package no.kantega.publishing.client.filter;

import java.io.UnsupportedEncodingException;
import java.math.BigInteger;
import java.security.SecureRandom;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.http.HttpServletRequest;
import no.kantega.commons.util.HttpHelper;

/* loaded from: input_file:WEB-INF/lib/openaksess-core-6.0.1.jar:no/kantega/publishing/client/filter/CrossSiteRequestForgeryContentRewriter.class */
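/**
 * Content rewriter that adds a hidden anti-CSRF field to every HTML form in a
 * page rendered in admin mode.
 *
 * <p>The field is named {@link #CSRF_KEY} and its value comes from
 * {@link #generateKey(HttpServletRequest)}. The code that checks the submitted
 * value is not part of this class.
 *
 * <p>NOTE(review): form tags are located with a regular expression, not an HTML
 * parser. An opening tag whose attribute values contain a literal {@code >} is
 * cut short at that character, so the hidden field can land inside the tag.
 */
public class CrossSiteRequestForgeryContentRewriter implements ContentRewriter {
    /** Name of the hidden form field (and request parameter) carrying the token. */
    public static final String CSRF_KEY = "csrfkey";

    /**
     * Matches an opening {@code <form ...>} tag in any letter case. The
     * lookahead requires whitespace, {@code /} or {@code >} right after the
     * tag name, so that other elements whose names merely start with "form"
     * are not treated as forms.
     */
    private static final Pattern FORM_OPEN_TAG =
            Pattern.compile("<form(?=[\\s/>])[^>]*>", Pattern.CASE_INSENSITIVE);

    /** Per-instance random 128-bit value mixed into every token; created once at construction. */
    private final BigInteger secret = new BigInteger(128, new SecureRandom());

    /**
     * Inserts the hidden token field directly after each opening form tag.
     *
     * @param httpServletRequest the current request; decides whether rewriting
     *        applies and supplies the session the token is derived from
     * @param str the page markup, may be {@code null}
     * @return {@code str} unchanged when rewriting does not apply or when it is
     *         {@code null}; otherwise the markup with one hidden field per form
     */
    @Override
    public String rewriteContent(HttpServletRequest httpServletRequest, String str) {
        if (!shouldRewrite(httpServletRequest) || str == null) {
            return str;
        }
        StringBuilder out = new StringBuilder(str.length() + 64);
        Matcher formTag = FORM_OPEN_TAG.matcher(str);
        int copiedUpTo = 0;
        while (formTag.find()) {
            // Copy everything up to and including the opening tag, then the field.
            out.append(str, copiedUpTo, formTag.end());
            // generateKey is overridable, so it is asked once per form, as before.
            out.append("<input type=\"hidden\" name=\"")
                    .append(CSRF_KEY)
                    .append("\" value=\"")
                    .append(generateKey(httpServletRequest))
                    .append("\">");
            copiedUpTo = formTag.end();
        }
        // Remainder of the page after the last form tag (the whole page if none matched).
        out.append(str, copiedUpTo, str.length());
        return out.toString();
    }

    /**
     * Decides whether the response for this request gets token fields.
     *
     * @param httpServletRequest the current request
     * @return the result of {@code HttpHelper.isAdminMode} for the request
     */
    protected boolean shouldRewrite(HttpServletRequest httpServletRequest) {
        return HttpHelper.isAdminMode(httpServletRequest);
    }

    /**
     * Derives the token for the request's session: the session id bytes, read
     * as a big integer, XORed with {@link #getSecret()} and printed in decimal.
     *
     * <p>{@code getSession()} creates a session when the request has none.
     *
     * <p>NOTE(review): XOR with a fixed value is reversible, so this token is
     * an encoding of the session id rather than a keyed MAC. Two consequences
     * for defenders: (1) the secret is derivable by any party that holds one
     * session id together with its token, and (2) every rendered admin page
     * then carries a recoverable form of the session id in its markup, outside
     * the protection of cookie flags. Bits of the session id above the secret's
     * 128 bits are not masked at all. A keyed MAC over the session id (for
     * example HMAC-SHA256) compared in constant time would remove both issues.
     * The derivation is left unchanged here because the validating code is not
     * visible and may recompute the token through {@link #getSecret()} -
     * confirm before replacing it.
     *
     * @param httpServletRequest the current request
     * @return the decimal token string for the current session
     * @throws RuntimeException if the "utf8" charset name is not supported
     */
    protected String generateKey(HttpServletRequest httpServletRequest) {
        byte[] sessionIdBytes;
        try {
            sessionIdBytes = httpServletRequest.getSession().getId().getBytes("utf8");
        } catch (UnsupportedEncodingException e) {
            throw new RuntimeException(e);
        }
        return new BigInteger(sessionIdBytes).xor(this.secret).toString();
    }

    /**
     * Returns the random value mixed into the tokens.
     *
     * <p>NOTE(review): this accessor is public; any code that can reach the
     * instance can read the secret. Presumably the validating side uses it -
     * verify against callers and narrow the visibility if possible.
     *
     * @return the per-instance secret
     */
    public BigInteger getSecret() {
        return this.secret;
    }
}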
