package org.broadleafcommerce.common.security.service;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.broadleafcommerce.common.security.RandomGenerator;
import org.broadleafcommerce.common.util.BLCRequestUtils;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Service;
import org.springframework.web.context.request.RequestContextHolder;
import org.springframework.web.context.request.ServletRequestAttributes;
import org.springframework.web.context.request.ServletWebRequest;

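@Service("blStaleStateProtectionService")
/* loaded from: input_file:org/broadleafcommerce/common/security/service/StaleStateProtectionServiceImpl.class */
/**
 * Detects form submissions coming from a page that was rendered against an earlier
 * version of the session state. A random token is kept in the HTTP session; pages embed
 * it and submissions hand it back, and a submission whose token does not match the one
 * currently in the session is rejected with {@link StaleStateServiceException}.
 *
 * The token lives for the whole session until {@link #invalidateState()} removes it, so
 * it is a session "version" marker rather than a per-request nonce. NOTE(review): do not
 * treat it as a CSRF defense in its own right — confirm against the framework's separate
 * CSRF handling.
 */
public class StaleStateProtectionServiceImpl implements StaleStateProtectionService {
    /** Session attribute under which the current version token is stored. */
    public static final String STATEVERSIONTOKEN = "stateVersionToken";
    /** Request parameter carrying the submitted token; also reused as the per-request "already checked" marker. */
    public static final String STATEVERSIONTOKENPARAMETER = "stateVersionToken";
    private static final Log LOG = LogFactory.getLog(StaleStateProtectionServiceImpl.class);

    /** Feature switch; the check is opt-in and off unless the property enables it. */
    @Value("${stale.state.protection.enabled:false}")
    protected boolean staleStateProtectionEnabled = false;

    /**
     * Compares the submitted token with the one held in the session.
     *
     * @param str the token submitted with the request (untrusted input; may be null)
     * @throws StaleStateServiceException when protection is enabled, this request has not
     *         already passed the check, and the submitted token does not match the session's
     *         token — or no session token is available at all
     */
    @Override // org.broadleafcommerce.common.security.service.StaleStateProtectionService
    public void compareToken(String str) {
        if (!this.staleStateProtectionEnabled) {
            return;
        }
        HttpServletRequest request = currentRequest();
        // Resolve the expected token first: this also lazily creates it in the session when absent.
        String expected = getStateVersionToken();
        // A first successful comparison marks the request, so later calls within the same
        // request are accepted without re-checking (the marker is per-request, not per-session).
        boolean alreadyPassed = request.getAttribute(getStateVersionTokenParameter()) != null;
        if (!alreadyPassed && !tokensMatch(expected, str)) {
            // The echoed value is user-supplied; if this message ends up in logs, consider
            // sanitizing it to avoid log injection.
            throw new StaleStateServiceException("Page version token mismatch (" + str + "). The request likely came from a stale page.");
        }
        request.setAttribute(getStateVersionTokenParameter(), "passed");
        if (LOG.isDebugEnabled()) {
            LOG.debug("Validated page version token");
        }
    }

    /**
     * Constant-time comparison of the session token with the submitted one.
     * A missing session token (e.g. the request may not use a session) is treated as a
     * mismatch instead of being dereferenced, so callers see the stale-state exception rather
     * than a NullPointerException. NOTE(review): confirm whether session-less requests should
     * instead skip the check entirely.
     */
    private static boolean tokensMatch(String expected, String submitted) {
        if (expected == null || submitted == null) {
            return false;
        }
        // MessageDigest.isEqual avoids the early-exit timing behaviour of String.equals.
        return MessageDigest.isEqual(
                expected.getBytes(StandardCharsets.UTF_8),
                submitted.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Resolves the servlet request bound to the current thread by Spring.
     *
     * @throws IllegalStateException when called outside a web request, instead of a bare NPE
     */
    private static HttpServletRequest currentRequest() {
        ServletRequestAttributes attributes = (ServletRequestAttributes) RequestContextHolder.getRequestAttributes();
        if (attributes == null) {
            throw new IllegalStateException("No request bound to the current thread; stale state protection requires a web request");
        }
        return attributes.getRequest();
    }

    /**
     * Returns the session's version token, generating and storing one if none exists yet.
     *
     * @return the token, or null when the request is not allowed to use a session
     * @throws RuntimeException if the random generator algorithm is unavailable
     */
    @Override // org.broadleafcommerce.common.security.service.StaleStateProtectionService
    public String getStateVersionToken() {
        HttpServletRequest request = currentRequest();
        if (!BLCRequestUtils.isOKtoUseSession(new ServletWebRequest(request))) {
            // No session may be used for this request, so there is no token to hand out.
            return null;
        }
        HttpSession session = request.getSession();
        String token = (String) session.getAttribute(STATEVERSIONTOKEN);
        if (StringUtils.isEmpty(token)) {
            try {
                // NOTE(review): RandomGenerator is project code; presumably it wraps
                // SecureRandom.getInstance("SHA1PRNG") without explicit seeding — confirm,
                // since a fixed seed would make the token predictable. Concurrent requests on
                // the same fresh session may each generate a token; the last write wins.
                token = RandomGenerator.generateRandomId("SHA1PRNG", 32);
                session.setAttribute(STATEVERSIONTOKEN, token);
            } catch (NoSuchAlgorithmException e) {
                LOG.error("Unable to generate random number", e);
                throw new RuntimeException("Unable to generate random number", e);
            }
        }
        return token;
    }

    /**
     * Drops the session's version token so the next {@link #getStateVersionToken()} call
     * issues a fresh one; pages rendered with the old token then fail {@link #compareToken}.
     * Does nothing when the request may not use a session.
     */
    @Override // org.broadleafcommerce.common.security.service.StaleStateProtectionService
    public void invalidateState() {
        HttpServletRequest request = currentRequest();
        if (BLCRequestUtils.isOKtoUseSession(new ServletWebRequest(request))) {
            request.getSession().removeAttribute(STATEVERSIONTOKEN);
        }
    }

    /** @return whether stale-state protection is switched on via configuration. */
    @Override // org.broadleafcommerce.common.security.service.StaleStateProtectionService
    public boolean isEnabled() {
        return this.staleStateProtectionEnabled;
    }

    /** @return the request parameter name under which the token is submitted. */
    @Override // org.broadleafcommerce.common.security.service.StaleStateProtectionService
    public String getStateVersionTokenParameter() {
        return STATEVERSIONTOKENPARAMETER;
    }
}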
