package ipsk.webapps;

import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

/* loaded from: input_file:ipsk/webapps/SecureRequestTokenProvider.class */
public class SecureRequestTokenProvider {
    public static final int SECURE_REQUEST_TOKEN_BYTE_LEN = 64;
    public static final String SECURE_REQUEST_TOKEN_NAME = "_secureRequestToken";
    public static final String SECURE_REQUEST_TOKEN_ATTR_KEY = SecureRequestTokenProvider.class.getName() + "._secureRequestToken";
    private boolean consumeSecureRequestToken = true;

    public void setConsumeSecureRequestToken(boolean z) {
        this.consumeSecureRequestToken = z;
    }

    private static Set<String> sessionSecureRequestTokens(HttpServletRequest httpServletRequest) {
        Set<String> set = null;
        HttpSession session = httpServletRequest.getSession();
        if (session != null) {
            Object attribute = session.getAttribute(SECURE_REQUEST_TOKEN_ATTR_KEY);
            if (attribute == null) {
                set = new HashSet();
                session.setAttribute(SECURE_REQUEST_TOKEN_ATTR_KEY, set);
            } else if (attribute instanceof Set) {
                set = (Set) attribute;
            }
        }
        return set;
    }

    public static String generateSecureRequestToken(HttpServletRequest httpServletRequest) {
        byte[] bArr = new byte[64];
        new SecureRandom().nextBytes(bArr);
        String encodeToString = Base64.getUrlEncoder().withoutPadding().encodeToString(bArr);
        sessionSecureRequestTokens(httpServletRequest).add(encodeToString);
        return encodeToString;
    }

    private boolean _checkSecureRequestToken(HttpServletRequest httpServletRequest) {
        Set<String> sessionSecureRequestTokens;
        String parameter = httpServletRequest.getParameter(SECURE_REQUEST_TOKEN_NAME);
        if (parameter == null || (sessionSecureRequestTokens = sessionSecureRequestTokens(httpServletRequest)) == null) {
            return false;
        }
        return this.consumeSecureRequestToken ? sessionSecureRequestTokens.remove(parameter) : sessionSecureRequestTokens.contains(parameter);
    }

    public void checkSecureRequestToken(HttpServletRequest httpServletRequest) throws ControllerException {
        if (!_checkSecureRequestToken(httpServletRequest)) {
            throw new ControllerException("Invalid request!");
        }
    }
}
