package org.apache.tapestry5.internal.services;

import java.io.BufferedInputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.MessageDigest;
import java.util.zip.GZIPInputStream;
import javax.crypto.spec.SecretKeySpec;
import org.apache.tapestry5.SymbolConstants;
import org.apache.tapestry5.alerts.AlertManager;
import org.apache.tapestry5.internal.TapestryInternalUtils;
import org.apache.tapestry5.internal.util.Base64InputStream;
import org.apache.tapestry5.internal.util.MacOutputStream;
import org.apache.tapestry5.ioc.annotations.Symbol;
import org.apache.tapestry5.services.ClientDataEncoder;
import org.apache.tapestry5.services.ClientDataSink;
import org.apache.tapestry5.services.URLEncoder;
import org.eclipse.jetty.util.StringUtil;
import org.slf4j.Logger;

/* loaded from: input_file:org/apache/tapestry5/internal/services/ClientDataEncoderImpl.class */
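/**
 * Encodes and decodes data that is round-tripped through the client (form fields or the URL),
 * authenticating it with an HMAC so that server-side decoding only proceeds on data this
 * application produced.
 *
 * <p>Wire format accepted by {@link #decodeClientData(String)}: {@code <mac>:<base64 payload>},
 * where the payload is GZIP-compressed Java serialization data.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The MAC is the only barrier between a request parameter and an {@link ObjectInputStream}.
 *       Its strength is exactly the secrecy of the configured passphrase.</li>
 *   <li>When the passphrase symbol is empty the constructor falls back to the application package
 *       name as key material. That value is not a secret, so in that configuration the MAC gives
 *       no real authenticity guarantee. Deployments should always set the symbol to a long random
 *       value, and treat the error logged here as a release blocker.</li>
 * </ul>
 */
public class ClientDataEncoderImpl implements ClientDataEncoder {
    private final URLEncoder urlEncoder;

    /** HmacSHA1 key derived from the passphrase (or from the fallback described on the class). */
    private final Key hmacKey;

    /**
     * Builds the encoder and derives the HMAC key.
     *
     * @param uRLEncoder   used to URL-decode values in {@link #decodeEncodedClientData(String)}
     *                     and handed to every sink created by {@link #createSink()}
     * @param str          value of the {@code tapestry.hmac-passphrase} symbol; the empty string
     *                     means "not configured"
     * @param logger       receives an error message when the passphrase is not configured
     * @param str2         value of the {@code tapestry.app-package} symbol, used as key material
     *                     only when the passphrase is empty
     * @param alertManager receives the same error message as the logger
     * @throws UnsupportedEncodingException if the charset named by {@code StringUtil.__UTF8Alt}
     *                                      is not supported
     */
    public ClientDataEncoderImpl(URLEncoder uRLEncoder, @Symbol("tapestry.hmac-passphrase") String str, Logger logger, @Symbol("tapestry.app-package") String str2, AlertManager alertManager) throws UnsupportedEncodingException {
        this.urlEncoder = uRLEncoder;
        if (str.equals("")) {
            String format = String.format("The symbol '%s' has not been configured. This is used to configure hash-based message authentication of Tapestry data stored in forms, or in the URL. You application is less secure, and more vulnerable to denial-of-service attacks, when this symbol is not configured.", SymbolConstants.HMAC_PASSPHRASE);
            alertManager.error(format);
            logger.error(format);
            // NOTE(review): the fallback key is the application package name, which is not
            // secret. Kept for backward compatibility; consider failing startup instead so an
            // unconfigured passphrase cannot reach production.
            str = str2;
        }
        this.hmacKey = new SecretKeySpec(str.getBytes(StringUtil.__UTF8Alt), "HmacSHA1");
    }

    /**
     * Creates a sink that writes client data authenticated with this encoder's HMAC key.
     *
     * @return a new sink
     * @throws RuntimeException wrapping any {@link IOException} raised while creating the sink
     */
    @Override // org.apache.tapestry5.services.ClientDataEncoder
    public ClientDataSink createSink() {
        try {
            return new ClientDataSinkImpl(this.urlEncoder, this.hmacKey);
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Verifies the MAC prefix of {@code str} and, only if it matches, returns a stream over the
     * decompressed serialized payload.
     *
     * <p>SECURITY: the returned {@link ObjectInputStream} performs native Java deserialization.
     * The MAC check is what keeps that input trusted; it is not a substitute for restricting
     * which classes may be deserialized. On Java 9+ callers (or this method) should install an
     * {@code ObjectInputFilter} allow-list before calling {@code readObject()}.
     *
     * @param str client data in the form {@code <mac>:<base64 payload>}
     * @return a stream positioned at the start of the serialized payload
     * @throws IllegalArgumentException if {@code str} contains no {@code ':'} separator
     * @throws RuntimeException         wrapping the {@link IOException} raised when the MAC does
     *                                  not match or the payload cannot be read
     */
    @Override // org.apache.tapestry5.services.ClientDataEncoder
    public ObjectInputStream decodeClientData(String str) {
        int separator = str.indexOf(':');
        if (separator < 0) {
            throw new IllegalArgumentException("Client data must be prefixed with its HMAC code.");
        }
        String claimedMac = str.substring(0, separator);
        try {
            Base64InputStream payload = new Base64InputStream(str.substring(separator + 1));
            // Authenticate first: nothing is decompressed or deserialized until the MAC matches.
            validateHMAC(claimedMac, payload);
            // validateHMAC consumed the stream to compute the MAC; rewind before decoding.
            payload.reset();
            return new ObjectInputStream(new BufferedInputStream(new GZIPInputStream(payload)));
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Recomputes the MAC over the decoded payload and compares it with the MAC supplied by the
     * client.
     *
     * <p>The comparison uses {@link MessageDigest#isEqual(byte[], byte[])} rather than
     * {@link String#equals(Object)}: {@code equals} returns at the first differing character,
     * which lets response timing reveal how much of a guessed MAC is correct.
     *
     * @param str               MAC text taken from the client data prefix
     * @param base64InputStream decoded payload; fully consumed by this method
     * @throws IOException if the payload cannot be read or the MAC does not match
     */
    private void validateHMAC(String str, Base64InputStream base64InputStream) throws IOException {
        MacOutputStream streamFor = MacOutputStream.streamFor(this.hmacKey);
        TapestryInternalUtils.copy(base64InputStream, streamFor);
        streamFor.close();
        String expected = streamFor.getResult();
        // A null result is treated as a mismatch, as the original equals() comparison did.
        boolean matches = expected != null
                && MessageDigest.isEqual(
                        str.getBytes(StandardCharsets.UTF_8),
                        expected.getBytes(StandardCharsets.UTF_8));
        if (!matches) {
            throw new IOException("Client data associated with the current request appears to have been tampered with (the HMAC signature does not match).");
        }
    }

    /**
     * URL-decodes {@code str} with the configured {@link URLEncoder} and then processes it
     * exactly as {@link #decodeClientData(String)} does, including the MAC check.
     *
     * @param str URL-encoded client data
     * @return a stream over the authenticated, decompressed serialized payload
     * @throws IOException declared by the interface; failures in this implementation surface
     *                     as the unchecked exceptions thrown by {@link #decodeClientData(String)}
     */
    @Override // org.apache.tapestry5.services.ClientDataEncoder
    public ObjectInputStream decodeEncodedClientData(String str) throws IOException {
        return decodeClientData(this.urlEncoder.decode(str));
    }
}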
