package org.geoserver.security.csp;

import com.google.common.annotations.VisibleForTesting;
import com.thoughtworks.xstream.XStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.regex.Matcher;
import java.util.stream.Collectors;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.geoserver.config.GeoServer;
import org.geoserver.config.GeoServerDataDirectory;
import org.geoserver.config.SettingsInfo;
import org.geoserver.config.util.XStreamPersister;
import org.geoserver.config.util.XStreamPersisterFactory;
import org.geoserver.ows.AbstractDispatcherCallback;
import org.geoserver.ows.ProxifyingURLMangler;
import org.geoserver.ows.Request;
import org.geoserver.ows.URLMangler;
import org.geoserver.ows.util.ResponseUtils;
import org.geoserver.platform.FileWatcher;
import org.geoserver.platform.GeoServerExtensions;
import org.geoserver.platform.resource.Resource;
import org.geotools.util.logging.Logging;
import org.vfny.geoserver.util.Requests;

/* loaded from: input_file:org/geoserver/security/csp/CSPHeaderDAO.class */
public class CSPHeaderDAO extends AbstractDispatcherCallback {
    public static final String CONFIG_FILE_NAME = "csp.xml";
    public static final String DEFAULT_CONFIG_FILE_NAME = "csp_default.xml";
    private final GeoServer geoServer;
    private final FileWatcher<CSPConfiguration> configurationWatcher;
    private final Resource resource;
    private final XStreamPersister xp;
    private CSPConfiguration configuration = null;
    private static final Logger LOGGER = Logging.getLogger(CSPHeaderDAO.class);
    private static final ThreadLocal<String> PROXY_POLICY = new ThreadLocal<>();

    /* loaded from: input_file:org/geoserver/security/csp/CSPHeaderDAO$CSPConfigurationWatcher.class */
    private class CSPConfigurationWatcher extends FileWatcher<CSPConfiguration> {
        public CSPConfigurationWatcher(GeoServerDataDirectory geoServerDataDirectory) {
            super(geoServerDataDirectory.getSecurity(CSPHeaderDAO.CONFIG_FILE_NAME));
        }

        /* renamed from: read, reason: merged with bridge method [inline-methods] */
        public CSPConfiguration m217read() throws IOException {
            return (CSPConfiguration) Optional.ofNullable((CSPConfiguration) super.read()).orElseGet(CSPDefaultConfiguration::newInstance);
        }

        /* JADX INFO: Access modifiers changed from: protected */
        /* renamed from: parseFileContents, reason: merged with bridge method [inline-methods] */
        public CSPConfiguration m216parseFileContents(InputStream inputStream) throws IOException {
            return (CSPConfiguration) CSPHeaderDAO.this.xp.load(inputStream, CSPConfiguration.class);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/geoserver/security/csp/CSPHeaderDAO$ThrowingRunnable.class */
    public interface ThrowingRunnable {
        void run() throws IOException;
    }

    public CSPHeaderDAO(GeoServer geoServer, GeoServerDataDirectory geoServerDataDirectory, XStreamPersisterFactory xStreamPersisterFactory) throws IOException {
        this.geoServer = geoServer;
        this.configurationWatcher = new CSPConfigurationWatcher(geoServerDataDirectory);
        this.resource = this.configurationWatcher.getResource();
        this.xp = createXMLPersister(xStreamPersisterFactory);
        initializeConfigurationFiles();
    }

    public Request init(Request request) {
        try {
            String str = PROXY_POLICY.get();
            if (str != null && hasLocalProxyBase()) {
                String replaceVariables = replaceVariables(request.getHttpRequest(), getConfig(), str);
                HttpServletResponse httpResponse = request.getHttpResponse();
                String str2 = getConfig().isReportOnly() ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy";
                if (!replaceVariables.equals(httpResponse.getHeader(str2))) {
                    logPolicy(request.getHttpRequest(), replaceVariables);
                    httpResponse.setHeader(str2, replaceVariables);
                }
            }
        } catch (Exception e) {
            LOGGER.log(Level.WARNING, "Unable to update CSP with local proxy base URL", (Throwable) e);
        }
        return request;
    }

    public CSPConfiguration getConfig() throws IOException {
        if (this.configurationWatcher.isModified() || this.configuration == null) {
            configurationAction(() -> {
                this.configuration = doGetConfig();
            });
        }
        return this.configuration;
    }

    public void setConfig(CSPConfiguration cSPConfiguration) throws IOException {
        configurationAction(() -> {
            this.configuration = doSetConfig(cSPConfiguration.parseFilters(), this.resource);
        });
    }

    public HttpServletResponse setContentSecurityPolicy(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String stringProperty;
        CSPConfiguration cSPConfiguration = new CSPConfiguration();
        cSPConfiguration.setReportOnly(false);
        try {
            cSPConfiguration = getConfig();
            stringProperty = getContentSecurityPolicy(cSPConfiguration, httpServletRequest, false);
        } catch (Throwable th) {
            LOGGER.log(Level.WARNING, "Error setting Content-Security-Policy header", th);
            stringProperty = CSPUtils.getStringProperty(CSPUtils.GEOSERVER_CSP_FALLBACK, CSPUtils.DEFAULT_FALLBACK);
        }
        if (!stringProperty.equals("NONE")) {
            httpServletResponse.setHeader(cSPConfiguration.isReportOnly() ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy", stringProperty);
        }
        return new CSPHttpResponseWrapper(httpServletResponse, cSPConfiguration);
    }

    private void configurationAction(ThrowingRunnable throwingRunnable) throws IOException {
        Resource.Lock lock = this.resource.lock();
        try {
            throwingRunnable.run();
        } finally {
            lock.release();
        }
    }

    private CSPConfiguration doGetConfig() throws IOException {
        CSPConfiguration cSPConfiguration = (CSPConfiguration) this.configurationWatcher.read();
        if (this.resource.getType() == Resource.Type.RESOURCE) {
            return cSPConfiguration;
        }
        LOGGER.warning("Re-creating missing csp.xml with the default configuration");
        return doSetConfig(cSPConfiguration, this.resource);
    }

    private CSPConfiguration doSetConfig(CSPConfiguration cSPConfiguration, Resource resource) throws IOException {
        OutputStream out = resource.out();
        try {
            this.xp.save(cSPConfiguration, out);
            if (out != null) {
                out.close();
            }
            return doGetConfig();
        } catch (Throwable th) {
            if (out != null) {
                try {
                    out.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private boolean hasLocalProxyBase() {
        if (GeoServerExtensions.getProperty(Requests.PROXY_PARAM) != null) {
            return false;
        }
        SettingsInfo settings = this.geoServer.getSettings();
        return (settings.getWorkspace() == null || settings.getProxyBaseUrl() == null) ? false : true;
    }

    private void initializeConfigurationFiles() throws IOException {
        CSPConfiguration newInstance = CSPDefaultConfiguration.newInstance();
        Resource resource = this.resource.parent().get(DEFAULT_CONFIG_FILE_NAME);
        CSPConfiguration cSPConfiguration = null;
        if (resource.getType() != Resource.Type.UNDEFINED) {
            try {
                InputStream in = resource.in();
                try {
                    cSPConfiguration = (CSPConfiguration) this.xp.load(in, CSPConfiguration.class);
                    if (in != null) {
                        in.close();
                    }
                } finally {
                }
            } catch (Exception e) {
                LOGGER.log(Level.WARNING, "Error reading csp_default.xml, re-creating file", (Throwable) e);
            }
        }
        if (this.resource.getType() == Resource.Type.UNDEFINED) {
            LOGGER.info("Creating csp.xml with the default configuration");
            setConfig(newInstance);
        } else if (cSPConfiguration != null) {
            CSPConfiguration config = getConfig();
            if (config.equals(cSPConfiguration) && !config.equals(newInstance)) {
                LOGGER.info("Updating csp.xml with the new default configuration");
                setConfig(newInstance);
            } else if (!config.getPolicies().equals(cSPConfiguration.getPolicies()) || config.getPolicies().equals(newInstance.getPolicies())) {
                LOGGER.fine("Leaving the csp.xml file alone");
            } else {
                LOGGER.info("Updating csp.xml with the new default configuration");
                config.setPolicies(newInstance.getPolicies());
                setConfig(config);
            }
        } else {
            LOGGER.warning("Unable to check for default configuration changes. csp.xml exists but csp_default.xml is missing");
        }
        if (resource.getType() == Resource.Type.UNDEFINED) {
            LOGGER.info("Creating csp_default.xml with the default configuration");
            doSetConfig(newInstance, resource);
        } else if (newInstance.equals(cSPConfiguration)) {
            LOGGER.fine("Leaving the csp_default.xml file alone");
        } else {
            LOGGER.info("Updating csp_default.xml with the new default configuration");
            doSetConfig(newInstance, resource);
        }
    }

    @VisibleForTesting
    public void reset() {
        this.configuration = null;
        this.configurationWatcher.setKnownLastModified(Long.MIN_VALUE);
    }

    public static String getContentSecurityPolicy(CSPConfiguration cSPConfiguration, HttpServletRequest httpServletRequest, boolean z) {
        if (!cSPConfiguration.isEnabled()) {
            return "NONE";
        }
        CSPHttpRequestWrapper cSPHttpRequestWrapper = new CSPHttpRequestWrapper(httpServletRequest, cSPConfiguration);
        List list = (List) cSPConfiguration.getPolicies().stream().map(cSPPolicy -> {
            return cSPPolicy.getDirectives(cSPHttpRequestWrapper);
        }).filter((v0) -> {
            return Objects.nonNull(v0);
        }).collect(Collectors.toList());
        if (list.isEmpty()) {
            return "NONE";
        }
        String replaceVariables = replaceVariables(cSPHttpRequestWrapper, cSPConfiguration, injectProxyBase(cSPConfiguration, (String) list.stream().collect(Collectors.joining(", ")), z));
        logPolicy(httpServletRequest, replaceVariables);
        return replaceVariables;
    }

    public static void removeProxyPolicy() {
        PROXY_POLICY.remove();
    }

    private static XStreamPersister createXMLPersister(XStreamPersisterFactory xStreamPersisterFactory) {
        XStreamPersister createXMLPersister = xStreamPersisterFactory.createXMLPersister();
        XStream xStream = createXMLPersister.getXStream();
        xStream.alias("config", CSPConfiguration.class);
        xStream.alias("policy", CSPPolicy.class);
        xStream.alias("rule", CSPRule.class);
        xStream.addImplicitCollection(CSPConfiguration.class, "policies", CSPPolicy.class);
        xStream.addImplicitCollection(CSPPolicy.class, "rules", CSPRule.class);
        return createXMLPersister;
    }

    private static String getForwardedPart(String str, String str2) {
        if (str == null) {
            return null;
        }
        Matcher matcher = ProxifyingURLMangler.FORWARDED_PATTERNS.get(str2).matcher(str);
        if (matcher.matches()) {
            return matcher.group(2);
        }
        return null;
    }

    @VisibleForTesting
    protected static String getPropertyValue(HttpServletRequest httpServletRequest, CSPConfiguration cSPConfiguration, String str) {
        if (str.equals("proxy.base.url")) {
            return getProxyBase(httpServletRequest, cSPConfiguration);
        }
        if (!CSPUtils.PROPERTY_KEY_REGEX.matcher(str).matches()) {
            LOGGER.fine(() -> {
                return "Ignoring invalid property key: " + str;
            });
            return "";
        }
        String stringProperty = CSPUtils.getStringProperty(str, cSPConfiguration.getField(str));
        if (stringProperty.isEmpty() || CSPUtils.PROPERTY_VALUE_REGEX.matcher(stringProperty).matches()) {
            return stringProperty;
        }
        LOGGER.fine(() -> {
            return "Ignoring invalid property value: " + stringProperty;
        });
        return "";
    }

    private static String getProxyBase(HttpServletRequest httpServletRequest, CSPConfiguration cSPConfiguration) {
        String buildURL = ResponseUtils.buildURL("/", (String) null, (Map) null, URLMangler.URLType.RESOURCE);
        if (buildURL.equals("/")) {
            return "";
        }
        try {
            URL url = new URL(buildURL);
            if (matchesProxyBase(httpServletRequest, url)) {
                return "";
            }
            return (url.getProtocol() + "://" + url.getHost()) + (url.getPort() == -1 ? "" : ":" + url.getPort());
        } catch (Exception e) {
            return "";
        }
    }

    private static String injectProxyBase(CSPConfiguration cSPConfiguration, String str, boolean z) {
        if (cSPConfiguration.isInjectProxyBase()) {
            str = str.replace("form-action 'self'", "form-action 'self' ${proxy.base.url}").replace("-src 'self'", "-src 'self' ${proxy.base.url}").replace("-src-attr 'self'", "-src-attr 'self' ${proxy.base.url}").replace("-src-elem 'self'", "-src-elem 'self' ${proxy.base.url}");
        }
        if (!z && str.contains("${proxy.base.url}")) {
            setProxyPolicy(str);
        }
        return str;
    }

    private static void logPolicy(HttpServletRequest httpServletRequest, String str) {
        LOGGER.fine(() -> {
            String queryString = httpServletRequest.getQueryString();
            return "Content-Security-Policy for request:\n" + httpServletRequest.getMethod() + " " + httpServletRequest.getRequestURI() + (queryString != null ? "?" + queryString : "") + "\n" + str;
        });
    }

    @VisibleForTesting
    protected static boolean matchesProxyBase(HttpServletRequest httpServletRequest, URL url) {
        String header = httpServletRequest.getHeader("Forwarded");
        String header2 = httpServletRequest.getHeader("X-Forwarded-Proto");
        String forwardedPart = header2 != null ? header2 : getForwardedPart(header, "proto");
        if (!url.getProtocol().equals(forwardedPart != null ? forwardedPart : httpServletRequest.getScheme())) {
            return false;
        }
        String header3 = httpServletRequest.getHeader("X-Forwarded-Host");
        String forwardedPart2 = header3 != null ? header3 : getForwardedPart(header, "host");
        String header4 = forwardedPart2 != null ? forwardedPart2 : httpServletRequest.getHeader("Host");
        if (header4 == null) {
            return false;
        }
        String header5 = httpServletRequest.getHeader("X-Forwarded-Port");
        int indexOf = header4.indexOf(58);
        if (indexOf >= 0) {
            header5 = header5 != null ? header5 : header4.substring(indexOf + 1);
            header4 = header4.substring(0, indexOf);
        }
        int parseInt = header5 != null ? Integer.parseInt(header5) : url.getDefaultPort();
        int port = url.getPort();
        return url.getHost().equals(header4) && (port != -1 ? port : url.getDefaultPort()) == parseInt;
    }

    private static String replaceVariables(HttpServletRequest httpServletRequest, CSPConfiguration cSPConfiguration, String str) {
        int indexOf = str.indexOf("${");
        while (true) {
            int i = indexOf;
            if (i < 0) {
                return CSPUtils.cleanDirectives(str);
            }
            int indexOf2 = str.indexOf(125, i + 2);
            str = str.replace(str.substring(i, indexOf2 + 1), getPropertyValue(httpServletRequest, cSPConfiguration, str.substring(i + 2, indexOf2)));
            indexOf = str.indexOf("${");
        }
    }

    @VisibleForTesting
    protected static void setProxyPolicy(String str) {
        PROXY_POLICY.set(str);
    }
}
