package org.geoserver.web;

import java.util.Arrays;
import java.util.Collection;
import org.apache.wicket.markup.html.form.IFormSubmitListener;
import org.apache.wicket.protocol.http.mock.MockHttpServletRequest;
import org.apache.wicket.request.mapper.parameter.PageParameters;
import org.apache.wicket.util.tester.FormTester;
import org.apache.wicket.util.tester.WicketTester;
import org.geoserver.catalog.NamespaceInfo;
import org.geoserver.catalog.WorkspaceInfo;
import org.geoserver.config.GeoServer;
import org.geoserver.config.SettingsInfo;
import org.geoserver.data.test.MockData;
import org.geoserver.web.data.workspace.WorkspaceEditPage;
import org.geoserver.web.data.workspace.WorkspacePage;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.Parameterized;

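/**
 * Checks how the GeoServer Wicket UI treats a form submission whose {@code Origin} and
 * {@code Referer} headers differ from the request's server name.
 *
 * <p>Every test runs once per row returned by {@link #data()}. A row is the pair
 * (value of {@code GEOSERVER_CSRF_DISABLED}, value of {@code GEOSERVER_CSRF_WHITELIST}).
 * A rejected submission is recognised by {@code tester.getLastRenderedPage()} being
 * {@code null}; an accepted one renders {@link WorkspacePage} without error messages.
 */
@RunWith(Parameterized.class)
public class GeoServerWicketCsrfTest extends GeoServerWicketTestSupport {

    private static final String CSRF_DISABLED_PROPERTY = "GEOSERVER_CSRF_DISABLED";
    private static final String CSRF_WHITELIST_PROPERTY = "GEOSERVER_CSRF_WHITELIST";

    /** Server name set on the mock request; both test origins use a different host. */
    private static final String SERVER_NAME = "geoserver.org";

    // Parameterized injects into these fields, so they have to stay public and non-final.
    @Parameterized.Parameter(0)
    public String csrfDisabled;

    @Parameterized.Parameter(1)
    public String csrfWhitelist;

    private WorkspaceInfo citeWorkspace;

    // Values the two system properties held before init() overwrote them (null = unset).
    private String previousCsrfDisabled;
    private String previousCsrfWhitelist;

    /**
     * Supplies the configurations under test: protection disabled, protection enabled with
     * {@code geoserver.org} whitelisted, and protection enabled with an empty whitelist.
     *
     * @return one {@code {csrfDisabled, csrfWhitelist}} pair per run
     */
    @Parameterized.Parameters
    public static Collection<Object[]> data() {
        return Arrays.asList(
                new Object[] {"true", "foo.com"},
                new Object[] {"false", "geoserver.org"},
                new Object[] {"false", ""});
    }

    /**
     * Applies the CSRF settings of the current run, re-initialises the web application, logs in
     * and opens the edit page of the {@code cite} workspace.
     */
    @Before
    public void init() {
        // Remember the JVM-wide state first so restoreCsrfProperties() can put it back even if
        // a later step of this method throws.
        previousCsrfWhitelist = System.getProperty(CSRF_WHITELIST_PROPERTY);
        previousCsrfDisabled = System.getProperty(CSRF_DISABLED_PROPERTY);
        System.setProperty(CSRF_WHITELIST_PROPERTY, csrfWhitelist);
        System.setProperty(CSRF_DISABLED_PROPERTY, csrfDisabled);

        // The properties are set before init() is called again; presumably that is where the
        // application reads them - confirm against GeoServerApplication.
        GeoServerApplication application =
                (GeoServerApplication) applicationContext.getBean("webApplication");
        tester = new WicketTester(application, false);
        application.init();
        login();

        citeWorkspace = getCatalog().getWorkspaceByName(MockData.CITE_PREFIX);

        // Start from a workspace without local settings and with the stock namespace URI.
        GeoServer geoServer = getGeoServer();
        SettingsInfo localSettings = geoServer.getSettings(citeWorkspace);
        if (localSettings != null) {
            geoServer.remove(localSettings);
        }
        NamespaceInfo citeNamespace = getCatalog().getNamespaceByPrefix(MockData.CITE_PREFIX);
        citeNamespace.setURI(MockData.CITE_URI);
        getCatalog().save(citeNamespace);

        tester.startPage(new WorkspaceEditPage(citeWorkspace));
    }

    /**
     * Puts both CSRF system properties back to what they were before {@link #init()}.
     *
     * <p>System properties are shared by every test in the JVM; without this a run would leave
     * its CSRF configuration (including {@code GEOSERVER_CSRF_DISABLED=true}) visible to
     * whatever test class executes next. Only the properties are restored here, the
     * application bean is not re-initialised.
     */
    @After
    public void restoreCsrfProperties() {
        restoreProperty(CSRF_WHITELIST_PROPERTY, previousCsrfWhitelist);
        restoreProperty(CSRF_DISABLED_PROPERTY, previousCsrfDisabled);
    }

    /**
     * Submits the form with {@code http://www.geoserver.org} as origin while the server name is
     * {@code geoserver.org}. The submission must be refused only when protection is enabled and
     * the whitelist is empty.
     */
    @Test
    public void testFormSubmitWhitelistedDomain() {
        submitWorkspaceFormFrom("http://www.geoserver.org");
        // The csrfDisabled guard keeps the expectation right if a {"true", ""} row is ever
        // added; for the current rows it selects the same single run as the whitelist check.
        if (!isCsrfDisabled() && "".equals(csrfWhitelist)) {
            assertSubmissionRejected();
        } else {
            assertSubmissionAccepted();
        }
    }

    /**
     * Submits the form with {@code http://www.remote.com} as origin, a host that appears in no
     * whitelist used by {@link #data()}. The submission must be refused unless protection is
     * disabled.
     */
    @Test
    public void testFormSubmitNotWhitelistedDomain() {
        submitWorkspaceFormFrom("http://www.remote.com");
        if (!isCsrfDisabled()) {
            assertSubmissionRejected();
        } else {
            assertSubmissionAccepted();
        }
    }

    /** Returns whether the current run sets {@code GEOSERVER_CSRF_DISABLED} to {@code "true"}. */
    private boolean isCsrfDisabled() {
        return "true".equals(csrfDisabled);
    }

    /**
     * Fills in the namespace URI and presses "save" on the workspace form, with the request
     * claiming to come from {@code origin}.
     *
     * @param origin scheme and host placed in the {@code Origin} header and used as the prefix
     *     of the {@code Referer} header
     */
    private void submitWorkspaceFormFrom(String origin) {
        FormTester form = tester.newFormTester("form");
        MockHttpServletRequest request = tester.getRequest();
        // Drop the first character of the submit URL before appending it to the origin.
        String submitPath =
                form.getForm()
                        .getRootForm()
                        .urlFor(IFormSubmitListener.INTERFACE, new PageParameters())
                        .toString()
                        .substring(1);
        request.setServerName(SERVER_NAME);
        request.setHeader("Origin", origin);
        request.setHeader("Referer", origin + submitPath);
        form.setValue("tabs:panel:uri", "http://www.geoserver.org");
        form.submit("save");
    }

    /** Asserts that the submission was refused: no page was rendered in response. */
    private void assertSubmissionRejected() {
        Assert.assertNull(tester.getLastRenderedPage());
    }

    /** Asserts that the submission went through to the workspace list without errors. */
    private void assertSubmissionAccepted() {
        tester.assertRenderedPage(WorkspacePage.class);
        tester.assertNoErrorMessage();
    }

    /** Sets {@code name} back to {@code previous}, or clears it when it was unset before. */
    private static void restoreProperty(String name, String previous) {
        if (previous == null) {
            System.clearProperty(name);
        } else {
            System.setProperty(name, previous);
        }
    }
}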
