package org.geoserver.filters;

import java.io.IOException;
import org.geoserver.config.GeoServer;
import org.geoserver.config.GeoServerDataDirectory;
import org.geoserver.config.util.XStreamPersisterFactory;
import org.geoserver.platform.GeoServerExtensionsHelper;
import org.geoserver.security.csp.CSPConfiguration;
import org.geoserver.security.csp.CSPHeaderDAO;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.ClassRule;
import org.junit.Test;
import org.junit.rules.TemporaryFolder;
import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;

/* loaded from: input_file:org/geoserver/filters/SecurityHeadersFilterTest.class */
/**
 * Tests for {@code SecurityHeadersFilter}: runs a mock request through the filter and checks which
 * security response headers come out.
 *
 * <p>Covered headers are Content-Security-Policy (driven by the {@link CSPHeaderDAO} configuration),
 * X-Frame-Options, X-Content-Type-Options, X-XSS-Protection and Strict-Transport-Security (the last
 * four driven by {@code geoserver.*} system properties). Every property the filter reads is cleared
 * before and after each test so that no case leaks its settings into the next one.
 */
public class SecurityHeadersFilterTest {

    /** Temporary data directory that backs the CSP DAO for the whole test class. */
    @ClassRule
    public static TemporaryFolder folder = new TemporaryFolder();

    private static CSPHeaderDAO dao;

    /** System properties the filter consults; reset around every test (see {@link #resetProperties()}). */
    private static final String[] FILTER_PROPERTIES = {
        "geoserver.xContentType.shouldSetPolicy",
        "geoserver.hsts.policy",
        "geoserver.hsts.shouldSetPolicy",
        "geoserver.xframe.policy",
        "geoserver.xframe.shouldSetPolicy",
        "geoserver.xXssProtection.policy",
        "geoserver.xXssProtection.shouldSetPolicy",
    };

    /**
     * Header value the filter emits for the DAO's stock CSP configuration, used both for the blocking
     * and the report-only header (only the header name differs between those two modes).
     */
    private static final String DEFAULT_CSP =
            "base-uri 'self'; form-action 'self'; default-src 'none'; child-src 'self'; connect-src 'self'; font-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self';, frame-ancestors 'self';";

    /**
     * Builds the CSP DAO on top of the temporary data directory and registers it as the
     * {@code cspHeaderDAO} extension so the filter under test can look it up.
     *
     * @throws IOException if the DAO cannot read or create its configuration
     */
    @BeforeClass
    public static void initDAO() throws IOException {
        GeoServerDataDirectory dataDirectory = new GeoServerDataDirectory(folder.getRoot());
        dao = new CSPHeaderDAO((GeoServer) null, dataDirectory, new XStreamPersisterFactory());
        GeoServerExtensionsHelper.singleton("cspHeaderDAO", dao, new Class[0]);
    }

    /** Drops the extension registered in {@link #initDAO()}. */
    @AfterClass
    public static void clearExtensions() {
        GeoServerExtensionsHelper.clear();
    }

    /**
     * Clears every filter-related system property, both before and after each test, so that each
     * case starts from the filter's built-in defaults.
     */
    @Before
    @After
    public void resetProperties() {
        for (String property : FILTER_PROPERTIES) {
            System.clearProperty(property);
        }
    }

    // ---- helpers ----------------------------------------------------------------------------

    /**
     * Updates the persisted CSP configuration used by the filter.
     *
     * @param enabled whether the CSP header is emitted at all
     * @param reportOnly whether to emit {@code Content-Security-Policy-Report-Only} instead of the
     *     enforcing {@code Content-Security-Policy} header
     * @throws Exception if the DAO fails to persist the configuration
     */
    private static void setCSPConfig(boolean enabled, boolean reportOnly) throws Exception {
        CSPConfiguration cspConfiguration = dao.getConfig();
        cspConfiguration.setEnabled(enabled);
        cspConfiguration.setReportOnly(reportOnly);
        dao.setConfig(cspConfiguration);
    }

    /**
     * Runs a plain-HTTP GET through the filter and returns the named response header.
     *
     * @param headerName response header to read
     * @return the header value, or {@code null} when the filter did not set it
     * @throws Exception if the filter fails
     */
    private static String getHeader(String headerName) throws Exception {
        return getHeader(false, headerName);
    }

    /**
     * Runs a GET through a fresh {@code SecurityHeadersFilter} with an empty filter chain and returns
     * the named response header.
     *
     * @param https {@code true} to mark the request as HTTPS, {@code false} for plain HTTP
     * @param headerName response header to read
     * @return the header value, or {@code null} when the filter did not set it
     * @throws Exception if the filter fails
     */
    private static String getHeader(boolean https, String headerName) throws Exception {
        MockHttpServletRequest request = new MockHttpServletRequest("GET", "");
        if (https) {
            request.setScheme("https");
        } else {
            request.setScheme("http");
        }
        MockHttpServletResponse response = new MockHttpServletResponse();
        SecurityHeadersFilter filter = new SecurityHeadersFilter();
        filter.doFilter(request, response, new MockFilterChain());
        return response.getHeader(headerName);
    }

    // ---- Content-Security-Policy ------------------------------------------------------------

    /** With CSP disabled neither the enforcing nor the report-only header is emitted. */
    @Test
    public void testFilterCSPDisabled() throws Exception {
        setCSPConfig(false, true);
        Assert.assertNull(getHeader("Content-Security-Policy"));
        Assert.assertNull(getHeader("Content-Security-Policy-Report-Only"));
    }

    /** Enabled and not report-only: the enforcing header carries the default policy. */
    @Test
    public void testFilterCSPBlocking() throws Exception {
        setCSPConfig(true, false);
        Assert.assertEquals(DEFAULT_CSP, getHeader("Content-Security-Policy"));
        Assert.assertNull(getHeader("Content-Security-Policy-Report-Only"));
    }

    /** Enabled and report-only: the same policy moves to the report-only header. */
    @Test
    public void testFilterCSPReporting() throws Exception {
        setCSPConfig(true, true);
        Assert.assertNull(getHeader("Content-Security-Policy"));
        Assert.assertEquals(DEFAULT_CSP, getHeader("Content-Security-Policy-Report-Only"));
    }

    // ---- X-Frame-Options --------------------------------------------------------------------

    /** X-Frame-Options is on by default with value SAMEORIGIN. */
    @Test
    public void testFilterDefaultFrameOptions() throws Exception {
        Assert.assertEquals("SAMEORIGIN", getHeader("X-Frame-Options"));
    }

    /** Setting {@code geoserver.xframe.shouldSetPolicy=false} suppresses the header. */
    @Test
    public void testFilterWithoutFrameOptions() throws Exception {
        System.setProperty("geoserver.xframe.shouldSetPolicy", "false");
        Assert.assertNull(getHeader("X-Frame-Options"));
    }

    /** {@code geoserver.xframe.policy} overrides the emitted value. */
    @Test
    public void testFilterCustomFrameOptions() throws Exception {
        System.setProperty("geoserver.xframe.policy", "DENY");
        Assert.assertEquals("DENY", getHeader("X-Frame-Options"));
    }

    // ---- X-Content-Type-Options -------------------------------------------------------------

    /** X-Content-Type-Options is on by default with value nosniff. */
    @Test
    public void testFilterDefaultContentTypeOptions() throws Exception {
        Assert.assertEquals("nosniff", getHeader("X-Content-Type-Options"));
    }

    /** Setting {@code geoserver.xContentType.shouldSetPolicy=false} suppresses the header. */
    @Test
    public void testFilterWithoutContentTypeOptions() throws Exception {
        System.setProperty("geoserver.xContentType.shouldSetPolicy", "false");
        Assert.assertNull(getHeader("X-Content-Type-Options"));
    }

    // ---- X-XSS-Protection -------------------------------------------------------------------

    /** X-XSS-Protection is off by default: no header at all. */
    @Test
    public void testFilterDefaultXssProtection() throws Exception {
        Assert.assertNull(getHeader("X-XSS-Protection"));
    }

    /** When enabled without an explicit policy the filter emits {@code 0}. */
    @Test
    public void testFilterWithXssProtection() throws Exception {
        System.setProperty("geoserver.xXssProtection.shouldSetPolicy", "true");
        Assert.assertEquals("0", getHeader("X-XSS-Protection"));
    }

    /** {@code geoserver.xXssProtection.policy} overrides the emitted value when the header is enabled. */
    @Test
    public void testFilterCustomXssProtection() throws Exception {
        System.setProperty("geoserver.xXssProtection.shouldSetPolicy", "true");
        System.setProperty("geoserver.xXssProtection.policy", "1; mode=block");
        Assert.assertEquals("1; mode=block", getHeader("X-XSS-Protection"));
    }

    // ---- Strict-Transport-Security ----------------------------------------------------------

    /** HSTS is off by default on plain HTTP. */
    @Test
    public void testFilterHttpHstsDefault() throws Exception {
        Assert.assertNull(getHeader("Strict-Transport-Security"));
    }

    /** Even with HSTS enabled the header is not emitted for a plain-HTTP request. */
    @Test
    public void testFilterHttpHstsEnabled() throws Exception {
        System.setProperty("geoserver.hsts.shouldSetPolicy", "true");
        Assert.assertNull(getHeader("Strict-Transport-Security"));
    }

    /** HSTS is off by default on HTTPS as well. */
    @Test
    public void testFilterHttpsHstsDefault() throws Exception {
        Assert.assertNull(getHeader(true, "Strict-Transport-Security"));
    }

    /** With HSTS enabled an HTTPS request gets the default one-year, include-subdomains policy. */
    @Test
    public void testFilterHttpsHstsEnabled() throws Exception {
        System.setProperty("geoserver.hsts.shouldSetPolicy", "true");
        Assert.assertEquals("max-age=31536000 ; includeSubDomains", getHeader(true, "Strict-Transport-Security"));
    }

    /** {@code geoserver.hsts.policy} overrides the emitted value on HTTPS when HSTS is enabled. */
    @Test
    public void testFilterHttpsHstsCustom() throws Exception {
        System.setProperty("geoserver.hsts.shouldSetPolicy", "true");
        System.setProperty("geoserver.hsts.policy", "max-age=985500");
        Assert.assertEquals("max-age=985500", getHeader(true, "Strict-Transport-Security"));
    }
}
