package org.geoserver.security.csp;

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.util.Collections;
import java.util.Map;
import org.geoserver.config.GeoServer;
import org.geoserver.config.GeoServerDataDirectory;
import org.geoserver.config.SettingsInfo;
import org.geoserver.config.impl.SettingsInfoImpl;
import org.geoserver.config.util.XStreamPersisterFactory;
import org.geoserver.filters.SecurityHeadersFilter;
import org.geoserver.ows.ProxifyingURLMangler;
import org.geoserver.ows.URLMangler;
import org.geoserver.platform.GeoServerExtensionsHelper;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.ClassRule;
import org.junit.Test;
import org.junit.rules.TemporaryFolder;
import org.mockito.Mockito;
import org.springframework.mock.web.MockFilterChain;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;

/* loaded from: input_file:org/geoserver/security/csp/ContentSecurityPolicyTest.class */
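public class ContentSecurityPolicyTest {

    /**
     * The header value produced by the stock configuration for a plain request: the main
     * policy (first CSPPolicy) and the frame-ancestors policy (second CSPPolicy) are emitted
     * as two comma-separated policies in one Content-Security-Policy header, hence the
     * {@code ;,} in the middle.
     */
    private static final String DEFAULT_HEADER =
            "base-uri 'self'; form-action 'self'; default-src 'none'; child-src 'self'; "
                    + "connect-src 'self'; font-src 'self'; img-src 'self' data:; "
                    + "style-src 'self' 'unsafe-inline'; script-src 'self';, frame-ancestors 'self';";

    /** Name of the CSP configuration file inside the data directory's security folder. */
    private static final String CSP_CONFIG_FILE = "csp.xml";

    @ClassRule
    public static TemporaryFolder folder = new TemporaryFolder();

    private static XStreamPersisterFactory xpf = null;
    private static GeoServerDataDirectory dd = null;
    private static CSPHeaderDAO dao = null;
    private static SettingsInfo settings = null;

    /**
     * Builds a CSPHeaderDAO against a throw-away data directory and a mocked GeoServer whose
     * settings do not use proxy headers, and registers it (plus a ProxifyingURLMangler) as
     * extensions so SecurityHeadersFilter can look them up.
     */
    @BeforeClass
    public static void initDAO() throws IOException {
        dd = new GeoServerDataDirectory(folder.getRoot());
        xpf = new XStreamPersisterFactory();
        GeoServer geoServer = Mockito.mock(GeoServer.class);
        settings = new SettingsInfoImpl();
        // Proxy base URL is taken from configuration/system property, never from request headers.
        settings.setUseHeadersProxyURL(false);
        Mockito.when(geoServer.getSettings()).thenReturn(settings);
        dao = new CSPHeaderDAO(geoServer, dd, xpf);
        GeoServerExtensionsHelper.singleton("cspHeaderDAO", dao);
        GeoServerExtensionsHelper.singleton(
                "proxyfier", new ProxifyingURLMangler(geoServer), URLMangler.class);
    }

    /** Drops the extension singletons registered in {@link #initDAO()}. */
    @AfterClass
    public static void clearExtensions() {
        GeoServerExtensionsHelper.clear();
    }

    /**
     * Restores the default configuration before each test and forces enforcing mode: the
     * first reset reloads the config, the reportOnly flag is cleared and persisted, and the
     * second reset reloads that persisted state so every test starts from the same baseline.
     */
    @Before
    public void resetDAO() throws Exception {
        dao.reset();
        CSPConfiguration config = dao.getConfig();
        config.setReportOnly(false);
        dao.setConfig(config);
        dao.reset();
    }

    /**
     * Clears every system property the filter consults, before and after each test, so a
     * test that sets one cannot leak its value into another test (or into the rest of the
     * JVM).
     */
    @Before
    @After
    public void resetProperties() {
        System.clearProperty("geoserver.xframe.shouldSetPolicy");
        System.clearProperty("geoserver.xframe.policy");
        System.clearProperty("geoserver.csp.fallbackDirectives");
        System.clearProperty("geoserver.csp.remoteResources");
        System.clearProperty("geoserver.csp.frameAncestors");
        System.clearProperty("PROXY_BASE_URL");
        System.clearProperty("GEOSERVER_DISABLE_STATIC_WEB_FILES");
        System.clearProperty("GEOSERVER_STATIC_WEB_FILES_SCRIPT");
    }

    /** Disabling the whole configuration suppresses the header entirely. */
    @Test
    public void testDisabledConfig() throws Exception {
        dao.getConfig().setEnabled(false);
        assertHeader(null, "GET", null, null, null);
    }

    /** Disabling every policy suppresses the header entirely. */
    @Test
    public void testDisabledPolicies() throws Exception {
        dao.getConfig().getPolicies().forEach(policy -> policy.setEnabled(false));
        assertHeader(null, "GET", null, null, null);
    }

    /** Disabling every rule of every policy suppresses the header entirely. */
    @Test
    public void testDisabledRules() throws Exception {
        dao.getConfig()
                .getPolicies()
                .forEach(policy -> policy.getRules().forEach(rule -> rule.setEnabled(false)));
        assertHeader(null, "GET", null, null, null);
    }

    /**
     * An unreadable (here: empty) csp.xml must fail closed: the built-in fallback is a
     * fully locked-down policy rather than no header at all.
     */
    @Test
    public void testDefaultFallback() throws Exception {
        Path path = cspConfigPath();
        try {
            Files.write(path, new byte[0]);
            assertHeader(
                    "base-uri 'none'; form-action 'none'; default-src 'none'; frame-ancestors 'none';",
                    "GET", null, null, null);
        } finally {
            Files.delete(path);
        }
    }

    /** The fallback directives used on config failure can be overridden by system property. */
    @Test
    public void testCustomFallback() throws Exception {
        System.setProperty("geoserver.csp.fallbackDirectives", "frame-ancestors 'none';");
        Path path = cspConfigPath();
        try {
            Files.write(path, new byte[0]);
            assertHeader("frame-ancestors 'none';", "GET", null, null, null);
        } finally {
            Files.delete(path);
        }
    }

    // The default policy is applied regardless of HTTP method.

    @Test
    public void testGET() throws Exception {
        assertHeader(DEFAULT_HEADER, "GET", null, null, null);
    }

    @Test
    public void testHEAD() throws Exception {
        assertHeader(DEFAULT_HEADER, "HEAD", null, null, null);
    }

    @Test
    public void testPOST() throws Exception {
        assertHeader(DEFAULT_HEADER, "POST", null, null, null);
    }

    @Test
    public void testPUT() throws Exception {
        assertHeader(DEFAULT_HEADER, "PUT", null, null, null);
    }

    @Test
    public void testDELETE() throws Exception {
        assertHeader(DEFAULT_HEADER, "DELETE", null, null, null);
    }

    /** With injection enabled but no PROXY_BASE_URL configured, nothing is added. */
    @Test
    public void testInjectProxyBaseURLNotSet() throws Exception {
        dao.getConfig().setInjectProxyBase(true);
        assertHeader(DEFAULT_HEADER, "GET", null, null, null);
    }

    /**
     * The proxy base origin is appended to every fetch directive (but not base-uri or
     * frame-ancestors) when the request's host differs from the proxy host.
     */
    @Test
    public void testInjectProxyBaseURLWithoutPort() throws Exception {
        System.setProperty("PROXY_BASE_URL", "http://foo");
        dao.getConfig().setInjectProxyBase(true);
        assertHeader(
                "base-uri 'self'; form-action 'self' http://foo; default-src 'none'; "
                        + "child-src 'self' http://foo; connect-src 'self' http://foo; "
                        + "font-src 'self' http://foo; img-src 'self' http://foo data:; "
                        + "style-src 'self' http://foo 'unsafe-inline'; script-src 'self' http://foo;, "
                        + "frame-ancestors 'self';",
                "GET", null, null, null);
    }

    /** A non-default port in PROXY_BASE_URL is preserved in the injected source. */
    @Test
    public void testInjectProxyBaseURLWithPort() throws Exception {
        System.setProperty("PROXY_BASE_URL", "http://foo:8080");
        dao.getConfig().setInjectProxyBase(true);
        assertHeader(
                "base-uri 'self'; form-action 'self' http://foo:8080; default-src 'none'; "
                        + "child-src 'self' http://foo:8080; connect-src 'self' http://foo:8080; "
                        + "font-src 'self' http://foo:8080; img-src 'self' http://foo:8080 data:; "
                        + "style-src 'self' http://foo:8080 'unsafe-inline'; "
                        + "script-src 'self' http://foo:8080;, frame-ancestors 'self';",
                "GET", null, null, null);
    }

    /**
     * When the request already arrives at the proxy host (Host: localhost, see assertHeader),
     * 'self' already covers it and no extra source is injected.
     */
    @Test
    public void testInjectProxyBaseURLRequestToProxy() throws Exception {
        System.setProperty("PROXY_BASE_URL", "http://localhost");
        dao.getConfig().setInjectProxyBase(true);
        assertHeader(DEFAULT_HEADER, "GET", null, null, null);
    }

    /** Injection is a no-op when only the frame-ancestors policy remains enabled. */
    @Test
    public void testInjectProxyBaseURLNothingToInject() throws Exception {
        CSPConfiguration config = dao.getConfig();
        config.setInjectProxyBase(true);
        mainPolicy(config).setEnabled(false);
        assertHeader("frame-ancestors 'self';", "HEAD", null, null, null);
    }

    /** When static web files are disabled, /www/ paths get the ordinary policy. */
    @Test
    public void testStaticWebFileDisabled() throws Exception {
        System.setProperty("GEOSERVER_DISABLE_STATIC_WEB_FILES", "true");
        assertHeader(DEFAULT_HEADER, "GET", "/www/index.html", null, null);
    }

    /** GEOSERVER_STATIC_WEB_FILES_SCRIPT=SELF keeps script-src at 'self' for /www/ paths. */
    @Test
    public void testStaticWebFileScriptSelf() throws Exception {
        System.setProperty("GEOSERVER_STATIC_WEB_FILES_SCRIPT", "SELF");
        assertHeader(DEFAULT_HEADER, "GET", "/www/index.html", null, null);
    }

    /**
     * Default behaviour for static web files: script-src is relaxed to 'unsafe-inline'
     * 'unsafe-eval'. This is a deliberate weakening for user-supplied content under /www/
     * and is the reason the SELF / disabled variants above exist; it is pinned here so a
     * change to that default is caught.
     */
    @Test
    public void testStaticWebFileNoRemoteResources() throws Exception {
        assertHeader(
                "base-uri 'self'; form-action 'self'; default-src 'none'; child-src 'self'; "
                        + "connect-src 'self'; font-src 'self'; img-src 'self' data:; "
                        + "style-src 'self' 'unsafe-inline'; "
                        + "script-src 'self' 'unsafe-inline' 'unsafe-eval';, frame-ancestors 'self';",
                "GET", "/www/index.html", null, null);
    }

    /** A remoteResources value that is not a valid source expression is ignored, not emitted. */
    @Test
    public void testStaticWebFileInvalidRemoteResources() throws Exception {
        System.setProperty("geoserver.csp.remoteResources", "~!@#$");
        assertHeader(
                "base-uri 'self'; form-action 'self'; default-src 'none'; child-src 'self'; "
                        + "connect-src 'self'; font-src 'self'; img-src 'self' data:; "
                        + "style-src 'self' 'unsafe-inline'; "
                        + "script-src 'self' 'unsafe-inline' 'unsafe-eval';, frame-ancestors 'self';",
                "GET", "/www/index.html", null, null);
    }

    /** Remote resources from the system property are added to font/img/style/script only. */
    @Test
    public void testStaticWebFileRemoteResourcesProperty() throws Exception {
        System.setProperty("geoserver.csp.remoteResources", "http://foo");
        assertHeader(
                "base-uri 'self'; form-action 'self'; default-src 'none'; child-src 'self'; "
                        + "connect-src 'self'; font-src 'self' http://foo; img-src 'self' http://foo data:; "
                        + "style-src 'self' http://foo 'unsafe-inline'; "
                        + "script-src 'self' http://foo 'unsafe-inline' 'unsafe-eval';, frame-ancestors 'self';",
                "GET", "/www/index.html", null, null);
    }

    /** Remote resources from the configuration field behave like the property. */
    @Test
    public void testStaticWebFileRemoteResourcesField() throws Exception {
        dao.getConfig().setRemoteResources("http://bar");
        assertHeader(
                "base-uri 'self'; form-action 'self'; default-src 'none'; child-src 'self'; "
                        + "connect-src 'self'; font-src 'self' http://bar; img-src 'self' http://bar data:; "
                        + "style-src 'self' http://bar 'unsafe-inline'; "
                        + "script-src 'self' http://bar 'unsafe-inline' 'unsafe-eval';, frame-ancestors 'self';",
                "GET", "/www/index.html", null, null);
    }

    /** The system property wins over the configuration field when both are set. */
    @Test
    public void testStaticWebFileRemoteResourcesPropertyAndField() throws Exception {
        System.setProperty("geoserver.csp.remoteResources", "http://foo");
        dao.getConfig().setRemoteResources("http://bar");
        assertHeader(
                "base-uri 'self'; form-action 'self'; default-src 'none'; child-src 'self'; "
                        + "connect-src 'self'; font-src 'self' http://foo; img-src 'self' http://foo data:; "
                        + "style-src 'self' http://foo 'unsafe-inline'; "
                        + "script-src 'self' http://foo 'unsafe-inline' 'unsafe-eval';, frame-ancestors 'self';",
                "GET", "/www/index.html", null, null);
    }

    /** The welcome page is allowed inline scripts but, unlike /www/, not 'unsafe-eval'. */
    @Test
    public void testIndexPage() throws Exception {
        assertHeader(
                "base-uri 'self'; form-action 'self'; default-src 'none'; child-src 'self'; "
                        + "connect-src 'self'; font-src 'self'; img-src 'self' data:; "
                        + "style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline';, "
                        + "frame-ancestors 'self';",
                "GET", "/index.html", null, null);
    }

    // frame-ancestors is derived from the legacy X-Frame-Options settings unless overridden.

    /** X-Frame-Options SAMEORIGIN maps to frame-ancestors 'self'. */
    @Test
    public void testFrameAncestorsSAMEORIGIN() throws Exception {
        System.setProperty("geoserver.xframe.policy", "SAMEORIGIN");
        mainPolicy(dao.getConfig()).setEnabled(false);
        assertHeader("frame-ancestors 'self';", "GET", null, null, null);
    }

    /** X-Frame-Options DENY maps to frame-ancestors 'none'. */
    @Test
    public void testFrameAncestorsDENY() throws Exception {
        System.setProperty("geoserver.xframe.policy", "DENY");
        mainPolicy(dao.getConfig()).setEnabled(false);
        assertHeader("frame-ancestors 'none';", "GET", null, null, null);
    }

    /**
     * ALLOW-FROM has no CSP mapping, so no Content-Security-Policy header is emitted at all
     * in that mode. Note that this leaves framing protection entirely to the X-Frame-Options
     * handling (not asserted here), and ALLOW-FROM itself is not honoured by current browsers.
     */
    @Test
    public void testFrameAncestorsALLOWFROM() throws Exception {
        System.setProperty("geoserver.xframe.policy", "ALLOW-FROM http://foo");
        mainPolicy(dao.getConfig()).setEnabled(false);
        assertHeader(null, "GET", null, null, null);
    }

    /** Turning off the X-Frame-Options policy also turns off the derived frame-ancestors. */
    @Test
    public void testFrameAncestorsXFrameDisabled() throws Exception {
        System.setProperty("geoserver.xframe.shouldSetPolicy", "false");
        mainPolicy(dao.getConfig()).setEnabled(false);
        assertHeader(null, "GET", null, null, null);
    }

    /** An explicit frame-ancestors property replaces the X-Frame-Options mapping. */
    @Test
    public void testFrameAncestorsProperty() throws Exception {
        System.setProperty("geoserver.csp.frameAncestors", "https:");
        mainPolicy(dao.getConfig()).setEnabled(false);
        assertHeader("frame-ancestors https:;", "GET", null, null, null);
    }

    /** An explicit frame-ancestors configuration field replaces the X-Frame-Options mapping. */
    @Test
    public void testFrameAncestorsField() throws Exception {
        CSPConfiguration config = dao.getConfig();
        config.setFrameAncestors("http:");
        mainPolicy(config).setEnabled(false);
        assertHeader("frame-ancestors http:;", "GET", null, null, null);
    }

    /** The system property wins over the configuration field when both are set. */
    @Test
    public void testFrameAncestorsPropertyAndField() throws Exception {
        System.setProperty("geoserver.csp.frameAncestors", "https:");
        CSPConfiguration config = dao.getConfig();
        config.setFrameAncestors("http:");
        mainPolicy(config).setEnabled(false);
        assertHeader("frame-ancestors https:;", "GET", null, null, null);
    }

    /** Path of the CSP configuration file in the test data directory. */
    private static Path cspConfigPath() {
        return dd.getSecurity(CSP_CONFIG_FILE).file().toPath();
    }

    /** The first configured policy, i.e. the one carrying the main (non frame-ancestors) directives. */
    private static CSPPolicy mainPolicy(CSPConfiguration config) {
        return config.getPolicies().get(0);
    }

    /**
     * Runs a mock request through SecurityHeadersFilter and checks the resulting
     * Content-Security-Policy header.
     *
     * <p>Only the enforcing header is inspected; {@link #resetDAO()} forces reportOnly to
     * false for every test, so a Content-Security-Policy-Report-Only header is not expected.
     * The request always carries {@code Host: localhost} over plain http, which is what the
     * proxy-base tests rely on to decide whether the request is already "at" the proxy.
     *
     * @param expected exact header value, or {@code null} to assert the header is absent
     * @param method HTTP method of the mock request
     * @param pathInfo request path info, may be {@code null}
     * @param queryString request query string, may be {@code null}
     * @param params request parameters, may be {@code null} for none
     */
    private static void assertHeader(
            String expected, String method, String pathInfo, String queryString, Map<String, ?> params)
            throws Exception {
        MockHttpServletRequest request = new MockHttpServletRequest(method, "");
        request.setPathInfo(pathInfo);
        request.setQueryString(queryString);
        request.setParameters(params != null ? params : Collections.emptyMap());
        request.setProtocol("http");
        request.addHeader("Host", "localhost");
        MockHttpServletResponse response = new MockHttpServletResponse();
        new SecurityHeadersFilter().doFilter(request, response, new MockFilterChain());
        String actual = response.getHeader("Content-Security-Policy");
        if (expected == null) {
            Assert.assertNull(actual);
        } else {
            Assert.assertEquals(expected, actual);
        }
    }
}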
