package org.geoserver.security.csp;

import java.io.IOException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.geoserver.catalog.WorkspaceInfo;
import org.geoserver.catalog.impl.WorkspaceInfoImpl;
import org.geoserver.config.GeoServer;
import org.geoserver.config.GeoServerDataDirectory;
import org.geoserver.config.SettingsInfo;
import org.geoserver.config.impl.SettingsInfoImpl;
import org.geoserver.config.util.XStreamPersisterFactory;
import org.geoserver.ows.ProxifyingURLMangler;
import org.geoserver.ows.Request;
import org.geoserver.ows.URLMangler;
import org.geoserver.platform.GeoServerExtensionsHelper;
import org.geoserver.platform.resource.Resource;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.ClassRule;
import org.junit.Test;
import org.junit.rules.TemporaryFolder;
import org.mockito.ArgumentMatchers;
import org.mockito.Mockito;
import org.springframework.mock.web.MockHttpServletRequest;
import org.springframework.mock.web.MockHttpServletResponse;

/* loaded from: input_file:org/geoserver/security/csp/CSPHeaderDAOTest.class */
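/**
 * Unit tests for {@link CSPHeaderDAO}, the component that loads the Content-Security-Policy
 * configuration ({@code csp.xml} / {@code csp_default.xml} in the security directory) and
 * adjusts the {@code Content-Security-Policy} response header for proxied requests.
 *
 * <p>Three areas are pinned here:
 *
 * <ul>
 *   <li>which configuration files the constructor rewrites on start-up;
 *   <li>how {@link CSPHeaderDAO#init(Request)} re-evaluates the proxy policy when a workspace
 *       carries its own proxy base URL;
 *   <li>how {@code getPropertyValue} and {@code matchesProxyBase} treat property keys, property
 *       values and forwarding headers.
 * </ul>
 *
 * <p>The policy strings used as fixtures ({@code "default-src: http://foo;"}) carry a colon after
 * the directive name, which is not CSP syntax. They only exercise placeholder substitution and
 * header comparison and must not be copied into a real policy.
 *
 * <p>All tests share one static DAO and one static {@link SettingsInfo}; every test that mutates
 * them restores the previous state in a {@code finally} block so that a failure cannot leak a
 * workspace, a proxy base URL or a truncated {@code csp.xml} into later tests.
 */
public class CSPHeaderDAOTest {

    /** System property (and configuration field) naming the extra remote origins for the policy. */
    private static final String REMOTE_RESOURCES_KEY = "geoserver.csp.remoteResources";

    /** System property holding the globally configured proxy base URL. */
    private static final String PROXY_BASE_URL_KEY = "PROXY_BASE_URL";

    /** Response header under test. */
    private static final String CSP_HEADER = "Content-Security-Policy";

    /** Proxy policy template whose placeholder is resolved against the proxy base URL. */
    private static final String PROXY_POLICY = "default-src: ${proxy.base.url}";

    /** Minimal XML used to overwrite a configuration file with content that is not the default. */
    private static final String STUB_CONFIG = "<config></config>";

    /**
     * Pause between recording a file's modification time and re-creating the DAO.
     *
     * <p>NOTE(review): 5 ms only separates the two timestamps on filesystems that record
     * modification times at millisecond resolution or finer. On a coarser filesystem the
     * "unexpectedly updated" assertions can pass without proving anything and
     * {@link #testInitializeUpdateOutdatedFiles()} can fail spuriously.
     */
    private static final long MTIME_PAUSE_MS = 5L;

    @ClassRule
    public static TemporaryFolder folder = new TemporaryFolder();

    private static XStreamPersisterFactory xpf = null;
    private static GeoServerDataDirectory dd = null;
    private static CSPHeaderDAO dao = null;
    private static SettingsInfo settings = null;

    /**
     * Builds the shared DAO on a temporary data directory, backed by a mocked {@link GeoServer}
     * whose global settings do not take the proxy URL from request headers, and registers the
     * proxifying URL mangler as an extension.
     */
    @BeforeClass
    public static void initDAO() throws IOException {
        dd = new GeoServerDataDirectory(folder.getRoot());
        xpf = new XStreamPersisterFactory();
        GeoServer geoServer = Mockito.mock(GeoServer.class);
        settings = new SettingsInfoImpl();
        settings.setUseHeadersProxyURL(false);
        Mockito.when(geoServer.getSettings()).thenReturn(settings);
        dao = new CSPHeaderDAO(geoServer, dd, xpf);
        GeoServerExtensionsHelper.singleton("proxyfier", new ProxifyingURLMangler(geoServer), URLMangler.class);
    }

    /** Removes the extension registered by {@link #initDAO()}. */
    @AfterClass
    public static void clearExtensions() {
        GeoServerExtensionsHelper.clear();
    }

    /** Resets the DAO and stores a configuration with report-only mode switched off. */
    @Before
    public void resetDAO() throws Exception {
        dao.reset();
        CSPConfiguration config = dao.getConfig();
        config.setReportOnly(false);
        dao.setConfig(config);
    }

    /**
     * Drops the proxy policy set by a test so that it cannot influence the next one (the method
     * name suggests the policy is held per thread).
     */
    @After
    public void remoteThreadLocal() {
        CSPHeaderDAO.removeProxyPolicy();
    }

    /** Clears the system properties the tests set, both before and after every test. */
    @Before
    @After
    public void resetProperties() {
        System.clearProperty(REMOTE_RESOURCES_KEY);
        System.clearProperty(PROXY_BASE_URL_KEY);
    }

    /** Re-creating the DAO over up-to-date files must not rewrite either file. */
    @Test
    public void testInitializeFromExistingFiles() throws Exception {
        long configModified = configFile().lastmodified();
        long defaultModified = defaultFile().lastmodified();
        Thread.sleep(MTIME_PAUSE_MS);
        new CSPHeaderDAO((GeoServer) null, dd, xpf);
        Assert.assertEquals("csp.xml was unexpectedly updated", configModified, configFile().lastmodified());
        Assert.assertEquals("csp_default.xml was unexpectedly updated", defaultModified, defaultFile().lastmodified());
    }

    /**
     * A {@code csp.xml} that differs from an unchanged {@code csp_default.xml} is left untouched
     * (presumably because it counts as an administrator's customisation).
     */
    @Test
    public void testInitializeDoNotUpdatedFile() throws Exception {
        writeStubConfig(configFile());
        long configModified = configFile().lastmodified();
        long defaultModified = defaultFile().lastmodified();
        Thread.sleep(MTIME_PAUSE_MS);
        new CSPHeaderDAO((GeoServer) null, dd, xpf);
        Assert.assertEquals("csp.xml was unexpectedly updated", configModified, configFile().lastmodified());
        Assert.assertEquals("csp_default.xml was unexpectedly updated", defaultModified, defaultFile().lastmodified());
    }

    /** A missing {@code csp_default.xml} is re-created without touching {@code csp.xml}. */
    @Test
    public void testInitializeWithMissingDefaultFile() throws Exception {
        long configModified = configFile().lastmodified();
        Files.delete(defaultFile().file().toPath());
        Thread.sleep(MTIME_PAUSE_MS);
        new CSPHeaderDAO((GeoServer) null, dd, xpf);
        Assert.assertEquals("csp.xml was unexpectedly updated", configModified, configFile().lastmodified());
        Assert.assertEquals("csp_default.xml was not re-created", Resource.Type.RESOURCE, defaultFile().getType());
    }

    /** When both files hold the same non-default content, both are rewritten. */
    @Test
    public void testInitializeUpdateOutdatedFiles() throws Exception {
        writeStubConfig(configFile());
        writeStubConfig(defaultFile());
        long configModified = configFile().lastmodified();
        long defaultModified = defaultFile().lastmodified();
        Thread.sleep(MTIME_PAUSE_MS);
        new CSPHeaderDAO((GeoServer) null, dd, xpf);
        Assert.assertNotEquals("csp.xml was not updated", configModified, configFile().lastmodified());
        Assert.assertNotEquals("csp_default.xml was not updated", defaultModified, defaultFile().lastmodified());
    }

    /** Without a proxy policy, {@code init} returns {@code null} for a {@code null} request. */
    @Test
    public void testInitRequestNoProxyPolicy() throws Exception {
        Assert.assertNull(dao.init((Request) null));
    }

    /** With the global proxy base URL property set, {@code init} still returns {@code null}. */
    @Test
    public void testInitRequestProxyPropertySet() throws Exception {
        System.setProperty(PROXY_BASE_URL_KEY, "http://foo");
        CSPHeaderDAO.setProxyPolicy(PROXY_POLICY);
        Assert.assertNull(dao.init((Request) null));
    }

    /** With a proxy policy but no workspace-local settings, {@code init} returns {@code null}. */
    @Test
    public void testInitRequestNoLocalSettings() throws Exception {
        CSPHeaderDAO.setProxyPolicy(PROXY_POLICY);
        Assert.assertNull(dao.init((Request) null));
    }

    /** Workspace-local settings without a proxy base URL: {@code init} returns {@code null}. */
    @Test
    public void testInitRequestNoLocalProxyBaseUrl() throws Exception {
        CSPHeaderDAO.setProxyPolicy(PROXY_POLICY);
        try {
            settings.setWorkspace(new WorkspaceInfoImpl());
            Assert.assertNull(dao.init((Request) null));
        } finally {
            settings.setWorkspace((WorkspaceInfo) null);
        }
    }

    /**
     * An unreadable (empty) {@code csp.xml} must not make {@code init} throw: the request is
     * handed back unchanged.
     *
     * <p>NOTE(review): the request carries no HTTP response here, so the test does not show which
     * policy, if any, reaches the client when the configuration cannot be loaded. An assertion
     * that the previously computed header is kept would document the fail-safe behaviour.
     */
    @Test
    public void testInitRequestConfigException() throws Exception {
        CSPHeaderDAO.setProxyPolicy(PROXY_POLICY);
        Request request = new Request();
        Path configPath = configFile().file().toPath();
        try {
            // Truncate csp.xml so that loading the configuration fails.
            Files.write(configPath, new byte[0]);
            settings.setWorkspace(new WorkspaceInfoImpl());
            settings.setProxyBaseUrl("http://foo");
            Assert.assertSame(request, dao.init(request));
        } finally {
            settings.setWorkspace((WorkspaceInfo) null);
            settings.setProxyBaseUrl((String) null);
            // Put a loadable csp.xml back for the tests that follow.
            Files.copy(defaultFile().file().toPath(), configPath, StandardCopyOption.REPLACE_EXISTING);
        }
    }

    /**
     * When the policy recomputed for the workspace-local proxy base URL equals the header already
     * on the response, no header is written.
     */
    @Test
    public void testInitRequestWithSameLocalProxyBaseUrl() throws Exception {
        CSPHeaderDAO.setProxyPolicy(PROXY_POLICY);
        MockHttpServletRequest httpRequest = new MockHttpServletRequest();
        httpRequest.addHeader("Host", "localhost");
        HttpServletResponse httpResponse = Mockito.mock(HttpServletResponse.class);
        Mockito.when(httpResponse.getHeader(CSP_HEADER)).thenReturn("default-src: http://foo;");
        Request request = new Request();
        request.setHttpRequest(httpRequest);
        request.setHttpResponse(httpResponse);
        try {
            settings.setWorkspace(new WorkspaceInfoImpl());
            settings.setProxyBaseUrl("http://foo");
            Assert.assertSame(request, dao.init(request));
            // any() rather than a specific name: no header at all may be rewritten.
            Mockito.verify(httpResponse, Mockito.never())
                    .setHeader(ArgumentMatchers.any(), ArgumentMatchers.any());
        } finally {
            settings.setWorkspace((WorkspaceInfo) null);
            settings.setProxyBaseUrl((String) null);
        }
    }

    /**
     * When the workspace-local proxy base URL differs from the one in the existing header, the
     * header is replaced by the policy built from the local URL.
     */
    @Test
    public void testInitRequestWithDifferentLocalProxyBaseUrl() throws Exception {
        CSPHeaderDAO.setProxyPolicy(PROXY_POLICY);
        MockHttpServletRequest httpRequest = new MockHttpServletRequest();
        httpRequest.addHeader("Host", "localhost");
        MockHttpServletResponse httpResponse = new MockHttpServletResponse();
        httpResponse.setHeader(CSP_HEADER, "default-src: http://bar;");
        Request request = new Request();
        request.setHttpRequest(httpRequest);
        request.setHttpResponse(httpResponse);
        try {
            settings.setWorkspace(new WorkspaceInfoImpl());
            settings.setProxyBaseUrl("http://foo");
            Assert.assertSame(request, dao.init(request));
            Assert.assertEquals("default-src: http://foo;", httpResponse.getHeader(CSP_HEADER));
        } finally {
            settings.setWorkspace((WorkspaceInfo) null);
            settings.setProxyBaseUrl((String) null);
        }
    }

    /**
     * A key that is not one of the CSP properties resolves to the empty string, so a policy
     * template cannot copy an arbitrary JVM system property (here {@code java.version}) into a
     * response header.
     */
    @Test
    public void testGetPropertyValueInvalidKey() throws Exception {
        Assert.assertEquals("", CSPHeaderDAO.getPropertyValue((HttpServletRequest) null, (CSPConfiguration) null, "java.version"));
    }

    /**
     * A system property value that does not validate is dropped (empty string) instead of being
     * placed into the policy.
     */
    @Test
    public void testGetPropertyValueInvalidPropertyValue() throws Exception {
        CSPConfiguration config = new CSPConfiguration();
        System.setProperty(REMOTE_RESOURCES_KEY, "~!@#$");
        Assert.assertEquals("", CSPHeaderDAO.getPropertyValue((HttpServletRequest) null, config, REMOTE_RESOURCES_KEY));
    }

    /** The same rejection applies when the invalid value comes from the configuration field. */
    @Test
    public void testGetPropertyValueInvalidFieldValue() throws Exception {
        CSPConfiguration config = new CSPConfiguration();
        config.setRemoteResources("~!@#$");
        Assert.assertEquals("", CSPHeaderDAO.getPropertyValue((HttpServletRequest) null, config, REMOTE_RESOURCES_KEY));
    }

    /** A known key with neither a system property nor a field value yields the empty string. */
    @Test
    public void testGetPropertyValueMissingValue() throws Exception {
        Assert.assertEquals("", CSPHeaderDAO.getPropertyValue((HttpServletRequest) null, new CSPConfiguration(), REMOTE_RESOURCES_KEY));
    }

    /** A well-formed origin supplied through the system property is returned as is. */
    @Test
    public void testGetPropertyValueValidPropertyValue() throws Exception {
        CSPConfiguration config = new CSPConfiguration();
        System.setProperty(REMOTE_RESOURCES_KEY, "http://geoserver.org");
        Assert.assertEquals("http://geoserver.org", CSPHeaderDAO.getPropertyValue((HttpServletRequest) null, config, REMOTE_RESOURCES_KEY));
    }

    /** A well-formed origin supplied through the configuration field is returned as is. */
    @Test
    public void testGetPropertyValueValidFieldValue() throws Exception {
        CSPConfiguration config = new CSPConfiguration();
        config.setRemoteResources("http://geoserver.org");
        Assert.assertEquals("http://geoserver.org", CSPHeaderDAO.getPropertyValue((HttpServletRequest) null, config, REMOTE_RESOURCES_KEY));
    }

    // matchesProxyBase: the request origin (scheme, host, port) is compared with the proxy base
    // URL. The tests below show that Forwarded and X-Forwarded-* request headers take part in
    // that comparison. Those headers are whatever the immediate peer sent, so they are only
    // meaningful behind a reverse proxy that overwrites them.
    // NOTE(review): confirm against CSPHeaderDAO what a mismatch, or a client-supplied match,
    // does to the emitted policy.

    /** Scheme mismatch (http request, https proxy base) does not match. */
    @Test
    public void testMatchesProxyBaseWrongProtocol() throws Exception {
        MockHttpServletRequest httpRequest = new MockHttpServletRequest();
        httpRequest.setScheme("http");
        Assert.assertFalse(CSPHeaderDAO.matchesProxyBase(httpRequest, new URL("https://foo")));
    }

    /** Host mismatch does not match. */
    @Test
    public void testMatchesProxyBaseWrongHost() throws Exception {
        MockHttpServletRequest httpRequest = new MockHttpServletRequest();
        httpRequest.setScheme("https");
        httpRequest.addHeader("Host", "bar");
        Assert.assertFalse(CSPHeaderDAO.matchesProxyBase(httpRequest, new URL("https://foo")));
    }

    /** An explicit port in the Host header that differs from the proxy base does not match. */
    @Test
    public void testMatchesProxyBaseWrongPort() throws Exception {
        MockHttpServletRequest httpRequest = new MockHttpServletRequest();
        httpRequest.setScheme("https");
        httpRequest.addHeader("Host", "foo:8080");
        Assert.assertFalse(CSPHeaderDAO.matchesProxyBase(httpRequest, new URL("https://foo")));
    }

    /** Without forwarding headers, scheme and Host alone match a proxy base on the default port. */
    @Test
    public void testMatchesProxyBaseNoForwardedHeaderDefaultPort() throws Exception {
        MockHttpServletRequest httpRequest = new MockHttpServletRequest();
        httpRequest.setScheme("https");
        httpRequest.addHeader("Host", "foo");
        Assert.assertTrue(CSPHeaderDAO.matchesProxyBase(httpRequest, new URL("https://foo")));
    }

    /** X-Forwarded-Proto/Host/Port describe the origin when present. */
    @Test
    public void testMatchesProxyBaseWithXForwardedHeaders() throws Exception {
        MockHttpServletRequest httpRequest = new MockHttpServletRequest();
        httpRequest.addHeader("X-Forwarded-Proto", "https");
        httpRequest.addHeader("X-Forwarded-Host", "foo");
        httpRequest.addHeader("X-Forwarded-Port", "443");
        Assert.assertTrue(CSPHeaderDAO.matchesProxyBase(httpRequest, new URL("https://foo")));
    }

    /** X-Forwarded-Port (443) wins over the port embedded in X-Forwarded-Host (8443). */
    @Test
    public void testMatchesProxyBaseWithXForwardedPort() throws Exception {
        MockHttpServletRequest httpRequest = new MockHttpServletRequest();
        httpRequest.addHeader("X-Forwarded-Proto", "https");
        httpRequest.addHeader("X-Forwarded-Host", "foo:8443");
        httpRequest.addHeader("X-Forwarded-Port", "443");
        Assert.assertTrue(CSPHeaderDAO.matchesProxyBase(httpRequest, new URL("https://foo")));
    }

    /** The standard Forwarded header supplies proto and host; the port defaults from the scheme. */
    @Test
    public void testMatchesProxyBaseWithForwardedHeaderDefaultPort() throws Exception {
        MockHttpServletRequest httpRequest = new MockHttpServletRequest();
        httpRequest.addHeader("Forwarded", "for=127.0.0.1;proto=https;host=foo");
        Assert.assertTrue(CSPHeaderDAO.matchesProxyBase(httpRequest, new URL("https://foo")));
    }

    /** A port inside the Forwarded host parameter is compared with the proxy base port. */
    @Test
    public void testMatchesProxyBaseWithForwardedHeaderWithPort() throws Exception {
        MockHttpServletRequest httpRequest = new MockHttpServletRequest();
        httpRequest.addHeader("Forwarded", "for=127.0.0.1;proto=https;host=foo:8443");
        Assert.assertTrue(CSPHeaderDAO.matchesProxyBase(httpRequest, new URL("https://foo:8443")));
    }

    /** A Forwarded header without proto and host does not match. */
    @Test
    public void testMatchesProxyBaseWithMissingForwardedHeaderParts() throws Exception {
        MockHttpServletRequest httpRequest = new MockHttpServletRequest();
        httpRequest.addHeader("Forwarded", "for=127.0.0.1");
        Assert.assertFalse(CSPHeaderDAO.matchesProxyBase(httpRequest, new URL("https://foo")));
    }

    /** Overwrites the given configuration resource with {@link #STUB_CONFIG}, encoded as UTF-8. */
    private static void writeStubConfig(Resource resource) throws IOException {
        Files.write(resource.file().toPath(), STUB_CONFIG.getBytes(StandardCharsets.UTF_8));
    }

    /** Returns the active configuration file, {@code csp.xml}, in the security directory. */
    private static Resource configFile() {
        return dd.getSecurity(new String[]{"csp.xml"});
    }

    /** Returns the shipped default configuration, {@code csp_default.xml}. */
    private static Resource defaultFile() {
        return dd.getSecurity(new String[]{"csp_default.xml"});
    }
}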
