package org.geoserver.security.csp;

import java.util.Arrays;
import java.util.Objects;
import java.util.logging.Logger;
import java.util.stream.Collectors;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import org.geotools.util.logging.Logging;

/* loaded from: input_file:org/geoserver/security/csp/CSPHttpResponseWrapper.class */
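/**
 * Response wrapper that intercepts {@link #setHeader(String, String)} calls for the {@code
 * Content-Security-Policy} and {@code Content-Security-Policy-Report-Only} headers and applies
 * the rules of the supplied {@link CSPConfiguration} before anything reaches the wrapped response.
 *
 * <p>Depending on the configuration, the incoming value is dropped, passed through, written in
 * place of the existing header, or merged with the header already present on the response.
 *
 * <p>NOTE(review): only {@code setHeader} is overridden in this class. A CSP header written with
 * {@code addHeader}, or directly on the unwrapped response, is not filtered by the code shown
 * here; confirm that those paths are covered elsewhere if the "no override" setting is meant to
 * be a hard guarantee.
 */
public class CSPHttpResponseWrapper extends HttpServletResponseWrapper {
    private static final Logger LOGGER = Logging.getLogger(CSPHttpResponseWrapper.class);

    /** Name of the enforcing policy header. */
    private static final String CSP_HEADER = "Content-Security-Policy";

    /** Name of the report-only policy header. */
    private static final String CSP_REPORT_ONLY_HEADER = "Content-Security-Policy-Report-Only";

    /** Configuration consulted on every intercepted CSP header write. */
    private final CSPConfiguration config;

    /**
     * Wraps the given response.
     *
     * @param httpServletResponse the response to delegate to
     * @param cSPConfiguration the configuration deciding how CSP header writes are handled
     */
    public CSPHttpResponseWrapper(HttpServletResponse httpServletResponse, CSPConfiguration cSPConfiguration) {
        super(httpServletResponse);
        this.config = cSPConfiguration;
    }

    /**
     * Sets a response header, routing the two CSP header names (compared case-insensitively)
     * through the configuration-aware handling and every other header straight to the wrapped
     * response.
     *
     * @param str the header name
     * @param str2 the header value
     */
    @Override
    public void setHeader(String str, String str2) {
        boolean cspHeader = CSP_HEADER.equalsIgnoreCase(str) || CSP_REPORT_ONLY_HEADER.equalsIgnoreCase(str);
        if (cspHeader) {
            setContentSecurityPolicy(str, str2);
            return;
        }
        super.setHeader(str, str2);
    }

    /**
     * Applies the configuration to an intercepted CSP header write.
     *
     * <ul>
     *   <li>{@code isEnabled()} false: the value is passed through only when {@code
     *       isAllowOverride()} is true, otherwise the call is dropped.
     *   <li>enabled, override not allowed: the value is merged with the header currently set
     *       under the configured name (report-only or enforcing, per {@code isReportOnly()}) and
     *       written under that configured name, whatever name the caller used.
     *   <li>enabled, override allowed: the value is written under the name the caller asked for;
     *       an existing header under the other name is cleared first.
     * </ul>
     *
     * @param name the CSP header name used by the caller
     * @param value the policy value supplied by the caller
     */
    private void setContentSecurityPolicy(String name, String value) {
        if (!this.config.isEnabled()) {
            if (this.config.isAllowOverride()) {
                super.setHeader(name, value);
            }
            return;
        }
        String configuredName = this.config.isReportOnly() ? CSP_REPORT_ONLY_HEADER : CSP_HEADER;
        String current = getHeader(configuredName);
        if (!this.config.isAllowOverride()) {
            if (value == null) {
                // A null value cannot be merged: previously it raised a NullPointerException as
                // soon as the existing header held a non "-src" directive, and otherwise reached
                // super.setHeader(name, null), which some containers treat as header removal.
                // Overriding is not allowed here, so the existing header is left untouched.
                LOGGER.fine(() -> "Ignoring null " + name + " header value, overriding is not allowed");
                return;
            }
            String merged = getMergedHeader(current, value);
            LOGGER.fine(() -> "Merging " + configuredName + " header:\n Old: " + current + "\n New: " + value
                    + "\n Merged: " + merged);
            super.setHeader(configuredName, merged);
            return;
        }
        if (current != null && !name.equalsIgnoreCase(configuredName)) {
            // The caller switches between enforcing and report-only: clear the header stored
            // under the configured name so both variants are not sent together. How a null
            // value is treated is up to the wrapped response implementation.
            super.setHeader(configuredName, null);
        }
        // Normalise the caller's spelling to the canonical header name.
        String requestedName = CSP_HEADER.equalsIgnoreCase(name) ? CSP_HEADER : CSP_REPORT_ONLY_HEADER;
        LOGGER.fine(() -> "Overriding header:\n Old" + configuredName + ": " + current + "\n New" + requestedName
                + ": " + value);
        super.setHeader(requestedName, value);
    }

    /**
     * Decides whether a directive taken from the existing header is carried over into the merged
     * header.
     *
     * <p>The directive name is the text before the first space. The directive is discarded when
     * that name contains {@code -src} or when the name occurs anywhere in the new header value.
     *
     * <p>NOTE(review): both checks are case-sensitive substring tests, not directive-name
     * comparisons. A name that merely appears inside another token of the new value also causes
     * the existing directive to be discarded; confirm this is acceptable for the policies in use.
     *
     * @param str the new header value supplied by the caller; must not be null
     * @param str2 one trimmed directive from the existing header
     * @return {@code str2} when the directive is kept, {@code null} when it is discarded
     */
    public static String getMergedDirective(String str, String str2) {
        int space = str2.indexOf(' ');
        String directiveName = space < 0 ? str2 : str2.substring(0, space);
        boolean discard = directiveName.contains("-src") || str.contains(directiveName);
        return discard ? null : str2;
    }

    /**
     * Builds the merged header value: the new value first, followed, as a second comma-separated
     * policy, by the directives of the existing header that {@link #getMergedDirective(String,
     * String)} keeps.
     *
     * @param oldValue the header value currently set, may be null
     * @param newValue the value supplied by the caller
     * @return {@code newValue} unchanged when there is nothing to carry over, otherwise {@code
     *     newValue} followed by {@code ", "} and the kept directives joined with {@code "; "}
     */
    private static String getMergedHeader(String oldValue, String newValue) {
        if (oldValue == null || newValue == null) {
            return newValue;
        }
        // The existing value may hold several comma-separated policies; flatten them into
        // individual directives before filtering.
        String carriedOver = Arrays.stream(oldValue.split(","))
                .flatMap(policy -> Arrays.stream(policy.split(";")))
                .map(String::trim)
                .map(directive -> getMergedDirective(newValue, directive))
                .filter(Objects::nonNull)
                .collect(Collectors.joining("; "));
        if (carriedOver.isEmpty()) {
            return newValue;
        }
        String terminator = newValue.endsWith(";") ? "" : ";";
        return newValue + terminator + ", " + carriedOver + ";";
    }
}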
