package org.geoserver.filters;

import java.io.IOException;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.logging.Logger;
import java.util.stream.Collectors;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.geoserver.platform.GeoServerExtensions;
import org.geoserver.security.csp.CSPHeaderDAO;
import org.geotools.util.logging.Logging;

/* loaded from: input_file:org/geoserver/filters/SecurityHeadersFilter.class */
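/**
 * Servlet filter that sets security-related HTTP response headers and then passes the request
 * down the filter chain.
 *
 * <p>Headers handled here, with the defaults applied by {@code initializeCache()}:
 *
 * <ul>
 *   <li>{@code Strict-Transport-Security}: disabled by default; when enabled it is only sent on
 *       requests for which {@code ServletRequest.isSecure()} returns true.
 *   <li>{@code X-Content-Type-Options: nosniff}: enabled by default, value is fixed.
 *   <li>{@code X-Frame-Options}: enabled by default with {@code SAMEORIGIN}.
 *   <li>{@code X-XSS-Protection}: disabled by default; the default value {@code 0} tells browsers
 *       to keep their legacy XSS filter switched off.
 * </ul>
 *
 * <p>The Content-Security-Policy header is not built here; it is delegated to {@code
 * CSPHeaderDAO}.
 *
 * <p>Settings are read once through {@code GeoServerExtensions.getProperty} on first use and kept
 * in an unmodifiable map for the lifetime of this filter instance, so a property changed
 * afterwards is not picked up by this instance.
 */
public class SecurityHeadersFilter implements Filter {
    private static final Logger LOGGER = Logging.getLogger(SecurityHeadersFilter.class);
    private static final String DEFAULT_HSTS_POLICY = "max-age=31536000 ; includeSubDomains";
    private static final String DEFAULT_FRAME_POLICY = "SAMEORIGIN";
    private static final String DEFAULT_XXSS_POLICY = "0";
    public static final String GEOSERVER_HSTS_SHOULD_SET_POLICY = "geoserver.hsts.shouldSetPolicy";
    public static final String GEOSERVER_HSTS_POLICY = "geoserver.hsts.policy";
    public static final String GEOSERVER_XFRAME_SHOULD_SET_POLICY = "geoserver.xframe.shouldSetPolicy";
    public static final String GEOSERVER_XFRAME_POLICY = "geoserver.xframe.policy";
    public static final String GEOSERVER_XCONTENT_TYPE_SHOULD_SET_POLICY = "geoserver.xContentType.shouldSetPolicy";
    public static final String GEOSERVER_XXSS_PROTECTION_SHOULD_SET_POLICY = "geoserver.xXssProtection.shouldSetPolicy";
    public static final String GEOSERVER_XXSS_PROTECTION_POLICY = "geoserver.xXssProtection.policy";

    // Lazily populated settings snapshot; volatile so the unsynchronized first check in
    // getCache() sees a fully published map.
    private volatile Map<String, Object> cache = null;

    /** No initialization is needed; settings are loaded lazily on the first request. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /**
     * Adds the enabled security headers to the response, lets {@code CSPHeaderDAO} apply the
     * Content-Security-Policy, and continues the chain.
     *
     * @param servletRequest the incoming request; cast to {@code HttpServletRequest} for the CSP
     *     step, so a non-HTTP request fails with {@code ClassCastException}
     * @param servletResponse the outgoing response; cast to {@code HttpServletResponse}
     * @param filterChain the remaining filter chain
     * @throws IOException if the chain throws it
     * @throws ServletException if the chain throws it
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        Map<String, Object> settings = getCache();

        // HSTS is only meaningful over HTTPS, hence the isSecure() gate.
        // NOTE(review): isSecure() is the container's view of the connection; behind a
        // TLS-terminating reverse proxy it may report false unless the container is set up to
        // honour the forwarded scheme, in which case this header is never emitted. Confirm per
        // deployment.
        if (servletRequest.isSecure() && isEnabled(settings, GEOSERVER_HSTS_SHOULD_SET_POLICY)) {
            response.setHeader("Strict-Transport-Security", (String) settings.get(GEOSERVER_HSTS_POLICY));
        }
        if (isEnabled(settings, GEOSERVER_XCONTENT_TYPE_SHOULD_SET_POLICY)) {
            response.setHeader("X-Content-Type-Options", "nosniff");
        }
        if (isEnabled(settings, GEOSERVER_XFRAME_SHOULD_SET_POLICY)) {
            response.setHeader("X-Frame-Options", (String) settings.get(GEOSERVER_XFRAME_POLICY));
        }
        if (isEnabled(settings, GEOSERVER_XXSS_PROTECTION_SHOULD_SET_POLICY)) {
            response.setHeader("X-XSS-Protection", (String) settings.get(GEOSERVER_XXSS_PROTECTION_POLICY));
        }

        try {
            // The chain receives whatever setContentSecurityPolicy returns, not necessarily the
            // response object that was passed in.
            CSPHeaderDAO cspHeaderDao = GeoServerExtensions.bean(CSPHeaderDAO.class);
            filterChain.doFilter(
                    servletRequest,
                    cspHeaderDao.setContentSecurityPolicy((HttpServletRequest) servletRequest, response));
        } finally {
            // Runs even when the chain throws. Presumably clears per-request CSP state held by
            // CSPHeaderDAO; confirm against that class.
            CSPHeaderDAO.removeProxyPolicy();
        }
    }

    /** Nothing to release. */
    @Override
    public void destroy() {
    }

    /**
     * Returns the settings snapshot, building it on first use with double-checked locking on the
     * volatile {@code cache} field.
     */
    private Map<String, Object> getCache() {
        Map<String, Object> settings = this.cache;
        if (settings == null) {
            synchronized (this) {
                settings = this.cache;
                if (settings == null) {
                    settings = initializeCache();
                    this.cache = settings;
                }
            }
        }
        return settings;
    }

    /** Reads a boolean flag from the settings snapshot; every flag key is always populated. */
    private static boolean isEnabled(Map<String, Object> settings, String key) {
        return (Boolean) settings.get(key);
    }

    /**
     * Looks up a property and parses it as a boolean.
     *
     * @param str property name
     * @param z value to use when the property is missing or blank
     * @return {@code Boolean.parseBoolean} of the trimmed property, so any text other than
     *     "true" (case-insensitive) yields false
     */
    private static boolean getBooleanProperty(String str, boolean z) {
        String value = getStringProperty(str, null);
        if (value == null) {
            return z;
        }
        return Boolean.parseBoolean(value);
    }

    /**
     * Looks up a property through {@code GeoServerExtensions.getProperty}.
     *
     * @param str property name
     * @param str2 value to use when the property is missing or blank
     * @return the trimmed property value, or {@code str2}
     */
    private static String getStringProperty(String str, String str2) {
        String property = GeoServerExtensions.getProperty(str);
        if (StringUtils.isBlank(property)) {
            return str2;
        }
        return property.trim();
    }

    /**
     * Builds the unmodifiable settings snapshot and logs it at FINE level.
     *
     * <p>Defaults: HSTS off, X-Content-Type-Options on, X-Frame-Options on with SAMEORIGIN,
     * X-XSS-Protection off with value "0". Policy strings are used as configured, without
     * validation.
     */
    private static Map<String, Object> initializeCache() {
        // Typed map (was a raw LinkedHashMap) so the logging lambda below type-checks without
        // casts; insertion order is kept so the log output lists settings in a stable order.
        Map<String, Object> settings = new LinkedHashMap<>();
        settings.put(GEOSERVER_HSTS_SHOULD_SET_POLICY, getBooleanProperty(GEOSERVER_HSTS_SHOULD_SET_POLICY, false));
        settings.put(GEOSERVER_HSTS_POLICY, getStringProperty(GEOSERVER_HSTS_POLICY, DEFAULT_HSTS_POLICY));
        settings.put(GEOSERVER_XCONTENT_TYPE_SHOULD_SET_POLICY, getBooleanProperty(GEOSERVER_XCONTENT_TYPE_SHOULD_SET_POLICY, true));
        settings.put(GEOSERVER_XFRAME_SHOULD_SET_POLICY, getBooleanProperty(GEOSERVER_XFRAME_SHOULD_SET_POLICY, true));
        settings.put(GEOSERVER_XFRAME_POLICY, getStringProperty(GEOSERVER_XFRAME_POLICY, DEFAULT_FRAME_POLICY));
        settings.put(GEOSERVER_XXSS_PROTECTION_SHOULD_SET_POLICY, getBooleanProperty(GEOSERVER_XXSS_PROTECTION_SHOULD_SET_POLICY, false));
        settings.put(GEOSERVER_XXSS_PROTECTION_POLICY, getStringProperty(GEOSERVER_XXSS_PROTECTION_POLICY, DEFAULT_XXSS_POLICY));

        // Supplier form: the message is only assembled when FINE logging is enabled.
        LOGGER.fine(() -> "Security HTTP response header settings: \n "
                + settings.entrySet().stream()
                        .map(entry -> entry.getKey() + " = " + entry.getValue())
                        .collect(Collectors.joining("\n ")));
        return Collections.unmodifiableMap(settings);
    }
}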
