package org.georchestra.security;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.annotations.VisibleForTesting;
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpCookie;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.stream.Collectors;
import javax.annotation.Nullable;
import javax.annotation.PostConstruct;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import lombok.NonNull;
import org.apache.http.Header;
import org.apache.http.HttpResponse;
import org.apache.http.client.methods.HttpRequestBase;
import org.apache.http.message.BasicHeader;
import org.georchestra.commons.configuration.GeorchestraConfiguration;
import org.georchestra.commons.security.SecurityHeaders;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.jdbc.datasource.init.ScriptUtils;
import org.springframework.util.StringUtils;

/* loaded from: input_file:WEB-INF/classes/org/georchestra/security/HeadersManagementStrategy.class */
public class HeadersManagementStrategy {
    protected static final Logger logger = LoggerFactory.getLogger(Proxy.class.getPackage().getName());
    private boolean noAcceptEncoding = false;
    private List<HeaderProvider> headerProviders = Collections.emptyList();
    private List<HeaderFilter> filters = new ArrayList(1);
    private String forcedReferer = null;

    @VisibleForTesting
    private List<CookieAffinity> cookieAffinityConfig = Collections.emptyList();

    @VisibleForTesting
    @Autowired
    private GeorchestraConfiguration georchestraConfig;

    public HeadersManagementStrategy() {
        this.filters.add(new SecurityRequestHeaderFilter());
    }

    @PostConstruct
    void initConfig() throws IOException {
        if (this.georchestraConfig.activated()) {
            Path resolve = Paths.get(this.georchestraConfig.getContextDataDir(), new String[0]).resolve("cookie-mappings.json");
            if (!Files.isRegularFile(resolve, new LinkOption[0])) {
                logger.info("File {} does not exist, not loading cookie affinity configuration");
                return;
            }
            logger.info("Loading Cookie Affinity configuration from " + resolve);
            InputStream newInputStream = Files.newInputStream(resolve, new OpenOption[0]);
            try {
                setCookieAffinity(Arrays.asList((CookieAffinity[]) new ObjectMapper().readValue(newInputStream, CookieAffinity[].class)));
                if (newInputStream != null) {
                    newInputStream.close();
                }
            } catch (Throwable th) {
                if (newInputStream != null) {
                    try {
                        newInputStream.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        }
    }

    public void setCookieAffinity(List<CookieAffinity> list) {
        this.cookieAffinityConfig = list == null ? Collections.emptyList() : (List) list.stream().filter((v0) -> {
            return Objects.nonNull(v0);
        }).collect(Collectors.toList());
        logger.info("Configured cookie affinity mappings: " + ((String) this.cookieAffinityConfig.stream().map((v0) -> {
            return v0.toString();
        }).collect(Collectors.joining(", "))));
    }

    public synchronized void configureRequestHeaders(HttpServletRequest httpServletRequest, HttpRequestBase httpRequestBase, boolean z, String str) {
        StringBuilder sb = logger.isTraceEnabled() ? new StringBuilder("Request Headers:\n==========================================================\n") : null;
        addHeaderToRequestAndLog(httpRequestBase, sb, SecurityHeaders.SEC_PROXY, "true");
        if (!HeaderProvider.isPreAuthorized(httpServletRequest)) {
            addAllowedIncomingHeaders(httpServletRequest, httpRequestBase, z, sb);
        }
        if (z) {
            handleRequestCookies(httpServletRequest, httpRequestBase, sb);
            applyHeaderProviders(httpServletRequest, httpRequestBase, sb, str);
        } else if (this.forcedReferer != null) {
            addHeaderToRequestAndLog(httpRequestBase, sb, "Referer", this.forcedReferer);
        }
        if (logger.isTraceEnabled()) {
            sb.append("==========================================================");
            logger.trace(sb.toString());
        }
    }

    private void applyHeaderProviders(HttpServletRequest httpServletRequest, HttpRequestBase httpRequestBase, StringBuilder sb, String str) {
        boolean isPreAuthorized = HeaderProvider.isPreAuthorized(httpServletRequest);
        HashMap hashMap = new HashMap();
        for (HeaderProvider headerProvider : this.headerProviders) {
            if (!isPreAuthorized || (headerProvider instanceof TrustedProxyRequestHeaderProvider)) {
                hashMap.putAll(headerProvider.getCustomRequestHeaders(httpServletRequest, str));
            } else {
                logger.debug("Bypassing header provider : {}", headerProvider.getClass().toString());
            }
        }
        hashMap.forEach((str2, str3) -> {
            if (isOneOf(str2, HeaderNames.HOST, HeaderNames.CONTENT_LENGTH)) {
                return;
            }
            if (!isOneOf(str2, SecurityHeaders.SEC_USERNAME, SecurityHeaders.SEC_ROLES) || httpRequestBase.getFirstHeader(str2) == null) {
                logger.debug("Adding header to proxied request: {} = {}", str2, str3);
                httpRequestBase.addHeader(str2, str3);
                addHeaderLog(sb, str2, str3);
                return;
            }
            for (Header header : httpRequestBase.getHeaders(str2)) {
                addHeaderLog(sb, header.getName(), header.getValue());
            }
        });
    }

    private boolean isOneOf(String str, String... strArr) {
        for (String str2 : strArr) {
            if (str.equalsIgnoreCase(str2)) {
                return true;
            }
        }
        return false;
    }

    private void addAllowedIncomingHeaders(HttpServletRequest httpServletRequest, HttpRequestBase httpRequestBase, boolean z, StringBuilder sb) {
        Iterator it = Collections.list(httpServletRequest.getHeaderNames()).iterator();
        while (it.hasNext()) {
            String str = (String) it.next();
            if (!ignoreIncomingHeader(str, httpServletRequest, httpRequestBase, z)) {
                addHeaderToRequestAndLog(httpRequestBase, sb, str, httpServletRequest.getHeader(str));
            }
        }
    }

    private boolean ignoreIncomingHeader(String str, HttpServletRequest httpServletRequest, HttpRequestBase httpRequestBase, boolean z) {
        if (str.compareToIgnoreCase(HeaderNames.CONTENT_LENGTH) == 0 || str.equalsIgnoreCase("Cookie") || filter(httpServletRequest, str, httpRequestBase)) {
            return true;
        }
        if ((this.noAcceptEncoding && str.equalsIgnoreCase("Accept-Encoding")) || str.equalsIgnoreCase("Transfer-Encoding") || str.equalsIgnoreCase(HeaderNames.HOST) || str.equalsIgnoreCase("Authorization") || str.toLowerCase().startsWith(HeaderNames.PROTECTED_HEADER_PREFIX)) {
            return true;
        }
        return (z || this.forcedReferer == null || !str.equalsIgnoreCase("Referer")) ? false : true;
    }

    private void addHeaderToRequestAndLog(HttpRequestBase httpRequestBase, @Nullable StringBuilder sb, String str, String str2) {
        logger.debug("Add Header: {} = {}", str, str2);
        httpRequestBase.addHeader(new BasicHeader(str, str2));
        addHeaderLog(sb, str, str2);
    }

    private void addHeaderLog(StringBuilder sb, String str, CharSequence charSequence) {
        if (sb != null) {
            sb.append("\t" + str);
            sb.append("=");
            sb.append(charSequence);
            sb.append("\n");
        }
    }

    @VisibleForTesting
    public void handleRequestCookies(HttpServletRequest httpServletRequest, HttpRequestBase httpRequestBase, @Nullable StringBuilder sb) {
        Enumeration headers = httpServletRequest.getHeaders("Cookie");
        StringBuilder sb2 = new StringBuilder();
        while (headers.hasMoreElements()) {
            for (String str : ((String) headers.nextElement()).split(ScriptUtils.DEFAULT_STATEMENT_SEPARATOR)) {
                String trim = str.trim();
                if (trim.length() > 0 && !trim.startsWith(HeaderNames.JSESSION_ID)) {
                    if (sb2.length() > 0) {
                        sb2.append("; ");
                    }
                    sb2.append(trim);
                }
            }
        }
        HttpSession session = httpServletRequest.getSession();
        String path = httpRequestBase.getURI().getPath();
        if (session != null && session.getAttribute(HeaderNames.JSESSION_ID) != null) {
            Map map = (Map) session.getAttribute(HeaderNames.JSESSION_ID);
            String str2 = null;
            String str3 = null;
            for (String str4 : map.keySet()) {
                if (path.startsWith(str4)) {
                    logger.debug("Found possible matching JSessionId: Path={} id={} for {} of uri {}", str4, map.get(str4), path, httpRequestBase.getURI());
                    if (str2 == null || str2.length() < str4.length()) {
                        str2 = str4;
                        str3 = (String) map.get(str4);
                    }
                }
            }
            if (str2 != null) {
                if (sb2.length() > 0) {
                    sb2.append("; ");
                }
                sb2.append(str3);
            }
        }
        addHeaderLog(sb, "Cookie", sb2);
        httpRequestBase.addHeader(new BasicHeader("Cookie", sb2.toString()));
    }

    private boolean filter(HttpServletRequest httpServletRequest, String str, HttpRequestBase httpRequestBase) {
        Iterator<HeaderFilter> it = this.filters.iterator();
        while (it.hasNext()) {
            if (it.next().filter(str, httpServletRequest, httpRequestBase)) {
                return true;
            }
        }
        return false;
    }

    public synchronized void copyResponseHeaders(HttpServletRequest httpServletRequest, String str, HttpResponse httpResponse, HttpServletResponse httpServletResponse, Map<String, String> map) {
        HttpSession session = httpServletRequest.getSession(true);
        Collection headerNames = httpServletResponse.getHeaderNames();
        for (Header header : httpResponse.getAllHeaders()) {
            if (!header.getName().equalsIgnoreCase("Set-Cookie") && !defaultIgnores(header)) {
                if (headerNames.contains(header.getName())) {
                    httpServletResponse.setHeader(header.getName(), header.getValue());
                } else {
                    httpServletResponse.addHeader(header.getName(), header.getValue());
                }
            }
        }
        Iterator<HeaderProvider> it = this.headerProviders.iterator();
        while (it.hasNext()) {
            for (Header header2 : it.next().getCustomResponseHeaders()) {
                httpServletResponse.addHeader(header2.getName(), header2.getValue());
            }
        }
        Header[] headers = httpResponse.getHeaders("Set-Cookie");
        if (headers.length > 0) {
            handleResponseCookies(str, httpServletResponse, headers, session);
        }
    }

    @VisibleForTesting
    public void handleResponseCookies(String str, HttpServletResponse httpServletResponse, Header[] headerArr, HttpSession httpSession) {
        String[] split = str.split("/", 3);
        String str2 = split.length > 1 ? split[1] : null;
        Arrays.stream(headerArr).peek(header -> {
            logger.debug("Parsing header: '{}'", header.toString());
        }).map((v0) -> {
            return v0.getValue();
        }).map(HttpCookie::parse).filter(list -> {
            return !list.isEmpty();
        }).map(list2 -> {
            return (HttpCookie) list2.get(0);
        }).forEach(httpCookie -> {
            if (httpCookie.getName().equalsIgnoreCase(HeaderNames.JSESSION_ID)) {
                handleJSessionID(httpCookie, httpSession);
            } else {
                handleResponseCookie(httpCookie, str2, httpServletResponse);
            }
        });
    }

    private void handleResponseCookie(HttpCookie httpCookie, @Nullable String str, HttpServletResponse httpServletResponse) {
        String str2;
        if (null == str) {
            str2 = "/";
        } else {
            str2 = (str.startsWith("/") ? "" : "/") + str;
        }
        Cookie cookie = new Cookie(httpCookie.getName(), httpCookie.getValue());
        if (null != httpCookie.getDomain()) {
            cookie.setDomain(httpCookie.getDomain());
        }
        cookie.setHttpOnly(cookie.isHttpOnly());
        cookie.setSecure(httpCookie.getSecure());
        cookie.setVersion(httpCookie.getVersion());
        cookie.setMaxAge(cookie.getMaxAge());
        cookie.setComment(httpCookie.getComment());
        cookie.setPath(str2);
        if (httpCookie.getPath() == null) {
            logger.debug("Current cookie has not path set, forcing it to {}", str2);
        } else {
            logger.debug("Current cookie {} has a path set to {}, forcing it to {}", httpCookie.getName(), httpCookie.getPath(), str2);
        }
        httpServletResponse.addCookie(cookie);
        String str3 = str2;
        this.cookieAffinityConfig.stream().filter(cookieAffinity -> {
            return str3.equals(cookieAffinity.getFrom()) && cookie.getName().equalsIgnoreCase(cookieAffinity.getName());
        }).forEach(cookieAffinity2 -> {
            Cookie cookie2 = (Cookie) cookie.clone();
            cookie2.setPath(cookieAffinity2.getTo());
            logger.debug("Adding " + cookieAffinity2);
            httpServletResponse.addCookie(cookie2);
        });
    }

    private void handleJSessionID(@NonNull HttpCookie httpCookie, HttpSession httpSession) {
        if (httpCookie == null) {
            throw new NullPointerException("jSessionId is marked non-null but is null");
        }
        if (httpCookie.getPath() != null) {
            logger.debug("Storing the JSESSIONID into session for path {}", httpCookie.getPath());
            storeJsessionHeader(httpSession, httpCookie.getPath(), httpCookie.toString());
        }
    }

    private void storeJsessionHeader(HttpSession httpSession, String str, String str2) {
        Map map = (Map) httpSession.getAttribute(HeaderNames.JSESSION_ID);
        if (map == null) {
            map = new HashMap();
        }
        if (!StringUtils.isEmpty(str)) {
            for (String str3 : new HashMap(map).keySet()) {
                if (str3.startsWith(str)) {
                    map.remove(str3);
                }
            }
        }
        map.put(str, str2);
        httpSession.setAttribute(HeaderNames.JSESSION_ID, map);
    }

    private boolean defaultIgnores(Header header) {
        return header.getName().equalsIgnoreCase("Transfer-Encoding") && header.getValue().equalsIgnoreCase("chunked");
    }

    public void setNoAcceptEncoding(boolean z) {
        this.noAcceptEncoding = z;
    }

    public void setHeaderProviders(List<HeaderProvider> list) {
        this.headerProviders = list;
    }

    public void setFilters(List<HeaderFilter> list) {
        this.filters = list;
    }

    public void setReferer(String str) {
        this.forcedReferer = str;
    }

    List<CookieAffinity> getCookieAffinityConfig() {
        return this.cookieAffinityConfig;
    }

    void setGeorchestraConfig(GeorchestraConfiguration georchestraConfiguration) {
        this.georchestraConfig = georchestraConfiguration;
    }
}
