package com.almworks.structure.commons.security;

import com.atlassian.applinks.api.ReadOnlyApplicationLink;
import com.atlassian.applinks.api.ReadOnlyApplicationLinkService;
import com.atlassian.applinks.api.event.ApplicationLinkEvent;
import com.atlassian.cache.Cache;
import com.atlassian.cache.CacheLoader;
import com.atlassian.cache.CacheManager;
import com.atlassian.event.api.EventListener;
import com.atlassian.event.api.EventPublisher;
import java.net.HttpCookie;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.function.Function;
import java.util.stream.Collectors;
import javax.annotation.Nonnull;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:META-INF/lib/structure-shared-confluence-1.1.2.jar:com/almworks/structure/commons/security/SecurityInterceptorEnhancer.class */
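/**
 * Adjusts the anti-framing response headers (Content-Security-Policy {@code frame-ancestors},
 * X-Frame-Options, Set-Cookie) so that pages may be embedded by the hosts registered as
 * application links, and by nobody else.
 *
 * <p>Two caches back the decisions. The frame-ancestors cache holds the CSP source list derived
 * from every application link; the known-referrer cache maps a raw referrer (cookie value or
 * Referer header) to the canonical application-link URI whose origin it matches, or to an empty
 * set when it matches none. Both caches are flushed on every {@link ApplicationLinkEvent}.
 *
 * <p>Only values that come from the application-link service are ever echoed into a response
 * header; client-supplied referrers are used solely as lookup keys.
 */
public class SecurityInterceptorEnhancer {
    private static final Logger logger = LoggerFactory.getLogger(SecurityInterceptorEnhancer.class);
    private static final int DAY_IN_SECONDS = 86400;
    private static final String REFERRER_COOKIE = "structure.pages.referrer";
    private static final String JSESSION_COOKIE_NAME = "JSESSIONID";
    private static final String FRAME_ANCESTORS_DIRECTIVE = "frame-ancestors";
    private static final String SELF_SOURCE = "'self'";
    private static final String NONE_SOURCE = "'none'";
    private static final String FRAME_ANCESTORS_CACHE_NAME = "com.almworks.structure.confluence.helper.app-links";
    private static final String KNOWN_REFERRER_CACHE_NAME = "com.almworks.structure.confluence.helper.known-referrer";
    // The frame-ancestors list does not depend on the request, so a single key serves every response.
    private static final String ALL_ANCESTORS_KEY = "*";

    private final Cache<String, Set<String>> myFrameAncestorsCache;
    private final ReadOnlyApplicationLinkService myLinkService;
    private final EventPublisher myEventPublisher;
    private final Cache<String, Set<String>> myKnownReferrerCache;

    /**
     * Loads the CSP {@code frame-ancestors} source list: {@code 'self'} followed by the
     * scheme-qualified origin of every application link, in application-link order.
     */
    private class FrameAncestorsLoader implements CacheLoader<String, Set<String>> {
        @Override
        @NotNull
        public Set<String> load(@NotNull String key) {
            // The key is ignored on purpose; see ALL_ANCESTORS_KEY.
            Set<String> sources = new LinkedHashSet<>();
            sources.add(SELF_SOURCE);
            for (URI referrer : getKnownReferrers()) {
                sources.add(getOriginWithScheme(referrer));
            }
            return sources;
        }
    }

    /**
     * Resolves a raw referrer string to the application link whose host/port it matches.
     * The result is a singleton set holding the canonical application-link URI, or an empty
     * set when the referrer is unparsable, has no host, or matches no link.
     */
    private class KnownReferrerLoader implements CacheLoader<String, Set<String>> {
        @Override
        @Nonnull
        public Set<String> load(@Nonnull String referrer) {
            Set<URI> knownReferrers = getKnownReferrers();
            if (knownReferrers.isEmpty()) {
                return Collections.emptySet();
            }
            String origin;
            try {
                origin = getOrigin(new URI(referrer));
            } catch (URISyntaxException e) {
                // The value is client-supplied (cookie or Referer header); a malformed one is
                // an expected condition, not an application error, so it is not logged at ERROR.
                logger.debug("Ignoring malformed referrer", e);
                return Collections.emptySet();
            }
            if (origin == null) {
                return Collections.emptySet();
            }
            return knownReferrers.stream()
                .filter(uri -> StringUtils.equalsIgnoreCase(getOrigin(uri), origin))
                .findFirst()
                .map(uri -> Collections.singleton(uri.toString()))
                .orElse(Collections.emptySet());
        }
    }

    /**
     * Creates the enhancer, obtains its two caches and subscribes to application-link events.
     *
     * @param readOnlyApplicationLinkService source of the application links that may frame us
     * @param cacheManager provides the frame-ancestors and known-referrer caches
     * @param eventPublisher event bus used to learn about application-link changes; call
     *        {@link #destroy()} to unsubscribe
     */
    public SecurityInterceptorEnhancer(ReadOnlyApplicationLinkService readOnlyApplicationLinkService, CacheManager cacheManager, EventPublisher eventPublisher) {
        this.myLinkService = readOnlyApplicationLinkService;
        this.myEventPublisher = eventPublisher;
        this.myFrameAncestorsCache = cacheManager.getCache(FRAME_ANCESTORS_CACHE_NAME, new FrameAncestorsLoader());
        this.myKnownReferrerCache = cacheManager.getCache(KNOWN_REFERRER_CACHE_NAME, new KnownReferrerLoader());
        eventPublisher.register(this);
    }

    /**
     * Sets the Content-Security-Policy header to {@code policy} with the application-link
     * origins merged into its {@code frame-ancestors} directive (or a new directive appended
     * when the policy has none).
     *
     * @param response response whose CSP header is replaced
     * @param policy the policy the caller would otherwise send; null or blank means "none"
     */
    public void setContentSecurityPolicy(HttpServletResponse response, @Nullable String policy) {
        Set<String> ancestors = this.myFrameAncestorsCache.get(ALL_ANCESTORS_KEY);
        response.setHeader(HttpHeaders.CONTENT_SECURITY_POLICY, addAncestorSources(StringUtils.trimToEmpty(policy), ancestors));
    }

    /**
     * Returns {@code policy} with {@code ancestors} added to its {@code frame-ancestors}
     * directive. When the policy already has that directive it is rewritten in place (so the
     * browser does not see a second, ignored copy); otherwise one is appended.
     *
     * @param policy trimmed CSP value, possibly empty
     * @param ancestors sources to allow, already in CSP source-expression syntax
     */
    private String addAncestorSources(@NotNull String policy, Set<String> ancestors) {
        if (StringUtils.isEmpty(policy)) {
            return buildFrameAncestorsOption(ancestors);
        }
        String[] directives = policy.split(";");
        for (int i = 0; i < directives.length; i++) {
            String directive = directives[i].trim();
            if (isFrameAncestorsDirective(directive)) {
                directives[i] = extendFrameAncestorsDirective(directive, ancestors);
                return StringUtils.join(directives, ";");
            }
        }
        String prefix = policy.endsWith(";") ? policy : policy + ";";
        return prefix + buildFrameAncestorsOption(ancestors);
    }

    /**
     * True when {@code directive} is the {@code frame-ancestors} directive: the name, compared
     * case-insensitively, is either the whole string or followed by whitespace. A bare
     * {@code frame-ancestors} (no sources) must be recognised too, because the browser treats
     * it as {@code 'none'} and would ignore a second directive appended after it.
     */
    private static boolean isFrameAncestorsDirective(String directive) {
        if (!StringUtils.startsWithIgnoreCase(directive, FRAME_ANCESTORS_DIRECTIVE)) {
            return false;
        }
        int nameLength = FRAME_ANCESTORS_DIRECTIVE.length();
        return directive.length() == nameLength || Character.isWhitespace(directive.charAt(nameLength));
    }

    /**
     * Merges {@code ancestors} into an existing {@code frame-ancestors} directive.
     * An empty source list or a lone {@code 'none'} both forbid framing entirely and are
     * replaced by the ancestor list; any other list is extended, preserving its order.
     *
     * @param directive the trimmed directive, starting with {@code frame-ancestors}
     * @param ancestors sources to allow
     */
    private String extendFrameAncestorsDirective(String directive, Set<String> ancestors) {
        String remainder = directive.substring(FRAME_ANCESTORS_DIRECTIVE.length()).trim();
        Set<String> sources = new LinkedHashSet<>();
        if (!remainder.isEmpty()) {
            // trim() above guarantees no empty tokens from leading/trailing whitespace
            sources.addAll(Arrays.asList(remainder.split("\\s+")));
        }
        boolean blocksAll = sources.isEmpty()
            || (sources.size() == 1 && NONE_SOURCE.equalsIgnoreCase(sources.iterator().next()));
        if (blocksAll) {
            return buildFrameAncestorsOption(ancestors);
        }
        sources.addAll(ancestors);
        return buildFrameAncestorsOption(sources);
    }

    /** Renders a {@code frame-ancestors} directive from a list of CSP sources. */
    private String buildFrameAncestorsOption(Iterable<String> sources) {
        return FRAME_ANCESTORS_DIRECTIVE + " " + StringUtils.join(sources, " ");
    }

    /**
     * Sets X-Frame-Options for this request. When the request comes from a known referrer
     * (first via the {@value #REFERRER_COOKIE} cookie, then via the Referer header) the header
     * is {@code Allow-From <canonical application-link URI>} and, if the decision came from the
     * header, a cookie remembering that referrer is added so later requests without a Referer
     * get the same answer. Otherwise {@code defaultValue} is sent as-is.
     *
     * <p>Only the canonical URI from the application-link service is written into headers;
     * the client-supplied cookie or Referer value is never echoed.
     *
     * <p>{@code Allow-From} is a legacy directive that not every browser honours; the
     * {@code frame-ancestors} directive set by {@link #setContentSecurityPolicy} carries the
     * same decision for those.
     *
     * @param request the request being served
     * @param response response whose X-Frame-Options header is set
     * @param defaultValue header value to send when the referrer is unknown (may be null)
     */
    public void setXFrameOptions(HttpServletRequest request, HttpServletResponse response, @Nullable String defaultValue) {
        Optional<String> cookieReferrer = Optional.ofNullable(request.getCookies())
            .flatMap(this::getStructureReferrerCookie)
            .flatMap(this::lookupKnownReferrer);
        Optional<String> referrer = cookieReferrer.isPresent() ? cookieReferrer : getHeaderReferrer(request);
        if (!referrer.isPresent()) {
            logger.debug("Unknown referrer: {}", getOrigin(request));
            response.setHeader(HttpHeaders.X_FRAME_OPTIONS, defaultValue);
            return;
        }
        String knownReferrer = referrer.get();
        logger.debug("Known referrer: {}", knownReferrer);
        response.setHeader(HttpHeaders.X_FRAME_OPTIONS, "Allow-From " + knownReferrer);
        if (!cookieReferrer.isPresent()) {
            response.addHeader(HttpHeaders.SET_COOKIE, buildReferrerCookie(request, knownReferrer));
        }
    }

    /**
     * Builds the Set-Cookie value remembering {@code referrer} for one day, scoped to the
     * application's context path. Over HTTPS the cookie is marked {@code SameSite=None; Secure},
     * which is what a cookie read inside a third-party frame requires.
     */
    private static String buildReferrerCookie(HttpServletRequest request, String referrer) {
        String path = StringUtils.defaultIfEmpty(StringUtils.removeEnd(request.getContextPath(), "/"), "/");
        // String concatenation rather than String.format: %d would render the number with the
        // default locale's digits.
        String cookie = REFERRER_COOKIE + "=" + referrer + "; Path=" + path + "; Max-Age=" + DAY_IN_SECONDS;
        if ("https".equalsIgnoreCase(request.getScheme())) {
            cookie = cookie + "; SameSite=None; Secure";
        }
        return cookie;
    }

    /**
     * Looks {@code referrer} up in the known-referrer cache and returns the canonical
     * application-link URI it matches, if any.
     */
    private Optional<String> lookupKnownReferrer(String referrer) {
        // NOTE(review): the cache is keyed by the raw client-supplied value; bounding it relies
        // on the cache manager's own eviction settings.
        Set<String> known = this.myKnownReferrerCache.get(referrer);
        return known == null ? Optional.empty() : known.stream().findFirst();
    }

    /** Value of the first {@value #REFERRER_COOKIE} cookie among {@code cookies}, if present. */
    private Optional<String> getStructureReferrerCookie(Cookie[] cookies) {
        return Arrays.stream(cookies)
            .filter(SecurityInterceptorEnhancer::isReferrerCookie)
            .map(Cookie::getValue)
            .findFirst();
    }

    /**
     * Resolves the Referer header to a known application-link URI. Any runtime failure of the
     * cache lookup is logged and treated as "unknown" so that the header decision is still made.
     */
    @NotNull
    private Optional<String> getHeaderReferrer(HttpServletRequest request) {
        try {
            return Optional.ofNullable(request.getHeader(HttpHeaders.REFERER)).flatMap(this::lookupKnownReferrer);
        } catch (RuntimeException e) {
            logger.error("Cannot get referrer", e);
            return Optional.empty();
        }
    }

    /**
     * Returns the display and RPC URLs of every application link, each reduced to
     * scheme, host and port, in link order and without duplicates.
     */
    @NotNull
    public Set<URI> getKnownReferrers() {
        Set<URI> referrers = new LinkedHashSet<>();
        for (ReadOnlyApplicationLink link : this.myLinkService.getApplicationLinks()) {
            referrers.add(cutUrl(link.getDisplayUrl()));
            referrers.add(cutUrl(link.getRpcUrl()));
        }
        return referrers;
    }

    /** True when the request carries the {@value #REFERRER_COOKIE} cookie. */
    public static boolean hasOurCookie(HttpServletRequest request) {
        Cookie[] cookies = request.getCookies();
        if (cookies == null) {
            return false;
        }
        return Arrays.stream(cookies).anyMatch(SecurityInterceptorEnhancer::isReferrerCookie);
    }

    /** True when {@code cookie} is the referrer cookie (name compared case-insensitively). */
    private static boolean isReferrerCookie(@NotNull Cookie cookie) {
        return StringUtils.equalsIgnoreCase(cookie.getName(), REFERRER_COOKIE);
    }

    /**
     * On HTTPS responses, rewrites every Set-Cookie header for {@value #JSESSION_COOKIE_NAME}
     * to carry {@code SameSite=None; Secure} so the session survives inside a third-party frame.
     * Other single-cookie headers are kept unchanged. Headers that do not parse as exactly one
     * cookie are dropped (logged at WARN), matching the original "will be ignored" contract,
     * except that when no header at all is usable the response is left untouched.
     *
     * @param request used only to learn the scheme
     * @param response response whose Set-Cookie headers are rewritten in place
     */
    public static void appendSameSite(HttpServletRequest request, HttpServletResponse response) {
        if (!"https".equalsIgnoreCase(request.getScheme())) {
            return;
        }
        // Snapshot first: setHeader/addHeader below may mutate the collection that
        // getHeaders() is backed by, which would break iteration over the live view.
        List<String> headers = new ArrayList<>(response.getHeaders(HttpHeaders.SET_COOKIE));
        List<String> rewritten = new ArrayList<>(headers.size());
        for (String header : headers) {
            if (header == null || header.trim().isEmpty()) {
                continue;
            }
            List<HttpCookie> parsed;
            try {
                parsed = HttpCookie.parse(header);
            } catch (IllegalArgumentException e) {
                logger.warn("Cookie header violates the cookie specification and will be ignored.");
                continue;
            }
            if (parsed.size() != 1) {
                continue;
            }
            boolean isSession = JSESSION_COOKIE_NAME.equals(parsed.get(0).getName());
            rewritten.add(isSession ? appendSameSiteAttribute(header) : header);
        }
        if (rewritten.isEmpty()) {
            return;
        }
        // setHeader replaces the whole Set-Cookie list; the rest are appended after it.
        response.setHeader(HttpHeaders.SET_COOKIE, rewritten.get(0));
        for (String header : rewritten.subList(1, rewritten.size())) {
            response.addHeader(HttpHeaders.SET_COOKIE, header);
        }
    }

    /**
     * Appends {@code SameSite=None} and {@code Secure} to a Set-Cookie value unless the
     * corresponding attribute is already present. Presence is decided on the attribute
     * section only, so a cookie name or value that merely contains the word does not count.
     */
    private static String appendSameSiteAttribute(String header) {
        String result = header;
        if (hasCookieAttribute(header, "SameSite")) {
            logger.debug("Not adding SameSite cookie attribute as it already has one!");
        } else {
            result = result + "; SameSite=None";
        }
        if (hasCookieAttribute(header, "Secure")) {
            logger.debug("Not adding Secure cookie attribute as it already has one!");
        } else {
            result = result + "; Secure";
        }
        return result;
    }

    /**
     * True when the attribute section of a Set-Cookie value (everything after the first
     * {@code ;}) contains an attribute named {@code attribute}, compared case-insensitively
     * as cookie attribute names are.
     */
    private static boolean hasCookieAttribute(String header, String attribute) {
        String[] parts = header.split(";");
        for (int i = 1; i < parts.length; i++) {
            String part = parts[i].trim();
            int eq = part.indexOf('=');
            String name = eq < 0 ? part : part.substring(0, eq).trim();
            if (name.equalsIgnoreCase(attribute)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Reduces {@code uri} to scheme, host and port (no user info, path, query or fragment).
     * Falls back to the unchanged URI if the reduced form cannot be built.
     */
    @NotNull
    private static URI cutUrl(@NotNull URI uri) {
        try {
            return new URI(uri.getScheme(), null, uri.getHost(), uri.getPort(), null, null, null);
        } catch (URISyntaxException e) {
            logger.error("Cannot cut the URL " + uri, e);
            return uri;
        }
    }

    /** Origin (host[:port]) of the server the request was addressed to; used for logging only. */
    private static String getOrigin(HttpServletRequest request) {
        return getOrigin(request.getServerName(), request.getServerPort());
    }

    /**
     * Scheme-qualified origin of {@code uri} in CSP host-source form, e.g.
     * {@code https://host} or {@code http://host:8080}. The port is omitted when it is the
     * scheme's default (443 for https, 80 for http; compared case-insensitively) or unset.
     * Without a scheme the plain host[:port] form is returned.
     */
    public static String getOriginWithScheme(URI uri) {
        String scheme = uri.getScheme();
        int port = uri.getPort();
        if (scheme == null) {
            return getOrigin(uri.getHost(), port);
        }
        boolean defaultPort = ("https".equalsIgnoreCase(scheme) && port == 443)
            || ("http".equalsIgnoreCase(scheme) && port == 80);
        String origin = scheme + "://" + uri.getHost();
        return (defaultPort || port <= 0) ? origin : origin + ":" + port;
    }

    /**
     * Origin (host[:port]) of {@code uri}, or null when the URI has no host (relative or
     * opaque URIs), so that it can never match a real application-link origin.
     */
    public static String getOrigin(URI uri) {
        String host = uri.getHost();
        return host == null ? null : getOrigin(host, uri.getPort());
    }

    /**
     * Joins host and port, omitting the port when it is unset or 80. The rule ignores the
     * scheme on purpose: both sides of a referrer comparison go through this method, so only
     * consistency matters.
     */
    private static String getOrigin(@NotNull String host, int port) {
        return (port <= 0 || port == 80) ? host : host + ":" + port;
    }

    /** Unsubscribes from application-link events; call once when the component is disposed. */
    public void destroy() {
        logger.warn("{} stopping", this);
        this.myEventPublisher.unregister(this);
    }

    /** Drops both caches so the next request recomputes them from the current application links. */
    @EventListener
    public void onAppLinkEvent(ApplicationLinkEvent applicationLinkEvent) {
        this.myKnownReferrerCache.removeAll();
        this.myFrameAncestorsCache.removeAll();
    }
}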
