package com.liferay.portal.security.content.security.policy.internal.servlet.filter;

import com.liferay.petra.string.StringBundler;
import com.liferay.portal.configuration.module.configuration.ConfigurationProvider;
import com.liferay.portal.kernel.util.Portal;
import com.liferay.portal.kernel.util.StringUtil;
import com.liferay.portal.kernel.util.Validator;
import com.liferay.portal.security.content.security.policy.internal.ContentSecurityPolicyNonceManager;
import com.liferay.portal.security.content.security.policy.internal.configuration.ContentSecurityPolicyConfiguration;
import com.liferay.portal.security.content.security.policy.internal.configuration.ContentSecurityPolicyConfigurationUtil;
import com.liferay.portal.servlet.filters.BasePortalFilter;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletOutputStream;
import javax.servlet.WriteListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

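/**
 * Servlet filter that issues a per-request Content-Security-Policy header and
 * stamps the matching nonce onto the {@code <link>} and {@code <style>} tags
 * of the response body.
 *
 * <p>
 * The filter buffers the whole downstream response in memory, rewrites it, and
 * only then writes it to the real response. It is registered for
 * {@code REQUEST} and {@code FORWARD} dispatches on {@code /*}.
 * </p>
 *
 * <p>
 * NOTE(review): the nonce is added to <em>every</em> {@code <link>} and
 * {@code <style>} tag found in the buffered body, whatever produced it. The
 * nonce therefore does not distinguish markup written by the portal from
 * markup that reached the page through unescaped user content. Output encoding
 * of user-controlled HTML remains the primary control for those two elements.
 * </p>
 */
@Component(property = {"after-filter=Portal CORS Servlet Filter", "dispatcher=FORWARD", "dispatcher=REQUEST", "servlet-context-name=", "servlet-filter-name=Content Security Policy Filter", "url-pattern=/*"}, service = {Filter.class})
public class ContentSecurityPolicyFilter extends BasePortalFilter {
    // Request URI prefixes that are always skipped, independent of configuration.
    // NOTE(review): presumably these requests are handled again on the FORWARD
    // dispatch; confirm, because a skipped request gets no CSP header.
    private static final String[] _INTERNALLY_EXCLUDED_PATHS = {"/group/", "/user/", "/web/"};

    // Tag patterns are constant, so they are compiled once and not per response.
    private static final Pattern _LINK_WITH_ATTRIBUTES_PATTERN = Pattern.compile("<(?i)link ");
    private static final Pattern _LINK_WITHOUT_ATTRIBUTES_PATTERN = Pattern.compile("<(?i)link>");
    private static final Pattern _STYLE_WITH_ATTRIBUTES_PATTERN = Pattern.compile("<(?i)style ");
    private static final Pattern _STYLE_WITHOUT_ATTRIBUTES_PATTERN = Pattern.compile("<(?i)style>");

    @Reference
    private ConfigurationProvider _configurationProvider;

    @Reference
    private ContentSecurityPolicyNonceManager _contentSecurityPolicyNonceManager;

    @Reference
    private Portal _portal;

    /**
     * Response wrapper that captures everything written downstream in an
     * in-memory buffer so the filter can rewrite it before it is sent.
     *
     * <p>
     * NOTE(review): the buffer has no upper bound; the whole response body is
     * held in memory for every request the filter handles.
     * </p>
     */
    private static class ContentSecurityPolicyHttpServletResponse extends HttpServletResponseWrapper {
        private final ByteArrayOutputStream _byteArrayOutputStream;
        private PrintWriter _printWriter;
        private ServletOutputStream _servletOutputStream;

        public ContentSecurityPolicyHttpServletResponse(HttpServletResponse httpServletResponse) {
            super(httpServletResponse);
            // Start with the container's buffer size; the buffer grows on demand.
            this._byteArrayOutputStream = new ByteArrayOutputStream(httpServletResponse.getBufferSize());
        }

        /**
         * Flushes the wrapped response and then pushes any pending characters or
         * bytes from the capturing writer/stream into the in-memory buffer.
         */
        @Override
        public void flushBuffer() throws IOException {
            super.flushBuffer();
            if (this._printWriter != null) {
                this._printWriter.flush();
            } else if (this._servletOutputStream != null) {
                this._servletOutputStream.flush();
            }
        }

        /**
         * Closes whichever capturing writer or stream was handed out and returns
         * the buffered bytes decoded with the response character encoding.
         *
         * @return the captured response body
         * @throws IOException if closing fails or the encoding is unsupported
         */
        public String getContent() throws IOException {
            if (this._printWriter != null) {
                // Closing also flushes the writer's internal buffer into the byte array.
                this._printWriter.close();
            } else if (this._servletOutputStream != null) {
                this._servletOutputStream.close();
            }
            return this._byteArrayOutputStream.toString(getCharacterEncoding());
        }

        /**
         * Returns a stream that writes into the in-memory buffer instead of the
         * real response.
         *
         * @throws IllegalStateException if {@link #getWriter()} was called first
         */
        @Override
        public ServletOutputStream getOutputStream() {
            if (this._printWriter != null) {
                throw new IllegalStateException("Get writer has already been called");
            }
            if (this._servletOutputStream == null) {
                this._servletOutputStream = new ServletOutputStream() {
                    @Override
                    public void close() throws IOException {
                        ContentSecurityPolicyHttpServletResponse.this._byteArrayOutputStream.close();
                    }

                    @Override
                    public void flush() throws IOException {
                        ContentSecurityPolicyHttpServletResponse.this._byteArrayOutputStream.flush();
                    }

                    @Override
                    public boolean isReady() {
                        // The previous implementation delegated to _servletOutputStream,
                        // which is this very object, and so recursed until the stack
                        // overflowed. Writes to the in-memory buffer never block.
                        return true;
                    }

                    @Override
                    public void setWriteListener(WriteListener writeListener) {
                        // Same self-delegation problem as isReady(). Non-blocking
                        // writes are not supported on the capturing stream, so fail
                        // with a clear error instead of a StackOverflowError.
                        throw new UnsupportedOperationException("Write listeners are not supported on the buffered response");
                    }

                    @Override
                    public void write(byte[] bytes, int offset, int length) {
                        // Bulk write; avoids the byte-by-byte fallback of OutputStream.
                        ContentSecurityPolicyHttpServletResponse.this._byteArrayOutputStream.write(bytes, offset, length);
                    }

                    @Override
                    public void write(int i) {
                        ContentSecurityPolicyHttpServletResponse.this._byteArrayOutputStream.write(i);
                    }
                };
            }
            return this._servletOutputStream;
        }

        /**
         * Returns a writer that encodes into the in-memory buffer using the
         * response character encoding.
         *
         * @throws IllegalStateException if {@link #getOutputStream()} was called first
         */
        @Override
        public PrintWriter getWriter() throws IOException {
            if (this._servletOutputStream != null) {
                throw new IllegalStateException("Get output stream has already been called");
            }
            if (this._printWriter == null) {
                this._printWriter = new PrintWriter(new OutputStreamWriter(this._byteArrayOutputStream, getCharacterEncoding()));
            }
            return this._printWriter;
        }
    }

    /**
     * Decides whether the filter runs for this request.
     *
     * @return {@code true} only when the configuration is enabled, a policy is
     *         configured and the request URI is not under an excluded prefix
     */
    @Override
    public boolean isFilterEnabled(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        ContentSecurityPolicyConfiguration contentSecurityPolicyConfiguration = ContentSecurityPolicyConfigurationUtil.setContentSecurityPolicyConfiguration(this._configurationProvider, httpServletRequest, this._portal);
        return contentSecurityPolicyConfiguration.enabled() && !Validator.isNull(contentSecurityPolicyConfiguration.policy()) && !_isExcludedURIPath(contentSecurityPolicyConfiguration, httpServletRequest);
    }

    /**
     * Sets the Content-Security-Policy header with a fresh nonce, runs the rest
     * of the chain against a buffering wrapper, and writes the rewritten body to
     * the real response.
     *
     * <p>
     * The configured policy is a template: each {@code [$NONCE$]} token is
     * replaced with {@code nonce-<value>}. {@code setHeader} replaces any
     * Content-Security-Policy header set earlier in the chain.
     * </p>
     *
     * <p>
     * NOTE(review): the content type is forced to {@code text/html} and the
     * body is decoded and re-encoded as text for every request that reaches this
     * filter. Confirm that non-HTML and binary responses never reach it, or are
     * covered by the excluded paths.
     * </p>
     */
    @Override
    protected void processFilter(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws Exception {
        String nonce = this._contentSecurityPolicyNonceManager.setNonce(httpServletRequest);
        try {
            httpServletResponse.setContentType("text/html; charset=UTF-8");
            httpServletResponse.setHeader("Content-Security-Policy", StringUtil.replace(ContentSecurityPolicyConfigurationUtil.getContentSecurityPolicyConfiguration(httpServletRequest).policy(), "[$NONCE$]", "nonce-" + nonce));
            PrintWriter writer = httpServletResponse.getWriter();
            ContentSecurityPolicyHttpServletResponse contentSecurityPolicyHttpServletResponse = new ContentSecurityPolicyHttpServletResponse(httpServletResponse);
            filterChain.doFilter(httpServletRequest, contentSecurityPolicyHttpServletResponse);
            String updatedContent = _updateContent(contentSecurityPolicyHttpServletResponse.getContent(), nonce);
            // Content-Length counts encoded bytes, not UTF-16 chars, and must be
            // set before the body is written; it was previously set to the char
            // count after the writer had already been closed.
            httpServletResponse.setContentLength(updatedContent.getBytes(httpServletResponse.getCharacterEncoding()).length);
            writer.write(updatedContent);
            writer.close();
        } finally {
            // The nonce is scoped to one request; always drop it, also on failure.
            this._contentSecurityPolicyNonceManager.cleanUpNonce(httpServletRequest);
        }
    }

    /**
     * Tells whether the request URI starts with a built-in or configured
     * excluded prefix.
     *
     * <p>
     * Built-in prefixes are compared with the URI exactly as received;
     * configured prefixes are compared case-insensitively.
     * </p>
     *
     * <p>
     * NOTE(review): {@code getRequestURI()} is not decoded by the container, so
     * this is a plain prefix test on the raw path. Requests that match get no
     * CSP header at all, so keep the configured list as narrow as possible and
     * verify how encoded or dot-segment paths are routed.
     * </p>
     */
    private boolean _isExcludedURIPath(ContentSecurityPolicyConfiguration contentSecurityPolicyConfiguration, HttpServletRequest httpServletRequest) {
        String requestURI = httpServletRequest.getRequestURI();
        if (Validator.isNull(requestURI)) {
            return false;
        }
        for (String internallyExcludedPath : _INTERNALLY_EXCLUDED_PATHS) {
            if (Validator.isNotNull(internallyExcludedPath) && requestURI.startsWith(StringUtil.toLowerCase(internallyExcludedPath))) {
                return true;
            }
        }
        String lowerCaseRequestURI = StringUtil.toLowerCase(requestURI);
        for (String excludedPath : contentSecurityPolicyConfiguration.excludedPaths()) {
            if (Validator.isNotNull(excludedPath) && lowerCaseRequestURI.startsWith(StringUtil.toLowerCase(excludedPath))) {
                return true;
            }
        }
        return false;
    }

    /**
     * Adds the nonce attribute to every {@code <link>} and {@code <style>}
     * opening tag, then escapes the attribute's quotes wherever it ended up
     * inside a brace-delimited region of a line.
     *
     * @param content the buffered response body
     * @param nonce the nonce issued for this request
     * @return the rewritten body
     */
    private String _updateContent(String content, String nonce) {
        String nonceAttribute = "nonce=\"" + nonce + "\"";
        String escapedNonceAttribute = "nonce=\\\"" + nonce + "\\\"";
        // replaceAll treats '$' and '\' in the replacement as group references
        // and escapes; quote the attribute so the nonce is always inserted
        // literally, whatever alphabet the nonce manager uses.
        String quotedNonceAttribute = Matcher.quoteReplacement(nonceAttribute);

        String updatedContent = _LINK_WITH_ATTRIBUTES_PATTERN.matcher(content).replaceAll("<link " + quotedNonceAttribute + " ");
        // The closing '>' was previously dropped here, leaving "<link nonce=..."
        // unterminated so that it swallowed the markup that followed.
        updatedContent = _LINK_WITHOUT_ATTRIBUTES_PATTERN.matcher(updatedContent).replaceAll("<link " + quotedNonceAttribute + ">");
        updatedContent = _STYLE_WITH_ATTRIBUTES_PATTERN.matcher(updatedContent).replaceAll("<style " + quotedNonceAttribute + " ");
        updatedContent = _STYLE_WITHOUT_ATTRIBUTES_PATTERN.matcher(updatedContent).replaceAll("<style " + quotedNonceAttribute + ">");

        // Finds, per line ('.' does not cross line breaks), a span from a '{' to
        // the last '}' that contains a nonce attribute of the expected length.
        // NOTE(review): the greedy ".*" pair backtracks heavily on very long
        // single-line bodies; worth measuring on minified pages.
        Matcher matcher = Pattern.compile("\\{.*nonce=\".{" + nonce.length() + "}\".*\\}").matcher(updatedContent);
        while (matcher.find()) {
            String group = matcher.group();
            String[] parts = StringUtil.split(group, nonceAttribute);
            StringBundler stringBundler = new StringBundler((parts.length * 2) - 1);
            int braceDepth = 0;
            boolean escaped = false;
            for (int i = 0; i < parts.length - 1; i++) {
                // Track how many braces are still open before this attribute.
                braceDepth = (braceDepth + StringUtil.count(parts[i], '{')) - StringUtil.count(parts[i], '}');
                stringBundler.append(parts[i]);
                if (braceDepth > 0) {
                    // Inside braces: use the backslash-escaped form of the quotes.
                    escaped = true;
                    stringBundler.append(escapedNonceAttribute);
                } else {
                    stringBundler.append(nonceAttribute);
                }
            }
            if (escaped) {
                stringBundler.append(parts[parts.length - 1]);
                updatedContent = StringUtil.replace(updatedContent, group, stringBundler.toString());
            }
        }
        return updatedContent;
    }
}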
