package divconq.hub;

import divconq.lang.op.OperationContext;
import divconq.log.Logger;
import divconq.struct.Struct;
import divconq.util.StringUtil;
import divconq.xml.XAttribute;
import divconq.xml.XElement;
import io.netty.handler.codec.http.HttpResponse;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLEngine;

/* loaded from: input_file:divconq/hub/SecurityPolicy.class */
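/**
 * Applies the hub's {@code Harden} configuration to outgoing HTTP responses and
 * to TLS engines.
 *
 * <p>HTTP hardening reads {@code Harden/Http} from the current domain's settings
 * first and then from the hub-wide config. A header is only written when the
 * response does not already carry it (or when the matching {@code Force}
 * attribute is set), so a domain-level value takes precedence over the hub-level
 * value. The hub-level pass runs with defaults enabled, so a hub with no
 * {@code Harden/Http} element still emits HSTS ({@code Hsts="SelfPlus"}) and a
 * {@code Mode="Strict"} Content-Security-Policy.
 *
 * <p>TLS hardening reads {@code Harden/TLS} from the hub config and restricts
 * the enabled protocols and cipher suites of an {@link SSLEngine}.
 */
public class SecurityPolicy {
    private static final String HSTS_HEADER = "Strict-Transport-Security";
    private static final String CSP_HEADER = "Content-Security-Policy";

    /** max-age is 157680000 seconds (five years); used by every built-in HSTS value. */
    private static final String HSTS_SELF_PLUS = "max-age=157680000; includeSubDomains";
    private static final String HSTS_SELF = "max-age=157680000;";

    /**
     * Built-in CSP values. Note that even the "Strict" policy keeps
     * {@code connect-src *}, and the "Loose" policy allows
     * {@code style-src 'unsafe-inline' *}; operators wanting tighter rules must
     * set the header themselves (this class never overwrites an existing header
     * unless {@code Force} is set).
     */
    private static final String CSP_STRICT = "default-src 'self'; img-src 'self' data:; media-src mediastream:; frame-ancestors 'self'; connect-src *;";
    private static final String CSP_LOOSE = "default-src 'self'; img-src *; media-src *; font-src *; style-src 'unsafe-inline' *; frame-ancestors 'self'; connect-src *;";

    /** Protocols and suites for {@code Harden/TLS Mode="Strict"} (also the no-config default). */
    private static final String[] STRICT_PROTOCOLS = {"TLSv1.2"};
    private static final String[] STRICT_SUITES = {
        "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384", "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
        "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_EMPTY_RENEGOTIATION_INFO_SCSV"
    };

    /**
     * Protocols and suites for {@code Harden/TLS Mode="Loose"}. This list keeps
     * TLSv1/TLSv1.1, SHA-1 CBC suites and the RC4 suites for compatibility with
     * old clients; all of these are deprecated, so "Loose" should only be chosen
     * where such clients genuinely have to be served.
     */
    private static final String[] LOOSE_PROTOCOLS = {"TLSv1", "TLSv1.1", "TLSv1.2"};
    private static final String[] LOOSE_SUITES = {
        "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_DHE_DSS_WITH_AES_256_GCM_SHA384", "TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_256_CBC_SHA256",
        "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256", "TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA256",
        "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256", "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
        "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_DHE_DSS_WITH_AES_128_CBC_SHA", "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA", "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
        "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
        "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA", "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
        "TLS_ECDH_ECDSA_WITH_RC4_128_SHA", "TLS_ECDH_RSA_WITH_RC4_128_SHA"
    };

    /**
     * Adds HSTS and CSP headers to {@code httpResponse}, domain config first and
     * hub config second.
     *
     * <p>The domain pass runs without defaults, so a domain whose settings have
     * no {@code Harden/Http} element contributes nothing; the hub pass runs with
     * defaults so any header still missing gets the built-in value. Nothing is
     * done for the hub when {@code Hub.instance.getResources()} is null.
     *
     * @param httpResponse the response whose headers are hardened in place
     */
    public void hardenHttpResponse(HttpResponse httpResponse) {
        String domainId = OperationContext.get().getUserContext().getDomainId();
        if (StringUtil.isNotEmpty(domainId)) {
            // NOTE(review): assumes getDomainInfo() never returns null for a
            // non-empty domain id, as the original code did — confirm.
            XElement settings = Hub.instance.getDomainInfo(domainId).getSettings();
            XElement domainHttp = (settings != null) ? settings.selectFirst("Harden/Http") : null;
            hardenHttpResponseConfig(httpResponse, domainHttp, false);
        }
        HubResources resources = Hub.instance.getResources();
        if (resources == null) {
            return;
        }
        hardenHttpResponseConfig(httpResponse, resources.getConfig().selectFirst("Harden/Http"), true);
    }

    /**
     * Applies one {@code Harden/Http} element to the response.
     *
     * <p>Headers already present on the response are left alone unless the
     * element's {@code HstsForce} / {@code Force} attribute is true. When
     * {@code useDefaults} is true and {@code xElement} is null, an implicit
     * {@code <Http Hsts="SelfPlus"/>} is used, and a missing
     * {@code ContentSecurityPolicy} child is treated as {@code Mode="Strict"}.
     * When {@code useDefaults} is false and {@code xElement} is null, this is a
     * no-op.
     *
     * @param httpResponse the response whose headers are hardened in place
     * @param xElement the {@code Http} config element, or null
     * @param useDefaults whether to fall back to the built-in policy when config is absent
     */
    public void hardenHttpResponseConfig(HttpResponse httpResponse, XElement xElement, boolean useDefaults) {
        if (!useDefaults && xElement == null) {
            return;
        }
        XElement http = (xElement != null) ? xElement : new XElement("Http", new XAttribute("Hsts", "SelfPlus"));
        applyHsts(httpResponse, http);
        XElement csp = http.find("ContentSecurityPolicy");
        if (useDefaults || csp != null) {
            applyContentSecurityPolicy(httpResponse, (csp != null) ? csp : new XElement("ContentSecurityPolicy", new Object[0]));
        }
    }

    /**
     * Writes Strict-Transport-Security according to the {@code Hsts},
     * {@code HstsForce} and {@code HstsValue} attributes of {@code http}.
     * {@code Hsts} is one of "SelfPlus" (default, includeSubDomains), "Self"
     * or "Custom" (verbatim {@code HstsValue}); any other value leaves the
     * header untouched.
     */
    private static void applyHsts(HttpResponse httpResponse, XElement http) {
        String mode = http.getAttribute("Hsts", "SelfPlus");
        boolean force = flag(http, "HstsForce");
        if (httpResponse.headers().contains(HSTS_HEADER) && !force) {
            return;
        }
        if ("SelfPlus".equals(mode)) {
            httpResponse.headers().set(HSTS_HEADER, HSTS_SELF_PLUS);
        } else if ("Self".equals(mode)) {
            httpResponse.headers().set(HSTS_HEADER, HSTS_SELF);
        } else if ("Custom".equals(mode)) {
            httpResponse.headers().set(HSTS_HEADER, http.getAttribute("HstsValue", HSTS_SELF_PLUS));
        }
    }

    /**
     * Writes Content-Security-Policy (or Content-Security-Policy-Report-Only
     * when {@code ReportOnly} is true) according to the {@code Mode},
     * {@code Force} and {@code ReportOnly} attributes of {@code csp}.
     * {@code Mode} is "Strict" (default) or "Loose"; any other value writes nothing.
     *
     * <p>The presence check is always against the enforcing header name, so an
     * existing Content-Security-Policy also suppresses a Report-Only header,
     * while an existing Report-Only header does not suppress anything.
     */
    private static void applyContentSecurityPolicy(HttpResponse httpResponse, XElement csp) {
        boolean force = flag(csp, "Force");
        boolean reportOnly = flag(csp, "ReportOnly");
        String mode = csp.getAttribute("Mode", "Strict");
        String header = CSP_HEADER + (reportOnly ? "-Report-Only" : "");
        if (httpResponse.headers().contains(CSP_HEADER) && !force) {
            return;
        }
        if ("Strict".equals(mode)) {
            httpResponse.headers().set(header, CSP_STRICT);
        } else if ("Loose".equals(mode)) {
            httpResponse.headers().set(header, CSP_LOOSE);
        }
    }

    /**
     * Reads a boolean attribute that defaults to "False". A null result from
     * {@code Struct.objectToBoolean} counts as false instead of throwing.
     */
    private static boolean flag(XElement element, String attribute) {
        return Boolean.TRUE.equals(Struct.objectToBoolean(element.getAttribute(attribute, "False")));
    }

    /**
     * Hardens an engine used for public-facing connections; currently identical
     * to {@link #harden(SSLEngine)}.
     *
     * @param engine the engine to configure
     */
    public void hardenPublic(SSLEngine engine) {
        harden(engine);
    }

    /**
     * Hardens an engine used for hub-to-hub bus connections; currently identical
     * to {@link #harden(SSLEngine)}.
     *
     * @param engine the engine to configure
     */
    public void hardenBus(SSLEngine engine) {
        harden(engine);
    }

    /**
     * Restricts {@code engine}'s enabled protocols and cipher suites according to
     * the hub's {@code Harden/TLS} element.
     *
     * <p>{@code Mode="Strict"} (or no element at all) enables TLSv1.2 only with
     * {@link #STRICT_SUITES}; {@code Mode="Loose"} enables TLSv1-1.2 with
     * {@link #LOOSE_SUITES}; any other mode takes the comma-separated
     * {@code Protocols} and {@code Suites} attributes verbatim. A warning is
     * logged if the resulting engine has no protocols or no suites enabled.
     * Nothing is done when {@code Hub.instance.getResources()} is null.
     *
     * @param engine the engine to configure
     */
    public void harden(SSLEngine engine) {
        HubResources resources = Hub.instance.getResources();
        if (resources == null) {
            return;
        }
        XElement tls = resources.getConfig().selectFirst("Harden/TLS");
        if (tls == null || "Strict".equals(tls.getAttribute("Mode", "Strict"))) {
            // clone() so the engine can never see a shared mutable array.
            engine.setEnabledProtocols(STRICT_PROTOCOLS.clone());
            engine.setEnabledCipherSuites(STRICT_SUITES.clone());
        } else if ("Loose".equals(tls.getAttribute("Mode"))) {
            engine.setEnabledProtocols(LOOSE_PROTOCOLS.clone());
            engine.setEnabledCipherSuites(LOOSE_SUITES.clone());
        } else {
            // Operator-supplied lists; blank entries are dropped so an empty or
            // whitespace-only attribute yields an empty array (and the warnings
            // below) instead of the unrecognized protocol/suite name "".
            engine.setEnabledProtocols(splitList(tls.getAttribute("Protocols", "")));
            engine.setEnabledCipherSuites(splitList(tls.getAttribute("Suites", "")));
        }
        if (engine.getEnabledProtocols().length == 0) {
            Logger.warn("No Protocols are enabled!!", new String[0]);
        }
        if (engine.getEnabledCipherSuites().length == 0) {
            Logger.warn("No Cipher are enabled!!", new String[0]);
        }
    }

    /**
     * Splits a comma-separated config value into its trimmed, non-blank entries.
     * Unlike {@code "".split(",")}, which returns a single empty string, an
     * empty, blank or null input yields an empty array.
     *
     * @param csv the raw attribute value, may be null
     * @return the entries in order, never null
     */
    private static String[] splitList(String csv) {
        List<String> items = new ArrayList<>();
        if (csv != null) {
            for (String part : csv.split(",")) {
                String trimmed = part.trim();
                if (!trimmed.isEmpty()) {
                    items.add(trimmed);
                }
            }
        }
        return items.toArray(new String[0]);
    }
}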
