package ru.org.openam.xss;

import com.iplanet.am.util.SystemProperties;
import java.io.IOException;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.RandomStringUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.tuple.ImmutablePair;
import org.apache.commons.lang3.tuple.Pair;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:ru/org/openam/xss/XSSFilter.class */
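/**
 * Servlet filter that wraps every request/response pair in {@code XSSRequestWrapper} /
 * {@code XSSResponseWrapper}, inserts a CSRF token into the buffered response body
 * (via {@code CSRFToken.insertCSRFToken}) and adds robots / cache-control protection for
 * requests that look like they carry credentials.
 *
 * <p>Configuration is read from filter init parameters in {@link #init(FilterConfig)}:
 * {@code CSRF.key}, {@code setHeaders.extra}, {@code setHeader.hide},
 * {@code formatControlFields.skip}, {@code ignoreParamsOnFailCsrf}, {@code iFrameEmbedAllow}
 * and {@code CSRF.ignore}. Parsed values are kept in package-visible fields so the wrapper
 * classes in this package can read them.
 *
 * <p>Not thread-safe during {@link #init(FilterConfig)}; the container calls it once before
 * any {@link #doFilter} invocation. The static fields are shared by all instances.
 */
public class XSSFilter implements Filter {
    /** Most recently initialised filter instance, published for the other classes of this package. */
    public static XSSFilter shared;
    /** Extra response headers ({@code name}, {@code value}) from {@code setHeaders.extra}, in configuration order. */
    final List<Pair<String, String>> extraHeaders = new ArrayList<>();
    /** Response header names to hide, from {@code setHeader.hide}; compared case-insensitively. */
    final Set<String> hideHeaders = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
    /** Parameter names excluded from format-control checks, from {@code formatControlFields.skip}. */
    final Set<String> skipFormatControlFields = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
    /** Parameter names that are ignored when a CSRF check fails, from {@code ignoreParamsOnFailCsrf}. */
    final Set<String> ignoreParamsOnFailCsrf = new TreeSet<>(String.CASE_INSENSITIVE_ORDER);
    /** {@code iFrameEmbedAllow} rules: left side of each {@code key=value} line mapped to the set of its values. */
    final Map<String, Set<String>> iFrameEmbedAllow = new HashMap<>();
    static final Logger logger = LoggerFactory.getLogger(XSSFilter.class.getName());
    /**
     * Secret used for CSRF tokens. Set in {@link #init(FilterConfig)} from {@code CSRF.key} or generated;
     * if still unset when {@link #doFilter} runs, taken from the {@code CSRF.key} system property or
     * {@code com.iplanet.am.service.secret}. Never log this value.
     */
    public static String CSRF$key = null;
    /** CSRF ignore rules parsed from {@code CSRF.ignore}: one case-insensitive key/value map per rule line. */
    public static final ArrayList<Map<String, String>> CSRF$ignore = new ArrayList<>();
    /** Matches the opening {@code <head>} tag. Flags CASE_INSENSITIVE | MULTILINE | DOTALL equal the original literal 42. */
    static Pattern head = Pattern.compile("<head>", Pattern.CASE_INSENSITIVE | Pattern.MULTILINE | Pattern.DOTALL);
    /** Request attribute set once this filter has written the response, so a second pass only logs a warning. */
    static final String CSRF_DATA_SET_ATTRIBUTE = XSSFilter.class.getName().concat(".csrfDataSet");

    /** Splits a multi-line init parameter on either a real newline or a literal backslash-n sequence. */
    private static final Pattern LINE_SPLIT = Pattern.compile("\\\\n|\n");
    /** Default for {@code setHeaders.extra}; {@code {%context%}} is replaced by the servlet context path. */
    private static final String DEFAULT_EXTRA_HEADERS = "Server: openam.org.ru/1.0\nX-Powered-By: openam.org.ru/1.0\nX-Frame-Options: DENY\n X-XSS-Protection: 1; mode=block\nX-Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; options inline-script; report-uri {%context%}/csp-report;\nX-WebKit-CSP: allow 'self'; options inline-script; report-uri {%context%}/csp-report;\nContent-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; report-uri {%context%}/csp-report;\nX-Content-Type-Options: nosniff\n";
    /** Default for {@code setHeader.hide}. */
    private static final String DEFAULT_HIDE_HEADERS = "X-DSAMEVersion,X-AuthErrorCode,AM_CLIENT_TYPE";
    /** Default for {@code formatControlFields.skip}. */
    private static final String DEFAULT_SKIP_FORMAT_CONTROL_FIELDS = "IDToken2,IDToken3";
    /** Default for {@code ignoreParamsOnFailCsrf}. */
    private static final String DEFAULT_IGNORE_PARAMS_ON_FAIL_CSRF = "IDToken0,IDToken1,IDToken3,IDToken2,IDButton,AMAuthCookie,encoded";
    /** Query-string fragments (matched case-insensitively) that mark a request as carrying credential-like data. */
    private static final String[] SENSITIVE_QUERY_MARKERS = {"IDToken", "number", "password", "ForceAuth", "arg=", "msisdn", "login"};
    /** Meta tags injected after {@code <head>} for credential-like requests. */
    private static final String ROBOTS_HEAD = "<head><meta name=\"robots\" content=\"noindex, nofollow\" />";
    /** Meta tags injected after {@code <head>} for the login page. */
    private static final String NO_CACHE_HEAD = "<head><meta http-equiv=\"Pragma\" content=\"no-cache\"><meta http-equiv=\"Expires\" content=\"-1\"><meta http-equiv=\"Cache-Control\" content=\"no-cache,no-store,must-revalidate\">";

    /**
     * Reads the init parameters listed in the class comment and fills the configuration fields.
     *
     * @param filterConfig container-supplied configuration
     * @throws ServletException declared by {@link Filter#init}; not thrown by this implementation
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        shared = this;
        String configuredKey = filterConfig.getInitParameter("CSRF.key");
        // A CSRF secret must be unpredictable: RandomStringUtils.random() is backed by java.util.Random,
        // so a generated key comes from SecureRandom instead (same 64-character length as before).
        CSRF$key = configuredKey == null ? generateCsrfKey() : configuredKey;

        String contextPath = filterConfig.getServletContext().getContextPath();
        for (String line : LINE_SPLIT.split(paramOrDefault(filterConfig, "setHeaders.extra", DEFAULT_EXTRA_HEADERS))) {
            if (StringUtils.isBlank(line)) {
                continue;
            }
            // Limit 2 keeps any ": " inside the header value; the unlimited split silently truncated it.
            String[] nameAndValue = line.trim().replace("{%context%}", contextPath).split(": ", 2);
            if (nameAndValue.length < 2) {
                // Previously an ArrayIndexOutOfBoundsException aborted filter start-up on such a line.
                logger.warn("error parse header: {}", line);
                continue;
            }
            logger.info("init {}: {}", nameAndValue[0], nameAndValue[1]);
            this.extraHeaders.add(Pair.of(nameAndValue[0], nameAndValue[1]));
        }

        // The set is case-insensitive, so the lowercasing only preserves the original stored form.
        this.hideHeaders.addAll(Arrays.asList(paramOrDefault(filterConfig, "setHeader.hide", DEFAULT_HIDE_HEADERS).toLowerCase().split(",")));
        this.skipFormatControlFields.addAll(Arrays.asList(paramOrDefault(filterConfig, "formatControlFields.skip", DEFAULT_SKIP_FORMAT_CONTROL_FIELDS).split(",")));
        this.ignoreParamsOnFailCsrf.addAll(Arrays.asList(paramOrDefault(filterConfig, "ignoreParamsOnFailCsrf", DEFAULT_IGNORE_PARAMS_ON_FAIL_CSRF).split(",")));

        String embedAllow = filterConfig.getInitParameter("iFrameEmbedAllow");
        if (embedAllow != null) {
            for (String line : LINE_SPLIT.split(embedAllow)) {
                // Only the first "=" separates key and value; a value containing "=" is cut there (kept as before).
                String[] keyAndValue = line.trim().split("=");
                if (keyAndValue.length < 2) {
                    logger.warn("error parse: {}", line);
                    continue;
                }
                Set<String> values = this.iFrameEmbedAllow.get(keyAndValue[0]);
                if (values == null) {
                    values = new HashSet<>();
                    this.iFrameEmbedAllow.put(keyAndValue[0], values);
                }
                values.add(keyAndValue[1]);
            }
        }

        String csrfIgnore = filterConfig.getInitParameter("CSRF.ignore");
        if (csrfIgnore != null) {
            // Accept real newlines as well as literal "\n", consistent with the other multi-line parameters;
            // the original split only on the literal sequence, which merged real lines into one rule.
            for (String rule : LINE_SPLIT.split(csrfIgnore.trim())) {
                Map<String, String> conditions = new TreeMap<>(String.CASE_INSENSITIVE_ORDER);
                for (String condition : rule.trim().split(";")) {
                    String[] keyAndValue = condition.trim().split("=");
                    if (keyAndValue.length > 1) {
                        conditions.put(keyAndValue[0].trim(), keyAndValue[1].trim());
                    } else {
                        logger.warn("error parse: {}", rule);
                    }
                }
                if (conditions.isEmpty()) {
                    logger.warn("empty ignore rule: {}", rule);
                } else {
                    CSRF$ignore.add(conditions);
                }
            }
        }
    }

    /** Nothing to release: all state is plain collections. */
    @Override
    public void destroy() {
    }

    /**
     * Wraps the request and response, runs the rest of the chain, then post-processes the buffered
     * response body: inserts the CSRF token, marks credential-like pages {@code noindex, nofollow}
     * and non-cacheable, marks the login page non-cacheable, and finally writes the body out.
     *
     * @param servletRequest  the request; cast to {@link HttpServletRequest}
     * @param servletResponse the response; cast to {@link HttpServletResponse}
     * @param filterChain     the remaining chain
     * @throws IOException      from the wrapped chain
     * @throws ServletException from the wrapped chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (CSRF$key == null) {
            // Only reachable if init() did not run: fall back to the system property / AM service secret.
            CSRF$key = System.getProperty("CSRF.key", SystemProperties.get("com.iplanet.am.service.secret"));
        }
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        XSSRequestWrapper wrappedRequest = new XSSRequestWrapper(this, request);
        XSSResponseWrapper wrappedResponse = new XSSResponseWrapper(this, wrappedRequest, response);
        filterChain.doFilter(wrappedRequest, wrappedResponse);

        String body = wrappedResponse.toString();
        if (body == null) {
            // NOTE(review): presumably the wrapper yields null when no body was buffered — nothing to post-process.
            return;
        }
        if (servletRequest.getAttribute(CSRF_DATA_SET_ATTRIBUTE) != null) {
            logger.warn("filter already applied");
        } else {
            body = CSRFToken.insertCSRFToken(body, request);
            // containsIgnoreCase(null, ...) is false, so a missing query string is handled without a null check.
            if (hasSensitiveQueryParam(request.getQueryString())) {
                wrappedResponse.setHeader("X-Robots-Tag", "noindex, nofollow");
                // Replacement strings here contain no '$' or '\', so no Matcher.quoteReplacement is needed.
                body = head.matcher(body).replaceFirst(ROBOTS_HEAD);
                response.setHeader("Cache-Control", "no-store, no-cache, must-revalidate");
                response.setHeader("Pragma", "no-cache");
                response.setDateHeader("Expires", -1L);
            }
            if (StringUtils.endsWith(effectiveRequestUri(servletRequest), "/UI/Login")) {
                response.setHeader("Cache-Control", "no-cache,no-store,must-revalidate");
                response.setHeader("Pragma", "no-cache");
                response.setDateHeader("Expires", -1L);
                body = head.matcher(body).replaceFirst(NO_CACHE_HEAD);
            }
        }
        try {
            servletResponse.getWriter().write(body);
            // Set only after a successful write so a failed attempt does not mark the request as done.
            servletRequest.setAttribute(CSRF_DATA_SET_ATTRIBUTE, true);
        } catch (IOException | RuntimeException e) {
            // Best effort, as before; narrowed from Throwable so JVM errors are no longer swallowed.
            logger.warn("response.getWriter()", e);
        }
    }

    /** Returns the init parameter {@code name}, or {@code fallback} when it is absent. */
    private static String paramOrDefault(FilterConfig filterConfig, String name, String fallback) {
        String value = filterConfig.getInitParameter(name);
        return value == null ? fallback : value;
    }

    /** Produces a 64-character lower-case hex secret from 32 bytes of {@link SecureRandom} output. */
    private static String generateCsrfKey() {
        byte[] raw = new byte[32];
        new SecureRandom().nextBytes(raw);
        StringBuilder hex = new StringBuilder(raw.length * 2);
        for (byte b : raw) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    /** True when {@code queryString} contains any of {@link #SENSITIVE_QUERY_MARKERS}, ignoring case; false for null. */
    private static boolean hasSensitiveQueryParam(String queryString) {
        for (String marker : SENSITIVE_QUERY_MARKERS) {
            if (StringUtils.containsIgnoreCase(queryString, marker)) {
                return true;
            }
        }
        return false;
    }

    /** The forwarded request URI when the request was dispatched via forward, else the request's own URI. */
    private static String effectiveRequestUri(ServletRequest request) {
        Object forwarded = request.getAttribute("javax.servlet.forward.request_uri");
        return forwarded == null ? ((HttpServletRequest) request).getRequestURI() : (String) forwarded;
    }
}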
