package com.atlassian.jira.web.filters.steps.security;

import com.atlassian.jira.component.ComponentAccessor;
import com.atlassian.jira.web.filters.steps.FilterCallContext;
import com.atlassian.jira.web.filters.steps.FilterCallContextImpl;
import com.atlassian.jira.web.filters.steps.FilterStep;
import com.atlassian.jira.web.filters.steps.security.csp.DynamicContentSecurityPolicyResponseWrapperFactory;
import com.atlassian.jira.workflow.function.issue.UpdateIssueFieldFunction;
import java.time.Duration;
import java.time.temporal.ChronoUnit;
import java.util.Optional;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.validation.constraints.NotNull;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/atlassian/jira/web/filters/steps/security/HttpSecurityStep.class */
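/**
 * Filter step that stamps browser-side hardening headers on every Jira response.
 *
 * <p>Always set: {@code Referrer-Policy}, {@code X-XSS-Protection}, {@code X-Content-Type-Options}.
 * Conditionally set: framing protection ({@code X-Frame-Options} plus a
 * {@code Content-Security-Policy: frame-ancestors} directive) and
 * {@code Strict-Transport-Security}, both driven by {@link HttpSecurityConfig} when that
 * component is available. While Jira is in setup/start-up mode the config is absent and the
 * step falls back to the most restrictive behaviour (framing protection on, HSTS on with defaults).
 *
 * <p>Not thread-safety sensitive: the only instance state is the immutable config reference.
 */
public class HttpSecurityStep implements FilterStep {
    private static final Logger log = LoggerFactory.getLogger(HttpSecurityStep.class);

    /** Servlet path of the static-assets servlet; requests to it are always frame-protected. */
    private static final String ASSETS_SERVLET_PATH = "/s";
    /** Full referrer only on same-origin requests; origin only when crossing origins. */
    private static final String STRICT_ORIGIN_WHEN_CROSS_ORIGIN = "strict-origin-when-cross-origin";
    /** Legacy reflective-XSS filter directive; modern browsers ignore it, kept for older ones. */
    private static final String X_XSS_PROTECTION_VALUE = "1; mode=block";
    /** Stops browsers from MIME-sniffing a response away from its declared content type. */
    private static final String X_CONTENT_TYPE_OPTIONS_VALUE = "nosniff";
    /** Framing protection for browsers that predate CSP {@code frame-ancestors}. */
    private static final String X_FRAME_OPTIONS_VALUE = "SAMEORIGIN";
    /** CSP equivalent of SAMEORIGIN; takes precedence over X-Frame-Options where both are understood. */
    private static final String CONTENT_SECURITY_POLICY_VALUE = "frame-ancestors 'self'";
    /** HSTS max-age used when no configured value is available (one year, in seconds). */
    private static final long DEFAULT_STRICT_TRANSPORT_SECURITY_MAX_AGE_SECONDS = Duration.ofDays(365).getSeconds();

    /** {@code null} when the config component is not registered, i.e. during setup/start-up. */
    private final HttpSecurityConfig httpSecurityConfig = getHttpSecurityConfig().orElse(null);

    public HttpSecurityStep() {
        if (this.httpSecurityConfig == null) {
            log.debug("All resources have clickjacking protection right now. That's OK for Jira in setup and start-up mode.");
        }
    }

    /**
     * Sets the security headers on the response and returns a context whose response is wrapped
     * by {@link DynamicContentSecurityPolicyResponseWrapperFactory}.
     *
     * @param filterCallContext the current request/response/chain bundle
     * @return a new context carrying the same request and chain and the wrapped response
     */
    @Override
    public FilterCallContext beforeDoFilter(FilterCallContext filterCallContext) {
        HttpServletRequest request = filterCallContext.getHttpServletRequest();
        HttpServletResponse response = filterCallContext.getHttpServletResponse();
        String servletPath = request.getServletPath();
        String pathInfo = request.getPathInfo();

        log.debug("setting XSS and nosniff protection for servlet path [{}] for path [{}]", servletPath, pathInfo);
        // These three are unconditional: they are safe for every resource Jira serves.
        response.setHeader("Referrer-Policy", STRICT_ORIGIN_WHEN_CROSS_ORIGIN);
        response.setHeader("X-XSS-Protection", X_XSS_PROTECTION_VALUE);
        response.setHeader("X-Content-Type-Options", X_CONTENT_TYPE_OPTIONS_VALUE);

        if (isClickjackingProtectionRequired(servletPath, pathInfo)) {
            log.debug("setting clickjacking protection for servlet path [{}] for path [{}]", servletPath, pathInfo);
            // Both headers are sent so old (X-Frame-Options) and new (CSP) browsers are covered.
            response.setHeader("X-Frame-Options", X_FRAME_OPTIONS_VALUE);
            response.setHeader("Content-Security-Policy", CONTENT_SECURITY_POLICY_VALUE);
        }

        setStrictTransportSecurityHeader(response);

        // NOTE(review): the wrapper presumably lets downstream code adjust the CSP dynamically;
        // confirm against the factory before relying on the static value set above surviving.
        return new FilterCallContextImpl(
                request,
                DynamicContentSecurityPolicyResponseWrapperFactory.getWrapper(response, request),
                filterCallContext.getFilterChain(),
                filterCallContext.getFilterConfig());
    }

    /**
     * Decides whether framing protection applies to this request.
     *
     * <p>Static assets ({@value #ASSETS_SERVLET_PATH}) and every request made while no config is
     * available are always protected. Otherwise protection applies unless the administrator
     * disabled it globally or excluded this exact path.
     *
     * @param servletPath servlet path of the request, never {@code null} per the servlet spec
     * @param pathInfo    extra path info, may be {@code null}
     * @return {@code true} when X-Frame-Options / CSP frame-ancestors must be sent
     */
    private boolean isClickjackingProtectionRequired(@Nonnull String servletPath, @Nullable String pathInfo) {
        if (ASSETS_SERVLET_PATH.equals(servletPath) || this.httpSecurityConfig == null) {
            return true;
        }
        return !this.httpSecurityConfig.isClickjackingProtectionDisabled()
                && !this.httpSecurityConfig.isExcluded(combinePaths(servletPath, pathInfo));
    }

    /**
     * Emits {@code Strict-Transport-Security} unless the config explicitly disables it.
     *
     * <p>With no config (setup/start-up) the header is sent with the default max-age and no
     * further directives. A configured but {@code null} max-age also falls back to the default.
     *
     * @param response the response to add the header to
     */
    private void setStrictTransportSecurityHeader(HttpServletResponse response) {
        if (this.httpSecurityConfig != null && this.httpSecurityConfig.isStrictTransportSecurityDisabled()) {
            return;
        }
        Long configuredMaxAge = this.httpSecurityConfig == null
                ? null
                : this.httpSecurityConfig.getStrictTransportSecurityMaxAge();
        long maxAgeSeconds = configuredMaxAge != null
                ? configuredMaxAge
                : DEFAULT_STRICT_TRANSPORT_SECURITY_MAX_AGE_SECONDS;
        response.setHeader("Strict-Transport-Security",
                "max-age=" + maxAgeSeconds + getStrictTransportSecurityAdditionalParams());
    }

    /**
     * Builds the HSTS directives that follow {@code max-age}.
     *
     * @return an empty string, or a string starting with {@code "; "} holding the directives
     *         {@code includeSubDomains}, {@code preload} and any configured extra parameters
     */
    @Nonnull
    private String getStrictTransportSecurityAdditionalParams() {
        if (this.httpSecurityConfig == null) {
            return "";
        }
        StringBuilder directives = new StringBuilder();
        boolean preload = this.httpSecurityConfig.isStrictTransportSecurityPreloadEnabled();
        // Preload lists require includeSubDomains, so enabling preload implies it.
        if (this.httpSecurityConfig.isStrictTransportSecurityIncludeSubDomainsEnabled() || preload) {
            directives.append("; includeSubDomains");
        }
        if (preload) {
            directives.append("; preload");
        }
        String extraParams = this.httpSecurityConfig.getStrictTransportSecurityAdditionalParams();
        if (extraParams != null) {
            // Appended verbatim as administrator-controlled configuration; there is no directive
            // or CR/LF validation here. NOTE(review): confirm the servlet container rejects
            // malformed header values, otherwise validate this setting where it is read.
            directives.append("; ").append(extraParams);
        }
        return directives.toString();
    }

    /** No-op: this step does nothing after the chain has run. */
    @Override
    public FilterCallContext finallyAfterDoFilter(FilterCallContext filterCallContext) {
        return filterCallContext;
    }

    /**
     * Looks up the config component without failing when the container is not ready.
     *
     * @return the config, or empty when it is not registered (setup/start-up mode)
     */
    private Optional<HttpSecurityConfig> getHttpSecurityConfig() {
        return ComponentAccessor.getComponentSafely(HttpSecurityConfig.class);
    }

    /**
     * Joins servlet path and path info into the full request path used for exclusion matching.
     *
     * @param servletPath the servlet path, must not be {@code null}
     * @param pathInfo    the path info, may be {@code null}
     * @return {@code servletPath} followed by {@code pathInfo} when present
     */
    private static String combinePaths(@NotNull String servletPath, @Nullable String pathInfo) {
        return pathInfo == null ? servletPath : servletPath.concat(pathInfo);
    }
}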
