package com.liferay.portal.security.content.security.policy.internal.servlet.filter;

import com.liferay.petra.reflect.ReflectionUtil;
import com.liferay.portal.configuration.module.configuration.ConfigurationProvider;
import com.liferay.portal.kernel.exception.PortalException;
import com.liferay.portal.kernel.feature.flag.FeatureFlagManagerUtil;
import com.liferay.portal.kernel.util.Portal;
import com.liferay.portal.kernel.util.StringUtil;
import com.liferay.portal.kernel.util.Validator;
import com.liferay.portal.security.content.security.policy.internal.ContentSecurityPolicyNonceManager;
import com.liferay.portal.security.content.security.policy.internal.configuration.ContentSecurityPolicyConfiguration;
import com.liferay.portal.servlet.filters.BasePortalFilter;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStreamWriter;
import java.io.PrintWriter;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletOutputStream;
import javax.servlet.WriteListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

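/**
 * Servlet filter that applies the configured Content-Security-Policy to a response.
 *
 * <p>For every request that is not excluded (see {@link #_isExcludedURIPath}) and whose
 * configuration carries a non-empty policy, the filter:
 * <ol>
 *   <li>obtains a per-request nonce from the {@link ContentSecurityPolicyNonceManager} and
 *       publishes it through the manager's thread-local for the duration of the chain,</li>
 *   <li>sets the {@code Content-Security-Policy} header, substituting {@code nonce-<nonce>} for
 *       the {@code [$NONCE$]} placeholder in the configured policy, and</li>
 *   <li>buffers the downstream response body and adds a {@code nonce="..."} attribute to every
 *       {@code <link}, {@code <script} and {@code <style} tag before writing it out.</li>
 * </ol>
 *
 * <p>NOTE(review): step 3 is a textual rewrite of the whole body. Every matching tag receives the
 * nonce regardless of where it came from, so markup that reached the page body through untrusted
 * content gets the same nonce as the portal's own tags; the nonce therefore does not distinguish
 * trusted from untrusted inline resources on pages served through this filter. The rewrite also
 * assumes the body is text (it is decoded and re-encoded with the response character encoding) and
 * will touch any occurrence of those tag openings, including ones inside JSON or script text — confirm
 * that only HTML responses reach this filter.
 */
@Component(property = {"after-filter=Portal CORS Servlet Filter", "dispatcher=FORWARD", "dispatcher=REQUEST", "servlet-context-name=", "servlet-filter-name=Content Security Policy Filter", "url-pattern=/*"}, service = {Filter.class})
public class ContentSecurityPolicyFilter extends BasePortalFilter {

    /**
     * Request URI prefixes the filter never processes, independent of configuration.
     * Presumably these friendly-URL requests are forwarded internally and the filter runs again on
     * the FORWARD dispatch (see the {@code dispatcher} properties above) — confirm before changing.
     */
    private static final String[] _INTERNALLY_EXCLUDED_PATHS = {"/group/", "/user/", "/web/"};

    /** Placeholder in the configured policy string that is replaced by the per-request nonce. */
    private static final String _NONCE_PLACEHOLDER = "[$NONCE$]";

    /**
     * Opening of a link, script or style tag: group 1 is the tag name (case preserved), group 2 the
     * whitespace or {@code >} that terminates it. Compiled once; the original chained six
     * {@code String.replaceAll} calls, which recompiled their patterns on every response.
     */
    private static final Pattern _NONCE_TAG_PATTERN = Pattern.compile("(?i)<(link|script|style)([\\s>])");

    @Reference
    private ConfigurationProvider _configurationProvider;

    @Reference
    private ContentSecurityPolicyNonceManager _contentSecurityPolicyNonceManager;

    @Reference
    private Portal _portal;

    /**
     * Response wrapper that captures the downstream body in memory instead of sending it, so the
     * filter can rewrite it before writing to the real response.
     *
     * <p>Exactly one of the writer or the output stream may be used, mirroring the servlet API
     * contract; both feed the same byte buffer, which is sized from the wrapped response's buffer
     * size.
     */
    private static class ContentSecurityPolicyHttpServletResponse extends HttpServletResponseWrapper {
        private final ByteArrayOutputStream _byteArrayOutputStream;
        private PrintWriter _printWriter;
        private ServletOutputStream _servletOutputStream;

        /**
         * @param httpServletResponse the real response; only its buffer size and character
         *        encoding are consulted, nothing is written to it by this wrapper
         */
        public ContentSecurityPolicyHttpServletResponse(HttpServletResponse httpServletResponse) {
            super(httpServletResponse);
            this._byteArrayOutputStream = new ByteArrayOutputStream(httpServletResponse.getBufferSize());
        }

        /**
         * Flushes the wrapped response (which commits it, so headers set afterwards are lost) and
         * then whichever in-memory sink the chain is using.
         */
        @Override
        public void flushBuffer() throws IOException {
            super.flushBuffer();
            if (this._printWriter != null) {
                this._printWriter.flush();
            } else if (this._servletOutputStream != null) {
                this._servletOutputStream.flush();
            }
        }

        /**
         * Returns everything the chain wrote, decoded with the response character encoding.
         *
         * <p>The active sink is closed first so that any bytes still held by the writer's encoder
         * reach the buffer; this method is therefore meant to be called once, after the chain has
         * completed.
         *
         * @throws IOException if closing the sink fails or the encoding is unsupported
         */
        public String getContent() throws IOException {
            if (this._printWriter != null) {
                this._printWriter.close();
            } else if (this._servletOutputStream != null) {
                this._servletOutputStream.close();
            }
            return this._byteArrayOutputStream.toString(getCharacterEncoding());
        }

        /**
         * Returns a stream that writes into the in-memory buffer.
         *
         * @throws IllegalStateException if {@link #getWriter()} has already been called
         */
        @Override
        public ServletOutputStream getOutputStream() {
            if (this._printWriter != null) {
                throw new IllegalStateException("Get writer has already been called");
            }
            if (this._servletOutputStream == null) {
                this._servletOutputStream = new ServletOutputStream() {

                    @Override
                    public void close() throws IOException {
                        _byteArrayOutputStream.close();
                    }

                    @Override
                    public void flush() throws IOException {
                        _byteArrayOutputStream.flush();
                    }

                    // The sink is a heap buffer, so a write can never block. The original
                    // delegated to the enclosing _servletOutputStream field, i.e. to itself,
                    // which recursed until stack overflow.
                    @Override
                    public boolean isReady() {
                        return true;
                    }

                    // Non-blocking I/O has no meaning for a memory buffer; the original again
                    // delegated to itself. Fail loudly instead of recursing.
                    @Override
                    public void setWriteListener(WriteListener writeListener) {
                        throw new IllegalStateException("Non-blocking writes are not supported by the buffered response");
                    }

                    @Override
                    public void write(int b) {
                        _byteArrayOutputStream.write(b);
                    }

                    // Bulk writes go straight to the buffer instead of the byte-at-a-time
                    // default inherited from OutputStream.
                    @Override
                    public void write(byte[] b, int off, int len) {
                        _byteArrayOutputStream.write(b, off, len);
                    }

                };
            }
            return this._servletOutputStream;
        }

        /**
         * Returns a writer that encodes into the in-memory buffer with the response character
         * encoding.
         *
         * @throws IllegalStateException if {@link #getOutputStream()} has already been called
         * @throws IOException if the character encoding is unsupported
         */
        @Override
        public PrintWriter getWriter() throws IOException {
            if (this._servletOutputStream != null) {
                throw new IllegalStateException("Get output stream has already been called");
            }
            if (this._printWriter == null) {
                this._printWriter = new PrintWriter(new OutputStreamWriter(this._byteArrayOutputStream, getCharacterEncoding()));
            }
            return this._printWriter;
        }

    }

    /**
     * Reports whether the filter runs for this request: the {@code LPS-134060} feature flag must be
     * on and the scope's configuration must be enabled.
     */
    @Override
    public boolean isFilterEnabled(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (!FeatureFlagManagerUtil.isEnabled("LPS-134060")) {
            return false;
        }
        return _getContentSecurityPolicyConfiguration(httpServletRequest).enabled();
    }

    /**
     * Sets the policy header and rewrites the body as described on the class.
     *
     * <p>Excluded paths and scopes with an empty policy are passed through untouched. Otherwise the
     * nonce is kept in the nonce manager's thread-local for the duration of the chain and always
     * removed afterwards, even when the chain throws.
     *
     * @throws Exception anything thrown by the chain, the nonce manager or the response
     */
    @Override
    protected void processFilter(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws Exception {
        if (_isExcludedURIPath(httpServletRequest)) {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
            return;
        }
        String policy = _getContentSecurityPolicyConfiguration(httpServletRequest).policy();
        if (Validator.isNull(policy)) {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
            return;
        }
        String nonce = this._contentSecurityPolicyNonceManager.ensureNonce(httpServletRequest);
        try {
            this._contentSecurityPolicyNonceManager.setTLSNonce(nonce);
            // Header goes out before the chain runs, so it survives an early flushBuffer() by
            // downstream code. StringUtil.replace is a literal (non-regex) replacement.
            httpServletResponse.setHeader("Content-Security-Policy", StringUtil.replace(policy, _NONCE_PLACEHOLDER, "nonce-" + nonce));
            // Taking the real writer first pins the response character encoding (the servlet API
            // ignores later setCharacterEncoding calls once a writer exists), so the wrapper's buffer
            // and the final write below use the same encoding.
            PrintWriter writer = httpServletResponse.getWriter();
            String characterEncoding = httpServletResponse.getCharacterEncoding();
            ContentSecurityPolicyHttpServletResponse bufferedResponse = new ContentSecurityPolicyHttpServletResponse(httpServletResponse);
            filterChain.doFilter(httpServletRequest, bufferedResponse);
            String content = _addNonceToTags(bufferedResponse.getContent(), nonce);
            // Content-Length is a byte count, not a char count (the original used String.length(),
            // which undercounts any non-single-byte character), and must be set before the body is
            // written or it is silently dropped once the response commits.
            httpServletResponse.setContentLength(content.getBytes(characterEncoding).length);
            writer.write(content);
            writer.close();
        } finally {
            this._contentSecurityPolicyNonceManager.removeTLSNonce();
        }
    }

    /**
     * Inserts {@code nonce="<nonce>"} after the tag name of every link, script and style opening tag
     * in {@code content}. The tag name keeps its original case; the attribute is placed before any
     * existing attributes.
     *
     * @param content the captured response body
     * @param nonce   the per-request nonce
     * @return the rewritten body
     */
    private static String _addNonceToTags(String content, String nonce) {
        // quoteReplacement keeps a '$' or '\' in the nonce from being read as a group reference;
        // the nonce format is not visible here, so this is defensive.
        String replacement = "<$1 nonce=\"" + Matcher.quoteReplacement(nonce) + "\"$2";
        return _NONCE_TAG_PATTERN.matcher(content).replaceAll(replacement);
    }

    /**
     * Resolves the configuration for the request's scope: the group configuration when a scope
     * group is present, otherwise the company configuration.
     *
     * <p>A {@link PortalException} from the portal lookups is rethrown unchecked via
     * {@link ReflectionUtil#throwException}.
     */
    private ContentSecurityPolicyConfiguration _getContentSecurityPolicyConfiguration(HttpServletRequest httpServletRequest) {
        try {
            long scopeGroupId = this._portal.getScopeGroupId(httpServletRequest);
            if (scopeGroupId > 0) {
                return (ContentSecurityPolicyConfiguration) this._configurationProvider.getGroupConfiguration(ContentSecurityPolicyConfiguration.class, scopeGroupId);
            }
            return (ContentSecurityPolicyConfiguration) this._configurationProvider.getCompanyConfiguration(ContentSecurityPolicyConfiguration.class, this._portal.getCompanyId(httpServletRequest));
        } catch (PortalException e) {
            return (ContentSecurityPolicyConfiguration) ReflectionUtil.throwException(e);
        }
    }

    /**
     * Decides whether the request URI is excluded from CSP handling, either by the built-in prefix
     * list or by the configured {@code excludedPaths}.
     *
     * <p>NOTE(review): the match is a prefix test on {@code getRequestURI()}, which is the path as
     * sent by the client, not a normalized one; comparing against a normalized path would make the
     * exclusion decision follow the resource the container actually resolves — confirm whether that
     * matters for the deployment. The built-in list is compared against the raw URI while the
     * configured list is compared case-insensitively; kept as is, because widening the built-in
     * match would remove the header from more responses.
     */
    private boolean _isExcludedURIPath(HttpServletRequest httpServletRequest) {
        String requestURI = httpServletRequest.getRequestURI();
        if (Validator.isNull(requestURI)) {
            return false;
        }
        for (String excludedPath : _INTERNALLY_EXCLUDED_PATHS) {
            if (Validator.isNotNull(excludedPath) && requestURI.startsWith(StringUtil.toLowerCase(excludedPath))) {
                return true;
            }
        }
        String lowerCaseRequestURI = StringUtil.toLowerCase(requestURI);
        for (String excludedPath : _getContentSecurityPolicyConfiguration(httpServletRequest).excludedPaths()) {
            if (Validator.isNotNull(excludedPath) && lowerCaseRequestURI.startsWith(StringUtil.toLowerCase(excludedPath))) {
                return true;
            }
        }
        return false;
    }

}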
