package com.atlassian.jira.web.filters.steps.security;

import com.atlassian.jira.config.properties.JiraProperties;
import com.atlassian.jira.workflow.function.issue.UpdateIssueFieldFunction;
import com.atlassian.ozymandias.SafeAccessViaPluginAccessor;
import com.atlassian.ozymandias.SafePluginPointAccess;
import com.atlassian.plugin.PluginAccessor;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.collect.ImmutableList;
import java.util.Arrays;
import java.util.List;
import java.util.Objects;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.annotation.concurrent.ThreadSafe;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.stereotype.Component;

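/**
 * Read-only view of the HTTP security settings taken from {@link JiraProperties}: the
 * clickjacking-protection switch and its path exclusions, and the Strict-Transport-Security options.
 *
 * <p>Every call re-reads the underlying properties and plugin modules; nothing is cached here.
 *
 * <p>NOTE(review): the consumer of these values is not visible in this file. Judging by the package
 * name it is presumably a servlet-filter step that emits the response headers. Confirm against the caller.
 */
@ThreadSafe
@Component
/* loaded from: input_file:com/atlassian/jira/web/filters/steps/security/HttpSecurityConfig.class */
public class HttpSecurityConfig {
    private static final String DISABLE_CLICKJACKING_PROTECTION_PROPERTY = "com.atlassian.jira.clickjacking.protection.disabled";
    private static final String CLICKJACKING_PROTECTION_EXCLUDE_PROPERTY = "com.atlassian.jira.clickjacking.protection.exclude";
    private static final String DISABLE_STRICT_TRANSPORT_SECURITY_PROPERTY = "com.atlassian.jira.strict.transport.security.disabled";
    private static final String ENABLE_STRICT_TRANSPORT_SECURITY_PRELOAD_PROPERTY = "com.atlassian.jira.strict.transport.security.preload.enabled";
    private static final String ENABLE_STRICT_TRANSPORT_SECURITY_INCLUDE_DOMAINS_PROPERTY = "com.atlassian.jira.strict.transport.security.include.subdomains.enabled";
    // Despite the DISABLE_ prefix, this key holds extra parameters rather than an on/off switch.
    private static final String DISABLE_STRICT_TRANSPORT_SECURITY_ADDITIONAL_PARAMS_PROPERTY = "com.atlassian.jira.strict.transport.security.additional.params";
    private static final String STRICT_TRANSPORT_SECURITY_MAX_AGE_PROPERTY = "com.atlassian.jira.strict.transport.security.max.age";
    // Delimiter between entries of the exclusion property value.
    private static final String SEPARATOR = ",";
    private final JiraProperties jiraProperties;
    private final PluginAccessor pluginAccessor;
    private static final Logger log = LoggerFactory.getLogger(HttpSecurityConfig.class);
    // Path prefixes that are always excluded, whatever the property and plugins contribute.
    private static final List<String> DEFAULT_EXCLUDED_PATHS = ImmutableList.of("/rest/collectors/1.0/template/form/", "/rest/collectors/1.0/template/custom/", "/rest/collectors/1.0/template/feedback/", "/plugins/servlet/applinks/auth/conf/trusted/", "/plugins/servlet/applinks/auth/conf/basic/", "/plugins/servlet/applinks/auth/conf/oauth/");

    /**
     * @param jiraProperties source of the security-related properties
     * @param pluginAccessor used to look up plugin modules that contribute excluded paths
     */
    @Autowired
    public HttpSecurityConfig(JiraProperties jiraProperties, PluginAccessor pluginAccessor) {
        this.jiraProperties = jiraProperties;
        this.pluginAccessor = pluginAccessor;
    }

    /** Returns the boolean value of {@code com.atlassian.jira.clickjacking.protection.disabled}. */
    public boolean isClickjackingProtectionDisabled() {
        return this.jiraProperties.getBoolean(DISABLE_CLICKJACKING_PROTECTION_PROPERTY).booleanValue();
    }

    /** Returns the boolean value of {@code com.atlassian.jira.strict.transport.security.disabled}. */
    public boolean isStrictTransportSecurityDisabled() {
        return this.jiraProperties.getBoolean(DISABLE_STRICT_TRANSPORT_SECURITY_PROPERTY).booleanValue();
    }

    /** Returns the boolean value of {@code com.atlassian.jira.strict.transport.security.preload.enabled}. */
    public boolean isStrictTransportSecurityPreloadEnabled() {
        return this.jiraProperties.getBoolean(ENABLE_STRICT_TRANSPORT_SECURITY_PRELOAD_PROPERTY).booleanValue();
    }

    /**
     * Returns the boolean value of
     * {@code com.atlassian.jira.strict.transport.security.include.subdomains.enabled}.
     */
    public boolean isStrictTransportSecurityIncludeSubDomainsEnabled() {
        return this.jiraProperties.getBoolean(ENABLE_STRICT_TRANSPORT_SECURITY_INCLUDE_DOMAINS_PROPERTY).booleanValue();
    }

    /**
     * Reads {@code com.atlassian.jira.strict.transport.security.max.age}, passing {@code null} as
     * the default, so callers must be prepared for a {@code null} result.
     */
    public Long getStrictTransportSecurityMaxAge() {
        return this.jiraProperties.getLong(STRICT_TRANSPORT_SECURITY_MAX_AGE_PROPERTY, (Long) null);
    }

    /**
     * Reads {@code com.atlassian.jira.strict.transport.security.additional.params}, passing
     * {@code null} as the default. The value is handed back verbatim.
     *
     * <p>NOTE(review): no validation happens here. If the caller appends this to a response header,
     * it should reject CR/LF and other control characters. Confirm at the call site.
     */
    public String getStrictTransportSecurityAdditionalParams() {
        return this.jiraProperties.getProperty(DISABLE_STRICT_TRANSPORT_SECURITY_ADDITIONAL_PARAMS_PROPERTY, (String) null);
    }

    /**
     * Tells whether {@code str} starts with one of the excluded path prefixes.
     *
     * <p>The comparison is a plain, case-sensitive {@link String#startsWith(String)} on the value
     * exactly as supplied; no decoding or normalisation is done in this class.
     *
     * <p>NOTE(review): because this is a raw prefix test, the caller should pass a decoded,
     * normalised, context-relative path. Otherwise a request path that merely begins with an
     * excluded prefix (for example one followed by {@code ../} segments) would be treated as
     * excluded. Confirm what the caller supplies.
     *
     * @param str the path to test; {@code null} is never excluded
     * @return {@code true} if some excluded prefix matches the start of {@code str}
     */
    public boolean isExcluded(String str) {
        if (log.isDebugEnabled()) {
            log.debug("clickjacking.disabled={}; clickjacking excluded paths: {}", isClickjackingProtectionDisabled(), getExcludedPaths().collect(Collectors.toList()));
        }
        // The null check short-circuits, so the exclusion sources are not consulted for a null path.
        return str != null && getExcludedPaths().anyMatch(str::startsWith);
    }

    /**
     * Returns the raw, comma-separated exclusion list from
     * {@code com.atlassian.jira.clickjacking.protection.exclude}.
     */
    private String getClickjackingDefaultWhitelist() {
        // NOTE(review): the default is an unrelated workflow constant, which looks like a decompiler
        // substitution for a literal. Its value is not visible here; confirm it is the empty string.
        return this.jiraProperties.getProperty(CLICKJACKING_PROTECTION_EXCLUDE_PROPERTY, UpdateIssueFieldFunction.UNASSIGNED_VALUE);
    }

    /**
     * Concatenates the three exclusion sources in order: built-in defaults, the exclusion property,
     * then plugin-contributed paths.
     *
     * <p>NOTE(review): property and plugin entries are used as prefixes without further checks, so a
     * very short entry such as {@code /} would match every path. Worth validating or auditing the
     * contributed values.
     */
    private Stream<String> getExcludedPaths() {
        // Typed Stream.of(...) replaces the decompiled "(Object[]) new Stream[]" cast, which erased
        // the element type and left flatMap operating on Object.
        return Stream.of(
                DEFAULT_EXCLUDED_PATHS.stream(),
                obtainExcludedPathsFromProperty(getClickjackingDefaultWhitelist()),
                obtainExcludedPathsFromPlugins())
                .flatMap(paths -> paths);
    }

    /** Splits {@code str} on commas, trims each entry and drops the empty ones. */
    private static Stream<String> obtainExcludedPathsFromProperty(String str) {
        return Arrays.stream(str.split(SEPARATOR))
                .map(String::trim)
                .filter(StringUtils::isNotEmpty);
    }

    /**
     * Collects the excluded paths exposed by every {@code PathExclusionModuleDescriptor} module
     * reachable through the plugin accessor.
     */
    private Stream<String> obtainExcludedPathsFromPlugins() {
        return getSafeAccessViaPluginAccessor()
                .forType(PathExclusionModuleDescriptor.class, (pathExclusionModuleDescriptor, pathExclusion) -> pathExclusion.getExcludedPaths().stream())
                .stream()
                .flatMap(paths -> paths);
    }

    /** Wraps the plugin accessor for safe plugin-point access; package-private so tests can override it. */
    @VisibleForTesting
    SafeAccessViaPluginAccessor getSafeAccessViaPluginAccessor() {
        return SafePluginPointAccess.to(this.pluginAccessor);
    }
}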
