package com.atlassian.jira.webtests.ztests.security.plugin;

import com.atlassian.jira.functest.framework.Administration;
import com.atlassian.jira.functest.framework.BaseJiraFuncTest;
import com.atlassian.jira.functest.framework.FuncTestRestClient;
import com.atlassian.jira.functest.framework.LoginAs;
import com.atlassian.jira.functest.framework.suite.Category;
import com.atlassian.jira.functest.framework.suite.WebTest;
import com.atlassian.jira.webtests.ztests.plugin.reloadable.ReferencePluginConstants;
import com.google.common.base.Preconditions;
import com.meterware.httpunit.WebResponse;
import java.io.IOException;
import javax.inject.Inject;
import org.hamcrest.CoreMatchers;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.xml.sax.SAXException;

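/**
 * Functional test for the HTTP security-header configuration contributed by the reference plugin.
 *
 * <p>The reference plugin registers a set of "clickjacking excluded paths"
 * ({@link ReferencePluginConstants#CLICKJACKING_EXCLUDED_PATHS_KEY}). Responses for such paths are
 * expected to carry only the common headers ({@code X-Content-Type-Options}, {@code X-XSS-Protection})
 * plus {@code Strict-Transport-Security}; every other path must additionally carry the frame-busting
 * headers {@code X-Frame-Options} and {@code Content-Security-Policy: frame-ancestors 'self'}.
 * Disabling either the whole plugin or only its excluded-paths module must bring the frame-busting
 * headers back on a previously excluded path, which is what the {@code *WhenRefapp*Disabled} tests
 * cover.
 *
 * <p>Header values are compared for exact equality, so any change to the configured policy (an extra
 * CSP directive, a different HSTS max-age) fails these tests and requires a deliberate update of the
 * expected constants below.
 */
@LoginAs(user = "admin")
@WebTest({Category.FUNC_TEST, Category.SECURITY, Category.REFERENCE_PLUGIN})
/* loaded from: input_file:com/atlassian/jira/webtests/ztests/security/plugin/TestHttpSecurityHeadersConfig.class */
public class TestHttpSecurityHeadersConfig extends BaseJiraFuncTest {
    /** Reference-plugin servlet that the plugin lists as excluded from frame-busting headers. */
    private static final String REFAPP_EXCLUDED_PATH = "/plugins/servlet/reference-servlet-with-filter";
    /** Reference-plugin servlet that is not excluded and must get the full header set. */
    private static final String REFAPP_NOT_EXCLUDED_PATH = "/plugins/servlet/reference-servlet";
    /** Core JIRA path that the reference plugin's module excludes from frame-busting headers. */
    private static final String JIRA_EXCLUDED_PATH = "/issues/";
    /** Core JIRA path outside any exclusion. */
    private static final String JIRA_NOT_EXCLUDED_PATH = "/secure/Dashboard.jspa";
    // X-XSS-Protection is a legacy header that current browsers no longer honour; the assertion pins
    // the configured value rather than a protection these tests rely on.
    private static final String X_XSS_PROTECTION_VALUE = "1; mode=block";
    private static final String X_CONTENT_TYPE_OPTIONS_VALUE = "nosniff";
    private static final String X_FRAME_OPTIONS_VALUE = "SAMEORIGIN";
    // Only the frame-ancestors directive is expected; exact-match comparison means any additional
    // directive in the served CSP will fail the "all headers" assertions.
    private static final String CONTENT_SECURITY_POLICY_VALUE = "frame-ancestors 'self'";
    // Default HSTS value: max-age only (one year), no includeSubDomains/preload.
    private static final String STRICT_TRANSPORT_SECURITY_DEFAULT_VALUE = "max-age=31536000";

    @Inject
    private FuncTestRestClient restClient;

    @Inject
    private Administration administration;

    /**
     * Fails fast unless the reference plugin is enabled; otherwise every header assertion below would
     * fail for a misleading reason.
     */
    @Before
    public void setUpTest() {
        final String state = this.backdoor.plugins().getPluginState(ReferencePluginConstants.REFERENCE_PLUGIN_KEY);
        // "ENABLED".equals(state) is null-safe should the backdoor report no state at all.
        Preconditions.checkState("ENABLED".equals(state),
                "Reference plugin %s must be enabled before this test runs, but its state is %s",
                ReferencePluginConstants.REFERENCE_PLUGIN_KEY, state);
    }

    @Test
    public void testExcludedPathWithinRefapp() {
        assertOnlyCommonHeadersSetForPath(REFAPP_EXCLUDED_PATH);
    }

    @Test
    public void testExcludedPathOutsideRefapp() {
        // The exclusion must also hold when the excluded path carries a query string.
        assertOnlyCommonHeadersSetForPath(JIRA_EXCLUDED_PATH + "?jql=text");
    }

    @Test
    public void testNotExcludedPathWithinRefapp() {
        assertAllHeadersSetForPath(REFAPP_NOT_EXCLUDED_PATH);
    }

    @Test
    public void testNotExcludedPathOutsideRefapp() {
        assertAllHeadersSetForPath(JIRA_NOT_EXCLUDED_PATH);
    }

    @Test
    public void testExcludedPathOutsideRefappWhenRefappIsDisabled() {
        runCodeWhenRefappIsDisabled(() -> assertAllHeadersSetForPath(JIRA_EXCLUDED_PATH));
    }

    @Test
    public void testExcludedPathOutsideRefappWhenRefappModuleIsDisabled() {
        runCodeWhenRefappModuleIsDisabled(() -> assertAllHeadersSetForPath(JIRA_EXCLUDED_PATH));
    }

    @Test
    public void testExcludedPathWithinRefappWhenRefappModuleIsDisabled() {
        runCodeWhenRefappModuleIsDisabled(() -> assertAllHeadersSetForPath(REFAPP_EXCLUDED_PATH));
    }

    /**
     * Runs {@code runnable} with the whole reference plugin disabled, re-enabling it afterwards even
     * if the runnable or the disable step fails, so later tests are not left without the plugin.
     */
    private void runCodeWhenRefappIsDisabled(Runnable runnable) {
        try {
            this.backdoor.plugins().disablePlugin(ReferencePluginConstants.REFERENCE_PLUGIN_KEY);
            Assert.assertTrue("reference plugin should be disabled",
                    this.administration.plugins().isPluginDisabled(ReferencePluginConstants.REFERENCE_PLUGIN_KEY));
            runnable.run();
        } finally {
            this.backdoor.plugins().enablePlugin(ReferencePluginConstants.REFERENCE_PLUGIN_KEY);
        }
    }

    /**
     * Runs {@code runnable} with only the excluded-paths module disabled (the rest of the plugin stays
     * active), re-enabling the module afterwards in all cases.
     */
    private void runCodeWhenRefappModuleIsDisabled(Runnable runnable) {
        try {
            this.backdoor.plugins().disablePluginModule(ReferencePluginConstants.CLICKJACKING_EXCLUDED_PATHS_KEY);
            Assert.assertTrue("clickjacking excluded-paths module should be disabled",
                    this.administration.plugins().isPluginModuleDisabled(ReferencePluginConstants.REFERENCE_PLUGIN_KEY, ReferencePluginConstants.CLICKJACKING_EXCLUDED_PATHS_KEY));
            runnable.run();
        } finally {
            this.backdoor.plugins().enablePluginModule(ReferencePluginConstants.CLICKJACKING_EXCLUDED_PATHS_KEY);
        }
    }

    /** Asserts the header set expected on an excluded path: common headers and HSTS, no frame-busting headers. */
    private void assertOnlyCommonHeadersSetForPath(String path) {
        final WebResponse response = doGet(path);
        verifyCommonHeadersAreSet(response);
        verifyClickjackingHeadersNotSet(response);
        // The exclusion covers only the frame-busting headers; HSTS must still be present.
        verifyStrictTransportSecurityHeaderIsSet(response);
    }

    /** Asserts the full header set expected on a non-excluded path. */
    private void assertAllHeadersSetForPath(String path) {
        final WebResponse response = doGet(path);
        verifyCommonHeadersAreSet(response);
        verifyClickjackingHeadersAreSet(response);
        verifyStrictTransportSecurityHeaderIsSet(response);
    }

    private void verifyCommonHeadersAreSet(WebResponse webResponse) {
        Assert.assertThat("X-Content-Type-Options", webResponse.getHeaderField("X-Content-Type-Options"), CoreMatchers.equalTo(X_CONTENT_TYPE_OPTIONS_VALUE));
        Assert.assertThat("X-XSS-Protection", webResponse.getHeaderField("X-XSS-Protection"), CoreMatchers.equalTo(X_XSS_PROTECTION_VALUE));
    }

    private void verifyClickjackingHeadersAreSet(WebResponse webResponse) {
        Assert.assertThat("X-Frame-Options", webResponse.getHeaderField("X-Frame-Options"), CoreMatchers.equalTo(X_FRAME_OPTIONS_VALUE));
        Assert.assertThat("Content-Security-Policy", webResponse.getHeaderField("Content-Security-Policy"), CoreMatchers.equalTo(CONTENT_SECURITY_POLICY_VALUE));
    }

    /** HSTS is not a clickjacking control; it is asserted on every path regardless of exclusion. */
    private void verifyStrictTransportSecurityHeaderIsSet(WebResponse webResponse) {
        Assert.assertThat("Strict-Transport-Security", webResponse.getHeaderField("Strict-Transport-Security"), CoreMatchers.equalTo(STRICT_TRANSPORT_SECURITY_DEFAULT_VALUE));
    }

    private void verifyClickjackingHeadersNotSet(WebResponse webResponse) {
        Assert.assertThat("X-Frame-Options", webResponse.getHeaderField("X-Frame-Options"), CoreMatchers.nullValue());
        Assert.assertThat("Content-Security-Policy", webResponse.getHeaderField("Content-Security-Policy"), CoreMatchers.nullValue());
    }

    /**
     * Issues a GET for {@code path} via the func-test REST client.
     *
     * @throws RuntimeException wrapping the underlying {@link IOException} or {@link SAXException}; the
     *     path is included in the message because the stack trace alone does not say which URL failed
     */
    private WebResponse doGet(String path) {
        try {
            return this.restClient.GET(path);
        } catch (IOException | SAXException e) {
            throw new RuntimeException("GET " + path + " failed", e);
        }
    }
}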
