package org.nuxeo.ecm.platform.web.requestcontroller.filter;

import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.inject.Inject;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.lang3.mutable.MutableObject;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.Matchers;
import org.mockito.Mockito;
import org.mockito.invocation.InvocationOnMock;
import org.nuxeo.ecm.platform.web.common.requestcontroller.filter.NuxeoCorsCsrfFilter;
import org.nuxeo.runtime.mockito.MockitoFeature;
import org.nuxeo.runtime.test.runner.Deploy;
import org.nuxeo.runtime.test.runner.Deploys;
import org.nuxeo.runtime.test.runner.Features;
import org.nuxeo.runtime.test.runner.FeaturesRunner;
import org.nuxeo.runtime.test.runner.LogCaptureFeature;
import org.nuxeo.runtime.test.runner.LogFeature;
import org.nuxeo.runtime.test.runner.RuntimeFeature;

@LogCaptureFeature.FilterOn(logLevel = "WARN", loggerClass = NuxeoCorsCsrfFilter.class)
@RunWith(FeaturesRunner.class)
@Features({RuntimeFeature.class, MockitoFeature.class, LogFeature.class, LogCaptureFeature.class})
@Deploys({@Deploy({"org.nuxeo.ecm.platform.web.common:OSGI-INF/web-request-controller-framework.xml"}), @Deploy({"org.nuxeo.ecm.platform.web.common:OSGI-INF/cors-configuration.xml"})})
/* loaded from: input_file:org/nuxeo/ecm/platform/web/requestcontroller/filter/TestNuxeoCorsCsrfFilter.class */
public class TestNuxeoCorsCsrfFilter {
    protected static final String SCHEME = "http";
    protected static final String HOST = "example.com";
    protected static final int PORT = 8080;
    protected static final String URL_BASE = "http://example.com:8080/";
    protected static final String CONTEXT = "/nuxeo";
    protected static final String NUXEO_VIRTUAL_HOST = "nuxeo-virtual-host";
    protected static final String X_FORWARDED_PROTO = "x-forwarded-proto";
    protected static final String X_FORWARDED_HOST = "x-forwarded-host";
    protected static final String X_FORWARDED_PORT = "x-forwarded-port";

    @Inject
    protected LogFeature logFeature;

    @Inject
    protected LogCaptureFeature.Result logCaptureResult;
    protected NuxeoCorsCsrfFilter filter;
    protected DummyFilterChain chain;
    protected HttpServletRequest request;
    protected HttpServletResponse response;

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:org/nuxeo/ecm/platform/web/requestcontroller/filter/TestNuxeoCorsCsrfFilter$DummyFilterChain.class */
    public static class DummyFilterChain implements FilterChain {
        protected boolean called;

        protected DummyFilterChain() {
        }

        public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse) {
            this.called = true;
        }
    }

    @Before
    public void setUp() throws Exception {
        this.filter = new NuxeoCorsCsrfFilter();
        this.filter.init((FilterConfig) null);
        this.chain = new DummyFilterChain();
        this.request = (HttpServletRequest) Mockito.mock(HttpServletRequest.class);
        this.response = (HttpServletResponse) Mockito.mock(HttpServletResponse.class);
    }

    @After
    public void tearDown() {
        this.filter.destroy();
    }

    protected void maybeSetupToken() {
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public Map<String, Object> mockSessionAttributes() {
        HttpSession httpSession = (HttpSession) Mockito.mock(HttpSession.class);
        HashMap hashMap = new HashMap();
        mockSessionAttributes(httpSession, hashMap);
        Mockito.when(this.request.getSession()).thenReturn(httpSession);
        Mockito.when(this.request.getSession(Matchers.anyBoolean())).thenReturn(httpSession);
        return hashMap;
    }

    protected void mockSessionAttributes(HttpSession httpSession, Map<String, Object> map) {
        ((HttpSession) Mockito.doAnswer(invocationOnMock -> {
            return map.get((String) invocationOnMock.getArguments()[0]);
        }).when(httpSession)).getAttribute(Matchers.anyString());
        ((HttpSession) Mockito.doAnswer(invocationOnMock2 -> {
            map.put((String) invocationOnMock2.getArguments()[0], invocationOnMock2.getArguments()[1]);
            return null;
        }).when(httpSession)).setAttribute(Matchers.anyString(), Matchers.any());
        ((HttpSession) Mockito.doAnswer(invocationOnMock3 -> {
            map.remove((String) invocationOnMock3.getArguments()[0]);
            return null;
        }).when(httpSession)).removeAttribute(Matchers.anyString());
        ((HttpSession) Mockito.doAnswer(invocationOnMock4 -> {
            map.clear();
            return null;
        }).when(httpSession)).invalidate();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void mockRequestURI(HttpServletRequest httpServletRequest, String str, String str2) {
        String str3 = CONTEXT + str2;
        Mockito.when(httpServletRequest.getMethod()).thenReturn(str);
        Mockito.when(httpServletRequest.getScheme()).thenReturn(SCHEME);
        Mockito.when(httpServletRequest.getServerName()).thenReturn(HOST);
        Mockito.when(Integer.valueOf(httpServletRequest.getServerPort())).thenReturn(Integer.valueOf(PORT));
        Mockito.when(httpServletRequest.getRequestURI()).thenReturn(str3);
        Mockito.when(httpServletRequest.getContextPath()).thenReturn(CONTEXT);
        Mockito.when(httpServletRequest.getServletPath()).thenReturn(str2);
        Mockito.when(httpServletRequest.getPathInfo()).thenReturn((Object) null);
        Mockito.when(httpServletRequest.getQueryString()).thenReturn((Object) null);
    }

    @Test
    public void testNoOriginNorReferer() throws Exception {
        mockRequestURI(this.request, "GET", "");
        Mockito.when(this.request.getHeader((String) Matchers.eq(NUXEO_VIRTUAL_HOST))).thenReturn(URL_BASE);
        this.filter.doFilter(this.request, this.response, this.chain);
        Assert.assertTrue(this.chain.called);
    }

    @Test
    public void testMatchOrigin() throws Exception {
        mockRequestURI(this.request, "GET", "");
        Mockito.when(this.request.getHeader((String) Matchers.eq("Origin"))).thenReturn(URL_BASE);
        this.filter.doFilter(this.request, this.response, this.chain);
        Assert.assertTrue(this.chain.called);
    }

    @Test
    public void testMatchOriginWithVirtualHost() throws Exception {
        mockRequestURI(this.request, "GET", "");
        Mockito.when(this.request.getHeader((String) Matchers.eq("Origin"))).thenReturn(URL_BASE);
        Mockito.when(this.request.getHeader((String) Matchers.eq(NUXEO_VIRTUAL_HOST))).thenReturn(URL_BASE);
        this.filter.doFilter(this.request, this.response, this.chain);
        Assert.assertTrue(this.chain.called);
    }

    @Test
    public void testMatchOriginWithForwardedHeaders() throws Exception {
        mockRequestURI(this.request, "GET", "");
        Mockito.when(this.request.getHeader((String) Matchers.eq("Origin"))).thenReturn("https://nicesite.example.com");
        Mockito.when(this.request.getHeader((String) Matchers.eq(X_FORWARDED_PROTO))).thenReturn("https");
        Mockito.when(this.request.getHeader((String) Matchers.eq(X_FORWARDED_HOST))).thenReturn("nicesite.example.com");
        Mockito.when(this.request.getHeader((String) Matchers.eq(X_FORWARDED_PORT))).thenReturn("443");
        this.filter.doFilter(this.request, this.response, this.chain);
        Assert.assertTrue(this.chain.called);
    }

    @Test
    public void testMatchReferer() throws Exception {
        mockRequestURI(this.request, "GET", "");
        Mockito.when(this.request.getHeader((String) Matchers.eq("Referer"))).thenReturn("http://example.com:8080/nuxeo/somepage.html");
        Mockito.when(this.request.getHeader((String) Matchers.eq(NUXEO_VIRTUAL_HOST))).thenReturn(URL_BASE);
        this.filter.doFilter(this.request, this.response, this.chain);
        Assert.assertTrue(this.chain.called);
    }

    @Test
    public void testMismatchButGet() throws Exception {
        doTestMismatchButNonStateChangingMethod("GET");
    }

    @Test
    public void testMismatchButHead() throws Exception {
        doTestMismatchButNonStateChangingMethod("HEAD");
    }

    @Test
    public void testMismatchButOptions() throws Exception {
        doTestMismatchButNonStateChangingMethod("OPTIONS");
    }

    @Test
    public void testMismatchButTrace() throws Exception {
        doTestMismatchButNonStateChangingMethod("TRACE");
    }

    public void doTestMismatchButNonStateChangingMethod(String str) throws Exception {
        mockRequestURI(this.request, "GET", "");
        Mockito.when(this.request.getMethod()).thenReturn(str);
        Mockito.when(this.request.getHeader((String) Matchers.eq("Referer"))).thenReturn("http://google.com/");
        Mockito.when(this.request.getHeader((String) Matchers.eq(NUXEO_VIRTUAL_HOST))).thenReturn(URL_BASE);
        this.filter.doFilter(this.request, this.response, this.chain);
        Assert.assertTrue(this.chain.called);
    }

    @Test
    @Deploy({"org.nuxeo.ecm.platform.web.common.test:OSGI-INF/test-cors-config.xml"})
    public void testOriginFromBrowserExtension() throws Exception {
        mockRequestURI(this.request, "POST", "/site/something");
        Mockito.when(this.request.getHeader((String) Matchers.eq("Origin"))).thenReturn("moz-extension://12345678-1234-1234-1234-1234567890ab");
        Mockito.when(this.request.getHeader((String) Matchers.eq(NUXEO_VIRTUAL_HOST))).thenReturn(URL_BASE);
        maybeSetupToken();
        this.filter.doFilter(this.request, this.response, this.chain);
        Assert.assertTrue(this.chain.called);
    }

    @Test
    @Deploy({"org.nuxeo.ecm.platform.web.common.test:OSGI-INF/test-cors-config.xml"})
    public void testMismatchPostButAllowedByCORS() throws Exception {
        mockRequestURI(this.request, "POST", "/site/something");
        Mockito.when(this.request.getHeader((String) Matchers.eq("Origin"))).thenReturn("http://friendly.com");
        Mockito.when(this.request.getHeader((String) Matchers.eq(NUXEO_VIRTUAL_HOST))).thenReturn(URL_BASE);
        maybeSetupToken();
        this.filter.doFilter(this.request, this.response, this.chain);
        Assert.assertTrue(this.chain.called);
    }

    @Test
    @Deploy({"org.nuxeo.ecm.platform.web.common.test:OSGI-INF/test-cors-config.xml"})
    public void testMismatchPostFromBuggyBrowser() throws Exception {
        mockRequestURI(this.request, "POST", "/site/something");
        Mockito.when(this.request.getHeader((String) Matchers.eq("Referer"))).thenReturn("http://friendly.com/myapp/login?key=123");
        Mockito.when(this.request.getHeader((String) Matchers.eq(NUXEO_VIRTUAL_HOST))).thenReturn(URL_BASE);
        maybeSetupToken();
        this.filter.doFilter(this.request, this.response, this.chain);
        Assert.assertTrue(this.chain.called);
    }

    @Test
    public void testMismatchPost() throws Exception {
        doTestMismatchPost("http://attacker.com", false);
    }

    @Test
    public void testMismatchPostNullOriginDefault() throws Exception {
        doTestMismatchPostNullOrigin(false);
    }

    @Test
    @Deploy({"org.nuxeo.ecm.platform.web.common.test:OSGI-INF/test-cors-null-origin-forbidden.xml"})
    public void testMismatchPostNullOriginForbidden() throws Exception {
        doTestMismatchPostNullOrigin(false);
    }

    @Test
    @Deploy({"org.nuxeo.ecm.platform.web.common.test:OSGI-INF/test-cors-null-origin-allowed.xml"})
    public void testMismatchPostNullOriginAllowed() throws Exception {
        doTestMismatchPostNullOrigin(true);
    }

    protected void doTestMismatchPostNullOrigin(boolean z) throws Exception {
        doTestMismatchPost("null", z);
    }

    protected void doTestMismatchPost(String str, boolean z) throws Exception {
        mockRequestURI(this.request, "POST", "/site/something");
        Mockito.when(this.request.getHeader((String) Matchers.eq("Origin"))).thenReturn(str);
        Mockito.when(this.request.getHeader((String) Matchers.eq(NUXEO_VIRTUAL_HOST))).thenReturn(URL_BASE);
        maybeSetupToken();
        MutableObject mutableObject = new MutableObject();
        ((HttpServletResponse) Mockito.doAnswer(invocationOnMock -> {
            mutableObject.setValue(invocationOnMock);
            return null;
        }).when(this.response)).sendError(Matchers.anyInt(), Matchers.anyString());
        try {
            this.logFeature.hideWarningFromConsoleLog();
            this.filter.doFilter(this.request, this.response, this.chain);
            this.logFeature.restoreConsoleLog();
            if ("null".equals(str) && z) {
                Assert.assertTrue(this.chain.called);
                return;
            }
            Assert.assertFalse(this.chain.called);
            Assert.assertNotNull(mutableObject.getValue());
            Object[] arguments = ((InvocationOnMock) mutableObject.getValue()).getArguments();
            Assert.assertEquals(403, arguments[0]);
            Assert.assertEquals("CSRF check failure", arguments[1]);
            List caughtEventMessages = this.logCaptureResult.getCaughtEventMessages();
            Assert.assertFalse("Expected WARN", caughtEventMessages.isEmpty());
            Assert.assertEquals("CSRF check failure: source: " + (str.equals("null") ? "privacy-sensitive:///" : str) + " does not match target: " + URL_BASE + " and not allowed by CORS config", (String) caughtEventMessages.get(caughtEventMessages.size() - 1));
        } catch (Throwable th) {
            this.logFeature.restoreConsoleLog();
            throw th;
        }
    }
}
