package org.owasp.security.logging.log4j.mask;

import org.apache.logging.log4j.Marker;
import org.apache.logging.log4j.core.LogEvent;
import org.apache.logging.log4j.core.appender.rewrite.RewritePolicy;
import org.apache.logging.log4j.core.config.plugins.Plugin;
import org.apache.logging.log4j.core.config.plugins.PluginFactory;
import org.apache.logging.log4j.core.impl.Log4jLogEvent;
import org.apache.logging.log4j.message.Message;
import org.apache.logging.log4j.message.ParameterizedMessage;
import org.apache.logging.slf4j.Log4jMarker;
import org.owasp.security.logging.SecurityMarkers;

@Plugin(name = "MaskingRewritePolicy", category = "Core", elementType = "rewritePolicy", printObject = true)
/* loaded from: input_file:org/owasp/security/logging/log4j/mask/MaskingRewritePolicy.class */
public class MaskingRewritePolicy implements RewritePolicy {
    public static final Object MASKED_PASSWORD = "********";

    @PluginFactory
    public static MaskingRewritePolicy createPolicy() {
        return new MaskingRewritePolicy();
    }

    public LogEvent rewrite(LogEvent logEvent) {
        Marker marker = logEvent.getMarker();
        if (marker == null) {
            return logEvent;
        }
        Message message = logEvent.getMessage();
        if (message == null || !(message instanceof ParameterizedMessage)) {
            return logEvent;
        }
        Object[] parameters = message.getParameters();
        if (parameters == null || parameters.length == 0) {
            return logEvent;
        }
        if (!new Log4jMarker(marker).contains(SecurityMarkers.CONFIDENTIAL)) {
            return logEvent;
        }
        for (int i = 0; i < parameters.length; i++) {
            parameters[i] = MASKED_PASSWORD;
        }
        return new Log4jLogEvent.Builder(logEvent).setMessage(new ParameterizedMessage(message.getFormat(), parameters, message.getThrowable())).build();
    }
}
