package com.gruelbox.tools.dropwizard.httpsredirect;

import com.google.common.collect.FluentIterable;
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.collections4.iterators.EnumerationIterator;
import org.apache.commons.lang3.StringUtils;
import org.eclipse.jetty.util.URIUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/gruelbox/tools/dropwizard/httpsredirect/HttpsEnforcer.class */
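/**
 * Servlet filter that redirects plain-HTTP requests to HTTPS and adds a
 * {@code Strict-Transport-Security} header to requests that are already secure.
 *
 * <p>How "secure" is decided depends on the configured {@link HttpsResponsibility}:
 * <ul>
 *   <li>{@code HTTPS_AT_PROXY}: the {@code X-Forwarded-Proto} request header is compared with
 *       {@code https}.</li>
 *   <li>{@code HTTPS_DIRECT}: {@link HttpServletRequest#isSecure()} is used.</li>
 * </ul>
 *
 * <p>Security notes for deployers:
 * <ul>
 *   <li>{@code X-Forwarded-Proto} is an ordinary request header. In {@code HTTPS_AT_PROXY} mode
 *       the decision is only as trustworthy as the proxy that sets it: the proxy must overwrite
 *       any client-supplied value, and the application must not be reachable around the proxy.</li>
 *   <li>The redirect target is built from {@link HttpServletRequest#getServerName()}, which the
 *       container normally derives from the {@code Host} request header. Nothing in this class
 *       restricts the host, so host validation (virtual-host or allow-list configuration at the
 *       proxy or container) has to be done elsewhere.</li>
 *   <li>The HSTS value is fixed at two years with {@code includeSubDomains} and {@code preload};
 *       it therefore commits every sub-domain of the serving host to HTTPS.</li>
 * </ul>
 */
public final class HttpsEnforcer implements Filter {
    private static final String HTTPS = "https";
    private static final String X_FORWARDED_PROTO = "X-Forwarded-Proto";
    private static final String HSTS_HEADER_NAME = "Strict-Transport-Security";
    // 63072000 seconds = 730 days.
    private static final String HSTS_HEADER_VALUE = "max-age=63072000; includeSubDomains; preload";
    private static final Logger LOGGER = LoggerFactory.getLogger(HttpsEnforcer.class);
    private static final Pattern CR_OR_LF = Pattern.compile("\\r|\\n");

    private final HttpsResponsibility httpsResponsibility;

    /**
     * Creates the filter.
     *
     * @param httpsResponsibility where TLS is terminated; selects how a request is judged secure
     */
    public HttpsEnforcer(HttpsResponsibility httpsResponsibility) {
        this.httpsResponsibility = httpsResponsibility;
    }

    /** No initialisation is required. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /**
     * Applies the HTTPS policy to HTTP requests.
     *
     * <p>A response that is not an {@link HttpServletResponse} is neither processed nor passed
     * down the chain, so such a request ends here without reaching the application.
     */
    @Override
    public final void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (servletResponse instanceof HttpServletResponse) {
            apply((HttpServletRequest) servletRequest, (HttpServletResponse) servletResponse, filterChain);
        }
    }

    /** Nothing to release. */
    @Override
    public void destroy() {
    }

    /**
     * Redirects insecure requests and lets secure ones through with the HSTS header added.
     *
     * @throws IllegalStateException if the request contradicts the configured mode (for example
     *     the forwarding header is missing in {@code HTTPS_AT_PROXY} mode)
     * @throws UnsupportedOperationException if the configured mode is not handled here
     */
    private void apply(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException, ServletException {
        switch (this.httpsResponsibility) {
            case HTTPS_AT_PROXY:
                String forwardedProto = httpServletRequest.getHeader(X_FORWARDED_PROTO);
                if (StringUtils.isEmpty(forwardedProto)) {
                    // Fail closed: without the header we cannot tell whether the client leg was
                    // encrypted. Only header names (not values) are put in the message.
                    throw new IllegalStateException("Configured to assume application is behind a proxy but the forward header has not been provided. Headers available: " + listForRequest(httpServletRequest).toList());
                }
                if (!forwardedProto.equalsIgnoreCase(HTTPS)) {
                    switchToHttps(httpServletRequest, httpServletResponse);
                    return;
                }
                break;
            case HTTPS_DIRECT:
                if (!httpServletRequest.isSecure()) {
                    // NOTE(review): ServletRequest.getProtocol() returns the protocol name and
                    // version (for example "HTTP/1.1"), so this comparison with "https" is not
                    // expected to match. getScheme() looks like what was intended; confirm
                    // before changing, since it alters when this exception is raised.
                    if (httpServletRequest.getProtocol().equalsIgnoreCase(HTTPS)) {
                        throw new IllegalStateException("Configured to assume application is accessed directly but connection is not secure and protocol is already https");
                    }
                    switchToHttps(httpServletRequest, httpServletResponse);
                    return;
                }
                break;
            default:
                throw new UnsupportedOperationException("Unknown HTTP responsibility: " + this.httpsResponsibility);
        }
        // HSTS is only sent on the secure path; the redirect path returns before reaching here.
        httpServletResponse.addHeader(HSTS_HEADER_NAME, HSTS_HEADER_VALUE);
        filterChain.doFilter(httpServletRequest, httpServletResponse);
    }

    /**
     * Sends a redirect to the HTTPS form of the requested URL, or a 400 if the rebuilt URL
     * contains a raw CR or LF.
     */
    private void switchToHttps(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        // Port 80 maps to 443; any other port is reused unchanged, which assumes HTTPS is served
        // on that same port number. TODO confirm for non-default ports and proxy deployments.
        int requestPort = httpServletRequest.getServerPort();
        int targetPort = requestPort == 80 ? 443 : requestPort;

        StringBuilder target = new StringBuilder(128);
        // The host comes from getServerName(), i.e. normally from the Host request header.
        URIUtil.appendSchemeHostPort(target, HTTPS, httpServletRequest.getServerName(), targetPort);
        target.append(httpServletRequest.getRequestURI());
        String query = httpServletRequest.getQueryString();
        if (query != null) {
            target.append("?");
            target.append(query);
        }

        String location = sanitize(target.toString());
        if (location == null) {
            httpServletResponse.sendError(HttpServletResponse.SC_BAD_REQUEST, "Malformed request");
            // Stop here: the response is already committed by sendError, and falling through
            // would log a redirect that never happened and call sendRedirect(null).
            return;
        }
        // The logged URL includes the query string, so anything sensitive a client put there
        // ends up in the log as well.
        LOGGER.error("Unsecured access redirected to [{}]", location);
        httpServletResponse.sendRedirect(location);
    }

    /**
     * Rejects strings that would let a caller split the response via the {@code Location} header.
     *
     * <p>Only raw carriage-return and line-feed characters are matched; percent-encoded forms
     * pass through unchanged.
     *
     * @param str the candidate redirect URL
     * @return {@code str} unchanged if it contains no CR or LF, otherwise {@code null}
     */
    String sanitize(String str) {
        if (CR_OR_LF.matcher(str).find()) {
            LOGGER.warn("Attempted response split attack");
            return null;
        }
        return str;
    }

    /** Returns the names (not the values) of the request's headers, for diagnostics. */
    private static FluentIterable<String> listForRequest(HttpServletRequest httpServletRequest) {
        return FluentIterable.from(() -> new EnumerationIterator<>(httpServletRequest.getHeaderNames()));
    }
}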
