package org.apache.struts2.interceptor.csp;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Objects;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

/* loaded from: input_file:org/apache/struts2/interceptor/csp/DefaultCspSettings.class */
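/**
 * Default {@link CspSettings} implementation: emits a nonce-based
 * Content-Security-Policy for every request that already has a session.
 *
 * <p>Per request a fresh random nonce is stored in the HTTP session under the
 * {@code "nonce"} attribute (so views can read it for their {@code <script nonce=...>}
 * tags) and the same value is placed in the {@code script-src} directive of the
 * emitted header. The header name is report-only by default and switches to the
 * enforcing header via {@link #setEnforcingMode(boolean)}.
 *
 * <p>Not thread-safe for configuration: the setters are expected to be called during
 * setup, before requests are served.
 */
public class DefaultCspSettings implements CspSettings {
    private static final Logger LOG = LogManager.getLogger(DefaultCspSettings.class);

    /** Size of the random nonce in bytes; 18 bytes encode to 24 base64 characters without padding. */
    private static final int NONCE_LENGTH_BYTES = 18;
    /** Session attribute name under which the current nonce is stored. */
    private static final String NONCE_SESSION_ATTRIBUTE = "nonce";

    /** Optional {@code report-uri} directive value; {@code null} disables reporting directives. */
    protected String reportUri;
    /** Optional {@code report-to} directive value; only emitted when {@link #reportUri} is also set. */
    protected String reportTo;
    private final SecureRandom sRand = new SecureRandom();
    /** Response header name: report-only by default, enforcing after {@link #setEnforcingMode(boolean)}. */
    protected String cspHeader = CspSettings.CSP_REPORT_HEADER;

    /**
     * Generates a nonce, stores it in the session and writes the CSP header.
     *
     * <p>Requests without an existing session are skipped: the nonce lives in the
     * session, and this method deliberately does not create one.
     *
     * @param httpServletRequest  the current request, used to reach the session
     * @param httpServletResponse the response that receives the CSP header
     */
    @Override
    public void addCspHeaders(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (!isSessionActive(httpServletRequest)) {
            LOG.trace("Session is not active, ignoring CSP settings");
            return;
        }
        LOG.trace("Session is active, applying CSP settings");
        associateNonceWithSession(httpServletRequest);
        httpServletResponse.setHeader(this.cspHeader, createPolicyFormat(httpServletRequest));
    }

    /**
     * Returns whether the request already carries a session; never creates one.
     *
     * @param httpServletRequest the current request
     * @return {@code true} if a session exists
     */
    private boolean isSessionActive(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getSession(false) != null;
    }

    /**
     * Generates a fresh random nonce and stores it in the session, replacing any
     * previous value. URL-safe base64 is used so the nonce needs no further escaping.
     *
     * @param httpServletRequest the current request; a session must already exist
     */
    private void associateNonceWithSession(HttpServletRequest httpServletRequest) {
        String nonce = Base64.getUrlEncoder().encodeToString(getRandomBytes());
        httpServletRequest.getSession().setAttribute(NONCE_SESSION_ATTRIBUTE, nonce);
    }

    /**
     * Builds the CSP header value for the current request.
     *
     * <p>The policy is assembled by plain concatenation rather than by running the
     * finished string through {@link String#format}: {@code reportUri} and
     * {@code reportTo} are emitted verbatim, so a {@code %} in a report URI (e.g. a
     * percent-encoded path) must not be interpreted as a format specifier.
     *
     * @param httpServletRequest the current request, used to read the session nonce
     * @return the header value, e.g.
     *         {@code object-src 'none'; script-src 'nonce-...' 'strict-dynamic' http: https:; base-uri 'none'; }
     */
    protected String createPolicyFormat(HttpServletRequest httpServletRequest) {
        String nonce = getNonceString(httpServletRequest);
        StringBuilder policy = new StringBuilder()
                .append(CspSettings.OBJECT_SRC).append(" 'none'; ")
                .append(CspSettings.SCRIPT_SRC).append(" 'nonce-").append(nonce).append("' ")
                .append('\'').append(CspSettings.STRICT_DYNAMIC).append("' ")
                .append(CspSettings.HTTP).append(' ').append(CspSettings.HTTPS).append("; ")
                .append(CspSettings.BASE_URI).append(" 'none'; ");
        if (this.reportUri != null) {
            policy.append(CspSettings.REPORT_URI).append(' ').append(this.reportUri).append("; ");
            // report-to is only emitted together with report-uri (kept from the original behaviour)
            if (this.reportTo != null) {
                policy.append(CspSettings.REPORT_TO).append(' ').append(this.reportTo).append("; ");
            }
        }
        return policy.toString();
    }

    /**
     * Reads the nonce previously stored by {@link #associateNonceWithSession}.
     *
     * @param httpServletRequest the current request
     * @return the nonce, or the string {@code "null"} if none was stored
     */
    protected String getNonceString(HttpServletRequest httpServletRequest) {
        return Objects.toString(httpServletRequest.getSession().getAttribute(NONCE_SESSION_ATTRIBUTE));
    }

    /**
     * Produces {@value #NONCE_LENGTH_BYTES} bytes from a cryptographically secure source.
     *
     * @return a freshly filled random byte array
     */
    private byte[] getRandomBytes() {
        byte[] bytes = new byte[NONCE_LENGTH_BYTES];
        this.sRand.nextBytes(bytes);
        return bytes;
    }

    /**
     * Selects the header name: enforcing when {@code true}, report-only when {@code false}.
     *
     * <p>Unlike a one-way switch, passing {@code false} after {@code true} returns the
     * settings to report-only mode, so the setter reflects the last value given.
     *
     * @param z {@code true} to emit the enforcing header, {@code false} for report-only
     */
    @Override
    public void setEnforcingMode(boolean z) {
        this.cspHeader = z ? CspSettings.CSP_ENFORCE_HEADER : CspSettings.CSP_REPORT_HEADER;
    }

    /**
     * Sets the {@code report-uri} directive value. The value is written verbatim into
     * the response header, so it must be a valid URI without {@code ;} or line breaks.
     *
     * @param str the report URI, or {@code null} to omit reporting directives
     */
    @Override
    public void setReportUri(String str) {
        this.reportUri = str;
    }

    /**
     * Sets the {@code report-to} directive value (a Reporting API group name). It is
     * only emitted when a report URI is also configured.
     *
     * @param str the reporting group, or {@code null} to omit the directive
     */
    @Override
    public void setReportTo(String str) {
        this.reportTo = str;
    }

    @Override
    public String toString() {
        return "DefaultCspSettings{reportUri='" + this.reportUri + "', reportTo='" + this.reportTo + "', cspHeader='" + this.cspHeader + "'}";
    }
}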
