package org.apache.sling.xss.impl.webconsole;

import java.io.IOException;
import java.io.InputStream;
import java.io.PrintWriter;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.atomic.AtomicInteger;
import javax.json.Json;
import javax.json.JsonArrayBuilder;
import javax.json.JsonWriter;
import javax.servlet.Servlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.batik.constants.XMLConstants;
import org.apache.batik.util.CSSConstants;
import org.apache.batik.util.SVGConstants;
import org.apache.commons.io.FilenameUtils;
import org.apache.commons.io.IOUtils;
import org.apache.commons.text.StringEscapeUtils;
import org.apache.sling.xss.XSSFilter;
import org.apache.sling.xss.impl.XSSFilterImpl;
import org.apache.sling.xss.impl.status.XSSStatusService;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

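/**
 * Felix Web Console plugin for the XSS protection API.
 *
 * <p>It renders a "Status" tab listing the URLs the {@link XSSFilter} has rejected (data served as
 * JSON by {@link #generateInvalidUrlsJSONReport}) and, when the bound filter is the bundle's own
 * {@link XSSFilterImpl}, an "Active Configuration" tab showing the AntiSamy policy in use, which can
 * also be downloaded as XML. The plugin's own CSS/JS files are served from the bundle's
 * {@code /webconsole} folder; only the fixed paths in {@link #CSS_RESOURCES} and
 * {@link #JS_RESOURCES} are ever looked up, so the request path never selects an arbitrary bundle
 * entry.
 */
@Component(service = {Servlet.class}, property = {
        XSSProtectionAPIWebConsolePlugin.REG_PROP_LABEL + "=" + XSSProtectionAPIWebConsolePlugin.LABEL,
        XSSProtectionAPIWebConsolePlugin.REG_PROP_TITLE + "=" + XSSProtectionAPIWebConsolePlugin.TITLE,
        XSSProtectionAPIWebConsolePlugin.REG_PROP_CATEGORY + "=Sling"})
/* loaded from: input_file:org/apache/sling/xss/impl/webconsole/XSSProtectionAPIWebConsolePlugin.class */
public class XSSProtectionAPIWebConsolePlugin extends HttpServlet {
    static final String REG_PROP_LABEL = "felix.webconsole.label";
    static final String REG_PROP_TITLE = "felix.webconsole.title";
    static final String REG_PROP_CATEGORY = "felix.webconsole.category";
    static final String LABEL = "xssprotection";
    static final String TITLE = "XSS Protection";

    private static final Logger LOGGER = LoggerFactory.getLogger(XSSProtectionAPIWebConsolePlugin.class);

    /** Root of this plugin below the Web Console; every path handled here starts with it. */
    private static final String PLUGIN_ROOT_PATH = "/" + LABEL;
    /** Path of the "Active Configuration" tab (an HTML fragment). */
    private static final String URI_CONFIG_XHR = PLUGIN_ROOT_PATH + "/config.xhr";
    /** Path of the blocked-URLs JSON report. */
    private static final String URI_BLOCKED_XHR = PLUGIN_ROOT_PATH + "/blocked.json";
    /** Path of the downloadable AntiSamy policy. */
    private static final String URI_CONFIG_XML = PLUGIN_ROOT_PATH + "/config.xml";
    /** Folder inside the bundle that holds the plugin's static CSS/JS files. */
    private static final String INTERNAL_RESOURCES_FOLDER = "/webconsole";
    /** Request path prefix under which those static files are served. */
    private static final String RES_ROOT = PLUGIN_ROOT_PATH + INTERNAL_RESOURCES_FOLDER;

    /** {@code printf} template for a script include; {@code %s} receives the URL. */
    public static final String SCRIPT_TAG = "<script src='%s'></script>\n";
    /** {@code printf} template for a stylesheet link; {@code %s} receives the URL. */
    public static final String LINK_TAG = "<link rel='stylesheet' type='text/css' href='%s'>";

    private static final String RES_URI_PRETTIFY_CSS = RES_ROOT + "/prettify.css";
    private static final String RES_URI_XSS_CSS = RES_ROOT + "/xss.css";
    private static final String RES_URI_PRETTIFY_JS = RES_ROOT + "/prettify.js";
    private static final String RES_URI_XSS_JS = RES_ROOT + "/xss.js";
    private static final String RES_URI_BLOCKED_JS = RES_ROOT + "/blocked.js";
    private static final String RES_URI_CONFIG_JS = RES_ROOT + "/config.js";

    /** Allow-list of stylesheet paths this plugin serves from the bundle. */
    private static final Set<String> CSS_RESOURCES = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList(RES_URI_PRETTIFY_CSS, RES_URI_XSS_CSS)));
    /** Allow-list of script paths this plugin serves from the bundle. */
    private static final Set<String> JS_RESOURCES = Collections.unmodifiableSet(
            new HashSet<>(Arrays.asList(RES_URI_PRETTIFY_JS, RES_URI_XSS_JS, RES_URI_BLOCKED_JS, RES_URI_CONFIG_JS)));

    private static final String CSS_MIME_TYPE = "text/css";
    private static final String JAVASCRIPT_MIME_TYPE = "application/javascript";

    @Reference(target = "(component.name=org.apache.sling.xss.impl.XSSFilterImpl)")
    private XSSFilter xssFilter;

    @Reference
    private XSSStatusService statusService;

    /**
     * Dispatches on the request's path info: bundled CSS/JS files, the AntiSamy configuration tab
     * and its XML download (both only when the filter is bound), the blocked-URLs JSON report, and
     * otherwise the HTML scaffold of the plugin page. Failures while writing the response are
     * logged, not propagated.
     *
     * @param httpServletRequest  the request; {@code getPathInfo()} selects the action
     * @param httpServletResponse the response to write to
     */
    @Override
    protected void doGet(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String pathInfo = httpServletRequest.getPathInfo();
        // a null pathInfo matches none of the branches below and falls through to the scaffold
        if (CSS_RESOURCES.contains(pathInfo)) {
            streamResource(httpServletResponse, FilenameUtils.getName(pathInfo), CSS_MIME_TYPE);
        } else if (JS_RESOURCES.contains(pathInfo)) {
            streamResource(httpServletResponse, FilenameUtils.getName(pathInfo), JAVASCRIPT_MIME_TYPE);
        } else if (URI_CONFIG_XHR.equalsIgnoreCase(pathInfo) && this.xssFilter != null) {
            writeAntiSamyConfiguration(consoleRoot(httpServletRequest), httpServletResponse);
        } else if (URI_CONFIG_XML.equalsIgnoreCase(pathInfo) && this.xssFilter != null) {
            streamAntiSamyConfiguration(httpServletResponse);
        } else if (URI_BLOCKED_XHR.equalsIgnoreCase(pathInfo)) {
            generateInvalidUrlsJSONReport(httpServletResponse);
        } else {
            try {
                writeScaffold(httpServletResponse.getWriter(), consoleRoot(httpServletRequest));
            } catch (IOException e) {
                LOGGER.error("Unable to generate scaffold for the webconsole plugin output.", e);
            }
        }
    }

    /**
     * Computes the path under which the Web Console is mounted, i.e. the request URI with this
     * plugin's {@code pathInfo} removed; bundled resources and the configuration tab are linked
     * relative to it.
     *
     * @param request the current request
     * @return the console mount path, never {@code null}
     */
    private static String consoleRoot(HttpServletRequest request) {
        String requestUri = request.getRequestURI();
        String pathInfo = request.getPathInfo();
        if (pathInfo != null && !pathInfo.isEmpty()) {
            // pathInfo is the tail of the URI: match it from the end so that a mount path that
            // happens to contain the same text is not mistaken for it
            int cut = requestUri.lastIndexOf(pathInfo);
            if (cut >= 0) {
                return requestUri.substring(0, cut);
            }
        }
        // pathInfo missing or not found verbatim in the (still encoded) URI: fall back to the
        // container's own notion of the prefix, which is what requestURI = contextPath + servletPath
        // + pathInfo leaves before pathInfo
        return request.getContextPath() + request.getServletPath();
    }

    /**
     * Builds a link target for an HTML attribute. The console root is derived from the request URI,
     * so it is HTML-escaped before being echoed back; for a plain mount path such as
     * {@code /system/console} this changes nothing.
     *
     * @param consoleRoot the console mount path
     * @param path        the plugin-relative path to append
     * @return the escaped attribute value
     */
    private static String attributeValue(String consoleRoot, String path) {
        return StringEscapeUtils.escapeHtml4(consoleRoot + path);
    }

    /**
     * Writes the HTML fragment hosting the tab bar and the "Blocked URLs" table; the table body is
     * left empty and is filled client-side from the JSON report.
     *
     * @param writer      the response writer
     * @param consoleRoot the console mount path used to link this plugin's CSS/JS
     */
    private void writeScaffold(PrintWriter writer, String consoleRoot) {
        writer.printf(LINK_TAG, attributeValue(consoleRoot, RES_URI_XSS_CSS));
        writer.printf(SCRIPT_TAG, attributeValue(consoleRoot, RES_URI_XSS_JS));
        writer.println("<div id='xss-tabs'>");
        writer.println("<ul>");
        writer.println("<li id='blocked-tab'><a href='#blocked'><span>Status</span></a></li>");
        if (this.xssFilter != null) {
            writer.println(String.format("<li id='config-tab'><a href='%s'><span>Active Configuration</span></a></li>",
                    attributeValue(consoleRoot, URI_CONFIG_XHR)));
        }
        writer.println("</ul>");
        writer.println("<div id='blocked'>");
        writer.println("<div class='table'>");
        writer.println("<div class='ui-widget-header ui-corner-top buttonGroup'>Blocked URLs</div>");
        writer.println("<table class='nicetable tablesorter' id='invalid-urls'>");
        writer.println("<thead>");
        writer.println("<tr>");
        writer.println("<th class='header'>URL</th>");
        writer.println("<th class='header'>Times Blocked</th>");
        writer.println("</tr>");
        writer.println("</thead>");
        writer.println("<tbody id='invalid-urls-rows'>");
        writer.println("</tbody>");
        writer.println("</table>");
        writer.println("</div></div></div>");
    }

    /**
     * Returns the AntiSamy policy currently used by the bound filter.
     *
     * @return the active policy, or {@code null} when the bound filter is not an
     *         {@link XSSFilterImpl} or reports no policy
     */
    private XSSFilterImpl.AntiSamyPolicy activePolicy() {
        if (this.xssFilter instanceof XSSFilterImpl) {
            return ((XSSFilterImpl) this.xssFilter).getActivePolicy();
        }
        return null;
    }

    /**
     * Streams the active AntiSamy policy as an XML download ({@code config.xml}); answers 404 when
     * no policy is active. The policy stream is closed after copying.
     *
     * @param httpServletResponse the response to write to
     */
    private void streamAntiSamyConfiguration(HttpServletResponse httpServletResponse) {
        XSSFilterImpl.AntiSamyPolicy activePolicy = activePolicy();
        try {
            if (activePolicy == null) {
                httpServletResponse.sendError(HttpServletResponse.SC_NOT_FOUND);
                return;
            }
            httpServletResponse.setContentType("application/xml");
            httpServletResponse.setHeader("Content-Disposition", "attachment; filename=config.xml");
            try (InputStream in = activePolicy.read()) {
                IOUtils.copy(in, httpServletResponse.getOutputStream());
            }
        } catch (IOException e) {
            LOGGER.error("Unable to stream AntiSamy configuration.", e);
        }
    }

    /**
     * Writes the blocked-URLs report as {@code {"hrefs": [{"href": ..., "times": ...}, ...]}}.
     *
     * @param httpServletResponse the response to write to
     */
    private void generateInvalidUrlsJSONReport(HttpServletResponse httpServletResponse) {
        JsonArrayBuilder hrefs = Json.createArrayBuilder();
        for (Map.Entry<String, AtomicInteger> entry : this.statusService.getInvalidUrls().entrySet()) {
            hrefs.add(Json.createObjectBuilder()
                    .add("href", entry.getKey())
                    .add("times", entry.getValue().intValue())
                    .build());
        }
        try {
            // content type and charset must be set before getWriter(), which fixes the encoding;
            // the URLs may contain non-Latin characters and JSON is UTF-8 by definition
            httpServletResponse.setContentType("application/json");
            httpServletResponse.setCharacterEncoding(StandardCharsets.UTF_8.name());
            try (JsonWriter jsonWriter = Json.createWriter(httpServletResponse.getWriter())) {
                jsonWriter.writeObject(Json.createObjectBuilder().add("hrefs", hrefs.build()).build());
            }
        } catch (IOException e) {
            LOGGER.error("Unable to write JSON report for invalid URLs.", e);
        }
    }

    /**
     * Writes the "Active Configuration" tab: a status line naming the policy's origin, a download
     * button and the policy XML, HTML-escaped inside a {@code <pre class='prettyprint'>} block.
     * Nothing is written when no policy is active. The policy is read completely before any output
     * starts, so a read failure does not leave a half-written fragment behind.
     *
     * @param consoleRoot         the console mount path used to link the tab's own CSS/JS
     * @param httpServletResponse the response to write to
     */
    private void writeAntiSamyConfiguration(String consoleRoot, HttpServletResponse httpServletResponse) {
        httpServletResponse.setContentType("text/html");
        XSSFilterImpl.AntiSamyPolicy activePolicy = activePolicy();
        if (activePolicy == null) {
            return;
        }
        try {
            String policyXml;
            try (InputStream in = activePolicy.read()) {
                policyXml = IOUtils.toString(in, StandardCharsets.UTF_8);
            }
            PrintWriter writer = httpServletResponse.getWriter();
            writer.printf(SCRIPT_TAG, attributeValue(consoleRoot, RES_URI_CONFIG_JS));
            writer.write("<div id='config'>");
            writer.printf(LINK_TAG, attributeValue(consoleRoot, RES_URI_PRETTIFY_CSS));
            writer.printf(SCRIPT_TAG, attributeValue(consoleRoot, RES_URI_PRETTIFY_JS));
            writer.write("<p class='statline ui-state-highlight'>The current AntiSamy configuration ");
            if (activePolicy.isEmbedded()) {
                writer.write("is the default one embedded in the org.apache.sling.xss bundle.");
            } else {
                // a server-side value, but it lands in HTML, so escape it rather than trust it
                writer.printf("is loaded from %s.",
                        StringEscapeUtils.escapeHtml4(String.valueOf(activePolicy.getPath())));
            }
            writer.write("<button style='float:right' type='button' id='download-config'>Download</button></p>");
            writer.write("<pre class='prettyprint linenums'>");
            // the policy is XML: escape it so the browser displays it instead of parsing it
            writer.write(StringEscapeUtils.escapeHtml4(policyXml));
            writer.write("</pre>");
            writer.write("</div>");
        } catch (IOException e) {
            LOGGER.error("Unable to write the AntiSamy configuration tab.", e);
        }
    }

    /**
     * Copies one of the plugin's bundled static files to the response. Callers pass only file names
     * taken from the {@link #CSS_RESOURCES}/{@link #JS_RESOURCES} allow-lists, so the lookup is
     * confined to the bundle's {@code /webconsole} folder. A missing file is answered with 404
     * instead of an empty 200.
     *
     * @param httpServletResponse the response to write to
     * @param resourceName        the bare file name inside the resources folder
     * @param mimeType            the content type to declare
     */
    private void streamResource(HttpServletResponse httpServletResponse, String resourceName, String mimeType) {
        // Class.getResourceAsStream treats the leading '/' as "absolute" on any class loader,
        // whereas ClassLoader.getResourceAsStream only tolerates it on some loaders
        try (InputStream in = getClass().getResourceAsStream(INTERNAL_RESOURCES_FOLDER + "/" + resourceName)) {
            if (in == null) {
                LOGGER.warn("Bundled resource {} is missing.", resourceName);
                httpServletResponse.sendError(HttpServletResponse.SC_NOT_FOUND);
                return;
            }
            httpServletResponse.setContentType(mimeType);
            IOUtils.copy(in, httpServletResponse.getOutputStream());
        } catch (IOException e) {
            LOGGER.error("Unable to stream bundled resource {}.", resourceName, e);
        }
    }
}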
