package io.jenkins.plugins.extendedsecuritysettings;

import hudson.init.Initializer;
import hudson.util.PluginServletFilter;
import java.io.IOException;
import java.util.Collection;
import java.util.Collections;
import java.util.Locale;
import java.util.Set;
import java.util.stream.Collectors;
import javax.annotation.Nonnull;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import jenkins.model.Jenkins;
import org.apache.commons.lang.StringUtils;
import org.kohsuke.accmod.Restricted;
import org.kohsuke.accmod.restrictions.NoExternalUse;

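/**
 * Servlet filter that suppresses a configured set of HTTP response headers for callers
 * who do not hold {@code Jenkins.READ}.
 *
 * <p>The header names come from {@code ExtendedSecuritySettings.get().getHttpHeaderNames()}.
 * When the caller lacks the permission and the set is non-empty, the response is wrapped in a
 * {@link HeaderRemovingResponseWrapper}, which drops writes to those headers and hides them
 * from reads.
 *
 * <p>The response is only wrapped while it is not yet committed; once a response is committed
 * this filter passes it through unchanged.
 */
@Restricted({NoExternalUse.class})
/* loaded from: input_file:WEB-INF/lib/extended-security-settings.jar:io/jenkins/plugins/extendedsecuritysettings/UnauthorizedUserHttpHeaderRestrictionFilter.class */
public class UnauthorizedUserHttpHeaderRestrictionFilter implements Filter {

    /**
     * Response wrapper that ignores writes to, and hides reads of, a fixed set of header names.
     *
     * <p>Matching is case-insensitive: the supplied set must already be lower-cased, and each
     * incoming header name is lower-cased with {@link Locale#ENGLISH} before the lookup.
     *
     * <p>Every header-writing method of {@link HttpServletResponse} is overridden, including the
     * int and date variants. The stock {@link HttpServletResponseWrapper} forwards those straight
     * to the wrapped response, so leaving any of them out would let a restricted header through.
     */
    /* loaded from: input_file:WEB-INF/lib/extended-security-settings.jar:io/jenkins/plugins/extendedsecuritysettings/UnauthorizedUserHttpHeaderRestrictionFilter$HeaderRemovingResponseWrapper.class */
    private static class HeaderRemovingResponseWrapper extends HttpServletResponseWrapper {
        /** Lower-cased names of the headers that must not reach the client. */
        private final Set<String> headerNames;

        /**
         * @param httpServletResponse the response to wrap
         * @param set lower-cased header names to suppress
         */
        private HeaderRemovingResponseWrapper(@Nonnull HttpServletResponse httpServletResponse, @Nonnull Set<String> set) {
            super(httpServletResponse);
            this.headerNames = set;
            // Intended to clear values set before this wrapper was installed.
            // NOTE(review): what setHeader(name, null) does is container-specific; confirm that the
            // deployed servlet container removes the header rather than ignoring the call.
            for (String name : set) {
                httpServletResponse.setHeader(name, null);
            }
        }

        /** Returns {@code true} when {@code str} is not in the suppressed set (case-insensitive). */
        private boolean isHeaderAllowed(@Nonnull String str) {
            return !this.headerNames.contains(str.toLowerCase(Locale.ENGLISH));
        }

        @Override
        public boolean containsHeader(String str) {
            return isHeaderAllowed(str) && super.containsHeader(str);
        }

        @Override
        public void setHeader(String str, String str2) {
            if (isHeaderAllowed(str)) {
                super.setHeader(str, str2);
            }
        }

        @Override
        public void addHeader(String str, String str2) {
            if (isHeaderAllowed(str)) {
                super.addHeader(str, str2);
            }
        }

        // The int/date setters below close the gap left by filtering only the String variants:
        // a restricted header written through any of them must be dropped as well.

        @Override
        public void setIntHeader(String name, int value) {
            if (isHeaderAllowed(name)) {
                super.setIntHeader(name, value);
            }
        }

        @Override
        public void addIntHeader(String name, int value) {
            if (isHeaderAllowed(name)) {
                super.addIntHeader(name, value);
            }
        }

        @Override
        public void setDateHeader(String name, long date) {
            if (isHeaderAllowed(name)) {
                super.setDateHeader(name, date);
            }
        }

        @Override
        public void addDateHeader(String name, long date) {
            if (isHeaderAllowed(name)) {
                super.addDateHeader(name, date);
            }
        }

        @Override
        public String getHeader(String str) {
            if (isHeaderAllowed(str)) {
                return super.getHeader(str);
            }
            return null;
        }

        @Override
        public Collection<String> getHeaders(String str) {
            if (isHeaderAllowed(str)) {
                return super.getHeaders(str);
            }
            return Collections.emptySet();
        }

        @Override
        public Collection<String> getHeaderNames() {
            return super.getHeaderNames().stream().filter(this::isHeaderAllowed).collect(Collectors.toSet());
        }
    }

    /** Registers this filter with {@link PluginServletFilter} during Jenkins initialization. */
    @Initializer
    public static void initialize() throws ServletException {
        PluginServletFilter.addFilter(new UnauthorizedUserHttpHeaderRestrictionFilter());
    }

    /** No configuration is read from the filter config. */
    @Override
    public void init(FilterConfig filterConfig) {
    }

    /** Nothing to release. */
    @Override
    public void destroy() {
    }

    /**
     * Wraps the response when the caller lacks {@code Jenkins.READ} and at least one header name
     * is configured, then continues the chain.
     *
     * <p>If the incoming response is already an {@link HttpServletResponseWrapper}, the header
     * remover is spliced in beneath it (via {@code setResponse}) and the same outer wrapper is
     * passed on. Otherwise the response itself is wrapped.
     *
     * @throws IOException propagated from the rest of the chain
     * @throws ServletException propagated from the rest of the chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        ServletResponse effectiveResponse = servletResponse;
        if (isFilterableResponse(servletResponse) && !hasOverallRead()) {
            Set<String> filteredHeaderNames = getFilteredHeaderNames();
            if (!filteredHeaderNames.isEmpty()) {
                if (servletResponse instanceof HttpServletResponseWrapper) {
                    HttpServletResponseWrapper outerWrapper = (HttpServletResponseWrapper) servletResponse;
                    ServletResponse inner = outerWrapper.getResponse();
                    // Only the first wrapped level is inspected. If it is not a filterable HTTP
                    // response, the outer wrapper is forwarded without any header filtering.
                    if (isFilterableResponse(inner)) {
                        outerWrapper.setResponse(new HeaderRemovingResponseWrapper((HttpServletResponse) inner, filteredHeaderNames));
                    }
                } else {
                    effectiveResponse = new HeaderRemovingResponseWrapper((HttpServletResponse) servletResponse, filteredHeaderNames);
                }
            }
        }
        filterChain.doFilter(servletRequest, effectiveResponse);
    }

    /** Returns {@code true} for an HTTP response that has not been committed yet. */
    private static boolean isFilterableResponse(@Nonnull ServletResponse servletResponse) {
        return (servletResponse instanceof HttpServletResponse) && !servletResponse.isCommitted();
    }

    /**
     * Returns {@code true} when a Jenkins instance is available and the current caller holds
     * {@code Jenkins.READ}. Without an instance the caller is treated as unauthorized, so header
     * filtering stays active.
     */
    private static boolean hasOverallRead() {
        Jenkins instanceOrNull = Jenkins.getInstanceOrNull();
        return instanceOrNull != null && instanceOrNull.hasPermission(Jenkins.READ);
    }

    /**
     * Collects the configured header names, lower-cased with {@link Locale#ENGLISH}.
     *
     * @return the lower-cased, non-empty header names; an empty set when none are configured
     */
    @Nonnull
    private static Set<String> getFilteredHeaderNames() {
        Set<HttpHeaderName> httpHeaderNames = ExtendedSecuritySettings.get().getHttpHeaderNames();
        if (httpHeaderNames == null || httpHeaderNames.isEmpty()) {
            return Collections.emptySet();
        }
        return httpHeaderNames.stream()
                .map(HttpHeaderName::getHeaderName)
                .filter(StringUtils::isNotEmpty)
                .map(name -> name.toLowerCase(Locale.ENGLISH))
                .collect(Collectors.toSet());
    }
}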
