package org.camunda.bpm.webapp.impl.security.filter.headersec.provider.impl;

import jakarta.servlet.ServletContext;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ThreadLocalRandom;
import java.util.regex.Pattern;
import org.camunda.bpm.webapp.impl.security.filter.headersec.provider.HeaderSecurityProvider;
import org.camunda.bpm.webapp.impl.util.ServletFilterUtil;

/* loaded from: input_file:BOOT-INF/lib/camunda-webapp-jakarta-7.20.0-classes.jar:org/camunda/bpm/webapp/impl/security/filter/headersec/provider/impl/ContentSecurityPolicyProvider.class */
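/**
 * Provides the {@code Content-Security-Policy} response header.
 *
 * <p>The configured policy may contain the placeholder {@value #HEADER_NONCE_PLACEHOLDER};
 * every occurrence is replaced per call with a freshly generated {@code 'nonce-...'} source
 * expression, and the raw nonce is published on the {@link ServletContext} under
 * {@link #ATTR_CSP_FILTER_NONCE} so that page rendering can stamp it onto inline scripts.
 *
 * <p>Configuration is read from two init parameters: {@link #DISABLED_PARAM} (a boolean,
 * defaults to enabled) and {@link #VALUE_PARAM} (the policy string, defaults to
 * {@link #HEADER_DEFAULT_VALUE}).
 */
public class ContentSecurityPolicyProvider extends HeaderSecurityProvider {
    public static final String HEADER_NAME = "Content-Security-Policy";
    public static final String HEADER_NONCE_PLACEHOLDER = "$NONCE";
    // NOTE: with a nonce and 'strict-dynamic' present, CSP Level 3 browsers ignore the
    // 'unsafe-inline' and host-source ('self', https:) entries of script-src; those entries
    // only serve as a fallback for older browsers. 'unsafe-eval' stays in effect.
    public static final String HEADER_DEFAULT_VALUE = "base-uri 'self';script-src $NONCE 'strict-dynamic' 'unsafe-eval' https: 'self' 'unsafe-inline';style-src 'unsafe-inline' 'self';default-src 'self';img-src 'self' data:;block-all-mixed-content;form-action 'self';frame-ancestors 'none';object-src 'none';sandbox allow-forms allow-scripts allow-same-origin allow-popups allow-downloads";
    public static final String DISABLED_PARAM = "contentSecurityPolicyDisabled";
    public static final String VALUE_PARAM = "contentSecurityPolicyValue";
    public static final String ATTR_CSP_FILTER_NONCE = "org.camunda.bpm.csp.nonce";
    public static final Base64.Encoder ENCODER = Base64.getUrlEncoder().withoutPadding();

    /** Number of random bytes per nonce (160 bits, well above the 128-bit minimum commonly recommended). */
    private static final int NONCE_BYTES = 20;

    /**
     * CSPRNG for nonce generation. A CSP nonce is a security token: if an attacker can predict
     * it, an injected script can carry a valid nonce and the policy is bypassed. The previous
     * {@code ThreadLocalRandom} is not cryptographically secure; {@link SecureRandom} is, and it
     * is thread-safe, so one shared instance suffices.
     */
    private static final SecureRandom NONCE_RANDOM = new SecureRandom();

    /** Compiled once; used to collapse runs of whitespace in a configured policy value. */
    private static final Pattern WHITESPACE = Pattern.compile("\\s+");

    /**
     * Registers the init parameters this provider understands, without values.
     *
     * @return the shared init-parameter map, now containing {@link #VALUE_PARAM} and
     *         {@link #DISABLED_PARAM} mapped to {@code null}
     */
    @Override // org.camunda.bpm.webapp.impl.security.filter.headersec.provider.HeaderSecurityProvider
    public Map<String, String> initParams() {
        this.initParams.put(VALUE_PARAM, null);
        this.initParams.put(DISABLED_PARAM, null);
        return this.initParams;
    }

    /**
     * Reads the init parameters into the provider state.
     *
     * <p>An empty or missing {@link #DISABLED_PARAM} leaves the header enabled; any other value is
     * parsed with {@link Boolean#parseBoolean(String)}, so only the literal {@code "true"}
     * (case-insensitive) disables it. An empty or missing {@link #VALUE_PARAM} selects
     * {@link #HEADER_DEFAULT_VALUE}; otherwise the supplied policy is whitespace-normalized.
     */
    @Override // org.camunda.bpm.webapp.impl.security.filter.headersec.provider.HeaderSecurityProvider
    public void parseParams() {
        String disabledParam = this.initParams.get(DISABLED_PARAM);
        setDisabled(!ServletFilterUtil.isEmpty(disabledParam) && Boolean.parseBoolean(disabledParam));

        String valueParam = this.initParams.get(VALUE_PARAM);
        setValue(ServletFilterUtil.isEmpty(valueParam) ? HEADER_DEFAULT_VALUE : normalizeString(valueParam));
    }

    /**
     * Trims the value and collapses every run of whitespace into a single space, so a policy
     * spread over several lines in configuration becomes a single-line header value.
     *
     * @param str the raw configured policy; must not be {@code null}
     * @return the normalized policy
     */
    protected String normalizeString(String str) {
        return WHITESPACE.matcher(str.trim()).replaceAll(" ");
    }

    @Override // org.camunda.bpm.webapp.impl.security.filter.headersec.provider.HeaderSecurityProvider
    public String getHeaderName() {
        return HEADER_NAME;
    }

    /**
     * Builds the header value for one response, generating a fresh nonce each call.
     *
     * <p>The nonce is stored on the application-wide {@link ServletContext}, not on the request;
     * concurrent requests therefore overwrite each other's value. Whether the consumer reads the
     * attribute synchronously within the same filter chain is decided outside this class
     * (NOTE(review): confirm the reader runs in the same request).
     *
     * @param servletContext the context that receives the nonce under {@link #ATTR_CSP_FILTER_NONCE}
     * @return the configured policy with every {@value #HEADER_NONCE_PLACEHOLDER} replaced by
     *         {@code 'nonce-<value>'}
     */
    @Override // org.camunda.bpm.webapp.impl.security.filter.headersec.provider.HeaderSecurityProvider
    public String getHeaderValue(ServletContext servletContext) {
        String nonce = generateNonce();
        servletContext.setAttribute(ATTR_CSP_FILTER_NONCE, nonce);
        // Literal replacement: the placeholder contains '$', which a regex replacement would
        // otherwise treat as a group reference, and the nonce alphabet (base64url) is free of
        // '$' and '\', so the output is identical to the former replaceAll and cannot be
        // corrupted by a malformed replacement string.
        return this.value.replace(HEADER_NONCE_PLACEHOLDER, "'nonce-" + nonce + "'");
    }

    /**
     * Generates an unpredictable nonce from {@value #NONCE_BYTES} CSPRNG bytes, encoded as
     * unpadded base64url so it fits the CSP {@code nonce-} source grammar.
     *
     * @return the encoded nonce (27 characters for 20 bytes)
     */
    protected String generateNonce() {
        byte[] raw = new byte[NONCE_BYTES];
        NONCE_RANDOM.nextBytes(raw);
        return ENCODER.encodeToString(raw);
    }
}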
