package org.keycloak.headers;

import java.util.Collections;
import java.util.Map;
import javax.ws.rs.InternalServerErrorException;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.MultivaluedMap;
import org.jboss.logging.Logger;
import org.keycloak.models.BrowserSecurityHeaders;
import org.keycloak.models.ContentSecurityPolicyBuilder;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;

/* loaded from: input_file:BOOT-INF/lib/keycloak-services-11.0.2.jar:org/keycloak/headers/DefaultSecurityHeadersProvider.class */
/**
 * Default {@link SecurityHeadersProvider}: stamps the realm's configured browser
 * security headers onto every outgoing JAX-RS response.
 *
 * <p>Header values come from {@code RealmModel#getBrowserSecurityHeaders()} when a
 * realm is bound to the session context, otherwise from the per-header defaults in
 * {@link BrowserSecurityHeaders}. Which subset of headers is written depends on the
 * response's media type: JSON/XML ("REST"), HTML / form posts ("HTML", which also
 * gets a Content-Security-Policy assembled from {@link DefaultSecurityHeadersOptions}),
 * or a generic fallback set.
 *
 * <p>A response that carries no media type and is not on the allow-list in
 * {@link #isEmptyMediaTypeAllowed} is rejected with a 500 rather than sent; this is a
 * fail-closed guard against responses leaving without a known header set.
 *
 * <p>Not thread-safe: {@link #options()} lazily initialises a field without
 * synchronisation, which matches the original and assumes a per-request instance.
 */
public class DefaultSecurityHeadersProvider implements SecurityHeadersProvider {

    private static final Logger LOGGER = Logger.getLogger(DefaultSecurityHeadersProvider.class);

    /** Realm-level overrides keyed by {@link BrowserSecurityHeaders#getKey()}; may be empty, never null. */
    private final Map<String, String> headerValues;
    private final KeycloakSession session;
    /** Per-request tweaks; stays null until {@link #options()} is first called. */
    private DefaultSecurityHeadersOptions options;

    /**
     * Captures the session and snapshots the realm's header configuration.
     *
     * @param keycloakSession the current session; its context may or may not have a realm
     */
    public DefaultSecurityHeadersProvider(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
        RealmModel currentRealm = keycloakSession.getContext().getRealm();
        // No realm (e.g. a request outside any realm path) means no overrides: rely on defaults.
        this.headerValues = currentRealm == null
                ? Collections.<String, String>emptyMap()
                : currentRealm.getBrowserSecurityHeaders();
    }

    /**
     * Returns the mutable per-response options, creating them on first use.
     *
     * @return the options object shared by all later calls on this provider
     */
    @Override
    public SecurityHeadersOptions options() {
        DefaultSecurityHeadersOptions current = this.options;
        if (current == null) {
            current = new DefaultSecurityHeadersOptions();
            this.options = current;
        }
        return current;
    }

    /**
     * Adds the security headers appropriate for the response's media type.
     *
     * <p>Does nothing when the options ask to skip headers. Otherwise the response
     * media type (falling back to the request media type for the REST check) selects
     * one of the REST, HTML or generic header sets.
     *
     * @param containerRequestContext  the incoming request
     * @param containerResponseContext the response whose headers are mutated in place
     * @throws InternalServerErrorException if the response has no media type and that is
     *                                      not permitted by {@link #isEmptyMediaTypeAllowed}
     */
    @Override
    public void addHeaders(ContainerRequestContext containerRequestContext, ContainerResponseContext containerResponseContext) {
        if (this.options != null && this.options.isSkipHeaders()) {
            return;
        }
        MediaType requestType = containerRequestContext.getMediaType();
        MediaType responseType = containerResponseContext.getMediaType();
        MultivaluedMap<String, Object> responseHeaders = containerResponseContext.getHeaders();

        if (responseType == null && !isEmptyMediaTypeAllowed(containerRequestContext, containerResponseContext)) {
            // Fail closed: an untyped response outside the allow-list is a server bug, not something to pass through.
            String requestPath = this.session.getContext().getUri().getRequestUri().getPath();
            LOGGER.errorv("MediaType not set on path {0}, with response status {1}", requestPath, Integer.valueOf(containerResponseContext.getStatus()));
            throw new InternalServerErrorException();
        }

        if (isRest(requestType, responseType)) {
            addRestHeaders(responseHeaders);
        } else if (isHtml(requestType, responseType)) {
            addHtmlHeaders(responseHeaders);
        } else {
            addGenericHeaders(responseHeaders);
        }
    }

    /**
     * Fallback set for responses that are neither REST nor HTML. Unlike
     * {@link #addRestHeaders} this set does not include X-Frame-Options.
     */
    private void addGenericHeaders(MultivaluedMap<String, Object> responseHeaders) {
        putEach(responseHeaders,
                BrowserSecurityHeaders.STRICT_TRANSPORT_SECURITY,
                BrowserSecurityHeaders.X_CONTENT_TYPE_OPTIONS,
                BrowserSecurityHeaders.X_XSS_PROTECTION,
                BrowserSecurityHeaders.REFERRER_POLICY);
    }

    /** Header set for JSON/XML responses: the generic set plus X-Frame-Options. */
    private void addRestHeaders(MultivaluedMap<String, Object> responseHeaders) {
        putEach(responseHeaders,
                BrowserSecurityHeaders.STRICT_TRANSPORT_SECURITY,
                BrowserSecurityHeaders.X_FRAME_OPTIONS,
                BrowserSecurityHeaders.X_CONTENT_TYPE_OPTIONS,
                BrowserSecurityHeaders.X_XSS_PROTECTION,
                BrowserSecurityHeaders.REFERRER_POLICY);
    }

    /**
     * Header set for HTML responses: every {@link BrowserSecurityHeaders} entry, then a
     * Content-Security-Policy derived from the options.
     *
     * <p>The built CSP only replaces the header when the value currently present equals
     * the enum default, so a realm-configured CSP is left untouched. When any frame
     * ancestor is allowed, X-Frame-Options is dropped as well so the two mechanisms do
     * not contradict each other.
     */
    private void addHtmlHeaders(MultivaluedMap<String, Object> responseHeaders) {
        putEach(responseHeaders, BrowserSecurityHeaders.values());
        if (this.options == null) {
            return;
        }
        ContentSecurityPolicyBuilder csp = ContentSecurityPolicyBuilder.create();
        if (this.options.isAllowAnyFrameAncestor()) {
            responseHeaders.remove(BrowserSecurityHeaders.X_FRAME_OPTIONS.getHeaderName());
            csp.frameAncestors(null);
        }
        String frameSrc = this.options.getAllowedFrameSrc();
        if (frameSrc != null) {
            csp.frameSrc(frameSrc);
        }
        String cspHeaderName = BrowserSecurityHeaders.CONTENT_SECURITY_POLICY.getHeaderName();
        Object currentCsp = responseHeaders.getFirst(cspHeaderName);
        if (BrowserSecurityHeaders.CONTENT_SECURITY_POLICY.getDefaultValue().equals(currentCsp)) {
            responseHeaders.putSingle(cspHeaderName, csp.build());
        }
    }

    /** Applies {@link #addHeader} to each given header, in the order given. */
    private void putEach(MultivaluedMap<String, Object> responseHeaders, BrowserSecurityHeaders... headers) {
        for (BrowserSecurityHeaders header : headers) {
            addHeader(header, responseHeaders);
        }
    }

    /**
     * Writes one header using the realm override if present, else the enum default.
     * A null or empty value (either from the realm or the default) disables the header.
     */
    private void addHeader(BrowserSecurityHeaders header, MultivaluedMap<String, Object> responseHeaders) {
        String value = this.headerValues.getOrDefault(header.getKey(), header.getDefaultValue());
        boolean disabled = value == null || value.isEmpty();
        if (!disabled) {
            responseHeaders.putSingle(header.getHeaderName(), value);
        }
    }

    /**
     * Decides whether a response without a media type may be sent.
     *
     * <p>Never allowed when the response carries an entity. Otherwise allowed when the
     * options say so, for the status codes listed below (created / no-content, redirects
     * and common client errors), or for OPTIONS requests.
     */
    private boolean isEmptyMediaTypeAllowed(ContainerRequestContext containerRequestContext, ContainerResponseContext containerResponseContext) {
        if (containerResponseContext.hasEntity()) {
            return false;
        }
        if (this.options != null && this.options.isAllowEmptyContentType()) {
            return true;
        }
        switch (containerResponseContext.getStatus()) {
            case 201:
            case 204:
            case 301:
            case 302:
            case 303:
            case 307:
            case 308:
            case 400:
            case 401:
            case 403:
            case 404:
                return true;
            default:
                return containerRequestContext.getMethod().equalsIgnoreCase("OPTIONS");
        }
    }

    /** True for JSON or XML, judged on the response type, or the request type when the response has none. */
    private boolean isRest(MediaType requestType, MediaType responseType) {
        MediaType effective = responseType;
        if (effective == null) {
            effective = requestType;
        }
        return matches(effective, MediaType.APPLICATION_JSON_TYPE)
                || matches(effective, MediaType.APPLICATION_XML_TYPE);
    }

    /** True for a text/html response or a form-urlencoded request. */
    private boolean isHtml(MediaType requestType, MediaType responseType) {
        return matches(responseType, MediaType.TEXT_HTML_TYPE)
                || matches(requestType, MediaType.APPLICATION_FORM_URLENCODED_TYPE);
    }

    /**
     * Case-insensitive type/subtype comparison; parameters (e.g. charset) are ignored.
     * A null {@code actual} only matches a null {@code expected}.
     */
    private boolean matches(MediaType actual, MediaType expected) {
        if (actual == null) {
            return expected == null;
        }
        boolean sameType = actual.getType().equalsIgnoreCase(expected.getType());
        return sameType && actual.getSubtype().equalsIgnoreCase(expected.getSubtype());
    }
}
