package org.apache.hadoop.hbase.http;

import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseClassTestRule;
import org.apache.hadoop.hbase.testclassification.MediumTests;
import org.hamcrest.CoreMatchers;
import org.hamcrest.MatcherAssert;
import org.hamcrest.core.Is;
import org.hamcrest.core.IsEqual;
import org.junit.After;
import org.junit.ClassRule;
import org.junit.Test;
import org.junit.experimental.categories.Category;

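/**
 * Functional tests for the security-related response headers of the HBase HTTP server.
 *
 * <p>Each test starts a fresh test server from a {@link Configuration}, requests {@code /} and
 * checks the response headers. What the tests pin:
 * <ul>
 *   <li>with no header-specific configuration, {@code X-Content-Type-Options: nosniff} and
 *       {@code X-XSS-Protection: 1; mode=block} are sent, while
 *       {@code Strict-Transport-Security} and {@code Content-Security-Policy} are absent, so a
 *       deployment that wants HSTS or CSP has to configure them explicitly;</li>
 *   <li>configured HSTS, CSP and Referrer-Policy values are returned verbatim;</li>
 *   <li>with {@code hbase.http.servlet.default.dirAllowed=false} the root request is answered
 *       with 403 instead of 200.</li>
 * </ul>
 */
@Category({HttpServerFunctionalTest.class, MediumTests.class})
/* loaded from: input_file:org/apache/hadoop/hbase/http/TestSecurityHeadersFilter.class */
public class TestSecurityHeadersFilter {
    /** Configuration key toggled by every test; "true" yields 200 on "/", "false" yields 403. */
    private static final String DIR_ALLOWED_KEY = "hbase.http.servlet.default.dirAllowed";

    // Header names checked by the tests.
    private static final String X_CONTENT_TYPE_OPTIONS = "X-Content-Type-Options";
    private static final String X_XSS_PROTECTION = "X-XSS-Protection";
    private static final String STRICT_TRANSPORT_SECURITY = "Strict-Transport-Security";
    private static final String CONTENT_SECURITY_POLICY = "Content-Security-Policy";
    private static final String REFERRER_POLICY = "Referrer-Policy";

    /** Server under test; created per test method and stopped in {@link #tearDown()}. */
    private HttpServer http;

    @ClassRule
    public static final HBaseClassTestRule CLASS_RULE = HBaseClassTestRule.forClass(TestSecurityHeadersFilter.class);

    /**
     * Stops the server started by the test, if any.
     *
     * @throws Exception if stopping the server fails
     */
    @After
    public void tearDown() throws Exception {
        // The server is null when its creation failed; without this guard the resulting
        // NullPointerException would hide the failure that actually broke the test.
        if (this.http != null) {
            this.http.stop();
        }
    }

    /**
     * Verifies the headers sent when no header-specific configuration is present:
     * nosniff and XSS protection are on, HSTS and CSP are not sent.
     */
    @Test
    public void testDefaultValues() throws Exception {
        Configuration configuration = new Configuration();
        configuration.set(DIR_ALLOWED_KEY, "true");
        HttpURLConnection connection = startServerAndOpenRoot(configuration);
        try {
            MatcherAssert.assertThat(connection.getResponseCode(), CoreMatchers.equalTo(200));
            MatcherAssert.assertThat("Header 'X-Content-Type-Options' is missing", connection.getHeaderField(X_CONTENT_TYPE_OPTIONS), CoreMatchers.notNullValue());
            MatcherAssert.assertThat(connection.getHeaderField(X_CONTENT_TYPE_OPTIONS), CoreMatchers.equalTo("nosniff"));
            MatcherAssert.assertThat("Header 'X-XSS-Protection' is missing", connection.getHeaderField(X_XSS_PROTECTION), CoreMatchers.notNullValue());
            MatcherAssert.assertThat("Header 'X-XSS-Protection' has invalid value", connection.getHeaderField(X_XSS_PROTECTION), CoreMatchers.equalTo("1; mode=block"));
            // HSTS and CSP are opt-in: they must not appear unless a value is configured.
            MatcherAssert.assertThat("Header 'Strict-Transport-Security' should be missing from response,but it's present", connection.getHeaderField(STRICT_TRANSPORT_SECURITY), CoreMatchers.nullValue());
            MatcherAssert.assertThat("Header 'Content-Security-Policy' should be missing from response,but it's present", connection.getHeaderField(CONTENT_SECURITY_POLICY), CoreMatchers.nullValue());
        } finally {
            connection.disconnect();
        }
    }

    /**
     * Verifies that configured HSTS and CSP values are returned unchanged in the response.
     */
    @Test
    public void testHstsAndCspSettings() throws IOException {
        String hstsValue = "max-age=63072000;includeSubDomains;preload";
        // Fixture only: this policy allows 'unsafe-inline' and 'unsafe-eval', so it is not a
        // hardening recommendation. The test checks pass-through of the configured string,
        // not the strength of the policy.
        String cspValue = "default-src https: data: 'unsafe-inline' 'unsafe-eval'";

        Configuration configuration = new Configuration();
        configuration.set("hbase.http.filter.hsts.value", hstsValue);
        configuration.set("hbase.http.filter.csp.value", cspValue);
        configuration.set(DIR_ALLOWED_KEY, "true");
        HttpURLConnection connection = startServerAndOpenRoot(configuration);
        try {
            MatcherAssert.assertThat(connection.getResponseCode(), CoreMatchers.equalTo(200));
            MatcherAssert.assertThat("Header 'Strict-Transport-Security' is missing from Rest response", connection.getHeaderField(STRICT_TRANSPORT_SECURITY), CoreMatchers.notNullValue());
            MatcherAssert.assertThat("Header 'Strict-Transport-Security' has invalid value", connection.getHeaderField(STRICT_TRANSPORT_SECURITY), CoreMatchers.equalTo(hstsValue));
            MatcherAssert.assertThat("Header 'Content-Security-Policy' is missing from Rest response", connection.getHeaderField(CONTENT_SECURITY_POLICY), CoreMatchers.notNullValue());
            MatcherAssert.assertThat("Header 'Content-Security-Policy' has invalid value", connection.getHeaderField(CONTENT_SECURITY_POLICY), CoreMatchers.equalTo(cspValue));
        } finally {
            connection.disconnect();
        }
    }

    /**
     * Verifies that a configured Referrer-Policy value is returned unchanged in the response.
     */
    @Test
    public void testReferrerPolicySettings() throws IOException {
        Configuration configuration = new Configuration();
        configuration.set("hbase.http.filter.referrerpolicy.value", "no-referrer");
        configuration.set(DIR_ALLOWED_KEY, "true");
        HttpURLConnection connection = startServerAndOpenRoot(configuration);
        try {
            MatcherAssert.assertThat(connection.getResponseCode(), CoreMatchers.equalTo(200));
            MatcherAssert.assertThat("Header 'Referrer-Policy' is missing from response", connection.getHeaderField(REFERRER_POLICY), CoreMatchers.notNullValue());
            MatcherAssert.assertThat("Header 'Referrer-Policy' has invalid value", connection.getHeaderField(REFERRER_POLICY), CoreMatchers.equalTo("no-referrer"));
        } finally {
            connection.disconnect();
        }
    }

    /**
     * Verifies that the root request is rejected with 403 when
     * {@code hbase.http.servlet.default.dirAllowed} is {@code false}.
     */
    @Test
    public void testDirectoryNotAllowed() throws Exception {
        Configuration configuration = new Configuration();
        configuration.set(DIR_ALLOWED_KEY, "false");
        HttpURLConnection connection = startServerAndOpenRoot(configuration);
        try {
            MatcherAssert.assertThat(connection.getResponseCode(), CoreMatchers.equalTo(403));
        } finally {
            connection.disconnect();
        }
    }

    /**
     * Creates and starts the test server for {@code configuration}, stores it in {@link #http}
     * so that {@link #tearDown()} can stop it, and opens a connection to the server root.
     *
     * @param configuration settings the test server is created with
     * @return a connection to {@code /} on the started server; no request has been sent yet
     * @throws IOException if the server cannot be created or started, or the connection
     *     cannot be opened
     */
    private HttpURLConnection startServerAndOpenRoot(Configuration configuration) throws IOException {
        this.http = HttpServerFunctionalTest.createTestServer(configuration);
        this.http.start();
        URL serverUrl = HttpServerFunctionalTest.getServerURL(this.http);
        return (HttpURLConnection) new URL(serverUrl, "/").openConnection();
    }
}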
