package ch.usp.core.waap.spec.v1.render.crs;

import ch.usp.core.waap.spec.v1.render.crs.rule.custom.CustomRulesWriter;
import ch.usp.core.waap.spec.v1.render.crs.rule.except.RuleExceptionWriter;
import ch.usp.core.waap.spec.v1.render.crs.util.HumanReadableByteSizesParser;
import ch.usp.core.waap.spec.v1.spec.WaapSpec;
import ch.usp.core.waap.spec.v1.spec.crs.RequestRuleSetAll;
import ch.usp.core.waap.spec.v1.spec.crs.WaapCrs;
import ch.usp.core.waap.spec.v1.spec.crs.WaapCrsRequestBodyAccessException;
import java.util.Collection;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Objects;
import java.util.TreeSet;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.apache.commons.io.FileUtils;

/* loaded from: input_file:ch/usp/core/waap/spec/v1/render/crs/WaapToCorazaDirectives.class */
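/**
 * Renders a {@link WaapSpec} into the ordered list of Coraza directives that configure the
 * OWASP Core Rule Set (CRS) for that spec: engine and audit-log setup, anomaly-score
 * thresholds derived from the security level, paranoia level, request/response body access
 * and limits, body-access exceptions, XML/JSON body processors, rule exceptions, rule-set
 * includes and the rule removals that turn blocking off in detect-only mode.
 *
 * <p>Rule ids for the directives generated here are handed out sequentially starting at
 * {@link #INIT_RULE_ID} and reset on every call to {@link #waapToCoraza(WaapSpec)}; the
 * counter is instance state, so one instance must not be used concurrently.
 */
public class WaapToCorazaDirectives {
    /** First id of the rules generated directly by this class; the counter restarts here per render. */
    private static final int INIT_RULE_ID = 100000;
    /** Start id handed to {@link RuleExceptionWriter}; ids generated here must stay below it. */
    private static final int START_EXCEPTIONS_RULE_ID = 200000;
    /** Inclusive id range handed to {@link CustomRulesWriter}. */
    private static final int START_CUSTOM_RULE_ID = 300000;
    private static final int END_CUSTOM_RULE_ID = 399999;
    public static final int SECURITY_LEVEL_MIN = 1;
    public static final int SECURITY_LEVEL_MAX = 5;
    public static final int PARANOIA_LEVEL_MIN = 1;
    public static final int PARANOIA_LEVEL_MAX = 4;
    /**
     * Anomaly-score thresholds are "allowed critical issues" times these per-direction factors
     * (presumably mirroring the CRS default scores: critical = 5 inbound, error = 4 outbound).
     */
    private static final int CRITICAL_ISSUES_MULTIPLIER_FOR_INBOUND = 5;
    private static final int CRITICAL_ISSUES_MULTIPLIER_FOR_OUTBOUND = 4;
    /** Allowed critical issues per security level, indexed by {@code securityLevel - SECURITY_LEVEL_MIN}. */
    private static final int[] ALLOWED_CRITICAL_ISSUES_PER_SECURITY_LEVEL = {10, 5, 3, 2, 1};
    /** Hard caps applied on top of the body limits configured in the spec. */
    private static final long REQ_BODY_LIMIT_MAX = HumanReadableByteSizesParser.toBytesAsLong("1Gb");
    private static final long RESP_BODY_LIMIT_MAX = HumanReadableByteSizesParser.toBytesAsLong("1Gb");
    /** Next rule id to hand out; see {@link #nextRuleId()}. */
    private int ruleId;

    /**
     * Renders all directives for {@code waapSpec}.
     *
     * <p>The order of the sections is significant and is kept as: engine setup, threshold and
     * paranoia {@code setvar} actions, body handling, rule exceptions, rule-set includes and
     * finally the detect-only rule removals.
     *
     * @param waapSpec the spec to render; must not be null
     * @return a new, mutable list of directive lines in the order Coraza must read them
     * @throws IllegalArgumentException if the security or paranoia level is out of range
     */
    public List<String> waapToCoraza(WaapSpec waapSpec) {
        Objects.requireNonNull(waapSpec, "waapSpec");
        WaapCrs crs = waapSpec.getCrs();
        List<String> directives = new LinkedList<>();
        directives.add("SecRuleEngine On");
        directives.add("SecAuditLogFormat USP_AutoLearn_v1");
        directives.add("Include @crs-setup-conf");
        initRuleId();
        addSecurityLevelDirectives(crs, directives);
        addParanoiaLevelDirectives(crs, directives);
        addRequestBodyAccessAndLimitDirectives(crs, directives);
        addRequestBodyAccessExceptionDirectives(crs, directives);
        addParseAndValidateXmlAndJsonDirectives(crs, directives);
        addResponseBodyAccessAndLimitDirectives(crs, waapSpec.isWebsocket(), directives);
        addRuleExceptions(crs, directives);
        addRuleSetIncludes(crs, directives);
        addOnlyDetectIfConfiguredDirectives(crs, directives);
        return directives;
    }

    /**
     * Emits the {@code SecAction} that sets the inbound/outbound anomaly-score thresholds for the
     * configured security level (higher level = fewer allowed critical issues = lower threshold).
     *
     * @throws IllegalArgumentException if the level is outside {@code SECURITY_LEVEL_MIN..SECURITY_LEVEL_MAX}
     */
    private void addSecurityLevelDirectives(WaapCrs waapCrs, List<String> directives) {
        int securityLevel = waapCrs.getSecurityLevel();
        if (securityLevel < SECURITY_LEVEL_MIN || securityLevel > SECURITY_LEVEL_MAX) {
            throw new IllegalArgumentException("securityLevel must be " + SECURITY_LEVEL_MIN + "-" + SECURITY_LEVEL_MAX
                    + " but is set to " + securityLevel);
        }
        int allowedCriticalIssues = ALLOWED_CRITICAL_ISSUES_PER_SECURITY_LEVEL[securityLevel - SECURITY_LEVEL_MIN];
        int inboundThreshold = allowedCriticalIssues * CRITICAL_ISSUES_MULTIPLIER_FOR_INBOUND;
        int outboundThreshold = allowedCriticalIssues * CRITICAL_ISSUES_MULTIPLIER_FOR_OUTBOUND;
        directives.add("SecAction \"id:" + nextRuleId()
                + ",phase:1,nolog,pass,t:none"
                + ",setvar:tx.inbound_anomaly_score_threshold=" + inboundThreshold
                + ",setvar:tx.outbound_anomaly_score_threshold=" + outboundThreshold
                + ",setvar:tx.inbound_blocked=false,setvar:tx.outbound_blocked=false"
                + ",setvar:tx.crs_setup_version=4.3.0\"");
    }

    /**
     * Emits the {@code SecAction}s that set the CRS detection and blocking paranoia levels (both
     * to the same configured value).
     *
     * @throws IllegalArgumentException if the level is outside {@code PARANOIA_LEVEL_MIN..PARANOIA_LEVEL_MAX}
     */
    private void addParanoiaLevelDirectives(WaapCrs waapCrs, List<String> directives) {
        int paranoiaLevel = waapCrs.getParanoiaLevel();
        if (paranoiaLevel < PARANOIA_LEVEL_MIN || paranoiaLevel > PARANOIA_LEVEL_MAX) {
            throw new IllegalArgumentException("paranoiaLevel must be " + PARANOIA_LEVEL_MIN + "-" + PARANOIA_LEVEL_MAX
                    + " but is set to " + paranoiaLevel);
        }
        directives.add("SecAction \"id:" + nextRuleId() + ",phase:1,pass,nolog,t:none,setvar:tx.detection_paranoia_level=" + paranoiaLevel + "\"");
        directives.add("SecAction \"id:" + nextRuleId() + ",phase:1,pass,nolog,t:none,setvar:tx.blocking_paranoia_level=" + paranoiaLevel + "\"");
    }

    /**
     * Turns request body inspection on or off and, when on, caps the buffered size at the
     * configured KiB limit (bounded by {@link #REQ_BODY_LIMIT_MAX}).
     */
    private void addRequestBodyAccessAndLimitDirectives(WaapCrs waapCrs, List<String> directives) {
        if (!waapCrs.isRequestBodyAccess()) {
            directives.add("SecRequestBodyAccess off");
            return;
        }
        directives.add("SecRequestBodyAccess on");
        directives.add("SecRequestBodyLimit " + boundedBodyLimit(waapCrs.getRequestBodyLimitKb(), REQ_BODY_LIMIT_MAX));
        // ProcessPartial: bodies above the limit are inspected up to the limit rather than rejected.
        directives.add("SecRequestBodyLimitAction ProcessPartial");
    }

    /**
     * Converts a KiB limit to bytes and caps it at {@code maxBytes}.
     *
     * <p>NOTE(review): values of 0 or below are passed through unchanged, which would render a
     * non-positive limit — confirm the spec validates the limit upstream.
     */
    private static long boundedBodyLimit(long limitKb, long maxBytes) {
        return Math.min(limitKb * FileUtils.ONE_KB, maxBytes);
    }

    /** Emits one chained rule pair per configured request-body-access exception. */
    private void addRequestBodyAccessExceptionDirectives(WaapCrs waapCrs, List<String> directives) {
        for (WaapCrsRequestBodyAccessException exception : waapCrs.getRequestBodyAccessExceptions()) {
            addRequestBodyAccessExceptionDirectives(exception, directives);
        }
    }

    /**
     * Emits a two-rule chain that disables request body access for requests whose path matches
     * the exception's location ({@code @rx} for regex locations, {@code @beginsWith} otherwise)
     * and whose method is one of the exception's methods.
     *
     * <p>NOTE(review): the location is spliced verbatim between double quotes; a value containing
     * {@code "} (or, for {@code @rx}, unintended regex metacharacters) would alter the generated
     * directive — confirm it is validated upstream. An empty methods list yields {@code @rx ()},
     * which matches every method.
     */
    private void addRequestBodyAccessExceptionDirectives(WaapCrsRequestBodyAccessException exception, List<String> directives) {
        String locationOperator = exception.isRegEx() ? "@rx" : "@beginsWith";
        String methodsAlternation = exception.getMethods().stream()
                .map(method -> method.name())
                .collect(Collectors.joining("|"));
        directives.add("SecRule REQUEST_FILENAME \"" + locationOperator + " " + exception.getLocation()
                + "\" \"id:" + nextRuleId() + ",phase:1,pass,nolog,chain\"");
        directives.add("SecRule REQUEST_METHOD \"@rx (" + methodsAlternation + ")\" \"ctl:requestBodyAccess=off\"");
    }

    /**
     * Selects the XML/JSON request body processors by Content-Type and, if configured, emits a
     * phase-2 rule that reacts to body parse errors (deny in BLOCK mode, pass otherwise).
     * Nothing is emitted when request body access is off.
     *
     * <p>NOTE(review): the parse-error rule keys on {@code REQBODY_ERROR}, which is not specific
     * to JSON — with XML parsing enabled it presumably fires for XML parse failures too; confirm
     * that is intended. Its action list contains a space after the first comma
     * ({@code ", phase:2"}), kept as-is; confirm the directive parser tolerates it.
     */
    private void addParseAndValidateXmlAndJsonDirectives(WaapCrs waapCrs, List<String> directives) {
        if (!waapCrs.isRequestBodyAccess()) {
            return;
        }
        if (waapCrs.isParseXml()) {
            directives.add("SecRule REQUEST_HEADERS:Content-Type \"text/xml\" \"id:" + nextRuleId() + ",phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=XML\"");
        }
        if (waapCrs.isParseJson()) {
            directives.add("SecRule REQUEST_HEADERS:Content-Type \"application/json\" \"id:" + nextRuleId() + ",phase:1,t:none,t:lowercase,pass,nolog,ctl:requestBodyProcessor=JSON\"");
        }
        if (waapCrs.isValidateJson()) {
            String disposition = waapCrs.getMode() == WaapCrs.Mode.BLOCK ? "deny" : "pass";
            directives.add("SecRule REQBODY_ERROR \"!@eq 0\" \"id:" + nextRuleId() + ", phase:2,t:none,log," + disposition
                    + ",status:400,msg:'Failed to parse request body.',logdata:'%{reqbody_error_msg}',severity:2\"");
        }
    }

    /**
     * Turns response body inspection on only when response rules are enabled; when on, restricts
     * it to text/JSON MIME types, caps the buffered size, and for websocket services switches
     * body access off once the connection is upgraded (Upgrade header plus status 101).
     *
     * @param websocket whether the spec describes a websocket service
     */
    private void addResponseBodyAccessAndLimitDirectives(WaapCrs waapCrs, boolean websocket, List<String> directives) {
        if (waapCrs.getEnabledResponseRules().isEmpty()) {
            directives.add("SecResponseBodyAccess off");
            return;
        }
        directives.add("SecResponseBodyAccess on");
        directives.add("SecResponseBodyMimeType text/plain text/html text/xml application/json");
        directives.add("SecResponseBodyLimit " + boundedBodyLimit(waapCrs.getResponseBodyLimitKb(), RESP_BODY_LIMIT_MAX));
        directives.add("SecResponseBodyLimitAction ProcessPartial");
        if (websocket) {
            directives.add("SecRule RESPONSE_HEADERS:Upgrade \"@streq websocket\" \"id:" + nextRuleId() + ",phase:3,nolog,t:lowercase,chain\"");
            directives.add("SecRule RESPONSE_STATUS \"@streq 101\" \"ctl:responseBodyAccess=off\"");
        }
    }

    /**
     * Removes the CRS blocking-evaluation rules when the mode is DETECT or when the respective
     * direction has no enabled rules, so the engine scores and logs but never blocks.
     * 949110/949111 belong to the REQUEST-949-BLOCKING-EVALUATION set included in
     * {@link #addRuleSetIncludes}; 959100/959101 are presumably its response-side counterpart.
     */
    private void addOnlyDetectIfConfiguredDirectives(WaapCrs waapCrs, List<String> directives) {
        boolean detectOnly = waapCrs.getMode() == WaapCrs.Mode.DETECT;
        if (detectOnly || waapCrs.getEffectivelyEnabledRequestRules().isEmpty()) {
            directives.add("SecRuleRemoveByID 949110");
            directives.add("SecRuleRemoveByID 949111");
        }
        if (detectOnly || waapCrs.getEnabledResponseRules().isEmpty()) {
            directives.add("SecRuleRemoveByID 959100");
            directives.add("SecRuleRemoveByID 959101");
        }
    }

    /** Appends the rule-exception directives produced by {@link RuleExceptionWriter} (ids from {@link #START_EXCEPTIONS_RULE_ID}). */
    private void addRuleExceptions(WaapCrs waapCrs, List<String> directives) {
        directives.addAll(new RuleExceptionWriter(waapCrs, START_EXCEPTIONS_RULE_ID).writeRuleExceptions());
    }

    /**
     * Emits one {@code Include} per enabled request rule set and then per enabled response rule
     * set, each set being the always-enabled ones plus those enabled in the spec, in natural
     * (sorted) order. The custom request rules are inserted directly before the
     * REQUEST-949-BLOCKING-EVALUATION include, presumably so their anomaly scores are counted
     * by the blocking evaluation.
     */
    private void addRuleSetIncludes(WaapCrs waapCrs, List<String> directives) {
        TreeSet<RequestRuleSetAll> requestRuleSets = enabledRuleSets(
                WaapCrs.ALWAYS_ENABLED_REQUEST_RULE_SETS_ALL,
                waapCrs.getEffectivelyEnabledRequestRules().stream().map(rule -> rule.getInner()));
        for (RequestRuleSetAll ruleSet : requestRuleSets) {
            if (ruleSet == RequestRuleSetAll.REQUEST_949_BLOCKING_EVALUATION) {
                addCustomRequestRules(waapCrs, directives);
            }
            directives.add("Include @owasp_crs/" + ruleSet.getRuleSetName() + ".conf");
        }
        enabledRuleSets(
                WaapCrs.ALWAYS_ENABLED_RESPONSE_RULE_SETS_ALL,
                waapCrs.getEnabledResponseRules().stream().map(rule -> rule.getInner()))
                .forEach(ruleSet -> directives.add("Include @owasp_crs/" + ruleSet.getRuleSetName() + ".conf"));
    }

    /**
     * Sorted union of the always-enabled rule sets and the ones enabled in the spec. The
     * {@link TreeSet} fixes the include order by natural ordering regardless of how the spec
     * lists the rules.
     */
    private static <T> TreeSet<T> enabledRuleSets(Collection<? extends T> alwaysEnabled, Stream<? extends T> enabledInSpec) {
        TreeSet<T> union = new TreeSet<>(alwaysEnabled);
        enabledInSpec.forEach(union::add);
        return union;
    }

    /** Appends the custom rule directives produced by {@link CustomRulesWriter} (ids {@link #START_CUSTOM_RULE_ID}..{@link #END_CUSTOM_RULE_ID}). */
    private void addCustomRequestRules(WaapCrs waapCrs, List<String> directives) {
        directives.addAll(new CustomRulesWriter(waapCrs, START_CUSTOM_RULE_ID, END_CUSTOM_RULE_ID).writeCustomRuleDirectives());
    }

    /** Restarts the rule-id counter at {@link #INIT_RULE_ID} for a new render. */
    private void initRuleId() {
        this.ruleId = INIT_RULE_ID;
    }

    /**
     * Returns the next rule id for a directive generated by this class.
     *
     * @throws IllegalStateException if the id would reach {@link #START_EXCEPTIONS_RULE_ID} and
     *     thus collide with the range used by the rule-exception writer
     */
    private int nextRuleId() {
        if (this.ruleId >= START_EXCEPTIONS_RULE_ID) {
            throw new IllegalStateException("generated rule ids exhausted the range " + INIT_RULE_ID + "-" + (START_EXCEPTIONS_RULE_ID - 1));
        }
        return this.ruleId++;
    }
}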
