001/*
002 * Licensed to the Apache Software Foundation (ASF) under one or more
003 * contributor license agreements.  See the NOTICE file distributed with
004 * this work for additional information regarding copyright ownership.
005 * The ASF licenses this file to You under the Apache License, Version 2.0
006 * (the "License"); you may not use this file except in compliance with
007 * the License.  You may obtain a copy of the License at
008 *
009 *      http://www.apache.org/licenses/LICENSE-2.0
010 *
011 * Unless required by applicable law or agreed to in writing, software
012 * distributed under the License is distributed on an "AS IS" BASIS,
013 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
014 * See the License for the specific language governing permissions and
015 * limitations under the License.
016 */
017package org.apache.wicket.coep;
018
019import org.apache.wicket.Application;
020import org.apache.wicket.protocol.http.WebApplication;
021import org.apache.wicket.util.lang.Args;
022
023import java.util.Arrays;
024import java.util.HashSet;
025import java.util.Set;
026
027/**
028 * Specifies the configuration for Cross-Origin Embedder Policy to be used for
029 * {@link CrossOriginEmbedderPolicyRequestCycleListener}. Users can specify the paths that should be exempt from COEP and
030 * one of 3 modes (<code>REPORTING, ENFORCING, DISABLED</code>) for the policy. The config object
031 * lives in {@link org.apache.wicket.settings.SecuritySettings}; users can specify their COEP
032 * preferences with the following lines in their application's {@link WebApplication#init()} method:
033 *
034 * <pre>
035 * &#064;Override
036 * protected void init()
037 * {
038 *      // ...
039 *      getSecuritySettings().setCrossOriginEmbedderPolicyConfiguration(CoepMode.REPORTING,
040 *              "EXEMPTED PATHS");
041 *      // ...
042 * }
043 * </pre>
044 *
045 * The config value will be read once at startup in {@link Application#initApplication()}; changing
046 * the configuration at runtime will have no effect on the COEP headers set.
047 * 
048 * @author Santiago Diaz - saldiaz@google.com
049 * @author Ecenaz Jen Ozmen - ecenazo@google.com
050 *
051 * @see CrossOriginEmbedderPolicyRequestCycleListener
052 * @see org.apache.wicket.settings.SecuritySettings
053 */
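public class CrossOriginEmbedderPolicyConfiguration
{
        /**
         * Operating mode of the policy. Each constant carries the name of the HTTP response header
         * that belongs to it.
         */
        public enum CoepMode
        {
                /** Policy is enforced; uses the <code>Cross-Origin-Embedder-Policy</code> header. */
                ENFORCING("Cross-Origin-Embedder-Policy"),
                /**
                 * Uses the <code>Cross-Origin-Embedder-Policy-Report-Only</code> header, which
                 * browsers treat as report-only: violations are reported, nothing is blocked.
                 */
                REPORTING("Cross-Origin-Embedder-Policy-Report-Only"),
                /** Policy is off; the header name is the empty string. */
                DISABLED("");

                /** Name of the response header for this mode (empty for {@link #DISABLED}). */
                final String header;

                CoepMode(String header)
                {
                        this.header = header;
                }
        }

        // Paths for which the COEP header is not wanted. Every entry weakens the policy for that
        // path, so the set should stay as small as possible.
        private final Set<String> exemptions = new HashSet<>();
        private final CoepMode mode;

        /**
         * Creates a configuration with the given mode and exempted paths.
         *
         * @param mode
         *            the policy mode, must not be <code>null</code>
         * @param exemptions
         *            paths to exempt from COEP; a <code>null</code> array is treated as "no
         *            exemptions"
         */
        public CrossOriginEmbedderPolicyConfiguration(CoepMode mode, String... exemptions)
        {
                // Validate the mode first so that a bad argument is reported before any state is
                // touched.
                this.mode = Args.notNull(mode, "mode");
                // An explicit null varargs array used to fail inside Arrays.asList with a bare
                // NullPointerException; falling back to an empty set keeps the stricter policy.
                if (exemptions != null)
                {
                        this.exemptions.addAll(Arrays.asList(exemptions));
                }
        }

        /**
         * Creates a configuration with the given mode and no exempted paths.
         *
         * @param mode
         *            the policy mode, must not be <code>null</code>
         */
        public CrossOriginEmbedderPolicyConfiguration(CoepMode mode)
        {
                this.mode = Args.notNull(mode, "mode");
        }

        /**
         * Returns the exempted paths.
         * <p>
         * This is the live backing set, not a copy: changes made through the returned reference
         * change this configuration. The set is a plain {@link HashSet} with no synchronization in
         * this class. NOTE(review): how and when the paths are matched is decided by
         * {@link CrossOriginEmbedderPolicyRequestCycleListener}, which is not visible here; confirm
         * that nothing mutates the set while requests are being served.
         *
         * @return the mutable set of exempted paths, never <code>null</code>
         */
        public Set<String> getExemptions()
        {
                return exemptions;
        }

        /**
         * @return the configured mode, never <code>null</code>
         */
        public CoepMode getMode()
        {
                return mode;
        }

        /**
         * Returns the name of the response header for the configured mode.
         * <p>
         * For {@link CoepMode#DISABLED} this is the empty string, which is not a usable header name;
         * callers should check {@link #isEnabled()} before setting a header.
         *
         * @return the header name, or <code>""</code> when the policy is disabled
         */
        public String getCoepHeader()
        {
                return mode.header;
        }

        /**
         * Adds a path to the set of paths exempted from COEP.
         * <p>
         * Intended for use while the application is being initialised; the class documentation
         * states that the configuration is read once at startup.
         *
         * @param path
         *            the path to exempt
         * @return this configuration, for chaining
         */
        public CrossOriginEmbedderPolicyConfiguration addExemptedPath(String path)
        {
                exemptions.add(path);
                return this;
        }

        /**
         * @return <code>true</code> unless the mode is {@link CoepMode#DISABLED}
         */
        public boolean isEnabled()
        {
                return mode != CoepMode.DISABLED;
        }
}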