# frozen_string_literal: true

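# Handle violations from the Content Security Policy
#
# Browsers POST violation reports to this endpoint (the target of the CSP
# `report-uri` directive) with a body of media type `application/csp-report`,
# which Rails does not decode as JSON, so the body is parsed by hand below.
# The endpoint is unauthenticated and the body is entirely client-controlled:
# nothing in a report is trusted beyond being normalised and logged.
class CspViolationsController < ApplicationController
  # The browser sends the report without a CSRF token, so the check has to be
  # skipped. The action only logs, so there is no state change for CSRF to
  # protect.
  skip_before_action :verify_authenticity_token

  # Log the violation report carried in the request body and acknowledge it.
  #
  # Responds 200 for any JSON object body, including one without a usable
  # "csp-report" member (which is ignored), and 400 when the body is not
  # valid JSON or is not a JSON object, instead of letting the parse error or
  # a NoMethodError on a non-hash root surface as a 500.
  def create
    report_base = parse_report_body
    return head :bad_request unless report_base

    report = report_base["csp-report"]
    # A non-object "csp-report" value (null, string, array, number) would raise
    # inside build_content_security_message; treat it as "no report".
    if report.is_a?(Hash)
      message = build_content_security_message(report)

      log_csp_report_violation(message)

<% if rollbar? -%>

      Rollbar.warning("csp-violation", message) unless ENV["ROLLBAR_ACCESS_TOKEN"].blank?

<% end -%>

    end
    head :ok
  end

  private

  # Decode the request body as a JSON object.
  #
  # @return [Hash, nil] the decoded object, or nil when the body is not valid
  #   JSON or decodes to something other than an object
  def parse_report_body
    parsed = JSON.parse(request.body.read)
    parsed if parsed.is_a?(Hash)
  rescue JSON::ParserError
    nil
  end

  # Emit the normalised report as a single JSON line in Lograge format.
  #
  # Every report field and the User-Agent header are client-supplied; the
  # request id and the timestamp are the only server-side facts in the line.
  #
  # @param message [Hash] the hash returned by build_content_security_message
  # @return [void]
  def log_csp_report_violation(message)
    # Post message using Lograge format
    Rails.logger.warn message.merge(
      "@timestamp" => ::Time.now.utc,
      type: "csp-report",
      request_id: request.request_id,
      user_agent: request.headers["User-Agent"]
    ).to_json
  end

  # rubocop:disable Metrics/AbcSize, Metrics/MethodLength

  # Normalise the fields of a browser CSP report into a flat, symbol-keyed hash.
  #
  # URI and directive values are lower-cased when present; a value of an
  # unexpected type (anything without #downcase) becomes nil via `try`.
  # `status-code` is coerced through #to_s so that a missing, blank, or
  # non-numeric value yields 0 rather than raising on #to_i.
  #
  # The whole report is kept under :raw_report. It is client-controlled and
  # unbounded in size, and its "document-uri"/"referrer" members may carry
  # query strings. NOTE(review): confirm the log pipeline (and Rollbar, when
  # enabled) should receive it verbatim.
  #
  # @param report [Hash] the "csp-report" member of the posted JSON object
  # @return [Hash{Symbol => Object}]
  def build_content_security_message(report)
    {
      blocked_uri: report["blocked-uri"].try(:downcase),
      disposition: report["disposition"].try(:downcase),
      document_uri: report["document-uri"],
      effective_directive: report["effective-directive"].try(:downcase),
      violated_directive: report["violated-directive"].try(:downcase),
      referrer: report["referrer"].try(:downcase),
      status_code: report["status-code"].to_s.to_i,
      raw_report: report
    }
  end
  # rubocop:enable Metrics/AbcSize, Metrics/MethodLength
end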