package com.google.gerrit.httpd.restapi;

import com.google.common.base.Joiner;
import com.google.common.base.Splitter;
import com.google.common.base.Strings;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterables;
import com.google.common.net.HttpHeaders;
import com.google.gerrit.common.Nullable;
import com.google.gerrit.extensions.restapi.BadRequestException;
import com.google.gerrit.util.http.CacheHeaders;
import java.util.Locale;
import java.util.regex.Pattern;
import java.util.stream.Stream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.http.client.methods.HttpDelete;
import org.apache.http.client.methods.HttpOptions;
import org.eclipse.jgit.lib.Config;

/* loaded from: input_file:com/google/gerrit/httpd/restapi/CorsResponder.class */
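/**
 * Applies Gerrit's CORS policy to REST requests.
 *
 * <p>An origin is allowed only if it fully matches the pattern built from the
 * {@code site.allowOriginRegex} config entries (see {@link #makeAllowOrigin}); with no
 * pattern configured {@link #isOriginAllowed} is always false, so no
 * {@code Access-Control-Allow-*} headers are ever emitted. Because allowed responses carry
 * {@code Access-Control-Allow-Credentials: true} with the request's origin echoed back, the
 * origin allowlist is the only thing standing between a foreign page and an authenticated
 * API call; every response that depends on the origin also gets {@code Vary: Origin} so a
 * shared cache cannot replay one origin's answer to another.
 */
public class CorsResponder {
    private static final String PLAIN_TEXT = "text/plain";
    private static final String X_GERRIT_AUTH = "X-Gerrit-Auth";
    private static final String X_REQUESTED_WITH = "X-Requested-With";

    /**
     * Methods a preflight may ask for. OPTIONS is not in this set (a preflight asking for
     * OPTIONS is rejected) but is still advertised in {@code Access-Control-Allow-Methods}.
     */
    static final ImmutableSet<String> ALLOWED_CORS_METHODS =
            ImmutableSet.of("GET", "HEAD", "POST", "PUT", HttpDelete.METHOD_NAME);

    /**
     * Request headers a preflight may ask for, kept lower-cased so the lookup in
     * {@link #doCorsPreflight} is case-insensitive (header names are).
     */
    private static final ImmutableSet<String> ALLOWED_CORS_REQUEST_HEADERS =
            Stream.of(HttpHeaders.AUTHORIZATION, HttpHeaders.CONTENT_TYPE, X_GERRIT_AUTH, X_REQUESTED_WITH)
                    .map(name -> name.toLowerCase(Locale.US))
                    .collect(ImmutableSet.toImmutableSet());

    /** Compiled {@code site.allowOriginRegex} alternation, or {@code null} when CORS is disabled. */
    @Nullable
    private final Pattern allowOrigin;

    /**
     * Returns whether the request is a CORS preflight: an OPTIONS request that carries both an
     * {@code Origin} and an {@code Access-Control-Request-Method} header.
     */
    private static boolean isCorsPreflight(HttpServletRequest httpServletRequest) {
        return HttpOptions.METHOD_NAME.equals(httpServletRequest.getMethod())
                && !Strings.isNullOrEmpty(httpServletRequest.getHeader(HttpHeaders.ORIGIN))
                && !Strings.isNullOrEmpty(
                        httpServletRequest.getHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD));
    }

    /**
     * Builds the allowed-origin pattern from {@code site.allowOriginRegex}.
     *
     * <p>The configured entries are joined with {@code |} and later checked with
     * {@link java.util.regex.Matcher#matches()}, i.e. the whole origin string must match one of
     * the alternatives; each entry should therefore describe a complete origin such as
     * {@code https://example.com}, not a substring.
     *
     * @param config site configuration to read
     * @return the compiled pattern, or {@code null} when no entry is configured (CORS disabled)
     * @throws java.util.regex.PatternSyntaxException if a configured entry is not a valid regex
     */
    @Nullable
    public static Pattern makeAllowOrigin(Config config) {
        String[] stringList = config.getStringList("site", null, "allowOriginRegex");
        if (stringList.length == 0) {
            return null;
        }
        return Pattern.compile(Joiner.on('|').join(stringList));
    }

    /**
     * @param pattern allowed-origin pattern from {@link #makeAllowOrigin}; {@code null} disables
     *     CORS entirely
     */
    public CorsResponder(@Nullable Pattern pattern) {
        this.allowOrigin = pattern;
    }

    /**
     * Answers the request if it is a CORS preflight.
     *
     * @return {@code true} if the request was a preflight and the response has been fully
     *     written, so the caller must not process it further; {@code false} otherwise
     * @throws BadRequestException if the preflight asks for an origin, method or header that
     *     the policy does not allow
     */
    public boolean filterCorsPreflight(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws BadRequestException {
        if (!isCorsPreflight(httpServletRequest)) {
            return false;
        }
        doCorsPreflight(httpServletRequest, httpServletResponse);
        return true;
    }

    /**
     * Applies CORS headers to a non-preflight request.
     *
     * <p>When {@code z} is {@code true} the request must carry an allowed {@code Origin} or it is
     * rejected, and only the origin/credentials headers are set. Otherwise a request without an
     * {@code Origin} header passes through untouched, and one with an allowed origin gets the
     * full set of headers from {@link #setCorsHeaders}. A request from a disallowed origin is
     * not rejected on this path; it simply gets no {@code Access-Control-Allow-*} headers, so the
     * browser withholds the response from the page.
     *
     * @param z presumably marks a cross-domain request that must originate from an allowed
     *     origin (e.g. the form-encoded XD request style) — confirm against the caller
     * @throws BadRequestException if {@code z} is set and the origin is missing or not allowed
     */
    public void checkCors(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, boolean z) throws BadRequestException {
        String origin = httpServletRequest.getHeader(HttpHeaders.ORIGIN);
        if (z) {
            if (Strings.isNullOrEmpty(origin) || !isOriginAllowed(origin)) {
                throw new BadRequestException("origin not allowed");
            }
            httpServletResponse.addHeader(HttpHeaders.VARY, HttpHeaders.ORIGIN);
            httpServletResponse.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, origin);
            httpServletResponse.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
        } else if (!Strings.isNullOrEmpty(origin)) {
            // Vary is needed whenever the answer can depend on the origin, which is only the
            // case when a pattern is configured; with none, every origin gets the same reply.
            if (this.allowOrigin != null) {
                httpServletResponse.addHeader(HttpHeaders.VARY, HttpHeaders.ORIGIN);
            }
            if (isOriginAllowed(origin)) {
                setCorsHeaders(httpServletResponse, origin);
            }
        }
    }

    /**
     * Validates a preflight and writes the empty 200 reply.
     *
     * <p>Assumes {@link #isCorsPreflight} already held, so {@code Origin} and
     * {@code Access-Control-Request-Method} are present. Rejects the request if the origin is
     * not allowed, the requested method is outside {@link #ALLOWED_CORS_METHODS}, or any
     * requested header is outside {@link #ALLOWED_CORS_REQUEST_HEADERS} (an empty token, e.g.
     * from a trailing comma, is rejected too).
     *
     * @throws BadRequestException on any policy violation
     */
    private void doCorsPreflight(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws BadRequestException {
        // The reply is origin/method/header specific, so keep it out of shared caches and
        // declare Vary even on the error paths below.
        CacheHeaders.setNotCacheable(httpServletResponse);
        setHeaderList(
                httpServletResponse,
                HttpHeaders.VARY,
                ImmutableList.of(
                        HttpHeaders.ORIGIN,
                        HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD,
                        HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS));

        String origin = httpServletRequest.getHeader(HttpHeaders.ORIGIN);
        if (Strings.isNullOrEmpty(origin) || !isOriginAllowed(origin)) {
            throw new BadRequestException("CORS not allowed");
        }

        String requestedMethod = httpServletRequest.getHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD);
        if (!ALLOWED_CORS_METHODS.contains(requestedMethod)) {
            throw new BadRequestException(requestedMethod + " not allowed in CORS");
        }

        String requestedHeaders = httpServletRequest.getHeader(HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS);
        if (requestedHeaders != null) {
            for (String name : Splitter.on(',').trimResults().split(requestedHeaders)) {
                if (!ALLOWED_CORS_REQUEST_HEADERS.contains(name.toLowerCase(Locale.US))) {
                    throw new BadRequestException(name + " not allowed in CORS");
                }
            }
        }

        httpServletResponse.setStatus(HttpServletResponse.SC_OK);
        setCorsHeaders(httpServletResponse, origin);
        httpServletResponse.setContentType(PLAIN_TEXT);
        httpServletResponse.setContentLength(0);
    }

    /**
     * Writes the full set of CORS response headers for an already-validated origin, echoing it
     * back with credentials allowed, a 600 second preflight cache lifetime, the allowed methods
     * plus OPTIONS, and the allowed request headers.
     */
    private static void setCorsHeaders(HttpServletResponse httpServletResponse, String str) {
        httpServletResponse.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN, str);
        httpServletResponse.setHeader(HttpHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
        httpServletResponse.setHeader(HttpHeaders.ACCESS_CONTROL_MAX_AGE, "600");
        setHeaderList(
                httpServletResponse,
                HttpHeaders.ACCESS_CONTROL_ALLOW_METHODS,
                Iterables.concat(ALLOWED_CORS_METHODS, ImmutableList.of(HttpOptions.METHOD_NAME)));
        setHeaderList(httpServletResponse, HttpHeaders.ACCESS_CONTROL_ALLOW_HEADERS, ALLOWED_CORS_REQUEST_HEADERS);
    }

    /** Sets {@code name} to the comma-separated join of {@code values}, replacing any prior value. */
    private static void setHeaderList(HttpServletResponse httpServletResponse, String name, Iterable<String> values) {
        httpServletResponse.setHeader(name, Joiner.on(", ").join(values));
    }

    /**
     * Returns whether the whole origin string matches the configured pattern; always
     * {@code false} when no pattern is configured.
     */
    private boolean isOriginAllowed(String str) {
        return this.allowOrigin != null && this.allowOrigin.matcher(str).matches();
    }
}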
