package com.stormpath.sdk.servlet.filter.cors;

import com.stormpath.sdk.lang.Assert;
import com.stormpath.sdk.servlet.filter.HttpFilter;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Locale;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/stormpath/sdk/servlet/filter/cors/CorsFilter.class */
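/**
 * Servlet filter implementing the server side of the CORS protocol.
 *
 * <p>Every request carrying an {@code Origin} header is classified by {@link #checkRequestType} and then
 * handled as a simple/actual request (CORS response headers added, chain continued), a preflight
 * ({@code OPTIONS} answered by this filter, chain <em>not</em> continued), a non-CORS request (chain
 * continued untouched) or an invalid request (HTTP 403, chain not continued).
 *
 * <p>Configuration is done through the setters before {@link #onInit()} runs; the filter is not designed
 * to be reconfigured while serving requests. Note that combining {@link #setAnyOriginAllowed any origin}
 * with {@link #setSupportsCredentials credentials} makes the filter echo whatever {@code Origin} the
 * browser sends together with {@code Access-Control-Allow-Credentials: true}; {@link #onInit()} logs a
 * warning for that configuration.
 */
public class CorsFilter extends HttpFilter {
    public static final String RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN = "Access-Control-Allow-Origin";
    public static final String RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS = "Access-Control-Allow-Credentials";
    public static final String RESPONSE_HEADER_ACCESS_CONTROL_EXPOSE_HEADERS = "Access-Control-Expose-Headers";
    public static final String RESPONSE_HEADER_ACCESS_CONTROL_MAX_AGE = "Access-Control-Max-Age";
    public static final String RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_METHODS = "Access-Control-Allow-Methods";
    public static final String RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_HEADERS = "Access-Control-Allow-Headers";
    public static final String REQUEST_HEADER_ORIGIN = "Origin";
    public static final String REQUEST_HEADER_ACCESS_CONTROL_REQUEST_METHOD = "Access-Control-Request-Method";
    public static final String REQUEST_HEADER_ACCESS_CONTROL_REQUEST_HEADERS = "Access-Control-Request-Headers";

    /** Response header telling caches that the response depends on the request's {@code Origin}. */
    private static final String RESPONSE_HEADER_VARY = "Vary";

    // Defaults: only explicitly listed origins, credentials allowed, preflight cacheable for 30 minutes.
    private boolean anyOriginAllowed = false;
    private boolean supportsCredentials = true;
    private long preflightMaxAge = 1800;
    private Collection<String> allowedOrigins = new HashSet<>();
    private Collection<String> allowedHttpMethods = new HashSet<>();
    private Collection<String> allowedHttpHeaders = new HashSet<>();
    private Collection<String> exposedHeaders = new HashSet<>();

    private static final Logger log = LoggerFactory.getLogger(CorsFilter.class);

    /**
     * Content types for which a {@code POST} is still a "simple" CORS request (one the browser sends without
     * a preflight). Compared against the lower-cased media type with parameters stripped.
     */
    public static final Collection<String> SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES =
            new HashSet<>(Arrays.asList("application/x-www-form-urlencoded", "multipart/form-data", "text/plain"));

    /**
     * Classification of an incoming request as seen by this filter.
     * (Decompiler note: originally declared {@code protected}; kept public for binary compatibility.)
     */
    public enum CORSRequestType {
        /** GET/HEAD, or POST with one of {@link #SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES}. */
        SIMPLE,
        /** A non-preflight cross-origin request that is not simple (e.g. PUT, or POST with JSON). */
        ACTUAL,
        /** An OPTIONS request carrying a non-empty {@code Access-Control-Request-Method}. */
        PRE_FLIGHT,
        /** No {@code Origin} header, or the origin equals this server's own origin. */
        NOT_CORS,
        /** Malformed origin, unknown method, or a POST without a content type. */
        INVALID_CORS
    }

    /**
     * Sets the exact origin strings (e.g. {@code https://app.example.test}) allowed to make CORS requests.
     * The collection is stored by reference, not copied; matching is case-sensitive. Ignored when
     * {@link #setAnyOriginAllowed(boolean)} is {@code true}.
     *
     * @param collection allowed origins; must not be {@code null} when the filter is initialised
     */
    public void setAllowedOrigins(Collection<String> collection) {
        this.allowedOrigins = collection;
    }

    /**
     * Sets the HTTP methods accepted for CORS requests (case-sensitive, e.g. {@code "GET"}).
     *
     * @param collection allowed methods; must be non-empty when the filter is initialised
     */
    public void setAllowedHttpMethods(Collection<String> collection) {
        this.allowedHttpMethods = collection;
    }

    /**
     * Sets the request header names a preflight may ask for. Names are compared case-insensitively
     * against the lower-cased {@code Access-Control-Request-Headers} values.
     *
     * @param collection allowed header names; must be non-empty when the filter is initialised
     */
    public void setAllowedHttpHeaders(Collection<String> collection) {
        this.allowedHttpHeaders = collection;
    }

    /**
     * Allows every origin. Without credentials the response carries {@code Access-Control-Allow-Origin: *};
     * with credentials the request's own origin is echoed instead.
     *
     * @param anyOriginAllowed {@code true} to accept any origin
     */
    public void setAnyOriginAllowed(boolean anyOriginAllowed) {
        this.anyOriginAllowed = anyOriginAllowed;
    }

    /**
     * Controls whether {@code Access-Control-Allow-Credentials: true} is sent.
     *
     * @param supportsCredentials {@code true} to allow cookies/auth headers on cross-origin requests
     */
    public void setSupportsCredentials(boolean supportsCredentials) {
        this.supportsCredentials = supportsCredentials;
    }

    /**
     * Sets the {@code Access-Control-Max-Age} value (seconds) sent on preflight responses; values
     * {@code <= 0} suppress the header.
     *
     * @param preflightMaxAge preflight cache lifetime in seconds
     */
    public void setPreflightMaxAge(long preflightMaxAge) {
        this.preflightMaxAge = preflightMaxAge;
    }

    /**
     * Sets the response headers listed in {@code Access-Control-Expose-Headers}; may be {@code null} or empty.
     *
     * @param collection header names the browser may read from the response
     */
    public void setExposedHeaders(Collection<String> collection) {
        this.exposedHeaders = collection;
    }

    /**
     * Validates the configuration after the superclass has initialised.
     * (Decompiler note: originally declared {@code protected}.)
     *
     * @throws Exception if the superclass fails, or if the origins are {@code null} or the allowed
     *                   methods/headers are empty
     */
    @Override // com.stormpath.sdk.servlet.filter.HttpFilter
    public void onInit() throws Exception {
        super.onInit();
        Assert.notNull(this.allowedOrigins, "allowedOrigins cannot be null.");
        Assert.notEmpty(this.allowedHttpMethods, "allowedHttpMethods cannot be empty.");
        Assert.notEmpty(this.allowedHttpHeaders, "allowedHttpHeaders cannot be empty.");
        if (this.anyOriginAllowed && this.supportsCredentials) {
            // Browsers refuse "*" together with credentials, so this configuration reflects the request
            // Origin instead: every site on the web can then make credentialed requests to this server.
            log.warn("CorsFilter allows any origin with credentials: the request Origin will be echoed in "
                    + "Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true.");
        }
    }

    /**
     * The filter only engages for requests that carry an {@code Origin} header (and is globally enabled).
     */
    @Override // com.stormpath.sdk.servlet.filter.HttpFilter
    protected boolean isEnabled(HttpServletRequest request, HttpServletResponse response) throws Exception {
        return request.getHeader(REQUEST_HEADER_ORIGIN) != null && isEnabled();
    }

    /**
     * Dispatches on {@link #checkRequestType}. Simple and actual requests receive identical handling.
     */
    @Override // com.stormpath.sdk.servlet.filter.HttpFilter
    protected void filter(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws Exception {
        switch (checkRequestType(request)) {
            case SIMPLE:
            case ACTUAL:
                handleSimpleCORS(request, response, chain);
                break;
            case PRE_FLIGHT:
                handlePreflightCORS(request, response, chain);
                break;
            case NOT_CORS:
                handleNonCORS(request, response, chain);
                break;
            default:
                handleInvalidCORS(request, response, chain);
                break;
        }
    }

    /**
     * Handles a simple or actual CORS request: validates origin and method, adds the allow-origin /
     * credentials / expose-headers response headers and continues the filter chain.
     * Any validation failure is answered by {@link #handleInvalidCORS} and the chain is not continued.
     *
     * @param request  the request (must carry an {@code Origin} header)
     * @param response the response to decorate
     * @param chain    the remaining filter chain
     * @throws IOException      propagated from the chain
     * @throws ServletException propagated from the chain
     */
    protected void handleSimpleCORS(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        String origin = request.getHeader(REQUEST_HEADER_ORIGIN);
        String method = request.getMethod();
        if (!isOriginAllowed(origin) || !this.allowedHttpMethods.contains(method)) {
            handleInvalidCORS(request, response, chain);
            return;
        }
        addAllowOriginHeaders(response, origin);
        if (this.exposedHeaders != null && !this.exposedHeaders.isEmpty()) {
            response.addHeader(RESPONSE_HEADER_ACCESS_CONTROL_EXPOSE_HEADERS, join(this.exposedHeaders, ","));
        }
        chain.doFilter(request, response);
    }

    /**
     * Answers a preflight request. Validates the origin, the requested method and every requested header;
     * on success writes the allow-origin, max-age, allow-methods and allow-headers response headers.
     * The filter chain is deliberately <em>not</em> continued for a preflight; the response ends here.
     *
     * @param request  the OPTIONS request
     * @param response the response to decorate
     * @param chain    the remaining filter chain (only used for the invalid-request path)
     * @throws IOException      declared for API compatibility
     * @throws ServletException declared for API compatibility
     */
    protected void handlePreflightCORS(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        String origin = request.getHeader(REQUEST_HEADER_ORIGIN);
        if (!isOriginAllowed(origin)) {
            handleInvalidCORS(request, response, chain);
            return;
        }
        String requestedMethodHeader = request.getHeader(REQUEST_HEADER_ACCESS_CONTROL_REQUEST_METHOD);
        if (requestedMethodHeader == null) {
            handleInvalidCORS(request, response, chain);
            return;
        }
        String requestedMethod = requestedMethodHeader.trim();
        if (!this.allowedHttpMethods.contains(requestedMethod)) {
            handleInvalidCORS(request, response, chain);
            return;
        }
        List<String> requestedHeaders =
                parseRequestedHeaders(request.getHeader(REQUEST_HEADER_ACCESS_CONTROL_REQUEST_HEADERS));
        for (String requestedHeader : requestedHeaders) {
            if (!isHeaderAllowed(requestedHeader)) {
                handleInvalidCORS(request, response, chain);
                return;
            }
        }
        addAllowOriginHeaders(response, origin);
        if (this.preflightMaxAge > 0) {
            response.addHeader(RESPONSE_HEADER_ACCESS_CONTROL_MAX_AGE, String.valueOf(this.preflightMaxAge));
        }
        // Only the method the browser asked for is granted, not the whole allowed set.
        response.addHeader(RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_METHODS, requestedMethod);
        if (this.allowedHttpHeaders != null && !this.allowedHttpHeaders.isEmpty()) {
            response.addHeader(RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_HEADERS, join(this.allowedHttpHeaders, ","));
        }
    }

    /** Passes a non-CORS request straight through. */
    private void handleNonCORS(HttpServletRequest request, HttpServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        chain.doFilter(request, response);
    }

    /**
     * Rejects the request with a 403 and an empty body; the chain is not continued.
     * The request's {@code Origin} and requested headers are attacker-controlled strings and are only
     * written to the debug log.
     */
    private void handleInvalidCORS(HttpServletRequest request, HttpServletResponse response, FilterChain chain) {
        String origin = request.getHeader(REQUEST_HEADER_ORIGIN);
        String method = request.getMethod();
        String requestedHeaders = request.getHeader(REQUEST_HEADER_ACCESS_CONTROL_REQUEST_HEADERS);
        response.setContentType("text/plain");
        response.setStatus(403);
        // The rejection depends on Origin, so a shared cache must not reuse it for other origins.
        response.addHeader(RESPONSE_HEADER_VARY, REQUEST_HEADER_ORIGIN);
        response.resetBuffer();
        if (log.isDebugEnabled()) {
            String detail = "Invalid CORS request; Origin=" + origin + ";Method=" + method;
            if (requestedHeaders != null) {
                detail += ";Access-Control-Request-Headers=" + requestedHeaders;
            }
            log.debug(detail);
        }
    }

    /**
     * Writes {@code Access-Control-Allow-Origin} (and {@code Access-Control-Allow-Credentials} when enabled)
     * plus {@code Vary: Origin}. A wildcard is emitted only when any origin is allowed and credentials are
     * not supported; in every other case the request origin is echoed.
     */
    private void addAllowOriginHeaders(HttpServletResponse response, String origin) {
        if (this.anyOriginAllowed && !this.supportsCredentials) {
            response.addHeader(RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN, "*");
        } else {
            response.addHeader(RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN, origin);
        }
        if (this.supportsCredentials) {
            response.addHeader(RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
        }
        // The allow-origin value is derived from the request's Origin; without Vary, a shared cache could
        // serve one origin's Access-Control-Allow-Origin to a different origin.
        response.addHeader(RESPONSE_HEADER_VARY, REQUEST_HEADER_ORIGIN);
    }

    /**
     * Splits a comma-separated {@code Access-Control-Request-Headers} value into trimmed, lower-cased names.
     *
     * @param headerValue the raw header value, possibly {@code null} or blank
     * @return the requested header names; empty when the header is absent or blank
     */
    private static List<String> parseRequestedHeaders(String headerValue) {
        List<String> names = new ArrayList<>();
        if (headerValue == null || headerValue.trim().isEmpty()) {
            return names;
        }
        for (String name : headerValue.trim().split(",")) {
            names.add(name.trim().toLowerCase(Locale.ENGLISH));
        }
        return names;
    }

    /**
     * Whether a requested header (already lower-cased) is in the configured allow list. Header names are
     * case-insensitive, so configured names are matched regardless of the case they were written in.
     */
    private boolean isHeaderAllowed(String lowerCaseName) {
        if (this.allowedHttpHeaders.contains(lowerCaseName)) {
            return true;
        }
        for (String allowed : this.allowedHttpHeaders) {
            if (allowed != null && allowed.toLowerCase(Locale.ENGLISH).equals(lowerCaseName)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Classifies the request.
     *
     * <p>Rules, in order: no {@code Origin} → NOT_CORS; empty or malformed origin → INVALID_CORS; origin
     * equal to this server's own origin → NOT_CORS; missing method → INVALID_CORS; {@code OPTIONS} with a
     * non-empty {@code Access-Control-Request-Method} → PRE_FLIGHT (empty → INVALID_CORS, absent → ACTUAL);
     * GET/HEAD → SIMPLE; POST → SIMPLE or ACTUAL by content type (no content type → INVALID_CORS);
     * anything else → ACTUAL.
     *
     * @param request the request to classify
     * @return the request type, never {@code null}
     */
    protected CORSRequestType checkRequestType(HttpServletRequest request) {
        String origin = request.getHeader(REQUEST_HEADER_ORIGIN);
        if (origin == null) {
            return CORSRequestType.NOT_CORS;
        }
        if (origin.isEmpty() || !isValidOrigin(origin)) {
            return CORSRequestType.INVALID_CORS;
        }
        if (isLocalOrigin(request, origin)) {
            return CORSRequestType.NOT_CORS;
        }
        String method = request.getMethod();
        if (method == null) {
            return CORSRequestType.INVALID_CORS;
        }
        if ("OPTIONS".equals(method)) {
            String requestedMethod = request.getHeader(REQUEST_HEADER_ACCESS_CONTROL_REQUEST_METHOD);
            if (requestedMethod == null) {
                // A plain cross-origin OPTIONS without the preflight marker is an ordinary request.
                return CORSRequestType.ACTUAL;
            }
            return requestedMethod.isEmpty() ? CORSRequestType.INVALID_CORS : CORSRequestType.PRE_FLIGHT;
        }
        if ("GET".equals(method) || "HEAD".equals(method)) {
            return CORSRequestType.SIMPLE;
        }
        if ("POST".equals(method)) {
            String mediaType = getMediaType(request.getContentType());
            if (mediaType == null) {
                return CORSRequestType.INVALID_CORS;
            }
            return SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES.contains(mediaType)
                    ? CORSRequestType.SIMPLE
                    : CORSRequestType.ACTUAL;
        }
        return CORSRequestType.ACTUAL;
    }

    /**
     * Syntactic check of an {@code Origin} value: no percent-encoding, either the literal {@code "null"}
     * origin or a URI with a scheme. This says nothing about whether the origin is <em>allowed</em>; that is
     * {@link #isOriginAllowed}. Note that a {@code "null"} origin is sent by sandboxed documents and some
     * local files, so listing {@code "null"} in the allowed origins effectively allows any such document.
     *
     * @param origin the header value, must not be {@code null}
     * @return {@code true} when the value is well-formed
     */
    protected static boolean isValidOrigin(String origin) {
        if (origin.contains("%")) {
            return false;
        }
        if ("null".equals(origin)) {
            return true;
        }
        try {
            return new URI(origin).getScheme() != null;
        } catch (URISyntaxException e) {
            return false;
        }
    }

    /**
     * Whether the origin equals this server's own {@code scheme://host[:port]} (default ports omitted).
     * The server name may originate from the request's {@code Host} header; a spoofed match only makes the
     * request NOT_CORS, i.e. it suppresses CORS headers rather than granting anything.
     */
    private boolean isLocalOrigin(HttpServletRequest request, String origin) {
        String scheme = request.getScheme();
        if (scheme == null) {
            return false;
        }
        String lowerScheme = scheme.toLowerCase(Locale.ENGLISH);
        String serverName = request.getServerName();
        if (serverName == null) {
            return false;
        }
        int serverPort = request.getServerPort();
        boolean nonDefaultPort = ("http".equals(lowerScheme) && serverPort != 80)
                || ("https".equals(lowerScheme) && serverPort != 443);
        StringBuilder local = new StringBuilder(lowerScheme).append("://").append(serverName);
        if (nonDefaultPort) {
            local.append(':').append(serverPort);
        }
        return origin.equalsIgnoreCase(local.toString());
    }

    /**
     * Extracts the lower-cased media type from a {@code Content-Type} value, dropping any parameters
     * (everything from the first {@code ';'}).
     *
     * @param contentType the raw header value, may be {@code null}
     * @return the trimmed media type, or {@code null} when the input is {@code null}
     */
    private String getMediaType(String contentType) {
        if (contentType == null) {
            return null;
        }
        String lower = contentType.toLowerCase(Locale.ENGLISH);
        int paramStart = lower.indexOf(';');
        if (paramStart > -1) {
            lower = lower.substring(0, paramStart);
        }
        return lower.trim();
    }

    /** Whether the origin is allowed: any origin when configured so, otherwise an exact allow-list match. */
    private boolean isOriginAllowed(String origin) {
        return this.anyOriginAllowed || this.allowedOrigins.contains(origin);
    }

    /**
     * Joins the collection's elements with the separator. {@code null} elements contribute an empty string
     * (the separator is still emitted), so {@code [a, null, b]} becomes {@code "a,,b"}.
     *
     * @param collection the values to join; {@code null} yields {@code null}
     * @param separator  the separator; {@code null} means {@code ","}
     * @return the joined string, or {@code null} when the collection is {@code null}
     */
    protected static String join(Collection<String> collection, String separator) {
        if (collection == null) {
            return null;
        }
        String sep = separator != null ? separator : ",";
        StringBuilder out = new StringBuilder();
        boolean first = true;
        for (String element : collection) {
            if (first) {
                first = false;
            } else {
                out.append(sep);
            }
            if (element != null) {
                out.append(element);
            }
        }
        return out.toString();
    }
}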
