package com.stormpath.sdk.servlet.filter.oauth;

import com.stormpath.sdk.lang.Assert;
import com.stormpath.sdk.lang.Strings;
import com.stormpath.sdk.servlet.authz.RequestAuthorizer;
import com.stormpath.sdk.servlet.filter.ServerUriResolver;
import com.stormpath.sdk.servlet.http.MediaType;
import com.stormpath.sdk.servlet.http.Resolver;
import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.util.StringUtils;

/* loaded from: input_file:com/stormpath/sdk/servlet/filter/oauth/OriginAccessTokenRequestAuthorizer.class */
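/**
 * {@link RequestAuthorizer} that gates an OAuth access-token request on the browser-supplied {@code Origin}
 * header, falling back to {@code Referer} when {@code Origin} is absent.
 *
 * <p>A request is authorized when the header value lies within the server's own URI (as reported by the
 * {@link ServerUriResolver}) or within one of the configured authorized origin URLs; see
 * {@link #isAuthorizedOrigin(HttpServletRequest, HttpServletResponse, String)} for the exact matching rule.
 * The check is skipped entirely when the request's {@code Accept} header contains {@code application/json},
 * or when the first configured "produces" media type includes JSON. Since {@code Accept} is client-supplied,
 * this authorizer only constrains clients that do not ask for JSON; it is not a substitute for authenticating
 * the client.
 *
 * <p>Rejections surface as an {@link OAuthException} carrying {@link OAuthErrorCode#INVALID_CLIENT}. A
 * human-readable description is attached only when the localhost {@link Resolver} reports the client as local;
 * remote clients receive no description, and the details go to debug logging instead.
 */
public class OriginAccessTokenRequestAuthorizer implements RequestAuthorizer {
    private static final Logger log = LoggerFactory.getLogger(OriginAccessTokenRequestAuthorizer.class);
    public static final String ACCEPTS_HEADER_NAME = "Accept";
    public static final String ORIGIN_HEADER_NAME = "Origin";
    public static final String REFERER_HEADER_NAME = "Referer";
    public static final String ORIGIN_URIS_CONFIG_PROPERTY_NAME = "stormpath.web.oauth2.origin.authorizer.originUris";
    private final ServerUriResolver serverUriResolver;
    private final Resolver<Boolean> localhost;
    private final Collection<String> authorizedOriginUrls;
    private final boolean producesFavorsJSON;

    /**
     * Creates an authorizer.
     *
     * @param serverUriResolver resolves the server's own base URI for the current request; must not be null
     * @param resolver          reports whether the client is local; must not be null
     * @param collection        additional authorized origin URL prefixes; {@code null} is treated as empty. The
     *                          reference is retained as-is (not copied), so later changes by the caller are visible
     * @param list              configured "produces" media types; when the first entry includes JSON, the origin
     *                          check is skipped for every request. {@code null} or empty disables this shortcut
     * @throws IllegalArgumentException if either resolver is null (via {@link Assert#notNull})
     */
    public OriginAccessTokenRequestAuthorizer(ServerUriResolver serverUriResolver, Resolver<Boolean> resolver,
                                              Collection<String> collection, List<MediaType> list) {
        Assert.notNull(serverUriResolver, "ServerUriResolver cannot be null.");
        Assert.notNull(resolver, "localhost resolver cannot be null.");
        this.serverUriResolver = serverUriResolver;
        this.localhost = resolver;
        this.authorizedOriginUrls = collection == null ? Collections.<String>emptyList() : collection;
        // Only the first (most preferred) produces type is consulted.
        this.producesFavorsJSON = list != null && !list.isEmpty() && list.get(0).includes(MediaType.APPLICATION_JSON);
    }

    /** @return the resolver used to obtain the server's own base URI. */
    public ServerUriResolver getServerUriResolver() {
        return this.serverUriResolver;
    }

    /** @return the resolver used to decide whether the client is local. */
    public Resolver<Boolean> getLocalhostResolver() {
        return this.localhost;
    }

    /**
     * @return the configured authorized origin URL prefixes (never null). This is the caller's own collection,
     *         not a copy.
     */
    public Collection<String> getAuthorizedOriginUrls() {
        return this.authorizedOriginUrls;
    }

    /**
     * Allows the request through when its origin is authorized, otherwise throws.
     *
     * <p>Order of evaluation: the JSON shortcut (Accept header or produces configuration) short-circuits first;
     * then {@code Origin} is read, and {@code Referer} only if {@code Origin} is missing; an empty value or an
     * unauthorized value is rejected.
     *
     * @param httpServletRequest  the incoming request
     * @param httpServletResponse the response (passed through to the localhost resolver)
     * @throws OAuthException with {@link OAuthErrorCode#INVALID_CLIENT} when neither header is present or the
     *                        value is not an authorized origin. The description is non-null only for local clients.
     */
    @Override // com.stormpath.sdk.servlet.authz.RequestAuthorizer
    public void assertAuthorized(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws OAuthException {
        String accept = Strings.clean(httpServletRequest.getHeader(ACCEPTS_HEADER_NAME));
        if ((Strings.hasText(accept) && accept.contains("application/json")) || this.producesFavorsJSON) {
            return;
        }
        boolean localClient = isLocalhostClient(httpServletRequest, httpServletResponse);

        // Origin is preferred; Referer is consulted only when Origin is absent.
        String headerName = ORIGIN_HEADER_NAME;
        String origin = Strings.clean(httpServletRequest.getHeader(ORIGIN_HEADER_NAME));
        if (origin == null) {
            headerName = REFERER_HEADER_NAME;
            origin = Strings.clean(httpServletRequest.getHeader(REFERER_HEADER_NAME));
        }

        if (!Strings.hasText(origin)) {
            log.debug("Request client (remoteAddr={}) did not specify an Origin or Referer header. Access Token request is denied", httpServletRequest.getRemoteAddr());
            String description = localClient ? "Missing Origin or Referer header (Origin preferred)." : null;
            throw new OAuthException(OAuthErrorCode.INVALID_CLIENT, description, (Exception) null);
        }

        if (isAuthorizedOrigin(httpServletRequest, httpServletResponse, origin)) {
            return;
        }

        boolean viaReferer = REFERER_HEADER_NAME.equals(headerName);
        log.debug("Unauthorized {} header value: {}.  If this is unexpected, you might want to specify one or more comma-delimited URLs via the {} property.",
                headerName, origin, ORIGIN_URIS_CONFIG_PROPERTY_NAME);
        String description = localClient
                ? "Unauthorized request " + (viaReferer ? "origin (via Referer header)." : "Origin.")
                : null;
        throw new OAuthException(OAuthErrorCode.INVALID_CLIENT, description, (Exception) null);
    }

    /**
     * Decides whether {@code str} (an {@code Origin} or {@code Referer} value) is an authorized origin.
     *
     * <p>The value is compared, case-sensitively, against the server's own URI and then against each configured
     * authorized origin URL using {@link #matchesAllowedOrigin(String, String)}: the allowed URL must be an exact
     * match or a prefix that ends at a URL component boundary.
     *
     * @param httpServletRequest  the incoming request (used to resolve the server URI)
     * @param httpServletResponse the response; unused here but kept for subclasses
     * @param str                 the cleaned header value; expected to be non-empty
     * @return {@code true} if the value is authorized
     */
    protected boolean isAuthorizedOrigin(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) {
        if (matchesAllowedOrigin(str, getServerUriResolver().getServerUri(httpServletRequest))) {
            return true;
        }
        for (String allowed : getAuthorizedOriginUrls()) {
            if (matchesAllowedOrigin(str, allowed)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns {@code true} if {@code candidate} lies within {@code allowed}: the two are equal, {@code allowed}
     * already ends with {@code /}, or {@code allowed} is a prefix of {@code candidate} followed by a path, port,
     * query or fragment delimiter.
     *
     * <p>A bare prefix test would accept {@code https://example.com.attacker.example} for an allowed
     * {@code https://example.com}, and an empty allowed value would accept anything; both are rejected here. A
     * {@code :} boundary is still accepted so that an allowed URL without a port keeps matching the same host on
     * any port, as the bare prefix test did.
     *
     * @param candidate the header value under test; {@code null} or blank never matches
     * @param allowed   the server URI or a configured origin URL; {@code null} or blank never matches
     * @return whether {@code candidate} is within {@code allowed}
     */
    static boolean matchesAllowedOrigin(String candidate, String allowed) {
        if (!Strings.hasText(candidate) || !Strings.hasText(allowed) || !candidate.startsWith(allowed)) {
            return false;
        }
        if (candidate.length() == allowed.length() || allowed.endsWith("/")) {
            return true;
        }
        char next = candidate.charAt(allowed.length());
        return next == '/' || next == ':' || next == '?' || next == '#';
    }

    /**
     * Asks the configured localhost {@link Resolver} whether the client is local. Only local clients receive a
     * description in the thrown {@link OAuthException}.
     *
     * @param httpServletRequest  the incoming request
     * @param httpServletResponse the response
     * @return {@code true} if the resolver reports a local client
     */
    protected boolean isLocalhostClient(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        return getLocalhostResolver().get(httpServletRequest, httpServletResponse).booleanValue();
    }
}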
