package org.cloudfoundry.identity.uaa.web;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;
import javax.annotation.PostConstruct;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpStatus;
import org.springframework.util.StringUtils;
import org.springframework.web.filter.OncePerRequestFilter;

/* loaded from: input_file:org/cloudfoundry/identity/uaa/web/CorsFilter.class */
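/**
 * Servlet filter implementing UAA's two CORS policies.
 *
 * <p><b>Non-XHR requests</b> (no {@code X-Requested-With} header and none announced in a
 * preflight) receive {@code Access-Control-Allow-Origin: *} on every response, even when no
 * {@code Origin} header is present. Per the CORS spec a wildcard origin is never honoured
 * for credentialed (cookie) requests, but any origin can read these responses when it
 * supplies its own {@code Authorization} header, which is what the preflight advertises.
 *
 * <p><b>XHR requests</b> (those carrying, or preflighting, {@code X-Requested-With}) are only
 * permitted for GET/OPTIONS, and only when both the request URI and the {@code Origin}
 * header match one of the configured regular expressions. The validated origin is then
 * reflected in {@code Access-Control-Allow-Origin}.
 *
 * <p>Operator caveats:
 * <ul>
 *   <li>{@code cors.xhr.allowed.uris} and {@code cors.xhr.allowed.origins} are Java regexes
 *       evaluated with {@link java.util.regex.Matcher#find()}, i.e. as <em>unanchored
 *       substring</em> matches. Anchor them and escape dots
 *       ({@code ^https://app\.example\.com$}); an entry such as
 *       {@code https://app.example.com} also admits {@code https://app.example.com.evil.net}.</li>
 *   <li>The default {@code ^$} cannot match a non-empty string, so the XHR policy is
 *       deny-all until configured. A malformed pattern is logged and dropped, which only
 *       narrows the allow-list (fail closed).</li>
 *   <li>Patterns are compiled once in {@link #initialize()}; the setters below only take
 *       effect if {@code initialize()} is invoked again afterwards.</li>
 * </ul>
 */
public class CorsFilter extends OncePerRequestFilter {
    static final Log LOG = LogFactory.getLog(CorsFilter.class);

    /** Regex sources for request URIs allowed to receive XHR CORS requests. */
    @Value("#{'${cors.xhr.allowed.uris:^$}'.split(',')}")
    private List<String> corsXhrAllowedUris;

    /** Regex sources for origins allowed to make XHR CORS requests. */
    @Value("#{'${cors.xhr.allowed.origins:^$}'.split(',')}")
    private List<String> corsXhrAllowedOrigins;

    /**
     * Header names a preflighted XHR request may ask for, besides {@code X-Requested-With}.
     * Compared case-insensitively, since HTTP header names are case-insensitive and
     * browsers may lower-case the names they list in {@code Access-Control-Request-Headers}.
     */
    @Value("#{'${cors.xhr.allowed.headers:Accept,Authorization}'.split(',')}")
    private List<String> allowedHeaders;

    private final List<Pattern> corsXhrAllowedUriPatterns = new ArrayList<>();
    private final List<Pattern> corsXhrAllowedOriginPatterns = new ArrayList<>();

    /**
     * Compiles the configured URI and origin regexes. Entries that fail to compile are
     * logged and skipped rather than aborting startup; the resulting allow-list is smaller,
     * never larger, than configured.
     */
    @PostConstruct
    public void initialize() {
        compileInto(this.corsXhrAllowedUris, this.corsXhrAllowedUriPatterns,
                "cors.xhr.allowed.uris", "URI '%s' allows 'X-Requested-With' header in CORS requests.");
        compileInto(this.corsXhrAllowedOrigins, this.corsXhrAllowedOriginPatterns,
                "cors.xhr.allowed.origins", "Origin '%s' allowed 'X-Requested-With' header in CORS requests.");
    }

    /**
     * Compiles each source regex into {@code target}, logging and dropping invalid entries.
     *
     * @param sources      configured regex strings; may be null
     * @param target       list receiving the compiled patterns
     * @param propertyName property name, used only in the error log
     * @param debugFormat  debug log format with one {@code %s} for the pattern source
     */
    private static void compileInto(List<String> sources, List<Pattern> target,
                                    String propertyName, String debugFormat) {
        if (sources == null) {
            return;
        }
        for (String source : sources) {
            try {
                target.add(Pattern.compile(source));
                if (LOG.isDebugEnabled()) {
                    LOG.debug(String.format(debugFormat, source));
                }
            } catch (PatternSyntaxException e) {
                LOG.error("Invalid regular expression pattern in " + propertyName + ": " + source);
            }
        }
    }

    /**
     * Applies the non-XHR (wildcard) or XHR (allow-listed, reflected origin) policy.
     *
     * <p>Preflights are answered here and never reach the rest of the chain. XHR requests
     * that fail the method, URI or origin check are answered with 405/403 and also stop
     * here, so downstream handlers never see them.
     */
    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
        if (!isXhrRequest(httpServletRequest)) {
            // Wildcard for everything that is not an XHR request, regardless of Origin.
            httpServletResponse.addHeader("Access-Control-Allow-Origin", "*");
            boolean preflight = "OPTIONS".equals(httpServletRequest.getMethod())
                    && httpServletRequest.getHeader("Access-Control-Request-Method") != null;
            if (!preflight) {
                filterChain.doFilter(httpServletRequest, httpServletResponse);
                return;
            }
            httpServletResponse.addHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
            httpServletResponse.addHeader("Access-Control-Allow-Headers", "Authorization");
            httpServletResponse.addHeader("Access-Control-Max-Age", "1728000"); // 20 days
            return;
        }

        if (!isCorsXhrAllowedMethod(httpServletRequest.getMethod())) {
            httpServletResponse.setStatus(HttpStatus.METHOD_NOT_ALLOWED.value());
            return;
        }

        String origin = httpServletRequest.getHeader("Origin");
        // getRequestURI() is neither decoded nor normalised; the configured URI regexes
        // should be anchored so path tricks cannot slip past a loose pattern.
        if (!isCorsXhrAllowedRequestUri(httpServletRequest.getRequestURI()) || !isCorsXhrAllowedOrigin(origin)) {
            httpServletResponse.setStatus(HttpStatus.FORBIDDEN.value());
            return;
        }

        // The origin is attacker-controlled input reflected into a response header; it is
        // only echoed after passing the allow-list above. Because the response now differs
        // per origin, mark it with Vary so a shared cache never serves one origin's
        // Allow-Origin value to another.
        httpServletResponse.addHeader("Access-Control-Allow-Origin", origin);
        httpServletResponse.addHeader("Vary", "Origin");

        if ("OPTIONS".equals(httpServletRequest.getMethod())) {
            buildCorsXhrPreFlightResponse(httpServletRequest, httpServletResponse);
        } else {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
        }
    }

    /**
     * True when the request carries any non-blank {@code X-Requested-With} value, or is a
     * preflight that lists {@code X-Requested-With} in {@code Access-Control-Request-Headers}.
     * The header's value is not inspected, only its presence.
     */
    static boolean isXhrRequest(HttpServletRequest httpServletRequest) {
        String requestedWith = httpServletRequest.getHeader("X-Requested-With");
        if (StringUtils.hasText(requestedWith)) {
            return true;
        }
        String requestedHeaders = httpServletRequest.getHeader("Access-Control-Request-Headers");
        return StringUtils.hasText(requestedHeaders) && containsHeader(requestedHeaders, "X-Requested-With");
    }

    /**
     * Answers an XHR preflight: 400 if the preflight is incomplete, 405 for anything but
     * GET, 403 if a requested header is not allow-listed, otherwise the allow headers.
     */
    void buildCorsXhrPreFlightResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String requestedMethod = httpServletRequest.getHeader("Access-Control-Request-Method");
        if (requestedMethod == null) {
            httpServletResponse.setStatus(HttpStatus.BAD_REQUEST.value());
            return;
        }
        if (!"GET".equalsIgnoreCase(requestedMethod)) {
            httpServletResponse.setStatus(HttpStatus.METHOD_NOT_ALLOWED.value());
            return;
        }
        httpServletResponse.addHeader("Access-Control-Allow-Methods", "GET");

        String requestedHeaders = httpServletRequest.getHeader("Access-Control-Request-Headers");
        if (requestedHeaders == null) {
            httpServletResponse.setStatus(HttpStatus.BAD_REQUEST.value());
            return;
        }
        if (!headersAllowed(requestedHeaders)) {
            httpServletResponse.setStatus(HttpStatus.FORBIDDEN.value());
            return;
        }
        // NOTE(review): the advertised list is fixed while headersAllowed() consults the
        // configurable allowedHeaders; a configured header outside this literal (e.g. a
        // custom one) passes the check here but is still refused by the browser.
        httpServletResponse.addHeader("Access-Control-Allow-Headers", "Authorization, X-Requested-With");
        httpServletResponse.addHeader("Access-Control-Max-Age", "1728000"); // 20 days
    }

    /**
     * True if the comma-separated header list {@code headerList} names {@code headerName},
     * ignoring case and spaces.
     */
    private static boolean containsHeader(String headerList, String headerName) {
        List<String> names = Arrays.asList(headerList.replace(" ", "").toLowerCase().split(","));
        return names.contains(headerName.toLowerCase());
    }

    /**
     * True when every header named in {@code requestedHeaders} is either
     * {@code X-Requested-With} or one of the configured {@link #allowedHeaders}.
     * Header names are compared case-insensitively (HTTP header names are
     * case-insensitive, and browsers may send them lower-cased).
     */
    private boolean headersAllowed(String requestedHeaders) {
        for (String name : requestedHeaders.replace(" ", "").split(",")) {
            if ("X-Requested-With".equalsIgnoreCase(name)) {
                continue;
            }
            if (!isConfiguredAllowedHeader(name)) {
                return false;
            }
        }
        return true;
    }

    /** Case-insensitive, null-safe lookup of {@code name} in the configured allow-list. */
    private boolean isConfiguredAllowedHeader(String name) {
        if (this.allowedHeaders == null) {
            return false;
        }
        for (String allowed : this.allowedHeaders) {
            if (allowed != null && allowed.trim().equalsIgnoreCase(name)) {
                return true;
            }
        }
        return false;
    }

    /** XHR CORS requests are limited to GET and its OPTIONS preflight. */
    private static boolean isCorsXhrAllowedMethod(String method) {
        return "GET".equalsIgnoreCase(method) || "OPTIONS".equalsIgnoreCase(method);
    }

    /** True if some configured URI regex finds a match anywhere in {@code uri}. */
    private boolean isCorsXhrAllowedRequestUri(String uri) {
        if (StringUtils.isEmpty(uri)) {
            return false;
        }
        if (anyFinds(this.corsXhrAllowedUriPatterns, uri)) {
            return true;
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("The '%s' URI does not allow CORS requests with the 'X-Requested-With' header.", uri));
        }
        return false;
    }

    /** True if some configured origin regex finds a match anywhere in {@code origin}. */
    private boolean isCorsXhrAllowedOrigin(String origin) {
        if (StringUtils.isEmpty(origin)) {
            return false;
        }
        if (anyFinds(this.corsXhrAllowedOriginPatterns, origin)) {
            return true;
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug(String.format("The '%s' origin is not allowed to make CORS requests with the 'X-Requested-With' header.", origin));
        }
        return false;
    }

    /**
     * Unanchored match: {@link java.util.regex.Matcher#find()} succeeds if the pattern
     * occurs anywhere in {@code value}, so patterns must carry their own {@code ^}/{@code $}.
     */
    private static boolean anyFinds(List<Pattern> patterns, String value) {
        for (Pattern pattern : patterns) {
            if (pattern.matcher(value).find()) {
                return true;
            }
        }
        return false;
    }

    /** Replaces the URI regex sources; call {@link #initialize()} afterwards to apply. */
    public void setCorsXhrAllowedUris(List<String> list) {
        this.corsXhrAllowedUris = list;
    }

    /** Replaces the origin regex sources; call {@link #initialize()} afterwards to apply. */
    public void setCorsXhrAllowedOrigins(List<String> list) {
        this.corsXhrAllowedOrigins = list;
    }

    /** Replaces the preflight header allow-list; takes effect immediately. */
    public void setAllowedHeaders(List<String> list) {
        this.allowedHeaders = list;
    }
}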
