package org.cloudfoundry.identity.uaa.security.web;

import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;
import javax.annotation.PostConstruct;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.cloudfoundry.identity.uaa.util.UaaStringUtils;
import org.cloudfoundry.identity.uaa.zone.CorsConfiguration;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.util.StringUtils;
import org.springframework.web.filter.OncePerRequestFilter;

/* loaded from: input_file:WEB-INF/lib/cloudfoundry-identity-server-4.10.1.jar:org/cloudfoundry/identity/uaa/security/web/CorsFilter.class */
public class CorsFilter extends OncePerRequestFilter {
    static final Log logger = LogFactory.getLog(CorsFilter.class);
    public static final String X_REQUESTED_WITH = "X-Requested-With";
    public static final String WILDCARD = "*";
    private CorsConfiguration xhrConfiguration = new CorsConfiguration();
    private CorsConfiguration defaultConfiguration = new CorsConfiguration();

    public CorsFilter() {
        this.xhrConfiguration.setAllowedMethods(Arrays.asList(HttpMethod.GET.toString(), HttpMethod.OPTIONS.toString()));
        this.defaultConfiguration.setAllowedMethods(Arrays.asList(HttpMethod.GET.toString(), HttpMethod.OPTIONS.toString(), HttpMethod.POST.toString(), HttpMethod.PUT.toString(), HttpMethod.DELETE.toString(), HttpMethod.PATCH.toString()));
        this.xhrConfiguration.setAllowedHeaders(Arrays.asList("Accept", "Accept-Language", "Content-Type", "Content-Language", "Authorization", "X-Requested-With"));
        this.defaultConfiguration.setAllowedHeaders(Arrays.asList("Accept", "Accept-Language", "Content-Type", "Content-Language", "Authorization"));
        this.xhrConfiguration.setAllowedCredentials(true);
        this.defaultConfiguration.setAllowedCredentials(false);
    }

    @PostConstruct
    public void initialize() {
        for (CorsConfiguration corsConfiguration : Arrays.asList(this.xhrConfiguration, this.defaultConfiguration)) {
            String str = corsConfiguration == this.xhrConfiguration ? "xhr" : "default";
            corsConfiguration.getAllowedUriPatterns().clear();
            corsConfiguration.getAllowedOriginPatterns().clear();
            if (corsConfiguration.getAllowedUris() != null) {
                for (String str2 : corsConfiguration.getAllowedUris()) {
                    try {
                        corsConfiguration.getAllowedUriPatterns().add(Pattern.compile(str2));
                        logger.debug(String.format("URI '%s' is allowed for a %s CORS requests.", str2, str));
                    } catch (PatternSyntaxException e) {
                        logger.error("Invalid regular expression pattern in cors." + str + ".allowed.uris: " + str2, e);
                    }
                }
            }
            if (corsConfiguration.getAllowedOrigins() != null) {
                for (String str3 : corsConfiguration.getAllowedOrigins()) {
                    try {
                        corsConfiguration.getAllowedOriginPatterns().add(Pattern.compile(str3));
                        logger.debug(String.format("Origin '%s' is allowed for a %s CORS requests.", str3, str));
                    } catch (PatternSyntaxException e2) {
                        logger.error("Invalid regular expression pattern in cors." + str + ".allowed.origins: " + str3, e2);
                    }
                }
            }
        }
    }

    @Override // org.springframework.web.filter.OncePerRequestFilter
    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
        if (!isCrossOriginRequest(httpServletRequest)) {
            filterChain.doFilter(httpServletRequest, httpServletResponse);
            return;
        }
        if (logger.isDebugEnabled()) {
            logger.debug("CORS Processing request: " + getRequestInfo(httpServletRequest));
        }
        if (isXhrRequest(httpServletRequest)) {
            handleRequest(httpServletRequest, httpServletResponse, filterChain, getXhrConfiguration());
        } else {
            handleRequest(httpServletRequest, httpServletResponse, filterChain, getDefaultConfiguration());
        }
        if (logger.isDebugEnabled()) {
            logger.debug("CORS processing completed for: " + getRequestInfo(httpServletRequest) + " Status:" + httpServletResponse.getStatus());
        }
    }

    protected boolean handleRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain, CorsConfiguration corsConfiguration) throws IOException, ServletException {
        boolean equals = HttpMethod.OPTIONS.toString().equals(httpServletRequest.getMethod());
        String method = httpServletRequest.getMethod();
        if (!equals && !isAllowedMethod(method, corsConfiguration)) {
            logger.debug(String.format("Request with invalid method was rejected: %s", method));
            httpServletResponse.sendError(HttpStatus.METHOD_NOT_ALLOWED.value(), "Illegal method.");
            return true;
        }
        String header = httpServletRequest.getHeader("Origin");
        try {
            URI uri = new URI(header);
            if (!isAllowedOrigin(header, corsConfiguration)) {
                logger.debug(String.format("Request with origin: %s was rejected because it didn't match allowed origins", header));
                httpServletResponse.sendError(HttpStatus.FORBIDDEN.value(), "Illegal origin");
                return true;
            }
            String requestURI = httpServletRequest.getRequestURI();
            if (!isAllowedRequestUri(requestURI, corsConfiguration)) {
                logger.debug(String.format("Request with URI: %s was rejected because it didn't match allowed URIs", requestURI));
                httpServletResponse.sendError(HttpStatus.FORBIDDEN.value(), "Illegal request URI");
                return true;
            }
            if (corsConfiguration.isAllowedCredentials()) {
                httpServletResponse.addHeader("Access-Control-Allow-Origin", uri.toString());
            } else {
                httpServletResponse.addHeader("Access-Control-Allow-Origin", "*");
            }
            if (equals) {
                logger.debug(String.format("Request is a pre-flight request", new Object[0]));
                buildCorsPreFlightResponse(httpServletRequest, httpServletResponse, corsConfiguration);
                return false;
            }
            logger.debug(String.format("Request cross origin request has passed validation.", new Object[0]));
            filterChain.doFilter(httpServletRequest, httpServletResponse);
            return false;
        } catch (URISyntaxException e) {
            logger.debug(String.format("Request with invalid origin was rejected: %s", header));
            httpServletResponse.sendError(HttpStatus.FORBIDDEN.value(), "Invalid origin");
            return true;
        }
    }

    protected boolean isXhrRequest(HttpServletRequest httpServletRequest) {
        if (StringUtils.hasText(httpServletRequest.getHeader("X-Requested-With"))) {
            return true;
        }
        String header = httpServletRequest.getHeader("Access-Control-Request-Headers");
        return StringUtils.hasText(header) && containsHeader(header, "X-Requested-With");
    }

    protected boolean isCrossOriginRequest(HttpServletRequest httpServletRequest) {
        return StringUtils.hasText(httpServletRequest.getHeader("Origin"));
    }

    protected String buildCommaDelimitedString(List<String> list) {
        StringBuilder sb = new StringBuilder();
        for (String str : list) {
            if (sb.length() > 0) {
                sb.append(", ");
            }
            sb.append(str);
        }
        return sb.toString();
    }

    protected List<String> splitCommaDelimitedString(String str) {
        String[] split = str.replace(" ", "").split(",");
        return (split == null || split.length == 0) ? Collections.EMPTY_LIST : Arrays.asList(split);
    }

    protected void buildCorsPreFlightResponse(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, CorsConfiguration corsConfiguration) throws IOException {
        String header = httpServletRequest.getHeader("Access-Control-Request-Method");
        if (null == header) {
            httpServletResponse.sendError(HttpStatus.BAD_REQUEST.value(), "Access-Control-Request-Method header is missing");
            return;
        }
        if (!isAllowedMethod(header, corsConfiguration)) {
            httpServletResponse.sendError(HttpStatus.METHOD_NOT_ALLOWED.value(), "Illegal method requested");
            return;
        }
        httpServletResponse.addHeader("Access-Control-Allow-Methods", buildCommaDelimitedString(corsConfiguration.getAllowedMethods()));
        String header2 = httpServletRequest.getHeader("Access-Control-Request-Headers");
        if (null == header2) {
            httpServletResponse.sendError(HttpStatus.BAD_REQUEST.value(), "Missing Access-Control-Request-Headers header.");
        } else if (!headersAllowed(header2, corsConfiguration)) {
            httpServletResponse.sendError(HttpStatus.FORBIDDEN.value(), "Illegal header requested");
        } else {
            httpServletResponse.addHeader("Access-Control-Allow-Headers", header2);
            httpServletResponse.addHeader("Access-Control-Max-Age", String.valueOf(corsConfiguration.getMaxAge()));
        }
    }

    protected boolean containsHeader(String str, String str2) {
        return UaaStringUtils.containsIgnoreCase(splitCommaDelimitedString(str), str2);
    }

    protected boolean headersAllowed(String str, CorsConfiguration corsConfiguration) {
        Iterator<String> it = splitCommaDelimitedString(str).iterator();
        while (it.hasNext()) {
            if (!UaaStringUtils.containsIgnoreCase(corsConfiguration.getAllowedHeaders(), it.next())) {
                return false;
            }
        }
        return true;
    }

    protected boolean isAllowedMethod(String str, CorsConfiguration corsConfiguration) {
        return UaaStringUtils.containsIgnoreCase(corsConfiguration.getAllowedMethods(), str);
    }

    protected boolean isAllowedRequestUri(String str, CorsConfiguration corsConfiguration) {
        if (StringUtils.isEmpty(str)) {
            return false;
        }
        Iterator<Pattern> it = corsConfiguration.getAllowedUriPatterns().iterator();
        while (it.hasNext()) {
            if (it.next().matcher(str).find()) {
                return true;
            }
        }
        logger.debug(String.format("The '%s' URI does not allow CORS requests.", str));
        return false;
    }

    protected boolean isAllowedOrigin(String str, CorsConfiguration corsConfiguration) {
        Iterator<Pattern> it = corsConfiguration.getAllowedOriginPatterns().iterator();
        while (it.hasNext()) {
            if (it.next().matcher(str).find()) {
                return true;
            }
        }
        logger.debug(String.format("The '%s' origin is not allowed to make CORS requests.", str));
        return false;
    }

    public String getRequestInfo(HttpServletRequest httpServletRequest) {
        return String.format("URI: %s; Scheme: %s; Host: %s; Port: %s; Origin: %s; Method: %s", httpServletRequest.getRequestURI(), httpServletRequest.getScheme(), httpServletRequest.getServerName(), Integer.valueOf(httpServletRequest.getServerPort()), httpServletRequest.getHeader("Origin"), httpServletRequest.getMethod());
    }

    public void setCorsXhrAllowedUris(List<String> list) {
        this.xhrConfiguration.setAllowedUris(list);
    }

    public void setCorsXhrAllowedOrigins(List<String> list) {
        this.xhrConfiguration.setAllowedOrigins(list);
    }

    public void setCorsXhrAllowedHeaders(List<String> list) {
        this.xhrConfiguration.setAllowedHeaders(new ArrayList(list));
    }

    public void setCorsXhrAllowedCredentials(boolean z) {
        this.xhrConfiguration.setAllowedCredentials(z);
    }

    public void setCorsXhrAllowedMethods(List<String> list) {
        this.xhrConfiguration.setAllowedMethods(new ArrayList(list));
    }

    public void setCorsXhrMaxAge(int i) {
        this.xhrConfiguration.setMaxAge(i);
    }

    public void setCorsAllowedUris(List<String> list) {
        this.defaultConfiguration.setAllowedUris(list);
    }

    public void setCorsAllowedOrigins(List<String> list) {
        this.defaultConfiguration.setAllowedOrigins(list);
    }

    public void setCorsAllowedHeaders(List<String> list) {
        this.defaultConfiguration.setAllowedHeaders(new ArrayList(list));
    }

    public void setCorsAllowedCredentials(boolean z) {
        this.defaultConfiguration.setAllowedCredentials(z);
    }

    public void setCorsAllowedMethods(List<String> list) {
        this.defaultConfiguration.setAllowedMethods(new ArrayList(list));
    }

    public void setCorsMaxAge(int i) {
        this.defaultConfiguration.setMaxAge(i);
    }

    public CorsConfiguration getDefaultConfiguration() {
        return this.defaultConfiguration;
    }

    public CorsConfiguration getXhrConfiguration() {
        return this.xhrConfiguration;
    }
}
