package com.predic8.membrane.core.interceptor.cors;

import com.predic8.membrane.annot.MCAttribute;
import com.predic8.membrane.annot.MCElement;
import com.predic8.membrane.core.exceptions.ProblemDetails;
import com.predic8.membrane.core.exchange.Exchange;
import com.predic8.membrane.core.http.Header;
import com.predic8.membrane.core.http.Response;
import com.predic8.membrane.core.http.xml.Headers;
import com.predic8.membrane.core.interceptor.AbstractInterceptor;
import com.predic8.membrane.core.interceptor.Outcome;
import com.predic8.membrane.core.interceptor.statistics.util.JDBCUtil;
import com.predic8.membrane.core.util.ConfigurationException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;
import org.jetbrains.annotations.NotNull;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@MCElement(name = "cors")
/* loaded from: input_file:com/predic8/membrane/core/interceptor/cors/CorsInterceptor.class */
public class CorsInterceptor extends AbstractInterceptor {
    private static final Logger log = LoggerFactory.getLogger(CorsInterceptor.class);
    public static final String ORIGIN = "Origin";
    public static final String ACCESS_CONTROL_REQUEST_METHOD = "Access-Control-Request-Method";
    public static final String ACCESS_CONTROL_REQUEST_HEADERS = "Access-Control-Request-Headers";
    public static final String ACCESS_CONTROL_ALLOW_ORIGIN = "Access-Control-Allow-Origin";
    public static final String ACCESS_CONTROL_ALLOW_METHODS = "Access-Control-Allow-Methods";
    public static final String ACCESS_CONTROL_ALLOW_HEADERS = "Access-Control-Allow-Headers";
    public static final String ACCESS_CONTROL_MAX_AGE = "Access-Control-Max-Age";
    public static final String ACCESS_CONTROL_ALLOW_CREDENTIALS = "Access-Control-Allow-Credentials";
    private boolean allowAll = false;
    private List<String> allowedOrigins = List.of("*");
    private List<String> allowedMethods = List.of("*");
    private List<String> allowedHeaders = new ArrayList();
    private boolean allowCredentials;
    private String maxAge;

    @Override // com.predic8.membrane.core.interceptor.AbstractInterceptor
    public void init() {
        super.init();
        if (this.allowCredentials && originContainsWildcard()) {
            throw new ConfigurationException("Access-Control-Allow-Credentials in combination with origin wildcard is forbidden");
        }
    }

    @Override // com.predic8.membrane.core.interceptor.AbstractInterceptor, com.predic8.membrane.core.interceptor.Interceptor
    public Outcome handleRequest(Exchange exchange) {
        String origin;
        if (exchange.getRequest().isOPTIONSRequest() && (origin = getOrigin(exchange)) != null) {
            if (this.allowAll) {
                exchange.setResponse(Response.noContent().header(createCORSHeader(origin, getRequestMethod(exchange), getRequestHeaders(exchange))).build());
                return Outcome.RETURN;
            }
            if (!originAllowed(origin)) {
                return createProblemDetails(exchange, origin, "origin");
            }
            String requestMethod = getRequestMethod(exchange);
            if (!methodAllowed(requestMethod)) {
                return createProblemDetails(exchange, origin, JDBCUtil.METHOD);
            }
            String requestHeaders = getRequestHeaders(exchange);
            if (!headersAllowed(requestHeaders)) {
                return createProblemDetails(exchange, origin, Headers.ELEMENT_NAME);
            }
            if (originContainsWildcard() && this.allowCredentials) {
                return createProblemDetails(exchange, origin, "credentials");
            }
            exchange.setResponse(Response.noContent().header(createCORSHeader(origin, requestMethod, requestHeaders)).build());
            return Outcome.RETURN;
        }
        return Outcome.CONTINUE;
    }

    private static String getRequestHeaders(Exchange exchange) {
        return exchange.getRequest().getHeader().getFirstValue(ACCESS_CONTROL_REQUEST_HEADERS);
    }

    private static String getRequestMethod(Exchange exchange) {
        return exchange.getRequest().getHeader().getFirstValue(ACCESS_CONTROL_REQUEST_METHOD);
    }

    private static String getOrigin(Exchange exchange) {
        return exchange.getRequest().getHeader().getFirstValue("Origin");
    }

    private static Outcome createProblemDetails(Exchange exchange, String str, String str2) {
        ProblemDetails.security(false, "cors").statusCode(403).addSubType("%s-not-allowed".formatted(str2)).detail("The %s '%s' is not allowed by the CORS policy.".formatted(str2, str)).topLevel("origin", str).buildAndSetResponse(exchange);
        log.info("CORS request denied: type={}, origin={}", str2, str);
        return Outcome.RETURN;
    }

    @Override // com.predic8.membrane.core.interceptor.AbstractInterceptor, com.predic8.membrane.core.interceptor.Interceptor
    public Outcome handleResponse(Exchange exchange) {
        String origin = getOrigin(exchange);
        if (origin == null) {
            return Outcome.CONTINUE;
        }
        if (this.allowAll) {
            createCORSHeader(exchange.getResponse().getHeader(), origin, exchange.getRequest().getMethod(), getRequestHeaders(exchange));
            return Outcome.CONTINUE;
        }
        if (originAllowed(origin)) {
            createCORSHeader(exchange.getResponse().getHeader(), origin, exchange.getRequest().getMethod(), getRequestHeaders(exchange));
        }
        return Outcome.CONTINUE;
    }

    private boolean originAllowed(String str) {
        return "null".equals(str) ? this.allowedOrigins.contains("null") : originContainsWildcard() || this.allowedOrigins.contains(str);
    }

    private boolean methodAllowed(String str) {
        return str != null && (this.allowedMethods.contains(str) || this.allowedMethods.contains("*"));
    }

    private boolean headersAllowed(String str) {
        if (str == null) {
            return true;
        }
        return ((Set) this.allowedHeaders.stream().map((v0) -> {
            return v0.toLowerCase();
        }).collect(Collectors.toSet())).containsAll((Collection) parseCommaSeparated(str).stream().map((v0) -> {
            return v0.toLowerCase();
        }).collect(Collectors.toSet()));
    }

    @NotNull
    private static List<String> parseCommaSeparated(String str) {
        return Arrays.stream(str.split("\\s*,\\s*|\\s+")).map((v0) -> {
            return v0.trim();
        }).filter(str2 -> {
            return !str2.isEmpty();
        }).toList();
    }

    private Header createCORSHeader(String str, String str2, String str3) {
        return createCORSHeader(new Header(), str, str2, str3);
    }

    private Header createCORSHeader(Header header, String str, String str2, String str3) {
        if (this.allowedOrigins.contains("*") && this.allowCredentials) {
            throw new ConfigurationException("UNSAFE CORS CONFIGURATION: 'credentials=true' and 'origins=*' is not allowed!");
        }
        header.setValue("Access-Control-Allow-Origin", getAllowOriginValue(str));
        header.setValue(ACCESS_CONTROL_ALLOW_METHODS, str2 != null ? str2 : join(this.allowedMethods));
        if (this.allowAll) {
            header.setValue(ACCESS_CONTROL_ALLOW_HEADERS, str3 != null ? str3.toLowerCase() : "content-type, authorization");
        } else if (this.allowedHeaders != null) {
            header.setValue(ACCESS_CONTROL_ALLOW_HEADERS, join((List) this.allowedHeaders.stream().map((v0) -> {
                return v0.toLowerCase();
            }).collect(Collectors.toList())));
        }
        if (this.maxAge != null) {
            header.setValue(ACCESS_CONTROL_MAX_AGE, this.maxAge);
        }
        if (this.allowCredentials) {
            header.setValue(ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
        }
        header.setValue(Header.VARY, "Origin, Access-Control-Request-Method, Access-Control-Request-Headers");
        return header;
    }

    private String getAllowOriginValue(String str) {
        return (!originContainsWildcard() || this.allowCredentials) ? str : "*";
    }

    @NotNull
    private String join(List<String> list) {
        return String.join(", ", list);
    }

    private boolean originContainsWildcard() {
        return this.allowedOrigins.contains("*");
    }

    @MCAttribute
    public void setAllowAll(boolean z) {
        this.allowAll = z;
    }

    @MCAttribute
    public void setOrigins(String str) {
        this.allowedOrigins = (List) Arrays.stream(str.split(" ")).map((v0) -> {
            return v0.trim();
        }).collect(Collectors.toList());
    }

    @MCAttribute
    public void setMethods(String str) {
        this.allowedMethods = parseCommaSeparated(str);
    }

    @MCAttribute
    public void setHeaders(String str) {
        this.allowedHeaders = parseCommaSeparated(str);
    }

    @MCAttribute
    public void setCredentials(boolean z) {
        this.allowCredentials = z;
    }

    @MCAttribute
    public void setMaxAge(String str) {
        this.maxAge = str;
    }

    public boolean isAllowAll() {
        return this.allowAll;
    }

    protected List<String> getAllowedOrigins() {
        return this.allowedOrigins;
    }

    protected List<String> getAllowedHeaders() {
        return this.allowedHeaders;
    }

    public String getHeaders() {
        return join(this.allowedHeaders);
    }

    public List<String> getMethods() {
        return this.allowedMethods;
    }

    public boolean isCredentials() {
        return this.allowCredentials;
    }

    public String getMaxAge() {
        return this.maxAge;
    }

    @Override // com.predic8.membrane.core.interceptor.AbstractInterceptor, com.predic8.membrane.core.interceptor.Interceptor
    public String getDisplayName() {
        return "CORS";
    }
}
