package org.forgerock.openam.cors;

import com.sun.identity.shared.debug.Debug;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.stream.Collectors;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.collections4.CollectionUtils;
import org.forgerock.openam.cors.utils.CSVHelper;
import org.forgerock.util.Reject;

/* loaded from: input_file:org/forgerock/openam/cors/CORSService.class */
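public class CORSService {
    private static final Debug DEBUG = Debug.getInstance("frRest");

    /**
     * Header names a preflight may list in Access-Control-Request-Headers without being explicitly
     * configured as accepted headers. Entries are lower-case; comparisons are case-insensitive.
     * NOTE(review): this matches the legacy "simple response headers" list rather than the
     * CORS-safelisted request headers (accept, accept-language, content-language, content-type).
     * Widening it would loosen the preflight policy, so it is kept as-is — confirm intent.
     */
    private static final Set<String> SIMPLE_HEADERS = Collections.unmodifiableSet(new HashSet<>(
            Arrays.asList("cache-control", "content-language", "expires", "last-modified", "pragma")));

    private final CSVHelper csvHelper = new CSVHelper();
    private final boolean enabled;
    /** Accepted Origin values; may contain {@code CORSConstants.ALL} to allow any origin. */
    private final List<String> acceptedOrigins;
    /** Accepted HTTP methods (case-sensitive, as HTTP method tokens are). */
    private final List<String> acceptedMethods;
    /** Accepted request header names, stored lower-case. */
    private final List<String> acceptedHeaders;
    /** Header names advertised via Access-Control-Expose-Headers. */
    private final List<String> exposedHeaders;
    /** If non-empty, the exact Host header value every CORS request must carry. */
    private final String expectedHostname;
    /** Access-Control-Max-Age in seconds; 0 means the header is not sent. */
    private final int maxAge;
    private final boolean allowCredentials;

    /**
     * Creates a CORS service with a fixed policy.
     *
     * @param z     whether CORS handling is enabled; when {@code false}, {@link #handleRequest} always
     *              lets the request through untouched
     * @param list  accepted origins; required (non-empty) when enabled
     * @param list2 accepted HTTP methods; required (non-empty) when enabled
     * @param list3 accepted request header names, compared case-insensitively; may be {@code null}
     * @param list4 header names to expose to the calling script; may be {@code null}
     * @param i     Access-Control-Max-Age in seconds; negative values are clamped to 0
     * @param z2    whether to send Access-Control-Allow-Credentials: true
     * @param str   expected Host header value, or {@code null}/empty to skip the host check
     * @throws IllegalArgumentException via {@link Reject} when enabled and origins or methods are missing
     */
    public CORSService(boolean z, List<String> list, List<String> list2, List<String> list3, List<String> list4, int i, boolean z2, String str) {
        this.enabled = z;
        if (z) {
            Reject.ifTrue(list == null || list.isEmpty(), "AcceptedOrigins must have at least one value.");
            // The original message here also said "AcceptedOrigins"; it validates the accepted methods.
            Reject.ifTrue(list2 == null || list2.isEmpty(), "AcceptedMethods must have at least one value.");
        }
        // Defensive, unmodifiable copies so a caller holding the original lists cannot alter the policy later.
        this.acceptedOrigins = copyOf(list);
        this.acceptedMethods = copyOf(list2);
        // Locale.ROOT avoids locale-dependent case mapping (e.g. dotted/dotless i) for header names.
        this.acceptedHeaders = Collections.unmodifiableList(copyOf(list3).stream()
                .map(name -> name.toLowerCase(Locale.ROOT))
                .collect(Collectors.toList()));
        this.exposedHeaders = copyOf(list4);
        this.allowCredentials = z2;
        this.maxAge = Math.max(0, i);
        this.expectedHostname = str;
    }

    /** Returns an unmodifiable copy of {@code source}, or an empty list when {@code source} is null. */
    private static List<String> copyOf(List<String> source) {
        if (source == null) {
            return Collections.emptyList();
        }
        return Collections.unmodifiableList(new ArrayList<>(source));
    }

    /**
     * Applies the CORS policy to a request, writing CORS response headers where appropriate.
     *
     * @param httpServletRequest  the incoming request
     * @param httpServletResponse the response to decorate
     * @return {@code true} when the caller should continue processing the request (CORS disabled,
     *         no Origin header, or a valid actual request); {@code false} when the request was rejected
     *         or was a preflight that has been fully answered here
     */
    public boolean handleRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        // Requests without an Origin header are same-origin (or non-browser) and are not subject to CORS.
        if (!this.enabled || httpServletRequest.getHeader(CORSConstants.ORIGIN) == null) {
            return true;
        }
        if (!isValidCORSRequest(httpServletRequest)) {
            return false;
        }
        if (!isPreflightFlow(httpServletRequest)) {
            return handleActualRequestFlow(httpServletRequest, httpServletResponse);
        }
        // A preflight is answered entirely by the headers set here; it never reaches the application.
        handlePreflightFlow(httpServletRequest, httpServletResponse);
        return false;
    }

    /**
     * Answers a preflight (OPTIONS + Access-Control-Request-Method) request. When the preflight does not
     * satisfy the policy no headers are written, so the browser will refuse the actual request.
     */
    private void handlePreflightFlow(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (!isPreflightValid(httpServletRequest)) {
            return;
        }
        String origin = httpServletRequest.getHeader(CORSConstants.ORIGIN);
        httpServletResponse.setHeader(CORSConstants.AC_ALLOW_METHODS, this.csvHelper.listToCSVString(this.acceptedMethods));
        if (!this.acceptedHeaders.isEmpty()) {
            httpServletResponse.setHeader(CORSConstants.AC_ALLOW_HEADERS, this.csvHelper.listToCSVString(this.acceptedHeaders));
        }
        if (this.maxAge > 0) {
            httpServletResponse.setIntHeader(CORSConstants.AC_MAX_AGE, this.maxAge);
        }
        addOriginAndCredsHeaders(httpServletResponse, origin);
    }

    /**
     * Decorates the response for an actual (non-preflight) cross-origin request.
     *
     * @return always {@code true}: the request continues to the application
     */
    private boolean handleActualRequestFlow(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String origin = httpServletRequest.getHeader(CORSConstants.ORIGIN);
        if (!this.exposedHeaders.isEmpty()) {
            httpServletResponse.setHeader(CORSConstants.AC_EXPOSE_HEADERS, this.csvHelper.listToCSVString(this.exposedHeaders));
        }
        addOriginAndCredsHeaders(httpServletResponse, origin);
        return true;
    }

    /** Returns whether the request is a CORS preflight: OPTIONS with a non-empty Access-Control-Request-Method. */
    private boolean isPreflightFlow(HttpServletRequest httpServletRequest) {
        if (!CORSConstants.HTTP_OPTIONS.equals(httpServletRequest.getMethod())) {
            return false;
        }
        String requestedMethod = httpServletRequest.getHeader(CORSConstants.AC_REQUEST_METHOD);
        return requestedMethod != null && !requestedMethod.isEmpty();
    }

    /**
     * Checks a preflight against the policy: it must be OPTIONS, request an accepted method, and every
     * header named in Access-Control-Request-Headers must be an accepted or simple header.
     *
     * @return {@code true} when the preflight may be answered with allow-headers
     */
    private boolean isPreflightValid(HttpServletRequest httpServletRequest) {
        if (!CORSConstants.HTTP_OPTIONS.equals(httpServletRequest.getMethod())) {
            DEBUG.warning("CORS Fail - Preflight request method is not HTTP OPTIONS.");
            return false;
        }
        // contains(null) is false, so a missing header fails here as well as a non-accepted method.
        if (!this.acceptedMethods.contains(httpServletRequest.getHeader(CORSConstants.AC_REQUEST_METHOD))) {
            DEBUG.warning("CORS Fail - Preflight request Access-Control-Request-Method header is missing or not an accepted method.");
            return false;
        }
        String requestedHeaders = httpServletRequest.getHeader(CORSConstants.AC_REQUEST_HEADERS);
        if (requestedHeaders == null) {
            return true;
        }
        for (String name : this.csvHelper.csvStringToList(requestedHeaders, true)) {
            String lowerName = name.toLowerCase(Locale.ROOT);
            if (!this.acceptedHeaders.contains(lowerName) && !SIMPLE_HEADERS.contains(lowerName)) {
                DEBUG.warning("CORS Fail - Preflight request contained the Access-Control-Request-Headers headers with an invalid value.");
                return false;
            }
        }
        return true;
    }

    /**
     * Validates the origin, host and method of a cross-origin request against the policy. Each failure
     * is logged at warning level; the log line is the only diagnostic the caller gets.
     *
     * @return {@code true} when the request passes every check
     */
    private boolean isValidCORSRequest(HttpServletRequest httpServletRequest) {
        String host = httpServletRequest.getHeader(CORSConstants.HOST);
        String origin = httpServletRequest.getHeader(CORSConstants.ORIGIN);
        if (origin == null || origin.isEmpty()) {
            DEBUG.warning("CORS Fail - Request did not contain an origin header.");
            return false;
        }
        if (CollectionUtils.isEmpty(this.acceptedOrigins)) {
            DEBUG.warning("CORS Fail - Accepted Origins setting is empty");
            return false;
        }
        // Exact, case-sensitive match against the configured origins (or the wildcard).
        if (!this.acceptedOrigins.contains(CORSConstants.ALL) && !this.acceptedOrigins.contains(origin)) {
            DEBUG.warning("CORS Fail - Requested origin comes from a location not whitelisted.");
            return false;
        }
        // Exact comparison: the Host header must match the configured value byte-for-byte (including any port).
        if (this.expectedHostname != null && !this.expectedHostname.isEmpty() && !this.expectedHostname.equals(host)) {
            DEBUG.warning("CORS Fail - Expected hostname does not equal actual hostname.");
            return false;
        }
        if (CollectionUtils.isEmpty(this.acceptedMethods)) {
            DEBUG.warning("CORS Fail - Accepted Method setting is empty");
            return false;
        }
        // OPTIONS is always allowed through this check so preflights can be validated separately; note that a
        // plain OPTIONS request (no Access-Control-Request-Method) therefore also passes even when OPTIONS is
        // not an accepted method, matching the original behaviour.
        String method = httpServletRequest.getMethod();
        if (this.acceptedMethods.contains(method) || CORSConstants.HTTP_OPTIONS.equals(method)) {
            return true;
        }
        DEBUG.warning("CORS Fail - Requested HTTP method has not been whitelisted.");
        return false;
    }

    /**
     * Writes Access-Control-Allow-Origin (and, when enabled, Access-Control-Allow-Credentials).
     * Whenever the response echoes the request's Origin it is origin-specific, so Vary: Origin is set to stop
     * a shared cache from replaying it to a different origin; the original only did this on the credentialed path.
     *
     * @param str the validated Origin header value to echo
     */
    private void addOriginAndCredsHeaders(HttpServletResponse httpServletResponse, String str) {
        if (this.allowCredentials) {
            // Credentialed responses may never use "*", so the origin is always echoed here.
            httpServletResponse.setHeader(CORSConstants.VARY, CORSConstants.ORIGIN);
            httpServletResponse.setHeader(CORSConstants.AC_ALLOW_ORIGIN, str);
            httpServletResponse.setHeader(CORSConstants.AC_ALLOW_CREDS, CORSConstants.AC_CREDENTIALS_TRUE);
        } else if (this.acceptedOrigins.contains(CORSConstants.ALL)) {
            httpServletResponse.setHeader(CORSConstants.AC_ALLOW_ORIGIN, CORSConstants.ALL);
        } else {
            httpServletResponse.setHeader(CORSConstants.VARY, CORSConstants.ORIGIN);
            httpServletResponse.setHeader(CORSConstants.AC_ALLOW_ORIGIN, str);
        }
    }
}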
