package com.ibm.ws.webcontainer.cors;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.webcontainer.cors.config.CorsConfig;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.TreeSet;
import java.util.concurrent.CopyOnWriteArrayList;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.aries.blueprint.parser.Parser;
import org.apache.wink.common.http.HttpMethodEx;
import org.osgi.service.component.ComponentContext;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.component.annotations.Deactivate;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
import org.osgi.service.component.annotations.ReferencePolicy;
import org.osgi.service.component.annotations.ReferencePolicyOption;

@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@Component(service = {CorsHelper.class}, configurationPolicy = ConfigurationPolicy.IGNORE, immediate = true, property = {"service.vendor=IBM"})
/* loaded from: input_file:wlp/lib/com.ibm.ws.webcontainer.cors_1.0.14.jar:com/ibm/ws/webcontainer/cors/CorsHelper.class */
public class CorsHelper {
    private static final String REQUEST_HEADER_ORIGIN = "Origin";
    private static final String REQUEST_HEADER_ACCESS_CONTROL_REQUEST_METHOD = "Access-Control-Request-Method";
    private static final String REQUEST_HEADER_ACCESS_CONTROL_REQUEST_HEADERS = "Access-Control-Request-Headers";
    private static final String RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN = "Access-Control-Allow-Origin";
    private static final String RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS = "Access-Control-Allow-Credentials";
    private static final String RESPONSE_HEADER_ACCESS_CONTROL_EXPOSE_HEADERS = "Access-Control-Expose-Headers";
    private static final String RESPONSE_HEADER_ACCESS_CONTROL_MAX_AGE = "Access-Control-Allow-Max-Age";
    private static final String RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_METHODS = "Access-Control-Allow-Methods";
    private static final String RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_HEADERS = "Access-Control-Allow-Headers";
    List<CorsConfig> configurations = new CopyOnWriteArrayList();
    static final long serialVersionUID = -8836660110101617808L;
    private static final TraceComponent tc = Tr.register(CorsHelper.class);
    private static final List<String> SIMPLE_REQUEST_HEADER_CONTENT_TYPE_VALUES = Arrays.asList("application/x-www-form-urlencoded", "multipart/form-data", "text/plain");
    private static final List<String> COMPLEX_HTTP_METHOD_VALUES = Arrays.asList("PUT", "DELETE", HttpMethodEx.CONNECT, "TRACE");

    /* JADX INFO: Access modifiers changed from: private */
    @InjectedFFDC
    @TraceObjectField(fieldName = "$$$tc$$$", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
    /* loaded from: input_file:wlp/lib/com.ibm.ws.webcontainer.cors_1.0.14.jar:com/ibm/ws/webcontainer/cors/CorsHelper$CorsRequestType.class */
    public enum CorsRequestType {
        SIMPLE,
        PRE_FLIGHT,
        ACTUAL,
        OTHER;

        static final long serialVersionUID = 6689755590521730442L;
        private static final /* synthetic */ TraceComponent $$$tc$$$ = Tr.register(CorsRequestType.class);
    }

    @Activate
    protected void activate(ComponentContext componentContext, Map<String, Object> map) {
    }

    @Deactivate
    protected void deactivate(ComponentContext componentContext, int i) {
    }

    @Reference(service = CorsConfig.class, name = "corsConfig", policy = ReferencePolicy.DYNAMIC, cardinality = ReferenceCardinality.MULTIPLE, policyOption = ReferencePolicyOption.GREEDY)
    protected void setCorsConfig(CorsConfig corsConfig) {
        this.configurations.add(corsConfig);
    }

    protected void unsetCorsConfig(CorsConfig corsConfig) {
        this.configurations.remove(corsConfig);
    }

    public boolean handleCorsRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        boolean z = false;
        if (httpServletRequest.getHeader(REQUEST_HEADER_ORIGIN) != null) {
            logCorsRequestInfo(httpServletRequest);
            CorsRequestType requestType = getRequestType(httpServletRequest);
            if (requestType == CorsRequestType.PRE_FLIGHT) {
                z = handlePreflightRequest(httpServletRequest, httpServletResponse);
            } else if (requestType == CorsRequestType.SIMPLE || requestType == CorsRequestType.ACTUAL) {
                z = handleSimpleCrossOriginRequest(httpServletRequest, httpServletResponse);
            }
            logCorsResponseInfo(httpServletResponse);
        }
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(this, tc, "Request is fully handled and processed? " + z, new Object[0]);
        }
        return z;
    }

    private boolean handleSimpleCrossOriginRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        CorsConfig matchCorsConfig;
        String header = httpServletRequest.getHeader(REQUEST_HEADER_ORIGIN);
        if (header == null || (matchCorsConfig = matchCorsConfig(httpServletRequest.getRequestURI())) == null || !isMatch(matchCorsConfig, header)) {
            return false;
        }
        boolean allowCredentials = matchCorsConfig.getAllowCredentials();
        if (allowCredentials) {
            httpServletResponse.setHeader(RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
        }
        if (!isWildcardPath(matchCorsConfig.getAllowedOrigins()) || allowCredentials) {
            httpServletResponse.setHeader(RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN, filterHttpHeader(header));
        } else {
            httpServletResponse.setHeader(RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN, "*");
        }
        String exposedHeaders = matchCorsConfig.getExposedHeaders();
        if (exposedHeaders == null) {
            return false;
        }
        httpServletResponse.setHeader(RESPONSE_HEADER_ACCESS_CONTROL_EXPOSE_HEADERS, exposedHeaders);
        return false;
    }

    private boolean handlePreflightRequest(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        CorsConfig matchCorsConfig;
        String header = httpServletRequest.getHeader(REQUEST_HEADER_ORIGIN);
        if (header == null || (matchCorsConfig = matchCorsConfig(httpServletRequest.getRequestURI())) == null || !isMatch(matchCorsConfig, header)) {
            return false;
        }
        String header2 = httpServletRequest.getHeader(REQUEST_HEADER_ACCESS_CONTROL_REQUEST_METHOD);
        if (header2 == null || header2.isEmpty()) {
            if (!TraceComponent.isAnyTracingEnabled() || !tc.isDebugEnabled()) {
                return false;
            }
            Tr.debug(this, tc, "Value of the request header 'Access-Control-Request-Method' is '" + String.valueOf(header2) + "'.", new Object[0]);
            return false;
        }
        String trim = header2.trim();
        String header3 = httpServletRequest.getHeader(REQUEST_HEADER_ACCESS_CONTROL_REQUEST_HEADERS);
        List emptyList = (header3 == null || header3.isEmpty()) ? Collections.emptyList() : Arrays.asList(header3.trim().split("\\s*,\\s*"));
        List<String> allowedMethods = matchCorsConfig.getAllowedMethods();
        if (!allowedMethods.contains(trim)) {
            if (!TraceComponent.isAnyTracingEnabled() || !tc.isDebugEnabled()) {
                return false;
            }
            Tr.debug(this, tc, "Access-Control-Request-Method '" + trim + "' is not included in the list of allowed methods: " + Arrays.toString(allowedMethods.toArray()), new Object[0]);
            return false;
        }
        List<String> allowedHeaders = matchCorsConfig.getAllowedHeaders();
        if (!emptyList.isEmpty()) {
            TreeSet treeSet = new TreeSet(String.CASE_INSENSITIVE_ORDER);
            TreeSet treeSet2 = new TreeSet(String.CASE_INSENSITIVE_ORDER);
            treeSet.addAll(allowedHeaders);
            treeSet2.addAll(emptyList);
            if (!treeSet.containsAll(treeSet2)) {
                if (!TraceComponent.isAnyTracingEnabled() || !tc.isDebugEnabled()) {
                    return false;
                }
                Tr.debug(this, tc, "Access-Control-Request-Method '" + Arrays.toString(emptyList.toArray()) + "' is not included in the list of allowed headers: " + Arrays.toString(allowedHeaders.toArray()), new Object[0]);
                return false;
            }
        }
        boolean allowCredentials = matchCorsConfig.getAllowCredentials();
        if (allowCredentials) {
            httpServletResponse.setHeader(RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
        }
        if (!isWildcardPath(matchCorsConfig.getAllowedOrigins()) || allowCredentials) {
            httpServletResponse.setHeader(RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN, filterHttpHeader(header));
        } else {
            httpServletResponse.setHeader(RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN, "*");
        }
        Long maxAge = matchCorsConfig.getMaxAge();
        if (maxAge != null) {
            httpServletResponse.setHeader(RESPONSE_HEADER_ACCESS_CONTROL_MAX_AGE, String.valueOf(maxAge));
        }
        httpServletResponse.setHeader(RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_METHODS, join(", ", allowedMethods));
        if (allowedHeaders.isEmpty()) {
            return true;
        }
        httpServletResponse.setHeader(RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_HEADERS, join(", ", allowedHeaders));
        return true;
    }

    private CorsRequestType getRequestType(HttpServletRequest httpServletRequest) {
        CorsRequestType corsRequestType = CorsRequestType.OTHER;
        String header = httpServletRequest.getHeader(REQUEST_HEADER_ORIGIN);
        if (header != null && !header.isEmpty()) {
            String method = httpServletRequest.getMethod();
            if ("OPTIONS".equals(method)) {
                String header2 = httpServletRequest.getHeader(REQUEST_HEADER_ACCESS_CONTROL_REQUEST_METHOD);
                if (header2 != null && !header2.isEmpty()) {
                    corsRequestType = CorsRequestType.PRE_FLIGHT;
                } else if (header2 == null) {
                    corsRequestType = CorsRequestType.ACTUAL;
                }
            } else if ("GET".equals(method) || "HEAD".equals(method)) {
                corsRequestType = CorsRequestType.SIMPLE;
            } else if ("POST".equals(method)) {
                corsRequestType = SIMPLE_REQUEST_HEADER_CONTENT_TYPE_VALUES.contains(getType(httpServletRequest.getContentType())) ? CorsRequestType.SIMPLE : CorsRequestType.ACTUAL;
            } else if (COMPLEX_HTTP_METHOD_VALUES.contains(method)) {
                corsRequestType = CorsRequestType.ACTUAL;
            }
        }
        return corsRequestType;
    }

    private static String getType(String str) {
        if (str == null) {
            return null;
        }
        int indexOf = str.indexOf(";");
        return (indexOf == -1 ? str : str.substring(0, indexOf)).trim().toLowerCase(Locale.ENGLISH);
    }

    private CorsConfig matchCorsConfig(String str) {
        if (this.configurations.isEmpty()) {
            return null;
        }
        for (CorsConfig corsConfig : this.configurations) {
            if (str.startsWith(corsConfig.getDomain())) {
                return corsConfig;
            }
        }
        return null;
    }

    private static String filterHttpHeader(String str) {
        return str.replaceAll("(\\n|\\r|\\u0085|\\u2028)", "");
    }

    private static boolean isMatch(CorsConfig corsConfig, String str) {
        if (corsConfig == null) {
            return false;
        }
        List<String> allowedOrigins = corsConfig.getAllowedOrigins();
        if (allowedOrigins.get(0).equals(Parser.NULL_ELEMENT)) {
            return false;
        }
        if (isWildcardPath(allowedOrigins)) {
            return true;
        }
        Iterator<String> it = allowedOrigins.iterator();
        while (it.hasNext()) {
            if (it.next().equals(str)) {
                return true;
            }
        }
        return false;
    }

    private static boolean isWildcardPath(List<String> list) {
        return "*".equals(list.get(0));
    }

    public boolean isCorsSupportEnabled() {
        return !this.configurations.isEmpty();
    }

    private static String join(String str, List<String> list) {
        if (list == null || str == null) {
            throw new NullPointerException();
        }
        StringBuilder sb = new StringBuilder();
        boolean z = true;
        for (String str2 : list) {
            if (z) {
                z = false;
            } else {
                sb.append(str);
            }
            if (str2 != null) {
                sb.append(str2);
            }
        }
        return sb.toString();
    }

    private void logCorsRequestInfo(HttpServletRequest httpServletRequest) {
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(this, tc, "Request :: Method: " + httpServletRequest.getMethod() + " | Oorigin: " + String.valueOf(httpServletRequest.getHeader(REQUEST_HEADER_ORIGIN)) + " | Request Method: " + String.valueOf(httpServletRequest.getHeader(REQUEST_HEADER_ACCESS_CONTROL_REQUEST_METHOD)) + " | Request Headers: " + String.valueOf(httpServletRequest.getHeader(REQUEST_HEADER_ACCESS_CONTROL_REQUEST_HEADERS)), new Object[0]);
        }
    }

    private void logCorsResponseInfo(HttpServletResponse httpServletResponse) {
        if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
            Tr.debug(this, tc, "Respond :: Allow Origin: " + String.valueOf(httpServletResponse.getHeader(RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN)) + " | Allow Credential: " + String.valueOf(httpServletResponse.getHeader(RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS)) + " | Expose Headers: " + String.valueOf(httpServletResponse.getHeader(RESPONSE_HEADER_ACCESS_CONTROL_EXPOSE_HEADERS)) + " | Max Age: " + String.valueOf(httpServletResponse.getHeader(RESPONSE_HEADER_ACCESS_CONTROL_MAX_AGE)) + " | Allow Methods: " + String.valueOf(httpServletResponse.getHeader(RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_METHODS)) + " | Allow Headers :" + String.valueOf(httpServletResponse.getHeader(RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_HEADERS)), new Object[0]);
        }
    }
}
