package io.micronaut.http.server.cors;

import io.micronaut.core.annotation.NonNull;
import io.micronaut.core.annotation.Nullable;
import io.micronaut.core.async.publisher.Publishers;
import io.micronaut.core.convert.ArgumentConversionContext;
import io.micronaut.core.convert.ConversionContext;
import io.micronaut.core.convert.ImmutableArgumentConversionContext;
import io.micronaut.core.util.StringUtils;
import io.micronaut.http.HttpAttributes;
import io.micronaut.http.HttpHeaders;
import io.micronaut.http.HttpMethod;
import io.micronaut.http.HttpRequest;
import io.micronaut.http.HttpResponse;
import io.micronaut.http.HttpStatus;
import io.micronaut.http.MutableHttpResponse;
import io.micronaut.http.annotation.Filter;
import io.micronaut.http.filter.HttpServerFilter;
import io.micronaut.http.filter.ServerFilterChain;
import io.micronaut.http.filter.ServerFilterPhase;
import io.micronaut.http.server.HttpServerConfiguration;
import io.micronaut.http.server.util.HttpHostResolver;
import jakarta.inject.Inject;
import java.net.URI;
import java.util.ArrayList;
import java.util.List;
import java.util.Optional;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import org.jetbrains.annotations.NotNull;
import org.reactivestreams.Publisher;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import redis.clients.jedis.Protocol;

@Filter({"/**"})
/* loaded from: input_file:io/micronaut/http/server/cors/CorsFilter.class */
public class CorsFilter implements HttpServerFilter {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) CorsFilter.class);
    private static final ArgumentConversionContext<HttpMethod> CONVERSION_CONTEXT_HTTP_METHOD = ImmutableArgumentConversionContext.of(HttpMethod.class);
    protected final HttpServerConfiguration.CorsConfiguration corsConfiguration;

    @Nullable
    private final HttpHostResolver httpHostResolver;

    @Inject
    public CorsFilter(HttpServerConfiguration.CorsConfiguration corsConfiguration, @Nullable HttpHostResolver httpHostResolver) {
        this.corsConfiguration = corsConfiguration;
        this.httpHostResolver = httpHostResolver;
    }

    @Deprecated
    public CorsFilter(HttpServerConfiguration.CorsConfiguration corsConfiguration) {
        this(corsConfiguration, null);
    }

    @Override // io.micronaut.http.filter.HttpServerFilter
    public Publisher<MutableHttpResponse<?>> doFilter(HttpRequest<?> httpRequest, ServerFilterChain serverFilterChain) {
        String orElse = httpRequest.getHeaders().getOrigin().orElse(null);
        if (orElse == null) {
            LOG.trace("Http Header Origin not present. Proceeding with the request.");
            return serverFilterChain.proceed(httpRequest);
        }
        CorsOriginConfiguration orElse2 = getConfiguration(orElse).orElse(null);
        if (orElse2 == null) {
            if (shouldDenyToPreventDriveByLocalhostAttack(orElse, httpRequest)) {
                LOG.trace("the request specifies an origin different than localhost. To prevent drive-by-localhost attacks the request is forbidden");
                return forbidden();
            }
            LOG.trace("CORS configuration not found for {} origin", orElse);
            return serverFilterChain.proceed(httpRequest);
        }
        if (CorsUtil.isPreflightRequest(httpRequest)) {
            return handlePreflightRequest(httpRequest, serverFilterChain, orElse2);
        }
        if (!validateMethodToMatch(httpRequest, orElse2).isPresent()) {
            return forbidden();
        }
        if (!shouldDenyToPreventDriveByLocalhostAttack(orElse2, httpRequest)) {
            return Publishers.then(serverFilterChain.proceed(httpRequest), mutableHttpResponse -> {
                decorateResponseWithHeaders(httpRequest, mutableHttpResponse, orElse2);
            });
        }
        LOG.trace("The resolved configuration allows any origin. To prevent drive-by-localhost attacks the request is forbidden");
        return forbidden();
    }

    protected boolean shouldDenyToPreventDriveByLocalhostAttack(@NonNull CorsOriginConfiguration corsOriginConfiguration, @NonNull HttpRequest<?> httpRequest) {
        String orElse;
        if (this.corsConfiguration.isLocalhostPassThrough() || this.httpHostResolver == null || (orElse = httpRequest.getHeaders().getOrigin().orElse(null)) == null || isOriginLocal(orElse)) {
            return false;
        }
        return isAny(corsOriginConfiguration.getAllowedOrigins()) && isHostLocal(this.httpHostResolver.resolve(httpRequest));
    }

    protected boolean shouldDenyToPreventDriveByLocalhostAttack(@NonNull String str, @NonNull HttpRequest<?> httpRequest) {
        if (this.corsConfiguration.isLocalhostPassThrough() || this.httpHostResolver == null) {
            return false;
        }
        return !isOriginLocal(str) && isHostLocal(this.httpHostResolver.resolve(httpRequest));
    }

    private boolean isHostLocal(@NonNull String str) {
        if (str.isEmpty()) {
            return false;
        }
        char charAt = str.charAt(0);
        if (charAt == 'h' || charAt == 'w') {
            return str.startsWith("http://localhost") || str.startsWith("https://localhost") || str.startsWith("http://127.") || str.startsWith("https://127.") || str.startsWith("ws://localhost") || str.startsWith("wss://localhost") || str.startsWith("ws://127.") || str.startsWith("wss://127.");
        }
        return false;
    }

    private boolean isOriginLocal(@NonNull String str) {
        try {
            String host = URI.create(str).getHost();
            if (!"localhost".equals(host)) {
                if (!Protocol.DEFAULT_HOST.equals(host)) {
                    return false;
                }
            }
            return true;
        } catch (IllegalArgumentException e) {
            return false;
        }
    }

    @Override // io.micronaut.core.order.Ordered
    public int getOrder() {
        return ServerFilterPhase.METRICS.after();
    }

    @Deprecated
    protected void handleResponse(HttpRequest<?> httpRequest, MutableHttpResponse<?> mutableHttpResponse) {
    }

    @Deprecated
    protected Optional<MutableHttpResponse<?>> handleRequest(HttpRequest httpRequest) {
        return Optional.empty();
    }

    @NonNull
    private Optional<HttpMethod> validateMethodToMatch(@NonNull HttpRequest<?> httpRequest, @NonNull CorsOriginConfiguration corsOriginConfiguration) {
        HttpMethod methodToMatch = methodToMatch(httpRequest);
        return !methodAllowed(corsOriginConfiguration, methodToMatch) ? Optional.empty() : Optional.of(methodToMatch);
    }

    protected void setAllowCredentials(CorsOriginConfiguration corsOriginConfiguration, MutableHttpResponse<?> mutableHttpResponse) {
        if (corsOriginConfiguration.isAllowCredentials()) {
            mutableHttpResponse.header((CharSequence) "Access-Control-Allow-Credentials", (CharSequence) Boolean.toString(true));
        }
    }

    protected void setExposeHeaders(List<String> list, MutableHttpResponse<?> mutableHttpResponse) {
        if (!this.corsConfiguration.isSingleHeader()) {
            list.forEach(str -> {
                mutableHttpResponse.header("Access-Control-Expose-Headers", (CharSequence) str);
            });
            return;
        }
        String join = String.join(",", list);
        if (StringUtils.isNotEmpty(join)) {
            mutableHttpResponse.header((CharSequence) "Access-Control-Expose-Headers", (CharSequence) join);
        }
    }

    protected void setVary(MutableHttpResponse<?> mutableHttpResponse) {
        mutableHttpResponse.header((CharSequence) "Vary", (CharSequence) "Origin");
    }

    protected void setOrigin(@Nullable String str, @NonNull MutableHttpResponse<?> mutableHttpResponse) {
        if (str != null) {
            mutableHttpResponse.header((CharSequence) "Access-Control-Allow-Origin", (CharSequence) str);
        }
    }

    protected void setAllowMethods(HttpMethod httpMethod, MutableHttpResponse<?> mutableHttpResponse) {
        mutableHttpResponse.header((CharSequence) "Access-Control-Allow-Methods", (CharSequence) httpMethod);
    }

    protected void setAllowHeaders(List<?> list, MutableHttpResponse<?> mutableHttpResponse) {
        List list2 = (List) list.stream().map((v0) -> {
            return v0.toString();
        }).collect(Collectors.toList());
        if (!this.corsConfiguration.isSingleHeader()) {
            list2.stream().map(StringUtils::trimLeadingWhitespace).forEach(str -> {
                mutableHttpResponse.header("Access-Control-Allow-Headers", (CharSequence) str);
            });
            return;
        }
        String join = String.join(",", list2);
        if (StringUtils.isNotEmpty(join)) {
            mutableHttpResponse.header((CharSequence) "Access-Control-Allow-Headers", (CharSequence) join);
        }
    }

    protected void setMaxAge(long j, MutableHttpResponse<?> mutableHttpResponse) {
        if (j > -1) {
            mutableHttpResponse.header((CharSequence) "Access-Control-Max-Age", (CharSequence) Long.toString(j));
        }
    }

    @NonNull
    private Optional<CorsOriginConfiguration> getConfiguration(@NonNull String str) {
        return !this.corsConfiguration.isEnabled() ? Optional.empty() : this.corsConfiguration.getConfigurations().values().stream().filter(corsOriginConfiguration -> {
            List<String> allowedOrigins = corsOriginConfiguration.getAllowedOrigins();
            return !allowedOrigins.isEmpty() && (isAny(allowedOrigins) || allowedOrigins.stream().anyMatch(str2 -> {
                return matchesOrigin(str2, str);
            }));
        }).findFirst();
    }

    private boolean matchesOrigin(@NonNull String str, @NonNull String str2) {
        if (str.equals(str2)) {
            return true;
        }
        return Pattern.compile(str).matcher(str2).matches();
    }

    private boolean isAny(List<String> list) {
        return list == CorsOriginConfiguration.ANY;
    }

    private boolean isAnyMethod(List<HttpMethod> list) {
        return list == CorsOriginConfiguration.ANY_METHOD;
    }

    private boolean methodAllowed(@NonNull CorsOriginConfiguration corsOriginConfiguration, @NonNull HttpMethod httpMethod) {
        List<HttpMethod> allowedMethods = corsOriginConfiguration.getAllowedMethods();
        return isAnyMethod(allowedMethods) || allowedMethods.stream().anyMatch(httpMethod2 -> {
            return httpMethod2.equals(httpMethod);
        });
    }

    @NonNull
    private HttpMethod methodToMatch(@NonNull HttpRequest<?> httpRequest) {
        HttpMethod method = httpRequest.getMethod();
        return CorsUtil.isPreflightRequest(httpRequest) ? (HttpMethod) httpRequest.getHeaders().getFirst("Access-Control-Request-Method", CONVERSION_CONTEXT_HTTP_METHOD).orElse(method) : method;
    }

    private boolean hasAllowedHeaders(@NonNull HttpRequest<?> httpRequest, @NonNull CorsOriginConfiguration corsOriginConfiguration) {
        Optional<T> optional = httpRequest.getHeaders().get((HttpHeaders) "Access-Control-Request-Headers", (ArgumentConversionContext) ConversionContext.LIST_OF_STRING);
        List<String> allowedHeaders = corsOriginConfiguration.getAllowedHeaders();
        return isAny(allowedHeaders) || (optional.isPresent() && ((List) optional.get()).stream().allMatch(str -> {
            return allowedHeaders.stream().anyMatch(str -> {
                return str.equalsIgnoreCase(str.trim());
            });
        }));
    }

    @NotNull
    private static Publisher<MutableHttpResponse<?>> forbidden() {
        return Publishers.just(HttpResponse.status(HttpStatus.FORBIDDEN));
    }

    @NonNull
    private void decorateResponseWithHeadersForPreflightRequest(@NonNull HttpRequest<?> httpRequest, @NonNull MutableHttpResponse<?> mutableHttpResponse, @NonNull CorsOriginConfiguration corsOriginConfiguration) {
        HttpHeaders headers = httpRequest.getHeaders();
        headers.getFirst("Access-Control-Request-Method", CONVERSION_CONTEXT_HTTP_METHOD).ifPresent(httpMethod -> {
            setAllowMethods(httpMethod, mutableHttpResponse);
        });
        headers.get((HttpHeaders) "Access-Control-Request-Headers", (ArgumentConversionContext) ConversionContext.LIST_OF_STRING).ifPresent(list -> {
            setAllowHeaders(list, mutableHttpResponse);
        });
        setMaxAge(corsOriginConfiguration.getMaxAge().longValue(), mutableHttpResponse);
    }

    @NonNull
    private void decorateResponseWithHeaders(@NonNull HttpRequest<?> httpRequest, @NonNull MutableHttpResponse<?> mutableHttpResponse, @NonNull CorsOriginConfiguration corsOriginConfiguration) {
        setOrigin(httpRequest.getHeaders().getOrigin().orElse(null), mutableHttpResponse);
        setVary(mutableHttpResponse);
        setExposeHeaders(corsOriginConfiguration.getExposedHeaders(), mutableHttpResponse);
        setAllowCredentials(corsOriginConfiguration, mutableHttpResponse);
    }

    @NonNull
    private Publisher<MutableHttpResponse<?>> handlePreflightRequest(@NonNull HttpRequest<?> httpRequest, @NonNull ServerFilterChain serverFilterChain, @NonNull CorsOriginConfiguration corsOriginConfiguration) {
        Optional<HttpStatus> validatePreflightRequest = validatePreflightRequest(httpRequest, corsOriginConfiguration);
        if (!validatePreflightRequest.isPresent()) {
            return Publishers.then(serverFilterChain.proceed(httpRequest), mutableHttpResponse -> {
                decorateResponseWithHeadersForPreflightRequest(httpRequest, mutableHttpResponse, corsOriginConfiguration);
                decorateResponseWithHeaders(httpRequest, mutableHttpResponse, corsOriginConfiguration);
            });
        }
        HttpStatus httpStatus = validatePreflightRequest.get();
        if (httpStatus.getCode() >= 400) {
            return Publishers.just(HttpResponse.status(httpStatus));
        }
        MutableHttpResponse<?> status = HttpResponse.status(httpStatus);
        decorateResponseWithHeadersForPreflightRequest(httpRequest, status, corsOriginConfiguration);
        decorateResponseWithHeaders(httpRequest, status, corsOriginConfiguration);
        return Publishers.just(status);
    }

    @NonNull
    private Optional<HttpStatus> validatePreflightRequest(@NonNull HttpRequest<?> httpRequest, @NonNull CorsOriginConfiguration corsOriginConfiguration) {
        Optional<HttpMethod> validateMethodToMatch = validateMethodToMatch(httpRequest, corsOriginConfiguration);
        if (!validateMethodToMatch.isPresent()) {
            return Optional.of(HttpStatus.FORBIDDEN);
        }
        HttpMethod httpMethod = validateMethodToMatch.get();
        Optional<T> attribute = httpRequest.getAttribute(HttpAttributes.AVAILABLE_HTTP_METHODS, new ArrayList().getClass());
        return (CorsUtil.isPreflightRequest(httpRequest) && attribute.isPresent() && ((ArrayList) attribute.get()).stream().anyMatch(httpMethod2 -> {
            return httpMethod2.equals(httpMethod);
        })) ? !hasAllowedHeaders(httpRequest, corsOriginConfiguration) ? Optional.of(HttpStatus.FORBIDDEN) : Optional.of(HttpStatus.OK) : Optional.empty();
    }
}
