package com.axelor.web.servlet;

import com.axelor.app.AppSettings;
import com.axelor.common.StringUtils;
import java.io.IOException;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;
import javax.inject.Singleton;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

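/**
 * Servlet filter that adds CORS response headers to cross-origin requests.
 *
 * <p>Allowed origins come from the {@code cors.allow.origin} setting, which is compiled as a
 * regular expression and matched against the whole {@code Origin} header value (the literal
 * {@code *} means any origin). When the setting is blank or does not compile, no CORS headers
 * are emitted and every request passes straight through the chain.
 *
 * <p>Security notes: {@code Origin} and {@code Host} are client-supplied headers, so this filter
 * is a browser-side policy, not an authentication control. The request's {@code Origin} is
 * reflected verbatim into {@code Access-Control-Allow-Origin} together with
 * {@code Access-Control-Allow-Credentials} (default {@code true}); with
 * {@code cors.allow.origin=*} this permits credentialed requests from any origin. Prefer an
 * explicit, anchored pattern with escaped dots (for example {@code https://app\.example\.com}),
 * since an unescaped {@code .} matches any character.
 */
@Singleton
public class CorsFilter implements Filter {
    private static final Logger LOG = LoggerFactory.getLogger(CorsFilter.class);

    private static final String CONTENT_TYPE_JSON = "application/json";
    /** Configuration value meaning "any origin". */
    private static final String DEFAULT_CORS_ALLOW_ORIGIN = "*";
    private static final String DEFAULT_CORS_ALLOW_CREDENTIALS = "true";
    private static final String DEFAULT_CORS_ALLOW_METHODS = "GET,PUT,POST,DELETE,HEAD,OPTIONS";
    private static final String DEFAULT_CORS_ALLOW_HEADERS =
            "Origin,Accept,X-Requested-With,Content-Type,Access-Control-Request-Method,Access-Control-Request-Headers";
    private static final String DEFAULT_EXPOSE_HEADERS = "";
    private static final String DEFAULT_CORS_MAX_AGE = "1728000";

    // Populated by init(). A null pattern means CORS handling is disabled.
    // The filter is a @Singleton, so instance fields are sufficient here.
    private Pattern corsOriginPattern;
    private String corsAllowOrigin;
    private String corsAllowCredentials;
    private String corsAllowMethods;
    private String corsAllowHeaders;
    private String corsExposeHeaders;
    private String corsMaxAge;

    /**
     * Wrapper that presents a request sent as {@code text/plain;json} to the rest of the chain as
     * {@code application/json}, presumably so that such bodies are still parsed as JSON
     * downstream (TODO confirm against the JSON consumers).
     */
    private static final class JsonRequest extends HttpServletRequestWrapper {
        JsonRequest(HttpServletRequest request) {
            super(request);
        }

        @Override
        public String getContentType() {
            return CONTENT_TYPE_JSON;
        }

        @Override
        public String getHeader(String name) {
            // Header names are case-insensitive; equalsIgnoreCase also tolerates a null name.
            return "content-type".equalsIgnoreCase(name) ? CONTENT_TYPE_JSON : super.getHeader(name);
        }
    }

    /**
     * Reads the CORS settings and compiles the origin pattern.
     *
     * <p>A blank {@code cors.allow.origin} or an unparsable pattern leaves
     * {@link #corsOriginPattern} null, which disables CORS handling: no headers are emitted and
     * requests pass through unchanged.
     *
     * @param filterConfig unused; settings come from {@link AppSettings}
     */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
        AppSettings settings = AppSettings.get();
        corsAllowOrigin = settings.get("cors.allow.origin");
        corsAllowCredentials = settings.get("cors.allow.credentials", DEFAULT_CORS_ALLOW_CREDENTIALS);
        corsAllowMethods = settings.get("cors.allow.methods", DEFAULT_CORS_ALLOW_METHODS);
        corsAllowHeaders = settings.get("cors.allow.headers", DEFAULT_CORS_ALLOW_HEADERS);
        corsExposeHeaders = settings.get("cors.expose.headers", DEFAULT_EXPOSE_HEADERS);
        corsMaxAge = settings.get("cors.max.age", DEFAULT_CORS_MAX_AGE);

        // Reset explicitly so a re-init never keeps a pattern from a previous configuration.
        corsOriginPattern = null;
        if (StringUtils.isBlank(corsAllowOrigin)) {
            return;
        }
        LOG.debug("CORS origin: {}", corsAllowOrigin);
        if (DEFAULT_CORS_ALLOW_ORIGIN.equals(corsAllowOrigin)) {
            corsOriginPattern = Pattern.compile(".*");
            return;
        }
        try {
            corsOriginPattern = Pattern.compile(corsAllowOrigin);
        } catch (PatternSyntaxException e) {
            // Do not guess at the operator's intent: log and leave CORS disabled.
            LOG.error("CORS origin pattern is invalid", e);
            corsAllowOrigin = null;
        }
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }

    /**
     * Returns whether the request is cross-origin: it carries an {@code Origin} header whose
     * value does not end with {@code "//" + host}.
     *
     * <p>Only the host (and port, when present in both headers) is compared; the scheme is not,
     * so an {@code http://} origin against an {@code https://} host is treated as same-origin.
     */
    private boolean isCrossOrigin(String origin, String host) {
        return !StringUtils.isBlank(origin) && !origin.endsWith("//" + host);
    }

    /**
     * Returns whether the given origin matches the configured pattern as a whole.
     * Callers must ensure {@link #corsOriginPattern} is non-null (see {@link #doFilter}).
     */
    private boolean isOriginAllowed(String origin) {
        return DEFAULT_CORS_ALLOW_ORIGIN.equals(corsAllowOrigin) || corsOriginPattern.matcher(origin).matches();
    }

    /** A CORS preflight is an OPTIONS request announcing the method it asks permission for. */
    private boolean isPreflight(HttpServletRequest request) {
        return "OPTIONS".equals(request.getMethod())
                && !StringUtils.isBlank(request.getHeader("Access-Control-Request-Method"));
    }

    private boolean isTextPlain(HttpServletRequest request) {
        return "text/plain;json".equals(request.getContentType());
    }

    /**
     * Applies the CORS policy.
     *
     * <ul>
     *   <li>CORS disabled or same-origin request: pass through untouched.
     *   <li>Cross-origin from a non-matching origin: respond 403 without invoking the chain.
     *   <li>Preflight from an allowed origin: answer 200 with the Allow-* headers; chain not invoked.
     *   <li>Other cross-origin request from an allowed origin: add the Allow-Origin, Allow-Credentials
     *       and (if configured) Expose-Headers headers, then continue the chain.
     * </ul>
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        String origin = request.getHeader("Origin");
        String host = request.getHeader("Host");

        if (corsOriginPattern == null || !isCrossOrigin(origin, host)) {
            chain.doFilter(servletRequest, servletResponse);
            return;
        }
        if (!isOriginAllowed(origin)) {
            // Rejected: no CORS headers are emitted, so a browser cannot read the response either.
            response.setStatus(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // The Origin value is reflected verbatim once it has matched the configured pattern.
        // NOTE(review): if responses may be cached by intermediaries, consider also emitting
        // "Vary: Origin" so a reflected value is not served to a different origin.
        response.addHeader("Access-Control-Allow-Origin", origin);
        response.addHeader("Access-Control-Allow-Credentials", corsAllowCredentials);
        if (isPreflight(request)) {
            response.addHeader("Access-Control-Allow-Methods", corsAllowMethods);
            response.addHeader("Access-Control-Allow-Headers", corsAllowHeaders);
            response.addHeader("Access-Control-Max-Age", corsMaxAge);
            response.setStatus(HttpServletResponse.SC_OK);
            return;
        }
        if (!StringUtils.isBlank(corsExposeHeaders)) {
            response.addHeader("Access-Control-Expose-Headers", corsExposeHeaders);
        }
        chain.doFilter(isTextPlain(request) ? new JsonRequest(request) : request, servletResponse);
    }
}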
