package org.apache.catalina.filters;

import java.io.IOException;
import java.io.ObjectInputStream;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Locale;
import java.util.Set;
import javax.servlet.FilterChain;
import javax.servlet.GenericFilter;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.http.client.methods.HttpOptions;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
import org.apache.tomcat.util.http.RequestUtil;
import org.apache.tomcat.util.http.ResponseUtil;
import org.apache.tomcat.util.res.StringManager;

/* loaded from: input_file:BOOT-INF/lib/tomcat-embed-core-9.0.71.jar:org/apache/catalina/filters/CorsFilter.class */
public class CorsFilter extends GenericFilter {
    private static final long serialVersionUID = 1;
    private boolean anyOriginAllowed;
    private boolean supportsCredentials;
    private long preflightMaxAge;
    private boolean decorateRequest;
    public static final String RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_ORIGIN = "Access-Control-Allow-Origin";
    public static final String RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS = "Access-Control-Allow-Credentials";
    public static final String RESPONSE_HEADER_ACCESS_CONTROL_EXPOSE_HEADERS = "Access-Control-Expose-Headers";
    public static final String RESPONSE_HEADER_ACCESS_CONTROL_MAX_AGE = "Access-Control-Max-Age";
    public static final String RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_METHODS = "Access-Control-Allow-Methods";
    public static final String RESPONSE_HEADER_ACCESS_CONTROL_ALLOW_HEADERS = "Access-Control-Allow-Headers";

    @Deprecated
    public static final String REQUEST_HEADER_VARY = "Vary";
    public static final String REQUEST_HEADER_ORIGIN = "Origin";
    public static final String REQUEST_HEADER_ACCESS_CONTROL_REQUEST_METHOD = "Access-Control-Request-Method";
    public static final String REQUEST_HEADER_ACCESS_CONTROL_REQUEST_HEADERS = "Access-Control-Request-Headers";
    public static final String HTTP_REQUEST_ATTRIBUTE_PREFIX = "cors.";
    public static final String HTTP_REQUEST_ATTRIBUTE_ORIGIN = "cors.request.origin";
    public static final String HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST = "cors.isCorsRequest";
    public static final String HTTP_REQUEST_ATTRIBUTE_REQUEST_TYPE = "cors.request.type";
    public static final String HTTP_REQUEST_ATTRIBUTE_REQUEST_HEADERS = "cors.request.headers";
    public static final String DEFAULT_ALLOWED_ORIGINS = "";
    public static final String DEFAULT_ALLOWED_HTTP_METHODS = "GET,POST,HEAD,OPTIONS";
    public static final String DEFAULT_PREFLIGHT_MAXAGE = "1800";
    public static final String DEFAULT_SUPPORTS_CREDENTIALS = "false";
    public static final String DEFAULT_ALLOWED_HTTP_HEADERS = "Origin,Accept,X-Requested-With,Content-Type,Access-Control-Request-Method,Access-Control-Request-Headers";
    public static final String DEFAULT_EXPOSED_HEADERS = "";
    public static final String DEFAULT_DECORATE_REQUEST = "true";
    public static final String PARAM_CORS_ALLOWED_ORIGINS = "cors.allowed.origins";
    public static final String PARAM_CORS_SUPPORT_CREDENTIALS = "cors.support.credentials";
    public static final String PARAM_CORS_EXPOSED_HEADERS = "cors.exposed.headers";
    public static final String PARAM_CORS_ALLOWED_HEADERS = "cors.allowed.headers";
    public static final String PARAM_CORS_ALLOWED_METHODS = "cors.allowed.methods";
    public static final String PARAM_CORS_PREFLIGHT_MAXAGE = "cors.preflight.maxage";
    public static final String PARAM_CORS_REQUEST_DECORATE = "cors.request.decorate";
    private static final StringManager sm = StringManager.getManager((Class<?>) CorsFilter.class);
    public static final Collection<String> SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES = Collections.unmodifiableSet(new HashSet(Arrays.asList("application/x-www-form-urlencoded", "multipart/form-data", "text/plain")));
    private transient Log log = LogFactory.getLog((Class<?>) CorsFilter.class);
    private final Collection<String> allowedOrigins = new HashSet();
    private final Collection<String> allowedHttpMethods = new HashSet();
    private final Collection<String> allowedHttpHeaders = new HashSet();
    private final Collection<String> exposedHeaders = new HashSet();

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:BOOT-INF/lib/tomcat-embed-core-9.0.71.jar:org/apache/catalina/filters/CorsFilter$CORSRequestType.class */
    public enum CORSRequestType {
        SIMPLE,
        ACTUAL,
        PRE_FLIGHT,
        NOT_CORS,
        INVALID_CORS
    }

    @Override // javax.servlet.Filter
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (!(servletRequest instanceof HttpServletRequest) || !(servletResponse instanceof HttpServletResponse)) {
            throw new ServletException(sm.getString("corsFilter.onlyHttp"));
        }
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        CORSRequestType checkRequestType = checkRequestType(httpServletRequest);
        if (isDecorateRequest()) {
            decorateCORSProperties(httpServletRequest, checkRequestType);
        }
        switch (checkRequestType) {
            case SIMPLE:
            case ACTUAL:
                handleSimpleCORS(httpServletRequest, httpServletResponse, filterChain);
                return;
            case PRE_FLIGHT:
                handlePreflightCORS(httpServletRequest, httpServletResponse, filterChain);
                return;
            case NOT_CORS:
                handleNonCORS(httpServletRequest, httpServletResponse, filterChain);
                return;
            default:
                handleInvalidCORS(httpServletRequest, httpServletResponse, filterChain);
                return;
        }
    }

    @Override // javax.servlet.GenericFilter
    public void init() throws ServletException {
        parseAndStore(getInitParameter(PARAM_CORS_ALLOWED_ORIGINS, ""), getInitParameter(PARAM_CORS_ALLOWED_METHODS, DEFAULT_ALLOWED_HTTP_METHODS), getInitParameter(PARAM_CORS_ALLOWED_HEADERS, DEFAULT_ALLOWED_HTTP_HEADERS), getInitParameter(PARAM_CORS_EXPOSED_HEADERS, ""), getInitParameter(PARAM_CORS_SUPPORT_CREDENTIALS, "false"), getInitParameter(PARAM_CORS_PREFLIGHT_MAXAGE, DEFAULT_PREFLIGHT_MAXAGE), getInitParameter(PARAM_CORS_REQUEST_DECORATE, "true"));
    }

    private String getInitParameter(String str, String str2) {
        String initParameter = getInitParameter(str);
        return initParameter != null ? initParameter : str2;
    }

    protected void handleSimpleCORS(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException, ServletException {
        CORSRequestType checkRequestType = checkRequestType(httpServletRequest);
        if (checkRequestType != CORSRequestType.SIMPLE && checkRequestType != CORSRequestType.ACTUAL) {
            throw new IllegalArgumentException(sm.getString("corsFilter.wrongType2", CORSRequestType.SIMPLE, CORSRequestType.ACTUAL));
        }
        String header = httpServletRequest.getHeader("Origin");
        String method = httpServletRequest.getMethod();
        if (!isOriginAllowed(header)) {
            handleInvalidCORS(httpServletRequest, httpServletResponse, filterChain);
        } else if (!getAllowedHttpMethods().contains(method)) {
            handleInvalidCORS(httpServletRequest, httpServletResponse, filterChain);
        } else {
            addStandardHeaders(httpServletRequest, httpServletResponse);
            filterChain.doFilter(httpServletRequest, httpServletResponse);
        }
    }

    protected void handlePreflightCORS(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (checkRequestType(httpServletRequest) != CORSRequestType.PRE_FLIGHT) {
            throw new IllegalArgumentException(sm.getString("corsFilter.wrongType1", CORSRequestType.PRE_FLIGHT.name().toLowerCase(Locale.ENGLISH)));
        }
        if (!isOriginAllowed(httpServletRequest.getHeader("Origin"))) {
            handleInvalidCORS(httpServletRequest, httpServletResponse, filterChain);
            return;
        }
        String header = httpServletRequest.getHeader("Access-Control-Request-Method");
        if (header == null) {
            handleInvalidCORS(httpServletRequest, httpServletResponse, filterChain);
            return;
        }
        String trim = header.trim();
        String header2 = httpServletRequest.getHeader("Access-Control-Request-Headers");
        ArrayList arrayList = new ArrayList();
        if (header2 != null && !header2.trim().isEmpty()) {
            for (String str : header2.trim().split(",")) {
                arrayList.add(str.trim().toLowerCase(Locale.ENGLISH));
            }
        }
        if (!getAllowedHttpMethods().contains(trim)) {
            handleInvalidCORS(httpServletRequest, httpServletResponse, filterChain);
            return;
        }
        if (!arrayList.isEmpty()) {
            Iterator it = arrayList.iterator();
            while (it.hasNext()) {
                if (!getAllowedHttpHeaders().contains((String) it.next())) {
                    handleInvalidCORS(httpServletRequest, httpServletResponse, filterChain);
                    return;
                }
            }
        }
        addStandardHeaders(httpServletRequest, httpServletResponse);
    }

    private void handleNonCORS(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws IOException, ServletException {
        addStandardHeaders(httpServletRequest, httpServletResponse);
        filterChain.doFilter(httpServletRequest, httpServletResponse);
    }

    private void handleInvalidCORS(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) {
        String header = httpServletRequest.getHeader("Origin");
        String method = httpServletRequest.getMethod();
        String header2 = httpServletRequest.getHeader("Access-Control-Request-Headers");
        httpServletResponse.setContentType("text/plain");
        httpServletResponse.setStatus(403);
        httpServletResponse.resetBuffer();
        if (this.log.isDebugEnabled()) {
            StringBuilder sb = new StringBuilder("Invalid CORS request; Origin=");
            sb.append(header);
            sb.append(";Method=");
            sb.append(method);
            if (header2 != null) {
                sb.append(";Access-Control-Request-Headers=");
                sb.append(header2);
            }
            this.log.debug(sb.toString());
        }
    }

    private void addStandardHeaders(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String method = httpServletRequest.getMethod();
        String header = httpServletRequest.getHeader("Origin");
        boolean isAnyOriginAllowed = isAnyOriginAllowed();
        if (!isAnyOriginAllowed) {
            ResponseUtil.addVaryFieldName(httpServletResponse, "Origin");
        }
        if (isAnyOriginAllowed) {
            httpServletResponse.addHeader("Access-Control-Allow-Origin", "*");
        } else {
            httpServletResponse.addHeader("Access-Control-Allow-Origin", header);
        }
        if (isSupportsCredentials()) {
            httpServletResponse.addHeader("Access-Control-Allow-Credentials", "true");
        }
        Collection<String> exposedHeaders = getExposedHeaders();
        if (exposedHeaders != null && exposedHeaders.size() > 0) {
            httpServletResponse.addHeader("Access-Control-Expose-Headers", join(exposedHeaders, ","));
        }
        if (HttpOptions.METHOD_NAME.equals(method)) {
            ResponseUtil.addVaryFieldName(httpServletResponse, "Access-Control-Request-Method");
            ResponseUtil.addVaryFieldName(httpServletResponse, "Access-Control-Request-Headers");
            long preflightMaxAge = getPreflightMaxAge();
            if (preflightMaxAge > 0) {
                httpServletResponse.addHeader("Access-Control-Max-Age", String.valueOf(preflightMaxAge));
            }
            Collection<String> allowedHttpMethods = getAllowedHttpMethods();
            if (allowedHttpMethods != null && !allowedHttpMethods.isEmpty()) {
                httpServletResponse.addHeader("Access-Control-Allow-Methods", join(allowedHttpMethods, ","));
            }
            Collection<String> allowedHttpHeaders = getAllowedHttpHeaders();
            if (allowedHttpHeaders == null || allowedHttpHeaders.isEmpty()) {
                return;
            }
            httpServletResponse.addHeader("Access-Control-Allow-Headers", join(allowedHttpHeaders, ","));
        }
    }

    protected static void decorateCORSProperties(HttpServletRequest httpServletRequest, CORSRequestType cORSRequestType) {
        if (httpServletRequest == null) {
            throw new IllegalArgumentException(sm.getString("corsFilter.nullRequest"));
        }
        if (cORSRequestType == null) {
            throw new IllegalArgumentException(sm.getString("corsFilter.nullRequestType"));
        }
        switch (cORSRequestType) {
            case SIMPLE:
            case ACTUAL:
                httpServletRequest.setAttribute(HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST, Boolean.TRUE);
                httpServletRequest.setAttribute(HTTP_REQUEST_ATTRIBUTE_ORIGIN, httpServletRequest.getHeader("Origin"));
                httpServletRequest.setAttribute(HTTP_REQUEST_ATTRIBUTE_REQUEST_TYPE, cORSRequestType.name().toLowerCase(Locale.ENGLISH));
                return;
            case PRE_FLIGHT:
                httpServletRequest.setAttribute(HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST, Boolean.TRUE);
                httpServletRequest.setAttribute(HTTP_REQUEST_ATTRIBUTE_ORIGIN, httpServletRequest.getHeader("Origin"));
                httpServletRequest.setAttribute(HTTP_REQUEST_ATTRIBUTE_REQUEST_TYPE, cORSRequestType.name().toLowerCase(Locale.ENGLISH));
                String header = httpServletRequest.getHeader("Access-Control-Request-Headers");
                if (header == null) {
                    header = "";
                }
                httpServletRequest.setAttribute(HTTP_REQUEST_ATTRIBUTE_REQUEST_HEADERS, header);
                return;
            case NOT_CORS:
                httpServletRequest.setAttribute(HTTP_REQUEST_ATTRIBUTE_IS_CORS_REQUEST, Boolean.FALSE);
                return;
            default:
                return;
        }
    }

    protected static String join(Collection<String> collection, String str) {
        if (collection == null) {
            return null;
        }
        String str2 = str != null ? str : ",";
        StringBuilder sb = new StringBuilder();
        boolean z = true;
        for (String str3 : collection) {
            if (z) {
                z = false;
            } else {
                sb.append(str2);
            }
            if (str3 != null) {
                sb.append(str3);
            }
        }
        return sb.toString();
    }

    protected CORSRequestType checkRequestType(HttpServletRequest httpServletRequest) {
        CORSRequestType cORSRequestType = CORSRequestType.INVALID_CORS;
        if (httpServletRequest == null) {
            throw new IllegalArgumentException(sm.getString("corsFilter.nullRequest"));
        }
        String header = httpServletRequest.getHeader("Origin");
        if (header == null) {
            cORSRequestType = CORSRequestType.NOT_CORS;
        } else if (header.isEmpty()) {
            cORSRequestType = CORSRequestType.INVALID_CORS;
        } else if (!RequestUtil.isValidOrigin(header)) {
            cORSRequestType = CORSRequestType.INVALID_CORS;
        } else {
            if (RequestUtil.isSameOrigin(httpServletRequest, header)) {
                return CORSRequestType.NOT_CORS;
            }
            String method = httpServletRequest.getMethod();
            if (method != null) {
                if (HttpOptions.METHOD_NAME.equals(method)) {
                    String header2 = httpServletRequest.getHeader("Access-Control-Request-Method");
                    cORSRequestType = (header2 == null || header2.isEmpty()) ? (header2 == null || !header2.isEmpty()) ? CORSRequestType.ACTUAL : CORSRequestType.INVALID_CORS : CORSRequestType.PRE_FLIGHT;
                } else if ("GET".equals(method) || "HEAD".equals(method)) {
                    cORSRequestType = CORSRequestType.SIMPLE;
                } else if ("POST".equals(method)) {
                    String mediaType = getMediaType(httpServletRequest.getContentType());
                    if (mediaType != null) {
                        cORSRequestType = SIMPLE_HTTP_REQUEST_CONTENT_TYPE_VALUES.contains(mediaType) ? CORSRequestType.SIMPLE : CORSRequestType.ACTUAL;
                    }
                } else {
                    cORSRequestType = CORSRequestType.ACTUAL;
                }
            }
        }
        return cORSRequestType;
    }

    private String getMediaType(String str) {
        if (str == null) {
            return null;
        }
        String lowerCase = str.toLowerCase(Locale.ENGLISH);
        int indexOf = lowerCase.indexOf(59);
        if (indexOf > -1) {
            lowerCase = lowerCase.substring(0, indexOf);
        }
        return lowerCase.trim();
    }

    private boolean isOriginAllowed(String str) {
        if (isAnyOriginAllowed()) {
            return true;
        }
        return getAllowedOrigins().contains(str);
    }

    private void parseAndStore(String str, String str2, String str3, String str4, String str5, String str6, String str7) throws ServletException {
        if (str.trim().equals("*")) {
            this.anyOriginAllowed = true;
        } else {
            this.anyOriginAllowed = false;
            Set<String> parseStringToSet = parseStringToSet(str);
            this.allowedOrigins.clear();
            this.allowedOrigins.addAll(parseStringToSet);
        }
        Set<String> parseStringToSet2 = parseStringToSet(str2);
        this.allowedHttpMethods.clear();
        this.allowedHttpMethods.addAll(parseStringToSet2);
        Set<String> parseStringToSet3 = parseStringToSet(str3);
        HashSet hashSet = new HashSet();
        Iterator<String> it = parseStringToSet3.iterator();
        while (it.hasNext()) {
            hashSet.add(it.next().toLowerCase(Locale.ENGLISH));
        }
        this.allowedHttpHeaders.clear();
        this.allowedHttpHeaders.addAll(hashSet);
        Set<String> parseStringToSet4 = parseStringToSet(str4);
        this.exposedHeaders.clear();
        this.exposedHeaders.addAll(parseStringToSet4);
        this.supportsCredentials = Boolean.parseBoolean(str5);
        if (this.supportsCredentials && this.anyOriginAllowed) {
            throw new ServletException(sm.getString("corsFilter.invalidSupportsCredentials"));
        }
        try {
            if (str6.isEmpty()) {
                this.preflightMaxAge = 0L;
            } else {
                this.preflightMaxAge = Long.parseLong(str6);
            }
            this.decorateRequest = Boolean.parseBoolean(str7);
        } catch (NumberFormatException e) {
            throw new ServletException(sm.getString("corsFilter.invalidPreflightMaxAge"), e);
        }
    }

    private Set<String> parseStringToSet(String str) {
        String[] split = (str == null || str.length() <= 0) ? new String[0] : str.split(",");
        HashSet hashSet = new HashSet();
        if (split.length > 0) {
            for (String str2 : split) {
                hashSet.add(str2.trim());
            }
        }
        return hashSet;
    }

    @Deprecated
    protected static boolean isValidOrigin(String str) {
        return RequestUtil.isValidOrigin(str);
    }

    public boolean isAnyOriginAllowed() {
        return this.anyOriginAllowed;
    }

    public Collection<String> getExposedHeaders() {
        return this.exposedHeaders;
    }

    public boolean isSupportsCredentials() {
        return this.supportsCredentials;
    }

    public long getPreflightMaxAge() {
        return this.preflightMaxAge;
    }

    public Collection<String> getAllowedOrigins() {
        return this.allowedOrigins;
    }

    public Collection<String> getAllowedHttpMethods() {
        return this.allowedHttpMethods;
    }

    public Collection<String> getAllowedHttpHeaders() {
        return this.allowedHttpHeaders;
    }

    public boolean isDecorateRequest() {
        return this.decorateRequest;
    }

    private void readObject(ObjectInputStream objectInputStream) throws ClassNotFoundException, IOException {
        objectInputStream.defaultReadObject();
        this.log = LogFactory.getLog((Class<?>) CorsFilter.class);
    }
}
