package io.apiman.common.servlet;

import io.apiman.common.config.ConfigFactory;
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.configuration.Configuration;

/* loaded from: input_file:io/apiman/common/servlet/ApimanCorsFilter.class */
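/**
 * Servlet filter that adds CORS response headers for requests carrying an {@code Origin} header.
 *
 * <p>The set of allowed origins is read once per filter instance from the system property
 * {@value #MANAGER_UI_ALLOWED_CORS_ORIGINS}, falling back to the same key in {@link #config} and
 * finally to {@code "*"}. The value is a comma-separated list; entries are trimmed individually
 * and empty entries are ignored.
 *
 * <p>NOTE(security): the filter echoes the request's {@code Origin} back in
 * {@code Access-Control-Allow-Origin} and always sends
 * {@code Access-Control-Allow-Credentials: true}. With the default {@code "*"} this means every
 * origin is granted credentialed cross-origin access. Deployments that authenticate with cookies
 * or other ambient credentials should configure an explicit origin list instead of relying on
 * the default. The wildcard behaviour is kept here for backward compatibility.
 */
public class ApimanCorsFilter implements Filter {
    public static final Configuration config = ConfigFactory.createConfig();
    public static final String MANAGER_UI_ALLOWED_CORS_ORIGINS = "apiman-manager-ui.allowed-cors-origins";

    private static final String WILDCARD = "*";
    private static final String ORIGIN_HEADER = "Origin";
    private static final String EXPOSED_HEADERS = "X-Apiman-Error,Total-Count,X-Total-Count";

    private final HashSet<String> allowedCorsOrigins = parseAllowedOrigins(
            System.getProperty(MANAGER_UI_ALLOWED_CORS_ORIGINS, config.getString(MANAGER_UI_ALLOWED_CORS_ORIGINS, WILDCARD)));

    /** No initialisation is required; the origin list is resolved when the filter is constructed. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /**
     * Adds CORS headers when the request's origin is allowed, answers preflight requests directly
     * and otherwise hands the request to the rest of the chain.
     *
     * @param servletRequest the incoming request
     * @param servletResponse the response being built
     * @param filterChain the remaining filters and the target resource
     * @throws IOException if a downstream filter or resource fails with an I/O error
     * @throws ServletException if a downstream filter or resource fails
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        // CORS is an HTTP concept; pass anything else through untouched instead of failing on a cast.
        if (!(servletRequest instanceof HttpServletRequest) || !(servletResponse instanceof HttpServletResponse)) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;

        if (hasOriginHeader(request) && originIsAllowed(request)) {
            applyCommonCorsHeaders(response, request.getHeader(ORIGIN_HEADER).trim());
            if (isOptionsMethod(request)) {
                // Preflight: answer here and do not invoke the rest of the chain.
                response.setHeader("Access-Control-Max-Age", "1800");
                response.setHeader("Access-Control-Allow-Methods", "DELETE,GET,HEAD,PATCH,POST,PUT");
                response.setHeader("Access-Control-Allow-Headers", "X-Requested-With,Content-Type,Accept,Origin,Authorization");
                return;
            }
        }
        // Requests without an Origin header, or from an origin that is not allowed, continue
        // without CORS headers; the browser then blocks the cross-origin read.
        filterChain.doFilter(request, response);
    }

    /**
     * Writes the headers shared by preflight and actual responses.
     *
     * @param response the response to decorate
     * @param origin the already validated and trimmed request origin
     */
    private void applyCommonCorsHeaders(HttpServletResponse response, String origin) {
        response.setHeader("Access-Control-Allow-Origin", origin);
        // The allowed origin is echoed per request, so the response always depends on Origin,
        // including in wildcard mode. Without Vary a shared cache could serve a response bearing
        // one site's Access-Control-Allow-Origin to another. addHeader keeps any existing Vary.
        response.addHeader("Vary", ORIGIN_HEADER);
        response.setHeader("Access-Control-Allow-Credentials", "true");
        response.setHeader("Access-Control-Expose-Headers", EXPOSED_HEADERS);
    }

    /**
     * Splits the configured comma-separated origin list into a set.
     *
     * @param rawOrigins the configured value, may be {@code null}
     * @return the trimmed, non-empty entries; empty when nothing usable is configured
     */
    private static HashSet<String> parseAllowedOrigins(String rawOrigins) {
        HashSet<String> origins = new HashSet<>();
        if (rawOrigins == null) {
            return origins;
        }
        for (String entry : rawOrigins.split(",")) {
            // Trim each entry: "https://a.example, https://b.example" must match both origins.
            String trimmed = entry.trim();
            if (!trimmed.isEmpty()) {
                origins.add(trimmed);
            }
        }
        return origins;
    }

    /**
     * @param httpServletRequest the request to check
     * @return {@code true} if the wildcard is configured or the request's trimmed {@code Origin}
     *         matches a configured entry exactly (comparison is case-sensitive)
     */
    private boolean originIsAllowed(HttpServletRequest httpServletRequest) {
        if (this.allowedCorsOrigins.contains(WILDCARD)) {
            return true;
        }
        String origin = httpServletRequest.getHeader(ORIGIN_HEADER);
        return origin != null && this.allowedCorsOrigins.contains(origin.trim());
    }

    /** @return {@code true} if the request method is {@code OPTIONS} */
    private boolean isOptionsMethod(HttpServletRequest httpServletRequest) {
        return "OPTIONS".equals(httpServletRequest.getMethod());
    }

    /** @return {@code true} if the request has a non-blank {@code Origin} header */
    private boolean hasOriginHeader(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader(ORIGIN_HEADER);
        return header != null && header.trim().length() > 0;
    }

    /** Nothing to release. */
    @Override
    public void destroy() {
    }
}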
