package io.vertigo.vega.plugins.rest.handler;

import io.vertigo.lang.Option;
import io.vertigo.vega.impl.rest.RestHandlerPlugin;
import io.vertigo.vega.rest.exception.SessionException;
import io.vertigo.vega.rest.exception.VSecurityException;
import io.vertigo.vega.rest.metamodel.EndPointDefinition;
import java.util.HashSet;
import java.util.Set;
import javax.inject.Inject;
import javax.inject.Named;
import spark.Request;
import spark.Response;

/* loaded from: input_file:io/vertigo/vega/plugins/rest/handler/CorsAllowerRestHandlerPlugin.class */
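/**
 * REST handler that applies a CORS policy to every endpoint.
 *
 * <p>When a request carries an {@code Origin} header, the origin and the HTTP method are
 * matched against two configured allowlists; a mismatch is answered with HTTP 403 and a
 * {@link VSecurityException}. The CORS response headers are then added and the request is
 * passed down the handler chain.
 *
 * <p>Security notes for whoever configures or reviews this plugin:
 * <ul>
 *   <li>Both allowlists default to permissive values; the origin allowlist defaults to
 *       {@code *}, which lets a script from any site read the responses and the exposed
 *       headers (these include {@code x-access-token} and {@code listServerToken}).
 *       Deployments should set {@code originCORSFilter} to an explicit list of origins.</li>
 *   <li>Requests without an {@code Origin} header are never checked here, and a non-browser
 *       client can send any {@code Origin} it likes. This filter is therefore not an
 *       authentication or authorization control; those must be enforced separately.</li>
 * </ul>
 */
public final class CorsAllowerRestHandlerPlugin implements RestHandlerPlugin {
    private static final String REQUEST_HEADER_ORIGIN = "Origin";
    /** Wildcard entry: when present in an allowlist, every value is accepted. */
    private static final String DEFAULT_ORIGIN_CORS_FILTER = "*";
    private static final String DEFAULT_METHODS_CORS_FILTER = "GET, POST, DELETE, PUT";
    private static final String DEFAULT_HEADERS_CORS_FILTER = "Content-Type, listServerToken, x-total-count, x-access-token";
    private final String methodCORSFilter;
    private final Set<String> originCORSFiltersSet;
    private final Set<String> methodCORSFiltersSet;

    /**
     * Builds the plugin from its two optional, comma-separated configuration values.
     *
     * @param option allowed origins ({@code originCORSFilter}); defaults to {@code *}
     * @param option2 allowed HTTP methods ({@code methodCORSFilter}); defaults to
     *     {@code GET, POST, DELETE, PUT}
     */
    @Inject
    public CorsAllowerRestHandlerPlugin(@Named("originCORSFilter") Option<String> option, @Named("methodCORSFilter") Option<String> option2) {
        final String originCORSFilter = option.getOrElse(DEFAULT_ORIGIN_CORS_FILTER);
        this.methodCORSFilter = option2.getOrElse(DEFAULT_METHODS_CORS_FILTER);
        this.originCORSFiltersSet = parseStringToSet(originCORSFilter);
        this.methodCORSFiltersSet = parseStringToSet(this.methodCORSFilter);
    }

    /**
     * Accepts every endpoint: the CORS policy is applied globally.
     *
     * @param endPointDefinition endpoint being wired (not inspected)
     * @return always {@code true}
     */
    @Override
    public boolean accept(EndPointDefinition endPointDefinition) {
        return true;
    }

    /**
     * Checks the request against the CORS allowlists, adds the CORS response headers and
     * delegates to the rest of the chain.
     *
     * @param request incoming request
     * @param response outgoing response, receives the CORS headers
     * @param routeContext route context, passed through unchanged
     * @param handlerChain remaining handlers
     * @return whatever the rest of the chain returns
     * @throws SessionException propagated from the chain
     * @throws VSecurityException if the request has an {@code Origin} header and either the
     *     origin or the method is not in its allowlist (the response status is set to 403)
     */
    @Override
    public Object handle(Request request, Response response, RouteContext routeContext, HandlerChain handlerChain) throws SessionException, VSecurityException {
        final String origin = request.headers(REQUEST_HEADER_ORIGIN);
        // Only requests that announce an origin are filtered; anything else passes straight through.
        if (origin != null) {
            final String method = request.raw().getMethod();
            // NOTE(review): the method tested is the actual HTTP method. If OPTIONS preflights
            // are routed through this handler, they are rejected unless OPTIONS (or *) is in
            // methodCORSFilter - confirm how preflights are served.
            if (!isAllowed(origin, this.originCORSFiltersSet) || !isAllowed(method, this.methodCORSFiltersSet)) {
                response.status(403);
                response.raw().resetBuffer();
                // The Origin value is client-controlled: whatever logs or renders this message
                // must treat it as untrusted text.
                throw new VSecurityException("Invalid CORS Access (Origin:" + origin + ", Method:" + method + ")");
            }
        }

        final boolean anyOrigin = this.originCORSFiltersSet.contains(DEFAULT_ORIGIN_CORS_FILTER);
        if (anyOrigin) {
            response.header("Access-Control-Allow-Origin", DEFAULT_ORIGIN_CORS_FILTER);
        } else if (this.originCORSFiltersSet.size() == 1) {
            response.header("Access-Control-Allow-Origin", this.originCORSFiltersSet.iterator().next());
        } else {
            // Access-Control-Allow-Origin takes a single origin, never a comma-separated list.
            // With several configured origins, echo the one that was just matched against the
            // allowlist, and tell caches that the response depends on the request's Origin.
            if (origin != null) {
                response.header("Access-Control-Allow-Origin", origin);
            }
            response.header("Vary", "Origin");
        }
        // Access-Control-Allow-Methods is the response header browsers read.
        response.header("Access-Control-Allow-Methods", this.methodCORSFilter);
        // Access-Control-Request-Method is a request header; still emitted here only so that
        // existing consumers that looked for it keep seeing it.
        response.header("Access-Control-Request-Method", this.methodCORSFilter);
        response.header("Access-Control-Expose-Headers", DEFAULT_HEADERS_CORS_FILTER);
        return handlerChain.handle(request, response, routeContext);
    }

    /**
     * Tells whether a value passes an allowlist.
     *
     * @param str value to test (exact, case-sensitive match)
     * @param set allowlist; a {@code *} entry accepts every value
     * @return {@code true} if the allowlist contains {@code *} or the value itself
     */
    private boolean isAllowed(String str, Set<String> set) {
        return set.contains(DEFAULT_ORIGIN_CORS_FILTER) || set.contains(str);
    }

    /**
     * Splits a comma-separated configuration value into a set of trimmed entries.
     *
     * @param str comma-separated list
     * @return the distinct, trimmed entries
     */
    private Set<String> parseStringToSet(String str) {
        final String[] entries = str.split(",");
        final Set<String> result = new HashSet<>(entries.length);
        for (final String entry : entries) {
            result.add(entry.trim());
        }
        return result;
    }
}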
