package io.vertigo.vega.plugins.webservice.handler;

import io.vertigo.account.authorization.VSecurityException;
import io.vertigo.core.locale.MessageText;
import io.vertigo.core.param.ParamValue;
import io.vertigo.vega.impl.webservice.WebServiceHandlerPlugin;
import io.vertigo.vega.webservice.definitions.WebServiceDefinition;
import io.vertigo.vega.webservice.exception.SessionException;
import java.io.Serializable;
import java.util.Arrays;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import javax.inject.Inject;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/* loaded from: input_file:io/vertigo/vega/plugins/webservice/handler/CorsAllowerWebServiceHandlerPlugin.class */
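/**
 * Handler plugin that validates cross-origin requests and writes the CORS response headers.
 *
 * <p>A request carrying an {@code Origin} header is checked against the configured origin and
 * method allowlists; a mismatch is answered with HTTP 403 and a {@link VSecurityException}.
 * {@code OPTIONS} requests are answered here with an empty body and are not passed down the chain.
 *
 * <p>Security notes for operators:
 * <ul>
 *   <li>When {@code originCORSFilter} is not configured, the default is {@code *}: every origin is
 *       accepted. Services that return user-specific data should configure an explicit allowlist.</li>
 *   <li>A request without an {@code Origin} header is not checked by this class, so this handler
 *       must not be relied on as access control for non-browser clients.</li>
 *   <li>This class never writes {@code Access-Control-Allow-Credentials}.</li>
 * </ul>
 */
public final class CorsAllowerWebServiceHandlerPlugin implements WebServiceHandlerPlugin {
    public static final int STACK_INDEX = 20;
    private static final String REQUEST_HEADER_ORIGIN = "Origin";
    /** Allowlist entry meaning "accept any value". */
    private static final String WILDCARD = "*";
    private static final String DEFAULT_ALLOW_ORIGIN_CORS_FILTER = WILDCARD;
    private static final String DEFAULT_ALLOW_METHODS_CORS_FILTER = "GET, POST, DELETE, PUT, OPTIONS";
    private static final String DEFAULT_ALLOW_HEADERS_CORS_FILTER = "Content-Type, Cache-Control, X-Requested-With";
    private static final String DEFAULT_EXPOSED_HEADERS_CORS_FILTER = "Content-Type, listServerToken, content-length, x-total-count, x-access-token";
    private final String methodCORSFilter;
    private final Set<String> originCORSFiltersSet;
    private final Set<String> methodCORSFiltersSet;

    /**
     * Builds the plugin from its optional configuration parameters.
     *
     * @param optional comma-separated list of allowed origins; defaults to {@code *} (any origin)
     * @param optional2 comma-separated list of allowed HTTP methods; defaults to
     *     {@code GET, POST, DELETE, PUT, OPTIONS}
     */
    @Inject
    public CorsAllowerWebServiceHandlerPlugin(@ParamValue("originCORSFilter") Optional<String> optional, @ParamValue("methodCORSFilter") Optional<String> optional2) {
        final String originCORSFilter = optional.orElse(DEFAULT_ALLOW_ORIGIN_CORS_FILTER);
        this.methodCORSFilter = optional2.orElse(DEFAULT_ALLOW_METHODS_CORS_FILTER);
        this.originCORSFiltersSet = parseStringToSet(originCORSFilter);
        this.methodCORSFiltersSet = parseStringToSet(this.methodCORSFilter);
    }

    /**
     * Applies this handler only to web services flagged as CORS-protected.
     *
     * @param webServiceDefinition definition of the web service being routed
     * @return the definition's {@code isCorsProtected()} flag
     */
    @Override // io.vertigo.vega.impl.webservice.WebServiceHandlerPlugin
    public boolean accept(WebServiceDefinition webServiceDefinition) {
        return webServiceDefinition.isCorsProtected();
    }

    /**
     * Validates the request, writes the CORS headers, then either answers an {@code OPTIONS}
     * request directly or delegates to the next handler.
     *
     * <p>The method allowlist is checked against the request's own HTTP method, so an
     * {@code OPTIONS} preflight is accepted only when {@code OPTIONS} (or {@code *}) is in the
     * configured method list; {@code Access-Control-Request-Method} is not inspected.
     *
     * @return an empty string for {@code OPTIONS} requests, otherwise the result of the chain
     * @throws SessionException propagated from the handler chain
     * @throws VSecurityException when the origin or method is not allowed
     */
    @Override // io.vertigo.vega.impl.webservice.WebServiceHandlerPlugin
    public Object handle(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, WebServiceCallContext webServiceCallContext, HandlerChain handlerChain) throws SessionException {
        putCorsResponseHeaders(httpServletRequest, httpServletResponse);
        if ("OPTIONS".equalsIgnoreCase(httpServletRequest.getMethod())) {
            // Preflight (or plain OPTIONS): answer here, the target web service is never invoked.
            httpServletResponse.setStatus(HttpServletResponse.SC_OK);
            httpServletResponse.setContentType("application/json;charset=UTF-8");
            return "";
        }
        return handlerChain.handle(httpServletRequest, httpServletResponse, webServiceCallContext);
    }

    /**
     * Rejects disallowed cross-origin requests and writes the CORS response headers.
     *
     * <p>{@code Access-Control-Allow-Origin} must hold a single origin or {@code *}; a
     * comma-separated list is ignored by browsers. The configured list is therefore never sent
     * as-is: the wildcard is sent when configured, otherwise the validated request origin is
     * echoed back and {@code Vary: Origin} is added so shared caches keep per-origin responses apart.
     *
     * @param httpServletRequest incoming request; its {@code Origin} header is client-controlled
     * @param httpServletResponse response receiving the headers (or the 403 status on rejection)
     * @throws VSecurityException when an {@code Origin} header is present and the origin or the
     *     request method is not in the configured allowlists
     */
    public void putCorsResponseHeaders(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        final String origin = httpServletRequest.getHeader(REQUEST_HEADER_ORIGIN);
        if (origin != null) {
            final String method = httpServletRequest.getMethod();
            if (!isAllowed(origin, this.originCORSFiltersSet) || !isAllowed(method, this.methodCORSFiltersSet)) {
                httpServletResponse.setStatus(HttpServletResponse.SC_FORBIDDEN);
                httpServletResponse.resetBuffer();
                // NOTE(review): origin and method are client-supplied and end up in the exception
                // message; confirm that whatever logs or renders it neutralises control characters.
                throw new VSecurityException(MessageText.of("Invalid CORS Access (Origin:{0}, Method:{1})", new Serializable[]{origin, method}));
            }
        }
        final boolean anyOrigin = this.originCORSFiltersSet.contains(WILDCARD);
        final String allowOrigin = resolveAllowOrigin(origin, anyOrigin);
        if (allowOrigin != null) {
            httpServletResponse.addHeader("Access-Control-Allow-Origin", allowOrigin);
        }
        if (!anyOrigin) {
            // The response now depends on the request's Origin header.
            httpServletResponse.addHeader("Vary", "Origin");
        }
        httpServletResponse.addHeader("Access-Control-Allow-Methods", this.methodCORSFilter);
        httpServletResponse.addHeader("Access-Control-Allow-Headers", DEFAULT_ALLOW_HEADERS_CORS_FILTER);
        httpServletResponse.addHeader("Access-Control-Expose-Headers", DEFAULT_EXPOSED_HEADERS_CORS_FILTER);
    }

    /**
     * Picks the single value to send in {@code Access-Control-Allow-Origin}.
     *
     * @param requestOrigin the request's {@code Origin} header, already validated, or {@code null}
     * @param anyOrigin whether the wildcard is part of the configured origins
     * @return the header value, or {@code null} when no single valid value exists
     */
    private String resolveAllowOrigin(String requestOrigin, boolean anyOrigin) {
        if (anyOrigin) {
            // Never reflect the caller's origin in wildcard mode; "*" keeps credentialed reads blocked.
            return WILDCARD;
        }
        if (requestOrigin != null) {
            // Passed isAllowed() above, so it is string-equal to one configured allowlist entry.
            return requestOrigin;
        }
        // No Origin header: keep advertising the configured origin when there is exactly one.
        return this.originCORSFiltersSet.size() == 1 ? this.originCORSFiltersSet.iterator().next() : null;
    }

    /**
     * Tells whether a value is accepted by an allowlist.
     *
     * <p>A {@code *} entry accepts every value. Otherwise blank values are refused and the match is
     * an exact, case-sensitive string comparison (no pattern or sub-domain matching).
     */
    private static boolean isAllowed(String str, Set<String> set) {
        if (set.contains(WILDCARD)) {
            return true;
        }
        return !str.trim().isEmpty() && set.contains(str);
    }

    /** Splits a comma-separated configuration value into a set of trimmed entries. */
    private static Set<String> parseStringToSet(String str) {
        return Arrays.stream(str.split(","))
                .map(String::trim)
                .collect(Collectors.toSet());
    }

    /** @return the position of this handler in the handler stack ({@link #STACK_INDEX}) */
    @Override // io.vertigo.vega.impl.webservice.WebServiceHandlerPlugin
    public int getStackIndex() {
        return STACK_INDEX;
    }
}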
