package org.springframework.web.cors;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.server.ServerHttpRequest;
import org.springframework.http.server.ServerHttpResponse;
import org.springframework.http.server.ServletServerHttpRequest;
import org.springframework.http.server.ServletServerHttpResponse;
import org.springframework.lang.Nullable;
import org.springframework.util.CollectionUtils;

/* loaded from: input_file:WEB-INF/lib/spring-web-5.3.4.jar:org/springframework/web/cors/DefaultCorsProcessor.class */
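/**
 * Default {@link CorsProcessor}: checks a request against a {@link CorsConfiguration}
 * and either writes the CORS response headers or rejects the request with 403.
 *
 * <p>Security note: the origin, method and header checks are delegated to the
 * {@code CorsConfiguration}; this class only sequences them and writes the result.
 * CORS response headers tell the browser whether the calling script may read the
 * response. They are not an authorization check. A non-preflight request that this
 * processor lets through is still handled by the application.
 */
public class DefaultCorsProcessor implements CorsProcessor {
    private static final Log logger = LogFactory.getLog(DefaultCorsProcessor.class);

    /**
     * Request headers whose values influence the response and therefore must be
     * listed in {@code Vary}, so that shared caches do not serve a response computed
     * for one origin to another.
     */
    private static final String[] VARY_REQUEST_HEADERS = {
        "Origin",
        "Access-Control-Request-Method",
        "Access-Control-Request-Headers"
    };

    /**
     * Processes a request against the given configuration.
     *
     * @param corsConfiguration the applicable configuration, or {@code null} if none
     * @param httpServletRequest the current request
     * @param httpServletResponse the current response
     * @return {@code false} if the request was rejected (a 403 response has been
     *     written), {@code true} otherwise
     * @throws IOException if writing the rejection or flushing the response fails
     */
    @Override
    public boolean processRequest(@Nullable CorsConfiguration corsConfiguration, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        // Vary is added before any early return, so it is present on non-CORS responses too.
        // The membership test is an exact match on whole header values: a single
        // comma-joined value such as "Accept-Encoding, Origin" is not recognised.
        Collection<String> varyValues = httpServletResponse.getHeaders("Vary");
        for (String requestHeader : VARY_REQUEST_HEADERS) {
            if (!varyValues.contains(requestHeader)) {
                httpServletResponse.addHeader("Vary", requestHeader);
            }
        }

        if (!CorsUtils.isCorsRequest(httpServletRequest)) {
            return true;
        }

        // Something upstream already decided the allowed origin; do not override it.
        if (httpServletResponse.getHeader("Access-Control-Allow-Origin") != null) {
            logger.trace("Skip: response already contains \"Access-Control-Allow-Origin\"");
            return true;
        }

        boolean preFlight = CorsUtils.isPreFlightRequest(httpServletRequest);
        if (corsConfiguration != null) {
            return handleInternal(
                    new ServletServerHttpRequest(httpServletRequest),
                    new ServletServerHttpResponse(httpServletResponse),
                    corsConfiguration,
                    preFlight);
        }

        // No configuration: a preflight is refused outright. An actual (non-preflight)
        // CORS request is let through without any CORS headers, so the browser will
        // withhold the response from the calling script, but the request itself is
        // still processed by the application.
        if (preFlight) {
            rejectRequest(new ServletServerHttpResponse(httpServletResponse));
            return false;
        }
        return true;
    }

    /**
     * Writes a 403 response with the body {@code "Invalid CORS request"} and flushes it.
     *
     * @param serverHttpResponse the response to write the rejection to
     * @throws IOException if writing or flushing fails
     */
    protected void rejectRequest(ServerHttpResponse serverHttpResponse) throws IOException {
        serverHttpResponse.setStatusCode(HttpStatus.FORBIDDEN);
        serverHttpResponse.getBody().write("Invalid CORS request".getBytes(StandardCharsets.UTF_8));
        serverHttpResponse.flush();
    }

    /**
     * Validates origin, method and headers in that order and, if all pass, writes
     * the CORS response headers.
     *
     * @param serverHttpRequest the request to inspect
     * @param serverHttpResponse the response to write headers (or the rejection) to
     * @param corsConfiguration the configuration to check against
     * @param z {@code true} if the request is a preflight request
     * @return {@code false} if the request was rejected, {@code true} otherwise
     * @throws IOException if writing the rejection or flushing the response fails
     */
    protected boolean handleInternal(ServerHttpRequest serverHttpRequest, ServerHttpResponse serverHttpResponse, CorsConfiguration corsConfiguration, boolean z) throws IOException {
        String requestOrigin = serverHttpRequest.getHeaders().getOrigin();
        String allowOrigin = checkOrigin(corsConfiguration, requestOrigin);
        HttpHeaders responseHeaders = serverHttpResponse.getHeaders();
        if (allowOrigin == null) {
            // The Origin value is client-supplied and is written to the log unmodified.
            logger.debug("Reject: '" + requestOrigin + "' origin is not allowed");
            rejectRequest(serverHttpResponse);
            return false;
        }

        HttpMethod requestMethod = getMethodToUse(serverHttpRequest, z);
        List<HttpMethod> allowMethods = checkMethods(corsConfiguration, requestMethod);
        if (allowMethods == null) {
            logger.debug("Reject: HTTP '" + requestMethod + "' is not allowed");
            rejectRequest(serverHttpResponse);
            return false;
        }

        List<String> requestHeaders = getHeadersToUse(serverHttpRequest, z);
        List<String> allowHeaders = checkHeaders(corsConfiguration, requestHeaders);
        // Only a preflight is rejected on headers; for an actual request the result
        // of the header check is not used.
        if (z && allowHeaders == null) {
            logger.debug("Reject: headers '" + requestHeaders + "' are not allowed");
            rejectRequest(serverHttpResponse);
            return false;
        }

        // The value sent back is whatever the configuration returned for this origin.
        // NOTE(review): whether a wildcard origin combined with credentials is refused
        // is decided inside CorsConfiguration, which is not visible here; confirm.
        responseHeaders.setAccessControlAllowOrigin(allowOrigin);

        if (z) {
            responseHeaders.setAccessControlAllowMethods(allowMethods);
            // allowHeaders is non-null here: the null case returned above.
            if (!allowHeaders.isEmpty()) {
                responseHeaders.setAccessControlAllowHeaders(allowHeaders);
            }
        }

        if (!CollectionUtils.isEmpty(corsConfiguration.getExposedHeaders())) {
            responseHeaders.setAccessControlExposeHeaders(corsConfiguration.getExposedHeaders());
        }

        // Credentials are opt-in: the header is written only for an explicit TRUE,
        // never for null or FALSE.
        if (Boolean.TRUE.equals(corsConfiguration.getAllowCredentials())) {
            responseHeaders.setAccessControlAllowCredentials(true);
        }

        if (z && corsConfiguration.getMaxAge() != null) {
            responseHeaders.setAccessControlMaxAge(corsConfiguration.getMaxAge().longValue());
        }

        serverHttpResponse.flush();
        return true;
    }

    /**
     * Checks the request origin by delegating to {@link CorsConfiguration#checkOrigin}.
     *
     * @param corsConfiguration the configuration to check against
     * @param str the value of the request's {@code Origin} header, possibly {@code null}
     * @return the origin value to send back, or {@code null} if the origin is not allowed
     */
    @Nullable
    protected String checkOrigin(CorsConfiguration corsConfiguration, @Nullable String str) {
        return corsConfiguration.checkOrigin(str);
    }

    /**
     * Checks the HTTP method by delegating to {@link CorsConfiguration#checkHttpMethod}.
     *
     * @param corsConfiguration the configuration to check against
     * @param httpMethod the method to check, possibly {@code null}
     * @return the methods to list in the response, or {@code null} if the method is not allowed
     */
    @Nullable
    protected List<HttpMethod> checkMethods(CorsConfiguration corsConfiguration, @Nullable HttpMethod httpMethod) {
        return corsConfiguration.checkHttpMethod(httpMethod);
    }

    /**
     * Selects the method to validate: the {@code Access-Control-Request-Method}
     * header for a preflight ({@code z == true}), otherwise the request's own method.
     */
    @Nullable
    private HttpMethod getMethodToUse(ServerHttpRequest serverHttpRequest, boolean z) {
        if (z) {
            return serverHttpRequest.getHeaders().getAccessControlRequestMethod();
        }
        return serverHttpRequest.getMethod();
    }

    /**
     * Checks the request headers by delegating to {@link CorsConfiguration#checkHeaders}.
     *
     * @param corsConfiguration the configuration to check against
     * @param list the header names to check
     * @return the headers to list in the response, or {@code null} if they are not allowed
     */
    @Nullable
    protected List<String> checkHeaders(CorsConfiguration corsConfiguration, List<String> list) {
        return corsConfiguration.checkHeaders(list);
    }

    /**
     * Selects the header names to validate: the {@code Access-Control-Request-Headers}
     * list for a preflight ({@code z == true}), otherwise a copy of the names of all
     * headers present on the request.
     */
    private List<String> getHeadersToUse(ServerHttpRequest serverHttpRequest, boolean z) {
        HttpHeaders requestHeaders = serverHttpRequest.getHeaders();
        if (z) {
            return requestHeaders.getAccessControlRequestHeaders();
        }
        return new ArrayList<>(requestHeaders.keySet());
    }
}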
