package org.genesys.blocks.security.component;

import com.google.common.cache.CacheBuilder;
import com.google.common.cache.CacheLoader;
import com.google.common.cache.LoadingCache;
import java.io.IOException;
import java.util.Collections;
import java.util.Iterator;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.genesys.blocks.oauth.model.OAuthClient;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.provider.ClientDetailsService;
import org.springframework.security.oauth2.provider.OAuth2Authentication;
import org.springframework.web.filter.OncePerRequestFilter;

/* loaded from: input_file:org/genesys/blocks/security/component/OAuthClientOriginCheckFilter.class */
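/**
 * Restricts browser use of OAuth2 access tokens to the origins registered for the issuing client.
 *
 * <p>Each {@link OAuthClient} carries an allow-list ({@code getAllowedOrigins()}). For a request whose
 * {@link Authentication} is an {@link OAuth2Authentication} the filter applies, per client:
 * <ul>
 *   <li>empty allow-list: the client is not meant for browsers; the request is accepted only when it
 *       carries neither an {@code Origin} nor a {@code Referer} header;</li>
 *   <li>non-empty allow-list: the {@code Origin} header must belong to one of the allowed origins, or,
 *       for GET requests and for requests that carry no {@code Origin}, the {@code Referer} header must.</li>
 * </ul>
 * A rejected request is answered with 403 and the chain stops. Requests without an OAuth2 authentication
 * pass through unchecked. Both headers are set by the browser and are trivially forged by non-browser
 * clients, so this is a defence against tokens being used from foreign web pages, not an authentication
 * factor.
 *
 * <p>Allow-lists are cached per client id for up to ten minutes (at most 100 clients), so a change to a
 * client's registration can take that long to become effective. If the allow-list cannot be loaded the
 * request is denied (fail closed).
 */
public class OAuthClientOriginCheckFilter extends OncePerRequestFilter {

    @Autowired
    @Qualifier("oauthService")
    private ClientDetailsService clientDetailsService;

    /** Per-client allowed origins, loaded lazily from {@link #clientDetailsService}; values are never null. */
    private final LoadingCache<String, Set<String>> clientOriginsCache = CacheBuilder.newBuilder()
        .maximumSize(100)
        .expireAfterWrite(10, TimeUnit.MINUTES)
        .build(new CacheLoader<String, Set<String>>() {
            @Override
            public Set<String> load(String clientId) {
                if (OAuthClientOriginCheckFilter.this.logger.isInfoEnabled()) {
                    OAuthClientOriginCheckFilter.this.logger.info("Loading allowed origins for client: " + clientId);
                }
                OAuthClient client = (OAuthClient) OAuthClientOriginCheckFilter.this.clientDetailsService.loadClientByClientId(clientId);
                Set<String> origins = client.getAllowedOrigins();
                // A null loader result is rejected by the cache; treat "no origins configured" as an empty
                // allow-list, which the check below interprets as "not usable from browsers".
                return origins == null ? Collections.<String>emptySet() : origins;
            }
        });

    /**
     * Runs the origin check for OAuth2-authenticated requests and answers 403 when it fails.
     *
     * @param httpServletRequest  the current request
     * @param httpServletResponse the current response; receives 403 "Request origin not valid" on rejection
     * @param filterChain         continued only when the request is accepted
     */
    @Override
    protected void doFilterInternal(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication instanceof OAuth2Authentication) {
            if (!checkValidOrigin(httpServletRequest, (OAuth2Authentication) authentication)) {
                httpServletResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "Request origin not valid");
                return;
            }
        } else if (this.logger.isDebugEnabled()) {
            // Anonymous and non-OAuth2 (e.g. session) authentications are outside this filter's scope.
            this.logger.debug("Authentication null for origin: " + httpServletRequest.getHeader("Origin"));
        }
        filterChain.doFilter(httpServletRequest, httpServletResponse);
    }

    /**
     * Decides whether the request's {@code Origin}/{@code Referer} headers are acceptable for the client
     * that owns the presented token.
     *
     * @param httpServletRequest   the current request
     * @param oAuth2Authentication the token's authentication; its {@code OAuth2Request} names the client
     * @return {@code true} to let the request through, {@code false} to reject it with 403
     */
    private boolean checkValidOrigin(HttpServletRequest httpServletRequest, OAuth2Authentication oAuth2Authentication) {
        if (this.logger.isTraceEnabled()) {
            traceRequest(httpServletRequest);
        }
        String origin = httpServletRequest.getHeader("Origin");
        String referer = httpServletRequest.getHeader("Referer");

        if (oAuth2Authentication.getOAuth2Request() == null) {
            // Without an OAuth2Request there is no client id to look up, so there is nothing to enforce.
            // NOTE(review): this is the pre-existing permissive behaviour; confirm such tokens are expected.
            if (this.logger.isDebugEnabled()) {
                this.logger.debug("Allowing request with Origin: " + origin);
            }
            return true;
        }

        String clientId = oAuth2Authentication.getOAuth2Request().getClientId();
        Set<String> allowedOrigins;
        try {
            allowedOrigins = this.clientOriginsCache.get(clientId);
        } catch (ExecutionException e) {
            // Fail closed: an allow-list we could not load must not degrade into "allow everything".
            this.logger.warn("Error loading client origins for " + clientId + "; denying request", e);
            return false;
        }

        boolean browserHeadersPresent = origin != null || referer != null;
        if (allowedOrigins.isEmpty()) {
            // Client registered without origins: usable from non-browser callers only.
            if (!browserHeadersPresent) {
                return true;
            }
            if (this.logger.isInfoEnabled()) {
                this.logger.info(clientId + " may not be used from browsers. Denying.");
            }
            return false;
        }
        if (!browserHeadersPresent) {
            if (this.logger.isInfoEnabled()) {
                this.logger.info("No origin/referrer header in request. Denying.");
            }
            return false;
        }

        // Referer is consulted for GET requests and whenever the browser sent no Origin at all;
        // for any other method a present Origin is authoritative.
        boolean refererAcceptable = referer != null
            && (origin == null || "GET".equalsIgnoreCase(httpServletRequest.getMethod()));
        for (String allowed : allowedOrigins) {
            if (matchesAllowedOrigin(origin, allowed)) {
                if (this.logger.isDebugEnabled()) {
                    this.logger.debug("Origin match: " + origin + " for " + allowed);
                }
                return true;
            }
            if (refererAcceptable && matchesAllowedOrigin(referer, allowed)) {
                if (this.logger.isDebugEnabled()) {
                    this.logger.debug("Referrer match: " + referer + " for " + allowed);
                }
                return true;
            }
        }
        if (this.logger.isInfoEnabled()) {
            this.logger.info("No origin/referrer match: " + origin + " or " + referer + " in " + allowedOrigins.toString());
        }
        return false;
    }

    /**
     * Tests whether {@code value} (an {@code Origin} or {@code Referer} header value) belongs to the
     * configured entry {@code allowed}.
     *
     * <p>A bare prefix test is not enough: with {@code https://example.com} allowed, {@code startsWith}
     * would also accept {@code https://example.com.evil.com} and {@code https://example.community}. When
     * the entry has no path component the prefix must therefore be followed by the end of the value or by
     * a character that terminates the host ({@code /}, {@code ?}, {@code #}) or starts a port ({@code :}).
     * An entry that already contains a path (e.g. {@code https://example.com/app/}) has a complete host
     * and is matched as a plain prefix. An empty entry never matches (it would otherwise act as a wildcard).
     *
     * <p>A port is only enforced when the entry itself carries one: {@code https://example.com} still
     * admits {@code https://example.com:8443}.
     *
     * @param value   header value, may be null
     * @param allowed configured origin, may be null
     * @return whether {@code value} is covered by {@code allowed}
     */
    static boolean matchesAllowedOrigin(String value, String allowed) {
        if (value == null || allowed == null || allowed.isEmpty() || !value.startsWith(allowed)) {
            return false;
        }
        if (value.length() == allowed.length()) {
            return true;
        }
        int schemeEnd = allowed.indexOf("://");
        int authorityStart = schemeEnd < 0 ? 0 : schemeEnd + 3;
        if (allowed.indexOf('/', authorityStart) >= 0) {
            // The entry already contains a path separator, so its host part cannot be extended.
            return true;
        }
        char next = value.charAt(allowed.length());
        return next == '/' || next == ':' || next == '?' || next == '#';
    }

    /** Dumps the request URI and headers at TRACE level, redacting credential-bearing headers. */
    private void traceRequest(HttpServletRequest httpServletRequest) {
        this.logger.trace(httpServletRequest.getRequestURI());
        if (httpServletRequest.getHeaderNames() == null) {
            return; // the container may withhold header access
        }
        for (Object nameObj : Collections.list(httpServletRequest.getHeaderNames())) {
            String name = (String) nameObj;
            // Never write bearer tokens or session cookies into the log, even at TRACE.
            String value = isSensitiveHeader(name) ? "<redacted>" : httpServletRequest.getHeader(name);
            this.logger.trace(">> " + name + ": " + value);
        }
    }

    /** Headers whose values are credentials and must not be logged. */
    private static boolean isSensitiveHeader(String name) {
        return "Authorization".equalsIgnoreCase(name)
            || "Proxy-Authorization".equalsIgnoreCase(name)
            || "Cookie".equalsIgnoreCase(name);
    }
}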
