package org.genesys.blocks.security.component;

import java.io.IOException;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.genesys.blocks.oauth.model.OAuthClient;
import org.genesys.blocks.oauth.service.OAuthClientService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.jwt.Jwt;
import org.springframework.security.oauth2.server.resource.authentication.AbstractOAuth2TokenAuthenticationToken;
import org.springframework.web.filter.OncePerRequestFilter;

/* loaded from: input_file:org/genesys/blocks/security/component/OAuthClientOriginCheckFilter.class */
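/**
 * Servlet filter that enforces a per-client browser-origin policy on requests that are
 * authenticated with an OAuth2 token.
 *
 * <p>The first {@code aud} entry of the JWT is used as the OAuth client id, and that client's
 * configured allowed origins decide whether the request may proceed:
 * <ul>
 *   <li>no allowed origins configured: the client is not meant to be used from a browser, so
 *       any request carrying an {@code Origin} or {@code Referer} header is rejected;</li>
 *   <li>allowed origins configured: the request must carry an {@code Origin} (or, for GET
 *       requests or when {@code Origin} is absent, a {@code Referer}) that lies within one of
 *       the allowed origins. "Lies within" is an exact origin match or a path-boundary prefix
 *       match, never a bare string prefix, so {@code https://a.example} does not admit
 *       {@code https://a.example.attacker.net}.</li>
 * </ul>
 * Requests that are not authenticated with an OAuth2 token are passed through untouched.
 *
 * <p>Rejections are answered with HTTP 403. The filter fails closed: a token whose client
 * cannot be resolved (no {@code aud}, unknown client, failing client store, non-JWT token) is
 * rejected rather than waved through.
 */
public class OAuthClientOriginCheckFilter extends OncePerRequestFilter {
    private static final Logger log = LoggerFactory.getLogger(OAuthClientOriginCheckFilter.class);

    @Autowired
    private OAuthClientService clientDetailsService;

    /**
     * Applies the origin policy to token-authenticated requests.
     *
     * @param request  the incoming request; only its {@code Origin}, {@code Referer} and method
     *                 are consulted
     * @param response receives a 403 when the policy rejects the request
     * @param chain    continued for every request that is not rejected
     */
    @Override
    protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws ServletException, IOException {
        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
        if (authentication instanceof AbstractOAuth2TokenAuthenticationToken) {
            if (!checkValidOrigin(request, (AbstractOAuth2TokenAuthenticationToken<?>) authentication)) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "Request origin not valid");
                return;
            }
        } else {
            // Not token-authenticated (anonymous, session, ...): outside this filter's scope.
            log.debug("Authentication null for origin: {}", request.getHeader("Origin"));
        }
        chain.doFilter(request, response);
    }

    /**
     * Evaluates the origin policy for one token-authenticated request.
     *
     * @return {@code true} if the request may proceed, {@code false} if it must be rejected
     */
    private boolean checkValidOrigin(HttpServletRequest request, AbstractOAuth2TokenAuthenticationToken<?> authentication) {
        if (log.isTraceEnabled()) {
            traceRequest(request);
        }

        Object rawToken = authentication.getToken();
        if (!(rawToken instanceof Jwt)) {
            // The policy is keyed on the JWT "aud" claim; without a JWT there is nothing to
            // evaluate, and an unevaluated policy must not become a pass-through.
            log.info("Authentication token is not a JWT ({}). Denying.",
                    rawToken == null ? null : rawToken.getClass().getSimpleName());
            return false;
        }
        Jwt token = (Jwt) rawToken;

        String origin = request.getHeader("Origin");
        String referer = request.getHeader("Referer");
        boolean isGet = "GET".equalsIgnoreCase(request.getMethod());

        // getAudience() normalizes both a single-string and a list-valued "aud" claim.
        List<String> audience = token.getAudience();
        if (audience == null || audience.isEmpty()) {
            log.info("Token carries no audience; cannot resolve client. Denying.");
            return false;
        }
        String clientId = audience.get(0);

        Set<String> allowedOrigins;
        try {
            allowedOrigins = getAllowedOrigins(clientId);
        } catch (Exception e) {
            // Fail closed: an unknown client or a failing client store must not disable the check.
            log.warn("Error loading client origins for {}: {}", clientId, e.getMessage(), e);
            return false;
        }

        if (allowedOrigins.isEmpty()) {
            // Not a browser client: any browser-originated request (Origin/Referer present) is refused.
            if (origin == null && referer == null) {
                return true;
            }
            log.info("{} may not be used from browsers. Denying.", clientId);
            return false;
        }
        if (origin == null && referer == null) {
            log.info("No origin/referrer header in request. Denying.");
            return false;
        }

        // Referer is a weaker signal than Origin, so it is only consulted for GET requests or
        // when the request carries no Origin header at all.
        boolean refererUsable = referer != null && (isGet || origin == null);
        for (String allowed : allowedOrigins) {
            if (originMatches(origin, allowed)) {
                log.debug("Origin match: {} for {}", origin, allowed);
                return true;
            }
            if (refererUsable && originMatches(referer, allowed)) {
                log.debug("Referrer match: {} for {}", referer, allowed);
                return true;
            }
        }
        log.info("No origin/referrer match: {} or {} in {}", origin, referer, allowedOrigins);
        return false;
    }

    /**
     * Whether an {@code Origin} or {@code Referer} header value lies within an allowed origin.
     *
     * <p>A match is either exact or a prefix that ends at a path boundary ({@code allowed + "/"}).
     * A trailing slash on {@code allowed} is ignored so {@code https://a.example/} admits the
     * browser's {@code Origin: https://a.example}. A plain {@code startsWith} would let
     * {@code https://a.example.attacker.net} or {@code https://a.example/app-evil} pass.
     * Package-private for unit testing.
     *
     * @param header  header value, may be {@code null}
     * @param allowed configured allowed origin, may be {@code null} or empty (never matches)
     */
    static boolean originMatches(String header, String allowed) {
        if (header == null || allowed == null || allowed.isEmpty()) {
            return false;
        }
        String base = allowed.endsWith("/") ? allowed.substring(0, allowed.length() - 1) : allowed;
        if (base.isEmpty()) {
            // An entry of "/" (or "") would otherwise match every header value.
            return false;
        }
        return header.equals(base) || header.startsWith(base + "/");
    }

    /** Logs the request line and all headers at TRACE, masking credential-bearing headers. */
    private static void traceRequest(HttpServletRequest request) {
        log.trace("{} {}", request.getMethod(), request.getRequestURI());
        if (request.getHeaderNames() == null) {
            return;
        }
        for (String name : Collections.list(request.getHeaderNames())) {
            String value = isSensitiveHeader(name) ? "<redacted>" : request.getHeader(name);
            log.trace(">> {}: {}", name, value);
        }
    }

    /** Headers whose values are credentials and must never reach the log. */
    private static boolean isSensitiveHeader(String name) {
        return "Authorization".equalsIgnoreCase(name)
                || "Proxy-Authorization".equalsIgnoreCase(name)
                || "Cookie".equalsIgnoreCase(name);
    }

    /**
     * Loads the allowed origins configured for a client.
     *
     * @param clientId the client id taken from the token's {@code aud} claim
     * @return the client's allowed origins, empty (never {@code null}) when none are configured
     * @throws IllegalStateException if no client with that id exists
     */
    private Set<String> getAllowedOrigins(String clientId) {
        OAuthClient client = this.clientDetailsService.loadClientByClientId(clientId);
        if (client == null) {
            throw new IllegalStateException("No such client: " + clientId);
        }
        Set<String> allowedOrigins = client.getAllowedOrigins();
        return allowedOrigins == null ? Collections.emptySet() : allowedOrigins;
    }
}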
