package org.restheart.security.authorizers;

import io.undertow.util.PathTemplate;
import io.undertow.util.PathTemplateMatcher;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import org.restheart.configuration.ConfigurationException;
import org.restheart.exchange.Request;
import org.restheart.plugins.Inject;
import org.restheart.plugins.OnInit;
import org.restheart.plugins.RegisterPlugin;
import org.restheart.plugins.security.Authorizer;
import org.restheart.utils.URLUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@RegisterPlugin(name = "originVetoer", description = "protects from CSRF attacks by forbidding requests whose Origin header is not whitelisted", enabledByDefault = false, authorizerType = Authorizer.TYPE.VETOER)
/* loaded from: input_file:org/restheart/security/authorizers/OriginVetoer.class */
public class OriginVetoer implements Authorizer {
    private static final Logger LOGGER = LoggerFactory.getLogger(OriginVetoer.class);
    private List<String> whitelist = null;
    private PathTemplateMatcher<Boolean> ignoreLists = new PathTemplateMatcher<>();

    @Inject("config")
    private Map<String, Object> config;

    @OnInit
    public void init() {
        try {
            this.whitelist = (List) ((List) arg(this.config, "whitelist")).stream().filter(str -> {
                return str != null;
            }).map(str2 -> {
                return str2.strip();
            }).map(str3 -> {
                return str3.toLowerCase();
            }).map(str4 -> {
                return URLUtils.removeTrailingSlashes(str4);
            }).map(str5 -> {
                return str5.concat("/");
            }).collect(Collectors.toList());
            LOGGER.info("whitelist defined for originVetoer, requests will be accepted with Origin header in {}", this.whitelist);
        } catch (ConfigurationException e) {
            this.whitelist = null;
            LOGGER.info("No whitelist defined for originVetoer, all Origin headers are accepted");
        }
        try {
            List list = (List) arg(this.config, "ignore-paths");
            list.stream().filter(str6 -> {
                return str6 != null;
            }).map(str7 -> {
                return str7.strip();
            }).map(str8 -> {
                return str8.toLowerCase();
            }).map(str9 -> {
                return PathTemplate.create(str9);
            }).forEach(pathTemplate -> {
                this.ignoreLists.add(pathTemplate, true);
            });
            LOGGER.info("ignore list defined for originVetoer, requests will be accepted without checking the Origin header for paths in {}", list);
        } catch (ConfigurationException e2) {
            this.ignoreLists = null;
            LOGGER.info("No ignoreLists defined for originVetoer, all paths are checked");
        }
    }

    public boolean isAllowed(Request<?> request) {
        if (this.ignoreLists != null && this.ignoreLists.match(request.getPath()) != null) {
            LOGGER.debug("originVetoer: request is accepted since path is in ignore list");
            return true;
        }
        if (this.whitelist == null || this.whitelist.isEmpty()) {
            return true;
        }
        String header = request.getHeader("Origin");
        if (header == null) {
            LOGGER.warn("request forbidden by originVetoer due to missing Origin header, whitelist is {}", this.whitelist);
            return false;
        }
        boolean anyMatch = this.whitelist.stream().anyMatch(str -> {
            return URLUtils.removeTrailingSlashes(header.toLowerCase()).concat("/").startsWith(str);
        });
        if (!anyMatch) {
            LOGGER.warn("request forbidden by originVetoer due to Origin header {} not in whitelist {}", header, this.whitelist);
        }
        return anyMatch;
    }

    public boolean isAuthenticationRequired(Request request) {
        return false;
    }
}
