package com.atlassian.plugins.rest.common.security.jersey;

import aQute.bnd.osgi.Processor;
import com.atlassian.plugin.tracker.PluginModuleTracker;
import com.atlassian.plugins.rest.common.security.CorsHeaders;
import com.atlassian.plugins.rest.common.security.CorsPreflightCheckCompleteException;
import com.atlassian.plugins.rest.common.security.descriptor.CorsDefaults;
import com.atlassian.plugins.rest.common.security.descriptor.CorsDefaultsModuleDescriptor;
import com.google.common.base.Function;
import com.google.common.base.Joiner;
import com.google.common.base.Predicate;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterables;
import com.google.common.collect.Lists;
import com.google.common.collect.Sets;
import com.sun.jersey.spi.container.ContainerRequest;
import com.sun.jersey.spi.container.ContainerRequestFilter;
import com.sun.jersey.spi.container.ContainerResponse;
import com.sun.jersey.spi.container.ContainerResponseFilter;
import com.sun.jersey.spi.container.ResourceFilter;
import java.net.URI;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import javax.ws.rs.core.Response;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/atlassian-bundled-plugins/atlassian-rest-module-3.4.12.jar:com/atlassian/plugins/rest/common/security/jersey/CorsResourceFilter.class */
public class CorsResourceFilter implements ResourceFilter, ContainerRequestFilter, ContainerResponseFilter {
    private static final String CORS_PREFLIGHT_FAILED = "Cors-Preflight-Failed";
    private static final String CORS_PREFLIGHT_SUCCEEDED = "Cors-Preflight-Succeeded";
    public static final String CORS_PREFLIGHT_REQUESTED = "Cors-Preflight-Requested";
    private static final Logger log = LoggerFactory.getLogger((Class<?>) CorsResourceFilter.class);
    private final PluginModuleTracker<CorsDefaults, CorsDefaultsModuleDescriptor> pluginModuleTracker;
    private final String allowMethod;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/atlassian-bundled-plugins/atlassian-rest-module-3.4.12.jar:com/atlassian/plugins/rest/common/security/jersey/CorsResourceFilter$PreflightFailedException.class */
    public static class PreflightFailedException extends Exception {
        private PreflightFailedException(String str) {
            super(str);
        }
    }

    public CorsResourceFilter(PluginModuleTracker<CorsDefaults, CorsDefaultsModuleDescriptor> pluginModuleTracker, String str) {
        this.allowMethod = str;
        this.pluginModuleTracker = pluginModuleTracker;
    }

    @Override // com.sun.jersey.spi.container.ContainerRequestFilter
    public ContainerRequest filter(ContainerRequest containerRequest) {
        if (!containerRequest.getProperties().containsKey(CORS_PREFLIGHT_REQUESTED)) {
            return containerRequest;
        }
        Iterable<CorsDefaults> modules = this.pluginModuleTracker.getModules();
        try {
            String validateSingleOriginInWhitelist = validateSingleOriginInWhitelist(modules, containerRequest);
            Iterable<CorsDefaults> allowsOrigin = allowsOrigin(modules, validateSingleOriginInWhitelist);
            Response.ResponseBuilder ok = Response.ok();
            validateAccessControlRequestMethod(this.allowMethod, containerRequest);
            Set<String> allowedRequestHeaders = getAllowedRequestHeaders(allowsOrigin, validateSingleOriginInWhitelist);
            validateAccessControlRequestHeaders(allowedRequestHeaders, containerRequest);
            addAccessControlAllowOrigin(ok, validateSingleOriginInWhitelist);
            conditionallyAddAccessControlAllowCredentials(ok, validateSingleOriginInWhitelist, allowsOrigin);
            addAccessControlMaxAge(ok);
            addAccessControlAllowMethods(ok, this.allowMethod);
            addAccessControlAllowHeaders(ok, allowedRequestHeaders);
            containerRequest.getProperties().put(CORS_PREFLIGHT_SUCCEEDED, "true");
            throw new CorsPreflightCheckCompleteException(ok.build());
        } catch (PreflightFailedException e) {
            Response.ResponseBuilder ok2 = Response.ok();
            containerRequest.getProperties().put(CORS_PREFLIGHT_FAILED, "true");
            log.info("CORS preflight failed: " + e.getMessage());
            throw new CorsPreflightCheckCompleteException(ok2.build());
        }
    }

    @Override // com.sun.jersey.spi.container.ContainerResponseFilter
    public ContainerResponse filter(ContainerRequest containerRequest, ContainerResponse containerResponse) {
        if (containerRequest.getProperties().containsKey(CORS_PREFLIGHT_FAILED) || containerRequest.getProperties().containsKey(CORS_PREFLIGHT_SUCCEEDED) || extractOrigin(containerRequest) == null) {
            return containerResponse;
        }
        Iterable<CorsDefaults> modules = this.pluginModuleTracker.getModules();
        try {
            String validateSingleOriginInWhitelist = validateSingleOriginInWhitelist(modules, containerRequest);
            Iterable<CorsDefaults> allowsOrigin = allowsOrigin(modules, validateSingleOriginInWhitelist);
            Response.ResponseBuilder fromResponse = Response.fromResponse(containerResponse.getResponse());
            addAccessControlAllowOrigin(fromResponse, validateSingleOriginInWhitelist);
            conditionallyAddAccessControlAllowCredentials(fromResponse, validateSingleOriginInWhitelist, allowsOrigin);
            addAccessControlExposeHeaders(fromResponse, getAllowedResponseHeaders(allowsOrigin, validateSingleOriginInWhitelist));
            containerResponse.setResponse(fromResponse.build());
            return containerResponse;
        } catch (PreflightFailedException e) {
            log.info("Unable to add CORS headers to response: " + e.getMessage());
            return containerResponse;
        }
    }

    private void addAccessControlExposeHeaders(Response.ResponseBuilder responseBuilder, Set<String> set) {
        responseBuilder.header(CorsHeaders.ACCESS_CONTROL_EXPOSE_HEADERS.value(), Joiner.on(", ").join(set));
    }

    private void addAccessControlAllowHeaders(Response.ResponseBuilder responseBuilder, Set<String> set) {
        responseBuilder.header(CorsHeaders.ACCESS_CONTROL_ALLOW_HEADERS.value(), Joiner.on(", ").join(set));
    }

    private void addAccessControlAllowMethods(Response.ResponseBuilder responseBuilder, String str) {
        responseBuilder.header(CorsHeaders.ACCESS_CONTROL_ALLOW_METHODS.value(), str);
    }

    private void addAccessControlMaxAge(Response.ResponseBuilder responseBuilder) {
        responseBuilder.header(CorsHeaders.ACCESS_CONTROL_MAX_AGE.value(), 3600);
    }

    private void addAccessControlAllowOrigin(Response.ResponseBuilder responseBuilder, String str) {
        responseBuilder.header(CorsHeaders.ACCESS_CONTROL_ALLOW_ORIGIN.value(), str);
    }

    private void conditionallyAddAccessControlAllowCredentials(Response.ResponseBuilder responseBuilder, String str, Iterable<CorsDefaults> iterable) {
        if (anyAllowsCredentials(iterable, str)) {
            responseBuilder.header(CorsHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS.value(), "true");
        }
    }

    private void validateAccessControlRequestHeaders(Set<String> set, ContainerRequest containerRequest) throws PreflightFailedException {
        List<String> requestHeader = containerRequest.getRequestHeader(CorsHeaders.ACCESS_CONTROL_REQUEST_HEADERS.value());
        List<String> emptyList = requestHeader != null ? requestHeader : Collections.emptyList();
        HashSet hashSet = new HashSet();
        Iterator<String> it = emptyList.iterator();
        while (it.hasNext()) {
            hashSet.addAll(Arrays.asList(it.next().toLowerCase(Locale.US).trim().split(Processor.LIST_SPLITTER)));
        }
        Sets.SetView difference = Sets.difference(hashSet, ImmutableSet.copyOf(Iterables.transform(set, new Function<String, String>() { // from class: com.atlassian.plugins.rest.common.security.jersey.CorsResourceFilter.1
            @Override // com.google.common.base.Function
            public String apply(String str) {
                return str.toLowerCase(Locale.US);
            }
        })));
        if (!difference.isEmpty()) {
            throw new PreflightFailedException("Unexpected headers in CORS request: " + Lists.newArrayList(difference));
        }
    }

    private void validateAccessControlRequestMethod(String str, ContainerRequest containerRequest) throws PreflightFailedException {
        String headerValue = containerRequest.getHeaderValue(CorsHeaders.ACCESS_CONTROL_REQUEST_METHOD.value());
        if (!str.equals(headerValue)) {
            throw new PreflightFailedException("Invalid method: " + headerValue);
        }
    }

    private String validateSingleOriginInWhitelist(Iterable<CorsDefaults> iterable, ContainerRequest containerRequest) throws PreflightFailedException {
        String extractOrigin = extractOrigin(containerRequest);
        validateOriginAsUri(extractOrigin);
        if (Iterables.isEmpty(allowsOrigin(iterable, extractOrigin))) {
            throw new PreflightFailedException("Origin '" + extractOrigin + "' not in whitelist");
        }
        return extractOrigin;
    }

    private void validateOriginAsUri(String str) throws PreflightFailedException {
        try {
            URI create = URI.create(str);
            if (create.isOpaque() || !create.isAbsolute()) {
                throw new IllegalArgumentException("The origin URI must be absolute and not opaque.");
            }
        } catch (IllegalArgumentException e) {
            throw new PreflightFailedException("Origin '" + str + "' is not a valid URI");
        }
    }

    public static String extractOrigin(ContainerRequest containerRequest) {
        return containerRequest.getHeaderValue(CorsHeaders.ORIGIN.value());
    }

    @Override // com.sun.jersey.spi.container.ResourceFilter
    public ContainerRequestFilter getRequestFilter() {
        return this;
    }

    @Override // com.sun.jersey.spi.container.ResourceFilter
    public ContainerResponseFilter getResponseFilter() {
        return this;
    }

    private static Iterable<CorsDefaults> allowsOrigin(Iterable<CorsDefaults> iterable, final String str) {
        return Iterables.filter(iterable, new Predicate<CorsDefaults>() { // from class: com.atlassian.plugins.rest.common.security.jersey.CorsResourceFilter.2
            @Override // com.google.common.base.Predicate
            public boolean apply(CorsDefaults corsDefaults) {
                return corsDefaults.allowsOrigin(str);
            }
        });
    }

    private static boolean anyAllowsCredentials(Iterable<CorsDefaults> iterable, String str) {
        Iterator<CorsDefaults> it = iterable.iterator();
        while (it.hasNext()) {
            if (it.next().allowsCredentials(str)) {
                return true;
            }
        }
        return false;
    }

    private static Set<String> getAllowedRequestHeaders(Iterable<CorsDefaults> iterable, String str) {
        HashSet newHashSet = Sets.newHashSet();
        Iterator<CorsDefaults> it = iterable.iterator();
        while (it.hasNext()) {
            newHashSet.addAll(it.next().getAllowedRequestHeaders(str));
        }
        return newHashSet;
    }

    private static Set<String> getAllowedResponseHeaders(Iterable<CorsDefaults> iterable, String str) {
        HashSet newHashSet = Sets.newHashSet();
        Iterator<CorsDefaults> it = iterable.iterator();
        while (it.hasNext()) {
            newHashSet.addAll(it.next().getAllowedResponseHeaders(str));
        }
        return newHashSet;
    }
}
