package com.atlassian.plugins.rest.v2.security.cors;

import com.atlassian.plugins.rest.api.internal.security.cors.CorsDefaults;
import com.atlassian.plugins.rest.api.internal.security.cors.CorsHeaders;
import java.io.IOException;
import java.net.URI;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.StreamSupport;
import javax.annotation.Priority;
import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerRequestFilter;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.core.Response;
import javax.ws.rs.ext.Provider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Priority(3000)
@Provider
/* loaded from: input_file:WEB-INF/atlassian-bundled-plugins-setup/com.atlassian.plugins.rest.atlassian-rest-v2-plugin-8.1.2.jar:com/atlassian/plugins/rest/v2/security/cors/CorsResourceFilter.class */
public class CorsResourceFilter implements ContainerRequestFilter, ContainerResponseFilter {
    public static final String CORS_PREFLIGHT_FAILED = "Cors-Preflight-Failed";
    public static final String CORS_PREFLIGHT_SUCCEEDED = "Cors-Preflight-Succeeded";
    private static final Logger log = LoggerFactory.getLogger(CorsResourceFilter.class);
    private final String allowMethod;
    private final CorsDefaultService corsDefaultService;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/atlassian-bundled-plugins-setup/com.atlassian.plugins.rest.atlassian-rest-v2-plugin-8.1.2.jar:com/atlassian/plugins/rest/v2/security/cors/CorsResourceFilter$PreflightFailedException.class */
    public static class PreflightFailedException extends Exception {
        private PreflightFailedException(String str) {
            super(str);
        }
    }

    public CorsResourceFilter(String str, CorsDefaultService corsDefaultService) {
        this.allowMethod = str;
        this.corsDefaultService = corsDefaultService;
    }

    public void filter(ContainerRequestContext containerRequestContext) throws IOException {
        if (containerRequestContext.getPropertyNames().contains(CorsHeaders.CORS_PREFLIGHT_REQUESTED)) {
            try {
                String validateSingleOriginInWhitelist = validateSingleOriginInWhitelist(this.corsDefaultService.getCorsDefaults(), containerRequestContext);
                List<CorsDefaults> allowsOrigin = allowsOrigin(this.corsDefaultService.getCorsDefaults(), validateSingleOriginInWhitelist);
                Response.ResponseBuilder ok = Response.ok();
                validateAccessControlRequestMethod(this.allowMethod, containerRequestContext);
                Set<String> allowedRequestHeaders = getAllowedRequestHeaders(allowsOrigin, validateSingleOriginInWhitelist);
                validateAccessControlRequestHeaders(allowedRequestHeaders, containerRequestContext);
                addAccessControlAllowOrigin(ok, validateSingleOriginInWhitelist);
                conditionallyAddAccessControlAllowCredentials(ok, validateSingleOriginInWhitelist, allowsOrigin);
                addAccessControlMaxAge(ok);
                addAccessControlAllowMethods(ok, this.allowMethod);
                addAccessControlAllowHeaders(ok, allowedRequestHeaders);
                containerRequestContext.setProperty(CORS_PREFLIGHT_SUCCEEDED, "true");
                containerRequestContext.abortWith(ok.build());
            } catch (PreflightFailedException e) {
                Response.ResponseBuilder ok2 = Response.ok();
                containerRequestContext.setProperty(CORS_PREFLIGHT_FAILED, "true");
                log.info("CORS preflight failed: {}", e.getMessage());
                containerRequestContext.abortWith(ok2.build());
            }
        }
    }

    public void filter(ContainerRequestContext containerRequestContext, ContainerResponseContext containerResponseContext) throws IOException {
        if (containerRequestContext.getProperty(CORS_PREFLIGHT_FAILED) == null && containerRequestContext.getProperty(CORS_PREFLIGHT_SUCCEEDED) == null && extractOrigin(containerRequestContext) != null) {
            try {
                String validateSingleOriginInWhitelist = validateSingleOriginInWhitelist(this.corsDefaultService.getCorsDefaults(), containerRequestContext);
                List<CorsDefaults> allowsOrigin = allowsOrigin(this.corsDefaultService.getCorsDefaults(), validateSingleOriginInWhitelist);
                addAccessControlAllowOrigin(containerResponseContext, validateSingleOriginInWhitelist);
                conditionallyAddAccessControlAllowCredentials(containerResponseContext, validateSingleOriginInWhitelist, allowsOrigin);
                addAccessControlExposeHeaders(containerResponseContext, getAllowedResponseHeaders(allowsOrigin, validateSingleOriginInWhitelist));
            } catch (PreflightFailedException e) {
                log.info("Unable to add CORS headers to response: {}", e.getMessage());
            }
        }
    }

    private void addAccessControlExposeHeaders(ContainerResponseContext containerResponseContext, Set<String> set) {
        containerResponseContext.getHeaders().put(CorsHeaders.ACCESS_CONTROL_EXPOSE_HEADERS.value(), Collections.singletonList(String.join(", ", set)));
    }

    private void addAccessControlAllowHeaders(Response.ResponseBuilder responseBuilder, Set<String> set) {
        responseBuilder.header(CorsHeaders.ACCESS_CONTROL_ALLOW_HEADERS.value(), String.join(", ", set));
    }

    private void addAccessControlAllowMethods(Response.ResponseBuilder responseBuilder, String str) {
        responseBuilder.header(CorsHeaders.ACCESS_CONTROL_ALLOW_METHODS.value(), str);
    }

    private void addAccessControlMaxAge(Response.ResponseBuilder responseBuilder) {
        responseBuilder.header(CorsHeaders.ACCESS_CONTROL_MAX_AGE.value(), 3600);
    }

    private void addAccessControlAllowOrigin(Response.ResponseBuilder responseBuilder, String str) {
        responseBuilder.header(CorsHeaders.ACCESS_CONTROL_ALLOW_ORIGIN.value(), str);
    }

    private void addAccessControlAllowOrigin(ContainerResponseContext containerResponseContext, String str) {
        containerResponseContext.getHeaders().put(CorsHeaders.ACCESS_CONTROL_ALLOW_ORIGIN.value(), Collections.singletonList(str));
    }

    private void conditionallyAddAccessControlAllowCredentials(Response.ResponseBuilder responseBuilder, String str, Iterable<CorsDefaults> iterable) {
        if (anyAllowsCredentials(iterable, str)) {
            responseBuilder.header(CorsHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS.value(), "true");
        }
    }

    private void conditionallyAddAccessControlAllowCredentials(ContainerResponseContext containerResponseContext, String str, Iterable<CorsDefaults> iterable) {
        if (anyAllowsCredentials(iterable, str)) {
            containerResponseContext.getHeaders().put(CorsHeaders.ACCESS_CONTROL_ALLOW_CREDENTIALS.value(), Collections.singletonList("true"));
        }
    }

    private void validateAccessControlRequestHeaders(Set<String> set, ContainerRequestContext containerRequestContext) throws PreflightFailedException {
        List list = (List) containerRequestContext.getHeaders().get(CorsHeaders.ACCESS_CONTROL_REQUEST_HEADERS.value());
        List emptyList = list != null ? list : Collections.emptyList();
        HashSet hashSet = new HashSet();
        Iterator it = emptyList.iterator();
        while (it.hasNext()) {
            hashSet.addAll(Arrays.asList(((String) it.next()).toLowerCase(Locale.US).trim().split("\\s*,\\s*")));
        }
        Set set2 = (Set) set.stream().map(str -> {
            return str.toLowerCase(Locale.US);
        }).collect(Collectors.toSet());
        HashSet hashSet2 = new HashSet(hashSet);
        hashSet2.removeAll(set2);
        if (!hashSet2.isEmpty()) {
            throw new PreflightFailedException("Unexpected headers in CORS request: " + new ArrayList(hashSet2));
        }
    }

    private void validateAccessControlRequestMethod(String str, ContainerRequestContext containerRequestContext) throws PreflightFailedException {
        String headerString = containerRequestContext.getHeaderString(CorsHeaders.ACCESS_CONTROL_REQUEST_METHOD.value());
        if (!str.equals(headerString)) {
            throw new PreflightFailedException("Invalid method: " + headerString);
        }
    }

    private String validateSingleOriginInWhitelist(Iterable<CorsDefaults> iterable, ContainerRequestContext containerRequestContext) throws PreflightFailedException {
        String extractOrigin = extractOrigin(containerRequestContext);
        validateOriginAsUri(extractOrigin);
        if (allowsOrigin(iterable, extractOrigin).isEmpty()) {
            throw new PreflightFailedException("Origin '" + extractOrigin + "' not in whitelist");
        }
        return extractOrigin;
    }

    private void validateOriginAsUri(String str) throws PreflightFailedException {
        try {
            URI create = URI.create(str);
            if (create.isOpaque() || !create.isAbsolute()) {
                throw new IllegalArgumentException("The origin URI must be absolute and not opaque.");
            }
        } catch (IllegalArgumentException e) {
            throw new PreflightFailedException("Origin '" + str + "' is not a valid URI");
        }
    }

    public static String extractOrigin(ContainerRequestContext containerRequestContext) {
        return containerRequestContext.getHeaderString(CorsHeaders.ORIGIN.value());
    }

    private static List<CorsDefaults> allowsOrigin(Iterable<CorsDefaults> iterable, String str) {
        return (List) StreamSupport.stream(iterable.spliterator(), false).filter(corsDefaults -> {
            return corsDefaults.allowsOrigin(str);
        }).collect(Collectors.toList());
    }

    private static boolean anyAllowsCredentials(Iterable<CorsDefaults> iterable, String str) {
        Iterator<CorsDefaults> it = iterable.iterator();
        while (it.hasNext()) {
            if (it.next().allowsCredentials(str)) {
                return true;
            }
        }
        return false;
    }

    private static Set<String> getAllowedRequestHeaders(List<CorsDefaults> list, String str) {
        HashSet hashSet = new HashSet();
        Iterator<CorsDefaults> it = list.iterator();
        while (it.hasNext()) {
            hashSet.addAll(it.next().getAllowedRequestHeaders(str));
        }
        return hashSet;
    }

    private static Set<String> getAllowedResponseHeaders(List<CorsDefaults> list, String str) {
        HashSet hashSet = new HashSet();
        Iterator<CorsDefaults> it = list.iterator();
        while (it.hasNext()) {
            hashSet.addAll(it.next().getAllowedResponseHeaders(str));
        }
        return hashSet;
    }
}
