package org.eclipse.jetty.server.handler;

import java.time.Duration;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.Set;
import java.util.regex.Pattern;
import javax.ws.rs.HttpMethod;
import javax.ws.rs.core.HttpHeaders;
import org.apache.lucene.geo.SimpleWKTShapeParser;
import org.eclipse.jetty.http.HttpFields;
import org.eclipse.jetty.http.HttpHeader;
import org.eclipse.jetty.http.PreEncodedHttpField;
import org.eclipse.jetty.server.Handler;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.Response;
import org.eclipse.jetty.util.Callback;
import org.eclipse.jetty.util.annotation.ManagedAttribute;
import org.eclipse.jetty.util.annotation.ManagedObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@ManagedObject
/* loaded from: input_file:lib/jetty-server-12.0.14.jar:org/eclipse/jetty/server/handler/CrossOriginHandler.class */
public class CrossOriginHandler extends Handler.Wrapper {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) CrossOriginHandler.class);
    private static final PreEncodedHttpField ACCESS_CONTROL_ALLOW_CREDENTIALS_TRUE = new PreEncodedHttpField(HttpHeader.ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
    private static final PreEncodedHttpField VARY_ORIGIN = new PreEncodedHttpField(HttpHeader.VARY, HttpHeader.ORIGIN.asString());
    private boolean anyOriginAllowed;
    private boolean anyTimingOriginAllowed;
    private PreEncodedHttpField accessControlAllowMethodsField;
    private PreEncodedHttpField accessControlAllowHeadersField;
    private PreEncodedHttpField accessControlExposeHeadersField;
    private PreEncodedHttpField accessControlMaxAge;
    private boolean allowCredentials = false;
    private Set<String> allowedHeaders = Set.of(HttpHeaders.CONTENT_TYPE);
    private Set<String> allowedMethods = Set.of(HttpMethod.GET, HttpMethod.POST, HttpMethod.HEAD);
    private Set<String> allowedOrigins = Set.of();
    private Set<String> allowedTimingOrigins = Set.of();
    private boolean deliverPreflight = false;
    private boolean deliverNonAllowedOrigin = true;
    private boolean deliverNonAllowedOriginWebSocketUpgrade = false;
    private Set<String> exposedHeaders = Set.of();
    private Duration preflightMaxAge = Duration.ofSeconds(60);
    private final Set<Pattern> allowedOriginPatterns = new LinkedHashSet();
    private final Set<Pattern> allowedTimingOriginPatterns = new LinkedHashSet();

    @ManagedAttribute("Whether the server allows cross-origin requests to include credentials (cookies, authentication headers, etc.)")
    public boolean isAllowCredentials() {
        return this.allowCredentials;
    }

    public void setAllowCredentials(boolean z) {
        throwIfStarted();
        this.allowCredentials = z;
    }

    @ManagedAttribute("The set of allowed headers in a cross-origin request")
    public Set<String> getAllowedHeaders() {
        return this.allowedHeaders;
    }

    public void setAllowedHeaders(Set<String> set) {
        throwIfStarted();
        this.allowedHeaders = Set.copyOf(set);
    }

    @ManagedAttribute("The set of allowed methods in a cross-origin request")
    public Set<String> getAllowedMethods() {
        return this.allowedMethods;
    }

    public void setAllowedMethods(Set<String> set) {
        throwIfStarted();
        this.allowedMethods = Set.copyOf(set);
    }

    @ManagedAttribute("The set of allowed origin regex strings in a cross-origin request")
    public Set<String> getAllowedOriginPatterns() {
        return this.allowedOrigins;
    }

    public void setAllowedOriginPatterns(Set<String> set) {
        throwIfStarted();
        this.allowedOrigins = Set.copyOf(set);
    }

    @ManagedAttribute("The set of allowed timing origin regex strings in a cross-origin request")
    public Set<String> getAllowedTimingOriginPatterns() {
        return this.allowedTimingOrigins;
    }

    public void setAllowedTimingOriginPatterns(Set<String> set) {
        throwIfStarted();
        this.allowedTimingOrigins = Set.copyOf(set);
    }

    @ManagedAttribute("whether preflight requests are delivered to the child Handler")
    public boolean isDeliverPreflightRequests() {
        return this.deliverPreflight;
    }

    public void setDeliverPreflightRequests(boolean z) {
        throwIfStarted();
        this.deliverPreflight = z;
    }

    @ManagedAttribute("whether requests whose origin is not allowed are delivered to the child Handler")
    public boolean isDeliverNonAllowedOriginRequests() {
        return this.deliverNonAllowedOrigin;
    }

    public void setDeliverNonAllowedOriginRequests(boolean z) {
        this.deliverNonAllowedOrigin = z;
    }

    @ManagedAttribute("whether WebSocket upgrade requests whose origin is not allowed are delivered to the child Handler")
    public boolean isDeliverNonAllowedOriginWebSocketUpgradeRequests() {
        return this.deliverNonAllowedOriginWebSocketUpgrade;
    }

    public void setDeliverNonAllowedOriginWebSocketUpgradeRequests(boolean z) {
        this.deliverNonAllowedOriginWebSocketUpgrade = z;
    }

    @ManagedAttribute("The set of headers exposed in a cross-origin response")
    public Set<String> getExposedHeaders() {
        return this.exposedHeaders;
    }

    public void setExposedHeaders(Set<String> set) {
        throwIfStarted();
        this.exposedHeaders = Set.copyOf(set);
    }

    @ManagedAttribute("How long the preflight results can be cached by browsers")
    public Duration getPreflightMaxAge() {
        return this.preflightMaxAge;
    }

    public void setPreflightMaxAge(Duration duration) {
        throwIfStarted();
        this.preflightMaxAge = duration;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.eclipse.jetty.server.Handler.Abstract, org.eclipse.jetty.util.component.ContainerLifeCycle, org.eclipse.jetty.util.component.AbstractLifeCycle
    public void doStart() throws Exception {
        resolveAllowedOrigins();
        resolveAllowedTimingOrigins();
        this.accessControlAllowMethodsField = new PreEncodedHttpField(HttpHeader.ACCESS_CONTROL_ALLOW_METHODS, String.join(SimpleWKTShapeParser.COMMA, getAllowedMethods()));
        this.accessControlAllowHeadersField = new PreEncodedHttpField(HttpHeader.ACCESS_CONTROL_ALLOW_HEADERS, String.join(SimpleWKTShapeParser.COMMA, getAllowedHeaders()));
        this.accessControlExposeHeadersField = new PreEncodedHttpField(HttpHeader.ACCESS_CONTROL_EXPOSE_HEADERS, String.join(SimpleWKTShapeParser.COMMA, getExposedHeaders()));
        this.accessControlMaxAge = new PreEncodedHttpField(HttpHeader.ACCESS_CONTROL_MAX_AGE, getPreflightMaxAge().toSeconds());
        if (this.anyOriginAllowed && isAllowCredentials()) {
            LOG.warn("{} configured with insecure parameters allowedOrigins=* and allowCredentials=true", getClass().getSimpleName());
        }
        super.doStart();
    }

    @Override // org.eclipse.jetty.server.Handler.Wrapper, org.eclipse.jetty.server.Request.Handler
    public boolean handle(Request request, Response response, Callback callback) throws Exception {
        response.getHeaders().ensureField(VARY_ORIGIN);
        String str = request.getHeaders().get(HttpHeader.ORIGIN);
        if (str == null) {
            return super.handle(request, response, callback);
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("handling cross-origin request {}", request);
        }
        boolean isPreflight = isPreflight(request);
        if (!originMatches(str)) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("cross-origin request does not match allowed origins: {} {}", request, getAllowedOriginPatterns());
            }
            if (!isDeliverNonAllowedOriginRequests()) {
                Response.writeError(request, response, callback, 400, "origin not allowed");
                return true;
            }
            if (isPreflight) {
                if (!isDeliverPreflightRequests()) {
                    if (LOG.isDebugEnabled()) {
                        LOG.debug("preflight cross-origin request not delivered to child handler {}", request);
                    }
                    callback.succeeded();
                    return true;
                }
            } else if (isWebSocketUpgrade(request) && !isDeliverNonAllowedOriginWebSocketUpgradeRequests()) {
                Response.writeError(request, response, callback, 400, "origin not allowed");
                return true;
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("cross-origin request delivered to child handler {}", request);
            }
            return super.handle(request, response, callback);
        }
        if (LOG.isDebugEnabled()) {
            LOG.debug("cross-origin request matches allowed origins: {} {}", request, getAllowedOriginPatterns());
        }
        if (isPreflight) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("preflight cross-origin request {}", request);
            }
            handlePreflightResponse(str, response);
            if (!isDeliverPreflightRequests()) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("preflight cross-origin request not delivered to child handler {}", request);
                }
                callback.succeeded();
                return true;
            }
        } else {
            if (LOG.isDebugEnabled()) {
                LOG.debug("simple cross-origin request {}", request);
            }
            handleSimpleResponse(str, response);
        }
        if (timingOriginMatches(str)) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("cross-origin request matches allowed timing origins: {} {}", request, getAllowedTimingOriginPatterns());
            }
            response.getHeaders().put(HttpHeader.TIMING_ALLOW_ORIGIN, str);
        }
        return super.handle(request, response, callback);
    }

    private boolean originMatches(String str) {
        if (this.anyOriginAllowed) {
            return true;
        }
        if (this.allowedOriginPatterns.isEmpty()) {
            return false;
        }
        return originMatches(str, this.allowedOriginPatterns);
    }

    private boolean timingOriginMatches(String str) {
        if (this.anyTimingOriginAllowed) {
            return true;
        }
        if (this.allowedTimingOriginPatterns.isEmpty()) {
            return false;
        }
        return originMatches(str, this.allowedTimingOriginPatterns);
    }

    private boolean originMatches(String str, Set<Pattern> set) {
        for (String str2 : str.split(" ")) {
            String trim = str2.trim();
            if (!trim.isEmpty()) {
                Iterator<Pattern> it = set.iterator();
                while (it.hasNext()) {
                    if (it.next().matcher(trim).matches()) {
                        return true;
                    }
                }
            }
        }
        return false;
    }

    private boolean isPreflight(Request request) {
        return org.eclipse.jetty.http.HttpMethod.OPTIONS.is(request.getMethod()) && request.getHeaders().contains(HttpHeader.ACCESS_CONTROL_REQUEST_METHOD);
    }

    private boolean isWebSocketUpgrade(Request request) {
        return request.getHeaders().contains(HttpHeader.SEC_WEBSOCKET_VERSION);
    }

    private void handlePreflightResponse(String str, Response response) {
        HttpFields.Mutable headers = response.getHeaders();
        headers.put(HttpHeader.ACCESS_CONTROL_ALLOW_ORIGIN, str);
        if (isAllowCredentials()) {
            headers.put(ACCESS_CONTROL_ALLOW_CREDENTIALS_TRUE);
        }
        if (!getAllowedMethods().isEmpty()) {
            headers.put(this.accessControlAllowMethodsField);
        }
        if (!getAllowedHeaders().isEmpty()) {
            headers.put(this.accessControlAllowHeadersField);
        }
        if (getPreflightMaxAge().toSeconds() > 0) {
            headers.put(this.accessControlMaxAge);
        }
    }

    private void handleSimpleResponse(String str, Response response) {
        HttpFields.Mutable headers = response.getHeaders();
        headers.put(HttpHeader.ACCESS_CONTROL_ALLOW_ORIGIN, str);
        if (isAllowCredentials()) {
            headers.put(ACCESS_CONTROL_ALLOW_CREDENTIALS_TRUE);
        }
        if (getExposedHeaders().isEmpty()) {
            return;
        }
        headers.put(this.accessControlExposeHeadersField);
    }

    private void resolveAllowedOrigins() {
        Iterator<String> it = getAllowedOriginPatterns().iterator();
        while (it.hasNext()) {
            String trim = it.next().trim();
            if (!trim.isEmpty()) {
                if ("*".equals(trim)) {
                    this.anyOriginAllowed = true;
                    return;
                }
                this.allowedOriginPatterns.add(Pattern.compile(trim, 2));
            }
        }
    }

    private void resolveAllowedTimingOrigins() {
        Iterator<String> it = getAllowedTimingOriginPatterns().iterator();
        while (it.hasNext()) {
            String trim = it.next().trim();
            if (!trim.isEmpty()) {
                if ("*".equals(trim)) {
                    this.anyTimingOriginAllowed = true;
                    return;
                }
                this.allowedTimingOriginPatterns.add(Pattern.compile(trim, 2));
            }
        }
    }

    private void throwIfStarted() {
        if (isStarted()) {
            throw new IllegalStateException("Cannot configure after start");
        }
    }
}
