package org.nuxeo.ecm.platform.web.common.requestcontroller.filter;

import com.thetransactioncompany.cors.CORSConfiguration;
import com.thetransactioncompany.cors.CORSFilter;
import com.thetransactioncompany.cors.Origin;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import java.util.Objects;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.nuxeo.ecm.platform.web.common.requestcontroller.service.RequestControllerManager;
import org.nuxeo.ecm.platform.web.common.vh.VirtualHostHelper;
import org.nuxeo.runtime.api.Framework;

/* loaded from: input_file:org/nuxeo/ecm/platform/web/common/requestcontroller/filter/NuxeoCorsCsrfFilter.class */
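/**
 * Servlet filter performing a CSRF check on every request, then handing the request to the CORS filter configured
 * for it (if any) or directly to the rest of the chain.
 * <p>
 * The decision taken in {@link #doFilter} is, in order:
 * <ol>
 * <li>safe methods ({@code GET}, {@code HEAD}, {@code OPTIONS}, {@code TRACE}) are always allowed;</li>
 * <li>a request whose source (Origin header, or Referer as fallback) matches the target server URL is allowed;</li>
 * <li>otherwise the request is allowed only when a CORS configuration covers the URL, accepts the origin and
 * supports the method.</li>
 * </ol>
 * A rejected request receives a {@code 403} response. Note that a request carrying neither an Origin nor a
 * Referer header, or whose target URL cannot be determined, counts as a match (see {@link #sourceAndTargetMatch}).
 */
public class NuxeoCorsCsrfFilter implements Filter {

    public static final String GET = "GET";

    public static final String HEAD = "HEAD";

    public static final String OPTIONS = "OPTIONS";

    public static final String TRACE = "TRACE";

    private static final Log log = LogFactory.getLog(NuxeoCorsCsrfFilter.class);

    /**
     * Origin schemes (browser extensions) for which the source/target comparison is skipped.
     * <p>
     * Unmodifiable: the allow-list of a security filter must not be alterable by other code at runtime.
     */
    public static final List<String> SCHEMES_ALLOWED = Collections.unmodifiableList(
            Arrays.asList("moz-extension", "chrome-extension"));

    /** Request header carrying the origin of a cross-site request. */
    private static final String ORIGIN_HEADER = "Origin";

    /** Request header used as a fallback source when no Origin header is present. */
    private static final String REFERER_HEADER = "Referer";

    /**
     * Request wrapper that hides the {@code Origin} header from downstream code.
     * <p>
     * The header is hidden through every accessor ({@link #getHeader}, {@link #getHeaders} and
     * {@link #getHeaderNames}) so that a consumer reading headers by enumeration does not see what a consumer
     * reading them by name cannot.
     */
    public static class IgnoredOriginRequestWrapper extends HttpServletRequestWrapper {

        public IgnoredOriginRequestWrapper(HttpServletRequest request) {
            super(request);
        }

        /** @return {@code null} for the Origin header, the wrapped request's value otherwise */
        @Override
        public String getHeader(String name) {
            if (isOriginHeader(name)) {
                return null;
            }
            return super.getHeader(name);
        }

        /** @return an empty enumeration for the Origin header, the wrapped request's values otherwise */
        @Override
        public Enumeration<String> getHeaders(String name) {
            if (isOriginHeader(name)) {
                return Collections.emptyEnumeration();
            }
            return super.getHeaders(name);
        }

        /** @return the wrapped request's header names without the Origin header ({@code null} if the container denies access) */
        @Override
        public Enumeration<String> getHeaderNames() {
            Enumeration<String> names = super.getHeaderNames();
            if (names == null) {
                return null;
            }
            List<String> kept = new ArrayList<>();
            while (names.hasMoreElements()) {
                String name = names.nextElement();
                if (!isOriginHeader(name)) {
                    kept.add(name);
                }
            }
            return Collections.enumeration(kept);
        }

        // header names are case-insensitive (RFC 7230)
        private static boolean isOriginHeader(String name) {
            return ORIGIN_HEADER.equalsIgnoreCase(name);
        }
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to initialize
    }

    @Override
    public void destroy() {
        // nothing to release
    }

    /**
     * Runs the CSRF check described on the class, then either sends a {@code 403} or continues the chain.
     * <p>
     * When a CORS filter is configured for the request, the chain continues through it; an Origin with a
     * whitelisted scheme is hidden from it first (see {@link #maybeIgnoreWhitelistedOrigin}).
     *
     * @throws IOException from the response or the rest of the chain
     * @throws ServletException from the rest of the chain
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;
        RequestControllerManager manager = Framework.getService(RequestControllerManager.class);
        Objects.requireNonNull(manager, "RequestControllerManager service is not available");
        CORSFilter corsFilter = manager.getCorsFilterForRequest(request);
        CORSConfiguration config = corsFilter == null ? null : corsFilter.getConfiguration();
        String method = request.getMethod();
        URI sourceURI = getSourceURI(request);
        URI targetURI = getTargetURI(request);
        if (log.isDebugEnabled()) {
            log.debug("Method: " + method + ", source: " + sourceURI + ", target: " + targetURI);
        }
        if (!isRequestAllowed(method, sourceURI, targetURI, config)) {
            log.warn("CSRF check failure: source: " + sourceURI + " does not match target: " + targetURI
                    + " and not allowed by CORS config");
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "CSRF check failure");
            return;
        }
        if (corsFilter == null) {
            filterChain.doFilter(request, response);
        } else {
            corsFilter.doFilter(maybeIgnoreWhitelistedOrigin(request), response, filterChain);
        }
    }

    /**
     * Applies the CSRF decision rules in order and returns whether the request may proceed.
     *
     * @param method the HTTP method
     * @param sourceURI the request source, or {@code null} if unknown
     * @param targetURI the request target, or {@code null} if unknown
     * @param config the CORS configuration covering the URL, or {@code null} if none
     * @return {@code true} to let the request through, {@code false} to reject it
     */
    protected boolean isRequestAllowed(String method, URI sourceURI, URI targetURI, CORSConfiguration config) {
        if (isSafeMethod(method)) {
            log.debug("Safe method: allow");
            return true;
        }
        if (sourceAndTargetMatch(sourceURI, targetURI)) {
            log.debug("Source and target match: allow");
            if (targetURI == null) {
                // an unknown target counts as a match; make the degraded check visible in the logs
                log.error("Cannot determine target URL for CSRF check");
            }
            return true;
        }
        if (config == null) {
            log.debug("URL not covered by CORS config: disallow cross-site request");
            return false;
        }
        // sourceURI is non-null here: a null source always matches in sourceAndTargetMatch
        if (!config.isAllowedOrigin(new Origin(sourceURI.toString()))) {
            log.debug("Origin not allowed by CORS config: disallow cross-site request");
            return false;
        }
        if (!config.isSupportedMethod(method)) {
            log.debug("Method not allowed by CORS config: disallow cross-site request");
            return false;
        }
        log.debug("Origin and method allowed by CORS config: allow cross-site request");
        return true;
    }

    /** @return whether the method is one of {@code GET}, {@code HEAD}, {@code OPTIONS}, {@code TRACE} */
    private static boolean isSafeMethod(String method) {
        return GET.equals(method) || HEAD.equals(method) || OPTIONS.equals(method) || TRACE.equals(method);
    }

    /**
     * Gets the source of the request from its {@code Origin} header, falling back to {@code Referer}.
     *
     * @return the source URI, or {@code null} when both headers are blank, the origin is the literal
     *         {@code "null"}, or the value cannot be parsed as a URI
     */
    public URI getSourceURI(HttpServletRequest request) {
        String source = request.getHeader(ORIGIN_HEADER);
        if (StringUtils.isBlank(source)) {
            source = request.getHeader(REFERER_HEADER);
        }
        if (StringUtils.isBlank(source)) {
            return null;
        }
        source = source.trim();
        if ("null".equals(source)) {
            // RFC 6454 serializes a privacy-sensitive origin as the literal "null"; it is treated as an
            // absent source here, which sourceAndTargetMatch accepts
            // NOTE(review): confirm that accepting a "null" origin on state-changing requests is intended
            return null;
        }
        int space = source.indexOf(' ');
        if (space >= 0) {
            // an Origin header may list several space-separated origins: keep the first one
            source = source.substring(0, space);
        }
        try {
            return new URI(source);
        } catch (URISyntaxException e) {
            // an unparseable source is treated like an absent one
            log.debug("Cannot parse source URI: " + source);
            return null;
        }
    }

    /**
     * Gets the target of the request, i.e. the server URL computed by {@link VirtualHostHelper}.
     *
     * @return the target URI, or {@code null} when no server URL is available or it cannot be parsed as a URI
     */
    public URI getTargetURI(HttpServletRequest request) {
        String serverURL = VirtualHostHelper.getServerURL(request, false);
        if (serverURL == null) {
            return null;
        }
        try {
            return new URI(serverURL);
        } catch (URISyntaxException e) {
            // the caller logs an error when the target is unknown
            return null;
        }
    }

    /**
     * Tells whether the source and target of a request have the same scheme, host and port.
     * <p>
     * Returns {@code true} when either URI is unknown ({@code null}) or when the source uses a whitelisted
     * scheme (see {@link #isWhitelistedScheme}). Ports are compared as returned by {@link URI#getPort()}, which
     * is {@code -1} when no port is present, so an explicit default port is not equated with an absent one.
     *
     * @param source the request source, or {@code null}
     * @param target the request target, or {@code null}
     */
    public boolean sourceAndTargetMatch(URI source, URI target) {
        if (source == null || target == null || isWhitelistedScheme(source)) {
            return true;
        }
        boolean sameScheme = Objects.equals(source.getScheme(), target.getScheme());
        boolean sameHost = Objects.equals(source.getHost(), target.getHost());
        boolean samePort = source.getPort() == target.getPort();
        return sameScheme && sameHost && samePort;
    }

    /**
     * Wraps the request so that its {@code Origin} header is hidden when the origin uses a whitelisted scheme.
     *
     * @return the wrapped request, or the request itself when there is no Origin header, it cannot be parsed, or
     *         its scheme is not whitelisted
     */
    protected HttpServletRequest maybeIgnoreWhitelistedOrigin(HttpServletRequest request) {
        String origin = request.getHeader(ORIGIN_HEADER);
        if (origin == null) {
            return request;
        }
        try {
            if (isWhitelistedScheme(new URI(origin))) {
                return new IgnoredOriginRequestWrapper(request);
            }
            return request;
        } catch (URISyntaxException e) {
            // an unparseable origin is passed through unchanged
            return request;
        }
    }

    /** @return whether the URI scheme is one of {@link #SCHEMES_ALLOWED} ({@code false} for a missing scheme) */
    protected boolean isWhitelistedScheme(URI uri) {
        return SCHEMES_ALLOWED.contains(uri.getScheme());
    }
}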
