package com.appiancorp.security.cors;

import com.appiancorp.cache.AppianCacheFactory;
import com.appiancorp.common.config.ApplicationContextHolder;
import com.appiancorp.core.expr.portable.string.Strings;
import com.appiancorp.features.FeatureToggleClient;
import com.appiancorp.integration.microsoft.office365.MicrosoftOfficeIntegrationMetrics;
import com.appiancorp.oauth.inbound.authserver.clients.pm.ProcessMiningFrontEndClientConfig;
import com.appiancorp.security.auth.saml.IdpMetadataService;
import com.appiancorp.security.auth.saml.SamlSpServiceUrlGenerator;
import com.appiancorp.security.auth.saml.SamlTestStateManager;
import com.appiancorp.suite.Constants;
import com.appiancorp.suite.cfg.EmbeddedInterfaceConfiguration;
import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Suppliers;
import com.google.common.collect.Sets;
import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;
import org.apache.log4j.Logger;

@SuppressFBWarnings({"SE_BAD_FIELD"})
/* loaded from: input_file:com/appiancorp/security/cors/CorsFilter.class */
public class CorsFilter implements Filter {
    static final int HTTP_DEFAULT_PORT = 80;
    private static final int HTTPS_DEFAULT_PORT = 443;
    private static final String ORIGIN = "Origin";
    public static final String ADMINISTRATION_CACHE_KEY = "appian/cache/jcs-administration-config.ccf";
    static final String METHOD_OPTIONS = "OPTIONS";
    static final String METHOD_POST = "POST";
    static final String METHOD_PUT = "PUT";
    static final String METHOD_GET = "GET";
    static final String METHOD_DELETE = "DELETE";
    private static final String SELF_TEST_CORE_ENDPOINT_PREFIX = "/self-test";
    private static final String SELF_TEST_SUITE_ENDPOINT_PREFIX = "/self-test/";
    static final String HEADER_ACCESS_CONTROL_REQUEST_METHOD = "Access-Control-Request-Method";
    private static final String HEADER_ACCESS_CONTROL_REQUEST_HEADERS = "Access-Control-Request-Headers";
    static final String HEADER_ACCESS_CONTROL_ALLOW_ORIGIN = "Access-Control-Allow-Origin";
    static final String HEADER_ACCESS_CONTROL_ALLOW_METHODS = "Access-Control-Allow-Methods";
    private static final String HEADER_ACCESS_CONTROL_ALLOW_HEADERS = "Access-Control-Allow-Headers";
    static final String HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS = "Access-Control-Allow-Credentials";
    static final String HEADER_ACCESS_CONTROL_EXPOSE_HEADERS = "Access-Control-Expose-Headers";
    private static final String HEADER_ACCESS_CONTROL_MAX_AGE = "Access-Control-Max-Age";
    static final String HEADER_VARY = "Vary";
    private static final String HEADER_USER_AGENT = "User-Agent";
    private static final String HEADER_P3P = "P3P";
    private static final String DEFAULT_P3P = "CP=\"This site does not support P3P policies\"";
    private static final String MAX_PREFLIGHT_AGE = "3600";
    private static final String SUPPORTED_METHODS = "GET, POST, PUT, DELETE";
    private String exposedHeaders = "Link, X-Appian-Base-Uri, appianError, X-APPIAN-CSRF-TOKEN, X-GWT-Permutation, P3P, X-Appian-Cached-Datatypes, X-Appian-Ui-State, __appianCsrfToken, __appianMultipartCsrfToken, Requested-While-Authenticated, X-Appian-Mobile-Auth-Popup, REMEMBER_IDP_COOKIE";
    private String supportedHeaders = this.exposedHeaders + ", Content-Type, x-appian-suppress-www-authenticate, x-appian-ui-state, accept-language, x-appian-csrf-token, x-appian-features, x-appian-features-extended, x-atom-content-type, X-Requested-With, x-gwt-module-base, x-gwt-permutation, Origin";
    private static final Logger LOG = Logger.getLogger(CorsFilter.class);
    private static final Supplier<EmbeddedInterfaceConfiguration> embeddedInterfaceConfigSupplier = Suppliers.memoize(() -> {
        return (EmbeddedInterfaceConfiguration) ApplicationContextHolder.getBean(EmbeddedInterfaceConfiguration.class);
    });
    private static final Supplier<ProcessMiningFrontEndClientConfig> processMiningFrontEndClientConfigSupplier = Suppliers.memoize(() -> {
        return (ProcessMiningFrontEndClientConfig) ApplicationContextHolder.getBean(ProcessMiningFrontEndClientConfig.class);
    });
    private static final Supplier<FeatureToggleClient> featureToggleClientSupplier = Suppliers.memoize(() -> {
        return (FeatureToggleClient) ApplicationContextHolder.getBean(FeatureToggleClient.class);
    });

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/appiancorp/security/cors/CorsFilter$CorsResponse.class */
    public static class CorsResponse extends HttpServletResponseWrapper {
        private static final Set<String> RESPONSE_HEADER_NAMES = Collections.unmodifiableSet(Sets.newHashSet(new String[]{CorsFilter.HEADER_ACCESS_CONTROL_ALLOW_ORIGIN, CorsFilter.HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS, CorsFilter.HEADER_ACCESS_CONTROL_EXPOSE_HEADERS, CorsFilter.HEADER_VARY, CorsFilter.HEADER_P3P}));

        CorsResponse(HttpServletResponse httpServletResponse) {
            super(httpServletResponse);
        }

        public void reset() {
            Map<String, String> corsHeaders = getCorsHeaders();
            super.reset();
            for (Map.Entry<String, String> entry : corsHeaders.entrySet()) {
                setHeader(entry.getKey(), entry.getValue());
            }
        }

        private Map<String, String> getCorsHeaders() {
            HashMap hashMap = new HashMap();
            for (String str : getHeaderNames()) {
                if (RESPONSE_HEADER_NAMES.contains(str)) {
                    hashMap.put(str, getHeader(str));
                }
            }
            return hashMap;
        }
    }

    public static Set<String> getAllowedDomains() {
        Set<String> allowedOriginList = embeddedInterfaceConfigSupplier.get().getAllowedOriginList();
        if (featureToggleClientSupplier.get().isFeatureEnabled("ae.iam.common-auth-for-process-mining")) {
            try {
                URI registeredRedirectUri = processMiningFrontEndClientConfigSupplier.get().getRegisteredRedirectUri();
                if (registeredRedirectUri == null || Strings.isNullOrEmpty(registeredRedirectUri.toString())) {
                    LOG.info("Either Process Mining domain is not register or it is null or empty.");
                    return allowedOriginList;
                }
                allowedOriginList.add(CorsUtil.extractDomain(registeredRedirectUri.toString()));
            } catch (Exception e) {
                LOG.error("Error adding registered Process Mining domain to CORS allowed list.", e);
            }
        }
        return allowedOriginList;
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (!(servletRequest instanceof HttpServletRequest) || !(servletResponse instanceof HttpServletResponse)) {
            throw new ServletException("Cannot filter non-HTTP requests/responses");
        }
        HttpServletResponse httpServletResponse = (HttpServletResponse) servletResponse;
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        maybeApplyP3PHeader(httpServletRequest, httpServletResponse);
        try {
            doFilter(httpServletRequest, httpServletResponse, filterChain);
        } catch (ServletException e) {
            httpServletResponse.setStatus(401);
            LOG.error("CORS request rejected; invalid request from " + servletRequest.getRemoteHost() + " to " + httpServletRequest.getServletPath(), e);
        }
    }

    private void doFilter(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
        String rawOrigin = CorsUtil.getRawOrigin(httpServletRequest);
        if (rawOrigin == null) {
            if (!"/cors/refresh".equals(httpServletRequest.getServletPath())) {
                filterChain.doFilter(httpServletRequest, httpServletResponse);
                return;
            } else {
                AppianCacheFactory.getInstance().getCache("appian/cache/jcs-administration-config.ccf").clear();
                httpServletResponse.setStatus(200);
                return;
            }
        }
        String extractDomain = CorsUtil.extractDomain(rawOrigin);
        String extractProtocol = CorsUtil.extractProtocol(rawOrigin);
        String method = httpServletRequest.getMethod();
        boolean z = -1;
        switch (method.hashCode()) {
            case -531492226:
                if (method.equals(METHOD_OPTIONS)) {
                    z = false;
                    break;
                }
                break;
            case 70454:
                if (method.equals(METHOD_GET)) {
                    z = 4;
                    break;
                }
                break;
            case 79599:
                if (method.equals(METHOD_PUT)) {
                    z = 3;
                    break;
                }
                break;
            case 2461856:
                if (method.equals(METHOD_POST)) {
                    z = 2;
                    break;
                }
                break;
            case 2012838315:
                if (method.equals("DELETE")) {
                    z = true;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                handlePreflightRequest(extractDomain, extractProtocol, httpServletRequest, httpServletResponse);
                return;
            case true:
            case true:
            case true:
            case true:
            default:
                if (extractDomain.equals(CorsUtil.getHostAndPort())) {
                    filterChain.doFilter(httpServletRequest, httpServletResponse);
                    return;
                } else {
                    handleNormalRequest(extractDomain, extractProtocol, httpServletRequest, httpServletResponse, filterChain);
                    return;
                }
        }
    }

    private void maybeApplyP3PHeader(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String header = httpServletRequest.getHeader(HEADER_USER_AGENT);
        if (header == null || !header.toLowerCase().contains("trident")) {
            return;
        }
        httpServletResponse.addHeader(HEADER_P3P, DEFAULT_P3P);
    }

    private void handleNormalRequest(String str, String str2, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, FilterChain filterChain) throws ServletException, IOException {
        if (!requestIsForSelfTestEndpoint(httpServletRequest.getServletPath()) && !isAllowedOriginDomain(httpServletRequest, str, str2)) {
            MicrosoftOfficeIntegrationMetrics.getInstance().updateOutlookIntegrationCorsFailureCounterIfNecessary(httpServletRequest);
            throw new ServletException("CORS origin denied: " + str + " is not on the allowed list:" + getAllowedDomains() + " or the request path does not match the allowed paths.");
        }
        httpServletResponse.addHeader(HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
        httpServletResponse.addHeader(HEADER_ACCESS_CONTROL_ALLOW_ORIGIN, CorsUtil.toOrigin(httpServletRequest));
        addAccessControlAllowMethodsHeader(str, httpServletResponse);
        httpServletResponse.addHeader(HEADER_VARY, "Origin");
        httpServletResponse.addHeader(HEADER_ACCESS_CONTROL_EXPOSE_HEADERS, this.exposedHeaders);
        filterChain.doFilter(httpServletRequest, new CorsResponse(httpServletResponse));
    }

    public void init(FilterConfig filterConfig) throws ServletException {
    }

    private boolean requestIsForSelfTestEndpoint(String str) {
        return str.equals(SELF_TEST_CORE_ENDPOINT_PREFIX) || str.startsWith(SELF_TEST_SUITE_ENDPOINT_PREFIX);
    }

    private void handlePreflightRequest(String str, String str2, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws ServletException {
        if (!isAllowedOriginDomain(httpServletRequest, str, str2) && !requestIsForSelfTestEndpoint(httpServletRequest.getServletPath())) {
            throw new ServletException("CORS origin denied " + str + " not on allowed list:" + getAllowedDomains());
        }
        if (httpServletRequest.getHeader(HEADER_ACCESS_CONTROL_REQUEST_METHOD) == null) {
            throw new ServletException("Invalid preflight CORS request: Missing Access-Control-Request-Method header");
        }
        String header = httpServletRequest.getHeader(HEADER_ACCESS_CONTROL_REQUEST_HEADERS);
        httpServletResponse.addHeader(HEADER_ACCESS_CONTROL_ALLOW_ORIGIN, CorsUtil.toOrigin(httpServletRequest));
        httpServletResponse.addHeader(HEADER_ACCESS_CONTROL_ALLOW_CREDENTIALS, "true");
        httpServletResponse.addHeader(HEADER_VARY, "Origin");
        httpServletResponse.addHeader(HEADER_ACCESS_CONTROL_MAX_AGE, MAX_PREFLIGHT_AGE);
        addAccessControlAllowMethodsHeader(str, httpServletResponse);
        if (header != null) {
            httpServletResponse.addHeader(HEADER_ACCESS_CONTROL_ALLOW_HEADERS, header);
        } else {
            httpServletResponse.addHeader(HEADER_ACCESS_CONTROL_ALLOW_HEADERS, this.supportedHeaders);
        }
    }

    private void addAccessControlAllowMethodsHeader(String str, HttpServletResponse httpServletResponse) {
        String dynamicHostAndPort = CorsUtil.getDynamicHostAndPort();
        String staticHostAndPort = CorsUtil.getStaticHostAndPort();
        if ((Strings.isNullOrEmpty(dynamicHostAndPort) || !dynamicHostAndPort.equals(str)) && (Strings.isNullOrEmpty(staticHostAndPort) || !staticHostAndPort.equals(str))) {
            httpServletResponse.addHeader(HEADER_ACCESS_CONTROL_ALLOW_METHODS, SUPPORTED_METHODS);
        } else {
            httpServletResponse.addHeader(HEADER_ACCESS_CONTROL_ALLOW_METHODS, METHOD_GET);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @VisibleForTesting
    public static boolean isAllowedOriginDomain(HttpServletRequest httpServletRequest, String str, String str2) {
        String hostAndPort = CorsUtil.getHostAndPort();
        String dynamicHostAndPort = CorsUtil.getDynamicHostAndPort();
        String staticHostAndPort = CorsUtil.getStaticHostAndPort();
        if (hostAndPort.equals(str)) {
            return true;
        }
        if (!Strings.isNullOrEmpty(dynamicHostAndPort) && dynamicHostAndPort.equals(str)) {
            return true;
        }
        if ((!Strings.isNullOrEmpty(staticHostAndPort) && staticHostAndPort.equals(str)) || isDomainInAllowedOriginsList(str2, str)) {
            return true;
        }
        try {
            return isValidRequestForSamlTestLogin(httpServletRequest, str, str2);
        } catch (URISyntaxException e) {
            return false;
        }
    }

    public static boolean isDomainInAllowedOriginsList(String str, String str2) {
        String normalizeDomain = normalizeDomain(str, str2);
        Iterator<String> it = getAllowedDomains().iterator();
        while (it.hasNext()) {
            if (normalizeDomain.equalsIgnoreCase(normalizeDomain(str, it.next()))) {
                return true;
            }
        }
        return false;
    }

    @VisibleForTesting
    static String normalizeDomain(String str, String str2) {
        return str2.contains(":") ? str2 : str2 + getPortExtensionByProtocol(str);
    }

    private static String getPortExtensionByProtocol(String str) {
        return "https".equalsIgnoreCase(str) ? ":443" : ":80";
    }

    private static boolean isValidRequestForSamlTestLogin(HttpServletRequest httpServletRequest, String str, String str2) throws URISyntaxException {
        return isRequestUrlSetToSamlAssertionConsumerUrl(httpServletRequest) && isRequestFromSamlTestIdp(httpServletRequest, str, str2);
    }

    private static boolean isRequestUrlSetToSamlAssertionConsumerUrl(HttpServletRequest httpServletRequest) throws URISyntaxException {
        return new URI(httpServletRequest.getRequestURI()).getPath().equalsIgnoreCase("/" + Constants.APPLICATION_CONTEXT + SamlSpServiceUrlGenerator.SAML_ASSERTION_CONSUMER_ENDPOINT);
    }

    private static boolean isRequestFromSamlTestIdp(HttpServletRequest httpServletRequest, String str, String str2) throws URISyntaxException {
        SamlTestStateManager samlTestStateManager = (SamlTestStateManager) ApplicationContextHolder.getBean(SamlTestStateManager.class);
        if (samlTestStateManager.isTestModeUnavailable()) {
            return false;
        }
        samlTestStateManager.startUsingTestData();
        try {
            IdpMetadataService idpMetadataService = (IdpMetadataService) ApplicationContextHolder.getBean("idpMetadataService", IdpMetadataService.class);
            Stream<R> map = samlTestStateManager.getTestSamlSettingsList(httpServletRequest).stream().map((v0) -> {
                return v0.getIdpMetadataUuid();
            });
            idpMetadataService.getClass();
            Iterator it = ((List) map.map(idpMetadataService::getIdpLoginUrl).collect(Collectors.toList())).iterator();
            while (it.hasNext()) {
                if (normalizeDomain(str2, new URI((String) it.next()).getAuthority()).equalsIgnoreCase(normalizeDomain(str2, str))) {
                    return true;
                }
            }
            samlTestStateManager.stopUsingTestData();
            return false;
        } finally {
            samlTestStateManager.stopUsingTestData();
        }
    }
}
