package org.springframework.web.cors.reactive;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.http.HttpHeaders;
import org.springframework.http.HttpMethod;
import org.springframework.http.HttpStatus;
import org.springframework.http.server.reactive.ServerHttpRequest;
import org.springframework.http.server.reactive.ServerHttpResponse;
import org.springframework.lang.Nullable;
import org.springframework.util.CollectionUtils;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.server.ServerWebExchange;

/* loaded from: input_file:BOOT-INF/lib/spring-web-5.1.14.RELEASE.jar:org/springframework/web/cors/reactive/DefaultCorsProcessor.class */
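/**
 * Default {@link CorsProcessor} for reactive exchanges.
 *
 * <p>Decides whether a request needs CORS handling, validates its origin, method and
 * headers against a {@link CorsConfiguration}, and writes the matching
 * {@code Access-Control-*} response headers. A rejected request gets a 403 status and
 * {@link #process} returns {@code false}.
 *
 * <p>The allow/deny decisions themselves are delegated to {@link CorsConfiguration};
 * this class only sequences the checks and copies the results into the response.
 */
public class DefaultCorsProcessor implements CorsProcessor {
    private static final Log logger = LogFactory.getLog(DefaultCorsProcessor.class);

    /** Request headers the CORS response depends on; advertised to caches through {@code Vary}. */
    private static final List<String> VARY_HEADERS = Arrays.asList(
            HttpHeaders.ORIGIN,
            HttpHeaders.ACCESS_CONTROL_REQUEST_METHOD,
            HttpHeaders.ACCESS_CONTROL_REQUEST_HEADERS);

    /**
     * Applies CORS processing to the exchange.
     *
     * @param corsConfiguration the configuration to check against, or {@code null} if none applies
     * @param serverWebExchange the current exchange
     * @return {@code false} if the request was rejected (status already set to 403),
     *         {@code true} otherwise
     */
    @Override
    public boolean process(@Nullable CorsConfiguration corsConfiguration, ServerWebExchange serverWebExchange) {
        ServerHttpRequest request = serverWebExchange.getRequest();
        ServerHttpResponse response = serverWebExchange.getResponse();
        if (!CorsUtils.isCorsRequest(request)) {
            return true;
        }
        // An Access-Control-Allow-Origin header that is already present is left untouched and is
        // not validated against the configuration.
        if (responseHasCors(response)) {
            logger.trace("Skip: response already contains \"Access-Control-Allow-Origin\"");
            return true;
        }
        if (CorsUtils.isSameOrigin(request)) {
            logger.trace("Skip: request is from same origin");
            return true;
        }
        boolean isPreFlightRequest = CorsUtils.isPreFlightRequest(request);
        if (corsConfiguration != null) {
            return handleInternal(serverWebExchange, corsConfiguration, isPreFlightRequest);
        }
        // No configuration: only pre-flight requests are rejected. An actual cross-origin request
        // returns true with no Access-Control-* header written, so this method does not block it;
        // anything that must be denied server-side needs its own authorization check.
        if (!isPreFlightRequest) {
            return true;
        }
        rejectRequest(response);
        return false;
    }

    /** Returns whether the response already carries an {@code Access-Control-Allow-Origin} header. */
    private boolean responseHasCors(ServerHttpResponse serverHttpResponse) {
        return serverHttpResponse.getHeaders().getFirst(HttpHeaders.ACCESS_CONTROL_ALLOW_ORIGIN) != null;
    }

    /**
     * Marks the response as rejected by setting status 403. No body is written here.
     *
     * @param serverHttpResponse the response to mark
     */
    protected void rejectRequest(ServerHttpResponse serverHttpResponse) {
        serverHttpResponse.setStatusCode(HttpStatus.FORBIDDEN);
    }

    /**
     * Validates the request against the configuration and writes the CORS response headers.
     *
     * <p>Origin, method and (for pre-flight) requested headers are all checked before any
     * {@code Access-Control-*} header is set, so a rejected response carries only {@code Vary}.
     *
     * @param serverWebExchange the current exchange
     * @param corsConfiguration the configuration to check against
     * @param z {@code true} if the request is a pre-flight request
     * @return {@code false} if the request was rejected, {@code true} otherwise
     */
    protected boolean handleInternal(ServerWebExchange serverWebExchange, CorsConfiguration corsConfiguration, boolean z) {
        ServerHttpRequest request = serverWebExchange.getRequest();
        ServerHttpResponse response = serverWebExchange.getResponse();
        HttpHeaders headers = response.getHeaders();

        // Vary is added even when the request ends up rejected. Only values that are not already
        // present are added, so running this method again on the same response does not duplicate them.
        // NOTE(review): Vary is written on this path only; responses for requests that skip CORS
        // processing get no Vary from this class. Confirm cache keys if a shared cache is in front.
        List<String> existingVary = headers.get(HttpHeaders.VARY);
        if (existingVary == null) {
            headers.addAll(HttpHeaders.VARY, VARY_HEADERS);
        } else {
            for (String varyHeader : VARY_HEADERS) {
                if (!existingVary.contains(varyHeader)) {
                    headers.add(HttpHeaders.VARY, varyHeader);
                }
            }
        }

        String origin = request.getHeaders().getOrigin();
        String checkOrigin = checkOrigin(corsConfiguration, origin);
        if (checkOrigin == null) {
            // The Origin value is client-supplied and is logged as received.
            if (logger.isDebugEnabled()) {
                logger.debug("Reject: '" + origin + "' origin is not allowed");
            }
            rejectRequest(response);
            return false;
        }

        HttpMethod methodToUse = getMethodToUse(request, z);
        List<HttpMethod> checkMethods = checkMethods(corsConfiguration, methodToUse);
        if (checkMethods == null) {
            if (logger.isDebugEnabled()) {
                logger.debug("Reject: HTTP '" + methodToUse + "' is not allowed");
            }
            rejectRequest(response);
            return false;
        }

        List<String> headersToUse = getHeadersToUse(request, z);
        List<String> checkHeaders = checkHeaders(corsConfiguration, headersToUse);
        // A failed header check rejects pre-flight requests only; for an actual request the
        // result is computed but not enforced.
        if (z && checkHeaders == null) {
            if (logger.isDebugEnabled()) {
                logger.debug("Reject: headers '" + headersToUse + "' are not allowed");
            }
            rejectRequest(response);
            return false;
        }

        // The value returned by checkOrigin is written as-is into Access-Control-Allow-Origin.
        // NOTE(review): how a wildcard origin combined with allowCredentials is resolved is decided
        // inside CorsConfiguration.checkOrigin, which is not visible here - confirm for this version.
        headers.setAccessControlAllowOrigin(checkOrigin);
        if (z) {
            headers.setAccessControlAllowMethods(checkMethods);
            // checkHeaders is non-null here: the null case for pre-flight returned above.
            if (!checkHeaders.isEmpty()) {
                headers.setAccessControlAllowHeaders(checkHeaders);
            }
        }
        List<String> exposedHeaders = corsConfiguration.getExposedHeaders();
        if (!CollectionUtils.isEmpty(exposedHeaders)) {
            headers.setAccessControlExposeHeaders(exposedHeaders);
        }
        if (Boolean.TRUE.equals(corsConfiguration.getAllowCredentials())) {
            headers.setAccessControlAllowCredentials(true);
        }
        Long maxAge = corsConfiguration.getMaxAge();
        if (z && maxAge != null) {
            headers.setAccessControlMaxAge(maxAge.longValue());
        }
        return true;
    }

    /**
     * Checks the request origin by delegating to {@link CorsConfiguration#checkOrigin}.
     *
     * @param corsConfiguration the configuration to check against
     * @param str the {@code Origin} value of the request, possibly {@code null}
     * @return the value to write as the allowed origin, or {@code null} if the origin is not allowed
     */
    @Nullable
    protected String checkOrigin(CorsConfiguration corsConfiguration, @Nullable String str) {
        return corsConfiguration.checkOrigin(str);
    }

    /**
     * Checks the HTTP method by delegating to {@link CorsConfiguration#checkHttpMethod}.
     *
     * @param corsConfiguration the configuration to check against
     * @param httpMethod the method to check, possibly {@code null}
     * @return the methods to list as allowed, or {@code null} if the method is not allowed
     */
    @Nullable
    protected List<HttpMethod> checkMethods(CorsConfiguration corsConfiguration, @Nullable HttpMethod httpMethod) {
        return corsConfiguration.checkHttpMethod(httpMethod);
    }

    /**
     * Picks the method to validate: the {@code Access-Control-Request-Method} header for a
     * pre-flight request, the request's own method otherwise.
     */
    @Nullable
    private HttpMethod getMethodToUse(ServerHttpRequest serverHttpRequest, boolean isPreFlight) {
        if (isPreFlight) {
            return serverHttpRequest.getHeaders().getAccessControlRequestMethod();
        }
        return serverHttpRequest.getMethod();
    }

    /**
     * Checks the request headers by delegating to {@link CorsConfiguration#checkHeaders}.
     *
     * @param corsConfiguration the configuration to check against
     * @param list the header names to check
     * @return the headers to list as allowed, or {@code null} if they are not allowed
     */
    @Nullable
    protected List<String> checkHeaders(CorsConfiguration corsConfiguration, List<String> list) {
        return corsConfiguration.checkHeaders(list);
    }

    /**
     * Picks the header names to validate: the {@code Access-Control-Request-Headers} values for a
     * pre-flight request, otherwise a copy of the names of all headers on the request.
     */
    private List<String> getHeadersToUse(ServerHttpRequest serverHttpRequest, boolean isPreFlight) {
        HttpHeaders headers = serverHttpRequest.getHeaders();
        if (isPreFlight) {
            return headers.getAccessControlRequestHeaders();
        }
        // Typed copy of the key set (the decompiled source used a raw ArrayList here).
        return new ArrayList<>(headers.keySet());
    }
}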
