package io.micronaut.http.server.tck.tests.cors;

import io.micronaut.context.annotation.Replaces;
import io.micronaut.context.annotation.Requires;
import io.micronaut.core.annotation.Nullable;
import io.micronaut.core.util.CollectionUtils;
import io.micronaut.http.HttpMethod;
import io.micronaut.http.HttpRequest;
import io.micronaut.http.HttpResponse;
import io.micronaut.http.HttpStatus;
import io.micronaut.http.MutableHttpRequest;
import io.micronaut.http.annotation.Controller;
import io.micronaut.http.annotation.Delete;
import io.micronaut.http.annotation.Get;
import io.micronaut.http.annotation.PathVariable;
import io.micronaut.http.annotation.Post;
import io.micronaut.http.annotation.Produces;
import io.micronaut.http.server.cors.CrossOrigin;
import io.micronaut.http.server.tck.AssertionUtils;
import io.micronaut.http.server.tck.CorsUtils;
import io.micronaut.http.server.tck.HttpResponseAssertion;
import io.micronaut.http.server.tck.ServerUnderTest;
import io.micronaut.http.server.tck.TestScenario;
import io.micronaut.http.server.util.HttpHostResolver;
import io.micronaut.http.uri.UriBuilder;
import jakarta.inject.Singleton;
import java.io.IOException;
import java.net.URI;
import java.util.Map;
import java.util.function.BiConsumer;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.function.Executable;

/* loaded from: input_file:io/micronaut/http/server/tck/tests/cors/CrossOriginTest.class */
public class CrossOriginTest {
    private static final String SPECNAME = "CrossOriginTest";

    @Requires(property = "spec.name", value = CrossOriginTest.SPECNAME)
    @Controller("/allowedheaders")
    @CrossOrigin(value = {"https://foo.com"}, allowedHeaders = {"Content-Type", "Authorization"})
    /* loaded from: input_file:io/micronaut/http/server/tck/tests/cors/CrossOriginTest$AllowedHeaders.class */
    static class AllowedHeaders {
        /* JADX INFO: Access modifiers changed from: package-private */
        @Get("/bar")
        @Produces({"text/plain"})
        public String index() {
            return "bar";
        }
    }

    @Requires(property = "spec.name", value = CrossOriginTest.SPECNAME)
    @Controller("/methods")
    @CrossOrigin(allowedOrigins = {"https://www.google.com"}, allowedMethods = {HttpMethod.GET, HttpMethod.POST})
    /* loaded from: input_file:io/micronaut/http/server/tck/tests/cors/CrossOriginTest$AllowedMethods.class */
    static class AllowedMethods {
        /* JADX INFO: Access modifiers changed from: package-private */
        @Get("/getit")
        @Produces({"text/plain"})
        public String canGet() {
            return "get";
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        @Post("/postit/{id}")
        @Produces({"text/plain"})
        public String canPost(@PathVariable String str) {
            return str;
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        @Delete("/deleteit/{id}")
        public String cantDelete(@PathVariable String str) {
            return str;
        }
    }

    @Requires(property = "spec.name", value = CrossOriginTest.SPECNAME)
    @Controller("/allowedoriginsregex")
    /* loaded from: input_file:io/micronaut/http/server/tck/tests/cors/CrossOriginTest$AllowedOriginsRegex.class */
    static class AllowedOriginsRegex {
        /* JADX INFO: Access modifiers changed from: package-private */
        @CrossOrigin(allowedOriginsRegex = "^http(|s):\\/\\/foo\\.com$")
        @Get("/foo")
        @Produces({"text/plain"})
        public String foo() {
            return "foo";
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        @CrossOrigin({"^http(|s):\\/\\/foo\\.com$"})
        @Get("/bar")
        @Produces({"text/plain"})
        public String bar() {
            return "bar";
        }
    }

    @Requires(property = "spec.name", value = CrossOriginTest.SPECNAME)
    @Controller("/credentials")
    /* loaded from: input_file:io/micronaut/http/server/tck/tests/cors/CrossOriginTest$Credentials.class */
    static class Credentials {
        /* JADX INFO: Access modifiers changed from: package-private */
        @CrossOrigin(value = {"https://foo.com"}, allowCredentials = false)
        @Get("/foo")
        @Produces({"text/plain"})
        public String foo() {
            return "foo";
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        @CrossOrigin({"https://foo.com"})
        @Get("/bar")
        @Produces({"text/plain"})
        public String bar() {
            return "bar";
        }
    }

    @Requires(property = "spec.name", value = CrossOriginTest.SPECNAME)
    @Controller("/exposedheaders")
    /* loaded from: input_file:io/micronaut/http/server/tck/tests/cors/CrossOriginTest$ExposedHeaders.class */
    static class ExposedHeaders {
        /* JADX INFO: Access modifiers changed from: package-private */
        @CrossOrigin(value = {"https://foo.com"}, exposedHeaders = {"Content-Encoding", "Kuma-Revision"})
        @Get("/bar")
        @Produces({"text/plain"})
        public String bar() {
            return "bar";
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        @CrossOrigin({"https://foo.com"})
        @Get("/foo")
        @Produces({"text/plain"})
        public String foo() {
            return "foo";
        }
    }

    @Requires(property = "spec.name", value = CrossOriginTest.SPECNAME)
    @Controller("/foo")
    /* loaded from: input_file:io/micronaut/http/server/tck/tests/cors/CrossOriginTest$Foo.class */
    static class Foo {
        /* JADX INFO: Access modifiers changed from: package-private */
        @CrossOrigin({"https://foo.com"})
        @Get("/bar")
        @Produces({"text/plain"})
        public String index() {
            return "bar";
        }
    }

    @Singleton
    @Requires(property = "spec.name", value = CrossOriginTest.SPECNAME)
    @Replaces(HttpHostResolver.class)
    /* loaded from: input_file:io/micronaut/http/server/tck/tests/cors/CrossOriginTest$HttpHostResolverReplacement.class */
    static class HttpHostResolverReplacement implements HttpHostResolver {
        public String resolve(@Nullable HttpRequest httpRequest) {
            return "https://micronautexample.com";
        }
    }

    @Requires(property = "spec.name", value = CrossOriginTest.SPECNAME)
    @Controller("/maxage")
    /* loaded from: input_file:io/micronaut/http/server/tck/tests/cors/CrossOriginTest$MaxAge.class */
    static class MaxAge {
        /* JADX INFO: Access modifiers changed from: package-private */
        @CrossOrigin({"https://foo.com"})
        @Get("/foo")
        @Produces({"text/plain"})
        public String foo() {
            return "foo";
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        @CrossOrigin(value = {"https://foo.com"}, maxAge = 1000)
        @Get("/bar")
        @Produces({"text/plain"})
        public String bar() {
            return "bar";
        }
    }

    @Test
    void crossOriginAnnotationWithMatchingOrigin() throws IOException {
        TestScenario.asserts(SPECNAME, preflight(UriBuilder.of("/foo").path("bar"), "https://foo.com", HttpMethod.GET), (serverUnderTest, httpRequest) -> {
            AssertionUtils.assertDoesNotThrow(serverUnderTest, httpRequest, HttpResponseAssertion.builder().status(HttpStatus.OK).assertResponse(httpResponse -> {
                CorsUtils.assertCorsHeaders(httpResponse, "https://foo.com", HttpMethod.GET);
                Assertions.assertFalse(httpResponse.getHeaders().names().contains("Access-Control-Allow-Headers"));
            }).build());
        });
    }

    @Test
    void crossOriginAnnotationWithNoMatchingOrigin() throws IOException {
        TestScenario.asserts(SPECNAME, preflight(UriBuilder.of("/foo").path("bar"), "https://bar.com", HttpMethod.GET), (serverUnderTest, httpRequest) -> {
            AssertionUtils.assertThrows(serverUnderTest, httpRequest, HttpResponseAssertion.builder().status(HttpStatus.METHOD_NOT_ALLOWED).assertResponse(CorsUtils::assertCorsHeadersNotPresent).build());
        });
    }

    @Test
    void verifyHttpMethodIsValidatedInACorsRequest() {
        Assertions.assertAll(new Executable[]{() -> {
            TestScenario.asserts(SPECNAME, preflight(UriBuilder.of("/methods").path("getit"), "https://www.google.com", HttpMethod.GET), (serverUnderTest, httpRequest) -> {
                AssertionUtils.assertDoesNotThrow(serverUnderTest, httpRequest, HttpResponseAssertion.builder().status(HttpStatus.OK).assertResponse(httpResponse -> {
                    CorsUtils.assertCorsHeaders(httpResponse, "https://www.google.com", HttpMethod.GET);
                    Assertions.assertFalse(httpResponse.getHeaders().names().contains("Access-Control-Allow-Headers"));
                }).build());
            });
        }, () -> {
            TestScenario.asserts(SPECNAME, preflight(UriBuilder.of("/methods").path("postit").path("id"), "https://www.google.com", HttpMethod.POST), (serverUnderTest, httpRequest) -> {
                AssertionUtils.assertDoesNotThrow(serverUnderTest, httpRequest, HttpResponseAssertion.builder().status(HttpStatus.OK).assertResponse(httpResponse -> {
                    CorsUtils.assertCorsHeaders(httpResponse, "https://www.google.com", HttpMethod.POST);
                    Assertions.assertFalse(httpResponse.getHeaders().names().contains("Access-Control-Allow-Headers"));
                }).build());
            });
        }, () -> {
            TestScenario.asserts(SPECNAME, preflight(UriBuilder.of("/methods").path("deleteit").path("id"), "https://www.google.com", HttpMethod.DELETE), (serverUnderTest, httpRequest) -> {
                AssertionUtils.assertThrows(serverUnderTest, httpRequest, HttpResponseAssertion.builder().status(HttpStatus.FORBIDDEN).assertResponse(CorsUtils::assertCorsHeadersNotPresent).build());
            });
        }});
    }

    @Test
    void allowedOriginsRegexHappyPath() throws IOException {
        URI build = UriBuilder.of("/allowedoriginsregex").path("foo").build();
        TestScenario.asserts(SPECNAME, preflight(build, "https://foo.com", HttpMethod.GET), happyPathAssertion("https://foo.com"));
        TestScenario.asserts(SPECNAME, preflight(build, "http://foo.com", HttpMethod.GET), happyPathAssertion("http://foo.com"));
    }

    private static BiConsumer<ServerUnderTest, HttpRequest<?>> happyPathAssertion(String str) {
        return (serverUnderTest, httpRequest) -> {
            AssertionUtils.assertDoesNotThrow(serverUnderTest, httpRequest, HttpResponseAssertion.builder().status(HttpStatus.OK).assertResponse(httpResponse -> {
                CorsUtils.assertCorsHeaders(httpResponse, str, HttpMethod.GET);
                Assertions.assertFalse(httpResponse.getHeaders().names().contains("Access-Control-Allow-Headers"));
            }).build());
        };
    }

    @Test
    void allowedOriginsRegexFailure() throws IOException {
        TestScenario.asserts(SPECNAME, preflight(UriBuilder.of("/allowedoriginsregex").path("bar"), "https://foo.com", HttpMethod.GET), (serverUnderTest, httpRequest) -> {
            AssertionUtils.assertThrows(serverUnderTest, httpRequest, HttpResponseAssertion.builder().status(HttpStatus.METHOD_NOT_ALLOWED).assertResponse(CorsUtils::assertCorsHeadersNotPresent).build());
        });
    }

    @Test
    void allowedHeadersHappyPath() throws IOException {
        TestScenario.asserts(SPECNAME, preflight(UriBuilder.of("/allowedheaders").path("bar"), "https://foo.com", HttpMethod.GET).header("Access-Control-Request-Headers", "Authorization,Content-Type"), (serverUnderTest, httpRequest) -> {
            AssertionUtils.assertDoesNotThrow(serverUnderTest, httpRequest, HttpResponseAssertion.builder().status(HttpStatus.OK).assertResponse(httpResponse -> {
                CorsUtils.assertCorsHeaders(httpResponse, "https://foo.com", HttpMethod.GET);
                Assertions.assertTrue(httpResponse.getHeaders().names().contains("Access-Control-Allow-Headers"));
            }).build());
        });
    }

    @Test
    void allowedHeadersFailure() throws IOException {
        TestScenario.asserts(SPECNAME, preflight(UriBuilder.of("/allowedheaders").path("bar"), "https://foo.com", HttpMethod.GET).header("Access-Control-Request-Headers", "foo"), (serverUnderTest, httpRequest) -> {
            AssertionUtils.assertThrows(serverUnderTest, httpRequest, HttpResponseAssertion.builder().status(HttpStatus.FORBIDDEN).assertResponse(CorsUtils::assertCorsHeadersNotPresent).build());
        });
    }

    @Test
    void defaultAccessControlExposeHeaderValueIsNotSet() throws IOException {
        TestScenario.asserts(SPECNAME, preflight(UriBuilder.of("/exposedheaders").path("foo"), "https://foo.com", HttpMethod.GET), (serverUnderTest, httpRequest) -> {
            AssertionUtils.assertDoesNotThrow(serverUnderTest, httpRequest, HttpResponseAssertion.builder().status(HttpStatus.OK).assertResponse(httpResponse -> {
                CorsUtils.assertCorsHeaders(httpResponse, "https://foo.com", HttpMethod.GET);
                Assertions.assertFalse(httpResponse.getHeaders().names().contains("Access-Control-Expose-Headers"));
            }).build());
        });
    }

    @Test
    void httHeaderValueAccessControlExposeHeaderValueCanBeSetViaCrossOriginAnnotation() throws IOException {
        TestScenario.asserts(SPECNAME, (Map<String, Object>) CollectionUtils.mapOf(new Object[]{"micronaut.server.cors.single-header", "true"}), (HttpRequest<?>) preflight(UriBuilder.of("/exposedheaders").path("bar"), "https://foo.com", HttpMethod.GET).header("Access-Control-Expose-Headers", "foo"), (BiConsumer<ServerUnderTest, HttpRequest<?>>) (serverUnderTest, httpRequest) -> {
            AssertionUtils.assertDoesNotThrow(serverUnderTest, httpRequest, HttpResponseAssertion.builder().status(HttpStatus.OK).assertResponse(httpResponse -> {
                CorsUtils.assertCorsHeaders(httpResponse, "https://foo.com", HttpMethod.GET);
                Assertions.assertTrue(httpResponse.getHeaders().names().contains("Access-Control-Expose-Headers"));
                Assertions.assertEquals("Content-Encoding,Kuma-Revision", httpResponse.getHeaders().get("Access-Control-Expose-Headers"));
            }).build());
        });
    }

    @Test
    void defaultAccessControlAllowCredentialsValueIsNotSet() throws IOException {
        TestScenario.asserts(SPECNAME, preflight(UriBuilder.of("/credentials").path("foo"), "https://foo.com", HttpMethod.GET), (serverUnderTest, httpRequest) -> {
            AssertionUtils.assertDoesNotThrow(serverUnderTest, httpRequest, HttpResponseAssertion.builder().status(HttpStatus.OK).assertResponse(httpResponse -> {
                CorsUtils.assertCorsHeaders((HttpResponse<?>) httpResponse, "https://foo.com", HttpMethod.GET, false);
                Assertions.assertFalse(httpResponse.getHeaders().names().contains("Access-Control-Allow-Credentials"));
            }).build());
        });
    }

    @Test
    void defaultAccessControlAllowCredentialsValueIsSet() throws IOException {
        TestScenario.asserts(SPECNAME, preflight(UriBuilder.of("/credentials").path("bar"), "https://foo.com", HttpMethod.GET), (serverUnderTest, httpRequest) -> {
            AssertionUtils.assertDoesNotThrow(serverUnderTest, httpRequest, HttpResponseAssertion.builder().status(HttpStatus.OK).assertResponse(httpResponse -> {
                CorsUtils.assertCorsHeaders(httpResponse, "https://foo.com", HttpMethod.GET);
                Assertions.assertTrue(httpResponse.getHeaders().names().contains("Access-Control-Allow-Credentials"));
                Assertions.assertEquals("true", httpResponse.getHeaders().get("Access-Control-Allow-Credentials"));
            }).build());
        });
    }

    @Test
    void defaultAccessControlMaxAgeValueIsSet() throws IOException {
        TestScenario.asserts(SPECNAME, preflight(UriBuilder.of("/maxage").path("foo"), "https://foo.com", HttpMethod.GET), (serverUnderTest, httpRequest) -> {
            AssertionUtils.assertDoesNotThrow(serverUnderTest, httpRequest, HttpResponseAssertion.builder().status(HttpStatus.OK).assertResponse(httpResponse -> {
                CorsUtils.assertCorsHeaders(httpResponse, "https://foo.com", HttpMethod.GET);
                Assertions.assertTrue(httpResponse.getHeaders().names().contains("Access-Control-Max-Age"));
                Assertions.assertEquals("1800", httpResponse.getHeaders().get("Access-Control-Max-Age"));
            }).build());
        });
    }

    @Test
    void accessControlMaxAgeValueIsSet() throws IOException {
        TestScenario.asserts(SPECNAME, preflight(UriBuilder.of("/maxage").path("bar"), "https://foo.com", HttpMethod.GET), (serverUnderTest, httpRequest) -> {
            AssertionUtils.assertDoesNotThrow(serverUnderTest, httpRequest, HttpResponseAssertion.builder().status(HttpStatus.OK).assertResponse(httpResponse -> {
                CorsUtils.assertCorsHeaders((HttpResponse<?>) httpResponse, "https://foo.com", HttpMethod.GET, "1000");
                Assertions.assertTrue(httpResponse.getHeaders().names().contains("Access-Control-Max-Age"));
                Assertions.assertEquals("1000", httpResponse.getHeaders().get("Access-Control-Max-Age"));
            }).build());
        });
    }

    private static MutableHttpRequest<?> preflight(UriBuilder uriBuilder, String str, HttpMethod httpMethod) {
        return preflight(uriBuilder.build(), str, httpMethod);
    }

    private static MutableHttpRequest<?> preflight(URI uri, String str, HttpMethod httpMethod) {
        return HttpRequest.OPTIONS(uri).header("Accept", "text/plain").header("Origin", str).header("Access-Control-Request-Method", httpMethod);
    }
}
