package io.micronaut.http.server.tck.tests.cors;

import io.micronaut.context.annotation.Requires;
import io.micronaut.context.event.ApplicationEventListener;
import io.micronaut.context.event.ApplicationEventPublisher;
import io.micronaut.http.HttpRequest;
import io.micronaut.http.HttpStatus;
import io.micronaut.http.annotation.Consumes;
import io.micronaut.http.annotation.Controller;
import io.micronaut.http.annotation.Post;
import io.micronaut.http.annotation.Status;
import io.micronaut.http.client.multipart.MultipartBody;
import io.micronaut.http.server.tck.CorsAssertion;
import io.micronaut.http.tck.AssertionUtils;
import io.micronaut.http.tck.HttpResponseAssertion;
import io.micronaut.http.tck.RequestSupplier;
import io.micronaut.http.tck.ServerUnderTest;
import io.micronaut.http.tck.TestScenario;
import io.micronaut.runtime.context.scope.refresh.RefreshEvent;
import jakarta.inject.Inject;
import jakarta.inject.Singleton;
import java.io.IOException;
import java.util.Collections;
import java.util.Map;
import java.util.Optional;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Tag;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.function.Executable;

/* loaded from: input_file:io/micronaut/http/server/tck/tests/cors/CorsSimpleRequestTest.class */
public class CorsSimpleRequestTest {
    private static final String SPECNAME = "CorsSimpleRequestTest";
    private static final String PROPERTY_MICRONAUT_SERVER_CORS_ENABLED = "micronaut.server.cors.enabled";
    private static final String PROPERTY_MICRONAUT_SERVER_CORS_LOCALHOST_PASS_THROUGH = "micronaut.server.cors.localhost-pass-through";

    @Requires(property = "spec.name", value = CorsSimpleRequestTest.SPECNAME)
    @Controller
    /* loaded from: input_file:io/micronaut/http/server/tck/tests/cors/CorsSimpleRequestTest$RefreshController.class */
    static class RefreshController {

        @Inject
        ApplicationEventPublisher<RefreshEvent> refreshEventApplicationEventPublisher;

        /* JADX INFO: Access modifiers changed from: package-private */
        @Consumes({"multipart/form-data"})
        @Post("/refresh")
        @Status(HttpStatus.OK)
        public void refresh() {
            this.refreshEventApplicationEventPublisher.publishEvent(new RefreshEvent());
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @Singleton
    @Requires(property = "spec.name", value = CorsSimpleRequestTest.SPECNAME)
    /* loaded from: input_file:io/micronaut/http/server/tck/tests/cors/CorsSimpleRequestTest$RefreshCounter.class */
    public static class RefreshCounter implements ApplicationEventListener<RefreshEvent> {
        private int refreshCount = 0;

        public void onApplicationEvent(RefreshEvent refreshEvent) {
            this.refreshCount++;
        }

        public int getRefreshCount() {
            return this.refreshCount;
        }
    }

    @Tag("multipart")
    @Test
    void corsSimpleRequestNotAllowedForLocalhostAndAny() throws IOException {
        TestScenario.asserts(SPECNAME, Collections.singletonMap("micronaut.server.cors.enabled", "true"), createRequest("https://foo.com"), CorsSimpleRequestTest::isForbidden);
    }

    @Tag("multipart")
    @Test
    void corsSimpleRequestAllowedForLocalhostAndAnyWhenSpecificallyTurnedOff() throws IOException {
        TestScenario.asserts(SPECNAME, Map.of("micronaut.server.cors.enabled", "true", PROPERTY_MICRONAUT_SERVER_CORS_LOCALHOST_PASS_THROUGH, "true"), createRequest("https://foo.com"), CorsSimpleRequestTest::isSuccessful);
    }

    @Tag("multipart")
    @Test
    void corsSimpleRequestNotAllowedFor127AndAny() throws IOException {
        TestScenario.asserts(SPECNAME, Collections.singletonMap("micronaut.server.cors.enabled", "true"), createRequestFor("127.0.0.1", "https://foo.com"), CorsSimpleRequestTest::isForbidden);
    }

    @Tag("multipart")
    @Test
    void corsSimpleRequestAllowedForLocalhostAndOriginLocalhost() throws IOException {
        TestScenario.asserts(SPECNAME, Collections.singletonMap("micronaut.server.cors.enabled", "true"), createRequest("http://localhost:8000"), CorsSimpleRequestTest::isSuccessful);
    }

    @Tag("multipart")
    @Test
    void corsSimpleRequestAllowedForLocalhostAnd127Origin() throws IOException {
        TestScenario.asserts(SPECNAME, Collections.singletonMap("micronaut.server.cors.enabled", "true"), createRequestFor("localhost", "http://127.0.0.1:8000"), CorsSimpleRequestTest::isSuccessful);
    }

    @Tag("multipart")
    @Test
    void corsSimpleRequestFailsForLocalhostAndSpoofed127Origin() throws IOException {
        TestScenario.asserts(SPECNAME, Collections.singletonMap("micronaut.server.cors.enabled", "true"), createRequestFor("localhost", "http://127.0.0.1.hac0r.com:8000"), CorsSimpleRequestTest::isForbidden);
    }

    @Tag("multipart")
    @Test
    void corsSimpleRequestAllowedFor127RequestAndLocalhostOrigin() throws IOException {
        TestScenario.asserts(SPECNAME, Collections.singletonMap("micronaut.server.cors.enabled", "true"), createRequestFor("127.0.0.1", "http://localhost:8000"), CorsSimpleRequestTest::isSuccessful);
    }

    @Tag("multipart")
    @Test
    void corsSimpleRequestForLocalhostCanBeAllowedViaConfiguration() throws IOException {
        TestScenario.asserts(SPECNAME, Map.of("micronaut.server.cors.enabled", "true", "micronaut.server.cors.configurations.foo.allowed-origins", Collections.singletonList("https://foo.com")), createRequest("https://foo.com"), CorsSimpleRequestTest::isSuccessfulCorsAssertion);
    }

    @Tag("multipart")
    @Test
    void corsSimpleRequestForLocalhostCanBeAllowedViaRegexConfiguration() throws IOException {
        TestScenario.asserts(SPECNAME, Map.of("micronaut.server.cors.enabled", "true", "micronaut.server.cors.configurations.foo.allowed-origins-regex", Collections.singletonList("^http(|s):\\/\\/foo\\.com$")), createRequest("https://foo.com"), CorsSimpleRequestTest::isSuccessfulCorsAssertion);
    }

    @Tag("multipart")
    @Test
    void corsSimpleRequestForLocalhostForbiddenViaRegexConfiguration() throws IOException {
        TestScenario.asserts(SPECNAME, Map.of("micronaut.server.cors.enabled", "true", "micronaut.server.cors.configurations.foo.allowed-origins-regex", Collections.singletonList("^http(|s):\\/\\/foo\\.com$")), createRequest("https://bar.com"), CorsSimpleRequestTest::isForbidden);
    }

    @Tag("multipart")
    @Test
    void corsSimpleRequestForLocalhostCanBeAllowedViaConfigurationWithRegexToo() throws IOException {
        Map of = Map.of("micronaut.server.cors.enabled", "true", "micronaut.server.cors.configurations.foo.allowed-origins-regex", Collections.singletonList("^http(|s):\\/\\/foo\\.com$"), "micronaut.server.cors.configurations.foo.allowed-origins", Collections.singletonList("https://bar.com"));
        Assertions.assertAll(new Executable[]{() -> {
            TestScenario.asserts(SPECNAME, of, createRequest("https://foo.com"), (serverUnderTest, httpRequest) -> {
                RefreshCounter refreshCounter = (RefreshCounter) serverUnderTest.getApplicationContext().getBean(RefreshCounter.class);
                Assertions.assertEquals(0, refreshCounter.getRefreshCount());
                AssertionUtils.assertDoesNotThrow(serverUnderTest, httpRequest, HttpResponseAssertion.builder().status(HttpStatus.OK).assertResponse(httpResponse -> {
                    CorsAssertion.builder().vary("Origin").allowCredentials().allowOrigin("https://foo.com").build().validate(httpResponse);
                }).build());
                Assertions.assertEquals(1, refreshCounter.getRefreshCount());
            });
        }, () -> {
            TestScenario.asserts(SPECNAME, of, createRequest("http://foo.com"), (serverUnderTest, httpRequest) -> {
                RefreshCounter refreshCounter = (RefreshCounter) serverUnderTest.getApplicationContext().getBean(RefreshCounter.class);
                Assertions.assertEquals(0, refreshCounter.getRefreshCount());
                AssertionUtils.assertDoesNotThrow(serverUnderTest, httpRequest, HttpResponseAssertion.builder().status(HttpStatus.OK).assertResponse(httpResponse -> {
                    CorsAssertion.builder().vary("Origin").allowCredentials().allowOrigin("http://foo.com").build().validate(httpResponse);
                }).build());
                Assertions.assertEquals(1, refreshCounter.getRefreshCount());
            });
        }, () -> {
            TestScenario.asserts(SPECNAME, of, createRequest("https://bar.com"), (serverUnderTest, httpRequest) -> {
                RefreshCounter refreshCounter = (RefreshCounter) serverUnderTest.getApplicationContext().getBean(RefreshCounter.class);
                Assertions.assertEquals(0, refreshCounter.getRefreshCount());
                AssertionUtils.assertDoesNotThrow(serverUnderTest, httpRequest, HttpResponseAssertion.builder().status(HttpStatus.OK).assertResponse(httpResponse -> {
                    CorsAssertion.builder().vary("Origin").allowCredentials().allowOrigin("https://bar.com").build().validate(httpResponse);
                }).build());
                Assertions.assertEquals(1, refreshCounter.getRefreshCount());
            });
        }});
    }

    @Tag("multipart")
    @Test
    void corsSimpleRequestForAllowedRegexDoesNotDefaultToAllAllowedorigins() throws IOException {
        TestScenario.asserts(SPECNAME, Map.of("micronaut.server.cors.enabled", "true", "micronaut.server.cors.configurations.foo.allowed-origins-regex", Collections.singletonList("^http(|s):\\/\\/foo\\.com$")), createRequest("https://bar.com"), CorsSimpleRequestTest::isForbidden);
    }

    private RequestSupplier createRequestFor(String str, String str2) {
        return serverUnderTest -> {
            Optional port = serverUnderTest.getPort();
            Optional scheme = serverUnderTest.getScheme();
            if (port.isEmpty() || scheme.isEmpty()) {
                throw new RuntimeException("Unknown port or scheme for " + String.valueOf(serverUnderTest));
            }
            return createRequest(((String) scheme.get()) + "://" + str + ":" + String.valueOf(port.get()) + "/refresh", str2);
        };
    }

    static void isForbidden(ServerUnderTest serverUnderTest, HttpRequest<?> httpRequest) {
        RefreshCounter refreshCounter = (RefreshCounter) serverUnderTest.getApplicationContext().getBean(RefreshCounter.class);
        Assertions.assertEquals(0, refreshCounter.getRefreshCount());
        AssertionUtils.assertThrows(serverUnderTest, httpRequest, HttpResponseAssertion.builder().status(HttpStatus.FORBIDDEN).assertResponse(httpResponse -> {
            Assertions.assertFalse(httpResponse.getHeaders().contains("Vary"));
        }).build());
        Assertions.assertEquals(0, refreshCounter.getRefreshCount());
    }

    static void isSuccessful(ServerUnderTest serverUnderTest, HttpRequest<?> httpRequest) {
        RefreshCounter refreshCounter = (RefreshCounter) serverUnderTest.getApplicationContext().getBean(RefreshCounter.class);
        Assertions.assertEquals(0, refreshCounter.getRefreshCount());
        AssertionUtils.assertDoesNotThrow(serverUnderTest, httpRequest, HttpResponseAssertion.builder().status(HttpStatus.OK).build());
        Assertions.assertEquals(1, refreshCounter.getRefreshCount());
    }

    static void isSuccessfulCorsAssertion(ServerUnderTest serverUnderTest, HttpRequest<?> httpRequest) {
        RefreshCounter refreshCounter = (RefreshCounter) serverUnderTest.getApplicationContext().getBean(RefreshCounter.class);
        Assertions.assertEquals(0, refreshCounter.getRefreshCount());
        AssertionUtils.assertDoesNotThrow(serverUnderTest, httpRequest, HttpResponseAssertion.builder().status(HttpStatus.OK).assertResponse(httpResponse -> {
            CorsAssertion.builder().vary("Origin").allowCredentials().allowOrigin("https://foo.com").build().validate(httpResponse);
        }).build());
        Assertions.assertEquals(1, refreshCounter.getRefreshCount());
    }

    static HttpRequest<?> createRequest(String str) {
        return createRequest("/refresh", str);
    }

    static HttpRequest<?> createRequest(String str, String str2) {
        return HttpRequest.POST(str, MultipartBody.builder().addPart("force", "true").build()).header("Content-Type", "multipart/form-data; boundary=----WebKitFormBoundarywxiDZy8kMlSE59h1").header("Origin", str2).header("Accept-Encoding", "gzip, deflate").header("Connection", "keep-alive").header("Accept", "*/*").header("User-Agent", "Mozilla / 5.0 (Macintosh; Intel Mac OS X 10_15_7)AppleWebKit / 605.1 .15 (KHTML, like Gecko)Version / 16.1 Safari / 605.1 .15").header("Referer", str2).header("Accept-Language", "en - GB, en").header("content-length", "140");
    }
}
