package org.primeframework.mvc.cors;

import io.fusionauth.http.HTTPMethod;
import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.regex.Pattern;
import org.primeframework.mvc.PrimeBaseTest;
import org.testng.Assert;
import org.testng.annotations.AfterMethod;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.DataProvider;
import org.testng.annotations.Test;

/* loaded from: input_file:org/primeframework/mvc/cors/CORSFilterTest.class */
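/**
 * Integration tests for the CORS filter. Every test sends a real request to the server that
 * {@link PrimeBaseTest} is presumed to start on {@code localhost:9080} (its setup is not visible
 * here) and checks the CORS response headers the filter produces for the configuration installed
 * in {@link #beforeMethod()}.
 *
 * <p>The baseline configuration is deliberately permissive (wildcard origin plus credentials) so
 * that each response header can be exercised. The {@code get*} and {@code post} tests show what
 * that means in practice: the filter reflects the request {@code Origin} verbatim together with
 * {@code Access-Control-Allow-Credentials: true}. A deployment should list explicit origins
 * instead, because reflecting every origin with credentials lets any site issue credentialed
 * cross-origin requests against the application.
 */
public class CORSFilterTest extends PrimeBaseTest {
    private static final String BASE_URL = "http://localhost:9080";

    private static final String STATUS_PATH = "/api/status";

    /** Comma-joined form of the request headers allowed in {@link #beforeMethod()}. */
    private static final String ALLOWED_HEADERS = "Accept,Access-Control-Request-Headers,Access-Control-Request-Method,Authorization,Content-Type,Last-Modified,Origin,X-FusionAuth-TenantId,X-Requested-With";

    /** Comma-joined form of the response headers exposed in {@link #beforeMethod()}. */
    private static final String EXPOSED_HEADERS = "Access-Control-Allow-Origin,Access-Control-Allow-Credentials";

    /**
     * Every CORS response header the filter is observed to emit in these tests, plus {@code Vary},
     * which the tests assert alongside an echoed origin. A rejected request must carry none of them.
     */
    private static final String[] CORS_RESPONSE_HEADERS = {
        "Access-Control-Allow-Credentials",
        "Access-Control-Allow-Headers",
        "Access-Control-Allow-Methods",
        "Access-Control-Allow-Origin",
        "Access-Control-Expose-Headers",
        "Access-Control-Max-Age",
        "Vary"
    };

    /** Drops the per-test configuration so no test inherits another test's mutations. */
    @Override // org.primeframework.mvc.PrimeBaseTest
    @AfterMethod
    public void afterMethod() {
        super.afterMethod();
        corsConfiguration = null;
    }

    /**
     * Installs the permissive baseline: any origin, credentials allowed, the common read/write
     * methods, an explicit request-header allow list, a set of excluded path prefixes that bypass
     * CORS handling entirely, two exposed response headers and a 30 minute preflight cache.
     * Individual tests narrow this configuration before sending their request.
     */
    @Override // org.primeframework.mvc.PrimeBaseTest
    @BeforeMethod
    public void beforeMethod() {
        super.beforeMethod();
        // Wildcard origin + credentials is the most permissive combination; see the class Javadoc.
        corsConfiguration = new CORSConfiguration()
            .withAllowCredentials(true)
            .withAllowedMethods(new HTTPMethod[]{HTTPMethod.GET, HTTPMethod.POST, HTTPMethod.HEAD, HTTPMethod.OPTIONS, HTTPMethod.PUT, HTTPMethod.DELETE})
            .withAllowedHeaders(new String[]{"Accept", "Access-Control-Request-Headers", "Access-Control-Request-Method", "Authorization", "Content-Type", "Last-Modified", "Origin", "X-FusionAuth-TenantId", "X-Requested-With"})
            .withAllowedOrigins(new URI[]{URI.create("*")})
            .withExcludedPathPattern(Pattern.compile("^/account.*|^/admin.*|^/support.*|^/ajax.*|^/css/.*|^/fonts/.*|^/images/.*|^/js/.*"))
            .withExposedHeaders(new String[]{"Access-Control-Allow-Origin", "Access-Control-Allow-Credentials"})
            .withPreflightMaxAgeInSeconds(1800);
    }

    /**
     * Paths matched by the excluded-path pattern in {@link #beforeMethod()}, including a nested one
     * to confirm the pattern is a prefix match.
     */
    @DataProvider(name = "excludedURIs")
    public Object[][] excludedURIs() {
        return new Object[][]{{"/admin/foo"}, {"/admin/nested/foo"}, {"/ajax/foo"}};
    }

    /** A simple GET from an allowed origin: origin echoed, credentials allowed, no preflight-only headers. */
    @Test
    public void get() throws Exception {
        HttpResponse<Void> response = exchange(newClient(), request(STATUS_PATH).GET().header("Origin", "https://jackinthebox.com"));
        Assert.assertEquals(response.statusCode(), 200);
        assertActualRequestHeaders(response, "https://jackinthebox.com");
        // Vary: Origin keeps a shared cache from replaying this origin-specific answer to another origin.
        Assert.assertEquals(header(response, "Vary"), "Origin");
    }

    /**
     * Origins that are not http(s) URLs ({@code file://...}, as sent by some React Native / WebView
     * hosts) are reflected just like web origins under the wildcard configuration.
     */
    @Test
    public void get_reactNativeOrigin() throws Exception {
        HttpClient client = newClient();

        HttpResponse<Void> withPath = exchange(client, request(STATUS_PATH).GET().header("Origin", "file://foo/index.html"));
        Assert.assertEquals(withPath.statusCode(), 200);
        assertActualRequestHeaders(withPath, "file://foo/index.html");
        Assert.assertEquals(header(withPath, "Vary"), "Origin");

        HttpResponse<Void> bareScheme = exchange(client, request(STATUS_PATH).GET().header("Origin", "file://"));
        Assert.assertEquals(bareScheme.statusCode(), 200);
        assertActualRequestHeaders(bareScheme, "file://");
        Assert.assertEquals(header(bareScheme, "Vary"), "Origin");
    }

    /**
     * With no allowed origins at all, a request whose Origin is the server itself is served with
     * no CORS headers. Re-enabling a single origin restricted to GET then makes a JSON POST from
     * that origin a 403 with no CORS headers either.
     */
    @Test
    public void get_sameOrigin() throws Exception {
        corsConfiguration.allowedOrigins.clear();
        HttpClient client = newClient();

        HttpResponse<Void> sameOrigin = exchange(client, request(STATUS_PATH).GET().header("Origin", "http://localhost:9080"));
        Assert.assertEquals(sameOrigin.statusCode(), 200);
        assertNoCORSHeaders(sameOrigin);

        corsConfiguration.withAllowedOrigins(new URI[]{URI.create("http://jackinthebox.com")}).withAllowedMethods(new HTTPMethod[]{HTTPMethod.GET});
        HttpResponse<Void> disallowedPost = exchange(client, request(STATUS_PATH)
            .POST(HttpRequest.BodyPublishers.noBody())
            .header("Content-Type", "application/json")
            .header("Origin", "http://jackinthebox.com"));
        Assert.assertEquals(disallowedPost.statusCode(), 403);
        assertNoCORSHeaders(disallowedPost);
    }

    /** GET is refused when only POST is allowed, even though the origin is a wildcard. */
    @Test
    public void get_validateDisallowedMethod() throws Exception {
        corsConfiguration.withAllowedMethods(new HTTPMethod[]{HTTPMethod.POST}).withAllowedOrigins(new URI[]{URI.create("*")});
        assertUnauthorized();
    }

    /** GET is refused when the request origin is not in an explicit allow list. */
    @Test
    public void get_validateDisallowedOrigin() throws Exception {
        corsConfiguration.withAllowedMethods(new HTTPMethod[]{HTTPMethod.GET}).withAllowedOrigins(new URI[]{URI.create("http://foo.com"), URI.create("https://bar.com")});
        assertUnauthorized();
    }

    /**
     * Excluded paths bypass the filter: they answer 200 with no CORS headers whether or not an
     * Origin is present, so an origin that the configuration would otherwise reject is neither
     * echoed nor blocked there.
     *
     * @param path an excluded path from {@link #excludedURIs()}
     */
    @Test(dataProvider = "excludedURIs")
    public void get_validateExcludedURIs(String path) throws Exception {
        HttpClient client = newClient();

        HttpResponse<Void> noOrigin = exchange(client, request(path).GET());
        Assert.assertEquals(noOrigin.statusCode(), 200);
        assertNoCORSHeaders(noOrigin);

        HttpResponse<Void> foreignOrigin = exchange(client, request(path).GET().header("Origin", "http://foo.com"));
        Assert.assertEquals(foreignOrigin.statusCode(), 200);
        assertNoCORSHeaders(foreignOrigin);
    }

    /**
     * A valid preflight: 204 with the full allow lists and max-age, the requested method echoed
     * back, and no Expose-Headers (that header belongs to the actual response, not the preflight).
     */
    @Test
    public void options() throws Exception {
        HttpResponse<Void> response = exchange(newClient(), preflight(STATUS_PATH, "https://jackinthebox.com", "POST")
            .header("Access-Control-Request-Headers", "X-FusionAuth-TenantId"));
        Assert.assertEquals(response.statusCode(), 204);
        Assert.assertEquals(header(response, "Access-Control-Allow-Credentials"), "true");
        Assert.assertEquals(header(response, "Access-Control-Allow-Headers"), ALLOWED_HEADERS);
        Assert.assertEquals(header(response, "Access-Control-Allow-Methods"), "POST");
        Assert.assertEquals(header(response, "Access-Control-Max-Age"), "1800");
        Assert.assertEquals(header(response, "Access-Control-Allow-Origin"), "https://jackinthebox.com");
        Assert.assertNull(header(response, "Access-Control-Expose-Headers"));
        Assert.assertEquals(header(response, "Vary"), "Origin");
    }

    /**
     * A preflight asking for a header outside the allow list is refused outright (403, no CORS
     * headers) rather than answered with a reduced allow list.
     */
    @Test
    public void options_validateDisallowedHeader() throws Exception {
        HttpResponse<Void> response = exchange(newClient(), preflight(STATUS_PATH, "https://jackinthebox.com", "GET")
            .header("Access-Control-Request-Headers", "X-Foo"));
        Assert.assertEquals(response.statusCode(), 403);
        assertNoCORSHeaders(response);
    }

    /** A preflight for a method outside the allow list is refused. */
    @Test
    public void options_validateDisallowedMethod() throws Exception {
        corsConfiguration.withAllowedMethods(new HTTPMethod[]{HTTPMethod.POST});
        HttpResponse<Void> response = exchange(newClient(), preflight(STATUS_PATH, "https://jackinthebox.com", "GET"));
        Assert.assertEquals(response.statusCode(), 403);
        assertNoCORSHeaders(response);
    }

    /** A preflight from an origin outside the allow list is refused. */
    @Test
    public void options_validateDisallowedOrigin() throws Exception {
        corsConfiguration.withAllowedOrigins(new URI[]{URI.create("http://foo.com")});
        HttpResponse<Void> response = exchange(newClient(), preflight(STATUS_PATH, "https://jackinthebox.com", "GET"));
        Assert.assertEquals(response.statusCode(), 403);
        assertNoCORSHeaders(response);
    }

    /**
     * OPTIONS on an excluded path is not treated as a preflight: it reaches the application and
     * gets a 405 (presumably because nothing there handles OPTIONS) with no CORS headers.
     */
    @Test
    public void options_validateExcludedURIs() throws Exception {
        HttpResponse<Void> response = exchange(newClient(), request("/admin/foo")
            .method("OPTIONS", HttpRequest.BodyPublishers.noBody())
            .header("Origin", "http://foo.com"));
        Assert.assertEquals(response.statusCode(), 405);
        assertNoCORSHeaders(response);
    }

    /**
     * With credentials disabled the wildcard origin is sent literally as {@code *} instead of
     * echoing the request Origin, and no Allow-Credentials header is emitted. This is the safe
     * form of a wildcard: browsers will not attach cookies or Authorization to a {@code *} grant.
     */
    @Test
    public void options_validateWildcardOriginDisallowCredentials() throws Exception {
        corsConfiguration.withAllowedMethods(new HTTPMethod[]{HTTPMethod.GET}).withAllowedOrigins(new URI[]{URI.create("*")}).withAllowCredentials(false);
        HttpResponse<Void> response = exchange(newClient(), preflight(STATUS_PATH, "https://jackinthebox.com", "GET"));
        Assert.assertEquals(response.statusCode(), 204);
        Assert.assertNull(header(response, "Access-Control-Allow-Credentials"));
        Assert.assertEquals(header(response, "Access-Control-Allow-Origin"), "*");
        Assert.assertEquals(header(response, "Access-Control-Allow-Headers"), ALLOWED_HEADERS);
        Assert.assertEquals(header(response, "Access-Control-Allow-Methods"), "GET");
        Assert.assertNull(header(response, "Access-Control-Expose-Headers"));
        Assert.assertEquals(header(response, "Access-Control-Max-Age"), "1800");
    }

    /**
     * A JSON POST from an allowed origin succeeds with the same headers as a GET. The same POST
     * without a Content-Type is a 403 with no CORS headers; the filter evidently requires the
     * content type on a cross-origin POST rather than defaulting one.
     */
    @Test
    public void post() throws Exception {
        HttpClient client = newClient();

        HttpResponse<Void> withContentType = exchange(client, request(STATUS_PATH)
            .POST(HttpRequest.BodyPublishers.noBody())
            .header("Content-Type", "application/json")
            .header("Origin", "https://jackinthebox.com"));
        Assert.assertEquals(withContentType.statusCode(), 200);
        assertActualRequestHeaders(withContentType, "https://jackinthebox.com");

        HttpResponse<Void> withoutContentType = exchange(client, request(STATUS_PATH)
            .POST(HttpRequest.BodyPublishers.noBody())
            .header("Origin", "https://jackinthebox.com"));
        Assert.assertEquals(withoutContentType.statusCode(), 403);
        assertNoCORSHeaders(withoutContentType);
    }

    /** POST is refused when only GET is allowed. */
    @Test
    public void post_validateDisallowedMethod() throws Exception {
        corsConfiguration.withAllowedMethods(new HTTPMethod[]{HTTPMethod.GET});
        HttpResponse<Void> response = exchange(newClient(), request(STATUS_PATH)
            .POST(HttpRequest.BodyPublishers.noBody())
            .header("Origin", "https://jackinthebox.com"));
        Assert.assertEquals(response.statusCode(), 403);
        assertNoCORSHeaders(response);
    }

    /** POST is refused when the origin is not in the allow list. */
    @Test
    public void post_validateDisallowedOrigin() throws Exception {
        corsConfiguration.withAllowedOrigins(new URI[]{URI.create("http://foo.com")});
        HttpResponse<Void> response = exchange(newClient(), request(STATUS_PATH)
            .POST(HttpRequest.BodyPublishers.noBody())
            .header("Origin", "https://jackinthebox.com"));
        Assert.assertEquals(response.statusCode(), 403);
        assertNoCORSHeaders(response);
    }

    /**
     * A POST without a Content-Type to an excluded path is served normally, with or without an
     * Origin, and never gains CORS headers; compare {@link #post()}, where the same request on a
     * non-excluded path is refused.
     */
    @Test
    public void post_validateExcludedURIs_withSimpleContentType() throws Exception {
        HttpClient client = newClient();

        HttpResponse<Void> noOrigin = exchange(client, request("/admin/nested/foo").POST(HttpRequest.BodyPublishers.noBody()));
        Assert.assertEquals(noOrigin.statusCode(), 200);
        assertNoCORSHeaders(noOrigin);

        HttpResponse<Void> withOrigin = exchange(client, request("/admin/nested/foo")
            .POST(HttpRequest.BodyPublishers.noBody())
            .header("Origin", "https://jackinthebox.com"));
        Assert.assertEquals(withOrigin.statusCode(), 200);
        assertNoCORSHeaders(withOrigin);
    }

    /**
     * Asserts the headers of a successful non-preflight ("actual") response under the baseline
     * configuration: credentials allowed, the request origin echoed, the configured exposed
     * headers, and none of the preflight-only headers.
     *
     * @param response the response to inspect
     * @param origin   the Origin that was sent and is expected to be echoed back
     */
    private static void assertActualRequestHeaders(HttpResponse<Void> response, String origin) {
        Assert.assertEquals(header(response, "Access-Control-Allow-Credentials"), "true");
        Assert.assertEquals(header(response, "Access-Control-Expose-Headers"), EXPOSED_HEADERS);
        Assert.assertEquals(header(response, "Access-Control-Allow-Origin"), origin);
        Assert.assertNull(header(response, "Access-Control-Allow-Methods"));
        Assert.assertNull(header(response, "Access-Control-Allow-Headers"));
        Assert.assertNull(header(response, "Access-Control-Max-Age"));
    }

    /**
     * Asserts that a response carries no CORS headers at all. A refused or bypassed request must
     * not leak a partial grant (for example an echoed origin without the matching restriction).
     *
     * @param httpResponse the response to inspect
     */
    private void assertNoCORSHeaders(HttpResponse<Void> httpResponse) {
        for (String name : CORS_RESPONSE_HEADERS) {
            Assert.assertNull(header(httpResponse, name), name);
        }
    }

    /** Sends a GET from {@code https://jackinthebox.com} and expects a bare 403. */
    private void assertUnauthorized() throws IOException, InterruptedException {
        HttpResponse<Void> response = exchange(newClient(), request(STATUS_PATH).GET().header("Origin", "https://jackinthebox.com"));
        Assert.assertEquals(response.statusCode(), 403);
        assertNoCORSHeaders(response);
    }

    /**
     * Sends a request, discarding any body; only status and headers matter to these tests.
     *
     * @throws IOException          if the connection fails
     * @throws InterruptedException if the send is interrupted
     */
    private static HttpResponse<Void> exchange(HttpClient client, HttpRequest.Builder builder) throws IOException, InterruptedException {
        return client.send(builder.build(), HttpResponse.BodyHandlers.discarding());
    }

    /** First value of a response header, or {@code null} when absent. */
    private static String header(HttpResponse<?> response, String name) {
        return response.headers().firstValue(name).orElse(null);
    }

    /** A client that never follows redirects, so a 3xx from the filter would surface as a failure. */
    private static HttpClient newClient() {
        return HttpClient.newBuilder().followRedirects(HttpClient.Redirect.NEVER).priority(256).build();
    }

    /** A CORS preflight (OPTIONS with Origin and Access-Control-Request-Method) for {@code path}. */
    private static HttpRequest.Builder preflight(String path, String origin, String requestedMethod) {
        return request(path)
            .method("OPTIONS", HttpRequest.BodyPublishers.noBody())
            .header("Access-Control-Request-Method", requestedMethod)
            .header("Origin", origin);
    }

    /** A request builder for {@code path} on the test server. */
    private static HttpRequest.Builder request(String path) {
        return HttpRequest.newBuilder(URI.create(BASE_URL + path));
    }
}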
