package it.com.atlassian.plugins.whitelist.ui;

import com.atlassian.plugins.whitelist.testing.WhitelistTestRule;
import com.google.common.base.Splitter;
import java.io.IOException;
import javax.ws.rs.core.Response;
import org.apache.http.Header;
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpOptions;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.impl.client.DefaultHttpClient;
import org.apache.http.util.EntityUtils;
import org.hamcrest.FeatureMatcher;
import org.hamcrest.Matcher;
import org.hamcrest.MatcherAssert;
import org.hamcrest.Matchers;
import org.junit.Rule;
import org.junit.Test;

/* loaded from: input_file:it/com/atlassian/plugins/whitelist/ui/TestCors.class */
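/**
 * Integration tests for the whitelist CORS filter in front of the
 * {@code corsAllowed} test REST resource.
 *
 * <p>The filter never rejects a request outright: every request here is
 * answered with {@code 200 OK}. What the tests pin down is whether the
 * {@code Access-Control-Allow-*} response headers are present, because the
 * browser is the component that enforces CORS. A domain must therefore be
 * both whitelisted <em>and</em> flagged as allow-inbound before the headers
 * are emitted, and a malformed or missing {@code Origin} header, or a request
 * outside the REST resource, yields none of them.
 */
public class TestCors {
    private static final String TEST_DOMAIN = "http://www.example.com";
    private static final String ORIGIN = "Origin";
    private static final String ACCESS_CONTROL_ALLOW_ORIGIN = "Access-Control-Allow-Origin";
    private static final String ACCESS_CONTROL_ALLOW_CREDENTIALS = "Access-Control-Allow-Credentials";
    private static final String ACCESS_CONTROL_REQUEST_HEADERS = "Access-Control-Request-Headers";
    private static final String ACCESS_CONTROL_REQUEST_METHOD = "Access-Control-Request-Method";
    private static final String ACCESS_CONTROL_ALLOW_HEADERS = "Access-Control-Allow-Headers";

    /** Base URL of the product under test; overridable with {@code -Dbaseurl=...}. */
    private static final String BASE_URL = System.getProperty("baseurl", "http://localhost:5990/refapp");
    /** The only URL the CORS filter is expected to decorate. */
    private static final String TEST_URL = BASE_URL + "/rest/whitelist-testing/latest/corsAllowed";
    /** Splits comma-separated header values such as {@code Access-Control-Allow-Headers}. */
    private static final Splitter CSV_SPLITTER = Splitter.on(',').trimResults().omitEmptyStrings();
    /** Shared client; every response body is consumed so the connection can be reused. */
    private static final HttpClient HTTP_CLIENT = new DefaultHttpClient();

    /** Backdoor used to mutate the whitelist between tests; reset per test by the rule. */
    @Rule
    public WhitelistTestRule backdoor = WhitelistTestRule.withDefaultAdminLoginAndBaseUrl(BASE_URL);

    /** A syntactically invalid {@code Origin} must not be reflected back. */
    @Test
    public void corsFilterHandlesCrappyOrigin() throws IOException {
        HttpGet request = new HttpGet(TEST_URL);
        request.addHeader(ORIGIN, "some crap is in here");
        assertCorsNotAllowed(submitRequest(request));
    }

    /** Without an {@code Origin} header there is nothing to allow, even for a whitelisted domain. */
    @Test
    public void corsFilterIgnoresMissingOrigin() throws IOException {
        backdoor.whitelistDomainAllowInbound(TEST_DOMAIN);
        assertCorsNotAllowed(submitRequest(new HttpGet(TEST_URL)));
    }

    /** The filter only decorates the REST resource, not arbitrary pages under the base URL. */
    @Test
    public void corsFilterJustHandlesRestResource() throws IOException {
        backdoor.whitelistDomainAllowInbound(TEST_DOMAIN);
        assertCorsNotAllowed(submitRequestWithOrigin(new HttpGet(BASE_URL)));
    }

    @Test
    public void optionsMethodNotAllowedByDefault() throws IOException {
        assertCorsNotAllowed(submitOptionsRequestWithOrigin());
    }

    /** Being on the whitelist is not enough; the domain must also be marked allow-inbound. */
    @Test
    public void optionsMethodRequiresAllowInboundFlag() throws IOException {
        backdoor.whitelistDomain(TEST_DOMAIN);
        assertCorsNotAllowed(submitOptionsRequestWithOrigin());
    }

    /**
     * A pre-flight from an allow-inbound domain gets the origin and credentials headers, and
     * the allowed request headers are exactly the three the filter advertises.
     */
    @Test
    public void optionsMethodAllowedForWhitelistedOrigin() throws IOException {
        backdoor.whitelistDomainAllowInbound(TEST_DOMAIN);
        HttpResponse response = submitOptionsRequestWithOrigin();
        assertCorsAllowed(response);
        MatcherAssert.assertThat(response.getHeaders(ACCESS_CONTROL_ALLOW_HEADERS),
                Matchers.is(Matchers.arrayContaining(
                        headerValues("Authorization", TestWhitelistResource.TOKEN_HEADER, "Content-Type"))));
    }

    @Test
    public void getMethodNotAllowedByDefault() throws IOException {
        assertCorsNotAllowed(submitGetRequestWithOrigin());
    }

    @Test
    public void getMethodRequiresAllowInboundFlag() throws IOException {
        backdoor.whitelistDomain(TEST_DOMAIN);
        assertCorsNotAllowed(submitGetRequestWithOrigin());
    }

    @Test
    public void getMethodAllowedForWhitelistedOrigin() throws IOException {
        backdoor.whitelistDomainAllowInbound(TEST_DOMAIN);
        assertCorsAllowed(submitGetRequestWithOrigin());
    }

    /**
     * Asserts the request was served ({@code 200}) but without any CORS grant: neither
     * {@code Access-Control-Allow-Origin} nor {@code Access-Control-Allow-Credentials} is set.
     *
     * @param response the response to inspect
     */
    private void assertCorsNotAllowed(HttpResponse response) {
        MatcherAssert.assertThat(response, hasStatusCode(Response.Status.OK));
        MatcherAssert.assertThat(response.getHeaders(ACCESS_CONTROL_ALLOW_ORIGIN), Matchers.is(Matchers.emptyArray()));
        MatcherAssert.assertThat(response.getHeaders(ACCESS_CONTROL_ALLOW_CREDENTIALS), Matchers.is(Matchers.emptyArray()));
    }

    /**
     * Asserts the response carries a CORS grant for exactly {@link #TEST_DOMAIN} (the specific
     * origin, not a wildcard, which matters because credentials are allowed alongside it) and
     * {@code Access-Control-Allow-Credentials: true}, each header appearing exactly once.
     *
     * @param response the response to inspect
     */
    private void assertCorsAllowed(HttpResponse response) {
        MatcherAssert.assertThat(response, hasStatusCode(Response.Status.OK));
        Header[] allowOrigin = response.getHeaders(ACCESS_CONTROL_ALLOW_ORIGIN);
        Header[] allowCredentials = response.getHeaders(ACCESS_CONTROL_ALLOW_CREDENTIALS);
        MatcherAssert.assertThat(allowOrigin, Matchers.is(Matchers.arrayContaining(headerValues(TEST_DOMAIN))));
        MatcherAssert.assertThat(allowCredentials, Matchers.is(Matchers.arrayContaining(headerValues("true"))));
    }

    /** Sends a CORS pre-flight for a {@code GET} that wants to set {@code Content-Type} and {@code Authorization}. */
    private HttpResponse submitOptionsRequestWithOrigin() throws IOException {
        HttpOptions preflight = new HttpOptions(TEST_URL);
        preflight.addHeader(ACCESS_CONTROL_REQUEST_METHOD, "GET");
        preflight.addHeader(ACCESS_CONTROL_REQUEST_HEADERS, "Content-Type, Authorization");
        return submitRequestWithOrigin(preflight);
    }

    private HttpResponse submitGetRequestWithOrigin() throws IOException {
        return submitRequestWithOrigin(new HttpGet(TEST_URL));
    }

    /** Stamps {@link #TEST_DOMAIN} as the {@code Origin} and sends the request. */
    private HttpResponse submitRequestWithOrigin(HttpUriRequest request) throws IOException {
        request.addHeader(ORIGIN, TEST_DOMAIN);
        return submitRequest(request);
    }

    /**
     * Executes the request on the shared client and returns the response with its entity
     * already consumed; the tests only inspect status line and headers.
     *
     * <p>The body is released in a {@code finally} so the pooled connection is returned even
     * when consuming fails, and it is consumed exactly once (the previous shape re-consumed it
     * on the error path).
     *
     * @param request the request to execute
     * @return the response, body discarded
     * @throws IOException if the request or the body read fails
     */
    private HttpResponse submitRequest(HttpUriRequest request) throws IOException {
        HttpResponse response = HTTP_CLIENT.execute(request);
        try {
            return response;
        } finally {
            EntityUtils.consume(response.getEntity());
        }
    }

    /**
     * Matches a header whose comma-separated value contains exactly the given tokens, in any order.
     *
     * @param expected the tokens the header value must consist of
     */
    private static Matcher<Header> headerValues(String... expected) {
        return new FeatureMatcher<Header, Iterable<String>>(
                Matchers.containsInAnyOrder(expected), "a HTTP header with value", "values") {
            @Override
            protected Iterable<String> featureValueOf(Header header) {
                return CSV_SPLITTER.split(header.getValue());
            }
        };
    }

    /**
     * Matches a response whose status line carries the given status code.
     *
     * @param status the expected status
     */
    private static Matcher<HttpResponse> hasStatusCode(Response.Status status) {
        return new FeatureMatcher<HttpResponse, Integer>(
                Matchers.equalTo(status.getStatusCode()), "a HTTP response with status code", "status code") {
            @Override
            protected Integer featureValueOf(HttpResponse response) {
                return response.getStatusLine().getStatusCode();
            }
        };
    }
}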
