/**
    * This file Copyright (c) 2003-2015 Magnolia International
    * Ltd.  (http://www.magnolia-cms.com). All rights reserved.
    *
    *
    * This file is dual-licensed under both the Magnolia
    * Network Agreement and the GNU General Public License.
    * You may elect to use one or the other of these licenses.
    *
   * This file is distributed in the hope that it will be
   * useful, but AS-IS and WITHOUT ANY WARRANTY; without even the
   * implied warranty of MERCHANTABILITY or FITNESS FOR A
   * PARTICULAR PURPOSE, TITLE, or NONINFRINGEMENT.
   * Redistribution, except as permitted by whichever of the GPL
   * or MNA you select, is prohibited.
   *
   * 1. For the GPL license (GPL), you can redistribute and/or
   * modify this file under the terms of the GNU General
   * Public License, Version 3, as published by the Free Software
   * Foundation.  You should have received a copy of the GNU
   * General Public License, Version 3 along with this program;
   * if not, write to the Free Software Foundation, Inc., 51
   * Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
   *
   * 2. For the Magnolia Network Agreement (MNA), this file
   * and the accompanying materials are made available under the
   * terms of the MNA which accompanies this distribution, and
   * is available at http://www.magnolia-cms.com/mna.html
   *
   * Any modifications to this file must keep this entire header
   * intact.
   *
   */
  package info.magnolia.cms.filters;
  
  import info.magnolia.cms.beans.config.MIMEMapping;
  import info.magnolia.cms.beans.config.ServerConfiguration;
  import info.magnolia.cms.core.AggregationState;
  import info.magnolia.cms.util.ServletUtil;
  import info.magnolia.context.MgnlContext;
  import info.magnolia.util.EscapeUtil;
  
  import java.io.IOException;
  import java.io.UnsupportedEncodingException;
  import java.net.URI;
  import java.net.URLDecoder;
  
  import javax.inject.Inject;
  import javax.servlet.FilterChain;
  import javax.servlet.ServletException;
  import javax.servlet.http.HttpServletRequest;
  import javax.servlet.http.HttpServletResponse;
  
  import org.apache.commons.lang3.StringUtils;
  
  
  /**
   * Sets content type and encoding for requests based on the uri extension and prepares uri path information in the
   * aggregation state.
   *
   * TODO : rename this filter. What it really does is initialize and setup the basic,
   * non-content related attributes of the AggregationState. ContentType could become an
   * attribute of the AggregationState too and could be set later.
   *
   * FIXME: the original uri should not be reset, MAGNOLIA-3204
   *
   * @see MIMEMapping
   * @see AggregationState
   */
  public class ContentTypeFilter extends AbstractMgnlFilter {
  
      private static final org.slf4j.Logger log = org.slf4j.LoggerFactory.getLogger(ContentTypeFilter.class);
  
      private boolean sanitizeXssUri = true;
  
      /**
       * If set we have to reset the aggregation state before setting the original URI/URL with new values.
       */
      private static final String AGGREGATION_STATE_INITIALIZED = ContentTypeFilter.class.getName() + ".aggregationStateInitialized";
  
      private boolean registeredExtensionsOnly = false;
  
      private ServerConfiguration serverConfiguration;
  
      /**
       * @deprecated since 5.4.2, use {@link #ContentTypeFilter(ServerConfiguration)} instead.
       */
      @Deprecated
      public ContentTypeFilter() {
      }
  
      @Inject
      public ContentTypeFilter(ServerConfiguration serverConfiguration) {
          this.serverConfiguration = serverConfiguration;
      }
  
  
      @Override
      public void doFilter(HttpServletRequest request, HttpServletResponse response, FilterChain chain) throws IOException, ServletException {
 
         // we will set the original uri, to avoid conflicts we have to reset the aggregation state
         // this will mainly reset the original uri and keep all other information
         if (request.getAttribute(AGGREGATION_STATE_INITIALIZED) != null) {
             MgnlContext.resetAggregationState();
         } else {
             request.setAttribute(AGGREGATION_STATE_INITIALIZED, Boolean.TRUE);
         }
 
         final String originalUri = ServletUtil.getOriginalRequestURI(request);
         final String originalUrl = ServletUtil.getOriginalRequestURLIncludingQueryString(request);
         final String extension = getUriExtension(originalUri);
         final String mimeType = setupContentType(extension, response);
         if (isRegisteredExtensionsOnly() && mimeType == null && !response.isCommitted()) {
             response.sendError(HttpServletResponse.SC_BAD_REQUEST, String.format("Unsupported extension=%1$s.", extension));
             return;
         }
         final String characterEncoding = setupCharacterEncoding(mimeType, request, response);
         final AggregationState aggregationState = MgnlContext.getAggregationState();
         aggregationState.setCharacterEncoding(characterEncoding);
 
         final String decodedOriginalUri = decodeUri(originalUri, characterEncoding);
         aggregationState.setOriginalURI(decodedOriginalUri);
 
         try {
             final String decodedOriginalUrl = decodeUri(originalUrl, characterEncoding);
             aggregationState.setOriginalURL(decodedOriginalUrl);
         } catch (IllegalArgumentException e) {
             // URL is malformed and cannot be decoded - send back error 400
             if (!response.isCommitted()) {
                 response.sendError(HttpServletResponse.SC_BAD_REQUEST, "URL is malformed (not encoded properly).");
             }
             // stop filter chain
             return;
         }
         aggregationState.setOriginalBrowserURI(originalUri);
         aggregationState.setOriginalBrowserURL(originalUrl);
         final String requestURI = URI.create(ServletUtil.getRequestUri(request)).normalize().getRawPath();
         final String currentURI = decodeUri(requestURI, characterEncoding);
         aggregationState.setCurrentURI(currentURI);
         aggregationState.setExtension(extension);
         aggregationState.setQueryString(request.getQueryString());
 
         chain.doFilter(request, response);
     }
 
     protected String getUriExtension(String uri) {
         final String fileName = StringUtils.substringAfterLast(uri, "/");
         return StringUtils.substringAfterLast(fileName, ".");
     }
 
     protected String setupContentType(String extension, HttpServletResponse response) {
         final String mimeType;
 
         if (isRegisteredExtensionsOnly()) {
             if (StringUtils.isBlank(extension)) {
                 extension = serverConfiguration.getDefaultExtension();
                 if (StringUtils.isBlank(extension)) {
                     extension = MIMEMapping.DEFAULT_EXTENSION;
                 }
             }
             mimeType = MIMEMapping.getMIMEType(extension);
             if (mimeType == null) {
                 return null;
             }
         } else {
             mimeType = MIMEMapping.getMIMETypeOrDefault(extension);
         }
 
         response.setContentType(mimeType);
 
         return mimeType;
     }
 
     protected String setupCharacterEncoding(String mimeType, HttpServletRequest request, HttpServletResponse response) {
         final String characterEncoding = MIMEMapping.getContentEncodingOrDefault(mimeType);
 
         try {
             // let's not override the request encoding if set by the servlet container or the requesting browser
             if (request.getCharacterEncoding() == null) {
                 request.setCharacterEncoding(characterEncoding);
             }
         } catch (UnsupportedEncodingException e) {
             log.error("Can't set character encoding for the request (mimetype={})", mimeType, e);
         }
 
         response.setCharacterEncoding(characterEncoding);
 
         return characterEncoding;
     }
 
     /**
      * XSS escaping of a substring after last dot in uri for preventing XSS attack.
      * If uri doesn't contain dot, the same uri will be returned.
      * @param uri the uri whose substring after last dot will be XSS escaped.
      */
     private String sanitizeXss(String uri) {
         final String afterLastDot = StringUtils.substringAfterLast(uri, ".");
         if (StringUtils.isNotEmpty(afterLastDot)) {
             final String xssEscapedAfterLastDot = EscapeUtil.escapeXss(afterLastDot);
             final String sanitizedXssUri = StringUtils.removeEnd(uri, afterLastDot).concat(xssEscapedAfterLastDot);
             return sanitizedXssUri;
         }
 
         return uri;
     }
 
     /**
      * Decodes an URI using given character encoding and sanitizes the URI against XSS if configured.
      */
     private String decodeUri(String uri, String characterEncoding) throws UnsupportedEncodingException {
         final String decodedUri = URLDecoder.decode(uri, characterEncoding);
         return isSanitizeXssUri() ? sanitizeXss(decodedUri) : decodedUri;
     }
 
     public boolean isSanitizeXssUri() {
         return sanitizeXssUri;
     }
 
     public void setSanitizeXssUri(boolean sanitizeXssUri) {
         this.sanitizeXssUri = sanitizeXssUri;
     }
 
     public boolean isRegisteredExtensionsOnly() {
         return registeredExtensionsOnly;
     }
 
     public void setRegisteredExtensionsOnly(boolean registeredExtensionsOnly) {
         this.registeredExtensionsOnly = registeredExtensionsOnly;
     }
 
     /**
      * @deprecated since 5.4.2, use {@link #setupContentType(String, HttpServletResponse)} and {@link #setupCharacterEncoding(String, HttpServletRequest, HttpServletResponse)} instead.
      */
     @Deprecated
     protected String setupContentTypeAndCharacterEncoding(String extension, HttpServletRequest request, HttpServletResponse response) {
         final String mimeType = setupContentType(extension, response);
         return setupCharacterEncoding(mimeType, request, response);
     }
 }