/**
    * This file Copyright (c) 2020 Magnolia International
    * Ltd.  (http://www.magnolia-cms.com). All rights reserved.
    *
    *
    * This file is dual-licensed under both the Magnolia
    * Network Agreement and the GNU General Public License.
    * You may elect to use one or the other of these licenses.
    *
   * This file is distributed in the hope that it will be
   * useful, but AS-IS and WITHOUT ANY WARRANTY; without even the
   * implied warranty of MERCHANTABILITY or FITNESS FOR A
   * PARTICULAR PURPOSE, TITLE, or NONINFRINGEMENT.
   * Redistribution, except as permitted by whichever of the GPL
   * or MNA you select, is prohibited.
   *
   * 1. For the GPL license (GPL), you can redistribute and/or
   * modify this file under the terms of the GNU General
   * Public License, Version 3, as published by the Free Software
   * Foundation.  You should have received a copy of the GNU
   * General Public License, Version 3 along with this program;
   * if not, write to the Free Software Foundation, Inc., 51
   * Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
   *
   * 2. For the Magnolia Network Agreement (MNA), this file
   * and the accompanying materials are made available under the
   * terms of the MNA which accompanies this distribution, and
   * is available at http://www.magnolia-cms.com/mna.html
   *
   * Any modifications to this file must keep this entire header
   * intact.
   *
   */
  package info.magnolia.cors;
  
  import static info.magnolia.cors.AbstractCorsFilter.Headers.*;
  
  import info.magnolia.cms.filters.AbstractMgnlFilter;
  
  import java.io.IOException;
  import java.util.ArrayList;
  import java.util.Collection;
  import java.util.Enumeration;
  import java.util.HashSet;
  import java.util.Set;
  
  import javax.inject.Inject;
  import javax.servlet.FilterChain;
  import javax.servlet.ServletException;
  import javax.servlet.http.HttpServletRequest;
  import javax.servlet.http.HttpServletResponse;
  
  import org.apache.commons.lang3.StringUtils;
  
  import com.google.common.base.Joiner;
  
  /**
   * Filter that handles CORS requests.
   */
  public class CorsResponseFilter extends AbstractMgnlFilter {
  
      private static final String WILDCARD = "*";
  
      private final CorsConfiguration configuration;
  
      @Inject
      public CorsResponseFilter(final CorsConfiguration configuration) {
          this.configuration = configuration;
      }
  
      @Override
      public void doFilter(final HttpServletRequest request, final HttpServletResponse response, final FilterChain chain) throws IOException, ServletException {
          final String origin = request.getHeader(ORIGIN.getName());
          if (!isOriginAllowed(origin)) {
              throw new CorsException(String.format("Origin [%s] not allowed", origin));
          }
          if (isPreflightRequest(request)) {
              final String requestMethod = request.getHeader(ACCESS_CONTROL_REQUEST_METHOD.getName());
              if (StringUtils.isBlank(requestMethod)) {
                  throw new CorsException(String.format("Header [%s] value must not be null or empty", ACCESS_CONTROL_REQUEST_METHOD.getName()));
              }
              if (!isMethodAllowed(requestMethod)) {
                  throw new CorsException(String.format("Method [%s] is not allowed", requestMethod.toUpperCase()));
              }
              final Set<String> requestHeaders = accessControlRequestHeaders(request);
              if (!areHeadersAllowed(requestHeaders)) {
                  requestHeaders.removeAll(configuration.getAllowedHeaders());
                  throw new CorsException(String.format("Some of the request headers %s are not allowed", requestHeaders));
              }
  
              setVaryHeader(response, ACCESS_CONTROL_REQUEST_METHOD.getName());
              setVaryHeader(response, ACCESS_CONTROL_REQUEST_HEADERS.getName());
  
              if (configuration.getMaxAge() > 0) {
                  response.addHeader(ACCESS_CONTROL_MAX_AGE.getName(), String.valueOf(configuration.getMaxAge()));
              }
              response.addHeader(ACCESS_CONTROL_ALLOW_METHODS.getName(), Joiner.on(',').join(configuration.getAllowedMethods()));
              response.addHeader(ACCESS_CONTROL_ALLOW_HEADERS.getName(), Joiner.on(',').join(configuration.getAllowedHeaders()));
              response.setStatus(204);
         } else {
             final String method = request.getMethod();
             if (!isMethodAllowed(method)) {
                 throw new CorsException(String.format("Method [%s] is not allowed", method.toUpperCase()));
             }
         }
         addStandardHeaders(request, response);
     }
 
     private boolean isPreflightRequest(final HttpServletRequest request) {
         final String method = request.getMethod();
         final String requestMethodHeader = request.getHeader(ACCESS_CONTROL_REQUEST_METHOD.getName());
 
         return AbstractCorsFilter.OPTIONS_METHOD.equals(method)
                 && requestMethodHeader != null;
     }
 
     private boolean isMethodAllowed(final String requestMethod) {
         if (configuration.getAllowedMethods().contains(WILDCARD)) {
             return true;
         }
         return configuration.getAllowedMethods().contains(requestMethod);
     }
 
     private Set<String> accessControlRequestHeaders(final HttpServletRequest request) {
         final Set<String> result = new HashSet<>();
         final Enumeration<String> headers = request.getHeaders(ACCESS_CONTROL_REQUEST_HEADERS.getName());
         while (headers.hasMoreElements()) {
             result.add(headers.nextElement().toLowerCase());
         }
         return result;
     }
 
     private boolean areHeadersAllowed(final Set<String> requestHeaders) {
         if (configuration.getAllowedHeaders().contains(WILDCARD)) {
             return true;
         }
         return configuration.getAllowedHeaders().containsAll(requestHeaders);
     }
 
     private void addStandardHeaders(final HttpServletRequest request, final HttpServletResponse response) {
         final String origin = request.getHeader(ORIGIN.getName());
         final boolean anyOriginAllowed = configuration.getAllowedOrigins().contains(WILDCARD);
 
         if (!anyOriginAllowed) {
             setVaryHeader(response, ORIGIN.getName());
         }
 
         if (anyOriginAllowed) {
             response.addHeader(ACCESS_CONTROL_ALLOW_ORIGIN.getName(), WILDCARD);
         } else {
             response.addHeader(ACCESS_CONTROL_ALLOW_ORIGIN.getName(), origin);
         }
 
         if (configuration.isSupportsCredentials()) {
             response.addHeader(ACCESS_CONTROL_ALLOW_CREDENTIALS.getName(), "true");
         }
     }
 
     private boolean isOriginAllowed(final String origin) {
         if (origin == null || origin.isEmpty()) {
             return false;
         }
         if (configuration.getAllowedOrigins().contains(WILDCARD)) {
             return true;
         }
         return configuration.getAllowedOrigins().contains(origin);
     }
 
     private void setVaryHeader(final HttpServletResponse response, final String name) {
         final Collection<String> varyHeaders = response.getHeaders(VARY.getName());
         final String headerName = name.trim();
 
         if (varyHeaders.size() == 1 && varyHeaders.stream().anyMatch(WILDCARD::equals)) {
             return;
         }
 
         if (varyHeaders.size() == 0) {
             response.addHeader(VARY.getName(), headerName);
             return;
         }
 
         if (WILDCARD.equals(headerName)) {
             response.setHeader(VARY.getName(), WILDCARD);
             return;
         }
 
         if (varyHeaders.stream().map(String::trim).anyMatch(headerName::equals)) {
             return;
         }
 
         final ArrayList<String> headerValues = new ArrayList<>(varyHeaders);
         headerValues.add(headerName);
         response.setHeader(VARY.getName(), Joiner.on(',').join(headerValues));
     }
 }