/**

* Jooby https://jooby.io

* Apache License Version 2.0 https://jooby.io/LICENSE.txt

* Copyright 2014 Edgar Espina

*/

package io.jooby;

import com.typesafe.config.Config;

import javax.annotation.Nonnull;

import java.time.Duration;

import java.util.Arrays;

import java.util.Collections;

import java.util.List;

import java.util.concurrent.TimeUnit;

import java.util.function.Predicate;

import java.util.regex.Pattern;

import java.util.stream.Collectors;

import static java.util.Objects.requireNonNull;

/**

* <h1>Cross-origin resource sharing</h1>

* <p>

* Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources (e.g. fonts,

* JavaScript, etc.) on a web page to be requested from another domain outside the domain from which

* the resource originated.

* </p>

*

* <p>

* This class represent the available options for configure CORS in Jooby.

* </p>

*

* <h2>usage</h2>

*

* <pre>

* {

* decorator(new CorsHandler());

* }

* </pre>

*

* <p>

* Previous example, adds a cors filter using the default cors options.

* </p>

*

* @author edgar

* @since 2.0.4

*/

public class Cors {

private static class Matcher<T> implements Predicate<T> {

private List<String> values;

private Predicate<T> predicate;

private boolean wild;

Matcher(final List<String> values, final Predicate<T> predicate) {

this.values = values;

this.predicate = predicate;

this.wild = values.contains("*");

}

@Override

public boolean test(final T value) {

return predicate.test(value);

}

@Override public String toString() {

return values.toString();

}

}

/** Default max-age in minutes. */

private static final int _30 = 30;

private Matcher<String> origin;

private boolean credentials;

private Matcher<String> methods;

private Matcher<List<String>> headers;

private Duration maxAge;

private List<String> exposedHeaders = Collections.emptyList();

/**

* Creates default {@link Cors}. Default options are:

*

* <pre>

* origin: "*"

* credentials: true

* allowedMethods: [GET, POST]

* allowedHeaders: [X-Requested-With, Content-Type, Accept, Origin]

* maxAge: 30m

* exposedHeaders: []

* </pre>

*/

public Cors() {

setOrigin("*");

setUseCredentials(true);

setMethods("GET", "POST");

setHeaders("X-Requested-With", "Content-Type", "Accept", "Origin");

setMaxAge(Duration.ofMinutes(_30));

}

/**

* If true, set the <code>Access-Control-Allow-Credentials</code> header.

*

* @return If the <code>Access-Control-Allow-Credentials</code> header must be set.

*/

public boolean getUseCredentials() {

return this.credentials;

}

/**

* If true, set the <code>Access-Control-Allow-Credentials</code> header.

*

* @param credentials Credentials.

* @return This cors.

*/

public Cors setUseCredentials(boolean credentials) {

this.credentials = credentials;

return this;

}

/**

* @return True if any origin is accepted.

*/

public boolean anyOrigin() {

return origin.wild;

}

/**

* An origin must be a "*" (any origin), a domain name (like, http://foo.com) and/or a regex

* (like, http://*.domain.com).

*

* @return List of valid origins: Default is: <code>*</code>

*/

public List<String> getOrigin() {

return origin.values;

}

/**

* Test if the given origin is allowed or not.

*

* @param origin The origin to test.

* @return True if the origin is allowed.

*/

public boolean allowOrigin(final String origin) {

return this.origin.test(origin);

}

/**

* Set the allowed origins. An origin must be a "*" (any origin), a domain name (like,

* http://foo.com) and/or a regex (like, http://*.domain.com).

*

* @param origin One ore more origin.

* @return This cors.

*/

public Cors setOrigin(final String... origin) {

return setOrigin(Arrays.asList(origin));

}

/**

* Set the allowed origins. An origin must be a "*" (any origin), a domain name (like,

* http://foo.com) and/or a regex (like, http://*.domain.com).

*

* @param origin One ore more origin.

* @return This cors.

*/

public Cors setOrigin(final List<String> origin) {

this.origin = firstMatch(requireNonNull(origin, "Origins are required."));

return this;

}

/**

* True if the method is allowed.

*

* @param method Method to test.

* @return True if the method is allowed.

*/

public boolean allowMethod(final String method) {

return this.methods.test(method);

}

/**

* @return List of allowed methods.

*/

public List<String> getMethods() {

return methods.values;

}

/**

* Set one or more allowed methods.

*

* @param methods One or more method.

* @return This cors.

*/

public Cors setMethods(final String... methods) {

return setMethods(Arrays.asList(methods));

}

/**

* Set one or more allowed methods.

*

* @param methods One or more method.

* @return This cors.

*/

public Cors setMethods(final List<String> methods) {

this.methods = firstMatch(methods);

return this;

}

/**

* @return True if any header is allowed: <code>*</code>.

*/

public boolean anyHeader() {

return headers.wild;

}

/**

* True if all the headers are allowed.

*

* @param headers Headers to test.

* @return True if all the headers are allowed.

*/

public boolean allowHeader(final String... headers) {

return allowHeaders(Arrays.asList(headers));

}

/**

* True if all the headers are allowed.

*

* @param headers Headers to test.

* @return True if all the headers are allowed.

*/

public boolean allowHeaders(final List<String> headers) {

return this.headers.test(headers);

}

/**

* @return List of allowed headers. Default are: <code>X-Requested-With</code>,

* <code>Content-Type</code>, <code>Accept</code> and <code>Origin</code>.

*/

public List<String> getHeaders() {

return headers.values;

}

/**

* Set one or more allowed headers. Possible values are a header name or <code>*</code> if any

* header is allowed.

*

* @param headers Headers to set.

* @return This cors.

*/

public Cors setHeaders(final String... headers) {

return setHeaders(Arrays.asList(headers));

}

/**

* Set one or more allowed headers. Possible values are a header name or <code>*</code> if any

* header is allowed.

*

* @param headers Headers to set.

* @return This cors.

*/

public Cors setHeaders(final List<String> headers) {

this.headers = allMatch(headers);

return this;

}

/**

* @return List of exposed headers.

*/

public List<String> getExposedHeaders() {

return exposedHeaders;

}

/**

* Set the list of exposed headers.

*

* @param exposedHeaders Headers to expose.

* @return This cors.

*/

public Cors setExposedHeaders(final String... exposedHeaders) {

return setExposedHeaders(Arrays.asList(exposedHeaders));

}

/**

* Set the list of exposed headers.

*

* @param exposedHeaders Headers to expose.

* @return This cors.

*/

public Cors setExposedHeaders(final List<String> exposedHeaders) {

this.exposedHeaders = requireNonNull(exposedHeaders, "Exposed headers are required.");

return this;

}

/**

* @return Preflight max age. How many seconds a client can cache a preflight request.

*/

public Duration getMaxAge() {

return maxAge;

}

/**

* Set the preflight max age header. That's how many seconds a client can cache a preflight

* request.

*

* @param preflightMaxAge Number of seconds or <code>-1</code> to turn this off.

* @return This cors.

*/

public Cors setMaxAge(final Duration preflightMaxAge) {

this.maxAge = preflightMaxAge;

return this;

}

/**

* Get cors options from application configuration file.

*

* <pre>{@code

* cors {

* origin: *

* methods: [GET, POST]

* headers: [Custom-Header]

* maxAge: 30m

* exposesHeaders: [Header]

* }

* }</pre>

*

* @param conf Configuration.

* @return Cors options.

*/

public static @Nonnull Cors from(@Nonnull Config conf) {

Config cors = conf.hasPath("cors") ? conf.getConfig("cors") : conf;

Cors options = new Cors();

if (cors.hasPath("origin")) {

options.setOrigin(list(cors.getAnyRef("origin")));

}

if (cors.hasPath("credentials")) {

options.setUseCredentials(cors.getBoolean("credentials"));

}

if (cors.hasPath("methods")) {

options.setMethods(list(cors.getAnyRef("methods")));

}

if (cors.hasPath("headers")) {

options.setHeaders(list(cors.getAnyRef("headers")));

}

if (cors.hasPath("maxAge")) {

options.setMaxAge(Duration.ofSeconds(cors.getDuration("maxAge", TimeUnit.SECONDS)));

}

if (cors.hasPath("exposedHeaders")) {

options.setExposedHeaders(list(cors.getAnyRef("exposedHeaders")));

}

return options;

}

@SuppressWarnings({"unchecked", "rawtypes"})

private static List<String> list(final Object value) {

return value instanceof List ? (List) value : Collections.singletonList(value.toString());

}

private static Matcher<List<String>> allMatch(final List<String> values) {

Predicate<String> predicate = firstMatch(values);

Predicate<List<String>> allmatch = it -> it.stream().allMatch(predicate);

return new Matcher<>(values, allmatch);

}

private static Matcher<String> firstMatch(final List<String> values) {

List<Pattern> patterns = values.stream()

.map(Cors::rewrite)

.collect(Collectors.toList());

Predicate<String> predicate = it -> patterns.stream()

.filter(pattern -> pattern.matcher(it).matches())

.findFirst()

.isPresent();

return new Matcher<>(values, predicate);

}

private static Pattern rewrite(final String origin) {

return Pattern.compile(origin.replace(".", "\\.").replace("*", ".*"), Pattern.CASE_INSENSITIVE);

}

}