package org.apache.struts2.interceptor;

import com.opensymphony.xwork2.ActionInvocation;
import com.opensymphony.xwork2.inject.Inject;
import com.opensymphony.xwork2.interceptor.AbstractInterceptor;
import com.opensymphony.xwork2.util.TextParseUtil;
import java.util.HashSet;
import java.util.Set;
import javassist.compiler.TokenId;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

/* loaded from: input_file:WEB-INF/lib/struts2-core-6.3.0.jar:org/apache/struts2/interceptor/FetchMetadataInterceptor.class */
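/**
 * Interceptor that applies a Fetch Metadata resource-isolation check to each request before the
 * action runs.
 *
 * <p>For every invocation it sets the {@code Vary} response header to the four
 * {@code Sec-Fetch-*} header names, then either lets the invocation continue or short-circuits
 * with the result name {@code "403"}.
 *
 * <p>Reviewer notes on the security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The exemption list is compared with {@link HttpServletRequest#getContextPath()}, i.e. the
 *       web application's context root, not the path of the individual request. An entry that
 *       equals the context path therefore exempts <em>every</em> request to the application from
 *       the policy check, and entries naming a single endpoint will never match. Keep the
 *       exemption list empty unless the whole application is meant to be reachable
 *       cross-site.</li>
 *   <li>The rejection is signalled by returning a result name, not by setting the HTTP status
 *       here. Presumably a result called {@code "403"} has to be mapped so the client actually
 *       receives a 403 response; confirm against the deployment's result configuration.</li>
 *   <li>The decision itself is delegated to {@link StrutsResourceIsolationPolicy}; how that policy
 *       treats requests that carry no {@code Sec-Fetch-*} headers is not visible here, so this
 *       interceptor should not be treated as the only cross-site request defence without
 *       checking that.</li>
 * </ul>
 */
public class FetchMetadataInterceptor extends AbstractInterceptor {
    private static final Logger LOG = LogManager.getLogger(FetchMetadataInterceptor.class);

    /** Value written to the {@code Vary} header: the four Fetch Metadata request header names. */
    private static final String VARY_HEADER_VALUE = String.format("%s,%s,%s,%s", ResourceIsolationPolicy.SEC_FETCH_DEST_HEADER, ResourceIsolationPolicy.SEC_FETCH_MODE_HEADER, ResourceIsolationPolicy.SEC_FETCH_SITE_HEADER, ResourceIsolationPolicy.SEC_FETCH_USER_HEADER);

    /**
     * Result name returned when a request is rejected ({@code "403"}).
     *
     * <p>The decompiler rendered the literal 403 as {@code javassist.compiler.TokenId.LongConstant},
     * an unrelated constant that happens to share the value. The servlet API constant is used
     * instead so the intent is readable and the class does not depend on javassist for it.
     */
    private static final String SC_FORBIDDEN = String.valueOf(HttpServletResponse.SC_FORBIDDEN);

    /** Paths for which the isolation policy is skipped; compared with the request's context path. */
    private final Set<String> exemptedPaths = new HashSet<>();

    /** Policy that decides whether a request may proceed. */
    private final ResourceIsolationPolicy resourceIsolationPolicy = new StrutsResourceIsolationPolicy();

    /**
     * Adds paths that bypass the isolation policy.
     *
     * <p>Each call adds to the existing set; nothing is removed. Every entry widens what can be
     * reached without the Fetch Metadata check, see the class notes on how entries are matched.
     *
     * @param str comma-delimited list of paths, parsed by
     *     {@link TextParseUtil#commaDelimitedStringToSet(String)}
     */
    @Inject(required = false)
    public void setExemptedPaths(String str) {
        this.exemptedPaths.addAll(TextParseUtil.commaDelimitedStringToSet(str));
    }

    /**
     * Sets the {@code Vary} header, then invokes the action unless the request is neither exempted
     * nor allowed by the resource isolation policy.
     *
     * @param actionInvocation the current invocation
     * @return the result of {@link ActionInvocation#invoke()}, or {@code "403"} when the request is
     *     rejected
     * @throws Exception whatever the rest of the invocation chain throws
     */
    @Override
    public String intercept(ActionInvocation actionInvocation) throws Exception {
        HttpServletRequest servletRequest = actionInvocation.getInvocationContext().getServletRequest();

        // The Vary header is set on every response, including rejected ones.
        addVaryHeaders(actionInvocation);

        // NOTE(review): this is the application's context root, not the requested path, so the
        // exemption below is all-or-nothing for the whole application.
        String contextPath = servletRequest.getContextPath();

        // Exempted requests skip the policy entirely; the policy is not consulted for them.
        if (this.exemptedPaths.contains(contextPath)) {
            return actionInvocation.invoke();
        }

        if (this.resourceIsolationPolicy.isRequestAllowed(servletRequest)) {
            return actionInvocation.invoke();
        }

        // NOTE(review): only the context path is logged, so this entry does not identify which
        // endpoint was targeted; correlate with the access log when investigating rejections.
        LOG.warn("Fetch metadata rejected cross-origin request to: {}", contextPath);
        return SC_FORBIDDEN;
    }

    /**
     * Sets the {@code Vary} response header to the Fetch Metadata header names.
     *
     * <p>{@code setHeader} replaces any {@code Vary} value already present on the response, so a
     * value set earlier in the chain is dropped. The replacement is only logged when debug
     * logging is enabled.
     *
     * @param actionInvocation the current invocation, used to reach the servlet response
     */
    private void addVaryHeaders(ActionInvocation actionInvocation) {
        HttpServletResponse servletResponse = actionInvocation.getInvocationContext().getServletResponse();
        if (LOG.isDebugEnabled() && servletResponse.containsHeader(ResourceIsolationPolicy.VARY_HEADER)) {
            LOG.debug("HTTP response already has header: {} set, the old value will be overwritten (replaced)", ResourceIsolationPolicy.VARY_HEADER);
        }
        servletResponse.setHeader(ResourceIsolationPolicy.VARY_HEADER, VARY_HEADER_VALUE);
    }
}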
