package com.day.crx.security.token.impl;

import com.day.crx.security.token.TokenCookie;
import com.day.crx.security.token.impl.FlexClientResponseHelper;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;
import javax.jcr.ItemNotFoundException;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.jackrabbit.api.security.authentication.token.TokenCredentials;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.auth.core.spi.AbstractAuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationFeedbackHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;
import org.apache.sling.auth.core.spi.DefaultAuthenticationFeedbackHandler;
import org.apache.sling.commons.osgi.OsgiUtil;
import org.apache.sling.jcr.api.SlingRepository;
import org.apache.sling.settings.SlingSettingsService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/day/crx/security/token/impl/TokenAuthenticationHandler.class */
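/**
 * Sling {@code AuthenticationHandler} that authenticates a request in one of two ways:
 * <ul>
 *   <li>a form login: a {@code POST} to the login URL carrying {@code j_username}/{@code j_password}
 *       (turned into {@link SimpleCredentials} that ask the repository to issue a token), or</li>
 *   <li>a token cookie bound to this repository/cluster id (turned into {@link TokenCredentials}).</li>
 * </ul>
 * As an {@link AuthenticationFeedbackHandler} it also (re)issues or drops the token cookie after
 * a login succeeds or fails, removes the backing token node on logout, and answers Flex clients
 * with a small status map instead of a redirect.
 * <p>
 * Bindings (client IP and User-Agent) are attached to the credentials under the attribute
 * keys chosen at activation; which of them are mandatory is driven by {@code token.required.attr}.
 * <p>
 * Not thread-safe for configuration changes; the fields set in {@link #activate(Map)} are
 * only written there and read afterwards.
 */
public class TokenAuthenticationHandler extends AbstractAuthenticationHandler implements AuthenticationFeedbackHandler {
    // --- form login request shape ---------------------------------------------------------
    /** HTTP method a form login must use; anything else is never treated as a login. */
    private static final String REQUEST_METHOD = "POST";
    /** Request URI suffix identifying the login endpoint (see {@link #isLoginURL}). */
    private static final String REQUEST_URL_SUFFIX = "/j_security_check";
    private static final String PAR_J_USERNAME = "j_username";
    private static final String PAR_J_PASSWORD = "j_password";
    /** Request attribute carrying the human-readable failure reason. */
    private static final String PAR_J_REASON = "j_reason";
    /** Request parameter forcing a fresh token cookie on an already authenticated request. */
    private static final String PAR_J_SET_COOKIE = "j_set_cookie";
    private static final String REASON_WRONG_CREDENTIALS = "User name and password do not match";
    private static final String REASON_TOKEN_EXPIRED = "Session timed out, please login again";

    // --- AuthenticationInfo keys ----------------------------------------------------------
    /** Key under which the JCR credentials are stored in the {@link AuthenticationInfo}. */
    private static final String CREDENTIALS = "user.jcr.credentials";
    /** Authentication type reported in the {@link AuthenticationInfo} and to Flex clients. */
    private static final String AUTH_TYPE = "TOKEN";

    // --- credentials attribute keys -------------------------------------------------------
    /** Credentials attribute set to {@link #NO_TOKEN} on a form login. */
    private static final String ATTR_TOKEN = ".token";
    /** Client IP attribute, non-mandatory variant. */
    private static final String ATTR_TOKEN_IP = "ip";
    /**
     * Client IP attribute, mandatory variant. NOTE(review): presumably the leading dot is what
     * marks the attribute as mandatory to the token provider — confirm against the repository.
     */
    private static final String ATTR_TOKEN_IP_MANDATORY = ".token.ip";
    /** Client User-Agent attribute, non-mandatory variant. */
    private static final String ATTR_TOKEN_AGENT = "useragent";
    /** Client User-Agent attribute, mandatory variant (see {@link #ATTR_TOKEN_IP_MANDATORY}). */
    private static final String ATTR_TOKEN_AGENT_MANDATORY = ".token.useragent";
    private static final String ATTR_REFERER = "referer";

    // --- configuration ----------------------------------------------------------------------
    /** Values of {@link #PROP_REQUIRED_ATTR}; anything else behaves like {@link #REQUIRED_ATTR_IP_AGENT}. */
    private static final String REQUIRED_ATTR_IP_AGENT = "ip_agent";
    private static final String REQUIRED_ATTR_IP = "ip";
    private static final String REQUIRED_ATTR_AGENT = "agent";
    private static final String REQUIRED_ATTR_NONE = "none";
    private static final String PROP_REQUIRED_ATTR = "token.required.attr";
    /** Optional second login URL suffix; a missing leading slash is added at activation. */
    private static final String PROP_ALTERNATE_URL = "token.alternate.url";

    private static final String NO_TOKEN = "";
    private static final char[] NO_PASSWORD = new char[0];
    /** Repository descriptors tried, in order, for the id tokens are bound to. */
    private static final String REPO_DESC_ID = "crx.repository.systemid";
    private static final String REPO_DESC_CLUSTER_ID = "crx.cluster.id";
    private final Logger log = LoggerFactory.getLogger(getClass());
    private static final String DESCRIPTION = "Token Authentication Handler";

    private SlingRepository repository;
    private SlingSettingsService settings;
    /** Id the token cookie is bound to: cluster id, else repository id, else Sling id, else random. */
    private String repositoryId;
    /** Attribute key the client IP is stored under for form logins (mandatory or not, per config). */
    private String attrIp;
    /** Attribute key the User-Agent is stored under for form logins (mandatory or not, per config). */
    private String attrAgent;
    /** Alternate login URL suffix, always starting with "/", or {@code null} if not configured. */
    private String alternateAuthUrl;

    /**
     * Component activation: derives the id tokens are bound to, the cookie validation mode
     * and the optional alternate login URL from the component configuration.
     *
     * @param map the component configuration properties
     */
    private void activate(Map<String, Object> map) {
        this.repositoryId = resolveRepositoryId();
        this.log.info("activate: Supporting tokens bound to Repository (Cluster) {}", this.repositoryId);

        String required = OsgiUtil.toString(map.get(PROP_REQUIRED_ATTR), REQUIRED_ATTR_IP_AGENT);
        if (REQUIRED_ATTR_IP.equals(required)) {
            this.log.info("activate: Validating Cookie with Client IP");
            this.attrIp = ATTR_TOKEN_IP_MANDATORY;
            this.attrAgent = ATTR_TOKEN_AGENT;
        } else if (REQUIRED_ATTR_AGENT.equals(required)) {
            this.log.info("activate: Validating Cookie with Client User-Agent");
            this.attrIp = ATTR_TOKEN_IP;
            this.attrAgent = ATTR_TOKEN_AGENT_MANDATORY;
        } else if (REQUIRED_ATTR_NONE.equals(required)) {
            this.log.info("activate: Validating Token Only");
            this.attrIp = ATTR_TOKEN_IP;
            this.attrAgent = ATTR_TOKEN_AGENT;
        } else {
            // Default, and the fallback for any unrecognised value: bind both IP and User-Agent.
            this.log.info("activate: Validating Cookie with Client IP and User-Agent");
            this.attrIp = ATTR_TOKEN_IP_MANDATORY;
            this.attrAgent = ATTR_TOKEN_AGENT_MANDATORY;
        }

        String alternate = OsgiUtil.toString(map.get(PROP_ALTERNATE_URL), (String) null);
        if (alternate != null && !alternate.startsWith("/")) {
            alternate = "/" + alternate;
        }
        this.alternateAuthUrl = alternate;
    }

    /**
     * Picks the id the token cookie is bound to: the cluster id descriptor, else the repository
     * system id descriptor, else the Sling id, else a random UUID (logged as an error because a
     * random id does not survive a restart).
     */
    private String resolveRepositoryId() {
        String id = this.repository.getDescriptor(REPO_DESC_CLUSTER_ID);
        if (id == null) {
            id = this.repository.getDescriptor(REPO_DESC_ID);
        }
        if (id == null) {
            id = this.settings.getSlingId();
        }
        if (id == null) {
            id = UUID.randomUUID().toString();
            this.log.error("activate: Failure to acquire unique ID for this token authenticator. Using random UUID {}", id);
        }
        return id;
    }

    /**
     * Extracts credentials from a form login POST first, then from the token cookie.
     *
     * @return the {@link AuthenticationInfo} to authenticate with, or {@code null} if the request
     *         carries neither login form parameters nor a token cookie for this repository id
     */
    public AuthenticationInfo extractCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        AuthenticationInfo formLogin = getTokenFormPars(httpServletRequest);
        if (formLogin != null) {
            // NOTE(review): the attribute key is the constant REQUEST_URL_SUFFIX as decompiled; the
            // original source may have used a different constant with the same value — confirm.
            httpServletRequest.setAttribute(REQUEST_URL_SUFFIX, AUTH_TYPE);
            return formLogin;
        }
        TokenCookie.Info tokenInfo = TokenCookie.getTokenInfo(httpServletRequest, this.repositoryId);
        if (!hasToken(tokenInfo)) {
            return null;
        }
        if (this.log.isDebugEnabled()) {
            // The token is a bearer credential: debug logs containing it are sensitive.
            this.log.debug("Extracted token information: {}@{}", tokenInfo.token, tokenInfo.workspace);
        }
        if (tokenInfo.workspace != null && tokenInfo.workspace.length() > 0) {
            httpServletRequest.setAttribute("j_workspace", tokenInfo.workspace);
        }
        return createAuthenticationInfo(createCredentials(tokenInfo.token), httpServletRequest);
    }

    /**
     * Always {@code false}: this handler does not issue a login challenge of its own.
     */
    public boolean requestCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        return false;
    }

    /**
     * Logs the client out: removes the backing token node, clears the token cookie and, for a
     * Flex client that is not in the middle of a failure report (no {@code j_reason} attribute),
     * writes a LOGGED_OUT status response.
     */
    public void dropCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        removeTokenNode(httpServletRequest);
        TokenCookie.update(httpServletRequest, httpServletResponse, this.repositoryId, null, null, true);
        if (isFlexRequest(httpServletRequest) && httpServletRequest.getAttribute(PAR_J_REASON) == null) {
            // Raw type kept: the parameter type of FlexClientResponseHelper.writeResponse is not visible here.
            HashMap status = new HashMap();
            status.put(FlexClientResponseHelper.RES_AUTHENTICATED, "false");
            status.put(FlexClientResponseHelper.RES_AUTHSTATE, FlexClientResponseHelper.AuthState.LOGGED_OUT.name());
            FlexClientResponseHelper.writeResponse(httpServletResponse, status);
        }
    }

    /**
     * Records why authentication failed (expired token if a token cookie was present, wrong
     * credentials otherwise), drops the credentials and tells a Flex client the reason.
     * The reason attribute is set before {@link #dropCredentials} so that the latter does not
     * write its own LOGGED_OUT response.
     */
    public void authenticationFailed(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationInfo authenticationInfo) {
        FlexClientResponseHelper.AuthFailedReason reason;
        if (hasToken(TokenCookie.getTokenInfo(httpServletRequest, this.repositoryId))) {
            httpServletRequest.setAttribute(PAR_J_REASON, REASON_TOKEN_EXPIRED);
            reason = FlexClientResponseHelper.AuthFailedReason.TOKEN_EXPIRED;
        } else {
            httpServletRequest.setAttribute(PAR_J_REASON, REASON_WRONG_CREDENTIALS);
            reason = FlexClientResponseHelper.AuthFailedReason.WRONG_CREDENTIALS;
        }
        dropCredentials(httpServletRequest, httpServletResponse);
        if (isFlexRequest(httpServletRequest)) {
            // Raw type kept: the parameter type of FlexClientResponseHelper.writeResponse is not visible here.
            HashMap status = new HashMap();
            status.put(FlexClientResponseHelper.RES_REASON, reason.name());
            status.put(FlexClientResponseHelper.RES_AUTHENTICATED, "false");
            status.put(FlexClientResponseHelper.RES_AUTHSTATE, FlexClientResponseHelper.AuthState.FAILED.name());
            FlexClientResponseHelper.writeResponse(httpServletResponse, status);
        }
    }

    /**
     * After a successful login: (re)issues the token cookie when this was a form login, when no
     * cookie was present, or when {@code j_set_cookie=true} was sent; then either answers a Flex
     * client with a COMPLETE status, or redirects a form login to its login resource.
     *
     * @return {@code true} if this method wrote the response (Flex status or redirect)
     */
    public boolean authenticationSucceeded(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationInfo authenticationInfo) {
        boolean formLogin = REQUEST_METHOD.equals(httpServletRequest.getMethod()) && isLoginURL(httpServletRequest);
        TokenCookie.Info current = TokenCookie.getTokenInfo(httpServletRequest, this.repositoryId);
        if (formLogin || needsCookieUpdate(current, httpServletRequest)) {
            TokenCookie.Info fresh = createTokenInfo(httpServletRequest, authenticationInfo);
            // createTokenInfo returns null when either the token or the workspace is unknown;
            // dereferencing it unguarded was an NPE on an otherwise successful login.
            if (fresh == null) {
                this.log.warn("authenticationSucceeded: no token or workspace available, token cookie not updated");
            } else {
                TokenCookie.update(httpServletRequest, httpServletResponse, this.repositoryId, fresh.token, fresh.workspace, true);
            }
        }

        if (isFlexRequest(httpServletRequest) && !logoutRequest(httpServletRequest)) {
            // Raw type kept: the parameter type of FlexClientResponseHelper.writeResponse is not visible here.
            HashMap status = new HashMap();
            status.put(FlexClientResponseHelper.RES_AUTHENTICATED, "true");
            status.put(FlexClientResponseHelper.RES_AUTHSTATE, FlexClientResponseHelper.AuthState.COMPLETE.name());
            status.put(FlexClientResponseHelper.RES_AUTHTYPE, AUTH_TYPE);
            Object resolver = httpServletRequest.getAttribute("org.apache.sling.auth.core.ResourceResolver");
            if (resolver instanceof ResourceResolver) {
                status.put(FlexClientResponseHelper.RES_USERID, ((ResourceResolver) resolver).getUserID());
            }
            FlexClientResponseHelper.writeResponse(httpServletResponse, status);
            return true;
        }

        // Only a form login is redirected; if the default feedback handler already redirected,
        // the original reports "not handled" here — kept as is.
        if (!formLogin || DefaultAuthenticationFeedbackHandler.handleRedirect(httpServletRequest, httpServletResponse)) {
            return false;
        }
        String target = getLoginResource(httpServletRequest, null);
        if (target == null) {
            return false;
        }
        if (!isRedirectValid(httpServletRequest, target)) {
            // Open-redirect guard from the base class; fall back to the site root.
            this.log.error("Redirect target '{}' is invalid, redirecting to '/'", target);
            target = "/";
        }
        try {
            httpServletResponse.sendRedirect(target);
        } catch (IOException e) {
            this.log.error("Failed to send redirect to: " + target, e);
        }
        return true;
    }

    /** {@code true} if the request URI ends with the login suffix or the configured alternate URL. */
    private boolean isLoginURL(HttpServletRequest httpServletRequest) {
        String uri = httpServletRequest.getRequestURI();
        if (uri.endsWith(REQUEST_URL_SUFFIX)) {
            return true;
        }
        return this.alternateAuthUrl != null && uri.endsWith(this.alternateAuthUrl);
    }

    /** {@code true} if the Flex logout parameter is set to "true" (case-insensitive). */
    private boolean logoutRequest(HttpServletRequest httpServletRequest) {
        return "true".equalsIgnoreCase(httpServletRequest.getParameter(FlexClientResponseHelper.PAR_J_LOGOUT));
    }

    /** {@code true} if the request identifies itself as coming from a Flex client. */
    private boolean isFlexRequest(HttpServletRequest httpServletRequest) {
        return "true".equalsIgnoreCase(httpServletRequest.getParameter(FlexClientResponseHelper.PAR_J_FLEX));
    }

    /**
     * Builds credentials from a form login, or returns {@code null} if the request is not a
     * {@code POST} to the login URL carrying {@code j_username}. Unless this is a validate-only
     * request, the login resource attribute is set to the context path.
     */
    private AuthenticationInfo getTokenFormPars(HttpServletRequest httpServletRequest) {
        boolean isFormLogin = REQUEST_METHOD.equals(httpServletRequest.getMethod())
                && isLoginURL(httpServletRequest)
                && httpServletRequest.getParameter(PAR_J_USERNAME) != null;
        if (!isFormLogin) {
            return null;
        }
        if (!isValidateRequest(httpServletRequest)) {
            setLoginResourceAttribute(httpServletRequest, httpServletRequest.getContextPath());
        }
        SimpleCredentials credentials = createCredentials(
                httpServletRequest.getParameter(PAR_J_USERNAME),
                httpServletRequest.getParameter(PAR_J_PASSWORD));
        return createAuthenticationInfo(credentials, httpServletRequest);
    }

    public String toString() {
        return DESCRIPTION;
    }

    /** Wraps a cookie token for repository login. */
    private static TokenCredentials createCredentials(String str) {
        return new TokenCredentials(str);
    }

    /**
     * Builds password credentials for a form login; the empty {@code .token} attribute asks
     * the repository to issue a token. A missing password becomes an empty {@code char[]}.
     */
    private static SimpleCredentials createCredentials(String str, String str2) {
        char[] password = str2 != null ? str2.toCharArray() : NO_PASSWORD;
        SimpleCredentials simpleCredentials = new SimpleCredentials(str, password);
        simpleCredentials.setAttribute(ATTR_TOKEN, NO_TOKEN);
        return simpleCredentials;
    }

    /**
     * Returns the client address bound to the credentials: the last entry of the
     * {@code X-Forwarded-For} header when present, otherwise the socket peer address.
     * NOTE(review): the header is trusted as given; if no reverse proxy in front of this
     * instance strips or rewrites a client-supplied X-Forwarded-For, the bound address is
     * chosen by the client and the IP binding adds nothing — confirm the deployment.
     */
    private static String clientAddress(HttpServletRequest httpServletRequest) {
        String forwardedFor = httpServletRequest.getHeader("X-Forwarded-For");
        if (forwardedFor == null) {
            return httpServletRequest.getRemoteAddr();
        }
        String[] hops = forwardedFor.split(",");
        return hops[hops.length - 1].trim();
    }

    /**
     * Attaches the client bindings to form-login credentials under the configured (mandatory or
     * not) keys, plus the Referer if present, and wraps them in an {@link AuthenticationInfo}.
     */
    private AuthenticationInfo createAuthenticationInfo(SimpleCredentials simpleCredentials, HttpServletRequest httpServletRequest) {
        simpleCredentials.setAttribute(this.attrIp, clientAddress(httpServletRequest));
        String userAgent = httpServletRequest.getHeader("User-Agent");
        if (userAgent != null) {
            simpleCredentials.setAttribute(this.attrAgent, userAgent);
        }
        String referer = httpServletRequest.getHeader("Referer");
        if (referer != null) {
            simpleCredentials.setAttribute(ATTR_REFERER, referer);
        }
        AuthenticationInfo authenticationInfo = new AuthenticationInfo(AUTH_TYPE);
        authenticationInfo.put(CREDENTIALS, simpleCredentials);
        return authenticationInfo;
    }

    /**
     * Attaches the client bindings to cookie-token credentials. Unless the credentials carry an
     * empty {@code .token} attribute, the bindings go under the mandatory keys regardless of the
     * configured mode; the configured keys are only used in that special case.
     */
    private AuthenticationInfo createAuthenticationInfo(TokenCredentials tokenCredentials, HttpServletRequest httpServletRequest) {
        boolean useMandatory = !NO_TOKEN.equals(tokenCredentials.getAttribute(ATTR_TOKEN));
        String ipKey = useMandatory ? ATTR_TOKEN_IP_MANDATORY : this.attrIp;
        String agentKey = useMandatory ? ATTR_TOKEN_AGENT_MANDATORY : this.attrAgent;

        tokenCredentials.setAttribute(ipKey, clientAddress(httpServletRequest));
        String userAgent = httpServletRequest.getHeader("User-Agent");
        if (userAgent != null) {
            tokenCredentials.setAttribute(agentKey, userAgent);
        }
        String referer = httpServletRequest.getHeader("Referer");
        if (referer != null) {
            tokenCredentials.setAttribute(ATTR_REFERER, referer);
        }
        AuthenticationInfo authenticationInfo = new AuthenticationInfo(AUTH_TYPE);
        authenticationInfo.put(CREDENTIALS, tokenCredentials);
        return authenticationInfo;
    }

    /** {@code true} if {@code info} holds a token (null-safe). */
    private static boolean hasToken(TokenCookie.Info info) {
        return info != null && info.token != null;
    }

    /** A new cookie is needed when none is present or the client asked for one via {@code j_set_cookie}. */
    private boolean needsCookieUpdate(TokenCookie.Info info, HttpServletRequest httpServletRequest) {
        return !hasToken(info) || "true".equalsIgnoreCase(httpServletRequest.getParameter(PAR_J_SET_COOKIE));
    }

    /**
     * Builds the cookie contents from the authenticated credentials (the issued token) and the
     * workspace of the request's resource resolver session.
     *
     * @return the cookie info, or {@code null} if either the token or the workspace is unknown
     */
    private TokenCookie.Info createTokenInfo(HttpServletRequest httpServletRequest, AuthenticationInfo authenticationInfo) {
        String token = null;
        Object credentials = authenticationInfo.get(CREDENTIALS);
        if (credentials instanceof SimpleCredentials) {
            // For a form login the repository is expected to have replaced the empty .token
            // attribute with the issued token.
            Object issued = ((SimpleCredentials) credentials).getAttribute(ATTR_TOKEN);
            if (issued != null) {
                token = issued.toString();
            }
        } else if (credentials instanceof TokenCredentials) {
            token = ((TokenCredentials) credentials).getToken();
        }

        String workspace = null;
        Object resolver = httpServletRequest.getAttribute("org.apache.sling.auth.core.ResourceResolver");
        if (resolver instanceof ResourceResolver) {
            Session session = (Session) ((ResourceResolver) resolver).adaptTo(Session.class);
            if (session != null) {
                workspace = session.getWorkspace().getName();
            }
        }

        if (token == null || workspace == null) {
            return null;
        }
        return new TokenCookie.Info(token, workspace);
    }

    /**
     * Removes the token node backing the request's token cookie, if any, using an
     * administrative session on the cookie's workspace. Failures are logged, not propagated;
     * the session is always logged out.
     */
    private void removeTokenNode(HttpServletRequest httpServletRequest) {
        TokenCookie.Info tokenInfo = TokenCookie.getTokenInfo(httpServletRequest, this.repositoryId);
        if (!hasToken(tokenInfo)) {
            return;
        }
        // The part of the token before the first '_' is used as the node identifier.
        String token = tokenInfo.token;
        int separator = token.indexOf('_');
        String nodeId = separator == -1 ? token : token.substring(0, separator);

        Session session = null;
        try {
            session = this.repository.loginAdministrative(tokenInfo.workspace);
            session.getNodeByIdentifier(nodeId).remove();
            session.save();
        } catch (ItemNotFoundException e) {
            // The token is a bearer credential: this debug message contains it.
            this.log.debug("removeTokenNode: Token node " + tokenInfo.workspace + ":" + tokenInfo.token + " not found", e);
        } catch (RepositoryException e2) {
            this.log.info("removeTokenNode: Failed removing token node", e2);
        } finally {
            if (session != null) {
                session.logout();
            }
        }
    }

    protected void bindRepository(SlingRepository slingRepository) {
        this.repository = slingRepository;
    }

    protected void unbindRepository(SlingRepository slingRepository) {
        if (this.repository == slingRepository) {
            this.repository = null;
        }
    }

    protected void bindSettings(SlingSettingsService slingSettingsService) {
        this.settings = slingSettingsService;
    }

    protected void unbindSettings(SlingSettingsService slingSettingsService) {
        if (this.settings == slingSettingsService) {
            this.settings = null;
        }
    }
}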
