package org.apache.sling.auth.openid.impl;

import com.dyuproject.openid.OpenIdUser;
import com.dyuproject.openid.RelyingParty;
import com.dyuproject.openid.manager.CookieBasedUserManager;
import java.io.IOException;
import java.net.URLEncoder;
import java.net.UnknownHostException;
import java.util.Dictionary;
import java.util.Iterator;
import java.util.Properties;
import javax.jcr.Credentials;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.auth.core.spi.AbstractAuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;
import org.apache.sling.auth.core.spi.DefaultAuthenticationFeedbackHandler;
import org.apache.sling.auth.openid.OpenIDConstants;
import org.apache.sling.auth.openid.OpenIDFailure;
import org.apache.sling.commons.osgi.OsgiUtil;
import org.apache.sling.jcr.api.SlingRepository;
import org.mortbay.util.URIUtil;
import org.osgi.framework.ServiceRegistration;
import org.osgi.service.component.ComponentContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/sling/auth/openid/impl/OpenIDAuthenticationHandler.class */
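/**
 * Sling {@code AuthenticationHandler} implementing OpenID relying-party
 * authentication on top of the dyuproject OpenID library.
 * <p>
 * The handler drives the OpenID discovery / association / verification cycle
 * in {@link #extractCredentials}, redirects to a configurable login form in
 * {@link #requestCredentials}, and maps the verified OpenID identity to a
 * repository user id by looking up a user whose {@code identityProperty}
 * equals the OpenID identity (see {@link #getUserName}). The lookup is done
 * through a cached administrative repository session that is released in
 * {@link #deactivate}.
 * <p>
 * When {@code openid.use.cookie} is enabled the relying party keeps the OpenID
 * user state in a cookie that is protected with {@code openid.cookie.secret.key};
 * the built-in default value of that key is a placeholder and is reported at
 * activation time so deployments do not run with it unnoticed.
 * <p>
 * Thread-safety: the configuration fields are written in {@link #activate} and
 * read from request-processing methods; the lazily created {@code relyingParty},
 * {@code session} and {@code userManager} fields are initialised without
 * synchronisation (as in the original code), so a racing first request may
 * create them more than once.
 */
public class OpenIDAuthenticationHandler extends AbstractAuthenticationHandler {
    private final Logger log = LoggerFactory.getLogger(getClass());

    /** Configuration property: path of the login form (relative to the context path). */
    public static final String PROP_LOGIN_FORM = "openid.login.form";
    /** Configuration property: name of the request parameter carrying the OpenID identifier. */
    public static final String PROP_LOGIN_IDENTIFIER_FORM_FIELD = "openid.login.identifier";
    public static final String DEFAULT_LOGIN_IDENTIFIER_FORM_FIELD = "openid_identifier";
    /** Configuration property: externally visible URL prefix overriding the request-derived base URL. */
    public static final String PROP_EXTERNAL_URL_PREFIX = "openid.external.url.prefix";
    public static final String DEFAULT_EXTERNAL_URL_PREFIX = "";
    /** Configuration property: whether OpenID user state is kept in a cookie. */
    public static final String PROP_USE_COOKIE = "openid.use.cookie";
    public static final boolean DEFAULT_USE_COOKIE = true;
    public static final String PROP_COOKIE_DOMAIN = "openid.cookie.domain";
    public static final String DEFAULT_COOKIE_DOMAIN = "";
    public static final String PROP_COOKIE_NAME = "openid.cookie.name";
    public static final String DEFAULT_COOKIE_NAME = "sling.openid";
    /**
     * Configuration property: secret key handed to the cookie-based user
     * manager ({@code openid.user.manager.cookie.security.secret_key}).
     */
    public static final String PROP_COOKIE_SECRET_KEY = "openid.cookie.secret.key";
    /**
     * Placeholder default for {@link #PROP_COOKIE_SECRET_KEY}. It is public API
     * and therefore kept, but {@link #activate} logs a warning when the
     * deployment still relies on it.
     */
    public static final String DEFAULT_COOKIE_SECRET_KEY = "secret";

    private static final String PROP_OPENID_USER_ATTR = "openid.user.attr";
    private static final String DEFAULT_OPENID_USER_ATTR = "openid.user";
    private static final String PROP_OPEN_ID_IDENTIFIER_PROPERTY = "openid.property.identity";
    private static final String DEFAULT_OPEN_ID_IDENTIFIER_PROPERTY = "openid.identity";
    /** OpenIdUser attribute caching the resolved repository user id. */
    private static final String ATTR_USER_ID = "jcr.userid";
    /** Sentinel user id returned when no repository user maps to the OpenID identity. */
    private static final String NOT_VALID_FOR_LOGIN = "::not_valid_for_login::";
    static final String SLASH = "/";

    private SlingRepository repository;
    /** Administrative session used for user lookups; opened lazily, closed in deactivate. */
    private Session session;
    private UserManager userManager;
    private ComponentContext context;
    private String loginForm;
    private String externalUrlPrefix;
    /** Never assigned in this class; {@link #extractCredentials} falls back to the base URL. */
    private String realm;
    private boolean useCookie;
    private String cookieDomain;
    private char[] cookieSecret;
    private String cookieName;
    private String identifierParam;
    private String identityProperty;
    private String openIdAttribute;
    private RelyingParty relyingParty;
    private ServiceRegistration loginModule;

    public OpenIDAuthenticationHandler() {
        this.log.info("OpenIDAuthenticationHandler created");
    }

    /**
     * Runs one step of the OpenID relying-party protocol for the request.
     *
     * @return {@code null} when the request is not an OpenID login attempt,
     *         {@link AuthenticationInfo#DOING_AUTH} while a redirect is in
     *         progress, {@link AuthenticationInfo#FAIL_AUTH} (with the failure
     *         reason stored as request attribute) on failure, or the
     *         credentials of the authenticated OpenID user.
     */
    public AuthenticationInfo extractCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        try {
            RelyingParty relyingParty = getRelyingParty(httpServletRequest);
            OpenIdUser user = discover(relyingParty, httpServletRequest);

            if (user == null) {
                if (RelyingParty.isAuthResponse(httpServletRequest)) {
                    // provider answered but the pending user state is gone: restart
                    this.log.debug("OpenID authentication timeout");
                    httpServletResponse.sendRedirect(httpServletRequest.getRequestURI());
                    return AuthenticationInfo.DOING_AUTH;
                }
                if (RelyingParty.isAuthCancel(httpServletRequest)) {
                    this.log.info("OpenID authentication cancelled by user");
                    return handleAuthFailure(OpenIDFailure.AUTHENTICATION, httpServletRequest);
                }
                if (httpServletRequest.getParameter(this.identifierParam) == null) {
                    // no identifier submitted: this request is not for us
                    return null;
                }
                this.log.info("OpenID authentication failed (probably failed to discover OpenID Provider)");
                return handleAuthFailure(OpenIDFailure.DISCOVERY, httpServletRequest);
            }

            if (user.isAuthenticated()) {
                return getAuthInfoFromUser(user);
            }

            if (!user.isAssociated()) {
                // first leg: associate with the provider and redirect the browser there
                String baseUrl = getBaseUrl(httpServletRequest);
                String trustRoot = this.realm == null ? baseUrl : this.realm;
                String returnTo = baseUrl + getLoginResource(httpServletRequest, SLASH);
                boolean redirected = relyingParty.associateAndAuthenticate(user, httpServletRequest,
                        httpServletResponse, trustRoot, trustRoot, returnTo);
                return redirected
                        ? AuthenticationInfo.DOING_AUTH
                        : handleAuthFailure(OpenIDFailure.ASSOCIATION, httpServletRequest);
            }

            if (!RelyingParty.isAuthResponse(httpServletRequest)) {
                // associated but this is not the provider's answer: discard the state
                relyingParty.invalidate(httpServletRequest, httpServletResponse);
                return handleAuthFailure(OpenIDFailure.AUTHENTICATION, httpServletRequest);
            }

            if (!relyingParty.verifyAuth(user, httpServletRequest, httpServletResponse)) {
                return handleAuthFailure(OpenIDFailure.VERIFICATION, httpServletRequest);
            }

            // verified: redirect to the same URI so the next request sees an authenticated user
            httpServletResponse.sendRedirect(httpServletRequest.getRequestURI());
            return AuthenticationInfo.DOING_AUTH;

        } catch (ClassCastException e) {
            // stale OpenIdUser instance in the HTTP session (e.g. after a bundle update)
            this.log.warn("extractCredentials: Found OpenID user data in HTTP Session which cannot be used; failing credentials extraction");
            this.log.debug("extractCredentials: dump", e);
            dropCredentials(httpServletRequest, httpServletResponse);
            return handleAuthFailure(OpenIDFailure.OTHER, httpServletRequest);
        } catch (Exception e) {
            this.log.error("Error processing OpenID request", e);
            return null;
        }
    }

    /**
     * Redirects to the configured login form, passing the originally requested
     * resource, the failure reason and the OpenID identity as URL-encoded
     * query parameters.
     *
     * @return {@code false} when another authentication handler was explicitly
     *         requested, {@code true} otherwise (even if the redirect failed,
     *         which is only logged)
     * @throws IOException if URL encoding fails
     */
    public boolean requestCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        if (ignoreRequestCredentials(httpServletRequest)) {
            return false;
        }

        getRelyingParty(httpServletRequest).invalidate(httpServletRequest, httpServletResponse);

        // loginForm comes from configuration and is appended as-is; only the
        // query parameter values are URL-encoded
        StringBuilder target = new StringBuilder();
        target.append(httpServletRequest.getContextPath());
        target.append(this.loginForm);
        char separator = '?';

        String loginResource = getLoginResource(httpServletRequest, null);
        if (loginResource != null) {
            target.append(separator).append("resource");
            target.append("=").append(URLEncoder.encode(loginResource, "UTF-8"));
            separator = '&';
        }

        Object failureReason = httpServletRequest.getAttribute(OpenIDConstants.OPENID_FAILURE_REASON);
        if (failureReason != null) {
            String reasonName = failureReason instanceof Enum
                    ? ((Enum<?>) failureReason).name()
                    : failureReason.toString();
            target.append(separator).append(OpenIDConstants.OPENID_FAILURE_REASON);
            target.append("=").append(URLEncoder.encode(reasonName, "UTF-8"));
            separator = '&';
        }

        Object identity = httpServletRequest.getAttribute(OpenIDConstants.OPENID_IDENTITY);
        if (identity instanceof String) {
            target.append(separator).append(OpenIDConstants.OPENID_IDENTITY);
            target.append("=").append(URLEncoder.encode((String) identity, "UTF-8"));
        }

        String location = target.toString();
        try {
            httpServletResponse.sendRedirect(location);
        } catch (IOException e) {
            this.log.error("Failed to redirect to the page: " + location, e);
        }
        return true;
    }

    /** Invalidates the relying-party state (session or cookie) for the request. */
    public void dropCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        try {
            getRelyingParty(httpServletRequest).invalidate(httpServletRequest, httpServletResponse);
        } catch (Exception e) {
            this.log.warn("dropAuthentication: Problem checking whether the user is logged in at all, assuming not logged in and therefore not logging out");
            this.log.debug("dropAuthentication: dump", e);
        }
    }

    /**
     * Feedback callback for a repository login failure: records
     * {@link OpenIDFailure#REPOSITORY} and, if still known, the OpenID identity
     * as request attributes so the login form can display them, then drops the
     * relying-party state.
     */
    public void authenticationFailed(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationInfo authenticationInfo) {
        OpenIdUser openIdUser = null;
        try {
            openIdUser = getRelyingParty(httpServletRequest).discover(httpServletRequest);
        } catch (Exception e) {
            // best effort only: the identity is merely informational here
            this.log.debug("authenticationFailed: Cannot discover OpenID user", e);
        }

        dropCredentials(httpServletRequest, httpServletResponse);
        httpServletRequest.setAttribute(OpenIDConstants.OPENID_FAILURE_REASON, OpenIDFailure.REPOSITORY);

        if (openIdUser != null && openIdUser.getIdentity() != null) {
            httpServletRequest.setAttribute(OpenIDConstants.OPENID_IDENTITY, openIdUser.getIdentity());
        }
    }

    /** Delegates the post-login redirect to the default feedback handler. */
    public boolean authenticationSucceeded(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationInfo authenticationInfo) {
        return DefaultAuthenticationFeedbackHandler.handleRedirect(httpServletRequest, httpServletResponse);
    }

    /**
     * Discovers the OpenID user for the request, mapping communication and
     * resolution problems to {@code null}.
     * <p>
     * {@link UnknownHostException} is a subclass of {@link IOException} and
     * must therefore be caught first; the more specific log message is
     * unreachable (and the code does not compile) the other way round.
     *
     * @return the discovered user or {@code null} if discovery failed
     * @throws ClassCastException if the HTTP session holds OpenID user data of
     *         an incompatible class; propagated for the caller to handle
     */
    private OpenIdUser discover(RelyingParty relyingParty, HttpServletRequest httpServletRequest) {
        try {
            return relyingParty.discover(httpServletRequest);
        } catch (UnknownHostException e) {
            this.log.info("discover: The OpenID identifier cannot be resolved because it designates an unknown host {}", e.getMessage());
            return null;
        } catch (IOException e) {
            this.log.info("discover: Failure to communicate with OpenID provider", e);
            return null;
        } catch (ClassCastException e) {
            throw e;
        } catch (Exception e) {
            this.log.warn("discover: Unexpected failure discovering the OpenID user", e);
            return null;
        }
    }

    /** Stores the failure reason as request attribute and returns {@code FAIL_AUTH}. */
    private AuthenticationInfo handleAuthFailure(OpenIDFailure openIDFailure, HttpServletRequest httpServletRequest) {
        httpServletRequest.setAttribute(OpenIDConstants.OPENID_FAILURE_REASON, openIDFailure);
        return AuthenticationInfo.FAIL_AUTH;
    }

    /**
     * Reads the component configuration and tries to register the OpenID
     * login module plugin (optional; absence is logged at info level).
     * Warns when cookies are enabled with the built-in default secret key.
     */
    protected void activate(ComponentContext componentContext) {
        this.context = componentContext;
        Dictionary<?, ?> properties = this.context.getProperties();

        this.loginForm = OsgiUtil.toString(properties.get(PROP_LOGIN_FORM), "/system/sling/openid/login");
        this.externalUrlPrefix = OsgiUtil.toString(properties.get(PROP_EXTERNAL_URL_PREFIX), DEFAULT_EXTERNAL_URL_PREFIX);
        this.identityProperty = OsgiUtil.toString(properties.get(PROP_OPEN_ID_IDENTIFIER_PROPERTY), DEFAULT_OPEN_ID_IDENTIFIER_PROPERTY);
        this.useCookie = OsgiUtil.toBoolean(properties.get(PROP_USE_COOKIE), DEFAULT_USE_COOKIE);
        this.cookieDomain = OsgiUtil.toString(properties.get(PROP_COOKIE_DOMAIN), DEFAULT_COOKIE_DOMAIN);
        this.cookieName = OsgiUtil.toString(properties.get(PROP_COOKIE_NAME), DEFAULT_COOKIE_NAME);
        this.identifierParam = OsgiUtil.toString(properties.get(PROP_LOGIN_IDENTIFIER_FORM_FIELD), DEFAULT_LOGIN_IDENTIFIER_FORM_FIELD);
        this.cookieSecret = OsgiUtil.toString(properties.get(PROP_COOKIE_SECRET_KEY), DEFAULT_COOKIE_SECRET_KEY).toCharArray();
        this.openIdAttribute = OsgiUtil.toString(properties.get(PROP_OPENID_USER_ATTR), DEFAULT_OPENID_USER_ATTR);

        // the secret protects the cookie-based user state; the default is a
        // well-known placeholder, so make its use visible (never log the value)
        if (this.useCookie && DEFAULT_COOKIE_SECRET_KEY.equals(new String(this.cookieSecret))) {
            this.log.warn("activate: {} is not configured; the built-in default cookie secret key is in use. Configure a unique value for this property.", PROP_COOKIE_SECRET_KEY);
        }

        this.loginModule = null;
        try {
            this.loginModule = OpenIDLoginModulePlugin.register(this, componentContext.getBundleContext());
        } catch (Throwable th) {
            // LoginModulePlugin support is optional in the hosting Sling instance
            this.log.info("Cannot register OpenIDLoginModulePlugin. This is expected if Sling LoginModulePlugin services are not supported");
            this.log.debug("dump", th);
        }
    }

    /** Unregisters the login module plugin and logs out the administrative session. */
    protected void deactivate(ComponentContext componentContext) {
        if (this.loginModule != null) {
            this.loginModule.unregister();
            this.loginModule = null;
        }

        if (this.session != null) {
            try {
                if (this.session.isLive()) {
                    this.session.logout();
                }
            } catch (Throwable th) {
                this.log.error("deactivate: Unexpected problem logging out session", th);
            }
            this.userManager = null;
            this.session = null;
        }
    }

    /**
     * @return {@code true} if the request explicitly asks for a different
     *         authentication handler via the {@code sling:authRequestLogin}
     *         parameter
     */
    private boolean ignoreRequestCredentials(HttpServletRequest httpServletRequest) {
        String requested = httpServletRequest.getParameter("sling:authRequestLogin");
        return requested != null && !OpenIDConstants.OPENID_AUTH.equals(requested);
    }

    /**
     * Builds the credentials for an authenticated OpenID user. Without the
     * login module plugin only the identity string is attached; with it the
     * whole {@link OpenIdUser} is attached so the plugin can verify it.
     */
    private AuthenticationInfo getAuthInfoFromUser(OpenIdUser openIdUser) {
        AuthenticationInfo authenticationInfo = new AuthenticationInfo(OpenIDConstants.OPENID_AUTH, getUserName(openIdUser));
        Object attributeValue = this.loginModule == null ? openIdUser.getIdentity() : openIdUser;
        authenticationInfo.put(this.openIdAttribute, attributeValue);
        return authenticationInfo;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Extracts the {@link OpenIdUser} attached by {@link #getAuthInfoFromUser}.
     *
     * @return the user or {@code null} if the credentials are not
     *         {@link SimpleCredentials}
     * @throws ClassCastException if the attribute holds an object of another
     *         class (the attribute is only a String when the plugin is absent)
     */
    public OpenIdUser getOpenIdUser(Credentials credentials) {
        if (!(credentials instanceof SimpleCredentials)) {
            return null;
        }
        return (OpenIdUser) ((SimpleCredentials) credentials).getAttribute(this.openIdAttribute);
    }

    /**
     * Maps the OpenID identity to a repository user id by searching for a user
     * whose {@code identityProperty} equals the identity. The OpenID identity
     * itself is never used as user id; if no user matches, the sentinel
     * {@link #NOT_VALID_FOR_LOGIN} is returned so the repository login fails.
     * A successful lookup is cached on the {@link OpenIdUser}.
     */
    private String getUserName(OpenIdUser openIdUser) {
        Object cached = openIdUser.getAttribute(ATTR_USER_ID);
        if (cached instanceof String) {
            return (String) cached;
        }

        String identity = openIdUser.getIdentity();
        String userId = null;
        UserManager manager = getUserManager();
        if (manager != null) {
            userId = getUserIdByProperty(manager, this.identityProperty, identity);
        }

        if (userId == null) {
            return NOT_VALID_FOR_LOGIN;
        }
        openIdUser.setAttribute(ATTR_USER_ID, userId);
        return userId;
    }

    /**
     * Lazily opens an administrative session and obtains its
     * {@link UserManager}. The session is privileged and kept for the lifetime
     * of the component; it is released in {@link #deactivate}.
     *
     * @return the user manager, or {@code null} if the session could not be
     *         created or is not a {@link JackrabbitSession}
     */
    private UserManager getUserManager() {
        if (this.userManager == null) {
            try {
                if (this.session == null) {
                    this.session = this.repository.loginAdministrative((String) null);
                }
                if (this.session instanceof JackrabbitSession) {
                    this.userManager = ((JackrabbitSession) this.session).getUserManager();
                }
            } catch (RepositoryException e) {
                this.log.error("getUserManager: Cannot get UserManager", e);
            }
        }
        return this.userManager;
    }

    /**
     * Finds the id of the first user having {@code propertyName} equal to
     * {@code propertyValue}; a warning is logged if the match is ambiguous.
     *
     * @return the user id or {@code null} if none matches or the lookup fails
     */
    private String getUserIdByProperty(UserManager userManager, String propertyName, String propertyValue) {
        String userId = null;
        try {
            // restrict to users so the cast below cannot hit a group
            Iterator<?> matches = userManager.findAuthorizables(propertyName, propertyValue, UserManager.SEARCH_TYPE_USER);
            if (matches.hasNext()) {
                userId = ((User) matches.next()).getID();
                if (matches.hasNext()) {
                    this.log.warn("getUserName: Multiple users found with property {}={}; using {}", new Object[]{propertyName, propertyValue, userId});
                }
            }
        } catch (RepositoryException e) {
            this.log.warn("getUserName: Problem finding user with property {}={}", new Object[]{propertyName, propertyValue}, e);
        }
        return userId;
    }

    /**
     * Lazily creates the dyuproject {@link RelyingParty}. With cookies enabled
     * the cookie-based user manager is configured with name, path (the context
     * path or "/"), optional domain and the secret key. The context path of the
     * first request fixes the cookie path for all later requests.
     */
    private RelyingParty getRelyingParty(HttpServletRequest httpServletRequest) {
        if (this.relyingParty == null) {
            Properties settings = new Properties();
            settings.setProperty("openid.identifier.parameter", this.identifierParam);

            if (this.useCookie) {
                String contextPath = httpServletRequest.getContextPath();
                String cookiePath = (contextPath == null || contextPath.length() == 0) ? SLASH : contextPath;
                settings.setProperty("openid.user.manager", CookieBasedUserManager.class.getName());
                settings.setProperty("openid.user.manager.cookie.name", this.cookieName);
                settings.setProperty("openid.user.manager.cookie.path", cookiePath);
                if (this.cookieDomain != null) {
                    settings.setProperty("openid.user.manager.cookie.domain", this.cookieDomain);
                }
                settings.setProperty("openid.user.manager.cookie.security.secret_key", new String(this.cookieSecret));
            }

            this.relyingParty = RelyingParty.newInstance(settings);
        }
        return this.relyingParty;
    }

    /**
     * Returns the base URL used as OpenID trust root and return-to prefix.
     * A configured external URL prefix wins (needed behind proxies); otherwise
     * the URL is assembled from the request, omitting the default ports 80
     * (http) and 443 (https).
     */
    String getBaseUrl(HttpServletRequest httpServletRequest) {
        if (this.externalUrlPrefix != null && this.externalUrlPrefix.length() != 0) {
            return this.externalUrlPrefix;
        }

        String scheme = httpServletRequest.getScheme();
        int port = httpServletRequest.getServerPort();
        boolean defaultHttpPort = "http".equals(scheme) && port == 80;
        boolean defaultHttpsPort = URIUtil.HTTPS.equals(scheme) && port == 443;

        StringBuilder url = new StringBuilder();
        url.append(scheme).append("://");
        url.append(httpServletRequest.getServerName());
        if (port > 0 && !defaultHttpPort && !defaultHttpsPort) {
            url.append(':').append(port);
        }
        url.append(httpServletRequest.getContextPath());
        return url.toString();
    }

    protected void bindRepository(SlingRepository slingRepository) {
        this.repository = slingRepository;
    }

    protected void unbindRepository(SlingRepository slingRepository) {
        if (this.repository == slingRepository) {
            this.repository = null;
        }
    }
}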
