package org.apache.sling.engine.impl.auth;

import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Comparator;
import java.util.Dictionary;
import java.util.HashMap;
import java.util.Hashtable;
import java.util.List;
import java.util.Map;
import javax.jcr.LoginException;
import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.commons.osgi.OsgiUtil;
import org.apache.sling.engine.EngineConstants;
import org.apache.sling.engine.RequestUtil;
import org.apache.sling.engine.auth.AuthenticationHandler;
import org.apache.sling.engine.auth.AuthenticationInfo;
import org.apache.sling.engine.auth.Authenticator;
import org.apache.sling.engine.auth.NoAuthenticationHandlerException;
import org.apache.sling.jcr.api.TooManySessionsException;
import org.apache.sling.servlets.post.SlingPostConstants;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceReference;
import org.osgi.framework.ServiceRegistration;
import org.osgi.service.cm.ManagedService;
import org.osgi.service.event.EventConstants;
import org.osgi.util.tracker.ServiceTracker;
import org.osgi.util.tracker.ServiceTrackerCustomizer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:resources/bundles/0/org.apache.sling.engine-2.0.4-incubator.jar:org/apache/sling/engine/impl/auth/SlingAuthenticator.class */
public class SlingAuthenticator implements ManagedService, Authenticator {
    public static final String REQUEST_ATTRIBUTE_HANDLER = "org.apache.sling.engine.impl.auth.authentication_handler";
    public static final String PAR_IMPERSONATION_COOKIE_NAME = "auth.sudo.cookie";
    public static final String PAR_IMPERSONATION_PAR_NAME = "auth.sudo.parameter";
    public static final String PAR_ANONYMOUS_ALLOWED = "auth.annonymous";
    private static final String DEFAULT_IMPERSONATION_PARAMETER = "sudo";
    private static final String DEFAULT_IMPERSONATION_COOKIE = "sling.sudo";
    private static final boolean DEFAULT_ANONYMOUS_ALLOWED = true;
    private final ServiceTracker repositoryTracker;
    private final ServiceTracker authHandlerTracker;
    private int authHandlerTrackerCount;
    private Map<String, Map<String, AuthenticationHandlerInfo[]>> authHandlerCache;
    private String sudoParameterName;
    private String sudoCookieName;
    private boolean cacheControl;
    boolean anonymousAllowed;
    private ServiceRegistration registration;
    private static final Logger log = LoggerFactory.getLogger(SlingAuthenticator.class);
    private static Map<String, Map<String, AuthenticationHandlerInfo[]>> EMPTY_PROTOCOL_MAP = new HashMap();
    private static AuthenticationHandlerInfo[] EMPTY_INFO = new AuthenticationHandlerInfo[0];

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:resources/bundles/0/org.apache.sling.engine-2.0.4-incubator.jar:org/apache/sling/engine/impl/auth/SlingAuthenticator$AuthenticationHandlerInfo.class */
    public static final class AuthenticationHandlerInfo {
        public final String fullPath;
        public final String path;
        public final String host;
        public final String protocol;
        public final AuthenticationHandler handler;

        public AuthenticationHandlerInfo(String str, String str2, String str3, String str4, AuthenticationHandler authenticationHandler) {
            this.fullPath = str;
            this.path = str2;
            this.host = str3;
            this.protocol = str4;
            this.handler = authenticationHandler;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:resources/bundles/0/org.apache.sling.engine-2.0.4-incubator.jar:org/apache/sling/engine/impl/auth/SlingAuthenticator$AuthenticationHandlerInfoComparator.class */
    public static final class AuthenticationHandlerInfoComparator implements Comparator<AuthenticationHandlerInfo> {
        public static final AuthenticationHandlerInfoComparator SINGLETON = new AuthenticationHandlerInfoComparator();

        protected AuthenticationHandlerInfoComparator() {
        }

        @Override // java.util.Comparator
        public int compare(AuthenticationHandlerInfo authenticationHandlerInfo, AuthenticationHandlerInfo authenticationHandlerInfo2) {
            return authenticationHandlerInfo.path.compareTo(authenticationHandlerInfo2.path) * (-1);
        }
    }

    public SlingAuthenticator(BundleContext bundleContext) {
        this.repositoryTracker = new ServiceTracker(bundleContext, Repository.class.getName(), (ServiceTrackerCustomizer) null);
        this.repositoryTracker.open();
        this.authHandlerTracker = new ServiceTracker(bundleContext, AuthenticationHandler.class.getName(), (ServiceTrackerCustomizer) null);
        this.authHandlerTracker.open();
        this.authHandlerTrackerCount = -1;
        this.authHandlerCache = null;
        Hashtable hashtable = new Hashtable();
        hashtable.put(EventConstants.SERVICE_PID, getClass().getName());
        hashtable.put("service.description", "Sling Request Authenticator");
        hashtable.put("service.vendor", "The Apache Software Foundation");
        this.registration = bundleContext.registerService(new String[]{ManagedService.class.getName(), Authenticator.class.getName()}, this, hashtable);
    }

    public void dispose() {
        this.registration.unregister();
        this.authHandlerTracker.close();
        this.repositoryTracker.close();
    }

    public boolean authenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws MissingRepositoryException {
        Object attribute = httpServletRequest.getAttribute(EngineConstants.SESSION);
        if (attribute instanceof Session) {
            log.debug("authenticate: Request already authenticated, nothing to do");
            return true;
        }
        if (attribute != null) {
            log.warn("authenticate: Overwriting existing Session attribute ({})", attribute);
            httpServletRequest.removeAttribute(EngineConstants.SESSION);
        }
        AuthenticationInfo authenticationInfo = getAuthenticationInfo(httpServletRequest, httpServletResponse);
        if (authenticationInfo == AuthenticationInfo.DOING_AUTH) {
            log.debug("authenticate: ongoing authentication in the handler");
            return false;
        }
        if (authenticationInfo == null) {
            log.debug("authenticate: no credentials in the request, anonymous");
            return getAnonymousSession(httpServletRequest, httpServletResponse);
        }
        try {
            log.debug("authenticate: credentials, trying to get a session");
            setAttributes(handleImpersonation(httpServletRequest, httpServletResponse, getRepository().login(authenticationInfo.getCredentials(), authenticationInfo.getWorkspaceName())), authenticationInfo.getAuthType(), httpServletRequest);
            return true;
        } catch (RepositoryException e) {
            handleLoginFailure(httpServletRequest, httpServletResponse, e);
            return false;
        }
    }

    @Override // org.apache.sling.engine.auth.Authenticator
    public void login(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (httpServletResponse.isCommitted()) {
            throw new IllegalStateException("Response already committed");
        }
        AuthenticationHandlerInfo[] findApplicableAuthenticationHandlers = findApplicableAuthenticationHandlers(httpServletRequest);
        boolean z = false;
        for (int i = 0; !z && i < findApplicableAuthenticationHandlers.length; i++) {
            if (httpServletRequest.getPathInfo().startsWith(findApplicableAuthenticationHandlers[i].path)) {
                log.debug("requestAuthentication: requesting authentication using handler: {}", findApplicableAuthenticationHandlers[i]);
                Object requestAttribute = RequestUtil.setRequestAttribute(httpServletRequest, "path", findApplicableAuthenticationHandlers[i].fullPath);
                try {
                    try {
                        z = findApplicableAuthenticationHandlers[i].handler.requestAuthentication(httpServletRequest, httpServletResponse);
                        RequestUtil.setRequestAttribute(httpServletRequest, "path", requestAttribute);
                    } catch (IOException e) {
                        log.error("requestAuthentication: Failed sending authentication request through handler " + findApplicableAuthenticationHandlers[i] + ", access forbidden", (Throwable) e);
                        z = true;
                        RequestUtil.setRequestAttribute(httpServletRequest, "path", requestAttribute);
                    }
                } catch (Throwable th) {
                    RequestUtil.setRequestAttribute(httpServletRequest, "path", requestAttribute);
                    throw th;
                }
            }
        }
        if (z) {
            return;
        }
        log.info("requestAuthentication: No handler for request ({} handlers available)", Integer.valueOf(findApplicableAuthenticationHandlers.length));
        throw new NoAuthenticationHandlerException();
    }

    @Override // org.osgi.service.cm.ManagedService
    public void updated(Dictionary dictionary) {
        if (dictionary == null) {
            dictionary = new Hashtable();
        }
        String str = (String) dictionary.get(PAR_IMPERSONATION_COOKIE_NAME);
        if (str == null || str.length() == 0) {
            str = DEFAULT_IMPERSONATION_COOKIE;
        }
        if (!str.equals(this.sudoCookieName)) {
            log.info("Setting new cookie name for impersonation {} (was {})", str, this.sudoCookieName);
            this.sudoCookieName = str;
        }
        String str2 = (String) dictionary.get(PAR_IMPERSONATION_PAR_NAME);
        if (str2 == null || str2.length() == 0) {
            str2 = DEFAULT_IMPERSONATION_PARAMETER;
        }
        if (!str2.equals(this.sudoParameterName)) {
            log.info("Setting new parameter name for impersonation {} (was {})", str2, this.sudoParameterName);
            this.sudoParameterName = str2;
        }
        Object obj = dictionary.get(PAR_ANONYMOUS_ALLOWED);
        if (obj instanceof Boolean) {
            this.anonymousAllowed = ((Boolean) obj).booleanValue();
        } else {
            this.anonymousAllowed = true;
        }
    }

    private Repository getRepository() throws MissingRepositoryException {
        Repository repository = (Repository) this.repositoryTracker.getService();
        if (repository == null) {
            throw new MissingRepositoryException("No Repository available to " + getClass().getSimpleName() + ", cannot authenticate");
        }
        return repository;
    }

    private AuthenticationHandlerInfo[] findApplicableAuthenticationHandlers(HttpServletRequest httpServletRequest) {
        Map<String, Map<String, AuthenticationHandlerInfo[]>> authenticationHandlers = getAuthenticationHandlers();
        Map<String, AuthenticationHandlerInfo[]> map = authenticationHandlers.get(httpServletRequest.getScheme());
        if (map == null) {
            map = authenticationHandlers.get("");
        }
        String str = httpServletRequest.getServerName() + ((httpServletRequest.getServerPort() == 80 || httpServletRequest.getServerPort() == 443) ? "" : SlingPostConstants.RP_PREFIX + httpServletRequest.getServerPort());
        if (map != null) {
            AuthenticationHandlerInfo[] authenticationHandlerInfoArr = map.get(str);
            if (authenticationHandlerInfoArr == null) {
                authenticationHandlerInfoArr = map.get("");
            }
            if (authenticationHandlerInfoArr != null) {
                return authenticationHandlerInfoArr;
            }
        }
        return EMPTY_INFO;
    }

    /* JADX WARN: Multi-variable type inference failed */
    private Map<String, Map<String, AuthenticationHandlerInfo[]>> getAuthenticationHandlers() {
        if (this.authHandlerCache == null || this.authHandlerTrackerCount < this.authHandlerTracker.getTrackingCount()) {
            ServiceReference[] serviceReferences = this.authHandlerTracker.getServiceReferences();
            if (serviceReferences == null || serviceReferences.length == 0) {
                this.authHandlerCache = EMPTY_PROTOCOL_MAP;
            } else {
                HashMap hashMap = new HashMap();
                int i = 0;
                for (int i2 = 0; i2 < serviceReferences.length; i2++) {
                    String[] stringArray = OsgiUtil.toStringArray(serviceReferences[i2].getProperty("path"));
                    if (stringArray != null && stringArray.length > 0) {
                        AuthenticationHandler authenticationHandler = (AuthenticationHandler) this.authHandlerTracker.getService(serviceReferences[i2]);
                        for (int i3 = 0; i3 < stringArray.length; i3++) {
                            if (stringArray[i3] != null && stringArray[i3].length() > 0) {
                                String str = stringArray[i3];
                                String str2 = str;
                                String str3 = "";
                                String str4 = "";
                                if (str2.startsWith("http://") || str2.startsWith("https://")) {
                                    int indexOf = str2.indexOf("://");
                                    str4 = str2.substring(0, indexOf);
                                    str2 = str2.substring(indexOf + 1);
                                }
                                if (str2.startsWith("//")) {
                                    int indexOf2 = str2.indexOf("/", 2);
                                    int length = indexOf2 == -1 ? str2.length() : indexOf2;
                                    if (str2.length() > 2) {
                                        str3 = str2.substring(2, length);
                                        str2 = length < str2.length() ? str2.substring(length) : "/";
                                    } else {
                                        str2 = "/";
                                    }
                                }
                                AuthenticationHandlerInfo authenticationHandlerInfo = new AuthenticationHandlerInfo(str, str2, str3, str4, authenticationHandler);
                                Map map = (Map) hashMap.get(str4);
                                if (map == null) {
                                    map = new HashMap();
                                    hashMap.put(str4, map);
                                }
                                List list = (List) map.get(str3);
                                if (list == null) {
                                    list = new ArrayList();
                                    map.put(str3, list);
                                }
                                list.add(authenticationHandlerInfo);
                                i++;
                            }
                        }
                    }
                }
                if (i == 0) {
                    this.authHandlerCache = EMPTY_PROTOCOL_MAP;
                } else {
                    this.authHandlerCache = new HashMap();
                    for (Map.Entry entry : hashMap.entrySet()) {
                        Map map2 = (Map) entry.getValue();
                        Map<String, AuthenticationHandlerInfo[]> map3 = this.authHandlerCache.get(entry.getKey());
                        if (map3 == null) {
                            map3 = new HashMap();
                            this.authHandlerCache.put(entry.getKey(), map3);
                        }
                        for (Map.Entry entry2 : map2.entrySet()) {
                            List list2 = (List) entry2.getValue();
                            Collections.sort(list2, AuthenticationHandlerInfoComparator.SINGLETON);
                            map3.put(entry2.getKey(), (AuthenticationHandlerInfo[]) list2.toArray(new AuthenticationHandlerInfo[list2.size()]));
                        }
                    }
                }
            }
            this.authHandlerTrackerCount = this.authHandlerTracker.getTrackingCount();
        }
        return this.authHandlerCache;
    }

    private AuthenticationInfo getAuthenticationInfo(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String pathInfo = httpServletRequest.getPathInfo();
        if (pathInfo == null || pathInfo.length() == 0) {
            pathInfo = "/";
        }
        AuthenticationHandlerInfo[] findApplicableAuthenticationHandlers = findApplicableAuthenticationHandlers(httpServletRequest);
        for (int i = 0; i < findApplicableAuthenticationHandlers.length; i++) {
            if (pathInfo.startsWith(findApplicableAuthenticationHandlers[i].path)) {
                Object requestAttribute = RequestUtil.setRequestAttribute(httpServletRequest, "path", findApplicableAuthenticationHandlers[i].fullPath);
                try {
                    AuthenticationInfo authenticate = findApplicableAuthenticationHandlers[i].handler.authenticate(httpServletRequest, httpServletResponse);
                    if (authenticate != null) {
                        return authenticate;
                    }
                    RequestUtil.setRequestAttribute(httpServletRequest, "path", requestAttribute);
                } finally {
                    RequestUtil.setRequestAttribute(httpServletRequest, "path", requestAttribute);
                }
            }
        }
        log.debug("getCredentials: no handler could extract credentials");
        return null;
    }

    private boolean getAnonymousSession(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws MissingRepositoryException {
        if (!this.anonymousAllowed) {
            log.debug("getAnonymousSession: Anonymous access not allowed by configuration");
            login(httpServletRequest, httpServletResponse);
            return false;
        }
        try {
            setAttributes(getRepository().login(), null, httpServletRequest);
            return true;
        } catch (RepositoryException e) {
            handleLoginFailure(httpServletRequest, httpServletResponse, e);
            return false;
        }
    }

    private void handleLoginFailure(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, RepositoryException repositoryException) {
        if (repositoryException instanceof TooManySessionsException) {
            log.info("authenticate: Too many sessions for user: {}", repositoryException.getMessage());
            try {
                httpServletResponse.sendError(503, "SlingAuthenticator: Too Many Users");
                return;
            } catch (IOException e) {
                log.error("authenticate: Cannot send status 503 to client", (Throwable) e);
                return;
            }
        }
        if (repositoryException instanceof LoginException) {
            log.info("authenticate: Unable to authenticate: {}", repositoryException.getMessage());
            login(httpServletRequest, httpServletResponse);
            return;
        }
        log.error("authenticate: Unable to authenticate", (Throwable) repositoryException);
        try {
            httpServletResponse.sendError(500, "SlingAuthenticator: data access error, reason=" + repositoryException.getClass().getSimpleName());
        } catch (IOException e2) {
            log.error("authenticate: Cannot send status 500 to client", (Throwable) e2);
        }
    }

    private void setAttributes(Session session, String str, HttpServletRequest httpServletRequest) {
        httpServletRequest.setAttribute("org.osgi.service.http.authentication.remote.user", session.getUserID());
        httpServletRequest.setAttribute("org.osgi.service.http.authentication.type", str);
        httpServletRequest.setAttribute(EngineConstants.SESSION, session);
        log.debug("Session stored as request attribute: user={}, workspace={}", session.getUserID(), session.getWorkspace().getName());
    }

    private void sendCookie(HttpServletResponse httpServletResponse, String str, String str2, int i, String str3) {
        if (str3 == null || str3.length() == 0) {
            log.debug("sendCookie: Using root path ''/''");
            str3 = "/";
        }
        Cookie cookie = new Cookie(str, str2);
        cookie.setMaxAge(i);
        cookie.setPath(str3);
        httpServletResponse.addCookie(cookie);
        if (this.cacheControl) {
            httpServletResponse.addHeader("Cache-Control", "no-cache=\"Set-Cookie\"");
        }
    }

    private Session handleImpersonation(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Session session) throws LoginException, RepositoryException {
        String str = null;
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies != null) {
            for (int i = 0; str == null && i < cookies.length; i++) {
                if (this.sudoCookieName.equals(cookies[i].getName())) {
                    str = cookies[i].getValue();
                }
            }
        }
        String parameter = httpServletRequest.getParameter(this.sudoParameterName);
        if (parameter == null || parameter.length() == 0) {
            parameter = str;
        } else if ("-".equals(parameter)) {
            parameter = null;
        }
        if (parameter != null && parameter.length() > 0) {
            session = session.impersonate(new SimpleCredentials(parameter, new char[0]));
        }
        if (parameter != str) {
            if (parameter == null) {
                sendCookie(httpServletResponse, this.sudoCookieName, "", 0, httpServletRequest.getContextPath());
            } else if (str == null || !str.equals(parameter)) {
                sendCookie(httpServletResponse, this.sudoCookieName, parameter, -1, httpServletRequest.getContextPath());
            }
        }
        return session;
    }
}
