package org.apache.sling.openidauth.impl;

import com.dyuproject.openid.OpenIdUser;
import com.dyuproject.openid.RelyingParty;
import com.dyuproject.openid.manager.CookieBasedUserManager;
import java.io.IOException;
import java.security.Principal;
import java.util.Map;
import java.util.Properties;
import javax.jcr.Credentials;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.commons.osgi.OsgiUtil;
import org.apache.sling.engine.auth.AuthenticationHandler;
import org.apache.sling.engine.auth.AuthenticationInfo;
import org.apache.sling.jcr.jackrabbit.server.security.AuthenticationPlugin;
import org.apache.sling.jcr.jackrabbit.server.security.LoginModulePlugin;
import org.apache.sling.openidauth.OpenIDConstants;
import org.apache.sling.openidauth.OpenIDUserUtil;
import org.osgi.service.component.ComponentContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/sling/openidauth/impl/OpenIDAuthenticationHandler.class */
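/**
 * Sling {@link AuthenticationHandler} and Jackrabbit {@link LoginModulePlugin}
 * backed by the dyuproject OpenID {@link RelyingParty}.
 * <p>
 * The handler drives the OpenID flow on the servlet request/response pair
 * (discovery, association, verification), redirects the browser to the
 * configured login, success, failure and logout pages, and hands an
 * authenticated {@link OpenIdUser} to the repository login module as an
 * attribute of a {@link SimpleCredentials} instance keyed by this class name.
 * <p>
 * Configuration is read from the OSGi component properties in
 * {@link #activate(ComponentContext)}; the {@code DEFAULT_*} constants apply
 * when a property is absent. {@link #DEFAULT_COOKIE_SECRET_KEY} is a publicly
 * known value, so a deployment that enables {@link #PROP_USE_COOKIE} must also
 * set {@link #PROP_COOKIE_SECRET_KEY}; {@code activate} logs a warning when it
 * does not.
 * <p>
 * Redirect targets taken from request parameters are only honoured when they
 * are server-relative paths (see {@link #isLocalRedirectTarget(String)}), so
 * the login/logout endpoints cannot be used to bounce a browser to an
 * arbitrary external site.
 * <p>
 * Thread-safety: configuration fields are written once in {@code activate} and
 * only read afterwards; all per-user state lives in the servlet request and
 * session.
 */
public class OpenIDAuthenticationHandler implements AuthenticationHandler, LoginModulePlugin {
    private final Logger log = LoggerFactory.getLogger(getClass());

    // --- OSGi configuration property names and their defaults ---------------

    /** Path of the page that renders the OpenID login form. */
    public static final String PROP_LOGIN_FORM = "openid.login.form";
    public static final String DEFAULT_LOGIN_FORM = "/system/sling/openid/loginform.html";
    /** Name of the form field carrying the user's OpenID identifier. */
    public static final String PROP_LOGIN_IDENTIFIER_FORM_FIELD = "openid.login.identifier";
    public static final String DEFAULT_LOGIN_IDENTIFIER_FORM_FIELD = "openid_identifier";
    /** Whether to return to the originally requested URL after a successful login. */
    public static final String PROP_ORIGINAL_URL_ON_SUCCESS = "openid.original.url.onsuccess";
    public static final boolean DEFAULT_ORIGINAL_URL_ON_SUCCESS = true;
    /** Page shown after successful authentication when not returning to the original URL. */
    public static final String PROP_AUTH_SUCCESS_URL = "openid.login.success";
    public static final String DEFAULT_AUTH_SUCCESS_URL = "/system/sling/openid/authsuccess.html";
    /** Page shown when OpenID authentication fails; empty disables the redirect. */
    public static final String PROP_AUTH_FAIL_URL = "openid.login.fail";
    public static final String DEFAULT_AUTH_FAIL_URL = "/system/sling/openid/authfail.html";
    /** Page shown after logout when the request carries no (local) redirect target. */
    public static final String PROP_LOGOUT_URL = "openid.logout";
    public static final String DEFAULT_LOGOUT_URL = "/system/sling/openid/logout.html";
    /**
     * Scheme and host under which the server is reachable from the OpenID
     * provider when it differs from what the request reports (reverse proxies).
     */
    public static final String PROP_EXTERNAL_URL_PREFIX = "openid.external.url.prefix";
    public static final String DEFAULT_EXTERNAL_URL_PREFIX = "http://my.external.sling.com";
    /** Not read by this class; kept for configuration compatibility. */
    public static final String PROP_OPENID_USERS_PASSWORD = "openid.users.password";
    public static final String DEFAULT_OPENID_USERS_PASSWORD = "changeme";
    /** Whether the login/fail/logout pages may be served without authentication. */
    public static final String PROP_ANONYMOUS_AUTH_RESOURCES = "openid.anon.auth.resources";
    public static final boolean DEFAULT_ANONYMOUS_AUTH_RESOURCES = true;
    /** Whether to keep the OpenID user in a cookie instead of the session. */
    public static final String PROP_USE_COOKIE = "openid.use.cookie";
    public static final boolean DEFAULT_USE_COOKIE = false;
    public static final String PROP_COOKIE_DOMAIN = "openid.cookie.domain";
    public static final String DEFAULT_COOKIE_DOMAIN = ".sling.com";
    public static final String PROP_COOKIE_NAME = "openid.cookie.name";
    public static final String DEFAULT_COOKIE_NAME = "sling.openid";
    public static final String PROP_COOKIE_PATH = "openid.cookie.path";
    public static final String DEFAULT_COOKIE_PATH = "/";
    /**
     * Secret handed to the cookie-based user manager. The default is public
     * knowledge and must be overridden whenever cookie mode is enabled.
     */
    public static final String PROP_COOKIE_SECRET_KEY = "openid.cookie.secret.key";
    public static final String DEFAULT_COOKIE_SECRET_KEY = "secret";
    static final String SLASH = "/";

    /** Request attribute under which the authenticated OpenID user is published. */
    private static final String OPENID_USER_ATTRIBUTE = "openid_user";

    // --- configuration, written once in activate() --------------------------

    private ComponentContext context;
    private String loginForm;
    private String authSuccessUrl;
    private String authFailUrl;
    private String logoutUrl;
    private boolean accessAuthPageAnon;
    private boolean redirectToOriginalUrl;
    private String externalUrlPrefix;
    private boolean useCookie;
    private String cookieDomain;
    private String cookieName;
    private String cookiePath;
    private String identifierParam;
    private RelyingParty relyingParty;

    public OpenIDAuthenticationHandler() {
        this.log.info("OpenIDAuthenticationHandler created");
    }

    /**
     * Extracts authentication information from the request.
     *
     * @return the result of {@link #extractAuthentication}; {@code null} when
     *         this handler has nothing to say about the request
     */
    public AuthenticationInfo authenticate(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        return extractAuthentication(httpServletRequest, httpServletResponse);
    }

    /**
     * Starts an interactive login by redirecting to the login form.
     * <p>
     * The URL (path plus query string) the user originally asked for is
     * remembered in the session so a later successful login can return to it.
     * If the request already carries an authenticated OpenID user the failure
     * reason is recorded as {@code REPOSITORY}, i.e. OpenID succeeded but the
     * repository did not accept the user.
     *
     * @return always {@code true}; when the response is already committed
     *         nothing can be sent and the condition is only logged
     * @throws IOException if the redirect cannot be written
     */
    public boolean requestAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        if (httpServletResponse.isCommitted()) {
            this.log.error("requestAuthentication: Response is committed, cannot request authentication");
            return true;
        }
        OpenIdUser openIdUser = (OpenIdUser) httpServletRequest.getAttribute(OPENID_USER_ATTRIBUTE);
        if (openIdUser != null && openIdUser.isAuthenticated()) {
            httpServletRequest.getSession().setAttribute(OpenIDConstants.OPENID_FAILURE_REASON_ATTRIBUTE, OpenIDConstants.OpenIDFailure.REPOSITORY);
        }
        this.relyingParty.invalidate(httpServletRequest, httpServletResponse);
        if (httpServletRequest.getSession().getAttribute(OpenIDConstants.ORIGINAL_URL_ATTRIBUTE) == null) {
            String queryString = httpServletRequest.getQueryString();
            String originalUrl = httpServletRequest.getRequestURI() + (queryString != null ? "?" + queryString : "");
            // never record the login form itself as the place to return to
            if (!originalUrl.equals(this.loginForm)) {
                httpServletRequest.getSession().setAttribute(OpenIDConstants.ORIGINAL_URL_ATTRIBUTE, originalUrl);
            }
        }
        httpServletResponse.sendRedirect(this.loginForm);
        return true;
    }

    /**
     * Records the failure reason in the session and redirects to the failure page.
     *
     * @return {@code DOING_AUTH} after redirecting, or {@code null} when no
     *         failure page is configured and the caller should fall through
     * @throws IOException if the redirect cannot be written
     */
    protected AuthenticationInfo handleAuthFailure(OpenIDConstants.OpenIDFailure openIDFailure, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        httpServletRequest.getSession().setAttribute(OpenIDConstants.OPENID_FAILURE_REASON_ATTRIBUTE, openIDFailure);
        if (this.authFailUrl == null || "".equals(this.authFailUrl)) {
            return null;
        }
        httpServletResponse.sendRedirect(this.authFailUrl);
        return AuthenticationInfo.DOING_AUTH;
    }

    /**
     * Redirects after logout.
     * <p>
     * A redirect target supplied in the {@code REDIRECT_URL_PARAMETER} request
     * parameter is honoured only if it is a server-relative path; anything else
     * (absolute URLs, scheme-relative {@code //host} forms) is ignored in favour
     * of the configured logout page, falling back to {@code /}.
     *
     * @return always {@code DOING_AUTH}
     * @throws IOException if the redirect cannot be written
     */
    protected AuthenticationInfo handleLogout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        String requested = httpServletRequest.getParameter(OpenIDConstants.REDIRECT_URL_PARAMETER);
        String target;
        if (requested != null && isLocalRedirectTarget(requested)) {
            target = requested;
        } else {
            if (requested != null) {
                // user-supplied value; deliberately not echoed into the log
                this.log.warn("handleLogout: ignoring redirect target that is not a local path");
            }
            target = this.logoutUrl;
        }
        if (target == null) {
            target = SLASH;
        }
        httpServletResponse.sendRedirect(target);
        return AuthenticationInfo.DOING_AUTH;
    }

    /**
     * Tells whether a redirect target supplied by the client may be used.
     * <p>
     * Only server-relative paths are accepted: the value must start with a
     * single {@code /} (so {@code //host} and {@code /\host}, which browsers
     * treat as scheme-relative, are rejected) and must contain no control
     * characters.
     *
     * @param target the candidate redirect target, may be {@code null}
     * @return {@code true} if the target stays on this server
     */
    static boolean isLocalRedirectTarget(String target) {
        if (target == null || target.length() == 0 || target.charAt(0) != '/') {
            return false;
        }
        if (target.length() > 1 && (target.charAt(1) == '/' || target.charAt(1) == '\\')) {
            return false;
        }
        for (int i = 0; i < target.length(); i++) {
            if (target.charAt(i) < ' ') {
                return false;
            }
        }
        return true;
    }

    /**
     * Reads the component configuration and creates the relying party.
     * <p>
     * Cookie-mode settings are only passed to dyuproject when
     * {@link #PROP_USE_COOKIE} is set; in that case a warning is logged if the
     * cookie secret is still the default.
     */
    protected void activate(ComponentContext componentContext) {
        this.context = componentContext;
        this.loginForm = stringProperty(PROP_LOGIN_FORM, DEFAULT_LOGIN_FORM);
        this.authSuccessUrl = stringProperty(PROP_AUTH_SUCCESS_URL, DEFAULT_AUTH_SUCCESS_URL);
        this.authFailUrl = stringProperty(PROP_AUTH_FAIL_URL, DEFAULT_AUTH_FAIL_URL);
        this.logoutUrl = stringProperty(PROP_LOGOUT_URL, DEFAULT_LOGOUT_URL);
        this.redirectToOriginalUrl = booleanProperty(PROP_ORIGINAL_URL_ON_SUCCESS, DEFAULT_ORIGINAL_URL_ON_SUCCESS);
        this.accessAuthPageAnon = booleanProperty(PROP_ANONYMOUS_AUTH_RESOURCES, DEFAULT_ANONYMOUS_AUTH_RESOURCES);
        this.externalUrlPrefix = stringProperty(PROP_EXTERNAL_URL_PREFIX, DEFAULT_EXTERNAL_URL_PREFIX);
        this.useCookie = booleanProperty(PROP_USE_COOKIE, DEFAULT_USE_COOKIE);
        this.cookieDomain = stringProperty(PROP_COOKIE_DOMAIN, DEFAULT_COOKIE_DOMAIN);
        this.cookieName = stringProperty(PROP_COOKIE_NAME, DEFAULT_COOKIE_NAME);
        this.cookiePath = stringProperty(PROP_COOKIE_PATH, DEFAULT_COOKIE_PATH);
        this.identifierParam = stringProperty(PROP_LOGIN_IDENTIFIER_FORM_FIELD, DEFAULT_LOGIN_IDENTIFIER_FORM_FIELD);
        String cookieSecretKey = stringProperty(PROP_COOKIE_SECRET_KEY, DEFAULT_COOKIE_SECRET_KEY);

        // property keys below are the ones dyuproject's RelyingParty reads
        Properties properties = new Properties();
        properties.setProperty("openid.identifier.parameter", this.identifierParam);
        if (this.useCookie) {
            if (DEFAULT_COOKIE_SECRET_KEY.equals(cookieSecretKey)) {
                this.log.warn("activate: cookie-based user manager enabled with the default value of {}; configure a deployment-specific secret", PROP_COOKIE_SECRET_KEY);
            }
            properties.setProperty("openid.user.manager", CookieBasedUserManager.class.getName());
            properties.setProperty("openid.user.manager.cookie.name", this.cookieName);
            properties.setProperty("openid.user.manager.cookie.path", this.cookiePath);
            properties.setProperty("openid.user.manager.cookie.domain", this.cookieDomain);
            properties.setProperty("openid.user.manager.cookie.security.secret_key", cookieSecretKey);
        }
        this.relyingParty = RelyingParty.newInstance(properties);
    }

    /** Reads a string component property, falling back to {@code defaultValue}. */
    private String stringProperty(String key, String defaultValue) {
        return OsgiUtil.toString(this.context.getProperties().get(key), defaultValue);
    }

    /** Reads a boolean component property, falling back to {@code defaultValue}. */
    private boolean booleanProperty(String key, boolean defaultValue) {
        return OsgiUtil.toBoolean(this.context.getProperties().get(key), defaultValue);
    }

    /**
     * Runs one step of the OpenID flow for the current request.
     * <p>
     * In order: handles a provider response whose local state has expired,
     * the logout path, the login/fail/logout pages (which may be served
     * anonymously), then the three OpenID user states &mdash; authenticated
     * (credentials are produced), associated (the provider's response is
     * verified) and freshly discovered (association is started and the
     * browser is sent to the provider).
     *
     * @return {@code DOING_AUTH} while a redirect is in flight, credentials for
     *         an authenticated user, anonymous credentials for the auth pages,
     *         or {@code null} when this handler does not decide the request.
     *         Any exception is logged and mapped to {@code null}.
     */
    protected AuthenticationInfo extractAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        try {
            OpenIdUser user = this.relyingParty.discover(httpServletRequest);
            if (user == null && RelyingParty.isAuthResponse(httpServletRequest)) {
                // the provider answered but our side of the exchange is gone;
                // reload the page so the user can start over
                this.log.debug("OpenID authentication timeout");
                httpServletResponse.sendRedirect(httpServletRequest.getRequestURI());
                return AuthenticationInfo.DOING_AUTH;
            }

            String pathInfo = httpServletRequest.getPathInfo();
            if (pathInfo != null) {
                if (OpenIDConstants.LOGOUT_REQUEST_PATH.equals(pathInfo)) {
                    this.relyingParty.invalidate(httpServletRequest, httpServletResponse);
                    return handleLogout(httpServletRequest, httpServletResponse);
                }
                AuthenticationInfo anonymousPage = handleAuthPageRequest(pathInfo, httpServletRequest);
                if (anonymousPage != null) {
                    return anonymousPage;
                }
            }

            if (user == null) {
                return null;
            }
            if (user.isAuthenticated()) {
                httpServletRequest.setAttribute(OPENID_USER_ATTRIBUTE, user);
                return getAuthInfoFromUser(user);
            }
            if (user.isAssociated()) {
                if (!RelyingParty.isAuthResponse(httpServletRequest)) {
                    // associated but no provider response on this request: restart
                    this.relyingParty.invalidate(httpServletRequest, httpServletResponse);
                    return handleAuthFailure(OpenIDConstants.OpenIDFailure.AUTHENTICATION, httpServletRequest, httpServletResponse);
                }
                if (this.relyingParty.verifyAuth(user, httpServletRequest, httpServletResponse)) {
                    // verified: reload without the provider's response parameters
                    httpServletResponse.sendRedirect(httpServletRequest.getRequestURI());
                    return AuthenticationInfo.DOING_AUTH;
                }
                return handleAuthFailure(OpenIDConstants.OpenIDFailure.VERIFICATION, httpServletRequest, httpServletResponse);
            }

            // discovered but not yet associated: compute the URLs the provider
            // will see. Behind a proxy the externally visible prefix replaces
            // what the container reports. Argument order follows dyuproject's
            // associateAndAuthenticate(user, request, response, trustRoot,
            // realm, returnTo) -- confirm against the RelyingParty version in use.
            StringBuffer requestUrl;
            String trustRoot;
            if (this.externalUrlPrefix == null || "".equals(this.externalUrlPrefix.trim())) {
                requestUrl = httpServletRequest.getRequestURL();
                trustRoot = schemeAndAuthority(requestUrl);
            } else {
                requestUrl = new StringBuffer(this.externalUrlPrefix).append(httpServletRequest.getRequestURI());
                trustRoot = this.externalUrlPrefix;
            }
            String realm = requestUrl.substring(0, requestUrl.lastIndexOf(SLASH));
            String returnTo;
            if (this.redirectToOriginalUrl) {
                returnTo = requestUrl.toString();
            } else {
                httpServletRequest.setAttribute(OpenIDConstants.ORIGINAL_URL_ATTRIBUTE, httpServletRequest.getRequestURI());
                returnTo = this.authSuccessUrl;
            }
            if (this.relyingParty.associateAndAuthenticate(user, httpServletRequest, httpServletResponse, trustRoot, realm, returnTo)) {
                return AuthenticationInfo.DOING_AUTH;
            }
            return handleAuthFailure(OpenIDConstants.OpenIDFailure.ASSOCIATION, httpServletRequest, httpServletResponse);
        } catch (Exception e) {
            // boundary catch: dyuproject and the servlet API surface several
            // exception types; none of them must break request processing
            this.log.error("Error processing OpenID request", e);
            return null;
        }
    }

    /**
     * Handles requests for the login form, the failure page and the logout page.
     * <p>
     * For the login form a (local) {@code REDIRECT_URL_PARAMETER} becomes the
     * URL to return to after login. For the login form and the failure page
     * the failure reason and original URL are moved from the session into the
     * request so the page can render them.
     *
     * @return anonymous credentials when the auth pages may be served without
     *         authentication, otherwise {@code null} (also when {@code pathInfo}
     *         is none of the three pages) so the caller continues the flow
     */
    private AuthenticationInfo handleAuthPageRequest(String pathInfo, HttpServletRequest httpServletRequest) {
        boolean isLoginForm = this.loginForm.equals(pathInfo);
        boolean isFailPage = this.authFailUrl.equals(pathInfo);
        if (!isLoginForm && !isFailPage && !this.logoutUrl.equals(pathInfo)) {
            return null;
        }
        if (isLoginForm) {
            String redirectUrl = httpServletRequest.getParameter(OpenIDConstants.REDIRECT_URL_PARAMETER);
            if (redirectUrl != null) {
                if (isLocalRedirectTarget(redirectUrl)) {
                    httpServletRequest.getSession().setAttribute(OpenIDConstants.ORIGINAL_URL_ATTRIBUTE, redirectUrl);
                } else {
                    this.log.warn("extractAuthentication: ignoring redirect target that is not a local path");
                }
            }
        }
        if (isLoginForm || isFailPage) {
            moveAttributeFromSessionToRequest(OpenIDConstants.OPENID_FAILURE_REASON_ATTRIBUTE, OpenIDConstants.OpenIDFailure.class, httpServletRequest);
            moveAttributeFromSessionToRequest(OpenIDConstants.ORIGINAL_URL_ATTRIBUTE, String.class, httpServletRequest);
        }
        if (this.accessAuthPageAnon) {
            return new AuthenticationInfo(OpenIDConstants.OPEN_ID_AUTH_TYPE, (Credentials) null);
        }
        return null;
    }

    /**
     * Returns the scheme and authority of an absolute URL, e.g.
     * {@code https://host:8080} for {@code https://host:8080/a/b}.
     * <p>
     * Replaces a hard-coded search offset: the path start is the first slash
     * after {@code ://}. If the URL has no path the whole URL is returned.
     */
    static String schemeAndAuthority(CharSequence url) {
        String s = url.toString();
        int schemeEnd = s.indexOf("://");
        int pathStart = s.indexOf('/', schemeEnd < 0 ? 0 : schemeEnd + 3);
        return pathStart < 0 ? s : s.substring(0, pathStart);
    }

    /**
     * Removes and returns a session attribute.
     * <p>
     * {@code cls} is not used for checking; the cast is unchecked and the
     * caller gets whatever object the session holds under {@code str}.
     */
    @SuppressWarnings("unchecked")
    private <T> T removeAttributeFromSession(String str, Class<T> cls, HttpServletRequest httpServletRequest) {
        T value = (T) httpServletRequest.getSession().getAttribute(str);
        httpServletRequest.getSession().removeAttribute(str);
        return value;
    }

    /**
     * Moves an attribute from the session to the request under the same name
     * and returns it ({@code null} when the session had none).
     */
    private <T> T moveAttributeFromSessionToRequest(String str, Class<T> cls, HttpServletRequest httpServletRequest) {
        T value = removeAttributeFromSession(str, cls, httpServletRequest);
        httpServletRequest.setAttribute(str, value);
        return value;
    }

    /**
     * Wraps an authenticated OpenID user into credentials for the repository.
     * <p>
     * The user id is derived from the OpenID identity; the password is empty
     * because the repository side authenticates through
     * {@link #getAuthentication(Principal, Credentials)}, which finds the user
     * object in the credentials attribute keyed by this class name.
     */
    private AuthenticationInfo getAuthInfoFromUser(OpenIdUser openIdUser) {
        SimpleCredentials simpleCredentials = new SimpleCredentials(OpenIDUserUtil.getPrincipalName(openIdUser.getIdentity()), new char[0]);
        simpleCredentials.setAttribute(getClass().getName(), openIdUser);
        return new AuthenticationInfo(OpenIDConstants.OPEN_ID_AUTH_TYPE, simpleCredentials);
    }

    /**
     * Extracts the OpenID user this handler stored in the credentials.
     *
     * @return the user, or {@code null} if the credentials are not
     *         {@link SimpleCredentials}, carry no attribute under this class
     *         name, or the attribute is not an {@link OpenIdUser}
     */
    private OpenIdUser openIdUserFrom(Credentials credentials) {
        if (!(credentials instanceof SimpleCredentials)) {
            return null;
        }
        Object attribute = ((SimpleCredentials) credentials).getAttribute(getClass().getName());
        return attribute instanceof OpenIdUser ? (OpenIdUser) attribute : null;
    }

    /**
     * This plugin handles credentials that carry an associated OpenID user.
     */
    public boolean canHandle(Credentials credentials) {
        OpenIdUser user = openIdUserFrom(credentials);
        return user != null && user.isAssociated();
    }

    /** No initialisation is needed; all state is carried in the credentials. */
    public void doInit(CallbackHandler callbackHandler, Session session, Map map) throws LoginException {
    }

    /**
     * Returns the repository-side authentication plugin for the principal.
     */
    public AuthenticationPlugin getAuthentication(Principal principal, Credentials credentials) throws RepositoryException {
        return new OpenIDAuthenticationPlugin(principal);
    }

    /**
     * Builds the principal for credentials produced by this handler.
     *
     * @return an {@link OpenIDPrincipal} for the embedded OpenID user, or
     *         {@code null} if the credentials did not come from this handler
     */
    public Principal getPrincipal(Credentials credentials) {
        OpenIdUser user = openIdUserFrom(credentials);
        return user == null ? null : new OpenIDPrincipal(user);
    }

    /**
     * Impersonation is not supported by this plugin; always returns 0, which is
     * presumably the interface's "not handled" result -- confirm against the
     * {@link LoginModulePlugin} constants in use.
     */
    public int impersonate(Principal principal, Credentials credentials) throws RepositoryException, FailedLoginException {
        return 0;
    }
}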
