package com.day.cq.auth.impl;

import java.io.IOException;
import java.io.PrintWriter;
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.Charset;
import java.util.Arrays;
import java.util.Dictionary;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.codec.binary.Base64;
import org.apache.sling.auth.core.spi.AbstractAuthenticationHandler;
import org.apache.sling.commons.auth.spi.AuthenticationHandler;
import org.apache.sling.commons.auth.spi.AuthenticationInfo;
import org.apache.sling.commons.osgi.OsgiUtil;
import org.osgi.service.component.ComponentContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/day/cq/auth/impl/AbstractHTTPAuthHandler.class */
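/**
 * Base class for HTTP Basic authentication handlers that can fall back to a
 * browser login form.
 *
 * <p>Flow: {@link #extractCredentials} parses an {@code Authorization: Basic}
 * header if present; otherwise, when the request carries the
 * {@code sling:authRequestLogin} parameter, it sends a 401 challenge.
 * {@link #requestCredentials} is the "ask the client to log in" path: non-form
 * clients get a 401 with a {@code WWW-Authenticate} header, form-capable
 * clients (selected by User-Agent substring match) get a small HTML page whose
 * script navigates to the login page with the post-login target passed as the
 * {@code resource} query parameter.
 *
 * <p>Security notes:
 * <ul>
 *   <li>Basic credentials are only base64-encoded. This handler does nothing to
 *       enforce TLS; the deployment must.</li>
 *   <li>The charset used to decode credentials is chosen by User-Agent sniffing
 *       ({@link #getCredentialsEncoding}); a client not in the configured list is
 *       decoded as ISO-8859-1, so non-ASCII passwords from such clients may not
 *       round-trip. This is inherited behaviour, kept as is.</li>
 *   <li>Request-derived values written into the login-redirect page are escaped
 *       for the JavaScript string literal they land in (see
 *       {@link #encodeForJsString}), so they cannot break out of the literal or
 *       inject markup.</li>
 * </ul>
 *
 * <p>Configuration keys are read in {@link #configure(Dictionary)}.
 */
abstract class AbstractHTTPAuthHandler implements AuthenticationHandler {
    /** Config key: when true, never send the login form unless {@link #LOGIN_FORCED_FLAG} is set. */
    private static final String NO_LOGIN_FORM = "auth.http.nologin";
    private static final boolean DEFAULT_NO_LOGIN_FORM = false;
    /** Config key: realm used in the {@code WWW-Authenticate} challenge when the subclass supplies none. */
    protected static final String REALM = "auth.http.realm";
    protected static final String DEFAULT_REALM = "Day Communique 5";
    /** Sling request parameter that explicitly asks for a login challenge. */
    static final String REQUEST_LOGIN_PARAMETER = "sling:authRequestLogin";
    private static final String HEADER_WWW_AUTHENTICATE = "WWW-Authenticate";
    private static final String HEADER_AUTHORIZATION = "Authorization";
    private static final String AUTHENTICATION_SCHEME_BASIC = "Basic";
    private static final String DEFAULT_DEFAULT_LOGIN_PAGE = "/libs/cq/core/content/login.html";
    /** Config key: login page used when {@link #getLoginPage} returns null. */
    private static final String PROP_DEFAULT_LOGIN_PAGE = "auth.default.loginpage";
    /** Config key: User-Agent substrings that identify clients which get the HTML login form. */
    private static final String PROP_FORM_LOGIN = "auth.cred.form";
    /** Config key: User-Agent substrings that identify clients which send UTF-8 encoded Basic credentials. */
    private static final String PROP_UTF8_CREDENTIALS = "auth.cred.utf8";
    /** Request attribute that forces the login form even when {@link #NO_LOGIN_FORM} is configured. */
    static final String LOGIN_FORCED_FLAG = "cq.authhandler.dologin";
    /** Characters passed through unchanged by {@link #encodeForJsString}; everything else is \\uXXXX-escaped. */
    private static final String JS_SAFE_PUNCTUATION = "/.-_:?=%~+*,;@!()";
    private final Logger log = LoggerFactory.getLogger(getClass());
    private boolean noLoginForm;
    private String realm;
    private String defaultLoginPage;
    private String[] formSupportingUserAgents;
    private String[] utf8EncodingUserAgents;
    private static final String[] DEFAULT_FORM_LOGIN = {"Firefox", "Shiretoko", "MSIE 7", "MSIE 6"};
    private static final String[] DEFAULT_UTF8_CREDENTIALS = {"Firefox", "Shiretoko", "Chrome", "Opera", "curl", "Wget"};

    /**
     * Extracts Basic credentials from the request, or -- if the request carries
     * {@link #REQUEST_LOGIN_PARAMETER} -- sends a 401 challenge and reports that
     * authentication is in progress.
     *
     * @return the parsed credentials, {@link AuthenticationInfo#DOING_AUTH} when a
     *         challenge was sent, or {@code null} when this handler has nothing to say
     */
    public AuthenticationInfo extractCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        AuthenticationInfo info = extractAuthentication(httpServletRequest);
        if (info != null) {
            return info;
        }
        return forceAuthentication(httpServletRequest, httpServletResponse) ? AuthenticationInfo.DOING_AUTH : null;
    }

    /**
     * Asks the client to authenticate.
     *
     * <p>Order of decisions: a committed response cannot be changed (handled, nothing
     * sent); an explicit {@link #REQUEST_LOGIN_PARAMETER} that reached this point is
     * answered with 403; if the login form is disabled the request is left to the
     * next handler; non-form clients and detected login loops get a 401 challenge;
     * everything else gets the HTML redirect page to the login form.
     *
     * @return {@code true} if this handler produced a response, {@code false} to let
     *         another handler try
     * @throws IOException if writing the response fails
     */
    public boolean requestCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        if (httpServletResponse.isCommitted()) {
            this.log.error("requestAuthentication: Response is committed, cannot request authentication");
            return true;
        }
        httpServletResponse.reset();
        if (httpServletRequest.getParameter(REQUEST_LOGIN_PARAMETER) != null) {
            // The client already asked for a challenge (see forceAuthentication) and
            // still ended up here: refuse rather than loop.
            httpServletResponse.sendError(403);
            httpServletResponse.flushBuffer();
            return true;
        }
        if (!doLoginForm(httpServletRequest)) {
            this.log.debug("requestAuthentication: Not authenticating here because login form is disabled and cq.authhandler.dologin request attribute is not set");
            return false;
        }
        if (!isLoginFormClient(httpServletRequest)) {
            sendUnauthorized(httpServletRequest, httpServletResponse);
            return true;
        }

        String loginPage = getLoginPage(httpServletRequest);
        String loginPageMessage;
        if (loginPage == null) {
            loginPage = getDefaultLoginPage();
            loginPageMessage = "requestAuthentication: Using default login page ({})";
        } else {
            loginPageMessage = "requestAuthentication: Using login page: {}";
        }
        if (isLoginFormLoop(httpServletRequest, loginPage)) {
            this.log.warn("requestAuthentication: Authentication loop detected, sending 401/UNAUTHENICATED to force browser based authentication");
            this.log.warn("requestAuthentication: Authentication loop reason: Wrong login page configuration or credentials not accepted for login");
            sendUnauthorized(httpServletRequest, httpServletResponse);
            return true;
        }
        // An empty context path satisfies startsWith(""), so nothing is prepended then.
        String contextPath = httpServletRequest.getContextPath();
        if (contextPath != null && !loginPage.startsWith(contextPath)) {
            loginPage = contextPath + loginPage;
        }

        // Post-login target: an explicit "resource" parameter is only honoured when
        // Sling considers it a safe (local) redirect; otherwise fall back to "/".
        String target = httpServletRequest.getParameter("resource");
        String targetMessage;
        if (target == null) {
            target = httpServletRequest.getRequestURI();
            targetMessage = "requestAuthentication: Using current request as post-login target: {}";
        } else if (AbstractAuthenticationHandler.isRedirectValid(httpServletRequest, target)) {
            targetMessage = "requestAuthentication: Reusing post-login target from request parameter: {}";
        } else {
            target = "/";
            targetMessage = "requestAuthentication: Post-login target {} is invalid; using '/'";
        }
        if (this.log.isDebugEnabled()) {
            this.log.debug(loginPageMessage, loginPage);
            this.log.debug(targetMessage, target);
        }
        sendLoginRedirectPage(httpServletResponse, loginPage, target);
        return true;
    }

    /**
     * Writes the uncacheable HTML page whose script navigates the browser to
     * {@code loginPage?resource=target}, preserving any URL fragment client-side.
     *
     * <p>{@code loginPage} and {@code target} are embedded in a double-quoted
     * JavaScript string literal; both are passed through {@link #encodeForJsString}
     * so request-controlled data (the request URI or the {@code resource} parameter)
     * cannot terminate the literal or the script element.
     */
    private void sendLoginRedirectPage(HttpServletResponse response, String loginPage, String target) throws IOException {
        response.setContentType("text/html");
        response.setCharacterEncoding("UTF-8");
        response.setHeader("Cache-control", "no-cache");
        response.addHeader("Cache-control", "no-store");
        response.setHeader("Dispatcher", "no-cache");
        response.setHeader("Pragma", "no-cache");
        response.setHeader("Expires", "0");
        PrintWriter writer = response.getWriter();
        writer.write("<html><head><script type=\"text/javascript\">");
        writer.write("var u=\"");
        writer.write(encodeForJsString(loginPage));
        writer.write("?resource=");
        writer.write(encodeForJsString(target));
        writer.write("\"; if ( window.location.hash) {");
        writer.write("u = u + window.location.hash;");
        writer.write("} document.location = u;");
        writer.write("</script></head><body>");
        writer.write("<!-- QUICKSTART_HOMEPAGE - (string used for readyness detection, do not remove) -->");
        writer.write("</body></html>");
        response.flushBuffer();
    }

    /**
     * Encodes a value for use inside a double-quoted JavaScript string literal that
     * sits in an HTML {@code <script>} block. ASCII letters, digits and the URL
     * punctuation in {@link #JS_SAFE_PUNCTUATION} pass through; every other char is
     * emitted as a {@code \\uXXXX} escape. That removes quotes, backslashes, angle
     * brackets (and so any {@code </script>}), ampersands and line terminators from
     * the output while the JavaScript engine still sees the original characters.
     *
     * @param value the string to embed; {@code null} is treated as empty
     */
    static String encodeForJsString(String value) {
        if (value == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            boolean safe = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9')
                    || JS_SAFE_PUNCTUATION.indexOf(c) >= 0;
            if (safe) {
                out.append(c);
            } else {
                out.append(String.format("\\u%04x", (int) c));
            }
        }
        return out.toString();
    }

    /**
     * Basic authentication has no server-side session to drop, so this is a no-op.
     * Browsers keep cached Basic credentials until they see a fresh 401.
     */
    public void dropCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
    }

    /**
     * The login page configured via {@code auth.default.loginpage}, used when
     * {@link #getLoginPage} returns {@code null}.
     * (The decompiler reports this was {@code protected} in the original source;
     * kept {@code public} here to preserve the compiled interface.)
     */
    public final String getDefaultLoginPage() {
        return this.defaultLoginPage;
    }

    /** @return the login page for this request, or {@code null} to use the default */
    protected abstract String getLoginPage(HttpServletRequest httpServletRequest);

    /** @return the realm for this request's 401 challenge, or {@code null} to use the configured one */
    protected abstract String getRealm(HttpServletRequest httpServletRequest);

    /**
     * OSGi activation: reads configuration from the component properties.
     * (The decompiler reports this was {@code protected} in the original source.)
     */
    public void activate(ComponentContext componentContext) {
        configure(componentContext.getProperties());
    }

    /**
     * Reads all configuration keys, applying the class defaults for missing values.
     * (The decompiler reports this was {@code protected} in the original source.)
     */
    public void configure(Dictionary<?, ?> dictionary) {
        this.noLoginForm = OsgiUtil.toBoolean(dictionary.get(NO_LOGIN_FORM), DEFAULT_NO_LOGIN_FORM);
        this.realm = OsgiUtil.toString(dictionary.get(REALM), DEFAULT_REALM);
        this.defaultLoginPage = OsgiUtil.toString(dictionary.get(PROP_DEFAULT_LOGIN_PAGE), DEFAULT_DEFAULT_LOGIN_PAGE);
        this.formSupportingUserAgents = OsgiUtil.toStringArray(dictionary.get(PROP_FORM_LOGIN), DEFAULT_FORM_LOGIN);
        this.utf8EncodingUserAgents = OsgiUtil.toStringArray(dictionary.get(PROP_UTF8_CREDENTIALS), DEFAULT_UTF8_CREDENTIALS);
        this.log.debug("configure: realm='{}', loginPage='{}'", this.realm, this.defaultLoginPage);
    }

    /**
     * Parses an {@code Authorization: Basic <base64>} header into an
     * {@link AuthenticationInfo} of type {@code "BASIC"}.
     *
     * <p>The user name is everything before the first {@code ':'}; the password is
     * everything after it (empty if there is no colon). The password is decoded
     * straight from bytes into a {@code char[]} -- it never becomes a {@code String}
     * -- and the decoded byte buffer is zeroed before returning. The charset is
     * chosen by {@link #getCredentialsEncoding}.
     *
     * @return the credentials, or {@code null} if the header is absent, malformed or
     *         not Basic
     */
    protected AuthenticationInfo extractAuthentication(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader(HEADER_AUTHORIZATION);
        if (header == null || header.length() == 0) {
            return null;
        }
        String value = header.trim();
        int schemeEnd = value.indexOf(' ');
        if (schemeEnd <= 0) {
            return null;
        }
        if (!AUTHENTICATION_SCHEME_BASIC.equalsIgnoreCase(value.substring(0, schemeEnd))) {
            return null;
        }
        String encoded = value.substring(schemeEnd).trim();

        byte[] decoded = null;
        try {
            decoded = Base64.decodeBase64(encoded.getBytes("ISO-8859-1"));
            Charset charset = Charset.forName(getCredentialsEncoding(httpServletRequest));
            // ':' is a single byte (0x3A) in both ISO-8859-1 and UTF-8 and never occurs
            // inside a UTF-8 multi-byte sequence, so a byte scan finds the same split
            // point a character scan would.
            int colon = indexOfByte(decoded, (byte) ':');
            String user;
            char[] password;
            if (colon < 0) {
                user = new String(decoded, charset);
                password = new char[0];
            } else {
                user = new String(decoded, 0, colon, charset);
                password = decodeToChars(charset, decoded, colon + 1, decoded.length - colon - 1);
            }
            return new AuthenticationInfo("BASIC", user, password);
        } catch (UnsupportedEncodingException e) {
            this.log.error("extractAuthentication: Cannot en/decode authentication info", e);
            return null;
        } finally {
            if (decoded != null) {
                Arrays.fill(decoded, (byte) 0);
            }
        }
    }

    /** @return index of the first occurrence of {@code needle} in {@code bytes}, or -1 */
    private static int indexOfByte(byte[] bytes, byte needle) {
        for (int i = 0; i < bytes.length; i++) {
            if (bytes[i] == needle) {
                return i;
            }
        }
        return -1;
    }

    /**
     * Decodes {@code bytes[offset, offset+length)} with {@code charset} into a fresh
     * {@code char[]}, wiping the intermediate buffer so the secret does not linger in
     * an object the caller cannot clear.
     */
    private static char[] decodeToChars(Charset charset, byte[] bytes, int offset, int length) {
        CharBuffer chars = charset.decode(ByteBuffer.wrap(bytes, offset, length));
        char[] result = new char[chars.remaining()];
        chars.get(result);
        if (chars.hasArray()) {
            Arrays.fill(chars.array(), '\0');
        }
        return result;
    }

    /**
     * Sends a 401 challenge when the request explicitly asks for one via
     * {@link #REQUEST_LOGIN_PARAMETER} and the response is still open.
     *
     * @return {@code true} if the challenge was sent
     */
    private boolean forceAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (httpServletRequest.getParameter(REQUEST_LOGIN_PARAMETER) == null) {
            this.log.debug("forceAuthentication: Not forcing authentication because request parameter {} is not set", REQUEST_LOGIN_PARAMETER);
            return false;
        }
        if (httpServletResponse.isCommitted()) {
            this.log.error("forceAuthentication: Response is committed, cannot request authentication");
            return false;
        }
        return sendUnauthorized(httpServletRequest, httpServletResponse);
    }

    /**
     * Resets the response and sends {@code 401} with a
     * {@code WWW-Authenticate: Basic realm="..."} header. The realm comes from
     * {@link #getRealm} or, failing that, the configured one; quotes and backslashes
     * in it are escaped so the quoted-string stays well-formed.
     *
     * @return {@code true} if the challenge was flushed, {@code false} if the response
     *         was already committed or flushing failed
     */
    private boolean sendUnauthorized(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (httpServletResponse.isCommitted()) {
            this.log.debug("sendUnauthorized: Response committed, cannot send 401/UNAUTHORIZED");
            return false;
        }
        String effectiveRealm = getRealm(httpServletRequest);
        if (effectiveRealm == null) {
            effectiveRealm = this.realm;
        }
        httpServletResponse.reset();
        httpServletResponse.setStatus(401);
        httpServletResponse.setHeader(HEADER_WWW_AUTHENTICATE, "Basic realm=\"" + quoteRealm(effectiveRealm) + "\"");
        try {
            httpServletResponse.flushBuffer();
            return true;
        } catch (IOException e) {
            this.log.error("sendUnauthorized: Failed requesting authentication", e);
            return false;
        }
    }

    /** Escapes {@code \} and {@code "} for use inside an HTTP quoted-string. */
    private static String quoteRealm(String realm) {
        if (realm == null) {
            return "";
        }
        return realm.replace("\\", "\\\\").replace("\"", "\\\"");
    }

    /**
     * @return {@code true} unless the login form is disabled by configuration and the
     *         request does not carry {@link #LOGIN_FORCED_FLAG}
     */
    protected boolean doLoginForm(HttpServletRequest httpServletRequest) {
        boolean forced = httpServletRequest.getAttribute(LOGIN_FORCED_FLAG) != null;
        return forced || !this.noLoginForm;
    }

    /**
     * Decides, by User-Agent substring match against {@code auth.cred.form}, whether
     * the client should be sent the HTML login form instead of a 401 challenge.
     */
    protected boolean isLoginFormClient(HttpServletRequest httpServletRequest) {
        String userAgent = httpServletRequest.getHeader("User-Agent");
        if (userAgentMatch(userAgent, this.formSupportingUserAgents)) {
            this.log.debug("isLoginFormClient: Client ({}) assumed to support form based authentication", userAgent);
            return true;
        }
        this.log.debug("isLoginFormClient: Client ({}) assumed to not support form based authentication, sending 401/UNAUTHORIZED", userAgent);
        return false;
    }

    /**
     * Detects a redirect loop: the current request, or the (client-supplied and
     * therefore only advisory) {@code Referer} path, is already the login page.
     */
    private boolean isLoginFormLoop(HttpServletRequest httpServletRequest, String loginPage) {
        String contextPath = httpServletRequest.getContextPath();
        String fullLoginPage = (contextPath == null || contextPath.length() == 0) ? loginPage : contextPath.concat(loginPage);
        if (fullLoginPage.equals(httpServletRequest.getRequestURI())) {
            return true;
        }
        String referer = httpServletRequest.getHeader("Referer");
        if (referer == null) {
            return false;
        }
        try {
            return fullLoginPage.equals(new URI(referer).getPath());
        } catch (URISyntaxException e) {
            // An unparsable Referer is simply not evidence of a loop.
            return false;
        }
    }

    /**
     * Chooses the charset for decoding Basic credentials by User-Agent substring
     * match against {@code auth.cred.utf8}: UTF-8 for listed clients, ISO-8859-1 for
     * everything else. Unlisted clients that actually send UTF-8 will have non-ASCII
     * passwords mis-decoded; that is inherited behaviour.
     */
    private String getCredentialsEncoding(HttpServletRequest httpServletRequest) {
        String userAgent = httpServletRequest.getHeader("User-Agent");
        if (userAgentMatch(userAgent, this.utf8EncodingUserAgents)) {
            this.log.debug("getCredentialsEncoding: User-Agent ({}) indicates UTF-8 encoding browser, using UTF-8", userAgent);
            return "UTF-8";
        }
        this.log.debug("getCredentialsEncoding: User-Agent ({}) indicates non-UTF-8 encoding browser, using ISO-8859-1", userAgent);
        return "ISO-8859-1";
    }

    /**
     * @return {@code true} if {@code userAgent} is non-null and contains any of
     *         {@code needles} as a case-sensitive substring
     */
    private boolean userAgentMatch(String userAgent, String... needles) {
        if (userAgent == null || needles.length == 0) {
            return false;
        }
        for (String needle : needles) {
            if (userAgent.contains(needle)) {
                return true;
            }
        }
        return false;
    }
}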
