package com.adobe.granite.auth.oauth.impl;

import com.adobe.granite.auth.oauth.HandlerRedirect;
import com.adobe.granite.auth.oauth.OAuthManager;
import com.adobe.granite.auth.oauth.Provider;
import com.adobe.granite.auth.oauth.impl.helper.OAuthHelper;
import com.adobe.granite.auth.oauth.impl.helper.OAuthUser;
import com.adobe.granite.auth.oauth.impl.helper.ProviderConfigManager;
import com.adobe.granite.auth.oauth.impl.helper.RequestHelper;
import com.adobe.granite.crypto.CryptoSupport;
import com.adobe.granite.security.user.UserProperties;
import com.adobe.granite.security.user.UserPropertiesManager;
import java.io.IOException;
import java.io.InputStream;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import javax.jcr.Session;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.HttpException;
import org.apache.commons.httpclient.MultiThreadedHttpConnectionManager;
import org.apache.commons.httpclient.methods.GetMethod;
import org.apache.commons.io.IOUtils;
import org.apache.felix.scr.annotations.Activate;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.ConfigurationPolicy;
import org.apache.felix.scr.annotations.Deactivate;
import org.apache.felix.scr.annotations.Properties;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.PropertyUnbounded;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.ReferenceCardinality;
import org.apache.felix.scr.annotations.ReferencePolicy;
import org.apache.felix.scr.annotations.Service;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.commons.osgi.OsgiUtil;
import org.apache.sling.jcr.api.SlingRepository;
import org.apache.sling.settings.SlingSettingsService;
import org.osgi.framework.BundleContext;
import org.scribe.model.Token;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

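/**
 * Sling {@link AuthenticationHandler} for OAuth bearer tokens (decompiled source).
 *
 * <p>The helpers visible here read a bearer token from the {@code Authorization} header or from a
 * configured POST request parameter, validate it against the provider's validate-token URL once per
 * allowed client id, and look up the matching repository user and its profile properties.
 *
 * <p>The body of {@link #extractCredentials} was not recovered by the decompiler, so how these
 * helpers are combined into an authentication decision cannot be confirmed from this file.
 *
 * <p>Security-relevant points for reviewers:
 * <ul>
 *   <li>Tokens are only accepted for client ids listed in {@code oauth.clientIds.allowed}; an empty
 *       list means no token can be validated (fail closed).</li>
 *   <li>The validate-token URL is built from the client id and the token, so it must be treated as
 *       a secret and kept out of logs.</li>
 *   <li>The outbound {@link HttpClient} is created with library defaults: no connect/socket
 *       timeouts or TLS settings are configured in this class. NOTE(review): confirm these are
 *       acceptable for a call made on the request-authentication path.</li>
 * </ul>
 */
@Service
@Component(metatype = true, policy = ConfigurationPolicy.REQUIRE, label = "%auth.bearer.name", description = "%auth.bearer.description")
@Properties({@Property(name = "service.ranking", intValue = {100000}), @Property(name = "path", value = {"/"}), @Property(name = BearerAuthenticationHandler.ALLOWED_CLIENT_IDS, unbounded = PropertyUnbounded.ARRAY)})
/* loaded from: input_file:com/adobe/granite/auth/oauth/impl/BearerAuthenticationHandler.class */
public class BearerAuthenticationHandler implements AuthenticationHandler {
    private final Logger log = LoggerFactory.getLogger(getClass());

    /** OSGi property: client ids whose tokens this handler accepts. */
    protected static final String ALLOWED_CLIENT_IDS = "oauth.clientIds.allowed";

    /** OSGi property: name of the POST request parameter that may carry the token. */
    private static final String TOKEN_REQUEST_PARAMETER_NAME = "auth.tokenRequestParameter";
    private static final String REDIRECT_KEY = "redirect";
    private static final boolean DEFAULT_SYNC_USER_PROFILE_WITH_IMS = true;

    @Property(boolValue = {true})
    private static final String SYNC_USER_PROFILE_WITH_IMS = "auth.bearer.sync.ims";

    /** Token type passed to {@link Provider#isValidToken} when checking a validation response. */
    private static final String ACCESS_TOKEN_TYPE = "access_token";

    /** Default for {@link #TOKEN_REQUEST_PARAMETER_NAME}: empty, i.e. parameter lookup disabled. */
    @Property(name = TOKEN_REQUEST_PARAMETER_NAME)
    private static final String TOKEN_REQUEST_PARAMETER_DEFAULT = "";

    @Property({RequestHelper.PARAM_CONFIG_ID})
    protected static final String CONFIGID_PARAMETER_NAME = "oauth.bearer.configid";

    @Reference
    private SlingRepository repository;

    @Reference
    private SlingSettingsService settings;

    @Reference
    private ProviderConfigManager providerConfigManager;

    @Reference
    private OAuthManager oauthManager;

    @Reference
    private ResourceResolverFactory resolverFactory;

    @Reference
    private CryptoSupport cryptoSupport;

    @Reference(policy = ReferencePolicy.DYNAMIC, cardinality = ReferenceCardinality.OPTIONAL_UNARY)
    private HandlerRedirect handlerRedirect;
    private String repositoryId;
    private String requestParameterName;
    private String[] allowedClientIds;
    private MultiThreadedHttpConnectionManager connectionManager;
    private HttpClient httpClient;
    private boolean syncWithIms;
    private String configIdParameterName;

    /**
     * Extracts credentials from the request.
     *
     * <p>NOTE(review): the decompiler (JADX) failed to restructure this method ("missing block:
     * B:21:0x009a", 482 instructions skipped), so the real logic is absent from this listing and the
     * stub below only throws. Review the original bytecode before drawing conclusions about the
     * authentication flow.
     *
     * @throws UnsupportedOperationException always, in this decompiled form
     */
    @Override
    public org.apache.sling.auth.core.spi.AuthenticationInfo extractCredentials(javax.servlet.http.HttpServletRequest r9, javax.servlet.http.HttpServletResponse r10) {
        /*
            Method dump skipped, instructions count: 482
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: com.adobe.granite.auth.oauth.impl.BearerAuthenticationHandler.extractCredentials(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse):org.apache.sling.auth.core.spi.AuthenticationInfo");
    }

    /**
     * Validates a token against the provider once per allowed client id and returns the user id
     * from the first successful validation.
     *
     * @param httpServletRequest the current request (not used by this method)
     * @param token the token to validate (presumably the bearer token taken from the request)
     * @param oAuthHelper helper for the provider configuration; only checked for {@code null} here
     * @param provider the OAuth provider that builds the validation URL and parses the response
     * @return the user id reported by the provider, or {@code null} if the configuration is
     *     incomplete or no allowed client id yields a valid token
     */
    private String validateTokenAndGetUserId(HttpServletRequest httpServletRequest, String token, OAuthHelper oAuthHelper, Provider provider) {
        if (provider == null || oAuthHelper == null) {
            this.log.error("createCredentials: invalid config: helper is {} provider is {} ", oAuthHelper, provider);
            return null;
        }
        for (String clientId : this.allowedClientIds) {
            String validateTokenUrl = provider.getValidateTokenUrl(clientId, token);
            // The URL is derived from the token and is requested with a plain GET, so it is
            // treated as a secret: log the client id only, never the URL itself.
            this.log.debug("createCredentials: obtained validate token url for client id {}", clientId);
            if (validateTokenUrl == null || "".equals(validateTokenUrl)) {
                this.log.error("createCredentials: validate token url for provider {} is null", provider);
                continue;
            }
            String userId = validateTokenAndGetUserId(provider, validateTokenUrl, clientId);
            if (userId != null) {
                return userId;
            }
            this.log.debug("createCredentials: invalid token, no valid user found");
        }
        return null;
    }

    /**
     * Calls the validate-token URL and, if the provider accepts the response for the given client
     * id, returns the user id contained in it.
     *
     * @param provider the OAuth provider used to interpret the response body
     * @param validateTokenUrl the URL to request; must not be logged (see caller)
     * @param clientId the client id the token must be valid for
     * @return the user id, or {@code null} on a non-200 status, a missing body, an invalid token
     *     or an I/O failure
     */
    private String validateTokenAndGetUserId(Provider provider, String validateTokenUrl, String clientId) {
        GetMethod getMethod = new GetMethod(validateTokenUrl);
        InputStream responseStream = null;
        try {
            int status = this.httpClient.executeMethod(getMethod);
            responseStream = getMethod.getResponseBodyAsStream();
            if (responseStream == null) {
                // No body to inspect: fail closed instead of hitting a NullPointerException below.
                this.log.debug("validateTokenAndGetUserId: validation url returned no response body, status {}", status);
                return null;
            }
            // NOTE(review): decodes with the platform default charset; confirm the encoding the
            // provider uses for its validation response.
            String responseBody = IOUtils.toString(responseStream);
            if (status != 200) {
                this.log.debug("validateTokenAndGetUserId: bad request to validation url, failed with error {}", provider.getErrorDescriptionFromValidateTokenResponseBody(responseBody));
                return null;
            }
            if (!provider.isValidToken(responseBody, clientId, ACCESS_TOKEN_TYPE)) {
                this.log.debug("validateTokenAndGetUserId: the provided token is invalid");
                return null;
            }
            return provider.getUserIdFromValidateTokenResponseBody(responseBody);
        } catch (IOException e) {
            // HttpException is a subclass of IOException, so protocol errors end up here as well.
            this.log.error("validateTokenAndGetUserId: Failed to connect to validate token url", e);
            return null;
        } finally {
            // Close the stream that was actually opened, then hand the connection back to the pool.
            IOUtils.closeQuietly(responseStream);
            getMethod.releaseConnection();
        }
    }

    /**
     * Never requests credentials from the client.
     *
     * @return always {@code false}
     */
    @Override
    public boolean requestCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        return false;
    }

    /** Does nothing: this handler keeps no per-client credential state to drop. */
    @Override
    public void dropCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
    }

    /**
     * Reads the OSGi configuration and creates the HTTP client used for token validation.
     *
     * @param bundleContext the bundle context (not used)
     * @param map the component configuration
     */
    @Activate
    private void activate(BundleContext bundleContext, Map<String, Object> map) {
        this.repositoryId = RequestHelper.getRepositoryId(this.repository, this.settings);
        this.log.info("activate: Supporting tokens bound to Repository (Cluster) {}", this.repositoryId);
        this.requestParameterName = OsgiUtil.toString(map.get(TOKEN_REQUEST_PARAMETER_NAME), TOKEN_REQUEST_PARAMETER_DEFAULT);
        // An absent or empty list leaves no client id to validate against, so every token is rejected.
        this.allowedClientIds = OsgiUtil.toStringArray(map.get(ALLOWED_CLIENT_IDS), new String[0]);
        this.syncWithIms = OsgiUtil.toBoolean(map.get(SYNC_USER_PROFILE_WITH_IMS), DEFAULT_SYNC_USER_PROFILE_WITH_IMS);
        this.configIdParameterName = OsgiUtil.toString(map.get(CONFIGID_PARAMETER_NAME), RequestHelper.PARAM_CONFIG_ID);
        // NOTE(review): created with library defaults; no timeouts are set on the connection manager.
        this.connectionManager = new MultiThreadedHttpConnectionManager();
        this.httpClient = new HttpClient(this.connectionManager);
    }

    /** Shuts down the pooled HTTP connections created in {@link #activate}. */
    @Deactivate
    private void deactivate() {
        if (this.connectionManager != null) {
            // Without this the pooled connections outlive the component.
            this.connectionManager.shutdown();
        }
        this.connectionManager = null;
        this.httpClient = null;
    }

    /**
     * Returns the bearer token carried by the request, if any.
     *
     * <p>The {@code Authorization: Bearer <token>} header is checked first. If it yields no token
     * and the request is a POST, the configured request parameter is consulted.
     *
     * @param httpServletRequest the current request
     * @return the token, or {@code null} if none was found
     */
    private String getBearerAccessToken(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader("Authorization");
        if (header != null) {
            // Trim once and split on runs of whitespace so that the value that passed the
            // scheme check is the same value that gets parsed.
            String trimmedHeader = header.trim();
            if (trimmedHeader.startsWith("Bearer")) {
                String[] parts = trimmedHeader.split("\\s+");
                if (parts.length == 2 && "Bearer".equals(parts[0])) {
                    this.log.debug("getAccessToken: Found access token");
                    return parts[1];
                }
                this.log.debug("getAccessToken: Wrong Authorization header format; ignoring");
            } else {
                this.log.debug("getAccessToken: Authorization scheme is not bearer; ignoring");
            }
        }
        if (!"POST".equals(httpServletRequest.getMethod())) {
            this.log.debug("getAccessToken: the request parameter is limited to POST operation; ignoring");
            return null;
        }
        // NOTE(review): getParameter() also returns query-string parameters, so on a POST the token
        // may arrive in the URL, where access logs and proxies can record it. Confirm that is intended.
        String parameter = this.requestParameterName.length() > 0 ? httpServletRequest.getParameter(this.requestParameterName) : null;
        if (parameter == null) {
            this.log.debug("getAccessToken: No Authorization header in the request and no request parameter specified; ignoring");
            return null;
        }
        this.log.debug("getAccessToken: Found access token");
        return parameter;
    }

    /** Marks the request as failed by setting the {@code j_reason} request attribute. */
    private void setupAuthenticationFailure(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        dropCredentials(httpServletRequest, httpServletResponse);
        httpServletRequest.setAttribute("j_reason", "Authentication Failed");
    }

    /**
     * Looks up the repository user for an OAuth user id and returns it together with the user's
     * {@code profile} properties, each keyed as {@code profile/<name>}.
     *
     * <p>With strict username matching enabled, the profile of the first non-group user found for
     * the OAuth id is collected and passed to {@code getCRXUserByMappedId}; otherwise the user is
     * resolved directly with {@code getCRXUserByOAuthId}.
     *
     * @param session a session that must be a {@link JackrabbitSession}
     * @param oAuthHelper helper giving access to the provider configuration and user lookups
     * @param provider the OAuth provider
     * @param oauthUserId the OAuth user id to resolve
     * @return the user with its profile properties, or {@code null} if no user was found or the
     *     lookup failed (failures are logged, not rethrown)
     */
    @SuppressWarnings({"rawtypes", "unchecked"}) // OAuthUser's map parameter type is not visible in this file
    private OAuthUser getUserDetails(Session session, OAuthHelper oAuthHelper, Provider provider, String oauthUserId) {
        ResourceResolver resourceResolver = null;
        try {
            UserManager userManager = ((JackrabbitSession) session).getUserManager();
            // NOTE(review): an administrative resolver runs with full repository privileges and this
            // API is deprecated in Sling; a service-user resolver limited to reading user profiles
            // would follow least privilege.
            resourceResolver = this.resolverFactory.getAdministrativeResourceResolver((Map) null);
            UserPropertiesManager userPropertiesManager = (UserPropertiesManager) resourceResolver.adaptTo(UserPropertiesManager.class);
            User crxUser;
            if (oAuthHelper.getProviderConfig().getForceStrictUsernameMatching()) {
                HashMap candidateProfile = new HashMap();
                User firstMatch = null;
                Iterator<Authorizable> candidates = oAuthHelper.getCRXUsersByOAuthId(userManager, provider, new OAuthUser(oauthUserId, Collections.emptyMap()));
                // Only the first non-group authorizable contributes its profile.
                while (candidates.hasNext() && firstMatch == null) {
                    Authorizable candidate = candidates.next();
                    if (!candidate.isGroup()) {
                        firstMatch = (User) candidate;
                        UserProperties candidateProperties = userPropertiesManager.getUserProperties(firstMatch.getID(), "profile");
                        for (String name : candidateProperties.getPropertyNames()) {
                            String value = candidateProperties.getProperty(name);
                            if (value != null) {
                                candidateProfile.put("profile/" + name, value);
                            }
                        }
                    }
                }
                crxUser = oAuthHelper.getCRXUserByMappedId(userManager, provider, new OAuthUser(oauthUserId, candidateProfile));
            } else {
                crxUser = oAuthHelper.getCRXUserByOAuthId(userManager, provider, new OAuthUser(oauthUserId, Collections.emptyMap()));
            }
            if (crxUser == null) {
                return null;
            }
            HashMap profile = new HashMap();
            UserProperties userProperties = userPropertiesManager.getUserProperties(crxUser.getID(), "profile");
            for (String name : userProperties.getPropertyNames()) {
                String value = userProperties.getProperty(name);
                if (value != null) {
                    profile.put("profile/" + name, value);
                }
            }
            return new OAuthUser(oauthUserId, profile);
        } catch (Exception e) {
            this.log.error("Failed to fetch the user properties from the crx user: {}", oauthUserId, e);
            return null;
        } finally {
            // Always release the privileged resolver, on success and on failure.
            if (resourceResolver != null && resourceResolver.isLive()) {
                resourceResolver.close();
            }
        }
    }

    /**
     * Fetches the user's basic data from the provider and enriches it with data from the
     * provider's extended detail URLs.
     *
     * @param provider the OAuth provider supplying the detail URLs
     * @param oAuthHelper helper that performs the fetch-and-map calls
     * @param token the token used for the provider requests
     * @return the user built from the basic and extended data
     * @throws IOException declared by this method; presumably raised by the helper's fetch calls
     */
    private OAuthUser getUserDetails(Provider provider, OAuthHelper oAuthHelper, Token token) throws IOException {
        OAuthUser user = oAuthHelper.fetchAndMapBasicData(provider, provider.getDetailsURL(), token);
        String scope = oAuthHelper.getProviderConfig().getScope();
        // First pass: URLs that depend on the scope only.
        String[] scopeUrls = provider.getExtendedDetailsURLs(scope);
        if (scopeUrls != null) {
            for (String url : scopeUrls) {
                user = oAuthHelper.fetchAndMapExtendedData(provider, url, token, user);
            }
        }
        // Second pass: URLs that also depend on the id and properties gathered so far.
        String[] userUrls = provider.getExtendedDetailsURLs(scope, user.getId(), user.getProperties());
        if (userUrls != null) {
            for (String url : userUrls) {
                user = oAuthHelper.fetchAndMapExtendedData(provider, url, token, user);
            }
        }
        return user;
    }

    // Bind/unbind methods for the @Reference fields. Each unbind clears the field only if it
    // still holds the instance being unbound.

    protected void bindRepository(SlingRepository slingRepository) {
        this.repository = slingRepository;
    }

    protected void unbindRepository(SlingRepository slingRepository) {
        if (this.repository == slingRepository) {
            this.repository = null;
        }
    }

    protected void bindSettings(SlingSettingsService slingSettingsService) {
        this.settings = slingSettingsService;
    }

    protected void unbindSettings(SlingSettingsService slingSettingsService) {
        if (this.settings == slingSettingsService) {
            this.settings = null;
        }
    }

    protected void bindProviderConfigManager(ProviderConfigManager providerConfigManager) {
        this.providerConfigManager = providerConfigManager;
    }

    protected void unbindProviderConfigManager(ProviderConfigManager providerConfigManager) {
        if (this.providerConfigManager == providerConfigManager) {
            this.providerConfigManager = null;
        }
    }

    protected void bindOauthManager(OAuthManager oAuthManager) {
        this.oauthManager = oAuthManager;
    }

    protected void unbindOauthManager(OAuthManager oAuthManager) {
        if (this.oauthManager == oAuthManager) {
            this.oauthManager = null;
        }
    }

    protected void bindResolverFactory(ResourceResolverFactory resourceResolverFactory) {
        this.resolverFactory = resourceResolverFactory;
    }

    protected void unbindResolverFactory(ResourceResolverFactory resourceResolverFactory) {
        if (this.resolverFactory == resourceResolverFactory) {
            this.resolverFactory = null;
        }
    }

    protected void bindCryptoSupport(CryptoSupport cryptoSupport) {
        this.cryptoSupport = cryptoSupport;
    }

    protected void unbindCryptoSupport(CryptoSupport cryptoSupport) {
        if (this.cryptoSupport == cryptoSupport) {
            this.cryptoSupport = null;
        }
    }

    protected void bindHandlerRedirect(HandlerRedirect handlerRedirect) {
        this.handlerRedirect = handlerRedirect;
    }

    protected void unbindHandlerRedirect(HandlerRedirect handlerRedirect) {
        if (this.handlerRedirect == handlerRedirect) {
            this.handlerRedirect = null;
        }
    }
}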
