package com.adobe.granite.auth.oauth.impl.helper;

import com.adobe.granite.auth.oauth.ProviderConfigProperties;
import com.day.crx.security.token.TokenCookie;
import java.io.IOException;
import java.util.UUID;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.binary.StringUtils;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceUtil;
import org.apache.sling.jcr.api.SlingRepository;
import org.apache.sling.settings.SlingSettingsService;
import org.scribe.utils.OAuthEncoder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/adobe/granite/auth/oauth/impl/helper/RequestHelper.class */
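/**
 * Static helpers used by the OAuth authentication handler: repository id lookup, config-id
 * cookies, classification of OAuth requests by URI suffix, and validation of the
 * post-authentication redirect target.
 *
 * <p>Security note: the redirect target handled here is taken from the {@code state} request
 * parameter and from the request URI, both of which are controlled by the client.
 * {@link #isRedirectValid(HttpServletRequest, String)} is the only guard visible in this class
 * against open redirects, so every redirect target must pass through it.
 */
public final class RequestHelper {
    public static final String PARAM_CONFIG_ID = "configid";
    private static final String REPO_DESC_ID = "crx.repository.systemid";
    private static final String REPO_DESC_CLUSTER_ID = "crx.cluster.id";
    private static final String COOKIE_CONFIG_ID = "oauth-configid";
    private static final String COOKIE_AUTH_CONFIG_ID = "oauth-authid";
    /** Request attribute under which the resource resolver is looked up. */
    private static final String ATTR_RESOURCE_RESOLVER = "org.apache.sling.auth.core.ResourceResolver";
    private static final Logger log = LoggerFactory.getLogger(RequestHelper.class);

    private RequestHelper() {
    }

    /**
     * Returns an identifier for this repository instance.
     *
     * <p>Tries, in order: the cluster id descriptor, the repository system id descriptor and the
     * Sling id. If all of them are {@code null}, a random UUID is generated and an error is
     * logged; that fallback value differs on every call.
     *
     * @param slingRepository repository whose descriptors are queried
     * @param slingSettingsService source of the Sling id fallback
     * @return the first non-null identifier, never {@code null}
     */
    public static String getRepositoryId(SlingRepository slingRepository, SlingSettingsService slingSettingsService) {
        String descriptor = slingRepository.getDescriptor(REPO_DESC_CLUSTER_ID);
        if (descriptor != null) {
            return descriptor;
        }
        descriptor = slingRepository.getDescriptor(REPO_DESC_ID);
        if (descriptor != null) {
            return descriptor;
        }
        descriptor = slingSettingsService.getSlingId();
        if (descriptor != null) {
            return descriptor;
        }
        descriptor = UUID.randomUUID().toString();
        log.error("RequestHelper: Failure to acquire unique ID for this token authenticator. Using random UUID {}", descriptor);
        return descriptor;
    }

    /**
     * Reads the {@code oauth-configid} cookie from the request.
     *
     * <p>The value comes from the client and must be treated as untrusted by callers.
     *
     * @param httpServletRequest current request
     * @return whatever {@code TokenCookie.getCookie} returns for that cookie name
     */
    public static String getConfigId(HttpServletRequest httpServletRequest) {
        return TokenCookie.getCookie(httpServletRequest, COOKIE_CONFIG_ID);
    }

    /**
     * Reads the {@code oauth-authid} cookie from the request.
     *
     * <p>The value comes from the client and must be treated as untrusted by callers.
     *
     * @param httpServletRequest current request
     * @return whatever {@code TokenCookie.getCookie} returns for that cookie name
     */
    public static String getAuthenticatedConfigId(HttpServletRequest httpServletRequest) {
        return TokenCookie.getCookie(httpServletRequest, COOKIE_AUTH_CONFIG_ID);
    }

    /**
     * Stores the config id in the {@code oauth-configid} cookie on path {@code "/"}.
     *
     * @param str cookie value
     * @param i passed through as the cookie lifetime argument (presumably max-age in seconds;
     *     confirm against {@code TokenCookie.setCookie})
     * @param httpServletRequest current request; its {@code isSecure()} result is forwarded
     * @param httpServletResponse response the cookie is set on
     */
    public static void storeConfigId(String str, int i, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        // NOTE(review): the trailing booleans are presumably httpOnly=true and secure=isSecure();
        // confirm against TokenCookie. If so, behind a TLS-terminating proxy that does not make
        // isSecure() report true, the cookie would be issued without the Secure attribute.
        TokenCookie.setCookie(httpServletResponse, COOKIE_CONFIG_ID, str, i, "/", (String) null, true, httpServletRequest.isSecure());
    }

    /**
     * Stores the authenticated config id in the {@code oauth-authid} cookie on path {@code "/"}.
     *
     * @param str cookie value
     * @param i passed through as the cookie lifetime argument (presumably max-age in seconds;
     *     confirm against {@code TokenCookie.setCookie})
     * @param httpServletRequest current request; its {@code isSecure()} result is forwarded
     * @param httpServletResponse response the cookie is set on
     */
    public static void storeAuthenticatedConfigId(String str, int i, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        // NOTE(review): same flag caveat as storeConfigId; confirm the boolean arguments.
        TokenCookie.setCookie(httpServletResponse, COOKIE_AUTH_CONFIG_ID, str, i, "/", (String) null, true, httpServletRequest.isSecure());
    }

    /**
     * Overwrites the {@code oauth-configid} cookie with a lifetime argument of {@code 0}.
     *
     * @param httpServletRequest current request
     * @param httpServletResponse response the cookie is set on
     */
    public static void removeConfigId(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        // NOTE(review): the value written is DEFAULT_CALL_BACK_URL; this looks like a constant
        // the decompiler matched by value (likely an empty string) - confirm.
        storeConfigId(ProviderConfigProperties.DEFAULT_CALL_BACK_URL, 0, httpServletRequest, httpServletResponse);
    }

    /**
     * Overwrites the {@code oauth-authid} cookie with a lifetime argument of {@code 0}.
     *
     * @param httpServletRequest current request
     * @param httpServletResponse response the cookie is set on
     */
    public static void removeAuthenticatedConfigId(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        // NOTE(review): see removeConfigId regarding the value constant.
        storeAuthenticatedConfigId(ProviderConfigProperties.DEFAULT_CALL_BACK_URL, 0, httpServletRequest, httpServletResponse);
    }

    /**
     * Sends the post-authentication redirect.
     *
     * <p>The target is the decoded {@code state} request parameter if it passes
     * {@link #isRedirectValid(HttpServletRequest, String)}; otherwise the value derived from the
     * request URI by {@code OAuthHelper.getOriginalRequestUri}, again only if valid; otherwise
     * {@code "/"}. An {@link IOException} from {@code sendRedirect} is logged and not rethrown.
     *
     * @param httpServletRequest current request
     * @param httpServletResponse response used to send the redirect
     */
    public static void handleRedirectAfterAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        // The state parameter round-trips through the OAuth provider and the browser, so it is
        // client-controlled input and must never be used as a redirect target unvalidated.
        String parameter = httpServletRequest.getParameter(OAuthHelper.PARAM_STATE);
        if (parameter != null) {
            parameter = OAuthEncoder.decode(parameter);
            if (!isRedirectValid(httpServletRequest, parameter)) {
                log.error("Redirect target '{}' is invalid; checking request URI", parameter);
                parameter = null;
            }
        }
        if (parameter == null) {
            parameter = OAuthHelper.getOriginalRequestUri(httpServletRequest.getRequestURI());
            if (parameter.length() == 0) {
                parameter = "/";
            } else if (!isRedirectValid(httpServletRequest, parameter)) {
                log.error("Request URI '{}' is invalid, redirecting to '/'", parameter);
                parameter = "/";
            }
        }
        try {
            log.debug("Redirecting to '{}' after successful authentication", parameter);
            httpServletResponse.sendRedirect(parameter);
        } catch (IOException e) {
            log.error("Failed to send redirect to: {}", parameter, e);
        }
    }

    /**
     * Tells whether the request starts an OAuth flow: its URI ends with the authenticate
     * redirect suffix (or, unless {@code z} is set, the connect redirect suffix) and it carries
     * a {@code configid} parameter.
     *
     * @param httpServletRequest current request
     * @param z when {@code true}, connect-suffix requests are not considered
     * @return {@code true} if the request is an initial OAuth call
     */
    public static boolean isInitialCall(HttpServletRequest httpServletRequest, boolean z) {
        boolean suffixMatches = isInitialLogin(httpServletRequest) || (!z && isInitialConnect(httpServletRequest));
        return suffixMatches && httpServletRequest.getParameter(PARAM_CONFIG_ID) != null;
    }

    /**
     * Tells whether the request is an OAuth callback: a {@code GET} whose URI ends with the
     * authenticate callback suffix (or, unless {@code z} is set, the connect callback suffix)
     * and which carries a {@code code} or {@code oauth_verifier} parameter.
     *
     * @param httpServletRequest current request
     * @param z when {@code true}, connect-suffix requests are not considered
     * @return {@code true} if the request is an authorization callback
     */
    public static boolean isAuthzCode(HttpServletRequest httpServletRequest, boolean z) {
        if (!"GET".equals(httpServletRequest.getMethod())) {
            return false;
        }
        if (!(isAuthzLogin(httpServletRequest) || (!z && isAuthzConnect(httpServletRequest)))) {
            return false;
        }
        return httpServletRequest.getParameter("code") != null || httpServletRequest.getParameter("oauth_verifier") != null;
    }

    /** Returns whether the request URI ends with the authenticate redirect suffix. */
    private static boolean isInitialLogin(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getRequestURI().endsWith(OAuthHelper.REDIRECT_SUFFIX_AUTHENTICATE);
    }

    /** Returns whether the request URI ends with the connect redirect suffix. */
    private static boolean isInitialConnect(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getRequestURI().endsWith(OAuthHelper.REDIRECT_SUFFIX_CONNECT);
    }

    /** Returns whether the request URI ends with the authenticate callback suffix. */
    private static boolean isAuthzLogin(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getRequestURI().endsWith(OAuthHelper.CALLBACK_SUFFIX_AUTHENTICATE);
    }

    /** Returns whether the request URI ends with the connect callback suffix. */
    private static boolean isAuthzConnect(HttpServletRequest httpServletRequest) {
        return httpServletRequest.getRequestURI().endsWith(OAuthHelper.CALLBACK_SUFFIX_CONNECT);
    }

    /**
     * Validates a redirect target so that it can only point into this application.
     *
     * <p>A target is rejected when it is {@code null} or empty, contains a control character,
     * contains {@code "://"}, or begins with two slash/backslash characters (a scheme-relative
     * reference such as {@code //host}, which browsers resolve to another origin). If a resource
     * resolver is available as a request attribute, the path part (query string and context
     * path stripped) must additionally resolve to an existing resource; otherwise the target
     * only has to start with {@code "/"}.
     *
     * @param httpServletRequest current request; may be {@code null}, in which case only the
     *     syntactic checks apply
     * @param str candidate redirect target
     * @return {@code true} if the target is acceptable
     */
    public static boolean isRedirectValid(HttpServletRequest httpServletRequest, String str) {
        if (str == null || str.length() == 0) {
            log.warn("isRedirectValid: Redirect target must not be empty or null");
            return false;
        }
        if (containsControlCharacter(str)) {
            // The value is deliberately not logged: it would carry the control characters
            // (e.g. CR/LF) into the log file as well as into the Location header.
            log.warn("isRedirectValid: Redirect target must not contain control characters");
            return false;
        }
        if (str.contains("://")) {
            log.warn("isRedirectValid: Redirect target '{}' must not be an URL", str);
            return false;
        }
        if (isNetworkPathReference(str)) {
            // Without this check "//host/path" would satisfy the startsWith("/") fallback below.
            log.warn("isRedirectValid: Redirect target '{}' must not be a scheme-relative URL", str);
            return false;
        }

        // The request is dereferenced only after the null check; previously getContextPath()
        // was called first, so a null request raised a NullPointerException instead of
        // reaching the absolute-path fallback.
        ResourceResolver resourceResolver = null;
        String contextPath = null;
        if (httpServletRequest != null) {
            contextPath = httpServletRequest.getContextPath();
            resourceResolver = (ResourceResolver) httpServletRequest.getAttribute(ATTR_RESOURCE_RESOLVER);
        }

        if (resourceResolver == null) {
            boolean absolute = str.startsWith("/");
            if (!absolute) {
                log.warn("isRedirectValid: Redirect target '{}' must be an absolute path", str);
            }
            return absolute;
        }

        // Only the path is resolved; the query string is not part of the resource lookup.
        int queryStart = str.indexOf('?');
        String path = queryStart > 0 ? str.substring(0, queryStart) : str;
        if (contextPath != null && path.startsWith(contextPath)) {
            path = path.substring(contextPath.length());
        }
        boolean exists = !ResourceUtil.isNonExistingResource(resourceResolver.resolve(httpServletRequest, path));
        if (!exists) {
            log.warn("isRedirectValid: Redirect target '{}' does not resolve to an existing resource", str);
        }
        return exists;
    }

    /**
     * Returns whether the target starts with two slash or backslash characters in any
     * combination; browsers treat a leading backslash like a slash in this position.
     */
    private static boolean isNetworkPathReference(String target) {
        return target.length() >= 2 && isSlash(target.charAt(0)) && isSlash(target.charAt(1));
    }

    /** Returns whether the character is a forward slash or a backslash. */
    private static boolean isSlash(char c) {
        return c == '/' || c == '\\';
    }

    /** Returns whether the target contains any ISO control character such as CR or LF. */
    private static boolean containsControlCharacter(String target) {
        for (int idx = 0; idx < target.length(); idx++) {
            if (Character.isISOControl(target.charAt(idx))) {
                return true;
            }
        }
        return false;
    }

    /** Base64-encodes the bytes and returns the result as a string built from UTF-8 bytes. */
    private static String encodeBase64(byte[] bArr) {
        return StringUtils.newStringUtf8(Base64.encodeBase64(bArr));
    }
}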
