package com.adobe.granite.auth.oauth.impl.helper;

import com.adobe.granite.auth.oauth.OAuthIdInUseException;
import com.adobe.granite.auth.oauth.Provider;
import com.adobe.granite.auth.oauth.ProviderConfigProperties;
import com.adobe.granite.crypto.CryptoException;
import com.adobe.granite.crypto.CryptoSupport;
import java.io.IOException;
import java.lang.reflect.Array;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Random;
import javax.jcr.Node;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.ValueFactory;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.binary.StringUtils;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.AuthorizableExistsException;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.api.resource.Resource;
import org.scribe.model.OAuthRequest;
import org.scribe.model.Response;
import org.scribe.model.Token;
import org.scribe.oauth.OAuthService;
import org.scribe.utils.OAuthEncoder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/adobe/granite/auth/oauth/impl/helper/OAuthHelper.class */
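/**
 * Base class shared by the OAuth provider helpers.
 *
 * <p>It owns the provider configuration, builds the callback URL that is handed to the
 * OAuth provider, exchanges access tokens for profile data, and creates or updates the
 * repository (CRX) user that is linked to an OAuth identity. Subclasses supply the
 * provider-specific authorization redirect and access-code exchange.
 *
 * <p>Thread-safety: the instance holds only immutable state ({@code config},
 * {@code callBackUrl}); repository and request objects are passed in per call.
 */
public abstract class OAuthHelper {
    private final Logger log = LoggerFactory.getLogger(getClass());
    public static final String PARAM_STATE = "state";
    public static final String REDIRECT_SUFFIX_AUTHENTICATE = "/j_security_check";
    public static final String CALLBACK_SUFFIX_AUTHENTICATE = "/callback/j_security_check";
    private static final int MAX_COLLISION_TRIES = 1000;
    public static final String REDIRECT_SUFFIX_CONNECT = "/connect";
    public static final String CALLBACK_SUFFIX_CONNECT = "/callback/connect";
    /** Name of the token attribute that carries the authorized (linked) user id. */
    protected static final String TOKEN_ATTR_USER = "user";

    /**
     * Suffixes stripped by {@link #getOriginalRequestUri(String)}. Order matters: each
     * "/callback/..." form ends with the corresponding plain form and must be tested first.
     */
    private static final String[] REQUEST_URI_SUFFIXES = {
        CALLBACK_SUFFIX_AUTHENTICATE,
        REDIRECT_SUFFIX_AUTHENTICATE,
        CALLBACK_SUFFIX_CONNECT,
        REDIRECT_SUFFIX_CONNECT
    };
    /** Number of random bytes used as the (never disclosed) password of an auto-created user. */
    private static final int PASSWORD_BYTES = 16;
    /** Profile properties with this prefix are removed when the provider stops reporting them. */
    private static final String STALE_PROFILE_PREFIX = "profile/facebook";
    /** Shared CSPRNG for password material and username suffixes; SecureRandom is thread-safe. */
    private static final SecureRandom RANDOM = new SecureRandom();

    protected final ProviderConfig config;
    /** Configured callback URL; may be null, a path ("/...") or an absolute URL. */
    protected final String callBackUrl;

    /**
     * Creates a helper bound to one provider configuration.
     *
     * @param providerConfig the configuration this helper operates on (not null)
     */
    public OAuthHelper(ProviderConfig providerConfig) {
        this.config = providerConfig;
        this.callBackUrl = providerConfig.getCallBackUrl();
    }

    /**
     * Redirects the user agent to the provider's authorization endpoint.
     *
     * <p>Decompiled parameter names are kept; {@code str} is the already encoded redirect
     * target (see the overload below) and {@code z} presumably selects the authenticate
     * vs. connect flow, as the same flag does in {@link #getService(Provider, HttpServletRequest, boolean)}.
     *
     * @throws IOException if the redirect cannot be written
     */
    public abstract void requestAuthorization(Provider provider, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, boolean z) throws IOException;

    /**
     * Exchanges the provider's callback for an access token and returns the resolved user.
     *
     * <p>Decompiled parameter names are kept; the meaning of {@code z} and {@code z2} is not
     * recoverable from this class and must be taken from the concrete helper.
     *
     * @throws IOException if the provider cannot be reached
     */
    public abstract OAuthUser requestAccessCode(Provider provider, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, boolean z, boolean z2) throws IOException;

    /** @return the OAuth client id of the bound configuration */
    public String getClientId() {
        return this.config.getClientId();
    }

    /** Property path under which the provider stores the OAuth id on a repository user. */
    private String getUserPropKey(Provider provider) {
        return provider.getOAuthIdPropertyPath(this.config.getClientId());
    }

    /** @return the bound provider configuration */
    public ProviderConfig getProviderConfig() {
        return this.config;
    }

    /**
     * Remembers the config id in a cookie and starts the authorization redirect.
     *
     * @param redirectUrl target to return to after authorization; {@code null} selects
     *     {@link ProviderConfigProperties#DEFAULT_CALL_BACK_URL}; the value is OAuth-encoded
     *     before being handed to the subclass
     * @param z passed through unchanged to the abstract {@code requestAuthorization}
     * @throws IOException if the redirect cannot be written
     */
    public void requestAuthorization(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Provider provider, String redirectUrl, boolean z) throws IOException {
        RequestHelper.storeConfigId(this.config.getConfigId(), this.config.getCookieMaxAge(), httpServletRequest, httpServletResponse);
        String target = redirectUrl == null ? ProviderConfigProperties.DEFAULT_CALL_BACK_URL : redirectUrl;
        requestAuthorization(provider, httpServletRequest, httpServletResponse, OAuthEncoder.encode(target), z);
    }

    /**
     * Copies the mapped profile properties onto the user and removes stale ones.
     *
     * <p>Each value is stored via {@code toString()}; arrays (of any component type) become
     * multi-valued properties with null elements left empty. Afterwards every existing user
     * property starting with {@value #STALE_PROFILE_PREFIX} that is absent from {@code map}
     * is removed. Null values in {@code map} are skipped (previously they threw an NPE).
     *
     * @throws RepositoryException on any repository failure
     */
    private void assignUserProfileData(User user, Map<String, Object> map, ValueFactory valueFactory) throws RepositoryException {
        for (Map.Entry<String, Object> entry : map.entrySet()) {
            Object value = entry.getValue();
            if (value == null) {
                continue;
            }
            if (value.getClass().isArray()) {
                // java.lang.reflect.Array handles primitive arrays too, which (Object[]) would not
                int length = Array.getLength(value);
                Value[] values = new Value[length];
                for (int i = 0; i < length; i++) {
                    Object element = Array.get(value, i);
                    if (element != null) {
                        values[i] = valueFactory.createValue(element.toString());
                    }
                }
                user.setProperty(entry.getKey(), values);
            } else {
                user.setProperty(entry.getKey(), valueFactory.createValue(value.toString()));
            }
        }
        // collect first so removal cannot disturb the property-name iterator
        List<String> stale = new ArrayList<String>();
        Iterator<String> propertyNames = user.getPropertyNames();
        while (propertyNames.hasNext()) {
            String name = propertyNames.next();
            if (name.startsWith(STALE_PROFILE_PREFIX) && map.get(name) == null) {
                stale.add(name);
            }
        }
        for (String name : stale) {
            this.log.info("**** removing property:{}", name);
            user.removeProperty(name);
        }
    }

    /**
     * Persists the request's access token on the user, if the configuration allows it.
     * Repository failures are logged, not propagated.
     */
    public void storeAccessToken(HttpServletRequest httpServletRequest, Provider provider, User user, ValueFactory valueFactory) {
        if (!this.config.getSaveAccessToken()) {
            this.log.debug("config {} does not allow storing access token with user", this.config.getConfigId());
            return;
        }
        String tokenPath = provider.getAccessTokenPropertyPath(this.config.getClientId());
        try {
            this.config.getOAuthTokenManager().saveToken(this.config.getClientId(), httpServletRequest, user, valueFactory, tokenPath);
        } catch (RepositoryException e) {
            this.log.error("could not save access token for user {}", user, e);
        }
    }

    /**
     * Persists the request's access token below the given node.
     *
     * @return whatever the token manager reports for the save
     * @throws RepositoryException on repository failure
     */
    public boolean storeAccessToken(HttpServletRequest httpServletRequest, Node node) throws RepositoryException {
        return this.config.getOAuthTokenManager().saveToken(this.config.getClientId(), httpServletRequest, node);
    }

    /**
     * @return the user id stored in the request's token under {@link #TOKEN_ATTR_USER},
     *     or {@code null} when the request carries no authentic token
     */
    public String getAuthorizedId(HttpServletRequest httpServletRequest) {
        OAuthToken token = this.config.getOAuthTokenManager().getToken(this.config.getClientId(), httpServletRequest);
        if (token == null || !token.isAuthentic()) {
            return null;
        }
        return (String) token.getAttribute(TOKEN_ATTR_USER);
    }

    /**
     * Stores {@code userId} in the request's token, or invalidates the token when
     * {@code userId} is {@code null}. Does nothing if there is no authentic token.
     */
    public void setAuthorizedId(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String userId) {
        OAuthTokenManager tokenManager = this.config.getOAuthTokenManager();
        if (userId == null) {
            tokenManager.invalidate(this.config.getClientId(), httpServletRequest, httpServletResponse);
            return;
        }
        OAuthToken token = tokenManager.getToken(this.config.getClientId(), httpServletRequest);
        if (token == null || !token.isAuthentic()) {
            return;
        }
        token.setAttribute(TOKEN_ATTR_USER, userId);
        tokenManager.saveToken(token, httpServletRequest, httpServletResponse);
    }

    /**
     * Fetches the profile of the user whose access token is attached to the request.
     *
     * @param extended whether the provider's extended detail URLs are fetched as well
     * @return the mapped user, or {@code null} if the token is missing/invalid or no user id was returned
     * @throws IOException if the provider cannot be reached
     */
    public OAuthUser getUserDetails(Provider provider, HttpServletRequest httpServletRequest, boolean extended) throws IOException {
        OAuthToken token = this.config.getOAuthTokenManager().getToken(this.config.getClientId(), httpServletRequest);
        return getUserDetails(token, provider, extended);
    }

    /**
     * Fetches the profile of {@code user} using the access token stored on that user.
     *
     * @param extended whether the provider's extended detail URLs are fetched as well
     * @return the mapped user, or {@code null} if no authentic token is stored or lookup fails
     * @throws IOException if the provider cannot be reached
     */
    public OAuthUser getUserDetails(Provider provider, User user, boolean extended) throws IOException {
        String tokenPath = provider.getAccessTokenPropertyPath(this.config.getClientId());
        try {
            OAuthToken token = this.config.getOAuthTokenManager().getToken(this.config.getClientId(), user, tokenPath);
            if (token == null || !token.isAuthentic()) {
                this.log.debug("accesss token for user {} at property {} was missing or invalid", user, tokenPath);
                return null;
            }
            return getUserDetails(token, provider, extended);
        } catch (RepositoryException e) {
            this.log.error("could not retrieve access token", e);
            return null;
        }
    }

    /**
     * Fetches basic profile data and, on request, merges the extended detail URLs.
     *
     * @return the mapped user; {@code null} for a missing/inauthentic token or when the basic
     *     fetch yields no user id (extended fetching is skipped then instead of NPE-ing)
     */
    private OAuthUser getUserDetails(OAuthToken oAuthToken, Provider provider, boolean extended) throws IOException {
        if (oAuthToken == null || !oAuthToken.isAuthentic()) {
            this.log.warn("token was null or not authentic:{}", oAuthToken);
            return null;
        }
        Token token = new Token(oAuthToken.getKey(), oAuthToken.getSecret());
        OAuthUser result = fetchAndMapBasicData(provider, provider.getDetailsURL(), token);
        String[] extendedUrls = provider.getExtendedDetailsURLs(this.config.getScope());
        if (result == null || !extended || extendedUrls == null) {
            return result;
        }
        for (String url : extendedUrls) {
            result = fetchAndMapExtendedData(provider, url, token, result);
        }
        return result;
    }

    /**
     * Sends {@code oAuthRequest} signed with the token stored at {@code resource}.
     *
     * @return the provider response, or {@code null} if no authentic token is stored there
     */
    public Response getProtectedData(Resource resource, Provider provider, OAuthRequest oAuthRequest) {
        try {
            OAuthToken token = this.config.getOAuthTokenManager().getToken(resource);
            if (token == null || !token.isAuthentic()) {
                this.log.debug("accesss token at {} was missing or invalid", resource.getPath());
                return null;
            }
            return getProtectedData(new Token(token.getKey(), token.getSecret()), provider, oAuthRequest);
        } catch (RepositoryException e) {
            this.log.error("could not retrieve access token", e);
            return null;
        }
    }

    /**
     * Sends {@code oAuthRequest} signed with the token stored on {@code user}.
     *
     * @return the provider response, or {@code null} if no authentic token is stored
     */
    public Response getProtectedData(User user, Provider provider, OAuthRequest oAuthRequest) {
        String tokenPath = provider.getAccessTokenPropertyPath(this.config.getClientId());
        try {
            OAuthToken token = this.config.getOAuthTokenManager().getToken(this.config.getClientId(), user, tokenPath);
            if (token == null || !token.isAuthentic()) {
                this.log.debug("accesss token for user {} at property {} was missing or invalid", user, tokenPath);
                return null;
            }
            return getProtectedData(new Token(token.getKey(), token.getSecret()), provider, oAuthRequest);
        } catch (RepositoryException e) {
            this.log.error("could not retrieve access token", e);
            return null;
        }
    }

    /** Signs the request with the provider's service for the configured callback and sends it. */
    private Response getProtectedData(Token token, Provider provider, OAuthRequest oAuthRequest) {
        getService(provider).signRequest(token, oAuthRequest);
        return oAuthRequest.send();
    }

    /** Sends the provider's protected-data request for {@code url}, signed with {@code token}. */
    private Response getProtectedProfileData(Token token, Provider provider, String url) {
        return getProtectedData(token, provider, provider.getProtectedDataRequest(url));
    }

    /**
     * Fetches {@code url} and maps the response into a new {@link OAuthUser}.
     *
     * @return the user, or {@code null} if the response lacks the provider's user-id property
     * @throws IOException if the provider cannot be reached
     */
    public OAuthUser fetchAndMapBasicData(Provider provider, String url, Token token) throws IOException {
        Map<String, String> profile = fetchProfileData(provider, url, token);
        String userId = profile.get(provider.getUserIdProperty());
        if (userId == null) {
            // log the URL actually fetched and the property looked up, not the provider default
            this.log.error("retrieveBasicData: could not retrieve user id ({}) from {}", provider.getUserIdProperty(), url);
            return null;
        }
        return new OAuthUser(userId, provider.mapProperties(url, this.config.getClientId(), Collections.emptyMap(), profile));
    }

    /**
     * Fetches {@code url} and returns a copy of {@code oAuthUser} with the mapped properties merged in.
     *
     * @throws IOException if the provider cannot be reached
     */
    public OAuthUser fetchAndMapExtendedData(Provider provider, String url, Token token, OAuthUser oAuthUser) throws IOException {
        Map<String, String> profile = fetchProfileData(provider, url, token);
        return new OAuthUser(oAuthUser.getId(), provider.mapProperties(url, this.config.getClientId(), oAuthUser.getProperties(), profile));
    }

    /** Fetches {@code url} with the token and lets the provider parse the body. */
    private Map<String, String> fetchProfileData(Provider provider, String url, Token token) throws IOException {
        this.log.debug("fetching data from url:{}", url);
        return provider.parseProfileDataResponse(getProtectedProfileData(token, provider, url));
    }

    /** @return the provider's service for the configured (possibly null) callback URL */
    protected OAuthService getService(Provider provider) {
        return this.config.getOAuthService(provider, this.callBackUrl);
    }

    /**
     * Returns the provider's service for the callback URL of this request.
     *
     * <p>An absolute configured {@code callBackUrl} is used verbatim. Otherwise the callback
     * is assembled from the request: scheme, the host reported by {@link #getHost}, the
     * configured path (or the request URI with the flow suffix removed) and the
     * authenticate/connect callback suffix. Because the host comes from request headers,
     * deployments that cannot guarantee a trusted proxy rewrites them should configure an
     * absolute callback URL.
     *
     * @param authenticate {@code true} for the authentication flow, {@code false} for connect
     */
    public OAuthService getService(Provider provider, HttpServletRequest httpServletRequest, boolean authenticate) {
        String callback;
        if (this.callBackUrl != null && !this.callBackUrl.startsWith("/")) {
            callback = this.callBackUrl;
        } else {
            String path = this.callBackUrl != null
                    ? this.callBackUrl
                    : getOriginalRequestUri(httpServletRequest.getRequestURI());
            String suffix = authenticate ? CALLBACK_SUFFIX_AUTHENTICATE : CALLBACK_SUFFIX_CONNECT;
            callback = (httpServletRequest.isSecure() ? "https" : "http")
                    + "://" + getHost(httpServletRequest) + path + suffix;
        }
        this.log.debug("getService: Getting Service with callback={}", callback);
        return this.config.getOAuthService(provider, callback);
    }

    /**
     * Determines the externally visible host for the callback URL.
     *
     * <p>Precedence: {@code X-Forwarded-Host} (first entry of a comma-separated proxy chain,
     * trimmed), then {@code Host}, then the authority of the request URL, and finally
     * server name and port. Both headers are client-supplied unless a trusted reverse proxy
     * overwrites them.
     */
    private String getHost(HttpServletRequest httpServletRequest) {
        String forwarded = httpServletRequest.getHeader("x-forwarded-host");
        if (forwarded != null) {
            int comma = forwarded.indexOf(',');
            // the first entry is the host the client asked for; the old code kept the tail including the comma
            return (comma >= 0 ? forwarded.substring(0, comma) : forwarded).trim();
        }
        String host = httpServletRequest.getHeader("Host");
        if (host != null) {
            return host;
        }
        try {
            return new URI(httpServletRequest.getRequestURL().toString()).getAuthority();
        } catch (URISyntaxException e) {
            return httpServletRequest.getServerName() + ":" + httpServletRequest.getServerPort();
        }
    }

    /**
     * Strips the authenticate/connect flow suffix from a request URI.
     *
     * @param requestUri the request URI (not null)
     * @return the URI without a trailing {@code /callback/j_security_check},
     *     {@code /j_security_check}, {@code /callback/connect} or {@code /connect};
     *     unchanged when none applies
     */
    public static String getOriginalRequestUri(String requestUri) {
        for (String suffix : REQUEST_URI_SUFFIXES) {
            if (requestUri.endsWith(suffix)) {
                return requestUri.substring(0, requestUri.length() - suffix.length());
            }
        }
        return requestUri;
    }

    /**
     * Creates or updates the repository user for {@code oAuthUser} without an explicit
     * target user; an OAuth id that is already linked elsewhere yields {@code null}.
     *
     * @throws RepositoryException on repository failure
     */
    public User createOrUpdateCRXUser(Session session, CryptoSupport cryptoSupport, Provider provider, HttpServletRequest httpServletRequest, OAuthUser oAuthUser) throws RepositoryException {
        try {
            return createOrUpdateCRXUser(session, cryptoSupport, provider, httpServletRequest, oAuthUser, null);
        } catch (OAuthIdInUseException e) {
            this.log.debug("createOrUpdateCRXUser: {}", e.getMessage());
            return null;
        }
    }

    /**
     * Creates or updates the repository user linked to {@code oAuthUser}.
     *
     * <p>The existing user is looked up by mapped username (strict matching) or by the
     * stored OAuth id. If {@code user} is given and a different user already owns the OAuth
     * id, {@link OAuthIdInUseException} is thrown. When no user exists one is auto-created
     * (if enabled). The OAuth id, profile properties, auto-create groups and the access token
     * are then written and the provider's create/update hook is invoked.
     *
     * @param user explicit user to link to, or {@code null} to use the looked-up/created one
     * @return the linked user, or {@code null} if none exists and auto-creation is disabled
     * @throws OAuthIdInUseException if the OAuth id is linked to another user
     * @throws RepositoryException on repository failure
     */
    public User createOrUpdateCRXUser(Session session, CryptoSupport cryptoSupport, Provider provider, HttpServletRequest httpServletRequest, OAuthUser oAuthUser, User user) throws RepositoryException, OAuthIdInUseException {
        UserManager userManager = ((JackrabbitSession) session).getUserManager();
        User linked = getProviderConfig().getForceStrictUsernameMatching()
                ? getCRXUserByMappedId(userManager, provider, oAuthUser)
                : getCRXUserByOAuthId(userManager, provider, oAuthUser);
        if (user != null && linked != null && !user.getID().equals(linked.getID())) {
            throw new OAuthIdInUseException("Cannot link to user " + user.getID() + "; OAuth ID " + oAuthUser.getId() + " already linked to user " + linked.getID());
        }
        User target = user != null ? user : linked;
        boolean created = target == null;
        if (created) {
            target = createUserForOAuthId(session, cryptoSupport, provider, oAuthUser);
            if (target == null) {
                this.log.warn("createOrUpdateCRXUser: could not create user, user auto creation may not be enabled");
                return null;
            }
        }
        ValueFactory valueFactory = session.getValueFactory();
        target.setProperty(getUserPropKey(provider), valueFactory.createValue(oAuthUser.getId()));
        assignUserProfileData(target, oAuthUser.getProperties(), valueFactory);
        addToAutoCreateGroups(userManager, target);
        storeAccessToken(httpServletRequest, provider, target, valueFactory);
        if (created) {
            provider.onUserCreate(target);
        } else {
            provider.onUserUpdate(target);
        }
        return target;
    }

    /**
     * Adds {@code user} to every configured auto-create group it is not yet a member of.
     * Blank ids and ids that do not resolve to a group are skipped.
     */
    private void addToAutoCreateGroups(UserManager userManager, User user) throws RepositoryException {
        for (String groupId : getProviderConfig().getAutoCreateUsersGroups()) {
            if (groupId == null || groupId.length() == 0) {
                continue;
            }
            Authorizable authorizable = userManager.getAuthorizable(groupId);
            if (authorizable == null || !authorizable.isGroup()) {
                this.log.debug("auto-create group {} not found or not a group, skipping", groupId);
                continue;
            }
            Group group = (Group) authorizable;
            if (!group.isMember(user)) {
                group.addMember(user);
            }
        }
    }

    /**
     * Finds the first user (groups are skipped) whose OAuth id property equals the OAuth id.
     * Additional matches are logged and ignored.
     *
     * @return the user, or {@code null} if none matches
     * @throws RepositoryException on repository failure
     */
    public User getCRXUserByOAuthId(UserManager userManager, Provider provider, OAuthUser oAuthUser) throws RepositoryException {
        Iterator<Authorizable> matches = userManager.findAuthorizables(getUserPropKey(provider), oAuthUser.getId(), UserManager.SEARCH_TYPE_USER);
        User user = null;
        while (user == null && matches.hasNext()) {
            Authorizable candidate = matches.next();
            if (!candidate.isGroup()) {
                user = (User) candidate;
            }
        }
        if (user != null && matches.hasNext()) {
            this.log.info("getCRXUserByOAuthId: More than one user registered for ID={} of oauth config {}; assuming {}", new Object[]{oAuthUser.getId(), getProviderConfig().getConfigId(), user.getID()});
        }
        return user;
    }

    /**
     * @return all authorizables whose OAuth id property equals the OAuth id (user search type)
     * @throws RepositoryException on repository failure
     */
    public Iterator<Authorizable> getCRXUsersByOAuthId(UserManager userManager, Provider provider, OAuthUser oAuthUser) throws RepositoryException {
        return userManager.findAuthorizables(getUserPropKey(provider), oAuthUser.getId(), UserManager.SEARCH_TYPE_USER);
    }

    /**
     * Looks the user up by the mapped (encoded/hashed) username.
     *
     * <p>If that user carries a different OAuth id, the username is taken by someone else
     * and the lookup falls back to {@link #getCRXUserByOAuthId}.
     *
     * @return the user, or {@code null} if none is found or the mapped name cannot be computed
     * @throws RepositoryException on repository failure
     */
    public User getCRXUserByMappedId(UserManager userManager, Provider provider, OAuthUser oAuthUser) throws RepositoryException {
        String mappedName = getMappedOauthUsername(provider, oAuthUser);
        if (mappedName == null) {
            return null;
        }
        Authorizable authorizable = userManager.getAuthorizable(mappedName);
        if (authorizable == null || authorizable.isGroup()) {
            return null;
        }
        User user = (User) authorizable;
        if (oAuthUser.getId().equals(getOauthUserId(provider, user))) {
            return user;
        }
        this.log.warn("Collision detected for userId: {} oauthUserId {}", user.getID(), oAuthUser.getId());
        User byOAuthId = getCRXUserByOAuthId(userManager, provider, oAuthUser);
        if (byOAuthId == null) {
            this.log.debug("user not found, handling collision, returning null");
        }
        return byOAuthId;
    }

    /** @return the first value of the user's OAuth id property, or {@code null} if absent/empty */
    private String getOauthUserId(Provider provider, User user) throws RepositoryException {
        String propKey = getUserPropKey(provider);
        if (!user.hasProperty(propKey)) {
            return null;
        }
        Value[] values = user.getProperty(propKey);
        if (values == null || values.length == 0) {
            return null;
        }
        return values[0].getString();
    }

    /**
     * Maps the OAuth id to a repository username via the provider, then optionally
     * Base64-encodes and/or SHA-256-hashes it as configured.
     *
     * @return the username, or {@code null} if hashing is enabled and fails
     */
    private String getMappedOauthUsername(Provider provider, OAuthUser oAuthUser) {
        String username = provider.mapUserId(oAuthUser.getId(), oAuthUser.getProperties());
        if (getProviderConfig().getEncodeUserIds()) {
            username = encodeBase64(StringUtils.getBytesUtf8(username));
        }
        if (getProviderConfig().getHashUserIds()) {
            username = hashUserId(username);
        }
        return username;
    }

    /**
     * SHA-256 of the UTF-8 bytes, URL-safe Base64, lower-cased.
     *
     * <p>Lower-casing folds the Base64 alphabet and must be kept as is: existing user ids
     * were derived this way. {@link Locale#ROOT} keeps the result locale-independent.
     *
     * @return the hash, or {@code null} if SHA-256 is unavailable (logged)
     */
    private String hashUserId(String userId) {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(userId.getBytes(StandardCharsets.UTF_8));
            return Base64.encodeBase64URLSafeString(digest).toLowerCase(Locale.ROOT);
        } catch (NoSuchAlgorithmException e) {
            this.log.error("Failed to hash a userId", e);
            return null;
        }
    }

    /**
     * Appends a random int to {@code base} until the id is free.
     *
     * @return a free id, or {@code null} after {@value #MAX_COLLISION_TRIES} collisions
     * @throws RepositoryException on repository failure
     */
    private String generateUniqueIdentifier(UserManager userManager, String base) throws RepositoryException {
        for (int attempt = 0; attempt < MAX_COLLISION_TRIES; attempt++) {
            String candidate = base + RANDOM.nextInt();
            if (userManager.getAuthorizable(candidate) == null) {
                return candidate;
            }
        }
        return null;
    }

    /**
     * Auto-creates the repository user for {@code oAuthUser}.
     *
     * <p>The password is random and never communicated: it only satisfies the user manager.
     * On a username collision a random suffix is appended. A user half-created when a
     * repository error occurs is removed again before the error is rethrown.
     *
     * @return the new user, or {@code null} if the provider is missing, auto-creation is
     *     disabled, the username cannot be computed, or no free username is found
     * @throws RepositoryException on repository failure
     */
    private User createUserForOAuthId(Session session, CryptoSupport cryptoSupport, Provider provider, OAuthUser oAuthUser) throws RepositoryException {
        if (provider == null) {
            this.log.error("createUserForOauthId: helper or provider is null");
            return null;
        }
        if (!getProviderConfig().getAutoCreateUsers()) {
            this.log.debug("createUserForId: User creation disabled");
            return null;
        }
        UserManager userManager = ((JackrabbitSession) session).getUserManager();
        String password = encodeBase64(randomBytes(cryptoSupport, PASSWORD_BYTES));
        String username = getMappedOauthUsername(provider, oAuthUser);
        if (username == null) {
            this.log.error("createUserForOauthId: could not derive a username for OAuth id {}", oAuthUser.getId());
            return null;
        }
        String userFolderPath = provider.getUserFolderPath(oAuthUser.getId(), getProviderConfig().getClientId(), oAuthUser.getProperties());
        User user = null;
        try {
            try {
                user = userManager.createUser(username, password, new NamedPrincipal(username), userFolderPath);
            } catch (AuthorizableExistsException e) {
                this.log.warn("Collision detected for userId: {} , generate unique identifier", username);
                String uniqueName = generateUniqueIdentifier(userManager, username);
                if (uniqueName == null) {
                    this.log.error("createUserForOauthId: no free username found for {} after {} tries", username, MAX_COLLISION_TRIES);
                    return null;
                }
                user = userManager.createUser(uniqueName, password, new NamedPrincipal(uniqueName), userFolderPath);
            }
            return user;
        } catch (RepositoryException e) {
            // defensive: undo a partially created user before propagating
            if (user != null) {
                try {
                    user.remove();
                } catch (RepositoryException cleanupFailure) {
                    this.log.debug("could not remove partially created user", cleanupFailure);
                }
            }
            throw e;
        }
    }

    /**
     * Fills a fresh byte array from the platform crypto support, falling back to
     * {@link SecureRandom} (previously {@code java.util.Random}, which is predictable).
     */
    private byte[] randomBytes(CryptoSupport cryptoSupport, int length) {
        byte[] bytes = new byte[length];
        try {
            cryptoSupport.nextRandomBytes(bytes);
        } catch (CryptoException e) {
            this.log.error("cryptoSupport.nextRandomBytes failed, falling back to SecureRandom", e);
            RANDOM.nextBytes(bytes);
        }
        return bytes;
    }

    /** Standard Base64 (not URL-safe) of the bytes as a UTF-8 string. */
    private String encodeBase64(byte[] bytes) {
        return StringUtils.newStringUtf8(Base64.encodeBase64(bytes));
    }

    /** Principal whose only state is its name; replaces the two anonymous classes. */
    private static final class NamedPrincipal implements Principal {
        private final String name;

        NamedPrincipal(String name) {
            this.name = name;
        }

        @Override
        public String getName() {
            return this.name;
        }
    }
}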
