package com.adobe.granite.auth.cert.impl;

import com.adobe.granite.auth.cert.UserCertificateMapping;
import com.adobe.granite.auth.cert.UserCertificateMappingException;
import com.adobe.granite.keystore.KeyStoreService;
import com.day.crx.security.token.TokenUtil;
import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Map;
import javax.jcr.RepositoryException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Properties;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.Service;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;
import org.apache.sling.jcr.api.SlingRepository;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

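/**
 * Sling {@link AuthenticationHandler} that turns the TLS client certificate the servlet
 * container attached to a request into credentials, and the {@link UserCertificateMapping}
 * service used to administer which certificate belongs to which user.
 * <p>
 * Mappings are kept in the trust store returned by {@link KeyStoreService#getTrustStore}:
 * every mapped certificate is a certificate entry whose alias is {@code <userId>#<millis>}
 * (see {@link #SEPARATOR}). The user id is recovered from an alias by cutting at the
 * <em>last</em> separator, so a user id that itself contains {@code #} still round-trips.
 * <p>
 * The handler performs no certificate validation of its own; it only reads the
 * {@code javax.servlet.request.X509Certificate} attribute. The container's TLS configuration
 * (client-auth requirement, trusted issuers, revocation checking) decides which certificates
 * ever reach this code, and the trust store consulted here answers only "which user is this
 * certificate mapped to".
 */
@Service
@Component(specVersion = "1.1", label = "%auth.clientcerthandler.name", description = "%auth.clientcerthandler.description", metatype = true)
@Properties({@Property(name = "path", value = {"/"}), @Property(name = "service.ranking", intValue = {0}, propertyPrivate = false)})
public class ClientCertAuthHandler implements AuthenticationHandler, UserCertificateMapping {
    private final Logger log = LoggerFactory.getLogger(getClass().getName());

    @Property(name = "service.description")
    private static final String DESCRIPTION = "Granite Client Certificate Authentication Handler";

    /** Authentication type reported on the fallback credentials built when token creation fails. */
    @Property(name = "authtype", propertyPrivate = true)
    public static final String CERT_AUTHENTICATED = "certAuthenticated";
    /** {@link AuthenticationInfo} key under which the presented client certificate is stored. */
    public static final String CERT = "cert";
    /** Separates the user id from the timestamp in a trust-store alias: {@code <userId>#<millis>}. */
    public static final String SEPARATOR = "#";

    @Reference
    private SlingRepository repository;

    @Reference
    private ResourceResolverFactory rrf;

    @Reference
    private KeyStoreService keyStoreService;

    /**
     * Builds credentials from the client certificate presented on the request.
     *
     * @param httpServletRequest  the request; the container-set
     *                            {@code javax.servlet.request.X509Certificate} attribute is read
     * @param httpServletResponse the response, handed to {@link TokenUtil#createCredentials}
     * @return token credentials for the user the certificate is mapped to; {@code null} when the
     *         request carries no certificate or the certificate is mapped to no user; if mapping
     *         or token creation throws, a fallback {@link AuthenticationInfo} of type
     *         {@link #CERT_AUTHENTICATED} carrying the certificate under {@link #CERT} (plus the
     *         user id when the mapping step had already succeeded)
     */
    @Override
    public AuthenticationInfo extractCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        X509Certificate[] chain = (X509Certificate[]) httpServletRequest.getAttribute("javax.servlet.request.X509Certificate");
        if (chain == null || chain.length == 0) {
            return null;
        }
        // Per the Servlet spec the first element is the client's own certificate; the rest is its chain.
        X509Certificate clientCert = chain[0];
        String userId = null;
        AuthenticationInfo authenticationInfo = null;
        try {
            userId = findMappedUsers(clientCert);
            if (userId != null) {
                authenticationInfo = TokenUtil.createCredentials(httpServletRequest, httpServletResponse, this.repository, userId, true);
                authenticationInfo.put(CERT, clientCert);
            }
        } catch (Exception e) {
            // Broad catch kept on purpose: both the mapping lookup and token creation can fail, and
            // the contract here is to degrade to plain certificate credentials rather than to fail
            // the request. NOTE(review): if findMappedUsers itself threw, userId is still null and
            // the fallback carries only the certificate; whatever login module consumes
            // CERT_AUTHENTICATED must then reject or map it — confirm downstream.
            this.log.warn("Unable to create token credentials, setting cert for uid " + userId, e);
            authenticationInfo = new AuthenticationInfo(CERT_AUTHENTICATED, userId);
            authenticationInfo.put(CERT, clientCert);
        }
        return authenticationInfo;
    }

    /**
     * Decodes the user id from a trust-store alias written by {@link #mapCertificate}:
     * everything before the last {@link #SEPARATOR}.
     *
     * @param alias a trust-store alias, may be {@code null}
     * @return the user id, or {@code null} when {@code alias} is {@code null} or contains no
     *         separator (i.e. the entry is not a user mapping)
     */
    private static String mappedUserId(String alias) {
        if (alias == null) {
            return null;
        }
        int sep = alias.lastIndexOf(SEPARATOR);
        return sep > -1 ? alias.substring(0, sep) : null;
    }

    /**
     * Looks up the user id the given certificate is mapped to.
     * <p>
     * The request is not authenticated at this point, so the trust store is read through a
     * service resource resolver rather than a user session.
     *
     * @param x509Certificate the client certificate to look up
     * @return the mapped user id, or {@code null} if the certificate is absent from the trust
     *         store or stored under an alias that is not a user mapping
     * @throws UserCertificateMappingException if no service resolver can be obtained or the
     *                                         trust store cannot be read
     */
    private String findMappedUsers(X509Certificate x509Certificate) throws UserCertificateMappingException {
        ResourceResolver resourceResolver = null;
        try {
            resourceResolver = this.rrf.getServiceResourceResolver((Map<String, Object>) null);
            String alias = this.keyStoreService.getTrustStore(resourceResolver).getCertificateAlias(x509Certificate);
            return mappedUserId(alias);
        } catch (LoginException e) {
            throw new UserCertificateMappingException((Throwable) e);
        } catch (KeyStoreException e) {
            throw new UserCertificateMappingException(e);
        } finally {
            // Service resolvers are not request-scoped; close on every path to avoid leaking sessions.
            if (resourceResolver != null) {
                resourceResolver.close();
            }
        }
    }

    /** Never challenges the client: a certificate is either presented during the TLS handshake or not. */
    @Override
    public boolean requestCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        return false;
    }

    /** Nothing to drop: the certificate is bound to the TLS connection, not to any state held here. */
    @Override
    public void dropCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
    }

    /**
     * Maps a certificate to a user by storing it in the trust store under the alias
     * {@code <userId>#<currentTimeMillis>}.
     * <p>
     * If the certificate is already present under <em>any</em> alias — including one belonging to
     * a different user — that entry is deleted first, so this call re-assigns the certificate
     * instead of failing. Two calls for the same user within one millisecond produce the same
     * alias and the later entry overwrites the earlier one.
     *
     * @param resourceResolver resolver whose permissions govern the trust-store write and user lookup
     * @param str              the user id; must resolve to an existing, non-group authorizable
     * @param x509Certificate  the certificate to map
     * @throws UserCertificateMappingException if the resolver cannot be adapted to a
     *                                         {@link UserManager}, the user id does not name a
     *                                         user, or the trust store cannot be read or written
     */
    @Override // com.adobe.granite.auth.cert.UserCertificateMapping
    public void mapCertificate(ResourceResolver resourceResolver, String str, X509Certificate x509Certificate) throws UserCertificateMappingException {
        String newAlias = str + SEPARATOR + System.currentTimeMillis();
        try {
            UserManager userManager = (UserManager) resourceResolver.adaptTo(UserManager.class);
            if (userManager == null) {
                throw new UserCertificateMappingException("Failed to adapt given resolver to a user manager.");
            }
            Authorizable authorizable = userManager.getAuthorizable(str);
            if (authorizable == null || authorizable.isGroup()) {
                throw new UserCertificateMappingException("Failed to obtain a user using given userId " + str);
            }
            KeyStore trustStore = this.keyStoreService.getTrustStore(resourceResolver);
            String existingAlias = trustStore.getCertificateAlias(x509Certificate);
            if (existingAlias != null) {
                trustStore.deleteEntry(existingAlias);
            }
            trustStore.setCertificateEntry(newAlias, x509Certificate);
        } catch (KeyStoreException e) {
            throw new UserCertificateMappingException(e);
        } catch (RepositoryException e2) {
            throw new UserCertificateMappingException((Throwable) e2);
        }
    }

    /**
     * Removes a trust-store entry by alias.
     * <p>
     * No check is made that the alias is a user mapping (or whose mapping it is): any alias
     * present in the trust store is deleted. Callers are expected to pass an alias obtained from
     * {@link #listCertificates}.
     *
     * @param resourceResolver resolver whose permissions govern the trust-store write
     * @param str              the alias to delete
     * @throws UserCertificateMappingException if the alias does not exist or the trust store
     *                                         cannot be read or written
     */
    @Override // com.adobe.granite.auth.cert.UserCertificateMapping
    public void unmapCertificate(ResourceResolver resourceResolver, String str) throws UserCertificateMappingException {
        try {
            KeyStore trustStore = this.keyStoreService.getTrustStore(resourceResolver);
            if (!trustStore.containsAlias(str)) {
                throw new UserCertificateMappingException("Alias " + str + " doesn't exist.");
            }
            trustStore.deleteEntry(str);
        } catch (KeyStoreException e) {
            throw new UserCertificateMappingException(e);
        }
    }

    /**
     * Lists the certificates mapped to a user.
     * <p>
     * An alias is attributed to {@code str} by decoding it exactly as {@link #findMappedUsers}
     * does (text before the last {@link #SEPARATOR}), not by a plain prefix test, so user
     * {@code "a"} does not also see the entries of user {@code "a#b"}. Entries that hold no
     * {@link X509Certificate} are skipped.
     *
     * @param resourceResolver resolver whose permissions govern the trust-store read and user lookup
     * @param str              the user id; must resolve to an existing, non-group authorizable
     * @return a mutable map from trust-store alias to certificate; empty if nothing is mapped
     * @throws UserCertificateMappingException if the resolver cannot be adapted to a
     *                                         {@link UserManager}, the user id does not name a
     *                                         user, or the trust store cannot be read
     */
    @Override // com.adobe.granite.auth.cert.UserCertificateMapping
    public Map<String, X509Certificate> listCertificates(ResourceResolver resourceResolver, String str) throws UserCertificateMappingException {
        try {
            UserManager userManager = (UserManager) resourceResolver.adaptTo(UserManager.class);
            if (userManager == null) {
                throw new UserCertificateMappingException("Failed to adapt given resolver to a user manager.");
            }
            Authorizable authorizable = userManager.getAuthorizable(str);
            if (authorizable == null || authorizable.isGroup()) {
                throw new UserCertificateMappingException("Failed to obtain a user using given userId " + str);
            }
            KeyStore trustStore = this.keyStoreService.getTrustStore(resourceResolver);
            Map<String, X509Certificate> result = new HashMap<String, X509Certificate>();
            Enumeration<String> aliases = trustStore.aliases();
            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();
                if (!str.equals(mappedUserId(alias))) {
                    continue;
                }
                Certificate certificate = trustStore.getCertificate(alias);
                if (certificate instanceof X509Certificate) {
                    result.put(alias, (X509Certificate) certificate);
                }
            }
            return result;
        } catch (KeyStoreException e) {
            throw new UserCertificateMappingException(e);
        } catch (RepositoryException e2) {
            throw new UserCertificateMappingException((Throwable) e2);
        }
    }

    /** SCR bind method for the {@code repository} reference. */
    protected void bindRepository(SlingRepository slingRepository) {
        this.repository = slingRepository;
    }

    /** SCR unbind method for the {@code repository} reference; clears the field only if it still holds this service. */
    protected void unbindRepository(SlingRepository slingRepository) {
        if (this.repository == slingRepository) {
            this.repository = null;
        }
    }

    /** SCR bind method for the {@code rrf} reference. */
    protected void bindRrf(ResourceResolverFactory resourceResolverFactory) {
        this.rrf = resourceResolverFactory;
    }

    /** SCR unbind method for the {@code rrf} reference; clears the field only if it still holds this service. */
    protected void unbindRrf(ResourceResolverFactory resourceResolverFactory) {
        if (this.rrf == resourceResolverFactory) {
            this.rrf = null;
        }
    }

    /** SCR bind method for the {@code keyStoreService} reference. */
    protected void bindKeyStoreService(KeyStoreService keyStoreService) {
        this.keyStoreService = keyStoreService;
    }

    /** SCR unbind method for the {@code keyStoreService} reference; clears the field only if it still holds this service. */
    protected void unbindKeyStoreService(KeyStoreService keyStoreService) {
        if (this.keyStoreService == keyStoreService) {
            this.keyStoreService = null;
        }
    }
}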
