package com.adobe.granite.auth.ims.impl;

import com.adobe.granite.auth.ims.impl.CachedIMSClusterATExchangeGrantProviderImpl;
import com.adobe.granite.auth.ims.impl.IMSClusterATExchangeGrantProviderImpl;
import com.adobe.granite.auth.ims.impl.http.client.IMSHttpClientBuilder;
import com.adobe.granite.auth.ims.impl.request.ImsRequestTokenProviderImpl;
import com.adobe.granite.auth.oauth.ExtendedTokenValidator;
import java.io.IOException;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import org.jetbrains.annotations.NotNull;
import org.osgi.service.cm.ConfigurationEvent;
import org.osgi.service.cm.ConfigurationListener;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Deactivate;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.http.whiteboard.Preprocessor;
import org.osgi.service.metatype.annotations.AttributeDefinition;
import org.osgi.service.metatype.annotations.Designate;
import org.osgi.service.metatype.annotations.ObjectClassDefinition;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Designate(ocd = Config.class)
@Component(service = {Preprocessor.class, ConfigurationListener.class}, property = {"service.description=This preprocessor is designed to work in conjunction with the Adobe Granite Bearer Authentication Handler. It will exchange every IMS Bearer token received for another one that is guaranteed to be part of the same IMS Organization. This is needed to maintain backwards compatibility after the incorporation of T2E users in IMS.", "osgi.http.whiteboard.filter.pattern=/", "osgi.http.whiteboard.context.select=(osgi.http.whiteboard.context.name=*)"})
/* loaded from: input_file:com/adobe/granite/auth/ims/impl/IMSClusterExchangeTokenPreprocessor.class */
public class IMSClusterExchangeTokenPreprocessor implements Preprocessor, ConfigurationListener {
    static final String SERVICE_DESCRIPTION = "This preprocessor is designed to work in conjunction with the Adobe Granite Bearer Authentication Handler. It will exchange every IMS Bearer token received for another one that is guaranteed to be part of the same IMS Organization. This is needed to maintain backwards compatibility after the incorporation of T2E users in IMS.";
    private static final String TOKEN_VALIDATOR_TARGET = "(auth.token.validator.type=com.adobe.granite.auth.ims.impl.token.OfflineValidatorImpl)";
    static final String IMS_CONFIG_PROVIDER_PID = "com.adobe.granite.auth.ims.impl.ImsConfigProviderImpl";
    static final String IMS_PROVIDER_PID = "com.adobe.granite.auth.ims.impl.IMSProviderImpl";
    static final String OAUTH_PROVIDER_PPID = "com.adobe.granite.auth.oauth.provider";
    static final String BEARER_AUTHN_HANDLER_PID = "com.adobe.granite.auth.oauth.impl.BearerAuthenticationHandler";
    static final String OAUTH_CONFIG_ID_PROPERTY_IN_IMS_CONFIG_PROVIDER = "oauth.configmanager.ims.configid";
    static final String OAUTH_CONFIG_ID_PROPERTY_IN_OAUTH_PROVIDER = "oauth.config.id";
    static final String IMS_OWNING_ENTITY_PROPERTY = "ims.owningEntity";
    static final String VALIDATE_TOKEN_URL_PROPERTY = "oauth.provider.ims.validate.token.url";
    static final String OAUTH_CLIENT_ID_PROPERTY = "oauth.client.id";
    static final String OAUTH_CLIENT_SECRET_PROPERTY = "oauth.client.secret";
    static final String ALLOWED_CLIENT_IDS_PROPERTY = "oauth.clientIds.allowed";
    private final Logger log = LoggerFactory.getLogger(getClass());
    private final IMSHttpClientBuilder imsHttpClientBuilder;
    private IMSClusterATExchangeGrantProvider grantExecutor;
    private final ArbitraryConfigurationProvider confLoader;
    private final ExtendedTokenValidator offlineValidator;
    private String oauthConfigId;
    private String clientId;
    private String clientSecret;
    private String tokenExchangeURL;
    private String imsOrg;
    private Set<String> allowedClients;
    private final boolean disableCache;
    private final int cacheSize;
    private final long cacheTTL;
    boolean configurationIsHealthy;

    @ObjectClassDefinition(name = "Adobe Granite IMS Cluster Exchange Token Preprocessor", description = IMSClusterExchangeTokenPreprocessor.SERVICE_DESCRIPTION)
    /* loaded from: input_file:com/adobe/granite/auth/ims/impl/IMSClusterExchangeTokenPreprocessor$Config.class */
    public @interface Config {
        @AttributeDefinition(name = "Disable", description = "Disable the IMS Cluster Exchange Token Preprocessor. Enabled by default.")
        boolean ims_exchange_token_preprocessor_disable() default false;

        @AttributeDefinition(name = "Disable caching", description = "Disable caching for the token negotiation.")
        boolean ims_exchange_token_preprocessor_disable_cache() default false;

        @AttributeDefinition(name = "Token cache TTL", description = "How many milliseconds are the tokens going to be cached.")
        long ims_exchange_token_preprocessor_cache_ttl() default 1800000;

        @AttributeDefinition(name = "Cache capacity", description = "Maximum number of tokens being cached.")
        int ims_exchange_token_preprocessor_cache_size() default 10000;
    }

    @Activate
    public IMSClusterExchangeTokenPreprocessor(@Reference ArbitraryConfigurationProvider arbitraryConfigurationProvider, @Reference IMSHttpClientBuilder iMSHttpClientBuilder, @Reference(target = "(auth.token.validator.type=com.adobe.granite.auth.ims.impl.token.OfflineValidatorImpl)") ExtendedTokenValidator extendedTokenValidator, Config config) {
        this.confLoader = arbitraryConfigurationProvider;
        boolean ims_exchange_token_preprocessor_disable = config.ims_exchange_token_preprocessor_disable();
        this.disableCache = config.ims_exchange_token_preprocessor_disable_cache();
        this.cacheSize = config.ims_exchange_token_preprocessor_cache_size();
        this.cacheTTL = config.ims_exchange_token_preprocessor_cache_ttl();
        this.imsHttpClientBuilder = iMSHttpClientBuilder;
        this.offlineValidator = extendedTokenValidator;
        if (ims_exchange_token_preprocessor_disable) {
            return;
        }
        this.configurationIsHealthy = initializePreprocessorConfig();
        if (this.configurationIsHealthy) {
            initializeGrantProvider();
        } else {
            this.log.info("Configuration is not healthy, the IMS Cluster Exchange Token Preprocessor is bypassed.");
        }
    }

    private void initializeGrantProvider() {
        if (this.grantExecutor != null) {
            try {
                this.grantExecutor.close();
            } catch (Exception e) {
                this.log.warn("initializeGrantProvider: Unexpected exception closing IMSClusterATExchangeGrantProvider");
            } finally {
                this.grantExecutor = null;
            }
        }
        if (this.disableCache) {
            this.grantExecutor = new IMSClusterATExchangeGrantProviderImpl.Builder().withClientId(this.clientId).withClientSecret(this.clientSecret).withTokenExchangeURL(this.tokenExchangeURL).withImsOrg(this.imsOrg).withAllowedClientIds(this.allowedClients).withIMSHttpClientBuilder(this.imsHttpClientBuilder).build();
        } else {
            this.grantExecutor = new CachedIMSClusterATExchangeGrantProviderImpl.Builder().withClientId(this.clientId).withClientSecret(this.clientSecret).withTokenExchangeURL(this.tokenExchangeURL).withImsOrg(this.imsOrg).withAllowedClientIds(this.allowedClients).withIMSHttpClientBuilder(this.imsHttpClientBuilder).withCacheSize(this.cacheSize).withCacheTTL(this.cacheTTL).build();
        }
    }

    @Deactivate
    void deactivate() {
        if (this.grantExecutor != null) {
            try {
                this.grantExecutor.close();
            } catch (Exception e) {
                this.log.warn("deactivate: Unexpected exception closing IMSClusterATExchangeGrantProvider");
            } finally {
                this.grantExecutor = null;
            }
        }
    }

    public void init(FilterConfig filterConfig) {
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        if (!this.configurationIsHealthy) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        HttpServletRequest httpServletRequest = (HttpServletRequest) servletRequest;
        String extractAccessTokenFromRequestHeader = extractAccessTokenFromRequestHeader(httpServletRequest);
        if (extractAccessTokenFromRequestHeader == null) {
            this.log.trace("doFilter: Failure extracting token from Authorization header.");
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        this.log.debug("doFilter: Bearer token successfully extracted from the Authorization header.");
        boolean isValid = this.offlineValidator.isValid(extractAccessTokenFromRequestHeader);
        this.log.debug("doFilter: Offline token validator, validation returned: {}", Boolean.valueOf(isValid));
        if (!isValid) {
            this.log.debug("doFilter: The token is invalid, skipping token exchange.");
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        this.log.debug("doFilter: Token has been validated offline. Performing token exchange.");
        servletRequest.setAttribute(ImsRequestTokenProviderImpl.PN_REQUEST_TOKEN, extractAccessTokenFromRequestHeader);
        String exchangeAccessToken = exchangeAccessToken(extractAccessTokenFromRequestHeader);
        if (exchangeAccessToken == null) {
            filterChain.doFilter(servletRequest, servletResponse);
            return;
        }
        this.log.debug("Correct token exchange, modifying the request.");
        servletRequest.setAttribute(ImsRequestTokenProviderImpl.PN_EXCHANGED_TOKEN, exchangeAccessToken);
        filterChain.doFilter(changeRequestTokenInHeader(httpServletRequest, exchangeAccessToken), servletResponse);
    }

    private String extractAccessTokenFromRequestHeader(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader("Authorization");
        if (header == null) {
            this.log.trace("extractAccessTokenFromRequestHeader: No Authorization header found.");
            return null;
        }
        String trim = header.trim();
        if (trim.length() == 0) {
            this.log.debug("extractAccessTokenFromRequestHeader: Empty Authorization header found.");
            return null;
        }
        if (trim.startsWith("Bearer ")) {
            return trim.substring(7).trim();
        }
        this.log.debug("extractAccessTokenFromRequestHeader: Authorization header doesn't match the expected \"Bearer + Token\" format.");
        return null;
    }

    private String exchangeAccessToken(@NotNull String str) {
        try {
            AccessToken accessToken = new AccessToken(str);
            if (this.grantExecutor == null) {
                this.log.warn("exchangeAccessToken: grantExecutor is null. The access token cannot be exchanged. [{}]", accessToken.getFingerPrint());
                return null;
            }
            String exchangeTokenByIMSOrg = this.grantExecutor.exchangeTokenByIMSOrg(str);
            if (exchangeTokenByIMSOrg == null) {
                this.log.debug("exchangeAccessToken: failure to exchange token: [{}]", accessToken.getFingerPrint());
                return null;
            }
            this.log.debug("exchangeAccessToken: exchanged token [{}] with [{}]. This exchange may be cached.", accessToken.getFingerPrint(), new AccessToken(exchangeTokenByIMSOrg).getFingerPrint());
            return exchangeTokenByIMSOrg;
        } catch (Throwable th) {
            this.log.error("exchangeAccessToken: Error while exchanging access token", th);
            return null;
        }
    }

    private HttpServletRequest changeRequestTokenInHeader(HttpServletRequest httpServletRequest, final String str) {
        return new HttpServletRequestWrapper(httpServletRequest) { // from class: com.adobe.granite.auth.ims.impl.IMSClusterExchangeTokenPreprocessor.1
            public String getHeader(String str2) {
                return "Authorization".equalsIgnoreCase(str2) ? "Bearer " + str : super.getHeader(str2);
            }
        };
    }

    private boolean initializePreprocessorConfig() {
        return configurePreprocessorWithImsConfigProvider() && configurePreprocessorWithImsProvider() && configurePreprocessorWithOauthProvider() && configurePreprocessorWithBearerAuthenticationHandler();
    }

    private boolean configurePreprocessorWithImsConfigProvider() {
        this.oauthConfigId = this.confLoader.readConfigPropertyAsString(IMSUtil.configFilter(IMS_CONFIG_PROVIDER_PID), OAUTH_CONFIG_ID_PROPERTY_IN_IMS_CONFIG_PROVIDER);
        if (this.oauthConfigId == null) {
            this.log.debug("configurePreprocessorWithImsConfigProvider: Error reading {} property.", OAUTH_CONFIG_ID_PROPERTY_IN_IMS_CONFIG_PROVIDER);
            return false;
        }
        this.imsOrg = this.confLoader.readConfigPropertyAsString(IMSUtil.configFilter(IMS_CONFIG_PROVIDER_PID), "ims.owningEntity");
        if (this.imsOrg != null) {
            return true;
        }
        this.log.debug("configurePreprocessorWithImsConfigProvider: Error reading {} property.", "ims.owningEntity");
        return false;
    }

    private boolean configurePreprocessorWithImsProvider() {
        String readConfigPropertyAsString = this.confLoader.readConfigPropertyAsString(IMSUtil.configFilter(IMS_PROVIDER_PID), VALIDATE_TOKEN_URL_PROPERTY);
        if (readConfigPropertyAsString == null) {
            this.log.debug("configurePreprocessorWithImsProvider : Error reading {} property.", VALIDATE_TOKEN_URL_PROPERTY);
            return false;
        }
        try {
            this.tokenExchangeURL = IMSUtil.getBaseUrl(readConfigPropertyAsString).append(IMSConstants.CLUSTER_AT_EXCHANGE_API).toString();
            return true;
        } catch (URISyntaxException e) {
            this.log.debug("configurePreprocessorWithImsProvider: Error building tokenExchangeURL.");
            return false;
        }
    }

    private boolean configurePreprocessorWithOauthProvider() {
        this.clientId = this.confLoader.readConfigPropertyAsString(IMSUtil.factoryConfigFilterExtended(OAUTH_PROVIDER_PPID, OAUTH_CONFIG_ID_PROPERTY_IN_OAUTH_PROVIDER, this.oauthConfigId), OAUTH_CLIENT_ID_PROPERTY);
        if (this.clientId == null) {
            this.log.debug("configurePreprocessorOAuthProperties: Error reading {} property.", OAUTH_CLIENT_ID_PROPERTY);
            return false;
        }
        this.clientSecret = this.confLoader.readConfigPropertyAsString(IMSUtil.factoryConfigFilterExtended(OAUTH_PROVIDER_PPID, OAUTH_CONFIG_ID_PROPERTY_IN_OAUTH_PROVIDER, this.oauthConfigId), OAUTH_CLIENT_SECRET_PROPERTY);
        if (this.clientSecret != null) {
            return true;
        }
        this.log.debug("configurePreprocessorOAuthProperties: Error reading {} property.", OAUTH_CLIENT_SECRET_PROPERTY);
        return false;
    }

    private boolean configurePreprocessorWithBearerAuthenticationHandler() {
        String[] readConfigMultiPropertyAsStringArray = this.confLoader.readConfigMultiPropertyAsStringArray(IMSUtil.configFilter(BEARER_AUTHN_HANDLER_PID), ALLOWED_CLIENT_IDS_PROPERTY);
        if (readConfigMultiPropertyAsStringArray == null) {
            this.log.debug("configurePreprocessorWithBearerAuthenticationHandler: Error reading {} property.", ALLOWED_CLIENT_IDS_PROPERTY);
            return false;
        }
        this.allowedClients = new HashSet(Arrays.asList(readConfigMultiPropertyAsStringArray));
        return true;
    }

    public void configurationEvent(ConfigurationEvent configurationEvent) {
        boolean z = false;
        if (IMS_CONFIG_PROVIDER_PID.equals(configurationEvent.getPid())) {
            this.log.info("{} configuration updated, updating IMSClusterExchangeTokenPreprocessor ...", IMS_CONFIG_PROVIDER_PID);
            z = true;
        }
        if (IMS_PROVIDER_PID.equals(configurationEvent.getPid())) {
            this.log.info("{} configuration updated, updating IMSClusterExchangeTokenPreprocessor ...", IMS_PROVIDER_PID);
            z = true;
        }
        if (OAUTH_PROVIDER_PPID.equals(configurationEvent.getFactoryPid())) {
            this.log.info("{} configuration updated, updating IMSClusterExchangeTokenPreprocessor ...", OAUTH_PROVIDER_PPID);
            z = true;
        }
        if (BEARER_AUTHN_HANDLER_PID.equals(configurationEvent.getPid())) {
            this.log.info("{} configuration updated, updating IMSClusterExchangeTokenPreprocessor ...", BEARER_AUTHN_HANDLER_PID);
            z = true;
        }
        if (z) {
            this.configurationIsHealthy = initializePreprocessorConfig();
            if (!this.configurationIsHealthy) {
                this.log.warn("After the update, IMSClusterExchangeTokenPreprocessor configuration is UNHEALTHY.");
            } else {
                this.log.info("After the update, IMSClusterExchangeTokenPreprocessor configuration is healthy.");
                initializeGrantProvider();
            }
        }
    }
}
