package com.adobe.granite.auth.saml.extidp;

import com.adobe.granite.auth.saml.SamlIdentitySync;
import com.adobe.granite.auth.saml.spi.Assertion;
import com.adobe.granite.auth.saml.spi.Attribute;
import com.adobe.granite.auth.saml.spi.SamlCredentials;
import com.day.crx.security.token.TokenCookie;
import java.util.HashSet;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringUtils;
import org.apache.sling.auth.core.spi.AuthenticationInfo;
import org.apache.sling.jcr.api.SlingRepository;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/adobe/granite/auth/saml/extidp/SamlIdpUserSync.class */
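/**
 * {@link SamlIdentitySync} implementation that turns a SAML assertion into
 * {@link SamlCredentials} and, after a successful login, writes the login token
 * found on those credentials into the token cookie.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Attribute names and values come from the assertion. This class does not
 *       verify the assertion itself; it presumably relies on the caller having
 *       validated signature, audience and validity window beforehand (confirm
 *       against the caller).</li>
 *   <li>The login token is a bearer secret and must never be written to logs.</li>
 * </ul>
 */
public class SamlIdpUserSync implements SamlIdentitySync {
    public static final String SYNC_TYPE_IDP = "idp";
    public static final String SYNC_TYPE_IDP_DYNAMIC = "idp_dynamic";
    public static final String SYNC_TYPE_IDP_DYNAMIC_SIMPLIFIED_ID = "idp_dynamic_simplified_id";
    public static final String SYNC_TYPE_DEFAULT = "default";
    private final String idp;
    private final String workspace;
    private final String repositoryId;
    private final String groupsAttribute;
    // Not read or written anywhere in this class; kept so the class layout is unchanged.
    private SlingRepository repository = null;
    private final boolean idpNameInUserId;
    private static final String ENCAPSULATED_TOKEN_SCOPE_VALUE = "login";
    private static final Logger log = LoggerFactory.getLogger(SamlIdpUserSync.class);
    // NOTE(review): non-final and package-visible, so other code in this package can
    // reassign the reserved attribute name. Consider making it final once it is
    // confirmed that nothing assigns it.
    static String TOKEN_ATTRIBUTE = ".token";

    /**
     * Creates a sync handler bound to one identity provider.
     *
     * @param str  identity provider name passed to {@link SamlCredentials}
     * @param str2 workspace passed to the token cookie update
     * @param str3 repository id used as the token cookie scope for non-encapsulated tokens
     * @param str4 name of the assertion attribute that carries group memberships
     * @param z    forwarded to {@link SamlCredentials}; presumably controls whether the
     *             IdP name becomes part of the user id (confirm against SamlCredentials)
     */
    public SamlIdpUserSync(String str, String str2, String str3, String str4, boolean z) {
        this.idp = str;
        this.workspace = str2;
        this.repositoryId = str3;
        this.groupsAttribute = str4;
        this.idpNameInUserId = z;
    }

    /**
     * Builds the {@link AuthenticationInfo} for a SAML login.
     *
     * <p>The credentials receive the value of {@code str2} under
     * {@link SamlIdentitySync#PROPERTY_SAML_RESPONSE}, an empty token placeholder under
     * {@link #TOKEN_ATTRIBUTE}, the groups listed in the configured groups attribute, and a
     * string copy of every other assertion attribute.
     *
     * @param httpServletRequest  current request (unused here)
     * @param httpServletResponse current response (unused here)
     * @param assertion           assertion whose attributes are copied
     * @param str                 user id for the authentication info and credentials
     * @param str2                value stored as the SAML response attribute
     * @return authentication info carrying the credentials under {@code user.jcr.credentials}
     */
    @Override // com.adobe.granite.auth.saml.SamlIdentitySync
    public AuthenticationInfo process(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, Assertion assertion, String str, String str2) {
        AuthenticationInfo authenticationInfo = new AuthenticationInfo(SamlIdentitySync.AUTH_TYPE, str);
        SamlCredentials samlCredentials = new SamlCredentials(str, this.idp, this.idpNameInUserId);
        samlCredentials.setAttribute(SamlIdentitySync.PROPERTY_SAML_RESPONSE, str2);
        // Empty placeholder; presumably replaced with the issued login token during
        // login (confirm against the login module). authenticationSucceeded reads it back.
        samlCredentials.setAttribute(TOKEN_ATTRIBUTE, "");

        Map<String, Attribute> attributes = assertion.getAttributes();

        HashSet<String> groups = new HashSet<>();
        Attribute groupsValue = attributes.get(this.groupsAttribute);
        if (groupsValue != null) {
            for (Object group : groupsValue.getListValue()) {
                if (group != null) {
                    groups.add(group.toString());
                }
            }
        }
        samlCredentials.setSamlGroups(groups);

        for (Map.Entry<String, Attribute> entry : attributes.entrySet()) {
            String name = entry.getKey();
            Attribute attribute = entry.getValue();
            if (attribute == null) {
                continue;
            }
            // Attribute names are chosen by whoever issued the assertion. Never let one of
            // them replace the reserved entries set above: the token placeholder is later
            // written into the token cookie, and the stored SAML response must stay the
            // one that was actually received.
            if (TOKEN_ATTRIBUTE.equals(name) || SamlIdentitySync.PROPERTY_SAML_RESPONSE.equals(name)) {
                log.warn("ignoring assertion attribute '{}': name is reserved for internal credentials data", name);
                continue;
            }
            Object value = attribute.getValue();
            if (value != null) {
                samlCredentials.setAttribute(name, value.toString());
            }
        }
        authenticationInfo.put("user.jcr.credentials", samlCredentials);
        return authenticationInfo;
    }

    /**
     * Writes the login token found on the SAML credentials into the token cookie.
     *
     * <p>Does nothing when the credentials are not {@link SamlCredentials} or when the token
     * attribute is missing or empty. Tokens that look encapsulated are stored under the
     * {@code login} scope, all others under the configured repository id.
     *
     * @param httpServletRequest  current request, passed to the cookie update
     * @param httpServletResponse current response, passed to the cookie update
     * @param authenticationInfo  authentication info produced by {@link #process}
     */
    @Override // com.adobe.granite.auth.saml.SamlIdentitySync
    public void authenticationSucceeded(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationInfo authenticationInfo) {
        Object credentials = authenticationInfo.get("user.jcr.credentials");
        if (!(credentials instanceof SamlCredentials)) {
            return;
        }
        Object tokenAttribute = ((SamlCredentials) credentials).getAttribute(TOKEN_ATTRIBUTE);
        String token = tokenAttribute == null ? "" : tokenAttribute.toString();
        if (token.isEmpty()) {
            log.debug("missing token attribute, will not update token cookie.");
            return;
        }
        String scope = isEncapsulatedToken(token) ? ENCAPSULATED_TOKEN_SCOPE_VALUE : this.repositoryId;
        TokenCookie.update(httpServletRequest, httpServletResponse, scope, token, this.workspace, true);
        // The token is a bearer credential: anyone who can read the log could replay it.
        // Log only non-secret context, never the token value.
        log.debug("updated token cookie for workspace {}", this.workspace);
    }

    /**
     * Reports whether a token has the shape of an encapsulated token: exactly two dots and
     * an {@code ey} prefix (the shape of a compact JWT).
     *
     * <p>This is a format heuristic only; it does not verify or decode the token.
     *
     * @param str token value, may be {@code null}
     * @return {@code true} when the value matches the shape described above
     */
    private static boolean isEncapsulatedToken(String str) {
        return str != null && StringUtils.countMatches(str, ".") == 2 && str.startsWith("ey");
    }
}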
