package com.adobe.granite.auth.sso.impl;

import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Dictionary;
import java.util.HashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.codec.binary.Base64;
import org.apache.felix.scr.annotations.Activate;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.ConfigurationPolicy;
import org.apache.felix.scr.annotations.Deactivate;
import org.apache.felix.scr.annotations.Properties;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.Service;
import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;
import org.apache.sling.commons.osgi.OsgiUtil;
import org.osgi.service.component.ComponentContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

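/**
 * Sling {@link AuthenticationHandler} that takes a user ID from a configured request header,
 * cookie or request parameter (looked up in that order), decodes it with the configured
 * format ({@code AsIs}, {@code Basic} or a regular expression), optionally remaps it through
 * the {@code usermap} configuration and returns it as {@link AuthenticationInfo} of type
 * {@code SSO}.
 *
 * <p><b>Security note:</b> nothing in this class verifies where the header, cookie or
 * parameter came from; the value is read from the request and used as the identity. The
 * handler is therefore only safe when a trusted front end is the sole party able to set the
 * configured names and discards any client-supplied copies. Confirm this for each deployment.
 */
@Service({AuthenticationHandler.class})
@Component(label = "%auth.sso.name", description = "%auth.sso.description", metatype = true, policy = ConfigurationPolicy.REQUIRE)
@Properties({
    @Property(name = "service.description", value = {"Adobe Granite SSO Authentication Handler"}),
    @Property(name = "path", value = {"/"}),
    @Property(name = "service.ranking", intValue = {0}, propertyPrivate = false),
    @Property(name = "jaas.controlFlag", value = {"sufficient"}),
    @Property(name = "jaas.realmName", value = {"jackrabbit.oak"}),
    @Property(name = "jaas.ranking", intValue = {90})
})
/* loaded from: input_file:com/adobe/granite/auth/sso/impl/SsoAuthenticationHandler.class */
public class SsoAuthenticationHandler implements AuthenticationHandler {

    // Authentication type reported in the AuthenticationInfo built by extractCredentials.
    @Property(name = "authtype", propertyPrivate = true)
    private static final String TYPE = "SSO";

    // Configuration key: names of request headers that may carry the SSO user ID.
    @Property(cardinality = Integer.MAX_VALUE)
    public static final String PROPERTY_HEADERS = "headers";
    public static final String DEFAULT_COOKIE_NAME = "cqpsso";

    // Configuration key: names of cookies that may carry the SSO user ID.
    @Property(cardinality = Integer.MAX_VALUE, value = {DEFAULT_COOKIE_NAME})
    public static final String PROPERTY_COOKIES = "cookies";

    // Configuration key: names of request parameters that may carry the SSO user ID.
    @Property(cardinality = Integer.MAX_VALUE)
    public static final String PROPERTY_PARAMETERS = "parameters";

    // Configuration key: "decodedId=repositoryId" mappings, see parseUserMap.
    @Property(cardinality = Integer.MAX_VALUE)
    public static final String PROPERTY_USERMAP = "usermap";
    private static final String DEFAULT_FORMAT = "Basic";

    // Configuration key: "AsIs", "Basic", or anything else, which is treated as a regular expression.
    @Property({DEFAULT_FORMAT})
    public static final String PROPERTY_FORMAT = "format";
    private static final String DEFAULT_TRUSTED_CREDENTIALS_ATTRIBUTE = "";

    // Configuration key: AuthenticationInfo attribute that receives the user ID when JAAS is not enabled.
    @Property({DEFAULT_TRUSTED_CREDENTIALS_ATTRIBUTE})
    public static final String PROPERTY_TRUSTED_CREDENTIALS_ATTRIBUTE = "trustedCredentialsAttribute";
    private String[] headerNames;
    private String[] cookieNames;
    private String[] parameterNames;
    private Map<String, String> userMap;
    private Decoder decoder;
    private String trustedCredentialsAttribute;
    private final Logger log = LoggerFactory.getLogger(getClass().getName());
    private final JaasHelper jaasHelper = new JaasHelper();

    /** Base decoder: returns the received value unchanged ("AsIs" format). */
    /* loaded from: input_file:com/adobe/granite/auth/sso/impl/SsoAuthenticationHandler$Decoder.class */
    private static class Decoder {
        static final String FORMAT = "AsIs";
        protected final Logger log;

        private Decoder() {
            this.log = LoggerFactory.getLogger(getClass());
        }

        /**
         * Turns the raw value received from the request into a user ID.
         *
         * @param str raw header, cookie or parameter value
         * @return the user ID, or {@code null} when none can be extracted
         */
        String decode(String str) {
            return str;
        }

        @Override
        public String toString() {
            return FORMAT;
        }
    }

    /** Decoder for values shaped like an HTTP Basic {@code Authorization} header. */
    /* loaded from: input_file:com/adobe/granite/auth/sso/impl/SsoAuthenticationHandler$HttpBasicDecoder.class */
    private static class HttpBasicDecoder extends Decoder {
        static final String FORMAT = "Basic";

        private HttpBasicDecoder() {
            super();
        }

        /**
         * Extracts the user name from a {@code "Basic <base64(user:password)>"} value.
         * Only the part before the first ':' is returned; the password part is discarded
         * and never checked here.
         *
         * @param str raw value
         * @return the user name, or {@code null} if the value is not a Basic header
         */
        @Override
        String decode(String str) {
            String[] parts = str.split(" ");
            if (parts.length < 2) {
                // The raw value is deliberately not logged: it may hold Base64-encoded credentials.
                this.log.info("decodeAuthorizationHeader: Not a valid Authorization header");
                return null;
            }
            String scheme = parts[0];
            String encoded = parts[1];
            if (!scheme.equalsIgnoreCase(FORMAT)) {
                this.log.info("decodeAuthorizationHeader: Unsupported HTTP authentication scheme {}", scheme);
                return null;
            }
            try {
                String credentials = new String(Base64.decodeBase64(encoded.getBytes("ISO-8859-1")), "ISO-8859-1");
                int colon = credentials.indexOf(':');
                return colon < 0 ? credentials : credentials.substring(0, colon);
            } catch (UnsupportedEncodingException e) {
                this.log.error("decodeAuthorizationHeader: Cannot en/decode authentication info", e);
                return null;
            }
        }

        @Override
        public String toString() {
            return FORMAT;
        }
    }

    /** Decoder that extracts the user ID with a configured regular expression. */
    /* loaded from: input_file:com/adobe/granite/auth/sso/impl/SsoAuthenticationHandler$RegexDecoder.class */
    private static class RegexDecoder extends Decoder {
        static final String FORMAT = "Regex";
        // Stays null when the configured expression does not compile; decode() then rejects every value.
        private Pattern pattern;
        private int matchGroup;

        /**
         * Parses a format string of the form {@code <regex>} or {@code <regex>|<group>}.
         * Everything after the last '|' is read as the match group number, so an
         * expression that itself contains '|' needs the trailing {@code |<group>} part.
         *
         * @param str the configured format string
         */
        RegexDecoder(String str) {
            super();
            int separator = str.lastIndexOf('|');
            String expression = separator == -1 ? str : str.substring(0, separator);
            int group = -1;
            if (separator != -1) {
                String groupText = str.substring(separator + 1);
                try {
                    group = Integer.parseInt(groupText);
                } catch (NumberFormatException e) {
                    this.log.error("Cannot parse match group '{}' to a number; assuming default", groupText);
                }
            }
            try {
                this.pattern = Pattern.compile(expression);
                this.matchGroup = group;
            } catch (PatternSyntaxException e) {
                // Fail closed: the earlier message promised an 'as is' fallback that was never
                // implemented (decode() threw a NullPointerException instead). An authentication
                // handler should not widen what it accepts because of a configuration error.
                this.log.error("Unable to parse regexp '{}'; no user ID will be extracted until the format is corrected", str, e);
            }
        }

        /**
         * Applies the pattern to the value and returns the selected group: the configured
         * group (capped at the number of groups), else group 1 if the pattern has groups,
         * else the whole match.
         *
         * @param str raw value
         * @return the matched user ID, or {@code null} when the value does not match or no
         *         valid pattern is configured
         */
        @Override
        String decode(String str) {
            if (this.pattern == null) {
                this.log.debug("No valid expression configured; value ignored");
                return null;
            }
            Matcher matcher = this.pattern.matcher(str);
            if (matcher.find()) {
                int group;
                if (this.matchGroup >= 0) {
                    group = Math.min(this.matchGroup, matcher.groupCount());
                } else {
                    group = matcher.groupCount() > 0 ? 1 : 0;
                }
                return matcher.group(group);
            }
            // The request-supplied value is not logged; the expression is enough to diagnose configuration.
            this.log.info("Value does not match expression {}.", this.pattern.pattern());
            return null;
        }

        @Override
        public String toString() {
            return "Regex:" + this.pattern;
        }
    }

    /** Raw SSO value together with a "source:name" tag saying where it was found. */
    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/adobe/granite/auth/sso/impl/SsoAuthenticationHandler$SSOInfo.class */
    public static final class SSOInfo {
        public String ssoUid;
        public String providerId;

        public SSOInfo(String str, String str2, String str3) {
            this.ssoUid = str;
            this.providerId = str2 + ":" + str3;
        }
    }

    /**
     * Reads the component configuration and selects the decoder for the configured format.
     *
     * @param componentContext OSGi component context supplying the properties
     */
    @Activate
    private void activate(ComponentContext componentContext) {
        Dictionary properties = componentContext.getProperties();
        this.jaasHelper.open(componentContext.getBundleContext(), properties);
        this.headerNames = toCleanStringArray(properties.get(PROPERTY_HEADERS));
        this.cookieNames = toCleanStringArray(properties.get(PROPERTY_COOKIES));
        this.parameterNames = toCleanStringArray(properties.get(PROPERTY_PARAMETERS));
        this.userMap = parseUserMap(toCleanStringArray(properties.get(PROPERTY_USERMAP)));
        this.trustedCredentialsAttribute = OsgiUtil.toString(properties.get(PROPERTY_TRUSTED_CREDENTIALS_ATTRIBUTE), DEFAULT_TRUSTED_CREDENTIALS_ATTRIBUTE);
        String format = OsgiUtil.toString(properties.get(PROPERTY_FORMAT), DEFAULT_FORMAT).trim();
        if (format.length() == 0) {
            format = DEFAULT_FORMAT;
        }
        if (format.equals(Decoder.FORMAT)) {
            this.decoder = new Decoder();
        } else if (format.equals(DEFAULT_FORMAT)) {
            this.decoder = new HttpBasicDecoder();
        } else {
            // Any other value is interpreted as a regular expression, optionally followed by "|<group>".
            this.decoder = new RegexDecoder(format);
        }
        this.log.info("SSO Authentication Handler configured: {}", this);
    }

    @Deactivate
    private void deactivate() {
        this.jaasHelper.close();
    }

    /**
     * Builds authentication info from the SSO value found in the request.
     *
     * @return the authentication info, or {@code null} when the request carries no
     *         configured header, cookie or parameter, or the value cannot be decoded
     */
    public AuthenticationInfo extractCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        SSOInfo ssoInfo = getSsoUid(httpServletRequest);
        if (ssoInfo == null) {
            return null;
        }
        String decoded = this.decoder.decode(ssoInfo.ssoUid);
        if (decoded == null || decoded.length() == 0) {
            this.log.info("Unable to decode user ID {}", decoded);
            return null;
        }
        // NOTE(review): parseUserMap drops mappings that involve "admin", but an unmapped
        // decoded ID is used unchanged here. Whether a privileged ID can be asserted thus
        // depends on the front end and the login module, not on this class; confirm.
        String mapped = this.userMap.get(decoded);
        String userId = mapped == null ? decoded : mapped;
        AuthenticationInfo authenticationInfo = new AuthenticationInfo(TYPE, userId);
        if (this.jaasHelper.enabled()) {
            authenticationInfo.put("user.jcr.credentials", new SSOCredentials(userId));
        } else {
            // NOTE(review): with the default (empty) attribute name the ID is stored under
            // the key ""; verify that the configured name is what the login module reads.
            authenticationInfo.put(this.trustedCredentialsAttribute, userId);
        }
        return authenticationInfo;
    }

    /** This handler never asks the client for credentials; always returns {@code false}. */
    public boolean requestCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        return false;
    }

    /** No-op: this handler keeps no credentials of its own. */
    public void dropCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
    }

    @Override
    public String toString() {
        StringBuilder sb = new StringBuilder("SsoAuthenticationHandler{");
        sb.append("jaasEnabled=").append(this.jaasHelper.enabled());
        sb.append(", headerNames=").append(Arrays.toString(this.headerNames));
        sb.append(", cookieNames=").append(Arrays.toString(this.cookieNames));
        sb.append(", parameterNames=").append(Arrays.toString(this.parameterNames));
        sb.append(", trustedCredentialsAttribute='").append(this.trustedCredentialsAttribute).append('\'');
        sb.append('}');
        return sb.toString();
    }

    /**
     * Converts a configuration value to a string array without null or empty entries.
     *
     * @param obj raw configuration value
     * @return the non-empty entries, or {@code null} when there are none
     */
    private static String[] toCleanStringArray(Object obj) {
        String[] values = OsgiUtil.toStringArray(obj);
        if (values == null || values.length == 0) {
            return null;
        }
        ArrayList<String> kept = new ArrayList<String>(values.length);
        for (String value : values) {
            if (value != null && value.length() > 0) {
                kept.add(value);
            }
        }
        if (kept.isEmpty()) {
            return null;
        }
        return kept.toArray(new String[kept.size()]);
    }

    /**
     * Parses {@code key=value} entries into a map. A {@code \=} sequence is first turned
     * into a plain {@code =}, then the entry is split at the first {@code =}. Entries whose
     * key or value is "admin" (any case) are skipped.
     *
     * @param strArr configured entries, may be {@code null}
     * @return the mapping, never {@code null}
     */
    private static Map<String, String> parseUserMap(String[] strArr) {
        HashMap<String, String> mapping = new HashMap<String, String>();
        if (strArr != null) {
            for (String entry : strArr) {
                String[] pair = entry.replace("\\=", "=").split("=", 2);
                String key = pair[0];
                String value = pair.length > 1 ? pair[1] : DEFAULT_TRUSTED_CREDENTIALS_ATTRIBUTE;
                if (!"admin".equalsIgnoreCase(key) && !"admin".equalsIgnoreCase(value)) {
                    mapping.put(key, value);
                }
            }
        }
        return mapping;
    }

    /** Looks for the SSO value in headers first, then cookies, then request parameters. */
    private SSOInfo getSsoUid(HttpServletRequest httpServletRequest) {
        SSOInfo info = getSsoUidFromHeader(httpServletRequest);
        if (info == null) {
            info = getSsoUidFromCookie(httpServletRequest);
        }
        if (info == null) {
            info = getSsoUidFromParameter(httpServletRequest);
        }
        return info;
    }

    /** Returns the value of the first configured header present in the request, or {@code null}. */
    private SSOInfo getSsoUidFromHeader(HttpServletRequest httpServletRequest) {
        String[] names = this.headerNames;
        if (names == null) {
            return null;
        }
        for (String name : names) {
            String header = httpServletRequest.getHeader(name);
            if (header != null) {
                // Only the name is logged; the value may contain credentials.
                this.log.debug("found header {}", name);
                return new SSOInfo(header, "header", name);
            }
        }
        return null;
    }

    /** Returns the value of the first configured parameter present in the request, or {@code null}. */
    private SSOInfo getSsoUidFromParameter(HttpServletRequest httpServletRequest) {
        String[] names = this.parameterNames;
        if (names == null) {
            return null;
        }
        for (String name : names) {
            String parameter = httpServletRequest.getParameter(name);
            if (parameter != null) {
                // Only the name is logged; the value may contain credentials.
                this.log.debug("found parameter {}", name);
                return new SSOInfo(parameter, "parameter", name);
            }
        }
        return null;
    }

    /**
     * Returns the URL-decoded value of the first cookie whose name matches a configured
     * cookie name (case-insensitively), or {@code null} when there is none.
     */
    private SSOInfo getSsoUidFromCookie(HttpServletRequest httpServletRequest) {
        String[] names = this.cookieNames;
        if (names == null) {
            return null;
        }
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies == null) {
            return null;
        }
        for (String name : names) {
            for (Cookie cookie : cookies) {
                if (!name.equalsIgnoreCase(cookie.getName())) {
                    continue;
                }
                String value = cookie.getValue();
                if (value == null) {
                    continue;
                }
                // Only the name is logged; the value may contain credentials.
                this.log.debug("found cookie {}", name);
                try {
                    value = URLDecoder.decode(value, "UTF-8");
                } catch (UnsupportedEncodingException e) {
                    // Not expected for UTF-8; the undecoded value is used, as before.
                    this.log.debug("UTF-8 not supported; using cookie {} undecoded", name);
                } catch (IllegalArgumentException e) {
                    // Malformed percent-encoding in a client-supplied cookie must not
                    // surface as an unhandled exception; the cookie is ignored instead.
                    this.log.info("Ignoring cookie {}: value is not valid URL encoding", name);
                    continue;
                }
                return new SSOInfo(value, "cookie", name);
            }
        }
        return null;
    }
}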
