package com.adobe.granite.distribution.core.impl.transport;

import com.adobe.granite.auth.oauth.AccessTokenProvider;
import com.adobe.granite.crypto.CryptoException;
import java.io.IOException;
import java.net.URI;
import java.util.Collections;
import java.util.Map;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.ConfigurationPolicy;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.Service;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.commons.osgi.PropertiesUtil;
import org.apache.sling.distribution.transport.DistributionTransportSecret;
import org.apache.sling.distribution.transport.DistributionTransportSecretProvider;
import org.apache.sling.jcr.api.SlingRepository;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Deactivate;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

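/**
 * {@link DistributionTransportSecretProvider} that hands out OAuth bearer tokens for
 * distribution transports.
 *
 * <p>For each request the provider opens a JCR session by impersonating the configured
 * {@code userId} from a service session, wraps that session in a {@link ResourceResolver}
 * and asks the bound {@link AccessTokenProvider} for an access token. The token is returned
 * wrapped in a {@code BearerTokenSecret}.
 *
 * <p>Security-relevant behaviour:
 * <ul>
 *   <li>A secret is only produced for {@code https} endpoints, so the bearer token is never
 *       offered to a cleartext transport. Every other case yields {@code null}.</li>
 *   <li>The token value itself is never written to the log; keep it that way when adding
 *       diagnostics.</li>
 *   <li>The impersonated session and its resolver are always released, including when
 *       token retrieval fails.</li>
 * </ul>
 *
 * <p>NOTE(review): the component is declared with Felix SCR annotations while
 * {@code @Activate}/{@code @Deactivate} come from the OSGi DS annotation package; this looks
 * like a build or decompilation artifact — confirm against the original build.
 */
@Service({DistributionTransportSecretProvider.class})
@Component(metatype = true, specVersion = "1.1", configurationFactory = true, policy = ConfigurationPolicy.REQUIRE, label = "Adobe Granite Distribution Transport Credentials - Access Token DistributionTransportSecretProvider")
@Property(name = "webconsole.configurationFactory.nameHint", value = {"Secret provider name: {name}"})
/* loaded from: input_file:com/adobe/granite/distribution/core/impl/transport/AccessTokenDistributionTransportSecretProvider.class */
public class AccessTokenDistributionTransportSecretProvider implements DistributionTransportSecretProvider {
    private final Logger log = LoggerFactory.getLogger(getClass());

    @Property(label = "Name", description = "The name of the secret provider.")
    public static final String NAME = "name";

    @Property(label = "Resource resolution sub service name")
    private static final String SUB_SERVICE_NAME = "serviceName";

    @Property(label = "User id", description = "The identifier of the user which has access to the cryptographic material required to obtain access tokens", value = {""})
    private static final String USER_ID = "userId";

    @Property(name = "accessTokenProvider.target", label = "Access Token Provider", description = "The target reference for the AccessTokenProvider used to obtain access tokens, e.g. use target=(name=...) to bind to services by name.", value = {"(name=...)"})
    @Reference(name = "accessTokenProvider")
    private AccessTokenProvider accessTokenProvider;

    @Reference
    private SlingRepository slingRepository;

    @Reference
    private ResourceResolverFactory rrf;

    // Sub service name passed to impersonateFromService; null when not configured.
    private String subServiceName;

    // User to impersonate and to request the token for.
    // NOTE(review): defaults to the empty string when unconfigured; presumably the
    // impersonation then fails and no secret is returned — confirm whether activation
    // should reject an empty user id outright.
    private String userId;

    /**
     * Reads the user id and sub service name from the component configuration.
     *
     * @param map the component configuration properties
     */
    @Activate
    protected void activate(Map<String, Object> map) {
        this.log.info("Activate {}", identity(map));
        this.userId = PropertiesUtil.toString(map.get(USER_ID), "");
        this.subServiceName = PropertiesUtil.toString(map.get(SUB_SERVICE_NAME), (String) null);
    }

    /**
     * Logs the deactivation of this provider instance.
     *
     * @param map the component configuration properties
     */
    @Deactivate
    protected void deactivate(Map<String, Object> map) {
        this.log.info("Deactivate {}", identity(map));
    }

    /**
     * Returns a bearer-token secret for the given endpoint.
     *
     * <p>The token is only released for {@code https} URIs. The scheme is compared
     * case-insensitively because URI schemes are case-insensitive, and a {@code null}
     * URI is treated like any other non-https endpoint instead of raising a
     * {@link NullPointerException}.
     *
     * @param uri the transport endpoint the secret is requested for
     * @return the secret, or {@code null} when the endpoint is not https or no token
     *         could be obtained
     */
    public DistributionTransportSecret getSecret(URI uri) {
        this.log.debug("Get secret for uri {}", uri);
        if (uri != null && "https".equalsIgnoreCase(uri.getScheme())) {
            return createBearerTokenSecret();
        }
        // Fail closed: a bearer token must not be sent over an unencrypted transport.
        this.log.warn("OAuth 2.0 Authorization Grants requires SSL");
        return null;
    }

    /**
     * Obtains an access token on behalf of the configured user.
     *
     * <p>The session is created by impersonating {@code userId} from the service session
     * identified by {@code subServiceName}; the empty password in the credentials is not
     * used for authentication here, the call relies on impersonation.
     *
     * @return the secret wrapping the access token, or {@code null} when the session could
     *         not be opened or the token could not be retrieved
     */
    private DistributionTransportSecret createBearerTokenSecret() {
        Session session = null;
        ResourceResolver resourceResolver = null;
        try {
            session = this.slingRepository.impersonateFromService(this.subServiceName, new SimpleCredentials(this.userId, new char[0]), (String) null);
            resourceResolver = this.rrf.getResourceResolver(Collections.<String, Object>singletonMap("user.jcr.session", session));
            return new BearerTokenSecret(this.accessTokenProvider.getAccessToken(resourceResolver, this.userId, (Map) null));
        } catch (IOException | CryptoException e) {
            this.log.error("Failed to get an access token for user {}", this.userId, e);
            return null;
        } catch (RepositoryException | LoginException e) {
            this.log.error("Unable to retrieve a session.", e);
            return null;
        } finally {
            // Release the impersonated session on every path. The nested finally makes
            // sure the resolver is closed even if the logout itself throws.
            try {
                if (session != null) {
                    session.logout();
                }
            } finally {
                if (resourceResolver != null) {
                    resourceResolver.close();
                }
            }
        }
    }

    /**
     * Builds the label used in the activation and deactivation log lines.
     *
     * @param map the component configuration properties
     * @return a description naming this provider and its AccessTokenProvider target filter
     */
    private String identity(Map<String, Object> map) {
        return String.format("secret provider %s referencing AccessTokenProvider %s", map.get(NAME), map.get("accessTokenProvider.target"));
    }

    /** Binds the AccessTokenProvider used to obtain access tokens. */
    protected void bindAccessTokenProvider(AccessTokenProvider accessTokenProvider) {
        this.accessTokenProvider = accessTokenProvider;
    }

    /** Clears the AccessTokenProvider, but only if the given instance is the bound one. */
    protected void unbindAccessTokenProvider(AccessTokenProvider accessTokenProvider) {
        if (this.accessTokenProvider == accessTokenProvider) {
            this.accessTokenProvider = null;
        }
    }

    /** Binds the repository used to open the impersonated session. */
    protected void bindSlingRepository(SlingRepository slingRepository) {
        this.slingRepository = slingRepository;
    }

    /** Clears the repository, but only if the given instance is the bound one. */
    protected void unbindSlingRepository(SlingRepository slingRepository) {
        if (this.slingRepository == slingRepository) {
            this.slingRepository = null;
        }
    }

    /** Binds the factory used to wrap the session in a ResourceResolver. */
    protected void bindRrf(ResourceResolverFactory resourceResolverFactory) {
        this.rrf = resourceResolverFactory;
    }

    /** Clears the resolver factory, but only if the given instance is the bound one. */
    protected void unbindRrf(ResourceResolverFactory resourceResolverFactory) {
        if (this.rrf == resourceResolverFactory) {
            this.rrf = null;
        }
    }
}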
