package com.adobe.granite.oauth.server.impl;

import com.adobe.granite.oauth.jwt.JwsValidator;
import com.adobe.granite.oauth.server.OAuth2ResourceServer;
import com.adobe.granite.oauth.server.impl.helper.OAuth2Constants;
import com.adobe.granite.oauth.server.impl.helper.OAuth2Helper;
import java.security.Principal;
import java.util.Iterator;
import javax.jcr.InvalidItemStateException;
import javax.jcr.LoginException;
import javax.jcr.Node;
import javax.jcr.NodeIterator;
import javax.jcr.PathNotFoundException;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import org.apache.commons.lang.StringUtils;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Properties;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.Service;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.oak.spi.security.user.UserConfiguration;
import org.apache.sling.jcr.api.SlingRepository;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

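/**
 * Deprecated scheduled job that purges OAuth2 access and refresh tokens which no longer pass
 * {@link JwsValidator#validate} from the repository.
 *
 * <p>For every access-token user found under {@code <usersPath>/oauth/} the job derives the JWT
 * from the user's principal name. If the token fails validation, it removes the access control
 * entries granted to that principal on the token's scope resource paths, then the token
 * reference, then the user node itself. Refresh tokens that fail validation are removed as well.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Only tokens whose serialized header is exactly {@link #JWT_HEADER} are examined. A token
 *       user whose id does not start with that prefix is neither counted nor purged, so its node
 *       and ACEs are left in place by this job.</li>
 *   <li>The job runs with a service session; that session is always logged out, including when
 *       the run fails part-way.</li>
 * </ul>
 */
@Component(metatype = true, label = "Adobe OAuth2 Access Token Authentication Handler: Cleanup Task (DEPRECATED)", description = "Task to regularly purge expired access tokens from the repository (DEPRECATED)")
@Deprecated
@Service({Runnable.class})
@Properties({@Property(name = "scheduler.expression", value = {"23 07 * * * ?"}, label = "Schedule", description = "Cron expression scheudling this job. Default is hourly 07m23s after the hour. See http://www.docjar.com/docs/api/org/quartz/CronTrigger.html for a description of the format for this value."), @Property(name = "scheduler.runOn", value = {"LEADER"}, propertyPrivate = true), @Property(name = "service.description", value = {"Periodic Cleanup Job (DEPRECATED)"}, propertyPrivate = true)})
/* loaded from: input_file:com/adobe/granite/oauth/server/impl/AccessTokenCleanupTask.class */
public class AccessTokenCleanupTask implements Runnable {
    private final Logger log = LoggerFactory.getLogger(getClass());

    /**
     * Base64url encoding of the JOSE header {@code {"alg":"HS256","typ":"JWT"}} followed by the
     * segment separator. Used as a prefix test to recognise token-backed user ids.
     */
    private static final String JWT_HEADER = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.";

    @Reference
    private SlingRepository repository;

    @Reference
    private JwsValidator jwsValidator;

    @Reference
    private OAuth2ResourceServer oAuth2ResourceServer;

    @Reference
    private UserConfiguration userConfiguration;

    /** Scheduler entry point: runs one cleanup pass. */
    @Override // java.lang.Runnable
    public void run() {
        this.log.debug("AccessTokenCleanupTask: Starting cleanup");
        cleanup();
    }

    /**
     * Performs one cleanup pass over access-token users and refresh tokens.
     *
     * <p>Any failure is logged and ends the pass; it is never propagated to the scheduler. The
     * service session is released in a {@code finally} block so that a failing pass does not
     * leave a privileged session open.
     */
    private void cleanup() {
        long startedAt = System.currentTimeMillis();
        int removed = 0;
        int active = 0;
        Session session = null;
        try {
            // Null sub-service name / workspace: default service mapping and default workspace.
            session = this.repository.loginService((String) null, (String) null);
            String usersPath = (String) this.userConfiguration.getParameters().getConfigValue("usersPath", "/rep:security/rep:authorizables/rep:users");
            if (session.nodeExists(usersPath + OAuthServletContext.CONTEXT_PATH)) {
                NodeIterator folders = session.getNode(usersPath + "/oauth/").getNodes();
                while (folders.hasNext()) {
                    Node folder = folders.nextNode();
                    NodeIterator userNodes = folder.getNodes();
                    while (userNodes.hasNext()) {
                        Node userNode = userNodes.nextNode();
                        String authorizableId = userNode.getProperty("rep:authorizableId").getString();
                        User user = OAuth2Helper.getUser(session, authorizableId);
                        if (user == null) {
                            continue;
                        }
                        String jwt = OAuth2Helper.getJwtFromUserId(user.getPrincipal().getName());
                        if (!isJwtToken(jwt)) {
                            // Not recognised as a token user: left untouched and not counted.
                            continue;
                        }
                        if (this.jwsValidator.validate(jwt)) {
                            active++;
                            continue;
                        }
                        // Revoke the grants first, so that a failure here aborts the pass before
                        // the user node (the record of what was granted) is removed.
                        removeAces(session, jwt, authorizableId);
                        if (!OAuth2Helper.isRevoked(userNode)) {
                            try {
                                OAuth2Helper.removeAccessTokenReference(session, userNode.getPath());
                            } catch (RepositoryException e) {
                                this.log.warn("Failed to remove token reference for access token at {}", userNode.getPath(), e);
                            }
                        }
                        this.log.debug("removing user node {} ", userNode.getPath());
                        userNode.remove();
                        removed++;
                    }
                    if (!folder.hasNodes()) {
                        folder.remove();
                    }
                }
                for (Node tokenNode : OAuth2Helper.getAllRefreshTokens(session, usersPath)) {
                    try {
                        String refreshToken = tokenNode.getProperty(OAuth2Constants.NN_OAUTH_TOKEN).getString();
                        // NOTE(review): a blank token value is counted as active and kept;
                        // confirm that such nodes are not expected to be purged here.
                        if (!StringUtils.isNotBlank(refreshToken) || this.jwsValidator.validate(refreshToken)) {
                            active++;
                        } else {
                            Node parent = tokenNode.getParent();
                            tokenNode.remove();
                            removed++;
                            if (!parent.hasNodes()) {
                                parent.remove();
                            }
                        }
                    } catch (PathNotFoundException e) {
                        this.log.warn("Tried cleaning up invalid refresh token at {}.  Continuing on", tokenNode.getPath(), e);
                    }
                }
                if (session.hasPendingChanges()) {
                    try {
                        session.save();
                    } catch (InvalidItemStateException e) {
                        // Keep the cause: without it a recurring failure cannot be diagnosed.
                        this.log.info("AccessTokenCleanupTask: Concurrent modification to one or more of the tokens to be removed. Retrying later", e);
                    } catch (RepositoryException e) {
                        this.log.info("AccessTokenCleanupTask: Failed persisting token removal. Retrying later", e);
                    }
                }
            }
        } catch (Throwable t) {
            this.log.error("AccessTokenCleanupTask: General failure while trying to cleanup tokens", t);
        } finally {
            // Always release the service session, also after a failure.
            if (session != null) {
                session.logout();
            }
        }
        // NOTE(review): the counters reflect nodes marked for removal; if save() failed above
        // the removals were not persisted even though they are reported here.
        this.log.info("AccessTokenCleanupTask: Removed {} token(s) in {}ms ({} token(s) still active)", new Object[]{Integer.valueOf(removed), Long.valueOf(System.currentTimeMillis() - startedAt), Integer.valueOf(active)});
    }

    /**
     * Removes the token principal's ACEs from every resource path associated with the token's
     * scopes.
     *
     * @param session service session used for the lookups and the ACL changes
     * @param jwt the token whose scopes and subject determine the resource paths
     * @param authorizableId id of the token user whose ACEs are removed
     * @throws LoginException if raised by the helper lookups
     * @throws RepositoryException if raised by the helper lookups
     */
    private void removeAces(Session session, String jwt, String authorizableId) throws LoginException, RepositoryException {
        User subject = OAuth2Helper.getUser(session, OAuth2Helper.getSubject(jwt));
        for (String resourcePath : OAuth2Helper.getDefaultScopesResourcePathSet(this.oAuth2ResourceServer, OAuth2Helper.getScopes(jwt), subject)) {
            removeAce(session, authorizableId, resourcePath);
        }
    }

    /**
     * Removes all ACEs of the given user's principal from the ACLs bound to one path and saves
     * the session if that left pending changes.
     *
     * <p>Best effort: any exception is logged and swallowed, so the caller goes on to remove the
     * token user even when ACE removal failed for this path.
     *
     * @param session service session used for the ACL changes
     * @param authorizableId id of the user whose principal is matched against the ACEs
     * @param resourcePath repository path whose policies are inspected
     */
    private void removeAce(Session session, String authorizableId, String resourcePath) {
        try {
            AccessControlManager accessControlManager = session.getAccessControlManager();
            Principal principal = getPrincipal(session, authorizableId);
            if (principal != null) {
                // getPolicies() may return policies that are not ACLs; only ACLs carry entries.
                for (Object policy : accessControlManager.getPolicies(resourcePath)) {
                    if (!(policy instanceof AccessControlList)) {
                        continue;
                    }
                    AccessControlList acl = (AccessControlList) policy;
                    boolean modified = false;
                    for (AccessControlEntry entry : acl.getAccessControlEntries()) {
                        if (principal.equals(entry.getPrincipal())) {
                            acl.removeAccessControlEntry(entry);
                            // NOTE(review): the authorizable id appears to be derived from the
                            // token (see OAuth2Helper.getJwtFromUserId); it has failed validation
                            // by now, but confirm it is acceptable in debug logs.
                            this.log.debug("removed {} ace for principal {} ", entry, authorizableId);
                            modified = true;
                        }
                    }
                    if (modified) {
                        // Changes to an ACL only take effect once the policy is written back.
                        accessControlManager.setPolicy(resourcePath, acl);
                    }
                }
                if (session.hasPendingChanges()) {
                    session.save();
                }
            }
        } catch (Exception e) {
            this.log.error("exception while removing ace", e);
        }
    }

    /**
     * Resolves the principal of the user with the given id.
     *
     * @return the user's principal, or {@code null} if no such user is found
     * @throws RepositoryException if raised by the lookup
     */
    private static Principal getPrincipal(Session session, String str) throws RepositoryException {
        User user = OAuth2Helper.getUser(session, str);
        return user != null ? user.getPrincipal() : null;
    }

    /**
     * Tells whether the value starts with the fixed HS256 JWT header this task recognises.
     * A {@code null} value is treated as "not a token" instead of aborting the whole pass.
     */
    private boolean isJwtToken(String str) {
        return str != null && str.startsWith(JWT_HEADER);
    }

    protected void bindRepository(SlingRepository slingRepository) {
        this.repository = slingRepository;
    }

    protected void unbindRepository(SlingRepository slingRepository) {
        // Only clear the field if it still holds the instance being unbound.
        if (this.repository == slingRepository) {
            this.repository = null;
        }
    }

    protected void bindJwsValidator(JwsValidator jwsValidator) {
        this.jwsValidator = jwsValidator;
    }

    protected void unbindJwsValidator(JwsValidator jwsValidator) {
        if (this.jwsValidator == jwsValidator) {
            this.jwsValidator = null;
        }
    }

    protected void bindOAuth2ResourceServer(OAuth2ResourceServer oAuth2ResourceServer) {
        this.oAuth2ResourceServer = oAuth2ResourceServer;
    }

    protected void unbindOAuth2ResourceServer(OAuth2ResourceServer oAuth2ResourceServer) {
        if (this.oAuth2ResourceServer == oAuth2ResourceServer) {
            this.oAuth2ResourceServer = null;
        }
    }

    protected void bindUserConfiguration(UserConfiguration userConfiguration) {
        this.userConfiguration = userConfiguration;
    }

    protected void unbindUserConfiguration(UserConfiguration userConfiguration) {
        if (this.userConfiguration == userConfiguration) {
            this.userConfiguration = null;
        }
    }
}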
