package com.adobe.granite.oauth.server.auth.impl;

import com.adobe.granite.crypto.CryptoSupport;
import com.adobe.granite.oauth.jwt.JwsValidator;
import com.adobe.granite.oauth.server.OAuth2AuthorizationServer;
import com.adobe.granite.oauth.server.OAuth2ResourceServer;
import com.adobe.granite.oauth.server.impl.helper.OAuth2Constants;
import com.adobe.granite.oauth.server.impl.helper.OAuth2Helper;
import com.adobe.granite.oauth.server.scopes.impl.ReplicateScope;
import java.io.IOException;
import java.util.Dictionary;
import javax.jcr.PathNotFoundException;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.felix.scr.annotations.Activate;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.ConfigurationPolicy;
import org.apache.felix.scr.annotations.Deactivate;
import org.apache.felix.scr.annotations.Properties;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.Service;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.oltu.oauth2.common.exception.OAuthProblemException;
import org.apache.oltu.oauth2.common.exception.OAuthSystemException;
import org.apache.oltu.oauth2.common.message.types.ParameterStyle;
import org.apache.oltu.oauth2.rs.request.OAuthAccessResourceRequest;
import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;
import org.apache.sling.commons.osgi.PropertiesUtil;
import org.apache.sling.jcr.api.SlingRepository;
import org.apache.sling.settings.SlingSettingsService;
import org.osgi.service.component.ComponentContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

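/**
 * Sling {@link AuthenticationHandler} for the deprecated "Adobe Granite OAuth Server".
 * <p>
 * It reads a bearer token from the {@code Authorization} header only (no query
 * parameter or form body, see {@link #getAccessToken}), validates it offline
 * through the injected {@link JwsValidator} plus a content-type check, and maps
 * the token to a repository user:
 * <ul>
 *   <li>a token carrying the {@code replicate} scope authenticates as the fixed
 *       {@code replication-receiver} user, whatever its subject;</li>
 *   <li>otherwise a per-token "oauth" proxy user is looked up or created (with an
 *       access-token reference back to the subject) and scope ACLs are applied to
 *       it; a revoked proxy user yields no credentials.</li>
 * </ul>
 * All repository writes (user creation, ACL entries) run on a service session
 * obtained via {@code loginService(null, null)}, so everything derived from the
 * token is trusted only because {@link #isValidAccessToken} ran first.
 * NOTE(review): whether expiry/audience are enforced is delegated to
 * {@link JwsValidator} — this class does not check them itself; confirm.
 * <p>
 * The bind/unbind methods are the SCR reference injectors and must keep their
 * names and signatures.
 */
@Component(metatype = true, policy = ConfigurationPolicy.REQUIRE, label = "%oauth.server.name", description = "%oauth.server.description")
@Deprecated
@Service
@Properties({@Property(name = "service.description", value = {"OAuth2ServerAuthenticationHandler (DEPRECATED)"}), @Property(name = "service.ranking", intValue = {200000}), @Property(name = "path", value = {"/"}), @Property(name = "jaas.controlFlag", value = {"sufficient"}), @Property(name = "jaas.realmName", value = {"jackrabbit.oak"}), @Property(name = "jaas.ranking", intValue = {1000})})
public class OAuth2ServerAuthenticationHandler implements AuthenticationHandler {
    /** Repository user every replicate-scoped token is mapped to. */
    private static final String REPLICATION_RECEIVER = "replication-receiver";

    /** Prefix the token user id is expected to start with. */
    private static final String JWT_USER_ID_PREFIX = "oauth-";

    /**
     * End index (exclusive) of the token user id slice used as the proxy user's
     * intermediate path; a token user id shorter than this cannot be mapped.
     */
    private static final int OAUTH_USER_INTERMEDIATE_PATH_END = 9;

    @Property(name = "authtype", propertyPrivate = true)
    private static final String TYPE = "OAUTH2SERVER";
    private static final String OFFLINE_VALIDATION = "oauth.offline.validation";

    @Property(name = OFFLINE_VALIDATION)
    private static final boolean OFFLINE_VALIDATION_DEFAULT = true;

    @Reference
    private SlingRepository repository;

    @Reference
    private SlingSettingsService settings;

    @Reference
    private CryptoSupport cryptoSupport;

    @Reference
    JwsValidator jwsValidator;

    @Reference
    private OAuth2ResourceServer oAuth2ResourceServer;

    @Reference
    private OAuth2AuthorizationServer oAuth2AuthorizationServer;

    /** Read from {@code oauth.offline.validation}; only offline validation is implemented. */
    private boolean offlineValidation;
    private final Logger log = LoggerFactory.getLogger(getClass());
    private final JaasHelper jaasHelper = new JaasHelper();

    /**
     * Registers the JAAS login module and reads the component configuration.
     *
     * @param componentContext the SCR component context
     */
    @Activate
    private void activate(ComponentContext componentContext) {
        this.log.warn("'Adobe Granite OAuth Server' has been deprecated.");
        Dictionary properties = componentContext.getProperties();
        this.jaasHelper.open(componentContext.getBundleContext(), properties);
        this.offlineValidation = PropertiesUtil.toBoolean(properties.get(OFFLINE_VALIDATION), true);
    }

    /** Unregisters the JAAS login module. */
    @Deactivate
    private void deactivate() {
        this.jaasHelper.close();
    }

    /**
     * Extracts an OAuth2 bearer token from the request and, if it validates and
     * maps to a known subject, returns the credentials the request should run with.
     *
     * @param httpServletRequest  the request; only its {@code Authorization} header is read
     * @param httpServletResponse unused
     * @return the authentication info, or {@code null} when the request carries no
     *         usable token, the token fails validation, its subject is unknown,
     *         its proxy user is revoked, or repository access fails
     */
    public AuthenticationInfo extractCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (!this.jaasHelper.enabled()) {
            this.log.error("this feature is available only for Oak deployments");
            return null;
        }
        String accessToken = getAccessToken(httpServletRequest);
        this.log.debug("extractCredentials: extracted access token");
        // Nothing below may trust the token's claims until it has been validated.
        if (accessToken == null || !isValidAccessToken(accessToken)) {
            this.log.debug("extractCredentials: returning null");
            return null;
        }
        String subject = OAuth2Helper.getSubject(accessToken);
        this.log.debug("extractCredentials: extracted userId {}", subject);
        if (subject == null) {
            this.log.debug("extractCredentials: returning null");
            return null;
        }
        Session session = null;
        try {
            // Service session: user creation and ACL writes below are privileged.
            session = this.repository.loginService((String) null, (String) null);
            User user = OAuth2Helper.getUser(session, subject);
            if (user != null) {
                String scopes = OAuth2Helper.getScopes(accessToken);
                this.log.debug("extractCredentials: extracted scopes {}", scopes);
                String id = resolveUserId(session, user, accessToken, scopes);
                if (id != null) {
                    this.log.debug("extractCredentials: creating authentication info with user {}", id);
                    AuthenticationInfo authenticationInfo = new AuthenticationInfo(TYPE, id);
                    authenticationInfo.put("user.jcr.credentials", new OAuth2ServerCredentials(id));
                    return authenticationInfo;
                }
            }
        } catch (RepositoryException e) {
            this.log.error("extractCredentials: Failed to impersonate user ", e);
        } finally {
            // Always release the service session, including on unchecked errors.
            if (session != null) {
                session.logout();
            }
        }
        this.log.debug("extractCredentials: returning null");
        return null;
    }

    /**
     * Maps a validated token to the repository user id the request will run as.
     * <p>
     * A replicate-scoped token maps to {@link #REPLICATION_RECEIVER}. Any other
     * token maps to its per-token proxy user, which is created on first use
     * (together with an access-token reference to {@code subjectUser}) and gets
     * the scope ACL entries applied on every call.
     *
     * @param session     service session used for all lookups and writes
     * @param subjectUser the repository user named by the token's subject
     * @param accessToken the validated token
     * @param scopes      the token's scope string
     * @return the user id, or {@code null} when the proxy user is revoked or the
     *         token's user id is missing or too short to derive the proxy user path
     * @throws RepositoryException on repository access failure
     */
    private String resolveUserId(Session session, User subjectUser, String accessToken, String scopes) throws RepositoryException {
        if (OAuth2Helper.getScopesSet(scopes).contains(ReplicateScope.REPLICATE_SCOPE_NAME)) {
            // Identity is decided by the scope alone here, not by the subject;
            // the authorization server controls who can be issued this scope.
            return REPLICATION_RECEIVER;
        }
        String jwtUserId = OAuth2Helper.getJwtUserId(accessToken);
        if (jwtUserId == null || jwtUserId.length() < OAUTH_USER_INTERMEDIATE_PATH_END) {
            // The substring below would throw on such an id; treat it as "no credentials"
            // rather than letting an unchecked exception escape the handler.
            this.log.debug("extractCredentials: token user id missing or malformed; ignoring token");
            return null;
        }
        User oauthUser = OAuth2Helper.getUser(session, jwtUserId);
        if (oauthUser == null) {
            this.log.debug("create oauth user and assign privileges");
            String intermediatePath = "oauth/" + jwtUserId.substring(JWT_USER_ID_PREFIX.length(), OAUTH_USER_INTERMEDIATE_PATH_END);
            oauthUser = OAuth2Helper.createUser(session, jwtUserId, intermediatePath);
            OAuth2Helper.createAccessTokenReference(session, subjectUser, oauthUser, OAuth2Helper.getClientIdFromJwt(accessToken), scopes);
        } else if (OAuth2Helper.isRevoked(oauthUser)) {
            // Revocation is checked only for existing proxy users; a freshly
            // created one cannot have been revoked yet.
            this.log.debug("extractCredentials: oauth user {} is revoked", jwtUserId);
            return null;
        }
        try {
            OAuth2Helper.addACLEntries(session, oauthUser.getPrincipal(), subjectUser, OAuth2Helper.getScopeSetFromNames(this.oAuth2ResourceServer, scopes), true);
        } catch (PathNotFoundException e) {
            this.log.debug("default scopes ACE could not be applied");
        }
        return oauthUser.getID();
    }

    /** This handler never challenges the client. */
    public boolean requestCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        return false;
    }

    /** Bearer tokens carry no server-side session state to drop. */
    public void dropCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
    }

    /**
     * Validates a token offline: the JWS must verify through {@link JwsValidator}
     * and its content type must be {@link OAuth2Constants#CONTENT_TYPE_ACCESS_TOKEN}
     * (so e.g. a validly signed JWT of another type is rejected).
     * Online validation is not implemented and always fails.
     *
     * @param str the raw token
     * @return {@code true} only if both checks pass; any exception during
     *         validation counts as invalid
     */
    private boolean isValidAccessToken(String str) {
        if (!this.offlineValidation) {
            this.log.info("isValidAccessToken: online validation is not supported for now");
            return false;
        }
        try {
            if (!this.jwsValidator.validate(str)) {
                return false;
            }
            return OAuth2Constants.CONTENT_TYPE_ACCESS_TOKEN.equals(OAuth2Helper.getContentType(str));
        } catch (Exception e) {
            // Fail closed; detail only at debug because arbitrary garbage in the
            // Authorization header would otherwise flood the log.
            this.log.debug("isValidAccessToken: error while validate the token ", e);
            return false;
        }
    }

    /**
     * Reads the bearer token from the {@code Authorization} header.
     * Only {@link ParameterStyle#HEADER} is accepted, so tokens in query strings
     * (which end up in access logs and referers) are ignored.
     *
     * @param httpServletRequest the request
     * @return the token, or {@code null} if the header is absent or malformed
     */
    private String getAccessToken(HttpServletRequest httpServletRequest) {
        try {
            return new OAuthAccessResourceRequest(httpServletRequest, new ParameterStyle[]{ParameterStyle.HEADER}).getAccessToken();
        } catch (OAuthProblemException e) {
            this.log.debug("getAccessToken: Wrong Authorization header format; ignoring");
        } catch (OAuthSystemException e2) {
            this.log.debug("getAccessToken: Wrong Authorization header format; ignoring");
        }
        return null;
    }

    protected void bindRepository(SlingRepository slingRepository) {
        this.repository = slingRepository;
    }

    protected void unbindRepository(SlingRepository slingRepository) {
        if (this.repository == slingRepository) {
            this.repository = null;
        }
    }

    protected void bindSettings(SlingSettingsService slingSettingsService) {
        this.settings = slingSettingsService;
    }

    protected void unbindSettings(SlingSettingsService slingSettingsService) {
        if (this.settings == slingSettingsService) {
            this.settings = null;
        }
    }

    protected void bindCryptoSupport(CryptoSupport cryptoSupport) {
        this.cryptoSupport = cryptoSupport;
    }

    protected void unbindCryptoSupport(CryptoSupport cryptoSupport) {
        if (this.cryptoSupport == cryptoSupport) {
            this.cryptoSupport = null;
        }
    }

    protected void bindJwsValidator(JwsValidator jwsValidator) {
        this.jwsValidator = jwsValidator;
    }

    protected void unbindJwsValidator(JwsValidator jwsValidator) {
        if (this.jwsValidator == jwsValidator) {
            this.jwsValidator = null;
        }
    }

    protected void bindOAuth2ResourceServer(OAuth2ResourceServer oAuth2ResourceServer) {
        this.oAuth2ResourceServer = oAuth2ResourceServer;
    }

    protected void unbindOAuth2ResourceServer(OAuth2ResourceServer oAuth2ResourceServer) {
        if (this.oAuth2ResourceServer == oAuth2ResourceServer) {
            this.oAuth2ResourceServer = null;
        }
    }

    protected void bindOAuth2AuthorizationServer(OAuth2AuthorizationServer oAuth2AuthorizationServer) {
        this.oAuth2AuthorizationServer = oAuth2AuthorizationServer;
    }

    protected void unbindOAuth2AuthorizationServer(OAuth2AuthorizationServer oAuth2AuthorizationServer) {
        if (this.oAuth2AuthorizationServer == oAuth2AuthorizationServer) {
            this.oAuth2AuthorizationServer = null;
        }
    }
}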
