package com.adobe.cq.dam.mac.sync.helper.impl.util;

import com.adobe.cq.dam.mac.sync.helper.impl.Claim;
import com.adobe.cq.dam.mac.sync.helper.impl.Constants;
import com.adobe.granite.crypto.CryptoException;
import com.adobe.granite.crypto.CryptoSupport;
import com.adobe.granite.keystore.KeyStoreService;
import com.adobe.granite.security.user.UserManagementService;
import java.io.IOException;
import java.security.KeyPair;
import java.security.Principal;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Dictionary;
import java.util.Hashtable;
import java.util.List;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.Privilege;
import org.apache.commons.lang.RandomStringUtils;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.sling.api.resource.PersistenceException;
import org.apache.sling.api.resource.ResourceResolver;
import org.osgi.framework.InvalidSyntaxException;
import org.osgi.service.cm.Configuration;
import org.osgi.service.cm.ConfigurationAdmin;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/adobe/cq/dam/mac/sync/helper/impl/util/OAuthUtil.class */
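/**
 * Static helpers used by the MAC sync module to provision the server-side pieces of its
 * OAuth/JWT replication setup: the OSGi access-token-provider configuration, the per-user
 * keystore and RSA keypair the provider signs with, and the replication service user with
 * its ACLs and group membership.
 *
 * <p>Security-relevant behaviour of this class:
 * <ul>
 *   <li>The keystore password is generated from {@link SecureRandom} (see
 *       {@link #newKeyStorePassword()}) and is never returned or logged.</li>
 *   <li>The replication user is created without a password (see
 *       {@link #createReplicationUser}); it is expected to authenticate through the
 *       token provider / keypair rather than by password login.</li>
 *   <li>{@link #createReplicationUser} grants the user jcr:read, jcr:write and
 *       jcr:nodeTypeManagement on the DAM collection home, the remote-assets usages
 *       folder and (when present) the projects assets folder, plus jcr:read on the
 *       tag tree.</li>
 * </ul>
 *
 * <p>All methods are stateless; thread-safety is that of the services passed in.
 */
public class OAuthUtil {
    private static final Logger LOG = LoggerFactory.getLogger(OAuthUtil.class);
    private static final String ACCESS_TOKEN_PROVIDER_FACTORY_PID = "com.adobe.granite.auth.oauth.accesstoken.provider";
    /** OSGi filter selecting every instance of the access-token-provider factory configuration. */
    private static final String ACCESS_TOKEN_PROVIDER_FILTER = "(&(service.factoryPid=" + ACCESS_TOKEN_PROVIDER_FACTORY_PID + "))";
    private static final String ACCESS_TOKEN_PROVIDER_DEFAULT_CLAIM = "auth.token.provider.default.claims";
    private static final String ACCESS_TOKEN_PROVIDER_CLIENT_ID = "auth.token.provider.client.id";
    private static final String ACCESS_TOKEN_PROVIDER_SCOPE = "auth.token.provider.scope";
    private static final String ACCESS_TOKEN_PROVIDER_ENDPOINT = "auth.token.provider.endpoint";
    private static final String REPLICATION_HTTP_PID = "com.day.cq.replication.impl.transport.Http";
    public static final String ACCESS_TOKEN_PROVIDER_KEYPAIR_ALIAS = "auth.token.provider.keypair.alias";
    private static final String CLIENT_ORG_SUFFIX = "@AdobeClient";
    private static final String KEYPAIR_ALGORITHM = "RSA";
    private static final String KEYPAIR_ALIAS = "replication";
    private static final String MP_KEYPAIR_ALIAS = "mpreplication";

    /** Group every replication user is made a member of. */
    private static final String REPLICATION_GROUP_ID = "dam-mac-replication";
    /** Intermediate path under the group root used when creating the replication group. */
    private static final String REPLICATION_GROUP_INTERMEDIATE_PATH = "mac";
    /** Pre-existing group the replication group is nested into. */
    private static final String DAM_USERS_GROUP_ID = "dam-users";
    /** Tag tree the replication user only needs to read. */
    private static final String TAGS_ROOT = "/content/cq:tags";

    /** Alphabet for generated keystore passwords: ASCII letters and digits only. */
    private static final String PASSWORD_ALPHABET =
            "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    /** Length of a generated keystore password (62^32 possibilities, ~190 bits). */
    private static final int PASSWORD_LENGTH = 32;
    /** Shared CSPRNG; SecureRandom is thread-safe. */
    private static final SecureRandom RANDOM = new SecureRandom();

    /**
     * Same as {@link #updateAccessTokenProvider(ConfigurationAdmin, String, String, String, String)}
     * with the default keypair alias {@code "replication"}.
     */
    public static String updateAccessTokenProvider(ConfigurationAdmin configurationAdmin, String clientId, String scope, String endpoint) throws IOException {
        return updateAccessTokenProvider(configurationAdmin, clientId, scope, endpoint, KEYPAIR_ALIAS);
    }

    /**
     * Replaces the access-token-provider factory configuration bound to {@code keyPairAlias}.
     *
     * <p>Every existing provider configuration whose keypair alias equals {@code keyPairAlias}
     * is deleted, then a fresh factory configuration is created and populated with the client
     * id, scope, endpoint, keypair alias and the default claims (sub/iss/scope/aud). The
     * endpoint is used both as the provider endpoint and as the {@code aud} claim value.
     *
     * @param configurationAdmin OSGi ConfigurationAdmin to read and write configurations
     * @param clientId           client id; also the {@code iss} claim, and with
     *                           {@code "@AdobeClient"} appended the {@code sub} claim
     * @param scope              scope property and {@code scope} claim
     * @param endpoint           endpoint property and {@code aud} claim
     * @param keyPairAlias       alias of the keypair in the user keystore; must not be null
     * @return the PID of the newly created configuration
     * @throws IOException           if ConfigurationAdmin fails to list, delete, create or update
     * @throws IllegalStateException if the constant OSGi filter is rejected (programming error)
     */
    public static String updateAccessTokenProvider(ConfigurationAdmin configurationAdmin, String clientId, String scope, String endpoint, String keyPairAlias) throws IOException {
        deleteProviderConfigurations(configurationAdmin, keyPairAlias);

        LOG.info("creating configuration");
        Configuration configuration = configurationAdmin.createFactoryConfiguration(ACCESS_TOKEN_PROVIDER_FACTORY_PID, (String) null);
        Dictionary<String, Object> properties = configuration.getProperties();
        if (properties == null) {
            // a freshly created factory configuration carries no properties until the first update()
            properties = new Hashtable<String, Object>();
        }

        String[] claims = rewriteDefaultClaims(properties.get(ACCESS_TOKEN_PROVIDER_DEFAULT_CLAIM), clientId, scope, endpoint);
        properties.put(ACCESS_TOKEN_PROVIDER_CLIENT_ID, clientId);
        properties.put(ACCESS_TOKEN_PROVIDER_DEFAULT_CLAIM, claims);
        properties.put(ACCESS_TOKEN_PROVIDER_KEYPAIR_ALIAS, keyPairAlias);
        properties.put(ACCESS_TOKEN_PROVIDER_SCOPE, scope);
        properties.put(ACCESS_TOKEN_PROVIDER_ENDPOINT, endpoint);
        configuration.update(properties);
        return configuration.getPid();
    }

    /**
     * Deletes every access-token-provider configuration whose keypair alias equals
     * {@code keyPairAlias}. Configurations without properties are skipped.
     */
    private static void deleteProviderConfigurations(ConfigurationAdmin configurationAdmin, String keyPairAlias) throws IOException {
        Configuration[] existing;
        try {
            existing = configurationAdmin.listConfigurations(ACCESS_TOKEN_PROVIDER_FILTER);
        } catch (InvalidSyntaxException e) {
            // the filter is a compile-time constant, so a syntax error can only be a programming error
            throw new IllegalStateException("invalid configuration filter: " + ACCESS_TOKEN_PROVIDER_FILTER, e);
        }
        if (existing == null) {
            return;
        }
        for (Configuration candidate : existing) {
            Dictionary<String, Object> props = candidate.getProperties();
            // String.equals(Object) yields false (not a ClassCastException) for a non-String value
            if (props != null && keyPairAlias.equals(props.get(ACCESS_TOKEN_PROVIDER_KEYPAIR_ALIAS))) {
                LOG.info("found configuration");
                candidate.delete();
            }
        }
    }

    /**
     * Builds the default-claims array for the provider.
     *
     * <p>When {@code current} holds existing claims, each one is parsed with {@link Claim};
     * sub/iss/scope/aud claims are replaced by the new values and any other claim is kept
     * verbatim. When there are no existing claims, the four standard claims are seeded.
     *
     * @param current current value of the default-claims property: a {@code String[]}, a
     *                single {@code String}, or null/anything else (treated as absent)
     */
    private static String[] rewriteDefaultClaims(Object current, String clientId, String scope, String endpoint) {
        String[] existing = toStringArray(current);
        List<String> claims;
        if (existing == null || existing.length == 0) {
            claims = defaultClaims(clientId, scope, endpoint);
        } else {
            claims = new ArrayList<String>(existing.length);
            for (String raw : existing) {
                claims.add(rewriteClaim(raw, clientId, scope, endpoint));
            }
        }
        return claims.toArray(new String[claims.size()]);
    }

    /** Returns the four standard claims, in the order sub, iss, scope, aud. */
    private static List<String> defaultClaims(String clientId, String scope, String endpoint) {
        List<String> claims = new ArrayList<String>(4);
        claims.add(new Claim(Claim.CLAIM_TYPE_SUB, clientId + CLIENT_ORG_SUFFIX).getClaim());
        claims.add(new Claim(Claim.CLAIM_TYPE_ISS, clientId).getClaim());
        claims.add(new Claim(Claim.CLAIM_TYPE_SCOPE, scope).getClaim());
        claims.add(new Claim(Claim.CLAIM_TYPE_AUD, endpoint).getClaim());
        return claims;
    }

    /** Replaces the value of a sub/iss/scope/aud claim; any other claim is returned unchanged. */
    private static String rewriteClaim(String raw, String clientId, String scope, String endpoint) {
        String type = new Claim(raw).getClaimType();
        if (Claim.CLAIM_TYPE_SUB.equals(type)) {
            return new Claim(Claim.CLAIM_TYPE_SUB, clientId + CLIENT_ORG_SUFFIX).getClaim();
        }
        if (Claim.CLAIM_TYPE_ISS.equals(type)) {
            return new Claim(Claim.CLAIM_TYPE_ISS, clientId).getClaim();
        }
        if (Claim.CLAIM_TYPE_SCOPE.equals(type)) {
            return new Claim(Claim.CLAIM_TYPE_SCOPE, scope).getClaim();
        }
        if (Claim.CLAIM_TYPE_AUD.equals(type)) {
            return new Claim(Claim.CLAIM_TYPE_AUD, endpoint).getClaim();
        }
        return raw;
    }

    /**
     * Normalises an OSGi multi-value property: a {@code String[]} is returned as-is, a single
     * {@code String} is wrapped, anything else (including null) yields null.
     */
    private static String[] toStringArray(Object value) {
        if (value instanceof String[]) {
            return (String[]) value;
        }
        if (value instanceof String) {
            return new String[]{(String) value};
        }
        return null;
    }

    /**
     * Same as {@link #createKeyPair(ResourceResolver, String, CryptoSupport, KeyStoreService, String)}
     * with the default keypair alias {@code "replication"}.
     */
    public static KeyPair createKeyPair(ResourceResolver resourceResolver, String userId, CryptoSupport cryptoSupport, KeyStoreService keyStoreService) throws CryptoException {
        return createKeyPair(resourceResolver, userId, cryptoSupport, keyStoreService, KEYPAIR_ALIAS);
    }

    /**
     * Returns the RSA keypair stored under {@code alias} in {@code userId}'s keystore, creating
     * the keystore and/or the keypair if they do not exist yet.
     *
     * @param resourceResolver resolver used to access the keystore
     * @param userId           id of the user whose keystore is used
     * @param cryptoSupport    generates a new RSA keypair when none is stored
     * @param keyStoreService  keystore access
     * @param alias            alias of the keypair within the keystore
     * @return the existing or newly generated keypair, never null
     * @throws CryptoException if keypair generation fails
     */
    public static KeyPair createKeyPair(ResourceResolver resourceResolver, String userId, CryptoSupport cryptoSupport, KeyStoreService keyStoreService, String alias) throws CryptoException {
        ensureKeyStore(resourceResolver, userId, keyStoreService);
        KeyPair stored = keyStoreService.getKeyStoreKeyPair(resourceResolver, userId, alias);
        if (stored != null) {
            return stored;
        }
        KeyPair generated = cryptoSupport.createKeyPair(KEYPAIR_ALGORITHM);
        keyStoreService.addKeyStoreKeyPair(resourceResolver, userId, generated, alias);
        return generated;
    }

    /**
     * Creates {@code userId}'s keystore with a freshly generated random password unless it
     * already exists. The password is not retained by this class.
     */
    private static void ensureKeyStore(ResourceResolver resourceResolver, String userId, KeyStoreService keyStoreService) {
        if (keyStoreService.keyStoreExists(resourceResolver, userId)) {
            return;
        }
        keyStoreService.createKeyStore(resourceResolver, userId, newKeyStorePassword());
    }

    /**
     * Generates a keystore password of {@link #PASSWORD_LENGTH} ASCII letters and digits from
     * a {@link SecureRandom} source. A cryptographically strong generator is required here
     * because this password protects the signing keypair; a general-purpose PRNG would make
     * it predictable.
     *
     * @return a new random password; callers own the array and may clear it after use
     */
    static char[] newKeyStorePassword() {
        char[] password = new char[PASSWORD_LENGTH];
        for (int i = 0; i < password.length; i++) {
            password[i] = PASSWORD_ALPHABET.charAt(RANDOM.nextInt(PASSWORD_ALPHABET.length()));
        }
        return password;
    }

    /**
     * Same as {@link #getPublicKey(ResourceResolver, String, CryptoSupport, KeyStoreService, String)}
     * with the default keypair alias {@code "replication"}.
     */
    public static PublicKey getPublicKey(ResourceResolver resourceResolver, String userId, CryptoSupport cryptoSupport, KeyStoreService keyStoreService) throws CryptoException {
        return getPublicKey(resourceResolver, userId, cryptoSupport, keyStoreService, KEYPAIR_ALIAS);
    }

    /**
     * Returns the public half of the keypair stored under {@code alias} in {@code userId}'s
     * keystore, or null when no such keypair exists. Nothing is created.
     *
     * @param cryptoSupport unused; kept for signature compatibility
     */
    public static PublicKey getPublicKey(ResourceResolver resourceResolver, String userId, CryptoSupport cryptoSupport, KeyStoreService keyStoreService, String alias) throws CryptoException {
        KeyPair stored = keyStoreService.getKeyStoreKeyPair(resourceResolver, userId, alias);
        return stored == null ? null : stored.getPublic();
    }

    /**
     * Derives the replication user id for a tenant/namespace: {@code "mac-" + id + "-replication"}.
     */
    public static String getReplicationUserId(String id) {
        return "mac-" + id + "-replication";
    }

    /**
     * Ensures the replication user for {@code namespace} exists, carries the required ACLs and
     * is a member of the {@code dam-mac-replication} group; saves the session when needed.
     *
     * <p>On first creation the user is created without a password (it is not meant for
     * password login) under {@code <user root>/mac/<namespace>} and granted read/write/
     * nodeTypeManagement on the remote-assets usages folder and, if that node exists, on the
     * projects assets folder. On every call the same privileges are (re)granted on the DAM
     * collection home and jcr:read on {@code /content/cq:tags}.
     *
     * @param resourceResolver      must adapt to a {@link JackrabbitSession}
     * @param namespace             tenant/namespace id the user id is derived from
     * @param userManagementService provides the user root path
     * @return the id of the replication user
     * @throws RepositoryException   on repository errors
     * @throws IllegalStateException if the resolver yields no JackrabbitSession, or the
     *                               dam-users group is missing or is not a group
     */
    public static String createReplicationUser(ResourceResolver resourceResolver, String namespace, UserManagementService userManagementService) throws RepositoryException {
        Session session = resourceResolver.adaptTo(Session.class);
        if (!(session instanceof JackrabbitSession)) {
            throw new IllegalStateException("resource resolver does not provide a JackrabbitSession");
        }
        JackrabbitSession jackrabbitSession = (JackrabbitSession) session;
        UserManager userManager = jackrabbitSession.getUserManager();
        String replicationUserId = getReplicationUserId(namespace);

        Privilege[] readWrite = AccessControlUtils.privilegesFromNames(jackrabbitSession,
                new String[]{Privilege.JCR_READ, Privilege.JCR_NODE_TYPE_MANAGEMENT, Privilege.JCR_WRITE});
        Privilege[] readOnly = AccessControlUtils.privilegesFromNames(jackrabbitSession,
                new String[]{Privilege.JCR_READ});

        Authorizable user = userManager.getAuthorizable(replicationUserId);
        if (user == null) {
            // null password: the user cannot log in by password and relies on the token provider / keypair
            user = userManager.createUser(replicationUserId, (String) null, principalNamed(replicationUserId),
                    userManagementService.getUserRootPath() + "/mac/" + namespace);
            Principal principal = user.getPrincipal();
            if (jackrabbitSession.nodeExists(Constants.PROJECTS_ASSETS_FOLDER)) {
                AccessControlUtils.addAccessControlEntry(jackrabbitSession, Constants.PROJECTS_ASSETS_FOLDER, principal, readWrite, true);
            }
            AccessControlUtils.addAccessControlEntry(jackrabbitSession, Constants.REMOTE_ASSETS_USAGES_NUGGET_FOLDER, principal, readWrite, true);
        }
        Principal principal = user.getPrincipal();
        // the final argument selects an "allow" entry
        AccessControlUtils.addAccessControlEntry(jackrabbitSession, Constants.DAM_COLLECTION_HOME, principal, readWrite, true);
        AccessControlUtils.addAccessControlEntry(jackrabbitSession, TAGS_ROOT, principal, readOnly, true);

        Group replicationGroup = createGroup(userManager);
        if (!replicationGroup.isMember(user)) {
            replicationGroup.addMember(user);
        }
        // without auto-save the user manager leaves everything pending; ACL changes are always pending
        if (!userManager.isAutoSave() || jackrabbitSession.hasPendingChanges()) {
            jackrabbitSession.save();
        }
        return user.getID();
    }

    /** Returns a minimal {@link Principal} with the given name. */
    private static Principal principalNamed(final String name) {
        return new Principal() {
            @Override
            public String getName() {
                return name;
            }
        };
    }

    /**
     * Returns the {@code dam-mac-replication} group, creating it under {@code mac} and nesting
     * it into {@code dam-users} on first use. The {@code dam-users} group is looked up before
     * anything is created so a failure leaves no half-created group in the session.
     *
     * @throws IllegalStateException if {@code dam-users} is missing or not a group, or if an
     *                               authorizable named {@code dam-mac-replication} exists but
     *                               is not a group
     */
    private static Group createGroup(UserManager userManager) throws RepositoryException {
        Authorizable existing = userManager.getAuthorizable(REPLICATION_GROUP_ID);
        if (existing instanceof Group) {
            return (Group) existing;
        }
        if (existing != null) {
            throw new IllegalStateException(REPLICATION_GROUP_ID + " exists but is not a group");
        }

        Authorizable damUsers = userManager.getAuthorizable(DAM_USERS_GROUP_ID);
        if (damUsers == null) {
            throw new IllegalStateException("dam-users group is missing");
        }
        if (!(damUsers instanceof Group)) {
            throw new IllegalStateException("dam-users should be a group");
        }
        Group parent = (Group) damUsers;

        LOG.info("Creating Group {}", REPLICATION_GROUP_ID);
        Group created = userManager.createGroup(principalNamed(REPLICATION_GROUP_ID), REPLICATION_GROUP_INTERMEDIATE_PATH);
        if (!parent.isMember(created)) {
            parent.addMember(created);
        }
        return created;
    }
}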
