package com.adobe.cq.cdn.rewriter.impl;

import com.adobe.granite.oauth.jwt.JwsValidator;
import java.io.IOException;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.Set;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringUtils;
import org.apache.oltu.oauth2.jwt.JWT;
import org.apache.oltu.oauth2.jwt.io.JWTReader;
import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;
import org.apache.sling.jcr.api.SlingRepository;
import org.osgi.framework.ServiceRegistration;
import org.osgi.service.component.ComponentContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/adobe/cq/cdn/rewriter/impl/CDNAuthenticationHandler.class */
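/**
 * Sling authentication handler and servlet filter that authenticates GET requests carrying a
 * signed {@code cdn_sign} request parameter.
 *
 * <p>When the parameter passes {@link JwsValidator#validate}, has the subject {@code "url"} and a
 * {@code path} claim equal to the request's servlet path, the request is served with a session
 * obtained through {@code loginService("cdn-service", null)}. The same instance is registered as a
 * {@link Filter} so that it can log that session out once the request has been processed.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The token is a URL parameter, so it can end up in access logs, browser history and
 *       {@code Referer} headers. Nothing in this class checks an expiry claim; whether expiry is
 *       enforced depends on {@code JwsValidator.validate}, which is not visible here (confirm).</li>
 *   <li>Only the servlet path is bound to the token. Query string, selectors carried outside the
 *       servlet path and any {@code getPathInfo()} portion are not compared (confirm how the
 *       container splits the path for this deployment).</li>
 *   <li>A successful match grants the full rights of the {@code cdn-service} service user for the
 *       request, so that user's ACLs are the effective authorization boundary.</li>
 * </ul>
 */
class CDNAuthenticationHandler implements AuthenticationHandler, Filter {
    private static final String PROP_FILTER_SCOPE = "sling.filter.scope";
    private static final String AUTH_INFO_SESSION_KEY = "user.jcr.session";
    private static final String AUTH_TYPE = "CDNServiceAuth";
    private static final String PARAM_SIGNATURE = "cdn_sign";
    private static final String EXPECTED_SUBJECT = "url";
    private static final String CLAIM_PATH = "path";
    private static final String SERVICE_USER_MAPPING = "cdn-service";
    private final SlingRepository repository;
    private final JwsValidator jwsValidator;
    private static final String SESSION_REQ_ATTR = CDNAuthenticationHandler.class.getName() + ".session";
    private static final Logger log = LoggerFactory.getLogger(CDNAuthenticationHandler.class);
    // Registrations created by registerService(); emptied again by unregisterService().
    // NOTE(review): plain HashSet in a static field; assumes register/unregister are not called concurrently.
    private static final Set<ServiceRegistration> serviceRegistrations = new HashSet<ServiceRegistration>();

    /**
     * Creates a handler backed by the given repository and signature validator.
     *
     * @param slingRepository repository used to open the service session
     * @param jwsValidator validator applied to the {@code cdn_sign} parameter
     */
    public CDNAuthenticationHandler(SlingRepository slingRepository, JwsValidator jwsValidator) {
        this.repository = slingRepository;
        this.jwsValidator = jwsValidator;
    }

    /**
     * Registers one handler instance both as an {@link AuthenticationHandler} and as a
     * request-scoped {@link Filter}, using the same service properties for both.
     *
     * <p>Decompiler note: this method was package-private in the original class.
     *
     * @param componentContext context whose bundle context performs the registration
     * @param strArr value stored under the {@code path} service property
     * @param slingRepository repository passed to the new handler
     * @param jwsValidator validator passed to the new handler
     */
    public static void registerService(ComponentContext componentContext, String[] strArr, SlingRepository slingRepository, JwsValidator jwsValidator) {
        Hashtable<String, Object> properties = new Hashtable<String, Object>();
        properties.put("path", strArr);
        properties.put(PROP_FILTER_SCOPE, "REQUEST");
        CDNAuthenticationHandler handler = new CDNAuthenticationHandler(slingRepository, jwsValidator);
        serviceRegistrations.add(componentContext.getBundleContext().registerService(AuthenticationHandler.class.getName(), handler, properties));
        serviceRegistrations.add(componentContext.getBundleContext().registerService(Filter.class.getName(), handler, properties));
    }

    /**
     * Unregisters every service registered through {@link #registerService} and forgets the
     * registrations, so a later call does not try to unregister them a second time.
     *
     * <p>Decompiler note: this method was package-private in the original class.
     */
    public static void unregisterService() {
        Iterator<ServiceRegistration> it = serviceRegistrations.iterator();
        while (it.hasNext()) {
            ServiceRegistration registration = it.next();
            try {
                registration.unregister();
            } catch (IllegalStateException e) {
                // unregister() throws when the registration is already gone; keep going so the
                // remaining registrations are still released.
                log.debug("Service registration was already unregistered", e);
            } finally {
                it.remove();
            }
        }
    }

    /**
     * Authenticates a GET request from its {@code cdn_sign} parameter.
     *
     * @param httpServletRequest the incoming request
     * @param httpServletResponse the response (unused)
     * @return authentication info carrying a {@code cdn-service} session, or {@code null} when the
     *     request is not a GET, has no signature parameter, fails validation, has an unexpected
     *     subject or path claim, or the service login fails
     */
    @Override
    public AuthenticationInfo extractCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (!"GET".equals(httpServletRequest.getMethod())) {
            log.debug("Not a GET request, returning");
            return null;
        }
        log.debug("Request uri = {}", httpServletRequest.getRequestURI());
        String parameter = httpServletRequest.getParameter(PARAM_SIGNATURE);
        if (StringUtils.isEmpty(parameter)) {
            log.debug("Signature param not found, returning");
            return null;
        }
        if (!this.jwsValidator.validate(parameter)) {
            // The parameter is unauthenticated client input at this point. Writing it verbatim
            // into the log would let a caller inject arbitrary text (including line breaks) and
            // would copy token material into log files, so only its length and the URI are logged.
            log.error("Invalid JWS in {} parameter (length {}) for {}", PARAM_SIGNATURE, parameter.length(), httpServletRequest.getRequestURI());
            return null;
        }
        // Claims are read only after validate() accepted the token.
        JWT jwt = (JWT) new JWTReader().read(parameter);
        String subject = jwt.getClaimsSet().getSubject();
        if (!EXPECTED_SUBJECT.equals(subject)) {
            log.error("Subject {} doesn't match expected value {}", subject, EXPECTED_SUBJECT);
            return null;
        }
        String signedPath = (String) jwt.getClaimsSet().getCustomField(CLAIM_PATH, String.class);
        // A missing path claim yields null here and is rejected by equals().
        // NOTE(review): only getServletPath() is bound to the token; confirm no part of the
        // resource path is delivered through getPathInfo() in this deployment.
        if (!httpServletRequest.getServletPath().equals(signedPath)) {
            log.error("Requested path {} doesn't match path in jwt {} ", httpServletRequest.getServletPath(), signedPath);
            return null;
        }
        try {
            Session serviceSession = this.repository.loginService(SERVICE_USER_MAPPING, (String) null);
            // Remembered on the request so doFilter() can log the session out afterwards.
            // NOTE(review): if the filter is never invoked for this request, nothing in this
            // class closes the session - confirm the filter always runs for handled paths.
            httpServletRequest.setAttribute(SESSION_REQ_ATTR, serviceSession);
            AuthenticationInfo authenticationInfo = new AuthenticationInfo(AUTH_TYPE);
            authenticationInfo.put(AUTH_INFO_SESSION_KEY, serviceSession);
            return authenticationInfo;
        } catch (RepositoryException e) {
            log.error("Could not authenticate CDN request for {}", httpServletRequest.getRequestURI(), e);
            return null;
        }
    }

    /**
     * Never requests credentials from the client.
     *
     * @return always {@code false}
     */
    @Override
    public boolean requestCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        return false;
    }

    /** No-op: this handler keeps no credentials on the client that could be dropped. */
    @Override
    public void dropCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
    }

    /** No-op: the filter needs no configuration. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /**
     * Runs the rest of the filter chain and then logs out the service session that
     * {@link #extractCredentials} attached to the request, if there is one.
     *
     * <p>The logout happens in a {@code finally} block so the session is released even when the
     * chain throws; otherwise every failing request would leave a service session open.
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        Session session = (Session) servletRequest.getAttribute(SESSION_REQ_ATTR);
        if (session != null) {
            // Removed before the chain runs so downstream code cannot pick the session up from
            // the request attributes.
            servletRequest.removeAttribute(SESSION_REQ_ATTR);
        }
        try {
            filterChain.doFilter(servletRequest, servletResponse);
        } finally {
            if (session != null) {
                session.logout();
            }
        }
    }

    /** No-op: the filter holds no resources of its own. */
    @Override
    public void destroy() {
    }
}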
