package com.day.cq.auth.impl;

import com.adobe.granite.auth.requirement.impl.Constants;
import java.io.IOException;
import java.io.PrintWriter;
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Dictionary;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.codec.binary.Base64;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.api.resource.ResourceUtil;
import org.apache.sling.auth.core.AuthUtil;
import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;
import org.apache.sling.xss.XSSAPI;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceRegistration;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.component.annotations.Deactivate;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.propertytypes.ServiceDescription;
import org.osgi.service.component.propertytypes.ServiceVendor;
import org.osgi.service.metatype.annotations.AttributeDefinition;
import org.osgi.service.metatype.annotations.Designate;
import org.osgi.service.metatype.annotations.ObjectClassDefinition;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Component(name = "com.day.cq.wcm.foundation.impl.HTTPAuthHandler", configurationPolicy = ConfigurationPolicy.REQUIRE, service = {})
@ServiceDescription("HTTP Basic Authentication Handler")
@ServiceVendor(Constants.VENDOR)
@Designate(ocd = Config.class)
/* loaded from: input_file:com/day/cq/auth/impl/HTTPAuthHandler.class */
public class HTTPAuthHandler implements AuthenticationHandler {
    private final Logger log = LoggerFactory.getLogger(getClass().getName());
    static final String REQUEST_LOGIN_PARAMETER = "sling:authRequestLogin";
    private static final String HEADER_WWW_AUTHENTICATE = "WWW-Authenticate";
    private static final String HEADER_AUTHORIZATION = "Authorization";
    private static final String AUTHENTICATION_SCHEME_BASIC = "Basic";
    static final String LOGIN_FORCED_FLAG = "cq.authhandler.dologin";

    @Reference
    private ResourceResolverFactory resolverFactory;

    @Reference
    private XSSAPI xssAPI;
    private boolean noLoginForm;
    private String realm;
    private String defaultLoginPage;
    private String[] formSupportingUserAgents;
    private String[] utf8EncodingUserAgents;
    private ServiceRegistration<AuthenticationHandler> registration;
    private volatile Map<String, Object> props;
    private volatile Config configuration;

    @ObjectClassDefinition(name = "Adobe Granite HTTP Header Authentication Handler", description = "Implements the authorization steps based on the Authorization header of the HTTP request. This authenticator supports the BASIC authentication method.")
    /* loaded from: input_file:com/day/cq/auth/impl/HTTPAuthHandler$Config.class */
    public @interface Config {
        @AttributeDefinition(name = "Path", description = "Repository path for which this authentication handler should be used by Sling. If this is empty, the authentication handler will be disabled.")
        String[] path() default {"/"};

        @AttributeDefinition(name = "Disable Login Page", description = "Check this if the Login Page of this authenticator  should be disabled or not. If not checked, the loing page is returned if a  request to a page triggers the login mechanism. If this is checked, then  login page is only returned if explicitly requested (for example by the  login servlet at \"/bin/login.html\"). In author systems, this property is  generally not checked, while on publish systems this property is checked to  prevent presenting casual users with the login form.")
        boolean auth_http_nologin() default false;

        @AttributeDefinition(name = "HTTP Realm", description = "Name of the HTTP realm - this name is displayed in then login window to the user (and is a key for the client to cache the credentials).")
        String auth_http_realm() default "Adobe AEM";

        @AttributeDefinition(name = "Default Login Page", description = "Absolute path of the page to use to display the default login form. This page is rendered if no Closed User Group applies or the applicable Closed User Group does not declare its own login page. This property is used to render the page as is in an HTTP GET request. As such the value must included any necessary request extension such as \".html\". The default value of this property is \"/login\", which is a vanity URL.")
        String auth_default_loginpage() default "/libs/cq/core/content/login.html";

        @AttributeDefinition(name = "Login Form Clients", description = "Lists identifiers of clients which are known to support form based HTTP (Basic) authentication. Such authentication presents a form and uses AJAX requests to validate the user name and password and assumes the client caches this information. This is only known to work in Firefox and some Internet Explorer browsers. The default value for this property therefore is [ \"Firefox\", \"Shiretoko\", \"MSIE 7\", \"MSIE 6\" ]. Changing this value is strongly discouraged because it may prevent login. All browsers not supporting form based HTTP (Basic) authentication will use regular HTTP (Basic) authentication using the 401/UNAUTHORIZED status code and the regular browser password dialog.\n")
        String[] auth_cred_form() default {"Firefox", "Shiretoko", "MSIE 7", "MSIE 6"};

        @AttributeDefinition(name = "UTF-8 Credentials", description = "Lists identifiers of clients which are known to encode non-ASCII credentials using UTF-8 character encoding. Clients whose User-Agent header does not contain one of the listed identifiers are assumed to encode the credentials using ISO-8859-1 character encoding. The default list of clients is [ \"Firefox\", \"Shiretoko\", \"Chrome\", \"Opera\", \"curl\", \"Wget\" ].")
        String[] auth_cred_utf8() default {"Firefox", "Shiretoko", "Chrome", "Opera", "curl", "Wget"};
    }

    public AuthenticationInfo extractCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        AuthenticationInfo extractAuthentication = extractAuthentication(httpServletRequest);
        if (extractAuthentication != null) {
            return extractAuthentication;
        }
        if (forceAuthentication(httpServletRequest, httpServletResponse)) {
            return AuthenticationInfo.DOING_AUTH;
        }
        return null;
    }

    public boolean requestCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        String str;
        String str2;
        if (httpServletResponse.isCommitted()) {
            this.log.error("requestAuthentication: Response is committed, cannot request authentication");
            return true;
        }
        httpServletResponse.resetBuffer();
        if (httpServletRequest.getParameter(REQUEST_LOGIN_PARAMETER) != null) {
            httpServletResponse.sendError(403);
            httpServletResponse.flushBuffer();
            return true;
        }
        if (!doLoginForm(httpServletRequest)) {
            this.log.debug("requestAuthentication: Not authenticating here because login form is disabled and cq.authhandler.dologin request attribute is not set");
            return false;
        }
        if (!isLoginFormClient(httpServletRequest)) {
            sendUnauthorized(httpServletRequest, httpServletResponse);
            return true;
        }
        String loginPage = getLoginPage(httpServletRequest);
        if (loginPage == null) {
            loginPage = getDefaultLoginPage();
            str = "requestAuthentication: Using default login page ({})";
        } else {
            str = "requestAuthentication: Using login page: {}";
        }
        if (isLoginFormLoop(httpServletRequest, loginPage)) {
            this.log.warn("requestAuthentication: Authentication loop detected, sending 401/UNAUTHENICATED to force browser based authentication");
            this.log.warn("requestAuthentication: Authentication loop reason: Wrong login page configuration or credentials not accepted for login");
            sendUnauthorized(httpServletRequest, httpServletResponse);
            return true;
        }
        if (httpServletRequest.getContextPath() != null && !loginPage.startsWith(httpServletRequest.getContextPath())) {
            loginPage = httpServletRequest.getContextPath() + loginPage;
        }
        String parameter = httpServletRequest.getParameter("resource");
        if (parameter == null) {
            parameter = httpServletRequest.getRequestURI();
            str2 = "requestAuthentication: Using current request as post-login target: {}";
        } else if (AuthUtil.isRedirectValid(httpServletRequest, parameter)) {
            str2 = "requestAuthentication: Reusing post-login target from request parameter: {}";
        } else {
            parameter = "/";
            str2 = "requestAuthentication: Post-login target {} is invalid; using '/'";
        }
        if (this.log.isDebugEnabled()) {
            this.log.debug(str, loginPage);
            this.log.debug(str2, parameter);
        }
        httpServletResponse.setContentType("text/html");
        httpServletResponse.setCharacterEncoding("UTF-8");
        httpServletResponse.setHeader("Cache-control", "no-cache");
        httpServletResponse.addHeader("Cache-control", "no-store");
        httpServletResponse.setHeader("Dispatcher", "no-cache");
        httpServletResponse.setHeader("Pragma", "no-cache");
        httpServletResponse.setHeader("Expires", "0");
        PrintWriter writer = httpServletResponse.getWriter();
        writer.write("<html><head><script type=\"text/javascript\">");
        writer.write("var u=\"");
        writer.write(this.xssAPI.encodeForJSString(loginPage));
        writer.write("?resource=");
        writer.write(this.xssAPI.encodeForJSString(parameter));
        writer.write("\"; if ( window.location.hash) {");
        writer.write("u = u + window.location.hash;");
        writer.write("} document.location = u;");
        writer.write("</script></head><body>");
        writer.write("<!-- QUICKSTART_HOMEPAGE - (string used for readyness detection, do not remove) -->");
        writer.write("</body></html>");
        httpServletResponse.flushBuffer();
        return true;
    }

    public void dropCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        if (httpServletRequest.getHeader(HEADER_AUTHORIZATION) != null) {
            requestCredentials(httpServletRequest, httpServletResponse);
        }
    }

    private String getDefaultLoginPage() {
        return this.defaultLoginPage;
    }

    private String getLoginPage(HttpServletRequest httpServletRequest) {
        return null;
    }

    public String toString() {
        return "HTTP Basic Authentication Handler";
    }

    @Activate
    protected void activate(BundleContext bundleContext, Map<String, Object> map, Config config) {
        configure(map, config);
        ResourceResolver resourceResolver = null;
        try {
            try {
                resourceResolver = this.resolverFactory.getResourceResolver((Map) null);
                this.registration = bundleContext.registerService(AuthenticationHandler.class, this, getProperties(resourceResolver));
                if (resourceResolver != null) {
                    resourceResolver.close();
                }
            } catch (LoginException e) {
                this.log.error("bindRepository: Failed logging in, cannot handle Closed User Groups", e);
                if (resourceResolver != null) {
                    resourceResolver.close();
                }
            }
        } catch (Throwable th) {
            if (resourceResolver != null) {
                resourceResolver.close();
            }
            throw th;
        }
    }

    private void configure(Map<String, Object> map, Config config) {
        this.noLoginForm = config.auth_http_nologin();
        this.realm = config.auth_http_realm();
        this.defaultLoginPage = config.auth_default_loginpage();
        this.formSupportingUserAgents = config.auth_cred_form();
        this.utf8EncodingUserAgents = config.auth_cred_utf8();
        this.log.debug("configure: realm='{}', loginPage='{}'", this.realm, this.defaultLoginPage);
        this.props = map;
        this.configuration = config;
    }

    @Deactivate
    protected void deactivate() {
        if (this.registration != null) {
            this.registration.unregister();
            this.registration = null;
        }
    }

    private Dictionary<String, Object> getProperties(ResourceResolver resourceResolver) {
        Hashtable hashtable = new Hashtable();
        hashtable.putAll(this.props);
        ArrayList arrayList = new ArrayList();
        HashSet hashSet = new HashSet();
        hashSet.add("-" + toRawPath(getDefaultLoginPage(), resourceResolver));
        String[] path = this.configuration.path();
        if (path != null) {
            arrayList.addAll(Arrays.asList(path));
        }
        hashtable.put("sling.auth.requirements", hashSet.toArray(new String[hashSet.size()]));
        hashtable.put("path", arrayList.toArray(new String[arrayList.size()]));
        return hashtable;
    }

    private static String toRawPath(String str, ResourceResolver resourceResolver) {
        if (resourceResolver != null) {
            Resource resolve = resourceResolver.resolve(str);
            if (!ResourceUtil.isNonExistingResource(resolve)) {
                return resourceResolver.map(resolve.getPath());
            }
        }
        return str;
    }

    private AuthenticationInfo extractAuthentication(HttpServletRequest httpServletRequest) {
        String trim;
        int indexOf;
        String substring;
        char[] charArray;
        String header = httpServletRequest.getHeader(HEADER_AUTHORIZATION);
        if (((header == null || header.length() == 0) && (header == null || header.length() == 0)) || (indexOf = (trim = header.trim()).indexOf(32)) <= 0) {
            return null;
        }
        String substring2 = trim.substring(0, indexOf);
        String trim2 = trim.substring(indexOf).trim();
        if (!substring2.equalsIgnoreCase(AUTHENTICATION_SCHEME_BASIC)) {
            return null;
        }
        try {
            String str = new String(Base64.decodeBase64(trim2.getBytes("ISO-8859-1")), getCredentialsEncoding(httpServletRequest));
            int indexOf2 = str.indexOf(58);
            if (indexOf2 < 0) {
                substring = str;
                charArray = new char[0];
            } else {
                substring = str.substring(0, indexOf2);
                charArray = str.substring(indexOf2 + 1).toCharArray();
            }
            return new AuthenticationInfo("BASIC", substring, charArray);
        } catch (UnsupportedEncodingException e) {
            this.log.error("extractAuthentication: Cannot en/decode authentication info", e);
            return null;
        }
    }

    private boolean forceAuthentication(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        boolean z = false;
        if (httpServletRequest.getParameter(REQUEST_LOGIN_PARAMETER) == null) {
            this.log.debug("forceAuthentication: Not forcing authentication because request parameter {} is not set", REQUEST_LOGIN_PARAMETER);
        } else if (httpServletResponse.isCommitted()) {
            this.log.error("forceAuthentication: Response is committed, cannot request authentication");
        } else {
            z = sendUnauthorized(httpServletRequest, httpServletResponse);
        }
        return z;
    }

    private boolean sendUnauthorized(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (httpServletResponse.isCommitted()) {
            this.log.debug("sendUnauthorized: Response committed, cannot send 401/UNAUTHORIZED");
            return false;
        }
        httpServletResponse.reset();
        httpServletResponse.setStatus(401);
        httpServletResponse.setHeader(HEADER_WWW_AUTHENTICATE, "Basic realm=\"" + this.realm + "\"");
        try {
            httpServletResponse.flushBuffer();
            return true;
        } catch (IOException e) {
            this.log.error("sendUnauthorized: Failed requesting authentication", e);
            return false;
        }
    }

    private boolean doLoginForm(HttpServletRequest httpServletRequest) {
        return (httpServletRequest.getAttribute(LOGIN_FORCED_FLAG) == null && this.noLoginForm) ? false : true;
    }

    private boolean isLoginFormClient(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader("User-Agent");
        if (userAgentMatch(header, this.formSupportingUserAgents)) {
            this.log.debug("isLoginFormClient: Client ({}) assumed to support form based authentication", header);
            return true;
        }
        this.log.debug("isLoginFormClient: Client ({}) assumed to not support form based authentication, sending 401/UNAUTHORIZED", header);
        return false;
    }

    private boolean isLoginFormLoop(HttpServletRequest httpServletRequest, String str) {
        String contextPath = httpServletRequest.getContextPath();
        String concat = (contextPath == null || contextPath.length() == 0) ? str : contextPath.concat(str);
        if (httpServletRequest.getRequestURI().equals(concat)) {
            return true;
        }
        String header = httpServletRequest.getHeader("Referer");
        if (header == null) {
            return false;
        }
        try {
            return concat.equals(new URI(header).getPath());
        } catch (URISyntaxException e) {
            return false;
        }
    }

    private String getCredentialsEncoding(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader("User-Agent");
        if (userAgentMatch(header, this.utf8EncodingUserAgents)) {
            this.log.debug("getCredentialsEncoding: User-Agent ({}) indicates UTF-8 encoding browser, using UTF-8", header);
            return "UTF-8";
        }
        this.log.debug("getCredentialsEncoding: User-Agent ({}) indicates non-UTF-8 encoding browser, using ISO-8859-1", header);
        return "ISO-8859-1";
    }

    private boolean userAgentMatch(String str, String... strArr) {
        if (str == null || strArr.length <= 0) {
            return false;
        }
        for (String str2 : strArr) {
            if (str.contains(str2)) {
                return true;
            }
        }
        return false;
    }
}
