package com.adobe.granite.auth.oauth.impl;

import com.adobe.granite.auth.oauth.ProviderConfigProperties;
import com.day.crx.security.token.TokenCookie;
import io.jsonwebtoken.Claims;
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.RequiredTypeException;
import java.io.ByteArrayInputStream;
import java.security.Key;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPublicKey;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.ArrayUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityRef;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalUser;
import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;
import org.apache.sling.auth.core.spi.DefaultAuthenticationFeedbackHandler;
import org.apache.sling.jcr.api.SlingRepository;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferencePolicyOption;
import org.osgi.service.metatype.annotations.AttributeDefinition;
import org.osgi.service.metatype.annotations.Designate;
import org.osgi.service.metatype.annotations.ObjectClassDefinition;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Designate(ocd = Config.class)
@Component(configurationPolicy = ConfigurationPolicy.REQUIRE, service = {AuthenticationHandler.class}, property = {"authtype=OAUTH", "service.description=JWT Header Authentication Handler", "service.ranking=-5"})
/* loaded from: input_file:com/adobe/granite/auth/oauth/impl/JWTAuthenticationHandler.class */
public class JWTAuthenticationHandler extends DefaultAuthenticationFeedbackHandler implements AuthenticationHandler {
    public static final String JWT_EXTERNAL_USER = "JWT_EXTERNAL_USER";
    public static final String IMS_PN_REQUEST_TOKEN = "com.adobe.granite.auth.ims.internal.request.REQUEST_TOKEN";
    public static final String IMS_PN_EXCHANGED_TOKEN = "com.adobe.granite.auth.ims.internal.request.EXCHANGED_TOKEN";
    static final String REPO_DESC_CLUSTER_ID = "crx.cluster.id";
    static final String AUTHENTICATION_HEADER = "X-AuthenticationJWT";
    static final String AUTH_TYPE = "OAUTH";
    static final String AUTHORIZATION_HEADER = "Authorization";
    static final String EXCHANGED_TOKEN_HEADER = "X-Request-Ex-Token";
    static final String PROJECTED_PRODUCT_CONTEXT = "projectedProductContext";
    private static final String BEARER_WITH_SPACE = "Bearer ";
    private static final String ENCAPSULATED_TOKEN_SCOPE_VALUE = "login";
    private static final Logger log = LoggerFactory.getLogger(JWTAuthenticationHandler.class);
    private static final String[] ATTRIBUTES = {"givenName", "familyName", "last_name", "utcOffset", "preferred_languages", "displayName", "account_type", "authId", "emailVerified", "phoneNumber", "countryCode", "name", "mrktPerm", "mrktPermEmail", "first_name", "email", "ou"};
    private static final String PROFILE_ID = "profile/id";
    private final SlingRepository repository;
    private final String idp;
    private final String expectedAudience;
    private final Key publicKey;
    private final boolean strictImsCompatibility;
    private final boolean disable;

    @ObjectClassDefinition(name = "Adobe Granite JWT Authentication Handler", description = "Adobe Granite JWT Authentication Handler Service")
    /* loaded from: input_file:com/adobe/granite/auth/oauth/impl/JWTAuthenticationHandler$Config.class */
    public @interface Config {
        @AttributeDefinition(name = "Disable", description = "Bypass the JWT Authentication Handler (returning always null).")
        boolean disable() default false;

        @AttributeDefinition(name = "Path", description = "Repository path for which this authentication handler should be used by Sling. If this is empty, the authentication handler will be disabled. By default this is set to \"/\".")
        String path() default "/";

        @AttributeDefinition(name = "Sync Handler Configuration Name", description = "Name of Sync Handler Configuration.")
        String idp() default "ims";

        @AttributeDefinition(name = "Certificate", description = "Certificate with IMS Proxy public Key.")
        String certificate() default "";

        @AttributeDefinition(name = "Audience", description = "Audience expected in AEM JWT Token.")
        String audience() default "";

        @AttributeDefinition(name = "Strict IMS backward compatibility", description = "Perform the job of the ImsRequestTokenProvider from com.adobe.granite.auth.ims.")
        boolean strict_ims_compatibility() default false;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/adobe/granite/auth/oauth/impl/JWTAuthenticationHandler$JWTExternalUser.class */
    public static final class JWTExternalUser implements ExternalUser {
        private final OAuthCredentials creds;
        private final Iterable<String> groups;
        private final String idp;

        private JWTExternalUser(@NotNull OAuthCredentials oAuthCredentials, @Nullable List<String> list, @NotNull String str) {
            this.creds = oAuthCredentials;
            this.idp = str;
            if (list != null) {
                this.groups = list;
            } else {
                this.groups = Collections.emptyList();
            }
        }

        @NotNull
        public ExternalIdentityRef getExternalId() {
            return new ExternalIdentityRef(getIdFromCredentials(), this.idp);
        }

        @NotNull
        public String getId() {
            return getIdFromCredentials();
        }

        @NotNull
        public String getPrincipalName() {
            return getIdFromCredentials();
        }

        @Nullable
        public String getIntermediatePath() {
            return null;
        }

        @NotNull
        public Iterable<ExternalIdentityRef> getDeclaredGroups() {
            ArrayList arrayList = new ArrayList();
            this.groups.forEach(str -> {
                arrayList.add(new JWTGroupRef(str, this.idp));
            });
            return arrayList;
        }

        @NotNull
        public Map<String, ?> getProperties() {
            return new HashMap();
        }

        @NotNull
        private String getIdFromCredentials() {
            Object attribute = this.creds.getAttribute(JWTAuthenticationHandler.PROFILE_ID);
            if (attribute == null) {
                throw new IllegalStateException("Identifier attribute might not be null");
            }
            return attribute.toString();
        }
    }

    /* loaded from: input_file:com/adobe/granite/auth/oauth/impl/JWTAuthenticationHandler$JWTGroupRef.class */
    private static final class JWTGroupRef extends ExternalIdentityRef {
        private JWTGroupRef(@NotNull String str, @NotNull String str2) {
            super(str, str2);
        }
    }

    @Activate
    public JWTAuthenticationHandler(@Reference(policyOption = ReferencePolicyOption.GREEDY) @NotNull SlingRepository slingRepository, @NotNull Config config) {
        this.disable = config.disable();
        if (this.disable) {
            log.warn("Activate: JWT authentication handler disabled.");
            this.repository = null;
            this.idp = null;
            this.expectedAudience = null;
            this.publicKey = null;
            this.strictImsCompatibility = false;
            return;
        }
        this.repository = slingRepository;
        this.idp = config.idp();
        this.expectedAudience = config.audience();
        this.strictImsCompatibility = config.strict_ims_compatibility();
        try {
            this.publicKey = readPublicKey(config.certificate());
        } catch (CertificateException e) {
            log.error("Activate: CertificateException: ", e);
            throw new IllegalStateException(e);
        }
    }

    @Nullable
    public AuthenticationInfo extractCredentials(@Nullable HttpServletRequest httpServletRequest, @Nullable HttpServletResponse httpServletResponse) {
        if (this.disable) {
            return null;
        }
        if (httpServletRequest == null) {
            log.warn("extractCredentials: Request is null.");
            return null;
        }
        String header = httpServletRequest.getHeader(AUTHENTICATION_HEADER);
        if (header == null) {
            log.debug("extractCredentials: X-AuthenticationJWT not found.");
            return null;
        }
        log.debug("extractCredentials: X-AuthenticationJWT found.");
        try {
            AuthenticationInfo handleLogin = handleLogin(header);
            if (this.strictImsCompatibility) {
                setLegacyHeaders(httpServletRequest);
            }
            return handleLogin;
        } catch (JWTAuthenticationException e) {
            log.error("extractCredentials: Unexpected Exception: ", e);
            return AuthenticationInfo.FAIL_AUTH;
        }
    }

    @Nullable
    private static String extractAccessTokenFromAuthzHeader(@NotNull HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader(AUTHORIZATION_HEADER);
        if (header == null) {
            log.trace("extractAccessTokenFromAuthzHeader: No Authorization header found.");
            return null;
        }
        String trim = header.trim();
        if (trim.isEmpty()) {
            log.debug("extractAccessTokenFromAuthzHeader: Empty Authorization header found.");
            return null;
        }
        if (trim.startsWith(BEARER_WITH_SPACE)) {
            return trim.substring(7).trim();
        }
        log.debug("extractAccessTokenFromAuthzHeader: Authorization header doesn't match the expected \"Bearer + Token\" format.");
        return null;
    }

    private static void setLegacyHeaders(@NotNull HttpServletRequest httpServletRequest) {
        String extractAccessTokenFromAuthzHeader = extractAccessTokenFromAuthzHeader(httpServletRequest);
        if (extractAccessTokenFromAuthzHeader != null) {
            log.debug("setLegacyHeaders: Header: {} is present. Setting attribute: {}", AUTHORIZATION_HEADER, IMS_PN_REQUEST_TOKEN);
            httpServletRequest.setAttribute(IMS_PN_REQUEST_TOKEN, extractAccessTokenFromAuthzHeader);
        }
        String header = httpServletRequest.getHeader(EXCHANGED_TOKEN_HEADER);
        if (header != null) {
            log.debug("setLegacyHeaders: Header: {} is present. Setting attribute: {}", EXCHANGED_TOKEN_HEADER, IMS_PN_EXCHANGED_TOKEN);
            httpServletRequest.setAttribute(IMS_PN_EXCHANGED_TOKEN, header);
        }
    }

    private static void setCredentialsAttributes(@NotNull OAuthCredentials oAuthCredentials, @NotNull String str, @NotNull String str2, @NotNull String str3, @NotNull Claims claims) {
        oAuthCredentials.setAttribute("oauth.provider.id", "ims");
        oAuthCredentials.setAttribute(ProviderConfigProperties.CONFIG_ID, "ims");
        oAuthCredentials.setAttribute(":externalId", str3);
        HashMap hashMap = new HashMap();
        hashMap.put("audience", str);
        hashMap.put("ou", str2);
        hashMap.put("serviceCode", claims.get("serviceCode"));
        oAuthCredentials.setAttribute(PROJECTED_PRODUCT_CONTEXT, hashMap);
        oAuthCredentials.setAttribute(".token", "");
        for (String str4 : ATTRIBUTES) {
            log.debug("setAttributes: setting attribute: {}", str4);
            Object obj = (String) claims.get(str4, String.class);
            if (obj != null) {
                oAuthCredentials.setAttribute("profile/" + str4, obj);
            }
        }
        oAuthCredentials.setAttribute(PROFILE_ID, str3);
    }

    private static boolean isNullOrEmpty(@Nullable String str) {
        return str == null || str.isEmpty();
    }

    @NotNull
    private AuthenticationInfo handleLogin(@NotNull String str) throws JWTAuthenticationException {
        log.debug("handleLogin: Inside handleLogin");
        try {
            try {
                Claims claims = (Claims) Jwts.parserBuilder().setSigningKey(this.publicKey).build().parse(str).getBody();
                String audience = claims.getAudience();
                if (isNullOrEmpty(audience)) {
                    throw new JWTAuthenticationException("handleLogin: Malformed JWT. Missing audience claim.");
                }
                if (!ArrayUtils.contains(audience.replace("[", "").replace("]", "").split(","), this.expectedAudience)) {
                    throw new JWTAuthenticationException(String.format("handleLogin: Invalid audience! Expected audience: %s, audience in JWT: %s", this.expectedAudience, audience));
                }
                String str2 = (String) claims.get("ou", String.class);
                if (isNullOrEmpty(str2)) {
                    throw new JWTAuthenticationException("handleLogin: Malformed JWT. Missing ou claim.");
                }
                String str3 = (String) claims.get("email", String.class);
                if (isNullOrEmpty(str3)) {
                    throw new JWTAuthenticationException("handleLogin: Malformed JWT. Missing email claim.");
                }
                String str4 = (String) claims.get("userID", String.class);
                if (isNullOrEmpty(str4)) {
                    throw new JWTAuthenticationException("handleLogin: Malformed JWT. Missing userID claim.");
                }
                OAuthCredentials oAuthCredentials = new OAuthCredentials(str3);
                setCredentialsAttributes(oAuthCredentials, this.expectedAudience, str2, str4, claims);
                AuthenticationInfo authenticationInfo = new AuthenticationInfo(AUTH_TYPE, str3);
                oAuthCredentials.setAttribute(JWT_EXTERNAL_USER, new JWTExternalUser(oAuthCredentials, (List) claims.get("groups", List.class), this.idp));
                authenticationInfo.put("user.jcr.credentials", oAuthCredentials);
                return authenticationInfo;
            } catch (RequiredTypeException e) {
                throw new JWTAuthenticationException("handleLogin: Problem casting parsed JSON values.", e);
            }
        } catch (Exception e2) {
            throw new JWTAuthenticationException("handleLogin: Failure to parse JWT token.", e2);
        }
    }

    @NotNull
    private static RSAPublicKey readPublicKey(@NotNull String str) throws CertificateException {
        return (RSAPublicKey) ((X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(str.getBytes()))).getPublicKey();
    }

    public boolean requestCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        return false;
    }

    public void dropCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
    }

    public boolean authenticationSucceeded(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationInfo authenticationInfo) {
        Object attribute;
        Object obj = authenticationInfo.get("user.jcr.credentials");
        if ((obj instanceof OAuthCredentials) && (attribute = ((OAuthCredentials) obj).getAttribute(".token")) != null) {
            String obj2 = attribute.toString();
            if (!obj2.isEmpty()) {
                String descriptor = this.repository.getDescriptor(REPO_DESC_CLUSTER_ID);
                if (isEncapsulatedToken(obj2)) {
                    descriptor = ENCAPSULATED_TOKEN_SCOPE_VALUE;
                }
                TokenCookie.update(httpServletRequest, httpServletResponse, descriptor, obj2, this.repository.getDefaultWorkspace(), true);
            }
        }
        return super.authenticationSucceeded(httpServletRequest, httpServletResponse, authenticationInfo);
    }

    protected boolean isEncapsulatedToken(String str) {
        boolean z = false;
        if (str != null && StringUtils.countMatches(str, ".") == 2 && str.startsWith("ey")) {
            z = true;
        }
        return z;
    }
}
