package com.adobe.granite.auth.oauth.impl;

import com.adobe.granite.auth.oauth.AccessTokenProvider;
import com.adobe.granite.auth.oauth.AccessTokenProviderConstants;
import com.adobe.granite.auth.oauth.AccessTokenRequestCustomizer;
import com.adobe.granite.auth.oauth.TokenValidator;
import com.adobe.granite.crypto.CryptoException;
import com.adobe.granite.crypto.CryptoSupport;
import com.adobe.granite.keystore.KeyStoreService;
import com.adobe.granite.oauth.jwt.JwsBuilder;
import com.adobe.granite.oauth.jwt.JwsBuilderFactory;
import java.io.IOException;
import java.net.URI;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.felix.scr.annotations.Activate;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.ConfigurationPolicy;
import org.apache.felix.scr.annotations.Deactivate;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.PropertyUnbounded;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.ReferenceCardinality;
import org.apache.felix.scr.annotations.ReferencePolicy;
import org.apache.felix.scr.annotations.ReferenceStrategy;
import org.apache.felix.scr.annotations.Service;
import org.apache.http.Consts;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.utils.HttpClientUtils;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.conn.socket.PlainConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.SSLContextBuilder;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.apache.http.message.BasicNameValuePair;
import org.apache.http.osgi.services.HttpClientBuilderFactory;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.commons.json.JSONException;
import org.apache.sling.commons.json.JSONObject;
import org.apache.sling.commons.osgi.PropertiesUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Service
@Component(metatype = true, name = AccessTokenProviderImpl.FACTORY_PID, configurationFactory = true, immediate = true, policy = ConfigurationPolicy.REQUIRE, label = "%auth.token.provider.name", description = "%auth.token.provider.description")
@Property(name = "webconsole.configurationFactory.nameHint", value = {"AccessTokenProvider name: {name}"})
/* loaded from: input_file:com/adobe/granite/auth/oauth/impl/AccessTokenProviderImpl.class */
public class AccessTokenProviderImpl implements AccessTokenProvider {
    public static final String FACTORY_PID = "com.adobe.granite.auth.oauth.accesstoken.provider";
    private static final String HTTPS = "https";
    private static final String HTTP = "http";

    @Property
    private static final String NAME = "name";
    private static final String DEFAULT_TITLE = "Default";

    @Property({DEFAULT_TITLE})
    private static final String TITLE = "auth.token.provider.title";

    @Property(unbounded = PropertyUnbounded.ARRAY, value = {})
    protected static final String CLAIMS = "auth.token.provider.default.claims";
    private static final String DEFAULT_END_POINT = "gateway-api.omniture.com";

    @Property({DEFAULT_END_POINT})
    protected static final String END_POINT = "auth.token.provider.endpoint";
    private static final String DEFAULT_AUTHORIZATION_GRANTS_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer";

    @Property(propertyPrivate = true, value = {DEFAULT_AUTHORIZATION_GRANTS_TYPE})
    protected static final String AUTHORIZATION_GRANTS_TYPE = "auth.token.provider.authorization.grants";
    private static final String DEFAULT_ACCESS_TOKEN_REQ_FORMAT = "https://%s/token";

    @Property({DEFAULT_ACCESS_TOKEN_REQ_FORMAT})
    protected static final String ACCESS_TOKEN_REQ_FORMAT = "auth.access.token.request";
    private static final String DEFAULT_KEYPAIR_ALIAS = "access-token-key-pair";

    @Property({DEFAULT_KEYPAIR_ALIAS})
    protected static final String KEYPAIR_ALIAS = "auth.token.provider.keypair.alias";
    private static final String DEFAULT_ALGORITHM = "RS256";

    @Property(propertyPrivate = true, value = {DEFAULT_ALGORITHM})
    protected static final String ALGORITHM = "auth.token.provider.algorithm";
    private static final String DEFAULT_ACCESS_TOKEN_PATH_FORMAT = "oauth/oauthid-%s";
    private static final int DEFAULT_CONNECTION_TIMEOUT = 30000;

    @Property(intValue = {30000})
    protected static final String CONNECTION_TIMEOUT = "auth.token.provider.conn.timeout";
    private static final int DEFAULT_SO_TIMEOUT = 30000;

    @Property(intValue = {30000})
    protected static final String SO_TIMEOUT = "auth.token.provider.so.timeout";
    private static final String DEFAULT_CLIENT_ID = "TestClient";

    @Property({DEFAULT_CLIENT_ID})
    protected static final String CLIENT_ID = "auth.token.provider.client.id";
    private static final String DEFAULT_SCOPE = "";

    @Property({""})
    protected static final String SCOPE = "auth.token.provider.scope";
    private static final boolean DEFAULT_REUSE_ACCESS_TOKENS = true;

    @Property(boolValue = {true})
    protected static final String REUSE_ACCESS_TOKENS = "auth.token.provider.reuse.access.token";
    private static final boolean DEFAULT_RELAXED_SSL = false;

    @Property(boolValue = {false})
    protected static final String RELAXED_SSL = "auth.token.provider.relaxed.ssl";
    private static final String DEFAULT_ACCESS_TOKEN_REQUEST_CUSTOMIZER_TYPE = "default";

    @Property(value = {"default"}, label = "%auth.token.request.customizer.name", description = "%auth.token.request.customizer.description")
    public static final String ACCESS_TOKEN_REQUEST_CUSTOMIZER_TYPE = "token.request.customizer.type";
    private static final String DEFAULT_TOKEN_VALIDATOR_TYPE = "default";

    @Property(value = {"default"}, name = "auth.token.validator.type")
    public static final String TOKEN_VALIDATOR_TYPE = "auth.token.validator.type";
    private static final int CLAIM_MAX_VALIDITY_TIME = 600;

    @Reference
    private CryptoSupport cryptoSupport;

    @Reference
    private KeyStoreService keyStoreService;

    @Reference
    private JwsBuilderFactory jwsBuilderFactory;

    @Reference
    private HttpClientBuilderFactory httpClientBuilderFactory;
    private CloseableHttpClient httpClient;
    private PoolingHttpClientConnectionManager connectionManager;
    private String authorizationGrantType;
    private String keyPairAlias;
    private String algorithm;
    private String clientId;
    private String scope;
    private boolean reuseAccessTokens;
    private String relativeUri;
    private String accessTokenRequestCustomizerType;
    private String tokenValidatorType;
    private static final Logger log = LoggerFactory.getLogger(AccessTokenProvider.class);
    private static final String[] DEFAULT_CLAIMS = new String[0];

    @Reference(referenceInterface = AccessTokenRequestCustomizer.class, policy = ReferencePolicy.DYNAMIC, cardinality = ReferenceCardinality.MANDATORY_MULTIPLE, strategy = ReferenceStrategy.EVENT, bind = "bindAccessTokenRequestCustomizer", unbind = "unbindAccessTokenRequestCustomizer")
    private Map<String, AccessTokenRequestCustomizer> availableTokenRequestCustomizers = new ConcurrentHashMap();

    @Reference(referenceInterface = TokenValidator.class, policy = ReferencePolicy.DYNAMIC, cardinality = ReferenceCardinality.MANDATORY_MULTIPLE, strategy = ReferenceStrategy.EVENT, bind = "bindTokenValidator", unbind = "unbindTokenValidator")
    private Map<String, TokenValidator> availableTokenValidators = new ConcurrentHashMap();
    private Map<String, Object> defaultClaims = new HashMap();

    @Activate
    protected void activate(Map<String, Object> map) throws Exception {
        this.defaultClaims.clear();
        try {
            this.defaultClaims = jsonToMap(claimsAsJson(PropertiesUtil.toStringArray(map.get(CLAIMS), DEFAULT_CLAIMS)));
        } catch (JSONException e) {
            log.error("Default claims have invalid format. Error={}", e.toString());
        }
        this.authorizationGrantType = PropertiesUtil.toString(map.get(AUTHORIZATION_GRANTS_TYPE), DEFAULT_AUTHORIZATION_GRANTS_TYPE);
        this.keyPairAlias = PropertiesUtil.toString(map.get(KEYPAIR_ALIAS), DEFAULT_KEYPAIR_ALIAS);
        this.algorithm = PropertiesUtil.toString(map.get(ALGORITHM), DEFAULT_ALGORITHM);
        this.clientId = PropertiesUtil.toString(map.get(CLIENT_ID), DEFAULT_CLIENT_ID);
        this.scope = PropertiesUtil.toString(map.get(SCOPE), "").trim();
        String propertiesUtil = PropertiesUtil.toString(map.get(END_POINT), DEFAULT_END_POINT);
        this.reuseAccessTokens = PropertiesUtil.toBoolean(map.get(REUSE_ACCESS_TOKENS), true);
        String propertiesUtil2 = PropertiesUtil.toString(map.get(ACCESS_TOKEN_REQ_FORMAT), DEFAULT_ACCESS_TOKEN_REQ_FORMAT);
        int abs = Math.abs(PropertiesUtil.toInteger(map.get(CONNECTION_TIMEOUT), 30000));
        int abs2 = Math.abs(PropertiesUtil.toInteger(map.get(SO_TIMEOUT), 30000));
        boolean z = PropertiesUtil.toBoolean(map.get(RELAXED_SSL), false);
        this.accessTokenRequestCustomizerType = PropertiesUtil.toString(map.get(ACCESS_TOKEN_REQUEST_CUSTOMIZER_TYPE), "default");
        this.tokenValidatorType = PropertiesUtil.toString(map.get("auth.token.validator.type"), "default");
        URI uri = new URI(String.format(propertiesUtil2, propertiesUtil));
        if (!HTTPS.equals(uri.getScheme())) {
            log.error("Communication with authorization server requires HTTPS");
            throw new IllegalArgumentException("Communication with authorization server requires HTTPS");
        }
        this.relativeUri = uri.toString();
        HttpClientBuilder newBuilder = this.httpClientBuilderFactory.newBuilder();
        if (z) {
            log.info("Enable relaxed SSL");
            log.warn("Do not use relaxed SSL in production");
            SSLContextBuilder sSLContextBuilder = new SSLContextBuilder();
            sSLContextBuilder.loadTrustMaterial((KeyStore) null, new TrustSelfSignedStrategy());
            SSLConnectionSocketFactory sSLConnectionSocketFactory = new SSLConnectionSocketFactory(sSLContextBuilder.build(), SSLConnectionSocketFactory.ALLOW_ALL_HOSTNAME_VERIFIER);
            this.connectionManager = new PoolingHttpClientConnectionManager(RegistryBuilder.create().register(HTTPS, sSLConnectionSocketFactory).register(HTTP, PlainConnectionSocketFactory.getSocketFactory()).build());
            newBuilder.setSSLSocketFactory(sSLConnectionSocketFactory);
        } else {
            this.connectionManager = new PoolingHttpClientConnectionManager();
        }
        newBuilder.setConnectionManager(this.connectionManager);
        RequestConfig.Builder custom = RequestConfig.custom();
        custom.setConnectTimeout(abs);
        custom.setSocketTimeout(abs2);
        newBuilder.setDefaultRequestConfig(custom.build());
        this.httpClient = newBuilder.build();
        log.info("activating provider");
    }

    @Deactivate
    protected void deactivate() throws Exception {
        HttpClientUtils.closeQuietly(this.httpClient);
        this.availableTokenRequestCustomizers.clear();
        this.availableTokenValidators.clear();
        log.info("deactivating provider");
        if (this.connectionManager != null) {
            try {
                this.connectionManager.close();
            } catch (Exception e) {
            }
            this.connectionManager = null;
        }
    }

    @Override // com.adobe.granite.auth.oauth.AccessTokenProvider
    public String getAccessToken(ResourceResolver resourceResolver, String str, Map<String, ?> map) throws CryptoException, IOException, NullPointerException {
        TokenValidator tokenValidator;
        String str2 = null;
        if (this.reuseAccessTokens && (tokenValidator = this.availableTokenValidators.get(this.tokenValidatorType)) != null) {
            synchronized (this) {
                str2 = internalGetAndValidateAccessToken(resourceResolver, str, tokenValidator);
                if (str2 == null) {
                    str2 = tradeAccessToken(resourceResolver, str, map);
                    try {
                        internalStoreAccessToken(resourceResolver, str, str2);
                    } catch (RepositoryException e) {
                        log.debug("Could not store an access token for the user: {}", str, e);
                        str2 = internalGetAndValidateAccessToken(resourceResolver, str, tokenValidator);
                        if (str2 == null) {
                            log.warn("No valid access token found for the user: {}", str, e);
                        }
                    }
                }
            }
        }
        return str2 != null ? str2 : tradeAccessToken(resourceResolver, str, map);
    }

    protected void bindAccessTokenRequestCustomizer(AccessTokenRequestCustomizer accessTokenRequestCustomizer, Map<?, ?> map) {
        this.availableTokenRequestCustomizers.put((String) map.get(AccessTokenRequestCustomizer.CUSTOMIZER_TYPE_PROPERTY), accessTokenRequestCustomizer);
    }

    protected void unbindAccessTokenRequestCustomizer(AccessTokenRequestCustomizer accessTokenRequestCustomizer, Map<?, ?> map) {
        this.availableTokenRequestCustomizers.remove((String) map.get(AccessTokenRequestCustomizer.CUSTOMIZER_TYPE_PROPERTY));
    }

    protected void bindTokenValidator(TokenValidator tokenValidator, Map<?, ?> map) {
        this.availableTokenValidators.put((String) map.get("auth.token.validator.type"), tokenValidator);
    }

    protected void unbindTokenValidator(TokenValidator tokenValidator, Map<?, ?> map) {
        this.availableTokenValidators.remove((String) map.get("auth.token.validator.type"));
    }

    private String tradeAccessToken(ResourceResolver resourceResolver, String str, Map<String, ?> map) throws CryptoException, IOException, NullPointerException {
        log.info("requires a new access token");
        return tradeAccessToken(this.relativeUri, buildJwt(resourceResolver, str, map));
    }

    private String buildJwt(ResourceResolver resourceResolver, String str, Map<String, ?> map) throws CryptoException {
        JwsBuilder expiresIn = this.jwsBuilderFactory.getInstance(this.algorithm, this.keyStoreService.getKeyStoreKeyPair(resourceResolver, str, this.keyPairAlias).getPrivate()).setExpiresIn(600L);
        for (Map.Entry<String, Object> entry : this.defaultClaims.entrySet()) {
            expiresIn.setCustomClaimsSetField(entry.getKey(), entry.getValue());
        }
        if (map != null) {
            for (Map.Entry<String, ?> entry2 : map.entrySet()) {
                expiresIn.setCustomClaimsSetField(entry2.getKey(), entry2.getValue());
            }
        }
        return expiresIn.build();
    }

    private String internalGetAndValidateAccessToken(ResourceResolver resourceResolver, String str, TokenValidator tokenValidator) {
        resourceResolver.refresh();
        String internalGetAccessToken = internalGetAccessToken(resourceResolver, str);
        if (internalGetAccessToken == null || !tokenValidator.isValid(internalGetAccessToken)) {
            return null;
        }
        return internalGetAccessToken;
    }

    private String internalGetAccessToken(ResourceResolver resourceResolver, String str) {
        Value[] property;
        try {
            User user = getUser((UserManager) resourceResolver.adaptTo(UserManager.class), str);
            if (user == null) {
                return null;
            }
            String accessTokenPath = getAccessTokenPath(this.clientId);
            if (!user.hasProperty(accessTokenPath) || (property = user.getProperty(accessTokenPath)) == null || property[0] == null) {
                return null;
            }
            return unprotect(property[0].getString());
        } catch (RepositoryException e) {
            log.error("error while looking for access token for the user: {}", str, e);
            return null;
        }
    }

    private void internalStoreAccessToken(ResourceResolver resourceResolver, String str, String str2) throws RepositoryException {
        UserManager userManager = (UserManager) resourceResolver.adaptTo(UserManager.class);
        User user = getUser(userManager, str);
        if (user != null) {
            Session session = (Session) resourceResolver.adaptTo(Session.class);
            user.setProperty(getAccessTokenPath(this.clientId), session.getValueFactory().createValue(protect(str2)));
            if (userManager.isAutoSave()) {
                return;
            }
            session.save();
        }
    }

    private User getUser(UserManager userManager, String str) throws RepositoryException {
        User authorizable = userManager.getAuthorizable(str);
        if (authorizable instanceof User) {
            return authorizable;
        }
        log.warn("authorizable {} does not exist or is not a User", str);
        return null;
    }

    /* JADX WARN: Multi-variable type inference failed */
    private String tradeAccessToken(String str, String str2) throws IOException {
        Map map;
        Map map2;
        Map hashMap = new HashMap();
        hashMap.put(AccessTokenProviderConstants.GRANT_TYPE, this.authorizationGrantType);
        hashMap.put(AccessTokenProviderConstants.CLIENT_ID, this.clientId);
        hashMap.put(AccessTokenProviderConstants.SCOPE, this.scope);
        hashMap.put(AccessTokenProviderConstants.ASSERTION, str2);
        Map hashMap2 = new HashMap();
        HashMap hashMap3 = new HashMap();
        hashMap3.put(AccessTokenProviderConstants.CONTEXT_HEADERS, new HashMap(hashMap2));
        hashMap3.put(AccessTokenProviderConstants.CONTEXT_JWT, str2);
        hashMap3.put(AccessTokenProviderConstants.CONTEXT_PARAMETERS, new HashMap(hashMap));
        hashMap3.put(AccessTokenProviderConstants.CONTEXT_URI, str);
        AccessTokenRequestCustomizer accessTokenRequestCustomizer = this.availableTokenRequestCustomizers.get(this.accessTokenRequestCustomizerType);
        if (accessTokenRequestCustomizer != null) {
            map = accessTokenRequestCustomizer.getRequestParameters(hashMap3);
            if (map != null) {
                map = new HashMap(map);
            }
            map2 = accessTokenRequestCustomizer.getRequestHeaders(hashMap3);
            if (map2 != null) {
                map2 = new HashMap(map2);
            }
        } else {
            map = hashMap;
            map2 = hashMap2;
        }
        HttpPost httpPost = null;
        try {
            HttpPost httpPost2 = new HttpPost(str);
            ArrayList arrayList = new ArrayList();
            if (map != null) {
                for (Map.Entry entry : map.entrySet()) {
                    arrayList.add(new BasicNameValuePair((String) entry.getKey(), (String) entry.getValue()));
                }
            }
            if (map2 != null) {
                for (Map.Entry entry2 : map2.entrySet()) {
                    Iterator it = ((List) entry2.getValue()).iterator();
                    while (it.hasNext()) {
                        httpPost2.addHeader((String) entry2.getKey(), (String) it.next());
                    }
                }
            }
            httpPost2.setEntity(new UrlEncodedFormEntity(arrayList, Consts.UTF_8));
            CloseableHttpResponse execute = this.httpClient.execute(httpPost2);
            String iOUtils = IOUtils.toString(execute.getEntity().getContent());
            int statusCode = execute.getStatusLine().getStatusCode();
            if (statusCode != 200) {
                String format = String.format("failed to get access token from authorization server status: %s response: %s", String.valueOf(statusCode), iOUtils);
                log.error(format);
                throw new IOException(format);
            }
            String parseAccessToken = parseAccessToken(iOUtils);
            HttpClientUtils.closeQuietly(execute);
            if (httpPost2 != null) {
                httpPost2.releaseConnection();
            }
            return parseAccessToken;
        } catch (Throwable th) {
            HttpClientUtils.closeQuietly((CloseableHttpResponse) null);
            if (0 != 0) {
                httpPost.releaseConnection();
            }
            throw th;
        }
    }

    private String parseAccessToken(String str) throws IOException {
        try {
            return new JSONObject(str).getString("access_token");
        } catch (JSONException e) {
            String format = String.format("failed to parse access token: %s", e.getMessage());
            log.error(format);
            throw new IOException(format);
        }
    }

    protected Map<String, Object> getDefaultClaims() {
        return this.defaultClaims;
    }

    private String getAccessTokenPath(String str) {
        return String.format(DEFAULT_ACCESS_TOKEN_PATH_FORMAT, str);
    }

    private String protect(String str) {
        try {
            return this.cryptoSupport.protect(str);
        } catch (Exception e) {
            log.error("failed to protect access token", e);
            return null;
        }
    }

    private String unprotect(String str) {
        try {
            return this.cryptoSupport.unprotect(str);
        } catch (Exception e) {
            log.error("failed to unprotect access token", e);
            return null;
        }
    }

    private JSONObject claimsAsJson(String[] strArr) throws JSONException {
        if (strArr == null || strArr.length <= 0) {
            return null;
        }
        return new JSONObject("{" + StringUtils.join(strArr, ",") + "}");
    }

    private static Map<String, Object> jsonToMap(JSONObject jSONObject) throws JSONException {
        HashMap hashMap = new HashMap();
        if (jSONObject != null) {
            Iterator keys = jSONObject.keys();
            while (keys.hasNext()) {
                String str = (String) keys.next();
                hashMap.put(str, jSONObject.get(str));
            }
        }
        return hashMap;
    }

    protected void bindCryptoSupport(CryptoSupport cryptoSupport) {
        this.cryptoSupport = cryptoSupport;
    }

    protected void unbindCryptoSupport(CryptoSupport cryptoSupport) {
        if (this.cryptoSupport == cryptoSupport) {
            this.cryptoSupport = null;
        }
    }

    protected void bindKeyStoreService(KeyStoreService keyStoreService) {
        this.keyStoreService = keyStoreService;
    }

    protected void unbindKeyStoreService(KeyStoreService keyStoreService) {
        if (this.keyStoreService == keyStoreService) {
            this.keyStoreService = null;
        }
    }

    protected void bindJwsBuilderFactory(JwsBuilderFactory jwsBuilderFactory) {
        this.jwsBuilderFactory = jwsBuilderFactory;
    }

    protected void unbindJwsBuilderFactory(JwsBuilderFactory jwsBuilderFactory) {
        if (this.jwsBuilderFactory == jwsBuilderFactory) {
            this.jwsBuilderFactory = null;
        }
    }

    protected void bindHttpClientBuilderFactory(HttpClientBuilderFactory httpClientBuilderFactory) {
        this.httpClientBuilderFactory = httpClientBuilderFactory;
    }

    protected void unbindHttpClientBuilderFactory(HttpClientBuilderFactory httpClientBuilderFactory) {
        if (this.httpClientBuilderFactory == httpClientBuilderFactory) {
            this.httpClientBuilderFactory = null;
        }
    }
}
