package com.adobe.granite.auth.oauth.impl;

import com.adobe.granite.auth.oauth.ExtendedTokenValidator;
import com.adobe.granite.auth.oauth.HandlerRedirect;
import com.adobe.granite.auth.oauth.OAuthManager;
import com.adobe.granite.auth.oauth.Provider;
import com.adobe.granite.auth.oauth.impl.helper.OAuthHelper;
import com.adobe.granite.auth.oauth.impl.helper.OAuthToken;
import com.adobe.granite.auth.oauth.impl.helper.OAuthUser;
import com.adobe.granite.auth.oauth.impl.helper.ProviderConfigManagerInternal;
import com.adobe.granite.security.user.UserProperties;
import com.adobe.granite.security.user.UserPropertiesManager;
import java.io.IOException;
import java.io.InputStream;
import java.io.UnsupportedEncodingException;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import javax.jcr.Session;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.http.Header;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.client.utils.HttpClientUtils;
import org.apache.http.client.utils.URIBuilder;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.apache.http.osgi.services.HttpClientBuilderFactory;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.auth.core.spi.AuthenticationFeedbackHandler;
import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;
import org.apache.sling.discovery.TopologyEvent;
import org.apache.sling.discovery.TopologyEventListener;
import org.apache.sling.jcr.api.SlingRepository;
import org.apache.sling.settings.SlingSettingsService;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.component.annotations.Deactivate;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
import org.osgi.service.component.annotations.ReferencePolicy;
import org.osgi.service.component.annotations.ReferencePolicyOption;
import org.osgi.service.metatype.annotations.AttributeDefinition;
import org.osgi.service.metatype.annotations.AttributeType;
import org.osgi.service.metatype.annotations.Designate;
import org.osgi.service.metatype.annotations.ObjectClassDefinition;
import org.scribe.model.Token;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Designate(ocd = Config.class)
@Component(service = {AuthenticationHandler.class, AuthenticationFeedbackHandler.class, TopologyEventListener.class}, property = {"service.description=Authentication handler for the \"Bearer\" HTTP Authentication Scheme. This authentication handler implements a solution to validate a provided bearer token against an OAuth Provider. This authentication handler requires configuration to be active.", "service.ranking=100000"}, configurationPolicy = ConfigurationPolicy.REQUIRE)
/* loaded from: input_file:com/adobe/granite/auth/oauth/impl/BearerAuthenticationHandler.class */
public class BearerAuthenticationHandler extends AbstractOAuthAuthenticationHandler implements TopologyEventListener {
    // Shared by the @Component service.description property and the Config metatype description.
    static final String SERVICE_DESCRIPTION = "Authentication handler for the \"Bearer\" HTTP Authentication Scheme. This authentication handler implements a solution to validate a provided bearer token against an OAuth Provider. This authentication handler requires configuration to be active.";
    // Not referenced by any method body visible in this listing (extractCredentials was not decompiled).
    private static final String REDIRECT_KEY = "redirect";
    // Token type handed to Provider.isValidToken() during online validation.
    private static final String ACCESS_TOKEN_TYPE = "access_token";
    // Used both as the per-route and as the total limit of the validation HTTP connection pool.
    private static final int MAX_HTTP_CONNECTIONS = 100;
    // Same LDAP filter literal as the @Reference target on the constructor's ExtendedTokenValidator parameter.
    private static final String TOKEN_VALIDATOR_TARGET = "(auth.token.validator.type=com.adobe.granite.auth.ims.impl.token.OfflineValidatorImpl)";
    private final SlingRepository repository;
    private final SlingSettingsService settings;
    private final ProviderConfigManagerInternal providerConfigManager;
    private final OAuthManager oauthManager;
    private final ResourceResolverFactory resolverFactory;

    @Reference(policy = ReferencePolicy.DYNAMIC, cardinality = ReferenceCardinality.OPTIONAL)
    private volatile HandlerRedirect handlerRedirect;
    // Only assigned when use_ims_offline_token_validator is enabled; the reference is OPTIONAL, so this can be null.
    private ExtendedTokenValidator imsOfflineTokenValidator;
    // Written inside the synchronized initializeRepositoryId(); read without synchronization in
    // authenticationSucceeded(). NOTE(review): not volatile - confirm visibility is acceptable.
    private String repositoryId;
    private volatile String clusterId;
    // Configured allow-list; iterated in validateAccessToken(), one online validation per entry.
    private final String[] allowedClientIds;
    private PoolingHttpClientConnectionManager connectionManager;
    private final CloseableHttpClient httpClient;
    private final boolean syncWithIms;
    // When true, validateAccessToken() reads the client_id claim from the token to pick the client to validate against.
    private final boolean jwtSupport;
    // Name of the request parameter that selects the provider configuration (client-supplied value).
    private final String configIdParameterName;
    private final String defaultConfigId;
    // Set view of allowedClientIds, used for the membership check on the JWT client_id claim.
    private final Set<String> allowedClients;
    // Cached thread pool that runs the profile-data fetches submitted by createDataFuture().
    private ExecutorService executorService;
    private final boolean disable;
    // Selects POST (parameters in the request body) over GET (parameters in the URL) for online validation.
    private final boolean validationWithPost;
    private static final Logger log = LoggerFactory.getLogger(BearerAuthenticationHandler.class);
    // Last-resort repository id when neither a cluster id nor a Sling id is available; regenerated on every class load.
    private static final String RANDOM_UUID = UUID.randomUUID().toString();

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: com.adobe.granite.auth.oauth.impl.BearerAuthenticationHandler$2, reason: invalid class name */
    /* loaded from: input_file:com/adobe/granite/auth/oauth/impl/BearerAuthenticationHandler$2.class */
    /**
     * Compiler-generated switch map, surfaced by the decompiler as a named class.
     *
     * <p>Maps each {@code ExtendedTokenValidator.ValidationResult} constant's ordinal to the
     * dense case number (1-8) used by the switch in {@code handleInvalidValidationResult}.
     * Constants that are not listed here keep the array default of 0 and therefore reach that
     * switch's {@code default} branch.
     */
    public static /* synthetic */ class AnonymousClass2 {
        static final /* synthetic */ int[] $SwitchMap$com$adobe$granite$auth$oauth$ExtendedTokenValidator$ValidationResult = new int[ExtendedTokenValidator.ValidationResult.values().length];

        static {
            // Each assignment is guarded on its own so that a constant missing at runtime
            // (NoSuchFieldError) only leaves its own slot at 0 instead of aborting the initializer.
            try {
                $SwitchMap$com$adobe$granite$auth$oauth$ExtendedTokenValidator$ValidationResult[ExtendedTokenValidator.ValidationResult.NOT_EXPECTED_FORMAT.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$com$adobe$granite$auth$oauth$ExtendedTokenValidator$ValidationResult[ExtendedTokenValidator.ValidationResult.NOT_RECOGNIZED.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$com$adobe$granite$auth$oauth$ExtendedTokenValidator$ValidationResult[ExtendedTokenValidator.ValidationResult.PUBLIC_KEY_NOT_AVAILABLE.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$com$adobe$granite$auth$oauth$ExtendedTokenValidator$ValidationResult[ExtendedTokenValidator.ValidationResult.SIGNATURE_FAIL.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$com$adobe$granite$auth$oauth$ExtendedTokenValidator$ValidationResult[ExtendedTokenValidator.ValidationResult.NOT_EXPECTED_TYPE.ordinal()] = 5;
            } catch (NoSuchFieldError e5) {
            }
            try {
                $SwitchMap$com$adobe$granite$auth$oauth$ExtendedTokenValidator$ValidationResult[ExtendedTokenValidator.ValidationResult.EXPIRED.ordinal()] = 6;
            } catch (NoSuchFieldError e6) {
            }
            try {
                $SwitchMap$com$adobe$granite$auth$oauth$ExtendedTokenValidator$ValidationResult[ExtendedTokenValidator.ValidationResult.FUTURE.ordinal()] = 7;
            } catch (NoSuchFieldError e7) {
            }
            try {
                $SwitchMap$com$adobe$granite$auth$oauth$ExtendedTokenValidator$ValidationResult[ExtendedTokenValidator.ValidationResult.NOT_EXPECTED_ENVIRONMENT.ordinal()] = 8;
            } catch (NoSuchFieldError e8) {
            }
        }
    }

    /**
     * OSGi metatype configuration of the Bearer authentication handler.
     *
     * <p>Security-relevant defaults as declared below: the handler covers the whole repository
     * ({@code path = "/"}), offline IMS token validation is off, JWT client-id narrowing is off
     * and online validation uses GET.
     */
    @ObjectClassDefinition(name = "Adobe Granite Bearer Authentication Handler", description = BearerAuthenticationHandler.SERVICE_DESCRIPTION)
    /* loaded from: input_file:com/adobe/granite/auth/oauth/impl/BearerAuthenticationHandler$Config.class */
    public @interface Config {
        // Read once at activation into the 'disable' field. How the flag is honoured lives in
        // extractCredentials, which is not decompiled in this listing.
        @AttributeDefinition(name = "Disable", description = "Bypass the Bearer Authentication Handler (returning always null).")
        boolean disable() default false;

        @AttributeDefinition(name = "Path", description = "Repository path for which this authentication handler should be used by Sling. If this is empty, the authentication handler will be disabled. By default this is set to \"/\".")
        String path() default "/";

        // Allow-list of OAuth client ids; no default is declared. validateAccessToken() only ever
        // validates against ids from this list, so an empty list means no token can be accepted.
        @AttributeDefinition(name = "Allowed OAuth client ids", description = "List of allowed OAuth client ids. If this is empty is not possible to authenticate using the Bearer Authentication Handler.", type = AttributeType.STRING)
        String[] oauth_clientIds_allowed();

        @AttributeDefinition(name = "Synchronize user with the Provider", description = "If checked (default), then the crx user is synchronized with the Provider at each login.")
        boolean auth_bearer_sync_ims() default true;

        // Name of a request parameter: the provider configuration is selected by a value the
        // client sends (see getConfigId()).
        @AttributeDefinition(name = "Configuration ID Request Parameter", description = "The name of the request parameter property that is used for identifying the configuration.")
        String oauth_bearer_configid() default "configid";

        @AttributeDefinition(name = "Default Configuration ID", description = "Default configuration id used if not specified as request parameter.")
        String oauth_bearer_default_configid() default "ims";

        // When off (default), every bearer token is validated once per allowed client id, i.e.
        // one outbound request per entry of oauth_clientIds_allowed.
        @AttributeDefinition(name = "JWT based OAuth client ID validation", description = "Decode the JWT token and use the \"client_id\" claim to optimize the token validation. In case of error one validation per allowed client ID is done.")
        boolean oauth_jwt_support() default false;

        // The validator service reference is OPTIONAL on the constructor, so enabling this flag
        // does not by itself guarantee that a validator is bound.
        @AttributeDefinition(name = "IMS Offline Token validator", description = "Wire the IMS Offline Token Validator to validate the bearer tokens. This will perform an exhaustive validation of the token before doing any other processing. Disabled by default but needed if using IMS.")
        boolean use_ims_offline_token_validator() default false;

        // With GET the validation URL is requested as-is; with POST its query parameters are moved
        // into the request body (see buildPostRequestFromUrl()). The URL is built from the client
        // id and the token, so with GET the token presumably travels in the query string and can
        // end up in proxy and access logs - TODO confirm against the Provider implementation.
        @AttributeDefinition(name = "Use POST for online token validation", description = "Use the POST method instead of GET to perform online validation of the access token. This is heavily recommended if supported by the authorization server. Disabled by default for backward compatibility reasons.")
        boolean online_validation_with_post() default false;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/adobe/granite/auth/oauth/impl/BearerAuthenticationHandler$DataFutureWithUrl.class */
    /**
     * Pairs an in-flight profile-data fetch with the URL it was issued against, so that a
     * failure can be reported together with the endpoint that caused it.
     */
    public static class DataFutureWithUrl {
        /** Endpoint the pending request targets. */
        String url;
        /** Pending result of the asynchronous fetch for {@link #url}. */
        Future<Map<String, String>> future;

        /**
         * @param endpointUrl   URL the fetch was submitted for
         * @param pendingResult future that completes with the fetched key/value data
         */
        DataFutureWithUrl(String endpointUrl, Future<Map<String, String>> pendingResult) {
            url = endpointUrl;
            future = pendingResult;
        }
    }

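    /**
     * Activates the handler from its OSGi configuration.
     *
     * <p>Builds the pooled HTTP client used for online token validation (at most
     * {@code MAX_HTTP_CONNECTIONS} connections, per route and in total), a cached thread pool
     * for profile-data fetches, and the allow-list of OAuth client ids. The cached pool creates
     * threads on demand and has no upper bound of its own.
     *
     * <p>The {@code ExtendedTokenValidator} reference is OPTIONAL: when offline validation is
     * requested by configuration but no matching service is bound, a warning is logged instead
     * of reporting the validator as enabled.
     */
    @Activate
    public BearerAuthenticationHandler(@Reference SlingRepository slingRepository, @Reference SlingSettingsService slingSettingsService, @Reference ProviderConfigManagerInternal providerConfigManagerInternal, @Reference OAuthManager oAuthManager, @Reference ResourceResolverFactory resourceResolverFactory, @Reference HttpClientBuilderFactory httpClientBuilderFactory, @Reference(policy = ReferencePolicy.STATIC, cardinality = ReferenceCardinality.OPTIONAL, policyOption = ReferencePolicyOption.GREEDY, target = "(auth.token.validator.type=com.adobe.granite.auth.ims.impl.token.OfflineValidatorImpl)") ExtendedTokenValidator extendedTokenValidator, Config config) {
        this.disable = config.disable();
        if (this.disable) {
            log.info("Activate: Bearer authentication handler disabled.");
        }
        this.repository = slingRepository;
        this.settings = slingSettingsService;
        this.providerConfigManager = providerConfigManagerInternal;
        this.oauthManager = oAuthManager;
        this.resolverFactory = resourceResolverFactory;
        // Needs this.settings; clusterId is still unknown here, so the Sling id is used first.
        initializeRepositoryId();

        // The attribute declares no default: treat a missing value as an empty allow-list
        // (nothing can authenticate) rather than failing activation with a NullPointerException.
        String[] configuredClientIds = config.oauth_clientIds_allowed();
        this.allowedClientIds = configuredClientIds != null ? configuredClientIds : new String[0];
        this.allowedClients = new HashSet<>(Arrays.asList(this.allowedClientIds));
        if (this.allowedClients.isEmpty()) {
            log.warn("activate: No allowed OAuth client ids configured, no bearer token can be validated.");
        }

        this.syncWithIms = config.auth_bearer_sync_ims();
        this.jwtSupport = config.oauth_jwt_support();
        this.configIdParameterName = config.oauth_bearer_configid();
        this.defaultConfigId = config.oauth_bearer_default_configid();
        this.validationWithPost = config.online_validation_with_post();

        this.connectionManager = new PoolingHttpClientConnectionManager();
        this.connectionManager.setDefaultMaxPerRoute(MAX_HTTP_CONNECTIONS);
        this.connectionManager.setMaxTotal(MAX_HTTP_CONNECTIONS);
        HttpClientBuilder newBuilder = httpClientBuilderFactory.newBuilder();
        newBuilder.setConnectionManager(this.connectionManager);
        this.httpClient = newBuilder.build();
        this.executorService = Executors.newCachedThreadPool();

        if (!config.use_ims_offline_token_validator()) {
            log.info("activate: IMS Offline Token Validator disabled.");
        } else if (extendedTokenValidator == null) {
            // Configuration asks for offline validation but the optional service is absent:
            // say so explicitly, the field stays null exactly as before.
            log.warn("activate: IMS Offline Token Validator requested by configuration but no matching validator service is bound.");
        } else {
            this.imsOfflineTokenValidator = extendedTokenValidator;
            log.info("activate: IMS Offline Token Validator enabled.");
        }
    }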

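    /**
     * Releases the resources created at activation: the fetch thread pool, the HTTP client and
     * its connection pool. Cleanup is best effort; a failure to close the connection manager is
     * logged at debug level and otherwise ignored.
     */
    @Deactivate
    private void deactivate() {
        if (this.executorService != null) {
            // shutdown() stops accepting new tasks; tasks already submitted are not interrupted.
            this.executorService.shutdown();
            this.executorService = null;
        }
        HttpClientUtils.closeQuietly(this.httpClient);
        if (this.connectionManager != null) {
            try {
                this.connectionManager.close();
            } catch (Exception e) {
                // Nothing useful can be done during deactivation; keep a trace for diagnosis.
                log.debug("deactivate: ignoring failure while closing the HTTP connection manager", e);
            }
            this.connectionManager = null;
        }
    }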

    /* JADX WARN: Code restructure failed: missing block: B:34:0x011b, code lost:
    
        if (r0 == null) goto L109;
     */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    /*
        NOTE(review): this is a decompiler stub, not the shipped logic. The real method body
        (834 bytecode instructions according to the dump notice below) is absent from this
        listing, so the authentication decision itself cannot be reviewed here: how the
        'disable' flag, the offline validator, getBearerAccessToken(), getConfigId() and
        validateAccessToken() are sequenced, and what happens when they fail, has to be checked
        against the bytecode or a better decompilation.
    */
    public org.apache.sling.auth.core.spi.AuthenticationInfo extractCredentials(javax.servlet.http.HttpServletRequest r9, javax.servlet.http.HttpServletResponse r10) {
        /*
            Method dump skipped, instructions count: 834
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: com.adobe.granite.auth.oauth.impl.BearerAuthenticationHandler.extractCredentials(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse):org.apache.sling.auth.core.spi.AuthenticationInfo");
    }

    /**
     * Resolves the provider configuration id for a request.
     *
     * <p>The id comes from the request parameter named by {@code configIdParameterName}, i.e.
     * it is chosen by the client. Only when that parameter is absent is the configured default
     * considered, and only if {@link #allowDefaultConfigId} permits it.
     *
     * @return the requested id, the default id, or {@code null} when neither applies
     */
    private String getConfigId(HttpServletRequest httpServletRequest) {
        String requestedConfigId = httpServletRequest.getParameter(this.configIdParameterName);
        if (requestedConfigId != null) {
            // NOTE(review): returned as sent by the client; validation of the id is not visible here.
            return requestedConfigId;
        }
        return allowDefaultConfigId(httpServletRequest) ? this.defaultConfigId : null;
    }

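    /**
     * Decides whether the default configuration id may be used for a request that did not name
     * one.
     *
     * <p>The default is withheld for exactly one request shape (GRANITE-32573 workaround): a GET
     * or HEAD on {@code /} whose User-Agent contains {@code AdobeAssetLink/}. The User-Agent is
     * client-controlled, so any client can take this branch and cause the INFO log line below.
     * The request-derived values written to that line have CR/LF replaced so they cannot start a
     * new log record. Note that the query string is logged as received.
     *
     * @return {@code false} for the Asset Link root request described above, {@code true} otherwise
     */
    private boolean allowDefaultConfigId(HttpServletRequest httpServletRequest) {
        String userAgent = httpServletRequest.getHeader("User-Agent");
        String method = httpServletRequest.getMethod();
        boolean getOrHead = "GET".equalsIgnoreCase(method) || "HEAD".equalsIgnoreCase(method);
        boolean assetLinkRootRequest = getOrHead
                && "/".equals(httpServletRequest.getRequestURI())
                && StringUtils.contains(userAgent, "AdobeAssetLink/");
        if (!assetLinkRootRequest) {
            return true;
        }
        log.info("GRANITE-32573 Asset Link workaround, not setting default configid={}. Request: {} {} ({}). User-Agent: {}", new Object[]{this.defaultConfigId, method, neutralizeLineBreaks(String.valueOf(httpServletRequest.getRequestURL())), neutralizeLineBreaks(httpServletRequest.getQueryString()), neutralizeLineBreaks(userAgent)});
        return false;
    }

    /** Replaces CR and LF with '_' so a request-supplied value stays on one log line. */
    private static String neutralizeLineBreaks(String value) {
        if (value == null) {
            return null;
        }
        return value.replace('\r', '_').replace('\n', '_');
    }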

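    /**
     * Translates a non-successful offline validation result into the handler's answer.
     *
     * <p>Two results make the handler step aside ({@code null}): the token is not a JWT, or it is
     * a JWT that is not an IMS token. Every other listed result fails authentication, including
     * an unavailable public key, so a token that cannot be verified is never accepted.
     *
     * <p>Detection note: signature failures, wrong token type and expiry are logged at DEBUG
     * only, so at default log levels rejected IMS tokens leave no trace from this method.
     *
     * <p>The switch is written against the enum constants directly; the constant-to-case mapping
     * is the one recorded in the compiler-generated switch map of this class.
     *
     * @param validationResult   result reported by the offline validator
     * @param httpServletRequest current request, receives the failure reason attribute
     * @return {@code null} to decline the request, or {@code AuthenticationInfo.FAIL_AUTH}
     * @throws IllegalArgumentException for any result not listed below
     */
    @Nullable
    private static AuthenticationInfo handleInvalidValidationResult(@NotNull ExtendedTokenValidator.ValidationResult validationResult, @NotNull HttpServletRequest httpServletRequest) {
        switch (validationResult) {
            case NOT_EXPECTED_FORMAT:
                log.debug("extractCredentials: The token is not a JWT token. The Bearer Authn Handler will not handle this request.");
                return null;
            case NOT_RECOGNIZED:
                log.debug("extractCredentials: The JWT token is not an IMS token. The Bearer Authn Handler will not handle this request.");
                return null;
            case PUBLIC_KEY_NOT_AVAILABLE:
                log.warn("extractCredentials: The public key to validate the token signature is not available. Authentication failed.");
                return authenticationFailure(httpServletRequest);
            case SIGNATURE_FAIL:
                log.debug("extractCredentials: The IMS token signature is not valid. Authentication failed.");
                return authenticationFailure(httpServletRequest);
            case NOT_EXPECTED_TYPE:
                log.debug("extractCredentials: The IMS token is not an access token. Authentication failed.");
                return authenticationFailure(httpServletRequest);
            case EXPIRED:
                log.debug("extractCredentials: The token has expired. Authentication failed.");
                return authenticationFailure(httpServletRequest);
            case FUTURE:
                log.warn("extractCredentials: The token has been issued in the future, the system clock is probably misconfigured. Authentication failed.");
                return authenticationFailure(httpServletRequest);
            case NOT_EXPECTED_ENVIRONMENT:
                log.warn("extractCredentials: The token has been issued for a different environment. Authentication failed.");
                return authenticationFailure(httpServletRequest);
            default:
                throw new IllegalArgumentException("Invalid validation result");
        }
    }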

    /**
     * Marks the request as a failed bearer authentication.
     *
     * <p>The reason stored in the {@code j_reason} request attribute is the same generic text
     * for every failure cause, so it does not reveal which check rejected the token.
     *
     * @return always {@code AuthenticationInfo.FAIL_AUTH}
     */
    @NotNull
    private static AuthenticationInfo authenticationFailure(@NotNull HttpServletRequest httpServletRequest) {
        final String genericReason = "Bearer Authentication Handler: Authentication Failed.";
        httpServletRequest.setAttribute("j_reason", genericReason);
        return AuthenticationInfo.FAIL_AUTH;
    }

    /**
     * Validates an access token online and returns the user id it belongs to.
     *
     * <p>Candidate client ids always come from the configured allow-list. With JWT support on,
     * the token's {@code client_id} claim narrows the candidates to a single id, and a claim
     * outside the allow-list rejects the token without any outbound call. The claim is read
     * here before the token has been validated, so it only selects which client to ask about.
     * Acceptance still depends on the provider's answer.
     *
     * <p>Without a usable claim (or with JWT support off) the token is submitted once per
     * allowed client id, so one inbound request can cause as many outbound validation requests
     * as there are allowed clients.
     *
     * @param str         the bearer access token
     * @param oAuthHelper helper used to read the {@code client_id} claim
     * @param provider    provider that builds the validation URL and interprets the response
     * @return the user id of the first successful validation, or {@code null} if none succeeds
     */
    @Nullable
    private String validateAccessToken(@NotNull String str, @NotNull OAuthHelper oAuthHelper, @NotNull Provider provider) {
        final String[] candidateClientIds;
        if (!this.jwtSupport) {
            log.debug("validateAccessToken: Not reading JWT claims to find client ID, falling back to querying every client in the configured list of allowed OAuth clients.");
            candidateClientIds = this.allowedClientIds;
        } else {
            log.debug("validateAccessToken: Read access token as JWT and try to find the OAuth client in client_id claim.");
            String claimedClientId = oAuthHelper.getClientIdFromAccessToken(str);
            if (claimedClientId != null) {
                if (!this.allowedClients.contains(claimedClientId)) {
                    log.info("validateAccessToken: The OAuth client used to create this access token is not allow-listed.");
                    return null;
                }
                candidateClientIds = new String[]{claimedClientId};
            } else {
                log.debug("validateAccessToken: client_id claim not found, falling back to querying every client in the configured list of allowed OAuth clients.");
                candidateClientIds = this.allowedClientIds;
            }
        }

        for (String clientId : candidateClientIds) {
            // The URL is built from the client id and the token itself.
            String validationUrl = provider.getValidateTokenUrl(clientId, str);
            log.debug("validateAccessToken: obtained validation token URL with client ID: {}.", clientId);
            if (validationUrl == null || validationUrl.isEmpty()) {
                log.error("validateAccessToken: provider {} returned a null token validation URL.", provider);
                continue;
            }
            String userId = validateTokenAndGetUserId(provider, validationUrl, clientId);
            if (userId == null) {
                log.debug("validateAccessToken: invalid access token, no valid user ID returned.");
                continue;
            }
            log.debug("validateAccessToken: token is valid, user ID: {} , client ID: {}.", userId, clientId);
            return userId;
        }
        return null;
    }

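    /**
     * Calls the provider's validation endpoint and extracts the user id from a positive answer.
     *
     * <p>Anything other than HTTP 200 with a body the provider accepts for this client id and
     * the {@code access_token} type yields {@code null}, as does any I/O or URL error, so the
     * method fails closed.
     *
     * <p>The validation URL is built from the client id and the token. A
     * {@code URISyntaxException} message embeds the full input string, so only the parser's
     * reason is logged for that case, keeping the URL out of the ERROR log.
     *
     * @param provider provider that interprets the validation response
     * @param str      validation URL
     * @param str2     OAuth client id the token is validated for
     * @return the user id reported by the provider, or {@code null} when validation fails
     */
    @Nullable
    private String validateTokenAndGetUserId(@NotNull Provider provider, @NotNull String str, @NotNull String str2) {
        try (CloseableHttpResponse response = getResponse(str)) {
            int statusCode = response.getStatusLine().getStatusCode();
            String responseBody = readResponseBody(response);
            if (statusCode != 200) {
                log.debug("validateTokenAndGetUserId: non-OK response from validation url, HTTP status: {} error: {}", Integer.valueOf(statusCode), provider.getErrorDescriptionFromValidateTokenResponseBody(responseBody));
                optionalXDebugIddHeaderLog(response);
                return null;
            }
            if (!provider.isValidToken(responseBody, str2, ACCESS_TOKEN_TYPE)) {
                log.debug("validateTokenAndGetUserId: the provided token is invalid");
                optionalXDebugIddHeaderLog(response);
                return null;
            }
            String userId = provider.getUserIdFromValidateTokenResponseBody(responseBody);
            log.debug("validateTokenAndGetUserId: valid token, returned user ID: {}", userId);
            optionalXDebugIddHeaderLog(response);
            return userId;
        } catch (UnsupportedEncodingException e) {
            log.error("validateTokenAndGetUserId: Failure to encode POST validation request body: {}", e.getMessage());
            return null;
        } catch (IOException e) {
            log.error("validateTokenAndGetUserId: Failed to connect to the token validation endpoint: {}", e.getMessage());
            return null;
        } catch (URISyntaxException e) {
            // getMessage() would append the whole validation URL; getReason() is the parser's
            // explanation only.
            log.error("validateTokenAndGetUserId: Failure to create POST validation request, unable to parse initial URL: {}", e.getReason());
            return null;
        }
    }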

    /**
     * Sends the online validation request, as GET or POST depending on configuration.
     *
     * <p>In GET mode the URL is requested unchanged, query string included. In POST mode the
     * query parameters are moved into the request body first.
     *
     * <p>NOTE(review): {@code HttpGet(String)} parses its argument with {@code URI.create}, which
     * reports a malformed URL as an unchecked {@code IllegalArgumentException}, while the POST
     * path reports it as {@code URISyntaxException}. Confirm that callers cope with both.
     *
     * @param str validation URL
     * @return the open response; the caller is responsible for closing it
     */
    @NotNull
    private CloseableHttpResponse getResponse(@NotNull String str) throws IOException, URISyntaxException {
        if (!this.validationWithPost) {
            HttpGet getRequest = new HttpGet(str);
            log.debug("Performing online token validation with GET request");
            return this.httpClient.execute(getRequest);
        }
        HttpPost postRequest = buildPostRequestFromUrl(str);
        log.debug("Performing online token validation with POST request");
        return this.httpClient.execute(postRequest);
    }

    /**
     * Converts a validation URL into an equivalent POST request.
     *
     * <p>The query parameters are taken off the URL and sent as a URL-encoded form body, so
     * they are no longer part of the request line.
     *
     * @param str validation URL, query string included
     * @return a POST to the same URL without its query, carrying the parameters as form fields
     * @throws URISyntaxException           if {@code str} cannot be parsed
     * @throws UnsupportedEncodingException if the form body cannot be encoded
     */
    @NotNull
    private static HttpPost buildPostRequestFromUrl(@NotNull String str) throws URISyntaxException, UnsupportedEncodingException {
        URIBuilder endpoint = new URIBuilder(str);
        // Capture the parameters before they are stripped from the URL.
        List formFields = endpoint.getQueryParams();
        endpoint.removeQuery();

        HttpPost postRequest = new HttpPost(endpoint.toString());
        postRequest.setEntity(new UrlEncodedFormEntity(formFields));
        return postRequest;
    }

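    /**
     * Reads the whole response body as UTF-8 text.
     *
     * <p>A response without an entity is treated as an empty body instead of raising a
     * {@code NullPointerException} out of the authentication handler. Read failures are logged
     * and also yield an empty body. The body is read into memory in full, without a size limit.
     *
     * @return the body text, or {@code ""} when there is no body or it cannot be read
     */
    @NotNull
    private static String readResponseBody(@NotNull CloseableHttpResponse closeableHttpResponse) {
        if (closeableHttpResponse.getEntity() == null) {
            log.debug("readResponseBody: The response carries no entity, treating the body as empty.");
            return "";
        }
        try (InputStream content = closeableHttpResponse.getEntity().getContent()) {
            return IOUtils.toString(content, StandardCharsets.UTF_8);
        } catch (IOException | IllegalStateException e) {
            log.error("readResponseBody: Failure to read the body of the response: {}", e.getMessage());
            return "";
        }
    }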

    /**
     * Logs the provider's {@code x-debug-id} response header at DEBUG level, if present, so a
     * validation attempt can be correlated with the provider's own records.
     */
    private static void optionalXDebugIddHeaderLog(@NotNull CloseableHttpResponse closeableHttpResponse) {
        Header[] debugIdHeaders = closeableHttpResponse.getHeaders("x-debug-id");
        if (debugIdHeaders != null && debugIdHeaders.length > 0) {
            // The array is passed as the logger's argument array, so with a single placeholder
            // only the first header is rendered.
            log.debug("x-debug-id: {}", (Object[]) debugIdHeaders);
        }
    }

    /**
     * Never asks the client for credentials: the handler only evaluates a bearer token that is
     * already on the request.
     *
     * @return always {@code false}
     */
    public boolean requestCredentials(final HttpServletRequest httpServletRequest, final HttpServletResponse httpServletResponse) {
        return false;
    }

    /**
     * Intentionally does nothing: this method clears no state on logout.
     */
    public void dropCredentials(final HttpServletRequest httpServletRequest, final HttpServletResponse httpServletResponse) {
        // no-op
    }

    /**
     * Post-login hook: updates the cookie when the request carries no token for this
     * repository id, notifies the provider, then defers to the superclass.
     *
     * <p>NOTE(review): {@code getTokenInfo}, {@code updateCookie} and {@code notifyProvider} are
     * inherited and not visible here. Presumably a successful bearer request is answered with a
     * login cookie - confirm the cookie's attributes and lifetime in the superclass.
     */
    public boolean authenticationSucceeded(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationInfo authenticationInfo) {
        boolean requestHasToken = getTokenInfo(httpServletRequest, this.repositoryId).token != null;
        if (!requestHasToken) {
            updateCookie(httpServletRequest, httpServletResponse, authenticationInfo, this.repository, this.repositoryId);
        }
        notifyProvider(authenticationInfo, httpServletRequest, this.oauthManager);
        return super.authenticationSucceeded(httpServletRequest, httpServletResponse, authenticationInfo);
    }

    /**
     * Extracts the bearer token from the {@code Authorization} header.
     *
     * <p>The scheme must be spelled exactly {@code Bearer} followed by a space; other spellings
     * and other schemes are ignored. Surrounding whitespace is trimmed from both the header and
     * the token. The token is returned as received, with no check of its content.
     *
     * @return the token, or {@code null} when the header is missing, empty or not a Bearer header
     */
    @Nullable
    private String getBearerAccessToken(@NotNull HttpServletRequest httpServletRequest) {
        final String schemePrefix = "Bearer ";
        String rawHeader = httpServletRequest.getHeader("Authorization");
        if (rawHeader == null) {
            log.trace("getBearerAccessToken: No Authorization header found.");
            return null;
        }
        String headerValue = rawHeader.trim();
        if (headerValue.isEmpty()) {
            log.debug("getBearerAccessToken: Empty Authorization header found.");
            return null;
        }
        if (!headerValue.startsWith(schemePrefix)) {
            log.debug("getBearerAccessToken: Authorization scheme is not Bearer.");
            return null;
        }
        return headerValue.substring(schemePrefix.length()).trim();
    }

    /**
     * Looks up the repository user that corresponds to an OAuth user id and returns it together
     * with the user's {@code profile} properties.
     *
     * <p>Profile data is read through a service resource resolver obtained with no
     * authentication info, not through the passed session. With strict username matching
     * enabled, the profile of the first non-group authorizable found for the id is collected
     * first and used for the mapped-id lookup.
     *
     * <p>Any failure is logged together with the OAuth user id and results in {@code null}. The
     * resolver is closed on every path.
     *
     * @param session     repository session, expected to be a {@code JackrabbitSession}
     * @param oAuthHelper helper that performs the user lookups
     * @param provider    provider the user id belongs to
     * @param str         OAuth user id
     * @return the user with profile properties keyed as {@code profile/<name>}, or {@code null}
     */
    private OAuthUser getUserDetails(Session session, OAuthHelper oAuthHelper, Provider provider, String str) {
        ResourceResolver serviceResolver = null;
        OAuthUser resolvedUser = null;
        try {
            UserManager userManager = ((JackrabbitSession) session).getUserManager();
            serviceResolver = this.resolverFactory.getServiceResourceResolver((Map) null);
            UserPropertiesManager profileManager = (UserPropertiesManager) serviceResolver.adaptTo(UserPropertiesManager.class);

            User repositoryUser;
            if (oAuthHelper.getProviderConfig().getForceStrictUsernameMatching()) {
                Map<String, Object> candidateProfile = new HashMap<>();
                User firstMatch = null;
                Iterator<Authorizable> candidates = oAuthHelper.getCRXUsersByOAuthId(userManager, provider, new OAuthUser(str, Collections.emptyMap()));
                while (candidates.hasNext() && firstMatch == null) {
                    Authorizable candidate = candidates.next();
                    if (candidate.isGroup()) {
                        continue;
                    }
                    firstMatch = (User) candidate;
                    UserProperties candidateProperties = profileManager.getUserProperties(firstMatch.getID(), "profile");
                    for (String propertyName : candidateProperties.getPropertyNames()) {
                        String propertyValue = candidateProperties.getProperty(propertyName);
                        if (propertyValue != null) {
                            candidateProfile.put("profile/" + propertyName, propertyValue);
                        }
                    }
                }
                repositoryUser = oAuthHelper.getCRXUserByMappedId(userManager, provider, new OAuthUser(str, candidateProfile));
            } else {
                repositoryUser = oAuthHelper.getCRXUserByOAuthId(userManager, provider, new OAuthUser(str, Collections.emptyMap()));
            }

            if (repositoryUser != null) {
                Map<String, Object> profile = new HashMap<>();
                UserProperties userProperties = profileManager.getUserProperties(repositoryUser.getID(), "profile");
                for (String propertyName : userProperties.getPropertyNames()) {
                    String propertyValue = userProperties.getProperty(propertyName);
                    if (propertyValue != null) {
                        profile.put("profile/" + propertyName, propertyValue);
                    }
                }
                resolvedUser = new OAuthUser(str, profile);
            }
        } catch (Exception e) {
            log.error("Failed to fetch the user properties from the crx user: {}", str, e);
        } finally {
            // The service resolver must not outlive this call.
            if (serviceResolver != null && serviceResolver.isLive()) {
                serviceResolver.close();
            }
        }
        return resolvedUser;
    }

    /**
     * Fetches the user's profile data from the provider and maps it to an {@code OAuthUser}.
     *
     * <p>The basic details URL and the scope-dependent extended URLs are requested concurrently.
     * Once the basic data is available, further extended URLs that depend on the user id are
     * requested as well. All results are merged in submission order through
     * {@code Provider.mapProperties}.
     *
     * <p>NOTE(review): results are awaited without a timeout, so how long this call can block
     * depends on the HTTP timeouts used by {@code OAuthHelper.fetchProfileData}. Requests already
     * submitted are not cancelled when the method returns early. The first result is used
     * without a null check, while later results are null-checked.
     *
     * @return the mapped user, or {@code null} when the basic data contains no user id
     * @throws IOException          if a fetch fails
     * @throws InterruptedException if the thread is interrupted while waiting for a fetch
     */
    protected OAuthUser getUserDetails(Provider provider, OAuthHelper oAuthHelper, Token token) throws IOException, InterruptedException {
        List<DataFutureWithUrl> pendingFetches = new ArrayList<>();
        pendingFetches.add(createDataFuture(provider, oAuthHelper, token, provider.getDetailsURL()));

        String scope = oAuthHelper.getProviderConfig().getScope();
        String[] scopeDetailUrls = provider.getExtendedDetailsURLs(scope);
        if (scopeDetailUrls != null) {
            for (String detailUrl : scopeDetailUrls) {
                if (detailUrl != null && detailUrl.trim().length() > 0) {
                    pendingFetches.add(createDataFuture(provider, oAuthHelper, token, detailUrl));
                }
            }
        }

        DataFutureWithUrl basicFetch = pendingFetches.get(0);
        Map<String, String> basicData = getFutureData(basicFetch);
        String clientId = oAuthHelper.getProviderConfig().getClientId();
        Map<String, Object> mappedProperties = provider.mapProperties(basicFetch.url, clientId, Collections.emptyMap(), basicData);
        String userId = basicData.get(provider.getUserIdProperty());
        if (userId == null) {
            log.error("retrieveBasicData: could not retrieve user id from {}", provider.getDetailsURL());
            return null;
        }

        String[] userDetailUrls = provider.getExtendedDetailsURLs(scope, userId, mappedProperties);
        if (userDetailUrls != null) {
            for (String detailUrl : userDetailUrls) {
                if (detailUrl != null && detailUrl.trim().length() > 0) {
                    pendingFetches.add(createDataFuture(provider, oAuthHelper, token, detailUrl));
                }
            }
        }

        String rawUserIdKey = oAuthHelper.getProviderConfig().getUserIdProperty();
        if (!rawUserIdKey.isEmpty() && basicData.containsKey(rawUserIdKey)) {
            mappedProperties.put(OAuthHelper.RAW_USER_ID_PROPERTY, basicData.get(rawUserIdKey));
        }

        // Merge every additional result; index 0 (the basic data) was handled above.
        for (DataFutureWithUrl extraFetch : pendingFetches.subList(1, pendingFetches.size())) {
            Map<String, String> extraData = getFutureData(extraFetch);
            mappedProperties = provider.mapProperties(extraFetch.url, clientId, mappedProperties, extraData);
            if (!rawUserIdKey.isEmpty() && extraData != null && extraData.containsKey(rawUserIdKey)) {
                mappedProperties.put(OAuthHelper.RAW_USER_ID_PROPERTY, extraData.get(rawUserIdKey));
            }
        }
        return new OAuthUser(userId, mappedProperties);
    }

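    /**
     * Waits for a pending profile-data fetch and returns its result.
     *
     * <p>A failed fetch is reported as an {@code IOException} that names the URL and keeps the
     * original failure as its cause, so the stack trace of the underlying error is not lost.
     * The wait has no timeout.
     *
     * @return the fetched data, as produced by the task
     * @throws InterruptedException if the waiting thread is interrupted
     * @throws IOException          if the fetch task failed
     */
    private Map<String, String> getFutureData(DataFutureWithUrl dataFutureWithUrl) throws InterruptedException, IOException {
        try {
            return dataFutureWithUrl.future.get();
        } catch (ExecutionException e) {
            Throwable failure = e.getCause() != null ? e.getCause() : e;
            throw new IOException("Error while fetching data from " + dataFutureWithUrl.url + ": " + e.getCause(), failure);
        }
    }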

    /**
     * Submits an asynchronous profile-data fetch for one URL and returns a handle to it.
     *
     * <p>The task runs on the handler's executor, which is created at activation and set to
     * {@code null} at deactivation.
     *
     * @param str URL to fetch profile data from
     * @return the pending fetch paired with its URL
     */
    private DataFutureWithUrl createDataFuture(final Provider provider, final OAuthHelper oAuthHelper, final Token token, final String str) {
        Callable<Map<String, String>> fetchTask = new Callable<Map<String, String>>() {
            @Override
            public Map<String, String> call() throws Exception {
                return oAuthHelper.fetchProfileData(provider, str, token);
            }
        };
        Future<Map<String, String>> pendingResult = this.executorService.submit(fetchTask);
        return new DataFutureWithUrl(str, pendingResult);
    }

    /**
     * Picks up the cluster id from topology init/change events and recomputes the repository id
     * from it. Other event types are ignored.
     */
    public void handleTopologyEvent(TopologyEvent topologyEvent) {
        TopologyEvent.Type eventType = topologyEvent.getType();
        if (eventType != TopologyEvent.Type.TOPOLOGY_CHANGED && eventType != TopologyEvent.Type.TOPOLOGY_INIT) {
            return;
        }
        this.clusterId = topologyEvent.getNewView().getLocalInstance().getClusterView().getId();
        initializeRepositoryId();
    }

    /**
     * Chooses the identifier stored in {@code repositoryId}, in order of preference: the cluster
     * id from topology events, the Sling id, and as a last resort a random UUID.
     *
     * <p>The random UUID is generated once per class load, so an instance that falls back to it
     * gets a different identifier after every restart. That case is logged at ERROR level.
     */
    private synchronized void initializeRepositoryId() {
        String resolvedId = this.clusterId;
        if (resolvedId != null) {
            log.info("ClusterId determined using Topology Support [{}]", resolvedId);
        } else {
            resolvedId = this.settings.getSlingId();
            if (resolvedId != null) {
                log.info("ClusterId not known so far. Using the SlingId [{}] for unique identifier", resolvedId);
            } else {
                resolvedId = RANDOM_UUID;
                log.error("Failure to acquire unique ID for this token authenticator. Using random UUID {}", resolvedId);
            }
        }
        this.repositoryId = resolvedId;
    }
}
