package com.adobe.granite.auth.oauth.impl;

import com.adobe.granite.auth.oauth.AuthorizationCodeAcceptor;
import com.adobe.granite.auth.oauth.HandlerRedirect;
import com.adobe.granite.auth.oauth.LogoutProvider;
import com.adobe.granite.auth.oauth.OAuthManager;
import com.adobe.granite.auth.oauth.Provider;
import com.adobe.granite.auth.oauth.ProviderConfig;
import com.adobe.granite.auth.oauth.impl.helper.OAuthHelper;
import com.adobe.granite.auth.oauth.impl.helper.OAuthToken;
import com.adobe.granite.auth.oauth.impl.helper.OAuthUser;
import com.adobe.granite.auth.oauth.impl.helper.ProviderConfigImpl;
import com.adobe.granite.auth.oauth.impl.helper.ProviderConfigManagerInternal;
import com.adobe.granite.auth.oauth.impl.helper.RequestHelper;
import com.adobe.granite.crypto.CryptoSupport;
import java.io.IOException;
import java.util.Iterator;
import java.util.Map;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.felix.scr.annotations.Activate;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.ConfigurationPolicy;
import org.apache.felix.scr.annotations.Deactivate;
import org.apache.felix.scr.annotations.Properties;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.ReferenceCardinality;
import org.apache.felix.scr.annotations.ReferencePolicy;
import org.apache.felix.scr.annotations.Service;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;
import org.apache.sling.auth.core.spi.DefaultAuthenticationFeedbackHandler;
import org.apache.sling.commons.json.JSONObject;
import org.apache.sling.discovery.TopologyEvent;
import org.apache.sling.discovery.TopologyEventListener;
import org.apache.sling.jcr.api.SlingRepository;
import org.apache.sling.settings.SlingSettingsService;
import org.osgi.framework.BundleContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Service({AuthenticationHandler.class, TopologyEventListener.class})
@Component(metatype = true, policy = ConfigurationPolicy.REQUIRE)
@Properties({@Property(name = "path", value = {"/"}), @Property(name = "service.ranking", intValue = {-5000})})
/* loaded from: input_file:com/adobe/granite/auth/oauth/impl/OAuthAuthenticationHandler.class */
public class OAuthAuthenticationHandler extends AbstractOAuthAuthenticationHandler implements TopologyEventListener {

    @Property(name = "service.description")
    private static final String DESCRIPTION = "OAuth Authentication Handler";
    private final Logger log = LoggerFactory.getLogger(getClass());

    @Reference
    private SlingRepository repository;

    @Reference
    private CryptoSupport cryptoSupport;

    @Reference
    private OAuthManager oauthManager;

    @Reference
    private SlingSettingsService settings;

    @Reference
    private ProfileValidators profileValidators;
    private volatile String repositoryId;

    @Reference
    private ProviderConfigManagerInternal providerConfigManager;

    @Reference(policy = ReferencePolicy.DYNAMIC, cardinality = ReferenceCardinality.OPTIONAL_UNARY)
    private volatile HandlerRedirect handlerRedirect;

    @Activate
    private void activate(BundleContext bundleContext, Map<String, Object> map) {
        initializeRepositoryId(null);
    }

    @Deactivate
    private void deactivate() {
    }

    public AuthenticationInfo extractCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String configId = RequestHelper.getConfigId(httpServletRequest);
        OAuthHelper helper = configId == null ? null : this.providerConfigManager.getHelper(configId);
        if (RequestHelper.isInitialCall(httpServletRequest, true)) {
            this.log.debug("extractCredentials: Initial authentication request, try to start the OAuth dance");
            String parameter = httpServletRequest.getParameter(RequestHelper.PARAM_CONFIG_ID);
            OAuthHelper helper2 = this.providerConfigManager.getHelper(parameter);
            Provider provider = this.oauthManager.getProvider(parameter);
            String loginResource = getLoginResource(httpServletRequest, "");
            if (helper2 == null || provider == null) {
                this.log.error("extractCredentials: During initial request, invalid config: helper is: {}, provider is: {}", helper2, provider);
            } else {
                try {
                    helper2.requestAuthorization(httpServletRequest, httpServletResponse, provider, loginResource, true);
                    this.log.debug("extractCredentials: User agent redirected to OAuth server");
                    return AuthenticationInfo.DOING_AUTH;
                } catch (IOException e) {
                    this.log.error("extractCredentials: Failure requesting authorization code, using configId: {}", parameter);
                    this.log.error("extractCredentials: Exception requesting authorization code: ", e);
                }
            }
            setupAuthenticationFailure(httpServletRequest, httpServletResponse);
            this.log.debug("extractCredentials: Failure of the initial authentication request");
            return AuthenticationInfo.FAIL_AUTH;
        }
        if (!RequestHelper.hasAuthzCode(httpServletRequest)) {
            this.log.debug("extractCredentials: The OAuthAuthenticationHandler is not able to handle this request");
            return null;
        }
        this.log.debug("extractCredentials: User agent returns with authorization code");
        Provider provider2 = null;
        if (RequestHelper.isAuthzCode(httpServletRequest, true)) {
            provider2 = this.oauthManager.getProvider(configId);
        } else {
            Iterator<ProviderConfig> it = this.providerConfigManager.getProviderConfigs().iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                ProviderConfig next = it.next();
                OAuthHelper helper3 = this.providerConfigManager.getHelper(next.getConfigId());
                Provider provider3 = this.providerConfigManager.getProvider(next.getConfigId());
                if ((provider3 instanceof AuthorizationCodeAcceptor) && ((AuthorizationCodeAcceptor) provider3).acceptsCodeRequest(httpServletRequest, next.getOAuthConfig(null))) {
                    helper = helper3;
                    provider2 = provider3;
                    httpServletRequest.setAttribute(RequestHelper.ATTRIBUTE_REDIRECT, RequestHelper.getURLWithoutAuthCode(httpServletRequest));
                    httpServletRequest.setAttribute("oauth-configId", next.getConfigId());
                    httpServletRequest.setAttribute(next.getClientId(), new OAuthToken(next.getClientId(), "", "", 1));
                    break;
                }
            }
            if (provider2 == null) {
                return null;
            }
        }
        if (helper == null || provider2 == null) {
            this.log.error("extractCredentials: During the processing of the authorization code, invalid config found: helper is: {}, provider is: {}", helper, provider2);
        } else {
            try {
                OAuthUser requestAccessCode = helper.requestAccessCode(provider2, httpServletRequest, httpServletResponse, true, true);
                this.log.debug("extractCredentials: Access token obtained");
                ProfileValidators profileValidators = this.profileValidators;
                if (requestAccessCode == null) {
                    this.log.error("extractCredentials: Failed to retrieve user identification; cannot authenticate");
                } else if (profileValidators == null || profileValidators.isValidProfile(provider2.getId(), requestAccessCode.getId(), requestAccessCode.getProperties())) {
                    Session session = null;
                    try {
                        if (this.handlerRedirect != null) {
                            AuthenticationInfo authenticationInfo = null;
                            OAuthToken oAuthToken = (OAuthToken) httpServletRequest.getAttribute(helper.getClientId());
                            if (oAuthToken != null) {
                                httpServletRequest.setAttribute("accessToken", oAuthToken.getKey());
                            }
                            String redirectUri = this.handlerRedirect.getRedirectUri(httpServletRequest, requestAccessCode.getId(), requestAccessCode.getProperties());
                            if (redirectUri != null) {
                                try {
                                    authenticationInfo = AuthenticationInfo.DOING_AUTH;
                                    if ("XMLHttpRequest".equalsIgnoreCase(httpServletRequest.getHeader("X-Requested-With"))) {
                                        httpServletResponse.setStatus(200);
                                        JSONObject put = new JSONObject().put("redirect", redirectUri);
                                        httpServletResponse.setContentType("application/json");
                                        httpServletResponse.getWriter().write(put.toString());
                                        httpServletResponse.flushBuffer();
                                    } else {
                                        httpServletResponse.sendRedirect(redirectUri);
                                    }
                                    this.log.debug("extractCredentials: return authentication info in handle redirect");
                                    if (0 != 0 && session.isLive()) {
                                        session.logout();
                                    }
                                    return authenticationInfo;
                                } catch (Exception e2) {
                                    this.log.error("failed to redirect the user: {}", authenticationInfo.getUser(), e2);
                                }
                            }
                        }
                        ProviderConfigImpl providerConfig = helper.getProviderConfig();
                        String str = null;
                        Session loginService = this.repository.loginService("", (String) null);
                        User user = helper.getUser(helper.getNotSavingUserManager(loginService), provider2, requestAccessCode);
                        if (user != null) {
                            str = user.getID();
                        }
                        if (str == null && providerConfig.getAutoCreateUsers()) {
                            str = helper.getMappedOauthUsername(provider2, requestAccessCode);
                        }
                        if (str != null) {
                            AuthenticationInfo createAuthenticationInfo = createAuthenticationInfo(providerConfig.getProviderId(), providerConfig.getConfigId(), str, provider2.mapUserId(requestAccessCode.getId(), requestAccessCode.getProperties()), requestAccessCode);
                            if (providerConfig.getSaveAccessToken()) {
                                storeAccessToken(createAuthenticationInfo, httpServletRequest, providerConfig);
                            }
                            this.log.debug("extractCredentials: return authentication info");
                            if (loginService != null && loginService.isLive()) {
                                loginService.logout();
                            }
                            return createAuthenticationInfo;
                        }
                        this.log.error("extractCredentials: Failed finding user for oauthUser={} of application {}", requestAccessCode, helper.getClientId());
                        if (loginService != null && loginService.isLive()) {
                            loginService.logout();
                        }
                    } catch (Throwable th) {
                        if (0 != 0 && session.isLive()) {
                            session.logout();
                        }
                        throw th;
                    }
                } else {
                    this.log.error("extractCredentials: Invalid user profile; cannot authenticate");
                }
            } catch (IOException e3) {
                this.log.error("extractCredentials: Failed to retrieve user identification; cannot authenticate", e3);
            } catch (RepositoryException e4) {
                this.log.error("extractCredentials: Failed to read user or properties", e4);
            }
        }
        setupAuthenticationFailure(httpServletRequest, httpServletResponse);
        this.log.debug("extractCredentials: authentication failure");
        return AuthenticationInfo.FAIL_AUTH;
    }

    public boolean requestCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        return false;
    }

    public void dropCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String configId;
        OAuthHelper helper;
        Provider provider;
        String str = null;
        if (RequestHelper.getAuthenticatedConfigId(httpServletRequest) != null && (configId = RequestHelper.getConfigId(httpServletRequest)) != null && (helper = this.providerConfigManager.getHelper(configId)) != null && (provider = this.oauthManager.getProvider(configId)) != null && (provider instanceof LogoutProvider)) {
            this.log.info("dropCredentials: The provider can handle logout, calling logout API.");
            str = ((LogoutProvider) provider).logout(httpServletRequest, helper.getProviderConfig());
        }
        setAuthorizedId(httpServletRequest, httpServletResponse, null);
        RequestHelper.removeConfigId(httpServletRequest, httpServletResponse);
        RequestHelper.removeAuthenticatedConfigId(httpServletRequest, httpServletResponse);
        if (str != null) {
            this.log.info("redirecting to {}", str);
            try {
                httpServletResponse.sendRedirect(str);
            } catch (IOException e) {
                this.log.error("error while redirecting", e);
            }
        }
    }

    public boolean authenticationSucceeded(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationInfo authenticationInfo) {
        boolean z;
        if (needsCookieUpdate(getTokenInfo(httpServletRequest, this.repositoryId), httpServletRequest)) {
            updateCookie(httpServletRequest, httpServletResponse, authenticationInfo, this.repository, this.repositoryId);
        }
        notifyProvider(authenticationInfo, httpServletRequest, this.oauthManager);
        if (!RequestHelper.hasAuthzCode(httpServletRequest)) {
            return false;
        }
        ResourceResolver resourceResolver = (ResourceResolver) httpServletRequest.getAttribute("org.apache.sling.auth.core.ResourceResolver");
        if (resourceResolver != null) {
            setAuthorizedId(httpServletRequest, httpServletResponse, resourceResolver.getUserID());
        } else {
            this.log.warn("authenticationSucceeded: ResourceResolver missing from request, cannot cache user id");
        }
        if (DefaultAuthenticationFeedbackHandler.handleRedirect(httpServletRequest, httpServletResponse)) {
            z = false;
        } else {
            RequestHelper.handleRedirectAfterAuthentication(httpServletRequest, httpServletResponse);
            z = true;
        }
        return z;
    }

    public void authenticationFailed(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationInfo authenticationInfo) {
        dropCredentials(httpServletRequest, httpServletResponse);
    }

    public String toString() {
        return DESCRIPTION;
    }

    private void setupAuthenticationFailure(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        setLoginResourceAttribute(httpServletRequest, null);
        dropCredentials(httpServletRequest, httpServletResponse);
        httpServletRequest.setAttribute("j_reason", "Authentication Failed");
    }

    private void setAuthorizedId(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) {
        Object attribute = httpServletRequest.getAttribute("oauth-configId");
        String configId = attribute instanceof String ? (String) attribute : RequestHelper.getConfigId(httpServletRequest);
        OAuthHelper helper = configId == null ? null : this.providerConfigManager.getHelper(configId);
        if (helper == null) {
            this.log.debug("No OauthHelper found under configId {}", configId);
        } else {
            helper.setAuthorizedId(httpServletRequest, httpServletResponse, str);
            RequestHelper.storeAuthenticatedConfigId(configId, helper.getProviderConfig().getCookieMaxAge(), httpServletRequest, httpServletResponse);
        }
    }

    public void handleTopologyEvent(TopologyEvent topologyEvent) {
        if (topologyEvent.getType() == TopologyEvent.Type.TOPOLOGY_CHANGED || topologyEvent.getType() == TopologyEvent.Type.TOPOLOGY_INIT) {
            initializeRepositoryId(topologyEvent.getNewView().getLocalInstance().getClusterView().getId());
        }
    }

    private void initializeRepositoryId(String str) {
        if (str == null) {
            this.repositoryId = RequestHelper.getRepositoryId(this.repository, this.settings);
            this.log.info("ClusterId not known so far, fallback to repository descriptors [{}]", this.repositoryId);
        } else {
            this.repositoryId = str;
            this.log.info("ClusterId determined using Topology Support [{}]", this.repositoryId);
        }
    }

    protected void bindRepository(SlingRepository slingRepository) {
        this.repository = slingRepository;
    }

    protected void unbindRepository(SlingRepository slingRepository) {
        if (this.repository == slingRepository) {
            this.repository = null;
        }
    }

    protected void bindCryptoSupport(CryptoSupport cryptoSupport) {
        this.cryptoSupport = cryptoSupport;
    }

    protected void unbindCryptoSupport(CryptoSupport cryptoSupport) {
        if (this.cryptoSupport == cryptoSupport) {
            this.cryptoSupport = null;
        }
    }

    protected void bindOauthManager(OAuthManager oAuthManager) {
        this.oauthManager = oAuthManager;
    }

    protected void unbindOauthManager(OAuthManager oAuthManager) {
        if (this.oauthManager == oAuthManager) {
            this.oauthManager = null;
        }
    }

    protected void bindSettings(SlingSettingsService slingSettingsService) {
        this.settings = slingSettingsService;
    }

    protected void unbindSettings(SlingSettingsService slingSettingsService) {
        if (this.settings == slingSettingsService) {
            this.settings = null;
        }
    }

    protected void bindProfileValidators(ProfileValidators profileValidators) {
        this.profileValidators = profileValidators;
    }

    protected void unbindProfileValidators(ProfileValidators profileValidators) {
        if (this.profileValidators == profileValidators) {
            this.profileValidators = null;
        }
    }

    protected void bindProviderConfigManager(ProviderConfigManagerInternal providerConfigManagerInternal) {
        this.providerConfigManager = providerConfigManagerInternal;
    }

    protected void unbindProviderConfigManager(ProviderConfigManagerInternal providerConfigManagerInternal) {
        if (this.providerConfigManager == providerConfigManagerInternal) {
            this.providerConfigManager = null;
        }
    }

    protected void bindHandlerRedirect(HandlerRedirect handlerRedirect) {
        this.handlerRedirect = handlerRedirect;
    }

    protected void unbindHandlerRedirect(HandlerRedirect handlerRedirect) {
        if (this.handlerRedirect == handlerRedirect) {
            this.handlerRedirect = null;
        }
    }
}
