package com.adobe.granite.csrf.impl;

import com.adobe.granite.crypto.CryptoException;
import com.adobe.granite.crypto.CryptoSupport;
import com.adobe.granite.oauth.jwt.JwsBuilderFactory;
import java.io.IOException;
import java.util.Map;
import javax.servlet.ServletException;
import org.apache.felix.scr.annotations.Activate;
import org.apache.felix.scr.annotations.Modified;
import org.apache.felix.scr.annotations.Properties;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.sling.SlingServlet;
import org.apache.oltu.commons.encodedtoken.TokenDecoder;
import org.apache.oltu.oauth2.jwt.JWT;
import org.apache.oltu.oauth2.jwt.io.JWTClaimsSetWriter;
import org.apache.oltu.oauth2.jwt.io.JWTReader;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingSafeMethodsServlet;
import org.apache.sling.commons.osgi.PropertiesUtil;
import org.json.JSONWriter;
import org.osgi.framework.BundleContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

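/**
 * Read-only servlet that hands the signed CSRF token to the currently authenticated user.
 *
 * <p>Bound to resource type {@code granite/csrf/token} with the {@code json} extension. A GET
 * answers {@code {"token": "..."}} for an authenticated request and an empty object {@code {}}
 * for an anonymous one (see {@link #doGet}). Because the class extends
 * {@link SlingSafeMethodsServlet}, only safe HTTP methods are served: the token can be read
 * here but never created or altered by a state-changing request.
 *
 * <p>The {@code sling.auth.requirements} entry {@code -/libs/granite/csrf/token} appears to
 * exclude the path from Sling's authentication requirement, so anonymous requests reach the
 * servlet instead of being redirected to login and the servlet itself decides whether a token
 * is issued — TODO confirm against the Sling authentication configuration in use.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The token is a per-user secret; the response is marked non-cacheable so that neither
 *       browser nor intermediary caches keep a copy.</li>
 *   <li>The servlet inspects neither {@code Origin} nor {@code Referer}. Keeping the token
 *       out of reach of cross-origin scripts relies entirely on the browser's same-origin
 *       policy for the JSON body, so this path must not be exposed through a credentialed
 *       CORS configuration.</li>
 *   <li>The token lifetime is configurable but is clamped in {@link #activate} to at least
 *       {@value #CSRF_TOKEN_EXPIRES_IN_DEFAULT} seconds.</li>
 * </ul>
 */
@SlingServlet(resourceTypes = {"granite/csrf/token"}, extensions = {"json"}, metatype = true, description = "Servlet that return the CSRF token for a given user.", label = "Adobe Granite CSRF Servlet")
@Properties({@Property(label = "CSRF Token Expires In", description = "The lifetime in seconds of the csrf token (min 600 seconds/10 minutes)", name = CSRFConstants.CSRF_TOKEN_EXPIRES_IN, longValue = {CSRFServlet.CSRF_TOKEN_EXPIRES_IN_DEFAULT}), @Property(name = "sling.auth.requirements", value = {"-/libs/granite/csrf/token"})})
/* loaded from: input_file:com/adobe/granite/csrf/impl/CSRFServlet.class */
public class CSRFServlet extends SlingSafeMethodsServlet {
    private static final long serialVersionUID = 1;
    /** Default and minimum token lifetime in seconds (10 minutes). */
    static final long CSRF_TOKEN_EXPIRES_IN_DEFAULT = 600;
    private final Logger logger = LoggerFactory.getLogger(CSRFServlet.class);

    /** Produces the HS256-signed JWS the token is derived from; see {@link #getCSRFToken}. */
    @Reference
    private JwsBuilderFactory jwsBuilderFactory;

    /**
     * Injected but not used by any method of this class; kept so the component's reference
     * metadata (and the bind/unbind pair below) stays unchanged.
     */
    @Reference
    private CryptoSupport cryptoSupport;
    /** Effective token lifetime in seconds, never below {@link #CSRF_TOKEN_EXPIRES_IN_DEFAULT}. */
    private long csrfTokenExpiresIn;

    /**
     * Reads the configured token lifetime on activation and again on every configuration change.
     *
     * @param bundleContext the component's bundle context (not used)
     * @param map component configuration; only {@link CSRFConstants#CSRF_TOKEN_EXPIRES_IN} is read
     */
    @Modified
    @Activate
    private void activate(BundleContext bundleContext, Map<String, Object> map) {
        long configuredLifetime = PropertiesUtil.toLong(map.get(CSRFConstants.CSRF_TOKEN_EXPIRES_IN), CSRF_TOKEN_EXPIRES_IN_DEFAULT);
        // Values below the default are not rejected: they are logged and replaced by the default.
        if (configuredLifetime < CSRF_TOKEN_EXPIRES_IN_DEFAULT) {
            this.logger.warn("The lifetime in seconds of the csrf token must be minimum 600 seconds/10 minutes, defaulting lifetime to 600 seconds/10 minutes");
            configuredLifetime = CSRF_TOKEN_EXPIRES_IN_DEFAULT;
        }
        this.csrfTokenExpiresIn = configuredLifetime;
    }

    /**
     * Writes {@code {"token": "..."}} for an authenticated request, {@code {}} otherwise.
     *
     * <p>Fixes relative to the previous version: the token is generated before anything is
     * written, so a {@link CryptoException} results in a clean 500 instead of a
     * {@code sendError} issued after part of a JSON body has already gone into the response;
     * content type, charset and cache headers are set before {@code getWriter()} is obtained,
     * because the servlet API silently ignores {@code setCharacterEncoding()} (and the charset
     * part of {@code setContentType()}) once a writer exists; and the response is marked
     * {@code no-store}, since a CSRF token must never be kept by any cache.
     *
     * @param slingHttpServletRequest the request; {@code getAuthType() != null} is the only
     *        authentication signal used, and {@code getRemoteUser()} becomes the token subject
     * @param slingHttpServletResponse the response receiving the JSON body
     * @throws IOException if writing the response fails
     * @throws ServletException never thrown here, kept for the overridden signature
     */
    protected void doGet(SlingHttpServletRequest slingHttpServletRequest, SlingHttpServletResponse slingHttpServletResponse) throws ServletException, IOException {
        String token = null;
        if (slingHttpServletRequest.getAuthType() != null) {
            try {
                token = getCSRFToken(slingHttpServletRequest.getRemoteUser());
            } catch (CryptoException e) {
                this.logger.error("doGet: failed to generate CSRF token", e);
                // Nothing has been written yet, so the error page is sent on a clean response.
                slingHttpServletResponse.sendError(500);
                return;
            }
        } else {
            this.logger.debug("doGet: CSRF token available only for authenticated users");
        }

        // All header work happens before getWriter(): after that call the charset can no longer
        // be changed, and headers set after the response is committed are dropped.
        slingHttpServletResponse.setContentType("application/json");
        slingHttpServletResponse.setCharacterEncoding("UTF-8");
        // no-store (not just no-cache) so the secret is never persisted by browsers or proxies;
        // Pragma covers HTTP/1.0 intermediaries.
        slingHttpServletResponse.setHeader("Cache-Control", "no-store, no-cache");
        slingHttpServletResponse.setHeader("Pragma", "no-cache");
        slingHttpServletResponse.setHeader("Expires", "-1");
        slingHttpServletResponse.setStatus(200);

        JSONWriter jsonWriter = new JSONWriter(slingHttpServletResponse.getWriter());
        jsonWriter.object();
        if (token != null) {
            jsonWriter.key("token").value(token);
        }
        jsonWriter.endObject();
    }

    /**
     * Builds the wire-format CSRF token for the given user.
     *
     * <p>A complete JWS is first built with HS256 carrying {@code sub} = user,
     * {@code exp} = issue time + lifetime and {@code scope} =
     * {@link CSRFConstants#CSRF_TOKEN_VALUE}. What is handed to the client, however, is
     * {@code base64(claims{iat, exp}) + "." + signature}: only the two timestamps are
     * transmitted, while the signature was computed over the full claim set including
     * {@code sub} and {@code scope}. A verifier therefore cannot check the signature against the
     * transmitted payload as-is; it has to rebuild the signed claim set from the authenticated
     * user and the constant scope, byte-for-byte in the same serialisation — TODO confirm that
     * the CSRF filter does exactly this, as any divergence in claim order or encoding between
     * the two sides breaks validation.
     *
     * @param str the authenticated user id used as the {@code sub} claim
     * @return the token in the format described above
     * @throws CryptoException if the signing key is unavailable or signing fails
     */
    private String getCSRFToken(String str) throws NumberFormatException, CryptoException {
        JWT signedJwt = (JWT) new JWTReader().read(this.jwsBuilderFactory.getInstance("HS256")
                .setSubject(str)
                .setExpiresIn(this.csrfTokenExpiresIn)
                .setCustomClaimsSetField("scope", CSRFConstants.CSRF_TOKEN_VALUE)
                .build());
        // iat is read back from the signed JWT so the transmitted exp is the one the signature covers.
        long issuedAt = signedJwt.getClaimsSet().getIssuedAt();
        JWT timestampsOnly = new JWT.Builder()
                .setClaimsSetIssuedAt(issuedAt)
                .setClaimsSetExpirationTime(issuedAt + this.csrfTokenExpiresIn)
                .build();
        String payload = TokenDecoder.base64Encode(new JWTClaimsSetWriter().write(timestampsOnly.getClaimsSet()));
        return payload + "." + signedJwt.getSignature();
    }

    /** SCR bind method for {@link #jwsBuilderFactory}. */
    protected void bindJwsBuilderFactory(JwsBuilderFactory jwsBuilderFactory) {
        this.jwsBuilderFactory = jwsBuilderFactory;
    }

    /** SCR unbind method; clears the field only if it still holds the instance being unbound. */
    protected void unbindJwsBuilderFactory(JwsBuilderFactory jwsBuilderFactory) {
        if (this.jwsBuilderFactory == jwsBuilderFactory) {
            this.jwsBuilderFactory = null;
        }
    }

    /** SCR bind method for {@link #cryptoSupport}. */
    protected void bindCryptoSupport(CryptoSupport cryptoSupport) {
        this.cryptoSupport = cryptoSupport;
    }

    /** SCR unbind method; clears the field only if it still holds the instance being unbound. */
    protected void unbindCryptoSupport(CryptoSupport cryptoSupport) {
        if (this.cryptoSupport == cryptoSupport) {
            this.cryptoSupport = null;
        }
    }
}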
