package com.day.cq.dam.core.impl.assetlinkshare;

import com.adobe.granite.toggle.api.ToggleRouter;
import com.day.cq.dam.commons.util.DamUtil;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Calendar;
import java.util.Collections;
import java.util.Deque;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.jcr.Node;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.jcr.Value;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang.StringUtils;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Properties;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.ReferencePolicyOption;
import org.apache.felix.scr.annotations.Service;
import org.apache.http.NameValuePair;
import org.apache.http.client.utils.URLEncodedUtils;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.api.resource.ResourceUtil;
import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;
import org.apache.sling.jcr.api.SlingRepository;
import org.apache.sling.resource.collection.ResourceCollection;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

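@Service({AuthenticationHandler.class, Filter.class})
@Component(metatype = false, label = "Adhoc Asset Share Authentication Handler", description = "Adhoc Asset Share Authentication Handler")
@Properties({@Property(name = "service.description", value = {"Adhoc Asset Share Authentication Handler"}), @Property(name = "authtype", value = {AdhocAssetShareAuthHandler.AUTH_TYPE}, propertyPrivate = true), @Property(name = "service.ranking", intValue = {Integer.MIN_VALUE}, propertyPrivate = false), @Property(name = "path", value = {AdhocAssetShareAuthHandler.ASSET_LINK_SHARE_PATH, AdhocAssetShareAuthHandler.SHARE_PAGE_PATH, AdhocAssetShareAuthHandler.SHARE_PAGE_PATH_VANITY, AdhocAssetShareAuthHandler.LINK_EXPIRED_PAGE_PATH, AdhocAssetShareAuthHandler.LINK_EXPIRED_PAGE_PATH_VANITY, AdhocAssetShareAuthHandler.LINK_SHARE_PREVIEW_PAGE_PATH, AdhocAssetShareAuthHandler.ASSET_PREVIEW_PAGE_VANITY, AdhocAssetShareAuthHandler.EXTERNALIZATION_URL, AdhocAssetShareAuthHandler.GRANITE_CORALUI3_RESOURCES_PATH}, cardinality = 2, label = "Paths", description = "Paths for which this Sling Authentication Handler is used"), @Property(name = "sling.filter.scope", value = {"REQUEST"}, propertyPrivate = true)})
/* loaded from: input_file:com/day/cq/dam/core/impl/assetlinkshare/AdhocAssetShareAuthHandler.class */
/**
 * Sling {@link AuthenticationHandler} (and request {@link Filter}) for ad-hoc asset link shares.
 *
 * <p>A request is authenticated when it carries a share token (query parameter {@code sh}, or the
 * same parameter on the Referer URL) whose token node exists under {@code /var/dam/share/}. The
 * request then runs with a session impersonating the user recorded in the token node's
 * {@code jcr:createdBy}, so the only things limiting what that session may touch are the path checks
 * performed here ({@link #isSharedWithThisToken}); any loosening of those checks widens the
 * reachable content. The session is attached to the request and logged out again by
 * {@link #doFilter} after the chain has run.
 *
 * <p>Requests for {@code /libs/cq/i18n} coming from a share page (judged by the client-supplied
 * Referer header) are served with the link-share service session instead.
 */
public final class AdhocAssetShareAuthHandler implements AuthenticationHandler, Filter {
    private static final String TOKEN_QUERY_PARAM = "sh";
    private static final String PATH_QUERY_PARAM = "path";
    private static final String REFERER_HEADER = "referer";
    protected static final String SHARE_PAGE_PATH = "/libs/dam/gui/content/adhocassetsharepage";
    protected static final String SHARE_PAGE_PATH_VANITY = "/linkshare.html";
    protected static final String ASSET_PREVIEW_PAGE_VANITY = "/linksharepreview.html";
    protected static final String LINK_SHARE_PREVIEW_PAGE_PATH = "/libs/dam/gui/content/adhocassetsharepage/linksharepreview";
    protected static final String ASSET_LINK_SHARE_PATH = "/libs/dam/gui/content/assets/assetlinkshare";
    private static final String PROXY_SHARED_ASSET = "/libs/dam/gui/content/assets/assetlinkshare.html";
    protected static final String LINK_EXPIRED_PAGE_PATH = "/libs/dam/gui/content/adhocassetsharepage/linkexpiredpage";
    protected static final String LINK_EXPIRED_PAGE_PATH_VANITY = "/linkexpired.html";
    protected static final String GRANITE_CORALUI3_RESOURCES_PATH = "/libs/clientlibs/granite/coralui3/resources";
    private static final String AUTH_TYPE = "adhocAssetShareAuth";
    protected static final String EXTERNALIZATION_URL = "/libs/cq/i18n";
    private static final String SYNC_ASSET_DOWNLOAD_SELECTOR = "assetdownload.zip";
    private static final String ASYNC_ASSET_DOWNLOAD_SUFFIX = "assetdownload.json";
    private static final String AUTHENTICATION_INFO_SESSION = "user.jcr.session";
    private static final String FT_ALLOW_RENDITIONS = "FT_CQ-4319692";
    public static final String PN_TOKEN_NODE_PATH = "tokenNodePath";

    /** Parent of all token nodes; the node name is the token id extracted by the token service. */
    private static final String TOKEN_NODE_ROOT = "/var/dam/share/";
    /** Multi-valued JCR property on the token node holding the shared content paths. */
    private static final String PN_SHARED_PATHS = "path";
    /** JCR property on the token node naming the user that is impersonated for the request. */
    private static final String PN_CREATED_BY = "jcr:createdBy";
    /** Proxy suffixes that are never treated as a requested content path. */
    private static final String STATUS_SUFFIX = "/status.assetdownload.json";
    private static final String DOWNLOAD_BINARIES_SUFFIX = "/content/dam.downloadbinaries.json";
    /** Regex tail (appended to a quoted shared asset path) of requests accepted for a shared asset. */
    private static final String ASSET_REQUEST_SUFFIX_PATTERN = "(\\.assetdownload\\.(zip|json)|\\/content\\/dam\\.downloadbinaries\\.json|\\.thumb\\.|/((_jcr_content|jcr:content)/renditions|subassets)/).*";
    /** Regex tail (appended to a quoted shared folder/collection path) of requests accepted below it. */
    private static final String FOLDER_REQUEST_SUFFIX_PATTERN = "(\\.assetdownload\\.(zip|json)|\\.folderthumbnail\\.[a-zA-Z]*|/).*";

    @Reference(policyOption = ReferencePolicyOption.GREEDY)
    private ToggleRouter toggleRouter;

    @Reference
    protected AdhocAssetShareTokenService tokenService;

    @Reference
    private ResourceResolverFactory resolverFactory;
    private static final String SESSION_REQ_ATTR = AdhocAssetShareAuthHandler.class.getName() + ".session";
    private static final Logger log = LoggerFactory.getLogger(AdhocAssetShareAuthHandler.class);

    @Reference
    private SlingRepository repository = null;
    private final AdhocAssetShareHelper assetShareHelper = new AdhocAssetShareHelper();

    /**
     * Extracts link-share credentials for the request.
     *
     * <p>Only GET requests and POST download requests are considered. The i18n/share-page check is
     * tried first; otherwise the share token is looked up and, if it authorises the requested path,
     * an {@link AuthenticationInfo} carrying an impersonated session is returned.
     *
     * @param httpServletRequest the request
     * @param httpServletResponse the response; a redirect to the "link expired" page is sent when the
     *     token node is missing or expired
     * @return the credentials, {@link AuthenticationInfo#DOING_AUTH} when a redirect has been sent,
     *     or {@code null} when this handler does not apply or the token does not authorise the request
     */
    @Override
    public AuthenticationInfo extractCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String method = httpServletRequest.getMethod();
        if (!"GET".equals(method) && !"POST".equals(method)) {
            return null;
        }
        // POST is only honoured for the (sync or async) asset download endpoints.
        if ("POST".equals(method) && !isDownloadRequest(httpServletRequest.getRequestURI())) {
            return null;
        }
        AuthenticationInfo i18nInfo = extractI18nCredentials(httpServletRequest);
        if (i18nInfo != null) {
            return i18nInfo;
        }
        String token = getTokenFromRequest(httpServletRequest);
        if (token == null) {
            return null;
        }
        try {
            return extractTokenCredentials(httpServletRequest, httpServletResponse, token);
        } catch (Exception e) {
            log.warn("Couldn't serve Adhoc asset link share landing page. Failed due to: {}", e.toString());
            if (log.isDebugEnabled()) {
                log.debug("Full Stacktrace: ", e);
            }
            // Any failure denies; make sure no half-attached session is left on the request.
            httpServletRequest.removeAttribute(SESSION_REQ_ATTR);
            return null;
        }
    }

    /**
     * Serves {@code /libs/cq/i18n} requests coming from a share page with the link-share service
     * session.
     *
     * <p>The decision relies on the Referer header, which is supplied by the client; the grant is
     * therefore only meaningful because it is limited to the i18n path.
     *
     * @param request the request
     * @return credentials carrying the service session, or {@code null} when the branch does not apply
     *     or anything goes wrong (best effort, the token-based path is tried next)
     */
    @Nullable
    private AuthenticationInfo extractI18nCredentials(@Nonnull HttpServletRequest request) {
        try {
            // NOTE(review): unlike requestPath(), a non-blank pathInfo yields "" here, which makes this
            // branch unreachable for servlet containers that populate pathInfo — kept as found; confirm
            // whether the intent was to fall back to pathInfo.
            String uriPath = StringUtils.isBlank(request.getPathInfo()) ? URI.create(request.getRequestURI()).getPath() : "";
            String normalized = uriPath == null ? null : ResourceUtil.normalize(uriPath);
            if (normalized == null || !normalized.startsWith(request.getContextPath() + EXTERNALIZATION_URL)) {
                return null;
            }
            String referer = request.getHeader(REFERER_HEADER);
            if (StringUtils.isBlank(referer)) {
                return null;
            }
            String refererPath = new URI(referer).getPath();
            if (refererPath == null) {
                return null;
            }
            boolean fromSharePage = startsWithAny(refererPath, "", SHARE_PAGE_PATH_VANITY, ASSET_PREVIEW_PAGE_VANITY, LINK_EXPIRED_PAGE_PATH_VANITY)
                    || startsWithAny(refererPath, request.getContextPath(), SHARE_PAGE_PATH_VANITY, ASSET_PREVIEW_PAGE_VANITY, LINK_EXPIRED_PAGE_PATH_VANITY);
            if (!fromSharePage) {
                return null;
            }
            Session serviceSession = this.repository.loginService(AdhocAssetShareServlet.LINK_SHARE_SUBSERVICE, (String) null);
            // doFilter() logs this session out once the chain has completed.
            request.setAttribute(SESSION_REQ_ATTR, serviceSession);
            AuthenticationInfo info = new AuthenticationInfo(AUTH_TYPE);
            info.put(AUTHENTICATION_INFO_SESSION, serviceSession);
            return info;
        } catch (Exception e) {
            log.debug("Skipping i18n share-page check: {}", e.toString());
            return null;
        }
    }

    /**
     * Resolves a share token against its token node and authorises the requested path.
     *
     * <p>The service session used to read the token node is always logged out before returning; the
     * impersonated user session is logged out too unless it is handed to the request (success case),
     * in which case {@link #doFilter} releases it.
     *
     * @param request the request
     * @param response the response, used for "link expired" redirects
     * @param token the raw token taken from the request
     * @return credentials, {@link AuthenticationInfo#DOING_AUTH} after a redirect, or {@code null} to deny
     * @throws Exception repository, token-service or I/O failures; the caller logs and denies
     */
    @Nullable
    private AuthenticationInfo extractTokenCredentials(@Nonnull HttpServletRequest request, @Nonnull HttpServletResponse response, @Nonnull String token) throws Exception {
        String contextPath = request.getContextPath();
        String rawPath = requestPath(request);
        String normalized = rawPath == null ? null : ResourceUtil.normalize(rawPath);
        if (normalized == null) {
            return null;
        }
        if (startsWithAny(normalized, "", LINK_EXPIRED_PAGE_PATH, LINK_EXPIRED_PAGE_PATH_VANITY)
                || startsWithAny(normalized, contextPath, LINK_EXPIRED_PAGE_PATH, LINK_EXPIRED_PAGE_PATH_VANITY)) {
            // The "link expired" page is rendered without any repository session.
            return new AuthenticationInfo(AUTH_TYPE);
        }
        if (!this.tokenService.isValidToken(token)) {
            return null;
        }
        String tokenId = this.tokenService.extractToken(token);
        if (StringUtils.isBlank(tokenId)) {
            return null;
        }
        Session serviceSession = this.repository.loginService(AdhocAssetShareServlet.LINK_SHARE_SUBSERVICE, (String) null);
        Session userSession = null;
        boolean sessionHandedOff = false;
        try {
            String tokenNodePath = TOKEN_NODE_ROOT + tokenId;
            if (!serviceSession.nodeExists(tokenNodePath)) {
                response.sendRedirect(contextPath + LINK_EXPIRED_PAGE_PATH_VANITY + "?" + TOKEN_QUERY_PARAM + "=" + token);
                return AuthenticationInfo.DOING_AUTH;
            }
            Node tokenNode = serviceSession.getNode(tokenNodePath);
            request.setAttribute(PN_TOKEN_NODE_PATH, tokenNodePath);
            if (!tokenNode.hasProperty(PN_SHARED_PATHS) || !tokenNode.hasProperty(PN_CREATED_BY)) {
                return null;
            }
            // Only the share pages, the asset proxy and the Coral UI resources may be served via a token.
            if (!startsWithAny(normalized, contextPath, SHARE_PAGE_PATH, SHARE_PAGE_PATH_VANITY, PROXY_SHARED_ASSET, ASSET_PREVIEW_PAGE_VANITY, GRANITE_CORALUI3_RESOURCES_PATH)) {
                return null;
            }
            boolean sharePageRequest = startsWithAny(normalized, contextPath, SHARE_PAGE_PATH, SHARE_PAGE_PATH_VANITY, ASSET_PREVIEW_PAGE_VANITY, GRANITE_CORALUI3_RESOURCES_PATH);
            List<String> requestedPaths = sharePageRequest
                    ? sharePageRequestedPaths(request, normalized)
                    : proxyRequestedPaths(request, normalized);
            Value[] sharedValues = tokenNode.getProperty(PN_SHARED_PATHS).getValues();
            List<String> sharedPaths = new ArrayList<>(sharedValues.length);
            for (Value value : sharedValues) {
                sharedPaths.add(value.getString());
            }
            // The request runs as the user who created the share; the path checks below are the only scope limit.
            String owner = tokenNode.getProperty(PN_CREATED_BY).getString();
            userSession = this.repository.impersonateFromService(AdhocAssetShareServlet.LINK_SHARE_SUBSERVICE, new SimpleCredentials(owner, "".toCharArray()), (String) null);
            // A share page opened without any asset path is always allowed to render.
            boolean granted = (sharePageRequest && requestedPaths.isEmpty())
                    || isSharedWithThisToken(userSession, sharedPaths, requestedPaths, tokenNode);
            if (!granted) {
                return null;
            }
            if (!tokenNode.hasProperty(AdhocAssetShareConstants.TOKEN_PROPERTY_EXPIRATION_DATE)) {
                return null;
            }
            Calendar expiration = tokenNode.getProperty(AdhocAssetShareConstants.TOKEN_PROPERTY_EXPIRATION_DATE).getDate();
            if (expiration == null) {
                return null;
            }
            if (Calendar.getInstance(expiration.getTimeZone()).after(expiration)) {
                // Expired: drop the token node and redirect; an expired token must never yield credentials.
                if (serviceSession.nodeExists(tokenNodePath)) {
                    serviceSession.removeItem(tokenNodePath);
                    serviceSession.save();
                }
                response.sendRedirect(contextPath + LINK_EXPIRED_PAGE_PATH_VANITY);
                return AuthenticationInfo.DOING_AUTH;
            }
            exposeBooleanFlag(tokenNode, request, RenditionProps.allowOriginal.name());
            if (this.toggleRouter.isEnabled(FT_ALLOW_RENDITIONS)) {
                exposeBooleanFlag(tokenNode, request, RenditionProps.allowRenditions.name());
            }
            AuthenticationInfo info = new AuthenticationInfo(AUTH_TYPE);
            info.put(AUTHENTICATION_INFO_SESSION, userSession);
            request.setAttribute(SESSION_REQ_ATTR, userSession);
            sessionHandedOff = true;
            return info;
        } finally {
            logoutQuietly(serviceSession);
            if (!sessionHandedOff) {
                logoutQuietly(userSession);
            }
        }
    }

    /**
     * Collects the content paths requested on a share/preview page: the {@code path} parameters (only
     * when the first one is non-blank) plus the preview page's path suffix, if any.
     *
     * @param request the request
     * @param normalized the normalised request path
     * @return the requested paths, possibly empty
     */
    @Nonnull
    private static List<String> sharePageRequestedPaths(@Nonnull HttpServletRequest request, @Nonnull String normalized) {
        List<String> paths = new ArrayList<>(10);
        String[] params = request.getParameterValues(PATH_QUERY_PARAM);
        if (params != null && params.length > 0 && StringUtils.isNotBlank(params[0])) {
            paths.addAll(Arrays.asList(params));
        }
        String previewPrefix = request.getContextPath() + ASSET_PREVIEW_PAGE_VANITY;
        if (normalized.startsWith(previewPrefix)) {
            String suffix = StringUtils.substringAfter(normalized, previewPrefix);
            if (StringUtils.isNotBlank(suffix)) {
                paths.add(suffix);
            }
        }
        return paths;
    }

    /**
     * Collects the content paths requested through the asset proxy: all {@code path} parameters plus
     * the path suffix after the proxy prefix (minus a repeated context path), excluding the two
     * download-status endpoints.
     *
     * @param request the request
     * @param normalized the normalised request path; must start with context path + proxy path
     * @return the requested paths, possibly empty
     */
    @Nonnull
    private static List<String> proxyRequestedPaths(@Nonnull HttpServletRequest request, @Nonnull String normalized) {
        List<String> paths = new ArrayList<>(10);
        String[] params = request.getParameterValues(PATH_QUERY_PARAM);
        if (params != null) {
            paths.addAll(Arrays.asList(params));
        }
        String contextPath = request.getContextPath();
        String proxyPrefix = contextPath + PROXY_SHARED_ASSET;
        String suffix = normalized.startsWith(proxyPrefix) ? normalized.substring(proxyPrefix.length()) : "";
        // Plain prefix strip rather than a regex replace: the context path is not a regex.
        if (StringUtils.isNotBlank(suffix) && suffix.startsWith(contextPath)) {
            suffix = suffix.substring(contextPath.length());
        }
        if (StringUtils.isNotBlank(suffix) && !STATUS_SUFFIX.equals(suffix) && !DOWNLOAD_BINARIES_SUFFIX.equals(suffix)) {
            paths.add(suffix);
        }
        return paths;
    }

    /**
     * Copies a boolean property of the token node onto the request as an attribute of the same name.
     *
     * @param node the token node
     * @param request the request receiving the attribute
     * @param name property / attribute name
     * @throws Exception on repository errors
     */
    private static void exposeBooleanFlag(@Nonnull Node node, @Nonnull HttpServletRequest request, @Nonnull String name) throws Exception {
        if (node.hasProperty(name)) {
            request.setAttribute(name, Boolean.valueOf(node.getProperty(name).getBoolean()));
        }
    }

    /**
     * Returns the request path: the servlet path info, or the request URI's path when that is blank.
     *
     * @param request the request
     * @return the path, or {@code null} when neither source yields one
     */
    @Nullable
    private static String requestPath(@Nonnull HttpServletRequest request) {
        String pathInfo = request.getPathInfo();
        if (StringUtils.isNotBlank(pathInfo)) {
            return pathInfo;
        }
        return URI.create(request.getRequestURI()).getPath();
    }

    /**
     * Tells whether {@code path} starts with {@code prefix} followed by any of the candidates.
     *
     * @param path the path to test
     * @param prefix prefix put in front of every candidate (may be empty)
     * @param candidates the candidate tails
     * @return {@code true} if any candidate matches
     */
    private static boolean startsWithAny(@Nonnull String path, @Nonnull String prefix, String... candidates) {
        for (String candidate : candidates) {
            if (path.startsWith(prefix + candidate)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Logs a session out if it is non-null and still live.
     *
     * @param session the session, may be {@code null}
     */
    private static void logoutQuietly(@Nullable Session session) {
        if (session != null && session.isLive()) {
            session.logout();
        }
    }

    /**
     * Tells whether the request URI addresses a synchronous ({@code assetdownload.zip} selector on the
     * second-to-last segment) or asynchronous ({@code assetdownload.json} suffix) asset download.
     *
     * @param str the request URI
     * @return {@code true} for download requests
     */
    private boolean isDownloadRequest(String str) {
        String[] segments = str.split("/");
        // URIs with fewer than two segments (e.g. "/") have no selector segment to inspect.
        boolean syncDownload = segments.length >= 2 && segments[segments.length - 2].endsWith(SYNC_ASSET_DOWNLOAD_SELECTOR);
        return syncDownload || str.endsWith(ASYNC_ASSET_DOWNLOAD_SUFFIX);
    }

    /**
     * Checks that every requested path is covered by the token's shared paths.
     *
     * <p>Shared collections are expanded recursively to their members. A requested path matches a
     * shared asset when it equals it or addresses a rendition/thumbnail/download of it; it matches a
     * shared folder or collection when it equals it or lies below it, in which case the sharing user
     * must additionally hold the privilege the share helper demands on that folder.
     *
     * <p>Blank requested entries are skipped, except that a trailing blank entry yields {@code false}
     * (kept from the original evaluation order).
     *
     * @param session the impersonated session of the sharing user
     * @param list the paths recorded on the token node
     * @param list2 the paths requested by the client
     * @param node the token node (used to determine the privilege to check)
     * @return {@code true} when all requested paths are covered; {@code false} on any error
     */
    private boolean isSharedWithThisToken(Session session, List<String> list, List<String> list2, Node node) {
        ResourceResolver resolver = null;
        try {
            AuthenticationInfo info = new AuthenticationInfo((String) null);
            info.put(AUTHENTICATION_INFO_SESSION, session);
            resolver = this.resolverFactory.getResourceResolver(info);
            if (resolver == null) {
                return false;
            }
            Set<String> shared = expandSharedPaths(resolver, list);
            boolean granted = list2.isEmpty();
            for (String requested : list2) {
                granted = false;
                String normalized = ResourceUtil.normalize(requested);
                if (StringUtils.isBlank(normalized)) {
                    continue;
                }
                granted = isCoveredByShare(resolver, session, node, shared, normalized);
                if (!granted) {
                    return false;
                }
            }
            return granted;
        } catch (Exception e) {
            return false;
        } finally {
            // The resolver was created on top of an externally owned session, which stays open.
            if (resolver != null) {
                resolver.close();
            }
        }
    }

    /**
     * Resolves the shared paths and adds the members of every shared collection (recursively).
     *
     * @param resolver resolver of the sharing user
     * @param sharedPaths the token's shared paths
     * @return the set of resolvable shared paths and collection members
     */
    @Nonnull
    private Set<String> expandSharedPaths(@Nonnull ResourceResolver resolver, @Nonnull List<String> sharedPaths) {
        Set<String> reachable = new HashSet<>();
        Deque<Resource> collections = new ArrayDeque<>();
        for (String sharedPath : sharedPaths) {
            Resource resource = resolver.getResource(sharedPath);
            // Visited-set guard: a collection seen twice is expanded once, so cyclic collections terminate.
            if (resource != null && reachable.add(resource.getPath()) && resource.adaptTo(ResourceCollection.class) != null) {
                collections.add(resource);
            }
        }
        while (!collections.isEmpty()) {
            Iterator<Resource> members = getChildren(collections.poll());
            while (members.hasNext()) {
                Resource member = members.next();
                if (member != null && reachable.add(member.getPath()) && member.adaptTo(ResourceCollection.class) != null) {
                    collections.add(member);
                }
            }
        }
        return reachable;
    }

    /**
     * Tells whether one normalised requested path is covered by the expanded shared paths.
     *
     * @param resolver resolver of the sharing user
     * @param session the sharing user's session, for the folder privilege check
     * @param node the token node
     * @param shared the expanded shared paths
     * @param normalized the normalised requested path (non-blank)
     * @return {@code true} if covered
     * @throws Exception on repository errors
     */
    private boolean isCoveredByShare(@Nonnull ResourceResolver resolver, @Nonnull Session session, @Nonnull Node node, @Nonnull Set<String> shared, @Nonnull String normalized) throws Exception {
        for (String sharedPath : shared) {
            String quoted = Pattern.quote(sharedPath);
            if (DamUtil.isAsset(resolver.getResource(sharedPath))) {
                if (normalized.equals(sharedPath) || normalized.matches(quoted + ASSET_REQUEST_SUFFIX_PATTERN)) {
                    return true;
                }
            } else if (normalized.equals(sharedPath) || normalized.matches(quoted + FOLDER_REQUEST_SUFFIX_PATTERN)) {
                // Folders/collections additionally require the sharing user to hold the share privilege.
                return this.assetShareHelper.canShareAsset(session.getAccessControlManager(), sharedPath, this.assetShareHelper.getPrivilegeToCheck(node));
            }
        }
        return false;
    }

    /**
     * Returns the members of a resource collection.
     *
     * @param resource the resource
     * @return the members, or an empty iterator when the resource is not a collection
     */
    @Nonnull
    private Iterator<Resource> getChildren(Resource resource) {
        ResourceCollection collection = resource.adaptTo(ResourceCollection.class);
        return collection == null ? Collections.<Resource>emptyIterator() : collection.getResources();
    }

    /**
     * Reads the share token from the {@code sh} request parameter, falling back to the Referer URL.
     *
     * @param httpServletRequest the request
     * @return the token, or {@code null}
     */
    @Nullable
    private static String getTokenFromRequest(@Nonnull HttpServletRequest httpServletRequest) {
        String parameter = httpServletRequest.getParameter(TOKEN_QUERY_PARAM);
        return parameter != null ? parameter : getTokenFromRequestReferer(httpServletRequest);
    }

    /**
     * Reads the share token from the {@code sh} query parameter of the Referer header.
     *
     * @param httpServletRequest the request
     * @return the token, or {@code null} when the header is absent, unparseable or has no such parameter
     */
    @Nullable
    private static String getTokenFromRequestReferer(@Nonnull HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader(REFERER_HEADER);
        if (StringUtils.isBlank(header)) {
            return null;
        }
        try {
            for (NameValuePair pair : URLEncodedUtils.parse(new URI(header), StandardCharsets.UTF_8.name())) {
                if (TOKEN_QUERY_PARAM.equals(pair.getName())) {
                    return pair.getValue();
                }
            }
            return null;
        } catch (URISyntaxException e) {
            log.warn("Illegal Referer header. Ignoring: {}", e.getMessage());
            return null;
        }
    }

    /** No-op: there is nothing to drop, the session is released by {@link #doFilter}. */
    @Override
    public void dropCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
    }

    /** Never requests credentials from the client. */
    @Override
    public boolean requestCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        return false;
    }

    /**
     * Releases the session attached by {@link #extractCredentials} once the chain has completed,
     * whether it returned normally or threw.
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain) throws IOException, ServletException {
        Session session = (Session) servletRequest.getAttribute(SESSION_REQ_ATTR);
        if (session != null) {
            servletRequest.removeAttribute(SESSION_REQ_ATTR);
        }
        try {
            filterChain.doFilter(servletRequest, servletResponse);
        } finally {
            logoutQuietly(session);
        }
    }

    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    @Override
    public void destroy() {
    }

    protected void bindToggleRouter(ToggleRouter toggleRouter) {
        this.toggleRouter = toggleRouter;
    }

    protected void unbindToggleRouter(ToggleRouter toggleRouter) {
        if (this.toggleRouter == toggleRouter) {
            this.toggleRouter = null;
        }
    }

    protected void bindTokenService(AdhocAssetShareTokenService adhocAssetShareTokenService) {
        this.tokenService = adhocAssetShareTokenService;
    }

    protected void unbindTokenService(AdhocAssetShareTokenService adhocAssetShareTokenService) {
        if (this.tokenService == adhocAssetShareTokenService) {
            this.tokenService = null;
        }
    }

    protected void bindRepository(SlingRepository slingRepository) {
        this.repository = slingRepository;
    }

    protected void unbindRepository(SlingRepository slingRepository) {
        if (this.repository == slingRepository) {
            this.repository = null;
        }
    }

    protected void bindResolverFactory(ResourceResolverFactory resourceResolverFactory) {
        this.resolverFactory = resourceResolverFactory;
    }

    protected void unbindResolverFactory(ResourceResolverFactory resourceResolverFactory) {
        if (this.resolverFactory == resourceResolverFactory) {
            this.resolverFactory = null;
        }
    }
}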
