package com.day.crx.security.token.impl;

import com.adobe.granite.crypto.CryptoException;
import com.adobe.granite.oauth.jwt.JwsBuilderFactory;
import com.adobe.granite.oauth.jwt.JwsValidator;
import com.day.crx.security.token.TokenCookie;
import java.io.IOException;
import java.util.Arrays;
import java.util.Dictionary;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import javax.jcr.ItemNotFoundException;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.jackrabbit.api.security.authentication.token.TokenCredentials;
import org.apache.jackrabbit.oak.spi.security.authentication.credentials.CredentialsSupport;
import org.apache.jackrabbit.oak.spi.security.authentication.token.TokenConfiguration;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.auth.core.AuthUtil;
import org.apache.sling.auth.core.spi.AbstractAuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationFeedbackHandler;
import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;
import org.apache.sling.auth.core.spi.DefaultAuthenticationFeedbackHandler;
import org.apache.sling.discovery.TopologyEvent;
import org.apache.sling.discovery.TopologyEventListener;
import org.apache.sling.jcr.api.SlingRepository;
import org.apache.sling.settings.SlingSettingsService;
import org.osgi.framework.BundleContext;
import org.osgi.framework.InvalidSyntaxException;
import org.osgi.framework.ServiceReference;
import org.osgi.framework.ServiceRegistration;
import org.osgi.service.cm.Configuration;
import org.osgi.service.cm.ConfigurationAdmin;
import org.osgi.service.cm.ConfigurationEvent;
import org.osgi.service.cm.ConfigurationListener;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Deactivate;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
import org.osgi.service.component.annotations.ReferencePolicy;
import org.osgi.service.metatype.annotations.AttributeDefinition;
import org.osgi.service.metatype.annotations.Designate;
import org.osgi.service.metatype.annotations.ObjectClassDefinition;
import org.osgi.service.metatype.annotations.Option;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

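/**
 * Sling authentication handler for the {@code j_security_check} form login and the login-token cookie.
 *
 * <p>On a form POST it builds {@link SimpleCredentials} from {@code j_username}/{@code j_password};
 * otherwise it reads the token from the cookie via {@link TokenCookie} and builds
 * {@link TokenCredentials}. In both cases the client address, {@code User-Agent} and {@code Referer}
 * are attached as credential attributes. After a successful login the cookie is (re)issued; on
 * logout or failed authentication it is cleared and, unless encapsulated tokens are enabled, the
 * token node is removed from the repository.
 *
 * <p>Several settings ({@code encapsulatedToken}, {@code tokenExpiration}, {@code sameSiteCookie},
 * {@code userAgentSameSiteExemptions}, {@code repositoryId}, {@code jwsBuilderFactory}) are static
 * and written from instance lifecycle methods so that the static accessors can read them. They are
 * therefore shared by every instance of this class in the same class loader.
 */
@Designate(ocd = TokenAuthenticationHandler.Config.class)
@Component(service = {AuthenticationHandler.class, TopologyEventListener.class}, name = "com.day.crx.security.token.impl.impl.TokenAuthenticationHandler", property = {"service.vendor=Adobe Systems Incorporated", "service.description=Token Authentication Handler"})
/* loaded from: input_file:com/day/crx/security/token/impl/TokenAuthenticationHandler.class */
public class TokenAuthenticationHandler extends AbstractAuthenticationHandler implements AuthenticationFeedbackHandler, TopologyEventListener {
    protected static final String DESCRIPTION = "Token Authentication Handler";
    protected static final String USER_AGENT = "user-agent";
    private static final String REQUEST_METHOD = "POST";
    private static final String REQUEST_URL_SUFFIX = "/j_security_check";
    private static final String PAR_J_USERNAME = "j_username";
    private static final String PAR_J_PASSWORD = "j_password";
    private static final String PAR_J_REASON = "j_reason";
    private static final String PAR_J_SET_COOKIE = "j_set_cookie";
    private static final String REASON_WRONG_CREDENTIALS = "invalid_login";
    private static final String REASON_TOKEN_EXPIRED = "session_timed_out";
    private static final String CREDENTIALS = "user.jcr.credentials";
    private static final String AUTH_TYPE = "TOKEN";
    private static final String ATTR_TOKEN = ".token";
    private static final String ATTR_TOKEN_IP = "ip";
    private static final String ATTR_TOKEN_IP_MANDATORY = ".token.ip";
    private static final String ATTR_TOKEN_AGENT = "useragent";
    private static final String ATTR_TOKEN_AGENT_MANDATORY = ".token.useragent";
    private static final String ATTR_REFERER = "referer";
    private static final String REQUIRED_ATTR_IP_AGENT = "ip_agent";
    private static final String REQUIRED_ATTR_IP = "ip";
    private static final String REQUIRED_ATTR_AGENT = "agent";
    private static final String REQUIRED_ATTR_NONE = "none";
    private static final String NO_TOKEN = "";
    protected static final String PID_TOKEN_CONFIGURATION = "org.apache.jackrabbit.oak.security.authentication.token.TokenConfigurationImpl";
    protected static final String TOKEN_CONFIGURATION_EXPIRATION = "tokenExpiration";
    /** Fallback token lifetime in milliseconds (12 hours). */
    private static final long TOKEN_EXPIRATION = 43200000;
    protected static final String ENCAPSULATED_TOKEN_SCOPE = "scope";
    protected static final String ENCAPSULATED_TOKEN_SCOPE_VALUE = "login";
    /** Credential attribute that marks a request whose URI is on the skip-refresh list. */
    private static final String SKIP_TOKEN_REFRESH_ATTR = "tokenSkipRefresh";
    /** Oak node type of login-token nodes; checked before a node is removed on logout. */
    private static final String NT_REP_TOKEN = "rep:Token";

    @Reference
    private SlingRepository repository;

    @Reference
    private SlingSettingsService settings;
    private static volatile JwsBuilderFactory jwsBuilderFactory;

    @Reference
    private JwsValidator jwsValidator;

    @Reference(policy = ReferencePolicy.DYNAMIC, cardinality = ReferenceCardinality.OPTIONAL)
    private volatile ConfigurationAdmin configAdmin;
    private String attrIp;
    private String attrAgent;
    private String alternateAuthUrl;
    private volatile String clusterId;
    private static volatile String repositoryId;
    private BundleContext context;
    private ServiceRegistration listenerReg;
    private ServiceRegistration<TokenConfiguration> tokenConfigurationService;
    private static volatile boolean encapsulatedToken;
    private static volatile long tokenExpiration;
    private static volatile String sameSiteCookie;
    private static volatile String[] userAgentSameSiteExemptions;
    private static final char[] NO_PASSWORD = new char[0];
    /** Last-resort repository id, generated once per class load. */
    private static final String RANDOM_UUID = UUID.randomUUID().toString();
    private final Logger log = LoggerFactory.getLogger(getClass());
    private TokenConfigurationImpl tokenConfigurationImpl = new TokenConfigurationImpl();
    /** Request URIs (exact match) for which the skip-refresh attribute is set on the credentials. */
    private final Set<String> skipTokenRefresh = new HashSet<>();

    @ObjectClassDefinition(name = "Adobe Granite Token Authentication Handler", description = "Implements the authorization steps based on the token authorization.")
    /* loaded from: input_file:com/day/crx/security/token/impl/TokenAuthenticationHandler$Config.class */
    public @interface Config {
        @AttributeDefinition(name = "Path", description = "Repository path for which this authentication handler should be used by Sling. If this is empty, the authentication handler will be disabled.")
        String path() default "/";

        @AttributeDefinition(name = "Required Attributes", description = "Which request properties to use as required attributes for authentication. Default (no value set) is \"Client IP Address\".", options = {@Option(label = "Client IP Address and User-Agent", value = TokenAuthenticationHandler.REQUIRED_ATTR_IP_AGENT), @Option(label = "Client IP Address", value = "ip"), @Option(label = "User-Agent", value = TokenAuthenticationHandler.REQUIRED_ATTR_AGENT), @Option(label = TokenCookie.SAMESITE_ATTR_NONE, value = TokenAuthenticationHandler.REQUIRED_ATTR_NONE)})
        String token_required_attr() default "ip";

        @AttributeDefinition(name = "Alternate Authentication Url", description = "Alternate url for the user name and password submission by the form. This name is can be used in addition to the 'j_security_check' to avoid any conflict with Application Server's security.")
        String token_alternate_url();

        @AttributeDefinition(name = "Enable encapsulated token support", description = "By enabling this feature the token verification is achieved offline (without repository access)")
        boolean token_encapsulated() default false;

        @AttributeDefinition(name = "Skip Login Token Refresh", description = "Skip login token refresh for requests going to any of the URIs in this list")
        String[] skip_token_refresh() default {"/libs/granite/csrf/token.json", "/mnt/overlay/granite/ui/content/shell/header/actions/pulse.data.json"};

        @AttributeDefinition(name = "SameSite attribute for the login-token cookie", description = "Value for the login-token's SameSite attribute. Default (no value set) is \"Lax\".", options = {@Option(label = TokenCookie.SAMESITE_ATTR_STRICT, value = TokenCookie.SAMESITE_ATTR_STRICT), @Option(label = TokenCookie.SAMESITE_ATTR_LAX, value = TokenCookie.SAMESITE_ATTR_LAX), @Option(label = TokenCookie.SAMESITE_ATTR_NONE, value = TokenCookie.SAMESITE_ATTR_NONE)})
        String token_samesite_cookie_attr() default "Lax";

        @AttributeDefinition(name = "User agents to be exempted from samesite attribute", description = "Some clients are incompatible with the samesite attribute. Specify the user agent regexes to be exempted when samesite = \"None\". This setting has no effect when samesite is not None.")
        String[] useragents_samesite_exempt_attr();
    }

    /**
     * Re-reads the token expiration whenever a configuration event for
     * {@link #PID_TOKEN_CONFIGURATION} arrives. Registered only when encapsulated tokens are enabled.
     */
    /* loaded from: input_file:com/day/crx/security/token/impl/TokenAuthenticationHandler$TokenExpirationConfigListener.class */
    private class TokenExpirationConfigListener implements ConfigurationListener {
        private TokenExpirationConfigListener() {
        }

        /**
         * Handles one configuration event; events for other PIDs are ignored.
         *
         * @param configurationEvent the event delivered by Configuration Admin
         */
        @SuppressWarnings({"rawtypes", "unchecked"})
        public void configurationEvent(ConfigurationEvent configurationEvent) {
            if (!TokenAuthenticationHandler.PID_TOKEN_CONFIGURATION.equals(configurationEvent.getPid())) {
                return;
            }
            ServiceReference reference = configurationEvent.getReference();
            if (reference == null) {
                TokenAuthenticationHandler.this.log.warn("Configuration event without a ConfigurationAdmin reference; token expiration left unchanged");
                return;
            }
            try {
                // getService may return null if the service is already gone; readTokenExpirationConfig
                // treats a null admin as "use the default".
                ConfigurationAdmin configurationAdmin = (ConfigurationAdmin) TokenAuthenticationHandler.this.context.getService(reference);
                TokenAuthenticationHandler.this.readTokenExpirationConfig(configurationAdmin);
            } catch (IOException | InvalidSyntaxException e) {
                TokenAuthenticationHandler.this.log.warn("Error occurred while reading and updating token expiration configuration ", e);
            } finally {
                // Always release the service, whatever path was taken above.
                TokenAuthenticationHandler.this.context.ungetService(reference);
            }
        }
    }

    /**
     * Applies the component configuration.
     *
     * <p>The "required attributes" option decides under which attribute names the client IP and
     * User-Agent are attached to the credentials: the {@code .token.*} names are used for the
     * properties selected as required, the plain names otherwise. Any value other than
     * {@code ip}, {@code agent} or {@code none} (including {@code null}) selects both.
     *
     * @param bundleContext context used to register the listener and token configuration services
     * @param config        typed component configuration
     * @param map           raw component properties (unused)
     * @throws IOException            if the token expiration configuration cannot be read
     * @throws InvalidSyntaxException if the configuration filter is rejected
     */
    @Activate
    private void activate(BundleContext bundleContext, Config config, Map<String, Object> map) throws IOException, InvalidSyntaxException {
        this.context = bundleContext;
        String requiredAttr = config.token_required_attr();
        if (REQUIRED_ATTR_IP.equals(requiredAttr)) {
            this.log.info("activate: Validating Cookie with Client IP");
            this.attrIp = ATTR_TOKEN_IP_MANDATORY;
            this.attrAgent = ATTR_TOKEN_AGENT;
        } else if (REQUIRED_ATTR_AGENT.equals(requiredAttr)) {
            this.log.info("activate: Validating Cookie with Client User-Agent");
            this.attrIp = ATTR_TOKEN_IP;
            this.attrAgent = ATTR_TOKEN_AGENT_MANDATORY;
        } else if (REQUIRED_ATTR_NONE.equals(requiredAttr)) {
            // With this setting neither property is attached under a mandatory name, so only the
            // token itself ties a request to a login.
            this.log.info("activate: Validating Token Only");
            this.attrIp = ATTR_TOKEN_IP;
            this.attrAgent = ATTR_TOKEN_AGENT;
        } else {
            this.log.info("activate: Validating Cookie with Client IP and User-Agent");
            this.attrIp = ATTR_TOKEN_IP_MANDATORY;
            this.attrAgent = ATTR_TOKEN_AGENT_MANDATORY;
        }
        this.alternateAuthUrl = config.token_alternate_url();
        if (this.alternateAuthUrl != null && !this.alternateAuthUrl.startsWith("/")) {
            this.alternateAuthUrl = "/" + this.alternateAuthUrl;
        }
        encapsulatedToken = config.token_encapsulated();
        if (encapsulatedToken) {
            this.listenerReg = this.context.registerService(ConfigurationListener.class.getName(), new TokenExpirationConfigListener(), (Dictionary) null);
            readTokenExpirationConfig(this.configAdmin);
            this.tokenConfigurationImpl.setJwsValidator(this.jwsValidator);
            Hashtable<String, Object> serviceProps = new Hashtable<>();
            serviceProps.put("service.vendor", "Adobe System");
            serviceProps.put("service.ranking", Integer.valueOf(5000));
            this.tokenConfigurationService = this.context.registerService(TokenConfiguration.class, this.tokenConfigurationImpl, serviceProps);
        }
        String[] skipUris = config.skip_token_refresh();
        if (skipUris != null) {
            this.skipTokenRefresh.addAll(Arrays.asList(skipUris));
        }
        sameSiteCookie = config.token_samesite_cookie_attr();
        // Store an empty array rather than null so the static accessor never dereferences null.
        String[] exemptions = config.useragents_samesite_exempt_attr();
        userAgentSameSiteExemptions = exemptions != null ? exemptions : new String[0];
        initializeRepositoryId();
    }

    /** Unregisters the services registered in {@code activate} and resets the shared static settings. */
    @Deactivate
    private void deactivate() {
        if (this.listenerReg != null) {
            this.listenerReg.unregister();
            this.listenerReg = null;
        }
        if (this.tokenConfigurationService != null) {
            this.tokenConfigurationService.unregister();
            this.tokenConfigurationService = null;
        }
        encapsulatedToken = false;
        tokenExpiration = TOKEN_EXPIRATION;
    }

    /**
     * Stores the JWS builder factory in the static field read by {@link #buildEncapsulatedToken(String)}.
     *
     * @param jwsBuilderFactory2 the factory being bound
     */
    @Reference(name = "jwsBuilderFactory", service = JwsBuilderFactory.class)
    protected void bindJwsBuilderFactory(JwsBuilderFactory jwsBuilderFactory2) {
        jwsBuilderFactory = jwsBuilderFactory2;
    }

    /**
     * Clears the static factory reference, regardless of which factory is passed in.
     *
     * @param jwsBuilderFactory2 the factory being unbound (not compared with the stored one)
     */
    protected void unbindJwsBuilderFactory(JwsBuilderFactory jwsBuilderFactory2) {
        jwsBuilderFactory = null;
    }

    /**
     * Forwards a credentials-support service to the token configuration.
     *
     * @param credentialsSupport the service being bound
     */
    @Reference(name = "credentialsSupport", cardinality = ReferenceCardinality.MULTIPLE, policy = ReferencePolicy.DYNAMIC)
    public void bindCredentialsSupport(CredentialsSupport credentialsSupport) {
        this.tokenConfigurationImpl.bindCredentialsSupport(credentialsSupport);
    }

    /**
     * Removes a credentials-support service from the token configuration.
     *
     * @param credentialsSupport the service being unbound
     */
    public void unbindCredentialsSupport(CredentialsSupport credentialsSupport) {
        this.tokenConfigurationImpl.unbindCredentialsSupport(credentialsSupport);
    }

    /**
     * Picks up the cluster id from topology init/change events and recomputes the repository id.
     *
     * @param topologyEvent the topology event; other event types are ignored
     */
    public void handleTopologyEvent(TopologyEvent topologyEvent) {
        TopologyEvent.Type type = topologyEvent.getType();
        if (type == TopologyEvent.Type.TOPOLOGY_CHANGED || type == TopologyEvent.Type.TOPOLOGY_INIT) {
            this.clusterId = topologyEvent.getNewView().getLocalInstance().getClusterView().getId();
            initializeRepositoryId();
        }
    }

    /**
     * Extracts credentials from the login form or, failing that, from the login-token cookie.
     *
     * @param httpServletRequest  the current request
     * @param httpServletResponse the current response (unused)
     * @return authentication info carrying the credentials, or {@code null} if the request has
     *         neither form parameters nor a token
     */
    public AuthenticationInfo extractCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        AuthenticationInfo formInfo = getTokenFormPars(httpServletRequest);
        if (formInfo != null) {
            httpServletRequest.setAttribute(REQUEST_URL_SUFFIX, AUTH_TYPE);
            return formInfo;
        }
        TokenCookie.Info tokenInfo = TokenCookie.getTokenInfo(httpServletRequest, getRepositoryId(encapsulatedToken));
        if (tokenInfo.token == null) {
            return null;
        }
        // The token is a bearer credential: log only the workspace, never the token value.
        this.log.debug("Extracted login token for workspace {}", tokenInfo.workspace);
        if (tokenInfo.workspace != null && tokenInfo.workspace.length() > 0) {
            httpServletRequest.setAttribute("j_workspace", tokenInfo.workspace);
        }
        return createAuthenticationInfo(createCredentials(tokenInfo.token), httpServletRequest);
    }

    /**
     * This handler never asks the client for credentials itself.
     *
     * @return always {@code false}
     */
    public boolean requestCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        return false;
    }

    /**
     * Logs the client out: removes the token node (repository-backed tokens only) and updates the
     * cookie with a {@code null} token.
     *
     * @param httpServletRequest  the current request
     * @param httpServletResponse the response the cookie update is written to
     */
    public void dropCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (!encapsulatedToken) {
            removeTokenNode(httpServletRequest);
        }
        // NOTE(review): with encapsulated tokens nothing is revoked here; the token presumably stays
        // valid until it expires. Confirm that this is acceptable for the deployment.
        TokenCookie.update(httpServletRequest, httpServletResponse, getRepositoryId(encapsulatedToken), null, null, true, getSameSiteCookieAttribute(httpServletRequest.getHeader(USER_AGENT)));
    }

    /**
     * Records the failure reason as a request attribute and drops the credentials.
     *
     * <p>A request that carried a token is reported as {@code session_timed_out}, any other as
     * {@code invalid_login}.
     */
    public void authenticationFailed(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationInfo authenticationInfo) {
        boolean hadToken = TokenCookie.getTokenInfo(httpServletRequest, getRepositoryId(encapsulatedToken)).token != null;
        httpServletRequest.setAttribute(PAR_J_REASON, hadToken ? REASON_TOKEN_EXPIRED : REASON_WRONG_CREDENTIALS);
        dropCredentials(httpServletRequest, httpServletResponse);
    }

    /**
     * Issues or refreshes the login-token cookie and, for a form login, redirects the client.
     *
     * <p>The redirect target is checked with {@link AuthUtil#isRedirectValid}; an invalid target is
     * replaced by the context root.
     *
     * @return {@code true} if this method sent (or tried to send) a redirect, {@code false} otherwise
     */
    public boolean authenticationSucceeded(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationInfo authenticationInfo) {
        boolean formLogin = REQUEST_METHOD.equals(httpServletRequest.getMethod()) && isLoginURL(httpServletRequest);
        TokenCookie.Info currentInfo = TokenCookie.getTokenInfo(httpServletRequest, getRepositoryId(encapsulatedToken));
        if (formLogin || needsCookieUpdate(currentInfo, httpServletRequest)) {
            TokenCookie.Info freshInfo = createTokenInfo(httpServletRequest, authenticationInfo);
            if (freshInfo != null) {
                TokenCookie.update(httpServletRequest, httpServletResponse, getRepositoryId(encapsulatedToken), freshInfo.token, freshInfo.workspace, true, getSameSiteCookieAttribute(httpServletRequest.getHeader(USER_AGENT)));
            }
        }
        if (!formLogin || DefaultAuthenticationFeedbackHandler.handleRedirect(httpServletRequest, httpServletResponse)) {
            return false;
        }
        String target = AuthUtil.getLoginResource(httpServletRequest, (String) null);
        if (target == null) {
            return false;
        }
        if (!AuthUtil.isRedirectValid(httpServletRequest, target)) {
            // The rejected target is request-supplied; it is logged for diagnosis only.
            String fallback = getDefaultRedirectTarget(httpServletRequest);
            this.log.error("Redirect target '{}' is invalid, redirecting to {}", target, fallback);
            target = fallback;
        }
        try {
            httpServletResponse.sendRedirect(target);
        } catch (IOException e) {
            this.log.error("Failed to send redirect to: {}", target, e);
        }
        return true;
    }

    /**
     * Returns the repository id passed to {@link TokenCookie} calls.
     *
     * @param z {@code true} for encapsulated tokens, which use the fixed scope value
     * @return the scope value, the id computed from cluster/Sling id, or a per-class-load random UUID
     *         if no id has been computed yet
     */
    public static String getRepositoryId(boolean z) {
        if (z) {
            return ENCAPSULATED_TOKEN_SCOPE_VALUE;
        }
        String id = repositoryId;
        return id != null ? id : RANDOM_UUID;
    }

    /**
     * Returns the SameSite value for a client, honouring the configured User-Agent exemptions.
     *
     * <p>Exemptions apply only when the configured value is {@code None}. The exemption patterns
     * come from configuration while the matched string is the request's User-Agent header, so each
     * pattern is evaluated against client-controlled input on every call; patterns should be kept
     * simple. An invalid pattern makes {@link String#matches} throw.
     *
     * @param str the request's User-Agent header, may be {@code null}
     * @return the configured SameSite value, or {@code null} if the user agent is exempted
     */
    public static String getSameSiteCookieAttribute(String str) {
        // Snapshot the volatile fields once so a concurrent reconfiguration cannot change them mid-call.
        String sameSite = sameSiteCookie;
        String[] exemptions = userAgentSameSiteExemptions;
        if (!TokenCookie.SAMESITE_ATTR_NONE.equals(sameSite) || exemptions == null || exemptions.length == 0 || str == null) {
            return sameSite;
        }
        for (String regex : exemptions) {
            if (regex != null && str.matches(regex)) {
                return null;
            }
        }
        return sameSite;
    }

    /**
     * @return the configured SameSite value, without applying User-Agent exemptions
     */
    public static String getSameSiteCookieAttribute() {
        return sameSiteCookie;
    }

    @Override
    public String toString() {
        return DESCRIPTION;
    }

    /**
     * Builds an HS256-signed token for the given subject with the {@code scope=login} claim and the
     * configured lifetime (converted from milliseconds to seconds).
     *
     * @param str the subject to put into the token
     * @return the serialized token
     * @throws CryptoException       if the token cannot be built
     * @throws IllegalStateException if no {@link JwsBuilderFactory} is currently bound
     */
    public static String buildEncapsulatedToken(String str) throws CryptoException {
        JwsBuilderFactory factory = jwsBuilderFactory;
        if (factory == null) {
            throw new IllegalStateException("JwsBuilderFactory is not bound; cannot build encapsulated token");
        }
        return factory.getInstance("HS256").setSubject(str).setCustomClaimsSetField(ENCAPSULATED_TOKEN_SCOPE, ENCAPSULATED_TOKEN_SCOPE_VALUE).setExpiresIn(tokenExpiration / 1000).build();
    }

    /**
     * @return whether encapsulated token support is currently enabled
     */
    public static boolean isEncapsulatedToken() {
        return encapsulatedToken;
    }

    /**
     * Tells whether the request URI ends with {@code /j_security_check}, the configured alternate
     * URL, or one of the suffixes in the {@code org.apache.sling.api.include.auth_uri_suffix}
     * request attribute.
     *
     * @param httpServletRequest the current request
     * @return {@code true} if the request targets a login URL
     */
    boolean isLoginURL(HttpServletRequest httpServletRequest) {
        String requestUri = httpServletRequest.getRequestURI();
        if (requestUri.endsWith(REQUEST_URL_SUFFIX)) {
            return true;
        }
        if (this.alternateAuthUrl != null && requestUri.endsWith(this.alternateAuthUrl)) {
            return true;
        }
        Object suffixes = httpServletRequest.getAttribute("org.apache.sling.api.include.auth_uri_suffix");
        if (suffixes instanceof String[]) {
            for (String suffix : (String[]) suffixes) {
                if (requestUri.endsWith(suffix)) {
                    return true;
                }
            }
        }
        return false;
    }

    /** Returns the context path with a trailing slash, used when the requested redirect is rejected. */
    private String getDefaultRedirectTarget(HttpServletRequest httpServletRequest) {
        String contextPath = httpServletRequest.getContextPath();
        return contextPath.endsWith("/") ? contextPath : contextPath + "/";
    }

    /** Computes the repository id: cluster id if known, else the Sling id, else the random UUID. */
    private void initializeRepositoryId() {
        String id = this.clusterId;
        if (id != null) {
            this.log.info("ClusterId determined using Topology Support [{}]", id);
        } else {
            id = this.settings.getSlingId();
            if (id != null) {
                this.log.info("ClusterId not known so far. Using the SlingId [{}] for unique identifier", id);
            } else {
                id = RANDOM_UUID;
                this.log.error("Failure to acquire unique ID for this token authenticator. Using random UUID {}", id);
            }
        }
        repositoryId = id;
    }

    /**
     * Builds authentication info from a form login, i.e. a POST to a login URL with {@code j_username}.
     *
     * @return the authentication info, or {@code null} if the request is not a form login
     */
    private AuthenticationInfo getTokenFormPars(HttpServletRequest httpServletRequest) {
        if (!REQUEST_METHOD.equals(httpServletRequest.getMethod()) || !isLoginURL(httpServletRequest)) {
            return null;
        }
        String userName = httpServletRequest.getParameter(PAR_J_USERNAME);
        if (userName == null) {
            return null;
        }
        if (!isValidateRequest(httpServletRequest)) {
            String loginResource = AuthUtil.getLoginResource(httpServletRequest, httpServletRequest.getContextPath());
            if (loginResource == null || loginResource.length() == 0) {
                loginResource = "/";
            }
            setLoginResourceAttribute(httpServletRequest, loginResource);
        }
        return createAuthenticationInfo(createCredentials(userName, httpServletRequest.getParameter(PAR_J_PASSWORD)), httpServletRequest);
    }

    /** Wraps a token string read from the cookie. */
    private static TokenCredentials createCredentials(String str) {
        return new TokenCredentials(str);
    }

    /**
     * Builds user/password credentials; the empty {@code .token} attribute is set so that a token
     * can be returned through it (it is read back in {@code createTokenInfo}).
     */
    private static SimpleCredentials createCredentials(String str, String str2) {
        char[] password = str2 != null ? str2.toCharArray() : NO_PASSWORD;
        SimpleCredentials simpleCredentials = new SimpleCredentials(str, password);
        simpleCredentials.setAttribute(ATTR_TOKEN, NO_TOKEN);
        return simpleCredentials;
    }

    /**
     * Determines the address used for the token's IP attribute.
     *
     * <p>The last entry of {@code X-Forwarded-For} is used when the header is present. That value is
     * only trustworthy when a proxy under the operator's control sets or appends it on every request;
     * if clients can reach this handler directly they choose the header themselves, and the IP
     * binding then adds no protection. The connection's remote address is used when the header is
     * missing or has no usable last entry (for example a header consisting only of a comma, which
     * {@code split} turns into an empty array).
     */
    private static String resolveClientAddress(HttpServletRequest httpServletRequest) {
        String forwardedFor = httpServletRequest.getHeader("X-Forwarded-For");
        if (forwardedFor != null) {
            String[] hops = forwardedFor.split(",");
            if (hops.length > 0) {
                String lastHop = hops[hops.length - 1].trim();
                if (!lastHop.isEmpty()) {
                    return lastHop;
                }
            }
        }
        return httpServletRequest.getRemoteAddr();
    }

    /**
     * Attaches client IP, User-Agent, Referer and the skip-refresh marker to form-login credentials
     * and wraps them in an {@link AuthenticationInfo} that also carries the user name.
     */
    private AuthenticationInfo createAuthenticationInfo(SimpleCredentials simpleCredentials, HttpServletRequest httpServletRequest) {
        simpleCredentials.setAttribute(this.attrIp, resolveClientAddress(httpServletRequest));
        String userAgent = httpServletRequest.getHeader("User-Agent");
        if (userAgent != null) {
            simpleCredentials.setAttribute(this.attrAgent, userAgent);
        }
        String referer = httpServletRequest.getHeader("Referer");
        if (referer != null) {
            simpleCredentials.setAttribute(ATTR_REFERER, referer);
        }
        if (this.skipTokenRefresh.contains(httpServletRequest.getRequestURI())) {
            simpleCredentials.setAttribute(SKIP_TOKEN_REFRESH_ATTR, NO_TOKEN);
        }
        AuthenticationInfo authenticationInfo = new AuthenticationInfo(AUTH_TYPE);
        authenticationInfo.put(CREDENTIALS, simpleCredentials);
        authenticationInfo.put("user.name", simpleCredentials.getUserID());
        return authenticationInfo;
    }

    /**
     * Attaches client IP, User-Agent, Referer and the skip-refresh marker to token credentials and
     * wraps them in an {@link AuthenticationInfo}.
     */
    private AuthenticationInfo createAuthenticationInfo(TokenCredentials tokenCredentials, HttpServletRequest httpServletRequest) {
        // Unless the credentials carry an empty ".token" attribute, the ".token.*" attribute names
        // are used regardless of configuration. Nothing in this class sets that attribute on
        // TokenCredentials, so this is presumably always the case here; confirm against callers.
        boolean useMandatoryNames = !NO_TOKEN.equals(tokenCredentials.getAttribute(ATTR_TOKEN));
        tokenCredentials.setAttribute(useMandatoryNames ? ATTR_TOKEN_IP_MANDATORY : this.attrIp, resolveClientAddress(httpServletRequest));
        String userAgent = httpServletRequest.getHeader("User-Agent");
        if (userAgent != null) {
            tokenCredentials.setAttribute(useMandatoryNames ? ATTR_TOKEN_AGENT_MANDATORY : this.attrAgent, userAgent);
        }
        String referer = httpServletRequest.getHeader("Referer");
        if (referer != null) {
            tokenCredentials.setAttribute(ATTR_REFERER, referer);
        }
        if (this.skipTokenRefresh.contains(httpServletRequest.getRequestURI())) {
            tokenCredentials.setAttribute(SKIP_TOKEN_REFRESH_ATTR, NO_TOKEN);
        }
        AuthenticationInfo authenticationInfo = new AuthenticationInfo(AUTH_TYPE);
        authenticationInfo.put(CREDENTIALS, tokenCredentials);
        return authenticationInfo;
    }

    /** A cookie update is needed when the request has no token or explicitly asks via {@code j_set_cookie=true}. */
    private boolean needsCookieUpdate(TokenCookie.Info info, HttpServletRequest httpServletRequest) {
        return info.token == null || "true".equalsIgnoreCase(httpServletRequest.getParameter(PAR_J_SET_COOKIE));
    }

    /**
     * Collects the token (from the credentials) and the workspace name (from the request's resource
     * resolver) for the cookie.
     *
     * @return the token info, or {@code null} if either the token or the workspace is unavailable
     */
    private TokenCookie.Info createTokenInfo(HttpServletRequest httpServletRequest, AuthenticationInfo authenticationInfo) {
        String workspace = null;
        Object resolver = httpServletRequest.getAttribute("org.apache.sling.auth.core.ResourceResolver");
        if (resolver instanceof ResourceResolver) {
            Session session = (Session) ((ResourceResolver) resolver).adaptTo(Session.class);
            if (session != null) {
                workspace = session.getWorkspace().getName();
            }
        }
        String token = null;
        Object credentials = authenticationInfo.get(CREDENTIALS);
        if (credentials instanceof SimpleCredentials) {
            Object tokenAttr = ((SimpleCredentials) credentials).getAttribute(ATTR_TOKEN);
            if (tokenAttr != null) {
                token = tokenAttr.toString();
            }
        } else if (credentials instanceof TokenCredentials) {
            token = ((TokenCredentials) credentials).getToken();
        }
        if (token == null || workspace == null) {
            return null;
        }
        return new TokenCookie.Info(token, workspace);
    }

    /** Removes the token node named by the request's login-token cookie, if the request has one. */
    private void removeTokenNode(HttpServletRequest httpServletRequest) {
        TokenCookie.Info tokenInfo = TokenCookie.getTokenInfo(httpServletRequest, getRepositoryId(encapsulatedToken));
        if (tokenInfo == null || tokenInfo.token == null) {
            return;
        }
        removeTokenNode(tokenInfo.token, tokenInfo.workspace);
    }

    /**
     * Removes the repository node behind a token.
     *
     * <p>The node identifier is the part of the token before the first underscore. Both the token
     * and the workspace originate from the request's cookie, and the removal runs in an
     * administrative session, so the node is removed only if it is of type {@code rep:Token}.
     *
     * @param str  the token value
     * @param str2 the workspace name to log into
     */
    private void removeTokenNode(String str, String str2) {
        int separator = str.indexOf('_');
        String nodeId = separator == -1 ? str : str.substring(0, separator);
        Session session = null;
        try {
            // NOTE(review): loginAdministrative is deprecated in the Sling JCR API and yields an
            // unrestricted session; a service user limited to token nodes would reduce the impact of
            // any mistake here. Not changed because it needs a service-user mapping.
            session = this.repository.loginAdministrative(str2);
            javax.jcr.Node node = session.getNodeByIdentifier(nodeId);
            if (!node.isNodeType(NT_REP_TOKEN)) {
                this.log.warn("removeTokenNode: node {}:{} is not a token node, not removing it", str2, nodeId);
                return;
            }
            node.remove();
            session.save();
        } catch (ItemNotFoundException e) {
            // Must be caught before RepositoryException, which is its supertype. Only the node
            // identifier is logged, not the full token.
            this.log.debug("removeTokenNode: Token node {}:{} not found", str2, nodeId, e);
        } catch (RepositoryException e) {
            this.log.info("removeTokenNode: Failed removing token node", e);
        } finally {
            if (session != null) {
                session.logout();
            }
        }
    }

    /**
     * Reads {@code tokenExpiration} from the Oak token configuration and publishes it to the static
     * field; falls back to the 12-hour default if the admin service, the configuration, its
     * properties or a parseable value is missing.
     *
     * @param configurationAdmin the Configuration Admin service, may be {@code null}
     * @throws IOException            if listing configurations fails
     * @throws InvalidSyntaxException if the PID filter is rejected
     */
    /* JADX INFO: Access modifiers changed from: private */
    public void readTokenExpirationConfig(ConfigurationAdmin configurationAdmin) throws IOException, InvalidSyntaxException {
        if (configurationAdmin == null) {
            this.log.info("the ConfigurationAdmin is not available");
            useDefaultTokenExpiration();
            return;
        }
        Configuration[] configurations = configurationAdmin.listConfigurations("(service.pid=" + PID_TOKEN_CONFIGURATION + ")");
        Configuration configuration = (configurations == null || configurations.length == 0) ? null : configurations[0];
        // getProperties() may return null for a configuration that has never been updated.
        Dictionary<?, ?> properties = configuration == null ? null : configuration.getProperties();
        if (properties == null) {
            useDefaultTokenExpiration();
            return;
        }
        // Compute into a local and publish once, so readers never observe an intermediate value.
        long expiration = TOKEN_EXPIRATION;
        Object configured = properties.get(TOKEN_CONFIGURATION_EXPIRATION);
        if (configured instanceof Long) {
            expiration = ((Long) configured).longValue();
        } else if (configured != null) {
            try {
                expiration = Long.parseLong(String.valueOf(configured));
            } catch (NumberFormatException e) {
                this.log.warn("Ignoring unparseable {} value '{}', using default {}", TOKEN_CONFIGURATION_EXPIRATION, configured, Long.valueOf(TOKEN_EXPIRATION));
            }
        }
        tokenExpiration = expiration;
        this.log.debug("token expiration is set at {}", Long.valueOf(expiration));
    }

    /** Publishes the default token lifetime and logs it. */
    private void useDefaultTokenExpiration() {
        tokenExpiration = TOKEN_EXPIRATION;
        this.log.debug("token expiration is set at the default value {}", Long.valueOf(TOKEN_EXPIRATION));
    }
}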
