package org.apache.sling.auth.form.impl;

import java.io.File;
import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.HashMap;
import java.util.Map;
import javax.jcr.Credentials;
import javax.jcr.SimpleCredentials;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.codec.binary.Hex;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.auth.core.AuthUtil;
import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;
import org.apache.sling.auth.core.spi.DefaultAuthenticationFeedbackHandler;
import org.apache.sling.auth.form.FormReason;
import org.apache.sling.auth.form.impl.jaas.FormCredentials;
import org.apache.sling.auth.form.impl.jaas.JaasHelper;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceRegistration;
import org.osgi.service.component.ComponentContext;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Deactivate;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
import org.osgi.service.component.annotations.ReferencePolicy;
import org.osgi.service.metatype.annotations.Designate;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

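/**
 * Form based {@link AuthenticationHandler} for Apache Sling.
 * <p>
 * Credentials reach this handler in one of two ways:
 * <ul>
 * <li>a {@code POST} to a URL ending in {@code /j_security_check} that carries the
 * {@code j_username} / {@code j_password} parameters (the login form submission), or</li>
 * <li>a previously issued authentication token, read back from a cookie or an HTTP
 * session attribute (see {@link AuthenticationStorage}) and checked against the
 * {@link TokenStore} before it is trusted.</li>
 * </ul>
 * After the repository accepts a login, {@link #refreshAuthData} (re-)issues the token;
 * on failure or logout the stored token is cleared.
 * <p>
 * Operational security notes (details on the individual methods): the cookie's
 * {@code Secure} attribute follows {@code request.isSecure()}, so a TLS-terminating proxy
 * must be made visible to the servlet container; the login-form include path resolves the
 * form with an administrative resource resolver; the login {@code POST} itself carries no
 * CSRF token, so login-CSRF protection must come from elsewhere if required.
 */
@Designate(ocd = FormAuthenticationHandlerConfig.class)
@Component(name = "org.apache.sling.auth.form.FormAuthenticationHandler", property = {"authtype=FORM"}, service = {AuthenticationHandler.class}, immediate = true)
public class FormAuthenticationHandler extends DefaultAuthenticationFeedbackHandler implements AuthenticationHandler {
    /** Only a POST is accepted as a form submission. */
    private static final String REQUEST_METHOD = "POST";
    /** Request URI suffix that marks a form submission. */
    private static final String REQUEST_URL_SUFFIX = "/j_security_check";
    private static final String PAR_J_USERNAME = "j_username";
    private static final String PAR_J_PASSWORD = "j_password";
    /** AuthenticationInfo key (and cookie-name suffix) for an explicit cookie domain. */
    private static final String COOKIE_DOMAIN = "cookie.domain";
    private static final long MINUTES = 60000;
    private final Logger log = LoggerFactory.getLogger(getClass());
    /** Where the issued token lives between requests: cookie or HTTP session. */
    private AuthenticationStorage authStorage;
    /** Path of the login form (relative to the servlet context). */
    private String loginForm;
    /** Token lifetime in milliseconds. */
    private long sessionTimeout;
    /** Attribute name under which the raw token travels inside AuthenticationInfo / SimpleCredentials. */
    private String attrCookieAuthData;
    private TokenStore tokenStore;
    private ServiceRegistration<?> loginModule;
    private boolean includeLoginForm;

    @Reference(policy = ReferencePolicy.DYNAMIC, cardinality = ReferenceCardinality.OPTIONAL)
    private volatile ResourceResolverFactory resourceResolverFactory;
    /** Whether an expired token should immediately trigger a new login (FAIL_AUTH + TIMEOUT reason). */
    private boolean loginAfterExpire;
    private JaasHelper jaasHelper;

    /**
     * Abstraction over where the authentication token is kept between requests.
     */
    public interface AuthenticationStorage {
        /** Returns the stored token for this request, or {@code null} if none is present. */
        String extractAuthenticationInfo(HttpServletRequest httpServletRequest);

        /** Stores {@code str} (the token) for subsequent requests. */
        void set(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, AuthenticationInfo authenticationInfo);

        /** Removes any stored token. */
        void clear(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse);
    }

    /**
     * Keeps the token in a cookie. A second cookie ({@code <name>.cookie.domain}) remembers
     * the domain the token cookie was issued for, so it can be cleared with the same domain.
     */
    private static class CookieStorage implements AuthenticationStorage {
        private static final String HEADER_SET_COOKIE = "Set-Cookie";
        private final String cookieName;
        private final String domainCookieName;
        private final String defaultCookieDomain;

        public CookieStorage(String cookieName, String defaultCookieDomain) {
            this.cookieName = cookieName;
            this.domainCookieName = cookieName + "." + FormAuthenticationHandler.COOKIE_DOMAIN;
            this.defaultCookieDomain = defaultCookieDomain;
        }

        /**
         * Returns the base64-decoded token cookie value, or {@code null} when the cookie is
         * absent or empty. The value is NOT validated here; callers must run it through
         * {@link TokenStore#isValid} before trusting it.
         */
        @Override
        public String extractAuthenticationInfo(HttpServletRequest request) {
            Cookie[] cookies = request.getCookies();
            if (cookies == null) {
                return null;
            }
            for (Cookie cookie : cookies) {
                if (!this.cookieName.equals(cookie.getName())) {
                    continue;
                }
                String value = cookie.getValue();
                if (value != null && !value.isEmpty()) {
                    return new String(Base64.decodeBase64(value), StandardCharsets.UTF_8);
                }
            }
            return null;
        }

        /**
         * Issues the token cookie (URL-safe base64, no padding, so the value cannot carry
         * cookie-attribute separators). The domain is taken from the AuthenticationInfo's
         * {@code cookie.domain} entry, falling back to the configured default.
         */
        @Override
        public void set(HttpServletRequest request, HttpServletResponse response, String authData, AuthenticationInfo info) {
            String encoded = Base64.encodeBase64URLSafeString(authData.getBytes(StandardCharsets.UTF_8));
            Object configured = info.get(FormAuthenticationHandler.COOKIE_DOMAIN);
            String domain = configured instanceof String ? (String) configured : null;
            if (domain == null || domain.isEmpty()) {
                domain = this.defaultCookieDomain;
            }
            setCookie(request, response, this.cookieName, encoded, -1, domain);
            if (domain != null) {
                setCookie(request, response, this.domainCookieName, domain, -1, domain);
            }
        }

        /**
         * Expires the token cookie (and the domain cookie, if present) for the domain the
         * client reports in the domain cookie.
         */
        @Override
        public void clear(HttpServletRequest request, HttpServletResponse response) {
            boolean haveAuthCookie = false;
            String clientDomain = null;
            Cookie[] cookies = request.getCookies();
            if (cookies != null) {
                for (Cookie cookie : cookies) {
                    if (this.cookieName.equals(cookie.getName())) {
                        haveAuthCookie = true;
                    } else if (this.domainCookieName.equals(cookie.getName())) {
                        clientDomain = cookie.getValue();
                    }
                }
            }
            if (!haveAuthCookie) {
                return;
            }
            // The domain comes from a client-sent cookie and is echoed into a Set-Cookie
            // header: only accept a plain hostname so a tampered value cannot smuggle extra
            // cookie attributes or a bogus domain into the response.
            String domain = isSafeCookieDomain(clientDomain) ? clientDomain : null;
            setCookie(request, response, this.cookieName, "", 0, domain);
            if (clientDomain != null && !clientDomain.isEmpty()) {
                setCookie(request, response, this.domainCookieName, "", 0, domain);
            }
        }

        /**
         * Writes a Set-Cookie header by hand so HttpOnly / Max-Age / Secure are emitted
         * regardless of the container's Cookie API version.
         *
         * @param maxAge  seconds; negative means "session cookie", 0 deletes the cookie
         * @param domain  optional Domain attribute; must already be validated by the caller
         */
        private void setCookie(HttpServletRequest request, HttpServletResponse response, String name, String value, int maxAge, String domain) {
            String contextPath = request.getContextPath();
            String path = (contextPath == null || contextPath.isEmpty()) ? "/" : contextPath;
            StringBuilder header = new StringBuilder();
            header.append(name).append("=").append(value);
            header.append("; Path=").append(path);
            // Keep the token away from scripts.
            header.append("; HttpOnly");
            if (domain != null) {
                header.append("; Domain=").append(domain);
            }
            if (maxAge >= 0) {
                header.append("; Max-Age=").append(maxAge);
            }
            // NOTE(review): isSecure() is false behind a TLS-terminating proxy unless the
            // container is configured to honour the proxy's scheme headers; in that setup the
            // token cookie is sent without "Secure". No SameSite attribute is emitted.
            if (request.isSecure()) {
                header.append("; Secure");
            }
            response.addHeader(HEADER_SET_COOKIE, header.toString());
        }
    }

    /**
     * Keeps the token in an HTTP session attribute instead of a cookie.
     */
    private static class SessionStorage implements AuthenticationStorage {
        private final String sessionAttributeName;

        SessionStorage(String sessionAttributeName) {
            this.sessionAttributeName = sessionAttributeName;
        }

        /** Reads the token from an existing session; never creates one. */
        @Override
        public String extractAuthenticationInfo(HttpServletRequest request) {
            HttpSession session = request.getSession(false);
            if (session == null) {
                return null;
            }
            Object stored = session.getAttribute(this.sessionAttributeName);
            return stored instanceof String ? (String) stored : null;
        }

        /**
         * Stores the token, creating the session if needed.
         * NOTE(review): the session id is not rotated on login here; if the container offers
         * HttpServletRequest#changeSessionId (Servlet 3.1+) consider calling it to limit
         * session fixation.
         */
        @Override
        public void set(HttpServletRequest request, HttpServletResponse response, String authData, AuthenticationInfo info) {
            request.getSession().setAttribute(this.sessionAttributeName, authData);
        }

        @Override
        public void clear(HttpServletRequest request, HttpServletResponse response) {
            HttpSession session = request.getSession(false);
            if (session != null) {
                session.removeAttribute(this.sessionAttributeName);
            }
        }
    }

    /**
     * Extracts credentials for this request: a form submission takes precedence, otherwise a
     * stored token is validated via the {@link TokenStore}. An invalid/expired token is
     * cleared; depending on configuration this either yields {@code FAIL_AUTH} with reason
     * {@code TIMEOUT} or simply {@code null} (anonymous).
     *
     * @return the credentials, {@code FAIL_AUTH}, or {@code null} if this handler has nothing
     */
    @Override
    public AuthenticationInfo extractCredentials(HttpServletRequest request, HttpServletResponse response) {
        AuthenticationInfo info = extractRequestParameterAuthentication(request);
        if (info != null) {
            return info;
        }
        String authData = this.authStorage.extractAuthenticationInfo(request);
        if (authData == null) {
            return null;
        }
        if (this.tokenStore.isValid(authData)) {
            return createAuthInfo(authData);
        }
        // Token is expired or its signature does not match: never leave it around.
        this.authStorage.clear(request, response);
        if (this.loginAfterExpire || AuthUtil.isValidateRequest(request)) {
            request.setAttribute("j_reason", FormReason.TIMEOUT);
            return AuthenticationInfo.FAIL_AUTH;
        }
        return null;
    }

    /**
     * Presents the login form, either by including it or by redirecting to it.
     * Requests that explicitly ask for another handler, or that fail the referer check
     * (a request already coming from the login form), are left alone.
     *
     * @return {@code true} if this handler produced the response
     */
    @Override
    public boolean requestCredentials(HttpServletRequest request, HttpServletResponse response) throws IOException {
        if (ignoreRequestCredentials(request) || !AuthUtil.checkReferer(request, this.loginForm)) {
            return false;
        }
        String loginResource = AuthUtil.setLoginResourceAttribute(request, request.getRequestURI());
        if (this.includeLoginForm && this.resourceResolverFactory != null) {
            // NOTE(review): the form is resolved with an administrative resolver (deprecated in
            // Sling). A dedicated service user with read access to the login form would be
            // the least-privilege alternative, but needs a configured subservice name.
            ResourceResolver resolver = null;
            try {
                resolver = this.resourceResolverFactory.getAdministrativeResourceResolver((Map<String, Object>) null);
                Servlet servlet = resolver.resolve(this.loginForm).adaptTo(Servlet.class);
                if (servlet != null) {
                    try {
                        servlet.service(request, response);
                        return true;
                    } catch (ServletException e) {
                        this.log.error("Failed to include the form: " + this.loginForm, e);
                    }
                }
            } catch (LoginException e) {
                this.log.error("Unable to get a resource resolver to include for the login resource. Will redirect instead.", e);
            } finally {
                if (resolver != null) {
                    resolver.close();
                }
            }
        }
        Map<String, String> params = new HashMap<>();
        params.put("resource", loginResource);
        Object reason = request.getAttribute("j_reason");
        if (reason != null) {
            params.put("j_reason", reason instanceof Enum ? ((Enum<?>) reason).name() : reason.toString());
        }
        try {
            AuthUtil.sendRedirect(request, response, request.getContextPath() + this.loginForm, params);
        } catch (IOException e) {
            this.log.error("Failed to redirect to the login form " + this.loginForm, e);
        }
        return true;
    }

    /** Logout: forget the stored token. */
    @Override
    public void dropCredentials(HttpServletRequest request, HttpServletResponse response) {
        this.authStorage.clear(request, response);
    }

    /** Repository rejected the credentials: drop any token and record the reason. */
    @Override
    public void authenticationFailed(HttpServletRequest request, HttpServletResponse response, AuthenticationInfo info) {
        this.authStorage.clear(request, response);
        request.setAttribute("j_reason", FormReason.INVALID_CREDENTIALS);
    }

    /**
     * Repository accepted the credentials: (re-)issue the token and, for a form submission,
     * redirect to the requested resource if {@link AuthUtil#isRedirectValid} accepts it
     * (otherwise to the context root, which prevents an open redirect).
     *
     * @return {@code true} if the response was completed here
     */
    @Override
    public boolean authenticationSucceeded(HttpServletRequest request, HttpServletResponse response, AuthenticationInfo info) {
        refreshAuthData(request, response, info);
        // Only a POST to j_security_check may trigger a redirect.
        if (!REQUEST_METHOD.equals(request.getMethod()) || !request.getRequestURI().endsWith(REQUEST_URL_SUFFIX)) {
            return false;
        }
        if (DefaultAuthenticationFeedbackHandler.handleRedirect(request, response)) {
            return false;
        }
        String target = AuthUtil.getLoginResource(request, (String) null);
        if (target == null) {
            return false;
        }
        try {
            if (response.isCommitted()) {
                throw new IllegalStateException("Response is already committed");
            }
            response.resetBuffer();
            StringBuilder location = new StringBuilder();
            if (AuthUtil.isRedirectValid(request, target)) {
                location.append(target);
            } else if (request.getContextPath().length() == 0) {
                location.append("/");
            } else {
                location.append(request.getContextPath());
            }
            response.sendRedirect(location.toString());
        } catch (IOException e) {
            this.log.error("Failed to send redirect to: " + target, e);
        }
        return true;
    }

    @Override
    public String toString() {
        return "Form Based Authentication Handler";
    }

    /** True when the request explicitly asks for a different authentication handler. */
    private boolean ignoreRequestCredentials(HttpServletRequest request) {
        String requested = request.getParameter("sling:authRequestLogin");
        return requested != null && !"FORM".equals(requested);
    }

    /**
     * Issues a fresh token when none is present or the current one has passed half its
     * lifetime. If encoding fails the previously stored value (if any) is kept.
     */
    private void refreshAuthData(HttpServletRequest request, HttpServletResponse response, AuthenticationInfo info) {
        String authData = getCookieAuthData(info);
        if (!needsRefresh(authData, this.sessionTimeout)) {
            return;
        }
        try {
            authData = this.tokenStore.encode(System.currentTimeMillis() + this.sessionTimeout, info.getUser());
        } catch (UnsupportedEncodingException | IllegalStateException | InvalidKeyException | NoSuchAlgorithmException e) {
            this.log.error(e.getMessage(), e);
        }
        if (authData != null) {
            this.authStorage.set(request, response, authData, info);
        } else {
            this.authStorage.clear(request, response);
        }
    }

    /**
     * Builds credentials from a form submission (POST to {@code /j_security_check} with both
     * {@code j_username} and {@code j_password}), or returns {@code null}.
     * NOTE(review): no anti-CSRF token is checked on the login POST; login CSRF must be
     * mitigated elsewhere (e.g. a filter) if it is a concern for the deployment.
     */
    private AuthenticationInfo extractRequestParameterAuthentication(HttpServletRequest request) {
        if (!REQUEST_METHOD.equals(request.getMethod()) || !request.getRequestURI().endsWith(REQUEST_URL_SUFFIX)) {
            return null;
        }
        String user = request.getParameter(PAR_J_USERNAME);
        String password = request.getParameter(PAR_J_PASSWORD);
        if (user == null || password == null) {
            return null;
        }
        AuthenticationInfo info = new AuthenticationInfo("FORM", user, password.toCharArray());
        info.put("$$auth.info.login$$", new Object());
        if (!AuthUtil.isValidateRequest(request)) {
            AuthUtil.setLoginResourceAttribute(request, request.getContextPath());
        }
        return info;
    }

    /**
     * Wraps an already validated token into AuthenticationInfo; the repository side then
     * re-checks it via {@link #isValid(Credentials)} (JAAS or LoginModulePlugin path).
     */
    private AuthenticationInfo createAuthInfo(String authData) {
        String userId = getUserId(authData);
        if (userId == null) {
            return null;
        }
        AuthenticationInfo info = new AuthenticationInfo("FORM", userId);
        if (this.jaasHelper.enabled()) {
            info.put("user.jcr.credentials", new FormCredentials(userId, authData));
        } else {
            info.put(this.attrCookieAuthData, authData);
        }
        return info;
    }

    private String getCookieAuthData(AuthenticationInfo info) {
        Object data = info.get(this.attrCookieAuthData);
        return data instanceof String ? (String) data : null;
    }

    /** Extracts the raw token from either credentials flavour this handler produces. */
    private String getCookieAuthData(Credentials credentials) {
        if (credentials instanceof SimpleCredentials) {
            Object data = ((SimpleCredentials) credentials).getAttribute(this.attrCookieAuthData);
            return data instanceof String ? (String) data : null;
        }
        if (credentials instanceof FormCredentials) {
            return ((FormCredentials) credentials).getAuthData();
        }
        return null;
    }

    public boolean hasAuthData(Credentials credentials) {
        return getCookieAuthData(credentials) != null;
    }

    /** True when the credentials carry a token the {@link TokenStore} accepts. */
    public boolean isValid(Credentials credentials) {
        String authData = getCookieAuthData(credentials);
        return authData != null && this.tokenStore.isValid(authData);
    }

    /**
     * Reads the component configuration and wires storage, token store and (optionally) the
     * LoginModulePlugin. A timeout below one minute falls back to 30 minutes.
     */
    @Activate
    protected void activate(FormAuthenticationHandlerConfig config, ComponentContext componentContext) throws InvalidKeyException, NoSuchAlgorithmException, IllegalStateException, UnsupportedEncodingException {
        this.jaasHelper = new JaasHelper(this, componentContext.getBundleContext(), config);
        this.loginForm = config.form_login_form();
        this.log.info("Login Form URL {}", this.loginForm);
        String authName = config.form_auth_name();
        String defaultCookieDomain = config.form_default_cookie_domain();
        if (defaultCookieDomain == null || defaultCookieDomain.isEmpty()) {
            defaultCookieDomain = null;
        }
        if (FormAuthenticationHandlerConfig.AUTH_STORAGE_SESSION_ATTRIBUTE.equals(config.form_auth_storage())) {
            this.authStorage = new SessionStorage(authName);
            this.log.info("Using HTTP Session store with attribute name {}", authName);
        } else {
            this.authStorage = new CookieStorage(authName, defaultCookieDomain);
            this.log.info("Using Cookie store with name {}", authName);
        }
        this.attrCookieAuthData = config.form_credentials_name();
        this.log.info("Setting Auth Data attribute name {}", this.attrCookieAuthData);
        int timeoutMinutes = config.form_auth_timeout();
        if (timeoutMinutes < 1) {
            timeoutMinutes = 30;
        }
        this.log.info("Setting session timeout {} minutes", Integer.valueOf(timeoutMinutes));
        this.sessionTimeout = MINUTES * timeoutMinutes;
        File tokenFile = getTokenFile(config.form_token_file(), componentContext.getBundleContext());
        boolean fastSeed = config.form_token_fastseed();
        this.log.info("Storing tokens in {}", tokenFile.getAbsolutePath());
        this.tokenStore = new TokenStore(tokenFile, this.sessionTimeout, fastSeed);
        this.loginModule = null;
        if (!this.jaasHelper.enabled()) {
            try {
                this.loginModule = FormLoginModulePlugin.register(this, componentContext.getBundleContext());
            } catch (Throwable th) {
                // Expected on containers without Sling LoginModulePlugin support.
                this.log.info("Cannot register FormLoginModulePlugin. This is expected if Sling LoginModulePlugin services are not supported");
                this.log.debug("dump", th);
            }
        }
        this.includeLoginForm = config.useInclude();
        this.loginAfterExpire = config.form_onexpire_login();
    }

    @Deactivate
    protected void deactivate() {
        if (this.jaasHelper != null) {
            this.jaasHelper.close();
            this.jaasHelper = null;
        }
        if (this.loginModule != null) {
            this.loginModule.unregister();
            this.loginModule = null;
        }
    }

    /**
     * Resolves the token file: absolute paths are used as-is, otherwise the bundle data
     * area, then {@code sling.home}, then the working directory.
     * NOTE(review): this file presumably holds the key the TokenStore signs tokens with
     * (confirm in TokenStore); restrict its filesystem permissions accordingly.
     */
    File getTokenFile(String name, BundleContext bundleContext) {
        File file = new File(name);
        if (file.isAbsolute()) {
            return file;
        }
        File dataFile = bundleContext.getDataFile(name);
        if (dataFile == null) {
            String slingHome = bundleContext.getProperty("sling.home");
            dataFile = slingHome != null ? new File(slingHome, name) : new File(name);
        }
        return dataFile.getAbsoluteFile();
    }

    /** Returns the user id field of a token, or {@code null} if it does not split. */
    String getUserId(String authData) {
        if (authData == null) {
            return null;
        }
        String[] parts = TokenStore.split(authData);
        return parts == null ? null : parts[2];
    }

    /**
     * Decides whether a token should be re-issued: always when absent, otherwise once the
     * current time plus half the session timeout has passed the token's expiry. A token
     * whose expiry field cannot be parsed is treated as needing a refresh rather than
     * letting the NumberFormatException escape into the authentication core.
     */
    private boolean needsRefresh(String authData, long sessionTimeout) {
        if (authData == null) {
            return true;
        }
        String[] parts = TokenStore.split(authData);
        if (parts == null || parts.length != 3) {
            return false;
        }
        long expiry;
        try {
            // The expiry field carries a one-character prefix in front of the millis value
            // (see TokenStore.encode); skip it before parsing.
            expiry = Long.parseLong(parts[1].substring(1));
        } catch (NumberFormatException | IndexOutOfBoundsException e) {
            this.log.debug("Malformed expiry in auth data, forcing token refresh", e);
            return true;
        }
        return System.currentTimeMillis() + (sessionTimeout / 2) > expiry;
    }

    /**
     * Accepts only hostname-like values (letters, digits, '.', '-') for a cookie Domain
     * attribute that originates from client input.
     */
    private static boolean isSafeCookieDomain(String domain) {
        if (domain == null || domain.isEmpty()) {
            return false;
        }
        for (int i = 0; i < domain.length(); i++) {
            char c = domain.charAt(i);
            boolean ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9') || c == '.' || c == '-';
            if (!ok) {
                return false;
            }
        }
        return true;
    }
}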
