package org.apache.jackrabbit.oak.security.authentication.token;

import com.google.common.collect.ImmutableMap;
import java.io.UnsupportedEncodingException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Calendar;
import java.util.Collections;
import java.util.Date;
import java.util.GregorianCalendar;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
import javax.jcr.AccessDeniedException;
import javax.jcr.Credentials;
import javax.jcr.RepositoryException;
import org.apache.jackrabbit.api.security.authentication.token.TokenCredentials;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.plugins.identifier.IdentifierManager;
import org.apache.jackrabbit.oak.plugins.name.NamespaceConstants;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.authentication.ImpersonationCredentials;
import org.apache.jackrabbit.oak.spi.security.authentication.credentials.CredentialsSupport;
import org.apache.jackrabbit.oak.spi.security.authentication.credentials.SimpleCredentialsSupport;
import org.apache.jackrabbit.oak.spi.security.authentication.token.TokenInfo;
import org.apache.jackrabbit.oak.spi.security.authentication.token.TokenProvider;
import org.apache.jackrabbit.oak.spi.security.user.UserConfiguration;
import org.apache.jackrabbit.oak.spi.security.user.util.PasswordUtil;
import org.apache.jackrabbit.oak.util.NodeUtil;
import org.apache.jackrabbit.oak.util.TreeUtil;
import org.apache.jackrabbit.util.ISO8601;
import org.apache.jackrabbit.util.Text;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/apache/jackrabbit/oak/security/authentication/token/TokenProviderImpl.class */
public class TokenProviderImpl implements TokenProvider, TokenConstants {
    private static final Logger log = LoggerFactory.getLogger(TokenProviderImpl.class);
    static final long DEFAULT_TOKEN_EXPIRATION = 7200000;
    static final int DEFAULT_KEY_SIZE = 8;
    private static final char DELIM = '_';
    private final Root root;
    private final ConfigurationParameters options;
    private final CredentialsSupport credentialsSupport;
    private final long tokenExpiration;
    private final UserManager userManager;
    private final IdentifierManager identifierManager;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/jackrabbit/oak/security/authentication/token/TokenProviderImpl$TokenInfoImpl.class */
    public final class TokenInfoImpl implements TokenInfo {
        private final String token;
        private final String tokenPath;
        private final String userId;
        private final long expirationTime;
        private final String key;
        private final Map<String, String> mandatoryAttributes;
        private final Map<String, String> publicAttributes;

        private TokenInfoImpl(NodeUtil nodeUtil, String str, String str2) {
            this.token = str;
            this.tokenPath = nodeUtil.getTree().getPath();
            this.userId = str2;
            this.expirationTime = TokenProviderImpl.getExpirationTime(nodeUtil, Long.MIN_VALUE);
            this.key = nodeUtil.getString(TokenConstants.TOKEN_ATTRIBUTE_KEY, null);
            this.mandatoryAttributes = new HashMap();
            this.publicAttributes = new HashMap();
            for (PropertyState propertyState : nodeUtil.getTree().getProperties()) {
                String name = propertyState.getName();
                String str3 = (String) propertyState.getValue(Type.STRING);
                if (!TokenConstants.RESERVED_ATTRIBUTES.contains(name)) {
                    if (isMandatoryAttribute(name)) {
                        this.mandatoryAttributes.put(name, str3);
                    } else if (isInfoAttribute(name)) {
                        this.publicAttributes.put(name, str3);
                    }
                }
            }
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authentication.token.TokenInfo
        @Nonnull
        public String getUserId() {
            return this.userId;
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authentication.token.TokenInfo
        @Nonnull
        public String getToken() {
            return this.token;
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authentication.token.TokenInfo
        public boolean isExpired(long j) {
            return this.expirationTime < j;
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authentication.token.TokenInfo
        public boolean resetExpiration(long j) {
            Tree tokenTree;
            if (!((Boolean) TokenProviderImpl.this.options.getConfigValue(TokenProvider.PARAM_TOKEN_REFRESH, true)).booleanValue() || (tokenTree = TokenProviderImpl.this.getTokenTree(this)) == null || !tokenTree.exists()) {
                return false;
            }
            NodeUtil nodeUtil = new NodeUtil(tokenTree);
            if (isExpired(j)) {
                TokenProviderImpl.log.debug("Attempt to reset an expired token.");
                return false;
            }
            if (this.expirationTime - j > TokenProviderImpl.this.tokenExpiration / 2) {
                return false;
            }
            try {
                nodeUtil.setDate(TokenConstants.TOKEN_ATTRIBUTE_EXPIRY, TokenProviderImpl.createExpirationTime(j, TokenProviderImpl.this.tokenExpiration));
                TokenProviderImpl.this.root.commit(CommitMarker.asCommitAttributes());
                TokenProviderImpl.log.debug("Successfully reset token expiration time.");
                return true;
            } catch (CommitFailedException e) {
                TokenProviderImpl.log.debug("Failed to reset token expiration {}", e.getMessage());
                TokenProviderImpl.this.root.refresh();
                return false;
            }
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authentication.token.TokenInfo
        public boolean remove() {
            Tree tokenTree = TokenProviderImpl.this.getTokenTree(this);
            if (tokenTree == null || !tokenTree.exists()) {
                return false;
            }
            try {
                if (!tokenTree.remove()) {
                    return false;
                }
                TokenProviderImpl.this.root.commit(CommitMarker.asCommitAttributes());
                return true;
            } catch (CommitFailedException e) {
                TokenProviderImpl.log.debug("Error while removing expired token {}", e.getMessage());
                return false;
            }
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authentication.token.TokenInfo
        public boolean matches(TokenCredentials tokenCredentials) {
            String token = tokenCredentials.getToken();
            int lastIndexOf = token.lastIndexOf(TokenProviderImpl.DELIM);
            if (lastIndexOf > -1) {
                token = token.substring(lastIndexOf + 1);
            }
            if (this.key == null || !PasswordUtil.isSame(this.key, TokenProviderImpl.getKeyValue(token, this.userId))) {
                return false;
            }
            for (Map.Entry<String, String> entry : this.mandatoryAttributes.entrySet()) {
                if (!entry.getValue().equals(tokenCredentials.getAttribute(entry.getKey()))) {
                    return false;
                }
            }
            List asList = Arrays.asList(tokenCredentials.getAttributeNames());
            for (Map.Entry<String, String> entry2 : this.publicAttributes.entrySet()) {
                String key = entry2.getKey();
                if (!asList.contains(key)) {
                    tokenCredentials.setAttribute(key, entry2.getValue());
                }
            }
            return true;
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authentication.token.TokenInfo
        @Nonnull
        public Map<String, String> getPrivateAttributes() {
            return Collections.unmodifiableMap(this.mandatoryAttributes);
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authentication.token.TokenInfo
        @Nonnull
        public Map<String, String> getPublicAttributes() {
            return Collections.unmodifiableMap(this.publicAttributes);
        }

        private boolean isMandatoryAttribute(String str) {
            return str != null && str.startsWith(TokenConstants.TOKEN_ATTRIBUTE);
        }

        private boolean isInfoAttribute(String str) {
            return !NamespaceConstants.RESERVED_PREFIXES.contains(Text.getNamespacePrefix(str));
        }
    }

    TokenProviderImpl(@Nonnull Root root, @Nonnull ConfigurationParameters configurationParameters, @Nonnull UserConfiguration userConfiguration) {
        this(root, configurationParameters, userConfiguration, SimpleCredentialsSupport.getInstance());
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public TokenProviderImpl(@Nonnull Root root, @Nonnull ConfigurationParameters configurationParameters, @Nonnull UserConfiguration userConfiguration, @Nonnull CredentialsSupport credentialsSupport) {
        this.root = root;
        this.options = configurationParameters;
        this.credentialsSupport = credentialsSupport;
        this.tokenExpiration = ((Long) configurationParameters.getConfigValue(TokenProvider.PARAM_TOKEN_EXPIRATION, Long.valueOf(DEFAULT_TOKEN_EXPIRATION))).longValue();
        this.userManager = userConfiguration.getUserManager(root, NamePathMapper.DEFAULT);
        this.identifierManager = new IdentifierManager(root);
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authentication.token.TokenProvider
    public boolean doCreateToken(@Nonnull Credentials credentials) {
        Object obj;
        Credentials extractCredentials = extractCredentials(credentials);
        return (extractCredentials == null || (obj = this.credentialsSupport.getAttributes(extractCredentials).get(TokenConstants.TOKEN_ATTRIBUTE)) == null || !"".equals(obj.toString())) ? false : true;
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authentication.token.TokenProvider
    @CheckForNull
    public TokenInfo createToken(@Nonnull Credentials credentials) {
        Credentials extractCredentials = extractCredentials(credentials);
        String userId = extractCredentials != null ? this.credentialsSupport.getUserId(extractCredentials) : null;
        TokenInfo tokenInfo = null;
        if (userId != null) {
            tokenInfo = createToken(userId, this.credentialsSupport.getAttributes(extractCredentials));
            if (tokenInfo != null && !this.credentialsSupport.setAttributes(extractCredentials, ImmutableMap.of(TokenConstants.TOKEN_ATTRIBUTE, tokenInfo.getToken()))) {
                log.debug("Cannot set token attribute to " + extractCredentials);
            }
        }
        return tokenInfo;
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authentication.token.TokenProvider
    public TokenInfo createToken(@Nonnull String str, @Nonnull Map<String, ?> map) {
        TokenInfo createTokenNode;
        User user = getUser(str);
        NodeUtil tokenParent = getTokenParent(user);
        if (tokenParent == null || user == null) {
            log.warn("Unable to get/create token store for user " + str);
            return null;
        }
        try {
            String id = user.getID();
            long time = new Date().getTime();
            long createExpirationTime = createExpirationTime(time, map.containsKey(TokenProvider.PARAM_TOKEN_EXPIRATION) ? Long.parseLong(map.get(TokenProvider.PARAM_TOKEN_EXPIRATION).toString()) : this.tokenExpiration);
            String uuid = UUID.randomUUID().toString();
            try {
                createTokenNode = createTokenNode(tokenParent, generateTokenName(time), createExpirationTime, uuid, id, map);
                this.root.commit(CommitMarker.asCommitAttributes());
            } catch (CommitFailedException e) {
                log.debug("Failed to create token node. Using random name as fallback.");
                this.root.refresh();
                createTokenNode = createTokenNode(tokenParent, UUID.randomUUID().toString(), createExpirationTime, uuid, id, map);
                this.root.commit(CommitMarker.asCommitAttributes());
            }
            return createTokenNode;
        } catch (RepositoryException e2) {
            log.warn("Failed to create login token. {}", e2.getMessage());
            return null;
        } catch (UnsupportedEncodingException e3) {
            log.error("Failed to create login token. {}", e3.getMessage());
            return null;
        } catch (NoSuchAlgorithmException e4) {
            log.error("Failed to create login token. {}", e4.getMessage());
            return null;
        } catch (CommitFailedException e5) {
            log.warn("Failed to create login token. {}", e5.getMessage());
            return null;
        }
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authentication.token.TokenProvider
    public TokenInfo getTokenInfo(@Nonnull String str) {
        int indexOf = str.indexOf(DELIM);
        Tree tree = this.identifierManager.getTree(indexOf == -1 ? str : str.substring(0, indexOf));
        String userId = getUserId(tree);
        if (userId == null || !isValidTokenTree(tree)) {
            return null;
        }
        return new TokenInfoImpl(new NodeUtil(tree), str, userId);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static long createExpirationTime(long j, long j2) {
        return j + j2;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static long getExpirationTime(NodeUtil nodeUtil, long j) {
        return nodeUtil.getLong(TokenConstants.TOKEN_ATTRIBUTE_EXPIRY, j);
    }

    @CheckForNull
    private Credentials extractCredentials(@Nonnull Credentials credentials) {
        Credentials credentials2 = credentials;
        if (credentials instanceof ImpersonationCredentials) {
            credentials2 = ((ImpersonationCredentials) credentials).getBaseCredentials();
        }
        if (this.credentialsSupport.mo406getCredentialClasses().contains(credentials2.getClass())) {
            return credentials2;
        }
        return null;
    }

    @Nonnull
    private static String generateKey(int i) {
        byte[] bArr = new byte[i];
        new SecureRandom().nextBytes(bArr);
        StringBuilder sb = new StringBuilder(bArr.length * 2);
        for (byte b : bArr) {
            sb.append(Text.hexTable[(b >> 4) & 15]);
            sb.append(Text.hexTable[b & 15]);
        }
        return sb.toString();
    }

    /* JADX INFO: Access modifiers changed from: private */
    @Nonnull
    public static String getKeyValue(@Nonnull String str, @Nonnull String str2) {
        return str + str2;
    }

    private static boolean isValidTokenTree(@CheckForNull Tree tree) {
        return tree != null && tree.exists() && TokenConstants.TOKENS_NODE_NAME.equals(tree.getParent().getName()) && TokenConstants.TOKEN_NT_NAME.equals(TreeUtil.getPrimaryTypeName(tree));
    }

    @Nonnull
    private static String generateTokenName(long j) {
        Calendar gregorianCalendar = GregorianCalendar.getInstance();
        gregorianCalendar.setTimeInMillis(j);
        return Text.replace(ISO8601.format(gregorianCalendar), ":", ".");
    }

    /* JADX INFO: Access modifiers changed from: private */
    @CheckForNull
    public Tree getTokenTree(@Nonnull TokenInfo tokenInfo) {
        if (tokenInfo instanceof TokenInfoImpl) {
            return this.root.getTree(((TokenInfoImpl) tokenInfo).tokenPath);
        }
        return null;
    }

    @CheckForNull
    private String getUserId(@CheckForNull Tree tree) {
        if (tree == null || !tree.exists()) {
            return null;
        }
        try {
            User authorizableByPath = this.userManager.getAuthorizableByPath(Text.getRelativeParent(tree.getPath(), 2));
            if (authorizableByPath == null || authorizableByPath.isGroup() || authorizableByPath.isDisabled()) {
                return null;
            }
            return authorizableByPath.getID();
        } catch (RepositoryException e) {
            log.debug("Cannot determine userID from token: {}", e.getMessage());
            return null;
        }
    }

    @CheckForNull
    private User getUser(@Nonnull String str) {
        try {
            User authorizable = this.userManager.getAuthorizable(str);
            if (authorizable != null && !authorizable.isGroup()) {
                return authorizable;
            }
            log.debug("Cannot create login token: No corresponding node for User " + str + '.');
            return null;
        } catch (RepositoryException e) {
            log.debug("Error while accessing user " + str + '.', e);
            return null;
        }
    }

    @CheckForNull
    private NodeUtil getTokenParent(@CheckForNull User user) {
        if (user == null) {
            return null;
        }
        NodeUtil nodeUtil = null;
        String str = null;
        try {
            String path = user.getPath();
            str = path + '/' + TokenConstants.TOKENS_NODE_NAME;
            nodeUtil = new NodeUtil(this.root.getTree(path)).getOrAddChild(TokenConstants.TOKENS_NODE_NAME, "rep:Unstructured");
            this.root.commit();
        } catch (CommitFailedException e) {
            log.debug("Conflict while creating token store -> retrying {}", e.getMessage());
            this.root.refresh();
            Tree tree = this.root.getTree(str);
            nodeUtil = tree.exists() ? new NodeUtil(tree) : null;
        } catch (RepositoryException e2) {
            log.debug("Error while creating token node {}", e2.getMessage());
        }
        return nodeUtil;
    }

    private TokenInfo createTokenNode(@Nonnull NodeUtil nodeUtil, @Nonnull String str, long j, @Nonnull String str2, @Nonnull String str3, Map<String, ?> map) throws AccessDeniedException, UnsupportedEncodingException, NoSuchAlgorithmException {
        NodeUtil addChild = nodeUtil.addChild(str, TokenConstants.TOKEN_NT_NAME);
        addChild.setString("jcr:uuid", str2);
        String generateKey = generateKey(((Integer) this.options.getConfigValue(TokenProvider.PARAM_TOKEN_LENGTH, 8)).intValue());
        String str4 = IdentifierManager.getIdentifier(addChild.getTree()) + '_' + generateKey;
        addChild.setString(TokenConstants.TOKEN_ATTRIBUTE_KEY, PasswordUtil.buildPasswordHash(getKeyValue(generateKey, str3), this.options));
        addChild.setDate(TokenConstants.TOKEN_ATTRIBUTE_EXPIRY, j);
        for (String str5 : map.keySet()) {
            if (!RESERVED_ATTRIBUTES.contains(str5)) {
                addChild.setString(str5, map.get(str5).toString());
            }
        }
        return new TokenInfoImpl(addChild, str4, str3);
    }
}
