package org.apache.sling.auth.core.impl;

import java.io.IOException;
import java.io.UnsupportedEncodingException;
import java.net.URLDecoder;
import java.net.URLEncoder;
import java.util.Collection;
import java.util.Collections;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import javax.jcr.SimpleCredentials;
import javax.security.auth.login.AccountLockedException;
import javax.security.auth.login.AccountNotFoundException;
import javax.security.auth.login.CredentialExpiredException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletRequestEvent;
import javax.servlet.ServletRequestListener;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.sling.api.auth.Authenticator;
import org.apache.sling.api.auth.NoAuthenticationHandlerException;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.auth.core.AuthConstants;
import org.apache.sling.auth.core.AuthUtil;
import org.apache.sling.auth.core.AuthenticationSupport;
import org.apache.sling.auth.core.spi.AuthenticationFeedbackHandler;
import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;
import org.apache.sling.auth.core.spi.AuthenticationInfoPostProcessor;
import org.apache.sling.auth.core.spi.DefaultAuthenticationFeedbackHandler;
import org.apache.sling.commons.metrics.MetricsService;
import org.apache.sling.commons.metrics.Timer;
import org.osgi.framework.BundleContext;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.FieldOption;
import org.osgi.service.component.annotations.Modified;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
import org.osgi.service.component.annotations.ReferencePolicy;
import org.osgi.service.component.annotations.ReferencePolicyOption;
import org.osgi.service.component.propertytypes.ServiceDescription;
import org.osgi.service.component.propertytypes.ServiceVendor;
import org.osgi.service.event.Event;
import org.osgi.service.event.EventAdmin;
import org.osgi.service.http.whiteboard.propertytypes.HttpWhiteboardContextSelect;
import org.osgi.service.http.whiteboard.propertytypes.HttpWhiteboardListener;
import org.osgi.service.metatype.annotations.AttributeDefinition;
import org.osgi.service.metatype.annotations.AttributeType;
import org.osgi.service.metatype.annotations.Designate;
import org.osgi.service.metatype.annotations.ObjectClassDefinition;
import org.osgi.service.metatype.annotations.Option;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Component(name = SlingAuthenticator.PID, service = {Authenticator.class, AuthenticationSupport.class, ServletRequestListener.class})
@HttpWhiteboardListener
@ServiceDescription("Apache Sling Request Authenticator")
@ServiceVendor("The Apache Software Foundation")
@Designate(ocd = Config.class)
@HttpWhiteboardContextSelect("(osgi.http.whiteboard.context.name=*)")
/* loaded from: input_file:org/apache/sling/auth/core/impl/SlingAuthenticator.class */
public class SlingAuthenticator implements Authenticator, AuthenticationSupport, ServletRequestListener {
    public static final String PID = "org.apache.sling.engine.impl.auth.SlingAuthenticator";
    static final String HTTP_AUTH_ENABLED = "enabled";
    static final String HTTP_AUTH_DISABLED = "disabled";
    static final String HTTP_AUTH_PREEMPTIVE = "preemptive";
    static final String DEFAULT_AUTH_URI_SUFFIX = "/j_security_check";
    private static final String PAR_NEW_PASSWORD = "j_newpassword";
    private static final String AUTH_INFO_PROP_FEEDBACK_HANDLER = "$$sling.auth.AuthenticationFeedbackHandler$$";
    private volatile String sudoParameterName;
    private volatile String sudoCookieName;
    private volatile String[] authUriSuffices;
    private volatile String anonUser;
    private volatile char[] anonPassword;
    private volatile HttpBasicAuthenticationHandler httpBasicHandler;
    private final PathBasedHolderCache<AuthenticationRequirementHolder> authenticationRequirementsManager;
    private final PathBasedHolderCache<AbstractAuthenticationHandlerHolder> authHandlersManager;

    @Reference(policy = ReferencePolicy.DYNAMIC, cardinality = ReferenceCardinality.OPTIONAL, policyOption = ReferencePolicyOption.GREEDY)
    private volatile EventAdmin eventAdmin;
    private final SlingAuthenticationMetrics metrics;
    private final ResourceResolverFactory resourceResolverFactory;
    private final Logger log = LoggerFactory.getLogger(SlingAuthenticator.class);

    @Reference(cardinality = ReferenceCardinality.MULTIPLE, service = AuthenticationInfoPostProcessor.class, fieldOption = FieldOption.REPLACE)
    private volatile List<AuthenticationInfoPostProcessor> authInfoPostProcessors = Collections.emptyList();

    @ObjectClassDefinition(name = "Apache Sling Authentication Service", description = "Extracts user authentication details from the request with the help of authentication handlers registered as separate services. One example of such an authentication handler is the handler HTTP Authorization header contained authentication.")
    /* loaded from: input_file:org/apache/sling/auth/core/impl/SlingAuthenticator$Config.class */
    public @interface Config {
        @AttributeDefinition(name = "Impersonation Cookie", description = "The name the HTTP Cookie to set with the value of the user which is to be impersonated. This cookie will always be a session cookie.")
        String auth_sudo_cookie() default "sling.sudo";

        @AttributeDefinition(name = "Impersonation Parameter", description = "The name of the request parameter initiating impersonation. Setting this parameter to a user id will result in using an impersonated session (instead of the actually authenticated session) and set a session cookie of the name defined in the Impersonation Cookie setting.")
        String auth_sudo_parameter() default "sudo";

        @AttributeDefinition(name = "Allow Anonymous Access", description = "Whether default access as anonymous when no credentials are present in the request is allowed. The default value is \"true\" to allow access without credentials. When set to \"false\" access to the repository is only allowed if valid credentials are presented. The value of this configuration option is added to list of Authentication Requirements and needs not be explicitly listed. If anonymous access is allowed the entry added is \"-/\". Otherwise anonymous access is denied and \"+/\" is added to the list.")
        boolean auth_annonymous() default true;

        @AttributeDefinition(name = "Authentication Requirements", description = "Defines URL space subtrees which require or don't require authentication. For any request the best matching path configured applies and defines whether authentication is actually required for the request or not. Each entry in this list can be an absolute path (such as /content) or and absolute URI (such as http://thehost/content). Optionally each entry may be prefixed by a plus (+) or minus (-) sign indicating that authentication is required (plus) or not required (minus). Example entries are \"/content\" or \"+/content\" to require authentication at and below \"/content\" and \"-/system/sling/login\" to not require authentication at and below \"/system/sling/login\". By default this list is empty. This list is extended at run time with additional entries: One entry is added for the \"Allow Anonymous Access\" configuration. Other entries are added for any services setting the \"sling.auth.requirements\" service registration property.")
        String[] sling_auth_requirements();

        @AttributeDefinition(name = "Anonymous User Name", description = "Defines which user name to assume for anonymous requests, that is requests not providing credentials supported by any of the registered authentication handlers. If this property is missing or empty, the default is assumed which depends on the resource provider(s). Otherwise anonymous requests are handled with this user name. If the configured user name does not exist or is not allowed to access the resource data, anonymous requests may still be blocked. If anonymous access is not allowed, this property is ignored.")
        String sling_auth_anonymous_user();

        @AttributeDefinition(name = "Anonymous User Password", description = "Password for the anonymous user defined in the Anonymous User Name field. This property is only used if a non-empty anonymous user name is configured. If this property is not defined but a password is required, an empty password would be assumed.", type = AttributeType.PASSWORD)
        String sling_auth_anonymous_password();

        @AttributeDefinition(name = "HTTP Basic Authentication", description = "Level of support for HTTP Basic Authentication. Such support can be provided in three levels: (1) no support at all, that is disabled, (2) preemptive support, that is HTTP Basic Authentication is supported if the authentication header is set in the request, (3) full support. The default is preemptive support unless Anonymous Access is not allowed. In this case HTTP Basic Authentication is always enabled to ensure clients can authenticate at least with basic authentication.", options = {@Option(label = "Enabled", value = SlingAuthenticator.HTTP_AUTH_ENABLED), @Option(label = "Enabled (Preemptive)", value = SlingAuthenticator.HTTP_AUTH_PREEMPTIVE), @Option(label = "Disabled", value = SlingAuthenticator.HTTP_AUTH_DISABLED)})
        String auth_http() default "preemptive";

        @AttributeDefinition(name = "Realm", description = "HTTP BASIC authentication realm. This property is only used if the HTTP Basic Authentication support is not disabled. The default value is \"Sling (Development)\".")
        String auth_http_realm() default "Sling (Development)";

        @AttributeDefinition(name = "Authentication URI Suffices", description = "A list of request URI suffixes intended to be handled by Authentication Handlers. Any request whose request URI ends with any one of the listed suffices is intended to be handled by an Authentication Handler causing the request to either be rejected or the client being redirected to another location and thus the request not being further processed after the authentication phase. The default is just \"/j_security_check\" which is the suffix defined by the Servlet API specification used for FORM based authentication.")
        String[] auth_uri_suffix() default {"/j_security_check"};
    }

    @Activate
    public SlingAuthenticator(@Reference(policyOption = ReferencePolicyOption.GREEDY) MetricsService metricsService, @Reference AuthenticationRequirementsManager authenticationRequirementsManager, @Reference AuthenticationHandlersManager authenticationHandlersManager, @Reference(policyOption = ReferencePolicyOption.GREEDY) ResourceResolverFactory resourceResolverFactory, BundleContext bundleContext, Config config) {
        this.metrics = new SlingAuthenticationMetrics(metricsService);
        this.resourceResolverFactory = resourceResolverFactory;
        this.authenticationRequirementsManager = authenticationRequirementsManager;
        this.authHandlersManager = authenticationHandlersManager;
        modified(config);
    }

    @Modified
    private void modified(Config config) {
        if (!config.auth_sudo_cookie().equals(this.sudoCookieName)) {
            this.log.info("modified: Setting new cookie name for impersonation {} (was {})", config.auth_sudo_cookie(), this.sudoCookieName);
            this.sudoCookieName = config.auth_sudo_cookie();
        }
        if (!config.auth_sudo_parameter().equals(this.sudoParameterName)) {
            this.log.info("modified: Setting new parameter name for impersonation {} (was {})", config.auth_sudo_parameter(), this.sudoParameterName);
            this.sudoParameterName = config.auth_sudo_parameter();
        }
        if (config.sling_auth_anonymous_user() == null || config.sling_auth_anonymous_user().length() <= 0) {
            this.anonUser = null;
            this.anonPassword = null;
        } else {
            this.anonUser = config.sling_auth_anonymous_user();
            this.anonPassword = config.sling_auth_anonymous_password() == null ? "".toCharArray() : config.sling_auth_anonymous_password().toCharArray();
        }
        this.authUriSuffices = config.auth_uri_suffix();
        if (!config.auth_annonymous()) {
            this.log.debug("modified: Anonymous Access is denied thus HTTP Basic Authentication is fully enabled");
        }
        String httpAuth = getHttpAuth(config);
        if (HTTP_AUTH_DISABLED.equals(httpAuth)) {
            this.httpBasicHandler = null;
        } else {
            this.httpBasicHandler = new HttpBasicAuthenticationHandler(config.auth_http_realm(), HTTP_AUTH_ENABLED.equals(httpAuth));
        }
    }

    public static String getHttpAuth(Config config) {
        return config.auth_annonymous() ? config.auth_http() : HTTP_AUTH_ENABLED;
    }

    @Override // org.apache.sling.auth.core.AuthenticationSupport
    public boolean handleSecurity(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        Object attribute = httpServletRequest.getAttribute(AuthenticationSupport.REQUEST_ATTRIBUTE_RESOLVER);
        if (attribute instanceof ResourceResolver) {
            this.log.debug("handleSecurity: Request already authenticated, nothing to do");
            return true;
        }
        if (attribute != null) {
            this.log.warn("handleSecurity: Overwriting existing ResourceResolver attribute ({})", attribute);
            httpServletRequest.removeAttribute(AuthenticationSupport.REQUEST_ATTRIBUTE_RESOLVER);
        }
        Timer.Context authenticationTimerContext = this.metrics.authenticationTimerContext();
        boolean z = false;
        try {
            z = doHandleSecurity(httpServletRequest, httpServletResponse);
            if (z && expectAuthenticationHandler(httpServletRequest)) {
                this.log.warn("handleSecurity: AuthenticationHandler did not block request; access denied");
                httpServletRequest.removeAttribute(AuthenticationHandler.FAILURE_REASON);
                httpServletRequest.removeAttribute(AuthenticationHandler.FAILURE_REASON_CODE);
                AuthUtil.sendInvalid(httpServletRequest, httpServletResponse);
                z = false;
            }
            return z;
        } finally {
            authenticationTimerContext.stop();
            this.metrics.authenticateCompleted(z);
        }
    }

    private boolean doHandleSecurity(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (httpServletRequest.getAttribute(AuthConstants.ATTR_REQUEST_AUTH_URI_SUFFIX) == null && this.authUriSuffices != null) {
            httpServletRequest.setAttribute(AuthConstants.ATTR_REQUEST_AUTH_URI_SUFFIX, this.authUriSuffices);
        }
        AuthenticationInfo authenticationInfo = getAuthenticationInfo(httpServletRequest, httpServletResponse);
        try {
            postProcess(authenticationInfo, httpServletRequest, httpServletResponse);
            if (authenticationInfo == AuthenticationInfo.DOING_AUTH) {
                this.log.debug("doHandleSecurity: ongoing authentication in the handler");
                return false;
            }
            if (authenticationInfo == AuthenticationInfo.FAIL_AUTH) {
                this.log.debug("doHandleSecurity: Credentials present but not valid, request authentication again");
                AuthUtil.setLoginResourceAttribute(httpServletRequest, httpServletRequest.getRequestURI());
                doLogin(httpServletRequest, httpServletResponse);
                return false;
            }
            if (authenticationInfo.getAuthType() == null) {
                this.log.debug("doHandleSecurity: No credentials in the request, anonymous");
                return getAnonymousResolver(httpServletRequest, httpServletResponse, authenticationInfo);
            }
            this.log.debug("doHandleSecurity: Trying to get a session for {}", authenticationInfo.getUser());
            return getResolver(httpServletRequest, httpServletResponse, authenticationInfo);
        } catch (LoginException e) {
            postLoginFailedEvent(httpServletRequest, authenticationInfo, e);
            handleLoginFailure(httpServletRequest, httpServletResponse, authenticationInfo, e);
            return false;
        }
    }

    public void login(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (httpServletResponse.isCommitted()) {
            throw new IllegalStateException("Response already committed");
        }
        Collection<AbstractAuthenticationHandlerHolder>[] findApplicableHolders = this.authHandlersManager.findApplicableHolders(httpServletRequest);
        String handlerSelectionPath = getHandlerSelectionPath(httpServletRequest);
        boolean z = false;
        for (int i = 0; !z && i < findApplicableHolders.length; i++) {
            Collection<AbstractAuthenticationHandlerHolder> collection = findApplicableHolders[i];
            if (collection != null) {
                for (AbstractAuthenticationHandlerHolder abstractAuthenticationHandlerHolder : collection) {
                    if (abstractAuthenticationHandlerHolder.isPathRequiresHandler(handlerSelectionPath)) {
                        this.log.debug("login: requesting authentication using handler: {}", abstractAuthenticationHandlerHolder);
                        try {
                            z = abstractAuthenticationHandlerHolder.requestCredentials(httpServletRequest, httpServletResponse);
                        } catch (IOException e) {
                            this.log.error("login: Failed sending authentication request through handler " + abstractAuthenticationHandlerHolder + ", access forbidden", e);
                            z = true;
                        }
                        if (z) {
                            break;
                        }
                    }
                }
            }
        }
        if (!z && this.httpBasicHandler != null) {
            z = this.httpBasicHandler.requestCredentials(httpServletRequest, httpServletResponse);
        }
        if (z) {
            return;
        }
        int i2 = 0;
        for (int i3 = 0; i3 < findApplicableHolders.length; i3++) {
            if (findApplicableHolders[i3] != null) {
                i2 += findApplicableHolders[i3].size();
            }
        }
        this.log.info("login: No handler for request ({} handlers available)", Integer.valueOf(i2));
        throw new NoAuthenticationHandlerException();
    }

    public void logout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (httpServletResponse.isCommitted()) {
            throw new IllegalStateException("Response already committed");
        }
        setSudoCookie(httpServletRequest, httpServletResponse, new AuthenticationInfo("dummy", httpServletRequest.getRemoteUser()));
        String handlerSelectionPath = getHandlerSelectionPath(httpServletRequest);
        for (Collection<AbstractAuthenticationHandlerHolder> collection : this.authHandlersManager.findApplicableHolders(httpServletRequest)) {
            if (collection != null) {
                for (AbstractAuthenticationHandlerHolder abstractAuthenticationHandlerHolder : collection) {
                    if (abstractAuthenticationHandlerHolder.isPathRequiresHandler(handlerSelectionPath)) {
                        this.log.debug("logout: dropping authentication using handler: {}", abstractAuthenticationHandlerHolder);
                        try {
                            abstractAuthenticationHandlerHolder.dropCredentials(httpServletRequest, httpServletResponse);
                        } catch (IOException e) {
                            this.log.error("logout: Failed dropping authentication through handler " + abstractAuthenticationHandlerHolder, e);
                        }
                    }
                }
            }
        }
        if (this.httpBasicHandler != null) {
            this.httpBasicHandler.dropCredentials(httpServletRequest, httpServletResponse);
        }
        redirectAfterLogout(httpServletRequest, httpServletResponse);
    }

    public void requestInitialized(ServletRequestEvent servletRequestEvent) {
    }

    public void requestDestroyed(ServletRequestEvent servletRequestEvent) {
        ServletRequest servletRequest = servletRequestEvent.getServletRequest();
        Object attribute = servletRequest.getAttribute(AuthenticationSupport.REQUEST_ATTRIBUTE_RESOLVER);
        if (attribute instanceof ResourceResolver) {
            ((ResourceResolver) attribute).close();
            servletRequest.removeAttribute(AuthenticationSupport.REQUEST_ATTRIBUTE_RESOLVER);
        }
    }

    private String getPath(HttpServletRequest httpServletRequest) {
        StringBuilder sb = new StringBuilder();
        if (httpServletRequest.getServletPath() != null) {
            sb.append(httpServletRequest.getServletPath());
        }
        if (httpServletRequest.getPathInfo() != null) {
            sb.append(httpServletRequest.getPathInfo());
        }
        String sb2 = sb.toString();
        if (sb2.length() == 0) {
            sb2 = "/";
        }
        return sb2;
    }

    private AuthenticationInfo getAuthenticationInfo(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        AuthenticationInfo extractCredentials;
        AuthenticationInfo extractCredentials2;
        String path = getPath(httpServletRequest);
        for (Collection<AbstractAuthenticationHandlerHolder> collection : this.authHandlersManager.findApplicableHolders(httpServletRequest)) {
            if (collection != null) {
                for (AbstractAuthenticationHandlerHolder abstractAuthenticationHandlerHolder : collection) {
                    if (abstractAuthenticationHandlerHolder.isPathRequiresHandler(path) && (extractCredentials2 = abstractAuthenticationHandlerHolder.extractCredentials(httpServletRequest, httpServletResponse)) != null) {
                        extractCredentials2.put(AUTH_INFO_PROP_FEEDBACK_HANDLER, (Object) abstractAuthenticationHandlerHolder.getFeedbackHandler());
                        return extractCredentials2;
                    }
                }
            }
        }
        if (this.httpBasicHandler == null || (extractCredentials = this.httpBasicHandler.extractCredentials(httpServletRequest, httpServletResponse)) == null) {
            this.log.debug("getAuthenticationInfo: no handler could extract credentials; assuming anonymous");
            return getAnonymousCredentials();
        }
        extractCredentials.put(AUTH_INFO_PROP_FEEDBACK_HANDLER, (Object) this.httpBasicHandler);
        return extractCredentials;
    }

    private void postProcess(AuthenticationInfo authenticationInfo, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws LoginException {
        Iterator<AuthenticationInfoPostProcessor> it = this.authInfoPostProcessors.iterator();
        while (it.hasNext()) {
            it.next().postProcess(authenticationInfo, httpServletRequest, httpServletResponse);
        }
    }

    private boolean getResolver(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationInfo authenticationInfo) {
        AuthenticationFeedbackHandler authenticationFeedbackHandler = (AuthenticationFeedbackHandler) authenticationInfo.remove(AUTH_INFO_PROP_FEEDBACK_HANDLER);
        Object remove = authenticationInfo.remove(AuthConstants.AUTH_INFO_LOGIN);
        try {
            handleImpersonation(httpServletRequest, authenticationInfo);
            handlePasswordChange(httpServletRequest, authenticationInfo);
            ResourceResolver resourceResolver = this.resourceResolverFactory.getResourceResolver(authenticationInfo);
            boolean sudoCookie = setSudoCookie(httpServletRequest, httpServletResponse, authenticationInfo);
            if (remove != null) {
                postLoginEvent(authenticationInfo);
            }
            httpServletRequest.setAttribute(AuthenticationSupport.REQUEST_ATTRIBUTE_RESOLVER, resourceResolver);
            boolean z = true;
            if (authenticationFeedbackHandler != null) {
                z = !authenticationFeedbackHandler.authenticationSucceeded(httpServletRequest, httpServletResponse, authenticationInfo);
            }
            if (z) {
                if (AuthUtil.isValidateRequest(httpServletRequest)) {
                    AuthUtil.sendValid(httpServletResponse);
                    z = false;
                } else if (sudoCookie || authenticationFeedbackHandler == null) {
                    z = !DefaultAuthenticationFeedbackHandler.handleRedirect(httpServletRequest, httpServletResponse);
                }
            }
            if (z) {
                setAttributes(resourceResolver, authenticationInfo.getAuthType(), httpServletRequest);
            } else {
                resourceResolver.close();
            }
            return z;
        } catch (LoginException e) {
            postLoginFailedEvent(httpServletRequest, authenticationInfo, e);
            if (authenticationFeedbackHandler != null) {
                authenticationFeedbackHandler.authenticationFailed(httpServletRequest, httpServletResponse, authenticationInfo);
            }
            if (httpServletResponse.isCommitted()) {
                return false;
            }
            return handleLoginFailure(httpServletRequest, httpServletResponse, authenticationInfo, e);
        }
    }

    private boolean expectAuthenticationHandler(HttpServletRequest httpServletRequest) {
        if (this.authUriSuffices == null) {
            return false;
        }
        String requestURI = httpServletRequest.getRequestURI();
        for (String str : this.authUriSuffices) {
            if (requestURI.endsWith(str)) {
                return true;
            }
        }
        return false;
    }

    private boolean getAnonymousResolver(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationInfo authenticationInfo) {
        if (!isAnonAllowed(httpServletRequest)) {
            this.log.info("getAnonymousResolver: Anonymous access not allowed by configuration - requesting credentials");
            doLogin(httpServletRequest, httpServletResponse);
            return false;
        }
        try {
            ResourceResolver resourceResolver = this.resourceResolverFactory.getResourceResolver(authenticationInfo);
            if (DefaultAuthenticationFeedbackHandler.handleRedirect(httpServletRequest, httpServletResponse)) {
                resourceResolver.close();
                return false;
            }
            setAttributes(resourceResolver, null, httpServletRequest);
            return true;
        } catch (LoginException e) {
            handleLoginFailure(httpServletRequest, httpServletResponse, new AuthenticationInfo(null, "anonymous user"), e);
            return false;
        }
    }

    boolean isAnonAllowed(HttpServletRequest httpServletRequest) {
        String path = getPath(httpServletRequest);
        for (Collection<AuthenticationRequirementHolder> collection : this.authenticationRequirementsManager.findApplicableHolders(httpServletRequest)) {
            if (collection != null) {
                for (AuthenticationRequirementHolder authenticationRequirementHolder : collection) {
                    if (authenticationRequirementHolder.isPathRequiresHandler(path)) {
                        return !authenticationRequirementHolder.requiresAuthentication();
                    }
                }
            }
        }
        return false;
    }

    private AuthenticationInfo getAnonymousCredentials() {
        AuthenticationInfo authenticationInfo = new AuthenticationInfo(null);
        if (this.anonUser != null) {
            authenticationInfo.setUser(this.anonUser);
            authenticationInfo.setPassword(this.anonPassword);
        }
        return authenticationInfo;
    }

    private boolean handleLoginFailure(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationInfo authenticationInfo, Exception exc) {
        Object obj;
        String user = authenticationInfo.getUser();
        boolean z = false;
        if (exc.getClass().getName().contains("TooManySessionsException")) {
            this.log.info("handleLoginFailure: Too many sessions for {}: {}", user, exc.getMessage());
            try {
                httpServletResponse.sendError(503, "SlingAuthenticator: Too Many Users");
            } catch (IOException e) {
                this.log.error("handleLoginFailure: Cannot send status 503 to client", e);
            }
        } else if (exc instanceof LoginException) {
            this.log.info("handleLoginFailure: Unable to authenticate {}: {}", user, exc.getMessage());
            if (!isAnonAllowed(httpServletRequest) || expectAuthenticationHandler(httpServletRequest) || AuthUtil.isValidateRequest(httpServletRequest)) {
                AuthenticationHandler.FAILURE_REASON_CODES failureReasonFromException = getFailureReasonFromException(authenticationInfo, exc);
                switch (failureReasonFromException) {
                    case ACCOUNT_LOCKED:
                        obj = "Account is locked";
                        break;
                    case ACCOUNT_NOT_FOUND:
                        obj = "Account was not found";
                        break;
                    case PASSWORD_EXPIRED:
                        obj = "Password expired";
                        break;
                    case PASSWORD_EXPIRED_AND_NEW_PASSWORD_IN_HISTORY:
                        obj = "Password expired and new password found in password history";
                        break;
                    case UNKNOWN:
                    case INVALID_LOGIN:
                    default:
                        obj = "User name and password do not match";
                        break;
                }
                httpServletRequest.setAttribute(AuthenticationHandler.FAILURE_REASON_CODE, failureReasonFromException);
                ensureAttribute(httpServletRequest, AuthenticationHandler.FAILURE_REASON, obj);
                doLogin(httpServletRequest, httpServletResponse);
            } else {
                this.log.debug("handleLoginFailure: LoginException on an anonymous resource, fallback to getAnonymousResolver");
                z = getAnonymousResolver(httpServletRequest, httpServletResponse, new AuthenticationInfo(null));
            }
        } else {
            this.log.error("handleLoginFailure: Unable to authenticate " + user, exc);
            try {
                httpServletResponse.sendError(500, "SlingAuthenticator: data access error, reason=" + exc.getClass().getSimpleName());
            } catch (IOException e2) {
                this.log.error("handleLoginFailure: Cannot send status 500 to client", e2);
            }
        }
        return z;
    }

    private AuthenticationHandler.FAILURE_REASON_CODES getFailureReasonFromException(AuthenticationInfo authenticationInfo, Exception exc) {
        AuthenticationHandler.FAILURE_REASON_CODES failure_reason_codes = null;
        if (exc.getClass().getName().contains("TooManySessionsException")) {
            failure_reason_codes = null;
        } else if (exc instanceof LoginException) {
            if (exc.getCause() instanceof CredentialExpiredException) {
                Object obj = authenticationInfo.get("user.jcr.credentials");
                failure_reason_codes = (!(obj instanceof SimpleCredentials) || ((SimpleCredentials) obj).getAttribute("PasswordHistoryException") == null) ? AuthenticationHandler.FAILURE_REASON_CODES.PASSWORD_EXPIRED : AuthenticationHandler.FAILURE_REASON_CODES.PASSWORD_EXPIRED_AND_NEW_PASSWORD_IN_HISTORY;
            } else if (exc.getCause() instanceof AccountLockedException) {
                failure_reason_codes = AuthenticationHandler.FAILURE_REASON_CODES.ACCOUNT_LOCKED;
            } else if (exc.getCause() instanceof AccountNotFoundException) {
                failure_reason_codes = AuthenticationHandler.FAILURE_REASON_CODES.ACCOUNT_NOT_FOUND;
            }
            if (failure_reason_codes == null) {
                failure_reason_codes = AuthenticationHandler.FAILURE_REASON_CODES.INVALID_LOGIN;
            }
        }
        return failure_reason_codes;
    }

    private void doLogin(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (!AuthUtil.isValidateRequest(httpServletRequest)) {
            if (AuthUtil.isBrowserRequest(httpServletRequest)) {
                if (!AuthUtil.isAjaxRequest(httpServletRequest) && !isLoginLoop(httpServletRequest)) {
                    try {
                        login(httpServletRequest, httpServletResponse);
                        return;
                    } catch (NoAuthenticationHandlerException e) {
                        this.log.error("doLogin: Cannot login: No AuthenticationHandler available to handle the request");
                    } catch (IllegalStateException e2) {
                        this.log.error("doLogin: Cannot login: Response already committed");
                        return;
                    }
                }
            } else if (this.httpBasicHandler != null) {
                this.httpBasicHandler.sendUnauthorized(httpServletResponse);
                return;
            }
        }
        ensureAttribute(httpServletRequest, AuthenticationHandler.FAILURE_REASON, "Authentication Failed");
        AuthUtil.sendInvalid(httpServletRequest, httpServletResponse);
    }

    private boolean isLoginLoop(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader("Referer");
        if (header == null) {
            return false;
        }
        StringBuffer requestURL = httpServletRequest.getRequestURL();
        if (httpServletRequest.getQueryString() != null) {
            requestURL.append('?').append(httpServletRequest.getQueryString());
        }
        return header.equals(requestURL.toString());
    }

    private void ensureAttribute(HttpServletRequest httpServletRequest, String str, Object obj) {
        if (httpServletRequest.getAttribute(str) == null) {
            httpServletRequest.setAttribute(str, obj);
        }
    }

    private void setAttributes(ResourceResolver resourceResolver, String str, HttpServletRequest httpServletRequest) {
        httpServletRequest.setAttribute("org.osgi.service.http.authentication.type", str);
        if (str != null) {
            httpServletRequest.setAttribute("org.osgi.service.http.authentication.remote.user", resourceResolver.getUserID());
        }
        httpServletRequest.setAttribute(AuthenticationSupport.REQUEST_ATTRIBUTE_RESOLVER, resourceResolver);
        this.log.debug("setAttributes: ResourceResolver stored as request attribute: user={}", resourceResolver.getUserID());
    }

    private void sendSudoCookie(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str, int i, String str2, String str3) {
        String str4 = null;
        try {
            String quoteCookieValue = quoteCookieValue(str);
            if (str3 != null) {
                str4 = quoteCookieValue(str3);
            }
            if (quoteCookieValue != null) {
                Cookie cookie = new Cookie(this.sudoCookieName, quoteCookieValue);
                cookie.setHttpOnly(true);
                cookie.setSecure(httpServletRequest.isSecure());
                cookie.setMaxAge(i);
                cookie.setPath((str2 == null || str2.length() == 0) ? "/" : str2);
                try {
                    cookie.setComment(str4 + " impersonates as " + quoteCookieValue);
                } catch (IllegalArgumentException e) {
                }
                httpServletResponse.addCookie(cookie);
            }
        } catch (UnsupportedEncodingException e2) {
            this.log.error("sendSudoCookie: Failed to quote value '{}' of cookie {}: {}", new Object[]{str, this.sudoCookieName, e2.getMessage()});
        } catch (IllegalArgumentException e3) {
            this.log.error("sendSudoCookie: Failed to quote value '{}' of cookie {}: {}", new Object[]{str, this.sudoCookieName, e3.getMessage()});
        }
    }

    private void handleImpersonation(HttpServletRequest httpServletRequest, AuthenticationInfo authenticationInfo) {
        String sudoCookieValue = getSudoCookieValue(httpServletRequest);
        String parameter = httpServletRequest.getParameter(this.sudoParameterName);
        if (parameter == null || parameter.length() == 0) {
            parameter = sudoCookieValue;
        } else if ("-".equals(parameter)) {
            parameter = null;
        }
        if (parameter == null || parameter.length() <= 0) {
            return;
        }
        authenticationInfo.put("user.impersonation", (Object) parameter);
    }

    private void handlePasswordChange(HttpServletRequest httpServletRequest, AuthenticationInfo authenticationInfo) {
        String parameter = httpServletRequest.getParameter(PAR_NEW_PASSWORD);
        if (parameter == null || parameter.length() <= 0) {
            return;
        }
        authenticationInfo.put("user.newpassword", (Object) parameter);
    }

    private String getSudoCookieValue(HttpServletRequest httpServletRequest) {
        String str = null;
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies != null) {
            for (int i = 0; str == null && i < cookies.length; i++) {
                if (this.sudoCookieName.equals(cookies[i].getName())) {
                    str = unquoteCookieValue(cookies[i].getValue());
                }
            }
        }
        return str;
    }

    private boolean setSudoCookie(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, AuthenticationInfo authenticationInfo) {
        String str = (String) authenticationInfo.get("user.impersonation");
        String sudoCookieValue = getSudoCookieValue(httpServletRequest);
        boolean z = str != sudoCookieValue;
        if (z) {
            if (str == null) {
                sendSudoCookie(httpServletRequest, httpServletResponse, "", 0, httpServletRequest.getContextPath(), authenticationInfo.getUser());
            } else if (sudoCookieValue == null || !sudoCookieValue.equals(str)) {
                sendSudoCookie(httpServletRequest, httpServletResponse, str, -1, httpServletRequest.getContextPath(), str);
            }
        }
        return z;
    }

    private String getHandlerSelectionPath(HttpServletRequest httpServletRequest) {
        String path;
        Object attribute = httpServletRequest.getAttribute("resource");
        if (attribute instanceof String) {
            path = (String) attribute;
            String contextPath = httpServletRequest.getContextPath();
            if (contextPath != null && path.startsWith(contextPath)) {
                path = path.substring(contextPath.length());
            }
            if (path == null || path.length() == 0) {
                path = "/";
            }
        } else {
            path = getPath(httpServletRequest);
        }
        return path;
    }

    private void redirectAfterLogout(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (httpServletResponse.isCommitted()) {
            this.log.debug("redirectAfterLogout: Response has already been committed, not redirecting");
            return;
        }
        String loginResource = AuthUtil.getLoginResource(httpServletRequest, httpServletRequest.getContextPath());
        if (!AuthUtil.isRedirectValid(httpServletRequest, loginResource)) {
            this.log.warn("redirectAfterLogout: Desired redirect target '{}' is invalid; redirecting to '/'", loginResource);
            loginResource = httpServletRequest.getContextPath() + "/";
        }
        try {
            httpServletResponse.sendRedirect(loginResource);
        } catch (IOException e) {
            this.log.error("Failed to redirect to the page: " + loginResource, e);
        }
    }

    private void postLoginEvent(AuthenticationInfo authenticationInfo) {
        Hashtable hashtable = new Hashtable();
        hashtable.put("userid", authenticationInfo.getUser());
        hashtable.put(AuthenticationInfo.AUTH_TYPE, authenticationInfo.getAuthType());
        EventAdmin eventAdmin = this.eventAdmin;
        if (eventAdmin != null) {
            eventAdmin.postEvent(new Event(AuthConstants.TOPIC_LOGIN, hashtable));
        }
    }

    private void postLoginFailedEvent(HttpServletRequest httpServletRequest, AuthenticationInfo authenticationInfo, Exception exc) {
        AuthenticationHandler.FAILURE_REASON_CODES failureReasonFromException = getFailureReasonFromException(authenticationInfo, exc);
        if (failureReasonFromException != null) {
            Hashtable hashtable = new Hashtable();
            if (authenticationInfo.getUser() != null) {
                hashtable.put("userid", authenticationInfo.getUser());
            }
            if (authenticationInfo.getAuthType() != null) {
                hashtable.put(AuthenticationInfo.AUTH_TYPE, authenticationInfo.getAuthType());
            }
            hashtable.put("reason_code", failureReasonFromException.name());
            EventAdmin eventAdmin = this.eventAdmin;
            if (eventAdmin != null) {
                eventAdmin.postEvent(new Event(AuthConstants.TOPIC_LOGIN_FAILED, hashtable));
            }
        }
    }

    static String quoteCookieValue(String str) throws UnsupportedEncodingException {
        if (str == null) {
            throw new IllegalArgumentException("Cookie value may not be null");
        }
        StringBuilder sb = new StringBuilder(str.length() * 2);
        sb.append('\"');
        for (int i = 0; i < str.length(); i++) {
            char charAt = str.charAt(i);
            if (charAt == '\"') {
                sb.append("\\\"");
            } else if (charAt == '@') {
                sb.append(charAt);
            } else {
                if (charAt == 127 || (charAt < ' ' && charAt != '\t')) {
                    throw new IllegalArgumentException("Cookie value may not contain CTL character");
                }
                sb.append(URLEncoder.encode(String.valueOf(charAt), "UTF-8"));
            }
        }
        sb.append('\"');
        return sb.toString();
    }

    static String unquoteCookieValue(String str) {
        if (str == null || str.length() == 0) {
            return str;
        }
        if (str.startsWith("\"") && str.endsWith("\"")) {
            str = str.substring(1, str.length() - 1);
        }
        StringBuilder sb = new StringBuilder();
        for (String str2 : str.split("\\\\")) {
            try {
                sb.append(URLDecoder.decode(str2, "UTF-8"));
            } catch (UnsupportedEncodingException e) {
                sb.append(str2);
            }
        }
        return sb.toString();
    }
}
