package org.apache.jackrabbit.core.security.authentication.token;

import java.io.UnsupportedEncodingException;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Calendar;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.GregorianCalendar;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.jcr.AccessDeniedException;
import javax.jcr.Node;
import javax.jcr.Property;
import javax.jcr.PropertyIterator;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.jcr.Value;
import javax.jcr.ValueFactory;
import org.apache.jackrabbit.api.security.authentication.token.TokenCredentials;
import org.apache.jackrabbit.api.security.principal.ItemBasedPrincipal;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.core.NodeImpl;
import org.apache.jackrabbit.core.ProtectedItemModifier;
import org.apache.jackrabbit.core.SessionImpl;
import org.apache.jackrabbit.core.id.NodeId;
import org.apache.jackrabbit.core.security.user.PasswordUtility;
import org.apache.jackrabbit.core.security.user.UserImpl;
import org.apache.jackrabbit.spi.Name;
import org.apache.jackrabbit.spi.commons.name.NameConstants;
import org.apache.jackrabbit.util.ISO8601;
import org.apache.jackrabbit.util.Text;
import org.apache.tika.metadata.Metadata;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX WARN: Classes with same name are omitted:
  input_file:WEB-INF/lib/jackrabbit-core-2.13.5.jar:org/apache/jackrabbit/core/security/authentication/token/TokenProvider.class
 */
/* loaded from: input_file:org/apache/jackrabbit/core/security/authentication/token/TokenProvider.class */
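/**
 * Creates, looks up and validates login tokens that are stored as
 * {@code rep:Token} nodes below a {@code .tokens} node of the owning user.
 *
 * <p>A token string has the form {@code <token node identifier>_<key>}. Only a
 * hash of {@code key + userId} (built with {@link PasswordUtility}) is written
 * to the repository; the plain key exists only in the token string handed to
 * the caller.</p>
 *
 * <p>NOTE(review): this listing is decompiler output. Three artifacts that did
 * not make sense as written were repaired: the anonymous principal in
 * {@link #getUserId}, the unreachable logout in
 * {@code TokenInfoImpl.resetExpiration}, and the lost path variable in
 * {@code getTokenParent}.</p>
 */
public class TokenProvider extends ProtectedItemModifier {
    /** Credentials attribute that carries the token; also the prefix of mandatory attributes. */
    private static final String TOKEN_ATTRIBUTE = ".token";
    /** Property holding the expiration date of a token node. */
    private static final String TOKEN_ATTRIBUTE_EXPIRY = "rep:token.exp";
    /** Property holding the hashed key of a token node. */
    private static final String TOKEN_ATTRIBUTE_KEY = "rep:token.key";
    /** Name of the per-user node that collects all token nodes. */
    private static final String TOKENS_NODE_NAME = ".tokens";
    /** Primary node type of a single token node. */
    private static final String TOKEN_NT_NAME = "rep:Token";
    /** Separates the token node identifier from the key inside a token string. */
    private static final char DELIM = '_';
    /** Namespace prefixes whose properties are never exposed as public token attributes. */
    private static final Collection<String> RESERVED_PREFIXES;
    private final SessionImpl session;
    private final UserManager userManager;
    /** Token lifetime, added to a millisecond timestamp to compute the expiry. */
    private final long tokenExpiration;
    private static final Logger log = LoggerFactory.getLogger(TokenProvider.class);
    private static final Name TOKENS_NT_NAME = NameConstants.NT_UNSTRUCTURED;
    /** Attribute names managed by this class; never copied from or to credentials. */
    private static final Set<String> RESERVED_ATTRIBUTES;

    static {
        Set<String> reserved = new HashSet<String>(3);
        reserved.add(TOKEN_ATTRIBUTE);
        reserved.add(TOKEN_ATTRIBUTE_EXPIRY);
        reserved.add(TOKEN_ATTRIBUTE_KEY);
        RESERVED_ATTRIBUTES = Collections.unmodifiableSet(reserved);
        RESERVED_PREFIXES = Collections.unmodifiableList(
                Arrays.asList("xml", "jcr", "nt", "mix", "xmlns", "rep", "sv"));
    }

    /**
     * In-memory view of one token node: the token string, the owning user, the
     * stored key hash, the expiry and the attributes read from the node.
     */
    public class TokenInfoImpl implements TokenInfo {
        private final String token;
        private final String tokenPath;
        private final String userId;
        private final long expirationTime;
        private final String key;
        private final Map<String, String> mandatoryAttributes;
        private final Map<String, String> publicAttributes;

        /**
         * Reads the token state from the given node.
         *
         * @param nodeImpl the token node
         * @param str the complete token string presented by or handed to the client
         * @param str2 the id of the user owning the token
         * @throws RepositoryException if the key property is missing or a property cannot be read
         */
        private TokenInfoImpl(NodeImpl nodeImpl, String str, String str2) throws RepositoryException {
            this.token = str;
            this.tokenPath = nodeImpl.getPath();
            this.userId = str2;
            // A node without an expiry property gets Long.MIN_VALUE and is therefore
            // reported as expired by isExpired() for any later timestamp.
            this.expirationTime = TokenProvider.getExpirationTime(nodeImpl, Long.MIN_VALUE);
            this.key = nodeImpl.getProperty(TOKEN_ATTRIBUTE_KEY).getString();
            this.mandatoryAttributes = new HashMap<String, String>();
            this.publicAttributes = new HashMap<String, String>();
            PropertyIterator properties = nodeImpl.getProperties();
            while (properties.hasNext()) {
                Property property = properties.nextProperty();
                String name = property.getName();
                if (RESERVED_ATTRIBUTES.contains(name)) {
                    continue;
                }
                // Read the value only for properties that are kept. Ignored
                // properties (reserved prefixes such as jcr:) may be multi-valued,
                // and getString() on those would fail.
                if (TokenProvider.isMandatoryAttribute(name)) {
                    this.mandatoryAttributes.put(name, property.getString());
                } else if (TokenProvider.isInfoAttribute(name)) {
                    this.publicAttributes.put(name, property.getString());
                }
            }
        }

        /** @return the complete token string */
        @Override
        public String getToken() {
            return this.token;
        }

        /**
         * @param j the reference time in milliseconds
         * @return {@code true} if the stored expiry lies before {@code j}
         */
        @Override
        public boolean isExpired(long j) {
            return this.expirationTime < j;
        }

        /**
         * Extends the lifetime of a token that is still valid but has used up at
         * least half of its configured lifetime.
         *
         * @param j the login time in milliseconds
         * @return {@code true} if a new expiry was persisted; {@code false} if the
         *         token is expired, does not need a reset yet, or the update failed
         * @throws RepositoryException declared by the interface; repository errors
         *         raised while updating are logged and reported as {@code false}
         */
        @Override
        public boolean resetExpiration(long j) throws RepositoryException {
            if (isExpired(j)) {
                log.debug("Attempt to reset an expired token.");
                return false;
            }
            // More than half of the lifetime is left: skip the write.
            if (this.expirationTime - j > TokenProvider.this.tokenExpiration / 2) {
                return false;
            }
            Session writeSession = null;
            try {
                // A separate session keeps the write apart from the provider session.
                writeSession = TokenProvider.this.session.createSession(
                        TokenProvider.this.session.getWorkspace().getName());
                NodeImpl tokenNode = (NodeImpl) writeSession.getNode(this.tokenPath);
                TokenProvider.this.setProperty(
                        tokenNode,
                        TokenProvider.this.session.getQName(TOKEN_ATTRIBUTE_EXPIRY),
                        TokenProvider.this.createExpirationValue(j, TokenProvider.this.session));
                writeSession.save();
                log.debug("Successfully reset token expiration time.");
                return true;
            } catch (RepositoryException e) {
                log.warn("Error while resetting token expiration", e);
                return false;
            } finally {
                if (writeSession != null) {
                    writeSession.logout();
                }
            }
        }

        /**
         * Checks the presented credentials against this token: the key part must
         * match the stored hash and every mandatory attribute stored on the node
         * must be present in the credentials with the same value. On success the
         * public attributes that the credentials do not carry yet are copied onto
         * them.
         *
         * @param tokenCredentials the credentials presented at login
         * @return {@code true} if key and mandatory attributes match
         */
        @Override
        public boolean matches(TokenCredentials tokenCredentials) {
            String presentedKey = tokenCredentials.getToken();
            // The key is whatever follows the last delimiter; without a delimiter
            // the whole string is treated as the key.
            int delimiterPos = presentedKey.lastIndexOf(DELIM);
            if (delimiterPos > -1) {
                presentedKey = presentedKey.substring(delimiterPos + 1);
            }
            // The key comparison is delegated to PasswordUtility.isSame, which
            // checks the candidate against the stored hash.
            if (this.key == null
                    || !PasswordUtility.isSame(this.key, TokenProvider.getKeyValue(presentedKey, this.userId))) {
                return false;
            }
            for (Map.Entry<String, String> mandatory : this.mandatoryAttributes.entrySet()) {
                if (!mandatory.getValue().equals(tokenCredentials.getAttribute(mandatory.getKey()))) {
                    return false;
                }
            }
            List<String> presentedNames = Arrays.asList(tokenCredentials.getAttributeNames());
            for (Map.Entry<String, String> info : this.publicAttributes.entrySet()) {
                // Values supplied by the caller win over the stored public attributes.
                if (!presentedNames.contains(info.getKey())) {
                    tokenCredentials.setAttribute(info.getKey(), info.getValue());
                }
            }
            return true;
        }

        /**
         * Removes the token node from the repository.
         *
         * @return {@code true} if the removal was persisted; {@code false} if a
         *         repository error occurred (it is logged, not rethrown)
         */
        @Override
        public boolean remove() {
            Session writeSession = null;
            try {
                writeSession = TokenProvider.this.session.createSession(
                        TokenProvider.this.session.getWorkspace().getName());
                writeSession.getNode(this.tokenPath).remove();
                writeSession.save();
                return true;
            } catch (RepositoryException e) {
                log.warn("Internal error while removing token node.", e);
                return false;
            } finally {
                if (writeSession != null) {
                    writeSession.logout();
                }
            }
        }

        /**
         * @return new token credentials for this token carrying all mandatory and
         *         public attributes read from the token node
         */
        @Override
        public TokenCredentials getCredentials() {
            TokenCredentials tokenCredentials = new TokenCredentials(this.token);
            for (Map.Entry<String, String> mandatory : this.mandatoryAttributes.entrySet()) {
                tokenCredentials.setAttribute(mandatory.getKey(), mandatory.getValue());
            }
            for (Map.Entry<String, String> info : this.publicAttributes.entrySet()) {
                tokenCredentials.setAttribute(info.getKey(), info.getValue());
            }
            return tokenCredentials;
        }
    }

    /**
     * @param sessionImpl the session used to read and write token nodes
     * @param j the token lifetime, added to millisecond timestamps
     * @throws RepositoryException if the user manager cannot be obtained
     */
    public TokenProvider(SessionImpl sessionImpl, long j) throws RepositoryException {
        this.session = sessionImpl;
        this.userManager = sessionImpl.getUserManager();
        this.tokenExpiration = j;
    }

    /**
     * Creates a token for the given user if the credentials belong to that user
     * (user ids are compared case-insensitively). All credential attributes are
     * passed on as token attributes, and the new token string is written back to
     * the credentials under {@code .token}.
     *
     * @param user the user to create the token for
     * @param simpleCredentials the credentials used for the login
     * @return the new token, or {@code null} if none was created
     * @throws RepositoryException if a repository error other than the handled ones occurs
     */
    public TokenInfo createToken(User user, SimpleCredentials simpleCredentials) throws RepositoryException {
        TokenInfo tokenInfo = null;
        if (simpleCredentials != null && user != null
                && user.getID().equalsIgnoreCase(simpleCredentials.getUserID())) {
            String[] attributeNames = simpleCredentials.getAttributeNames();
            Map<String, String> attributes = new HashMap<String, String>(attributeNames.length);
            for (String name : attributeNames) {
                attributes.put(name, simpleCredentials.getAttribute(name).toString());
            }
            tokenInfo = createToken(user, attributes);
            if (tokenInfo != null) {
                simpleCredentials.setAttribute(TOKEN_ATTRIBUTE, tokenInfo.getToken());
            }
        }
        return tokenInfo;
    }

    /**
     * Persists a new token node for the user and returns its in-memory view.
     *
     * @param user the owner of the token
     * @param map attributes to store on the token node; reserved names are skipped
     * @return the new token, or {@code null} if the token store is unavailable or
     *         hashing/access failed
     * @throws RepositoryException if another repository error occurs
     */
    private TokenInfo createToken(User user, Map<String, ?> map) throws RepositoryException {
        NodeImpl tokenParent = getTokenParent(user);
        if (tokenParent == null) {
            log.warn("Unable to get/create token store for user {}", user.getID());
            return null;
        }
        try {
            ValueFactory valueFactory = this.session.getValueFactory();
            long creationTime = System.currentTimeMillis();
            Calendar creation = Calendar.getInstance();
            creation.setTimeInMillis(creationTime);
            // The node name is the ISO8601 creation time with the delimiter replaced
            // by '.'. NOTE(review): the decompiler resolved the delimiter to a Tika
            // constant; presumably it is the ':' literal - confirm against upstream.
            String tokenNodeName =
                    Text.replace(ISO8601.format(creation), Metadata.NAMESPACE_PREFIX_DELIMITER, ".");
            NodeImpl tokenNode = super.addNode(
                    tokenParent,
                    this.session.getQName(tokenNodeName),
                    this.session.getQName(TOKEN_NT_NAME),
                    NodeId.randomId());
            // NOTE(review): 8 random bytes give the key 64 bits of entropy. Check
            // that this is enough for the configured token lifetime and the login
            // throttling in front of this provider.
            String key = generateKey(8);
            String token = tokenNode.getId().toString() + DELIM + key;
            // Only the hash of key + userId is stored, never the key itself.
            String keyHash = PasswordUtility.buildPasswordHash(getKeyValue(key, user.getID()));
            setProperty(tokenNode, this.session.getQName(TOKEN_ATTRIBUTE_KEY), valueFactory.createValue(keyHash));
            setProperty(tokenNode, this.session.getQName(TOKEN_ATTRIBUTE_EXPIRY),
                    createExpirationValue(creationTime, this.session));
            // NOTE(review): attribute names and values come from the caller's
            // credentials and are stored verbatim. Only the three reserved names are
            // filtered here; names with a reserved prefix (jcr:, rep:, ...) are not.
            for (Map.Entry<String, ?> attribute : map.entrySet()) {
                String name = attribute.getKey();
                if (!RESERVED_ATTRIBUTES.contains(name)) {
                    setProperty(tokenNode, this.session.getQName(name),
                            valueFactory.createValue(attribute.getValue().toString()));
                }
            }
            this.session.save();
            return new TokenInfoImpl(tokenNode, token, user.getID());
        } catch (UnsupportedEncodingException e) {
            // NOTE(review): on every failure path the transient token node stays
            // pending in the session; confirm that the caller discards it.
            log.error("Failed to create login token. ", e);
            return null;
        } catch (NoSuchAlgorithmException e) {
            log.error("Failed to create login token. ", e);
            return null;
        } catch (AccessDeniedException e) {
            log.warn("Failed to create login token. ", e);
            return null;
        }
    }

    /**
     * @param j the start time in milliseconds
     * @param session the session whose value factory creates the value
     * @return a date value of {@code j} plus the configured token lifetime
     * @throws RepositoryException if the value cannot be created
     */
    public Value createExpirationValue(long j, Session session) throws RepositoryException {
        Calendar expiry = Calendar.getInstance();
        expiry.setTimeInMillis(createExpirationTime(j, this.tokenExpiration));
        return session.getValueFactory().createValue(expiry);
    }

    /**
     * Resolves a token string to its token node and owning user.
     *
     * <p>NOTE(review): the identifier part of the token is untrusted input and is
     * resolved with {@code getNodeByIdentifier} before the node is verified to be a
     * token node. {@link #getUserId} walks two levels up from whatever node the
     * identifier names, and only afterwards does the tree check run. Consider
     * validating the node first; the order is kept here because callers are not
     * visible.</p>
     *
     * @param str the token string, may be {@code null}
     * @return the token info, or {@code null} if the token is {@code null}, its
     *         user cannot be resolved, or the node is not a valid token node
     * @throws RepositoryException if the node lookup or user resolution fails
     */
    public TokenInfo getTokenInfo(String str) throws RepositoryException {
        if (str == null) {
            return null;
        }
        NodeImpl tokenNode = (NodeImpl) getTokenNode(str, this.session);
        String userId = getUserId(tokenNode, this.userManager);
        if (userId == null || !isValidTokenTree(tokenNode)) {
            return null;
        }
        return new TokenInfoImpl(tokenNode, str, userId);
    }

    /**
     * Looks up the node named by the identifier part of a token, i.e. everything
     * before the first delimiter (the whole string if there is none).
     *
     * @param str the token string
     * @param session the session used for the lookup
     * @return the node with that identifier
     * @throws RepositoryException if the lookup fails
     */
    public static Node getTokenNode(String str, Session session) throws RepositoryException {
        int delimiterPos = str.indexOf(DELIM);
        String identifier = (delimiterPos == -1) ? str : str.substring(0, delimiterPos);
        return session.getNodeByIdentifier(identifier);
    }

    /**
     * Determines the id of the user that owns a token node. The user node is
     * expected two levels above the token node.
     *
     * @param nodeImpl the token node, may be {@code null}
     * @param userManager the user manager used to resolve the authorizable
     * @return the user id, or {@code null} if the node is {@code null} or the
     *         authorizable is missing, a group, or a disabled user
     * @throws RepositoryException if the grandparent is not a {@code rep:User}
     *         node or cannot be read
     */
    public static String getUserId(NodeImpl nodeImpl, UserManager userManager) throws RepositoryException {
        if (nodeImpl == null) {
            return null;
        }
        final NodeImpl userNode = (NodeImpl) nodeImpl.getParent().getParent();
        final String principalName = userNode.getProperty(UserImpl.P_PRINCIPAL_NAME).getString();
        if (!userNode.isNodeType(UserImpl.NT_REP_USER)) {
            throw new RepositoryException("Failed to calculate userId from token credentials");
        }
        Authorizable authorizable = userManager.getAuthorizable(new ItemBasedPrincipal() {
            @Override
            public String getPath() throws RepositoryException {
                // Path of the captured user node. The decompiled form
                // "NodeImpl.this.getPath()" named a class that does not enclose
                // this one.
                return userNode.getPath();
            }

            @Override
            public String getName() {
                return principalName;
            }
        });
        // Tokens of groups and of disabled users are treated as unresolvable.
        if (authorizable == null || authorizable.isGroup() || ((User) authorizable).isDisabled()) {
            return null;
        }
        return authorizable.getID();
    }

    /**
     * @param str the attribute name, may be {@code null}
     * @return {@code true} if the name starts with {@code .token}
     */
    public static boolean isMandatoryAttribute(String str) {
        return str != null && str.startsWith(TOKEN_ATTRIBUTE);
    }

    /**
     * @param str the attribute name
     * @return {@code true} if the namespace prefix of the name is not reserved
     */
    static boolean isInfoAttribute(String str) {
        return !RESERVED_PREFIXES.contains(Text.getNamespacePrefix(str));
    }

    /** @return {@code j + j2}, i.e. start time plus lifetime */
    private static long createExpirationTime(long j, long j2) {
        return j + j2;
    }

    /**
     * @param nodeImpl the token node
     * @param j the value to return if the node has no expiry property
     * @return the stored expiry as a long, or {@code j}
     * @throws RepositoryException if the property cannot be read
     */
    public static long getExpirationTime(NodeImpl nodeImpl, long j) throws RepositoryException {
        if (nodeImpl.hasProperty(TOKEN_ATTRIBUTE_EXPIRY)) {
            return nodeImpl.getProperty(TOKEN_ATTRIBUTE_EXPIRY).getLong();
        }
        return j;
    }

    /**
     * @param i the number of random bytes
     * @return {@code i} bytes from a {@link SecureRandom}, hex encoded ({@code 2 * i} characters)
     */
    private static String generateKey(int i) {
        byte[] randomBytes = new byte[i];
        new SecureRandom().nextBytes(randomBytes);
        StringBuilder hex = new StringBuilder(randomBytes.length * 2);
        for (byte b : randomBytes) {
            hex.append(Text.hexTable[(b >> 4) & 15]);
            hex.append(Text.hexTable[b & 15]);
        }
        return hex.toString();
    }

    /**
     * @param str the key part of the token
     * @param str2 the user id
     * @return the string that is hashed and compared: key followed by user id
     */
    public static String getKeyValue(String str, String str2) {
        return str + str2;
    }

    /**
     * @return {@code true} if the node is non-null, sits below a {@code .tokens}
     *         node and has the primary type {@code rep:Token}
     */
    private static boolean isValidTokenTree(NodeImpl nodeImpl) throws RepositoryException {
        if (nodeImpl == null) {
            return false;
        }
        return TOKENS_NODE_NAME.equals(nodeImpl.getParent().getName())
                && TOKEN_NT_NAME.equals(nodeImpl.getPrimaryNodeType().getName());
    }

    /**
     * Returns the {@code .tokens} node of the user, creating it if missing.
     *
     * @param user the user, may be {@code null}
     * @return the token store node, or {@code null} if the user is {@code null},
     *         has no item-based principal, or the store could not be obtained
     * @throws RepositoryException if refreshing the session or the retry lookup fails
     */
    private NodeImpl getTokenParent(User user) throws RepositoryException {
        NodeImpl tokenParent = null;
        // Path of a store node this call tried to create; used for the retry.
        String parentPath = null;
        try {
            if (user != null) {
                Principal principal = user.getPrincipal();
                if (principal instanceof ItemBasedPrincipal) {
                    String userPath = ((ItemBasedPrincipal) principal).getPath();
                    NodeImpl userNode = (NodeImpl) this.session.getNode(userPath);
                    if (userNode.hasNode(TOKENS_NODE_NAME)) {
                        tokenParent = (NodeImpl) userNode.getNode(TOKENS_NODE_NAME);
                    } else {
                        tokenParent = userNode.addNode(
                                this.session.getQName(TOKENS_NODE_NAME), TOKENS_NT_NAME, NodeId.randomId());
                        parentPath = userPath + '/' + TOKENS_NODE_NAME;
                        this.session.save();
                    }
                }
            } else {
                log.debug("Cannot create login token: No user specified. (null)");
            }
        } catch (RepositoryException e) {
            log.debug("Conflict while creating token store -> retrying", e);
            this.session.refresh(false);
            // refresh(false) discards the pending changes, so a store node added
            // above must not be returned. Use the persisted one if another
            // session created it in the meantime.
            tokenParent = null;
            if (parentPath != null && this.session.nodeExists(parentPath)) {
                tokenParent = (NodeImpl) this.session.getNode(parentPath);
            }
        }
        return tokenParent;
    }
}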
