package net.adamcin.sling.auth.httpsig.impl;

import java.io.File;
import java.io.IOException;
import java.util.List;
import java.util.Map;
import javax.jcr.Credentials;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.adamcin.httpsig.api.Authorization;
import net.adamcin.httpsig.api.Challenge;
import net.adamcin.httpsig.api.Constants;
import net.adamcin.httpsig.api.DefaultKeychain;
import net.adamcin.httpsig.api.Keychain;
import net.adamcin.httpsig.api.RequestContent;
import net.adamcin.httpsig.api.Verifier;
import net.adamcin.httpsig.api.VerifyResult;
import net.adamcin.httpsig.http.servlet.ServletUtil;
import net.adamcin.httpsig.ssh.jce.AuthorizedKeys;
import net.adamcin.httpsig.ssh.jce.UserKeysFingerprintKeyId;
import org.apache.felix.scr.annotations.Activate;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Deactivate;
import org.apache.felix.scr.annotations.Properties;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.Service;
import org.apache.jackrabbit.api.security.authentication.token.TokenCredentials;
import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;
import org.apache.sling.commons.osgi.OsgiUtil;
import org.apache.sling.jcr.api.SlingRepository;
import org.apache.sling.settings.SlingSettingsService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

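/**
 * Sling {@link AuthenticationHandler} for the HTTP Signature scheme
 * ({@code Authorization: Signature ...}), verified against an SSH
 * {@code authorized_keys}-style keychain.
 *
 * <p>Trust model, as implemented here:
 * <ul>
 *   <li>Every public key in the keychain authenticates as the single JCR user named by
 *       {@code httpsig.username} (default {@code admin}). The request's keyId only selects
 *       the key to verify with; it never selects the user.</li>
 *   <li>The keychain is taken from {@code httpsig.authkeys} if set, else from
 *       {@code <sling.home>/../.ssh/authorized_keys} if that file exists, else from the
 *       httpsig library's default keychain (see {@link #loadKeychain()}).</li>
 *   <li>On success the user is represented by Jackrabbit {@link TokenCredentials} minted
 *       through an administrative session; the token is cached in this component and
 *       reused until a login with it fails.</li>
 * </ul>
 *
 * <p>The handler never initiates authentication on its own ({@link #requestCredentials}
 * returns {@code false}); a challenge is only sent back when a request already carries an
 * Authorization header that fails verification.
 */
@Service
@Component(label = "%httpsig.name", description = "%httpsig.description", metatype = true)
@Properties({@Property(name = "path", value = {"/"}, label = "%httpsig.path.name", description = "%httpsig.path.description"), @Property(name = "authtype", value = {"Signature"}, propertyPrivate = true), @Property(name = "service.ranking", intValue = {0}, label = "%httpsig.ranking.name", propertyPrivate = false, description = "%httpsig.ranking.description")})
public class SignatureAuthenticationHandler implements AuthenticationHandler {
    private static final Logger LOGGER = LoggerFactory.getLogger(SignatureAuthenticationHandler.class);

    /**
     * Code-side fallback for {@code httpsig.skew}. Must agree with the {@code longValue}
     * declared on {@link #OSGI_SKEW}; the literal is repeated there because SCR annotation
     * processing may not resolve constant references.
     */
    private static final long DEFAULT_SKEW_MS = 300000L;

    /** Comma/space separated list of headers the signature must cover; empty = library defaults. */
    @Property({"date"})
    private static final String OSGI_HEADERS = "httpsig.headers";

    /** Realm advertised in the challenge. */
    @Property({"Sling (Development)"})
    private static final String OSGI_REALM = "httpsig.realm";

    /** Allowed clock skew, in milliseconds, for the signed Date header. */
    @Property(longValue = {300000})
    private static final String OSGI_SKEW = "httpsig.skew";

    /** The one JCR user every accepted signature is mapped to. */
    @Property({"admin"})
    private static final String OSGI_USERNAME = "httpsig.username";

    /** Optional explicit path to an authorized_keys file. */
    @Property
    private static final String OSGI_AUTHORIZED_KEYS = "httpsig.authkeys";

    @Reference
    private SlingRepository repository;

    @Reference
    private SlingSettingsService slingSettingsService;
    private String realm;
    private List<String> headers;
    private long skew;
    private Keychain keychain;
    private Challenge challenge;
    private String username;
    /**
     * Cached token credentials for {@link #username}, shared by all requests handled by this
     * component. NOTE(review): read and written without synchronization; concurrent first
     * requests may each mint a token (no visible guard) — confirm this is acceptable.
     */
    private Credentials userCredentials;
    private UserKeysFingerprintKeyId keyIdentifier;
    private String authorizedKeys;

    /**
     * Reads the component configuration and builds the keychain and challenge once.
     *
     * @param map the OSGi component properties
     */
    @Activate
    protected void activate(Map<String, Object> map) {
        this.realm = OsgiUtil.toString(map.get(OSGI_REALM), "");
        String headerList = OsgiUtil.toString(map.get(OSGI_HEADERS), "");
        // A blank header list means "use the library defaults", not "sign nothing".
        this.headers = headerList.trim().isEmpty() ? Constants.DEFAULT_HEADERS : Constants.parseTokens(headerList);
        // Fallback now matches the declared metatype default; previously it was 1 ms, which
        // disagreed with the 300000 declared on the property.
        this.skew = OsgiUtil.toLong(map.get(OSGI_SKEW), DEFAULT_SKEW_MS);
        this.username = OsgiUtil.toString(map.get(OSGI_USERNAME), "");
        this.authorizedKeys = OsgiUtil.toString(map.get(OSGI_AUTHORIZED_KEYS), (String) null);
        // The key identifier is bound to the configured user, so keys are looked up for that
        // user only; the keyId in the request does not choose a different principal.
        this.keyIdentifier = new UserKeysFingerprintKeyId(this.username);
        this.keychain = loadKeychain();
        this.challenge = new Challenge(this.realm, this.headers, this.keychain.getAlgorithms());
    }

    /**
     * Clears all configuration-derived state, including the cached token credentials.
     *
     * @param map the OSGi component properties (unused)
     */
    @Deactivate
    protected void deactivate(Map<String, Object> map) {
        this.realm = null;
        this.headers = null;
        this.skew = -1L;
        this.username = null;
        this.authorizedKeys = null;
        this.keyIdentifier = null;
        this.keychain = null;
        this.challenge = null;
        this.userCredentials = null;
    }

    /**
     * Resolves the keychain in order of precedence: the explicitly configured file, then
     * {@code <sling.home>/../.ssh/authorized_keys} if it exists, then the library default.
     *
     * @return the keychain to verify signatures against; on an I/O failure a fresh
     *         {@link DefaultKeychain} (presumably empty) so the handler fails closed
     */
    private Keychain loadKeychain() {
        try {
            if (this.authorizedKeys != null && !this.authorizedKeys.trim().isEmpty()) {
                return AuthorizedKeys.newKeychain(new File(this.authorizedKeys));
            }
            File slingHomeKeys = new File(this.slingSettingsService.getSlingHomePath(), "../.ssh/authorized_keys");
            if (slingHomeKeys.exists()) {
                return AuthorizedKeys.newKeychain(slingHomeKeys);
            }
            // NOTE(review): the library default presumably resolves to the process owner's own
            // ~/.ssh/authorized_keys — confirm. If so, anyone able to SSH in as that OS user can
            // also authenticate to Sling as httpsig.username.
            return AuthorizedKeys.defaultKeychain();
        } catch (IOException e) {
            // Fail closed: an unreadable key file must not turn into open access.
            LOGGER.error("[loadKeychain] failed to get a keychain.", e);
            return new DefaultKeychain();
        }
    }

    /**
     * Verifies a Signature authorization on the request, if present.
     *
     * @return {@code null} when the request carries no authorization (other handlers may
     *         apply); the user's {@link AuthenticationInfo} on success; or
     *         {@link AuthenticationInfo#DOING_AUTH} when this method has already written the
     *         response (a {@code j_validate} acknowledgement or a challenge)
     */
    public AuthenticationInfo extractCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        Authorization authorization = ServletUtil.getAuthorization(httpServletRequest);
        if (authorization == null) {
            return null;
        }
        RequestContent requestContent = ServletUtil.getRequestContent(httpServletRequest);
        // NOTE(review): if RequestContent.toString() renders header values (Authorization,
        // Cookie), this debug line writes credentials to the log — confirm before enabling
        // debug logging in production.
        LOGGER.debug("[extractCredentials] requestContent: {}", requestContent);
        AuthenticationInfo info = extractCredentials(authorization, requestContent);
        if (info != null) {
            if ("true".equalsIgnoreCase(httpServletRequest.getParameter("j_validate"))) {
                // Sling convention: j_validate=true only checks the credentials and answers
                // with an empty 200 instead of serving the resource.
                sendValid(httpServletResponse);
                return AuthenticationInfo.DOING_AUTH;
            }
            return info;
        }
        // Verification failed: answer with a challenge. NOTE(review): this assumes
        // getAuthorization() returns null for other schemes; if it does not, a request using
        // e.g. Basic auth would be answered with a Signature challenge here — confirm.
        try {
            if (ServletUtil.sendChallenge(httpServletResponse, this.challenge)) {
                return AuthenticationInfo.DOING_AUTH;
            }
            return null;
        } catch (IOException e) {
            LOGGER.warn("[extractCredentials] failed to send challenge.", e);
            return null;
        }
    }

    /**
     * Writes an empty, non-cacheable {@code 200 OK} acknowledging a {@code j_validate} request.
     *
     * @throws IllegalStateException if the response has already been committed
     */
    private static void sendValid(HttpServletResponse httpServletResponse) {
        LOGGER.debug("[sendValid] sending 200/ok");
        if (httpServletResponse.isCommitted()) {
            throw new IllegalStateException("Response is already committed");
        }
        httpServletResponse.resetBuffer();
        try {
            httpServletResponse.setStatus(200);
            httpServletResponse.setContentType("text/plain");
            httpServletResponse.setContentLength(0);
            httpServletResponse.setHeader("Pragma", "no-cache");
            // Both directives in a single value: the previous two setHeader() calls left
            // only "no-store" on the wire, because setHeader() replaces the earlier value.
            httpServletResponse.setHeader("Cache-Control", "no-cache, no-store");
            httpServletResponse.flushBuffer();
        } catch (IOException e) {
            LOGGER.error("Failed to send 'valid' response", e);
        }
    }

    /**
     * Runs the signature verification and, on success, maps the request to the configured user.
     *
     * @return the {@link AuthenticationInfo} for {@link #username}, or {@code null} when the
     *         signature does not verify or no credentials could be obtained
     */
    private AuthenticationInfo extractCredentials(Authorization authorization, RequestContent requestContent) {
        if (authorization == null) {
            return null;
        }
        Verifier verifier = new Verifier(this.keychain, this.keyIdentifier);
        verifier.setSkew(this.skew);
        VerifyResult result = verifier.verifyWithResult(this.challenge, requestContent, authorization);
        if (result == VerifyResult.SUCCESS) {
            // Any key that verifies yields the same principal: the configured username.
            this.userCredentials = getCredentials(this.username, this.userCredentials);
            return createAuthInfo(this.username, this.userCredentials);
        }
        logVerifyFailure(result, verifier, authorization, requestContent);
        return null;
    }

    /**
     * Logs why verification failed. Known outcomes are logged at debug level; an unexpected
     * result is logged at error level unconditionally (it used to be hidden behind the
     * debug-enabled check).
     */
    private void logVerifyFailure(VerifyResult result, Verifier verifier, Authorization authorization, RequestContent requestContent) {
        switch (result) {
            case CHALLENGE_NOT_SATISFIED:
                LOGGER.debug("[extractCredentials] verify result: {}, cHeaders: {}, aHeaders: {}", new Object[]{result, this.challenge.getHeaders(), authorization.getHeaders()});
                break;
            case EXPIRED_DATE_HEADER:
                LOGGER.debug("[extractCredentials] verify result: {}, skewMS: {}, date header: {}", new Object[]{result, Long.valueOf(verifier.getSkew()), requestContent.getDate()});
                break;
            case FAILED_KEY_VERIFY:
            case INCOMPLETE_REQUEST:
                // Header names only, never values, so nothing sensitive lands in the log here.
                LOGGER.debug("[extractCredentials] verify result: {}, aHeaders: {}, rHeaders: {}, request-line: {}", new Object[]{result, authorization.getHeaders(), requestContent.getHeaderNames(), requestContent.getRequestLine()});
                break;
            case KEY_NOT_FOUND:
                LOGGER.debug("[extractCredentials] verify result: {}, keyId: {}", new Object[]{result, authorization.getKeyId()});
                break;
            default:
                LOGGER.error("[extractCredentials] verify result: {}", result);
                break;
        }
    }

    /**
     * Returns credentials for {@code str}, reusing {@code credentials} if a repository login
     * with them still succeeds and minting fresh token credentials otherwise.
     *
     * @param str         the JCR user id to obtain credentials for
     * @param credentials previously cached credentials, or {@code null}
     * @return reusable {@link Credentials}, or {@code null} if none could be created
     */
    private Credentials getCredentials(String str, Credentials credentials) {
        if (credentials != null && canLogin(credentials)) {
            return credentials;
        }
        return mintTokenCredentials(str);
    }

    /**
     * Probes the cached credentials with a throw-away login; a failure (for example an
     * expired token) is logged at info level and reported as {@code false}.
     */
    private boolean canLogin(Credentials credentials) {
        Session probe = null;
        try {
            probe = this.repository.login(credentials);
            return true;
        } catch (RepositoryException e) {
            LOGGER.info("[createCredentials] failed to login using old credentials. Creating new credentials.", e);
            return false;
        } finally {
            if (probe != null) {
                probe.logout();
            }
        }
    }

    /**
     * Mints {@link TokenCredentials} for {@code userId} by impersonating the user from an
     * administrative session with the {@code .token} attribute set, which makes Jackrabbit
     * issue a login token. Both sessions are logged out before returning.
     *
     * @return the token credentials, or {@code null} if the repository refused
     */
    private Credentials mintTokenCredentials(String userId) {
        Session adminSession = null;
        Session userSession = null;
        try {
            adminSession = this.repository.loginAdministrative((String) null);
            SimpleCredentials simpleCredentials = new SimpleCredentials(userId, new char[0]);
            simpleCredentials.setAttribute(".token", "");
            userSession = adminSession.impersonate(simpleCredentials);
            return new TokenCredentials((String) simpleCredentials.getAttribute(".token"));
        } catch (RepositoryException e) {
            LOGGER.error("[createCredentials] failed to create credentials for user: " + userId, e);
            return null;
        } finally {
            if (userSession != null) {
                userSession.logout();
            }
            if (adminSession != null) {
                adminSession.logout();
            }
        }
    }

    /**
     * Wraps the credentials in an {@link AuthenticationInfo} of auth type {@code Signature}.
     *
     * @return the info, or {@code null} when there are no credentials to carry
     */
    private AuthenticationInfo createAuthInfo(String str, Credentials credentials) {
        if (credentials == null) {
            return null;
        }
        AuthenticationInfo authenticationInfo = new AuthenticationInfo("Signature", str);
        authenticationInfo.put("user.jcr.credentials", credentials);
        return authenticationInfo;
    }

    /** This handler never initiates a challenge on its own; see {@link #extractCredentials}. */
    public boolean requestCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
        return false;
    }

    /** Nothing to drop: no cookie or session state is issued to the client. */
    public void dropCredentials(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) throws IOException {
    }

    protected void bindRepository(SlingRepository slingRepository) {
        this.repository = slingRepository;
    }

    protected void unbindRepository(SlingRepository slingRepository) {
        if (this.repository == slingRepository) {
            this.repository = null;
        }
    }

    protected void bindSlingSettingsService(SlingSettingsService slingSettingsService) {
        this.slingSettingsService = slingSettingsService;
    }

    protected void unbindSlingSettingsService(SlingSettingsService slingSettingsService) {
        if (this.slingSettingsService == slingSettingsService) {
            this.slingSettingsService = null;
        }
    }
}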
