package org.apache.jackrabbit.core.security.authentication.token;

import java.io.UnsupportedEncodingException;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Calendar;
import java.util.Collections;
import java.util.Date;
import java.util.GregorianCalendar;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.jcr.Node;
import javax.jcr.Property;
import javax.jcr.PropertyIterator;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.authentication.token.TokenCredentials;
import org.apache.jackrabbit.api.security.principal.ItemBasedPrincipal;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.core.NodeImpl;
import org.apache.jackrabbit.core.SessionImpl;
import org.apache.jackrabbit.core.id.NodeId;
import org.apache.jackrabbit.core.id.NodeIdFactory;
import org.apache.jackrabbit.core.security.SecurityConstants;
import org.apache.jackrabbit.core.security.user.UserImpl;
import org.apache.jackrabbit.spi.Name;
import org.apache.jackrabbit.util.ISO8601;
import org.apache.jackrabbit.util.Text;
import org.apache.tika.metadata.Metadata;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:WEB-INF/lib/jackrabbit-core-2.10.5.jar:org/apache/jackrabbit/core/security/authentication/token/CompatTokenProvider.class */
public class CompatTokenProvider {
    private static final Logger log = LoggerFactory.getLogger(CompatTokenProvider.class);
    private static final String TOKEN_ATTRIBUTE = ".token";
    private static final String TOKEN_ATTRIBUTE_EXPIRY = ".token.exp";
    private static final String TOKEN_ATTRIBUTE_KEY = ".token.key";
    private static final String TOKENS_NODE_NAME = ".tokens";
    private static final String TOKENS_NT_NAME = "nt:unstructured";
    private static final char DELIM = '_';
    private final SessionImpl session;
    private final UserManager userManager;
    private final long tokenExpiration;

    /* loaded from: input_file:WEB-INF/lib/jackrabbit-core-2.10.5.jar:org/apache/jackrabbit/core/security/authentication/token/CompatTokenProvider$CompatModeInfo.class */
    private final class CompatModeInfo implements TokenInfo {
        private final String token;
        private final Map<String, String> attributes;
        private final Map<String, String> info;
        private final long expiry;
        private final String key;

        private CompatModeInfo(CompatTokenProvider compatTokenProvider, String str) throws RepositoryException {
            this(str, CompatTokenProvider.getTokenNode(str, compatTokenProvider.session));
        }

        private CompatModeInfo(String str, Node node) throws RepositoryException {
            this.token = str;
            long j = Long.MAX_VALUE;
            String str2 = null;
            if (str != null) {
                this.attributes = new HashMap();
                this.info = new HashMap();
                PropertyIterator properties = node.getProperties();
                while (properties.hasNext()) {
                    Property nextProperty = properties.nextProperty();
                    String name = nextProperty.getName();
                    if (CompatTokenProvider.TOKEN_ATTRIBUTE_EXPIRY.equals(name)) {
                        j = nextProperty.getLong();
                    } else if (CompatTokenProvider.TOKEN_ATTRIBUTE_KEY.equals(name)) {
                        str2 = nextProperty.getString();
                    } else if (CompatTokenProvider.isMandatoryAttribute(name)) {
                        this.attributes.put(name, nextProperty.getString());
                    } else if (CompatTokenProvider.isInfoAttribute(name)) {
                        this.info.put(name, nextProperty.getString());
                    }
                }
            } else {
                this.attributes = Collections.emptyMap();
                this.info = Collections.emptyMap();
            }
            this.expiry = j;
            this.key = str2;
        }

        @Override // org.apache.jackrabbit.core.security.authentication.token.TokenInfo
        public String getToken() {
            return this.token;
        }

        @Override // org.apache.jackrabbit.core.security.authentication.token.TokenInfo
        public boolean isExpired(long j) {
            return this.expiry < j;
        }

        @Override // org.apache.jackrabbit.core.security.authentication.token.TokenInfo
        public boolean remove() {
            Session session = null;
            try {
                try {
                    session = CompatTokenProvider.this.session.createSession(CompatTokenProvider.this.session.getWorkspace().getName());
                    CompatTokenProvider.getTokenNode(this.token, session).remove();
                    session.save();
                    if (session != null) {
                        session.logout();
                    }
                    return true;
                } catch (RepositoryException e) {
                    CompatTokenProvider.log.warn("Internal error while removing token node.", e);
                    if (session == null) {
                        return false;
                    }
                    session.logout();
                    return false;
                }
            } catch (Throwable th) {
                if (session != null) {
                    session.logout();
                }
                throw th;
            }
        }

        @Override // org.apache.jackrabbit.core.security.authentication.token.TokenInfo
        public boolean matches(TokenCredentials tokenCredentials) throws RepositoryException {
            if (this.key != null && !this.key.equals(CompatTokenProvider.getDigestedKey(tokenCredentials))) {
                return false;
            }
            for (String str : this.attributes.keySet()) {
                if (!this.attributes.get(str).equals(tokenCredentials.getAttribute(str))) {
                    return false;
                }
            }
            List asList = Arrays.asList(tokenCredentials.getAttributeNames());
            for (String str2 : this.info.keySet()) {
                if (!asList.contains(str2)) {
                    tokenCredentials.setAttribute(str2, this.info.get(str2));
                }
            }
            return true;
        }

        @Override // org.apache.jackrabbit.core.security.authentication.token.TokenInfo
        public boolean resetExpiration(long j) throws RepositoryException {
            Session session = null;
            try {
                try {
                    if (this.expiry - j > CompatTokenProvider.this.tokenExpiration / 2) {
                        if (0 == 0) {
                            return false;
                        }
                        session.logout();
                        return false;
                    }
                    long j2 = j + CompatTokenProvider.this.tokenExpiration;
                    Calendar gregorianCalendar = GregorianCalendar.getInstance();
                    gregorianCalendar.setTimeInMillis(j2);
                    session = CompatTokenProvider.this.session.createSession(CompatTokenProvider.this.session.getWorkspace().getName());
                    CompatTokenProvider.getTokenNode(this.token, session).setProperty(CompatTokenProvider.TOKEN_ATTRIBUTE_EXPIRY, session.getValueFactory().createValue(gregorianCalendar));
                    session.save();
                    if (session != null) {
                        session.logout();
                    }
                    return true;
                } catch (RepositoryException e) {
                    CompatTokenProvider.log.warn("Failed to update expiry or informative attributes of token node.", e);
                    if (session == null) {
                        return false;
                    }
                    session.logout();
                    return false;
                }
            } catch (Throwable th) {
                if (session != null) {
                    session.logout();
                }
                throw th;
            }
        }

        @Override // org.apache.jackrabbit.core.security.authentication.token.TokenInfo
        public TokenCredentials getCredentials() {
            TokenCredentials tokenCredentials = new TokenCredentials(this.token);
            for (String str : this.attributes.keySet()) {
                tokenCredentials.setAttribute(str, this.attributes.get(str));
            }
            for (String str2 : this.info.keySet()) {
                tokenCredentials.setAttribute(str2, this.info.get(str2));
            }
            return tokenCredentials;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public CompatTokenProvider(SessionImpl sessionImpl, long j) throws RepositoryException {
        this.session = sessionImpl;
        this.userManager = sessionImpl.getUserManager();
        this.tokenExpiration = j;
    }

    public TokenInfo createToken(User user, SimpleCredentials simpleCredentials) throws RepositoryException {
        Principal principal = user.getPrincipal();
        String path = principal instanceof ItemBasedPrincipal ? ((ItemBasedPrincipal) principal).getPath() : null;
        if (path == null || !this.session.nodeExists(path)) {
            throw new RepositoryException("Cannot create login token: No corresponding node for User " + user.getID() + " in workspace '" + this.session.getWorkspace().getName() + "'.");
        }
        Node node = this.session.getNode(path);
        if (!node.hasNode(TOKENS_NODE_NAME)) {
            node.addNode(TOKENS_NODE_NAME, "nt:unstructured");
            try {
                this.session.save();
            } catch (RepositoryException e) {
                this.session.refresh(false);
            }
        }
        Node node2 = node.getNode(TOKENS_NODE_NAME);
        long time = new Date().getTime();
        long j = time + this.tokenExpiration;
        Calendar gregorianCalendar = GregorianCalendar.getInstance();
        gregorianCalendar.setTimeInMillis(time);
        String generateKey = generateKey(8);
        String replace = Text.replace(ISO8601.format(gregorianCalendar), Metadata.NAMESPACE_PREFIX_DELIMITER, ".");
        Node addNode = System.getProperty(NodeIdFactory.SEQUENTIAL_NODE_ID) == null ? node2.addNode(replace) : ((NodeImpl) node2).addNodeWithUuid(replace, NodeId.randomId().toString());
        StringBuilder sb = new StringBuilder(addNode.getIdentifier());
        sb.append('_').append(generateKey);
        String sb2 = sb.toString();
        TokenCredentials tokenCredentials = new TokenCredentials(sb2);
        simpleCredentials.setAttribute(".token", sb2);
        addNode.setProperty(TOKEN_ATTRIBUTE_KEY, getDigestedKey(generateKey));
        gregorianCalendar.setTimeInMillis(j);
        addNode.setProperty(TOKEN_ATTRIBUTE_EXPIRY, this.session.getValueFactory().createValue(gregorianCalendar));
        for (String str : simpleCredentials.getAttributeNames()) {
            if (!".token".equals(str)) {
                String obj = simpleCredentials.getAttribute(str).toString();
                addNode.setProperty(str, obj);
                tokenCredentials.setAttribute(str, obj);
            }
        }
        this.session.save();
        return new CompatModeInfo(sb2, addNode);
    }

    public TokenInfo getTokenInfo(String str) throws RepositoryException {
        if (str == null) {
            return null;
        }
        NodeImpl nodeImpl = (NodeImpl) getTokenNode(str, this.session);
        if (getUserId(nodeImpl, this.userManager) == null || !isValidTokenTree(nodeImpl)) {
            return null;
        }
        return new CompatModeInfo(str);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static Node getTokenNode(String str, Session session) throws RepositoryException {
        int indexOf = str.indexOf(95);
        return session.getNodeByIdentifier(indexOf == -1 ? str : str.substring(0, indexOf));
    }

    public static String getUserId(TokenCredentials tokenCredentials, Session session) throws RepositoryException {
        if (session instanceof JackrabbitSession) {
            return getUserId((NodeImpl) getTokenNode(tokenCredentials.getToken(), session), ((JackrabbitSession) session).getUserManager());
        }
        throw new RepositoryException("JackrabbitSession expected");
    }

    private static String getUserId(NodeImpl nodeImpl, UserManager userManager) throws RepositoryException {
        if (nodeImpl == null) {
            return null;
        }
        final NodeImpl nodeImpl2 = (NodeImpl) nodeImpl.getParent().getParent();
        final String string = nodeImpl2.getProperty(UserImpl.P_PRINCIPAL_NAME).getString();
        if (!nodeImpl2.isNodeType(UserImpl.NT_REP_USER)) {
            throw new RepositoryException("Failed to calculate userId from token credentials");
        }
        Authorizable authorizable = userManager.getAuthorizable(new ItemBasedPrincipal() { // from class: org.apache.jackrabbit.core.security.authentication.token.CompatTokenProvider.1
            @Override // org.apache.jackrabbit.api.security.principal.ItemBasedPrincipal
            public String getPath() throws RepositoryException {
                return NodeImpl.this.getPath();
            }

            @Override // java.security.Principal
            public String getName() {
                return string;
            }
        });
        if (authorizable == null || authorizable.isGroup() || ((User) authorizable).isDisabled()) {
            return null;
        }
        return authorizable.getID();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static boolean isMandatoryAttribute(String str) {
        return str != null && str.startsWith(".token");
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static boolean isInfoAttribute(String str) {
        String namespacePrefix = Text.getNamespacePrefix(str);
        return (Name.NS_JCR_PREFIX.equals(namespacePrefix) || "rep".equals(namespacePrefix)) ? false : true;
    }

    private static boolean isValidTokenTree(NodeImpl nodeImpl) throws RepositoryException {
        if (nodeImpl == null) {
            return false;
        }
        return TOKENS_NODE_NAME.equals(nodeImpl.getParent().getName());
    }

    private static String generateKey(int i) {
        byte[] bArr = new byte[i];
        new SecureRandom().nextBytes(bArr);
        StringBuffer stringBuffer = new StringBuffer(bArr.length * 2);
        for (byte b : bArr) {
            stringBuffer.append(Text.hexTable[(b >> 4) & 15]);
            stringBuffer.append(Text.hexTable[b & 15]);
        }
        return stringBuffer.toString();
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static String getDigestedKey(TokenCredentials tokenCredentials) throws RepositoryException {
        String token = tokenCredentials.getToken();
        int indexOf = token.indexOf(95);
        if (indexOf > -1) {
            return getDigestedKey(token.substring(indexOf + 1));
        }
        return null;
    }

    private static String getDigestedKey(String str) throws RepositoryException {
        try {
            StringBuilder sb = new StringBuilder();
            sb.append("{").append(SecurityConstants.DEFAULT_DIGEST).append("}");
            sb.append(Text.digest(SecurityConstants.DEFAULT_DIGEST, str, "UTF-8"));
            return sb.toString();
        } catch (UnsupportedEncodingException e) {
            throw new RepositoryException("Failed to generate login token.");
        } catch (NoSuchAlgorithmException e2) {
            throw new RepositoryException("Failed to generate login token.");
        }
    }
}
