package org.apache.jackrabbit.core.security.authentication.token;

import java.io.UnsupportedEncodingException;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Calendar;
import java.util.Collections;
import java.util.Date;
import java.util.GregorianCalendar;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.jcr.Credentials;
import javax.jcr.Node;
import javax.jcr.Property;
import javax.jcr.PropertyIterator;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import org.apache.jackrabbit.api.security.authentication.token.TokenCredentials;
import org.apache.jackrabbit.api.security.principal.ItemBasedPrincipal;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.core.NodeImpl;
import org.apache.jackrabbit.core.SessionImpl;
import org.apache.jackrabbit.core.id.NodeId;
import org.apache.jackrabbit.core.id.NodeIdFactory;
import org.apache.jackrabbit.core.security.SecurityConstants;
import org.apache.jackrabbit.core.security.authentication.Authentication;
import org.apache.jackrabbit.spi.Name;
import org.apache.jackrabbit.util.ISO8601;
import org.apache.jackrabbit.util.Text;
import org.apache.tika.metadata.Metadata;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/jackrabbit-core-2.6.2.jar:org/apache/jackrabbit/core/security/authentication/token/TokenBasedAuthentication.class */
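/**
 * {@link Authentication} implementation that validates a login token against
 * the token node stored in the repository.
 *
 * <p>As built by {@link #createToken}, a token has the form
 * {@code <token node identifier>_<key>}. The node identifier locates the token
 * node; the key is random and only its digest is stored on that node
 * ({@code .token.key}), next to the expiry time ({@code .token.exp}) and any
 * credential attributes captured at creation time.
 *
 * <p>Stored properties whose name starts with {@code .token} are "mandatory"
 * attributes: the presented credentials must carry the same value. Other
 * properties outside the {@code jcr}/{@code rep} namespaces are "info"
 * attributes and are copied onto the credentials after a successful login.
 */
public class TokenBasedAuthentication implements Authentication {
    private static final Logger log = LoggerFactory.getLogger(TokenBasedAuthentication.class);

    /** Default token lifetime in milliseconds (two hours). */
    public static final long TOKEN_EXPIRATION = 7200000;

    /** Credentials attribute that requests a token (empty value) or carries it. */
    public static final String TOKEN_ATTRIBUTE = ".token";

    private static final String TOKEN_ATTRIBUTE_EXPIRY = ".token.exp";
    private static final String TOKEN_ATTRIBUTE_KEY = ".token.key";
    private static final String TOKENS_NODE_NAME = ".tokens";
    private static final String TOKENS_NT_NAME = "nt:unstructured";

    /** Separates the token node identifier from the key inside a token. */
    private static final char DELIM = '_';

    private final String token;
    private final long tokenExpiration;
    private final Session session;
    private final Map<String, String> attributes;
    private final Map<String, String> info;
    private final long expiry;
    private final String key;

    /**
     * Loads the stored state of the token node addressed by {@code token}.
     *
     * <p>Security-relevant defaults: a node without a {@code .token.exp}
     * property leaves the expiry at {@code Long.MAX_VALUE}, and a node without
     * a {@code .token.key} property leaves the key {@code null}, in which case
     * {@link #authenticate} performs no key check.
     * NOTE(review): nothing in this class verifies that the resolved node lives
     * below a {@code .tokens} node; confirm that callers establish this.
     *
     * @param token the token string, or {@code null} if the login is not token based
     * @param tokenExpiration token lifetime in milliseconds, used when the expiry is extended
     * @param session session used to read the token node
     * @throws RepositoryException if the token node cannot be resolved or read
     */
    public TokenBasedAuthentication(String token, long tokenExpiration, Session session) throws RepositoryException {
        this.session = session;
        this.tokenExpiration = tokenExpiration;
        this.token = token;

        long storedExpiry = Long.MAX_VALUE;
        String storedKey = null;
        if (token == null) {
            this.attributes = Collections.emptyMap();
            this.info = Collections.emptyMap();
        } else {
            this.attributes = new HashMap<String, String>();
            this.info = new HashMap<String, String>();
            PropertyIterator properties = getTokenNode(token, session).getProperties();
            while (properties.hasNext()) {
                Property property = properties.nextProperty();
                String name = property.getName();
                // Expiry and key are tested first so that they never end up in
                // the mandatory attribute map although they start with ".token".
                if (TOKEN_ATTRIBUTE_EXPIRY.equals(name)) {
                    storedExpiry = property.getLong();
                } else if (TOKEN_ATTRIBUTE_KEY.equals(name)) {
                    storedKey = property.getString();
                } else if (isMandatoryAttribute(name)) {
                    this.attributes.put(name, property.getString());
                } else if (isInfoAttribute(name)) {
                    this.info.put(name, property.getString());
                }
            }
        }
        this.expiry = storedExpiry;
        this.key = storedKey;
    }

    /**
     * @return {@code true} if this instance was created with a token and the
     *         credentials are {@link TokenCredentials}
     */
    @Override
    public boolean canHandle(Credentials credentials) {
        return this.token != null && isTokenBasedLogin(credentials);
    }

    /**
     * Validates the presented token credentials against the stored token node.
     *
     * <p>Checks, in order: the token string, the expiry (an expired token node
     * is removed), the key digest (only when a key is stored) and all mandatory
     * attributes. On success the stored info attributes that the credentials do
     * not already carry are copied onto them and the expiry may be extended.
     *
     * @param credentials the credentials to validate
     * @return {@code true} if the credentials match the stored token
     * @throws RepositoryException if the credentials are not {@link TokenCredentials}
     *         or the key digest cannot be computed
     */
    @Override
    public boolean authenticate(Credentials credentials) throws RepositoryException {
        if (!(credentials instanceof TokenCredentials)) {
            // null credentials are reported like any other unsupported type
            // instead of failing with a NullPointerException.
            String type = credentials == null ? "null" : credentials.getClass().getName();
            throw new RepositoryException("TokenCredentials expected. Cannot handle " + type);
        }
        TokenCredentials tokenCredentials = (TokenCredentials) credentials;

        // Fail closed when this instance was created without a token.
        if (this.token == null || !this.token.equals(tokenCredentials.getToken())) {
            return false;
        }

        long now = new Date().getTime();
        if (this.expiry < now) {
            removeToken();
            return false;
        }

        // NOTE(review): a token node without a stored key skips this check, so
        // the node identifier alone is accepted for such nodes.
        if (this.key != null && !constantTimeEquals(this.key, getDigestedKey(tokenCredentials))) {
            return false;
        }

        for (Map.Entry<String, String> mandatory : this.attributes.entrySet()) {
            if (!mandatory.getValue().equals(tokenCredentials.getAttribute(mandatory.getKey()))) {
                return false;
            }
        }

        // Info attributes never override a value the caller supplied.
        List<String> presentedNames = Arrays.asList(tokenCredentials.getAttributeNames());
        for (Map.Entry<String, String> informative : this.info.entrySet()) {
            if (!presentedNames.contains(informative.getKey())) {
                tokenCredentials.setAttribute(informative.getKey(), informative.getValue());
            }
        }

        updateTokenNode(this.expiry, now);
        return true;
    }

    /**
     * Extends the stored expiry to {@code now + tokenExpiration} once no more
     * than half of the configured lifetime remains. Best effort: a failure is
     * logged and does not affect the authentication result.
     *
     * @param currentExpiry the expiry currently stored on the token node
     * @param now the login time in milliseconds
     */
    private void updateTokenNode(long currentExpiry, long now) {
        Session updateSession = null;
        try {
            if (currentExpiry - now <= this.tokenExpiration / 2) {
                Calendar newExpiry = GregorianCalendar.getInstance();
                newExpiry.setTimeInMillis(now + this.tokenExpiration);
                // A separate session is used so the write does not touch
                // pending changes of the session this instance was given.
                updateSession = ((SessionImpl) this.session).createSession(this.session.getWorkspace().getName());
                getTokenNode(this.token, updateSession).setProperty(
                        TOKEN_ATTRIBUTE_EXPIRY, updateSession.getValueFactory().createValue(newExpiry));
                updateSession.save();
            }
        } catch (RepositoryException e) {
            log.warn("Failed to update expiry or informative attributes of token node.", e);
        } finally {
            if (updateSession != null) {
                updateSession.logout();
            }
        }
    }

    /**
     * Removes the node of an expired token. Best effort: a failure is logged
     * only; the caller rejects the login regardless.
     */
    private void removeToken() {
        Session removalSession = null;
        try {
            removalSession = ((SessionImpl) this.session).createSession(this.session.getWorkspace().getName());
            getTokenNode(this.token, removalSession).remove();
            removalSession.save();
        } catch (RepositoryException e) {
            log.warn("Internal error while removing token node.", e);
        } finally {
            if (removalSession != null) {
                removalSession.logout();
            }
        }
    }

    /**
     * @return {@code true} if the credentials are {@link TokenCredentials}
     */
    public static boolean isTokenBasedLogin(Credentials credentials) {
        return credentials instanceof TokenCredentials;
    }

    /**
     * @return {@code true} if the name is non-null and starts with {@code .token}
     */
    public static boolean isMandatoryAttribute(String attributeName) {
        return attributeName != null && attributeName.startsWith(TOKEN_ATTRIBUTE);
    }

    /**
     * @return {@code true} unless the name carries the {@code jcr} or
     *         {@code rep} namespace prefix
     */
    private static boolean isInfoAttribute(String propertyName) {
        String prefix = Text.getNamespacePrefix(propertyName);
        return !(Name.NS_JCR_PREFIX.equals(prefix) || Name.NS_REP_PREFIX.equals(prefix));
    }

    /**
     * @return {@code true} for the attribute names this class writes itself
     *         ({@code .token}, {@code .token.exp}, {@code .token.key})
     */
    private static boolean isReservedAttribute(String attributeName) {
        return TOKEN_ATTRIBUTE.equals(attributeName)
                || TOKEN_ATTRIBUTE_EXPIRY.equals(attributeName)
                || TOKEN_ATTRIBUTE_KEY.equals(attributeName);
    }

    /**
     * Tells whether a login asks for a token to be created: the credentials are
     * {@link SimpleCredentials} whose {@code .token} attribute is present and
     * has an empty string value.
     */
    public static boolean doCreateToken(Credentials credentials) {
        if (!(credentials instanceof SimpleCredentials)) {
            return false;
        }
        Object requested = ((SimpleCredentials) credentials).getAttribute(TOKEN_ATTRIBUTE);
        return requested != null && "".equals(requested.toString());
    }

    /**
     * Creates a token node below the {@code .tokens} child of the user's node
     * and returns matching {@link TokenCredentials}.
     *
     * <p>The token is also written to the {@code .token} attribute of
     * {@code simpleCredentials}. Only the digest of the random key is stored in
     * the repository. The remaining credential attributes are copied to the
     * token node and to the returned credentials, except the reserved names
     * {@code .token.exp} and {@code .token.key}: those are set by this method
     * and must not be overwritten by caller-supplied attribute values.
     *
     * @param user the user the token is issued for
     * @param simpleCredentials the credentials of the login requesting the token
     * @param tokenExpiration token lifetime in milliseconds
     * @param session session used to create and save the token node
     * @return the credentials holding the new token
     * @throws RepositoryException if the user has no node in the workspace or
     *         the token node cannot be written
     */
    public static synchronized Credentials createToken(User user, SimpleCredentials simpleCredentials,
            long tokenExpiration, Session session) throws RepositoryException {
        String workspaceName = session.getWorkspace().getName();
        if (user == null) {
            throw new RepositoryException("Cannot create login token: No corresponding node for 'null' user in workspace '" + workspaceName + "'.");
        }
        Principal principal = user.getPrincipal();
        String userPath = null;
        if (principal instanceof ItemBasedPrincipal) {
            userPath = ((ItemBasedPrincipal) principal).getPath();
        }
        if (userPath == null || !session.nodeExists(userPath)) {
            throw new RepositoryException("Cannot create login token: No corresponding node for User " + user.getID() + " in workspace '" + workspaceName + "'.");
        }

        Node userNode = session.getNode(userPath);
        Node tokenParent = userNode.hasNode(TOKENS_NODE_NAME)
                ? userNode.getNode(TOKENS_NODE_NAME)
                : userNode.addNode(TOKENS_NODE_NAME, TOKENS_NT_NAME);

        long creationTime = new Date().getTime();
        long expirationTime = creationTime + tokenExpiration;
        Calendar calendar = GregorianCalendar.getInstance();
        calendar.setTimeInMillis(creationTime);

        // 8 random bytes, i.e. a 16 character hex key.
        String key = generateKey(8);

        // The node is named after the creation time.
        // NOTE(review): Metadata.NAMESPACE_PREFIX_DELIMITER is presumably ":" and
        // looks like a decompiler constant substitution; confirm and consider a
        // plain literal so this class does not depend on Tika.
        String tokenName = Text.replace(ISO8601.format(calendar), Metadata.NAMESPACE_PREFIX_DELIMITER, ".");

        // With sequential node ids configured a random id is requested
        // explicitly, presumably so that the identifier embedded in the token
        // is not a sequential one; confirm against NodeIdFactory.
        Node tokenNode = System.getProperty(NodeIdFactory.SEQUENTIAL_NODE_ID) == null
                ? tokenParent.addNode(tokenName)
                : ((NodeImpl) tokenParent).addNodeWithUuid(tokenName, NodeId.randomId().toString());

        String token = new StringBuilder(tokenNode.getIdentifier()).append(DELIM).append(key).toString();
        TokenCredentials tokenCredentials = new TokenCredentials(token);
        simpleCredentials.setAttribute(TOKEN_ATTRIBUTE, token);

        tokenNode.setProperty(TOKEN_ATTRIBUTE_KEY, getDigestedKey(key));
        calendar.setTimeInMillis(expirationTime);
        tokenNode.setProperty(TOKEN_ATTRIBUTE_EXPIRY, session.getValueFactory().createValue(calendar));

        for (String attributeName : simpleCredentials.getAttributeNames()) {
            // Reserved names are skipped so that credential attributes cannot
            // replace the expiry or key digest written just above.
            if (!isReservedAttribute(attributeName)) {
                String value = simpleCredentials.getAttribute(attributeName).toString();
                tokenNode.setProperty(attributeName, value);
                tokenCredentials.setAttribute(attributeName, value);
            }
        }
        session.save();
        return tokenCredentials;
    }

    /**
     * Resolves the token node for the token held by the credentials.
     *
     * @throws RepositoryException if no node with that identifier is accessible
     */
    public static Node getTokenNode(TokenCredentials tokenCredentials, Session session) throws RepositoryException {
        return getTokenNode(tokenCredentials.getToken(), session);
    }

    /**
     * Resolves the node whose identifier is the part of the token before the
     * first {@code _}, or the whole token if it has no delimiter.
     *
     * <p>The lookup is by identifier only. NOTE(review): this method does not
     * check that the node is a child of a {@code .tokens} node; verify that the
     * callers do before trusting the node as a token.
     */
    private static Node getTokenNode(String token, Session session) throws RepositoryException {
        int delimiterIndex = token.indexOf(DELIM);
        String nodeId = delimiterIndex == -1 ? token : token.substring(0, delimiterIndex);
        return session.getNodeByIdentifier(nodeId);
    }

    /**
     * Generates {@code size} random bytes with {@link SecureRandom} and returns
     * them hex encoded (two characters per byte).
     */
    private static String generateKey(int size) {
        byte[] randomBytes = new byte[size];
        new SecureRandom().nextBytes(randomBytes);
        StringBuilder hex = new StringBuilder(randomBytes.length * 2);
        for (byte b : randomBytes) {
            hex.append(Text.hexTable[(b >> 4) & 15]);
            hex.append(Text.hexTable[b & 15]);
        }
        return hex.toString();
    }

    /**
     * Digests the key part of the presented token.
     *
     * @return the digested key, or {@code null} if the token has no delimiter
     */
    private static String getDigestedKey(TokenCredentials tokenCredentials) throws RepositoryException {
        String token = tokenCredentials.getToken();
        int delimiterIndex = token.indexOf(DELIM);
        if (delimiterIndex > -1) {
            return getDigestedKey(token.substring(delimiterIndex + 1));
        }
        return null;
    }

    /**
     * Returns {@code {<algorithm>}<digest>} for the key, using the algorithm
     * named by {@code SecurityConstants.DEFAULT_DIGEST}. No salt is passed to
     * the digest call here.
     *
     * @throws RepositoryException if the digest cannot be computed; the
     *         underlying exception is kept as the cause
     */
    private static String getDigestedKey(String key) throws RepositoryException {
        try {
            StringBuilder digested = new StringBuilder();
            digested.append("{").append(SecurityConstants.DEFAULT_DIGEST).append("}");
            digested.append(Text.digest(SecurityConstants.DEFAULT_DIGEST, key, "UTF-8"));
            return digested.toString();
        } catch (UnsupportedEncodingException e) {
            throw new RepositoryException("Failed to generate login token.", e);
        } catch (NoSuchAlgorithmException e) {
            throw new RepositoryException("Failed to generate login token.", e);
        }
    }

    /**
     * Compares the stored key digest with the presented one without returning
     * at the first differing character, so the comparison time does not depend
     * on how many leading characters match. The result is the same as
     * {@code expected.equals(presented)}.
     *
     * @param expected the stored digest, never {@code null}
     * @param presented the digest of the presented key, may be {@code null}
     */
    private static boolean constantTimeEquals(String expected, String presented) {
        if (presented == null || expected.length() != presented.length()) {
            return false;
        }
        int difference = 0;
        for (int i = 0; i < expected.length(); i++) {
            difference |= expected.charAt(i) ^ presented.charAt(i);
        }
        return difference == 0;
    }
}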
