package org.apache.jackrabbit.oak.spi.security.authentication.external.impl;

import java.security.Principal;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.jcr.Credentials;
import javax.jcr.SimpleCredentials;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.LoginException;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.oak.api.AuthInfo;
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule;
import org.apache.jackrabbit.oak.spi.security.authentication.AuthInfoImpl;
import org.apache.jackrabbit.oak.spi.security.authentication.ImpersonationCredentials;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityException;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityProvider;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityProviderManager;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalUser;
import org.apache.jackrabbit.oak.spi.security.authentication.external.SyncContext;
import org.apache.jackrabbit.oak.spi.security.authentication.external.SyncException;
import org.apache.jackrabbit.oak.spi.security.authentication.external.SyncHandler;
import org.apache.jackrabbit.oak.spi.security.authentication.external.SyncManager;
import org.apache.jackrabbit.oak.spi.security.authentication.external.SyncedIdentity;
import org.apache.jackrabbit.oak.spi.whiteboard.Whiteboard;
import org.apache.jackrabbit.oak.spi.whiteboard.WhiteboardUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authentication/external/impl/ExternalLoginModule.class */
public class ExternalLoginModule extends AbstractLoginModule {
    private static final Logger log = LoggerFactory.getLogger(ExternalLoginModule.class);
    public static final String PARAM_IDP_NAME = "idp.name";
    public static final String PARAM_SYNC_HANDLER_NAME = "sync.handlerName";
    private ConfigurationParameters osgiConfig;
    private ExternalIdentityProvider idp;
    private SyncHandler syncHandler;
    private ExternalUser externalUser;
    private Credentials credentials;

    public ExternalLoginModule() {
    }

    public ExternalLoginModule(ConfigurationParameters configurationParameters) {
        this.osgiConfig = configurationParameters;
    }

    public void initialize(Subject subject, CallbackHandler callbackHandler, Map<String, ?> map, Map<String, ?> map2) {
        super.initialize(subject, callbackHandler, map, map2);
        if (this.osgiConfig != null) {
            this.options = ConfigurationParameters.of(new ConfigurationParameters[]{this.osgiConfig, this.options});
        }
        Whiteboard whiteboard = getWhiteboard();
        if (whiteboard == null) {
            log.error("External login module needs whiteboard. Will not be used for login.");
            return;
        }
        String str = (String) this.options.getConfigValue("idp.name", "");
        if (str.length() == 0) {
            log.error("External login module needs IPD name. Will not be used for login.");
        } else {
            ExternalIdentityProviderManager externalIdentityProviderManager = (ExternalIdentityProviderManager) WhiteboardUtils.getService(whiteboard, ExternalIdentityProviderManager.class);
            if (externalIdentityProviderManager == null) {
                log.error("External login module needs IDPManager. Will not be used for login.");
            } else {
                this.idp = externalIdentityProviderManager.getProvider(str);
                if (this.idp == null) {
                    log.error("No IDP found with name {}. Will not be used for login.", str);
                }
            }
        }
        String str2 = (String) this.options.getConfigValue("sync.handlerName", "");
        if (str2.length() == 0) {
            log.error("External login module needs SyncHandler name. Will not be used for login.");
            return;
        }
        SyncManager syncManager = (SyncManager) WhiteboardUtils.getService(whiteboard, SyncManager.class);
        if (syncManager == null) {
            log.error("External login module needs SyncManager. Will not be used for login.");
            return;
        }
        this.syncHandler = syncManager.getSyncHandler(str2);
        if (this.syncHandler == null) {
            log.error("No SyncHandler found with name {}. Will not be used for login.", str2);
        }
    }

    public boolean login() throws LoginException {
        if (this.idp == null || this.syncHandler == null) {
            return false;
        }
        this.credentials = getCredentials();
        if (this.credentials == null) {
            log.debug("No credentials found for external login module. ignoring.");
            return false;
        }
        String userID = this.credentials instanceof SimpleCredentials ? this.credentials.getUserID() : null;
        SyncedIdentity syncedIdentity = null;
        if (userID != null) {
            try {
                syncedIdentity = this.syncHandler.findIdentity(getUserManager(), userID);
                if (syncedIdentity != null) {
                    if (syncedIdentity.getExternalIdRef() == null) {
                        log.debug("ignoring local user: {}", syncedIdentity.getId());
                        return false;
                    }
                    if (!syncedIdentity.getExternalIdRef().getProviderName().equals(this.idp.getName())) {
                        if (!log.isDebugEnabled()) {
                            return false;
                        }
                        log.debug("ignoring foreign identity: {} (idp={})", syncedIdentity.getExternalIdRef().getString(), this.idp.getName());
                        return false;
                    }
                }
            } catch (LoginException e) {
                Logger logger = log;
                Object[] objArr = new Object[3];
                objArr[0] = this.idp.getName();
                objArr[1] = userID == null ? this.credentials : userID;
                objArr[2] = e.getMessage();
                logger.debug("IDP {} throws login exception for '{}': {}", objArr);
                throw e;
            } catch (ExternalIdentityException e2) {
                Logger logger2 = log;
                Object[] objArr2 = new Object[3];
                objArr2[0] = userID == null ? this.credentials : userID;
                objArr2[1] = this.idp.getName();
                objArr2[2] = e2;
                logger2.error("Error while authenticating '{}' with {}", objArr2);
                return false;
            } catch (Exception e3) {
                Logger logger3 = log;
                Object[] objArr3 = new Object[3];
                objArr3[0] = this.syncHandler.getName();
                objArr3[1] = userID == null ? this.credentials : userID;
                objArr3[2] = e3;
                logger3.debug("SyncHandler {} throws sync exception for '{}'", objArr3);
                LoginException loginException = new LoginException("Error while syncing user.");
                loginException.initCause(e3);
                throw loginException;
            }
        }
        this.externalUser = this.idp.authenticate(this.credentials);
        if (this.externalUser != null) {
            log.debug("IDP {} returned valid user {}", this.idp.getName(), this.externalUser);
            this.sharedState.put("org.apache.jackrabbit.credentials", this.credentials);
            this.sharedState.put("javax.security.auth.login.name", this.externalUser.getId());
            syncUser(this.externalUser);
            return true;
        }
        if (log.isDebugEnabled()) {
            if (userID != null) {
                log.debug("IDP {} returned null for simple creds of {}", this.idp.getName(), userID);
            } else {
                log.debug("IDP {} returned null for {}", this.idp.getName(), this.credentials);
            }
        }
        if (syncedIdentity == null) {
            return false;
        }
        log.debug("local user exists for '{}'. re-validating.", syncedIdentity.getId());
        validateUser(syncedIdentity.getId());
        return false;
    }

    public boolean commit() throws LoginException {
        if (this.externalUser == null) {
            return false;
        }
        Set principals = getPrincipals(this.externalUser.getId());
        if (principals.isEmpty()) {
            return false;
        }
        if (this.subject.isReadOnly()) {
            log.debug("Could not add information to read only subject {}", this.subject);
            return true;
        }
        this.subject.getPrincipals().addAll(principals);
        this.subject.getPublicCredentials().add(this.credentials);
        setAuthInfo(createAuthInfo(this.externalUser.getId(), principals), this.subject);
        return true;
    }

    public boolean abort() throws LoginException {
        clearState();
        return true;
    }

    private void syncUser(@Nonnull ExternalUser externalUser) throws SyncException {
        SyncContext syncContext = null;
        try {
            try {
                Root root = getRoot();
                if (root == null) {
                    throw new SyncException("Cannot synchronize user. root == null");
                }
                UserManager userManager = getUserManager();
                if (userManager == null) {
                    throw new SyncException("Cannot synchronize user. userManager == null");
                }
                DebugTimer debugTimer = new DebugTimer();
                SyncContext createContext = this.syncHandler.createContext(this.idp, userManager, root);
                createContext.sync(externalUser);
                debugTimer.mark("sync");
                root.commit();
                debugTimer.mark("commit");
                if (log.isDebugEnabled()) {
                    log.debug("syncUser({}) {}", externalUser.getId(), debugTimer.getString());
                }
                if (createContext != null) {
                    createContext.close();
                }
            } catch (CommitFailedException e) {
                throw new SyncException("User synchronization failed during commit.", e);
            }
        } catch (Throwable th) {
            if (0 != 0) {
                syncContext.close();
            }
            throw th;
        }
    }

    private void validateUser(@Nonnull String str) throws SyncException {
        SyncContext syncContext = null;
        try {
            try {
                Root root = getRoot();
                if (root == null) {
                    throw new SyncException("Cannot synchronize user. root == null");
                }
                UserManager userManager = getUserManager();
                if (userManager == null) {
                    throw new SyncException("Cannot synchronize user. userManager == null");
                }
                DebugTimer debugTimer = new DebugTimer();
                SyncContext createContext = this.syncHandler.createContext(this.idp, userManager, root);
                createContext.sync(str);
                debugTimer.mark("sync");
                root.commit();
                debugTimer.mark("commit");
                if (log.isDebugEnabled()) {
                    log.debug("validateUser({}) {}", str, debugTimer.getString());
                }
                if (createContext != null) {
                    createContext.close();
                }
            } catch (CommitFailedException e) {
                throw new SyncException("User synchronization failed during commit.", e);
            }
        } catch (Throwable th) {
            if (0 != 0) {
                syncContext.close();
            }
            throw th;
        }
    }

    private AuthInfo createAuthInfo(String str, Set<? extends Principal> set) {
        Credentials baseCredentials = this.credentials instanceof ImpersonationCredentials ? this.credentials.getBaseCredentials() : this.credentials;
        HashMap hashMap = new HashMap();
        Object obj = this.sharedState.get("javax.security.auth.login.attributes");
        if (obj instanceof Map) {
            for (Object obj2 : ((Map) obj).keySet()) {
                hashMap.put(obj2.toString(), ((Map) obj).get(obj2));
            }
        } else if (baseCredentials instanceof SimpleCredentials) {
            SimpleCredentials simpleCredentials = (SimpleCredentials) baseCredentials;
            for (String str2 : simpleCredentials.getAttributeNames()) {
                hashMap.put(str2, simpleCredentials.getAttribute(str2));
            }
        }
        return new AuthInfoImpl(str, hashMap, set);
    }

    protected void clearState() {
        super.clearState();
        this.externalUser = null;
        this.credentials = null;
    }

    protected Set<Class> getSupportedCredentials() {
        return Collections.singleton(SimpleCredentials.class);
    }
}
