package org.apache.jackrabbit.oak.security.authentication.token;

import com.google.common.collect.Iterables;
import java.io.IOException;
import java.security.Principal;
import java.util.Collections;
import java.util.HashMap;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.jcr.Credentials;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginException;
import org.apache.jackrabbit.api.security.authentication.token.TokenCredentials;
import org.apache.jackrabbit.oak.api.AuthInfo;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule;
import org.apache.jackrabbit.oak.spi.security.authentication.AuthInfoImpl;
import org.apache.jackrabbit.oak.spi.security.authentication.callback.TokenProviderCallback;
import org.apache.jackrabbit.oak.spi.security.authentication.token.TokenConfiguration;
import org.apache.jackrabbit.oak.spi.security.authentication.token.TokenInfo;
import org.apache.jackrabbit.oak.spi.security.authentication.token.TokenProvider;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/jackrabbit/oak/security/authentication/token/TokenLoginModule.class */
/**
 * JAAS login module that handles {@link TokenCredentials}.
 *
 * <p>The module has two jobs, both visible in {@link #commit()}:
 * <ul>
 *   <li>If {@link #login()} validated a login token, commit populates the
 *       {@link Subject} with the token credentials, the resolved principals
 *       and an {@link AuthInfo}.</li>
 *   <li>Otherwise, if the shared state holds credentials for which the
 *       {@link TokenProvider} agrees to issue a token, commit creates a new
 *       login token and attaches it to the subject.</li>
 * </ul>
 *
 * <p>Security-relevant behaviour for reviewers:
 * <ul>
 *   <li>A freshly created token carries both its private and its public
 *       attributes on the {@code TokenCredentials} object, and that object is
 *       added to the subject's <em>public</em> credentials. Only the public
 *       attributes are written to the shared state.</li>
 *   <li>The token value itself is never logged by this class; the login name
 *       taken from the shared state is logged, and included in the
 *       exception message, when token creation fails.</li>
 * </ul>
 */
public final class TokenLoginModule extends AbstractLoginModule {
    private static final Logger log = LoggerFactory.getLogger(TokenLoginModule.class);

    // Per-login state. Everything below is reset by clearState().
    private TokenProvider tokenProvider;
    private TokenCredentials tokenCredentials;
    private TokenInfo tokenInfo;
    private Principal principal;
    private Set<? extends Principal> principals;
    private AuthInfo authInfo;

    /**
     * First authentication phase: validates token credentials, if any were supplied.
     *
     * <p>On success the validated credentials, the token info and the user
     * principal are remembered for {@link #commit()}, and the user id bound to
     * the token is published in the shared state under
     * {@code SHARED_KEY_LOGIN_NAME}.
     *
     * @return {@code true} if the supplied credentials are token credentials
     *         that {@code TokenAuthentication} accepted; {@code false} if no
     *         token provider is available, the credentials are of another
     *         type, or {@code authenticate} returned {@code false}
     * @throws LoginException declared by the login module contract; nothing in
     *         this method throws it directly
     */
    public boolean login() throws LoginException {
        tokenProvider = getTokenProvider();
        if (tokenProvider == null) {
            // Without a provider there is nothing to validate against.
            return false;
        }
        Credentials supplied = getCredentials();
        if (supplied instanceof TokenCredentials) {
            TokenCredentials candidate = (TokenCredentials) supplied;
            TokenAuthentication authentication = new TokenAuthentication(tokenProvider);
            if (authentication.authenticate(candidate)) {
                tokenCredentials = candidate;
                tokenInfo = authentication.getTokenInfo();
                principal = authentication.getUserPrincipal();
                log.debug("Login: adding login name to shared state.");
                this.sharedState.put(AbstractLoginModule.SHARED_KEY_LOGIN_NAME, tokenInfo.getUserId());
                return true;
            }
        }
        return false;
    }

    /**
     * Second authentication phase.
     *
     * <p>When {@link #login()} succeeded, the subject is updated with the
     * token credentials, principals and auth info, the system session is
     * closed and {@code true} is returned; the module state is kept so that
     * {@link #logout()} can use it.
     *
     * <p>Otherwise the method checks whether the shared state contains
     * credentials for which the token provider wants to create a token. If
     * so, a token is created and attached to the subject. This path always
     * returns {@code false} and always clears the module state.
     *
     * @return {@code true} only if this module's own login succeeded
     * @throws LoginException if the token provider was asked to create a
     *         token but returned {@code null}
     */
    public boolean commit() throws LoginException {
        if (tokenCredentials != null && tokenInfo != null) {
            // Prefer the principal resolved during login; fall back to a lookup by user id.
            if (principal != null) {
                principals = getPrincipals(principal);
            } else {
                principals = getPrincipals(tokenInfo.getUserId());
            }
            authInfo = getAuthInfo(tokenInfo, Iterables.concat(principals, this.subject.getPrincipals()));
            updateSubject(this.subject, tokenCredentials, authInfo);
            closeSystemSession();
            return true;
        }

        try {
            if (tokenProvider == null || !this.sharedState.containsKey(AbstractLoginModule.SHARED_KEY_CREDENTIALS)) {
                return false;
            }
            Credentials shared = getSharedCredentials();
            if (shared == null || !tokenProvider.doCreateToken(shared)) {
                return false;
            }

            // Refresh before creating the token so the provider works on current content.
            Root root = getRoot();
            if (root != null) {
                root.refresh();
            }

            TokenInfo created = tokenProvider.createToken(shared);
            if (created == null) {
                onError();
                Object loginName = this.sharedState.get(AbstractLoginModule.SHARED_KEY_LOGIN_NAME);
                log.error("TokenProvider failed to create a login token for user {}", loginName);
                throw new LoginException("Failed to create login token for user " + loginName);
            }

            // NOTE(review): private attributes end up on credentials that updateSubject()
            // stores in the subject's PUBLIC credential set, so any code holding the
            // Subject can read them. Public attributes are applied second and therefore
            // win if a key appears in both maps.
            TokenCredentials issued = new TokenCredentials(created.getToken());
            created.getPrivateAttributes().forEach(issued::setAttribute);
            created.getPublicAttributes().forEach(issued::setAttribute);

            // Only the public attributes are shared with other login modules.
            this.sharedState.put(AbstractLoginModule.SHARED_KEY_ATTRIBUTES, created.getPublicAttributes());
            updateSubject(this.subject, issued, null);
            return false;
        } finally {
            // Runs on every exit of the token-creation path, including the exception.
            clearState();
        }
    }

    /**
     * Delegates to the inherited logout with the credentials this module
     * contributed (token credentials and auth info, whichever are non-null)
     * and the principals computed in {@link #commit()}.
     *
     * @return the result of the inherited {@code logout(Set, Set)}
     * @throws LoginException if the inherited logout fails
     */
    @Override
    public boolean logout() throws LoginException {
        Set<Object> contributed = Stream.<Object>of(tokenCredentials, authInfo)
                .filter(Objects::nonNull)
                .collect(Collectors.toSet());
        // The inherited method is handed null rather than an empty set.
        return logout(contributed.isEmpty() ? null : contributed, principals);
    }

    /**
     * @return a singleton set containing {@link TokenCredentials}, the only
     *         credentials type this module declares as supported
     */
    @Override
    @NotNull
    protected Set<Class> getSupportedCredentials() {
        return Collections.singleton(TokenCredentials.class);
    }

    /**
     * Clears the inherited state and then drops every reference this module
     * keeps about the current login attempt.
     *
     * <p>The decompiler reported that the access modifier of this method was
     * changed from {@code protected}; it is kept {@code public} here.
     */
    @Override
    public void clearState() {
        super.clearState();
        tokenProvider = null;
        tokenCredentials = null;
        tokenInfo = null;
        principal = null;
        principals = null;
        authInfo = null;
    }

    /**
     * Looks up the token provider, first through the security provider's
     * {@link TokenConfiguration} and, if that yields nothing, through a
     * {@link TokenProviderCallback} sent to the callback handler.
     *
     * <p>A failing callback is logged and reported through {@code onError()};
     * it does not abort the login.
     *
     * @return the token provider, or {@code null} if neither source supplied one
     */
    @Nullable
    private TokenProvider getTokenProvider() {
        SecurityProvider securityProvider = getSecurityProvider();
        Root root = getRoot();

        TokenProvider provider = null;
        if (securityProvider != null && root != null) {
            TokenConfiguration configuration =
                    (TokenConfiguration) securityProvider.getConfiguration(TokenConfiguration.class);
            provider = configuration.getTokenProvider(root);
        }
        if (provider != null || this.callbackHandler == null) {
            return provider;
        }

        try {
            TokenProviderCallback callback = new TokenProviderCallback();
            this.callbackHandler.handle(new Callback[] {callback});
            provider = callback.getTokenProvider();
        } catch (IOException | UnsupportedCallbackException e) {
            onError();
            log.error(e.getMessage(), e);
        }
        return provider;
    }

    /**
     * Builds the {@link AuthInfo} for a validated token.
     *
     * @param tokenInfo the token info; only its user id and public attributes are read
     * @param iterable the principals to expose through the auth info
     * @return a new {@link AuthInfoImpl} holding a copy of the public attributes
     */
    @NotNull
    private static AuthInfo getAuthInfo(@NotNull TokenInfo tokenInfo, @NotNull Iterable<? extends Principal> iterable) {
        // Private token attributes are deliberately not part of the auth info.
        HashMap<String, Object> attributes = new HashMap<>(tokenInfo.getPublicAttributes());
        return new AuthInfoImpl(tokenInfo.getUserId(), attributes, iterable);
    }

    /**
     * Adds the token credentials to the subject's public credentials and, if
     * an auth info is given, adds its principals and registers the auth info
     * on the subject. A read-only subject is left untouched.
     *
     * @param subject the subject to populate
     * @param tokenCredentials the credentials to add to the public credential set
     * @param authInfo the auth info to apply, or {@code null} to add the credentials only
     */
    private static void updateSubject(@NotNull Subject subject, @NotNull TokenCredentials tokenCredentials, @Nullable AuthInfo authInfo) {
        if (!subject.isReadOnly()) {
            subject.getPublicCredentials().add(tokenCredentials);
            if (authInfo != null) {
                subject.getPrincipals().addAll(authInfo.getPrincipals());
                setAuthInfo(authInfo, subject);
            }
        }
    }
}
