package org.apache.jackrabbit.oak.security.authentication.token;

import com.google.common.collect.ImmutableMap;
import java.io.UnsupportedEncodingException;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Calendar;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import javax.jcr.AccessDeniedException;
import javax.jcr.Credentials;
import javax.jcr.RepositoryException;
import org.apache.jackrabbit.JcrConstants;
import org.apache.jackrabbit.api.security.authentication.token.TokenCredentials;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.plugins.identifier.IdentifierManager;
import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
import org.apache.jackrabbit.oak.spi.namespace.NamespaceConstants;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.authentication.ImpersonationCredentials;
import org.apache.jackrabbit.oak.spi.security.authentication.credentials.CredentialsSupport;
import org.apache.jackrabbit.oak.spi.security.authentication.credentials.SimpleCredentialsSupport;
import org.apache.jackrabbit.oak.spi.security.authentication.token.TokenConstants;
import org.apache.jackrabbit.oak.spi.security.authentication.token.TokenInfo;
import org.apache.jackrabbit.oak.spi.security.authentication.token.TokenProvider;
import org.apache.jackrabbit.oak.spi.security.user.UserConfiguration;
import org.apache.jackrabbit.oak.spi.security.user.util.PasswordUtil;
import org.apache.jackrabbit.util.ISO8601;
import org.apache.jackrabbit.util.Text;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/apache/jackrabbit/oak/security/authentication/token/TokenProviderImpl.class */
public class TokenProviderImpl implements TokenProvider, TokenConstants {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) TokenProviderImpl.class);
    static final String PARAM_TOKEN_CLEANUP_THRESHOLD = "tokenCleanupThreshold";
    static final long NO_TOKEN_CLEANUP = 0;
    static final long DEFAULT_TOKEN_EXPIRATION = 7200000;
    static final int DEFAULT_KEY_SIZE = 8;
    private static final char DELIM = '_';
    private final Root root;
    private final ConfigurationParameters options;
    private final CredentialsSupport credentialsSupport;
    private final long tokenExpiration;
    private final UserManager userManager;
    private final IdentifierManager identifierManager;
    private final long cleanupThreshold;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/apache/jackrabbit/oak/security/authentication/token/TokenProviderImpl$TokenInfoImpl.class */
    public final class TokenInfoImpl implements TokenInfo {
        private final String token;
        private final String tokenPath;
        private final String userId;
        private final Principal principal;
        private final long expirationTime;
        private final String key;
        private final Map<String, String> mandatoryAttributes;
        private final Map<String, String> publicAttributes;

        private TokenInfoImpl(@NotNull Tree tree, @NotNull String str, @NotNull String str2, @Nullable Principal principal) {
            this.token = str;
            this.tokenPath = tree.getPath();
            this.userId = str2;
            this.principal = principal;
            this.expirationTime = TokenProviderImpl.getExpirationTime(tree, Long.MIN_VALUE);
            this.key = TreeUtil.getString(tree, TokenConstants.TOKEN_ATTRIBUTE_KEY);
            this.mandatoryAttributes = new HashMap();
            this.publicAttributes = new HashMap();
            for (PropertyState propertyState : tree.getProperties()) {
                String name = propertyState.getName();
                String str3 = (String) propertyState.getValue(Type.STRING);
                if (!TokenConstants.RESERVED_ATTRIBUTES.contains(name)) {
                    if (isMandatoryAttribute(name)) {
                        this.mandatoryAttributes.put(name, str3);
                    } else if (isInfoAttribute(name)) {
                        this.publicAttributes.put(name, str3);
                    }
                }
            }
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        @Nullable
        public Principal getPrincipal() {
            return this.principal;
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authentication.token.TokenInfo
        @NotNull
        public String getUserId() {
            return this.userId;
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authentication.token.TokenInfo
        @NotNull
        public String getToken() {
            return this.token;
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authentication.token.TokenInfo
        public boolean isExpired(long j) {
            return TokenProviderImpl.isExpired(this.expirationTime, j);
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authentication.token.TokenInfo
        public boolean resetExpiration(long j) {
            if (!((Boolean) TokenProviderImpl.this.options.getConfigValue(TokenProvider.PARAM_TOKEN_REFRESH, true)).booleanValue()) {
                return false;
            }
            Tree tokenTree = TokenProviderImpl.this.getTokenTree(this);
            if (!tokenTree.exists()) {
                return false;
            }
            if (isExpired(j)) {
                TokenProviderImpl.log.debug("Attempt to reset an expired token.");
                return false;
            }
            if (this.expirationTime - j > TokenProviderImpl.this.tokenExpiration / 2) {
                return false;
            }
            try {
                TokenProviderImpl.setExpirationTime(tokenTree, TokenProviderImpl.createExpirationTime(j, TokenProviderImpl.this.tokenExpiration));
                TokenProviderImpl.this.root.commit(CommitMarker.asCommitAttributes());
                TokenProviderImpl.log.debug("Successfully reset token expiration time.");
                return true;
            } catch (CommitFailedException e) {
                TokenProviderImpl.log.debug("Failed to reset token expiration {}", e.getMessage());
                TokenProviderImpl.this.root.refresh();
                return false;
            }
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authentication.token.TokenInfo
        public boolean remove() {
            Tree tokenTree = TokenProviderImpl.this.getTokenTree(this);
            if (!tokenTree.exists()) {
                return false;
            }
            try {
                if (!tokenTree.remove()) {
                    return false;
                }
                TokenProviderImpl.this.root.commit(CommitMarker.asCommitAttributes());
                return true;
            } catch (CommitFailedException e) {
                TokenProviderImpl.log.debug("Error while removing expired token {}", e.getMessage());
                return false;
            }
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authentication.token.TokenInfo
        public boolean matches(@NotNull TokenCredentials tokenCredentials) {
            String token = tokenCredentials.getToken();
            int lastIndexOf = token.lastIndexOf(95);
            if (lastIndexOf > -1) {
                token = token.substring(lastIndexOf + 1);
            }
            if (!PasswordUtil.isSame(this.key, TokenProviderImpl.getKeyValue(token, this.userId))) {
                return false;
            }
            for (Map.Entry<String, String> entry : this.mandatoryAttributes.entrySet()) {
                if (!entry.getValue().equals(tokenCredentials.getAttribute(entry.getKey()))) {
                    return false;
                }
            }
            List asList = Arrays.asList(tokenCredentials.getAttributeNames());
            this.publicAttributes.forEach((str, str2) -> {
                if (asList.contains(str)) {
                    return;
                }
                tokenCredentials.setAttribute(str, str2);
            });
            return true;
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authentication.token.TokenInfo
        @NotNull
        public Map<String, String> getPrivateAttributes() {
            return Collections.unmodifiableMap(this.mandatoryAttributes);
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authentication.token.TokenInfo
        @NotNull
        public Map<String, String> getPublicAttributes() {
            return Collections.unmodifiableMap(this.publicAttributes);
        }

        private boolean isMandatoryAttribute(@NotNull String str) {
            return str.startsWith(".token");
        }

        private boolean isInfoAttribute(@NotNull String str) {
            return !NamespaceConstants.RESERVED_PREFIXES.contains(Text.getNamespacePrefix(str));
        }
    }

    TokenProviderImpl(@NotNull Root root, @NotNull ConfigurationParameters configurationParameters, @NotNull UserConfiguration userConfiguration) {
        this(root, configurationParameters, userConfiguration, SimpleCredentialsSupport.getInstance());
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public TokenProviderImpl(@NotNull Root root, @NotNull ConfigurationParameters configurationParameters, @NotNull UserConfiguration userConfiguration, @NotNull CredentialsSupport credentialsSupport) {
        this.root = root;
        this.options = configurationParameters;
        this.credentialsSupport = credentialsSupport;
        this.tokenExpiration = ((Long) configurationParameters.getConfigValue(TokenProvider.PARAM_TOKEN_EXPIRATION, 7200000L)).longValue();
        this.userManager = userConfiguration.getUserManager(root, NamePathMapper.DEFAULT);
        this.identifierManager = new IdentifierManager(root);
        this.cleanupThreshold = ((Long) configurationParameters.getConfigValue(PARAM_TOKEN_CLEANUP_THRESHOLD, 0L)).longValue();
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authentication.token.TokenProvider
    public boolean doCreateToken(@NotNull Credentials credentials) {
        Object obj;
        Credentials extractCredentials = extractCredentials(credentials);
        return (extractCredentials == null || (obj = this.credentialsSupport.getAttributes(extractCredentials).get(".token")) == null || !obj.toString().isEmpty()) ? false : true;
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authentication.token.TokenProvider
    @Nullable
    public TokenInfo createToken(@NotNull Credentials credentials) {
        Credentials extractCredentials = extractCredentials(credentials);
        String userId = extractCredentials != null ? this.credentialsSupport.getUserId(extractCredentials) : null;
        TokenInfo tokenInfo = null;
        if (userId != null) {
            tokenInfo = createToken(userId, this.credentialsSupport.getAttributes(extractCredentials));
            if (tokenInfo != null && !this.credentialsSupport.setAttributes(extractCredentials, ImmutableMap.of(".token", tokenInfo.getToken()))) {
                log.debug("Cannot set token attribute to " + extractCredentials);
            }
        }
        return tokenInfo;
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authentication.token.TokenProvider
    public TokenInfo createToken(@NotNull String str, @NotNull Map<String, ?> map) {
        TokenInfo createTokenNode;
        User user = getUser(str);
        Tree tokenParent = user == null ? null : getTokenParent(user);
        if (tokenParent == null) {
            log.warn("Unable to get/create token store for user " + str);
            return null;
        }
        try {
            String id = user.getID();
            long currentTimeMillis = System.currentTimeMillis();
            long createExpirationTime = createExpirationTime(currentTimeMillis, map.containsKey(TokenProvider.PARAM_TOKEN_EXPIRATION) ? Long.parseLong(map.get(TokenProvider.PARAM_TOKEN_EXPIRATION).toString()) : this.tokenExpiration);
            String uuid = UUID.randomUUID().toString();
            try {
                createTokenNode = createTokenNode(tokenParent, uuid, createExpirationTime, uuid, id, map);
                this.root.commit(CommitMarker.asCommitAttributes());
            } catch (CommitFailedException e) {
                log.debug("Failed to create token node. Using random name as fallback.");
                this.root.refresh();
                createTokenNode = createTokenNode(tokenParent, UUID.randomUUID().toString(), createExpirationTime, uuid, id, map);
                this.root.commit(CommitMarker.asCommitAttributes());
            }
            cleanupExpired(str, tokenParent, currentTimeMillis, createTokenNode.getToken());
            return createTokenNode;
        } catch (UnsupportedEncodingException | NoSuchAlgorithmException e2) {
            log.error("Failed to create login token. {}", e2.getMessage());
            return null;
        } catch (RepositoryException | CommitFailedException e3) {
            log.warn("Failed to create login token. {}", e3.getMessage());
            return null;
        }
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authentication.token.TokenProvider
    public TokenInfo getTokenInfo(@NotNull String str) {
        int indexOf = str.indexOf(95);
        Tree tree = this.identifierManager.getTree(indexOf == -1 ? str : str.substring(0, indexOf));
        if (!isValidTokenTree(tree)) {
            return null;
        }
        try {
            User user = getUser(tree);
            if (user != null) {
                return new TokenInfoImpl(tree, str, user.getID(), user.getPrincipal());
            }
            return null;
        } catch (RepositoryException e) {
            log.debug("Cannot determine userID/principal from token: {}", e.getMessage());
            return null;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static long createExpirationTime(long j, long j2) {
        return j + j2;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static long getExpirationTime(@NotNull Tree tree, long j) {
        return TreeUtil.getLong(tree, TokenConstants.TOKEN_ATTRIBUTE_EXPIRY, j);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static boolean isExpired(long j, long j2) {
        return j < j2;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static void setExpirationTime(@NotNull Tree tree, long j) {
        Calendar calendar = Calendar.getInstance();
        calendar.setTimeInMillis(j);
        tree.setProperty(TokenConstants.TOKEN_ATTRIBUTE_EXPIRY, ISO8601.format(calendar), Type.DATE);
    }

    @Nullable
    private Credentials extractCredentials(@NotNull Credentials credentials) {
        Credentials credentials2 = credentials;
        if (credentials instanceof ImpersonationCredentials) {
            credentials2 = ((ImpersonationCredentials) credentials).getBaseCredentials();
        }
        if (this.credentialsSupport.getCredentialClasses().contains(credentials2.getClass())) {
            return credentials2;
        }
        return null;
    }

    @NotNull
    private static String generateKey(int i) {
        byte[] bArr = new byte[i];
        new SecureRandom().nextBytes(bArr);
        StringBuilder sb = new StringBuilder(bArr.length * 2);
        for (byte b : bArr) {
            sb.append(Text.hexTable[(b >> 4) & 15]);
            sb.append(Text.hexTable[b & 15]);
        }
        return sb.toString();
    }

    /* JADX INFO: Access modifiers changed from: private */
    @NotNull
    public static String getKeyValue(@NotNull String str, @NotNull String str2) {
        return str + str2;
    }

    private static boolean isValidTokenTree(@Nullable Tree tree) {
        return tree != null && tree.exists() && TokenConstants.TOKENS_NODE_NAME.equals(tree.getParent().getName()) && TokenConstants.TOKEN_NT_NAME.equals(TreeUtil.getPrimaryTypeName(tree));
    }

    /* JADX INFO: Access modifiers changed from: private */
    @NotNull
    public Tree getTokenTree(@NotNull TokenInfoImpl tokenInfoImpl) {
        return this.root.getTree(tokenInfoImpl.tokenPath);
    }

    @Nullable
    private User getUser(@NotNull Tree tree) throws RepositoryException {
        Authorizable authorizableByPath = this.userManager.getAuthorizableByPath(Text.getRelativeParent(tree.getPath(), 2));
        if (authorizableByPath == null || authorizableByPath.isGroup() || ((User) authorizableByPath).isDisabled()) {
            return null;
        }
        return (User) authorizableByPath;
    }

    @Nullable
    private User getUser(@NotNull String str) {
        try {
            Authorizable authorizable = this.userManager.getAuthorizable(str);
            if (authorizable != null && !authorizable.isGroup()) {
                return (User) authorizable;
            }
            log.debug("Cannot create login token: No corresponding node for User " + str + '.');
            return null;
        } catch (RepositoryException e) {
            log.debug("Error while accessing user " + str + '.', (Throwable) e);
            return null;
        }
    }

    @Nullable
    private Tree getTokenParent(@NotNull User user) {
        Tree tree = null;
        String str = null;
        try {
            String path = user.getPath();
            str = path + '/' + TokenConstants.TOKENS_NODE_NAME;
            tree = TreeUtil.getOrAddChild(this.root.getTree(path), TokenConstants.TOKENS_NODE_NAME, "rep:Unstructured");
            this.root.commit();
        } catch (RepositoryException e) {
            log.debug("Error while creating token node {}", e.getMessage());
        } catch (CommitFailedException e2) {
            log.debug("Conflict while creating token store -> retrying {}", e2.getMessage());
            this.root.refresh();
            Tree tree2 = this.root.getTree(str);
            tree = tree2.exists() ? tree2 : null;
        }
        return tree;
    }

    @NotNull
    private TokenInfo createTokenNode(@NotNull Tree tree, @NotNull String str, long j, @NotNull String str2, @NotNull String str3, Map<String, ?> map) throws AccessDeniedException, UnsupportedEncodingException, NoSuchAlgorithmException {
        Tree addChild = TreeUtil.addChild(tree, str, TokenConstants.TOKEN_NT_NAME);
        addChild.setProperty(JcrConstants.JCR_UUID, str2);
        String generateKey = generateKey(((Integer) this.options.getConfigValue(TokenProvider.PARAM_TOKEN_LENGTH, 8)).intValue());
        String str4 = IdentifierManager.getIdentifier(addChild) + '_' + generateKey;
        addChild.setProperty(TokenConstants.TOKEN_ATTRIBUTE_KEY, PasswordUtil.buildPasswordHash(getKeyValue(generateKey, str3), this.options));
        setExpirationTime(addChild, j);
        map.forEach((str5, obj) -> {
            if (RESERVED_ATTRIBUTES.contains(str5)) {
                return;
            }
            addChild.setProperty(str5, obj.toString());
        });
        return new TokenInfoImpl(addChild, str4, str3, null);
    }

    private void cleanupExpired(@NotNull String str, @NotNull Tree tree, long j, @NotNull String str2) {
        if (this.cleanupThreshold <= 0 || !shouldRunCleanup(str2)) {
            return;
        }
        long currentTimeMillis = System.currentTimeMillis();
        long j2 = 0;
        long j3 = 0;
        try {
            try {
                if (tree.getChildrenCount(this.cleanupThreshold) >= this.cleanupThreshold) {
                    for (Tree tree2 : tree.getChildren()) {
                        if (isExpired(getExpirationTime(tree2, Long.MIN_VALUE), j)) {
                            j3++;
                            tree2.remove();
                        } else {
                            j2++;
                        }
                    }
                }
                if (this.root.hasPendingChanges()) {
                    this.root.commit(CommitMarker.asCommitAttributes());
                }
                if (!log.isDebugEnabled() || j2 + j3 <= 0) {
                    return;
                }
                log.debug("Token cleanup completed in {} ms: removed {}/{} tokens for {}.", Long.valueOf(System.currentTimeMillis() - currentTimeMillis), Long.valueOf(j3), Long.valueOf(j2 + j3), str);
            } catch (CommitFailedException e) {
                log.debug("Failed to cleanup expired token nodes", (Throwable) e);
                this.root.refresh();
                if (!log.isDebugEnabled() || j2 + j3 <= 0) {
                    return;
                }
                log.debug("Token cleanup completed in {} ms: removed {}/{} tokens for {}.", Long.valueOf(System.currentTimeMillis() - currentTimeMillis), Long.valueOf(j3), Long.valueOf(j2 + j3), str);
            }
        } catch (Throwable th) {
            if (log.isDebugEnabled() && j2 + j3 > 0) {
                log.debug("Token cleanup completed in {} ms: removed {}/{} tokens for {}.", Long.valueOf(System.currentTimeMillis() - currentTimeMillis), Long.valueOf(j3), Long.valueOf(j2 + j3), str);
            }
            throw th;
        }
    }

    static boolean shouldRunCleanup(@NotNull String str) {
        return str.charAt(0) < '2';
    }
}
