package org.apache.sling.auth.oauth_client.impl;

import java.io.File;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import javax.jcr.Credentials;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.codec.binary.Base64;
import org.apache.sling.auth.core.spi.AuthenticationInfo;
import org.apache.sling.auth.oauth_client.spi.LoginCookieManager;
import org.apache.sling.auth.oauth_client.spi.OidcAuthCredentials;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.osgi.framework.BundleContext;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.metatype.annotations.AttributeDefinition;
import org.osgi.service.metatype.annotations.ObjectClassDefinition;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

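/**
 * {@link LoginCookieManager} that keeps the authenticated OIDC user in a login cookie.
 *
 * <p>On login, {@link #setLoginCookie} asks the {@code TokenStore} to encode an expiry time and the
 * user id, Base64url-encodes the result and sends it as a cookie. On later requests,
 * {@link #verifyLoginCookie} decodes the cookie and only builds an {@link AuthenticationInfo} when
 * {@code TokenStore.isValid} accepts the token. All trust in the cookie content therefore rests on
 * {@code TokenStore} (not shown in this file).
 */
@Component(service = {LoginCookieManager.class}, immediate = true, property = {"service.ranking:Integer=10"})
public class SlingLoginCookieManager implements LoginCookieManager {
    private static final Logger log = LoggerFactory.getLogger(SlingLoginCookieManager.class);
    private final TokenStore tokenStore;
    /** Lifetime of an issued login token, in milliseconds. */
    private final long sessionTimeout;
    /** Name of the cookie that carries the login token. */
    private final String cookieName;

    /** OSGi configuration of the login cookie manager. */
    @ObjectClassDefinition(name = "Apache Sling Token Update Configuration for OIDC Authentication Handler", description = "Apache Sling Token Update Configuration for OIDC Authentication Handler")
    @interface SlingLoginCookieManagerConfig {
        /**
         * Token file name. An absolute path is used as given; a relative one is resolved by
         * {@code getTokenFile}.
         */
        @AttributeDefinition(name = "tokenFile", description = "Token File")
        String tokenFile() default "cookie-tokens.bin";

        /**
         * Passed unchanged to the {@code TokenStore} constructor.
         * NOTE(review): its effect on how the token keys are seeded is not visible here; check
         * {@code TokenStore} before enabling it.
         */
        @AttributeDefinition(name = "form_token_fastseed", description = "Form Token Fast Seed")
        boolean form_token_fastseed() default false;

        /** Token and cookie lifetime in milliseconds; the default is 8 hours. */
        @AttributeDefinition(name = "sessionTimeout", description = "Session Timeout")
        long sessionTimeout() default 28800000;

        /**
         * Name of the login cookie. It is written into the {@code Set-Cookie} header without any
         * escaping, so it must be a valid cookie name.
         */
        @AttributeDefinition(name = "cookieName", description = "Cookie Name")
        String cookieName() default "sling.oidcauth";
    }

    /**
     * Reads the configuration and creates the {@code TokenStore} backed by the resolved token file.
     *
     * @param slingLoginCookieManagerConfig the component configuration
     * @param bundleContext used to resolve a relative token file name
     * @throws InvalidKeyException declared for the {@code TokenStore} constructor
     * @throws NoSuchAlgorithmException declared for the {@code TokenStore} constructor
     * @throws IllegalStateException declared for the {@code TokenStore} constructor
     */
    @Activate
    public SlingLoginCookieManager(SlingLoginCookieManagerConfig slingLoginCookieManagerConfig, BundleContext bundleContext) throws InvalidKeyException, NoSuchAlgorithmException, IllegalStateException {
        File tokenFile = getTokenFile(slingLoginCookieManagerConfig.tokenFile(), bundleContext);
        boolean fastSeed = slingLoginCookieManagerConfig.form_token_fastseed();
        // Only the location is logged, never the file content.
        log.info("Storing tokens in {}", tokenFile.getAbsolutePath());
        this.sessionTimeout = slingLoginCookieManagerConfig.sessionTimeout();
        this.cookieName = slingLoginCookieManagerConfig.cookieName();
        this.tokenStore = new TokenStore(tokenFile, this.sessionTimeout, fastSeed);
    }

    /**
     * Issues the login cookie for the user named in {@code credentials}.
     *
     * @param httpServletRequest the current request; decides whether the cookie gets {@code Secure}
     * @param httpServletResponse the response that receives the {@code Set-Cookie} header
     * @param credentials must be an {@link OidcAuthCredentials}
     * @throws IllegalArgumentException if {@code credentials} is not an {@link OidcAuthCredentials}
     * @throws RuntimeException if the token store cannot encode the token
     */
    @Override
    public void setLoginCookie(@NotNull HttpServletRequest httpServletRequest, @NotNull HttpServletResponse httpServletResponse, @NotNull Credentials credentials) {
        // The SPI accepts any Credentials; reject other implementations with a clear message
        // instead of an unexplained ClassCastException.
        if (!(credentials instanceof OidcAuthCredentials)) {
            String actualType = credentials == null ? "null" : credentials.getClass().getName();
            throw new IllegalArgumentException("Unsupported credentials type: " + actualType);
        }
        OidcAuthCredentials oidcCredentials = (OidcAuthCredentials) credentials;
        long expires = System.currentTimeMillis() + this.sessionTimeout;
        try {
            String token = this.tokenStore.encode(expires, oidcCredentials.getUserId());
            // Base64url keeps the value free of characters that are special in a cookie header.
            String cookieValue = Base64.encodeBase64URLSafeString(token.getBytes(StandardCharsets.UTF_8));
            setCookie(httpServletRequest, httpServletResponse, this.cookieName, cookieValue, toMaxAgeSeconds(this.sessionTimeout));
        } catch (InvalidKeyException | NoSuchAlgorithmException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Checks the login cookie of the request and, if the token store accepts it, returns the
     * authentication information for the user it names.
     *
     * @param httpServletRequest the current request
     * @return the authentication info, or {@code null} when there is no cookie, the cookie is
     *     empty, or the token store rejects the token
     */
    @Override
    @Nullable
    public AuthenticationInfo verifyLoginCookie(@NotNull HttpServletRequest httpServletRequest) {
        Cookie loginCookie = getLoginCookie(httpServletRequest);
        if (loginCookie == null) {
            return null;
        }
        String value = loginCookie.getValue();
        // The cookie is client-controlled; treat a missing value like an empty one.
        if (value == null || value.isEmpty()) {
            return null;
        }
        String token = new String(Base64.decodeBase64(value), StandardCharsets.UTF_8);
        // createAuthInfo only parses the token, so it must stay behind the isValid check.
        if (!this.tokenStore.isValid(token)) {
            return null;
        }
        return createAuthInfo(token);
    }

    /**
     * Finds the cookie with the configured name in the request.
     *
     * @param httpServletRequest the current request
     * @return the first cookie with the configured name, or {@code null} if there is none
     */
    @Override
    @Nullable
    public Cookie getLoginCookie(@NotNull HttpServletRequest httpServletRequest) {
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie cookie : cookies) {
            if (this.cookieName.equals(cookie.getName())) {
                return cookie;
            }
        }
        return null;
    }

    /**
     * Builds the authentication info for the user id carried in {@code token}.
     *
     * <p>This method performs no verification of the token; callers must have validated it first.
     *
     * @param token the decoded token string
     * @return the authentication info, or {@code null} if no user id can be read from the token
     */
    @Nullable
    private static AuthenticationInfo createAuthInfo(@NotNull String token) {
        String userId = getUserId(token);
        if (userId == null) {
            return null;
        }
        OidcAuthCredentials oidcAuthCredentials = new OidcAuthCredentials(userId, "oidc");
        // The ".token" attribute is set to an empty string; its consumer is not visible here.
        oidcAuthCredentials.setAttribute(".token", "");
        AuthenticationInfo authenticationInfo = new AuthenticationInfo("oidc", userId);
        authenticationInfo.put("user.jcr.credentials", oidcAuthCredentials);
        return authenticationInfo;
    }

    /**
     * Extracts the user id from a token. Parsing only, no signature or expiry check.
     *
     * @param token the decoded token string
     * @return the third part of the token, or {@code null} if the token does not split into
     *     exactly three parts
     */
    @Nullable
    private static String getUserId(@NotNull String token) {
        String[] parts = TokenStore.split(token);
        if (parts.length == 3) {
            return parts[2];
        }
        return null;
    }

    /**
     * Converts a timeout in milliseconds to the {@code Max-Age} value in seconds.
     *
     * <p>The result is clamped to the {@code int} range: a plain narrowing cast would wrap for very
     * large configured timeouts and could yield a negative or arbitrary cookie lifetime.
     *
     * @param timeoutMillis the timeout in milliseconds
     * @return the timeout in whole seconds, clamped to the {@code int} range
     */
    private static int toMaxAgeSeconds(long timeoutMillis) {
        long seconds = timeoutMillis / 1000;
        return (int) Math.max(Integer.MIN_VALUE, Math.min(Integer.MAX_VALUE, seconds));
    }

    /**
     * Writes the {@code Set-Cookie} header for the login cookie.
     *
     * <p>The cookie is always {@code HttpOnly}, {@code SameSite=Lax} and scoped to {@code Path=/}.
     * {@code Secure} is added only when {@code isSecure()} reports a secure request. If TLS is
     * terminated in front of the servlet container, the container must be configured so that
     * {@code isSecure()} reflects the original scheme; otherwise the cookie is issued without
     * {@code Secure}.
     *
     * @param httpServletRequest the current request
     * @param httpServletResponse the response that receives the header
     * @param name the cookie name, written without escaping
     * @param value the cookie value, written without escaping
     * @param maxAgeSeconds the {@code Max-Age} in seconds; omitted when negative
     */
    private static void setCookie(@NotNull HttpServletRequest httpServletRequest, @NotNull HttpServletResponse httpServletResponse, @NotNull String name, @NotNull String value, int maxAgeSeconds) {
        StringBuilder header = new StringBuilder(name);
        header.append('=');
        header.append(value);
        header.append("; Path=/; HttpOnly");
        if (maxAgeSeconds >= 0) {
            header.append("; Max-Age=");
            header.append(maxAgeSeconds);
        }
        header.append("; SameSite=Lax");
        if (httpServletRequest.isSecure()) {
            header.append("; Secure");
        }
        httpServletResponse.addHeader("Set-Cookie", header.toString());
    }

    /**
     * Resolves the configured token file name to a file.
     *
     * <p>An absolute path is returned as given. A relative name is resolved against the bundle data
     * area, then against the {@code sling.home} property, and finally against the working
     * directory.
     *
     * <p>NOTE(review): {@code TokenStore} is not shown; if this file holds the keys that protect
     * the login tokens, it should be readable and writable only by the account running the
     * service.
     *
     * @param tokenFileName the configured file name
     * @param bundleContext the bundle context used for resolution
     * @return the token file
     */
    @NotNull
    private static File getTokenFile(@NotNull String tokenFileName, @NotNull BundleContext bundleContext) {
        File configured = new File(tokenFileName);
        if (configured.isAbsolute()) {
            return configured;
        }
        File dataFile = bundleContext.getDataFile(tokenFileName);
        if (dataFile == null) {
            // The framework has no file system support for the bundle; fall back to sling.home.
            String slingHome = bundleContext.getProperty("sling.home");
            dataFile = slingHome != null ? new File(slingHome, tokenFileName) : new File(tokenFileName);
        }
        return dataFile.getAbsoluteFile();
    }
}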
