package org.apache.sling.auth.oauth_client.impl;

import java.time.ZonedDateTime;
import java.util.Calendar;
import java.util.GregorianCalendar;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.ValueFactory;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.auth.oauth_client.ClientConnection;
import org.apache.sling.commons.crypto.CryptoService;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.component.annotations.Reference;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

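/**
 * {@link OAuthTokenStore} that keeps OAuth tokens as properties on the Jackrabbit {@link User}
 * the supplied {@link ResourceResolver} adapts to.
 *
 * <p>Properties are addressed by the relative path {@code oauth-tokens/<connection name>/<property>}.
 * Access and refresh token values are passed through {@link CryptoService#encrypt} before being
 * written and through {@link CryptoService#decrypt} when read. The expiry timestamp is stored as a
 * plain date value.
 *
 * <p>Token values are bearer credentials: nothing in this class logs them, and new log statements
 * must keep it that way.
 */
@Component(configurationPolicy = ConfigurationPolicy.REQUIRE)
public class JcrUserHomeOAuthTokenStore implements OAuthTokenStore {
    private static final String PROPERTY_NAME_EXPIRES_AT = "expires_at";
    private static final String PROPERTY_NAME_REFRESH_TOKEN = "refresh_token";
    // Same numeric value as javax.jcr.PropertyType.DATE; kept local so no extra import is needed.
    private static final int JCR_PROPERTY_TYPE_DATE = 5;
    private static final Logger logger = LoggerFactory.getLogger(JcrUserHomeOAuthTokenStore.class);
    private final CryptoService cryptoService;

    /**
     * Creates the store.
     *
     * @param cryptoService service used to encrypt token values before storage and decrypt them on read
     */
    @Activate
    public JcrUserHomeOAuthTokenStore(@Reference CryptoService cryptoService) {
        this.cryptoService = cryptoService;
    }

    /**
     * Returns the stored access token for the connection.
     *
     * <p>If a single-valued date property {@code expires_at} exists and lies in the past, the result
     * has state {@link TokenState#EXPIRED} and no value. If the expiry property is absent, the token
     * is returned without an expiry check. A malformed expiry property is also not enforced, but is
     * now reported with a warning instead of being skipped silently.
     *
     * @param clientConnection connection whose token is requested
     * @param resourceResolver resolver that must adapt to a {@link User}
     * @return the token with state EXPIRED, MISSING or VALID
     * @throws OAuthException if the resolver cannot be adapted or the repository access fails
     */
    @Override
    @NotNull
    public OAuthToken getAccessToken(@NotNull ClientConnection clientConnection, @NotNull ResourceResolver resourceResolver) {
        try {
            User user = adaptToUser(resourceResolver);
            Value[] expiry = user.getProperty(propertyPath(clientConnection, PROPERTY_NAME_EXPIRES_AT));
            if (expiry != null) {
                if (expiry.length == 1 && expiry[0].getType() == JCR_PROPERTY_TYPE_DATE) {
                    Calendar expiresAt = expiry[0].getDate();
                    if (expiresAt.before(Calendar.getInstance())) {
                        // Log the instant rather than the Calendar, whose toString() dumps every internal field.
                        logger.info("Token for {} expired at {}, marking as expired", clientConnection.name(), expiresAt.toInstant());
                        return new OAuthToken(TokenState.EXPIRED, null);
                    }
                } else {
                    // The token is still returned (unchanged behaviour), but an unusable expiry
                    // means a stale token could be handed out, so make that visible.
                    logger.warn("Ignoring malformed {} property for {}, token expiry is not enforced", PROPERTY_NAME_EXPIRES_AT, clientConnection.name());
                }
            }
            return getToken(clientConnection, user, OAuthTokenStore.PROPERTY_NAME_ACCESS_TOKEN);
        } catch (RepositoryException e) {
            throw new OAuthException(e);
        }
    }

    /**
     * Reads and decrypts one token property of the user.
     *
     * @param clientConnection connection the token belongs to
     * @param user user holding the token properties
     * @param propertyName name of the token property below the connection's node path
     * @return a MISSING token if the property does not exist, otherwise a VALID token with the decrypted value
     * @throws OAuthException if the property does not hold exactly one value
     * @throws RepositoryException if reading the property fails
     */
    @NotNull
    private OAuthToken getToken(@NotNull ClientConnection clientConnection, @NotNull User user, @NotNull String propertyName) throws RepositoryException {
        Value[] values = user.getProperty(propertyPath(clientConnection, propertyName));
        if (values == null) {
            return new OAuthToken(TokenState.MISSING, null);
        }
        if (values.length != 1) {
            // Only the count and the property name go into the message, never the stored value.
            throw new OAuthException(String.format("Unexpected value count %d for token property %s", values.length, propertyName));
        }
        // NOTE(review): how decrypt() reports a ciphertext it cannot decrypt is not visible here;
        // confirm that callers cope with whatever it throws.
        String plainToken = this.cryptoService.decrypt(values[0].getString());
        return new OAuthToken(TokenState.VALID, plainToken);
    }

    /**
     * Returns the stored refresh token for the connection. No expiry check is applied.
     *
     * @param clientConnection connection whose token is requested
     * @param resourceResolver resolver that must adapt to a {@link User}
     * @return the token with state MISSING or VALID
     * @throws OAuthException if the resolver cannot be adapted or the repository access fails
     */
    @Override
    @NotNull
    public OAuthToken getRefreshToken(@NotNull ClientConnection clientConnection, @NotNull ResourceResolver resourceResolver) {
        try {
            return getToken(clientConnection, adaptToUser(resourceResolver), PROPERTY_NAME_REFRESH_TOKEN);
        } catch (RepositoryException e) {
            throw new OAuthException(e);
        }
    }

    /**
     * Stores access token, refresh token and expiry for the connection and saves the session.
     *
     * <p>A {@code null} token removes the corresponding property. The expiry property is written only
     * when {@code oAuthTokens.expiresAt()} is positive, otherwise it is removed.
     *
     * <p>If a {@link RepositoryException} occurs, the changes applied up to that point are not
     * reverted by this method.
     *
     * @param clientConnection connection the tokens belong to
     * @param resourceResolver resolver that must adapt to a {@link User} and a {@link Session}
     * @param oAuthTokens tokens to persist
     * @throws OAuthException if the resolver cannot be adapted or the repository access fails
     */
    @Override
    public void persistTokens(@NotNull ClientConnection clientConnection, @NotNull ResourceResolver resourceResolver, @NotNull OAuthTokens oAuthTokens) {
        try {
            User user = adaptToUser(resourceResolver);
            Session session = adaptToSession(resourceResolver);
            ValueFactory valueFactory = session.getValueFactory();

            setTokenProperty(user, valueFactory, propertyPath(clientConnection, OAuthTokenStore.PROPERTY_NAME_ACCESS_TOKEN), oAuthTokens.accessToken());
            setTokenProperty(user, valueFactory, propertyPath(clientConnection, PROPERTY_NAME_REFRESH_TOKEN), oAuthTokens.refreshToken());

            String expiryPath = propertyPath(clientConnection, PROPERTY_NAME_EXPIRES_AT);
            // The value is added to the current time, i.e. it is handled as a lifetime in seconds.
            // NOTE(review): the accessor name suggests an absolute time; confirm against OAuthTokens.
            long lifetimeSeconds = oAuthTokens.expiresAt();
            if (lifetimeSeconds > 0) {
                ZonedDateTime expiry = ZonedDateTime.now().plusSeconds(lifetimeSeconds);
                user.setProperty(expiryPath, valueFactory.createValue(GregorianCalendar.from(expiry)));
            } else {
                // Without an expiry property getAccessToken() performs no expiry check at all.
                user.removeProperty(expiryPath);
            }
            session.save();
        } catch (RepositoryException e) {
            throw new OAuthException(e);
        }
    }

    /**
     * Removes the access token and its expiry for the connection and saves the session.
     * The refresh token is left in place.
     *
     * @param clientConnection connection whose access token is cleared
     * @param resourceResolver resolver that must adapt to a {@link User} and a {@link Session}
     * @throws OAuthException if the resolver cannot be adapted or the repository access fails
     */
    @Override
    public void clearAccessToken(@NotNull ClientConnection clientConnection, @NotNull ResourceResolver resourceResolver) throws OAuthException {
        try {
            User user = adaptToUser(resourceResolver);
            // Adapt the session before touching any property (as persistTokens does), so a failed
            // adaptation cannot leave unsaved removals pending.
            Session session = adaptToSession(resourceResolver);
            user.removeProperty(propertyPath(clientConnection, OAuthTokenStore.PROPERTY_NAME_ACCESS_TOKEN));
            user.removeProperty(propertyPath(clientConnection, PROPERTY_NAME_EXPIRES_AT));
            session.save();
        } catch (RepositoryException e) {
            throw new OAuthException(e);
        }
    }

    /**
     * Writes the encrypted token to the given property, or removes the property when the token is {@code null}.
     *
     * @param user user holding the token properties
     * @param valueFactory factory used to create the stored value
     * @param propertyPath relative path of the property to write or remove
     * @param token plain-text token, or {@code null} to remove the property
     * @throws RepositoryException if the repository operation fails
     */
    private void setTokenProperty(@NotNull User user, @NotNull ValueFactory valueFactory, @NotNull String propertyPath, @Nullable String token) throws RepositoryException {
        if (token == null) {
            // NOTE(review): persistTokens() also routes the refresh token through here, so a token
            // set without a refresh token deletes the stored one; confirm that callers intend this.
            logger.info("Token value is null, removing property {}", propertyPath);
            user.removeProperty(propertyPath);
            return;
        }
        user.setProperty(propertyPath, createTokenValue(valueFactory, token));
    }

    /**
     * Encrypts the token and wraps the result in a JCR value.
     *
     * @param valueFactory factory used to create the value
     * @param token plain-text token
     * @return value holding the output of {@link CryptoService#encrypt}
     */
    @NotNull
    private Value createTokenValue(@NotNull ValueFactory valueFactory, @NotNull String token) {
        String encryptedToken = this.cryptoService.encrypt(token);
        return valueFactory.createValue(encryptedToken);
    }

    /**
     * Builds the relative path of a token property for the connection.
     *
     * @param clientConnection connection the property belongs to
     * @param propertyName name of the property
     * @return {@code oauth-tokens/<connection name>/<propertyName>}
     */
    @NotNull
    private static String propertyPath(@NotNull ClientConnection clientConnection, @NotNull String propertyName) {
        return nodePath(clientConnection) + "/" + propertyName;
    }

    /**
     * Builds the relative path of the node that groups the connection's token properties.
     *
     * @param clientConnection connection to build the path for
     * @return {@code oauth-tokens/<connection name>}
     */
    @NotNull
    private static String nodePath(@NotNull ClientConnection clientConnection) {
        // The connection name is concatenated without escaping or validation.
        // NOTE(review): presumably names come from trusted configuration; confirm they cannot
        // contain '/' or '..' segments that would move the path outside oauth-tokens.
        return "oauth-tokens/" + clientConnection.name();
    }

    /**
     * Adapts the resolver to a Jackrabbit user.
     *
     * @param resourceResolver resolver to adapt
     * @return the adapted user, never {@code null}
     * @throws OAuthException if the adaptation yields {@code null}
     */
    @NotNull
    private static User adaptToUser(@NotNull ResourceResolver resourceResolver) {
        User user = resourceResolver.adaptTo(User.class);
        if (user == null) {
            throw new OAuthException("Unable to adapt resolver to a user.");
        }
        return user;
    }

    /**
     * Adapts the resolver to a JCR session.
     *
     * @param resourceResolver resolver to adapt
     * @return the adapted session, never {@code null}
     * @throws OAuthException if the adaptation yields {@code null}
     */
    @NotNull
    private static Session adaptToSession(@NotNull ResourceResolver resourceResolver) {
        Session session = resourceResolver.adaptTo(Session.class);
        if (session == null) {
            throw new OAuthException("Unable to adapt resolver to a session.");
        }
        return session;
    }
}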
