package org.nuxeo.ecm.jwt;

import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.nuxeo.ecm.platform.api.login.UserIdentificationInfo;
import org.nuxeo.ecm.platform.ui.web.auth.interfaces.NuxeoAuthenticationPlugin;
import org.nuxeo.runtime.api.Framework;

/* loaded from: input_file:org/nuxeo/ecm/jwt/JWTAuthenticator.class */
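/**
 * Authentication plugin that identifies a user from a JWT presented as a bearer token.
 *
 * <p>The token is read from the {@code Authorization} header, or from the {@code access_token}
 * request parameter when no such header is present. It is then passed to
 * {@link JWTService#verifyToken}. This class performs no cryptographic check itself: signature,
 * algorithm and expiry validation are assumed to happen inside {@code JWTService}, which is not
 * visible here and should be confirmed there.
 *
 * <p>If the verified claims carry an audience, it is treated as a path and the token is accepted
 * only for requests at or below that path. A token <em>without</em> an audience claim is accepted
 * for every path this plugin is consulted on, so issuers that want path-scoped tokens must always
 * set the audience.
 *
 * <p>All failure paths return {@code null} (no identity), never a partially trusted identity.
 */
public class JWTAuthenticator implements NuxeoAuthenticationPlugin {
    private static final Log log = LogFactory.getLog(JWTAuthenticator.class);

    /** Authorization scheme prefix, including the separating space. */
    protected static final String BEARER_SP = "Bearer ";

    /** Name of the request parameter that may carry the token when no header is sent. */
    protected static final String ACCESS_TOKEN = "access_token";

    /** No configuration is read; the parameter map is ignored. */
    public void initPlugin(Map<String, String> map) {
    }

    /**
     * Declares no unauthenticated URL prefixes.
     *
     * @return always {@code null}
     */
    public List<String> getUnAuthenticatedURLPrefix() {
        return null;
    }

    /**
     * This plugin never asks for an interactive login.
     *
     * @return always {@link Boolean#FALSE}
     */
    public Boolean needLoginPrompt(HttpServletRequest httpServletRequest) {
        return Boolean.FALSE;
    }

    /**
     * This plugin never renders a login prompt.
     *
     * @return always {@link Boolean#FALSE}
     */
    public Boolean handleLoginPrompt(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) {
        return Boolean.FALSE;
    }

    /**
     * Resolves the caller's identity from a JWT on the request.
     *
     * @param httpServletRequest the request to read the token and path from
     * @param httpServletResponse unused
     * @return an identity built from the token's subject claim, or {@code null} when there is no
     *         token, the token does not verify, the subject or audience claim is not a String,
     *         or the audience does not cover the request path
     */
    public UserIdentificationInfo handleRetrieveIdentity(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String token = retrieveToken(httpServletRequest);
        if (token == null) {
            log.trace("No JWT token");
            return null;
        }
        JWTService jwtService = Framework.getService(JWTService.class);
        if (jwtService == null) {
            // Fail closed with a diagnosable message instead of a NullPointerException
            // when the service is not deployed.
            log.warn("JWTService is not available, JWT token cannot be verified");
            return null;
        }
        Map<String, Object> claims = jwtService.verifyToken(token);
        if (claims == null) {
            log.trace("JWT token invalid");
            return null;
        }
        Object subject = claims.get(JWTClaims.CLAIM_SUBJECT);
        if (!(subject instanceof String)) {
            log.trace("JWT token contains non-String subject claim");
            return null;
        }
        // NOTE(review): an empty-string subject passes this check; confirm that the caller
        // rejects an empty username.
        String username = (String) subject;
        if (log.isTraceEnabled()) {
            log.trace("JWT token valid for username: " + forLog(username));
        }
        Object audience = claims.get(JWTClaims.CLAIM_AUDIENCE);
        if (audience != null) {
            // Only a single String audience is supported; any other type (for example a list of
            // audiences) is rejected rather than ignored, so the restriction cannot be bypassed.
            if (!(audience instanceof String)) {
                log.trace("JWT token contains non-String audience claim");
                return null;
            }
            String audiencePath = StringUtils.strip((String) audience, "/");
            String requestPath = getRequestPath(httpServletRequest);
            if (!isEqualOrPathPrefix(requestPath, audiencePath)) {
                if (log.isTraceEnabled()) {
                    log.trace("JWT token for audience: " + forLog(audiencePath) + " but used with path: "
                            + forLog(requestPath));
                }
                return null;
            }
        }
        // The subject is passed for both constructor arguments, as in the original code.
        return new UserIdentificationInfo(username, username);
    }

    /**
     * Extracts the raw token from the request.
     *
     * <p>The {@code Authorization} header wins when present: if it exists but is not a bearer
     * credential, the request parameter is <em>not</em> consulted. The scheme name is matched
     * case-insensitively, as HTTP authentication scheme names are case-insensitive (RFC 7235).
     *
     * <p>Security note: the {@code access_token} fallback uses
     * {@link HttpServletRequest#getParameter}, which covers the query string and, for form posts,
     * the request body. A token placed in a URL typically ends up in access logs, browser history
     * and {@code Referer} headers; RFC 6750 section 2.3 discourages this transport. Tokens
     * accepted this way should be short-lived and audience-restricted.
     *
     * @return the token, or {@code null} when none is usable
     */
    protected String retrieveToken(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader("Authorization");
        if (header == null) {
            String parameter = httpServletRequest.getParameter(ACCESS_TOKEN);
            if (StringUtils.isNotEmpty(parameter)) {
                log.trace("Access token available from URI");
                return parameter;
            }
            log.trace("No Authorization header or URI access token");
            return null;
        }
        if (!header.regionMatches(true, 0, BEARER_SP, 0, BEARER_SP.length())) {
            log.trace("Authorization header without Bearer token");
            return null;
        }
        String token = header.substring(BEARER_SP.length()).trim();
        if (token.isEmpty()) {
            log.trace("Bearer token empty");
            return null;
        }
        log.trace("Bearer token available");
        return token;
    }

    /**
     * Builds the path compared against the audience: servlet path plus path info, with the first
     * character (expected to be the leading {@code /}) removed.
     *
     * <p>The audience restriction is only as strong as this value. It is built from the
     * container's {@code getServletPath()} and {@code getPathInfo()}, not from the raw request
     * URI; presumably the container has already decoded and normalised these. Confirm this for
     * the deployed container.
     */
    protected static String getRequestPath(HttpServletRequest httpServletRequest) {
        String path = httpServletRequest.getServletPath();
        String pathInfo = httpServletRequest.getPathInfo();
        if (pathInfo != null) {
            path = path + pathInfo;
        }
        return path.isEmpty() ? path : path.substring(1);
    }

    /**
     * Tells whether {@code str} is {@code str2} itself or lies below it as a path.
     *
     * <p>The prefix test appends {@code /} to {@code str2}, so matching happens on whole path
     * segments: {@code "api/v1"} is below {@code "api"}, but {@code "apix"} is not.
     *
     * @param str the request path, without leading slash
     * @param str2 the allowed path, without leading or trailing slash
     */
    protected static boolean isEqualOrPathPrefix(String str, String str2) {
        return str.equals(str2) || str.startsWith(str2 + '/');
    }

    /** Replaces CR and LF so a logged value cannot forge additional log lines. */
    private static String forLog(String value) {
        return value == null ? null : value.replace('\r', '_').replace('\n', '_');
    }
}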
