package org.nuxeo.ecm.platform.ui.web.auth.token;

import java.util.List;
import java.util.Map;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.nuxeo.ecm.platform.api.login.UserIdentificationInfo;
import org.nuxeo.ecm.platform.ui.web.auth.interfaces.NuxeoAuthenticationPlugin;
import org.nuxeo.ecm.platform.usermanager.UserManager;
import org.nuxeo.ecm.tokenauth.service.TokenAuthenticationService;
import org.nuxeo.runtime.api.Framework;

/* loaded from: input_file:org/nuxeo/ecm/platform/ui/web/auth/token/TokenAuthenticator.class */
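/**
 * Authentication plugin that identifies the caller from an authentication token
 * carried either in the {@value #TOKEN_HEADER} request header or, under the
 * transport restrictions of {@link #isAllowedToUseCookieToken}, in a cookie of
 * the same name. The token is resolved to a user name through the
 * {@link TokenAuthenticationService}.
 *
 * <p>This plugin never shows a login prompt. The anonymous user is refused
 * token authentication unless the {@value #ALLOW_ANONYMOUS_KEY} plugin
 * parameter is set to {@code true}.
 */
public class TokenAuthenticator implements NuxeoAuthenticationPlugin {
    /** Plugin parameter key enabling token authentication of the anonymous user. */
    public static final String ALLOW_ANONYMOUS_KEY = "allowAnonymous";
    private static final String HTTPS = "https";
    private static final String LOCALHOST = "localhost";
    private static final Log log = LogFactory.getLog(TokenAuthenticator.class);
    /** Name of both the request header and the cookie that may carry the token. */
    protected static final String TOKEN_HEADER = "X-Authentication-Token";
    /** Whether the anonymous user may authenticate by token; configured by {@link #initPlugin(Map)}. */
    protected boolean allowAnonymous = false;

    /**
     * Token authentication is stateless and never renders a login form.
     *
     * @return always {@code false}
     */
    @Override
    public Boolean handleLoginPrompt(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) {
        return false;
    }

    /**
     * Resolves the token presented by the request to a user identity.
     *
     * @return the identity of the user bound to the token, or {@code null} when the request
     *         carries no usable token, the token is unknown or revoked, or the token maps to
     *         the anonymous user while anonymous token authentication is disabled
     */
    @Override
    public UserIdentificationInfo handleRetrieveIdentity(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        String token = getTokenFromRequest(httpServletRequest);
        if (token == null) {
            log.debug(String.format("Found no '%s' header in the request.", TOKEN_HEADER));
            return null;
        }
        String userName = getUserByToken(token);
        if (userName == null) {
            // The token is a bearer credential: keep its value out of the logs.
            log.debug("No user bound to the presented token (maybe it has been revoked), returning null.");
            return null;
        }
        UserManager userManager = (UserManager) Framework.getService(UserManager.class);
        // NOTE(review): when no UserManager is available the anonymous check is skipped and the
        // token is honoured anyway (fail-open) — confirm this is the intended behaviour.
        boolean isAnonymousUser = userManager != null && userName.equals(userManager.getAnonymousUserId());
        if (isAnonymousUser && !this.allowAnonymous) {
            log.debug("Anonymous user is not allowed to get authenticated by token, returning null.");
            return null;
        }
        return new UserIdentificationInfo(userName, userName);
    }

    /**
     * Extracts the token from the request: the header wins; the cookie is only
     * consulted when the header is absent and is subject to the transport check
     * performed inside {@link #getTokenCookie}.
     *
     * @return the token value, or {@code null} if none is present
     */
    private String getTokenFromRequest(HttpServletRequest httpServletRequest) {
        String header = httpServletRequest.getHeader(TOKEN_HEADER);
        if (header != null) {
            // A header token is accepted regardless of scheme; only the cookie path is transport-restricted.
            return header;
        }
        // getTokenCookie already returns null when there are no cookies or the transport is not allowed.
        Cookie tokenCookie = getTokenCookie(httpServletRequest);
        return tokenCookie == null ? null : tokenCookie.getValue();
    }

    /**
     * Finds the token cookie on the request.
     *
     * @return the first cookie named {@value #TOKEN_HEADER} when cookie tokens are allowed
     *         for this request (see {@link #isAllowedToUseCookieToken}), otherwise {@code null}
     */
    private Cookie getTokenCookie(HttpServletRequest httpServletRequest) {
        Cookie[] cookies = httpServletRequest.getCookies();
        if (cookies == null) {
            return null;
        }
        for (Cookie cookie : cookies) {
            if (TOKEN_HEADER.equals(cookie.getName()) && isAllowedToUseCookieToken(httpServletRequest)) {
                return cookie;
            }
        }
        return null;
    }

    /**
     * A cookie-borne token is only honoured over HTTPS or when the request is addressed to
     * {@code localhost}, so the credential is not accepted from a cookie sent in clear text.
     *
     * <p>NOTE(review): {@code getServerName()} is typically derived from the Host header or the
     * proxy configuration, so the localhost exemption is only as reliable as the front-end
     * that sets it — confirm for the deployment in use.
     */
    private boolean isAllowedToUseCookieToken(HttpServletRequest httpServletRequest) {
        return LOCALHOST.equals(httpServletRequest.getServerName())
                || HTTPS.equals(httpServletRequest.getScheme());
    }

    /**
     * This plugin never requires a login prompt.
     *
     * @return always {@code false}
     */
    @Override
    public Boolean needLoginPrompt(HttpServletRequest httpServletRequest) {
        return false;
    }

    /**
     * Reads the plugin parameters. Only {@value #ALLOW_ANONYMOUS_KEY} is recognised;
     * any value other than (case-insensitive) {@code "true"} disables anonymous
     * token authentication.
     *
     * @param map plugin parameters from the authentication configuration
     */
    @Override
    public void initPlugin(Map<String, String> map) {
        if (map.containsKey(ALLOW_ANONYMOUS_KEY)) {
            this.allowAnonymous = Boolean.parseBoolean(map.get(ALLOW_ANONYMOUS_KEY));
        }
    }

    /**
     * No URL prefix is exempted from authentication by this plugin.
     *
     * @return {@code null}; presumably interpreted by the authentication filter as
     *         "no prefixes" — kept as-is to match the interface's existing contract
     */
    @Override
    public List<String> getUnAuthenticatedURLPrefix() {
        return null;
    }

    /**
     * Resolves a token to the user name it is bound to.
     *
     * @param str the raw token value
     * @return the bound user name, or {@code null} when the service knows no such token
     */
    protected String getUserByToken(String str) {
        return ((TokenAuthenticationService) Framework.getLocalService(TokenAuthenticationService.class)).getUserName(str);
    }
}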
