package org.nuxeo.ecm.platform.ui.web.auth.oauth;

import java.io.IOException;
import java.net.URISyntaxException;
import java.util.List;
import java.util.Map;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import net.oauth.OAuthAccessor;
import net.oauth.OAuthException;
import net.oauth.OAuthMessage;
import net.oauth.SimpleOAuthValidator;
import net.oauth.server.OAuthServlet;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.nuxeo.ecm.platform.api.login.UserIdentificationInfo;
import org.nuxeo.ecm.platform.oauth.consumers.NuxeoOAuthConsumer;
import org.nuxeo.ecm.platform.oauth.consumers.OAuthConsumerRegistry;
import org.nuxeo.ecm.platform.oauth.keys.OAuthServerKeyManager;
import org.nuxeo.ecm.platform.oauth.tokens.OAuthToken;
import org.nuxeo.ecm.platform.oauth.tokens.OAuthTokenStore;
import org.nuxeo.ecm.platform.ui.web.auth.interfaces.NuxeoAuthenticationPlugin;
import org.nuxeo.runtime.api.Framework;
import org.nuxeo.runtime.transaction.TransactionHelper;

/* loaded from: input_file:org/nuxeo/ecm/platform/ui/web/auth/oauth/NuxeoOAuth1Authenticator.class */
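/**
 * Authentication plugin that identifies the caller from an OAuth 1 signed request.
 *
 * <p>The plugin never prompts for login. It only inspects the incoming request: if the request
 * looks OAuth 1 signed, the consumer and (optional) access token are looked up, the signature is
 * validated, and the associated login is returned. Any failure yields {@code null}, which the
 * caller sees as "no identity retrieved by this plugin".
 */
public class NuxeoOAuth1Authenticator implements NuxeoAuthenticationPlugin {
    private static final Logger log = LogManager.getLogger(NuxeoOAuth1Authenticator.class);

    /** No-op: this plugin reads no initialization parameters. */
    public void initPlugin(Map<String, String> map) {
    }

    /**
     * This plugin declares no unauthenticated URL prefixes.
     *
     * @return always {@code null}
     */
    public List<String> getUnAuthenticatedURLPrefix() {
        return null;
    }

    /**
     * @return always {@link Boolean#FALSE}: OAuth 1 requests are never answered with a login prompt
     */
    public Boolean needLoginPrompt(HttpServletRequest httpServletRequest) {
        return Boolean.FALSE;
    }

    /**
     * @return always {@link Boolean#FALSE}: no login prompt is produced by this plugin
     */
    public Boolean handleLoginPrompt(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse, String str) {
        return Boolean.FALSE;
    }

    /**
     * Tries to authenticate the request through its OAuth 1 signature.
     *
     * @param httpServletRequest the incoming request
     * @param httpServletResponse unused
     * @return identification info built from the resolved login (the login is passed for both
     *         constructor arguments), or {@code null} when the request is not OAuth 1 signed or
     *         the OAuth 1 check fails
     */
    public UserIdentificationInfo handleRetrieveIdentity(HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
        if (!isOAuth1SignedRequest(httpServletRequest)) {
            log.trace("Not an OAuth 1 signed request");
            return null;
        }
        String login = getIdentity(httpServletRequest);
        if (login == null) {
            log.trace("OAuth 1 auth failed");
            return null;
        }
        log.trace("OAuth 1 auth for user: {}", login);
        return new UserIdentificationInfo(login, login);
    }

    /**
     * Coarse pre-filter deciding whether the OAuth 1 path is attempted at all.
     *
     * <p>This is a substring test, not a parse of the authorization scheme: any
     * {@code Authorization} header containing the text {@code OAuth} passes, as does any request
     * carrying an {@code oauth_signature} parameter. It grants nothing by itself; the decision is
     * made by the signature validation in {@link #getOAuth1Identity(HttpServletRequest)}.
     *
     * @param httpServletRequest the incoming request
     * @return {@code true} if the request should be handed to the OAuth 1 validation
     */
    protected boolean isOAuth1SignedRequest(HttpServletRequest httpServletRequest) {
        String authorization = httpServletRequest.getHeader("Authorization");
        if (authorization != null && authorization.contains("OAuth")) {
            return true;
        }
        return httpServletRequest.getParameter("oauth_signature") != null;
    }

    /**
     * Runs {@link #getOAuth1Identity(HttpServletRequest)} inside a transaction.
     *
     * @param httpServletRequest the incoming request
     * @return the resolved login, or {@code null} if validation failed or an {@link IOException}
     *         occurred while reading the message (logged at debug level)
     */
    protected String getIdentity(HttpServletRequest httpServletRequest) {
        return (String) TransactionHelper.runInTransaction(() -> {
            try {
                return getOAuth1Identity(httpServletRequest);
            } catch (IOException e) {
                log.debug(e, e);
                return null;
            }
        });
    }

    /**
     * Resolves the consumer and login for an OAuth 1 message and validates its signature.
     *
     * <p>Two modes are handled:
     * <ul>
     * <li>an access token known to the token store: the login bound to that token is used;</li>
     * <li>no known access token ("signed fetch"): allowed only when the consumer permits it, in
     * which case the login is the consumer's configured signed-fetch user, or the value of the
     * {@code opensocial_viewer_id} / {@code opensocial_owner_id} message parameter when the
     * consumer is configured with the matching marker constant.</li>
     * </ul>
     * In both modes the login is returned only after {@code validateMessage} has accepted the
     * message; a rejected message yields {@code null}.
     *
     * @param httpServletRequest the incoming request
     * @return the login to authenticate as, or {@code null} when the consumer is unknown, signed
     *         fetch is not allowed, or the message fails validation
     * @throws IOException if the OAuth message cannot be read from the request
     */
    protected String getOAuth1Identity(HttpServletRequest httpServletRequest) throws IOException {
        OAuthMessage message = OAuthServlet.getMessage(httpServletRequest, getRequestURL(httpServletRequest));
        String consumerKey = message.getConsumerKey();
        NuxeoOAuthConsumer consumer = ((OAuthConsumerRegistry) Framework.getService(OAuthConsumerRegistry.class)).getConsumer(consumerKey, message.getSignatureMethod());
        if (consumer == null && consumerKey != null) {
            // Not a registered consumer: fall back to the server's own internal consumer when the
            // key matches the internal key.
            OAuthServerKeyManager keyManager = (OAuthServerKeyManager) Framework.getService(OAuthServerKeyManager.class);
            if (consumerKey.equals(keyManager.getInternalKey())) {
                consumer = keyManager.getInternalConsumer();
            }
        }
        if (consumer == null) {
            return null;
        }

        OAuthAccessor accessor = new OAuthAccessor(consumer);
        // NOTE(review): a fresh validator is created for every request. If the net.oauth version
        // in use keeps its record of already-seen nonces on the validator instance, that record
        // cannot span requests and replay protection would rest on the timestamp window alone.
        // Confirm against the library version on the classpath.
        SimpleOAuthValidator validator = new SimpleOAuthValidator();
        OAuthToken accessToken = ((OAuthTokenStore) Framework.getService(OAuthTokenStore.class)).getAccessToken(message.getToken());

        String login;
        if (accessToken != null) {
            accessor.accessToken = accessToken.getToken();
            accessor.tokenSecret = accessToken.getTokenSecret();
            login = accessToken.getNuxeoLogin();
        } else {
            if (!consumer.allowSignedFetch()) {
                return null;
            }
            login = consumer.getSignedFetchUser();
            // The login may come from a request parameter here; it is only handed back below,
            // after the message has passed validation.
            if (NuxeoOAuthConsumer.SIGNEDFETCH_OPENSOCIAL_VIEWER.equals(login)) {
                login = message.getParameter("opensocial_viewer_id");
            } else if (NuxeoOAuthConsumer.SIGNEDFETCH_OPENSOCIAL_OWNER.equals(login)) {
                login = message.getParameter("opensocial_owner_id");
            }
        }

        try {
            validator.validateMessage(message, accessor);
            return login;
        } catch (OAuthException | URISyntaxException e) {
            log.debug("Invalid OAuth signature", e);
            return null;
        }
    }

    /**
     * Returns the request URL, with its scheme replaced by the {@code X-Forwarded-Proto} header
     * when that header names a different scheme.
     *
     * <p>The result is the URL handed to the OAuth message in
     * {@link #getOAuth1Identity(HttpServletRequest)}. The header is read from the request as-is;
     * nothing in this class checks that it was set by a trusted reverse proxy, so deployments
     * should have the proxy overwrite it. To keep a client-supplied value from injecting arbitrary
     * text into the URL, the header is honoured only when it is a syntactically valid URI scheme
     * (RFC 3986); otherwise the URL is returned unchanged.
     *
     * <p>The URL scheme is compared for equality with the header. A prefix comparison would treat
     * an {@code https://} URL as already matching a forwarded {@code http} and skip the rewrite.
     *
     * @param httpServletRequest the incoming request
     * @return the request URL, possibly with its scheme rewritten
     */
    public static String getRequestURL(HttpServletRequest httpServletRequest) {
        String url = httpServletRequest.getRequestURL().toString();
        String forwardedProto = httpServletRequest.getHeader("X-Forwarded-Proto");
        if (forwardedProto == null || !isUriScheme(forwardedProto)) {
            return url;
        }
        int schemeEnd = url.indexOf("://");
        // No scheme separator (not expected for a servlet request URL) or scheme already matches.
        if (schemeEnd < 0 || url.substring(0, schemeEnd).equals(forwardedProto)) {
            return url;
        }
        return forwardedProto + url.substring(schemeEnd);
    }

    /** Checks the RFC 3986 scheme grammar: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ). */
    private static boolean isUriScheme(String value) {
        if (value.isEmpty() || !isAsciiLetter(value.charAt(0))) {
            return false;
        }
        for (int i = 1; i < value.length(); i++) {
            char c = value.charAt(i);
            boolean allowed = isAsciiLetter(c) || (c >= '0' && c <= '9') || c == '+' || c == '-' || c == '.';
            if (!allowed) {
                return false;
            }
        }
        return true;
    }

    /** ASCII-only letter test; {@link Character#isLetter(char)} would accept non-ASCII letters. */
    private static boolean isAsciiLetter(char c) {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
    }
}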
