package com.liferay.analytics.settings.internal.security.auth.verifier;

import com.liferay.analytics.settings.configuration.AnalyticsConfiguration;
import com.liferay.petra.string.StringBundler;
import com.liferay.portal.kernel.json.JSONFactoryUtil;
import com.liferay.portal.kernel.json.JSONUtil;
import com.liferay.portal.kernel.log.Log;
import com.liferay.portal.kernel.log.LogFactoryUtil;
import com.liferay.portal.kernel.module.configuration.ConfigurationProvider;
import com.liferay.portal.kernel.security.auth.AccessControlContext;
import com.liferay.portal.kernel.security.auth.AuthException;
import com.liferay.portal.kernel.security.auth.verifier.AuthVerifier;
import com.liferay.portal.kernel.security.auth.verifier.AuthVerifierResult;
import com.liferay.portal.kernel.security.service.access.policy.ServiceAccessPolicy;
import com.liferay.portal.kernel.service.UserLocalService;
import com.liferay.portal.kernel.util.Base64;
import com.liferay.portal.kernel.util.GetterUtil;
import com.liferay.portal.kernel.util.Portal;
import java.nio.charset.Charset;
import java.security.KeyFactory;
import java.security.Signature;
import java.security.spec.X509EncodedKeySpec;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Properties;
import java.util.Set;
import java.util.TreeMap;
import javax.servlet.http.HttpServletRequest;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.component.annotations.Reference;

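/**
 * Authenticates requests to {@code /o/segments-asah/v1.0/experiments/*} that carry a
 * {@code Liferay-Analytics-Cloud-Security-Signature} header.
 *
 * <p>A request is accepted when, in this order: the company has an analytics token configured,
 * the remote address passes the optional host allow list, the signed timestamp is not older than
 * {@link #_EXPIRATION}, and the signature verifies against the configured public key. An accepted
 * request runs as the company's {@code analytics.administrator} user with the
 * {@code ANALYTICS_CLOUD_TOKEN} service access policy.
 *
 * <p>Security review notes (existing protocol behavior, deliberately left unchanged because the
 * signer must produce exactly the same bytes):
 * <ul>
 *   <li>The signed message covers the request path, the first value of each request parameter and
 *       the timestamp header. The HTTP method, additional values of a repeated parameter, and
 *       (as far as this class shows) the request body are not covered.</li>
 *   <li>Names and values are concatenated without delimiters, so different parameter sets can
 *       canonicalize to the same signed string.</li>
 *   <li>There is no nonce: a captured request can be replayed until its timestamp expires.</li>
 *   <li>The token is only checked for presence; it is never compared with anything here.</li>
 * </ul>
 */
@Component(
    configurationPid = {"com.liferay.analytics.settings.configuration.AnalyticsConfiguration.scoped"},
    configurationPolicy = ConfigurationPolicy.REQUIRE,
    property = {"auth.verifier.AnalyticsSecurityAuthVerifier.urls.includes=/o/segments-asah/v1.0/experiments/*"},
    service = {AuthVerifier.class}
)
public class AnalyticsSecurityAuthVerifier implements AuthVerifier {

    /** Maximum accepted age of the signed timestamp, in milliseconds (10 minutes). */
    private static final long _EXPIRATION = 600000;

    private static final String _HEADER_SIGNATURE = "Liferay-Analytics-Cloud-Security-Signature";

    private static final String _HEADER_TIMESTAMP = "Liferay-Analytics-Cloud-Security-Timestamp";

    private static final String _SCREEN_NAME_ANALYTICS_ADMINISTRATOR = "analytics.administrator";

    private static final String _SERVICE_ACCESS_POLICY_NAME = "ANALYTICS_CLOUD_TOKEN";

    // NOTE(review): with the default JDK providers the bare "DSA" signature name presumably
    // resolves to SHA1withDSA -- confirm, and plan a migration to a SHA-256 based scheme together
    // with the signing side. It cannot be changed here alone without breaking verification.
    private static final String _SIGNATURE_ALGORITHM = "DSA";

    private static final Log _log = LogFactoryUtil.getLog(AnalyticsSecurityAuthVerifier.class);

    @Reference
    private ConfigurationProvider _configurationProvider;

    @Reference
    private Portal _portal;

    @Reference
    private UserLocalService _userLocalService;

    /**
     * Returns the authentication type reported for this verifier.
     *
     * @return the simple class name of this verifier
     */
    @Override
    public String getAuthType() {
        return getClass().getSimpleName();
    }

    /**
     * Verifies the Analytics Cloud signature of the current request.
     *
     * @param accessControlContext the context holding the current request
     * @param properties the verifier properties (not used by this implementation)
     * @return a result in state {@code SUCCESS} with the analytics administrator's user ID when
     *         every check passes; otherwise a freshly created result whose state was never set
     *         (presumably "not applicable" -- confirm against {@code AuthVerifierResult})
     * @throws AuthException wrapping any exception raised while loading the configuration,
     *         decoding the key or signature, verifying, or resolving the administrator user
     */
    @Override
    public AuthVerifierResult verify(AccessControlContext accessControlContext, Properties properties)
        throws AuthException {

        AuthVerifierResult authVerifierResult = new AuthVerifierResult();

        HttpServletRequest request = accessControlContext.getRequest();

        String signatureHeader = request.getHeader(_HEADER_SIGNATURE);

        if (signatureHeader == null) {
            return authVerifierResult;
        }

        try {
            long companyId = _portal.getCompanyId(request);

            AnalyticsConfiguration analyticsConfiguration =
                (AnalyticsConfiguration) _configurationProvider.getCompanyConfiguration(
                    AnalyticsConfiguration.class, companyId);

            // NOTE(review): only token() is checked. A missing publicKey() is not detected here
            // and reaches Base64.decode in _validateSignature -- confirm how that fails.
            if (analyticsConfiguration.token() == null) {
                if (_log.isDebugEnabled()) {
                    _log.debug("Missing security configuration");
                }

                return authVerifierResult;
            }

            // An empty allow list disables the address check entirely (fail-open).
            // NOTE(review): getRemoteAddr() is the direct peer; behind a reverse proxy or load
            // balancer this is presumably the proxy address, not the caller -- verify deployment.
            Set<String> hostsAllowed = JSONUtil.toStringSet(
                JSONFactoryUtil.createJSONArray(analyticsConfiguration.hostsAllowed()));

            String remoteAddr = request.getRemoteAddr();

            if (!hostsAllowed.isEmpty() && !hostsAllowed.contains(remoteAddr)) {
                if (_log.isDebugEnabled()) {
                    _log.debug("Access denied for " + remoteAddr);
                }

                return authVerifierResult;
            }

            String timestampHeader = request.getHeader(_HEADER_TIMESTAMP);

            // Only timestamps that are too OLD are rejected. A missing or unparsable header
            // presumably parses to 0 and is therefore treated as expired -- confirm GetterUtil.
            // NOTE(review): a timestamp in the future is accepted no matter how far ahead it is,
            // so a signed request carrying one stays replayable past the 10-minute window.
            // Consider also bounding the positive skew once the signer's clock tolerance is known.
            if (System.currentTimeMillis() - GetterUtil.getLong(timestampHeader) > _EXPIRATION) {
                if (_log.isDebugEnabled()) {
                    // NOTE(review): header values are caller-controlled and logged unescaped.
                    _log.debug("Signature timestamp expired " + timestampHeader);
                }

                return authVerifierResult;
            }

            if (!_validateSignature(
                    request, analyticsConfiguration.publicKey(), signatureHeader, timestampHeader)) {

                if (_log.isDebugEnabled()) {
                    _log.debug("Invalid signature " + signatureHeader);
                }

                return authVerifierResult;
            }

            @SuppressWarnings("unchecked") // the entry under this key is only ever created below
            List<String> serviceAccessPolicyNames =
                (List<String>) authVerifierResult.getSettings().computeIfAbsent(
                    ServiceAccessPolicy.SERVICE_ACCESS_POLICY_NAMES, key -> new ArrayList<String>());

            serviceAccessPolicyNames.add(_SERVICE_ACCESS_POLICY_NAME);

            authVerifierResult.setState(AuthVerifierResult.State.SUCCESS);
            authVerifierResult.setUserId(_getAnalyticsAdminUserId(companyId));

            return authVerifierResult;
        } catch (Exception e) {
            throw new AuthException(e);
        }
    }

    /**
     * Resolves the user that verified Analytics Cloud requests run as.
     *
     * @param companyId the company of the current request
     * @return the user ID of the company's {@code analytics.administrator} user
     * @throws NullPointerException if the company has no such user; the message names the company
     *         so the resulting {@link AuthException} can be diagnosed
     */
    private long _getAnalyticsAdminUserId(long companyId) {
        // The lookup result was dereferenced unchecked before, so a missing user surfaced as a
        // message-less NullPointerException. Same exception type, now with an explanation.
        return Objects.requireNonNull(
            _userLocalService.fetchUserByScreenName(companyId, _SCREEN_NAME_ANALYTICS_ADMINISTRATOR),
            "No user with screen name " + _SCREEN_NAME_ANALYTICS_ADMINISTRATOR + " in company " + companyId
        ).getUserId();
    }

    /**
     * Verifies the signature over the canonical form of the request.
     *
     * <p>The signed string is: context path + servlet path + path info, followed by every
     * name and value pair in ascending name order, where the pairs are the first value of each
     * request parameter plus the timestamp header under its header name.
     *
     * @param request the current request
     * @param publicKey the Base64 encoded X.509 public key from the company configuration
     * @param signatureHeader the Base64 encoded signature sent by the caller
     * @param timestampHeader the timestamp header value, included in the signed string
     * @return {@code true} if the signature matches the canonical request string
     * @throws Exception if the key or signature cannot be decoded or verification fails to run
     */
    private boolean _validateSignature(
            HttpServletRequest request, String publicKey, String signatureHeader, String timestampHeader)
        throws Exception {

        Signature signature = Signature.getInstance(_SIGNATURE_ALGORITHM);

        signature.initVerify(
            KeyFactory.getInstance(_SIGNATURE_ALGORITHM).generatePublic(
                new X509EncodedKeySpec(Base64.decode(publicKey))));

        // Sorted by name so signer and verifier agree on the order.
        Map<String, String> signedValues = new TreeMap<>();

        for (Map.Entry<String, String[]> entry : request.getParameterMap().entrySet()) {
            // Only the first value is signed; further values of a repeated parameter are not.
            signedValues.put(entry.getKey(), entry.getValue()[0]);
        }

        // Overrides any request parameter that happens to use the header's name.
        signedValues.put(_HEADER_TIMESTAMP, timestampHeader);

        StringBundler sb = new StringBundler((2 * signedValues.size()) + 3);

        sb.append(request.getContextPath());
        sb.append(request.getServletPath());

        // NOTE(review): getPathInfo() may be null; confirm how StringBundler renders a null
        // String and that the signer produces the same text for such requests.
        sb.append(request.getPathInfo());

        for (Map.Entry<String, String> entry : signedValues.entrySet()) {
            sb.append(entry.getKey());
            sb.append(entry.getValue());
        }

        // NOTE(review): the platform default charset makes the signed bytes depend on JVM
        // settings for non-ASCII parameter values. Kept as is because the signer's encoding is
        // not visible here -- confirm it and pin an explicit charset on both sides.
        signature.update(sb.toString().getBytes(Charset.defaultCharset()));

        return signature.verify(Base64.decode(signatureHeader));
    }
}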
