package org.apache.jackrabbit.oak.spi.security.authentication.external.impl.jmx;

import com.google.common.base.Function;
import com.google.common.base.Predicates;
import com.google.common.collect.Iterators;
import java.io.IOException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import javax.jcr.Credentials;
import javax.jcr.NoSuchWorkspaceException;
import javax.jcr.RepositoryException;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.commons.json.JsonUtil;
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.ContentRepository;
import org.apache.jackrabbit.oak.api.ContentSession;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.plugins.value.jcr.ValueFactoryImpl;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import org.apache.jackrabbit.oak.spi.security.authentication.SystemSubject;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentity;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityException;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityProvider;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityRef;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalUser;
import org.apache.jackrabbit.oak.spi.security.authentication.external.SyncContext;
import org.apache.jackrabbit.oak.spi.security.authentication.external.SyncException;
import org.apache.jackrabbit.oak.spi.security.authentication.external.SyncHandler;
import org.apache.jackrabbit.oak.spi.security.authentication.external.SyncResult;
import org.apache.jackrabbit.oak.spi.security.authentication.external.SyncedIdentity;
import org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncResultImpl;
import org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncedIdentity;
import org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalIdentityConstants;
import org.apache.jackrabbit.oak.spi.security.user.UserConfiguration;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee.class */
public final class Delegatee {
    private static final Logger log = LoggerFactory.getLogger(Delegatee.class);
    // Message of the SyncRuntimeException thrown when the system login in createInstance fails.
    private static final String ERROR_CREATE_DELEGATEE = "Unable to create delegatee";
    // Log template for a failed per-user sync; {} receives the user id or the external identity.
    private static final String ERROR_SYNC_USER = "Error while syncing user {}";
    // A threshold of 0 makes commit(...) flush any non-empty batch, because size >= 0 always holds.
    private static final int NO_BATCH_SIZE = 0;
    // Batch size used by the createInstance overload that takes no explicit size.
    private static final int DEFAULT_BATCH_SIZE = 100;
    // Creates the SyncContext and lists the identities already synced into the repository.
    private final SyncHandler handler;
    // The external identity provider this delegatee syncs against; its name scopes isMyIDP.
    private final ExternalIdentityProvider idp;
    // User manager bound to `root`; pending changes become persistent only through root.commit().
    private final UserManager userMgr;
    // Session obtained under SystemSubject in createInstance; released in close().
    private final ContentSession systemSession;
    // Latest root of the system session; committed and refreshed once per batch.
    private final Root root;
    // Number of pending results that triggers an intermediate commit.
    private final int batchSize;
    // Set to null by close(); every sync operation dereferences it, so a closed delegatee fails with an NPE.
    private SyncContext context;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.apache.jackrabbit.oak.spi.security.authentication.external.impl.jmx.Delegatee$3, reason: invalid class name */
    /* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee$3.class */
    /**
     * Compiler-generated switch lookup table, surfaced by the decompiler as a named class.
     *
     * <p>The array is indexed by {@code SyncResult.Status.ordinal()} and holds a case
     * number from 1 to 10 for each status constant. Every assignment sits in its own
     * try block so that a constant that fails to resolve when this class is initialised
     * only leaves its slot at 0 instead of aborting initialisation.
     *
     * <p>This is build output rather than hand-written logic; the case numbers carry no
     * meaning outside the switch statements that index this table.
     */
    public static /* synthetic */ class AnonymousClass3 {
        // Sized from the enum as it exists at run time; unassigned slots keep the int default 0.
        static final /* synthetic */ int[] $SwitchMap$org$apache$jackrabbit$oak$spi$security$authentication$external$SyncResult$Status = new int[SyncResult.Status.values().length];

        static {
            try {
                $SwitchMap$org$apache$jackrabbit$oak$spi$security$authentication$external$SyncResult$Status[SyncResult.Status.ADD.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
                // Deliberately ignored: a missing constant keeps slot value 0, which matches no case label 1..10.
            }
            try {
                $SwitchMap$org$apache$jackrabbit$oak$spi$security$authentication$external$SyncResult$Status[SyncResult.Status.DELETE.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$apache$jackrabbit$oak$spi$security$authentication$external$SyncResult$Status[SyncResult.Status.UPDATE.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$org$apache$jackrabbit$oak$spi$security$authentication$external$SyncResult$Status[SyncResult.Status.ENABLE.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$org$apache$jackrabbit$oak$spi$security$authentication$external$SyncResult$Status[SyncResult.Status.DISABLE.ordinal()] = 5;
            } catch (NoSuchFieldError e5) {
            }
            try {
                $SwitchMap$org$apache$jackrabbit$oak$spi$security$authentication$external$SyncResult$Status[SyncResult.Status.NOP.ordinal()] = 6;
            } catch (NoSuchFieldError e6) {
            }
            try {
                $SwitchMap$org$apache$jackrabbit$oak$spi$security$authentication$external$SyncResult$Status[SyncResult.Status.NO_SUCH_AUTHORIZABLE.ordinal()] = 7;
            } catch (NoSuchFieldError e7) {
            }
            try {
                $SwitchMap$org$apache$jackrabbit$oak$spi$security$authentication$external$SyncResult$Status[SyncResult.Status.NO_SUCH_IDENTITY.ordinal()] = 8;
            } catch (NoSuchFieldError e8) {
            }
            try {
                $SwitchMap$org$apache$jackrabbit$oak$spi$security$authentication$external$SyncResult$Status[SyncResult.Status.MISSING.ordinal()] = 9;
            } catch (NoSuchFieldError e9) {
            }
            try {
                $SwitchMap$org$apache$jackrabbit$oak$spi$security$authentication$external$SyncResult$Status[SyncResult.Status.FOREIGN.ordinal()] = 10;
            } catch (NoSuchFieldError e10) {
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authentication/external/impl/jmx/Delegatee$ErrorSyncResult.class */
    /**
     * Sync result that records a failure for one identity together with the exception
     * that caused it.
     *
     * <p>{@link #getStatus()} always reports {@code NOP}, so the status alone does not
     * distinguish a failed sync from a no-op. The failure only becomes visible through
     * {@link #append(List)}, which emits an {@code ERR} message carrying the exception text.
     */
    public static final class ErrorSyncResult implements SyncResult {
        private final SyncedIdentity syncedIdentity;
        private final Exception error;

        /**
         * Builds an error result from a user id and an optional provider name.
         *
         * @param str  the user id; also used as the id part of the external reference
         * @param str2 provider name, or {@code null} to record no external reference
         * @param exc  the failure to report
         */
        private ErrorSyncResult(@NotNull String str, @Nullable String str2, @NotNull Exception exc) {
            ExternalIdentityRef ref = null;
            if (str2 != null) {
                ref = new ExternalIdentityRef(str, str2);
            }
            syncedIdentity = new DefaultSyncedIdentity(str, ref, false, -1L);
            error = exc;
        }

        /**
         * Builds an error result from an external reference; the reference id doubles as
         * the user id.
         *
         * @param externalIdentityRef reference of the identity that failed to sync
         * @param exc                 the failure to report
         */
        private ErrorSyncResult(@NotNull ExternalIdentityRef externalIdentityRef, @NotNull Exception exc) {
            String id = externalIdentityRef.getId();
            syncedIdentity = new DefaultSyncedIdentity(id, externalIdentityRef, false, -1L);
            error = exc;
        }

        /** Returns the identity the failure refers to. */
        @Override
        @NotNull
        public SyncedIdentity getIdentity() {
            return syncedIdentity;
        }

        /** Always {@code NOP}: a failed sync is reported as having changed nothing. */
        @Override
        @NotNull
        public SyncResult.Status getStatus() {
            return SyncResult.Status.NOP;
        }

        /**
         * Appends the {@code ERR} message for this failure to the given message list.
         *
         * @param list message list to append to
         */
        public void append(@NotNull List<String> list) {
            Delegatee.append(list, syncedIdentity, error);
        }
    }

    /**
     * Wires the delegatee to an already opened session.
     *
     * <p>The latest root of the session backs both the user manager and the value
     * factory handed to the sync context, so all changes made through the context stay
     * pending on that root until {@code commit} persists them.
     *
     * <p>The session and the user id of its auth info are written to the info log.
     *
     * @param syncHandler              handler that creates the sync context
     * @param externalIdentityProvider provider to sync against
     * @param contentSession           session to operate with; closed by {@link #close()}
     * @param securityProvider         source of the {@code UserConfiguration}
     * @param i                        batch size for intermediate commits
     */
    private Delegatee(@NotNull SyncHandler syncHandler, @NotNull ExternalIdentityProvider externalIdentityProvider, @NotNull ContentSession contentSession, @NotNull SecurityProvider securityProvider, int i) {
        handler = syncHandler;
        idp = externalIdentityProvider;
        systemSession = contentSession;
        batchSize = i;
        root = contentSession.getLatestRoot();

        UserConfiguration userConfig = (UserConfiguration) securityProvider.getConfiguration(UserConfiguration.class);
        userMgr = userConfig.getUserManager(root, NamePathMapper.DEFAULT);

        ValueFactoryImpl valueFactory = new ValueFactoryImpl(root, NamePathMapper.DEFAULT);
        context = syncHandler.createContext(externalIdentityProvider, userMgr, valueFactory);

        log.info("Created delegatee for SyncMBean with session: {} {}", contentSession, contentSession.getAuthInfo().getUserID());
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates a delegatee that commits in batches of {@code DEFAULT_BATCH_SIZE}.
     *
     * <p>Delegates to the five-argument overload, which opens the repository session
     * under {@code SystemSubject}.
     *
     * @param contentRepository        repository to log into
     * @param securityProvider         source of the user configuration
     * @param syncHandler              handler that creates the sync context
     * @param externalIdentityProvider provider to sync against
     * @return a new delegatee; the caller is responsible for calling {@link #close()}
     */
    public static Delegatee createInstance(@NotNull ContentRepository contentRepository, @NotNull SecurityProvider securityProvider, @NotNull SyncHandler syncHandler, @NotNull ExternalIdentityProvider externalIdentityProvider) {
        final int batch = DEFAULT_BATCH_SIZE;
        return createInstance(contentRepository, securityProvider, syncHandler, externalIdentityProvider, batch);
    }

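    /**
     * Creates a delegatee backed by a session opened under {@code SystemSubject}.
     *
     * <p>The login passes {@code null} credentials and a {@code null} workspace name
     * inside {@code Subject.doAs(SystemSubject.INSTANCE, ...)}. Every sync, purge and
     * commit performed by the returned object therefore runs with the rights of that
     * session rather than those of whoever invokes the operation, so access must be
     * restricted where the delegatee is exposed.
     * NOTE(review): confirm that the MBean using this class is only reachable by administrators.
     *
     * <p>If wiring the delegatee fails after the login succeeded, the session is closed
     * before the exception propagates so that no privileged session is left open.
     *
     * @param contentRepository        repository to log into
     * @param securityProvider         source of the user configuration
     * @param syncHandler              handler that creates the sync context
     * @param externalIdentityProvider provider to sync against
     * @param i                        batch size for intermediate commits
     * @return a new delegatee; the caller is responsible for calling {@link #close()}
     * @throws SyncRuntimeException if the system login fails
     */
    static Delegatee createInstance(@NotNull final ContentRepository contentRepository, @NotNull SecurityProvider securityProvider, @NotNull SyncHandler syncHandler, @NotNull ExternalIdentityProvider externalIdentityProvider, int i) {
        ContentSession session;
        try {
            session = Subject.doAs(SystemSubject.INSTANCE, new PrivilegedExceptionAction<ContentSession>() {
                @Override
                public ContentSession run() throws NoSuchWorkspaceException, LoginException {
                    return contentRepository.login((Credentials) null, (String) null);
                }
            });
        } catch (PrivilegedActionException e) {
            throw new SyncRuntimeException(ERROR_CREATE_DELEGATEE, e);
        }
        try {
            return new Delegatee(syncHandler, externalIdentityProvider, session, securityProvider, i);
        } catch (RuntimeException e) {
            // The constructor failed after login: release the system session instead of leaking it.
            close(session);
            throw e;
        }
    }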

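    /**
     * Closes the given session, logging instead of propagating an {@code IOException}.
     *
     * <p>Best effort by design: a failure to close must not mask the result of the
     * operation that preceded it. The exception is passed to the logger so the cause
     * and stack trace of a session that could not be released are kept.
     *
     * @param contentSession the session to close
     */
    private static void close(@NotNull ContentSession contentSession) {
        try {
            contentSession.close();
        } catch (IOException e) {
            log.error("Error while closing ContentSession {}", contentSession, e);
        }
    }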

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Releases the sync context and then the system session.
     *
     * <p>The context is closed at most once; the field is cleared afterwards, so any
     * sync operation invoked on a closed delegatee fails with a
     * {@code NullPointerException}. The session is closed on every call.
     */
    public void close() {
        SyncContext current = this.context;
        if (current != null) {
            current.close();
            this.context = null;
        }
        close(this.systemSession);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Syncs the users with the given ids and reports one message per result.
     *
     * <p>User and group sync are both forced. Results are committed in batches of
     * {@code batchSize}; whatever is still pending after the last id is flushed at the end.
     *
     * @param strArr ids of the users to sync, each passed to {@code SyncContext.sync(String)}
     * @param z      when {@code true}, {@code keepMissing} is switched off on the context;
     *               presumably this lets users that no longer exist on the provider be
     *               removed (confirm against {@code SyncContext})
     * @return messages of the form {@code {op:"...",uid:...,eid:...}}, with an extra
     *         {@code msg} field for errors; keys are unquoted, so this is not strict JSON
     */
    @NotNull
    public String[] syncUsers(@NotNull String[] strArr, boolean z) {
        final boolean keepMissing = !z;
        this.context.setKeepMissing(keepMissing).setForceGroupSync(true).setForceUserSync(true);

        List<String> messages = new ArrayList<>();
        List<SyncResult> pending = new ArrayList<>(this.batchSize);
        for (int idx = 0; idx < strArr.length; idx++) {
            pending = syncUser(strArr[idx], false, pending, messages);
        }
        // Flush the remainder regardless of how many results are pending.
        commit(messages, pending, NO_BATCH_SIZE);
        return messages.toArray(new String[0]);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Re-syncs every identity already present in the repository that belongs to this
     * provider according to {@code isMyIDP}.
     *
     * <p>Identities attributed to another provider are skipped, so this operation never
     * updates or removes users owned by a different identity provider.
     *
     * @param z when {@code true}, {@code keepMissing} is switched off on the context;
     *          presumably this lets users that no longer exist on the provider be
     *          removed (confirm against {@code SyncContext})
     * @return one message per processed result, in the format produced by {@code append}
     * @throws IllegalStateException if listing the synced identities fails
     */
    @NotNull
    public String[] syncAllUsers(boolean z) {
        List<String> messages = new ArrayList<>();
        try {
            this.context.setKeepMissing(!z).setForceGroupSync(true).setForceUserSync(true);
            Iterator<SyncedIdentity> synced = this.handler.listIdentities(this.userMgr);
            List<SyncResult> pending = new ArrayList<>(this.batchSize);
            while (synced.hasNext()) {
                SyncedIdentity candidate = synced.next();
                if (!isMyIDP(candidate)) {
                    continue;
                }
                pending = syncUser(candidate.getId(), false, pending, messages);
            }
            // Flush the remainder regardless of how many results are pending.
            commit(messages, pending, NO_BATCH_SIZE);
            return messages.toArray(new String[0]);
        } catch (RepositoryException e) {
            throw new IllegalStateException("Error retrieving users for syncing", e);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Syncs the external identities named by the given reference strings.
     *
     * <p>Each string is parsed with {@code ExternalIdentityRef.fromString}. A reference
     * whose provider name differs from this provider's name is not looked up and is
     * reported as {@code FOREIGN}; a reference the provider does not know is reported
     * as {@code NO_SUCH_IDENTITY}; a provider failure is logged and reported as an error
     * result. Only identities actually returned by the provider are synced.
     *
     * @param strArr external reference strings supplied by the caller
     * @return one message per processed result, in the format produced by {@code append}
     */
    @NotNull
    public String[] syncExternalUsers(@NotNull String[] strArr) {
        List<String> messages = new ArrayList<>();
        this.context.setForceGroupSync(true).setForceUserSync(true);
        List<SyncResult> pending = new ArrayList<>(this.batchSize);

        for (String refString : strArr) {
            ExternalIdentityRef ref = ExternalIdentityRef.fromString(refString);

            // References owned by another provider are reported, never resolved.
            if (!this.idp.getName().equals(ref.getProviderName())) {
                pending.add(new DefaultSyncResultImpl(new DefaultSyncedIdentity(ref.getId(), ref, false, -1L), SyncResult.Status.FOREIGN));
                continue;
            }

            try {
                ExternalIdentity resolved = this.idp.getIdentity(ref);
                if (resolved == null) {
                    pending.add(new DefaultSyncResultImpl(new DefaultSyncedIdentity("", ref, false, -1L), SyncResult.Status.NO_SUCH_IDENTITY));
                } else {
                    pending = syncUser(resolved, pending, messages);
                }
            } catch (ExternalIdentityException e) {
                log.warn("error while fetching the external identity {}", refString, e);
                pending.add(new ErrorSyncResult(ref, e));
            }
        }

        // Flush the remainder regardless of how many results are pending.
        commit(messages, pending, NO_BATCH_SIZE);
        return messages.toArray(new String[0]);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Syncs every user the identity provider lists.
     *
     * <p>User and group sync are both forced. The set of users written to the
     * repository is exactly what {@code idp.listUsers()} returns, so the result is only
     * as trustworthy as the provider's answer.
     *
     * @return one message per processed result, in the format produced by {@code append}
     * @throws SyncRuntimeException if the provider cannot list its users
     */
    @NotNull
    public String[] syncAllExternalUsers() {
        List<String> messages = new ArrayList<>();
        this.context.setForceGroupSync(true).setForceUserSync(true);
        try {
            List<SyncResult> pending = new ArrayList<>(this.batchSize);
            for (Iterator<ExternalUser> users = this.idp.listUsers(); users.hasNext(); ) {
                pending = syncUser(users.next(), pending, messages);
            }
            // Flush the remainder regardless of how many results are pending.
            commit(messages, pending, NO_BATCH_SIZE);
            return messages.toArray(new String[0]);
        } catch (ExternalIdentityException e) {
            throw new SyncRuntimeException("Unable to retrieve external users", e);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Lists the ids of synced users that this provider no longer knows.
     *
     * <p>Read-only counterpart of {@link #purgeOrphanedUsers()}: it evaluates the same
     * orphan list without changing the repository, which makes it suitable for
     * reviewing what a purge would affect.
     *
     * @return ids of the orphaned users; empty if none were found or listing failed
     */
    @NotNull
    public String[] listOrphanedUsers() {
        Iterator<String> orphanIds = internalListOrphanedIdentities();
        return Iterators.toArray(orphanIds, String.class);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Syncs every orphaned user with {@code keepMissing} switched off.
     *
     * <p>An id counts as orphaned when the provider returns {@code null} for its
     * external reference; ids whose lookup raised an exception are left out of the list
     * and are therefore not touched. Presumably the sync removes each orphan from the
     * repository (confirm against {@code SyncContext.sync}), so a provider that wrongly
     * answers "unknown" for existing accounts would cause them to be purged.
     *
     * @return one message per processed result, in the format produced by {@code append}
     */
    @NotNull
    public String[] purgeOrphanedUsers() {
        this.context.setKeepMissing(false);
        List<String> messages = new ArrayList<>();
        Iterator<String> orphanIds = internalListOrphanedIdentities();
        List<SyncResult> pending = new ArrayList<>(this.batchSize);
        while (orphanIds.hasNext()) {
            pending = syncUser(orphanIds.next(), true, pending, messages);
        }
        // Flush the remainder regardless of how many results are pending.
        commit(messages, pending, NO_BATCH_SIZE);
        return messages.toArray(new String[0]);
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Tells whether a synced identity is attributed to this identity provider.
     *
     * <p>An identity without an external reference, or whose reference has no provider
     * name, is never claimed. An <em>empty</em> provider name is claimed by every
     * provider, so such identities fall within the scope of each delegatee's sync and
     * purge operations.
     *
     * @param syncedIdentity the identity to test
     * @return {@code true} if the provider name is empty or equals this provider's name
     */
    public boolean isMyIDP(@NotNull SyncedIdentity syncedIdentity) {
        ExternalIdentityRef ref = syncedIdentity.getExternalIdRef();
        if (ref == null) {
            return false;
        }
        String name = ref.getProviderName();
        if (name == null) {
            return false;
        }
        return name.isEmpty() || name.equals(this.idp.getName());
    }

    /**
     * Syncs one external identity and records the outcome in the pending batch.
     *
     * <p>A result without an identity is replaced by a {@code NO_SUCH_IDENTITY} result
     * built from the external identity and logged as a failure. A {@code SyncException}
     * is logged and recorded as an error result; it does not abort the surrounding loop.
     *
     * @param externalIdentity the identity to sync
     * @param list             pending results of the current batch
     * @param list2            message list that receives the output of a commit
     * @return the batch to keep using: {@code list}, or a fresh list after a commit
     */
    @NotNull
    private List<SyncResult> syncUser(@NotNull ExternalIdentity externalIdentity, @NotNull List<SyncResult> list, @NotNull List<String> list2) {
        try {
            SyncResult outcome = this.context.sync(externalIdentity);
            if (outcome.getIdentity() != null) {
                log.info("synced {}", outcome.getIdentity());
            } else {
                SyncedIdentity placeholder = new DefaultSyncedIdentity(externalIdentity.getId(), externalIdentity.getExternalId(), false, -1L);
                outcome = new DefaultSyncResultImpl(placeholder, SyncResult.Status.NO_SUCH_IDENTITY);
                log.warn("sync failed. {}", outcome.getIdentity());
            }
            list.add(outcome);
        } catch (SyncException e) {
            log.error(ERROR_SYNC_USER, externalIdentity, e);
            list.add(new ErrorSyncResult(externalIdentity.getExternalId(), e));
        }
        return commit(list2, list, this.batchSize);
    }

    /**
     * Syncs one user by id and records the outcome in the pending batch.
     *
     * <p>A {@code SyncException} is logged and recorded as an error result; it does not
     * abort the surrounding loop.
     *
     * @param str   id of the user to sync
     * @param z     whether an error result should carry this provider's name as its
     *              external reference; {@code false} records no reference
     * @param list  pending results of the current batch
     * @param list2 message list that receives the output of a commit
     * @return the batch to keep using: {@code list}, or a fresh list after a commit
     */
    private List<SyncResult> syncUser(@NotNull String str, boolean z, @NotNull List<SyncResult> list, @NotNull List<String> list2) {
        try {
            SyncResult outcome = this.context.sync(str);
            list.add(outcome);
        } catch (SyncException e) {
            log.warn(ERROR_SYNC_USER, str, e);
            String providerName = null;
            if (z) {
                providerName = this.idp.getName();
            }
            list.add(new ErrorSyncResult(str, providerName, e));
        }
        return commit(list2, list, this.batchSize);
    }

    /**
     * Commits the pending batch once it holds at least {@code i} results.
     *
     * <p>On success each result is turned into a message. On a
     * {@code CommitFailedException} the results are reported through the error variant
     * of {@code append}, so changes that were not persisted are not reported as applied.
     * The root is refreshed on every path that attempted a commit, presumably dropping
     * uncommitted changes so that a failed batch cannot leak into the next one (confirm
     * against {@code Root.refresh()}).
     *
     * @param list  message list that receives one entry per result
     * @param list2 pending results
     * @param i     minimum batch size that triggers the commit; 0 flushes any non-empty batch
     * @return {@code list2} if nothing was committed, otherwise a fresh empty list
     */
    private List<SyncResult> commit(@NotNull List<String> list, @NotNull List<SyncResult> list2, int i) {
        if (list2.isEmpty()) {
            return list2;
        }
        try {
            if (list2.size() < i) {
                // Batch not full yet: keep collecting.
                return list2;
            }
            try {
                this.root.commit();
                append(list, list2);
                this.root.refresh();
            } catch (CommitFailedException e) {
                append(list, list2, (Exception) e);
                this.root.refresh();
            }
            return new ArrayList<>(i);
        } catch (Throwable th) {
            // Any other failure: refresh before letting it propagate.
            this.root.refresh();
            throw th;
        }
    }

    /**
     * Returns a lazy iterator over the ids of synced identities that belong to this
     * provider but for which the provider returns no external identity.
     *
     * <p>The provider is queried while the iterator is consumed, not when this method
     * returns. A lookup that throws is logged and the identity is left out of the
     * result, so a provider error is never treated as "identity is gone". A failure to
     * list the synced identities is logged and yields an empty iterator, which callers
     * cannot tell apart from "no orphans".
     *
     * @return iterator over orphaned user ids; never {@code null}
     */
    @NotNull
    private Iterator<String> internalListOrphanedIdentities() {
        final Function<SyncedIdentity, String> orphanIdOrNull = new Function<SyncedIdentity, String>() {
            @Nullable
            public String apply(@Nullable SyncedIdentity syncedIdentity) {
                if (syncedIdentity == null || !Delegatee.this.isMyIDP(syncedIdentity)) {
                    return null;
                }
                ExternalIdentityRef ref = syncedIdentity.getExternalIdRef();
                ExternalIdentity resolved = null;
                if (ref != null) {
                    try {
                        resolved = Delegatee.this.idp.getIdentity(ref);
                    } catch (ExternalIdentityException e) {
                        Delegatee.log.error("Error while fetching external identity {}", syncedIdentity, e);
                        return null;
                    }
                }
                // Only an identity the provider does not return counts as orphaned.
                return resolved == null ? syncedIdentity.getId() : null;
            }
        };
        try {
            Iterator<SyncedIdentity> synced = this.handler.listIdentities(this.userMgr);
            return Iterators.filter(Iterators.transform(synced, orphanIdOrNull), Predicates.notNull());
        } catch (RepositoryException e) {
            log.error("Error while listing orphaned users", e);
            return Collections.emptyIterator();
        }
    }

    /**
     * Appends the message for a single result.
     *
     * <p>Error results format themselves as {@code ERR}; every other result is
     * reported with the operation code derived from its status and no message text.
     *
     * @param list       message list to append to
     * @param syncResult the result to report
     */
    private static void append(@NotNull List<String> list, @NotNull SyncResult syncResult) {
        if (!(syncResult instanceof ErrorSyncResult)) {
            SyncedIdentity identity = syncResult.getIdentity();
            String op = getOperationFromStatus(syncResult.getStatus());
            append(list, identity, op, null);
            return;
        }
        ((ErrorSyncResult) syncResult).append(list);
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Appends an {@code ERR} message for the given identity.
     *
     * <p>The message text is {@code exc.toString()}, i.e. the exception class name and
     * its message. That text ends up in the array returned by the sync operations, so
     * whatever detail the exception carries is disclosed to the caller of those
     * operations.
     *
     * @param list           message list to append to
     * @param syncedIdentity identity the error refers to, or {@code null}
     * @param exc            the failure to report
     */
    public static void append(@NotNull List<String> list, @Nullable SyncedIdentity syncedIdentity, @NotNull Exception exc) {
        String detail = exc.toString();
        append(list, syncedIdentity, "ERR", detail);
    }

    /**
     * Formats one result message and appends it to the list.
     *
     * <p>The user id, the external reference and the optional message are passed
     * through {@code JsonUtil.getJsonString} before being inserted. The operation code
     * is inserted between quotes as is, so it must only ever be one of the fixed codes
     * used within this class. Keys are unquoted, so the output is not strict JSON.
     *
     * @param list           message list to append to
     * @param syncedIdentity identity to report, or {@code null}
     * @param str            operation code
     * @param str2           message text, or {@code null} to omit the {@code msg} field
     */
    private static void append(@NotNull List<String> list, @Nullable SyncedIdentity syncedIdentity, @NotNull String str, @Nullable String str2) {
        String rawId = null;
        if (syncedIdentity != null) {
            rawId = syncedIdentity.getId();
        }
        String uid = JsonUtil.getJsonString(rawId);

        ExternalIdentityRef ref = null;
        if (syncedIdentity != null) {
            ref = syncedIdentity.getExternalIdRef();
        }
        String eid = "\"\"";
        if (ref != null) {
            eid = JsonUtil.getJsonString(ref.getString());
        }

        String line;
        if (str2 != null) {
            line = String.format("{op:\"%s\",uid:%s,eid:%s,msg:%s}", str, uid, eid, JsonUtil.getJsonString(str2));
        } else {
            line = String.format("{op:\"%s\",uid:%s,eid:%s}", str, uid, eid);
        }
        list.add(line);
    }

    /**
     * Appends the message for every result of a successfully committed batch, in order.
     *
     * @param list  message list to append to
     * @param list2 results to report
     */
    private static void append(@NotNull List<String> list, @NotNull List<SyncResult> list2) {
        for (SyncResult result : list2) {
            append(list, result);
        }
    }

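    /**
     * Appends the messages for a batch whose commit failed.
     *
     * <p>Results that would have modified the repository ({@code ADD}, {@code DELETE},
     * {@code UPDATE}, {@code ENABLE}, {@code DISABLE}) are reported as {@code ERR} with
     * the commit failure, because their changes were not persisted. Results that
     * changed nothing keep their normal message, and error results report their own
     * failure.
     *
     * <p>The switch is written against the enum constants directly rather than against
     * numeric case labels, one of which was expressed through an unrelated constant.
     *
     * @param list  message list to append to
     * @param list2 results of the failed batch
     * @param exc   the commit failure
     */
    private static void append(@NotNull List<String> list, @NotNull List<SyncResult> list2, @NotNull Exception exc) {
        for (SyncResult result : list2) {
            if (result instanceof ErrorSyncResult) {
                ((ErrorSyncResult) result).append(list);
                continue;
            }
            switch (result.getStatus()) {
                case ADD:
                case DELETE:
                case UPDATE:
                case ENABLE:
                case DISABLE:
                    // The change was part of the failed commit: do not report it as applied.
                    append(list, result.getIdentity(), exc);
                    break;
                default:
                    append(list, result);
                    break;
            }
        }
    }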

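    /**
     * Maps a sync status to the three-letter operation code used in result messages.
     *
     * <p>The switch is written against the enum constants directly rather than against
     * numeric case labels, one of which was expressed through an unrelated constant.
     *
     * @param status the status to translate
     * @return the operation code, or an empty string for a status without a code
     */
    private static String getOperationFromStatus(SyncResult.Status status) {
        switch (status) {
            case ADD:
                return "add";
            case DELETE:
                return "del";
            case UPDATE:
                return "upd";
            case ENABLE:
                return "ena";
            case DISABLE:
                return "dis";
            case NOP:
                return "nop";
            case NO_SUCH_AUTHORIZABLE:
                return "nsa";
            case NO_SUCH_IDENTITY:
                return "nsi";
            case MISSING:
                return "mis";
            case FOREIGN:
                return "for";
            default:
                return "";
        }
    }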
}
