package org.apache.jackrabbit.oak.spi.security.authentication.external.impl;

import java.util.HashSet;
import java.util.Set;
import javax.jcr.RepositoryException;
import javax.jcr.Value;
import javax.jcr.ValueFactory;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalGroup;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentity;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityException;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityProvider;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityRef;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalUser;
import org.apache.jackrabbit.oak.spi.security.authentication.external.PrincipalNameResolver;
import org.apache.jackrabbit.oak.spi.security.authentication.external.SyncException;
import org.apache.jackrabbit.oak.spi.security.authentication.external.SyncResult;
import org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncConfig;
import org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncContext;
import org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncResultImpl;
import org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncedIdentity;
import org.jetbrains.annotations.NotNull;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncContext.class */
public class DynamicSyncContext extends DefaultSyncContext {
    private static final Logger log = LoggerFactory.getLogger(DynamicSyncContext.class);

    public DynamicSyncContext(@NotNull DefaultSyncConfig defaultSyncConfig, @NotNull ExternalIdentityProvider externalIdentityProvider, @NotNull UserManager userManager, @NotNull ValueFactory valueFactory) {
        super(defaultSyncConfig, externalIdentityProvider, userManager, valueFactory);
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncContext, org.apache.jackrabbit.oak.spi.security.authentication.external.SyncContext
    @NotNull
    public SyncResult sync(@NotNull ExternalIdentity externalIdentity) throws SyncException {
        if (externalIdentity instanceof ExternalUser) {
            return super.sync(externalIdentity);
        }
        if (!(externalIdentity instanceof ExternalGroup)) {
            throw new IllegalArgumentException("identity must be user or group but was: " + externalIdentity);
        }
        try {
            Group group = (Group) getAuthorizable(externalIdentity, Group.class);
            if (group != null) {
                return syncGroup((ExternalGroup) externalIdentity, group);
            }
            ExternalIdentityRef externalId = externalIdentity.getExternalId();
            log.debug("ExternalGroup {}: Not synchronized as authorizable Group into the repository.", externalId.getString());
            return new DefaultSyncResultImpl(new DefaultSyncedIdentity(externalIdentity.getId(), externalId, true, -1L), isSameIDP(externalId) ? SyncResult.Status.NOP : SyncResult.Status.FOREIGN);
        } catch (RepositoryException e) {
            throw new SyncException((Throwable) e);
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncContext
    public void syncMembership(@NotNull ExternalIdentity externalIdentity, @NotNull Authorizable authorizable, long j) throws RepositoryException {
        Value[] createValues;
        if (authorizable.isGroup()) {
            return;
        }
        if (authorizable.hasProperty("rep:lastSynced") && !authorizable.hasProperty(ExternalIdentityConstants.REP_EXTERNAL_PRINCIPAL_NAMES)) {
            super.syncMembership(externalIdentity, authorizable, j);
            return;
        }
        try {
            if (j <= 0) {
                createValues = new Value[0];
            } else {
                HashSet hashSet = new HashSet();
                collectPrincipalNames(hashSet, externalIdentity.getDeclaredGroups(), j);
                createValues = createValues(hashSet);
            }
            authorizable.setProperty(ExternalIdentityConstants.REP_EXTERNAL_PRINCIPAL_NAMES, createValues);
        } catch (ExternalIdentityException e) {
            log.error("Failed to synchronize membership information for external identity {}", externalIdentity.getId(), e);
        }
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncContext
    protected void applyMembership(@NotNull Authorizable authorizable, @NotNull Set<String> set) throws RepositoryException {
        log.debug("Dynamic membership sync enabled => omit setting auto-membership for {} ", authorizable.getID());
    }

    private void collectPrincipalNames(@NotNull Set<String> set, @NotNull Iterable<ExternalIdentityRef> iterable, long j) throws ExternalIdentityException {
        boolean z = j <= 1 && (this.idp instanceof PrincipalNameResolver);
        for (ExternalIdentityRef externalIdentityRef : iterable) {
            if (z) {
                set.add(((PrincipalNameResolver) this.idp).fromExternalIdentityRef(externalIdentityRef));
            } else {
                ExternalIdentity identity = this.idp.getIdentity(externalIdentityRef);
                if (identity instanceof ExternalGroup) {
                    set.add(identity.getPrincipalName());
                    if (j > 1) {
                        collectPrincipalNames(set, identity.getDeclaredGroups(), j - 1);
                    }
                } else {
                    log.debug("Not an external group ({}) => ignore.", identity);
                }
            }
        }
    }
}
