package org.apache.jackrabbit.oak.spi.security.authentication.external.impl.principal;

import java.security.Principal;
import java.util.Collections;
import java.util.Iterator;
import java.util.Objects;
import java.util.Set;
import java.util.Spliterators;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import java.util.stream.StreamSupport;
import javax.jcr.RepositoryException;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.guava.common.collect.ImmutableSet;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.ResultRow;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.plugins.tree.TreeAware;
import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityRef;
import org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncContext;
import org.apache.jackrabbit.oak.spi.security.user.AuthorizableType;
import org.apache.jackrabbit.oak.spi.security.user.util.UserUtil;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/DynamicGroupUtil.class */
public class DynamicGroupUtil {
    private static final Logger log = LoggerFactory.getLogger(DynamicGroupUtil.class);
    private static final Set<String> MEMBER_NODE_NAMES = ImmutableSet.of("rep:members", "rep:membersList");
    private static final Set<String> MEMBERS_TYPES = ImmutableSet.of("rep:MemberReferences", "rep:MemberReferencesList", "rep:Members");

    private DynamicGroupUtil() {
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static boolean isGroup(@NotNull Tree tree) {
        return UserUtil.isType(tree, AuthorizableType.GROUP);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static boolean isMemberProperty(@NotNull PropertyState propertyState) {
        return "rep:members".equals(propertyState.getName());
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @Nullable
    public static String findGroupIdInHierarchy(@NotNull Tree tree) {
        Tree tree2 = tree;
        while (true) {
            Tree tree3 = tree2;
            if (tree3.isRoot()) {
                return null;
            }
            String authorizableId = UserUtil.getAuthorizableId(tree3);
            if (authorizableId != null) {
                return authorizableId;
            }
            tree2 = tree3.getParent();
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @NotNull
    public static Tree getTree(@NotNull Authorizable authorizable, @NotNull Root root) throws RepositoryException {
        return authorizable instanceof TreeAware ? ((TreeAware) authorizable).getTree() : root.getTree(authorizable.getPath());
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static boolean hasStoredMemberInfo(@NotNull Group group, @NotNull Root root) {
        try {
            Tree tree = getTree(group, root);
            if (!tree.hasProperty("rep:members")) {
                Stream<String> stream = MEMBER_NODE_NAMES.stream();
                Objects.requireNonNull(tree);
                if (!stream.anyMatch(tree::hasChild)) {
                    return false;
                }
            }
            return true;
        } catch (RepositoryException e) {
            log.error("Cannot test for stored members information, failed to obtain tree from group.", e);
            return false;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static boolean isMembersType(@NotNull Tree tree) {
        String primaryTypeName = TreeUtil.getPrimaryTypeName(tree);
        return primaryTypeName != null && MEMBERS_TYPES.contains(primaryTypeName);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @Nullable
    public static String getIdpName(@NotNull Tree tree) {
        PropertyState property = tree.getProperty("rep:externalId");
        if (property != null) {
            return ExternalIdentityRef.fromString((String) property.getValue(Type.STRING)).getProviderName();
        }
        return null;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @Nullable
    public static String getIdpName(@NotNull ResultRow resultRow) {
        return getIdpName(resultRow.getTree((String) null));
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @Nullable
    public static String getIdpName(@NotNull Authorizable authorizable) throws RepositoryException {
        ExternalIdentityRef identityRef = DefaultSyncContext.getIdentityRef(authorizable);
        if (identityRef == null) {
            return null;
        }
        return identityRef.getProviderName();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static boolean isSameIDP(@NotNull Authorizable authorizable, @NotNull Authorizable authorizable2) throws RepositoryException {
        String idpName = getIdpName(authorizable);
        if (idpName == null) {
            log.warn("Referenced dynamic group '{}' not associated with an external IDP.", authorizable.getID());
            return false;
        }
        String idpName2 = getIdpName(authorizable2);
        if (idpName.equals(idpName2)) {
            return true;
        }
        log.warn("IDP mismatch between dynamic group '{}' and member '{}'.", idpName, idpName2);
        return false;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static Set<Principal> getInheritedPrincipals(@NotNull Principal principal, @NotNull UserManager userManager) {
        try {
            Authorizable authorizable = userManager.getAuthorizable(principal);
            if (authorizable != null && authorizable.isGroup()) {
                Iterator memberOf = authorizable.memberOf();
                if (memberOf.hasNext()) {
                    return (Set) StreamSupport.stream(Spliterators.spliteratorUnknownSize(memberOf, 0), false).map(group -> {
                        try {
                            return group.getPrincipal();
                        } catch (RepositoryException e) {
                            return null;
                        }
                    }).filter((v0) -> {
                        return Objects.nonNull(v0);
                    }).collect(Collectors.toSet());
                }
            }
        } catch (RepositoryException e) {
            log.error("Failed to retrieve inherited group principals", e);
        }
        return Collections.emptySet();
    }
}
