package org.apache.jackrabbit.oak.spi.security.authentication.external.impl;

import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import javax.jcr.RepositoryException;
import javax.jcr.Value;
import javax.jcr.ValueFactory;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.guava.common.collect.Iterables;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalGroup;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentity;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityException;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityProvider;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityRef;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalUser;
import org.apache.jackrabbit.oak.spi.security.authentication.external.PrincipalNameResolver;
import org.apache.jackrabbit.oak.spi.security.authentication.external.SyncException;
import org.apache.jackrabbit.oak.spi.security.authentication.external.SyncResult;
import org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncConfig;
import org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncContext;
import org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncResultImpl;
import org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncedIdentity;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncContext.class */
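/**
 * Sync context that records a user's external group membership as principal names stored in
 * {@link ExternalIdentityConstants#REP_EXTERNAL_PRINCIPAL_NAMES} on the user, instead of relying
 * on the membership handling of {@link DefaultSyncContext}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>only group references accepted by {@code isSameIDP} are collected;</li>
 *   <li>a principal name is dropped when it collides with an existing user, with a group owned by
 *       a different IDP, or with a group whose principal name does not match
 *       (see {@link #isConflictingGroup});</li>
 *   <li>memberships that cross the IDP boundary are never removed, only logged.</li>
 * </ul>
 *
 * <p>This listing is decompiler output; {@code syncMembership} was reconstructed from the
 * instruction dump the decompiler emitted in place of the method body.
 */
public class DynamicSyncContext extends DefaultSyncContext {
    private static final Logger log = LoggerFactory.getLogger(DynamicSyncContext.class);

    /**
     * Result of resolving one external group reference: the principal name to store, plus the
     * external group and the repository group when they were looked up (either may be null).
     *
     * <p>Decompiler note: the access modifier of this class was widened from {@code private}.
     */
    public static class SyncEntry {
        private final String principalName;
        private final ExternalGroup externalGroup;
        private final Group group;

        private SyncEntry(@NotNull String principalName, @Nullable ExternalGroup externalGroup, @Nullable Group group) {
            this.principalName = principalName;
            this.externalGroup = externalGroup;
            this.group = group;
        }
    }

    public DynamicSyncContext(@NotNull DefaultSyncConfig defaultSyncConfig, @NotNull ExternalIdentityProvider externalIdentityProvider, @NotNull UserManager userManager, @NotNull ValueFactory valueFactory) {
        super(defaultSyncConfig, externalIdentityProvider, userManager, valueFactory);
    }

    /**
     * Converts an already synced user from repository group membership to stored principal names.
     *
     * @param authorizable the authorizable to convert
     * @return {@code false} if {@code authorizable} is a group or {@link #groupsSyncedBefore}
     *         does not hold for it; {@code true} once membership was cleared and the collected
     *         principal names were written
     * @throws RepositoryException if a repository operation fails
     */
    public boolean convertToDynamicMembership(@NotNull Authorizable authorizable) throws RepositoryException {
        if (authorizable.isGroup() || !groupsSyncedBefore(authorizable)) {
            return false;
        }
        // The principal names of the groups the user is removed from become the stored names.
        Collection<String> principalNames = clearGroupMembership(authorizable);
        setExternalPrincipalNames(authorizable, createValues(principalNames));
        return true;
    }

    /**
     * Synchronizes an external identity. Users are delegated to the superclass; groups are
     * handled here and yield {@link SyncResult.Status#FOREIGN} when they belong to another IDP.
     *
     * @param externalIdentity the identity to synchronize
     * @return the result of the synchronization
     * @throws SyncException if synchronization fails
     * @throws IllegalArgumentException if the identity is neither a user nor a group
     */
    @Override
    @NotNull
    public SyncResult sync(@NotNull ExternalIdentity externalIdentity) throws SyncException {
        if (externalIdentity instanceof ExternalUser) {
            return super.sync(externalIdentity);
        }
        if (!(externalIdentity instanceof ExternalGroup)) {
            throw new IllegalArgumentException("identity must be user or group but was: " + externalIdentity);
        }
        ExternalIdentityRef externalId = externalIdentity.getExternalId();
        if (isSameIDP(externalId)) {
            return sync((ExternalGroup) externalIdentity, externalId);
        }
        // Identities of a different IDP are reported, never written.
        warnForeign(externalIdentity);
        return new DefaultSyncResultImpl(new DefaultSyncedIdentity(externalIdentity.getId(), externalId, true, -1L), SyncResult.Status.FOREIGN);
    }

    /**
     * Synchronizes an external group of this IDP: an existing repository group is updated; a
     * missing one is created only when dynamic groups are enabled, otherwise the result is NOP.
     */
    @NotNull
    private SyncResult sync(@NotNull ExternalGroup externalGroup, @NotNull ExternalIdentityRef externalIdentityRef) throws SyncException {
        try {
            Group group = (Group) getAuthorizable(externalGroup, Group.class);
            if (group != null) {
                return syncGroup(externalGroup, group);
            }
            if (!hasDynamicGroups()) {
                log.debug("ExternalGroup {}: Not synchronized as Group into the repository.", externalIdentityRef.getString());
                return new DefaultSyncResultImpl(new DefaultSyncedIdentity(externalGroup.getId(), externalIdentityRef, true, -1L), SyncResult.Status.NOP);
            }
            log.debug("ExternalGroup {}: synchronizing as dynamic group {}.", externalIdentityRef.getString(), externalGroup.getId());
            DefaultSyncResultImpl result = syncGroup(externalGroup, createGroup(externalGroup));
            result.setStatus(SyncResult.Status.ADD);
            return result;
        } catch (RepositoryException e) {
            throw new SyncException(e);
        }
    }

    /**
     * Synchronizes the group membership of a user. Groups are skipped entirely.
     *
     * <p>A user that was synced before without stored principal names keeps the superclass
     * behaviour unless dynamic sync is enforced. Otherwise the declared groups are collected,
     * their principal names are stored, dynamic groups are created when enabled and the depth is
     * positive, and existing repository membership is cleared when a cleanup is due.
     *
     * <p>Decompiler note: the access modifier was widened from {@code protected}, and the body
     * was rebuilt from the instruction dump because the decompiler only emitted a stub that
     * threw {@link UnsupportedOperationException}.
     *
     * @param externalIdentity the external identity whose declared groups are read
     * @param authorizable the repository authorizable to update
     * @param depth nesting depth passed on to the collection of declared groups
     * @throws RepositoryException if a repository operation fails
     */
    @Override
    public void syncMembership(@NotNull ExternalIdentity externalIdentity, @NotNull Authorizable authorizable, long depth) throws RepositoryException {
        if (authorizable.isGroup()) {
            return;
        }
        boolean syncedBefore = groupsSyncedBefore(authorizable);
        if (syncedBefore && !enforceDynamicSync()) {
            super.syncMembership(externalIdentity, authorizable, depth);
            return;
        }
        try {
            boolean cleanup = syncedBefore || requiresCleanup(authorizable);
            Iterable<ExternalIdentityRef> declaredGroups = externalIdentity.getDeclaredGroups();
            Map<ExternalIdentityRef, SyncEntry> entries = collectSyncEntries(declaredGroups, depth);
            setExternalPrincipalNames(authorizable, entries.values());
            if (hasDynamicGroups() && depth > 0) {
                createDynamicGroups(entries.values());
            }
            if (cleanup) {
                clearGroupMembership(authorizable);
            }
        } catch (ExternalIdentityException e) {
            // NOTE(review): the failure is only logged. If it is raised before the principal
            // names are written, the values already stored on the authorizable stay in place,
            // so membership derived from them is not refreshed by this run.
            log.error("Failed to synchronize membership information for external identity {}", externalIdentity.getId(), e);
        }
    }

    /** Intentionally writes nothing: auto-membership is not applied by this context. */
    @Override
    protected void applyMembership(@NotNull Authorizable authorizable, @NotNull Set<String> set) throws RepositoryException {
        log.debug("Dynamic membership sync enabled => omit setting auto-membership for {} ", authorizable.getID());
    }

    /** Stores the distinct principal names of the entries; an empty collection stores an empty array. */
    private void setExternalPrincipalNames(@NotNull Authorizable authorizable, @NotNull Collection<SyncEntry> entries) throws RepositoryException {
        Value[] values = entries.isEmpty()
                ? new Value[0]
                : createValues(entries.stream().map(entry -> entry.principalName).collect(Collectors.toSet()));
        setExternalPrincipalNames(authorizable, values);
    }

    /** Writes the principal names together with the timestamp of this dynamic sync. */
    private void setExternalPrincipalNames(@NotNull Authorizable authorizable, @NotNull Value[] values) throws RepositoryException {
        authorizable.setProperty(ExternalIdentityConstants.REP_EXTERNAL_PRINCIPAL_NAMES, values);
        authorizable.setProperty(ExternalIdentityConstants.REP_LAST_DYNAMIC_SYNC, this.nowValue);
    }

    /**
     * Collects one entry per accepted declared group reference.
     *
     * @return an empty map when {@code depth} is not positive, otherwise the collected entries
     */
    @NotNull
    private Map<ExternalIdentityRef, SyncEntry> collectSyncEntries(@NotNull Iterable<ExternalIdentityRef> declaredGroupRefs, long depth) throws RepositoryException, ExternalIdentityException {
        if (depth <= 0) {
            return Collections.emptyMap();
        }
        Map<ExternalIdentityRef, SyncEntry> entries = new HashMap<>();
        collectSyncEntries(declaredGroupRefs, depth, entries);
        return entries;
    }

    /**
     * Resolves each reference of this IDP to a principal name and adds it to {@code entries},
     * descending into the declared groups of each resolved group while {@code depth > 1}.
     */
    private void collectSyncEntries(@NotNull Iterable<ExternalIdentityRef> declaredGroupRefs, long depth, @NotNull Map<ExternalIdentityRef, SyncEntry> entries) throws ExternalIdentityException, RepositoryException {
        boolean shortcut = shortcut(depth);
        // References that do not belong to this IDP are filtered out before any lookup.
        for (ExternalIdentityRef ref : Iterables.filter(declaredGroupRefs, this::isSameIDP)) {
            String principalName = null;
            Authorizable existing = null;
            ExternalGroup externalGroup = null;
            if (shortcut) {
                // shortcut() has verified that the IDP implements PrincipalNameResolver.
                principalName = ((PrincipalNameResolver) this.idp).fromExternalIdentityRef(ref);
                existing = this.userManager.getAuthorizable(new PrincipalImpl(principalName));
            } else {
                externalGroup = getExternalGroupFromRef(ref);
                if (externalGroup != null) {
                    principalName = externalGroup.getPrincipalName();
                    existing = this.userManager.getAuthorizable(externalGroup.getId());
                    if (depth > 1) {
                        collectSyncEntries(externalGroup.getDeclaredGroups(), depth - 1, entries);
                    }
                }
            }
            // isConflictingGroup returns false for anything that is not a group, so the cast
            // below only sees null or a Group.
            if (principalName != null && !isConflictingGroup(existing, principalName)) {
                entries.put(ref, new SyncEntry(principalName, externalGroup, (Group) existing));
            }
        }
    }

    /** Whether principal names can be resolved from the reference alone, without loading the group. */
    private boolean shortcut(long depth) {
        return depth <= 1 && (this.idp instanceof PrincipalNameResolver) && !hasDynamicGroups();
    }

    /**
     * Decides whether an existing authorizable prevents the principal name from being recorded.
     *
     * @param authorizable the authorizable found for the external group, or null if none exists
     * @param principalName the principal name of the external group
     * @return {@code true} if the authorizable is a user, a group of a different IDP, or a group
     *         with a different principal name; {@code false} if there is no conflict
     */
    private boolean isConflictingGroup(@Nullable Authorizable authorizable, @NotNull String principalName) throws RepositoryException {
        if (authorizable == null) {
            return false;
        }
        if (!authorizable.isGroup()) {
            log.warn("Existing user '{}' collides with external group defined by IDP '{}'.", authorizable.getID(), this.idp.getName());
            return true;
        }
        if (!isSameIDP(authorizable)) {
            warnForeignExisting(authorizable, true);
            return true;
        }
        if (principalName.equals(authorizable.getPrincipal().getName())) {
            return false;
        }
        log.warn("Existing group with id '{}' doesn't have matching principal name. found '{}', expected '{}', IDP '{}'.", authorizable.getID(), authorizable.getPrincipal().getName(), principalName, this.idp.getName());
        return true;
    }

    /** Creates the repository group of each entry where missing and synchronizes it. */
    private void createDynamicGroups(@NotNull Iterable<SyncEntry> entries) throws RepositoryException {
        for (SyncEntry entry : entries) {
            // Entries produced by the shortcut path carry no external group and cannot be used here.
            Objects.requireNonNull(entry.externalGroup, "Cannot create dynamic group from null ExternalIdentity.");
            Group group = entry.group;
            if (group == null) {
                group = createGroup(entry.externalGroup);
            }
            syncGroup(entry.externalGroup, group);
        }
    }

    /**
     * Removes the authorizable from the groups selected by the recursive overload and deletes
     * the groups that overload marked for removal.
     *
     * @return the principal names of the same-IDP groups the membership was removed from
     */
    @NotNull
    private Collection<String> clearGroupMembership(@NotNull Authorizable authorizable) throws RepositoryException {
        Set<String> principalNames = new HashSet<>();
        Set<Group> groupsToRemove = new HashSet<>();
        clearGroupMembership(authorizable, principalNames, groupsToRemove);
        // Groups are deleted only after the whole traversal has finished.
        for (Group group : groupsToRemove) {
            group.remove();
        }
        return principalNames;
    }

    /**
     * Walks the declared membership of {@code authorizable}: membership in groups of this IDP and
     * in configured auto-membership groups is removed and followed recursively; any other group
     * except "everyone" is left untouched and logged.
     */
    private void clearGroupMembership(@NotNull Authorizable authorizable, @NotNull Set<String> principalNames, @NotNull Set<Group> groupsToRemove) throws RepositoryException {
        Iterator<Group> declaredMemberOf = authorizable.declaredMemberOf();
        Set<String> autoMembership = (authorizable.isGroup() ? this.config.group() : this.config.user()).getAutoMembership(authorizable);
        while (declaredMemberOf.hasNext()) {
            Group group = declaredMemberOf.next();
            if (isSameIDP(group)) {
                principalNames.add(group.getPrincipal().getName());
                group.removeMember(authorizable);
                clearGroupMembership(group, principalNames, groupsToRemove);
                if (clearGroup(group)) {
                    groupsToRemove.add(group);
                }
            } else if (autoMembership.contains(group.getID())) {
                group.removeMember(authorizable);
                clearGroupMembership(group, principalNames, groupsToRemove);
            } else if (!isEveryone(group)) {
                log.warn("Ignoring unexpected membership of '{}' in group '{}' crossing IDP boundary.", authorizable.getID(), group.getID());
            }
        }
    }

    private boolean hasDynamicGroups() {
        return this.config.group().getDynamicGroups();
    }

    private boolean enforceDynamicSync() {
        return this.config.user().getEnforceDynamicMembership() || hasDynamicGroups();
    }

    /** A group may be deleted only when dynamic groups are disabled and it has no declared members left. */
    private boolean clearGroup(@NotNull Group group) throws RepositoryException {
        return !hasDynamicGroups() && !group.getDeclaredMembers().hasNext();
    }

    /** True if the authorizable carries a last-synced marker but no stored external principal names. */
    private static boolean groupsSyncedBefore(@NotNull Authorizable authorizable) throws RepositoryException {
        return authorizable.hasProperty("rep:lastSynced") && !authorizable.hasProperty(ExternalIdentityConstants.REP_EXTERNAL_PRINCIPAL_NAMES);
    }

    /** True if the authorizable carries a last-synced marker but no last-dynamic-sync marker. */
    private static boolean requiresCleanup(@NotNull Authorizable authorizable) throws RepositoryException {
        return authorizable.hasProperty("rep:lastSynced") && !authorizable.hasProperty(ExternalIdentityConstants.REP_LAST_DYNAMIC_SYNC);
    }

    /** Best-effort check for the "everyone" group; a failed principal lookup counts as "not everyone". */
    private static boolean isEveryone(@NotNull Group group) {
        try {
            return "everyone".equals(group.getPrincipal().getName());
        } catch (RepositoryException e) {
            // Kept best-effort, but no longer silent: the caller will log the membership as unexpected.
            log.debug("Failed to read the principal of a group while checking for 'everyone'.", e);
            return false;
        }
    }
}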
