package org.apache.jackrabbit.oak.spi.security.authentication.external.impl.principal;

import java.security.Principal;
import java.util.Collections;
import java.util.Dictionary;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.guava.common.collect.ImmutableList;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.spi.commit.MoveTracker;
import org.apache.jackrabbit.oak.spi.commit.ThreeWayConflictHandler;
import org.apache.jackrabbit.oak.spi.commit.ValidatorProvider;
import org.apache.jackrabbit.oak.spi.lifecycle.RepositoryInitializer;
import org.apache.jackrabbit.oak.spi.security.ConfigurationBase;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.SecurityConfiguration;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ProtectionConfig;
import org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalIdentityConstants;
import org.apache.jackrabbit.oak.spi.security.authentication.external.impl.monitor.ExternalIdentityMonitor;
import org.apache.jackrabbit.oak.spi.security.authentication.external.impl.monitor.ExternalIdentityMonitorImpl;
import org.apache.jackrabbit.oak.spi.security.principal.EmptyPrincipalProvider;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalConfiguration;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalManagerImpl;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalProvider;
import org.apache.jackrabbit.oak.spi.security.user.DynamicMembershipService;
import org.apache.jackrabbit.oak.spi.security.user.UserConfiguration;
import org.apache.jackrabbit.oak.spi.xml.ProtectedItemImporter;
import org.apache.jackrabbit.oak.stats.Monitor;
import org.apache.jackrabbit.oak.stats.StatisticsProvider;
import org.jetbrains.annotations.NotNull;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceRegistration;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Deactivate;
import org.osgi.service.metatype.annotations.AttributeDefinition;
import org.osgi.service.metatype.annotations.Designate;
import org.osgi.service.metatype.annotations.ObjectClassDefinition;
import org.osgi.service.metatype.annotations.Option;

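/**
 * {@link PrincipalConfiguration} for identities synchronized from an external IDP.
 * <p>
 * Besides providing the principal provider/manager for dynamic group membership it
 * contributes the commit validators, the protected-item importer and the conflict
 * handler that keep {@code rep:externalId} and synced external users/groups
 * consistent. Three configuration switches drive the protection level:
 * <ul>
 *   <li>{@code protectExternalId} (default {@code true}) — protection of the
 *       {@code rep:externalId} property; handed to the repository initializer and
 *       the {@link ExternalIdentityValidatorProvider}.</li>
 *   <li>{@code protectExternalIdentities} (runtime default {@code None}) — whether
 *       synced external users/groups may be edited locally. Only {@code Warn} and
 *       {@code Protected} install the {@link ExternalUserValidatorProvider}; with
 *       {@code None} that validator is not registered at all, so hardened setups that
 *       want the IDP to remain authoritative must set it explicitly.</li>
 *   <li>{@code systemPrincipalNames} — system user principals that bypass the
 *       external user protection check (see {@link #getValidators}). Keep this list
 *       minimal; it does not grant any permission by itself.</li>
 * </ul>
 * In OSGi the component also registers two {@link DynamicMembershipService}
 * instances (automembership and dynamic groups) backed by the sync-config tracker.
 * <p>
 * Note: the trackers and service registrations are created in {@link #activate};
 * when the class is constructed outside OSGi they stay {@code null}, which is why
 * every accessor below tolerates a {@code null} tracker.
 */
@Designate(ocd = Configuration.class)
@Component(immediate = true, service = {PrincipalConfiguration.class, SecurityConfiguration.class}, property = {"oak.security.name=org.apache.jackrabbit.oak.spi.security.authentication.external.impl.principal.ExternalPrincipalConfiguration", "protectExternalId:Boolean=true"})
public class ExternalPrincipalConfiguration extends ConfigurationBase implements PrincipalConfiguration {
    // Populated in activate(); null when the configuration is created outside OSGi.
    private SyncConfigTracker syncConfigTracker;
    private SyncHandlerMappingTracker syncHandlerMappingTracker;
    private ProtectionConfigTracker protectionConfigTracker;
    private ServiceRegistration automembershipRegistration;
    private ServiceRegistration dynamicMembershipRegistration;
    // NOOP until getMonitors() swaps in the statistics-backed implementation.
    private ExternalIdentityMonitor monitor;

    /**
     * OSGi metatype definition for this component.
     */
    @ObjectClassDefinition(id = "org.apache.jackrabbit.oak.spi.security.authentication.external.impl.principal.ExternalPrincipalConfiguration", name = "Apache Jackrabbit Oak External PrincipalConfiguration")
    @interface Configuration {
        @AttributeDefinition(name = "External Identity Protection", description = "If disabled rep:externalId properties won't be properly protected (backwards compatible behavior). NOTE: for security reasons it is strongly recommend to keep the protection enabled!")
        boolean protectExternalId() default true;

        // No metatype default is declared here; the code falls back to 'None'
        // (see getIdentityProtectionType()), i.e. synced identities are editable
        // unless an administrator selects 'Warn' or 'Protected'.
        @AttributeDefinition(name = "External User and Group Protection", description = "If 'None' is selected the synchronized external users/groups won't be protected (backwards compatible behavior) and can be edited like local users/groups. NOTE: in order to avoid having inconsistencies between the IDP that defines the external identities and local synced identities it is recommend to enable the protection. With option 'Warn' the protection is disabled but warnings will be logged.", options = {@Option(label = ExternalIdentityConstants.VALUE_PROTECT_EXTERNAL_IDENTITIES_NONE, value = ExternalIdentityConstants.VALUE_PROTECT_EXTERNAL_IDENTITIES_NONE), @Option(label = ExternalIdentityConstants.VALUE_PROTECT_EXTERNAL_IDENTITIES_WARN, value = ExternalIdentityConstants.VALUE_PROTECT_EXTERNAL_IDENTITIES_WARN), @Option(label = ExternalIdentityConstants.VALUE_PROTECT_EXTERNAL_IDENTITIES_PROTECTED, value = ExternalIdentityConstants.VALUE_PROTECT_EXTERNAL_IDENTITIES_PROTECTED)})
        String protectExternalIdentities();

        // Every name listed here exempts commits made by that system principal from
        // the ExternalUserValidatorProvider check; treat the list as security-sensitive.
        @AttributeDefinition(name = "System Principal Names", description = "Names of additional 'SystemUserPrincipal' instances that are excluded from the protection check. Note that this configuration does not grant the required permission to perform the operation.", cardinality = 10)
        String[] systemPrincipalNames();
    }

    /**
     * Default constructor used by OSGi DS; parameters are set in {@link #activate}.
     */
    public ExternalPrincipalConfiguration() {
        this.monitor = ExternalIdentityMonitor.NOOP;
    }

    /**
     * Non-OSGi constructor reading the parameters of the principal configuration
     * from the given {@link SecurityProvider}.
     *
     * @param securityProvider the security provider this configuration belongs to
     */
    public ExternalPrincipalConfiguration(SecurityProvider securityProvider) {
        super(securityProvider, securityProvider.getParameters("org.apache.jackrabbit.oak.principal"));
        this.monitor = ExternalIdentityMonitor.NOOP;
    }

    /**
     * @return a {@link PrincipalManagerImpl} wrapping {@link #getPrincipalProvider}.
     */
    @NotNull
    public PrincipalManager getPrincipalManager(Root root, NamePathMapper namePathMapper) {
        return new PrincipalManagerImpl(getPrincipalProvider(root, namePathMapper));
    }

    /**
     * Returns the {@link ExternalGroupPrincipalProvider} while dynamic membership is
     * enabled on the sync-config tracker; otherwise the empty provider, so no
     * external group principals are exposed.
     */
    @NotNull
    public PrincipalProvider getPrincipalProvider(Root root, NamePathMapper namePathMapper) {
        if (!dynamicMembershipEnabled()) {
            return EmptyPrincipalProvider.INSTANCE;
        }
        UserConfiguration userConfiguration = getSecurityProvider().getConfiguration(UserConfiguration.class);
        return new ExternalGroupPrincipalProvider(root, userConfiguration.getUserManager(root, namePathMapper), namePathMapper, this.syncConfigTracker);
    }

    @NotNull
    public String getName() {
        return "org.apache.jackrabbit.oak.principal";
    }

    /**
     * @return initializer that sets up {@code rep:externalId} protection according to
     *         {@code protectExternalId}
     */
    @NotNull
    public RepositoryInitializer getRepositoryInitializer() {
        return new ExternalIdentityRepositoryInitializer(protectedExternalIds());
    }

    /**
     * Assembles the commit validators for external identities.
     * <ul>
     *   <li>{@link ExternalIdentityValidatorProvider} — always; told whether the commit
     *       is made by a configured system principal and whether
     *       {@code rep:externalId} is protected.</li>
     *   <li>{@link DynamicGroupValidatorProvider} — only when at least one IDP has
     *       dynamic groups enabled.</li>
     *   <li>{@link ExternalUserValidatorProvider} — only when the protection type is
     *       not {@code None} AND the commit is not made by a configured system
     *       principal; system principals therefore bypass this validator entirely.</li>
     * </ul>
     *
     * @param workspaceName the workspace being validated (unused here)
     * @param principals    principals of the committing subject
     * @param moveTracker   move tracker of the commit (unused here)
     * @return immutable list of validator providers for this commit
     */
    @NotNull
    public List<? extends ValidatorProvider> getValidators(@NotNull String workspaceName, @NotNull Set<Principal> principals, @NotNull MoveTracker moveTracker) {
        SystemPrincipalConfig systemPrincipalConfig = new SystemPrincipalConfig(getPrincipalNames());
        boolean isSystemPrincipalCommit = systemPrincipalConfig.containsSystemPrincipal(principals);

        // Typed builder instead of the raw ImmutableList.Builder.
        ImmutableList.Builder<ValidatorProvider> validators = new ImmutableList.Builder<>();
        validators.add(new ExternalIdentityValidatorProvider(isSystemPrincipalCommit, protectedExternalIds()));

        Set<String> idpNamesWithDynamicGroups = getIdpNamesWithDynamicGroups();
        if (!idpNamesWithDynamicGroups.isEmpty()) {
            validators.add(new DynamicGroupValidatorProvider(getRootProvider(), getTreeProvider(), getSecurityProvider(), idpNamesWithDynamicGroups));
        }

        IdentityProtectionType protectionType = getIdentityProtectionType();
        boolean protectExternalUsers = protectionType != IdentityProtectionType.NONE && !isSystemPrincipalCommit;
        if (protectExternalUsers) {
            validators.add(new ExternalUserValidatorProvider(getRootProvider(), getTreeProvider(), getSecurityProvider(), protectionType, getProtectionConfig()));
        }
        return validators.build();
    }

    /**
     * @return the importer handling external identity content; it receives the same
     *         system-principal configuration as the validators
     */
    @NotNull
    public List<ProtectedItemImporter> getProtectedItemImporters() {
        return Collections.singletonList(new ExternalIdentityImporter(new SystemPrincipalConfig(getPrincipalNames())));
    }

    /**
     * Replaces the NOOP monitor with a statistics-backed one and returns it.
     */
    @NotNull
    public Iterable<Monitor<?>> getMonitors(@NotNull StatisticsProvider statisticsProvider) {
        this.monitor = new ExternalIdentityMonitorImpl(statisticsProvider);
        return Collections.singleton(this.monitor);
    }

    @NotNull
    public List<ThreeWayConflictHandler> getConflictHandlers() {
        return Collections.singletonList(new ExternalIdentityConflictHandler());
    }

    /**
     * OSGi activation: stores the component properties as configuration parameters,
     * opens the service trackers and registers the two dynamic membership services.
     * The sync-handler-mapping tracker is opened first because the sync-config
     * tracker depends on it.
     */
    @Activate
    private void activate(BundleContext bundleContext, Map<String, Object> properties) {
        setParameters(ConfigurationParameters.of(properties));

        this.syncHandlerMappingTracker = new SyncHandlerMappingTracker(bundleContext);
        this.syncHandlerMappingTracker.open();
        this.syncConfigTracker = new SyncConfigTracker(bundleContext, this.syncHandlerMappingTracker);
        this.syncConfigTracker.open();
        this.protectionConfigTracker = new ProtectionConfigTracker(bundleContext);
        this.protectionConfigTracker.open();

        String serviceName = DynamicMembershipService.class.getName();
        this.automembershipRegistration = bundleContext.registerService(serviceName, new AutomembershipService(this.syncConfigTracker), (Dictionary<String, ?>) null);
        this.dynamicMembershipRegistration = bundleContext.registerService(serviceName, new DynamicGroupMembershipService(this.syncConfigTracker), (Dictionary<String, ?>) null);
    }

    /**
     * OSGi deactivation: closes whatever {@link #activate} managed to open. Null
     * checks cover the case where activation did not run (or did not complete).
     */
    @Deactivate
    private void deactivate() {
        if (this.syncConfigTracker != null) {
            this.syncConfigTracker.close();
        }
        if (this.syncHandlerMappingTracker != null) {
            this.syncHandlerMappingTracker.close();
        }
        if (this.protectionConfigTracker != null) {
            this.protectionConfigTracker.close();
        }
        if (this.automembershipRegistration != null) {
            this.automembershipRegistration.unregister();
        }
        if (this.dynamicMembershipRegistration != null) {
            this.dynamicMembershipRegistration.unregister();
        }
    }

    /** {@code true} only inside OSGi with a tracker reporting dynamic membership enabled. */
    private boolean dynamicMembershipEnabled() {
        SyncConfigTracker tracker = this.syncConfigTracker;
        return tracker != null && tracker.isEnabled();
    }

    /** IDP names with dynamic groups enabled; empty outside OSGi. */
    @NotNull
    private Set<String> getIdpNamesWithDynamicGroups() {
        SyncConfigTracker tracker = this.syncConfigTracker;
        if (tracker == null) {
            return Collections.emptySet();
        }
        return tracker.getIdpNamesWithDynamicGroups();
    }

    /** {@code protectExternalId} parameter; defaults to {@code true}. */
    private boolean protectedExternalIds() {
        return getParameters().getConfigValue(ExternalIdentityConstants.PARAM_PROTECT_EXTERNAL_IDS, true);
    }

    /**
     * {@code protectExternalIdentities} parameter mapped to its enum; defaults to
     * {@link IdentityProtectionType#NONE} when not configured.
     */
    @NotNull
    private IdentityProtectionType getIdentityProtectionType() {
        String label = getParameters().getConfigValue(ExternalIdentityConstants.PARAM_PROTECT_EXTERNAL_IDENTITIES, ExternalIdentityConstants.VALUE_PROTECT_EXTERNAL_IDENTITIES_NONE);
        return IdentityProtectionType.fromLabel(label);
    }

    /** Tracked {@link ProtectionConfig} services, or {@link ProtectionConfig#DEFAULT} outside OSGi. */
    @NotNull
    private ProtectionConfig getProtectionConfig() {
        ProtectionConfigTracker tracker = this.protectionConfigTracker;
        return tracker == null ? ProtectionConfig.DEFAULT : tracker;
    }

    /** Configured {@code systemPrincipalNames}; empty set when not configured. */
    @NotNull
    private Set<String> getPrincipalNames() {
        return getParameters().getConfigValue(ExternalIdentityConstants.PARAM_SYSTEM_PRINCIPAL_NAMES, Collections.<String>emptySet());
    }
}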
