package org.apache.jackrabbit.oak.spi.security.authentication.external.impl.principal;

import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.jcr.RepositoryException;
import javax.jcr.nodetype.ConstraintViolationException;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.commons.PropertiesUtil;
import org.apache.jackrabbit.oak.commons.collections.SetUtils;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityRef;
import org.apache.jackrabbit.oak.spi.security.authentication.external.SyncHandler;
import org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncContext;
import org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DefaultSyncConfigImpl;
import org.apache.jackrabbit.oak.spi.security.user.action.AbstractGroupAction;
import org.apache.jackrabbit.oak.spi.security.user.action.AuthorizableAction;
import org.apache.jackrabbit.oak.spi.security.user.action.AuthorizableActionProvider;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceReference;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.component.annotations.Deactivate;
import org.osgi.service.metatype.annotations.AttributeDefinition;
import org.osgi.service.metatype.annotations.Designate;
import org.osgi.service.metatype.annotations.ObjectClassDefinition;
import org.osgi.util.tracker.ServiceTracker;
import org.osgi.util.tracker.ServiceTrackerCustomizer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Designate(ocd = Configuration.class)
@Component(service = {AuthorizableActionProvider.class}, configurationPolicy = ConfigurationPolicy.REQUIRE, property = {"oak.security.name=org.apache.jackrabbit.oak.spi.security.authentication.external.impl.principal.ExternalAuthorizableActionProvider"})
/* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/ExternalAuthorizableActionProvider.class */
public final class ExternalAuthorizableActionProvider implements AuthorizableActionProvider {
    private static final Logger log = LoggerFactory.getLogger(ExternalAuthorizableActionProvider.class);
    private boolean failAddMembersForDifferentIdp = false;
    private SyncHandlerMappingTracker syncHandlerMappingTracker;
    private AutomembershipTracker automembershipTracker;

    /* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/ExternalAuthorizableActionProvider$AutomembershipTracker.class */
    private static final class AutomembershipTracker extends ServiceTracker {
        private final SyncHandlerMappingTracker mappingTracker;
        private final Set<ServiceReference> refs;
        private final Map<String, Set<String>> userAutoMembership;
        private final Map<String, Set<String>> groupAutoMembership;

        AutomembershipTracker(@NotNull BundleContext bundleContext, @NotNull SyncHandlerMappingTracker syncHandlerMappingTracker) {
            super(bundleContext, SyncHandler.class.getName(), (ServiceTrackerCustomizer) null);
            this.refs = new HashSet();
            this.userAutoMembership = new HashMap();
            this.groupAutoMembership = new HashMap();
            this.mappingTracker = syncHandlerMappingTracker;
        }

        public Object addingService(ServiceReference serviceReference) {
            this.refs.add(serviceReference);
            this.userAutoMembership.clear();
            this.groupAutoMembership.clear();
            return super.addingService(serviceReference);
        }

        public void modifiedService(ServiceReference serviceReference, Object obj) {
            this.refs.add(serviceReference);
            this.userAutoMembership.clear();
            this.groupAutoMembership.clear();
            super.modifiedService(serviceReference, obj);
        }

        public void removedService(ServiceReference serviceReference, Object obj) {
            this.refs.remove(serviceReference);
            this.userAutoMembership.clear();
            this.groupAutoMembership.clear();
            super.removedService(serviceReference, obj);
        }

        @NotNull
        private Map<String, Set<String>> getAutomembership(boolean z) {
            Map<String, Set<String>> map = z ? this.groupAutoMembership : this.userAutoMembership;
            if (map.isEmpty() && !this.refs.isEmpty()) {
                for (ServiceReference serviceReference : this.refs) {
                    String propertiesUtil = PropertiesUtil.toString(serviceReference.getProperty(DefaultSyncConfigImpl.PARAM_NAME), "default");
                    String[] stringArray = PropertiesUtil.toStringArray(serviceReference.getProperty(DefaultSyncConfigImpl.PARAM_USER_AUTO_MEMBERSHIP), new String[0]);
                    String[] stringArray2 = PropertiesUtil.toStringArray(serviceReference.getProperty(DefaultSyncConfigImpl.PARAM_GROUP_AUTO_MEMBERSHIP), new String[0]);
                    for (String str : this.mappingTracker.getIdpNames(propertiesUtil)) {
                        updateAutoMembershipMap(this.userAutoMembership, propertiesUtil, str, stringArray);
                        updateAutoMembershipMap(this.groupAutoMembership, propertiesUtil, str, stringArray2);
                    }
                }
            }
            return map;
        }

        private static void updateAutoMembershipMap(@NotNull Map<String, Set<String>> map, @NotNull String str, @NotNull String str2, @NotNull String[] strArr) {
            Set<String> unmodifiableSet = Collections.unmodifiableSet(SetUtils.toLinkedSet(strArr));
            Set<String> put = map.put(str2, unmodifiableSet);
            if (put != null) {
                ExternalAuthorizableActionProvider.log.debug("{} auto-membership configuration for IDP '{}'; replacing previous values {} by {} defined by SyncHandler '{}'", new Object[]{put.equals(unmodifiableSet) ? "Duplicate" : "Colliding", str2, put, unmodifiableSet, str});
            }
        }

        private boolean isAutoMembership(@NotNull String str, @NotNull String str2, boolean z) {
            Set<String> set = getAutomembership(z).get(str);
            return set != null && set.contains(str2);
        }
    }

    @ObjectClassDefinition(name = "Apache Jackrabbit Oak ExternalAuthorizableActionProvider", description = "Implementation of the AuthorizableActionProvider that specifically covers operations for users/groups defined by an external IDP that get synced into the repository.")
    /* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/ExternalAuthorizableActionProvider$Configuration.class */
    @interface Configuration {
        @AttributeDefinition(name = "Behavior when Adding Members from Different IDP", description = "Defines if Group.addMember should fail when adding a member defined by a different IDP. If set to false only a warning is logged.")
        boolean failAddMembersForDifferentIdp() default false;
    }

    /* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/ExternalAuthorizableActionProvider$IdpBoundaryAction.class */
    private final class IdpBoundaryAction extends AbstractGroupAction {
        private IdpBoundaryAction() {
        }

        public void onMemberAdded(@NotNull Group group, @NotNull Authorizable authorizable, @NotNull Root root, @NotNull NamePathMapper namePathMapper) throws RepositoryException {
            ExternalIdentityRef identityRef = DefaultSyncContext.getIdentityRef(authorizable);
            String idpName = ExternalAuthorizableActionProvider.getIdpName(identityRef);
            if (idpName == null) {
                return;
            }
            String idpName2 = ExternalAuthorizableActionProvider.getIdpName(DefaultSyncContext.getIdentityRef(group));
            if (idpName.equals(idpName2)) {
                return;
            }
            String id = group.getID();
            if (ExternalAuthorizableActionProvider.this.automembershipTracker == null || !ExternalAuthorizableActionProvider.this.automembershipTracker.isAutoMembership(idpName, id, authorizable.isGroup())) {
                String format = String.format("Attempt to add external identity '%s' as member of group '%s' defined by IDP '%s'.", identityRef.getString(), id, idpName2);
                ExternalAuthorizableActionProvider.log.warn(format);
                if (ExternalAuthorizableActionProvider.this.failAddMembersForDifferentIdp) {
                    throw new ConstraintViolationException(format);
                }
            }
        }
    }

    @Activate
    public void activate(@NotNull BundleContext bundleContext, @NotNull Configuration configuration) {
        this.failAddMembersForDifferentIdp = configuration.failAddMembersForDifferentIdp();
        this.syncHandlerMappingTracker = new SyncHandlerMappingTracker(bundleContext);
        this.syncHandlerMappingTracker.open();
        this.automembershipTracker = new AutomembershipTracker(bundleContext, this.syncHandlerMappingTracker);
        this.automembershipTracker.open();
    }

    @Deactivate
    public void deactivate() {
        if (this.automembershipTracker != null) {
            this.automembershipTracker.close();
        }
        if (this.syncHandlerMappingTracker != null) {
            this.syncHandlerMappingTracker.close();
        }
    }

    @NotNull
    public List<? extends AuthorizableAction> getAuthorizableActions(@NotNull SecurityProvider securityProvider) {
        return Collections.singletonList(new IdpBoundaryAction());
    }

    @Nullable
    private static String getIdpName(@Nullable ExternalIdentityRef externalIdentityRef) {
        if (externalIdentityRef == null) {
            return null;
        }
        return externalIdentityRef.getProviderName();
    }
}
