package org.apache.jackrabbit.oak.spi.security.authentication.external.impl.principal;

import com.google.common.base.Function;
import com.google.common.base.Predicates;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterables;
import com.google.common.collect.Iterators;
import java.security.Principal;
import java.security.acl.Group;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import org.apache.felix.scr.annotations.Activate;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Deactivate;
import org.apache.felix.scr.annotations.Service;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.commons.PropertiesUtil;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.spi.commit.MoveTracker;
import org.apache.jackrabbit.oak.spi.commit.ValidatorProvider;
import org.apache.jackrabbit.oak.spi.lifecycle.RepositoryInitializer;
import org.apache.jackrabbit.oak.spi.security.ConfigurationBase;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.SecurityConfiguration;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import org.apache.jackrabbit.oak.spi.security.authentication.external.SyncHandler;
import org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DefaultSyncConfigImpl;
import org.apache.jackrabbit.oak.spi.security.authentication.external.impl.SyncHandlerMapping;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalConfiguration;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalManagerImpl;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalProvider;
import org.apache.jackrabbit.oak.spi.security.user.UserConfiguration;
import org.apache.jackrabbit.oak.spi.xml.ProtectedItemImporter;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceReference;
import org.osgi.util.tracker.ServiceTracker;
import org.osgi.util.tracker.ServiceTrackerCustomizer;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

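/**
 * {@link PrincipalConfiguration} for external identities.
 *
 * <p>Two OSGi service trackers drive what this configuration exposes:
 * <ul>
 *   <li>{@link SyncConfigTracker} watches {@link SyncHandler} registrations and records which
 *       of them have {@code DefaultSyncConfigImpl.PARAM_USER_DYNAMIC_MEMBERSHIP} set;</li>
 *   <li>{@link SyncHandlerMappingTracker} watches {@link SyncHandlerMapping} registrations and
 *       records which IDP name is bound to which sync handler name.</li>
 * </ul>
 * While no tracked sync handler enables dynamic membership, {@link #getPrincipalProvider} hands
 * out a provider that resolves nothing, so no external group principals are contributed.
 *
 * <p>NOTE(review): tracker callbacks and {@link #getPrincipalProvider} presumably run on
 * different threads (OSGi service events vs. repository sessions). The tracker state below
 * ({@code HashSet}, {@code HashMap}, plain {@code boolean}) is not synchronized - confirm whether
 * the container serializes these accesses before relying on it.
 */
@Service({PrincipalConfiguration.class, SecurityConfiguration.class})
@Component(metatype = true, label = "Apache Jackrabbit Oak External PrincipalConfiguration", immediate = true)
public class ExternalPrincipalConfiguration extends ConfigurationBase implements PrincipalConfiguration {
    private static final Logger log = LoggerFactory.getLogger(ExternalPrincipalConfiguration.class);
    private SyncConfigTracker syncConfigTracker;
    private SyncHandlerMappingTracker syncHandlerMappingTracker;

    /**
     * Provider that never resolves a principal: every lookup yields {@code null} or an empty
     * result. Used as the fallback while dynamic membership is disabled.
     *
     * <p>The decompiler output marks this nested class as originally {@code private}; treat it
     * as an internal helper.
     */
    public static final class EmptyPrincipalProvider implements PrincipalProvider {
        private static final PrincipalProvider INSTANCE = new EmptyPrincipalProvider();

        private EmptyPrincipalProvider() {
        }

        /** @return always {@code null} */
        @Override
        public Principal getPrincipal(@Nonnull String str) {
            return null;
        }

        /** @return always an empty set */
        @Override
        @Nonnull
        public Set<Group> getGroupMembership(@Nonnull Principal principal) {
            return ImmutableSet.of();
        }

        /** @return always an empty set */
        @Override
        @Nonnull
        public Set<? extends Principal> getPrincipals(@Nonnull String str) {
            return ImmutableSet.of();
        }

        /** @return always an empty iterator */
        @Override
        @Nonnull
        public Iterator<? extends Principal> findPrincipals(@Nullable String str, int i) {
            return Iterators.emptyIterator();
        }

        /** @return always an empty iterator */
        @Override
        @Nonnull
        public Iterator<? extends Principal> findPrincipals(int i) {
            return Iterators.emptyIterator();
        }
    }

    /**
     * Tracks {@link SyncHandler} services and remembers the references whose
     * {@code DefaultSyncConfigImpl.PARAM_USER_DYNAMIC_MEMBERSHIP} property is {@code true}.
     *
     * <p>The decompiler output marks this nested class as originally {@code private}; treat it
     * as an internal helper.
     */
    public static final class SyncConfigTracker extends ServiceTracker {
        private final SyncHandlerMappingTracker mappingTracker;
        // References of all tracked sync handlers that currently enable dynamic membership.
        private final Set<ServiceReference> enablingRefs = new HashSet<ServiceReference>();
        // True while enablingRefs is non-empty; read by dynamicMembershipEnabled().
        private boolean isEnabled = false;

        /**
         * @param bundleContext             context used to track {@link SyncHandler} services
         * @param syncHandlerMappingTracker tracker consulted to translate a sync handler name
         *                                  into the IDP names mapped to it
         */
        public SyncConfigTracker(@Nonnull BundleContext bundleContext, @Nonnull SyncHandlerMappingTracker syncHandlerMappingTracker) {
            super(bundleContext, SyncHandler.class.getName(), (ServiceTrackerCustomizer) null);
            this.mappingTracker = syncHandlerMappingTracker;
        }

        /** Records the reference as enabling if it has dynamic membership turned on. */
        @Override
        public Object addingService(ServiceReference serviceReference) {
            if (hasDynamicMembership(serviceReference)) {
                this.enablingRefs.add(serviceReference);
                this.isEnabled = true;
            }
            return super.addingService(serviceReference);
        }

        /** Re-evaluates the reference after its properties changed. */
        @Override
        public void modifiedService(ServiceReference serviceReference, Object obj) {
            if (hasDynamicMembership(serviceReference)) {
                this.enablingRefs.add(serviceReference);
                this.isEnabled = true;
            } else {
                this.enablingRefs.remove(serviceReference);
                this.isEnabled = !this.enablingRefs.isEmpty();
            }
            super.modifiedService(serviceReference, obj);
        }

        /** Forgets the reference; the feature stays enabled only if another handler enables it. */
        @Override
        public void removedService(ServiceReference serviceReference, Object obj) {
            this.enablingRefs.remove(serviceReference);
            this.isEnabled = !this.enablingRefs.isEmpty();
            super.removedService(serviceReference, obj);
        }

        /** A missing or non-boolean property counts as "disabled" (default {@code false}). */
        private static boolean hasDynamicMembership(ServiceReference serviceReference) {
            return PropertiesUtil.toBoolean(serviceReference.getProperty(DefaultSyncConfigImpl.PARAM_USER_DYNAMIC_MEMBERSHIP), false);
        }

        /**
         * Builds a fresh map from IDP name to the auto-membership group ids configured on the
         * enabling sync handler(s) mapped to that IDP.
         *
         * <p>If several enabling handlers resolve to the same IDP, the entry written last wins.
         * {@code enablingRefs} is a {@code HashSet}, so which handler is "last" is unspecified,
         * and the replacement is only reported at debug level. Operators who rely on
         * auto-membership for authorization should keep one sync handler per IDP.
         *
         * @return a new, mutable map; never {@code null}
         */
        public Map<String, String[]> getAutoMembership() {
            Map<String, String[]> autoMembership = new HashMap<String, String[]>();
            for (ServiceReference serviceReference : this.enablingRefs) {
                String syncHandlerName = PropertiesUtil.toString(serviceReference.getProperty(DefaultSyncConfigImpl.PARAM_NAME), "default");
                String[] groupIds = PropertiesUtil.toStringArray(serviceReference.getProperty(DefaultSyncConfigImpl.PARAM_GROUP_AUTO_MEMBERSHIP), new String[0]);
                for (String idpName : this.mappingTracker.getIdpNames(syncHandlerName)) {
                    String[] previous = autoMembership.put(idpName, groupIds);
                    // Skip message assembly (string concat + Arrays.toString) unless it is emitted.
                    if (previous != null && ExternalPrincipalConfiguration.log.isDebugEnabled()) {
                        String kind = Arrays.equals(previous, groupIds) ? "Duplicate" : "Colliding";
                        ExternalPrincipalConfiguration.log.debug(kind + " auto-membership configuration for IDP '{}'; replacing previous values {} by {} defined by SyncHandler '{}'", idpName, Arrays.toString(previous), Arrays.toString(groupIds), syncHandlerName);
                    }
                }
            }
            return autoMembership;
        }
    }

    /**
     * Tracks {@link SyncHandlerMapping} services and keeps, per service reference, the pair
     * {@code {syncHandlerName, idpName}} read from the {@code sync.handlerName} and
     * {@code idp.name} service properties.
     *
     * <p>The decompiler output marks this nested class as originally {@code private}; treat it
     * as an internal helper.
     */
    public static final class SyncHandlerMappingTracker extends ServiceTracker {
        // Value layout: index 0 = sync handler name, index 1 = IDP name.
        private final Map<ServiceReference, String[]> referenceMap = new HashMap<ServiceReference, String[]>();

        /** @param bundleContext context used to track {@link SyncHandlerMapping} services */
        public SyncHandlerMappingTracker(@Nonnull BundleContext bundleContext) {
            super(bundleContext, SyncHandlerMapping.class.getName(), (ServiceTrackerCustomizer) null);
        }

        @Override
        public Object addingService(ServiceReference serviceReference) {
            addMapping(serviceReference);
            return super.addingService(serviceReference);
        }

        @Override
        public void modifiedService(ServiceReference serviceReference, Object obj) {
            addMapping(serviceReference);
            super.modifiedService(serviceReference, obj);
        }

        @Override
        public void removedService(ServiceReference serviceReference, Object obj) {
            this.referenceMap.remove(serviceReference);
            super.removedService(serviceReference, obj);
        }

        /**
         * Stores the mapping declared by the reference, or discards the reference if either
         * property is missing.
         *
         * <p>An incomplete mapping also removes whatever was stored for the same reference
         * before. Without that, a mapping modified into an incomplete state would keep its old
         * IDP binding and continue to feed auto-membership for that IDP, although the warning
         * says it is ignored.
         */
        private void addMapping(ServiceReference serviceReference) {
            String idpName = PropertiesUtil.toString(serviceReference.getProperty("idp.name"), null);
            String syncHandlerName = PropertiesUtil.toString(serviceReference.getProperty("sync.handlerName"), null);
            if (idpName != null && syncHandlerName != null) {
                this.referenceMap.put(serviceReference, new String[]{syncHandlerName, idpName});
            } else {
                // No-op for a newly added reference; drops the stale entry for a modified one.
                this.referenceMap.remove(serviceReference);
                ExternalPrincipalConfiguration.log.warn("Ignoring SyncHandlerMapping with incomplete mapping of IDP '{}' and SyncHandler '{}'", idpName, syncHandlerName);
            }
        }

        /**
         * Returns the names of all IDPs mapped to the given sync handler.
         *
         * <p>The result is a lazy Guava view over {@code referenceMap}: it is evaluated when
         * iterated, not when this method returns.
         *
         * @param str sync handler name to look up
         * @return IDP names whose mapping names {@code str} as sync handler; possibly empty
         */
        public Iterable<String> getIdpNames(@Nonnull final String str) {
            Function<String[], String> idpNameIfMapped = new Function<String[], String>() {
                @Override
                @Nullable
                public String apply(@Nullable String[] strArr) {
                    if (strArr == null || strArr.length != 2) {
                        ExternalPrincipalConfiguration.log.warn("Unexpected value of reference map. Expected String[] with length = 2");
                        return null;
                    }
                    // null marks "not mapped to this handler" and is filtered out below.
                    return str.equals(strArr[0]) ? strArr[1] : null;
                }
            };
            return Iterables.filter(Iterables.transform(this.referenceMap.values(), idpNameIfMapped), Predicates.notNull());
        }
    }

    /** Constructor used by the OSGi component runtime; parameters arrive via {@code activate}. */
    public ExternalPrincipalConfiguration() {
    }

    /**
     * Constructor for non-OSGi setups. No trackers are created on this path, so
     * {@link #getPrincipalProvider} returns the empty provider unless {@code activate} runs.
     *
     * @param securityProvider provider supplying the parameters registered under
     *                         {@code PrincipalConfiguration.NAME}
     */
    public ExternalPrincipalConfiguration(SecurityProvider securityProvider) {
        super(securityProvider, securityProvider.getParameters(PrincipalConfiguration.NAME));
    }

    /** @return a {@link PrincipalManagerImpl} backed by {@link #getPrincipalProvider} */
    @Override
    @Nonnull
    public PrincipalManager getPrincipalManager(Root root, NamePathMapper namePathMapper) {
        return new PrincipalManagerImpl(getPrincipalProvider(root, namePathMapper));
    }

    /**
     * Returns the provider for external group principals.
     *
     * @return an {@code ExternalGroupPrincipalProvider} initialised with the auto-membership
     *         map computed at call time if at least one tracked sync handler enables dynamic
     *         membership; otherwise the shared {@link EmptyPrincipalProvider}
     */
    @Override
    @Nonnull
    public PrincipalProvider getPrincipalProvider(Root root, NamePathMapper namePathMapper) {
        if (!dynamicMembershipEnabled()) {
            return EmptyPrincipalProvider.INSTANCE;
        }
        UserConfiguration userConfiguration = (UserConfiguration) getSecurityProvider().getConfiguration(UserConfiguration.class);
        return new ExternalGroupPrincipalProvider(root, userConfiguration, namePathMapper, this.syncConfigTracker.getAutoMembership());
    }

    /** @return {@code PrincipalConfiguration.NAME} */
    @Override
    @Nonnull
    public String getName() {
        return PrincipalConfiguration.NAME;
    }

    /** @return a new {@code ExternalIdentityRepositoryInitializer} */
    @Override
    @Nonnull
    public RepositoryInitializer getRepositoryInitializer() {
        return new ExternalIdentityRepositoryInitializer();
    }

    /**
     * @param str         not used by this implementation
     * @param set         principals of the committing subject, passed to the validator provider
     * @param moveTracker not used by this implementation
     * @return a single-element list holding an {@code ExternalIdentityValidatorProvider}
     */
    @Override
    @Nonnull
    public List<? extends ValidatorProvider> getValidators(@Nonnull String str, @Nonnull Set<Principal> set, @Nonnull MoveTracker moveTracker) {
        return ImmutableList.of(new ExternalIdentityValidatorProvider(set));
    }

    /** @return a single-element list holding an {@code ExternalIdentityImporter} */
    @Override
    @Nonnull
    public List<ProtectedItemImporter> getProtectedItemImporters() {
        return ImmutableList.of(new ExternalIdentityImporter());
    }

    /**
     * Applies the component properties and opens both trackers. The mapping tracker is opened
     * first because the sync-config tracker consults it.
     */
    @Activate
    private void activate(BundleContext bundleContext, Map<String, Object> map) {
        setParameters(ConfigurationParameters.of(map));
        this.syncHandlerMappingTracker = new SyncHandlerMappingTracker(bundleContext);
        this.syncHandlerMappingTracker.open();
        this.syncConfigTracker = new SyncConfigTracker(bundleContext, this.syncHandlerMappingTracker);
        this.syncConfigTracker.open();
    }

    /** Closes the trackers in reverse order of creation; tolerates a missed activation. */
    @Deactivate
    private void deactivate() {
        if (this.syncConfigTracker != null) {
            this.syncConfigTracker.close();
        }
        if (this.syncHandlerMappingTracker != null) {
            this.syncHandlerMappingTracker.close();
        }
    }

    /** @return {@code true} only if the tracker exists and reports an enabling sync handler */
    private boolean dynamicMembershipEnabled() {
        return this.syncConfigTracker != null && this.syncConfigTracker.isEnabled;
    }
}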
