package org.apache.jackrabbit.oak.spi.security.authentication.external.basic;

import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.math.BigDecimal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Calendar;
import java.util.Collection;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.jcr.Binary;
import javax.jcr.RepositoryException;
import javax.jcr.Value;
import javax.jcr.ValueFactory;
import joptsimple.internal.Strings;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.oak.commons.DebugTimer;
import org.apache.jackrabbit.oak.commons.PathUtils;
import org.apache.jackrabbit.oak.console.commands.RetrieveCommand;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalGroup;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentity;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityException;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityProvider;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityRef;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalUser;
import org.apache.jackrabbit.oak.spi.security.authentication.external.SyncContext;
import org.apache.jackrabbit.oak.spi.security.authentication.external.SyncException;
import org.apache.jackrabbit.oak.spi.security.authentication.external.SyncResult;
import org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncConfig;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
import org.apache.solr.common.cloud.ZkStateReader;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authentication/external/basic/DefaultSyncContext.class */
public class DefaultSyncContext implements SyncContext {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) DefaultSyncContext.class);
    public static final String REP_EXTERNAL_ID = "rep:externalId";
    public static final String REP_LAST_SYNCED = "rep:lastSynced";
    protected final DefaultSyncConfig config;
    protected final ExternalIdentityProvider idp;
    protected final UserManager userManager;
    protected final ValueFactory valueFactory;
    protected boolean keepMissing;
    protected boolean forceUserSync;
    protected boolean forceGroupSync;
    protected final long now;
    protected final Value nowValue;

    public DefaultSyncContext(@Nonnull DefaultSyncConfig defaultSyncConfig, @Nonnull ExternalIdentityProvider externalIdentityProvider, @Nonnull UserManager userManager, @Nonnull ValueFactory valueFactory) {
        this.config = defaultSyncConfig;
        this.idp = externalIdentityProvider;
        this.userManager = userManager;
        this.valueFactory = valueFactory;
        Calendar calendar = Calendar.getInstance();
        this.nowValue = valueFactory.createValue(calendar);
        this.now = calendar.getTimeInMillis();
    }

    @CheckForNull
    public static DefaultSyncedIdentity createSyncedIdentity(@Nullable Authorizable authorizable) throws RepositoryException {
        if (authorizable == null) {
            return null;
        }
        ExternalIdentityRef identityRef = getIdentityRef(authorizable);
        Value[] property = authorizable.getProperty("rep:lastSynced");
        long j = -1;
        if (property != null && property.length > 0) {
            j = property[0].getLong();
        }
        return new DefaultSyncedIdentity(authorizable.getID(), identityRef, authorizable.isGroup(), j);
    }

    @CheckForNull
    public static ExternalIdentityRef getIdentityRef(@Nullable Authorizable authorizable) throws RepositoryException {
        Value[] property;
        if (authorizable == null || (property = authorizable.getProperty("rep:externalId")) == null || property.length == 0) {
            return null;
        }
        return ExternalIdentityRef.fromString(property[0].getString());
    }

    public static String joinPaths(String... strArr) {
        return PathUtils.concatRelativePaths(strArr);
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authentication.external.SyncContext
    public void close() {
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authentication.external.SyncContext
    public boolean isKeepMissing() {
        return this.keepMissing;
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authentication.external.SyncContext
    @Nonnull
    public SyncContext setKeepMissing(boolean z) {
        this.keepMissing = z;
        return this;
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authentication.external.SyncContext
    public boolean isForceUserSync() {
        return this.forceUserSync;
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authentication.external.SyncContext
    @Nonnull
    public SyncContext setForceUserSync(boolean z) {
        this.forceUserSync = z;
        return this;
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authentication.external.SyncContext
    public boolean isForceGroupSync() {
        return this.forceGroupSync;
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authentication.external.SyncContext
    @Nonnull
    public SyncContext setForceGroupSync(boolean z) {
        this.forceGroupSync = z;
        return this;
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authentication.external.SyncContext
    @Nonnull
    public SyncResult sync(@Nonnull ExternalIdentity externalIdentity) throws SyncException {
        DefaultSyncResultImpl syncGroup;
        ExternalIdentityRef externalId = externalIdentity.getExternalId();
        if (!isSameIDP(externalId)) {
            return new DefaultSyncResultImpl(new DefaultSyncedIdentity(externalIdentity.getId(), externalId, externalIdentity instanceof ExternalGroup, -1L), SyncResult.Status.FOREIGN);
        }
        try {
            DebugTimer debugTimer = new DebugTimer();
            boolean z = false;
            if (externalIdentity instanceof ExternalUser) {
                User user = (User) getAuthorizable(externalIdentity, User.class);
                debugTimer.mark("find");
                if (user == null) {
                    user = createUser((ExternalUser) externalIdentity);
                    debugTimer.mark("create");
                    z = true;
                }
                syncGroup = syncUser((ExternalUser) externalIdentity, user);
                debugTimer.mark(ZkStateReader.SYNC);
            } else {
                if (!(externalIdentity instanceof ExternalGroup)) {
                    throw new IllegalArgumentException("identity must be user or group but was: " + externalIdentity);
                }
                Group group = (Group) getAuthorizable(externalIdentity, Group.class);
                debugTimer.mark("find");
                if (group == null) {
                    group = createGroup((ExternalGroup) externalIdentity);
                    debugTimer.mark("create");
                    z = true;
                }
                syncGroup = syncGroup((ExternalGroup) externalIdentity, group);
                debugTimer.mark(ZkStateReader.SYNC);
            }
            if (log.isDebugEnabled()) {
                log.debug("sync({}) -> {} {}", externalId.getString(), externalIdentity.getId(), debugTimer.getString());
            }
            if (z) {
                syncGroup.setStatus(SyncResult.Status.ADD);
            }
            return syncGroup;
        } catch (RepositoryException e) {
            throw new SyncException(e);
        }
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authentication.external.SyncContext
    @Nonnull
    public SyncResult sync(@Nonnull String str) throws SyncException {
        DefaultSyncResultImpl syncUser;
        try {
            DebugTimer debugTimer = new DebugTimer();
            Authorizable authorizable = this.userManager.getAuthorizable(str);
            if (authorizable == null) {
                return new DefaultSyncResultImpl(new DefaultSyncedIdentity(str, null, false, -1L), SyncResult.Status.NO_SUCH_AUTHORIZABLE);
            }
            ExternalIdentityRef identityRef = getIdentityRef(authorizable);
            if (identityRef == null || !isSameIDP(identityRef)) {
                return new DefaultSyncResultImpl(new DefaultSyncedIdentity(str, identityRef, authorizable.isGroup(), -1L), SyncResult.Status.FOREIGN);
            }
            if (authorizable.isGroup()) {
                ExternalGroup group = this.idp.getGroup(str);
                debugTimer.mark(RetrieveCommand.COMMAND_NAME);
                if (group == null) {
                    syncUser = handleMissingIdentity(str, authorizable, debugTimer);
                } else {
                    syncUser = syncGroup(group, (Group) authorizable);
                    debugTimer.mark(ZkStateReader.SYNC);
                }
            } else {
                ExternalUser user = this.idp.getUser(str);
                debugTimer.mark(RetrieveCommand.COMMAND_NAME);
                if (user == null) {
                    syncUser = handleMissingIdentity(str, authorizable, debugTimer);
                } else {
                    syncUser = syncUser(user, (User) authorizable);
                    debugTimer.mark(ZkStateReader.SYNC);
                }
            }
            if (log.isDebugEnabled()) {
                log.debug("sync({}) -> {} {}", str, identityRef.getString(), debugTimer.getString());
            }
            return syncUser;
        } catch (RepositoryException e) {
            throw new SyncException(e);
        } catch (ExternalIdentityException e2) {
            throw new SyncException(e2);
        }
    }

    private DefaultSyncResultImpl handleMissingIdentity(@Nonnull String str, @Nonnull Authorizable authorizable, @Nonnull DebugTimer debugTimer) throws RepositoryException {
        SyncResult.Status status;
        DefaultSyncedIdentity createSyncedIdentity = createSyncedIdentity(authorizable);
        if (authorizable.isGroup() && ((Group) authorizable).getDeclaredMembers().hasNext()) {
            log.info("won't remove local group with members: {}", str);
            status = SyncResult.Status.NOP;
        } else if (this.keepMissing) {
            status = SyncResult.Status.MISSING;
            log.info("external identity missing for {}, but purge == false.", str);
        } else {
            if (!this.config.user().getDisableMissing() || authorizable.isGroup()) {
                authorizable.remove();
                log.debug("removing authorizable '{}' that no longer exists on IDP {}", str, this.idp.getName());
                status = SyncResult.Status.DELETE;
            } else {
                ((User) authorizable).disable("No longer exists on external identity provider '" + this.idp.getName() + Strings.SINGLE_QUOTE);
                log.debug("disabling user '{}' that no longer exists on IDP {}", str, this.idp.getName());
                status = SyncResult.Status.DISABLE;
            }
            debugTimer.mark("remove");
        }
        return new DefaultSyncResultImpl(createSyncedIdentity, status);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @CheckForNull
    public <T extends Authorizable> T getAuthorizable(@Nonnull ExternalIdentity externalIdentity, @Nonnull Class<T> cls) throws RepositoryException, SyncException {
        Authorizable authorizable = this.userManager.getAuthorizable(externalIdentity.getId());
        if (authorizable == null) {
            authorizable = this.userManager.getAuthorizable(externalIdentity.getPrincipalName());
        }
        if (authorizable == null) {
            return null;
        }
        if (cls.isInstance(authorizable)) {
            return (T) authorizable;
        }
        log.error("Unable to process external {}: {}. Colliding authorizable exists in repository.", cls.getSimpleName(), externalIdentity.getId());
        throw new SyncException("Unexpected authorizable: " + authorizable);
    }

    @Nonnull
    protected User createUser(@Nonnull ExternalUser externalUser) throws RepositoryException {
        User createUser = this.userManager.createUser(externalUser.getId(), null, new PrincipalImpl(externalUser.getPrincipalName()), PathUtils.concatRelativePaths(this.config.user().getPathPrefix(), externalUser.getIntermediatePath()));
        setExternalId(createUser, externalUser);
        return createUser;
    }

    @Nonnull
    protected Group createGroup(@Nonnull ExternalGroup externalGroup) throws RepositoryException {
        Group createGroup = this.userManager.createGroup(externalGroup.getId(), new PrincipalImpl(externalGroup.getPrincipalName()), PathUtils.concatRelativePaths(this.config.group().getPathPrefix(), externalGroup.getIntermediatePath()));
        setExternalId(createGroup, externalGroup);
        return createGroup;
    }

    private void setExternalId(@Nonnull Authorizable authorizable, @Nonnull ExternalIdentity externalIdentity) throws RepositoryException {
        log.debug("Fallback: setting rep:externalId without adding the corresponding mixin type");
        authorizable.setProperty("rep:externalId", this.valueFactory.createValue(externalIdentity.getExternalId().getString()));
    }

    @Nonnull
    protected DefaultSyncResultImpl syncUser(@Nonnull ExternalUser externalUser, @Nonnull User user) throws RepositoryException {
        SyncResult.Status status;
        if (this.forceUserSync || isExpired(user)) {
            syncExternalIdentity(externalUser, user, this.config.user());
            if (isExpired(user, this.config.user().getMembershipExpirationTime(), "Membership")) {
                syncMembership(externalUser, user, this.config.user().getMembershipNestingDepth());
            }
            if (this.config.user().getDisableMissing() && user.isDisabled()) {
                status = SyncResult.Status.ENABLE;
                user.disable(null);
            } else {
                status = SyncResult.Status.UPDATE;
            }
            user.setProperty("rep:lastSynced", this.nowValue);
        } else {
            status = SyncResult.Status.NOP;
        }
        return new DefaultSyncResultImpl(createSyncedIdentity(user), status);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Nonnull
    public DefaultSyncResultImpl syncGroup(@Nonnull ExternalGroup externalGroup, @Nonnull Group group) throws RepositoryException {
        SyncResult.Status status;
        if (this.forceGroupSync || isExpired(group)) {
            syncExternalIdentity(externalGroup, group, this.config.group());
            group.setProperty("rep:lastSynced", this.nowValue);
            status = SyncResult.Status.UPDATE;
        } else {
            status = SyncResult.Status.NOP;
        }
        return new DefaultSyncResultImpl(createSyncedIdentity(group), status);
    }

    private void syncExternalIdentity(@Nonnull ExternalIdentity externalIdentity, @Nonnull Authorizable authorizable, @Nonnull DefaultSyncConfig.Authorizable authorizable2) throws RepositoryException {
        syncProperties(externalIdentity, authorizable, authorizable2.getPropertyMapping());
        applyMembership(authorizable, authorizable2.getAutoMembership());
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void syncMembership(@Nonnull ExternalIdentity externalIdentity, @Nonnull Authorizable authorizable, long j) throws RepositoryException {
        Group createGroup;
        if (j <= 0) {
            return;
        }
        if (log.isDebugEnabled()) {
            log.debug("Syncing membership '{}' -> '{}'", externalIdentity.getExternalId().getString(), authorizable.getID());
        }
        DebugTimer debugTimer = new DebugTimer();
        try {
            Iterable<ExternalIdentityRef> declaredGroups = externalIdentity.getDeclaredGroups();
            debugTimer.mark("fetching");
            HashMap hashMap = new HashMap();
            Iterator<Group> declaredMemberOf = authorizable.declaredMemberOf();
            while (declaredMemberOf.hasNext()) {
                Group next = declaredMemberOf.next();
                if (isSameIDP(next)) {
                    hashMap.put(next.getID(), next);
                }
            }
            debugTimer.mark("reading");
            for (ExternalIdentityRef externalIdentityRef : declaredGroups) {
                log.debug("- processing membership {}", externalIdentityRef.getId());
                try {
                    ExternalIdentity identity = this.idp.getIdentity(externalIdentityRef);
                    if (identity instanceof ExternalGroup) {
                        ExternalGroup externalGroup = (ExternalGroup) identity;
                        log.debug("- idp returned '{}'", externalGroup.getId());
                        Authorizable authorizable2 = this.userManager.getAuthorizable(externalGroup.getId());
                        if (authorizable2 == null) {
                            createGroup = createGroup(externalGroup);
                            log.debug("- created new group");
                        } else if (authorizable2.isGroup() && isSameIDP(authorizable2)) {
                            createGroup = (Group) authorizable2;
                        } else {
                            log.warn("Existing authorizable '{}' is not a group from this IDP '{}'.", externalGroup.getId(), this.idp.getName());
                        }
                        log.debug("- user manager returned '{}'", createGroup);
                        syncGroup(externalGroup, createGroup);
                        createGroup.addMember(authorizable);
                        log.debug("- added '{}' as member to '{}'", authorizable, createGroup);
                        hashMap.remove(createGroup.getID());
                        if (j > 1) {
                            log.debug("- recursively sync group membership of '{}' (depth = {}).", createGroup.getID(), Long.valueOf(j));
                            syncMembership(externalGroup, createGroup, j - 1);
                        } else {
                            log.debug("- group nesting level for '{}' reached", createGroup.getID());
                        }
                    } else {
                        log.warn("No external group found for ref '{}'.", externalIdentityRef.getString());
                    }
                } catch (ExternalIdentityException e) {
                    log.warn("Unable to retrieve external group '{}' from provider.", externalIdentityRef.getString(), e);
                }
            }
            debugTimer.mark("adding");
            for (Group group : hashMap.values()) {
                group.removeMember(authorizable);
                log.debug("- removing member '{}' for group '{}'", authorizable.getID(), group.getID());
            }
            if (log.isDebugEnabled()) {
                debugTimer.mark("removing");
                log.debug("syncMembership({}) {}", externalIdentity.getId(), debugTimer.getString());
            }
        } catch (ExternalIdentityException e2) {
            log.error("Error while retrieving external declared groups for '{}'", externalIdentity.getId(), e2);
        }
    }

    protected void applyMembership(@Nonnull Authorizable authorizable, @Nonnull Set<String> set) throws RepositoryException {
        for (String str : set) {
            Authorizable authorizable2 = this.userManager.getAuthorizable(str);
            if (authorizable2 == null) {
                log.warn("Unable to apply auto-membership to {}. No such group: {}", authorizable.getID(), str);
            } else if (authorizable2 instanceof Group) {
                ((Group) authorizable2).addMember(authorizable);
            } else {
                log.warn("Unable to apply auto-membership to {}. Authorizable '{}' is not a group.", authorizable.getID(), str);
            }
        }
    }

    protected void syncProperties(@Nonnull ExternalIdentity externalIdentity, @Nonnull Authorizable authorizable, @Nonnull Map<String, String> map) throws RepositoryException {
        Map<String, ?> properties = externalIdentity.getProperties();
        for (Map.Entry<String, String> entry : map.entrySet()) {
            String key = entry.getKey();
            String value = entry.getValue();
            Object obj = properties.get(value);
            if (obj == null) {
                int length = value.length();
                if (length > 1 && value.charAt(0) == '\"' && value.charAt(length - 1) == '\"') {
                    authorizable.setProperty(key, this.valueFactory.createValue(value.substring(1, length - 1)));
                } else {
                    authorizable.removeProperty(key);
                }
            } else if (obj instanceof Collection) {
                authorizable.setProperty(key, createValues((Collection) obj));
            } else if ((obj instanceof byte[]) || (obj instanceof char[])) {
                authorizable.setProperty(key, createValue(obj));
            } else if (obj instanceof Object[]) {
                authorizable.setProperty(key, createValues(Arrays.asList((Object[]) obj)));
            } else {
                authorizable.setProperty(key, createValue(obj));
            }
        }
    }

    private boolean isExpired(@Nonnull Authorizable authorizable) throws RepositoryException {
        return isExpired(authorizable, authorizable.isGroup() ? this.config.group().getExpirationTime() : this.config.user().getExpirationTime(), "Properties");
    }

    protected boolean isExpired(@Nonnull Authorizable authorizable, long j, @Nonnull String str) throws RepositoryException {
        Value[] property = authorizable.getProperty("rep:lastSynced");
        if (property == null || property.length == 0) {
            if (!log.isDebugEnabled()) {
                return true;
            }
            Logger logger = log;
            Object[] objArr = new Object[3];
            objArr[0] = str;
            objArr[1] = authorizable.isGroup() ? "group" : "user";
            objArr[2] = authorizable.getID();
            logger.debug("{} of {} '{}' need sync. rep:lastSynced not set.", objArr);
            return true;
        }
        if (this.now - property[0].getLong() <= j) {
            if (!log.isDebugEnabled()) {
                return false;
            }
            Logger logger2 = log;
            Object[] objArr2 = new Object[3];
            objArr2[0] = str;
            objArr2[1] = authorizable.isGroup() ? "group" : "user";
            objArr2[2] = authorizable.getID();
            logger2.debug("{} of {} '{}' do not need sync.", objArr2);
            return false;
        }
        if (!log.isDebugEnabled()) {
            return true;
        }
        Logger logger3 = log;
        Object[] objArr3 = new Object[5];
        objArr3[0] = str;
        objArr3[1] = authorizable.isGroup() ? "group" : "user";
        objArr3[2] = authorizable.getID();
        objArr3[3] = Long.valueOf(this.now - property[0].getLong());
        objArr3[4] = Long.valueOf(j);
        logger3.debug("{} of {} '{}' need sync. rep:lastSynced expired ({} > {})", objArr3);
        return true;
    }

    @CheckForNull
    protected Value createValue(@Nullable Object obj) throws RepositoryException {
        if (obj == null) {
            return null;
        }
        if (obj instanceof Boolean) {
            return this.valueFactory.createValue(((Boolean) obj).booleanValue());
        }
        if ((obj instanceof Byte) || (obj instanceof Short) || (obj instanceof Integer) || (obj instanceof Long)) {
            return this.valueFactory.createValue(((Number) obj).longValue());
        }
        if ((obj instanceof Float) || (obj instanceof Double)) {
            return this.valueFactory.createValue(((Number) obj).doubleValue());
        }
        if (obj instanceof BigDecimal) {
            return this.valueFactory.createValue((BigDecimal) obj);
        }
        if (obj instanceof Calendar) {
            return this.valueFactory.createValue((Calendar) obj);
        }
        if (obj instanceof Date) {
            Calendar calendar = Calendar.getInstance();
            calendar.setTime((Date) obj);
            return this.valueFactory.createValue(calendar);
        }
        if (obj instanceof byte[]) {
            return this.valueFactory.createValue(this.valueFactory.createBinary(new ByteArrayInputStream((byte[]) obj)));
        }
        return obj instanceof Binary ? this.valueFactory.createValue((Binary) obj) : obj instanceof InputStream ? this.valueFactory.createValue((InputStream) obj) : obj instanceof char[] ? this.valueFactory.createValue(new String((char[]) obj)) : this.valueFactory.createValue(String.valueOf(obj));
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @CheckForNull
    public Value[] createValues(@Nonnull Collection<?> collection) throws RepositoryException {
        ArrayList arrayList = new ArrayList();
        Iterator<?> it = collection.iterator();
        while (it.hasNext()) {
            Value createValue = createValue(it.next());
            if (createValue != null) {
                arrayList.add(createValue);
            }
        }
        return (Value[]) arrayList.toArray(new Value[arrayList.size()]);
    }

    protected boolean isSameIDP(@Nullable Authorizable authorizable) throws RepositoryException {
        ExternalIdentityRef identityRef = getIdentityRef(authorizable);
        return identityRef != null && this.idp.getName().equals(identityRef.getProviderName());
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public boolean isSameIDP(@Nonnull ExternalIdentityRef externalIdentityRef) {
        return this.idp.getName().equals(externalIdentityRef.getProviderName());
    }
}
