package org.apache.jackrabbit.oak.security.user;

import com.google.common.base.Strings;
import com.google.common.collect.Lists;
import java.io.UnsupportedEncodingException;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.jcr.RepositoryException;
import javax.jcr.UnsupportedRepositoryOperationException;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.AuthorizableExistsException;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.Query;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.plugins.nodetype.ReadOnlyNodeTypeManager;
import org.apache.jackrabbit.oak.security.user.query.UserQueryManager;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalConfiguration;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
import org.apache.jackrabbit.oak.spi.security.user.AuthorizableType;
import org.apache.jackrabbit.oak.spi.security.user.UserConfiguration;
import org.apache.jackrabbit.oak.spi.security.user.UserConstants;
import org.apache.jackrabbit.oak.spi.security.user.action.AuthorizableAction;
import org.apache.jackrabbit.oak.spi.security.user.action.AuthorizableActionProvider;
import org.apache.jackrabbit.oak.spi.security.user.action.DefaultAuthorizableActionProvider;
import org.apache.jackrabbit.oak.spi.security.user.action.GroupAction;
import org.apache.jackrabbit.oak.spi.security.user.util.PasswordUtil;
import org.apache.jackrabbit.oak.spi.security.user.util.UserUtil;
import org.apache.jackrabbit.oak.util.NodeUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/jackrabbit/oak/security/user/UserManagerImpl.class */
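/**
 * {@link UserManager} implementation that reads and writes users and groups through a
 * {@link Root}, delegating storage to {@code UserProvider} and {@code MembershipProvider}
 * and notifying the configured {@link AuthorizableAction}s on create, remove, password
 * change and group membership updates.
 *
 * <p>Changes are never saved automatically: {@link #isAutoSave()} is always {@code false}
 * and {@link #autoSave(boolean)} always throws.
 *
 * <p>This listing is decompiler output. Methods carrying a "JADX: package-private" comment
 * were package-private in the class file and are shown as {@code public} only because the
 * decompiler widened them. Parameter names ({@code str}, {@code z}, ...) are decompiler
 * placeholders; their roles are given in the per-method documentation.
 *
 * <p>The two lazily created fields ({@code queryManager}, {@code ntMgr}) are initialised
 * without synchronization.
 */
public class UserManagerImpl implements UserManager {
    private static final Logger log = LoggerFactory.getLogger(UserManagerImpl.class);
    private final Root root;
    private final NamePathMapper namePathMapper;
    private final SecurityProvider securityProvider;
    private final UserProvider userProvider;
    private final MembershipProvider membershipProvider;
    private final ConfigurationParameters config;
    private final AuthorizableActionProvider actionProvider;
    // Created on first use by getQueryManager().
    private UserQueryManager queryManager;
    // Created on first use by getNodeTypeManager().
    private ReadOnlyNodeTypeManager ntMgr;

    /**
     * Creates a user manager bound to the given root.
     *
     * @param root             the root all reads and writes go through
     * @param namePathMapper   mapper used to translate JCR paths to Oak paths
     * @param securityProvider source of the user configuration parameters and of the
     *                         principal configuration
     */
    public UserManagerImpl(@Nonnull Root root, @Nonnull NamePathMapper namePathMapper, @Nonnull SecurityProvider securityProvider) {
        this.root = root;
        this.namePathMapper = namePathMapper;
        this.securityProvider = securityProvider;
        this.config = ((UserConfiguration) securityProvider.getConfiguration(UserConfiguration.class)).getParameters();
        this.userProvider = new UserProvider(root, this.config);
        this.membershipProvider = new MembershipProvider(root, this.config);
        this.actionProvider = getActionProvider(this.config);
    }

    /**
     * Returns the action provider configured under
     * {@link UserConstants#PARAM_AUTHORIZABLE_ACTION_PROVIDER}, or a
     * {@link DefaultAuthorizableActionProvider} built from the same parameters when none
     * is configured.
     */
    @Nonnull
    private static AuthorizableActionProvider getActionProvider(@Nonnull ConfigurationParameters configurationParameters) {
        AuthorizableActionProvider configured = (AuthorizableActionProvider) configurationParameters.getConfigValue(UserConstants.PARAM_AUTHORIZABLE_ACTION_PROVIDER, null, AuthorizableActionProvider.class);
        return configured != null ? configured : new DefaultAuthorizableActionProvider(configurationParameters);
    }

    /**
     * Looks up an authorizable by ID.
     *
     * @param str the authorizable ID; {@code null} or empty yields {@code null}
     * @return the user, system user or group, or {@code null} if the provider has no tree
     *         for that ID
     * @throws RepositoryException if the tree found is neither a user nor a group
     */
    @Override
    public Authorizable getAuthorizable(String str) throws RepositoryException {
        if (Strings.isNullOrEmpty(str)) {
            return null;
        }
        Tree authorizableTree = this.userProvider.getAuthorizable(str);
        if (authorizableTree == null) {
            return null;
        }
        return getAuthorizable(UserUtil.getAuthorizableId(authorizableTree), authorizableTree);
    }

    /**
     * Looks up an authorizable by ID and casts it to the requested type via
     * {@link UserUtil#castAuthorizable}.
     *
     * @param str the authorizable ID
     * @param cls the expected authorizable class
     */
    @Override
    public <T extends Authorizable> T getAuthorizable(String str, Class<T> cls) throws RepositoryException {
        return (T) UserUtil.castAuthorizable(getAuthorizable(str), cls);
    }

    /**
     * Looks up the authorizable associated with a principal.
     *
     * @param principal the principal; {@code null} yields {@code null}
     */
    @Override
    public Authorizable getAuthorizable(Principal principal) throws RepositoryException {
        if (principal == null) {
            return null;
        }
        return getAuthorizable(this.userProvider.getAuthorizableByPrincipal(principal));
    }

    /**
     * Looks up an authorizable by JCR path.
     *
     * @param str the JCR path, mapped to an Oak path before the lookup
     * @throws RepositoryException if the path cannot be mapped to an Oak path
     */
    @Override
    public Authorizable getAuthorizableByPath(String str) throws RepositoryException {
        String oakPath = this.namePathMapper.getOakPath(str);
        if (oakPath == null) {
            throw new RepositoryException("Invalid path " + str);
        }
        return getAuthorizableByOakPath(oakPath);
    }

    /**
     * Searches users and groups alike; equivalent to
     * {@link #findAuthorizables(String, String, int)} with
     * {@link UserManager#SEARCH_TYPE_AUTHORIZABLE}.
     *
     * @param str  first search argument, passed unchanged to the query manager
     * @param str2 second search argument, passed unchanged to the query manager
     */
    @Override
    public Iterator<Authorizable> findAuthorizables(String str, String str2) throws RepositoryException {
        return findAuthorizables(str, str2, SEARCH_TYPE_AUTHORIZABLE);
    }

    /**
     * Searches authorizables of the given search type.
     *
     * @param str  first search argument, passed unchanged to the query manager
     * @param str2 second search argument, passed unchanged to the query manager
     * @param i    search type, converted with {@link AuthorizableType#getType(int)}
     */
    @Override
    public Iterator<Authorizable> findAuthorizables(String str, String str2, int i) throws RepositoryException {
        return getQueryManager().findAuthorizables(str, str2, AuthorizableType.getType(i));
    }

    /** Runs the given query through the lazily created {@link UserQueryManager}. */
    @Override
    public Iterator<Authorizable> findAuthorizables(Query query) throws RepositoryException {
        return getQueryManager().findAuthorizables(query);
    }

    /**
     * Creates a user whose principal name equals its ID and without an intermediate path.
     *
     * @param str  the user ID
     * @param str2 the password, or {@code null} to create the user without one
     */
    @Override
    public User createUser(String str, String str2) throws RepositoryException {
        return createUser(str, str2, new PrincipalImpl(str), null);
    }

    /**
     * Creates a user.
     *
     * <p>The password is always hashed before it is stored (see
     * {@link #setPassword(Tree, String, String, boolean)} with the force flag set). When
     * {@code str2} is {@code null} no password property is written at all. The
     * {@code onCreate} actions receive the password exactly as passed in here, not the
     * hash, so action implementations must not log or persist it.
     *
     * @param str       the user ID; must be non-empty and unused
     * @param str2      the password as supplied by the caller, may be {@code null}
     * @param principal the principal; must have a name, must not be the reserved
     *                  'everyone' name and must not belong to an existing authorizable
     * @param str3      optional intermediate JCR path, mapped to an Oak path when present
     * @throws IllegalArgumentException    if the ID or principal is invalid
     * @throws AuthorizableExistsException if the ID or principal is already in use
     */
    @Override
    public User createUser(String str, String str2, Principal principal, @Nullable String str3) throws RepositoryException {
        checkValidId(str);
        checkValidPrincipal(principal, false);
        if (str3 != null) {
            str3 = this.namePathMapper.getOakPath(str3);
        }
        Tree userTree = this.userProvider.createUser(str, str3);
        setPrincipal(userTree, principal);
        if (str2 != null) {
            setPassword(userTree, str, str2, true);
        }
        UserImpl user = new UserImpl(str, userTree, this);
        onCreate(user, str2);
        // Parameterized so the message is only built when debug logging is enabled.
        log.debug("User created: {}", str);
        return user;
    }

    /**
     * Creates a system user whose principal name equals its ID. No password is set and
     * no {@code onCreate} action is invoked.
     *
     * @param str  the user ID; must be non-empty and unused
     * @param str2 optional intermediate path, handed to the provider as received
     * @throws IllegalArgumentException    if the ID is invalid
     * @throws AuthorizableExistsException if the ID or principal is already in use
     */
    @Override
    public User createSystemUser(String str, String str2) throws RepositoryException {
        checkValidId(str);
        PrincipalImpl principal = new PrincipalImpl(str);
        checkValidPrincipal(principal, false);
        // NOTE(review): unlike createUser/createGroup the intermediate path is not mapped
        // through namePathMapper.getOakPath here - confirm whether that is intended.
        Tree userTree = this.userProvider.createSystemUser(str, str2);
        setPrincipal(userTree, principal);
        SystemUserImpl systemUser = new SystemUserImpl(str, userTree, this);
        log.debug("System user created: {}", str);
        return systemUser;
    }

    /**
     * Creates a group whose principal name equals its ID and without an intermediate path.
     *
     * @param str the group ID
     */
    @Override
    public Group createGroup(String str) throws RepositoryException {
        return createGroup(str, new PrincipalImpl(str), null);
    }

    /** Creates a group from a principal, using the principal name as the group ID. */
    @Override
    public Group createGroup(Principal principal) throws RepositoryException {
        return createGroup(principal, null);
    }

    /**
     * Creates a group from a principal, using the principal name as the group ID.
     *
     * @param principal the group principal; dereferenced before any validation, so a
     *                  {@code null} value fails with a {@link NullPointerException}
     * @param str       optional intermediate JCR path
     */
    @Override
    public Group createGroup(Principal principal, @Nullable String str) throws RepositoryException {
        return createGroup(principal.getName(), principal, str);
    }

    /**
     * Creates a group.
     *
     * @param str       the group ID; must be non-empty and unused
     * @param principal the group principal; must have a name and must not belong to an
     *                  existing authorizable (the 'everyone' name is allowed for groups)
     * @param str2      optional intermediate JCR path, mapped to an Oak path when present
     * @throws IllegalArgumentException    if the ID or principal is invalid
     * @throws AuthorizableExistsException if the ID or principal is already in use
     */
    @Override
    public Group createGroup(String str, Principal principal, @Nullable String str2) throws RepositoryException {
        checkValidId(str);
        checkValidPrincipal(principal, true);
        if (str2 != null) {
            str2 = this.namePathMapper.getOakPath(str2);
        }
        Tree groupTree = this.userProvider.createGroup(str, str2);
        setPrincipal(groupTree, principal);
        GroupImpl group = new GroupImpl(str, groupTree, this);
        onCreate(group);
        log.debug("Group created: {}", str);
        return group;
    }

    /** Always {@code false}: changes have to be saved explicitly. */
    @Override
    public boolean isAutoSave() {
        return false;
    }

    /**
     * Not supported.
     *
     * @throws UnsupportedRepositoryOperationException always
     */
    @Override
    public void autoSave(boolean z) throws RepositoryException {
        throw new UnsupportedRepositoryOperationException("Session#save() is always required.");
    }

    /**
     * Notifies every configured action that a user was created. System users are skipped.
     *
     * @param user the new user
     * @param str  the password as supplied to {@code createUser} (not the stored hash),
     *             may be {@code null}; it is forwarded to each action unchanged
     */
    // JADX: package-private in the original class file.
    public void onCreate(@Nonnull User user, @CheckForNull String str) throws RepositoryException {
        if (user.isSystemUser()) {
            log.debug("Omit onCreate action for system users.");
            return;
        }
        for (AuthorizableAction action : this.actionProvider.getAuthorizableActions(this.securityProvider)) {
            action.onCreate(user, str, this.root, this.namePathMapper);
        }
    }

    /** Notifies every configured action that a group was created. */
    // JADX: package-private in the original class file.
    public void onCreate(@Nonnull Group group) throws RepositoryException {
        for (AuthorizableAction action : this.actionProvider.getAuthorizableActions(this.securityProvider)) {
            action.onCreate(group, this.root, this.namePathMapper);
        }
    }

    /** Notifies every configured action that an authorizable is being removed. */
    // JADX: package-private in the original class file.
    public void onRemove(@Nonnull Authorizable authorizable) throws RepositoryException {
        for (AuthorizableAction action : this.actionProvider.getAuthorizableActions(this.securityProvider)) {
            action.onRemove(authorizable, this.root, this.namePathMapper);
        }
    }

    /**
     * Notifies every configured action of a password change.
     *
     * @param user the user whose password changes
     * @param str  the password value forwarded to each action unchanged; whether it is
     *             plain text depends on the caller, which is outside this class
     */
    // JADX: package-private in the original class file.
    public void onPasswordChange(@Nonnull User user, @Nonnull String str) throws RepositoryException {
        for (AuthorizableAction action : this.actionProvider.getAuthorizableActions(this.securityProvider)) {
            action.onPasswordChange(user, str, this.root, this.namePathMapper);
        }
    }

    /**
     * Notifies the {@link GroupAction}s among the configured actions of a single
     * membership change.
     *
     * @param group        the group that changed
     * @param z            {@code true} if the member was removed, {@code false} if added
     * @param authorizable the member concerned
     */
    // JADX: package-private in the original class file.
    public void onGroupUpdate(@Nonnull Group group, boolean z, @Nonnull Authorizable authorizable) throws RepositoryException {
        for (GroupAction groupAction : selectGroupActions()) {
            if (z) {
                groupAction.onMemberRemoved(group, authorizable, this.root, this.namePathMapper);
            } else {
                groupAction.onMemberAdded(group, authorizable, this.root, this.namePathMapper);
            }
        }
    }

    /**
     * Notifies the {@link GroupAction}s among the configured actions of a bulk
     * membership change.
     *
     * @param group the group that changed
     * @param z     {@code true} for a removal; takes precedence over {@code z2}
     * @param z2    for additions, {@code true} selects {@code onMembersAddedContentId}
     *              instead of {@code onMembersAdded}
     * @param set   first ID set, passed unchanged to the action
     * @param set2  second ID set, passed unchanged to the action
     */
    // JADX: package-private in the original class file.
    public void onGroupUpdate(@Nonnull Group group, boolean z, boolean z2, @Nonnull Set<String> set, @Nonnull Set<String> set2) throws RepositoryException {
        for (GroupAction groupAction : selectGroupActions()) {
            if (z) {
                groupAction.onMembersRemoved(group, set, set2, this.root, this.namePathMapper);
            } else if (z2) {
                groupAction.onMembersAddedContentId(group, set, set2, this.root, this.namePathMapper);
            } else {
                groupAction.onMembersAdded(group, set, set2, this.root, this.namePathMapper);
            }
        }
    }

    /**
     * Wraps an authorizable tree in the matching implementation object.
     *
     * @param tree the tree; {@code null} or a non-existing tree yields {@code null}
     */
    // JADX: package-private in the original class file.
    @CheckForNull
    public Authorizable getAuthorizable(@CheckForNull Tree tree) throws RepositoryException {
        if (tree == null || !tree.exists()) {
            return null;
        }
        return getAuthorizable(UserUtil.getAuthorizableId(tree), tree);
    }

    /**
     * Looks up an authorizable by a path that is already an Oak path.
     *
     * @param str the Oak path
     */
    // JADX: package-private in the original class file.
    @CheckForNull
    public Authorizable getAuthorizableByOakPath(@Nonnull String str) throws RepositoryException {
        return getAuthorizable(this.userProvider.getAuthorizableByPath(str));
    }

    /** Returns the name/path mapper this manager was created with. */
    // JADX: package-private in the original class file.
    @Nonnull
    public NamePathMapper getNamePathMapper() {
        return this.namePathMapper;
    }

    /**
     * Returns the node type manager for this manager's root, creating it on first use
     * with {@link NamePathMapper#DEFAULT}.
     */
    // JADX: package-private in the original class file.
    @Nonnull
    public ReadOnlyNodeTypeManager getNodeTypeManager() {
        if (this.ntMgr == null) {
            this.ntMgr = ReadOnlyNodeTypeManager.getInstance(this.root, NamePathMapper.DEFAULT);
        }
        return this.ntMgr;
    }

    /** Returns the membership provider created in the constructor. */
    // JADX: package-private in the original class file.
    @Nonnull
    public MembershipProvider getMembershipProvider() {
        return this.membershipProvider;
    }

    /**
     * Obtains a principal manager from the security provider's
     * {@link PrincipalConfiguration} for this manager's root and name/path mapper.
     */
    // JADX: package-private in the original class file.
    @Nonnull
    public PrincipalManager getPrincipalManager() throws RepositoryException {
        return ((PrincipalConfiguration) this.securityProvider.getConfiguration(PrincipalConfiguration.class)).getPrincipalManager(this.root, this.namePathMapper);
    }

    /** Returns the user configuration parameters read in the constructor. */
    // JADX: package-private in the original class file.
    @Nonnull
    public ConfigurationParameters getConfig() {
        return this.config;
    }

    /**
     * Builds the implementation object for a tree: {@code SystemUserImpl} or
     * {@code UserImpl} for user trees, {@code GroupImpl} for group trees.
     *
     * @param str  the authorizable ID; {@code null} yields {@code null}
     * @param tree the authorizable tree; {@code null} yields {@code null}
     * @throws RepositoryException if the tree is neither a user nor a group
     */
    @CheckForNull
    private Authorizable getAuthorizable(@CheckForNull String str, @CheckForNull Tree tree) throws RepositoryException {
        if (str == null || tree == null) {
            return null;
        }
        if (UserUtil.isType(tree, AuthorizableType.USER)) {
            if (UserUtil.isSystemUser(tree)) {
                return new SystemUserImpl(str, tree, this);
            }
            return new UserImpl(str, tree, this);
        }
        if (UserUtil.isType(tree, AuthorizableType.GROUP)) {
            return new GroupImpl(str, tree, this);
        }
        throw new RepositoryException("Not a user or group tree " + tree.getPath() + '.');
    }

    /**
     * Rejects IDs that are null, empty or already taken.
     *
     * @param str the candidate ID
     * @throws IllegalArgumentException    if the ID is null or empty
     * @throws AuthorizableExistsException if {@link #getAuthorizable(String)} finds an
     *                                     authorizable with that ID
     */
    private void checkValidId(@CheckForNull String str) throws RepositoryException {
        if (str == null || str.isEmpty()) {
            throw new IllegalArgumentException("Invalid ID " + str);
        }
        // NOTE(review): the lookup goes through userProvider and this.root; whether it
        // sees authorizables the current root cannot read is not visible here - confirm
        // that uniqueness is also enforced when the change is committed.
        if (getAuthorizable(str) != null) {
            throw new AuthorizableExistsException("Authorizable with ID " + str + " already exists");
        }
    }

    /**
     * Validates a principal for a new authorizable.
     *
     * @param principal the principal to check
     * @param z         {@code true} when validating for a group; only then is the
     *                  reserved 'everyone' principal name accepted
     * @throws IllegalArgumentException    if the principal is null, has no name, or uses
     *                                     the reserved 'everyone' name for a non-group
     * @throws AuthorizableExistsException if an authorizable with that principal exists
     */
    // JADX: package-private in the original class file.
    public void checkValidPrincipal(@CheckForNull Principal principal, boolean z) throws RepositoryException {
        if (principal == null || Strings.isNullOrEmpty(principal.getName())) {
            throw new IllegalArgumentException("Principal may not be null and must have a valid name.");
        }
        if (!z && EveryonePrincipal.NAME.equals(principal.getName())) {
            throw new IllegalArgumentException("'everyone' is a reserved group principal name.");
        }
        if (getAuthorizable(principal) != null) {
            throw new AuthorizableExistsException("Authorizable with principal " + principal.getName() + " already exists.");
        }
    }

    /** Writes the principal's name to the tree's {@code rep:principalName} property. */
    // JADX: package-private in the original class file.
    public void setPrincipal(@Nonnull Tree tree, @Nonnull Principal principal) {
        tree.setProperty("rep:principalName", principal.getName());
    }

    /**
     * Stores a password on a user tree and, depending on configuration, stamps the
     * password's last-modified time.
     *
     * <p>The value is hashed with {@link PasswordUtil#buildPasswordHash} when {@code z} is
     * set or when {@link PasswordUtil#isPlainTextPassword} reports it as plain text.
     * Otherwise it is written to {@link UserConstants#REP_PASSWORD} verbatim. Callers
     * that pass on values they do not control should therefore set {@code z}, so that
     * an input which is not recognised as plain text cannot end up as the stored
     * credential unchanged.
     *
     * <p>The last-modified timestamp is never written for the admin user. For other
     * users it is written when password expiry is enabled without forced initial change,
     * or when forced initial change is enabled and the tree is not new.
     *
     * @param tree the user tree
     * @param str  the user ID, used only for the admin check
     * @param str2 the password or password hash
     * @param z    {@code true} to hash the value unconditionally
     * @throws RepositoryException if hashing fails; the original exception is the cause
     */
    // JADX: package-private in the original class file.
    public void setPassword(@Nonnull Tree tree, @Nonnull String str, @Nonnull String str2, boolean z) throws RepositoryException {
        String storedValue;
        if (z || PasswordUtil.isPlainTextPassword(str2)) {
            try {
                storedValue = PasswordUtil.buildPasswordHash(str2, this.config);
            } catch (UnsupportedEncodingException | NoSuchAlgorithmException e) {
                throw new RepositoryException(e);
            }
        } else {
            // Not recognised as plain text and hashing not forced: stored as received.
            storedValue = str2;
        }
        tree.setProperty(UserConstants.REP_PASSWORD, storedValue);

        boolean expiryEnabled = passwordExpiryEnabled();
        boolean forceInitialChange = forceInitialPasswordChangeEnabled();
        boolean isNewUser = tree.getStatus() == Tree.Status.NEW;
        if (UserUtil.isAdmin(this.config, str)) {
            return;
        }
        boolean expiryOnly = expiryEnabled && !forceInitialChange;
        // With forced initial change a new user gets no timestamp; presumably the missing
        // value is what marks the password as never changed - confirm against the code
        // that evaluates expiry.
        boolean forcedChangeForExistingUser = forceInitialChange && !isNewUser;
        if (expiryOnly || forcedChangeForExistingUser) {
            new NodeUtil(tree).getOrAddChild(UserConstants.REP_PWD, UserConstants.NT_REP_PASSWORD).getTree().setProperty(UserConstants.REP_PASSWORD_LAST_MODIFIED, Long.valueOf(System.currentTimeMillis()), Type.LONG);
        }
    }

    /** True when {@link UserConstants#PARAM_PASSWORD_MAX_AGE} is greater than zero (default 0). */
    private boolean passwordExpiryEnabled() {
        return ((Integer) this.config.getConfigValue(UserConstants.PARAM_PASSWORD_MAX_AGE, 0)).intValue() > 0;
    }

    /** Value of {@link UserConstants#PARAM_PASSWORD_INITIAL_CHANGE} (default {@code false}). */
    private boolean forceInitialPasswordChangeEnabled() {
        return ((Boolean) this.config.getConfigValue(UserConstants.PARAM_PASSWORD_INITIAL_CHANGE, false)).booleanValue();
    }

    /** Returns the query manager, creating it on first use. */
    @Nonnull
    private UserQueryManager getQueryManager() {
        if (this.queryManager == null) {
            this.queryManager = new UserQueryManager(this, this.namePathMapper, this.config, this.root);
        }
        return this.queryManager;
    }

    /** Returns the configured actions that implement {@link GroupAction}, in provider order. */
    @Nonnull
    private List<GroupAction> selectGroupActions() {
        // Typed list instead of the raw ArrayList the decompiler produced.
        List<GroupAction> groupActions = new ArrayList<>();
        for (AuthorizableAction action : this.actionProvider.getAuthorizableActions(this.securityProvider)) {
            if (action instanceof GroupAction) {
                groupActions.add((GroupAction) action);
            }
        }
        return groupActions;
    }
}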
