package org.apache.jackrabbit.oak.spi.security.authentication.external.impl.principal;

import com.google.common.base.Predicates;
import com.google.common.base.Strings;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterables;
import com.google.common.collect.Iterators;
import com.google.common.collect.Sets;
import java.security.Principal;
import java.security.acl.Group;
import java.text.ParseException;
import java.util.Collection;
import java.util.Collections;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.jcr.RepositoryException;
import javax.jcr.Value;
import javax.jcr.query.Query;
import org.apache.jackrabbit.api.security.principal.ItemBasedPrincipal;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.commons.iterator.AbstractLazyIterator;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.PropertyValue;
import org.apache.jackrabbit.oak.api.QueryEngine;
import org.apache.jackrabbit.oak.api.Result;
import org.apache.jackrabbit.oak.api.ResultRow;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.spi.query.PropertyValues;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityRef;
import org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalIdentityConstants;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalProvider;
import org.apache.jackrabbit.oak.spi.security.user.AuthorizableType;
import org.apache.jackrabbit.oak.spi.security.user.UserConfiguration;
import org.apache.jackrabbit.oak.spi.security.user.util.UserUtil;
import org.apache.lucene.analysis.shingle.ShingleFilter;
import org.apache.solr.security.PKIAuthenticationPlugin;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/ExternalGroupPrincipalProvider.class */
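/**
 * {@link PrincipalProvider} that exposes external group membership as group principals.
 *
 * <p>Group names are read from the {@code REP_EXTERNAL_PRINCIPAL_NAMES} property on user
 * nodes. Configured "auto-membership" groups are added per identity provider (IDP) name.
 *
 * <p>Security note: this class treats the contents of {@code REP_EXTERNAL_PRINCIPAL_NAMES}
 * and {@code rep:externalId} as authoritative and does not check who wrote them. Group
 * resolution is therefore only as trustworthy as the write protection on those two
 * properties, which is enforced (if at all) outside this file.
 *
 * <p>This listing is decompiler output. Per the decompiler's own markers, several members
 * were originally {@code private} or package-private; the widened visibility is kept so
 * the listing's interface is unchanged.
 */
public class ExternalGroupPrincipalProvider implements PrincipalProvider, ExternalIdentityConstants {
    private static final Logger log = LoggerFactory.getLogger(ExternalGroupPrincipalProvider.class);
    /** Name of the bind variable that carries the principal name (or name hint) into the query. */
    private static final String BINDING_PRINCIPAL_NAMES = "principalNames";
    private final Root root;
    private final NamePathMapper namePathMapper;
    private final UserManager userManager;
    private final AutoMembershipPrincipals autoMembershipPrincipals;

    /**
     * Resolves and caches the group principals configured as "auto-membership" for an IDP.
     * Marked as originally {@code private} by the decompiler.
     */
    public final class AutoMembershipPrincipals {
        /** IDP name to configured group ids. */
        private final Map<String, String[]> autoMembershipMapping;
        /** IDP name to resolved group principals; filled lazily by {@link #get(String)}. */
        private final Map<String, Set<Group>> principalMap;

        private AutoMembershipPrincipals(@Nonnull Map<String, String[]> map) {
            this.autoMembershipMapping = map;
            this.principalMap = new ConcurrentHashMap<>(map.size());
        }

        /**
         * Returns the auto-membership group principals configured for the given IDP.
         *
         * @param str the IDP name, or {@code null}
         * @return the resolved group principals; empty if the name is {@code null} or has
         *         no mapping
         */
        @Nonnull
        public Collection<Group> get(@CheckForNull String str) {
            if (str == null) {
                return ImmutableSet.of();
            }
            // ConcurrentHashMap holds no null values, so a null result means "not resolved yet".
            Set<Group> cached = this.principalMap.get(str);
            if (cached != null) {
                return cached;
            }

            Set<Group> resolved;
            String[] groupIds = this.autoMembershipMapping.get(str);
            if (groupIds == null) {
                resolved = ImmutableSet.of();
            } else {
                ImmutableSet.Builder<Group> builder = ImmutableSet.builder();
                for (String groupId : groupIds) {
                    try {
                        Authorizable authorizable = ExternalGroupPrincipalProvider.this.userManager.getAuthorizable(groupId);
                        if (authorizable == null || !authorizable.isGroup()) {
                            ExternalGroupPrincipalProvider.log.warn("Configured auto-membership group {} does not exist -> Ignoring", groupId);
                        } else {
                            Principal principal = authorizable.getPrincipal();
                            if (principal instanceof Group) {
                                // The listing cast the principal to ImmutableSet.Builder (a
                                // decompiler artifact), which would throw ClassCastException
                                // at run time. The element type is Group.
                                builder.add((Group) principal);
                            } else {
                                ExternalGroupPrincipalProvider.log.warn("Principal of group {} is not of type java.security.acl.Group -> Ignoring", groupId);
                            }
                        }
                    } catch (RepositoryException e) {
                        ExternalGroupPrincipalProvider.log.debug("Failed to retrieved 'auto-membership' group with id {}", groupId, e);
                    }
                }
                resolved = builder.build();
            }
            // NOTE(review): the result is cached for the lifetime of this instance even when a
            // group was missing or a lookup failed with RepositoryException. A transient error
            // therefore yields a partial set until a new provider instance is created.
            this.principalMap.put(str, resolved);
            return resolved;
        }
    }

    /**
     * Read-only group principal named after one value of {@code REP_EXTERNAL_PRINCIPAL_NAMES}.
     * Marked as originally {@code private} by the decompiler.
     */
    public final class ExternalGroupPrincipal extends PrincipalImpl implements Group {
        private ExternalGroupPrincipal(String str) {
            super(str);
        }

        /**
         * Membership cannot be edited through this principal.
         *
         * @return {@code false} if the principal already is a member
         * @throws UnsupportedOperationException if the principal is not yet a member
         */
        @Override // java.security.acl.Group
        public boolean addMember(Principal principal) {
            if (isMember(principal)) {
                return false;
            }
            throw new UnsupportedOperationException("Adding members to external group principals is not supported.");
        }

        /**
         * Membership cannot be edited through this principal.
         *
         * @return {@code false} if the principal is not a member
         * @throws UnsupportedOperationException if the principal is a member
         */
        @Override // java.security.acl.Group
        public boolean removeMember(Principal principal) {
            if (isMember(principal)) {
                throw new UnsupportedOperationException("Removing members from external group principals is not supported.");
            }
            return false;
        }

        /**
         * Tests whether the user behind {@code principal} lists this group's name in its
         * {@code REP_EXTERNAL_PRINCIPAL_NAMES} property. Group principals are never members.
         *
         * <p>A {@link RepositoryException} during lookup is logged at debug level and
         * reported as "not a member". Callers that rely on this group for deny rules
         * should be aware that a lookup failure looks the same as non-membership.
         */
        @Override // java.security.acl.Group
        public boolean isMember(Principal principal) {
            if (principal instanceof Group) {
                return false;
            }
            try {
                String name = getName();
                if (principal instanceof ItemBasedPrincipal) {
                    // Fast path: read the property straight from the user's tree.
                    Tree tree = ExternalGroupPrincipalProvider.this.root.getTree(((ItemBasedPrincipal) principal).getPath());
                    if (UserUtil.isType(tree, AuthorizableType.USER)) {
                        PropertyState names = tree.getProperty(ExternalIdentityConstants.REP_EXTERNAL_PRINCIPAL_NAMES);
                        return names != null && Iterables.contains(names.getValue(Type.STRINGS), name);
                    }
                } else {
                    Authorizable authorizable = ExternalGroupPrincipalProvider.this.userManager.getAuthorizable(principal);
                    if (authorizable != null && !authorizable.isGroup()) {
                        Value[] values = authorizable.getProperty(ExternalIdentityConstants.REP_EXTERNAL_PRINCIPAL_NAMES);
                        if (values != null) {
                            for (Value value : values) {
                                if (name.equals(value.getString())) {
                                    return true;
                                }
                            }
                        }
                    }
                }
                return false;
            } catch (RepositoryException e) {
                // Keep the cause so a failed lookup can be told apart from a plain "no".
                ExternalGroupPrincipalProvider.log.debug(e.getMessage(), e);
                return false;
            }
        }

        /**
         * Enumerates the principals of all users that list this group's name, using an
         * exact-match query. Returns an empty enumeration if the query could not be parsed.
         */
        @Override // java.security.acl.Group
        public Enumeration<? extends Principal> members() {
            Result result = ExternalGroupPrincipalProvider.this.findPrincipals(getName(), true);
            if (result == null) {
                return Iterators.asEnumeration(Iterators.<Principal>emptyIterator());
            }
            return Iterators.asEnumeration(new MemberIterator(result));
        }
    }

    /**
     * Lazily turns query result rows into distinct {@link ExternalGroupPrincipal}s whose
     * name contains the query string. Marked as originally {@code private} by the decompiler.
     */
    public final class GroupPrincipalIterator extends AbstractLazyIterator<Principal> {
        /** Principal names already returned; used to suppress duplicates across rows. */
        private final Set<String> processed;
        private final String queryString;
        private final Iterator<? extends ResultRow> rows;
        /** Values of the row currently being consumed. */
        private Iterator<String> propValues;

        private GroupPrincipalIterator(@Nullable String str, @Nonnull Result result) {
            this.processed = new HashSet<>();
            this.propValues = Iterators.emptyIterator();
            this.queryString = str;
            this.rows = result.getRows().iterator();
        }

        /**
         * Returns the next unseen, matching group principal, or {@code null} when all rows
         * are consumed.
         *
         * <p>The listing returned {@code null} as soon as one row produced no new match,
         * even with rows remaining. The base class is not visible here; if it treats
         * {@code null} as end-of-iteration, that truncates the result. A common trigger is
         * a user whose groups were all seen on earlier rows. This version keeps advancing
         * through the rows instead.
         */
        @Override // org.apache.jackrabbit.commons.iterator.AbstractLazyIterator
        public Principal getNext() {
            while (true) {
                while (this.propValues.hasNext()) {
                    String principalName = this.propValues.next();
                    // Set.add returns false for a name that was already handed out.
                    if (principalName != null && matchesQuery(principalName) && this.processed.add(principalName)) {
                        return new ExternalGroupPrincipal(principalName);
                    }
                }
                if (!this.rows.hasNext()) {
                    return null;
                }
                this.propValues = this.rows.next().getValue(ExternalIdentityConstants.REP_EXTERNAL_PRINCIPAL_NAMES).getValue(Type.STRINGS).iterator();
            }
        }

        /**
         * Re-checks a single value against the hint. The query matches whole multi-valued
         * properties, so a matching row can carry values that do not match.
         */
        private boolean matchesQuery(@Nonnull String str) {
            return this.queryString == null || str.contains(this.queryString);
        }
    }

    /** Lazily resolves query result rows (user node paths) to the users' principals. */
    private final class MemberIterator extends AbstractLazyIterator<Principal> {
        private final Iterator<? extends ResultRow> rows;

        private MemberIterator(@Nonnull Result result) {
            this.rows = result.getRows().iterator();
        }

        /**
         * Returns the principal of the next row that resolves to an authorizable, or
         * {@code null} when the rows are exhausted. Rows that fail with
         * {@link RepositoryException} are skipped.
         */
        @Override // org.apache.jackrabbit.commons.iterator.AbstractLazyIterator
        public Principal getNext() {
            while (this.rows.hasNext()) {
                String userPath = this.rows.next().getPath();
                try {
                    // The listing called getPrincipal() outside the try, leaving its checked
                    // exception unhandled and the local possibly unassigned after a failed
                    // lookup. Both calls belong inside the try.
                    Authorizable authorizable = ExternalGroupPrincipalProvider.this.userManager.getAuthorizableByPath(userPath);
                    if (authorizable != null) {
                        return authorizable.getPrincipal();
                    }
                } catch (RepositoryException e) {
                    ExternalGroupPrincipalProvider.log.debug("{}", e.getMessage());
                }
            }
            return null;
        }
    }

    /**
     * Creates the provider. Marked as originally package-private by the decompiler.
     *
     * @param root the root used to read user trees and run queries
     * @param userConfiguration source of the {@link UserManager} bound to {@code root}
     * @param namePathMapper name/path mapper, also passed to the query engine
     * @param map IDP name to ids of the groups every user of that IDP is a member of
     */
    public ExternalGroupPrincipalProvider(@Nonnull Root root, @Nonnull UserConfiguration userConfiguration, @Nonnull NamePathMapper namePathMapper, @Nonnull Map<String, String[]> map) {
        this.root = root;
        this.namePathMapper = namePathMapper;
        this.userManager = userConfiguration.getUserManager(root, namePathMapper);
        this.autoMembershipPrincipals = new AutoMembershipPrincipals(map);
    }

    /**
     * Returns a group principal with the given name if at least one user lists exactly
     * that name in {@code REP_EXTERNAL_PRINCIPAL_NAMES}; otherwise {@code null}.
     */
    @Override // org.apache.jackrabbit.oak.spi.security.principal.PrincipalProvider
    public Principal getPrincipal(@Nonnull String principalName) {
        Result result = findPrincipals(principalName, true);
        if (result == null || !result.getRows().iterator().hasNext()) {
            return null;
        }
        return new ExternalGroupPrincipal(principalName);
    }

    /**
     * Returns the external and auto-membership group principals of the user behind
     * {@code principal}. Returns an empty set for group principals.
     *
     * <p>A {@link RepositoryException} is logged at debug level and also produces an empty
     * set, so a failed lookup is indistinguishable from "no groups" for the caller.
     */
    @Override // org.apache.jackrabbit.oak.spi.security.principal.PrincipalProvider
    @Nonnull
    public Set<Group> getGroupMembership(@Nonnull Principal principal) {
        if (!(principal instanceof Group)) {
            try {
                if (principal instanceof ItemBasedPrincipal) {
                    return getGroupPrincipals(this.root.getTree(((ItemBasedPrincipal) principal).getPath()));
                }
                return getGroupPrincipals(this.userManager.getAuthorizable(principal));
            } catch (RepositoryException e) {
                log.debug(e.getMessage(), e);
            }
        }
        return ImmutableSet.of();
    }

    /**
     * Returns the external and auto-membership group principals of the user with the given
     * id. Returns an empty set if the lookup fails.
     */
    @Override // org.apache.jackrabbit.oak.spi.security.principal.PrincipalProvider
    @Nonnull
    public Set<? extends Principal> getPrincipals(@Nonnull String userID) {
        try {
            return getGroupPrincipals(this.userManager.getAuthorizable(userID));
        } catch (RepositoryException e) {
            log.debug(e.getMessage(), e);
            return ImmutableSet.of();
        }
    }

    /**
     * Finds external group principals whose name contains {@code nameHint}.
     *
     * @param nameHint substring to look for; {@code null} matches every name
     * @param searchType search type; the value 1 yields no result
     *        (presumably {@code PrincipalManager.SEARCH_TYPE_NOT_GROUP}; confirm against the API)
     */
    @Override // org.apache.jackrabbit.oak.spi.security.principal.PrincipalProvider
    @Nonnull
    public Iterator<? extends Principal> findPrincipals(@Nullable String nameHint, int searchType) {
        if (searchType == 1) {
            return Iterators.emptyIterator();
        }
        Result result = findPrincipals(Strings.nullToEmpty(nameHint), false);
        if (result == null) {
            return Iterators.emptyIterator();
        }
        return Iterators.filter(new GroupPrincipalIterator(nameHint, result), Predicates.notNull());
    }

    /** Finds all external group principals for the given search type. */
    @Override // org.apache.jackrabbit.oak.spi.security.principal.PrincipalProvider
    @Nonnull
    public Iterator<? extends Principal> findPrincipals(int searchType) {
        return findPrincipals((String) null, searchType);
    }

    /**
     * Extracts the IDP name from the {@code rep:externalId} property of a user tree.
     *
     * @return the provider name, or {@code null} if the property is absent
     */
    @CheckForNull
    private String getIdpName(@Nonnull Tree tree) {
        PropertyState externalId = tree.getProperty("rep:externalId");
        if (externalId != null) {
            return ExternalIdentityRef.fromString(externalId.getValue(Type.STRING)).getProviderName();
        }
        return null;
    }

    /** Resolves group principals for a user authorizable; empty for {@code null} or groups. */
    private Set<Group> getGroupPrincipals(@CheckForNull Authorizable authorizable) throws RepositoryException {
        if (authorizable == null || authorizable.isGroup()) {
            return ImmutableSet.of();
        }
        return getGroupPrincipals(this.root.getTree(authorizable.getPath()));
    }

    /**
     * Builds the group principals for a user tree. There is one principal per value of
     * {@code REP_EXTERNAL_PRINCIPAL_NAMES}, plus the auto-membership groups of the user's IDP.
     *
     * <p>Auto-membership is only added for users that carry the property at all.
     */
    private Set<Group> getGroupPrincipals(@Nonnull Tree tree) {
        if (!tree.exists() || !UserUtil.isType(tree, AuthorizableType.USER) || !tree.hasProperty(ExternalIdentityConstants.REP_EXTERNAL_PRINCIPAL_NAMES)) {
            return ImmutableSet.of();
        }
        PropertyState names = tree.getProperty(ExternalIdentityConstants.REP_EXTERNAL_PRINCIPAL_NAMES);
        if (names == null) {
            return ImmutableSet.of();
        }
        Set<Group> groupPrincipals = new HashSet<>();
        for (String principalName : names.getValue(Type.STRINGS)) {
            groupPrincipals.add(new ExternalGroupPrincipal(principalName));
        }
        groupPrincipals.addAll(this.autoMembershipPrincipals.get(getIdpName(tree)));
        return groupPrincipals;
    }

    /**
     * Queries user nodes by their {@code rep:externalPrincipalNames} property.
     * Marked as originally {@code private} by the decompiler.
     *
     * <p>The search value reaches the query only through a bind variable and is never
     * concatenated into the statement, so it cannot alter the query structure.
     *
     * @param str the principal name (exact match) or name hint (LIKE match)
     * @param z {@code true} for an exact match, {@code false} for a LIKE match
     * @return the query result, or {@code null} if the statement could not be parsed
     */
    @CheckForNull
    public Result findPrincipals(@Nonnull String str, boolean z) {
        // NOTE(review): PKIAuthenticationPlugin.NODE_IS_USER looks like a decompiler
        // substitution for a string literal, presumably the "$" bind-variable prefix.
        // Verify, then replace it with the literal to drop the unrelated dependency.
        String statement = "SELECT 'rep:externalPrincipalNames' FROM [rep:User] WHERE PROPERTY([rep:externalPrincipalNames], 'String')"
                + (z ? " = " : " LIKE ")
                + PKIAuthenticationPlugin.NODE_IS_USER + BINDING_PRINCIPAL_NAMES
                + QueryEngine.INTERNAL_SQL2_QUERY;
        try {
            return this.root.getQueryEngine().executeQuery(statement, Query.JCR_SQL2, buildBinding(str, z), this.namePathMapper.getSessionLocalMappings());
        } catch (ParseException e) {
            // Previously swallowed without a trace; callers still receive null.
            log.debug("Failed to parse external principal query", e);
            return null;
        }
    }

    /**
     * Builds the bind-variable map for {@link #findPrincipals(String, boolean)}.
     *
     * <p>For a LIKE match, the hint is wrapped in {@code %} wildcards after escaping
     * {@code %} and the filler-token character with a backslash. An empty hint becomes a
     * bare {@code %}.
     */
    @Nonnull
    private static Map<String, ? extends PropertyValue> buildBinding(@Nonnull String str, boolean z) {
        String bound = str;
        if (!z) {
            if (str.isEmpty()) {
                bound = "%";
            } else {
                // NOTE(review): ShingleFilter.DEFAULT_FILLER_TOKEN looks like a decompiler
                // substitution for a literal, presumably "_", the single-character LIKE
                // wildcard. Verify and replace.
                // NOTE(review): a backslash in the hint is not escaped, so it can act as the
                // LIKE escape character for whatever follows it. Results are re-filtered
                // per value in GroupPrincipalIterator, which limits the effect to missed
                // matches. Confirm the query engine's escape rules before changing this.
                bound = '%' + str.replace("%", "\\%").replace(ShingleFilter.DEFAULT_FILLER_TOKEN, "\\_") + '%';
            }
        }
        return Collections.singletonMap(BINDING_PRINCIPAL_NAMES, PropertyValues.newString(bound));
    }
}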
