package org.apache.jackrabbit.oak.security.user;

import java.security.Principal;
import java.security.acl.Group;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import javax.jcr.RepositoryException;
import javax.security.auth.Subject;
import org.apache.jackrabbit.api.security.principal.PrincipalIterator;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Impersonation;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalIteratorAdapter;
import org.apache.jackrabbit.oak.spi.security.user.UserConstants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/resources/install/15/oak-core-1.6.8.jar:org/apache/jackrabbit/oak/security/user/ImpersonationImpl.class */
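/**
 * Manages which principals may impersonate a single user.
 *
 * <p>The impersonators are kept as a set of principal <em>names</em> in the multi-valued
 * {@code UserConstants.REP_IMPERSONATORS} property on the user's tree. Both the grant check and
 * the {@link #allows(Subject)} decision compare plain name strings.
 *
 * <p>NOTE(review): {@link #allows(Subject)} matches the names of every principal in the subject,
 * group principals included. {@link #grantImpersonation(Principal)} refuses groups, but nothing
 * re-validates the stored names at decision time. The decision is therefore only as trustworthy
 * as write access to the impersonators property; confirm that the property cannot be written
 * by any path other than this class.
 */
class ImpersonationImpl implements Impersonation, UserConstants {
    private static final Logger log = LoggerFactory.getLogger(ImpersonationImpl.class);
    private final UserImpl user;
    private final PrincipalManager principalManager;

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates the impersonation view for {@code userImpl}.
     *
     * @param userImpl the user whose impersonators are managed
     * @throws RepositoryException if the principal manager cannot be obtained
     */
    public ImpersonationImpl(UserImpl userImpl) throws RepositoryException {
        this.user = userImpl;
        this.principalManager = userImpl.getUserManager().getPrincipalManager();
    }

    /**
     * Returns the principals currently stored as impersonators of the user.
     *
     * <p>A stored name that the principal manager cannot resolve is still returned, wrapped in a
     * plain {@link PrincipalImpl}, so stale entries stay visible to callers auditing the list.
     *
     * @return an iterator over the impersonators, or the empty iterator if none are stored
     * @throws RepositoryException declared by the {@link Impersonation} interface
     */
    @Override
    public PrincipalIterator getImpersonators() throws RepositoryException {
        Set<String> impersonatorNames = getImpersonatorNames();
        if (impersonatorNames.isEmpty()) {
            return PrincipalIteratorAdapter.EMPTY;
        }
        Set<Principal> impersonators = new HashSet<Principal>();
        for (String principalName : impersonatorNames) {
            Principal impersonator = principalManager.getPrincipal(principalName);
            if (impersonator == null) {
                log.debug("Impersonator {} does not correspond to a known Principal.", principalName);
                impersonator = new PrincipalImpl(principalName);
            }
            impersonators.add(impersonator);
        }
        return new PrincipalIteratorAdapter(impersonators);
    }

    /**
     * Adds {@code principal} to the user's impersonators.
     *
     * @param principal the principal to grant impersonation to; dereferenced without a null check
     * @return {@code true} if the name was added; {@code false} if the principal is unknown, is a
     *     group, is an admin, is the user itself, or is already listed
     * @throws RepositoryException declared by the {@link Impersonation} interface
     */
    @Override
    public boolean grantImpersonation(Principal principal) throws RepositoryException {
        if (!isValidPrincipal(principal)) {
            return false;
        }
        String name = principal.getName();
        Tree tree = user.getTree();
        // "rep:principalName" on the user's tree is compared against the grantee to refuse
        // self-impersonation.
        PropertyState ownPrincipalName = tree.getProperty("rep:principalName");
        if (ownPrincipalName != null && ownPrincipalName.getValue(Type.STRING).equals(name)) {
            log.warn("Cannot grant impersonation to oneself.");
            return false;
        }
        Set<String> impersonatorNames = getImpersonatorNames(tree);
        if (!impersonatorNames.add(name)) {
            // Already present: nothing to write.
            return false;
        }
        updateImpersonatorNames(tree, impersonatorNames);
        return true;
    }

    /**
     * Removes {@code principal} from the user's impersonators.
     *
     * <p>Unlike granting, revocation performs no validity check, so names of principals that no
     * longer exist can still be removed.
     *
     * @param principal the principal to revoke; dereferenced without a null check
     * @return {@code true} if the name was listed and has been removed, {@code false} otherwise
     * @throws RepositoryException declared by the {@link Impersonation} interface
     */
    @Override
    public boolean revokeImpersonation(Principal principal) throws RepositoryException {
        String name = principal.getName();
        Tree tree = user.getTree();
        Set<String> impersonatorNames = getImpersonatorNames(tree);
        if (!impersonatorNames.remove(name)) {
            return false;
        }
        updateImpersonatorNames(tree, impersonatorNames);
        return true;
    }

    /**
     * Decides whether {@code subject} may impersonate the user.
     *
     * <p>The subject is allowed if the name of any of its principals is stored as an impersonator,
     * or if any of its principals is an admin (see {@link #isAdmin(Principal)}).
     *
     * @param subject the subject asking to impersonate; {@code null} is never allowed
     * @return {@code true} if impersonation is allowed
     * @throws RepositoryException declared by the {@link Impersonation} interface
     */
    @Override
    public boolean allows(Subject subject) throws RepositoryException {
        if (subject == null) {
            return false;
        }
        Set<String> subjectPrincipalNames = new HashSet<String>();
        for (Principal principal : subject.getPrincipals()) {
            subjectPrincipalNames.add(principal.getName());
        }
        // removeAll reports whether the stored set changed, i.e. whether at least one of the
        // subject's principal names is a stored impersonator. The set is a throw-away copy.
        if (getImpersonatorNames().removeAll(subjectPrincipalNames)) {
            return true;
        }
        // No stored match: admins are implicitly allowed to impersonate.
        for (Principal principal : subject.getPrincipals()) {
            if (isAdmin(principal)) {
                return true;
            }
        }
        return false;
    }

    /** Reads the impersonator names from the user's own tree. */
    private Set<String> getImpersonatorNames() {
        return getImpersonatorNames(user.getTree());
    }

    /**
     * Reads the impersonator names stored on {@code tree}.
     *
     * @param tree the tree holding the impersonators property
     * @return a new mutable set of names; empty if the property is absent
     */
    private Set<String> getImpersonatorNames(Tree tree) {
        Set<String> names = new HashSet<String>();
        PropertyState property = tree.getProperty(UserConstants.REP_IMPERSONATORS);
        if (property != null) {
            for (String name : property.getValue(Type.STRINGS)) {
                names.add(name);
            }
        }
        return names;
    }

    /**
     * Writes {@code set} back as the impersonators property, removing the property entirely when
     * the set is {@code null} or empty.
     */
    private void updateImpersonatorNames(Tree tree, Set<String> set) {
        if (set == null || set.isEmpty()) {
            tree.removeProperty(UserConstants.REP_IMPERSONATORS);
        } else {
            tree.setProperty(UserConstants.REP_IMPERSONATORS, set, Type.STRINGS);
        }
    }

    /**
     * Tells whether {@code principal} is an admin: either an {@link AdminPrincipal}, or a
     * non-group principal whose authorizable is a {@link User} reporting {@code isAdmin()}.
     *
     * <p>A repository failure during the lookup is reported as "not an admin". For
     * {@link #allows(Subject)} that denies the request; for {@link #isValidPrincipal(Principal)}
     * it lets the grant continue. The exception is logged with its stack trace so the failure can
     * be traced.
     */
    private boolean isAdmin(Principal principal) {
        if (principal instanceof AdminPrincipal) {
            return true;
        }
        if (principal instanceof Group) {
            return false;
        }
        try {
            Authorizable authorizable = user.getUserManager().getAuthorizable(principal);
            return authorizable != null
                    && !authorizable.isGroup()
                    && ((User) authorizable).isAdmin();
        } catch (RepositoryException e) {
            log.debug(e.getMessage(), e);
            return false;
        }
    }

    /**
     * Checks whether impersonation may be granted to {@code principal}.
     *
     * <p>The principal is first re-resolved: through the user manager when it is a
     * {@code TreeBasedPrincipal}, otherwise by name through the principal manager. The resolved
     * principal is then rejected if it is unknown, a group, or an admin.
     *
     * @param principal the candidate; dereferenced without a null check
     * @return {@code true} if the principal may be stored as an impersonator
     */
    private boolean isValidPrincipal(Principal principal) {
        Principal resolved = null;
        if (principal instanceof TreeBasedPrincipal) {
            try {
                Authorizable authorizable = user.getUserManager().getAuthorizable(principal);
                if (authorizable != null) {
                    resolved = authorizable.getPrincipal();
                }
            } catch (RepositoryException e) {
                // Leaves resolved == null, so the principal is rejected as unknown below.
                log.debug(e.getMessage(), e);
            }
        } else {
            resolved = principalManager.getPrincipal(principal.getName());
        }
        if (resolved == null) {
            log.debug("Cannot grant impersonation to an unknown principal.");
            return false;
        }
        if (resolved instanceof Group) {
            log.debug("Cannot grant impersonation to a principal that is a Group.");
            return false;
        }
        if (isAdmin(resolved)) {
            log.debug("Admin principal is already granted impersonation.");
            return false;
        }
        return true;
    }
}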
