package pl.ds.websight.groovyconsole.service.impl;

import java.util.stream.Stream;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import org.apache.commons.lang3.StringUtils;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.jcr.base.util.AccessControlUtil;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.metatype.annotations.Designate;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import pl.ds.websight.groovyconsole.service.AuthorizationService;

@Designate(ocd = AuthorizationServiceConfig.class)
@Component(service = {AuthorizationService.class})
/* loaded from: input_file:resources/install/0/websight-release-admin-sling-1.0.3.zip:jcr_root/apps/websight/install/websight-groovy-console-service-1.0.2.jar:pl/ds/websight/groovyconsole/service/impl/AuthorizationServiceImpl.class */
public class AuthorizationServiceImpl implements AuthorizationService {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) AuthorizationServiceImpl.class);
    private AuthorizationServiceConfig config;

    @Override // pl.ds.websight.groovyconsole.service.AuthorizationService
    public boolean isAllowed(Session session) {
        if (session == null) {
            return false;
        }
        String userID = session.getUserID();
        try {
            UserManager userManager = AccessControlUtil.getUserManager(session);
            if (!isAllowedUser(userID)) {
                if (!isMemberOfAllowedGroup(userManager, userID)) {
                    return false;
                }
            }
            return true;
        } catch (RepositoryException e) {
            LOG.warn("Error while validating whether the user is member of allowed group", (Throwable) e);
            return false;
        }
    }

    private boolean isAllowedUser(String str) {
        return Stream.of((Object[]) this.config.allowed_users()).anyMatch(str2 -> {
            return StringUtils.equals(str, str2);
        });
    }

    private boolean isMemberOfAllowedGroup(UserManager userManager, String str) throws RepositoryException {
        Authorizable authorizable = userManager.getAuthorizable(str);
        for (String str2 : this.config.allowed_groups()) {
            Authorizable authorizable2 = userManager.getAuthorizable(str2);
            if (authorizable2 != null && authorizable2.isGroup() && ((Group) authorizable2).isMember(authorizable)) {
                return true;
            }
        }
        return false;
    }

    @Activate
    private void activate(AuthorizationServiceConfig authorizationServiceConfig) {
        this.config = authorizationServiceConfig;
    }
}
