package org.apache.sling.jackrabbit.usermanager.impl.post;

import java.util.List;
import java.util.Map;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.Privilege;
import javax.servlet.Servlet;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.resource.ResourceNotFoundException;
import org.apache.sling.commons.osgi.OsgiUtil;
import org.apache.sling.jackrabbit.usermanager.ChangeUserPassword;
import org.apache.sling.jackrabbit.usermanager.resource.SystemUserManagerPaths;
import org.apache.sling.jcr.api.SlingRepository;
import org.apache.sling.jcr.base.util.AccessControlUtil;
import org.apache.sling.serviceusermapping.ServiceUserMapped;
import org.apache.sling.servlets.post.Modification;
import org.apache.sling.servlets.post.PostResponse;
import org.apache.sling.servlets.post.PostResponseCreator;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Deactivate;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
import org.osgi.service.component.annotations.ReferencePolicy;
import org.osgi.service.metatype.annotations.AttributeDefinition;
import org.osgi.service.metatype.annotations.Designate;
import org.osgi.service.metatype.annotations.ObjectClassDefinition;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

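/**
 * Sling POST servlet and {@link ChangeUserPassword} service that changes the password of a
 * repository user.
 *
 * <p>The servlet is registered for {@code POST} requests on {@code sling/user} resources with
 * the {@code changePassword} selector. The target user id is the name of the request resource.
 *
 * <p>Authorization model implemented by {@link #changePassword}:
 * <ul>
 *   <li>the {@code anonymous} user can never have its password changed;</li>
 *   <li>the old password may be omitted only when the calling session belongs to an admin
 *       user or to a member of the configured user-admin group;</li>
 *   <li>otherwise the old password is handed to {@code User.changePassword(new, old)};</li>
 *   <li>when {@code alwaysAllowSelfChangePassword} is enabled and the caller changes their own
 *       password without holding {@code rep:userManagement}, the change is made through a
 *       service session instead of the caller's session.</li>
 * </ul>
 *
 * <p>Password values are never written to the log by this class.
 */
@Designate(ocd = ChangeUserPasswordServlet.Config.class)
@Component(
        service = {Servlet.class, ChangeUserPassword.class},
        property = {
            "sling.servlet.resourceTypes=sling/user",
            "sling.servlet.methods=POST",
            "sling.servlet.selectors=changePassword",
            "sling.servlet.prefix:Integer=-1",
            "servlet.post.dateFormats=EEE MMM dd yyyy HH:mm:ss 'GMT'Z",
            "servlet.post.dateFormats=yyyy-MM-dd'T'HH:mm:ss.SSSZ",
            "servlet.post.dateFormats=yyyy-MM-dd'T'HH:mm:ss",
            "servlet.post.dateFormats=yyyy-MM-dd",
            "servlet.post.dateFormats=dd.MM.yyyy HH:mm:ss",
            "servlet.post.dateFormats=dd.MM.yyyy"
        })
/* loaded from: input_file:org/apache/sling/jackrabbit/usermanager/impl/post/ChangeUserPasswordServlet.class */
public class ChangeUserPasswordServlet extends AbstractAuthorizablePostServlet implements ChangeUserPassword {
    private static final long serialVersionUID = 1923614318474654502L;

    /** Group whose members may reset another user's password when no name is configured. */
    static final String DEFAULT_USER_ADMIN_GROUP_NAME = "UserAdmin";

    /** Component property that holds the user-admin group name. */
    static final String PAR_USER_ADMIN_GROUP_NAME = "user.admin.group.name";

    // Used to open the service session for the self-service password change fallback.
    @Reference
    private transient SlingRepository repository;

    // Not read anywhere in this class; presumably declared so the component only activates
    // once a service-user mapping exists for this bundle - confirm against the bundle config.
    @Reference
    private transient ServiceUserMapped serviceUserMapped;
    private final transient Logger log = LoggerFactory.getLogger(getClass());
    private String userAdminGroupName = DEFAULT_USER_ADMIN_GROUP_NAME;

    // Initialised to true here, but activate() overwrites it and falls back to false when the
    // property is absent, so the effective default after activation is false.
    private boolean alwaysAllowSelfChangePassword = true;

    /**
     * Metatype description of the component configuration.
     *
     * <p>NOTE(review): {@code allowSelfChangePassword} is declared here with default
     * {@code true}, but {@link #activate(Map)} reads the key
     * {@code "alwaysAllowSelfChangePassword"} with default {@code false}. As written, a value
     * stored under the declared attribute name is not read by this class. The two names and
     * defaults should be reconciled deliberately, because the flag decides whether a service
     * session may be used on behalf of the caller.
     */
    @ObjectClassDefinition(name = "Apache Sling Change User Password")
    /* loaded from: input_file:org/apache/sling/jackrabbit/usermanager/impl/post/ChangeUserPasswordServlet$Config.class */
    public @interface Config {
        @AttributeDefinition(name = "User Admin Group Name", description = "Specifies the name of the group whose members are allowed to reset the password of another user.")
        String user_admin_group_name() default "UserAdmin";

        @AttributeDefinition(name = "Allow Self Password Change", description = "Specifies whether a user is allowed to change their own password.")
        boolean allowSelfChangePassword() default true;
    }

    /**
     * Reads the component configuration.
     *
     * @param map component properties; {@code "alwaysAllowSelfChangePassword"} (default
     *     {@code false}) and {@code "user.admin.group.name"} (default {@code "UserAdmin"})
     *     are consumed here, the rest is handled by the superclass
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.sling.jackrabbit.usermanager.impl.post.AbstractAuthorizablePostServlet
    @Activate
    public void activate(Map<String, Object> map) {
        super.activate(map);
        // NOTE(review): this key differs from the Config attribute name (allowSelfChangePassword)
        // and the fallback differs from the declared default (true). Left unchanged on purpose:
        // switching key or default would silently enable or disable the service-session path
        // on existing deployments.
        this.alwaysAllowSelfChangePassword = OsgiUtil.toBoolean(map.get("alwaysAllowSelfChangePassword"), false);
        this.userAdminGroupName = OsgiUtil.toString(map.get(PAR_USER_ADMIN_GROUP_NAME), DEFAULT_USER_ADMIN_GROUP_NAME);
        this.log.debug("User Admin Group Name {}", this.userAdminGroupName);
    }

    /** Delegates deactivation to the superclass. */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.sling.jackrabbit.usermanager.impl.post.AbstractAuthorizablePostServlet
    @Deactivate
    public void deactivate() {
        super.deactivate();
    }

    /** Re-declared only to attach the {@code @Reference} annotation; delegates to the superclass. */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.sling.jackrabbit.usermanager.impl.post.AbstractAuthorizablePostServlet
    @Reference
    public void bindSystemUserManagerPaths(SystemUserManagerPaths systemUserManagerPaths) {
        super.bindSystemUserManagerPaths(systemUserManagerPaths);
    }

    /** Re-declared only to attach the dynamic, multiple {@code @Reference}; delegates to the superclass. */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.sling.jackrabbit.usermanager.impl.post.AbstractPostServlet
    @Reference(service = PostResponseCreator.class, cardinality = ReferenceCardinality.MULTIPLE, policy = ReferencePolicy.DYNAMIC)
    public void bindPostResponseCreator(PostResponseCreator postResponseCreator, Map<String, Object> map) {
        super.bindPostResponseCreator(postResponseCreator, map);
    }

    /** Unbind counterpart of {@link #bindPostResponseCreator}; delegates to the superclass. */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.sling.jackrabbit.usermanager.impl.post.AbstractPostServlet
    public void unbindPostResponseCreator(PostResponseCreator postResponseCreator, Map<String, Object> map) {
        super.unbindPostResponseCreator(postResponseCreator, map);
    }

    /**
     * Extracts the password change inputs from the request and delegates to
     * {@link #changePassword}.
     *
     * <p>The target user id is the name of the request resource; the passwords are read from
     * the {@code oldPwd}, {@code newPwd} and {@code newPwdConfirm} request parameters.
     * {@code getParameter} also returns query-string values, so clients should send these
     * parameters in the request body to keep them out of URLs and access logs.
     *
     * @throws RepositoryException if validation or the repository operation fails
     */
    @Override // org.apache.sling.jackrabbit.usermanager.impl.post.AbstractPostServlet
    protected void handleOperation(SlingHttpServletRequest slingHttpServletRequest, PostResponse postResponse, List<Modification> list) throws RepositoryException {
        Session session = slingHttpServletRequest.getResourceResolver().adaptTo(Session.class);
        String userId = slingHttpServletRequest.getResource().getName();
        changePassword(
                session,
                userId,
                slingHttpServletRequest.getParameter("oldPwd"),
                slingHttpServletRequest.getParameter("newPwd"),
                slingHttpServletRequest.getParameter("newPwdConfirm"),
                list);
    }

    /**
     * Changes the password of the user {@code str}.
     *
     * @param session session of the caller; used for all lookups and, except for the
     *     service-session fallback, for the change itself
     * @param str id of the user whose password is changed
     * @param str2 old password; may be {@code null} or empty only when the caller is an admin
     *     user or a member of the configured user-admin group
     * @param str3 new password; must not be {@code null} or empty
     * @param str4 confirmation of the new password; must equal {@code str3}
     * @param list receives a modification entry for the user's {@code rep:password} property;
     *     may be {@code null}
     * @return the user as resolved through {@code session}
     * @throws RepositoryException if the session is missing, the target is {@code anonymous},
     *     a required password is missing, the confirmation does not match, or the repository
     *     rejects the change
     * @throws ResourceNotFoundException if {@code str} does not resolve to a user
     */
    @Override // org.apache.sling.jackrabbit.usermanager.ChangeUserPassword
    public User changePassword(Session session, String str, String str2, String str3, String str4, List<Modification> list) throws RepositoryException {
        if ("anonymous".equals(str)) {
            throw new RepositoryException("Can not change the password of the anonymous user.");
        }
        // adaptTo(Session.class) in handleOperation can yield null; fail with a clear
        // RepositoryException instead of an NPE further down.
        if (session == null) {
            throw new RepositoryException("JCR Session not found");
        }
        final User user = requireUser(AccessControlUtil.getUserManager(session), str);
        final boolean oldPasswordSupplied = str2 != null && str2.length() > 0;

        // A reset without the old password is reserved for administrators.
        if (!oldPasswordSupplied && !isUserAdministrator(session)) {
            throw new RepositoryException("Old Password was not submitted");
        }
        if (str3 == null || str3.length() == 0) {
            throw new RepositoryException("New Password was not submitted");
        }
        if (!str3.equals(str4)) {
            throw new RepositoryException("New Password does not match the confirmation password");
        }

        if (!oldPasswordSupplied) {
            // Administrative reset, performed on the user resolved through the caller's session.
            user.changePassword(str3);
        } else if (this.alwaysAllowSelfChangePassword && session.getUserID().equals(str)) {
            AccessControlManager accessControlManager = session.getAccessControlManager();
            Privilege[] required = {accessControlManager.privilegeFromName("rep:userManagement")};
            if (accessControlManager.hasPrivileges(user.getPath(), required)) {
                user.changePassword(str3, str2);
            } else {
                // The caller lacks rep:userManagement on their own user node, so the change is
                // made with a service session. The only gates on this path are the
                // "caller == target" comparison above and the old password handed to
                // changePassword(new, old); keep both when modifying this branch.
                changeOwnPasswordWithServiceSession(str, str3, str2);
            }
        } else {
            user.changePassword(str3, str2);
        }
        // Guarded so a programmatic caller passing null does not fail after the change was made.
        if (list != null) {
            list.add(Modification.onModified(this.systemUserManagerPaths.getUserPrefix() + user.getID() + "/rep:password"));
        }
        return user;
    }

    /** Resolves {@code id} to a user or fails with the same error for "missing" and "not a user". */
    private static User requireUser(UserManager userManager, String id) throws RepositoryException {
        Object candidate = userManager.getAuthorizable(id);
        if (!(candidate instanceof User)) {
            throw new ResourceNotFoundException("User to update could not be determined");
        }
        return (User) candidate;
    }

    /**
     * Tells whether the owner of {@code session} is an admin user or a member of the configured
     * user-admin group. Any failure during the lookup is treated as "not an administrator".
     */
    private boolean isUserAdministrator(Session session) {
        try {
            UserManager userManager = AccessControlUtil.getUserManager(session);
            Object current = userManager.getAuthorizable(session.getUserID());
            if (!(current instanceof User)) {
                return false;
            }
            User currentUser = (User) current;
            if (currentUser.isAdmin()) {
                return true;
            }
            Object adminGroup = userManager.getAuthorizable(this.userAdminGroupName);
            return adminGroup instanceof Group && ((Group) adminGroup).isMember(currentUser);
        } catch (Exception e) {
            // Deliberately broad: the check fails closed. The exception is passed as the last
            // argument so the stack trace is not lost.
            this.log.warn("Failed to determine if the user is an admin, assuming not. Cause: {}", e.getMessage(), e);
            return false;
        }
    }

    /**
     * Changes the password of {@code userId} through a service session, saves that session if
     * it has pending changes, and always logs it out.
     */
    private void changeOwnPasswordWithServiceSession(String userId, String newPassword, String oldPassword) throws RepositoryException {
        Session serviceSession = this.repository.loginService(null, null);
        try {
            // The service user may not see the target user; report that as "not found" instead
            // of failing with a NullPointerException or ClassCastException.
            requireUser(AccessControlUtil.getUserManager(serviceSession), userId).changePassword(newPassword, oldPassword);
            if (serviceSession.hasPendingChanges()) {
                serviceSession.save();
            }
        } finally {
            serviceSession.logout();
        }
    }
}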
