package org.apache.sling.jackrabbit.usermanager.impl;

import java.io.UnsupportedEncodingException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.Map;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.oak.spi.security.user.UserConfiguration;
import org.apache.sling.commons.osgi.OsgiUtil;
import org.apache.sling.jackrabbit.usermanager.AuthorizablePrivilegesInfo;
import org.apache.sling.jackrabbit.usermanager.CreateUser;
import org.apache.sling.jcr.base.util.AccessControlUtil;
import org.osgi.framework.BundleContext;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
import org.osgi.service.component.annotations.ReferencePolicy;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

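/**
 * Answers "may this session manage users/groups?" questions for the user manager UI and servlets.
 *
 * <p>Every check follows the same pattern: a session whose user is an administrator is allowed
 * outright; any other session is allowed only when it holds the full privilege set from
 * {@link #hasManagementPrivileges(Session, String)} on the configured users or groups path.
 * When the relevant path is not known (no {@code UserConfiguration} bound) or the repository
 * throws, the answer is {@code false}, so failures deny rather than grant.
 *
 * <p>The path and self-registration fields are written by dynamic OSGi references and read by
 * request threads, so they are {@code volatile} and each check reads them once into a local.
 */
@Component(service = {AuthorizablePrivilegesInfo.class}, property = {"user.admin.group.name=UserAdmin", "group.admin.group.name=GroupAdmin"})
/* loaded from: input_file:org/apache/sling/jackrabbit/usermanager/impl/AuthorizablePrivilegesInfoImpl.class */
public class AuthorizablePrivilegesInfoImpl implements AuthorizablePrivilegesInfo {
    private final Logger log = LoggerFactory.getLogger(getClass());
    static final String DEFAULT_USER_ADMIN_GROUP_NAME = "UserAdmin";
    static final String PAR_USER_ADMIN_GROUP_NAME = "user.admin.group.name";
    static final String DEFAULT_GROUP_ADMIN_GROUP_NAME = "GroupAdmin";
    static final String PAR_GROUP_ADMIN_GROUP_NAME = "group.admin.group.name";

    // Written from bind/unbind callbacks of DYNAMIC references, read by the can* checks:
    // volatile so an authorization decision never works from a stale value.
    private volatile String usersPath;
    private volatile String groupsPath;
    private volatile boolean selfRegistrationEnabled;

    /** Picks up the repository paths under which users and groups are stored. */
    @Reference(cardinality = ReferenceCardinality.OPTIONAL, policy = ReferencePolicy.DYNAMIC)
    private void bindUserConfiguration(UserConfiguration userConfiguration, Map<String, Object> map) {
        this.usersPath = (String) map.get("usersPath");
        this.groupsPath = (String) map.get("groupsPath");
    }

    /** Forgets the paths; until rebound, non-admin sessions are denied by every path-based check. */
    private void unbindUserConfiguration(UserConfiguration userConfiguration, Map<String, Object> map) {
        this.usersPath = null;
        this.groupsPath = null;
    }

    /** Records whether the bound {@code CreateUser} service advertises self registration. */
    @Reference(cardinality = ReferenceCardinality.OPTIONAL, policy = ReferencePolicy.DYNAMIC)
    private void bindCreateUser(CreateUser createUser, Map<String, Object> map) {
        // Only a real Boolean TRUE enables it; a missing or non-Boolean property leaves it off.
        this.selfRegistrationEnabled = Boolean.TRUE.equals(map.get("self.registration.enabled"));
    }

    /** Turns self registration off again when the {@code CreateUser} service goes away. */
    private void unbindCreateUser(CreateUser createUser, Map<String, Object> map) {
        this.selfRegistrationEnabled = false;
    }

    /**
     * Tells whether the session may create a group.
     *
     * @param session the session whose user is being checked
     * @return {@code true} for an administrator, or when the session holds the management
     *         privileges on the groups path; {@code false} otherwise or on repository failure
     */
    @Override // org.apache.sling.jackrabbit.usermanager.AuthorizablePrivilegesInfo
    public boolean canAddGroup(Session session) {
        try {
            User current = resolveSessionUser(session);
            if (current != null && current.isAdmin()) {
                return true;
            }
            return hasManagementPrivileges(session, this.groupsPath);
        } catch (RepositoryException e) {
            this.log.warn("Failed to determine if {} can add a new group", session.getUserID(), e);
            return false;
        }
    }

    /**
     * Tells whether the session may create a user.
     *
     * @param session the session whose user is being checked
     * @return {@code true} when self registration is enabled, for an administrator, or when the
     *         session holds the management privileges on the users path; {@code false} otherwise
     *         or on repository failure
     */
    @Override // org.apache.sling.jackrabbit.usermanager.AuthorizablePrivilegesInfo
    public boolean canAddUser(Session session) {
        try {
            // NOTE(review): with self registration on, this is true for every session, whoever
            // the caller is. Confirm the user-creation path applies its own limits (rate,
            // allowed properties, group membership) rather than relying on this answer.
            if (this.selfRegistrationEnabled) {
                return true;
            }
            User current = resolveSessionUser(session);
            if (current != null && current.isAdmin()) {
                return true;
            }
            return hasManagementPrivileges(session, this.usersPath);
        } catch (RepositoryException e) {
            this.log.warn("Failed to determine if {} can add a new user", session.getUserID(), e);
            return false;
        }
    }

    /**
     * Tells whether the session may remove the given authorizable.
     *
     * @param session the session whose user is being checked
     * @param str id of the authorizable to remove (used for logging only)
     * @return {@code true} for an administrator, or when the session holds the management
     *         privileges on the users path; {@code false} otherwise or on repository failure
     */
    @Override // org.apache.sling.jackrabbit.usermanager.AuthorizablePrivilegesInfo
    public boolean canRemove(Session session, String str) {
        try {
            // Null-safe like canAddGroup/canAddUser: an unresolvable session user used to raise
            // a NullPointerException that the RepositoryException handler did not catch.
            User current = resolveSessionUser(session);
            if (current != null && current.isAdmin()) {
                return true;
            }
            // Check the configured users path. The previous hard-coded "/home/users" tested the
            // wrong node whenever the repository stores users elsewhere.
            // NOTE(review): the target id is not looked up, so removing a group is also judged
            // against the users path - confirm whether groupsPath should apply for groups.
            return hasManagementPrivileges(session, this.usersPath);
        } catch (RepositoryException e) {
            this.log.warn("Failed to determine if {} can remove authorizable {}", session.getUserID(), str, e);
            return false;
        }
    }

    /**
     * Tells whether the session may change the members of the given group.
     *
     * @param session the session whose user is being checked
     * @param str id of the group (used for logging only)
     * @return {@code true} for an administrator, or when the session holds the management
     *         privileges on the groups path; {@code false} otherwise or on repository failure
     */
    @Override // org.apache.sling.jackrabbit.usermanager.AuthorizablePrivilegesInfo
    public boolean canUpdateGroupMembers(Session session, String str) {
        try {
            User current = resolveSessionUser(session);
            if (current != null && current.isAdmin()) {
                return true;
            }
            return hasManagementPrivileges(session, this.groupsPath);
        } catch (RepositoryException e) {
            // The message previously said "remove authorizable", which misattributed the failure.
            this.log.warn("Failed to determine if {} can update the members of group {}", session.getUserID(), str, e);
            return false;
        }
    }

    /**
     * Tells whether the session may change the properties of the given authorizable.
     *
     * @param session the session whose user is being checked
     * @param str id of the authorizable whose properties would be changed
     * @return {@code true} when the session user is that authorizable, for an administrator, or
     *         when the session holds the management privileges on the selected path;
     *         {@code false} otherwise or on repository failure
     */
    @Override // org.apache.sling.jackrabbit.usermanager.AuthorizablePrivilegesInfo
    public boolean canUpdateProperties(Session session, String str) {
        try {
            // A user may always edit their own properties. Compared from the str side so a
            // session without a user id yields "no match" instead of a NullPointerException.
            if (str != null && str.equals(session.getUserID())) {
                return true;
            }
            User current = resolveSessionUser(session);
            if (current != null && current.isAdmin()) {
                return true;
            }
            // NOTE(review): the path is chosen from the *caller's* type, not the target's, so in
            // practice this is the users path even when str names a group. Confirm whether the
            // target authorizable should decide instead.
            String basePath = (current != null && current.isGroup()) ? this.groupsPath : this.usersPath;
            return hasManagementPrivileges(session, basePath);
        } catch (RepositoryException e) {
            // The message previously said "remove authorizable", which misattributed the failure.
            this.log.warn("Failed to determine if {} can update the properties of authorizable {}", session.getUserID(), str, e);
            return false;
        }
    }

    /**
     * Warns when the deprecated admin-group-name settings carry a non-default value.
     *
     * @param bundleContext unused
     * @param map the component configuration
     */
    @Activate
    protected void activate(BundleContext bundleContext, Map<String, Object> map) throws InvalidKeyException, NoSuchAlgorithmException, IllegalStateException, UnsupportedEncodingException {
        String userAdminGroup = OsgiUtil.toString(map.get(PAR_USER_ADMIN_GROUP_NAME), (String) null);
        if (userAdminGroup != null && !DEFAULT_USER_ADMIN_GROUP_NAME.equals(userAdminGroup)) {
            this.log.warn("Configuration setting for {} is deprecated and will not have any effect", PAR_USER_ADMIN_GROUP_NAME);
        }
        // Compare the group setting with its own default. It used to be compared with the
        // user-admin value, which made the warning fire for the default configuration too.
        String groupAdminGroup = OsgiUtil.toString(map.get(PAR_GROUP_ADMIN_GROUP_NAME), (String) null);
        if (groupAdminGroup != null && !DEFAULT_GROUP_ADMIN_GROUP_NAME.equals(groupAdminGroup)) {
            this.log.warn("Configuration setting for {} is deprecated and will not have any effect", PAR_GROUP_ADMIN_GROUP_NAME);
        }
    }

    /** Resolves the session's user id to a {@link User}, or {@code null} when it does not resolve to one. */
    private static User resolveSessionUser(Session session) throws RepositoryException {
        Object resolved = AccessControlUtil.getUserManager(session).getAuthorizable(session.getUserID());
        return resolved instanceof User ? (User) resolved : null;
    }

    /**
     * Checks that the session holds read, readAccessControl, modifyAccessControl, rep:write and
     * rep:userManagement on the given path; a {@code null} path (nothing configured) denies.
     */
    private static boolean hasManagementPrivileges(Session session, String absPath) throws RepositoryException {
        if (absPath == null) {
            return false;
        }
        AccessControlManager acm = session.getAccessControlManager();
        Privilege[] required = {
            acm.privilegeFromName("{http://www.jcp.org/jcr/1.0}read"),
            acm.privilegeFromName("{http://www.jcp.org/jcr/1.0}readAccessControl"),
            acm.privilegeFromName("{http://www.jcp.org/jcr/1.0}modifyAccessControl"),
            acm.privilegeFromName("rep:write"),
            acm.privilegeFromName("rep:userManagement")
        };
        return acm.hasPrivileges(absPath, required);
    }
}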
