package org.apache.jackrabbit.oak.security.user;

import com.google.common.base.Preconditions;
import com.google.common.collect.Iterables;
import com.google.common.collect.Maps;
import com.google.common.collect.Sets;
import java.security.Principal;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.nodetype.ConstraintViolationException;
import javax.jcr.nodetype.PropertyDefinition;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.principal.PrincipalIterator;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.AuthorizableExistsException;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.Impersonation;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.plugins.identifier.IdentifierManager;
import org.apache.jackrabbit.oak.plugins.memory.PropertyStates;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
import org.apache.jackrabbit.oak.spi.security.user.UserConstants;
import org.apache.jackrabbit.oak.spi.security.user.util.UserUtil;
import org.apache.jackrabbit.oak.spi.xml.NodeInfo;
import org.apache.jackrabbit.oak.spi.xml.PropInfo;
import org.apache.jackrabbit.oak.spi.xml.ProtectedNodeImporter;
import org.apache.jackrabbit.oak.spi.xml.ProtectedPropertyImporter;
import org.apache.jackrabbit.oak.spi.xml.ReferenceChangeTracker;
import org.apache.jackrabbit.oak.spi.xml.TextValue;
import org.apache.jackrabbit.oak.util.TreeUtil;
import org.apache.sling.hc.util.HealthCheckFilter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:resources/install/15/oak-core-1.6.8.jar:org/apache/jackrabbit/oak/security/user/UserImporter.class */
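/**
 * Protected-item importer for user-management content: authorizable ids, principal
 * names, passwords, the {@code rep:pwd} node, the disabled flag, impersonators and
 * group membership.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The import source is effectively privileged input. It can set password values,
 *       grant impersonation and change group membership through the code paths below,
 *       so the ability to run an import needs to be restricted accordingly.</li>
 *   <li>When {@code importBehavior == 2} (logged below as ImportBehavior.BESTEFFORT),
 *       impersonator names and member references that do not resolve to an existing
 *       principal or authorizable are still persisted. NOTE(review): such dangling
 *       entries presumably become effective once a matching principal/authorizable is
 *       created later - confirm, and review who may import with this behaviour.</li>
 *   <li>The imported password value is kept in {@link #currentPw} between
 *       {@link #handlePropInfo} and {@link #propertiesCompleted}; it is never logged
 *       here.</li>
 * </ul>
 *
 * <p>This listing is decompiler output (see the JADX header above the class), so
 * parameter names such as {@code z}, {@code i} and {@code str} are generated, and some
 * members are wider in visibility than originally declared.
 */
public class UserImporter implements ProtectedPropertyImporter, ProtectedNodeImporter, UserConstants {
    private static final Logger log = LoggerFactory.getLogger(UserImporter.class);

    // Resolved once from the configuration. Compared against 1, 2 and 3 in this class;
    // 2 is ImportBehavior.BESTEFFORT according to the log messages below.
    private final int importBehavior;
    private JackrabbitSession session;
    private Root root;
    private NamePathMapper namePathMapper;
    private ReferenceChangeTracker referenceTracker;
    private UserManagerImpl userManager;
    private IdentifierManager identifierManager;
    // Membership collected by the ProtectedNodeImporter callbacks between start() and end().
    private Membership currentMembership;
    // Password seen for the authorizable currently being imported; cleared in propertiesCompleted().
    private String currentPw;
    private boolean initialized = false;
    // Pending group memberships keyed by the group's path.
    private final Map<String, Membership> memberships = new HashMap<>();
    // Principals of the authorizables imported so far, keyed by the imported principal name.
    private final Map<String, Principal> principals = new HashMap<>();

    /**
     * Deferred update of a user's impersonators, queued on the reference tracker and
     * executed from {@link UserImporter#processReferences()}.
     */
    private final class Impersonators {
        private final String userId;
        private final Set<String> principalNames = new HashSet<>();

        private Impersonators(String str, List<? extends TextValue> list) {
            this.userId = str;
            for (TextValue value : list) {
                this.principalNames.add(value.getString());
            }
        }

        /**
         * Makes the user's impersonators match the imported list: principals that are
         * no longer listed are revoked, newly listed ones are granted.
         *
         * <p>Visibility widened by the decompiler (originally private).
         *
         * @throws RepositoryException if {@code userId} does not resolve to a user, or if
         *         a failure is escalated by {@link UserImporter#handleFailure(String)}
         */
        public void process() throws RepositoryException {
            Authorizable authorizable = userManager.getAuthorizable(this.userId);
            if (authorizable == null || authorizable.isGroup()) {
                throw new RepositoryException(this.userId + " does not represent a valid user.");
            }
            Impersonation impersonation = Preconditions.checkNotNull(((User) authorizable).getImpersonation());

            // Start from the current impersonators; whatever is not matched by the
            // imported names is left in this map and revoked below.
            Map<String, Principal> toRevoke = new HashMap<>();
            PrincipalIterator existing = impersonation.getImpersonators();
            while (existing.hasNext()) {
                Principal principal = existing.nextPrincipal();
                toRevoke.put(principal.getName(), principal);
            }

            List<String> toGrant = new ArrayList<>();
            for (String name : this.principalNames) {
                if (toRevoke.remove(name) == null) {
                    toGrant.add(name);
                }
            }

            for (Principal principal : toRevoke.values()) {
                if (!impersonation.revokeImpersonation(principal)) {
                    handleFailure("Failed to revoke impersonation for " + principal.getName() + " on " + authorizable);
                }
            }

            List<String> nonExisting = new ArrayList<>();
            for (String name : toGrant) {
                // Prefer the principal of an authorizable imported in this run.
                Principal principal = principals.containsKey(name) ? principals.get(name) : new PrincipalImpl(name);
                if (!impersonation.grantImpersonation(principal)) {
                    handleFailure("Failed to grant impersonation for " + name + " on " + authorizable);
                    if (importBehavior == 2 && getPrincipalManager().getPrincipal(name) == null) {
                        log.debug("ImportBehavior.BESTEFFORT: Remember non-existing impersonator for special processing.");
                        nonExisting.add(name);
                    }
                }
            }
            if (nonExisting.isEmpty()) {
                return;
            }

            // Security note: this writes rep:impersonators directly on the tree, i.e. the
            // names are stored although grantImpersonation() rejected them and no such
            // principal exists. Only reached when importBehavior == 2.
            Tree tree = Preconditions.checkNotNull(root.getTree(authorizable.getPath()));
            PropertyState property = tree.getProperty(UserConstants.REP_IMPERSONATORS);
            if (property != null) {
                for (String name : property.getValue(Type.STRINGS)) {
                    nonExisting.add(name);
                }
            }
            tree.setProperty(UserConstants.REP_IMPERSONATORS, nonExisting, Type.STRINGS);
        }
    }

    /**
     * Deferred update of a group's declared members, collected while importing and
     * executed from {@link UserImporter#processReferences()}.
     *
     * <p>Visibility widened by the decompiler (originally private).
     */
    public final class Membership {
        private final String authorizablePath;
        // Sorted set of the imported member references (node identifiers).
        private final Set<String> members = new TreeSet<>();

        Membership(String str) {
            this.authorizablePath = str;
        }

        void addMember(String str) {
            this.members.add(str);
        }

        void addMembers(List<? extends TextValue> list) {
            for (TextValue value : list) {
                addMember(value.getString());
            }
        }

        /**
         * Makes the group's declared members match the imported references: members
         * that are no longer referenced are removed, newly referenced ones are added.
         *
         * @throws RepositoryException if {@code authorizablePath} does not resolve to a
         *         group, or if a failure is escalated by
         *         {@link UserImporter#handleFailure(String)}
         */
        void process() throws RepositoryException {
            Authorizable authorizableByPath = userManager.getAuthorizableByPath(this.authorizablePath);
            if (authorizableByPath == null || !authorizableByPath.isGroup()) {
                throw new RepositoryException(this.authorizablePath + " does not represent a valid group.");
            }
            Group group = (Group) authorizableByPath;

            // Start from the declared members; whatever is not matched by an imported
            // reference is left in this map and removed below.
            Map<String, Authorizable> toRemove = new HashMap<>();
            Iterator<Authorizable> declaredMembers = group.getDeclaredMembers();
            while (declaredMembers.hasNext()) {
                Authorizable declared = declaredMembers.next();
                toRemove.put(declared.getID(), declared);
            }

            Map<String, Authorizable> toAdd = Maps.newHashMapWithExpectedSize(this.members.size());
            Map<String, String> nonExisting = Maps.newHashMap();
            for (String contentId : this.members) {
                // The referenced node may have been assigned a new identifier during import.
                String remapped = referenceTracker.get(contentId);
                String memberContentId = remapped == null ? contentId : remapped;

                Authorizable member = null;
                try {
                    member = userManager.getAuthorizable(getIdentifierManager().getTree(memberContentId));
                } catch (RepositoryException e) {
                    // Deliberately best-effort: an unresolvable reference is reported through
                    // handleFailure() below. Keep the cause visible for troubleshooting.
                    log.debug("Failed to resolve member reference " + memberContentId, e);
                }

                if (member == null) {
                    handleFailure("New member of " + group + ": No such authorizable (NodeID = " + memberContentId + ')');
                    if (importBehavior == 2) {
                        log.debug("ImportBehavior.BESTEFFORT: Remember non-existing member for processing.");
                        // NOTE(review): HealthCheckFilter.OMIT_PREFIX belongs to an unrelated
                        // Sling health-check API. It looks like the decompiler substituted a
                        // named constant for an inlined string literal used as placeholder
                        // member id - confirm and replace with a local constant.
                        nonExisting.put(contentId, HealthCheckFilter.OMIT_PREFIX);
                    }
                } else if (toRemove.remove(member.getID()) == null) {
                    toAdd.put(member.getID(), member);
                }
            }

            if (!toRemove.isEmpty()) {
                Set<String> failed = group.removeMembers(toRemove.keySet().toArray(new String[0]));
                if (!failed.isEmpty()) {
                    handleFailure("Failed removing members " + Iterables.toString(failed) + " from " + group);
                }
            }
            if (!toAdd.isEmpty()) {
                Set<String> failed = group.addMembers(toAdd.keySet().toArray(new String[0]));
                if (!failed.isEmpty()) {
                    handleFailure("Failed add members " + Iterables.toString(failed) + " to " + group);
                }
            }
            if (nonExisting.isEmpty()) {
                return;
            }

            // Security note: references that did not resolve to any authorizable are
            // still added to rep:members through the membership provider. Only reached
            // when importBehavior == 2.
            log.debug("ImportBehavior.BESTEFFORT: Found {} entries of rep:members pointing to non-existing authorizables. Adding to rep:members.", nonExisting.size());
            Tree groupTree = root.getTree(group.getPath());
            MembershipProvider membershipProvider = userManager.getMembershipProvider();
            Set<String> addedContentIds = Sets.newHashSet(nonExisting.keySet());
            Set<String> failedContentIds = membershipProvider.addMembers(groupTree, nonExisting);
            addedContentIds.removeAll(failedContentIds);
            userManager.onGroupUpdate(group, false, true, addedContentIds, failedContentIds);
        }
    }

    /**
     * Creates an importer whose failure handling is taken from the configuration.
     *
     * <p>Visibility widened by the decompiler (originally package-private).
     *
     * @param configurationParameters configuration the import behavior is read from
     */
    public UserImporter(ConfigurationParameters configurationParameters) {
        this.importBehavior = UserUtil.getImportBehavior(configurationParameters);
    }

    /**
     * Binds this importer to a session and root. Must be called once, successfully,
     * before any other callback.
     *
     * @param z passed on to {@link #initUserManager}; when {@code false} the session's
     *          user manager must not be in autosave mode (presumably {@code true} marks
     *          a workspace import - confirm against the interface)
     * @param i UUID behavior; {@code 0} (ImportUUIDBehavior.IMPORT_UUID_CREATE_NEW
     *          according to the log message) is not supported
     * @return {@code true} if the importer is ready; {@code false} if it cannot handle
     *         this import
     * @throws IllegalStateException if the importer has already been initialized
     */
    @Override
    public boolean init(@Nonnull Session session, @Nonnull Root root, @Nonnull NamePathMapper namePathMapper, boolean z, int i, @Nonnull ReferenceChangeTracker referenceChangeTracker, @Nonnull SecurityProvider securityProvider) {
        if (!(session instanceof JackrabbitSession)) {
            log.debug("Importing protected user content requires a JackrabbitSession");
            return false;
        }
        // Reject a second init before touching any field, so that an initialized
        // importer is not left pointing at a different session/root.
        if (this.initialized) {
            throw new IllegalStateException("Already initialized");
        }
        this.session = (JackrabbitSession) session;
        this.root = root;
        this.namePathMapper = namePathMapper;
        this.referenceTracker = referenceChangeTracker;
        if (i == 0) {
            log.debug("ImportUUIDBehavior.IMPORT_UUID_CREATE_NEW isn't supported when importing users or groups.");
            return false;
        }
        // initUserManager() assigns this.userManager from the fields set above.
        if (!initUserManager(z, securityProvider)) {
            return false;
        }
        this.initialized = true;
        return true;
    }

    /**
     * Creates the user manager used for the import, after checking (when {@code z} is
     * {@code false}) that the session's own user manager is not in autosave mode.
     *
     * @return {@code false} if autosave is on or the check itself failed
     */
    private boolean initUserManager(boolean z, SecurityProvider securityProvider) {
        if (!z) {
            try {
                if (this.session.getUserManager().isAutoSave()) {
                    log.warn("Session import cannot handle user content: UserManager is in autosave mode.");
                    return false;
                }
            } catch (RepositoryException e) {
                log.error("Failed to initialize UserImporter: ", e);
                return false;
            }
        }
        this.userManager = new UserManagerImpl(this.root, this.namePathMapper, securityProvider);
        return true;
    }

    /**
     * Handles one protected property of an authorizable node or of its {@code rep:pwd}
     * child node.
     *
     * @return {@code true} if the property was consumed by this importer
     * @throws RepositoryException on invalid or conflicting {@code rep:authorizableId},
     *         or if a delegate call fails
     * @throws IllegalStateException if the importer is not initialized
     */
    @Override
    public boolean handlePropInfo(@Nonnull Tree tree, @Nonnull PropInfo propInfo, @Nonnull PropertyDefinition propertyDefinition) throws RepositoryException {
        checkInitialized();
        String name = propInfo.getName();
        if (isPwdNode(tree)) {
            return importPwdNodeProperty(tree, propInfo, propertyDefinition);
        }
        Authorizable authorizable = this.userManager.getAuthorizable(tree);
        if (authorizable == null) {
            log.debug("Cannot handle protected PropInfo {}. Node {} doesn't represent an Authorizable.", propInfo, tree);
            return false;
        }

        if (UserConstants.REP_AUTHORIZABLE_ID.equals(name)) {
            if (!isValid(propertyDefinition, UserConstants.NT_REP_AUTHORIZABLE, false)) {
                return false;
            }
            String id = propInfo.getTextValue().getString();
            Authorizable existing = this.userManager.getAuthorizable(id);
            if (existing == null) {
                String msg = "Cannot handle protected PropInfo " + propInfo + ". Invalid rep:authorizableId.";
                log.warn(msg);
                throw new ConstraintViolationException(msg);
            }
            // The id must resolve to the very node being imported; otherwise it would
            // collide with another authorizable.
            if (!authorizable.getPath().equals(existing.getPath())) {
                throw new AuthorizableExistsException(id);
            }
            tree.setProperty(UserConstants.REP_AUTHORIZABLE_ID, id);
            // NOTE(review): returns false although the property was written above;
            // kept as in the original - confirm what the caller does with it.
            return false;
        }

        if ("rep:principalName".equals(name)) {
            if (!isValid(propertyDefinition, UserConstants.NT_REP_AUTHORIZABLE, false)) {
                return false;
            }
            String principalName = propInfo.getTextValue().getString();
            PrincipalImpl principal = new PrincipalImpl(principalName);
            this.userManager.checkValidPrincipal(principal, authorizable.isGroup());
            this.userManager.setPrincipal(tree, principal);
            // Remembered so that impersonators imported later can be resolved by name.
            this.principals.put(principalName, authorizable.getPrincipal());
            return true;
        }

        if (UserConstants.REP_PASSWORD.equals(name)) {
            if (authorizable.isGroup() || !isValid(propertyDefinition, UserConstants.NT_REP_USER, false)) {
                log.warn("Unexpected authorizable or definition for property rep:password");
                return false;
            }
            if (((User) authorizable).isSystemUser()) {
                log.warn("System users may not have a password set.");
                return false;
            }
            String password = propInfo.getTextValue().getString();
            // NOTE(review): the meaning of the trailing 'false' is not visible here;
            // presumably it controls whether the imported value is hashed again -
            // confirm how plain-text and pre-hashed values are treated.
            this.userManager.setPassword(tree, authorizable.getID(), password, false);
            this.currentPw = password;
            return true;
        }

        if (UserConstants.REP_IMPERSONATORS.equals(name)) {
            if (authorizable.isGroup() || !isValid(propertyDefinition, UserConstants.MIX_REP_IMPERSONATABLE, true)) {
                log.warn("Unexpected authorizable or definition for property rep:impersonators");
                return false;
            }
            // Deferred: the impersonating principals may not have been imported yet.
            this.referenceTracker.processedReference(new Impersonators(authorizable.getID(), propInfo.getTextValues()));
            return true;
        }

        if (UserConstants.REP_DISABLED.equals(name)) {
            if (authorizable.isGroup() || !isValid(propertyDefinition, UserConstants.NT_REP_USER, false)) {
                log.warn("Unexpected authorizable or definition for property rep:disabled");
                return false;
            }
            ((User) authorizable).disable(propInfo.getTextValue().getString());
            return true;
        }

        if (!UserConstants.REP_MEMBERS.equals(name) || !authorizable.isGroup() || !isValid(propertyDefinition, UserConstants.NT_REP_MEMBER_REFERENCES, true)) {
            return false;
        }
        getMembership(authorizable.getPath()).addMembers(propInfo.getTextValues());
        return true;
    }

    /**
     * Finishes an imported node: removes an imported cache node, makes sure an
     * authorizable has its {@code rep:authorizableId}, and notifies the user manager
     * about newly created authorizables.
     */
    @Override
    public void propertiesCompleted(@Nonnull Tree tree) throws RepositoryException {
        if (isCacheNode(tree)) {
            // An imported cache node is dropped rather than kept.
            tree.remove();
            return;
        }
        Authorizable authorizable = this.userManager.getAuthorizable(tree);
        if (authorizable == null) {
            return;
        }
        try {
            if (!tree.hasProperty(UserConstants.REP_AUTHORIZABLE_ID)) {
                tree.setProperty(UserConstants.REP_AUTHORIZABLE_ID, authorizable.getID(), Type.STRING);
            }
            if (tree.getStatus() == Tree.Status.NEW) {
                if (authorizable.isGroup()) {
                    this.userManager.onCreate((Group) authorizable);
                } else {
                    this.userManager.onCreate((User) authorizable, this.currentPw);
                }
            }
        } finally {
            // Drop the password even if a call above throws, so it can neither linger
            // in this importer nor be handed to the next authorizable.
            this.currentPw = null;
        }
    }

    /**
     * Executes all deferred membership and impersonator updates and removes them from
     * the reference tracker.
     *
     * @throws IllegalStateException if the importer is not initialized
     */
    @Override
    public void processReferences() throws RepositoryException {
        checkInitialized();
        for (Membership membership : this.memberships.values()) {
            this.referenceTracker.processedReference(membership);
        }
        this.memberships.clear();

        List<Object> processed = new ArrayList<>();
        Iterator<Object> references = this.referenceTracker.getProcessedReferences();
        while (references.hasNext()) {
            Object reference = references.next();
            if (reference instanceof Membership) {
                ((Membership) reference).process();
                processed.add(reference);
            } else if (reference instanceof Impersonators) {
                ((Impersonators) reference).process();
                processed.add(reference);
            }
        }
        this.referenceTracker.removeReferences(processed);
    }

    /**
     * Starts the import of a protected membership node and selects the membership of
     * the owning authorizable as {@link #currentMembership}.
     *
     * @return {@code true} if {@code tree} is a membership node below an authorizable
     */
    @Override
    public boolean start(@Nonnull Tree tree) throws RepositoryException {
        Tree authorizableTree;
        if (isMemberNode(tree)) {
            // rep:Members nodes can be nested: walk up to the first ancestor of another type.
            Tree ancestor = tree;
            while (isMemberNode(ancestor) && !ancestor.isRoot()) {
                ancestor = ancestor.getParent();
            }
            authorizableTree = ancestor;
        } else if (isMemberReferencesListNode(tree)) {
            authorizableTree = tree.getParent();
        } else {
            return false;
        }

        Authorizable authorizable = this.userManager.getAuthorizable(authorizableTree);
        if (authorizable == null) {
            log.debug("Cannot handle protected node {}. It nor one of its parents represent a valid Authorizable.", tree);
            return false;
        }
        this.currentMembership = getMembership(authorizable.getPath());
        return true;
    }

    /**
     * Collects the member references of a child node of the membership node accepted
     * by {@link #start(Tree)}.
     *
     * @throws NullPointerException if no membership is currently selected
     */
    @Override
    public void startChildInfo(@Nonnull NodeInfo nodeInfo, @Nonnull List<PropInfo> list) throws RepositoryException {
        Preconditions.checkNotNull(this.currentMembership);
        String primaryTypeName = nodeInfo.getPrimaryTypeName();
        if (UserConstants.NT_REP_MEMBERS.equals(primaryTypeName)) {
            // Every value of every property is taken as a member reference.
            for (PropInfo propInfo : list) {
                for (TextValue value : propInfo.getTextValues()) {
                    this.currentMembership.addMember(value.getString());
                }
            }
            return;
        }
        if (!UserConstants.NT_REP_MEMBER_REFERENCES.equals(primaryTypeName)) {
            log.warn("{} is not of type rep:Members or rep:MemberReferences", nodeInfo.getName());
            return;
        }
        // Only the rep:members property carries references here.
        for (PropInfo propInfo : list) {
            if (UserConstants.REP_MEMBERS.equals(propInfo.getName())) {
                this.currentMembership.addMembers(propInfo.getTextValues());
            }
        }
    }

    /** Nothing to do when a child node ends. */
    @Override
    public void endChildInfo() throws RepositoryException {
    }

    /** Ends the import of a membership node and deselects the current membership. */
    @Override
    public void end(@Nonnull Tree tree) throws RepositoryException {
        this.currentMembership = null;
    }

    /**
     * Returns the identifier manager for the current root, creating it on first use.
     *
     * <p>Visibility widened by the decompiler (originally private).
     */
    @Nonnull
    public IdentifierManager getIdentifierManager() {
        if (this.identifierManager == null) {
            this.identifierManager = new IdentifierManager(this.root);
        }
        return this.identifierManager;
    }

    /**
     * Returns the principal manager of the import's user manager.
     *
     * <p>Visibility widened by the decompiler (originally private).
     */
    @Nonnull
    public PrincipalManager getPrincipalManager() throws RepositoryException {
        return this.userManager.getPrincipalManager();
    }

    /** Returns the pending membership for the given group path, creating it if needed. */
    @Nonnull
    private Membership getMembership(@Nonnull String str) {
        Membership membership = this.memberships.get(str);
        if (membership == null) {
            membership = new Membership(str);
            this.memberships.put(str, membership);
        }
        return membership;
    }

    /** @throws IllegalStateException if {@link #init} has not completed successfully */
    private void checkInitialized() {
        if (!this.initialized) {
            throw new IllegalStateException("Not initialized");
        }
    }

    /**
     * Checks that a property definition has the expected multiplicity and is declared
     * by a node type that is of the given type.
     *
     * @param str Oak name of the expected declaring node type
     * @param z expected value of {@link PropertyDefinition#isMultiple()}
     */
    private boolean isValid(PropertyDefinition propertyDefinition, String str, boolean z) {
        if (z != propertyDefinition.isMultiple()) {
            return false;
        }
        return propertyDefinition.getDeclaringNodeType().isNodeType(this.namePathMapper.getJcrName(str));
    }

    private static boolean isMemberNode(@Nullable Tree tree) {
        return tree != null && UserConstants.NT_REP_MEMBERS.equals(TreeUtil.getPrimaryTypeName(tree));
    }

    private static boolean isMemberReferencesListNode(@Nullable Tree tree) {
        return tree != null && UserConstants.NT_REP_MEMBER_REFERENCES_LIST.equals(TreeUtil.getPrimaryTypeName(tree));
    }

    private static boolean isPwdNode(@Nonnull Tree tree) {
        return UserConstants.REP_PWD.equals(tree.getName()) && UserConstants.NT_REP_PASSWORD.equals(TreeUtil.getPrimaryTypeName(tree));
    }

    /**
     * Writes one property of the {@code rep:pwd} node as provided by the import.
     *
     * <p>Security note: apart from resolving the name and the target type, the value is
     * stored as-is, so the import source controls password metadata such as
     * {@code rep:passwordLastModified}.
     *
     * @return {@code false} if no concrete property name can be determined
     */
    private static boolean importPwdNodeProperty(@Nonnull Tree tree, @Nonnull PropInfo propInfo, @Nonnull PropertyDefinition propertyDefinition) throws RepositoryException {
        String name = propInfo.getName();
        if (name == null) {
            name = propertyDefinition.getName();
            if (name == null || "*".equals(name)) {
                // A residual definition does not provide a usable name.
                return false;
            }
        }
        int requiredType = propertyDefinition.getRequiredType();
        if (requiredType == 0) {
            // javax.jcr.PropertyType: 0 = UNDEFINED, 3 = LONG, 1 = STRING.
            requiredType = UserConstants.REP_PASSWORD_LAST_MODIFIED.equals(name) ? 3 : 1;
        }
        PropertyState property;
        if (propertyDefinition.isMultiple()) {
            property = PropertyStates.createProperty(name, (Iterable<Value>) propInfo.getValues(requiredType));
        } else {
            property = PropertyStates.createProperty(name, propInfo.getValue(requiredType));
        }
        tree.setProperty(property);
        return true;
    }

    private static boolean isCacheNode(@Nonnull Tree tree) {
        return tree.exists() && CacheConstants.REP_CACHE.equals(tree.getName()) && CacheConstants.NT_REP_CACHE.equals(TreeUtil.getPrimaryTypeName(tree));
    }

    /**
     * Reports a failed revoke/grant/add/remove according to the import behavior:
     * {@code 1} and {@code 2} log a warning and continue, {@code 3} aborts by throwing,
     * any other value is ignored silently. ({@code 2} is BESTEFFORT per the log
     * messages in this class; {@code 1} and {@code 3} are presumably IGNORE and ABORT -
     * confirm.)
     *
     * <p>The message can contain principal names and node ids taken from the imported
     * content.
     *
     * <p>Visibility widened by the decompiler (originally private).
     *
     * @throws ConstraintViolationException if the import behavior is {@code 3}
     */
    public void handleFailure(String str) throws ConstraintViolationException {
        switch (this.importBehavior) {
            case 1:
            case 2:
                log.warn(str);
                return;
            case 3:
                throw new ConstraintViolationException(str);
            default:
                return;
        }
    }
}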
