package org.apache.sling.jackrabbit.usermanager.impl;

import java.util.HashSet;
import java.util.Map;
import java.util.Objects;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.oak.spi.security.user.UserConfiguration;
import org.apache.sling.commons.osgi.OsgiUtil;
import org.apache.sling.jackrabbit.usermanager.AuthorizablePrivilegesInfo;
import org.apache.sling.jackrabbit.usermanager.ChangeUserPassword;
import org.apache.sling.jackrabbit.usermanager.CreateUser;
import org.jetbrains.annotations.NotNull;
import org.osgi.framework.BundleContext;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
import org.osgi.service.component.annotations.ReferencePolicy;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

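/**
 * Reports whether a JCR session is allowed to perform user-management operations
 * (create, remove, update, disable, change password) on users and groups.
 *
 * <p>Every public {@code can*} method only computes a boolean; nothing in this class enforces
 * the answer. All of them fail closed: a {@link RepositoryException} during the check is
 * logged and reported as {@code false}.
 *
 * <p>NOTE(review): the configuration fields below are written by DYNAMIC bind/unbind callbacks
 * and read by the {@code can*} methods without synchronization or {@code volatile}. Whether
 * that matters depends on the threads the container uses; confirm before relying on an
 * unbind taking effect immediately.
 */
@Component(service = {AuthorizablePrivilegesInfo.class}, property = {"user.admin.group.name=UserAdmin", "group.admin.group.name=GroupAdmin"})
/* loaded from: input_file:org/apache/sling/jackrabbit/usermanager/impl/AuthorizablePrivilegesInfoImpl.class */
public class AuthorizablePrivilegesInfoImpl implements AuthorizablePrivilegesInfo {
    static final String DEFAULT_USER_ADMIN_GROUP_NAME = "UserAdmin";
    static final String PAR_USER_ADMIN_GROUP_NAME = "user.admin.group.name";
    static final String DEFAULT_GROUP_ADMIN_GROUP_NAME = "GroupAdmin";
    static final String PAR_GROUP_ADMIN_GROUP_NAME = "group.admin.group.name";

    // Privilege names exactly as passed to AccessControlManager#privilegeFromName.
    private static final String PRIVILEGE_JCR_READ = "{http://www.jcp.org/jcr/1.0}read";
    private static final String PRIVILEGE_JCR_READ_ACCESS_CONTROL = "{http://www.jcp.org/jcr/1.0}readAccessControl";
    private static final String PRIVILEGE_JCR_MODIFY_ACCESS_CONTROL = "{http://www.jcp.org/jcr/1.0}modifyAccessControl";
    private static final String PRIVILEGE_JCR_ADD_CHILD_NODES = "{http://www.jcp.org/jcr/1.0}addChildNodes";
    private static final String PRIVILEGE_REP_WRITE = "rep:write";
    private static final String PRIVILEGE_REP_USER_MANAGEMENT = "rep:userManagement";
    private static final String PRIVILEGE_REP_ADD_PROPERTIES = "rep:addProperties";
    private static final String PRIVILEGE_REP_ALTER_PROPERTIES = "rep:alterProperties";
    private static final String PRIVILEGE_REP_REMOVE_PROPERTIES = "rep:removeProperties";

    // NOTE(review): hard-coded ID; a repository configured with a different anonymous user ID
    // would not be matched by the password-change exclusions below - confirm against deployment.
    private static final String ANONYMOUS_ID = "anonymous";

    // Root paths for users/groups, taken from the bound UserConfiguration; null while unbound.
    private String usersPath;
    private String groupsPath;
    // True only while a CreateUser service advertising self.registration.enabled=TRUE is bound.
    private boolean selfRegistrationEnabled;
    // Group whose members may reset other users' passwords; set from the ChangeUserPassword binding.
    private String userAdminGroupName;
    private final Logger log = LoggerFactory.getLogger(getClass());
    // Whether a user lacking rep:userManagement on their own node may still change their own password.
    private boolean allowSelfChangePassword = false;

    /**
     * Decides whether the session has sufficient rights on the given repository path.
     */
    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:org/apache/sling/jackrabbit/usermanager/impl/AuthorizablePrivilegesInfoImpl$AccessChecker.class */
    public interface AccessChecker {
        boolean hasRights(String str) throws RepositoryException;
    }

    /**
     * Decides whether an authorizable is an acceptable target for the operation being checked.
     */
    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:org/apache/sling/jackrabbit/usermanager/impl/AuthorizablePrivilegesInfoImpl$AuthorizableChecker.class */
    public interface AuthorizableChecker {
        boolean isValid(Authorizable authorizable) throws RepositoryException;
    }

    /**
     * Picks up the self-service password policy and the user-admin group name from the
     * properties of the bound {@link ChangeUserPassword} service.
     *
     * @param changeUserPassword the bound service (unused; only its properties are read)
     * @param map the service properties
     */
    @Reference(cardinality = ReferenceCardinality.OPTIONAL, policy = ReferencePolicy.DYNAMIC)
    private void bindChangeUserPassword(ChangeUserPassword changeUserPassword, Map<String, Object> map) {
        if (map.containsKey("alwaysAllowSelfChangePassword")) {
            // The obsolete key wins when present, so an old configuration keeps its meaning.
            this.log.warn("Obsolete 'alwaysAllowSelfChangePassword' configuration key was detected for the bound ChangeUserPassword component. Please change that key in your configuration to 'allowSelfChangePassword'.");
            this.allowSelfChangePassword = OsgiUtil.toBoolean(map.get("alwaysAllowSelfChangePassword"), false);
        } else {
            this.allowSelfChangePassword = OsgiUtil.toBoolean(map.get("allowSelfChangePassword"), false);
        }
        this.userAdminGroupName = OsgiUtil.toString(map.get(PAR_USER_ADMIN_GROUP_NAME), DEFAULT_USER_ADMIN_GROUP_NAME);
    }

    /**
     * Withdraws the self-service password permission when the service goes away.
     *
     * <p>NOTE(review): {@code userAdminGroupName} is deliberately left as in the original code
     * and therefore keeps its last bound value; {@link #canChangePasswordWithoutOldPassword}
     * continues to honour that group after an unbind. Confirm this is intended.
     */
    private void unbindChangeUserPassword(ChangeUserPassword changeUserPassword, Map<String, Object> map) {
        this.allowSelfChangePassword = false;
    }

    /**
     * Records the user and group root paths advertised by the bound {@link UserConfiguration}.
     */
    @Reference(cardinality = ReferenceCardinality.OPTIONAL, policy = ReferencePolicy.DYNAMIC)
    private void bindUserConfiguration(UserConfiguration userConfiguration, Map<String, Object> map) {
        this.usersPath = (String) map.get("usersPath");
        this.groupsPath = (String) map.get("groupsPath");
    }

    /**
     * Clears both root paths; until rebound, only administrators pass the add-user/add-group checks
     * (self-registration aside).
     */
    private void unbindUserConfiguration(UserConfiguration userConfiguration, Map<String, Object> map) {
        this.usersPath = null;
        this.groupsPath = null;
    }

    /**
     * Enables the self-registration shortcut of {@link #canAddUser(Session)} only when the bound
     * {@link CreateUser} service carries {@code self.registration.enabled} as {@link Boolean#TRUE}.
     * Any other value, including the string {@code "true"}, leaves it disabled.
     */
    @Reference(cardinality = ReferenceCardinality.OPTIONAL, policy = ReferencePolicy.DYNAMIC)
    private void bindCreateUser(CreateUser createUser, Map<String, Object> map) {
        this.selfRegistrationEnabled = Boolean.TRUE.equals(map.get("self.registration.enabled"));
    }

    /** Turns the self-registration shortcut off again. */
    private void unbindCreateUser(CreateUser createUser, Map<String, Object> map) {
        this.selfRegistrationEnabled = false;
    }

    /**
     * Reports whether the session may create a group: the session user is an administrator, or
     * holds read, readAccessControl, modifyAccessControl, rep:write and rep:userManagement on
     * the configured groups root.
     *
     * @param session the session to check
     * @return {@code true} if allowed; {@code false} if not or if the check failed
     */
    @Override // org.apache.sling.jackrabbit.usermanager.AuthorizablePrivilegesInfo
    public boolean canAddGroup(Session session) {
        try {
            return isAdminOrCanCreateUnder(session, this.groupsPath);
        } catch (RepositoryException e) {
            this.log.warn("Failed to determine if {} can add a new group", session.getUserID(), e);
            return false;
        }
    }

    /**
     * Reports whether the session may create a user.
     *
     * <p>When self-registration is enabled this returns {@code true} for every session without
     * looking at the session at all. Otherwise the rule is the same as for
     * {@link #canAddGroup(Session)}, evaluated against the users root.
     *
     * @param session the session to check
     * @return {@code true} if allowed; {@code false} if not or if the check failed
     */
    @Override // org.apache.sling.jackrabbit.usermanager.AuthorizablePrivilegesInfo
    public boolean canAddUser(Session session) {
        if (this.selfRegistrationEnabled) {
            return true;
        }
        try {
            return isAdminOrCanCreateUnder(session, this.usersPath);
        } catch (RepositoryException e) {
            this.log.warn("Failed to determine if {} can add a new user", session.getUserID(), e);
            return false;
        }
    }

    /**
     * Shared skeleton of the per-authorizable checks.
     *
     * <p>The target must exist and pass {@code authorizableChecker} (when one is given). After
     * that an administrator session is always allowed; any other session is allowed only if
     * {@code accessChecker} is non-null and accepts the target's repository path.
     *
     * @param session the session to check
     * @param str the ID of the target authorizable
     * @param authorizableChecker optional filter on the target; {@code null} accepts any target
     * @param accessChecker rights check applied to non-administrators; {@code null} denies them
     * @return {@code true} if the operation is allowed
     * @throws RepositoryException if the repository lookup or one of the checkers fails
     */
    protected boolean checkAuthorizablePath(Session session, String str, AuthorizableChecker authorizableChecker, AccessChecker accessChecker) throws RepositoryException {
        UserManager userManager = ((JackrabbitSession) session).getUserManager();
        Authorizable current = userManager.getAuthorizable(session.getUserID());
        Authorizable target = userManager.getAuthorizable(str);
        if (target == null) {
            this.log.debug("Failed to find authorizable: {}", str);
            return false;
        }
        if (authorizableChecker != null && !authorizableChecker.isValid(target)) {
            return false;
        }
        if (isAdminUser(current)) {
            return true;
        }
        return accessChecker != null && accessChecker.hasRights(target.getPath());
    }

    /**
     * Reports whether the session may remove the authorizable: administrator, or read plus
     * rep:userManagement on the target's node.
     *
     * @param session the session to check
     * @param str the ID of the authorizable to remove
     * @return {@code true} if allowed; {@code false} if not or if the check failed
     */
    @Override // org.apache.sling.jackrabbit.usermanager.AuthorizablePrivilegesInfo
    public boolean canRemove(Session session, String str) {
        try {
            return checkAuthorizablePath(session, str, null,
                    path -> hasAllPrivileges(session, path, PRIVILEGE_JCR_READ, PRIVILEGE_REP_USER_MANAGEMENT));
        } catch (RepositoryException e) {
            this.log.warn("Failed to determine if {} can remove authorizable {}", session.getUserID(), str, e);
            return false;
        }
    }

    /**
     * Reports whether the session may change the members of a group: the target must be a
     * {@link Group}, and the session must be an administrator or hold read plus
     * rep:userManagement on the group's node.
     *
     * @param session the session to check
     * @param str the ID of the group
     * @return {@code true} if allowed; {@code false} if not or if the check failed
     */
    @Override // org.apache.sling.jackrabbit.usermanager.AuthorizablePrivilegesInfo
    public boolean canUpdateGroupMembers(Session session, String str) {
        try {
            // Group.class::isInstance replaces the decompiler's unresolved "r3.isInstance(v1)".
            return checkAuthorizablePath(session, str, Group.class::isInstance,
                    path -> hasAllPrivileges(session, path, PRIVILEGE_JCR_READ, PRIVILEGE_REP_USER_MANAGEMENT));
        } catch (RepositoryException e) {
            // The original message was copied from canRemove and named the wrong operation.
            this.log.warn("Failed to determine if {} can update the members of group {}", session.getUserID(), str, e);
            return false;
        }
    }

    /**
     * Reports whether the session may add, add nested, alter and remove properties of the
     * authorizable, i.e. all four update types at once.
     *
     * @param session the session to check
     * @param str the ID of the authorizable
     * @return {@code true} if allowed; {@code false} if not or if the check failed
     */
    @Override // org.apache.sling.jackrabbit.usermanager.AuthorizablePrivilegesInfo
    public boolean canUpdateProperties(Session session, String str) {
        return canUpdateProperties(session, str, AuthorizablePrivilegesInfo.PropertyUpdateTypes.ADD_PROPERTY, AuthorizablePrivilegesInfo.PropertyUpdateTypes.ADD_NESTED_PROPERTY, AuthorizablePrivilegesInfo.PropertyUpdateTypes.ALTER_PROPERTY, AuthorizablePrivilegesInfo.PropertyUpdateTypes.REMOVE_PROPERTY);
    }

    /**
     * Reports whether the session may perform the given kinds of property update on the
     * authorizable. Read is always required; each update type adds the matching privilege(s).
     * With a {@code null} or empty type list only read is required.
     *
     * @param session the session to check
     * @param str the ID of the authorizable
     * @param propertyUpdateTypesArr the update types to check; may be {@code null}
     * @return {@code true} if allowed; {@code false} if not or if the check failed
     */
    @Override // org.apache.sling.jackrabbit.usermanager.AuthorizablePrivilegesInfo
    public boolean canUpdateProperties(Session session, String str, AuthorizablePrivilegesInfo.PropertyUpdateTypes... propertyUpdateTypesArr) {
        try {
            return checkAuthorizablePath(session, str, null, path -> {
                AccessControlManager accessControlManager = session.getAccessControlManager();
                // A set, because several update types map to the same privilege.
                HashSet<Privilege> required = new HashSet<>();
                required.add(accessControlManager.privilegeFromName(PRIVILEGE_JCR_READ));
                if (propertyUpdateTypesArr != null) {
                    for (AuthorizablePrivilegesInfo.PropertyUpdateTypes requested : propertyUpdateTypesArr) {
                        AuthorizablePrivilegesInfo.PropertyUpdateTypes updateType = AuthorizablePrivilegesInfo.PropertyUpdateTypes.convertDeprecated(requested);
                        switch (updateType) {
                            case ADD_NESTED_PROPERTY:
                                required.add(accessControlManager.privilegeFromName(PRIVILEGE_REP_ADD_PROPERTIES));
                                required.add(accessControlManager.privilegeFromName(PRIVILEGE_JCR_ADD_CHILD_NODES));
                                break;
                            case ADD_PROPERTY:
                                required.add(accessControlManager.privilegeFromName(PRIVILEGE_REP_ADD_PROPERTIES));
                                break;
                            case ALTER_PROPERTY:
                                required.add(accessControlManager.privilegeFromName(PRIVILEGE_REP_ALTER_PROPERTIES));
                                break;
                            case REMOVE_PROPERTY:
                                required.add(accessControlManager.privilegeFromName(PRIVILEGE_REP_REMOVE_PROPERTIES));
                                break;
                            default:
                                // An unrecognised type adds no requirement; it is only logged.
                                this.log.warn("Unexpected property update type: {}", updateType);
                                break;
                        }
                    }
                }
                return accessControlManager.hasPrivileges(path, required.toArray(new Privilege[required.size()]));
            });
        } catch (RepositoryException e) {
            this.log.warn("Failed to determine if {} can update properties of authorizable {}", session.getUserID(), str, e);
            return false;
        }
    }

    /**
     * Reports whether the session may disable a user: the target must be a {@link User}, and
     * the session must be an administrator or hold read plus rep:userManagement on the user's node.
     *
     * @param session the session to check
     * @param str the ID of the user
     * @return {@code true} if allowed; {@code false} if not or if the check failed
     */
    @Override // org.apache.sling.jackrabbit.usermanager.AuthorizablePrivilegesInfo
    public boolean canDisable(Session session, String str) {
        try {
            // User.class::isInstance replaces the decompiler's unresolved "r3.isInstance(v1)".
            return checkAuthorizablePath(session, str, User.class::isInstance,
                    path -> hasAllPrivileges(session, path, PRIVILEGE_JCR_READ, PRIVILEGE_REP_USER_MANAGEMENT));
        } catch (RepositoryException e) {
            this.log.warn("Failed to determine if {} can disable user {}", session.getUserID(), str, e);
            return false;
        }
    }

    /**
     * Reports whether the session may change the password of a user.
     *
     * <p>System users and the anonymous user are never valid targets. For other users the
     * session must be an administrator or hold read plus rep:userManagement on the user's node;
     * failing that, a user may still change their own password when self-service is enabled.
     *
     * @param session the session to check
     * @param str the ID of the user whose password would change
     * @return {@code true} if allowed; {@code false} if not or if the check failed
     */
    @Override // org.apache.sling.jackrabbit.usermanager.AuthorizablePrivilegesInfo
    public boolean canChangePassword(Session session, String str) {
        try {
            return checkAuthorizablePath(session, str, AuthorizablePrivilegesInfoImpl::isRegularUser, path -> {
                if (hasAllPrivileges(session, path, PRIVILEGE_JCR_READ, PRIVILEGE_REP_USER_MANAGEMENT)) {
                    return true;
                }
                // Self-service fallback: applies only to the session's own account.
                return session.getUserID().equals(str) && this.allowSelfChangePassword;
            });
        } catch (RepositoryException e) {
            this.log.warn("Failed to determine if {} can change the password of user {}", session.getUserID(), str, e);
            return false;
        }
    }

    /**
     * Reports whether the session may set another user's password without supplying the old one.
     *
     * <p>Never allowed for the session's own account, for system users or for the anonymous
     * user. Otherwise the session user must be an administrator or a member of the configured
     * user-admin group.
     *
     * @param session the session to check
     * @param str the ID of the user whose password would be reset
     * @return {@code true} if allowed; {@code false} if not or if the check failed
     */
    @Override // org.apache.sling.jackrabbit.usermanager.AuthorizablePrivilegesInfo
    public boolean canChangePasswordWithoutOldPassword(@NotNull Session session, @NotNull String str) {
        try {
            if (session.getUserID().equals(str)) {
                // Changing one's own password always requires the old password.
                return false;
            }
            UserManager userManager = ((JackrabbitSession) session).getUserManager();
            Authorizable current = userManager.getAuthorizable(session.getUserID());
            if (!(current instanceof User)) {
                return false;
            }
            if (!isRegularUser(userManager.getAuthorizable(str))) {
                return false;
            }
            if (((User) current).isAdmin()) {
                return true;
            }
            if (this.userAdminGroupName != null) {
                Authorizable adminGroup = userManager.getAuthorizable(this.userAdminGroupName);
                if (adminGroup instanceof Group) {
                    return ((Group) adminGroup).isMember(current);
                }
            }
            return false;
        } catch (RepositoryException e) {
            // Log the session user: that is the account whose admin status was being checked.
            this.log.warn("Failed to determine if {} is a user admin", session.getUserID(), e);
            return false;
        }
    }

    /**
     * Warns when either deprecated group-name setting is configured with a non-default value.
     *
     * @param bundleContext the bundle context (unused)
     * @param map the component configuration
     */
    @Activate
    protected void activate(BundleContext bundleContext, Map<String, Object> map) {
        String configuredUserAdminGroup = OsgiUtil.toString(map.get(PAR_USER_ADMIN_GROUP_NAME), (String) null);
        if (configuredUserAdminGroup != null && !DEFAULT_USER_ADMIN_GROUP_NAME.equals(configuredUserAdminGroup)) {
            this.log.warn("Configuration setting for {} is deprecated and will not have any effect", PAR_USER_ADMIN_GROUP_NAME);
        }
        // Compare the group-admin value with its own default. The original compared the
        // user-admin value here, so the warning fired even for an untouched default configuration.
        String configuredGroupAdminGroup = OsgiUtil.toString(map.get(PAR_GROUP_ADMIN_GROUP_NAME), (String) null);
        if (configuredGroupAdminGroup != null && !DEFAULT_GROUP_ADMIN_GROUP_NAME.equals(configuredGroupAdminGroup)) {
            this.log.warn("Configuration setting for {} is deprecated and will not have any effect", PAR_GROUP_ADMIN_GROUP_NAME);
        }
    }

    /** Returns true when the authorizable is a {@link User} flagged as administrator. */
    private static boolean isAdminUser(Authorizable authorizable) {
        return (authorizable instanceof User) && ((User) authorizable).isAdmin();
    }

    /** Returns true for a {@link User} that is neither a system user nor the anonymous user. */
    private static boolean isRegularUser(Authorizable authorizable) throws RepositoryException {
        return (authorizable instanceof User)
                && !((User) authorizable).isSystemUser()
                && !ANONYMOUS_ID.equals(authorizable.getID());
    }

    /** Returns true when the session holds every named privilege on the given absolute path. */
    private static boolean hasAllPrivileges(Session session, String absPath, String... privilegeNames) throws RepositoryException {
        AccessControlManager accessControlManager = session.getAccessControlManager();
        Privilege[] privileges = new Privilege[privilegeNames.length];
        for (int i = 0; i < privilegeNames.length; i++) {
            privileges[i] = accessControlManager.privilegeFromName(privilegeNames[i]);
        }
        return accessControlManager.hasPrivileges(absPath, privileges);
    }

    /**
     * Returns true when the session user is an administrator, or when {@code rootPath} is known
     * and the session holds the full set of privileges needed to create authorizables beneath it.
     */
    private static boolean isAdminOrCanCreateUnder(Session session, String rootPath) throws RepositoryException {
        Authorizable current = ((JackrabbitSession) session).getUserManager().getAuthorizable(session.getUserID());
        if (isAdminUser(current)) {
            return true;
        }
        return rootPath != null && hasAllPrivileges(session, rootPath,
                PRIVILEGE_JCR_READ,
                PRIVILEGE_JCR_READ_ACCESS_CONTROL,
                PRIVILEGE_JCR_MODIFY_ACCESS_CONTROL,
                PRIVILEGE_REP_WRITE,
                PRIVILEGE_REP_USER_MANAGEMENT);
    }
}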
