package org.apache.jackrabbit.oak.security.user;

import java.io.UnsupportedEncodingException;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.util.Iterator;
import java.util.Set;
import javax.jcr.RepositoryException;
import javax.jcr.UnsupportedRepositoryOperationException;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.AuthorizableExistsException;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.Query;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.guava.common.base.Preconditions;
import org.apache.jackrabbit.guava.common.base.Strings;
import org.apache.jackrabbit.guava.common.collect.Iterables;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.plugins.nodetype.ReadOnlyNodeTypeManager;
import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
import org.apache.jackrabbit.oak.plugins.value.jcr.PartialValueFactory;
import org.apache.jackrabbit.oak.security.user.monitor.UserMonitor;
import org.apache.jackrabbit.oak.security.user.query.UserQueryManager;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalConfiguration;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
import org.apache.jackrabbit.oak.spi.security.user.AuthorizableType;
import org.apache.jackrabbit.oak.spi.security.user.DynamicMembershipProvider;
import org.apache.jackrabbit.oak.spi.security.user.DynamicMembershipService;
import org.apache.jackrabbit.oak.spi.security.user.UserConfiguration;
import org.apache.jackrabbit.oak.spi.security.user.UserConstants;
import org.apache.jackrabbit.oak.spi.security.user.action.AuthorizableAction;
import org.apache.jackrabbit.oak.spi.security.user.action.AuthorizableActionProvider;
import org.apache.jackrabbit.oak.spi.security.user.action.DefaultAuthorizableActionProvider;
import org.apache.jackrabbit.oak.spi.security.user.action.GroupAction;
import org.apache.jackrabbit.oak.spi.security.user.action.UserAction;
import org.apache.jackrabbit.oak.spi.security.user.util.PasswordUtil;
import org.apache.jackrabbit.oak.spi.security.user.util.UserUtil;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:lib/slingcms.far:org/apache/jackrabbit/oak-core/1.58.0/oak-core-1.58.0.jar:org/apache/jackrabbit/oak/security/user/UserManagerImpl.class */
/**
 * {@link UserManager} implementation backed by an Oak {@link Root}.
 *
 * <p>Lookups and node creation are delegated to a {@code UserProvider}; this class adds the
 * ID/principal pre-checks, password hashing, and notification of the configured
 * {@link AuthorizableAction}s.
 *
 * <p>Points a reviewer should keep in mind:
 * <ul>
 *   <li>{@link #isAutoSave()} is always {@code false}: nothing here persists changes, the
 *       caller has to save.</li>
 *   <li>Cleartext passwords are handed to every configured {@link AuthorizableAction}
 *       (see {@link #onCreate(User, String)} and {@link #onPasswordChange(User, String)}),
 *       so the configured action provider is part of the trusted code base.</li>
 *   <li>Several methods are {@code public} in this decompiled form although the decompiler
 *       recorded them as package-private in the class file; they are marked individually.</li>
 *   <li>Lazily created collaborators are cached in plain fields; no synchronization is
 *       applied in this class.</li>
 * </ul>
 */
public class UserManagerImpl implements UserManager {
    private static final Logger log = LoggerFactory.getLogger(UserManagerImpl.class);
    private final Root root;
    private final PartialValueFactory valueFactory;
    private final NamePathMapper namePathMapper;
    private final SecurityProvider securityProvider;
    private final UserProvider userProvider;
    private final MembershipProvider membershipProvider;
    private final ConfigurationParameters config;
    private final AuthorizableActionProvider actionProvider;
    private final UserMonitor monitor;
    // Created on first use by getQueryManager().
    private UserQueryManager queryManager;
    // Created on first use by getNodeTypeManager().
    private ReadOnlyNodeTypeManager ntMgr;
    private final DynamicMembershipService dynamicMembership;
    // Created on first use by getDynamicMembershipProvider().
    private DynamicMembershipProvider dynamicMembershipProvider;

    /**
     * Wires the manager to a root and the security configuration.
     *
     * @param root the root all providers created here operate on
     * @param partialValueFactory value factory; also supplies the {@link NamePathMapper}
     * @param securityProvider source of the {@link UserConfiguration} parameters
     * @param userMonitor monitor exposed through {@link #getMonitor()}
     * @param dynamicMembershipService used lazily by {@link #getDynamicMembershipProvider()}
     */
    public UserManagerImpl(@NotNull Root root, @NotNull PartialValueFactory partialValueFactory, @NotNull SecurityProvider securityProvider, @NotNull UserMonitor userMonitor, @NotNull DynamicMembershipService dynamicMembershipService) {
        this.root = root;
        this.valueFactory = partialValueFactory;
        this.namePathMapper = partialValueFactory.getNamePathMapper();
        this.securityProvider = securityProvider;
        this.monitor = userMonitor;
        UserConfiguration userConfiguration = (UserConfiguration) securityProvider.getConfiguration(UserConfiguration.class);
        this.config = userConfiguration.getParameters();
        this.userProvider = new UserProvider(root, this.config);
        this.membershipProvider = new MembershipProvider(root, this.config);
        this.dynamicMembership = dynamicMembershipService;
        this.actionProvider = getActionProvider(this.config);
    }

    /**
     * Resolves the action provider from configuration, falling back to the default one.
     *
     * <p>The provider is taken from {@link UserConstants#PARAM_AUTHORIZABLE_ACTION_PROVIDER};
     * whatever is configured there later receives cleartext passwords through the
     * {@code on*} callbacks of this class.
     *
     * @param params the user configuration parameters
     * @return the configured provider, or a {@link DefaultAuthorizableActionProvider}
     */
    @NotNull
    private static AuthorizableActionProvider getActionProvider(@NotNull ConfigurationParameters params) {
        AuthorizableActionProvider configured = (AuthorizableActionProvider) params.getConfigValue(UserConstants.PARAM_AUTHORIZABLE_ACTION_PROVIDER, null, AuthorizableActionProvider.class);
        return configured != null ? configured : new DefaultAuthorizableActionProvider(params);
    }

    /**
     * Looks up an authorizable by ID.
     *
     * @param str the authorizable ID; {@code null} or empty yields {@code null}
     * @return the matching authorizable, or {@code null} if none was found
     * @throws RepositoryException if the lookup fails
     */
    @Override
    @Nullable
    public Authorizable getAuthorizable(@NotNull String str) throws RepositoryException {
        if (Strings.isNullOrEmpty(str)) {
            return null;
        }
        Tree authorizableTree = this.userProvider.getAuthorizable(str);
        return getAuthorizable(authorizableTree);
    }

    /**
     * Looks up an authorizable by ID and casts it to the requested type.
     *
     * @param str the authorizable ID
     * @param cls the expected authorizable class
     * @return the result of {@code UserUtil.castAuthorizable} for the looked-up authorizable
     * @throws RepositoryException if the lookup or the cast fails
     */
    @Override
    @Nullable
    public <T extends Authorizable> T getAuthorizable(@NotNull String str, @NotNull Class<T> cls) throws RepositoryException {
        Authorizable found = getAuthorizable(str);
        return (T) UserUtil.castAuthorizable(found, cls);
    }

    /**
     * Looks up an authorizable by principal.
     *
     * @param principal the principal; {@code null} yields {@code null}
     * @return the matching authorizable, or {@code null} if none was found
     * @throws RepositoryException if the lookup fails
     */
    @Override
    @Nullable
    public Authorizable getAuthorizable(@NotNull Principal principal) throws RepositoryException {
        if (principal != null) {
            Tree authorizableTree = this.userProvider.getAuthorizableByPrincipal(principal);
            return getAuthorizable(authorizableTree);
        }
        return null;
    }

    /**
     * Looks up an authorizable by JCR path.
     *
     * @param str the JCR path, mapped to an Oak path before the lookup
     * @return the matching authorizable, or {@code null} if none was found
     * @throws RepositoryException if the path cannot be mapped to an Oak path
     */
    @Override
    @Nullable
    public Authorizable getAuthorizableByPath(@NotNull String str) throws RepositoryException {
        String oakPath = this.namePathMapper.getOakPath(str);
        if (oakPath != null) {
            return getAuthorizableByOakPath(oakPath);
        }
        throw new RepositoryException("Invalid path " + str);
    }

    /**
     * Searches with search type {@code 3}, which in the {@link UserManager} API is
     * {@code SEARCH_TYPE_AUTHORIZABLE} (users and groups).
     *
     * @param str first search argument, forwarded unchanged to the query manager
     * @param str2 second search argument, forwarded unchanged; may be {@code null}
     * @return iterator over the matches
     * @throws RepositoryException if the query fails
     */
    @Override
    @NotNull
    public Iterator<Authorizable> findAuthorizables(@NotNull String str, @Nullable String str2) throws RepositoryException {
        return findAuthorizables(str, str2, 3);
    }

    /**
     * Searches authorizables of the given search type.
     *
     * @param str first search argument, forwarded unchanged to the query manager
     * @param str2 second search argument, forwarded unchanged; may be {@code null}
     * @param i search type, translated with {@link AuthorizableType#getType(int)}
     * @return iterator over the matches
     * @throws RepositoryException if the query fails
     */
    @Override
    @NotNull
    public Iterator<Authorizable> findAuthorizables(@NotNull String str, @Nullable String str2, int i) throws RepositoryException {
        AuthorizableType type = AuthorizableType.getType(i);
        return getQueryManager().findAuthorizables(str, str2, type);
    }

    /**
     * Runs a caller-supplied query through the query manager.
     *
     * @param query the query to execute
     * @return iterator over the matches
     * @throws RepositoryException if the query fails
     */
    @Override
    @NotNull
    public Iterator<Authorizable> findAuthorizables(@NotNull Query query) throws RepositoryException {
        UserQueryManager manager = getQueryManager();
        return manager.findAuthorizables(query);
    }

    /**
     * Creates a user whose principal name equals the ID, without an explicit path.
     *
     * @param str the user ID
     * @param str2 the cleartext password, or {@code null} for none
     * @return the new user
     * @throws RepositoryException if validation or creation fails
     */
    @Override
    @NotNull
    public User createUser(@NotNull String str, @Nullable String str2) throws RepositoryException {
        Principal idPrincipal = new PrincipalImpl(str);
        return createUser(str, str2, idPrincipal, null);
    }

    /**
     * Creates a user.
     *
     * <p>A non-null password is stored through {@link #setPassword} with its boolean flag set
     * to {@code false}, i.e. it is always hashed. The same cleartext value is then handed to
     * every configured action via {@link #onCreate(User, String)}. Only the ID is logged.
     *
     * @param str the user ID; must be non-empty and unused
     * @param str2 the cleartext password, or {@code null} to create the user without one
     * @param principal the principal; its name must be non-empty, unused and not "everyone"
     * @param str3 optional JCR path passed (as Oak path) to the user provider
     * @return the new user
     * @throws RepositoryException if validation or creation fails
     */
    @Override
    @NotNull
    public User createUser(@NotNull String str, @Nullable String str2, @NotNull Principal principal, @Nullable String str3) throws RepositoryException {
        checkValidId(str);
        checkValidPrincipal(principal, false);
        // NOTE(review): getOakPath can return null (getAuthorizableByPath treats that as an
        // invalid path); here a null result is passed on to the provider - confirm how the
        // provider handles it.
        String oakPath = (str3 == null) ? null : this.namePathMapper.getOakPath(str3);
        Tree userTree = this.userProvider.createUser(str, oakPath);
        setPrincipal(userTree, principal);
        if (str2 != null) {
            setPassword(userTree, str, str2, false);
        }
        UserImpl created = new UserImpl(str, userTree, this);
        onCreate(created, str2);
        log.debug("User created: {}", str);
        return created;
    }

    /**
     * Creates a system user whose principal name equals the ID. No password is set.
     *
     * @param str the user ID; must be non-empty and unused
     * @param str2 optional path, passed to the user provider as given (it is not mapped
     *     through the {@link NamePathMapper} here)
     * @return the new system user
     * @throws RepositoryException if validation or creation fails
     */
    @Override
    @NotNull
    public User createSystemUser(@NotNull String str, @Nullable String str2) throws RepositoryException {
        checkValidId(str);
        PrincipalImpl idPrincipal = new PrincipalImpl(str);
        checkValidPrincipal(idPrincipal, false);
        Tree systemUserTree = this.userProvider.createSystemUser(str, str2);
        setPrincipal(systemUserTree, idPrincipal);
        SystemUserImpl created = new SystemUserImpl(str, systemUserTree, this);
        onCreate(created);
        log.debug("System user created: {}", str);
        return created;
    }

    /**
     * Creates a group whose principal name equals the ID, without an explicit path.
     *
     * @param str the group ID
     * @return the new group
     * @throws RepositoryException if validation or creation fails
     */
    @Override
    @NotNull
    public Group createGroup(@NotNull String str) throws RepositoryException {
        Principal idPrincipal = new PrincipalImpl(str);
        return createGroup(str, idPrincipal, null);
    }

    /**
     * Creates a group whose ID is the principal name, without an explicit path.
     *
     * @param principal the group principal
     * @return the new group
     * @throws RepositoryException if validation or creation fails
     */
    @Override
    @NotNull
    public Group createGroup(@NotNull Principal principal) throws RepositoryException {
        return createGroup(principal, null);
    }

    /**
     * Creates a group whose ID is the principal name.
     *
     * @param principal the group principal
     * @param str optional JCR path passed (as Oak path) to the user provider
     * @return the new group
     * @throws RepositoryException if validation or creation fails
     */
    @Override
    @NotNull
    public Group createGroup(@NotNull Principal principal, @Nullable String str) throws RepositoryException {
        String groupId = principal.getName();
        return createGroup(groupId, principal, str);
    }

    /**
     * Creates a group.
     *
     * @param str the group ID; must be non-empty and unused
     * @param principal the group principal; its name must be non-empty and unused
     *     ("everyone" is accepted for groups)
     * @param str2 optional JCR path passed (as Oak path) to the user provider
     * @return the new group
     * @throws RepositoryException if validation or creation fails
     */
    @Override
    @NotNull
    public Group createGroup(@NotNull String str, @NotNull Principal principal, @Nullable String str2) throws RepositoryException {
        checkValidId(str);
        checkValidPrincipal(principal, true);
        // NOTE(review): a null result from getOakPath is passed on to the provider - confirm
        // how the provider handles it.
        String oakPath = (str2 == null) ? null : this.namePathMapper.getOakPath(str2);
        Tree groupTree = this.userProvider.createGroup(str, oakPath);
        setPrincipal(groupTree, principal);
        GroupImpl created = new GroupImpl(str, groupTree, this);
        onCreate(created);
        log.debug("Group created: {}", str);
        return created;
    }

    /**
     * @return always {@code false}; changes are never saved by this class
     */
    @Override
    public boolean isAutoSave() {
        return false;
    }

    /**
     * Auto-save cannot be switched on.
     *
     * @param z ignored
     * @throws UnsupportedRepositoryOperationException always
     */
    @Override
    public void autoSave(boolean z) throws RepositoryException {
        throw new UnsupportedRepositoryOperationException("Session#save() is always required.");
    }

    /**
     * Notifies every configured action that a regular user was created.
     *
     * <p>Each action receives the value of {@code str} as given by the caller; from
     * {@link #createUser(String, String, Principal, String)} that is the cleartext password.
     * For a system user nothing is dispatched and a warning is logged instead.
     * Decompiler note: originally package-private.
     *
     * @param user the created user
     * @param str the password handed to the actions, may be {@code null}
     * @throws RepositoryException if an action fails
     */
    public void onCreate(@NotNull User user, @Nullable String str) throws RepositoryException {
        if (user.isSystemUser()) {
            log.warn("onCreate(User,String) called for system user. Use onCreate(User) instead.");
            return;
        }
        for (AuthorizableAction action : this.actionProvider.getAuthorizableActions(this.securityProvider)) {
            action.onCreate(user, str, this.root, this.namePathMapper);
        }
    }

    /**
     * Notifies every configured action that a system user was created.
     * Decompiler note: originally package-private.
     *
     * @param user the created system user
     * @throws IllegalArgumentException if {@code user} is not a system user
     * @throws RepositoryException if an action fails
     */
    public void onCreate(@NotNull User user) throws RepositoryException {
        Preconditions.checkArgument(user.isSystemUser());
        for (AuthorizableAction action : this.actionProvider.getAuthorizableActions(this.securityProvider)) {
            action.onCreate(user, this.root, this.namePathMapper);
        }
    }

    /**
     * Notifies every configured action that a group was created.
     * Decompiler note: originally package-private.
     *
     * @param group the created group
     * @throws RepositoryException if an action fails
     */
    public void onCreate(@NotNull Group group) throws RepositoryException {
        for (AuthorizableAction action : this.actionProvider.getAuthorizableActions(this.securityProvider)) {
            action.onCreate(group, this.root, this.namePathMapper);
        }
    }

    /**
     * Notifies every configured action about the removal of an authorizable.
     * Decompiler note: originally package-private.
     *
     * @param authorizable the authorizable concerned
     * @throws RepositoryException if an action fails
     */
    public void onRemove(@NotNull Authorizable authorizable) throws RepositoryException {
        for (AuthorizableAction action : this.actionProvider.getAuthorizableActions(this.securityProvider)) {
            action.onRemove(authorizable, this.root, this.namePathMapper);
        }
    }

    /**
     * Notifies every configured action about a password change.
     *
     * <p>{@code str} is forwarded unchanged to each action; presumably this is the new
     * cleartext password - confirm against the callers.
     * Decompiler note: originally package-private.
     *
     * @param user the user concerned
     * @param str the password value handed to the actions
     * @throws RepositoryException if an action fails
     */
    public void onPasswordChange(@NotNull User user, @NotNull String str) throws RepositoryException {
        for (AuthorizableAction action : this.actionProvider.getAuthorizableActions(this.securityProvider)) {
            action.onPasswordChange(user, str, this.root, this.namePathMapper);
        }
    }

    /**
     * Notifies the configured {@link UserAction}s that a user is disabled.
     * Decompiler note: originally package-private.
     *
     * @param user the user concerned
     * @param str forwarded unchanged; presumably the disable reason - confirm against callers
     * @throws RepositoryException if an action fails
     */
    public void onDisable(@NotNull User user, @Nullable String str) throws RepositoryException {
        for (UserAction action : filterUserActions()) {
            action.onDisable(user, str, this.root, this.namePathMapper);
        }
    }

    /**
     * Notifies the configured {@link UserAction}s about an impersonation change.
     * Decompiler note: originally package-private.
     *
     * @param user the user whose impersonators change
     * @param principal the principal being granted or revoked
     * @param z {@code true} dispatches {@code onGrantImpersonation}, {@code false}
     *     dispatches {@code onRevokeImpersonation}
     * @throws RepositoryException if an action fails
     */
    public void onImpersonation(@NotNull User user, @NotNull Principal principal, boolean z) throws RepositoryException {
        Iterable<UserAction> userActions = filterUserActions();
        if (z) {
            for (UserAction action : userActions) {
                action.onGrantImpersonation(user, principal, this.root, this.namePathMapper);
            }
        } else {
            for (UserAction action : userActions) {
                action.onRevokeImpersonation(user, principal, this.root, this.namePathMapper);
            }
        }
    }

    /**
     * Notifies the configured {@link GroupAction}s about a single membership change.
     * Decompiler note: originally package-private.
     *
     * @param group the group concerned
     * @param z {@code true} dispatches {@code onMemberRemoved}, {@code false} dispatches
     *     {@code onMemberAdded}
     * @param authorizable the member concerned
     * @throws RepositoryException if an action fails
     */
    public void onGroupUpdate(@NotNull Group group, boolean z, @NotNull Authorizable authorizable) throws RepositoryException {
        Iterable<GroupAction> groupActions = filterGroupActions();
        if (z) {
            for (GroupAction action : groupActions) {
                action.onMemberRemoved(group, authorizable, this.root, this.namePathMapper);
            }
        } else {
            for (GroupAction action : groupActions) {
                action.onMemberAdded(group, authorizable, this.root, this.namePathMapper);
            }
        }
    }

    /**
     * Notifies the configured {@link GroupAction}s about a bulk membership change.
     * Decompiler note: originally package-private.
     *
     * @param group the group concerned
     * @param z {@code true} dispatches {@code onMembersRemoved}; takes precedence over
     *     {@code z2}
     * @param z2 when {@code z} is {@code false}: {@code true} dispatches
     *     {@code onMembersAddedContentId}, {@code false} dispatches {@code onMembersAdded}
     * @param set first ID set, forwarded unchanged (presumably the processed member IDs -
     *     confirm against callers)
     * @param set2 second ID set, forwarded unchanged (presumably the IDs that failed -
     *     confirm against callers)
     * @throws RepositoryException if an action fails
     */
    public void onGroupUpdate(@NotNull Group group, boolean z, boolean z2, @NotNull Set<String> set, @NotNull Set<String> set2) throws RepositoryException {
        Iterable<GroupAction> groupActions = filterGroupActions();
        if (z) {
            for (GroupAction action : groupActions) {
                action.onMembersRemoved(group, set, set2, this.root, this.namePathMapper);
            }
        } else if (z2) {
            for (GroupAction action : groupActions) {
                action.onMembersAddedContentId(group, set, set2, this.root, this.namePathMapper);
            }
        } else {
            for (GroupAction action : groupActions) {
                action.onMembersAdded(group, set, set2, this.root, this.namePathMapper);
            }
        }
    }

    /**
     * Wraps a tree in the matching authorizable implementation.
     *
     * @param tree the tree to wrap
     * @return {@code null} if the tree is {@code null}, does not exist, or has no
     *     authorizable ID; otherwise a {@code GroupImpl}, {@code SystemUserImpl} or
     *     {@code UserImpl} depending on the tree's type
     * @throws RepositoryException if constructing the wrapper fails
     */
    @Nullable
    public Authorizable getAuthorizable(@Nullable Tree tree) throws RepositoryException {
        if (tree == null || !tree.exists()) {
            return null;
        }
        String authorizableId = UserUtil.getAuthorizableId(tree);
        if (authorizableId == null) {
            return null;
        }
        // Anything that is not of type USER is wrapped as a group.
        if (!UserUtil.isType(tree, AuthorizableType.USER)) {
            return new GroupImpl(authorizableId, tree, this);
        }
        if (UserUtil.isSystemUser(tree)) {
            return new SystemUserImpl(authorizableId, tree, this);
        }
        return new UserImpl(authorizableId, tree, this);
    }

    /**
     * Looks up an authorizable by an already mapped Oak path.
     * Decompiler note: originally package-private.
     *
     * @param str the Oak path
     * @return the matching authorizable, or {@code null} if none was found
     * @throws RepositoryException if the lookup fails
     */
    @Nullable
    public Authorizable getAuthorizableByOakPath(@NotNull String str) throws RepositoryException {
        Tree authorizableTree = this.userProvider.getAuthorizableByPath(str);
        return getAuthorizable(authorizableTree);
    }

    /**
     * Decompiler note: originally package-private.
     *
     * @return the name/path mapper obtained from the value factory at construction
     */
    @NotNull
    public NamePathMapper getNamePathMapper() {
        return this.namePathMapper;
    }

    /**
     * Decompiler note: originally package-private.
     *
     * @return the value factory passed to the constructor
     */
    @NotNull
    public PartialValueFactory getPartialValueFactory() {
        return this.valueFactory;
    }

    /**
     * Returns the node type manager, creating and caching it on first use.
     * Decompiler note: originally package-private.
     *
     * @return a read-only node type manager for this root using {@code NamePathMapper.DEFAULT}
     */
    @NotNull
    public ReadOnlyNodeTypeManager getNodeTypeManager() {
        ReadOnlyNodeTypeManager cached = this.ntMgr;
        if (cached == null) {
            cached = ReadOnlyNodeTypeManager.getInstance(this.root, NamePathMapper.DEFAULT);
            this.ntMgr = cached;
        }
        return cached;
    }

    /**
     * Decompiler note: originally package-private.
     *
     * @return the membership provider created in the constructor
     */
    @NotNull
    public MembershipProvider getMembershipProvider() {
        return this.membershipProvider;
    }

    /**
     * Returns the dynamic membership provider, obtaining and caching it on first use.
     * Decompiler note: originally package-private.
     *
     * @return the provider supplied by the {@link DynamicMembershipService}
     */
    @NotNull
    public DynamicMembershipProvider getDynamicMembershipProvider() {
        DynamicMembershipProvider cached = this.dynamicMembershipProvider;
        if (cached == null) {
            cached = this.dynamicMembership.getDynamicMembershipProvider(this.root, this, this.namePathMapper);
            this.dynamicMembershipProvider = cached;
        }
        return cached;
    }

    /**
     * Obtains a principal manager from the security provider; the result is not cached.
     * Decompiler note: originally package-private.
     *
     * @return a principal manager for this root and name/path mapper
     */
    @NotNull
    public PrincipalManager getPrincipalManager() {
        PrincipalConfiguration principalConfiguration = (PrincipalConfiguration) this.securityProvider.getConfiguration(PrincipalConfiguration.class);
        return principalConfiguration.getPrincipalManager(this.root, this.namePathMapper);
    }

    /**
     * Decompiler note: originally package-private.
     *
     * @return the monitor passed to the constructor
     */
    @NotNull
    public UserMonitor getMonitor() {
        return this.monitor;
    }

    /**
     * Decompiler note: originally package-private.
     *
     * @return the user configuration parameters read in the constructor
     */
    @NotNull
    public ConfigurationParameters getConfig() {
        return this.config;
    }

    /**
     * Rejects IDs that are empty or already resolve to an authorizable.
     *
     * <p>This is a pre-check against what {@link #getAuthorizable(String)} returns for this
     * root; whether uniqueness is enforced again elsewhere is not visible in this class.
     *
     * @param id the candidate ID
     * @throws IllegalArgumentException if {@code id} is {@code null} or empty
     * @throws AuthorizableExistsException if an authorizable with that ID is found
     * @throws RepositoryException if the lookup fails
     */
    private void checkValidId(@Nullable String id) throws RepositoryException {
        if (Strings.isNullOrEmpty(id)) {
            throw new IllegalArgumentException("Invalid ID " + id);
        }
        Authorizable existing = getAuthorizable(id);
        if (existing != null) {
            throw new AuthorizableExistsException("Authorizable with ID " + id + " already exists");
        }
    }

    /**
     * Rejects principals that are unnamed, reserved, or already bound to an authorizable.
     * Decompiler note: originally package-private.
     *
     * @param principal the candidate principal
     * @param z {@code true} when validating for a group; only then is the "everyone"
     *     principal name accepted
     * @throws IllegalArgumentException if the principal is {@code null}, has no name, or uses
     *     the reserved "everyone" name while {@code z} is {@code false}
     * @throws AuthorizableExistsException if an authorizable with that principal is found
     * @throws RepositoryException if the lookup fails
     */
    public void checkValidPrincipal(@Nullable Principal principal, boolean z) throws RepositoryException {
        if (principal == null || Strings.isNullOrEmpty(principal.getName())) {
            throw new IllegalArgumentException("Principal may not be null and must have a valid name.");
        }
        boolean reservedForGroups = !z && EveryonePrincipal.NAME.equals(principal.getName());
        if (reservedForGroups) {
            throw new IllegalArgumentException("'everyone' is a reserved group principal name.");
        }
        Authorizable existing = getAuthorizable(principal);
        if (existing != null) {
            throw new AuthorizableExistsException("Authorizable with principal " + principal.getName() + " already exists.");
        }
    }

    /**
     * Writes the principal name to the {@code rep:principalName} property of the tree.
     * Decompiler note: originally package-private.
     *
     * @param tree the authorizable tree
     * @param principal the principal whose name is stored
     */
    public void setPrincipal(@NotNull Tree tree, @NotNull Principal principal) {
        String principalName = principal.getName();
        tree.setProperty("rep:principalName", principalName);
    }

    /**
     * Stores the password property of a user tree.
     *
     * <p>With {@code z == false} the value is always run through
     * {@link PasswordUtil#buildPasswordHash}. With {@code z == true} it is hashed only when
     * {@link PasswordUtil#isPlainTextPassword} reports plain text; otherwise the supplied
     * string is written to the password property unchanged. Callers should therefore pass
     * {@code true} only for values from a trusted source, since no further validation of
     * the stored string happens here.
     *
     * <p>When {@code Utils.canHavePasswordExpired} and {@link #setPasswordLastModified} both
     * agree, the current time is recorded under the {@code rep:pwd} child.
     * Decompiler note: originally package-private.
     *
     * @param tree the user tree
     * @param str the user ID, used for the expiry eligibility check
     * @param str2 the password, cleartext or (with {@code z == true}) possibly pre-hashed
     * @param z whether a value that is not plain text may be stored as given
     * @throws RepositoryException if hashing fails because of an unsupported encoding or
     *     algorithm
     */
    public void setPassword(@NotNull Tree tree, @NotNull String str, @NotNull String str2, boolean z) throws RepositoryException {
        String storedValue;
        if (z && !PasswordUtil.isPlainTextPassword(str2)) {
            // Not recognised as plain text: stored verbatim.
            storedValue = str2;
        } else {
            try {
                storedValue = PasswordUtil.buildPasswordHash(str2, this.config);
            } catch (UnsupportedEncodingException | NoSuchAlgorithmException e) {
                throw new RepositoryException(e);
            }
        }
        tree.setProperty(UserConstants.REP_PASSWORD, storedValue);
        if (Utils.canHavePasswordExpired(str, this.config)) {
            if (setPasswordLastModified(tree, z)) {
                Tree pwdTree = TreeUtil.getOrAddChild(tree, UserConstants.REP_PWD, UserConstants.NT_REP_PASSWORD);
                pwdTree.setProperty(UserConstants.REP_PASSWORD_LAST_MODIFIED, Long.valueOf(System.currentTimeMillis()), Type.LONG);
            }
        }
    }

    /**
     * Decides whether the password last-modified timestamp should be written.
     *
     * <ul>
     *   <li>Initial-password-change enabled: only when the flag is {@code false} and the tree
     *       is not new.</li>
     *   <li>Otherwise, password expiry enabled: when the flag is {@code false} or the tree is
     *       new.</li>
     *   <li>Neither enabled: never.</li>
     * </ul>
     *
     * @param userTree the user tree
     * @param flag the boolean passed to {@link #setPassword}
     * @return {@code true} if the timestamp should be written
     */
    private boolean setPasswordLastModified(@NotNull Tree userTree, boolean flag) {
        if (forceInitialPasswordChangeEnabled()) {
            return !flag && userTree.getStatus() != Tree.Status.NEW;
        }
        return passwordExpiryEnabled() && (!flag || userTree.getStatus() == Tree.Status.NEW);
    }

    /**
     * @return {@code true} if {@link UserConstants#PARAM_PASSWORD_MAX_AGE} is configured to a
     *     value greater than zero (default {@code 0})
     */
    private boolean passwordExpiryEnabled() {
        int maxAge = (Integer) this.config.getConfigValue(UserConstants.PARAM_PASSWORD_MAX_AGE, 0);
        return maxAge > 0;
    }

    /**
     * @return the configured value of {@link UserConstants#PARAM_PASSWORD_INITIAL_CHANGE}
     *     (default {@code false})
     */
    private boolean forceInitialPasswordChangeEnabled() {
        boolean enabled = (Boolean) this.config.getConfigValue(UserConstants.PARAM_PASSWORD_INITIAL_CHANGE, false);
        return enabled;
    }

    /**
     * Returns the query manager, creating and caching it on first use.
     *
     * @return the query manager bound to this user manager
     */
    @NotNull
    private UserQueryManager getQueryManager() {
        UserQueryManager cached = this.queryManager;
        if (cached == null) {
            cached = new UserQueryManager(this, this.namePathMapper, this.config, this.root);
            this.queryManager = cached;
        }
        return cached;
    }

    /**
     * @return the configured actions that are {@link GroupAction} instances
     */
    @NotNull
    private Iterable<GroupAction> filterGroupActions() {
        return Iterables.filter(this.actionProvider.getAuthorizableActions(this.securityProvider), GroupAction.class);
    }

    /**
     * @return the configured actions that are {@link UserAction} instances
     */
    @NotNull
    private Iterable<UserAction> filterUserActions() {
        return Iterables.filter(this.actionProvider.getAuthorizableActions(this.securityProvider), UserAction.class);
    }
}
