package org.apache.jackrabbit.oak.spi.security.authentication.external.impl.principal;

import java.security.Principal;
import java.text.ParseException;
import java.util.Collections;
import java.util.Comparator;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.Spliterators;
import java.util.stream.Stream;
import java.util.stream.StreamSupport;
import javax.jcr.RepositoryException;
import javax.jcr.Value;
import javax.jcr.query.Query;
import org.apache.jackrabbit.api.security.principal.GroupPrincipal;
import org.apache.jackrabbit.api.security.principal.ItemBasedPrincipal;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.commons.iterator.AbstractLazyIterator;
import org.apache.jackrabbit.guava.common.base.Strings;
import org.apache.jackrabbit.guava.common.collect.ImmutableSet;
import org.apache.jackrabbit.guava.common.collect.Iterables;
import org.apache.jackrabbit.guava.common.collect.Iterators;
import org.apache.jackrabbit.guava.common.collect.Sets;
import org.apache.jackrabbit.guava.common.collect.UnmodifiableIterator;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.PropertyValue;
import org.apache.jackrabbit.oak.api.Result;
import org.apache.jackrabbit.oak.api.ResultRow;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.plugins.memory.PropertyValues;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityRef;
import org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncConfig;
import org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncContext;
import org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalIdentityConstants;
import org.apache.jackrabbit.oak.spi.security.principal.GroupPrincipals;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalProvider;
import org.apache.jackrabbit.oak.spi.security.user.AuthorizableType;
import org.apache.jackrabbit.oak.spi.security.user.DynamicMembershipProvider;
import org.apache.jackrabbit.oak.spi.security.user.UserConfiguration;
import org.apache.jackrabbit.oak.spi.security.user.util.UserUtil;
import org.apache.lucene.analysis.shingle.ShingleFilter;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:lib/slingcms.far:org/apache/jackrabbit/oak-auth-external/1.58.0/oak-auth-external-1.58.0.jar:org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/ExternalGroupPrincipalProvider.class */
public class ExternalGroupPrincipalProvider implements PrincipalProvider, ExternalIdentityConstants, DynamicMembershipProvider {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) ExternalGroupPrincipalProvider.class);
    private static final String BINDING_PRINCIPAL_NAMES = "principalNames";
    private final Root root;
    private final NamePathMapper namePathMapper;
    private final UserManager userManager;
    private final Set<String> idpNamesWithDynamicGroups;
    private final boolean hasOnlyDynamicGroups;
    private final AutoMembershipPrincipals autoMembershipPrincipals;
    private final AutoMembershipPrincipals groupAutoMembershipPrincipals;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:lib/slingcms.far:org/apache/jackrabbit/oak-auth-external/1.58.0/oak-auth-external-1.58.0.jar:org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/ExternalGroupPrincipalProvider$ExternalGroupPrincipal.class */
    public class ExternalGroupPrincipal extends PrincipalImpl implements GroupPrincipal {
        private final String idpName;

        private ExternalGroupPrincipal(@NotNull String str, @Nullable String str2) {
            super(str);
            this.idpName = Strings.nullToEmpty(str2);
        }

        @NotNull
        private String getIdpName() {
            return this.idpName;
        }

        @Override // org.apache.jackrabbit.api.security.principal.GroupPrincipal
        public boolean isMember(@NotNull Principal principal) {
            if (GroupPrincipals.isGroup(principal)) {
                return false;
            }
            try {
                return isContainedInExternalPrincipalNames(principal);
            } catch (RepositoryException e) {
                ExternalGroupPrincipalProvider.log.debug(e.getMessage());
                return false;
            }
        }

        private boolean isContainedInExternalPrincipalNames(@NotNull Principal principal) throws RepositoryException {
            PropertyState property;
            String name = getName();
            if (!(principal instanceof ItemBasedPrincipal)) {
                return ExternalGroupPrincipalProvider.isDynamicMember(name, ExternalGroupPrincipalProvider.this.userManager.getAuthorizable(principal));
            }
            Tree tree = ExternalGroupPrincipalProvider.this.root.getTree(((ItemBasedPrincipal) principal).getPath());
            return UserUtil.isType(tree, AuthorizableType.USER) && (property = tree.getProperty(ExternalIdentityConstants.REP_EXTERNAL_PRINCIPAL_NAMES)) != null && Iterables.contains((Iterable) property.getValue(Type.STRINGS), name);
        }

        @Override // org.apache.jackrabbit.api.security.principal.GroupPrincipal
        @NotNull
        public Enumeration<? extends Principal> members() {
            Result findPrincipals = ExternalGroupPrincipalProvider.this.findPrincipals(getName(), true);
            return findPrincipals != null ? Iterators.asEnumeration(new MemberIterator<Principal>(findPrincipals) { // from class: org.apache.jackrabbit.oak.spi.security.authentication.external.impl.principal.ExternalGroupPrincipalProvider.ExternalGroupPrincipal.1
                {
                    ExternalGroupPrincipalProvider externalGroupPrincipalProvider = ExternalGroupPrincipalProvider.this;
                }

                /* JADX INFO: Access modifiers changed from: package-private */
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // org.apache.jackrabbit.oak.spi.security.authentication.external.impl.principal.ExternalGroupPrincipalProvider.MemberIterator
                public Principal get(@NotNull Authorizable authorizable) throws RepositoryException {
                    return authorizable.getPrincipal();
                }
            }) : Iterators.asEnumeration(Collections.emptyIterator());
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:lib/slingcms.far:org/apache/jackrabbit/oak-auth-external/1.58.0/oak-auth-external-1.58.0.jar:org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/ExternalGroupPrincipalProvider$ExternalGroupPrincipalItemBased.class */
    public final class ExternalGroupPrincipalItemBased extends ExternalGroupPrincipal implements ItemBasedPrincipal {
        private ExternalGroupPrincipalItemBased(@NotNull String str, @Nullable String str2) {
            super(str, str2);
        }

        @Override // org.apache.jackrabbit.api.security.principal.ItemBasedPrincipal
        @NotNull
        public String getPath() throws RepositoryException {
            Authorizable authorizable = ExternalGroupPrincipalProvider.this.userManager.getAuthorizable(this);
            if (authorizable == null) {
                throw new RepositoryException("Cannot determine path for principal '" + getName() + "'. Group with this principal name does not exist.");
            }
            return authorizable.getPath();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:lib/slingcms.far:org/apache/jackrabbit/oak-auth-external/1.58.0/oak-auth-external-1.58.0.jar:org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/ExternalGroupPrincipalProvider$GroupPrincipalIterator.class */
    public final class GroupPrincipalIterator extends AbstractLazyIterator<Principal> {
        private final String queryString;
        private final Iterator<? extends ResultRow> rows;
        private final Set<String> processed = new HashSet();
        private Iterator<String> propValues = Collections.emptyIterator();
        private String idpName = "";

        private GroupPrincipalIterator(@Nullable String str, @NotNull Result result) {
            this.queryString = str;
            this.rows = result.getRows().iterator();
        }

        /* JADX INFO: Access modifiers changed from: protected */
        /* JADX WARN: Can't rename method to resolve collision */
        @Override // org.apache.jackrabbit.commons.iterator.AbstractLazyIterator
        @Nullable
        public Principal getNext() {
            if (!this.propValues.hasNext()) {
                if (this.rows.hasNext()) {
                    ResultRow next = this.rows.next();
                    this.propValues = Iterators.filter(((Iterable) next.getValue(ExternalIdentityConstants.REP_EXTERNAL_PRINCIPAL_NAMES).getValue(Type.STRINGS)).iterator(), (v0) -> {
                        return Objects.nonNull(v0);
                    });
                    this.idpName = DynamicGroupUtil.getIdpName(next);
                } else {
                    this.propValues = Collections.emptyIterator();
                }
            }
            while (this.propValues.hasNext()) {
                String next2 = this.propValues.next();
                if (!this.processed.contains(next2) && matchesQuery(next2)) {
                    this.processed.add(next2);
                    return ExternalGroupPrincipalProvider.this.createExternalGroupPrincipal(next2, this.idpName);
                }
            }
            return null;
        }

        private boolean matchesQuery(@NotNull String str) {
            if (this.queryString == null) {
                return true;
            }
            return str.contains(this.queryString);
        }
    }

    /* loaded from: input_file:lib/slingcms.far:org/apache/jackrabbit/oak-auth-external/1.58.0/oak-auth-external-1.58.0.jar:org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/ExternalGroupPrincipalProvider$MemberIterator.class */
    private abstract class MemberIterator<T> extends AbstractLazyIterator<T> {
        private final Iterator<? extends ResultRow> rows;

        private MemberIterator(@NotNull Result result) {
            this.rows = result.getRows().iterator();
        }

        @Override // org.apache.jackrabbit.commons.iterator.AbstractLazyIterator
        @Nullable
        protected T getNext() {
            Authorizable authorizableByPath;
            while (this.rows.hasNext()) {
                try {
                    authorizableByPath = ExternalGroupPrincipalProvider.this.userManager.getAuthorizableByPath(this.rows.next().getPath());
                } catch (RepositoryException e) {
                    ExternalGroupPrincipalProvider.log.debug("{}", e.getMessage());
                }
                if (authorizableByPath != null) {
                    return get(authorizableByPath);
                }
                continue;
            }
            return null;
        }

        abstract T get(@NotNull Authorizable authorizable) throws RepositoryException;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public ExternalGroupPrincipalProvider(@NotNull Root root, @NotNull UserManager userManager, @NotNull NamePathMapper namePathMapper, @NotNull SyncConfigTracker syncConfigTracker) {
        this.root = root;
        this.namePathMapper = namePathMapper;
        this.userManager = userManager;
        this.idpNamesWithDynamicGroups = syncConfigTracker.getIdpNamesWithDynamicGroups();
        this.hasOnlyDynamicGroups = this.idpNamesWithDynamicGroups.size() == syncConfigTracker.getServiceReferences().length;
        this.autoMembershipPrincipals = new AutoMembershipPrincipals(userManager, syncConfigTracker.getAutoMembership(), syncConfigTracker.getAutoMembershipConfig());
        this.groupAutoMembershipPrincipals = this.idpNamesWithDynamicGroups.isEmpty() ? null : new AutoMembershipPrincipals(userManager, syncConfigTracker.getGroupAutoMembership(), syncConfigTracker.getAutoMembershipConfig());
    }

    ExternalGroupPrincipalProvider(@NotNull Root root, @NotNull UserConfiguration userConfiguration, @NotNull NamePathMapper namePathMapper, @NotNull String str, @NotNull DefaultSyncConfig defaultSyncConfig, @NotNull Set<String> set, boolean z) {
        this.root = root;
        this.namePathMapper = namePathMapper;
        this.userManager = userConfiguration.getUserManager(root, namePathMapper);
        this.idpNamesWithDynamicGroups = set;
        this.hasOnlyDynamicGroups = z;
        this.autoMembershipPrincipals = new AutoMembershipPrincipals(this.userManager, Collections.singletonMap(str, (String[]) Iterables.toArray(Iterables.concat(defaultSyncConfig.user().getAutoMembership(), defaultSyncConfig.group().getAutoMembership()), String.class)), Collections.singletonMap(str, defaultSyncConfig.user().getAutoMembershipConfig()));
        this.groupAutoMembershipPrincipals = set.isEmpty() ? null : new AutoMembershipPrincipals(this.userManager, Collections.singletonMap(str, (String[]) defaultSyncConfig.group().getAutoMembership().toArray(new String[0])), Collections.singletonMap(str, defaultSyncConfig.group().getAutoMembershipConfig()));
    }

    @Override // org.apache.jackrabbit.oak.spi.security.principal.PrincipalProvider
    public Principal getPrincipal(@NotNull String str) {
        if (this.hasOnlyDynamicGroups) {
            return null;
        }
        Result findPrincipals = findPrincipals(str, true);
        Iterator<? extends ResultRow> emptyIterator = findPrincipals == null ? Collections.emptyIterator() : findPrincipals.getRows().iterator();
        if (emptyIterator.hasNext()) {
            return createExternalGroupPrincipal(str, DynamicGroupUtil.getIdpName(emptyIterator.next()));
        }
        return null;
    }

    @Override // org.apache.jackrabbit.oak.spi.security.principal.PrincipalProvider
    @NotNull
    public Set<Principal> getMembershipPrincipals(@NotNull Principal principal) {
        if (hasDynamicMembershipPrincipals(principal)) {
            try {
                if (!(principal instanceof ItemBasedPrincipal)) {
                    return getGroupPrincipals(this.userManager.getAuthorizable(principal), false);
                }
                String path = ((ItemBasedPrincipal) principal).getPath();
                Tree tree = this.root.getTree(path);
                Authorizable authorizableByPath = this.userManager.getAuthorizableByPath(path);
                if (authorizableByPath != null) {
                    return getGroupPrincipals(authorizableByPath, tree);
                }
            } catch (RepositoryException e) {
                log.debug(e.getMessage());
            }
        }
        return ImmutableSet.of();
    }

    @Override // org.apache.jackrabbit.oak.spi.security.principal.PrincipalProvider
    @NotNull
    public Set<? extends Principal> getPrincipals(@NotNull String str) {
        try {
            return getGroupPrincipals(this.userManager.getAuthorizable(str), true);
        } catch (RepositoryException e) {
            log.debug(e.getMessage());
            return ImmutableSet.of();
        }
    }

    @Override // org.apache.jackrabbit.oak.spi.security.principal.PrincipalProvider
    @NotNull
    public Iterator<? extends Principal> findPrincipals(@Nullable String str, int i) {
        if (1 == i || this.hasOnlyDynamicGroups) {
            return Collections.emptyIterator();
        }
        Result findPrincipals = findPrincipals(Strings.nullToEmpty(str), false);
        return findPrincipals != null ? Iterators.filter(new GroupPrincipalIterator(str, findPrincipals), (v0) -> {
            return Objects.nonNull(v0);
        }) : Collections.emptyIterator();
    }

    @Override // org.apache.jackrabbit.oak.spi.security.principal.PrincipalProvider
    @NotNull
    public Iterator<? extends Principal> findPrincipals(int i) {
        return findPrincipals((String) null, i);
    }

    @Override // org.apache.jackrabbit.oak.spi.security.principal.PrincipalProvider
    @NotNull
    public Iterator<? extends Principal> findPrincipals(@Nullable String str, boolean z, int i, long j, long j2) {
        Iterator<? extends Principal> findPrincipals = findPrincipals(str, i);
        if (!findPrincipals.hasNext()) {
            return Collections.emptyIterator();
        }
        Stream sorted = StreamSupport.stream(Spliterators.spliteratorUnknownSize(findPrincipals, 0), false).sorted(Comparator.comparing((v0) -> {
            return v0.getName();
        }));
        if (j > 0) {
            sorted = sorted.skip(j);
        }
        if (j2 >= 0) {
            sorted = sorted.limit(j2);
        }
        return sorted.iterator();
    }

    @Override // org.apache.jackrabbit.oak.spi.security.user.DynamicMembershipProvider
    public boolean coversAllMembers(@NotNull Group group) {
        return isDynamic(group) && !DynamicGroupUtil.hasStoredMemberInfo(group, this.root);
    }

    @Override // org.apache.jackrabbit.oak.spi.security.user.DynamicMembershipProvider
    @NotNull
    public Iterator<Authorizable> getMembers(@NotNull Group group, boolean z) throws RepositoryException {
        Result findPrincipals;
        if (isDynamic(group) && (findPrincipals = findPrincipals(group.getPrincipal().getName(), true)) != null) {
            return new MemberIterator<Authorizable>(findPrincipals) { // from class: org.apache.jackrabbit.oak.spi.security.authentication.external.impl.principal.ExternalGroupPrincipalProvider.1
                /* JADX INFO: Access modifiers changed from: package-private */
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // org.apache.jackrabbit.oak.spi.security.authentication.external.impl.principal.ExternalGroupPrincipalProvider.MemberIterator
                public Authorizable get(@NotNull Authorizable authorizable) {
                    return authorizable;
                }
            };
        }
        return Collections.emptyIterator();
    }

    @Override // org.apache.jackrabbit.oak.spi.security.user.DynamicMembershipProvider
    public boolean isMember(@NotNull Group group, @NotNull Authorizable authorizable, boolean z) throws RepositoryException {
        if (authorizable.isGroup() || !isDynamic(authorizable)) {
            return false;
        }
        if (isDynamic(group) && isDynamicMember(group.getPrincipal().getName(), authorizable)) {
            return true;
        }
        if (!z) {
            return false;
        }
        Iterator<Group> membership = getMembership(authorizable, false);
        while (membership.hasNext()) {
            if (group.isMember(membership.next())) {
                return true;
            }
        }
        return false;
    }

    @Override // org.apache.jackrabbit.oak.spi.security.user.DynamicMembershipProvider
    @NotNull
    public Iterator<Group> getMembership(@NotNull Authorizable authorizable, boolean z) throws RepositoryException {
        if (authorizable.isGroup() || !isDynamic(authorizable)) {
            return Collections.emptyIterator();
        }
        Value[] property = authorizable.getProperty(ExternalIdentityConstants.REP_EXTERNAL_PRINCIPAL_NAMES);
        if (property == null || property.length == 0) {
            return Collections.emptyIterator();
        }
        UnmodifiableIterator filter = Iterators.filter(Iterators.transform(ImmutableSet.copyOf(property).iterator(), value -> {
            try {
                Authorizable authorizable2 = this.userManager.getAuthorizable(new PrincipalImpl(value.getString()));
                if (isValidGroup(authorizable2, authorizable)) {
                    return (Group) authorizable2;
                }
                return null;
            } catch (RepositoryException e) {
                return null;
            }
        }), (v0) -> {
            return Objects.nonNull(v0);
        });
        return z ? new InheritedMembershipIterator(filter) : filter;
    }

    private static boolean isValidGroup(@Nullable Authorizable authorizable, @NotNull Authorizable authorizable2) throws RepositoryException {
        if (authorizable == null || !authorizable.isGroup()) {
            return false;
        }
        return DynamicGroupUtil.isSameIDP(authorizable, authorizable2);
    }

    private boolean isDynamic(@NotNull Authorizable authorizable) {
        if (this.idpNamesWithDynamicGroups.isEmpty()) {
            return false;
        }
        try {
            ExternalIdentityRef identityRef = DefaultSyncContext.getIdentityRef(authorizable);
            if (identityRef == null) {
                return false;
            }
            return this.idpNamesWithDynamicGroups.contains(identityRef.getProviderName());
        } catch (RepositoryException e) {
            log.warn("Cannot retrieve rep:externalId property from identity {}", authorizable);
            return false;
        }
    }

    @NotNull
    private Set<Principal> getGroupPrincipals(@Nullable Authorizable authorizable, boolean z) throws RepositoryException {
        return (authorizable == null || (authorizable.isGroup() && z)) ? ImmutableSet.of() : getGroupPrincipals(authorizable, DynamicGroupUtil.getTree(authorizable, this.root));
    }

    @NotNull
    private Set<Principal> getGroupPrincipals(@NotNull Authorizable authorizable, @NotNull Tree tree) throws RepositoryException {
        String idpName;
        if (tree.exists() && (idpName = DynamicGroupUtil.getIdpName(tree)) != null) {
            if (!UserUtil.isType(tree, AuthorizableType.USER)) {
                return getAutomembershipPrincipals(idpName, authorizable);
            }
            PropertyState property = tree.getProperty(ExternalIdentityConstants.REP_EXTERNAL_PRINCIPAL_NAMES);
            if (property == null) {
                return Collections.emptySet();
            }
            HashSet newHashSet = Sets.newHashSet();
            Iterator it = ((Iterable) property.getValue(Type.STRINGS)).iterator();
            while (it.hasNext()) {
                newHashSet.add(createExternalGroupPrincipal((String) it.next(), idpName));
            }
            newHashSet.addAll(getInheritedPrincipals(newHashSet, idpName));
            newHashSet.addAll(getAutomembershipPrincipals(idpName, authorizable));
            return newHashSet;
        }
        return Collections.emptySet();
    }

    private Set<Principal> getInheritedPrincipals(@NotNull Set<Principal> set, @NotNull String str) {
        if (!this.idpNamesWithDynamicGroups.contains(str)) {
            return Collections.emptySet();
        }
        HashSet hashSet = new HashSet();
        Iterator<Principal> it = set.iterator();
        while (it.hasNext()) {
            hashSet.addAll(DynamicGroupUtil.getInheritedPrincipals(it.next(), this.userManager));
        }
        return hashSet;
    }

    private Set<Principal> getAutomembershipPrincipals(@NotNull String str, @NotNull Authorizable authorizable) {
        return authorizable.isGroup() ? this.idpNamesWithDynamicGroups.contains(str) ? this.groupAutoMembershipPrincipals.getAutoMembership(str, authorizable, true).keySet() : Collections.emptySet() : this.autoMembershipPrincipals.getAutoMembership(str, authorizable, true).keySet();
    }

    @Nullable
    private Result findPrincipals(@NotNull String str, boolean z) {
        try {
            return this.root.getQueryEngine().executeQuery("SELECT [rep:externalPrincipalNames] FROM [rep:User] WHERE PROPERTY([rep:externalPrincipalNames], 'String')" + (z ? " = " : " LIKE ") + "$principalNames /* oak-internal */", Query.JCR_SQL2, buildBinding(str, z), this.namePathMapper.getSessionLocalMappings());
        } catch (ParseException e) {
            return null;
        }
    }

    @NotNull
    private static Map<String, ? extends PropertyValue> buildBinding(@NotNull String str, boolean z) {
        String str2 = str;
        if (!z) {
            str2 = str.isEmpty() ? "%" : "%" + str.replace("%", "\\%").replace(ShingleFilter.DEFAULT_FILLER_TOKEN, "\\_") + "%";
        }
        return Collections.singletonMap(BINDING_PRINCIPAL_NAMES, PropertyValues.newString(str2));
    }

    private static boolean isDynamicMember(@NotNull String str, @Nullable Authorizable authorizable) throws RepositoryException {
        Value[] property;
        if (authorizable == null || authorizable.isGroup() || (property = authorizable.getProperty(ExternalIdentityConstants.REP_EXTERNAL_PRINCIPAL_NAMES)) == null) {
            return false;
        }
        for (Value value : property) {
            if (str.equals(value.getString())) {
                return true;
            }
        }
        return false;
    }

    private boolean hasDynamicMembershipPrincipals(@NotNull Principal principal) {
        if (GroupPrincipals.isGroup(principal)) {
            return principal instanceof ExternalGroupPrincipal ? this.idpNamesWithDynamicGroups.contains(((ExternalGroupPrincipal) principal).getIdpName()) : principal instanceof ItemBasedPrincipal;
        }
        return true;
    }

    private GroupPrincipal createExternalGroupPrincipal(@NotNull String str, @Nullable String str2) {
        return this.idpNamesWithDynamicGroups.contains(str2) ? new ExternalGroupPrincipalItemBased(str, str2) : new ExternalGroupPrincipal(str, str2);
    }
}
