package org.apache.jackrabbit.oak.security.user;

import com.google.common.base.Function;
import com.google.common.base.Joiner;
import com.google.common.base.Predicate;
import com.google.common.base.Predicates;
import com.google.common.collect.Iterables;
import com.google.common.collect.Iterators;
import com.google.common.collect.UnmodifiableIterator;
import java.security.Principal;
import java.text.ParseException;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.jcr.AccessDeniedException;
import javax.jcr.RepositoryException;
import javax.jcr.query.Query;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.QueryEngine;
import org.apache.jackrabbit.oak.api.ResultRow;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.commons.LongUtils;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.security.user.query.QueryUtil;
import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalProvider;
import org.apache.jackrabbit.oak.spi.security.principal.SystemPrincipal;
import org.apache.jackrabbit.oak.spi.security.user.AuthorizableType;
import org.apache.jackrabbit.oak.spi.security.user.UserConfiguration;
import org.apache.jackrabbit.oak.spi.security.user.util.UserUtil;
import org.apache.jackrabbit.oak.util.NodeUtil;
import org.apache.jackrabbit.util.Text;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX INFO: Access modifiers changed from: package-private */
/* JADX WARN: Classes with same name are omitted:
  input_file:WEB-INF/lib/oak-core-1.5.17.jar:org/apache/jackrabbit/oak/security/user/UserPrincipalProvider.class
 */
/* loaded from: input_file:WEB-INF/lib/oak-upgrade-1.5.17.jar:org/apache/jackrabbit/oak/security/user/UserPrincipalProvider.class */
public class UserPrincipalProvider implements PrincipalProvider {
    // Class-wide SLF4J logger; the nested principal classes log through it as well.
    private static final Logger log = LoggerFactory.getLogger(UserPrincipalProvider.class);
    // Key of the configuration parameter the constructor reads to obtain the cache expiration.
    static final String PARAM_CACHE_EXPIRATION = "cacheExpiration";
    // Zero; the constructor enables the membership cache only for an expiration greater than zero.
    static final long EXPIRATION_NO_CACHE = 0;
    // Not referenced anywhere in this listing.
    private static final long MEMBERSHIP_THRESHOLD = 0;
    // Root used for queries and for writing/committing the membership cache.
    private final Root root;
    // Source of the configuration parameters and of the UserManager handed to group principals.
    private final UserConfiguration config;
    // Passed to every principal created here and used for the session-local mappings of the search query.
    private final NamePathMapper namePathMapper;
    // Resolves authorizable trees by id, principal or path.
    private final UserProvider userProvider;
    // Supplies the paths of the groups an authorizable belongs to.
    private final MembershipProvider membershipProvider;
    // Value of the "cacheExpiration" parameter (0 when absent); handed to LongUtils.calculateExpirationTime.
    private final long expiration;
    // True only when expiration > 0 and the content session's principals contain SystemPrincipal.INSTANCE.
    private final boolean cacheEnabled;

    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Classes with same name are omitted:
      input_file:WEB-INF/lib/oak-core-1.5.17.jar:org/apache/jackrabbit/oak/security/user/UserPrincipalProvider$BaseGroupPrincipal.class
     */
    /* loaded from: input_file:WEB-INF/lib/oak-upgrade-1.5.17.jar:org/apache/jackrabbit/oak/security/user/UserPrincipalProvider$BaseGroupPrincipal.class */
    /**
     * Common base of the group principals handed out by this provider.
     *
     * <p>Membership questions are answered by the {@link Group} returned from
     * {@link #getGroup()}; when no group can be resolved the principal behaves
     * as an empty group. The {@link UserManager} is obtained from the enclosing
     * provider's configuration on first use and then reused.
     */
    public abstract class BaseGroupPrincipal extends AbstractGroupPrincipal {
        // Lazily created on the first getUserManager() call.
        private UserManager userManager;

        BaseGroupPrincipal(@Nonnull String str, @Nonnull Tree tree) {
            super(str, tree, UserPrincipalProvider.this.namePathMapper);
        }

        BaseGroupPrincipal(@Nonnull String str, @Nonnull String str2) {
            super(str, str2, UserPrincipalProvider.this.namePathMapper);
        }

        /**
         * Returns the user manager bound to the enclosing provider's root and
         * name/path mapper, creating it on the first call.
         */
        @Override
        UserManager getUserManager() {
            UserManager manager = this.userManager;
            if (manager == null) {
                manager = UserPrincipalProvider.this.config.getUserManager(
                        UserPrincipalProvider.this.root,
                        UserPrincipalProvider.this.namePathMapper);
                this.userManager = manager;
            }
            return manager;
        }

        /** Tells whether this principal's name is the literal {@code "everyone"}. */
        @Override
        boolean isEveryone() {
            final String name = getName();
            return "everyone".equals(name);
        }

        /**
         * Delegates the membership test to the resolved group.
         *
         * @return {@code false} when no group could be resolved
         * @throws RepositoryException if resolving or querying the group fails
         */
        @Override
        boolean isMember(@Nonnull Authorizable authorizable) throws RepositoryException {
            Group resolved = getGroup();
            if (resolved == null) {
                return false;
            }
            return resolved.isMember(authorizable);
        }

        /**
         * Lists the members of the resolved group.
         *
         * @return an empty iterator when no group could be resolved
         * @throws RepositoryException if resolving or querying the group fails
         */
        @Override
        @Nonnull
        Iterator<Authorizable> getMembers() throws RepositoryException {
            Group resolved = getGroup();
            if (resolved != null) {
                return resolved.getMembers();
            }
            return Iterators.emptyIterator();
        }

        /**
         * Resolves the group backing this principal.
         *
         * @return the group, or {@code null} if none could be resolved
         * @throws RepositoryException if the lookup fails
         */
        @CheckForNull
        abstract Group getGroup() throws RepositoryException;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Classes with same name are omitted:
      input_file:WEB-INF/lib/oak-core-1.5.17.jar:org/apache/jackrabbit/oak/security/user/UserPrincipalProvider$CachedGroupPrincipal.class
     */
    /* loaded from: input_file:WEB-INF/lib/oak-upgrade-1.5.17.jar:org/apache/jackrabbit/oak/security/user/UserPrincipalProvider$CachedGroupPrincipal.class */
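    /**
     * Group principal rebuilt from a name stored in the membership cache.
     *
     * <p>Only the principal name is known at construction time (the path handed
     * to the super constructor is the empty string); the backing {@link Group}
     * and its path are looked up by principal name on first use.
     */
    public final class CachedGroupPrincipal extends BaseGroupPrincipal {
        // Resolved lazily by getGroup(); stays null while no matching group is found.
        private Group group;

        CachedGroupPrincipal(@Nonnull String str) {
            super(str, "");
        }

        /**
         * Returns the Oak path that corresponds to {@link #getPath()}.
         *
         * @return the mapped path, or {@code null} when no path is available
         */
        @Override
        public String getOakPath() {
            // Resolve the path once instead of triggering the group lookup twice.
            String jcrPath = getPath();
            if (jcrPath == null) {
                return null;
            }
            return UserPrincipalProvider.this.namePathMapper.getOakPath(jcrPath);
        }

        /**
         * Returns the path of the group this principal resolves to.
         *
         * @return the group path, or {@code null} when the group cannot be
         *         resolved or the lookup fails
         */
        @Override
        public String getPath() {
            try {
                Group resolved = getGroup();
                if (resolved == null) {
                    return null;
                }
                return resolved.getPath();
            } catch (RepositoryException e) {
                // The message has no placeholder, so passing e.getMessage() as an
                // argument dropped the cause entirely; hand over the exception itself.
                UserPrincipalProvider.log.error("Failed to retrieve path from group principal", e);
                return null;
            }
        }

        /**
         * Looks up the group by principal name and remembers a successful result.
         *
         * @return the group, or {@code null} when the name resolves to nothing
         *         or to an authorizable that is not a group
         * @throws RepositoryException if the lookup fails
         */
        @Override
        @CheckForNull
        Group getGroup() throws RepositoryException {
            if (this.group == null) {
                Authorizable candidate = getUserManager().getAuthorizable(new PrincipalImpl(getName()));
                if (candidate != null && candidate.isGroup()) {
                    this.group = (Group) candidate;
                }
            }
            return this.group;
        }
    }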

    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Classes with same name are omitted:
      input_file:WEB-INF/lib/oak-core-1.5.17.jar:org/apache/jackrabbit/oak/security/user/UserPrincipalProvider$EveryonePredicate.class
     */
    /* loaded from: input_file:WEB-INF/lib/oak-upgrade-1.5.17.jar:org/apache/jackrabbit/oak/security/user/UserPrincipalProvider$EveryonePredicate.class */
    /**
     * Stateful filter that lets the principal named {@code "everyone"} through
     * exactly once and accepts every other principal (including {@code null}).
     */
    public static final class EveryonePredicate implements Predicate<Principal> {
        // Set once the first "everyone" principal has been accepted.
        private boolean servedEveryone;

        private EveryonePredicate() {
            this.servedEveryone = false;
        }

        /**
         * @param principal the candidate, may be {@code null}
         * @return {@code false} only for the second and later principals named
         *         {@code "everyone"}
         */
        @Override
        public boolean apply(@Nullable Principal principal) {
            boolean namedEveryone = principal != null && "everyone".equals(principal.getName());
            if (!namedEveryone) {
                return true;
            }
            boolean firstOccurrence = !this.servedEveryone;
            this.servedEveryone = true;
            return firstOccurrence;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Classes with same name are omitted:
      input_file:WEB-INF/lib/oak-core-1.5.17.jar:org/apache/jackrabbit/oak/security/user/UserPrincipalProvider$GroupPrincipal.class
     */
    /* loaded from: input_file:WEB-INF/lib/oak-upgrade-1.5.17.jar:org/apache/jackrabbit/oak/security/user/UserPrincipalProvider$GroupPrincipal.class */
    /**
     * Group principal created directly from an authorizable tree.
     */
    public final class GroupPrincipal extends BaseGroupPrincipal {
        // Resolved lazily by getGroup(); stays null while no matching group is found.
        private Group group;

        GroupPrincipal(@Nonnull String str, @Nonnull Tree tree) {
            super(str, tree);
        }

        /**
         * Asks the user manager for the authorizable of this principal and
         * remembers it when it is a group.
         *
         * @return the group, or {@code null} when nothing was found or the
         *         authorizable is not a group
         * @throws RepositoryException if the lookup fails
         */
        @Override
        @CheckForNull
        Group getGroup() throws RepositoryException {
            if (this.group == null) {
                Authorizable candidate = getUserManager().getAuthorizable(this);
                if (candidate != null && candidate.isGroup()) {
                    this.group = (Group) candidate;
                }
            }
            return this.group;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Classes with same name are omitted:
      input_file:WEB-INF/lib/oak-core-1.5.17.jar:org/apache/jackrabbit/oak/security/user/UserPrincipalProvider$ResultRowToPrincipal.class
     */
    /* loaded from: input_file:WEB-INF/lib/oak-upgrade-1.5.17.jar:org/apache/jackrabbit/oak/security/user/UserPrincipalProvider$ResultRowToPrincipal.class */
    /**
     * Maps a query result row to the principal of the tree the row points at.
     */
    public final class ResultRowToPrincipal implements Function<ResultRow, Principal> {
        private ResultRowToPrincipal() {
        }

        /**
         * @param resultRow a row of the principal search, may be {@code null}
         * @return the principal built from the row's tree, or {@code null} when
         *         the row is {@code null} or no principal can be created
         */
        @Override
        public Principal apply(@Nullable ResultRow resultRow) {
            if (resultRow == null) {
                return null;
            }
            Tree rowTree = resultRow.getTree(null);
            return UserPrincipalProvider.this.createPrincipal(rowTree);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates a provider bound to the given root and user configuration.
     *
     * <p>The group-membership cache is switched on only when the configured
     * {@code cacheExpiration} is greater than zero <em>and</em> the content
     * session's principals contain {@link SystemPrincipal#INSTANCE}; every
     * other session always computes membership from the membership provider.
     *
     * @param root root used for lookups, queries and cache writes
     * @param userConfiguration source of the configuration parameters
     * @param namePathMapper mapper handed to the principals created here
     */
    public UserPrincipalProvider(@Nonnull Root root, @Nonnull UserConfiguration userConfiguration, @Nonnull NamePathMapper namePathMapper) {
        this.root = root;
        this.config = userConfiguration;
        this.namePathMapper = namePathMapper;
        this.userProvider = new UserProvider(root, this.config.getParameters());
        this.membershipProvider = new MembershipProvider(root, this.config.getParameters());
        Long configuredExpiration = (Long) this.config.getParameters().getConfigValue(PARAM_CACHE_EXPIRATION, 0L);
        this.expiration = configuredExpiration.longValue();
        if (this.expiration > 0) {
            // Only a session that carries the system principal may use the cache.
            this.cacheEnabled = root.getContentSession().getAuthInfo().getPrincipals().contains(SystemPrincipal.INSTANCE);
        } else {
            this.cacheEnabled = false;
        }
    }

    /**
     * Resolves a principal by name.
     *
     * @param str the principal name
     * @return the principal of the matching authorizable; the shared
     *         {@link EveryonePrincipal} when nothing matched and the name is
     *         {@code "everyone"}; otherwise {@code null}
     */
    @Override
    public Principal getPrincipal(@Nonnull String str) {
        Tree authorizableTree = this.userProvider.getAuthorizableByPrincipal(new PrincipalImpl(str));
        Principal resolved = createPrincipal(authorizableTree);
        if (resolved == null && "everyone".equals(str)) {
            return EveryonePrincipal.getInstance();
        }
        return resolved;
    }

    /**
     * Returns the group principals the given principal belongs to.
     *
     * @param principal the principal whose membership is requested
     * @return the membership of the matching authorizable, or an empty set
     *         when the principal does not resolve to an authorizable tree
     */
    @Override
    @Nonnull
    public Set<java.security.acl.Group> getGroupMembership(@Nonnull Principal principal) {
        Tree authorizableTree = getAuthorizableTree(principal);
        if (authorizableTree != null) {
            return getGroupMembership(authorizableTree);
        }
        return Collections.emptySet();
    }

    /**
     * Collects the principals of the user with the given id: the user's own
     * principal plus the group principals it is a member of.
     *
     * @param str the user id
     * @return the principals, or an empty set when the id does not resolve to
     *         a user or no user principal can be created for it
     */
    @Override
    @Nonnull
    public Set<? extends Principal> getPrincipals(@Nonnull String str) {
        Set<Principal> principals = new HashSet<Principal>();
        Tree userTree = this.userProvider.getAuthorizable(str);
        if (userTree == null || !UserUtil.isType(userTree, AuthorizableType.USER)) {
            // Ids that resolve to nothing or to a group yield no principals.
            return principals;
        }
        Principal userPrincipal = createUserPrincipal(str, userTree);
        if (userPrincipal != null) {
            principals.add(userPrincipal);
            principals.addAll(getGroupMembership(userTree));
        }
        return principals;
    }

    /**
     * Searches principals whose name matches the given hint.
     *
     * <p>The search is an XPath query built as a string: the value returned by
     * {@code buildSearchPattern(str)} is placed between single quotes as the
     * {@code jcr:like} pattern. The caller-supplied hint therefore reaches the
     * query text, and whatever {@code buildSearchPattern} returns must be safe
     * inside that single-quoted literal.
     *
     * @param str name hint, {@code null} to match every principal name
     * @param i search type, translated with {@link AuthorizableType#getType(int)}
     * @return the matching principals with {@code null} results removed; the
     *         everyone principal is appended once when {@code matchesEveryone}
     *         accepts the hint and search type; an empty iterator when the
     *         query cannot be parsed
     */
    @Override
    @Nonnull
    public Iterator<? extends Principal> findPrincipals(String str, int i) {
        try {
            AuthorizableType type = AuthorizableType.getType(i);
            StringBuilder statement = new StringBuilder();
            statement.append(QueryUtil.getSearchRoot(type, this.config.getParameters()));
            statement.append("//element(*,");
            statement.append(QueryUtil.getNodeTypeName(type));
            statement.append(")[jcr:like(@rep:principalName,'");
            statement.append(buildSearchPattern(str));
            statement.append("')]");

            Iterator<? extends ResultRow> rows = this.root.getQueryEngine()
                    .executeQuery(statement.toString(), Query.XPATH, QueryEngine.NO_BINDINGS,
                            this.namePathMapper.getSessionLocalMappings())
                    .getRows()
                    .iterator();

            // Rows for which no principal can be created map to null and are dropped.
            Iterator<Principal> principals = Iterators.filter(
                    Iterators.transform(rows, new ResultRowToPrincipal()),
                    Predicates.notNull());
            if (!matchesEveryone(str, i)) {
                return principals;
            }
            // Append "everyone" and make sure it is served only once overall.
            Iterator<Principal> withEveryone = Iterators.concat(
                    principals,
                    Iterators.singletonIterator(EveryonePrincipal.getInstance()));
            return Iterators.filter(withEveryone, new EveryonePredicate());
        } catch (ParseException e) {
            log.debug(e.getMessage());
            return Iterators.emptyIterator();
        }
    }

    /**
     * Lists all principals of the given search type; equivalent to
     * {@code findPrincipals(null, i)}.
     *
     * @param i search type
     * @return the principals found
     */
    @Override
    @Nonnull
    public Iterator<? extends Principal> findPrincipals(int i) {
        final String noNameHint = null;
        return findPrincipals(noNameHint, i);
    }

    /**
     * Looks up the authorizable tree for a principal through the user provider.
     *
     * @param principal the principal to resolve
     * @return the tree, or {@code null} when the user provider finds none
     */
    @CheckForNull
    private Tree getAuthorizableTree(@Nonnull Principal principal) {
        Tree authorizableTree = this.userProvider.getAuthorizableByPrincipal(principal);
        return authorizableTree;
    }

    /* JADX INFO: Access modifiers changed from: private */
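    /**
     * Creates the principal that corresponds to an authorizable tree.
     *
     * @param tree the authorizable tree, may be {@code null}
     * @return a group principal for group trees, a user principal for user
     *         trees, and {@code null} for a {@code null} tree, any other
     *         authorizable type, or a tree without principal name
     */
    @CheckForNull
    public Principal createPrincipal(@CheckForNull Tree tree) {
        if (tree == null) {
            return null;
        }
        // The decompiled local was typed java.security.acl.Group although it also
        // receives the Principal returned by createUserPrincipal; Principal is the
        // common type of both branches.
        Principal principal = null;
        AuthorizableType type = UserUtil.getType(tree);
        if (AuthorizableType.GROUP == type) {
            principal = createGroupPrincipal(tree);
        } else if (AuthorizableType.USER == type) {
            principal = createUserPrincipal(UserUtil.getAuthorizableId(tree, type), tree);
        }
        return principal;
    }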

    /**
     * Creates the principal for a user tree.
     *
     * <p>The concrete principal class encodes the kind of account: system
     * users get a {@code SystemUserPrincipalImpl}, the id recognised by
     * {@code UserUtil.isAdmin} for the configured parameters gets an
     * {@code AdminPrincipalImpl}, everything else a plain
     * {@code TreeBasedPrincipal}. The system-user check takes precedence.
     *
     * @param str the user id
     * @param tree the user's tree
     * @return the principal, or {@code null} when the tree has no principal name
     */
    @CheckForNull
    private Principal createUserPrincipal(@Nonnull String str, @Nonnull Tree tree) {
        String principalName = getPrincipalName(tree);
        if (principalName == null) {
            return null;
        }
        if (UserUtil.isSystemUser(tree)) {
            return new SystemUserPrincipalImpl(principalName, tree, this.namePathMapper);
        }
        if (UserUtil.isAdmin(this.config.getParameters(), str)) {
            return new AdminPrincipalImpl(principalName, tree, this.namePathMapper);
        }
        return new TreeBasedPrincipal(principalName, tree, this.namePathMapper);
    }

    /**
     * Creates the group principal for a group tree.
     *
     * @param tree the group's tree
     * @return the principal, or {@code null} when the tree has no principal name
     */
    @CheckForNull
    private java.security.acl.Group createGroupPrincipal(@Nonnull Tree tree) {
        String principalName = getPrincipalName(tree);
        if (principalName != null) {
            return new GroupPrincipal(principalName, tree);
        }
        return null;
    }

    /**
     * Reads the {@code rep:principalName} property of an authorizable tree.
     *
     * @param tree the authorizable tree
     * @return the principal name, or {@code null} (after logging a warning
     *         that names the authorizable id) when the property is missing
     */
    @CheckForNull
    private static String getPrincipalName(@Nonnull Tree tree) {
        PropertyState nameProperty = tree.getProperty("rep:principalName");
        if (nameProperty == null) {
            log.warn("Authorizable without principal name " + UserUtil.getAuthorizableId(tree));
            return null;
        }
        return (String) nameProperty.getValue(Type.STRING);
    }

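    /**
     * Computes the group principals of an authorizable tree, always including
     * the everyone principal.
     *
     * <p>When the cache is enabled and the tree is a user, a cache entry that
     * has not expired is returned as it is, without consulting the membership
     * provider. Membership changes made after the entry was written, removals
     * included, therefore stay invisible to this method until the entry
     * expires.
     *
     * @param tree the authorizable tree
     * @return a mutable set with the group principals plus everyone
     */
    @Nonnull
    private Set<java.security.acl.Group> getGroupMembership(@Nonnull Tree tree) {
        Set<java.security.acl.Group> groups = null;
        NodeUtil nodeUtil = new NodeUtil(tree);
        boolean useCache = this.cacheEnabled && UserUtil.isType(tree, AuthorizableType.USER);
        if (useCache) {
            groups = readGroupsFromCache(nodeUtil);
        }
        if (groups == null) {
            // No usable cache entry: resolve the membership paths one by one.
            groups = new HashSet<java.security.acl.Group>();
            Iterator<String> membership = this.membershipProvider.getMembership(tree, true);
            while (membership.hasNext()) {
                Tree groupTree = this.userProvider.getAuthorizableByPath(membership.next());
                if (groupTree == null || !UserUtil.isType(groupTree, AuthorizableType.GROUP)) {
                    continue;
                }
                // Build the principal once; the original created it twice, once for
                // the null check and once for the add, which also doubled the
                // warning logged for a group without principal name.
                java.security.acl.Group groupPrincipal = createGroupPrincipal(groupTree);
                if (groupPrincipal != null) {
                    groups.add(groupPrincipal);
                }
            }
            if (useCache) {
                cacheGroups(nodeUtil, groups);
            }
        }
        groups.add(EveryonePrincipal.getInstance());
        return groups;
    }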

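    /**
     * Persists the given group principals in the {@code rep:cache} child of a
     * user node, together with a fresh expiration time.
     *
     * <p>The root is refreshed before the write and again on every exit path,
     * so pending changes never outlive this method. Nothing is written when
     * the set is empty and no cache node exists yet. Commit failures and
     * access-denied errors are logged at debug level and otherwise ignored:
     * caching is best effort.
     *
     * <p>Principal names go through {@code Text.escape} before being joined
     * with {@code ','}; {@code readGroupsFromCache} splits on the same
     * character and unescapes each entry.
     *
     * @param nodeUtil the user node to attach the cache to
     * @param set the group principals to store
     */
    private void cacheGroups(@Nonnull NodeUtil nodeUtil, @Nonnull Set<java.security.acl.Group> set) {
        try {
            this.root.refresh();
            NodeUtil cache = nodeUtil.getChild(CacheConstants.REP_CACHE);
            if (cache == null) {
                if (set.isEmpty()) {
                    log.debug("Omit cache creation for user without group membership at " + nodeUtil.getTree().getPath());
                    return;
                }
                log.debug("Create new group membership cache at " + nodeUtil.getTree().getPath());
                cache = nodeUtil.addChild(CacheConstants.REP_CACHE, CacheConstants.NT_REP_CACHE);
            }
            cache.setLong(CacheConstants.REP_EXPIRATION, LongUtils.calculateExpirationTime(this.expiration));
            String joinedNames = set.isEmpty() ? "" : Joiner.on(",").join(Iterables.transform(set, new Function<java.security.acl.Group, String>() {
                @Override
                public String apply(java.security.acl.Group group) {
                    return Text.escape(group.getName());
                }
            }));
            cache.setString(CacheConstants.REP_GROUP_PRINCIPAL_NAMES, joinedNames);
            // The commit carries the attributes produced by CacheValidatorProvider.
            this.root.commit(CacheValidatorProvider.asCommitAttributes());
            log.debug("Cached group membership at " + nodeUtil.getTree().getPath());
        } catch (AccessDeniedException e) {
            // The original message had no placeholder, so the reason was never logged.
            log.debug("Failed to cache group membership: {}", e.getMessage());
        } catch (CommitFailedException e) {
            log.debug("Failed to cache group membership: {}", e.getMessage(), e);
        } finally {
            // Drop whatever is still pending, whether the write succeeded or not.
            this.root.refresh();
        }
    }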

    /**
     * Reads the cached group principals of a user node.
     *
     * <p>Each stored name becomes a {@code CachedGroupPrincipal} without
     * checking at this point that a group with that name still exists.
     * NOTE(review): the names found in {@code rep:cache} are trusted as group
     * membership; presumably writes to that node are restricted elsewhere
     * (cacheGroups commits with attributes from CacheValidatorProvider);
     * confirm against the validator.
     *
     * @param nodeUtil the user node
     * @return the cached principals (possibly empty), or {@code null} when
     *         there is no cache node or it has expired
     */
    @CheckForNull
    private Set<java.security.acl.Group> readGroupsFromCache(@Nonnull NodeUtil nodeUtil) {
        NodeUtil cache = nodeUtil.getChild(CacheConstants.REP_CACHE);
        if (cache == null) {
            log.debug("No group cache at " + nodeUtil.getTree().getPath());
            return null;
        }
        if (!isValidCache(cache)) {
            log.debug("Expired group cache for " + nodeUtil.getTree().getPath());
            return null;
        }
        log.debug("Reading group membership at " + nodeUtil.getTree().getPath());

        String joinedNames = cache.getString(CacheConstants.REP_GROUP_PRINCIPAL_NAMES, null);
        if (joinedNames == null || joinedNames.isEmpty()) {
            return new HashSet<java.security.acl.Group>(1);
        }
        Set<java.security.acl.Group> groups = new HashSet<java.security.acl.Group>();
        // ',' is the separator used when the names were written (char code 44).
        String[] escapedNames = Text.explode(joinedNames, ',');
        for (int idx = 0; idx < escapedNames.length; idx++) {
            groups.add(new CachedGroupPrincipal(Text.unescape(escapedNames[idx])));
        }
        return groups;
    }

    /**
     * Tells whether a cache node is still usable.
     *
     * @param nodeUtil the {@code rep:cache} node
     * @return {@code true} when the stored expiration is positive and lies in
     *         the future; a missing expiration reads as 0 and is invalid
     */
    private static boolean isValidCache(NodeUtil nodeUtil) {
        long expiresAt = nodeUtil.getLong(CacheConstants.REP_EXPIRATION, 0L);
        if (expiresAt <= 0) {
            return false;
        }
        return System.currentTimeMillis() < expiresAt;
    }

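    /**
     * Turns a name hint into a "contains" pattern for {@code jcr:like} that is
     * safe to place between single quotes in the XPath statement built by
     * {@code findPrincipals}.
     *
     * <p>Two layers are escaped. For the LIKE pattern, {@code \}, {@code %}
     * and {@code _} are prefixed with a backslash so they match literally; the
     * backslash goes first so the escapes added afterwards are not doubled.
     * For the surrounding string literal, an apostrophe is doubled: without
     * that, a hint containing {@code '} would end the literal early and change
     * the structure of the query instead of being matched as text.
     *
     * @param str the name hint, {@code null} for "match everything"
     * @return {@code "%"} for a {@code null} hint, otherwise the escaped hint
     *         wrapped in {@code %}
     */
    private static String buildSearchPattern(String str) {
        if (str == null) {
            return "%";
        }
        String escaped = str
                .replace("\\", "\\\\")
                .replace("%", "\\%")
                .replace("_", "\\_")
                .replace("'", "''");
        return '%' + escaped + '%';
    }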

    /**
     * Decides whether the everyone principal belongs in a search result.
     *
     * @param str the name hint, may be {@code null}
     * @param i the search type; 1 excludes everyone (presumably the
     *        "not group" search type; confirm against PrincipalManager)
     * @return {@code true} when the search type is not 1 and the hint is
     *         {@code null} or a substring of {@code "everyone"}
     */
    private static boolean matchesEveryone(String str, int i) {
        if (i == 1) {
            return false;
        }
        if (str == null) {
            return true;
        }
        return "everyone".contains(str);
    }
}
