package com.adobe.acs.commons.users.impl;

import java.security.Principal;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.jcr.RepositoryException;
import org.apache.commons.lang3.StringUtils;
import org.apache.felix.scr.annotations.Activate;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.ConfigurationPolicy;
import org.apache.felix.scr.annotations.Properties;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.PropertyOption;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.Service;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.commons.osgi.PropertiesUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

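/**
 * OSGi configuration-factory component that brings one repository group in line with its
 * configuration: either the group exists with the configured ACEs and parent-group memberships
 * ({@code add}), or it does not exist at all ({@code remove}).
 *
 * <p>All repository writes go through a service resource resolver obtained for the
 * {@code ensure-service-user} sub-service, so the effective privileges are those of whatever
 * service user is mapped to that name. Because this component creates and deletes groups and
 * rewrites memberships, that mapping and the OSGi configurations feeding this factory should be
 * treated as security-sensitive.
 *
 * <p>NOTE(review): this listing is decompiler output; the {@code bind*}/{@code unbind*} methods
 * look like SCR-generated accessors for the {@code @Reference} fields.
 */
@Service({EnsureGroup.class, EnsureAuthorizable.class})
@Component(label = "ACS AEM Commons - Ensure Group", configurationFactory = true, metatype = true, immediate = true, policy = ConfigurationPolicy.REQUIRE)
@Properties({@Property(name = "webconsole.configurationFactory.nameHint", value = {"Ensure Group: {operation} {principalName}"})})
public final class EnsureGroup implements EnsureAuthorizable {

    @Property(label = "Ensure immediately", boolValue = {true}, description = "Ensure on activation. When set to false, this must be ensured via the JMX MBean.")
    public static final String PROP_ENSURE_IMMEDIATELY = "ensure-immediately";
    public static final String DEFAULT_OPERATION = "add";

    @Property(label = "Operation", description = "Defines if the group (principal name) should be adjusted to align with this config or removed completely", options = {@PropertyOption(name = "add", value = "Ensure existence (add)"), @PropertyOption(name = "remove", value = "Ensure extinction (remove)")})
    public static final String PROP_OPERATION = "operation";

    @Property(label = "Principal Name", description = "The grouo's principal name")
    public static final String PROP_PRINCIPAL_NAME = "principalName";

    @Property(label = "ACEs", description = "This field is ignored if the Operation is set to 'Ensure extinction' (remove)", cardinality = Integer.MAX_VALUE)
    public static final String PROP_ACES = "aces";

    @Property(label = "Member Of", description = "Defines groups this group must be a member of.  Group will be removed from any groups not listed.", cardinality = Integer.MAX_VALUE)
    public static final String PROP_MEMBER_OF = "member-of";
    private static final Logger log = LoggerFactory.getLogger(EnsureGroup.class);
    private static final String SERVICE_NAME = "ensure-service-user";
    // Authentication info selecting the sub-service whose mapped service user performs all writes.
    private static final Map<String, Object> AUTH_INFO = Collections.singletonMap("sling.service.subservice", SERVICE_NAME);
    private static final boolean DEFAULT_ENSURE_IMMEDIATELY = true;
    // Both fields are populated in activate() from the component configuration.
    private Group group = null;
    private Operation operation = null;

    @Reference
    private ResourceResolverFactory resourceResolverFactory;

    @Reference
    private EnsureAce ensureAce;

    /**
     * Minimal name-only {@link Principal} handed to {@code UserManager.createGroup}.
     *
     * <p>NOTE(review): the decompiler reports that this class was {@code private} in the
     * original bytecode; it is left public here so existing references keep compiling.
     */
    public static class SimplePrincipal implements Principal {
        protected final String name;

        /**
         * @param str the principal name
         * @throws IllegalArgumentException if {@code str} is null, empty or whitespace only
         */
        public SimplePrincipal(String str) {
            if (StringUtils.isBlank(str)) {
                throw new IllegalArgumentException("Principal name cannot be blank.");
            }
            this.name = str;
        }

        @Override
        public String getName() {
            return this.name;
        }

        @Override
        public int hashCode() {
            return this.name.hashCode();
        }

        /**
         * Equal to any {@link Principal} with the same name, regardless of its concrete class.
         * Other implementations may not return the favour, so equality can be asymmetric.
         */
        @Override
        public boolean equals(Object obj) {
            if (obj instanceof Principal) {
                return this.name.equals(((Principal) obj).getName());
            }
            return false;
        }
    }

    /** @return the operation parsed from the configuration, or {@code null} before activation. */
    @Override
    public Operation getOperation() {
        return this.operation;
    }

    /** @return the group definition built from the configuration, or {@code null} before activation. */
    @Override
    public Group getAuthorizable() {
        return this.group;
    }

    /**
     * Applies {@code operation} to the given group definition and commits the result.
     *
     * @param operation {@code ADD} to create/align the group, {@code REMOVE} to delete it
     * @param abstractAuthorizable the group definition; must be a {@link Group}
     * @throws EnsureAuthorizableException if the definition is null, the operation is neither
     *         ADD nor REMOVE, or any repository/login error occurs (the cause is preserved)
     */
    @Override
    public void ensure(Operation operation, AbstractAuthorizable abstractAuthorizable) throws EnsureAuthorizableException {
        // Fail with a domain exception instead of letting a NullPointerException escape from the
        // error-message formatting in the catch block below.
        if (abstractAuthorizable == null) {
            throw new EnsureAuthorizableException("Unable to ensure Group: no group definition was provided (it is null).");
        }
        final long start = System.currentTimeMillis();
        // try-with-resources closes the service resolver on every path; previously it was only
        // closed when the whole body succeeded, leaking the session on any failure.
        try (ResourceResolver serviceResourceResolver = this.resourceResolverFactory.getServiceResourceResolver(AUTH_INFO)) {
            if (Operation.ADD.equals(operation)) {
                ensureExistance(serviceResourceResolver, (Group) abstractAuthorizable);
            } else if (Operation.REMOVE.equals(operation)) {
                ensureRemoval(serviceResourceResolver, (Group) abstractAuthorizable);
            } else {
                throw new EnsureAuthorizableException("Unable to determine Ensure Group operation Could not create or locate value group (it is null).");
            }
            if (serviceResourceResolver.hasChanges()) {
                serviceResourceResolver.commit();
                log.debug("Persisted change to Group [ {} ]", abstractAuthorizable.getPrincipalName());
            } else {
                log.debug("No changes required for Group [ {} ]. Skipping...", abstractAuthorizable.getPrincipalName());
            }
            // Log the definition that was actually processed. Reading this.group here could throw
            // after a successful commit and turn a success into a reported failure.
            log.info("Successfully ensured [ {} ] of Group [ {} ] in [ {} ms ]", new Object[]{operation, abstractAuthorizable.getPrincipalName(), String.valueOf(System.currentTimeMillis() - start)});
        } catch (Exception e) {
            // %s renders a null operation as "null" rather than throwing while reporting the error.
            throw new EnsureAuthorizableException(String.format("Failed to ensure [ %s ] of Group [ %s ]", operation, abstractAuthorizable.getPrincipalName()), e);
        }
    }

    /**
     * Makes sure the group exists, then aligns its ACEs and parent-group memberships.
     * Changes are left pending on {@code resourceResolver}; the caller commits.
     */
    protected void ensureExistance(ResourceResolver resourceResolver, Group group) throws RepositoryException, EnsureAuthorizableException {
        Authorizable jcrGroup = ensureGroup(resourceResolver, group);
        if (jcrGroup == null) {
            log.error("Could not create or locate Group with principal name [ {} ]", group.getPrincipalName());
            return;
        }
        this.ensureAce.ensureAces(resourceResolver, jcrGroup, group);
        ensureMembership(resourceResolver, jcrGroup instanceof org.apache.jackrabbit.api.security.user.Group
                ? (org.apache.jackrabbit.api.security.user.Group) jcrGroup : ensureGroup(resourceResolver, group), group);
    }

    /**
     * Removes the group's ACEs, detaches it from every parent group and deletes it.
     * A group that does not exist is left alone apart from the ACE clean-up call.
     */
    private void ensureRemoval(ResourceResolver resourceResolver, Group group) throws RepositoryException, EnsureAuthorizableException {
        org.apache.jackrabbit.api.security.user.Group jcrGroup = findGroup(resourceResolver, group.getPrincipalName());
        // NOTE(review): removeAces is called even when the group was not found (jcrGroup == null);
        // confirm EnsureAce tolerates a null authorizable.
        this.ensureAce.removeAces(resourceResolver, jcrGroup, group);
        if (jcrGroup != null) {
            ensureRemoveMembership(jcrGroup);
            jcrGroup.remove();
        }
    }

    /**
     * Adapts the resolver to a {@link UserManager}.
     *
     * @throws EnsureAuthorizableException if the resolver cannot be adapted (adaptTo returned null)
     */
    private static UserManager getUserManager(ResourceResolver resourceResolver) throws EnsureAuthorizableException {
        UserManager userManager = resourceResolver.adaptTo(UserManager.class);
        if (userManager == null) {
            throw new EnsureAuthorizableException("Could not obtain a UserManager from the service resource resolver.");
        }
        return userManager;
    }

    /** Returns the existing group for the definition, creating it at its intermediate path if absent. */
    private org.apache.jackrabbit.api.security.user.Group ensureGroup(ResourceResolver resourceResolver, Group group) throws RepositoryException, EnsureAuthorizableException {
        org.apache.jackrabbit.api.security.user.Group jcrGroup = findGroup(resourceResolver, group.getPrincipalName());
        if (jcrGroup == null) {
            UserManager userManager = getUserManager(resourceResolver);
            log.debug("Requesting creation of group [ {} ] at [ {} ]", group.getPrincipalName(), group.getIntermediatePath());
            jcrGroup = userManager.createGroup(new SimplePrincipal(group.getPrincipalName()), group.getIntermediatePath());
            log.debug("Created group at [ {} ]", jcrGroup.getPath());
        }
        return jcrGroup;
    }

    /**
     * Looks up a group by id.
     *
     * @return the group, or {@code null} when no authorizable with that id exists
     * @throws EnsureAuthorizableException if the id resolves to something that is not a group
     *         (e.g. a user), so a user is never modified or removed by mistake
     */
    private org.apache.jackrabbit.api.security.user.Group findGroup(ResourceResolver resourceResolver, String str) throws RepositoryException, EnsureAuthorizableException {
        Authorizable authorizable = getUserManager(resourceResolver).getAuthorizable(str);
        if (authorizable == null) {
            return null;
        }
        if (!(authorizable instanceof org.apache.jackrabbit.api.security.user.Group)) {
            throw new EnsureAuthorizableException(String.format("Authorizable [ %s ] at [ %s ] is not a group", str, authorizable.getPath()));
        }
        return (org.apache.jackrabbit.api.security.user.Group) authorizable;
    }

    /**
     * Aligns the declared parent groups of {@code group} with the configured "member-of" list.
     * The group is removed from every parent that is not listed, then added to every listed
     * parent it is not yet a declared member of.
     */
    private void ensureMembership(ResourceResolver resourceResolver, org.apache.jackrabbit.api.security.user.Group group, Group group2) throws EnsureAuthorizableException, RepositoryException {
        UserManager userManager = getUserManager(resourceResolver);
        List<String> memberOf = group2.getMemberOf();
        Iterator<org.apache.jackrabbit.api.security.user.Group> declaredMemberOf = group.declaredMemberOf();
        while (declaredMemberOf.hasNext()) {
            org.apache.jackrabbit.api.security.user.Group parent = declaredMemberOf.next();
            String name = parent.getPrincipal().getName();
            if (memberOf.contains(name)) {
                // Record the existing membership on the definition; presumably this is what
                // getMissingMemberOf() subtracts below. TODO confirm against Group.
                group2.addMembership(name);
            } else {
                // Not configured: revoke, so the configuration is the single source of truth.
                parent.removeMember(group);
            }
        }
        for (String str : group2.getMissingMemberOf()) {
            Authorizable authorizable = userManager.getAuthorizable(str);
            if (authorizable == null) {
                // Surface the partially applied configuration instead of skipping silently.
                log.warn("Group [ {} ] is configured as a member of [ {} ], which does not exist. Skipping...", group2.getPrincipalName(), str);
                continue;
            }
            if (!(authorizable instanceof org.apache.jackrabbit.api.security.user.Group)) {
                throw new EnsureAuthorizableException(String.format("Authorizable [ %s ] at [ %s ] is not a group", str, authorizable.getPath()));
            }
            ((org.apache.jackrabbit.api.security.user.Group) authorizable).addMember(group);
        }
    }

    /** Removes {@code group} from every group it is a declared member of. */
    private void ensureRemoveMembership(org.apache.jackrabbit.api.security.user.Group group) throws RepositoryException {
        Iterator<org.apache.jackrabbit.api.security.user.Group> declaredMemberOf = group.declaredMemberOf();
        while (declaredMemberOf.hasNext()) {
            declaredMemberOf.next().removeMember(group);
        }
    }

    /**
     * Reads the configuration and, unless "ensure-immediately" is false, applies it at once.
     *
     * @param map the component configuration
     * @throws IllegalArgumentException if the configured operation is not a known {@link Operation}
     */
    @Activate
    protected void activate(Map<String, Object> map) {
        boolean ensureImmediately = PropertiesUtil.toBoolean(map.get(PROP_ENSURE_IMMEDIATELY), DEFAULT_ENSURE_IMMEDIATELY);
        String upperCase = StringUtils.upperCase(PropertiesUtil.toString(map.get(PROP_OPERATION), DEFAULT_OPERATION));
        // Only the enum lookup is guarded, so an IllegalArgumentException raised elsewhere is
        // not misreported as an unknown operation.
        try {
            this.operation = Operation.valueOf(upperCase);
        } catch (IllegalArgumentException e) {
            throw new IllegalArgumentException("Unknown Ensure Group operation [ " + upperCase + " ]", e);
        }
        try {
            this.group = new Group(map);
            if (ensureImmediately) {
                ensure(this.operation, getAuthorizable());
            } else {
                log.info("This Group is configured to NOT ensure immediately. Please ensure this Group via the JMX MBean.");
            }
        } catch (EnsureAuthorizableException e) {
            // Deliberately logged rather than rethrown: the component still activates.
            log.error("Unable to ensure Group [ {} ]", PropertiesUtil.toString(map.get(PROP_PRINCIPAL_NAME), "Undefined Group Principal Name"), e);
        }
    }

    protected void bindResourceResolverFactory(ResourceResolverFactory resourceResolverFactory) {
        this.resourceResolverFactory = resourceResolverFactory;
    }

    protected void unbindResourceResolverFactory(ResourceResolverFactory resourceResolverFactory) {
        // Only clear the field if the service being unbound is the one currently held.
        if (this.resourceResolverFactory == resourceResolverFactory) {
            this.resourceResolverFactory = null;
        }
    }

    protected void bindEnsureAce(EnsureAce ensureAce) {
        this.ensureAce = ensureAce;
    }

    protected void unbindEnsureAce(EnsureAce ensureAce) {
        // Only clear the field if the service being unbound is the one currently held.
        if (this.ensureAce == ensureAce) {
            this.ensureAce = null;
        }
    }
}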
