package com.adobe.acs.commons.users.impl;

import com.day.cq.search.PredicateGroup;
import com.day.cq.search.QueryBuilder;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.ValueFactory;
import javax.jcr.ValueFormatException;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.Privilege;
import org.apache.commons.lang.StringUtils;
import org.apache.felix.scr.annotations.Activate;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.ConfigurationPolicy;
import org.apache.felix.scr.annotations.Properties;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.PropertyOption;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.Service;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.commons.osgi.PropertiesUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

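/**
 * Reconciles one system (service) user and its access control entries with an OSGi factory
 * configuration.
 *
 * <p>{@link Operation#ADD} creates the system user if it does not exist, removes every ACE for
 * the principal that is not part of the configuration, and adds the configured ACEs that are
 * still missing. {@link Operation#REMOVE} strips all ACEs for the principal and deletes the user.
 * Either way the configuration wins: manual ACE drift on a managed principal is reverted on the
 * next ensure.
 *
 * <p>All repository work is done through a service resource resolver for the
 * {@value #SERVICE_NAME} sub-service and is committed once, after the whole operation
 * succeeded; when any step fails the resolver is closed without a commit, so the pending
 * changes are not persisted.
 *
 * <p>The component only ever adopts {@link User#isSystemUser() system} users: an existing
 * authorizable with the configured principal name that is a group or a regular (login-capable)
 * user aborts the operation instead of being modified or deleted.
 *
 * <p>Not thread-safe: {@link #operation} and {@link #serviceUser} are plain fields written by
 * {@link #activate(Map)}.
 */
@Service({EnsureServiceUser.class})
@Component(label = "ACS AEM Commons - Ensure Service User", configurationFactory = true, metatype = true, immediate = true, policy = ConfigurationPolicy.REQUIRE)
@Properties({@Property(name = "webconsole.configurationFactory.nameHint", value = {"Ensure Service User: {operation} {principalName}"})})
public final class EnsureServiceUser {
    /** Service user built from the configuration in {@link #activate(Map)}; null until then. */
    private ServiceUser serviceUser = null;
    /** Operation parsed from the configuration in {@link #activate(Map)}; null until then. */
    private Operation operation = null;

    @Property(label = "Ensure immediately", boolValue = {true}, description = "Ensure on activation. When set to false, this must be ensured via the JMX MBean.")
    public static final String PROP_ENSURE_IMMEDIATELY = "ensure-immediately";
    public static final String DEFAULT_OPERATION = "add";

    @Property(label = "Operation", description = "Defines if the service user (principal name) should be adjusted to align with this config or removed completely", options = {@PropertyOption(name = DEFAULT_OPERATION, value = "Ensure existence (add)"), @PropertyOption(name = "remove", value = "Ensure extinction (remove)")})
    public static final String PROP_OPERATION = "operation";

    @Property(label = "Principal Name", description = "The service user's principal name")
    public static final String PROP_PRINCIPAL_NAME = "principalName";

    @Property(label = "ACEs", description = "This field is ignored if the Operation is set to 'Ensure extinction' (remove)", cardinality = Integer.MAX_VALUE)
    public static final String PROP_ACES = "aces";

    @Reference
    private ResourceResolverFactory resourceResolverFactory;

    @Reference
    private QueryBuilder queryBuilder;
    private static final Logger log = LoggerFactory.getLogger(EnsureServiceUser.class);
    /** Sub-service name used to obtain the service resource resolver. */
    private static final String SERVICE_NAME = "ensure-service-user";
    /** Auth info for {@link ResourceResolverFactory#getServiceResourceResolver(Map)}; the key is the sling sub-service key. */
    private static final Map<String, Object> AUTH_INFO = Collections.singletonMap("sling.service.subservice", SERVICE_NAME);
    /** Default for {@link #PROP_ENSURE_IMMEDIATELY}. Left non-final for source compatibility; treat it as a constant. */
    public static boolean DEFAULT_ENSURE_IMMEDIATELY = true;

    /** JCR property type codes, numerically equal to {@code javax.jcr.PropertyType.STRING} / {@code NAME}. */
    private static final int PROPERTY_TYPE_STRING = 1;
    private static final int PROPERTY_TYPE_NAME = 7;

    /** Unlimited result size for the QueryBuilder query in {@link #findAcls}. */
    private static final String QUERY_LIMIT_UNBOUNDED = "-1";

    /** What {@link #ensure(Operation, ServiceUser)} should guarantee for the configured principal. */
    public enum Operation {
        /** Make sure the system user exists and its ACEs match the configuration. */
        ADD,
        /** Make sure the system user and all of its ACEs are gone. */
        REMOVE
    }

    /**
     * @return the service user built from this component's configuration, or null before activation
     */
    public ServiceUser getServiceUser() {
        return this.serviceUser;
    }

    /**
     * @return the operation parsed from this component's configuration, or null before activation
     */
    public Operation getOperation() {
        return this.operation;
    }

    /**
     * Applies {@code operation} for {@code serviceUser} inside a dedicated service resource
     * resolver and commits only if everything succeeded.
     *
     * <p>The resolver is always closed, including when a step throws; uncommitted changes are
     * therefore not persisted on failure.
     *
     * @param operation ADD or REMOVE; any other value (only null is possible) is rejected
     * @param serviceUser the user and ACEs to ensure; must not be null
     * @throws EnsureServiceUserException when the operation is unknown or any repository step fails
     *         (the underlying exception is attached as the cause)
     * @throws NullPointerException if {@code serviceUser} is null
     */
    public void ensure(Operation operation, ServiceUser serviceUser) throws EnsureServiceUserException {
        Objects.requireNonNull(serviceUser, "serviceUser");
        final long start = System.currentTimeMillis();
        final String principalName = serviceUser.getPrincipalName();
        ResourceResolver resourceResolver = null;
        try {
            resourceResolver = this.resourceResolverFactory.getServiceResourceResolver(AUTH_INFO);
            if (Operation.ADD.equals(operation)) {
                ensureExistance(resourceResolver, serviceUser);
            } else if (Operation.REMOVE.equals(operation)) {
                ensureRemoval(resourceResolver, serviceUser);
            } else {
                // Operation has exactly two constants, so this branch only sees null.
                throw new EnsureServiceUserException("Unable to determine Ensure Service User operation (it is null)");
            }
            if (resourceResolver.hasChanges()) {
                resourceResolver.commit();
                log.debug("Persisted change to Service User [ {} ]", principalName);
            } else {
                log.debug("No changes required for Service User [ {} ]. Skipping...", principalName);
            }
            // Log the parameter, not the field: callers may ensure a user other than the configured one.
            log.info("Successfully ensured [ {} ] of Service User [ {} ] in [ {} ms ]",
                    operation, principalName, System.currentTimeMillis() - start);
        } catch (Exception e) {
            // String.valueOf-style formatting: a null operation must not turn into an NPE here.
            throw new EnsureServiceUserException(String.format("Failed to ensure [ %s ] of Service User [ %s ]", operation, principalName), e);
        } finally {
            if (resourceResolver != null) {
                resourceResolver.close();
            }
        }
    }

    /**
     * ADD semantics: create the system user if needed, then reconcile its ACEs.
     *
     * @param resourceResolver service resolver whose pending changes the caller commits
     * @param serviceUser configured user and ACEs
     * @throws RepositoryException on JCR access failures
     * @throws EnsureServiceUserException if the principal name belongs to a non-system authorizable
     *         or the resolver cannot provide a {@link UserManager}
     */
    protected void ensureExistance(ResourceResolver resourceResolver, ServiceUser serviceUser) throws RepositoryException, EnsureServiceUserException {
        final User systemUser = ensureSystemUser(resourceResolver, serviceUser);
        if (systemUser == null) {
            log.error("Could not create or locate System User with principal name [ {} ]", serviceUser.getPrincipalName());
            return;
        }
        ensureAces(resourceResolver, systemUser, serviceUser);
    }

    /**
     * REMOVE semantics: drop every ACE for the principal, then delete the user if it exists.
     *
     * <p>ACE removal runs even when the user is absent, so orphaned ACEs for the principal are
     * cleaned up as well.
     *
     * @throws RepositoryException on JCR access failures
     * @throws EnsureServiceUserException if the principal name belongs to a non-system authorizable
     */
    private void ensureRemoval(ResourceResolver resourceResolver, ServiceUser serviceUser) throws RepositoryException, EnsureServiceUserException {
        final User systemUser = findSystemUser(resourceResolver, serviceUser.getPrincipalName());
        removeAces(resourceResolver, systemUser, serviceUser);
        if (systemUser != null) {
            systemUser.remove();
        }
    }

    /**
     * Returns the existing system user for the configured principal, creating it at the
     * configured intermediate path when none exists.
     *
     * @throws RepositoryException on JCR access failures
     * @throws EnsureServiceUserException if the principal name belongs to a non-system authorizable
     *         or no {@link UserManager} is available
     */
    private User ensureSystemUser(ResourceResolver resourceResolver, ServiceUser serviceUser) throws RepositoryException, EnsureServiceUserException {
        final String principalName = serviceUser.getPrincipalName();
        User systemUser = findSystemUser(resourceResolver, principalName);
        if (systemUser == null) {
            final UserManager userManager = getUserManager(resourceResolver);
            log.debug("Requesting creation of system user [ {} ] at [ {} ]", principalName, serviceUser.getIntermediatePath());
            systemUser = userManager.createSystemUser(principalName, serviceUser.getIntermediatePath());
            log.debug("Created system user at [ {} ]", systemUser.getPath());
        }
        return systemUser;
    }

    /**
     * Brings the principal's ACEs in line with the configuration.
     *
     * <p>Pass 1 walks every ACL that already holds an ACE for the principal (see
     * {@link #findAcls}): ACEs on paths the configuration does not cover, and ACEs on covered
     * paths that do not match any configured {@link Ace}, are removed; matching ones are marked
     * as existing. ACLs on the user's own home node or below it are left alone. Pass 2 adds each
     * configured ACE that is still missing (presumably those not marked in pass 1 — that logic
     * lives in {@link ServiceUser}); a missing content path is logged and counted, not created.
     *
     * @return number of configured ACEs skipped because their content path does not exist
     * @throws RepositoryException on JCR access failures, or when no ACL can be obtained for a
     *         configured content path
     */
    private int ensureAces(ResourceResolver resourceResolver, User user, ServiceUser serviceUser) throws RepositoryException {
        final String principalName = serviceUser.getPrincipalName();
        final String userPath = user.getPath();
        final Session session = getSession(resourceResolver);
        final JackrabbitAccessControlManager accessControlManager = (JackrabbitAccessControlManager) session.getAccessControlManager();

        // Pass 1: reconcile ACLs that already carry an ACE for this principal.
        for (JackrabbitAccessControlList acl : findAcls(resourceResolver, principalName, accessControlManager)) {
            final String aclPath = acl.getPath();
            if (isSelfOrDescendant(aclPath, userPath)) {
                // The ACL on the user's own home node (e.g. its self-read ACE) is not managed here.
                continue;
            }
            final boolean pathIsConfigured = serviceUser.hasAceAt(aclPath);
            for (JackrabbitAccessControlEntry entry : (JackrabbitAccessControlEntry[]) acl.getAccessControlEntries()) {
                if (!StringUtils.equals(principalName, entry.getPrincipal().getName())) {
                    continue;
                }
                if (!pathIsConfigured) {
                    log.debug("Service user does NOT cover the path yet has an ACE; ensure removal of the ace! {}", entry.toString());
                    acl.removeAccessControlEntry(entry);
                    continue;
                }
                final Ace configuredAce = serviceUser.getAce(entry);
                if (configuredAce == null) {
                    acl.removeAccessControlEntry(entry);
                    log.debug("Removed System ACE as it doesn't exist in Service User [ {} ] configuration", principalName);
                } else {
                    configuredAce.setExists(true);
                    log.debug("No-op on System ACE as it already matches Service User [ {} ] configuration", principalName);
                }
            }
            accessControlManager.setPolicy(aclPath, acl);
        }

        // Pass 2: add the configured ACEs that are not in place yet.
        int missingPaths = 0;
        final ValueFactory valueFactory = session.getValueFactory();
        for (Ace ace : serviceUser.getMissingAces()) {
            final String contentPath = ace.getContentPath();
            if (resourceResolver.getResource(contentPath) == null) {
                log.warn("Unable to apply Service User [ {} ] privileges due to missing path at [ {} ]. Please create the path and re-ensure this service user.", principalName, contentPath);
                missingPaths++;
                continue;
            }
            final JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(session, contentPath);
            if (acl == null) {
                throw new RepositoryException(String.format("No access control list available at [ %s ] for Service User [ %s ]", contentPath, principalName));
            }
            final Map<String, Value> restrictions = new HashMap<String, Value>();
            final Map<String, Value[]> multiValueRestrictions = new HashMap<String, Value[]>();
            if (ace.hasRepGlob()) {
                restrictions.put("rep:glob", valueFactory.createValue(ace.getRepGlob(), PROPERTY_TYPE_STRING));
            }
            if (ace.hasRepNtNames()) {
                multiValueRestrictions.put("rep:ntNames", getMultiValues(valueFactory, ace.getRepNtNames(), PROPERTY_TYPE_NAME));
            }
            if (ace.hasRepItemNames()) {
                multiValueRestrictions.put("rep:itemNames", getMultiValues(valueFactory, ace.getRepItemNames(), PROPERTY_TYPE_NAME));
            }
            if (ace.hasRepPrefixes()) {
                multiValueRestrictions.put("rep:prefixes", getMultiValues(valueFactory, ace.getRepPrefixes(), PROPERTY_TYPE_STRING));
            }
            final Privilege[] privileges = (Privilege[]) ace.getPrivileges(accessControlManager).toArray(new Privilege[0]);
            acl.addEntry(user.getPrincipal(), privileges, ace.isAllow(), restrictions, multiValueRestrictions);
            accessControlManager.setPolicy(contentPath, acl);
            log.debug("Added Service User ACE for [ {} ] to [ {} ]", principalName, contentPath);
        }
        return missingPaths;
    }

    /**
     * Removes every ACE for the principal from every ACL that holds one, except ACLs on the
     * user's own home node or below it (skipped the same way as in {@link #ensureAces}).
     *
     * @param user the system user, or null when it does not exist (orphaned ACEs are still removed)
     * @throws RepositoryException on JCR access failures
     */
    private void removeAces(ResourceResolver resourceResolver, User user, ServiceUser serviceUser) throws RepositoryException {
        final String principalName = serviceUser.getPrincipalName();
        final String userPath = user == null ? null : user.getPath();
        final JackrabbitAccessControlManager accessControlManager =
                (JackrabbitAccessControlManager) getSession(resourceResolver).getAccessControlManager();
        for (JackrabbitAccessControlList acl : findAcls(resourceResolver, principalName, accessControlManager)) {
            final String aclPath = acl.getPath();
            if (userPath != null && isSelfOrDescendant(aclPath, userPath)) {
                continue;
            }
            for (JackrabbitAccessControlEntry entry : (JackrabbitAccessControlEntry[]) acl.getAccessControlEntries()) {
                if (StringUtils.equals(principalName, entry.getPrincipal().getName())) {
                    acl.removeAccessControlEntry(entry);
                }
            }
            accessControlManager.setPolicy(aclPath, acl);
            log.debug("Removed ACE from ACL at [ {} ] for [ {} ]", aclPath, principalName);
        }
    }

    /**
     * Looks up the authorizable for {@code principalName} and returns it only if it is a system
     * user.
     *
     * <p>This is the guard that keeps the component from adopting — or, under REMOVE, deleting —
     * a group or a regular user that happens to carry the configured principal name.
     *
     * @return the system user, or null if no authorizable with that name exists
     * @throws RepositoryException on JCR access failures
     * @throws EnsureServiceUserException if the authorizable exists but is not a system user, or
     *         no {@link UserManager} is available
     */
    private User findSystemUser(ResourceResolver resourceResolver, String principalName) throws RepositoryException, EnsureServiceUserException {
        final Authorizable authorizable = getUserManager(resourceResolver).getAuthorizable(principalName);
        if (authorizable == null) {
            return null;
        }
        if (!(authorizable instanceof User)) {
            throw new EnsureServiceUserException(String.format("Authorizable [ %s ] at [ %s ] is not a user", principalName, authorizable.getPath()));
        }
        final User user = (User) authorizable;
        if (!user.isSystemUser()) {
            throw new EnsureServiceUserException(String.format("User [ %s ] ensureExistance at [ %s ] but is NOT a system user", principalName, user.getPath()));
        }
        return user;
    }

    /**
     * Finds every ACL that contains at least one ACE for {@code principalName}.
     *
     * <p>Queries {@code rep:ACE} nodes by {@code rep:principalName} (the value is passed as a
     * predicate parameter, not spliced into a query string) and resolves each hit to the node
     * two levels up, i.e. the node that owns the {@code rep:policy}. Each access-controlled path
     * is visited once, so an ACL with several ACEs for the principal is returned a single time.
     *
     * @return the first {@link JackrabbitAccessControlList} policy of each such path, in query order
     * @throws RepositoryException on JCR access failures
     */
    private List<JackrabbitAccessControlList> findAcls(ResourceResolver resourceResolver, String principalName, JackrabbitAccessControlManager accessControlManager) throws RepositoryException {
        final Set<String> visitedPaths = new HashSet<String>();
        final List<JackrabbitAccessControlList> acls = new ArrayList<JackrabbitAccessControlList>();

        final Map<String, String> params = new HashMap<String, String>();
        params.put("type", "rep:ACE");
        params.put("property", "rep:principalName");
        params.put("property.value", principalName);
        params.put("p.limit", QUERY_LIMIT_UNBOUNDED);

        final Iterator<Resource> hits = this.queryBuilder
                .createQuery(PredicateGroup.create(params), getSession(resourceResolver))
                .getResult()
                .getResources();
        while (hits.hasNext()) {
            final Resource policyNode = hits.next().getParent();
            final Resource accessControlled = policyNode == null ? null : policyNode.getParent();
            if (accessControlled == null) {
                continue;
            }
            final String path = accessControlled.getPath();
            if (!visitedPaths.add(path)) {
                continue;
            }
            // getPolicies() returns AccessControlPolicy[]; only the Jackrabbit ACL flavour is usable here.
            for (Object policy : accessControlManager.getPolicies(path)) {
                if (policy instanceof JackrabbitAccessControlList) {
                    acls.add((JackrabbitAccessControlList) policy);
                    break;
                }
            }
        }
        return acls;
    }

    /**
     * Converts each string into a JCR {@link Value} of the given property type.
     *
     * @param propertyType a {@code javax.jcr.PropertyType} code (see {@link #PROPERTY_TYPE_STRING},
     *        {@link #PROPERTY_TYPE_NAME})
     * @throws ValueFormatException if a string cannot be converted to the requested type
     */
    private Value[] getMultiValues(ValueFactory valueFactory, List<String> values, int propertyType) throws ValueFormatException {
        final List<Value> result = new ArrayList<Value>(values.size());
        for (String value : values) {
            result.add(valueFactory.createValue(value, propertyType));
        }
        return result.toArray(new Value[result.size()]);
    }

    /**
     * @return true if {@code path} equals {@code basePath} or lies below it as a JCR path
     *         (segment-aware, so {@code /a/b} is not under {@code /a/bc}); false if either is null
     */
    private static boolean isSelfOrDescendant(String path, String basePath) {
        if (path == null || basePath == null) {
            return false;
        }
        if (path.equals(basePath)) {
            return true;
        }
        final String prefix = basePath.endsWith("/") ? basePath : basePath + "/";
        return path.startsWith(prefix);
    }

    /** @throws RepositoryException if the resolver cannot be adapted to a JCR session */
    private static Session getSession(ResourceResolver resourceResolver) throws RepositoryException {
        final Session session = resourceResolver.adaptTo(Session.class);
        if (session == null) {
            throw new RepositoryException("Unable to adapt ResourceResolver to a JCR Session");
        }
        return session;
    }

    /** @throws EnsureServiceUserException if the resolver cannot be adapted to a {@link UserManager} */
    private static UserManager getUserManager(ResourceResolver resourceResolver) throws EnsureServiceUserException {
        final UserManager userManager = resourceResolver.adaptTo(UserManager.class);
        if (userManager == null) {
            throw new EnsureServiceUserException("Unable to adapt ResourceResolver to a UserManager");
        }
        return userManager;
    }

    /**
     * Reads the operation and service user from the OSGi configuration and ensures immediately
     * unless {@link #PROP_ENSURE_IMMEDIATELY} is false.
     *
     * <p>An unknown operation is a configuration error and fails activation with an
     * {@link IllegalArgumentException}; a failed ensure is logged (with its cause) and does not
     * fail activation.
     *
     * @param config OSGi component properties
     */
    @Activate
    protected void activate(Map<String, Object> config) {
        final boolean ensureImmediately = PropertiesUtil.toBoolean(config.get(PROP_ENSURE_IMMEDIATELY), DEFAULT_ENSURE_IMMEDIATELY);
        // Locale.ROOT: the enum names are ASCII and must not depend on the JVM's default locale.
        final String operationName = PropertiesUtil.toString(config.get(PROP_OPERATION), DEFAULT_OPERATION).toUpperCase(Locale.ROOT);
        try {
            this.operation = Operation.valueOf(operationName);
        } catch (IllegalArgumentException e) {
            throw new IllegalArgumentException("Unknown Ensure Service User operation [ " + operationName + " ]", e);
        }
        try {
            this.serviceUser = new ServiceUser(config);
            if (ensureImmediately) {
                ensure(this.operation, this.serviceUser);
            } else {
                log.info("This Service User is configured to NOT ensure immediately. Please ensure this Service User via the JMX MBean.");
            }
        } catch (EnsureServiceUserException e) {
            log.error("Unable to ensure Service User [ {} ]", PropertiesUtil.toString(config.get(PROP_PRINCIPAL_NAME), "Undefined Service User Principal Name"), e);
        }
    }

    /** SCR bind method for {@link #resourceResolverFactory}. */
    protected void bindResourceResolverFactory(ResourceResolverFactory resourceResolverFactory) {
        this.resourceResolverFactory = resourceResolverFactory;
    }

    /** SCR unbind method; only clears the field if the unbound instance is the bound one. */
    protected void unbindResourceResolverFactory(ResourceResolverFactory resourceResolverFactory) {
        if (this.resourceResolverFactory == resourceResolverFactory) {
            this.resourceResolverFactory = null;
        }
    }

    /** SCR bind method for {@link #queryBuilder}. */
    protected void bindQueryBuilder(QueryBuilder queryBuilder) {
        this.queryBuilder = queryBuilder;
    }

    /** SCR unbind method; only clears the field if the unbound instance is the bound one. */
    protected void unbindQueryBuilder(QueryBuilder queryBuilder) {
        if (this.queryBuilder == queryBuilder) {
            this.queryBuilder = null;
        }
    }
}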
