package com.adobe.granite.repository.impl;

import com.google.common.collect.Iterables;
import java.io.Closeable;
import java.io.IOException;
import java.security.AccessControlContext;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import java.util.stream.StreamSupport;
import javax.jcr.Credentials;
import javax.jcr.NoSuchWorkspaceException;
import javax.jcr.RepositoryException;
import javax.jcr.security.AccessControlManager;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginException;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy;
import org.apache.jackrabbit.api.security.authorization.PrincipalAccessControlList;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.oak.api.ContentRepository;
import org.apache.jackrabbit.oak.api.ContentSession;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import org.apache.jackrabbit.oak.spi.security.authentication.SystemSubject;
import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalConfiguration;
import org.apache.jackrabbit.oak.spi.security.user.UserConfiguration;
import org.apache.sling.commons.metrics.MetricsService;
import org.apache.sling.serviceusermapping.ServicePrincipalsValidator;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.metatype.annotations.AttributeDefinition;
import org.osgi.service.metatype.annotations.Designate;
import org.osgi.service.metatype.annotations.ObjectClassDefinition;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Designate(ocd = Config.class)
@Component(service = {ServicePrincipalsValidator.class}, configurationPolicy = ConfigurationPolicy.REQUIRE)
/* loaded from: input_file:com/adobe/granite/repository/impl/SystemPrincipalsValidation.class */
public class SystemPrincipalsValidation implements ServicePrincipalsValidator {
    private static final Logger log = LoggerFactory.getLogger(SystemPrincipalsValidation.class);
    private boolean warnOnly;
    private final ContentRepository contentRepository;
    private final SecurityProvider securityProvider;
    private final Map<String, Boolean> validatedPrincipalNames = new ConcurrentHashMap();
    private final AtomicInteger inconsistentMappingCounter = new AtomicInteger();

    @ObjectClassDefinition(name = "Adobe Granite System Principal Validator", description = "Validates service mappings with principals mandating principal-based access control setup.")
    /* loaded from: input_file:com/adobe/granite/repository/impl/SystemPrincipalsValidation$Config.class */
    public @interface Config {
        @AttributeDefinition(name = "Log only warning", description = "If set to true, only a warning is logged instead of rendering mappings containing principals without principal-based access control setup invalid.")
        boolean warnOnly() default false;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/adobe/granite/repository/impl/SystemPrincipalsValidation$ManagerSupplier.class */
    public final class ManagerSupplier implements Closeable {
        private ContentSession contentSessionSession;
        private Root root;
        private AccessControlManager accessControlManager;
        private PrincipalManager principalManager;
        private UserManager userManager;

        private ManagerSupplier() {
        }

        @Nullable
        private Root getRoot() {
            if (this.root == null) {
                this.contentSessionSession = (ContentSession) Subject.doAsPrivileged(SystemSubject.INSTANCE, () -> {
                    try {
                        return SystemPrincipalsValidation.this.contentRepository.login((Credentials) null, (String) null);
                    } catch (LoginException | NoSuchWorkspaceException e) {
                        SystemPrincipalsValidation.log.error("Failed to retrieve system session.", e);
                        return null;
                    }
                }, (AccessControlContext) null);
                if (this.contentSessionSession != null) {
                    this.root = this.contentSessionSession.getLatestRoot();
                }
            }
            return this.root;
        }

        /* JADX INFO: Access modifiers changed from: private */
        @Nullable
        public AccessControlManager getAccessControlManager() {
            Root root;
            if (this.accessControlManager == null && (root = getRoot()) != null) {
                this.accessControlManager = ((AuthorizationConfiguration) SystemPrincipalsValidation.this.securityProvider.getConfiguration(AuthorizationConfiguration.class)).getAccessControlManager(root, NamePathMapper.DEFAULT);
            }
            return this.accessControlManager;
        }

        @Nullable
        public PrincipalManager getPrincipalManager() {
            Root root;
            if (this.principalManager == null && (root = getRoot()) != null) {
                this.principalManager = ((PrincipalConfiguration) SystemPrincipalsValidation.this.securityProvider.getConfiguration(PrincipalConfiguration.class)).getPrincipalManager(root, NamePathMapper.DEFAULT);
            }
            return this.principalManager;
        }

        @Nullable
        public UserManager getUserManager() {
            Root root;
            if (this.userManager == null && (root = getRoot()) != null) {
                this.userManager = ((UserConfiguration) SystemPrincipalsValidation.this.securityProvider.getConfiguration(UserConfiguration.class)).getUserManager(root, NamePathMapper.DEFAULT);
            }
            return this.userManager;
        }

        @Override // java.io.Closeable, java.lang.AutoCloseable
        public void close() throws IOException {
            this.root = null;
            this.accessControlManager = null;
            this.principalManager = null;
            if (this.contentSessionSession != null) {
                this.contentSessionSession.close();
            }
        }
    }

    @Activate
    public SystemPrincipalsValidation(Config config, @Reference ContentRepository contentRepository, @Reference SecurityProvider securityProvider, @Reference MetricsService metricsService) {
        this.contentRepository = contentRepository;
        this.securityProvider = securityProvider;
        AtomicInteger atomicInteger = this.inconsistentMappingCounter;
        Objects.requireNonNull(atomicInteger);
        metricsService.gauge("serviceusermapping.principal.inconsistent-mapping.gauge", atomicInteger::get);
        this.warnOnly = config.warnOnly();
    }

    public boolean isValid(Iterable<String> iterable, String str, String str2) {
        boolean validatePrincipalName;
        try {
            ManagerSupplier managerSupplier = new ManagerSupplier();
            try {
                HashSet hashSet = new HashSet();
                for (String str3 : iterable) {
                    if (this.validatedPrincipalNames.containsKey(str3)) {
                        validatePrincipalName = this.validatedPrincipalNames.get(str3).booleanValue();
                        log.debug("Principal name '{}' has already been validated. isValid = {}", str3, Boolean.valueOf(validatePrincipalName));
                    } else {
                        PrincipalManager principalManager = managerSupplier.getPrincipalManager();
                        if (principalManager == null) {
                            log.warn("Unable to validate principals: failed to obtain PrincipalManager.");
                            managerSupplier.close();
                            return false;
                        }
                        AccessControlManager accessControlManager = managerSupplier.getAccessControlManager();
                        if (!(accessControlManager instanceof JackrabbitAccessControlManager)) {
                            log.error("Unable to validate principals: expected access control manager to be JackrabbitAccessControlManager.");
                            managerSupplier.close();
                            return false;
                        }
                        validatePrincipalName = validatePrincipalName(str3, principalManager, (JackrabbitAccessControlManager) accessControlManager, managerSupplier);
                        this.validatedPrincipalNames.put(str3, Boolean.valueOf(validatePrincipalName));
                    }
                    if (!validatePrincipalName) {
                        hashSet.add(str3);
                    }
                }
                logInconsistentMapping(hashSet, iterable, str, str2);
                boolean z = this.warnOnly || hashSet.isEmpty();
                managerSupplier.close();
                return z;
            } finally {
            }
        } catch (RepositoryException e) {
            log.error("Unexpected error while validating principals", e);
            return false;
        } catch (IOException e2) {
            log.error("Failed to close system session after principal validation", e2);
            return false;
        }
    }

    private void logInconsistentMapping(@NotNull Set<String> set, @NotNull Iterable<String> iterable, @NotNull String str, @Nullable String str2) {
        if (set.isEmpty() || set.size() == Iterables.size(iterable)) {
            return;
        }
        Set set2 = (Set) StreamSupport.stream(iterable.spliterator(), false).filter(str3 -> {
            return !set.contains(str3);
        }).collect(Collectors.toSet());
        String str4 = str2 == null ? str : str + ":" + str2;
        if (this.warnOnly) {
            log.warn("Service mapping '{}' lists principals with inconsistent support for principal-based authorization. Not supported = '{}', Supported = '{}'", new Object[]{str4, set, set2});
        } else {
            log.error("Service mapping '{}' lists principals with inconsistent support for principal-based authorization. Not supported = '{}', Supported = '{}'", new Object[]{str4, set, set2});
        }
        this.inconsistentMappingCounter.incrementAndGet();
    }

    private boolean validatePrincipalName(@NotNull String str, @NotNull PrincipalManager principalManager, @NotNull JackrabbitAccessControlManager jackrabbitAccessControlManager, @NotNull ManagerSupplier managerSupplier) throws RepositoryException {
        Principal principal = principalManager.getPrincipal(str);
        if (principal == null) {
            log.warn("Principal '{}' does not exist. Trying to access through user management.", str);
            UserManager userManager = managerSupplier.getUserManager();
            if (userManager == null) {
                log.warn("Unable to validate: failed to obtain UserManager.");
                return false;
            }
            Authorizable authorizable = userManager.getAuthorizable(str);
            if (authorizable == null) {
                log.error("Principal '{}' does not exist. Unable to validate.", str);
                return false;
            }
            principal = authorizable.getPrincipal();
        }
        JackrabbitAccessControlPolicy[] policies = jackrabbitAccessControlManager.getPolicies(principal);
        if (containsPrincipalAcl(policies)) {
            return true;
        }
        if (policies.length == 0 && containsPrincipalAcl(jackrabbitAccessControlManager.getApplicablePolicies(principal))) {
            return true;
        }
        if (this.warnOnly) {
            log.warn("Refactor principal '{}' to have principal-based access control setup.", str);
            return false;
        }
        log.error("Refactor principal '{}' to have principal-based access control setup.", str);
        return false;
    }

    private static boolean containsPrincipalAcl(@NotNull JackrabbitAccessControlPolicy[] jackrabbitAccessControlPolicyArr) {
        Stream stream = Arrays.stream(jackrabbitAccessControlPolicyArr);
        Class<PrincipalAccessControlList> cls = PrincipalAccessControlList.class;
        Objects.requireNonNull(PrincipalAccessControlList.class);
        return stream.anyMatch((v1) -> {
            return r1.isInstance(v1);
        });
    }

    int getInconsistentMappingCounter() {
        return this.inconsistentMappingCounter.get();
    }
}
