package com.adobe.aem.repoapi.impl.accesscontrol;

import com.adobe.aem.dam.api.exception.DamException;
import com.adobe.aem.dam.impl.exception.DamExceptionFactory;
import com.adobe.aem.repoapi.impl.SystemEnvRepoSettingsImpl;
import com.adobe.aem.repoapi.impl.accesscontrol.ims.ImsExternalPrincipal;
import com.adobe.aem.repoapi.impl.accesscontrol.ims.ImsToken;
import com.adobe.aem.repoapi.impl.api.RepoSettings;
import com.adobe.aem.repoapi.impl.api.accesscontrol.AccessControlConstants;
import com.adobe.aem.repoapi.impl.api.accesscontrol.ImsGroupMapper;
import com.adobe.aem.repoapi.impl.api.accesscontrol.PrincipalMapper;
import com.adobe.aem.repoapi.impl.api.accesscontrol.RepoApiPrincipal;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.Iterator;
import java.util.Objects;
import java.util.Optional;
import java.util.zip.CRC32;
import javax.jcr.GuestCredentials;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import org.apache.commons.lang3.StringUtils;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.jcr.api.SlingRepository;
import org.jetbrains.annotations.NotNull;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

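/**
 * Translates between Repository API principal identifiers and JCR principals, in both
 * directions.
 *
 * <p>A Repository API user whose domain equals the configured local domain is looked up as a
 * repository user by its GUID; any other user is treated as an IMS user and looked up through
 * its {@code rep:externalId} property. Groups are resolved through the optional
 * {@link ImsGroupMapper}.
 *
 * <p>Security note: the identifiers handled here end up naming the subjects of access-control
 * decisions. Lookups that fail are reported as an empty {@link Optional} so that callers can
 * decide explicitly what an unresolved principal means.
 */
@Component(service = {PrincipalMapper.class})
public class PrincipalMapperImpl implements PrincipalMapper {
    private static final Logger log = LoggerFactory.getLogger(PrincipalMapperImpl.class);
    private final String anonymousUsername;
    // May be null: the OSGi reference is declared with OPTIONAL cardinality.
    private final ImsGroupMapper imsGroupMapper;
    private final UserMapper userMapper;
    protected RepoSettings repoSettings = new SystemEnvRepoSettingsImpl();
    // Initialised after repoSettings (field order matters); the argument is passed to
    // getInstanceDomain as-is — presumably a default for local setups, TODO confirm.
    private final String localDomain = this.repoSettings.getInstanceDomain("author-plocal-elocal.adobeaemcloud.com");

    /**
     * Creates the mapper and records the user ID the repository assigns to a guest login.
     *
     * @param slingRepository repository used for a short-lived guest login
     * @param imsGroupMapper optional IMS group mapper; may be {@code null}
     * @param userMapper mapper used for IMS user email and IMS ID lookups
     * @throws RepositoryException if the guest login fails
     */
    @Activate
    public PrincipalMapperImpl(@Reference SlingRepository slingRepository, @Reference(cardinality = ReferenceCardinality.OPTIONAL) ImsGroupMapper imsGroupMapper, @Reference UserMapper userMapper) throws RepositoryException {
        log.info("Using local domain: {}", this.localDomain);
        Session session = null;
        try {
            session = slingRepository.login(new GuestCredentials(), slingRepository.getDefaultWorkspace());
            this.anonymousUsername = session.getUserID();
            log.info("Using anonymous username: {}", this.anonymousUsername);
        } finally {
            // The guest session is only needed to read the user ID; always release it.
            if (session != null) {
                session.logout();
            }
        }
        this.imsGroupMapper = imsGroupMapper;
        this.userMapper = userMapper;
    }

    /**
     * Maps a Repository API principal, given as a string, to a JCR principal.
     *
     * @param session session whose user manager performs the lookup
     * @param imsToken IMS token of the current request
     * @param str string form of the Repository API principal
     * @return the resolved principal, or empty if none could be resolved
     * @throws DamException if the user manager cannot be obtained
     */
    public Optional<Principal> rApiPrincipalToPrincipal(@NotNull Session session, @NotNull ImsToken imsToken, String str) throws DamException {
        return rApiPrincipalToPrincipal(session, imsToken, new RepoApiPrincipal(str));
    }

    /**
     * Maps a Repository API principal to a JCR principal according to its type (special,
     * group or user).
     *
     * @param session session whose user manager performs the lookup
     * @param imsToken IMS token of the current request
     * @param repoApiPrincipal principal to map
     * @return the resolved principal, or empty if the type is not handled or nothing was found
     * @throws DamException if the user manager cannot be obtained
     */
    public Optional<Principal> rApiPrincipalToPrincipal(@NotNull Session session, @NotNull ImsToken imsToken, @NotNull RepoApiPrincipal repoApiPrincipal) throws DamException {
        log.debug("Mapping to principal: {}", repoApiPrincipal);
        if (RepoApiPrincipal.TYPE.SPECIAL == repoApiPrincipal.getType()) {
            return handleSpecialPrincipal(getUserManager(session), repoApiPrincipal);
        }
        if (RepoApiPrincipal.TYPE.GROUP == repoApiPrincipal.getType()) {
            return rApiGroupToJcrGroupPrincipal(session, imsToken, repoApiPrincipal);
        }
        if (RepoApiPrincipal.TYPE.USER == repoApiPrincipal.getType()) {
            return rApiUserToJcrUser(imsToken, getUserManager(session), repoApiPrincipal);
        }
        return Optional.empty();
    }

    /**
     * Resolves a Repository API user: as a local repository user when its domain equals the
     * local domain, otherwise as an IMS user.
     *
     * @return the resolved principal, or empty if none was found
     * @throws DamException declared for the IMS lookup path
     */
    @NotNull
    protected Optional<Principal> rApiUserToJcrUser(@NotNull ImsToken imsToken, @NotNull UserManager userManager, @NotNull RepoApiPrincipal repoApiPrincipal) throws DamException {
        if (this.localDomain.equals(repoApiPrincipal.getDomain())) {
            log.debug("Mapping principal to local user: {}", repoApiPrincipal);
            return getPrincipal(userManager, repoApiPrincipal.getGuid(), User.class);
        }
        log.debug("Mapping principal to IMS user: {}", repoApiPrincipal);
        return getImsUserPrincipal(imsToken, userManager, repoApiPrincipal.getPrincipal());
    }

    /**
     * Resolves a Repository API group to the principal of the matching JCR group.
     *
     * @return the group's principal, or empty if there is no group mapper, no matching group,
     *     or the principal cannot be read
     */
    @NotNull
    private Optional<Principal> rApiGroupToJcrGroupPrincipal(@NotNull Session session, @NotNull ImsToken imsToken, @NotNull RepoApiPrincipal repoApiPrincipal) {
        log.debug("Mapping principal to group: {}", repoApiPrincipal);
        if (this.imsGroupMapper == null) {
            // The mapper reference is optional; without it no group can be resolved.
            log.warn("No IMS group mapper available, unable to map group principal: {}", repoApiPrincipal);
            return Optional.empty();
        }
        return this.imsGroupMapper.getJcrGroup(session, imsToken, repoApiPrincipal).map(group -> {
            try {
                return group.getPrincipal();
            } catch (RepositoryException e) {
                log.error("Exception occurred when mapping IMS group to JCR principal", e);
                // Optional.map turns a null result into an empty Optional.
                return null;
            }
        });
    }

    /**
     * Resolves a Repository API group to the matching JCR group.
     *
     * @return the group, or empty if there is no group mapper or no matching group
     */
    @NotNull
    private Optional<Group> rApiGroupToJcrGroup(@NotNull Session session, @NotNull ImsToken imsToken, @NotNull RepoApiPrincipal repoApiPrincipal) {
        if (this.imsGroupMapper == null) {
            log.warn("No IMS group mapper available, unable to map group: {}", repoApiPrincipal);
            return Optional.empty();
        }
        return this.imsGroupMapper.getJcrGroup(session, imsToken, repoApiPrincipal);
    }

    /**
     * Reads the principal of an authorizable, if one is present.
     *
     * @return the principal, or empty if no authorizable is present or reading it fails
     */
    @NotNull
    private Optional<Principal> getAuthorizablePrincipal(Optional<? extends Authorizable> optional) {
        if (!optional.isPresent()) {
            return Optional.empty();
        }
        try {
            return Optional.of(optional.get().getPrincipal());
        } catch (RepositoryException e) {
            log.warn("Unable to retrieve principal from authorizable", e);
            return Optional.empty();
        }
    }

    /**
     * Looks up an authorizable by ID and returns its principal when it is of the expected type.
     *
     * @param userManager user manager performing the lookup
     * @param str authorizable ID
     * @param cls expected authorizable type
     * @return the principal, or empty if the lookup fails, finds nothing, or finds another type
     */
    private <X extends Authorizable> Optional<Principal> getPrincipal(UserManager userManager, String str, Class<X> cls) {
        try {
            return getAuthorizablePrincipal(Optional.ofNullable(cls.cast(userManager.getAuthorizable(str))));
        } catch (RepositoryException e) {
            log.warn("Failed to get authorizable for principal: {}", str, e);
            return Optional.empty();
        } catch (ClassCastException e2) {
            // A user ID that names a group (or the reverse) is treated as "not found".
            log.warn("Failed to get authorizable, principal: {} is not type: {}", str, cls.getName());
            return Optional.empty();
        }
    }

    /**
     * Resolves an IMS user by its external ID; if the user is unknown and a token is present,
     * falls back to a principal built from the email address returned by the user mapper.
     *
     * @param imsToken IMS token of the current request
     * @param userManager user manager performing the lookup
     * @param str IMS principal identifier
     * @return the resolved or synthesised principal, or empty if neither is available
     * @throws DamException declared by the method; no statement visible here throws it directly
     */
    private Optional<Principal> getImsUserPrincipal(ImsToken imsToken, UserManager userManager, String str) throws DamException {
        Optional<Principal> principal = getPrincipal(userManager, "rep:externalId", ImsExternalPrincipal.createImsExternalId(str), User.class);
        if (!principal.isPresent() && imsToken.hasToken()) {
            log.debug("IMS principal '{}' not found in system. Attempting to map to email.", str);
            Optional<String> userEmail = this.userMapper.getUserEmail(imsToken, str);
            if (userEmail.isPresent()) {
                // NOTE(review): this writes an email address to the debug log; confirm that is
                // acceptable under the deployment's log-retention and privacy rules.
                log.debug("Mapped principal '{}' to email '{}'", str, userEmail.get());
                // This principal does not come from the repository; it is built from the
                // looked-up email address.
                principal = Optional.of(new ImsExternalPrincipal(userEmail.get()));
            } else {
                log.debug("No email found for principal '{}'", str);
            }
        }
        return principal;
    }

    /**
     * Finds the first authorizable whose property matches a value and returns its principal
     * when it is of the expected type.
     *
     * <p>The type check is enforced: a match that is not an instance of {@code cls} is logged
     * and reported as empty, so a lookup for a user can never return a group's principal.
     *
     * @param userManager user manager performing the search
     * @param str relative path of the property to match
     * @param str2 value the property must have
     * @param cls expected authorizable type
     * @return the principal, or empty if the search fails, finds nothing, or finds another type
     */
    private <X extends Authorizable> Optional<Principal> getPrincipal(UserManager userManager, String str, String str2, Class<X> cls) {
        try {
            Iterator<Authorizable> matches = userManager.findAuthorizables(str, str2);
            if (matches != null && matches.hasNext()) {
                Authorizable match = matches.next();
                if (!cls.isInstance(match)) {
                    log.warn("Failed to get authorizable, authorizable found with: {}={} is not type: {}", str, str2, cls.getName());
                    return Optional.empty();
                }
                // Reading the principal can itself fail, so it stays inside the try block.
                return Optional.of(match.getPrincipal());
            }
        } catch (RepositoryException e) {
            log.warn("Failed to get authorizable for: {}={}", str, str2, e);
            return Optional.empty();
        }
        log.warn("No authorizable found with: {}={}", str, str2);
        return Optional.empty();
    }

    /**
     * Maps a special Repository API principal to the "everyone" group, the authenticated-users
     * group, or the anonymous user.
     *
     * @return the principal of the mapped group or user, or empty if it does not exist
     */
    private Optional<Principal> handleSpecialPrincipal(UserManager userManager, RepoApiPrincipal repoApiPrincipal) {
        log.debug("Mapping special principal: {}", repoApiPrincipal);
        if (AccessControlConstants.RAPI_PRINCIPAL_ALL.equals(repoApiPrincipal.getGuid())) {
            return getPrincipal(userManager, "everyone", Group.class);
        }
        if (AccessControlConstants.RAPI_PRINCIPAL_AUTHENTICATED.equals(repoApiPrincipal.getGuid())) {
            return getPrincipal(userManager, getAuthenticatedGroupName(), Group.class);
        }
        // NOTE(review): every other special GUID, including an unrecognised one, resolves to
        // the anonymous user. Confirm that RepoApiPrincipal only classifies the three known
        // identifiers as SPECIAL; otherwise an unknown value silently means "anonymous".
        return getPrincipal(userManager, this.anonymousUsername, User.class);
    }

    /**
     * Resolves a Repository API group, given as a string, to the matching JCR group.
     *
     * @return the group, or empty if there is no group mapper or no matching group
     * @throws DamException declared by the method; no statement visible here throws it directly
     */
    public Optional<Group> rApiGroupToJcrGroup(@NotNull Session session, @NotNull ImsToken imsToken, String str) throws DamException {
        return rApiGroupToJcrGroup(session, imsToken, new RepoApiPrincipal(str));
    }

    /**
     * Resolves a Repository API user, given as a string, to a JCR principal.
     *
     * @return the resolved principal, or empty if none was found
     * @throws DamException declared for the IMS lookup path
     */
    public Optional<Principal> rApiUserToJcrPrincipal(@NotNull ImsToken imsToken, UserManager userManager, String str) throws DamException {
        return rApiUserToJcrUser(imsToken, userManager, new RepoApiPrincipal(str));
    }

    /**
     * Converts a JCR authorizable to its Repository API identifier.
     *
     * @param imsToken IMS token of the current request
     * @param authorizable group or user to convert; anything that is not a group is cast to
     *     {@link User}
     * @return the Repository API identifier
     * @throws DamException if the repository reports an error
     */
    public String jcrAuthorizableToRapi(@NotNull ImsToken imsToken, Authorizable authorizable) throws DamException {
        try {
            if (authorizable instanceof Group) {
                return jcrGroupToRapi(imsToken, (Group) authorizable);
            }
            return jcrUserToRapi((User) authorizable);
        } catch (RepositoryException e) {
            throw DamExceptionFactory.fromRepositoryException(e);
        }
    }

    /**
     * Converts a JCR group to its Repository API identifier.
     *
     * <p>The "everyone" group and the authenticated-users group map to their special
     * identifiers. A group the IMS group mapper recognises maps to its IMS ID when one is
     * available. Every other group maps to {@code <id>@<localDomain>:<crc32 of id>}.
     *
     * @param imsToken IMS token of the current request
     * @param group group to convert
     * @return the Repository API identifier
     * @throws RepositoryException if the group ID cannot be read
     */
    public String jcrGroupToRapi(ImsToken imsToken, Group group) throws RepositoryException {
        String id = group.getID();
        if ("everyone".equals(id)) {
            return AccessControlConstants.RAPI_PRINCIPAL_ALL;
        }
        if (getAuthenticatedGroupName().equals(id)) {
            return AccessControlConstants.RAPI_PRINCIPAL_AUTHENTICATED;
        }
        // The charset is fixed so the suffix does not depend on the JVM's default encoding.
        // CRC32 is a non-cryptographic checksum: the suffix must not be relied on as proof
        // that the identifier is authentic or untampered.
        CRC32 crc32 = new CRC32();
        crc32.update(id.getBytes(StandardCharsets.UTF_8));
        String localId = id + "@" + this.localDomain + ":" + crc32.getValue();
        if (this.imsGroupMapper == null || !this.imsGroupMapper.isImsGroup(imsToken, group)) {
            return localId;
        }
        return this.imsGroupMapper.getImsId(imsToken, group).orElse(localId);
    }

    /**
     * Converts a JCR user to its Repository API identifier: the unauthenticated identifier for
     * the anonymous user, the IMS ID when the user has one, otherwise
     * {@code <id>@<localDomain>}.
     *
     * @param user user to convert
     * @return the Repository API identifier
     * @throws RepositoryException if the user's ID or properties cannot be read
     */
    public String jcrUserToRapi(User user) throws RepositoryException {
        if (this.anonymousUsername.equals(user.getID())) {
            return AccessControlConstants.RAPI_PRINCIPAL_UNAUTHENTICATED;
        }
        String imsId = getImsId(user);
        if (imsId != null) {
            return imsId;
        }
        return user.getID() + "@" + this.localDomain;
    }

    /**
     * Extracts the IMS ID from an authorizable's {@code rep:externalId} property.
     *
     * @return the external ID with the IMS prefix and suffix removed, or {@code null} if the
     *     property is missing, empty, or does not carry both the prefix and the suffix
     * @throws RepositoryException if the property cannot be read
     */
    private String getImsId(Authorizable authorizable) throws RepositoryException {
        if (!authorizable.hasProperty("rep:externalId")) {
            return null;
        }
        Value[] values = authorizable.getProperty("rep:externalId");
        if (values == null || values.length == 0) {
            return null;
        }
        String externalId = values[0].getString();
        String prefix = AccessControlConstants.IMS_ID_PREFIX;
        String suffix = AccessControlConstants.IMS_ID_SUFFIX;
        // The offsets follow the constants, and the length check rejects a value in which the
        // prefix and the suffix would overlap.
        boolean longEnough = externalId.length() >= prefix.length() + suffix.length();
        if (longEnough && externalId.startsWith(prefix) && externalId.endsWith(suffix)) {
            return externalId.substring(prefix.length(), externalId.length() - suffix.length());
        }
        return null;
    }

    /**
     * Obtains the user manager of a session.
     *
     * @param session session to use; cast to {@link JackrabbitSession} without a type check
     * @return the session's user manager
     * @throws DamException if the repository reports an error
     */
    private UserManager getUserManager(@NotNull Session session) throws DamException {
        try {
            return ((JackrabbitSession) session).getUserManager();
        } catch (RepositoryException e) {
            throw DamExceptionFactory.fromRepositoryException(e);
        }
    }

    /**
     * Maps a Repository API principal, given as a string, to a principal that is never
     * {@code null}.
     *
     * @throws DamException if the user manager cannot be obtained
     */
    @Override
    @NotNull
    public Principal rApiPrincipalToOakPrincipal(@NotNull Session session, @NotNull ImsToken imsToken, @NotNull String str) throws DamException {
        return rApiPrincipalToOakPrincipal(session, imsToken, new RepoApiPrincipal(str));
    }

    /**
     * Maps a Repository API principal to a principal that is never {@code null}.
     *
     * @param session session whose user manager performs the lookup
     * @param imsToken IMS token of the current request
     * @param repoApiPrincipal principal to map
     * @return the resolved principal, or a principal named after the GUID if nothing resolved
     * @throws DamException if the user manager cannot be obtained
     */
    @Override
    @NotNull
    public Principal rApiPrincipalToOakPrincipal(@NotNull Session session, @NotNull ImsToken imsToken, @NotNull RepoApiPrincipal repoApiPrincipal) throws DamException {
        Objects.requireNonNull(repoApiPrincipal);
        log.debug("Mapping principal: {}", repoApiPrincipal);
        // NOTE(review): when nothing resolves, the result is a principal whose name is the
        // GUID taken from the request, not a principal known to the repository. Callers that
        // write access-control entries should confirm this fallback is what they want.
        Principal unresolved = repoApiPrincipal::getGuid;
        return rApiPrincipalToPrincipal(session, imsToken, repoApiPrincipal).orElse(unresolved);
    }

    /**
     * Converts a principal to its Repository API identifier.
     *
     * <p>A principal backed by an authorizable is converted from that authorizable. Otherwise,
     * if a token is present, the user mapper is asked for an IMS ID; failing that, the
     * principal is reported as {@code <name>@<localDomain>}.
     *
     * @param userManager user manager performing the lookup
     * @param imsToken IMS token of the current request
     * @param principal principal to convert
     * @return the Repository API identifier
     * @throws DamException if the repository reports an error
     */
    @Override
    @NotNull
    public String oakPrincipalToRapi(@NotNull UserManager userManager, @NotNull ImsToken imsToken, @NotNull Principal principal) throws DamException {
        try {
            Authorizable authorizable = userManager.getAuthorizable(principal);
            if (authorizable != null) {
                return jcrAuthorizableToRapi(imsToken, authorizable);
            }
            if (imsToken.hasToken()) {
                log.debug("Authorable not found with principal {}, looking up IMS ID", principal);
                Optional<String> userImsId = this.userMapper.getUserImsId(imsToken, principal.getName());
                if (userImsId.isPresent()) {
                    log.debug("Found IMS ID for principal, using IMS ID for repo API principal");
                    return userImsId.get();
                }
            }
            log.debug("Authorizable not found with principal {}, treating as local user", principal);
            return principal.getName() + "@" + this.localDomain;
        } catch (RepositoryException e) {
            throw DamExceptionFactory.fromRepositoryException(e);
        }
    }

    /**
     * Converts a principal to a {@link RepoApiPrincipal}.
     *
     * @throws DamException if the repository reports an error
     */
    @Override
    @NotNull
    public RepoApiPrincipal oakPrincipalToRepoApiPrincipal(@NotNull UserManager userManager, @NotNull ImsToken imsToken, @NotNull Principal principal) throws DamException {
        return new RepoApiPrincipal(oakPrincipalToRapi(userManager, imsToken, principal));
    }

    /**
     * Returns the configured IMS auto-membership group name, or the default constant when no
     * name is configured.
     */
    private String getAuthenticatedGroupName() {
        String configured = this.repoSettings.getImsUserAutoMembershipGroup();
        if (configured != null) {
            return configured;
        }
        return AccessControlConstants.AEM_GROUP_MAPPING_RAPI_PRINCIPAL_AUTHENTICATED_DEFAULT;
    }
}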
