package com.adobe.aem.repoapi.impl;

import com.adobe.aem.dam.api.exception.DamException;
import com.adobe.aem.dam.api.exception.DamRuntimeException;
import com.adobe.aem.repoapi.impl.accesscontrol.addressbook.AddressBook;
import com.adobe.aem.repoapi.impl.accesscontrol.addressbook.AddressBookApi;
import com.adobe.aem.repoapi.impl.accesscontrol.addressbook.AddressBookGroup;
import com.adobe.aem.repoapi.impl.accesscontrol.ims.ImsApi;
import com.adobe.aem.repoapi.impl.accesscontrol.ims.ImsToken;
import com.adobe.aem.repoapi.impl.api.RepoSettings;
import com.adobe.aem.repoapi.impl.api.accesscontrol.AccessControlConstants;
import com.adobe.aem.repoapi.impl.api.accesscontrol.ImsGroupMapper;
import com.adobe.aem.repoapi.impl.api.accesscontrol.RepoApiPrincipal;
import com.adobe.aem.repoapi.impl.api.accesscontrol.ims.ImsGroup;
import com.adobe.aem.repoapi.impl.api.accesscontrol.ims.ImsOrganization;
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.Principal;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import javax.jcr.AccessDeniedException;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.ValueFactory;
import org.apache.commons.lang3.StringUtils;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.apache.http.util.EntityUtils;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
import org.jetbrains.annotations.NotNull;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Deactivate;
import org.osgi.service.component.annotations.Reference;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

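/**
 * Maps between IMS group identifiers ({@link RepoApiPrincipal}) and JCR group principals.
 *
 * <p>Lookups are answered, in order, from two in-memory caches, from properties stored on the
 * JCR group profile, from the IMS organizations endpoint, and finally from the address book.
 *
 * <p>NOTE(review): both caches are built without a size bound or expiry and are keyed only by
 * group name / IMS principal. A mapping learned through one caller's IMS token is therefore
 * served to every later caller and stays until the component is restarted. Confirm that this is
 * acceptable for renamed or deleted IMS groups, since the mappings feed access-control decisions.
 */
@Component(service = {ImsGroupMapper.class})
/* loaded from: input_file:com/adobe/aem/repoapi/impl/ImsGroupMapperImpl.class */
public class ImsGroupMapperImpl implements ImsGroupMapper {
    private static final Logger log = LoggerFactory.getLogger(ImsGroupMapperImpl.class);
    // Relative property paths on the group node that persist the IMS mapping.
    private static final String PN_IMS_ID = "profile/imsId";
    private static final String PN_PROVIDER_REF = "profile/providerRef";
    private static final String PN_TYPE_REF = "profile/typeRef";
    // Connect, connection-request and socket timeout for calls to IMS, in milliseconds.
    private static final int HTTP_TIMEOUT_MS = 15000;
    private final String imsEndpoint;
    private Cache<RepoApiPrincipal, Optional<String>> imsidToGroupNameCache;
    private Cache<String, Optional<RepoApiPrincipal>> groupNametoImsIdCache;
    private CloseableHttpClient httpclient;
    private AddressBookApi addressBookApi;
    // Unknown JSON properties in IMS responses are ignored rather than rejected.
    private ObjectMapper objectMapper = new ObjectMapper().configure(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES, false);
    protected RepoSettings settingsSvc = new SystemEnvRepoSettingsImpl();
    // Read once at construction; must stay declared after settingsSvc (field initialisation order).
    private final String imsOrgId = this.settingsSvc.getImsOrg();

    /**
     * Builds the mapper: records the IMS endpoint, creates the address book client, the two
     * caches and a pooled HTTP client with fixed timeouts.
     *
     * @param imsApi source of the IMS endpoint
     * @throws URISyntaxException if the endpoint string cannot be parsed back into a URI
     */
    @Activate
    public ImsGroupMapperImpl(@Reference ImsApi imsApi) throws URISyntaxException {
        this.imsEndpoint = imsApi.getEndpoint().toString();
        log.info("loaded IMS endpoint: {}", this.imsEndpoint);
        this.addressBookApi = new AddressBookApi(new ImsApi(new URI(this.imsEndpoint)));
        this.groupNametoImsIdCache = CacheBuilder.newBuilder().build();
        this.imsidToGroupNameCache = CacheBuilder.newBuilder().build();
        RequestConfig requestConfig = RequestConfig.custom()
                .setConnectTimeout(HTTP_TIMEOUT_MS)
                .setConnectionRequestTimeout(HTTP_TIMEOUT_MS)
                .setSocketTimeout(HTTP_TIMEOUT_MS)
                .build();
        this.httpclient = HttpClientBuilder.create()
                .setConnectionManager(new PoolingHttpClientConnectionManager())
                .setDefaultRequestConfig(requestConfig)
                .build();
    }

    /** Closes the HTTP client. A failure to close is logged and otherwise ignored. */
    @Deactivate
    public void deactivate() {
        if (this.httpclient != null) {
            try {
                this.httpclient.close();
            } catch (IOException e) {
                // Best effort: shutdown continues, but the failure is no longer silent.
                log.warn("Failed to close HTTP client", e);
            }
        }
    }

    /**
     * Reports whether an IMS mapping can be found for the given JCR group.
     *
     * @return {@code true} if a mapping exists; {@code false} if none exists or the lookup failed
     */
    @Override
    public boolean isImsGroup(@NotNull ImsToken imsToken, @NotNull Group group) {
        try {
            log.debug("Checking to see if group is IMS Group: {}", group);
            return lookupGroup(imsToken, group).isPresent();
        } catch (RepositoryException e) {
            // A failed lookup is reported as "not an IMS group".
            log.error("Exception occurred when checking IMS group by group", e);
            return false;
        }
    }

    /**
     * Reports whether the given principal resolves to a known IMS group.
     *
     * @return {@code true} if a mapping exists; {@code false} if the principal has no group id,
     *     no mapping exists, or the lookup failed
     */
    @Override
    public boolean isImsGroup(@NotNull UserManager userManager, @NotNull ImsToken imsToken, @NotNull RepoApiPrincipal repoApiPrincipal) {
        if (StringUtils.isBlank(repoApiPrincipal.getGroupId())) {
            log.warn("Requested principal is not a group: {}", repoApiPrincipal);
            return false;
        }
        try {
            log.debug("Checking to see if principal is IMS Group: {}", repoApiPrincipal);
            return lookupImsGroup(userManager, imsToken, repoApiPrincipal).isPresent();
        } catch (RepositoryException e) {
            log.error("Exception occurred when checking IMS group by principal", e);
            return false;
        }
    }

    /**
     * Returns the IMS principal string mapped to the given JCR group.
     *
     * @return the IMS id, or empty if no mapping exists or the lookup failed
     */
    @Override
    @NotNull
    public Optional<String> getImsId(@NotNull ImsToken imsToken, @NotNull Group group) {
        try {
            log.debug("Getting IMS ID for: {}", group);
            return lookupGroup(imsToken, group).map(RepoApiPrincipal::getPrincipal);
        } catch (RepositoryException e) {
            log.warn("Failed to get IMS ID for group", e);
            return Optional.empty();
        }
    }

    /**
     * Obtains the user manager of a Jackrabbit session.
     *
     * @throws RepositoryException if the session is {@code null} or its user manager cannot be
     *     obtained
     * @throws ClassCastException if the session is not a {@link JackrabbitSession}
     */
    private UserManager getUserManager(Session session) throws RepositoryException {
        // The decompiled form referenced an undefined variable here; this is the method
        // reference it stood for.
        return Optional.ofNullable(session)
                .map(JackrabbitSession.class::cast)
                .map(jackrabbitSession -> {
                    try {
                        return jackrabbitSession.getUserManager();
                    } catch (RepositoryException e) {
                        log.error("Failed to get user manager", e);
                        // null empties the Optional, so orElseThrow below reports the failure.
                        return null;
                    }
                })
                .orElseThrow(() -> new RepositoryException("Failed to get user manager"));
    }

    /**
     * Resolves the JCR group for an IMS group principal, creating the group if it does not exist,
     * and stamps the IMS identifiers on its profile when they are missing.
     *
     * <p>NOTE(review): the JCR principal name is the group name reported by IMS or the address
     * book. An existing local group with the same name is reused and then marked with the IMS
     * id. Confirm that collisions with pre-existing local groups are excluded or acceptable.
     *
     * @return the group, or empty if the principal is not a group, no mapping exists, the name
     *     resolves to a non-group authorizable, or a repository error occurred
     */
    @Override
    @NotNull
    public Optional<Group> getJcrGroup(@NotNull Session session, @NotNull ImsToken imsToken, @NotNull RepoApiPrincipal repoApiPrincipal) {
        if (StringUtils.isBlank(repoApiPrincipal.getGroupId())) {
            log.warn("Requested principal is not a group: {}", repoApiPrincipal);
            return Optional.empty();
        }
        try {
            UserManager userManager = getUserManager(session);
            Optional<Principal> lookupImsGroup = lookupImsGroup(userManager, imsToken, repoApiPrincipal);
            log.debug("Using principal: {}", lookupImsGroup);
            if (!lookupImsGroup.isPresent()) {
                return Optional.empty();
            }
            Principal principal = lookupImsGroup.get();
            Authorizable existing = userManager.getAuthorizable(principal);
            Group group;
            if (existing == null) {
                log.info("Creating group for: {}", principal.getName());
                group = userManager.createGroup(principal, "ims");
                group.setProperty("rep:externalId", session.getValueFactory().createValue(principal.getName() + ";ims"));
                session.save();
                log.info("Set external id to: {};ims", principal.getName());
            } else if (existing instanceof Group) {
                group = (Group) existing;
                log.debug("Using group: {}", group);
            } else {
                // Previously an unchecked ClassCastException; a same-named non-group authorizable
                // must not be treated as the IMS group.
                log.warn("Principal {} resolves to a non-group authorizable, no IMS group mapped", principal.getName());
                return Optional.empty();
            }
            addPrincipalInfo(session, group, repoApiPrincipal);
            return Optional.of(group);
        } catch (RepositoryException e) {
            log.error("Failed to get group", e);
        }
        return Optional.empty();
    }

    /**
     * Reads the first value of a group property as a string.
     *
     * @return the value, or empty if the property is absent, has no values, or cannot be read
     */
    private Optional<String> getProperty(Group group, String str) {
        try {
            if (group.hasProperty(str)) {
                Value[] values = group.getProperty(str);
                if (values.length > 0) {
                    return Optional.ofNullable(values[0].getString());
                }
            }
        } catch (RepositoryException e) {
            log.warn("Failed to get property {}", str, e);
        }
        return Optional.empty();
    }

    /**
     * Finds the IMS principal for a JCR group: cache, then the group's profile properties, then
     * (only when an IMS token is present) IMS and the address book.
     *
     * @return the mapped principal, or empty if none is found
     * @throws RepositoryException if the group cannot be read, or the address book call is refused
     */
    protected Optional<RepoApiPrincipal> lookupGroup(@NotNull ImsToken imsToken, @NotNull Group group) throws RepositoryException {
        String groupName = group.getPrincipal().getName();
        Optional<RepoApiPrincipal> cached = cachedImsId(groupName);
        if (cached.isPresent()) {
            log.trace("Mapping found in cache");
            return cached;
        }
        log.debug("Checking R-API principal on: {}", group.getID());
        Optional<String> storedImsId = getProperty(group, PN_IMS_ID);
        if (storedImsId.isPresent()) {
            log.debug("Loading IMS ID from Group profile");
            return Optional.of(new RepoApiPrincipal(storedImsId.get(), getProperty(group, PN_TYPE_REF).orElse(null), getProperty(group, PN_PROVIDER_REF).orElse(null)));
        }
        if (!imsToken.hasToken()) {
            log.debug("Unable to find IMS information locally and no IMS token is present. Group information not found.");
            return Optional.empty();
        }
        log.debug("Checking IMS for groups matching: {}", group.getID());
        cacheImsGroups(imsToken);
        Optional<RepoApiPrincipal> fromIms = cachedImsId(groupName);
        if (fromIms.isPresent()) {
            log.trace("Mapping found from IMS");
            return fromIms;
        }
        log.debug("Checking Address book for groups matching: {}", group.getID());
        cacheAddressBookGroups(imsToken);
        Optional<RepoApiPrincipal> fromAddressBook = cachedImsId(groupName);
        if (fromAddressBook.isPresent()) {
            log.trace("Mapping found in address book");
        }
        return fromAddressBook;
    }

    /**
     * Writes the IMS id, provider and type onto the group profile if no IMS id is stored yet,
     * then saves the session. Repository failures are logged and not propagated.
     */
    private void addPrincipalInfo(@NotNull Session session, @NotNull Group group, RepoApiPrincipal repoApiPrincipal) {
        try {
            if (!getProperty(group, PN_IMS_ID).isPresent()) {
                ValueFactory valueFactory = session.getValueFactory();
                group.setProperty(PN_IMS_ID, valueFactory.createValue(repoApiPrincipal.getPrincipal()));
                group.setProperty(PN_PROVIDER_REF, valueFactory.createValue(repoApiPrincipal.getProviderRef()));
                group.setProperty(PN_TYPE_REF, valueFactory.createValue(repoApiPrincipal.getTypeRef()));
                session.save();
            }
        } catch (RepositoryException e) {
            log.warn("Could not set IMS ID on group: {}", group, e);
        }
    }

    /** Records a group-name / IMS-principal pair in both directions. */
    private void cache(String str, RepoApiPrincipal repoApiPrincipal) {
        this.imsidToGroupNameCache.put(repoApiPrincipal, Optional.of(str));
        this.groupNametoImsIdCache.put(str, Optional.of(repoApiPrincipal));
    }

    /** Turns a cache miss ({@code null}) into an empty Optional. */
    private <T> Optional<T> getSafe(Optional<T> optional) {
        return optional != null ? optional : Optional.empty();
    }

    /** Looks up the IMS principal cached for a JCR group name. */
    private Optional<RepoApiPrincipal> cachedImsId(String groupName) {
        return getSafe(this.groupNametoImsIdCache.getIfPresent(groupName));
    }

    /** Looks up the JCR principal cached for an IMS principal. */
    private Optional<Principal> cachedPrincipal(RepoApiPrincipal repoApiPrincipal) {
        return getSafe(this.imsidToGroupNameCache.getIfPresent(repoApiPrincipal)).<Principal>map(PrincipalImpl::new);
    }

    /**
     * Finds the JCR principal for an IMS principal: cache, then a repository search on the stored
     * IMS id, then (only when an IMS token is present) IMS and the address book.
     *
     * @return the mapped principal, or empty if none is found
     * @throws RepositoryException if the repository search fails or the address book call is refused
     */
    private Optional<Principal> lookupImsGroup(@NotNull UserManager userManager, @NotNull ImsToken imsToken, @NotNull RepoApiPrincipal repoApiPrincipal) throws RepositoryException {
        Optional<Principal> cached = cachedPrincipal(repoApiPrincipal);
        if (cached.isPresent()) {
            log.trace("Mapping found in cache");
            return cached;
        }
        log.debug("Looking for authorizables matching: {}", repoApiPrincipal);
        // NOTE(review): the search value is repoApiPrincipal.toString(), while addPrincipalInfo
        // stores getPrincipal() under the same property. Confirm the two strings are identical.
        Iterator<Authorizable> matches = userManager.findAuthorizables(PN_IMS_ID, repoApiPrincipal.toString());
        if (matches.hasNext()) {
            log.trace("Mapping found on group");
            // Only the first match is used.
            Principal principal = matches.next().getPrincipal();
            cache(principal.getName(), repoApiPrincipal);
            return Optional.of(principal);
        }
        if (!imsToken.hasToken()) {
            log.debug("Unable to find authorizables matcing: {}, and no IMS token provided. No mapping available.", repoApiPrincipal);
            return Optional.empty();
        }
        log.debug("Checking IMS for groups matching: {}", repoApiPrincipal);
        cacheImsGroups(imsToken);
        Optional<Principal> fromIms = cachedPrincipal(repoApiPrincipal);
        if (fromIms.isPresent()) {
            log.trace("Mapping found from IMS");
            return fromIms;
        }
        log.debug("Checking Address Book for groups matching: {}", repoApiPrincipal);
        cacheAddressBookGroups(imsToken);
        Optional<Principal> fromAddressBook = cachedPrincipal(repoApiPrincipal);
        if (fromAddressBook.isPresent()) {
            log.trace("Mapping found from Address book");
        }
        return fromAddressBook;
    }

    /**
     * Fetches the caller's organizations from IMS and caches every group of the organization
     * that matches the configured IMS org id. I/O failures are logged and not propagated.
     *
     * @return always empty; callers use the caches, not the return value
     */
    @NotNull
    private Optional<ImsOrganization> cacheImsGroups(@NotNull ImsToken imsToken) {
        if (StringUtils.isNotBlank(this.imsEndpoint) && imsToken.hasToken()) {
            HttpGet httpGet = new HttpGet(this.imsEndpoint + "/organizations/v3");
            httpGet.addHeader("Authorization", imsToken.getHttpAuthorization());
            log.debug("Getting groups from: {}", httpGet.getURI());
            // try-with-resources: the response is released on every path, including a failed parse.
            try (CloseableHttpResponse response = this.httpclient.execute(httpGet)) {
                if (response.getStatusLine().getStatusCode() == 200) {
                    List<ImsOrganization> organizations = this.objectMapper.readValue(
                            response.getEntity().getContent(), new TypeReference<List<ImsOrganization>>() {
                            });
                    organizations.stream()
                            .filter(this::isConfiguredOrganization)
                            .findFirst()
                            .ifPresent(this::cacheOrganizationGroups);
                } else {
                    // NOTE(review): the full error body is written to the log; confirm it cannot
                    // carry token material or other sensitive data.
                    log.warn("Retrieved invalid status: {} and response: {}", response.getStatusLine(), EntityUtils.toString(response.getEntity()));
                }
            } catch (IOException e) {
                log.error("Failed to make call to IMS", e);
            }
        } else {
            // Also reached when the endpoint is set but the caller has no IMS token.
            log.debug("Endpoint not set, not interacting with IMS");
        }
        return Optional.empty();
    }

    /** True if the organization's {@code ident@authSrc} equals the configured IMS org id. */
    private boolean isConfiguredOrganization(ImsOrganization organization) {
        // Objects.equals: an unset org id matches nothing (no groups cached) instead of throwing.
        return Objects.equals(this.imsOrgId, organization.getOrgRef().getIdent() + "@" + organization.getOrgRef().getAuthSrc());
    }

    /** Caches one principal per group of the organization, keyed by the IMS group name. */
    private void cacheOrganizationGroups(ImsOrganization organization) {
        log.debug("Caching {} groups", organization.getGroups().size());
        String orgPrefix = organization.getOrgRef().getIdent() + "@" + organization.getOrgRef().getAuthSrc();
        organization.getGroups().forEach(imsGroup -> {
            String imsId = orgPrefix + ":" + imsGroup.getIdent();
            String principalType = AccessControlConstants.PRINCIPAL_TYPE_IMS_GROUP;
            if (imsGroup.getGroupType() != ImsGroup.GROUP_TYPE.USER) {
                // Locale.ROOT keeps the principal type string stable whatever the JVM default
                // locale is (e.g. Turkish dotless i).
                principalType = String.format(AccessControlConstants.PRINCIPAL_TYPE_IMS_INTERNAL_GROUP_PATTERN,
                        imsGroup.getGroupType().name().toLowerCase(java.util.Locale.ROOT));
            }
            cache(imsGroup.getName(), new RepoApiPrincipal(imsId, principalType, AccessControlConstants.PRINCIPAL_PROVIDER_ID_IMS));
        });
    }

    /**
     * Loads the address book of the configured IMS org and caches one principal per address
     * book group, keyed by the group name.
     *
     * @throws AccessDeniedException if the address book call fails; the failure is treated as
     *     insufficient access
     */
    private void cacheAddressBookGroups(@NotNull ImsToken imsToken) throws AccessDeniedException {
        try {
            Optional<AddressBook> addressBook = this.addressBookApi.getAddressBook(imsToken, this.imsOrgId);
            if (!addressBook.isPresent()) {
                log.warn("Could not find address book for {}", this.imsOrgId);
                return;
            }
            AddressBook book = addressBook.get();
            List<AddressBookGroup> addressBookGroups = this.addressBookApi.getAddressBookGroups(imsToken, book.getIdent());
            log.debug("Retrieved {} address book groups", addressBookGroups.size());
            for (AddressBookGroup addressBookGroup : addressBookGroups) {
                cache(addressBookGroup.getName(), new RepoApiPrincipal(book.getOwnerId() + ":" + addressBookGroup.getLinkedGroupId(), AccessControlConstants.PRINCIPAL_TYPE_IMS_GROUP, AccessControlConstants.PRINCIPAL_PROVIDER_ID_IMS));
            }
        } catch (DamException | DamRuntimeException e) {
            throw new AccessDeniedException("Failed to call address book, assuming insufficient access", e);
        }
    }
}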
