package com.adobe.granite.auth.saml.extidp;

import com.adobe.granite.auth.saml.SamlIdentitySync;
import com.adobe.granite.auth.saml.spi.Assertion;
import com.adobe.granite.auth.saml.spi.Attribute;
import com.day.crx.security.token.TokenUtil;
import java.security.Principal;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.jcr.AccessDeniedException;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.ValueFactory;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.auth.core.spi.AuthenticationInfo;
import org.apache.sling.jcr.api.SlingRepository;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/adobe/granite/auth/saml/extidp/DefaultUserSync.class */
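/**
 * Default {@link SamlIdentitySync}: mirrors the subject of an already validated SAML assertion
 * into the repository and issues the login credentials for it.
 *
 * <p>On each {@link #process} call the sync opens its own service session, looks up (and
 * optionally creates) the user named by the assertion, stores the raw SAML response on it,
 * optionally aligns its group memberships with the configured default groups plus the groups
 * listed in the configured assertion attribute, copies configured assertion attributes to user
 * properties, saves, and finally creates token credentials via {@link TokenUtil}.
 *
 * <p>Group memberships are only ever removed from groups carrying {@link #MANAGED_BY_IDP};
 * any group this sync adds a member to is flagged that way, so it becomes IdP-managed for
 * later syncs. The group ids taken from the assertion are trusted as-is: every existing group
 * whose id appears there receives the user. Configure the groups attribute only for an IdP
 * that is trusted to assert memberships, and keep the service user's rights minimal, since
 * everything this class changes runs under that service session.
 *
 * <p>Instances hold only configuration and are safe to share; each call uses its own session.
 */
public class DefaultUserSync implements SamlIdentitySync {

    /** Property that marks a group whose membership is maintained by this identity sync. */
    public static final String MANAGED_BY_IDP = "rep:managedByIdp";

    private static final Logger log = LoggerFactory.getLogger(DefaultUserSync.class);

    private final SlingRepository repository;
    private final boolean createUser;
    private final String userIntermediatePath;
    private final boolean addGroupMemberships;
    private final Set<String> defaultGroups;
    private final String groupsAttribute;
    private final String[] synchronizeAttributes;

    /**
     * Creates a sync with the given configuration.
     *
     * @param repository repository used for the service session and for token creation
     * @param createUser whether a user that does not exist yet is created on first login
     * @param userIntermediatePath intermediate path for created users; {@code null} or empty
     *        lets the user manager pick the location
     * @param addGroupMemberships whether group memberships are synchronized at all
     * @param defaultGroups group ids every synced user is added to (copied; may be {@code null})
     * @param groupsAttribute name of the assertion attribute listing additional group ids
     * @param synchronizeAttributes {@code "assertionAttribute=userProperty"} mappings (copied;
     *        may be {@code null})
     */
    public DefaultUserSync(SlingRepository repository, boolean createUser, String userIntermediatePath,
            boolean addGroupMemberships, Set<String> defaultGroups, String groupsAttribute,
            String[] synchronizeAttributes) {
        this.repository = repository;
        this.createUser = createUser;
        this.userIntermediatePath = userIntermediatePath;
        this.addGroupMemberships = addGroupMemberships;
        // Defensive copies: the configuration handed in stays under the caller's control.
        this.defaultGroups = defaultGroups == null ? null : new HashSet<String>(defaultGroups);
        this.groupsAttribute = groupsAttribute;
        this.synchronizeAttributes = synchronizeAttributes == null ? null : synchronizeAttributes.clone();
    }

    /**
     * Synchronizes the asserted user into the repository and returns its authentication info.
     *
     * <p>Sets the {@code j_reason} request attribute to {@code user_not_found} when the user
     * neither exists nor may be created (or is not a user), and to {@code user_sync_failed}
     * when the repository cannot be accessed; in both cases {@link AuthenticationInfo#FAIL_AUTH}
     * is returned without issuing credentials.
     *
     * @param request current request, receives {@code j_reason} on failure
     * @param response current response, handed to {@link TokenUtil} for the credentials
     * @param assertion validated SAML assertion whose attributes are synchronized
     * @param userId repository user id of the asserted subject
     * @param samlResponse raw SAML response stored on the user, or {@code null} to skip
     * @return credentials for {@code userId}, or {@link AuthenticationInfo#FAIL_AUTH}
     */
    @Override
    public AuthenticationInfo process(HttpServletRequest request, HttpServletResponse response,
            Assertion assertion, String userId, String samlResponse) {
        Session session = null;
        try {
            // Service session of the bundle's default sub-service; its rights bound what can be synced.
            session = this.repository.loginService("", (String) null);
            Authorizable user = createOrUpdateCRXUser(session, userId, samlResponse,
                    this.createUser, this.userIntermediatePath);
            if (user == null) {
                // Nothing to synchronize and nobody to log in: neither save nor issue credentials.
                request.setAttribute("j_reason", SamlIdentitySync.REASON.user_not_found);
                return AuthenticationInfo.FAIL_AUTH;
            }
            if (this.addGroupMemberships) {
                // Absent attribute -> null -> only the default groups apply.
                Attribute groups = assertion.getAttributes().get(this.groupsAttribute);
                addUserToGroups(session, user, groups, this.defaultGroups);
            }
            synchronizeAttributes(session, user, assertion, this.synchronizeAttributes);
            // One save for user creation, memberships and attributes together.
            session.save();
            AuthenticationInfo info = TokenUtil.createCredentials(request, response, this.repository, userId, true);
            // Marker the original implementation adds to the returned info; its consumer is not visible here.
            info.put("$$auth.info.login$$", new Object());
            return info;
        } catch (RepositoryException e) {
            log.error("User synchronization failed: Could not access repository.", e);
            request.setAttribute("j_reason", SamlIdentitySync.REASON.user_sync_failed);
            // Return the shared FAIL_AUTH constant untouched; never put() into it.
            return AuthenticationInfo.FAIL_AUTH;
        } finally {
            if (session != null) {
                session.logout();
            }
        }
    }

    /**
     * Aligns the IdP-managed group memberships of {@code user} with the wanted set, which is
     * {@code defaultGroups} plus every non-null value of {@code groupsAttribute}.
     *
     * <p>Memberships in {@link #MANAGED_BY_IDP} groups that are no longer wanted are removed;
     * wanted groups that exist are joined and flagged as IdP-managed. Group ids that do not
     * resolve to an existing group are silently ignored. Nothing is saved here; the caller's
     * session save commits the changes. Errors are logged, not propagated.
     *
     * @param session session whose user manager performs the changes
     * @param user authorizable whose memberships are adjusted
     * @param groupsAttribute assertion attribute listing group ids, or {@code null}
     * @param defaultGroups group ids always wanted, or {@code null}
     */
    private static void addUserToGroups(Session session, Authorizable user, Attribute groupsAttribute,
            Set<String> defaultGroups) {
        try {
            UserManager userManager = ((JackrabbitSession) session).getUserManager();
            if (userManager == null) {
                log.error("Group synchronization failed: Could not get user manager.");
                return;
            }
            // Batch all membership changes into the caller's save(); restore the previous
            // auto-save mode even when one of the group operations throws.
            boolean wasAutoSave = userManager.isAutoSave();
            if (wasAutoSave) {
                userManager.autoSave(false);
            }
            try {
                Set<String> wanted = new HashSet<String>();
                if (defaultGroups != null) {
                    wanted.addAll(defaultGroups);
                }
                if (groupsAttribute != null) {
                    for (Object value : groupsAttribute.getListValue()) {
                        if (value != null) {
                            wanted.add(value.toString());
                        }
                    }
                }
                // Pass 1: drop IdP-managed memberships that are no longer asserted; groups that
                // are still wanted are ticked off so pass 2 does not re-add them.
                Iterator<Group> current = user.declaredMemberOf();
                while (current.hasNext()) {
                    Group group = current.next();
                    if (isSamlGroup(group) && !wanted.remove(group.getID())) {
                        group.removeMember(user);
                    }
                }
                // Pass 2: join the remaining wanted groups and mark them as IdP-managed.
                for (String groupId : wanted) {
                    Authorizable candidate = userManager.getAuthorizable(groupId);
                    if (candidate != null && candidate.isGroup()) {
                        Group group = (Group) candidate;
                        group.addMember(user);
                        if (!isSamlGroup(group)) {
                            setSamlGroup(session, group);
                        }
                    }
                }
            } finally {
                if (wasAutoSave) {
                    userManager.autoSave(true);
                }
            }
        } catch (AccessDeniedException e) {
            log.error("Group synchronization failed: Access denied.", e);
        } catch (RepositoryException e) {
            log.error("Group synchronization failed: Could not access repository.", e);
        }
    }

    /**
     * Looks up the user for {@code userId}, creating it when allowed, and stores the raw SAML
     * response on it.
     *
     * <p>An authorizable with that id that is a group is refused: the asserted subject must be
     * a user, and syncing memberships or attributes onto a group would be wrong.
     *
     * @param session session whose user manager is used
     * @param userId id of the asserted user
     * @param samlResponse value for {@link SamlIdentitySync#PROPERTY_SAML_RESPONSE}, or {@code null} to skip
     * @param createUser whether a missing user may be created
     * @param intermediatePath intermediate path for a created user; {@code null}/empty for the default
     * @return the user, or {@code null} if it does not exist and may not be created, if the id
     *         names a group, or on repository errors (which are logged)
     */
    private static Authorizable createOrUpdateCRXUser(Session session, String userId, String samlResponse,
            boolean createUser, String intermediatePath) {
        try {
            UserManager userManager = ((JackrabbitSession) session).getUserManager();
            Authorizable authorizable = userManager.getAuthorizable(userId);
            if (authorizable == null && createUser) {
                // Password-less user: authentication always happens at the IdP.
                authorizable = (intermediatePath == null || intermediatePath.isEmpty())
                        ? userManager.createUser(userId, (String) null)
                        : userManager.createUser(userId, (String) null, newPrincipal(userId), intermediatePath);
            }
            if (authorizable == null) {
                return null;
            }
            if (authorizable.isGroup()) {
                log.warn("User synchronization failed: '{}' is a group, not a user.", userId);
                return null;
            }
            if (samlResponse != null) {
                authorizable.setProperty(SamlIdentitySync.PROPERTY_SAML_RESPONSE,
                        session.getValueFactory().createValue(samlResponse));
            }
            return authorizable;
        } catch (AccessDeniedException e) {
            // Subclass of RepositoryException: must be caught first to be reachable.
            log.error("User synchronization failed: Could not get user manager.", e);
            return null;
        } catch (RepositoryException e) {
            log.error("User synchronization failed: Could not access repository.", e);
            return null;
        }
    }

    /**
     * Returns a principal whose name is {@code name}, used when creating a user below an
     * explicit intermediate path.
     *
     * @param name principal name
     * @return principal reporting {@code name}
     */
    private static Principal newPrincipal(final String name) {
        return new Principal() {
            @Override
            public String getName() {
                return name;
            }
        };
    }

    /**
     * Copies assertion attributes to user properties according to {@code mappings}.
     *
     * <p>Each mapping is {@code "assertionAttribute=userProperty"} (trimmed as a whole, the two
     * halves are used verbatim); entries without exactly one {@code '='} or whose attribute is
     * missing or has no value are skipped. The string form of the attribute value is stored.
     * Errors are logged, not propagated.
     *
     * @param session supplies the value factory
     * @param user authorizable receiving the properties
     * @param assertion source of the attribute values
     * @param mappings configured mappings; {@code null} or empty does nothing
     */
    private static void synchronizeAttributes(Session session, Authorizable user, Assertion assertion,
            String[] mappings) {
        if (mappings == null) {
            return;
        }
        try {
            ValueFactory valueFactory = session.getValueFactory();
            for (String mapping : mappings) {
                if (mapping == null) {
                    continue;
                }
                String[] parts = mapping.trim().split("=");
                if (parts.length != 2) {
                    continue;
                }
                Attribute attribute = assertion.getAttributes().get(parts[0]);
                if (attribute != null && attribute.getValue() != null) {
                    user.setProperty(parts[1], valueFactory.createValue(attribute.getValue().toString()));
                }
            }
        } catch (RepositoryException e) {
            log.error("Attribute synchronization failed.", e);
        }
    }

    /**
     * Tells whether {@code group} is flagged as managed by this sync, i.e. its first
     * {@link #MANAGED_BY_IDP} value equals {@link SamlIdentitySync#AUTH_TYPE}.
     *
     * @param group group to inspect
     * @return {@code true} if the group is IdP-managed
     * @throws RepositoryException if the property cannot be read
     */
    private static boolean isSamlGroup(@Nonnull Group group) throws RepositoryException {
        Value[] managedBy = group.getProperty(MANAGED_BY_IDP);
        return managedBy != null && managedBy.length > 0
                && SamlIdentitySync.AUTH_TYPE.equals(managedBy[0].getString());
    }

    /**
     * Flags {@code group} as managed by this sync (see {@link #isSamlGroup}).
     *
     * @param session supplies the value factory
     * @param group group to flag
     * @throws RepositoryException if the property cannot be written
     */
    private static void setSamlGroup(@Nonnull Session session, @Nonnull Group group) throws RepositoryException {
        group.setProperty(MANAGED_BY_IDP, session.getValueFactory().createValue(SamlIdentitySync.AUTH_TYPE));
    }

    /**
     * No-op: this sync has nothing to do once the login succeeded.
     *
     * @param request current request (unused)
     * @param response current response (unused)
     * @param authenticationInfo info returned by {@link #process} (unused)
     */
    @Override
    public void authenticationSucceeded(HttpServletRequest request, HttpServletResponse response,
            AuthenticationInfo authenticationInfo) {
        // Intentionally empty.
    }
}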
