package com.adobe.granite.security.user.internal.servlets;

import com.adobe.granite.security.user.UserPropertiesService;
import com.adobe.granite.security.user.util.AuthorizableJSONWriter;
import com.adobe.granite.security.user.util.AuthorizableUtil;
import com.adobe.granite.security.user.util.ImpersonationNotifier;
import com.adobe.granite.security.user.util.PropConstants;
import com.adobe.granite.xss.XSSFilter;
import java.io.IOException;
import java.net.URLEncoder;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Locale;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.servlet.ServletException;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Properties;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.ReferenceCardinality;
import org.apache.felix.scr.annotations.ReferencePolicy;
import org.apache.felix.scr.annotations.Service;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Query;
import org.apache.jackrabbit.api.security.user.QueryBuilder;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.request.RequestParameterMap;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.servlets.HtmlResponse;
import org.apache.sling.commons.json.JSONException;
import org.apache.sling.commons.json.io.JSONWriter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

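/* loaded from: input_file:com/adobe/granite/security/user/internal/servlets/ImpersonationServlet.class */
/**
 * Servlet behind the {@code impersonate} and {@code impersonators} selectors of a
 * {@code rep:User} / {@code rep:SystemUser} resource.
 * <ul>
 *   <li>{@code GET <user>.impersonate.json?impersonate=<id>[&path=<p>]}: after checking that
 *       the addressed user is the one the editing session acts as, redirects to {@code path}
 *       (default {@code /}) with Sling's {@code sudo} and {@code sling.auth.redirect}
 *       parameters set. The servlet never switches identity itself; it only issues that
 *       redirect. The value {@code "-"} is the revert command (see {@link #revertAction(String)}).</li>
 *   <li>{@code POST <user>.impersonators.html[?query=<prefix>&offset=<n>&max=<n>]}: writes a
 *       JSON document listing the users matched by {@link QueryBuilder#impersonates} for the
 *       addressed user (for an admin user: every other user), optionally narrowed to a
 *       name/profile prefix, followed by a count.</li>
 * </ul>
 * Bound {@link ImpersonationNotifier} services are informed of every sudo/revert command
 * that is redirected.
 */
@Service
@Component(metatype = false)
@Properties({@Property(name = "sling.servlet.paths", value = {"rep/User/impersonate.json.GET.servlet", "rep/SystemUser/impersonate.json.GET.servlet", "rep/User/impersonators.html.POST.servlet", "rep/SystemUser/impersonators.html.POST.servlet"})})
public class ImpersonationServlet extends AbstractServlet {
    private static final Logger log = LoggerFactory.getLogger(ImpersonationServlet.class);

    // Request selectors served by doGet / doPost respectively.
    private static final String SELECTOR_IMPERSONATE = "impersonate";
    private static final String SELECTOR_IMPERSONATORS = "impersonators";

    // Request parameters read by doGet.
    private static final String PARAM_IMPERSONATE = "impersonate";
    private static final String PARAM_PATH = "path";

    /** Value of {@link #PARAM_IMPERSONATE} that ends an impersonation instead of starting one. */
    private static final String REVERT_COMMAND = "-";

    // "name=" prefixes of the Sling parameters placed into the redirect URL; the encoded value follows.
    private static final String SLING_PARAM_SUDO = "sudo=";
    private static final String SLING_PARAM_REDIRECT = "sling.auth.redirect=";

    /** Session attribute read on revert as the id of the user who started the impersonation. */
    private static final String ATTR_IMPERSONATOR = "user.impersonator";

    // Keys of the map handed to ImpersonationNotifier#notify.
    private static final String ACTUAL_USER_ID = "actualUserId";
    private static final String ACTUAL_USER_NAME = "actualUserName";
    private static final String IMPERSONATE_NAME = "impersonateName";
    private static final String IMPERSONATE_ID = "impersonateId";

    @Reference
    private UserPropertiesService service;

    @Reference
    private XSSFilter xss;

    // Bound dynamically (ReferencePolicy.DYNAMIC): entries may come and go while a request runs.
    @Reference(cardinality = ReferenceCardinality.OPTIONAL_MULTIPLE, referenceInterface = ImpersonationNotifier.class, bind = "bindImpersonationNotifier", unbind = "unbindImpersonationNotifier", policy = ReferencePolicy.DYNAMIC)
    private final ArrayList<ImpersonationNotifier> notifiers = new ArrayList<>();

    /** SCR bind callback: registers a notifier for future sudo/revert events. */
    protected void bindImpersonationNotifier(ImpersonationNotifier impersonationNotifier) {
        this.notifiers.add(impersonationNotifier);
    }

    /** SCR unbind callback: deregisters a notifier. */
    protected void unbindImpersonationNotifier(ImpersonationNotifier impersonationNotifier) {
        this.notifiers.remove(impersonationNotifier);
    }

    /**
     * Handles {@code impersonate.json}: validates the request and answers with a redirect
     * carrying the {@code sudo} parameter, or with an HTML error response.
     *
     * @param slingHttpServletRequest  request addressing the user resource
     * @param slingHttpServletResponse response receiving the redirect or the error page
     * @throws IOException if the response cannot be written
     */
    protected void doGet(SlingHttpServletRequest slingHttpServletRequest, SlingHttpServletResponse slingHttpServletResponse) throws IOException {
        HtmlResponse errorResponse = null;
        Resource resource = slingHttpServletRequest.getResource();
        ResourceResolver resolver = slingHttpServletRequest.getResourceResolver();
        User user = resource.adaptTo(User.class);
        try {
            if (user == null) {
                errorResponse = createErrorResponse(404, "Cannot resolve to user (" + resource.getPath() + ")");
            } else {
                Session session = resolver.adaptTo(Session.class);
                String selector = firstSelector(slingHttpServletRequest);
                RequestParameterMap params = slingHttpServletRequest.getRequestParameterMap();
                String userId = user.getID();
                if (!SELECTOR_IMPERSONATE.equals(selector)) {
                    errorResponse = createErrorResponse(400, "Invalid selector " + selector);
                } else if (!userId.equals(session.getUserID())) {
                    // The addressed user resource must be the one the session acts as; a sudo/revert
                    // redirect cannot be requested through someone else's user resource.
                    errorResponse = createErrorResponse(400, "User does not match editing session. Cannot handle impersonation request.");
                } else if (!params.containsKey(PARAM_IMPERSONATE)) {
                    errorResponse = createErrorResponse(400, "Command missing in request ('impersonate' parameter expected).");
                } else {
                    String target = params.getValue(PARAM_IMPERSONATE).getString();
                    // Who is really acting: on revert the user that started the impersonation,
                    // otherwise the session user itself.
                    Object actual = revertAction(target) ? session.getAttribute(ATTR_IMPERSONATOR) : session.getUserID();
                    if (actual == null) {
                        // A revert without an active impersonation used to end in a NullPointerException.
                        errorResponse = createErrorResponse(400, "Session is not impersonating; nothing to revert.");
                    } else {
                        String actualUserId = actual.toString();
                        log.debug("Set parameter to impersonate {} as {}", userId, target);
                        notifyImpersonation(target, userId, actualUserId, resolver);
                        String path = params.containsKey(PARAM_PATH) ? params.getValue(PARAM_PATH).getString() : "/";
                        // NOTE(review): `path` is caller-supplied and forwarded into sling.auth.redirect with
                        // URL-encoding only; whether the authentication handler that consumes it restricts
                        // it to local targets is not visible here — confirm before relying on it.
                        String location = "?" + SLING_PARAM_REDIRECT + URLEncoder.encode(path, "utf-8")
                                + "&" + SLING_PARAM_SUDO + URLEncoder.encode(target, "utf-8")
                                + "&_charset_=utf-8";
                        setJsonResponseHeader(slingHttpServletResponse);
                        slingHttpServletResponse.sendRedirect(location);
                    }
                }
            }
            sendIfPresent(errorResponse, slingHttpServletResponse);
        } catch (Exception e) {
            sendIfPresent(createErrorResponse(e), slingHttpServletResponse);
        }
    }

    /**
     * Handles {@code impersonators.html}: writes a JSON object holding, under
     * {@code PropConstants.AUTHORIZABLES}, the users returned by
     * {@link #impersonatorsQuery(User, String, String, long, long)}, plus their number under the
     * lower-cased {@code PropConstants.CNT} key. Anything else yields an HTML error response.
     *
     * @param slingHttpServletRequest  request addressing the user resource; optional parameters
     *                                 {@code query} (name prefix), {@code offset} and {@code max}
     * @param slingHttpServletResponse response receiving the JSON listing or the error page
     * @throws ServletException never thrown here; kept for the inherited signature
     * @throws IOException      if the response cannot be written
     */
    protected void doPost(SlingHttpServletRequest slingHttpServletRequest, SlingHttpServletResponse slingHttpServletResponse) throws ServletException, IOException {
        HtmlResponse errorResponse = null;
        Resource resource = slingHttpServletRequest.getResource();
        ResourceResolver resolver = slingHttpServletRequest.getResourceResolver();
        User user = resource.adaptTo(User.class);
        UserManager userManager = resolver.adaptTo(UserManager.class);
        try {
            if (user == null || userManager == null) {
                errorResponse = createErrorResponse(404, "Cannot resolve to user or user manager (" + resource.getPath() + ")");
            } else {
                String selector = firstSelector(slingHttpServletRequest);
                if (!SELECTOR_IMPERSONATORS.equals(selector)) {
                    errorResponse = createErrorResponse(400, "Invalid selector " + selector);
                } else {
                    Session session = resolver.adaptTo(Session.class);
                    RequestParameterMap params = slingHttpServletRequest.getRequestParameterMap();
                    Query query = impersonatorsQuery(user, user.getID(),
                            slingHttpServletRequest.getParameter("query"),
                            getNonNegativeValue(params, PropConstants.OFFSET, 0L),
                            getNonNegativeValue(params, "max", -1L));
                    Iterator<Authorizable> matches = userManager.findAuthorizables(query);

                    setJsonResponseHeader(slingHttpServletResponse);
                    JSONWriter json = new JSONWriter(slingHttpServletResponse.getWriter());
                    json.object();
                    json.key(PropConstants.AUTHORIZABLES).array();
                    AuthorizableJSONWriter entryWriter = new AuthorizableJSONWriter(
                            this.service.createUserPropertiesManager(session, resolver), resolver, session, getProps(params), this.xss);
                    long count = 0;
                    while (matches.hasNext()) {
                        entryWriter.write(json, matches.next());
                        count++;
                    }
                    json.endArray();
                    // Locale.ROOT: the JSON key must not depend on the server's default locale.
                    json.key(PropConstants.CNT.toLowerCase(Locale.ROOT)).value(count);
                    json.endObject();
                }
            }
            sendIfPresent(errorResponse, slingHttpServletResponse);
        } catch (JSONException e) {
            sendIfPresent(createErrorResponse(e), slingHttpServletResponse);
        } catch (Exception e) {
            sendIfPresent(createErrorResponse(e), slingHttpServletResponse);
        }
    }

    /**
     * Builds the user-manager query behind {@code impersonators}: users that may impersonate
     * {@code user} (every user except {@code userId} when {@code user} is an admin), restricted
     * to {@link User}s, optionally filtered by {@code namePrefix} against the authorizable name
     * and the profile's {@code givenName}, {@code familyName} and {@code displayName}.
     *
     * @param user       the addressed user
     * @param userId     its id, used to exclude the user itself from an admin's listing
     * @param namePrefix caller-supplied prefix, or {@code null} for no filtering
     * @param offset     number of leading matches to skip
     * @param max        maximum number of matches, {@code -1} for no limit
     * @return the query to pass to {@link UserManager#findAuthorizables(Query)}
     */
    private static Query impersonatorsQuery(final User user, final String userId, final String namePrefix, final long offset, final long max) {
        return new Query() {
            public <T> void build(QueryBuilder<T> qb) {
                try {
                    String principalName = user.getPrincipal().getName();
                    T scope = user.isAdmin() ? qb.not(qb.nameMatches(userId)) : qb.impersonates(principalName);
                    if (namePrefix == null) {
                        qb.setCondition(scope);
                    } else {
                        String pattern = escapeQueryLiteral(namePrefix) + "%";
                        T byName = qb.or(qb.nameMatches(pattern),
                                qb.or(qb.like("profile/givenName", pattern),
                                        qb.or(qb.like("profile/familyName", pattern),
                                                qb.like("profile/displayName", pattern))));
                        qb.setCondition(qb.and(scope, byName));
                    }
                    qb.setSelector(User.class);
                    qb.setLimit(offset, max);
                } catch (RepositoryException e) {
                    // Fail closed: previously this was only logged, leaving a query with no condition,
                    // selector or limit to run — such a query is not restricted to impersonators.
                    throw new IllegalStateException("Cannot access impersonators: Unable to read principal name.", e);
                }
            }
        };
    }

    /**
     * Escapes {@code value} for use inside a query string literal: single quotes and
     * backslashes are doubled. {@code %} and {@code _} are left untouched, so a caller-supplied
     * wildcard keeps its meaning.
     */
    private static String escapeQueryLiteral(String value) {
        return value.replace("'", "''").replace("\\", "\\\\");
    }

    /** Returns the first request selector, or {@code null} when the request carries none. */
    private static String firstSelector(SlingHttpServletRequest request) {
        String[] selectors = request.getRequestPathInfo().getSelectors();
        return selectors.length > 0 ? selectors[0] : null;
    }

    /** Sends {@code response} (an error page) when one was produced; no-op otherwise. */
    private static void sendIfPresent(HtmlResponse response, SlingHttpServletResponse out) throws IOException {
        if (response != null) {
            response.send(out, true);
        }
    }

    /**
     * Informs every bound {@link ImpersonationNotifier} about a sudo or revert command.
     *
     * @param target       value of the {@code impersonate} parameter: the id of the user to
     *                     impersonate, or {@code "-"} for a revert
     * @param userId       id of the user the editing session acts as (the addressed resource)
     * @param actualUserId id of the really acting user: the impersonator on revert, otherwise
     *                     the session user; may be blank
     * @param resolver     resolver used to look up display names
     */
    @SuppressWarnings({"rawtypes", "unchecked"})
    void notifyImpersonation(String target, String userId, String actualUserId, ResourceResolver resolver) {
        // Snapshot: bind/unbind run with ReferencePolicy.DYNAMIC and may modify the list meanwhile.
        List<ImpersonationNotifier> recipients = new ArrayList<>(this.notifiers);
        if (recipients.isEmpty()) {
            return;
        }
        String actualUserName = StringUtils.isNotBlank(actualUserId)
                ? AuthorizableUtil.getFormattedName(resolver, actualUserId) : "";
        boolean revert = revertAction(target);
        // On revert the "impersonate" entries describe the session user being left, otherwise the target.
        String impersonateId = revert ? userId : target;
        String impersonateName = AuthorizableUtil.getFormattedName(resolver, impersonateId);
        String action = revert ? "revert" : "sudo";
        Date when = new Date();
        for (ImpersonationNotifier notifier : recipients) {
            if (notifier == null) {
                continue;
            }
            // Raw on purpose: the map type ImpersonationNotifier#notify expects is not visible here.
            HashMap payload = new HashMap();
            payload.put(ACTUAL_USER_ID, actualUserId);
            payload.put(ACTUAL_USER_NAME, actualUserName);
            payload.put(IMPERSONATE_NAME, impersonateName);
            payload.put(IMPERSONATE_ID, impersonateId);
            if (!revert) {
                payload.put("sudo", target);
            }
            notifier.notify(when, userId, action, payload);
        }
    }

    /**
     * Tells whether an {@code impersonate} parameter value is the revert command.
     *
     * @param command the parameter value
     * @return {@code true} for {@code "-"}, {@code false} for anything else (including {@code null})
     */
    boolean revertAction(String command) {
        return REVERT_COMMAND.equals(command);
    }

    /** SCR bind callback for the user-properties service. */
    protected void bindService(UserPropertiesService userPropertiesService) {
        this.service = userPropertiesService;
    }

    /** SCR unbind callback; clears the reference only if it is the bound instance. */
    protected void unbindService(UserPropertiesService userPropertiesService) {
        if (this.service == userPropertiesService) {
            this.service = null;
        }
    }

    /** SCR bind callback for the XSS filter used when writing authorizable JSON. */
    protected void bindXss(XSSFilter xSSFilter) {
        this.xss = xSSFilter;
    }

    /** SCR unbind callback; clears the reference only if it is the bound instance. */
    protected void unbindXss(XSSFilter xSSFilter) {
        if (this.xss == xSSFilter) {
            this.xss = null;
        }
    }
}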
