package com.adobe.granite.security.user.internal;

import com.adobe.granite.security.user.AuthorizableTypes;
import com.adobe.granite.security.user.UserManagementService;
import com.adobe.granite.security.user.UserProperties;
import com.adobe.granite.security.user.UserPropertiesComposite;
import com.adobe.granite.security.user.UserPropertiesFilter;
import com.adobe.granite.security.user.UserPropertiesManager;
import com.adobe.granite.security.user.UserPropertiesQueryParams;
import com.google.common.base.Function;
import com.google.common.base.Strings;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.Iterators;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Comparator;
import java.util.Iterator;
import java.util.List;
import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.jcr.ItemNotFoundException;
import javax.jcr.Node;
import javax.jcr.NodeIterator;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.query.Query;
import javax.jcr.security.Privilege;
import org.apache.commons.lang3.StringUtils;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.commons.JcrUtils;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.util.Text;
import org.apache.sling.api.resource.ResourceResolver;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/adobe/granite/security/user/internal/UserPropertiesManagerImpl.class */
public class UserPropertiesManagerImpl implements UserPropertiesManager {
    private static final Logger log = LoggerFactory.getLogger(UserPropertiesManagerImpl.class);
    // Namespace URI whose session prefix is resolved in the constructor to name the resource-type property.
    private static final String SLING_URI = "http://sling.apache.org/jcr/sling/1.0";
    // Not referenced by the code visible in this class (the constructor uses the literal ":resourceType").
    private static final String SLING_RESOURCE_TYPE = "resourceType";
    // Mixin added to every node created through createUserProperties.
    public static final String MIX_GRANITE_RANKING = "granite:Ranking";
    // JCR-SQL2 condition fragments. They are built once per instance in the constructor by
    // concatenating values obtained from UserManagementService into quoted string literals,
    // and are later joined into the statement assembled by createQueryString.
    private final String SQL2_CONDITION_IS_NOT_ADMIN;
    private final String SQL2_CONDITION_IS_NOT_ANONYMOUS;
    // Admin id as reported by UserManagementService; compared against the impersonator principal name.
    private final String ADMIN_USER_PRINCIPAL_NAME;
    // Fixed head of every query: joins each authorizable node with its direct child (the profile node).
    private static final String BASE_SQL2_AUTHORIZABLES_QUERY_STRING = "select profileNode.[jcr:path] from [nt:base] as authorizableNode inner join [nt:base] as profileNode on ischildnode(profileNode, authorizableNode) ";
    // Session used for node lookups, queries and ACL changes; everything this manager can see is
    // bounded by what this session can read.
    private final Session session;
    // Passed to UserPropertiesImpl and to the service; also adapted to a Session when aggregating.
    // NOTE(review): nothing here establishes that this resolver and `session` carry the same identity - confirm.
    private final ResourceResolver resourceResolver;
    private final UserPropertiesServiceImpl service;
    // "<sling prefix>:resourceType", resolved against the session's namespace mapping.
    private final String slingResourceType;
    // The jcr:read privilege, used by addReaders/removeReaders to build allow/deny entries.
    private final Privilege[] readPrivileges;
    // isdescendantnode(...) conditions for the authorizable, group, user and system-user roots.
    private final String DESCENDANT_OF_ALL_AUTHORIZABLES_ROOT_NODE;
    private final String DESCENDANT_OF_GROUPS_ROOT_NODE;
    private final String DESCENDANT_OF_USERS_ROOT_NODE;
    private final String DESCENDANT_OF_SYSTEM_USERS_ROOT_NODE;
    private final String NOT_DESCENDANT_OF_SYSTEM_USERS_ROOT_NODE;

    /* loaded from: input_file:com/adobe/granite/security/user/internal/UserPropertiesManagerImpl$UserPropertiesIterator.class */
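    /**
     * Look-ahead iterator that maps authorizable entries to the user-properties node found at
     * {@code relPath} below each of them. Entries without such a node, and entries whose lookup
     * fails with a {@link RepositoryException}, are skipped.
     *
     * <p>When {@code readableOnly} is set, an entry is only considered if the authorizable's own
     * node exists for the manager's session; otherwise only the properties node itself is probed
     * through {@code getNode}. In both cases visibility is decided by that session.
     */
    private class UserPropertiesIterator implements Iterator<UserProperties> {
        private final Iterator<AuthorizableInfo> infoIter;
        private final String relPath;
        private final boolean readableOnly;
        // Element handed out by the next call to next(); null once the source is exhausted.
        private UserProperties next;

        /**
         * @param it  source of authorizable entries
         * @param str relative path of the properties node below each authorizable
         * @param z   whether the authorizable node itself must exist for the session
         */
        public UserPropertiesIterator(@Nonnull Iterator<AuthorizableInfo> it, @Nonnull String str, boolean z) {
            this.infoIter = it;
            this.relPath = str;
            this.readableOnly = z;
            // Pre-load the first element so hasNext() is a plain null check.
            seek();
        }

        @Override
        public boolean hasNext() {
            return this.next != null;
        }

        /**
         * @throws java.util.NoSuchElementException if no element is left, as the
         *         {@link Iterator} contract requires (the look-ahead is null in that case)
         */
        @Override
        public UserProperties next() {
            if (this.next == null) {
                throw new java.util.NoSuchElementException();
            }
            UserProperties current = this.next;
            seek();
            return current;
        }

        /** Removal is not supported. */
        @Override
        public void remove() {
            throw new UnsupportedOperationException();
        }

        /** Advances the source until an entry with a properties node is found, or the source ends. */
        private void seek() {
            this.next = null;
            while (this.infoIter.hasNext()) {
                AuthorizableInfo info = this.infoIter.next();
                try {
                    if (this.readableOnly && !UserPropertiesManagerImpl.this.session.nodeExists(info.getPath())) {
                        // The authorizable node is not visible to the session: skip it.
                        continue;
                    }
                    Node node = UserPropertiesManagerImpl.this.getNode(info.getPath(), this.relPath);
                    if (node != null) {
                        this.next = UserPropertiesManagerImpl.this.getUserProperties(info, node);
                        return;
                    }
                } catch (RepositoryException e) {
                    // Best effort: a failing entry is logged and skipped instead of aborting the iteration.
                    UserPropertiesManagerImpl.log.warn("error retrieving properties of '{}'", info.getId(), e);
                }
            }
        }
    }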

    /**
     * Binds the manager to a JCR session and precomputes the JCR-SQL2 condition fragments
     * used by {@code createQueryString}.
     *
     * @param session                   session used for all repository access; must not be null
     * @param resourceResolver          resolver handed to the created {@link UserProperties}
     * @param userPropertiesServiceImpl owning service, also the source of the user-management settings
     * @throws RepositoryException if {@code session} is null or a repository lookup fails
     */
    public UserPropertiesManagerImpl(Session session, ResourceResolver resourceResolver, UserPropertiesServiceImpl userPropertiesServiceImpl) throws RepositoryException {
        if (session == null) {
            throw new RepositoryException("Cannot create UserPropertiesManager for 'null' session.");
        }
        this.resourceResolver = resourceResolver;
        this.session = session;
        this.service = userPropertiesServiceImpl;
        this.slingResourceType = session.getNamespacePrefix(SLING_URI) + ":resourceType";
        final String[] readPrivilegeNames = {"{http://www.jcp.org/jcr/1.0}read"};
        this.readPrivileges = AccessControlUtils.privilegesFromNames(session, readPrivilegeNames);

        // NOTE(review): the ids and root paths below are spliced into quoted SQL2 literals without
        // doubling single quotes. That is only sound while these values contain no quote
        // character - confirm against how UserManagementService is configured.
        final UserManagementService userManagement = userPropertiesServiceImpl.getUserManagementService();
        final String principalNameDiffers = "authorizableNode.[rep:principalName] <> '";
        this.SQL2_CONDITION_IS_NOT_ADMIN = principalNameDiffers + userManagement.getAdminId() + "'";
        this.SQL2_CONDITION_IS_NOT_ANONYMOUS = principalNameDiffers + userManagement.getAnonymousId() + "'";
        this.ADMIN_USER_PRINCIPAL_NAME = userManagement.getAdminId();

        final String descendantOpen = "isdescendantnode(authorizableNode, '";
        final String descendantClose = "')";
        this.DESCENDANT_OF_ALL_AUTHORIZABLES_ROOT_NODE = descendantOpen + userPropertiesServiceImpl.getUserManagementService().getAuthorizableRootPath() + descendantClose;
        this.DESCENDANT_OF_GROUPS_ROOT_NODE = descendantOpen + userPropertiesServiceImpl.getUserManagementService().getGroupRootPath() + descendantClose;
        this.DESCENDANT_OF_USERS_ROOT_NODE = descendantOpen + userPropertiesServiceImpl.getUserManagementService().getUserRootPath() + descendantClose;
        this.DESCENDANT_OF_SYSTEM_USERS_ROOT_NODE = descendantOpen + userPropertiesServiceImpl.getUserManagementService().getSystemUserRootPath() + descendantClose;
        this.NOT_DESCENDANT_OF_SYSTEM_USERS_ROOT_NODE = "NOT " + this.DESCENDANT_OF_SYSTEM_USERS_ROOT_NODE;
    }

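    /**
     * Creates (or returns) the user-properties node at {@code str2} below the authorizable
     * {@code str}, adding the title and ranking mixins and, for a node other than the
     * authorizable itself, the configured sling resource type.
     *
     * <p>The relative path is checked before anything is created: a path that steps above the
     * authorizable node at any point is rejected up front, so no transient node or mixin is
     * added outside the authorizable before the final scope check runs. The original code only
     * validated the resulting path after {@code getOrCreateByPath} and {@code addMixin} had
     * already modified the session. Paths that leave the authorizable and re-enter it were
     * accepted by that final check and are now rejected as well.
     *
     * @param str  authorizable id
     * @param str2 path of the properties node relative to the authorizable node
     * @return the user properties, or {@code null} if the authorizable is unknown or its node
     *         does not exist for this session
     * @throws RepositoryException if the path leaves the authorizable's subtree or the
     *         repository reports an error
     */
    @Override // com.adobe.granite.security.user.UserPropertiesManager
    @CheckForNull
    public UserProperties createUserProperties(@Nonnull String str, @Nonnull String str2) throws RepositoryException {
        Authorizable authorizable = this.session.getUserManager().getAuthorizable(str);
        if (authorizable == null) {
            return null;
        }
        String path = authorizable.getPath();
        if (!this.session.nodeExists(path)) {
            return null;
        }
        if (climbsAboveBase(str2)) {
            throw new RepositoryException("Attempt to create user properties outside of scope of authorizable '" + str + "'.");
        }
        Node node = this.session.getNode(path);
        Node orCreateByPath = JcrUtils.getOrCreateByPath(node, str2, false, (String) null, this.service.getNodeType(str2), false);
        orCreateByPath.addMixin("{http://www.jcp.org/jcr/mix/1.0}title");
        orCreateByPath.addMixin(MIX_GRANITE_RANKING);
        if (!orCreateByPath.isSame(node)) {
            String resourceType = this.service.getResourceType(str2);
            if (resourceType != null) {
                orCreateByPath.setProperty(this.slingResourceType, resourceType);
            }
        }
        // Kept as a second line of defence: compares the resolved path of the resulting node.
        if (isValidUserPropertiesPath(path, orCreateByPath.getPath())) {
            return getUserProperties(new AuthorizableInfo(authorizable), orCreateByPath);
        }
        throw new RepositoryException("Attempt to create user properties outside of scope of authorizable '" + str + "'.");
    }

    /** Returns true if walking {@code relPath} segment by segment ever steps above its starting node. */
    private static boolean climbsAboveBase(String relPath) {
        if (relPath == null) {
            return false;
        }
        int depth = 0;
        for (String segment : relPath.split("/")) {
            if ("..".equals(segment)) {
                depth--;
                if (depth < 0) {
                    return true;
                }
            } else if (!segment.isEmpty() && !".".equals(segment)) {
                depth++;
            }
        }
        return false;
    }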

    /**
     * Looks up the user properties stored at {@code str2} below the authorizable {@code str}.
     *
     * @param str  authorizable id
     * @param str2 relative path of the properties node, or {@code null} for the authorizable node itself
     * @return the user properties, or {@code null} if the service knows no such authorizable
     *         or the node does not exist for this session
     * @throws RepositoryException on repository errors or if the path resolves outside the authorizable
     */
    @Override // com.adobe.granite.security.user.UserPropertiesManager
    @CheckForNull
    public UserProperties getUserProperties(@Nonnull String str, @Nullable String str2) throws RepositoryException {
        AuthorizableInfo info = this.service.getAuthorizableInfo(str);
        return info != null ? getUserProperties(info, str2) : null;
    }

    /**
     * Looks up the user properties stored at {@code str} below the given authorizable.
     *
     * @param authorizable owner of the properties
     * @param str          relative path of the properties node, or {@code null} for the authorizable node itself
     * @return the user properties, or {@code null} if no such node exists for this session
     * @throws RepositoryException on repository errors or if the path resolves outside the authorizable
     */
    @Override // com.adobe.granite.security.user.UserPropertiesManager
    @CheckForNull
    public UserProperties getUserProperties(@Nonnull Authorizable authorizable, @Nullable String str) throws RepositoryException {
        Node propertiesNode = getNode(authorizable.getPath(), str);
        return propertiesNode == null
                ? null
                : getUserProperties(new AuthorizableInfo(authorizable), propertiesNode);
    }

    /**
     * Wraps an existing node as user properties of the authorizable the service associates
     * with the node's path.
     *
     * <p>NOTE(review): unlike {@code getNode}, this overload performs no scope check of its own;
     * it relies on {@code getAuthorizableInfoByPath} to decide ownership - confirm that lookup
     * only matches nodes inside an authorizable's subtree.
     *
     * @param node node holding the properties
     * @return the user properties for {@code node}
     * @throws RepositoryException if the node is not associated with an authorizable
     */
    @Override // com.adobe.granite.security.user.UserPropertiesManager
    @Nonnull
    public UserProperties getUserProperties(@Nonnull Node node) throws RepositoryException {
        String nodePath = node.getPath();
        AuthorizableInfo owner = this.service.getAuthorizableInfoByPath(nodePath);
        if (owner == null) {
            String message = "User properties node '" + nodePath + "' is not associated with an authorizable.";
            log.debug(message);
            throw new RepositoryException(message);
        }
        return getUserProperties(owner, node);
    }

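    /**
     * Aggregates all user-properties nodes the service lists for {@code str} / {@code str2},
     * ordered by {@code comparator}.
     *
     * <p>Changes against the decompiled original: the relative path is derived by stripping the
     * authorizable path only as a leading prefix (the original {@code replace} removed every
     * occurrence of it), the collected list is typed, and the adapted session is cast
     * explicitly before {@code getNodeOrNull} is called.
     *
     * <p>NOTE(review): the aggregate node is read through the session adapted from the resource
     * resolver, while the individual properties are read through this manager's session -
     * confirm both carry the same access rights.
     *
     * @param str        authorizable id
     * @param str2       relative root path handed to the service
     * @param comparator ordering applied to the listed nodes (the list is sorted in place)
     * @return the aggregated properties; empty if the service lists no nodes
     * @throws RepositoryException if the authorizable is unknown or the repository reports an error
     */
    @Override // com.adobe.granite.security.user.UserPropertiesManager
    @Nonnull
    public UserProperties getUserProperties(@Nonnull String str, @Nullable String str2, @Nonnull Comparator<Node> comparator) throws RepositoryException {
        AuthorizableInfo authorizableInfo = this.service.getAuthorizableInfo(str);
        checkValidAuthorizableInfo(authorizableInfo, str);
        List<Node> propertyNodes = this.service.listUserPropertiesNodes(authorizableInfo, str2, this.resourceResolver);
        if (propertyNodes.isEmpty()) {
            return new AggregatedUserProperties(authorizableInfo, null, ImmutableList.of());
        }
        Collections.sort(propertyNodes, comparator);
        String prefix = authorizableInfo.getPath() + "/";
        List<UserProperties> collected = new ArrayList<UserProperties>();
        for (Node propertyNode : propertyNodes) {
            String nodePath = propertyNode.getPath();
            String relPath = nodePath.startsWith(prefix) ? nodePath.substring(prefix.length()) : nodePath;
            UserProperties userProperties = getUserProperties(authorizableInfo, relPath);
            if (userProperties != null) {
                collected.add(userProperties);
            }
        }
        Node aggregateNode = null;
        Session resolverSession = this.resourceResolver.adaptTo(Session.class);
        if (resolverSession instanceof JackrabbitSession) {
            aggregateNode = ((JackrabbitSession) resolverSession).getNodeOrNull(UserPropertiesServiceImpl.getUserPropertiesPath(authorizableInfo, str2));
        }
        return new AggregatedUserProperties(authorizableInfo, aggregateNode, collected);
    }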

    /**
     * Builds a composite from the user properties found at each of the given relative paths.
     *
     * <p>NOTE(review): {@code getUserProperties(String, String)} may return {@code null}; such
     * results are added to the list as-is, unlike the aggregating overload which drops them -
     * confirm {@code UserPropertiesCompositeImpl} tolerates null entries.
     *
     * @param str    authorizable id; must not be null or empty
     * @param strArr relative paths; must not be null or empty
     * @throws IllegalArgumentException if an argument is missing
     * @throws RepositoryException on repository errors
     */
    @Override // com.adobe.granite.security.user.UserPropertiesManager
    public UserPropertiesComposite getUserPropertiesComposite(String str, String[] strArr) throws RepositoryException {
        if (Strings.isNullOrEmpty(str)) {
            throw new IllegalArgumentException("authorizable ID must not be empty or null");
        }
        if (strArr == null || strArr.length == 0) {
            throw new IllegalArgumentException("relPaths must not be empty or null");
        }
        List<UserProperties> parts = new ArrayList<UserProperties>();
        for (int i = 0; i < strArr.length; i++) {
            parts.add(getUserProperties(str, strArr[i]));
        }
        return new UserPropertiesCompositeImpl(str, parts);
    }

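    /**
     * Builds a composite from every node below the authorizable that the filter accepts.
     *
     * <p>The traversal starts at the authorizable node itself and visits all of its descendants
     * that this session can read, not only profile nodes; what ends up in the composite is
     * decided solely by {@code userPropertiesFilter} and the session's read access.
     *
     * <p>{@code getNode} returns {@code null} when the authorizable path is unknown or the node
     * does not exist for this session. The original passed that {@code null} on and failed with
     * a {@link NullPointerException}; this now raises {@link ItemNotFoundException}, matching
     * the other composite lookups.
     *
     * @param str                 authorizable id; must not be null or empty
     * @param userPropertiesFilter filter deciding which nodes are included; must not be null
     * @throws IllegalArgumentException if an argument is missing
     * @throws RepositoryException if the authorizable node cannot be found or the repository reports an error
     */
    @Override // com.adobe.granite.security.user.UserPropertiesManager
    public UserPropertiesComposite getUserPropertiesComposite(String str, UserPropertiesFilter userPropertiesFilter) throws RepositoryException {
        if (Strings.isNullOrEmpty(str)) {
            throw new IllegalArgumentException("authorizable ID must not be empty or null");
        }
        if (null == userPropertiesFilter) {
            throw new IllegalArgumentException("filter must not be null");
        }
        Node root = getNode(this.service.getAuthorizablePath(str), null);
        if (root == null) {
            throw new ItemNotFoundException("Unable to retrieve properties for " + str);
        }
        List<UserProperties> matches = new ArrayList<UserProperties>();
        traverseAndFilterNodes(root, userPropertiesFilter, matches);
        return new UserPropertiesCompositeImpl(str, matches);
    }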

    /**
     * Convenience overload of the comparator-based composite lookup that orders the nodes
     * with {@code DESCENDING_RANKING_COMPARATOR}.
     *
     * @param str  authorizable id
     * @param str2 relative root path handed to the service
     * @throws RepositoryException if the authorizable is unknown or the repository reports an error
     */
    @Override // com.adobe.granite.security.user.UserPropertiesManager
    @Nonnull
    public UserPropertiesComposite getUserPropertiesComposite(@Nonnull String str, @Nullable String str2) throws RepositoryException {
        return this.getUserPropertiesComposite(str, str2, DESCENDING_RANKING_COMPARATOR);
    }

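    /**
     * Builds a composite from all user-properties nodes the service lists for
     * {@code str} / {@code str2}, ordered by {@code comparator}.
     *
     * <p>The relative path of each node is obtained by stripping the authorizable path as a
     * leading prefix only; the original {@code replace} call removed every occurrence of that
     * path inside the node path, which yields a wrong relative path when the same segment
     * sequence reappears deeper in the tree.
     *
     * @param str        authorizable id
     * @param str2       relative root path handed to the service
     * @param comparator ordering applied to the listed nodes (the list is sorted in place)
     * @return the composite; empty if the service lists no nodes
     * @throws RepositoryException if the authorizable is unknown or the repository reports an error
     */
    @Override // com.adobe.granite.security.user.UserPropertiesManager
    @Nonnull
    public UserPropertiesComposite getUserPropertiesComposite(@Nonnull String str, @Nullable String str2, @Nonnull Comparator<Node> comparator) throws RepositoryException {
        AuthorizableInfo authorizableInfo = this.service.getAuthorizableInfo(str);
        checkValidAuthorizableInfo(authorizableInfo, str);
        List<Node> propertyNodes = this.service.listUserPropertiesNodes(authorizableInfo, str2, this.resourceResolver);
        if (propertyNodes.isEmpty()) {
            return new UserPropertiesCompositeImpl(str, ImmutableList.of());
        }
        Collections.sort(propertyNodes, comparator);
        String prefix = authorizableInfo.getPath() + "/";
        String[] relPaths = new String[propertyNodes.size()];
        for (int i = 0; i < relPaths.length; i++) {
            String nodePath = propertyNodes.get(i).getPath();
            relPaths[i] = nodePath.startsWith(prefix) ? nodePath.substring(prefix.length()) : nodePath;
        }
        return getUserPropertiesComposite(str, relPaths);
    }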

    /**
     * Resolves the node at {@code str2} below the authorizable path {@code str}.
     *
     * <p>The scope check is made on the path reported by the retrieved node, not on the
     * requested string, so a relative path that resolves to a node outside the authorizable
     * is rejected with an exception rather than returned. Existence is evaluated through this
     * manager's session.
     *
     * @param str  absolute path of the authorizable node
     * @param str2 relative path below it, or {@code null} for the authorizable node itself
     * @return the node, or {@code null} if {@code str} is empty or the node does not exist
     * @throws RepositoryException if the node lies outside the authorizable or the repository reports an error
     */
    @CheckForNull
    protected Node getNode(@Nonnull String str, @Nullable String str2) throws RepositoryException {
        if (Strings.isNullOrEmpty(str)) {
            return null;
        }
        String absPath = (str2 == null) ? str : str + '/' + str2;
        if (this.session.nodeExists(absPath)) {
            Node candidate = this.session.getNode(absPath);
            if (!isValidUserPropertiesPath(str, candidate.getPath())) {
                throw new RepositoryException("User properties outside of scope of authorizable '" + Text.getName(str) + "'.");
            }
            return candidate;
        }
        return null;
    }

    /**
     * Wraps an already-resolved node as the user properties of {@code authorizableInfo}.
     * No path or scope validation happens here; callers are expected to have done it.
     */
    @Nonnull
    private UserProperties getUserProperties(@Nonnull AuthorizableInfo authorizableInfo, @Nonnull Node node) {
        UserProperties wrapped = new UserPropertiesImpl(authorizableInfo, node, this.resourceResolver);
        return wrapped;
    }

    /**
     * Resolves the node at {@code str} below the authorizable via {@code getNode} and wraps it.
     *
     * @return the user properties, or {@code null} if the node does not exist for this session
     * @throws RepositoryException on repository errors or if the path resolves outside the authorizable
     */
    @CheckForNull
    private UserProperties getUserProperties(@Nonnull AuthorizableInfo authorizableInfo, @Nullable String str) throws RepositoryException {
        Node propertiesNode = getNode(authorizableInfo.getPath(), str);
        return propertiesNode != null ? getUserProperties(authorizableInfo, propertiesNode) : null;
    }

    /**
     * Scope check used before a node is handed out or after it is created: {@code str2} must be
     * the authorizable path {@code str} itself or lie below it, as decided by
     * {@code Text.isDescendantOrEqual}.
     *
     * <p>NOTE(review): both call sites pass the path reported by a {@code Node}; this is a string
     * comparison and presumably expects already-resolved paths - confirm before calling it with
     * caller-supplied strings.
     */
    private static boolean isValidUserPropertiesPath(@Nonnull String str, @Nonnull String str2) {
        boolean withinAuthorizable = Text.isDescendantOrEqual(str, str2);
        return withinAuthorizable;
    }

    /**
     * Depth-first walk over {@code node} and all of its child nodes, adding the user properties
     * of every node the filter accepts to {@code collection}.
     *
     * <p>The walk is recursive and has no depth limit; it visits whatever {@code node.getNodes()}
     * returns, so the set of visited nodes is bounded only by what the node's session can read.
     *
     * @throws RepositoryException if a visited node is not associated with an authorizable or
     *         the repository reports an error
     */
    protected void traverseAndFilterNodes(Node node, UserPropertiesFilter userPropertiesFilter, Collection<UserProperties> collection) throws RepositoryException {
        UserProperties current = getUserProperties(node);
        boolean accepted = userPropertiesFilter.includes(current);
        if (accepted) {
            collection.add(current);
        }
        for (NodeIterator children = node.getNodes(); children.hasNext(); ) {
            traverseAndFilterNodes(children.nextNode(), userPropertiesFilter, collection);
        }
    }

    /**
     * Iterates over the user properties at {@code str} of the members the service reports for
     * {@code group}.
     *
     * <p>The iterator is created with {@code readableOnly = false}: the member's own node is not
     * probed first, only the properties node is looked up through this session.
     *
     * @param group group whose members are listed
     * @param str   relative path of the properties node below each member
     * @param z     passed through to {@code service.getMembers}
     */
    @Override // com.adobe.granite.security.user.UserPropertiesManager
    @Nonnull
    public Iterator<UserProperties> getMemberUserProperties(@Nonnull Group group, @Nonnull String str, boolean z) throws RepositoryException {
        Iterator<AuthorizableInfo> members = this.service.getMembers(group, z);
        return new UserPropertiesIterator(members, str, false);
    }

    /**
     * Adds an allow entry for jcr:read on the properties node for each given principal.
     *
     * @return {@code true} if the access control list was modified and saved
     * @throws RepositoryException on repository errors
     */
    @Override // com.adobe.granite.security.user.UserPropertiesManager
    public boolean addReaders(@Nonnull UserProperties userProperties, @Nonnull Principal... principalArr) throws RepositoryException {
        final boolean allow = true;
        return setReadable(userProperties, allow, principalArr);
    }

    /**
     * Adds a deny entry for jcr:read on the properties node for each given principal
     * ({@code setReadable} is called with {@code isAllow = false}).
     *
     * @return {@code true} if the access control list was modified and saved
     * @throws RepositoryException on repository errors
     */
    @Override // com.adobe.granite.security.user.UserPropertiesManager
    public boolean removeReaders(@Nonnull UserProperties userProperties, @Nonnull Principal... principalArr) throws RepositoryException {
        final boolean allow = false;
        return setReadable(userProperties, allow, principalArr);
    }

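    /**
     * Adds an allow ({@code z == true}) or deny ({@code z == false}) entry for jcr:read on the
     * properties node for every given principal, then writes and saves the policy if anything
     * changed.
     *
     * <p>The original accumulated the result with {@code z2 = z2 || addEntry(...)}. Because
     * {@code ||} short-circuits, {@code addEntry} was no longer called once one principal had
     * modified the list, so later principals silently kept their previous access while the
     * method still returned {@code true}. Every principal is now processed.
     *
     * <p>{@code session.save()} persists all pending changes of the session, not only the policy.
     *
     * @return {@code true} if at least one entry changed the list; {@code false} if nothing
     *         changed or no access control list is available for the path
     * @throws RepositoryException on repository errors
     */
    private boolean setReadable(@Nonnull UserProperties userProperties, boolean z, @Nonnull Principal... principalArr) throws RepositoryException {
        String path = userProperties.getNode().getPath();
        JackrabbitAccessControlList accessControlList = AccessControlUtils.getAccessControlList(this.session, path);
        if (accessControlList == null) {
            return false;
        }
        boolean modified = false;
        for (Principal principal : principalArr) {
            // Call addEntry first so it runs for every principal regardless of earlier results.
            boolean entryChanged = accessControlList.addEntry(principal, this.readPrivileges, z);
            modified = entryChanged || modified;
        }
        if (modified) {
            this.session.getAccessControlManager().setPolicy(path, accessControlList);
            this.session.save();
        }
        return modified;
    }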

    /**
     * Iterates over the user properties at {@code str2} of the groups the service reports the
     * authorizable {@code str} to be a member of.
     *
     * <p>The iterator is created with {@code readableOnly = true}: a group is only considered
     * if its own node exists for this manager's session.
     *
     * @param str  authorizable id
     * @param str2 relative path of the properties node below each group
     * @param z    passed through to {@code service.getMemberOf}
     */
    @Override // com.adobe.granite.security.user.UserPropertiesManager
    @Nonnull
    public Iterator<UserProperties> getMemberOfUserProperties(@Nonnull String str, @Nonnull String str2, boolean z) throws RepositoryException {
        Iterator<AuthorizableInfo> groups = this.service.getMemberOf(str, z);
        return new UserPropertiesIterator(groups, str2, true);
    }

    /** Returns a fresh, empty parameter object for {@code query}. */
    @Override // com.adobe.granite.security.user.UserPropertiesManager
    @Nonnull
    public UserPropertiesQueryParams createQueryParams() {
        UserPropertiesQueryParams params = new UserPropertiesQueryParamsImpl();
        return params;
    }

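    /**
     * Runs the JCR-SQL2 statement built by {@code createQueryString} and lazily maps each
     * resulting node to its user properties.
     *
     * <p>Offset and limit are taken from the parameter object as given. The statement runs in
     * this manager's session, so results are restricted to what that session can read.
     * Mapping happens while the returned iterator is consumed; a node that cannot be mapped
     * makes {@code next()} throw a {@link RuntimeException} wrapping the repository error.
     *
     * <p>Changes against the decompiled original: the empty result is typed explicitly, and the
     * caught exception is passed to the logger so the cause is not lost from the log.
     *
     * @param userPropertiesQueryParams search parameters
     * @param str                       name of the profile node to match
     * @return matching user properties; empty if the parameters cannot match anything
     * @throws RepositoryException if the query cannot be created or executed
     */
    @Override // com.adobe.granite.security.user.UserPropertiesManager
    @Nonnull
    public Iterator<UserProperties> query(@Nonnull UserPropertiesQueryParams userPropertiesQueryParams, @Nonnull String str) throws RepositoryException {
        String statement = createQueryString(userPropertiesQueryParams, str);
        if (statement == null) {
            return Collections.<UserProperties>emptyList().iterator();
        }
        Query sql2Query = this.session.getWorkspace().getQueryManager().createQuery(statement, "JCR-SQL2");
        sql2Query.setOffset(userPropertiesQueryParams.getOffset());
        sql2Query.setLimit(userPropertiesQueryParams.getLimit());
        return Iterators.transform(sql2Query.execute().getNodes(), new Function<Node, UserProperties>() {
            @Nonnull
            public UserProperties apply(@Nonnull Node node) {
                try {
                    return UserPropertiesManagerImpl.this.getUserProperties(node);
                } catch (RepositoryException e) {
                    UserPropertiesManagerImpl.log.error("Could not obtain authorizable path for: {}", node, e);
                    throw new RuntimeException(e);
                }
            }
        });
    }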

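    /**
     * Assembles the JCR-SQL2 statement for {@code query}.
     *
     * <p>Two corrections against the original:
     * <ul>
     *   <li>the impersonators condition was emitted as {@code authorizableNode.[rep:impersonators = '...'},
     *       without the closing bracket of the property name, which is not a well-formed
     *       condition; it is now {@code authorizableNode.[rep:impersonators] = '...'};</li>
     *   <li>the profile node name {@code str} was concatenated into a quoted literal unescaped;
     *       single quotes in it are now doubled like every other literal in this statement.</li>
     * </ul>
     *
     * @param userPropertiesQueryParams search parameters
     * @param str                       name of the profile node to match
     * @return the statement, or {@code null} when the admin principal asks for users it cannot
     *         impersonate (no result is possible)
     * @throws IllegalArgumentException if the impersonable filter is set without a principal
     *         name, or asks for non-impersonable users of a non-admin principal
     */
    @Nullable
    private String createQueryString(@Nonnull UserPropertiesQueryParams userPropertiesQueryParams, @Nonnull String str) {
        List<String> conditions = new ArrayList<String>();
        conditions.add("name(profileNode) = '" + escapeXPathComparedValue(str) + "'");
        conditions.addAll(getAuthorizableLocationConditions(userPropertiesQueryParams.getAuthorizableTypes()));

        String orderBy = "";
        String fulltext = userPropertiesQueryParams.getFulltextQuery();
        if (StringUtils.isEmpty(fulltext)) {
            orderBy = " order by profileNode.[displayName]";
        } else {
            // NOTE(review): str is also embedded here inside a bracketed property path, where
            // quote doubling does not apply. Callers should restrict it to a plain node name;
            // consider validating it before it reaches this method.
            conditions.add("contains(authorizableNode.[" + str + "/*], '" + escapeXPathFunctionArgument(Text.escapeIllegalXpathSearchChars(fulltext.trim())) + "*')");
        }

        Boolean impersonableFilter = userPropertiesQueryParams.getImpersonableUserFilter();
        if (impersonableFilter != null) {
            String impersonatorPrincipalName = userPropertiesQueryParams.getImpersonatorPrincipalName();
            if (impersonatorPrincipalName == null) {
                throw new IllegalArgumentException("Impersonable user filter used but no principal name provided");
            }
            boolean wantImpersonable = impersonableFilter.booleanValue();
            if (impersonatorPrincipalName.equals(this.ADMIN_USER_PRINCIPAL_NAME)) {
                if (!wantImpersonable) {
                    return null;
                }
                // For the admin principal the filter is expressed as "everyone but admin and anonymous".
                conditions.add(this.SQL2_CONDITION_IS_NOT_ADMIN);
                conditions.add(this.SQL2_CONDITION_IS_NOT_ANONYMOUS);
            } else {
                if (!wantImpersonable) {
                    throw new IllegalArgumentException("Unable to search for users that the provided principal cannot impersonate");
                }
                conditions.add("authorizableNode.[rep:impersonators] = '" + escapeXPathComparedValue(impersonatorPrincipalName) + "'");
            }
        }

        StringBuilder sb = new StringBuilder(BASE_SQL2_AUTHORIZABLES_QUERY_STRING);
        if (!conditions.isEmpty()) {
            sb.append("WHERE ").append(StringUtils.join(conditions, " and "));
        }
        sb.append(orderBy);
        return sb.toString();
    }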

    /**
     * Translates the requested authorizable types into the precomputed
     * {@code isdescendantnode(...)} conditions. {@code null} is treated as
     * {@code AuthorizableTypes.ALL}.
     *
     * <p>NOTE(review): the returned conditions are joined with {@code and} by the caller, so a
     * type that includes both groups and users would require a node to lie below both roots -
     * confirm which combinations {@code AuthorizableTypes} actually defines.
     *
     * @return the location conditions for the query's WHERE clause
     */
    @Nonnull
    private List<String> getAuthorizableLocationConditions(@Nullable AuthorizableTypes authorizableTypes) {
        AuthorizableTypes types = (authorizableTypes != null) ? authorizableTypes : AuthorizableTypes.ALL;
        List<String> conditions = new ArrayList<String>();
        if (types == AuthorizableTypes.ALL) {
            conditions.add(this.DESCENDANT_OF_ALL_AUTHORIZABLES_ROOT_NODE);
            return conditions;
        }
        if (types.includesGroups()) {
            conditions.add(this.DESCENDANT_OF_GROUPS_ROOT_NODE);
        }
        if (types.includesUsers()) {
            conditions.add(this.DESCENDANT_OF_USERS_ROOT_NODE);
            if (!types.includesSystemUsers()) {
                // Regular users only: exclude the system-user subtree explicitly.
                conditions.add(this.NOT_DESCENDANT_OF_SYSTEM_USERS_ROOT_NODE);
            }
        } else if (types.includesSystemUsers()) {
            conditions.add(this.DESCENDANT_OF_SYSTEM_USERS_ROOT_NODE);
        }
        return conditions;
    }

    /**
     * Escapes a value for use inside a single-quoted function argument of the query:
     * each backslash is doubled and each single quote is doubled. All other characters
     * are passed through unchanged.
     */
    private String escapeXPathFunctionArgument(String str) {
        // Backslashes first; the second pass only touches quotes, so the two do not interfere.
        String backslashesDoubled = str.replace("\\", "\\\\");
        return backslashesDoubled.replace("'", "''");
    }

    /**
     * Escapes a value for use inside a single-quoted literal of a comparison: each single
     * quote is doubled, everything else (including backslashes) is passed through unchanged.
     */
    private String escapeXPathComparedValue(String str) {
        return str.replace("'", "''");
    }

    /**
     * Guard used by the lookups that must not continue without an authorizable.
     *
     * @param authorizableInfo lookup result to check
     * @param str              authorizable id, used in the error message only
     * @throws RepositoryException an {@link ItemNotFoundException} if {@code authorizableInfo} is null
     */
    private static void checkValidAuthorizableInfo(@Nullable AuthorizableInfo authorizableInfo, @Nonnull String str) throws RepositoryException {
        if (authorizableInfo != null) {
            return;
        }
        throw new ItemNotFoundException("Unable to retrieve properties for " + str);
    }
}
