package com.day.cq.auth.impl.cug;

import com.day.cq.auth.impl.CugSupport;
import java.security.Principal;
import java.util.Collections;
import java.util.Dictionary;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import javax.jcr.Node;
import javax.jcr.NodeIterator;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.observation.EventIterator;
import javax.jcr.observation.EventListener;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import javax.servlet.http.HttpServletRequest;
import org.apache.felix.scr.annotations.Activate;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.ConfigurationPolicy;
import org.apache.felix.scr.annotations.Deactivate;
import org.apache.felix.scr.annotations.Modified;
import org.apache.felix.scr.annotations.Properties;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.Reference;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.sling.api.SlingException;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.api.resource.ResourceUtil;
import org.apache.sling.commons.osgi.OsgiUtil;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceRegistration;
import org.osgi.service.event.Event;
import org.osgi.service.event.EventHandler;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Component(label = "%auth.cug.name", description = "%auth.cug.description", metatype = true, policy = ConfigurationPolicy.REQUIRE)
@Properties({@Property(name = "service.description", value = {"Day CQ Closed User Group (CUG) Support"}), @Property(name = "event.topics", value = {"org/apache/sling/api/resource/ResourceResolverMapping/CHANGED"}, propertyPrivate = true)})
/* loaded from: input_file:com/day/cq/auth/impl/cug/CugSupportImpl.class */
public class CugSupportImpl implements CugSupport, EventListener, EventHandler {
    // OSGi configuration key: master switch for CUG handling, read in configure().
    private static final String CUG_ENABLED = "cug.enabled";
    // NOTE(review): this is decompiled code. The decompiler also prints this constant where locals
    // of other types are initialised (e.g. the int loop indices in installCUG); those uses look
    // like zero/null literals in the original source - confirm against the bytecode.
    private static final boolean CUG_ENABLED_DEFAULT = false;
    // OSGi configuration key: names of principals whose inherited ACEs are copied onto each CUG root.
    private static final String CUG_EXEMPTED = "cug.exempted.principals";
    private static final String CUG_EXEMPTED_DEFAULT = "administrators";

    // Factory used in activate() to obtain the administrative resolver held in 'resolver'.
    @Reference
    private ResourceResolverFactory resourceResolverFactory;

    // Multi-valued property; the names listed here keep their inherited permissions on CUG roots,
    // so every entry widens who can still reach closed content.
    @Property(name = CUG_EXEMPTED, value = {CUG_EXEMPTED_DEFAULT}, cardinality = 200)
    private String[] cugExemptedPrincipals;

    // CUG handling is off unless explicitly configured.
    @Property(name = CUG_ENABLED, boolValue = {false})
    private boolean cugEnabled;
    // Optional regex/replacement pair applied to admitted principal names in installCUG().
    private static final String CUG_PRINCIPALS_REGEX = "cug.principals.regex";
    private static final String CUG_PRINCIPALS_REPLACEMENT = "cug.principals.replacement";

    // An empty regex disables the rewrite (installCUG checks length() > 0).
    @Property(name = CUG_PRINCIPALS_REGEX, value = {""})
    private String cugPrincipalsRegex;

    @Property(name = CUG_PRINCIPALS_REPLACEMENT, value = {""})
    private String cugPrincipalsReplacement;
    // Administrative resolver opened in activate() and closed in deactivate(). Its JCR session is
    // used for observation, queries and every ACL write in this class.
    // NOTE(review): the same resolver is used by onEvent(), handleEvent() and the request-facing
    // getLoginPage()/getRealm(); presumably these run on different threads - confirm that sharing
    // one session this way is safe for the deployed repository.
    private ResourceResolver resolver;
    // Last component configuration; copied into the service registration by getProperties().
    private Map<String, Object> properties;
    // Registration of this object as CugSupport/EventHandler; null while CUG support is disabled.
    private ServiceRegistration registration;
    private CugSupportWebConsolePlugin webConsolePlugin;
    private final Logger log = LoggerFactory.getLogger(CugSupportImpl.class);
    // Known CUG roots keyed by repository path, in reverse natural String order. getCugRoot()
    // returns the first key that is a prefix of the requested path, so this ordering puts a
    // nested root ahead of a root above it.
    // NOTE(review): a plain TreeMap with no synchronisation visible in this class; it is mutated
    // from enable()/disable() and iterated in getCugRoot()/getProperties().
    private final Map<String, CugRoot> cugRoots = new TreeMap(Collections.reverseOrder());

    /**
     * Starts the component: opens the administrative resolver, applies the configuration,
     * registers the repository observation listener and finally the web console plugin.
     *
     * <p>If the administrative login fails, neither configure() nor registerObservation() runs;
     * the component stays active but CUG support is off (the error is only logged).
     *
     * @param bundleContext bundle context handed to configure() and the console plugin
     * @param map component configuration
     */
    @Activate
    private void activate(BundleContext bundleContext, Map<String, Object> map) {
        properties = map;
        cugRoots.clear();
        try {
            // NOTE(review): this is a full-privilege session kept open for the component's whole
            // lifetime. Everything below (queries, observation, ACL writes) runs with it, so any
            // content-driven code path in this class acts with administrative rights. Newer Sling
            // API versions offer service-user resolvers with a narrower permission set; whether
            // this deployment can use one is not visible here.
            resolver = resourceResolverFactory.getAdministrativeResourceResolver((Map<String, Object>) null);
            configure(bundleContext, map);
            registerObservation();
        } catch (LoginException loginFailure) {
            log.error("activate: Cannot get an administrative ResourceResolver; CUG support disabled", loginFailure);
        }

        // The console plugin is optional; any failure here must not stop activation.
        try {
            webConsolePlugin = new CugSupportWebConsolePlugin(bundleContext, this);
        } catch (Throwable pluginFailure) {
            log.warn("activate: Failed registering the CUG Web Console Plugin", pluginFailure);
        }
    }

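    /**
     * Applies the component configuration and (re)registers the CugSupport service.
     *
     * <p>Two fixes over the previous body: the principal-name regex and replacement are read
     * before {@code findInitialSet()} runs, because that call installs ACLs through
     * {@code installCUG()}, which applies the regex; and a {@code null} map no longer causes a
     * NullPointerException but falls back to the last known configuration.
     *
     * <p>Switching {@code cug.enabled} off only drops the service registration. ACLs already
     * written to the repository and the entries in {@code cugRoots} are left as they are.
     *
     * @param bundleContext used to register this object as CugSupport and EventHandler
     * @param map new configuration, or {@code null} to keep the current one
     */
    @Modified
    private void configure(BundleContext bundleContext, Map<String, Object> map) {
        if (this.registration != null) {
            this.registration.unregister();
            this.registration = null;
        }
        if (map != null) {
            this.properties = map;
        }
        Map<String, Object> config = this.properties;
        if (config == null) {
            config = Collections.emptyMap();
        }

        final String[] exempted = OsgiUtil.toStringArray(config.get(CUG_EXEMPTED));
        this.cugExemptedPrincipals = exempted != null ? exempted : new String[]{CUG_EXEMPTED_DEFAULT};

        // Must be in place before findInitialSet(): installCUG() rewrites admitted principal
        // names with these values while it builds each ACL.
        this.cugPrincipalsRegex = OsgiUtil.toString(config.get(CUG_PRINCIPALS_REGEX), "");
        this.cugPrincipalsReplacement = OsgiUtil.toString(config.get(CUG_PRINCIPALS_REPLACEMENT), "");

        this.cugEnabled = OsgiUtil.toBoolean(config.get(CUG_ENABLED), false);
        if (this.cugEnabled) {
            findInitialSet();
            this.registration = bundleContext.registerService(new String[]{CugSupport.SERVICE_NAME, EventHandler.class.getName()}, this, getProperties());
        }
    }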

    /**
     * Registers this object as JCR observation listener on the whole repository.
     *
     * <p>The listener is attached to the session returned by getSession(), so it is notified
     * with that session's view of the repository. Event type mask 63 covers the six JCR node
     * and property event types; the path is "/" with deep listening. The final {@code true} is
     * the noLocal flag, so changes saved through this same session (the ACL writes done by
     * this class) are not delivered back to onEvent().
     */
    private void registerObservation() {
        final Session session = getSession();
        if (session == null) {
            return;
        }
        try {
            session.getWorkspace()
                    .getObservationManager()
                    .addEventListener(this, 63, "/", true, (String[]) null, (String[]) null, true);
            log.info("registered observation listener");
        } catch (RepositoryException registrationFailure) {
            log.error("error while registering observation: ", registrationFailure);
        }
    }

    /**
     * Removes this object from the observation manager of the session returned by getSession().
     * A failure is logged and otherwise ignored, since this runs during shutdown.
     */
    private void unregisterObservation() {
        final Session session = getSession();
        if (session == null) {
            return;
        }
        try {
            session.getWorkspace().getObservationManager().removeEventListener(this);
            log.info("unregistered ovservation.");
        } catch (RepositoryException removalFailure) {
            log.error("error unregistering observation: ", removalFailure);
        }
    }

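    /**
     * Returns the JCR session behind the administrative resolver.
     *
     * <p>The resolver is null when the administrative login in activate() failed and after
     * deactivate(); in that case this returns {@code null} instead of throwing a
     * NullPointerException, which is what the {@code session != null} checks in
     * registerObservation() and unregisterObservation() expect.
     *
     * @return the session, or {@code null} if no resolver is available or it cannot be adapted
     */
    private Session getSession() {
        final ResourceResolver current = this.resolver;
        if (current == null) {
            return null;
        }
        return (Session) current.adaptTo(Session.class);
    }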

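    /**
     * Stops the component: disposes the console plugin, unregisters the service, removes the
     * observation listener, closes the administrative resolver and forgets all CUG roots.
     *
     * <p>The observation listener is only removed when a resolver exists, because it was
     * registered through that resolver's session; previously a failed administrative login in
     * activate() made this method fail before the remaining cleanup. The resolver is closed in
     * a {@code finally} block so the administrative session is released even if removing the
     * listener throws.
     */
    @Deactivate
    private void deactivate() {
        if (this.webConsolePlugin != null) {
            this.webConsolePlugin.dispose();
            this.webConsolePlugin = null;
        }
        if (this.registration != null) {
            this.registration.unregister();
            this.registration = null;
        }
        if (this.resolver != null) {
            try {
                unregisterObservation();
            } finally {
                this.resolver.close();
                this.resolver = null;
            }
        }
        this.cugRoots.clear();
    }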

    /**
     * JCR observation callback. Collects the paths that may have become, changed or stopped
     * being a CUG root and hands them to manage(); the service registration is refreshed when
     * manage() reports a change.
     *
     * <p>A path is collected when it is a known CUG root, when the changed item's name starts
     * with "cq:cug" (the grandparent path is taken), or when it is the "jcr:content" child of a
     * known CUG root.
     *
     * <p>NOTE(review): the events describe writes made by other sessions, and the follow-up in
     * manage() changes ACLs with the administrative session. Whoever may write items named
     * cq:cug* therefore indirectly controls ACL changes on the grandparent node; confirm that
     * write access to those items is restricted accordingly.
     *
     * @param eventIterator the batch of repository events
     */
    public void onEvent(EventIterator eventIterator) {
        final Set<String> candidates = new HashSet<String>();
        while (eventIterator.hasNext()) {
            try {
                final String eventPath = eventIterator.nextEvent().getPath();
                if (cugRoots.containsKey(eventPath)) {
                    candidates.add(eventPath);
                    continue;
                }
                final String itemName = ResourceUtil.getName(eventPath);
                if (itemName.startsWith("cq:cug")) {
                    // item -> its parent -> the node that parent belongs to
                    candidates.add(ResourceUtil.getParent(ResourceUtil.getParent(eventPath)));
                    continue;
                }
                if (!"jcr:content".equals(itemName)) {
                    continue;
                }
                final String ownerPath = ResourceUtil.getParent(eventPath);
                if (cugRoots.containsKey(ownerPath)) {
                    candidates.add(ownerPath);
                }
            } catch (RepositoryException eventFailure) {
                log.error("error accessing event: ", eventFailure);
            }
        }
        final boolean changed = manage(candidates);
        if (changed) {
            updateRegistration();
        }
    }

    /**
     * OSGi event callback for the topic declared on the class
     * (org/apache/sling/api/resource/ResourceResolverMapping/CHANGED). The event content is
     * not inspected; the service properties are simply rebuilt and published again.
     *
     * @param event the received event (unused)
     */
    public void handleEvent(Event event) {
        this.updateRegistration();
    }

    /**
     * Returns the login page configured on the CUG root that covers the request.
     *
     * <p>NOTE(review): when the configured page does not resolve to an existing resource the
     * log message says the default is used, yet the configured path is still returned.
     * Confirm which of the two is intended.
     *
     * @param httpServletRequest the current request
     * @return the login page path, or {@code null} if no CUG root covers the request or the
     *         root defines no login page
     */
    @Override // com.day.cq.auth.impl.CugSupport
    public String getLoginPage(HttpServletRequest httpServletRequest) {
        final CugRoot root = getCugRoot(httpServletRequest);
        if (root == null) {
            return null;
        }
        final String page = root.getLoginPath();
        log.debug("Found login page {} of cug root {}", page, root.getRoot());
        if (page != null) {
            final Resource target = resolver.resolve(page);
            if (ResourceUtil.isNonExistingResource(target)) {
                log.info("getLoginPage: Configured login page {} does not exist, using default", page);
            }
        } else {
            log.debug("getLoginPage: CUG Root {} defines no login page, using default", root);
        }
        return page;
    }

    /**
     * Returns the realm of the CUG root that covers the request.
     *
     * @param httpServletRequest the current request
     * @return the realm, or {@code null} if no CUG root covers the request
     */
    @Override // com.day.cq.auth.impl.CugSupport
    public String getRealm(HttpServletRequest httpServletRequest) {
        final CugRoot root = getCugRoot(httpServletRequest);
        return root == null ? null : root.getRealm();
    }

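    /**
     * Finds the CUG root covering the request, or {@code null} if CUG support is disabled or
     * no root matches.
     *
     * <p>The path is taken from the {@code resource} request parameter, then from the path
     * info, then "/". If it resolves to an existing resource, the resource path is used.
     * The decompiled body initialised the String local from the boolean constant
     * CUG_ENABLED_DEFAULT, which is not valid Java; the local now starts from the parameter
     * value (possibly {@code null}), which is what the following null checks rely on.
     *
     * <p>NOTE(review): the {@code resource} parameter is caller-controlled and is resolved
     * with the administrative resolver. Here it only selects which root's login page and realm
     * are reported, but the resolved path is also written to the debug log.
     *
     * <p>NOTE(review): matching is a plain String prefix test, so a root at /a/b also matches
     * /a/bc. A path-segment boundary check would avoid that, but unresolved paths may still
     * carry an extension (/a/b.html), so the exact rule needs to be decided by the owner.
     *
     * @param httpServletRequest the current request
     * @return the first root, in {@code cugRoots} iteration order, whose key prefixes the path
     */
    private CugRoot getCugRoot(HttpServletRequest httpServletRequest) {
        if (!this.cugEnabled) {
            return null;
        }
        String path = httpServletRequest.getParameter("resource");
        if (path == null) {
            path = httpServletRequest.getPathInfo();
        }
        if (path == null) {
            path = "/";
        }
        final Resource resolved = this.resolver.resolve(httpServletRequest, path);
        if (!ResourceUtil.isNonExistingResource(resolved)) {
            path = resolved.getPath();
        }
        this.log.debug("Trying to find cug root for {}", path);
        for (final Map.Entry<String, CugRoot> entry : this.cugRoots.entrySet()) {
            if (path.startsWith(entry.getKey())) {
                return entry.getValue();
            }
        }
        return null;
    }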

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Reports the value of the {@code cug.enabled} setting as last applied by configure().
     *
     * @return {@code true} if CUG support is switched on
     */
    public boolean isEnabled() {
        final boolean enabled = this.cugEnabled;
        return enabled;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
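    /**
     * Returns the configured exempted principal names.
     *
     * <p>A copy is returned so that a caller cannot change the list installCUG() uses when it
     * decides whose inherited permissions are carried over to a CUG root.
     *
     * @return a copy of the exempted principal names, or {@code null} if none are set yet
     */
    public String[] getExemptedPrincipals() {
        final String[] current = this.cugExemptedPrincipals;
        return current != null ? current.clone() : null;
    }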

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Returns a snapshot of the currently known CUG roots in map iteration order.
     *
     * @return a new array holding the values of {@code cugRoots}
     */
    public CugRoot[] getCugRoots() {
        final CugRoot[] snapshot = new CugRoot[this.cugRoots.size()];
        return this.cugRoots.values().toArray(snapshot);
    }

    /**
     * Builds the service registration properties: a copy of the component configuration plus
     * the {@code sling.auth.requirements} array derived from the known CUG roots.
     *
     * <p>For every root the registration path and the repository path are listed as requiring
     * authentication. A root's login page is added with a leading "-", which excludes it from
     * the requirement so the page stays reachable without a login.
     *
     * @return the properties to publish with the CugSupport service
     */
    private Dictionary<String, Object> getProperties() {
        final Dictionary<String, Object> serviceProps = new Hashtable<String, Object>();
        for (final Map.Entry<String, Object> configEntry : properties.entrySet()) {
            serviceProps.put(configEntry.getKey(), configEntry.getValue());
        }

        final Set<String> requirements = new HashSet<String>();
        for (final CugRoot root : cugRoots.values()) {
            requirements.add(root.getRegistrationPath());
            requirements.add(root.getRoot());
            final String loginPath = root.getLoginPath();
            if (loginPath != null) {
                requirements.add("-" + toRawPath(loginPath));
            }
        }
        serviceProps.put("sling.auth.requirements", requirements.toArray(new String[requirements.size()]));
        return serviceProps;
    }

    /**
     * Converts a path into the form produced by the resolver's mapping.
     *
     * @param str the path to convert
     * @return {@code resolver.map()} of the resolved resource path, or {@code str} unchanged
     *         when there is no resolver or the path does not resolve to an existing resource
     */
    private String toRawPath(String str) {
        if (resolver == null) {
            return str;
        }
        final Resource target = resolver.resolve(str);
        return ResourceUtil.isNonExistingResource(target) ? str : resolver.map(target.getPath());
    }

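    /**
     * Publishes freshly computed properties on the existing service registration.
     *
     * <p>This stays best effort and never throws, but failures are no longer dropped without
     * a trace: the {@code sling.auth.requirements} property built by getProperties() lists the
     * paths that require authentication, so an update that did not happen should be visible
     * in the log.
     */
    private void updateRegistration() {
        final ServiceRegistration current = this.registration;
        if (current == null) {
            this.log.debug("updateRegistration: service is not registered, nothing to update");
            return;
        }
        try {
            current.setProperties(getProperties());
        } catch (IllegalStateException alreadyUnregistered) {
            // Expected when the registration was dropped concurrently (reconfigure/deactivate).
            this.log.debug("updateRegistration: service registration is no longer valid", alreadyUnregistered);
        } catch (Throwable th) {
            this.log.warn("updateRegistration: failed updating the service registration properties", th);
        }
    }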

    /**
     * Queries the repository for nodes with {@code cq:cugEnabled='true'} and enables a CUG
     * root for each hit. When the hit is a node named "jcr:content", its parent is used.
     *
     * <p>The query text is a constant and runs on the administrative session. Each hit goes
     * through enable(), which writes an ACL, so calling this method rewrites the ACL of every
     * flagged node.
     */
    private void findInitialSet() {
        try {
            final NodeIterator hits = getSession()
                    .getWorkspace()
                    .getQueryManager()
                    .createQuery("select * from nt:base where cq:cugEnabled='true'", "sql")
                    .execute()
                    .getNodes();
            while (hits.hasNext()) {
                final Node hit = hits.nextNode();
                final Node cugNode = "jcr:content".equals(hit.getName()) ? hit.getParent() : hit;
                enable(cugNode.getPath(), cugNode);
            }
        } catch (RepositoryException queryFailure) {
            log.error("findInitialSet: Failed finding initial set of CUG roots", queryFailure);
        }
    }

    /**
     * Re-evaluates each candidate path: an existing node that CugRoot.isEnabled() accepts is
     * enabled, anything else (including a path that no longer exists) is disabled.
     *
     * <p>A RepositoryException on one path is logged and does not stop the remaining paths.
     *
     * @param set candidate repository paths collected by onEvent()
     * @return {@code true} if at least one enable() or disable() call reported a change
     */
    private boolean manage(Set<String> set) {
        final Session session = getSession();
        boolean changed = false;
        for (final String path : set) {
            try {
                final boolean outcome;
                if (!session.itemExists(path)) {
                    outcome = disable(path);
                } else {
                    final Node node = (Node) session.getItem(path);
                    outcome = CugRoot.isEnabled(node) ? enable(path, node) : disable(path);
                }
                changed |= outcome;
            } catch (RepositoryException pathFailure) {
                log.error("onEvent: Cannot handle potential CUG Root " + path, pathFailure);
            }
        }
        return changed;
    }

    /**
     * Records the node as CUG root and installs its ACL.
     *
     * <p>Nodes below /jcr:system/ are skipped, so no CUG ACL is ever written there.
     *
     * @param str repository path used as key in {@code cugRoots}
     * @param node the node backing the CUG root
     * @return {@code false} if the node lies below /jcr:system/, {@code true} otherwise (also
     *         when the ACL could not be written; syncACLs() only logs that)
     * @throws RepositoryException if the node path cannot be read or CugRoot creation fails
     */
    private boolean enable(String str, Node node) throws RepositoryException {
        final boolean underSystemTree = node.getPath().startsWith("/jcr:system/");
        if (!underSystemTree) {
            final CugRoot root = new CugRoot(resolver.map(str), node);
            cugRoots.put(str, root);
            syncACLs(root, true);
        }
        return !underSystemTree;
    }

    /**
     * Forgets the CUG root stored under the given path and removes its ACL.
     *
     * @param str repository path used as key in {@code cugRoots}
     * @return {@code true} if a root was registered for the path, {@code false} otherwise
     */
    private boolean disable(String str) {
        final CugRoot removed = cugRoots.remove(str);
        final boolean wasKnown = removed != null;
        if (wasKnown) {
            syncACLs(removed, false);
        }
        return wasKnown;
    }

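    /**
     * Installs ({@code z == true}) or clears ({@code z == false}) the CUG ACL of a root and
     * rolls back the session's pending changes when that did not succeed.
     *
     * <p>The decompiled body repeated the rollback three times (normal exit, caught exception,
     * any other throwable); that is the expansion of one {@code finally} block, which is
     * restored here.
     *
     * <p>A failure in installCUG()/clearCUG() is logged at warn level and not propagated, so
     * callers cannot tell that a root is left without its CUG ACL.
     * NOTE(review): enable() still keeps such a root in {@code cugRoots}; consider surfacing
     * the failure more prominently.
     *
     * @param cugRoot the root whose ACL is changed
     * @param z {@code true} to install the CUG ACL, {@code false} to remove it
     * @throws SlingException if the rollback itself fails
     */
    private void syncACLs(CugRoot cugRoot, boolean z) {
        final Session session = getSession();
        if (!(session instanceof JackrabbitSession)) {
            this.log.warn("syncACLs: Cannot apply ACLs to {}: This is only supported with Jackrabbit based Repositories", cugRoot.getRoot());
            return;
        }
        boolean applied = false;
        try {
            applied = z ? installCUG(cugRoot) : clearCUG(cugRoot);
        } catch (Exception e) {
            this.log.warn("syncACLs: Cannot apply ACL to " + cugRoot.getRoot(), e);
        } finally {
            if (!applied) {
                // Discards every pending change of the session so a half-built ACL is
                // never saved by a later call.
                try {
                    session.refresh(false);
                } catch (RepositoryException e) {
                    this.log.error("Failed to revert pending changes.", e);
                    throw new SlingException(e.getMessage(), e);
                }
            }
        }
    }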

    /**
     * Replaces the ACL at the CUG root with: a deny of jcr:all for everyone, copies of the
     * exempted principals' entries found in policies bound at other paths, and a jcr:read
     * grant for each admitted principal of the root. The result is saved with the session
     * from getSession().
     *
     * <p>NOTE(review): this is decompiled code; several declarations below carry narrower
     * types than the called API returns and the loop indices start from CUG_ENABLED_DEFAULT.
     * The statement order is kept as is because the order of ACL entries may matter to the
     * repository's evaluation - confirm for the deployed Jackrabbit version.
     *
     * @param cugRoot the root to protect
     * @return {@code true} once the policy is set and saved; {@code false} if the root node
     *         does not exist or no editable ACL is available (nothing is saved then)
     * @throws RepositoryException if reading or writing access control data fails
     */
    private boolean installCUG(CugRoot cugRoot) throws RepositoryException {
        this.log.debug("syncACLs: Limitting read access on {}", cugRoot.getRoot());
        // The only caller visible here, syncACLs(), checks instanceof JackrabbitSession first.
        JackrabbitSession session = getSession();
        AccessControlManager accessControlManager = session.getAccessControlManager();
        PrincipalManager principalManager = session.getPrincipalManager();
        if (!session.itemExists(cugRoot.getRoot())) {
            this.log.warn("Cannot install CUG: Target node " + cugRoot.getRoot() + " does not exist.");
            return false;
        }
        JackrabbitAccessControlList acl = getAcl(cugRoot.getRoot(), accessControlManager);
        if (acl == null) {
            this.log.warn("Cannot install CUG: No editable AccessControlList at " + cugRoot.getRoot());
            return false;
        }
        // Destructive step: every entry already present on this node's ACL is dropped, including
        // entries that were not created by the CUG feature.
        if (!acl.isEmpty()) {
            this.log.debug("Removing existing ACEs at " + cugRoot.getRoot());
            AccessControlEntry[] accessControlEntries = acl.getAccessControlEntries();
            int length = accessControlEntries.length;
            for (int i = CUG_ENABLED_DEFAULT; i < length; i++) {
                acl.removeAccessControlEntry(accessControlEntries[i]);
            }
        }
        // Third argument false = deny entry: everyone is denied jcr:all on the root.
        acl.addEntry(principalManager.getEveryone(), new Privilege[]{accessControlManager.privilegeFromName("{http://www.jcp.org/jcr/1.0}all")}, false);
        // Carry over what the exempted principals were given elsewhere: entries from effective
        // policies bound at a path other than this root are copied, allow/deny flag included.
        JackrabbitAccessControlList[] effectivePolicies = accessControlManager.getEffectivePolicies(cugRoot.getRoot());
        int length2 = effectivePolicies.length;
        for (int i2 = CUG_ENABLED_DEFAULT; i2 < length2; i2++) {
            JackrabbitAccessControlList jackrabbitAccessControlList = effectivePolicies[i2];
            if (jackrabbitAccessControlList instanceof JackrabbitAccessControlList) {
                JackrabbitAccessControlList jackrabbitAccessControlList2 = jackrabbitAccessControlList;
                if (!cugRoot.getRoot().equals(jackrabbitAccessControlList2.getPath())) {
                    JackrabbitAccessControlEntry[] accessControlEntries2 = jackrabbitAccessControlList2.getAccessControlEntries();
                    String[] strArr = this.cugExemptedPrincipals;
                    int length3 = strArr.length;
                    for (int i3 = CUG_ENABLED_DEFAULT; i3 < length3; i3++) {
                        String str = strArr[i3];
                        int length4 = accessControlEntries2.length;
                        for (int i4 = CUG_ENABLED_DEFAULT; i4 < length4; i4++) {
                            JackrabbitAccessControlEntry jackrabbitAccessControlEntry = accessControlEntries2[i4];
                            // Exemption is matched by exact principal name.
                            if (str.equals(jackrabbitAccessControlEntry.getPrincipal().getName())) {
                                if (principalManager.hasPrincipal(str)) {
                                    acl.addEntry(jackrabbitAccessControlEntry.getPrincipal(), jackrabbitAccessControlEntry.getPrivileges(), jackrabbitAccessControlEntry instanceof JackrabbitAccessControlEntry ? jackrabbitAccessControlEntry.isAllow() : true);
                                } else {
                                    this.log.warn("Cannot install ACE for cugExempted principal '" + str + "': Unknown to the PrincipalManager.");
                                }
                            }
                        }
                    }
                }
            }
        }
        // Admitted principals come from the CugRoot (its source is not shown here; presumably
        // content properties of the root node - verify who may write them).
        String[] principals = cugRoot.getPrincipals();
        int length5 = principals.length;
        for (int i5 = CUG_ENABLED_DEFAULT; i5 < length5; i5++) {
            String str2 = principals[i5];
            if (str2 != null && !"".equals(str2)) {
                if (this.cugPrincipalsRegex != null && this.cugPrincipalsRegex.length() > 0) {
                    // The regex comes from the component configuration. An invalid pattern makes
                    // replaceAll throw an unchecked exception here, before setPolicy/save below,
                    // so no CUG ACL is written for this root in that case.
                    String replaceAll = str2.replaceAll(this.cugPrincipalsRegex, this.cugPrincipalsReplacement);
                    // NOTE(review): principal names are written to the log unescaped.
                    this.log.info("replacing principal name " + str2 + " with " + replaceAll);
                    str2 = replaceAll;
                }
                Principal principal = principalManager.getPrincipal(str2);
                if (principal != null) {
                    acl.addAccessControlEntry(principal, new Privilege[]{accessControlManager.privilegeFromName("{http://www.jcp.org/jcr/1.0}read")});
                } else {
                    // An unknown name is skipped, so it gains no access; the deny entry stays.
                    this.log.warn("Cannot install ACE for admitted principal '" + str2 + "': Unknown to the PrincipalManager.");
                }
            }
        }
        // Nothing above is persistent until these two calls succeed.
        accessControlManager.setPolicy(cugRoot.getRoot(), acl);
        session.save();
        return true;
    }

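    /**
     * Removes every AccessControlList policy bound at the CUG root and saves the session.
     *
     * <p>The decompiled loop started its int index from the boolean constant
     * CUG_ENABLED_DEFAULT, which is not valid Java; the loop is now a plain for-each.
     *
     * <p>All list policies at the node are removed, not only entries written for the CUG, so
     * afterwards the node has no ACL of its own.
     *
     * @param cugRoot the root whose access control is removed
     * @return {@code true} if at least one policy was removed and saved, {@code false} if the
     *         node had no AccessControlList policy
     * @throws RepositoryException if reading, removing or saving fails
     */
    private boolean clearCUG(CugRoot cugRoot) throws RepositoryException {
        this.log.debug("syncACLs: Removing all access control from {}", cugRoot.getRoot());
        final Session session = getSession();
        final AccessControlManager accessControlManager = session.getAccessControlManager();
        final String root = cugRoot.getRoot();
        boolean removedAny = false;
        for (final AccessControlPolicy policy : accessControlManager.getPolicies(root)) {
            if (policy instanceof AccessControlList) {
                accessControlManager.removePolicy(root, policy);
                removedAny = true;
            }
        }
        if (removedAny) {
            session.save();
        }
        return removedAny;
    }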

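    /**
     * Returns an editable Jackrabbit ACL for the path: first an applicable (not yet bound)
     * policy, otherwise a policy already bound at the path.
     *
     * <p>The decompiled body tested {@code instanceof JackrabbitAccessControlPolicy} but
     * returned the value as JackrabbitAccessControlList without a cast, and started an int
     * index from a boolean constant. The test now matches the returned type, so a Jackrabbit
     * policy that is not a list is skipped instead of being handed to the caller.
     *
     * @param str repository path of the node
     * @param accessControlManager access control manager of the session in use
     * @return the ACL to edit, or {@code null} if the path offers none
     * @throws RepositoryException if the policies cannot be read
     */
    private JackrabbitAccessControlList getAcl(String str, AccessControlManager accessControlManager) throws RepositoryException {
        final AccessControlPolicyIterator applicable = accessControlManager.getApplicablePolicies(str);
        while (applicable.hasNext()) {
            final AccessControlPolicy candidate = applicable.nextAccessControlPolicy();
            if (candidate instanceof JackrabbitAccessControlList) {
                this.log.debug("No Policy present create a new ACL Policy");
                return (JackrabbitAccessControlList) candidate;
            }
        }
        for (final AccessControlPolicy existing : accessControlManager.getPolicies(str)) {
            if (existing instanceof JackrabbitAccessControlList) {
                this.log.debug("Found existing ACL Policy");
                return (JackrabbitAccessControlList) existing;
            }
        }
        return null;
    }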

    /**
     * Bind method for the {@code resourceResolverFactory} reference.
     *
     * @param resourceResolverFactory the factory later used in activate() to open the
     *        administrative resolver
     */
    protected void bindResourceResolverFactory(ResourceResolverFactory resourceResolverFactory) {
        final ResourceResolverFactory bound = resourceResolverFactory;
        this.resourceResolverFactory = bound;
    }

    /**
     * Unbind method for the {@code resourceResolverFactory} reference. The field is cleared
     * only when it still holds the instance being unbound.
     *
     * @param resourceResolverFactory the factory that is going away
     */
    protected void unbindResourceResolverFactory(ResourceResolverFactory resourceResolverFactory) {
        final boolean isCurrent = this.resourceResolverFactory == resourceResolverFactory;
        if (!isCurrent) {
            return;
        }
        this.resourceResolverFactory = null;
    }
}
