package org.apache.sling.jcr.base.internal;

import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CopyOnWriteArrayList;
import java.util.regex.Pattern;
import org.apache.sling.commons.osgi.PropertiesUtil;
import org.osgi.framework.Bundle;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Modified;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
import org.osgi.service.component.annotations.ReferencePolicy;
import org.osgi.service.component.annotations.ReferencePolicyOption;
import org.osgi.service.metatype.annotations.Designate;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

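/**
 * Decides whether a bundle may use {@code loginAdministrative}.
 *
 * <p>A bundle is allowed when, in this order, the whitelist is bypassed by configuration, its
 * symbolic name fully matches the configured regular expression, or a bound
 * {@link WhitelistFragment} allows its symbolic name. Anything else is denied.
 *
 * <p>Security notes for operators and reviewers:
 * <ul>
 *   <li>The decision is keyed on the bundle symbolic name only. That name comes from the bundle's
 *       own manifest, so the whitelist does not authenticate a bundle; it is only as strong as the
 *       control over which bundles can be installed.</li>
 *   <li>{@code whitelist.bypass} and {@code whitelist.bundles.regexp} both widen access and are
 *       logged at WARN level when set, so they can be found in the logs.</li>
 * </ul>
 *
 * <p>Thread-safety: the configuration is published through a {@code volatile} field holding an
 * immutable snapshot, and fragments are kept in concurrent collections.
 */
@Designate(ocd = LoginAdminWhitelistConfiguration.class)
@Component(service = {LoginAdminWhitelist.class}, property = {"service.description=Apache Sling Login Admin Whitelist", "service.vendor=The Apache Software Foundation"})
/* loaded from: input_file:default/org.apache.sling.kickstart.far:org/apache/sling/org.apache.sling.jcr.base/3.1.6/org.apache.sling.jcr.base-3.1.6.jar:org/apache/sling/jcr/base/internal/LoginAdminWhitelist.class */
public class LoginAdminWhitelist {
    private static final Logger LOG = LoggerFactory.getLogger(LoginAdminWhitelist.class);

    /** Deprecated configuration property; still honoured by {@link #ensureBackwardsCompatibility}. */
    private static final String PROP_WHITELIST_BUNDLES_DEFAULT = "whitelist.bundles.default";

    /** Deprecated configuration property; still honoured by {@link #ensureBackwardsCompatibility}. */
    private static final String PROP_WHITELIST_BUNDLES_ADDITIONAL = "whitelist.bundles.additional";

    /** Current configuration snapshot; {@code null} until {@link #configure} has run. */
    private volatile ConfigurationState config;

    /** All fragments consulted by {@link #allowLoginAdministrative(Bundle)}. */
    private final List<WhitelistFragment> whitelistFragments = new CopyOnWriteArrayList<>();

    /** Fragments synthesised from deprecated properties, keyed by property name. */
    private final Map<String, WhitelistFragment> backwardsCompatibleFragments = new ConcurrentHashMap<>();

    /* loaded from: input_file:default/org.apache.sling.kickstart.far:org/apache/sling/org.apache.sling.jcr.base/3.1.6/org.apache.sling.jcr.base-3.1.6.jar:org/apache/sling/jcr/base/internal/LoginAdminWhitelist$ConfigurationState.class */
    /** Immutable snapshot of the two settings that can widen the whitelist. */
    private static final class ConfigurationState {
        /** When {@code true}, every bundle is allowed. */
        private final boolean bypassWhitelist;

        /** Pattern matched against the whole symbolic name, or {@code null} when not configured. */
        private final Pattern whitelistRegexp;

        /**
         * Builds the snapshot and logs a warning for each setting that weakens the whitelist.
         *
         * <p>An invalid expression makes {@link Pattern#compile(String)} throw, in which case no
         * new snapshot is created and the caller's assignment never happens.
         */
        private ConfigurationState(LoginAdminWhitelistConfiguration loginAdminWhitelistConfiguration) {
            final String regexp = loginAdminWhitelistConfiguration.whitelist_bundles_regexp();
            // A missing value is treated like a blank one: no pattern, hence nothing allowed by regexp.
            if (regexp != null && !regexp.trim().isEmpty()) {
                this.whitelistRegexp = Pattern.compile(regexp);
                LOG.warn("A 'whitelist.bundles.regexp' is configured, this is NOT RECOMMENDED for production: {}", this.whitelistRegexp);
            } else {
                this.whitelistRegexp = null;
            }
            this.bypassWhitelist = loginAdminWhitelistConfiguration.whitelist_bypass();
            if (this.bypassWhitelist) {
                LOG.info("bypassWhitelist=true, whitelisted BSNs=<ALL>");
                LOG.warn("All bundles are allowed to use loginAdministrative due to the 'whitelist.bypass' configuration of this service. This is NOT RECOMMENDED, for security reasons.");
            }
        }
    }

    /**
     * Registers a fragment so that its entries take part in the whitelist decision.
     *
     * @param whitelistFragment the fragment to add
     */
    @Reference(cardinality = ReferenceCardinality.MULTIPLE, policy = ReferencePolicy.DYNAMIC, policyOption = ReferencePolicyOption.GREEDY)
    void bindWhitelistFragment(WhitelistFragment whitelistFragment) {
        this.whitelistFragments.add(whitelistFragment);
        LOG.info("WhitelistFragment added '{}'", whitelistFragment);
    }

    /**
     * Removes a previously registered fragment.
     *
     * @param whitelistFragment the fragment to remove
     */
    void unbindWhitelistFragment(WhitelistFragment whitelistFragment) {
        this.whitelistFragments.remove(whitelistFragment);
        LOG.info("WhitelistFragment removed '{}'", whitelistFragment);
    }

    /**
     * Applies the component configuration on activation and on every modification.
     *
     * @param loginAdminWhitelistConfiguration typed configuration (bypass flag and regexp)
     * @param map raw component properties, read only for the two deprecated list properties
     */
    @Activate
    @Modified
    void configure(LoginAdminWhitelistConfiguration loginAdminWhitelistConfiguration, Map<String, Object> map) {
        this.config = new ConfigurationState(loginAdminWhitelistConfiguration);
        ensureBackwardsCompatibility(map, PROP_WHITELIST_BUNDLES_DEFAULT);
        ensureBackwardsCompatibility(map, PROP_WHITELIST_BUNDLES_ADDITIONAL);
    }

    /**
     * Tells whether the given bundle may use {@code loginAdministrative}.
     *
     * @param bundle the bundle asking for administrative login
     * @return {@code true} if the whitelist is bypassed, the symbolic name matches the configured
     *     regexp, or a fragment allows it; {@code false} otherwise, including when the bundle has
     *     no symbolic name
     * @throws IllegalStateException if the component has not been configured yet
     */
    public boolean allowLoginAdministrative(Bundle bundle) {
        // Read the volatile field once so the null check and the decision use the same snapshot.
        final ConfigurationState state = this.config;
        if (state == null) {
            throw new IllegalStateException("LoginAdminWhitelist has no configuration.");
        }
        if (state.bypassWhitelist) {
            LOG.debug("Whitelist is bypassed, all bundles allowed to use loginAdministrative");
            return true;
        }
        final String symbolicName = bundle.getSymbolicName();
        if (symbolicName == null) {
            // Bundle#getSymbolicName() may return null. Deny explicitly instead of letting
            // Pattern#matcher(null) throw, so the decision fails closed.
            LOG.debug("Bundle without a symbolic name is not whitelisted to use loginAdministrative");
            return false;
        }
        // matches() requires the whole name to match, not just a substring.
        if (state.whitelistRegexp != null && state.whitelistRegexp.matcher(symbolicName).matches()) {
            LOG.debug("{} is whitelisted to use loginAdministrative, by regexp", symbolicName);
            return true;
        }
        for (WhitelistFragment fragment : this.whitelistFragments) {
            if (fragment.allows(symbolicName)) {
                LOG.debug("{} is whitelisted to use loginAdministrative, by whitelist fragment '{}'", symbolicName, fragment);
                return true;
            }
        }
        LOG.debug("{} is not whitelisted to use loginAdministrative", symbolicName);
        return false;
    }

    /**
     * Turns a deprecated list property into a synthetic fragment named {@code deprecated-<property>}
     * and retires the fragment created for the same property by an earlier call.
     *
     * @param properties raw component properties
     * @param propertyName name of the deprecated property to read
     */
    private void ensureBackwardsCompatibility(Map<String, Object> properties, String propertyName) {
        final WhitelistFragment previous = this.backwardsCompatibleFragments.remove(propertyName);
        final String[] entries = PropertiesUtil.toStringArray(properties.get(propertyName), new String[0]);
        if (entries.length != 0) {
            LOG.warn("Using deprecated configuration property '{}'", propertyName);
            final WhitelistFragment replacement = new WhitelistFragment("deprecated-" + propertyName, entries);
            bindWhitelistFragment(replacement);
            this.backwardsCompatibleFragments.put(propertyName, replacement);
        }
        // The replacement is bound before the previous fragment is unbound; presumably this avoids
        // a window in which entries present in both configurations would be denied.
        if (previous != null) {
            unbindWhitelistFragment(previous);
        }
    }
}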
