package org.apache.sling.jcr.resource.internal;

import java.lang.reflect.Method;
import java.security.Principal;
import java.util.HashSet;
import java.util.Set;
import java.util.concurrent.CopyOnWriteArraySet;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.jcr.api.SlingRepository;
import org.apache.sling.serviceusermapping.ServicePrincipalsValidator;
import org.apache.sling.serviceusermapping.ServiceUserValidator;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.metatype.annotations.AttributeDefinition;
import org.osgi.service.metatype.annotations.Designate;
import org.osgi.service.metatype.annotations.ObjectClassDefinition;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

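/**
 * Validates the service user ids and service principal names configured for the
 * Sling Service User Mapper against the JCR repository.
 *
 * <p>With {@code allow_only_system_user} enabled, a name is accepted only when the
 * repository resolves it to an enabled, non-group user that reports itself as a
 * JCR system user (see {@link #isValidSystemUser(Authorizable)}). With it disabled,
 * every non-null id and every non-null list of principal names is reported as valid
 * without consulting the repository.
 *
 * <p>Successfully validated names are cached for the lifetime of this component.
 * The caches are never invalidated, so a user that is disabled or removed after
 * its first successful validation keeps being accepted until the component is
 * restarted.
 *
 * <p>Repository lookups are done through a session obtained with the
 * {@value #VALIDATION_SERVICE_USER} service user mapping. Obtaining that session
 * may itself trigger a validation on the same thread; the thread-local
 * {@link #cycleDetection} flag makes such a nested call return {@code true} instead
 * of logging in again.
 *
 * <p>A repository error during a lookup is logged and the name(s) under validation
 * are rejected (fail closed).
 *
 * <p>Thread-safety: the caches are copy-on-write sets and the re-entrancy flag is
 * thread-local, so concurrent validation calls are safe.
 */
@Designate(ocd = Config.class)
@Component(service = {ServiceUserValidator.class, ServicePrincipalsValidator.class}, property = {"service.vendor=The Apache Software Foundation"})
public class JcrSystemUserValidator implements ServiceUserValidator, ServicePrincipalsValidator {

    /** Name of the service user mapping used to obtain the validation session. */
    public static final String VALIDATION_SERVICE_USER = "validation";

    @Reference
    private volatile SlingRepository repository;

    /**
     * {@code User#isSystemUser()} resolved reflectively in the constructor, or {@code null}
     * when the Jackrabbit API on the class path does not provide that method. Without it
     * every enabled non-group user passes {@link #isValidSystemUser(Authorizable)}.
     */
    private final Method isSystemUserMethod;

    /** Mirrors {@link Config#allow_only_system_user()}; assigned in {@link #activate(Config)}. */
    private boolean allowOnlySystemUsers;

    private final Logger log = LoggerFactory.getLogger(JcrSystemUserValidator.class);

    /** User ids already verified to be JCR system users (never invalidated). */
    private final Set<String> validIds = new CopyOnWriteArraySet<>();

    /** Principal names already verified to be JCR system users (never invalidated). */
    private final Set<String> validPrincipalNames = new CopyOnWriteArraySet<>();

    /**
     * {@code true} while the current thread is inside {@link #loginForValidation()}.
     * A nested validation call on that thread short-circuits to {@code true}.
     */
    private final ThreadLocal<Boolean> cycleDetection = new ThreadLocal<Boolean>() {
        @Override
        protected Boolean initialValue() {
            return Boolean.FALSE;
        }
    };

    @ObjectClassDefinition(name = "Apache Sling JCR System User Validator", description = "Enforces the usage of JCR system users for all user mappings being used in the 'Sling Service User Mapper Service'")
    public @interface Config {
        @AttributeDefinition(name = "Allow only JCR System Users", description = "If set to true, only user IDs bound to JCR system users are allowed in the user mappings of the 'Sling Service User Mapper Service'. Otherwise all users are allowed!")
        boolean allow_only_system_user() default true;
    }

    /**
     * Resolves {@code User#isSystemUser()} reflectively. If the Jackrabbit API on the
     * class path does not declare the method, the lookup fails, the failure is logged at
     * debug level and {@link #isSystemUserMethod} stays {@code null}.
     */
    public JcrSystemUserValidator() {
        Method method = null;
        try {
            method = User.class.getMethod("isSystemUser");
        } catch (NoSuchMethodException | SecurityException e) {
            log.debug("Exception while accessing isSystemUser method", e);
        }
        isSystemUserMethod = method;
    }

    /**
     * Reads the component configuration.
     *
     * @param config the component configuration
     */
    @Activate
    public void activate(final Config config) {
        allowOnlySystemUsers = config.allow_only_system_user();
    }

    /**
     * Checks whether a service user id may be used in a service user mapping.
     *
     * @param serviceUserId the user id from the mapping; {@code null} is rejected
     * @param serviceName the service name of the mapping (not used for the decision)
     * @param subServiceName the sub service name of the mapping (not used for the decision)
     * @return {@code true} if enforcement is disabled, if the id was validated before, or if
     *         the repository resolves it to a valid system user; {@code false} otherwise,
     *         including when the repository lookup fails
     */
    @Override
    public boolean isValid(final String serviceUserId, final String serviceName, final String subServiceName) {
        if (cycleDetection.get()) {
            // nested call while this thread is logging in for validation
            return true;
        }
        if (serviceUserId == null) {
            log.debug("The provided service user id is null");
            return false;
        }
        if (!allowOnlySystemUsers) {
            log.debug("There is no enforcement of JCR system users, therefore service user id '{}' is valid", serviceUserId);
            return true;
        }
        if (validIds.contains(serviceUserId)) {
            log.debug("The provided service user id '{}' has been already validated and is a known JCR system user id", serviceUserId);
            return true;
        }
        Session session = null;
        try {
            session = loginForValidation();
            if (session instanceof JackrabbitSession) {
                final Authorizable authorizable = ((JackrabbitSession) session).getUserManager().getAuthorizable(serviceUserId);
                if (isValidSystemUser(authorizable)) {
                    validIds.add(serviceUserId);
                    log.debug("The provided service user id {} is a known JCR system user id", serviceUserId);
                    return true;
                }
            }
        } catch (RepositoryException e) {
            // fall through to the rejection below: an id that cannot be looked up is not known to be valid
            log.warn("Could not get user information", e);
        } finally {
            // the session is always released, also when the lookup throws
            if (session != null) {
                session.logout();
            }
        }
        log.warn("The provided service user id '{}' is not a known JCR system user id and therefore not allowed in the Sling Service User Mapper.", serviceUserId);
        return false;
    }

    /**
     * Checks whether every principal name of a principal-based service user mapping
     * resolves to a valid JCR system user. An empty list is valid.
     *
     * @param servicePrincipalNames the principal names from the mapping; {@code null} is rejected
     * @param serviceName the service name of the mapping (not used for the decision)
     * @param subServiceName the sub service name of the mapping (not used for the decision)
     * @return {@code true} if enforcement is disabled or all names are (cached or freshly)
     *         validated system users; {@code false} if any name is rejected, if the
     *         validation session is not a {@link JackrabbitSession}, or if a repository
     *         lookup fails
     */
    @Override
    public boolean isValid(final Iterable<String> servicePrincipalNames, final String serviceName, final String subServiceName) {
        if (cycleDetection.get()) {
            // nested call while this thread is logging in for validation
            return true;
        }
        if (servicePrincipalNames == null) {
            log.debug("The provided service principal names are null");
            return false;
        }
        if (!allowOnlySystemUsers) {
            log.debug("There is no enforcement of JCR system users, therefore service principal names '{}' are valid", servicePrincipalNames);
            return true;
        }
        Session session = null;
        UserManager userManager = null;
        final Set<String> invalid = new HashSet<>();
        try {
            for (final String principalName : servicePrincipalNames) {
                if (validPrincipalNames.contains(principalName)) {
                    log.debug("The provided service principal name '{}' has been already validated and is a known JCR system user", principalName);
                    continue;
                }
                if (session == null) {
                    // one session serves the whole list; it is only opened when a lookup is actually needed
                    session = loginForValidation();
                    if (!(session instanceof JackrabbitSession)) {
                        log.debug("Unable to validate service user principals, JackrabbitSession expected.");
                        return false;
                    }
                    userManager = ((JackrabbitSession) session).getUserManager();
                }
                final Authorizable authorizable = userManager.getAuthorizable(principalNamed(principalName));
                if (isValidSystemUser(authorizable)) {
                    validPrincipalNames.add(principalName);
                    log.debug("The provided service principal name {} is a known JCR system user", principalName);
                } else {
                    log.warn("The provided service principal name '{}' is not a known JCR system user id and therefore not allowed in the Sling Service User Mapper.", principalName);
                    invalid.add(principalName);
                }
            }
        } catch (RepositoryException e) {
            // A failed lookup says nothing about the names not yet checked; reject the list
            // (consistent with the single-id variant) instead of reporting it as valid.
            log.warn("Could not get user information", e);
            return false;
        } finally {
            // the session is always released, also when the lookup throws
            if (session != null) {
                session.logout();
            }
        }
        return invalid.isEmpty();
    }

    /**
     * Logs in with the {@value #VALIDATION_SERVICE_USER} service user mapping. The
     * re-entrancy flag is raised for the duration of the login only, so a validation
     * triggered by the login itself on this thread returns {@code true}.
     *
     * @return the validation session; the caller must {@link Session#logout()} it
     * @throws RepositoryException if the login fails
     */
    private Session loginForValidation() throws RepositoryException {
        cycleDetection.set(Boolean.TRUE);
        try {
            return repository.loginService(VALIDATION_SERVICE_USER, null);
        } finally {
            cycleDetection.set(Boolean.FALSE);
        }
    }

    /**
     * Wraps a principal name in the minimal {@link Principal} needed for
     * {@link UserManager#getAuthorizable(Principal)}.
     */
    private static Principal principalNamed(final String name) {
        return new Principal() {
            @Override
            public String getName() {
                return name;
            }
        };
    }

    /**
     * Decides whether an authorizable may back a service user mapping.
     *
     * <p>Rejected: {@code null}, groups, disabled users, and users whose disabled state
     * cannot be read. Accepted: an enabled user whose {@code isSystemUser()} returns
     * {@code true}. NOTE(review): when the reflective {@code isSystemUser} handle is
     * missing or its invocation fails, every enabled user is accepted — the lenient
     * fallback for a Jackrabbit API without that method; the system-user distinction
     * is only enforced when the method is available and invocable.
     *
     * @param authorizable the resolved authorizable, may be {@code null}
     * @return {@code true} if the authorizable is an acceptable (system) user
     */
    private boolean isValidSystemUser(final Authorizable authorizable) {
        if (authorizable == null || authorizable.isGroup()) {
            return false;
        }
        final User user = (User) authorizable;
        try {
            if (user.isDisabled()) {
                return false;
            }
        } catch (RepositoryException e) {
            log.debug("Exception while invoking isDisabled method", e);
            return false;
        }
        if (isSystemUserMethod == null) {
            return true;
        }
        try {
            return (Boolean) isSystemUserMethod.invoke(user);
        } catch (ReflectiveOperationException | RuntimeException e) {
            log.debug("Exception while invoking isSystemUser method", e);
            return true;
        }
    }
}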
