package org.apache.sling.jcr.base.internal;

import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CopyOnWriteArrayList;
import java.util.regex.Pattern;
import org.osgi.framework.Bundle;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Modified;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
import org.osgi.service.component.annotations.ReferencePolicy;
import org.osgi.service.component.annotations.ReferencePolicyOption;
import org.osgi.util.converter.Converters;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

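/**
 * Decides which bundles may call {@code loginAdministrative}.
 *
 * <p>The decision is keyed solely on the bundle's symbolic name and is evaluated in this order:
 * <ol>
 *   <li>the global bypass flag ({@code allowlist.bypass}), which allows every bundle;</li>
 *   <li>the optional bundle regular expression ({@code allowlist.bundles.regexp}), which must
 *       match the whole symbolic name;</li>
 *   <li>the bound {@link AllowListFragment}s, including fragments synthesized from the
 *       deprecated {@code whitelist.bundles.*} properties.</li>
 * </ol>
 * A bundle that matches none of these is denied.
 *
 * <p>The configuration snapshot is published through a {@code volatile} field and the fragment
 * collections are concurrent, so bind/unbind and reconfiguration can overlap with lookups.
 */
@Component(service = {LoginAdminAllowList.class}, configurationPid = {LoginAdminAllowList.PID, LoginAdminAllowList.LEGACY_PID})
/* loaded from: input_file:org/apache/sling/jcr/base/internal/LoginAdminAllowList.class */
public class LoginAdminAllowList {
    public static final String PID = "org.apache.sling.jcr.base.LoginAdminAllowList";
    public static final String LEGACY_PID = "org.apache.sling.jcr.base.internal.LoginAdminWhitelist";
    static final Logger LOG = LoggerFactory.getLogger(LoginAdminAllowList.class);
    private static final String LEGACY_BYPASS_PROPERTY = "whitelist.bypass";
    private static final String LEGACY_BUNDLES_PROPERTY = "whitelist.bundles.regexp";
    private static final String PROP_LEGACY_BUNDLES_DEFAULT = "whitelist.bundles.default";
    private static final String PROP_LEGACY_BUNDLES_ADDITIONAL = "whitelist.bundles.additional";

    // Immutable snapshot, replaced as a whole on (re)configuration; null until configure() has run.
    private volatile ConfigurationState config;
    private final List<AllowListFragment> allowListFragments = new CopyOnWriteArrayList<>();
    // Fragments created from deprecated properties, keyed by property name so they can be replaced.
    private final Map<String, AllowListFragment> backwardsCompatibleFragments = new ConcurrentHashMap<>();

    /* loaded from: input_file:org/apache/sling/jcr/base/internal/LoginAdminAllowList$ConfigurationState.class */
    /**
     * Immutable view of the effective bypass flag and bundle regular expression, resolved from
     * the current configuration and, where present, the deprecated legacy properties.
     */
    static class ConfigurationState {
        public final boolean bypassAllowList;
        public final Pattern allowListRegexp;

        /**
         * Resolves the effective settings.
         *
         * <p>A deprecated {@code whitelist.bypass} value, when present, overrides the typed
         * configuration's bypass flag. A deprecated {@code whitelist.bundles.regexp} value is
         * used only when the non-deprecated regexp is blank.
         *
         * @param configuration typed configuration of this component
         * @param properties raw component properties, consulted for the deprecated keys
         * @throws java.util.regex.PatternSyntaxException if the effective regexp does not compile
         */
        ConfigurationState(LoginAdminAllowListConfiguration configuration, Map<String, Object> properties) {
            boolean bypass = configuration.allowlist_bypass();
            Object legacyBypass = properties.get(LoginAdminAllowList.LEGACY_BYPASS_PROPERTY);
            if (legacyBypass != null) {
                LoginAdminAllowList.LOG.warn("Using deprecated configuration property '{}' from configuration '{}'. Update your configuration to use configuration '{}' and property '{}' instead.", LoginAdminAllowList.LEGACY_BYPASS_PROPERTY, LoginAdminAllowList.LEGACY_PID, LoginAdminAllowList.PID, "allowlist.bypass");
                bypass = Converters.standardConverter().convert(legacyBypass).defaultValue(false).to(Boolean.class).booleanValue();
            }

            String legacyRegexp = null;
            Object legacyBundles = properties.get(LoginAdminAllowList.LEGACY_BUNDLES_PROPERTY);
            // Test the legacy regexp property itself. The previous check looked at the legacy
            // bypass value, so a legacy regexp was silently dropped unless 'whitelist.bypass'
            // was also set, and the deprecation warning fired for a property that was absent.
            if (legacyBundles != null) {
                LoginAdminAllowList.LOG.warn("Using deprecated configuration property '{}' from configuration '{}'. Update your configuration to use configuration '{}' and property '{}' instead.", LoginAdminAllowList.LEGACY_BUNDLES_PROPERTY, LoginAdminAllowList.LEGACY_PID, LoginAdminAllowList.PID, "allowlist.bundles.regexp");
                legacyRegexp = Converters.standardConverter().convert(legacyBundles).to(String.class);
            }

            // Null guard: the declared default of allowlist_bundles_regexp() is not visible here.
            String regexp = configuration.allowlist_bundles_regexp();
            Pattern pattern;
            if (regexp != null && !regexp.trim().isEmpty()) {
                if (legacyRegexp != null) {
                    LoginAdminAllowList.LOG.warn("Both deprecated configuration property '{}' and non-deprecated configuration property '{}' are set. The deprecated property '{}' is ignored.", LoginAdminAllowList.LEGACY_BUNDLES_PROPERTY, "allowlist.bundles.regexp", LoginAdminAllowList.LEGACY_BUNDLES_PROPERTY);
                }
                pattern = Pattern.compile(regexp);
            } else {
                pattern = legacyRegexp != null ? Pattern.compile(legacyRegexp) : null;
            }
            this.allowListRegexp = pattern;
            if (this.allowListRegexp != null) {
                LoginAdminAllowList.LOG.warn("A 'allowlist.bundles.regexp' is configured, this is NOT RECOMMENDED for production: {}", this.allowListRegexp);
            }

            this.bypassAllowList = bypass;
            if (this.bypassAllowList) {
                LoginAdminAllowList.LOG.info("allowlist.bypass=true, allowed BSNs=<ALL>");
                LoginAdminAllowList.LOG.warn("All bundles are allowed to use loginAdministrative due to the 'allowlist.bypass' configuration of this service. This is NOT RECOMMENDED, for security reasons.");
            }
        }
    }

    /**
     * Registers a fragment; its entries take part in subsequent allow-list decisions.
     *
     * @param allowListFragment fragment to add
     */
    @Reference(cardinality = ReferenceCardinality.MULTIPLE, policy = ReferencePolicy.DYNAMIC, policyOption = ReferencePolicyOption.GREEDY)
    void bindAllowListFragment(AllowListFragment allowListFragment) {
        this.allowListFragments.add(allowListFragment);
        LOG.info("AllowListFragment added '{}'", allowListFragment);
    }

    /**
     * Removes a previously registered fragment.
     *
     * @param allowListFragment fragment to remove
     */
    void unbindAllowListFragment(AllowListFragment allowListFragment) {
        this.allowListFragments.remove(allowListFragment);
        LOG.info("AllowListFragment removed '{}'", allowListFragment);
    }

    /**
     * Applies a new or modified configuration and rebuilds the fragments derived from the
     * deprecated {@code whitelist.bundles.default} and {@code whitelist.bundles.additional}
     * properties.
     *
     * @param loginAdminAllowListConfiguration typed configuration
     * @param map raw component properties
     */
    @Activate
    @Modified
    void configure(LoginAdminAllowListConfiguration loginAdminAllowListConfiguration, Map<String, Object> map) {
        this.config = new ConfigurationState(loginAdminAllowListConfiguration, map);
        ensureBackwardsCompatibility(map, PROP_LEGACY_BUNDLES_DEFAULT);
        ensureBackwardsCompatibility(map, PROP_LEGACY_BUNDLES_ADDITIONAL);
    }

    /**
     * Reports whether the given bundle may use {@code loginAdministrative}.
     *
     * @param bundle the requesting bundle
     * @return {@code true} if the bypass is active, or the bundle's symbolic name matches the
     *     configured regexp or any bound fragment; {@code false} otherwise, including when the
     *     bundle has no symbolic name
     * @throws IllegalStateException if the component has not been configured yet
     */
    public boolean allowLoginAdministrative(Bundle bundle) {
        // Read the volatile field once so the whole decision uses one consistent snapshot.
        ConfigurationState state = this.config;
        if (state == null) {
            throw new IllegalStateException("LoginAdminAllowList has no configuration.");
        }
        if (state.bypassAllowList) {
            LOG.debug("Allow list is bypassed, all bundles allowed to use loginAdministrative");
            return true;
        }

        String symbolicName = bundle.getSymbolicName();
        if (symbolicName == null) {
            // Bundle.getSymbolicName() may return null; Matcher would throw on it. With no name
            // to check against the allow list, deny (fail closed).
            LOG.debug("{} is not allow listed to use loginAdministrative", symbolicName);
            return false;
        }

        // matches() requires the pattern to cover the entire symbolic name, not a substring.
        if (state.allowListRegexp != null && state.allowListRegexp.matcher(symbolicName).matches()) {
            LOG.debug("{} is allow listed to use loginAdministrative, by regexp", symbolicName);
            return true;
        }
        for (AllowListFragment fragment : this.allowListFragments) {
            if (fragment.allows(symbolicName)) {
                LOG.debug("{} is allow listed to use loginAdministrative, by allow list fragment '{}'", symbolicName, fragment);
                return true;
            }
        }
        LOG.debug("{} is not allow listed to use loginAdministrative", symbolicName);
        return false;
    }

    /**
     * Replaces the fragment derived from one deprecated multi-value property.
     *
     * @param map raw component properties
     * @param str name of the deprecated property to read
     */
    private void ensureBackwardsCompatibility(Map<String, Object> map, String str) {
        AllowListFragment previous = this.backwardsCompatibleFragments.remove(str);
        String[] bundleNames = Converters.standardConverter().convert(map.get(str)).to(String[].class);
        if (bundleNames != null && bundleNames.length != 0) {
            LOG.warn("Using deprecated configuration property '{}'", str);
            AllowListFragment replacement = new AllowListFragment("deprecated-" + str, bundleNames);
            bindAllowListFragment(replacement);
            this.backwardsCompatibleFragments.put(str, replacement);
        }
        // The old fragment is unbound only after the replacement is bound, so entries present
        // in both stay allowed throughout a reconfiguration.
        if (previous != null) {
            unbindAllowListFragment(previous);
        }
    }
}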
