package org.redpill.alfresco.ldap.behaviour;

import java.io.Serializable;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import org.alfresco.error.AlfrescoRuntimeException;
import org.alfresco.model.ContentModel;
import org.alfresco.repo.node.NodeServicePolicies;
import org.alfresco.repo.policy.Behaviour;
import org.alfresco.repo.policy.JavaBehaviour;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.tenant.TenantService;
import org.alfresco.service.cmr.repository.ChildAssociationRef;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.StoreRef;
import org.alfresco.service.cmr.security.AuthorityService;
import org.alfresco.service.namespace.NamespacePrefixResolver;
import org.alfresco.service.namespace.QName;
import org.alfresco.service.namespace.RegexQNamePattern;
import org.apache.log4j.Logger;
import org.redpill.alfresco.ldap.exception.PasswordDoesNotConformToPolicy;
import org.redpill.alfresco.ldap.model.RlLdapModel;
import org.redpill.alfresco.ldap.service.LdapUserService;
import org.springframework.util.Assert;

/* loaded from: input_file:org/redpill/alfresco/ldap/behaviour/PersonPolicy.class */
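/**
 * Repository behaviour that pushes {@code cm:person} nodes to LDAP.
 * <p>
 * Bound in {@link #afterPropertiesSet()} to:
 * <ul>
 * <li>{@code OnCreateNode} on {@code cm:person} — creates the user in LDAP ({@link #addUserToLdap(NodeRef)});</li>
 * <li>{@code OnUpdateProperties} on {@code cm:person} — edits email/first/last name in LDAP;</li>
 * <li>{@code OnAddAspect} for {@link RlLdapModel#ASPECT_PUSH_SYNC} — (re)creates the user in LDAP, optionally
 * resetting the password.</li>
 * </ul>
 * All LDAP work runs as the system user. Users that already originate from an external ({@code AUTH.EXT.*}) zone,
 * plus the admin/system (and for push-sync, guest) users, are never pushed.
 * <p>
 * Password handling: when a {@code usr:user} node exists for the person, its stored MD4 password hash is forwarded to
 * LDAP prefixed with {@code {MD4}} unless a reset is requested; a cleartext temporary password is read from
 * {@link RlLdapModel#PROP_TEMPORARY_PASSWORD} when that aspect is present. Neither value is ever logged here.
 * <p>
 * Thread-safety: the class holds only injected collaborators; the static {@code initialized} flag is unsynchronised
 * and relies on single-threaded bean initialisation.
 */
public class PersonPolicy extends AbstractPolicy implements NodeServicePolicies.OnCreateNodePolicy, NodeServicePolicies.OnUpdatePropertiesPolicy, NodeServicePolicies.OnUpdateNodePolicy, NodeServicePolicies.OnAddAspectPolicy {
    private static final Logger LOG = Logger.getLogger(PersonPolicy.class);
    private static final StoreRef STOREREF_USERS = new StoreRef("user", "alfrescoUserStore");
    /** Prefix shared by every externally synchronised authority zone. */
    private static final String EXTERNAL_ZONE_PREFIX = "AUTH.EXT.";
    /** Namespace URI of the user model; {@code usr:user} nodes are looked up by a QName in it. */
    private static final String USER_MODEL_URI = "http://www.alfresco.org/model/user/1.0";
    /** Marker telling the LDAP user service that the password value is an existing MD4 hash, not cleartext. */
    private static final String MD4_PREFIX = "{MD4}";
    // Prevents the behaviours from being bound more than once. Not synchronised — see class Javadoc.
    private static boolean initialized = false;
    protected LdapUserService ldapUserService;
    protected AuthorityService authorityService;
    protected TenantService tenantService;
    protected NamespacePrefixResolver namespacePrefixResolver;
    /** Suffix of the authority zone ({@code AUTH.EXT.<syncZoneId>}) that pushed users are added to. */
    protected String syncZoneId;
    /** When false every policy method is a no-op. */
    protected boolean enabled = false;
    /** Passed as the reset flag to {@link #addUserToLdap(NodeRef, boolean)} on push-sync. */
    protected boolean resetPasswordOnPushSync = false;

    /**
     * Creates the new person in LDAP unless {@link #shouldSkipCreatePolicy(NodeRef)} says otherwise.
     *
     * @param childAssociationRef association whose child is the new {@code cm:person} node
     */
    public void onCreateNode(ChildAssociationRef childAssociationRef) {
        LOG.trace("onCreateNode begin");
        NodeRef personRef = childAssociationRef.getChildRef();
        if (!shouldSkipCreatePolicy(personRef)) {
            addUserToLdap(personRef);
        }
        LOG.trace("onCreateNode end");
    }

    /**
     * Creates the person in LDAP, forwarding any existing password hash.
     *
     * @param nodeRef the {@code cm:person} node
     */
    protected void addUserToLdap(NodeRef nodeRef) {
        addUserToLdap(nodeRef, false);
    }

    /**
     * Creates the person in LDAP (as the system user) and makes sure the user is in the sync zone.
     * <p>
     * If a {@code usr:user} node exists and carries {@link RlLdapModel#ASPECT_TEMPORARY_PASSWORD}, the temporary
     * password is used and the aspect is removed afterwards; otherwise the stored MD4 hash is forwarded (prefixed with
     * {@code {MD4}}) unless {@code resetPassword} is set or no hash is stored, in which case {@code null} is passed.
     *
     * @param nodeRef       the {@code cm:person} node
     * @param resetPassword when true the existing password hash is not forwarded to LDAP
     */
    protected void addUserToLdap(NodeRef nodeRef, final boolean resetPassword) {
        Map<QName, Serializable> properties = this.nodeService.getProperties(nodeRef);
        final String userName = (String) properties.get(ContentModel.PROP_USERNAME);
        String emailOrNull = (String) properties.get(ContentModel.PROP_EMAIL);
        // The LDAP service is given an empty string rather than null for a missing email.
        final String email = emailOrNull == null ? "" : emailOrNull;
        final String firstName = (String) properties.get(ContentModel.PROP_FIRSTNAME);
        final String lastName = (String) properties.get(ContentModel.PROP_LASTNAME);
        AuthenticationUtil.runAsSystem(new AuthenticationUtil.RunAsWork<Void>() {
            public Void doWork() throws Exception {
                NodeRef userNode = PersonPolicy.this.getUserOrNull(userName);
                String ldapPassword = null;
                if (userNode != null) {
                    String passwordHash = (String) PersonPolicy.this.nodeService.getProperty(userNode, ContentModel.PROP_PASSWORD);
                    // A user node without a stored hash must not blow up with a NullPointerException here.
                    if (!resetPassword && passwordHash != null && passwordHash.length() > 0) {
                        ldapPassword = MD4_PREFIX + passwordHash;
                    }
                }
                if (userNode == null || !PersonPolicy.this.nodeService.hasAspect(userNode, RlLdapModel.ASPECT_TEMPORARY_PASSWORD)) {
                    PersonPolicy.this.ldapUserService.createUser(userName, ldapPassword, true, email, firstName, lastName);
                } else {
                    // Cleartext temporary password stored on the user node; never log it.
                    String temporaryPassword = (String) PersonPolicy.this.nodeService.getProperty(userNode, RlLdapModel.PROP_TEMPORARY_PASSWORD);
                    PersonPolicy.this.ldapUserService.createUser(userName, temporaryPassword, false, email, firstName, lastName);
                    PersonPolicy.this.removeTemporaryPasswordAspect(userNode, userName);
                }
                PersonPolicy.this.ensureInSyncZone(userName);
                return null;
            }
        });
    }

    /**
     * Removes {@link RlLdapModel#ASPECT_TEMPORARY_PASSWORD} from the user node with behaviours suspended, restoring
     * them afterwards even if the removal fails.
     *
     * @param userNode the {@code usr:user} node carrying the aspect
     * @param userName user name, for logging only
     */
    private void removeTemporaryPasswordAspect(NodeRef userNode, String userName) {
        // Presumably suspended so that the aspect removal does not re-trigger policies on the node — confirm.
        boolean behavioursEnabled = this.behaviourFilter.isEnabled(userNode);
        if (behavioursEnabled) {
            this.behaviourFilter.disableBehaviour(userNode);
        }
        try {
            LOG.trace("Removing temporary password aspect for user " + userName);
            this.nodeService.removeAspect(userNode, RlLdapModel.ASPECT_TEMPORARY_PASSWORD);
        } finally {
            if (behavioursEnabled) {
                this.behaviourFilter.enableBehaviour(userNode);
            }
        }
    }

    /**
     * Creates the sync zone if needed and adds the user to it unless already a member.
     *
     * @param userName the authority to add
     */
    private void ensureInSyncZone(String userName) {
        String zoneName = syncZoneName();
        this.authorityService.getOrCreateZone(zoneName);
        if (!this.authorityService.getAuthorityZones(userName).contains(zoneName)) {
            Set<String> zones = new HashSet<String>();
            zones.add(zoneName);
            this.authorityService.addAuthorityToZones(userName, zones);
            if (LOG.isInfoEnabled()) {
                LOG.info("Adding " + userName + " to zone " + zoneName);
            }
        }
    }

    /**
     * Pushes changed email/first/last name to LDAP unless {@link #shouldSkipUpdatePropertiesPolicy} says otherwise.
     *
     * @param nodeRef the {@code cm:person} node
     * @param before  properties before the update
     * @param after   properties after the update
     */
    public void onUpdateProperties(NodeRef nodeRef, Map<QName, Serializable> before, Map<QName, Serializable> after) {
        LOG.trace("onUpdateProperties begin");
        if (!shouldSkipUpdatePropertiesPolicy(nodeRef, before, after)) {
            updateUserInLdap(nodeRef, after);
        }
        LOG.trace("onUpdateProperties end");
    }

    /**
     * No-op; the binding exists only for tracing.
     *
     * @param nodeRef the updated node
     */
    public void onUpdateNode(NodeRef nodeRef) {
        LOG.trace("onUpdateNode begin");
        LOG.trace("onUpdateNode end");
    }

    /**
     * Handles {@link RlLdapModel#ASPECT_PUSH_SYNC}: (re)creates the user in LDAP. If the stored password does not
     * conform to the LDAP policy, the user is created without a password and marked with
     * {@link RlLdapModel#ASPECT_NO_PASSWORD}.
     *
     * @param nodeRef         the {@code cm:person} node
     * @param aspectTypeQName the aspect that was added
     */
    public void onAddAspect(NodeRef nodeRef, QName aspectTypeQName) {
        LOG.trace("onAddAspect begin");
        if (!shouldSkipAddAspectPolicy(nodeRef)) {
            try {
                addUserToLdap(nodeRef, this.resetPasswordOnPushSync);
            } catch (PasswordDoesNotConformToPolicy e) {
                addUserToLdap(nodeRef, true);
                this.nodeService.addAspect(nodeRef, RlLdapModel.ASPECT_NO_PASSWORD, null);
                LOG.warn("Creating user in ldap without password due to old password not conforming to policies: " + nodeRef, e);
            }
        }
        LOG.trace("onAddAspect end");
    }

    /**
     * Edits the LDAP user's email, first and last name from the given properties; the password is left untouched.
     *
     * @param nodeRef    the {@code cm:person} node (unused, kept for subclasses)
     * @param properties current person properties
     */
    protected void updateUserInLdap(NodeRef nodeRef, Map<QName, Serializable> properties) {
        this.ldapUserService.editUser((String) properties.get(ContentModel.PROP_USERNAME), null, null, (String) properties.get(ContentModel.PROP_EMAIL), (String) properties.get(ContentModel.PROP_FIRSTNAME), (String) properties.get(ContentModel.PROP_LASTNAME));
    }

    /**
     * Common skip rules: the superclass decision plus the {@link #enabled} switch.
     *
     * @param nodeRef the node under policy
     * @return true when the policy must not run
     */
    private boolean shouldSkipCommon(NodeRef nodeRef) {
        boolean skip = super.shouldSkipPolicy(nodeRef);
        if (!this.enabled) {
            LOG.info("Skipping policy. LDAP Manager is disabled.");
            skip = true;
        }
        return skip;
    }

    /** @return the full sync zone name, {@code AUTH.EXT.<syncZoneId>} */
    private String syncZoneName() {
        return EXTERNAL_ZONE_PREFIX + this.syncZoneId;
    }

    /**
     * Skips the update unless an LDAP-relevant property changed and the user belongs to this sync zone.
     */
    private boolean shouldSkipUpdatePropertiesPolicy(NodeRef nodeRef, Map<QName, Serializable> before, Map<QName, Serializable> after) {
        if (shouldSkipCommon(nodeRef)) {
            return true;
        }
        boolean ldapPropertyChanged = propertyChanged(before, after, ContentModel.PROP_EMAIL)
                || propertyChanged(before, after, ContentModel.PROP_FIRSTNAME)
                || propertyChanged(before, after, ContentModel.PROP_LASTNAME);
        if (!ldapPropertyChanged) {
            LOG.trace("No ldap properties updated. Skipping property update in ldap.");
            return true;
        }
        String userName = (String) this.nodeService.getProperty(nodeRef, ContentModel.PROP_USERNAME);
        String zoneName = syncZoneName();
        if (!this.authorityService.getAuthorityZones(userName).contains(zoneName)) {
            LOG.trace("User is not part of " + zoneName + " zone. Skipping property update in ldap.");
            return true;
        }
        return false;
    }

    /**
     * Null-safe change detection for one property.
     *
     * @param before   properties before (may be null)
     * @param after    properties after (may be null)
     * @param property the property to compare
     * @return true when the value differs; a null-to-null transition is not a change
     */
    protected boolean propertyChanged(Map<QName, Serializable> before, Map<QName, Serializable> after, QName property) {
        Serializable oldValue = before == null ? null : before.get(property);
        Serializable newValue = after == null ? null : after.get(property);
        if (oldValue == null) {
            return newValue != null;
        }
        return !oldValue.equals(newValue);
    }

    /**
     * Skips creation for disabled policy, users already in any external zone, and the admin/system users.
     *
     * @param nodeRef the {@code cm:person} node
     * @return true when the user must not be pushed
     */
    protected boolean shouldSkipCreatePolicy(NodeRef nodeRef) {
        if (shouldSkipCommon(nodeRef)) {
            return true;
        }
        String userName = (String) this.nodeService.getProperty(nodeRef, ContentModel.PROP_USERNAME);
        for (String zone : this.authorityService.getAuthorityZones(userName)) {
            if (zone.startsWith(EXTERNAL_ZONE_PREFIX)) {
                if (LOG.isTraceEnabled()) {
                    LOG.trace("User " + userName + " is originating from an external zone already. Will not move to LDAP.");
                }
                return true;
            }
        }
        // NOTE(review): unlike push-sync, the guest user is not excluded here — confirm whether that is intended.
        return isBuiltInUser(userName, false);
    }

    /**
     * Skips push-sync for disabled policy, users in a foreign external zone, and the admin/system/guest users.
     *
     * @param nodeRef the {@code cm:person} node
     * @return true when the user must not be pushed
     */
    protected boolean shouldSkipAddAspectPolicy(NodeRef nodeRef) {
        if (shouldSkipCommon(nodeRef)) {
            return true;
        }
        String userName = (String) this.nodeService.getProperty(nodeRef, ContentModel.PROP_USERNAME);
        String ownZone = syncZoneName();
        for (String zone : this.authorityService.getAuthorityZones(userName)) {
            // Membership of this policy's own zone is fine; any other external zone means another source owns the user.
            if (zone.startsWith(EXTERNAL_ZONE_PREFIX) && !zone.equals(ownZone)) {
                if (LOG.isTraceEnabled()) {
                    LOG.trace("User " + userName + " is originating from an external zone already. Will not move to LDAP.");
                }
                return true;
            }
        }
        return isBuiltInUser(userName, true);
    }

    /**
     * Tells whether the user name is one of Alfresco's built-in accounts that are never pushed.
     *
     * @param userName     the user name to check
     * @param includeGuest whether the guest user also counts
     * @return true for admin, system, "&lt;system&gt;User" and (optionally) guest
     */
    private boolean isBuiltInUser(String userName, boolean includeGuest) {
        if (AuthenticationUtil.getAdminUserName().equals(userName)) {
            LOG.info("Skipping admin user. Will not move to LDAP.");
            return true;
        }
        String systemUser = AuthenticationUtil.getSystemUserName();
        if (systemUser.equals(userName) || (systemUser + "User").equals(userName)) {
            LOG.info("Skipping system user. Will not move to LDAP.");
            return true;
        }
        if (includeGuest && AuthenticationUtil.getGuestUserName().equals(userName)) {
            LOG.info("Skipping guest user. Will not move to LDAP.");
            return true;
        }
        return false;
    }

    /**
     * Looks up the {@code usr:user} node for a user name in the user store, running as system.
     *
     * @param userName the user name
     * @return the tenant-qualified user node, or null when no such child exists under the people folder
     */
    protected NodeRef getUserOrNull(final String userName) {
        return AuthenticationUtil.runAsSystem(new AuthenticationUtil.RunAsWork<NodeRef>() {
            public NodeRef doWork() throws Exception {
                NodeRef peopleFolder = PersonPolicy.this.getUserFolderLocation(userName);
                List<ChildAssociationRef> assocs = PersonPolicy.this.nodeService.getChildAssocs(peopleFolder, ContentModel.ASSOC_CHILDREN, QName.createQName(USER_MODEL_URI, userName));
                if (assocs.isEmpty()) {
                    return null;
                }
                return PersonPolicy.this.tenantService.getName(assocs.get(0).getChildRef());
            }
        });
    }

    /**
     * Resolves {@code sys:system/sys:people} in the user store.
     *
     * @param userName unused; kept for API compatibility
     * @return the tenant-qualified people folder
     * @throws AlfrescoRuntimeException when the store cannot be read or either folder is missing
     */
    public NodeRef getUserFolderLocation(String userName) {
        QName systemQName = QName.createQName("sys", "system", this.namespacePrefixResolver);
        QName peopleQName = QName.createQName("sys", "people", this.namespacePrefixResolver);
        List<ChildAssociationRef> systemAssocs;
        try {
            NodeRef rootNode = this.nodeService.getRootNode(STOREREF_USERS);
            systemAssocs = this.nodeService.getChildAssocs(rootNode, RegexQNamePattern.MATCH_ALL, systemQName);
        } catch (Exception e) {
            // Previously only logged, which left the list unset and failed later with a NullPointerException.
            LOG.error("Error while getting user folder location", e);
            throw new AlfrescoRuntimeException("Error while getting user folder location", e);
        }
        if (systemAssocs.isEmpty()) {
            throw new AlfrescoRuntimeException("Required authority system folder path not found: " + systemQName);
        }
        List<ChildAssociationRef> peopleAssocs = this.nodeService.getChildAssocs(systemAssocs.get(0).getChildRef(), RegexQNamePattern.MATCH_ALL, peopleQName);
        if (peopleAssocs.isEmpty()) {
            throw new AlfrescoRuntimeException("Required user folder path not found: " + peopleQName);
        }
        return this.tenantService.getName(peopleAssocs.get(0).getChildRef());
    }

    public void setAuthorityService(AuthorityService authorityService) {
        this.authorityService = authorityService;
    }

    public void setLdapUserService(LdapUserService ldapUserService) {
        this.ldapUserService = ldapUserService;
    }

    public void setSyncZoneId(String syncZoneId) {
        this.syncZoneId = syncZoneId;
    }

    public void setEnabled(boolean enabled) {
        this.enabled = enabled;
    }

    public void setTenantService(TenantService tenantService) {
        this.tenantService = tenantService;
    }

    public void setNamespacePrefixResolver(NamespacePrefixResolver namespacePrefixResolver) {
        this.namespacePrefixResolver = namespacePrefixResolver;
    }

    public void setResetPasswordOnPushSync(boolean resetPasswordOnPushSync) {
        this.resetPasswordOnPushSync = resetPasswordOnPushSync;
    }

    /**
     * Validates the injected collaborators and binds the behaviours once per JVM (all at transaction commit).
     *
     * @throws IllegalArgumentException when a required collaborator is missing
     */
    @Override // org.redpill.alfresco.ldap.behaviour.AbstractPolicy
    public void afterPropertiesSet() {
        super.afterPropertiesSet();
        Assert.notNull(this.authorityService, "authorityService must be set");
        Assert.notNull(this.ldapUserService, "ldapUserService must be set");
        Assert.notNull(this.syncZoneId, "syncZoneId must be set");
        Assert.notNull(this.tenantService, "tenantService must be set");
        Assert.notNull(this.namespacePrefixResolver, "namespacePrefixResolver must be set");
        if (initialized) {
            return;
        }
        LOG.info("Initialized policy");
        this.policyComponent.bindClassBehaviour(NodeServicePolicies.OnCreateNodePolicy.QNAME, ContentModel.TYPE_PERSON, new JavaBehaviour(this, "onCreateNode", Behaviour.NotificationFrequency.TRANSACTION_COMMIT));
        this.policyComponent.bindClassBehaviour(NodeServicePolicies.OnUpdatePropertiesPolicy.QNAME, ContentModel.TYPE_PERSON, new JavaBehaviour(this, "onUpdateProperties", Behaviour.NotificationFrequency.TRANSACTION_COMMIT));
        this.policyComponent.bindClassBehaviour(NodeServicePolicies.OnUpdateNodePolicy.QNAME, ContentModel.TYPE_PERSON, new JavaBehaviour(this, "onUpdateNode", Behaviour.NotificationFrequency.TRANSACTION_COMMIT));
        this.policyComponent.bindClassBehaviour(NodeServicePolicies.OnAddAspectPolicy.QNAME, RlLdapModel.ASPECT_PUSH_SYNC, new JavaBehaviour(this, "onAddAspect", Behaviour.NotificationFrequency.TRANSACTION_COMMIT));
        initialized = true;
    }
}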
