package biz.netcentric.cq.tools.actool.authorizableinstaller.impl;

import biz.netcentric.cq.tools.actool.authorizableinstaller.AuthorizableCreatorException;
import biz.netcentric.cq.tools.actool.authorizableinstaller.AuthorizableInstallerService;
import biz.netcentric.cq.tools.actool.configmodel.AcConfiguration;
import biz.netcentric.cq.tools.actool.configmodel.AuthorizableConfigBean;
import biz.netcentric.cq.tools.actool.configmodel.AuthorizablesConfig;
import biz.netcentric.cq.tools.actool.configmodel.pkcs.Key;
import biz.netcentric.cq.tools.actool.configmodel.pkcs.RandomPassword;
import biz.netcentric.cq.tools.actool.crypto.DecryptionService;
import biz.netcentric.cq.tools.actool.helper.AcHelper;
import biz.netcentric.cq.tools.actool.helper.AccessControlUtils;
import biz.netcentric.cq.tools.actool.helper.Constants;
import biz.netcentric.cq.tools.actool.helper.ContentHelper;
import biz.netcentric.cq.tools.actool.history.InstallationLogger;
import com.adobe.granite.keystore.KeyStoreNotInitialisedException;
import com.adobe.granite.keystore.KeyStoreService;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.cert.Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;
import javax.jcr.Node;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.jcr.UnsupportedRepositoryOperationException;
import javax.jcr.ValueFactory;
import org.apache.commons.collections4.CollectionUtils;
import org.apache.commons.lang3.ArrayUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.AuthorizableExistsException;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
import org.apache.sling.api.SlingIOException;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.PersistenceException;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.jcr.api.SlingRepository;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
import org.osgi.service.component.annotations.ReferencePolicy;
import org.osgi.service.component.annotations.ReferencePolicyOption;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Component
/* loaded from: input_file:biz/netcentric/cq/tools/actool/authorizableinstaller/impl/AuthorizableInstallerServiceImpl.class */
public class AuthorizableInstallerServiceImpl implements AuthorizableInstallerService {
    private static final Logger LOG = LoggerFactory.getLogger(AuthorizableInstallerServiceImpl.class);
    // Path segment that marks the system-user subtree below the users root; consulted when a
    // relative intermediate path of a system user is resolved (see handleRecreationOfAuthorizableIfNecessary).
    private static final String PATH_SEGMENT_SYSTEMUSERS = "system";
    // Authorizable property holding the external id; compared with the configured externalId to
    // decide whether an existing authorizable has to be recreated.
    public static final String REP_EXTERNAL_ID = "rep:externalId";
    // Name of the child node below a user's node that holds the user's key store.
    private static final String USER_KEYSTORE_FOLDER = "keystore";

    // Optional: groups with an external id can only be created when this service is bound
    // (see createNewGroup).
    @Reference(cardinality = ReferenceCardinality.OPTIONAL, policyOption = ReferencePolicyOption.GREEDY)
    ExternalGroupInstallerServiceImpl externalGroupCreatorService;

    // Optional; not referenced in this part of the class.
    @Reference(cardinality = ReferenceCardinality.OPTIONAL, policyOption = ReferencePolicyOption.GREEDY)
    ImpersonationInstallerServiceImpl impersonationInstallerService;

    // Decrypts the configured user passwords and key store passwords before they are used.
    @Reference(policyOption = ReferencePolicyOption.GREEDY)
    DecryptionService decryptionService;

    // Optional and dynamic: may be bound/unbound at any time, hence volatile and null-checked
    // before use (see installKeys).
    @Reference(cardinality = ReferenceCardinality.OPTIONAL, policy = ReferencePolicy.DYNAMIC, policyOption = ReferencePolicyOption.GREEDY)
    volatile KeyStoreService keyStoreService;

    // Provides the resource resolver the key store service operates on, bound to the installer session.
    @Reference(policyOption = ReferencePolicyOption.GREEDY)
    ResourceResolverFactory resourceResolverFactory;

    // Used to probe whether a configured user password is already in effect (see setUserPassword).
    @Reference(policyOption = ReferencePolicyOption.GREEDY)
    SlingRepository repository;

    /**
     * Installs every authorizable of the given configuration into the repository.
     * <p>
     * All work goes through a prefetching user manager that is bound to the installer session with
     * auto-save disabled; the number of created and moved authorizables is reported at the end.
     *
     * @param acConfiguration the complete configuration (global settings and authorizables)
     * @param authorizablesConfig the authorizable beans to install; iterated in its own order
     * @param session the installer session
     * @param installationLogger receives progress messages and the created/moved counters
     */
    @Override // biz.netcentric.cq.tools.actool.authorizableinstaller.AuthorizableInstallerService
    public void installAuthorizables(AcConfiguration acConfiguration, AuthorizablesConfig authorizablesConfig, Session session, InstallationLogger installationLogger) throws RepositoryException, AuthorizableCreatorException, LoginException, IOException, GeneralSecurityException {
        final AuthInstallerUserManagerPrefetchingImpl userManager = new AuthInstallerUserManagerPrefetchingImpl(
                AccessControlUtils.getUserManagerAutoSaveDisabled(session), session.getValueFactory(), installationLogger);
        // Ids of every authorizable under configuration management; the membership code uses
        // this set to tell "external" memberships from managed ones.
        final Set<String> managedIds = authorizablesConfig.getAuthorizableIds();
        for (Iterator it = authorizablesConfig.iterator(); it.hasNext();) {
            AuthorizableConfigBean bean = (AuthorizableConfigBean) it.next();
            installAuthorizableConfigurationBean(session, userManager, acConfiguration, bean, installationLogger, managedIds);
        }
        final String summary = "Created " + installationLogger.getCountAuthorizablesCreated()
                + " authorizables (moved " + installationLogger.getCountAuthorizablesMoved() + " authorizables)";
        installationLogger.addMessage(LOG, summary);
    }

    /**
     * Installs a single authorizable from its configuration bean: creates it when missing,
     * otherwise updates its properties, password, location and memberships, and finally installs
     * the configured keys.
     * <p>
     * The special group {@code everyone} only gets its properties set; membership-related settings
     * on it are rejected.
     *
     * @param session the installer session
     * @param authInstallerUserManager user manager used for all lookups and modifications
     * @param acConfiguration the complete configuration (global defaults and authorizables config)
     * @param authorizableConfigBean the bean describing the authorizable to install
     * @param installationLogger receives progress messages and counters
     * @param set ids of all authorizables managed by this configuration
     * @throws IllegalArgumentException if {@code members}, {@code isMemberOf} or {@code migrateFrom}
     *         is configured for {@code everyone}
     * @throws AuthorizableCreatorException if the configured key store password cannot be decrypted
     */
    private void installAuthorizableConfigurationBean(Session session, AuthInstallerUserManager authInstallerUserManager, AcConfiguration acConfiguration, AuthorizableConfigBean authorizableConfigBean, InstallationLogger installationLogger, Set<String> set) throws RepositoryException, AuthorizableCreatorException, IOException, GeneralSecurityException, LoginException {
        final String id = authorizableConfigBean.getAuthorizableId();
        LOG.debug("- start installation of authorizable: {}", id);
        final Authorizable existing = authInstallerUserManager.getAuthorizable(id);

        if (StringUtils.equals(id, Constants.PRINCIPAL_EVERYONE)) {
            boolean hasMembershipSettings = ArrayUtils.isNotEmpty(authorizableConfigBean.getIsMemberOf())
                    || ArrayUtils.isNotEmpty(authorizableConfigBean.getMembers())
                    || StringUtils.isNotBlank(authorizableConfigBean.getMigrateFrom());
            if (hasMembershipSettings) {
                throw new IllegalArgumentException("The special group everyone does not support setting properties 'members', 'isMemberOf' and 'migrateFrom'");
            }
            setAuthorizableProperties(existing, authorizableConfigBean, acConfiguration.getAuthorizablesConfig(), session, installationLogger);
            return;
        }

        Authorizable target = existing;
        if (target == null) {
            target = createNewAuthorizable(acConfiguration, authorizableConfigBean, installationLogger, authInstallerUserManager, session);
            installationLogger.incCountAuthorizablesCreated();
        } else {
            setAuthorizableProperties(target, authorizableConfigBean, acConfiguration.getAuthorizablesConfig(), session, installationLogger);
            // A password is only applied to existing non-system users that have one configured.
            boolean hasManagedPassword = !target.isGroup()
                    && !authorizableConfigBean.isSystemUser()
                    && StringUtils.isNotBlank(authorizableConfigBean.getPassword());
            if (hasManagedPassword) {
                setUserPassword(authorizableConfigBean, (User) target, installationLogger);
            }
            handleRecreationOfAuthorizableIfNecessary(session, acConfiguration, authorizableConfigBean, installationLogger, authInstallerUserManager);
            applyGroupMembershipConfigIsMemberOf(installationLogger, acConfiguration, authorizableConfigBean, authInstallerUserManager, session, set);
        }
        applyGroupMembershipConfigMembers(acConfiguration, authorizableConfigBean, installationLogger, id, authInstallerUserManager, set);

        if (authorizableConfigBean.isGroup() && StringUtils.isNotBlank(authorizableConfigBean.getMigrateFrom())) {
            migrateFromOldGroup(authorizableConfigBean, authInstallerUserManager, installationLogger);
        }

        final Map<String, Key> keys = authorizableConfigBean.getKeys();
        if (keys == null) {
            return;
        }
        // NOTE(review): 'target' is the instance looked up (or created) above. If
        // handleRecreationOfAuthorizableIfNecessary replaced the authorizable, this is the removed
        // instance — confirm whether the key installation should re-fetch by id. The cast to User
        // is not guarded; keys configured on a group fail here with a ClassCastException.
        try {
            installKeys(authorizableConfigBean.isAppendToKeyStore(), (User) target, keys, id,
                    this.decryptionService.decrypt(authorizableConfigBean.getKeyStorePassword()), session, installationLogger);
        } catch (UnsupportedOperationException e) {
            throw new AuthorizableCreatorException("Could not decrypt key store password for user " + authorizableConfigBean.getAuthorizableId() + ": " + e.getMessage(), e);
        }
    }

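    /**
     * Installs the configured keys into the key store of {@code user}, optionally removing the
     * existing key store first.
     * <p>
     * A resource resolver is created on top of the installer session for the key store service and
     * is closed on every exit path, including when the key installation itself fails (the previous
     * version only closed it when removing the old key store failed).
     *
     * @param z {@code true} to append to an existing key store, {@code false} to delete it first
     * @param user the user whose key store is written
     * @param map keys to install, by alias
     * @param str the user id the key store belongs to
     * @param str2 the decrypted key store password from the configuration; may be {@code null} or empty
     * @param session the installer session the resource resolver is bound to
     * @param installationLogger receives progress messages
     */
    private void installKeys(boolean z, User user, Map<String, Key> map, String str, String str2, Session session, InstallationLogger installationLogger) throws LoginException, SlingIOException, SecurityException, KeyStoreNotInitialisedException, IOException, GeneralSecurityException, UnsupportedRepositoryOperationException, RepositoryException {
        Map<String, Object> authInfo = new HashMap<>();
        // Reuse the installer's JCR session instead of performing a separate login.
        authInfo.put("user.jcr.session", session);
        ResourceResolver resourceResolver = this.resourceResolverFactory.getResourceResolver(authInfo);
        try {
            if (!z) {
                removeKeyStore(resourceResolver, user, installationLogger);
            }
            installKeys(map, str, str2, resourceResolver, installationLogger);
        } finally {
            resourceResolver.close();
        }
    }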

    /**
     * Deletes the key store node below the given user, if one exists.
     *
     * @param resourceResolver resolver used to locate and delete the key store resource
     * @param user the user whose {@code keystore} child node is removed
     * @param installationLogger receives a message in both the found and not-found case
     */
    private void removeKeyStore(ResourceResolver resourceResolver, User user, InstallationLogger installationLogger) throws UnsupportedRepositoryOperationException, RepositoryException, PersistenceException {
        final String keyStorePath = user.getPath() + "/" + USER_KEYSTORE_FOLDER;
        final Resource keyStoreResource = resourceResolver.getResource(keyStorePath);
        if (keyStoreResource != null) {
            installationLogger.addMessage(LOG, "Deleting old key store for user  '" + user.getID() + "'");
            resourceResolver.delete(keyStoreResource);
            return;
        }
        installationLogger.addMessage(LOG, "No key store for user  '" + user.getID() + "' found to delete");
    }

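    /**
     * Creates the user's key store if it does not exist yet and adds every configured key to it.
     * <p>
     * When no key store password is configured, a random 20-character password is generated; the
     * password itself is never written to the log, only whether it was random or predefined. A
     * configured password is ignored (with a warning) if the key store already exists.
     *
     * @param map keys to add, by alias; entries with a certificate are added as key entries,
     *            the others as key pairs
     * @param str the user id the key store belongs to
     * @param str2 the decrypted key store password; {@code null} or empty means "generate one"
     * @param resourceResolver resolver the key store service operates on
     * @param installationLogger receives progress messages
     * @throws IllegalStateException if no {@link KeyStoreService} is bound
     */
    private void installKeys(Map<String, Key> map, String str, String str2, ResourceResolver resourceResolver, InstallationLogger installationLogger) throws SlingIOException, SecurityException, KeyStoreNotInitialisedException, IOException, GeneralSecurityException {
        // Snapshot the dynamic reference once: the field is volatile and may be unbound at any
        // time, so re-reading it after the null check could still yield null.
        final KeyStoreService keyStore = this.keyStoreService;
        if (keyStore == null) {
            throw new IllegalStateException("Keys are used on the authorizable which require the AEM KeyStore Service which is missing.");
        }
        if (!keyStore.keyStoreExists(resourceResolver, str)) {
            final boolean randomPassword = str2 == null || str2.isEmpty();
            final char[] keyStorePassword = randomPassword ? RandomPassword.generate(20) : str2.toCharArray();
            keyStore.createKeyStore(resourceResolver, str, keyStorePassword);
            installationLogger.addMessage(LOG, "Created new key store with " + (randomPassword ? "random" : "predefined") + " password for user  '" + str + "'");
        } else if (str2 != null) {
            installationLogger.addWarning(LOG, "Key store for user " + str + " does already exist, ignoring configured 'keystorePassword'");
        }
        for (Map.Entry<String, Key> entry : map.entrySet()) {
            final String alias = entry.getKey();
            final Key key = entry.getValue();
            final Certificate certificate = key.getCertificate();
            if (certificate != null) {
                keyStore.addKeyStoreKeyEntry(resourceResolver, str, alias, key.getPrivateKey(), new Certificate[]{certificate});
            } else {
                keyStore.addKeyStoreKeyPair(resourceResolver, str, key.getKeyPair(), alias);
            }
            installationLogger.addMessage(LOG, "Added key with alias '" + alias + "' to keystore of user '" + str + "'");
        }
    }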

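    /**
     * Brings the user's repository password in line with the configured one.
     * <p>
     * Stored passwords cannot be read back, so the configured password is verified by attempting a
     * login with it: if the login succeeds the password is unchanged and nothing is written; if it
     * fails with a {@link javax.jcr.LoginException} the password is updated. The probe session is
     * logged out exactly once on every path (the decompiled original duplicated the logout into a
     * catch-all handler, which could run it twice).
     * <p>
     * NOTE(review): any other cause of a login failure (e.g. a disabled account) also ends in
     * {@code changePassword} — confirm that this is intended.
     *
     * @param authorizableConfigBean bean holding the (possibly encrypted) configured password
     * @param user the user whose password is checked and, if needed, changed
     * @param installationLogger receives a message describing the outcome
     * @throws AuthorizableCreatorException if the configured password cannot be decrypted
     */
    void setUserPassword(AuthorizableConfigBean authorizableConfigBean, User user, InstallationLogger installationLogger) throws RepositoryException, AuthorizableCreatorException {
        final String id = user.getID();
        final String password = getPassword(authorizableConfigBean);
        Session probeSession = null;
        try {
            probeSession = this.repository.login(new SimpleCredentials(id, password.toCharArray()));
            LOG.trace("Could obtain session {} for user {}, will not update password", probeSession, id);
            installationLogger.addVerboseMessage(LOG, "Password of user " + id + " has not changed");
        } catch (javax.jcr.LoginException e) {
            // Expected outcome when the password differs; the exception is only logged at trace level.
            LOG.trace("User {} could not log in with existing password", id, e);
            user.changePassword(password);
            installationLogger.addMessage(LOG, "Changed password of user " + id);
        } finally {
            if (probeSession != null) {
                probeSession.logout();
            }
        }
    }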

    /**
     * Returns the configured password of the authorizable in clear text.
     *
     * @param authorizableConfigBean bean whose (possibly encrypted) password is decrypted
     * @return the decrypted password as returned by the decryption service
     * @throws AuthorizableCreatorException if the decryption service cannot handle the value
     */
    private String getPassword(AuthorizableConfigBean authorizableConfigBean) throws AuthorizableCreatorException {
        try {
            return this.decryptionService.decrypt(authorizableConfigBean.getPassword());
        } catch (UnsupportedOperationException e) {
            final String reason = "Could not decrypt password for user " + authorizableConfigBean.getAuthorizableId() + ": " + e.getMessage();
            throw new AuthorizableCreatorException(reason, e);
        }
    }

    /**
     * Aligns the "external" members of a configured group with its {@code members} setting.
     * <p>
     * External members are declared members of the group that are neither managed by this
     * configuration nor regular users, minus those matched by the unmanaged-members regex. Members
     * listed in the configuration but missing in the repository are added (a missing authorizable is
     * an error); external members not listed in the configuration are removed. Non-groups are ignored.
     *
     * @param acConfiguration the complete configuration (for the global unmanaged-members regex)
     * @param authorizableConfigBean the group's configuration bean
     * @param installationLogger receives verbose messages for every change
     * @param str id of the group to update
     * @param authInstallerUserManager user manager used for lookups and membership changes
     * @param set ids of all authorizables managed by this configuration
     * @throws IllegalStateException if a configured member does not exist in the repository
     */
    void applyGroupMembershipConfigMembers(AcConfiguration acConfiguration, AuthorizableConfigBean authorizableConfigBean, InstallationLogger installationLogger, String str, AuthInstallerUserManager authInstallerUserManager, Set<String> set) throws RepositoryException {
        if (!authorizableConfigBean.isGroup()) {
            return;
        }
        final String groupId = authorizableConfigBean.getAuthorizableId();

        final String[] configuredMembers = authorizableConfigBean.getMembers();
        final Set<String> membersInConfig = new HashSet<>();
        if (configuredMembers != null) {
            membersInConfig.addAll(Arrays.asList(configuredMembers));
        }

        // Declared members that are not under configuration management (regular users excluded),
        // less those the unmanaged-members regex tells us to leave untouched.
        final Set<String> externalMembersInRepo = removeExternalMembersUnmanagedByConfiguration(acConfiguration, authorizableConfigBean,
                new HashSet<>(CollectionUtils.subtract(authInstallerUserManager.getDeclaredMembersWithoutRegularUsers(str), set)), installationLogger);
        final Set<String> toAdd = new HashSet<>(CollectionUtils.subtract(membersInConfig, externalMembersInRepo));
        final Set<String> toRemove = new HashSet<>(CollectionUtils.subtract(externalMembersInRepo, membersInConfig));

        final Group group = authInstallerUserManager.getAuthorizable(str);

        if (!toAdd.isEmpty()) {
            installationLogger.addVerboseMessage(LOG, "Adding " + toAdd.size() + " external members to group " + groupId);
            for (String memberId : toAdd) {
                final Authorizable member = authInstallerUserManager.getAuthorizable(memberId);
                if (member == null) {
                    throw new IllegalStateException("Member " + memberId + " does not exist and cannot be added as external member to group " + groupId);
                }
                group.addMember(member);
                installationLogger.addVerboseMessage(LOG, "Adding " + memberId + " as external member to group " + groupId);
            }
        }

        if (!toRemove.isEmpty()) {
            installationLogger.addVerboseMessage(LOG, "Removing " + toRemove.size() + " external members from group " + groupId);
            for (String memberId : toRemove) {
                // The id came from the group's declared members, so the lookup is expected to succeed.
                group.removeMember(authInstallerUserManager.getAuthorizable(memberId));
                installationLogger.addVerboseMessage(LOG, "Removing " + memberId + " as external member from group " + groupId);
            }
        }
    }

    /**
     * Filters the member ids that this configuration must not touch.
     * <p>
     * The bean's {@code unmanagedExternalMembersRegex} takes precedence over the global default;
     * when neither is set, every id is returned. Matching ids are reported once in a verbose message
     * and left out of the result, so the caller never removes them from the group.
     *
     * @param acConfiguration provides the global default regex
     * @param authorizableConfigBean provides the group-specific regex and id
     * @param set candidate member ids; not modified
     * @param installationLogger receives the "not removing" message when something matched
     * @return a new set holding the ids that remain under configuration management
     */
    private Set<String> removeExternalMembersUnmanagedByConfiguration(AcConfiguration acConfiguration, AuthorizableConfigBean authorizableConfigBean, Set<String> set, InstallationLogger installationLogger) {
        Pattern unmanagedRegex = authorizableConfigBean.getUnmanagedExternalMembersRegex();
        if (unmanagedRegex == null) {
            unmanagedRegex = acConfiguration.getGlobalConfiguration().getDefaultUnmanagedExternalMembersRegex();
        }
        final Set<String> managed = new HashSet<>();
        final Set<String> unmanaged = new HashSet<>();
        for (String memberId : set) {
            final boolean isUnmanaged = unmanagedRegex != null && unmanagedRegex.matcher(memberId).matches();
            if (isUnmanaged) {
                unmanaged.add(memberId);
            } else {
                managed.add(memberId);
            }
        }
        if (!unmanaged.isEmpty()) {
            installationLogger.addVerboseMessage(LOG, "Not removing members " + unmanaged + " from " + authorizableConfigBean.getAuthorizableId() + " because of unmanagedExternalMembersRegex=" + unmanagedRegex);
        }
        return managed;
    }

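    /**
     * Moves the user members of the group named in {@code migrateFrom} into the configured group
     * and deletes the old group afterwards.
     * <p>
     * Only user members are taken over; member groups of the old group are dropped with it. A
     * missing old group is reported and ignored; a user id in {@code migrateFrom} is reported as a
     * warning and ignored. The lookup result is held as {@link Authorizable} so that the
     * {@code isGroup()} check runs before anything is treated as a {@link Group} (the decompiled
     * original typed it as {@code Group}, which would fail for a user before the check).
     *
     * @param authorizableConfigBean bean providing {@code migrateFrom} and the target group id
     * @param authInstallerUserManager user manager used for lookup, membership changes and removal
     * @param installationLogger receives a message for every step
     */
    private void migrateFromOldGroup(AuthorizableConfigBean authorizableConfigBean, AuthInstallerUserManager authInstallerUserManager, InstallationLogger installationLogger) throws RepositoryException {
        final String migrateFrom = authorizableConfigBean.getMigrateFrom();
        final String targetGroupId = authorizableConfigBean.getAuthorizableId();

        final Authorizable source = authInstallerUserManager.getAuthorizable(migrateFrom);
        if (source == null) {
            installationLogger.addMessage(LOG, "Group " + migrateFrom + " does not exist (specified as migrateFrom in group " + targetGroupId + ") - no action taken");
            return;
        }
        if (!source.isGroup()) {
            installationLogger.addWarning(LOG, "Specifying a user in 'migrateFrom' does not make sense (migrateFrom=" + migrateFrom + " in " + targetGroupId + ")");
            return;
        }
        final Group sourceGroup = (Group) source;
        installationLogger.addMessage(LOG, "Migrating from group " + migrateFrom + "  to " + targetGroupId);

        // Collect user members only; nested groups are not migrated.
        final Set<Authorizable> userMembers = new HashSet<>();
        final Iterator<Authorizable> members = sourceGroup.getMembers();
        while (members.hasNext()) {
            final Authorizable member = members.next();
            if (!member.isGroup()) {
                userMembers.add(member);
            }
        }
        if (!userMembers.isEmpty()) {
            installationLogger.addMessage(LOG, "- Taking over " + userMembers.size() + " member users from group " + migrateFrom + " to group " + targetGroupId);
            final Group targetGroup = authInstallerUserManager.getAuthorizable(targetGroupId);
            for (Authorizable member : userMembers) {
                targetGroup.addMember(member);
            }
        }
        authInstallerUserManager.removeAuthorizable(sourceGroup);
        installationLogger.addMessage(LOG, "- Deleted group " + migrateFrom);
    }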

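    /**
     * Recreates an existing authorizable when its intermediate path or its external id differs from
     * the configuration.
     * <p>
     * A relative configured path is resolved below the groups or users root (with the system-user
     * segment inserted for system users). If either the path or the external id changed, the
     * authorizable is removed and created anew from its configuration; for groups the declared
     * members are retained, and the now-empty old intermediate path is cleaned up. Nothing else from
     * the old node is carried over — the new authorizable holds only what the configuration defines.
     * <p>
     * The lookup is typed {@link Authorizable} because this runs for users as well as groups; the
     * decompiled original assigned it (and the recreated authorizable) to {@code Group}, which does
     * not compile against {@code createNewAuthorizable} and would fail for users at runtime.
     *
     * @param session the installer session, used to remove the old intermediate path
     * @param acConfiguration the complete configuration
     * @param authorizableConfigBean bean providing path, external id and creation settings
     * @param installationLogger receives messages for detected changes and the recreation
     * @param authInstallerUserManager user manager used for lookup, removal and membership changes
     */
    private void handleRecreationOfAuthorizableIfNecessary(Session session, AcConfiguration acConfiguration, AuthorizableConfigBean authorizableConfigBean, InstallationLogger installationLogger, AuthInstallerUserManager authInstallerUserManager) throws RepositoryException, AuthorizableCreatorException {
        final String authorizableId = authorizableConfigBean.getAuthorizableId();
        final Authorizable existing = authInstallerUserManager.getAuthorizable(authorizableId);
        final String existingPath = existing.getPath();
        final String currentIntermediatePath = existingPath.substring(0, existingPath.lastIndexOf("/"));

        String configuredPath = authorizableConfigBean.getPath();
        if (StringUtils.isNotEmpty(configuredPath) && configuredPath.charAt(0) != '/') {
            // Relative path: anchor it below the matching root and add the system-user segment
            // unless the configured path already starts with it.
            final String root = authorizableConfigBean.isGroup() ? Constants.GROUPS_ROOT : Constants.USERS_ROOT;
            final boolean needsSystemSegment = authorizableConfigBean.isSystemUser() && !configuredPath.startsWith(PATH_SEGMENT_SYSTEMUSERS);
            configuredPath = root + (needsSystemSegment ? "/system" : "") + "/" + configuredPath;
        }
        final boolean pathChanged = !StringUtils.equals(currentIntermediatePath, configuredPath) && StringUtils.isNotBlank(authorizableConfigBean.getPath());
        if (pathChanged) {
            installationLogger.addMessage(LOG, "Found change of intermediate path for " + existing.getID() + ": " + currentIntermediatePath + " -> " + configuredPath);
        }

        final String externalIdInRepo = StringUtils.defaultIfEmpty(AcHelper.valuesToString(existing.getProperty(REP_EXTERNAL_ID)), "");
        final String externalIdInConfig = StringUtils.defaultIfEmpty(authorizableConfigBean.getExternalId(), "");
        final boolean externalIdChanged = !StringUtils.equals(externalIdInRepo, externalIdInConfig);
        if (externalIdChanged) {
            installationLogger.addMessage(LOG, "Found change of external id of " + existing.getID() + ": '" + externalIdInRepo + "' (current) is not '" + externalIdInConfig + "' (in config)");
        }
        if (!pathChanged && !externalIdChanged) {
            return;
        }

        // Remember declared members before the group node disappears.
        final Set<Authorizable> retainedMembers = new HashSet<>();
        if (existing.isGroup()) {
            final Iterator<Authorizable> declaredMembers = ((Group) existing).getDeclaredMembers();
            while (declaredMembers.hasNext()) {
                retainedMembers.add(declaredMembers.next());
            }
        }
        authInstallerUserManager.removeAuthorizable(existing);
        final Authorizable recreated = createNewAuthorizable(acConfiguration, authorizableConfigBean, installationLogger, authInstallerUserManager, session);
        int retainedCount = 0;
        if (recreated.isGroup()) {
            final Group recreatedGroup = (Group) recreated;
            for (Authorizable member : retainedMembers) {
                recreatedGroup.addMember(member);
                retainedCount++;
            }
        }
        deleteOldIntermediatePath(session, session.getNode(currentIntermediatePath));
        installationLogger.addMessage(LOG, "Recreated authorizable " + recreated + " at path " + recreated.getPath() + (recreated.isGroup() ? "(retained " + retainedCount + " members of group)" : ""));
        installationLogger.incCountAuthorizablesMoved();
    }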

    /**
     * Removes the given node and its ancestors as long as they are empty, stopping at the groups or
     * users root (which is never removed) or at the first node that still has children.
     * <p>
     * NOTE(review): the loop assumes the start node lies below one of the two roots; for a node
     * outside that subtree it would keep climbing while parents are empty — confirm callers
     * guarantee the precondition.
     *
     * @param session session used to remove the items
     * @param node the (former) intermediate node to start from
     */
    private void deleteOldIntermediatePath(Session session, Node node) throws RepositoryException {
        Node current = node;
        while (true) {
            final String currentPath = current.getPath();
            final boolean isRoot = StringUtils.equals(Constants.GROUPS_ROOT, currentPath)
                    || StringUtils.equals(Constants.USERS_ROOT, currentPath);
            if (isRoot || current.hasNodes()) {
                break;
            }
            // Fetch the parent before the node is gone.
            final Node parent = current.getParent();
            session.removeItem(currentPath);
            current = parent;
        }
    }

    /**
     * Convenience overload: derives the configured and the current {@code isMemberOf} sets of the
     * authorizable and delegates to the full variant.
     *
     * @param installationLogger receives verbose messages
     * @param acConfiguration the complete configuration
     * @param authorizableConfigBean bean providing the id and the configured {@code isMemberOf}
     * @param authInstallerUserManager user manager used to read the current memberships
     * @param session the installer session
     * @param set ids of all authorizables managed by this configuration
     */
    private void applyGroupMembershipConfigIsMemberOf(InstallationLogger installationLogger, AcConfiguration acConfiguration, AuthorizableConfigBean authorizableConfigBean, AuthInstallerUserManager authInstallerUserManager, Session session, Set<String> set) throws RepositoryException, AuthorizableCreatorException {
        final Set<String> isMemberOfInConfig = getMembershipGroupsFromConfig(authorizableConfigBean.getIsMemberOf());
        final Set<String> isMemberOfInRepo = authInstallerUserManager.getDeclaredIsMemberOf(authorizableConfigBean.getAuthorizableId());
        applyGroupMembershipConfigIsMemberOf(authorizableConfigBean, acConfiguration, installationLogger, authInstallerUserManager, session,
                isMemberOfInConfig, isMemberOfInRepo, set);
    }

    /**
     * Creates a new group or user from its configuration bean.
     *
     * @param acConfiguration the complete configuration (its authorizables config is passed on)
     * @param authorizableConfigBean bean describing the authorizable to create
     * @param installationLogger receives progress messages
     * @param authInstallerUserManager user manager used for creation
     * @param session the installer session
     * @return the newly created authorizable
     * @throws IllegalStateException if a user is configured with an external id; users with an
     *         external id are expected to be created by a sync handler, not by this installer
     */
    private Authorizable createNewAuthorizable(AcConfiguration acConfiguration, AuthorizableConfigBean authorizableConfigBean, InstallationLogger installationLogger, AuthInstallerUserManager authInstallerUserManager, Session session) throws AuthorizableExistsException, RepositoryException, AuthorizableCreatorException {
        final String authorizableId = authorizableConfigBean.getAuthorizableId();
        if (authorizableConfigBean.isGroup()) {
            final Authorizable group = createNewGroup(authInstallerUserManager, acConfiguration.getAuthorizablesConfig(), authorizableConfigBean, installationLogger, session);
            LOG.info("Successfully created new group: {}", authorizableId);
            return group;
        }
        if (StringUtils.isNotEmpty(authorizableConfigBean.getExternalId())) {
            throw new IllegalStateException("External IDs are not supported for users (" + authorizableConfigBean.getAuthorizableId() + " is using '" + authorizableConfigBean.getExternalId() + "') - use a ootb sync handler to have users automatically created.");
        }
        final Authorizable user = createNewUser(authInstallerUserManager, acConfiguration.getAuthorizablesConfig(), authorizableConfigBean, installationLogger, session);
        LOG.info("Successfully created new user: {}", authorizableId);
        return user;
    }

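    /**
     * Converts the configured {@code isMemberOf} array into a set of group ids.
     * <p>
     * Package-private like the class's other unit-testable helpers; the raw {@code HashSet} of the
     * original is replaced by a typed set built from the array.
     *
     * @param strArr configured group ids; may be {@code null}
     * @return a new, mutable set of the ids (duplicates collapsed); empty for {@code null} or an empty array
     */
    Set<String> getMembershipGroupsFromConfig(String[] strArr) {
        final Set<String> groups = new HashSet<>();
        if (strArr != null) {
            groups.addAll(Arrays.asList(strArr));
        }
        return groups;
    }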

    /**
     * Aligns the group memberships of an authorizable with its configured {@code isMemberOf}.
     * <p>
     * Groups the authorizable is configured to be in but is not yet a member of are added; current
     * memberships not covered by the configuration are removed — unless the group is not managed
     * by this configuration ({@code set3}) and matches the unmanaged-isMemberOf regex, in which case
     * the membership is left alone. {@code everyone} is ignored on both sides. Note that {@code set}
     * and {@code set2} are modified in place.
     *
     * @param authorizableConfigBean bean of the authorizable whose memberships are adjusted
     * @param acConfiguration the complete configuration (authorizables config and the global default regex)
     * @param installationLogger receives verbose messages describing the computed changes
     * @param authInstallerUserManager user manager used for lookups and membership changes
     * @param session the installer session
     * @param set group ids from the configuration; modified (everyone removed)
     * @param set2 group ids the authorizable is currently a declared member of; modified (everyone removed)
     * @param set3 ids of all authorizables managed by this configuration
     */
    void applyGroupMembershipConfigIsMemberOf(AuthorizableConfigBean authorizableConfigBean, AcConfiguration acConfiguration, InstallationLogger installationLogger, AuthInstallerUserManager authInstallerUserManager, Session session, Set<String> set, Set<String> set2, Set<String> set3) throws RepositoryException, AuthorizableExistsException, AuthorizableCreatorException {
        // everyone is implicit and never managed as an explicit membership
        set.remove(Constants.PRINCIPAL_EVERYONE);
        set2.remove(Constants.PRINCIPAL_EVERYONE);
        String authorizableId = authorizableConfigBean.getAuthorizableId();
        installationLogger.addVerboseMessage(LOG, "Authorizable " + authorizableId + " isMemberOf(repo)=" + set2);
        installationLogger.addVerboseMessage(LOG, "Authorizable " + authorizableId + " isMemberOf(config)=" + set);
        // validated subset of the configured groups; what validation entails is defined elsewhere in the class
        Set<String> validateAssignedGroups = validateAssignedGroups(authInstallerUserManager, acConfiguration.getAuthorizablesConfig(), session, authorizableId, set, installationLogger);
        installationLogger.addVerboseMessage(LOG, "Authorizable " + authorizableId + " remains member of groups " + CollectionUtils.intersection(set2, validateAssignedGroups));
        // configured but not yet in the repository -> to be added
        Collection<String> subtract = CollectionUtils.subtract(validateAssignedGroups, set2);
        installationLogger.addVerboseMessage(LOG, "Authorizable " + authorizableId + " will be added as member of " + subtract);
        // in the repository but not configured -> candidates for removal
        Collection<String> subtract2 = CollectionUtils.subtract(set2, validateAssignedGroups);
        HashSet hashSet = new HashSet();
        // bean-level regex wins over the global default
        Pattern unmanagedExternalIsMemberOfRegex = authorizableConfigBean.getUnmanagedExternalIsMemberOfRegex();
        if (unmanagedExternalIsMemberOfRegex == null) {
            unmanagedExternalIsMemberOfRegex = acConfiguration.getGlobalConfiguration().getDefaultUnmanagedExternalIsMemberOfRegex();
        }
        // Keep memberships in groups that are outside this configuration AND match the regex.
        // A group that is itself managed by the configuration is always removed, regex or not.
        Iterator it = subtract2.iterator();
        while (it.hasNext()) {
            String str = (String) it.next();
            if (!set3.contains(str) && unmanagedExternalIsMemberOfRegex != null && unmanagedExternalIsMemberOfRegex.matcher(str).matches()) {
                hashSet.add(str);
                it.remove();
            }
        }
        installationLogger.addVerboseMessage(LOG, "Authorizable " + authorizableId + " will be removed from members of " + subtract2);
        if (!hashSet.isEmpty()) {
            installationLogger.addVerboseMessage(LOG, "Authorizable " + authorizableId + " remains member of groups " + hashSet + " (due to configured unmanagedExternalIsMemberOfRegex=" + unmanagedExternalIsMemberOfRegex + ")");
        }
        Authorizable authorizable = authInstallerUserManager.getAuthorizable(authorizableId);
        for (String str2 : subtract) {
            LOG.debug("Membership Change: Adding {} to members of group {} in repository", authorizableId, str2);
            authInstallerUserManager.getAuthorizable(str2).addMember(authorizable);
        }
        for (String str3 : subtract2) {
            LOG.debug("Membership Change: Removing {} from members of group {} in repository", authorizableId, str3);
            authInstallerUserManager.getAuthorizable(str3).removeMember(authorizable);
        }
        // NOTE(review): the summary is only written when there were both additions and removals —
        // confirm whether "either" was intended.
        if (subtract.isEmpty() || subtract2.isEmpty()) {
            return;
        }
        installationLogger.addVerboseMessage(LOG, "Membership Change: Authorizable " + authorizableId + " was added to " + subtract.size() + " and removed from " + subtract2.size() + " groups");
    }

    /**
     * Creates a group from its configuration bean, then wires referencing authorizables and sets the
     * group's properties.
     * <p>
     * Groups with an external id are delegated to the external group installer service, which must
     * be bound; others are created directly, below the configured intermediate path when one is set.
     * If the group turns out to exist already, the existing group is used instead of failing.
     *
     * @param authInstallerUserManager user manager used for creation and lookup
     * @param authorizablesConfig configuration of all authorizables (for referencing members)
     * @param authorizableConfigBean bean describing the group
     * @param installationLogger receives progress messages
     * @param session the installer session
     * @return the created (or already existing) group
     * @throws IllegalStateException if an external id is configured but no external group installer is bound
     */
    private Authorizable createNewGroup(AuthInstallerUserManager authInstallerUserManager, AuthorizablesConfig authorizablesConfig, AuthorizableConfigBean authorizableConfigBean, InstallationLogger installationLogger, Session session) throws AuthorizableExistsException, RepositoryException, AuthorizableCreatorException {
        final String groupId = authorizableConfigBean.getAuthorizableId();
        final String intermediatePath = authorizableConfigBean.getPath();
        Group group;
        try {
            if (StringUtils.isNotEmpty(authorizableConfigBean.getExternalId())) {
                if (this.externalGroupCreatorService == null) {
                    throw new IllegalStateException("External IDs are not available for your AEM version (" + authorizableConfigBean.getAuthorizableId() + " is using '" + authorizableConfigBean.getExternalId() + "')");
                }
                group = (Group) this.externalGroupCreatorService.createGroupWithExternalId(authInstallerUserManager.getOakUserManager(), authorizableConfigBean, installationLogger, session);
                LOG.info("Successfully created new external group: {}", groupId);
            } else {
                final PrincipalImpl principal = new PrincipalImpl(groupId);
                if (StringUtils.isNotBlank(intermediatePath)) {
                    group = authInstallerUserManager.createGroup(principal, intermediatePath);
                } else {
                    group = authInstallerUserManager.createGroup(principal);
                }
            }
        } catch (AuthorizableExistsException e) {
            // The group exists although it was not found before creation: continue with it.
            LOG.warn("Group {} already exists in system!", groupId);
            group = authInstallerUserManager.getAuthorizable(groupId);
        }
        addMembersToReferencingAuthorizables(group, authorizablesConfig, authorizableConfigBean, authInstallerUserManager, session, installationLogger);
        setAuthorizableProperties(group, authorizableConfigBean, authorizablesConfig, session, installationLogger);
        return group;
    }

    /**
     * Transfers the profile-related settings of {@code authorizableConfigBean} onto an already
     * existing {@code authorizable}: imported profile/preferences/social content, the name (split into
     * given and family name for users), email, description, the disabled state (users only) and the
     * impersonation setup (users only).
     *
     * <p>Explicitly supported properties that are absent from the config are removed from the
     * repository, but only when no {@code profileContent} is imported; an imported profile is left
     * untouched so that it can carry those values itself.
     *
     * @param authorizable the user or group to update
     * @param authorizableConfigBean the configuration to apply
     * @param authorizablesConfig the complete configuration, handed on to the impersonation setup
     * @param session the JCR session used for content import and value creation
     * @param installationLogger receives messages about users being enabled or disabled
     * @throws RepositoryException if a repository operation fails
     * @throws IllegalStateException if {@code disabled} or {@code impersonationAllowedFor} is
     *         configured for a group
     */
    void setAuthorizableProperties(Authorizable authorizable, AuthorizableConfigBean authorizableConfigBean, AuthorizablesConfig authorizablesConfig, Session session, InstallationLogger installationLogger) throws RepositoryException {
        String profileContent = authorizableConfigBean.getProfileContent();
        if (StringUtils.isNotBlank(profileContent)) {
            ContentHelper.importContent(session, authorizable.getPath() + "/profile", profileContent);
        }
        String preferencesContent = authorizableConfigBean.getPreferencesContent();
        if (StringUtils.isNotBlank(preferencesContent)) {
            ContentHelper.importContent(session, authorizable.getPath() + "/preferences", preferencesContent);
        }
        String socialContent = authorizableConfigBean.getSocialContent();
        if (StringUtils.isNotBlank(socialContent)) {
            ContentHelper.importContent(session, authorizable.getPath() + "/social", socialContent);
        }

        ValueFactory valueFactory = session.getValueFactory();
        // Removal of unset properties only happens when no profile content was imported above.
        boolean noProfileContent = StringUtils.isBlank(profileContent);

        String name = authorizableConfigBean.getName();
        if (StringUtils.isNotBlank(name)) {
            if (authorizable.isGroup()) {
                authorizable.setProperty("profile/givenName", valueFactory.createValue(name));
            } else {
                String givenName;
                String familyName;
                if (name.contains(",")) {
                    // "Family, Given": the part before the comma is the family name
                    String[] parts = name.split("\\s*,\\s*", 2);
                    familyName = parts[0];
                    givenName = parts[1];
                } else {
                    // "Given Family": everything up to the last blank is the given name
                    givenName = StringUtils.substringBeforeLast(name, " ");
                    familyName = StringUtils.substringAfterLast(name, " ");
                }
                authorizable.setProperty("profile/givenName", valueFactory.createValue(givenName));
                authorizable.setProperty("profile/familyName", valueFactory.createValue(familyName));
            }
        } else if (noProfileContent) {
            authorizable.removeProperty("profile/givenName");
            authorizable.removeProperty("profile/familyName");
        }

        String email = authorizableConfigBean.getEmail();
        if (StringUtils.isNotBlank(email)) {
            authorizable.setProperty("profile/email", valueFactory.createValue(email));
        } else if (noProfileContent) {
            authorizable.removeProperty("profile/email");
        }

        String description = authorizableConfigBean.getDescription();
        if (StringUtils.isNotBlank(description)) {
            authorizable.setProperty("profile/aboutMe", valueFactory.createValue(description));
        } else if (noProfileContent) {
            authorizable.removeProperty("profile/aboutMe");
        }

        String disabled = authorizableConfigBean.getDisabled();
        if (StringUtils.isNotBlank(disabled)) {
            if (authorizable.isGroup()) {
                throw new IllegalStateException("Property 'disabled' cannot be set on groups");
            }
            // "false" -> enabled (null reason), "true" -> default reason, anything else is the reason text
            String disableReason;
            if (StringUtils.equalsIgnoreCase(disabled, "false")) {
                disableReason = null;
            } else if (StringUtils.equalsIgnoreCase(disabled, "true")) {
                disableReason = "User disabled by AC Tool";
            } else {
                disableReason = disabled;
            }
            User user = (User) authorizable;
            boolean currentlyDisabled = user.isDisabled();
            boolean shouldBeDisabled = disableReason != null;
            if (currentlyDisabled && !shouldBeDisabled) {
                installationLogger.addMessage(LOG, "Enabling user " + user.getID());
            } else if (!currentlyDisabled && shouldBeDisabled) {
                installationLogger.addMessage(LOG, "Disabling user " + user.getID() + " with reason: " + disableReason);
            }
            // User.disable(null) re-enables the user; a still-disabled user gets its reason re-applied
            if (currentlyDisabled || shouldBeDisabled) {
                user.disable(disableReason);
            }
        }

        List<String> impersonationAllowedFor = authorizableConfigBean.getImpersonationAllowedFor();
        if (impersonationAllowedFor != null) {
            if (authorizable.isGroup()) {
                throw new IllegalStateException("Property 'impersonationAllowedFor' cannot be set on groups");
            }
            this.impersonationInstallerService.setupImpersonation((User) authorizable, impersonationAllowedFor, authorizablesConfig, installationLogger);
        }
    }

    /**
     * Creates the user described by {@code authorizableConfigBean} (a system user or a regular user
     * with password and principal), then applies its properties and adds it to its configured groups.
     *
     * <p>Relative paths of system users are anchored below {@code system/} unless they are absolute
     * or already start with that prefix.
     *
     * @param authInstallerUserManager the user manager used to create the user
     * @param authorizablesConfig the complete configuration (needed for group membership and impersonation)
     * @param authorizableConfigBean the configuration of the user to create
     * @param installationLogger receives installation messages
     * @param session the JCR session
     * @return the newly created user
     * @throws AuthorizableExistsException if an authorizable with that id already exists
     * @throws RepositoryException if a repository operation fails
     * @throws AuthorizableCreatorException if the configured group membership is invalid
     */
    private Authorizable createNewUser(AuthInstallerUserManager authInstallerUserManager, AuthorizablesConfig authorizablesConfig, AuthorizableConfigBean authorizableConfigBean, InstallationLogger installationLogger, Session session) throws AuthorizableExistsException, RepositoryException, AuthorizableCreatorException {
        String authorizableId = authorizableConfigBean.getAuthorizableId();
        String password = getPassword(authorizableConfigBean);
        boolean isSystemUser = authorizableConfigBean.isSystemUser();
        String path = authorizableConfigBean.getPath();

        User user;
        if (isSystemUser) {
            String systemUserPath = path;
            if (path != null && !path.startsWith("/") && !path.startsWith("system/")) {
                systemUserPath = "system/" + path;
            }
            user = authInstallerUserManager.createSystemUser(authorizableId, systemUserPath);
        } else {
            user = authInstallerUserManager.createUser(authorizableId, password, new PrincipalImpl(authorizableId), path);
        }

        setAuthorizableProperties(user, authorizableConfigBean, authorizablesConfig, session, installationLogger);
        addMembersToReferencingAuthorizables(user, authorizablesConfig, authorizableConfigBean, authInstallerUserManager, session, installationLogger);
        return user;
    }

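    /**
     * Adds {@code authorizable} as a member of every group listed in the config bean's
     * {@code isMemberOf}. The group ids are validated first (see {@link #validateAssignedGroups}),
     * which also creates groups that are referenced but do not exist in the repository yet.
     *
     * <p>Nothing happens when the authorizable is {@code null} or no groups are configured.
     *
     * @param authorizable the user or group to add to the groups
     * @param authorizablesConfig the complete configuration, used to look up missing groups
     * @param authorizableConfigBean the configuration of {@code authorizable}
     * @param authInstallerUserManager the user manager used to resolve the groups
     * @param session the JCR session
     * @param installationLogger receives installation messages
     * @throws RepositoryException if a repository operation fails
     * @throws AuthorizableCreatorException if a configured group id is invalid
     */
    private void addMembersToReferencingAuthorizables(Authorizable authorizable, AuthorizablesConfig authorizablesConfig, AuthorizableConfigBean authorizableConfigBean, AuthInstallerUserManager authInstallerUserManager, Session session, InstallationLogger installationLogger) throws RepositoryException, AuthorizableCreatorException {
        String authorizableId = authorizableConfigBean.getAuthorizableId();
        String[] isMemberOf = authorizableConfigBean.getIsMemberOf();
        if (authorizable == null || isMemberOf == null || isMemberOf.length == 0) {
            return;
        }
        // typed set instead of the raw HashSet; validation may create missing groups as a side effect
        Set<String> assignedGroupIds = validateAssignedGroups(authInstallerUserManager, authorizablesConfig, session, authorizableId, new HashSet<>(Arrays.asList(isMemberOf)), installationLogger);
        if (assignedGroupIds.isEmpty()) {
            return;
        }
        LOG.debug("start adding {} to assignedGroups", authorizableId);
        for (String groupId : assignedGroupIds) {
            Group group = authInstallerUserManager.getAuthorizable(groupId);
            group.addMember(authorizable);
            LOG.debug("added to {} ", group);
        }
    }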

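    /**
     * Resolves the group ids configured as {@code isMemberOf} for the authorizable {@code str}.
     *
     * <p>Each id must either name an existing group in the repository or a group defined in the
     * AC Tool configuration; the latter is created on the spot so that the membership can be
     * established. An id that names the authorizable itself or an existing user is rejected.
     *
     * @param authInstallerUserManager the user manager used to look up and create groups
     * @param authorizablesConfig the complete configuration, used to find not yet existing groups
     * @param session the JCR session
     * @param str the id of the authorizable whose membership is being set up
     * @param set the group ids from the authorizable's {@code isMemberOf} configuration
     * @param installationLogger receives installation messages
     * @return the ids of the groups the authorizable may be added to (never {@code null})
     * @throws RepositoryException if a repository operation fails
     * @throws AuthorizableCreatorException if an id refers to the authorizable itself, to a user,
     *         or to a group that exists neither in the repository nor in the configuration
     */
    Set<String> validateAssignedGroups(AuthInstallerUserManager authInstallerUserManager, AuthorizablesConfig authorizablesConfig, Session session, String str, Set<String> set, InstallationLogger installationLogger) throws RepositoryException, AuthorizableCreatorException {
        Set<String> groupIds = new HashSet<>();
        for (String groupId : set) {
            if (StringUtils.equals(str, groupId)) {
                throw new AuthorizableCreatorException("Cannot add authorizable " + str + " as member of itself.");
            }
            Authorizable existing = authInstallerUserManager.getAuthorizable(groupId);
            if (existing == null) {
                // not in the repository: it must be defined in the config, then we create it now
                AuthorizableConfigBean groupConfig = authorizablesConfig.getAuthorizableConfig(groupId);
                if (groupConfig == null) {
                    throw new AuthorizableCreatorException("Invalid isMemberOf group '" + groupId + "' in config of '" + str + "': Neither found '" + groupId + "' as already existing group in repository nor in AC Tool config itself!");
                }
                groupIds.add(createNewGroup(authInstallerUserManager, authorizablesConfig, groupConfig, installationLogger, session).getID());
                LOG.info("Created group to be able to add {} to group {} ", str, groupId);
                continue;
            }
            if (!existing.isGroup()) {
                throw new AuthorizableCreatorException("Invalid isMemberOf in in config of '" + str + "': Cannot add '" + groupId + "' because it is a user and not a group!");
            }
            groupIds.add(existing.getID());
        }
        return groupIds;
    }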
}
