package org.alfresco.repo.security.authority;

import java.io.Serializable;
import java.util.Map;
import java.util.Optional;
import org.alfresco.model.ContentModel;
import org.alfresco.repo.node.NodeServicePolicies;
import org.alfresco.repo.policy.Behaviour;
import org.alfresco.repo.policy.JavaBehaviour;
import org.alfresco.repo.policy.PolicyComponent;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.security.permissions.AccessDeniedException;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.security.AuthorityService;
import org.alfresco.service.namespace.QName;
import org.alfresco.util.PropertyCheck;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.factory.InitializingBean;

/* loaded from: input_file:org/alfresco/repo/security/authority/AuthorityTypeBehaviour.class */
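/**
 * Node policy that restricts who may update the properties of authority nodes.
 *
 * <p>The behaviour is bound to {@code onUpdateProperties} for {@link ContentModel#TYPE_AUTHORITY}.
 * An update passes when one of the following holds, checked in this order:
 * <ol>
 *   <li>the caller is editing their own account: the {@code userName} property is present,
 *       unchanged by the update, and equal to the fully authenticated user;</li>
 *   <li>the code is running as the system user;</li>
 *   <li>the current user has admin authority.</li>
 * </ol>
 * Any other update is rejected with {@link AccessDeniedException}.
 *
 * <p>The own-account rule only pins {@code userName}; it does not restrict which other
 * properties a user changes on their own node.
 */
public class AuthorityTypeBehaviour implements NodeServicePolicies.OnUpdatePropertiesPolicy, InitializingBean {
    private static final Log logger = LogFactory.getLog(AuthorityTypeBehaviour.class);
    private static final String USERNAME_FIELD = "userName";
    /** Sentinel for "no usable user name found"; never treated as a match for any user. */
    private static final String INVALID_USERNAME_VALUE = "";
    private PolicyComponent policyComponent;
    private AuthorityService authorityService;

    /**
     * @param policyComponent component used by {@link #init()} to register this behaviour
     */
    public void setPolicyComponent(PolicyComponent policyComponent) {
        this.policyComponent = policyComponent;
    }

    /**
     * @param authorityService service consulted for the admin-authority check
     */
    public void setAuthorityService(AuthorityService authorityService) {
        this.authorityService = authorityService;
    }

    /**
     * Registers this object as the {@code onUpdateProperties} behaviour for
     * {@link ContentModel#TYPE_AUTHORITY}.
     */
    public void init() {
        this.policyComponent.bindClassBehaviour(
                QName.createQName("http://www.alfresco.org", "onUpdateProperties"),
                ContentModel.TYPE_AUTHORITY,
                new JavaBehaviour(this, "onUpdateProperties"));
    }

    /**
     * Rejects the property update unless the caller is editing their own account, is the
     * system user, or has admin authority.
     *
     * @param nodeRef the authority node being updated (used for the denial log only)
     * @param before  property values before the update
     * @param after   property values after the update
     * @throws AccessDeniedException when none of the three conditions holds
     */
    @Override // org.alfresco.repo.node.NodeServicePolicies.OnUpdatePropertiesPolicy
    public void onUpdateProperties(NodeRef nodeRef, Map<QName, Serializable> before, Map<QName, Serializable> after) {
        if (modifyingOwnAccount(before, after)) {
            return;
        }
        if (AuthenticationUtil.isRunAsUserTheSystemUser()) {
            return;
        }
        if (this.authorityService.hasAdminAuthority()) {
            return;
        }
        // A refused attempt to change an authority node is worth recording for detection and audit.
        logger.warn("Denied property update on authority node " + nodeRef
                + " for user " + AuthenticationUtil.getFullyAuthenticatedUser());
        throw new AccessDeniedException("Only users with ROLE_ADMINISTRATOR are allowed to manage users.");
    }

    /**
     * Tells whether the update touches the caller's own account.
     *
     * <p>Fails closed: a missing or null {@code userName} on the node never counts as the
     * caller's own account, whatever the authenticated user name is.
     *
     * @return {@code true} only when {@code userName} is present, identical in both maps and
     *         equal to the fully authenticated user
     */
    private boolean modifyingOwnAccount(Map<QName, Serializable> before, Map<QName, Serializable> after) {
        String previousUserName = findUsernameInProperties(before, USERNAME_FIELD, INVALID_USERNAME_VALUE);
        String updatedUserName = findUsernameInProperties(after, USERNAME_FIELD, INVALID_USERNAME_VALUE);
        if (INVALID_USERNAME_VALUE.equals(previousUserName) || !previousUserName.equals(updatedUserName)) {
            return false;
        }
        return previousUserName.equals(AuthenticationUtil.getFullyAuthenticatedUser());
    }

    /**
     * Returns the string value of the first property whose local name equals {@code localName}.
     *
     * <p>NOTE(review): the lookup ignores the namespace of the property key. A same-named
     * property from another namespace would also match, and which one is picked depends on
     * the map's iteration order. Comparing against the fully qualified name (for example
     * {@code ContentModel.PROP_USERNAME}) would remove that ambiguity; confirm that no caller
     * relies on the namespace-agnostic match before changing it.
     *
     * @param properties   property map to search; {@code null} yields {@code defaultValue}
     * @param localName    local name of the property to look for
     * @param defaultValue value returned when the property is absent or its value is null
     */
    private String findUsernameInProperties(Map<QName, Serializable> properties, String localName, String defaultValue) {
        if (properties == null) {
            return defaultValue;
        }
        return properties.entrySet().stream()
                .filter(entry -> entry.getKey().getLocalName().equals(localName))
                .findFirst()
                // Optional.map turns a null property value into an empty Optional, so a null
                // userName falls through to the default instead of throwing NullPointerException.
                .map(Map.Entry::getValue)
                .map(Object::toString)
                .orElse(defaultValue);
    }

    /**
     * Verifies that both collaborators were injected before the bean is used.
     */
    @Override
    public void afterPropertiesSet() throws Exception {
        PropertyCheck.mandatory(this, "policyComponent", this.policyComponent);
        PropertyCheck.mandatory(this, "authorityService", this.authorityService);
    }
}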
