package biz.netcentric.cq.tools.actool.validators.impl;

import biz.netcentric.cq.tools.actool.configmodel.AceBean;
import biz.netcentric.cq.tools.actool.configmodel.Restriction;
import biz.netcentric.cq.tools.actool.helper.AccessControlUtils;
import biz.netcentric.cq.tools.actool.validators.AceBeanValidator;
import biz.netcentric.cq.tools.actool.validators.Validators;
import biz.netcentric.cq.tools.actool.validators.exceptions.AcConfigBeanValidationException;
import biz.netcentric.cq.tools.actool.validators.exceptions.DoubledDefinedActionException;
import biz.netcentric.cq.tools.actool.validators.exceptions.DoubledDefinedJcrPrivilegeException;
import biz.netcentric.cq.tools.actool.validators.exceptions.InvalidActionException;
import biz.netcentric.cq.tools.actool.validators.exceptions.InvalidGroupNameException;
import biz.netcentric.cq.tools.actool.validators.exceptions.InvalidJcrPrivilegeException;
import biz.netcentric.cq.tools.actool.validators.exceptions.InvalidPathException;
import biz.netcentric.cq.tools.actool.validators.exceptions.InvalidPermissionException;
import biz.netcentric.cq.tools.actool.validators.exceptions.InvalidRepGlobException;
import biz.netcentric.cq.tools.actool.validators.exceptions.InvalidRestrictionsException;
import biz.netcentric.cq.tools.actool.validators.exceptions.NoActionOrPrivilegeDefinedException;
import biz.netcentric.cq.tools.actool.validators.exceptions.NoGroupDefinedException;
import biz.netcentric.cq.tools.actool.validators.exceptions.TooManyActionsException;
import com.day.cq.security.util.CqActions;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.jcr.AccessDeniedException;
import javax.jcr.RepositoryException;
import javax.jcr.security.AccessControlManager;
import org.apache.commons.lang.StringUtils;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:biz/netcentric/cq/tools/actool/validators/impl/AceBeanValidatorImpl.class */
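/**
 * Validates one {@link AceBean} (an access control entry read from configuration) before it is
 * installed: authorizable id, path, actions, privileges, permission and restrictions.
 *
 * <p>The validator keeps the bean under validation and a running bean counter in instance
 * fields and shows no synchronization, so one instance should not be shared between threads
 * without external coordination.
 *
 * <p>Security note: while the validator is disabled (see {@link #disable()}),
 * {@link #validate(AceBean, AccessControlManager)} returns {@code true} without performing any
 * check. A {@code true} result therefore only means "checked and valid" while the validator is
 * enabled.
 */
public class AceBeanValidatorImpl implements AceBeanValidator {
    private static final Logger LOG = LoggerFactory.getLogger(AceBeanValidatorImpl.class);

    // Bean currently being validated by the validate(...) entry point.
    private AceBean aceBean;
    // Authorizable ids declared in the configuration being processed; may be null when the
    // no-arg constructor was used and setGroupsFromCurrentConfig was never called.
    private Set<String> groupsFromCurrentConfig;
    // Number of the ACE definition within the current authorizable, used in error messages only.
    private long currentBeanCounter = 0;
    private boolean enabled = true;

    /**
     * Creates a validator that checks principals against the given set of authorizable ids.
     *
     * @param set authorizable ids defined in the current configuration
     */
    public AceBeanValidatorImpl(Set<String> set) {
        this.groupsFromCurrentConfig = set;
    }

    /**
     * Creates a validator without a group set; callers are expected to provide one through
     * {@link #setGroupsFromCurrentConfig(Set)} before validating.
     */
    public AceBeanValidatorImpl() {
    }

    /**
     * Validates the given bean, or accepts it unchecked when the validator is disabled.
     *
     * @param aceBean the ACE definition to validate
     * @param accessControlManager manager used to check privileges and restrictions
     * @return {@code true} if the bean passed validation or validation is disabled
     * @throws AcConfigBeanValidationException if any individual check fails
     */
    @Override
    public boolean validate(AceBean aceBean, AccessControlManager accessControlManager) throws AcConfigBeanValidationException {
        if (!this.enabled) {
            // No check is performed at all in this state.
            return true;
        }
        this.aceBean = aceBean;
        return validate(accessControlManager);
    }

    /**
     * Runs all checks against the bean stored in {@link #aceBean}.
     *
     * @throws NoActionOrPrivilegeDefinedException if the bean defines neither actions,
     *         privileges nor initial content
     */
    private boolean validate(AccessControlManager accessControlManager) throws AcConfigBeanValidationException {
        final AceBean bean = this.aceBean;
        if (bean.isInitialContentOnlyConfig()) {
            // Initial-content-only entries carry no ACE to validate and are not counted.
            return true;
        }
        this.currentBeanCounter++;
        validateAuthorizableId(this.groupsFromCurrentConfig, bean);
        validateAcePath(bean);
        // Both calls must run (no short-circuit): each normalizes its part of the bean.
        boolean hasActions = validateActions(bean);
        boolean hasPrivileges = validatePrivileges(bean, accessControlManager);
        validatePermission(bean);
        boolean hasInitialContent = StringUtils.isNotBlank(bean.getInitialContent());
        if (hasActions || hasPrivileges || hasInitialContent) {
            validateRestrictions(bean, accessControlManager);
            return true;
        }
        String message = getBeanDescription(this.currentBeanCounter, bean.getPrincipalName())
                + ", no actions or privileges defined! Installation aborted!";
        LOG.error(message);
        throw new NoActionOrPrivilegeDefinedException(message);
    }

    /**
     * Checks that every restriction named on the bean is supported by the repository.
     *
     * @param aceBean the ACE definition whose restrictions are checked
     * @param accessControlManager manager used to look up the supported restriction names
     * @return {@code true} if there are no restrictions or all of them are supported
     * @throws InvalidRepGlobException if the supported restriction names cannot be read
     * @throws InvalidRestrictionsException if at least one restriction is not supported
     */
    @Override
    public boolean validateRestrictions(AceBean aceBean, AccessControlManager accessControlManager) throws InvalidRepGlobException, InvalidRestrictionsException {
        List<Restriction> restrictions = aceBean.getRestrictions();
        if (restrictions.isEmpty()) {
            return true;
        }
        Set<String> requested = new HashSet<String>();
        for (Restriction restriction : restrictions) {
            requested.add(restriction.getName());
        }
        // Use the bean passed in, not the instance field: this method is public and may be
        // called for a bean other than the one last handed to validate(...)/setBean(...).
        Set<String> supported = getSupportedRestrictions(accessControlManager, aceBean.getJcrPath());
        if (supported.containsAll(requested)) {
            return true;
        }
        requested.removeAll(supported);
        throw new InvalidRestrictionsException(getBeanDescription(this.currentBeanCounter, aceBean.getPrincipalName())
                + ",  this repository doesn't support following restriction(s): " + requested);
    }

    /**
     * Reads the restriction names the repository supports for the given path.
     *
     * @throws InvalidRepGlobException if no ACL is available or the repository call fails
     */
    private Set<String> getSupportedRestrictions(AccessControlManager accessControlManager, String jcrPath) throws InvalidRepGlobException {
        String failure = "Could not get restriction names from ACL of path: " + jcrPath;
        try {
            JackrabbitAccessControlList acl = getJackrabbitAccessControlList(accessControlManager, jcrPath);
            if (acl == null) {
                // Neither the bean's path nor the root yielded an ACL; fail validation
                // explicitly instead of with a NullPointerException.
                LOG.error(failure);
                throw new InvalidRepGlobException(failure);
            }
            return new HashSet<String>(Arrays.asList(acl.getRestrictionNames()));
        } catch (RepositoryException e) {
            // The exception thrown below carries only the message, so log the cause here
            // to keep the underlying repository error diagnosable.
            LOG.error(failure, e);
            throw new InvalidRepGlobException(failure);
        }
    }

    /**
     * Returns a modifiable ACL used only to query restriction names. Falls back to the root
     * node's ACL when the path is missing, contains a {@code *} wildcard, or has no
     * modifiable ACL.
     */
    private JackrabbitAccessControlList getJackrabbitAccessControlList(AccessControlManager accessControlManager, String jcrPath) throws RepositoryException, AccessDeniedException {
        JackrabbitAccessControlList acl = null;
        if (jcrPath != null && !jcrPath.contains("*")) {
            acl = AccessControlUtils.getModifiableAcl(accessControlManager, jcrPath);
        }
        if (acl == null) {
            acl = AccessControlUtils.getModifiableAcl(accessControlManager, "/");
        }
        return acl;
    }

    /**
     * Checks the bean's permission value. A blank permission is accepted only when the bean
     * defines initial content.
     *
     * @param aceBean the ACE definition to check
     * @return {@code true} if the permission is acceptable
     * @throws InvalidPermissionException if the permission is not valid
     */
    @Override
    public boolean validatePermission(AceBean aceBean) throws InvalidPermissionException {
        String permission = aceBean.getPermission();
        // Read the initial content from the bean passed in rather than from the instance
        // field, which may be null or refer to a different bean when this public method is
        // called directly.
        if (StringUtils.isNotBlank(aceBean.getInitialContent()) && StringUtils.isBlank(permission)) {
            return true;
        }
        if (!Validators.isValidPermission(permission)) {
            String message = getBeanDescription(this.currentBeanCounter, aceBean.getPrincipalName())
                    + ", invalid permission: '" + permission + "'";
            LOG.error(message);
            throw new InvalidPermissionException(message);
        }
        aceBean.setPermission(permission);
        return true;
    }

    /**
     * Parses the comma-separated actions string, validates each action, rejects duplicates
     * and stores the stripped actions on the bean.
     *
     * @param aceBean the ACE definition to check
     * @return {@code true} if actions were defined and valid, {@code false} if none are defined
     * @throws InvalidActionException if an action is not valid
     * @throws TooManyActionsException if more actions are listed than {@code CqActions.ACTIONS} holds
     * @throws DoubledDefinedActionException if an action is listed twice
     */
    @Override
    public boolean validateActions(AceBean aceBean) throws InvalidActionException, TooManyActionsException, DoubledDefinedActionException {
        String principalName = aceBean.getPrincipalName();
        String actionsString = aceBean.getActionsStringFromConfig();
        if (StringUtils.isBlank(actionsString)) {
            return false;
        }
        String[] actions = actionsString.split(",");
        if (actions.length > CqActions.ACTIONS.length) {
            String message = getBeanDescription(this.currentBeanCounter, principalName) + " too many actions defined!";
            LOG.error(message);
            throw new TooManyActionsException(message);
        }
        Set<String> seen = new HashSet<String>();
        for (int i = 0; i < actions.length; i++) {
            // Stripped in place: the normalized array is what gets stored on the bean below.
            actions[i] = StringUtils.strip(actions[i]);
            if (!Validators.isValidAction(actions[i])) {
                String message = getBeanDescription(this.currentBeanCounter, principalName) + ", invalid action: " + actions[i];
                LOG.error(message);
                throw new InvalidActionException(message);
            }
            if (!seen.add(actions[i])) {
                String message = getBeanDescription(this.currentBeanCounter, principalName) + ", doubled defined action: " + actions[i];
                LOG.error(message);
                throw new DoubledDefinedActionException(message);
            }
        }
        aceBean.setActions(actions);
        return true;
    }

    /**
     * Parses the comma-separated privileges string, validates each privilege against the
     * repository and rejects duplicates.
     *
     * @param aceBean the ACE definition to check
     * @param accessControlManager manager used to validate privilege names
     * @return {@code true} if privileges were defined and valid, {@code false} if none are defined
     * @throws InvalidJcrPrivilegeException if a privilege is not valid
     * @throws DoubledDefinedJcrPrivilegeException if a privilege is listed twice
     */
    @Override
    public boolean validatePrivileges(AceBean aceBean, AccessControlManager accessControlManager) throws InvalidJcrPrivilegeException, DoubledDefinedJcrPrivilegeException {
        String privilegesString = aceBean.getPrivilegesString();
        String principalName = aceBean.getPrincipalName();
        if (StringUtils.isBlank(privilegesString)) {
            return false;
        }
        String[] privileges = privilegesString.split(",");
        Set<String> seen = new HashSet<String>();
        for (int i = 0; i < privileges.length; i++) {
            privileges[i] = StringUtils.strip(privileges[i]);
            if (!Validators.isValidJcrPrivilege(privileges[i], accessControlManager)) {
                String message = getBeanDescription(this.currentBeanCounter, principalName) + ",  invalid jcr privilege: " + privileges[i];
                LOG.error(message);
                throw new InvalidJcrPrivilegeException(message);
            }
            if (!seen.add(privileges[i])) {
                String message = getBeanDescription(this.currentBeanCounter, principalName) + ", doubled defined jcr privilege: " + privileges[i];
                LOG.error(message);
                throw new DoubledDefinedJcrPrivilegeException(message);
            }
        }
        // The original, unstripped string is written back unchanged.
        aceBean.setPrivilegesString(privilegesString);
        return true;
    }

    /**
     * Checks that the bean's JCR path is a valid node path.
     *
     * @param aceBean the ACE definition to check
     * @return {@code true} if the path is valid
     * @throws InvalidPathException if the path is not valid
     */
    @Override
    public boolean validateAcePath(AceBean aceBean) throws InvalidPathException {
        String jcrPath = aceBean.getJcrPath();
        if (!Validators.isValidNodePath(jcrPath)) {
            String message = getBeanDescription(this.currentBeanCounter, aceBean.getPrincipalName()) + ", invalid path: " + jcrPath;
            LOG.error(message);
            throw new InvalidPathException(message);
        }
        aceBean.setJcrPath(jcrPath);
        return true;
    }

    /**
     * Checks that the bean's principal name is a valid authorizable id and is declared in the
     * group configuration.
     *
     * @param set authorizable ids defined in the current configuration; {@code null} is
     *        treated as "no group defined"
     * @param aceBean the ACE definition to check
     * @return {@code true} if the principal is valid and declared
     * @throws InvalidGroupNameException if the principal name is not a valid authorizable id
     * @throws NoGroupDefinedException if the principal is not part of {@code set}
     */
    @Override
    public boolean validateAuthorizableId(Set<String> set, AceBean aceBean) throws NoGroupDefinedException, InvalidGroupNameException {
        String principalName = aceBean.getPrincipalName();
        if (!Validators.isValidAuthorizableId(principalName)) {
            // The description already ends with the principal name; do not append it a
            // second time before the detail text.
            String message = getBeanDescription(this.currentBeanCounter, principalName)
                    + ", invalid authorizable name: " + principalName;
            LOG.error(message);
            throw new InvalidGroupNameException(message);
        }
        // Fail closed with the declared validation exception when no group set was supplied
        // (no-arg constructor without setGroupsFromCurrentConfig) instead of a
        // NullPointerException.
        if (set == null || !set.contains(principalName)) {
            throw new NoGroupDefinedException(getBeanDescription(this.currentBeanCounter, principalName)
                    + " is not defined in group configuration");
        }
        aceBean.setPrincipal(principalName);
        return true;
    }

    /** Sets the bean that {@link #validate(AceBean, AccessControlManager)} would otherwise set. */
    @Override
    public void setBean(AceBean aceBean) {
        this.aceBean = aceBean;
    }

    /** Replaces the set of authorizable ids that principals are checked against. */
    @Override
    public void setGroupsFromCurrentConfig(Set<String> set) {
        this.groupsFromCurrentConfig = set;
    }

    /** Overrides the bean counter used in error messages. */
    @Override
    public void setBeanCounter(long j) {
        this.currentBeanCounter = j;
    }

    /**
     * Builds the common prefix of all validation error messages. Both values are embedded
     * verbatim; the authorizable name may be one that has just failed validation.
     */
    private String getBeanDescription(long j, String str) {
        return "Validation error while reading ACE definition nr." + j + " of authorizable: " + str;
    }

    /**
     * Marks the start of a new authorizable: resets the bean counter. Does nothing while the
     * validator is disabled.
     */
    @Override
    public void setCurrentAuthorizableName(String str) {
        if (!this.enabled) {
            return;
        }
        LOG.debug("Start validation of ACEs for authorizable: {}", str);
        this.currentBeanCounter = 0L;
    }

    /** Turns validation on (the default). */
    @Override
    public void enable() {
        this.enabled = true;
    }

    /**
     * Turns validation off; {@link #validate(AceBean, AccessControlManager)} then accepts
     * every bean without checking it.
     */
    @Override
    public void disable() {
        this.enabled = false;
    }
}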
