package biz.netcentric.cq.tools.actool.dumpservice.impl;

import biz.netcentric.cq.tools.actool.authorizableutils.impl.AuthorizableCreatorServiceImpl;
import biz.netcentric.cq.tools.actool.authorizableutils.impl.PrincipalImpl;
import biz.netcentric.cq.tools.actool.comparators.AcePathComparator;
import biz.netcentric.cq.tools.actool.comparators.AcePermissionComparator;
import biz.netcentric.cq.tools.actool.comparators.AuthorizableBeanIDComparator;
import biz.netcentric.cq.tools.actool.comparators.JcrCreatedComparator;
import biz.netcentric.cq.tools.actool.configmodel.AceBean;
import biz.netcentric.cq.tools.actool.configmodel.AuthorizableConfigBean;
import biz.netcentric.cq.tools.actool.dumpservice.AcDumpElementYamlVisitor;
import biz.netcentric.cq.tools.actool.dumpservice.AceDumpData;
import biz.netcentric.cq.tools.actool.dumpservice.CompleteAcDump;
import biz.netcentric.cq.tools.actool.dumpservice.Dumpservice;
import biz.netcentric.cq.tools.actool.dumpservice.MapKey;
import biz.netcentric.cq.tools.actool.helper.AcHelper;
import biz.netcentric.cq.tools.actool.helper.AccessControlUtils;
import biz.netcentric.cq.tools.actool.helper.AceWrapper;
import biz.netcentric.cq.tools.actool.helper.AclBean;
import biz.netcentric.cq.tools.actool.helper.QueryHelper;
import biz.netcentric.cq.tools.actool.installationhistory.impl.HistoryUtils;
import java.io.IOException;
import java.util.AbstractSet;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;
import javax.jcr.AccessDeniedException;
import javax.jcr.ItemExistsException;
import javax.jcr.ItemNotFoundException;
import javax.jcr.Node;
import javax.jcr.NodeIterator;
import javax.jcr.PathNotFoundException;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.UnsupportedRepositoryOperationException;
import javax.jcr.ValueFormatException;
import javax.jcr.lock.LockException;
import javax.jcr.nodetype.ConstraintViolationException;
import javax.jcr.nodetype.NoSuchNodeTypeException;
import javax.jcr.version.VersionException;
import javax.servlet.ServletOutputStream;
import org.apache.commons.lang.StringUtils;
import org.apache.felix.scr.annotations.Activate;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Modified;
import org.apache.felix.scr.annotations.Properties;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.Service;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.Query;
import org.apache.jackrabbit.api.security.user.QueryBuilder;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.apache.sling.commons.osgi.PropertiesUtil;
import org.apache.sling.jcr.api.SlingRepository;
import org.osgi.service.component.ComponentContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Service
@Component(metatype = true, label = "AC Dump Service", description = "Service that creates dumps of the current AC configurations (groups&ACEs)")
@Properties({@Property(label = "Number of dumps to save", name = DumpserviceImpl.DUMP_SERVICE_NR_OF_SAVED_DUMPS, value = {"5"}, description = "number of last dumps which get saved in CRX under /var/statistics/achistory"), @Property(label = "Include user ACEs in dumps", name = DumpserviceImpl.DUMP_INCLUDE_USERS, boolValue = {false}, description = "if selected, also user based ACEs (and their respective users) get added to dumps"), @Property(label = "AC query exclude paths", name = DumpserviceImpl.DUMP_SERVICE_EXCLUDE_PATHS_PATH, value = {"/home", "/jcr:system", "/tmp"}, description = "direct children of jcr:root which get excluded from all dumps (also from internal dumps)")})
/* loaded from: input_file:biz/netcentric/cq/tools/actool/dumpservice/impl/DumpserviceImpl.class */
public class DumpserviceImpl implements Dumpservice {
    private static final Logger LOG = LoggerFactory.getLogger(DumpserviceImpl.class);
    private static final String DUMP_FILE_EXTENSION = ".yaml";
    private static final String DUMP_NODE_PREFIX = "dump_";
    public static final int PRINCIPAL_BASED_SORTING = 1;
    public static final int PATH_BASED_SORTING = 2;
    public static final int DENY_ALLOW_ACL_SORTING = 1;
    public static final int NO_ACL_SORTING = 2;
    protected static final int NR_OF_DUMPS_TO_SAVE_DEFAULT = 5;
    static final String DUMP_SERVICE_EXCLUDE_PATHS_PATH = "DumpService.queryExcludePaths";
    static final String DUMP_SERVICE_NR_OF_SAVED_DUMPS = "DumpService.nrOfSavedDumps";
    static final String DUMP_INCLUDE_USERS = "DumpService.includeUsers";
    private String[] queryExcludePaths;
    private int nrOfSavedDumps;
    private boolean includeUsersInDumps = false;

    @Reference
    private SlingRepository repository;

    @Reference
    private ResourceResolverFactory resourceResolverFactory;

    @Activate
    public void activate(Map map, ComponentContext componentContext) throws Exception {
        updateProperties(map, componentContext);
    }

    @Modified
    public void modified(Map map, ComponentContext componentContext) throws Exception {
        updateProperties(map, componentContext);
    }

    private void updateProperties(Map map, ComponentContext componentContext) {
        this.queryExcludePaths = PropertiesUtil.toStringArray(map.get(DUMP_SERVICE_EXCLUDE_PATHS_PATH), (String[]) null);
        this.nrOfSavedDumps = PropertiesUtil.toInteger(map.get(DUMP_SERVICE_NR_OF_SAVED_DUMPS), 5);
        this.includeUsersInDumps = PropertiesUtil.toBoolean(map.get(DUMP_INCLUDE_USERS), false);
    }

    @Override // biz.netcentric.cq.tools.actool.dumpservice.Dumpservice
    public boolean isIncludeUsers() {
        return this.includeUsersInDumps;
    }

    @Override // biz.netcentric.cq.tools.actool.dumpservice.Dumpservice
    public String[] getQueryExcludePaths() {
        return this.queryExcludePaths;
    }

    @Override // biz.netcentric.cq.tools.actool.dumpservice.Dumpservice
    public String getCompletePathBasedDumpsAsString() {
        String completeDump = getCompleteDump(AcHelper.PATH_BASED_ORDER, AcHelper.ACE_ORDER_NONE);
        persistDump(completeDump);
        return completeDump;
    }

    @Override // biz.netcentric.cq.tools.actool.dumpservice.Dumpservice
    public String getCompletePrincipalBasedDumpsAsString() {
        String completeDump = getCompleteDump(AcHelper.PRINCIPAL_BASED_ORDER, AcHelper.ACE_ORDER_ACTOOL_BEST_PRACTICE);
        persistDump(completeDump);
        return completeDump;
    }

    private void persistDump(String str) {
        Session session = null;
        try {
            try {
                session = this.repository.loginAdministrative((String) null);
                createTransientDumpNode(str, HistoryUtils.getAcHistoryRootNode(session));
                session.save();
                if (session != null) {
                    session.logout();
                }
            } catch (RepositoryException e) {
                LOG.error("RepositoryException: {}", e);
                if (session != null) {
                    session.logout();
                }
            }
        } catch (Throwable th) {
            if (session != null) {
                session.logout();
            }
            throw th;
        }
    }

    private void createTransientDumpNode(String str, Node node) throws ItemExistsException, PathNotFoundException, NoSuchNodeTypeException, LockException, VersionException, ConstraintViolationException, RepositoryException, ValueFormatException {
        NodeIterator nodes = node.getNodes();
        TreeSet treeSet = new TreeSet(new JcrCreatedComparator());
        Node node2 = null;
        while (nodes.hasNext()) {
            Node nextNode = nodes.nextNode();
            if (nextNode.getName().startsWith(DUMP_NODE_PREFIX)) {
                treeSet.add(nextNode);
            }
        }
        if (!treeSet.isEmpty()) {
            node2 = (Node) treeSet.first();
        }
        if (treeSet.size() > this.nrOfSavedDumps - 1) {
            ((Node) treeSet.last()).remove();
        }
        Node newDumpNode = getNewDumpNode(str, node);
        if (node2 != null) {
            node.orderBefore(newDumpNode.getName(), node2.getName());
        }
    }

    private Node getNewDumpNode(String str, Node node) throws ItemExistsException, PathNotFoundException, NoSuchNodeTypeException, LockException, VersionException, ConstraintViolationException, RepositoryException, ValueFormatException {
        Node addNode = node.addNode(DUMP_NODE_PREFIX + System.currentTimeMillis() + DUMP_FILE_EXTENSION, "nt:file");
        Node addNode2 = addNode.addNode("jcr:content", "nt:resource");
        addNode2.setProperty("jcr:mimeType", "text/plain");
        addNode2.setProperty("jcr:encoding", "utf-8");
        addNode2.setProperty("jcr:data", str);
        return addNode;
    }

    private String getCompleteDump(int i, int i2) {
        Session session = null;
        LOG.info("Starting to create dump for " + (i == AcHelper.PRINCIPAL_BASED_ORDER ? "PRINCIPAL_BASED_ORDER" : "PATH_BASED_ORDER"));
        try {
            try {
                try {
                    AceDumpData createAclDumpMap = createAclDumpMap(i, AcHelper.ACE_ORDER_ACTOOL_BEST_PRACTICE, this.queryExcludePaths);
                    Map<String, Set<AceBean>> aceDump = createAclDumpMap.getAceDump();
                    session = this.repository.loginAdministrative((String) null);
                    String configurationDumpAsString = getConfigurationDumpAsString(createAclDumpMap, getGroupBeans(session), getUserBeans(getUsersFromAces(i, session, aceDump)), i2);
                    if (session != null) {
                        session.logout();
                    }
                    return configurationDumpAsString;
                } catch (IOException e) {
                    LOG.error("IOException in AceServiceImpl: {}", e);
                    if (session == null) {
                        return null;
                    }
                    session.logout();
                    return null;
                }
            } catch (IllegalStateException e2) {
                LOG.error("IllegalStateException in DumpServiceImpl: {}", e2);
                if (session == null) {
                    return null;
                }
                session.logout();
                return null;
            } catch (RepositoryException e3) {
                LOG.error("RepositoryException in AceServiceImpl: {}", e3);
                if (session == null) {
                    return null;
                }
                session.logout();
                return null;
            }
        } catch (Throwable th) {
            if (session != null) {
                session.logout();
            }
            throw th;
        }
    }

    private Set<User> getUsersFromAces(int i, Session session, Map<String, Set<AceBean>> map) throws AccessDeniedException, UnsupportedRepositoryOperationException, RepositoryException {
        HashSet hashSet = new HashSet();
        UserManager userManager = ((JackrabbitSession) session).getUserManager();
        if (i == 1) {
            new HashSet();
            Iterator<String> it = map.keySet().iterator();
            while (it.hasNext()) {
                User authorizable = userManager.getAuthorizable(new PrincipalImpl(it.next()));
                if (!authorizable.isGroup()) {
                    hashSet.add(authorizable);
                }
            }
        } else if (i == 2) {
            Iterator<Map.Entry<String, Set<AceBean>>> it2 = map.entrySet().iterator();
            while (it2.hasNext()) {
                Iterator<AceBean> it3 = it2.next().getValue().iterator();
                while (it3.hasNext()) {
                    User authorizable2 = userManager.getAuthorizable(it3.next().getPrincipalName());
                    if (!authorizable2.isGroup()) {
                        hashSet.add(authorizable2);
                    }
                }
            }
        }
        return hashSet;
    }

    @Override // biz.netcentric.cq.tools.actool.dumpservice.Dumpservice
    public String getConfigurationDumpAsString(AceDumpData aceDumpData, Set<AuthorizableConfigBean> set, Set<AuthorizableConfigBean> set2, int i) throws IOException {
        StringBuilder sb = new StringBuilder(20000);
        new CompleteAcDump(aceDumpData, set, set2, i, "Dump created: " + new Date(), this).accept(new AcDumpElementYamlVisitor(i, sb));
        return sb.toString();
    }

    @Override // biz.netcentric.cq.tools.actool.dumpservice.Dumpservice
    public Set<AclBean> getACLDumpBeans(Session session) throws RepositoryException {
        List<String> asList = Arrays.asList(this.queryExcludePaths);
        for (String str : asList) {
            try {
                if (!session.itemExists(str)) {
                    LOG.error("Query exclude path: {} doesn't exist in repository! AccessControl installation aborted! Check exclude paths in OSGi configuration of AceService!", str);
                    throw new IllegalArgumentException("Query exclude path: " + str + " doesn't exist in repository! AccessControl installation aborted! Check exclude paths in OSGi configuration of AceService!");
                }
            } catch (RepositoryException e) {
                LOG.error("RepositoryException: {}", e);
                throw e;
            }
        }
        Set<Node> repPolicyNodes = QueryHelper.getRepPolicyNodes(session, asList);
        LinkedHashSet linkedHashSet = new LinkedHashSet();
        for (Node node : repPolicyNodes) {
            try {
                linkedHashSet.add(new AclBean(AccessControlUtils.getAccessControlList(session, node.getParent().getPath()), node.getParent().getPath()));
            } catch (RepositoryException e2) {
                LOG.error("RepositoryException: {}", e2);
            } catch (ItemNotFoundException e3) {
                LOG.error("ItemNotFoundException: {}", e3);
            } catch (AccessDeniedException e4) {
                LOG.error("AccessDeniedException: {}", e4);
            }
        }
        return linkedHashSet;
    }

    public AceDumpData createAclDumpMap(int i, int i2, String[] strArr) throws ValueFormatException, IllegalArgumentException, IllegalStateException, RepositoryException {
        return createAclDumpMap(i, i2, strArr, this.includeUsersInDumps);
    }

    @Override // biz.netcentric.cq.tools.actool.dumpservice.Dumpservice
    public AceDumpData createAclDumpMap(int i, int i2, String[] strArr, boolean z) throws RepositoryException {
        Session session = null;
        try {
            JackrabbitSession loginAdministrative = this.repository.loginAdministrative((String) null);
            AceDumpData aceDumpData = new AceDumpData();
            UserManager userManager = loginAdministrative.getUserManager();
            TreeMap treeMap = null;
            TreeMap treeMap2 = new TreeMap();
            if (i == AcHelper.PRINCIPAL_BASED_ORDER) {
                treeMap = new TreeMap();
            } else if (i == AcHelper.PATH_BASED_ORDER) {
                treeMap = new TreeMap();
            }
            for (AclBean aclBean : getACLDumpBeans(loginAdministrative)) {
                if (aclBean.getAcl() != null) {
                    boolean z2 = false;
                    for (JackrabbitAccessControlEntry jackrabbitAccessControlEntry : aclBean.getAcl().getAccessControlEntries()) {
                        if (!(jackrabbitAccessControlEntry instanceof JackrabbitAccessControlEntry)) {
                            throw new IllegalStateException("AC entry is not a JackrabbitAccessControlEntry: " + jackrabbitAccessControlEntry);
                        }
                        AceBean aceBean = AcHelper.getAceBean(new AceWrapper(jackrabbitAccessControlEntry, aclBean.getJcrPath()));
                        if (aceBean.isAllow()) {
                            z2 = true;
                        } else if (z2 && !aceBean.isAllow()) {
                            aceBean.setKeepOrder(true);
                        }
                        Authorizable authorizable = userManager.getAuthorizable(new PrincipalImpl(aceBean.getPrincipalName()));
                        if (authorizable == null) {
                            addBeanToMap(i, i2, treeMap2, aceBean);
                        } else if (authorizable.isGroup() || z) {
                            addBeanToMap(i, i2, treeMap, aceBean);
                        }
                    }
                }
            }
            aceDumpData.setAceDump(treeMap);
            aceDumpData.setLegacyAceDump(treeMap2);
            if (loginAdministrative != null) {
                loginAdministrative.logout();
            }
            return aceDumpData;
        } catch (Throwable th) {
            if (0 != 0) {
                session.logout();
            }
            throw th;
        }
    }

    private void addBeanToMap(int i, int i2, Map<String, Set<AceBean>> map, AceBean aceBean) {
        if (i == AcHelper.PRINCIPAL_BASED_ORDER) {
            String principalName = aceBean.getPrincipalName();
            if (map.containsKey(principalName)) {
                map.get(principalName).add(aceBean);
                return;
            }
            Set<AceBean> newAceSet = getNewAceSet(i2);
            newAceSet.add(aceBean);
            map.put(principalName, newAceSet);
            return;
        }
        if (i == AcHelper.PATH_BASED_ORDER) {
            String jcrPath = aceBean.getJcrPath();
            if (map.containsKey(jcrPath)) {
                map.get(jcrPath).add(aceBean);
                return;
            }
            Set<AceBean> newAceSet2 = getNewAceSet(i2);
            newAceSet2.add(aceBean);
            map.put(jcrPath, newAceSet2);
        }
    }

    private String getIntermediatePath(String str) {
        return StringUtils.substringBeforeLast(str, "/");
    }

    public void returnAuthorizableDumpAsFile(SlingHttpServletResponse slingHttpServletResponse, Set<AuthorizableConfigBean> set) throws IOException {
        slingHttpServletResponse.setContentType("application/octet-stream");
        ServletOutputStream servletOutputStream = null;
        try {
            servletOutputStream = slingHttpServletResponse.getOutputStream();
        } catch (IOException e) {
            LOG.error("Exception in AuthorizableDumpUtils: {}", e);
        }
        slingHttpServletResponse.setHeader("Content-Disposition", "attachment; filename=\"" + ("Authorizable_Dump_" + new Date(System.currentTimeMillis())) + "\"");
        try {
            writeAuthorizableConfigToStream(set, servletOutputStream);
        } catch (IOException e2) {
            LOG.error("Exception in AuthorizableDumpUtils: {}", e2);
        }
        servletOutputStream.close();
    }

    public void writeAuthorizableConfigToStream(Set<AuthorizableConfigBean> set, ServletOutputStream servletOutputStream) throws IOException {
        servletOutputStream.println("- group_config:");
        servletOutputStream.println();
        for (AuthorizableConfigBean authorizableConfigBean : set) {
            servletOutputStream.println(AcHelper.getBlankString(4) + "- " + authorizableConfigBean.getPrincipalID() + MapKey.YAML_MAP_KEY_SUFFIX);
            servletOutputStream.println();
            servletOutputStream.println(AcHelper.getBlankString(7) + "- name: ");
            servletOutputStream.println(AcHelper.getBlankString(9) + "memberOf: " + authorizableConfigBean.getMemberOfString());
            servletOutputStream.println(AcHelper.getBlankString(9) + "path: " + authorizableConfigBean.getPath());
            servletOutputStream.println(AcHelper.getBlankString(9) + "isGroup: '" + authorizableConfigBean.isGroup() + "'");
            servletOutputStream.println();
        }
    }

    public Set<AuthorizableConfigBean> getUserBeans(Set<User> set) throws RepositoryException, UnsupportedRepositoryOperationException {
        TreeSet treeSet = new TreeSet(new AuthorizableBeanIDComparator());
        if (!set.isEmpty()) {
            for (User user : set) {
                AuthorizableConfigBean authorizableConfigBean = new AuthorizableConfigBean();
                authorizableConfigBean.setPrincipalID(user.getID());
                String str = AcHelper.valuesToString(user.getProperty("profile/givenName")) + " " + AcHelper.valuesToString(user.getProperty("profile/familyName"));
                if (StringUtils.isBlank(str)) {
                    str = user.getID();
                }
                authorizableConfigBean.setName(str);
                authorizableConfigBean.setPath(getIntermediatePath(user.getPath()));
                authorizableConfigBean.setIsGroup(false);
                new HashSet();
                addDeclaredMembers(user, authorizableConfigBean);
                treeSet.add(authorizableConfigBean);
            }
        }
        return treeSet;
    }

    @Override // biz.netcentric.cq.tools.actool.dumpservice.Dumpservice
    public Set<AuthorizableConfigBean> getGroupBeans(Session session) throws AccessDeniedException, UnsupportedRepositoryOperationException, RepositoryException {
        UserManager userManager = ((JackrabbitSession) session).getUserManager();
        LinkedHashSet linkedHashSet = new LinkedHashSet();
        Iterator findAuthorizables = userManager.findAuthorizables(new Query() { // from class: biz.netcentric.cq.tools.actool.dumpservice.impl.DumpserviceImpl.1
            public void build(QueryBuilder queryBuilder) {
                queryBuilder.setSortOrder("@rep:principalName", QueryBuilder.Direction.ASCENDING);
                queryBuilder.setSelector(Group.class);
            }
        });
        while (findAuthorizables.hasNext()) {
            Group group = (Group) findAuthorizables.next();
            if (group != null) {
                AuthorizableConfigBean authorizableConfigBean = new AuthorizableConfigBean();
                authorizableConfigBean.setPrincipalID(group.getID());
                authorizableConfigBean.setName(StringUtils.defaultIfEmpty(AcHelper.valuesToString(group.getProperty("profile/givenName")), group.getID()));
                if (group.hasProperty(AuthorizableCreatorServiceImpl.REP_EXTERNAL_ID)) {
                    authorizableConfigBean.setExternalId(AcHelper.valuesToString(group.getProperty(AuthorizableCreatorServiceImpl.REP_EXTERNAL_ID)));
                }
                addDeclaredMembers(group, authorizableConfigBean);
                authorizableConfigBean.setIsGroup(group.isGroup());
                authorizableConfigBean.setPath(getIntermediatePath(group.getPath()));
                linkedHashSet.add(authorizableConfigBean);
            } else {
                LOG.debug("group is null !");
            }
        }
        return linkedHashSet;
    }

    private void addDeclaredMembers(Authorizable authorizable, AuthorizableConfigBean authorizableConfigBean) throws RepositoryException {
        Iterator declaredMemberOf = authorizable.declaredMemberOf();
        ArrayList arrayList = new ArrayList();
        while (declaredMemberOf.hasNext()) {
            arrayList.add(((Group) declaredMemberOf.next()).getID());
        }
        authorizableConfigBean.setMemberOf((String[]) arrayList.toArray(new String[arrayList.size()]));
    }

    private Set<AceBean> getNewAceSet(int i) {
        AbstractSet abstractSet = null;
        if (i == AcHelper.ACE_ORDER_NONE) {
            abstractSet = new LinkedHashSet();
        } else if (i == AcHelper.ACE_ORDER_ACTOOL_BEST_PRACTICE) {
            abstractSet = new TreeSet(new AcePermissionComparator());
        } else if (i == AcHelper.ACE_ORDER_ALPHABETICAL) {
            abstractSet = new TreeSet(new AcePathComparator());
        }
        return abstractSet;
    }

    protected void bindRepository(SlingRepository slingRepository) {
        this.repository = slingRepository;
    }

    protected void unbindRepository(SlingRepository slingRepository) {
        if (this.repository == slingRepository) {
            this.repository = null;
        }
    }

    protected void bindResourceResolverFactory(ResourceResolverFactory resourceResolverFactory) {
        this.resourceResolverFactory = resourceResolverFactory;
    }

    protected void unbindResourceResolverFactory(ResourceResolverFactory resourceResolverFactory) {
        if (this.resourceResolverFactory == resourceResolverFactory) {
            this.resourceResolverFactory = null;
        }
    }
}
