package biz.netcentric.cq.tools.actool.acls;

import biz.netcentric.cq.tools.actool.comparators.AcePermissionComparator;
import biz.netcentric.cq.tools.actool.configmodel.AceBean;
import biz.netcentric.cq.tools.actool.configmodel.Restriction;
import biz.netcentric.cq.tools.actool.helper.AcHelper;
import biz.netcentric.cq.tools.actool.helper.AccessControlUtils;
import biz.netcentric.cq.tools.actool.helper.ContentHelper;
import biz.netcentric.cq.tools.actool.helper.RestrictionsHolder;
import biz.netcentric.cq.tools.actool.installationhistory.AcInstallationHistoryPojo;
import com.day.cq.security.util.CqActions;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.UnsupportedRepositoryOperationException;
import javax.jcr.ValueFormatException;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlException;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.Privilege;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Service;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

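/**
 * Installs access control entries (ACEs) described by {@link AceBean}s into a JCR repository
 * through the supplied {@link Session}.
 *
 * <p>For each configured path, the existing ACEs of the given principals are deleted and the
 * configured beans are written in the order defined by {@link AcePermissionComparator}. All
 * changes are made on the session; they are only saved here when intermediate saves are requested.
 */
@Service
@Component
/* loaded from: input_file:biz/netcentric/cq/tools/actool/acls/AceBeanInstallerImpl.class */
public class AceBeanInstallerImpl implements AceBeanInstaller {
    private static final Logger LOG = LoggerFactory.getLogger(AceBeanInstallerImpl.class);

    /**
     * Replaces the ACEs of the given principals on every path of the configuration.
     *
     * @param pathBasedAceMap configured beans keyed by repository path
     * @param session session used for all reads and writes
     * @param history installation history that receives messages and errors
     * @param principalNamesToClear names of the principals whose existing ACEs are deleted on each
     *        path before the configured beans are written
     * @param intermediateSaves when {@code true} the session is saved after every path, so a
     *        failure on a later path leaves the earlier paths applied
     * @throws Exception if content creation or any repository operation fails
     */
    @Override // biz.netcentric.cq.tools.actool.acls.AceBeanInstaller
    public void installPathBasedACEs(Map<String, Set<AceBean>> pathBasedAceMap, Session session, AcInstallationHistoryPojo history, Set<String> principalNamesToClear, boolean intermediateSaves) throws Exception {
        Set<String> paths = pathBasedAceMap.keySet();
        String foundMessage = "Found " + paths.size() + "  paths in config";
        LOG.debug(foundMessage);
        history.addVerboseMessage(foundMessage);
        LOG.trace("Paths with ACEs: {}", paths);
        if (intermediateSaves) {
            String notice = "Will save ACL for each path to session due to configuration option intermediateSaves=true - rollback functionality is disabled.";
            LOG.info(notice);
            history.addMessage(notice);
        }
        for (String path : paths) {
            Set<AceBean> beansForPath = pathBasedAceMap.get(path);
            // A path is processed when it already has a modifiable ACL; otherwise only when
            // initial content could be created for it.
            boolean pathUsable = AccessControlUtils.getModifiableAcl(session.getAccessControlManager(), path) != null
                    || ContentHelper.createInitialContent(session, history, path, beansForPath);
            if (!pathUsable) {
                String skipped = "Skipped installing privileges/actions for non existing path: " + path;
                LOG.debug(skipped);
                history.addMessage(skipped);
                continue;
            }

            Set<AceBean> orderedBeans = new TreeSet<AceBean>(new AcePermissionComparator());
            orderedBeans.addAll(beansForPath);

            // Existing ACEs of the configured principals are removed before the new ones are
            // written. Until the session is saved this is a transient change only.
            String[] principalNames = principalNamesToClear.toArray(new String[principalNamesToClear.size()]);
            String deleted = "Deleted " + AccessControlUtils.deleteAllEntriesForPrincipalsFromACL(session, path, principalNames) + " ACEs for configured authorizables from path " + path;
            LOG.debug(deleted);
            history.addVerboseMessage(deleted);

            writeAcBeansToRepository(session, history, orderedBeans);

            if (intermediateSaves) {
                String saved = "Saved session for path " + path;
                LOG.debug(saved);
                history.addVerboseMessage(saved);
                session.save();
            }
        }
    }

    /**
     * Installs every bean of the set whose principal can be resolved.
     *
     * <p>A bean without a resolvable principal is skipped and reported through
     * {@link AcInstallationHistoryPojo#addError}. NOTE(review): the caller has already deleted the
     * principals' previous ACEs for the path at this point, so a skipped bean (including a deny)
     * is simply absent afterwards; whether a recorded error aborts the run is decided outside this
     * class - confirm.
     */
    private void writeAcBeansToRepository(Session session, AcInstallationHistoryPojo history, Set<AceBean> aceBeans) throws RepositoryException, UnsupportedRepositoryOperationException, NoSuchMethodException, SecurityException {
        for (AceBean aceBean : aceBeans) {
            LOG.debug("Writing bean to repository {}", aceBean);
            Principal principal = AcHelper.getPrincipal(session, aceBean);
            if (principal == null) {
                String error = "Could not find definition for authorizable " + aceBean.getPrincipalName() + " in groups config while installing ACE for: " + aceBean.getJcrPath() + "! Skipped installation of ACEs for this authorizable!\n";
                LOG.error(error);
                history.addError(error);
                continue;
            }
            history.addVerboseMessage("starting installation of bean: \n" + aceBean);
            install(aceBean, session, principal, history);
        }
    }

    /**
     * Installs the bean's actions through {@link CqActions} and, if the bean has restrictions,
     * adds them to the resulting entries.
     *
     * @return the given ACL instance when the bean defines no actions, otherwise the ACL re-read
     *         from the session after the actions were installed
     */
    private JackrabbitAccessControlList installActions(AceBean aceBean, Principal principal, JackrabbitAccessControlList acl, Session session, AccessControlManager accessControlManager, AcInstallationHistoryPojo history) throws RepositoryException, SecurityException {
        Map<String, Boolean> actionMap = aceBean.getActionMap();
        if (actionMap.isEmpty()) {
            return acl;
        }
        String path = aceBean.getJcrPath();
        CqActions cqActions = new CqActions(session);
        cqActions.installActions(path, principal, actionMap, cqActions.getAllowedActions(path, Collections.singleton(principal)));
        // CqActions wrote to the session directly, so the ACL is read again to see its entries.
        JackrabbitAccessControlList aclAfterActions = AccessControlUtils.getAccessControlList(session, path);
        RestrictionsHolder restrictions = getRestrictions(aceBean, session, acl);
        if (!aceBean.getRestrictions().isEmpty()) {
            addAdditionalRestriction(aceBean, acl, aclAfterActions, restrictions);
        }
        return aclAfterActions;
    }

    /**
     * Adds the bean's restrictions to the entries created by the action installation.
     *
     * <p>The created entries are found by comparing the ACL before and after. If the comparison
     * yields nothing, the last entry of the new ACL is used, provided it equals the last entry of
     * the old ACL and belongs to the bean's principal.
     *
     * <p>NOTE(review): unlike the fallback, the first branch does not check that a differing entry
     * belongs to the bean's principal; it relies on the action installation only touching that
     * principal - confirm.
     *
     * @throws IllegalStateException if no entry can be identified to carry the restrictions,
     *         including the case that one of the ACLs has no entries at all
     */
    private void addAdditionalRestriction(AceBean aceBean, JackrabbitAccessControlList aclBefore, JackrabbitAccessControlList aclAfter, RestrictionsHolder restrictions) throws RepositoryException, AccessControlException, UnsupportedRepositoryOperationException, SecurityException {
        List<AccessControlEntry> changedEntries = getModifiedAces(aclBefore, aclAfter);
        if (!changedEntries.isEmpty()) {
            for (AccessControlEntry entry : changedEntries) {
                addRestrictionIfNotSet(aclAfter, restrictions, entry);
            }
            return;
        }

        AccessControlEntry[] entriesBefore = aclBefore.getAccessControlEntries();
        AccessControlEntry[] entriesAfter = aclAfter.getAccessControlEntries();
        String noNewEntries = "No new entries have been set for AccessControlList at " + aceBean.getJcrPath();
        // An empty ACL previously failed with ArrayIndexOutOfBoundsException on index -1; report
        // it as the same "no new entries" condition instead, so the restriction is never assumed
        // to have been applied.
        if (entriesBefore.length == 0 || entriesAfter.length == 0) {
            throw new IllegalStateException(noNewEntries);
        }
        AccessControlEntry lastBefore = entriesBefore[entriesBefore.length - 1];
        AccessControlEntry lastAfter = entriesAfter[entriesAfter.length - 1];
        boolean sameEntry = lastBefore.equals(lastAfter);
        if (!sameEntry || !lastAfter.getPrincipal().getName().equals(aceBean.getPrincipalName())) {
            throw new IllegalStateException(noNewEntries);
        }
        addRestrictionIfNotSet(aclAfter, restrictions, lastAfter);
    }

    /**
     * Extends the entry with the given restrictions unless it already carries some.
     *
     * <p>An entry that already has at least one restriction is left untouched, so the configured
     * restrictions are not applied to it.
     *
     * @throws IllegalStateException if the entry is not a {@link JackrabbitAccessControlEntry}
     */
    private void addRestrictionIfNotSet(JackrabbitAccessControlList acl, RestrictionsHolder restrictions, AccessControlEntry entry) throws RepositoryException, AccessControlException, UnsupportedRepositoryOperationException, SecurityException {
        if (!(entry instanceof JackrabbitAccessControlEntry)) {
            throw new IllegalStateException("Can not deal with non JackrabbitAccessControlEntrys, but entry is of type " + entry.getClass().getName());
        }
        JackrabbitAccessControlEntry jackrabbitEntry = (JackrabbitAccessControlEntry) entry;
        if (jackrabbitEntry.getRestrictionNames().length == 0) {
            extendExistingAceWithRestrictions(acl, jackrabbitEntry, restrictions);
        }
    }

    /**
     * Returns the entries of {@code aclAfter} that remain after subtracting those of
     * {@code aclBefore}.
     */
    @SuppressWarnings("unchecked") // the subtract result is cast to a list of the ACL entries it was built from
    private List<AccessControlEntry> getModifiedAces(JackrabbitAccessControlList aclBefore, JackrabbitAccessControlList aclAfter) throws RepositoryException {
        List<AccessControlEntry> after = Arrays.asList(aclAfter.getAccessControlEntries());
        List<AccessControlEntry> before = Arrays.asList(aclBefore.getAccessControlEntries());
        return (List<AccessControlEntry>) CollectionUtils.subtract(after, before);
    }

    /**
     * Adds one entry with the bean's privileges to the ACL, with restrictions if the bean has any.
     *
     * @return {@code false} if the bean resolves to no privileges and nothing was attempted,
     *         {@code true} otherwise
     */
    private boolean installPrivileges(AceBean aceBean, Principal principal, JackrabbitAccessControlList acl, Session session, AccessControlManager accessControlManager) throws RepositoryException {
        Set<Privilege> privilegeSet = AccessControlUtils.getPrivilegeSet(aceBean.getPrivileges(), accessControlManager);
        if (privilegeSet.isEmpty()) {
            return false;
        }
        Privilege[] privileges = privilegeSet.toArray(new Privilege[privilegeSet.size()]);
        RestrictionsHolder restrictions = getRestrictions(aceBean, session, acl);
        if (restrictions.isEmpty()) {
            acl.addEntry(principal, privileges, aceBean.isAllow());
        } else {
            acl.addEntry(principal, privileges, aceBean.isAllow(), restrictions.getSingleValuedRestrictionsMap(), restrictions.getMultiValuedRestrictionsMap());
        }
        // The result of addEntry is not inspected: true only means an entry was requested.
        return true;
    }

    /**
     * Installs the actions and privileges of one bean and sets the resulting policy on its path.
     * Beans that only configure initial content, and paths without a modifiable ACL, are skipped.
     */
    private void install(AceBean aceBean, Session session, Principal principal, AcInstallationHistoryPojo history) throws RepositoryException, SecurityException {
        if (aceBean.isInitialContentOnlyConfig()) {
            return;
        }
        AccessControlManager accessControlManager = session.getAccessControlManager();
        JackrabbitAccessControlList acl = AccessControlUtils.getModifiableAcl(accessControlManager, aceBean.getJcrPath());
        if (acl == null) {
            String skipped = "Skipped installing privileges/actions for non existing path: " + aceBean.getJcrPath();
            LOG.debug(skipped);
            history.addMessage(skipped);
            return;
        }
        JackrabbitAccessControlList aclAfterActions = installActions(aceBean, principal, acl, session, accessControlManager, history);
        // Identity comparison on purpose: installActions hands back the same instance when the
        // bean has no actions and a re-read ACL when it installed some.
        if (acl != aclAfterActions) {
            history.addVerboseMessage("added action(s) for path: " + aceBean.getJcrPath() + ", principal: " + principal.getName() + ", actions: " + aceBean.getActionsString() + ", allow: " + aceBean.isAllow());
            removeRedundantPrivileges(aceBean, session);
            acl = aclAfterActions;
        }
        if (installPrivileges(aceBean, principal, acl, session, accessControlManager)) {
            history.addVerboseMessage("added privilege(s) for path: " + aceBean.getJcrPath() + ", principal: " + principal.getName() + ", privileges: " + aceBean.getPrivilegesString() + ", allow: " + aceBean.isAllow());
        }
        accessControlManager.setPolicy(aceBean.getJcrPath(), acl);
    }

    /**
     * Rewrites the bean's privileges string so that it no longer lists privileges that are
     * already covered by the bean's actions. This mutates the bean.
     */
    private void removeRedundantPrivileges(AceBean aceBean, Session session) throws RepositoryException {
        Set<String> remaining = removeRedundantPrivileges(session, aceBean.getPrivileges(), aceBean.getActions());
        aceBean.setPrivilegesString(StringUtils.join(remaining, ","));
    }

    /**
     * Returns the given privilege names without those that {@link CqActions} reports for any of
     * the given actions.
     *
     * @param privilegeNames configured privilege names, may be {@code null}
     * @param actions configured action names, may be {@code null}
     * @return a new mutable set; empty when {@code privilegeNames} is {@code null}
     */
    private static Set<String> removeRedundantPrivileges(Session session, String[] privilegeNames, String[] actions) throws RepositoryException {
        CqActions cqActions = new CqActions(session);
        Set<String> remaining = new HashSet<String>();
        if (privilegeNames == null) {
            return remaining;
        }
        remaining.addAll(Arrays.asList(privilegeNames));
        if (actions == null) {
            return remaining;
        }
        for (String action : actions) {
            Iterator<?> covered = cqActions.getPrivileges(action).iterator();
            while (covered.hasNext()) {
                remaining.remove(((Privilege) covered.next()).getName());
            }
        }
        return remaining;
    }

    /**
     * Builds the restrictions of the bean for the given ACL.
     *
     * @return an empty holder when the bean has no restrictions
     * @throws IllegalStateException if the ACL does not list one of the bean's restriction names
     *         among its supported restriction names
     */
    private RestrictionsHolder getRestrictions(AceBean aceBean, Session session, JackrabbitAccessControlList acl) throws ValueFormatException, UnsupportedRepositoryOperationException, RepositoryException {
        List<String> supportedNames = Arrays.asList(acl.getRestrictionNames());
        if (aceBean.getRestrictions().isEmpty()) {
            return RestrictionsHolder.empty();
        }
        List<Restriction> restrictions = aceBean.getRestrictions();
        for (Restriction restriction : restrictions) {
            // Fail instead of dropping the restriction: an ACE written without it would apply
            // more broadly than configured.
            if (!supportedNames.contains(restriction.getName())) {
                throw new IllegalStateException("The AccessControlList at " + acl.getPath() + " does not support setting " + restriction.getName() + " restrictions!");
            }
        }
        return new RestrictionsHolder(restrictions, session.getValueFactory(), acl);
    }

    /**
     * Replaces an entry by a copy that additionally carries the given restrictions, keeping the
     * entry's position in the list.
     *
     * @throws IllegalStateException if the ACL reports that the restricted entry was not added
     */
    private void extendExistingAceWithRestrictions(JackrabbitAccessControlList acl, JackrabbitAccessControlEntry entry, RestrictionsHolder restrictions) throws SecurityException, UnsupportedRepositoryOperationException, RepositoryException {
        boolean added = acl.addEntry(entry.getPrincipal(), entry.getPrivileges(), entry.isAllow(), restrictions.getSingleValuedRestrictionsMap(), restrictions.getMultiValuedRestrictionsMap());
        if (!added) {
            throw new IllegalStateException("Could not add entry, probably because it was already there!");
        }
        // The code takes the last entry to be the one just added, moves it in front of the
        // unrestricted original and then removes the original.
        AccessControlEntry restrictedEntry = acl.getAccessControlEntries()[acl.size() - 1];
        acl.orderBefore(restrictedEntry, entry);
        acl.removeAccessControlEntry(entry);
    }
}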
