package biz.netcentric.cq.tools.actool.impl;

import biz.netcentric.cq.tools.actool.aceinstaller.AceBeanInstaller;
import biz.netcentric.cq.tools.actool.api.AcInstallationService;
import biz.netcentric.cq.tools.actool.api.InstallationLog;
import biz.netcentric.cq.tools.actool.authorizableinstaller.AuthorizableCreatorException;
import biz.netcentric.cq.tools.actool.authorizableinstaller.AuthorizableInstallerService;
import biz.netcentric.cq.tools.actool.configmodel.AcConfiguration;
import biz.netcentric.cq.tools.actool.configmodel.AceBean;
import biz.netcentric.cq.tools.actool.configmodel.AcesConfig;
import biz.netcentric.cq.tools.actool.configmodel.AuthorizableConfigBean;
import biz.netcentric.cq.tools.actool.configmodel.AuthorizablesConfig;
import biz.netcentric.cq.tools.actool.configreader.ConfigFilesRetriever;
import biz.netcentric.cq.tools.actool.configreader.ConfigReader;
import biz.netcentric.cq.tools.actool.configreader.ConfigurationMerger;
import biz.netcentric.cq.tools.actool.dumpservice.ConfigDumpService;
import biz.netcentric.cq.tools.actool.helper.AcHelper;
import biz.netcentric.cq.tools.actool.helper.AccessControlUtils;
import biz.netcentric.cq.tools.actool.helper.AclBean;
import biz.netcentric.cq.tools.actool.helper.Constants;
import biz.netcentric.cq.tools.actool.helper.PurgeHelper;
import biz.netcentric.cq.tools.actool.helper.QueryHelper;
import biz.netcentric.cq.tools.actool.helper.runtime.RuntimeHelper;
import biz.netcentric.cq.tools.actool.history.AcHistoryService;
import biz.netcentric.cq.tools.actool.history.InstallationLogger;
import biz.netcentric.cq.tools.actool.history.impl.PersistableInstallationLogger;
import biz.netcentric.cq.tools.actool.slingsettings.ExtendedSlingSettingsService;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Dictionary;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.jcr.AccessDeniedException;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.UnsupportedRepositoryOperationException;
import javax.jcr.ValueFormatException;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlManager;
import org.apache.commons.collections4.CollectionUtils;
import org.apache.commons.lang3.ArrayUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.time.StopWatch;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.commons.osgi.PropertiesUtil;
import org.apache.sling.jcr.api.SlingRepository;
import org.osgi.framework.BundleContext;
import org.osgi.framework.FrameworkUtil;
import org.osgi.service.cm.ConfigurationAdmin;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferencePolicyOption;
import org.osgi.service.metatype.annotations.AttributeDefinition;
import org.osgi.service.metatype.annotations.Designate;
import org.osgi.service.metatype.annotations.ObjectClassDefinition;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Designate(ocd = Configuration.class)
@Component
/* loaded from: input_file:biz/netcentric/cq/tools/actool/impl/AcInstallationServiceImpl.class */
public class AcInstallationServiceImpl implements AcInstallationService, AcInstallationServiceInternal {
    private static final Logger LOG = LoggerFactory.getLogger(AcInstallationServiceImpl.class);
    private static final String CONFIG_PID = "biz.netcentric.cq.tools.actool.impl.AcInstallationServiceImpl";
    private static final String LEGACY_CONFIG_PID = "biz.netcentric.cq.tools.actool.aceservice.impl.AceServiceImpl";
    private static final String LEGACY_PROPERTY_CONFIGURATION_PATH = "AceService.configurationPath";

    @Reference(policyOption = ReferencePolicyOption.GREEDY)
    AuthorizableInstallerService authorizableCreatorService;

    @Reference(target = "(component.name=biz.netcentric.cq.tools.actool.aceinstaller.AceBeanInstallerClassic)", policyOption = ReferencePolicyOption.GREEDY)
    AceBeanInstaller aceBeanInstallerClassic;

    @Reference(target = "(component.name=biz.netcentric.cq.tools.actool.aceinstaller.AceBeanInstallerIncremental)", policyOption = ReferencePolicyOption.GREEDY)
    AceBeanInstaller aceBeanInstallerIncremental;

    @Reference(policyOption = ReferencePolicyOption.GREEDY)
    private SlingRepository repository;

    @Reference(policyOption = ReferencePolicyOption.GREEDY)
    AcHistoryService acHistoryService;

    @Reference(policyOption = ReferencePolicyOption.GREEDY)
    private ConfigDumpService dumpservice;

    @Reference(policyOption = ReferencePolicyOption.GREEDY)
    private ConfigReader configReader;

    @Reference(policyOption = ReferencePolicyOption.GREEDY)
    private ConfigurationMerger configurationMerger;

    @Reference(policyOption = ReferencePolicyOption.GREEDY)
    private ConfigFilesRetriever configFilesRetriever;

    @Reference(policyOption = ReferencePolicyOption.GREEDY)
    private ConfigurationAdmin configAdmin;

    @Reference(policyOption = ReferencePolicyOption.GREEDY)
    private AcConfigChangeTracker acConfigChangeTracker;

    @Reference(policyOption = ReferencePolicyOption.GREEDY)
    private ExtendedSlingSettingsService slingSettingsService;
    private List<String> configurationRootPaths;

    @ObjectClassDefinition(name = "AC Tool Installation Service", description = "Service that installs groups & ACEs according to textual configuration files", id = AcInstallationServiceImpl.CONFIG_PID)
    /* loaded from: input_file:biz/netcentric/cq/tools/actool/impl/AcInstallationServiceImpl$Configuration.class */
    protected @interface Configuration {
        @AttributeDefinition(name = "Configuration path(s)", description = "JCR path(s) where the config files reside (usually it's just one, can be multiple for multitenant setups)")
        String[] configurationRootPaths() default {};
    }

    @Activate
    public void activate(Configuration configuration, BundleContext bundleContext) throws Exception {
        Dictionary properties;
        Dictionary properties2 = this.configAdmin.getConfiguration(CONFIG_PID).getProperties();
        this.configurationRootPaths = new ArrayList();
        if (!ArrayUtils.isEmpty(configuration.configurationRootPaths())) {
            this.configurationRootPaths.addAll(Arrays.asList(configuration.configurationRootPaths()));
        } else if (properties2 != null && properties2.get(LEGACY_PROPERTY_CONFIGURATION_PATH) != null) {
            LOG.warn("Using legacy property PID '{}' is deprecated, use 'configurationRootPaths' instead. ", LEGACY_PROPERTY_CONFIGURATION_PATH);
            this.configurationRootPaths.add(PropertiesUtil.toString(properties2.get(LEGACY_PROPERTY_CONFIGURATION_PATH), ""));
        }
        if (properties2 == null && (properties = this.configAdmin.getConfiguration(LEGACY_CONFIG_PID).getProperties()) != null) {
            LOG.warn("Using legacy configuration PID '{}'. Please remove this and switch to the new one with PID '{}',", LEGACY_CONFIG_PID, CONFIG_PID);
            this.configurationRootPaths = Arrays.asList(PropertiesUtil.toString(properties.get(LEGACY_PROPERTY_CONFIGURATION_PATH), ""));
        }
        LOG.info("Activated AC Tool at start level " + RuntimeHelper.getCurrentStartLevel(bundleContext) + " default config path: " + this.configurationRootPaths);
    }

    @Override // biz.netcentric.cq.tools.actool.api.AcInstallationService
    public InstallationLog apply() {
        return apply(null, null);
    }

    @Override // biz.netcentric.cq.tools.actool.api.AcInstallationService
    public InstallationLog apply(String str) {
        return apply(str, null);
    }

    @Override // biz.netcentric.cq.tools.actool.api.AcInstallationService
    public InstallationLog apply(String[] strArr) {
        return apply(null, strArr);
    }

    @Override // biz.netcentric.cq.tools.actool.api.AcInstallationService
    public InstallationLog apply(String str, String[] strArr) {
        return apply(str, strArr, false);
    }

    @Override // biz.netcentric.cq.tools.actool.api.AcInstallationService
    public InstallationLog apply(String str, String[] strArr, boolean z) {
        if (StringUtils.isBlank(str)) {
            if (CollectionUtils.isEmpty(this.configurationRootPaths)) {
                throw new IllegalArgumentException("Configuration root path neither configured nor provided.");
            }
            if (this.configurationRootPaths.size() != 1) {
                return applyMultipleConfigurations(strArr, z);
            }
            str = this.configurationRootPaths.get(0);
        }
        PersistableInstallationLogger persistableInstallationLogger = new PersistableInstallationLogger();
        Session session = null;
        try {
            try {
                try {
                    Session loginService = this.repository.loginService((String) null, (String) null);
                    try {
                        installConfigurationFiles(persistableInstallationLogger, this.configFilesRetriever.getConfigFileContentFromNode(str, loginService), strArr, loginService, z);
                        if (loginService != null) {
                            loginService.logout();
                        }
                    } catch (Exception e) {
                        persistableInstallationLogger.addError("Could not retrieve configuration from path " + str + ": " + e.getMessage(), e);
                        persistHistory(persistableInstallationLogger);
                        if (loginService != null) {
                            loginService.logout();
                        }
                        return persistableInstallationLogger;
                    }
                } catch (Throwable th) {
                    if (0 != 0) {
                        session.logout();
                    }
                    throw th;
                }
            } catch (Exception e2) {
                LOG.error("Exception in AceServiceImpl: {}", e2);
                if (0 != 0) {
                    session.logout();
                }
            }
        } catch (AuthorizableCreatorException e3) {
            LOG.warn("Exception during installation of authorizables (no rollback), e=" + e3, e3);
            if (0 != 0) {
                session.logout();
            }
        }
        return persistableInstallationLogger;
    }

    private InstallationLog applyMultipleConfigurations(String[] strArr, boolean z) {
        PersistableInstallationLogger persistableInstallationLogger = new PersistableInstallationLogger();
        persistableInstallationLogger.addMessage(LOG, "Applying multiple configs (this log only shows what was applied, check the individual logs for details)");
        for (String str : this.configurationRootPaths) {
            persistableInstallationLogger.addMessage(LOG, "Applying config at root path " + str);
            apply(str, strArr, z);
        }
        return persistableInstallationLogger;
    }

    @Override // biz.netcentric.cq.tools.actool.impl.AcInstallationServiceInternal
    public void installConfigurationFiles(PersistableInstallationLogger persistableInstallationLogger, Map<String, String> map, String[] strArr, Session session) throws Exception {
        installConfigurationFiles(persistableInstallationLogger, map, strArr, session, false);
    }

    public void installConfigurationFiles(PersistableInstallationLogger persistableInstallationLogger, Map<String, String> map, String[] strArr, Session session, boolean z) throws Exception {
        boolean configIsUnchangedComparedToLastExecution = this.acConfigChangeTracker.configIsUnchangedComparedToLastExecution(map, strArr, session);
        if (z && configIsUnchangedComparedToLastExecution) {
            persistableInstallationLogger.addMessage(LOG, "Config files are identical to last execution");
            return;
        }
        String name = Thread.currentThread().getName();
        try {
            try {
                Thread.currentThread().setName(name + "-ACTool-Config-Worker");
                StopWatch stopWatch = new StopWatch();
                stopWatch.start();
                persistableInstallationLogger.addMessage(LOG, "*** Applying AC Tool Configuration...");
                persistableInstallationLogger.addMessage(LOG, "Running with v" + getVersion() + " on instance id " + this.slingSettingsService.getSlingId() + (!ArrayUtils.isEmpty(strArr) ? " with restricted paths: " + Arrays.asList(strArr) : ""));
                if (map != null) {
                    persistableInstallationLogger.setConfigFileContentsByName(map);
                    AcConfiguration mergedConfigurations = this.configurationMerger.getMergedConfigurations(map, persistableInstallationLogger, this.configReader, session);
                    installMergedConfigurations(persistableInstallationLogger, mergedConfigurations, strArr, session);
                    ensureVirtualGroupsAreRemoved(persistableInstallationLogger, mergedConfigurations, session);
                    removeObsoleteAuthorizables(persistableInstallationLogger, mergedConfigurations.getObsoleteAuthorizables(), session);
                }
                stopWatch.stop();
                long time = stopWatch.getTime();
                persistableInstallationLogger.setExecutionTime(time);
                persistableInstallationLogger.addVerboseMessage(LOG, "Finished at bundle start level " + RuntimeHelper.getCurrentStartLevel());
                persistableInstallationLogger.addMessage(LOG, "Successfully applied AC Tool configuration in " + PersistableInstallationLogger.msHumanReadable(time));
                persistHistory(persistableInstallationLogger);
                Thread.currentThread().setName(name);
            } catch (Exception e) {
                persistableInstallationLogger.addError("Could not process yaml files", e);
                throw e;
            }
        } catch (Throwable th) {
            persistHistory(persistableInstallationLogger);
            Thread.currentThread().setName(name);
            throw th;
        }
    }

    private void persistHistory(PersistableInstallationLogger persistableInstallationLogger) {
        try {
            this.acHistoryService.persistHistory(persistableInstallationLogger);
        } catch (Exception e) {
            LOG.warn("Could not persist history, e=" + e, e);
        }
    }

    private void installAcConfiguration(AcConfiguration acConfiguration, InstallationLogger installationLogger, Map<String, Set<AceBean>> map, String[] strArr, Session session) throws Exception {
        if (acConfiguration.getAceConfig() == null) {
            LOG.error("ACE config not found in YAML file! installation aborted!");
            throw new IllegalArgumentException("ACE config not found in YAML file! installation aborted!");
        }
        installAuthorizables(installationLogger, acConfiguration, session);
        installAces(installationLogger, acConfiguration, map, strArr, session);
    }

    private void removeAcesForPathsNotInConfig(InstallationLogger installationLogger, Session session, Set<String> set, Map<String, Set<AceBean>> map, AcConfiguration acConfiguration) throws UnsupportedRepositoryOperationException, RepositoryException {
        int i = 0;
        int i2 = 0;
        for (String str : getRelevantPathsForAceCleanup(set, map, acConfiguration.getAceConfig())) {
            Set<String> removeUnmanagedPrincipalNamesAtPath = acConfiguration.getAuthorizablesConfig().removeUnmanagedPrincipalNamesAtPath(str, set, acConfiguration.getGlobalConfiguration().getDefaultUnmanagedAcePathsRegex());
            int deleteAllEntriesForPrincipalsFromACL = AccessControlUtils.deleteAllEntriesForPrincipalsFromACL(session, str, (String[]) removeUnmanagedPrincipalNamesAtPath.toArray(new String[removeUnmanagedPrincipalNamesAtPath.size()]));
            if (deleteAllEntriesForPrincipalsFromACL > 0) {
                i2++;
                installationLogger.addMessage(LOG, "For paths not contained in the configuration: Cleaned " + deleteAllEntriesForPrincipalsFromACL + " ACEs of path " + str + " from all ACEs for configured authorizables");
            }
            i += deleteAllEntriesForPrincipalsFromACL;
        }
        if (i > 0) {
            installationLogger.addMessage(LOG, "For paths not contained in the configuration: Cleaned " + i + " ACEs from " + i2 + " paths in repository (ACEs that belong to users in the AC Config, but resided at paths that are not contained in AC Config)");
        }
    }

    private Set<String> getRelevantPathsForAceCleanup(Set<String> set, Map<String, Set<AceBean>> map, AcesConfig acesConfig) {
        HashSet hashSet = new HashSet();
        Iterator<Map.Entry<String, Set<AceBean>>> it = map.entrySet().iterator();
        while (it.hasNext()) {
            for (AceBean aceBean : it.next().getValue()) {
                String jcrPath = aceBean.getJcrPath();
                String principalName = aceBean.getPrincipalName();
                if (acesConfig.containsPath(jcrPath)) {
                    LOG.trace("Path {} is explicitly listed in config and hence that ACL is handled later, not preceding cleanup needed here", jcrPath);
                } else if (set.contains(principalName)) {
                    hashSet.add(jcrPath);
                } else {
                    LOG.debug("Principal {} is not contained in config, hence not cleaning its ACE from non-config-contained path {}", principalName, jcrPath);
                }
            }
        }
        return hashSet;
    }

    boolean isRelevantPath(String str, String[] strArr) {
        if (strArr == null || strArr.length == 0) {
            return true;
        }
        boolean z = false;
        for (String str2 : strArr) {
            if (str.matches(StringUtils.containsAny(str2, new char[]{'*', '^', '$', '+'}) ? str2 : "^" + str2 + "(/.*|$)")) {
                z = true;
            }
        }
        return z;
    }

    private Set<String> getPrincipalNamesToRemoveAcesFor(AuthorizablesConfig authorizablesConfig) {
        Set<String> principalNames = authorizablesConfig.getPrincipalNames();
        Set<String> collectPrincipalsToBeMigrated = collectPrincipalsToBeMigrated(authorizablesConfig);
        Collection intersection = CollectionUtils.intersection(principalNames, collectPrincipalsToBeMigrated);
        if (!intersection.isEmpty()) {
            throw new IllegalArgumentException("If migrateFrom feature is used, groups that shall be migrated from must not be present in regular configuration (offending groups: " + intersection + ")");
        }
        principalNames.addAll(collectPrincipalsToBeMigrated);
        return principalNames;
    }

    Set<String> collectPrincipalsToBeMigrated(AuthorizablesConfig authorizablesConfig) {
        LinkedHashSet linkedHashSet = new LinkedHashSet();
        Iterator it = authorizablesConfig.iterator();
        while (it.hasNext()) {
            AuthorizableConfigBean authorizableConfigBean = (AuthorizableConfigBean) it.next();
            String migrateFrom = authorizableConfigBean.getMigrateFrom();
            if (StringUtils.isNotBlank(migrateFrom)) {
                if (StringUtils.equals(authorizableConfigBean.getPrincipalName(), authorizableConfigBean.getAuthorizableId())) {
                    linkedHashSet.add(migrateFrom);
                } else {
                    String principalName = authorizableConfigBean.getPrincipalName();
                    String replace = principalName.replace(authorizableConfigBean.getAuthorizableId(), migrateFrom);
                    if (StringUtils.equals(principalName, replace)) {
                        throw new IllegalStateException("Could not derive old principal name from newPrincipalName=" + principalName + " and authorizableId=" + authorizableConfigBean.getAuthorizableId() + " (oldPrincipalName=" + replace + " is equal to new principal name)");
                    }
                    linkedHashSet.add(replace);
                }
            }
        }
        return linkedHashSet;
    }

    private void installAces(InstallationLogger installationLogger, AcConfiguration acConfiguration, Map<String, Set<AceBean>> map, String[] strArr, Session session) throws Exception {
        Map<String, Set<AceBean>> pathBasedAceMap = AcHelper.getPathBasedAceMap(acConfiguration.getAceConfig(), AcHelper.ACE_ORDER_ACTOOL_BEST_PRACTICE);
        Set<String> principalNamesToRemoveAcesFor = getPrincipalNamesToRemoveAcesFor(acConfiguration.getAuthorizablesConfig());
        removeAcesForPathsNotInConfig(installationLogger, session, principalNamesToRemoveAcesFor, map, acConfiguration);
        Map<String, Set<AceBean>> filterForRestrictedPaths = filterForRestrictedPaths(pathBasedAceMap, strArr, installationLogger);
        if (filterForRestrictedPaths.isEmpty()) {
            installationLogger.addMessage(LOG, "No relevant ACEs to install");
        } else {
            AceBeanInstaller aceBeanInstaller = acConfiguration.getGlobalConfiguration().getInstallAclsIncrementally() ? this.aceBeanInstallerIncremental : this.aceBeanInstallerClassic;
            installationLogger.addMessage(LOG, "*** Starting installation of " + collectAceCount(filterForRestrictedPaths) + " ACE configurations for " + filterForRestrictedPaths.size() + " paths in content nodes using strategy " + aceBeanInstaller.getClass().getSimpleName() + "...");
            aceBeanInstaller.installPathBasedACEs(filterForRestrictedPaths, acConfiguration, session, installationLogger, principalNamesToRemoveAcesFor);
        }
        if (!session.hasPendingChanges()) {
            installationLogger.addMessage(LOG, "No changes were made to ACLs (session has no pending changes)");
        } else {
            session.save();
            installationLogger.addMessage(LOG, "Persisted changes of ACLs");
        }
    }

    private Map<String, Set<AceBean>> filterForRestrictedPaths(Map<String, Set<AceBean>> map, String[] strArr, InstallationLogger installationLogger) {
        if (strArr == null || strArr.length == 0) {
            return map;
        }
        HashMap hashMap = new HashMap();
        for (String str : map.keySet()) {
            if (isRelevantPath(str, strArr)) {
                hashMap.put(str, map.get(str));
            }
        }
        installationLogger.addMessage(LOG, "Will install AC Config at " + hashMap.keySet().size() + " paths (skipping " + (map.keySet().size() - hashMap.keySet().size()) + " due to paths restriction " + Arrays.toString(strArr) + ")");
        return hashMap;
    }

    private int collectAceCount(Map<String, Set<AceBean>> map) {
        int i = 0;
        Iterator<Set<AceBean>> it = map.values().iterator();
        while (it.hasNext()) {
            i += it.next().size();
        }
        return i;
    }

    private void installAuthorizables(InstallationLogger installationLogger, AcConfiguration acConfiguration, Session session) throws RepositoryException, Exception {
        StopWatch stopWatch = new StopWatch();
        stopWatch.start();
        AuthorizablesConfig authorizablesConfig = acConfiguration.getAuthorizablesConfig();
        installationLogger.addMessage(LOG, "*** Starting installation of " + authorizablesConfig.size() + " authorizables from configuration...");
        try {
            this.authorizableCreatorService.installAuthorizables(acConfiguration, authorizablesConfig, session, installationLogger);
            installationLogger.addMessage(LOG, "Finished installation of authorizables without errors in " + PersistableInstallationLogger.msHumanReadable(stopWatch.getTime()));
        } catch (Exception e) {
            throw new AuthorizableCreatorException(e);
        }
    }

    private Set<String> removeNonExistingAuthorizables(Set<String> set, Session session) throws AccessDeniedException, UnsupportedRepositoryOperationException, RepositoryException {
        HashSet hashSet = new HashSet();
        UserManager userManagerAutoSaveDisabled = AccessControlUtils.getUserManagerAutoSaveDisabled(session);
        Iterator<String> it = set.iterator();
        while (it.hasNext()) {
            String next = it.next();
            if (userManagerAutoSaveDisabled.getAuthorizable(next) == null) {
                hashSet.add(next);
                it.remove();
            }
        }
        return hashSet;
    }

    private void removeObsoleteAuthorizables(InstallationLogger installationLogger, Set<String> set, Session session) {
        try {
            if (set.isEmpty()) {
                installationLogger.addVerboseMessage(LOG, "No obsolete authorizables configured");
                return;
            }
            Set<String> removeNonExistingAuthorizables = removeNonExistingAuthorizables(set, session);
            if (set.isEmpty()) {
                installationLogger.addMessage(LOG, "All configured " + removeNonExistingAuthorizables.size() + " obsolete authorizables have already been purged.");
                return;
            }
            installationLogger.addMessage(LOG, "*** Purging " + set.size() + " obsolete authorizables...  ");
            if (!removeNonExistingAuthorizables.isEmpty()) {
                installationLogger.addMessage(LOG, "(" + removeNonExistingAuthorizables.size() + " have been purged already)");
            }
            purgeAuthorizables(set, session, installationLogger, true);
            installationLogger.addMessage(LOG, "Successfully purged " + set);
        } catch (Exception e) {
            installationLogger.addError(LOG, "Could not purge obsolete authorizables " + set, e);
        }
    }

    private void ensureVirtualGroupsAreRemoved(InstallationLogger installationLogger, AcConfiguration acConfiguration, Session session) {
        try {
            List<AuthorizableConfigBean> virtualGroups = acConfiguration.getVirtualGroups();
            HashSet hashSet = new HashSet();
            Iterator<AuthorizableConfigBean> it = virtualGroups.iterator();
            while (it.hasNext()) {
                hashSet.add(it.next().getAuthorizableId());
            }
            if (virtualGroups.isEmpty()) {
                installationLogger.addVerboseMessage(LOG, "No virtual groups are configured - no need to ensure virtual groups are removed from repo.");
                return;
            }
            removeNonExistingAuthorizables(hashSet, session);
            if (hashSet.isEmpty()) {
                installationLogger.addVerboseMessage(LOG, "No virtual groups exist in repo that would require purging.");
                return;
            }
            installationLogger.addMessage(LOG, "Purging " + hashSet.size() + " virtual groups from repository (most likely they were non-virtual groups before)...");
            purgeAuthorizables(hashSet, session, installationLogger, true);
            installationLogger.addMessage(LOG, "Successfully purged virtual groups from repository: " + hashSet);
        } catch (Exception e) {
            installationLogger.addError(LOG, "Could not purge virtual groups", e);
        }
    }

    private void installMergedConfigurations(InstallationLogger installationLogger, AcConfiguration acConfiguration, String[] strArr, Session session) throws ValueFormatException, RepositoryException, Exception {
        installationLogger.addVerboseMessage(LOG, "Starting installation of merged configurations...");
        StopWatch stopWatch = new StopWatch();
        stopWatch.start();
        LOG.debug("Building dump from repository (to compare delta with config to be installed)");
        Map<String, Set<AceBean>> aceDump = this.dumpservice.createAclDumpMap(AcHelper.PATH_BASED_ORDER, AcHelper.ACE_ORDER_NONE, Collections.emptyList(), true, session).getAceDump();
        installationLogger.addMessage(LOG, "Retrieved existing ACLs from repository in " + PersistableInstallationLogger.msHumanReadable(stopWatch.getTime()));
        installAcConfiguration(acConfiguration, installationLogger, aceDump, strArr, session);
    }

    public boolean isReadyToStart() {
        Session session = null;
        boolean z = false;
        for (String str : this.configurationRootPaths) {
            try {
                try {
                    session = this.repository.loginService((String) null, (String) null);
                    boolean z2 = !this.configFilesRetriever.getConfigFileContentFromNode(str, session).isEmpty();
                    LOG.debug("Config {} is ready to start: {}", str, Boolean.valueOf(z2));
                    z |= z2;
                    if (session != null) {
                        session.logout();
                    }
                } catch (Exception e) {
                    LOG.warn("Could not retrieve config file content for root path " + str);
                    if (session != null) {
                        session.logout();
                    }
                    return false;
                }
            } catch (Throwable th) {
                if (session != null) {
                    session.logout();
                }
                throw th;
            }
        }
        return z;
    }

    @Override // biz.netcentric.cq.tools.actool.api.AcInstallationService, biz.netcentric.cq.tools.actool.impl.AcInstallationServiceInternal
    public String purgeACL(String str) {
        Session session = null;
        String str2 = "";
        boolean z = true;
        try {
            try {
                session = this.repository.loginService((String) null, (String) null);
                PurgeHelper.purgeAcl(session, str);
                session.save();
                if (session != null) {
                    session.logout();
                }
            } catch (Exception e) {
                z = false;
                str2 = e.toString();
                LOG.error("Exception: ", e);
                if (session != null) {
                    session.logout();
                }
            }
            if (!z) {
                return "Deletion of ACL failed! Reason:" + str2;
            }
            String str3 = "Deleted AccessControlList of node: " + str;
            PersistableInstallationLogger persistableInstallationLogger = new PersistableInstallationLogger();
            persistableInstallationLogger.addMessage(LOG, "purge method: purgeACL()");
            persistableInstallationLogger.addMessage(LOG, str3);
            this.acHistoryService.persistAcePurgeHistory(persistableInstallationLogger);
            return str3;
        } catch (Throwable th) {
            if (session != null) {
                session.logout();
            }
            throw th;
        }
    }

    @Override // biz.netcentric.cq.tools.actool.api.AcInstallationService, biz.netcentric.cq.tools.actool.impl.AcInstallationServiceInternal
    public String purgeACLs(String str) {
        String exc;
        Session session = null;
        boolean z = true;
        try {
            try {
                session = this.repository.loginService((String) null, (String) null);
                exc = PurgeHelper.purgeACLs(session, str);
                PersistableInstallationLogger persistableInstallationLogger = new PersistableInstallationLogger();
                persistableInstallationLogger.addMessage(LOG, "purge method: purgeACLs()");
                persistableInstallationLogger.addMessage(LOG, exc);
                this.acHistoryService.persistAcePurgeHistory(persistableInstallationLogger);
                session.save();
                if (session != null) {
                    session.logout();
                }
            } catch (Exception e) {
                LOG.error("Exception: ", e);
                z = false;
                exc = e.toString();
                if (session != null) {
                    session.logout();
                }
            }
            return z ? exc : "Deletion of ACL failed! Reason:" + exc;
        } catch (Throwable th) {
            if (session != null) {
                session.logout();
            }
            throw th;
        }
    }

    @Override // biz.netcentric.cq.tools.actool.impl.AcInstallationServiceInternal
    public String purgeAuthorizablesFromConfig() {
        ArrayList arrayList = new ArrayList();
        for (String str : this.configurationRootPaths) {
            LOG.info("Purging authorizables for root path {}", str);
            arrayList.add(purgeAuthorizablesFromConfig(str));
        }
        return StringUtils.join(arrayList, "\n");
    }

    @Override // biz.netcentric.cq.tools.actool.impl.AcInstallationServiceInternal
    public String purgeAuthorizablesFromConfig(String str) {
        Session session = null;
        try {
            try {
                session = this.repository.loginService((String) null, (String) null);
                PersistableInstallationLogger persistableInstallationLogger = new PersistableInstallationLogger();
                persistableInstallationLogger.addMessage(LOG, "*** Purging AC Tool configuraiton " + str + "...");
                AcConfiguration mergedConfigurations = this.configurationMerger.getMergedConfigurations(this.configFilesRetriever.getConfigFileContentFromNode(str, session), persistableInstallationLogger, this.configReader, session);
                persistableInstallationLogger.addMessage(LOG, "Purging ACLs...");
                long currentTimeMillis = System.currentTimeMillis();
                mergedConfigurations.getAceConfig().clear();
                installAces(persistableInstallationLogger, mergedConfigurations, this.dumpservice.createAclDumpMap(AcHelper.PATH_BASED_ORDER, AcHelper.ACE_ORDER_NONE, Collections.emptyList(), true, session).getAceDump(), null, session);
                persistableInstallationLogger.addMessage(LOG, "Purged ACLs for " + mergedConfigurations.getAuthorizablesConfig().size() + " authorizables in " + PersistableInstallationLogger.msHumanReadable(System.currentTimeMillis() - currentTimeMillis));
                persistableInstallationLogger.addMessage(LOG, "Purging authorizables...");
                Set<String> hashSet = new HashSet<>();
                Iterator it = mergedConfigurations.getAuthorizablesConfig().iterator();
                while (it.hasNext()) {
                    AuthorizableConfigBean authorizableConfigBean = (AuthorizableConfigBean) it.next();
                    String authorizableId = authorizableConfigBean.getAuthorizableId();
                    if (StringUtils.isNotBlank(authorizableConfigBean.getUnmanagedAcePathsRegex())) {
                        persistableInstallationLogger.addMessage(LOG, "Not purging " + authorizableId + " since property unmanagedAcePathsRegex is configured");
                    } else if (!Constants.PRINCIPAL_EVERYONE.equals(authorizableId)) {
                        hashSet.add(authorizableId);
                    }
                }
                purgeAuthorizables(hashSet, session, persistableInstallationLogger, false);
                this.acHistoryService.persistAcePurgeHistory(persistableInstallationLogger);
                String messageHistory = persistableInstallationLogger.getMessageHistory();
                if (session != null) {
                    session.logout();
                }
                return messageHistory;
            } catch (Exception e) {
                LOG.error("Exception while purging all authorizable from config: {}", e, e);
                String str2 = "Could not purge authorizables from config " + str + ": " + e;
                if (session != null) {
                    session.logout();
                }
                return str2;
            }
        } catch (Throwable th) {
            if (session != null) {
                session.logout();
            }
            throw th;
        }
    }

    @Override // biz.netcentric.cq.tools.actool.api.AcInstallationService, biz.netcentric.cq.tools.actool.impl.AcInstallationServiceInternal
    public String purgeAuthorizables(String[] strArr) {
        PersistableInstallationLogger persistableInstallationLogger = new PersistableInstallationLogger();
        Session session = null;
        try {
            try {
                session = this.repository.loginService((String) null, (String) null);
                purgeAuthorizables(new HashSet<>(Arrays.asList(strArr)), session, persistableInstallationLogger, true);
                this.acHistoryService.persistAcePurgeHistory(persistableInstallationLogger);
                if (session != null) {
                    session.logout();
                }
            } catch (RepositoryException e) {
                persistableInstallationLogger.addError(LOG, "Could not purge authorizables " + Arrays.asList(strArr) + ": " + e, e);
                if (session != null) {
                    session.logout();
                }
            }
            return persistableInstallationLogger.getMessageHistory();
        } catch (Throwable th) {
            if (session != null) {
                session.logout();
            }
            throw th;
        }
    }

    private void purgeAuthorizables(Set<String> set, Session session, InstallationLogger installationLogger, boolean z) {
        StopWatch stopWatch = new StopWatch();
        stopWatch.start();
        if (z) {
            try {
                HashSet hashSet = new HashSet();
                deleteAcesForPrincipalIds(session, installationLogger, hashSet, QueryHelper.getAuthorizablesAcls(session, set, hashSet));
            } catch (Exception e) {
                installationLogger.addError(LOG, "Purging of authorizables failed: " + e, e);
                return;
            }
        }
        UserManager userManagerAutoSaveDisabled = AccessControlUtils.getUserManagerAutoSaveDisabled(session);
        ArrayList arrayList = new ArrayList();
        for (String str : set) {
            Authorizable authorizable = userManagerAutoSaveDisabled.getAuthorizable(str);
            if (authorizable != null) {
                arrayList.add(authorizable);
            } else {
                installationLogger.addMessage(LOG, "Could not delete authorizable '" + str + "' because it does not exist");
            }
        }
        sortAuthorizablesForDeletion(arrayList);
        Iterator<Authorizable> it = arrayList.iterator();
        while (it.hasNext()) {
            deleteAuthorizable(installationLogger, it.next());
        }
        session.save();
        stopWatch.stop();
        installationLogger.addMessage(LOG, "Purged " + arrayList.size() + " authorizables in " + PersistableInstallationLogger.msHumanReadable(stopWatch.getTime()));
    }

    public void deleteAcesForPrincipalIds(Session session, InstallationLogger installationLogger, Set<String> set, Set<AclBean> set2) throws RepositoryException {
        StopWatch stopWatch = new StopWatch();
        stopWatch.start();
        AccessControlManager accessControlManager = session.getAccessControlManager();
        long j = 0;
        for (AclBean aclBean : set2) {
            if (aclBean != null) {
                JackrabbitAccessControlList acl = aclBean.getAcl();
                for (AccessControlEntry accessControlEntry : acl.getAccessControlEntries()) {
                    String name = accessControlEntry.getPrincipal().getName();
                    if (set.contains(name)) {
                        String parentPath = aclBean.getParentPath();
                        acl.removeAccessControlEntry(accessControlEntry);
                        boolean isEmpty = acl.isEmpty();
                        if (isEmpty) {
                            accessControlManager.removePolicy(aclBean.getParentPath(), acl);
                        } else {
                            accessControlManager.setPolicy(aclBean.getParentPath(), acl);
                        }
                        installationLogger.addVerboseMessage(LOG, "Path " + parentPath + ": Removed entry for '" + name + "' from ACL " + (isEmpty ? " (and the now emtpy ACL itself)" : ""));
                        j++;
                    }
                }
            }
        }
        stopWatch.stop();
        installationLogger.addMessage(LOG, j > 0 ? "Deleted " + j + " ACEs for " + set.size() + " principals in " + PersistableInstallationLogger.msHumanReadable(stopWatch.getTime()) : "Did not delete any ACEs");
    }

    void sortAuthorizablesForDeletion(List<Authorizable> list) throws RepositoryException {
        int i = 0;
        while (i < list.size()) {
            Authorizable authorizable = list.get(i);
            Iterator declaredMemberOf = authorizable.declaredMemberOf();
            LOG.trace("At index {}: {}", Integer.valueOf(i), authorizable.getID());
            while (declaredMemberOf != null && declaredMemberOf.hasNext()) {
                Group group = (Group) declaredMemberOf.next();
                int indexOf = list.indexOf(group);
                LOG.trace("  Is member of at index {}: {}", Integer.valueOf(indexOf), group.getID());
                if (indexOf > -1 && indexOf < i) {
                    LOG.trace("    Swap at index {} (groupOfAuthorizableIndex {}):", Integer.valueOf(i), Integer.valueOf(indexOf));
                    list.set(indexOf, authorizable);
                    list.set(i, group);
                    i = indexOf;
                    break;
                }
            }
            i++;
        }
    }

    private void deleteAuthorizable(InstallationLogger installationLogger, Authorizable authorizable) throws RepositoryException {
        try {
            ArrayList arrayList = new ArrayList();
            Iterator declaredMemberOf = authorizable.declaredMemberOf();
            while (declaredMemberOf.hasNext()) {
                Group group = (Group) declaredMemberOf.next();
                if (group.removeMember(authorizable)) {
                    arrayList.add(group.getID());
                }
            }
            authorizable.remove();
            installationLogger.addVerboseMessage(LOG, "Deleted authorizable '" + authorizable.getID() + "'" + (!arrayList.isEmpty() ? " and removed it from groups: " + StringUtils.join(arrayList, ", ") : ""));
        } catch (RepositoryException e) {
            installationLogger.addError(LOG, "Error while deleting authorizable '" + authorizable.getID() + "': e=" + e, e);
        }
    }

    public List<String> getConfigurationRootPaths() {
        return this.configurationRootPaths;
    }

    @Override // biz.netcentric.cq.tools.actool.impl.AcInstallationServiceInternal
    public Set<String> getCurrentConfigurationPaths() {
        Session session = null;
        LinkedHashSet linkedHashSet = new LinkedHashSet();
        try {
            try {
                session = this.repository.loginService((String) null, (String) null);
                Iterator<String> it = this.configurationRootPaths.iterator();
                while (it.hasNext()) {
                    linkedHashSet.addAll(this.configFilesRetriever.getConfigFileContentFromNode(it.next(), session).keySet());
                }
                if (session != null) {
                    session.logout();
                }
            } catch (Exception e) {
                LOG.warn("Could not retrieve config file content for root paths {}: e={}", new Object[]{this.configurationRootPaths, e, e});
                if (session != null) {
                    session.logout();
                }
            }
            return linkedHashSet;
        } catch (Throwable th) {
            if (session != null) {
                session.logout();
            }
            throw th;
        }
    }

    @Override // biz.netcentric.cq.tools.actool.impl.AcInstallationServiceInternal
    public String getVersion() {
        return FrameworkUtil.getBundle(AcInstallationServiceImpl.class).getVersion().toString();
    }
}
