package biz.netcentric.cq.tools.actool.aceinstaller;

import biz.netcentric.cq.tools.actool.aem.AcToolCqActions;
import biz.netcentric.cq.tools.actool.configmodel.AceBean;
import biz.netcentric.cq.tools.actool.helper.AccessControlUtils;
import biz.netcentric.cq.tools.actool.helper.RestrictionsHolder;
import biz.netcentric.cq.tools.actool.history.InstallationLogger;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.UnsupportedRepositoryOperationException;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlException;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.Privilege;
import org.apache.commons.collections4.CollectionUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
import org.osgi.service.component.annotations.Component;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

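/**
 * ACE installer that first clears the ACEs of the configured principals at a path and then
 * re-creates them bean by bean, using {@link AcToolCqActions} for actions and the inherited
 * {@code installPrivileges} for plain privileges.
 *
 * <p>Review notes for anyone auditing the resulting permissions:
 * <ul>
 *   <li>Nothing in this class calls {@code session.save()}; persisting (or discarding) the
 *       changes is presumably done by the caller. TODO confirm.</li>
 *   <li>Action-based ACEs are created without restrictions and only afterwards swapped for a
 *       restricted copy (see {@link #extendExistingAceWithRestrictions}); an ACE that already
 *       carries any restriction is left as it is.</li>
 * </ul>
 */
@Component
/* loaded from: input_file:biz/netcentric/cq/tools/actool/aceinstaller/AceBeanInstallerClassic.class */
public class AceBeanInstallerClassic extends BaseAceBeanInstaller implements AceBeanInstaller {
    private static final Logger LOG = LoggerFactory.getLogger(AceBeanInstallerClassic.class);

    /**
     * Replaces the ACEs of the configured principals at one path with the given beans.
     *
     * @param set the ACE beans to install at the path
     * @param str the repository path whose ACL is rewritten
     * @param set2 names of the principals whose existing ACEs at the path are deleted first
     * @param session the JCR session the changes are made in
     * @param installationLogger receives the verbose messages and the changed-ACL counter
     * @throws RepositoryException if deleting or installing an entry fails
     */
    @Override // biz.netcentric.cq.tools.actool.aceinstaller.BaseAceBeanInstaller
    protected void installAcl(Set<AceBean> set, String str, Set<String> set2, Session session, InstallationLogger installationLogger) throws RepositoryException {
        // Existing ACEs of the configured principals go first; if a later bean fails, the
        // session is left with those ACEs removed, so the caller must not save a failed run.
        installationLogger.addVerboseMessage(LOG, "Deleted "
                + AccessControlUtils.deleteAllEntriesForPrincipalsFromACL(session, str, set2.toArray(new String[0]))
                + " ACEs for configured principals from path " + str);
        for (AceBean aceBean : set) {
            LOG.debug("Writing bean to repository {}", aceBean);
            // The principal is built from the configured name only; no lookup is made here.
            installAce(aceBean, session, new PrincipalImpl(aceBean.getPrincipalName()), installationLogger);
        }
        installationLogger.incCountAclsChanged();
    }

    /**
     * Installs the actions and privileges of a single bean and writes the resulting policy.
     *
     * <p>Beans flagged as initial-content-only are ignored, and so are beans whose path yields
     * no modifiable ACL. An ACL that ends up empty is removed instead of being set.
     *
     * @param aceBean the bean to install; its privileges string is rewritten when actions were
     *     installed (privileges already covered by the actions are dropped)
     * @param session the JCR session the changes are made in
     * @param principal the principal the entries are created for
     * @param installationLogger receives the progress messages
     * @throws RepositoryException if reading or writing the policy fails
     */
    private void installAce(AceBean aceBean, Session session, Principal principal, InstallationLogger installationLogger) throws RepositoryException {
        if (aceBean.isInitialContentOnlyConfig()) {
            return;
        }
        AccessControlManager accessControlManager = session.getAccessControlManager();
        JackrabbitAccessControlList modifiableAcl = AccessControlUtils.getModifiableAcl(accessControlManager, aceBean.getJcrPathForPolicyApi());
        if (modifiableAcl == null) {
            installationLogger.addMessage(LOG, "Skipped installing privileges/actions for non existing path: " + aceBean.getJcrPath());
            return;
        }
        JackrabbitAccessControlList aclAfterActions = installActions(aceBean, principal, modifiableAcl, session, accessControlManager, installationLogger);
        // Identity comparison on purpose: installActions hands back the same instance when the
        // bean has no actions and a freshly fetched list otherwise.
        if (modifiableAcl != aclAfterActions) {
            installationLogger.addVerboseMessage(LOG, "Added action(s) for path: " + aceBean.getJcrPath() + ", principal: " + principal.getName() + ", actions: " + aceBean.getActionsString() + ", allow: " + aceBean.isAllow());
            removeRedundantPrivileges(aceBean, session);
            modifiableAcl = aclAfterActions;
        }
        if (installPrivileges(aceBean, principal, modifiableAcl, session, accessControlManager)) {
            installationLogger.addVerboseMessage(LOG, "Added privilege(s) for path: " + aceBean.getJcrPath() + ", principal: " + principal.getName() + ", privileges: " + aceBean.getPrivilegesString() + ", allow: " + aceBean.isAllow());
        }
        if (modifiableAcl.isEmpty()) {
            accessControlManager.removePolicy(aceBean.getJcrPathForPolicyApi(), modifiableAcl);
        } else {
            accessControlManager.setPolicy(aceBean.getJcrPathForPolicyApi(), modifiableAcl);
        }
    }

    /**
     * Installs the bean's actions and, when the bean configures restrictions, applies them to the
     * entries the actions produced.
     *
     * @param aceBean the bean whose action map is installed
     * @param principal the principal the actions are granted or denied for
     * @param aclBeforeActions the ACL as it was before the actions were installed
     * @param session the JCR session the changes are made in
     * @param accessControlManager not used by this method
     * @param installationLogger not used by this method
     * @return {@code aclBeforeActions} itself when the bean has no actions, otherwise the ACL
     *     fetched after the actions were installed
     * @throws RepositoryException if installing the actions or reading the ACL fails
     */
    private JackrabbitAccessControlList installActions(AceBean aceBean, Principal principal, JackrabbitAccessControlList aclBeforeActions, Session session, AccessControlManager accessControlManager, InstallationLogger installationLogger) throws RepositoryException {
        Map<String, Boolean> actionMap = aceBean.getActionMap();
        if (actionMap.isEmpty()) {
            return aclBeforeActions;
        }
        AcToolCqActions acToolCqActions = new AcToolCqActions(session);
        acToolCqActions.installActions(aceBean.getJcrPathForPolicyApi(), principal, actionMap, acToolCqActions.getAllowedActions(aceBean.getJcrPathForPolicyApi(), Collections.singleton(principal)));
        // NOTE(review): the ACL is re-read via getJcrPath() while the actions were installed via
        // getJcrPathForPolicyApi(); confirm both resolve to the same node for every bean.
        JackrabbitAccessControlList aclAfterActions = AccessControlUtils.getAccessControlList(session, aceBean.getJcrPath());
        RestrictionsHolder restrictions = getRestrictions(aceBean, session, aclBeforeActions);
        if (!aceBean.getRestrictions().isEmpty()) {
            addAdditionalRestriction(aceBean, aclBeforeActions, aclAfterActions, restrictions);
        }
        return aclAfterActions;
    }

    /**
     * Applies the configured restrictions to the entries that installing the actions produced.
     *
     * <p>When the before/after comparison finds no new entry, the last entry of both lists is
     * expected to be the same entry and to belong to the bean's principal; that entry is then the
     * one restricted. Anything else is treated as an inconsistent state.
     *
     * @param aceBean the bean being installed, used for the principal check and the error text
     * @param aclBeforeActions the ACL before the actions were installed
     * @param aclAfterActions the ACL after the actions were installed; this one is modified
     * @param restrictions the restrictions to apply
     * @throws RepositoryException if the ACL cannot be read or modified
     * @throws IllegalStateException if no entry can be identified as created by the actions
     */
    private void addAdditionalRestriction(AceBean aceBean, JackrabbitAccessControlList aclBeforeActions, JackrabbitAccessControlList aclAfterActions, RestrictionsHolder restrictions) throws RepositoryException {
        List<AccessControlEntry> modifiedAces = getModifiedAces(aclBeforeActions, aclAfterActions);
        if (!modifiedAces.isEmpty()) {
            for (AccessControlEntry modifiedAce : modifiedAces) {
                addRestrictionIfNotSet(aclAfterActions, restrictions, modifiedAce);
            }
            return;
        }
        AccessControlEntry[] entriesBefore = aclBeforeActions.getAccessControlEntries();
        AccessControlEntry[] entriesAfter = aclAfterActions.getAccessControlEntries();
        // An empty list has no "last entry"; report it as the same inconsistent state instead of
        // failing with an ArrayIndexOutOfBoundsException.
        if (entriesBefore.length == 0 || entriesAfter.length == 0) {
            throw noNewEntries(aceBean);
        }
        AccessControlEntry lastBefore = entriesBefore[entriesBefore.length - 1];
        AccessControlEntry lastAfter = entriesAfter[entriesAfter.length - 1];
        if (!lastBefore.equals(lastAfter) || !lastAfter.getPrincipal().getName().equals(aceBean.getPrincipalName())) {
            throw noNewEntries(aceBean);
        }
        addRestrictionIfNotSet(aclAfterActions, restrictions, lastAfter);
    }

    /** Builds the exception raised when installing actions left no identifiable entry. */
    private static IllegalStateException noNewEntries(AceBean aceBean) {
        return new IllegalStateException("No new entries have been set for AccessControlList at " + aceBean.getJcrPath());
    }

    /**
     * Restricts the given entry unless it already has at least one restriction.
     *
     * <p>An entry that already carries a restriction is skipped without a message, so the
     * restrictions configured on the bean are not merged into it.
     *
     * @param acl the ACL that contains the entry
     * @param restrictions the restrictions to apply
     * @param accessControlEntry the entry to restrict
     * @throws RepositoryException if the ACL cannot be modified
     * @throws IllegalStateException if the entry is not a {@link JackrabbitAccessControlEntry}
     */
    private void addRestrictionIfNotSet(JackrabbitAccessControlList acl, RestrictionsHolder restrictions, AccessControlEntry accessControlEntry) throws RepositoryException, AccessControlException, UnsupportedRepositoryOperationException, SecurityException {
        if (!(accessControlEntry instanceof JackrabbitAccessControlEntry)) {
            throw new IllegalStateException("Can not deal with non JackrabbitAccessControlEntrys, but entry is of type " + accessControlEntry.getClass().getName());
        }
        JackrabbitAccessControlEntry jackrabbitEntry = (JackrabbitAccessControlEntry) accessControlEntry;
        if (jackrabbitEntry.getRestrictionNames().length == 0) {
            extendExistingAceWithRestrictions(acl, jackrabbitEntry, restrictions);
        }
    }

    /**
     * Returns the entries present in the second ACL but not in the first.
     *
     * @param aclBeforeActions the ACL whose entries are subtracted
     * @param aclAfterActions the ACL whose entries are kept
     * @return a new list holding the remaining entries
     * @throws RepositoryException if the entries of either ACL cannot be read
     */
    private List<AccessControlEntry> getModifiedAces(JackrabbitAccessControlList aclBeforeActions, JackrabbitAccessControlList aclAfterActions) throws RepositoryException {
        // Copy into a list instead of casting: subtract() is declared to return a Collection.
        return new ArrayList<>(CollectionUtils.subtract(Arrays.asList(aclAfterActions.getAccessControlEntries()), Arrays.asList(aclBeforeActions.getAccessControlEntries())));
    }

    /**
     * Rewrites the bean's privileges string so that it no longer lists privileges which the
     * bean's actions already stand for.
     *
     * @param aceBean the bean to update
     * @param session the JCR session used to resolve the privileges of an action
     * @throws RepositoryException if resolving the privileges fails
     */
    private void removeRedundantPrivileges(AceBean aceBean, Session session) throws RepositoryException {
        aceBean.setPrivilegesString(StringUtils.join(removeRedundantPrivileges(session, aceBean.getPrivileges(), aceBean.getActions()), ","));
    }

    /**
     * Computes the configured privileges minus those that the given actions map to.
     *
     * @param session the JCR session used to resolve the privileges of an action
     * @param configuredPrivileges the privilege names from the configuration, may be {@code null}
     * @param actions the action names from the configuration, may be {@code null}
     * @return a mutable set of the remaining privilege names; empty when
     *     {@code configuredPrivileges} is {@code null}
     * @throws RepositoryException if resolving the privileges fails
     */
    private Set<String> removeRedundantPrivileges(Session session, String[] configuredPrivileges, String[] actions) throws RepositoryException {
        AcToolCqActions acToolCqActions = new AcToolCqActions(session);
        Set<String> remaining = new HashSet<>();
        if (configuredPrivileges == null) {
            return remaining;
        }
        remaining.addAll(Arrays.asList(configuredPrivileges));
        if (actions == null) {
            return remaining;
        }
        for (String action : actions) {
            for (Privilege privilege : acToolCqActions.getPrivileges(action)) {
                remaining.remove(privilege.getName());
            }
        }
        return remaining;
    }

    /**
     * Replaces an unrestricted entry by a copy that carries the given restrictions.
     *
     * <p>The restricted copy is added first, moved in front of the original, and only then is the
     * original removed. If adding the copy is refused, the method throws and the unrestricted
     * original stays in the in-memory ACL.
     *
     * @param acl the ACL to modify
     * @param unrestrictedEntry the entry to replace
     * @param restrictions the single- and multi-valued restrictions for the copy
     * @throws RepositoryException if the ACL cannot be modified
     * @throws IllegalStateException if the ACL reports that the restricted copy was not added
     */
    private void extendExistingAceWithRestrictions(JackrabbitAccessControlList acl, JackrabbitAccessControlEntry unrestrictedEntry, RestrictionsHolder restrictions) throws SecurityException, UnsupportedRepositoryOperationException, RepositoryException {
        boolean added = acl.addEntry(unrestrictedEntry.getPrincipal(), unrestrictedEntry.getPrivileges(), unrestrictedEntry.isAllow(), restrictions.getSingleValuedRestrictionsMap(), restrictions.getMultiValuedRestrictionsMap());
        if (!added) {
            throw new IllegalStateException("Could not add entry, probably because it was already there!");
        }
        // The copy was appended, so it is the last entry; move it to the original's position.
        acl.orderBefore(acl.getAccessControlEntries()[acl.size() - 1], unrestrictedEntry);
        acl.removeAccessControlEntry(unrestrictedEntry);
    }
}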
