package biz.netcentric.cq.tools.actool.aceinstaller;

import biz.netcentric.cq.tools.actool.comparators.AcePermissionComparator;
import biz.netcentric.cq.tools.actool.configmodel.AcConfiguration;
import biz.netcentric.cq.tools.actool.configmodel.AceBean;
import biz.netcentric.cq.tools.actool.configmodel.Restriction;
import biz.netcentric.cq.tools.actool.helper.AccessControlUtils;
import biz.netcentric.cq.tools.actool.helper.ContentHelper;
import biz.netcentric.cq.tools.actool.helper.RestrictionsHolder;
import biz.netcentric.cq.tools.actool.helper.runtime.RuntimeHelper;
import biz.netcentric.cq.tools.actool.history.InstallationLogger;
import biz.netcentric.cq.tools.actool.history.impl.PersistableInstallationLogger;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.UnsupportedRepositoryOperationException;
import javax.jcr.ValueFormatException;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.Privilege;
import org.apache.commons.lang3.time.StopWatch;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:biz/netcentric/cq/tools/actool/aceinstaller/BaseAceBeanInstaller.class */
public abstract class BaseAceBeanInstaller implements AceBeanInstaller {
    private static final Logger LOG = LoggerFactory.getLogger(BaseAceBeanInstaller.class);

    @Override // biz.netcentric.cq.tools.actool.aceinstaller.AceBeanInstaller
    public void installPathBasedACEs(Map<String, Set<AceBean>> map, AcConfiguration acConfiguration, Session session, InstallationLogger installationLogger, Set<String> set) throws Exception {
        StopWatch stopWatch = new StopWatch();
        stopWatch.start();
        Set<String> keySet = map.keySet();
        installationLogger.addVerboseMessage(LOG, "Found " + keySet.size() + "  paths in config");
        LOG.trace("Paths with ACEs: {}", keySet);
        Set<String> filterReadOnlyPaths = filterReadOnlyPaths(keySet, installationLogger, session);
        for (String str : filterReadOnlyPaths) {
            Set<AceBean> set2 = map.get(str);
            if ((AccessControlUtils.getModifiableAcl(session.getAccessControlManager(), str) != null) || ContentHelper.createInitialContent(session, installationLogger, str, set2)) {
                TreeSet treeSet = new TreeSet(new AcePermissionComparator());
                treeSet.addAll(set2);
                installAcl(treeSet, str, acConfiguration.getAuthorizablesConfig().removeUnmanagedPrincipalNamesAtPath(str, set, acConfiguration.getGlobalConfiguration().getDefaultUnmanagedAcePathsRegex()), session, installationLogger);
            } else {
                installationLogger.addVerboseMessage(LOG, "Skipped installing privileges/actions for non existing path: " + str);
                installationLogger.incCountAclsPathDoesNotExist();
            }
        }
        if (installationLogger.getMissingParentPathsForInitialContent() > 0) {
            installationLogger.addWarning(LOG, "There were " + installationLogger.getMissingParentPathsForInitialContent() + " parent paths missing for creation of initial content (those paths were skipped, see verbose log for details)");
        }
        installationLogger.addMessage(LOG, "ACL Update Statistics: Changed=" + installationLogger.getCountAclsChanged() + " Unchanged=" + installationLogger.getCountAclsUnchanged() + " Path not found=" + installationLogger.getCountAclsPathDoesNotExist() + " (action cache hit/miss=" + installationLogger.getCountActionCacheHit() + "/" + installationLogger.getCountActionCacheMiss() + ")");
        installationLogger.addMessage(LOG, "*** Finished installation of " + filterReadOnlyPaths.size() + " ACLs in " + PersistableInstallationLogger.msHumanReadable(stopWatch.getTime()));
    }

    private Set<String> filterReadOnlyPaths(Set<String> set, InstallationLogger installationLogger, Session session) {
        if (!RuntimeHelper.isCompositeNodeStore(session)) {
            return set;
        }
        TreeSet treeSet = new TreeSet();
        TreeSet treeSet2 = new TreeSet();
        for (String str : set) {
            if (str == null || !(str.startsWith("/apps") || str.startsWith("/libs"))) {
                treeSet.add(str);
            } else {
                treeSet2.add(str);
            }
        }
        installationLogger.addMessage(LOG, "Ignoring " + treeSet2.size() + " ACLs in /apps and /libs because they are ready-only (Composite NodeStore)");
        return treeSet;
    }

    protected abstract void installAcl(Set<AceBean> set, String str, Set<String> set2, Session session, InstallationLogger installationLogger) throws RepositoryException;

    /* JADX INFO: Access modifiers changed from: protected */
    public boolean installPrivileges(AceBean aceBean, Principal principal, JackrabbitAccessControlList jackrabbitAccessControlList, Session session, AccessControlManager accessControlManager) throws RepositoryException {
        Set<Privilege> privilegeSet = getPrivilegeSet(aceBean.getPrivileges(), accessControlManager);
        if (privilegeSet.isEmpty()) {
            return false;
        }
        RestrictionsHolder restrictions = getRestrictions(aceBean, session, jackrabbitAccessControlList);
        if (restrictions.isEmpty()) {
            jackrabbitAccessControlList.addEntry(principal, (Privilege[]) privilegeSet.toArray(new Privilege[privilegeSet.size()]), aceBean.isAllow());
            return true;
        }
        jackrabbitAccessControlList.addEntry(principal, (Privilege[]) privilegeSet.toArray(new Privilege[privilegeSet.size()]), aceBean.isAllow(), restrictions.getSingleValuedRestrictionsMap(), restrictions.getMultiValuedRestrictionsMap());
        return true;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public RestrictionsHolder getRestrictions(AceBean aceBean, Session session, JackrabbitAccessControlList jackrabbitAccessControlList) throws ValueFormatException, UnsupportedRepositoryOperationException, RepositoryException {
        List asList = Arrays.asList(jackrabbitAccessControlList.getRestrictionNames());
        if (aceBean.getRestrictions().isEmpty()) {
            return RestrictionsHolder.empty();
        }
        List<Restriction> restrictions = aceBean.getRestrictions();
        for (Restriction restriction : restrictions) {
            if (!asList.contains(restriction.getName())) {
                throw new IllegalStateException("The AccessControlList at " + jackrabbitAccessControlList.getPath() + " does not support setting " + restriction.getName() + " restrictions!");
            }
        }
        return new RestrictionsHolder(restrictions, session.getValueFactory(), jackrabbitAccessControlList);
    }

    public Set<Privilege> getPrivilegeSet(String[] strArr, AccessControlManager accessControlManager) throws RepositoryException {
        if (strArr == null) {
            return Collections.emptySet();
        }
        HashSet hashSet = new HashSet(strArr.length);
        for (String str : strArr) {
            Privilege privilegeFromName = accessControlManager.privilegeFromName(str);
            if (privilegeFromName.isAggregate()) {
                hashSet.addAll(Arrays.asList(privilegeFromName.getAggregatePrivileges()));
            } else {
                hashSet.add(privilegeFromName);
            }
        }
        return hashSet;
    }
}
