package biz.netcentric.cq.tools.actool.aceinstaller;

import biz.netcentric.cq.tools.actool.aem.AcToolCqActions;
import biz.netcentric.cq.tools.actool.configmodel.AceBean;
import biz.netcentric.cq.tools.actool.configmodel.Restriction;
import biz.netcentric.cq.tools.actool.helper.AcHelper;
import biz.netcentric.cq.tools.actool.helper.AccessControlUtils;
import biz.netcentric.cq.tools.actool.history.InstallationLogger;
import java.security.Principal;
import java.text.Collator;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Comparator;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import java.util.concurrent.ConcurrentHashMap;
import javax.jcr.PathNotFoundException;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.UnsupportedRepositoryOperationException;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.Privilege;
import org.apache.commons.lang3.StringUtils;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
import org.apache.sling.jcr.api.SlingRepository;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferencePolicyOption;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Component
/* loaded from: input_file:biz/netcentric/cq/tools/actool/aceinstaller/AceBeanInstallerIncremental.class */
public class AceBeanInstallerIncremental extends BaseAceBeanInstaller implements AceBeanInstaller {

    @Reference(policyOption = ReferencePolicyOption.GREEDY)
    private SlingRepository slingRepository;
    private static final Logger LOG = LoggerFactory.getLogger(AceBeanInstallerIncremental.class);
    private Map<String, Set<AceBean>> actionsToPrivilegesMapping = new ConcurrentHashMap();

    @Override // biz.netcentric.cq.tools.actool.aceinstaller.BaseAceBeanInstaller
    protected void installAcl(Set<AceBean> set, String str, Set<String> set2, Session session, InstallationLogger installationLogger) throws RepositoryException {
        AceBean aceBean;
        boolean hasPendingChanges = session.hasPendingChanges();
        int i = 0;
        int i2 = 0;
        int i3 = 0;
        int i4 = 0;
        StringBuilder sb = new StringBuilder();
        ArrayList arrayList = new ArrayList(filterDuplicates(filterInitialContentOnlyNodes(transformActionsIntoPrivileges(set, session, installationLogger)), session));
        int i5 = 0;
        boolean z = false;
        AccessControlManager accessControlManager = session.getAccessControlManager();
        JackrabbitAccessControlList accessControlList = getAccessControlList(accessControlManager, str);
        for (AccessControlEntry accessControlEntry : Arrays.asList(accessControlList.getAccessControlEntries())) {
            AceBean aceBean2 = AcHelper.getAceBean(accessControlEntry, accessControlList);
            String principalName = aceBean2.getPrincipalName();
            String aceCompareString = toAceCompareString(aceBean2, accessControlManager);
            if (set2.contains(principalName)) {
                if (i5 < arrayList.size()) {
                    aceBean = (AceBean) arrayList.get(i5);
                } else {
                    z = true;
                    aceBean = null;
                }
                String aceCompareString2 = toAceCompareString(aceBean, accessControlManager);
                boolean equals = StringUtils.equals(aceCompareString, aceCompareString2);
                if (!z && !equals) {
                    sb.append("<<< CHANGE (Repo Version)   " + aceCompareString + "\n>>> CHANGE (Config Version) " + aceCompareString2 + "\n");
                }
                if (z || !equals) {
                    z = true;
                    accessControlList.removeAccessControlEntry(accessControlEntry);
                    i++;
                    sb.append("    DELETED (from Repo)     " + aceCompareString + "\n");
                } else {
                    i5++;
                    i3++;
                    sb.append("    UNCHANGED               " + aceCompareString + "\n");
                }
            } else {
                i4++;
                sb.append("    OUTSIDE (not in Config) " + aceCompareString + "\n");
            }
        }
        for (int i6 = i5; i6 < arrayList.size(); i6++) {
            AceBean aceBean3 = (AceBean) arrayList.get(i6);
            installPrivileges(aceBean3, new PrincipalImpl(aceBean3.getPrincipalName()), accessControlList, session, accessControlManager);
            sb.append("    APPENDED (from Config)  " + toAceCompareString(aceBean3, accessControlManager) + "\n");
            i2++;
        }
        if (i2 > 0 || i > 0) {
            accessControlManager.setPolicy(StringUtils.isNotBlank(str) ? str : null, accessControlList);
            installationLogger.incCountAclsChanged();
            installationLogger.addVerboseMessage(LOG, "Update result at path " + str + ": O=" + i4 + " N=" + i3 + " D=" + i + " A=" + i2 + (LOG.isDebugEnabled() ? "\nDIFF at " + str + "\n" + ((Object) sb) : ""));
        } else {
            installationLogger.incCountAclsNoChange();
        }
        if (hasPendingChanges || !session.hasPendingChanges()) {
            return;
        }
        installationLogger.addMessage(LOG, "Path " + str + " introduced pending changes to the session");
    }

    private Set<AceBean> filterDuplicates(Set<AceBean> set, Session session) throws UnsupportedRepositoryOperationException, RepositoryException {
        LinkedHashSet linkedHashSet = new LinkedHashSet(set);
        Iterator it = linkedHashSet.iterator();
        HashSet hashSet = new HashSet();
        while (it.hasNext()) {
            String aceCompareString = toAceCompareString((AceBean) it.next(), session.getAccessControlManager());
            if (hashSet.contains(aceCompareString)) {
                it.remove();
            } else {
                hashSet.add(aceCompareString);
            }
        }
        return linkedHashSet;
    }

    private Set<AceBean> filterInitialContentOnlyNodes(Set<AceBean> set) {
        LinkedHashSet linkedHashSet = new LinkedHashSet();
        for (AceBean aceBean : set) {
            if (!aceBean.isInitialContentOnlyConfig()) {
                linkedHashSet.add(aceBean);
            }
        }
        return linkedHashSet;
    }

    protected JackrabbitAccessControlList getAccessControlList(AccessControlManager accessControlManager, String str) throws RepositoryException {
        return AccessControlUtils.getModifiableAcl(accessControlManager, str);
    }

    private Set<AceBean> transformActionsIntoPrivileges(Set<AceBean> set, Session session, InstallationLogger installationLogger) throws RepositoryException {
        LinkedHashSet linkedHashSet = new LinkedHashSet();
        for (AceBean aceBean : set) {
            if (aceBean.getActionMap().isEmpty()) {
                linkedHashSet.add(aceBean);
            } else {
                Iterator<AceBean> it = getPrincipalAceBeansForActionAceBeanCached(aceBean, session, installationLogger).iterator();
                while (it.hasNext()) {
                    linkedHashSet.add(it.next());
                }
            }
        }
        return linkedHashSet;
    }

    private Set<AceBean> getPrincipalAceBeansForActionAceBeanCached(AceBean aceBean, Session session, InstallationLogger installationLogger) throws RepositoryException {
        Session session2;
        String str = (definesContent(aceBean.getJcrPathForPolicyApi(), session) ? "definesContent" : "simple") + "-" + aceBean.getPermission() + "-" + getRestrictionsComparable(aceBean.getRestrictions()) + "-" + Arrays.toString(aceBean.getActions());
        if (this.actionsToPrivilegesMapping.containsKey(str)) {
            installationLogger.incCountActionCacheHit();
            LOG.trace("Cache hit for key " + str);
            Set<AceBean> set = this.actionsToPrivilegesMapping.get(str);
            LinkedHashSet linkedHashSet = new LinkedHashSet();
            Iterator<AceBean> it = set.iterator();
            while (it.hasNext()) {
                AceBean m12clone = it.next().m12clone();
                m12clone.setPrincipalName(aceBean.getPrincipalName());
                linkedHashSet.add(m12clone);
            }
            return linkedHashSet;
        }
        installationLogger.incCountActionCacheMiss();
        Session loginService = this.slingRepository.loginService((String) null, (String) null);
        try {
            if (loginService.nodeExists(aceBean.getJcrPath())) {
                session2 = loginService;
            } else {
                session2 = session;
                LOG.warn("Reusing main session for path {} since the node was only just created in that session via 'initialContent'", aceBean.getJcrPath());
            }
            Set<AceBean> principalAceBeansForActionAceBean = getPrincipalAceBeansForActionAceBean(aceBean, session2);
            loginService.logout();
            LOG.debug("Adding to cache: {}={}", str, principalAceBeansForActionAceBean);
            this.actionsToPrivilegesMapping.put(str, principalAceBeansForActionAceBean);
            return principalAceBeansForActionAceBean;
        } catch (Throwable th) {
            loginService.logout();
            throw th;
        }
    }

    Set<AceBean> getPrincipalAceBeansForActionAceBean(AceBean aceBean, Session session) throws RepositoryException {
        LinkedHashSet linkedHashSet = new LinkedHashSet();
        Principal testActionMapperPrincipal = getTestActionMapperPrincipal();
        applyCqActions(aceBean, session, testActionMapperPrincipal);
        JackrabbitAccessControlList accessControlList = getAccessControlList(session.getAccessControlManager(), aceBean.getJcrPathForPolicyApi());
        boolean z = true;
        for (AccessControlEntry accessControlEntry : accessControlList.getAccessControlEntries()) {
            if (accessControlEntry.getPrincipal().equals(testActionMapperPrincipal)) {
                AceBean aceBean2 = AcHelper.getAceBean(accessControlEntry, accessControlList);
                aceBean2.setPrincipalName(aceBean.getPrincipalName());
                if (z) {
                    if (aceBean.containsRestriction(AceBean.RESTRICTION_NAME_GLOB) && aceBean2.containsRestriction(AceBean.RESTRICTION_NAME_GLOB)) {
                        throw new IllegalArgumentException("When using actions that produce rep:glob restrictions (e.g. for page paths), rep:glob cannot be configured (origAceBean=" + aceBean.getRestrictions() + ", privilegesAceBeanForAction=" + aceBean2.getRestrictions() + "), check configuration for " + aceBean);
                    }
                    aceBean2.getRestrictions().addAll(aceBean.getRestrictions());
                }
                linkedHashSet.add(aceBean2);
                accessControlList.removeAccessControlEntry(accessControlEntry);
                z = false;
            }
        }
        AccessControlManager accessControlManager = session.getAccessControlManager();
        accessControlManager.setPolicy(aceBean.getJcrPath(), accessControlList);
        AceBean aceBean3 = (AceBean) linkedHashSet.iterator().next();
        LinkedHashSet linkedHashSet2 = new LinkedHashSet();
        if (aceBean3.getPrivileges() != null) {
            linkedHashSet2.addAll(Arrays.asList(aceBean3.getPrivileges()));
        }
        Set<String> flatSetResolvedAggregates = flatSetResolvedAggregates(aceBean3.getPrivileges(), accessControlManager, true);
        if (aceBean.getPrivileges() != null) {
            for (String str : aceBean.getPrivileges()) {
                if (!flatSetResolvedAggregates.contains(str)) {
                    linkedHashSet2.add(str);
                }
            }
        }
        aceBean3.setPrivilegesString(StringUtils.join(linkedHashSet2, ","));
        if (LOG.isDebugEnabled()) {
            StringBuilder sb = new StringBuilder();
            sb.append("CqActions at path " + aceBean.getJcrPath() + " with authorizableId=" + aceBean.getAuthorizableId() + "/" + testActionMapperPrincipal.getName() + " produced \n");
            Iterator it = linkedHashSet.iterator();
            while (it.hasNext()) {
                sb.append("   " + toAceCompareString((AceBean) it.next(), accessControlManager) + "\n");
            }
            LOG.debug(sb.toString());
        }
        return linkedHashSet;
    }

    Principal getTestActionMapperPrincipal() {
        return new PrincipalImpl("actool-tester-action-mapper");
    }

    void applyCqActions(AceBean aceBean, Session session, Principal principal) throws RepositoryException {
        if (aceBean.getActionMap().isEmpty()) {
            return;
        }
        AcToolCqActions acToolCqActions = new AcToolCqActions(session);
        acToolCqActions.installActions(aceBean.getJcrPath(), principal, aceBean.getActionMap(), acToolCqActions.getAllowedActions(aceBean.getJcrPathForPolicyApi(), Collections.singleton(principal)));
    }

    private Set<String> flatSetResolvedAggregates(String[] strArr, AccessControlManager accessControlManager, boolean z) throws RepositoryException {
        if (strArr == null) {
            return Collections.emptySet();
        }
        HashSet hashSet = new HashSet();
        for (String str : strArr) {
            Privilege privilegeFromName = accessControlManager.privilegeFromName(str);
            if (!privilegeFromName.isAggregate() || z) {
                hashSet.add(privilegeFromName.getName());
            }
            if (privilegeFromName.isAggregate()) {
                for (Privilege privilege : privilegeFromName.getDeclaredAggregatePrivileges()) {
                    hashSet.addAll(flatSetResolvedAggregates(new String[]{privilege.getName()}, accessControlManager, z));
                }
            }
        }
        return hashSet;
    }

    boolean definesContent(String str, Session session) throws RepositoryException {
        if (str == null || str.equals("/")) {
            return false;
        }
        try {
            return AcToolCqActions.definesContent(session.getNode(str));
        } catch (PathNotFoundException e) {
            return false;
        }
    }

    private String toAceCompareString(AceBean aceBean, AccessControlManager accessControlManager) throws RepositoryException {
        if (aceBean == null) {
            return "null";
        }
        return aceBean.getPrincipalName() + " " + aceBean.getPermission() + " " + privilegesToComparableSet(aceBean.getPrivileges(), accessControlManager) + Arrays.toString(getRestrictionsComparable(aceBean.getRestrictions()).toArray());
    }

    private List<Restriction> getRestrictionsComparable(List<Restriction> list) {
        ArrayList arrayList = new ArrayList(list);
        Collections.sort(arrayList, new Comparator<Restriction>() { // from class: biz.netcentric.cq.tools.actool.aceinstaller.AceBeanInstallerIncremental.1
            @Override // java.util.Comparator
            public int compare(Restriction restriction, Restriction restriction2) {
                return Collator.getInstance().compare(restriction.getName(), restriction2.getName());
            }
        });
        return arrayList;
    }

    String privilegesToComparableSet(String[] strArr, AccessControlManager accessControlManager) throws RepositoryException {
        return new TreeSet(flatSetResolvedAggregates(strArr, accessControlManager, false)).toString();
    }
}
