package org.apache.sling.jcr.resourcesecurity.impl;

import java.util.Map;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import org.apache.felix.scr.annotations.Activate;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.ConfigurationPolicy;
import org.apache.felix.scr.annotations.Properties;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.Service;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.commons.osgi.PropertiesUtil;
import org.apache.sling.resourceaccesssecurity.AllowingResourceAccessGate;
import org.apache.sling.resourceaccesssecurity.ResourceAccessGate;

@Service({ResourceAccessGate.class})
@Component(configurationFactory = true, policy = ConfigurationPolicy.REQUIRE, metatype = true, label = "Apache Sling JCR Resource Access Gate", description = "This access gate can be used to handle the access to resources not backed by a JCR repository by providing ACLs in the reposiory")
@Properties({@Property(name = "path", label = "Path", description = "The path is a regular expression for which resources the service should be called"), @Property(name = ResourceAccessGateFactory.PROP_PREFIX, label = "Deep Check Prefix", description = "If this value is configured with a prefix and the resource path starts with this prefix, the prefix is removed from the path and the remaining part is appended  to the JCR path to check. For example if /foo/a/b/c is required, this prefix is  configured with /foo and the JCR node to check is /check, the permissions at  /check/a/b/c are checked."), @Property(name = ResourceAccessGateFactory.PROP_JCR_PATH, label = "JCR Node", description = "This node is checked for permissions to the resources."), @Property(name = "operations", value = {"read", "create", "update", "delete"}, propertyPrivate = true), @Property(name = "access.context", value = {"provider"}, propertyPrivate = true)})
/* loaded from: input_file:org/apache/sling/jcr/resourcesecurity/impl/ResourceAccessGateFactory.class */
public class ResourceAccessGateFactory extends AllowingResourceAccessGate implements ResourceAccessGate {
    static final String PROP_JCR_PATH = "jcrPath";
    static final String PROP_PREFIX = "checkpath.prefix";
    private String jcrPath;
    private String prefix;

    @Activate
    protected void activate(Map<String, Object> map) {
        this.jcrPath = PropertiesUtil.toString(map.get(PROP_JCR_PATH), (String) null);
        this.prefix = PropertiesUtil.toString(map.get(PROP_PREFIX), (String) null);
        if (this.prefix.endsWith("/")) {
            return;
        }
        this.prefix += "/";
    }

    private ResourceAccessGate.GateResult checkPermission(ResourceResolver resourceResolver, String str, String str2) {
        boolean z = false;
        Session session = (Session) resourceResolver.adaptTo(Session.class);
        if (session != null) {
            String str3 = this.jcrPath;
            if (this.prefix != null && str.startsWith(this.prefix)) {
                str3 = this.jcrPath + str.substring(this.prefix.length() - 1);
            }
            try {
                z = session.hasPermission(str3, str2);
            } catch (RepositoryException e) {
            }
        }
        return z ? ResourceAccessGate.GateResult.GRANTED : ResourceAccessGate.GateResult.DENIED;
    }

    public boolean hasReadRestrictions(ResourceResolver resourceResolver) {
        return true;
    }

    public boolean hasCreateRestrictions(ResourceResolver resourceResolver) {
        return true;
    }

    public boolean hasUpdateRestrictions(ResourceResolver resourceResolver) {
        return true;
    }

    public boolean hasDeleteRestrictions(ResourceResolver resourceResolver) {
        return true;
    }

    public ResourceAccessGate.GateResult canRead(Resource resource) {
        return checkPermission(resource.getResourceResolver(), resource.getPath(), "read");
    }

    public ResourceAccessGate.GateResult canDelete(Resource resource) {
        return checkPermission(resource.getResourceResolver(), resource.getPath(), "remove");
    }

    public ResourceAccessGate.GateResult canUpdate(Resource resource) {
        return checkPermission(resource.getResourceResolver(), resource.getPath(), "set_property");
    }

    public ResourceAccessGate.GateResult canCreate(String str, ResourceResolver resourceResolver) {
        return checkPermission(resourceResolver, str, "add_node");
    }
}
