package com.composum.sling.core.service.impl;

import com.composum.sling.core.service.RepositorySetupService;
import com.composum.sling.core.util.ValueEmbeddingReader;
import com.google.gson.Gson;
import com.google.gson.stream.JsonReader;
import com.google.gson.stream.JsonToken;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.Reader;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.jcr.Node;
import javax.jcr.PathNotFoundException;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.ValueFactory;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.Privilege;
import org.apache.commons.configuration.tree.DefaultExpressionEngine;
import org.apache.commons.lang3.StringUtils;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Service;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.webdav.security.Principal;
import org.apache.pdfbox.contentstream.operator.OperatorName;
import org.osgi.service.condpermadmin.ConditionalPermissionInfo;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

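/**
 * Applies or reverts repository access-control rules that are described as JSON.
 *
 * <p>A rule document is either one JSON object or an array of such objects. The keys read here are:
 * <ul>
 *   <li>{@code path} - repository path the rule applies to; a rule without it is ignored</li>
 *   <li>{@code jcr:primaryType} - when set, the path is created with this node type on "add" and the
 *       node at the path is removed on "remove"</li>
 *   <li>{@code acl} - list of principal entries; when the key is absent, <b>every</b> access control
 *       entry at the path is removed, for "add" as well as for "remove"</li>
 * </ul>
 * A principal entry is read for {@code principal}, {@link RepositorySetupService#GROUP_PATH},
 * {@link RepositorySetupService#MEMBER_OF} and a nested {@code acl} list whose items carry
 * {@code allow} (boolean), {@code privileges} (one name or a list of names) and optional
 * {@code restrictions}.
 *
 * <p><b>Security notes.</b> The rule document decides which principals are granted or denied which
 * privileges, which groups are created and which nodes are deleted, and all of it runs with the
 * rights of the session passed in. The JSON source (a repository node or a reader) and the optional
 * value map are therefore privileged input: write access to either is equivalent to the ability to
 * change ACLs with that session. NOTE(review): {@code ValueEmbeddingReader} is not visible here; it
 * presumably expands placeholders in the JSON text before parsing - confirm whether embedded values
 * are escaped, otherwise a value could alter the structure of a rule.
 *
 * <p><b>Persistence.</b> Only group creation and membership changes call {@link Session#save()} in
 * this class. Such a save also persists any ACL or node change already pending in the same session;
 * all other changes stay transient until the caller saves.
 */
@Service
@Component(label = "Composum Nodes Security Service")
/* loaded from: input_file:default/org.apache.sling.kickstart.far:com/composum/sling/core/composum-sling-core-commons/1.12.0/composum-sling-core-commons-1.12.0.jar:com/composum/sling/core/service/impl/CoreRepositorySetupService.class */
public class CoreRepositorySetupService implements RepositorySetupService {
    private static final Logger LOG = LoggerFactory.getLogger(CoreRepositorySetupService.class);

    // JSON keys of a rule. The decompiled listing (see the "loaded from" note on this class) had
    // mapped some of these inlined literals onto constants of unrelated libraries that merely have
    // the same value; spelling them out keeps the rule schema readable.
    private static final String KEY_PATH = "path";
    private static final String KEY_PRIMARY_TYPE = "jcr:primaryType";
    private static final String KEY_ACL = "acl";
    private static final String KEY_PRINCIPAL = "principal";
    private static final String KEY_ALLOW = "allow";
    private static final String KEY_PRIVILEGES = "privileges";
    private static final String KEY_RESTRICTIONS = "restrictions";

    /**
     * Reads the JSON rules stored in a repository file node and applies them.
     *
     * @param session session used to read the file and to change the repository
     * @param str     path of the file node; its {@code jcr:content/jcr:data} binary is read as UTF-8
     * @param map     optional values handed to {@code ValueEmbeddingReader}; {@code null} to parse the file as is
     * @throws RepositoryException if the file cannot be read or a rule cannot be applied
     * @throws IOException         if the file node is missing or the JSON cannot be read
     */
    @Override
    public void addJsonAcl(@Nonnull Session session, @Nonnull String str, @Nullable Map<String, Object> map) throws RepositoryException, IOException {
        try (Reader rulesReader = openRulesFile(session, str)) {
            addJsonAcl(session, rulesReader, map);
        }
    }

    /**
     * Parses JSON rules from a reader and applies each of them via {@link #addAclObject}.
     *
     * @param session session used to change the repository
     * @param reader  source of the JSON text; closed by this method
     * @param map     optional values handed to {@code ValueEmbeddingReader}; {@code null} to parse the text as is
     * @throws RepositoryException if a rule cannot be applied
     * @throws IOException         if the JSON cannot be read
     */
    @Override
    public void addJsonAcl(@Nonnull Session session, @Nonnull Reader reader, @Nullable Map<String, Object> map) throws RepositoryException, IOException {
        Reader source = map != null ? new ValueEmbeddingReader(reader, map) : reader;
        try (JsonReader jsonReader = new JsonReader(source)) {
            if (jsonReader.peek() == JsonToken.BEGIN_ARRAY) {
                jsonReader.beginArray();
                while (jsonReader.peek() != JsonToken.END_ARRAY) {
                    addAclObject(session, jsonReader);
                }
                jsonReader.endArray();
            } else {
                addAclObject(session, jsonReader);
            }
        }
    }

    /**
     * Reads the JSON rules stored in a repository file node and reverts them.
     *
     * @param session session used to read the file and to change the repository
     * @param str     path of the file node; its {@code jcr:content/jcr:data} binary is read as UTF-8
     * @param map     optional values handed to {@code ValueEmbeddingReader}; {@code null} to parse the file as is
     * @throws RepositoryException if the file cannot be read or a rule cannot be reverted
     * @throws IOException         if the file node is missing or the JSON cannot be read
     */
    @Override
    public void removeJsonAcl(@Nonnull Session session, @Nonnull String str, @Nullable Map<String, Object> map) throws RepositoryException, IOException {
        try (Reader rulesReader = openRulesFile(session, str)) {
            removeJsonAcl(session, rulesReader, map);
        }
    }

    /**
     * Parses JSON rules from a reader and reverts each of them via {@link #removeAclObject}.
     *
     * @param session session used to change the repository
     * @param reader  source of the JSON text; closed by this method
     * @param map     optional values handed to {@code ValueEmbeddingReader}; {@code null} to parse the text as is
     * @throws RepositoryException if a rule cannot be reverted
     * @throws IOException         if the JSON cannot be read
     */
    @Override
    public void removeJsonAcl(@Nonnull Session session, @Nonnull Reader reader, @Nullable Map<String, Object> map) throws RepositoryException, IOException {
        Reader source = map != null ? new ValueEmbeddingReader(reader, map) : reader;
        try (JsonReader jsonReader = new JsonReader(source)) {
            if (jsonReader.peek() == JsonToken.BEGIN_ARRAY) {
                jsonReader.beginArray();
                while (jsonReader.peek() != JsonToken.END_ARRAY) {
                    removeAclObject(session, jsonReader);
                }
                jsonReader.endArray();
            } else {
                removeAclObject(session, jsonReader);
            }
        }
    }

    /** Opens the {@code jcr:content/jcr:data} binary of the file node at the given path as a UTF-8 reader. */
    private Reader openRulesFile(Session session, String filePath) throws RepositoryException, IOException {
        Node fileNode = session.getNode(filePath);
        if (fileNode == null) {
            throw new IOException("configuration file node not found (" + filePath + ")");
        }
        InputStream data = fileNode.getNode("jcr:content").getProperty("jcr:data").getBinary().getStream();
        // closing the reader also closes the underlying binary stream
        return new InputStreamReader(data, StandardCharsets.UTF_8);
    }

    /**
     * Consumes one rule object from the JSON stream and applies it.
     *
     * <p>A rule without an {@code acl} key clears every access control entry at its path, so a
     * truncated or mistyped rule is destructive rather than a no-op.
     *
     * @param session    session used to change the repository
     * @param jsonReader reader positioned at the start of a rule object
     * @throws RepositoryException if the rule cannot be applied
     */
    @SuppressWarnings({"unchecked", "rawtypes"})
    protected void addAclObject(@Nonnull Session session, @Nonnull JsonReader jsonReader) throws RepositoryException {
        Map rule = (Map) new Gson().fromJson(jsonReader, Map.class);
        if (rule == null) {
            // empty document or JSON null: nothing to apply (was a NullPointerException)
            return;
        }
        String path = (String) rule.get(KEY_PATH);
        if (StringUtils.isBlank(path)) {
            return;
        }
        String primaryType = (String) rule.get(KEY_PRIMARY_TYPE);
        if (StringUtils.isNotBlank(primaryType)) {
            makeNodeAvailable(session, path, primaryType);
        }
        List<Map> principalRules = (List) rule.get(KEY_ACL);
        if (principalRules != null) {
            addAclList(session, path, principalRules);
        } else {
            removeAcl(session, path, null);
        }
    }

    /**
     * Consumes one rule object from the JSON stream and reverts it: the ACL entries first, then the
     * node itself when the rule names a {@code jcr:primaryType}.
     *
     * @param session    session used to change the repository
     * @param jsonReader reader positioned at the start of a rule object
     * @throws RepositoryException if the rule cannot be reverted
     */
    @SuppressWarnings({"unchecked", "rawtypes"})
    protected void removeAclObject(@Nonnull Session session, @Nonnull JsonReader jsonReader) throws RepositoryException {
        Map rule = (Map) new Gson().fromJson(jsonReader, Map.class);
        if (rule == null) {
            // empty document or JSON null: nothing to revert (was a NullPointerException)
            return;
        }
        String path = (String) rule.get(KEY_PATH);
        if (StringUtils.isBlank(path)) {
            return;
        }
        List<Map> principalRules = (List) rule.get(KEY_ACL);
        if (principalRules != null) {
            removeAclList(session, path, principalRules);
        } else {
            removeAcl(session, path, null);
        }
        if (StringUtils.isNotBlank((String) rule.get(KEY_PRIMARY_TYPE))) {
            removeNode(session, path);
        }
    }

    /**
     * Applies the principal entries of one rule: optional group creation, optional group
     * memberships, then the access control entries. A principal entry without a nested
     * {@code acl} list removes that principal's entries at the path.
     *
     * @param session session used to change the repository
     * @param str     repository path the entries apply to
     * @param list    principal entries of the rule; entries without a principal name are skipped
     * @throws RepositoryException if an entry is malformed or cannot be applied
     */
    @SuppressWarnings({"unchecked", "rawtypes"})
    protected void addAclList(@Nonnull Session session, @Nonnull String str, @Nonnull List<Map> list) throws RepositoryException {
        for (Map principalRule : list) {
            String principalName = (String) principalRule.get(KEY_PRINCIPAL);
            if (StringUtils.isBlank(principalName)) {
                continue;
            }
            String groupPath = (String) principalRule.get(RepositorySetupService.GROUP_PATH);
            if (StringUtils.isNotBlank(groupPath)) {
                makeGroupAvailable(session, principalName, groupPath);
            }
            List<String> memberOf = (List) principalRule.get(RepositorySetupService.MEMBER_OF);
            if (memberOf != null) {
                makeMemberAvailable(session, principalName, memberOf);
            }
            List<Map> entries = (List) principalRule.get(KEY_ACL);
            if (entries == null) {
                removeAcl(session, str, principalName);
                continue;
            }
            for (Map entry : entries) {
                // Never guess between grant and deny: a missing or non-boolean 'allow' is rejected
                // with a message naming the rule instead of a bare NPE / ClassCastException.
                Object allowValue = entry.get(KEY_ALLOW);
                if (!(allowValue instanceof Boolean)) {
                    throw new RepositoryException("ACL entry for principal '" + principalName + "' at '" + str
                            + "' needs a boolean 'allow' value");
                }
                Object privilegeSpec = entry.get(KEY_PRIVILEGES);
                if (privilegeSpec == null) {
                    throw new RepositoryException("ACL entry for principal '" + principalName + "' at '" + str
                            + "' names no privileges");
                }
                String[] privilegeNames = privilegeSpec instanceof List
                        ? ((List<?>) privilegeSpec).toArray(new String[0])
                        : new String[]{(String) privilegeSpec};
                Map<String, Object> restrictions = (Map) entry.get(KEY_RESTRICTIONS);
                addAcl(session, str, principalName, ((Boolean) allowValue).booleanValue(), privilegeNames,
                        restrictions != null ? restrictions : Collections.<String, Object>emptyMap());
            }
        }
    }

    /**
     * Reverts the principal entries of one rule: the principal's ACL entries at the path, then the
     * listed group memberships, then the group itself when the entry names a group path.
     *
     * @param session session used to change the repository
     * @param str     repository path the entries apply to
     * @param list    principal entries of the rule; entries without a principal name are skipped
     * @throws RepositoryException if an entry cannot be reverted
     */
    @SuppressWarnings({"unchecked", "rawtypes"})
    protected void removeAclList(@Nonnull Session session, @Nonnull String str, @Nonnull List<Map> list) throws RepositoryException {
        for (Map principalRule : list) {
            String principalName = (String) principalRule.get(KEY_PRINCIPAL);
            if (StringUtils.isBlank(principalName)) {
                continue;
            }
            removeAcl(session, str, principalName);
            List<String> memberOf = (List) principalRule.get(RepositorySetupService.MEMBER_OF);
            if (memberOf != null) {
                removeMember(session, principalName, memberOf);
            }
            if (StringUtils.isNotBlank((String) principalRule.get(RepositorySetupService.GROUP_PATH))) {
                removeGroup(session, principalName);
            }
        }
    }

    /**
     * Adds one access control entry for a principal to the ACL of a path and sets the policy.
     * The change is not saved here.
     *
     * @param session session used to change the repository; must be a {@link JackrabbitSession}
     * @param str     repository path whose ACL is changed
     * @param str2    name of the principal the entry is for
     * @param z       {@code true} for an allow entry, {@code false} for a deny entry
     * @param strArr  privilege names
     * @param map     restriction name to string value; values are converted to the type the ACL
     *                reports for that restriction
     * @throws RepositoryException if the ACL or the principal is not available or the entry is rejected
     */
    @SuppressWarnings({"unchecked", "rawtypes"})
    protected void addAcl(@Nonnull Session session, @Nonnull String str, @Nonnull String str2, boolean z, @Nonnull String[] strArr, @Nonnull Map<String, Object> map) throws RepositoryException {
        try {
            AccessControlManager accessControlManager = session.getAccessControlManager();
            PrincipalManager principalManager = ((JackrabbitSession) session).getPrincipalManager();
            JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(accessControlManager, str);
            if (acl == null) {
                throw new RepositoryException("no access control list available at '" + str + "'");
            }
            java.security.Principal principal = principalManager.getPrincipal(str2);
            if (principal == null) {
                // an unknown principal is reported by name instead of failing later with a null principal
                throw new RepositoryException("principal '" + str2 + "' not found");
            }
            Privilege[] privileges = AccessControlUtils.privilegesFromNames(accessControlManager, strArr);
            Map restrictionValues = new HashMap();
            ValueFactory valueFactory = session.getValueFactory();
            for (Map.Entry<String, Object> restriction : map.entrySet()) {
                String restrictionName = restriction.getKey();
                restrictionValues.put(restrictionName,
                        valueFactory.createValue((String) restriction.getValue(), acl.getRestrictionType(restrictionName)));
            }
            acl.addEntry(principal, privileges, z, restrictionValues);
            LOG.info("addAcl({},{})", str2, Arrays.toString(strArr));
            accessControlManager.setPolicy(str, acl);
        } catch (Exception e) {
            LOG.error("Error in addAcl({},{},{},{}, {}) : {}", str, str2, Boolean.valueOf(z), Arrays.asList(strArr), map, e.toString());
            throw e;
        }
    }

    /**
     * Removes access control entries from the ACL of a path; the policy itself is removed when no
     * entry is left. The change is not saved here.
     *
     * @param session session used to change the repository
     * @param str     repository path whose ACL is changed
     * @param str2    name of the principal whose entries are removed; {@code null} removes the
     *                entries of <b>all</b> principals at the path
     * @throws RepositoryException if the ACL cannot be changed
     */
    protected void removeAcl(@Nonnull Session session, @Nonnull String str, @Nullable String str2) throws RepositoryException {
        try {
            AccessControlManager accessControlManager = session.getAccessControlManager();
            JackrabbitAccessControlList acl = null;
            try {
                acl = AccessControlUtils.getAccessControlList(accessControlManager, str);
            } catch (PathNotFoundException missingPath) {
                // nothing to remove when the path does not exist
                LOG.debug("removeAcl({},{}): path not found", str, str2);
            } catch (RepositoryException unreadable) {
                // Removal stays best effort, but a skipped removal leaves the entries in force,
                // so it must be visible in the log rather than silently dropped.
                LOG.warn("removeAcl({},{}) skipped, ACL not readable: {}", str, str2, unreadable.toString());
            }
            if (acl == null) {
                return;
            }
            for (AccessControlEntry entry : acl.getAccessControlEntries()) {
                String entryPrincipal = entry.getPrincipal().getName();
                if (str2 == null || str2.equals(entryPrincipal)) {
                    LOG.info("removeAcl({},{})", entryPrincipal, Arrays.toString(entry.getPrivileges()));
                    acl.removeAccessControlEntry(entry);
                }
            }
            accessControlManager.setPolicy(str, acl);
            if (acl.isEmpty()) {
                accessControlManager.removePolicy(str, acl);
            }
        } catch (RepositoryException e) {
            LOG.error("Error in removeAcl({},{}) : {}", str, str2, e.toString());
            throw e;
        }
    }

    /**
     * Returns the node at a path, creating it and any missing ancestors first. Every node created
     * on the way, ancestors included, gets the same primary type. Nothing is saved here.
     *
     * @param session session used to read and change the repository
     * @param str     path of the node; a blank path means the root node
     * @param str2    primary type for nodes that have to be created
     * @return the existing or newly added node
     * @throws RepositoryException if the node can neither be read nor created
     */
    protected Node makeNodeAvailable(@Nonnull Session session, @Nonnull String str, @Nonnull String str2) throws RepositoryException {
        try {
            return session.getNode(StringUtils.isNotBlank(str) ? str : "/");
        } catch (PathNotFoundException e) {
            if (StringUtils.isBlank(str) || !str.contains("/")) {
                // No parent path can be derived: substringBeforeLast would hand back the same
                // string and the recursion below would never terminate.
                LOG.error("Error in makeNodeAvailable({},{}) : {}", str, str2, e.toString());
                throw e;
            }
            LOG.info("createNode({},{})", str, str2);
            Node parent = makeNodeAvailable(session, StringUtils.substringBeforeLast(str, "/"), str2);
            return parent.addNode(StringUtils.substringAfterLast(str, "/"), str2);
        } catch (RepositoryException e) {
            LOG.error("Error in makeNodeAvailable({},{}) : {}", str, str2, e.toString());
            throw e;
        }
    }

    /**
     * Removes the node at a path, including whatever is stored below it; a missing node is not an
     * error. Nothing is saved here.
     *
     * @param session session used to change the repository
     * @param str     path of the node to remove
     * @throws RepositoryException if the node exists but cannot be removed
     */
    protected void removeNode(@Nonnull Session session, @Nonnull String str) throws RepositoryException {
        try {
            Node node = session.getNode(str);
            LOG.info("removeNode({})", str);
            node.remove();
        } catch (PathNotFoundException ignored) {
            // already gone, which is the state this method is asked to reach
        } catch (RepositoryException e) {
            LOG.error("Error in removeNode({}) : {}", str, e.toString());
            throw e;
        }
    }

    /**
     * Returns the group with the given name, creating it when no authorizable of that name exists.
     * Creation calls {@link Session#save()}, which persists every change pending in the session.
     *
     * @param session session used to change the repository; must be a {@link JackrabbitSession}
     * @param str     name of the group
     * @param str2    intermediate path handed to the user manager for a new group
     * @return the existing or newly created group
     * @throws RepositoryException if the name belongs to a non-group authorizable or creation fails
     */
    protected Authorizable makeGroupAvailable(@Nonnull Session session, @Nonnull final String str, @Nonnull String str2) throws RepositoryException {
        UserManager userManager = ((JackrabbitSession) session).getUserManager();
        Authorizable existing = userManager.getAuthorizable(str);
        if (existing != null) {
            if (existing.isGroup()) {
                return existing;
            }
            // a user of the same name is never silently treated as the group
            throw new RepositoryException("'" + str + "' exists but is not a group");
        }
        LOG.info("addGroup({},{})", str, str2);
        try {
            Group created = userManager.createGroup(new java.security.Principal() {
                @Override
                public String getName() {
                    return str;
                }
            }, str2);
            session.save();
            return created;
        } catch (RepositoryException e) {
            LOG.error("Error in makeGroupAvailable({},{}) : {}", str, str2, e.toString());
            throw e;
        }
    }

    /**
     * Removes the group with the given name; an authorizable that is missing or not a group is
     * left alone. Nothing is saved here.
     *
     * @param session session used to change the repository; must be a {@link JackrabbitSession}
     * @param str     name of the group
     * @throws RepositoryException if the group cannot be removed
     */
    protected void removeGroup(@Nonnull Session session, @Nonnull String str) throws RepositoryException {
        try {
            Authorizable authorizable = ((JackrabbitSession) session).getUserManager().getAuthorizable(str);
            if (authorizable != null && authorizable.isGroup()) {
                LOG.info("removeGroup({})", str);
                authorizable.remove();
            }
        } catch (RepositoryException e) {
            LOG.error("Error in removeGroup({}): {}", str, e.toString());
            throw e;
        }
    }

    /**
     * Makes an authorizable a member of each listed group. An unknown authorizable, and any listed
     * name that is unknown or not a group, is skipped without an error, so a typo in a rule leaves
     * the membership absent. Each added membership is saved at once via {@link Session#save()}.
     *
     * @param session session used to change the repository; must be a {@link JackrabbitSession}
     * @param str     id of the authorizable that becomes a member
     * @param list    ids of the groups to join
     * @throws RepositoryException if a membership cannot be added or saved
     */
    protected void makeMemberAvailable(@Nonnull Session session, @Nonnull String str, @Nonnull List<String> list) throws RepositoryException {
        try {
            UserManager userManager = ((JackrabbitSession) session).getUserManager();
            Authorizable member = userManager.getAuthorizable(str);
            if (member == null) {
                return;
            }
            for (String groupId : list) {
                Authorizable candidate = userManager.getAuthorizable(groupId);
                if (candidate == null || !candidate.isGroup()) {
                    continue;
                }
                Group group = (Group) candidate;
                if (!group.isMember(member)) {
                    LOG.info("addMember({},{})", str, groupId);
                    group.addMember(member);
                    session.save();
                }
            }
        } catch (RepositoryException e) {
            LOG.error("Error in makeMemberAvailable({},{}) : {}", str, list, e.toString());
            throw e;
        }
    }

    /**
     * Removes an authorizable from each listed group. An unknown authorizable, and any listed name
     * that is unknown or not a group, is skipped without an error. Each removed membership is
     * saved at once via {@link Session#save()}.
     *
     * @param session session used to change the repository; must be a {@link JackrabbitSession}
     * @param str     id of the authorizable that stops being a member
     * @param list    ids of the groups to leave
     * @throws RepositoryException if a membership cannot be removed or saved
     */
    protected void removeMember(@Nonnull Session session, @Nonnull String str, @Nonnull List<String> list) throws RepositoryException {
        try {
            UserManager userManager = ((JackrabbitSession) session).getUserManager();
            Authorizable member = userManager.getAuthorizable(str);
            if (member == null) {
                return;
            }
            for (String groupId : list) {
                Authorizable candidate = userManager.getAuthorizable(groupId);
                if (candidate == null || !candidate.isGroup()) {
                    continue;
                }
                Group group = (Group) candidate;
                if (group.isMember(member)) {
                    LOG.info("removeMember({},{})", str, groupId);
                    group.removeMember(member);
                    session.save();
                }
            }
        } catch (RepositoryException e) {
            LOG.error("Error in removeMember({},{}) : {}", str, list, e.toString());
            throw e;
        }
    }
}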
