package org.apache.sling.feature.cpconverter.accesscontrol;

import java.io.File;
import java.io.FileInputStream;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Formatter;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.jcr.NamespaceException;
import org.apache.jackrabbit.spi.PrivilegeDefinition;
import org.apache.jackrabbit.spi.commons.conversion.DefaultNamePathResolver;
import org.apache.jackrabbit.spi.commons.conversion.NameResolver;
import org.apache.jackrabbit.vault.fs.spi.PrivilegeDefinitions;
import org.apache.jackrabbit.vault.util.PlatformNameFormat;
import org.apache.sling.feature.cpconverter.features.FeaturesManager;
import org.apache.sling.feature.cpconverter.repoinit.NoOpVisitor;
import org.apache.sling.feature.cpconverter.repoinit.OperationProcessor;
import org.apache.sling.feature.cpconverter.shared.RepoPath;
import org.apache.sling.feature.cpconverter.vltpkg.VaultPackageAssembler;
import org.apache.sling.repoinit.parser.RepoInitParsingException;
import org.apache.sling.repoinit.parser.impl.RepoInitParserService;
import org.apache.sling.repoinit.parser.impl.WithPathOptions;
import org.apache.sling.repoinit.parser.operations.AclLine;
import org.apache.sling.repoinit.parser.operations.CreatePath;
import org.apache.sling.repoinit.parser.operations.CreateServiceUser;
import org.apache.sling.repoinit.parser.operations.DisableServiceUser;
import org.apache.sling.repoinit.parser.operations.Operation;
import org.apache.sling.repoinit.parser.operations.RegisterNodetypes;
import org.apache.sling.repoinit.parser.operations.RegisterPrivilege;
import org.apache.sling.repoinit.parser.operations.SetAclPrincipalBased;
import org.apache.sling.repoinit.parser.operations.SetAclPrincipals;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/sling/feature/cpconverter/accesscontrol/DefaultAclManager.class */
public class DefaultAclManager implements AclManager, EnforceInfo {
    private static final Logger log = LoggerFactory.getLogger(DefaultAclManager.class);
    // File name looked up below each path prefix when resolving node types for "create path" statements.
    private static final String CONTENT_XML_FILE_NAME = ".content.xml";
    // Null when no supported path was configured; enforcePrincipalBased() tests exactly this.
    private final RepoPath enforcePrincipalBasedSupportedPath;
    // Relative path that intermediate paths of system users must contain (see getRelativeIntermediatePath).
    private final String systemRelPath;
    private final OperationProcessor processor;
    // System users registered through addSystemUser; cleared by reset().
    private final Set<SystemUser> systemUsers;
    // Ids recorded through recordSystemUserIds; not cleared by reset().
    private final Set<String> systemUserIds;
    private final Set<Group> groups;
    private final Set<User> users;
    private final Set<Mapping> mappings;
    // Ids of system users for which at least one registered mapping reports mapsUser(id).
    private final Set<String> mappedById;
    // Access control entries keyed by system user id.
    private final Map<String, List<AccessControlEntry>> acls;
    private final List<RegisterNodetypes> nodetypeOperations;
    // volatile: replaced by addPrivilegeDefinitions and set to null by reset().
    private volatile PrivilegeDefinitions privilegeDefinitions;

    /**
     * Creates a manager without a supported path (principal-based enforcement off) and with
     * {@code "system"} as the relative path for system users.
     */
    public DefaultAclManager() {
        this(null, "system");
    }

    /**
     * Creates a manager, optionally enforcing principal-based access control.
     *
     * @param str  supported path for principal-based access control; {@code null} turns
     *             enforcement off
     * @param str2 relative path that intermediate paths of system users must contain
     * @throws IllegalArgumentException if {@code str} is given and does not contain {@code str2}
     */
    public DefaultAclManager(@Nullable String str, @NotNull String str2) {
        this.processor = new OperationProcessor();
        this.systemUsers = new LinkedHashSet<>();
        this.systemUserIds = new LinkedHashSet<>();
        this.groups = new LinkedHashSet<>();
        this.users = new LinkedHashSet<>();
        this.mappings = new HashSet<>();
        this.mappedById = new HashSet<>();
        this.acls = new HashMap<>();
        this.nodetypeOperations = new LinkedList<>();

        boolean supportedPathGiven = str != null;
        // NOTE(review): this is a plain substring test, so a supported path in which str2 is
        // only part of a segment name passes here; getRelativeIntermediatePath matches on
        // "/"-delimited segments and would reject such a path later. Confirm that is intended.
        if (supportedPathGiven && !str.contains(str2)) {
            throw new IllegalArgumentException("Relative path for system users " + str2 + " not included in " + str);
        }
        if (supportedPathGiven) {
            this.enforcePrincipalBasedSupportedPath = new RepoPath(str);
        } else {
            this.enforcePrincipalBasedSupportedPath = null;
        }
        this.systemRelPath = str2;
    }

    /**
     * Registers a user.
     *
     * @param user the user to remember
     * @return {@code true} if the user was not registered before
     */
    @Override
    public boolean addUser(@NotNull User user) {
        boolean added = users.add(user);
        return added;
    }

    /**
     * Registers a group.
     *
     * @param group the group to remember
     * @return {@code true} if the group was not registered before
     */
    @Override
    public boolean addGroup(@NotNull Group group) {
        boolean added = groups.add(group);
        return added;
    }

    /**
     * Registers a system user and, when it is new, records its id.
     *
     * @param systemUser the system user to remember
     * @return {@code true} if the system user was not registered before
     */
    @Override
    public boolean addSystemUser(@NotNull SystemUser systemUser) {
        boolean added = systemUsers.add(systemUser);
        if (added) {
            // Only a newly added user updates systemUserIds / mappedById.
            recordSystemUserIds(systemUser.getId());
        }
        return added;
    }

    /**
     * Registers a mapping and marks every registered system user it maps as "mapped by id".
     * A mapping that was already registered is ignored.
     *
     * @param mapping the mapping to remember
     */
    @Override
    public void addMapping(@NotNull Mapping mapping) {
        if (!mappings.add(mapping)) {
            return;
        }
        for (SystemUser candidate : systemUsers) {
            String id = candidate.getId();
            if (mapping.mapsUser(id)) {
                // Users mapped by id are later excluded from enforcement (see enforcePrincipalBased(String)).
                mappedById.add(id);
            }
        }
    }

    /**
     * Stores an access control entry for a registered system user.
     *
     * @param str                id of the system user the entry belongs to
     * @param accessControlEntry the entry to store
     * @return {@code false} if no system user with that id is registered, in which case the
     *         entry is not stored here; {@code true} otherwise
     */
    @Override
    public boolean addAcl(@NotNull String str, @NotNull AccessControlEntry accessControlEntry) {
        if (getSystemUser(str).isPresent()) {
            acls.computeIfAbsent(str, id -> new LinkedList<>()).add(accessControlEntry);
            return true;
        }
        return false;
    }

    /**
     * Renders the collected state as repoinit text and hands it to the features manager.
     * Output order: privilege registrations, node type registrations, service users, paths,
     * then ACL statements per system user. Nothing is added when the text is empty.
     *
     * @param list            package assemblers passed on to {@code addPaths}
     * @param featuresManager receiver of the generated repoinit text
     */
    @Override
    public void addRepoinitExtension(@NotNull List<VaultPackageAssembler> list, @NotNull FeaturesManager featuresManager) {
        try (Formatter out = new Formatter()) {
            if (this.privilegeDefinitions != null) {
                registerPrivileges(this.privilegeDefinitions, out);
            }
            for (RegisterNodetypes registration : nodetypeOperations) {
                out.format("%s", registration.asRepoInitString());
            }
            addUsersAndGroups(out);
            addPaths(out, list);
            // Entries whose id no longer resolves to a registered system user are skipped.
            acls.forEach((userId, entries) ->
                    getSystemUser(userId).ifPresent(owner -> addStatements(owner, entries, out)));

            String repoinit = out.toString();
            if (!repoinit.isEmpty()) {
                featuresManager.addOrAppendRepoInitExtension(repoinit, null);
            }
        }
    }

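    /**
     * Processes repoinit text supplied from outside this manager.
     *
     * <p>Blank text is ignored. When {@code str2} equals {@code "seed"} (case-insensitive) the
     * text is only parsed to record the ids of the service users it creates; nothing is added
     * to the features manager. Otherwise the text is added to the features manager: passed
     * through the operation processor when enforcement is on, verbatim when it is off.
     *
     * @param str             repoinit text, may be {@code null}
     * @param str2            second argument of {@code addOrAppendRepoInitExtension}, or "seed"
     * @param featuresManager receiver of the resulting repoinit text
     * @throws IllegalArgumentException if seed text cannot be parsed
     * @throws IllegalStateException    if non-seed text cannot be parsed while enforcement is on
     */
    @Override
    public void addRepoinitExtention(@Nullable String str, @Nullable String str2, @NotNull FeaturesManager featuresManager) {
        if (str == null || str.trim().isEmpty()) {
            return;
        }
        if ("seed".equalsIgnoreCase(str2)) {
            try {
                NoOpVisitor serviceUserCollector = new NoOpVisitor() {
                    @Override
                    public void visitCreateServiceUser(CreateServiceUser createServiceUser) {
                        DefaultAclManager.this.recordSystemUserIds(createServiceUser.getUsername());
                    }
                };
                for (Operation operation : new RepoInitParserService().parse(new StringReader(str))) {
                    operation.accept(serviceUserCollector);
                }
                return;
            } catch (RepoInitParsingException e) {
                throw new IllegalArgumentException(e);
            }
        }
        // try-with-resources closes the formatter on the exception path as well.
        try (Formatter formatter = new Formatter()) {
            if (enforcePrincipalBased()) {
                this.processor.apply(new RepoInitParserService().parse(new StringReader(str)), formatter, this);
            } else {
                // Without enforcement the text is neither parsed nor validated here; it reaches
                // the features manager exactly as supplied.
                formatter.format("%s", str);
            }
            String repoinit = formatter.toString().trim();
            if (!repoinit.isEmpty()) {
                featuresManager.addOrAppendRepoInitExtension(repoinit, str2);
            }
        } catch (RepoInitParsingException e) {
            throw new IllegalStateException(e);
        }
    }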

    /**
     * Writes a "create service user" statement (plus a "disable" statement when a disabled
     * reason is set) for every registered system user, and rejects ACLs that target user or
     * group nodes.
     *
     * @param formatter sink for the generated repoinit statements
     * @throws IllegalStateException if an ACL path lies strictly below a system user's path, or
     *                               at or below the path of a registered group or user
     */
    private void addUsersAndGroups(@NotNull Formatter formatter) {
        for (SystemUser serviceUser : systemUsers) {
            WithPathOptions pathOptions =
                    new WithPathOptions(calculateIntermediatePath(serviceUser), enforcePrincipalBased(serviceUser));
            CreateServiceUser create = new CreateServiceUser(serviceUser.getId(), pathOptions);
            formatter.format("%s", create.asRepoInitString());

            if (serviceUser.getDisabledReason() != null) {
                DisableServiceUser disable = new DisableServiceUser(serviceUser.getId(), serviceUser.getDisabledReason());
                disable.setServiceUser(true);
                formatter.format("%s", disable.asRepoInitString());
            }
            // A policy on the system user's own node is tolerated, one on a subpath is not.
            if (aclIsBelow(serviceUser.getPath())) {
                throw new IllegalStateException("Detected policy on subpath of system-user: " + serviceUser);
            }
        }
        // Groups first, then users; the first authorizable with a policy at or below its path aborts.
        Stream.concat(groups.stream(), users.stream())
                .filter(authorizable -> aclStartsWith(authorizable.getPath()))
                .findFirst()
                .ifPresent(authorizable -> {
                    throw new IllegalStateException("Detected policy on user/group: " + authorizable);
                });
    }

    /**
     * Returns the intermediate path to use in the "create service user" statement.
     *
     * @param systemUser the system user being rendered
     * @return the enforced intermediate path when enforcement applies to this user, otherwise
     *         the user's own intermediate path made relative
     */
    @NotNull
    private String calculateIntermediatePath(@NotNull SystemUser systemUser) {
        RepoPath declared = systemUser.getIntermediatePath();
        if (enforcePrincipalBased(systemUser)) {
            return calculateEnforcedIntermediatePath(declared.toString());
        }
        return getRelativeIntermediatePath(declared.toString());
    }

    /**
     * Writes "create path" statements for paths referenced by resource-based access control
     * entries of system users for which enforcement does not apply.
     *
     * NOTE(review): this listing is decompiler output. The nested lambdas in the middle of the
     * method both use the parameter name repoPath, so the expression
     * "!repoPath.equals(repoPath) && repoPath.startsWith(repoPath)" does not show which path is
     * the receiver and which the argument. Compare with the original source before relying on
     * or changing this filter.
     *
     * @param formatter sink for the generated repoinit statements
     * @param list      package assemblers handed to getCreatePath
     */
    private void addPaths(@NotNull Formatter formatter, @NotNull List<VaultPackageAssembler> list) {
        // Entries of known system users that are not subject to enforcement, flattened.
        Stream flatMap = this.acls.entrySet().stream().filter(entry -> {
            Optional<SystemUser> systemUser = getSystemUser((String) entry.getKey());
            return systemUser.isPresent() && !enforcePrincipalBased(systemUser.get());
        }).map((v0) -> {
            return v0.getValue();
        }).flatMap((v0) -> {
            return v0.stream();
        });
        Predicate predicate = (v0) -> {
            return v0.isPrincipalBased();
        };
        // Repository paths of the entries that are not principal-based.
        Set set = (Set) flatMap.filter(predicate.negate()).map((v0) -> {
            return v0.getRepositoryPath();
        }).collect(Collectors.toSet());
        // Keeps a path only if no other path in the set is related to it by startsWith; the
        // direction of that test is ambiguous in this listing (see the NOTE above).
        Stream filter = set.stream().filter(repoPath -> {
            return set.stream().noneMatch(repoPath -> {
                return !repoPath.equals(repoPath) && repoPath.startsWith(repoPath);
            });
        });
        Predicate predicate2 = (v0) -> {
            return v0.isRepositoryPath();
        };
        // Drops paths for which isRepositoryPath() is true and paths at or above the path of any
        // registered system user, user or group.
        filter.filter(predicate2.negate()).filter(repoPath2 -> {
            return Stream.of((Object[]) new Set[]{this.systemUsers, this.users, this.groups}).flatMap((v0) -> {
                return v0.stream();
            }).noneMatch(abstractUser -> {
                return abstractUser.getPath().startsWith(repoPath2);
            });
        }).map(repoPath3 -> {
            return getCreatePath(repoPath3, list);
        }).filter((v0) -> {
            // getCreatePath returns null when no segment could be typed from a package.
            return Objects.nonNull(v0);
        }).forEach(createPath -> {
            formatter.format("%s", createPath.asRepoInitString());
        });
    }

    /**
     * Tells whether any stored access control entry targets the given path or a path for which
     * {@code startsWith(repoPath)} holds.
     *
     * @param repoPath the path to test against
     * @return {@code true} on the first matching entry
     */
    private boolean aclStartsWith(@NotNull RepoPath repoPath) {
        for (List<AccessControlEntry> entries : acls.values()) {
            for (AccessControlEntry entry : entries) {
                if (entry.getRepositoryPath().startsWith(repoPath)) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Tells whether any stored access control entry targets a path for which
     * {@code startsWith(repoPath)} holds without being equal to {@code repoPath}.
     *
     * @param repoPath the path to test against
     * @return {@code true} on the first matching entry
     */
    private boolean aclIsBelow(@NotNull RepoPath repoPath) {
        for (List<AccessControlEntry> entries : acls.values()) {
            for (AccessControlEntry entry : entries) {
                boolean atOrBelow = entry.getRepositoryPath().startsWith(repoPath);
                if (atOrBelow && !entry.getRepositoryPath().equals(repoPath)) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Writes the ACL statements of one system user: first the principal-based ones, then the
     * remaining ones. An entry is treated as principal-based when it is marked so or when
     * enforcement applies to the user.
     *
     * @param systemUser the principal the entries belong to
     * @param list       the user's access control entries, in insertion order
     * @param formatter  sink for the generated repoinit statements
     */
    private void addStatements(@NotNull SystemUser systemUser, @NotNull List<AccessControlEntry> list, @NotNull Formatter formatter) {
        Map<AccessControlEntry, String> resourceBased = new LinkedHashMap<>();
        Map<AccessControlEntry, String> principalBased = new LinkedHashMap<>();
        for (AccessControlEntry entry : list) {
            String repoInitPath = getRepoInitPath(entry.getRepositoryPath(), systemUser);
            // Evaluated per entry, short-circuiting on the entry's own flag.
            boolean asPrincipalBased = entry.isPrincipalBased() || enforcePrincipalBased(systemUser);
            Map<AccessControlEntry, String> target = asPrincipalBased ? principalBased : resourceBased;
            target.put(entry, repoInitPath);
        }
        List<String> principal = Collections.singletonList(systemUser.getId());
        if (!principalBased.isEmpty()) {
            formatter.format("%s", new SetAclPrincipalBased(principal, asAcLines(principalBased)).asRepoInitString());
        }
        if (!resourceBased.isEmpty()) {
            List<String> principals = Collections.singletonList(systemUser.getId());
            formatter.format("%s", new SetAclPrincipals(principals, asAcLines(resourceBased)).asRepoInitString());
        }
    }

    /**
     * Converts entry-to-path pairs into repoinit ACL lines, keeping the map's iteration order.
     *
     * @param map access control entries with the repoinit path each one applies to
     * @return a new mutable list of ACL lines
     */
    private List<AclLine> asAcLines(@NotNull Map<AccessControlEntry, String> map) {
        List<AclLine> lines = new ArrayList<>();
        for (Map.Entry<AccessControlEntry, String> pair : map.entrySet()) {
            lines.add(pair.getKey().asAclLine(pair.getValue()));
        }
        return lines;
    }

    /**
     * Tells whether a supported path was configured, i.e. whether enforcement is on at all.
     *
     * @return {@code true} when a supported path is set
     */
    private boolean enforcePrincipalBased() {
        return null != enforcePrincipalBasedSupportedPath;
    }

    /**
     * Convenience overload that decides by the system user's id.
     *
     * @param systemUser the system user to check
     * @return the result of {@link #enforcePrincipalBased(String)} for the user's id
     */
    private boolean enforcePrincipalBased(@NotNull SystemUser systemUser) {
        String id = systemUser.getId();
        return enforcePrincipalBased(id);
    }

    /**
     * Looks up a registered system user by id.
     *
     * @param str the id to look for
     * @return the first registered system user with that id, or an empty optional
     */
    @NotNull
    private Optional<SystemUser> getSystemUser(@NotNull String str) {
        for (SystemUser candidate : systemUsers) {
            if (candidate.getId().equals(str)) {
                return Optional.of(candidate);
            }
        }
        return Optional.empty();
    }

    /**
     * Queues a node type registration for the generated repoinit text.
     *
     * @param str the text handed to {@link RegisterNodetypes}
     */
    @Override
    public void addNodetypeRegistration(@NotNull String str) {
        RegisterNodetypes registration = new RegisterNodetypes(str);
        nodetypeOperations.add(registration);
    }

    /**
     * Sets the privilege definitions to register; a later call replaces the earlier value.
     *
     * @param privilegeDefinitions the definitions to render in the repoinit text
     */
    @Override
    public void addPrivilegeDefinitions(@NotNull PrivilegeDefinitions privilegeDefinitions) {
        // Plain overwrite of the volatile field, nothing is merged.
        this.privilegeDefinitions = privilegeDefinitions;
    }

    /**
     * Drops the privilege definitions, node type registrations, stored ACLs and registered
     * system users.
     *
     * <p>NOTE(review): recorded system user ids, users, groups, mappings and the mapped-by-id
     * set are left untouched here; confirm that carrying them over is intended.
     */
    @Override
    public void reset() {
        privilegeDefinitions = null;
        nodetypeOperations.clear();
        acls.clear();
        systemUsers.clear();
    }

    /**
     * Records system user ids and marks each newly recorded id that a registered mapping maps.
     *
     * @param strArr the ids to record
     */
    @Override
    public void recordSystemUserIds(@NotNull String... strArr) {
        for (String id : strArr) {
            boolean firstSeen = systemUserIds.add(id);
            if (!firstSeen) {
                // Already recorded: the mappings are not consulted again.
                continue;
            }
            boolean mapped = mappings.stream().anyMatch(candidate -> candidate.mapsUser(id));
            if (mapped) {
                mappedById.add(id);
            }
        }
    }

    /**
     * Decides whether principal-based access control setup is enforced for a system user id.
     *
     * @param str the system user id
     * @return {@code true} only when a supported path is configured, the id has been recorded
     *         and no mapping by id exists for it; a warning is logged when a mapping by id is
     *         the reason for returning {@code false}
     */
    @Override
    public boolean enforcePrincipalBased(@NotNull String str) {
        boolean candidate = enforcePrincipalBased() && systemUserIds.contains(str);
        if (!candidate) {
            return false;
        }
        if (mappedById.contains(str)) {
            log.warn("Skip enforcing principal-based access control setup for system user '{}' due to existing mapping by id.", str);
            return false;
        }
        return true;
    }

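    /**
     * Computes the intermediate path of a service user so that it lies at or below the
     * configured supported path.
     *
     * <p>The decompiler emitted only a stub that threw {@code UnsupportedOperationException};
     * this body is reconstructed from the instruction dump that accompanied the stub.
     *
     * @param r6 intermediate path of the service user; {@code null} or empty selects the
     *           supported path itself
     * @return the relative intermediate path to use
     * @throws IllegalStateException if no supported path is configured, or if no ancestor of
     *                               the given path contains the supported path
     */
    @Override
    @NotNull
    public String calculateEnforcedIntermediatePath(@Nullable String r6) {
        if (this.enforcePrincipalBasedSupportedPath == null) {
            throw new IllegalStateException("No supported path configured");
        }
        String supportedPath = getRelativeIntermediatePath(this.enforcePrincipalBasedSupportedPath.toString());
        if (r6 == null || r6.isEmpty()) {
            return supportedPath;
        }
        String relativePath = getRelativeIntermediatePath(r6);
        if (org.apache.jackrabbit.vault.util.Text.isDescendantOrEqual(supportedPath, relativePath)) {
            // Already at or below the supported path: keep it unchanged.
            return relativePath;
        }
        // Walk up the given path until an ancestor contains the supported path, then re-attach
        // below the supported path the part of the given path that followed that ancestor.
        String ancestor = org.apache.jackrabbit.vault.util.Text.getRelativeParent(relativePath, 1);
        while (!ancestor.isEmpty() && !"/".equals(ancestor)) {
            if (org.apache.jackrabbit.vault.util.Text.isDescendantOrEqual(ancestor, supportedPath)) {
                String remainder = relativePath.substring(ancestor.length());
                return supportedPath + remainder;
            }
            ancestor = org.apache.jackrabbit.vault.util.Text.getRelativeParent(ancestor, 1);
        }
        throw new IllegalStateException("Cannot calculate intermediate path for service user. Configured Supported path " + this.enforcePrincipalBasedSupportedPath + " has no common ancestor with " + r6);
    }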

    /**
     * Reduces an intermediate path to the part that starts with the system relative path.
     *
     * @param str the intermediate path
     * @return {@code str} itself when it equals or starts with the system relative path,
     *         otherwise the substring starting at the first "/"-delimited occurrence of it
     * @throws IllegalStateException if the system relative path does not occur as a
     *                               "/"-delimited part of {@code str}
     */
    @NotNull
    private String getRelativeIntermediatePath(@NotNull String str) {
        String relRoot = this.systemRelPath;
        boolean alreadyRelative = str.equals(relRoot) || str.startsWith(relRoot + "/");
        if (alreadyRelative) {
            return str;
        }
        // The trailing "/" lets the relative path match as the last segment as well.
        String haystack = str + "/";
        int slashBeforeRoot = haystack.indexOf("/" + relRoot + "/");
        if (slashBeforeRoot < 0) {
            throw new IllegalStateException("Invalid intermediate path for system user " + str + ". Must include " + this.systemRelPath);
        }
        return str.substring(slashBeforeRoot + 1);
    }

    /**
     * Builds a "create path" operation for a repository path, taking node types from the first
     * package assembler that provides a usable {@code .content.xml} for each path prefix.
     *
     * <p>NOTE(review): the segments come from an ACL path and are concatenated into the name
     * passed to {@code getEntry}; how that lookup confines the result to the package directory
     * is not visible here.
     *
     * @param repoPath the repository path to create
     * @param list     package assemblers to search, in order
     * @return the operation, or {@code null} when no segment could be typed from any package
     */
    @Nullable
    protected CreatePath getCreatePath(@NotNull RepoPath repoPath, @NotNull List<VaultPackageAssembler> list) {
        CreatePath operation = new CreatePath((String) null);
        boolean anyTyped = false;
        String platformPath = "";
        // substring(1) drops the first character of the path before splitting into segments.
        String[] segments = repoPath.toString().substring(1).split("/");
        for (String segment : segments) {
            String platformName = PlatformNameFormat.getPlatformName(segment);
            platformPath = platformPath.isEmpty() ? platformName : platformPath + "/" + platformName;

            boolean typed = false;
            for (VaultPackageAssembler assembler : list) {
                File contentXml = assembler.getEntry(platformPath + "/" + CONTENT_XML_FILE_NAME);
                if (contentXml.isFile() && addSegment(operation, segment, contentXml)) {
                    typed = true;
                    anyTyped = true;
                    break;
                }
            }
            if (!typed) {
                // No package yielded a primary type: add the segment without type information.
                operation.addSegment(segment, (String) null);
            }
        }
        return anyTyped ? operation : null;
    }

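    /**
     * Reads primary type and mixins from a {@code .content.xml} file and adds the segment with
     * that type information to the "create path" operation.
     *
     * <p>Both streams are closed on every path, the original exception is kept as the cause of
     * the thrown {@code RuntimeException}, and a mixin value that opens with "[" but lacks the
     * closing "]" no longer loses its last character or fails on a lone "[".
     *
     * <p>NOTE(review): the file originates from a content package. PrimaryTypeParser and
     * MixinParser are not shown here; confirm that both parse with DTDs and external entities
     * disabled.
     *
     * @param createPath the operation to extend
     * @param str        name of the path segment
     * @param file       the {@code .content.xml} file describing the segment
     * @return {@code false} when the file declares no primary type (nothing is added),
     *         {@code true} when the segment was added
     * @throws RuntimeException if the file cannot be read or parsed
     */
    private boolean addSegment(@NotNull CreatePath createPath, @NotNull String str, @NotNull File file) {
        // The file is read twice, once per parser, hence two independent streams.
        try (FileInputStream primaryTypeInput = new FileInputStream(file);
                FileInputStream mixinInput = new FileInputStream(file)) {
            String primaryType = new PrimaryTypeParser().parse(primaryTypeInput);
            if (primaryType == null) {
                return false;
            }
            List<String> mixins = new ArrayList<>();
            String rawMixins = new MixinParser().parse(mixinInput);
            if (rawMixins != null) {
                String names = rawMixins.trim();
                if (names.startsWith("[")) {
                    // Strip the closing bracket only when it is really there.
                    int end = names.endsWith("]") ? names.length() - 1 : names.length();
                    names = names.substring(1, end);
                }
                for (String candidate : names.split(",")) {
                    String mixin = candidate.trim();
                    if (!mixin.isEmpty()) {
                        mixins.add(mixin);
                    }
                }
            }
            createPath.addSegment(str, primaryType, mixins);
            return true;
        } catch (Exception e) {
            throw new RuntimeException("A fatal error occurred while parsing the '" + file + "' file, see nested exceptions: " + e, e);
        }
    }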

    /**
     * Translates a repository path into the path expression used in repoinit ACL lines.
     *
     * @param repoPath   the path the access control entry targets
     * @param systemUser the system user the entry belongs to
     * @return {@code ":repository"} when {@code isRepositoryPath()} holds, a {@code home(id)}
     *         expression when the path is the user's own path or starts with the path of a
     *         registered system user or group, otherwise the path as a string
     */
    @NotNull
    private String getRepoInitPath(@NotNull RepoPath repoPath, @NotNull SystemUser systemUser) {
        if (repoPath.isRepositoryPath()) {
            return ":repository";
        }
        if (isHomePath(repoPath, systemUser.getPath())) {
            return getHomePath(systemUser);
        }
        // System users are searched before groups; registered users are not searched.
        Stream<AbstractUser> candidates = Stream.concat(systemUsers.stream(), groups.stream());
        AbstractUser owner = getOtherUser(repoPath, candidates);
        if (owner == null) {
            return repoPath.toString();
        }
        return getHomePath(owner);
    }

    /**
     * Tells whether a path is exactly the given user path.
     *
     * @param repoPath  the path to test
     * @param repoPath2 the user's path
     * @return {@code true} when both paths are equal
     */
    private boolean isHomePath(@NotNull RepoPath repoPath, @NotNull RepoPath repoPath2) {
        boolean samePath = repoPath.equals(repoPath2);
        return samePath;
    }

    /**
     * Finds the first authorizable whose path is a prefix of the given path, as decided by
     * {@code RepoPath.startsWith}.
     *
     * @param repoPath the path to test
     * @param stream   candidate authorizables; consumed by this call
     * @return the first match, or {@code null} when there is none
     */
    @Nullable
    private static AbstractUser getOtherUser(@NotNull RepoPath repoPath, @NotNull Stream<? extends AbstractUser> stream) {
        return stream
                .filter(candidate -> repoPath.startsWith(candidate.getPath()))
                .findFirst()
                .orElse(null);
    }

    /**
     * Builds the repoinit {@code home(...)} expression for an authorizable.
     *
     * @param abstractUser the authorizable whose id is used
     * @return {@code "home(" + id + ")"}; the id is inserted as returned by {@code getId()},
     *         without quoting or escaping
     */
    @NotNull
    private String getHomePath(@NotNull AbstractUser abstractUser) {
        String id = abstractUser.getId();
        return "home(" + id + ")";
    }

    /**
     * Writes one "register privilege" statement per privilege definition.
     *
     * @param privilegeDefinitions the definitions and the namespace mapping used to resolve names
     * @param formatter            sink for the generated repoinit statements
     * @throws IllegalStateException if a privilege name cannot be resolved to a JCR name
     */
    private static void registerPrivileges(@NotNull PrivilegeDefinitions privilegeDefinitions, @NotNull Formatter formatter) {
        DefaultNamePathResolver resolver = new DefaultNamePathResolver(privilegeDefinitions.getNamespaceMapping());
        for (PrivilegeDefinition definition : privilegeDefinitions.getDefinitions()) {
            RegisterPrivilege statement;
            try {
                statement = new RegisterPrivilege(
                        resolver.getJCRName(definition.getName()),
                        definition.isAbstract(),
                        getAggregatedNames(definition, resolver));
                formatter.format("%s", statement.asRepoInitString());
            } catch (NamespaceException e) {
                throw new IllegalStateException(e);
            }
        }
    }

    /**
     * Resolves the declared aggregate names of a privilege to JCR names.
     *
     * @param privilegeDefinition the privilege whose aggregates are resolved
     * @param nameResolver        resolver used for each name
     * @return an empty list when the privilege declares no aggregates, otherwise the resolved
     *         names
     * @throws IllegalStateException if a name cannot be resolved
     */
    @NotNull
    private static List<String> getAggregatedNames(@NotNull PrivilegeDefinition privilegeDefinition, @NotNull NameResolver nameResolver) {
        Set<org.apache.jackrabbit.spi.Name> aggregates = privilegeDefinition.getDeclaredAggregateNames();
        if (aggregates.isEmpty()) {
            return Collections.emptyList();
        }
        return aggregates.stream().map(aggregate -> {
            try {
                return nameResolver.getJCRName(aggregate);
            } catch (NamespaceException e) {
                // Lambdas cannot throw the checked exception, so it is wrapped unchecked.
                throw new IllegalStateException(e);
            }
        }).collect(Collectors.toList());
    }
}
