package org.apache.sling.jcr.repoinit.impl;

import java.security.Principal;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.jcr.PathNotFoundException;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.ValueFactory;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlException;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy;
import org.apache.jackrabbit.api.security.authorization.PrincipalAccessControlList;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.sling.repoinit.parser.operations.AclLine;
import org.apache.sling.repoinit.parser.operations.RestrictionClause;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/sling/jcr/repoinit/impl/AclUtil.class */
public class AclUtil {
    private static final Logger LOG = LoggerFactory.getLogger(AclUtil.class);

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/apache/sling/jcr/repoinit/impl/AclUtil$LocalAccessControlEntry.class */
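    /**
     * An access control entry as requested by the caller, held locally so it can be compared
     * with the entries a policy already contains before anything is added to that policy.
     */
    public static class LocalAccessControlEntry {
        private final Principal principal;
        private final Privilege[] privileges;
        private final boolean isAllow;
        private final LocalRestrictions restrictions;

        /**
         * Creates an entry without restrictions.
         *
         * @param principal principal the entry applies to
         * @param privileges privileges the entry grants or denies
         * @param isAllow {@code true} for an allow entry, {@code false} for a deny entry
         */
        LocalAccessControlEntry(Principal principal, Privilege[] privileges, boolean isAllow) {
            this(principal, privileges, isAllow, null);
        }

        /**
         * Creates an entry with the given restrictions.
         *
         * @param principal principal the entry applies to
         * @param privileges privileges the entry grants or denies
         * @param isAllow {@code true} for an allow entry, {@code false} for a deny entry
         * @param restrictions restrictions of the entry; {@code null} is replaced by an empty set
         */
        LocalAccessControlEntry(Principal principal, Privilege[] privileges, boolean isAllow, LocalRestrictions restrictions) {
            this.principal = principal;
            this.privileges = privileges;
            this.isAllow = isAllow;
            this.restrictions = restrictions != null ? restrictions : new LocalRestrictions();
        }

        /**
         * Tells whether an existing entry already covers this one.
         *
         * <p>The existing entry must name the same principal, carry the same allow/deny flag and
         * the same restrictions, and its expanded privileges must include every expanded privilege
         * of this entry. A broader existing entry therefore counts as a match; a narrower one,
         * or one with different restrictions, does not.
         *
         * @param existing entry taken from a policy
         * @return {@code true} if {@code existing} covers this entry
         * @throws RepositoryException if reading the existing entry fails
         */
        public boolean isContainedIn(JackrabbitAccessControlEntry existing) throws RepositoryException {
            return existing.getPrincipal().equals(this.principal)
                    && contains(existing.getPrivileges(), this.privileges)
                    && existing.isAllow() == this.isAllow
                    && sameRestrictions(existing);
        }

        /**
         * Flattens a privilege array into a set, replacing each aggregate privilege by the
         * privileges returned from {@code getAggregatePrivileges()}.
         *
         * @param source privileges to expand, may be {@code null}
         * @return the expanded set, empty for {@code null} input
         */
        private Set<Privilege> expandPrivileges(Privilege[] source) {
            Set<Privilege> expanded = new HashSet<>();
            if (source != null) {
                for (Privilege privilege : source) {
                    if (privilege.isAggregate()) {
                        expanded.addAll(Arrays.asList(privilege.getAggregatePrivileges()));
                    } else {
                        expanded.add(privilege);
                    }
                }
            }
            return expanded;
        }

        /**
         * Compares the restrictions of an existing entry with the ones held by this entry.
         *
         * @param existing entry taken from a policy
         * @return {@code true} if both carry the same number of restrictions and every restriction
         *         of {@code existing} has matching values here
         * @throws RepositoryException if reading the existing entry fails
         */
        private boolean sameRestrictions(JackrabbitAccessControlEntry existing) throws RepositoryException {
            String[] existingNames = existing.getRestrictionNames();
            if (existingNames.length != this.restrictions.size()) {
                return false;
            }
            for (String name : existingNames) {
                Value[] existingValues = existing.getRestrictions(name);
                Value single = this.restrictions.getRestrictions().get(name);
                Value[] requestedValues;
                if (single != null) {
                    requestedValues = new Value[] {single};
                } else {
                    Value[] multi = this.restrictions.getMVRestrictions().get(name);
                    // Hand over a copy so the comparison helper can never reorder the array that
                    // this entry holds and that may later be written to the policy.
                    requestedValues = multi != null ? multi.clone() : null;
                }
                boolean requestedHasValues = requestedValues != null && requestedValues.length != 0;
                boolean existingHasValues = existingValues != null && existingValues.length != 0;
                // Two empty or absent value sets count as equal without a comparison.
                if ((requestedHasValues || existingHasValues) && !AclUtil.compareArrays(requestedValues, existingValues)) {
                    return false;
                }
            }
            return true;
        }

        /**
         * @return {@code true} if the expanded form of {@code outer} includes every privilege of
         *         the expanded form of {@code inner}
         */
        private boolean contains(Privilege[] outer, Privilege[] inner) {
            return expandPrivileges(outer).containsAll(expandPrivileges(inner));
        }

        /** Renders principal, privileges and the allow flag; restrictions are not part of the text. */
        @Override
        public String toString() {
            return "[" + getClass().getSimpleName() + "# principal " + this.principal + ", privileges: " + Arrays.toString(this.privileges) + ", isAllow : " + this.isAllow + "]";
        }
    }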

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/sling/jcr/repoinit/impl/AclUtil$LocalRestrictions.class */
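    /**
     * Holder for the restrictions of one access control entry, split into single-valued and
     * multi-valued restrictions keyed by restriction name.
     */
    public static class LocalRestrictions {
        private final Map<String, Value> restrictions;
        private final Map<String, Value[]> mvRestrictions;

        /** Creates an empty restriction set. */
        public LocalRestrictions() {
            this(null, null);
        }

        /**
         * Creates a restriction set backed by the given maps; the maps are stored as passed in,
         * not copied.
         *
         * @param restrictions single-valued restrictions, {@code null} is replaced by an empty map
         * @param mvRestrictions multi-valued restrictions, {@code null} is replaced by an empty map
         */
        public LocalRestrictions(Map<String, Value> restrictions, Map<String, Value[]> mvRestrictions) {
            this.restrictions = restrictions != null ? restrictions : new HashMap<>();
            this.mvRestrictions = mvRestrictions != null ? mvRestrictions : new HashMap<>();
        }

        /** @return the single-valued restrictions (the internal map, not a copy) */
        public Map<String, Value> getRestrictions() {
            return this.restrictions;
        }

        /** @return the multi-valued restrictions (the internal map, not a copy) */
        public Map<String, Value[]> getMVRestrictions() {
            return this.mvRestrictions;
        }

        /** @return the number of single-valued plus multi-valued restrictions */
        public int size() {
            return this.restrictions.size() + this.mvRestrictions.size();
        }
    }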

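    /**
     * Returns the session's access control manager as a {@link JackrabbitAccessControlManager}.
     *
     * @param session session whose access control manager is requested
     * @return the Jackrabbit access control manager of {@code session}
     * @throws IllegalStateException if the manager is missing or is not a Jackrabbit one
     * @throws RepositoryException if the manager cannot be obtained
     */
    public static JackrabbitAccessControlManager getJACM(Session session) throws RepositoryException {
        // Hold the manager under its general type first: the type check below has to run
        // before the value is treated as a Jackrabbit manager.
        final javax.jcr.security.AccessControlManager acm = session.getAccessControlManager();
        // The message is built before checkState runs, so it must not dereference a null manager.
        checkState(acm instanceof JackrabbitAccessControlManager, "AccessControlManager is not a JackrabbitAccessControlManager:" + (acm == null ? null : acm.getClass().getName()));
        return (JackrabbitAccessControlManager) acm;
    }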

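    /**
     * Converts parsed restriction clauses into repository values, using the given access control
     * list to learn each restriction's value type and whether it is multi-valued.
     *
     * @param list restriction clauses, may be {@code null} or empty
     * @param acl access control list queried for restriction type and cardinality
     * @param session session providing the value factory
     * @return the converted restrictions, empty if {@code list} is {@code null} or empty
     * @throws IllegalStateException if a single-valued restriction does not have exactly one value
     *         (an empty {@code rep:glob} is the one exception)
     * @throws RepositoryException if a value cannot be created or the list cannot be queried
     */
    private static LocalRestrictions createLocalRestrictions(List<RestrictionClause> list, JackrabbitAccessControlList acl, Session session) throws RepositoryException {
        Map<String, Value> singleValued = new HashMap<>();
        Map<String, Value[]> multiValued = new HashMap<>();
        if (list != null && !list.isEmpty()) {
            ValueFactory valueFactory = session.getValueFactory();
            for (RestrictionClause clause : list) {
                String name = clause.getName();
                int restrictionType = acl.getRestrictionType(name);
                boolean isMultiValue = acl.isMultiValueRestriction(name);
                List<String> rawValues = clause.getValues();
                Value[] values = new Value[rawValues.size()];
                for (int i = 0; i < values.length; i++) {
                    values[i] = valueFactory.createValue(rawValues.get(i), restrictionType);
                }
                if ("rep:glob".equals(name) && values.length == 0) {
                    // A rep:glob clause without values is stored as the empty-string glob.
                    singleValued.put(name, valueFactory.createValue(""));
                } else if (isMultiValue) {
                    multiValued.put(name, values);
                } else {
                    checkState(values.length == 1, "Expected just one value for single valued restriction with name " + name);
                    singleValued.put(name, values[0]);
                }
            }
        }
        return new LocalRestrictions(singleValued, multiValued);
    }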

    /**
     * Sets access control entries without restrictions; delegates to the overload that takes
     * restriction clauses, passing an empty list.
     *
     * @param session session used to read and modify the policies
     * @param list names of the principals the entries apply to
     * @param list2 paths to set the entries on
     * @param list3 names of the privileges
     * @param z {@code true} for allow entries, {@code false} for deny entries
     * @throws RepositoryException if the delegate fails
     */
    public static void setAcl(Session session, List<String> list, List<String> list2, List<String> list3, boolean z) throws RepositoryException {
        final List<RestrictionClause> noRestrictions = Arrays.<RestrictionClause>asList();
        setAcl(session, list, list2, list3, z, noRestrictions);
    }

    /**
     * Sets access control entries on every given path.
     *
     * <p>The keyword {@code :repository} is routed to the repository-level ACL; any other path
     * must exist as a node, otherwise the call fails before touching that path.
     *
     * @param session session used to read and modify the policies
     * @param list names of the principals the entries apply to
     * @param list2 paths to set the entries on
     * @param list3 names of the privileges
     * @param z {@code true} for allow entries, {@code false} for deny entries
     * @param list4 restriction clauses applied to every entry
     * @throws PathNotFoundException if a path other than {@code :repository} does not exist
     * @throws RepositoryException if reading or writing a policy fails
     */
    public static void setAcl(Session session, List<String> list, List<String> list2, List<String> list3, boolean z, List<RestrictionClause> list4) throws RepositoryException {
        for (String targetPath : list2) {
            if (":repository".equals(targetPath)) {
                setRepositoryAcl(session, list, list3, z, list4);
                continue;
            }
            if (session.nodeExists(targetPath)) {
                setAcl(session, list, targetPath, list3, z, list4);
            } else {
                throw new PathNotFoundException("Cannot set ACL on non-existent path " + targetPath);
            }
        }
    }

    /**
     * Adds one entry per principal to the access control list of a single path and writes the
     * list back only if at least one entry was added.
     *
     * <p>A principal name that cannot be resolved directly is looked up as an authorizable.
     * Entries already covered by an existing entry are skipped and logged.
     *
     * @param session session used to read and modify the policy
     * @param list names of the principals the entries apply to
     * @param str path of the policy; the repository-level caller passes {@code null}
     * @param list2 names of the privileges
     * @param z {@code true} for allow entries, {@code false} for deny entries
     * @param list3 restriction clauses applied to every entry
     * @throws IllegalStateException if no access control list is available for the path or a
     *         principal cannot be resolved
     * @throws RepositoryException if reading or writing the policy fails
     */
    private static void setAcl(Session session, List<String> list, String str, List<String> list2, boolean z, List<RestrictionClause> list3) throws RepositoryException {
        final String[] privilegeNames = list2.toArray(new String[0]);
        final Privilege[] requestedPrivileges = AccessControlUtils.privilegesFromNames(session, privilegeNames);
        final JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(session, str);
        checkState(acl != null, "No JackrabbitAccessControlList available for path " + str);
        final LocalRestrictions requestedRestrictions = createLocalRestrictions(list3, acl, session);
        // Entries are read once, before any addition; later iterations compare against this snapshot.
        final AccessControlEntry[] existingEntries = acl.getAccessControlEntries();
        boolean modified = false;
        for (String principalName : list) {
            Principal principal = AccessControlUtils.getPrincipal(session, principalName);
            if (principal == null) {
                final Authorizable authorizable = UserUtil.getAuthorizable(session, principalName);
                checkState(authorizable != null, "Authorizable not found:" + principalName);
                principal = authorizable.getPrincipal();
            }
            checkState(principal != null, "Principal not found: " + principalName);
            final LocalAccessControlEntry requested = new LocalAccessControlEntry(principal, requestedPrivileges, z, requestedRestrictions);
            if (!contains(existingEntries, requested)) {
                acl.addEntry(requested.principal, requested.privileges, requested.isAllow, requested.restrictions.getRestrictions(), requested.restrictions.getMVRestrictions());
                modified = true;
            } else {
                LOG.info("Not adding {} to path {} since an equivalent access control entry already exists", requested, str);
            }
        }
        if (modified) {
            session.getAccessControlManager().setPolicy(str, acl);
        }
    }

    /**
     * Sets access control entries on the repository level, which is addressed with a
     * {@code null} path.
     *
     * @param session session used to read and modify the policy
     * @param list names of the principals the entries apply to
     * @param list2 names of the privileges
     * @param z {@code true} for allow entries, {@code false} for deny entries
     * @param list3 restriction clauses applied to every entry
     * @throws RepositoryException if reading or writing the policy fails
     */
    public static void setRepositoryAcl(Session session, List<String> list, List<String> list2, boolean z, List<RestrictionClause> list3) throws RepositoryException {
        // Typed as String so the call binds to the single-path overload rather than the path-list one.
        final String repositoryLevelPath = null;
        setAcl(session, list, repositoryLevelPath, list2, z, list3);
    }

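    /**
     * Adds principal-based entries for one principal and writes the policy back only if at least
     * one entry was added.
     *
     * <p>Principal-based lists hold allow entries only, so a {@code DENY} line is rejected. If no
     * principal-based list is available for the principal, the call succeeds only when an
     * equivalent path-based allow entry already exists; otherwise it fails instead of silently
     * leaving the requested access unset.
     *
     * @param session session used to read and modify the policies
     * @param principalName name of the principal the entries apply to
     * @param lines ACL lines providing action, privileges, paths and restrictions
     * @throws AccessControlException if a line asks for a deny entry
     * @throws IllegalStateException if the principal is not found, or no principal-based list is
     *         available and no equivalent path-based entry exists
     * @throws RepositoryException if reading or writing a policy fails
     */
    public static void setPrincipalAcl(Session session, String principalName, Collection<AclLine> lines) throws RepositoryException {
        JackrabbitAccessControlManager acMgr = getJACM(session);
        Principal principal = AccessControlUtils.getPrincipal(session, principalName);
        checkState(principal != null, "Principal not found: " + principalName);
        PrincipalAccessControlList acl = getPrincipalAccessControlList(acMgr, principal);
        boolean modified = false;
        for (AclLine line : lines) {
            if (line.getAction() == AclLine.Action.DENY) {
                throw new AccessControlException("PrincipalAccessControlList doesn't support 'deny' entries.");
            }
            Privilege[] privileges = AccessControlUtils.privilegesFromNames(session, line.getProperty("privileges").toArray(new String[0]));
            for (String path : line.getProperty("paths")) {
                // The repository level is addressed with a null path, not with the keyword.
                String effectivePath = (path == null || path.isEmpty() || ":repository".equals(path)) ? null : path;
                if (acl == null) {
                    LOG.info("No PrincipalAccessControlList available for principal {}", principal);
                    // Look up path-based policies with the normalised path; the raw
                    // ":repository" keyword or an empty string is not a repository path.
                    checkState(containsEquivalentEntry(session, effectivePath, principal, privileges, true, line.getRestrictions()), "No PrincipalAccessControlList available for principal '" + principal + "'.");
                } else {
                    LocalRestrictions restrictions = createLocalRestrictions(line.getRestrictions(), acl, session);
                    if (acl.addEntry(effectivePath, privileges, restrictions.getRestrictions(), restrictions.getMVRestrictions())) {
                        modified = true;
                    } else {
                        LOG.info("Equivalent principal-based entry already exists for principal {} and effective path {} ", principalName, path);
                    }
                }
            }
        }
        if (modified) {
            acMgr.setPolicy(acl.getPath(), acl);
        }
    }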

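    /**
     * Finds the principal-based access control list for a principal.
     *
     * <p>Policies already set for the principal are searched first; if none of them is a
     * {@link PrincipalAccessControlList}, the applicable policies are searched.
     *
     * @param acMgr access control manager to query
     * @param principal principal whose list is requested
     * @return the first matching list, or {@code null} if neither lookup yields one
     * @throws RepositoryException if the policies cannot be read
     */
    private static PrincipalAccessControlList getPrincipalAccessControlList(JackrabbitAccessControlManager acMgr, Principal principal) throws RepositoryException {
        // Both lookups are typed as general Jackrabbit policies; only an instanceof match is cast.
        for (JackrabbitAccessControlPolicy policy : acMgr.getPolicies(principal)) {
            if (policy instanceof PrincipalAccessControlList) {
                return (PrincipalAccessControlList) policy;
            }
        }
        for (JackrabbitAccessControlPolicy policy : acMgr.getApplicablePolicies(principal)) {
            if (policy instanceof PrincipalAccessControlList) {
                return (PrincipalAccessControlList) policy;
            }
        }
        return null;
    }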

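    /**
     * Checks whether a path-based policy at the given path already holds an entry that covers
     * the described one.
     *
     * @param session session used to read the policies
     * @param path path whose policies are inspected
     * @param principal principal of the entry looked for
     * @param privileges privileges of the entry looked for
     * @param isAllow {@code true} for an allow entry, {@code false} for a deny entry
     * @param restrictionClauses restriction clauses of the entry looked for
     * @return {@code true} if some {@link JackrabbitAccessControlList} at the path covers the entry
     * @throws RepositoryException if the policies cannot be read
     */
    private static boolean containsEquivalentEntry(Session session, String path, Principal principal, Privilege[] privileges, boolean isAllow, List<RestrictionClause> restrictionClauses) throws RepositoryException {
        // Policies come back under their general type; only Jackrabbit lists can be compared.
        for (javax.jcr.security.AccessControlPolicy policy : session.getAccessControlManager().getPolicies(path)) {
            if (policy instanceof JackrabbitAccessControlList) {
                JackrabbitAccessControlList acl = (JackrabbitAccessControlList) policy;
                LocalAccessControlEntry requested = new LocalAccessControlEntry(principal, privileges, isAllow, createLocalRestrictions(restrictionClauses, acl, session));
                if (contains(acl.getAccessControlEntries(), requested)) {
                    LOG.info("Equivalent path-based entry exists for principal {} and effective path {} ", requested.principal.getName(), path);
                    return true;
                }
            }
        }
        return false;
    }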

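    /**
     * Tells whether any of the existing entries already covers the requested one, as decided by
     * {@link LocalAccessControlEntry#isContainedIn(JackrabbitAccessControlEntry)}.
     *
     * @param existingEntries entries read from a policy
     * @param requested entry that is about to be added
     * @return {@code true} if a covering entry exists
     * @throws RepositoryException if an existing entry cannot be read
     */
    static boolean contains(AccessControlEntry[] existingEntries, LocalAccessControlEntry requested) throws RepositoryException {
        for (AccessControlEntry entry : existingEntries) {
            if (!(entry instanceof JackrabbitAccessControlEntry)) {
                // Restrictions cannot be read from other entry types, so equivalence cannot be
                // established; such an entry never counts as covering the requested one.
                continue;
            }
            JackrabbitAccessControlEntry jackrabbitEntry = (JackrabbitAccessControlEntry) entry;
            // Rendering the existing entry reads from the repository; skip it unless it is logged.
            if (LOG.isDebugEnabled()) {
                LOG.debug("Comparing {} with {}", requested, toString(jackrabbitEntry));
            }
            if (requested.isContainedIn(jackrabbitEntry)) {
                return true;
            }
        }
        return false;
    }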

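    /**
     * Renders an existing entry for log output.
     *
     * @param entry entry to describe
     * @return text naming the entry's class, principal, privileges, allow flag and restriction names
     * @throws RepositoryException if the entry cannot be read
     */
    private static String toString(JackrabbitAccessControlEntry entry) throws RepositoryException {
        // Arrays.toString for the restriction names: concatenating the array itself would print
        // its identity instead of the names.
        return "[" + entry.getClass().getSimpleName() + "# principal: " + entry.getPrincipal() + ", privileges: " + Arrays.toString(entry.getPrivileges()) + ", isAllow: " + entry.isAllow() + ", restrictionNames: " + Arrays.toString(entry.getRestrictionNames()) + "]";
    }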

    /**
     * Fails with an {@link IllegalStateException} unless the condition holds.
     *
     * @param z condition that must be {@code true}
     * @param str message of the exception thrown when it is not
     */
    private static void checkState(boolean z, String str) {
        if (z) {
            return;
        }
        throw new IllegalStateException(str);
    }

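    /**
     * Compares two arrays as multisets: same elements with the same multiplicity, in any order.
     *
     * <p>The arrays are only read. Elements are matched with {@code equals}, so they need not be
     * mutually comparable, and {@code null} elements match each other.
     *
     * @param objArr first array, may be {@code null}
     * @param objArr2 second array, may be {@code null}
     * @return {@code true} if both are {@code null}, or both hold the same elements
     */
    static boolean compareArrays(Object[] objArr, Object[] objArr2) {
        if (objArr == null && objArr2 == null) {
            return true;
        }
        if (objArr == null || objArr2 == null || objArr.length != objArr2.length) {
            return false;
        }
        // Pair every element of the first array with a not yet used equal element of the second.
        // No sorting: that would reorder the callers' arrays and require comparable elements.
        boolean[] used = new boolean[objArr2.length];
        for (Object left : objArr) {
            boolean found = false;
            for (int i = 0; i < objArr2.length && !found; i++) {
                if (!used[i] && (left == null ? objArr2[i] == null : left.equals(objArr2[i]))) {
                    used[i] = true;
                    found = true;
                }
            }
            if (!found) {
                return false;
            }
        }
        return true;
    }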
}
