package org.apache.sling.pipes.internal;

import java.security.Principal;
import java.util.Arrays;
import java.util.Iterator;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.Privilege;
import javax.json.Json;
import javax.json.JsonArrayBuilder;
import javax.json.JsonObjectBuilder;
import javax.script.ScriptException;
import org.apache.commons.lang3.ArrayUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ValueMap;
import org.apache.sling.pipes.BasePipe;
import org.apache.sling.pipes.PipeBindings;
import org.apache.sling.pipes.Plumber;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/sling/pipes/internal/ACLPipe.class */
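/**
 * Pipe that either reports or changes access control entries for its input resource.
 *
 * <p>When neither {@code allow} nor {@code deny} is configured, the pipe only reads: it
 * serialises the ACL of the input resource (or, for an authorizable resource, every ACE that
 * names that authorizable) to JSON and exposes it as the output binding. When {@code allow}
 * or {@code deny} is configured, the pipe expression is resolved to a principal and an access
 * control entry is added on the input resource's path, unless the pipe runs in dry-run mode.
 *
 * <p>If both flags are set, {@code allow} takes precedence and no deny entry is written.
 */
public class ACLPipe extends BasePipe {
    private static final Logger logger = LoggerFactory.getLogger(ACLPipe.class);
    public static final String RESOURCE_TYPE = "slingPipes/acl";
    public static final String PN_USERNAME = "userName";
    public static final String PN_ALLOW = "allow";
    public static final String PN_DENY = "deny";
    public static final String PN_AUTHORIZABLE = "authorizable";
    public static final String PATH_KEY = "path";
    public static final String PRIVILEGES_KEY = "rep:privileges";
    public static final String ACE_GRANT_KEY = "rep:GrantACE";
    public static final String ACE_DENY_KEY = "rep:DenyACE";
    public static final String JCR_PRIVILEGES_INPUT = "jcr:privileges";
    public static final String PRIVILEGES_JSON_KEY = "privileges";
    Session session;
    UserManager userManager;
    // Privileges resolved for the entry currently being written.
    Privilege[] privileges;
    // Raw "jcr:privileges" configuration; may hold an expression, so it is never overwritten.
    String[] privilegesInput;
    boolean allow;
    boolean deny;
    Object outputBinding;

    /**
     * Returns the JSON built by the read-only mode when present, otherwise the inherited binding.
     */
    @Override // org.apache.sling.pipes.BasePipe, org.apache.sling.pipes.Pipe
    public Object getOutputBinding() {
        if (this.outputBinding != null) {
            return this.outputBinding;
        }
        return super.getOutputBinding();
    }

    /**
     * Reports whether this pipe writes access control entries, i.e. whether allow or deny is set.
     */
    @Override // org.apache.sling.pipes.BasePipe, org.apache.sling.pipes.Pipe
    public boolean modifiesContent() {
        return this.allow || this.deny;
    }

    /**
     * Reads the session, user manager and the allow / deny / jcr:privileges configuration.
     *
     * @throws Exception propagated from the superclass constructor
     */
    public ACLPipe(Plumber plumber, Resource resource, PipeBindings pipeBindings) throws Exception {
        super(plumber, resource, pipeBindings);
        this.session = (Session) this.resolver.adaptTo(Session.class);
        this.userManager = (UserManager) this.resolver.adaptTo(UserManager.class);
        this.privilegesInput = (String[]) this.properties.get(JCR_PRIVILEGES_INPUT, new String[0]);
        this.allow = (Boolean) this.properties.get(PN_ALLOW, false);
        this.deny = (Boolean) this.properties.get(PN_DENY, false);
    }

    /**
     * Binds the current ACLs (read-only mode) or adds an access control entry (allow / deny mode).
     *
     * @return the inherited output, or an empty iterator when there is no input resource
     * @throws IllegalArgumentException if an entry must be written but the expression is empty
     *         or does not resolve to a principal
     * @throws Exception on repository or expression-evaluation failures
     */
    @Override // org.apache.sling.pipes.BasePipe
    public Iterator<Resource> computeOutput() throws Exception {
        Resource input = getInput();
        if (input == null) {
            return EMPTY_ITERATOR;
        }
        if (!this.allow && !this.deny) {
            bindACLs(input);
            return super.computeOutput();
        }
        logger.debug("Going to changing ACL for the resource at path {}", input.getPath());
        String principalName = getExpr();
        if (StringUtils.isEmpty(principalName)) {
            throw new IllegalArgumentException("expression for the principal or authorizable Id should be provided or provided correctly for privileges to be set");
        }
        Principal principal = getPrincipalFor(principalName);
        if (principal == null) {
            // getPrincipalFor returns null for an unknown principal or a failed lookup; fail with
            // a clear message instead of a NullPointerException further down.
            throw new IllegalArgumentException("no principal found for '" + principalName + "', ACL left unchanged");
        }
        if (ArrayUtils.isEmpty(this.privilegesInput)) {
            // With no explicit privileges an allow entry grants jcr:all and a deny entry denies
            // jcr:read. The allow default is broad: configure "jcr:privileges" to grant less.
            String defaultPrivilege = this.allow ? Privilege.JCR_ALL : Privilege.JCR_READ;
            this.privileges = AccessControlUtils.privilegesFromNames(this.session, new String[]{defaultPrivilege});
        } else {
            // Resolve into a local so the configured expression is evaluated again on every call
            // instead of being replaced by the first result.
            String[] resolvedNames = processPrivilegesInput(this.privilegesInput);
            this.privileges = AccessControlUtils.privilegesFromNames(this.session, resolvedNames);
        }
        addAccessControlEntry(input, principal);
        return super.computeOutput();
    }

    /**
     * Serialises the access control entries of the given resource into the output binding.
     *
     * <p>For an authorizable resource the work is delegated to
     * {@link #bindAclsForAuthorizableResource(Authorizable)}. On any failure the binding is set
     * to an empty JSON object and the error is logged.
     */
    protected void bindACLs(Resource resource) {
        try {
            Authorizable authorizable = checkIsAuthorizableResource(resource);
            if (authorizable != null) {
                bindAclsForAuthorizableResource(authorizable);
                return;
            }
            logger.info("binding acls for resource at path {}", resource.getPath());
            JackrabbitAccessControlEntry[] entries = AccessControlUtils.getAccessControlList(this.session, resource.getPath()).getAccessControlEntries();
            JsonArrayBuilder aclJson = Json.createArrayBuilder();
            for (JackrabbitAccessControlEntry entry : entries) {
                JsonArrayBuilder privilegeNames = Json.createArrayBuilder();
                for (Privilege privilege : entry.getPrivileges()) {
                    privilegeNames.add(privilege.getName());
                }
                JsonObjectBuilder entryJson = Json.createObjectBuilder();
                entryJson.add(PN_AUTHORIZABLE, entry.getPrincipal().getName());
                entryJson.add(PRIVILEGES_JSON_KEY, privilegeNames);
                // Exactly one of "allow" / "deny" is emitted per entry.
                entryJson.add(entry.isAllow() ? PN_ALLOW : PN_DENY, true);
                aclJson.add(entryJson);
            }
            this.outputBinding = JsonUtil.toString(aclJson);
        } catch (Exception e) {
            this.outputBinding = JsonUtil.toString(Json.createObjectBuilder());
            logger.error("unable to bind acls", e);
        }
    }

    /**
     * Collects every rep:ACE naming the authorizable and binds them as JSON, split into
     * "allow" and "deny" arrays of {path, privileges} objects.
     *
     * @throws RepositoryException if the authorizable's path or id cannot be read
     */
    protected void bindAclsForAuthorizableResource(Authorizable authorizable) throws RepositoryException {
        String authorizableId = authorizable.getID();
        logger.info("binding acls for authorizable {} and authID {}", authorizable.getPath(), authorizableId);
        // The id is embedded in an XPath string literal: double any single quote so that an id
        // containing one cannot terminate the literal and alter the query.
        String idLiteral = authorizableId.replace("'", "''");
        Iterator<Resource> aces = this.resolver.findResources("/jcr:root//element(*, rep:ACE)[@rep:principalName = '" + idLiteral + "']", "xpath");
        JsonArrayBuilder granted = Json.createArrayBuilder();
        JsonArrayBuilder denied = Json.createArrayBuilder();
        aces.forEachRemaining(ace -> {
            // The ACE sits two levels below the node it protects (node / policy / ACE).
            Resource policy = ace.getParent();
            Resource protectedNode = policy == null ? null : policy.getParent();
            if (protectedNode == null) {
                logger.warn("skipping ACE at {}: protected node is not accessible", ace.getPath());
                return;
            }
            ValueMap aceProperties = ace.adaptTo(ValueMap.class);
            String[] privilegeNames = aceProperties == null ? null : aceProperties.get(PRIVILEGES_KEY, String[].class);
            JsonArrayBuilder privilegesJson = Json.createArrayBuilder();
            if (privilegeNames != null) {
                for (String privilegeName : privilegeNames) {
                    privilegesJson.add(privilegeName);
                }
            }
            JsonObjectBuilder aceJson = Json.createObjectBuilder();
            aceJson.add("path", protectedNode.getPath());
            aceJson.add(PRIVILEGES_JSON_KEY, privilegesJson);
            String aceType = ace.getResourceType();
            if (ACE_GRANT_KEY.equals(aceType)) {
                granted.add(aceJson);
            } else if (ACE_DENY_KEY.equals(aceType)) {
                denied.add(aceJson);
            }
        });
        JsonObjectBuilder result = Json.createObjectBuilder();
        result.add(PN_AUTHORIZABLE, authorizableId);
        result.add(PN_ALLOW, granted);
        result.add(PN_DENY, denied);
        this.outputBinding = JsonUtil.toString(result);
    }

    /**
     * Adapts the resource to an {@link Authorizable}; the result is null when it cannot be adapted.
     */
    protected Authorizable checkIsAuthorizableResource(Resource resource) {
        return (Authorizable) resource.adaptTo(Authorizable.class);
    }

    /**
     * Looks up the principal with the given name.
     *
     * @return the principal, or null when the name is blank, unknown, or the lookup fails
     *         (the failure is logged, not rethrown), so callers must check for null
     */
    protected Principal getPrincipalFor(String str) {
        Principal principal = null;
        try {
            if (StringUtils.isNotBlank(str)) {
                logger.debug("try to find principalId {}", str);
                // NOTE(review): javax.jcr.Session declares no getPrincipalManager(); this call
                // presumably relied on a JackrabbitSession cast lost in decompilation - confirm.
                principal = this.session.getPrincipalManager().getPrincipal(str);
            }
        } catch (Exception e) {
            logger.error("unable to get principal for principalName {} ", str, e);
        }
        return principal;
    }

    /**
     * Adds an allow or deny entry for the principal on the resource's path.
     *
     * <p>The intended change is always logged, which leaves an audit trail; in dry-run mode
     * nothing is written. Allow wins when both flags are set.
     */
    private void addAccessControlEntry(Resource resource, Principal principal) throws Exception {
        boolean dryRun = isDryRun();
        logger.info("adding privileges {} for principal {} allow {} deny {} with dryRun {} ", ArrayUtils.toString(this.privileges), principal.getName(), this.allow, this.deny, dryRun);
        if (dryRun) {
            return;
        }
        if (this.allow || this.deny) {
            // The last argument selects the entry type: true for allow, false for deny.
            AccessControlUtils.addAccessControlEntry(this.session, resource.getPath(), principal, this.privileges, this.allow);
        }
    }

    /**
     * Evaluates the configured privilege names as an expression and, when the result contains
     * a bracketed list, returns its comma-separated items trimmed of surrounding whitespace.
     *
     * @return the parsed names, or the input array unchanged when the evaluated text holds no
     *         well-formed {@code [ ... ]} section
     */
    private String[] processPrivilegesInput(String[] strArr) throws ScriptException {
        String evaluated = this.bindings.instantiateExpression(ArrayUtils.toString(strArr));
        if (evaluated == null) {
            return strArr;
        }
        int open = evaluated.indexOf('[');
        int close = evaluated.indexOf(']');
        // A "]" placed before the "[" is not a list either; without this check substring throws.
        if (open < 0 || close < open) {
            return strArr;
        }
        return Arrays.stream(evaluated.substring(open + 1, close).split(","))
                .map(String::trim)
                .toArray(String[]::new);
    }
}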
