package com.adobe.aem.repoapi.impl.entity;

import com.adobe.aem.dam.api.DamAsset;
import com.adobe.aem.dam.api.DamAssetVersion;
import com.adobe.aem.dam.api.DamEntity;
import com.adobe.aem.dam.api.exception.AccessDeniedException;
import com.adobe.aem.dam.api.exception.DamException;
import com.adobe.aem.dam.api.exception.InvalidOperationException;
import com.adobe.aem.dam.impl.exception.DamExceptionFactory;
import com.adobe.aem.repoapi.impl.Constants;
import com.adobe.aem.repoapi.impl.ResourceUtils;
import com.adobe.aem.repoapi.impl.accesscontrol.PolicyHelper;
import com.adobe.aem.repoapi.impl.accesscontrol.ims.ImsToken;
import com.adobe.aem.repoapi.impl.api.accesscontrol.AccessControlConstants;
import com.adobe.aem.repoapi.impl.api.accesscontrol.AccessControlEntry;
import com.adobe.aem.repoapi.impl.api.accesscontrol.PrimaryAccessControlProvider;
import com.adobe.aem.repoapi.impl.api.accesscontrol.PrincipalMapper;
import com.adobe.aem.repoapi.impl.api.accesscontrol.RelationAccessControlProvider;
import com.adobe.aem.repoapi.impl.api.accesscontrol.RelationPrivileges;
import com.adobe.aem.repoapi.impl.api.accesscontrol.RepoApiAccessControlModifier;
import com.adobe.aem.repoapi.impl.api.accesscontrol.RepoApiPrivilege;
import com.adobe.aem.repoapi.impl.api.exception.ResourceNotAllowedException;
import com.adobe.aem.repoapi.impl.spi.patch.PatchOperation;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.TreeSet;
import java.util.concurrent.CopyOnWriteArrayList;
import javax.annotation.Nonnull;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.oak.spi.security.principal.SystemUserPrincipal;
import org.apache.sling.api.resource.Resource;
import org.json.JSONException;
import org.json.JSONObject;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
import org.osgi.service.component.annotations.ReferencePolicy;
import org.osgi.service.component.annotations.ReferencePolicyOption;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

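/**
 * Reads and updates the Repository API access control list (ACL) of a {@link DamEntity} and
 * answers permission questions about it.
 *
 * <p>Access control entries are produced by the single {@link PrimaryAccessControlProvider} and
 * by any number of {@link RelationAccessControlProvider}s. The relation providers are bound and
 * unbound by OSGi while the service is in use ({@code ReferencePolicy.DYNAMIC}), so they are kept
 * in a {@link CopyOnWriteArrayList}: iteration always works on a snapshot and never races a
 * concurrent bind/unbind.
 *
 * <p>Access-control rules enforced by this class:
 * <ul>
 *   <li>ACLs can neither be read nor written with an external-organization IMS token.</li>
 *   <li>Entries whose principal is a {@link SystemUserPrincipal} (service users) are never
 *       returned to API clients.</li>
 *   <li>Non-primary relations may only be granted {@code READ}/{@code WRITE}; {@code ACK} and
 *       {@code DELETE} are rejected.</li>
 *   <li>Read access for the authenticated principal cannot be denied on the DAM root folder.</li>
 *   <li>Asset versions cannot carry their own access control entries.</li>
 * </ul>
 */
@Component(service = {PermissionService.class})
/* loaded from: input_file:com/adobe/aem/repoapi/impl/entity/PermissionService.class */
public class PermissionService {
    private static final Logger LOG = LoggerFactory.getLogger(PermissionService.class);

    /** Dynamically bound relation providers; copy-on-write so bind/unbind never races iteration. */
    private final List<RelationAccessControlProvider> relationAccessControlProviders = new CopyOnWriteArrayList<>();
    private final PrimaryAccessControlProvider primaryAccessControlProvider;
    private final PrincipalMapper principalMapper;
    private final PolicyHelper policyHelper;

    /**
     * OSGi constructor; delegates to the protected constructor with a default {@link PolicyHelper}.
     *
     * @param primaryAccessControlProvider provider of the primary (non-relation) ACL view
     * @param principalMapper mapper used when re-ordering ACL entries after an update
     */
    @Activate
    public PermissionService(@Nonnull @Reference PrimaryAccessControlProvider primaryAccessControlProvider, @Nonnull @Reference PrincipalMapper principalMapper) {
        this(primaryAccessControlProvider, principalMapper, new PolicyHelper());
    }

    /**
     * Constructor that allows the {@link PolicyHelper} to be supplied (e.g. by tests or subclasses).
     *
     * @param primaryAccessControlProvider provider of the primary (non-relation) ACL view
     * @param principalMapper mapper used when re-ordering ACL entries after an update
     * @param policyHelper helper that parses JSON ACL entries and talks to the JCR policy API
     * @throws NullPointerException if any argument is {@code null}
     */
    protected PermissionService(@Nonnull PrimaryAccessControlProvider primaryAccessControlProvider, @Nonnull PrincipalMapper principalMapper, @Nonnull PolicyHelper policyHelper) {
        this.primaryAccessControlProvider = Objects.requireNonNull(primaryAccessControlProvider, "primaryAccessControlProvider");
        this.principalMapper = Objects.requireNonNull(principalMapper, "principalMapper");
        this.policyHelper = Objects.requireNonNull(policyHelper, "policyHelper");
    }

    /**
     * Returns the currently bound relation access control providers.
     *
     * @return an unmodifiable, live view of the bound providers; use the bind/unbind methods to change it
     */
    public List<RelationAccessControlProvider> getRelationAccessControlProviders() {
        return Collections.unmodifiableList(this.relationAccessControlProviders);
    }

    /**
     * OSGi bind method for relation access control providers.
     *
     * @param relationAccessControlProvider the provider that became available
     */
    @Reference(cardinality = ReferenceCardinality.MULTIPLE, policy = ReferencePolicy.DYNAMIC, policyOption = ReferencePolicyOption.GREEDY, unbind = "removeRelationAccessControlProvider")
    public void addRelationAccessControlProvider(RelationAccessControlProvider relationAccessControlProvider) {
        LOG.info("Binding relation access control provider {}", relationAccessControlProvider.getClass().getName());
        this.relationAccessControlProviders.add(relationAccessControlProvider);
    }

    /**
     * OSGi unbind method for relation access control providers.
     *
     * @param relationAccessControlProvider the provider that went away
     */
    public void removeRelationAccessControlProvider(RelationAccessControlProvider relationAccessControlProvider) {
        LOG.info("Unbinding relation access control provider {}", relationAccessControlProvider.getClass().getName());
        this.relationAccessControlProviders.remove(relationAccessControlProvider);
    }

    /**
     * Collects the effective relation privileges of {@code damEntity} from every bound provider.
     *
     * @param damEntity the entity to inspect
     * @return the concatenated privileges of all providers, in provider binding order
     * @throws DamException if a provider fails to compute its privileges
     */
    public RelationPrivileges[] getAllEffectiveRelPrivileges(@Nonnull DamEntity damEntity) throws DamException {
        List<RelationPrivileges> all = new ArrayList<>();
        for (RelationAccessControlProvider provider : getRelationAccessControlProviders()) {
            Collections.addAll(all, provider.getEffectivePrivileges(damEntity));
        }
        return all.toArray(new RelationPrivileges[0]);
    }

    /**
     * Finds the effective privileges for one relation name.
     *
     * @param damEntity the entity to inspect
     * @param rel the relation name to look for
     * @return the first matching {@link RelationPrivileges} across all providers, or empty if none matches
     * @throws DamException if a provider fails to compute its privileges
     */
    @Nonnull
    public Optional<RelationPrivileges> getEffectiveRelPrivileges(@Nonnull DamEntity damEntity, @Nonnull String rel) throws DamException {
        for (RelationAccessControlProvider provider : getRelationAccessControlProviders()) {
            for (RelationPrivileges privileges : provider.getEffectivePrivileges(damEntity)) {
                if (privileges.getRel().equals(rel)) {
                    return Optional.of(privileges);
                }
            }
        }
        return Optional.empty();
    }

    /**
     * Builds the API representation of the entity's ACL.
     *
     * <p>Each JCR access control entry is first converted by the primary provider and then offered
     * to every relation provider for merging. Entries belonging to service users are omitted so that
     * internal system principals are not disclosed to API clients.
     *
     * @param damEntity the entity whose ACL is read
     * @param imsToken the caller's IMS token
     * @return the API access control entries, possibly empty; never {@code null}
     * @throws AccessDeniedException if the token belongs to an external IMS organization
     * @throws DamException if the repository cannot be read
     */
    public List<AccessControlEntry> getAccessControlList(@Nonnull DamEntity damEntity, @Nonnull ImsToken imsToken) throws DamException {
        if (imsToken.isExternalOrgRequest()) {
            throw new AccessDeniedException("Cannot get access controls from an external IMS Organization token");
        }
        List<AccessControlEntry> entries = new ArrayList<>();
        try {
            Session session = ResourceUtils.getEntitySession(damEntity);
            JackrabbitAccessControlList acl = this.policyHelper.getAccessControlList(
                    Arrays.stream(session.getAccessControlManager().getPolicies(damEntity.getPath())).iterator());
            LOG.debug("Getting access control entries for: {}", acl);
            if (acl == null) {
                return entries;
            }
            for (JackrabbitAccessControlEntry ace : acl.getAccessControlEntries()) {
                LOG.debug("Processing access control entry: {}", ace);
                if (ace.getPrincipal() instanceof SystemUserPrincipal) {
                    // Service-user entries are an implementation detail and must not leak to clients.
                    LOG.debug("Skipping service user Access Control Entry: {}", ace);
                    continue;
                }
                Optional<AccessControlEntry> entry = this.primaryAccessControlProvider.getPrimaryAccessControlEntry(
                        ResourceUtils.getEntityUserManager(damEntity), imsToken, ace);
                for (RelationAccessControlProvider provider : getRelationAccessControlProviders()) {
                    entry = provider.mergeAccessControlEntry(damEntity, imsToken, ace, entry);
                }
                entry.ifPresent(entries::add);
            }
            return entries;
        } catch (RepositoryException e) {
            throw DamExceptionFactory.fromRepositoryException(e);
        }
    }

    /**
     * Applies a list of JSON patch operations to the entity's ACL.
     *
     * <p>All non-remove operations are validated before any operation is applied, so a malformed
     * entry later in the list does not leave earlier entries already written.
     *
     * @param damEntity the entity whose ACL is updated; must not be an asset version
     * @param imsToken the caller's IMS token
     * @param list the patch operations in the order they should be applied; {@code null} or empty is a no-op
     * @throws AccessDeniedException if the token belongs to an external IMS organization
     * @throws InvalidOperationException if the entity is a version or a patch is invalid
     * @throws DamException if the repository update fails
     */
    public void updateAccessControlList(DamEntity damEntity, ImsToken imsToken, List<PatchOperation> list) throws DamException {
        if (imsToken.isExternalOrgRequest()) {
            throw new AccessDeniedException("Cannot set access controls from an external IMS Organization token");
        }
        if (damEntity instanceof DamAssetVersion) {
            throw new InvalidOperationException("Cannot apply access control privileges to asset version");
        }
        if (list == null || list.isEmpty()) {
            return;
        }
        boolean isDamRoot = Constants.DAM_ROOT_PATH.equals(damEntity.getPath());
        // Pass 1: validate every add/replace operation without touching the repository.
        for (int i = 0; i < list.size(); i++) {
            PatchOperation op = list.get(i);
            if (op.getOp() != PatchOperation.OPS.remove) {
                validatePatchOperation(i, op, isDamRoot);
            }
        }
        // Pass 2: apply the operations in order.
        for (int i = 0; i < list.size(); i++) {
            PatchOperation op = list.get(i);
            if (op.getOp() == PatchOperation.OPS.remove) {
                removeAccessControlEntry(damEntity, imsToken, op);
            } else {
                applyAccessControlEntry(i, damEntity, imsToken, op);
            }
        }
    }

    /**
     * Parses the entry of a non-remove patch operation and rejects entries that violate the
     * access-control rules (root-folder deny-read, non-primary rels with ACK/DELETE).
     *
     * @param index position of the operation in the patch, used in the error message
     * @param op the operation to validate
     * @param isDamRoot whether the target entity is the DAM root folder
     * @throws DamException an {@link InvalidOperationException} naming the index if the patch is invalid
     */
    private void validatePatchOperation(int index, PatchOperation op, boolean isDamRoot) throws DamException {
        try {
            AccessControlEntry entry = parsePatchValue(op);
            if (isDamRoot) {
                validateDenyReadForAuthenticated(entry);
            }
            if (!entry.getRelations().contains(Constants.REL_PRIMARY)) {
                List<RepoApiPrivilege> privileges = entry.getPrivileges();
                if (privileges.contains(RepoApiPrivilege.ACK) || privileges.contains(RepoApiPrivilege.DELETE)) {
                    throw new InvalidOperationException("Can only set 'READ' and 'WRITE' privileges to rel resources");
                }
            }
        } catch (InvalidOperationException | JSONException e) {
            throw invalidPatch(index, e);
        }
    }

    /**
     * Applies one add/replace operation: primary provider first, then every relation provider,
     * then the ACL re-ordering step.
     *
     * @param index position of the operation in the patch, used in the error message
     * @param damEntity the entity whose ACL is updated
     * @param imsToken the caller's IMS token
     * @param op the operation to apply
     * @throws DamException if the patch is invalid or the repository update fails
     */
    private void applyAccessControlEntry(int index, DamEntity damEntity, ImsToken imsToken, PatchOperation op) throws DamException {
        try {
            AccessControlEntry entry = parsePatchValue(op);
            this.primaryAccessControlProvider.applyAccessControlUpdate(damEntity, imsToken, op, entry);
            for (RelationAccessControlProvider provider : getRelationAccessControlProviders()) {
                provider.applyAccessControlUpdate(damEntity, imsToken, op, entry);
            }
            try {
                this.policyHelper.ensureAclOrder(op, damEntity, imsToken, this.principalMapper, entry);
            } catch (RepositoryException e) {
                throw DamExceptionFactory.fromRepositoryException(e);
            }
        } catch (InvalidOperationException | JSONException e) {
            throw invalidPatch(index, e);
        }
    }

    /**
     * Applies one remove operation through the policy helper.
     *
     * @param damEntity the entity whose ACL is updated
     * @param imsToken the caller's IMS token
     * @param op the remove operation
     * @throws DamException if the repository update fails
     */
    private void removeAccessControlEntry(DamEntity damEntity, ImsToken imsToken, PatchOperation op) throws DamException {
        try {
            this.policyHelper.handleAclPatchUpdate(null, damEntity, imsToken, op, null, "jcr:read", "rep:write");
        } catch (RepositoryException e) {
            throw DamExceptionFactory.fromRepositoryException(e);
        }
    }

    /**
     * Converts a patch operation's value into an {@link AccessControlEntry}.
     *
     * @param op the operation whose value is parsed
     * @return the parsed entry
     * @throws InvalidOperationException if the value is not a JSON object (previously this surfaced as
     *     an unchecked {@code ClassCastException} instead of a patch validation error)
     * @throws DamException if the policy helper rejects the entry
     * @throws JSONException if the JSON is malformed
     */
    private AccessControlEntry parsePatchValue(PatchOperation op) throws DamException, JSONException {
        Object value = op.getValue();
        if (!(value instanceof JSONObject)) {
            throw new InvalidOperationException("Patch value must be a JSON object");
        }
        return this.policyHelper.parseAccessControlEntry((JSONObject) value);
    }

    /**
     * Wraps a validation failure so the caller learns which patch index was at fault.
     *
     * @param index the failing operation's position
     * @param cause the underlying failure; kept as the exception cause
     * @return the exception to throw
     */
    private static InvalidOperationException invalidPatch(int index, Exception cause) {
        return new InvalidOperationException(String.format("Invalid patch at index %d: %s", index, cause.getMessage()), cause);
    }

    /**
     * Rejects an entry that would deny READ on the primary relation for the authenticated principal.
     * Only called for the DAM root folder, where such an entry would lock every user out.
     *
     * @param accessControlEntry the entry to check
     * @throws InvalidOperationException if the entry is a deny-read for the authenticated principal
     */
    private void validateDenyReadForAuthenticated(AccessControlEntry accessControlEntry) throws InvalidOperationException {
        boolean grantsRead = accessControlEntry.getPrivileges().contains(RepoApiPrivilege.READ);
        boolean onPrimaryRel = accessControlEntry.getRelations().contains(Constants.REL_PRIMARY);
        boolean forAuthenticated = AccessControlConstants.RAPI_PRINCIPAL_AUTHENTICATED.equals(accessControlEntry.getPrincipal().getGuid());
        boolean isDeny = RepoApiAccessControlModifier.DENY.equals(accessControlEntry.getModifier());
        if (grantsRead && onPrimaryRel && forAuthenticated && isDeny) {
            throw new InvalidOperationException("Cannot deny read for Authenticated on root folder");
        }
    }

    /**
     * Checks that a relation name may carry permissions.
     *
     * @param str the relation name
     * @throws ResourceNotAllowedException if the relation cannot be permissioned
     */
    public final void validatePermissionedRel(String str) throws ResourceNotAllowedException {
        this.policyHelper.validatePermissionedRel(str);
    }

    /**
     * Lists the metadata properties of an asset that the current session may not modify.
     *
     * @param damEntity the entity; only {@link DamAsset}s have metadata, anything else yields an empty set
     * @return the sorted names of metadata properties lacking {@code set_property} permission; never {@code null}
     * @throws DamException if the permission check fails
     */
    @Nonnull
    public Set<String> getReadOnlyMetadataProperties(@Nonnull DamEntity damEntity) throws DamException {
        Set<String> readOnly = new TreeSet<>();
        if (!(damEntity instanceof DamAsset)) {
            return readOnly;
        }
        Optional<String> metadataPath = getMetadataResourcePath(damEntity);
        if (!metadataPath.isPresent()) {
            return readOnly;
        }
        Session session = ResourceUtils.getEntitySession(damEntity);
        String prefix = metadataPath.get() + "/";
        try {
            for (String name : ((DamAsset) damEntity).getMetadataProperties().keySet()) {
                if (!session.hasPermission(prefix + name, Session.ACTION_SET_PROPERTY)) {
                    readOnly.add(name);
                }
            }
        } catch (RepositoryException e) {
            throw DamExceptionFactory.fromRepositoryException(e);
        }
        return readOnly;
    }

    /**
     * Resolves the path of the entity's metadata resource ({@code <entity>/jcr:content/<metadata>}).
     *
     * @param damEntity the entity to resolve
     * @return the metadata resource path, or empty if the entity is not a resource or lacks the child nodes
     */
    private Optional<String> getMetadataResourcePath(DamEntity damEntity) {
        return Optional.ofNullable((Resource) damEntity.adaptTo(Resource.class))
                .map(resource -> resource.getChild(Constants.JCR_CONTENT))
                .map(content -> content.getChild(Constants.RESOURCE_METADATA_REPOSITORY))
                .map(Resource::getPath);
    }
}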
