package com.adobe.aem.repoapi.impl.api.accesscontrol;

import com.adobe.aem.dam.api.DamCollection;
import com.adobe.aem.dam.api.DamEntity;
import com.adobe.aem.dam.api.exception.DamException;
import com.adobe.aem.dam.impl.exception.DamExceptionFactory;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import javax.annotation.Nonnull;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/adobe/aem/repoapi/impl/api/accesscontrol/JcrPrivilegeMapper.class */
public class JcrPrivilegeMapper {
    private static final Logger log = LoggerFactory.getLogger(PrincipalPrivileges.class);

    public PrincipalPrivileges getPrivilegesForEntity(@Nonnull DamEntity damEntity) throws DamException {
        ResourceResolver resourceResolver = ((Resource) damEntity.adaptTo(Resource.class)).getResourceResolver();
        Session session = (Session) resourceResolver.adaptTo(Session.class);
        ArrayList arrayList = new ArrayList();
        try {
            boolean hasPrivileges = damEntity.hasPrivileges(new String[]{"{http://www.jcp.org/jcr/1.0}read"});
            boolean z = damEntity.hasPrivileges(new String[]{"jcr:write"}) || damEntity.hasPrivileges(new String[]{"rep:write"});
            if (damEntity instanceof DamCollection) {
                z = z || damEntity.hasPrivileges(new String[]{"jcr:removeChildNodes"});
            }
            if (hasPrivileges && z) {
                log.debug("Principle has JCR read and write access. Map to repo api privileges accordingly.");
                arrayList.add(RepoApiPrivilege.ACK);
                arrayList.add(RepoApiPrivilege.READ);
                arrayList.add(RepoApiPrivilege.WRITE);
                arrayList.add(RepoApiPrivilege.DELETE);
            } else if (z) {
                log.debug("Principle has only JCR write access. Map to repo api privileges accordingly.");
                arrayList.add(RepoApiPrivilege.WRITE);
                arrayList.add(RepoApiPrivilege.DELETE);
            } else if (hasPrivileges) {
                log.debug("Principle has only JCR read access. Map to repo api privileges accordingly.");
                arrayList.add(RepoApiPrivilege.ACK);
                if (!damEntity.hasRestriction(AccessControlConstants.REP_GLOB, session.getValueFactory().createValue(""))) {
                    log.debug("Principle has no glob restrictions. Add read privilege.");
                    arrayList.add(RepoApiPrivilege.READ);
                }
            }
            return new PrincipalPrivileges(new RepoApiPrincipal(resourceResolver.getUserID()), arrayList);
        } catch (RepositoryException e) {
            throw DamExceptionFactory.fromRepositoryException(e);
        }
    }

    public void applyPrivilegesToEntity(@Nonnull PrincipalPrivileges principalPrivileges, @Nonnull DamEntity damEntity) throws DamException {
        String principal = principalPrivileges.getPrincipal().getPrincipal();
        log.debug("Applying {} repo API privileges to resource {} for principal {}", new Object[]{Integer.valueOf(principalPrivileges.getAllPrivileges().length), damEntity.getPath(), principal});
        try {
            ArrayList arrayList = new ArrayList();
            HashMap hashMap = new HashMap();
            Session session = (Session) ((Resource) damEntity.adaptTo(Resource.class)).getResourceResolver().adaptTo(Session.class);
            if (principalPrivileges.hasPrivilege(RepoApiPrivilege.ACK) || principalPrivileges.hasPrivilege(RepoApiPrivilege.READ)) {
                log.debug("Applying jcr:read principal");
                arrayList.add("{http://www.jcp.org/jcr/1.0}read");
                if (!principalPrivileges.hasPrivilege(RepoApiPrivilege.READ)) {
                    log.debug("Applying rep:glob restriction");
                    hashMap.put(AccessControlConstants.REP_GLOB, session.getValueFactory().createValue(""));
                }
            }
            if (principalPrivileges.hasPrivilege(RepoApiPrivilege.DELETE) || principalPrivileges.hasPrivilege(RepoApiPrivilege.WRITE)) {
                log.debug("Applying rep:write privilege");
                arrayList.add("rep:write");
            }
            damEntity.applyPrivileges((String[]) arrayList.toArray(new String[arrayList.size()]), hashMap);
        } catch (RepositoryException e) {
            throw DamExceptionFactory.fromRepositoryException(e);
        }
    }

    public static List<RepoApiPrivilege> getRepoApiPrivileges(JackrabbitAccessControlEntry jackrabbitAccessControlEntry) throws RepositoryException {
        ArrayList arrayList = new ArrayList();
        if (jackrabbitAccessControlEntry.getRestriction(AccessControlConstants.REP_GLOB) != null && !hasAckGlobRestriction(jackrabbitAccessControlEntry)) {
            return arrayList;
        }
        for (Privilege privilege : jackrabbitAccessControlEntry.getPrivileges()) {
            log.debug("Mapping privilege {}", privilege);
            if ("jcr:read".equals(privilege.getName()) || "jcr:all".equals(privilege.getName())) {
                log.trace("Adding ACK privilege");
                arrayList.add(RepoApiPrivilege.ACK);
                if (!hasAckGlobRestriction(jackrabbitAccessControlEntry)) {
                    log.trace("Principle has no glob restrictions. Add read privilege.");
                    arrayList.add(RepoApiPrivilege.READ);
                }
            }
            if ("rep:write".equals(privilege.getName()) || "jcr:write".equals(privilege.getName()) || "jcr:all".equals(privilege.getName())) {
                log.trace("Adding write / delete");
                arrayList.add(RepoApiPrivilege.WRITE);
                arrayList.add(RepoApiPrivilege.DELETE);
            }
            if ("jcr:removeChildNodes".equals(privilege.getName()) && !arrayList.contains(RepoApiPrivilege.WRITE)) {
                arrayList.add(RepoApiPrivilege.WRITE);
                arrayList.add(RepoApiPrivilege.DELETE);
            }
        }
        return arrayList;
    }

    public static boolean hasAckGlobRestriction(JackrabbitAccessControlEntry jackrabbitAccessControlEntry) throws RepositoryException {
        Value[] restrictions = jackrabbitAccessControlEntry.getRestrictions(AccessControlConstants.REP_GLOB);
        if (restrictions == null || restrictions.length != 1) {
            return false;
        }
        return "".equals(restrictions[0].getString());
    }
}
