package com.adobe.aem.dam.impl.accesscontrol;

import com.adobe.aem.dam.api.exception.DamException;
import com.adobe.aem.dam.api.exception.DamRuntimeException;
import com.adobe.aem.dam.api.exception.NotFoundException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.Map;
import java.util.Optional;
import javax.jcr.AccessDeniedException;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.osgi.service.component.annotations.Component;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

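/**
 * OSGi service that inspects and edits the JCR access control list (ACL) bound directly to a
 * resource's path, using the JCR session behind the resource's {@link ResourceResolver}.
 *
 * <p>Points a reviewer should keep in mind when calling this class:
 * <ul>
 *   <li>Lookups use {@link AccessControlManager#getPolicies(String)}, i.e. only policies set on
 *       the exact path. Entries inherited from ancestor nodes are not consulted.</li>
 *   <li>Entries are matched by comparing the entry's principal name with a single name for
 *       string equality. Entries granted to groups the user belongs to are not matched, and
 *       only the first matching entry is returned even if the ACL holds several (for example
 *       an allow and a deny entry) for the same principal.</li>
 *   <li>No method here calls {@code Session.save()}; persisting ACL edits is left to the
 *       caller.</li>
 *   <li>No authorization decision is made in this class beyond what the repository enforces
 *       for the session in use.</li>
 * </ul>
 */
@Component(service = {AccessControlHelper.class})
/* loaded from: input_file:com/adobe/aem/dam/impl/accesscontrol/AccessControlHelper.class */
public class AccessControlHelper {
    private static final Logger log = LoggerFactory.getLogger(AccessControlHelper.class);

    /**
     * Adapts a resolver to its JCR session, failing with a clear message instead of a bare
     * {@link NullPointerException} when the adaptation yields {@code null}.
     */
    private static Session requireSession(ResourceResolver resourceResolver) {
        Session session = (Session) resourceResolver.adaptTo(Session.class);
        if (session == null) {
            throw new DamRuntimeException("Resource resolver could not be adapted to a JCR session");
        }
        return session;
    }

    /**
     * Reports whether the resource's session holds all of the named privileges on the resource.
     *
     * @param resource resource whose path and session are checked
     * @param strArr JCR privilege names to resolve and test
     * @return the result of {@link AccessControlManager#hasPrivileges(String, Privilege[])}
     * @throws RepositoryException if a privilege name cannot be resolved or the check fails
     */
    public boolean hasPrivileges(Resource resource, String[] strArr) throws RepositoryException {
        AccessControlManager accessControlManager = requireSession(resource.getResourceResolver()).getAccessControlManager();
        return accessControlManager.hasPrivileges(resource.getPath(), namesToPrivileges(accessControlManager, strArr));
    }

    /**
     * Checks whether the ACL entry of the current user on this resource carries the named
     * restriction with exactly the given value.
     *
     * <p>The entry is looked up with {@link ResourceResolver#getUserID()} as the principal name,
     * so the caveats in the class comment apply (exact path only, no group entries).
     *
     * <p>NOTE(review): {@code false} is returned both when the restriction is absent and when
     * the session is not allowed to read the ACL ({@link AccessDeniedException}). A caller that
     * reads {@code false} as "unrestricted" would fail open in the second case; confirm each
     * caller treats {@code false} conservatively.
     *
     * @param resource resource whose ACL is inspected
     * @param str restriction name to look up on the user's entry
     * @param value expected restriction value; compared with {@code value.equals(...)}, so the
     *     outcome depends on the {@link Value} implementation's {@code equals}
     * @return {@code true} only if the entry exists, has the restriction, and the values match
     * @throws RepositoryException on repository errors other than access denial
     */
    public boolean hasRestriction(Resource resource, String str, Value value) throws RepositoryException {
        ResourceResolver resourceResolver = resource.getResourceResolver();
        try {
            AccessControlManager accessControlManager = requireSession(resourceResolver).getAccessControlManager();
            UserResourceAccessInfo accessInfo = getAccessControlEntry(accessControlManager, resource.getPath(), resourceResolver.getUserID());
            if (!accessInfo.getUserAccessControlEntry().isPresent()) {
                log.debug("Existing ACLs not found; cannot check for restriction {}", str);
                return false;
            }
            log.debug("Checking existing ACLs for restriction {}", str);
            Value restriction = accessInfo.getUserAccessControlEntry().get().getRestriction(str);
            if (restriction == null) {
                // Log the restriction name that was asked for; the looked-up value is null here.
                log.debug("Restriction {} not found on resource", str);
                return false;
            }
            log.debug("Found {} on resource. Checking that the value matches.", str);
            return value.equals(restriction);
        } catch (AccessDeniedException e) {
            log.info("User reading restrictions has insufficient privileges. Reporting no restrictions.", e);
            return false;
        }
    }

    /**
     * Replaces (or creates) the allow entry for one principal in the ACL bound to the resource's
     * path and hands the modified ACL to {@link AccessControlManager#setPolicy}.
     *
     * <p>An existing entry for the principal is removed first; when {@code strArr} is empty this
     * leaves the principal without an entry on this path. The principal name, privilege names
     * and restrictions are taken from the caller as-is, and the only permission check is the
     * one the repository applies to the resource's session. The session is not saved here.
     *
     * @param str name of the principal whose entry is written
     * @param strArr JCR privilege names to grant; may be empty
     * @param resource resource whose ACL is edited
     * @param map restrictions to attach to the new entry, keyed by restriction name
     * @throws RepositoryException on repository errors
     * @throws DamException if the principal cannot be found
     * @throws DamRuntimeException if the session is not a {@link JackrabbitSession} or no ACL
     *     can be obtained for the path
     */
    public void applyJcrPrivilegesToResource(String str, String[] strArr, Resource resource, Map<String, Value> map) throws RepositoryException, DamException {
        Session session = (Session) resource.getResourceResolver().adaptTo(Session.class);
        // instanceof is also false for null, so a failed adaptation is rejected here as well.
        if (!(session instanceof JackrabbitSession)) {
            throw new DamRuntimeException("Session is not a jackrabbit session");
        }
        JackrabbitSession jackrabbitSession = (JackrabbitSession) session;
        AccessControlManager accessControlManager = jackrabbitSession.getAccessControlManager();
        UserResourceAccessInfo accessInfo = getAccessControlEntry(accessControlManager, resource.getPath(), str);
        Principal principal = getPrincipalByName(jackrabbitSession, str);
        Privilege[] privileges = namesToPrivileges(accessControlManager, strArr);

        JackrabbitAccessControlList updatedAcl;
        if (accessInfo.getUserAccessControlEntry().isPresent()) {
            log.debug("ACL already exists on resource for principal. Overwriting existing entry");
            updatedAcl = replaceExistingEntry(accessInfo.getResourceAccessControlList().get(), (AccessControlEntry) accessInfo.getUserAccessControlEntry().get(), principal, privileges, map);
        } else {
            log.debug("ACL does not exist on resource for principal. Creating entry");
            updatedAcl = createNewEntry(accessControlManager, accessInfo.getResourceAccessControlList(), principal, resource.getPath(), privileges, map);
        }
        // createNewEntry returns null when there was nothing to add; leave the policy untouched.
        if (updatedAcl != null) {
            log.debug("ACL was modified, applying policy.");
            accessControlManager.setPolicy(resource.getPath(), updatedAcl);
        }
    }

    /**
     * Adds an allow entry for the principal to the given ACL, or to an applicable ACL for the
     * path when none was supplied.
     *
     * @param accessControlManager manager used to look up applicable policies
     * @param optional ACL already bound to the path, if any
     * @param principal principal the entry is for
     * @param str absolute path the ACL belongs to
     * @param privilegeArr privileges to grant; an empty array adds nothing
     * @param map restrictions for the new entry
     * @return the modified ACL, or {@code null} if {@code privilegeArr} is empty
     * @throws RepositoryException on repository errors
     * @throws DamRuntimeException if no ACL is available for the path; this is checked before
     *     the empty-privileges case
     */
    public JackrabbitAccessControlList createNewEntry(AccessControlManager accessControlManager, Optional<JackrabbitAccessControlList> optional, Principal principal, String str, Privilege[] privilegeArr, Map<String, Value> map) throws RepositoryException {
        JackrabbitAccessControlList acl;
        if (optional.isPresent()) {
            acl = optional.get();
        } else {
            log.debug("Existing ACL does not exist. Retrieving from applicable policies");
            acl = getAccessControlList(accessControlManager.getApplicablePolicies(str));
        }
        if (acl == null) {
            throw new DamRuntimeException("Unable to retrieve ACL for path " + str);
        }
        if (privilegeArr.length <= 0) {
            log.debug("No privileges provided, not creating entry.");
            return null;
        }
        log.debug("Adding new ACL entry");
        addAclEntry(acl, principal, privilegeArr, map);
        return acl;
    }

    /**
     * Removes one entry from the ACL and, if privileges are given, adds a fresh allow entry for
     * the principal in its place.
     *
     * <p>Only the entry passed in is removed. Any other entries the ACL holds for the same
     * principal stay as they are.
     *
     * @param jackrabbitAccessControlList ACL to edit in place
     * @param accessControlEntry entry to remove
     * @param principal principal the replacement entry is for
     * @param privilegeArr privileges for the replacement; empty means remove only
     * @param map restrictions for the replacement entry
     * @return the same ACL instance, modified
     * @throws RepositoryException on repository errors
     */
    public JackrabbitAccessControlList replaceExistingEntry(JackrabbitAccessControlList jackrabbitAccessControlList, AccessControlEntry accessControlEntry, Principal principal, Privilege[] privilegeArr, Map<String, Value> map) throws RepositoryException {
        log.debug("Removing existing entry for principal {}", principal.getName());
        jackrabbitAccessControlList.removeAccessControlEntry(accessControlEntry);
        if (privilegeArr.length > 0) {
            log.debug("Adding new entry for principal {}", principal.getName());
            addAclEntry(jackrabbitAccessControlList, principal, privilegeArr, map);
        }
        return jackrabbitAccessControlList;
    }

    /**
     * Adds an allow entry ({@code isAllow = true}) to the ACL and fails if the ACL reports that
     * it was not changed.
     *
     * @param jackrabbitAccessControlList ACL to edit in place
     * @param principal principal the entry is for
     * @param privilegeArr privileges to grant
     * @param map restrictions for the entry
     * @throws RepositoryException on repository errors
     * @throws DamRuntimeException if {@code addEntry} returns {@code false}
     */
    public void addAclEntry(JackrabbitAccessControlList jackrabbitAccessControlList, Principal principal, Privilege[] privilegeArr, Map<String, Value> map) throws RepositoryException {
        boolean modified = jackrabbitAccessControlList.addEntry(principal, privilegeArr, true, map);
        if (!modified) {
            throw new DamRuntimeException("Unable to apply entry to ACL for unspecified reason");
        }
    }

    /**
     * Collects the ACL bound to a path and the first entry in it whose principal name equals the
     * given name.
     *
     * <p>If the session lacks {@code jcr:readAccessControl} on the path, the result carries
     * neither ACL nor entry, which callers cannot tell apart from "no ACL is set".
     *
     * @param accessControlManager manager of the session doing the lookup
     * @param str absolute path whose directly bound policies are read
     * @param str2 principal name to match, compared with {@code String.equals}
     * @return access info with the ACL and entry where found, {@code null} placeholders otherwise
     * @throws RepositoryException on repository errors
     */
    public UserResourceAccessInfo getAccessControlEntry(AccessControlManager accessControlManager, String str, String str2) throws RepositoryException {
        Privilege readAcl = accessControlManager.privilegeFromName(Privilege.JCR_READ_ACCESS_CONTROL);
        if (!accessControlManager.hasPrivileges(str, new Privilege[]{readAcl})) {
            log.debug("Session does not have READ ACL access to resource path.");
            return new UserResourceAccessInfo(str2, str, null, null);
        }
        JackrabbitAccessControlList accessControlList = getAccessControlList(Arrays.stream(accessControlManager.getPolicies(str)).iterator());
        if (accessControlList == null) {
            log.debug("Resource does not have an existing ACL.");
            return new UserResourceAccessInfo(str2, str, null, null);
        }
        log.debug("Resource has an existing ACL. Looking for entry for principal {}", str2);
        // getAccessControlEntries() is declared to return AccessControlEntry[]; each element is
        // narrowed explicitly because the rest of this class needs getRestriction().
        for (AccessControlEntry rawEntry : accessControlList.getAccessControlEntries()) {
            JackrabbitAccessControlEntry entry = (JackrabbitAccessControlEntry) rawEntry;
            String entryPrincipal = entry.getPrincipal().getName();
            // With debug logging on, this writes every principal named in the ACL to the log.
            log.debug("Resource ACL has entry for principal {}", entryPrincipal);
            if (entryPrincipal.equals(str2)) {
                log.debug("Found matching entry for principal {}", str2);
                return new UserResourceAccessInfo(str2, str, accessControlList, entry);
            }
        }
        log.debug("Resource ACL does not have an entry for principal {}", str2);
        return new UserResourceAccessInfo(str2, str, accessControlList, null);
    }

    /**
     * Returns the first policy from the iterator that is a {@link JackrabbitAccessControlList}.
     *
     * @param it iterator over {@link AccessControlPolicy} objects
     * @return the first ACL found, or {@code null} if the iterator holds none
     */
    public JackrabbitAccessControlList getAccessControlList(Iterator<?> it) {
        while (it.hasNext()) {
            AccessControlPolicy policy = (AccessControlPolicy) it.next();
            log.debug("Policy iterator has a {} policy.", policy.getClass().getSimpleName());
            if (policy instanceof JackrabbitAccessControlList) {
                log.debug("Found ACL in policy iterator");
                return (JackrabbitAccessControlList) policy;
            }
        }
        log.debug("Given policy iterator does not contain an ACL");
        return null;
    }

    /**
     * Resolves privilege names to {@link Privilege} objects, preserving order.
     *
     * @param accessControlManager manager used to resolve each name
     * @param strArr privilege names
     * @return one privilege per name; empty if {@code strArr} is empty
     * @throws RepositoryException if a name cannot be resolved
     */
    public Privilege[] namesToPrivileges(AccessControlManager accessControlManager, String[] strArr) throws RepositoryException {
        Privilege[] privileges = new Privilege[strArr.length];
        for (int i = 0; i < strArr.length; i++) {
            privileges[i] = accessControlManager.privilegeFromName(strArr[i]);
        }
        return privileges;
    }

    /**
     * Looks up a principal by name through the session's principal manager.
     *
     * @param jackrabbitSession session providing the principal manager
     * @param str principal name
     * @return the principal, never {@code null}
     * @throws DamException ({@link NotFoundException}) if no such principal is known
     * @throws RepositoryException on repository errors
     */
    public Principal getPrincipalByName(JackrabbitSession jackrabbitSession, String str) throws DamException, RepositoryException {
        Principal principal = jackrabbitSession.getPrincipalManager().getPrincipal(str);
        if (principal == null) {
            throw new NotFoundException("Unable to find principal " + str);
        }
        return principal;
    }
}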
