package com.adobe.aem.repoapi.impl.accesscontrol;

import com.adobe.aem.dam.api.DamEntity;
import com.adobe.aem.dam.api.exception.DamException;
import com.adobe.aem.dam.api.exception.DamRuntimeException;
import com.adobe.aem.dam.api.exception.InvalidOperationException;
import com.adobe.aem.dam.impl.exception.DamExceptionFactory;
import com.adobe.aem.repoapi.impl.Constants;
import com.adobe.aem.repoapi.impl.ResourceUtils;
import com.adobe.aem.repoapi.impl.accesscontrol.ims.ImsToken;
import com.adobe.aem.repoapi.impl.api.accesscontrol.AccessControlConstants;
import com.adobe.aem.repoapi.impl.api.accesscontrol.AccessControlEntry;
import com.adobe.aem.repoapi.impl.api.accesscontrol.JcrPrivilegeMapper;
import com.adobe.aem.repoapi.impl.api.accesscontrol.PrincipalMapper;
import com.adobe.aem.repoapi.impl.api.accesscontrol.RepoApiAccessControlInheritance;
import com.adobe.aem.repoapi.impl.api.accesscontrol.RepoApiAccessControlModifier;
import com.adobe.aem.repoapi.impl.api.accesscontrol.RepoApiPrincipal;
import com.adobe.aem.repoapi.impl.api.accesscontrol.RepoApiPrivilege;
import com.adobe.aem.repoapi.impl.api.exception.ResourceNotAllowedException;
import com.adobe.aem.repoapi.impl.api.exception.UnprocessableEntityException;
import com.adobe.aem.repoapi.impl.spi.patch.PatchOperation;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.annotation.Nullable;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.oak.spi.security.principal.SystemUserPrincipal;
import org.json.JSONArray;
import org.json.JSONException;
import org.json.JSONObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/adobe/aem/repoapi/impl/accesscontrol/PolicyHelper.class */
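/**
 * Helpers shared by the repo-api access-control code: locating a JCR ACL in a policy
 * iterator, translating between Jackrabbit ACEs and repo-api {@link AccessControlEntry}s,
 * parsing ACL entries from JSON, and applying JSON-patch {@code add}/{@code remove}/reorder
 * operations to an entity's ACL.
 *
 * <p>Patch indexes are interpreted against the "applicable" view of the ACL (see
 * {@link #getApplicableAccessControlList}), which hides entries for Oak system users so a
 * client can never address or remove them by index.
 *
 * <p>Note: this listing was recovered from a compiled class; decompiler artifacts (raw
 * types, impossible casts, synthetic lambda captures) have been rewritten as plain Java.
 */
public class PolicyHelper {
    private static final Logger log = LoggerFactory.getLogger(PolicyHelper.class);

    /** JSON-patch path prefix for ACL entries: {@code /acl/<index>}. */
    private static final String ACL_PATH_PREFIX = "/acl/";
    /** JSON-patch "append" path; {@link #getPatchIndex} maps it to {@code -1}. */
    private static final String ACL_APPEND_PATH = "/acl/-";

    /** Relations a client may attach permissions to; anything else is rejected. */
    private static final Set<String> PERMISSIONED_RELS = new HashSet<>();
    /** Relations whose ACEs are scoped with a {@code rep:glob} restriction, keyed to that glob. */
    private static final Map<String, String> JCR_RESTRICTION_RELS = new HashMap<>();

    /**
     * Returns the first {@link JackrabbitAccessControlList} in a policy iterator.
     *
     * @param policies iterator of {@link AccessControlPolicy} instances (each element is cast)
     * @return the first ACL found, or {@code null} if the iterator holds none
     */
    public JackrabbitAccessControlList getAccessControlList(Iterator<?> policies) {
        while (policies.hasNext()) {
            AccessControlPolicy policy = (AccessControlPolicy) policies.next();
            log.debug("Policy iterator has a {} policy.", policy.getClass().getSimpleName());
            if (policy instanceof JackrabbitAccessControlList) {
                log.debug("Found ACL in policy iterator");
                return (JackrabbitAccessControlList) policy;
            }
        }
        log.debug("Given policy iterator does not contain an ACL");
        return null;
    }

    /**
     * Resolves JCR privilege names to {@link Privilege} objects.
     *
     * @param accessControlManager manager used to resolve names
     * @param privilegeNames privilege names such as {@code jcr:read}
     * @return privileges in iteration order of {@code privilegeNames}
     * @throws RepositoryException if a name is unknown to the repository
     */
    public Privilege[] namesToPrivileges(AccessControlManager accessControlManager, Set<String> privilegeNames) throws RepositoryException {
        List<Privilege> privileges = new ArrayList<>(privilegeNames.size());
        for (String name : privilegeNames) {
            privileges.add(accessControlManager.privilegeFromName(name));
        }
        return privileges.toArray(new Privilege[0]);
    }

    /**
     * Converts a Jackrabbit ACE into a repo-api entry for the primary relation.
     *
     * @return the converted entry, or empty when none of the ACE's privileges map to a
     *         repo-api privilege
     * @throws DamException if the principal or privileges cannot be read from the repository
     */
    public Optional<AccessControlEntry> getPrimaryRepoApiAccessControlEntry(PrincipalMapper principalMapper, UserManager userManager, ImsToken imsToken, JackrabbitAccessControlEntry jackrabbitAccessControlEntry) throws DamException {
        try {
            RepoApiAccessControlModifier modifier = jackrabbitAccessControlEntry.isAllow()
                    ? RepoApiAccessControlModifier.GRANT
                    : RepoApiAccessControlModifier.DENY;
            RepoApiPrincipal principal = principalMapper.oakPrincipalToRepoApiPrincipal(userManager, imsToken, jackrabbitAccessControlEntry.getPrincipal());
            List<RepoApiPrivilege> privileges = JcrPrivilegeMapper.getRepoApiPrivileges(jackrabbitAccessControlEntry);
            if (privileges.isEmpty()) {
                return Optional.empty();
            }
            return Optional.of(new AccessControlEntry(principal, privileges, modifier));
        } catch (RepositoryException e) {
            throw DamExceptionFactory.fromRepositoryException(e);
        }
    }

    /**
     * Returns the ACEs a client may see and address by index: every entry of the ACL except
     * those held by an Oak {@link SystemUserPrincipal}. All patch indexes in this class refer
     * to positions in this list, not in the raw ACL.
     *
     * @param acl the ACL, may be {@code null}
     * @return a new mutable list (empty when {@code acl} is {@code null})
     */
    public List<javax.jcr.security.AccessControlEntry> getApplicableAccessControlList(JackrabbitAccessControlList acl) throws RepositoryException {
        if (acl == null) {
            return new ArrayList<>();
        }
        return Arrays.stream(acl.getAccessControlEntries())
                .filter(ace -> !(ace.getPrincipal() instanceof SystemUserPrincipal))
                .collect(Collectors.toList());
    }

    /**
     * Extracts the ACE index from a JSON-patch path.
     *
     * <p>The path is client-supplied, so it is validated strictly: it must be exactly
     * {@code /acl/-} (append, returned as {@code -1}) or {@code /acl/<n>} with a non-negative
     * integer {@code n}. Previously any path was blindly sliced at offset 5, which accepted
     * unrelated prefixes, threw {@link StringIndexOutOfBoundsException} on short paths and let
     * negative indexes reach {@code List.get}.
     *
     * @return the ACE index, or {@code -1} for the append path
     * @throws NumberFormatException if the path is not of the accepted form
     */
    public final int getPatchIndex(PatchOperation patchOperation) {
        String path = patchOperation.getPath();
        if (ACL_APPEND_PATH.equals(path)) {
            return -1;
        }
        if (path == null || !path.startsWith(ACL_PATH_PREFIX) || path.length() == ACL_PATH_PREFIX.length()) {
            throw new NumberFormatException("Invalid ACL patch path: " + path);
        }
        int index = Integer.parseInt(path.substring(ACL_PATH_PREFIX.length()), 10);
        if (index < 0) {
            throw new NumberFormatException("Negative ACL patch index in path: " + path);
        }
        return index;
    }

    /**
     * Parses one ACL entry from its JSON representation.
     *
     * <p>Accepted shape: {@code repo:principal} (a string id or an object with {@code id},
     * {@code type} and optional {@code xdm:provider.id}), {@code repo:privileges} (array of
     * privilege names), optional {@code repo:relations}, {@code repo:modifier} and
     * {@code repo:inheritance}. Every relation must be in the permissioned set; a relations
     * array consisting solely of the primary relation is treated the same as no relations.
     *
     * @throws JSONException if a required property is missing or malformed
     * @throws InvalidOperationException for an invalid principal, modifier or inheritance value
     * @throws UnprocessableEntityException if inheritance is anything other than DEEP
     * @throws ResourceNotAllowedException if a relation is not permissioned
     */
    public AccessControlEntry parseAccessControlEntry(JSONObject json) throws JSONException, DamException {
        RepoApiPrincipal principal = parsePrincipal(json);

        List<RepoApiPrivilege> privileges = new ArrayList<>();
        JSONArray privilegeNames = json.getJSONArray(AccessControlConstants.PN_REPO_PRIVILEGES);
        for (int i = 0; i < privilegeNames.length(); i++) {
            privileges.add(RepoApiPrivilege.fromString(privilegeNames.getString(i)));
        }

        List<String> relations = parseRelations(json);
        AccessControlEntry entry;
        if (relations.isEmpty()) {
            entry = new AccessControlEntry(principal, privileges);
        } else {
            entry = new AccessControlEntry(principal, privileges, relations.get(0));
            for (String relation : relations.subList(1, relations.size())) {
                entry.addRelation(relation);
            }
            entry.notAllRelsMatch();
        }

        if (json.has(AccessControlConstants.PN_REPO_MODIFIER)) {
            try {
                entry.setModifier(RepoApiAccessControlModifier.fromString(json.getString(AccessControlConstants.PN_REPO_MODIFIER)));
            } catch (IllegalArgumentException e) {
                throw new InvalidOperationException("Invalid value for repo:modifier", e);
            }
        }

        if (json.has(AccessControlConstants.PN_REPO_INHERITANCE)) {
            try {
                RepoApiAccessControlInheritance inheritance = RepoApiAccessControlInheritance.fromString(json.getString(AccessControlConstants.PN_REPO_INHERITANCE));
                // Only DEEP inheritance can be expressed on an api:ac/policy; reject the rest.
                if (inheritance != RepoApiAccessControlInheritance.DEEP) {
                    throw new UnprocessableEntityException("Unsupported inheritence for api:ac/policy: " + json.getString(AccessControlConstants.PN_REPO_INHERITANCE));
                }
                entry.setInheritance(inheritance);
            } catch (IllegalArgumentException e) {
                throw new InvalidOperationException("Invalid value for repo:inheritance", e);
            }
        }
        return entry;
    }

    /** Reads {@code repo:principal} (string id or object form) and rejects an INVALID principal type. */
    private RepoApiPrincipal parsePrincipal(JSONObject json) throws JSONException, InvalidOperationException {
        String id;
        String type = null;
        String providerId = null;
        if (json.get(AccessControlConstants.PN_REPO_PRINCIPAL) instanceof String) {
            id = json.getString(AccessControlConstants.PN_REPO_PRINCIPAL);
        } else {
            JSONObject principalJson = json.getJSONObject(AccessControlConstants.PN_REPO_PRINCIPAL);
            id = principalJson.getString(AccessControlConstants.PN_ID);
            try {
                type = principalJson.getString(AccessControlConstants.PN_TYPE);
                if (principalJson.has(AccessControlConstants.PN_XDM_PROVIDER)) {
                    providerId = principalJson.getJSONObject(AccessControlConstants.PN_XDM_PROVIDER).getString(AccessControlConstants.PN_ID);
                }
            } catch (NullPointerException | JSONException e) {
                // Best effort: type/provider are optional here; RepoApiPrincipal decides
                // whether the remaining data still yields a valid principal type.
                log.warn("Failed to parse type and provider ref", e);
            }
        }
        log.debug("Loading principal from ID: {}", id);
        RepoApiPrincipal principal = new RepoApiPrincipal(id, type, providerId);
        if (principal.getType() == RepoApiPrincipal.TYPE.INVALID) {
            throw new InvalidOperationException("Cannot create access control with invalid principal: " + id);
        }
        return principal;
    }

    /**
     * Reads and validates {@code repo:relations}. Returns an empty list when the property is
     * absent or is exactly {@code [primary]}.
     */
    private List<String> parseRelations(JSONObject json) throws JSONException, ResourceNotAllowedException {
        List<String> relations = new ArrayList<>();
        if (!json.has("repo:relations")) {
            return relations;
        }
        JSONArray relationJson = json.getJSONArray("repo:relations");
        boolean onlyPrimary = relationJson.length() == 1 && Constants.REL_PRIMARY.equals(relationJson.getString(0));
        if (onlyPrimary) {
            return relations;
        }
        for (int i = 0; i < relationJson.length(); i++) {
            String relation = relationJson.getString(i);
            validatePermissionedRel(relation);
            relations.add(relation);
        }
        return relations;
    }

    /**
     * Binds the ACL to the entity's path and persists the session.
     * The repository itself enforces that the session may modify access control.
     */
    public void saveAccessControlList(DamEntity damEntity, Session session, JackrabbitAccessControlList acl) throws RepositoryException, DamException {
        session.getAccessControlManager().setPolicy(damEntity.getPath(), acl);
        session.save();
    }

    /**
     * Rejects relations outside {@link #PERMISSIONED_RELS}.
     *
     * @throws ResourceNotAllowedException if the relation may not carry permissions
     */
    public final void validatePermissionedRel(String relation) throws ResourceNotAllowedException {
        if (!PERMISSIONED_RELS.contains(relation)) {
            throw new ResourceNotAllowedException();
        }
    }

    /**
     * Moves the ACE(s) matching {@code accessControlEntry} (same principal name, same
     * allow/deny modifier, same glob restriction) in front of the applicable ACE currently at
     * the patch index, then saves. An append path (negative index) or an index past the end
     * is logged and ignored rather than treated as an error.
     */
    public void ensureAclOrder(PatchOperation patchOperation, DamEntity damEntity, ImsToken imsToken, PrincipalMapper principalMapper, AccessControlEntry accessControlEntry) throws DamException, RepositoryException {
        int patchIndex = getPatchIndex(patchOperation);
        Session session = ResourceUtils.getEntitySession(damEntity);
        AccessControlManager accessControlManager = session.getAccessControlManager();
        if (patchIndex < 0) {
            log.warn("Negative index {}, ignoring reordering", Integer.valueOf(patchIndex));
            return;
        }
        JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(accessControlManager, damEntity.getPath());
        List<javax.jcr.security.AccessControlEntry> applicable = getApplicableAccessControlList(acl);
        if (patchIndex >= applicable.size()) {
            log.warn("Index {} out of bounds, ignoring reordering", Integer.valueOf(patchIndex));
            return;
        }
        log.debug("Ensuring ACE is in position {}", Integer.valueOf(patchIndex));
        Principal oakPrincipal = principalMapper.rApiPrincipalToOakPrincipal(session, imsToken, accessControlEntry.getPrincipal());
        List<javax.jcr.security.AccessControlEntry> matching = applicable.stream()
                .filter(ace -> oakPrincipal.getName().equals(ace.getPrincipal().getName())
                        && sameModifier(ace, accessControlEntry)
                        && sameRestriction(ace, accessControlEntry))
                .collect(Collectors.toList());
        log.debug("Reording ace to {}", Integer.valueOf(patchIndex));
        javax.jcr.security.AccessControlEntry target = applicable.get(patchIndex);
        for (javax.jcr.security.AccessControlEntry ace : matching) {
            acl.orderBefore(ace, target);
        }
        saveAccessControlList(damEntity, session, acl);
    }

    /**
     * True when the JCR ACE's {@code rep:glob} restriction agrees with the relations of the
     * repo-api entry: both unrestricted, or the ACE's glob is one of the globs that the entry's
     * restriction-bearing relations map to.
     *
     * @throws DamRuntimeException wrapping any {@link RepositoryException} from restriction lookup
     */
    private boolean sameRestriction(javax.jcr.security.AccessControlEntry jcrEntry, AccessControlEntry apiEntry) {
        if (!(jcrEntry instanceof JackrabbitAccessControlEntry)) {
            return false;
        }
        JackrabbitAccessControlEntry jackrabbitEntry = (JackrabbitAccessControlEntry) jcrEntry;
        try {
            Set<String> restrictedRels = new HashSet<>(JCR_RESTRICTION_RELS.keySet());
            restrictedRels.retainAll(apiEntry.getRelations());
            boolean apiExpectsGlob = !restrictedRels.isEmpty();
            boolean jcrHasGlob = Arrays.asList(jackrabbitEntry.getRestrictionNames()).contains(AccessControlConstants.REP_GLOB);
            if (apiExpectsGlob != jcrHasGlob) {
                return false;
            }
            if (!jcrHasGlob) {
                return true;
            }
            String glob = jackrabbitEntry.getRestriction(AccessControlConstants.REP_GLOB).getString();
            // Relations without a glob mapping contribute null here; that never matches a real glob.
            Set<String> expectedGlobs = apiEntry.getRelations().stream()
                    .map(JCR_RESTRICTION_RELS::get)
                    .collect(Collectors.toSet());
            return expectedGlobs.contains(glob);
        } catch (RepositoryException e) {
            throw new DamRuntimeException("Could not evaluate restrictions", DamExceptionFactory.fromRepositoryException(e));
        }
    }

    /** True when the JCR ACE's allow/deny flag matches the repo-api entry's GRANT/DENY modifier. */
    private boolean sameModifier(javax.jcr.security.AccessControlEntry jcrEntry, AccessControlEntry apiEntry) {
        if (!(jcrEntry instanceof JackrabbitAccessControlEntry)) {
            return false;
        }
        RepoApiAccessControlModifier expected = ((JackrabbitAccessControlEntry) jcrEntry).isAllow()
                ? RepoApiAccessControlModifier.GRANT
                : RepoApiAccessControlModifier.DENY;
        return apiEntry.getModifier() == expected;
    }

    /**
     * Applies a JSON-patch {@code add} or {@code remove} to the entity's ACL and saves.
     *
     * <p>{@code remove} addresses an entry by index into the applicable (non-system-user) list;
     * the index must be within {@code [0, size)}, so the append path {@code /acl/-} and any
     * negative value are rejected instead of reaching {@code List.get}.
     *
     * @param readPrivilege JCR privilege name granted for READ on this relation, or {@code null}
     * @param writePrivilege JCR privilege name granted for WRITE/DELETE on this relation, or {@code null}
     * @throws InvalidOperationException for unsupported ops, a bad index, or a system-user target
     */
    public void handleAclPatchUpdate(PrincipalMapper principalMapper, DamEntity damEntity, ImsToken imsToken, PatchOperation patchOperation, AccessControlEntry accessControlEntry, String readPrivilege, String writePrivilege) throws RepositoryException, DamException {
        Session session = ResourceUtils.getEntitySession(damEntity);
        JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(session.getAccessControlManager(), damEntity.getPath());
        int patchIndex = getPatchIndex(patchOperation);
        PatchOperation.OPS op = patchOperation.getOp();
        if (op == PatchOperation.OPS.add) {
            handleAdd(principalMapper, acl, accessControlEntry, session, imsToken, readPrivilege, writePrivilege);
            log.debug("Saving changes to access control list");
            saveAccessControlList(damEntity, session, acl);
            return;
        }
        if (op != PatchOperation.OPS.remove) {
            throw new InvalidOperationException("Patches with opeation " + op + " not supported");
        }
        List<javax.jcr.security.AccessControlEntry> applicable = getApplicableAccessControlList(acl);
        if (patchIndex < 0 || patchIndex >= applicable.size()) {
            throw new InvalidOperationException("No access control entry for index: " + patchIndex);
        }
        javax.jcr.security.AccessControlEntry target = applicable.get(patchIndex);
        // Defense in depth: getApplicableAccessControlList already hides system users.
        if (target.getPrincipal() instanceof SystemUserPrincipal) {
            throw new InvalidOperationException("Cannot remove ace for system user");
        }
        acl.removeAccessControlEntry(target);
        saveAccessControlList(damEntity, session, acl);
    }

    /**
     * Adds a JCR ACE for the repo-api entry. ACK alone becomes {@code jcr:read} restricted to
     * an empty glob (the node itself only); READ maps to {@code readPrivilege}; WRITE/DELETE map
     * to {@code writePrivilege}, which must be present for those privileges.
     *
     * @throws InvalidOperationException if WRITE/DELETE is requested without a write privilege
     *         for the relation, or if no JCR privilege results from the request
     */
    private void handleAdd(PrincipalMapper principalMapper, JackrabbitAccessControlList acl, AccessControlEntry accessControlEntry, Session session, ImsToken imsToken, String readPrivilege, String writePrivilege) throws RepositoryException, DamException {
        Principal oakPrincipal = principalMapper.rApiPrincipalToOakPrincipal(session, imsToken, accessControlEntry.getPrincipal());
        List<RepoApiPrivilege> requested = accessControlEntry.getPrivileges();
        Set<String> jcrPrivilegeNames = new HashSet<>();

        boolean ackOnly = requested.contains(RepoApiPrivilege.ACK)
                && !requested.contains(RepoApiPrivilege.READ)
                && !requested.contains(RepoApiPrivilege.WRITE)
                && !requested.contains(RepoApiPrivilege.DELETE);
        if (ackOnly) {
            log.debug("Setting ACK privileges");
            jcrPrivilegeNames.add("jcr:read");
            accessControlEntry.setGlobRestriction(session.getValueFactory().createValue(""));
        }
        if (requested.contains(RepoApiPrivilege.READ)) {
            if (readPrivilege == null) {
                log.debug("READ privileges not relevant for relation, skipping");
            } else {
                log.debug("Setting READ privileges");
                jcrPrivilegeNames.add(readPrivilege);
            }
        }
        if (requested.contains(RepoApiPrivilege.WRITE) || requested.contains(RepoApiPrivilege.DELETE)) {
            if (writePrivilege == null) {
                throw new InvalidOperationException("'WRITE' privilege is not supported for supplied relation");
            }
            log.debug("Setting WRITE/DELETE privileges");
            jcrPrivilegeNames.add(writePrivilege);
        }
        // An ACE with no privileges is meaningless; fail with a clear message here rather
        // than letting the repository reject the empty privilege array at addEntry.
        if (jcrPrivilegeNames.isEmpty()) {
            throw new InvalidOperationException("No applicable privileges for supplied relation");
        }

        log.info("Adding access control entry for: {}", oakPrincipal);
        Privilege[] privileges = namesToPrivileges(session.getAccessControlManager(), jcrPrivilegeNames);
        boolean isAllow = accessControlEntry.getModifier().equals(RepoApiAccessControlModifier.GRANT);
        if (accessControlEntry.getRestrictions().size() > 0) {
            acl.addEntry(oakPrincipal, privileges, isAllow, accessControlEntry.getRestrictions());
        } else {
            acl.addEntry(oakPrincipal, privileges, isAllow);
        }
    }

    /**
     * Folds a Jackrabbit ACE for one relation into the repo-api entry being built.
     *
     * <p>The ACE is only considered when its {@code rep:glob} restriction equals
     * {@code expectedGlob} (both absent counts as equal). Its JCR privileges are translated via
     * {@code readPrivilege}/{@code writePrivilege}; when an entry for the primary relation
     * already exists, the translated privileges must agree with it. The given relations are then
     * attached to the (new or existing) entry.
     *
     * @param existing the entry built so far, or empty
     * @param readPrivilege JCR privilege name meaning READ for this relation, or {@code null}
     * @param writePrivilege JCR privilege name meaning WRITE for this relation, or {@code null}
     * @param expectedGlob glob restriction the ACE must carry, or {@code null} for none
     * @param relations relations to record; must be non-empty when {@code existing} is empty
     * @return the (possibly updated) entry, or {@code existing} unchanged if the ACE did not apply
     * @throws InvalidOperationException wrapping any {@link RepositoryException}
     */
    public Optional<AccessControlEntry> mergeRelAccessControlEntry(PrincipalMapper principalMapper, DamEntity damEntity, ImsToken imsToken, JackrabbitAccessControlEntry jackrabbitAccessControlEntry, Optional<AccessControlEntry> existing, @Nullable String readPrivilege, @Nullable String writePrivilege, @Nullable String expectedGlob, List<String> relations) throws DamException {
        String path = damEntity.getPath();
        UserManager userManager = ResourceUtils.getEntityUserManager(damEntity);
        try {
            RepoApiAccessControlModifier modifier = jackrabbitAccessControlEntry.isAllow()
                    ? RepoApiAccessControlModifier.GRANT
                    : RepoApiAccessControlModifier.DENY;
            RepoApiPrincipal principal = existing.isPresent()
                    ? existing.get().getPrincipal()
                    : principalMapper.oakPrincipalToRepoApiPrincipal(userManager, imsToken, jackrabbitAccessControlEntry.getPrincipal());

            Value globRestriction = jackrabbitAccessControlEntry.getRestriction(AccessControlConstants.REP_GLOB);
            boolean globMatches = (expectedGlob == null && globRestriction == null)
                    || (expectedGlob != null && globRestriction != null && globRestriction.getString().equals(expectedGlob));
            if (!globMatches) {
                return existing;
            }

            List<RepoApiPrivilege> translated = new ArrayList<>();
            for (Privilege privilege : jackrabbitAccessControlEntry.getPrivileges()) {
                String name = privilege.getName();
                if (readPrivilege != null && name.equals(readPrivilege)) {
                    translated.add(RepoApiPrivilege.READ);
                }
                if (writePrivilege != null && name.equals(writePrivilege)) {
                    translated.add(RepoApiPrivilege.WRITE);
                }
            }
            boolean hasPrimary = existing.isPresent() && existing.get().getRelations().contains(Constants.REL_PRIMARY);
            List<RepoApiPrivilege> effective = hasPrimary
                    ? ensureJackrabbitPrivilegesMatchRapiEntry(translated, existing.get().getPrivileges(), readPrivilege, writePrivilege)
                    : translated;
            if (effective.isEmpty()) {
                return existing;
            }

            // NOTE(review): relations.get(0) assumes a non-empty list when no entry exists yet;
            // callers are expected to guarantee that.
            AccessControlEntry entry = existing.isPresent()
                    ? existing.get()
                    : new AccessControlEntry(principal, effective, relations.get(0), modifier);
            if (relations.size() > 1 || existing.isPresent()) {
                for (String relation : relations) {
                    entry.addRelation(relation);
                }
                entry.notAllRelsMatch();
            }
            return Optional.of(entry);
        } catch (RepositoryException e) {
            throw new InvalidOperationException(String.format("Failed to get acl for '%s' with error", path), e);
        }
    }

    /**
     * Checks the privileges translated from a relation ACE against the primary entry's
     * privileges. Of the primary privileges, only those this relation can express (READ if
     * {@code readPrivilege} is set, WRITE if {@code writePrivilege} is set) are relevant; if
     * the ACE carries all of them, those are returned, otherwise an empty list.
     */
    private List<RepoApiPrivilege> ensureJackrabbitPrivilegesMatchRapiEntry(List<RepoApiPrivilege> translated, List<RepoApiPrivilege> primaryPrivileges, @Nullable String readPrivilege, @Nullable String writePrivilege) {
        List<RepoApiPrivilege> expressible = new ArrayList<>();
        if (readPrivilege != null) {
            expressible.add(RepoApiPrivilege.READ);
        }
        if (writePrivilege != null) {
            expressible.add(RepoApiPrivilege.WRITE);
        }
        List<RepoApiPrivilege> relevant = new ArrayList<>();
        for (RepoApiPrivilege privilege : primaryPrivileges) {
            if (expressible.contains(privilege)) {
                relevant.add(privilege);
            }
        }
        return translated.containsAll(relevant) ? relevant : new ArrayList<>();
    }

    static {
        PERMISSIONED_RELS.add(Constants.REL_PRIMARY);
        PERMISSIONED_RELS.add(Constants.REL_AC_POLICY);
        PERMISSIONED_RELS.add(Constants.REL_ANNOTATIONS);
        PERMISSIONED_RELS.add(Constants.REL_TASKS);
        PERMISSIONED_RELS.add(Constants.REL_METADATA_APPLICATION);
        PERMISSIONED_RELS.add(Constants.REL_RENDITION);
        PERMISSIONED_RELS.add(Constants.REL_TOGGLE_CHECKOUT);
        PERMISSIONED_RELS.add(Constants.REL_VERSION_HISTORY);
        PERMISSIONED_RELS.add(Constants.REL_AEM_RESTORE_HEAD);
        JCR_RESTRICTION_RELS.put(Constants.REL_RENDITION, RenditionRelationAccessControlProviderImpl.RENDITIONS_ACE_RESTRICTION);
        JCR_RESTRICTION_RELS.put(Constants.REL_ANNOTATIONS, AnnotationsAndTasksRelationAccessControlProviderImpl.ANNOTATIONS_ACE_RESTRICTION);
        JCR_RESTRICTION_RELS.put(Constants.REL_TASKS, AnnotationsAndTasksRelationAccessControlProviderImpl.TASKS_ACE_RESTRICTION);
    }
}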
