package com.day.cq.wcm.msm.impl.actions;

import com.day.cq.wcm.api.WCMException;
import com.day.cq.wcm.msm.api.LiveRelationship;
import com.day.cq.wcm.msm.commons.BaseAction;
import com.day.cq.wcm.msm.commons.BaseActionFactory;
import com.day.cq.wcm.msm.impl.Utils;
import com.day.cq.wcm.msm.impl.actions.util.ACEUtils;
import com.day.cq.wcm.msm.impl.actions.util.AccessControlEntry;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.jcr.Node;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlException;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.Privilege;
import org.apache.commons.lang.StringUtils;
import org.apache.felix.scr.annotations.Activate;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Modified;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.Service;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ValueMap;
import org.osgi.service.component.ComponentContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

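/**
 * Factory for the MSM live action that writes access control entries (ACEs) onto the
 * hierarchy node of a rollout target.
 *
 * <p>The action is registered under the simple name of {@link AccessControlListAction} and
 * under six "mandatory" action names (see {@code LIVE_ACTION_NAME}). For the mandatory names
 * the ACEs come from fixed templates in {@link AccessControlListAction.ACLTemplates}; otherwise
 * they are read from the action's configuration resource.
 *
 * <p>NOTE(review): this listing is JADX decompiler output. {@code m32createAction} and
 * {@code m33newActionInstance} are decompiler renames of {@code createAction} and
 * {@code newActionInstance} (see the "renamed from" markers); confirm against the original
 * class before relying on these names.
 */
@Service
@Component(metatype = false)
/* loaded from: input_file:com/day/cq/wcm/msm/impl/actions/AccessControlActionFactory.class */
public class AccessControlActionFactory extends BaseActionFactory<BaseAction> {
    private static final Logger log = LoggerFactory.getLogger(AccessControlActionFactory.class);

    // Names this factory answers to; index 0 is the name reported by createsAction().
    @Property(name = "liveActionName")
    private static final String[] LIVE_ACTION_NAME = {AccessControlListAction.class.getSimpleName(), "MandatoryActionFactory", "mandatory", "MandatoryContentAction", "mandatoryContent", "MandatoryStructureAction", "mandatoryStructure"};

    /**
     * Live action that applies a list of ACEs, collected once at construction time, to the
     * hierarchy node of the resource handed to {@link #doExecute}.
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:com/day/cq/wcm/msm/impl/actions/AccessControlActionFactory$AccessControlListAction.class */
    public static final class AccessControlListAction extends BaseAction {
        static final String MANDATORY_ACTION_PARAM_TARGET = "target";
        static final String PN_PRINCIPAL = "principalName";
        static final String PN_PRIVILEGES = "privilegeNames";
        static final String PN_DENY = "deny";
        // JCR privileges (expanded-name form) used by the "mandatory" and "mandatoryContent" templates.
        private static final String[] modificationPrivileges = {"{http://www.jcp.org/jcr/1.0}modifyProperties", "{http://www.jcp.org/jcr/1.0}lockManagement", "{http://www.jcp.org/jcr/1.0}versionManagement", "{http://www.jcp.org/jcr/1.0}addChildNodes", "{http://www.jcp.org/jcr/1.0}nodeTypeManagement", "{http://www.jcp.org/jcr/1.0}removeChildNodes", "{http://www.jcp.org/jcr/1.0}removeNode"};
        // Subset of the above that only covers adding/removing/retyping nodes.
        private static final String[] nodeManagementPrivileges = {"{http://www.jcp.org/jcr/1.0}addChildNodes", "{http://www.jcp.org/jcr/1.0}nodeTypeManagement", "{http://www.jcp.org/jcr/1.0}removeChildNodes", "{http://www.jcp.org/jcr/1.0}removeNode"};
        private static final String PATH_CONTENT = "/jcr:content";
        private final List<AccessControlEntry> aces;

        /**
         * Fixed ACE templates for the "mandatory" action names. The templates carry no
         * principal; {@code loadACE} copies each one and binds it to the configured target.
         *
         * <p>The second {@code AccessControlEntry} constructor argument is the allow flag
         * ({@code loadACE} passes {@code !deny} in that position). The third argument looks
         * like a path/glob restriction — TODO confirm against {@code AccessControlEntry}.
         */
        /* JADX INFO: Access modifiers changed from: package-private */
        /* loaded from: input_file:com/day/cq/wcm/msm/impl/actions/AccessControlActionFactory$AccessControlListAction$ACLTemplates.class */
        public enum ACLTemplates {
            INSTANCE;

            private final HashMap<String, AccessControlEntry[]> mandatoryActionACETemplates = new HashMap<>();

            ACLTemplates() {
                AccessControlEntry denyModification = new AccessControlEntry(null, false, null, AccessControlListAction.modificationPrivileges);
                AccessControlEntry denyContentModification = new AccessControlEntry(null, false, "/jcr:content*", AccessControlListAction.modificationPrivileges);
                AccessControlEntry denyNodeManagement = new AccessControlEntry(null, false, null, AccessControlListAction.nodeManagementPrivileges);
                AccessControlEntry allowContentModification = new AccessControlEntry(null, true, "/jcr:content*", AccessControlListAction.modificationPrivileges);
                // Each action exists under a short name and a legacy class-style name; both map to the same entries.
                this.mandatoryActionACETemplates.put("mandatory", new AccessControlEntry[]{denyModification});
                this.mandatoryActionACETemplates.put("MandatoryActionFactory", new AccessControlEntry[]{denyModification});
                this.mandatoryActionACETemplates.put("mandatoryContent", new AccessControlEntry[]{denyContentModification});
                this.mandatoryActionACETemplates.put("MandatoryContentAction", new AccessControlEntry[]{denyContentModification});
                this.mandatoryActionACETemplates.put("mandatoryStructure", new AccessControlEntry[]{denyNodeManagement, allowContentModification});
                this.mandatoryActionACETemplates.put("MandatoryStructureAction", new AccessControlEntry[]{denyNodeManagement, allowContentModification});
            }

            /**
             * Looks up the templates registered for an action name.
             *
             * @param str action name, e.g. {@code "mandatory"}
             * @return the template entries, or {@code null} when the name is not registered
             */
            public AccessControlEntry[] getMandatoryACE(String str) {
                return this.mandatoryActionACETemplates.get(str);
            }
        }

        /**
         * Collects the ACEs configured on the given resource and on each of its direct children.
         *
         * @param resource          configuration resource of the action
         * @param baseActionFactory factory passed through to {@code BaseAction}
         * @throws RepositoryException declared by {@code loadACE}
         */
        private AccessControlListAction(Resource resource, BaseActionFactory baseActionFactory) throws RepositoryException {
            super(resource.getValueMap(), baseActionFactory);
            this.aces = new ArrayList<>();
            this.aces.addAll(loadACE(resource));
            for (Resource child : resource.getChildren()) {
                this.aces.addAll(loadACE(child));
            }
        }

        /**
         * Reads the ACEs described by one configuration resource.
         *
         * <p>Two layouts are recognised: an explicit one ({@code principalName} plus
         * {@code privilegeNames}, optional {@code deny}) and a template one ({@code target}
         * names the principal, the resource name selects the template). A resource matching
         * neither, or one with a blank principal, yields an empty list.
         *
         * <p>NOTE(review): principal and privilege names are taken from the configuration
         * as-is; nothing in this class limits which principals or privileges may be named, so
         * write access to this configuration effectively decides which ACEs a rollout sets.
         *
         * @param resource configuration resource to read
         * @return the entries found, never {@code null}
         * @throws RepositoryException declared for callers; not thrown by the visible code
         */
        private List<AccessControlEntry> loadACE(Resource resource) throws RepositoryException {
            List<AccessControlEntry> loaded = new ArrayList<>();
            ValueMap config = resource.getValueMap();
            String principalName = null;
            AccessControlEntry[] templates = null;
            if (config.containsKey(PN_PRINCIPAL) && config.containsKey(PN_PRIVILEGES)) {
                principalName = (String) config.get(PN_PRINCIPAL, String.class);
                // "deny" defaults to false, i.e. an explicit entry is an allow entry unless stated otherwise.
                boolean allow = !((Boolean) config.get(PN_DENY, Boolean.FALSE)).booleanValue();
                String[] privilegeNames = (String[]) config.get(PN_PRIVILEGES, String[].class);
                templates = new AccessControlEntry[]{new AccessControlEntry(null, allow, null, privilegeNames)};
            } else if (config.containsKey(MANDATORY_ACTION_PARAM_TARGET)) {
                principalName = (String) config.get(MANDATORY_ACTION_PARAM_TARGET, (Class) null);
                templates = ACLTemplates.INSTANCE.getMandatoryACE(resource.getName());
            }
            if (templates != null && StringUtils.isNotBlank(principalName)) {
                for (AccessControlEntry template : templates) {
                    // Copy the template so the shared instance stays principal-less.
                    AccessControlEntry bound = new AccessControlEntry(principalName, template);
                    loaded.add(bound);
                    AccessControlActionFactory.log.debug("Found ACE {} on config node {}", bound, resource.getPath());
                }
            }
            return loaded;
        }

        /**
         * Applies the collected ACEs to the hierarchy node of {@code resource2}, using the
         * session that node belongs to.
         *
         * <p>When the relationship's sync path is {@code /jcr:content} or empty, every ACE is
         * handed to {@code applyPrivileges}. For any other sync path an ACE is applied only if
         * its principal resolves and {@code aceIsEffective} reports it is not yet in effect.
         * No {@code save()} is issued in this class; persisting the change is left to
         * {@code ACEUtils} or the caller (not visible here).
         *
         * @param resource         not used by this method (presumably the rollout source — confirm against BaseAction)
         * @param resource2        resource whose hierarchy node receives the ACEs
         * @param liveRelationship relationship supplying the sync path
         * @param z                not used by this method
         */
        protected void doExecute(Resource resource, Resource resource2, LiveRelationship liveRelationship, boolean z) throws RepositoryException, WCMException {
            Node hierarchyNode = Utils.getHierarchyNode((Node) resource2.adaptTo(Node.class));
            // handles() only accepts nodes backed by a JackrabbitSession, so the cast is expected to hold.
            JackrabbitSession session = (JackrabbitSession) hierarchyNode.getSession();
            String path = hierarchyNode.getPath();
            JackrabbitAccessControlManager acManager = (JackrabbitAccessControlManager) session.getAccessControlManager();
            PrincipalManager principalManager = session.getPrincipalManager();
            for (AccessControlEntry ace : this.aces) {
                String syncPath = liveRelationship.getSyncPath();
                if (PATH_CONTENT.equals(syncPath) || StringUtils.isEmpty(syncPath)) {
                    applyPrivileges(session, path, ace, acManager, principalManager);
                    continue;
                }
                // Resolve the principal once instead of twice per entry.
                Principal principal = ACEUtils.getPrincipal(ace, principalManager);
                if (principal != null && !aceIsEffective(path, ace, acManager, principal)) {
                    applyPrivileges(session, path, ace, acManager, principalManager);
                }
            }
        }

        /**
         * Accepts a rollout step only for page relationships whose {@code resource2} adapts to
         * a node in a {@link JackrabbitSession} that exposes an access control manager.
         */
        protected boolean handles(Resource resource, Resource resource2, LiveRelationship liveRelationship, boolean z) throws WCMException, RepositoryException {
            if (!liveRelationship.getStatus().isPage() || resource2 == null) {
                return false;
            }
            Node node = (Node) resource2.adaptTo(Node.class);
            if (node == null) {
                return false;
            }
            return (node.getSession() instanceof JackrabbitSession) && node.getSession().getAccessControlManager() != null;
        }

        /**
         * Tells whether the entry's intent already holds for the principal at the given path.
         *
         * @return for an allow entry, {@code true} when the principal has all listed
         *     privileges; for a deny entry, {@code true} only when it has none of them
         */
        private boolean aceIsEffective(String str, AccessControlEntry accessControlEntry, JackrabbitAccessControlManager jackrabbitAccessControlManager, Principal principal) throws RepositoryException {
            Set<Principal> principals = Collections.singleton(principal);
            if (accessControlEntry.isAllow()) {
                return jackrabbitAccessControlManager.hasPrivileges(str, principals, AccessControlUtils.privilegesFromNames(jackrabbitAccessControlManager, accessControlEntry.getPrivilegeNames()));
            }
            // Deny: check privilege by privilege, a single one still held means the deny is not in effect.
            for (String privilegeName : accessControlEntry.getPrivilegeNames()) {
                if (jackrabbitAccessControlManager.hasPrivileges(str, principals, AccessControlUtils.privilegesFromNames(jackrabbitAccessControlManager, new String[]{privilegeName}))) {
                    return false;
                }
            }
            return true;
        }

        /**
         * Adds one ACE to the ACL at the given path through {@code ACEUtils}.
         *
         * <p>An entry that cannot be applied (blank path, unresolvable principal, or an
         * {@link AccessControlException}) is skipped without failing the rollout. Because a
         * skipped entry leaves the node without the configured restriction, these cases are
         * logged at WARN rather than DEBUG.
         *
         * @throws RepositoryException on repository failures other than {@link AccessControlException}
         */
        private void applyPrivileges(Session session, String str, AccessControlEntry accessControlEntry, AccessControlManager accessControlManager, PrincipalManager principalManager) throws RepositoryException {
            try {
                Privilege[] privileges = AccessControlUtils.privilegesFromNames(accessControlManager, accessControlEntry.getPrivilegeNames());
                Principal principal = ACEUtils.getPrincipal(accessControlEntry, principalManager);
                if (StringUtils.isBlank(str) || principal == null) {
                    AccessControlActionFactory.log.warn("ACE for {} not applied at {}: path is empty or principal could not be resolved", accessControlEntry.getPrincipalName(), str);
                    return;
                }
                if (ACEUtils.addAccessControlEntry(session, str, principal, privileges, accessControlEntry)) {
                    AccessControlActionFactory.log.debug("Add new ACE to be for {} to ACL at {}", accessControlEntry.getPrincipalName(), str);
                } else {
                    AccessControlActionFactory.log.debug("ACE for {} contained in ACL at {}: no change", accessControlEntry.getPrincipalName(), str);
                }
            } catch (AccessControlException e) {
                // Keep the rollout going, but make the skipped entry visible together with its cause.
                AccessControlActionFactory.log.warn("ACE for " + accessControlEntry.getPrincipalName() + " not applied at " + str + ": entry rejected (e.g. invalid privilege)", e);
            }
        }
    }

    /**
     * @return the primary action name, i.e. the simple class name of {@link AccessControlListAction}
     */
    public String createsAction() {
        return LIVE_ACTION_NAME[0];
    }

    /**
     * Not supported: the action needs the configuration resource, not just its properties.
     *
     * @return always {@code null}
     */
    /* JADX INFO: Access modifiers changed from: protected */
    /* renamed from: newActionInstance, reason: merged with bridge method [inline-methods] */
    public BaseAction m33newActionInstance(ValueMap valueMap) throws WCMException {
        log.info("AccessControlActions must be created using createAction");
        return null;
    }

    /**
     * Builds the action from its configuration resource.
     *
     * @param resource configuration resource; must adapt to a node in a {@link JackrabbitSession}
     * @return the action, or {@code null} when the resource does not meet that requirement
     * @throws WCMException wrapping any {@link RepositoryException} raised while building the action
     */
    /* renamed from: createAction, reason: merged with bridge method [inline-methods] */
    public BaseAction m32createAction(Resource resource) throws WCMException {
        if (resource != null) {
            try {
                Node node = (Node) resource.adaptTo(Node.class);
                if (node != null && (node.getSession() instanceof JackrabbitSession)) {
                    return new AccessControlListAction(resource, this);
                }
            } catch (RepositoryException e) {
                log.debug("Failure Accessing Repository on building AccessControlListAction: {}", e);
                throw new WCMException(e);
            }
        }
        log.warn("Resource does not meet requirement to build an LiveAction: Resource must be a Node from JackrabbitRepository");
        return null;
    }

    // Intentionally empty: activation and modification need no work in the visible code.
    @Modified
    @Activate
    protected void activate(ComponentContext componentContext) {
    }
}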
