package com.adobe.aem.wcm.site.manager.internal;

import com.adobe.aem.wcm.site.manager.constants.Constants;
import com.adobe.granite.security.user.UserManagementService;
import com.adobe.granite.toggle.api.monitor.ToggleMonitor;
import com.adobe.granite.toggle.api.monitor.ToggleMonitorManager;
import java.security.Principal;
import java.util.Collections;
import javax.annotation.Nonnull;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.sling.api.resource.LoginException;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.resource.ResourceResolverFactory;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Deactivate;
import org.osgi.service.component.annotations.Reference;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

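/**
 * OSGi service that restricts a quick site to its own owner, editor and reader groups and
 * that grants or revokes contributor read access on the site templates folder when the
 * private-access feature toggle changes.
 *
 * <p>All repository work runs under the service user mapped to
 * {@code Constants.SITES_ACCESS_SERVICE}. That service user must be able to create groups and
 * edit access control lists, so every value that reaches this class (user id, site name)
 * ends up steering privileged writes.
 *
 * <p>NOTE(review): this source is decompiler output. The resolver handling below was restored
 * to try-with-resources because the decompiled form closed the resolver only on the success
 * path and leaked it whenever an exception was thrown.
 */
@Component(service = {SitePrivateAccessService.class}, immediate = true)
/* loaded from: input_file:com/adobe/aem/wcm/site/manager/internal/SitePrivateAccessService.class */
public class SitePrivateAccessService {
    private static final Logger LOGGER = LoggerFactory.getLogger(SitePrivateAccessService.class);

    // Privilege names are given in expanded form; "{http://www.jcp.org/jcr/1.0}all" is jcr:all.
    // The arrays are shared and handed to AccessControlUtils as-is, so they must never be modified.
    private static final String[] PRIVILEGE_DENY = {"{http://www.jcp.org/jcr/1.0}all"};
    // Owner privileges include jcr:modifyAccessControl: members of the owner group can rewrite
    // the ACL of the site root, including the deny entry that makes the site private.
    private static final String[] PRIVILEGE_ALLOW_VERSIONS = {"{http://www.jcp.org/jcr/1.0}versionManagement", "{http://www.jcp.org/jcr/1.0}read", "{http://www.jcp.org/jcr/1.0}modifyAccessControl", "rep:write", "crx:replicate", "{http://www.jcp.org/jcr/1.0}lockManagement"};
    private static final String[] PRIVILEGE_ALLOW_EDIT = {"{http://www.jcp.org/jcr/1.0}nodeTypeManagement", "{http://www.jcp.org/jcr/1.0}versionManagement", "{http://www.jcp.org/jcr/1.0}read", "{http://www.jcp.org/jcr/1.0}readAccessControl", "{http://www.jcp.org/jcr/1.0}addChildNodes", "crx:replicate", "{http://www.jcp.org/jcr/1.0}modifyProperties", "{http://www.jcp.org/jcr/1.0}lockManagement", "{http://www.jcp.org/jcr/1.0}removeChildNodes"};
    private static final String[] PRIVILEGE_ALLOW_NODE_REMOVE = {"{http://www.jcp.org/jcr/1.0}removeNode"};
    private static final String[] PRIVILEGE_ALLOW_READ = {"{http://www.jcp.org/jcr/1.0}read"};
    private static final String OWNER_GROUP_SUFFIX = "-quick-site-owner";
    private static final String EDITOR_GROUP_SUFFIX = "-quick-site-editor";
    private static final String SITE_GROUP_SUFFIX = "-quick-site";
    private static final String CONTRIBUTOR_GROUP_NAME = "contributor";
    private static final String SITE_TEMPLATES_PATH = "/conf/global/site-templates";

    @Reference
    private UserManagementService userManagementService;

    @Reference
    private ResourceResolverFactory resolverFactory;

    @Reference
    private ToggleMonitorManager toggleMonitorManager;
    private ToggleMonitor toggleMonitor;

    /**
     * Toggle callback: a {@code true} status grants the template read entry, {@code false}
     * removes it. The second callback argument is not used.
     */
    /* loaded from: input_file:com/adobe/aem/wcm/site/manager/internal/SitePrivateAccessService$ToggleMonitorImpl.class */
    private class ToggleMonitorImpl implements ToggleMonitor {
        private ToggleMonitorImpl() {
        }

        public void onStatusChanged(boolean enabled, String toggleName) {
            if (enabled) {
                SitePrivateAccessService.this.setTemplateACL();
            } else {
                SitePrivateAccessService.this.removeTemplateACL();
            }
        }
    }

    /**
     * Makes the site named {@code str2} private for the user {@code str}.
     *
     * <p>The user is added to three groups named after the site (owner, editor, site reader),
     * creating them when missing. For every root in {@code SiteUtils.SITE_ROOT_PATHS} under
     * which the site exists, a deny of jcr:all for {@code everyone} is added first, followed by
     * allow entries for the three groups. Roots where the site does not exist are skipped with
     * a warning.
     *
     * <p>Security notes for callers and reviewers:
     * <ul>
     *   <li>{@code str2} is concatenated into repository paths and group principal names without
     *       any validation in this method. NOTE(review): confirm that every caller restricts it
     *       to a single valid node name (no {@code /}, no {@code ..}), otherwise the entries are
     *       written to whatever path the concatenation yields.</li>
     *   <li>A group whose principal name already equals one of the derived names is reused and
     *       receives the allow entries; site names therefore have to be unique.</li>
     *   <li>Entries already present at the node are left in place. Whether they still grant
     *       access after the deny depends on the repository's entry evaluation order and should
     *       be verified for the deployment.</li>
     *   <li>Groups and memberships are saved before the access control entries. A failure in the
     *       second phase leaves the groups behind without the deny entry having been written.</li>
     * </ul>
     *
     * @param str  id of the user who becomes member of the site groups
     * @param str2 name of the site; used as path segment and as group name prefix
     * @throws RepositoryException if the session cannot be obtained, the user or the
     *         {@code everyone} authorizable is missing, a group name is taken by a non-group
     *         authorizable, or a repository operation fails
     * @throws LoginException if the service resource resolver cannot be opened
     */
    public void makeSitePrivate(@Nonnull String str, @Nonnull String str2) throws UnsupportedOperationException, RepositoryException, LoginException {
        final String userId = str;
        final String siteName = str2;
        try (ResourceResolver resolver = openServiceResolver()) {
            Session session = requireSession(resolver);
            UserManager userManager = this.userManagementService.getUserManager(session);

            // Fail before anything is persisted instead of hitting a NullPointerException midway.
            Authorizable user = userManager.getAuthorizable(userId);
            if (user == null) {
                throw new RepositoryException("User '" + userId + "' does not exist.");
            }
            Authorizable everyone = userManager.getAuthorizable("everyone");
            if (everyone == null) {
                throw new RepositoryException("Authorizable 'everyone' does not exist.");
            }

            Group ownerGroup = getOrCreateGroup(userManager, user, siteName + OWNER_GROUP_SUFFIX);
            Group editorGroup = getOrCreateGroup(userManager, user, siteName + EDITOR_GROUP_SUFFIX);
            Group readerGroup = getOrCreateGroup(userManager, user, siteName + SITE_GROUP_SUFFIX);
            // Groups are persisted before their principals are referenced in access control entries.
            session.save();

            for (String rootPath : SiteUtils.SITE_ROOT_PATHS) {
                String sitePath = rootPath + "/" + siteName;
                LOGGER.info("Making path {} private for user {}.", sitePath, userId);
                if (resolver.getResource(sitePath) == null) {
                    LOGGER.warn("Path {} does not exist.", sitePath);
                    continue;
                }
                // Deny first, then the group allows, in the same order as before.
                AccessControlUtils.addAccessControlEntry(session, sitePath, everyone.getPrincipal(), PRIVILEGE_DENY, false);
                AccessControlUtils.addAccessControlEntry(session, sitePath, ownerGroup.getPrincipal(), PRIVILEGE_ALLOW_VERSIONS, true);
                AccessControlUtils.addAccessControlEntry(session, sitePath, editorGroup.getPrincipal(), PRIVILEGE_ALLOW_EDIT, true);
                AccessControlUtils.addAccessControlEntry(session, sitePath, editorGroup.getPrincipal(), PRIVILEGE_ALLOW_NODE_REMOVE, true);
                AccessControlUtils.addAccessControlEntry(session, sitePath, readerGroup.getPrincipal(), PRIVILEGE_ALLOW_READ, true);
            }
            session.save();
        } catch (RepositoryException | LoginException | RuntimeException e) {
            LOGGER.error("Error occured while making site private.", e);
            throw e;
        }
    }

    /**
     * Registers the toggle monitor for the private-access feature toggle.
     */
    @Activate
    protected void activate() {
        this.toggleMonitor = new ToggleMonitorImpl();
        this.toggleMonitorManager.registerMonitor(this.toggleMonitor, Constants.SITE_PRIVATE_ACCESS_FEATURE_TOGGLE_NAME);
    }

    /**
     * Deregisters the toggle monitor. Access control entries written earlier are not touched
     * here; the template read entry stays until the toggle callback removes it.
     */
    @Deactivate
    protected void deactivate() {
        this.toggleMonitorManager.deregisterMonitor(this.toggleMonitor, Constants.SITE_PRIVATE_ACCESS_FEATURE_TOGGLE_NAME);
    }

    /**
     * Opens a resource resolver for the sites-access service user. The caller closes it.
     */
    private ResourceResolver openServiceResolver() throws LoginException {
        return this.resolverFactory.getServiceResourceResolver(Collections.singletonMap("sling.service.subservice", Constants.SITES_ACCESS_SERVICE));
    }

    /**
     * Adapts the resolver to a JCR session and rejects a failed adaptation explicitly.
     */
    private static Session requireSession(ResourceResolver resolver) throws RepositoryException {
        Session session = (Session) resolver.adaptTo(Session.class);
        if (session == null) {
            throw new RepositoryException("Service resource resolver could not be adapted to a JCR session.");
        }
        return session;
    }

    /**
     * Returns the group with the given principal name, creating it when absent, and makes
     * sure {@code member} belongs to it. Nothing is saved here; the caller saves the session.
     *
     * @throws RepositoryException if the name is already taken by an authorizable that is not
     *         a group (for example a user), or a repository operation fails
     */
    private Group getOrCreateGroup(UserManager userManager, Authorizable member, final String groupName) throws RepositoryException {
        Principal groupPrincipal = new Principal() { // from class: com.adobe.aem.wcm.site.manager.internal.SitePrivateAccessService.1
            @Override // java.security.Principal
            public String getName() {
                return groupName;
            }
        };
        Authorizable existing = userManager.getAuthorizable(groupPrincipal);
        Group group;
        if (existing == null) {
            group = userManager.createGroup(groupPrincipal);
            LOGGER.debug("New group '{}' created.", groupName);
        } else if (existing instanceof Group) {
            group = (Group) existing;
        } else {
            // A user holding this principal name must not end up as grantee of the site ACL.
            throw new RepositoryException("Authorizable '" + groupName + "' exists but is not a group.");
        }
        if (!group.isMember(member)) {
            group.addMember(member);
            LOGGER.debug("User '{}' added to group '{}'", member.getID(), groupName);
        }
        return group;
    }

    /**
     * Adds an allow-read entry for the {@code contributor} authorizable on the site templates
     * folder. Failures are logged and not rethrown, so a failed grant is visible only through
     * the error log line.
     *
     * <p>The decompiler reports that this method was private in the original class.
     */
    /* JADX INFO: Access modifiers changed from: private */
    public void setTemplateACL() {
        LOGGER.info("Allowing contributor read access to site templates.");
        try (ResourceResolver resolver = openServiceResolver()) {
            Session session = requireSession(resolver);
            Authorizable contributor = this.userManagementService.getUserManager(session).getAuthorizable(CONTRIBUTOR_GROUP_NAME);
            if (contributor == null) {
                throw new IllegalStateException("Authorizable '" + CONTRIBUTOR_GROUP_NAME + "' does not exist.");
            }
            AccessControlUtils.addAccessControlEntry(session, SITE_TEMPLATES_PATH, contributor.getPrincipal(), PRIVILEGE_ALLOW_READ, true);
            session.save();
        } catch (Exception e) {
            // Best effort: a toggle callback must not fail the caller; the log is the only signal.
            LOGGER.error("Unable to allow contributor read access to site templates.", e);
        }
    }

    /**
     * Removes the access control entries of the {@code contributor} principal on the site
     * templates folder. {@code AccessControlUtils.clear} drops every entry of that principal at
     * the path, not only the read entry added by {@link #setTemplateACL()}.
     *
     * <p>Failures are logged and not rethrown. If removal fails the read grant stays in place,
     * so the error log line below is worth alerting on.
     *
     * <p>The decompiler reports that this method was private in the original class.
     */
    /* JADX INFO: Access modifiers changed from: private */
    public void removeTemplateACL() {
        LOGGER.info("Removing contributor read access to site templates.");
        try (ResourceResolver resolver = openServiceResolver()) {
            Session session = requireSession(resolver);
            AccessControlUtils.clear(session, SITE_TEMPLATES_PATH, CONTRIBUTOR_GROUP_NAME);
            session.save();
        } catch (Exception e) {
            // Best effort: a toggle callback must not fail the caller; the log is the only signal.
            LOGGER.error("Unable to remove contributor read access to site templates.", e);
        }
    }
}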
