package com.adobe.granite.conf.ui.core.internal.servlets;

import com.adobe.granite.conf.ui.core.internal.ConfigurationUtils;
import java.io.IOException;
import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlException;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import javax.servlet.ServletException;
import org.apache.felix.scr.annotations.sling.SlingServlet;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@SlingServlet(resourceTypes = {"sling:Folder", "sling:OrderedFolder"}, selectors = {"confpermissions"}, extensions = {"json"}, methods = {"POST"})
/* loaded from: input_file:com/adobe/granite/conf/ui/core/internal/servlets/ConfigurationPermissionsServlet.class */
public class ConfigurationPermissionsServlet extends SlingAllMethodsServlet {
    public static final String ACTION_ADD = "add";
    public static final String ACTION_REMOVE = "remove";
    private static final Logger LOG = LoggerFactory.getLogger(ConfigurationPermissionsServlet.class);
    private static final String PARAM_ACTION = "action";
    private static final String PARAM_AUTHORIZABLE_ID = "authorizableId";
    private static final String PARAM_ALLOWED_PERMISSIONS = "allowedPermissions";

    protected void doPost(SlingHttpServletRequest slingHttpServletRequest, SlingHttpServletResponse slingHttpServletResponse) throws ServletException, IOException {
        Resource resource = slingHttpServletRequest.getResource();
        ResourceResolver resourceResolver = slingHttpServletRequest.getResourceResolver();
        Session session = (Session) resourceResolver.adaptTo(Session.class);
        try {
            AccessControlManager accessControlManager = session.getAccessControlManager();
            String[] split = slingHttpServletRequest.getParameter(PARAM_AUTHORIZABLE_ID).split(",");
            List asList = Arrays.asList(slingHttpServletRequest.getParameter(PARAM_ALLOWED_PERMISSIONS).split(","));
            String parameter = slingHttpServletRequest.getParameter(PARAM_ACTION);
            HashMap hashMap = new HashMap();
            for (String str : ConfigurationUtils.CONF_PERMISSIONS) {
                hashMap.put(str, Boolean.valueOf(asList.contains(str)));
            }
            for (String str2 : split) {
                Authorizable authorizable = getAuthorizable(str2, session);
                if (ACTION_ADD.equalsIgnoreCase(parameter)) {
                    installActions(resource, authorizable.getPrincipal(), hashMap, accessControlManager);
                } else if (ACTION_REMOVE.equalsIgnoreCase(parameter)) {
                    removeLocalPolicies(accessControlManager, resource.getPath(), authorizable.getPrincipal());
                }
            }
            if (resourceResolver.hasChanges()) {
                resourceResolver.commit();
            }
            slingHttpServletResponse.setStatus(200);
        } catch (Exception e) {
            LOG.error("Could not update permissions!", e);
            slingHttpServletResponse.sendError(500);
        }
    }

    private static Authorizable getAuthorizable(String str, Session session) throws RepositoryException {
        Authorizable authorizable = ((JackrabbitSession) session).getUserManager().getAuthorizable(str);
        if (authorizable == null) {
            throw new RepositoryException("No such authorizable " + str);
        }
        return authorizable;
    }

    private static void installActions(Resource resource, Principal principal, Map<String, Boolean> map, AccessControlManager accessControlManager) throws RepositoryException {
        if (map.isEmpty()) {
            return;
        }
        removeLocalPolicies(accessControlManager, resource.getPath(), principal);
        JackrabbitAccessControlList modifiableAcl = getModifiableAcl(accessControlManager, resource.getPath());
        for (String str : map.keySet()) {
            boolean booleanValue = map.get(str).booleanValue();
            Set<Privilege> set = ConfigurationUtils.getPrivilegesMap(accessControlManager).get(str);
            if (set != null && booleanValue) {
                modifiableAcl.addEntry(principal, (Privilege[]) set.toArray(new Privilege[set.size()]), booleanValue);
            }
        }
        accessControlManager.setPolicy(resource.getPath(), modifiableAcl);
    }

    private static void removeLocalPolicies(AccessControlManager accessControlManager, String str, Principal principal) throws RepositoryException {
        for (AccessControlList accessControlList : accessControlManager.getPolicies(str)) {
            if (accessControlList instanceof AccessControlList) {
                boolean z = false;
                AccessControlList accessControlList2 = accessControlList;
                for (AccessControlEntry accessControlEntry : accessControlList.getAccessControlEntries()) {
                    if (principal.equals(accessControlEntry.getPrincipal())) {
                        accessControlList2.removeAccessControlEntry(accessControlEntry);
                        z = true;
                    }
                }
                if (z) {
                    accessControlManager.setPolicy(str, accessControlList2);
                }
            }
        }
    }

    private static JackrabbitAccessControlList getModifiableAcl(AccessControlManager accessControlManager, String str) throws RepositoryException {
        for (JackrabbitAccessControlList jackrabbitAccessControlList : accessControlManager.getPolicies(str)) {
            if (jackrabbitAccessControlList instanceof JackrabbitAccessControlList) {
                return jackrabbitAccessControlList;
            }
        }
        AccessControlPolicyIterator applicablePolicies = accessControlManager.getApplicablePolicies(str);
        while (applicablePolicies.hasNext()) {
            JackrabbitAccessControlList nextAccessControlPolicy = applicablePolicies.nextAccessControlPolicy();
            if (nextAccessControlPolicy instanceof JackrabbitAccessControlList) {
                return nextAccessControlPolicy;
            }
        }
        throw new AccessControlException("No modifiable ACL at " + str);
    }
}
