package com.adobe.granite.security.permissions.internal.servlets;

import java.io.IOException;
import java.security.Principal;
import java.util.AbstractMap;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.jcr.AccessDeniedException;
import javax.jcr.PathNotFoundException;
import javax.jcr.PropertyType;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.ValueFactory;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlException;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.NamedAccessControlPolicy;
import javax.jcr.security.Privilege;
import javax.json.Json;
import javax.json.JsonException;
import javax.json.JsonObject;
import javax.json.stream.JsonGenerator;
import javax.servlet.Servlet;
import javax.servlet.ServletException;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.api.SlingHttpServletResponse;
import org.apache.sling.api.servlets.SlingAllMethodsServlet;
import org.osgi.service.component.annotations.Component;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

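/**
 * Sling servlet that lists and edits JCR access control entries as JSON.
 *
 * <p>It is registered at {@code /bin/policies} (extension {@code json}) for GET and POST:
 * <ul>
 *   <li>GET without {@code path}: effective policies for {@code principal}.</li>
 *   <li>GET with {@code path}: the entry identified by {@code entryId} for {@code principal} at
 *       that path, plus the restrictions and privileges supported there.</li>
 *   <li>POST with a JSON body whose {@code action} is {@code addentry}, {@code updateentry} or
 *       {@code removeentry}: modifies an access control list and saves the session.</li>
 * </ul>
 *
 * <p>All repository access uses the JCR session adapted from the request's resource resolver
 * (see {@link #getSession}); this class performs no authorization decision of its own beyond
 * the {@code jcr:readAccessControl} / {@code jcr:modifyAccessControl} checks below.
 *
 * <p>Review notes for maintainers (this listing is decompiler output; the casts the decompiler
 * dropped have been restored):
 * <ul>
 *   <li>Entry ids are {@code AccessControlEntry.hashCode()} rendered as text. They are neither
 *       guaranteed unique nor secret. Entries are therefore removed through the resolved entry
 *       object, never by scanning for an equal id.</li>
 *   <li>{@code policyId} is required on update and remove but is never compared with anything;
 *       only {@code principal}, {@code path} and {@code entryId} select the entry.</li>
 *   <li>{@code AccessDeniedException} is answered with 401, not 403. That is kept for
 *       compatibility with existing clients.</li>
 *   <li>Successful ACL changes are logged at debug level only. NOTE(review): consider an
 *       info-level audit record so permission changes can be traced with default logging.</li>
 * </ul>
 */
@Component(service = {Servlet.class}, property = {"sling.servlet.paths=/bin/policies", "sling.servlet.extensions=json", "sling.servlet.methods=GET", "sling.servlet.methods=POST"})
public class PoliciesServlet extends SlingAllMethodsServlet {
    // Request parameter / JSON body field names.
    static final String PARAM_ACTION = "action";
    static final String PARAM_PATH = "path";
    static final String PARAM_RESTRICTIONS = "restrictions";
    static final String PARAM_POLICY_ID = "policyId";
    static final String PARAM_ENTRY_ID = "entryId";
    static final String PARAM_PRINCIPAL = "principal";
    static final String PARAM_ALLOW = "allow";
    static final String PARAM_PRIVILEGES = "privileges";

    // Values accepted for the "action" field of a POST body.
    static final String OPT_ACTION_ADD = "addentry";
    static final String OPT_ACTION_RM = "removeentry";
    static final String OPT_ACTION_UPDATE = "updateentry";

    // Class name used to recognise CUG policies without a compile-time dependency on the class.
    private static final String CUG = "org.apache.jackrabbit.oak.spi.security.authorization.cug.impl.CugPolicyImpl";
    private static final Logger log = LoggerFactory.getLogger(PoliciesServlet.class);

    // JSON output keys. NOTE(review): these are non-final in the decompiled class, so any code in
    // this package can reassign them; left as-is because other classes may not be visible here.
    static String PRINCIPAL_KEY = PARAM_PRINCIPAL;
    static String SUPP_RESTR_KEY = "supportedRestrictions";
    static String SUPP_PRIVS_KEY = "supportedPrivs";
    static String CAN_EDIT_KEY = "canEdit";
    static String ALLOW_KEY = PARAM_ALLOW;
    static String PRIVILEGES_KEY = PARAM_PRIVILEGES;

    // HTTP status codes sent by this servlet.
    private static final int SC_OK = 200;
    private static final int SC_BAD_REQUEST = 400;
    private static final int SC_UNAUTHORIZED = 401;
    private static final int SC_INTERNAL_SERVER_ERROR = 500;

    /**
     * JSON array names under which effective policies are grouped.
     * The decompiler reports the original access as package-private.
     */
    public enum ACE_KEYS {
        aces,
        cugs,
        other
    }

    /**
     * Collects restriction values, split into single-valued and multi-valued restrictions, in the
     * two map shapes that {@code JackrabbitAccessControlList.addEntry} takes.
     * The decompiler reports the original access as package-private.
     */
    public static class Restrictions {
        private final Map<String, Value> simple = new HashMap<>();
        private final Map<String, List<Value>> mvp = new HashMap<>();

        Restrictions() {
        }

        /**
         * Records one restriction value.
         *
         * @param name restriction name
         * @param value restriction value
         * @param multiValue {@code true} to append to the multi-valued restriction {@code name},
         *     {@code false} to set (and overwrite) the single-valued one
         */
        void put(String name, Value value, boolean multiValue) {
            if (!multiValue) {
                this.simple.put(name, value);
                return;
            }
            this.mvp.computeIfAbsent(name, key -> new ArrayList<>()).add(value);
        }

        /** Returns the live map of single-valued restrictions. */
        Map<String, Value> getRestrictions() {
            return this.simple;
        }

        /** Returns a new map of the multi-valued restrictions, each as an array. */
        Map<String, Value[]> getMultiValueRestrictions() {
            if (this.mvp.isEmpty()) {
                return Collections.emptyMap();
            }
            Map<String, Value[]> result = new HashMap<>();
            for (Map.Entry<String, List<Value>> restriction : this.mvp.entrySet()) {
                result.put(restriction.getKey(), restriction.getValue().toArray(new Value[0]));
            }
            return result;
        }
    }

    /**
     * Writes effective policies (no {@code path} parameter) or the local entry and supported
     * restrictions/privileges (with {@code path}) as JSON.
     *
     * <p>Responds 401 on {@code AccessDeniedException} and 500 on any other
     * {@code RepositoryException}.
     * NOTE(review): with {@code path} set and {@code principal} absent, a null principal name
     * reaches the JSON writer and {@code PrincipalImpl}; confirm how both handle null.
     */
    @Override
    protected void doGet(SlingHttpServletRequest slingHttpServletRequest, SlingHttpServletResponse slingHttpServletResponse) throws ServletException, IOException {
        String principalName = slingHttpServletRequest.getParameter(PARAM_PRINCIPAL);
        String path = slingHttpServletRequest.getParameter(PARAM_PATH);
        String policyId = slingHttpServletRequest.getParameter(PARAM_POLICY_ID);
        String entryId = slingHttpServletRequest.getParameter(PARAM_ENTRY_ID);
        try {
            JackrabbitSession session = getSession(slingHttpServletRequest);
            ServletUtils.setContentType(slingHttpServletResponse);
            JsonGenerator generator = newJsonGenerator(slingHttpServletResponse);
            if (path == null) {
                printEffective(session, principalName, generator);
            } else {
                printLocal(session, principalName, path, policyId, entryId, generator);
            }
        } catch (AccessDeniedException e) {
            slingHttpServletResponse.sendError(SC_UNAUTHORIZED);
        } catch (RepositoryException e) {
            log.warn("Exception occurred while fetching polices: ", e);
            slingHttpServletResponse.sendError(SC_INTERNAL_SERVER_ERROR);
        }
    }

    /**
     * Returns the JCR session behind the request's resource resolver, so every repository call in
     * this servlet is made with that session.
     *
     * @return the adapted session; {@code null} if the resolver cannot be adapted
     */
    protected JackrabbitSession getSession(SlingHttpServletRequest slingHttpServletRequest) {
        // The decompiled listing cast to Session, which does not match the declared return type.
        return (JackrabbitSession) slingHttpServletRequest.getResourceResolver().adaptTo(Session.class);
    }

    /** Creates a JSON generator on the response writer. */
    private static JsonGenerator newJsonGenerator(SlingHttpServletResponse slingHttpServletResponse) throws IOException {
        Map<String, String> config = Collections.singletonMap("javax.json.stream.JsonGenerator.prettyPrinting", "false");
        return Json.createGeneratorFactory(config).createGenerator(slingHttpServletResponse.getWriter());
    }

    /**
     * Writes {@code {"principal": ..., "aces": [...], "cugs": [...], "other": [...]}} for the
     * effective policies of the named principal. A missing or blank name yields no policies.
     */
    private static void printEffective(JackrabbitSession jackrabbitSession, String principalName, JsonGenerator jsonGenerator) throws RepositoryException {
        JackrabbitAccessControlManager acm = (JackrabbitAccessControlManager) jackrabbitSession.getAccessControlManager();
        String trimmedName = principalName == null ? "" : principalName.trim();
        AccessControlPolicy[] effectivePolicies;
        if (trimmedName.isEmpty()) {
            effectivePolicies = new AccessControlPolicy[0];
        } else {
            Principal principal = new PrincipalImpl(trimmedName);
            effectivePolicies = acm.getEffectivePolicies(Collections.singleton(principal));
        }
        JsonGenerator json = jsonGenerator.writeStartObject();
        json.write(PRINCIPAL_KEY, trimmedName);
        print(effectivePolicies, json, acm);
        json.writeEnd();
        jsonGenerator.flush();
    }

    /**
     * Tells whether the session holds {@code jcr:readAccessControl} at {@code path}.
     * Any repository error counts as "no" (fails closed).
     */
    static boolean canReadAcl(JackrabbitAccessControlManager jackrabbitAccessControlManager, String path) {
        try {
            Privilege readAcl = jackrabbitAccessControlManager.privilegeFromName("jcr:readAccessControl");
            return jackrabbitAccessControlManager.hasPrivileges(path, new Privilege[]{readAcl});
        } catch (RepositoryException e) {
            return false;
        }
    }

    /**
     * Tells whether the session holds {@code jcr:modifyAccessControl} at {@code path}.
     * Any repository error counts as "no" (fails closed); the declared exceptions are kept for
     * source compatibility and are not thrown by this body.
     */
    static boolean canEditAcl(JackrabbitAccessControlManager jackrabbitAccessControlManager, String path) throws AccessControlException, RepositoryException {
        try {
            Privilege modifyAcl = jackrabbitAccessControlManager.privilegeFromName("jcr:modifyAccessControl");
            return jackrabbitAccessControlManager.hasPrivileges(path, new Privilege[]{modifyAcl});
        } catch (RepositoryException e) {
            return false;
        }
    }

    /**
     * Writes the entry selected by principal and {@code entryId} at {@code pathParam}, followed by
     * the supported restrictions and privileges. When the session lacks
     * {@code jcr:readAccessControl} there, only the principal name is written.
     */
    private static void printLocal(JackrabbitSession jackrabbitSession, String principalName, String pathParam, String policyId, String entryId, JsonGenerator jsonGenerator) throws RepositoryException {
        JackrabbitAccessControlManager acm = (JackrabbitAccessControlManager) jackrabbitSession.getAccessControlManager();
        JsonGenerator json = jsonGenerator.writeStartObject();
        json.write(PRINCIPAL_KEY, principalName);
        String path = adjustPath(pathParam);
        Principal principal = new PrincipalImpl(principalName);
        if (canReadAcl(acm, path)) {
            Map.Entry<JackrabbitAccessControlList, AccessControlEntry> resolved = null;
            try {
                resolved = getPolicies(acm, path, principal, false, true, policyId, entryId);
            } catch (PathNotFoundException ignored) {
                // A path that does not exist simply has no local policy to report.
            }
            if (resolved != null) {
                JackrabbitAccessControlList acl = resolved.getKey();
                if (entryId != null) {
                    json.write(PARAM_POLICY_ID, getPolicyId(acl));
                    AccessControlEntry entry = resolved.getValue();
                    if (entry != null) {
                        print(entry, jsonGenerator, canEditAcl(acm, path));
                    }
                }
                json.writeStartArray(SUPP_RESTR_KEY);
                for (String restrictionName : acl.getRestrictionNames()) {
                    json.writeStartObject();
                    json.write("name", restrictionName);
                    json.write("type", PropertyType.nameFromValue(acl.getRestrictionType(restrictionName)));
                    json.writeEnd();
                }
                json.writeEnd();
            }
            Privilege[] supportedPrivileges = null;
            try {
                supportedPrivileges = acm.getSupportedPrivileges(path);
            } catch (PathNotFoundException ignored) {
                // No node at the path: omit the supported-privileges array.
            }
            if (supportedPrivileges != null) {
                json.writeStartArray(SUPP_PRIVS_KEY);
                for (Privilege privilege : supportedPrivileges) {
                    print(privilege, json);
                }
                json.writeEnd();
            }
        }
        json.writeEnd();
        jsonGenerator.flush();
    }

    /** Writes one JSON array per {@link ACE_KEYS} group present in {@code policies}. */
    private static void print(AccessControlPolicy[] policies, JsonGenerator jsonGenerator, JackrabbitAccessControlManager jackrabbitAccessControlManager) throws RepositoryException {
        for (Map.Entry<ACE_KEYS, List<AccessControlPolicy>> group : groupByType(policies).entrySet()) {
            jsonGenerator.writeStartArray(group.getKey().toString());
            for (AccessControlPolicy policy : group.getValue()) {
                print(policy, jsonGenerator, jackrabbitAccessControlManager);
            }
            jsonGenerator.writeEnd();
        }
    }

    /**
     * Buckets policies: access control lists under {@code aces}, policies whose class name is the
     * Oak CUG implementation under {@code cugs}, everything else under {@code other}.
     */
    private static Map<ACE_KEYS, List<AccessControlPolicy>> groupByType(AccessControlPolicy[] policies) {
        Map<ACE_KEYS, List<AccessControlPolicy>> groups = new HashMap<>();
        for (AccessControlPolicy policy : policies) {
            ACE_KEYS group;
            if (policy instanceof AccessControlList) {
                group = ACE_KEYS.aces;
            } else if ((policy instanceof JackrabbitAccessControlPolicy) && CUG.equals(policy.getClass().getName())) {
                group = ACE_KEYS.cugs;
            } else {
                group = ACE_KEYS.other;
            }
            putOrAdd(groups, group, policy, new ArrayList<AccessControlPolicy>());
        }
        return groups;
    }

    /** Adds {@code value} to the collection mapped at {@code key}, installing {@code fresh} if none exists. */
    private static <K, V, W extends Collection<V>> void putOrAdd(Map<K, W> map, K key, V value, W fresh) {
        W bucket = map.get(key);
        if (bucket == null) {
            bucket = fresh;
            map.put(key, bucket);
        }
        bucket.add(value);
    }

    /** Dispatches to the writer for the policy's most specific known type; unknown types are only logged. */
    private static void print(AccessControlPolicy accessControlPolicy, JsonGenerator jsonGenerator, JackrabbitAccessControlManager jackrabbitAccessControlManager) throws RepositoryException {
        if (accessControlPolicy instanceof AccessControlList) {
            print((AccessControlList) accessControlPolicy, jsonGenerator, jackrabbitAccessControlManager);
        } else if (accessControlPolicy instanceof JackrabbitAccessControlPolicy) {
            print((JackrabbitAccessControlPolicy) accessControlPolicy, jsonGenerator);
        } else if (accessControlPolicy instanceof NamedAccessControlPolicy) {
            print((NamedAccessControlPolicy) accessControlPolicy, jsonGenerator);
        } else {
            log.debug("Ignoring unknown policy {}.", accessControlPolicy);
        }
    }

    /** Writes {@code {"name": ..., "policyId": ...}} for a named policy. */
    private static void print(NamedAccessControlPolicy namedAccessControlPolicy, JsonGenerator jsonGenerator) throws RepositoryException {
        jsonGenerator.writeStartObject();
        jsonGenerator.write("name", namedAccessControlPolicy.getName());
        jsonGenerator.write(PARAM_POLICY_ID, getPolicyId(namedAccessControlPolicy));
        jsonGenerator.writeEnd();
    }

    /** Writes {@code {"path": ..., "policyId": ...}} for a Jackrabbit policy that is not a list. */
    private static void print(JackrabbitAccessControlPolicy jackrabbitAccessControlPolicy, JsonGenerator jsonGenerator) throws RepositoryException {
        jsonGenerator.writeStartObject();
        jsonGenerator.write(PARAM_PATH, jackrabbitAccessControlPolicy.getPath());
        jsonGenerator.write(PARAM_POLICY_ID, getPolicyId(jackrabbitAccessControlPolicy));
        jsonGenerator.writeEnd();
    }

    /**
     * Writes an access control list with all its entries. {@code canEdit} on each entry reflects
     * {@code jcr:modifyAccessControl} at the list's path, and is {@code false} for lists that are
     * not Jackrabbit lists.
     */
    private static void print(AccessControlList accessControlList, JsonGenerator jsonGenerator, JackrabbitAccessControlManager jackrabbitAccessControlManager) throws RepositoryException {
        boolean canEdit;
        jsonGenerator.writeStartObject();
        jsonGenerator.write(PARAM_POLICY_ID, getPolicyId(accessControlList));
        if (accessControlList instanceof JackrabbitAccessControlList) {
            String aclPath = ((JackrabbitAccessControlList) accessControlList).getPath();
            jsonGenerator.write(PARAM_PATH, aclPath);
            canEdit = canEditAcl(jackrabbitAccessControlManager, aclPath);
        } else {
            jsonGenerator.write("type", "acl");
            canEdit = false;
        }
        jsonGenerator.writeStartArray("entries");
        for (AccessControlEntry entry : accessControlList.getAccessControlEntries()) {
            jsonGenerator.writeStartObject();
            print(entry, jsonGenerator, canEdit);
            jsonGenerator.writeEnd();
        }
        jsonGenerator.writeEnd();
        jsonGenerator.writeEnd();
    }

    /**
     * Writes the fields of one entry into the JSON object that is currently open: id, canEdit,
     * allow/restrictions (Jackrabbit entries only) and privilege names.
     */
    private static void print(AccessControlEntry accessControlEntry, JsonGenerator jsonGenerator, boolean canEdit) throws RepositoryException {
        jsonGenerator.write(PARAM_ENTRY_ID, getEntryId(accessControlEntry));
        jsonGenerator.write(CAN_EDIT_KEY, canEdit);
        if (accessControlEntry instanceof JackrabbitAccessControlEntry) {
            JackrabbitAccessControlEntry jackrabbitEntry = (JackrabbitAccessControlEntry) accessControlEntry;
            jsonGenerator.write(ALLOW_KEY, jackrabbitEntry.isAllow());
            String[] restrictionNames = jackrabbitEntry.getRestrictionNames();
            if (restrictionNames.length > 0) {
                jsonGenerator.writeStartArray(PARAM_RESTRICTIONS);
                for (String restrictionName : restrictionNames) {
                    // One single-key object per restriction: {"<name>": ["v1", "v2", ...]}.
                    jsonGenerator.writeStartObject();
                    jsonGenerator.writeStartArray(restrictionName);
                    for (Value value : jackrabbitEntry.getRestrictions(restrictionName)) {
                        jsonGenerator.write(value.getString());
                    }
                    jsonGenerator.writeEnd();
                    jsonGenerator.writeEnd();
                }
                jsonGenerator.writeEnd();
            }
        } else {
            jsonGenerator.write("type", "ace");
        }
        jsonGenerator.writeStartArray(PRIVILEGES_KEY);
        for (Privilege privilege : accessControlEntry.getPrivileges()) {
            jsonGenerator.write(privilege.getName());
        }
        jsonGenerator.writeEnd();
    }

    /** Writes a privilege and, for aggregates, its declared aggregate privileges recursively. */
    private static void print(Privilege privilege, JsonGenerator jsonGenerator) {
        jsonGenerator.writeStartObject();
        jsonGenerator.write("name", privilege.getName());
        if (privilege.isAbstract()) {
            jsonGenerator.write("abstract", true);
        }
        if (privilege.isAggregate()) {
            jsonGenerator.write("aggregate", true);
            jsonGenerator.writeStartArray("declared");
            for (Privilege declared : privilege.getDeclaredAggregatePrivileges()) {
                print(declared, jsonGenerator);
            }
            jsonGenerator.writeEnd();
        }
        jsonGenerator.writeEnd();
    }

    /**
     * Returns the entry's {@code hashCode()} as a decimal string.
     * The id is only as unique and as stable as the entry implementation's {@code hashCode()};
     * treat it as a lookup hint, not as a unique key.
     */
    private static String getEntryId(AccessControlEntry accessControlEntry) {
        return Integer.toString(accessControlEntry.hashCode());
    }

    /**
     * Returns the policy's name (named policies), {@code "["} followed by each entry id and
     * {@code "_"} (lists), or the implementation class name (anything else). The list form has
     * no closing bracket; it is kept as-is because clients receive it as an opaque value.
     */
    private static String getPolicyId(AccessControlPolicy accessControlPolicy) throws RepositoryException {
        if (accessControlPolicy instanceof NamedAccessControlPolicy) {
            return ((NamedAccessControlPolicy) accessControlPolicy).getName();
        }
        if (!(accessControlPolicy instanceof AccessControlList)) {
            return accessControlPolicy.getClass().getName();
        }
        StringBuilder id = new StringBuilder("[");
        for (AccessControlEntry entry : ((AccessControlList) accessControlPolicy).getAccessControlEntries()) {
            id.append(getEntryId(entry)).append("_");
        }
        return id.toString();
    }

    /**
     * Reads a JSON object from the request body and dispatches on its {@code action} field.
     * Responds 400 for an unknown action or a body that is not valid JSON.
     */
    @Override
    protected void doPost(SlingHttpServletRequest slingHttpServletRequest, SlingHttpServletResponse slingHttpServletResponse) throws ServletException, IOException {
        try {
            JsonObject body = Json.createReader(slingHttpServletRequest.getReader()).readObject();
            String action = body.getString(PARAM_ACTION, "");
            JackrabbitSession session = getSession(slingHttpServletRequest);
            if (OPT_ACTION_ADD.equals(action)) {
                doAddEntry(body, slingHttpServletResponse, session);
            } else if (OPT_ACTION_UPDATE.equals(action)) {
                doUpdateEntry(body, slingHttpServletResponse, session);
            } else if (OPT_ACTION_RM.equals(action)) {
                doRemoveEntry(body, slingHttpServletResponse, session);
            } else {
                slingHttpServletResponse.sendError(SC_BAD_REQUEST);
            }
        } catch (JsonException e) {
            log.error(e.getMessage(), e);
            slingHttpServletResponse.sendError(SC_BAD_REQUEST);
        }
    }

    /**
     * Handles {@code addentry}: requires {@code principal} and {@code privileges}; {@code allow}
     * defaults to {@code false} (a deny entry) when absent.
     * The result of {@link #modifyACL} is not inspected, so 200 is sent even when the list
     * reported no modification.
     */
    private static void doAddEntry(JsonObject jsonObject, SlingHttpServletResponse slingHttpServletResponse, JackrabbitSession jackrabbitSession) throws ServletException, IOException {
        String path = adjustPath(jsonObject.getString(PARAM_PATH, (String) null));
        String principalName = jsonObject.getString(PARAM_PRINCIPAL, (String) null);
        String[] privilegeNames = ServletUtils.collectStrings(jsonObject, PARAM_PRIVILEGES);
        if (!ServletUtils.checkRequiredParams(principalName) || !ServletUtils.checkRequiredParams(privilegeNames)) {
            slingHttpServletResponse.sendError(SC_BAD_REQUEST);
            return;
        }
        boolean allow = jsonObject.getBoolean(PARAM_ALLOW, false);
        String[] restrictionSpecs = ServletUtils.collectStrings(jsonObject, PARAM_RESTRICTIONS);
        log.debug("{} adds policy on {} for {}", new Object[]{jackrabbitSession.getUserID(), path, principalName});
        try {
            modifyACL(jackrabbitSession, principalName, path, privilegeNames, allow, restrictionSpecs, null, null, true);
            ServletUtils.setContentType(slingHttpServletResponse);
            slingHttpServletResponse.setStatus(SC_OK);
        } catch (AccessDeniedException e) {
            // Must precede RepositoryException (its supertype), otherwise this branch is dead.
            slingHttpServletResponse.sendError(SC_UNAUTHORIZED);
        } catch (RepositoryException e) {
            log.warn("Exception occurred while adding policy entry: ", e);
            slingHttpServletResponse.sendError(SC_INTERNAL_SERVER_ERROR);
        }
    }

    /**
     * Handles {@code updateentry}: requires {@code principal}, {@code entryId}, {@code policyId}
     * and {@code privileges}. The existing entry is replaced by a new one built from the request.
     */
    private static void doUpdateEntry(JsonObject jsonObject, SlingHttpServletResponse slingHttpServletResponse, JackrabbitSession jackrabbitSession) throws ServletException, IOException {
        String path = adjustPath(jsonObject.getString(PARAM_PATH, (String) null));
        String principalName = jsonObject.getString(PARAM_PRINCIPAL, (String) null);
        String[] privilegeNames = ServletUtils.collectStrings(jsonObject, PARAM_PRIVILEGES);
        String policyId = jsonObject.getString(PARAM_POLICY_ID, (String) null);
        String entryId = jsonObject.getString(PARAM_ENTRY_ID, (String) null);
        if (!ServletUtils.checkRequiredParams(principalName, entryId, policyId) || !ServletUtils.checkRequiredParams(privilegeNames)) {
            slingHttpServletResponse.sendError(SC_BAD_REQUEST);
            return;
        }
        boolean allow = jsonObject.getBoolean(PARAM_ALLOW, false);
        String[] restrictionSpecs = ServletUtils.collectStrings(jsonObject, PARAM_RESTRICTIONS);
        log.debug("{} updates policy on {} for {}", new Object[]{jackrabbitSession.getUserID(), path, principalName});
        try {
            modifyACL(jackrabbitSession, principalName, path, privilegeNames, allow, restrictionSpecs, policyId, entryId, false);
            ServletUtils.setContentType(slingHttpServletResponse);
            slingHttpServletResponse.setStatus(SC_OK);
        } catch (AccessDeniedException e) {
            // Must precede RepositoryException (its supertype), otherwise this branch is dead.
            slingHttpServletResponse.sendError(SC_UNAUTHORIZED);
        } catch (RepositoryException e) {
            log.warn("Exception occurred while updating policy entry: ", e);
            slingHttpServletResponse.sendError(SC_INTERNAL_SERVER_ERROR);
        }
    }

    /**
     * Adds an entry to, or replaces an entry in, the access control list selected by the
     * arguments, then sets the policy and saves the session.
     *
     * @param jackrabbitSession session used for every repository call
     * @param principalName name of the principal the entry is for
     * @param pathParam node path, or {@code null}/empty for no path
     * @param privilegeNames privilege names for the new entry
     * @param allow {@code true} for an allow entry, {@code false} for a deny entry
     * @param restrictionSpecs {@code name=value} restriction strings, see {@link #createRestrictions}
     * @param policyId passed through to the lookup, where it is not used
     * @param entryId id of the entry to replace; {@code null} when adding
     * @param isAdd {@code true} for add (resolves the principal through the principal manager and
     *     falls back to an applicable or existing policy at the path), {@code false} for update
     * @return {@code false} if the list reported that adding the entry changed nothing, in which
     *     case nothing is saved; {@code true} after a successful save
     * @throws RepositoryException if no policy can be identified or the repository rejects the change
     */
    static boolean modifyACL(JackrabbitSession jackrabbitSession, String principalName, String pathParam, String[] privilegeNames, boolean allow, String[] restrictionSpecs, String policyId, String entryId, boolean isAdd) throws RepositoryException {
        JackrabbitAccessControlManager acm = (JackrabbitAccessControlManager) jackrabbitSession.getAccessControlManager();
        String path = adjustPath(pathParam);

        // On add, a principal known to the principal manager is edited through its principal-based
        // policies; an unknown one (and every update) goes through the path's policies.
        Principal principal = isAdd ? jackrabbitSession.getPrincipalManager().getPrincipal(principalName) : null;
        boolean principalBased = principal != null;
        if (principal == null) {
            principal = new PrincipalImpl(principalName);
        }

        Map.Entry<JackrabbitAccessControlList, AccessControlEntry> resolved = null;
        try {
            resolved = getPolicies(acm, path, principal, principalBased, isAdd, policyId, entryId);
        } catch (PathNotFoundException ignored) {
            // Reported below as "Unable to identify policy".
        }
        if (resolved == null || resolved.getKey() == null) {
            throw new RepositoryException("Unable to identify policy");
        }
        JackrabbitAccessControlList acl = resolved.getKey();
        AccessControlEntry existing = resolved.getValue();

        Privilege[] privileges = createPrivileges(acm, privilegeNames);
        Restrictions restrictions = createRestrictions(restrictionSpecs, acl, jackrabbitSession.getValueFactory(), path, principalBased);
        if (existing != null) {
            // Remove exactly the entry the lookup resolved. Scanning the list for an equal
            // hash-derived id could drop a different entry when two ids collide.
            acl.removeAccessControlEntry(existing);
        }
        if (!acl.addEntry(principal, privileges, allow, restrictions.getRestrictions(), restrictions.getMultiValueRestrictions())) {
            return false;
        }
        acm.setPolicy(acl.getPath(), acl);
        jackrabbitSession.save();
        return true;
    }

    /** Maps an empty path to {@code null}; returns any other value unchanged. */
    private static String adjustPath(String path) {
        return (path == null || path.isEmpty()) ? null : path;
    }

    /**
     * Parses {@code name=value} restriction strings into a {@link Restrictions} object.
     *
     * <p>The string is split at the first {@code '='} only, so a value may itself contain
     * {@code '='}. Splitting at every {@code '='} made such a restriction count as malformed
     * and silently dropped it, leaving the entry broader than the caller asked for.
     * Strings without a non-empty name and value are still skipped, but now with a warning.
     * NOTE(review): consider rejecting the request instead of skipping, since a skipped
     * restriction widens the resulting entry.
     *
     * <p>For {@code rep:glob}, the literal value {@code ""} (two quote characters) stands for
     * the empty string. When {@code principalBased} is set, no {@code rep:nodePath} was given
     * and the list supports that restriction, {@code rep:nodePath} is added from {@code path}
     * (empty string for a {@code null} path).
     *
     * @param restrictionSpecs restriction strings; {@code null} is treated as none
     * @throws RepositoryException if a value cannot be created for the restriction's type
     */
    static Restrictions createRestrictions(String[] restrictionSpecs, JackrabbitAccessControlList jackrabbitAccessControlList, ValueFactory valueFactory, String path, boolean principalBased) throws RepositoryException {
        Restrictions restrictions = new Restrictions();
        if (restrictionSpecs != null) {
            for (String spec : restrictionSpecs) {
                if (spec == null || spec.isEmpty()) {
                    continue;
                }
                String[] nameAndValue = spec.split("=", 2);
                if (nameAndValue.length != 2 || nameAndValue[0].isEmpty() || nameAndValue[1].isEmpty()) {
                    // The client-supplied text is deliberately not echoed into the log.
                    log.warn("Ignoring malformed restriction (expected name=value); the entry is written without it");
                    continue;
                }
                String name = nameAndValue[0];
                String value = nameAndValue[1];
                if ("rep:glob".equals(name) && "\"\"".equals(value)) {
                    value = "";
                }
                restrictions.put(name, valueFactory.createValue(value, jackrabbitAccessControlList.getRestrictionType(name)), jackrabbitAccessControlList.isMultiValueRestriction(name));
            }
        }
        if (principalBased && !restrictions.getRestrictions().containsKey("rep:nodePath")) {
            int nodePathType = jackrabbitAccessControlList.getRestrictionType("rep:nodePath");
            // Type 0 means the list does not know this restriction, so none is added.
            if (nodePathType != 0) {
                Value nodePath = path == null ? valueFactory.createValue("") : valueFactory.createValue(path, nodePathType);
                restrictions.put("rep:nodePath", nodePath, false);
            }
        }
        return restrictions;
    }

    /**
     * Resolves privilege names to privileges, in order.
     *
     * @throws RepositoryException if a name is not a known privilege
     */
    static Privilege[] createPrivileges(AccessControlManager accessControlManager, String[] privilegeNames) throws RepositoryException {
        Privilege[] privileges = new Privilege[privilegeNames.length];
        for (int i = 0; i < privilegeNames.length; i++) {
            privileges[i] = accessControlManager.privilegeFromName(privilegeNames[i]);
        }
        return privileges;
    }

    /** Handles {@code removeentry}: requires {@code principal}, {@code entryId} and {@code policyId}. */
    private static void doRemoveEntry(JsonObject jsonObject, SlingHttpServletResponse slingHttpServletResponse, JackrabbitSession jackrabbitSession) throws ServletException, IOException {
        String path = adjustPath(jsonObject.getString(PARAM_PATH, (String) null));
        String principalName = jsonObject.getString(PARAM_PRINCIPAL, (String) null);
        String policyId = jsonObject.getString(PARAM_POLICY_ID, (String) null);
        String entryId = jsonObject.getString(PARAM_ENTRY_ID, (String) null);
        if (!ServletUtils.checkRequiredParams(principalName, entryId, policyId)) {
            slingHttpServletResponse.sendError(SC_BAD_REQUEST);
            return;
        }
        try {
            log.debug("{} removing policy for {}, {}, {}", new Object[]{jackrabbitSession.getUserID(), path, policyId, entryId});
            removeACE(jackrabbitSession, principalName, path, policyId, entryId);
            ServletUtils.setContentType(slingHttpServletResponse);
            slingHttpServletResponse.setStatus(SC_OK);
        } catch (AccessDeniedException e) {
            slingHttpServletResponse.sendError(SC_UNAUTHORIZED);
        } catch (RepositoryException e) {
            log.warn("Exception occurred while removing policy entry: ", e);
            slingHttpServletResponse.sendError(SC_INTERNAL_SERVER_ERROR);
        }
    }

    /**
     * Removes the entry selected by principal, path and {@code entryId}, sets the policy and
     * saves the session.
     *
     * <p>Only the resolved entry is removed. Removing every entry whose hash-derived id equals
     * {@code entryId} could also delete another principal's entry when two ids collide.
     *
     * @return {@code true} once the change is saved
     * @throws RepositoryException if no matching entry exists or the repository rejects the change
     */
    private static boolean removeACE(JackrabbitSession jackrabbitSession, String principalName, String path, String policyId, String entryId) throws RepositoryException {
        Principal principal = new PrincipalImpl(principalName);
        JackrabbitAccessControlManager acm = (JackrabbitAccessControlManager) jackrabbitSession.getAccessControlManager();
        Map.Entry<JackrabbitAccessControlList, AccessControlEntry> resolved = getPolicies(acm, path, principal, false, false, policyId, entryId);
        if (resolved == null) {
            throw new RepositoryException("Unable to identify policy");
        }
        JackrabbitAccessControlList acl = resolved.getKey();
        acl.removeAccessControlEntry(resolved.getValue());
        acm.setPolicy(acl.getPath(), acl);
        jackrabbitSession.save();
        return true;
    }

    /**
     * Finds the list and entry matching {@code entryId}.
     *
     * <p>With {@code principalBased} the principal's own policies are searched and an entry must
     * match {@code path} through its {@code rep:nodePath} restriction (any entry when
     * {@code path} is {@code null}). Otherwise the policies set at {@code path} are searched and
     * the entry's principal must equal {@code principal}.
     *
     * @param policyId accepted for signature compatibility; not used by the lookup
     * @param fallbackToPath when nothing matches, return the first applicable or existing
     *     Jackrabbit list at {@code path} with a {@code null} entry instead of {@code null}
     * @return the list and matched entry, the fallback list with a {@code null} entry, or {@code null}
     */
    private static Map.Entry<JackrabbitAccessControlList, AccessControlEntry> getPolicies(JackrabbitAccessControlManager jackrabbitAccessControlManager, String path, Principal principal, boolean principalBased, boolean fallbackToPath, String policyId, String entryId) throws RepositoryException {
        if (principalBased) {
            for (AccessControlPolicy policy : jackrabbitAccessControlManager.getPolicies(principal)) {
                if (!(policy instanceof JackrabbitAccessControlList)) {
                    continue;
                }
                JackrabbitAccessControlList acl = (JackrabbitAccessControlList) policy;
                for (AccessControlEntry entry : acl.getAccessControlEntries()) {
                    if ((path == null || matchesPath(entry, path)) && getEntryId(entry).equals(entryId)) {
                        return new AbstractMap.SimpleImmutableEntry<JackrabbitAccessControlList, AccessControlEntry>(acl, entry);
                    }
                }
            }
        } else {
            for (AccessControlPolicy policy : jackrabbitAccessControlManager.getPolicies(path)) {
                if (!(policy instanceof JackrabbitAccessControlList)) {
                    continue;
                }
                JackrabbitAccessControlList acl = (JackrabbitAccessControlList) policy;
                for (AccessControlEntry entry : acl.getAccessControlEntries()) {
                    if (principal.equals(entry.getPrincipal()) && getEntryId(entry).equals(entryId)) {
                        return new AbstractMap.SimpleImmutableEntry<JackrabbitAccessControlList, AccessControlEntry>(acl, entry);
                    }
                }
            }
        }
        return fallbackToPath ? getPoliciesByPath(jackrabbitAccessControlManager, path) : null;
    }

    /**
     * Returns the first Jackrabbit list among the applicable policies at {@code path}, else the
     * first among the policies already set there, paired with a {@code null} entry.
     */
    private static Map.Entry<JackrabbitAccessControlList, AccessControlEntry> getPoliciesByPath(JackrabbitAccessControlManager jackrabbitAccessControlManager, String path) throws RepositoryException {
        AccessControlPolicyIterator applicablePolicies = jackrabbitAccessControlManager.getApplicablePolicies(path);
        while (applicablePolicies.hasNext()) {
            AccessControlPolicy candidate = applicablePolicies.nextAccessControlPolicy();
            if (candidate instanceof JackrabbitAccessControlList) {
                return new AbstractMap.SimpleImmutableEntry<JackrabbitAccessControlList, AccessControlEntry>((JackrabbitAccessControlList) candidate, null);
            }
        }
        for (AccessControlPolicy existing : jackrabbitAccessControlManager.getPolicies(path)) {
            if (existing instanceof JackrabbitAccessControlList) {
                return new AbstractMap.SimpleImmutableEntry<JackrabbitAccessControlList, AccessControlEntry>((JackrabbitAccessControlList) existing, null);
            }
        }
        return null;
    }

    /** Tells whether the entry is a Jackrabbit entry whose {@code rep:nodePath} restriction equals {@code path}. */
    private static boolean matchesPath(AccessControlEntry accessControlEntry, String path) throws RepositoryException {
        if (!(accessControlEntry instanceof JackrabbitAccessControlEntry)) {
            return false;
        }
        Value nodePath = ((JackrabbitAccessControlEntry) accessControlEntry).getRestriction("rep:nodePath");
        return nodePath != null && nodePath.getString().equals(path);
    }
}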
