package com.adobe.cq.dam.s7imaging.impl.ps.internal;

import com.adobe.cq.dam.ips.impl.JcrUtil;
import com.adobe.cq.dam.ips.impl.replication.trigger.ServiceResolverFactory;
import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.scene7.is.util.callbacks.Func1;
import com.scene7.is.util.callbacks.Option;
import com.scene7.is.util.matching.Matcher;
import com.scene7.is.util.matching.Matchers;
import com.scene7.is.util.matching.RegexMatcher;
import java.net.URL;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.concurrent.TimeUnit;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang3.BooleanUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.lang3.Validate;
import org.apache.commons.lang3.tuple.Pair;
import org.apache.felix.scr.annotations.Activate;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Properties;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.Service;
import org.apache.sling.api.resource.PersistenceException;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Service({ACLPermissionsValidator.class})
@Component
@Properties({@Property(name = "service.description", value = {"Validates asset access"})})
/* loaded from: input_file:com/adobe/cq/dam/s7imaging/impl/ps/internal/ACLPermissionsValidator.class */
public class ACLPermissionsValidator {

    @Reference
    private ServiceResolverFactory serviceResolverFactory;
    private static final Logger LOGGER = LoggerFactory.getLogger(ACLPermissionsValidator.class);
    private final String CONTENT_DAM = "/content/dam/";
    private final String TYPE_EPS = ".eps";
    private final String TYPE_PDF = ".pdf";
    private final String TYPE_AI = ".ai";
    private final String NODE_CONTENT_METADATA = "/jcr:content/metadata";
    private final String NODE_SEPERATOR = "/";
    private final String PROPERTY_SCENE7_IPS_URL = "dam:scene7IPSUrl";
    private final String PROPERTY_SCENE7_FILE_AVS = "dam:scene7FileAvs";
    private final String PROPERTY_SCENE7_FILE = "dam:scene7File";
    private final Cache<Pair<String, String>, Boolean> aclReadAccessCache = CacheBuilder.newBuilder().expireAfterWrite(2, TimeUnit.MINUTES).build();

    @Activate
    protected void activate() {
        this.aclReadAccessCache.invalidateAll();
    }

    public boolean validateAccess(ResourceResolver resourceResolver, String str, Map<String, String> map) {
        String str2 = s7FileNameMatcher("/is/image").match(str).orElse(s7FileNameMatcher("/is/content").match(str)).get();
        if (StringUtils.isBlank(str2) || !str2.contains("/")) {
            return true;
        }
        try {
            String decode = URLDecoder.decode(str2, StandardCharsets.UTF_8.name());
            return ((Boolean) this.aclReadAccessCache.get(Pair.of(resourceResolver.getUserID(), decode), () -> {
                return Boolean.valueOf(loadACLReadPermission(decode, resourceResolver, map));
            })).booleanValue();
        } catch (Exception e) {
            LOGGER.error("Error processing asset {} : {}", str2, e.getLocalizedMessage());
            return false;
        }
    }

    private boolean loadACLReadPermission(String str, ResourceResolver resourceResolver, Map<String, String> map) {
        Boolean bool = false;
        Iterator it = Arrays.asList(() -> {
            return checkPermissionUsingReferer(str, resourceResolver, map);
        }, () -> {
            return checkPermissionUsingScene7Path(str, resourceResolver);
        }, () -> {
            return checkVideoRenditionPermission(str, resourceResolver);
        }, () -> {
            return checkScene7FilePermission(str, resourceResolver);
        }, () -> {
            return checkDocumentFilePermission(str, resourceResolver);
        }).iterator();
        while (it.hasNext()) {
            bool = (Boolean) ((Supplier) it.next()).get();
            if (bool != null) {
                break;
            }
        }
        return bool.booleanValue();
    }

    private Boolean checkDocumentFilePermission(String str, ResourceResolver resourceResolver) {
        try {
            List<String> searchDocumentsWithFileName = searchDocumentsWithFileName(str);
            Boolean checkPathsReadAccess = checkPathsReadAccess(resourceResolver, searchDocumentsWithFileName);
            if (!BooleanUtils.isTrue(checkPathsReadAccess) || searchDocumentsWithFileName.size() != 1) {
                return checkPathsReadAccess;
            }
            searchDocumentsWithFileName.forEach(str2 -> {
                addScene7IPSUrlProperty(resourceResolver.getResource(str2 + "/jcr:content/metadata"), str);
            });
            return true;
        } catch (Exception e) {
            LOGGER.error("Unable to determine permission for path {} : {}", str, e.getLocalizedMessage());
            return null;
        }
    }

    List<String> searchDocumentsWithFileName(String str) {
        return getPathsFromQuery(String.format("SELECT * FROM [dam:Asset] AS asset WHERE ISDESCENDANTNODE('/content/dam') AND asset.[jcr:content/metadata/dam:scene7File] in ('%s', '%s', '%s')", getScene7AssetName(str, ".pdf"), getScene7AssetName(str, ".ai"), getScene7AssetName(str, ".eps")));
    }

    List<String> searchViewerPresets(String str) {
        return getPathsFromQuery(String.format("SELECT * FROM [cq:Page] AS page WHERE ISDESCENDANTNODE('/conf/global/settings/dam/dm/presets/viewer') AND page.[jcr:content/metadata/dam:scene7File] = '%s'", str));
    }

    List<String> searchAssetsInContentDam(String str, List<String> list) {
        Validate.notEmpty(list, "Atleast one property must be supplied to search", new Object[0]);
        return getPathsFromQuery("SELECT * FROM [dam:Asset] AS asset WHERE ISDESCENDANTNODE('/content/dam') AND (" + ((String) list.stream().map(str2 -> {
            return String.format("asset.[jcr:content/metadata/%s] = '%s'", str2, str);
        }).collect(Collectors.joining(" OR "))) + ")");
    }

    private List<String> getPathsFromQuery(final String str) {
        return (List) this.serviceResolverFactory.withResolver(new Func1<ResourceResolver, List<String>>() { // from class: com.adobe.cq.dam.s7imaging.impl.ps.internal.ACLPermissionsValidator.1
            /* JADX INFO: Access modifiers changed from: protected */
            @Override // com.scene7.is.util.callbacks.Func1
            public List<String> call(ResourceResolver resourceResolver) {
                Iterator findResources = resourceResolver.findResources(str, "JCR-SQL2");
                ArrayList arrayList = new ArrayList();
                findResources.forEachRemaining(resource -> {
                    arrayList.add(resource.getPath());
                });
                return arrayList;
            }
        });
    }

    private Boolean checkPermissionUsingReferer(String str, ResourceResolver resourceResolver, Map<String, String> map) {
        try {
            String str2 = map.get("Referer");
            if (StringUtils.isBlank(str2)) {
                return null;
            }
            String decode = URLDecoder.decode(new URL(str2).getPath(), StandardCharsets.UTF_8.name());
            String substring = decode.substring(decode.indexOf("/content/dam/"));
            if (validateReferer(substring, str, resourceResolver)) {
                return checkPathsReadAccess(resourceResolver, Collections.singletonList(substring));
            }
            return null;
        } catch (Exception e) {
            LOGGER.error("Unable to verify permissions using referer {}", e.getLocalizedMessage());
            return null;
        }
    }

    private void addScene7IPSUrlProperty(Resource resource, String str) {
        try {
            if (StringUtils.isBlank(JcrUtil.getPropertyAsString(resource, "dam:scene7IPSUrl"))) {
                JcrUtil.setProperty(resource, null, "dam:scene7IPSUrl", str, true);
            }
        } catch (RepositoryException | PersistenceException e) {
            LOGGER.error("Unable to set property 'dam:scene7Url' with scene7FilePath : {}, Error : {}", resource.getPath(), e.getLocalizedMessage());
        }
    }

    private boolean isDocumentAsset(String str) {
        Stream<String> stream = getSupportedDocumentTypes().stream();
        Objects.requireNonNull(str);
        return stream.anyMatch(str::endsWith);
    }

    private List<String> getSupportedDocumentTypes() {
        return Arrays.asList(".ai", ".eps", ".pdf");
    }

    private Boolean checkScene7FilePermission(String str, ResourceResolver resourceResolver) {
        try {
            List<String> searchAssetsInContentDam = searchAssetsInContentDam(str, getSearchProperties());
            if (CollectionUtils.isEmpty(searchAssetsInContentDam)) {
                searchAssetsInContentDam = searchViewerPresets(str);
            }
            return checkPathsReadAccess(resourceResolver, searchAssetsInContentDam);
        } catch (Exception e) {
            LOGGER.error("Unable to verify permission : {}", e.getLocalizedMessage());
            return null;
        }
    }

    private Boolean checkPermissionUsingScene7Path(String str, ResourceResolver resourceResolver) {
        try {
            if (hasPathInAssetName(str)) {
                return checkPathsReadAccess(resourceResolver, Collections.singletonList(getPathFromAssetName(str)));
            }
            return null;
        } catch (Exception e) {
            LOGGER.error("Error while checking permission using path url : {}", e.getLocalizedMessage());
            return null;
        }
    }

    private Boolean checkVideoRenditionPermission(String str, ResourceResolver resourceResolver) {
        try {
            if (isVideoRenditionRequest(str)) {
                return checkPathsReadAccess(resourceResolver, searchAssetsInContentDam(getScene7AssetName(str, null), Collections.singletonList("dam:scene7File")));
            }
            return null;
        } catch (Exception e) {
            LOGGER.error("Unable to check permission for video rendition request : {}", e.getLocalizedMessage());
            return null;
        }
    }

    private Boolean checkPathsReadAccess(ResourceResolver resourceResolver, List<String> list) throws RepositoryException {
        if (CollectionUtils.isEmpty(list)) {
            return null;
        }
        Session session = (Session) resourceResolver.adaptTo(Session.class);
        String userID = resourceResolver.getUserID();
        for (String str : list) {
            if (!session.hasPermission(str, "read")) {
                LOGGER.debug("User {} does not have access to asset: {}", userID, str);
                return false;
            }
        }
        return true;
    }

    private boolean validateReferer(String str, String str2, ResourceResolver resourceResolver) {
        Option<Resource> resource = JcrUtil.getResource(resourceResolver, str + "/jcr:content/metadata");
        if (resource.isEmpty()) {
            return false;
        }
        return getSearchProperties().stream().anyMatch(str3 -> {
            String propertyAsString = JcrUtil.getPropertyAsString((Resource) resource.get(), str3);
            return StringUtils.isNotBlank(propertyAsString) && (StringUtils.equals(propertyAsString, str2) || StringUtils.equals(propertyAsString, getScene7AssetName(str2, str)));
        });
    }

    private List<String> getSearchProperties() {
        return Arrays.asList("dam:scene7File", "dam:scene7FileAvs", "dam:scene7IPSUrl");
    }

    private String getScene7AssetName(String str, String str2) {
        if (isVideoRenditionRequest(str)) {
            return StringUtils.substringBeforeLast(StringUtils.substringBeforeLast(str, "-"), "-");
        }
        if (StringUtils.isNotBlank(str2)) {
            if (str2.endsWith(".eps")) {
                return str + ".eps";
            }
            if (str2.endsWith(".pdf")) {
                return str + "pdf";
            }
            if (str2.endsWith(".ai")) {
                return str + ".ai";
            }
        }
        return str;
    }

    private boolean hasPathInAssetName(String str) {
        String substringAfter = StringUtils.substringAfter(str, "/");
        return substringAfter.startsWith("_CSS/") || substringAfter.startsWith("_DMSAMPLE/");
    }

    private String getPathFromAssetName(String str) {
        return "/content/dam/" + StringUtils.substringAfter(str, "/");
    }

    private boolean isVideoRenditionRequest(String str) {
        return str.matches(".*-\\d{1,4}x\\d{1,4}-\\d{1,6}k");
    }

    private static Matcher<String, String> s7FileNameMatcher(String str) {
        return Matchers.afterPrefix(str).andThen(Matchers.emptyString().or(RegexMatcher.regexMatcher("/+([^:]*).*", 1)));
    }

    protected void bindServiceResolverFactory(ServiceResolverFactory serviceResolverFactory) {
        this.serviceResolverFactory = serviceResolverFactory;
    }

    protected void unbindServiceResolverFactory(ServiceResolverFactory serviceResolverFactory) {
        if (this.serviceResolverFactory == serviceResolverFactory) {
            this.serviceResolverFactory = null;
        }
    }
}
