package com.day.cq.security.util;

import com.adobe.granite.activitystreams.Verbs;
import com.day.cq.replication.Replicator;
import java.security.Principal;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.jcr.AccessDeniedException;
import javax.jcr.Node;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.nodetype.NodeDefinition;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlException;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
import org.apache.sling.servlets.post.SlingPostConstants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/day/cq/security/util/CqActions.class */
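/**
 * Maps the coarse CQ "actions" (read, modify, create, delete, acl_read, acl_edit, replicate)
 * onto sets of JCR privileges, and reads or writes those actions on a repository path.
 *
 * <p>Every lookup and every ACL change runs through the access control manager of a
 * {@link Session}, so results reflect what that session is allowed to see and do.
 * {@link #installActions} edits an access control list with this instance's session and
 * performs no authorization check of its own. A caller holding a privileged session must
 * decide beforehand whether the requester may change permissions on the path.
 */
public class CqActions {
    private static final Logger log = LoggerFactory.getLogger(CqActions.class);

    /**
     * Names of the supported actions.
     *
     * <p>This is a public array, so its elements can be overwritten by any caller; treat it as
     * read-only. NOTE(review): the {@code Verbs} and {@code SlingPostConstants} references
     * look like decompiler substitutions for plain string literals (presumably "read",
     * "modify" and "create"). Confirm against the original source.
     */
    public static final String[] ACTIONS = {Verbs.READ, SlingPostConstants.OPERATION_MODIFY, Verbs.CREATE, "delete", "acl_read", "acl_edit", "replicate"};

    /** {@code rep:glob} value used to scope an entry to the {@code jcr:content} subtree. */
    private static final String CONTENT_RESTRICTION = "*/jcr:content*";

    private final Session session;

    /** Action name to the (aggregate-expanded) privileges that action requires. */
    private final Map<String, Set<Privilege>> map = new HashMap<>();

    /**
     * Builds the action-to-privilege table from the privileges registered in the repository.
     *
     * <p>If the replicate privilege is not registered, a warning is logged and the
     * {@code "replicate"} action is left out of the table.
     *
     * @param session session used for all later lookups and ACL edits made via {@code this.session}
     * @throws RepositoryException if the access control manager or a privilege cannot be resolved
     */
    public CqActions(Session session) throws RepositoryException {
        this.session = session;
        AccessControlManager accessControlManager = session.getAccessControlManager();
        this.map.put(Verbs.READ, getPrivilegeSet(Privilege.JCR_READ, accessControlManager));
        this.map.put(SlingPostConstants.OPERATION_MODIFY, getPrivilegeSet(new String[]{Privilege.JCR_MODIFY_PROPERTIES, Privilege.JCR_LOCK_MANAGEMENT, Privilege.JCR_VERSION_MANAGEMENT}, accessControlManager));
        this.map.put(Verbs.CREATE, getPrivilegeSet(new String[]{Privilege.JCR_ADD_CHILD_NODES, Privilege.JCR_NODE_TYPE_MANAGEMENT}, accessControlManager));
        this.map.put("delete", getPrivilegeSet(new String[]{Privilege.JCR_REMOVE_CHILD_NODES, Privilege.JCR_REMOVE_NODE}, accessControlManager));
        this.map.put("acl_read", getPrivilegeSet(Privilege.JCR_READ_ACCESS_CONTROL, accessControlManager));
        this.map.put("acl_edit", getPrivilegeSet(Privilege.JCR_MODIFY_ACCESS_CONTROL, accessControlManager));
        try {
            this.map.put("replicate", getPrivilegeSet(Replicator.REPLICATE_PRIVILEGE, accessControlManager));
        } catch (AccessControlException e) {
            // Deliberate best effort: the action is simply unavailable on this repository.
            log.warn("Replicate privilege not registered");
        }
    }

    /**
     * Returns the privileges required for an action.
     *
     * @param str action name
     * @return the privilege set, or {@code null} if the action is unknown (including
     *     {@code "replicate"} when that privilege was not registered at construction time)
     */
    public Set<Privilege> getPrivileges(String str) {
        return this.map.get(str);
    }

    /**
     * Tells whether a set of granted privileges covers everything an action requires.
     *
     * @param set privileges that are granted
     * @param str action name
     * @return {@code true} if every privilege of the action is in {@code set}; {@code false}
     *     if not, or if the action is unknown
     */
    public boolean isGranted(Set<Privilege> set, String str) {
        Set<Privilege> required = getPrivileges(str);
        // Fail closed: an unknown action used to surface as a NullPointerException from
        // containsAll(null); it is never reported as granted.
        return required != null && set.containsAll(required);
    }

    /**
     * Lists the actions the given session holds at a path.
     *
     * @param session session whose access control manager is queried (this is the argument,
     *     not the session this instance was constructed with)
     * @param str absolute path to check
     * @return names of all actions whose privileges are fully granted
     * @throws RepositoryException if the privileges cannot be read
     */
    public Collection<String> getActions(Session session, String str) throws RepositoryException {
        return actionsCoveredBy(getPrivileges(str, null, session.getAccessControlManager()));
    }

    /**
     * Lists the actions granted at a path, optionally for an explicit set of principals.
     *
     * <p>When the node's primary type defines a {@code jcr:content} child, {@code modify} is
     * only reported if that child exists and {@code rep:write} is granted on it.
     *
     * @param str absolute path of an existing node
     * @param set principals to evaluate, or {@code null} to evaluate this instance's session
     * @return names of all actions that are fully granted
     * @throws RepositoryException if the node or its privileges cannot be read
     */
    public Collection<String> getAllowedActions(String str, Set<Principal> set) throws RepositoryException {
        AccessControlManager accessControlManager = this.session.getAccessControlManager();
        Collection<String> allowed = actionsCoveredBy(getPrivileges(str, set, accessControlManager));
        if (definesContent(this.session.getNode(str)) && allowed.contains(SlingPostConstants.OPERATION_MODIFY)) {
            String contentPath = str + "/jcr:content";
            boolean contentWritable = this.session.nodeExists(contentPath)
                    && getPrivileges(contentPath, set, accessControlManager).containsAll(getPrivilegeSet(PrivilegeConstants.REP_WRITE, accessControlManager));
            if (!contentWritable) {
                allowed.remove(SlingPostConstants.OPERATION_MODIFY);
            }
        }
        return allowed;
    }

    /**
     * Adds allow/deny entries for a principal to the ACL at a path and sets the policy.
     *
     * <p>For each known action in {@code map} one entry is added with that action's
     * privileges. If the node's primary type defines a {@code jcr:content} child, further
     * entries restricted by {@code rep:glob = "*&#47;jcr:content*"} are added so that
     * {@code modify} governs adding and removing nodes below {@code jcr:content}
     * independently of {@code create} and {@code delete} on the node itself.
     *
     * <p>Security notes: entries are added to the ACL returned for the path (an existing one
     * if present), so earlier entries for the principal stay in place. The method ends with
     * {@code setPolicy} and never calls {@code Session.save()}, so persisting the change is
     * left to the caller. No check is made here that the requester may edit this ACL.
     *
     * @param str absolute path of an existing node
     * @param principal principal the entries are created for
     * @param map action name to {@code true} (allow) or {@code false} (deny); nothing is done
     *     if empty; unknown action names are ignored
     * @param collection actions currently in effect for the principal, consulted only when
     *     {@code map} has no {@code modify} key; {@code null} is treated as empty
     * @throws RepositoryException if no modifiable ACL exists or the ACL cannot be changed
     */
    public void installActions(String str, Principal principal, Map<String, Boolean> map, Collection<String> collection) throws RepositoryException {
        if (map.isEmpty()) {
            return;
        }
        AccessControlManager accessControlManager = this.session.getAccessControlManager();
        JackrabbitAccessControlList modifiableAcl = getModifiableAcl(accessControlManager, str);
        for (Map.Entry<String, Boolean> requested : map.entrySet()) {
            boolean allow = requested.getValue();
            Set<Privilege> privileges = this.map.get(requested.getKey());
            if (privileges != null) {
                modifiableAcl.addEntry(principal, privileges.toArray(new Privilege[0]), allow);
            }
        }
        if (definesContent(this.session.getNode(str))) {
            Map<String, Value> restrictions = null;
            for (String restrictionName : modifiableAcl.getRestrictionNames()) {
                if (AccessControlConstants.REP_GLOB.equals(restrictionName)) {
                    restrictions = Collections.singletonMap(restrictionName, this.session.getValueFactory().createValue(CONTENT_RESTRICTION, modifiableAcl.getRestrictionType(restrictionName)));
                    break;
                }
            }
            if (restrictions == null) {
                log.warn("Cannot install special permissions node with jcr:content primary item. rep:glob restriction not supported by AC model.");
            } else {
                Set<Privilege> allowOnContent = new HashSet<>();
                Set<Privilege> denyOnContent = new HashSet<>();
                boolean modifyInEffect;
                if (map.containsKey(SlingPostConstants.OPERATION_MODIFY)) {
                    List<Privilege> structural = namedPrivileges(accessControlManager, Privilege.JCR_NODE_TYPE_MANAGEMENT, Privilege.JCR_ADD_CHILD_NODES, Privilege.JCR_REMOVE_CHILD_NODES, Privilege.JCR_REMOVE_NODE);
                    modifyInEffect = map.get(SlingPostConstants.OPERATION_MODIFY);
                    (modifyInEffect ? allowOnContent : denyOnContent).addAll(structural);
                } else {
                    // A null collection used to raise a NullPointerException here.
                    modifyInEffect = collection != null && collection.contains(SlingPostConstants.OPERATION_MODIFY);
                }
                // Counteract create/delete settings that contradict modify below jcr:content:
                // with modify in effect a denied create/delete is re-allowed there, and
                // without modify an allowed create/delete is denied there.
                boolean contradicting = !modifyInEffect;
                Set<Privilege> target = modifyInEffect ? allowOnContent : denyOnContent;
                if (map.containsKey(Verbs.CREATE) && map.get(Verbs.CREATE) == contradicting) {
                    target.addAll(namedPrivileges(accessControlManager, Privilege.JCR_ADD_CHILD_NODES, Privilege.JCR_NODE_TYPE_MANAGEMENT));
                }
                if (map.containsKey("delete") && map.get("delete") == contradicting) {
                    target.addAll(namedPrivileges(accessControlManager, Privilege.JCR_REMOVE_CHILD_NODES, Privilege.JCR_REMOVE_NODE));
                }
                if (!allowOnContent.isEmpty()) {
                    modifiableAcl.addEntry(principal, allowOnContent.toArray(new Privilege[0]), true, restrictions);
                }
                if (!denyOnContent.isEmpty()) {
                    modifiableAcl.addEntry(principal, denyOnContent.toArray(new Privilege[0]), false, restrictions);
                }
            }
        }
        accessControlManager.setPolicy(str, modifiableAcl);
    }

    /**
     * Tells whether a node's primary node type declares a child node named {@code jcr:content}.
     *
     * @param node node to inspect
     * @return {@code true} if such a child node definition exists
     * @throws RepositoryException if the node type cannot be read
     */
    public static boolean definesContent(Node node) throws RepositoryException {
        for (NodeDefinition nodeDefinition : node.getPrimaryNodeType().getChildNodeDefinitions()) {
            if ("jcr:content".equals(nodeDefinition.getName())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Tells whether an entry carries the {@code rep:glob} restriction used for {@code jcr:content}.
     *
     * @param accessControlEntry entry to inspect
     * @return {@code true} only for a {@link JackrabbitAccessControlEntry} whose
     *     {@code rep:glob} restriction equals {@code "*&#47;jcr:content*"}
     * @throws RepositoryException if the restriction cannot be read
     */
    public static boolean hasContentRestriction(AccessControlEntry accessControlEntry) throws RepositoryException {
        if (!(accessControlEntry instanceof JackrabbitAccessControlEntry)) {
            return false;
        }
        JackrabbitAccessControlEntry entry = (JackrabbitAccessControlEntry) accessControlEntry;
        for (String restrictionName : entry.getRestrictionNames()) {
            if (AccessControlConstants.REP_GLOB.equals(restrictionName) && CONTENT_RESTRICTION.equals(entry.getRestriction(restrictionName).getString())) {
                return true;
            }
        }
        return false;
    }

    /** Returns the names of all actions whose privileges are all contained in {@code granted}. */
    private Collection<String> actionsCoveredBy(Set<Privilege> granted) {
        Set<String> actions = new HashSet<>();
        for (Map.Entry<String, Set<Privilege>> entry : this.map.entrySet()) {
            if (granted.containsAll(entry.getValue())) {
                actions.add(entry.getKey());
            }
        }
        return actions;
    }

    /** Resolves each name with {@code privilegeFromName}, without expanding aggregates. */
    private static List<Privilege> namedPrivileges(AccessControlManager accessControlManager, String... names) throws RepositoryException {
        Privilege[] resolved = new Privilege[names.length];
        for (int i = 0; i < names.length; i++) {
            resolved[i] = accessControlManager.privilegeFromName(names[i]);
        }
        return Arrays.asList(resolved);
    }

    /** Adds a privilege to {@code target}, replacing an aggregate by its aggregated privileges. */
    private static void addExpanded(Set<Privilege> target, Privilege privilege) {
        if (privilege.isAggregate()) {
            target.addAll(Arrays.asList(privilege.getAggregatePrivileges()));
        } else {
            target.add(privilege);
        }
    }

    /**
     * Reads the privileges held at a path, with aggregates expanded.
     *
     * <p>With {@code set == null} the session behind the manager is evaluated. Otherwise the
     * manager is cast to {@link JackrabbitAccessControlManager} and the given principals are
     * evaluated; a manager of another type fails with a {@code ClassCastException}.
     */
    private static Set<Privilege> getPrivileges(String str, Set<Principal> set, AccessControlManager accessControlManager) throws RepositoryException, AccessDeniedException {
        Privilege[] held = set == null
                ? accessControlManager.getPrivileges(str)
                : ((JackrabbitAccessControlManager) accessControlManager).getPrivileges(str, set);
        Set<Privilege> expanded = new HashSet<>();
        for (Privilege privilege : held) {
            addExpanded(expanded, privilege);
        }
        return expanded;
    }

    /** Resolves one privilege name to a set, expanding it if it is an aggregate. */
    private static Set<Privilege> getPrivilegeSet(String str, AccessControlManager accessControlManager) throws RepositoryException {
        Privilege privilege = accessControlManager.privilegeFromName(str);
        if (privilege.isAggregate()) {
            return new HashSet<>(Arrays.asList(privilege.getAggregatePrivileges()));
        }
        return Collections.singleton(privilege);
    }

    /** Resolves several privilege names to one set, expanding any aggregates. */
    private static Set<Privilege> getPrivilegeSet(String[] strArr, AccessControlManager accessControlManager) throws RepositoryException {
        Set<Privilege> expanded = new HashSet<>(strArr.length);
        for (String name : strArr) {
            addExpanded(expanded, accessControlManager.privilegeFromName(name));
        }
        return expanded;
    }

    /**
     * Finds an editable ACL for a path: the first {@link JackrabbitAccessControlList} already
     * set there, otherwise the first applicable one.
     *
     * @throws AccessControlException if neither exists
     */
    private static JackrabbitAccessControlList getModifiableAcl(AccessControlManager accessControlManager, String str) throws RepositoryException, AccessDeniedException {
        for (AccessControlPolicy policy : accessControlManager.getPolicies(str)) {
            if (policy instanceof JackrabbitAccessControlList) {
                return (JackrabbitAccessControlList) policy;
            }
        }
        AccessControlPolicyIterator applicablePolicies = accessControlManager.getApplicablePolicies(str);
        while (applicablePolicies.hasNext()) {
            AccessControlPolicy policy = applicablePolicies.nextAccessControlPolicy();
            if (policy instanceof JackrabbitAccessControlList) {
                return (JackrabbitAccessControlList) policy;
            }
        }
        throw new AccessControlException("No modifiable ACL at " + str);
    }
}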
