package org.apache.jackrabbit.vault.fs.impl.io;

import java.security.Principal;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Deque;
import java.util.HashMap;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;
import java.util.stream.Collectors;
import javax.jcr.Node;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.ValueFactory;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlException;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy;
import org.apache.jackrabbit.api.security.authorization.PrincipalAccessControlList;
import org.apache.jackrabbit.api.security.authorization.PrincipalSetPolicy;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.spi.Name;
import org.apache.jackrabbit.spi.commons.conversion.DefaultNamePathResolver;
import org.apache.jackrabbit.spi.commons.conversion.NamePathResolver;
import org.apache.jackrabbit.spi.commons.conversion.NameResolver;
import org.apache.jackrabbit.spi.commons.name.NameConstants;
import org.apache.jackrabbit.spi.commons.name.NameFactoryImpl;
import org.apache.jackrabbit.vault.fs.io.AccessControlHandling;
import org.apache.jackrabbit.vault.util.DocViewNode2;
import org.apache.jackrabbit.vault.util.DocViewProperty2;
import org.slf4j.Logger;

/* loaded from: input_file:org/apache/jackrabbit/vault/fs/impl/io/JackrabbitACLImporter.class */
public class JackrabbitACLImporter implements DocViewAdapter {
    private static final Name NAME_REP_EFFECTIVE_PATH = NameFactoryImpl.getInstance().create(Name.NS_REP_URI, "effectivePath");
    private static final Name NAME_REP_PRINCIPAL_NAMES = NameFactoryImpl.getInstance().create(Name.NS_REP_URI, "principalNames");
    private static final Logger log = DocViewImporter.log;
    private final JackrabbitSession session;
    private final AccessControlHandling aclHandling;
    private final AccessControlManager acMgr;
    private final PrincipalManager pMgr;
    private final String accessControlledPath;
    private final NamePathResolver resolver;
    private ImportedPolicy<? extends AccessControlPolicy> importPolicy;
    private final Deque<State> states;

    /* loaded from: input_file:org/apache/jackrabbit/vault/fs/impl/io/JackrabbitACLImporter$ACE.class */
    private static class ACE extends AbstractEntry {
        private final boolean allow;
        private final String principalName;

        private ACE(DocViewNode2 docViewNode2) {
            super(docViewNode2);
            String orElseThrow = docViewNode2.getPrimaryType().orElseThrow(() -> {
                return new IllegalStateException("mandatory property 'jcr:primaryType' missing on ace node");
            });
            if ("rep:GrantACE".equals(orElseThrow)) {
                this.allow = true;
            } else {
                if (!"rep:DenyACE".equals(orElseThrow)) {
                    throw new IllegalArgumentException("Unexpected node ACE type: " + docViewNode2.getPrimaryType());
                }
                this.allow = false;
            }
            this.principalName = docViewNode2.getPropertyValue(NameConstants.REP_PRINCIPAL_NAME).orElseThrow(() -> {
                return new IllegalStateException("mandatory property 'rep:principalName' missing");
            });
        }
    }

    /* loaded from: input_file:org/apache/jackrabbit/vault/fs/impl/io/JackrabbitACLImporter$AbstractEntry.class */
    private static class AbstractEntry {
        private final Collection<String> privileges;
        private final Map<Name, DocViewProperty2> restrictions;

        private AbstractEntry(DocViewNode2 docViewNode2) {
            this.privileges = docViewNode2.getPropertyValues(NameConstants.REP_PRIVILEGES);
            this.restrictions = new HashMap();
            addRestrictions(docViewNode2);
        }

        void addRestrictions(DocViewNode2 docViewNode2) {
            this.restrictions.putAll((Map) docViewNode2.getProperties().stream().collect(Collectors.toMap((v0) -> {
                return v0.getName();
            }, Function.identity())));
        }

        void convertRestrictions(JackrabbitAccessControlList jackrabbitAccessControlList, ValueFactory valueFactory, NameResolver nameResolver, Map<String, Value> map, Map<String, Value[]> map2) throws RepositoryException {
            for (String str : jackrabbitAccessControlList.getRestrictionNames()) {
                DocViewProperty2 docViewProperty2 = this.restrictions.get(nameResolver.getQName(str));
                if (docViewProperty2 != null) {
                    Value[] valueArr = new Value[docViewProperty2.getStringValues().size()];
                    int restrictionType = jackrabbitAccessControlList.getRestrictionType(str);
                    for (int i = 0; i < valueArr.length; i++) {
                        valueArr[i] = valueFactory.createValue(docViewProperty2.getStringValues().get(i), restrictionType);
                    }
                    if (docViewProperty2.isMultiValue()) {
                        map2.put(str, valueArr);
                    } else {
                        map.put(str, valueArr[0]);
                    }
                }
            }
        }

        Privilege[] getPrivileges(AccessControlManager accessControlManager) throws RepositoryException {
            return AccessControlUtils.privilegesFromNames(accessControlManager, (String[]) this.privileges.toArray(new String[0]));
        }
    }

    /* loaded from: input_file:org/apache/jackrabbit/vault/fs/impl/io/JackrabbitACLImporter$ImportedAcList.class */
    private final class ImportedAcList extends ImportedPolicy<JackrabbitAccessControlList> {
        private List<ACE> aceList;
        private ACE currentACE;

        private ImportedAcList() {
            super();
            this.aceList = new ArrayList();
        }

        @Override // org.apache.jackrabbit.vault.fs.impl.io.JackrabbitACLImporter.ImportedPolicy
        State append(State state, DocViewNode2 docViewNode2) {
            if (state != State.ACL) {
                if (state == State.ACE) {
                    this.currentACE.addRestrictions(docViewNode2);
                    return State.RESTRICTION;
                }
                JackrabbitACLImporter.log.error("Error while reading access control content: Unexpected node: {} for state {}", docViewNode2.getPrimaryType(), state);
                return State.ERROR;
            }
            try {
                this.currentACE = new ACE(docViewNode2);
                this.aceList.add(this.currentACE);
                return State.ACE;
            } catch (IllegalArgumentException e) {
                JackrabbitACLImporter.log.error("Error while reading access control content: {}", e);
                return State.ERROR;
            }
        }

        @Override // org.apache.jackrabbit.vault.fs.impl.io.JackrabbitACLImporter.ImportedPolicy
        void endNode(State state) {
            if (state == State.ACE) {
                this.currentACE = null;
            }
        }

        @Override // org.apache.jackrabbit.vault.fs.impl.io.JackrabbitACLImporter.ImportedPolicy
        void apply(List<String> list, NameResolver nameResolver) throws RepositoryException {
            JackrabbitAccessControlList policy = getPolicy(JackrabbitAccessControlList.class);
            HashSet hashSet = new HashSet();
            if (policy != null) {
                for (AccessControlEntry accessControlEntry : policy.getAccessControlEntries()) {
                    hashSet.add(accessControlEntry.getPrincipal().getName());
                }
                if (JackrabbitACLImporter.this.aclHandling == AccessControlHandling.OVERWRITE) {
                    JackrabbitACLImporter.this.acMgr.removePolicy(JackrabbitACLImporter.this.accessControlledPath, policy);
                    policy = null;
                }
            }
            if (policy == null) {
                policy = getApplicablePolicy(JackrabbitAccessControlList.class);
            }
            if (JackrabbitACLImporter.this.aclHandling == AccessControlHandling.MERGE) {
                for (ACE ace : this.aceList) {
                    for (AccessControlEntry accessControlEntry2 : policy.getAccessControlEntries()) {
                        if (accessControlEntry2.getPrincipal().getName().equals(ace.principalName)) {
                            policy.removeAccessControlEntry(accessControlEntry2);
                        }
                    }
                }
            }
            for (ACE ace2 : this.aceList) {
                String str = ace2.principalName;
                if (JackrabbitACLImporter.this.aclHandling != AccessControlHandling.MERGE_PRESERVE || !hashSet.contains(str)) {
                    Principal principal = getPrincipal(str);
                    HashMap hashMap = new HashMap();
                    HashMap hashMap2 = new HashMap();
                    ace2.convertRestrictions(policy, JackrabbitACLImporter.this.session.getValueFactory(), nameResolver, hashMap, hashMap2);
                    policy.addEntry(principal, ace2.getPrivileges(JackrabbitACLImporter.this.acMgr), ace2.allow, hashMap, hashMap2);
                }
            }
            JackrabbitACLImporter.this.acMgr.setPolicy(JackrabbitACLImporter.this.accessControlledPath, policy);
            if (JackrabbitACLImporter.this.accessControlledPath == null) {
                JackrabbitACLImporter.this.addPathIfExists(list, "/rep:repoPolicy");
            } else if ("/".equals(JackrabbitACLImporter.this.accessControlledPath)) {
                JackrabbitACLImporter.this.addPathIfExists(list, "/rep:policy");
            } else {
                JackrabbitACLImporter.this.addPathIfExists(list, JackrabbitACLImporter.this.accessControlledPath + "/rep:policy");
            }
        }
    }

    /* loaded from: input_file:org/apache/jackrabbit/vault/fs/impl/io/JackrabbitACLImporter$ImportedPolicy.class */
    private abstract class ImportedPolicy<T extends AccessControlPolicy> {
        private ImportedPolicy() {
        }

        abstract State append(State state, DocViewNode2 docViewNode2);

        abstract void endNode(State state);

        abstract void apply(List<String> list, NameResolver nameResolver) throws RepositoryException;

        Principal getPrincipal(final String str) {
            return new Principal() { // from class: org.apache.jackrabbit.vault.fs.impl.io.JackrabbitACLImporter.ImportedPolicy.1
                @Override // java.security.Principal
                public String getName() {
                    return str;
                }
            };
        }

        T getPolicy(Class<T> cls) throws RepositoryException {
            for (AccessControlPolicy accessControlPolicy : JackrabbitACLImporter.this.acMgr.getPolicies(JackrabbitACLImporter.this.accessControlledPath)) {
                if (cls.isAssignableFrom(accessControlPolicy.getClass())) {
                    return cls.cast(accessControlPolicy);
                }
            }
            return null;
        }

        T getPolicy(Class<T> cls, Principal principal) throws RepositoryException {
            if (!(JackrabbitACLImporter.this.acMgr instanceof JackrabbitAccessControlManager)) {
                return null;
            }
            for (JackrabbitAccessControlPolicy jackrabbitAccessControlPolicy : ((JackrabbitAccessControlManager) JackrabbitACLImporter.this.acMgr).getPolicies(principal)) {
                if (cls.isAssignableFrom(jackrabbitAccessControlPolicy.getClass())) {
                    return cls.cast(jackrabbitAccessControlPolicy);
                }
            }
            return null;
        }

        T getApplicablePolicy(Class<T> cls) throws RepositoryException {
            AccessControlPolicyIterator applicablePolicies = JackrabbitACLImporter.this.acMgr.getApplicablePolicies(JackrabbitACLImporter.this.accessControlledPath);
            while (applicablePolicies.hasNext()) {
                AccessControlPolicy nextAccessControlPolicy = applicablePolicies.nextAccessControlPolicy();
                if (cls.isAssignableFrom(nextAccessControlPolicy.getClass())) {
                    return cls.cast(nextAccessControlPolicy);
                }
            }
            throw new RepositoryException("no applicable AccessControlPolicy of type " + cls + " on " + (JackrabbitACLImporter.this.accessControlledPath == null ? "'root'" : JackrabbitACLImporter.this.accessControlledPath));
        }

        T getApplicablePolicy(Class<T> cls, Principal principal) throws RepositoryException {
            if (JackrabbitACLImporter.this.acMgr instanceof JackrabbitAccessControlManager) {
                for (JackrabbitAccessControlPolicy jackrabbitAccessControlPolicy : ((JackrabbitAccessControlManager) JackrabbitACLImporter.this.acMgr).getApplicablePolicies(principal)) {
                    if (cls.isAssignableFrom(jackrabbitAccessControlPolicy.getClass())) {
                        return cls.cast(jackrabbitAccessControlPolicy);
                    }
                }
            }
            throw new AccessControlException("no applicable AccessControlPolicy of type " + cls + " for " + principal.getName());
        }
    }

    /* loaded from: input_file:org/apache/jackrabbit/vault/fs/impl/io/JackrabbitACLImporter$ImportedPrincipalAcList.class */
    private final class ImportedPrincipalAcList extends ImportedPolicy<PrincipalAccessControlList> {
        private final Principal principal;
        private final List<PrincipalEntry> entries;
        private PrincipalEntry currentEntry;

        private ImportedPrincipalAcList(DocViewNode2 docViewNode2) {
            super();
            this.entries = new ArrayList();
            String orElseThrow = docViewNode2.getPropertyValue(NameConstants.REP_PRINCIPAL_NAME).orElseThrow(() -> {
                return new IllegalStateException("mandatory property 'rep:principalName' missing on principal policy node");
            });
            Principal principal = JackrabbitACLImporter.this.pMgr.getPrincipal(orElseThrow);
            if (principal == null) {
                try {
                    Authorizable authorizableByPath = JackrabbitACLImporter.this.session.getUserManager().getAuthorizableByPath(JackrabbitACLImporter.this.accessControlledPath);
                    if (authorizableByPath != null) {
                        principal = authorizableByPath.getPrincipal();
                    }
                } catch (RepositoryException e) {
                    JackrabbitACLImporter.log.debug("Error while trying to retrieve user/group from access controlled path {}, {}", JackrabbitACLImporter.this.accessControlledPath, e.getMessage());
                }
                if (principal == null) {
                    principal = getPrincipal(orElseThrow);
                }
            }
            this.principal = principal;
        }

        @Override // org.apache.jackrabbit.vault.fs.impl.io.JackrabbitACLImporter.ImportedPolicy
        State append(State state, DocViewNode2 docViewNode2) {
            if (state != State.ACL) {
                if (state == State.ACE) {
                    this.currentEntry.addRestrictions(docViewNode2);
                    return State.RESTRICTION;
                }
                JackrabbitACLImporter.log.error("Error while reading access control content: Unexpected node: {} for state {}", docViewNode2.getPrimaryType(), state);
                return State.ERROR;
            }
            if (!"rep:PrincipalEntry".equals(docViewNode2.getPrimaryType().orElseThrow(() -> {
                return new IllegalStateException("mandatory property 'jcr:primaryType' missing on principal policy node");
            }))) {
                JackrabbitACLImporter.log.error("Unexpected node type of access control entry: {}", docViewNode2.getPrimaryType());
                return State.ERROR;
            }
            this.currentEntry = new PrincipalEntry(docViewNode2);
            this.entries.add(this.currentEntry);
            return State.ACE;
        }

        @Override // org.apache.jackrabbit.vault.fs.impl.io.JackrabbitACLImporter.ImportedPolicy
        void endNode(State state) {
            if (state == State.ACE) {
                this.currentEntry = null;
            }
        }

        @Override // org.apache.jackrabbit.vault.fs.impl.io.JackrabbitACLImporter.ImportedPolicy
        void apply(List<String> list, NameResolver nameResolver) throws RepositoryException {
            if (JackrabbitACLImporter.this.aclHandling == AccessControlHandling.MERGE_PRESERVE) {
                JackrabbitACLImporter.log.debug("MERGE_PRESERVE for principal-based access control list is equivalent to IGNORE.");
                return;
            }
            PrincipalAccessControlList policy = getPolicy(PrincipalAccessControlList.class, this.principal);
            if (policy != null && JackrabbitACLImporter.this.aclHandling == AccessControlHandling.OVERWRITE) {
                JackrabbitACLImporter.this.acMgr.removePolicy(policy.getPath(), policy);
                policy = null;
            }
            if (policy == null) {
                policy = getApplicablePolicy(PrincipalAccessControlList.class, this.principal);
            }
            for (PrincipalEntry principalEntry : this.entries) {
                HashMap hashMap = new HashMap();
                HashMap hashMap2 = new HashMap();
                principalEntry.convertRestrictions(policy, JackrabbitACLImporter.this.session.getValueFactory(), nameResolver, hashMap, hashMap2);
                policy.addEntry(principalEntry.effectivePath, principalEntry.getPrivileges(JackrabbitACLImporter.this.acMgr), hashMap, hashMap2);
            }
            JackrabbitACLImporter.this.acMgr.setPolicy(policy.getPath(), policy);
            if (JackrabbitACLImporter.this.accessControlledPath == null) {
                JackrabbitACLImporter.this.addPathIfExists(list, "/rep:repoPolicy");
            } else if ("/".equals(JackrabbitACLImporter.this.accessControlledPath)) {
                JackrabbitACLImporter.this.addPathIfExists(list, "/rep:policy");
            } else {
                JackrabbitACLImporter.this.addPathIfExists(list, JackrabbitACLImporter.this.accessControlledPath + "/rep:policy");
            }
        }
    }

    /* loaded from: input_file:org/apache/jackrabbit/vault/fs/impl/io/JackrabbitACLImporter$ImportedPrincipalSet.class */
    private final class ImportedPrincipalSet extends ImportedPolicy<PrincipalSetPolicy> {
        private final Collection<String> principalNames;

        private ImportedPrincipalSet(DocViewNode2 docViewNode2) {
            super();
            this.principalNames = docViewNode2.getPropertyValues(JackrabbitACLImporter.NAME_REP_PRINCIPAL_NAMES);
        }

        @Override // org.apache.jackrabbit.vault.fs.impl.io.JackrabbitACLImporter.ImportedPolicy
        State append(State state, DocViewNode2 docViewNode2) {
            JackrabbitACLImporter.log.error("Error while reading access control content: Unexpected node: {} for state {}", docViewNode2.getPrimaryType(), state);
            return State.ERROR;
        }

        @Override // org.apache.jackrabbit.vault.fs.impl.io.JackrabbitACLImporter.ImportedPolicy
        void endNode(State state) {
        }

        @Override // org.apache.jackrabbit.vault.fs.impl.io.JackrabbitACLImporter.ImportedPolicy
        void apply(List<String> list, NameResolver nameResolver) throws RepositoryException {
            PrincipalSetPolicy policy = getPolicy(PrincipalSetPolicy.class);
            if (policy != null) {
                Set<Principal> principals = policy.getPrincipals();
                if (JackrabbitACLImporter.this.aclHandling == AccessControlHandling.OVERWRITE) {
                    policy.removePrincipals((Principal[]) principals.toArray(new Principal[principals.size()]));
                }
            } else {
                policy = getApplicablePolicy(PrincipalSetPolicy.class);
            }
            policy.addPrincipals((Principal[]) this.principalNames.stream().map(str -> {
                return getPrincipal(str);
            }).toArray(i -> {
                return new Principal[i];
            }));
            JackrabbitACLImporter.this.acMgr.setPolicy(JackrabbitACLImporter.this.accessControlledPath, policy);
            if ("/".equals(JackrabbitACLImporter.this.accessControlledPath)) {
                JackrabbitACLImporter.this.addPathIfExists(list, "/rep:cugPolicy");
            } else {
                JackrabbitACLImporter.this.addPathIfExists(list, JackrabbitACLImporter.this.accessControlledPath + "/rep:cugPolicy");
            }
        }
    }

    /* loaded from: input_file:org/apache/jackrabbit/vault/fs/impl/io/JackrabbitACLImporter$PrincipalEntry.class */
    private static class PrincipalEntry extends AbstractEntry {
        private final String effectivePath;

        private PrincipalEntry(DocViewNode2 docViewNode2) {
            super(docViewNode2);
            String orElseThrow = docViewNode2.getPropertyValue(JackrabbitACLImporter.NAME_REP_EFFECTIVE_PATH).orElseThrow(() -> {
                return new IllegalStateException("mandatory property 'rep:effectivePath ' missing on principal entry node");
            });
            if (orElseThrow.isEmpty()) {
                this.effectivePath = null;
            } else {
                this.effectivePath = orElseThrow;
            }
        }
    }

    /* loaded from: input_file:org/apache/jackrabbit/vault/fs/impl/io/JackrabbitACLImporter$State.class */
    private enum State {
        INITIAL,
        ACL,
        ACE,
        RESTRICTION,
        ERROR,
        PRINCIPAL_SET_POLICY
    }

    public JackrabbitACLImporter(Node node, AccessControlHandling accessControlHandling) throws RepositoryException {
        this(node.getSession(), node.getPath(), accessControlHandling);
    }

    public JackrabbitACLImporter(Session session, AccessControlHandling accessControlHandling) throws RepositoryException {
        this(session, null, accessControlHandling);
    }

    private JackrabbitACLImporter(Session session, String str, AccessControlHandling accessControlHandling) throws RepositoryException {
        this.states = new LinkedList();
        if (accessControlHandling == AccessControlHandling.CLEAR || accessControlHandling == AccessControlHandling.IGNORE) {
            throw new RepositoryException("Error while reading access control content: unsupported AccessControlHandling: " + accessControlHandling);
        }
        this.accessControlledPath = str;
        this.session = (JackrabbitSession) session;
        this.acMgr = this.session.getAccessControlManager();
        this.pMgr = this.session.getPrincipalManager();
        this.aclHandling = accessControlHandling;
        this.states.push(State.INITIAL);
        this.resolver = new DefaultNamePathResolver(session);
    }

    @Override // org.apache.jackrabbit.vault.fs.impl.io.DocViewAdapter
    public void startNode(DocViewNode2 docViewNode2) {
        State peek = this.states.peek();
        switch (peek) {
            case INITIAL:
                String orElseThrow = docViewNode2.getPrimaryType().orElseThrow(() -> {
                    return new IllegalStateException("Error while reading access control content: Missing 'jcr:primaryType'");
                });
                if (!"rep:ACL".equals(orElseThrow)) {
                    if (!"rep:CugPolicy".equals(orElseThrow)) {
                        if (!"rep:PrincipalPolicy".equals(orElseThrow)) {
                            log.error("Error while reading access control content: Expected rep:ACL or rep:CugPolicy but was: {}", docViewNode2.getPrimaryType());
                            peek = State.ERROR;
                            break;
                        } else {
                            this.importPolicy = new ImportedPrincipalAcList(docViewNode2);
                            peek = State.ACL;
                            break;
                        }
                    } else {
                        this.importPolicy = new ImportedPrincipalSet(docViewNode2);
                        peek = State.PRINCIPAL_SET_POLICY;
                        break;
                    }
                } else {
                    this.importPolicy = new ImportedAcList();
                    peek = State.ACL;
                    break;
                }
            case ACL:
            case ACE:
            case RESTRICTION:
                peek = this.importPolicy.append(peek, docViewNode2);
                break;
            case PRINCIPAL_SET_POLICY:
                peek = this.importPolicy.append(peek, docViewNode2);
                break;
        }
        this.states.push(peek);
    }

    @Override // org.apache.jackrabbit.vault.fs.impl.io.DocViewAdapter
    public void endNode() {
        this.importPolicy.endNode(this.states.pop());
    }

    @Override // org.apache.jackrabbit.vault.fs.impl.io.DocViewAdapter
    public List<String> close() throws RepositoryException {
        if (this.states.peek() != State.INITIAL) {
            log.error("Unexpected end state: {}", this.states.peek());
        }
        ArrayList arrayList = new ArrayList();
        this.importPolicy.apply(arrayList, this.resolver);
        return arrayList;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void addPathIfExists(List<String> list, String str) throws RepositoryException {
        if (this.session.nodeExists(str)) {
            list.add(str);
        }
    }
}
