package org.apache.jackrabbit.vault.fs.impl.io;

import java.security.Principal;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.Stack;
import javax.jcr.Node;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.ValueFactory;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlException;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.api.security.authorization.PrincipalAccessControlList;
import org.apache.jackrabbit.api.security.authorization.PrincipalSetPolicy;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.vault.fs.io.AccessControlHandling;
import org.apache.jackrabbit.vault.util.DocViewNode;
import org.apache.jackrabbit.vault.util.DocViewProperty;
import org.slf4j.Logger;
import org.xml.sax.SAXException;

/* loaded from: input_file:org/apache/jackrabbit/vault/fs/impl/io/JackrabbitACLImporter.class */
public class JackrabbitACLImporter implements DocViewAdapter {
    private static final Logger log = DocViewSAXImporter.log;
    private final JackrabbitSession session;
    private final AccessControlHandling aclHandling;
    private final AccessControlManager acMgr;
    private final PrincipalManager pMgr;
    private final String accessControlledPath;
    private ImportedPolicy<? extends AccessControlPolicy> importPolicy;
    private final Stack<State> states;

    /* renamed from: org.apache.jackrabbit.vault.fs.impl.io.JackrabbitACLImporter$1, reason: invalid class name */
    /* loaded from: input_file:org/apache/jackrabbit/vault/fs/impl/io/JackrabbitACLImporter$1.class */
    static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$apache$jackrabbit$vault$fs$impl$io$JackrabbitACLImporter$State = new int[State.values().length];

        static {
            try {
                $SwitchMap$org$apache$jackrabbit$vault$fs$impl$io$JackrabbitACLImporter$State[State.INITIAL.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$apache$jackrabbit$vault$fs$impl$io$JackrabbitACLImporter$State[State.ACL.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$apache$jackrabbit$vault$fs$impl$io$JackrabbitACLImporter$State[State.ACE.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$org$apache$jackrabbit$vault$fs$impl$io$JackrabbitACLImporter$State[State.RESTRICTION.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$org$apache$jackrabbit$vault$fs$impl$io$JackrabbitACLImporter$State[State.PRINCIPAL_SET_POLICY.ordinal()] = 5;
            } catch (NoSuchFieldError e5) {
            }
            try {
                $SwitchMap$org$apache$jackrabbit$vault$fs$impl$io$JackrabbitACLImporter$State[State.ERROR.ordinal()] = 6;
            } catch (NoSuchFieldError e6) {
            }
        }
    }

    /* loaded from: input_file:org/apache/jackrabbit/vault/fs/impl/io/JackrabbitACLImporter$ACE.class */
    private static class ACE extends AbstractEntry {
        private final boolean allow;
        private final String principalName;

        private ACE(DocViewNode docViewNode) {
            super(docViewNode, null);
            if ("rep:GrantACE".equals(docViewNode.primary)) {
                this.allow = true;
            } else {
                if (!"rep:DenyACE".equals(docViewNode.primary)) {
                    throw new IllegalArgumentException("Unexpected node ACE type: " + docViewNode.primary);
                }
                this.allow = false;
            }
            this.principalName = docViewNode.getValue("rep:principalName");
        }

        /* synthetic */ ACE(DocViewNode docViewNode, AnonymousClass1 anonymousClass1) {
            this(docViewNode);
        }
    }

    /* loaded from: input_file:org/apache/jackrabbit/vault/fs/impl/io/JackrabbitACLImporter$AbstractEntry.class */
    private static class AbstractEntry {
        private final String[] privileges;
        private final Map<String, DocViewProperty> restrictions;

        private AbstractEntry(DocViewNode docViewNode) {
            this.restrictions = new HashMap();
            this.privileges = docViewNode.getValues("rep:privileges");
            addRestrictions(docViewNode);
        }

        void addRestrictions(DocViewNode docViewNode) {
            this.restrictions.putAll(docViewNode.props);
        }

        void convertRestrictions(JackrabbitAccessControlList jackrabbitAccessControlList, ValueFactory valueFactory, Map<String, Value> map, Map<String, Value[]> map2) throws RepositoryException {
            for (String str : jackrabbitAccessControlList.getRestrictionNames()) {
                DocViewProperty docViewProperty = this.restrictions.get(str);
                if (docViewProperty != null) {
                    Value[] valueArr = new Value[docViewProperty.values.length];
                    int restrictionType = jackrabbitAccessControlList.getRestrictionType(str);
                    for (int i = 0; i < valueArr.length; i++) {
                        valueArr[i] = valueFactory.createValue(docViewProperty.values[i], restrictionType);
                    }
                    if (docViewProperty.isMulti) {
                        map2.put(str, valueArr);
                    } else {
                        map.put(str, valueArr[0]);
                    }
                }
            }
        }

        Privilege[] getPrivileges(AccessControlManager accessControlManager) throws RepositoryException {
            return AccessControlUtils.privilegesFromNames(accessControlManager, this.privileges);
        }

        /* synthetic */ AbstractEntry(DocViewNode docViewNode, AnonymousClass1 anonymousClass1) {
            this(docViewNode);
        }
    }

    /* loaded from: input_file:org/apache/jackrabbit/vault/fs/impl/io/JackrabbitACLImporter$ImportedAcList.class */
    private final class ImportedAcList extends ImportedPolicy<JackrabbitAccessControlList> {
        private List<ACE> aceList;
        private ACE currentACE;

        private ImportedAcList() {
            super(JackrabbitACLImporter.this, null);
            this.aceList = new ArrayList();
        }

        @Override // org.apache.jackrabbit.vault.fs.impl.io.JackrabbitACLImporter.ImportedPolicy
        State append(State state, DocViewNode docViewNode) {
            if (state != State.ACL) {
                if (state == State.ACE) {
                    this.currentACE.addRestrictions(docViewNode);
                    return State.RESTRICTION;
                }
                JackrabbitACLImporter.log.error("Error while reading access control content: Unexpected node: {} for state {}", docViewNode.primary, state);
                return State.ERROR;
            }
            try {
                this.currentACE = new ACE(docViewNode, null);
                this.aceList.add(this.currentACE);
                return State.ACE;
            } catch (IllegalArgumentException e) {
                JackrabbitACLImporter.log.error("Error while reading access control content: {}", e);
                return State.ERROR;
            }
        }

        @Override // org.apache.jackrabbit.vault.fs.impl.io.JackrabbitACLImporter.ImportedPolicy
        void endNode(State state) {
            if (state == State.ACE) {
                this.currentACE = null;
            }
        }

        @Override // org.apache.jackrabbit.vault.fs.impl.io.JackrabbitACLImporter.ImportedPolicy
        void apply(List<String> list) throws RepositoryException {
            JackrabbitAccessControlList policy = getPolicy(JackrabbitAccessControlList.class);
            HashSet hashSet = new HashSet();
            if (policy != null) {
                for (AccessControlEntry accessControlEntry : policy.getAccessControlEntries()) {
                    hashSet.add(accessControlEntry.getPrincipal().getName());
                }
                if (JackrabbitACLImporter.this.aclHandling == AccessControlHandling.OVERWRITE) {
                    JackrabbitACLImporter.this.acMgr.removePolicy(JackrabbitACLImporter.this.accessControlledPath, policy);
                    policy = null;
                }
            }
            if (policy == null) {
                policy = getApplicablePolicy(JackrabbitAccessControlList.class);
            }
            if (JackrabbitACLImporter.this.aclHandling == AccessControlHandling.MERGE) {
                for (ACE ace : this.aceList) {
                    for (AccessControlEntry accessControlEntry2 : policy.getAccessControlEntries()) {
                        if (accessControlEntry2.getPrincipal().getName().equals(ace.principalName)) {
                            policy.removeAccessControlEntry(accessControlEntry2);
                        }
                    }
                }
            }
            for (ACE ace2 : this.aceList) {
                String str = ace2.principalName;
                if (JackrabbitACLImporter.this.aclHandling != AccessControlHandling.MERGE_PRESERVE || !hashSet.contains(str)) {
                    Principal principal = getPrincipal(str);
                    HashMap hashMap = new HashMap();
                    HashMap hashMap2 = new HashMap();
                    ace2.convertRestrictions(policy, JackrabbitACLImporter.this.session.getValueFactory(), hashMap, hashMap2);
                    policy.addEntry(principal, ace2.getPrivileges(JackrabbitACLImporter.this.acMgr), ace2.allow, hashMap, hashMap2);
                }
            }
            JackrabbitACLImporter.this.acMgr.setPolicy(JackrabbitACLImporter.this.accessControlledPath, policy);
            if (JackrabbitACLImporter.this.accessControlledPath == null) {
                JackrabbitACLImporter.this.addPathIfExists(list, "/rep:repoPolicy");
            } else if ("/".equals(JackrabbitACLImporter.this.accessControlledPath)) {
                JackrabbitACLImporter.this.addPathIfExists(list, "/rep:policy");
            } else {
                JackrabbitACLImporter.this.addPathIfExists(list, JackrabbitACLImporter.this.accessControlledPath + "/rep:policy");
            }
        }

        /* synthetic */ ImportedAcList(JackrabbitACLImporter jackrabbitACLImporter, AnonymousClass1 anonymousClass1) {
            this();
        }
    }

    /* loaded from: input_file:org/apache/jackrabbit/vault/fs/impl/io/JackrabbitACLImporter$ImportedPolicy.class */
    private abstract class ImportedPolicy<T extends AccessControlPolicy> {
        private ImportedPolicy() {
        }

        abstract State append(State state, DocViewNode docViewNode);

        abstract void endNode(State state);

        abstract void apply(List<String> list) throws RepositoryException;

        Principal getPrincipal(final String str) {
            return new Principal() { // from class: org.apache.jackrabbit.vault.fs.impl.io.JackrabbitACLImporter.ImportedPolicy.1
                @Override // java.security.Principal
                public String getName() {
                    return str;
                }
            };
        }

        T getPolicy(Class<T> cls) throws RepositoryException {
            for (AccessControlPolicy accessControlPolicy : JackrabbitACLImporter.this.acMgr.getPolicies(JackrabbitACLImporter.this.accessControlledPath)) {
                T t = (T) accessControlPolicy;
                if (cls.isAssignableFrom(t.getClass())) {
                    return t;
                }
            }
            return null;
        }

        T getPolicy(Class<T> cls, Principal principal) throws RepositoryException {
            if (!(JackrabbitACLImporter.this.acMgr instanceof JackrabbitAccessControlManager)) {
                return null;
            }
            for (T t : JackrabbitACLImporter.this.acMgr.getPolicies(principal)) {
                if (cls.isAssignableFrom(t.getClass())) {
                    return t;
                }
            }
            return null;
        }

        T getApplicablePolicy(Class<T> cls) throws RepositoryException {
            AccessControlPolicyIterator applicablePolicies = JackrabbitACLImporter.this.acMgr.getApplicablePolicies(JackrabbitACLImporter.this.accessControlledPath);
            while (applicablePolicies.hasNext()) {
                T t = (T) applicablePolicies.nextAccessControlPolicy();
                if (cls.isAssignableFrom(t.getClass())) {
                    return t;
                }
            }
            throw new RepositoryException("no applicable AccessControlPolicy of type " + cls + " on " + (JackrabbitACLImporter.this.accessControlledPath == null ? "'root'" : JackrabbitACLImporter.this.accessControlledPath));
        }

        T getApplicablePolicy(Class<T> cls, Principal principal) throws RepositoryException {
            if (JackrabbitACLImporter.this.acMgr instanceof JackrabbitAccessControlManager) {
                for (T t : JackrabbitACLImporter.this.acMgr.getApplicablePolicies(principal)) {
                    if (cls.isAssignableFrom(t.getClass())) {
                        return t;
                    }
                }
            }
            throw new AccessControlException("no applicable AccessControlPolicy of type " + cls + " for " + principal.getName());
        }

        /* synthetic */ ImportedPolicy(JackrabbitACLImporter jackrabbitACLImporter, AnonymousClass1 anonymousClass1) {
            this();
        }
    }

    /* loaded from: input_file:org/apache/jackrabbit/vault/fs/impl/io/JackrabbitACLImporter$ImportedPrincipalAcList.class */
    private final class ImportedPrincipalAcList extends ImportedPolicy<PrincipalAccessControlList> {
        private final Principal principal;
        private final List<PrincipalEntry> entries;
        private PrincipalEntry currentEntry;

        private ImportedPrincipalAcList(DocViewNode docViewNode) {
            super(JackrabbitACLImporter.this, null);
            this.entries = new ArrayList();
            String value = docViewNode.getValue("rep:principalName");
            Principal principal = JackrabbitACLImporter.this.pMgr.getPrincipal(value);
            if (principal == null) {
                try {
                    Authorizable authorizableByPath = JackrabbitACLImporter.this.session.getUserManager().getAuthorizableByPath(JackrabbitACLImporter.this.accessControlledPath);
                    if (authorizableByPath != null) {
                        principal = authorizableByPath.getPrincipal();
                    }
                } catch (RepositoryException e) {
                    JackrabbitACLImporter.log.debug("Error while trying to retrieve user/group from access controlled path {}, {}", JackrabbitACLImporter.this.accessControlledPath, e.getMessage());
                }
                if (principal == null) {
                    principal = getPrincipal(value);
                }
            }
            this.principal = principal;
        }

        @Override // org.apache.jackrabbit.vault.fs.impl.io.JackrabbitACLImporter.ImportedPolicy
        State append(State state, DocViewNode docViewNode) {
            if (state != State.ACL) {
                if (state == State.ACE) {
                    this.currentEntry.addRestrictions(docViewNode);
                    return State.RESTRICTION;
                }
                JackrabbitACLImporter.log.error("Error while reading access control content: Unexpected node: {} for state {}", docViewNode.primary, state);
                return State.ERROR;
            }
            if (!"rep:PrincipalEntry".equals(docViewNode.primary)) {
                JackrabbitACLImporter.log.error("Unexpected node type of access control entry: {}", docViewNode.primary);
                return State.ERROR;
            }
            this.currentEntry = new PrincipalEntry(docViewNode, null);
            this.entries.add(this.currentEntry);
            return State.ACE;
        }

        @Override // org.apache.jackrabbit.vault.fs.impl.io.JackrabbitACLImporter.ImportedPolicy
        void endNode(State state) {
            if (state == State.ACE) {
                this.currentEntry = null;
            }
        }

        @Override // org.apache.jackrabbit.vault.fs.impl.io.JackrabbitACLImporter.ImportedPolicy
        void apply(List<String> list) throws RepositoryException {
            if (JackrabbitACLImporter.this.aclHandling == AccessControlHandling.MERGE_PRESERVE) {
                JackrabbitACLImporter.log.debug("MERGE_PRESERVE for principal-based access control list is equivalent to IGNORE.");
                return;
            }
            PrincipalAccessControlList policy = getPolicy(PrincipalAccessControlList.class, this.principal);
            if (policy != null && JackrabbitACLImporter.this.aclHandling == AccessControlHandling.OVERWRITE) {
                JackrabbitACLImporter.this.acMgr.removePolicy(policy.getPath(), policy);
                policy = null;
            }
            if (policy == null) {
                policy = getApplicablePolicy(PrincipalAccessControlList.class, this.principal);
            }
            for (PrincipalEntry principalEntry : this.entries) {
                HashMap hashMap = new HashMap();
                HashMap hashMap2 = new HashMap();
                principalEntry.convertRestrictions(policy, JackrabbitACLImporter.this.session.getValueFactory(), hashMap, hashMap2);
                policy.addEntry(principalEntry.effectivePath, principalEntry.getPrivileges(JackrabbitACLImporter.this.acMgr), hashMap, hashMap2);
            }
            JackrabbitACLImporter.this.acMgr.setPolicy(policy.getPath(), policy);
            if (JackrabbitACLImporter.this.accessControlledPath == null) {
                JackrabbitACLImporter.this.addPathIfExists(list, "/rep:repoPolicy");
            } else if ("/".equals(JackrabbitACLImporter.this.accessControlledPath)) {
                JackrabbitACLImporter.this.addPathIfExists(list, "/rep:policy");
            } else {
                JackrabbitACLImporter.this.addPathIfExists(list, JackrabbitACLImporter.this.accessControlledPath + "/rep:policy");
            }
        }

        /* synthetic */ ImportedPrincipalAcList(JackrabbitACLImporter jackrabbitACLImporter, DocViewNode docViewNode, AnonymousClass1 anonymousClass1) {
            this(docViewNode);
        }
    }

    /* loaded from: input_file:org/apache/jackrabbit/vault/fs/impl/io/JackrabbitACLImporter$ImportedPrincipalSet.class */
    private final class ImportedPrincipalSet extends ImportedPolicy<PrincipalSetPolicy> {
        private final String[] principalNames;

        private ImportedPrincipalSet(DocViewNode docViewNode) {
            super(JackrabbitACLImporter.this, null);
            this.principalNames = docViewNode.getValues("rep:principalNames");
        }

        @Override // org.apache.jackrabbit.vault.fs.impl.io.JackrabbitACLImporter.ImportedPolicy
        State append(State state, DocViewNode docViewNode) {
            JackrabbitACLImporter.log.error("Error while reading access control content: Unexpected node: {} for state {}", docViewNode.primary, state);
            return State.ERROR;
        }

        @Override // org.apache.jackrabbit.vault.fs.impl.io.JackrabbitACLImporter.ImportedPolicy
        void endNode(State state) {
        }

        @Override // org.apache.jackrabbit.vault.fs.impl.io.JackrabbitACLImporter.ImportedPolicy
        void apply(List<String> list) throws RepositoryException {
            AccessControlPolicy accessControlPolicy = (PrincipalSetPolicy) getPolicy(PrincipalSetPolicy.class);
            if (accessControlPolicy != null) {
                Set principals = accessControlPolicy.getPrincipals();
                if (JackrabbitACLImporter.this.aclHandling == AccessControlHandling.OVERWRITE) {
                    accessControlPolicy.removePrincipals((Principal[]) principals.toArray(new Principal[principals.size()]));
                }
            } else {
                accessControlPolicy = (PrincipalSetPolicy) getApplicablePolicy(PrincipalSetPolicy.class);
            }
            Principal[] principalArr = new Principal[this.principalNames.length];
            for (int i = 0; i < principalArr.length; i++) {
                principalArr[i] = getPrincipal(this.principalNames[i]);
            }
            accessControlPolicy.addPrincipals(principalArr);
            JackrabbitACLImporter.this.acMgr.setPolicy(JackrabbitACLImporter.this.accessControlledPath, accessControlPolicy);
            if ("/".equals(JackrabbitACLImporter.this.accessControlledPath)) {
                JackrabbitACLImporter.this.addPathIfExists(list, "/rep:cugPolicy");
            } else {
                JackrabbitACLImporter.this.addPathIfExists(list, JackrabbitACLImporter.this.accessControlledPath + "/rep:cugPolicy");
            }
        }

        /* synthetic */ ImportedPrincipalSet(JackrabbitACLImporter jackrabbitACLImporter, DocViewNode docViewNode, AnonymousClass1 anonymousClass1) {
            this(docViewNode);
        }
    }

    /* loaded from: input_file:org/apache/jackrabbit/vault/fs/impl/io/JackrabbitACLImporter$PrincipalEntry.class */
    private static class PrincipalEntry extends AbstractEntry {
        private final String effectivePath;

        private PrincipalEntry(DocViewNode docViewNode) {
            super(docViewNode, null);
            String value = docViewNode.getValue("rep:effectivePath");
            if (value.isEmpty()) {
                this.effectivePath = null;
            } else {
                this.effectivePath = value;
            }
        }

        /* synthetic */ PrincipalEntry(DocViewNode docViewNode, AnonymousClass1 anonymousClass1) {
            this(docViewNode);
        }
    }

    /* loaded from: input_file:org/apache/jackrabbit/vault/fs/impl/io/JackrabbitACLImporter$State.class */
    private enum State {
        INITIAL,
        ACL,
        ACE,
        RESTRICTION,
        ERROR,
        PRINCIPAL_SET_POLICY
    }

    public JackrabbitACLImporter(Node node, AccessControlHandling accessControlHandling) throws RepositoryException {
        this(node.getSession(), node.getPath(), accessControlHandling);
    }

    public JackrabbitACLImporter(Session session, AccessControlHandling accessControlHandling) throws RepositoryException {
        this(session, null, accessControlHandling);
    }

    private JackrabbitACLImporter(Session session, String str, AccessControlHandling accessControlHandling) throws RepositoryException {
        this.states = new Stack<>();
        if (accessControlHandling == AccessControlHandling.CLEAR || accessControlHandling == AccessControlHandling.IGNORE) {
            throw new RepositoryException("Error while reading access control content: unsupported AccessControlHandling: " + accessControlHandling);
        }
        this.accessControlledPath = str;
        this.session = (JackrabbitSession) session;
        this.acMgr = this.session.getAccessControlManager();
        this.pMgr = this.session.getPrincipalManager();
        this.aclHandling = accessControlHandling;
        this.states.push(State.INITIAL);
    }

    @Override // org.apache.jackrabbit.vault.fs.impl.io.DocViewAdapter
    public void startNode(DocViewNode docViewNode) {
        State peek = this.states.peek();
        switch (AnonymousClass1.$SwitchMap$org$apache$jackrabbit$vault$fs$impl$io$JackrabbitACLImporter$State[peek.ordinal()]) {
            case 1:
                if (!"rep:ACL".equals(docViewNode.primary)) {
                    if (!"rep:CugPolicy".equals(docViewNode.primary)) {
                        if (!"rep:PrincipalPolicy".equals(docViewNode.primary)) {
                            log.error("Error while reading access control content: Expected rep:ACL or rep:CugPolicy but was: {}", docViewNode.primary);
                            peek = State.ERROR;
                            break;
                        } else {
                            this.importPolicy = new ImportedPrincipalAcList(this, docViewNode, null);
                            peek = State.ACL;
                            break;
                        }
                    } else {
                        this.importPolicy = new ImportedPrincipalSet(this, docViewNode, null);
                        peek = State.PRINCIPAL_SET_POLICY;
                        break;
                    }
                } else {
                    this.importPolicy = new ImportedAcList(this, null);
                    peek = State.ACL;
                    break;
                }
            case 2:
            case 3:
            case 4:
                peek = this.importPolicy.append(peek, docViewNode);
                break;
            case 5:
                peek = this.importPolicy.append(peek, docViewNode);
                break;
        }
        this.states.push(peek);
    }

    @Override // org.apache.jackrabbit.vault.fs.impl.io.DocViewAdapter
    public void endNode() throws SAXException {
        this.importPolicy.endNode(this.states.pop());
    }

    @Override // org.apache.jackrabbit.vault.fs.impl.io.DocViewAdapter
    public List<String> close() throws SAXException, RepositoryException {
        if (this.states.peek() != State.INITIAL) {
            log.error("Unexpected end state: {}", this.states.peek());
        }
        ArrayList arrayList = new ArrayList();
        this.importPolicy.apply(arrayList);
        return arrayList;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void addPathIfExists(List<String> list, String str) throws RepositoryException {
        if (this.session.nodeExists(str)) {
            list.add(str);
        }
    }
}
