package pl.ds.websight.usermanager.rest.permission;

import java.security.Principal;
import java.util.ArrayDeque;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.Map;
import java.util.Set;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import org.apache.commons.lang3.ArrayUtils;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
import org.osgi.service.component.annotations.Component;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import pl.ds.websight.rest.framework.RestAction;
import pl.ds.websight.rest.framework.RestActionResult;
import pl.ds.websight.rest.framework.annotations.SlingAction;
import pl.ds.websight.usermanager.dto.AclEntriesDto;
import pl.ds.websight.usermanager.rest.AbstractRestAction;
import pl.ds.websight.usermanager.rest.Messages;
import pl.ds.websight.usermanager.util.JcrSecurityUtil;
import pl.ds.websight.usermanager.util.PathAccessUtil;

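/**
 * GET action that reports the access control entries applying to an authorizable: the entries
 * bound to its own principal, plus the entries of every group it belongs to directly or
 * transitively, and of the "everyone" principal.
 *
 * <p>Entries are resolved through the access control manager of the session supplied by the
 * request model. Each entry is returned only if {@link #canReadAcl} succeeds for the entry's
 * path, so entries on paths that fail the {@code jcr:readAccessControl} check are omitted
 * rather than disclosed.
 *
 * <p>NOTE(review): this class performs no check of its own on which authorizable the caller may
 * query; presumably the request model validation and the session's permissions cover that.
 * Confirm against {@code PrincipalValidatableRestModel}.
 */
@SlingAction(SlingAction.HttpMethod.GET)
@Component
/* loaded from: input_file:resources/install/0/websight-release-admin-sling-1.0.3.zip:jcr_root/apps/websight/install/websight-user-manager-service-1.0.2.jar:pl/ds/websight/usermanager/rest/permission/FindAclEntriesRestAction.class */
public class FindAclEntriesRestAction extends AbstractRestAction<PrincipalValidatableRestModel, AclEntriesDto> implements RestAction<PrincipalValidatableRestModel, AclEntriesDto> {
    private static final Logger LOG = LoggerFactory.getLogger(FindAclEntriesRestAction.class);

    /**
     * Builds the response for the authorizable carried by the request model.
     *
     * <p>Decompiler note: JADX reports that this method's access modifier was changed from
     * {@code protected}; it is kept {@code public} here so the listing stays as decompiled.
     *
     * @param principalValidatableRestModel request model providing the JCR session and the
     *     authorizable to inspect
     * @return a success result wrapping the authorizable's own entries and its inherited ones
     * @throws Exception on repository errors, or if the session's access control manager is not
     *     a {@link JackrabbitAccessControlManager} (the cast below fails)
     */
    @Override // pl.ds.websight.usermanager.rest.AbstractRestAction
    public RestActionResult<AclEntriesDto> performAction(PrincipalValidatableRestModel principalValidatableRestModel) throws Exception {
        Session session = principalValidatableRestModel.getSession();
        // Principal-based policy lookup is a Jackrabbit extension, hence the downcast.
        JackrabbitAccessControlManager acManager = (JackrabbitAccessControlManager) session.getAccessControlManager();
        Authorizable authorizable = principalValidatableRestModel.getAuthorizable();
        Map<String, JackrabbitAccessControlEntry[]> ownPolicies = getPoliciesMap(authorizable.getPrincipal(), acManager);
        Set<InheritedMembershipInfo> inheritedPolicies = getInheritedMembershipPolicies(authorizable, acManager, session);
        return RestActionResult.success(new AclEntriesDto(ownPolicies, inheritedPolicies));
    }

    /**
     * Walks the group hierarchy above {@code authorizable} breadth-first and collects, for each
     * group found, the entries readable through {@code jackrabbitAccessControlManager}. The
     * "everyone" principal is appended last; the starting authorizable itself is not part of
     * the result.
     *
     * <p>A group is added to the result even when none of its entries passed the read check, so
     * the membership chain is reported independently of ACL readability.
     *
     * @param authorizable the user or group whose memberships are followed
     * @param jackrabbitAccessControlManager manager used to resolve and filter the entries
     * @param session session used to obtain the "everyone" principal
     * @return insertion-ordered set of inherited membership infos; empty when
     *     {@code authorizable} is the "everyone" principal itself
     * @throws RepositoryException if the repository cannot be queried
     */
    private static Set<InheritedMembershipInfo> getInheritedMembershipPolicies(Authorizable authorizable, JackrabbitAccessControlManager jackrabbitAccessControlManager, Session session) throws RepositoryException {
        Principal everyonePrincipal = AccessControlUtils.getEveryonePrincipal(session);
        if (everyonePrincipal.equals(authorizable.getPrincipal())) {
            LOG.debug("'Everyone' group doesn't contain any inherited policies");
            return Collections.emptySet();
        }
        Set<InheritedMembershipInfo> visited = new LinkedHashSet<>();
        ArrayDeque<InheritedMembershipInfo> pending = new ArrayDeque<>();
        InheritedMembershipInfo root = InheritedMembershipInfo.wrapRoot(authorizable);
        pending.add(root);
        while (!pending.isEmpty()) {
            InheritedMembershipInfo current = pending.remove();
            // getID() goes to the repository API; skip both calls when debug output is disabled.
            if (LOG.isDebugEnabled()) {
                LOG.debug("Added info about inherited entries for authorizable {} with root: {}", current.getAuthorizable().getID(), root.getAuthorizable().getID());
            }
            visited.add(current);
            Iterator<Group> parentGroups = current.getAuthorizable().declaredMemberOf();
            while (parentGroups.hasNext()) {
                Group parentGroup = parentGroups.next();
                InheritedMembershipInfo candidate = InheritedMembershipInfo.wrap(parentGroup, current, null);
                // NOTE(review): only nodes already processed are checked, not nodes still queued,
                // so a group reachable through two paths can be queued (and have its policies
                // resolved) more than once. Whether the set then de-duplicates it depends on
                // InheritedMembershipInfo.equals, which is not visible here - confirm.
                if (!visited.contains(candidate)) {
                    candidate.setPolicies(getPoliciesMap(parentGroup.getPrincipal(), jackrabbitAccessControlManager));
                    pending.add(candidate);
                }
            }
        }
        // The root only seeds the traversal; its own entries are reported separately.
        visited.remove(root);
        visited.add(InheritedMembershipInfo.wrapEveryoneGroup(getPoliciesMap(everyonePrincipal, jackrabbitAccessControlManager)));
        return visited;
    }

    /**
     * Collects the readable entries of every access control list bound to {@code principal}.
     * Policies that are not {@link JackrabbitAccessControlList}s are ignored.
     *
     * @param principal the principal whose policies are looked up
     * @param jackrabbitAccessControlManager manager used for the lookup and the read check
     * @return insertion-ordered map from policy id to the entries that passed the read check;
     *     lists with no readable entry contribute no key
     * @throws RepositoryException if the policies cannot be retrieved
     */
    private static Map<String, JackrabbitAccessControlEntry[]> getPoliciesMap(Principal principal, JackrabbitAccessControlManager jackrabbitAccessControlManager) throws RepositoryException {
        Map<String, JackrabbitAccessControlEntry[]> policiesById = new LinkedHashMap<>();
        for (JackrabbitAccessControlPolicy policy : jackrabbitAccessControlManager.getPolicies(principal)) {
            if (policy instanceof JackrabbitAccessControlList) {
                addReadableEntries(policiesById, (JackrabbitAccessControlList) policy, jackrabbitAccessControlManager);
            }
        }
        return policiesById;
    }

    /**
     * Adds to {@code map} the entries of {@code jackrabbitAccessControlList} whose path passes
     * {@link #canReadAcl}, keyed by the list's policy id. When the key already exists the new
     * entries are appended to the existing array. Nothing is added if no entry is readable.
     *
     * @param map target map, modified in place
     * @param jackrabbitAccessControlList the list whose entries are filtered
     * @param jackrabbitAccessControlManager manager used for the read check
     * @throws RepositoryException if the entries, their paths or the policy id cannot be read
     */
    private static void addReadableEntries(Map<String, JackrabbitAccessControlEntry[]> map, JackrabbitAccessControlList jackrabbitAccessControlList, JackrabbitAccessControlManager jackrabbitAccessControlManager) throws RepositoryException {
        // NOTE(review): this array downcast only succeeds if the implementation returns an array
        // whose runtime type is JackrabbitAccessControlEntry[]; confirm for the deployed repository.
        JackrabbitAccessControlEntry[] entries = (JackrabbitAccessControlEntry[]) jackrabbitAccessControlList.getAccessControlEntries();
        ArrayList<JackrabbitAccessControlEntry> readableEntries = new ArrayList<>();
        for (JackrabbitAccessControlEntry entry : entries) {
            if (canReadAcl(PathAccessUtil.getPath(entry), jackrabbitAccessControlManager)) {
                readableEntries.add(entry);
            }
        }
        if (readableEntries.isEmpty()) {
            return;
        }
        map.merge(
                JcrSecurityUtil.getPolicyId(jackrabbitAccessControlList),
                readableEntries.toArray(new JackrabbitAccessControlEntry[0]),
                (existing, added) -> ArrayUtils.addAll(existing, added));
    }

    /**
     * Checks the {@code jcr:readAccessControl} privilege for {@code str} through
     * {@code PathAccessUtil.hasPrivilege}. Presumably this tests the session behind the given
     * manager - confirm against {@code PathAccessUtil}.
     *
     * <p>Fails closed: if the check throws, the failure is logged and {@code false} is
     * returned, so the entry is withheld rather than exposed.
     *
     * @param str path the access control entry applies to
     * @param jackrabbitAccessControlManager manager the privilege check is delegated to
     * @return {@code true} only if the check completed and reported the privilege
     */
    private static boolean canReadAcl(String str, JackrabbitAccessControlManager jackrabbitAccessControlManager) {
        try {
            return PathAccessUtil.hasPrivilege(str, PrivilegeConstants.JCR_READ_ACCESS_CONTROL, jackrabbitAccessControlManager);
        } catch (RepositoryException e) {
            LOG.warn("Could not check if Access Control Manager could read ACLs", e);
            return false;
        }
    }

    /**
     * Supplies the message used when the action fails unexpectedly.
     *
     * @return {@code Messages.FIND_ACL_ENTRIES_ERROR}
     */
    @Override // pl.ds.websight.usermanager.rest.AbstractRestAction
    protected String getUnexpectedErrorMessage() {
        return Messages.FIND_ACL_ENTRIES_ERROR;
    }
}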
