package pl.ds.websight.usermanager.rest.permission;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.ValueFactory;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import pl.ds.websight.usermanager.util.JcrSecurityUtil;
import pl.ds.websight.usermanager.util.PathAccessUtil;

/* loaded from: input_file:resources/install/0/websight-release-admin-sling-1.0.3.zip:jcr_root/apps/websight/install/websight-user-manager-service-1.0.2.jar:pl/ds/websight/usermanager/rest/permission/AccessModifyFacade.class */
final class AccessModifyFacade {
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) AccessModifyFacade.class);
    private final Authorizable authorizable;
    private final Session session;
    private final JackrabbitAccessControlManager acm;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:resources/install/0/websight-release-admin-sling-1.0.3.zip:jcr_root/apps/websight/install/websight-user-manager-service-1.0.2.jar:pl/ds/websight/usermanager/rest/permission/AccessModifyFacade$EntryReplacement.class */
    public interface EntryReplacement {
        void replace(JackrabbitAccessControlList jackrabbitAccessControlList) throws RepositoryException;
    }

    private AccessModifyFacade(Authorizable authorizable, Session session, JackrabbitAccessControlManager jackrabbitAccessControlManager) {
        this.authorizable = authorizable;
        this.session = session;
        this.acm = jackrabbitAccessControlManager;
    }

    public static AccessModifyFacade forAuthorizable(Authorizable authorizable, Session session) throws RepositoryException {
        return new AccessModifyFacade(authorizable, session, (JackrabbitAccessControlManager) session.getAccessControlManager());
    }

    public boolean createAclEntry(String str, Privilege[] privilegeArr, boolean z, Map<String, List<String>> map) throws RepositoryException {
        JackrabbitAccessControlList accessControlList = AccessControlUtils.getAccessControlList(this.acm, str);
        if (accessControlList == null) {
            LOG.warn("Could not get {} for path: {}", JackrabbitAccessControlList.class.getName(), str);
            return false;
        }
        if (!accessControlList.addEntry(this.authorizable.getPrincipal(), privilegeArr, z, createSimpleRestrictionsMap(accessControlList, this.session.getValueFactory(), map), createMultiRestrictionsMap(accessControlList, this.session.getValueFactory(), map))) {
            return true;
        }
        savePolicyChanges(accessControlList);
        return true;
    }

    public boolean updateAclEntry(String str, String str2, String str3, Privilege[] privilegeArr, boolean z, Map<String, List<String>> map) throws RepositoryException {
        return removeAclEntry(str, str2, jackrabbitAccessControlList -> {
            Value restrictionValue = toRestrictionValue(str3, jackrabbitAccessControlList, AccessControlConstants.REP_NODE_PATH, this.session.getValueFactory());
            if (restrictionValue == null) {
                LOG.warn("Could not define path: {} for replacing restriction", str3);
                return;
            }
            Map<String, Value> createSimpleRestrictionsMap = createSimpleRestrictionsMap(jackrabbitAccessControlList, this.session.getValueFactory(), map);
            createSimpleRestrictionsMap.put(AccessControlConstants.REP_NODE_PATH, restrictionValue);
            if (jackrabbitAccessControlList.addEntry(this.authorizable.getPrincipal(), privilegeArr, z, createSimpleRestrictionsMap, createMultiRestrictionsMap(jackrabbitAccessControlList, this.session.getValueFactory(), map))) {
                savePolicyChanges(jackrabbitAccessControlList);
            }
        });
    }

    private static Map<String, Value> createSimpleRestrictionsMap(JackrabbitAccessControlList jackrabbitAccessControlList, ValueFactory valueFactory, Map<String, List<String>> map) throws RepositoryException {
        Map map2 = (Map) map.entrySet().stream().filter(entry -> {
            return ((List) entry.getValue()).size() == 1;
        }).collect(Collectors.toMap((v0) -> {
            return v0.getKey();
        }, entry2 -> {
            return (String) ((List) entry2.getValue()).get(0);
        }));
        HashMap hashMap = new HashMap();
        for (Map.Entry entry3 : map2.entrySet()) {
            String str = (String) entry3.getKey();
            Value restrictionValue = toRestrictionValue((String) entry3.getValue(), jackrabbitAccessControlList, str, valueFactory);
            if (restrictionValue != null) {
                hashMap.put(str, restrictionValue);
            }
        }
        return hashMap;
    }

    private static Map<String, Value[]> createMultiRestrictionsMap(JackrabbitAccessControlList jackrabbitAccessControlList, ValueFactory valueFactory, Map<String, List<String>> map) throws RepositoryException {
        Map map2 = (Map) map.entrySet().stream().filter(entry -> {
            return ((List) entry.getValue()).size() > 1;
        }).collect(Collectors.toMap((v0) -> {
            return v0.getKey();
        }, (v0) -> {
            return v0.getValue();
        }));
        HashMap hashMap = new HashMap();
        for (Map.Entry entry2 : map2.entrySet()) {
            addMultiRestrictions(hashMap, (String) entry2.getKey(), (List) entry2.getValue(), jackrabbitAccessControlList, valueFactory);
        }
        return hashMap;
    }

    private static void addMultiRestrictions(Map<String, Value[]> map, String str, List<String> list, JackrabbitAccessControlList jackrabbitAccessControlList, ValueFactory valueFactory) throws RepositoryException {
        ArrayList arrayList = new ArrayList();
        Iterator<String> it = list.iterator();
        while (it.hasNext()) {
            Value restrictionValue = toRestrictionValue(it.next(), jackrabbitAccessControlList, str, valueFactory);
            if (restrictionValue != null) {
                arrayList.add(restrictionValue);
            }
        }
        map.put(str, (Value[]) arrayList.toArray(new Value[0]));
    }

    private static Value toRestrictionValue(String str, JackrabbitAccessControlList jackrabbitAccessControlList, String str2, ValueFactory valueFactory) throws RepositoryException {
        int restrictionType = jackrabbitAccessControlList.getRestrictionType(str2);
        if (0 != restrictionType) {
            return valueFactory.createValue(str, restrictionType);
        }
        LOG.warn("Could not find a type of restriction: {}", str2);
        return null;
    }

    public boolean removeAclEntry(String str, String str2) throws RepositoryException {
        return removeAclEntry(str, str2, null);
    }

    private boolean removeAclEntry(String str, String str2, EntryReplacement entryReplacement) throws RepositoryException {
        for (JackrabbitAccessControlPolicy jackrabbitAccessControlPolicy : this.acm.getPolicies(this.authorizable.getPrincipal())) {
            if (matchesPolicyId(jackrabbitAccessControlPolicy, str2)) {
                JackrabbitAccessControlList jackrabbitAccessControlList = (JackrabbitAccessControlList) jackrabbitAccessControlPolicy;
                JackrabbitAccessControlEntry aclEntry = getAclEntry(str, jackrabbitAccessControlList);
                if (aclEntry == null) {
                    return false;
                }
                String path = PathAccessUtil.getPath(aclEntry);
                if (!canEditAcl(path)) {
                    LOG.warn("Could not remove ACL Entry due to lack of edit permission for path: {} and user: {}", path, this.session.getUserID());
                    return false;
                }
                jackrabbitAccessControlList.removeAccessControlEntry(aclEntry);
                savePolicyChanges(jackrabbitAccessControlList);
                if (entryReplacement == null) {
                    return true;
                }
                entryReplacement.replace(jackrabbitAccessControlList);
                return true;
            }
        }
        return false;
    }

    private static boolean matchesPolicyId(AccessControlPolicy accessControlPolicy, String str) throws RepositoryException {
        return (accessControlPolicy instanceof JackrabbitAccessControlList) && JcrSecurityUtil.getPolicyId(accessControlPolicy).equals(str);
    }

    private static JackrabbitAccessControlEntry getAclEntry(String str, JackrabbitAccessControlList jackrabbitAccessControlList) throws RepositoryException {
        return (JackrabbitAccessControlEntry) Arrays.stream(jackrabbitAccessControlList.getAccessControlEntries()).filter(accessControlEntry -> {
            return JcrSecurityUtil.getEntryId(accessControlEntry).equals(str);
        }).findFirst().orElse(null);
    }

    private boolean canEditAcl(String str) {
        try {
            return PathAccessUtil.hasPrivilege(str, Privilege.JCR_MODIFY_ACCESS_CONTROL, this.acm);
        } catch (RepositoryException e) {
            LOG.warn("Could not check if Access Control Manager could edit ACLs", (Throwable) e);
            return false;
        }
    }

    private void savePolicyChanges(JackrabbitAccessControlList jackrabbitAccessControlList) throws RepositoryException {
        this.acm.setPolicy(jackrabbitAccessControlList.getPath(), jackrabbitAccessControlList);
        this.session.save();
    }
}
