package pl.ds.websight.usermanager.rest.permission;

import com.fasterxml.jackson.databind.DeserializationFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.ObjectReader;
import com.fasterxml.jackson.databind.type.CollectionType;
import com.fasterxml.jackson.databind.type.MapType;
import com.fasterxml.jackson.databind.type.TypeFactory;
import java.io.IOException;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.annotation.PostConstruct;
import javax.validation.constraints.NotBlank;
import org.apache.commons.lang3.ArrayUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.models.annotations.Default;
import org.apache.sling.models.annotations.Model;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import pl.ds.websight.packagemanager.rest.Messages;
import pl.ds.websight.request.parameters.support.annotations.RequestParameter;
import pl.ds.websight.rest.framework.Errors;

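@Model(adaptables = {SlingHttpServletRequest.class})
/* loaded from: input_file:resources/install/0/websight-release-admin-sling-1.0.6.zip:jcr_root/apps/websight/install/websight-user-manager-service-1.0.3.jar:pl/ds/websight/usermanager/rest/permission/AclEntryRestModel.class */
/**
 * Request model describing a single ACL entry: the target path, whether the entry allows or
 * denies, the privilege names and the optional restrictions.
 *
 * <p>The {@code privileges} and {@code restrictions} request parameters arrive as JSON text and
 * are parsed once in {@link #init()}. Both are request-supplied, so nothing here should be
 * trusted before {@link #validate()} has returned without errors.
 */
public class AclEntryRestModel extends PrincipalValidatableRestModel {
    private static final Logger LOG = LoggerFactory.getLogger(AclEntryRestModel.class);
    private static final CollectionType PRIVILEGES_TYPE = TypeFactory.defaultInstance().constructCollectionType(Set.class, String.class);
    private static final ObjectReader PRIVILEGES_READER = new ObjectMapper().readerFor(PRIVILEGES_TYPE);
    private static final CollectionType RESTRICTIONS_VALUES_TYPE = TypeFactory.defaultInstance().constructCollectionType(List.class, String.class);
    private static final MapType RESTRICTIONS_MAP_TYPE = TypeFactory.defaultInstance().constructMapType(Map.class, TypeFactory.defaultInstance().constructType(String.class), RESTRICTIONS_VALUES_TYPE);
    private static final ObjectReader RESTRICTIONS_READER = new ObjectMapper().enable(DeserializationFeature.READ_ENUMS_USING_TO_STRING).readerFor(RESTRICTIONS_MAP_TYPE);
    private static final String RESTRICTIONS_PARAM_NAME = "restrictions";
    private static final String PRIVILEGES_PARAM_NAME = "privileges";

    @NotBlank(message = Messages.PACKAGE_PATH_VALIDATION_ERROR_BLANK_PATH)
    @RequestParameter
    private String path;

    @Default(booleanValues = {false})
    @RequestParameter(name = "allow")
    private boolean isAllow;

    @RequestParameter(name = RESTRICTIONS_PARAM_NAME)
    private String restrictionsJson;

    @RequestParameter(name = PRIVILEGES_PARAM_NAME)
    private String privilegesJson;
    private String[] privilegesNames;
    private Map<String, List<String>> restrictions;

    // Set when the restrictions parameter was supplied but could not be parsed, so that
    // validate() can reject the request instead of treating it as "no restrictions".
    private boolean restrictionsUnreadable;

    /**
     * Parses the raw JSON request parameters into {@link #getPrivilegesNames()} and
     * {@link #getRestrictions()}. A blank parameter yields an empty array / empty map.
     */
    @PostConstruct
    protected void init() {
        this.privilegesNames = StringUtils.isNotBlank(this.privilegesJson)
                ? readPrivileges(this.privilegesJson).toArray(ArrayUtils.EMPTY_STRING_ARRAY)
                : ArrayUtils.EMPTY_STRING_ARRAY;
        this.restrictions = StringUtils.isNotBlank(this.restrictionsJson)
                ? readRestrictions(this.restrictionsJson)
                : Collections.emptyMap();
    }

    /**
     * Parses a JSON array of privilege names.
     *
     * @param str JSON text taken from the request
     * @return the parsed names; an empty set when the text is unreadable or is the JSON
     *         literal {@code null}. An empty result is rejected later by {@link #validate()}.
     */
    private static Set<String> readPrivileges(String str) {
        try {
            Set<String> parsed = PRIVILEGES_READER.readValue(str);
            // The JSON literal null deserializes to a null reference; normalise it so init()
            // does not fail with a NullPointerException on toArray().
            return parsed != null ? parsed : Collections.emptySet();
        } catch (IOException e) {
            LOG.warn("Could not read updated privileges", e);
            return Collections.emptySet();
        }
    }

    /**
     * Parses a JSON object mapping restriction names to lists of values.
     *
     * <p>On a parse failure the returned map is empty and the failure is recorded, so
     * {@link #validate()} reports it. Without that record, a malformed parameter would be
     * indistinguishable from a request that asked for no restrictions at all, and the entry
     * would be processed without the restrictions the caller tried to supply.
     *
     * @param str JSON text taken from the request
     * @return the parsed restrictions, never {@code null}
     */
    private Map<String, List<String>> readRestrictions(String str) {
        try {
            Map<String, List<String>> parsed = RESTRICTIONS_READER.readValue(str);
            // The JSON literal null is an explicit "nothing"; expose it as an empty map so
            // callers of getRestrictions() never receive null.
            return parsed != null ? parsed : Collections.emptyMap();
        } catch (IOException e) {
            LOG.warn("Could not read updated restrictions", e);
            this.restrictionsUnreadable = true;
            return Collections.emptyMap();
        }
    }

    /** @return the path the entry applies to, as received from the request */
    public String getPath() {
        return this.path;
    }

    /** @return {@code true} for an allow entry, {@code false} (the default) for a deny entry */
    public boolean isAllow() {
        return this.isAllow;
    }

    /** @return the parsed privilege names; empty when none were supplied or parsing failed */
    public String[] getPrivilegesNames() {
        return this.privilegesNames;
    }

    /** @return the parsed restrictions keyed by restriction name; empty when none were supplied */
    public Map<String, List<String>> getRestrictions() {
        return this.restrictions;
    }

    /**
     * Extends the inherited validation with checks on the entry itself: at least one
     * privilege, an absolute path, readable restrictions and well-formed restriction values.
     *
     * @return the errors collected by the superclass plus those found here
     */
    @Override // pl.ds.websight.usermanager.rest.permission.PrincipalValidatableRestModel, pl.ds.websight.rest.framework.Validatable
    public Errors validate() {
        Errors validate = super.validate();
        if (this.privilegesNames.length == 0) {
            validate.add(PRIVILEGES_PARAM_NAME, this.privilegesJson, "ACL Entry should contain at least one privilege");
        }
        // A missing path is the @NotBlank constraint's concern; guard here only so that a
        // null path cannot abort validation with a NullPointerException.
        if (this.path != null && !this.path.startsWith("/")) {
            validate.add("path", this.path, "Path for ACE cannot be relative");
        }
        if (this.restrictionsUnreadable) {
            // Fail closed: an unparseable restrictions parameter must not be applied as an
            // entry without restrictions.
            validate.add(RESTRICTIONS_PARAM_NAME, this.restrictionsJson, "Restrictions could not be parsed");
        }
        validateRestrictions(validate);
        return validate;
    }

    /**
     * Checks each restriction's values and records problems under the {@code restrictions}
     * parameter name.
     *
     * @param errors collector the findings are added to
     */
    private void validateRestrictions(Errors errors) {
        if (this.restrictions == null) {
            return;
        }
        for (Map.Entry<String, List<String>> entry : this.restrictions.entrySet()) {
            String name = entry.getKey();
            List<String> values = entry.getValue();
            if (AccessControlConstants.REP_GLOB.equals(name)) {
                // NOTE(review): the message says "exactly one value" but an empty list passes
                // this check; confirm whether the consumer of getRestrictions() expects that.
                if (values == null || values.size() > 1) {
                    errors.add(RESTRICTIONS_PARAM_NAME, values, "rep:glob should have exactly one value");
                }
            } else if (values == null || values.isEmpty() || values.stream().anyMatch(StringUtils::isBlank)) {
                errors.add(RESTRICTIONS_PARAM_NAME, values, name + " cannot have blank values");
            }
        }
    }

    /**
     * Maps the allow flag to its rule type label.
     *
     * @param allow {@code true} for an allow entry
     * @return {@code "ALLOW"} or {@code "DENY"}
     */
    public static String getRuleType(boolean allow) {
        return allow ? "ALLOW" : "DENY";
    }
}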
