package pl.ds.websight.usermanager.rest.permission;

import java.security.Principal;
import java.util.Arrays;
import java.util.Comparator;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.jcr.Node;
import javax.jcr.NodeIterator;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.Privilege;
import org.apache.commons.lang3.ArrayUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
import org.apache.sling.jcr.base.util.AccessControlUtil;
import org.osgi.service.component.annotations.Component;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import pl.ds.websight.rest.framework.RestAction;
import pl.ds.websight.rest.framework.RestActionResult;
import pl.ds.websight.rest.framework.annotations.SlingAction;
import pl.ds.websight.usermanager.dto.PermissionsDto;
import pl.ds.websight.usermanager.rest.AbstractRestAction;
import pl.ds.websight.usermanager.rest.Messages;
import pl.ds.websight.usermanager.rest.requestparameters.Action;
import pl.ds.websight.usermanager.util.JcrSecurityUtil;

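/**
 * REST action (HTTP GET) that reports, for every requested repository path and its direct
 * children, which {@link Action}s the selected principals may perform and which access control
 * entries declared on the path contribute to that result.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Every repository call goes through the {@link Session} handed over by the request model,
 *       so what this endpoint discloses is bounded by that session's own rights. Presumably that
 *       is the caller's session; confirm in {@code GetPermissionsRestModel}.</li>
 *   <li>The "effective" / "ineffective" split of declared rules is a display heuristic. The
 *       repository, not this class, makes the actual authorization decision.</li>
 *   <li>Neither the number of requested paths nor the number of child nodes is capped here.</li>
 * </ul>
 */
@SlingAction(SlingAction.HttpMethod.GET)
@Component
/* loaded from: input_file:resources/install/0/websight-release-admin-sling-1.0.6.zip:jcr_root/apps/websight/install/websight-user-manager-service-1.0.3.jar:pl/ds/websight/usermanager/rest/permission/GetPermissionsRestAction.class */
public class GetPermissionsRestAction extends AbstractRestAction<GetPermissionsRestModel, List<PermissionsDto>> implements RestAction<GetPermissionsRestModel, List<PermissionsDto>> {
    private static final Logger LOG = LoggerFactory.getLogger(GetPermissionsRestAction.class);

    /**
     * Builds one {@link PermissionsDto} per requested path, each carrying its valid direct children.
     *
     * @param getPermissionsRestModel request model supplying the paths, the session and the principals
     * @return a success result with one entry per path, or a failure result as soon as a path
     *         does not resolve to a node
     * @throws RepositoryException if the repository rejects a lookup (for example a malformed path
     *         or insufficient rights to read access control content)
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // pl.ds.websight.usermanager.rest.AbstractRestAction
    public RestActionResult<List<PermissionsDto>> performAction(GetPermissionsRestModel getPermissionsRestModel) throws RepositoryException {
        Session session = getPermissionsRestModel.getSession();
        // The principal selection does not depend on the path, so it is resolved once.
        Set<Principal> principals = getPermissionsRestModel.getPrincipals();
        List<PermissionsDto> results = new LinkedList<>();
        for (String path : getPermissionsRestModel.getPaths()) {
            // Session.getNode() never returns null; it throws PathNotFoundException for a missing
            // node, so the previous null check could not produce this failure response. A node the
            // session may not read is reported the same way as a missing one.
            if (!session.nodeExists(path)) {
                LOG.warn("Could not get permissions. Node at {} does not exist", sanitizeForLog(path));
                // The request-supplied path is echoed in the response; clients must render it as text.
                return RestActionResult.failure(Messages.GET_PERMISSIONS_ERROR, Messages.formatMessage("Could not find node '%s'", path));
            }
            // A node removed between the check and this call still surfaces as RepositoryException.
            Node node = session.getNode(path);
            PermissionsDto dto = createPermissionDto(session, principals, node);
            NodeIterator children = node.getNodes();
            while (children.hasNext()) {
                Node child = children.nextNode();
                if (isValidNode(child)) {
                    dto.addChild(createPermissionDto(session, principals, child));
                }
            }
            if (dto.isHasChildren() && shouldSortAlphabetically(node, path)) {
                dto.getChildren().sort(Comparator.comparing(childDto -> childDto.getName(), String.CASE_INSENSITIVE_ORDER));
            }
            results.add(dto);
        }
        return RestActionResult.success(results);
    }

    /**
     * Replaces line breaks in a request-supplied value before it is written to the log, so one
     * request cannot forge additional log lines.
     */
    private static String sanitizeForLog(String value) {
        return value == null ? null : value.replace('\r', '_').replace('\n', '_');
    }

    /** Assembles the DTO for a single node: name, path, child flag, action map and declared rules. */
    private static PermissionsDto createPermissionDto(Session session, Set<Principal> set, Node node) throws RepositoryException {
        String path = node.getPath();
        Map<String, Boolean> actions = getActions(session.getAccessControlManager(), path, set);
        return new PermissionsDto(node.getName(), path, hasChildren(node), actions, getDeclaredActionRules(session, actions, set, path));
    }

    /** Maps every {@link Action} name to whether it is allowed at the path for the given principals. */
    private static Map<String, Boolean> getActions(AccessControlManager accessControlManager, String str, Set<Principal> set) throws RepositoryException {
        Map<String, Boolean> actions = new HashMap<>();
        Set<String> allowedActions = getAllowedActions(accessControlManager, str, set);
        for (Action action : Action.values()) {
            String name = action.getName();
            actions.put(name, allowedActions.contains(name));
        }
        return actions;
    }

    /** Returns the names of the actions whose required privileges are all held at the path. */
    private static Set<String> getAllowedActions(AccessControlManager accessControlManager, String str, Set<Principal> set) throws RepositoryException {
        Set<String> allowed = new HashSet<>();
        Set<Privilege> held = getPrivileges(accessControlManager, str, set);
        for (Action action : Action.values()) {
            if (held.containsAll(getAggregateRequiredPrivileges(accessControlManager, action))) {
                allowed.add(action.getName());
            }
        }
        return allowed;
    }

    /**
     * Returns the expanded privileges held at the path. With an empty principal set the
     * session's own privileges are used; otherwise the privileges of the given principals.
     */
    private static Set<Privilege> getPrivileges(AccessControlManager accessControlManager, String str, Set<Principal> set) throws RepositoryException {
        if (set.isEmpty()) {
            return getAggregatePrivileges(accessControlManager.getPrivileges(str));
        }
        // NOTE(review): unchecked cast; a non-Jackrabbit access control manager fails here with
        // ClassCastException rather than a RepositoryException.
        return getAggregatePrivileges(((JackrabbitAccessControlManager) accessControlManager).getPrivileges(str, set));
    }

    /** Collects, per action name, the rules declared on the path's access control list. */
    private static Map<String, PermissionsDto.Rules> getDeclaredActionRules(Session session, Map<String, Boolean> map, Set<Principal> set, String str) throws RepositoryException {
        Map<String, PermissionsDto.Rules> rules = new HashMap<>();
        AccessControlList acl = AccessControlUtils.getAccessControlList(session, str);
        if (acl == null) {
            // AccessControlUtils documents a null return when no list is available for the path;
            // such a path has no declared rules instead of failing with a NullPointerException.
            return rules;
        }
        for (AccessControlEntry entry : acl.getAccessControlEntries()) {
            addRulesFromAcEntry(rules, session, map, set, entry);
        }
        return rules;
    }

    /**
     * Adds one rule per action covered by the entry's privileges, provided the entry's principal
     * is among the selected principals. Entries of other principals are ignored.
     */
    private static void addRulesFromAcEntry(Map<String, PermissionsDto.Rules> map, Session session, Map<String, Boolean> map2, Set<Principal> set, AccessControlEntry accessControlEntry) throws RepositoryException {
        Principal principal = accessControlEntry.getPrincipal();
        if (!set.contains(principal)) {
            // Skip the user-manager lookup for entries that cannot contribute a rule.
            return;
        }
        UserManager userManager = AccessControlUtil.getUserManager(session);
        AccessControlManager accessControlManager = session.getAccessControlManager();
        Authorizable authorizable = userManager.getAuthorizable(principal);
        boolean declaredAllow = isDeclaredAllow(accessControlEntry);
        boolean unrestricted = isUnrestricted(accessControlEntry);
        Set<Privilege> entryPrivileges = getAggregatePrivileges(accessControlEntry.getPrivileges());
        for (Action action : Action.values()) {
            if (!entryPrivileges.containsAll(getAggregateRequiredPrivileges(accessControlManager, action))) {
                continue;
            }
            // An entry counts as effective when it agrees with the computed outcome for the
            // action and carries no narrowing restriction.
            boolean effective = (declaredAllow == map2.get(action.getName()).booleanValue()) && unrestricted;
            Set<PermissionsDto.Rule> target = getOrCreateDeclaredRules(map, action.getName(), effective);
            Map<String, List<String>> restrictions = JcrSecurityUtil.getRestrictions(accessControlEntry, true);
            if (authorizable == null) {
                // A principal with no matching authorizable is reported under its principal name
                // and flagged as a group.
                target.add(new PermissionsDto.Rule(principal.getName(), declaredAllow, true, restrictions));
            } else {
                target.add(new PermissionsDto.Rule(authorizable.getID(), declaredAllow, authorizable.isGroup(), restrictions));
            }
        }
    }

    /** Returns the entry's allow/deny flag; entries that are not Jackrabbit entries count as allow. */
    private static boolean isDeclaredAllow(AccessControlEntry accessControlEntry) {
        if (accessControlEntry instanceof JackrabbitAccessControlEntry) {
            return ((JackrabbitAccessControlEntry) accessControlEntry).isAllow();
        }
        return true;
    }

    /**
     * Tells whether the entry applies without narrowing: it has no restrictions at all, or its
     * {@code rep:glob} restriction is empty or {@code "*"}.
     */
    private static boolean isUnrestricted(AccessControlEntry accessControlEntry) throws RepositoryException {
        if (!(accessControlEntry instanceof JackrabbitAccessControlEntry)) {
            return true;
        }
        JackrabbitAccessControlEntry entry = (JackrabbitAccessControlEntry) accessControlEntry;
        if (ArrayUtils.isEmpty(entry.getRestrictionNames())) {
            return true;
        }
        // NOTE(review): only rep:glob is inspected. An entry that combines rep:glob "*" with some
        // other restriction is still classified as unrestricted; confirm that is intended.
        Value glob = entry.getRestriction(AccessControlConstants.REP_GLOB);
        if (glob == null) {
            return false;
        }
        String pattern = glob.getString();
        return StringUtils.isEmpty(pattern) || StringUtils.equals(pattern, "*");
    }

    /** Expands the given privileges into one set, replacing aggregates by their members. */
    private static Set<Privilege> getAggregatePrivileges(Privilege[] privilegeArr) {
        Set<Privilege> expanded = new HashSet<>();
        for (Privilege privilege : privilegeArr) {
            addAggregatePrivileges(expanded, privilege);
        }
        return expanded;
    }

    /** Resolves the privilege names an action requires and expands them the same way. */
    private static Set<Privilege> getAggregateRequiredPrivileges(AccessControlManager accessControlManager, Action action) throws RepositoryException {
        Set<Privilege> required = new HashSet<>();
        Iterator<String> names = action.getRequiredPrivileges().iterator();
        while (names.hasNext()) {
            addAggregatePrivileges(required, accessControlManager.privilegeFromName(names.next()));
        }
        return required;
    }

    /** Adds an aggregate privilege's members, or the privilege itself when it is not an aggregate. */
    private static void addAggregatePrivileges(Set<Privilege> set, Privilege privilege) {
        if (privilege.isAggregate()) {
            set.addAll(Arrays.asList(privilege.getAggregatePrivileges()));
        } else {
            set.add(privilege);
        }
    }

    /** Returns the effective ({@code z} true) or ineffective rule set for the action, creating the holder on first use. */
    private static Set<PermissionsDto.Rule> getOrCreateDeclaredRules(Map<String, PermissionsDto.Rules> map, String str, boolean z) {
        PermissionsDto.Rules rules = map.computeIfAbsent(str, key -> new PermissionsDto.Rules());
        return z ? rules.getEffective() : rules.getIneffective();
    }

    /** Tells whether the node has at least one child accepted by {@link #isValidNode(Node)}. */
    private static boolean hasChildren(Node node) throws RepositoryException {
        if (!node.hasNodes()) {
            return false;
        }
        NodeIterator children = node.getNodes();
        while (children.hasNext()) {
            if (isValidNode(children.nextNode())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Accepts nodes of type {@code nt:hierarchyNode} or {@code nt:unstructured}. A node named
     * {@code jcr:content} is accepted only when its primary node type declares a child node
     * definition of that same name.
     */
    private static boolean isValidNode(Node node) throws RepositoryException {
        boolean supportedType = node.isNodeType("nt:hierarchyNode") || node.isNodeType("nt:unstructured");
        if (!supportedType) {
            return false;
        }
        if (!StringUtils.equals(node.getName(), "jcr:content")) {
            return true;
        }
        return Arrays.stream(node.getPrimaryNodeType().getChildNodeDefinitions())
                .anyMatch(definition -> StringUtils.equals(definition.getName(), "jcr:content"));
    }

    /**
     * Decides whether the children should be sorted by name: yes unless the node's types declare
     * orderable child nodes. A null node or a failed type lookup also yields {@code true}.
     *
     * @param node the parent node, may be null
     * @param str the node's path, used only for the log message
     * @return {@code true} when alphabetical sorting should be applied
     */
    public static boolean shouldSortAlphabetically(Node node, String str) {
        if (node == null) {
            return true;
        }
        try {
            return !hasOrderableChildNodes(node);
        } catch (RepositoryException e) {
            LOG.warn("Could not get Node Type Definition for Node: {}", sanitizeForLog(str), e);
            return true;
        }
    }

    /** Tells whether the primary type or any mixin type of the node declares orderable child nodes. */
    private static boolean hasOrderableChildNodes(Node node) throws RepositoryException {
        if (node.getPrimaryNodeType().hasOrderableChildNodes()) {
            return true;
        }
        return Arrays.stream(node.getMixinNodeTypes()).anyMatch(mixin -> mixin.hasOrderableChildNodes());
    }

    /** Returns the message used when the action fails unexpectedly. */
    @Override // pl.ds.websight.usermanager.rest.AbstractRestAction
    protected String getUnexpectedErrorMessage() {
        return Messages.GET_PERMISSIONS_ERROR;
    }
}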
