package biz.netcentric.cq.tools.actool.configreader;

import biz.netcentric.cq.tools.actool.configmodel.AceBean;
import biz.netcentric.cq.tools.actool.configmodel.AcesConfig;
import biz.netcentric.cq.tools.actool.configmodel.AuthorizableConfigBean;
import biz.netcentric.cq.tools.actool.configmodel.AuthorizablesConfig;
import biz.netcentric.cq.tools.actool.configmodel.GlobalConfiguration;
import biz.netcentric.cq.tools.actool.configmodel.pkcs.Key;
import biz.netcentric.cq.tools.actool.configmodel.pkcs.PrivateKeyDecryptor;
import biz.netcentric.cq.tools.actool.crypto.DecryptionService;
import biz.netcentric.cq.tools.actool.helper.Constants;
import biz.netcentric.cq.tools.actool.helper.QueryHelper;
import biz.netcentric.cq.tools.actool.validators.AceBeanValidator;
import biz.netcentric.cq.tools.actool.validators.AuthorizableValidator;
import biz.netcentric.cq.tools.actool.validators.exceptions.AcConfigBeanValidationException;
import biz.netcentric.cq.tools.actool.validators.exceptions.InvalidAuthorizableException;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.query.InvalidQueryException;
import org.apache.commons.lang3.StringUtils;
import org.apache.jackrabbit.util.ISO9075;
import org.apache.sling.jcr.api.SlingRepository;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferencePolicyOption;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

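/**
 * Reads the AC Tool YAML configuration into its config beans: authorizables (groups and users),
 * ACEs, the global settings section and the list of obsolete authorizables.
 *
 * <p>The parsed YAML document handed to the public methods is a collection of top-level entries.
 * Every entry is expected to be a single-key map whose first key names the section; the section
 * keys are the {@code *_CONFIGURATION_KEY} constants in {@link Constants}. Within the authorizable
 * and ACE sections each list entry is again a single-key map, keyed by the authorizable id.
 *
 * <p>Authorizable entries may carry secrets ({@code password}, {@code keyStorePassword} and the
 * {@code privatePassword} of a key). This class only forwards them to the beans and never logs the
 * raw entry maps; only authorizable ids and ACE beans are written to the log.
 *
 * <p>The class holds no mutable state beyond the injected OSGi references.
 */
@Component
public class YamlConfigReader implements ConfigReader {
    private static final Logger LOG = LoggerFactory.getLogger(YamlConfigReader.class);

    // Keys of an ACE definition map.
    protected static final String ACE_CONFIG_PROPERTY_GLOB = "repGlob";
    protected static final String ACE_CONFIG_PROPERTY_RESTRICTIONS = "restrictions";
    protected static final String ACE_CONFIG_PROPERTY_PERMISSION = "permission";
    protected static final String ACE_CONFIG_PROPERTY_PRIVILEGES = "privileges";
    protected static final String ACE_CONFIG_PROPERTY_ACTIONS = "actions";
    protected static final String ACE_CONFIG_PROPERTY_PATH = "path";
    protected static final String ACE_CONFIG_PROPERTY_KEEP_ORDER = "keepOrder";
    protected static final String ACE_CONFIG_INITIAL_CONTENT = "initialContent";

    // Keys of an authorizable (group or user) definition map.
    private static final String GROUP_CONFIG_PROPERTY_IS_MEMBER_OF = "isMemberOf";
    private static final String GROUP_CONFIG_PROPERTY_MEMBER_OF_LEGACY = "memberOf";
    private static final String GROUP_CONFIG_PROPERTY_MEMBERS = "members";
    private static final String GROUP_CONFIG_PROPERTY_PATH = "path";
    private static final String GROUP_CONFIG_PROPERTY_PASSWORD = "password";
    protected static final String GROUP_CONFIG_PROPERTY_NAME = "name";
    private static final String GROUP_CONFIG_PROPERTY_DESCRIPTION = "description";
    private static final String GROUP_CONFIG_PROPERTY_EXTERNAL_ID = "externalId";
    private static final String GROUP_CONFIG_PROPERTY_MIGRATE_FROM = "migrateFrom";
    private static final String GROUP_CONFIG_PROPERTY_UNMANAGED_ACE_PATHS_REGEX = "unmanagedAcePathsRegex";
    private static final String GROUP_CONFIG_PROPERTY_UNMANAGED_EXTERNAL_ISMEMBEROF_REGEX = "unmanagedExternalIsMemberOfRegex";
    private static final String GROUP_CONFIG_PROPERTY_UNMANAGED_EXTERNAL_MEMBERS_REGEX = "unmanagedExternalMembersRegex";
    private static final String GROUP_CONFIG_IS_VIRTUAL = "virtual";
    private static final String GROUP_CONFIG_EXTERNAL_SYNC = "externalSync";

    // Keys that only apply to user definitions.
    private static final String USER_CONFIG_PROPERTY_IS_SYSTEM_USER = "isSystemUser";
    private static final String USER_CONFIG_PROFILE_CONTENT = "profileContent";
    private static final String USER_CONFIG_PREFERENCES_CONTENT = "preferencesContent";
    private static final String USER_CONFIG_SOCIAL_CONTENT = "socialContent";
    private static final String USER_CONFIG_PROPERTY_EMAIL = "email";
    private static final String USER_CONFIG_DISABLED = "disabled";
    private static final String USER_CONFIG_KEYS = "keys";
    private static final String USER_CONFIG_APPEND_TO_KEYSTORE = "appendToKeyStore";
    private static final String USER_CONFIG_KEYSTORE_PASSWORD = "keyStorePassword";
    private static final String USER_CONFIG_KEY_PUBLIC = "public";
    private static final String USER_CONFIG_KEY_PRIVATE_PASSWORD = "privatePassword";
    private static final String USER_CONFIG_KEY_PRIVATE = "private";
    private static final String USER_CONFIG_KEY_CERTIFICATE = "certificate";
    private static final String USER_CONFIG_IMPERSONATION_ALLOWED_FOR = "impersonationAllowedFor";

    /** Not referenced in this class; kept because it is part of the component's OSGi wiring. */
    @Reference(policyOption = ReferencePolicyOption.GREEDY)
    private SlingRepository repository;

    /** Decrypts encrypted values of key definitions; passed through to {@link Key}. */
    @Reference(policyOption = ReferencePolicyOption.GREEDY)
    DecryptionService decryptionService;

    /** Decrypts password-protected private keys; passed through to {@link Key}. */
    @Reference(policyOption = ReferencePolicyOption.GREEDY)
    PrivateKeyDecryptor privateKeyDecryptor;

    /**
     * Reads the ACE section of the document.
     *
     * @param yamlDocument parsed top-level YAML list
     * @param aceBeanValidator validator applied to every bean, or {@code null} to skip validation
     * @param session session used for validation and for resolving wildcard paths; may be
     *        {@code null}, in which case wildcard paths are kept verbatim. When a validator is
     *        given the session must not be {@code null}, as its access control manager is handed
     *        to the validator.
     * @param configSource identifier of the configuration source, recorded on every bean
     * @return the ACEs in configuration order, or {@code null} if the document has no ACE section
     * @throws RepositoryException if resolving wildcard paths fails
     * @throws AcConfigBeanValidationException if an entry is malformed or rejected by the validator
     */
    @Override
    public AcesConfig getAceConfigurationBeans(Collection<?> yamlDocument, AceBeanValidator aceBeanValidator, Session session, String configSource) throws RepositoryException, AcConfigBeanValidationException {
        List<Map<String, Object>> aceEntries = getSectionAsList(Constants.ACE_CONFIGURATION_KEY, yamlDocument);
        if (aceEntries == null) {
            LOG.debug("ACL configuration not found in this YAML configuration file");
            return null;
        }
        return getPreservedOrderAceSet(aceEntries, aceBeanValidator, session, configSource);
    }

    /**
     * Reads the group section of the document.
     *
     * @param yamlDocument parsed top-level YAML list
     * @param authorizableValidator validator applied to every bean, or {@code null} to skip validation
     * @return the group beans, or {@code null} if the document has no group section
     * @throws AcConfigBeanValidationException if an entry is malformed or rejected by the validator
     */
    @Override
    public AuthorizablesConfig getGroupConfigurationBeans(Collection yamlDocument, AuthorizableValidator authorizableValidator) throws AcConfigBeanValidationException {
        List<Map<String, Object>> groupEntries = getSectionAsList(Constants.GROUP_CONFIGURATION_KEY, yamlDocument);
        if (groupEntries == null) {
            LOG.debug("Group configuration not found in this YAML configuration file");
            return null;
        }
        return getAuthorizableBeans(groupEntries, authorizableValidator, true);
    }

    /**
     * Reads the user section of the document.
     *
     * <p>Unlike {@link #getGroupConfigurationBeans}, a missing user section yields an empty
     * config rather than {@code null}.
     *
     * @param yamlDocument parsed top-level YAML list
     * @param authorizableValidator validator applied to every bean, or {@code null} to skip validation
     * @return the user beans (empty if the document has no user section)
     * @throws AcConfigBeanValidationException if an entry is malformed or rejected by the validator
     */
    @Override
    public AuthorizablesConfig getUserConfigurationBeans(Collection yamlDocument, AuthorizableValidator authorizableValidator) throws AcConfigBeanValidationException {
        List<Map<String, Object>> userEntries = getSectionAsList(Constants.USER_CONFIGURATION_KEY, yamlDocument);
        if (userEntries == null) {
            LOG.debug("User configuration not found in this YAML configuration file");
        }
        return getAuthorizableBeans(userEntries, authorizableValidator, false);
    }

    /**
     * Reads the global configuration section; the section map (or {@code null} if absent) is
     * handed to the {@link GlobalConfiguration} constructor as is.
     *
     * @param yamlDocument parsed top-level YAML list
     * @return the global configuration built from the section
     */
    @Override
    public GlobalConfiguration getGlobalConfiguration(Collection yamlDocument) {
        return new GlobalConfiguration((Map) getConfigSection(Constants.GLOBAL_CONFIGURATION_KEY, yamlDocument));
    }

    /**
     * Reads the ids listed in the obsolete-authorizables section. An item is either a plain
     * string or a single-key map whose key is the id; other items and empty maps are ignored.
     *
     * @param yamlDocument parsed top-level YAML list
     * @return the ids found (empty if the section is absent), never {@code null}
     */
    @Override
    public Set<String> getObsoluteAuthorizables(Collection yamlDocument) {
        Set<String> obsoleteIds = new HashSet<>();
        Object section = getConfigSection(Constants.OBSOLETE_AUTHORIZABLES_KEY, yamlDocument);
        if (section instanceof List) {
            for (Object item : (List<?>) section) {
                if (item instanceof String) {
                    obsoleteIds.add((String) item);
                } else if (item instanceof Map) {
                    String id = firstKey((Map<?, ?>) item);
                    if (id != null) {
                        obsoleteIds.add(id);
                    }
                }
            }
        }
        return obsoleteIds;
    }

    /**
     * Looks up a top-level section of the document.
     *
     * <p>Only the first key of each top-level entry is compared, because every entry is expected
     * to be a single-key map naming one section. Entries that are not maps are skipped.
     *
     * @param sectionKey the section name to look for
     * @param yamlDocument parsed top-level YAML list; may be {@code null}
     * @return the section value, or {@code null} if no entry names the section
     */
    private static Object getConfigSection(String sectionKey, Collection<?> yamlDocument) {
        if (yamlDocument == null) {
            return null;
        }
        for (Object entry : yamlDocument) {
            if (entry instanceof Map) {
                Map<?, ?> section = (Map<?, ?>) entry;
                if (sectionKey.equals(firstKey(section))) {
                    return section.get(sectionKey);
                }
            }
        }
        return null;
    }

    /**
     * Looks up a section that must be a YAML list.
     *
     * @return the section's entries, or {@code null} if the section is absent
     * @throws IllegalArgumentException if the section exists but is not a list
     */
    @SuppressWarnings("unchecked")
    private static List<Map<String, Object>> getSectionAsList(String sectionKey, Collection<?> yamlDocument) {
        Object section = getConfigSection(sectionKey, yamlDocument);
        if (section == null) {
            return null;
        }
        if (!(section instanceof List)) {
            throw new IllegalArgumentException("Section '" + sectionKey + "' must be a yaml list but is a " + typeName(section));
        }
        return (List<Map<String, Object>>) section;
    }

    /**
     * Returns the first key of a single-key YAML entry, or {@code null} if the map is empty.
     */
    private static String firstKey(Map<?, ?> entry) {
        Iterator<?> keys = entry.keySet().iterator();
        return keys.hasNext() ? String.valueOf(keys.next()) : null;
    }

    /**
     * Converts authorizable entries into beans. Each entry is a single-key map (the id) whose
     * value is a list with exactly one map of properties; entries with no or an empty list are
     * skipped.
     *
     * @param entries the section's list entries; {@code null} yields an empty config
     * @param authorizableValidator validator applied to every bean, or {@code null}
     * @param isGroup whether the entries describe groups ({@code true}) or users
     * @throws IllegalArgumentException if an id occurs twice
     * @throws AcConfigBeanValidationException if an entry is malformed or rejected by the validator
     */
    private AuthorizablesConfig getAuthorizableBeans(List<Map<String, Object>> entries, AuthorizableValidator authorizableValidator, boolean isGroup) throws AcConfigBeanValidationException {
        AuthorizablesConfig authorizablesConfig = new AuthorizablesConfig();
        if (entries == null) {
            return authorizablesConfig;
        }
        Set<String> seenIds = new HashSet<>();
        for (Map<String, Object> entry : entries) {
            String authorizableId = firstKey(entry);
            if (authorizableId == null) {
                throw new AcConfigBeanValidationException("Empty entry found in " + (isGroup ? "group" : "user") + " configuration");
            }
            if (!seenIds.add(authorizableId)) {
                throw new IllegalArgumentException("There is more than one group definition for group: " + authorizableId);
            }
            LOG.trace("Found principal: {} in config", authorizableId);
            Object definitions = entry.get(authorizableId);
            if (definitions == null || (definitions instanceof List && ((List<?>) definitions).isEmpty())) {
                // An id without a definition body is silently ignored.
                continue;
            }
            if (!(definitions instanceof List) || ((List<?>) definitions).size() != 1) {
                throw new AcConfigBeanValidationException("Invalid authorizable " + authorizableId + " - configuration needs to contain exactly one yaml list entry");
            }
            Object definition = ((List<?>) definitions).get(0);
            if (!(definition instanceof Map)) {
                throw new AcConfigBeanValidationException("Invalid authorizable " + authorizableId + " - the list entry must be a map but is a " + typeName(definition));
            }
            @SuppressWarnings("unchecked")
            Map<String, Object> properties = (Map<String, Object>) definition;
            try {
                AuthorizableConfigBean bean = getNewAuthorizableConfigBean();
                setupAuthorizableBean(bean, properties, authorizableId, isGroup);
                if (authorizableValidator != null) {
                    authorizableValidator.validate(bean);
                }
                authorizablesConfig.add(bean);
            } catch (AcConfigBeanValidationException e) {
                // Prefix with the id so the failing entry can be located in the config.
                throw new AcConfigBeanValidationException("Invalid authorizable " + authorizableId, e);
            }
        }
        return authorizablesConfig;
    }

    /**
     * Converts ACE entries into beans, keeping configuration order. Each entry is a single-key map
     * (the authorizable id) whose value is a list of ACE definition maps.
     *
     * @param entries the section's list entries; {@code null} yields an empty config
     * @param aceBeanValidator validator applied to every bean, or {@code null}
     * @param session used for validation and wildcard resolution; may be {@code null} only when no
     *        validator is given, in which case wildcard paths are kept verbatim
     * @param configSource identifier recorded on every bean
     * @throws RepositoryException if wildcard resolution fails
     * @throws AcConfigBeanValidationException if an entry is malformed or rejected by the validator
     */
    private AcesConfig getPreservedOrderAceSet(List<Map<String, Object>> entries, AceBeanValidator aceBeanValidator, Session session, String configSource) throws RepositoryException, AcConfigBeanValidationException {
        AcesConfig acesConfig = new AcesConfig();
        if (entries == null) {
            return acesConfig;
        }
        for (Map<String, Object> entry : entries) {
            String authorizableId = firstKey(entry);
            if (authorizableId == null) {
                throw new AcConfigBeanValidationException("Empty entry found in ACE configuration");
            }
            Object definitions = entry.get(authorizableId);
            LOG.trace("Start reading ACE configuration of authorizable: {}", authorizableId);
            if (definitions == null || (definitions instanceof List && ((List<?>) definitions).isEmpty())) {
                LOG.warn("No ACE definition(s) found for authorizable: {}", authorizableId);
                continue;
            }
            if (!(definitions instanceof List)) {
                throw new AcConfigBeanValidationException("ACE configuration of authorizable " + authorizableId + " must be a yaml list but is a " + typeName(definitions));
            }
            for (Object definition : (List<?>) definitions) {
                if (!(definition instanceof Map)) {
                    throw new AcConfigBeanValidationException("ACE definition of authorizable " + authorizableId + " must be a map but is a " + typeName(definition));
                }
                @SuppressWarnings("unchecked")
                Map<String, ?> aceMap = (Map<String, ?>) definition;
                AceBean aceBean = getNewAceBean();
                setupAceBean(authorizableId, aceMap, aceBean, configSource);
                if (aceBeanValidator != null) {
                    // NOTE(review): a null session fails here with an NPE; unclear whether the
                    // validator could accept a null access control manager instead.
                    aceBeanValidator.validate(aceBean, session.getAccessControlManager());
                }
                String jcrPath = aceBean.getJcrPath();
                if (session != null && jcrPath != null && jcrPath.contains("*")) {
                    handleWildcards(session, acesConfig, authorizableId, aceBean);
                } else {
                    acesConfig.add(aceBean);
                }
            }
        }
        return acesConfig;
    }

    /**
     * Expands an ACE whose path contains {@code *} wildcards: every node matching the path (except
     * nodes below a {@code rep:policy} node) gets a clone of the bean with the concrete path.
     *
     * @param session session used to run the query
     * @param aceSet the set the clones are added to
     * @param authorizableId id of the authorizable the bean belongs to (used for logging only)
     * @param aceBean the bean with the wildcard path; it is not modified
     * @throws InvalidQueryException if the derived query is not valid
     * @throws RepositoryException if the query fails
     */
    protected void handleWildcards(Session session, Set<AceBean> aceSet, String authorizableId, AceBean aceBean) throws InvalidQueryException, RepositoryException {
        String query = createXPathQueryForPathWithWildcards(aceBean.getJcrPath());
        Set<String> matchingPaths = QueryHelper.getNodePathsFromQuery(session, query);
        if (matchingPaths.isEmpty()) {
            LOG.debug("Wildcard path {} of authorizable {} matched no nodes", aceBean.getJcrPath(), authorizableId);
            return;
        }
        for (String path : matchingPaths) {
            if (path.contains("/rep:policy")) {
                // Never create ACEs on the policy nodes themselves.
                continue;
            }
            AceBean concreteBean = aceBean.m13clone();
            concreteBean.setJcrPath(path);
            if (aceSet.add(concreteBean)) {
                LOG.info("Wildcard replacement: Cloned {} to {}", aceBean, concreteBean);
            } else {
                LOG.warn("Wildcard replacement failed: Cloned {} to {} but bean was already in set", aceBean, concreteBean);
            }
        }
    }

    /**
     * Builds the XPath query for a path with {@code *} wildcards. The path is ISO9075-encoded so
     * that only the wildcards, which are restored from their encoded form {@code _x002a_}, keep a
     * special meaning in the query.
     *
     * @param pathWithWildcards an absolute JCR path possibly containing {@code *}
     * @return the XPath query rooted at {@code /jcr:root}
     */
    static final String createXPathQueryForPathWithWildcards(String pathWithWildcards) {
        return ("/jcr:root" + ISO9075.encodePath(pathWithWildcards)).replace("_x002a_", "*");
    }

    /** Factory hook for the ACE bean; subclasses may return a specialised bean. */
    protected AceBean getNewAceBean() {
        return new AceBean();
    }

    /** Factory hook for the authorizable bean; subclasses may return a specialised bean. */
    protected AuthorizableConfigBean getNewAuthorizableConfigBean() {
        return new AuthorizableConfigBean();
    }

    /**
     * Fills an ACE bean from its definition map.
     *
     * @param authorizableId used both as authorizable id and principal name of the bean
     * @param aceMap the ACE definition map
     * @param aceBean the bean to fill
     * @param configSource identifier recorded on the bean
     */
    protected void setupAceBean(String authorizableId, Map<String, ?> aceMap, AceBean aceBean, String configSource) {
        aceBean.setAuthorizableId(authorizableId);
        aceBean.setPrincipalName(authorizableId);
        // A trailing slash is stripped (except for the root path) so paths compare consistently.
        aceBean.setJcrPath(normalizePath(getMapValueAsString(aceMap, ACE_CONFIG_PROPERTY_PATH).trim()));
        aceBean.setPrivilegesString(getMapValueAsString(aceMap, ACE_CONFIG_PROPERTY_PRIVILEGES));
        aceBean.setPermission(getMapValueAsString(aceMap, ACE_CONFIG_PROPERTY_PERMISSION));
        aceBean.setRestrictions(aceMap.get(ACE_CONFIG_PROPERTY_RESTRICTIONS), asStringOrNull(aceMap.get(ACE_CONFIG_PROPERTY_GLOB)));
        aceBean.setActions(parseActionsString(getMapValueAsString(aceMap, ACE_CONFIG_PROPERTY_ACTIONS)));
        aceBean.setKeepOrder(Boolean.parseBoolean(getMapValueAsString(aceMap, ACE_CONFIG_PROPERTY_KEEP_ORDER)));
        aceBean.setInitialContent(getMapValueAsString(aceMap, ACE_CONFIG_INITIAL_CONTENT));
        aceBean.setConfigSource(configSource);
    }

    /**
     * Splits a comma-separated actions string. The parts are not trimmed.
     *
     * @param actions the string, may be {@code null} or blank
     * @return the parts, or an empty array for a {@code null} or blank input
     */
    public static String[] parseActionsString(String actions) {
        if (StringUtils.isBlank(actions)) {
            return new String[0];
        }
        return actions.split(",");
    }

    /**
     * Fills an authorizable bean from its property map.
     *
     * <p>The map may contain secrets ({@code password}, {@code keyStorePassword}, key passwords);
     * they are forwarded to the bean and must not be logged.
     *
     * @param bean the bean to fill
     * @param properties the authorizable's property map
     * @param authorizableId the authorizable id; also used as principal name unless an
     *        {@code externalId} is given
     * @param isGroup whether the bean describes a group
     * @throws AcConfigBeanValidationException if {@code keys}, {@code impersonationAllowedFor},
     *         {@code isMemberOf} or {@code members} have an unexpected shape
     */
    protected void setupAuthorizableBean(AuthorizableConfigBean bean, Map<String, Object> properties, String authorizableId, boolean isGroup) throws AcConfigBeanValidationException {
        bean.setAuthorizableId(authorizableId);
        bean.setName(getMapValueAsString(properties, GROUP_CONFIG_PROPERTY_NAME));
        bean.setEmail(getMapValueAsString(properties, USER_CONFIG_PROPERTY_EMAIL));
        bean.setDescription(getMapValueAsString(properties, GROUP_CONFIG_PROPERTY_DESCRIPTION));

        String externalId = getMapValueAsString(properties, GROUP_CONFIG_PROPERTY_EXTERNAL_ID);
        if (StringUtils.isNotBlank(externalId)) {
            bean.setExternalId(externalId);
            // The principal name is the external id up to its last ';'.
            bean.setPrincipalName(StringUtils.substringBeforeLast(externalId, ";"));
        } else {
            bean.setPrincipalName(authorizableId);
        }

        // "isMemberOf" wins over the legacy key "memberOf"; either a comma-separated string or a list.
        Object isMemberOf = properties.containsKey(GROUP_CONFIG_PROPERTY_IS_MEMBER_OF)
                ? properties.get(GROUP_CONFIG_PROPERTY_IS_MEMBER_OF)
                : properties.get(GROUP_CONFIG_PROPERTY_MEMBER_OF_LEGACY);
        if (isMemberOf instanceof String) {
            bean.setIsMemberOf(splitCommaSeparated((String) isMemberOf));
        } else if (isMemberOf instanceof List) {
            bean.setIsMemberOf(asStringList(isMemberOf, GROUP_CONFIG_PROPERTY_IS_MEMBER_OF));
        }

        Object members = properties.get(GROUP_CONFIG_PROPERTY_MEMBERS);
        if (members instanceof String) {
            bean.setMembers(splitCommaSeparated((String) members));
        } else if (members instanceof List) {
            bean.setMembers(asStringList(members, GROUP_CONFIG_PROPERTY_MEMBERS).toArray(new String[0]));
        }

        bean.setPath(normalizePath(getMapValueAsString(properties, GROUP_CONFIG_PROPERTY_PATH)));
        bean.setMigrateFrom(getMapValueAsString(properties, GROUP_CONFIG_PROPERTY_MIGRATE_FROM));
        bean.setUnmanagedAcePathsRegex(getMapValueAsString(properties, GROUP_CONFIG_PROPERTY_UNMANAGED_ACE_PATHS_REGEX));
        bean.setUnmanagedExternalIsMemberOfRegex(getMapValueAsString(properties, GROUP_CONFIG_PROPERTY_UNMANAGED_EXTERNAL_ISMEMBEROF_REGEX));
        bean.setUnmanagedExternalMembersRegex(getMapValueAsString(properties, GROUP_CONFIG_PROPERTY_UNMANAGED_EXTERNAL_MEMBERS_REGEX));
        bean.setVirtual(Boolean.parseBoolean(getMapValueAsString(properties, GROUP_CONFIG_IS_VIRTUAL)));
        bean.setExternalSync(Boolean.parseBoolean(getMapValueAsString(properties, GROUP_CONFIG_EXTERNAL_SYNC)));
        bean.setIsGroup(isGroup);
        bean.setIsSystemUser(Boolean.parseBoolean(getMapValueAsString(properties, USER_CONFIG_PROPERTY_IS_SYSTEM_USER)));

        // Only set when the key is present, so an absent key stays distinguishable from an empty value.
        if (properties.containsKey(GROUP_CONFIG_PROPERTY_PASSWORD)) {
            bean.setPassword(getMapValueAsString(properties, GROUP_CONFIG_PROPERTY_PASSWORD));
        }
        bean.setProfileContent(getMapValueAsString(properties, USER_CONFIG_PROFILE_CONTENT));
        bean.setPreferencesContent(getMapValueAsString(properties, USER_CONFIG_PREFERENCES_CONTENT));
        bean.setSocialContent(getMapValueAsString(properties, USER_CONFIG_SOCIAL_CONTENT));
        if (properties.containsKey(USER_CONFIG_DISABLED)) {
            bean.setDisabled(getMapValueAsString(properties, USER_CONFIG_DISABLED));
        }
        bean.setAppendToKeyStore(Boolean.parseBoolean(getMapValueAsString(properties, USER_CONFIG_APPEND_TO_KEYSTORE)));

        if (properties.containsKey(USER_CONFIG_KEYS)) {
            Object keys = properties.get(USER_CONFIG_KEYS);
            if (!(keys instanceof Map)) {
                throw new InvalidAuthorizableException("Field '" + USER_CONFIG_KEYS + "' must be a map but is a " + typeName(keys));
            }
            try {
                @SuppressWarnings("unchecked")
                Map<String, Object> keysSection = (Map<String, Object>) keys;
                setupAuthorizableKeys(bean, keysSection);
            } catch (IOException | GeneralSecurityException e) {
                throw new InvalidAuthorizableException("Invalid key format given", e);
            }
        }

        if (properties.containsKey(USER_CONFIG_IMPERSONATION_ALLOWED_FOR)) {
            bean.setImpersonationAllowedFor(asStringList(properties.get(USER_CONFIG_IMPERSONATION_ALLOWED_FOR), USER_CONFIG_IMPERSONATION_ALLOWED_FOR));
        }

        String keyStorePassword = getMapValueAsString(properties, USER_CONFIG_KEYSTORE_PASSWORD);
        if (!keyStorePassword.isEmpty()) {
            bean.setKeyStorePassword(keyStorePassword);
        }
    }

    /**
     * Builds the {@link Key} objects of a user from the {@code keys} section: one entry per key
     * alias, each a map with {@code private}, {@code privatePassword} and either
     * {@code certificate} (then a private-key/certificate pair is created) or {@code public}.
     * Decryption of encrypted values is delegated to the injected services.
     *
     * @throws InvalidAuthorizableException if a key definition is not a map
     * @throws IOException if a key cannot be read
     * @throws GeneralSecurityException if a key cannot be parsed or decrypted
     */
    private void setupAuthorizableKeys(AuthorizableConfigBean bean, Map<String, Object> keysSection) throws InvalidAuthorizableException, IOException, GeneralSecurityException {
        // Insertion-ordered so keys are processed in configuration order.
        Map<String, Key> keys = new LinkedHashMap<>();
        for (Map.Entry<String, Object> entry : keysSection.entrySet()) {
            Object value = entry.getValue();
            if (!(value instanceof Map)) {
                throw new InvalidAuthorizableException("Field '" + entry.getKey() + "' must be a map but is a " + typeName(value));
            }
            Map<?, ?> keyDefinition = (Map<?, ?>) value;
            String privateKey = asStringOrNull(keyDefinition.get(USER_CONFIG_KEY_PRIVATE));
            String privateKeyPassword = asStringOrNull(keyDefinition.get(USER_CONFIG_KEY_PRIVATE_PASSWORD));
            String certificate = asStringOrNull(keyDefinition.get(USER_CONFIG_KEY_CERTIFICATE));
            Key key;
            if (StringUtils.isNotBlank(certificate)) {
                key = Key.createFromPrivateKeyAndCertificate(this.decryptionService, privateKey, privateKeyPassword, certificate, this.privateKeyDecryptor);
            } else {
                String publicKey = asStringOrNull(keyDefinition.get(USER_CONFIG_KEY_PUBLIC));
                key = Key.createFromKeyPair(this.decryptionService, privateKey, privateKeyPassword, publicKey, this.privateKeyDecryptor);
            }
            keys.put(entry.getKey(), key);
        }
        bean.setKeys(keys);
    }

    /**
     * Reads a map value as string.
     *
     * @return the value's string form, or {@code ""} if the key is absent or its value is null
     */
    protected String getMapValueAsString(Map<String, ?> map, String key) {
        Object value = map.get(key);
        return value != null ? value.toString() : "";
    }

    /** Removes one trailing slash unless the path is the root {@code "/"} (or shorter). */
    private static String normalizePath(String path) {
        if (path.endsWith("/") && path.length() > 1) {
            return path.substring(0, path.length() - 1);
        }
        return path;
    }

    /** Splits a comma-separated value; whitespace around the separators is dropped. */
    private static String[] splitCommaSeparated(String value) {
        return value.trim().split("\\s*,\\s*");
    }

    /**
     * Converts a value that is either a comma-separated string or a YAML list of strings.
     *
     * @param value the raw map value
     * @param fieldName used in the error message
     * @throws InvalidAuthorizableException if the value is neither shape, or the list holds non-strings
     */
    private static List<String> asStringList(Object value, String fieldName) throws InvalidAuthorizableException {
        if (value instanceof String) {
            return Arrays.asList(splitCommaSeparated((String) value));
        }
        if (value instanceof List) {
            List<?> rawList = (List<?>) value;
            List<String> result = new ArrayList<>(rawList.size());
            for (Object element : rawList) {
                if (!(element instanceof String)) {
                    throw new InvalidAuthorizableException("Field '" + fieldName + "' must only contain strings but contains a " + typeName(element));
                }
                result.add((String) element);
            }
            return result;
        }
        throw new InvalidAuthorizableException("Field '" + fieldName + "' must be a list (yaml list or comma-separated string) but is a " + typeName(value));
    }

    /** Null-safe string form of a scalar map value. */
    private static String asStringOrNull(Object value) {
        return value == null ? null : value.toString();
    }

    /** Type description for error messages; safe for {@code null} values. */
    private static String typeName(Object value) {
        return value == null ? "null" : value.getClass().toString();
    }
}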
