package com.adobe.acs.commons.users.impl;

import com.adobe.acs.commons.cqsearch.QueryUtil;
import com.day.cq.search.PredicateGroup;
import com.day.cq.search.Query;
import com.day.cq.search.QueryBuilder;
import com.day.cq.search.result.Hit;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.ValueFactory;
import javax.jcr.ValueFormatException;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.Privilege;
import org.apache.commons.lang3.StringUtils;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.Service;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.sling.api.resource.Resource;
import org.apache.sling.api.resource.ResourceResolver;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

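/**
 * Reconciles the access control entries (ACEs) held by a service user's principal with the
 * ACEs declared in that service user's configuration.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>No method here saves the session. Every {@code setPolicy} call is a transient change
 *       until the caller persists it.</li>
 *   <li>Existing ACEs are discovered with a repository query run as the caller's session, so
 *       only ACEs that session is able to read are found. An ACE the session cannot see is
 *       neither reported nor removed.</li>
 *   <li>Discovery is best-effort: a path whose policies cannot be read is logged and skipped,
 *       and the value returned by {@link #ensureAces} does not count it. A stale ACE on such
 *       a path survives the run, so the error log should be monitored.</li>
 * </ul>
 */
@Service({EnsureAce.class})
@Component
public class EnsureAce {
    private static final Logger log = LoggerFactory.getLogger(EnsureAce.class);
    private static final String PROP_REP_GLOB = "rep:glob";
    private static final String PROP_REP_NT_NAMES = "rep:ntNames";
    private static final String PROP_REP_ITEM_NAMES = "rep:itemNames";
    private static final String PROP_REP_PREFIXES = "rep:prefixes";
    private static final String PROP_NT_REP_ACE = "rep:ACE";
    private static final String PROP_REP_PRINCIPAL_NAME = "rep:principalName";

    /** Numeric value of {@code javax.jcr.PropertyType.STRING}. */
    private static final int TYPE_STRING = 1;

    /** Numeric value of {@code javax.jcr.PropertyType.NAME}. */
    private static final int TYPE_NAME = 7;

    @Reference
    private QueryBuilder queryBuilder;

    /**
     * Brings the repository's ACEs for the service user in line with its configuration:
     * ACEs of the principal that the configuration does not declare are removed, and declared
     * ACEs that are missing are added.
     *
     * @param resourceResolver resolver whose session performs the query and the ACL changes
     * @param authorizable the repository authorizable; ACLs at or below its own path are left alone
     * @param abstractAuthorizable the configured service user (principal name and declared ACEs)
     * @return the number of declared ACEs that could not be applied (content path missing, or
     *         no modifiable ACL available at that path)
     * @throws RepositoryException if the resolver has no JCR session or an ACL operation fails
     */
    public int ensureAces(ResourceResolver resourceResolver, Authorizable authorizable, AbstractAuthorizable abstractAuthorizable) throws RepositoryException {
        int failures = 0;
        Session session = requireSession(resourceResolver);
        JackrabbitAccessControlManager accessControlManager = (JackrabbitAccessControlManager) session.getAccessControlManager();
        String principalName = abstractAuthorizable.getPrincipalName();
        String homePath = authorizable.getPath();

        // Pass 1: walk every ACL that currently holds an ACE for the principal and drop the
        // entries the configuration no longer declares.
        for (JackrabbitAccessControlList acl : findAcls(resourceResolver, principalName, accessControlManager)) {
            String aclPath = acl.getPath();
            boolean hasAceAt = abstractAuthorizable.hasAceAt(aclPath);
            // getAccessControlEntries() hands back an array, so removing entries from the ACL
            // inside the loop does not disturb the iteration.
            for (JackrabbitAccessControlEntry entry : entriesOf(acl)) {
                if (!StringUtils.equals(principalName, entry.getPrincipal().getName())) {
                    continue;
                }
                if (isAtOrBelow(aclPath, homePath)) {
                    // ACL on the authorizable's own node or a descendant: not managed here.
                    continue;
                }
                if (!hasAceAt) {
                    log.debug("Service user does NOT cover the path yet has an ACE; ensure removal of the ace! {}", entry);
                    acl.removeAccessControlEntry(entry);
                    continue;
                }
                Ace configured = abstractAuthorizable.getAce(entry, aclPath);
                if (configured == null) {
                    acl.removeAccessControlEntry(entry);
                    log.debug("Removed System ACE as it doesn't exist in Service User [ {} ] configuration", principalName);
                } else {
                    // Mark as present so it is not reported by getMissingAces() below.
                    configured.setExists(true);
                    log.debug("No-op on System ACE as it already matches Service User [ {} ] configuration", principalName);
                }
            }
            accessControlManager.setPolicy(aclPath, acl);
        }

        // Pass 2: add the declared ACEs that pass 1 did not find in the repository.
        for (Ace missing : abstractAuthorizable.getMissingAces()) {
            String contentPath = missing.getContentPath();
            if (resourceResolver.getResource(contentPath) == null) {
                log.warn("Unable to apply Service User [ {} ] privileges due to missing path at [ {} ]. Please create the path and re-ensure this service user.", principalName, contentPath);
                failures++;
                continue;
            }
            JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(session, contentPath);
            if (acl == null) {
                // AccessControlUtils returns null when no modifiable ACL exists for the path;
                // report it as a failure instead of failing with a NullPointerException.
                log.warn("Unable to apply Service User [ {} ] privileges because no modifiable access control list is available at [ {} ].", principalName, contentPath);
                failures++;
                continue;
            }

            HashMap<String, Value> restrictions = new HashMap<>();
            HashMap<String, Value[]> multiValueRestrictions = new HashMap<>();
            ValueFactory valueFactory = session.getValueFactory();
            if (missing.hasRepGlob()) {
                restrictions.put(PROP_REP_GLOB, valueFactory.createValue(missing.getRepGlob(), TYPE_STRING));
            }
            if (missing.hasRepNtNames()) {
                multiValueRestrictions.put(PROP_REP_NT_NAMES, getMultiValues(valueFactory, missing.getRepNtNames(), TYPE_NAME));
            }
            if (missing.hasRepItemNames()) {
                multiValueRestrictions.put(PROP_REP_ITEM_NAMES, getMultiValues(valueFactory, missing.getRepItemNames(), TYPE_NAME));
            }
            if (missing.hasRepPrefixes()) {
                multiValueRestrictions.put(PROP_REP_PREFIXES, getMultiValues(valueFactory, missing.getRepPrefixes(), TYPE_STRING));
            }
            acl.addEntry(authorizable.getPrincipal(), (Privilege[]) missing.getPrivileges(accessControlManager).toArray(new Privilege[0]), missing.isAllow(), restrictions, multiValueRestrictions);
            accessControlManager.setPolicy(contentPath, acl);
            log.debug("Added Service User ACE for [ {} ] to [ {} ]", principalName, contentPath);
        }
        return failures;
    }

    /**
     * Removes every ACE of the service user's principal from the ACLs returned by the ACE query.
     *
     * @param resourceResolver resolver whose session performs the query and the ACL changes
     * @param authorizable the repository authorizable, or {@code null}; when given, ACLs at or
     *        below its own path are left untouched
     * @param abstractAuthorizable the configured service user whose principal's ACEs are removed
     * @throws RepositoryException if the resolver has no JCR session or an ACL operation fails
     */
    public void removeAces(ResourceResolver resourceResolver, Authorizable authorizable, AbstractAuthorizable abstractAuthorizable) throws RepositoryException {
        Session session = requireSession(resourceResolver);
        JackrabbitAccessControlManager accessControlManager = (JackrabbitAccessControlManager) session.getAccessControlManager();
        String principalName = abstractAuthorizable.getPrincipalName();
        String homePath = authorizable == null ? null : authorizable.getPath();

        for (JackrabbitAccessControlList acl : findAcls(resourceResolver, principalName, accessControlManager)) {
            String aclPath = acl.getPath();
            for (JackrabbitAccessControlEntry entry : entriesOf(acl)) {
                boolean samePrincipal = StringUtils.equals(principalName, entry.getPrincipal().getName());
                if (samePrincipal && (authorizable == null || !isAtOrBelow(aclPath, homePath))) {
                    acl.removeAccessControlEntry(entry);
                }
            }
            accessControlManager.setPolicy(aclPath, acl);
            log.debug("Removed ACE from ACL at [ {} ] for [ {} ]", aclPath, principalName);
        }
    }

    /**
     * Finds the ACLs that contain at least one {@code rep:ACE} node for the given principal.
     *
     * <p>The query is unbounded ({@code p.limit=-1}) and runs as the resolver's session, so the
     * result contains only ACEs that session can read. A hit that cannot be resolved, or whose
     * policies cannot be read, is logged and skipped; the caller then never sees that ACL.
     *
     * @param resourceResolver resolver used for the query and to resolve the hits
     * @param principalName value matched against {@code rep:principalName}
     * @param accessControlManager manager used to read the policies of each controlled node
     * @return one ACL per distinct controlled path, in query order; never {@code null}
     */
    private List<JackrabbitAccessControlList> findAcls(ResourceResolver resourceResolver, String principalName, JackrabbitAccessControlManager accessControlManager) {
        HashSet<String> visitedPaths = new HashSet<>();
        ArrayList<JackrabbitAccessControlList> acls = new ArrayList<>();

        HashMap<String, String> predicates = new HashMap<>();
        predicates.put("type", PROP_NT_REP_ACE);
        predicates.put("property", PROP_REP_PRINCIPAL_NAME);
        predicates.put("property.value", principalName);
        predicates.put("p.limit", "-1");

        Query query = this.queryBuilder.createQuery(PredicateGroup.create(predicates), resourceResolver.adaptTo(Session.class));
        QueryUtil.setResourceResolverOn(resourceResolver, query);

        for (Hit hit : query.getResult().getHits()) {
            try {
                String acePath = hit.getPath();
                // The controlled node is taken to be two levels above the ACE node
                // (ACE node -> its parent -> controlled node).
                Resource aceResource = resourceResolver.getResource(acePath);
                Resource policyResource = aceResource == null ? null : aceResource.getParent();
                Resource controlledResource = policyResource == null ? null : policyResource.getParent();
                if (controlledResource == null) {
                    // The hit or one of its ancestors is not resolvable with this resolver.
                    // Skip it rather than abort the whole run with a NullPointerException.
                    log.warn("Skipping ACE query result [ {} ] because its access controlled node could not be resolved.", acePath);
                    continue;
                }
                String controlledPath = controlledResource.getPath();
                if (!visitedPaths.add(controlledPath)) {
                    // Several ACEs of one ACL yield the same controlled path; handle it once.
                    continue;
                }
                // Iterated as Object so each policy is type-checked before the cast.
                for (Object policy : accessControlManager.getPolicies(controlledPath)) {
                    if (policy instanceof JackrabbitAccessControlList) {
                        acls.add((JackrabbitAccessControlList) policy);
                        break;
                    }
                }
            } catch (RepositoryException e) {
                log.error("Failed to get resource for query result.", e);
            }
        }
        return acls;
    }

    /**
     * Converts strings into JCR values of one property type.
     *
     * @param valueFactory factory of the session that will store the values
     * @param list the string values to convert
     * @param i the {@code javax.jcr.PropertyType} constant to create the values with
     * @return one value per input string, in input order
     * @throws ValueFormatException if a string cannot be converted to the requested type
     */
    private Value[] getMultiValues(ValueFactory valueFactory, List<String> list, int i) throws ValueFormatException {
        Value[] values = new Value[list.size()];
        int index = 0;
        for (String raw : list) {
            values[index++] = valueFactory.createValue(raw, i);
        }
        return values;
    }

    /**
     * Returns the resolver's JCR session, failing with a descriptive exception when there is none.
     */
    private static Session requireSession(ResourceResolver resourceResolver) throws RepositoryException {
        Session session = resourceResolver.adaptTo(Session.class);
        if (session == null) {
            throw new RepositoryException("The resource resolver could not be adapted to a JCR session");
        }
        return session;
    }

    /**
     * Returns the entries of an ACL as Jackrabbit entries, as a snapshot array.
     */
    private static JackrabbitAccessControlEntry[] entriesOf(JackrabbitAccessControlList acl) throws RepositoryException {
        return (JackrabbitAccessControlEntry[]) acl.getAccessControlEntries();
    }

    /**
     * Tells whether {@code path} is {@code root} itself or a descendant of it.
     *
     * <p>The comparison respects path segments. A plain string prefix test would also match a
     * sibling such as {@code /a/user-extra} for the root {@code /a/user}, and the ACEs on that
     * sibling would then be excluded from clean-up.
     */
    private static boolean isAtOrBelow(String path, String root) {
        if (path == null || root == null) {
            return false;
        }
        return path.equals(root) || path.startsWith(root.endsWith("/") ? root : root + "/");
    }

    protected void bindQueryBuilder(QueryBuilder queryBuilder) {
        this.queryBuilder = queryBuilder;
    }

    protected void unbindQueryBuilder(QueryBuilder queryBuilder) {
        // Only clear the reference if it is still the instance being unbound.
        if (this.queryBuilder == queryBuilder) {
            this.queryBuilder = null;
        }
    }
}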
