package org.apache.sling.feature.cpconverter.accesscontrol;

import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Formatter;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Predicate;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.jcr.NamespaceException;
import org.apache.jackrabbit.spi.PrivilegeDefinition;
import org.apache.jackrabbit.spi.commons.conversion.DefaultNamePathResolver;
import org.apache.jackrabbit.spi.commons.conversion.NameResolver;
import org.apache.jackrabbit.util.Text;
import org.apache.jackrabbit.vault.fs.spi.PrivilegeDefinitions;
import org.apache.sling.feature.cpconverter.ConverterException;
import org.apache.sling.feature.cpconverter.features.FeaturesManager;
import org.apache.sling.feature.cpconverter.repoinit.NoOpVisitor;
import org.apache.sling.feature.cpconverter.repoinit.OperationProcessor;
import org.apache.sling.feature.cpconverter.repoinit.createpath.CreatePathSegmentProcessor;
import org.apache.sling.feature.cpconverter.shared.ConverterConstants;
import org.apache.sling.feature.cpconverter.shared.RepoPath;
import org.apache.sling.feature.cpconverter.vltpkg.VaultPackageAssembler;
import org.apache.sling.repoinit.parser.RepoInitParsingException;
import org.apache.sling.repoinit.parser.impl.RepoInitParserService;
import org.apache.sling.repoinit.parser.operations.AclLine;
import org.apache.sling.repoinit.parser.operations.CreatePath;
import org.apache.sling.repoinit.parser.operations.CreateServiceUser;
import org.apache.sling.repoinit.parser.operations.DisableServiceUser;
import org.apache.sling.repoinit.parser.operations.Operation;
import org.apache.sling.repoinit.parser.operations.RegisterNodetypes;
import org.apache.sling.repoinit.parser.operations.RegisterPrivilege;
import org.apache.sling.repoinit.parser.operations.SetAclPrincipalBased;
import org.apache.sling.repoinit.parser.operations.SetAclPrincipals;
import org.apache.sling.repoinit.parser.operations.WithPathOptions;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/sling/feature/cpconverter/accesscontrol/DefaultAclManager.class */
public class DefaultAclManager implements AclManager, EnforceInfo {
    private static final Logger log = LoggerFactory.getLogger(DefaultAclManager.class);
    private final RepoPath enforcePrincipalBasedSupportedPath;
    private final String systemRelPath;
    private final OperationProcessor processor;
    private final Set<SystemUser> systemUsers;
    private final Set<SystemUser> globalSystemUsers;
    private final Set<String> systemUserIds;
    private final Set<Group> groups;
    private final Set<User> users;
    private final Set<Mapping> mappings;
    private final Set<String> mappedById;
    private final Map<String, List<AccessControlEntry>> acls;
    private final List<RegisterNodetypes> nodetypeOperations;
    private volatile PrivilegeDefinitions privilegeDefinitions;
    private RepoPath userRootPath;

    public DefaultAclManager() {
        this(null, ConverterConstants.SYSTEM_USER_REL_PATH_DEFAULT);
    }

    public DefaultAclManager(@Nullable String str, @NotNull String str2) {
        this.processor = new OperationProcessor();
        this.systemUsers = new LinkedHashSet();
        this.globalSystemUsers = new LinkedHashSet();
        this.systemUserIds = new LinkedHashSet();
        this.groups = new LinkedHashSet();
        this.users = new LinkedHashSet();
        this.mappings = new HashSet();
        this.mappedById = new HashSet();
        this.acls = new HashMap();
        this.nodetypeOperations = new LinkedList();
        if (str != null && !str.contains(str2)) {
            throw new RuntimeException("Relative path for system users " + str2 + " not included in " + str);
        }
        this.enforcePrincipalBasedSupportedPath = str == null ? null : new RepoPath(str);
        this.systemRelPath = str2;
    }

    @Override // org.apache.sling.feature.cpconverter.accesscontrol.AclManager
    public boolean addUser(@NotNull User user) {
        return this.users.add(user);
    }

    @Override // org.apache.sling.feature.cpconverter.accesscontrol.AclManager
    public boolean addGroup(@NotNull Group group) {
        return this.groups.add(group);
    }

    @Override // org.apache.sling.feature.cpconverter.accesscontrol.AclManager
    public boolean addSystemUser(@NotNull SystemUser systemUser) {
        this.globalSystemUsers.add(systemUser);
        if (!this.systemUsers.add(systemUser)) {
            return false;
        }
        recordSystemUserIds(systemUser.getId());
        setUserRoot(systemUser.getPath());
        return true;
    }

    @Override // org.apache.sling.feature.cpconverter.accesscontrol.AclManager
    public void addMapping(@NotNull Mapping mapping) {
        if (this.mappings.add(mapping)) {
            for (SystemUser systemUser : this.globalSystemUsers) {
                if (mapping.mapsUser(systemUser.getId())) {
                    this.mappedById.add(systemUser.getId());
                }
            }
        }
    }

    @Override // org.apache.sling.feature.cpconverter.accesscontrol.AclManager
    public boolean addAccessControlEntry(@NotNull String str, @NotNull AccessControlEntry accessControlEntry) {
        if (!this.globalSystemUsers.stream().filter(systemUser -> {
            return systemUser.getId().equals(str);
        }).findFirst().isPresent()) {
            return false;
        }
        this.acls.computeIfAbsent(str, str2 -> {
            return new LinkedList();
        }).add(accessControlEntry);
        return true;
    }

    @Override // org.apache.sling.feature.cpconverter.accesscontrol.AclManager
    public void addRepoinitExtension(@NotNull List<VaultPackageAssembler> list, @NotNull FeaturesManager featuresManager) throws IOException, ConverterException {
        Formatter formatter = new Formatter();
        try {
            if (this.privilegeDefinitions != null) {
                registerPrivileges(this.privilegeDefinitions, formatter);
            }
            Iterator<RegisterNodetypes> it = this.nodetypeOperations.iterator();
            while (it.hasNext()) {
                formatter.format("%s", it.next().asRepoInitString());
            }
            addUsersAndGroups(formatter);
            addPaths(formatter, list);
            this.acls.forEach((str, list2) -> {
                this.globalSystemUsers.stream().filter(systemUser -> {
                    return systemUser.getId().equals(str);
                }).findFirst().ifPresent(systemUser2 -> {
                    addStatements(systemUser2, list2, formatter);
                });
            });
            String formatter2 = formatter.toString();
            if (!formatter2.isEmpty()) {
                featuresManager.addOrAppendRepoInitExtension("content-package", formatter2, null);
            }
            formatter.close();
        } catch (Throwable th) {
            try {
                formatter.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    @Override // org.apache.sling.feature.cpconverter.accesscontrol.AclManager
    public void addRepoinitExtention(@NotNull String str, @Nullable String str2, @Nullable String str3, @NotNull FeaturesManager featuresManager) throws IOException, ConverterException {
        if (str2 == null || str2.trim().isEmpty()) {
            return;
        }
        if ("seed".equalsIgnoreCase(str3)) {
            try {
                Iterator it = new RepoInitParserService().parse(new StringReader(str2)).iterator();
                while (it.hasNext()) {
                    ((Operation) it.next()).accept(new NoOpVisitor() { // from class: org.apache.sling.feature.cpconverter.accesscontrol.DefaultAclManager.1
                        @Override // org.apache.sling.feature.cpconverter.repoinit.NoOpVisitor
                        public void visitCreateServiceUser(CreateServiceUser createServiceUser) {
                            DefaultAclManager.this.recordSystemUserIds(createServiceUser.getUsername());
                        }
                    });
                }
                return;
            } catch (RepoInitParsingException e) {
                throw new ConverterException(e.getMessage(), e);
            }
        }
        try {
            Formatter formatter = new Formatter();
            try {
                if (enforcePrincipalBased()) {
                    this.processor.apply(new RepoInitParserService().parse(new StringReader(str2)), formatter, this);
                } else {
                    formatter.format("%s", str2);
                }
                String trim = formatter.toString().trim();
                if (!trim.isEmpty()) {
                    featuresManager.addOrAppendRepoInitExtension(str, trim, str3);
                }
                formatter.close();
            } finally {
            }
        } catch (RepoInitParsingException e2) {
            throw new ConverterException(e2.getMessage(), e2);
        }
    }

    private void addUsersAndGroups(@NotNull Formatter formatter) throws ConverterException {
        for (SystemUser systemUser : this.systemUsers) {
            formatter.format("%s", new CreateServiceUser(systemUser.getId(), new WithPathOptions(calculateIntermediatePath(systemUser), enforcePrincipalBased(systemUser))).asRepoInitString());
            if (systemUser.getDisabledReason() != null) {
                DisableServiceUser disableServiceUser = new DisableServiceUser(systemUser.getId(), systemUser.getDisabledReason());
                disableServiceUser.setServiceUser(true);
                formatter.format("%s", disableServiceUser.asRepoInitString());
            }
            if (aclIsBelow(systemUser.getPath())) {
                throw new ConverterException("Detected policy on subpath of system-user: " + systemUser);
            }
        }
        for (Group group : this.groups) {
            if (aclStartsWith(group.getPath())) {
                throw new ConverterException("Detected policy on group: " + group);
            }
        }
        for (User user : this.users) {
            if (aclStartsWith(user.getPath())) {
                throw new ConverterException("Detected policy on user: " + user);
            }
        }
    }

    @NotNull
    private String calculateIntermediatePath(@NotNull SystemUser systemUser) throws ConverterException {
        RepoPath intermediatePath = systemUser.getIntermediatePath();
        return enforcePrincipalBased(systemUser) ? calculateEnforcedIntermediatePath(intermediatePath.toString()) : getRelativeIntermediatePath(intermediatePath.toString());
    }

    private void addPaths(@NotNull Formatter formatter, @NotNull List<VaultPackageAssembler> list) {
        Stream flatMap = this.acls.entrySet().stream().filter(entry -> {
            Optional<SystemUser> systemUser = getSystemUser((String) entry.getKey());
            return systemUser.isPresent() && !enforcePrincipalBased(systemUser.get());
        }).map((v0) -> {
            return v0.getValue();
        }).flatMap((v0) -> {
            return v0.stream();
        });
        Predicate predicate = (v0) -> {
            return v0.isPrincipalBased();
        };
        Set set = (Set) flatMap.filter(predicate.negate()).map((v0) -> {
            return v0.getRepositoryPath();
        }).collect(Collectors.toSet());
        Stream filter = set.stream().filter(repoPath -> {
            return set.stream().noneMatch(repoPath -> {
                return !repoPath.equals(repoPath) && repoPath.startsWith(repoPath);
            });
        });
        Predicate predicate2 = (v0) -> {
            return v0.isRepositoryPath();
        };
        filter.filter(predicate2.negate()).filter(repoPath2 -> {
            return Stream.of((Object[]) new Set[]{this.systemUsers, this.users, this.groups}).flatMap((v0) -> {
                return v0.stream();
            }).noneMatch(abstractUser -> {
                return abstractUser.getPath().startsWith(repoPath2);
            });
        }).map(repoPath3 -> {
            return getCreatePath(repoPath3, list);
        }).filter((v0) -> {
            return Objects.nonNull(v0);
        }).forEach(createPath -> {
            formatter.format("%s", createPath.asRepoInitString());
        });
    }

    private boolean aclStartsWith(@NotNull RepoPath repoPath) {
        return this.acls.values().stream().flatMap((v0) -> {
            return v0.stream();
        }).anyMatch(accessControlEntry -> {
            return accessControlEntry.getRepositoryPath().startsWith(repoPath);
        });
    }

    private boolean aclIsBelow(@NotNull RepoPath repoPath) {
        return this.acls.values().stream().flatMap((v0) -> {
            return v0.stream();
        }).anyMatch(accessControlEntry -> {
            return accessControlEntry.getRepositoryPath().startsWith(repoPath) && !accessControlEntry.getRepositoryPath().equals(repoPath);
        });
    }

    private void addStatements(@NotNull SystemUser systemUser, @NotNull List<AccessControlEntry> list, @NotNull Formatter formatter) {
        LinkedHashMap linkedHashMap = new LinkedHashMap();
        LinkedHashMap linkedHashMap2 = new LinkedHashMap();
        list.forEach(accessControlEntry -> {
            String repoInitPath = getRepoInitPath(accessControlEntry.getRepositoryPath(), systemUser);
            if (accessControlEntry.isPrincipalBased() || enforcePrincipalBased(systemUser)) {
                linkedHashMap2.put(accessControlEntry, repoInitPath);
            } else {
                linkedHashMap.put(accessControlEntry, repoInitPath);
            }
        });
        if (!linkedHashMap2.isEmpty()) {
            formatter.format("%s", new SetAclPrincipalBased(Collections.singletonList(systemUser.getId()), asAcLines(linkedHashMap2)).asRepoInitString());
        }
        if (linkedHashMap.isEmpty()) {
            return;
        }
        formatter.format("%s", new SetAclPrincipals(Collections.singletonList(systemUser.getId()), asAcLines(linkedHashMap)).asRepoInitString());
    }

    private static List<AclLine> asAcLines(@NotNull Map<AccessControlEntry, String> map) {
        ArrayList arrayList = new ArrayList();
        map.forEach((accessControlEntry, str) -> {
            arrayList.add(accessControlEntry.asAclLine(str));
        });
        return arrayList;
    }

    private boolean enforcePrincipalBased() {
        return this.enforcePrincipalBasedSupportedPath != null;
    }

    private boolean enforcePrincipalBased(@NotNull SystemUser systemUser) {
        return enforcePrincipalBased(systemUser.getId());
    }

    @NotNull
    private Optional<SystemUser> getSystemUser(@NotNull String str) {
        return this.systemUsers.stream().filter(systemUser -> {
            return systemUser.getId().equals(str);
        }).findFirst();
    }

    @Override // org.apache.sling.feature.cpconverter.accesscontrol.AclManager
    public void addNodetypeRegistration(@NotNull String str) {
        this.nodetypeOperations.add(new RegisterNodetypes(str));
    }

    @Override // org.apache.sling.feature.cpconverter.accesscontrol.AclManager
    public void addPrivilegeDefinitions(@NotNull PrivilegeDefinitions privilegeDefinitions) {
        this.privilegeDefinitions = privilegeDefinitions;
    }

    @Override // org.apache.sling.feature.cpconverter.accesscontrol.AclManager
    public void reset() {
        this.systemUsers.clear();
        this.acls.clear();
        this.nodetypeOperations.clear();
        this.privilegeDefinitions = null;
    }

    @Override // org.apache.sling.feature.cpconverter.accesscontrol.EnforceInfo
    public void recordSystemUserIds(@NotNull String... strArr) {
        for (String str : strArr) {
            if (this.systemUserIds.add(str) && this.mappings.stream().anyMatch(mapping -> {
                return mapping.mapsUser(str);
            })) {
                this.mappedById.add(str);
            }
        }
    }

    @Override // org.apache.sling.feature.cpconverter.accesscontrol.EnforceInfo
    public boolean enforcePrincipalBased(@NotNull String str) {
        if (!enforcePrincipalBased() || !this.systemUserIds.contains(str)) {
            return false;
        }
        if (!this.mappedById.contains(str)) {
            return true;
        }
        log.warn("Skip enforcing principal-based access control setup for system user '{}' due to existing mapping by id.", str);
        return false;
    }

    @Override // org.apache.sling.feature.cpconverter.accesscontrol.EnforceInfo
    @NotNull
    public String calculateEnforcedIntermediatePath(@Nullable String str) throws ConverterException {
        if (this.enforcePrincipalBasedSupportedPath == null) {
            throw new IllegalStateException("No supported path configured");
        }
        String relativeIntermediatePath = getRelativeIntermediatePath(this.enforcePrincipalBasedSupportedPath.toString());
        if (str == null || str.isEmpty()) {
            return relativeIntermediatePath;
        }
        String relativeIntermediatePath2 = getRelativeIntermediatePath(str);
        if (Text.isDescendantOrEqual(relativeIntermediatePath, relativeIntermediatePath2)) {
            return relativeIntermediatePath2;
        }
        if (Text.isDescendant(relativeIntermediatePath2, relativeIntermediatePath)) {
            return relativeIntermediatePath;
        }
        String relativeParent = Text.getRelativeParent(relativeIntermediatePath2, 1);
        while (true) {
            String str2 = relativeParent;
            if (str2.isEmpty() || ConverterConstants.SLASH.equals(str2)) {
                break;
            }
            if (Text.isDescendantOrEqual(str2, relativeIntermediatePath)) {
                return relativeIntermediatePath + relativeIntermediatePath2.substring(str2.length());
            }
            relativeParent = Text.getRelativeParent(str2, 1);
        }
        throw new ConverterException("Cannot calculate intermediate path for service user. Configured Supported path " + this.enforcePrincipalBasedSupportedPath + " has no common ancestor with " + str);
    }

    @NotNull
    private String getRelativeIntermediatePath(@NotNull String str) throws ConverterException {
        if (str.equals(this.systemRelPath) || str.startsWith(this.systemRelPath + ConverterConstants.SLASH)) {
            return str;
        }
        int indexOf = (str + ConverterConstants.SLASH).indexOf(ConverterConstants.SLASH + this.systemRelPath + ConverterConstants.SLASH);
        if (indexOf == -1) {
            throw new ConverterException("Invalid intermediate path for system user " + str + ". Must include " + this.systemRelPath);
        }
        return str.substring(indexOf + 1);
    }

    @Nullable
    protected CreatePath getCreatePath(@NotNull RepoPath repoPath, @NotNull List<VaultPackageAssembler> list) {
        if (repoPath.getParent() == null) {
            log.debug("Omit create path statement for path '{}'", repoPath);
            return null;
        }
        CreatePath createPath = new CreatePath((String) null);
        if (CreatePathSegmentProcessor.processSegments(repoPath, list, createPath) || !isBelowUserRoot(repoPath)) {
            return createPath;
        }
        log.warn("Failed to extract primary type information for node at path '{}'", repoPath);
        return null;
    }

    @NotNull
    private String getRepoInitPath(@NotNull RepoPath repoPath, @NotNull SystemUser systemUser) {
        if (repoPath.isRepositoryPath()) {
            return ":repository";
        }
        if (isHomePath(repoPath, systemUser.getPath())) {
            return getHomePath(systemUser);
        }
        AbstractUser otherUser = getOtherUser(repoPath, Stream.of((Object[]) new Set[]{this.systemUsers, this.groups}).flatMap((v0) -> {
            return v0.stream();
        }));
        return otherUser != null ? getHomePath(otherUser) : repoPath.toString();
    }

    private static boolean isHomePath(@NotNull RepoPath repoPath, @NotNull RepoPath repoPath2) {
        return repoPath.equals(repoPath2);
    }

    @Nullable
    private static AbstractUser getOtherUser(@NotNull RepoPath repoPath, @NotNull Stream<? extends AbstractUser> stream) {
        return stream.filter(abstractUser -> {
            return repoPath.startsWith(abstractUser.getPath());
        }).findFirst().orElse(null);
    }

    @NotNull
    private static String getHomePath(@NotNull AbstractUser abstractUser) {
        return "home(" + abstractUser.getId() + ")";
    }

    private static void registerPrivileges(@NotNull PrivilegeDefinitions privilegeDefinitions, @NotNull Formatter formatter) {
        DefaultNamePathResolver defaultNamePathResolver = new DefaultNamePathResolver(privilegeDefinitions.getNamespaceMapping());
        for (PrivilegeDefinition privilegeDefinition : privilegeDefinitions.getDefinitions()) {
            try {
                formatter.format("%s", new RegisterPrivilege(defaultNamePathResolver.getJCRName(privilegeDefinition.getName()), privilegeDefinition.isAbstract(), getAggregatedNames(privilegeDefinition, defaultNamePathResolver)).asRepoInitString());
            } catch (NamespaceException e) {
                throw new IllegalStateException((Throwable) e);
            }
        }
    }

    @NotNull
    private static List<String> getAggregatedNames(@NotNull PrivilegeDefinition privilegeDefinition, @NotNull NameResolver nameResolver) {
        Set declaredAggregateNames = privilegeDefinition.getDeclaredAggregateNames();
        return declaredAggregateNames.isEmpty() ? Collections.emptyList() : (List) declaredAggregateNames.stream().map(name -> {
            try {
                return nameResolver.getJCRName(name);
            } catch (NamespaceException e) {
                throw new IllegalStateException((Throwable) e);
            }
        }).collect(Collectors.toList());
    }

    private void setUserRoot(@NotNull RepoPath repoPath) {
        if (this.userRootPath == null) {
            this.userRootPath = new RepoPath(Text.getAbsoluteParent(repoPath.toString(), 0));
        }
    }

    private boolean isBelowUserRoot(@NotNull RepoPath repoPath) {
        return this.userRootPath != null && repoPath.startsWith(this.userRootPath);
    }
}
