package org.apache.jackrabbit.core.security.authorization.acl;

import java.security.Principal;
import java.security.acl.Group;
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.Privilege;
import javax.jcr.version.VersionHistory;
import org.apache.commons.lang.ArrayUtils;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.core.NodeImpl;
import org.apache.jackrabbit.core.SessionImpl;
import org.apache.jackrabbit.core.id.NodeId;
import org.apache.jackrabbit.core.security.authorization.AccessControlModifications;
import org.apache.jackrabbit.core.security.authorization.PrivilegeBits;
import org.apache.jackrabbit.core.security.authorization.PrivilegeManagerImpl;
import org.apache.jackrabbit.core.security.authorization.acl.ACLTemplate;
import org.apache.jackrabbit.core.security.authorization.acl.EntryCollector;
import org.apache.jackrabbit.spi.Name;
import org.pentaho.platform.api.engine.IAuthorizationPolicy;
import org.pentaho.platform.api.engine.IPentahoSession;
import org.pentaho.platform.api.engine.ObjectFactoryException;
import org.pentaho.platform.api.mt.ITenant;
import org.pentaho.platform.engine.core.system.PentahoSessionHolder;
import org.pentaho.platform.engine.core.system.PentahoSystem;
import org.pentaho.platform.engine.security.SecurityHelper;
import org.pentaho.platform.repository2.unified.jcr.IAclMetadataStrategy;
import org.pentaho.platform.repository2.unified.jcr.JcrRepositoryFileAclUtils;
import org.pentaho.platform.repository2.unified.jcr.JcrTenantUtils;
import org.pentaho.platform.security.policy.rolebased.IRoleAuthorizationPolicyRoleBindingDao;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.util.Assert;

/* loaded from: input_file:org/apache/jackrabbit/core/security/authorization/acl/PentahoEntryCollector.class */
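/**
 * Entry collector that resolves the effective access control entries (ACEs) of a node.
 *
 * <p>On top of the entries stored in a node's policy, this collector:
 * <ul>
 *   <li>follows ACL inheritance upwards to the closest access-controlled node whose ACL metadata
 *       does not inherit entries;</li>
 *   <li>adds an implicit {@code jcr:all} entry for the ACL owner;</li>
 *   <li>adds "magic" ACEs for the current Pentaho session user, driven by the definitions parsed
 *       from {@code jcr/config.yaml} and by the logical roles bound to the user's runtime roles;</li>
 *   <li>carries the add/remove-child-nodes privileges of the next non-inheriting ancestor down to
 *       the node.</li>
 * </ul>
 *
 * <p>This listing is JADX decompiler output: parameter names are synthetic and
 * {@code mo4getEntries} is the decompiler's name for the {@code getEntries(NodeImpl)} override.
 *
 * <p>NOTE(review): {@link #magicAceDefinitions} is reassigned from {@link #notifyListeners} without
 * any synchronization visible in this file; confirm how the collector is shared between threads.
 */
public class PentahoEntryCollector extends EntryCollector {
    private static final Logger log = LoggerFactory.getLogger(PentahoEntryCollector.class);
    private List<MagicAceDefinition> magicAceDefinitions;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/apache/jackrabbit/core/security/authorization/acl/PentahoEntryCollector$PentahoEntries.class */
    /**
     * {@link EntryCollector.Entries} variant that carries {@link PentahoEntry} instances in its own
     * list instead of the list held by the superclass.
     */
    public static class PentahoEntries extends EntryCollector.Entries {
        private List<PentahoEntry> aces;

        /**
         * @param list   the entries to expose through {@link #getACEs()}; stored as given, not copied
         * @param nodeId id passed to the superclass as the next node id
         */
        PentahoEntries(List list, NodeId nodeId) {
            // The superclass list is deliberately left null; getACEs() is overridden below.
            super((List) null, nodeId);
            this.aces = list;
        }

        /* JADX INFO: Access modifiers changed from: package-private */
        /**
         * Wraps existing entries. The ACEs of {@code entries} go to the superclass only; the list
         * returned by {@link #getACEs()} starts out empty.
         */
        public PentahoEntries(EntryCollector.Entries entries) {
            super(entries.getACEs(), entries.getNextId());
            this.aces = new ArrayList<PentahoEntry>();
        }

        /** @return the Pentaho entries held by this instance (raw type to match the superclass) */
        public List getACEs() {
            return this.aces;
        }

        /** @return {@code true} when there is no entry list or it holds no entries */
        public boolean isEmpty() {
            return this.aces == null || this.aces.isEmpty();
        }

        public String toString() {
            StringBuilder sb = new StringBuilder();
            sb.append("size = ").append(getACEs() != null ? getACEs().size() : 0).append(", ");
            sb.append("nextNodeId = ").append(getNextId());
            return sb.toString();
        }
    }

    /**
     * @return a read-only view of the current magic ACE definitions; empty when none are loaded,
     *         so that a missing definition list grants nothing instead of failing with a
     *         {@link NullPointerException}
     */
    private List<MagicAceDefinition> getMagicAceDefinitions() {
        // Read the field once: notifyListeners() may replace it while a caller iterates.
        List<MagicAceDefinition> definitions = this.magicAceDefinitions;
        if (definitions == null) {
            return Collections.emptyList();
        }
        return Collections.unmodifiableList(definitions);
    }

    /**
     * Creates the collector and loads the magic ACE definitions.
     *
     * @param sessionImpl system session handed to the superclass and to the definition parser
     * @param nodeId      id handed to the superclass (compared against as {@code rootID} in this class)
     * @param map         not used by this constructor
     * @throws RepositoryException if the definitions cannot be parsed
     */
    public PentahoEntryCollector(SessionImpl sessionImpl, NodeId nodeId, Map map) throws RepositoryException {
        super(sessionImpl, nodeId);
        this.magicAceDefinitions = new ArrayList<MagicAceDefinition>();
        createMagicAceDefinitions(sessionImpl);
    }

    /**
     * (Re)loads the magic ACE definitions from the classpath resource {@code jcr/config.yaml}.
     * The field is only replaced when parsing succeeds.
     *
     * @throws RepositoryException propagated from the definition parser
     */
    private void createMagicAceDefinitions(SessionImpl sessionImpl) throws RepositoryException {
        // try-with-resources closes the classpath stream; a missing resource yields a null stream,
        // which is passed on to the parser unchanged and is not closed.
        try (java.io.InputStream in = getClass().getClassLoader().getResourceAsStream("jcr/config.yaml")) {
            this.magicAceDefinitions = MagicAceDefinition.parseYamlMagicAceDefinitions(in, sessionImpl);
        } catch (java.io.IOException e) {
            // Only close() can raise this here; the definitions have already been parsed.
            log.warn("Failed to close jcr/config.yaml after reading magic ACE definitions", e);
        }
    }

    /**
     * Walks from {@code nodeImpl} towards the root and returns the first access-controlled node.
     *
     * <p>NOTE(review): there is no explicit root check; termination relies on the root being
     * access controlled or on {@code getParent()} failing at the root. Confirm.
     */
    protected NodeImpl findAccessControlledNode(NodeImpl nodeImpl) throws RepositoryException {
        NodeImpl current = nodeImpl;
        while (!ACLProvider.isAccessControlled(current)) {
            current = (NodeImpl) current.getParent();
        }
        return current;
    }

    /**
     * Walks from {@code nodeImpl} towards the root and returns the first access-controlled node
     * whose ACL metadata is absent or says that entries are not inherited.
     */
    protected NodeImpl findNonInheritingNode(NodeImpl nodeImpl) throws RepositoryException {
        NodeImpl current = nodeImpl;
        while (true) {
            NodeImpl controlled = findAccessControlledNode(current);
            NodeImpl policyNode = controlled.getNode(N_POLICY);
            IAclMetadataStrategy.AclMetadata aclMetadata = JcrRepositoryFileAclUtils.getAclMetadata(this.systemSession, controlled.getPath(), new ACLTemplate(policyNode, policyNode != null ? policyNode.getParent().getPath() : null, false));
            // Missing metadata is treated like "does not inherit": the search stops here.
            if (aclMetadata == null || !aclMetadata.isEntriesInheriting()) {
                return controlled;
            }
            current = (NodeImpl) controlled.getParent();
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // 
    /* renamed from: getEntries, reason: merged with bridge method [inline-methods] */
    /**
     * Computes the effective entries for {@code nodeImpl}.
     *
     * <p>Nodes under version storage are first mapped to their versionable node. The owner is read
     * from the closest access-controlled node, while the entries come from the closest
     * non-inheriting node. When the entries are inherited from another node, every entry that
     * grants remove-child-nodes without remove-node also receives remove-node, so that the
     * privilege an ancestor grants on its children applies to this node.
     *
     * @return entries with a {@code null} next node id
     * @throws RuntimeException if the remove-node privilege cannot be added to the in-memory ACL
     */
    public PentahoEntries mo4getEntries(NodeImpl nodeImpl) throws RepositoryException {
        NodeImpl target = nodeImpl;
        // NOTE(review): the prefix has no trailing '/', so any path that merely starts with this
        // string is treated as version storage; confirm no such sibling node can exist.
        if (target.getPath().startsWith("/jcr:system/jcr:versionStorage")) {
            target = getVersionable(target);
        }
        NodeImpl controlled = findAccessControlledNode(target);
        String owner = null;
        IAclMetadataStrategy.AclMetadata aclMetadata = JcrRepositoryFileAclUtils.getAclMetadata(this.systemSession, controlled.getPath(), new ACLTemplate(controlled.getNode(N_POLICY), controlled.getPath(), false));
        if (aclMetadata != null) {
            owner = aclMetadata.getOwner();
        }
        NodeImpl nonInheriting = findNonInheritingNode(controlled);
        ACLTemplate acl = new ACLTemplate(nonInheriting.getNode(N_POLICY), nonInheriting.getPath(), false);
        // The comparison uses the node as passed in, not the versionable it may have been mapped to.
        if (!nonInheriting.isSame(nodeImpl)) {
            Privilege removeNode = this.systemSession.getAccessControlManager().privilegeFromName("{http://www.jcp.org/jcr/1.0}removeNode");
            Privilege removeChildNodes = this.systemSession.getAccessControlManager().privilegeFromName("{http://www.jcp.org/jcr/1.0}removeChildNodes");
            // Iterate over a snapshot: the loop body adds entries to the same template, the same
            // precaution getRelevantAncestorAces() takes before it modifies a template.
            for (AccessControlEntry ace : new ArrayList<AccessControlEntry>(acl.getEntries())) {
                Privilege[] expanded = JcrRepositoryFileAclUtils.expandPrivileges(ace.getPrivileges(), false);
                if (ArrayUtils.contains(expanded, removeChildNodes) && !ArrayUtils.contains(expanded, removeNode)) {
                    if (!acl.addAccessControlEntry(ace.getPrincipal(), new Privilege[]{removeNode})) {
                        throw new RuntimeException("Failed to add remove-node privilege to the inherited ACL of " + nonInheriting.getPath());
                    }
                }
            }
        }
        ACLTemplate ancestorAcl = null;
        // Only a node that carries its own non-inheriting ACL (and is not the root) looks further up.
        if (controlled.isSame(nonInheriting) && !this.rootID.equals(nonInheriting.getNodeId())) {
            NodeImpl ancestor = findNonInheritingNode((NodeImpl) nonInheriting.getParent());
            ancestorAcl = new ACLTemplate(ancestor.getNode(N_POLICY), ancestor.getPath(), false);
        }
        return new PentahoEntries(getAcesIncludingMagicAces(nonInheriting.getPath(), owner, ancestorAcl, acl), null);
    }

    /**
     * Maps a node inside version storage to the node it is a version of.
     *
     * <p>Walks up until a node of type {@code nt:versionHistory} or the root is reached. If the
     * walk ends at the root, the root itself is returned, so the root's ACL is what applies.
     */
    protected NodeImpl getVersionable(NodeImpl nodeImpl) throws RepositoryException {
        NodeImpl current = nodeImpl;
        while (!current.isNodeType("nt:versionHistory") && !this.rootID.equals(current.getNodeId())) {
            current = (NodeImpl) current.getParent();
        }
        return this.rootID.equals(current.getNodeId()) ? current : this.systemSession.getNodeByIdentifier(((VersionHistory) current).getVersionableIdentifier());
    }

    /**
     * @return the authorization policy registered in {@link PentahoSystem}
     * @throws IllegalStateException if none is registered
     */
    protected IAuthorizationPolicy getAuthorizationPolicy() {
        IAuthorizationPolicy iAuthorizationPolicy = (IAuthorizationPolicy) PentahoSystem.get(IAuthorizationPolicy.class);
        if (iAuthorizationPolicy == null) {
            throw new IllegalStateException("No IAuthorizationPolicy is available from PentahoSystem");
        }
        return iAuthorizationPolicy;
    }

    /** @return the role binding DAO from {@link PentahoSystem}; the result is not null-checked here */
    protected IRoleAuthorizationPolicyRoleBindingDao getRoleBindingDao() {
        return (IRoleAuthorizationPolicyRoleBindingDao) PentahoSystem.get(IRoleAuthorizationPolicyRoleBindingDao.class);
    }

    /**
     * Builds the effective entry list for a node: owner ACE, magic ACEs, the node's own ACEs and
     * the relevant ACEs of its ancestor. Owner and magic ACEs are added to {@code aCLTemplate2}
     * itself.
     *
     * <p>A magic ACE is added for the current session user when the definition's logical role is
     * bound to one of the user's runtime roles and the definition's path matches {@code str} as
     * target, as a descendant (unless excluded), or as an ancestor.
     *
     * @param str          path of the node whose ACL is being evaluated
     * @param str2         owner of the ACL, or {@code null} for none
     * @param aCLTemplate  ACL of the next non-inheriting ancestor, or {@code null}
     * @param aCLTemplate2 ACL of the node; modified in place
     * @return the entries, or an empty list when there is no Pentaho session with a non-blank id
     *         (in that case not even the stored entries are returned)
     */
    protected List<PentahoEntry> getAcesIncludingMagicAces(String str, String str2, ACLTemplate aCLTemplate, ACLTemplate aCLTemplate2) throws RepositoryException {
        // One lookup, so that the session checked here is the session used for the principal below.
        IPentahoSession pentahoSession = PentahoSessionHolder.getSession();
        if (pentahoSession == null || pentahoSession.getId() == null || pentahoSession.getId().trim().equals("")) {
            if (log.isDebugEnabled()) {
                log.debug("no PentahoSession so no magic ACEs");
            }
            return Collections.emptyList();
        }
        if (str2 != null) {
            addOwnerAce(str2, aCLTemplate2);
        }
        IRoleAuthorizationPolicyRoleBindingDao roleBindingDao = null;
        try {
            roleBindingDao = (IRoleAuthorizationPolicyRoleBindingDao) PentahoSystem.getObjectFactory().get(IRoleAuthorizationPolicyRoleBindingDao.class, "roleAuthorizationPolicyRoleBindingDaoTarget", pentahoSession);
        } catch (ObjectFactoryException e) {
            // Fail closed: without the DAO no role binding can be verified, so no magic ACE is granted.
            log.error("Unable to obtain roleAuthorizationPolicyRoleBindingDaoTarget; magic ACEs will not be granted", e);
        }
        ITenant tenant = JcrTenantUtils.getTenant();
        for (MagicAceDefinition magicAceDefinition : getMagicAceDefinitions()) {
            String definitionPath = MessageFormat.format(magicAceDefinition.path, tenant.getRootFolderAbsolutePath());
            // Must start out false for every definition: a match left over from a previous
            // definition would grant privileges for a role the user does not hold.
            boolean match = false;
            if (roleBindingDao != null && isAllowed(roleBindingDao, magicAceDefinition.logicalRole)) {
                match = magicAceDefinition.applyToTarget && str.equals(definitionPath);
                if (!match && magicAceDefinition.applyToChildren) {
                    // The trailing '/' keeps "/a/bc" from matching a definition for "/a/b".
                    match = str.startsWith(definitionPath + "/");
                    if (match && magicAceDefinition.exceptChildren != null) {
                        // Only descendants of an excluded folder are excluded; the excluded
                        // folder itself still matches. NOTE(review): confirm that is intended.
                        for (String exceptChild : magicAceDefinition.exceptChildren) {
                            if (str.startsWith(MessageFormat.format(exceptChild, tenant.getRootFolderAbsolutePath()) + "/")) {
                                match = false;
                                break;
                            }
                        }
                    }
                }
                if (!match && magicAceDefinition.applyToAncestors) {
                    match = definitionPath.startsWith(str + "/");
                }
            }
            if (match) {
                aCLTemplate2.addAccessControlEntry(new MagicPrincipal(JcrTenantUtils.getTenantedUser(pentahoSession.getName())), magicAceDefinition.privileges);
            }
        }
        List<PentahoEntry> result = new ArrayList<PentahoEntry>();
        result.addAll(buildPentahoEntries(aCLTemplate2));
        result.addAll(getRelevantAncestorAces(aCLTemplate));
        return result;
    }

    /**
     * Reduces the ancestor's ACL to the entries that matter for a child node.
     *
     * <p>For every effective entry of the ancestor (computed with {@link #mo4getEntries}, which
     * in turn looks at that node's own ancestor): entries of {@code aCLTemplate} equal to it are
     * removed; if it includes add-child-nodes or remove-child-nodes, all remaining entries of the
     * same principal are removed and one entry holding just those privileges is added instead.
     *
     * @param aCLTemplate ACL of the ancestor, modified in place; {@code null} yields an empty list
     * @throws RuntimeException if the reduced entry cannot be added to the in-memory ACL
     */
    protected List<PentahoEntry> getRelevantAncestorAces(ACLTemplate aCLTemplate) throws RepositoryException {
        if (aCLTemplate == null) {
            return Collections.emptyList();
        }
        NodeImpl nodeImpl = (NodeImpl) this.systemSession.getNode(aCLTemplate.getPath());
        PentahoEntries ancestorEntries = mo4getEntries(nodeImpl);
        JackrabbitAccessControlManager accessControlManager = this.systemSession.getAccessControlManager();
        PrivilegeManagerImpl privilegeManager = this.systemSession.getWorkspace().getPrivilegeManager();
        Privilege addChildNodes = accessControlManager.privilegeFromName("{http://www.jcp.org/jcr/1.0}addChildNodes");
        PrivilegeBits addChildNodesBits = privilegeManager.getBits(new Privilege[]{addChildNodes});
        Privilege removeChildNodes = accessControlManager.privilegeFromName("{http://www.jcp.org/jcr/1.0}removeChildNodes");
        PrivilegeBits removeChildNodesBits = privilegeManager.getBits(new Privilege[]{removeChildNodes});
        // getACEs() is declared raw; the backing field of PentahoEntries is a List<PentahoEntry>.
        @SuppressWarnings("unchecked")
        List<PentahoEntry> effectiveAces = ancestorEntries.getACEs();
        for (PentahoEntry pentahoEntry : effectiveAces) {
            List<Privilege> kept = new ArrayList<Privilege>(2);
            if (pentahoEntry.getPrivilegeBits().includes(addChildNodesBits)) {
                kept.add(addChildNodes);
            }
            if (pentahoEntry.getPrivilegeBits().includes(removeChildNodesBits)) {
                kept.add(removeChildNodes);
            }
            // Both removal loops run over a copy because they modify the template's entries.
            for (AccessControlEntry accessControlEntry : (AccessControlEntry[]) aCLTemplate.getEntries().toArray(new AccessControlEntry[0])) {
                if (pentahoEntry.equals(buildPentahoEntry(nodeImpl.getNodeId(), aCLTemplate.getPath(), accessControlEntry))) {
                    aCLTemplate.removeAccessControlEntry(accessControlEntry);
                }
            }
            if (!kept.isEmpty()) {
                for (AccessControlEntry accessControlEntry2 : new LinkedList<AccessControlEntry>(aCLTemplate.getEntries())) {
                    if (accessControlEntry2.getPrincipal().getName().equals(pentahoEntry.getPrincipalName())) {
                        aCLTemplate.removeAccessControlEntry(accessControlEntry2);
                    }
                }
                if (!aCLTemplate.addAccessControlEntry(pentahoEntry.isGroupEntry() ? new MagicGroup(pentahoEntry.getPrincipalName()) : new MagicPrincipal(pentahoEntry.getPrincipalName()), (Privilege[]) kept.toArray(new Privilege[kept.size()]))) {
                    throw new RuntimeException("Failed to add child-node privileges from the ancestor ACL at " + aCLTemplate.getPath());
                }
            }
        }
        return buildPentahoEntries(aCLTemplate);
    }

    /**
     * Adds a {@code jcr:all} entry for the owner to {@code aCLTemplate}. An owner the principal
     * manager does not know gets no entry; that case is only logged at debug level.
     *
     * @param str         name of the owner
     * @param aCLTemplate ACL to modify in place
     */
    protected void addOwnerAce(String str, ACLTemplate aCLTemplate) throws RepositoryException {
        Principal principal = this.systemSession.getPrincipalManager().getPrincipal(str);
        if (principal != null) {
            aCLTemplate.addAccessControlEntry(principal instanceof Group ? new MagicGroup(JcrTenantUtils.getTenantedUser(principal.getName())) : new MagicPrincipal(JcrTenantUtils.getTenantedUser(principal.getName())), new Privilege[]{this.systemSession.getAccessControlManager().privilegeFromName("jcr:all")});
        } else if (log.isDebugEnabled()) {
            log.debug("PrincipalManager cannot find owner=" + str);
        }
    }

    /**
     * Collects and filters the entries for a node, or the repository-level entries when
     * {@code nodeImpl} is {@code null}.
     *
     * @return the entries of the filter's first result list followed by those of the second
     */
    protected List collectEntries(NodeImpl nodeImpl, EntryFilter entryFilter) throws RepositoryException {
        LinkedList first = new LinkedList();
        LinkedList second = new LinkedList();
        if (nodeImpl != null) {
            PentahoEntries entries = mo4getEntries(nodeImpl);
            filterEntries(entryFilter, entries.getACEs(), first, second);
            // mo4getEntries() builds its result with a null next id, so this loop is presumably
            // not entered for those results; it is kept for entries that do carry one.
            NodeId nextId = entries.getNextId();
            while (nextId != null) {
                EntryCollector.Entries inherited = getEntries(nextId);
                filterEntries(entryFilter, inherited.getACEs(), first, second);
                nextId = inherited.getNextId();
            }
        } else {
            NodeImpl rootNode = this.systemSession.getRootNode();
            if (ACLProvider.isRepoAccessControlled(rootNode)) {
                NodeImpl node = rootNode.getNode(N_REPO_POLICY);
                String path = node != null ? node.getParent().getPath() : null;
                if (entryFilter instanceof PentahoEntryFilter) {
                    filterEntries(entryFilter, PentahoEntry.readEntries(node, path), first, second);
                } else {
                    filterEntries(entryFilter, Entry.readEntries(node, path), first, second);
                }
            }
        }
        ArrayList result = new ArrayList(first.size() + second.size());
        result.addAll(first);
        result.addAll(second);
        return result;
    }

    /**
     * Hands {@code list} to the filter, which distributes it over the two result lists.
     * Nothing is collected when the list is empty or no filter is given.
     */
    protected void filterEntries(EntryFilter entryFilter, List list, LinkedList linkedList, LinkedList linkedList2) {
        if (list.isEmpty() || entryFilter == null) {
            return;
        }
        entryFilter.filterEntries(list, new List[]{linkedList, linkedList2});
    }

    /**
     * @return the authority names of the current authentication; empty when there is none
     * @throws IllegalStateException (from {@code Assert.state}) if there is no Pentaho session
     */
    protected List<String> getRuntimeRoleNames() {
        IPentahoSession session = PentahoSessionHolder.getSession();
        List<String> roleNames = new ArrayList<String>();
        Assert.state(session != null);
        Authentication authentication = SecurityHelper.getInstance().getAuthentication();
        if (authentication != null) {
            for (GrantedAuthority authority : authentication.getAuthorities()) {
                roleNames.add(authority.getAuthority());
            }
        }
        return roleNames;
    }

    /**
     * @param iRoleAuthorizationPolicyRoleBindingDao source of the role bindings; {@code null}
     *        means the bindings cannot be checked and the answer is {@code false}
     * @param str logical role name
     * @return whether {@code str} is bound to one of the current user's runtime roles
     */
    protected boolean isAllowed(IRoleAuthorizationPolicyRoleBindingDao iRoleAuthorizationPolicyRoleBindingDao, String str) throws RepositoryException {
        if (iRoleAuthorizationPolicyRoleBindingDao == null) {
            return false;
        }
        return iRoleAuthorizationPolicyRoleBindingDao.getBoundLogicalRoleNames((Session) this.systemSession, getRuntimeRoleNames()).contains(str);
    }

    /** Converts every entry of {@code aCLTemplate} to a {@link PentahoEntry}; empty for a null or empty ACL. */
    private List<PentahoEntry> buildPentahoEntries(ACLTemplate aCLTemplate) throws RepositoryException {
        List<PentahoEntry> result = new ArrayList<PentahoEntry>();
        if (aCLTemplate != null && aCLTemplate.getEntries() != null && aCLTemplate.getEntries().size() > 0) {
            NodeImpl node = this.systemSession.getNode(aCLTemplate.getPath());
            for (Object entry : aCLTemplate.getEntries()) {
                result.add(buildPentahoEntry(node.getNodeId(), aCLTemplate.getPath(), (AccessControlEntry) entry));
            }
        }
        return result;
    }

    /**
     * Converts one ACE to a {@link PentahoEntry}. The entry is cast to {@code ACLTemplate.Entry}
     * to read its privilege bits, allow flag and restrictions.
     *
     * @return the converted entry, or {@code null} when {@code accessControlEntry} is {@code null}
     */
    private PentahoEntry buildPentahoEntry(NodeId nodeId, String str, AccessControlEntry accessControlEntry) throws RepositoryException {
        PentahoEntry pentahoEntry = null;
        if (accessControlEntry != null) {
            Principal principal = accessControlEntry.getPrincipal();
            pentahoEntry = new PentahoEntry(nodeId, principal.getName(), principal instanceof Group, ((ACLTemplate.Entry) accessControlEntry).getPrivilegeBits(), ((ACLTemplate.Entry) accessControlEntry).isAllow(), str, (Map<Name, Value>) ((ACLTemplate.Entry) accessControlEntry).getRestrictions());
        }
        return pentahoEntry;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /**
     * Forwards the modifications to the superclass and reloads the magic ACE definitions when at
     * least one modified key is a {@link NodeId}. A failed reload is logged and the previous
     * definitions stay in effect.
     */
    public void notifyListeners(AccessControlModifications accessControlModifications) {
        super.notifyListeners(accessControlModifications);
        boolean reload = false;
        for (Object key : accessControlModifications.getNodeIdentifiers()) {
            if (key instanceof NodeId) {
                reload = true;
            } else {
                log.warn("Cannot process AC modificationMap entry. Keys must be NodeId.");
            }
        }
        if (reload) {
            // One reload covers all keys: the definitions come from the same classpath resource
            // whichever node changed.
            try {
                createMagicAceDefinitions(this.systemSession);
            } catch (RepositoryException e) {
                log.error("Failed to recreate magic ace definitions on repository policy changed", e);
            }
        }
        // NOTE(review): listeners are notified a second time, after the reload; confirm that the
        // repeated call is intended.
        super.notifyListeners(accessControlModifications);
    }
}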
