package org.pentaho.platform.repository2.unified.jcr;

import java.io.Serializable;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.jcr.ItemNotFoundException;
import javax.jcr.Node;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.jackrabbit.api.security.user.Group;
import org.pentaho.platform.api.repository2.unified.RepositoryFile;
import org.pentaho.platform.api.repository2.unified.RepositoryFileAce;
import org.pentaho.platform.api.repository2.unified.RepositoryFileAcl;
import org.pentaho.platform.api.repository2.unified.RepositoryFilePermission;
import org.pentaho.platform.api.repository2.unified.RepositoryFileSid;
import org.pentaho.platform.repository2.messages.Messages;
import org.pentaho.platform.repository2.unified.jcr.IAclMetadataStrategy;
import org.pentaho.platform.repository2.unified.jcr.jackrabbit.security.SpringSecurityRolePrincipal;
import org.pentaho.platform.repository2.unified.jcr.jackrabbit.security.SpringSecurityUserPrincipal;
import org.pentaho.platform.repository2.unified.jcr.sejcr.ntdproviders.NodeTypeDefinitionProviderUtils;

/* loaded from: input_file:org/pentaho/platform/repository2/unified/jcr/JcrRepositoryFileAclUtils.class */
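/**
 * Static helpers that read and write repository-file ACLs through a JCR {@link Session}.
 *
 * <p>ACL metadata (the owner name and the "entries inheriting" flag) is delegated to an
 * {@link IAclMetadataStrategy} that is chosen once, when this class is initialized, from the
 * system property named by {@link #SYSTEM_PROPERTY}.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>Whoever can set that system property chooses the class that stores and reads ACL owner
 *       and inheritance metadata. Only a class that implements {@link IAclMetadataStrategy} is
 *       instantiated; treat the property as security-sensitive configuration.</li>
 *   <li>No method in this class performs a permission check of its own; every read and write is
 *       made with whatever rights the supplied session has.</li>
 * </ul>
 */
public class JcrRepositoryFileAclUtils {
    /** Strategy name that selects the built-in {@code JcrAclMetadataStrategy}. */
    public static final String DEFAULT = "DEFAULT";
    /** Strategy used for all ACL metadata operations; assigned once by the static initializer. */
    private static IAclMetadataStrategy strategy;
    private static final Log logger = LogFactory.getLog(JcrRepositoryFileAclUtils.class);
    /** System property holding either {@link #DEFAULT} or a fully qualified strategy class name. */
    public static final String SYSTEM_PROPERTY = "pentaho.repository.server.aclMetadataStrategy";
    private static String strategyName = System.getProperty(SYSTEM_PROPERTY);

    private JcrRepositoryFileAclUtils() {
    }

    /**
     * Selects the ACL metadata strategy named by {@link #SYSTEM_PROPERTY}.
     *
     * <p>An unset or empty property selects {@link #DEFAULT}. Any other value is treated as a class
     * name and instantiated through its public no-argument constructor.
     *
     * @throws RuntimeException if the named class cannot be loaded, does not implement
     *     {@link IAclMetadataStrategy}, or cannot be instantiated; the cause is preserved
     */
    private static void initialize() {
        if (strategyName == null || strategyName.isEmpty()) {
            strategyName = DEFAULT;
        }
        if (DEFAULT.equals(strategyName)) {
            strategy = new JcrAclMetadataStrategy();
        } else {
            try {
                // Load without initializing and verify the type first, so that a property pointing
                // at an unrelated class is rejected before any of that class's code (static
                // initializer or constructor) has run.
                Class<? extends IAclMetadataStrategy> strategyClass = Class
                        .forName(strategyName, false, JcrRepositoryFileAclUtils.class.getClassLoader())
                        .asSubclass(IAclMetadataStrategy.class);
                strategy = strategyClass.getConstructor().newInstance();
            } catch (Exception e) {
                throw new RuntimeException("Unable to create ACL metadata strategy: " + strategyName, e);
            }
        }
        logger.debug("JcrRepositoryFileAclUtils initialized: strategy=" + strategyName);
    }

    /**
     * Reads the ACL metadata for a node by delegating to the configured strategy.
     *
     * @param session JCR session used for the lookup
     * @param str absolute path of the node the ACL belongs to
     * @param accessControlList ACL of that node
     * @return whatever the strategy returns; callers in this class treat {@code null} as "no metadata"
     * @throws RepositoryException if the strategy fails
     */
    public static IAclMetadataStrategy.AclMetadata getAclMetadata(Session session, String str, AccessControlList accessControlList) throws RepositoryException {
        return strategy.getAclMetadata(session, str, accessControlList);
    }

    /**
     * Stores ACL metadata for a node by delegating to the configured strategy.
     *
     * @param session JCR session used for the update
     * @param str absolute path of the node the ACL belongs to
     * @param accessControlList ACL of that node
     * @param aclMetadata owner and inheritance flag to store
     * @throws RepositoryException if the strategy fails
     */
    public static void setAclMetadata(Session session, String str, AccessControlList accessControlList, IAclMetadataStrategy.AclMetadata aclMetadata) throws RepositoryException {
        strategy.setAclMetadata(session, str, accessControlList, aclMetadata);
    }

    /**
     * Passes the entries to the configured strategy's {@code removeAclMetadata} and returns its result.
     *
     * @param list access control entries as read from a JCR ACL
     * @return the list produced by the strategy
     * @throws RepositoryException if the strategy fails
     */
    public static List<AccessControlEntry> removeAclMetadata(List<AccessControlEntry> list) throws RepositoryException {
        return strategy.removeAclMetadata(list);
    }

    /**
     * Repeatedly replaces aggregate privileges by their members until nothing is left to expand.
     *
     * @param privilegeArr privileges to expand; must not be {@code null}
     * @param z when {@code true}, privileges whose name starts with
     *     {@code NodeTypeDefinitionProviderUtils.JCR} are kept as they are, aggregate or not
     * @return the expanded privileges with duplicates removed, in no particular order
     */
    public static Privilege[] expandPrivileges(Privilege[] privilegeArr, boolean z) {
        Set<Privilege> expanded = new HashSet<Privilege>(Arrays.asList(privilegeArr));
        boolean changed;
        do {
            changed = false;
            // Walk a snapshot: the set is modified while aggregates are replaced.
            for (Privilege privilege : new ArrayList<Privilege>(expanded)) {
                boolean keepAsIs = z && privilege.getName().startsWith(NodeTypeDefinitionProviderUtils.JCR);
                if (!keepAsIs && privilege.isAggregate()) {
                    expanded.remove(privilege);
                    expanded.addAll(Arrays.asList(privilege.getAggregatePrivileges()));
                    changed = true;
                }
            }
        } while (changed);
        return expanded.toArray(new Privilege[0]);
    }

    /**
     * Binds an ACL policy to the node and then writes the given ACL to it.
     *
     * <p>Unlike {@link #updateAcl(Session, RepositoryFileAcl)}, this method does not check the
     * nearest versionable file out or in.
     *
     * @param session JCR session used for all operations
     * @param pentahoJcrConstants constants passed through to the ACL read-back
     * @param serializable identifier of the node
     * @param repositoryFileAcl owner, inheritance flag and entries to store
     * @return the ACL as read back after saving
     * @throws ItemNotFoundException declared for the node lookup
     * @throws RepositoryException if any JCR operation fails
     */
    public static RepositoryFileAcl createAcl(Session session, PentahoJcrConstants pentahoJcrConstants, Serializable serializable, RepositoryFileAcl repositoryFileAcl) throws ItemNotFoundException, RepositoryException {
        String path = session.getNodeByIdentifier(serializable.toString()).getPath();
        AccessControlManager accessControlManager = session.getAccessControlManager();
        accessControlManager.setPolicy(path, getAccessControlList(accessControlManager, path));
        return internalUpdateAcl(session, pentahoJcrConstants, serializable, repositoryFileAcl);
    }

    /**
     * Adds an entry granting the given permissions to the given sid; same as
     * {@link #addAce(Session, PentahoJcrConstants, Serializable, RepositoryFileSid, EnumSet)}.
     */
    public static void addPermission(Session session, PentahoJcrConstants pentahoJcrConstants, Serializable serializable, RepositoryFileSid repositoryFileSid, EnumSet<RepositoryFilePermission> enumSet) throws RepositoryException {
        addAce(session, pentahoJcrConstants, serializable, repositoryFileSid, enumSet);
    }

    /**
     * Replaces the owner recorded in the ACL of the given file.
     *
     * @param session JCR session used for all operations
     * @param pentahoJcrConstants constants used to read the current ACL
     * @param repositoryFile file whose ACL is changed
     * @param repositoryFileSid new owner; qualified with a tenant when its name carries none
     * @throws RepositoryException if any JCR operation fails
     */
    public static void setOwner(Session session, PentahoJcrConstants pentahoJcrConstants, RepositoryFile repositoryFile, RepositoryFileSid repositoryFileSid) throws RepositoryException {
        RepositoryFileAcl current = getAcl(session, pentahoJcrConstants, repositoryFile.getId());
        updateAcl(session, new RepositoryFileAcl.Builder(current).owner(toTenantedSid(repositoryFileSid)).build());
    }

    /**
     * Adds an entry granting {@code RepositoryFilePermission.ALL} to the given sid.
     */
    public static void setFullControl(Session session, PentahoJcrConstants pentahoJcrConstants, Serializable serializable, RepositoryFileSid repositoryFileSid) throws RepositoryException {
        addAce(session, pentahoJcrConstants, serializable, repositoryFileSid, EnumSet.of(RepositoryFilePermission.ALL));
    }

    /**
     * Reads the node's current ACL, adds one entry through the ACL builder and writes the result back.
     *
     * @param session JCR session used for all operations
     * @param pentahoJcrConstants constants used to read the current ACL
     * @param serializable identifier of the node
     * @param repositoryFileSid recipient; qualified with a tenant when its name carries none
     * @param enumSet permissions to grant
     * @throws RepositoryException if any JCR operation fails
     */
    public static void addAce(Session session, PentahoJcrConstants pentahoJcrConstants, Serializable serializable, RepositoryFileSid repositoryFileSid, EnumSet<RepositoryFilePermission> enumSet) throws RepositoryException {
        RepositoryFileAcl current = getAcl(session, pentahoJcrConstants, serializable);
        updateAcl(session, new RepositoryFileAcl.Builder(current).ace(toTenantedSid(repositoryFileSid), enumSet).build());
    }

    /**
     * Returns the sid unchanged when its name already resolves to a tenant, otherwise a copy whose
     * name has been qualified by {@code JcrTenantUtils.getTenantedUser}.
     */
    private static RepositoryFileSid toTenantedSid(RepositoryFileSid sid) {
        // NOTE(review): the user-name utilities are applied whatever sid.getType() is, so a ROLE
        // sid without a tenant is qualified as if it were a user name - confirm this is intended.
        if (JcrTenantUtils.getUserNameUtils().getTenant(sid.getName()) == null) {
            return new RepositoryFileSid(JcrTenantUtils.getTenantedUser(sid.getName()), sid.getType());
        }
        return sid;
    }

    /**
     * Rewrites the node's ACL from the given ACL and saves the session.
     *
     * <p>All existing entries are removed first. When the given ACL is marked as inheriting, none
     * of its entries are written: only the metadata (owner and inheritance flag) is stored.
     *
     * @return the ACL as read back after {@code session.save()}
     * @throws RepositoryException if the node is missing or any JCR operation fails
     */
    private static RepositoryFileAcl internalUpdateAcl(Session session, PentahoJcrConstants pentahoJcrConstants, Serializable serializable, RepositoryFileAcl repositoryFileAcl) throws RepositoryException {
        Node node = session.getNodeByIdentifier(serializable.toString());
        if (node == null) {
            throw new RepositoryException("Node not found");
        }
        String path = node.getPath();
        AccessControlManager accessControlManager = session.getAccessControlManager();
        AccessControlList accessControlList = getAccessControlList(accessControlManager, path);
        for (AccessControlEntry existing : accessControlList.getAccessControlEntries()) {
            accessControlList.removeAccessControlEntry(existing);
        }
        // NOTE(review): getAcl() hands a null owner to the ACL builder when no owner metadata is
        // found; if the builder keeps it, getOwner() is null here and this line throws
        // NullPointerException - confirm against RepositoryFileAcl.Builder.
        setAclMetadata(session, path, accessControlList, new IAclMetadataStrategy.AclMetadata(repositoryFileAcl.getOwner().getName(), repositoryFileAcl.isEntriesInheriting()));
        if (!repositoryFileAcl.isEntriesInheriting()) {
            for (RepositoryFileAce ace : repositoryFileAcl.getAces()) {
                RepositoryFileSid sid = ace.getSid();
                // Role and user names are tenant-qualified before they become JCR principals.
                Principal principal = RepositoryFileSid.Type.ROLE == sid.getType()
                        ? new SpringSecurityRolePrincipal(JcrTenantUtils.getTenantedRole(sid.getName()))
                        : new SpringSecurityUserPrincipal(JcrTenantUtils.getTenantedUser(sid.getName()));
                Privilege[] privileges = new DefaultPermissionConversionHelper(session).pentahoPermissionsToPrivileges(session, ace.getPermissions());
                accessControlList.addAccessControlEntry(principal, privileges);
            }
        }
        accessControlManager.setPolicy(path, accessControlList);
        session.save();
        return getAcl(session, pentahoJcrConstants, serializable);
    }

    /**
     * Writes the given ACL to the node it identifies, bracketed by a check-out and check-in of the
     * nearest versionable file where {@code JcrRepositoryFileUtils} finds that necessary.
     *
     * @param session JCR session used for all operations
     * @param repositoryFileAcl ACL to store; its id selects the node
     * @throws RepositoryException if any JCR operation fails
     */
    public static void updateAcl(Session session, RepositoryFileAcl repositoryFileAcl) throws RepositoryException {
        PentahoJcrConstants pentahoJcrConstants = new PentahoJcrConstants(session);
        Serializable id = repositoryFileAcl.getId();
        JcrRepositoryFileUtils.checkoutNearestVersionableFileIfNecessary(session, pentahoJcrConstants, id);
        internalUpdateAcl(session, pentahoJcrConstants, repositoryFileAcl.getId(), repositoryFileAcl);
        JcrRepositoryFileUtils.checkinNearestVersionableFileIfNecessary(session, pentahoJcrConstants, repositoryFileAcl.getId(), null, null, true);
    }

    /**
     * Reads the ACL of a node and converts it to a {@link RepositoryFileAcl}.
     *
     * <p>The owner comes from the ACL metadata and is always reported with type {@code USER}; it is
     * {@code null} when no owner name is available. Entries are passed through
     * {@link #removeAclMetadata(List)} before conversion.
     *
     * @param session JCR session used for all operations
     * @param pentahoJcrConstants not used by this method
     * @param serializable identifier of the node
     * @return the converted ACL
     * @throws RepositoryException if the node is missing or any JCR operation fails
     */
    public static RepositoryFileAcl getAcl(Session session, PentahoJcrConstants pentahoJcrConstants, Serializable serializable) throws RepositoryException {
        Node node = session.getNodeByIdentifier(serializable.toString());
        if (node == null) {
            throw new RepositoryException(Messages.getInstance().getString("JackrabbitRepositoryFileAclDao.ERROR_0001_NODE_NOT_FOUND", new Object[]{serializable.toString()}));
        }
        String path = node.getPath();
        AccessControlList accessControlList = getAccessControlList(session.getAccessControlManager(), path);
        String ownerName = JcrTenantUtils.getUserNameUtils().getPrincipleName(getOwner(session, path, accessControlList));
        RepositoryFileSid owner = ownerName != null ? new RepositoryFileSid(ownerName, RepositoryFileSid.Type.USER) : null;
        RepositoryFileAcl.Builder builder = new RepositoryFileAcl.Builder(serializable, owner);
        builder.entriesInheriting(isEntriesInheriting(session, path, accessControlList));
        for (AccessControlEntry entry : removeAclMetadata(Arrays.asList(accessControlList.getAccessControlEntries()))) {
            builder.ace(toAce(session, entry));
        }
        return builder.build();
    }

    /**
     * Finds the ACL for a path: the first applicable (not yet bound) policy that is an
     * {@link AccessControlList}, otherwise the first already bound one.
     *
     * @throws IllegalStateException if neither kind of policy yields an access control list
     */
    private static AccessControlList getAccessControlList(AccessControlManager accessControlManager, String str) throws RepositoryException {
        AccessControlPolicyIterator applicablePolicies = accessControlManager.getApplicablePolicies(str);
        while (applicablePolicies.hasNext()) {
            AccessControlPolicy candidate = applicablePolicies.nextAccessControlPolicy();
            if (candidate instanceof AccessControlList) {
                return (AccessControlList) candidate;
            }
        }
        for (AccessControlPolicy bound : accessControlManager.getPolicies(str)) {
            if (bound instanceof AccessControlList) {
                return (AccessControlList) bound;
            }
        }
        throw new IllegalStateException("no access control list applies or is bound to node");
    }

    /** Returns the owner from the ACL metadata, or {@code null} when there is no metadata. */
    private static String getOwner(Session session, String str, AccessControlList accessControlList) throws RepositoryException {
        IAclMetadataStrategy.AclMetadata aclMetadata = getAclMetadata(session, str, accessControlList);
        return aclMetadata != null ? aclMetadata.getOwner() : null;
    }

    /** Returns the inheritance flag from the ACL metadata, or {@code false} when there is no metadata. */
    private static boolean isEntriesInheriting(Session session, String str, AccessControlList accessControlList) throws RepositoryException {
        IAclMetadataStrategy.AclMetadata aclMetadata = getAclMetadata(session, str, accessControlList);
        return aclMetadata != null && aclMetadata.isEntriesInheriting();
    }

    /**
     * Converts one JCR access control entry to a {@link RepositoryFileAce}.
     */
    private static RepositoryFileAce toAce(Session session, AccessControlEntry accessControlEntry) throws RepositoryException {
        Principal principal = accessControlEntry.getPrincipal();
        // NOTE(review): roles are written as SpringSecurityRolePrincipal in internalUpdateAcl but
        // recognised here by "instanceof Group" (org.apache.jackrabbit.api.security.user.Group).
        // If the role principal is not such a Group, role entries are read back as USER sids -
        // confirm against the principal classes.
        RepositoryFileSid.Type type = principal instanceof Group ? RepositoryFileSid.Type.ROLE : RepositoryFileSid.Type.USER;
        RepositoryFileSid sid = new RepositoryFileSid(principal.getName(), type);
        return new RepositoryFileAce(sid, new DefaultPermissionConversionHelper(session).privilegesToPentahoPermissions(session, accessControlEntry.getPrivileges()));
    }

    // Runs after the static field initializers above, so strategyName is already populated.
    static {
        initialize();
    }
}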
