package info.magnolia.security.app.dialog.action;

import com.vaadin.data.Item;
import com.vaadin.data.Property;
import info.magnolia.cms.security.Permission;
import info.magnolia.cms.security.PrincipalUtil;
import info.magnolia.cms.security.RoleManager;
import info.magnolia.cms.security.SecuritySupport;
import info.magnolia.cms.security.auth.ACL;
import info.magnolia.context.MgnlContext;
import info.magnolia.jcr.util.NodeUtil;
import info.magnolia.objectfactory.Components;
import info.magnolia.security.app.dialog.field.AccessControlList;
import info.magnolia.security.app.dialog.field.WorkspaceAccessFieldFactory;
import info.magnolia.security.app.util.UsersWorkspaceUtil;
import info.magnolia.ui.admincentral.dialog.action.SaveDialogAction;
import info.magnolia.ui.admincentral.dialog.action.SaveDialogActionDefinition;
import info.magnolia.ui.api.ModelConstants;
import info.magnolia.ui.api.action.ActionExecutionException;
import info.magnolia.ui.form.EditorCallback;
import info.magnolia.ui.form.EditorValidator;
import info.magnolia.ui.vaadin.integration.jcr.AbstractJcrNodeAdapter;
import info.magnolia.ui.vaadin.integration.jcr.JcrNewNodeAdapter;
import info.magnolia.ui.vaadin.integration.jcr.JcrNodeAdapter;
import java.security.AccessControlException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import javax.jcr.Node;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import org.apache.commons.lang.StringUtils;
import org.apache.xerces.impl.xs.SchemaSymbols;

/* loaded from: input_file:WEB-INF/lib/magnolia-security-app-5.2.3.jar:info/magnolia/security/app/dialog/action/SaveRoleDialogAction.class */
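/**
 * Dialog action that validates and persists a role edited in the security app.
 *
 * <p>Security-relevant behaviour: before anything is written, the ACL entries requested in the
 * dialog are compared with the ACLs of the current subject, so a user who may edit roles cannot
 * hand out permissions they do not hold themselves. Users holding the {@code superuser} role skip
 * that comparison entirely.
 *
 * <p>This listing is decompiler output (see the "loaded from" marker above the class). The local
 * variable whose type the decompiler could not infer has been given its concrete type here, and a
 * constant the decompiler borrowed from an XML-parser class has been replaced by its literal value.
 *
 * <p>NOTE(review): validation reads the in-memory dialog adapters, while persistence re-reads the
 * JCR nodes produced by {@code applyChanges()}. The two passes also key on the intermediary-format
 * marker at different levels (the ACL adapter during validation, each entry node during
 * persistence). Confirm against the field factory that both passes always see the same entries.
 */
public class SaveRoleDialogAction extends SaveDialogAction {
    private final SecuritySupport securitySupport;

    /**
     * Creates the action with an explicitly supplied {@link SecuritySupport}.
     *
     * @param saveDialogActionDefinition definition of this action
     * @param item the dialog item; {@link #execute()} casts it to {@link JcrNodeAdapter}
     * @param editorValidator form validator consulted before saving
     * @param editorCallback callback notified on success
     * @param securitySupport source of the {@link RoleManager} used to create roles
     */
    public SaveRoleDialogAction(SaveDialogActionDefinition saveDialogActionDefinition, Item item, EditorValidator editorValidator, EditorCallback editorCallback, SecuritySupport securitySupport) {
        super(saveDialogActionDefinition, item, editorValidator, editorCallback);
        this.securitySupport = securitySupport;
    }

    /**
     * Creates the action, resolving {@link SecuritySupport} through {@link Components}.
     */
    public SaveRoleDialogAction(SaveDialogActionDefinition saveDialogActionDefinition, Item item, EditorValidator editorValidator, EditorCallback editorCallback) {
        this(saveDialogActionDefinition, item, editorValidator, editorCallback, (SecuritySupport) Components.getComponent(SecuritySupport.class));
    }

    /**
     * Validates the form and the requested ACL entries, then saves the role.
     *
     * <p>Nothing is written unless both the form validator and
     * {@link #validateAccessControlLists(JcrNodeAdapter)} succeed; the latter throws rather than
     * returning {@code false} when an entry exceeds the current user's own permissions.
     *
     * @throws ActionExecutionException if the ACL check rejects an entry or saving fails
     */
    @Override
    public void execute() throws ActionExecutionException {
        JcrNodeAdapter jcrNodeAdapter = (JcrNodeAdapter) this.item;
        this.validator.showValidation(true);
        // The authorization check must stay in front of createOrUpdateRole(): that method
        // saves the JCR session and performs no entitlement check of its own.
        if (this.validator.isValid() && validateAccessControlLists(jcrNodeAdapter)) {
            createOrUpdateRole(jcrNodeAdapter);
            // getDefinition2() is the accessor name as emitted by the decompiler.
            this.callback.onSuccess(getDefinition2().getName());
        }
    }

    /**
     * Creates a new role or updates (and possibly renames) an existing one, then rewrites the
     * workspace ACL nodes from the dialog's intermediary format into their stored form.
     *
     * <p>No permission comparison happens here; callers must have run
     * {@link #validateAccessControlLists(JcrNodeAdapter)} first.
     *
     * @param jcrNodeAdapter adapter for the role being saved
     * @throws ActionExecutionException wrapping any exception raised while saving
     */
    private void createOrUpdateRole(JcrNodeAdapter jcrNodeAdapter) throws ActionExecutionException {
        try {
            RoleManager roleManager = this.securitySupport.getRoleManager();
            String roleName = (String) jcrNodeAdapter.getItemProperty(ModelConstants.JCR_NAME).getValue();
            if (jcrNodeAdapter instanceof JcrNewNodeAdapter) {
                // For a new role the adapter's JCR item is the node the role is created under.
                Node parentNode = jcrNodeAdapter.getJcrItem();
                Node roleNode = parentNode.getNode(roleManager.createRole(parentNode.getPath(), roleName).getName());
                jcrNodeAdapter = convertNewNodeAdapterForUpdating((JcrNewNodeAdapter) jcrNodeAdapter, roleNode);
            } else {
                Node roleNode = jcrNodeAdapter.getJcrItem();
                if (!StringUtils.equals(roleNode.getName(), roleName)) {
                    // Rename: remember the old path so ACLs that reference it can be updated.
                    // NOTE(review): no explicit permission check precedes the rename in this class;
                    // presumably the JCR session enforces it - confirm.
                    String oldPath = roleNode.getPath();
                    NodeUtil.renameNode(roleNode, roleName);
                    roleNode.setProperty("name", roleName);
                    UsersWorkspaceUtil.updateAcls(roleNode, oldPath);
                }
            }
            Node savedRole = jcrNodeAdapter.applyChanges();
            if (savedRole.hasNode("acl_userroles/0")) {
                // Mark the first userroles entry as intermediary format with access type 1 so the
                // conversion loop below picks it up. The decompiler had rendered the marker value
                // as a constant from an XML-parser class; the string literal is the same value.
                Node firstUserRolesEntry = savedRole.getNode("acl_userroles/0");
                firstUserRolesEntry.setProperty(WorkspaceAccessFieldFactory.INTERMEDIARY_FORMAT_PROPERTY_NAME, "true");
                firstUserRolesEntry.setProperty(WorkspaceAccessFieldFactory.ACCESS_TYPE_PROPERTY_NAME, 1L);
                firstUserRolesEntry.getSession().save();
            }
            for (Node aclNode : NodeUtil.getNodes(savedRole)) {
                // acl_uri is stored as-is; only workspace ACL nodes are converted.
                if (aclNode.getName().startsWith("acl_") && !aclNode.getName().equals("acl_uri")) {
                    AccessControlList accessControlList = new AccessControlList();
                    for (Node entryNode : NodeUtil.getNodes(aclNode)) {
                        if (entryNode.hasProperty(WorkspaceAccessFieldFactory.INTERMEDIARY_FORMAT_PROPERTY_NAME)) {
                            String rawPath = entryNode.getProperty("path").getString();
                            long accessType = entryNode.getProperty(WorkspaceAccessFieldFactory.ACCESS_TYPE_PROPERTY_NAME).getLong();
                            long permissions = entryNode.getProperty(AccessControlList.PERMISSIONS_PROPERTY_NAME).getLong();
                            String path = stripWildcardsFromPath(rawPath);
                            // stripWildcardsFromPath() maps a blank result to "/", so this guard is
                            // always true with the current helper: a blank path is stored as a
                            // root entry, not dropped.
                            if (StringUtils.isNotBlank(path)) {
                                accessControlList.addEntry(new AccessControlList.Entry(permissions, accessType, path));
                            }
                        }
                        // Every child entry is removed, including ones without the marker;
                        // only the entries collected above are written back.
                        entryNode.remove();
                    }
                    aclNode.setProperty(WorkspaceAccessFieldFactory.INTERMEDIARY_FORMAT_PROPERTY_NAME, (Value) null);
                    accessControlList.saveEntries(aclNode);
                }
            }
            savedRole.getSession().save();
        } catch (Exception e) {
            throw new ActionExecutionException(e);
        }
    }

    /**
     * Builds a {@link JcrNodeAdapter} for an already-created node and copies the properties and
     * children of the new-node adapter onto it.
     *
     * @param jcrNewNodeAdapter adapter holding the values entered in the dialog
     * @param node the persisted node the returned adapter wraps
     * @return adapter for {@code node} carrying the dialog's properties and children
     * @throws RepositoryException if the repository cannot be read
     */
    private JcrNodeAdapter convertNewNodeAdapterForUpdating(JcrNewNodeAdapter jcrNewNodeAdapter, Node node) throws RepositoryException {
        // The decompiler emitted an unresolved "??" type here; the constructor call and the
        // method's return type both fix it as JcrNodeAdapter.
        JcrNodeAdapter adapter = new JcrNodeAdapter(node);
        for (Object propertyId : jcrNewNodeAdapter.getItemPropertyIds()) {
            Property existing = adapter.getItemProperty(propertyId);
            if (existing == null) {
                adapter.addItemProperty(propertyId, jcrNewNodeAdapter.getItemProperty(propertyId));
            } else {
                existing.setValue(jcrNewNodeAdapter.getItemProperty(propertyId).getValue());
            }
        }
        adapter.getChildren().clear();
        for (AbstractJcrNodeAdapter child : jcrNewNodeAdapter.getChildren().values()) {
            if (child instanceof JcrNewNodeAdapter) {
                if (!node.hasNode(child.getNodeName())) {
                    child.setParent(adapter);
                    child.setItemId(adapter.getItemId());
                } else if (child.getNodeName().startsWith("acl_")) {
                    // The ACL node already exists: convert recursively so it is updated in place.
                    child = convertNewNodeAdapterForUpdating((JcrNewNodeAdapter) child, node.getNode(child.getNodeName()));
                    // Kept as in the original although the call after the if-block adds the same
                    // child again. NOTE(review): presumably addChild is idempotent - confirm.
                    adapter.addChild(child);
                } else {
                    // Name clash with an existing non-ACL node: pick a fresh numeric name.
                    // NOTE(review): uniqueness is computed against the child's previous parent
                    // adapter, not against 'node'; if that parent is a new-node adapter only
                    // in-memory siblings are consulted - confirm this cannot collide.
                    child.setNodeName(getUniqueNodeNameForChild(child.getParent()));
                    child.setParent(adapter);
                    child.setItemId(adapter.getItemId());
                }
            }
            adapter.addChild(child);
        }
        return adapter;
    }

    /**
     * Returns the smallest non-negative integer, as a string, that is not used as a child name by
     * the given parent adapter nor (when the parent is not a new-node adapter) by its JCR node.
     *
     * @param abstractJcrNodeAdapter the parent adapter whose children are inspected
     * @return an unused numeric child name
     * @throws RepositoryException if the repository cannot be read
     */
    private String getUniqueNodeNameForChild(AbstractJcrNodeAdapter abstractJcrNodeAdapter) throws RepositoryException {
        Node node = null;
        if (!(abstractJcrNodeAdapter instanceof JcrNewNodeAdapter)) {
            node = abstractJcrNodeAdapter.getJcrItem();
        }
        int index = 0;
        while (abstractJcrNodeAdapter.getChild(String.valueOf(index)) != null
                || (node != null && node.hasNode(String.valueOf(index)))) {
            index++;
        }
        return String.valueOf(index);
    }

    /**
     * Checks that the current user is entitled to grant every ACL entry requested in the dialog.
     *
     * <p>Superusers pass unconditionally. For a new role the session must additionally be allowed
     * to add a node at the adapter's JCR item path. Workspace ACL adapters are inspected only when
     * they carry the intermediary-format marker; {@code acl_uri} is inspected without it; any other
     * {@code acl_*} adapter is skipped.
     *
     * <p>NOTE(review): a missing {@code path}, access-type or permissions property on an entry
     * would surface as a {@code NullPointerException} here. That still prevents the save, but not
     * as an {@link ActionExecutionException}.
     *
     * @param jcrNodeAdapter adapter for the role being saved
     * @return {@code true} when every entry may be granted; never returns {@code false}
     * @throws ActionExecutionException if an entry exceeds the user's own permissions, or wrapping
     *     an {@link AccessControlException} or {@link RepositoryException}
     */
    private boolean validateAccessControlLists(JcrNodeAdapter jcrNodeAdapter) throws ActionExecutionException {
        if (MgnlContext.getUser().hasRole("superuser")) {
            return true;
        }
        try {
            if (jcrNodeAdapter instanceof JcrNewNodeAdapter) {
                Node parentNode = jcrNodeAdapter.getJcrItem();
                // Throws AccessControlException when the session may not add a node here.
                parentNode.getSession().checkPermission(parentNode.getPath(), Session.ACTION_ADD_NODE);
            }
            for (AbstractJcrNodeAdapter aclAdapter : jcrNodeAdapter.getChildren().values()) {
                String nodeName = aclAdapter.getNodeName();
                if (!nodeName.startsWith("acl_")) {
                    continue;
                }
                if (aclAdapter.getItemProperty(WorkspaceAccessFieldFactory.INTERMEDIARY_FORMAT_PROPERTY_NAME) != null) {
                    // The workspace name is the node name with the "acl_" marker removed.
                    String workspaceName = StringUtils.replace(aclAdapter.getNodeName(), "acl_", "");
                    for (AbstractJcrNodeAdapter entry : aclAdapter.getChildren().values()) {
                        String path = (String) entry.getItemProperty("path").getValue();
                        long accessType = ((Long) entry.getItemProperty(WorkspaceAccessFieldFactory.ACCESS_TYPE_PROPERTY_NAME).getValue()).longValue();
                        long permissions = ((Long) entry.getItemProperty(AccessControlList.PERMISSIONS_PROPERTY_NAME).getValue()).longValue();
                        if (!isCurrentUserEntitledToGrantRights(workspaceName, path, accessType, permissions)) {
                            throw new ActionExecutionException("Access violation: could not create role. Have you the necessary grants to create such a role?");
                        }
                    }
                } else if (nodeName.equals("acl_uri")) {
                    for (AbstractJcrNodeAdapter entry : aclAdapter.getChildren().values()) {
                        String path = (String) entry.getItemProperty("path").getValue();
                        long permissions = ((Long) entry.getItemProperty(AccessControlList.PERMISSIONS_PROPERTY_NAME).getValue()).longValue();
                        if (!isCurrentUserEntitledToGrantUriRights(path, permissions)) {
                            throw new ActionExecutionException("Access violation: could not create role. Have you the necessary grants to create such a role?");
                        }
                    }
                }
            }
            return true;
        } catch (AccessControlException e) {
            throw new ActionExecutionException(e);
        } catch (RepositoryException e) {
            throw new ActionExecutionException(e);
        }
    }

    /**
     * Decides whether the current user holds the permissions a workspace ACL entry would grant.
     *
     * @param workspaceName workspace whose ACL of the current subject is consulted
     * @param path path from the entry; trailing wildcards are stripped before matching
     * @param accessType access-type bit field from the entry; bit value 2 requires the user's own
     *     matching pattern to end with {@code "/*"} (presumably the "sub nodes" scope - confirm)
     * @param permissions requested permission bits; 0 is replaced by 8 before comparison
     *     (presumably the read permission - confirm against {@link Permission})
     * @return {@code true} if the user's best-matching permission covers all requested bits
     * @throws RepositoryException declared for callers; not thrown by the visible code
     */
    private boolean isCurrentUserEntitledToGrantRights(String workspaceName, String path, long accessType, long permissions) throws RepositoryException {
        if (MgnlContext.getUser().hasRole("superuser")) {
            return true;
        }
        if (permissions == 0) {
            permissions = 8;
        }
        ACL acl = PrincipalUtil.findAccessControlList(MgnlContext.getSubject(), workspaceName);
        if (acl == null) {
            // No ACL for this workspace at all: the user can grant nothing in it.
            return false;
        }
        Permission bestMatch = findBestMatchingPermissions(acl.getList(), stripWildcardsFromPath(path));
        if (bestMatch == null) {
            return false;
        }
        boolean requestsScopeBitTwo = (accessType & 2) != 0;
        if (requestsScopeBitTwo && !bestMatch.getPattern().getPatternString().endsWith("/*")) {
            return false;
        }
        return granted(bestMatch, permissions);
    }

    /**
     * Decides whether the current user holds the permissions a URI ACL entry would grant.
     *
     * @param path URI pattern from the entry; a trailing {@code "*"} requires the user's own
     *     matching pattern to end with {@code "*"} as well
     * @param permissions requested permission bits; 0 is replaced by 8 before comparison
     * @return {@code true} if the user's best-matching URI permission covers all requested bits
     * @throws RepositoryException declared for callers; not thrown by the visible code
     */
    private boolean isCurrentUserEntitledToGrantUriRights(String path, long permissions) throws RepositoryException {
        if (MgnlContext.getUser().hasRole("superuser")) {
            return true;
        }
        if (permissions == 0) {
            permissions = 8;
        }
        ACL acl = PrincipalUtil.findAccessControlList(MgnlContext.getSubject(), "uri");
        if (acl == null) {
            return false;
        }
        boolean requestsWildcard = path.endsWith("*");
        Permission bestMatch = findBestMatchingPermissions(acl.getList(), stripWildcardsFromPath(path));
        if (bestMatch == null) {
            return false;
        }
        if (requestsWildcard && !bestMatch.getPattern().getPatternString().endsWith("*")) {
            return false;
        }
        return granted(bestMatch, permissions);
    }

    /**
     * Removes all trailing {@code '/'} and {@code '*'} characters from a path.
     *
     * @param path path to normalise; may be {@code null}
     * @return the stripped path, or {@code "/"} when nothing but blanks remains, so a blank,
     *     {@code null} or wildcard-only input is treated as the root path
     */
    private String stripWildcardsFromPath(String path) {
        String stripped = StringUtils.stripEnd(path, "/*");
        if (StringUtils.isBlank(stripped)) {
            stripped = "/";
        }
        return stripped;
    }

    /**
     * Returns whether {@code permission} contains every bit set in {@code requested}.
     */
    private boolean granted(Permission permission, long requested) {
        return (permission.getPermissions() & requested) == requested;
    }

    /**
     * Selects, among the permissions whose pattern matches {@code path}, the one with the longest
     * pattern; between patterns of equal length the numerically larger permission value wins.
     *
     * <p>NOTE(review): the tie-break compares permission values as numbers, not as bit sets, so
     * the winner of a tie is not necessarily a superset of the loser - confirm this is intended.
     *
     * @param list permissions to search; may be {@code null}
     * @param path path to match
     * @return the selected permission, or {@code null} if the list is {@code null} or none matches
     */
    private Permission findBestMatchingPermissions(List<Permission> list, String path) {
        if (list == null) {
            return null;
        }
        Permission best = null;
        long bestPermissions = 0;
        int bestLength = 0;
        // Iterate over a copy, as the original does, so the caller's list is never walked directly.
        for (Permission candidate : new ArrayList<Permission>(list)) {
            if (candidate.match(path)) {
                int length = candidate.getPattern().getLength();
                if (bestLength == length && bestPermissions < candidate.getPermissions()) {
                    bestPermissions = candidate.getPermissions();
                    best = candidate;
                } else if (bestLength < length) {
                    bestLength = length;
                    bestPermissions = candidate.getPermissions();
                    best = candidate;
                }
            }
        }
        return best;
    }
}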
