package info.magnolia.cms.core;

import info.magnolia.cms.security.Permission;
import info.magnolia.cms.security.PermissionImpl;
import info.magnolia.cms.security.PrincipalUtil;
import info.magnolia.cms.security.auth.ACL;
import info.magnolia.cms.util.SimpleUrlPattern;
import info.magnolia.objectfactory.Classes;
import info.magnolia.objectfactory.MgnlInstantiationException;
import java.security.Principal;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.jcr.ItemNotFoundException;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlPolicy;
import org.apache.jackrabbit.core.ItemImpl;
import org.apache.jackrabbit.core.security.authorization.AccessControlEditor;
import org.apache.jackrabbit.core.security.authorization.CompiledPermissions;
import org.apache.jackrabbit.core.security.authorization.combined.CombinedProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/magnolia-core-5.6.5.jar:info/magnolia/cms/core/MagnoliaAccessProvider.class */
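/**
 * Jackrabbit access control provider that resolves permissions from Magnolia ACLs.
 *
 * <p>For every set of principals it compiles one of three permission objects:
 * admin permissions for admin/system principals, an instance of the configured
 * {@code permissionsClass} when an ACL exists for the workspace, or the
 * root-only fallback when no ACL is found.
 *
 * <p>Security notes for reviewers:
 * <ul>
 *   <li>The {@code permissionsClass} name comes from the workspace security configuration and is
 *       loaded and instantiated reflectively. Whoever can edit that configuration chooses the
 *       code that makes authorization decisions, so the configuration must be treated as
 *       privileged.</li>
 *   <li>If the configured class cannot be loaded, is of the wrong type, or cannot be instantiated,
 *       the provider logs a WARN and silently continues with {@link DefaultACLBasedPermissions}.
 *       A deployment that relies on a custom (for example stricter) permission class should
 *       alert on these warnings, because the custom checks are then not in effect.</li>
 * </ul>
 */
public class MagnoliaAccessProvider extends CombinedProvider {
    private static final Logger log = LoggerFactory.getLogger(MagnoliaAccessProvider.class);

    /** Configuration key that names the permission implementation to use. */
    private static final String PERMISSIONS_CLASS_KEY = "permissionsClass";

    /**
     * Permission bit mask used for the implicit {@code /jcr:system} entries.
     * NOTE(review): presumably the same value as Magnolia's READ permission - confirm against Permission.
     */
    private static final long READ_PERMISSION = 8L;

    // Fallback handed out when no ACL exists for the principals in this workspace.
    // NOTE(review): judging by its name RootOnlyPermissions limits access to the root node - verify.
    private CompiledPermissions RootOnlyPermission;
    private Map<?, ?> configuration;
    private Class<? extends DefaultACLBasedPermissions> permissionsClass;
    private final Class<? extends DefaultACLBasedPermissions> defaultPermissionsClass = DefaultACLBasedPermissions.class;
    private final String warnMessage = "Check settings of 'permissionsClass' parameter under Workspace>WorkspaceSecurity>AccessControlProvider>. Using default " + this.defaultPermissionsClass + " instead. Only classes extended from this default class can be used.";

    /**
     * Reports that the root node is accessible.
     *
     * <p>This returns {@code true} for every principal set once the provider is initialized; it
     * does not consult any ACL. What a principal can do beyond that is decided by the object
     * returned from {@link #compilePermissions(Set)}.
     *
     * @param set the principals to check (not inspected)
     * @return always {@code true}
     * @throws RepositoryException declared by the overridden method
     */
    @Override
    public boolean canAccessRoot(Set<Principal> set) throws RepositoryException {
        checkInitialized();
        return true;
    }

    /** Logs the call and delegates to the parent provider. */
    @Override
    public void close() {
        log.debug("close()");
        super.close();
    }

    /**
     * Compiles the permissions that apply to the given principals in this provider's workspace.
     *
     * @param set the principals of the subject
     * @return admin permissions for admin/system principals; otherwise an instance of the
     *     configured permission class built from the workspace ACL (with read access to
     *     {@code /jcr:system} added), or the root-only fallback when no ACL is found
     * @throws RepositoryException declared by the overridden method
     */
    @Override
    public CompiledPermissions compilePermissions(Set<Principal> set) throws RepositoryException {
        // Building the principal list is only worth it when the message is actually written.
        if (log.isDebugEnabled()) {
            log.debug("compile permissions for {} at {}", printUserNames(set), this.session == null ? null : this.session.getWorkspace().getName());
        }
        checkInitialized();
        // Admin and system principals bypass ACL evaluation entirely.
        if (isAdminOrSystem(set)) {
            return getAdminPermissions();
        }
        ACL acl = PrincipalUtil.findAccessControlList(set, this.session.getWorkspace().getName());
        if (acl == null) {
            // No ACL for this workspace: hand out the fallback instead of the configured class.
            return this.RootOnlyPermission;
        }
        return getUserPermissions(addJcrSystemReadPermissions(acl.getList()));
    }

    /** Instantiates the configured permission class for the given permission list. */
    private CompiledPermissions getUserPermissions(List<Permission> list) {
        return (CompiledPermissions) Classes.getClassFactory().newInstance(this.permissionsClass, list, this.session, this.configuration);
    }

    /** Wraps the parent provider's editor in a {@link MagnoliaACLEditor}. */
    @Override
    public AccessControlEditor getEditor(Session session) {
        log.debug("getEditor({})", session);
        return new MagnoliaACLEditor(super.getEditor(session));
    }

    /** Logs the call and delegates to the parent provider. */
    @Override
    public AccessControlPolicy[] getEffectivePolicies(org.apache.jackrabbit.spi.Path path, CompiledPermissions compiledPermissions) throws ItemNotFoundException, RepositoryException {
        log.debug("getEffectivePolicies({}, {})", path, compiledPermissions);
        return super.getEffectivePolicies(path, compiledPermissions);
    }

    /** Logs the call and delegates to the parent provider. */
    @Override
    public AccessControlPolicy[] getEffectivePolicies(Set<Principal> set, CompiledPermissions compiledPermissions) throws RepositoryException {
        log.debug("getEffectivePolicies({}, {})", set, compiledPermissions);
        return super.getEffectivePolicies(set, compiledPermissions);
    }

    /**
     * Initializes the provider and selects the permission implementation.
     *
     * <p>When the configuration has no {@code permissionsClass} entry the default class is used.
     * Otherwise the named class is loaded, checked to be a subclass of
     * {@link DefaultACLBasedPermissions}, and instantiated once with an empty permission list to
     * verify that the expected constructor exists. Every failure is logged at WARN and the
     * default class is used instead; initialization itself never fails because of this setting.
     *
     * @param session the session this provider works with
     * @param map the provider configuration
     * @throws RepositoryException if the parent initialization fails
     */
    @Override
    public void init(Session session, Map map) throws RepositoryException {
        log.debug("init({}, {})", session, map);
        super.init(session, map);
        this.RootOnlyPermission = new RootOnlyPermissions(this.session);
        this.configuration = map;
        Object obj = map.get(PERMISSIONS_CLASS_KEY);
        if (obj == null) {
            this.permissionsClass = this.defaultPermissionsClass;
            return;
        }
        try {
            // NOTE(review): the class is loaded before its type is checked, so the configured name
            // must come from a trusted source; the isAssignableFrom test below only limits which
            // class ends up making authorization decisions.
            this.permissionsClass = Classes.getClassFactory().forName((String) obj);
            if (DefaultACLBasedPermissions.class.isAssignableFrom(this.permissionsClass)) {
                // Trial instantiation: fails here, at startup, if the constructor does not match.
                Classes.getClassFactory().newInstance(this.permissionsClass, new LinkedList<Permission>(), this.session, map);
                log.info("Using {} for resolving permissions.", this.permissionsClass);
            } else {
                log.warn("The '{}' cannot be used as permissionClass. {}", this.permissionsClass, this.warnMessage);
                this.permissionsClass = this.defaultPermissionsClass;
            }
        } catch (MgnlInstantiationException e) {
            // The message has three placeholders; supply all three values and keep the cause.
            log.warn("Cannot instantiate '{}'. The permissionClass must have constructor with exact same arguments like '{}'. Using the default permission class '{}' instead.", this.permissionsClass, this.defaultPermissionsClass, this.defaultPermissionsClass, e);
            this.permissionsClass = this.defaultPermissionsClass;
        } catch (ClassNotFoundException e2) {
            log.warn("The class '{}' doesn't exist. {}", obj, this.warnMessage, e2);
            this.permissionsClass = this.defaultPermissionsClass;
        } catch (Exception e3) {
            // Also reached when the configured value is not a String (ClassCastException above).
            log.warn("Cannot instantiate permissionsClass '{}'. {}", this.permissionsClass, this.warnMessage, e3);
            this.permissionsClass = this.defaultPermissionsClass;
        }
    }

    /** Logs the call and delegates to the parent provider. */
    @Override
    public boolean isAcItem(ItemImpl itemImpl) throws RepositoryException {
        log.debug("isAcItem({})", itemImpl);
        return super.isAcItem(itemImpl);
    }

    /** Logs the call and delegates to the parent provider. */
    @Override
    public boolean isAcItem(org.apache.jackrabbit.spi.Path path) throws RepositoryException {
        log.debug("isAcItem({})", path);
        return super.isAcItem(path);
    }

    /**
     * Formats the principals as {@code name[class] or name[class] ...} for debug logging.
     *
     * @return the formatted list, or an empty string for an empty set
     */
    private String printUserNames(Set<Principal> set) {
        StringBuilder sb = new StringBuilder();
        for (Principal principal : set) {
            sb.append(" or ").append(principal.getName()).append("[").append(principal.getClass().getName()).append("]");
        }
        // Drop the leading " or "; on an empty builder this is a no-op.
        sb.delete(0, 4);
        return sb.toString();
    }

    /** Ensures the list grants read access to {@code /jcr:system} and everything below it. */
    private List<Permission> addJcrSystemReadPermissions(List<Permission> list) {
        return addReadPermission(addReadPermission(list, "/jcr:system"), "/jcr:system/*");
    }

    /**
     * Adds a read entry for {@code str} unless the list already holds an entry that matches the
     * path and whose permission value is exactly {@link #READ_PERMISSION}.
     *
     * <p>The comparison is an exact match, not a bit test, so an existing entry that combines read
     * with other permissions does not suppress the insertion. The new entry is inserted at the
     * front of the list.
     * NOTE(review): the list is modified in place; if the ACL returned by PrincipalUtil is shared
     * or cached, this changes it for other callers too - confirm that this is intended.
     *
     * @param list the permission list to extend; modified in place
     * @param str the path pattern that must be readable
     * @return the same list instance
     */
    private List<Permission> addReadPermission(List<Permission> list, String str) {
        boolean missing = list.stream().noneMatch(permission ->
                permission.getPattern().match(str) && permission.getPermissions() == READ_PERMISSION);
        if (missing) {
            PermissionImpl permissionImpl = new PermissionImpl();
            permissionImpl.setPattern(new SimpleUrlPattern(str));
            permissionImpl.setPermissions(READ_PERMISSION);
            list.add(0, permissionImpl);
        }
        return list;
    }
}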
