package info.magnolia.security.app.dialog.field.validator;

import com.vaadin.v7.data.validator.AbstractValidator;
import info.magnolia.cms.security.Permission;
import info.magnolia.cms.security.PrincipalUtil;
import info.magnolia.cms.security.auth.ACL;
import info.magnolia.context.MgnlContext;
import info.magnolia.security.app.dialog.field.AccessControlList;
import info.magnolia.security.app.util.AccessControlPropertyUtil;
import java.security.AccessControlException;
import java.text.MessageFormat;
import javax.jcr.RepositoryException;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/magnolia-security-app-5.6.jar:info/magnolia/security/app/dialog/field/validator/WebAccessControlValidator.class */
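/**
 * Vaadin validator for {@link AccessControlList.Entry} values edited in the security app.
 *
 * <p>An entry is accepted only when the current user already holds, in their own {@code "uri"}
 * access control list, every permission bit the entry would grant on the entry's path. This is
 * the guard that stops a user from granting URI rights they do not hold themselves.
 *
 * <p>Security notes:
 * <ul>
 *   <li>Users with the {@code superuser} role skip the check entirely.</li>
 *   <li>Every failure mode (no ACL, no matching permission, missing path,
 *       {@link AccessControlException}, {@link RepositoryException}) rejects the entry, so the
 *       check fails closed.</li>
 * </ul>
 */
public class WebAccessControlValidator extends AbstractValidator<AccessControlList.Entry> {
    private static final Logger log = LoggerFactory.getLogger(WebAccessControlValidator.class);

    /** Role whose members are exempt from the entitlement check. */
    private static final String SUPERUSER_ROLE = "superuser";

    /** Name of the access control list that holds the current subject's URI permissions. */
    private static final String URI_ACL_NAME = "uri";

    /** Trailing character that marks a path as a wildcard pattern. */
    private static final String WILDCARD = "*";

    /**
     * Permission mask required when the entry itself carries no permission bits.
     * NOTE(review): 8 presumably corresponds to Permission.READ, so a "deny" entry still
     * requires read access from the granting user; confirm against Permission.
     */
    private static final long DEFAULT_REQUIRED_PERMISSIONS = 8;

    /** Unformatted message template; kept because the formatted message is replaced on each failure. */
    private final String originalErrorMessage;

    /**
     * Creates the validator.
     *
     * @param str {@link MessageFormat} template for the error message; {@code {0}} receives the
     *     requested permission mask and {@code {1}} the entry's path
     */
    public WebAccessControlValidator(String str) {
        super(str);
        this.originalErrorMessage = str;
    }

    @Override // com.vaadin.v7.data.validator.AbstractValidator
    public Class<AccessControlList.Entry> getType() {
        return AccessControlList.Entry.class;
    }

    /**
     * Checks whether the current user may grant the permissions carried by {@code entry}.
     *
     * <p>On rejection the validator's error message is re-rendered from the original template
     * with the entry's permission mask and path.
     *
     * @param entry the access control entry being validated
     * @return {@code true} if the current user is a superuser or holds the requested permissions
     *     on the entry's path; {@code false} otherwise, including when the check itself fails
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // com.vaadin.v7.data.validator.AbstractValidator
    public boolean isValidValue(AccessControlList.Entry entry) {
        if (MgnlContext.getUser().hasRole(SUPERUSER_ROLE)) {
            return true;
        }
        String path = entry.getPath();
        long permissions = entry.getPermissions();

        boolean entitled;
        try {
            entitled = isCurrentUserEntitledToGrantUriRights(path, permissions);
        } catch (AccessControlException e) {
            // An access-control failure while evaluating the ACL is treated as "not entitled".
            entitled = false;
        } catch (RepositoryException e) {
            // The permissions could not be determined; reject rather than accept on error.
            log.error("Could not validate current user permissions: ", e);
            entitled = false;
        }

        if (!entitled) {
            setErrorMessage(MessageFormat.format(this.originalErrorMessage, permissions, path));
        }
        return entitled;
    }

    /**
     * Decides whether the current subject's {@code "uri"} ACL covers the requested permissions.
     *
     * <p>The path with trailing {@code '/'} and {@code '*'} characters stripped must have a best
     * matching permission that includes every requested bit. A path ending in {@code "*"} must
     * additionally have no violated permissions in the ACL, and its own best matching permission
     * must include every requested bit and be a pattern that itself ends in {@code "*"}.
     *
     * @param path the path of the entry being granted; a {@code null} path is rejected
     * @param permissions the permission mask being granted; {@code 0} is checked as
     *     {@link #DEFAULT_REQUIRED_PERMISSIONS}
     * @return {@code true} only if all of the checks above pass
     * @throws RepositoryException declared by the original method; NOTE(review): presumably
     *     raised by the ACL lookup helpers, confirm
     */
    private boolean isCurrentUserEntitledToGrantUriRights(String path, long permissions) throws RepositoryException {
        if (path == null) {
            // Without a path there is nothing to match against the ACL. Rejecting here also
            // avoids a NullPointerException in the wildcard test below.
            return false;
        }
        long required = permissions == 0 ? DEFAULT_REQUIRED_PERMISSIONS : permissions;

        ACL acl = PrincipalUtil.findAccessControlList(MgnlContext.getSubject(), URI_ACL_NAME);
        if (acl == null) {
            return false;
        }

        Permission basePermission =
                AccessControlPropertyUtil.findBestMatchingPermissions(acl.getList(), stripWildcardsFromPath(path));
        if (basePermission == null || !granted(basePermission, required)) {
            return false;
        }
        if (!path.endsWith(WILDCARD)) {
            return true;
        }

        // A wildcard grant reaches beyond the bare path, so the user's own ACL must cover the
        // wildcard as well.
        // NOTE(review): findViolatedPermissions presumably lists ACL entries under the path that
        // lack the requested bits; confirm against AccessControlPropertyUtil.
        if (!AccessControlPropertyUtil.findViolatedPermissions(acl.getList(), path, required).isEmpty()) {
            return false;
        }
        Permission wildcardPermission = AccessControlPropertyUtil.findBestMatchingPermissions(acl.getList(), path);
        return wildcardPermission != null
                && granted(wildcardPermission, required)
                && StringUtils.endsWith(wildcardPermission.getPattern().getPatternString(), WILDCARD);
    }

    /**
     * Removes every trailing {@code '/'} and {@code '*'} character from {@code path}.
     *
     * @param path the path to normalise; may be {@code null}
     * @return the stripped path, or {@code "/"} when the result is blank
     */
    private String stripWildcardsFromPath(String path) {
        String stripped = StringUtils.stripEnd(path, "/*");
        return StringUtils.isBlank(stripped) ? "/" : stripped;
    }

    /**
     * Tests whether {@code permission} includes every bit of {@code required}.
     *
     * @param permission the permission held by the current user
     * @param required the permission mask being requested
     * @return {@code true} if all requested bits are set in the held permission
     */
    private boolean granted(Permission permission, long required) {
        return (permission.getPermissions() & required) == required;
    }
}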
