package org.apache.jackrabbit.core.xml;

import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.Stack;
import javax.jcr.AccessDeniedException;
import javax.jcr.RepositoryException;
import javax.jcr.UnsupportedRepositoryOperationException;
import javax.jcr.Value;
import javax.jcr.nodetype.ConstraintViolationException;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.core.NodeImpl;
import org.apache.jackrabbit.core.security.authorization.AccessControlConstants;
import org.apache.jackrabbit.core.security.principal.PrincipalImpl;
import org.apache.jackrabbit.core.security.principal.UnknownPrincipal;
import org.apache.jackrabbit.core.state.NodeState;
import org.apache.jackrabbit.core.util.ReferenceChangeTracker;
import org.apache.jackrabbit.spi.Name;
import org.apache.jackrabbit.spi.commons.conversion.NamePathResolver;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/jackrabbit-core-2.12.4.jar:org/apache/jackrabbit/core/xml/AccessControlImporter.class */
public class AccessControlImporter extends DefaultProtectedNodeImporter {
    private static final int STATUS_UNDEFINED = 0;
    private static final int STATUS_AC_FOLDER = 1;
    private static final int STATUS_PRINCIPAL_AC = 2;
    private static final int STATUS_ACL = 3;
    private static final int STATUS_ACE = 4;
    private AccessControlManager acMgr;
    private static final Logger log = LoggerFactory.getLogger((Class<?>) AccessControlImporter.class);
    private static final Set<Name> ACE_NODETYPES = new HashSet(2);
    private final Stack<Integer> prevStatus = new Stack<>();
    private int status = 0;
    private NodeImpl parent = null;
    private boolean principalbased = false;
    private boolean initialized = false;
    private ImportBehavior importBehavior = ImportBehavior.BEST_EFFORT;
    private JackrabbitAccessControlList acl = null;

    /* loaded from: input_file:WEB-INF/lib/jackrabbit-core-2.12.4.jar:org/apache/jackrabbit/core/xml/AccessControlImporter$ImportBehavior.class */
    public enum ImportBehavior {
        DEFAULT("default"),
        BEST_EFFORT("bestEffort");

        private final String value;

        ImportBehavior(String str) {
            this.value = str;
        }

        public static ImportBehavior fromString(String str) {
            return str.equals("bestEffort") ? BEST_EFFORT : valueOf(str.toUpperCase());
        }

        public String getString() {
            return this.value;
        }
    }

    @Override // org.apache.jackrabbit.core.xml.DefaultProtectedItemImporter, org.apache.jackrabbit.core.xml.ProtectedItemImporter
    public boolean init(JackrabbitSession jackrabbitSession, NamePathResolver namePathResolver, boolean z, int i, ReferenceChangeTracker referenceChangeTracker) {
        if (super.init(jackrabbitSession, namePathResolver, z, i, referenceChangeTracker)) {
            if (this.initialized) {
                throw new IllegalStateException("Already initialized");
            }
            try {
                this.acMgr = jackrabbitSession.getAccessControlManager();
                this.initialized = true;
            } catch (RepositoryException e) {
            }
        }
        return this.initialized;
    }

    @Override // org.apache.jackrabbit.core.xml.DefaultProtectedItemImporter, org.apache.jackrabbit.core.xml.ProtectedNodeImporter
    public boolean start(NodeImpl nodeImpl) throws RepositoryException {
        if (!this.initialized) {
            throw new IllegalStateException("Not initialized");
        }
        if (isStarted()) {
            if (nodeImpl.isSame(this.parent)) {
                return true;
            }
            throw new IllegalStateException();
        }
        if (this.isWorkspaceImport) {
            log.debug("AccessControlImporter may not be used with the WorkspaceImporter");
            return false;
        }
        if (!nodeImpl.getDefinition().isProtected()) {
            log.debug("AccessControlImporter may not be started with a non-protected parent.");
            return false;
        }
        if (isPolicyNode(nodeImpl)) {
            String path = nodeImpl.getParent().getPath();
            this.acl = getACL(path);
            if (this.acl == null) {
                log.warn("AccessControlImporter cannot be started: no ACL for {}.", path);
                return false;
            }
            this.status = 3;
        } else if (isRepoPolicyNode(nodeImpl)) {
            this.acl = getACL(null);
            if (this.acl == null) {
                log.warn("AccessControlImporter cannot be started: no Repo ACL.");
                return false;
            }
            this.status = 3;
        } else if (nodeImpl.isNodeType(AccessControlConstants.NT_REP_ACCESS_CONTROL)) {
            this.status = 1;
            this.principalbased = true;
            this.acl = null;
        }
        if (!isStarted()) {
            return false;
        }
        this.parent = nodeImpl;
        return true;
    }

    private JackrabbitAccessControlList getACL(String str) throws RepositoryException, AccessDeniedException {
        JackrabbitAccessControlList jackrabbitAccessControlList = null;
        AccessControlPolicy[] policies = this.acMgr.getPolicies(str);
        int length = policies.length;
        int i = 0;
        while (true) {
            if (i >= length) {
                break;
            }
            AccessControlPolicy accessControlPolicy = policies[i];
            if (accessControlPolicy instanceof JackrabbitAccessControlList) {
                jackrabbitAccessControlList = (JackrabbitAccessControlList) accessControlPolicy;
                break;
            }
            i++;
        }
        if (jackrabbitAccessControlList != null) {
            for (AccessControlEntry accessControlEntry : jackrabbitAccessControlList.getAccessControlEntries()) {
                jackrabbitAccessControlList.removeAccessControlEntry(accessControlEntry);
            }
        }
        return jackrabbitAccessControlList;
    }

    @Override // org.apache.jackrabbit.core.xml.DefaultProtectedItemImporter, org.apache.jackrabbit.core.xml.ProtectedNodeImporter
    public boolean start(NodeState nodeState) throws IllegalStateException, RepositoryException {
        if (isStarted()) {
            throw new IllegalStateException();
        }
        if (!this.isWorkspaceImport) {
            return false;
        }
        log.debug("AccessControlImporter may not be used with the WorkspaceImporter");
        return false;
    }

    @Override // org.apache.jackrabbit.core.xml.DefaultProtectedItemImporter, org.apache.jackrabbit.core.xml.ProtectedNodeImporter
    public void end(NodeImpl nodeImpl) throws RepositoryException {
        if (isStarted()) {
            if (this.principalbased) {
                checkStatus(1, "STATUS_AC_FOLDER expected.");
                if (!this.prevStatus.isEmpty()) {
                    throw new ConstraintViolationException("Incomplete protected item tree: " + this.prevStatus.size() + " calls to 'endChildInfo' missing.");
                }
            } else {
                checkStatus(3, "STATUS_ACL expected.");
                this.acMgr.setPolicy(this.acl.getPath(), this.acl);
            }
            reset();
        }
    }

    @Override // org.apache.jackrabbit.core.xml.DefaultProtectedItemImporter, org.apache.jackrabbit.core.xml.ProtectedNodeImporter
    public void end(NodeState nodeState) throws IllegalStateException, ConstraintViolationException, RepositoryException {
    }

    @Override // org.apache.jackrabbit.core.xml.DefaultProtectedItemImporter, org.apache.jackrabbit.core.xml.ProtectedNodeImporter
    public void startChildInfo(NodeInfo nodeInfo, List<PropInfo> list) throws RepositoryException {
        if (isStarted()) {
            Name nodeTypeName = nodeInfo.getNodeTypeName();
            int i = this.status;
            if (this.principalbased) {
                switch (this.status) {
                    case 1:
                        if (AccessControlConstants.NT_REP_ACCESS_CONTROL.equals(nodeTypeName)) {
                            this.status = 1;
                        } else {
                            if (!AccessControlConstants.NT_REP_PRINCIPAL_ACCESS_CONTROL.equals(nodeTypeName)) {
                                throw new ConstraintViolationException("Unexpected node type " + nodeTypeName + ". Should be rep:AccessControl or rep:PrincipalAccessControl.");
                            }
                            this.status = 2;
                        }
                        checkIdMixins(nodeInfo);
                        break;
                    case 2:
                        if (AccessControlConstants.NT_REP_ACCESS_CONTROL.equals(nodeTypeName)) {
                            this.status = 1;
                        } else if (AccessControlConstants.NT_REP_PRINCIPAL_ACCESS_CONTROL.equals(nodeTypeName)) {
                            this.status = 2;
                        } else {
                            checkDefinition(nodeInfo, AccessControlConstants.N_POLICY, AccessControlConstants.NT_REP_ACL);
                            this.status = 3;
                        }
                        checkIdMixins(nodeInfo);
                        break;
                    case 3:
                        addACE(nodeInfo, list);
                        this.status = 4;
                        break;
                    default:
                        throw new ConstraintViolationException("Cannot handle childInfo " + nodeInfo + "; unexpected status " + this.status + " .");
                }
            } else {
                checkStatus(3, "Cannot handle childInfo " + nodeInfo + "; rep:ACL may only contain a single level of child nodes representing the ACEs");
                addACE(nodeInfo, list);
                this.status = 4;
            }
            this.prevStatus.push(Integer.valueOf(i));
        }
    }

    @Override // org.apache.jackrabbit.core.xml.DefaultProtectedItemImporter, org.apache.jackrabbit.core.xml.ProtectedNodeImporter
    public void endChildInfo() throws RepositoryException {
        if (isStarted()) {
            if (!this.principalbased) {
                checkStatus(4, "Upon completion of a NodeInfo the status must be STATUS_ACE.");
            }
            this.status = this.prevStatus.pop().intValue();
        }
    }

    private boolean isStarted() {
        return this.status > 0;
    }

    private void reset() {
        this.status = 0;
        this.parent = null;
        this.acl = null;
    }

    private void checkStatus(int i, String str) throws ConstraintViolationException {
        if (this.status != i) {
            throw new ConstraintViolationException(str);
        }
    }

    private static boolean isPolicyNode(NodeImpl nodeImpl) throws RepositoryException {
        return AccessControlConstants.N_POLICY.equals(nodeImpl.getQName()) && nodeImpl.isNodeType(AccessControlConstants.NT_REP_ACL);
    }

    private static boolean isRepoPolicyNode(NodeImpl nodeImpl) throws RepositoryException {
        return AccessControlConstants.N_REPO_POLICY.equals(nodeImpl.getQName()) && nodeImpl.isNodeType(AccessControlConstants.NT_REP_ACL) && nodeImpl.getDepth() == 1;
    }

    private static void checkDefinition(NodeInfo nodeInfo, Name name2, Name name3) throws ConstraintViolationException {
        if (name2 != null && !name2.equals(nodeInfo.getName())) {
            throw new ConstraintViolationException("Unexpected Node name " + nodeInfo.getName() + ". Node name should be " + name2 + ".");
        }
        if (name3 != null && !name3.equals(nodeInfo.getNodeTypeName())) {
            throw new ConstraintViolationException("Unexpected node type " + nodeInfo.getNodeTypeName() + ". Node type should be " + name3 + ".");
        }
    }

    private static void checkIdMixins(NodeInfo nodeInfo) throws ConstraintViolationException {
        Name[] mixinNames = nodeInfo.getMixinNames();
        if (nodeInfo.getId() != null || mixinNames != null) {
            throw new ConstraintViolationException("The node represented by NodeInfo " + nodeInfo + " may neither be referenceable nor have mixin types.");
        }
    }

    private void addACE(NodeInfo nodeInfo, List<PropInfo> list) throws RepositoryException, UnsupportedRepositoryOperationException {
        Name nodeTypeName = nodeInfo.getNodeTypeName();
        if (!ACE_NODETYPES.contains(nodeTypeName)) {
            throw new ConstraintViolationException("Cannot handle childInfo " + nodeInfo + "; expected a valid, applicable rep:ACE node definition.");
        }
        checkIdMixins(nodeInfo);
        boolean equals = AccessControlConstants.NT_REP_GRANT_ACE.equals(nodeTypeName);
        Principal principal = null;
        Privilege[] privilegeArr = null;
        HashMap hashMap = new HashMap();
        for (PropInfo propInfo : list) {
            Name name2 = propInfo.getName();
            if (AccessControlConstants.P_PRINCIPAL_NAME.equals(name2)) {
                Value[] values = propInfo.getValues(1, this.resolver);
                if (values == null || values.length != 1) {
                    throw new ConstraintViolationException("");
                }
                String string = values[0].getString();
                principal = this.session.getPrincipalManager().getPrincipal(string);
                if (principal == null) {
                    principal = this.importBehavior == ImportBehavior.BEST_EFFORT ? new UnknownPrincipal(string) : new PrincipalImpl(string);
                }
            } else if (AccessControlConstants.P_PRIVILEGES.equals(name2)) {
                Value[] values2 = propInfo.getValues(7, this.resolver);
                privilegeArr = new Privilege[values2.length];
                for (int i = 0; i < values2.length; i++) {
                    privilegeArr[i] = this.acMgr.privilegeFromName(values2[i].getString());
                }
            } else {
                for (TextValue textValue : propInfo.getTextValues()) {
                    hashMap.put(this.resolver.getJCRName(name2), textValue);
                }
            }
        }
        if (!this.principalbased) {
            HashMap hashMap2 = new HashMap();
            for (String str : this.acl.getRestrictionNames()) {
                TextValue textValue2 = (TextValue) hashMap.remove(str);
                if (textValue2 != null) {
                    hashMap2.put(str, textValue2.getValue(this.acl.getRestrictionType(str), this.resolver));
                }
            }
            if (!hashMap.isEmpty()) {
                throw new ConstraintViolationException("ACE childInfo contained restrictions that could not be applied.");
            }
            this.acl.addEntry(principal, privilegeArr, equals, hashMap2);
            return;
        }
        ArrayList<AccessControlPolicy> arrayList = new ArrayList();
        if (this.acMgr instanceof JackrabbitAccessControlManager) {
            JackrabbitAccessControlManager jackrabbitAccessControlManager = (JackrabbitAccessControlManager) this.acMgr;
            arrayList.addAll(Arrays.asList(jackrabbitAccessControlManager.getPolicies(principal)));
            arrayList.addAll(Arrays.asList(jackrabbitAccessControlManager.getApplicablePolicies(principal)));
        }
        for (AccessControlPolicy accessControlPolicy : arrayList) {
            if (accessControlPolicy instanceof JackrabbitAccessControlList) {
                JackrabbitAccessControlList jackrabbitAccessControlList = (JackrabbitAccessControlList) accessControlPolicy;
                HashMap hashMap3 = new HashMap();
                for (String str2 : jackrabbitAccessControlList.getRestrictionNames()) {
                    TextValue textValue3 = (TextValue) hashMap.remove(str2);
                    if (textValue3 != null) {
                        hashMap3.put(str2, textValue3.getValue(jackrabbitAccessControlList.getRestrictionType(str2), this.resolver));
                    }
                }
                if (!hashMap.isEmpty()) {
                    throw new ConstraintViolationException("ACE childInfo contained restrictions that could not be applied.");
                }
                jackrabbitAccessControlList.addEntry(principal, privilegeArr, equals, hashMap3);
                this.acMgr.setPolicy(jackrabbitAccessControlList.getPath(), jackrabbitAccessControlList);
                return;
            }
        }
        throw new ConstraintViolationException("Cannot handle childInfo " + nodeInfo + "; No policy found to apply the ACE.");
    }

    public String getImportBehavior() {
        return this.importBehavior.getString();
    }

    public void setImportBehavior(String str) {
        this.importBehavior = ImportBehavior.fromString(str);
    }

    static {
        ACE_NODETYPES.add(AccessControlConstants.NT_REP_DENY_ACE);
        ACE_NODETYPES.add(AccessControlConstants.NT_REP_GRANT_ACE);
    }
}
