package info.magnolia.security.app.dialog.field.validator;

import com.vaadin.v7.data.validator.AbstractValidator;
import info.magnolia.cms.security.Permission;
import info.magnolia.cms.security.PrincipalUtil;
import info.magnolia.cms.security.auth.ACL;
import info.magnolia.context.MgnlContext;
import info.magnolia.security.app.dialog.field.WorkspaceAccessControlList;
import info.magnolia.security.app.util.AccessControlPropertyUtil;
import java.security.AccessControlException;
import java.text.MessageFormat;
import javax.jcr.RepositoryException;
import org.apache.commons.lang3.StringUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/magnolia-security-app-5.6.jar:info/magnolia/security/app/dialog/field/validator/WorkspaceAccessControlValidator.class */
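/**
 * Vaadin validator for a single {@link WorkspaceAccessControlList.Entry} of one workspace.
 *
 * <p>An entry is valid only when the current user already holds, in their own ACL for that
 * workspace, the rights the entry would grant. This guards against a user who can edit access
 * control lists granting more than they hold themselves. Users with the {@code superuser} role
 * bypass the check entirely.
 *
 * <p>Every failure path (no ACL for the workspace, no matching rule, an
 * {@link AccessControlException} or a {@link RepositoryException}) results in "invalid", i.e. the
 * validator fails closed.
 *
 * <p>This listing is decompiler output; the decompiler reports that {@link #isValidValue} was
 * {@code protected} in the original class.
 */
public class WorkspaceAccessControlValidator extends AbstractValidator<WorkspaceAccessControlList.Entry> {
    private static final Logger log = LoggerFactory.getLogger(WorkspaceAccessControlValidator.class);

    /** Role name whose holders skip the entitlement check. */
    private static final String SUPERUSER_ROLE = "superuser";

    // Access-type values, as named by the IllegalArgumentException message below.
    // They are used as bit flags: NODE_AND_CHILDREN (3) == NODE (1) | CHILDREN (2).
    private static final long ACCESS_TYPE_NODE = 1L;
    private static final long ACCESS_TYPE_CHILDREN = 2L;
    private static final long ACCESS_TYPE_NODE_AND_CHILDREN = 3L;

    /** Permission value that carries no bits at all. */
    private static final long NO_PERMISSIONS = 0L;

    // Permission bits demanded from the current user when the entry itself carries none.
    // NOTE(review): 8 is presumably Permission.READ — confirm against the Permission interface.
    private static final long FALLBACK_REQUIRED_PERMISSIONS = 8L;

    /** Unformatted message pattern; re-formatted with the offending entry on every failure. */
    private final String originalErrorMessage;

    /** Name of the workspace whose ACL of the current subject is consulted. */
    private final String workspace;

    /**
     * Creates a validator bound to one workspace.
     *
     * @param workspace name of the workspace the validated entries belong to
     * @param errorMessage {@link MessageFormat} pattern; on failure it is formatted with
     *     {@code {0}} = permissions, {@code {1}} = path, {@code {2}} = access type
     */
    public WorkspaceAccessControlValidator(String workspace, String errorMessage) {
        super(errorMessage);
        this.workspace = workspace;
        this.originalErrorMessage = errorMessage;
    }

    @Override
    public Class<WorkspaceAccessControlList.Entry> getType() {
        return WorkspaceAccessControlList.Entry.class;
    }

    /**
     * Checks whether the current user may grant the rights described by {@code entry}.
     *
     * <p>NOTE(review): {@code entry} is dereferenced without a null check. Vaadin's
     * {@code AbstractValidator} appears to let {@code null} values through its type check, so an
     * empty value would raise a {@link NullPointerException} here for non-superusers — confirm
     * that callers never validate an empty entry.
     *
     * @param entry the access control entry being added or edited
     * @return {@code true} if the current user is a superuser or holds the rights being granted;
     *     {@code false} otherwise, in which case the error message is set for this entry
     * @throws IllegalArgumentException if the entry's access type is not 1, 2 or 3
     */
    @Override
    public boolean isValidValue(WorkspaceAccessControlList.Entry entry) {
        if (MgnlContext.getUser().hasRole(SUPERUSER_ROLE)) {
            return true;
        }

        final String path = entry.getPath();
        final long accessType = entry.getAccessType();
        final long permissions = entry.getPermissions();
        if (accessType < ACCESS_TYPE_NODE || accessType > ACCESS_TYPE_NODE_AND_CHILDREN) {
            throw new IllegalArgumentException("Access type should be one of ACCESS_TYPE_NODE (1), ACCESS_TYPE_CHILDREN (2) or ACCESS_TYPE_NODE_AND_CHILDREN (3)");
        }

        boolean entitled;
        try {
            entitled = isCurrentUserEntitledToGrantRights(workspace, path, accessType, permissions);
        } catch (AccessControlException e) {
            // Fail closed: an access-control failure while checking means "not entitled".
            entitled = false;
        } catch (RepositoryException e) {
            // Fail closed as well, but record the cause: this is an infrastructure error,
            // not a decision about the user's rights.
            log.error("Could not validate current user permissions: ", e);
            entitled = false;
        }

        if (!entitled) {
            setErrorMessage(MessageFormat.format(originalErrorMessage, permissions, path, accessType));
        }
        return entitled;
    }

    /**
     * Decides whether the current subject's own ACL for {@code workspaceName} covers the rights
     * an entry would grant.
     *
     * @param workspaceName workspace whose ACL is looked up for the current subject
     * @param path path of the entry, possibly ending in wildcard characters
     * @param accessType bit flags: 1 = the node itself, 2 = its children, 3 = both
     * @param permissions permission bits the entry grants; 0 is replaced by the fallback value
     * @return {@code true} only if every part selected by {@code accessType} is covered
     * @throws RepositoryException declared by the original class; propagated from the lookups
     */
    private boolean isCurrentUserEntitledToGrantRights(String workspaceName, String path, long accessType, long permissions) throws RepositoryException {
        // An entry without any permission bits still requires the fallback bits from the user.
        final long required = permissions == NO_PERMISSIONS ? FALLBACK_REQUIRED_PERMISSIONS : permissions;

        final ACL acl = PrincipalUtil.findAccessControlList(MgnlContext.getSubject(), workspaceName);
        if (acl == null) {
            // No ACL for this workspace: the user has nothing to hand on.
            return false;
        }

        final String nodePath = stripWildcardsFromPath(path);

        if ((accessType & ACCESS_TYPE_NODE) == ACCESS_TYPE_NODE) {
            final Permission nodeMatch = AccessControlPropertyUtil.findBestMatchingPermissions(acl.getList(), nodePath);
            if (nodeMatch == null || !granted(nodeMatch, required)) {
                return false;
            }
        }

        if ((accessType & ACCESS_TYPE_CHILDREN) != ACCESS_TYPE_CHILDREN) {
            return true;
        }

        // The root path already ends in '/', so only "*" is appended there.
        final String childrenPath = nodePath + (nodePath.equals("/") ? "*" : "/*");

        // NOTE(review): findViolatedPermissions presumably returns the user's rules below this
        // path that lack some of the required bits — confirm in AccessControlPropertyUtil.
        if (!AccessControlPropertyUtil.findViolatedPermissions(acl.getList(), childrenPath, required).isEmpty()) {
            return false;
        }

        final Permission childrenMatch = AccessControlPropertyUtil.findBestMatchingPermissions(acl.getList(), childrenPath);
        // The user's best-matching rule must itself be a subtree rule (pattern ending in "/*");
        // a rule for a single node is not accepted as cover for the children.
        return childrenMatch != null
                && granted(childrenMatch, required)
                && StringUtils.endsWith(childrenMatch.getPattern().getPatternString(), "/*");
    }

    /**
     * Removes every trailing {@code '/'} and {@code '*'} from {@code path}.
     *
     * <p>{@link StringUtils#stripEnd} treats its second argument as a set of characters, so any
     * trailing run of these two characters is removed, not just a literal {@code "/*"} suffix.
     *
     * @param path path as entered; may be {@code null}
     * @return the stripped path, or {@code "/"} if nothing but whitespace is left
     */
    private String stripWildcardsFromPath(String path) {
        final String stripped = StringUtils.stripEnd(path, "/*");
        return StringUtils.isBlank(stripped) ? "/" : stripped;
    }

    /**
     * Tells whether {@code permission} carries every bit of {@code required}.
     *
     * @param permission rule taken from the current user's ACL
     * @param required permission bits that must all be present
     * @return {@code true} if no required bit is missing
     */
    private boolean granted(Permission permission, long required) {
        return (permission.getPermissions() & required) == required;
    }
}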
