package org.pentaho.platform.repository2.unified.jcr;

import java.io.IOException;
import java.io.Serializable;
import java.security.Principal;
import java.security.acl.Group;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.EnumSet;
import java.util.List;
import javax.jcr.Node;
import javax.jcr.PathNotFoundException;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.pentaho.platform.api.mt.ITenant;
import org.pentaho.platform.api.repository2.unified.RepositoryFileAce;
import org.pentaho.platform.api.repository2.unified.RepositoryFileAcl;
import org.pentaho.platform.api.repository2.unified.RepositoryFilePermission;
import org.pentaho.platform.api.repository2.unified.RepositoryFileSid;
import org.pentaho.platform.engine.core.system.PentahoSystem;
import org.pentaho.platform.repository2.messages.Messages;
import org.pentaho.platform.repository2.unified.IRepositoryFileAclDao;
import org.pentaho.platform.repository2.unified.jcr.IAclMetadataStrategy;
import org.pentaho.platform.repository2.unified.jcr.jackrabbit.security.SpringSecurityRolePrincipal;
import org.pentaho.platform.repository2.unified.jcr.jackrabbit.security.SpringSecurityUserPrincipal;
import org.springframework.extensions.jcr.JcrCallback;
import org.springframework.extensions.jcr.JcrTemplate;
import org.springframework.util.Assert;

/* loaded from: input_file:org/pentaho/platform/repository2/unified/jcr/JcrRepositoryFileAclDao.class */
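/**
 * JCR-backed {@link IRepositoryFileAclDao}: reads and writes file ACLs through the
 * {@link AccessControlManager} of the session handed out by {@link JcrTemplate}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Every mutating entry point refuses to run while the {@code kiosk-mode} system setting is
 *       {@code "true"} (see {@link #isKioskEnabled()}).</li>
 *   <li>The entry for the current tenant's admin role is filtered out of every ACL returned to
 *       callers ({@link #getAcl}, {@link #getEffectiveAces}).</li>
 *   <li>When a non-inheriting ACL is written without an entry for the tenant admin role, an entry
 *       granting {@link RepositoryFilePermission#ALL} to that role is added implicitly
 *       (see {@link #internalUpdateAcl}).</li>
 *   <li>No caller-identity check is made here beyond kiosk mode; as far as this class shows,
 *       authorization is left to the privileges of the JCR session itself.</li>
 * </ul>
 *
 * <p>NOTE(review): this source is decompiler output (see the "JADX INFO" markers). Some declared
 * local types (for example {@code AccessControlList[]} for policy arrays) are kept exactly as the
 * decompiler emitted them.
 */
public class JcrRepositoryFileAclDao implements IRepositoryFileAclDao {
    private static final Log logger = LogFactory.getLog(JcrRepositoryFileAclDao.class);
    private final JcrTemplate jcrTemplate;
    private final IPathConversionHelper pathConversionHelper;
    // Un-tenanted name of the tenant admin role; tenant-qualified on use via JcrTenantUtils.
    private final String tenantAdminAuthorityName;

    /** Converts between Pentaho file permissions and JCR privileges for a given session. */
    public interface IPermissionConversionHelper {
        Privilege[] pentahoPermissionsToPrivileges(Session session, EnumSet<RepositoryFilePermission> enumSet) throws RepositoryException;

        EnumSet<RepositoryFilePermission> privilegesToPentahoPermissions(Session session, Privilege[] privilegeArr) throws RepositoryException;
    }

    /**
     * @param jcrTemplate template used to run every repository operation in a JCR session
     * @param iPathConversionHelper converts relative repository paths to absolute JCR paths
     * @param str name of the tenant admin role (stored as {@code tenantAdminAuthorityName})
     */
    public JcrRepositoryFileAclDao(JcrTemplate jcrTemplate, IPathConversionHelper iPathConversionHelper, String str) {
        this.jcrTemplate = jcrTemplate;
        this.pathConversionHelper = iPathConversionHelper;
        this.tenantAdminAuthorityName = str;
    }

    /**
     * Returns the ACEs that effectively apply to a node, without the tenant admin role entry.
     *
     * <p>The effective policies of the node are scanned in the order the access control manager
     * returns them; the first one whose metadata says its entries are not inherited supplies the
     * result. If every policy is marked as inheriting, the last policy in the array is used.
     *
     * @param serializable node identifier; its {@code toString()} is passed to
     *     {@link Session#getNodeByIdentifier(String)}
     * @param z when {@code true}, the lookup is done on the node's parent instead of the node
     * @return the visible ACEs, possibly empty
     * @throws IllegalStateException if the repository reports no effective policy for the node
     */
    @Override // org.pentaho.platform.repository2.unified.IRepositoryFileAclDao
    public List<RepositoryFileAce> getEffectiveAces(final Serializable serializable, final boolean z) {
        return (List) this.jcrTemplate.execute(new JcrCallback() {
            public Object doInJcr(Session session) throws RepositoryException, IOException {
                Node nodeByIdentifier = session.getNodeByIdentifier(serializable.toString());
                if (nodeByIdentifier == null) {
                    throw new RepositoryException(Messages.getInstance().getString("JackrabbitRepositoryFileAclDao.ERROR_0001_NODE_NOT_FOUND", new Object[]{serializable.toString()}));
                }
                if (z && nodeByIdentifier.getParent() != null) {
                    nodeByIdentifier = nodeByIdentifier.getParent();
                }
                String path = nodeByIdentifier.getPath();
                AccessControlList[] effectivePolicies = session.getAccessControlManager().getEffectivePolicies(path);
                // Fail with a clear error instead of indexing [-1] below. Reporting an empty ACE
                // list here would be indistinguishable from "nobody has been granted anything".
                if (effectivePolicies == null || effectivePolicies.length == 0) {
                    throw new IllegalStateException("no effective access control policy applies to node");
                }
                for (AccessControlList accessControlList : effectivePolicies) {
                    Assert.isTrue(accessControlList instanceof AccessControlList);
                    if (!JcrRepositoryFileAclDao.this.isEntriesInheriting(session, path, accessControlList)) {
                        return JcrRepositoryFileAclDao.this.toVisibleAces(session, accessControlList);
                    }
                }
                // Every policy claims to inherit: fall back to the last one returned.
                return JcrRepositoryFileAclDao.this.toVisibleAces(session, effectivePolicies[effectivePolicies.length - 1]);
            }
        });
    }

    /**
     * Converts the entries of a JCR ACL to Pentaho ACEs, dropping the ACL-metadata entry and the
     * entry whose principal equals the current tenant's admin role.
     *
     * <p>Callers therefore never see the tenant admin grant, even though it is stored on the node.
     */
    private List<RepositoryFileAce> toVisibleAces(Session session, AccessControlList accessControlList) throws RepositoryException {
        Principal tenantAdminPrincipal = new SpringSecurityRolePrincipal(JcrTenantUtils.getTenantedRole(this.tenantAdminAuthorityName));
        List<RepositoryFileAce> visibleAces = new ArrayList<RepositoryFileAce>();
        for (AccessControlEntry accessControlEntry : JcrRepositoryFileAclUtils.removeAclMetadata(Arrays.asList(accessControlList.getAccessControlEntries()))) {
            if (!accessControlEntry.getPrincipal().equals(tenantAdminPrincipal)) {
                visibleAces.add(toAce(session, accessControlEntry));
            }
        }
        return visibleAces;
    }

    /**
     * Returns the owner recorded in the ACL metadata, or {@code null} when the ACL carries no
     * metadata.
     */
    protected String getOwner(Session session, String str, AccessControlList accessControlList) throws RepositoryException {
        IAclMetadataStrategy.AclMetadata aclMetadata = JcrRepositoryFileAclUtils.getAclMetadata(session, str, accessControlList);
        if (aclMetadata != null) {
            return aclMetadata.getOwner();
        }
        return null;
    }

    /**
     * Returns the "entries inheriting" flag from the ACL metadata; an ACL without metadata is
     * treated as not inheriting.
     */
    protected boolean isEntriesInheriting(Session session, String str, AccessControlList accessControlList) throws RepositoryException {
        IAclMetadataStrategy.AclMetadata aclMetadata = JcrRepositoryFileAclUtils.getAclMetadata(session, str, accessControlList);
        if (aclMetadata != null) {
            return aclMetadata.isEntriesInheriting();
        }
        return false;
    }

    /**
     * Asks the session's access control manager whether it holds all of the given permissions on
     * a path.
     *
     * @param str repository path, converted to an absolute JCR path before the check
     * @param enumSet permissions that must all be held
     * @return {@code true} if the session holds the privileges; {@code false} otherwise, including
     *     when the path does not exist (a missing path is reported the same way as a denial)
     */
    @Override // org.pentaho.platform.repository2.unified.IRepositoryFileAclDao
    public boolean hasAccess(final String str, final EnumSet<RepositoryFilePermission> enumSet) {
        return ((Boolean) this.jcrTemplate.execute(new JcrCallback() {
            public Object doInJcr(Session session) throws RepositoryException, IOException {
                Privilege[] pentahoPermissionsToPrivileges = new DefaultPermissionConversionHelper(session).pentahoPermissionsToPrivileges(session, enumSet);
                try {
                    return Boolean.valueOf(session.getAccessControlManager().hasPrivileges(JcrRepositoryFileAclDao.this.pathConversionHelper.relToAbs(str), pentahoPermissionsToPrivileges));
                } catch (PathNotFoundException e) {
                    return false;
                }
            }
        })).booleanValue();
    }

    /**
     * Builds the Pentaho ACL for a node: owner and inheritance flag from the ACL metadata, ACEs
     * from the node's access control list minus the tenant admin role entry.
     *
     * <p>The owner SID is {@code null} when no owner is recorded in the metadata.
     */
    /* JADX INFO: Access modifiers changed from: private */
    public RepositoryFileAcl toAcl(Session session, PentahoJcrConstants pentahoJcrConstants, Serializable serializable) throws RepositoryException {
        Node nodeByIdentifier = session.getNodeByIdentifier(serializable.toString());
        if (nodeByIdentifier == null) {
            throw new RepositoryException(Messages.getInstance().getString("JackrabbitRepositoryFileAclDao.ERROR_0001_NODE_NOT_FOUND", new Object[]{serializable.toString()}));
        }
        String path = nodeByIdentifier.getPath();
        AccessControlList accessControlList = getAccessControlList(session.getAccessControlManager(), path);
        String owner = getOwner(session, path, accessControlList);
        RepositoryFileAcl.Builder builder = new RepositoryFileAcl.Builder(serializable, owner != null ? new RepositoryFileSid(JcrTenantUtils.getUserNameUtils().getPrincipleName(owner), RepositoryFileSid.Type.USER) : null);
        builder.entriesInheriting(isEntriesInheriting(session, path, accessControlList));
        for (RepositoryFileAce ace : toVisibleAces(session, accessControlList)) {
            builder.ace(ace);
        }
        return builder.build();
    }

    /**
     * Converts one JCR access control entry to a Pentaho ACE.
     *
     * <p>The SID type is decided solely by the principal's Java type: a {@link Group} becomes a
     * ROLE, anything else a USER.
     */
    protected RepositoryFileAce toAce(Session session, AccessControlEntry accessControlEntry) throws RepositoryException {
        Principal principal = accessControlEntry.getPrincipal();
        String name = principal.getName();
        DefaultPermissionConversionHelper defaultPermissionConversionHelper = new DefaultPermissionConversionHelper(session);
        RepositoryFileSid repositoryFileSid = principal instanceof Group ? new RepositoryFileSid(JcrTenantUtils.getRoleNameUtils().getPrincipleName(name), RepositoryFileSid.Type.ROLE) : new RepositoryFileSid(JcrTenantUtils.getUserNameUtils().getPrincipleName(name), RepositoryFileSid.Type.USER);
        if (logger.isDebugEnabled()) {
            logger.debug(String.format("principal class [%s]", principal.getClass().getName()));
        }
        return new RepositoryFileAce(repositoryFileSid, defaultPermissionConversionHelper.privilegesToPentahoPermissions(session, accessControlEntry.getPrivileges()));
    }

    /**
     * Adds one ACE to the ACL of a node.
     *
     * <p>A SID name that carries no tenant is qualified with the current tenant before it is
     * stored. The ACL is read with {@link #getAcl} and written back with {@link #updateAcl} as two
     * separate template calls.
     * NOTE(review): whether those two calls share a transaction is not visible here; if they do
     * not, a concurrent ACL change between them would be overwritten — confirm.
     * NOTE(review): {@link #internalUpdateAcl} stores ACEs only when the ACL is not inheriting;
     * whether {@code Builder.ace(..)} clears the inheriting flag is not visible here — confirm.
     *
     * @throws RuntimeException if kiosk mode is enabled
     * @throws IllegalArgumentException if an argument, or the node's current ACL, is {@code null}
     */
    @Override // org.pentaho.platform.repository2.unified.IRepositoryFileAclDao
    public void addAce(Serializable serializable, RepositoryFileSid repositoryFileSid, EnumSet<RepositoryFilePermission> enumSet) {
        denyIfKioskEnabled();
        Assert.notNull(serializable);
        Assert.notNull(repositoryFileSid);
        Assert.notNull(enumSet);
        RepositoryFileAcl acl = getAcl(serializable);
        Assert.notNull(acl);
        RepositoryFileSid repositoryFileSid2 = repositoryFileSid;
        if (repositoryFileSid.getType().equals(RepositoryFileSid.Type.USER)) {
            if (JcrTenantUtils.getUserNameUtils().getTenant(repositoryFileSid.getName()) == null) {
                repositoryFileSid2 = new RepositoryFileSid(JcrTenantUtils.getTenantedUser(repositoryFileSid.getName()), repositoryFileSid.getType());
            }
        } else if (JcrTenantUtils.getRoleNameUtils().getTenant(repositoryFileSid.getName()) == null) {
            repositoryFileSid2 = new RepositoryFileSid(JcrTenantUtils.getTenantedRole(repositoryFileSid.getName()), repositoryFileSid.getType());
        }
        updateAcl(new RepositoryFileAcl.Builder(acl).ace(repositoryFileSid2, enumSet).build());
        if (logger.isDebugEnabled()) {
            logger.debug("added ace: id=" + serializable + ", sid=" + repositoryFileSid + ", permission=" + enumSet);
        }
    }

    /**
     * Binds an access control list to a node and then writes the given ACL into it.
     *
     * @throws RuntimeException if kiosk mode is enabled
     */
    @Override // org.pentaho.platform.repository2.unified.IRepositoryFileAclDao
    public RepositoryFileAcl createAcl(final Serializable serializable, final RepositoryFileAcl repositoryFileAcl) {
        denyIfKioskEnabled();
        return (RepositoryFileAcl) this.jcrTemplate.execute(new JcrCallback() {
            public Object doInJcr(Session session) throws RepositoryException, IOException {
                PentahoJcrConstants pentahoJcrConstants = new PentahoJcrConstants(session);
                String path = session.getNodeByIdentifier(serializable.toString()).getPath();
                AccessControlManager accessControlManager = session.getAccessControlManager();
                accessControlManager.setPolicy(path, JcrRepositoryFileAclDao.this.getAccessControlList(accessControlManager, path));
                return JcrRepositoryFileAclDao.this.internalUpdateAcl(session, pentahoJcrConstants, serializable, repositoryFileAcl);
            }
        });
    }

    /**
     * Finds the access control list for a path: the first applicable (not yet bound) list if
     * there is one, otherwise the first list already bound to the node.
     *
     * @throws IllegalStateException if neither lookup yields an access control list
     */
    /* JADX INFO: Access modifiers changed from: private */
    public AccessControlList getAccessControlList(AccessControlManager accessControlManager, String str) throws RepositoryException {
        AccessControlPolicyIterator applicablePolicies = accessControlManager.getApplicablePolicies(str);
        while (applicablePolicies.hasNext()) {
            AccessControlList nextAccessControlPolicy = applicablePolicies.nextAccessControlPolicy();
            if (nextAccessControlPolicy instanceof AccessControlList) {
                return nextAccessControlPolicy;
            }
        }
        AccessControlList[] policies = accessControlManager.getPolicies(str);
        for (int i = 0; i < policies.length; i++) {
            if (policies[i] instanceof AccessControlList) {
                return policies[i];
            }
        }
        throw new IllegalStateException("no access control list applies or is bound to node");
    }

    /** Returns the ACL of the node with the given identifier (tenant admin entry omitted). */
    @Override // org.pentaho.platform.repository2.unified.IRepositoryFileAclDao
    public RepositoryFileAcl getAcl(final Serializable serializable) {
        return (RepositoryFileAcl) this.jcrTemplate.execute(new JcrCallback() {
            public Object doInJcr(Session session) throws RepositoryException, IOException {
                return JcrRepositoryFileAclDao.this.toAcl(session, new PentahoJcrConstants(session), serializable);
            }
        });
    }

    /**
     * Returns the ACL of the node's parent, or {@code null} when the parent is the repository
     * root node.
     */
    protected RepositoryFileAcl getParentAcl(final Serializable serializable) {
        return (RepositoryFileAcl) this.jcrTemplate.execute(new JcrCallback() {
            public Object doInJcr(Session session) throws RepositoryException, IOException {
                PentahoJcrConstants pentahoJcrConstants = new PentahoJcrConstants(session);
                Node nodeByIdentifier = session.getNodeByIdentifier(serializable.toString());
                if (nodeByIdentifier.getParent().isSame(session.getRootNode())) {
                    return null;
                }
                return JcrRepositoryFileAclDao.this.toAcl(session, pentahoJcrConstants, nodeByIdentifier.getParent().getIdentifier());
            }
        });
    }

    /**
     * Adds an ACE granting exactly the single permission passed in; despite the method name,
     * nothing here widens it to full control.
     */
    @Override // org.pentaho.platform.repository2.unified.IRepositoryFileAclDao
    public void setFullControl(Serializable serializable, RepositoryFileSid repositoryFileSid, RepositoryFilePermission repositoryFilePermission) {
        addAce(serializable, repositoryFileSid, EnumSet.of(repositoryFilePermission));
    }

    /**
     * Replaces the stored ACL of {@code repositoryFileAcl.getId()} with the given ACL, checking
     * the nearest versionable file out before and in after the change.
     *
     * @throws RuntimeException if kiosk mode is enabled
     */
    @Override // org.pentaho.platform.repository2.unified.IRepositoryFileAclDao
    public RepositoryFileAcl updateAcl(final RepositoryFileAcl repositoryFileAcl) {
        // Deny before touching the repository. internalUpdateAcl repeats this check, but it only
        // runs after the checkout below, so relying on it alone would let a denied request still
        // perform the checkout and skip the matching checkin.
        denyIfKioskEnabled();
        return (RepositoryFileAcl) this.jcrTemplate.execute(new JcrCallback() {
            public Object doInJcr(Session session) throws RepositoryException, IOException {
                PentahoJcrConstants pentahoJcrConstants = new PentahoJcrConstants(session);
                JcrRepositoryFileUtils.checkoutNearestVersionableFileIfNecessary(session, pentahoJcrConstants, repositoryFileAcl.getId());
                RepositoryFileAcl internalUpdateAcl = JcrRepositoryFileAclDao.this.internalUpdateAcl(session, pentahoJcrConstants, repositoryFileAcl.getId(), repositoryFileAcl);
                JcrRepositoryFileUtils.checkinNearestVersionableFileIfNecessary(session, pentahoJcrConstants, repositoryFileAcl.getId(), null, null, true);
                return internalUpdateAcl;
            }
        });
    }

    /**
     * Rewrites the access control list of a node from a Pentaho ACL and saves the session.
     *
     * <p>Steps, in order: all existing entries are removed; owner and inheritance flag are stored
     * as ACL metadata; if the ACL is not inheriting, one entry per ACE is added with a
     * tenant-qualified role or user principal; the policy is set and the session saved.
     *
     * <p>Tenant admin handling for non-inheriting ACLs:
     * <ul>
     *   <li>If the caller supplied a ROLE ACE whose principal name equals the tenant admin role
     *       name, that ACE is stored with the caller's permissions and nothing is added.</li>
     *   <li>Otherwise an entry granting {@link RepositoryFilePermission#ALL} to the tenant admin
     *       role is appended. Its tenant is parsed from the name of the first supplied ACE (with
     *       the role-name parser, whatever that ACE's SID type is) and falls back to the current
     *       tenant when none is found.</li>
     * </ul>
     * NOTE(review): the tenant of the implicit admin grant is derived from a caller-supplied SID
     * name; confirm that callers validate the tenant of the SIDs they pass in.
     * NOTE(review): {@code repositoryFileAcl.getOwner()} is dereferenced without a null check,
     * while {@link #toAcl} can build an ACL with a null owner — confirm this cannot reach here.
     *
     * @return the ACL as re-read from the repository after the save
     * @throws RuntimeException if kiosk mode is enabled
     * @throws RepositoryException if the node cannot be resolved or the repository rejects the
     *     change
     */
    protected RepositoryFileAcl internalUpdateAcl(Session session, PentahoJcrConstants pentahoJcrConstants, Serializable serializable, RepositoryFileAcl repositoryFileAcl) throws RepositoryException {
        denyIfKioskEnabled();
        DefaultPermissionConversionHelper defaultPermissionConversionHelper = new DefaultPermissionConversionHelper(session);
        Node nodeByIdentifier = session.getNodeByIdentifier(serializable.toString());
        if (nodeByIdentifier == null) {
            throw new RepositoryException(Messages.getInstance().getString("JackrabbitRepositoryFileAclDao.ERROR_0001_NODE_NOT_FOUND", new Object[]{serializable.toString()}));
        }
        String path = nodeByIdentifier.getPath();
        AccessControlManager accessControlManager = session.getAccessControlManager();
        AccessControlList accessControlList = getAccessControlList(accessControlManager, path);
        // Start from an empty list: the stored ACL is replaced, not merged.
        for (AccessControlEntry accessControlEntry : accessControlList.getAccessControlEntries()) {
            accessControlList.removeAccessControlEntry(accessControlEntry);
        }
        JcrRepositoryFileAclUtils.setAclMetadata(session, path, accessControlList, new IAclMetadataStrategy.AclMetadata(repositoryFileAcl.getOwner().getName(), repositoryFileAcl.isEntriesInheriting()));
        if (!repositoryFileAcl.isEntriesInheriting()) {
            boolean tenantAdminAceSupplied = false;
            for (RepositoryFileAce repositoryFileAce : repositoryFileAcl.getAces()) {
                Principal principal;
                if (RepositoryFileSid.Type.ROLE == repositoryFileAce.getSid().getType()) {
                    if (this.tenantAdminAuthorityName.equals(JcrTenantUtils.getRoleNameUtils().getPrincipleName(repositoryFileAce.getSid().getName()))) {
                        tenantAdminAceSupplied = true;
                    }
                    principal = new SpringSecurityRolePrincipal(JcrTenantUtils.getTenantedRole(repositoryFileAce.getSid().getName()));
                } else {
                    principal = new SpringSecurityUserPrincipal(JcrTenantUtils.getTenantedUser(repositoryFileAce.getSid().getName()));
                }
                accessControlList.addAccessControlEntry(principal, defaultPermissionConversionHelper.pentahoPermissionsToPrivileges(session, repositoryFileAce.getPermissions()));
            }
            if (!tenantAdminAceSupplied) {
                ITenant iTenant = null;
                if (repositoryFileAcl.getAces() != null && repositoryFileAcl.getAces().size() > 0) {
                    iTenant = JcrTenantUtils.getRoleNameUtils().getTenant(((RepositoryFileAce) repositoryFileAcl.getAces().get(0)).getSid().getName());
                }
                if (iTenant == null || iTenant.getId() == null) {
                    iTenant = JcrTenantUtils.getTenant();
                }
                // Implicit grant: the tenant admin role always keeps ALL on a non-inheriting ACL.
                accessControlList.addAccessControlEntry(new SpringSecurityRolePrincipal(JcrTenantUtils.getRoleNameUtils().getPrincipleId(iTenant, this.tenantAdminAuthorityName)), defaultPermissionConversionHelper.pentahoPermissionsToPrivileges(session, EnumSet.of(RepositoryFilePermission.ALL)));
            }
        }
        accessControlManager.setPolicy(path, accessControlList);
        session.save();
        return getAcl(serializable);
    }

    /** Throws the access-denied error used by every mutating entry point when kiosk mode is on. */
    private void denyIfKioskEnabled() {
        if (isKioskEnabled()) {
            throw new RuntimeException(Messages.getInstance().getString("JcrRepositoryFileDao.ERROR_0006_ACCESS_DENIED"));
        }
    }

    /**
     * Reports whether the {@code kiosk-mode} system setting is {@code "true"} (default
     * {@code "false"}).
     *
     * <p>Returns {@code false} while {@link PentahoSystem} reports that it is not initialized, so
     * the kiosk guard is not enforced during that window.
     */
    private boolean isKioskEnabled() {
        if (PentahoSystem.getInitializedOK()) {
            return "true".equals(PentahoSystem.getSystemSetting("kiosk-mode", "false"));
        }
        return false;
    }
}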
