package org.apache.jackrabbit.core.security.authorization.acl;

import java.security.Principal;
import java.security.acl.Group;
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.Privilege;
import javax.jcr.version.VersionHistory;
import org.apache.commons.lang.ArrayUtils;
import org.apache.jackrabbit.core.NodeImpl;
import org.apache.jackrabbit.core.SessionImpl;
import org.apache.jackrabbit.core.id.NodeId;
import org.apache.jackrabbit.core.security.authorization.acl.EntryCollector;
import org.pentaho.platform.api.engine.IAuthorizationPolicy;
import org.pentaho.platform.api.engine.IPentahoSession;
import org.pentaho.platform.api.engine.ObjectFactoryException;
import org.pentaho.platform.api.mt.ITenant;
import org.pentaho.platform.engine.core.system.PentahoSessionHolder;
import org.pentaho.platform.engine.core.system.PentahoSystem;
import org.pentaho.platform.engine.security.SecurityHelper;
import org.pentaho.platform.repository2.unified.jcr.IAclMetadataStrategy;
import org.pentaho.platform.repository2.unified.jcr.JcrRepositoryFileAclUtils;
import org.pentaho.platform.repository2.unified.jcr.JcrTenantUtils;
import org.pentaho.platform.security.policy.rolebased.AbstractJcrBackedRoleBindingDao;
import org.pentaho.platform.security.policy.rolebased.IRoleAuthorizationPolicyRoleBindingDao;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.security.Authentication;
import org.springframework.security.GrantedAuthority;
import org.springframework.util.Assert;

/* loaded from: input_file:org/apache/jackrabbit/core/security/authorization/acl/PentahoEntryCollector.class */
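/**
 * Entry collector that computes the effective access control entries (ACEs) of a node from the
 * stored ACL of the nearest non-inheriting ancestor plus "magic" ACEs that exist only at
 * evaluation time.
 *
 * <p>Magic ACEs come from three places visible in this class: definitions read from the
 * configuration map passed to the constructor (keys {@code magicAceDefinition0},
 * {@code magicAceDefinition1}, ...), an entry granting {@code jcr:all} to the ACL owner, and
 * reduced copies of ancestor ACEs that keep only add/remove-child-node privileges.
 *
 * <p>Security note: every magic ACE is a grant that is not visible in the stored ACL. The
 * configuration map is therefore as sensitive as the ACLs themselves and should only be writable
 * by repository administrators.
 */
public class PentahoEntryCollector extends EntryCollector {
    private static final Logger log = LoggerFactory.getLogger(PentahoEntryCollector.class);

    /** Number of mandatory ';'-separated fields in a magic ACE definition string. */
    private static final int MAGIC_ACE_MANDATORY_FIELDS = 6;

    /** Definitions parsed once at construction time; consulted on every ACL evaluation. */
    private final List<MagicAceDefinition> magicAceDefinitions;

    /**
     * Creates the collector and parses the magic ACE definitions found in {@code map}.
     *
     * @param sessionImpl system session handed to the parent collector
     * @param nodeId id handed to the parent collector (compared against as {@code rootID} below)
     * @param map configuration; values under {@code magicAceDefinition<N>} must be strings
     * @throws RepositoryException if a definition is malformed or names an unknown privilege
     */
    public PentahoEntryCollector(SessionImpl sessionImpl, NodeId nodeId, Map map) throws RepositoryException {
        super(sessionImpl, nodeId);
        this.magicAceDefinitions = new ArrayList<>();
        parseMagicAceDefinitions(map);
    }

    /**
     * Reads {@code magicAceDefinition0}, {@code magicAceDefinition1}, ... from {@code map} until
     * the first missing index and stores the parsed definitions.
     *
     * <p>Because reading stops at the first gap, a definition placed after a missing index is
     * silently ignored.
     *
     * @param map configuration map
     * @throws RepositoryException if any definition cannot be parsed
     */
    protected void parseMagicAceDefinitions(Map map) throws RepositoryException {
        for (int index = 0; ; index++) {
            String definition = (String) map.get("magicAceDefinition" + index);
            if (definition == null) {
                break;
            }
            this.magicAceDefinitions.add(parseMagicAceDefinition(definition));
        }
        log.debug("magic ACE definitions: {}", this.magicAceDefinitions);
    }

    /**
     * Parses one definition of the form
     * {@code f0;f1;privilege[,privilege...];bool;bool;bool[;except...]}.
     *
     * <p>The fields are passed positionally to the {@code MagicAceDefinition} constructor;
     * presumably they are path pattern, logical role, privileges, applyToTarget, applyToChildren,
     * applyToAncestors and exceptChildren (TODO confirm against MagicAceDefinition).
     *
     * <p>The boolean fields are parsed leniently: anything other than {@code "true"}
     * (case-insensitive) is read as {@code false}, so a typo narrows the scope of the grant rather
     * than widening it.
     *
     * @param str raw definition string
     * @return the parsed definition
     * @throws RepositoryException if fewer than six fields are present or a privilege name cannot
     *     be resolved
     */
    protected MagicAceDefinition parseMagicAceDefinition(String str) throws RepositoryException {
        String[] fields = str.split("\\;");
        // Fail with a descriptive, declared exception instead of an
        // ArrayIndexOutOfBoundsException when the access-control configuration is truncated.
        // Note that String.split drops trailing empty fields.
        if (fields.length < MAGIC_ACE_MANDATORY_FIELDS) {
            throw new RepositoryException("Malformed magic ACE definition (expected at least "
                    + MAGIC_ACE_MANDATORY_FIELDS + " ';'-separated fields, found " + fields.length + "): " + str);
        }
        boolean firstFlag = Boolean.parseBoolean(fields[3]);
        boolean secondFlag = Boolean.parseBoolean(fields[4]);
        boolean thirdFlag = Boolean.parseBoolean(fields[5]);

        // Everything after the mandatory fields is an exception path pattern.
        String[] exceptChildren = null;
        if (fields.length > MAGIC_ACE_MANDATORY_FIELDS) {
            exceptChildren = new String[fields.length - MAGIC_ACE_MANDATORY_FIELDS];
            System.arraycopy(fields, MAGIC_ACE_MANDATORY_FIELDS, exceptChildren, 0, exceptChildren.length);
        }

        String[] privilegeNames = fields[2].split("\\,");
        List<Privilege> privileges = new ArrayList<>(privilegeNames.length);
        for (String privilegeName : privilegeNames) {
            privileges.add(this.systemSession.getAccessControlManager().privilegeFromName(privilegeName));
        }
        return new MagicAceDefinition(fields[0], fields[1], privileges.toArray(new Privilege[0]),
                firstFlag, secondFlag, thirdFlag, exceptChildren);
    }

    /**
     * Walks from {@code nodeImpl} towards the root and returns the first node for which
     * {@link ACLProvider#isAccessControlled} is true.
     *
     * <p>There is no explicit stop at the root: if no ancestor is access controlled the loop ends
     * only when {@code getParent()} throws.
     *
     * @param nodeImpl starting node
     * @return the nearest access-controlled node (possibly {@code nodeImpl} itself)
     * @throws RepositoryException if the repository cannot be read
     */
    protected NodeImpl findAccessControlledNode(NodeImpl nodeImpl) throws RepositoryException {
        NodeImpl current = nodeImpl;
        while (!ACLProvider.isAccessControlled(current)) {
            current = (NodeImpl) current.getParent();
        }
        return current;
    }

    /**
     * Returns the nearest access-controlled node, starting at {@code nodeImpl}, whose ACL metadata
     * is missing or does not have entries-inheriting set.
     *
     * @param nodeImpl starting node
     * @return the node whose stored ACL is authoritative for {@code nodeImpl}
     * @throws RepositoryException if the repository cannot be read
     */
    protected NodeImpl findNonInheritingNode(NodeImpl nodeImpl) throws RepositoryException {
        NodeImpl current = findAccessControlledNode(nodeImpl);
        while (true) {
            IAclMetadataStrategy.AclMetadata metadata = JcrRepositoryFileAclUtils.getAclMetadata(
                    this.systemSession, current.getPath(), new ACLTemplate(current.getNode(N_POLICY)));
            // Missing metadata is treated like "not inheriting": the climb stops here.
            if (metadata == null || !metadata.isEntriesInheriting()) {
                return current;
            }
            current = findAccessControlledNode((NodeImpl) current.getParent());
        }
    }

    /**
     * Computes the effective entries for {@code nodeImpl}.
     *
     * <p>Nodes under {@code /jcr:system/jcr:versionStorage} are first mapped to their versionable
     * node. The owner is read from the nearest access-controlled node, the stored entries from the
     * nearest non-inheriting node. When the entries come from a different node than the one
     * asked about, every entry that holds removeChildNodes without removeNode additionally gets
     * removeNode. The returned {@code Entries} always has a null next id, so the parent class does
     * no further ancestor traversal of its own.
     *
     * <p>The decompiler reported that the access modifier of this method was changed from
     * {@code protected}; it is left {@code public} so existing callers keep compiling.
     *
     * @param nodeImpl node whose entries are requested
     * @return effective entries including magic ACEs
     * @throws RepositoryException if the repository cannot be read
     */
    public EntryCollector.Entries getEntries(NodeImpl nodeImpl) throws RepositoryException {
        NodeImpl target = nodeImpl;
        if (target.getPath().startsWith("/jcr:system/jcr:versionStorage")) {
            target = getVersionable(target);
        }
        NodeImpl accessControlled = findAccessControlledNode(target);
        String owner = null;
        IAclMetadataStrategy.AclMetadata metadata = JcrRepositoryFileAclUtils.getAclMetadata(
                this.systemSession, accessControlled.getPath(), new ACLTemplate(accessControlled.getNode(N_POLICY)));
        if (metadata != null) {
            owner = metadata.getOwner();
        }
        NodeImpl nonInheriting = findNonInheritingNode(accessControlled);
        ACLTemplate acl = new ACLTemplate(nonInheriting.getNode(N_POLICY));
        if (!nonInheriting.isSame(nodeImpl)) {
            Privilege removeNode = this.systemSession.getAccessControlManager()
                    .privilegeFromName("{http://www.jcp.org/jcr/1.0}removeNode");
            Privilege removeChildNodes = this.systemSession.getAccessControlManager()
                    .privilegeFromName("{http://www.jcp.org/jcr/1.0}removeChildNodes");
            // Iterate over a snapshot: the template is modified inside the loop, and whether
            // getEntries() hands out a live view is not visible from this class.
            for (AccessControlEntry entry : new ArrayList<AccessControlEntry>(acl.getEntries())) {
                Privilege[] expanded = JcrRepositoryFileAclUtils.expandPrivileges(entry.getPrivileges(), false);
                boolean needsRemoveNode = ArrayUtils.contains(expanded, removeChildNodes)
                        && !ArrayUtils.contains(expanded, removeNode);
                if (needsRemoveNode && !acl.addAccessControlEntry(entry.getPrincipal(), new Privilege[]{removeNode})) {
                    throw new RuntimeException("unable to add removeNode privilege to ACL of " + nonInheriting.getPath());
                }
            }
        }
        // Only when the ACL sits directly on the access-controlled node (and that node is not the
        // root) is the next non-inheriting ancestor consulted for add/remove-child privileges.
        ACLTemplate ancestorAcl = null;
        if (accessControlled.isSame(nonInheriting) && !this.rootID.equals(nonInheriting.getNodeId())) {
            ancestorAcl = new ACLTemplate(findNonInheritingNode((NodeImpl) nonInheriting.getParent()).getNode(N_POLICY));
        }
        return new EntryCollector.Entries(
                new ArrayList<AccessControlEntry>(getAcesIncludingMagicAces(nonInheriting.getPath(), owner, ancestorAcl, acl)),
                (NodeId) null);
    }

    /**
     * Maps a node inside version storage to the node whose ACL should govern it.
     *
     * <p>Climbs until an {@code nt:versionHistory} node or the root is reached; for a version
     * history the versionable node is looked up by identifier, for the root the root itself is
     * returned.
     *
     * @param nodeImpl node under version storage
     * @return the versionable node, or the root node if no version history was found
     * @throws RepositoryException if the repository cannot be read
     */
    protected NodeImpl getVersionable(NodeImpl nodeImpl) throws RepositoryException {
        NodeImpl current = nodeImpl;
        while (!current.isNodeType("nt:versionHistory") && !this.rootID.equals(current.getNodeId())) {
            current = (NodeImpl) current.getParent();
        }
        return this.rootID.equals(current.getNodeId()) ? current : this.systemSession.getNodeByIdentifier(((VersionHistory) current).getVersionableIdentifier());
    }

    /**
     * Looks up the platform authorization policy.
     *
     * @return the policy, never null
     * @throws IllegalStateException if no policy is registered
     */
    protected IAuthorizationPolicy getAuthorizationPolicy() {
        IAuthorizationPolicy policy = (IAuthorizationPolicy) PentahoSystem.get(IAuthorizationPolicy.class);
        if (policy == null) {
            throw new IllegalStateException("no IAuthorizationPolicy registered with PentahoSystem");
        }
        return policy;
    }

    /**
     * Looks up the role binding DAO without a bean name or session.
     *
     * @return the DAO as returned by {@code PentahoSystem.get}; not null-checked here
     */
    protected IRoleAuthorizationPolicyRoleBindingDao getRoleBindingDao() {
        return (IRoleAuthorizationPolicyRoleBindingDao) PentahoSystem.get(IRoleAuthorizationPolicyRoleBindingDao.class);
    }

    /**
     * Builds the final entry list: stored entries of {@code aCLTemplate2}, the owner entry, the
     * magic ACEs that apply to {@code str}, followed by the reduced ancestor entries.
     *
     * <p>Without a Pentaho session (or with a blank session id) an empty list is returned, i.e.
     * not even the stored entries are reported. Note that {@code aCLTemplate2} is modified in
     * place.
     *
     * @param str absolute path of the node whose stored ACL is being evaluated
     * @param str2 owner name, or null when no owner is known
     * @param aCLTemplate ACL of the next non-inheriting ancestor, or null
     * @param aCLTemplate2 ACL of the node at {@code str}; receives owner and magic entries
     * @return the combined entries
     * @throws RepositoryException if the repository cannot be read
     */
    protected List<AccessControlEntry> getAcesIncludingMagicAces(String str, String str2, ACLTemplate aCLTemplate, ACLTemplate aCLTemplate2) throws RepositoryException {
        IPentahoSession session = PentahoSessionHolder.getSession();
        if (session == null || session.getId() == null || session.getId().trim().equals("")) {
            log.debug("no PentahoSession so no magic ACEs");
            return Collections.emptyList();
        }
        if (str2 != null) {
            addOwnerAce(str2, aCLTemplate2);
        }
        IRoleAuthorizationPolicyRoleBindingDao roleBindingDao = null;
        try {
            roleBindingDao = (IRoleAuthorizationPolicyRoleBindingDao) PentahoSystem.getObjectFactory().get(IRoleAuthorizationPolicyRoleBindingDao.class, "roleAuthorizationPolicyRoleBindingDaoTarget", session);
        } catch (ObjectFactoryException e) {
            // Route the failure through the logger so it reaches the application log with its
            // cause; the lookup result stays null and is handled fail-closed below.
            log.error("could not obtain role binding DAO; magic ACEs will not be granted", e);
        }
        ITenant tenant = JcrTenantUtils.getTenant();
        for (MagicAceDefinition definition : this.magicAceDefinitions) {
            String definitionPath = MessageFormat.format(definition.path, tenant.getRootFolderAbsolutePath());
            boolean applies = false;
            // Fail closed: without a role binding DAO the caller's logical roles cannot be
            // checked, so no magic privilege is granted (previously this path ended in a
            // NullPointerException inside isAllowed).
            if (roleBindingDao != null && isAllowed(roleBindingDao, definition.logicalRole)) {
                applies = definition.applyToTarget && str.equals(definitionPath);
                if (!applies && definition.applyToChildren) {
                    // The trailing "/" keeps a sibling that merely shares the prefix
                    // (e.g. "/a/bc" vs "/a/b") from matching.
                    applies = str.startsWith(definitionPath + "/");
                    if (applies && definition.exceptChildren != null) {
                        for (String exceptPattern : definition.exceptChildren) {
                            if (str.startsWith(MessageFormat.format(exceptPattern, tenant.getRootFolderAbsolutePath()) + "/")) {
                                applies = false;
                                break;
                            }
                        }
                    }
                }
                if (!applies && definition.applyToAncestors) {
                    applies = definitionPath.startsWith(str + "/");
                }
            }
            if (applies) {
                aCLTemplate2.addAccessControlEntry(new MagicPrincipal(JcrTenantUtils.getTenantedUser(session.getName())), definition.privileges);
            }
        }
        List<AccessControlEntry> result = new ArrayList<>();
        result.addAll(aCLTemplate2.getEntries());
        result.addAll(getRelevantAncestorAces(aCLTemplate));
        return result;
    }

    /**
     * Reduces the ancestor ACL to the entries that matter for a child: for every effective entry
     * of the ancestor node only addChildNodes and removeChildNodes are kept, re-added under a
     * magic principal or group of the same name; entries holding neither privilege are dropped.
     *
     * <p>{@code aCLTemplate} is modified in place and its entry list is returned.
     *
     * @param aCLTemplate ancestor ACL, may be null
     * @return the reduced entries, or an empty list when {@code aCLTemplate} is null
     * @throws RepositoryException if the repository cannot be read
     */
    protected List<AccessControlEntry> getRelevantAncestorAces(ACLTemplate aCLTemplate) throws RepositoryException {
        if (aCLTemplate == null) {
            return Collections.emptyList();
        }
        // Effective entries of the ancestor, computed by the same rules as for any other node.
        EntryCollector.Entries ancestorEntries = getEntries((NodeImpl) this.systemSession.getNode(aCLTemplate.getPath()));
        Privilege addChildNodes = this.systemSession.getAccessControlManager()
                .privilegeFromName("{http://www.jcp.org/jcr/1.0}addChildNodes");
        Privilege removeChildNodes = this.systemSession.getAccessControlManager()
                .privilegeFromName("{http://www.jcp.org/jcr/1.0}removeChildNodes");
        for (AccessControlEntry ancestorEntry : ancestorEntries.getACEs()) {
            List<Privilege> kept = new ArrayList<>(2);
            Privilege[] expanded = JcrRepositoryFileAclUtils.expandPrivileges(ancestorEntry.getPrivileges(), false);
            if (ArrayUtils.contains(expanded, addChildNodes)) {
                kept.add(addChildNodes);
            }
            if (ArrayUtils.contains(expanded, removeChildNodes)) {
                kept.add(removeChildNodes);
            }
            // The full ancestor entry must never leak through to the child.
            if (aCLTemplate.getEntries().contains(ancestorEntry)) {
                aCLTemplate.removeAccessControlEntry(ancestorEntry);
            }
            if (kept.isEmpty()) {
                continue;
            }
            String principalName = ancestorEntry.getPrincipal().getName();
            // Snapshot before removing: the template is mutated while its entries are scanned.
            for (AccessControlEntry existing : new LinkedList<AccessControlEntry>(aCLTemplate.getEntries())) {
                if (existing.getPrincipal().getName().equals(principalName)) {
                    aCLTemplate.removeAccessControlEntry(existing);
                }
            }
            Principal reducedPrincipal = ancestorEntry.getPrincipal() instanceof Group
                    ? new MagicGroup(principalName)
                    : new MagicPrincipal(principalName);
            if (!aCLTemplate.addAccessControlEntry(reducedPrincipal, kept.toArray(new Privilege[kept.size()]))) {
                throw new RuntimeException("unable to add reduced ancestor entry to ACL");
            }
        }
        return aCLTemplate.getEntries();
    }

    /**
     * Grants {@code jcr:all} on {@code aCLTemplate} to the owner, wrapped as a magic principal or
     * group with the tenanted user name. An owner unknown to the principal manager gets nothing.
     *
     * @param str owner name as stored in the ACL metadata
     * @param aCLTemplate ACL that receives the owner entry
     * @throws RepositoryException if the repository cannot be read
     */
    protected void addOwnerAce(String str, ACLTemplate aCLTemplate) throws RepositoryException {
        Principal owner = this.systemSession.getPrincipalManager().getPrincipal(str);
        if (owner == null) {
            log.debug("PrincipalManager cannot find owner={}", str);
            return;
        }
        String tenantedName = JcrTenantUtils.getTenantedUser(owner.getName());
        Principal magicOwner = owner instanceof Group ? new MagicGroup(tenantedName) : new MagicPrincipal(tenantedName);
        aCLTemplate.addAccessControlEntry(magicOwner,
                new Privilege[]{this.systemSession.getAccessControlManager().privilegeFromName("jcr:all")});
    }

    /**
     * Collects and filters the entries for {@code nodeImpl}, following the next-id chain of the
     * returned {@code Entries}; for a null node the repository-level policy on the root node is
     * used instead. The first filter bucket precedes the second in the returned list.
     *
     * @param nodeImpl node to evaluate, or null for repository-level entries
     * @param entryFilter filter that sorts entries into the two buckets; null collects nothing
     * @return filtered entries, first bucket followed by second bucket
     * @throws RepositoryException if the repository cannot be read
     */
    protected List<AccessControlEntry> collectEntries(NodeImpl nodeImpl, EntryFilter entryFilter) throws RepositoryException {
        LinkedList<AccessControlEntry> firstBucket = new LinkedList<>();
        LinkedList<AccessControlEntry> secondBucket = new LinkedList<>();
        if (nodeImpl != null) {
            EntryCollector.Entries entries = getEntries(nodeImpl);
            filterEntries(entryFilter, entries.getACEs(), firstBucket, secondBucket);
            NodeId nextId = entries.getNextId();
            while (nextId != null) {
                EntryCollector.Entries next = getEntries(nextId);
                filterEntries(entryFilter, next.getACEs(), firstBucket, secondBucket);
                nextId = next.getNextId();
            }
        } else {
            NodeImpl rootNode = this.systemSession.getRootNode();
            if (ACLProvider.isRepoAccessControlled(rootNode)) {
                filterEntries(entryFilter, new ACLTemplate(rootNode.getNode(N_REPO_POLICY)).getEntries(), firstBucket, secondBucket);
            }
        }
        List<AccessControlEntry> result = new ArrayList<>(firstBucket.size() + secondBucket.size());
        result.addAll(firstBucket);
        result.addAll(secondBucket);
        return result;
    }

    /**
     * Hands {@code list} to the filter together with the two result buckets; does nothing for an
     * empty list or a null filter.
     *
     * @param entryFilter filter to apply, may be null
     * @param list entries to filter
     * @param linkedList first result bucket
     * @param linkedList2 second result bucket
     */
    protected void filterEntries(EntryFilter entryFilter, List<AccessControlEntry> list, LinkedList<AccessControlEntry> linkedList, LinkedList<AccessControlEntry> linkedList2) {
        if (list.isEmpty() || entryFilter == null) {
            return;
        }
        entryFilter.filterEntries(list, new List[]{linkedList, linkedList2});
    }

    /**
     * Returns the authority names of the current authentication.
     *
     * @return role names; empty when there is no authentication
     * @throws IllegalStateException (via {@code Assert.state}) if there is no Pentaho session
     */
    protected List<String> getRuntimeRoleNames() {
        IPentahoSession session = PentahoSessionHolder.getSession();
        Assert.state(session != null);
        List<String> roleNames = new ArrayList<>();
        Authentication authentication = SecurityHelper.getInstance().getAuthentication();
        if (authentication != null) {
            for (GrantedAuthority authority : authentication.getAuthorities()) {
                roleNames.add(authority.getAuthority());
            }
        }
        return roleNames;
    }

    /**
     * Tells whether any runtime role of the current user is bound to the logical role {@code str}.
     *
     * <p>A JCR-backed DAO is queried with the system session rather than through the session-less
     * overload.
     *
     * @param iRoleAuthorizationPolicyRoleBindingDao DAO to query; must not be null
     * @param str logical role name
     * @return true if the logical role is bound to one of the runtime roles
     * @throws RepositoryException if the DAO lookup fails
     */
    protected boolean isAllowed(IRoleAuthorizationPolicyRoleBindingDao iRoleAuthorizationPolicyRoleBindingDao, String str) throws RepositoryException {
        if (iRoleAuthorizationPolicyRoleBindingDao instanceof AbstractJcrBackedRoleBindingDao) {
            return ((AbstractJcrBackedRoleBindingDao) iRoleAuthorizationPolicyRoleBindingDao)
                    .getBoundLogicalRoleNames((Session) this.systemSession, getRuntimeRoleNames()).contains(str);
        }
        return iRoleAuthorizationPolicyRoleBindingDao.getBoundLogicalRoleNames(getRuntimeRoleNames()).contains(str);
    }
}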
