package org.jahia.modules.contentintegrity.services.checks;

import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.stream.Collectors;
import javax.jcr.Node;
import javax.jcr.NodeIterator;
import javax.jcr.PropertyIterator;
import javax.jcr.RepositoryException;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.StringUtils;
import org.jahia.modules.contentintegrity.api.ContentIntegrityCheck;
import org.jahia.modules.contentintegrity.services.ContentIntegrityError;
import org.jahia.modules.contentintegrity.services.ContentIntegrityErrorList;
import org.jahia.modules.contentintegrity.services.impl.AbstractContentIntegrityCheck;
import org.jahia.services.content.JCRNodeWrapper;
import org.jahia.services.content.JCRPropertyWrapper;
import org.jahia.services.content.JCRSessionFactory;
import org.jahia.services.content.JCRValueWrapper;
import org.jahia.services.content.decorator.JCRSiteNode;
import org.jahia.services.content.decorator.JCRUserNode;
import org.jahia.services.usermanager.JahiaGroupManagerService;
import org.jahia.services.usermanager.JahiaUserManagerService;
import org.osgi.service.component.annotations.Component;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Component(service = {ContentIntegrityCheck.class}, immediate = true, property = {"applyOnNodeTypes=jnt:ace"})
/* loaded from: input_file:org/jahia/modules/contentintegrity/services/checks/AceSanityCheck.class */
public class AceSanityCheck extends AbstractContentIntegrityCheck implements ContentIntegrityCheck.SupportsIntegrityErrorFix {
    private static final Logger logger = LoggerFactory.getLogger(AceSanityCheck.class);
    private static final String JNT_EXTERNAL_ACE = "jnt:externalAce";
    private static final String JNT_EXTERNAL_PERMISSIONS = "jnt:externalPermissions";
    private static final String J_PRINCIPAL = "j:principal";
    private static final String J_EXTERNAL_PERMISSIONS_NAME = "j:externalPermissionsName";
    private static final String J_ROLES = "j:roles";
    private static final String J_SOURCE_ACE = "j:sourceAce";
    private static final String J_PATH = "j:path";
    private static final String J_ACE_TYPE = "j:aceType";
    private final Map<String, Role> roles = new HashMap();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/jahia/modules/contentintegrity/services/checks/AceSanityCheck$ErrorType.class */
    public enum ErrorType {
        NO_PRINCIPAL,
        INVALID_PRINCIPAL,
        NO_ACE_TYPE_PROP,
        INVALID_ACE_TYPE_PROP,
        NO_SOURCE_ACE_PROP,
        EMPTY_SOURCE_ACE_PROP,
        SOURCE_ACE_BROKEN_REF,
        SOURCE_ACE_DIFFERENT_SITE,
        SOURCE_ACE_NOT_TYPE_GRANT,
        NO_ROLES_PROP,
        INVALID_ROLES_PROP,
        ACE_NON_GRANT_WITH_EXTERNAL_ACE,
        ROLES_DIFFER_ON_SOURCE_ACE,
        ROLE_DOESNT_EXIST
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/jahia/modules/contentintegrity/services/checks/AceSanityCheck$Role.class */
    public class Role {
        String name;
        String uuid;
        Map<String, String> externalPermissions = new HashMap();

        public Role(String str, String str2) {
            this.name = str;
            this.uuid = str2;
        }

        public String getName() {
            return this.name;
        }

        public String getUuid() {
            return this.uuid;
        }

        public Map<String, String> getExternalPermissions() {
            return this.externalPermissions;
        }

        public void addExternalPermission(String str, String str2) {
            this.externalPermissions.put(str, str2);
        }
    }

    @Override // org.jahia.modules.contentintegrity.services.impl.AbstractContentIntegrityCheck
    public void initializeIntegrityTestInternal() {
        try {
            NodeIterator nodes = JCRSessionFactory.getInstance().getCurrentSystemSession("default", (Locale) null, (Locale) null).getWorkspace().getQueryManager().createQuery("SELECT * FROM [jnt:role] WHERE ISDESCENDANTNODE('/roles')", "JCR-SQL2").execute().getNodes();
            while (nodes.hasNext()) {
                JCRNodeWrapper jCRNodeWrapper = (JCRNodeWrapper) nodes.next();
                Role role = new Role(jCRNodeWrapper.getName(), jCRNodeWrapper.getIdentifier());
                for (JCRNodeWrapper jCRNodeWrapper2 : jCRNodeWrapper.getNodes()) {
                    if (jCRNodeWrapper2.isNodeType(JNT_EXTERNAL_PERMISSIONS)) {
                        if (jCRNodeWrapper2.hasProperty(J_PATH)) {
                            role.addExternalPermission(jCRNodeWrapper2.getName(), jCRNodeWrapper2.getPropertyAsString(J_PATH));
                        } else {
                            logger.error(String.format("Skipping the extenal permission %s since it is invalid (no %s property)", jCRNodeWrapper2.getPath(), J_PATH));
                        }
                    }
                }
                this.roles.put(role.getName(), role);
            }
        } catch (RepositoryException e) {
            logger.error("Error whole loading the available roles", e);
        }
    }

    @Override // org.jahia.modules.contentintegrity.services.impl.AbstractContentIntegrityCheck
    public void finalizeIntegrityTestInternal() {
        this.roles.clear();
    }

    @Override // org.jahia.modules.contentintegrity.services.impl.AbstractContentIntegrityCheck, org.jahia.modules.contentintegrity.api.ContentIntegrityCheck
    public ContentIntegrityErrorList checkIntegrityBeforeChildren(JCRNodeWrapper jCRNodeWrapper) {
        try {
            return jCRNodeWrapper.isNodeType(JNT_EXTERNAL_ACE) ? checkExternalAce(jCRNodeWrapper) : checkRegularAce(jCRNodeWrapper);
        } catch (RepositoryException e) {
            logger.error("", e);
            return null;
        }
    }

    private ContentIntegrityErrorList checkExternalAce(JCRNodeWrapper jCRNodeWrapper) throws RepositoryException {
        ContentIntegrityErrorList createEmptyErrorsList = createEmptyErrorsList();
        createEmptyErrorsList.addAll(checkPrincipalOnAce(jCRNodeWrapper));
        if (jCRNodeWrapper.hasProperty(J_ACE_TYPE)) {
            String propertyAsString = jCRNodeWrapper.getPropertyAsString(J_ACE_TYPE);
            if (!StringUtils.equals("GRANT", propertyAsString)) {
                ContentIntegrityError createError = createError(jCRNodeWrapper, String.format("External ACE with an invalid value for %s : %s", J_ACE_TYPE, propertyAsString));
                createError.setExtraInfos(ErrorType.INVALID_ACE_TYPE_PROP);
                createEmptyErrorsList.addError(createError);
            }
        } else {
            ContentIntegrityError createError2 = createError(jCRNodeWrapper, "External ACE without property ".concat(J_ACE_TYPE));
            createError2.setExtraInfos(ErrorType.NO_ACE_TYPE_PROP);
            createEmptyErrorsList.addError(createError2);
        }
        boolean z = true;
        boolean z2 = true;
        if (!jCRNodeWrapper.hasProperty(J_SOURCE_ACE)) {
            z = false;
            ContentIntegrityError createError3 = createError(jCRNodeWrapper, "External ACE without source ACE");
            createError3.setExtraInfos(ErrorType.NO_SOURCE_ACE_PROP);
            createEmptyErrorsList.addError(createError3);
        }
        if (!jCRNodeWrapper.hasProperty(J_ROLES)) {
            z2 = false;
            ContentIntegrityError createError4 = createError(jCRNodeWrapper, "External ACE without property j:roles");
            createError4.setExtraInfos(ErrorType.NO_ROLES_PROP);
            createEmptyErrorsList.addError(createError4);
        }
        if (z) {
            JCRValueWrapper[] values = jCRNodeWrapper.getProperty(J_SOURCE_ACE).getValues();
            if (values.length == 0) {
                ContentIntegrityError createError5 = createError(jCRNodeWrapper, "External ACE without source ACE");
                createError5.setExtraInfos(ErrorType.EMPTY_SOURCE_ACE_PROP);
                createEmptyErrorsList.addError(createError5);
            }
            for (JCRValueWrapper jCRValueWrapper : values) {
                JCRNodeWrapper jCRNodeWrapper2 = null;
                try {
                    jCRNodeWrapper2 = jCRValueWrapper.getNode();
                } catch (RepositoryException e) {
                }
                if (jCRNodeWrapper2 == null) {
                    boolean z3 = false;
                    if (isInLiveWorkspace(jCRNodeWrapper) && nodeExists(jCRValueWrapper.getString(), JCRSessionFactory.getInstance().getCurrentSystemSession("default", (Locale) null, (Locale) null))) {
                        z3 = true;
                    }
                    if (!z3) {
                        createEmptyErrorsList.addError(createErrorWithInfos(jCRNodeWrapper, null, "Broken reference to source ACE", ErrorType.SOURCE_ACE_BROKEN_REF));
                    }
                } else {
                    String identifier = jCRNodeWrapper2.getIdentifier();
                    if (jCRNodeWrapper2.hasProperty(J_ACE_TYPE)) {
                        String propertyAsString2 = jCRNodeWrapper2.getPropertyAsString(J_ACE_TYPE);
                        if (!StringUtils.equals("GRANT", propertyAsString2)) {
                            ContentIntegrityError createError6 = createError(jCRNodeWrapper, String.format("The source ACE (%s) is not of type GRANT (type=%s)", identifier, propertyAsString2));
                            createError6.addExtraInfo("error-type", ErrorType.SOURCE_ACE_NOT_TYPE_GRANT).addExtraInfo("src-ace-uuid", identifier).addExtraInfo("src-ace-type", propertyAsString2);
                            createEmptyErrorsList.addError(createError6);
                        }
                    }
                    if (z2) {
                        if (jCRNodeWrapper2.hasProperty(J_ROLES)) {
                            List<String> roleNames = getRoleNames(jCRNodeWrapper);
                            if (CollectionUtils.isEmpty(roleNames)) {
                                createEmptyErrorsList.addError(createErrorWithInfos(jCRNodeWrapper, null, String.format("The property %s has no value", J_ROLES), ErrorType.INVALID_ROLES_PROP));
                            } else if (roleNames.size() > 1) {
                                createEmptyErrorsList.addError(createErrorWithInfos(jCRNodeWrapper, null, String.format("Unexpected number of roles in the property %s", J_ROLES), ErrorType.INVALID_ROLES_PROP));
                            } else {
                                List<String> roleNames2 = getRoleNames(jCRNodeWrapper2);
                                String str = roleNames.get(0);
                                if (this.roles.containsKey(str) && this.roles.get(str).getExternalPermissions().getOrDefault(jCRNodeWrapper.getPropertyAsString(J_EXTERNAL_PERMISSIONS_NAME), "").equals("currentSite")) {
                                    String resolveSiteKey = resolveSiteKey(jCRNodeWrapper);
                                    if (!StringUtils.equals(resolveSiteKey, resolveSiteKey(jCRNodeWrapper2))) {
                                        HashMap hashMap = new HashMap(4);
                                        hashMap.put("error-type", ErrorType.SOURCE_ACE_DIFFERENT_SITE);
                                        hashMap.put("ace-uuid", identifier);
                                        hashMap.put("ace-path", jCRNodeWrapper2.getPath());
                                        hashMap.put("ace-site", resolveSiteKey);
                                        createErrorWithInfos(jCRNodeWrapper, null, "The external ACE and the source ACE are stored in different sites", hashMap);
                                    }
                                }
                                if (!roleNames2.contains(str)) {
                                    HashMap hashMap2 = new HashMap();
                                    hashMap2.put("error-type", ErrorType.ROLES_DIFFER_ON_SOURCE_ACE);
                                    hashMap2.put("ace-uuid", identifier);
                                    createEmptyErrorsList.addError(createErrorWithInfos(jCRNodeWrapper, null, String.format("The external ACE is defined for the role %s, but the ace (%s) has not this role", str, identifier), ErrorType.ROLES_DIFFER_ON_SOURCE_ACE));
                                }
                            }
                        } else {
                            createEmptyErrorsList.addError(createErrorWithInfos(jCRNodeWrapper, null, String.format("The roles differ on the external and source ACE, since the %s property is missing on the source ACE", J_ROLES), ErrorType.ROLES_DIFFER_ON_SOURCE_ACE));
                        }
                    }
                }
            }
        }
        return createEmptyErrorsList;
    }

    private List<String> getRoleNames(JCRNodeWrapper jCRNodeWrapper) throws RepositoryException {
        return (List) Arrays.stream(jCRNodeWrapper.getProperty(J_ROLES).getValues()).map(jCRValueWrapper -> {
            try {
                return jCRValueWrapper.getString();
            } catch (RepositoryException e) {
                logger.error("", e);
                return null;
            }
        }).filter((v0) -> {
            return Objects.nonNull(v0);
        }).collect(Collectors.toList());
    }

    private ContentIntegrityErrorList checkRegularAce(JCRNodeWrapper jCRNodeWrapper) throws RepositoryException {
        ContentIntegrityErrorList createEmptyErrorsList = createEmptyErrorsList();
        createEmptyErrorsList.addAll(checkPrincipalOnAce(jCRNodeWrapper));
        boolean z = true;
        if (jCRNodeWrapper.hasProperty(J_ACE_TYPE)) {
            String propertyAsString = jCRNodeWrapper.getPropertyAsString(J_ACE_TYPE);
            if (!StringUtils.equals(propertyAsString, "GRANT")) {
                z = false;
                PropertyIterator weakReferences = jCRNodeWrapper.getWeakReferences();
                while (weakReferences.hasNext()) {
                    Node parent = weakReferences.nextProperty().getParent();
                    if (parent.isNodeType(JNT_EXTERNAL_ACE)) {
                        createEmptyErrorsList.addError(createError(jCRNodeWrapper, "ACE not of GRANT type referenced by an external ACE").addExtraInfo("error-type", ErrorType.ACE_NON_GRANT_WITH_EXTERNAL_ACE).addExtraInfo("ace-type", propertyAsString).addExtraInfo("external-ace-uuid", parent.getIdentifier()));
                    }
                }
            }
        } else {
            ContentIntegrityError createError = createError(jCRNodeWrapper, "ACE without property ".concat(J_ACE_TYPE));
            createError.setExtraInfos(ErrorType.NO_ACE_TYPE_PROP);
            createEmptyErrorsList.addError(createError);
        }
        if (jCRNodeWrapper.hasProperty(J_ROLES)) {
            for (JCRValueWrapper jCRValueWrapper : jCRNodeWrapper.getProperty(J_ROLES).getValues()) {
                String string = jCRValueWrapper.getString();
                if (!this.roles.containsKey(string)) {
                    HashMap hashMap = new HashMap(2);
                    hashMap.put("error-type", ErrorType.ROLE_DOESNT_EXIST);
                    hashMap.put("role", string);
                    createEmptyErrorsList.addError(createErrorWithInfos(jCRNodeWrapper, null, "ACE with a role that doesn't exist", hashMap));
                } else if (z) {
                    for (String str : this.roles.get(string).getExternalPermissions().keySet()) {
                        PropertyIterator weakReferences2 = jCRNodeWrapper.getWeakReferences();
                        boolean z2 = false;
                        while (!z2 && weakReferences2.hasNext()) {
                            Node parent2 = weakReferences2.nextProperty().getParent();
                            if (parent2.isNodeType(JNT_EXTERNAL_ACE) && parent2.hasProperty(J_EXTERNAL_PERMISSIONS_NAME) && StringUtils.equals(str, parent2.getProperty(J_EXTERNAL_PERMISSIONS_NAME).getString())) {
                                z2 = true;
                            }
                        }
                        if (!z2) {
                            createEmptyErrorsList.addError(createErrorWithInfos(jCRNodeWrapper, null, String.format("The ACE has a role (%s) which defines external permissions (%s) but no related %s exist", string, str, JNT_EXTERNAL_ACE), new Object[0]));
                        }
                    }
                }
            }
        } else {
            createEmptyErrorsList.addError(createErrorWithInfos(jCRNodeWrapper, null, "ACE without property j:roles", ErrorType.NO_ROLES_PROP));
        }
        return createEmptyErrorsList;
    }

    private ContentIntegrityErrorList checkPrincipalOnAce(JCRNodeWrapper jCRNodeWrapper) throws RepositoryException {
        if (!jCRNodeWrapper.hasProperty(J_PRINCIPAL)) {
            return createSingleError(createErrorWithInfos(jCRNodeWrapper, null, "ACE without principal", ErrorType.NO_PRINCIPAL));
        }
        String string = jCRNodeWrapper.getProperty(J_PRINCIPAL).getString();
        JCRSiteNode resolveSite = jCRNodeWrapper.getResolveSite();
        if (getPrincipal(resolveSite == null ? null : resolveSite.getSiteKey(), string) == null) {
            return createSingleError(createErrorWithInfos(jCRNodeWrapper, null, String.format("%s not found, but an ACE is defined for it", string), ErrorType.INVALID_PRINCIPAL));
        }
        return null;
    }

    private JCRNodeWrapper getPrincipal(String str, String str2) {
        JCRUserNode jCRUserNode = null;
        String substring = str2.substring(2);
        if (str2.startsWith("u:")) {
            jCRUserNode = JahiaUserManagerService.getInstance().lookupUser(substring, str);
        } else if (str2.startsWith("g:")) {
            JahiaGroupManagerService jahiaGroupManagerService = JahiaGroupManagerService.getInstance();
            jCRUserNode = jahiaGroupManagerService.lookupGroup(str, substring);
            if (jCRUserNode == null) {
                jCRUserNode = jahiaGroupManagerService.lookupGroup((String) null, substring);
            }
        }
        return jCRUserNode;
    }

    private String resolveSiteKey(JCRNodeWrapper jCRNodeWrapper) {
        if (jCRNodeWrapper == null) {
            return null;
        }
        String path = jCRNodeWrapper.getPath();
        if (path.startsWith("/sites/")) {
            return StringUtils.split(path, '/')[1];
        }
        return null;
    }

    @Override // org.jahia.modules.contentintegrity.api.ContentIntegrityCheck.SupportsIntegrityErrorFix
    public boolean fixError(JCRNodeWrapper jCRNodeWrapper, ContentIntegrityError contentIntegrityError) throws RepositoryException {
        if (!"default".equals(jCRNodeWrapper.getSession().getWorkspace().getName())) {
            return false;
        }
        Object extraInfos = contentIntegrityError.getExtraInfos();
        if (!(extraInfos instanceof ErrorType)) {
            logger.error("Unexpected error type: " + extraInfos);
            return false;
        }
        ErrorType errorType = (ErrorType) extraInfos;
        JCRNodeWrapper parent = jCRNodeWrapper.getParent().getParent();
        switch (errorType) {
            case NO_PRINCIPAL:
                return false;
            case INVALID_PRINCIPAL:
                String propertyAsString = jCRNodeWrapper.getPropertyAsString(J_PRINCIPAL);
                JCRPropertyWrapper property = jCRNodeWrapper.getProperty(J_ROLES);
                HashMap hashMap = new HashMap();
                for (JCRValueWrapper jCRValueWrapper : property.getValues()) {
                    hashMap.put(jCRValueWrapper.getString(), "REMOVE");
                }
                if (!parent.changeRoles(propertyAsString, hashMap)) {
                    return false;
                }
                parent.saveSession();
                return true;
            default:
                return false;
        }
    }
}
