package org.jahia.modules.contentintegrity.services.checks;

import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import javax.jcr.Node;
import javax.jcr.NodeIterator;
import javax.jcr.PropertyIterator;
import javax.jcr.RepositoryException;
import org.apache.commons.collections.CollectionUtils;
import org.apache.commons.lang.StringUtils;
import org.jahia.modules.contentintegrity.api.ContentIntegrityCheck;
import org.jahia.modules.contentintegrity.services.ContentIntegrityError;
import org.jahia.modules.contentintegrity.services.ContentIntegrityErrorList;
import org.jahia.modules.contentintegrity.services.impl.AbstractContentIntegrityCheck;
import org.jahia.services.content.JCRNodeWrapper;
import org.jahia.services.content.JCRPropertyWrapper;
import org.jahia.services.content.JCRValueWrapper;
import org.jahia.services.content.decorator.JCRSiteNode;
import org.jahia.services.content.decorator.JCRUserNode;
import org.jahia.services.usermanager.JahiaGroupManagerService;
import org.jahia.services.usermanager.JahiaUserManagerService;
import org.osgi.service.component.annotations.Component;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

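/**
 * Integrity check for access-control entries. The component is registered for nodes of type
 * {@code jnt:ace} and runs a dedicated verification when the node is a {@code jnt:externalAce}.
 *
 * <p>Role definitions are cached in {@link #roles} by
 * {@link #initializeIntegrityTestInternal(JCRNodeWrapper, Collection)} and dropped by
 * {@link #finalizeIntegrityTestInternal(JCRNodeWrapper, Collection)}. The cache is a plain
 * {@link HashMap} held in an instance field, which is not safe for concurrent use.
 * NOTE(review): confirm that the framework never runs two scans on the same instance.
 *
 * <p>The only automated fix is for {@link ErrorType#INVALID_PRINCIPAL}, in the {@code default}
 * workspace: it removes the roles of a principal that cannot be resolved. That fix deletes access
 * grants, so see the caveat on {@link #fixError(JCRNodeWrapper, ContentIntegrityError)}.
 */
@Component(service = {ContentIntegrityCheck.class}, immediate = true, property = {"applyOnNodeTypes=jnt:ace"})
/* loaded from: input_file:org/jahia/modules/contentintegrity/services/checks/AceSanityCheck.class */
public class AceSanityCheck extends AbstractContentIntegrityCheck implements ContentIntegrityCheck.SupportsIntegrityErrorFix {
    private static final String JNT_EXTERNAL_ACE = "jnt:externalAce";
    private static final String JNT_EXTERNAL_PERMISSIONS = "jnt:externalPermissions";
    private static final String J_PRINCIPAL = "j:principal";
    private static final String J_EXTERNAL_PERMISSIONS_NAME = "j:externalPermissionsName";
    private static final String J_ROLES = "j:roles";
    private static final String J_SOURCE_ACE = "j:sourceAce";
    private static final String J_PATH = "j:path";
    private static final String J_ACE_TYPE = "j:aceType";
    /** Value of {@code j:aceType} that the checks treat as a grant. */
    private static final String ACE_TYPE_GRANT = "GRANT";
    /** Name of the workspace the roles are loaded from and the only one in which fixes are applied. */
    private static final String DEFAULT_WORKSPACE = "default";
    /** Roles found under {@code /roles}, keyed by role node name; filled for the duration of a scan. */
    private final Map<String, Role> roles = new HashMap<>();
    private static final Logger logger = LoggerFactory.getLogger(AceSanityCheck.class);
    private static final Pattern CURRENT_SITE_PATTERN = Pattern.compile("^currentSite");

    /** Kinds of inconsistency this check can report on an ACE or an external ACE. */
    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/jahia/modules/contentintegrity/services/checks/AceSanityCheck$ErrorType.class */
    public enum ErrorType {
        NO_PRINCIPAL,
        INVALID_PRINCIPAL,
        NO_ACE_TYPE_PROP,
        INVALID_ACE_TYPE_PROP,
        NO_SOURCE_ACE_PROP,
        EMPTY_SOURCE_ACE_PROP,
        SOURCE_ACE_BROKEN_REF,
        INVALID_EXTERNAL_ACE_PATH,
        SOURCE_ACE_NOT_TYPE_GRANT,
        INVALID_EXTERNAL_PERMISSIONS,
        MISSING_EXTERNAL_ACE,
        ACE_NON_GRANT_WITH_EXTERNAL_ACE,
        NO_ROLES_PROP,
        INVALID_ROLES_PROP,
        ROLES_DIFFER_ON_SOURCE_ACE,
        ROLE_DOESNT_EXIST
    }

    /**
     * Cached view of a role node: its name, its identifier and the external permissions it declares
     * (external permissions node name mapped to the value of that node's {@code j:path} property).
     */
    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/jahia/modules/contentintegrity/services/checks/AceSanityCheck$Role.class */
    public static class Role {
        final String name;
        final String uuid;
        final Map<String, String> externalPermissions = new HashMap<>();

        /**
         * @param str  the role node name
         * @param str2 the role node identifier
         */
        public Role(String str, String str2) {
            this.name = str;
            this.uuid = str2;
        }

        public String getName() {
            return this.name;
        }

        public String getUuid() {
            return this.uuid;
        }

        /** Returns the live, mutable map of external permissions (name to {@code j:path} value). */
        public Map<String, String> getExternalPermissions() {
            return this.externalPermissions;
        }

        /**
         * @param str  the external permissions node name
         * @param str2 the {@code j:path} value of that node
         */
        public void addExternalPermission(String str, String str2) {
            this.externalPermissions.put(str, str2);
        }
    }

    /**
     * Loads every {@code jnt:role} node below {@code /roles} from the default workspace into the
     * role cache, together with the external permissions each role declares.
     *
     * <p>A repository failure is only logged. The cache is then empty or partial, and
     * {@code checkRegularAce} will report {@link ErrorType#ROLE_DOESNT_EXIST} for every role that
     * was not loaded, so a scan that follows a failed load should be read with that in mind.
     */
    @Override // org.jahia.modules.contentintegrity.services.impl.AbstractContentIntegrityCheck
    public void initializeIntegrityTestInternal(JCRNodeWrapper jCRNodeWrapper, Collection<String> collection) {
        try {
            NodeIterator roleNodes = getSystemSession(DEFAULT_WORKSPACE, false).getWorkspace().getQueryManager()
                    .createQuery("SELECT * FROM [jnt:role] WHERE ISDESCENDANTNODE('/roles')", "JCR-SQL2")
                    .execute()
                    .getNodes();
            while (roleNodes.hasNext()) {
                JCRNodeWrapper roleNode = (JCRNodeWrapper) roleNodes.next();
                Role role = new Role(roleNode.getName(), roleNode.getIdentifier());
                for (JCRNodeWrapper child : roleNode.getNodes()) {
                    if (!child.isNodeType(JNT_EXTERNAL_PERMISSIONS)) {
                        continue;
                    }
                    if (child.hasProperty(J_PATH)) {
                        role.addExternalPermission(child.getName(), child.getPropertyAsString(J_PATH));
                    } else {
                        logger.error(String.format("Skipping the external permission %s since it is invalid (no %s property)", child.getPath(), J_PATH));
                    }
                }
                this.roles.put(role.getName(), role);
            }
        } catch (RepositoryException e) {
            logger.error("Error while loading the available roles", e);
        }
    }

    /** Drops the role cache built for the scan. */
    @Override // org.jahia.modules.contentintegrity.services.impl.AbstractContentIntegrityCheck
    public void finalizeIntegrityTestInternal(JCRNodeWrapper jCRNodeWrapper, Collection<String> collection) {
        this.roles.clear();
    }

    /**
     * Checks one ACE node, using the external-ACE rules when the node is a {@code jnt:externalAce}
     * and the regular-ACE rules otherwise.
     *
     * @return the errors found, or {@code null} when a {@link RepositoryException} interrupted the check
     */
    @Override // org.jahia.modules.contentintegrity.services.impl.AbstractContentIntegrityCheck, org.jahia.modules.contentintegrity.api.ContentIntegrityCheck
    public ContentIntegrityErrorList checkIntegrityBeforeChildren(JCRNodeWrapper jCRNodeWrapper) {
        try {
            if (jCRNodeWrapper.isNodeType(JNT_EXTERNAL_ACE)) {
                return checkExternalAce(jCRNodeWrapper);
            }
            return checkRegularAce(jCRNodeWrapper);
        } catch (RepositoryException e) {
            // The node is reported as having no error in this case, so the log entry is the only trace.
            logger.error("Unexpected repository error while checking an ACE node", e);
            return null;
        }
    }

    /**
     * Validates an external ACE: principal, {@code j:aceType}, presence of {@code j:sourceAce} and
     * {@code j:roles}, then each referenced source ACE.
     */
    private ContentIntegrityErrorList checkExternalAce(JCRNodeWrapper externalAce) throws RepositoryException {
        ContentIntegrityErrorList errors = createEmptyErrorsList();
        errors.addAll(checkPrincipalOnAce(externalAce));

        if (externalAce.hasProperty(J_ACE_TYPE)) {
            String aceType = externalAce.getPropertyAsString(J_ACE_TYPE);
            if (!StringUtils.equals(ACE_TYPE_GRANT, aceType)) {
                errors.addError(createError(externalAce, "External ACE with an invalid ".concat(J_ACE_TYPE))
                        .setErrorType(ErrorType.INVALID_ACE_TYPE_PROP)
                        .addExtraInfo("defined-ace-type", aceType));
            }
        } else {
            errors.addError(createError(externalAce, "External ACE without property ".concat(J_ACE_TYPE))
                    .setErrorType(ErrorType.NO_ACE_TYPE_PROP));
        }

        boolean hasSourceAce = externalAce.hasProperty(J_SOURCE_ACE);
        if (!hasSourceAce) {
            errors.addError(createError(externalAce, "External ACE without source ACE")
                    .setErrorType(ErrorType.NO_SOURCE_ACE_PROP));
        }
        boolean hasRoles = externalAce.hasProperty(J_ROLES);
        if (!hasRoles) {
            errors.addError(createError(externalAce, "External ACE without property j:roles")
                    .setErrorType(ErrorType.NO_ROLES_PROP));
        }
        if (!hasSourceAce) {
            return errors;
        }

        JCRValueWrapper[] sourceRefs = externalAce.getProperty(J_SOURCE_ACE).getValues();
        if (sourceRefs.length == 0) {
            errors.addError(createError(externalAce, "External ACE without source ACE")
                    .setErrorType(ErrorType.EMPTY_SOURCE_ACE_PROP));
        }
        for (JCRValueWrapper sourceRef : sourceRefs) {
            JCRNodeWrapper sourceAce = null;
            try {
                sourceAce = sourceRef.getNode();
            } catch (RepositoryException ignored) {
                // Deliberately ignored: an unresolvable reference is handled below as a missing source ACE.
            }
            if (sourceAce == null) {
                // From the live workspace, the reference is not reported as broken when the
                // referenced identifier exists in the default workspace.
                boolean existsInDefault = isInLiveWorkspace(externalAce)
                        && nodeExists(sourceRef.getString(), getSystemSession(DEFAULT_WORKSPACE, true));
                if (!existsInDefault) {
                    errors.addError(createError(externalAce, "Broken reference to source ACE")
                            .setErrorType(ErrorType.SOURCE_ACE_BROKEN_REF));
                }
                continue;
            }
            checkExternalAceAgainstSource(externalAce, sourceAce, hasRoles, errors);
        }
        return errors;
    }

    /**
     * Compares an external ACE with one resolved source ACE: the source must be of type GRANT and,
     * when the external ACE has a {@code j:roles} property, its single role must exist, must be
     * declared on the source ACE and must declare the external permissions the external ACE names.
     */
    private void checkExternalAceAgainstSource(JCRNodeWrapper externalAce, JCRNodeWrapper sourceAce, boolean hasRoles,
            ContentIntegrityErrorList errors) throws RepositoryException {
        String sourceAceUuid = sourceAce.getIdentifier();
        if (sourceAce.hasProperty(J_ACE_TYPE)) {
            String sourceAceType = sourceAce.getPropertyAsString(J_ACE_TYPE);
            if (!StringUtils.equals(ACE_TYPE_GRANT, sourceAceType)) {
                errors.addError(createError(externalAce, "The source ACE is not of type GRANT")
                        .setErrorType(ErrorType.SOURCE_ACE_NOT_TYPE_GRANT)
                        .addExtraInfo("src-ace-uuid", sourceAceUuid)
                        .addExtraInfo("src-ace-path", sourceAce.getPath())
                        .addExtraInfo("src-ace-type", sourceAceType)
                        .setExtraMsg("External ACE are defined only for the ACE of type GRANT"));
            }
        }
        if (!hasRoles) {
            return;
        }
        if (!sourceAce.hasProperty(J_ROLES)) {
            errors.addError(createError(externalAce, String.format("Missing %s property on the source ACE", J_ROLES))
                    .setErrorType(ErrorType.ROLES_DIFFER_ON_SOURCE_ACE)
                    .addExtraInfo("src-ace-uuid", sourceAceUuid)
                    .addExtraInfo("src-ace-path", sourceAce.getPath())
                    .setExtraMsg(String.format("Impossible to check if the roles defined on the external ACE and the source ACE are consistant, since the property %s is missing on the source ACE", J_ROLES)));
            return;
        }

        List<String> externalAceRoles = getRoleNames(externalAce);
        if (CollectionUtils.isEmpty(externalAceRoles)) {
            errors.addError(createError(externalAce, String.format("The property %s has no value", J_ROLES))
                    .setErrorType(ErrorType.INVALID_ROLES_PROP));
            return;
        }
        if (externalAceRoles.size() > 1) {
            errors.addError(createError(externalAce, String.format("Unexpected number of roles in the property %s", J_ROLES))
                    .setErrorType(ErrorType.INVALID_ROLES_PROP)
                    .addExtraInfo(J_ROLES, externalAceRoles));
            return;
        }

        List<String> sourceAceRoles = getRoleNames(sourceAce);
        String roleName = externalAceRoles.get(0);
        Role role = this.roles.get(roleName);
        if (role == null) {
            errors.addError(createError(externalAce, "External ACE defined for a role which does not exist")
                    .setErrorType(ErrorType.ROLE_DOESNT_EXIST)
                    .addExtraInfo("role", roleName));
        } else {
            checkExternalAcePath(externalAce, sourceAce, role, sourceAceUuid, errors);
        }
        if (!sourceAceRoles.contains(roleName)) {
            errors.addError(createError(externalAce, "External ACE defined for a role which is not defined on the source ACE")
                    .setErrorType(ErrorType.ROLES_DIFFER_ON_SOURCE_ACE)
                    .addExtraInfo("role", roleName)
                    .addExtraInfo("ace-uuid", sourceAceUuid)
                    .addExtraInfo("ace-path", sourceAce.getPath())
                    .addExtraInfo("ace-roles", sourceAceRoles));
        }
    }

    /**
     * Checks that the external ACE names external permissions declared by the role, and that it is
     * stored at {@code <scope>/j:acl/<external ACE name>}, where a leading {@code currentSite} in the
     * scope is replaced by the path of the source ACE's site.
     */
    private void checkExternalAcePath(JCRNodeWrapper externalAce, JCRNodeWrapper sourceAce, Role role, String sourceAceUuid,
            ContentIntegrityErrorList errors) throws RepositoryException {
        String roleName = role.getName();
        Map<String, String> externalPermissions = role.getExternalPermissions();
        String externalPermissionsName = externalAce.getPropertyAsString(J_EXTERNAL_PERMISSIONS_NAME);
        if (!externalPermissions.containsKey(externalPermissionsName)) {
            errors.addError(createError(externalAce, "External ACE defined for external permissions which are not declared by the role")
                    .setErrorType(ErrorType.INVALID_EXTERNAL_PERMISSIONS)
                    .addExtraInfo("role", roleName)
                    .addExtraInfo("external-permissions-name", externalPermissionsName)
                    .addExtraInfo("expected-external-permissions-names", externalPermissions.keySet()));
            return;
        }

        String scope = externalPermissions.get(externalPermissionsName);
        StringBuilder expectedPath = new StringBuilder();
        Matcher siteMatcher = CURRENT_SITE_PATTERN.matcher(scope);
        if (siteMatcher.find()) {
            JCRSiteNode site = sourceAce.getResolveSite();
            if (site == null) {
                // Without a site the expected location cannot be computed; the node is not flagged on a guess.
                logger.warn(String.format("Impossible to check the path of the external ACE %s: no site resolved for the source ACE %s",
                        externalAce.getPath(), sourceAce.getPath()));
                return;
            }
            // The site path is data, not a replacement pattern: quote it so that '$' and '\' are taken literally.
            expectedPath.append(siteMatcher.replaceFirst(Matcher.quoteReplacement(site.getPath())));
        } else {
            expectedPath.append(scope);
        }
        // The length test covers an empty scope, which would otherwise make charAt() throw.
        if (expectedPath.length() == 0 || expectedPath.charAt(expectedPath.length() - 1) != '/') {
            expectedPath.append('/');
        }
        expectedPath.append("j:acl/").append(externalAce.getName());
        if (!StringUtils.equals(expectedPath.toString(), externalAce.getPath())) {
            errors.addError(createError(externalAce, "The external ACE has not the expected path")
                    .setErrorType(ErrorType.INVALID_EXTERNAL_ACE_PATH)
                    .addExtraInfo("ace-uuid", sourceAceUuid)
                    .addExtraInfo("ace-path", sourceAce.getPath())
                    .addExtraInfo("role", roleName)
                    .addExtraInfo("external-permissions-name", externalPermissionsName)
                    .addExtraInfo("external-permissions-path", scope)
                    .addExtraInfo("external-ace-expected-path", expectedPath));
        }
    }

    /**
     * Returns the values of the node's {@code j:roles} property as strings. A value that cannot be
     * read is logged and left out of the result.
     */
    private List<String> getRoleNames(JCRNodeWrapper ace) throws RepositoryException {
        return Arrays.stream(ace.getProperty(J_ROLES).getValues())
                .map(value -> {
                    try {
                        return value.getString();
                    } catch (RepositoryException e) {
                        logger.error("Impossible to read a value of the property " + J_ROLES, e);
                        return null;
                    }
                })
                .filter(Objects::nonNull)
                .collect(Collectors.toList());
    }

    /**
     * Validates a regular ACE: principal, {@code j:aceType}, existence of each role, and the presence
     * of one external ACE per external permission declared by the roles of a GRANT ACE. An ACE that
     * is not of type GRANT is reported once for each external ACE that references it.
     */
    private ContentIntegrityErrorList checkRegularAce(JCRNodeWrapper ace) throws RepositoryException {
        ContentIntegrityErrorList errors = createEmptyErrorsList();
        errors.addAll(checkPrincipalOnAce(ace));

        String aceType;
        boolean isGrant;
        if (ace.hasProperty(J_ACE_TYPE)) {
            aceType = ace.getPropertyAsString(J_ACE_TYPE);
            isGrant = StringUtils.equals(aceType, ACE_TYPE_GRANT);
        } else {
            aceType = "";
            isGrant = false;
            errors.addError(createError(ace, "ACE without property ".concat(J_ACE_TYPE))
                    .setErrorType(ErrorType.NO_ACE_TYPE_PROP));
        }

        if (ace.hasProperty(J_ROLES)) {
            for (JCRValueWrapper roleValue : ace.getProperty(J_ROLES).getValues()) {
                String roleName = roleValue.getString();
                Role role = this.roles.get(roleName);
                if (role == null) {
                    errors.addError(createError(ace, "ACE with a role that doesn't exist")
                            .setErrorType(ErrorType.ROLE_DOESNT_EXIST)
                            .addExtraInfo("role", roleName));
                    continue;
                }
                if (!isGrant) {
                    continue;
                }
                for (Map.Entry<String, String> externalPermission : role.getExternalPermissions().entrySet()) {
                    if (!hasExternalAce(ace, externalPermission.getKey())) {
                        errors.addError(createError(ace, "ACE with a missing external ACE")
                                .setErrorType(ErrorType.MISSING_EXTERNAL_ACE)
                                .addExtraInfo("role", roleName)
                                .addExtraInfo("external-permissions", externalPermission.getKey())
                                .addExtraInfo("external-ace-scope", externalPermission.getValue()));
                    }
                }
            }
        } else {
            errors.addError(createError(ace, "ACE without property ".concat(J_ROLES))
                    .setErrorType(ErrorType.NO_ROLES_PROP));
        }

        if (!isGrant) {
            PropertyIterator references = ace.getWeakReferences();
            while (references.hasNext()) {
                Node referrer = references.nextProperty().getParent();
                if (referrer.isNodeType(JNT_EXTERNAL_ACE)) {
                    errors.addError(createError(ace, "ACE of type different from GRANT with a missing external ACE")
                            .setErrorType(ErrorType.ACE_NON_GRANT_WITH_EXTERNAL_ACE)
                            .addExtraInfo("ace-type", aceType)
                            .addExtraInfo("external-ace", referrer.getPath()));
                }
            }
        }
        return errors;
    }

    /**
     * Tells whether one of the nodes holding a weak reference to the ACE is an external ACE whose
     * {@code j:externalPermissionsName} equals the given name.
     */
    private boolean hasExternalAce(JCRNodeWrapper ace, String externalPermissionsName) throws RepositoryException {
        PropertyIterator references = ace.getWeakReferences();
        while (references.hasNext()) {
            Node referrer = references.nextProperty().getParent();
            if (referrer.isNodeType(JNT_EXTERNAL_ACE)
                    && referrer.hasProperty(J_EXTERNAL_PERMISSIONS_NAME)
                    && StringUtils.equals(externalPermissionsName, referrer.getProperty(J_EXTERNAL_PERMISSIONS_NAME).getString())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks that the ACE has a {@code j:principal} property and that the principal can be looked up.
     *
     * @return a single-error list when the principal is missing or unresolved, {@code null} otherwise
     */
    private ContentIntegrityErrorList checkPrincipalOnAce(JCRNodeWrapper ace) throws RepositoryException {
        if (!ace.hasProperty(J_PRINCIPAL)) {
            return createSingleError(createError(ace, "ACE without principal").setErrorType(ErrorType.NO_PRINCIPAL));
        }
        String principalKey = ace.getProperty(J_PRINCIPAL).getString();
        JCRSiteNode site = ace.getResolveSite();
        String siteKey = site == null ? null : site.getSiteKey();
        if (getPrincipal(siteKey, principalKey) == null) {
            return createSingleError(createError(ace, "ACE with an invalid principal")
                    .setErrorType(ErrorType.INVALID_PRINCIPAL)
                    .addExtraInfo("invalid principal", principalKey)
                    .addExtraInfo("site", siteKey)
                    .setExtraMsg("If the principal exists, check if it is defined at site level, and if does, if this site differs from the current site. Warning: if the principal comes from an external source such as a LDAP, it might be just temporarily missing because of a connectivity issue"));
        }
        // NOTE(review): callers pass this null straight to addAll(); presumably the list accepts it, confirm.
        return null;
    }

    /**
     * Looks up the user ({@code u:} prefix) or group ({@code g:} prefix) named by a principal key.
     * A group is searched in the given site first, then with a {@code null} site key.
     *
     * @return the principal node, or {@code null} when the key is {@code null}, carries neither
     *         prefix, or names a principal that is not found
     */
    private JCRNodeWrapper getPrincipal(String siteKey, String principalKey) {
        // The prefix is tested before substring(2), so a key shorter than two characters is
        // reported as an unresolved principal instead of raising StringIndexOutOfBoundsException.
        if (principalKey == null) {
            return null;
        }
        if (principalKey.startsWith("u:")) {
            JCRUserNode user = JahiaUserManagerService.getInstance().lookupUser(principalKey.substring(2), siteKey);
            return user;
        }
        if (principalKey.startsWith("g:")) {
            String groupName = principalKey.substring(2);
            JahiaGroupManagerService groupManager = JahiaGroupManagerService.getInstance();
            JCRNodeWrapper group = groupManager.lookupGroup(siteKey, groupName);
            if (group == null) {
                group = groupManager.lookupGroup((String) null, groupName);
            }
            return group;
        }
        return null;
    }

    /**
     * Applies the automated fix for an error, which exists only for {@link ErrorType#INVALID_PRINCIPAL}
     * and only when the node belongs to a session on the {@code default} workspace.
     *
     * <p>The fix removes access grants, and the report itself warns that a principal served by an
     * external source such as an LDAP may be only temporarily missing. The principal is therefore
     * looked up again before anything is removed. This catches a stale report but not a provider
     * that is still unreachable, so the provider's availability should be confirmed before the fix
     * is run.
     *
     * @return {@code true} when the roles were removed and the session saved, {@code false} otherwise
     */
    @Override // org.jahia.modules.contentintegrity.api.ContentIntegrityCheck.SupportsIntegrityErrorFix
    public boolean fixError(JCRNodeWrapper jCRNodeWrapper, ContentIntegrityError contentIntegrityError) throws RepositoryException {
        if (!DEFAULT_WORKSPACE.equals(jCRNodeWrapper.getSession().getWorkspace().getName())) {
            return false;
        }
        Object rawErrorType = contentIntegrityError.getErrorType();
        if (!(rawErrorType instanceof ErrorType)) {
            logger.error("Unexpected error type: {}", rawErrorType);
            return false;
        }
        switch ((ErrorType) rawErrorType) {
            case INVALID_PRINCIPAL:
                return removeRolesOfUnresolvedPrincipal(jCRNodeWrapper);
            case NO_PRINCIPAL:
            default:
                return false;
        }
    }

    /**
     * Removes every role listed on the ACE for its principal, through {@code changeRoles} on the
     * ACE's grandparent node (presumably the node that owns the {@code j:acl}; verify), then saves
     * the session. Nothing is changed when the ACE lacks {@code j:principal} or {@code j:roles}, or
     * when the principal can be resolved at the time of the fix.
     */
    private boolean removeRolesOfUnresolvedPrincipal(JCRNodeWrapper ace) throws RepositoryException {
        if (!ace.hasProperty(J_PRINCIPAL) || !ace.hasProperty(J_ROLES)) {
            return false;
        }
        String principalKey = ace.getPropertyAsString(J_PRINCIPAL);
        JCRSiteNode site = ace.getResolveSite();
        String siteKey = site == null ? null : site.getSiteKey();
        if (getPrincipal(siteKey, principalKey) != null) {
            // The error was recorded earlier; the principal resolves now, so its grants are kept.
            logger.warn("Skipping the fix: the principal {} can be resolved again", principalKey);
            return false;
        }

        JCRPropertyWrapper rolesProperty = ace.getProperty(J_ROLES);
        Map<String, String> roleChanges = new HashMap<>();
        for (JCRValueWrapper roleValue : rolesProperty.getValues()) {
            roleChanges.put(roleValue.getString(), "REMOVE");
        }
        JCRNodeWrapper aclOwner = ace.getParent().getParent();
        if (!aclOwner.changeRoles(principalKey, roleChanges)) {
            return false;
        }
        aclOwner.saveSession();
        return true;
    }
}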
