package org.jahia.modules.securityfilter.impl;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Comparator;
import java.util.Dictionary;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;
import javax.jcr.Node;
import javax.jcr.RepositoryException;
import javax.jcr.security.Privilege;
import org.apache.commons.lang.StringUtils;
import org.apache.jackrabbit.core.security.JahiaPrivilegeRegistry;
import org.jahia.exceptions.JahiaRuntimeException;
import org.jahia.modules.securityfilter.PermissionService;
import org.jahia.modules.securityfilter.impl.Permission;
import org.jahia.services.content.JCRCallback;
import org.jahia.services.content.JCRContentUtils;
import org.jahia.services.content.JCRNodeWrapper;
import org.jahia.services.content.JCRSessionWrapper;
import org.jahia.services.content.JCRTemplate;
import org.osgi.service.cm.ManagedServiceFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.InitializingBean;

/* loaded from: input_file:org/jahia/modules/securityfilter/impl/PermissionsConfig.class */
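/**
 * Holds the API security rules read from OSGi configuration and answers
 * {@link PermissionService#hasPermission(String, Node)} queries against them.
 *
 * <p>Each configuration PID contributes a list of {@link Permission} rules. The lists are
 * merged and sorted by ascending priority, and the <em>first</em> rule whose workspace, API,
 * path and node type filters all match decides the outcome.
 *
 * <p>Security notes for maintainers:
 * <ul>
 *   <li>The evaluation is fail-open: a request that matches no rule is allowed, and so is a
 *       matching rule that sets neither an access type nor a required permission.</li>
 *   <li>Rules with equal priority keep the order in which they were collected. Across PIDs
 *       that order comes from a {@link HashMap} and should not be relied upon.</li>
 * </ul>
 */
public class PermissionsConfig implements PermissionService, ManagedServiceFactory, InitializingBean {
    private static final Logger logger = LoggerFactory.getLogger(PermissionsConfig.class);

    /** Prefix of the configuration keys that describe a rule: {@code permission.<rule>.<property>}. */
    private static final String PERMISSION_KEY_PREFIX = "permission.";

    /**
     * Separator characters for multi-valued properties. {@code StringUtils.split} treats every
     * character of this string as a separator, so values are split on commas and on spaces.
     */
    private static final String VALUE_SEPARATORS = ", ";

    /**
     * Orders rules by ascending priority. Uses {@link Integer#compare(int, int)} because a plain
     * subtraction overflows for priorities far apart and would mis-order first-match evaluation.
     */
    private static final Comparator<Permission> PERMISSION_COMPARATOR = new Comparator<Permission>() {
        @Override
        public int compare(Permission first, Permission second) {
            return Integer.compare(first.getPriority(), second.getPriority());
        }
    };

    // Replaced wholesale by updatePermissions(); volatile so that threads evaluating requests
    // see a freshly published rule list.
    private volatile List<Permission> permissions = new ArrayList<>();

    // NOTE(review): plain HashMap, assumed to be touched only from configuration callbacks
    // (updated/deleted) that do not run concurrently - confirm against the container.
    private final Map<String, List<Permission>> permissionsByPid = new HashMap<>();

    private String restrictedAccessPermissionFallbackName;
    private String restrictedAccessPermissionName;

    /**
     * Tells whether the rule applies to the given API name.
     *
     * @param str the API name being checked
     * @param permission the rule under evaluation
     * @return {@code true} when the rule lists no API, lists this exact API, or lists a parent
     *         of it (the listed name followed by a dot is a prefix of {@code str})
     */
    private static boolean apiMatches(String str, Permission permission) {
        if (permission.getApis().isEmpty()) {
            return true;
        }
        for (String api : permission.getApis()) {
            if (api.equals(str) || str.startsWith(api + ".")) {
                return true;
            }
        }
        return false;
    }

    /**
     * Checks, with a system session, whether a privilege with the given name is registered.
     *
     * @param str the (prefixed) permission name to look up
     * @return {@code true} when a registered privilege has the same expanded name
     * @throws JahiaRuntimeException when the repository lookup fails
     */
    private static boolean checkPermissionExists(final String str) {
        try {
            Boolean found = (Boolean) JCRTemplate.getInstance().doExecuteWithSystemSession(new JCRCallback<Boolean>() {
                // The decompiler had renamed this method; it must be called doInJCR to
                // implement the callback interface.
                public Boolean doInJCR(JCRSessionWrapper session) throws RepositoryException {
                    String expandedName = JCRContentUtils.getExpandedName(str, session.getWorkspace().getNamespaceRegistry());
                    for (Privilege privilege : JahiaPrivilegeRegistry.getRegisteredPrivileges()) {
                        if (privilege.getName().equals(expandedName)) {
                            return Boolean.TRUE;
                        }
                    }
                    return Boolean.FALSE;
                }
            });
            return Boolean.TRUE.equals(found);
        } catch (RepositoryException e) {
            throw new JahiaRuntimeException("Unable to check the presence of the configured permission for the restricted API access: " + str, e);
        }
    }

    /**
     * Tells whether the rule applies to the node's type.
     *
     * @return {@code true} when the rule lists no node type or the node is of one of the listed types
     * @throws RepositoryException when the node type check fails
     */
    private static boolean nodeTypeMatches(Node node, Permission permission) throws RepositoryException {
        if (permission.getNodeTypes().isEmpty()) {
            return true;
        }
        for (String nodeType : permission.getNodeTypes()) {
            if (node.isNodeType(nodeType)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Tells whether the rule applies to the given path.
     *
     * @return {@code true} when the rule lists no pattern or one of its patterns matches the
     *         whole path ({@code Matcher.matches()}, not a partial find)
     */
    private static boolean pathMatches(String str, Permission permission) {
        if (permission.getPathPatterns().isEmpty()) {
            return true;
        }
        for (Pattern pattern : permission.getPathPatterns()) {
            if (pattern.matcher(str).matches()) {
                return true;
            }
        }
        return false;
    }

    /**
     * Tells whether the rule applies to the workspace of the node's session.
     *
     * @throws RepositoryException when the session cannot be obtained from the node
     */
    private static boolean workspaceMatches(Node node, Permission permission) throws RepositoryException {
        return permission.getWorkspaces().isEmpty() || permission.getWorkspaces().contains(node.getSession().getWorkspace().getName());
    }

    private PermissionsConfig() {
    }

    /** Returns the descriptive name of this managed service factory. */
    public String getName() {
        return "API Security configuration";
    }

    /**
     * Parses the rules of one configuration PID and republishes the merged rule list.
     *
     * <p>Keys have the form {@code permission.<rule>.<property>}; the recognised properties are
     * {@code access}, {@code requiredPermission}, {@code nodeType}, {@code api},
     * {@code pathPattern}, {@code workspace} and {@code priority}. Multi-valued properties are
     * split on commas and spaces, so a path pattern containing either character (for example a
     * {@code {1,3}} quantifier) is cut into several patterns.
     *
     * <p>An invalid {@code priority} or {@code pathPattern} makes this method throw before
     * anything is stored, so the rules previously registered for the PID stay in force.
     *
     * @param str the configuration PID
     * @param dictionary the configuration properties; {@code null} registers an empty rule list
     */
    public void updated(String str, Dictionary<String, ?> dictionary) {
        List<Permission> parsed = new ArrayList<>();
        if (dictionary != null) {
            // Group the flat keys per rule name, keeping the order in which they were enumerated.
            Map<String, Map<String, String>> rulesByName = new LinkedHashMap<>();
            Enumeration<String> keys = dictionary.keys();
            while (keys.hasMoreElements()) {
                String key = keys.nextElement();
                if (!StringUtils.startsWith(key, PERMISSION_KEY_PREFIX)) {
                    continue;
                }
                String remainder = StringUtils.substringAfter(key, PERMISSION_KEY_PREFIX);
                String ruleName = StringUtils.substringBefore(remainder, ".");
                Map<String, String> rule = rulesByName.get(ruleName);
                if (rule == null) {
                    rule = new LinkedHashMap<>();
                    rulesByName.put(ruleName, rule);
                }
                rule.put(StringUtils.substringAfter(remainder, "."), (String) dictionary.get(key));
            }
            for (Map<String, String> rule : rulesByName.values()) {
                parsed.add(toPermission(rule));
            }
        }
        this.permissionsByPid.put(str, parsed);
        updatePermissions();
    }

    /** Builds one rule from its property map; properties that are absent keep the rule's defaults. */
    private static Permission toPermission(Map<String, String> rule) {
        Permission permission = new Permission();
        permission.setAccess(rule.get("access"));
        permission.setRequiredPermission(rule.get("requiredPermission"));
        if (rule.containsKey("nodeType")) {
            permission.setNodeTypes(new LinkedHashSet<String>(Arrays.asList(StringUtils.split(rule.get("nodeType"), VALUE_SEPARATORS))));
        }
        if (rule.containsKey("api")) {
            permission.setApis(new LinkedHashSet<String>(Arrays.asList(StringUtils.split(rule.get("api"), VALUE_SEPARATORS))));
        }
        if (rule.containsKey("pathPattern")) {
            LinkedHashSet<Pattern> patterns = new LinkedHashSet<>();
            for (String regex : StringUtils.split(rule.get("pathPattern"), VALUE_SEPARATORS)) {
                patterns.add(Pattern.compile(regex));
            }
            permission.setPathPatterns(patterns);
        }
        if (rule.containsKey("workspace")) {
            permission.setWorkspaces(new HashSet<String>(Arrays.asList(StringUtils.split(rule.get("workspace"), VALUE_SEPARATORS))));
        }
        if (rule.containsKey("priority")) {
            permission.setPriority(Integer.parseInt(rule.get("priority")));
        }
        return permission;
    }

    /**
     * Drops the rules of a removed configuration PID and republishes the merged rule list.
     *
     * @param str the configuration PID
     */
    public void deleted(String str) {
        this.permissionsByPid.remove(str);
        updatePermissions();
    }

    /** Merges the rules of all PIDs, sorts them by priority and publishes the result. */
    private void updatePermissions() {
        List<Permission> merged = new ArrayList<>();
        for (List<Permission> perPid : this.permissionsByPid.values()) {
            merged.addAll(perPid);
        }
        // Stable sort: rules of equal priority keep their collection order.
        Collections.sort(merged, PERMISSION_COMPARATOR);
        this.permissions = merged;
        logger.info("Security configuration reloaded");
    }

    /**
     * Evaluates the configured rules for an API call on a node and logs the decision at debug level.
     *
     * @param str the API name
     * @param node the node the call targets
     * @return {@code true} when access is granted
     * @throws RepositoryException when the node cannot be inspected
     */
    @Override // org.jahia.modules.securityfilter.PermissionService
    public boolean hasPermission(String str, Node node) throws RepositoryException {
        String path = node.getPath();
        boolean granted = hasPermissionInternal(str, path, node);
        logger.debug("Checking api permission '{}' for {}: {}", str, path, granted ? "GRANTED" : "DENIED");
        return granted;
    }

    /**
     * Applies the first rule that matches workspace, API, path and node type.
     *
     * <p>A {@code denied} rule refuses, a {@code restricted} rule requires the restricted-access
     * permission on the node, and any other matching rule requires its
     * {@code requiredPermission} when one is set. The node is cast to {@link JCRNodeWrapper}
     * for those permission checks.
     *
     * @return the decision of the first matching rule, or {@code true} when no rule matches
     */
    private boolean hasPermissionInternal(String str, String str2, Node node) throws RepositoryException {
        for (Permission permission : this.permissions) {
            boolean applies = workspaceMatches(node, permission)
                    && apiMatches(str, permission)
                    && pathMatches(str2, permission)
                    && nodeTypeMatches(node, permission);
            if (!applies) {
                continue;
            }
            if (permission.getAccess() == Permission.AccessType.denied) {
                return false;
            }
            if (permission.getAccess() == Permission.AccessType.restricted) {
                JCRNodeWrapper wrapper = (JCRNodeWrapper) node;
                return wrapper.hasPermission(getRestrictedPermissionName(wrapper));
            }
            // No explicit deny or restriction: only the optional required permission gates access.
            return permission.getRequiredPermission() == null || ((JCRNodeWrapper) node).hasPermission(permission.getRequiredPermission());
        }
        // Fail-open default: calls that match no rule are allowed.
        return true;
    }

    /** Picks the restricted-access permission: the configured one on the default provider, the fallback elsewhere. */
    private String getRestrictedPermissionName(JCRNodeWrapper jCRNodeWrapper) {
        return jCRNodeWrapper.getProvider().isDefault() ? this.restrictedAccessPermissionName : this.restrictedAccessPermissionFallbackName;
    }

    /** Sets the permission used for restricted access when the preferred one is unavailable. */
    public void setRestrictedAccessPermissionFallbackName(String str) {
        this.restrictedAccessPermissionFallbackName = str;
    }

    /** Sets the preferred permission for restricted access. */
    public void setRestrictedAccessPermissionName(String str) {
        this.restrictedAccessPermissionName = str;
    }

    /**
     * Resolves which permission guards restricted access once the bean properties are set.
     *
     * <p>The preferred name is kept when it equals the fallback or when a privilege of that name
     * is registered; otherwise the fallback replaces it.
     *
     * @throws IllegalStateException when no fallback name was configured, since restricted rules
     *         could not then be evaluated against a real permission
     */
    public void afterPropertiesSet() throws Exception {
        String fallback = this.restrictedAccessPermissionFallbackName;
        if (fallback == null) {
            throw new IllegalStateException("restrictedAccessPermissionFallbackName must be configured");
        }
        String preferred = this.restrictedAccessPermissionName;
        if (preferred == null || (!fallback.equals(preferred) && !checkPermissionExists(preferred))) {
            this.restrictedAccessPermissionName = fallback;
        }
        logger.info("Using {} permission for restricted access", this.restrictedAccessPermissionName);
    }
}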
