package org.jahia.services.content;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;
import javax.jcr.InvalidItemStateException;
import javax.jcr.ItemNotFoundException;
import javax.jcr.NodeIterator;
import javax.jcr.PathNotFoundException;
import javax.jcr.RepositoryException;
import javax.jcr.Value;
import javax.jcr.observation.Event;
import javax.jcr.observation.EventIterator;
import org.apache.commons.lang.StringUtils;
import org.apache.solr.client.solrj.response.FacetField;
import org.jahia.content.ObjectKeyInterface;
import org.jahia.services.categories.Category;
import org.jahia.services.content.decorator.JCRGroupNode;
import org.jahia.services.content.decorator.JCRNodeDecorator;
import org.jahia.services.query.QueryResultWrapper;
import org.jahia.services.sites.JahiaSitesService;
import org.jahia.services.usermanager.JahiaGroupManagerService;
import org.jahia.services.usermanager.JahiaUserManagerService;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/jahia/services/content/AclListener.class */
public class AclListener extends DefaultEventListener {
    private static final Pattern CURRENT_SITE_PATTERN = Pattern.compile("^currentSite");
    private static final Logger logger = LoggerFactory.getLogger(AclListener.class);
    private static ThreadLocal<Boolean> inListener = new ThreadLocal<>();
    public static final List<String> PRIVILEGED_GROUPS = Arrays.asList("g:privileged", "g:site-privileged");
    private JCRPublicationService publicationService;
    private JahiaUserManagerService userService;
    private JahiaGroupManagerService groupService;
    private Map<String, String> foundRoles = new HashMap();

    public void setPublicationService(JCRPublicationService jCRPublicationService) {
        this.publicationService = jCRPublicationService;
    }

    public void setUserService(JahiaUserManagerService jahiaUserManagerService) {
        this.userService = jahiaUserManagerService;
    }

    public void setGroupService(JahiaGroupManagerService jahiaGroupManagerService) {
        this.groupService = jahiaGroupManagerService;
    }

    @Override // org.jahia.services.content.DefaultEventListener
    public int getEventTypes() {
        return 31;
    }

    public void onEvent(final EventIterator eventIterator) {
        JCRSessionWrapper session = ((JCREventIterator) eventIterator).getSession();
        try {
            if (inListener.get() == Boolean.TRUE) {
                return;
            }
            try {
                inListener.set(Boolean.TRUE);
                final ArrayList arrayList = new ArrayList();
                while (eventIterator.hasNext()) {
                    Event nextEvent = eventIterator.nextEvent();
                    if (nextEvent.getPath().contains("/j:acl/") || nextEvent.getPath().startsWith("/roles/")) {
                        arrayList.add(nextEvent);
                    }
                }
                if (arrayList.isEmpty()) {
                    inListener.set(Boolean.FALSE);
                } else {
                    JCRTemplate.getInstance().doExecuteWithSystemSessionAsUser(null, session.m257getWorkspace().getName(), session.getLocale(), new JCRCallback<Object>() { // from class: org.jahia.services.content.AclListener.1
                        @Override // org.jahia.services.content.JCRCallback
                        public Object doInJCR(JCRSessionWrapper jCRSessionWrapper) throws RepositoryException {
                            HashSet hashSet = new HashSet();
                            HashSet hashSet2 = new HashSet();
                            HashSet hashSet3 = new HashSet();
                            HashSet hashSet4 = new HashSet();
                            HashSet hashSet5 = new HashSet();
                            HashSet hashSet6 = new HashSet();
                            AclListener.this.parseEvents(jCRSessionWrapper, arrayList, hashSet, hashSet2, hashSet3, hashSet4, hashSet5, hashSet6);
                            AclListener.this.handleAclModifications(jCRSessionWrapper, hashSet, hashSet2, hashSet3, (JCREventIterator) eventIterator);
                            AclListener.this.handleRoleModifications(jCRSessionWrapper, hashSet4, hashSet5);
                            if (hashSet6.size() <= 0) {
                                return null;
                            }
                            AclListener.this.handleRemovedRole(jCRSessionWrapper, hashSet6);
                            JCRTemplate.getInstance().doExecuteWithSystemSessionAsUser(null, "live", null, jCRSessionWrapper2 -> {
                                AclListener.this.handleRemovedRole(jCRSessionWrapper2, hashSet6);
                                return null;
                            });
                            return null;
                        }
                    });
                    inListener.set(Boolean.FALSE);
                }
            } catch (RepositoryException e) {
                logger.error("Cannot propagate external ACL", e);
                inListener.set(Boolean.FALSE);
            }
        } catch (Throwable th) {
            inListener.set(Boolean.FALSE);
            throw th;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void parseEvents(JCRSessionWrapper jCRSessionWrapper, List<Event> list, Set<String> set, Set<String> set2, Set<String> set3, Set<String> set4, Set<List<String>> set5, Set<String> set6) throws RepositoryException {
        String identifier;
        for (Event event : list) {
            if (event.getPath().contains("/j:acl/")) {
                if (event.getType() == 4 || event.getType() == 16) {
                    try {
                        JCRNodeWrapper m254getNodeByIdentifier = jCRSessionWrapper.m254getNodeByIdentifier(event.getIdentifier());
                        if (m254getNodeByIdentifier.isNodeType("jnt:ace") && !m254getNodeByIdentifier.isNodeType("jnt:externalAce") && m254getNodeByIdentifier.mo209getProperty("j:aceType").mo239getValue().getString().equals("GRANT") && (identifier = event.getIdentifier()) != null) {
                            set.add(identifier);
                            if (event.getType() == 4) {
                                set2.add(identifier);
                            }
                        }
                    } catch (ItemNotFoundException e) {
                        logger.error("unable to read node " + event.getPath());
                    }
                } else if (event.getType() == 2 && StringUtils.substringAfterLast(event.getPath(), Category.PATH_DELIMITER).startsWith("GRANT_")) {
                    String identifier2 = event.getIdentifier();
                    if (identifier2 != null) {
                        set.add(identifier2);
                    }
                    set3.add(event.getPath());
                }
            } else if (event.getPath().startsWith("/roles/")) {
                if (event.getType() == 1) {
                    String identifier3 = event.getIdentifier();
                    if (jCRSessionWrapper.m254getNodeByIdentifier(identifier3).isNodeType("jnt:externalPermissions")) {
                        set4.add(identifier3);
                    }
                } else if (event.getType() == 2) {
                    String path = event.getPath();
                    if (path.endsWith("-access")) {
                        set5.add(Arrays.asList(StringUtils.substringAfterLast(StringUtils.substringBeforeLast(path, Category.PATH_DELIMITER), Category.PATH_DELIMITER), StringUtils.substringAfterLast(path, Category.PATH_DELIMITER)));
                    } else {
                        set6.add(StringUtils.substringAfterLast(path, Category.PATH_DELIMITER));
                    }
                }
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void handleAclModifications(final JCRSessionWrapper jCRSessionWrapper, Set<String> set, final Set<String> set2, Set<String> set3, final JCREventIterator jCREventIterator) throws RepositoryException {
        final HashMap hashMap = new HashMap();
        final HashMap hashMap2 = new HashMap();
        HashMap hashMap3 = new HashMap();
        for (final String str : set) {
            final HashSet hashSet = new HashSet();
            JCRNodeWrapper jCRNodeWrapper = null;
            String str2 = null;
            try {
                jCRNodeWrapper = jCRSessionWrapper.m254getNodeByIdentifier(str);
                str2 = jCRNodeWrapper.mo209getProperty("j:principal").getString();
                if (jCRNodeWrapper.hasProperty("j:roles")) {
                    for (JCRValueWrapper jCRValueWrapper : jCRNodeWrapper.mo209getProperty("j:roles").mo238getValues()) {
                        hashSet.add(jCRValueWrapper.getString());
                    }
                } else {
                    logger.warn("Missing roles property for acl on " + jCRNodeWrapper.getPath());
                }
            } catch (InvalidItemStateException e) {
            } catch (ItemNotFoundException e2) {
            }
            if (!set2.contains(str)) {
                NodeIterator nodes = jCRSessionWrapper.m257getWorkspace().m266getQueryManager().createQuery("select * from [jnt:externalAce] as ace where ace.[j:sourceAce] = '" + str + "'", "JCR-SQL2").execute().getNodes();
                while (nodes.hasNext()) {
                    JCRNodeWrapper jCRNodeWrapper2 = (JCRNodeWrapper) nodes.nextNode();
                    if (!hashSet.contains(jCRNodeWrapper2.mo209getProperty("j:roles").mo238getValues()[0].getString())) {
                        ArrayList arrayList = new ArrayList();
                        for (JCRValueWrapper jCRValueWrapper2 : jCRNodeWrapper2.mo209getProperty("j:sourceAce").mo238getValues()) {
                            if (!jCRValueWrapper2.getString().equals(str)) {
                                arrayList.add(jCRValueWrapper2);
                            }
                        }
                        if (arrayList.size() == 0) {
                            jCRNodeWrapper2.remove();
                        } else {
                            jCRNodeWrapper2.mo227setProperty("j:sourceAce", (Value[]) arrayList.toArray(new Value[arrayList.size()]));
                        }
                    }
                }
            }
            if (!hashSet.isEmpty()) {
                if (jCRSessionWrapper.m257getWorkspace().getName().equals("live")) {
                    final JCRNodeWrapper jCRNodeWrapper3 = jCRNodeWrapper;
                    final String str3 = str2;
                    JCRTemplate.getInstance().doExecuteWithSystemSessionAsUser(null, "default", jCRSessionWrapper.getLocale(), new JCRCallback<Object>() { // from class: org.jahia.services.content.AclListener.2
                        @Override // org.jahia.services.content.JCRCallback
                        public Object doInJCR(JCRSessionWrapper jCRSessionWrapper2) throws RepositoryException {
                            AclListener.this.handleAclModifications(jCRSessionWrapper, jCRSessionWrapper2, hashSet, jCRNodeWrapper3, str3, hashMap, hashMap2, new HashMap(), set2.contains(str), jCREventIterator.getOperationType() == 4 || jCREventIterator.getLastOperationType() == 4);
                            return null;
                        }
                    });
                } else {
                    handleAclModifications(jCRSessionWrapper, jCRSessionWrapper, hashSet, jCRNodeWrapper, str2, hashMap, hashMap2, hashMap3, set2.contains(str), false);
                }
            }
        }
        jCRSessionWrapper.save();
        if (!jCRSessionWrapper.m257getWorkspace().getName().equals("live")) {
            for (String str4 : set3) {
                String substringAfterLast = StringUtils.substringAfterLast(str4, Category.PATH_DELIMITER);
                if (!substringAfterLast.startsWith("REF")) {
                    String substringBefore = str4.startsWith("/sites/") ? StringUtils.substringBefore(str4.substring("/sites/".length()), Category.PATH_DELIMITER) : JahiaSitesService.SYSTEM_SITE_KEY;
                    String replaceFirst = StringUtils.substringAfter(substringAfterLast, ObjectKeyInterface.KEY_SEPARATOR).replaceFirst(ObjectKeyInterface.KEY_SEPARATOR, ":");
                    if (replaceFirst.startsWith("jcr:read") || replaceFirst.startsWith("jcr:write")) {
                        replaceFirst = StringUtils.substringAfter(replaceFirst, ObjectKeyInterface.KEY_SEPARATOR).replaceFirst(ObjectKeyInterface.KEY_SEPARATOR, ":");
                    }
                    if (!PRIVILEGED_GROUPS.contains(replaceFirst)) {
                        if (!hashMap2.containsKey(substringBefore)) {
                            hashMap2.put(substringBefore, new HashSet());
                        }
                        hashMap2.get(substringBefore).add(replaceFirst);
                    }
                }
            }
            for (Map.Entry<String, Set<String>> entry : hashMap2.entrySet()) {
                if (hashMap.get(entry.getKey()) != null) {
                    entry.getValue().removeAll(hashMap.get(entry.getKey()));
                }
            }
            HashSet hashSet2 = new HashSet();
            for (Map.Entry<String, Set<String>> entry2 : hashMap2.entrySet()) {
                String key = entry2.getKey();
                JCRGroupNode lookupGroup = this.groupService.lookupGroup(key, JahiaGroupManagerService.SITE_PRIVILEGED_GROUPNAME, jCRSessionWrapper);
                if (lookupGroup != null) {
                    for (String str5 : entry2.getValue()) {
                        JCRNodeWrapper principal = getPrincipal(key, str5);
                        if (principal != null && lookupGroup.isMember(principal)) {
                            ArrayList arrayList2 = new ArrayList();
                            boolean z = false;
                            StringBuilder sb = new StringBuilder();
                            sb.append("select ace.[j:roles] AS [rep:facet(facet.mincount=1)] from [jnt:ace] as ace");
                            sb.append(" where (not ([j:externalPermissionsName] is not null)) and ace.[j:aceType]='GRANT'");
                            sb.append(" and ace.[j:principal] = '");
                            sb.append(str5);
                            sb.append("' and (isdescendantnode(ace, ['/sites/");
                            sb.append(key);
                            sb.append("'])");
                            if (StringUtils.equals(key, JahiaSitesService.SYSTEM_SITE_KEY)) {
                                sb.append(" or isdescendantnode(ace, ['/mounts'])");
                                sb.append(" or isdescendantnode(ace, ['/j:acl'])");
                                sb.append(" or isdescendantnode(ace, ['/groups'])");
                                sb.append(" or isdescendantnode(ace, ['/users'])");
                                sb.append(" or isdescendantnode(ace, ['/modules'])");
                            }
                            sb.append(')');
                            arrayList2.addAll(getRolesName(jCRSessionWrapper, sb.toString()));
                            try {
                                Iterator it = arrayList2.iterator();
                                while (true) {
                                    if (!it.hasNext()) {
                                        break;
                                    }
                                    JCRNodeWrapper role = getRole(jCRSessionWrapper, (String) it.next(), hashMap3);
                                    if (role != null && role.hasProperty("j:privilegedAccess") && role.mo209getProperty("j:privilegedAccess").getBoolean()) {
                                        z = true;
                                        break;
                                    }
                                }
                            } catch (PathNotFoundException e3) {
                            }
                            if (!z) {
                                logger.info(str5 + " do not need privileged access");
                                lookupGroup.removeMember(principal);
                                hashSet2.add(lookupGroup.getPath());
                            }
                        }
                    }
                }
            }
            for (Map.Entry<String, Set<String>> entry3 : hashMap.entrySet()) {
                String key2 = entry3.getKey();
                JCRGroupNode lookupGroup2 = this.groupService.lookupGroup(key2, JahiaGroupManagerService.SITE_PRIVILEGED_GROUPNAME, jCRSessionWrapper);
                if (lookupGroup2 != null) {
                    for (String str6 : entry3.getValue()) {
                        JCRNodeWrapper principal2 = getPrincipal(key2, str6);
                        if (principal2 != null) {
                            if (lookupGroup2.getMembers().stream().filter(jCRNodeWrapper4 -> {
                                return jCRNodeWrapper4.getPath().equals(principal2.getPath());
                            }).findAny().isPresent()) {
                                if (hashSet2.contains(lookupGroup2.getPath())) {
                                    jCRSessionWrapper.save();
                                    hashSet2.clear();
                                    if (lookupGroup2.isMember(principal2)) {
                                    }
                                }
                            }
                            logger.info(str6 + " need privileged access");
                            lookupGroup2.addMember(principal2);
                        }
                    }
                }
            }
        }
        jCRSessionWrapper.save();
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void handleAclModifications(JCRSessionWrapper jCRSessionWrapper, JCRSessionWrapper jCRSessionWrapper2, Set<String> set, JCRNodeWrapper jCRNodeWrapper, String str, Map<String, Set<String>> map, Map<String, Set<String>> map2, Map<String, JCRNodeWrapper> map3, boolean z, boolean z2) throws RepositoryException {
        boolean z3 = false;
        for (String str2 : set) {
            JCRNodeWrapper role = getRole(jCRSessionWrapper2, str2, map3);
            if (role != null) {
                do {
                    JCRNodeIteratorWrapper mo212getNodes = role.mo212getNodes();
                    while (mo212getNodes.hasNext()) {
                        JCRNodeWrapper jCRNodeWrapper2 = (JCRNodeWrapper) mo212getNodes.nextNode();
                        if (jCRNodeWrapper2.isNodeType("jnt:externalPermissions")) {
                            if (z2) {
                                publishExternalACE(jCRSessionWrapper2, jCRNodeWrapper, str, str2, jCRNodeWrapper2);
                            } else {
                                createOrUpdateExternalACE(jCRSessionWrapper, jCRNodeWrapper, str, str2, jCRNodeWrapper2);
                            }
                        }
                    }
                    if (role.hasProperty("j:privilegedAccess") && role.mo209getProperty("j:privilegedAccess").getBoolean()) {
                        z3 = true;
                    }
                    role = role.mo195getParent();
                } while (role.isNodeType("jnt:role"));
            }
        }
        if (jCRSessionWrapper.m257getWorkspace().getName().equals("live") || PRIVILEGED_GROUPS.contains(str)) {
            return;
        }
        if (z3 || !z) {
            Map<String, Set<String>> map4 = z3 ? map : map2;
            if (!map4.containsKey(jCRNodeWrapper.getResolveSite().getSiteKey())) {
                map4.put(jCRNodeWrapper.getResolveSite().getSiteKey(), new HashSet());
            }
            map4.get(jCRNodeWrapper.getResolveSite().getSiteKey()).add(str);
        }
    }

    private JCRNodeWrapper getRole(JCRSessionWrapper jCRSessionWrapper, String str, Map<String, JCRNodeWrapper> map) throws RepositoryException {
        if (map.containsKey(str)) {
            return map.get(str);
        }
        if (this.foundRoles.containsKey(str) && jCRSessionWrapper.itemExists(this.foundRoles.get(str))) {
            JCRNodeWrapper m252getNode = jCRSessionWrapper.m252getNode(this.foundRoles.get(str));
            map.put(str, m252getNode);
            return m252getNode;
        }
        JCRNodeIteratorWrapper mo470getNodes = jCRSessionWrapper.m257getWorkspace().m266getQueryManager().mo279createQuery("select * from [jnt:role] as r where localname()='" + JCRContentUtils.sqlEncode(str) + "' and isdescendantnode(r,['/roles'])", "JCR-SQL2").m475execute().mo470getNodes();
        if (!mo470getNodes.hasNext()) {
            map.put(str, null);
            this.foundRoles.remove(str);
            return null;
        }
        JCRNodeWrapper jCRNodeWrapper = (JCRNodeWrapper) mo470getNodes.nextNode();
        map.put(str, jCRNodeWrapper);
        this.foundRoles.put(str, jCRNodeWrapper.getPath());
        return jCRNodeWrapper;
    }

    private JCRNodeWrapper getPrincipal(String str, String str2) {
        JCRNodeDecorator jCRNodeDecorator = null;
        String substring = str2.substring(2);
        if (str2.startsWith("u:")) {
            jCRNodeDecorator = this.userService.lookupUser(substring, str);
        } else if (str2.startsWith("g:")) {
            jCRNodeDecorator = this.groupService.lookupGroup(str, substring);
            if (jCRNodeDecorator == null) {
                jCRNodeDecorator = this.groupService.lookupGroup(null, substring);
            }
        }
        return jCRNodeDecorator;
    }

    private List<String> getRolesName(JCRSessionWrapper jCRSessionWrapper, String str) throws RepositoryException {
        QueryManagerWrapper m266getQueryManager = jCRSessionWrapper.m257getWorkspace().m266getQueryManager();
        ArrayList arrayList = new ArrayList();
        for (FacetField facetField : ((QueryResultWrapper) m266getQueryManager.createQuery(str, "JCR-SQL2").execute()).getFacetFields()) {
            if (facetField.getValues() != null) {
                Iterator it = facetField.getValues().iterator();
                while (it.hasNext()) {
                    arrayList.add(((FacetField.Count) it.next()).getName());
                }
            }
        }
        return arrayList;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void handleRoleModifications(JCRSessionWrapper jCRSessionWrapper, Set<String> set, Set<List<String>> set2) {
        Iterator<String> it = set.iterator();
        while (it.hasNext()) {
            try {
                JCRNodeWrapper m254getNodeByIdentifier = jCRSessionWrapper.m254getNodeByIdentifier(it.next());
                QueryManagerWrapper m266getQueryManager = jCRSessionWrapper.m257getWorkspace().m266getQueryManager();
                String name2 = m254getNodeByIdentifier.mo195getParent().getName();
                NodeIterator nodes = m266getQueryManager.createQuery("select * from [jnt:ace] as ace where ace.[j:roles] = '" + JCRContentUtils.sqlEncode(name2) + "'", "JCR-SQL2").execute().getNodes();
                while (nodes.hasNext()) {
                    JCRNodeWrapper jCRNodeWrapper = (JCRNodeWrapper) nodes.nextNode();
                    if (!jCRNodeWrapper.isNodeType("jnt:externalAce")) {
                        createOrUpdateExternalACE(jCRSessionWrapper, jCRNodeWrapper, jCRNodeWrapper.mo209getProperty("j:principal").getString(), name2, m254getNodeByIdentifier);
                    }
                }
                jCRSessionWrapper.save();
            } catch (RepositoryException e) {
                logger.error("Cannot create or update external ACE", e);
            }
        }
        for (List<String> list : set2) {
            try {
                NodeIterator nodes2 = jCRSessionWrapper.m257getWorkspace().m266getQueryManager().createQuery("select * from [jnt:externalAce] as ace where ace.[j:roles] = '" + JCRContentUtils.sqlEncode(list.get(0)) + "' and ace.[j:externalPermissionsName] ='" + JCRContentUtils.sqlEncode(list.get(1)) + "'", "JCR-SQL2").execute().getNodes();
                while (nodes2.hasNext()) {
                    ((JCRNodeWrapper) nodes2.nextNode()).remove();
                }
                jCRSessionWrapper.save();
            } catch (RepositoryException e2) {
                logger.error("Cannot remove external ACE", e2);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void handleRemovedRole(JCRSessionWrapper jCRSessionWrapper, Set<String> set) {
        for (String str : set) {
            try {
                NodeIterator nodes = jCRSessionWrapper.m257getWorkspace().m266getQueryManager().createQuery("select * from [jnt:ace] as ace where ace.[j:roles] = '" + JCRContentUtils.sqlEncode(str) + "'", "JCR-SQL2").execute().getNodes();
                while (nodes.hasNext()) {
                    JCRNodeWrapper jCRNodeWrapper = (JCRNodeWrapper) nodes.nextNode();
                    if (!jCRNodeWrapper.isNodeType("jnt:externalAce")) {
                        JCRValueWrapper[] mo238getValues = jCRNodeWrapper.mo209getProperty("j:roles").mo238getValues();
                        ArrayList arrayList = new ArrayList();
                        for (JCRValueWrapper jCRValueWrapper : mo238getValues) {
                            String string = jCRValueWrapper.getString();
                            if (!str.equals(string)) {
                                arrayList.add(string);
                            }
                        }
                        if (arrayList.isEmpty()) {
                            jCRNodeWrapper.remove();
                        } else {
                            jCRNodeWrapper.mo225setProperty("j:roles", (String[]) arrayList.toArray(new String[arrayList.size()]));
                        }
                    }
                }
                jCRSessionWrapper.save();
            } catch (RepositoryException e) {
                logger.error("Cannot remove external ACE", e);
            }
        }
    }

    private void createOrUpdateExternalACE(JCRSessionWrapper jCRSessionWrapper, JCRNodeWrapper jCRNodeWrapper, String str, String str2, JCRNodeWrapper jCRNodeWrapper2) throws RepositoryException {
        JCRNodeWrapper refAclNode = getRefAclNode(jCRSessionWrapper, jCRNodeWrapper, str2, jCRNodeWrapper2);
        if (refAclNode == null) {
            return;
        }
        if (!refAclNode.hasNode("j:acl")) {
            refAclNode.addMixin("jmix:accessControlled");
            refAclNode.mo230addNode("j:acl", "jnt:acl");
        }
        JCRNodeWrapper principal = getPrincipal(jCRNodeWrapper.getResolveSite().getSiteKey(), str);
        if (principal == null || principal.getResolveSite() == null) {
            return;
        }
        if (principal.getResolveSite().getSiteKey().equals(JahiaSitesService.SYSTEM_SITE_KEY) || principal.getResolveSite().getSiteKey().equals(refAclNode.getResolveSite().getSiteKey())) {
            JCRNodeWrapper mo213getNode = refAclNode.mo213getNode("j:acl");
            String str3 = "REF" + str2 + ObjectKeyInterface.KEY_SEPARATOR + jCRNodeWrapper2.getName() + ObjectKeyInterface.KEY_SEPARATOR + JCRContentUtils.replaceColon(str);
            if (mo213getNode.hasNode(str3)) {
                JCRNodeWrapper mo213getNode2 = mo213getNode.mo213getNode(str3);
                if (mo213getNode2.hasProperty("j:sourceAce")) {
                    mo213getNode2.mo209getProperty("j:sourceAce").addValue(jCRSessionWrapper.getValueFactory().createValue(jCRNodeWrapper, true));
                    return;
                } else {
                    mo213getNode2.mo227setProperty("j:sourceAce", new Value[]{jCRSessionWrapper.getValueFactory().createValue(jCRNodeWrapper, true)});
                    return;
                }
            }
            JCRNodeWrapper mo230addNode = mo213getNode.mo230addNode(str3, "jnt:externalAce");
            mo230addNode.mo223setProperty("j:aceType", "GRANT");
            mo230addNode.mo223setProperty("j:principal", str);
            mo230addNode.mo225setProperty("j:roles", new String[]{str2});
            mo230addNode.mo223setProperty("j:externalPermissionsName", jCRNodeWrapper2.getName());
            mo230addNode.mo219setProperty("j:protected", true);
            mo230addNode.mo227setProperty("j:sourceAce", new Value[]{jCRSessionWrapper.getValueFactory().createValue(jCRNodeWrapper, true)});
        }
    }

    private void publishExternalACE(JCRSessionWrapper jCRSessionWrapper, JCRNodeWrapper jCRNodeWrapper, String str, String str2, JCRNodeWrapper jCRNodeWrapper2) throws RepositoryException {
        JCRNodeWrapper refAclNode = getRefAclNode(jCRSessionWrapper, jCRNodeWrapper, str2, jCRNodeWrapper2);
        if (refAclNode == null) {
            return;
        }
        String str3 = "REF" + str2 + ObjectKeyInterface.KEY_SEPARATOR + jCRNodeWrapper2.getName() + ObjectKeyInterface.KEY_SEPARATOR + JCRContentUtils.replaceColon(str);
        if (refAclNode.hasNode("j:acl/" + str3)) {
            this.publicationService.publishByMainId(refAclNode.mo213getNode("j:acl").mo213getNode(str3).getIdentifier());
        }
    }

    public JCRNodeWrapper getRefAclNode(JCRSessionWrapper jCRSessionWrapper, JCRNodeWrapper jCRNodeWrapper, String str, JCRNodeWrapper jCRNodeWrapper2) throws RepositoryException {
        String replaceFirst = CURRENT_SITE_PATTERN.matcher(jCRNodeWrapper2.mo209getProperty("j:path").getString()).replaceFirst(jCRNodeWrapper.getResolveSite().getPath());
        if (jCRSessionWrapper.nodeExists(replaceFirst)) {
            if (logger.isDebugEnabled()) {
                logger.debug(jCRNodeWrapper.getPath() + " / " + str + " ---> " + jCRNodeWrapper2.getName() + " on " + replaceFirst);
            }
            return jCRSessionWrapper.m252getNode(replaceFirst);
        }
        if (!logger.isDebugEnabled()) {
            return null;
        }
        logger.debug("Cannot create or update external ACE " + jCRNodeWrapper2.getName() + " because the node " + replaceFirst + "doesn't exist.");
        return null;
    }
}
