package org.nuxeo.ecm.core.repository.jcr;

import java.util.Iterator;
import javax.jcr.ItemExistsException;
import javax.jcr.Node;
import javax.jcr.NodeIterator;
import javax.jcr.PathNotFoundException;
import javax.jcr.RepositoryException;
import javax.jcr.Value;
import org.apache.jackrabbit.util.ISO9075;
import org.nuxeo.ecm.core.api.DocumentException;
import org.nuxeo.ecm.core.api.security.ACE;
import org.nuxeo.ecm.core.api.security.ACL;
import org.nuxeo.ecm.core.api.security.ACP;
import org.nuxeo.ecm.core.api.security.Access;
import org.nuxeo.ecm.core.api.security.impl.ACLImpl;
import org.nuxeo.ecm.core.api.security.impl.ACPImpl;
import org.nuxeo.ecm.core.model.Document;
import org.nuxeo.ecm.core.model.Session;
import org.nuxeo.ecm.core.security.SecurityException;
import org.nuxeo.ecm.core.security.SecurityManager;

/* loaded from: input_file:org/nuxeo/ecm/core/repository/jcr/JCRSecurityManager.class */
public class JCRSecurityManager implements SecurityManager {
    public void invalidateCache(Session session) {
    }

    public boolean checkPermission(Document document, String str, String str2) throws SecurityException {
        return getAccess(document, str, str2).toBoolean();
    }

    public Access getAccess(Document document, String str, String str2) throws SecurityException {
        ACP mergedACP = getMergedACP(document);
        return mergedACP != null ? mergedACP.getAccess(str, str2) : Access.UNKNOWN;
    }

    public ACP getMergedACP(Document document) throws SecurityException {
        try {
            ACL inheritedACLs = getInheritedACLs(document);
            ACP acp = getACP(document);
            if (document.getParent() == null) {
                return acp;
            }
            if (acp == null) {
                if (inheritedACLs == null) {
                    return null;
                }
                acp = new ACPImpl();
            }
            if (inheritedACLs != null) {
                acp.addACL(inheritedACLs);
            }
            return acp;
        } catch (DocumentException e) {
            throw new SecurityException("Failed to get merged acp", e);
        }
    }

    public ACP getACP(Document document) throws SecurityException {
        Node aCPNode = getACPNode(((JCRDocument) document).getNode(), false);
        if (aCPNode == null) {
            return null;
        }
        ACPImpl aCPImpl = new ACPImpl();
        collectOwners(aCPImpl, aCPNode);
        collectACLs(aCPImpl, aCPNode);
        return aCPImpl;
    }

    public void setACP(Document document, ACP acp, boolean z) throws SecurityException {
        if (z) {
            replaceACP(document, acp);
        } else {
            updateACP(document, acp);
        }
    }

    public void replaceACP(Document document, ACP acp) throws SecurityException {
        if (acp == null) {
            removeACP(document);
            return;
        }
        try {
            Node node = ((JCRDocument) document).getNode();
            Node aCPNode = getACPNode(node, false);
            if (aCPNode != null) {
                aCPNode.remove();
            }
            writeACP(node.addNode(NodeConstants.ECM_ACP.rawname, NodeConstants.ECM_NT_ACP.rawname), acp);
        } catch (RepositoryException e) {
            throw new SecurityException("Failed to write ACP", e);
        }
    }

    public void updateACP(Document document, ACP acp) throws SecurityException {
        if (acp == null) {
            return;
        }
        try {
            Node node = ((JCRDocument) document).getNode();
            Node aCPNode = getACPNode(node, false);
            if (aCPNode == null) {
                writeACP(node.addNode(NodeConstants.ECM_ACP.rawname, NodeConstants.ECM_NT_ACP.rawname), acp);
            } else {
                String[] owners = acp.getOwners();
                if (owners != null) {
                    writeOwners(aCPNode, owners);
                }
                for (ACL acl : acp.getACLs()) {
                    updateACL(getACLNode(aCPNode, acl.getName(), true), acl);
                }
            }
        } catch (DocumentException e) {
            throw new SecurityException("Failed to write ACP", e);
        } catch (RepositoryException e2) {
            throw new SecurityException("Failed to write ACP", e2);
        }
    }

    private static void collectOwners(ACP acp, Node node) throws SecurityException {
        try {
            for (Value value : node.getProperty(NodeConstants.ECM_OWNERS.rawname).getValues()) {
                acp.addOwner(value.getString());
            }
        } catch (PathNotFoundException e) {
        } catch (RepositoryException e2) {
            throw new SecurityException("Failed to collect ACP owners", e2);
        }
    }

    private void collectACLs(ACP acp, Node node) throws SecurityException {
        try {
            NodeIterator nodes = node.getNodes();
            while (nodes.hasNext()) {
                Node nextNode = nodes.nextNode();
                ACLImpl aCLImpl = new ACLImpl(nextNode.getName());
                collectACEs(aCLImpl, nextNode);
                acp.addACL(aCLImpl);
            }
        } catch (RepositoryException e) {
            throw new SecurityException("Failed to collect ACEs", e);
        }
    }

    private static void collectACEs(ACL acl, Node node) throws SecurityException {
        try {
            NodeIterator nodes = node.getNodes();
            while (nodes.hasNext()) {
                acl.add(getACE(nodes.nextNode()));
            }
        } catch (RepositoryException e) {
            throw new SecurityException("cannot get ACEs", e);
        }
    }

    private static ACE getACE(Node node) throws SecurityException {
        try {
            return new ACE(node.getProperty(NodeConstants.ECM_PRINCIPAL.rawname).getString(), node.getProperty(NodeConstants.ECM_PERMISSION.rawname).getString(), node.getProperty(NodeConstants.ECM_TYPE.rawname).getBoolean());
        } catch (RepositoryException e) {
            throw new SecurityException("Failed to get ACE type", e);
        }
    }

    private static void writeACP(Node node, ACP acp) throws SecurityException {
        writeOwners(node, acp.getOwners());
        for (ACL acl : acp.getACLs()) {
            if (!"inherited".equals(acl.getName())) {
                writeACL(node, acl);
            }
        }
    }

    private static void writeOwners(Node node, String[] strArr) throws SecurityException {
        try {
            node.setProperty(NodeConstants.ECM_OWNERS.rawname, strArr);
        } catch (RepositoryException e) {
            throw new SecurityException("Failed to write ACP", e);
        }
    }

    private static void writeACL(Node node, ACL acl) throws SecurityException {
        try {
            Node addNode = node.addNode(acl.getName(), NodeConstants.ECM_NT_ACL.rawname);
            Iterator it = acl.iterator();
            while (it.hasNext()) {
                ACE ace = (ACE) it.next();
                try {
                    Node addNode2 = addNode.addNode(ISO9075.encode(ace.getUsername()) + '@' + ace.getPermission(), NodeConstants.ECM_NT_ACE.rawname);
                    addNode2.setProperty(NodeConstants.ECM_PRINCIPAL.rawname, ace.getUsername());
                    addNode2.setProperty(NodeConstants.ECM_PERMISSION.rawname, ace.getPermission());
                    addNode2.setProperty(NodeConstants.ECM_TYPE.rawname, ace.isGranted());
                } catch (ItemExistsException e) {
                }
            }
        } catch (RepositoryException e2) {
            throw new SecurityException("Failed to write ACL", e2);
        }
    }

    private static void updateACL(Node node, ACL acl) throws SecurityException {
        try {
            Iterator it = acl.iterator();
            while (it.hasNext()) {
                ACE ace = (ACE) it.next();
                String str = ISO9075.encode(ace.getUsername()) + '@' + ace.getPermission();
                if (node.hasNode(str)) {
                    node.getNode(str).remove();
                }
                Node addNode = node.addNode(str, NodeConstants.ECM_NT_ACE.rawname);
                addNode.setProperty(NodeConstants.ECM_PRINCIPAL.rawname, ace.getUsername());
                addNode.setProperty(NodeConstants.ECM_PERMISSION.rawname, ace.getPermission());
                addNode.setProperty(NodeConstants.ECM_TYPE.rawname, ace.isGranted());
            }
        } catch (RepositoryException e) {
            throw new SecurityException("Failed to write ACL", e);
        }
    }

    private static Node getACPNode(Node node, boolean z) throws SecurityException {
        try {
            if (node.hasNode(NodeConstants.ECM_ACP.rawname)) {
                return node.getNode(NodeConstants.ECM_ACP.rawname);
            }
            if (z) {
                return node.addNode(NodeConstants.ECM_ACP.rawname, NodeConstants.ECM_NT_ACP.rawname);
            }
            return null;
        } catch (RepositoryException e) {
            throw new SecurityException("cannot get ACP", e);
        }
    }

    public static void setACL(Document document, ACL acl, String str) throws DocumentException, RepositoryException {
        if (acl == null) {
            return;
        }
        Node aCPNode = getACPNode(((JCRDocument) document).getNode(), true);
        Node aCLNode = getACLNode(aCPNode, acl.getName(), false);
        if (aCLNode != null) {
            aCLNode.remove();
        }
        writeACL(aCPNode, acl);
        if (str != null) {
            aCPNode.orderBefore(acl.getName(), str);
        }
    }

    public static ACL getACL(Document document, String str) throws DocumentException {
        Node aCPNode = getACPNode(((JCRDocument) document).getNode(), false);
        if (aCPNode == null) {
            return null;
        }
        Node aCLNode = getACLNode(aCPNode, str, false);
        ACLImpl aCLImpl = new ACLImpl(str);
        collectACEs(aCLImpl, aCLNode);
        return aCLImpl;
    }

    private static Node getACLNode(Node node, String str, boolean z) throws DocumentException {
        try {
            if (node.hasNode(str)) {
                return node.getNode(str);
            }
            if (z) {
                return node.addNode(str, NodeConstants.ECM_NT_ACL.rawname);
            }
            return null;
        } catch (RepositoryException e) {
            throw new DocumentException("cannot get ACP", e);
        }
    }

    public static boolean hasACL(Document document, String str) throws DocumentException {
        Node aCPNode = getACPNode(((JCRDocument) document).getNode(), false);
        if (aCPNode == null) {
            return false;
        }
        try {
            return aCPNode.hasNode(str);
        } catch (RepositoryException e) {
            throw new DocumentException("Failed to check acl node", e);
        }
    }

    public static void removeACP(Document document) throws SecurityException {
        Node aCPNode = getACPNode(((JCRDocument) document).getNode(), false);
        if (aCPNode != null) {
            try {
                aCPNode.remove();
            } catch (RepositoryException e) {
                throw new SecurityException("Failed to remove acp node", e);
            }
        }
    }

    public static void removeACL(Document document, String str) throws DocumentException {
        Node aCLNode;
        Node aCPNode = getACPNode(((JCRDocument) document).getNode(), false);
        if (aCPNode == null || (aCLNode = getACLNode(aCPNode, str, false)) == null) {
            return;
        }
        try {
            aCLNode.remove();
        } catch (RepositoryException e) {
            throw new DocumentException("Failed to remove acl node", e);
        }
    }

    public ACL getInheritedACLs(Document document) throws DocumentException {
        ACL acl = null;
        Document parent = document.getParent();
        while (true) {
            Document document2 = parent;
            if (document2 == null) {
                break;
            }
            ACP acp = getACP(document2);
            if (acp != null) {
                ACL mergedACLs = acp.getMergedACLs("inherited");
                if (mergedACLs != null) {
                    if (acl == null) {
                        acl = mergedACLs;
                    } else {
                        acl.addAll(mergedACLs);
                    }
                }
                if (acp.getAccess("Everyone", "Everything") == Access.DENY) {
                    break;
                }
            }
            parent = document2.getParent();
        }
        return acl;
    }
}
