package org.nuxeo.ecm.core.security;

import java.net.URL;
import java.security.Principal;
import java.util.Iterator;
import java.util.List;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.nuxeo.ecm.core.api.NuxeoPrincipal;
import org.nuxeo.ecm.core.api.security.ACP;
import org.nuxeo.ecm.core.api.security.Access;
import org.nuxeo.ecm.core.api.security.SecurityConstants;
import org.nuxeo.ecm.core.model.Document;
import org.nuxeo.ecm.core.model.Session;
import org.nuxeo.runtime.model.ComponentContext;
import org.nuxeo.runtime.model.ComponentName;
import org.nuxeo.runtime.model.DefaultComponent;
import org.nuxeo.runtime.model.RuntimeContext;

/* loaded from: input_file:org/nuxeo/ecm/core/security/SecurityService.class */
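/**
 * Runtime component that answers "may this principal perform this permission on this document?".
 *
 * <p>On activation it loads the permission definitions from a bundled {@code permissions.xml}
 * into a {@link DefaultPermissionProvider}. Permission checks then combine three inputs: a
 * hard-coded bypass for the principal named {@code "system"}, the document lock, and the
 * document's access-control data obtained from the repository's security manager.
 *
 * <p>NOTE(review): the {@code "system"} bypass is decided purely on the string returned by
 * {@link Principal#getName()}. This class does not verify how the principal was authenticated,
 * so the login layer must guarantee that no ordinary account can carry that name. Confirm
 * against the authentication configuration.
 */
public class SecurityService extends DefaultComponent implements SecurityConstants {
    public static final ComponentName NAME = new ComponentName("org.nuxeo.ecm.core.security.SecurityService");
    private static final Log log = LogFactory.getLog(SecurityService.class);
    // Set in activate(), cleared in deactivate(); null outside that window.
    private PermissionProvider permissionProvider;

    /**
     * Creates the permission provider and loads the permission definitions.
     *
     * <p>Looks for {@code OSGI-INF/permissions.xml} first and falls back to
     * {@code permissions.xml}. If neither exists the provider stays empty and an error is logged.
     *
     * @param componentContext the runtime context of this component
     * @throws Exception if the superclass activation or the loading of the file fails
     */
    public void activate(ComponentContext componentContext) throws Exception {
        super.activate(componentContext);
        DefaultPermissionProvider provider = new DefaultPermissionProvider();
        // Publish the provider before loading, as before: a failed load leaves an empty provider.
        this.permissionProvider = provider;
        RuntimeContext runtimeContext = componentContext.getRuntimeContext();
        URL localResource = runtimeContext.getLocalResource("OSGI-INF/permissions.xml");
        if (localResource == null) {
            localResource = runtimeContext.getLocalResource("permissions.xml");
        }
        if (localResource == null) {
            log.error("No permissions file found. Only Everything permission is available.");
            return;
        }
        // The stream was previously never closed; release it whether or not load() succeeds.
        java.io.InputStream in = localResource.openStream();
        try {
            provider.load(in);
        } finally {
            try {
                in.close();
            } catch (java.io.IOException e) {
                log.debug("Failed to close permissions file stream", e);
            }
        }
    }

    /**
     * Drops the permission provider when the component is stopped.
     *
     * @param componentContext the runtime context of this component
     * @throws Exception if the superclass deactivation fails
     */
    public void deactivate(ComponentContext componentContext) throws Exception {
        super.deactivate(componentContext);
        this.permissionProvider = null;
    }

    /**
     * @return the current permission provider, or {@code null} when the component is not active
     */
    public PermissionProvider getPermissionProvider() {
        return this.permissionProvider;
    }

    /**
     * Asks the repository's security manager to invalidate its cache for the given session.
     *
     * @param session the session whose repository security cache is invalidated
     * @param str unused by this implementation
     */
    public void invalidateCache(Session session, String str) {
        session.getRepository().getSecurityManager().invalidateCache(session);
    }

    /**
     * Checks a permission against the merged ACP of the document.
     *
     * <p>Order of evaluation: the {@code "system"} principal is always granted; a lock held by
     * another user denies {@code "Write"}; otherwise the merged ACP is queried with the principal
     * name plus its groups and the permission plus its permission groups. A missing merged ACP
     * denies access.
     *
     * @param document the document being accessed
     * @param principal the caller; a principal without a name is denied
     * @param str the permission name to check
     * @return {@code true} if access is granted
     * @throws SecurityException if the security manager fails
     */
    public boolean checkPermission(Document document, Principal principal, String str) throws SecurityException {
        String name = principal.getName();
        if (name == null) {
            // ACP entries are matched by name, so a nameless principal can match nothing: deny.
            return false;
        }
        if ("system".equals(name)) {
            return true;
        }
        if (isWriteBlockedByForeignLock(document, name, str)) {
            return false;
        }
        ACP mergedACP = document.getSession().getRepository().getSecurityManager().getMergedACP(document);
        if (mergedACP == null) {
            return false;
        }
        // Only NuxeoPrincipal exposes groups. Any other Principal is checked by name alone
        // instead of failing with a ClassCastException (same rule as checkPermissionOld).
        String[] principalsToCheck;
        if (principal instanceof NuxeoPrincipal) {
            principalsToCheck = getPrincipalsToCheck((NuxeoPrincipal) principal);
        } else {
            principalsToCheck = new String[]{name};
        }
        return mergedACP.getAccess(principalsToCheck, getPermissionsToCheck(str)).toBoolean();
    }

    /**
     * Expands a permission into the list of names that can grant it.
     *
     * @param str the permission name
     * @return the permission itself followed by the permission groups the provider reports for it
     */
    public String[] getPermissionsToCheck(String str) {
        String[] permissionGroups = this.permissionProvider.getPermissionGroups(str);
        if (permissionGroups == null) {
            return new String[]{str};
        }
        String[] expanded = new String[permissionGroups.length + 1];
        expanded[0] = str;
        System.arraycopy(permissionGroups, 0, expanded, 1, permissionGroups.length);
        return expanded;
    }

    /**
     * Expands a principal into the list of names an access entry may refer to.
     *
     * @param nuxeoPrincipal the principal to expand
     * @return the principal name followed by all of its groups
     */
    protected String[] getPrincipalsToCheck(NuxeoPrincipal nuxeoPrincipal) {
        List<String> allGroups = nuxeoPrincipal.getAllGroups();
        if (allGroups == null) {
            return new String[]{nuxeoPrincipal.getName()};
        }
        String[] groups = allGroups.toArray(new String[allGroups.size()]);
        String[] expanded = new String[groups.length + 1];
        expanded[0] = nuxeoPrincipal.getName();
        System.arraycopy(groups, 0, expanded, 1, groups.length);
        return expanded;
    }

    /**
     * Older permission check that queries the security manager entry by entry.
     *
     * <p>The user name is checked first; only if that yields {@link Access#UNKNOWN} are the
     * groups tried, in list order, and the first answer other than {@code UNKNOWN} wins. This
     * ordering can give a different result from {@link #checkPermission}, which evaluates the
     * merged ACP in one call.
     *
     * @param document the document being accessed
     * @param principal the caller; a principal without a name is denied
     * @param str the permission name to check
     * @return {@code true} if access is granted
     * @throws SecurityException if the security manager fails
     */
    public boolean checkPermissionOld(Document document, Principal principal, String str) throws SecurityException {
        String name = principal.getName();
        if (name == null) {
            // Access entries are matched by name, so a nameless principal can match nothing: deny.
            return false;
        }
        if ("system".equals(name)) {
            return true;
        }
        if (isWriteBlockedByForeignLock(document, name, str)) {
            return false;
        }
        SecurityManager securityManager = document.getSession().getRepository().getSecurityManager();
        Access access = checkPermissionForUser(securityManager, document, name, str);
        if (access == Access.UNKNOWN && principal instanceof NuxeoPrincipal) {
            List<String> allGroups = ((NuxeoPrincipal) principal).getAllGroups();
            if (allGroups != null) {
                for (String group : allGroups) {
                    access = checkPermissionForUser(securityManager, document, group, str);
                    if (access != Access.UNKNOWN) {
                        break;
                    }
                }
            }
        }
        return access.toBoolean();
    }

    /**
     * Tells whether a lock owned by someone else forbids the requested permission.
     *
     * <p>NOTE(review): two properties of this check deserve a second look. It fails open: if the
     * lock cannot be read, the failure is logged at debug level and the request continues to the
     * ACL check. It also matches only the exact permission name {@code "Write"}; whether other
     * permissions that imply writing should be blocked by a lock too cannot be decided from this
     * class. Confirm against the permission definitions.
     *
     * @param document the document whose lock is inspected
     * @param name the non-null name of the calling principal
     * @param permission the permission being checked
     * @return {@code true} only when the document is locked by another user and {@code "Write"} is requested
     */
    private boolean isWriteBlockedByForeignLock(Document document, String name, String permission) {
        try {
            String lock = document.getLock();
            // The lock value is expected to start with "<owner>:"; anything else means another owner.
            boolean lockedByOther = lock != null && !lock.startsWith(name + ':');
            return lockedByOther && "Write".equals(permission);
        } catch (Exception e) {
            log.debug("Failed to get lock status on document ", e);
            return false;
        }
    }

    /**
     * Resolves the access of one user or group name for a permission, trying the permission
     * itself first and then each of its permission groups.
     *
     * @param securityManager the security manager to query
     * @param document the document being accessed
     * @param str the user or group name
     * @param str2 the permission name
     * @return the first answer other than {@link Access#UNKNOWN}, or {@code UNKNOWN} if there is none
     * @throws SecurityException if the security manager fails
     */
    private Access checkPermissionForUser(SecurityManager securityManager, Document document, String str, String str2) throws SecurityException {
        Access direct = securityManager.getAccess(document, str, str2);
        if (direct != Access.UNKNOWN) {
            return direct;
        }
        String[] permissionGroups = this.permissionProvider.getPermissionGroups(str2);
        if (permissionGroups == null) {
            return Access.UNKNOWN;
        }
        for (String permissionGroup : permissionGroups) {
            Access viaGroup = securityManager.getAccess(document, str, permissionGroup);
            if (viaGroup != Access.UNKNOWN) {
                return viaGroup;
            }
        }
        return Access.UNKNOWN;
    }
}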
