package org.nuxeo.ecm.webapp.security;

import java.io.Serializable;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import javax.annotation.security.PermitAll;
import javax.ejb.PostActivate;
import javax.ejb.PrePassivate;
import javax.ejb.Remove;
import javax.faces.application.FacesMessage;
import javax.faces.context.FacesContext;
import javax.faces.model.SelectItem;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.jboss.seam.ScopeType;
import org.jboss.seam.annotations.Destroy;
import org.jboss.seam.annotations.In;
import org.jboss.seam.annotations.Name;
import org.jboss.seam.annotations.Observer;
import org.jboss.seam.annotations.Scope;
import org.jboss.seam.core.Events;
import org.jboss.seam.faces.FacesMessages;
import org.nuxeo.common.utils.i18n.Labeler;
import org.nuxeo.ecm.core.api.ClientException;
import org.nuxeo.ecm.core.api.CoreSession;
import org.nuxeo.ecm.core.api.DocumentModel;
import org.nuxeo.ecm.core.api.NuxeoPrincipal;
import org.nuxeo.ecm.core.api.security.ACP;
import org.nuxeo.ecm.core.api.security.PermissionProvider;
import org.nuxeo.ecm.core.api.security.UserEntry;
import org.nuxeo.ecm.core.api.security.UserVisiblePermission;
import org.nuxeo.ecm.core.api.security.impl.ACPImpl;
import org.nuxeo.ecm.platform.ui.web.api.NavigationContext;
import org.nuxeo.ecm.platform.ui.web.util.ComponentUtils;
import org.nuxeo.ecm.platform.usermanager.UserManager;
import org.nuxeo.ecm.platform.util.ECInvalidParameterException;
import org.nuxeo.ecm.webapp.base.InputController;
import org.nuxeo.ecm.webapp.helpers.EventNames;
import org.nuxeo.ecm.webapp.table.cell.IconTableCell;
import org.nuxeo.ecm.webapp.table.cell.PermissionsTableCell;
import org.nuxeo.ecm.webapp.table.cell.SelectionTableCell;
import org.nuxeo.ecm.webapp.table.cell.UserTableCell;
import org.nuxeo.ecm.webapp.table.header.CheckBoxColHeader;
import org.nuxeo.ecm.webapp.table.header.TableColHeader;
import org.nuxeo.ecm.webapp.table.model.UserPermissionsTableModel;
import org.nuxeo.ecm.webapp.table.row.UserPermissionsTableRow;
import org.nuxeo.runtime.api.Framework;

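/**
 * Seam action bean behind the document rights-management screen.
 * <p>
 * {@link #securityData} is an editable, in-memory copy of the current document's ACP.
 * Add/remove/block-inheritance actions only touch that copy; nothing reaches the
 * repository until {@link #updateSecurityOnDocument()} stores the whole ACP
 * (overwrite mode). The copy is reloaded lazily whenever {@link #obsoleteSecurityData}
 * is set, which happens on {@link #resetSecurityData()} (document selection change)
 * and after each save.
 * <p>
 * Only the remove paths run {@link #checkPermissions()}, which rejects (and rolls
 * back) an edit that would strip the current user of the security-management
 * permissions listed by {@link #getPermissionsToCheck()}. The add and plain save
 * paths store the ACP without that guard.
 * <p>
 * The bean is conversation-scoped and not thread-safe, except for the static
 * {@link #visibleUserPermissions} cache, which is shared by all instances and is
 * only accessed while synchronized on the map itself.
 */
@Name("securityActions")
@Scope(ScopeType.CONVERSATION)
/* loaded from: input_file:org/nuxeo/ecm/webapp/security/SecurityActionsBean.class */
public class SecurityActionsBean extends InputController implements SecurityActions, Serializable {

    private static final long serialVersionUID = -7190826911734958662L;

    /** Pseudo-principal meaning "all users" in an ACL. */
    private static final String EVERYONE = "Everyone";

    /** Permission that stands for all permissions. */
    private static final String EVERYTHING = "Everything";

    /** Permission required to edit the ACP of a document. */
    private static final String WRITE_SECURITY = "WriteSecurity";

    /** Value of the grant/deny selector that means "grant". */
    private static final String GRANT = "Grant";

    /** Group that is re-granted Everything when inheritance is blocked. */
    private static final String ADMINISTRATORS_GROUP = "administrators";

    private static final String MSG_UPDATED_RIGHTS = "message.updated.rights";

    private static final String MSG_REMOVE_RIGHT_ERROR = "message.error.removeRight";

    /** Lazily computed set of permissions the current user must keep; see {@link #getPermissionsToCheck()}. */
    protected String[] CACHED_PERMISSION_TO_CHECK;

    /** Editable copy of the current document's ACP; {@code null} until first rebuilt. */
    protected SecurityData securityData;

    /** {@code true} when {@link #securityData} must be reloaded from the repository before use. */
    protected boolean obsoleteSecurityData = true;

    /** Table rendered from {@link #securityData}; {@code null} until first rebuilt. */
    protected UserPermissionsTableModel tableModel;

    protected List<String> selectedUsers;

    /** Principal names already confirmed to exist in the user manager (not serialized). */
    protected transient List<String> cachedValidatedUserAndGroups;

    /** Principal names already confirmed to be absent from the user manager (not serialized). */
    protected transient List<String> cachedDeletedUserAndGroups;

    @In(create = true)
    protected transient NavigationContext navigationContext;

    @In(create = true, required = false)
    protected transient CoreSession documentManager;

    @In(create = true)
    protected PermissionActionListManager permissionActionListManager;

    @In(create = true)
    protected PermissionListManager permissionListManager;

    @In(create = true)
    protected PrincipalListManager principalListManager;

    @In(create = true)
    protected transient UserManager userManager;

    @In(create = true)
    protected NuxeoPrincipal currentUser;

    /**
     * Whether the current document blocks permission inheritance; {@code null} means
     * "not computed yet" and triggers a rebuild on the next read.
     */
    private Boolean blockRightInheritance;

    /** Permissions the current user must retain after any removal (plus their permission groups). */
    protected static final String[] SEED_PERMISSIONS_TO_CHECK = {"WriteSecurity", "ReadSecurity"};

    private static final Log log = LogFactory.getLog(SecurityActionsBean.class);

    private static final Labeler labeler = new Labeler("label.security.permission");

    /**
     * Per-document-type cache of user-visible permission descriptors, filled by
     * {@link #getSettablePermissions()}. Shared by all instances: always synchronize
     * on the map before reading or writing it.
     */
    protected static final Map<String, List<UserVisiblePermission>> visibleUserPermissions = new HashMap<String, List<UserVisiblePermission>>();

    /**
     * Marks the cached security data as stale; it is reloaded on the next read.
     * Triggered by Seam on every document selection change.
     */
    @Override
    @Observer(value = {EventNames.USER_ALL_DOCUMENT_TYPES_SELECTION_CHANGED}, create = false, inject = false)
    public void resetSecurityData() throws ClientException {
        obsoleteSecurityData = true;
        blockRightInheritance = null;
    }

    /**
     * Reloads {@link #securityData} and the table model from the stored ACP of the
     * current document. Does nothing (and leaves the data stale) when no document is
     * selected.
     *
     * @throws ClientException if the ACP cannot be read or converted
     */
    @Override
    public void rebuildSecurityData() throws ClientException {
        DocumentModel currentDoc = navigationContext.getCurrentDocument();
        if (currentDoc == null) {
            return;
        }
        try {
            if (securityData == null) {
                securityData = new SecurityData();
            }
            // Refresh the type on every rebuild: the same SecurityData instance is
            // reused across documents, and addPermission() resolves the grant/deny
            // mapping by this type.
            securityData.setDocumentType(currentDoc.getType());
            ACP acp = documentManager.getACP(currentDoc.getRef());
            if (acp != null) {
                SecurityDataConverter.convertToSecurityData(acp, securityData);
            } else {
                securityData.clear();
            }
            reconstructTableModel();
            if (blockRightInheritance == null) {
                // createDataTableRow() sets TRUE when it meets the Everyone/Everything
                // deny entry; otherwise inheritance is not blocked.
                blockRightInheritance = Boolean.FALSE;
            }
            obsoleteSecurityData = false;
        } catch (ClientException e) {
            throw e;
        } catch (Exception e) {
            throw ClientException.wrap(e);
        }
    }

    /** Seam/EJB teardown hook; only logs. */
    @Override
    @Remove
    @PermitAll
    @Destroy
    public void destroy() {
        log.debug("Removing SEAM action listener...");
    }

    /**
     * Builds {@link #tableModel} from the validated principals of
     * {@link #securityData}: one row per principal that still exists, except the
     * inheritance-blocking entry (see {@link #createDataTableRow(String)}).
     *
     * @return the new table model (also stored in {@link #tableModel})
     * @throws ClientException if principal validation fails
     */
    protected UserPermissionsTableModel reconstructTableModel() throws ClientException {
        // Raw lists on purpose: the element types accepted by the table model
        // constructor are not visible from this class.
        List headers = new ArrayList();
        headers.add(new CheckBoxColHeader("label.content.header.selection", "c0", false));
        headers.add(new TableColHeader("label.content.header.type", "c4"));
        headers.add(new TableColHeader("label.username", "c1"));
        headers.add(new TableColHeader("label.security.grantedPerms", "c2"));
        headers.add(new TableColHeader("label.security.deniedPerms", "c3"));

        List rows = new ArrayList();
        for (String principalName : getCurrentDocumentUsers()) {
            UserPermissionsTableRow row = createDataTableRow(principalName);
            if (row != null) {
                rows.add(row);
            }
        }
        tableModel = new UserPermissionsTableModel(headers, rows);
        return tableModel;
    }

    /**
     * Builds the table row for one principal.
     * <p>
     * An "Everyone denied Everything" entry is how blocked inheritance is stored; it
     * is surfaced through {@link #getBlockRightInheritance()} instead of a row, so this
     * method returns {@code null} for it (and flips {@link #blockRightInheritance}).
     *
     * @param principalName user or group name
     * @return the row, or {@code null} for the inheritance-blocking entry
     * @throws ClientException propagated from the principal type lookup
     */
    protected UserPermissionsTableRow createDataTableRow(String principalName) throws ClientException {
        if (EVERYONE.equals(principalName)
                // null-safe: "Everyone" may be listed with grants only
                && securityData.getCurrentDocDeny().get(principalName) != null
                && securityData.getCurrentDocDeny().get(principalName).contains(EVERYTHING)) {
            blockRightInheritance = Boolean.TRUE;
            return null;
        }
        String principalType = principalListManager.getPrincipalType(principalName);
        IconTableCell iconCell = new IconTableCell(getIconPathMap().get(principalType));
        iconCell.setIconAlt(getIconAltMap().get(principalType));

        // Raw list on purpose: the cell supertype expected by the row is not visible here.
        List cells = new ArrayList();
        cells.add(new SelectionTableCell(false));
        cells.add(iconCell);
        cells.add(new UserTableCell(principalName, principalType));
        cells.add(new PermissionsTableCell(principalName, securityData.getCurrentDocGrant().get(principalName)));
        cells.add(new PermissionsTableCell(principalName, securityData.getCurrentDocDeny().get(principalName)));
        return new UserPermissionsTableRow(principalName, cells);
    }

    /**
     * Returns the rights table, rebuilding it first when the data is stale.
     *
     * @return the table model; {@code null} while no document has ever been selected
     */
    @Override
    public UserPermissionsTableModel getDataTableModel() throws ClientException, ECInvalidParameterException {
        if (obsoleteSecurityData) {
            rebuildSecurityData();
        }
        return tableModel;
    }

    /**
     * Returns the editable ACP copy, rebuilding it first when the data is stale.
     *
     * @return the security data; {@code null} while no document has ever been selected
     */
    @Override
    public SecurityData getSecurityData() throws ClientException {
        if (obsoleteSecurityData) {
            rebuildSecurityData();
        }
        return securityData;
    }

    /**
     * Stores {@link #securityData} as the document's ACP, replacing the stored one
     * (overwrite mode), saves the session, raises
     * {@link EventNames#DOCUMENT_SECURITY_CHANGED} and reloads the data.
     * <p>
     * No self-lockout check is performed here; callers that need it must run
     * {@link #checkPermissions()} before calling this method.
     *
     * @return always {@code null} (JSF outcome: stay on the page)
     * @throws ClientException if the ACP cannot be converted or stored
     */
    @Override
    public String updateSecurityOnDocument() throws ClientException {
        try {
            List<UserEntry> entries = SecurityDataConverter.convertToUserEntries(securityData);
            ACPImpl acp = currentDocument.getACP();
            if (acp == null) {
                acp = new ACPImpl();
            }
            acp.setRules(entries.toArray(new UserEntry[entries.size()]));
            // overwrite=true: the stored ACP is replaced, not merged
            documentManager.setACP(currentDocument.getRef(), acp, true);
            documentManager.save();
            Events.instance().raiseEvent(EventNames.DOCUMENT_SECURITY_CHANGED, new Object[0]);
            rebuildSecurityData();
            return null;
        } catch (ClientException e) {
            throw e;
        } catch (Exception e) {
            throw ClientException.wrap(e);
        }
    }

    /**
     * Toggles a permission for a principal in the in-memory copy (nothing is stored).
     * <p>
     * The UI permission id is first mapped to the concrete grant/deny permission pair
     * declared for the document type (see {@link #visibleUserPermissions}); without a
     * mapping the id is used for both. Adding a grant first tries to cancel an
     * existing deny on the same permission (and vice versa); only when there was
     * nothing to cancel is a new rule added.
     *
     * @param principalName user or group name
     * @param permission UI permission id
     * @param grant {@code true} to grant, {@code false} to deny
     * @return always {@code null} (JSF outcome)
     */
    @Override
    public String addPermission(String principalName, String permission, boolean grant) {
        if (securityData == null) {
            try {
                securityData = getSecurityData();
            } catch (ClientException e) {
                log.error("Unable to load security data", e);
                return null;
            }
            if (securityData == null) {
                // no current document, nothing to edit
                log.error("No security data available, cannot add permission " + permission);
                return null;
            }
        }

        String grantPermission = permission;
        String denyPermission = permission;
        UserVisiblePermission visible = findVisiblePermission(securityData.getDocumentType(), permission);
        if (visible != null) {
            grantPermission = visible.getPermission();
            denyPermission = visible.getDenyPermission();
        }

        // short-circuit || keeps the original "try deny form, then grant form" order
        if (grant) {
            boolean cancelledDeny = securityData.removeModifiablePrivilege(principalName, denyPermission, false)
                    || securityData.removeModifiablePrivilege(principalName, grantPermission, false);
            if (!cancelledDeny) {
                securityData.addModifiablePrivilege(principalName, grantPermission, true);
            }
        } else {
            boolean cancelledGrant = securityData.removeModifiablePrivilege(principalName, grantPermission, true)
                    || securityData.removeModifiablePrivilege(principalName, denyPermission, true);
            if (!cancelledGrant) {
                securityData.addModifiablePrivilege(principalName, denyPermission, false);
            }
        }

        try {
            reconstructTableModel();
        } catch (ClientException e) {
            log.error("Error whil reconstructing security data", e);
        }
        return null;
    }

    /**
     * Looks up the user-visible permission descriptor with the given id for a
     * document type in the shared cache. The cache is only filled by
     * {@link #getSettablePermissions()}; a miss is logged and yields {@code null}.
     */
    private static UserVisiblePermission findVisiblePermission(String documentType, String permissionId) {
        List<UserVisiblePermission> visible;
        synchronized (visibleUserPermissions) {
            visible = visibleUserPermissions.get(documentType);
        }
        if (visible == null) {
            log.debug("no entry for documentType in visibleUserPermissions this should never happend, using default mapping ...");
            return null;
        }
        for (UserVisiblePermission candidate : visible) {
            if (candidate.getId().equals(permissionId)) {
                return candidate;
            }
        }
        return null;
    }

    /** Whether the grant/deny selector currently reads {@value #GRANT}. */
    private boolean isGrantSelected() {
        return permissionActionListManager.getSelectedGrant().equals(GRANT);
    }

    /** Shows the "rights updated" info message. */
    private void notifyRightsUpdated() {
        facesMessages.add(FacesMessage.SEVERITY_INFO, resourcesAccessor.getMessages().get(MSG_UPDATED_RIGHTS), new Object[0]);
    }

    /**
     * Applies {@link #addPermission(String, String, boolean)} to the principal,
     * permission and grant/deny choice currently selected in the list managers.
     */
    @Override
    public String addPermission() {
        return addPermission(principalListManager.getSelectedPrincipal(),
                permissionListManager.getSelectedPermission(), isGrantSelected());
    }

    /**
     * Applies the selected permission and grant/deny choice to every selected
     * principal; shows an error message and does nothing when none is selected.
     */
    @Override
    public String addPermissions() {
        if (principalListManager.getSelectedUserListEmpty()) {
            FacesMessages.instance().add(ComponentUtils.translate(FacesContext.getCurrentInstance(), "error.rightsManager.noUsersSelected"), new Object[0]);
            return null;
        }
        String permission = permissionListManager.getSelectedPermission();
        boolean grant = isGrantSelected();
        for (String principalName : principalListManager.getSelectedUsers()) {
            addPermission(principalName, permission, grant);
        }
        return null;
    }

    /** {@link #addPermission()} followed by an immediate store (no lockout check). */
    @Override
    public String addPermissionAndUpdate() throws ClientException {
        addPermission();
        updateSecurityOnDocument();
        return null;
    }

    /** {@link #addPermissions()} followed by an immediate store (no lockout check). */
    @Override
    public String addPermissionsAndUpdate() throws ClientException {
        addPermissions();
        updateSecurityOnDocument();
        principalListManager.resetSelectedUserList();
        notifyRightsUpdated();
        return null;
    }

    /** Stores the pending in-memory edits (no lockout check). */
    @Override
    public String saveSecurityUpdates() throws ClientException {
        updateSecurityOnDocument();
        principalListManager.resetSelectedUserList();
        notifyRightsUpdated();
        return null;
    }

    /**
     * Removes the selected principal/permission/grant rule from the in-memory copy
     * (nothing is stored).
     */
    @Override
    public String removePermission() {
        securityData.removeModifiablePrivilege(principalListManager.getSelectedPrincipal(),
                permissionListManager.getSelectedPermission(), isGrantSelected());
        try {
            reconstructTableModel();
        } catch (ClientException e) {
            log.error("Error whil reconstructing security data", e);
        }
        return null;
    }

    /**
     * {@link #removePermission()} then store, unless the removal would lock the
     * current user out, in which case the edit is rolled back and an error shown.
     */
    @Override
    public String removePermissionAndUpdate() throws ClientException {
        removePermission();
        if (checkPermissions()) {
            updateSecurityOnDocument();
        } else {
            // same failure message as the multi-principal removal paths
            facesMessages.add(FacesMessage.SEVERITY_ERROR, resourcesAccessor.getMessages().get(MSG_REMOVE_RIGHT_ERROR), new Object[0]);
        }
        return null;
    }

    /**
     * Removes every rule of each principal selected in the table from the in-memory
     * copy, checking after each principal that the current user keeps the
     * security-management permissions. Stops (with an error message and a rollback
     * done by {@link #checkPermissions()}) at the first principal whose removal
     * would lock the user out.
     *
     * @return {@code true} when all selected principals were removed
     */
    private boolean removeSelectedPrincipals() throws ClientException, ECInvalidParameterException {
        for (String principalName : getDataTableModel().getSelectedUsers()) {
            securityData.removeModifiablePrivilege(principalName);
            if (!checkPermissions()) {
                facesMessages.add(FacesMessage.SEVERITY_ERROR, resourcesAccessor.getMessages().get(MSG_REMOVE_RIGHT_ERROR), new Object[0]);
                return false;
            }
        }
        return true;
    }

    /** Removes all rules of the principals selected in the table (nothing is stored). */
    @Override
    public String removePermissions() throws ClientException, ECInvalidParameterException {
        if (removeSelectedPrincipals()) {
            reconstructTableModel();
        }
        return null;
    }

    /** Removes all rules of the principals selected in the table and stores the result. */
    @Override
    public String removePermissionsAndUpdate() throws ClientException, ECInvalidParameterException {
        if (removeSelectedPrincipals()) {
            updateSecurityOnDocument();
            notifyRightsUpdated();
        }
        return null;
    }

    /** Whether the current user may edit the ACP of the current document. */
    @Override
    public boolean getCanAddSecurityRules() throws ClientException {
        return documentManager.hasPermission(currentDocument.getRef(), WRITE_SECURITY);
    }

    /**
     * Whether the current user may edit the ACP and at least one table row is
     * selected.
     */
    @Override
    public boolean getCanRemoveSecurityRules() throws ClientException {
        try {
            return documentManager.hasPermission(currentDocument.getRef(), WRITE_SECURITY)
                    && !getDataTableModel().getSelectedRows().isEmpty();
        } catch (ClientException e) {
            throw e;
        } catch (Exception e) {
            throw ClientException.wrap(e);
        }
    }

    /**
     * Returns the permissions offered in the UI for the current document type.
     * Uses the UI permission service's list for the type when it has one; otherwise
     * falls back to the permission provider's user-visible descriptors (cached per
     * type in {@link #visibleUserPermissions}).
     *
     * @return select items labelled through {@link #labeler}
     * @throws ClientException if the permission provider is unavailable
     */
    @Override
    public List<SelectItem> getSettablePermissions() throws ClientException {
        String type = navigationContext.getCurrentDocument().getType();
        UIPermissionService uiPermissionService = (UIPermissionService) Framework.getRuntime().getComponent(UIPermissionService.NAME);
        String[] permissionIds = uiPermissionService.getUIPermissions(type);
        if (permissionIds == null || permissionIds.length == 0) {
            List<UserVisiblePermission> visible = getVisibleUserPermissions(type);
            permissionIds = new String[visible.size()];
            for (int i = 0; i < permissionIds.length; i++) {
                permissionIds[i] = visible.get(i).getId();
            }
        }
        List<SelectItem> items = new ArrayList<SelectItem>(permissionIds.length);
        for (String permissionId : permissionIds) {
            items.add(new SelectItem(permissionId, resourcesAccessor.getMessages().get(labeler.makeLabel(permissionId))));
        }
        return items;
    }

    /**
     * Returns the cached user-visible permission descriptors for a document type,
     * querying the permission provider on a cache miss. The lookup and the fill are
     * done under the same lock so concurrent conversations never read the shared
     * map while it is being written.
     *
     * @return never {@code null}; an empty list when the provider returns none
     */
    private static List<UserVisiblePermission> getVisibleUserPermissions(String type) throws ClientException {
        synchronized (visibleUserPermissions) {
            List<UserVisiblePermission> visible = visibleUserPermissions.get(type);
            if (visible == null) {
                try {
                    PermissionProvider permissionProvider = (PermissionProvider) Framework.getService(PermissionProvider.class);
                    visible = permissionProvider.getUserVisiblePermissionDescriptors(type);
                } catch (Exception e) {
                    throw new ClientException("Unable to get PermissionProvider", e);
                }
                if (visible == null) {
                    visible = new ArrayList<UserVisiblePermission>();
                }
                visibleUserPermissions.put(type, visible);
            }
            return visible;
        }
    }

    /** EJB passivation hook; only logs. */
    @Override
    @PrePassivate
    public void saveState() {
        log.info("PrePassivate");
    }

    /** EJB activation hook; only logs. */
    @Override
    @PostActivate
    public void readState() {
        log.info("PostActivate");
    }

    /** Principal type to icon alt text, as configured on the principal list manager. */
    @Override
    public Map<String, String> getIconAltMap() {
        return principalListManager.iconAlt;
    }

    /** Principal type to icon path, as configured on the principal list manager. */
    @Override
    public Map<String, String> getIconPathMap() {
        return principalListManager.iconPath;
    }

    /**
     * @return whether the current document blocks inheritance; {@code null} while
     *         not yet computed
     */
    @Override
    public Boolean getBlockRightInheritance() {
        return blockRightInheritance;
    }

    /**
     * Blocks or unblocks permission inheritance and stores the result immediately.
     * <p>
     * Blocking is stored as "Everyone denied Everything". So that the document does
     * not become unmanageable, the acting user and the administrators group are
     * granted Everything in the same ACL when the acting user is not yet listed.
     * NOTE(review): the administrators grant is skipped whenever the acting user is
     * already listed, whatever their rights - confirm this is intended.
     *
     * @param bool {@code true} to block, {@code false} to unblock
     * @throws IllegalArgumentException if {@code bool} is {@code null}
     * @throws ClientException if the ACP cannot be stored
     */
    @Override
    public void setBlockRightInheritance(Boolean bool) throws ClientException {
        if (bool == null) {
            throw new IllegalArgumentException("blockRightInheritance must not be null");
        }
        if (bool.booleanValue()) {
            securityData.addModifiablePrivilege(EVERYONE, EVERYTHING, false);
            Principal userPrincipal = FacesContext.getCurrentInstance().getExternalContext().getUserPrincipal();
            List<String> listedPrincipals = securityData.getCurrentDocumentUsers();
            if (listedPrincipals != null && !listedPrincipals.contains(userPrincipal.getName())) {
                securityData.addModifiablePrivilege(userPrincipal.getName(), EVERYTHING, true);
                securityData.addModifiablePrivilege(ADMINISTRATORS_GROUP, EVERYTHING, true);
            }
        } else {
            securityData.removeModifiablePrivilege(EVERYONE, EVERYTHING, false);
        }
        updateSecurityOnDocument();
        resetSecurityData();
    }

    /** Boxed form of {@link #getDisplayInheritedPermissions()} for JSF bindings. */
    @Override
    public Boolean displayInheritedPermissions() throws ClientException {
        return Boolean.valueOf(getDisplayInheritedPermissions());
    }

    /**
     * Whether the inherited-permissions section should be shown: inheritance is
     * not blocked and some parent document carries rules.
     *
     * @return {@code false} as well when no document is selected
     */
    @Override
    public boolean getDisplayInheritedPermissions() throws ClientException {
        if (blockRightInheritance == null) {
            rebuildSecurityData();
        }
        if (blockRightInheritance == null || securityData == null) {
            // rebuild found no current document
            return false;
        }
        return !blockRightInheritance.booleanValue() && !securityData.getParentDocumentsUsers().isEmpty();
    }

    /** Lazily created, mutable list of selected user names. */
    protected List<String> getSelectedUsers() {
        if (selectedUsers == null) {
            selectedUsers = new ArrayList<String>();
        }
        return selectedUsers;
    }

    /** Principals with rules on the current document that still exist in the user manager. */
    @Override
    public List<String> getCurrentDocumentUsers() throws ClientException {
        return validateUserGroupList(securityData.getCurrentDocumentUsers());
    }

    /** Principals with inherited rules that still exist in the user manager. */
    @Override
    public List<String> getParentDocumentsUsers() throws ClientException {
        return validateUserGroupList(securityData.getParentDocumentsUsers());
    }

    /**
     * Filters a list of principal names down to those that exist as a user or group
     * (the Everyone pseudo-principal always passes). Lookups are memoized per bean
     * in {@link #cachedValidatedUserAndGroups} and {@link #cachedDeletedUserAndGroups}.
     *
     * @param principalNames names to validate; {@code null} is treated as empty
     * @return a new list, in the original order
     * @throws ClientException propagated from the user manager
     */
    private List<String> validateUserGroupList(List<String> principalNames) throws ClientException {
        List<String> existing = new ArrayList<String>();
        if (principalNames == null) {
            return existing;
        }
        for (String name : principalNames) {
            if (EVERYONE.equals(name) || isUserGroupInCache(name)) {
                existing.add(name);
            } else if (!isUserGroupInDeletedCache(name)) {
                if (userManager.getPrincipal(name) != null || userManager.getGroup(name) != null) {
                    existing.add(name);
                    addUserGroupInCache(name);
                } else {
                    addUserGroupInDeletedCache(name);
                }
            }
        }
        return existing;
    }

    private boolean isUserGroupInCache(String name) {
        return cachedValidatedUserAndGroups != null && cachedValidatedUserAndGroups.contains(name);
    }

    private void addUserGroupInCache(String name) {
        if (cachedValidatedUserAndGroups == null) {
            cachedValidatedUserAndGroups = new ArrayList<String>();
        }
        cachedValidatedUserAndGroups.add(name);
    }

    private boolean isUserGroupInDeletedCache(String name) {
        return cachedDeletedUserAndGroups != null && cachedDeletedUserAndGroups.contains(name);
    }

    private void addUserGroupInDeletedCache(String name) {
        if (cachedDeletedUserAndGroups == null) {
            cachedDeletedUserAndGroups = new ArrayList<String>();
        }
        cachedDeletedUserAndGroups.add(name);
    }

    /**
     * Self-lockout guard: evaluates the pending rules against the current user and
     * all of their groups for the permissions of {@link #getPermissionsToCheck()}.
     * When access would be lost, the pending edit is discarded by reloading the
     * stored ACP.
     * NOTE(review): the rules are written into the ACP object obtained from
     * {@code currentDocument.getACP()}, i.e. the document model's own copy is mutated
     * even when the check fails - confirm that is harmless.
     *
     * @return {@code true} when the current user keeps the checked permissions
     */
    private boolean checkPermissions() throws ClientException {
        List<String> actingPrincipals = new ArrayList<String>();
        actingPrincipals.add(currentUser.getName());
        actingPrincipals.addAll(currentUser.getAllGroups());

        ACPImpl candidate = currentDocument.getACP();
        if (candidate == null) {
            candidate = new ACPImpl();
        }
        List<UserEntry> entries = SecurityDataConverter.convertToUserEntries(securityData);
        candidate.setRules(entries.toArray(new UserEntry[entries.size()]));

        boolean stillAllowed = candidate.getAccess(actingPrincipals.toArray(new String[actingPrincipals.size()]),
                getPermissionsToCheck()).toBoolean();
        if (!stillAllowed) {
            rebuildSecurityData();
        }
        return stillAllowed;
    }

    /**
     * Permissions the current user must keep: {@link #SEED_PERMISSIONS_TO_CHECK}
     * plus whatever permission groups the provider reports for each seed
     * (presumably the compound permissions that include it). Computed once per bean.
     *
     * @throws ClientException if the permission provider is unavailable
     */
    protected String[] getPermissionsToCheck() throws ClientException {
        if (CACHED_PERMISSION_TO_CHECK == null) {
            try {
                PermissionProvider permissionProvider = (PermissionProvider) Framework.getService(PermissionProvider.class);
                List<String> permissions = new ArrayList<String>();
                for (String seed : SEED_PERMISSIONS_TO_CHECK) {
                    permissions.add(seed);
                    String[] groups = permissionProvider.getPermissionGroups(seed);
                    if (groups != null) {
                        permissions.addAll(Arrays.asList(groups));
                    }
                }
                CACHED_PERMISSION_TO_CHECK = permissions.toArray(new String[permissions.size()]);
            } catch (Exception e) {
                throw new ClientException(e);
            }
        }
        return CACHED_PERMISSION_TO_CHECK;
    }
}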
