package org.nuxeo.ecm.permissions;

import org.nuxeo.ecm.core.api.CoreInstance;
import org.nuxeo.ecm.core.api.DocumentModel;
import org.nuxeo.ecm.core.api.NuxeoPrincipal;
import org.nuxeo.ecm.core.api.security.ACE;
import org.nuxeo.ecm.core.api.security.ACL;
import org.nuxeo.ecm.core.query.sql.NXQL;
import org.nuxeo.ecm.tokenauth.service.TokenAuthenticationService;
import org.nuxeo.runtime.api.Framework;
import org.nuxeo.runtime.services.config.ConfigurationService;

/* loaded from: input_file:org/nuxeo/ecm/permissions/TransientUserPermissionHelper.class */
public class TransientUserPermissionHelper {
    public static final String OTHER_DOCUMENT_WITH_PENDING_OR_EFFECTIVE_ACL_QUERY = "SELECT ecm:uuid FROM Document, Relation WHERE (ecm:acl/*1/status is NULL OR ecm:acl/*1/status = 0 OR ecm:acl/*1/status = 1) AND ecm:acl/*1/principal = %s AND ecm:uuid <> %s";
    public static final String TRANSIENT_APP_NAME = "transient/appName";
    public static final String TRANSIENT_DEVICE_ID = "transient/deviceId";
    public static final String TRANSIENT_PERMISSION = "transient/permission";

    private TransientUserPermissionHelper() {
    }

    @Deprecated
    public static String acquireToken(String str, DocumentModel documentModel, String str2) {
        addToken(str);
        return null;
    }

    public static void addToken(String str) {
        if (NuxeoPrincipal.isTransientUsername(str)) {
            ((TokenAuthenticationService) Framework.getService(TokenAuthenticationService.class)).acquireToken(str, TRANSIENT_APP_NAME, TRANSIENT_DEVICE_ID, (String) null, TRANSIENT_PERMISSION);
        }
    }

    public static String getToken(String str) {
        return ((TokenAuthenticationService) Framework.getService(TokenAuthenticationService.class)).getToken(str, TRANSIENT_APP_NAME, TRANSIENT_DEVICE_ID);
    }

    public static void revokeToken(String str, DocumentModel documentModel) {
        if (!NuxeoPrincipal.isTransientUsername(str) || hasOtherPermission(str, documentModel)) {
            return;
        }
        for (ACL<ACE> acl : documentModel.getACP().getACLs()) {
            if (!"inherited".equals(acl.getName())) {
                for (ACE ace : acl) {
                    if (str.equals(ace.getUsername()) && !ace.isArchived()) {
                        return;
                    }
                }
            }
        }
        TokenAuthenticationService tokenAuthenticationService = (TokenAuthenticationService) Framework.getService(TokenAuthenticationService.class);
        String token = tokenAuthenticationService.getToken(str, TRANSIENT_APP_NAME, TRANSIENT_DEVICE_ID);
        if (token != null) {
            tokenAuthenticationService.revokeToken(token);
        }
        String token2 = tokenAuthenticationService.getToken(str, documentModel.getRepositoryName(), documentModel.getId());
        if (token2 != null) {
            tokenAuthenticationService.revokeToken(token2);
        }
    }

    protected static boolean hasOtherPermission(String str, DocumentModel documentModel) {
        if (((ConfigurationService) Framework.getService(ConfigurationService.class)).isBooleanTrue("nuxeo.transient.username.unique")) {
            return false;
        }
        String format = String.format(OTHER_DOCUMENT_WITH_PENDING_OR_EFFECTIVE_ACL_QUERY, NXQL.escapeString(str), NXQL.escapeString(documentModel.getId()));
        return ((Boolean) CoreInstance.doPrivileged(documentModel.getRepositoryName(), coreSession -> {
            return Boolean.valueOf(!coreSession.queryProjection(format, 1L, 0L).isEmpty());
        })).booleanValue();
    }
}
