package org.nuxeo.ecm.permissions;

import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.nuxeo.ecm.core.api.DocumentModel;
import org.nuxeo.ecm.core.api.NuxeoException;
import org.nuxeo.ecm.core.api.security.ACE;
import org.nuxeo.ecm.core.api.security.ACL;
import org.nuxeo.ecm.core.api.security.ACP;
import org.nuxeo.ecm.core.event.Event;
import org.nuxeo.ecm.core.event.EventContext;
import org.nuxeo.ecm.core.event.EventListener;
import org.nuxeo.ecm.core.event.EventService;
import org.nuxeo.ecm.core.event.impl.DocumentEventContext;
import org.nuxeo.ecm.directory.Session;
import org.nuxeo.ecm.directory.api.DirectoryService;
import org.nuxeo.runtime.api.Framework;

/* loaded from: input_file:org/nuxeo/ecm/permissions/PermissionListener.class */
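/**
 * Event listener that mirrors document ACP changes into the ACE-info directory.
 *
 * <p>On a {@code documentSecurityUpdated} event it diffs the {@code oldACP} and {@code newACP}
 * context properties. For every ACE that was removed or added it updates the directory entry
 * and the transient-user token, and it fires a notification event for ACEs that ask for one.
 * Directory and token updates run inside {@link #doAsSystemUser(Runnable)}, so they are not
 * limited by the rights of the user who changed the permissions.
 */
public class PermissionListener implements EventListener {

    /**
     * Difference between the old and new state of one named ACL.
     *
     * <p>Both lists are never {@code null}; a missing side is represented by an empty list.
     * The decompiler reported widening this class from {@code private}; it is kept
     * {@code public} here so the declaration matches the class file as loaded.
     */
    public static class ACLDiff {
        public final String aclName;
        public final List<ACE> addedACEs;
        public final List<ACE> removedACEs;

        private ACLDiff(String aclName, List<ACE> addedACEs, List<ACE> removedACEs) {
            this.aclName = aclName;
            this.addedACEs = addedACEs != null ? addedACEs : Collections.emptyList();
            this.removedACEs = removedACEs != null ? removedACEs : Collections.emptyList();
        }
    }

    /**
     * Reacts to {@code documentSecurityUpdated} events carried by a {@link DocumentEventContext};
     * every other event is ignored.
     *
     * @param event the event delivered by the event service
     */
    @Override
    public void handleEvent(Event event) {
        EventContext context = event.getContext();
        if ((context instanceof DocumentEventContext) && "documentSecurityUpdated".equals(event.getName())) {
            updateDirectory((DocumentEventContext) context);
        }
    }

    /**
     * Reads the {@code oldACP} and {@code newACP} properties from the event context and, when
     * both are present, synchronises the directory with the change.
     *
     * @param documentEventContext context of the security-update event
     */
    protected void updateDirectory(DocumentEventContext documentEventContext) {
        ACP oldACP = (ACP) documentEventContext.getProperty("oldACP");
        ACP newACP = (ACP) documentEventContext.getProperty("newACP");
        // Without both sides there is nothing to diff, so the directory is left untouched.
        if (oldACP == null || newACP == null) {
            return;
        }
        handleUpdateACP(documentEventContext, oldACP, newACP);
    }

    /**
     * Runs {@code runnable} between {@code Framework.login()} and the matching logout.
     *
     * <p>Security: the runnable runs under the login obtained here (the system login, going by
     * this method's name and error messages), not as the user who triggered the event. Keep the
     * work passed in minimal, and do not let it act on data that has not already been
     * authorised upstream.
     *
     * @param runnable the work to execute while logged in
     * @throws NuxeoException if the login or the logout fails
     */
    protected void doAsSystemUser(Runnable runnable) {
        try {
            LoginContext login = Framework.login();
            try {
                runnable.run();
            } finally {
                // Always drop the elevated login, whether or not the runnable failed. A logout
                // failure raised here replaces any exception still propagating from the runnable.
                if (login != null) {
                    try {
                        login.logout();
                    } catch (LoginException e) {
                        throw new NuxeoException("Cannot log out system user", e);
                    }
                }
            }
        } catch (LoginException e) {
            throw new NuxeoException(e);
        }
    }

    /**
     * Applies the difference between two ACPs to the ACE-info directory and to the
     * transient-user tokens, and fires notification events for newly added ACEs that request one.
     *
     * @param documentEventContext context of the security-update event; supplies the source document
     * @param acp the ACP before the change (the {@code oldACP} event property)
     * @param acp2 the ACP after the change (the {@code newACP} event property)
     */
    protected void handleUpdateACP(DocumentEventContext documentEventContext, ACP acp, ACP acp2) {
        doAsSystemUser(() -> {
            DocumentModel sourceDocument = documentEventContext.getSourceDocument();
            List<ACLDiff> diffs = extractACLDiffs(acp, acp2);
            DirectoryService directoryService = (DirectoryService) Framework.getLocalService(DirectoryService.class);
            for (ACLDiff diff : diffs) {
                // try-with-resources closes the session on every path and keeps a close() failure
                // as a suppressed exception instead of letting it mask the primary one.
                try (Session session = directoryService.open(Constants.ACE_INFO_DIRECTORY)) {
                    for (ACE removed : diff.removedACEs) {
                        session.deleteEntry(PermissionHelper.computeDirectoryId(sourceDocument, diff.aclName, removed.getId()));
                        removeToken(sourceDocument, removed);
                    }
                    for (ACE added : diff.addedACEs) {
                        String entryId = PermissionHelper.computeDirectoryId(sourceDocument, diff.aclName, added.getId());
                        // Replace any stale entry left under the same id.
                        if (session.hasEntry(entryId)) {
                            session.deleteEntry(entryId);
                        }
                        Boolean notifyFlag = (Boolean) added.getContextData(Constants.NOTIFY_KEY);
                        String comment = (String) added.getContextData(Constants.COMMENT_KEY);
                        boolean notify = notifyFlag != null && notifyFlag.booleanValue();
                        session.createEntry(PermissionHelper.createDirectoryEntry(sourceDocument, diff.aclName, added, notify, comment));
                        addToken(sourceDocument, added);
                        // Only announce permissions that are granted and currently in effect.
                        if (notify && added.isGranted() && added.isEffective()) {
                            firePermissionNotificationEvent(documentEventContext, diff.aclName, added);
                        }
                    }
                }
            }
        });
    }

    /**
     * Replaces the directory entry of one ACE with the entry of its successor.
     *
     * <p>NOTE(review): unlike {@link #handleUpdateACP}, this path makes no
     * {@link #addToken}/{@link #removeToken} call, so tokens are not adjusted here. Confirm no
     * caller relies on that before reusing this method.
     *
     * @param documentEventContext context of the security-update event; supplies the source document
     * @param str name of the ACL holding the ACE
     * @param ace the ACE being replaced; its directory entry is deleted if present
     * @param ace2 the replacement ACE; a directory entry is created for it
     * @deprecated marked deprecated in the class file; {@link #handleUpdateACP} is the path used
     *     by {@link #updateDirectory}
     */
    @Deprecated
    protected void handleReplaceACE(DocumentEventContext documentEventContext, String str, ACE ace, ACE ace2) {
        doAsSystemUser(() -> {
            DocumentModel sourceDocument = documentEventContext.getSourceDocument();
            DirectoryService directoryService = (DirectoryService) Framework.getLocalService(DirectoryService.class);
            // try-with-resources guarantees the session is closed and that a close() failure
            // cannot hide an exception raised while updating the directory.
            try (Session session = directoryService.open(Constants.ACE_INFO_DIRECTORY)) {
                Boolean notifyFlag = (Boolean) ace2.getContextData(Constants.NOTIFY_KEY);
                String comment = (String) ace2.getContextData(Constants.COMMENT_KEY);
                String oldEntryId = PermissionHelper.computeDirectoryId(sourceDocument, str, ace.getId());
                if (session.getEntry(oldEntryId) != null) {
                    session.deleteEntry(oldEntryId);
                }
                boolean notify = notifyFlag != null && notifyFlag.booleanValue();
                session.createEntry(PermissionHelper.createDirectoryEntry(sourceDocument, str, ace2, notify, comment));
                if (notify && ace2.isGranted() && ace2.isEffective()) {
                    firePermissionNotificationEvent(documentEventContext, str, ace2);
                }
            }
        });
    }

    /**
     * Computes, per ACL name, which ACEs were added and which were removed between two ACPs.
     *
     * <p>An ACL present only in {@code acp2} yields a diff with all of its ACEs as added. An ACL
     * present only in {@code acp} yields a diff with all of its ACEs as removed. An ACL present
     * in both yields a diff with the ACEs unique to each side. ACE comparison relies on
     * {@code List.removeAll}, i.e. on {@code ACE.equals}.
     *
     * @param acp the ACP before the change
     * @param acp2 the ACP after the change
     * @return one {@link ACLDiff} per added, removed or common ACL; never {@code null}
     */
    protected List<ACLDiff> extractACLDiffs(ACP acp, ACP acp2) {
        List<ACLDiff> diffs = new ArrayList<>();
        List<String> oldNames = toACLNames(acp);
        List<String> newNames = toACLNames(acp2);

        List<String> addedNames = new ArrayList<>(newNames);
        addedNames.removeAll(oldNames);
        List<String> removedNames = new ArrayList<>(oldNames);
        removedNames.removeAll(newNames);

        for (String name : addedNames) {
            List<ACE> added = new ArrayList<ACE>(acp2.getACL(name));
            diffs.add(new ACLDiff(name, added, null));
        }
        for (String name : removedNames) {
            List<ACE> removed = new ArrayList<ACE>(acp.getACL(name));
            diffs.add(new ACLDiff(name, null, removed));
        }
        for (ACL newACL : acp2.getACLs()) {
            ACL oldACL = acp.getACL(newACL.getName());
            // ACLs that exist only on the new side were already handled through addedNames.
            if (oldACL != null) {
                List<ACE> added = new ArrayList<ACE>(newACL);
                List<ACE> removed = new ArrayList<ACE>(oldACL);
                added.removeAll(oldACL);
                removed.removeAll(newACL);
                diffs.add(new ACLDiff(newACL.getName(), added, removed));
            }
        }
        return diffs;
    }

    /**
     * Collects the names of all ACLs in an ACP.
     *
     * @param acp the ACP to inspect
     * @return a new mutable list of ACL names, in the order returned by {@code acp.getACLs()}
     */
    protected List<String> toACLNames(ACP acp) {
        List<String> names = new ArrayList<>();
        for (ACL acl : acp.getACLs()) {
            names.add(acl.getName());
        }
        return names;
    }

    /**
     * Stores the ACE and ACL name on the event context and fires the permission notification
     * event with that context.
     *
     * @param documentEventContext context reused as the payload of the notification event
     * @param str name of the ACL holding the ACE
     * @param ace the ACE to announce
     */
    protected void firePermissionNotificationEvent(DocumentEventContext documentEventContext, String str, ACE ace) {
        documentEventContext.setProperty(Constants.ACE_KEY, ace);
        documentEventContext.setProperty(Constants.ACL_NAME_KEY, str);
        ((EventService) Framework.getService(EventService.class)).fireEvent(Constants.PERMISSION_NOTIFICATION_EVENT, documentEventContext);
    }

    /**
     * Acquires a transient-user token for the ACE's user, unless the ACE is archived.
     *
     * <p>NOTE(review): the call is gated on {@code isArchived()} only, not on
     * {@code isGranted()}. Confirm that {@code TransientUserPermissionHelper.acquireToken}
     * ignores denied ACEs and non-transient users, so that a deny entry never yields a token.
     *
     * @param documentModel the document the ACE applies to
     * @param ace the newly added ACE
     */
    protected void addToken(DocumentModel documentModel, ACE ace) {
        if (ace.isArchived()) {
            return;
        }
        TransientUserPermissionHelper.acquireToken(ace.getUsername(), documentModel, ace.getPermission());
    }

    /**
     * Revokes the transient-user token of the ACE's user on the document.
     *
     * <p>NOTE(review): revocation is keyed on user name and document only. Confirm that the
     * helper behaves as intended when the same user still holds another ACE on this document.
     *
     * @param documentModel the document the ACE applied to
     * @param ace the removed ACE
     */
    protected void removeToken(DocumentModel documentModel, ACE ace) {
        TransientUserPermissionHelper.revokeToken(ace.getUsername(), documentModel);
    }
}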
