package org.apache.jackrabbit.vault.fs.impl.io;

import java.io.IOException;
import java.util.Arrays;
import java.util.Collection;
import java.util.Deque;
import java.util.HashSet;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import javax.jcr.NamespaceException;
import javax.jcr.Node;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.ValueFormatException;
import org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl.Constants;
import org.apache.jackrabbit.spi.Name;
import org.apache.jackrabbit.spi.commons.conversion.DefaultNamePathResolver;
import org.apache.jackrabbit.spi.commons.conversion.NamePathResolver;
import org.apache.jackrabbit.spi.commons.name.NameConstants;
import org.apache.jackrabbit.spi.commons.name.NameFactoryImpl;
import org.apache.jackrabbit.vault.fs.io.AccessControlHandling;
import org.apache.jackrabbit.vault.fs.spi.impl.jcr20.JackrabbitACLManagement;
import org.apache.jackrabbit.vault.fs.spi.impl.jcr20.accesscontrol.AbstractAccessControlEntry;
import org.apache.jackrabbit.vault.fs.spi.impl.jcr20.accesscontrol.JackrabbitAccessControlEntryBuilder;
import org.apache.jackrabbit.vault.fs.spi.impl.jcr20.accesscontrol.JackrabbitAccessControlPolicyBuilder;
import org.apache.jackrabbit.vault.fs.spi.impl.jcr20.accesscontrol.PrincipalBasedAccessControlEntry;
import org.apache.jackrabbit.vault.fs.spi.impl.jcr20.accesscontrol.PrincipalBasedAccessControlList;
import org.apache.jackrabbit.vault.fs.spi.impl.jcr20.accesscontrol.PrincipalSetAccessControlPolicy;
import org.apache.jackrabbit.vault.fs.spi.impl.jcr20.accesscontrol.ResourceBasedAccessControlEntry;
import org.apache.jackrabbit.vault.fs.spi.impl.jcr20.accesscontrol.ResourceBasedAccessControlList;
import org.apache.jackrabbit.vault.util.DocViewNode2;
import org.apache.jackrabbit.vault.util.UncheckedRepositoryException;
import org.apache.jackrabbit.vault.util.UncheckedValueFormatException;
import org.slf4j.Logger;

/* loaded from: input_file:lib/slingcms.far:org/apache/jackrabbit/vault/org.apache.jackrabbit.vault/3.7.0/org.apache.jackrabbit.vault-3.7.0.jar:org/apache/jackrabbit/vault/fs/impl/io/JackrabbitACLImporter.class */
public class JackrabbitACLImporter implements DocViewAdapter {
    private final Session session;
    private final AccessControlHandling aclHandling;
    private final String accessControlledPath;
    private final NamePathResolver resolver;
    private JackrabbitAccessControlPolicyBuilder<?> policyBuilder;
    private JackrabbitAccessControlEntryBuilder<? extends AbstractAccessControlEntry> entryBuilder;
    private final Deque<State> states;
    private static final Name NAME_REP_EFFECTIVE_PATH = NameFactoryImpl.getInstance().create("internal", "effectivePath");
    private static final Name NAME_REP_PRINCIPAL_NAMES = NameFactoryImpl.getInstance().create("internal", "principalNames");
    private static final Logger log = DocViewImporter.log;
    private static final Set<Name> NON_RESTRICTION_PROPERTY_NAMES = new HashSet(Arrays.asList(NameConstants.REP_PRINCIPAL_NAME, NameConstants.JCR_PRIMARYTYPE, NameConstants.JCR_MIXINTYPES, NameConstants.REP_PRIVILEGES));

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:lib/slingcms.far:org/apache/jackrabbit/vault/org.apache.jackrabbit.vault/3.7.0/org.apache.jackrabbit.vault-3.7.0.jar:org/apache/jackrabbit/vault/fs/impl/io/JackrabbitACLImporter$State.class */
    public enum State {
        INITIAL,
        RESOURCE_BASED_ACL,
        PRINCIPAL_BASED_ACL,
        PRINCIPAL_SET_POLICY,
        RESOURCE_BASED_ACE,
        PRINCIPAL_BASED_ACE,
        RESTRICTION
    }

    public JackrabbitACLImporter(Node node, AccessControlHandling accessControlHandling) throws RepositoryException {
        this(node.getSession(), node.getPath(), accessControlHandling);
    }

    public JackrabbitACLImporter(Session session, AccessControlHandling accessControlHandling) throws RepositoryException {
        this(session, null, accessControlHandling);
    }

    private JackrabbitACLImporter(Session session, String str, AccessControlHandling accessControlHandling) throws RepositoryException {
        this.states = new LinkedList();
        if (accessControlHandling == AccessControlHandling.CLEAR || accessControlHandling == AccessControlHandling.IGNORE) {
            throw new RepositoryException("Error while reading access control content: unsupported AccessControlHandling: " + accessControlHandling);
        }
        this.accessControlledPath = str;
        this.session = session;
        this.aclHandling = accessControlHandling;
        this.states.push(State.INITIAL);
        this.resolver = new DefaultNamePathResolver(session);
    }

    @Override // org.apache.jackrabbit.vault.fs.impl.io.DocViewAdapter
    public void startNode(DocViewNode2 docViewNode2) throws RepositoryException, IOException {
        State peek = this.states.peek();
        try {
            switch (peek) {
                case INITIAL:
                    String orElseThrow = docViewNode2.getPrimaryType().orElseThrow(() -> {
                        return new IllegalStateException("Error while reading access control content: Missing 'jcr:primaryType'");
                    });
                    if ("rep:ACL".equals(orElseThrow)) {
                        this.policyBuilder = new ResourceBasedAccessControlList.Builder();
                        peek = State.RESOURCE_BASED_ACL;
                        break;
                    } else if (JackrabbitACLManagement.NT_REP_CUG_POLICY.equals(orElseThrow)) {
                        this.policyBuilder = new PrincipalSetAccessControlPolicy.Builder(docViewNode2.getPropertyValues(NAME_REP_PRINCIPAL_NAMES));
                        peek = State.PRINCIPAL_SET_POLICY;
                        break;
                    } else {
                        if (!"rep:PrincipalPolicy".equals(orElseThrow)) {
                            throw new IOException("Error while reading access control content: Expected rep:ACL, rep:PrincipalPolicy or rep:CugPolicy primary type but found: " + docViewNode2.getPrimaryType().toString());
                        }
                        this.policyBuilder = new PrincipalBasedAccessControlList.Builder(docViewNode2.getPropertyValue(NameConstants.REP_PRINCIPAL_NAME).orElseThrow(() -> {
                            return new IllegalStateException("mandatory property 'rep:principalName' missing on principal policy node");
                        }));
                        peek = State.PRINCIPAL_BASED_ACL;
                        break;
                    }
                case RESOURCE_BASED_ACL:
                case PRINCIPAL_BASED_ACL:
                case RESOURCE_BASED_ACE:
                case PRINCIPAL_BASED_ACE:
                case RESTRICTION:
                    peek = startEntryNode(docViewNode2, peek);
                    break;
                case PRINCIPAL_SET_POLICY:
                    throw new IOException("Error while reading access control content: Unexpected node: " + docViewNode2.getPrimaryType().orElse("") + " for state " + peek);
            }
            this.states.push(peek);
        } catch (UncheckedRepositoryException e) {
            throw e.getCause();
        }
    }

    private State startEntryNode(DocViewNode2 docViewNode2, State state) throws IOException {
        State state2;
        boolean z;
        switch (state) {
            case RESOURCE_BASED_ACL:
                String orElseThrow = docViewNode2.getPrimaryType().orElseThrow(() -> {
                    return new IllegalStateException("mandatory property 'jcr:primaryType' missing on ace node");
                });
                if ("rep:GrantACE".equals(orElseThrow)) {
                    z = true;
                } else {
                    if (!"rep:DenyACE".equals(orElseThrow)) {
                        throw new IOException("Unexpected node ACE type inside resource based ACL: " + docViewNode2.getPrimaryType());
                    }
                    z = false;
                }
                this.entryBuilder = new ResourceBasedAccessControlEntry.Builder(docViewNode2.getPropertyValues(NameConstants.REP_PRIVILEGES), z, docViewNode2.getPropertyValue(NameConstants.REP_PRINCIPAL_NAME).orElseThrow(() -> {
                    return new IllegalStateException("mandatory property 'rep:principalName' missing");
                }));
                extractRestrictions(docViewNode2).entrySet().stream().forEach(entry -> {
                    this.entryBuilder.addRestriction((String) entry.getKey(), (Value[]) entry.getValue());
                });
                state2 = State.RESOURCE_BASED_ACE;
                break;
            case PRINCIPAL_BASED_ACL:
                if (!Constants.NT_REP_PRINCIPAL_ENTRY.equals(docViewNode2.getPrimaryType().orElseThrow(() -> {
                    return new IllegalStateException("mandatory property 'jcr:primaryType' missing on principal policy node");
                }))) {
                    throw new IOException("Unexpected node ACE type inside principal based ACL: " + docViewNode2.getPrimaryType());
                }
                Collection<String> propertyValues = docViewNode2.getPropertyValues(NameConstants.REP_PRIVILEGES);
                String orElseThrow2 = docViewNode2.getPropertyValue(NAME_REP_EFFECTIVE_PATH).orElseThrow(() -> {
                    return new IllegalStateException("mandatory property 'rep:effectivePath ' missing on principal entry node");
                });
                this.entryBuilder = new PrincipalBasedAccessControlEntry.Builder(propertyValues, orElseThrow2.isEmpty() ? null : orElseThrow2);
                state2 = State.PRINCIPAL_BASED_ACE;
                break;
            case RESOURCE_BASED_ACE:
            case PRINCIPAL_BASED_ACE:
                if (!"rep:Restrictions".equals(docViewNode2.getPrimaryType().orElseThrow(() -> {
                    return new IllegalStateException("mandatory property 'jcr:primaryType' missing on principal policy node");
                }))) {
                    throw new IllegalArgumentException("Unexpected restriction type inside principal or resource based ACE: " + docViewNode2.getPrimaryType());
                }
                extractRestrictions(docViewNode2).entrySet().stream().forEach(entry2 -> {
                    this.entryBuilder.addRestriction((String) entry2.getKey(), (Value[]) entry2.getValue());
                });
                state2 = State.RESTRICTION;
                break;
            case RESTRICTION:
                throw new IOException("Restriction nodes are not supposed to have any children but found " + docViewNode2.toString());
            default:
                throw new IllegalArgumentException("This method must not be called with state " + state);
        }
        return state2;
    }

    private Map<String, Value[]> extractRestrictions(DocViewNode2 docViewNode2) {
        return (Map) docViewNode2.getProperties().stream().filter(docViewProperty2 -> {
            return !NON_RESTRICTION_PROPERTY_NAMES.contains(docViewProperty2.getName());
        }).collect(Collectors.toMap(docViewProperty22 -> {
            try {
                return this.resolver.getJCRName(docViewProperty22.getName());
            } catch (NamespaceException e) {
                throw new IllegalStateException("Cannot retrieve qualified name for " + docViewProperty22.getName().toString(), e);
            }
        }, docViewProperty23 -> {
            try {
                return (Value[]) docViewProperty23.getValues(this.session.getValueFactory()).toArray(new Value[0]);
            } catch (ValueFormatException e) {
                throw new UncheckedValueFormatException(e);
            } catch (RepositoryException e2) {
                throw new UncheckedRepositoryException(e2);
            }
        }));
    }

    @Override // org.apache.jackrabbit.vault.fs.impl.io.DocViewAdapter
    public void endNode() {
        switch (this.states.pop()) {
            case RESOURCE_BASED_ACE:
            case PRINCIPAL_BASED_ACE:
                this.policyBuilder.addEntry(this.entryBuilder.build());
                return;
            default:
                return;
        }
    }

    /* JADX WARN: Type inference failed for: r0v5, types: [org.apache.jackrabbit.vault.fs.spi.impl.jcr20.accesscontrol.JackrabbitAccessControlPolicy] */
    @Override // org.apache.jackrabbit.vault.fs.impl.io.DocViewAdapter
    public List<String> close() throws RepositoryException {
        if (this.states.peek() != State.INITIAL) {
            log.error("Unexpected end state: {}", this.states.peek());
        }
        return this.policyBuilder.build2().apply(this.session, this.aclHandling, this.accessControlledPath);
    }
}
