package com.composum.sling.core.service.impl;

import com.composum.sling.core.service.ServiceRestrictions;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import java.util.regex.Pattern;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.servlet.http.HttpSession;
import org.apache.commons.lang3.StringUtils;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.sling.api.SlingHttpServletRequest;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.osgi.framework.BundleContext;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Modified;
import org.osgi.service.metatype.annotations.AttributeDefinition;
import org.osgi.service.metatype.annotations.Designate;
import org.osgi.service.metatype.annotations.ObjectClassDefinition;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

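/**
 * OSGi implementation of {@link ServiceRestrictions}: resolves the permission configured for a service key and
 * decides whether a request may use a feature at a requested permission level.
 *
 * <p>Points a reviewer of this access-control component should keep in mind, all visible in the code below:
 * <ul>
 *   <li>With {@code enabled=false} every check passes and {@link #getPermission} reports {@code write}.</li>
 *   <li>The shipped default permission is {@code write}, so a key without a matching restriction is only
 *       limited if the default is lowered in the configuration.</li>
 *   <li>A permission stored in the HTTP session under {@code SA_PERMISSION} replaces the configured one when
 *       the user is allowed that option, see {@link #isPermissible}.</li>
 *   <li>Malformed configuration entries are ignored, which leaves the affected key on the default permission;
 *       they are logged so that a typo does not silently weaken the setup.</li>
 * </ul>
 *
 * <p>The component can be reconfigured while requests are served ({@code @Modified}); both maps are rebuilt
 * while holding their own monitor so that readers never observe the cleared intermediate state.
 */
@Designate(ocd = ServiceRestrictionsImpl.Config.class)
@Component(service = {ServiceRestrictions.class}, property = {"service.description=Composum Service Restrictions", "sling.filter.scope=REQUEST"}, immediate = true)
/* loaded from: input_file:lib/slingcms.far:com/composum/nodes/composum-nodes-commons/4.2.2/composum-nodes-commons-4.2.2.jar:com/composum/sling/core/service/impl/ServiceRestrictionsImpl.class */
public class ServiceRestrictionsImpl implements ServiceRestrictions {
    private static final Logger LOG = LoggerFactory.getLogger(ServiceRestrictionsImpl.class);
    private BundleContext bundleContext;
    // volatile: replaced by activate() on reconfiguration while request threads read it
    private volatile Config config;
    // configured restrictions by key; also used as a cache by getRestriction()
    private final Map<ServiceRestrictions.Key, ServiceRestrictions.Restriction> restrictions = Collections.synchronizedMap(new HashMap<>());
    // permission option -> user / group ids allowed to select it ("" = everybody)
    private final Map<ServiceRestrictions.Permission, Set<String>> userOptions = Collections.synchronizedMap(new HashMap<>());
    // not used by any method of this class
    private final Map<Pattern, ServiceRestrictions.Key> restrictedPaths = new LinkedHashMap<>();

    /** OSGi metatype configuration of the service restrictions. */
    @ObjectClassDefinition(name = "Composum Service Restrictions Configuration")
    /* loaded from: input_file:lib/slingcms.far:com/composum/nodes/composum-nodes-commons/4.2.2/composum-nodes-commons-4.2.2.jar:com/composum/sling/core/service/impl/ServiceRestrictionsImpl$Config.class */
    public @interface Config {
        /** General switch; when {@code false} no restriction is enforced at all. */
        @AttributeDefinition(description = "the general on/off switch for the restrictions (default: true)")
        boolean enabled() default true;

        /** Permission applied to keys that have no restriction of their own. */
        @AttributeDefinition(description = "the default permission if no restriction specified for a feature (default: write)")
        ServiceRestrictions.Permission defaultPermission() default ServiceRestrictions.Permission.write;

        /**
         * Comma separated {@code permission[:userOrGroupId]} entries; an entry without an id applies to
         * every user.
         */
        @AttributeDefinition(description = "the permission limit for the individual choice in the users session (default: 'write:admin')")
        String userOption() default "write:admin";

        /** Restriction rules, each of the form {@code key=restriction}. */
        @AttributeDefinition(description = "the set of service restrictions")
        String[] restrictions();
    }

    /**
     * Loads the configuration on activation and on every modification.
     *
     * @param bundleContext the bundle context of this component
     * @param config        the current configuration
     */
    @Activate
    @Modified
    protected void activate(BundleContext bundleContext, Config config) {
        this.bundleContext = bundleContext;
        this.config = config;
        // The synchronized wrappers lock on themselves, so holding the monitor makes clear + refill atomic
        // for concurrent get()/put() calls: no request sees an empty rule set during reconfiguration.
        synchronized (this.restrictions) {
            this.restrictions.clear();
            for (String rule : config.restrictions()) {
                addRestriction(rule);
            }
        }
        synchronized (this.userOptions) {
            this.userOptions.clear();
            for (String option : StringUtils.split(config.userOption(), ",")) {
                String[] parts = StringUtils.split(option, ":", 2);
                if (parts.length == 0) {
                    // an entry consisting of separators only has no permission name to parse
                    LOG.error("ignoring user option without permission name: '{}'", option);
                    continue;
                }
                try {
                    this.userOptions.computeIfAbsent(ServiceRestrictions.Permission.valueOf(parts[0]), permission -> new TreeSet<>())
                            .add(parts.length > 1 ? parts[1] : "");
                } catch (IllegalArgumentException e) {
                    // unknown permission name: the entry grants nothing
                    LOG.error("ignoring invalid user option '{}': {}", option, e.toString());
                }
            }
        }
    }

    /**
     * Checks whether the user of the request may select the given permission as a session option.
     *
     * <p>Every configured option that compares greater than or equal to {@code permission} is considered.
     * An option entry with a blank id allows everybody, and this is decided before the user id of the
     * request is looked at. Otherwise the user id or one of the ids returned by
     * {@link Authorizable#memberOf()} has to equal the configured id. A repository error during the group
     * lookup is logged and does not grant anything.
     *
     * @param slingHttpServletRequest the current request
     * @param permission              the permission the user wants to use
     * @return {@code true} if a configured option allows it
     */
    @Override // com.composum.sling.core.service.ServiceRestrictions
    public boolean isUserOptionAllowed(@NotNull SlingHttpServletRequest slingHttpServletRequest, @NotNull ServiceRestrictions.Permission permission) {
        String userID = slingHttpServletRequest.getResourceResolver().getUserID();
        // Collection views of a synchronizedMap must be iterated under its monitor; a snapshot keeps the
        // repository calls below outside of the lock.
        Map<ServiceRestrictions.Permission, Set<String>> options;
        synchronized (this.userOptions) {
            options = new HashMap<>(this.userOptions);
        }
        Authorizable authorizable = null;
        for (Map.Entry<ServiceRestrictions.Permission, Set<String>> option : options.entrySet()) {
            if (option.getKey().compareTo(permission) < 0) {
                continue;
            }
            for (String allowedId : option.getValue()) {
                if (StringUtils.isBlank(allowedId)) {
                    return true;
                }
                if (StringUtils.isBlank(userID)) {
                    continue;
                }
                if (userID.equals(allowedId)) {
                    return true;
                }
                if (authorizable == null) {
                    authorizable = getAuthorizable(slingHttpServletRequest);
                }
                if (authorizable == null) {
                    continue;
                }
                try {
                    Iterator<Group> memberOf = authorizable.memberOf();
                    if (memberOf == null) {
                        continue;
                    }
                    while (memberOf.hasNext()) {
                        if (memberOf.next().getID().equals(allowedId)) {
                            return true;
                        }
                    }
                } catch (RepositoryException e) {
                    LOG.error(e.getMessage(), e);
                }
            }
        }
        return false;
    }

    /**
     * @return the configured default permission (the method name is spelled as declared by the interface)
     */
    @Override // com.composum.sling.core.service.ServiceRestrictions
    public ServiceRestrictions.Permission getDefaultPermisson() {
        return this.config.defaultPermission();
    }

    /**
     * Registers one {@code key=restriction} rule.
     *
     * @param str the rule as configured; a rule without both parts is ignored and reported in the log
     */
    protected void addRestriction(@NotNull String str) {
        String[] split = StringUtils.split(str, "=", 2);
        if (split.length == 2) {
            this.restrictions.put(new ServiceRestrictions.Key(split[0]), new ServiceRestrictions.Restriction(split[1]));
        } else {
            // a dropped rule leaves its key on the default permission, so make the typo visible
            LOG.warn("ignoring malformed restriction '{}' (expected key=restriction)", str);
        }
    }

    /**
     * Returns the restriction for a key, falling back to the restriction of the nearest configured ancestor
     * key and finally to an empty {@link ServiceRestrictions.Restriction}.
     *
     * @param key the service key
     * @return the restriction, never {@code null}
     */
    @NotNull
    protected ServiceRestrictions.Restriction getRestriction(@NotNull ServiceRestrictions.Key key) {
        ServiceRestrictions.Restriction restriction = this.restrictions.get(key);
        if (restriction == null) {
            ServiceRestrictions.Key current = key;
            while (restriction == null) {
                // Cut the key after its last '/'. NOTE(review): the walk only advances if Key drops the
                // trailing '/' when it is constructed - presumably it does; verify against ServiceRestrictions.Key.
                String keyString = current.toString();
                current = new ServiceRestrictions.Key(keyString.substring(0, keyString.lastIndexOf('/') + 1));
                if (current.isEmpty()) {
                    break;
                }
                restriction = this.restrictions.get(current);
            }
            if (restriction == null) {
                restriction = new ServiceRestrictions.Restriction();
            }
            // stored under the key the walk ended on (the matching ancestor or the empty key)
            this.restrictions.put(current, restriction);
        }
        return restriction;
    }

    /**
     * Decides whether the requested permission is granted for a key.
     *
     * <p>Disabled restrictions permit everything. Otherwise the permission configured for the key is used,
     * unless the existing HTTP session (none is created here) holds a permission under {@code SA_PERMISSION}
     * and {@link #isUserOptionAllowed} accepts it for the user; that session value then replaces the
     * configured permission, whichever of the two is higher.
     *
     * @param slingHttpServletRequest the current request, may be {@code null}
     * @param key                     the service key, may be {@code null}
     * @param permission              the permission needed by the caller
     * @return {@code true} if the effective permission matches the needed one
     */
    @Override // com.composum.sling.core.service.ServiceRestrictions
    public boolean isPermissible(@Nullable SlingHttpServletRequest slingHttpServletRequest, @Nullable ServiceRestrictions.Key key, @NotNull ServiceRestrictions.Permission permission) {
        if (!this.config.enabled()) {
            return true;
        }
        ServiceRestrictions.Permission effective = getPermission(key);
        HttpSession session = slingHttpServletRequest != null ? slingHttpServletRequest.getSession(false) : null;
        if (session != null) {
            Object selected = session.getAttribute(SA_PERMISSION);
            if (selected instanceof ServiceRestrictions.Permission
                    && isUserOptionAllowed(slingHttpServletRequest, (ServiceRestrictions.Permission) selected)) {
                effective = (ServiceRestrictions.Permission) selected;
            }
        }
        return effective.matches(permission);
    }

    /**
     * @param key the service key, may be {@code null}
     * @return {@code write} if restrictions are disabled, otherwise the permission of the key's restriction
     *         or the configured default if the key is {@code null} or its restriction names no permission
     */
    @Override // com.composum.sling.core.service.ServiceRestrictions
    @NotNull
    public ServiceRestrictions.Permission getPermission(@Nullable ServiceRestrictions.Key key) {
        if (!this.config.enabled()) {
            return ServiceRestrictions.Permission.write;
        }
        if (key != null) {
            ServiceRestrictions.Restriction restriction = getRestriction(key);
            if (restriction.permission != null) {
                return restriction.permission;
            }
        }
        return this.config.defaultPermission();
    }

    /**
     * @param key the service key, may be {@code null}
     * @return the restrictions string of the key's restriction; {@code null} if restrictions are disabled or
     *         no key is given
     */
    @Override // com.composum.sling.core.service.ServiceRestrictions
    @Nullable
    public String getRestrictions(@Nullable ServiceRestrictions.Key key) {
        if (!this.config.enabled() || key == null) {
            return null;
        }
        return getRestriction(key).restrictions;
    }

    /**
     * Looks up the authorizable of the request's user through the user manager of its JCR session.
     *
     * @param slingHttpServletRequest the current request
     * @return the authorizable, or {@code null} if the user id is blank, the resolver has no Jackrabbit
     *         session or the lookup fails (the failure is logged)
     */
    @Nullable
    public Authorizable getAuthorizable(@NotNull SlingHttpServletRequest slingHttpServletRequest) {
        String userID = slingHttpServletRequest.getResourceResolver().getUserID();
        if (StringUtils.isBlank(userID)) {
            return null;
        }
        Session session = slingHttpServletRequest.getResourceResolver().adaptTo(Session.class);
        if (!(session instanceof JackrabbitSession)) {
            return null;
        }
        try {
            UserManager userManager = ((JackrabbitSession) session).getUserManager();
            return userManager != null ? userManager.getAuthorizable(userID) : null;
        } catch (RepositoryException e) {
            LOG.error(e.getMessage(), e);
            return null;
        }
    }

    /**
     * Evaluates an authorizable restriction, i.e. a string that starts with
     * {@code AUTHORIZABLE_RESTRICTION_PREFIX} followed by a comma separated list of user / group ids.
     *
     * <p>A blank string or one without the prefix is not an authorizable restriction and passes. Otherwise
     * the request's user must be resolvable as a {@link User} and its id or one of its group ids must be
     * listed; an unresolvable user and a repository error both deny.
     *
     * @param slingHttpServletRequest the current request
     * @param str                     the restrictions string, may be {@code null}
     * @return {@code true} if the request passes the restriction
     */
    @Override // com.composum.sling.core.service.ServiceRestrictions
    public boolean checkAuthorizables(@NotNull SlingHttpServletRequest slingHttpServletRequest, @Nullable String str) {
        if (StringUtils.isBlank(str) || !str.startsWith(ServiceRestrictions.AUTHORIZABLE_RESTRICTION_PREFIX)) {
            return true;
        }
        Authorizable authorizable = getAuthorizable(slingHttpServletRequest);
        if (!(authorizable instanceof User)) {
            return false;
        }
        try {
            String id = authorizable.getID();
            for (String allowedId : StringUtils.split(str.substring(ServiceRestrictions.AUTHORIZABLE_RESTRICTION_PREFIX.length()), ",")) {
                if (id.equals(allowedId)) {
                    return true;
                }
                Iterator<Group> memberOf = authorizable.memberOf();
                if (memberOf == null) {
                    // no group information: try the next listed id instead of dereferencing null
                    continue;
                }
                while (memberOf.hasNext()) {
                    if (memberOf.next().getID().equals(allowedId)) {
                        return true;
                    }
                }
            }
            return false;
        } catch (RepositoryException e) {
            LOG.error(e.getMessage(), e);
            return false;
        }
    }
}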
