package org.apache.sling.jcr.jackrabbit.accessmanager.post;

import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.EnumMap;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.ValueFactory;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlException;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import javax.servlet.Servlet;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.authorization.PrincipalAccessControlList;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionDefinition;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
import org.apache.sling.api.SlingHttpServletRequest;
import org.apache.sling.jcr.base.util.AccessControlUtil;
import org.apache.sling.jcr.jackrabbit.accessmanager.LocalPrivilege;
import org.apache.sling.jcr.jackrabbit.accessmanager.LocalRestriction;
import org.apache.sling.jcr.jackrabbit.accessmanager.ModifyAce;
import org.apache.sling.jcr.jackrabbit.accessmanager.impl.JsonConvert;
import org.apache.sling.jcr.jackrabbit.accessmanager.impl.PrivilegesHelper;
import org.apache.sling.servlets.post.Modification;
import org.apache.sling.servlets.post.PostResponse;
import org.apache.sling.servlets.post.PostResponseCreator;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
import org.osgi.service.component.annotations.ReferencePolicyOption;

@Component(service = {Servlet.class, ModifyAce.class}, property = {"sling.servlet.resourceTypes=sling/servlet/default", "sling.servlet.methods=POST", "sling.servlet.selectors=modifyAce", "sling.servlet.prefix:Integer=-1"}, reference = {@Reference(name = "RestrictionProvider", bind = "bindRestrictionProvider", cardinality = ReferenceCardinality.MULTIPLE, policyOption = ReferencePolicyOption.GREEDY, service = RestrictionProvider.class), @Reference(name = "PostResponseCreator", bind = "bindPostResponseCreator", cardinality = ReferenceCardinality.MULTIPLE, policyOption = ReferencePolicyOption.GREEDY, service = PostResponseCreator.class)})
/* loaded from: input_file:org/apache/sling/jcr/jackrabbit/accessmanager/post/ModifyAceServlet.class */
public class ModifyAceServlet extends AbstractAccessPostServlet implements ModifyAce {
    private static final long serialVersionUID = -9182485466670280437L;
    private static final String INVALID_OR_NOT_SUPPORTED_RESTRICTION_NAME_WAS_SUPPLIED = "Invalid restriction name was supplied";
    private static final Pattern PRIVILEGE_PATTERN = Pattern.compile(String.format("^privilege@(.+)(?<!%s)$", "@Delete"));
    private static final Pattern PRIVILEGE_PATTERN_DELETE = Pattern.compile(String.format("^privilege@(.+)%s$", "@Delete"));
    private static final Pattern RESTRICTION_PATTERN = Pattern.compile("^restriction@([^@]+)(@([^@]+)@(Allow|Deny))?$");
    private static final Pattern RESTRICTION_PATTERN_DELETE = Pattern.compile(String.format("^restriction@([^@]+)(@([^@]+))?%s$", "@Delete"));

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/sling/jcr/jackrabbit/accessmanager/post/ModifyAceServlet$DeleteValues.class */
    public enum DeleteValues {
        ALL("all"),
        ALLOW(JsonConvert.KEY_ALLOW),
        DENY(JsonConvert.KEY_DENY),
        INVALID("*");

        private String paramValue;

        DeleteValues(String str) {
            this.paramValue = str;
        }

        public static DeleteValues valueOfParam(String str) {
            return (DeleteValues) Stream.of((Object[]) values()).filter(deleteValues -> {
                return deleteValues.paramValue.equalsIgnoreCase(str);
            }).findFirst().orElse(INVALID);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/sling/jcr/jackrabbit/accessmanager/post/ModifyAceServlet$PrivilegeValues.class */
    public enum PrivilegeValues {
        ALLOW(JsonConvert.KEY_ALLOW),
        GRANTED("granted"),
        NONE("none"),
        DENIED("denied"),
        DENY(JsonConvert.KEY_DENY),
        INVALID("*");

        private String paramValue;

        PrivilegeValues(String str) {
            this.paramValue = str;
        }

        public String getParamValue() {
            return this.paramValue;
        }

        public static PrivilegeValues valueOfParam(String str) {
            return (PrivilegeValues) Stream.of((Object[]) values()).filter(privilegeValues -> {
                return privilegeValues.paramValue.equalsIgnoreCase(str);
            }).findFirst().orElse(INVALID);
        }
    }

    @Override // org.apache.sling.jcr.jackrabbit.accessmanager.post.AbstractAccessPostServlet
    protected void handleOperation(SlingHttpServletRequest slingHttpServletRequest, PostResponse postResponse, List<Modification> list) throws RepositoryException {
        Session session = (Session) slingHttpServletRequest.getResourceResolver().adaptTo(Session.class);
        String itemPath = getItemPath(slingHttpServletRequest);
        String parameter = slingHttpServletRequest.getParameter("principalId");
        String parameter2 = slingHttpServletRequest.getParameter(JsonConvert.KEY_ORDER);
        Principal validateArgs = validateArgs(session, itemPath, parameter);
        Map<String, RestrictionDefinition> buildRestrictionNameToDefinitionMap = buildRestrictionNameToDefinitionMap(itemPath);
        AccessControlManager accessControlManager = AccessControlUtil.getAccessControlManager(session);
        Map<Privilege, Integer> buildPrivilegeLongestDepthMap = PrivilegesHelper.buildPrivilegeLongestDepthMap(accessControlManager.privilegeFromName("jcr:all"));
        Map<Privilege, LocalPrivilege> loadStoredAce = loadStoredAce(accessControlManager, itemPath, validateArgs, buildRestrictionNameToDefinitionMap);
        processPostedPrivilegeDeleteParams(accessControlManager, slingHttpServletRequest, loadStoredAce);
        processPostedRestrictionDeleteParams(accessControlManager, slingHttpServletRequest, buildRestrictionNameToDefinitionMap, loadStoredAce);
        processPostedPrivilegeAndRestrictionParams(accessControlManager, slingHttpServletRequest, buildRestrictionNameToDefinitionMap, loadStoredAce, buildPrivilegeLongestDepthMap);
        PrivilegesHelper.consolidateAggregates(session, itemPath, loadStoredAce, buildPrivilegeLongestDepthMap);
        modifyAce(session, itemPath, parameter, loadStoredAce.values(), parameter2, false, list);
    }

    @NotNull
    protected Principal validateArgs(Session session, String str, String str2) throws RepositoryException {
        if (session == null) {
            throw new RepositoryException("JCR Session not found");
        }
        if (RestrictionProvider.EMPTY.equals(getRestrictionProvider())) {
            throw new IllegalStateException("No restriction provider is available so unable to process POSTed restriction values");
        }
        if (str2 == null) {
            throw new RepositoryException("principalId was not submitted.");
        }
        Principal principal = AccessControlUtil.getPrincipalManager(session).getPrincipal(str2);
        if (principal == null) {
            throw new RepositoryException("Invalid principalId was submitted.");
        }
        validateResourcePath(session, str);
        if (getAcl(AccessControlUtil.getAccessControlManager(session), str, principal) == null) {
            throw new IllegalStateException("No access control list is available so unable to process");
        }
        return principal;
    }

    @NotNull
    protected Map<String, RestrictionDefinition> buildRestrictionNameToDefinitionMap(@NotNull String str) {
        Set<RestrictionDefinition> supportedRestrictions = getRestrictionProvider().getSupportedRestrictions(str);
        HashMap hashMap = new HashMap();
        for (RestrictionDefinition restrictionDefinition : supportedRestrictions) {
            hashMap.put(restrictionDefinition.getName(), restrictionDefinition);
        }
        return hashMap;
    }

    @NotNull
    protected Map<Privilege, LocalPrivilege> loadStoredAce(@NotNull AccessControlManager accessControlManager, @NotNull String str, @NotNull Principal principal, @NotNull Map<String, RestrictionDefinition> map) throws RepositoryException {
        Privilege[] privileges;
        HashMap hashMap = new HashMap();
        for (AccessControlEntry accessControlEntry : getAcl(accessControlManager, str, principal).getAccessControlEntries()) {
            JackrabbitAccessControlEntry jackrabbitAccessControlEntry = getJackrabbitAccessControlEntry(accessControlEntry, str, principal);
            if (jackrabbitAccessControlEntry != null && (privileges = jackrabbitAccessControlEntry.getPrivileges()) != null) {
                boolean isAllow = jackrabbitAccessControlEntry.isAllow();
                String[] restrictionNames = jackrabbitAccessControlEntry.getRestrictionNames();
                HashSet hashSet = new HashSet();
                for (String str2 : restrictionNames) {
                    RestrictionDefinition restrictionDefinition = map.get(str2);
                    if (restrictionDefinition != null) {
                        if (restrictionDefinition.getRequiredType().isArray()) {
                            hashSet.add(new LocalRestriction(restrictionDefinition, jackrabbitAccessControlEntry.getRestrictions(str2)));
                        } else {
                            hashSet.add(new LocalRestriction(restrictionDefinition, jackrabbitAccessControlEntry.getRestriction(str2)));
                        }
                    }
                }
                if (isAllow) {
                    PrivilegesHelper.allow(hashMap, hashSet, Arrays.asList(privileges));
                } else {
                    PrivilegesHelper.deny(hashMap, hashSet, Arrays.asList(privileges));
                }
            }
        }
        return hashMap;
    }

    @Nullable
    protected JackrabbitAccessControlEntry getJackrabbitAccessControlEntry(@NotNull AccessControlEntry accessControlEntry, @NotNull String str, @NotNull Principal principal) {
        JackrabbitAccessControlEntry jackrabbitAccessControlEntry = null;
        if ((accessControlEntry instanceof JackrabbitAccessControlEntry) && accessControlEntry.getPrincipal().equals(principal)) {
            jackrabbitAccessControlEntry = (JackrabbitAccessControlEntry) accessControlEntry;
        }
        return jackrabbitAccessControlEntry;
    }

    @NotNull
    protected Map<String, Matcher> getMatchedRequestParameterNames(@NotNull SlingHttpServletRequest slingHttpServletRequest, @NotNull Pattern pattern) {
        HashMap hashMap = new HashMap();
        Enumeration parameterNames = slingHttpServletRequest.getParameterNames();
        while (parameterNames.hasMoreElements()) {
            String str = (String) parameterNames.nextElement();
            Matcher matcher = pattern.matcher(str);
            if (matcher.matches()) {
                hashMap.put(str, matcher);
            }
        }
        return hashMap;
    }

    protected void processPostedPrivilegeDeleteParams(@NotNull AccessControlManager accessControlManager, @NotNull SlingHttpServletRequest slingHttpServletRequest, @NotNull Map<Privilege, LocalPrivilege> map) throws RepositoryException {
        for (Map.Entry<String, Matcher> entry : getMatchedRequestParameterNames(slingHttpServletRequest, PRIVILEGE_PATTERN_DELETE).entrySet()) {
            String key = entry.getKey();
            Privilege privilegeFromName = accessControlManager.privilegeFromName(entry.getValue().group(1));
            DeleteValues valueOfParam = DeleteValues.valueOfParam(slingHttpServletRequest.getParameter(key));
            if (DeleteValues.ALL.equals(valueOfParam) || DeleteValues.ALLOW.equals(valueOfParam)) {
                PrivilegesHelper.unallow(map, Collections.singleton(privilegeFromName));
            }
            if (DeleteValues.ALL.equals(valueOfParam) || DeleteValues.DENY.equals(valueOfParam)) {
                PrivilegesHelper.undeny(map, Collections.singleton(privilegeFromName));
            }
        }
    }

    protected void processPostedRestrictionDeleteParams(@NotNull AccessControlManager accessControlManager, @NotNull SlingHttpServletRequest slingHttpServletRequest, @NotNull Map<String, RestrictionDefinition> map, @NotNull Map<Privilege, LocalPrivilege> map2) throws RepositoryException {
        String str;
        String group;
        for (Map.Entry<String, Matcher> entry : getMatchedRequestParameterNames(slingHttpServletRequest, RESTRICTION_PATTERN_DELETE).entrySet()) {
            String key = entry.getKey();
            Matcher value = entry.getValue();
            if (value.group(2) != null) {
                str = value.group(1);
                group = value.group(3);
            } else {
                str = null;
                group = value.group(1);
            }
            if (map.get(group) == null) {
                throw new AccessControlException(INVALID_OR_NOT_SUPPORTED_RESTRICTION_NAME_WAS_SUPPLIED);
            }
            Collection keySet = str == null ? map2.keySet() : Collections.singletonList(accessControlManager.privilegeFromName(str));
            int length = (str == null ? new String[]{"all"} : slingHttpServletRequest.getParameterValues(key)).length;
            for (int i = 0; i < length; i++) {
                switch (DeleteValues.valueOfParam(r0[i])) {
                    case ALL:
                        PrivilegesHelper.unallowOrUndenyRestriction(map2, group, keySet);
                        break;
                    case ALLOW:
                        PrivilegesHelper.unallowRestriction(map2, group, keySet);
                        break;
                    case DENY:
                        PrivilegesHelper.undenyRestriction(map2, group, keySet);
                        break;
                }
            }
        }
    }

    protected Set<LocalRestriction> postedRestrictionsForPrivilege(@NotNull SlingHttpServletRequest slingHttpServletRequest, @NotNull Map<String, RestrictionDefinition> map, @NotNull Privilege privilege, @NotNull PrivilegeValues privilegeValues, @NotNull Set<LocalRestriction> set) throws RepositoryException {
        String str;
        String group;
        PrivilegeValues privilegeValues2;
        HashSet hashSet = new HashSet(set);
        for (Map.Entry<String, Matcher> entry : getMatchedRequestParameterNames(slingHttpServletRequest, RESTRICTION_PATTERN).entrySet()) {
            String key = entry.getKey();
            Matcher value = entry.getValue();
            if (value.group(2) != null) {
                str = value.group(1);
                group = value.group(3);
                privilegeValues2 = PrivilegeValues.valueOfParam(value.group(4));
            } else {
                str = null;
                group = value.group(1);
                privilegeValues2 = null;
            }
            if (str == null || privilege.getName().equals(str)) {
                if (privilegeValues2 == null || privilegeValues.equals(privilegeValues2)) {
                    LocalRestriction localRestriction = toLocalRestriction(slingHttpServletRequest, map, group, key);
                    hashSet.removeIf(localRestriction2 -> {
                        return localRestriction2.getName().equals(localRestriction.getName());
                    });
                    hashSet.add(localRestriction);
                }
            }
        }
        return hashSet;
    }

    protected LocalRestriction toLocalRestriction(@NotNull SlingHttpServletRequest slingHttpServletRequest, @NotNull Map<String, RestrictionDefinition> map, @NotNull String str, @NotNull String str2) throws RepositoryException {
        LocalRestriction localRestriction;
        RestrictionDefinition restrictionDefinition = map.get(str);
        if (restrictionDefinition == null) {
            throw new AccessControlException(INVALID_OR_NOT_SUPPORTED_RESTRICTION_NAME_WAS_SUPPLIED);
        }
        ValueFactory valueFactory = ((Session) slingHttpServletRequest.getResourceResolver().adaptTo(Session.class)).getValueFactory();
        int tag = restrictionDefinition.getRequiredType().tag();
        if (restrictionDefinition.getRequiredType().isArray()) {
            String[] parameterValues = slingHttpServletRequest.getParameterValues(str2);
            Value[] valueArr = new Value[parameterValues.length];
            for (int i = 0; i < parameterValues.length; i++) {
                valueArr[i] = valueFactory.createValue(parameterValues[i], tag);
            }
            localRestriction = new LocalRestriction(restrictionDefinition, valueArr);
        } else {
            localRestriction = new LocalRestriction(restrictionDefinition, valueFactory.createValue(slingHttpServletRequest.getParameter(str2), tag));
        }
        return localRestriction;
    }

    protected void processPostedPrivilegeAndRestrictionParams(@NotNull AccessControlManager accessControlManager, @NotNull SlingHttpServletRequest slingHttpServletRequest, @NotNull Map<String, RestrictionDefinition> map, @NotNull Map<Privilege, LocalPrivilege> map2, @NotNull Map<Privilege, Integer> map3) throws RepositoryException {
        Map<String, Matcher> matchedRequestParameterNames = getMatchedRequestParameterNames(slingHttpServletRequest, PRIVILEGE_PATTERN);
        HashMap hashMap = new HashMap();
        for (Map.Entry<String, Matcher> entry : matchedRequestParameterNames.entrySet()) {
            ((Set) hashMap.computeIfAbsent(accessControlManager.privilegeFromName(entry.getValue().group(1)), privilege -> {
                return new HashSet();
            })).addAll(Arrays.asList(slingHttpServletRequest.getParameterValues(entry.getKey())));
        }
        HashSet hashSet = new HashSet();
        for (Map.Entry<String, Matcher> entry2 : getMatchedRequestParameterNames(slingHttpServletRequest, RESTRICTION_PATTERN).entrySet()) {
            Matcher value = entry2.getValue();
            if (value.group(2) != null) {
                PrivilegeValues valueOfParam = PrivilegeValues.valueOfParam(value.group(4));
                if (PrivilegeValues.ALLOW.equals(valueOfParam) || PrivilegeValues.DENY.equals(valueOfParam)) {
                    ((Set) hashMap.computeIfAbsent(accessControlManager.privilegeFromName(value.group(1)), privilege2 -> {
                        return new HashSet();
                    })).add(valueOfParam.getParamValue());
                }
            } else {
                LocalRestriction localRestriction = toLocalRestriction(slingHttpServletRequest, map, value.group(1), entry2.getKey());
                hashSet.removeIf(localRestriction2 -> {
                    return localRestriction2.getName().equals(localRestriction.getName());
                });
                hashSet.add(localRestriction);
            }
        }
        if (!hashSet.isEmpty()) {
            for (Map.Entry<Privilege, LocalPrivilege> entry3 : map2.entrySet()) {
                Privilege key = entry3.getKey();
                if (!hashMap.containsKey(key)) {
                    LocalPrivilege value2 = entry3.getValue();
                    applyPrivilegeAndRestrictions(map2, key, value2.isAllow(), hashSet, value2.isDeny(), hashSet);
                }
            }
        }
        ArrayList<Map.Entry> arrayList = new ArrayList(hashMap.entrySet());
        Collections.sort(arrayList, (entry4, entry5) -> {
            return ((Integer) map3.get(entry4.getKey())).compareTo((Integer) map3.get(entry5.getKey()));
        });
        for (Map.Entry entry6 : arrayList) {
            Set set = (Set) entry6.getValue();
            Privilege privilege3 = (Privilege) entry6.getKey();
            List<PrivilegeValues> list = (List) set.stream().map(PrivilegeValues::valueOfParam).sorted((privilegeValues, privilegeValues2) -> {
                return Integer.compare(privilegeValues2.ordinal(), privilegeValues.ordinal());
            }).collect(Collectors.toList());
            boolean z = false;
            boolean z2 = false;
            Set<LocalRestriction> emptySet = Collections.emptySet();
            boolean z3 = false;
            Set<LocalRestriction> emptySet2 = Collections.emptySet();
            for (PrivilegeValues privilegeValues3 : list) {
                switch (privilegeValues3) {
                    case DENY:
                    case DENIED:
                        z3 = true;
                        emptySet2 = postedRestrictionsForPrivilege(slingHttpServletRequest, map, privilege3, privilegeValues3, hashSet);
                        break;
                    case ALLOW:
                    case GRANTED:
                        z2 = true;
                        emptySet = postedRestrictionsForPrivilege(slingHttpServletRequest, map, privilege3, privilegeValues3, hashSet);
                        break;
                    case NONE:
                        z = true;
                        break;
                }
            }
            if (z) {
                PrivilegesHelper.none(map2, Collections.singleton(privilege3));
            }
            applyPrivilegeAndRestrictions(map2, privilege3, z2, emptySet, z3, emptySet2);
        }
    }

    protected void applyPrivilegeAndRestrictions(@NotNull Map<Privilege, LocalPrivilege> map, @NotNull Privilege privilege, boolean z, @NotNull Set<LocalRestriction> set, boolean z2, @NotNull Set<LocalRestriction> set2) throws RepositoryException {
        if (z) {
            PrivilegesHelper.unallowRestrictions(map, (Collection) set.stream().map((v0) -> {
                return v0.getName();
            }).collect(Collectors.toSet()), Collections.singleton(privilege));
        }
        if (z2) {
            PrivilegesHelper.undenyRestrictions(map, (Collection) set2.stream().map((v0) -> {
                return v0.getName();
            }).collect(Collectors.toSet()), Collections.singleton(privilege));
        }
        if (z && z2) {
            PrivilegesHelper.allowAndDeny(map, z, set, z2, set2, Collections.singleton(privilege));
        } else if (z) {
            PrivilegesHelper.allow(map, set, Collections.singleton(privilege));
        } else if (z2) {
            PrivilegesHelper.deny(map, set2, Collections.singleton(privilege));
        }
    }

    protected JackrabbitAccessControlList getAcl(@NotNull AccessControlManager accessControlManager, String str, Principal principal) throws RepositoryException {
        JackrabbitAccessControlList[] policies = accessControlManager.getPolicies(str);
        JackrabbitAccessControlList jackrabbitAccessControlList = null;
        int length = policies.length;
        int i = 0;
        while (true) {
            if (i >= length) {
                break;
            }
            JackrabbitAccessControlList jackrabbitAccessControlList2 = policies[i];
            if (jackrabbitAccessControlList2 instanceof JackrabbitAccessControlList) {
                jackrabbitAccessControlList = jackrabbitAccessControlList2;
                break;
            }
            i++;
        }
        if (jackrabbitAccessControlList == null) {
            AccessControlPolicyIterator applicablePolicies = accessControlManager.getApplicablePolicies(str);
            while (true) {
                if (!applicablePolicies.hasNext()) {
                    break;
                }
                AccessControlPolicy nextAccessControlPolicy = applicablePolicies.nextAccessControlPolicy();
                if (nextAccessControlPolicy instanceof JackrabbitAccessControlList) {
                    jackrabbitAccessControlList = (JackrabbitAccessControlList) nextAccessControlPolicy;
                    break;
                }
            }
        }
        return jackrabbitAccessControlList;
    }

    protected String removeAces(@NotNull String str, @Nullable String str2, @NotNull Principal principal, @NotNull JackrabbitAccessControlList jackrabbitAccessControlList) throws RepositoryException {
        AccessControlEntry[] accessControlEntries = jackrabbitAccessControlList.getAccessControlEntries();
        if (str2 == null || str2.length() == 0) {
            HashSet hashSet = new HashSet();
            int i = 0;
            while (true) {
                if (i >= accessControlEntries.length) {
                    break;
                }
                Principal principal2 = accessControlEntries[i].getPrincipal();
                if (principal2.equals(principal)) {
                    str2 = String.valueOf(hashSet.size());
                    break;
                }
                hashSet.add(principal2);
                i++;
            }
        }
        for (AccessControlEntry accessControlEntry : accessControlEntries) {
            if (accessControlEntry.getPrincipal().equals(principal)) {
                jackrabbitAccessControlList.removeAccessControlEntry(accessControlEntry);
            }
        }
        return str2;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void addAces(@NotNull String str, @NotNull Principal principal, @NotNull Map<Set<LocalRestriction>, List<LocalPrivilege>> map, boolean z, @NotNull JackrabbitAccessControlList jackrabbitAccessControlList, Map<Privilege, Integer> map2) throws RepositoryException {
        ArrayList<Map.Entry> arrayList = new ArrayList(map.entrySet());
        Collections.sort(arrayList, (entry, entry2) -> {
            int i = Integer.MAX_VALUE;
            Iterator it = ((List) entry.getValue()).iterator();
            while (it.hasNext()) {
                Integer num = (Integer) map2.get(((LocalPrivilege) it.next()).getPrivilege());
                if (num != null && num.intValue() < i) {
                    i = num.intValue();
                }
            }
            int i2 = Integer.MAX_VALUE;
            Iterator it2 = ((List) entry2.getValue()).iterator();
            while (it2.hasNext()) {
                Integer num2 = (Integer) map2.get(((LocalPrivilege) it2.next()).getPrivilege());
                if (num2 != null && num2.intValue() < i2) {
                    i2 = num2.intValue();
                }
            }
            return Integer.compare(i, i2);
        });
        for (Map.Entry entry3 : arrayList) {
            HashSet hashSet = new HashSet();
            HashMap hashMap = new HashMap();
            HashMap hashMap2 = new HashMap();
            for (LocalRestriction localRestriction : (Set) entry3.getKey()) {
                if (localRestriction.isMultiValue()) {
                    hashMap2.put(localRestriction.getName(), localRestriction.getValues());
                } else {
                    hashMap.put(localRestriction.getName(), localRestriction.getValue());
                }
            }
            Iterator it = ((List) entry3.getValue()).iterator();
            while (it.hasNext()) {
                hashSet.add(((LocalPrivilege) it.next()).getPrivilege());
            }
            if (!hashSet.isEmpty()) {
                if (jackrabbitAccessControlList instanceof PrincipalAccessControlList) {
                    ((PrincipalAccessControlList) jackrabbitAccessControlList).addEntry(str, (Privilege[]) hashSet.toArray(new Privilege[hashSet.size()]), hashMap, hashMap2);
                } else {
                    jackrabbitAccessControlList.addEntry(principal, (Privilege[]) hashSet.toArray(new Privilege[hashSet.size()]), z, hashMap, hashMap2);
                }
            }
        }
    }

    private static void reorderAccessControlEntries(AccessControlList accessControlList, Principal principal, String str) throws RepositoryException {
        if (str == null || str.length() == 0) {
            return;
        }
        if (!(accessControlList instanceof JackrabbitAccessControlList)) {
            throw new IllegalArgumentException("The acl must be an instance of JackrabbitAccessControlList");
        }
        JackrabbitAccessControlList jackrabbitAccessControlList = (JackrabbitAccessControlList) accessControlList;
        AccessControlEntry[] accessControlEntries = jackrabbitAccessControlList.getAccessControlEntries();
        if (accessControlEntries.length <= 1) {
            return;
        }
        AccessControlEntry accessControlEntry = null;
        if ("first".equals(str)) {
            accessControlEntry = accessControlEntries[0];
        } else if (!"last".equals(str)) {
            if (str.startsWith("before ")) {
                String substring = str.substring(7);
                int i = 0;
                while (true) {
                    if (i >= accessControlEntries.length) {
                        break;
                    }
                    if (substring.equals(accessControlEntries[i].getPrincipal().getName())) {
                        accessControlEntry = accessControlEntries[i];
                        break;
                    }
                    i++;
                }
                if (accessControlEntry == null) {
                    throw new IllegalArgumentException("No ACE was found for the specified principal: " + substring);
                }
            } else if (str.startsWith("after ")) {
                String substring2 = str.substring(6);
                int length = accessControlEntries.length - 1;
                while (true) {
                    if (length < 0) {
                        break;
                    } else if (substring2.equals(accessControlEntries[length].getPrincipal().getName())) {
                        accessControlEntry = length >= accessControlEntries.length - 1 ? null : accessControlEntries[length + 1];
                    } else {
                        length--;
                    }
                }
                if (accessControlEntry == null) {
                    throw new IllegalArgumentException("No ACE was found for the specified principal: " + substring2);
                }
            } else {
                try {
                    int parseInt = Integer.parseInt(str);
                    if (parseInt > accessControlEntries.length) {
                        throw new IndexOutOfBoundsException("Index value is too large: " + parseInt);
                    }
                    HashMap hashMap = new HashMap();
                    for (int i2 = 0; i2 < accessControlEntries.length; i2++) {
                        Principal principal2 = accessControlEntries[i2].getPrincipal();
                        Integer valueOf = Integer.valueOf(i2);
                        hashMap.computeIfAbsent(principal2, principal3 -> {
                            return valueOf;
                        });
                    }
                    Integer[] numArr = (Integer[]) hashMap.values().stream().sorted().toArray(i3 -> {
                        return new Integer[i3];
                    });
                    if (parseInt >= 0 && parseInt < numArr.length - 1) {
                        accessControlEntry = accessControlEntries[numArr[parseInt].intValue()];
                    }
                } catch (NumberFormatException e) {
                    throw new IllegalArgumentException("Illegal value for the order parameter: " + str);
                }
            }
        }
        if (accessControlEntry != null) {
            for (AccessControlEntry accessControlEntry2 : accessControlEntries) {
                if (principal.equals(accessControlEntry2.getPrincipal())) {
                    jackrabbitAccessControlList.orderBefore(accessControlEntry2, accessControlEntry);
                }
            }
        }
    }

    @Override // org.apache.sling.jcr.jackrabbit.accessmanager.ModifyAce
    public void modifyAce(Session session, String str, String str2, Map<String, String> map, String str3, boolean z) throws RepositoryException {
        modifyAce(session, str, str2, map, str3, null, null, null, z);
    }

    @Override // org.apache.sling.jcr.jackrabbit.accessmanager.ModifyAce
    public void modifyAce(Session session, String str, String str2, Map<String, String> map, String str3) throws RepositoryException {
        modifyAce(session, str, str2, map, str3, true);
    }

    @Override // org.apache.sling.jcr.jackrabbit.accessmanager.ModifyAce
    public void modifyAce(Session session, String str, String str2, Map<String, String> map, String str3, Map<String, Value> map2, Map<String, Value[]> map3, Set<String> set) throws RepositoryException {
        modifyAce(session, str, str2, map, str3, map2, map3, set, true);
    }

    @Override // org.apache.sling.jcr.jackrabbit.accessmanager.ModifyAce
    public void modifyAce(Session session, String str, String str2, Map<String, String> map, String str3, Map<String, Value> map2, Map<String, Value[]> map3, Set<String> set, boolean z) throws RepositoryException {
        modifyAce(session, str, str2, map, str3, map2, map3, set, z, null);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void modifyAce(Session session, String str, String str2, Map<String, String> map, String str3, Map<String, Value> map2, Map<String, Value[]> map3, Set<String> set, boolean z, List<Modification> list) throws RepositoryException {
        Principal validateArgs = validateArgs(session, str, str2);
        AccessControlManager accessControlManager = AccessControlUtil.getAccessControlManager(session);
        Map<String, RestrictionDefinition> buildRestrictionNameToDefinitionMap = buildRestrictionNameToDefinitionMap(str);
        Map<Privilege, Integer> buildPrivilegeLongestDepthMap = PrivilegesHelper.buildPrivilegeLongestDepthMap(accessControlManager.privilegeFromName("jcr:all"));
        Map<Privilege, LocalPrivilege> loadStoredAce = loadStoredAce(accessControlManager, str, validateArgs, buildRestrictionNameToDefinitionMap);
        for (LocalPrivilege localPrivilege : loadStoredAce.values()) {
            if (localPrivilege.isAllow()) {
                PrivilegesHelper.unallowRestrictions(loadStoredAce, set, Collections.singleton(localPrivilege.getPrivilege()));
            }
            if (localPrivilege.isDeny()) {
                PrivilegesHelper.undenyRestrictions(loadStoredAce, set, Collections.singleton(localPrivilege.getPrivilege()));
            }
        }
        HashSet hashSet = new HashSet();
        if (map2 != null) {
            for (Map.Entry<String, Value> entry : map2.entrySet()) {
                RestrictionDefinition restrictionDefinition = buildRestrictionNameToDefinitionMap.get(entry.getKey());
                if (restrictionDefinition == null) {
                    throw new AccessControlException(INVALID_OR_NOT_SUPPORTED_RESTRICTION_NAME_WAS_SUPPLIED);
                }
                hashSet.add(new LocalRestriction(restrictionDefinition, entry.getValue()));
            }
        }
        if (map3 != null) {
            for (Map.Entry<String, Value[]> entry2 : map3.entrySet()) {
                RestrictionDefinition restrictionDefinition2 = buildRestrictionNameToDefinitionMap.get(entry2.getKey());
                if (restrictionDefinition2 == null) {
                    throw new AccessControlException(INVALID_OR_NOT_SUPPORTED_RESTRICTION_NAME_WAS_SUPPLIED);
                }
                hashSet.add(new LocalRestriction(restrictionDefinition2, entry2.getValue()));
            }
        }
        EnumMap enumMap = new EnumMap(PrivilegeValues.class);
        for (Map.Entry<String, String> entry3 : map.entrySet()) {
            String key = entry3.getKey();
            if (key.startsWith("privilege@")) {
                key = key.substring(10);
            }
            ((Set) enumMap.computeIfAbsent(PrivilegeValues.valueOfParam(entry3.getValue()), privilegeValues -> {
                return new HashSet();
            })).add(accessControlManager.privilegeFromName(key));
        }
        for (Map.Entry entry4 : enumMap.entrySet()) {
            switch ((PrivilegeValues) entry4.getKey()) {
                case DENY:
                case DENIED:
                    PrivilegesHelper.deny(loadStoredAce, hashSet, (Collection) entry4.getValue());
                    break;
                case ALLOW:
                case GRANTED:
                    PrivilegesHelper.allow(loadStoredAce, hashSet, (Collection) entry4.getValue());
                    break;
                case NONE:
                    PrivilegesHelper.none(loadStoredAce, (Collection) entry4.getValue());
                    break;
            }
        }
        PrivilegesHelper.consolidateAggregates(session, str, loadStoredAce, buildPrivilegeLongestDepthMap);
        modifyAce(session, str, str2, loadStoredAce.values(), str3, z, list);
    }

    @Override // org.apache.sling.jcr.jackrabbit.accessmanager.ModifyAce
    public void modifyAce(Session session, String str, String str2, Collection<LocalPrivilege> collection, String str3, boolean z) throws RepositoryException {
        modifyAce(session, str, str2, collection, str3, z, null);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void modifyAce(Session session, String str, String str2, Collection<LocalPrivilege> collection, String str3, boolean z, List<Modification> list) throws RepositoryException {
        Principal validateArgs = validateArgs(session, str, str2);
        HashMap hashMap = new HashMap();
        HashMap hashMap2 = new HashMap();
        for (LocalPrivilege localPrivilege : collection) {
            if (localPrivilege.isAllow()) {
                hashMap.computeIfAbsent(localPrivilege.getAllowRestrictions(), set -> {
                    return new ArrayList();
                }).add(localPrivilege);
            }
            if (localPrivilege.isDeny()) {
                hashMap2.computeIfAbsent(localPrivilege.getDenyRestrictions(), set2 -> {
                    return new ArrayList();
                }).add(localPrivilege);
            }
        }
        try {
            AccessControlManager accessControlManager = AccessControlUtil.getAccessControlManager(session);
            JackrabbitAccessControlList acl = getAcl(accessControlManager, str, validateArgs);
            String removeAces = removeAces(str, str3, validateArgs, acl);
            Map<Privilege, Integer> buildPrivilegeLongestDepthMap = PrivilegesHelper.buildPrivilegeLongestDepthMap(accessControlManager.privilegeFromName("jcr:all"));
            addAces(str, validateArgs, hashMap2, false, acl, buildPrivilegeLongestDepthMap);
            addAces(str, validateArgs, hashMap, true, acl, buildPrivilegeLongestDepthMap);
            reorderAccessControlEntries(acl, validateArgs, removeAces);
            accessControlManager.setPolicy(acl.getPath(), acl);
            if (list != null) {
                list.add(Modification.onModified(validateArgs.getName()));
            }
            if (z && session.hasPendingChanges()) {
                session.save();
            }
        } catch (RepositoryException e) {
            throw new RepositoryException("Failed to create ace.", e);
        }
    }
}
