package org.fcrepo.auth.roles.common;

import java.security.Principal;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.jcr.Node;
import javax.jcr.NodeIterator;
import javax.jcr.PathNotFoundException;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import org.fcrepo.auth.common.FedoraAuthorizationDelegate;
import org.fcrepo.http.commons.session.SessionFactory;
import org.fcrepo.kernel.exception.RepositoryRuntimeException;
import org.modeshape.jcr.value.Path;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;

/* loaded from: input_file:org/fcrepo/auth/roles/common/AbstractRolesAuthorizationDelegate.class */
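/**
 * Role-based authorization delegate: decides whether the principals attached to a JCR
 * session may perform a set of actions on a repository path.
 *
 * <p>The decision has two parts. This class resolves the roles assigned to the request's
 * principals for the target path (via {@link AccessRolesProvider}) and handles the
 * special cases for node removal; subclasses supply the role-to-permission policy in
 * {@link #rolesHavePermission(Session, String, String[], Set)}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Requests without a user principal or without a principal set are denied.</li>
 *   <li>Role assignments are read through {@code sessionFactory.getInternalSession()},
 *       not through the caller's session.</li>
 *   <li>A lone {@code remove_child_nodes} action is granted without consulting roles;
 *       a lone {@code remove} action is additionally checked against every descendant.</li>
 * </ul>
 */
public abstract class AbstractRolesAuthorizationDelegate implements FedoraAuthorizationDelegate {
    protected static final String AUTHZ_DETECTION = "/{http://fedora.info/definitions/v4/authorization#}";

    @Autowired
    private AccessRolesProvider accessRolesProvider = null;

    @Autowired
    private SessionFactory sessionFactory = null;
    private static final Logger LOGGER = LoggerFactory.getLogger(AbstractRolesAuthorizationDelegate.class);
    private static final String[] REMOVE_ACTIONS = {"remove"};

    /**
     * Collects every role assigned to any of the given principals.
     *
     * @param map role assignments keyed by principal name; a principal with no entry
     *            contributes no roles
     * @param set the principals of the current request
     * @return the union of the roles assigned to the matching principals; empty when
     *         nothing matches, never {@code null}
     */
    public static Set<String> resolveUserRoles(Map<String, List<String>> map, Set<Principal> set) {
        // Parameterized instead of the raw HashSet so the compiler checks element types.
        Set<String> roles = new HashSet<>();
        for (Principal principal : set) {
            List<String> assigned = map.get(principal.getName());
            if (assigned != null) {
                LOGGER.debug("request principal matched role assignment: {}", principal.getName());
                roles.addAll(assigned);
            }
        }
        return roles;
    }

    /**
     * Decides whether the session's principals may perform the given actions on a path.
     *
     * @param session the caller's session; principals are read from its attributes
     * @param path    the absolute path being acted on
     * @param strArr  the requested actions; {@code null} is denied
     * @return {@code true} when access is granted, {@code false} otherwise
     * @throws RepositoryRuntimeException when role or node information cannot be looked up
     */
    public boolean hasPermission(Session session, Path path, String[] strArr) {
        // Fail closed: a request without actions, without an authenticated user
        // principal, or without a principal set is denied rather than passed on.
        if (strArr == null || getUserPrincipal(session) == null) {
            return false;
        }
        Set<Principal> principals = getPrincipals(session);
        if (principals == null) {
            return false;
        }
        try {
            // Role assignments are read with the internal session rather than the
            // caller's, presumably so that ACL data is readable regardless of the
            // caller's own rights -- confirm against SessionFactory.
            // NOTE(review): this session is never logged out in this method. If
            // getInternalSession() opens a new session per call, each permission
            // check leaks one -- confirm who owns its lifecycle.
            Session internalSession = this.sessionFactory.getInternalSession();
            Set<String> roles = resolveUserRoles(this.accessRolesProvider.findRolesForPath(path, internalSession), principals);
            LOGGER.debug("roles for this request: {}", roles);
            if (LOGGER.isDebugEnabled()) {
                LOGGER.debug("{}\t{}\t{}", new Object[]{roles, strArr, path});
                if (strArr.length > 1) {
                    LOGGER.debug("FOUND MULTIPLE ACTIONS: {}", Arrays.toString(strArr));
                }
            }

            boolean singleAction = strArr.length == 1;

            // Granted to any request that carries principals, before roles are
            // consulted. NOTE(review): this looks safe only if every removal is also
            // gated by a "remove" check on the node being deleted -- confirm.
            if (singleAction && "remove_child_nodes".equals(strArr[0])) {
                return true;
            }

            String absPath = path.toString();
            if (!rolesHavePermission(session, absPath, strArr, roles)) {
                return false;
            }

            // Deleting a node deletes its subtree, so "remove" must also hold for
            // every descendant, each evaluated with its own role assignments.
            if (singleAction && "remove".equals(strArr[0])) {
                return canRemoveChildrenRecursive(session, absPath, principals, roles);
            }
            return true;
        } catch (RepositoryException e) {
            throw new RepositoryRuntimeException("Cannot look up node information on " + path + " for permissions check.", e);
        }
    }

    /**
     * Reads the authenticated user principal from the session attributes.
     *
     * @return the principal, or {@code null} when the attribute is absent or is not a
     *         {@link Principal}
     */
    private static Principal getUserPrincipal(Session session) {
        Object attribute = session.getAttribute("fedora-user-principal");
        return attribute instanceof Principal ? (Principal) attribute : null;
    }

    /**
     * Reads the full principal set of the request from the session attributes.
     *
     * @return the principal set, or {@code null} when the attribute is absent or is not
     *         a {@link Set}
     */
    @SuppressWarnings("unchecked")
    private static Set<Principal> getPrincipals(Session session) {
        Object attribute = session.getAttribute("fedora-all-principals");
        // Only the container type can be checked at runtime; the element type is
        // trusted. A non-Principal element would surface as a ClassCastException when
        // the set is iterated in resolveUserRoles, not as a grant.
        return attribute instanceof Set ? (Set<Principal>) attribute : null;
    }

    /**
     * Checks that "remove" is permitted on every descendant of a node.
     *
     * <p>The walk visits the whole subtree and recurses once per level, so its cost and
     * stack depth grow with the size and depth of the subtree being deleted.
     *
     * @param session     the caller's session, passed through to the policy check
     * @param parentPath  absolute path of the node whose children are checked
     * @param principals  the principals of the current request
     * @param parentRoles roles in effect at {@code parentPath}; used for children that
     *                    have no role assignments of their own
     * @return {@code true} when removal is permitted on all descendants
     * @throws RepositoryRuntimeException when node information cannot be read
     */
    private boolean canRemoveChildrenRecursive(Session session, String parentPath, Set<Principal> principals, Set<String> parentRoles) {
        try {
            // NOTE(review): a session is requested at every recursion level and never
            // logged out here; if getInternalSession() creates a new session per call
            // this leaks one per visited node with children -- confirm ownership.
            Session internalSession = this.sessionFactory.getInternalSession();
            LOGGER.debug("Recursive child remove permission checks for: {}", parentPath);
            Node parent = internalSession.getNode(parentPath);
            if (!parent.hasNodes()) {
                return true;
            }
            NodeIterator children = parent.getNodes();
            while (children.hasNext()) {
                Node child = children.nextNode();
                String childPath = child.getPath();

                Map<String, List<String>> childAssignments = null;
                try {
                    // NOTE(review): the meaning of the 'false' flag is defined by
                    // AccessRolesProvider, which is not visible here -- confirm.
                    childAssignments = this.accessRolesProvider.getRoles(child, false);
                } catch (PathNotFoundException e) {
                    // Treated the same as "no assignments on this child".
                    LOGGER.trace("Path not found when removing roles", e);
                }

                // A child with its own assignments is judged by those alone; otherwise
                // it inherits the roles that were in effect at its parent.
                Set<String> effectiveRoles = childAssignments != null
                        ? resolveUserRoles(childAssignments, principals)
                        : parentRoles;

                if (!rolesHavePermission(session, childPath, REMOVE_ACTIONS, effectiveRoles)) {
                    LOGGER.info("Remove permission denied at {} with roles {}", childPath, effectiveRoles);
                    return false;
                }
                if (!canRemoveChildrenRecursive(session, childPath, principals, effectiveRoles)) {
                    return false;
                }
            }
            return true;
        } catch (RepositoryException e2) {
            throw new RepositoryRuntimeException("Cannot lookup child permission check information for " + parentPath, e2);
        }
    }

    /**
     * Policy hook: decides whether the given roles permit the actions on a path.
     *
     * @param session the caller's session
     * @param str     absolute path of the node being acted on
     * @param strArr  the requested actions
     * @param set     the roles resolved for the request at that path
     * @return {@code true} when the roles permit all requested actions
     */
    public abstract boolean rolesHavePermission(Session session, String str, String[] strArr, Set<String> set);
}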
