package org.alfresco.repo.security.permissions.impl.acegi;

import java.util.ArrayList;
import java.util.BitSet;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.StringTokenizer;
import net.sf.acegisecurity.AccessDeniedException;
import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.ConfigAttribute;
import net.sf.acegisecurity.ConfigAttributeDefinition;
import net.sf.acegisecurity.afterinvocation.AfterInvocationProvider;
import org.alfresco.opencmis.search.CMISResultSet;
import org.alfresco.repo.forms.processor.node.FormFieldConstants;
import org.alfresco.repo.search.SimpleResultSetMetaData;
import org.alfresco.repo.search.impl.lucene.PagingLuceneResultSet;
import org.alfresco.repo.search.impl.lucene.SolrJSONResultSet;
import org.alfresco.repo.search.impl.querymodel.QueryEngineResults;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.security.permissions.PermissionCheckValue;
import org.alfresco.repo.security.permissions.PermissionCheckedValue;
import org.alfresco.repo.security.permissions.impl.SimplePermissionReference;
import org.alfresco.service.cmr.repository.ChildAssociationRef;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.NodeService;
import org.alfresco.service.cmr.repository.StoreRef;
import org.alfresco.service.cmr.search.LimitBy;
import org.alfresco.service.cmr.search.PermissionEvaluationMode;
import org.alfresco.service.cmr.search.ResultSet;
import org.alfresco.service.cmr.security.AccessStatus;
import org.alfresco.service.cmr.security.PermissionService;
import org.alfresco.service.namespace.NamespacePrefixResolver;
import org.alfresco.service.namespace.QName;
import org.alfresco.util.Pair;
import org.aopalliance.intercept.MethodInvocation;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.factory.InitializingBean;

/* loaded from: input_file:org/alfresco/repo/security/permissions/impl/acegi/ACLEntryAfterInvocationProvider.class */
public class ACLEntryAfterInvocationProvider implements AfterInvocationProvider, InitializingBean {
    private static Log log = LogFactory.getLog(ACLEntryAfterInvocationProvider.class);
    private static final String AFTER_ACL_NODE = "AFTER_ACL_NODE";
    private static final String AFTER_ACL_PARENT = "AFTER_ACL_PARENT";
    private PermissionService permissionService;
    private NamespacePrefixResolver nspr;
    private NodeService nodeService;
    private boolean optimisePermissionsCheck;
    private int optimisePermissionsBulkFetchSize;
    private Set<QName> unfilteredForClassQNames = new HashSet();
    private Set<String> unfilteredFor = null;
    private boolean anyDenyDenies = false;
    private boolean postProcessDenies = false;
    private int maxPermissionChecks = Integer.MAX_VALUE;
    private long maxPermissionCheckTimeMillis = Long.MAX_VALUE;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/alfresco/repo/security/permissions/impl/acegi/ACLEntryAfterInvocationProvider$ConfigAttributeDefintion.class */
    public class ConfigAttributeDefintion {
        String typeString;
        SimplePermissionReference required;

        ConfigAttributeDefintion(ConfigAttribute configAttribute) {
            StringTokenizer stringTokenizer = new StringTokenizer(configAttribute.getAttribute(), FormFieldConstants.DOT_CHARACTER, false);
            if (stringTokenizer.countTokens() != 3) {
                throw new ACLEntryVoterException("There must be three . separated tokens in each config attribute");
            }
            this.typeString = stringTokenizer.nextToken();
            String nextToken = stringTokenizer.nextToken();
            String nextToken2 = stringTokenizer.nextToken();
            if (!this.typeString.equals(ACLEntryAfterInvocationProvider.AFTER_ACL_NODE) && !this.typeString.equals(ACLEntryAfterInvocationProvider.AFTER_ACL_PARENT)) {
                throw new ACLEntryVoterException("Invalid type: must be ACL_NODE or ACL_PARENT");
            }
            this.required = SimplePermissionReference.getPermissionReference(QName.createQName(nextToken, ACLEntryAfterInvocationProvider.this.nspr), nextToken2);
        }
    }

    public void setPermissionService(PermissionService permissionService) {
        this.permissionService = permissionService;
    }

    public PermissionService getPermissionService() {
        return this.permissionService;
    }

    public NamespacePrefixResolver getNamespacePrefixResolver() {
        return this.nspr;
    }

    public void setNamespacePrefixResolver(NamespacePrefixResolver namespacePrefixResolver) {
        this.nspr = namespacePrefixResolver;
    }

    public NodeService getNodeService() {
        return this.nodeService;
    }

    public void setNodeService(NodeService nodeService) {
        this.nodeService = nodeService;
    }

    public void setMaxPermissionChecks(int i) {
        this.maxPermissionChecks = i;
    }

    public void setMaxPermissionCheckTimeMillis(long j) {
        this.maxPermissionCheckTimeMillis = j;
    }

    public void setUnfilteredFor(Set<String> set) {
        this.unfilteredFor = set;
    }

    public void afterPropertiesSet() throws Exception {
        if (this.permissionService == null) {
            throw new IllegalArgumentException("There must be a permission service");
        }
        if (this.nspr == null) {
            throw new IllegalArgumentException("There must be a namespace service");
        }
        if (this.nodeService == null) {
            throw new IllegalArgumentException("There must be a node service");
        }
        if (this.unfilteredFor != null) {
            Iterator<String> it = this.unfilteredFor.iterator();
            while (it.hasNext()) {
                this.unfilteredForClassQNames.add(QName.resolveToQName(this.nspr, it.next()));
            }
        }
    }

    public Object decide(Authentication authentication, Object obj, ConfigAttributeDefinition configAttributeDefinition, Object obj2) throws AccessDeniedException {
        if (log.isDebugEnabled() && (obj instanceof MethodInvocation)) {
            log.debug("Method: " + ((MethodInvocation) obj).getMethod().toString());
        }
        try {
            if (AuthenticationUtil.isRunAsUserTheSystemUser()) {
                if (log.isDebugEnabled()) {
                    log.debug("Allowing system user access");
                }
                return obj2;
            }
            if (obj2 == null) {
                if (!log.isDebugEnabled()) {
                    return null;
                }
                log.debug("Allowing null object access");
                return null;
            }
            if (PermissionCheckedValue.class.isAssignableFrom(obj2.getClass())) {
                return decide(authentication, obj, configAttributeDefinition, (PermissionCheckedValue) obj2);
            }
            if (PermissionCheckValue.class.isAssignableFrom(obj2.getClass())) {
                return decide(authentication, obj, configAttributeDefinition, (PermissionCheckValue) obj2);
            }
            if (StoreRef.class.isAssignableFrom(obj2.getClass())) {
                return decide(authentication, obj, configAttributeDefinition, this.nodeService.getRootNode((StoreRef) obj2)).getStoreRef();
            }
            if (NodeRef.class.isAssignableFrom(obj2.getClass())) {
                return decide(authentication, obj, configAttributeDefinition, (NodeRef) obj2);
            }
            if (Pair.class.isAssignableFrom(obj2.getClass())) {
                return decide(authentication, obj, configAttributeDefinition, (Pair) obj2);
            }
            if (ChildAssociationRef.class.isAssignableFrom(obj2.getClass())) {
                return decide(authentication, obj, configAttributeDefinition, (ChildAssociationRef) obj2);
            }
            if (SolrJSONResultSet.class.isAssignableFrom(obj2.getClass()) && (!this.anyDenyDenies || (!this.postProcessDenies && ((SolrJSONResultSet) obj2).getProcessedDenies()))) {
                return obj2;
            }
            if (CMISResultSet.class.isAssignableFrom(obj2.getClass())) {
                return obj2;
            }
            if (PagingLuceneResultSet.class.isAssignableFrom(obj2.getClass())) {
                return decide(authentication, obj, configAttributeDefinition, (PagingLuceneResultSet) obj2);
            }
            if (ResultSet.class.isAssignableFrom(obj2.getClass())) {
                return decide(authentication, obj, configAttributeDefinition, (ResultSet) obj2);
            }
            if (QueryEngineResults.class.isAssignableFrom(obj2.getClass())) {
                return decide(authentication, obj, configAttributeDefinition, (QueryEngineResults) obj2);
            }
            if (Collection.class.isAssignableFrom(obj2.getClass())) {
                return decide(authentication, obj, configAttributeDefinition, (Collection) obj2);
            }
            if (obj2.getClass().isArray()) {
                return decide(authentication, obj, configAttributeDefinition, (Object[]) obj2);
            }
            if (log.isDebugEnabled()) {
                log.debug("Uncontrolled object - access allowed for " + obj.getClass().getName());
            }
            return obj2;
        } catch (RuntimeException e) {
            if (log.isDebugEnabled()) {
                log.debug("Access denied by runtime exception");
                e.printStackTrace();
            }
            throw e;
        } catch (AccessDeniedException e2) {
            if (log.isDebugEnabled()) {
                log.debug("Access denied");
                e2.printStackTrace();
            }
            throw e2;
        }
    }

    private NodeRef decide(Authentication authentication, Object obj, ConfigAttributeDefinition configAttributeDefinition, NodeRef nodeRef) throws AccessDeniedException {
        if (nodeRef == null) {
            return null;
        }
        if (isUnfiltered(nodeRef)) {
            return nodeRef;
        }
        List<ConfigAttributeDefintion> extractSupportedDefinitions = extractSupportedDefinitions(configAttributeDefinition);
        if (extractSupportedDefinitions.size() == 0) {
            return nodeRef;
        }
        for (ConfigAttributeDefintion configAttributeDefintion : extractSupportedDefinitions) {
            NodeRef nodeRef2 = null;
            if (configAttributeDefintion.typeString.equals(AFTER_ACL_NODE)) {
                nodeRef2 = nodeRef;
            } else if (configAttributeDefintion.typeString.equals(AFTER_ACL_PARENT)) {
                nodeRef2 = this.nodeService.getPrimaryParent(nodeRef).getParentRef();
            }
            if (nodeRef2 != null && this.permissionService.hasPermission(nodeRef2, configAttributeDefintion.required.toString()) == AccessStatus.DENIED) {
                throw new AccessDeniedException("Access Denied");
            }
        }
        return nodeRef;
    }

    private boolean isUnfiltered(NodeRef nodeRef) {
        if (nodeRef == null || !this.nodeService.exists(nodeRef)) {
            return true;
        }
        if (this.unfilteredForClassQNames.size() <= 0) {
            return false;
        }
        if (this.unfilteredForClassQNames.contains(this.nodeService.getType(nodeRef))) {
            return true;
        }
        Set aspects = this.nodeService.getAspects(nodeRef);
        Iterator<QName> it = this.unfilteredForClassQNames.iterator();
        while (it.hasNext()) {
            if (aspects.contains(it.next())) {
                return true;
            }
        }
        return false;
    }

    private PermissionCheckedValue decide(Authentication authentication, Object obj, ConfigAttributeDefinition configAttributeDefinition, PermissionCheckedValue permissionCheckedValue) throws AccessDeniedException {
        return permissionCheckedValue;
    }

    private PermissionCheckValue decide(Authentication authentication, Object obj, ConfigAttributeDefinition configAttributeDefinition, PermissionCheckValue permissionCheckValue) throws AccessDeniedException {
        decide(authentication, obj, configAttributeDefinition, permissionCheckValue.getNodeRef());
        return permissionCheckValue;
    }

    private Pair decide(Authentication authentication, Object obj, ConfigAttributeDefinition configAttributeDefinition, Pair pair) throws AccessDeniedException {
        decide(authentication, obj, configAttributeDefinition, (NodeRef) pair.getSecond());
        return pair;
    }

    private List<ConfigAttributeDefintion> extractSupportedDefinitions(ConfigAttributeDefinition configAttributeDefinition) {
        ArrayList arrayList = new ArrayList();
        Iterator configAttributes = configAttributeDefinition.getConfigAttributes();
        while (configAttributes.hasNext()) {
            ConfigAttribute configAttribute = (ConfigAttribute) configAttributes.next();
            if (supports(configAttribute)) {
                arrayList.add(new ConfigAttributeDefintion(configAttribute));
            }
        }
        return arrayList;
    }

    private ChildAssociationRef decide(Authentication authentication, Object obj, ConfigAttributeDefinition configAttributeDefinition, ChildAssociationRef childAssociationRef) throws AccessDeniedException {
        if (childAssociationRef == null) {
            return null;
        }
        List<ConfigAttributeDefintion> extractSupportedDefinitions = extractSupportedDefinitions(configAttributeDefinition);
        if (extractSupportedDefinitions.size() == 0) {
            return childAssociationRef;
        }
        for (ConfigAttributeDefintion configAttributeDefintion : extractSupportedDefinitions) {
            NodeRef nodeRef = null;
            if (configAttributeDefintion.typeString.equals(AFTER_ACL_NODE)) {
                nodeRef = childAssociationRef.getChildRef();
            } else if (configAttributeDefintion.typeString.equals(AFTER_ACL_PARENT)) {
                nodeRef = childAssociationRef.getParentRef();
            }
            if (!isUnfiltered(nodeRef) && nodeRef != null && this.permissionService.hasPermission(nodeRef, configAttributeDefintion.required.toString()) == AccessStatus.DENIED) {
                throw new AccessDeniedException("Access Denied");
            }
        }
        return childAssociationRef;
    }

    private ResultSet decide(Authentication authentication, Object obj, ConfigAttributeDefinition configAttributeDefinition, PagingLuceneResultSet pagingLuceneResultSet) throws AccessDeniedException {
        ResultSet wrapped = pagingLuceneResultSet.getWrapped();
        return wrapped instanceof FilteringResultSet ? pagingLuceneResultSet : new PagingLuceneResultSet(decide(authentication, obj, configAttributeDefinition, wrapped), pagingLuceneResultSet.getResultSetMetaData().getSearchParameters(), this.nodeService);
    }

    public void setOptimisePermissionsCheck(boolean z) {
        this.optimisePermissionsCheck = z;
    }

    public void setOptimisePermissionsBulkFetchSize(int i) {
        this.optimisePermissionsBulkFetchSize = i;
    }

    public void setAnyDenyDenies(boolean z) {
        this.anyDenyDenies = z;
    }

    public void setPostProcessDenies(boolean z) {
        this.postProcessDenies = z;
    }

    private ResultSet decide(Authentication authentication, Object obj, ConfigAttributeDefinition configAttributeDefinition, ResultSet resultSet) throws AccessDeniedException {
        return this.optimisePermissionsCheck ? decideNew(authentication, obj, configAttributeDefinition, resultSet) : decideOld(authentication, obj, configAttributeDefinition, resultSet);
    }

    private ResultSet decideNew(Authentication authentication, Object obj, ConfigAttributeDefinition configAttributeDefinition, ResultSet resultSet) throws AccessDeniedException {
        if (resultSet == null) {
            return null;
        }
        FilteringResultSet filteringResultSet = new FilteringResultSet(resultSet);
        List<ConfigAttributeDefintion> extractSupportedDefinitions = extractSupportedDefinitions(configAttributeDefinition);
        Integer num = resultSet.getResultSetMetaData().getSearchParameters().getMaxItems() >= 0 ? new Integer(resultSet.getResultSetMetaData().getSearchParameters().getMaxItems()) : null;
        if (num == null && resultSet.getResultSetMetaData().getSearchParameters().getLimitBy() == LimitBy.FINAL_SIZE) {
            num = new Integer(resultSet.getResultSetMetaData().getSearchParameters().getLimit());
        }
        if (num != null && resultSet.getResultSetMetaData().getSearchParameters().getSkipCount() >= 0) {
            num = new Integer(num.intValue() + resultSet.getResultSetMetaData().getSearchParameters().getSkipCount());
        }
        int i = this.maxPermissionChecks;
        if (resultSet.getResultSetMetaData().getSearchParameters().getMaxPermissionChecks() >= 0) {
            i = resultSet.getResultSetMetaData().getSearchParameters().getMaxPermissionChecks();
        }
        long j = this.maxPermissionCheckTimeMillis;
        if (resultSet.getResultSetMetaData().getSearchParameters().getMaxPermissionCheckTimeMillis() >= 0) {
            j = resultSet.getResultSetMetaData().getSearchParameters().getMaxPermissionCheckTimeMillis();
        }
        if (extractSupportedDefinitions.size() == 0) {
            if (num == null) {
                return resultSet;
            }
            if (resultSet.length() > num.intValue()) {
                for (int i2 = 0; i2 < num.intValue(); i2++) {
                    filteringResultSet.setIncluded(i2, true);
                }
                filteringResultSet.setResultSetMetaData(new SimpleResultSetMetaData(LimitBy.FINAL_SIZE, PermissionEvaluationMode.EAGER, resultSet.getResultSetMetaData().getSearchParameters()));
            } else {
                for (int i3 = 0; i3 < num.intValue(); i3++) {
                    filteringResultSet.setIncluded(i3, true);
                }
                filteringResultSet.setResultSetMetaData(new SimpleResultSetMetaData(LimitBy.UNLIMITED, PermissionEvaluationMode.EAGER, resultSet.getResultSetMetaData().getSearchParameters()));
            }
        }
        if (resultSet.length() > 0) {
            boolean bulkFetch = resultSet.getBulkFetch();
            resultSet.setBulkFetch(false);
            resultSet.getNodeRef(resultSet.length() - 1);
            resultSet.setBulkFetch(bulkFetch);
        }
        long currentTimeMillis = System.currentTimeMillis();
        filteringResultSet.setResultSetMetaData(new SimpleResultSetMetaData(LimitBy.UNLIMITED, PermissionEvaluationMode.EAGER, resultSet.getResultSetMetaData().getSearchParameters()));
        boolean bulkFetch2 = resultSet.setBulkFetch(true);
        int bulkFetchSize = resultSet.setBulkFetchSize(this.optimisePermissionsBulkFetchSize);
        int i4 = 0;
        while (true) {
            try {
                if (i4 >= resultSet.length()) {
                    break;
                }
                long currentTimeMillis2 = System.currentTimeMillis();
                if (i4 >= i) {
                    log.warn("maxChecks exceeded (" + i + ")", new Exception("Back Trace"));
                    filteringResultSet.setResultSetMetaData(new SimpleResultSetMetaData(LimitBy.NUMBER_OF_PERMISSION_EVALUATIONS, PermissionEvaluationMode.EAGER, resultSet.getResultSetMetaData().getSearchParameters()));
                    break;
                }
                if (currentTimeMillis2 - currentTimeMillis > j) {
                    log.warn("maxCheckTime exceeded (" + (currentTimeMillis2 - currentTimeMillis) + " milliseconds)", new Exception("Back Trace"));
                    filteringResultSet.setResultSetMetaData(new SimpleResultSetMetaData(LimitBy.NUMBER_OF_PERMISSION_EVALUATIONS, PermissionEvaluationMode.EAGER, resultSet.getResultSetMetaData().getSearchParameters()));
                    break;
                }
                filteringResultSet.setIncluded(i4, true);
                NodeRef nodeRef = resultSet.getNodeRef(i4);
                if (filteringResultSet.getIncluded(i4) && nodeRef == null) {
                    filteringResultSet.setIncluded(i4, false);
                }
                if (filteringResultSet.getIncluded(i4) && this.permissionService.hasReadPermission(nodeRef) == AccessStatus.DENIED) {
                    filteringResultSet.setIncluded(i4, false);
                }
                if (num != null && filteringResultSet.length() > num.intValue()) {
                    filteringResultSet.setIncluded(i4, false);
                    filteringResultSet.setResultSetMetaData(new SimpleResultSetMetaData(LimitBy.FINAL_SIZE, PermissionEvaluationMode.EAGER, resultSet.getResultSetMetaData().getSearchParameters()));
                    break;
                }
                i4++;
            } finally {
                resultSet.setBulkFetch(bulkFetch2);
                resultSet.setBulkFetchSize(bulkFetchSize);
            }
        }
        return filteringResultSet;
    }

    private ResultSet decideOld(Authentication authentication, Object obj, ConfigAttributeDefinition configAttributeDefinition, ResultSet resultSet) throws AccessDeniedException {
        if (resultSet == null) {
            return null;
        }
        FilteringResultSet filteringResultSet = new FilteringResultSet(resultSet);
        List<ConfigAttributeDefintion> extractSupportedDefinitions = extractSupportedDefinitions(configAttributeDefinition);
        Integer num = resultSet.getResultSetMetaData().getSearchParameters().getMaxItems() >= 0 ? new Integer(resultSet.getResultSetMetaData().getSearchParameters().getMaxItems()) : null;
        if (num == null && resultSet.getResultSetMetaData().getSearchParameters().getLimitBy() == LimitBy.FINAL_SIZE) {
            num = new Integer(resultSet.getResultSetMetaData().getSearchParameters().getLimit());
        }
        if (num != null && resultSet.getResultSetMetaData().getSearchParameters().getSkipCount() >= 0) {
            num = new Integer(num.intValue() + resultSet.getResultSetMetaData().getSearchParameters().getSkipCount());
        }
        int i = this.maxPermissionChecks;
        if (resultSet.getResultSetMetaData().getSearchParameters().getMaxPermissionChecks() >= 0) {
            i = resultSet.getResultSetMetaData().getSearchParameters().getMaxPermissionChecks();
        }
        long j = this.maxPermissionCheckTimeMillis;
        if (resultSet.getResultSetMetaData().getSearchParameters().getMaxPermissionCheckTimeMillis() >= 0) {
            j = resultSet.getResultSetMetaData().getSearchParameters().getMaxPermissionCheckTimeMillis();
        }
        if (extractSupportedDefinitions.size() == 0) {
            if (num == null) {
                return resultSet;
            }
            if (resultSet.length() > num.intValue()) {
                for (int i2 = 0; i2 < num.intValue(); i2++) {
                    filteringResultSet.setIncluded(i2, true);
                }
                filteringResultSet.setResultSetMetaData(new SimpleResultSetMetaData(LimitBy.FINAL_SIZE, PermissionEvaluationMode.EAGER, resultSet.getResultSetMetaData().getSearchParameters()));
                return filteringResultSet;
            }
            for (int i3 = 0; i3 < resultSet.length(); i3++) {
                filteringResultSet.setIncluded(i3, true);
            }
            filteringResultSet.setResultSetMetaData(new SimpleResultSetMetaData(resultSet.getResultSetMetaData().getLimitedBy(), PermissionEvaluationMode.EAGER, resultSet.getResultSetMetaData().getSearchParameters()));
            return filteringResultSet;
        }
        if (resultSet.length() > 0) {
            boolean bulkFetch = resultSet.getBulkFetch();
            resultSet.setBulkFetch(false);
            resultSet.getNodeRef(resultSet.length() - 1);
            resultSet.setBulkFetch(bulkFetch);
        }
        long currentTimeMillis = System.currentTimeMillis();
        filteringResultSet.setResultSetMetaData(new SimpleResultSetMetaData(resultSet.getResultSetMetaData().getLimitedBy(), PermissionEvaluationMode.EAGER, resultSet.getResultSetMetaData().getSearchParameters()));
        int i4 = 0;
        while (true) {
            if (i4 >= resultSet.length()) {
                break;
            }
            long currentTimeMillis2 = System.currentTimeMillis();
            if (i4 >= i) {
                log.warn("maxChecks exceeded (" + i + ")", new Exception("Back Trace"));
                filteringResultSet.setResultSetMetaData(new SimpleResultSetMetaData(LimitBy.NUMBER_OF_PERMISSION_EVALUATIONS, PermissionEvaluationMode.EAGER, resultSet.getResultSetMetaData().getSearchParameters()));
                break;
            }
            if (currentTimeMillis2 - currentTimeMillis > j) {
                log.warn("maxCheckTime exceeded (" + (currentTimeMillis2 - currentTimeMillis) + " milliseconds)", new Exception("Back Trace"));
                filteringResultSet.setResultSetMetaData(new SimpleResultSetMetaData(LimitBy.NUMBER_OF_PERMISSION_EVALUATIONS, PermissionEvaluationMode.EAGER, resultSet.getResultSetMetaData().getSearchParameters()));
                break;
            }
            filteringResultSet.setIncluded(i4, true);
            for (ConfigAttributeDefintion configAttributeDefintion : extractSupportedDefinitions) {
                NodeRef nodeRef = null;
                if (configAttributeDefintion.typeString.equals(AFTER_ACL_NODE)) {
                    nodeRef = resultSet.getNodeRef(i4);
                } else if (configAttributeDefintion.typeString.equals(AFTER_ACL_PARENT)) {
                    nodeRef = resultSet.getChildAssocRef(i4).getParentRef();
                }
                if (!isUnfiltered(nodeRef) && filteringResultSet.getIncluded(i4) && nodeRef != null && this.permissionService.hasPermission(nodeRef, configAttributeDefintion.required.toString()) == AccessStatus.DENIED) {
                    filteringResultSet.setIncluded(i4, false);
                }
            }
            if (num != null && filteringResultSet.length() > num.intValue()) {
                filteringResultSet.setIncluded(i4, false);
                filteringResultSet.setResultSetMetaData(new SimpleResultSetMetaData(LimitBy.FINAL_SIZE, PermissionEvaluationMode.EAGER, resultSet.getResultSetMetaData().getSearchParameters()));
                break;
            }
            i4++;
        }
        return filteringResultSet;
    }

    private QueryEngineResults decide(Authentication authentication, Object obj, ConfigAttributeDefinition configAttributeDefinition, QueryEngineResults queryEngineResults) throws AccessDeniedException {
        Map results = queryEngineResults.getResults();
        HashMap hashMap = new HashMap(results.size(), 1.0f);
        for (Set set : results.keySet()) {
            ResultSet resultSet = (ResultSet) results.get(set);
            hashMap.put(set, PagingLuceneResultSet.class.isAssignableFrom(resultSet.getClass()) ? decide(authentication, obj, configAttributeDefinition, (PagingLuceneResultSet) resultSet) : decide(authentication, obj, configAttributeDefinition, resultSet));
        }
        return new QueryEngineResults(hashMap);
    }

    /* JADX WARN: Code restructure failed: missing block: B:111:0x03d2, code lost:
    
        r0 = r11.size();
        r0 = r0 - r21;
     */
    /* JADX WARN: Code restructure failed: missing block: B:112:0x03eb, code lost:
    
        if (r0.size() >= r0) goto L106;
     */
    /* JADX WARN: Code restructure failed: missing block: B:114:0x041c, code lost:
    
        return org.alfresco.repo.security.permissions.PermissionCheckedCollection.PermissionCheckedCollectionMixin.create(r11, r18, r0, r0);
     */
    /* JADX WARN: Code restructure failed: missing block: B:116:0x03ee, code lost:
    
        r11.clear();
        r11.addAll(r0);
     */
    /* JADX WARN: Code restructure failed: missing block: B:118:0x0402, code lost:
    
        r25 = move-exception;
     */
    /* JADX WARN: Code restructure failed: missing block: B:120:0x0410, code lost:
    
        throw new net.sf.acegisecurity.AccessDeniedException("Permission-checked list must be modifiable", r25);
     */
    /* JADX WARN: Code restructure failed: missing block: B:53:0x03b6, code lost:
    
        r21 = r21 + 1;
     */
    /* JADX WARN: Code restructure failed: missing block: B:54:0x03bb, code lost:
    
        if (r27 == false) goto L118;
     */
    /* JADX WARN: Code restructure failed: missing block: B:56:0x03be, code lost:
    
        r0.add(r0);
     */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    private java.util.Collection decide(net.sf.acegisecurity.Authentication r8, java.lang.Object r9, net.sf.acegisecurity.ConfigAttributeDefinition r10, java.util.Collection r11) throws net.sf.acegisecurity.AccessDeniedException {
        /*
            Method dump skipped, instructions count: 1053
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: org.alfresco.repo.security.permissions.impl.acegi.ACLEntryAfterInvocationProvider.decide(net.sf.acegisecurity.Authentication, java.lang.Object, net.sf.acegisecurity.ConfigAttributeDefinition, java.util.Collection):java.util.Collection");
    }

    private Object[] decide(Authentication authentication, Object obj, ConfigAttributeDefinition configAttributeDefinition, Object[] objArr) throws AccessDeniedException {
        BitSet bitSet = new BitSet(objArr.length);
        List<ConfigAttributeDefintion> extractSupportedDefinitions = extractSupportedDefinitions(configAttributeDefinition);
        if (extractSupportedDefinitions.size() == 0) {
            return objArr;
        }
        int length = objArr.length;
        for (int i = 0; i < length; i++) {
            Object obj2 = objArr[i];
            for (ConfigAttributeDefintion configAttributeDefintion : extractSupportedDefinitions) {
                bitSet.set(i, true);
                NodeRef nodeRef = null;
                if (configAttributeDefintion.typeString.equals(AFTER_ACL_NODE)) {
                    if (StoreRef.class.isAssignableFrom(obj2.getClass())) {
                        nodeRef = this.nodeService.getRootNode((StoreRef) obj2);
                    } else if (NodeRef.class.isAssignableFrom(obj2.getClass())) {
                        nodeRef = (NodeRef) obj2;
                    } else if (ChildAssociationRef.class.isAssignableFrom(obj2.getClass())) {
                        nodeRef = ((ChildAssociationRef) obj2).getChildRef();
                    } else if (Pair.class.isAssignableFrom(obj2.getClass())) {
                        nodeRef = (NodeRef) ((Pair) obj2).getSecond();
                    } else {
                        if (!PermissionCheckValue.class.isAssignableFrom(obj2.getClass())) {
                            throw new ACLEntryVoterException("The specified parameter is recognized: " + obj2.getClass());
                        }
                        nodeRef = ((PermissionCheckValue) obj2).getNodeRef();
                    }
                } else if (configAttributeDefintion.typeString.equals(AFTER_ACL_PARENT)) {
                    if (StoreRef.class.isAssignableFrom(obj2.getClass())) {
                        nodeRef = null;
                    } else if (NodeRef.class.isAssignableFrom(obj2.getClass())) {
                        nodeRef = this.nodeService.getPrimaryParent((NodeRef) obj2).getParentRef();
                    } else if (ChildAssociationRef.class.isAssignableFrom(obj2.getClass())) {
                        nodeRef = ((ChildAssociationRef) obj2).getParentRef();
                    } else if (Pair.class.isAssignableFrom(obj2.getClass())) {
                        nodeRef = (NodeRef) ((Pair) obj2).getSecond();
                    } else {
                        if (!PermissionCheckValue.class.isAssignableFrom(obj2.getClass())) {
                            throw new ACLEntryVoterException("The specified parameter is recognized: " + obj2.getClass());
                        }
                        nodeRef = this.nodeService.getPrimaryParent(((PermissionCheckValue) obj2).getNodeRef()).getParentRef();
                    }
                }
                if (log.isDebugEnabled()) {
                    log.debug("\t" + configAttributeDefintion.typeString + " test on " + nodeRef + " from " + obj2.getClass().getName());
                }
                if (!isUnfiltered(nodeRef) && bitSet.get(i) && nodeRef != null && this.permissionService.hasPermission(nodeRef, configAttributeDefintion.required.toString()) == AccessStatus.DENIED) {
                    bitSet.set(i, false);
                }
            }
        }
        if (bitSet.cardinality() == objArr.length) {
            return objArr;
        }
        Object[] objArr2 = new Object[bitSet.cardinality()];
        int nextSetBit = bitSet.nextSetBit(0);
        int i2 = 0;
        while (nextSetBit >= 0) {
            objArr2[i2] = objArr[nextSetBit];
            nextSetBit = bitSet.nextSetBit(nextSetBit + 1);
            i2++;
        }
        return objArr2;
    }

    public boolean supports(ConfigAttribute configAttribute) {
        if (configAttribute.getAttribute() != null) {
            return configAttribute.getAttribute().startsWith(AFTER_ACL_NODE) || configAttribute.getAttribute().startsWith(AFTER_ACL_PARENT);
        }
        return false;
    }

    public boolean supports(Class cls) {
        return MethodInvocation.class.isAssignableFrom(cls);
    }
}
