package org.alfresco.repo.security.permissions.impl.acegi;

import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.StringTokenizer;
import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.ConfigAttribute;
import net.sf.acegisecurity.ConfigAttributeDefinition;
import net.sf.acegisecurity.vote.AccessDecisionVoter;
import org.alfresco.repo.security.permissions.impl.SimplePermissionReference;
import org.alfresco.service.cmr.repository.ChildAssociationRef;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.NodeService;
import org.alfresco.service.cmr.repository.StoreRef;
import org.alfresco.service.cmr.security.AccessStatus;
import org.alfresco.service.cmr.security.AuthenticationService;
import org.alfresco.service.cmr.security.AuthorityService;
import org.alfresco.service.cmr.security.PermissionService;
import org.alfresco.service.namespace.NamespacePrefixResolver;
import org.alfresco.service.namespace.QName;
import org.aopalliance.intercept.MethodInvocation;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.factory.InitializingBean;

/* loaded from: input_file:WEB-INF/lib/alfresco-repository.jar:org/alfresco/repo/security/permissions/impl/acegi/ACLEntryVoter.class */
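/**
 * Acegi access-decision voter that authorises method invocations from {@code ACL_*}
 * config attributes attached to the secured method.
 *
 * <p>Attribute forms accepted by {@link ConfigAttributeDefintion}:
 * <ul>
 *   <li>{@code ACL_NODE.<index>.<qname>.<permission>} - check the permission on the node
 *       identified by the method argument at {@code index};</li>
 *   <li>{@code ACL_PARENT.<index>.<qname>.<permission>} - check the permission on the
 *       parent of that node;</li>
 *   <li>{@code ACL_METHOD.<authority>} - require the current user name, or one of the
 *       current authorities, to equal {@code authority};</li>
 *   <li>{@code ACL_ALLOW} - grant unconditionally.</li>
 * </ul>
 *
 * <p>Review notes for anyone configuring or auditing this voter: it never abstains. It
 * grants when no {@code ACL_*} attribute is present, when the configured argument index is
 * beyond the invocation's argument list, and when the resolved node reference is
 * {@code null}; only an explicit {@code AccessStatus.DENIED} or an unmatched
 * {@code ACL_METHOD} produces a denial. Attributes are evaluated in declaration order, so an
 * {@code ACL_ALLOW} short-circuits every attribute listed after it.
 */
public class ACLEntryVoter implements AccessDecisionVoter, InitializingBean {
    private static final Log log = LogFactory.getLog(ACLEntryVoter.class);
    private static final String ACL_NODE = "ACL_NODE";
    private static final String ACL_PARENT = "ACL_PARENT";
    private static final String ACL_ALLOW = "ACL_ALLOW";
    private static final String ACL_METHOD = "ACL_METHOD";

    // Vote values returned by this voter: 1 grants, -1 denies (it never returns 0).
    private static final int VOTE_GRANTED = 1;
    private static final int VOTE_DENIED = -1;

    private PermissionService permissionService;
    private NamespacePrefixResolver nspr;
    private NodeService nodeService;
    private AuthenticationService authenticationService;
    private AuthorityService authorityService;

    /**
     * Parsed form of a single {@code ACL_*} config attribute.
     *
     * <p>Only the fields relevant to {@link #typeString} are populated: {@link #parameter}
     * and {@link #required} for {@code ACL_NODE}/{@code ACL_PARENT}, {@link #authority} for
     * {@code ACL_METHOD}, nothing further for {@code ACL_ALLOW}.
     */
    public class ConfigAttributeDefintion {
        // First token of the attribute: ACL_NODE, ACL_PARENT, ACL_ALLOW or ACL_METHOD.
        String typeString;
        // Permission that must not be denied on the resolved node (node-based types only).
        SimplePermissionReference required;
        // Zero-based index of the method argument that identifies the node.
        int parameter;
        // User name or authority that ACL_METHOD requires.
        String authority;

        /**
         * Parses a '.'-separated config attribute.
         *
         * @param configAttribute the attribute to parse
         * @throws ACLEntryVoterException if the type is unknown or the token count does not
         *         match the type
         * @throws NumberFormatException if the argument index of a node-based attribute is
         *         not an integer
         */
        ConfigAttributeDefintion(ConfigAttribute configAttribute) {
            StringTokenizer tokens = new StringTokenizer(configAttribute.getAttribute(), ".", false);
            if (tokens.countTokens() < 1) {
                throw new ACLEntryVoterException("There must be at least one token in a config attribute");
            }
            this.typeString = tokens.nextToken();

            boolean nodeBased = this.typeString.equals(ACLEntryVoter.ACL_NODE)
                    || this.typeString.equals(ACLEntryVoter.ACL_PARENT);
            if (nodeBased) {
                if (tokens.countTokens() != 3) {
                    throw new ACLEntryVoterException("There must be four . separated tokens in each config attribute");
                }
                String indexToken = tokens.nextToken();
                String qNameToken = tokens.nextToken();
                String permissionToken = tokens.nextToken();
                this.parameter = Integer.parseInt(indexToken);
                this.required = SimplePermissionReference.getPermissionReference(
                        QName.createQName(qNameToken, ACLEntryVoter.this.nspr), permissionToken);
            } else if (this.typeString.equals(ACLEntryVoter.ACL_METHOD)) {
                if (tokens.countTokens() != 1) {
                    throw new ACLEntryVoterException("There must be two . separated tokens in each group or role config attribute");
                }
                this.authority = tokens.nextToken();
            } else if (!this.typeString.equals(ACLEntryVoter.ACL_ALLOW)) {
                // The message now lists ACL_METHOD, which the check has always accepted.
                throw new ACLEntryVoterException("Invalid type: must be ACL_NODE, ACL_PARENT, ACL_ALLOW or ACL_METHOD");
            }
        }
    }

    /** Sets the service used to evaluate node permissions. */
    public void setPermissionService(PermissionService permissionService) {
        this.permissionService = permissionService;
    }

    /** Returns the service used to evaluate node permissions. */
    public PermissionService getPermissionService() {
        return this.permissionService;
    }

    /** Returns the resolver used to build the permission's qualified name. */
    public NamespacePrefixResolver getNamespacePrefixResolver() {
        return this.nspr;
    }

    /** Sets the resolver used to build the permission's qualified name. */
    public void setNamespacePrefixResolver(NamespacePrefixResolver namespacePrefixResolver) {
        this.nspr = namespacePrefixResolver;
    }

    /** Returns the service used to resolve stores, parents and paths. */
    public NodeService getNodeService() {
        return this.nodeService;
    }

    /** Sets the service used to resolve stores, parents and paths. */
    public void setNodeService(NodeService nodeService) {
        this.nodeService = nodeService;
    }

    /** Returns the service used to identify the current user. */
    public AuthenticationService getAuthenticationService() {
        return this.authenticationService;
    }

    /** Sets the service used to identify the current user. */
    public void setAuthenticationService(AuthenticationService authenticationService) {
        this.authenticationService = authenticationService;
    }

    /** Sets the service used to list the current user's authorities. */
    public void setAuthorityService(AuthorityService authorityService) {
        this.authorityService = authorityService;
    }

    /**
     * Verifies that every collaborator was injected, so a partially wired voter fails at
     * start-up rather than during an access decision.
     *
     * @throws IllegalArgumentException if any required service is missing
     */
    @Override // org.springframework.beans.factory.InitializingBean
    public void afterPropertiesSet() throws Exception {
        if (this.permissionService == null) {
            throw new IllegalArgumentException("There must be a permission service");
        }
        if (this.nspr == null) {
            throw new IllegalArgumentException("There must be a namespace service");
        }
        if (this.nodeService == null) {
            throw new IllegalArgumentException("There must be a node service");
        }
        if (this.authenticationService == null) {
            throw new IllegalArgumentException("There must be an authentication service");
        }
        if (this.authorityService == null) {
            throw new IllegalArgumentException("There must be an authority service");
        }
    }

    /**
     * Reports whether the attribute text starts with one of the {@code ACL_*} prefixes.
     *
     * <p>This is a prefix match only; an attribute that passes here can still be rejected
     * with an {@code ACLEntryVoterException} when it is parsed.
     *
     * @param configAttribute the attribute to test
     * @return {@code true} if the attribute is non-null and carries a known prefix
     */
    @Override // net.sf.acegisecurity.vote.AccessDecisionVoter
    public boolean supports(ConfigAttribute configAttribute) {
        String attribute = configAttribute.getAttribute();
        if (attribute == null) {
            return false;
        }
        return attribute.startsWith(ACL_NODE)
                || attribute.startsWith(ACL_PARENT)
                || attribute.startsWith(ACL_ALLOW)
                || attribute.startsWith(ACL_METHOD);
    }

    /**
     * Reports whether the secured object type is a {@link MethodInvocation}.
     *
     * @param cls the secured object class
     * @return {@code true} if {@code cls} is a {@code MethodInvocation} or a subtype
     */
    @Override // net.sf.acegisecurity.vote.AccessDecisionVoter
    public boolean supports(Class cls) {
        return MethodInvocation.class.isAssignableFrom(cls);
    }

    /**
     * Votes on a method invocation using its {@code ACL_*} attributes.
     *
     * <p>Grants immediately for the system user, when no supported attribute is present, or
     * on the first {@code ACL_ALLOW}. Denies as soon as a node-based attribute resolves to a
     * node on which the required permission is {@code AccessStatus.DENIED}. Otherwise the
     * result depends on {@code ACL_METHOD}: if at least one was present and none matched the
     * current user or authorities, the vote is a denial; in every other case it is a grant.
     *
     * <p>Node-based attributes whose argument index is out of range, or whose argument
     * resolves to {@code null}, are skipped without a permission check.
     *
     * @param authentication the caller's authentication (not read here; the current user is
     *        taken from the authentication service)
     * @param obj the secured object, cast to {@link MethodInvocation}
     * @param configAttributeDefinition the attributes configured for the method
     * @return {@code 1} to grant or {@code -1} to deny
     * @throws ACLEntryVoterException if an attribute is malformed or targets an argument of
     *         an unsupported type
     */
    @Override // net.sf.acegisecurity.vote.AccessDecisionVoter
    public int vote(Authentication authentication, Object obj, ConfigAttributeDefinition configAttributeDefinition) {
        if (log.isDebugEnabled()) {
            log.debug("Method: " + ((MethodInvocation) obj).getMethod().toString());
        }
        if (this.authenticationService.isCurrentUserTheSystemUser()) {
            if (log.isDebugEnabled()) {
                log.debug("Access granted for the system user");
            }
            return VOTE_GRANTED;
        }

        List<ConfigAttributeDefintion> supported = extractSupportedDefinitions(configAttributeDefinition);
        if (supported.isEmpty()) {
            // No ACL_* attribute on the method: this voter grants rather than abstains.
            return VOTE_GRANTED;
        }

        MethodInvocation invocation = (MethodInvocation) obj;
        Class<?>[] parameterTypes = invocation.getMethod().getParameterTypes();
        Object[] arguments = invocation.getArguments();

        // null: no ACL_METHOD seen; FALSE: seen but unmatched so far; TRUE: matched.
        Boolean methodAuthorityMatched = null;

        for (ConfigAttributeDefintion definition : supported) {
            if (definition.typeString.equals(ACL_ALLOW)) {
                // Order-sensitive: attributes listed after ACL_ALLOW are never evaluated.
                return VOTE_GRANTED;
            }
            if (definition.typeString.equals(ACL_METHOD)) {
                if (methodAuthorityMatched == null) {
                    methodAuthorityMatched = Boolean.FALSE;
                }
                // NOTE(review): a null current user name would throw here instead of voting.
                if (this.authenticationService.getCurrentUserName().equals(definition.authority)
                        || this.authorityService.getAuthorities().contains(definition.authority)) {
                    methodAuthorityMatched = Boolean.TRUE;
                }
                continue;
            }
            if (definition.parameter >= arguments.length) {
                // Index does not exist on this method: skipped, no check is made.
                continue;
            }

            NodeRef target = null;
            Class<?> parameterType = parameterTypes[definition.parameter];
            Object argument = arguments[definition.parameter];
            if (definition.typeString.equals(ACL_NODE)) {
                target = resolveNodeTarget(parameterType, argument);
            } else if (definition.typeString.equals(ACL_PARENT)) {
                target = resolveParentTarget(parameterType, argument);
            }
            if (target == null) {
                // Nothing to check against (null argument, missing store, no parent).
                continue;
            }

            if (log.isDebugEnabled()) {
                log.debug("\t\tNode ref is not null");
            }
            // Only an explicit DENIED rejects; any other status lets evaluation continue.
            if (this.permissionService.hasPermission(target, definition.required.toString()) == AccessStatus.DENIED) {
                if (log.isDebugEnabled()) {
                    log.debug("\t\tPermission is denied");
                    // Debug aid: writes the current call stack to standard error.
                    Thread.dumpStack();
                }
                return VOTE_DENIED;
            }
        }
        return (methodAuthorityMatched == null || methodAuthorityMatched.booleanValue()) ? VOTE_GRANTED : VOTE_DENIED;
    }

    /**
     * Resolves the node an {@code ACL_NODE} attribute refers to: the root node of an
     * existing store, the node itself, or the child of a child association.
     *
     * @return the node to check, or {@code null} when there is nothing to check
     * @throws ACLEntryVoterException if the parameter is of an unsupported type
     */
    private NodeRef resolveNodeTarget(Class<?> parameterType, Object argument) {
        if (StoreRef.class.isAssignableFrom(parameterType)) {
            if (argument == null) {
                return null;
            }
            if (log.isDebugEnabled()) {
                log.debug("\tPermission test against the store - using permissions on the root node");
            }
            StoreRef storeRef = (StoreRef) argument;
            return this.nodeService.exists(storeRef) ? this.nodeService.getRootNode(storeRef) : null;
        }
        if (NodeRef.class.isAssignableFrom(parameterType)) {
            NodeRef nodeRef = (NodeRef) argument;
            debugTarget("\tPermission test on node ", "\tPermission test on non-existing node ", nodeRef);
            return nodeRef;
        }
        if (!ChildAssociationRef.class.isAssignableFrom(parameterType)) {
            throw new ACLEntryVoterException("The specified parameter is not a NodeRef or ChildAssociationRef");
        }
        if (argument == null) {
            return null;
        }
        NodeRef childRef = ((ChildAssociationRef) argument).getChildRef();
        debugTarget("\tPermission test on node ", "\tPermission test on non-existing node ", childRef);
        return childRef;
    }

    /**
     * Resolves the node an {@code ACL_PARENT} attribute refers to: the primary parent of a
     * node, or the parent side of a child association.
     *
     * @return the parent node to check, or {@code null} when there is nothing to check
     * @throws ACLEntryVoterException if the parameter is of an unsupported type
     */
    private NodeRef resolveParentTarget(Class<?> parameterType, Object argument) {
        if (NodeRef.class.isAssignableFrom(parameterType)) {
            NodeRef childRef = (NodeRef) argument;
            if (childRef == null) {
                return null;
            }
            NodeRef parentRef = this.nodeService.getPrimaryParent(childRef).getParentRef();
            debugTarget("\tPermission test for parent on node ",
                    "\tPermission test for parent on non-existing node ", parentRef);
            return parentRef;
        }
        if (!ChildAssociationRef.class.isAssignableFrom(parameterType)) {
            throw new ACLEntryVoterException("The specified parameter is not a ChildAssociationRef");
        }
        if (argument == null) {
            return null;
        }
        NodeRef parentRef = ((ChildAssociationRef) argument).getParentRef();
        debugTarget("\tPermission test for parent on child assoc ref for node ",
                "\tPermission test for parent on child assoc ref for non existing node ", parentRef);
        return parentRef;
    }

    /**
     * Logs which node is about to be checked, at debug level only.
     *
     * <p>A {@code null} reference is not passed to the node service, and the path is looked
     * up only for a node that exists, so that turning on debug logging cannot make this
     * logging the place where an access decision fails.
     */
    private void debugTarget(String existingPrefix, String missingPrefix, NodeRef nodeRef) {
        if (nodeRef == null || !log.isDebugEnabled()) {
            return;
        }
        if (this.nodeService.exists(nodeRef)) {
            log.debug(existingPrefix + this.nodeService.getPath(nodeRef));
        } else {
            log.debug(missingPrefix + nodeRef);
        }
    }

    /**
     * Parses every attribute this voter supports into a {@link ConfigAttributeDefintion},
     * preserving declaration order.
     *
     * @throws ACLEntryVoterException if a supported attribute is malformed
     */
    private List<ConfigAttributeDefintion> extractSupportedDefinitions(ConfigAttributeDefinition configAttributeDefinition) {
        List<ConfigAttributeDefintion> definitions = new ArrayList<ConfigAttributeDefintion>(2);
        Iterator attributes = configAttributeDefinition.getConfigAttributes();
        while (attributes.hasNext()) {
            ConfigAttribute attribute = (ConfigAttribute) attributes.next();
            if (supports(attribute)) {
                definitions.add(new ConfigAttributeDefintion(attribute));
            }
        }
        return definitions;
    }
}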
