package org.alfresco.repo.security.permissions.impl.acegi;

import java.util.ArrayList;
import java.util.BitSet;
import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.StringTokenizer;
import net.sf.acegisecurity.AccessDeniedException;
import net.sf.acegisecurity.Authentication;
import net.sf.acegisecurity.ConfigAttribute;
import net.sf.acegisecurity.ConfigAttributeDefinition;
import net.sf.acegisecurity.afterinvocation.AfterInvocationProvider;
import org.alfresco.cmis.CMISResultSet;
import org.alfresco.repo.search.impl.lucene.PagingLuceneResultSet;
import org.alfresco.repo.search.impl.querymodel.QueryEngineResults;
import org.alfresco.repo.security.authentication.AuthenticationUtil;
import org.alfresco.repo.security.permissions.impl.SimplePermissionReference;
import org.alfresco.service.cmr.model.FileInfo;
import org.alfresco.service.cmr.repository.ChildAssociationRef;
import org.alfresco.service.cmr.repository.NodeRef;
import org.alfresco.service.cmr.repository.NodeService;
import org.alfresco.service.cmr.repository.StoreRef;
import org.alfresco.service.cmr.search.ResultSet;
import org.alfresco.service.cmr.security.AccessStatus;
import org.alfresco.service.cmr.security.AuthenticationService;
import org.alfresco.service.cmr.security.PermissionService;
import org.alfresco.service.namespace.NamespacePrefixResolver;
import org.alfresco.service.namespace.QName;
import org.aopalliance.intercept.MethodInvocation;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.beans.factory.InitializingBean;

/* loaded from: input_file:WEB-INF/lib/alfresco-repository-3.2r.jar:org/alfresco/repo/security/permissions/impl/acegi/ACLEntryAfterInvocationProvider.class */
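/**
 * Acegi after-invocation provider that filters method return values against node permissions.
 *
 * <p>Supported config attributes have the form {@code TYPE.namespace.permission}, where TYPE is
 * {@code AFTER_ACL_NODE} (test the returned node itself) or {@code AFTER_ACL_PARENT} (test its
 * parent). Single objects that fail the test cause an {@link AccessDeniedException}; collections
 * and arrays are pruned instead.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Only an explicit {@link AccessStatus#DENIED} blocks an object; any other status passes.</li>
 *   <li>Return types not recognised by {@link #decide(Authentication, Object, ConfigAttributeDefinition, Object)}
 *       are returned unfiltered, as are {@code CMISResultSet} instances.</li>
 *   <li>Nodes whose type or aspects appear in {@code unfilteredFor} skip the permission test.</li>
 *   <li>Calls running as the system user skip all filtering.</li>
 * </ul>
 *
 * <p>NOTE(review): this listing is decompiler output; the {@code ResultSet} overload of
 * {@code decide} could not be recovered and is a stub that throws.
 */
public class ACLEntryAfterInvocationProvider implements AfterInvocationProvider, InitializingBean {
    private static final Log log = LogFactory.getLog(ACLEntryAfterInvocationProvider.class);
    private static final String AFTER_ACL_NODE = "AFTER_ACL_NODE";
    private static final String AFTER_ACL_PARENT = "AFTER_ACL_PARENT";
    private PermissionService permissionService;
    private NamespacePrefixResolver nspr;
    private NodeService nodeService;
    // Resolved form of unfilteredFor; populated in afterPropertiesSet().
    private Set<QName> unfilteredForClassQNames = new HashSet<QName>();
    private Set<String> unfilteredFor = null;
    private int maxPermissionChecks = Integer.MAX_VALUE;
    private long maxPermissionCheckTimeMillis = Long.MAX_VALUE;

    /**
     * Parsed form of one supported config attribute: the test type plus the required permission.
     */
    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/alfresco-repository-3.2r.jar:org/alfresco/repo/security/permissions/impl/acegi/ACLEntryAfterInvocationProvider$ConfigAttributeDefintion.class */
    public class ConfigAttributeDefintion {
        // Either AFTER_ACL_NODE or AFTER_ACL_PARENT.
        String typeString;
        // Permission that must not be DENIED on the tested node.
        SimplePermissionReference required;

        /**
         * Parses an attribute of the form {@code TYPE.qname.permissionName}.
         *
         * @throws ACLEntryVoterException if there are not exactly three dot-separated tokens or
         *         the type is not one of the two supported values
         */
        ConfigAttributeDefintion(ConfigAttribute configAttribute) {
            StringTokenizer tokens = new StringTokenizer(configAttribute.getAttribute(), ".", false);
            if (tokens.countTokens() != 3) {
                throw new ACLEntryVoterException("There must be three . separated tokens in each config attribute");
            }
            this.typeString = tokens.nextToken();
            String qNameString = tokens.nextToken();
            String permissionName = tokens.nextToken();
            // supports() only checks the prefix, so the exact type is enforced here; a malformed
            // attribute fails with an exception rather than being silently skipped.
            if (!this.typeString.equals(ACLEntryAfterInvocationProvider.AFTER_ACL_NODE) && !this.typeString.equals(ACLEntryAfterInvocationProvider.AFTER_ACL_PARENT)) {
                // Message names the values that are actually accepted.
                throw new ACLEntryVoterException("Invalid type: must be AFTER_ACL_NODE or AFTER_ACL_PARENT");
            }
            this.required = SimplePermissionReference.getPermissionReference(QName.createQName(qNameString, ACLEntryAfterInvocationProvider.this.nspr), permissionName);
        }
    }

    /** Sets the service used to evaluate permissions on nodes. */
    public void setPermissionService(PermissionService permissionService) {
        this.permissionService = permissionService;
    }

    /** Returns the configured permission service. */
    public PermissionService getPermissionService() {
        return this.permissionService;
    }

    /** Returns the resolver used to turn prefixed names into QNames. */
    public NamespacePrefixResolver getNamespacePrefixResolver() {
        return this.nspr;
    }

    /** Sets the resolver used to turn prefixed names into QNames. */
    public void setNamespacePrefixResolver(NamespacePrefixResolver namespacePrefixResolver) {
        this.nspr = namespacePrefixResolver;
    }

    /** Returns the configured node service. */
    public NodeService getNodeService() {
        return this.nodeService;
    }

    /** Sets the node service used to look up root nodes, parents, types and aspects. */
    public void setNodeService(NodeService nodeService) {
        this.nodeService = nodeService;
    }

    /** Retained for configuration compatibility; the argument is ignored and a warning is logged. */
    public void setAuthenticationService(AuthenticationService authenticationService) {
        log.warn("Bean property 'authenticationService' no longer required.");
    }

    /** Sets the permission-check limit consulted when filtering collections. */
    public void setMaxPermissionChecks(int i) {
        this.maxPermissionChecks = i;
    }

    /** Sets the time budget, in milliseconds, consulted when filtering collections. */
    public void setMaxPermissionCheckTimeMillis(long j) {
        this.maxPermissionCheckTimeMillis = j;
    }

    /**
     * Sets the type and aspect names whose nodes bypass the permission test.
     * Every entry widens what is returned without an ACL check, so keep this list minimal.
     */
    public void setUnfilteredFor(Set<String> set) {
        this.unfilteredFor = set;
    }

    /**
     * Validates that the required services are present and resolves {@code unfilteredFor}.
     *
     * @throws IllegalArgumentException if a required service has not been set
     */
    @Override // org.springframework.beans.factory.InitializingBean
    public void afterPropertiesSet() throws Exception {
        if (this.permissionService == null) {
            throw new IllegalArgumentException("There must be a permission service");
        }
        if (this.nspr == null) {
            throw new IllegalArgumentException("There must be a namespace service");
        }
        if (this.nodeService == null) {
            throw new IllegalArgumentException("There must be a node service");
        }
        if (this.unfilteredFor != null) {
            for (String className : this.unfilteredFor) {
                this.unfilteredForClassQNames.add(QName.resolveToQName(this.nspr, className));
            }
        }
    }

    /**
     * Dispatches on the runtime type of the returned object and applies the matching filter.
     *
     * @param obj the secured invocation (cast to {@link MethodInvocation} for debug logging)
     * @param obj2 the value returned by the secured method
     * @return the value to hand to the caller, possibly pruned
     * @throws AccessDeniedException if a single returned object fails its permission test
     */
    @Override // net.sf.acegisecurity.afterinvocation.AfterInvocationProvider
    public Object decide(Authentication authentication, Object obj, ConfigAttributeDefinition configAttributeDefinition, Object obj2) throws AccessDeniedException {
        if (log.isDebugEnabled()) {
            log.debug("Method: " + ((MethodInvocation) obj).getMethod().toString());
        }
        try {
            // Run-as-system bypasses every check below.
            if (AuthenticationUtil.isRunAsUserTheSystemUser()) {
                if (log.isDebugEnabled()) {
                    log.debug("Allowing system user access");
                }
                return obj2;
            }
            if (obj2 == null) {
                if (log.isDebugEnabled()) {
                    log.debug("Allowing null object access");
                }
                return null;
            }
            if (StoreRef.class.isAssignableFrom(obj2.getClass())) {
                if (log.isDebugEnabled()) {
                    log.debug("Store access");
                }
                // A store is tested through its root node.
                return decide(authentication, obj, configAttributeDefinition, this.nodeService.getRootNode((StoreRef) obj2)).getStoreRef();
            }
            if (NodeRef.class.isAssignableFrom(obj2.getClass())) {
                if (log.isDebugEnabled()) {
                    log.debug("Node access");
                }
                return decide(authentication, obj, configAttributeDefinition, (NodeRef) obj2);
            }
            if (FileInfo.class.isAssignableFrom(obj2.getClass())) {
                return decide(authentication, obj, configAttributeDefinition, (FileInfo) obj2);
            }
            if (ChildAssociationRef.class.isAssignableFrom(obj2.getClass())) {
                if (log.isDebugEnabled()) {
                    log.debug("Child Association access");
                }
                return decide(authentication, obj, configAttributeDefinition, (ChildAssociationRef) obj2);
            }
            if (CMISResultSet.class.isAssignableFrom(obj2.getClass())) {
                // Returned as-is: this provider relies on the producer having filtered already.
                if (log.isDebugEnabled()) {
                    log.debug("CMIS Result Set - already checked permissions for " + obj.getClass().getName());
                }
                return obj2;
            }
            // PagingLuceneResultSet must be tested before the more general ResultSet.
            if (PagingLuceneResultSet.class.isAssignableFrom(obj2.getClass())) {
                if (log.isDebugEnabled()) {
                    log.debug("Result Set access");
                }
                return decide(authentication, obj, configAttributeDefinition, (PagingLuceneResultSet) obj2);
            }
            if (ResultSet.class.isAssignableFrom(obj2.getClass())) {
                if (log.isDebugEnabled()) {
                    log.debug("Result Set access");
                }
                return decide(authentication, obj, configAttributeDefinition, (ResultSet) obj2);
            }
            if (QueryEngineResults.class.isAssignableFrom(obj2.getClass())) {
                if (log.isDebugEnabled()) {
                    log.debug("Result Set access");
                }
                return decide(authentication, obj, configAttributeDefinition, (QueryEngineResults) obj2);
            }
            if (Collection.class.isAssignableFrom(obj2.getClass())) {
                if (log.isDebugEnabled()) {
                    log.debug("Collection Access");
                }
                return decide(authentication, obj, configAttributeDefinition, (Collection) obj2);
            }
            if (obj2.getClass().isArray()) {
                if (log.isDebugEnabled()) {
                    log.debug("Array Access");
                }
                return decide(authentication, obj, configAttributeDefinition, (Object[]) obj2);
            }
            // Fail-open default: any return type not handled above reaches the caller unchecked.
            // A secured method that returns a new wrapper type around nodes needs a branch here.
            if (log.isDebugEnabled()) {
                log.debug("Uncontrolled object - access allowed for " + obj.getClass().getName());
            }
            return obj2;
        } catch (AccessDeniedException e) {
            if (log.isDebugEnabled()) {
                // Route the trace through the logger instead of stderr so it stays with the
                // rest of the audit/debug output.
                log.debug("Access denied", e);
            }
            throw e;
        } catch (RuntimeException e2) {
            if (log.isDebugEnabled()) {
                log.debug("Access denied by runtime exception", e2);
            }
            throw e2;
        }
    }

    /**
     * Tests a single node (or its primary parent) against every supported definition.
     *
     * @return the node unchanged, or {@code null} if it was {@code null}
     * @throws AccessDeniedException if any tested node is explicitly DENIED the required permission
     */
    private NodeRef decide(Authentication authentication, Object obj, ConfigAttributeDefinition configAttributeDefinition, NodeRef nodeRef) throws AccessDeniedException {
        if (nodeRef == null) {
            return null;
        }
        if (isUnfitered(nodeRef)) {
            return nodeRef;
        }
        List<ConfigAttributeDefintion> definitions = extractSupportedDefinitions(configAttributeDefinition);
        if (definitions.size() == 0) {
            return nodeRef;
        }
        for (ConfigAttributeDefintion definition : definitions) {
            NodeRef testNodeRef = null;
            if (definition.typeString.equals(AFTER_ACL_NODE)) {
                testNodeRef = nodeRef;
            } else if (definition.typeString.equals(AFTER_ACL_PARENT)) {
                testNodeRef = this.nodeService.getPrimaryParent(nodeRef).getParentRef();
            }
            // A null test node (no parent to test) is allowed through.
            if (testNodeRef != null && this.permissionService.hasPermission(testNodeRef, definition.required.toString()) == AccessStatus.DENIED) {
                throw new AccessDeniedException("Access Denied");
            }
        }
        return nodeRef;
    }

    /**
     * Reports whether the node's type or one of its aspects is configured to bypass filtering.
     * Callers must pass a non-null node; how the node service handles null is not visible here.
     */
    private boolean isUnfitered(NodeRef nodeRef) {
        if (this.unfilteredForClassQNames.size() <= 0) {
            return false;
        }
        if (this.unfilteredForClassQNames.contains(this.nodeService.getType(nodeRef))) {
            return true;
        }
        Set<QName> aspects = this.nodeService.getAspects(nodeRef);
        for (QName unfilteredClass : this.unfilteredForClassQNames) {
            if (aspects.contains(unfilteredClass)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Tests the node behind a {@link FileInfo}.
     *
     * @throws AccessDeniedException if the node test fails
     */
    private FileInfo decide(Authentication authentication, Object obj, ConfigAttributeDefinition configAttributeDefinition, FileInfo fileInfo) throws AccessDeniedException {
        decide(authentication, obj, configAttributeDefinition, fileInfo.getNodeRef());
        return fileInfo;
    }

    /** Parses every config attribute accepted by {@link #supports(ConfigAttribute)}. */
    private List<ConfigAttributeDefintion> extractSupportedDefinitions(ConfigAttributeDefinition configAttributeDefinition) {
        List<ConfigAttributeDefintion> supported = new ArrayList<ConfigAttributeDefintion>();
        Iterator<?> attributes = configAttributeDefinition.getConfigAttributes();
        while (attributes.hasNext()) {
            ConfigAttribute attribute = (ConfigAttribute) attributes.next();
            if (supports(attribute)) {
                supported.add(new ConfigAttributeDefintion(attribute));
            }
        }
        return supported;
    }

    /**
     * Tests the child (AFTER_ACL_NODE) or parent (AFTER_ACL_PARENT) side of an association.
     *
     * @throws AccessDeniedException if the tested node is explicitly DENIED the required permission
     */
    private ChildAssociationRef decide(Authentication authentication, Object obj, ConfigAttributeDefinition configAttributeDefinition, ChildAssociationRef childAssociationRef) throws AccessDeniedException {
        if (childAssociationRef == null) {
            return null;
        }
        List<ConfigAttributeDefintion> definitions = extractSupportedDefinitions(configAttributeDefinition);
        if (definitions.size() == 0) {
            return childAssociationRef;
        }
        for (ConfigAttributeDefintion definition : definitions) {
            NodeRef testNodeRef = null;
            if (definition.typeString.equals(AFTER_ACL_NODE)) {
                testNodeRef = childAssociationRef.getChildRef();
            } else if (definition.typeString.equals(AFTER_ACL_PARENT)) {
                testNodeRef = childAssociationRef.getParentRef();
            }
            // Null check comes first so the node service is never asked about a null node.
            if (testNodeRef != null && !isUnfitered(testNodeRef) && this.permissionService.hasPermission(testNodeRef, definition.required.toString()) == AccessStatus.DENIED) {
                throw new AccessDeniedException("Access Denied");
            }
        }
        return childAssociationRef;
    }

    /** Filters the wrapped result set and re-wraps it with the original search parameters. */
    private ResultSet decide(Authentication authentication, Object obj, ConfigAttributeDefinition configAttributeDefinition, PagingLuceneResultSet pagingLuceneResultSet) throws AccessDeniedException {
        ResultSet filtered = decide(authentication, obj, configAttributeDefinition, pagingLuceneResultSet.getWrapped());
        return new PagingLuceneResultSet(filtered, pagingLuceneResultSet.getResultSetMetaData().getSearchParameters(), this.nodeService);
    }

    /* JADX WARN: Code restructure failed: missing block: B:92:0x01e0, code lost:
    
        r0.setResultSetMetaData(new org.alfresco.repo.search.SimpleResultSetMetaData(org.alfresco.service.cmr.search.LimitBy.NUMBER_OF_PERMISSION_EVALUATIONS, org.alfresco.service.cmr.search.PermissionEvaluationMode.EAGER, r11.getResultSetMetaData().getSearchParameters()));
     */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    // NOTE(review): the body of the ResultSet filter was not recovered by the decompiler, so the
    // search-result filtering logic cannot be reviewed from this listing. Audit it from the
    // original source or the bytecode; this stub is not the shipped behaviour.
    private org.alfresco.service.cmr.search.ResultSet decide(net.sf.acegisecurity.Authentication r8, java.lang.Object r9, net.sf.acegisecurity.ConfigAttributeDefinition r10, org.alfresco.service.cmr.search.ResultSet r11) throws net.sf.acegisecurity.AccessDeniedException {
        /*
            Method dump skipped, instructions count: 740
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: org.alfresco.repo.security.permissions.impl.acegi.ACLEntryAfterInvocationProvider.decide(net.sf.acegisecurity.Authentication, java.lang.Object, net.sf.acegisecurity.ConfigAttributeDefinition, org.alfresco.service.cmr.search.ResultSet):org.alfresco.service.cmr.search.ResultSet");
    }

    /** Filters each result set in the map and returns a new {@link QueryEngineResults}. */
    private QueryEngineResults decide(Authentication authentication, Object obj, ConfigAttributeDefinition configAttributeDefinition, QueryEngineResults queryEngineResults) throws AccessDeniedException {
        Map<Set<String>, ResultSet> results = queryEngineResults.getResults();
        Map<Set<String>, ResultSet> filtered = new HashMap<Set<String>, ResultSet>(results.size(), 1.0f);
        for (Map.Entry<Set<String>, ResultSet> entry : results.entrySet()) {
            ResultSet resultSet = entry.getValue();
            ResultSet checked;
            if (PagingLuceneResultSet.class.isAssignableFrom(resultSet.getClass())) {
                checked = decide(authentication, obj, configAttributeDefinition, (PagingLuceneResultSet) resultSet);
            } else {
                checked = decide(authentication, obj, configAttributeDefinition, resultSet);
            }
            filtered.put(entry.getKey(), checked);
        }
        return new QueryEngineResults(filtered);
    }

    /**
     * Prunes, in place, every element whose tested node is explicitly DENIED a required permission.
     *
     * @return the same collection instance with denied elements removed
     * @throws ACLEntryVoterException if an element is not a StoreRef, NodeRef, ChildAssociationRef
     *         or FileInfo
     */
    private Collection decide(Authentication authentication, Object obj, ConfigAttributeDefinition configAttributeDefinition, Collection collection) throws AccessDeniedException {
        if (collection == null) {
            return null;
        }
        List<ConfigAttributeDefintion> definitions = extractSupportedDefinitions(configAttributeDefinition);
        if (definitions.size() == 0) {
            return collection;
        }
        Set<Object> denied = new HashSet<Object>();
        if (log.isDebugEnabled()) {
            log.debug("Entries are " + definitions);
        }
        long startMillis = System.currentTimeMillis();
        Iterator it = collection.iterator();
        while (it.hasNext()) {
            Object next = it.next();
            long nowMillis = System.currentTimeMillis();
            // Once the budget is exhausted the remaining elements are dropped, not returned
            // unchecked, so exceeding a limit never exposes unfiltered nodes.
            // NOTE(review): the left operand is the literal 0 in this decompiled listing, so the
            // count limit only triggers when maxPermissionChecks <= 0. Presumably a running
            // counter was intended; confirm against the original source.
            if (0 >= this.maxPermissionChecks || nowMillis - startMillis > this.maxPermissionCheckTimeMillis) {
                it.remove();
            } else {
                boolean allowed = true;
                for (ConfigAttributeDefintion definition : definitions) {
                    NodeRef testNodeRef = null;
                    if (definition.typeString.equals(AFTER_ACL_NODE)) {
                        if (StoreRef.class.isAssignableFrom(next.getClass())) {
                            testNodeRef = this.nodeService.getRootNode((StoreRef) next);
                        } else if (NodeRef.class.isAssignableFrom(next.getClass())) {
                            testNodeRef = (NodeRef) next;
                        } else if (ChildAssociationRef.class.isAssignableFrom(next.getClass())) {
                            testNodeRef = ((ChildAssociationRef) next).getChildRef();
                        } else {
                            if (!FileInfo.class.isAssignableFrom(next.getClass())) {
                                throw new ACLEntryVoterException("The specified parameter is not a collection of NodeRefs, ChildAssociationRefs or FileInfos");
                            }
                            testNodeRef = ((FileInfo) next).getNodeRef();
                        }
                    } else if (definition.typeString.equals(AFTER_ACL_PARENT)) {
                        if (StoreRef.class.isAssignableFrom(next.getClass())) {
                            // A store has no parent to test, so it is allowed.
                            testNodeRef = null;
                        } else if (NodeRef.class.isAssignableFrom(next.getClass())) {
                            testNodeRef = this.nodeService.getPrimaryParent((NodeRef) next).getParentRef();
                        } else if (ChildAssociationRef.class.isAssignableFrom(next.getClass())) {
                            testNodeRef = ((ChildAssociationRef) next).getParentRef();
                        } else {
                            if (!FileInfo.class.isAssignableFrom(next.getClass())) {
                                throw new ACLEntryVoterException("The specified parameter is not a collection of NodeRefs or ChildAssociationRefs");
                            }
                            // NOTE(review): tests the FileInfo's own node rather than its parent,
                            // unlike the NodeRef branch above; confirm this is intended.
                            testNodeRef = ((FileInfo) next).getNodeRef();
                        }
                    }
                    if (log.isDebugEnabled()) {
                        log.debug("\t" + definition.typeString + " test on " + testNodeRef + " from " + next.getClass().getName());
                    }
                    // Null check first so the node service is never asked about a null node.
                    if (testNodeRef != null && allowed && !isUnfitered(testNodeRef) && this.permissionService.hasPermission(testNodeRef, definition.required.toString()) == AccessStatus.DENIED) {
                        allowed = false;
                    }
                }
                if (!allowed) {
                    denied.add(next);
                }
            }
        }
        for (Object rejected : denied) {
            // Remove every occurrence: the collection may hold the same element more than once.
            // The element is held in a local so the iterator is advanced exactly once per entry.
            while (collection.remove(rejected)) {
                // keep removing until no occurrence is left
            }
        }
        return collection;
    }

    /**
     * Returns the array with every element removed whose tested node is explicitly DENIED a
     * required permission. The input array is returned as-is when nothing is removed; otherwise
     * a new {@code Object[]} is returned.
     *
     * @throws ACLEntryVoterException if an element is not a StoreRef, NodeRef, ChildAssociationRef
     *         or FileInfo
     */
    private Object[] decide(Authentication authentication, Object obj, ConfigAttributeDefinition configAttributeDefinition, Object[] objArr) throws AccessDeniedException {
        // Null is checked before the array length is read.
        if (objArr == null) {
            return null;
        }
        List<ConfigAttributeDefintion> definitions = extractSupportedDefinitions(configAttributeDefinition);
        if (definitions.size() == 0) {
            return objArr;
        }
        BitSet included = new BitSet(objArr.length);
        int length = objArr.length;
        for (int i = 0; i < length; i++) {
            Object element = objArr[i];
            // Start as included once per element. Resetting this inside the definition loop
            // would let a later definition overwrite an earlier DENIED verdict, so that only
            // the last definition decided; the collection filter keeps the first denial too.
            included.set(i, true);
            for (ConfigAttributeDefintion definition : definitions) {
                NodeRef testNodeRef = null;
                if (definition.typeString.equals(AFTER_ACL_NODE)) {
                    if (StoreRef.class.isAssignableFrom(element.getClass())) {
                        testNodeRef = this.nodeService.getRootNode((StoreRef) element);
                    } else if (NodeRef.class.isAssignableFrom(element.getClass())) {
                        testNodeRef = (NodeRef) element;
                    } else if (ChildAssociationRef.class.isAssignableFrom(element.getClass())) {
                        testNodeRef = ((ChildAssociationRef) element).getChildRef();
                    } else {
                        if (!FileInfo.class.isAssignableFrom(element.getClass())) {
                            throw new ACLEntryVoterException("The specified array is not of NodeRef or ChildAssociationRef");
                        }
                        testNodeRef = ((FileInfo) element).getNodeRef();
                    }
                } else if (definition.typeString.equals(AFTER_ACL_PARENT)) {
                    if (StoreRef.class.isAssignableFrom(element.getClass())) {
                        // A store has no parent to test, so it is allowed.
                        testNodeRef = null;
                    } else if (NodeRef.class.isAssignableFrom(element.getClass())) {
                        testNodeRef = this.nodeService.getPrimaryParent((NodeRef) element).getParentRef();
                    } else if (ChildAssociationRef.class.isAssignableFrom(element.getClass())) {
                        testNodeRef = ((ChildAssociationRef) element).getParentRef();
                    } else {
                        if (!FileInfo.class.isAssignableFrom(element.getClass())) {
                            throw new ACLEntryVoterException("The specified array is not of NodeRef or ChildAssociationRef");
                        }
                        // NOTE(review): tests the FileInfo's own node rather than its parent,
                        // unlike the NodeRef branch above; confirm this is intended.
                        testNodeRef = ((FileInfo) element).getNodeRef();
                    }
                }
                if (log.isDebugEnabled()) {
                    log.debug("\t" + definition.typeString + " test on " + testNodeRef + " from " + element.getClass().getName());
                }
                // Null check first so the node service is never asked about a null node.
                if (testNodeRef != null && included.get(i) && !isUnfitered(testNodeRef) && this.permissionService.hasPermission(testNodeRef, definition.required.toString()) == AccessStatus.DENIED) {
                    included.set(i, false);
                }
            }
        }
        if (included.cardinality() == objArr.length) {
            return objArr;
        }
        Object[] kept = new Object[included.cardinality()];
        int target = 0;
        for (int source = included.nextSetBit(0); source >= 0; source = included.nextSetBit(source + 1)) {
            kept[target++] = objArr[source];
        }
        return kept;
    }

    /**
     * Accepts attributes whose text starts with one of the two supported type prefixes.
     * The exact format is validated later, when the attribute is parsed.
     */
    @Override // net.sf.acegisecurity.afterinvocation.AfterInvocationProvider
    public boolean supports(ConfigAttribute configAttribute) {
        String attribute = configAttribute.getAttribute();
        if (attribute == null) {
            return false;
        }
        return attribute.startsWith(AFTER_ACL_NODE) || attribute.startsWith(AFTER_ACL_PARENT);
    }

    /** Supports secured objects that are {@link MethodInvocation}s. */
    @Override // net.sf.acegisecurity.afterinvocation.AfterInvocationProvider
    public boolean supports(Class cls) {
        return MethodInvocation.class.isAssignableFrom(cls);
    }
}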
