package org.exist.security;

import com.evolvedbinary.j8fu.Either;
import com.evolvedbinary.j8fu.function.ConsumerE;
import java.io.IOException;
import java.util.List;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.exist.collections.Collection;
import org.exist.dom.persistent.DocumentImpl;
import org.exist.dom.persistent.LockedDocument;
import org.exist.security.internal.aider.ACEAider;
import org.exist.storage.DBBroker;
import org.exist.storage.lock.Lock;
import org.exist.storage.txn.Txn;
import org.exist.util.SyntaxException;
import org.exist.xmldb.XmldbURI;
import org.exist.xquery.XPathException;

/* loaded from: input_file:org/exist/security/PermissionFactory.class */
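/**
 * Static factory and mutation helpers for {@link Permission} objects.
 *
 * <p>The {@code getPermission}/{@code getDefault*Permission} methods build new
 * {@link SimpleACLPermission} instances. The {@code chown}, {@code chmod},
 * {@code chmod_str} and {@code chacl} families change an existing permission and
 * enforce the authorisation rules for doing so before any change is applied.
 * The overloads that take a {@link Txn} and an {@link XmldbURI} additionally
 * open the target under a write lock and persist the change.
 */
public class PermissionFactory {
    private static final Logger LOG = LogManager.getLogger(PermissionFactory.class);

    /** Base mode for new resources before the user mask is applied (decimal 438). */
    private static final int DEFAULT_RESOURCE_MODE = 0666;

    /** Base mode for new collections before the user mask is applied (decimal 511). */
    private static final int DEFAULT_COLLECTION_MODE = 0777;

    /**
     * Matches a symbolic mode holding a group clause ({@code g+...} or {@code g=...}),
     * or a bare {@code =...} clause, whose permission list contains {@code s}.
     * Group 1 is the clause prefix, group 2 the permission letters.
     */
    private static final Pattern GROUP_SETGID_CLAUSE =
            Pattern.compile("[^g]*(g[+=]|=)([^,s]*s[^,s]*)[^g]*");

    /**
     * Matches a symbolic mode holding an {@code a+...} or {@code a=...} clause whose
     * permission list contains {@code s}. Group 1 is the operator, group 2 the
     * permission letters.
     */
    private static final Pattern ALL_SETGID_CLAUSE =
            Pattern.compile("[^a]*a(\\+|=)([^,s]*s[^,s]*)[^a]*");

    /**
     * Creates the default permission for a new resource: owned by the current
     * subject and its default group, with mode {@code 0666} minus the bits set in
     * the subject's user mask.
     *
     * @param securityManager the security manager used to resolve the current subject
     * @return a new {@link SimpleACLPermission}
     */
    public static Permission getDefaultResourcePermission(SecurityManager securityManager) {
        Subject currentSubject = currentSubjectOf(securityManager);
        int mode = DEFAULT_RESOURCE_MODE & ~currentSubject.getUserMask();
        return new SimpleACLPermission(securityManager, currentSubject.getId(), currentSubject.getDefaultGroup().getId(), mode);
    }

    /**
     * Creates the default permission for a new collection: owned by the current
     * subject and its default group, with mode {@code 0777} minus the bits set in
     * the subject's user mask.
     *
     * @param securityManager the security manager used to resolve the current subject
     * @return a new {@link SimpleACLPermission}
     */
    public static Permission getDefaultCollectionPermission(SecurityManager securityManager) {
        Subject currentSubject = currentSubjectOf(securityManager);
        int mode = DEFAULT_COLLECTION_MODE & ~currentSubject.getUserMask();
        return new SimpleACLPermission(securityManager, currentSubject.getId(), currentSubject.getDefaultGroup().getId(), mode);
    }

    /**
     * Creates a permission owned by the current subject and its default group with
     * the given mode. The user mask is not applied here.
     *
     * @param securityManager the security manager used to resolve the current subject
     * @param i the mode, passed through unchanged
     * @return a new {@link SimpleACLPermission}
     */
    public static Permission getPermission(SecurityManager securityManager, int i) {
        Subject currentSubject = currentSubjectOf(securityManager);
        return new SimpleACLPermission(securityManager, currentSubject.getId(), currentSubject.getDefaultGroup().getId(), i);
    }

    /**
     * Creates a permission from explicit ids. No lookup or existence check is done
     * on the ids in this method.
     *
     * @param securityManager the security manager handed to the new permission
     * @param i the owner id
     * @param i2 the group id
     * @param i3 the mode
     * @return a new {@link SimpleACLPermission}
     */
    public static Permission getPermission(SecurityManager securityManager, int i, int i2, int i3) {
        return new SimpleACLPermission(securityManager, i, i2, i3);
    }

    /**
     * Creates a permission for a named user and group.
     *
     * <p>A failure while looking up the account is logged and then reported as
     * "not found", so this method never hands back a permission for an owner it
     * could not resolve.
     *
     * @param securityManager the security manager used for the lookups
     * @param str the owner's user name
     * @param str2 the group name
     * @param i the mode
     * @return a new {@link SimpleACLPermission}
     * @throws IllegalArgumentException if the user or the group cannot be resolved
     */
    public static Permission getPermission(SecurityManager securityManager, String str, String str2, int i) {
        // Initialised to null so that a failed lookup falls through to the
        // "not found" branch instead of leaving the variable unassigned.
        Account account = null;
        try {
            account = securityManager.getAccount(str);
        } catch (Throwable th) {
            LOG.error("Exception while instantiating security permission class.", th);
        }
        if (account == null) {
            throw new IllegalArgumentException("User was not found '" + (str == null ? "" : str) + "'");
        }
        Group group = securityManager.getGroup(str2);
        if (group == null) {
            // The null guard has to test the group name, not the user name.
            throw new IllegalArgumentException("Group was not found '" + (str2 == null ? "" : str2) + "'");
        }
        return new SimpleACLPermission(securityManager, account.getId(), group.getId(), i);
    }

    /** Resolves the subject of the broker that is currently active on the database. */
    private static Subject currentSubjectOf(SecurityManager securityManager) {
        return securityManager.getDatabase().getActiveBroker().getCurrentSubject();
    }

    /**
     * Opens the collection or, failing that, the document at {@code uri} under a
     * write lock, lets {@code modifier} change its permissions, and stores the result.
     *
     * <p>The modifier runs while the lock is held and before anything is stored, so
     * an exception thrown by its authorisation checks prevents the store.
     *
     * @param broker the broker used to open, store and flush
     * @param txn the transaction the store is part of
     * @param uri the collection or document whose permissions are changed
     * @param modifier applies the change to the target's {@link Permission}
     * @throws PermissionDeniedException if the target does not exist, the modifier
     *         rejects the change, or storing fails; the cause is attached
     */
    private static void updatePermissions(DBBroker broker, Txn txn, XmldbURI uri, ConsumerE<Permission, PermissionDeniedException> modifier) throws PermissionDeniedException {
        // try-with-resources tolerates a null resource, which is how "no collection
        // at this URI" is reported by openCollection.
        try (Collection collection = broker.openCollection(uri, Lock.LockMode.WRITE_LOCK)) {
            if (collection == null) {
                try (LockedDocument lockedDocument = broker.getXMLResource(uri, Lock.LockMode.WRITE_LOCK)) {
                    if (lockedDocument == null) {
                        throw new XPathException("Resource or collection '" + uri.toString() + "' does not exist.");
                    }
                    DocumentImpl document = lockedDocument.getDocument();
                    modifier.accept(document.getPermissions());
                    broker.storeXMLResource(txn, document);
                }
            } else {
                // The collection is already write-locked by openCollection above.
                modifier.accept(collection.getPermissionsNoLock());
                broker.saveCollection(txn, collection);
            }
            broker.flush();
        } catch (IOException | PermissionDeniedException | XPathException e) {
            throw new PermissionDeniedException("Permission to modify permissions is denied for user '" + broker.getCurrentSubject().getName() + "' on '" + uri.toString() + "': " + e.getMessage(), e);
        }
    }

    /**
     * Changes owner and/or group of the collection or document at {@code xmldbURI}
     * and persists the change.
     *
     * @param dBBroker the broker to operate with
     * @param txn the transaction the store is part of
     * @param xmldbURI the target collection or document
     * @param optional the new owner name, if the owner is to change
     * @param optional2 the new group name, if the group is to change
     * @throws PermissionDeniedException if the current subject may not make the change
     */
    public static void chown(DBBroker dBBroker, Txn txn, XmldbURI xmldbURI, Optional<String> optional, Optional<String> optional2) throws PermissionDeniedException {
        updatePermissions(dBBroker, txn, xmldbURI, permission -> chown(dBBroker, permission, optional, optional2));
    }

    /**
     * Changes owner and/or group on a collection's permissions. Nothing is stored
     * by this overload.
     *
     * @throws PermissionDeniedException if the current subject may not make the change
     */
    public static void chown(DBBroker dBBroker, Collection collection, Optional<String> optional, Optional<String> optional2) throws PermissionDeniedException {
        chown(dBBroker, collection.getPermissions(), optional, optional2);
    }

    /**
     * Changes owner and/or group on a document's permissions. Nothing is stored
     * by this overload.
     *
     * @throws PermissionDeniedException if the current subject may not make the change
     */
    public static void chown(DBBroker dBBroker, DocumentImpl documentImpl, Optional<String> optional, Optional<String> optional2) throws PermissionDeniedException {
        chown(dBBroker, documentImpl.getPermissions(), optional, optional2);
    }

    /**
     * Applies an owner and/or group change to {@code permission} after checking
     * that the current subject is allowed to make it.
     *
     * <p>With {@code posix-chown-restricted} in effect (the default when the
     * property is unset): only a DBA may change the owner; a non-DBA may change the
     * group only if it owns the resource and is a member of the target group.
     * Without the restriction, a DBA or the owner may change either.
     *
     * <p>For any non-DBA caller the set-UID and set-GID flags are cleared, whether
     * or not owner or group actually change.
     *
     * @param dBBroker supplies the configuration and the security manager
     * @param permission the permission to modify in place
     * @param optional the new owner name, if the owner is to change
     * @param optional2 the new group name, if the group is to change
     * @throws IllegalArgumentException if neither owner nor group is given
     * @throws PermissionDeniedException if the current subject may not make the change
     */
    public static void chown(DBBroker dBBroker, Permission permission, Optional<String> optional, Optional<String> optional2) throws PermissionDeniedException {
        if (!optional.isPresent() && !optional2.isPresent()) {
            throw new IllegalArgumentException("Either owner or group must be provided");
        }

        // A request naming the current owner/group is not treated as a change and
        // therefore needs no privilege.
        boolean ownerChanged = optional.map(name -> !permission.getOwner().getName().equals(name)).orElse(false);
        boolean groupChanged = optional2.map(name -> !permission.getGroup().getName().equals(name)).orElse(false);

        boolean posixChownRestricted = (Boolean) dBBroker.getConfiguration().getProperty(DBBroker.POSIX_CHOWN_RESTRICTED_PROPERTY, true);
        if (posixChownRestricted) {
            if (ownerChanged && !permission.isCurrentSubjectDBA()) {
                throw new PermissionDeniedException("Only a DBA can change the user ID of a resource when posix-chown-restricted is in effect.");
            }
            if (groupChanged && !permission.isCurrentSubjectDBA()) {
                if (!permission.isCurrentSubjectOwner()) {
                    throw new PermissionDeniedException("You cannot change the group ID of a file you do not own when posix-chown-restricted is in effect.");
                }
                Group targetGroup = dBBroker.getBrokerPool().getSecurityManager().getGroup(optional2.get());
                if (targetGroup == null) {
                    // Unknown group: the group change is dropped without an error.
                    // NOTE(review): callers get no signal that nothing changed; confirm this is intended.
                    groupChanged = false;
                } else if (!permission.isCurrentSubjectInGroup(targetGroup.getId())) {
                    throw new PermissionDeniedException("You cannot change the group ID of a file to a group of which you are not a member when posix-chown-restricted is in effect.");
                }
            }
        } else {
            if (ownerChanged && !permission.isCurrentSubjectDBA() && !permission.isCurrentSubjectOwner()) {
                throw new PermissionDeniedException("Only a DBA or the resources owner can change the user ID of a resource.");
            }
            if (groupChanged && !permission.isCurrentSubjectDBA() && !permission.isCurrentSubjectOwner()) {
                throw new PermissionDeniedException("Only a DBA or the resources owner can change the group ID of a resource.");
            }
        }

        // Drop set-UID/set-GID before ownership moves so that a non-DBA cannot hand
        // a set-id resource to another identity.
        if (!permission.isCurrentSubjectDBA()) {
            if (permission.isSetUid()) {
                permission.setSetUid(false);
            }
            if (permission.isSetGid()) {
                permission.setSetGid(false);
            }
        }

        if (ownerChanged) {
            permission.setOwner(optional.get());
        }
        if (groupChanged) {
            permission.setGroup(optional2.get());
        }
    }

    /**
     * Changes mode (given as a string) and/or ACL of the collection or document at
     * {@code xmldbURI} and persists the change.
     *
     * @throws PermissionDeniedException if the current subject may not make the
     *         change or the mode string cannot be parsed
     */
    public static void chmod_str(DBBroker dBBroker, Txn txn, XmldbURI xmldbURI, Optional<String> optional, Optional<List<ACEAider>> optional2) throws PermissionDeniedException {
        updatePermissions(dBBroker, txn, xmldbURI, permission -> chmod_impl(dBBroker, permission, optional.map(Either::Left), optional2));
    }

    /**
     * Changes mode (given as a string) and/or ACL on a collection's permissions.
     * Nothing is stored by this overload.
     */
    public static void chmod_str(DBBroker dBBroker, Collection collection, Optional<String> optional, Optional<List<ACEAider>> optional2) throws PermissionDeniedException {
        chmod_impl(dBBroker, collection.getPermissions(), optional.map(Either::Left), optional2);
    }

    /**
     * Changes mode (given as a string) and/or ACL on a document's permissions.
     * Nothing is stored by this overload.
     */
    public static void chmod_str(DBBroker dBBroker, DocumentImpl documentImpl, Optional<String> optional, Optional<List<ACEAider>> optional2) throws PermissionDeniedException {
        chmod_impl(dBBroker, documentImpl.getPermissions(), optional.map(Either::Left), optional2);
    }

    /**
     * Changes mode (given as an integer) and/or ACL of the collection or document
     * at {@code xmldbURI} and persists the change.
     *
     * @throws PermissionDeniedException if the current subject may not make the change
     */
    public static void chmod(DBBroker dBBroker, Txn txn, XmldbURI xmldbURI, Optional<Integer> optional, Optional<List<ACEAider>> optional2) throws PermissionDeniedException {
        updatePermissions(dBBroker, txn, xmldbURI, permission -> chmod_impl(dBBroker, permission, optional.map(Either::Right), optional2));
    }

    /**
     * Changes mode (given as an integer) and/or ACL on a collection's permissions.
     * Nothing is stored by this overload.
     */
    public static void chmod(DBBroker dBBroker, Collection collection, Optional<Integer> optional, Optional<List<ACEAider>> optional2) throws PermissionDeniedException {
        chmod_impl(dBBroker, collection.getPermissions(), optional.map(Either::Right), optional2);
    }

    /**
     * Changes mode (given as an integer) and/or ACL on a document's permissions.
     * Nothing is stored by this overload.
     */
    public static void chmod(DBBroker dBBroker, DocumentImpl documentImpl, Optional<Integer> optional, Optional<List<ACEAider>> optional2) throws PermissionDeniedException {
        chmod_impl(dBBroker, documentImpl.getPermissions(), optional.map(Either::Right), optional2);
    }

    /** Changes mode (given as a string) and/or ACL directly on {@code permission}. */
    public static void chmod_str(DBBroker dBBroker, Permission permission, Optional<String> optional, Optional<List<ACEAider>> optional2) throws PermissionDeniedException {
        chmod_impl(dBBroker, permission, optional.map(Either::Left), optional2);
    }

    /** Changes mode (given as an integer) and/or ACL directly on {@code permission}. */
    public static void chmod(DBBroker dBBroker, Permission permission, Optional<Integer> optional, Optional<List<ACEAider>> optional2) throws PermissionDeniedException {
        chmod_impl(dBBroker, permission, optional.map(Either::Right), optional2);
    }

    /**
     * Shared implementation behind every {@code chmod}/{@code chmod_str} overload.
     *
     * <p>Only a DBA or the resource owner may change mode or ACL. When the mode
     * changes and the caller is neither a DBA nor in the group tested by
     * {@code isCurrentSubjectInGroup()}, set-GID is stripped from the requested
     * mode before it is applied. All checks run before the permission is touched.
     *
     * <p>The decompiler widened this method from private to public; it is left
     * public here so existing callers keep compiling.
     *
     * @param dBBroker supplies the current subject and the security manager
     * @param permission the permission to modify in place
     * @param optional the requested mode: left is a mode string, right an integer mode
     * @param optional2 the requested ACL, replacing the existing entries
     * @throws IllegalArgumentException if neither mode nor ACL is given
     * @throws PermissionDeniedException if the caller is not authorised, the mode
     *         string is malformed, or an ACL is requested on a permission that
     *         does not support ACLs
     */
    /* JADX INFO: Access modifiers changed from: private */
    public static void chmod_impl(DBBroker dBBroker, Permission permission, Optional<Either<String, Integer>> optional, Optional<List<ACEAider>> optional2) throws PermissionDeniedException {
        if (!optional.isPresent() && !optional2.isPresent()) {
            throw new IllegalArgumentException("Either mode or acl must be provided");
        }
        try {
            final boolean modeChanged;
            if (!optional.isPresent()) {
                modeChanged = false;
            } else if (optional.get().isLeft()) {
                // Parse the string on a scratch permission (starting from mode 0) to
                // obtain a numeric mode to compare with; this also surfaces syntax
                // errors before the real permission is modified.
                Subject currentSubject = dBBroker.getCurrentSubject();
                UnixStylePermission scratch = new UnixStylePermission(dBBroker.getBrokerPool().getSecurityManager(), currentSubject.getId(), currentSubject.getDefaultGroup().getId(), 0);
                scratch.setMode(optional.get().left().get());
                modeChanged = permission.getMode() != scratch.getMode();
            } else {
                modeChanged = permission.getMode() != optional.get().right().get();
            }
            boolean aclChanged = optional2.map(entries -> !aclEquals(permission, entries)).orElse(false);

            if ((modeChanged || aclChanged) && !permission.isCurrentSubjectDBA() && !permission.isCurrentSubjectOwner()) {
                throw new PermissionDeniedException("Only a DBA or the resources owner can change the mode of a resource.");
            }
            // Reject an ACL request on a non-ACL permission up front, before the mode
            // is modified, rather than failing later with a ClassCastException.
            if (aclChanged && !(permission instanceof ACLPermission)) {
                throw new PermissionDeniedException("ACL like permissions have not been enabled");
            }

            if (modeChanged) {
                Either<String, Integer> requested = optional.get();
                // presumably tests membership of the permission's own group — TODO confirm
                boolean maySetGid = permission.isCurrentSubjectDBA() || permission.isCurrentSubjectInGroup();
                if (requested.isLeft()) {
                    String modeString = requested.left().get();
                    permission.setMode(maySetGid ? modeString : removeSetGid(modeString));
                } else {
                    int modeBits = requested.right().get();
                    permission.setMode(maySetGid ? modeBits : removeSetGid(modeBits));
                }
            }
            if (aclChanged) {
                // The ACL is replaced wholesale: existing entries are dropped first.
                ACLPermission aclPermission = (ACLPermission) permission;
                aclPermission.clear();
                for (ACEAider entry : optional2.get()) {
                    aclPermission.addACE(entry.getAccessType(), entry.getTarget(), entry.getWho(), entry.getMode());
                }
            }
        } catch (SyntaxException e) {
            throw new PermissionDeniedException("Unrecognised mode syntax: " + e.getMessage(), e);
        }
    }

    /**
     * Lets {@code consumerE} modify the ACL of {@code permission}.
     *
     * @throws PermissionDeniedException if the permission is not a
     *         {@link SimpleACLPermission} or the caller is neither DBA nor owner
     */
    public static void chacl(Permission permission, ConsumerE<ACLPermission, PermissionDeniedException> consumerE) throws PermissionDeniedException {
        if (!(permission instanceof SimpleACLPermission)) {
            throw new PermissionDeniedException("ACL like permissions have not been enabled");
        }
        chacl((SimpleACLPermission) permission, consumerE);
    }

    /**
     * Lets {@code consumerE} modify the ACL of the collection or document at
     * {@code xmldbURI} and persists the change.
     *
     * @throws PermissionDeniedException if the target's permission is not a
     *         {@link SimpleACLPermission} or the caller is neither DBA nor owner
     */
    public static void chacl(DBBroker dBBroker, Txn txn, XmldbURI xmldbURI, ConsumerE<ACLPermission, PermissionDeniedException> consumerE) throws PermissionDeniedException {
        updatePermissions(dBBroker, txn, xmldbURI, permission -> {
            if (!(permission instanceof SimpleACLPermission)) {
                throw new PermissionDeniedException("ACL like permissions have not been enabled");
            }
            chacl((SimpleACLPermission) permission, consumerE);
        });
    }

    /**
     * Runs {@code consumerE} against {@code simpleACLPermission} once the caller
     * has been confirmed to be a DBA or the owner. The modifier itself is not
     * constrained further by this method.
     *
     * @throws IllegalArgumentException if {@code consumerE} is null
     * @throws PermissionDeniedException if the caller is neither DBA nor owner
     */
    public static void chacl(SimpleACLPermission simpleACLPermission, ConsumerE<ACLPermission, PermissionDeniedException> consumerE) throws PermissionDeniedException {
        if (consumerE == null) {
            throw new IllegalArgumentException("permissionModifier must be provided");
        }
        if (!simpleACLPermission.isCurrentSubjectDBA() && !simpleACLPermission.isCurrentSubjectOwner()) {
            throw new PermissionDeniedException("Only a DBA or the resources owner can change the ACL of a resource.");
        }
        consumerE.accept(simpleACLPermission);
    }

    /**
     * Reports whether {@code permission} already carries exactly the given ACL
     * entries, in the same order. A permission that is not an
     * {@link ACLPermission} never compares equal.
     */
    private static boolean aclEquals(Permission permission, List<ACEAider> entries) {
        if (!(permission instanceof ACLPermission)) {
            return false;
        }
        ACLPermission aclPermission = (ACLPermission) permission;
        if (aclPermission.getACECount() != entries.size()) {
            return false;
        }
        for (int index = 0; index < entries.size(); index++) {
            ACEAider entry = entries.get(index);
            boolean sameEntry = aclPermission.getACEAccessType(index) == entry.getAccessType()
                    && aclPermission.getACETarget(index) == entry.getTarget()
                    && aclPermission.getACEWho(index).equals(entry.getWho())
                    && aclPermission.getACEMode(index) == entry.getMode();
            if (!sameEntry) {
                return false;
            }
        }
        return true;
    }

    /**
     * Rewrites a mode string so that it no longer requests set-GID.
     *
     * <p>Two spellings are handled: the positional form accepted by
     * {@code SIMPLE_SYMBOLIC_MODE_PATTERN}, where index 5 is the group-execute
     * slot, and the clause form accepted by {@code UNIX_SYMBOLIC_MODE_PATTERN}.
     * Any other input is returned unchanged.
     *
     * <p>NOTE(review): in the clause form only the shapes matched by
     * {@link #GROUP_SETGID_CLAUSE} and {@link #ALL_SETGID_CLAUSE} are rewritten;
     * other spellings pass through untouched. Clearing the flag on the
     * {@link Permission} after the mode has been applied would not depend on
     * string shape; consider that as a follow-up.
     *
     * @param mode the requested mode string
     * @return the mode string with the set-GID request removed where recognised
     */
    private static String removeSetGid(String mode) {
        if (AbstractUnixStylePermission.SIMPLE_SYMBOLIC_MODE_PATTERN.matcher(mode).matches()) {
            char groupExecute = mode.charAt(5);
            // Replace the character at index 5; resuming the tail at index 5 would
            // keep the 's'/'S' in the result and lengthen the string by one.
            if (groupExecute == 'S') {
                return mode.substring(0, 5) + '-' + mode.substring(6);
            }
            if (groupExecute == 's') {
                return mode.substring(0, 5) + 'x' + mode.substring(6);
            }
        } else if (AbstractUnixStylePermission.UNIX_SYMBOLIC_MODE_PATTERN.matcher(mode).matches()) {
            Matcher groupClause = GROUP_SETGID_CLAUSE.matcher(mode);
            if (groupClause.matches()) {
                String prefix = groupClause.group(1);
                String perms = groupClause.group(2);
                String permsWithoutS = perms.replace("s", "");
                // If 's' was the only letter the whole clause is removed.
                return permsWithoutS.isEmpty()
                        ? mode.replace(prefix + perms, "")
                        : mode.replace(prefix + perms, prefix + permsWithoutS);
            }
            Matcher allClause = ALL_SETGID_CLAUSE.matcher(mode);
            if (allClause.matches()) {
                String op = allClause.group(1);
                String perms = allClause.group(2);
                String permsWithoutS = perms.replace("s", "");
                // Expand 'a' into u/g/o clauses so that only the group clause loses
                // its 's'; each clause carries the operator.
                return "u" + op + perms + ","
                        + (permsWithoutS.isEmpty() ? "" : "g" + op + permsWithoutS + ",")
                        + "o" + op + perms;
            }
        }
        return mode;
    }

    /**
     * Clears bit {@code 0x800} (decimal 2048, octal 04000) from an integer mode.
     *
     * <p>NOTE(review): in the conventional Unix layout 04000 is set-UID and 02000
     * is set-GID; confirm against the bit constants used by {@link Permission}
     * that this mask clears the intended bit.
     */
    private static int removeSetGid(int mode) {
        return mode & ~0x800;
    }
}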
