package org.apache.jackrabbit.oak.security.authorization.permission;

import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import org.apache.jackrabbit.oak.plugins.memory.EmptyNodeState;
import org.apache.jackrabbit.oak.plugins.nodetype.TypePredicate;
import org.apache.jackrabbit.oak.security.authorization.ProviderCtx;
import org.apache.jackrabbit.oak.spi.commit.CommitInfo;
import org.apache.jackrabbit.oak.spi.commit.PostValidationHook;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider;
import org.apache.jackrabbit.oak.spi.state.DefaultNodeStateDiff;
import org.apache.jackrabbit.oak.spi.state.NodeBuilder;
import org.apache.jackrabbit.oak.spi.state.NodeState;
import org.apache.jackrabbit.oak.spi.state.NodeStateUtils;
import org.jetbrains.annotations.NotNull;

/* loaded from: input_file:lib/slingcms.far:org/apache/jackrabbit/oak-core/1.58.0/oak-core-1.58.0.jar:org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.class */
public class PermissionHook implements PostValidationHook, AccessControlConstants, PermissionConstants {
    private final RestrictionProvider restrictionProvider;
    private final String workspaceName;
    private final ProviderCtx providerCtx;
    private NodeBuilder permissionStore;
    private PrivilegeBitsProvider bitsProvider;
    private TypePredicate isACL;
    private TypePredicate isACE;
    private TypePredicate isGrantACE;
    private Map<String, PermissionStoreEditor> modified = new HashMap();
    private Map<String, PermissionStoreEditor> deleted = new HashMap();

    /* loaded from: input_file:lib/slingcms.far:org/apache/jackrabbit/oak-core/1.58.0/oak-core-1.58.0.jar:org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook$Diff.class */
    private final class Diff extends DefaultNodeStateDiff {
        private final String parentPath;

        private Diff(@NotNull String str) {
            this.parentPath = str;
        }

        @Override // org.apache.jackrabbit.oak.spi.state.DefaultNodeStateDiff, org.apache.jackrabbit.oak.spi.state.NodeStateDiff
        public boolean childNodeAdded(String str, NodeState nodeState) {
            if (NodeStateUtils.isHidden(str)) {
                return true;
            }
            String str2 = this.parentPath + "/" + str;
            if (!PermissionHook.this.isACL.test(nodeState)) {
                nodeState.compareAgainstBaseState(EmptyNodeState.EMPTY_NODE, new Diff(str2));
                return true;
            }
            PermissionStoreEditor createPermissionStoreEditor = createPermissionStoreEditor(str, nodeState);
            PermissionHook.this.modified.put(createPermissionStoreEditor.getPath(), createPermissionStoreEditor);
            return true;
        }

        @Override // org.apache.jackrabbit.oak.spi.state.DefaultNodeStateDiff, org.apache.jackrabbit.oak.spi.state.NodeStateDiff
        public boolean childNodeChanged(String str, NodeState nodeState, NodeState nodeState2) {
            if (NodeStateUtils.isHidden(str)) {
                return true;
            }
            String str2 = this.parentPath + "/" + str;
            if (!PermissionHook.this.isACL.test(nodeState)) {
                if (!PermissionHook.this.isACL.test(nodeState2)) {
                    nodeState2.compareAgainstBaseState(nodeState, new Diff(str2));
                    return true;
                }
                PermissionStoreEditor createPermissionStoreEditor = createPermissionStoreEditor(str, nodeState2);
                PermissionHook.this.modified.put(createPermissionStoreEditor.getPath(), createPermissionStoreEditor);
                return true;
            }
            if (!PermissionHook.this.isACL.test(nodeState2)) {
                PermissionStoreEditor createPermissionStoreEditor2 = createPermissionStoreEditor(str, nodeState);
                PermissionHook.this.deleted.put(createPermissionStoreEditor2.getPath(), createPermissionStoreEditor2);
                return true;
            }
            PermissionStoreEditor createPermissionStoreEditor3 = createPermissionStoreEditor(str, nodeState2);
            PermissionHook.this.modified.put(createPermissionStoreEditor3.getPath(), createPermissionStoreEditor3);
            PermissionStoreEditor createPermissionStoreEditor4 = createPermissionStoreEditor(str, nodeState);
            createPermissionStoreEditor4.removePermissionEntries(createPermissionStoreEditor3);
            if (createPermissionStoreEditor4.isEmpty()) {
                return true;
            }
            PermissionHook.this.deleted.put(this.parentPath, createPermissionStoreEditor4);
            return true;
        }

        @Override // org.apache.jackrabbit.oak.spi.state.DefaultNodeStateDiff, org.apache.jackrabbit.oak.spi.state.NodeStateDiff
        public boolean childNodeDeleted(String str, NodeState nodeState) {
            if (NodeStateUtils.isHidden(str)) {
                return true;
            }
            String str2 = this.parentPath + "/" + str;
            if (!PermissionHook.this.isACL.test(nodeState)) {
                EmptyNodeState.EMPTY_NODE.compareAgainstBaseState(nodeState, new Diff(str2));
                return true;
            }
            PermissionStoreEditor createPermissionStoreEditor = createPermissionStoreEditor(str, nodeState);
            PermissionHook.this.deleted.put(createPermissionStoreEditor.getPath(), createPermissionStoreEditor);
            return true;
        }

        @NotNull
        private PermissionStoreEditor createPermissionStoreEditor(@NotNull String str, @NotNull NodeState nodeState) {
            return new PermissionStoreEditor(this.parentPath, str, nodeState, PermissionHook.this.getPermissionRoot(this.parentPath), PermissionHook.this.isACE, PermissionHook.this.isGrantACE, PermissionHook.this.bitsProvider, PermissionHook.this.restrictionProvider, PermissionHook.this.providerCtx);
        }
    }

    public PermissionHook(@NotNull String str, @NotNull RestrictionProvider restrictionProvider, @NotNull ProviderCtx providerCtx) {
        this.workspaceName = str;
        this.restrictionProvider = restrictionProvider;
        this.providerCtx = providerCtx;
    }

    @Override // org.apache.jackrabbit.oak.spi.commit.CommitHook
    @NotNull
    public NodeState processCommit(NodeState nodeState, NodeState nodeState2, CommitInfo commitInfo) {
        NodeBuilder builder = nodeState2.builder();
        this.permissionStore = getPermissionStore(builder);
        this.bitsProvider = new PrivilegeBitsProvider(this.providerCtx.getRootProvider().createReadOnlyRoot(nodeState2));
        this.isACL = new TypePredicate(nodeState2, "rep:ACL");
        this.isACE = new TypePredicate(nodeState2, "rep:ACE");
        this.isGrantACE = new TypePredicate(nodeState2, "rep:GrantACE");
        nodeState2.compareAgainstBaseState(nodeState, new Diff(""));
        apply();
        return builder.getNodeState();
    }

    public String toString() {
        return "PermissionHook";
    }

    private void apply() {
        Iterator<Map.Entry<String, PermissionStoreEditor>> it = this.deleted.entrySet().iterator();
        while (it.hasNext()) {
            it.next().getValue().removePermissionEntries();
        }
        Iterator<Map.Entry<String, PermissionStoreEditor>> it2 = this.modified.entrySet().iterator();
        while (it2.hasNext()) {
            it2.next().getValue().updatePermissionEntries();
        }
        this.modified.clear();
        this.deleted.clear();
    }

    @NotNull
    private static NodeBuilder getPermissionStore(@NotNull NodeBuilder nodeBuilder) {
        return nodeBuilder.getChildNode("jcr:system").getChildNode(PermissionConstants.REP_PERMISSION_STORE);
    }

    @NotNull
    private NodeBuilder getPermissionRoot(@NotNull String str) {
        return this.permissionStore.getChildNode(MountPermissionProvider.getPermissionRootName(this.providerCtx.getMountInfoProvider().getMountByPath(str), this.workspaceName));
    }
}
