package org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl;

import com.composum.sling.core.pckgmgr.Packages;
import java.security.Principal;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.jcr.AccessDeniedException;
import javax.jcr.RepositoryException;
import javax.jcr.security.AccessControlException;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy;
import org.apache.jackrabbit.api.security.authorization.PrincipalAccessControlList;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.commons.iterator.AccessControlPolicyIteratorAdapter;
import org.apache.jackrabbit.guava.common.base.Strings;
import org.apache.jackrabbit.guava.common.collect.Iterables;
import org.apache.jackrabbit.guava.common.collect.Lists;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.QueryEngine;
import org.apache.jackrabbit.oak.api.Result;
import org.apache.jackrabbit.oak.api.ResultRow;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.commons.PathUtils;
import org.apache.jackrabbit.oak.commons.QueryUtils;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlManager;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.PolicyOwner;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ReadPolicy;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.principalbased.Filter;
import org.apache.jackrabbit.oak.spi.security.authorization.principalbased.FilterProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl.PrincipalPolicyImpl;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider;
import org.apache.jackrabbit.oak.spi.xml.ImportBehavior;
import org.apache.jackrabbit.oak.spi.xml.ProtectedItemImporter;
import org.apache.jackrabbit.util.ISO9075;
import org.apache.pdfbox.contentstream.operator.OperatorName;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:lib/slingcms.far:org/apache/jackrabbit/oak-authorization-principalbased/1.58.0/oak-authorization-principalbased-1.58.0.jar:org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAccessControlManager.class */
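/**
 * Access control manager for principal-based authorization.
 *
 * Policies are not attached to content paths but to a per-principal location
 * resolved through {@link Filter#getOakPath(Principal)}. A policy node
 * ({@code rep:principalPolicy}) holds one entry child per ACE, each carrying a
 * {@code rep:effectivePath} (the content path the entry applies to),
 * {@code rep:privileges} and optional restrictions.
 *
 * Security model visible in this class:
 * <ul>
 *   <li>Reading a policy requires the read-access-control permission on the
 *       principal's tree ({@code getTree(..., PERMISSION_READ_AC, true)}).</li>
 *   <li>Writing or removing a policy requires the modify-access-control
 *       permission on the principal's tree <em>and</em>, for every entry, the
 *       modify-access-control permission on that entry's effective path
 *       ({@link Utils#hasModAcPermission}). This prevents a session from granting
 *       a principal privileges on content the session itself may not manage.</li>
 *   <li>Principals are validated against the {@link PrincipalManager} according
 *       to the configured import behavior before any policy is handed out.</li>
 * </ul>
 *
 * The path-based {@code AccessControlManager} methods are intentionally
 * read-only/no-op here; editing is done by principal.
 */
class PrincipalBasedAccessControlManager extends AbstractAccessControlManager implements PolicyOwner, Constants {
    private static final Logger log = LoggerFactory.getLogger(PrincipalBasedAccessControlManager.class);

    /*
     * Permission bits handed to getTree(...). The decompiled listing carries them as
     * bare literals; 128/256 presumably correspond to Permissions.READ_ACCESS_CONTROL
     * and Permissions.MODIFY_ACCESS_CONTROL — TODO confirm against the Oak Permissions constants.
     */
    private static final long PERMISSION_READ_AC = 128L;
    private static final long PERMISSION_MODIFY_AC = 256L;

    /* Repository item names that the decompiler inlined as string literals. */
    private static final String PRINCIPAL_BASED_MIXIN = "rep:PrincipalBasedMixin";
    private static final String POLICY_NODE_NAME = "rep:principalPolicy";
    private static final String POLICY_NODE_TYPE = "rep:PrincipalPolicy";
    private static final String PROP_PRINCIPAL_NAME = "rep:principalName";
    private static final String PROP_PRIVILEGES = "rep:privileges";
    private static final String NODE_TYPES_PATH = "/jcr:system/jcr:nodeTypes";
    private static final String XPATH_SEARCH_ROOT = "/jcr:root";
    private static final String XPATH_LANGUAGE = "xpath";

    private final MgrProvider mgrProvider;
    private final int importBehavior;
    private final Set<String> readPaths;
    private final PrincipalManager principalManager;
    private final PrivilegeBitsProvider privilegeBitsProvider;
    private final FilterProvider filterProvider;
    private final Filter filter;

    /**
     * Creates a manager bound to the root, name/path mapper and security provider
     * exposed by {@code mgrProvider}.
     *
     * @param mgrProvider    supplies root, mappers and the other security managers
     * @param filterProvider resolves the {@link Filter} that maps principals to their
     *                       policy location and decides which principals are handled
     */
    PrincipalBasedAccessControlManager(@NotNull MgrProvider mgrProvider, @NotNull FilterProvider filterProvider) {
        super(mgrProvider.getRoot(), mgrProvider.getNamePathMapper(), mgrProvider.getSecurityProvider());
        this.mgrProvider = mgrProvider;
        ConfigurationParameters parameters = getConfig().getParameters();
        // Default is ABORT: unknown principals are rejected rather than silently accepted.
        this.importBehavior = ImportBehavior.valueFromString(
                parameters.getConfigValue(ProtectedItemImporter.PARAM_IMPORT_BEHAVIOR, ImportBehavior.NAME_ABORT));
        this.readPaths = parameters.getConfigValue(PermissionConstants.PARAM_READ_PATHS, PermissionConstants.DEFAULT_READ_PATHS);
        this.principalManager = mgrProvider.getPrincipalManager();
        this.privilegeBitsProvider = mgrProvider.getPrivilegeBitsProvider();
        this.filterProvider = filterProvider;
        this.filter = filterProvider.getFilter(mgrProvider.getSecurityProvider(), mgrProvider.getRoot(), mgrProvider.getNamePathMapper());
    }

    @Override
    @NotNull
    protected PrivilegeBitsProvider getPrivilegeBitsProvider() {
        return mgrProvider.getPrivilegeBitsProvider();
    }

    /**
     * Returns a new, empty policy for {@code principal} if none exists yet at the
     * principal's policy location; empty array otherwise or if the principal is not
     * handled by this manager.
     *
     * @throws RepositoryException if the principal is invalid/unknown (per import
     *                             behavior) or the caller lacks read-AC permission
     */
    @Override
    @NotNull
    public JackrabbitAccessControlPolicy[] getApplicablePolicies(@NotNull Principal principal) throws RepositoryException {
        if (!canHandle(principal)) {
            return new JackrabbitAccessControlPolicy[0];
        }
        String oakPath = filter.getOakPath(principal);
        // getTree enforces read-access-control on the principal's tree before anything is revealed.
        Tree principalTree = getTree(oakPath, PERMISSION_READ_AC, true);
        if (principalTree.hasChild(POLICY_NODE_NAME)) {
            // An existing policy is reported by getPolicies(Principal), not here.
            return new JackrabbitAccessControlPolicy[0];
        }
        return new JackrabbitAccessControlPolicy[]{new PrincipalPolicyImpl(principal, oakPath, mgrProvider)};
    }

    /**
     * Returns the (editable) policy currently stored for {@code principal}, or an
     * empty array if there is none or the principal is not handled.
     */
    @Override
    @NotNull
    public JackrabbitAccessControlPolicy[] getPolicies(@NotNull Principal principal) throws RepositoryException {
        if (!canHandle(principal)) {
            return new JackrabbitAccessControlPolicy[0];
        }
        JackrabbitAccessControlPolicy policy = createPolicy(principal, false, Collections.emptyList());
        return policy == null
                ? new JackrabbitAccessControlPolicy[0]
                : new JackrabbitAccessControlPolicy[]{policy};
    }

    /**
     * Effective (immutable) policies for the given principals, read from the latest
     * root state. The {@link ReadPolicy} is appended only if the session can actually
     * access the configured read paths.
     */
    @Override
    @NotNull
    public AccessControlPolicy[] getEffectivePolicies(@NotNull Set<Principal> principals) throws RepositoryException {
        if (!canHandle(principals)) {
            return new JackrabbitAccessControlPolicy[0];
        }
        List<AccessControlPolicy> effective = new ArrayList<>(principals.size());
        for (Principal principal : principals) {
            JackrabbitAccessControlPolicy policy = createPolicy(principal, true, Collections.emptyList());
            if (policy != null) {
                effective.add(policy);
            }
        }
        if (ReadPolicy.canAccessReadPolicy(getPermissionProvider(), readPaths.toArray(new String[0]))) {
            effective.add(ReadPolicy.INSTANCE);
        }
        return effective.toArray(new AccessControlPolicy[0]);
    }

    /**
     * Effective policies for the given principals, limited to entries whose effective
     * path matches one of {@code absPaths} (all entries if no paths are given).
     *
     * NOTE(review): unlike the overload without paths, the ReadPolicy is added here
     * based on path matching only, without a permission check — confirm this is intended.
     */
    @Override
    @NotNull
    public Iterator<AccessControlPolicy> getEffectivePolicies(@NotNull Set<Principal> principals, @Nullable String... absPaths) throws RepositoryException {
        if (!canHandle(principals)) {
            return Collections.emptyIterator();
        }
        Collection<String> oakPaths = getOakPaths(absPaths);
        List<AccessControlPolicy> effective = new ArrayList<>(principals.size());
        for (Principal principal : principals) {
            JackrabbitAccessControlPolicy policy = createPolicy(principal, true, oakPaths);
            if (policy != null) {
                effective.add(policy);
            }
        }
        boolean readPolicyApplies = oakPaths.isEmpty()
                || oakPaths.stream().anyMatch(path -> ReadPolicy.hasEffectiveReadPolicy(readPaths, path));
        if (readPolicyApplies) {
            effective.add(ReadPolicy.INSTANCE);
        }
        return effective.iterator();
    }

    /**
     * Path-based policy lookup is not supported by this manager; the call still
     * enforces read-access-control on the target so callers cannot probe paths.
     */
    @Override
    public AccessControlPolicy[] getPolicies(String absPath) throws RepositoryException {
        getTree(getOakPath(absPath), PERMISSION_READ_AC, true);
        log.debug("Editing access control policies by path is not supported. Use JackrabbitAccessControlManager.getPolicies(Principal principal)");
        return new AccessControlPolicy[0];
    }

    /**
     * Collects the effective policies at {@code absPath} by querying all principal
     * entries whose {@code rep:effectivePath} equals the path or one of its ancestors.
     *
     * The XPath statement is built by hand; every path value is passed through
     * {@link QueryUtils#escapeForQuery} and the query runs against the latest root
     * with the session's own permissions, so entries the session may not read are
     * not returned.
     *
     * @throws RepositoryException if the target is not readable or the query fails
     */
    @Override
    public AccessControlPolicy[] getEffectivePolicies(String absPath) throws RepositoryException {
        String oakPath = getOakPath(absPath);
        // Access check on the target path before any policy information is collected.
        getTree(oakPath, PERMISSION_READ_AC, true);

        // Former decompiler output referenced Packages.REGISTRY_PATH_PREFIX ("@") and
        // OperatorName.SHOW_TEXT_LINE ("'") here; the literals are what the query needs.
        StringBuilder statement = new StringBuilder(XPATH_SEARCH_ROOT);
        statement.append(filterProvider.getFilterRoot());
        statement.append("//element(*,").append(NT_REP_PRINCIPAL_ENTRY).append(")[");
        String separator = "";
        for (String effectivePath : getEffectivePaths(oakPath)) {
            statement.append(separator);
            statement.append('@').append(ISO9075.encode(REP_EFFECTIVE_PATH));
            statement.append("='").append(QueryUtils.escapeForQuery(effectivePath)).append('\'');
            separator = " or ";
        }
        statement.append("] order by jcr:path option (traversal ok)");

        try {
            Result result = getLatestRoot().getQueryEngine().executeQuery(
                    statement.toString(), XPATH_LANGUAGE, QueryEngine.NO_BINDINGS, QueryEngine.NO_MAPPINGS);
            Map<Principal, List<AbstractEntry>> entriesByPrincipal = new HashMap<>();
            for (ResultRow row : result.getRows()) {
                AbstractEntry entry = createEffectiveEntry(row.getTree(null));
                if (entry != null) {
                    entriesByPrincipal.computeIfAbsent(entry.getPrincipal(), p -> new ArrayList<>()).add(entry);
                }
            }
            Iterable<PrincipalAccessControlList> policies = Iterables.transform(entriesByPrincipal.entrySet(),
                    mapping -> new ImmutablePrincipalPolicy(mapping.getKey(), filter.getOakPath(mapping.getKey()),
                            mapping.getValue(), mgrProvider.getRestrictionProvider(), getNamePathMapper()));
            if (ReadPolicy.hasEffectiveReadPolicy(readPaths, oakPath)) {
                return Iterables.toArray(
                        Iterables.concat(policies, Collections.<AccessControlPolicy>singleton(ReadPolicy.INSTANCE)),
                        AccessControlPolicy.class);
            }
            return Iterables.toArray(policies, PrincipalAccessControlList.class);
        } catch (ParseException e) {
            String msg = "Error while collecting effective policies at " + absPath;
            log.error(msg, e);
            throw new RepositoryException(msg, e);
        }
    }

    /**
     * Path-based applicable-policy lookup is not supported; still enforces
     * read-access-control on the target path.
     */
    @Override
    public AccessControlPolicyIterator getApplicablePolicies(String absPath) throws RepositoryException {
        getTree(getOakPath(absPath), PERMISSION_READ_AC, true);
        log.debug("Editing access control policies by path is not supported. Use JackrabbitAccessControlManager.getApplicablePolicies(Principal principal)");
        return AccessControlPolicyIteratorAdapter.EMPTY;
    }

    /**
     * Persists (in the transient space) the given principal policy, replacing any
     * existing policy node.
     *
     * Authorization: modify-access-control is required on the principal's tree, and
     * additionally on the effective path of every entry. The per-entry check is done
     * before the entry node is created so a rejected entry leaves no partial node
     * behind in the transient state.
     *
     * @throws AccessControlException if the policy does not belong to this path/manager
     * @throws AccessDeniedException  if the session may not modify access control
     *                                on one of the entries' effective paths
     */
    @Override
    public void setPolicy(String absPath, AccessControlPolicy policy) throws RepositoryException {
        PrincipalPolicyImpl principalPolicy = checkValidPolicy(absPath, policy);
        String oakPath = principalPolicy.getOakPath();
        Tree principalTree = getTree(oakPath, PERMISSION_MODIFY_AC, true);

        Tree existing = getPolicyTree(principalTree);
        if (existing.exists()) {
            existing.remove();
        }
        TreeUtil.addMixin(principalTree, PRINCIPAL_BASED_MIXIN, getRoot().getTree(NODE_TYPES_PATH),
                getRoot().getContentSession().getAuthInfo().getUserID());
        Tree policyTree = TreeUtil.addChild(principalTree, POLICY_NODE_NAME, POLICY_NODE_TYPE);
        policyTree.setOrderableChildren(true);
        policyTree.setProperty(PROP_PRINCIPAL_NAME, principalPolicy.getPrincipal().getName());

        RestrictionProvider restrictionProvider = mgrProvider.getRestrictionProvider();
        int index = 0;
        for (PrincipalPolicyImpl.EntryImpl entry : principalPolicy.getEntries()) {
            // A null effective path (repository-level entry) is stored as the empty path.
            String effectiveOakPath = Strings.nullToEmpty(entry.getOakPath());
            if (!Utils.hasModAcPermission(getPermissionProvider(), effectiveOakPath)) {
                throw new AccessDeniedException("Access denied.");
            }
            Tree entryTree = TreeUtil.addChild(policyTree, "entry" + index++, NT_REP_PRINCIPAL_ENTRY);
            entryTree.setProperty(REP_EFFECTIVE_PATH, effectiveOakPath, Type.PATH);
            entryTree.setProperty(PROP_PRIVILEGES, privilegeBitsProvider.getPrivilegeNames(entry.getPrivilegeBits()), Type.NAMES);
            restrictionProvider.writeRestrictions(oakPath, entryTree, entry.getRestrictions());
        }
    }

    /**
     * Removes the policy node for the given principal policy.
     *
     * Authorization mirrors {@link #setPolicy}: modify-access-control on the
     * principal's tree and on every stored entry's effective path. An entry without
     * {@code rep:effectivePath} cannot be authorized and aborts the removal.
     */
    @Override
    public void removePolicy(String absPath, AccessControlPolicy policy) throws RepositoryException {
        String oakPath = checkValidPolicy(absPath, policy).getOakPath();
        Tree policyTree = getPolicyTree(getTree(oakPath, PERMISSION_MODIFY_AC, true));
        if (!policyTree.exists()) {
            throw new AccessControlException("No policy to remove at " + absPath);
        }
        for (Tree child : policyTree.getChildren()) {
            if (!Utils.isPrincipalEntry(child)) {
                continue;
            }
            PropertyState effectivePath = child.getProperty(REP_EFFECTIVE_PATH);
            if (effectivePath == null) {
                throw new AccessControlException("Missing mandatory property rep:effectivePath; cannot validate permissions to modify policy.");
            }
            if (!Utils.hasModAcPermission(getPermissionProvider(), effectivePath.getValue(Type.PATH))) {
                throw new AccessDeniedException("Access denied.");
            }
        }
        policyTree.remove();
    }

    /**
     * True if {@code policy} is a {@link PrincipalPolicyImpl} whose stored Oak path is
     * exactly {@code absPath} (mapped to Oak) and that path is handled by the filter.
     */
    @Override
    public boolean defines(@Nullable String absPath, @NotNull AccessControlPolicy policy) {
        String oakPath = absPath == null ? null : getNamePathMapper().getOakPath(absPath);
        if (oakPath == null || !filterProvider.handlesPath(oakPath)) {
            return false;
        }
        if (!(policy instanceof PrincipalPolicyImpl)) {
            return false;
        }
        return oakPath.equals(((PrincipalPolicyImpl) policy).getOakPath());
    }

    /**
     * Decides whether a single principal is handled by this manager.
     *
     * With import behavior ABORT (the default) or IGNORE the principal is resolved
     * through the PrincipalManager; an unknown principal is rejected (ABORT) or
     * skipped with a debug log (IGNORE). With BESTEFFORT the given principal is
     * passed to the filter as-is.
     *
     * @throws AccessControlException for a null/empty principal name, or an unknown
     *                                principal under ABORT
     */
    private boolean canHandle(@Nullable Principal principal) throws AccessControlException {
        String name = principal == null ? null : principal.getName();
        if (Strings.isNullOrEmpty(name)) {
            throw new AccessControlException("Invalid principal " + name);
        }
        Principal resolved = principal;
        if (importBehavior == ImportBehavior.ABORT || importBehavior == ImportBehavior.IGNORE) {
            resolved = principalManager.getPrincipal(name);
            if (resolved == null) {
                if (importBehavior == ImportBehavior.IGNORE) {
                    log.debug("Ignoring unknown principal {}", name);
                    return false;
                }
                throw new AccessControlException("Unsupported principal " + name);
            }
        }
        return filter.canHandle(Collections.singleton(resolved));
    }

    /**
     * True only if every principal in the set is handled; the first unhandled
     * principal short-circuits. Exceptions from the single-principal check propagate.
     */
    boolean canHandle(@NotNull Set<Principal> principals) throws AccessControlException {
        for (Principal principal : principals) {
            if (!canHandle(principal)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Returns {@code policy} as {@link PrincipalPolicyImpl} if {@link #defines} accepts
     * it for {@code absPath}; otherwise throws.
     */
    private PrincipalPolicyImpl checkValidPolicy(@Nullable String absPath, @NotNull AccessControlPolicy policy) throws AccessControlException {
        if (!defines(absPath, policy)) {
            throw new AccessControlException("Invalid policy " + policy + " at path " + absPath);
        }
        return (PrincipalPolicyImpl) policy;
    }

    /** The (possibly non-existing) policy child of a principal's tree. */
    @NotNull
    private static Tree getPolicyTree(@NotNull Tree principalTree) {
        return principalTree.getChild(POLICY_NODE_NAME);
    }

    /**
     * Builds the policy stored for {@code principal}.
     *
     * @param principal  the principal whose policy location is resolved via the filter
     * @param effective  if true, read from the latest root and return an immutable
     *                   policy (null if it has no entries); if false return the
     *                   editable policy as stored
     * @param oakPaths   optional effective-path filter forwarded to each entry
     * @return the policy, or null if the principal's tree is not access controlled
     *         (or, in effective mode, the policy is empty)
     */
    @Nullable
    private JackrabbitAccessControlPolicy createPolicy(@NotNull Principal principal, boolean effective,
                                                       @NotNull Collection<String> oakPaths) throws RepositoryException {
        String oakPath = filter.getOakPath(principal);
        Tree principalTree = getTree(oakPath, PERMISSION_READ_AC, true);
        if (effective) {
            // Effective policies reflect the persisted state, not pending transient changes.
            principalTree = getRoot().getContentSession().getLatestRoot().getTree(principalTree.getPath());
        }
        if (!isAccessControlled(principalTree)) {
            return null;
        }
        PrincipalPolicyImpl policy = null;
        Tree policyTree = getPolicyTree(principalTree);
        if (Utils.isPrincipalPolicyTree(policyTree)) {
            policy = new PrincipalPolicyImpl(principal, oakPath, mgrProvider);
            for (Tree child : policyTree.getChildren()) {
                if (Utils.isPrincipalEntry(child)) {
                    policy.addEntry(child, oakPaths);
                }
            }
        }
        if (!effective || policy == null) {
            return policy;
        }
        return policy.isEmpty() ? null : new ImmutablePrincipalPolicy(policy);
    }

    /** True if the tree exists and carries the principal-based mixin. */
    private boolean isAccessControlled(@NotNull Tree tree) {
        return tree.exists() && TreeUtil.isNodeType(tree, PRINCIPAL_BASED_MIXIN, getRoot().getTree(NODE_TYPES_PATH));
    }

    /**
     * The path itself followed by each ancestor up to and including the root; a null
     * path yields only the empty string (the repository-level entry path).
     */
    private static Iterable<String> getEffectivePaths(@Nullable String oakPath) {
        List<String> paths = Lists.newArrayList();
        paths.add(Strings.nullToEmpty(oakPath));
        String current = oakPath;
        while (current != null && !PathUtils.denotesRoot(current)) {
            current = PathUtils.getParentPath(current);
            paths.add(current);
        }
        return paths;
    }

    /**
     * Converts a stored entry node into a read-only {@link AbstractEntry}.
     *
     * @return null if the owning principal is unknown or not handled by the filter,
     *         or if the entry's restrictions are invalid
     * @throws AccessControlException if the mandatory {@code rep:privileges} property
     *                                is missing (previously a NullPointerException)
     */
    @Nullable
    private AbstractEntry createEffectiveEntry(@NotNull Tree entryTree) throws AccessControlException {
        String principalName = TreeUtil.getString(entryTree.getParent(), PROP_PRINCIPAL_NAME);
        Principal principal = principalManager.getPrincipal(principalName);
        if (principal == null || !filter.canHandle(Collections.singleton(principal))) {
            return null;
        }
        // Empty stored path means repository-level; represented as null in the entry.
        String effectivePath = Strings.emptyToNull(TreeUtil.getString(entryTree, REP_EFFECTIVE_PATH));
        PropertyState privilegesProperty = entryTree.getProperty(PROP_PRIVILEGES);
        if (privilegesProperty == null) {
            throw new AccessControlException("Missing mandatory property rep:privileges on entry " + entryTree.getPath());
        }
        Iterable<String> privilegeNames = privilegesProperty.getValue(Type.NAMES);
        PrivilegeBits bits = privilegeBitsProvider.getBits(privilegeNames);
        RestrictionProvider restrictionProvider = mgrProvider.getRestrictionProvider();
        if (!Utils.hasValidRestrictions(effectivePath, entryTree, restrictionProvider)) {
            return null;
        }
        Set<Restriction> restrictions = Utils.readRestrictions(restrictionProvider, effectivePath, entryTree);
        final NamePathMapper mapper = getNamePathMapper();
        return new AbstractEntry(effectivePath, principal, bits, restrictions, mapper) {
            @Override
            @NotNull
            NamePathMapper getNamePathMapper() {
                return mapper;
            }

            @Override
            @NotNull
            protected PrivilegeBitsProvider getPrivilegeBitsProvider() {
                return PrincipalBasedAccessControlManager.this.privilegeBitsProvider;
            }

            @Override
            public Privilege[] getPrivileges() {
                return Utils.privilegesFromOakNames(
                        PrincipalBasedAccessControlManager.this.privilegeBitsProvider.getPrivilegeNames(getPrivilegeBits()),
                        PrincipalBasedAccessControlManager.this.mgrProvider.getPrivilegeManager(),
                        getNamePathMapper());
            }
        };
    }
}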
