package org.apache.jackrabbit.oak.security.authorization.accesscontrol;

import java.security.Principal;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.TreeSet;
import java.util.function.Predicate;
import java.util.stream.Stream;
import javax.jcr.AccessDeniedException;
import javax.jcr.RepositoryException;
import javax.jcr.UnsupportedRepositoryOperationException;
import javax.jcr.Value;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlException;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy;
import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
import org.apache.jackrabbit.api.security.principal.ItemBasedPrincipal;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.commons.iterator.AccessControlPolicyIteratorAdapter;
import org.apache.jackrabbit.guava.common.base.Objects;
import org.apache.jackrabbit.guava.common.base.Preconditions;
import org.apache.jackrabbit.guava.common.base.Strings;
import org.apache.jackrabbit.guava.common.collect.ImmutableSet;
import org.apache.jackrabbit.guava.common.collect.Iterables;
import org.apache.jackrabbit.guava.common.collect.Lists;
import org.apache.jackrabbit.guava.common.collect.Sets;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.QueryEngine;
import org.apache.jackrabbit.oak.api.Result;
import org.apache.jackrabbit.oak.api.ResultRow;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.commons.PathUtils;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.plugins.memory.PropertyBuilder;
import org.apache.jackrabbit.oak.plugins.nodetype.ReadOnlyNodeTypeManager;
import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
import org.apache.jackrabbit.oak.security.authorization.permission.PermissionUtil;
import org.apache.jackrabbit.oak.security.authorization.restriction.PrincipalRestrictionProvider;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ACE;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlManager;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ImmutableACL;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.PolicyOwner;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ReadPolicy;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionPattern;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalConfiguration;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider;
import org.apache.jackrabbit.util.ISO9075;
import org.apache.jackrabbit.util.Text;
import org.apache.pdfbox.contentstream.operator.OperatorName;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:lib/slingcms.far:org/apache/jackrabbit/oak-core/1.58.0/oak-core-1.58.0.jar:org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.class */
public class AccessControlManagerImpl extends AbstractAccessControlManager implements PolicyOwner {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) AccessControlManagerImpl.class);
    private final ReadOnlyNodeTypeManager ntMgr;
    private final PrincipalManager principalManager;
    private final RestrictionProvider restrictionProvider;
    private final ConfigurationParameters configParams;
    private final Set<String> readPaths;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:lib/slingcms.far:org/apache/jackrabbit/oak-core/1.58.0/oak-core-1.58.0.jar:org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl$Entry.class */
    public final class Entry extends ACE {
        private Entry(@NotNull Principal principal, @NotNull PrivilegeBits privilegeBits, boolean z, @NotNull Set<Restriction> set, NamePathMapper namePathMapper) throws AccessControlException {
            super(principal, privilegeBits, z, set, namePathMapper);
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ACE
        @NotNull
        protected PrivilegeBitsProvider getPrivilegeBitsProvider() {
            return AccessControlManagerImpl.this.getPrivilegeBitsProvider();
        }

        @Override // javax.jcr.security.AccessControlEntry
        public Privilege[] getPrivileges() {
            HashSet hashSet = new HashSet();
            for (String str : getPrivilegeBitsProvider().getPrivilegeNames(getPrivilegeBits())) {
                try {
                    hashSet.add(AccessControlManagerImpl.this.getPrivilegeManager().getPrivilege(AccessControlManagerImpl.this.getNamePathMapper().getJcrName(str)));
                } catch (RepositoryException e) {
                    AccessControlManagerImpl.log.warn("Unable to get privilege with name : {}", str, e);
                }
            }
            return (Privilege[]) hashSet.toArray(new Privilege[0]);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:lib/slingcms.far:org/apache/jackrabbit/oak-core/1.58.0/oak-core-1.58.0.jar:org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl$NodeACL.class */
    public class NodeACL extends ACL {
        NodeACL(@Nullable AccessControlManagerImpl accessControlManagerImpl, String str) {
            this(str, null);
        }

        NodeACL(@Nullable String str, @Nullable List<ACE> list) {
            super(str, list, AccessControlManagerImpl.this.getNamePathMapper());
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlList
        @NotNull
        public RestrictionProvider getRestrictionProvider() {
            return AccessControlManagerImpl.this.restrictionProvider;
        }

        @Override // org.apache.jackrabbit.oak.security.authorization.accesscontrol.ACL
        @NotNull
        ACE createACE(@NotNull Principal principal, @NotNull PrivilegeBits privilegeBits, boolean z, @NotNull Set<Restriction> set) throws RepositoryException {
            return new Entry(principal, privilegeBits, z, set, getNamePathMapper());
        }

        @Override // org.apache.jackrabbit.oak.security.authorization.accesscontrol.ACL
        boolean checkValidPrincipal(@Nullable Principal principal) throws AccessControlException {
            int importBehavior = Util.getImportBehavior(AccessControlManagerImpl.this.getConfig());
            Principal checkValidPrincipal = Util.checkValidPrincipal(principal);
            if (!Util.checkValidPrincipal(checkValidPrincipal, AccessControlManagerImpl.this.principalManager, importBehavior)) {
                return false;
            }
            if (!PermissionUtil.isAdminOrSystem(ImmutableSet.of(checkValidPrincipal), AccessControlManagerImpl.this.configParams)) {
                return true;
            }
            AccessControlManagerImpl.log.warn("Attempt to create an ACE for an administrative principal which always has full access: {}", getPath());
            switch (importBehavior) {
                case 1:
                    return false;
                case 2:
                    return true;
                case 3:
                default:
                    throw new AccessControlException("Attempt to create an ACE for an administrative principal which always has full access.");
            }
        }

        @Override // org.apache.jackrabbit.oak.security.authorization.accesscontrol.ACL
        @NotNull
        PrivilegeManager getPrivilegeManager() {
            return AccessControlManagerImpl.this.getPrivilegeManager();
        }

        @Override // org.apache.jackrabbit.oak.security.authorization.accesscontrol.ACL
        @NotNull
        PrivilegeBits getPrivilegeBits(@NotNull Privilege[] privilegeArr) {
            return AccessControlManagerImpl.this.getPrivilegeBitsProvider().getBits(privilegeArr, getNamePathMapper());
        }

        public boolean equals(Object obj) {
            if (obj == this) {
                return true;
            }
            if (!(obj instanceof NodeACL)) {
                return false;
            }
            NodeACL nodeACL = (NodeACL) obj;
            return Objects.equal(getOakPath(), nodeACL.getOakPath()) && getEntries().equals(nodeACL.getEntries());
        }

        public int hashCode() {
            return 0;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:lib/slingcms.far:org/apache/jackrabbit/oak-core/1.58.0/oak-core-1.58.0.jar:org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl$PrincipalACL.class */
    public final class PrincipalACL extends ACL {
        private final Principal principal;
        private final RestrictionProvider rProvider;

        private PrincipalACL(@Nullable AccessControlManagerImpl accessControlManagerImpl, @NotNull String str, Principal principal) {
            this(str, principal, null, new PrincipalRestrictionProvider(accessControlManagerImpl.restrictionProvider));
        }

        private PrincipalACL(@Nullable String str, @NotNull Principal principal, @Nullable List<ACE> list, @NotNull RestrictionProvider restrictionProvider) {
            super(str, list, AccessControlManagerImpl.this.getNamePathMapper());
            this.principal = principal;
            this.rProvider = restrictionProvider;
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlList
        @NotNull
        public RestrictionProvider getRestrictionProvider() {
            return this.rProvider;
        }

        @Override // org.apache.jackrabbit.oak.security.authorization.accesscontrol.ACL
        @NotNull
        ACE createACE(@NotNull Principal principal, @NotNull PrivilegeBits privilegeBits, boolean z, @NotNull Set<Restriction> set) throws RepositoryException {
            return new Entry(principal, privilegeBits, z, set, getNamePathMapper());
        }

        @Override // org.apache.jackrabbit.oak.security.authorization.accesscontrol.ACL
        boolean checkValidPrincipal(@Nullable Principal principal) throws AccessControlException {
            if (principal == null || !this.principal.getName().equals(principal.getName())) {
                throw new AccessControlException("Principal mismatch.");
            }
            return true;
        }

        @Override // org.apache.jackrabbit.oak.security.authorization.accesscontrol.ACL
        @NotNull
        PrivilegeManager getPrivilegeManager() {
            return AccessControlManagerImpl.this.getPrivilegeManager();
        }

        @Override // org.apache.jackrabbit.oak.security.authorization.accesscontrol.ACL
        @NotNull
        PrivilegeBits getPrivilegeBits(@NotNull Privilege[] privilegeArr) {
            return AccessControlManagerImpl.this.getPrivilegeBitsProvider().getBits(privilegeArr, getNamePathMapper());
        }

        @Override // org.apache.jackrabbit.oak.security.authorization.accesscontrol.ACL, org.apache.jackrabbit.api.security.JackrabbitAccessControlList
        public void orderBefore(@NotNull AccessControlEntry accessControlEntry, @Nullable AccessControlEntry accessControlEntry2) throws RepositoryException {
            throw new UnsupportedRepositoryOperationException("reordering is not supported");
        }

        public boolean equals(Object obj) {
            if (obj == this) {
                return true;
            }
            if (!(obj instanceof PrincipalACL)) {
                return false;
            }
            PrincipalACL principalACL = (PrincipalACL) obj;
            return this.principal.equals(principalACL.principal) && Objects.equal(getOakPath(), principalACL.getOakPath()) && getEntries().equals(principalACL.getEntries());
        }

        public int hashCode() {
            return 0;
        }

        private void remove(Map<String, Principal> map) throws RepositoryException {
            for (ACE ace : getEntries()) {
                String nodePath = AccessControlManagerImpl.this.getNodePath(ace);
                Tree aclTree = AccessControlManagerImpl.this.getAclTree(nodePath, AccessControlManagerImpl.this.getTree(nodePath, 256L, true));
                if (aclTree == null) {
                    throw new AccessControlException("Unable to retrieve policy node at " + nodePath);
                }
                for (Tree tree : aclTree.getChildren()) {
                    if (ace.equals(AccessControlManagerImpl.this.createEntryWithPrincipalMap(nodePath, tree, this.rProvider, map))) {
                        tree.remove();
                    }
                }
                if (!aclTree.getChildren().iterator().hasNext()) {
                    aclTree.remove();
                }
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:lib/slingcms.far:org/apache/jackrabbit/oak-core/1.58.0/oak-core-1.58.0.jar:org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl$PrincipalPredicate.class */
    public final class PrincipalPredicate implements Predicate<Tree> {
        private final String accessControlledPath;
        private final Iterable<String> principalNames;
        private final Collection<String> oakPaths;

        private PrincipalPredicate(@Nullable String str, @NotNull Set<Principal> set, @NotNull Collection<String> collection) {
            this.accessControlledPath = str;
            this.principalNames = Iterables.transform(set, (v0) -> {
                return v0.getName();
            });
            this.oakPaths = collection;
        }

        @Override // java.util.function.Predicate
        public boolean test(@NotNull Tree tree) {
            return matchingPrincipal(tree) && matchingRestrictions(tree);
        }

        private boolean matchingPrincipal(@NotNull Tree tree) {
            return Iterables.contains(this.principalNames, TreeUtil.getString(tree, "rep:principalName"));
        }

        private boolean matchingRestrictions(@NotNull Tree tree) {
            if (this.oakPaths.isEmpty()) {
                return true;
            }
            RestrictionPattern pattern = AccessControlManagerImpl.this.restrictionProvider.getPattern(this.accessControlledPath, AccessControlManagerImpl.this.restrictionProvider.readRestrictions(this.accessControlledPath, tree));
            Stream<String> stream = this.oakPaths.stream();
            java.util.Objects.requireNonNull(pattern);
            return stream.anyMatch(pattern::matches);
        }
    }

    public AccessControlManagerImpl(@NotNull Root root, @NotNull NamePathMapper namePathMapper, @NotNull SecurityProvider securityProvider) {
        super(root, namePathMapper, securityProvider);
        this.ntMgr = ReadOnlyNodeTypeManager.getInstance(root, namePathMapper);
        this.principalManager = ((PrincipalConfiguration) securityProvider.getConfiguration(PrincipalConfiguration.class)).getPrincipalManager(root, namePathMapper);
        this.restrictionProvider = getConfig().getRestrictionProvider();
        this.configParams = getConfig().getParameters();
        this.readPaths = (Set) this.configParams.getConfigValue(PermissionConstants.PARAM_READ_PATHS, PermissionConstants.DEFAULT_READ_PATHS);
    }

    @Override // javax.jcr.security.AccessControlManager
    @NotNull
    public AccessControlPolicy[] getPolicies(@Nullable String str) throws RepositoryException {
        String oakPath = getOakPath(str);
        JackrabbitAccessControlList createACL = createACL(oakPath, getTree(oakPath, 128L, true), false);
        ArrayList arrayList = new ArrayList(2);
        if (createACL != null) {
            arrayList.add(createACL);
        }
        if (this.readPaths.contains(oakPath)) {
            arrayList.add(ReadPolicy.INSTANCE);
        }
        return (AccessControlPolicy[]) arrayList.toArray(new AccessControlPolicy[0]);
    }

    @Override // javax.jcr.security.AccessControlManager
    @NotNull
    public AccessControlPolicy[] getEffectivePolicies(@Nullable String str) throws RepositoryException {
        String oakPath = getOakPath(str);
        Tree tree = getTree(oakPath, 128L, true);
        Root latestRoot = getRoot().getContentSession().getLatestRoot();
        Tree tree2 = latestRoot.getTree(tree.getPath());
        ArrayList arrayList = new ArrayList();
        JackrabbitAccessControlList createACL = createACL(oakPath, tree2, true);
        if (createACL != null) {
            arrayList.add(createACL);
        }
        if (oakPath != null) {
            String relativeParent = Text.getRelativeParent(oakPath, 1);
            while (true) {
                String str2 = relativeParent;
                if (str2.isEmpty()) {
                    break;
                }
                JackrabbitAccessControlList createACL2 = createACL(str2, latestRoot.getTree(str2), true);
                if (createACL2 != null) {
                    arrayList.add(createACL2);
                }
                relativeParent = PathUtils.denotesRoot(str2) ? "" : Text.getRelativeParent(str2, 1);
            }
        }
        if (ReadPolicy.hasEffectiveReadPolicy(this.readPaths, oakPath)) {
            arrayList.add(ReadPolicy.INSTANCE);
        }
        return (AccessControlPolicy[]) arrayList.toArray(new AccessControlPolicy[0]);
    }

    @Override // javax.jcr.security.AccessControlManager
    @NotNull
    public AccessControlPolicyIterator getApplicablePolicies(@Nullable String str) throws RepositoryException {
        String oakPath = getOakPath(str);
        Tree tree = getTree(oakPath, 128L, true);
        NodeACL nodeACL = null;
        if (getAclTree(oakPath, tree) == null) {
            if (tree.hasChild(Util.getAclName(oakPath))) {
                log.warn("Colliding policy child without node being access controllable ({}).", str);
            } else {
                String mixinName = Util.getMixinName(oakPath);
                if (this.ntMgr.isNodeType(tree, mixinName) || this.ntMgr.getEffectiveNodeType(tree).supportsMixin(mixinName)) {
                    nodeACL = new NodeACL(this, oakPath);
                } else {
                    log.warn("Node {} cannot be made access controllable.", str);
                }
            }
        }
        return nodeACL == null ? AccessControlPolicyIteratorAdapter.EMPTY : new AccessControlPolicyIteratorAdapter(Collections.singleton(nodeACL));
    }

    @Override // javax.jcr.security.AccessControlManager
    public void setPolicy(@Nullable String str, @NotNull AccessControlPolicy accessControlPolicy) throws RepositoryException {
        String oakPath = getOakPath(str);
        Util.checkValidPolicy(oakPath, accessControlPolicy);
        if (accessControlPolicy instanceof PrincipalACL) {
            setPrincipalBasedAcl((PrincipalACL) accessControlPolicy);
        } else {
            setNodeBasedAcl(oakPath, getTree(oakPath, 256L, true), (ACL) accessControlPolicy);
        }
    }

    private void setPrincipalBasedAcl(@NotNull PrincipalACL principalACL) throws RepositoryException {
        JackrabbitAccessControlPolicy[] policies = getPolicies(principalACL.principal);
        PrincipalACL principalACL2 = policies.length == 0 ? null : (PrincipalACL) policies[0];
        ArrayList<ACE> newArrayList = Lists.newArrayList(principalACL.getEntries());
        List<ACE> emptyList = Collections.emptyList();
        if (principalACL2 != null) {
            newArrayList.removeAll(principalACL2.getEntries());
            emptyList = principalACL2.getEntries();
            emptyList.removeAll(principalACL.getEntries());
        }
        for (ACE ace : newArrayList) {
            String nodePath = getNodePath(ace);
            Tree tree = getTree(nodePath, 256L, true);
            setNodeBasedAcl(nodePath, tree, populateNodeBasedAcl(ace, nodePath, tree));
        }
        for (ACE ace2 : emptyList) {
            String nodePath2 = getNodePath(ace2);
            Tree tree2 = getTree(nodePath2, 256L, true);
            ACL acl = (ACL) createACL(nodePath2, tree2, false);
            if (acl != null) {
                HashSet newHashSet = Sets.newHashSet(ace2.getRestrictions());
                newHashSet.removeIf(restriction -> {
                    return AccessControlConstants.REP_NODE_PATH.equals(restriction.getDefinition().getName());
                });
                acl.removeAccessControlEntry(new Entry(ace2.getPrincipal(), ace2.getPrivilegeBits(), ace2.isAllow(), newHashSet, getNamePathMapper()));
                setNodeBasedAcl(nodePath2, tree2, acl);
            } else {
                log.debug("Missing ACL at {}; cannot remove entry {}", nodePath2, ace2);
            }
        }
    }

    @NotNull
    private ACL populateNodeBasedAcl(@NotNull ACE ace, @Nullable String str, @NotNull Tree tree) throws RepositoryException {
        ACL acl = (ACL) createACL(str, tree, false);
        if (acl == null) {
            acl = new NodeACL(this, str);
        }
        HashMap hashMap = new HashMap();
        HashMap hashMap2 = new HashMap();
        for (Restriction restriction : ace.getRestrictions()) {
            String name = restriction.getDefinition().getName();
            if (!AccessControlConstants.REP_NODE_PATH.equals(name)) {
                if (restriction.getDefinition().getRequiredType().isArray()) {
                    hashMap2.put(name, ace.getRestrictions(name));
                } else {
                    hashMap.put(name, ace.getRestriction(name));
                }
            }
        }
        acl.addEntry(ace.getPrincipal(), ace.getPrivileges(), ace.isAllow(), hashMap, hashMap2);
        return acl;
    }

    private void setNodeBasedAcl(@Nullable String str, @NotNull Tree tree, @NotNull ACL acl) throws RepositoryException {
        Tree aclTree = getAclTree(str, tree);
        if (aclTree != null) {
            Iterator<Tree> it = aclTree.getChildren().iterator();
            while (it.hasNext()) {
                it.next().remove();
            }
        } else {
            aclTree = createAclTree(str, tree);
        }
        aclTree.setOrderableChildren(true);
        List<ACE> entries = acl.getEntries();
        for (int i = 0; i < entries.size(); i++) {
            ACE ace = entries.get(i);
            Tree addChild = TreeUtil.addChild(aclTree, Util.generateAceName(ace, i), ace.isAllow() ? "rep:GrantACE" : "rep:DenyACE");
            addChild.setProperty("rep:principalName", ace.getPrincipal().getName());
            addChild.setProperty("rep:privileges", getPrivilegeBitsProvider().getPrivilegeNames(ace.getPrivilegeBits()), Type.NAMES);
            this.restrictionProvider.writeRestrictions(str, addChild, ace.getRestrictions());
        }
    }

    @Override // javax.jcr.security.AccessControlManager
    public void removePolicy(@Nullable String str, @NotNull AccessControlPolicy accessControlPolicy) throws RepositoryException {
        String oakPath = getOakPath(str);
        Util.checkValidPolicy(oakPath, accessControlPolicy);
        HashMap hashMap = new HashMap();
        if (accessControlPolicy instanceof PrincipalACL) {
            ((PrincipalACL) accessControlPolicy).remove(hashMap);
            return;
        }
        Tree aclTree = getAclTree(oakPath, getTree(oakPath, 256L, true));
        if (aclTree == null) {
            throw new AccessControlException("No policy to remove at " + str);
        }
        aclTree.remove();
    }

    @Override // org.apache.jackrabbit.api.security.JackrabbitAccessControlManager
    @NotNull
    public JackrabbitAccessControlPolicy[] getApplicablePolicies(@NotNull Principal principal) throws RepositoryException {
        if (!Util.checkValidPrincipal(principal, this.principalManager, Util.getImportBehavior(getConfig()))) {
            return new JackrabbitAccessControlPolicy[0];
        }
        String path = principal instanceof ItemBasedPrincipal ? ((ItemBasedPrincipal) principal).getPath() : null;
        return createPrincipalACL(path, principal) != null ? new JackrabbitAccessControlPolicy[0] : new JackrabbitAccessControlPolicy[]{new PrincipalACL(this, path, principal)};
    }

    @Override // org.apache.jackrabbit.api.security.JackrabbitAccessControlManager
    @NotNull
    public JackrabbitAccessControlPolicy[] getPolicies(@NotNull Principal principal) throws RepositoryException {
        if (!Util.checkValidPrincipal(principal, this.principalManager, Util.getImportBehavior(getConfig()))) {
            return new JackrabbitAccessControlPolicy[0];
        }
        JackrabbitAccessControlList createPrincipalACL = createPrincipalACL(principal instanceof ItemBasedPrincipal ? ((ItemBasedPrincipal) principal).getPath() : null, principal);
        return createPrincipalACL != null ? new JackrabbitAccessControlPolicy[]{createPrincipalACL} : new JackrabbitAccessControlPolicy[0];
    }

    @Override // org.apache.jackrabbit.api.security.JackrabbitAccessControlManager
    @NotNull
    public AccessControlPolicy[] getEffectivePolicies(@NotNull Set<Principal> set) throws RepositoryException {
        if (!Util.checkValidPrincipals(set, this.principalManager, Util.getImportBehavior(getConfig()))) {
            return new AccessControlPolicy[0];
        }
        Set<AccessControlPolicy> internalGetEffectivePolicies = internalGetEffectivePolicies(set, Collections.emptySet());
        if (ReadPolicy.canAccessReadPolicy(getPermissionProvider(), (String[]) this.readPaths.toArray(new String[0]))) {
            internalGetEffectivePolicies.add(ReadPolicy.INSTANCE);
        }
        return (AccessControlPolicy[]) internalGetEffectivePolicies.toArray(new AccessControlPolicy[0]);
    }

    @Override // org.apache.jackrabbit.api.security.JackrabbitAccessControlManager
    @NotNull
    public Iterator<AccessControlPolicy> getEffectivePolicies(@NotNull Set<Principal> set, @Nullable String... strArr) throws RepositoryException {
        if (!Util.checkValidPrincipals(set, this.principalManager, Util.getImportBehavior(getConfig()))) {
            return Collections.emptyIterator();
        }
        Collection<String> oakPaths = getOakPaths(strArr);
        Set<AccessControlPolicy> internalGetEffectivePolicies = internalGetEffectivePolicies(set, oakPaths);
        if ((oakPaths.isEmpty() || oakPaths.stream().anyMatch(str -> {
            return ReadPolicy.hasEffectiveReadPolicy(this.readPaths, str);
        })) && ReadPolicy.canAccessReadPolicy(getPermissionProvider(), (String[]) this.readPaths.toArray(new String[0]))) {
            internalGetEffectivePolicies.add(ReadPolicy.INSTANCE);
        }
        return internalGetEffectivePolicies.iterator();
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.PolicyOwner
    public boolean defines(String str, @NotNull AccessControlPolicy accessControlPolicy) {
        try {
            return Util.isValidPolicy(getOakPath(str), accessControlPolicy);
        } catch (RepositoryException e) {
            log.warn("Invalid absolute path '{}': {}", str, e.getMessage());
            return false;
        }
    }

    @Nullable
    private Tree getAclTree(@Nullable String str, @NotNull Tree tree) {
        if (!Util.isAccessControlled(str, tree, this.ntMgr)) {
            return null;
        }
        Tree child = tree.getChild(Util.getAclName(str));
        if (child.exists()) {
            return child;
        }
        return null;
    }

    @NotNull
    private Tree createAclTree(@Nullable String str, @NotNull Tree tree) throws AccessDeniedException {
        if (!Util.isAccessControlled(str, tree, this.ntMgr)) {
            PropertyState property = tree.getProperty("jcr:mixinTypes");
            String mixinName = Util.getMixinName(str);
            if (property == null) {
                tree.setProperty("jcr:mixinTypes", Collections.singleton(mixinName), Type.NAMES);
            } else {
                PropertyBuilder copy = PropertyBuilder.copy(Type.NAME, property);
                copy.addValue(mixinName);
                tree.setProperty(copy.getPropertyState());
            }
        }
        return TreeUtil.addChild(tree, Util.getAclName(str), "rep:ACL");
    }

    @Nullable
    private JackrabbitAccessControlList createACL(@Nullable String str, @NotNull Tree tree, boolean z) throws RepositoryException {
        return createACL(str, tree, z, tree2 -> {
            return true;
        });
    }

    @Nullable
    private JackrabbitAccessControlList createACL(@Nullable String str, @NotNull Tree tree, boolean z, @NotNull Predicate<Tree> predicate) throws RepositoryException {
        if (!tree.exists() || !Util.isAccessControlled(str, tree, this.ntMgr)) {
            return null;
        }
        Tree child = tree.getChild(Util.getAclName(str));
        if (!child.exists()) {
            return null;
        }
        ArrayList arrayList = new ArrayList();
        HashMap hashMap = new HashMap();
        for (Tree tree2 : child.getChildren()) {
            if (Util.isACE(tree2, this.ntMgr) && predicate.test(tree2) && hasValidRestrictions(str, tree2)) {
                arrayList.add(createEntryWithPrincipalMap(str, tree2, this.restrictionProvider, hashMap));
            }
        }
        if (!z) {
            return new NodeACL(str, arrayList);
        }
        if (arrayList.isEmpty()) {
            return null;
        }
        return new ImmutableACL(str, arrayList, this.restrictionProvider, getNamePathMapper());
    }

    private boolean hasValidRestrictions(@Nullable String str, @NotNull Tree tree) {
        try {
            this.restrictionProvider.validateRestrictions(str, tree);
            return true;
        } catch (RepositoryException e) {
            log.warn("Access control entry at {} contains unsupported restrictions: {}", str, e.getMessage());
            return false;
        }
    }

    @Nullable
    private JackrabbitAccessControlList createPrincipalACL(@Nullable String str, @NotNull Principal principal) throws RepositoryException {
        Result searchAces = searchAces(Collections.singleton(principal), getRoot());
        PrincipalRestrictionProvider principalRestrictionProvider = new PrincipalRestrictionProvider(this.restrictionProvider);
        ArrayList arrayList = new ArrayList();
        HashMap hashMap = new HashMap();
        Iterator<? extends ResultRow> it = searchAces.getRows().iterator();
        while (it.hasNext()) {
            Tree tree = it.next().getTree(null);
            if (Util.isACE(tree, this.ntMgr)) {
                String relativeParent = Text.getRelativeParent(tree.getPath(), 1);
                arrayList.add(createEntryWithPrincipalMap(relativeParent.endsWith("rep:repoPolicy") ? null : Text.getRelativeParent(relativeParent, 1), tree, principalRestrictionProvider, hashMap));
            }
        }
        if (arrayList.isEmpty()) {
            return null;
        }
        return new PrincipalACL(str, principal, arrayList, principalRestrictionProvider);
    }

    @NotNull
    private ACE createEntryWithPrincipalMap(@Nullable String str, @NotNull Tree tree, @NotNull RestrictionProvider restrictionProvider, @NotNull Map<String, Principal> map) throws RepositoryException {
        return new Entry(getPrincipal(tree, map), getPrivilegeBitsProvider().getBits((Iterable<String>) Preconditions.checkNotNull(TreeUtil.getStrings(tree, "rep:privileges"))), "rep:GrantACE".equals(TreeUtil.getPrimaryTypeName(tree)), restrictionProvider.readRestrictions(str, tree), getNamePathMapper());
    }

    @NotNull
    private static Result searchAces(@NotNull Set<Principal> set, @NotNull Root root) throws RepositoryException {
        StringBuilder sb = new StringBuilder("/jcr:root");
        sb.append("//element(*,");
        sb.append("rep:ACE");
        sb.append(")[");
        int i = 0;
        for (Principal principal : set) {
            if (i > 0) {
                sb.append(" or ");
            }
            sb.append('@');
            sb.append(ISO9075.encode("rep:principalName"));
            sb.append("='");
            sb.append(principal.getName().replace(OperatorName.SHOW_TEXT_LINE, "''"));
            sb.append('\'');
            i++;
        }
        sb.append(']');
        sb.append(" order by jcr:path");
        try {
            return root.getQueryEngine().executeQuery(sb.toString(), "xpath", QueryEngine.NO_BINDINGS, QueryEngine.NO_MAPPINGS);
        } catch (ParseException e) {
            log.error("Error while collecting effective policies.", (Throwable) e);
            throw new RepositoryException("Error while collecting effective policies.", e);
        }
    }

    @NotNull
    private Principal getPrincipal(@NotNull Tree tree, @NotNull Map<String, Principal> map) {
        return map.computeIfAbsent((String) Preconditions.checkNotNull(TreeUtil.getString(tree, "rep:principalName")), str -> {
            Principal principal = this.principalManager.getPrincipal(str);
            if (principal == null) {
                principal = new PrincipalImpl(str);
            }
            return principal;
        });
    }

    @Nullable
    private String getNodePath(@NotNull ACE ace) throws RepositoryException {
        Value restriction = ace.getRestriction(AccessControlConstants.REP_NODE_PATH);
        if (restriction == null) {
            throw new AccessControlException("Missing mandatory restriction rep:nodePath");
        }
        return getOakPath(Strings.emptyToNull(restriction.getString()));
    }

    @NotNull
    private Set<AccessControlPolicy> internalGetEffectivePolicies(@NotNull Set<Principal> set, Collection<String> collection) throws RepositoryException {
        JackrabbitAccessControlList createACL;
        Result searchAces = searchAces(set, getLatestRoot());
        TreeSet newTreeSet = Sets.newTreeSet(new PolicyComparator());
        HashSet newHashSet = Sets.newHashSet();
        Iterator<? extends ResultRow> it = searchAces.getRows().iterator();
        while (it.hasNext()) {
            Tree tree = it.next().getTree(null);
            String path = tree.getPath();
            String name = Text.getName(Text.getRelativeParent(path, 1));
            Tree parent = tree.getParent().getParent();
            if (POLICY_NODE_NAMES.contains(name) && parent.exists()) {
                String path2 = "rep:repoPolicy".equals(name) ? null : parent.getPath();
                if (!newHashSet.contains(path2) && matchingPath(path2, collection) && (createACL = createACL(path2, parent, true, new PrincipalPredicate(path2, set, collection))) != null) {
                    newTreeSet.add(createACL);
                    newHashSet.add(path2);
                }
            } else {
                log.debug("Isolated access control entry -> ignore query result at {}", path);
            }
        }
        return newTreeSet;
    }

    private static boolean matchingPath(@Nullable String str, @NotNull Collection<String> collection) {
        if (collection.isEmpty()) {
            return true;
        }
        return collection.stream().anyMatch(str2 -> {
            return str2 == null ? str == null : str != null && Text.isDescendantOrEqual(str, str2);
        });
    }
}
