package org.apache.jackrabbit.core.security;

import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import javax.jcr.AccessDeniedException;
import javax.jcr.ItemNotFoundException;
import javax.jcr.PathNotFoundException;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.UnsupportedRepositoryOperationException;
import javax.jcr.security.AccessControlException;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import javax.security.auth.Subject;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy;
import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
import org.apache.jackrabbit.commons.iterator.AccessControlPolicyIteratorAdapter;
import org.apache.jackrabbit.core.HierarchyManager;
import org.apache.jackrabbit.core.SessionImpl;
import org.apache.jackrabbit.core.id.ItemId;
import org.apache.jackrabbit.core.security.authorization.AccessControlEditor;
import org.apache.jackrabbit.core.security.authorization.AccessControlProvider;
import org.apache.jackrabbit.core.security.authorization.CompiledPermissions;
import org.apache.jackrabbit.core.security.authorization.WorkspaceAccessManager;
import org.apache.jackrabbit.spi.Name;
import org.apache.jackrabbit.spi.Path;
import org.apache.jackrabbit.spi.commons.conversion.NamePathResolver;
import org.apache.jackrabbit.spi.commons.name.PathFactoryImpl;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:jackrabbit-core-2.15.6.jar:org/apache/jackrabbit/core/security/DefaultAccessManager.class */
public class DefaultAccessManager extends AbstractAccessControlManager implements AccessManager {
    private static final Logger log = LoggerFactory.getLogger(DefaultAccessManager.class);
    private boolean initialized;
    private NamePathResolver resolver;
    private Set<Principal> principals;
    private AccessControlProvider acProvider;
    private AccessControlEditor editor;
    private WorkspaceAccess wspAccess;
    private HierarchyManager hierMgr;
    private PrivilegeManager privilegeManager;
    private CompiledPermissions compiledPermissions;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:jackrabbit-core-2.15.6.jar:org/apache/jackrabbit/core/security/DefaultAccessManager$WorkspaceAccess.class */
    public class WorkspaceAccess {
        private final WorkspaceAccessManager wspAccessManager;
        private final boolean alwaysAllowed;
        private final List<String> allowed;
        private final List<String> denied;

        private WorkspaceAccess(WorkspaceAccessManager workspaceAccessManager, boolean z) {
            this.wspAccessManager = workspaceAccessManager;
            this.alwaysAllowed = z;
            if (z) {
                this.denied = null;
                this.allowed = null;
            } else {
                this.allowed = new ArrayList(5);
                this.denied = new ArrayList(5);
            }
        }

        /* JADX INFO: Access modifiers changed from: private */
        public boolean canAccess(String str) throws RepositoryException {
            if (this.alwaysAllowed || this.wspAccessManager == null || this.allowed.contains(str)) {
                return true;
            }
            if (this.denied.contains(str)) {
                return false;
            }
            boolean grants = this.wspAccessManager.grants(DefaultAccessManager.this.principals, str);
            if (grants) {
                this.allowed.add(str);
            } else {
                this.denied.add(str);
            }
            return grants;
        }
    }

    @Override // org.apache.jackrabbit.core.security.AccessManager
    public void init(AMContext aMContext) throws AccessDeniedException, Exception {
        init(aMContext, null, null);
    }

    @Override // org.apache.jackrabbit.core.security.AccessManager
    public void init(AMContext aMContext, AccessControlProvider accessControlProvider, WorkspaceAccessManager workspaceAccessManager) throws AccessDeniedException, Exception {
        if (this.initialized) {
            throw new IllegalStateException("Already initialized.");
        }
        this.acProvider = accessControlProvider;
        this.resolver = aMContext.getNamePathResolver();
        this.hierMgr = aMContext.getHierarchyManager();
        Subject subject = aMContext.getSubject();
        if (subject == null) {
            this.principals = Collections.emptySet();
        } else {
            this.principals = subject.getPrincipals();
        }
        this.wspAccess = new WorkspaceAccess(workspaceAccessManager, isSystemOrAdmin(aMContext.getSession()));
        this.privilegeManager = aMContext.getPrivilegeManager();
        if (accessControlProvider != null) {
            this.editor = accessControlProvider.getEditor(aMContext.getSession());
            this.compiledPermissions = accessControlProvider.compilePermissions(this.principals);
        } else {
            log.warn("No AccessControlProvider defined -> no access is granted.");
            this.editor = null;
            this.compiledPermissions = CompiledPermissions.NO_PERMISSION;
        }
        this.initialized = true;
        if (!canAccess(aMContext.getWorkspaceName())) {
            throw new AccessDeniedException("Not allowed to access Workspace " + aMContext.getWorkspaceName());
        }
    }

    @Override // org.apache.jackrabbit.core.security.AccessManager
    public void close() throws Exception {
        if (!this.initialized) {
            throw new IllegalStateException("Manager is not initialized.");
        }
        this.initialized = false;
        this.compiledPermissions.close();
        this.hierMgr = null;
        this.acProvider = null;
        this.editor = null;
        this.wspAccess = null;
    }

    @Override // org.apache.jackrabbit.core.security.AccessManager
    public void checkPermission(ItemId itemId, int i) throws AccessDeniedException, ItemNotFoundException, RepositoryException {
        if (!isGranted(itemId, i)) {
            throw new AccessDeniedException("Access denied.");
        }
    }

    @Override // org.apache.jackrabbit.core.security.AccessManager
    public void checkPermission(Path path, int i) throws AccessDeniedException, RepositoryException {
        if (!isGranted(path, i)) {
            throw new AccessDeniedException("Access denied.");
        }
    }

    @Override // org.apache.jackrabbit.core.security.AccessManager
    public void checkRepositoryPermission(int i) throws AccessDeniedException, RepositoryException {
        checkInitialized();
        if (!this.compiledPermissions.grants(null, i)) {
            throw new AccessDeniedException("Access denied.");
        }
    }

    @Override // org.apache.jackrabbit.core.security.AccessManager
    public boolean isGranted(ItemId itemId, int i) throws ItemNotFoundException, RepositoryException {
        checkInitialized();
        if (i == 1 && this.compiledPermissions.canReadAll()) {
            return true;
        }
        int i2 = 0;
        if ((i & 1) == 1) {
            i2 = 0 | 1;
        }
        if ((i & 2) == 2) {
            i2 = itemId.denotesNode() ? i2 | 2 | 4 : i2 | 2;
        }
        if ((i & 4) == 4) {
            i2 |= itemId.denotesNode() ? 8 : 16;
        }
        return isGranted(this.hierMgr.getPath(itemId), i2);
    }

    @Override // org.apache.jackrabbit.core.security.AccessManager
    public boolean isGranted(Path path, int i) throws RepositoryException {
        checkInitialized();
        if (path.isAbsolute()) {
            return this.compiledPermissions.grants(path, i);
        }
        throw new RepositoryException("Absolute path expected");
    }

    @Override // org.apache.jackrabbit.core.security.AccessManager
    public boolean isGranted(Path path, Name name, int i) throws RepositoryException {
        return isGranted(PathFactoryImpl.getInstance().create(path, name, true), i);
    }

    @Override // org.apache.jackrabbit.core.security.AccessManager
    public boolean canRead(Path path, ItemId itemId) throws RepositoryException {
        checkInitialized();
        if (this.compiledPermissions.canReadAll()) {
            return true;
        }
        return this.compiledPermissions.canRead(path, itemId);
    }

    @Override // org.apache.jackrabbit.core.security.AccessManager
    public boolean canAccess(String str) throws RepositoryException {
        checkInitialized();
        return this.wspAccess.canAccess(str);
    }

    public boolean hasPrivileges(String str, Privilege[] privilegeArr) throws PathNotFoundException, RepositoryException {
        checkInitialized();
        checkValidNodePath(str);
        if (privilegeArr == null || privilegeArr.length == 0) {
            log.debug("No privileges passed -> allowed.");
            return true;
        }
        return this.compiledPermissions.hasPrivileges(getPath(str), privilegeArr);
    }

    public Privilege[] getPrivileges(String str) throws PathNotFoundException, RepositoryException {
        checkInitialized();
        checkValidNodePath(str);
        Set<Privilege> privilegeSet = this.compiledPermissions.getPrivilegeSet(getPath(str));
        return (Privilege[]) privilegeSet.toArray(new Privilege[privilegeSet.size()]);
    }

    @Override // org.apache.jackrabbit.core.security.AbstractAccessControlManager
    public AccessControlPolicy[] getPolicies(String str) throws PathNotFoundException, AccessDeniedException, RepositoryException {
        checkInitialized();
        checkPermission(str, 32);
        return this.editor != null ? this.editor.getPolicies(str) : new AccessControlPolicy[0];
    }

    public AccessControlPolicy[] getEffectivePolicies(String str) throws PathNotFoundException, AccessDeniedException, RepositoryException {
        checkInitialized();
        checkPermission(str, 32);
        return this.acProvider.getEffectivePolicies(getPath(str), this.compiledPermissions);
    }

    @Override // org.apache.jackrabbit.core.security.AbstractAccessControlManager
    public AccessControlPolicyIterator getApplicablePolicies(String str) throws PathNotFoundException, AccessDeniedException, RepositoryException {
        checkInitialized();
        checkPermission(str, 32);
        if (this.editor != null) {
            try {
                return new AccessControlPolicyIteratorAdapter(Arrays.asList(this.editor.editAccessControlPolicies(str)));
            } catch (AccessControlException e) {
                log.debug("No applicable policy at " + str);
            }
        }
        return AccessControlPolicyIteratorAdapter.EMPTY;
    }

    @Override // org.apache.jackrabbit.core.security.AbstractAccessControlManager
    public void setPolicy(String str, AccessControlPolicy accessControlPolicy) throws PathNotFoundException, AccessControlException, AccessDeniedException, RepositoryException {
        checkInitialized();
        checkPermission(str, 64);
        if (this.editor == null) {
            throw new UnsupportedRepositoryOperationException("Modification of AccessControlPolicies is not supported. ");
        }
        this.editor.setPolicy(str, accessControlPolicy);
    }

    @Override // org.apache.jackrabbit.core.security.AbstractAccessControlManager
    public void removePolicy(String str, AccessControlPolicy accessControlPolicy) throws PathNotFoundException, AccessControlException, AccessDeniedException, RepositoryException {
        checkInitialized();
        checkPermission(str, 64);
        if (this.editor == null) {
            throw new UnsupportedRepositoryOperationException("Removal of AccessControlPolicies is not supported.");
        }
        this.editor.removePolicy(str, accessControlPolicy);
    }

    @Override // org.apache.jackrabbit.core.security.AbstractAccessControlManager, org.apache.jackrabbit.api.security.JackrabbitAccessControlManager
    public JackrabbitAccessControlPolicy[] getApplicablePolicies(Principal principal) throws AccessDeniedException, AccessControlException, UnsupportedRepositoryOperationException, RepositoryException {
        checkInitialized();
        if (this.editor == null) {
            throw new UnsupportedRepositoryOperationException("Editing of access control policies is not supported.");
        }
        return this.editor.editAccessControlPolicies(principal);
    }

    @Override // org.apache.jackrabbit.core.security.AbstractAccessControlManager, org.apache.jackrabbit.api.security.JackrabbitAccessControlManager
    public JackrabbitAccessControlPolicy[] getPolicies(Principal principal) throws AccessDeniedException, AccessControlException, UnsupportedRepositoryOperationException, RepositoryException {
        checkInitialized();
        if (this.editor == null) {
            throw new UnsupportedRepositoryOperationException("Editing of access control policies is not supported.");
        }
        return this.editor.getPolicies(principal);
    }

    @Override // org.apache.jackrabbit.api.security.JackrabbitAccessControlManager
    public AccessControlPolicy[] getEffectivePolicies(Set<Principal> set) throws AccessDeniedException, AccessControlException, UnsupportedRepositoryOperationException, RepositoryException {
        checkInitialized();
        return this.acProvider.getEffectivePolicies(set, this.compiledPermissions);
    }

    @Override // org.apache.jackrabbit.api.security.JackrabbitAccessControlManager
    public boolean hasPrivileges(String str, Set<Principal> set, Privilege[] privilegeArr) throws PathNotFoundException, RepositoryException {
        checkInitialized();
        checkValidNodePath(str);
        checkPermission(str, 32);
        if (privilegeArr == null || privilegeArr.length == 0) {
            log.debug("No privileges passed -> allowed.");
            return true;
        }
        Path path = getPath(str);
        CompiledPermissions compilePermissions = this.acProvider.compilePermissions(set);
        try {
            boolean hasPrivileges = compilePermissions.hasPrivileges(path, privilegeArr);
            compilePermissions.close();
            return hasPrivileges;
        } catch (Throwable th) {
            compilePermissions.close();
            throw th;
        }
    }

    @Override // org.apache.jackrabbit.api.security.JackrabbitAccessControlManager
    public Privilege[] getPrivileges(String str, Set<Principal> set) throws PathNotFoundException, RepositoryException {
        checkInitialized();
        checkValidNodePath(str);
        checkPermission(str, 32);
        CompiledPermissions compilePermissions = this.acProvider.compilePermissions(set);
        try {
            Set<Privilege> privilegeSet = compilePermissions.getPrivilegeSet(getPath(str));
            Privilege[] privilegeArr = (Privilege[]) privilegeSet.toArray(new Privilege[privilegeSet.size()]);
            compilePermissions.close();
            return privilegeArr;
        } catch (Throwable th) {
            compilePermissions.close();
            throw th;
        }
    }

    @Override // org.apache.jackrabbit.core.security.AbstractAccessControlManager
    protected void checkInitialized() {
        if (!this.initialized) {
            throw new IllegalStateException("not initialized");
        }
    }

    @Override // org.apache.jackrabbit.core.security.AbstractAccessControlManager
    protected void checkValidNodePath(String str) throws PathNotFoundException, RepositoryException {
        Path path = getPath(str);
        if (path != null) {
            if (!path.isAbsolute()) {
                throw new RepositoryException("Absolute path expected.");
            }
            if (this.hierMgr.resolveNodePath(path) == null) {
                throw new PathNotFoundException("No such node " + str);
            }
        }
    }

    @Override // org.apache.jackrabbit.core.security.AbstractAccessControlManager
    protected void checkPermission(String str, int i) throws AccessDeniedException, RepositoryException {
        checkValidNodePath(str);
        if (!this.compiledPermissions.grants(getPath(str), i)) {
            throw new AccessDeniedException("Access denied at " + str);
        }
    }

    @Override // org.apache.jackrabbit.core.security.AbstractAccessControlManager
    protected PrivilegeManager getPrivilegeManager() throws RepositoryException {
        checkInitialized();
        return this.privilegeManager;
    }

    private Path getPath(String str) throws RepositoryException {
        if (str == null) {
            return null;
        }
        return this.resolver.getQPath(str);
    }

    private static boolean isSystemOrAdmin(Session session) {
        if (session == null || !(session instanceof SessionImpl)) {
            return false;
        }
        SessionImpl sessionImpl = (SessionImpl) session;
        return sessionImpl.isSystem() || sessionImpl.isAdmin();
    }
}
