package org.apache.jackrabbit.core.security.user;

import java.security.Principal;
import java.security.acl.Group;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.jcr.ItemNotFoundException;
import javax.jcr.Node;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.observation.Event;
import javax.jcr.observation.EventIterator;
import javax.jcr.security.AccessControlPolicy;
import org.apache.jackrabbit.api.JackrabbitWorkspace;
import org.apache.jackrabbit.api.security.principal.ItemBasedPrincipal;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.core.ItemImpl;
import org.apache.jackrabbit.core.NodeImpl;
import org.apache.jackrabbit.core.SessionImpl;
import org.apache.jackrabbit.core.id.ItemId;
import org.apache.jackrabbit.core.nodetype.NodeTypeImpl;
import org.apache.jackrabbit.core.observation.SynchronousEventListener;
import org.apache.jackrabbit.core.security.AnonymousPrincipal;
import org.apache.jackrabbit.core.security.SecurityConstants;
import org.apache.jackrabbit.core.security.authorization.AbstractAccessControlProvider;
import org.apache.jackrabbit.core.security.authorization.AbstractCompiledPermissions;
import org.apache.jackrabbit.core.security.authorization.AccessControlEditor;
import org.apache.jackrabbit.core.security.authorization.CompiledPermissions;
import org.apache.jackrabbit.core.security.authorization.NamedAccessControlPolicyImpl;
import org.apache.jackrabbit.core.security.authorization.PrivilegeBits;
import org.apache.jackrabbit.core.security.authorization.PrivilegeManagerImpl;
import org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry;
import org.apache.jackrabbit.core.security.principal.PrincipalImpl;
import org.apache.jackrabbit.spi.Name;
import org.apache.jackrabbit.spi.Path;
import org.apache.jackrabbit.util.Text;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:jackrabbit-core-2.7.5.jar:org/apache/jackrabbit/core/security/user/UserAccessControlProvider.class */
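/**
 * Access control provider that evaluates permissions for the user and group
 * trees ({@code usersPath} / {@code groupsPath}) from group membership alone.
 *
 * <p>What the code in this class establishes:
 * <ul>
 *   <li>Admin/system principal sets get the admin permissions of the base class.</li>
 *   <li>Any other principal set that resolves to an existing user node may READ
 *       every item (see {@code CompiledPermissionsImpl#canReadAll()}); anonymous
 *       is included unless {@link #PARAM_ANONYMOUS_ACCESS} is configured as false.</li>
 *   <li>Write permissions are granted only below {@code usersPath} (own node,
 *       or member of the user-admin group) and below {@code groupsPath}
 *       (member of the group-admin group, excluding the administrators and
 *       user-admin group subtrees).</li>
 *   <li>The policy is fixed: {@link #getEditor(Session)} returns {@code null}.</li>
 * </ul>
 */
public class UserAccessControlProvider extends AbstractAccessControlProvider implements UserConstants {
    private static final Logger log = LoggerFactory.getLogger(UserAccessControlProvider.class);
    public static final String PARAM_ANONYMOUS_ID = "anonymousId";
    public static final String PARAM_ANONYMOUS_ACCESS = "anonymousAccess";

    // Permission masks, kept as the numeric values found in the compiled class.
    // NOTE(review): they appear to match the constants of
    // org.apache.jackrabbit.core.security.authorization.Permission
    // (READ=1, SET_PROPERTY=2, ADD_NODE=4, REMOVE_NODE=8, REMOVE_PROPERTY=16,
    // NODE_TYPE_MNGMT=128) - confirm before replacing them with symbolic names.
    private static final int PERM_READ = 1;
    private static final int PERM_OWN_PROPERTIES = 18;    // 2 | 16
    private static final int PERM_GROUP_ADMIN_SELF = 150; // 2 | 4 | 16 | 128 (no bit 8)
    private static final int PERM_FULL_WRITE = 158;       // 2 | 4 | 8 | 16 | 128

    private final AccessControlPolicy policy = new NamedAccessControlPolicyImpl("userPolicy");
    private String groupsPath;
    private String usersPath;
    // Any of the following group principals/paths stays null when initGroup()
    // could not resolve or create the group, or when the principal is not an
    // ItemBasedPrincipal. Every consumer must tolerate null.
    private Principal userAdminGroup;
    private Principal groupAdminGroup;
    private String userAdminGroupPath;
    private String groupAdminGroupPath;
    private String administratorsGroupPath;
    private boolean membersInProperty;
    private String anonymousId;
    private boolean anonymousAccess;

    /**
     * Permissions compiled for one principal set whose user node lives at
     * {@code userNodePath}. Listens for property changes below the groups
     * tree so that cached results are dropped when membership changes.
     */
    private class CompiledPermissionsImpl extends AbstractCompiledPermissions implements SynchronousEventListener {
        private final String userNodePath;
        private final Set<Principal> principals;

        /**
         * @param set the principals these permissions are compiled for
         * @param str JCR path of the user node the principal set resolved to
         * @throws RepositoryException if the observation listener cannot be registered
         */
        protected CompiledPermissionsImpl(Set<Principal> set, String str) throws RepositoryException {
            this.userNodePath = str;
            this.principals = set;
            // Same value (28) as the literal in the compiled class: only property
            // events are observed, deep below groupsPath, including local events.
            int eventTypes = Event.PROPERTY_ADDED | Event.PROPERTY_REMOVED | Event.PROPERTY_CHANGED;
            UserAccessControlProvider.this.observationMgr.addEventListener(this, eventTypes, UserAccessControlProvider.this.groupsPath, true, (String[]) null, (String[]) null, false);
        }

        /** Resolves the given privilege names (expanded-form JCR names) to their combined bits. */
        private PrivilegeBits getPrivilegeBits(String... strArr) throws RepositoryException {
            Name[] names = new Name[strArr.length];
            for (int idx = 0; idx < strArr.length; idx++) {
                names[idx] = UserAccessControlProvider.this.session.getQName(strArr[idx]);
            }
            return getPrivilegeManagerImpl().getBits(names);
        }

        /** Returns {@code privilegeBits} itself when it can be modified, otherwise a copy obtained from it. */
        private PrivilegeBits assertModifiable(PrivilegeBits privilegeBits) {
            return privilegeBits.isModifiable() ? privilegeBits : PrivilegeBits.getInstance(privilegeBits);
        }

        /**
         * Adds the named privileges to {@code current}, but only when the
         * target path is an existing node; otherwise {@code current} is
         * returned untouched.
         */
        private PrivilegeBits withPrivileges(PrivilegeBits current, boolean targetIsNode, String... privilegeNames) throws RepositoryException {
            if (!targetIsNode) {
                return current;
            }
            PrivilegeBits bits = assertModifiable(current);
            bits.add(getPrivilegeBits(privilegeNames));
            return bits;
        }

        /**
         * Tells whether {@code jcrPath} lies in a group subtree that group
         * administrators must not modify (administrators / user-admin group).
         *
         * <p>Fails closed: if either protected path is unknown (null after
         * {@code init}), every path is treated as protected. The previous
         * code called {@code startsWith(null)} in that situation and threw a
         * NullPointerException during permission evaluation.
         *
         * <p>NOTE(review): this is a plain string-prefix test, so a sibling
         * group whose path merely starts with the same characters is also
         * treated as protected. That errs on the deny side.
         */
        private boolean isProtectedGroupPath(String jcrPath) {
            String administratorsPath = UserAccessControlProvider.this.administratorsGroupPath;
            String userAdminPath = UserAccessControlProvider.this.userAdminGroupPath;
            if (administratorsPath == null || userAdminPath == null) {
                return true;
            }
            return jcrPath.startsWith(administratorsPath) || jcrPath.startsWith(userAdminPath);
        }

        /**
         * Computes the allowed permissions and privileges for {@code path}.
         *
         * <p>READ is always part of the result once the user node exists.
         * Write access is added as follows:
         * <ul>
         *   <li>below {@code usersPath}: on the user's own node (resolved via
         *       {@code getExistingNode}, so properties of that node count as
         *       well) property modification only; on any other node full
         *       write for members of the user-admin group;</li>
         *   <li>below {@code groupsPath}: full write for members of the
         *       group-admin group, reduced to mask 150 on the group-admin
         *       group node itself, and nothing inside protected subtrees.</li>
         * </ul>
         * NOTE(review): which individual properties of the own user node are
         * protected from modification is not decided here.
         *
         * @return the compiled result; {@code Result.EMPTY} when the user node
         *         is missing or cannot be read
         */
        @Override
        protected AbstractCompiledPermissions.Result buildResult(Path path) throws RepositoryException {
            NodeImpl userNode = null;
            try {
                if (UserAccessControlProvider.this.session.nodeExists(this.userNodePath)) {
                    userNode = (NodeImpl) UserAccessControlProvider.this.session.getNode(this.userNodePath);
                }
            } catch (RepositoryException e) {
                // Deliberately not rethrown: a user node that cannot be read is
                // handled like a missing one below, which yields no permissions.
                UserAccessControlProvider.log.debug("Unable to access user node at {}: {}", this.userNodePath, e.getMessage());
            }
            if (userNode == null) {
                UserAccessControlProvider.log.debug("No node at " + this.userNodePath);
                return AbstractCompiledPermissions.Result.EMPTY;
            }

            int allows = PERM_READ;
            String jcrPath = UserAccessControlProvider.this.session.getJCRPath(path.getNormalizedPath());
            boolean targetIsNode = UserAccessControlProvider.this.session.nodeExists(jcrPath);
            PrivilegeBits privileges = targetIsNode ? getPrivilegeBits("{http://www.jcp.org/jcr/1.0}read") : PrivilegeBits.EMPTY;

            if (Text.isDescendant(UserAccessControlProvider.this.usersPath, jcrPath)) {
                boolean isUserAdmin = UserAccessControlProvider.containsGroup(this.principals, UserAccessControlProvider.this.userAdminGroup);
                NodeImpl target = (NodeImpl) UserAccessControlProvider.this.getExistingNode(path);
                boolean isFolder = target.isNodeType(UserConstants.NT_REP_AUTHORIZABLE_FOLDER);
                if (!isFolder && target.isSame(userNode)) {
                    // Own user node: property changes only, even for user admins.
                    allows = PERM_READ | PERM_OWN_PROPERTIES;
                    privileges = withPrivileges(privileges, targetIsNode, "{http://www.jcp.org/jcr/1.0}modifyProperties");
                } else if (isUserAdmin) {
                    // Folders and other authorizables: user administrators only.
                    allows = PERM_READ | PERM_FULL_WRITE;
                    privileges = withPrivileges(privileges, targetIsNode, PrivilegeRegistry.REP_WRITE);
                }
            } else if (Text.isDescendant(UserAccessControlProvider.this.groupsPath, jcrPath)
                    && UserAccessControlProvider.containsGroup(this.principals, UserAccessControlProvider.this.groupAdminGroup)
                    && !isProtectedGroupPath(jcrPath)) {
                if (jcrPath.equals(UserAccessControlProvider.this.groupAdminGroupPath)) {
                    // The group-admin group node itself: mask 150 lacks bit 8
                    // and the privilege set lacks rep:write.
                    allows = PERM_READ | PERM_GROUP_ADMIN_SELF;
                    privileges = withPrivileges(privileges, targetIsNode, "{http://www.jcp.org/jcr/1.0}addChildNodes", "{http://www.jcp.org/jcr/1.0}modifyProperties", "{http://www.jcp.org/jcr/1.0}nodeTypeManagement");
                } else {
                    allows = PERM_READ | PERM_FULL_WRITE;
                    privileges = withPrivileges(privileges, targetIsNode, PrivilegeRegistry.REP_WRITE);
                }
            }
            return new AbstractCompiledPermissions.Result(allows, 0, privileges, PrivilegeBits.EMPTY);
        }

        /**
         * Repository-level permissions are not implemented: logs a warning on
         * every call and returns a result that grants nothing.
         */
        @Override
        protected AbstractCompiledPermissions.Result buildRepositoryResult() throws RepositoryException {
            UserAccessControlProvider.log.warn("TODO: JCR-2774 - Repository level permissions.");
            return new AbstractCompiledPermissions.Result(0, 0, PrivilegeBits.EMPTY, PrivilegeBits.EMPTY);
        }

        /** Returns the privilege manager of the provider session's workspace. */
        @Override
        protected PrivilegeManagerImpl getPrivilegeManagerImpl() throws RepositoryException {
            JackrabbitWorkspace workspace = (JackrabbitWorkspace) UserAccessControlProvider.this.session.getWorkspace();
            return (PrivilegeManagerImpl) workspace.getPrivilegeManager();
        }

        /** Unregisters the observation listener (errors are logged, not thrown) and closes the base class. */
        @Override
        public void close() {
            try {
                UserAccessControlProvider.this.observationMgr.removeEventListener(this);
            } catch (RepositoryException e) {
                UserAccessControlProvider.log.error("Internal error: {}", e.getMessage());
            }
            super.close();
        }

        /**
         * A request for exactly the READ mask is answered by
         * {@link #canReadAll()} without looking at {@code path}; any other
         * mask is delegated to the base class.
         */
        @Override
        public boolean grants(Path path, int i) throws RepositoryException {
            if (i == PERM_READ) {
                return canReadAll();
            }
            return super.grants(path, i);
        }

        /**
         * Read access is all-or-nothing: it is granted for every item as long
         * as the user node these permissions were compiled for still exists.
         */
        @Override
        public boolean canReadAll() throws RepositoryException {
            return UserAccessControlProvider.this.session.nodeExists(this.userNodePath);
        }

        /** Ignores both arguments; see {@link #canReadAll()}. */
        @Override
        public boolean canRead(Path path, ItemId itemId) throws RepositoryException {
            return canReadAll();
        }

        /**
         * Drops cached results when group membership may have changed.
         *
         * <p>The lookups are inside the {@code try} so that a
         * RepositoryException is handled by the catch block: the decompiled
         * listing had left the {@code try} body empty with the lookups after
         * it, which neither compiles nor matches the handler. On any error the
         * cache is cleared as well, so a failed lookup can never leave stale
         * permissions in place.
         */
        @Override
        public void onEvent(EventIterator eventIterator) {
            while (eventIterator.hasNext()) {
                Event nextEvent = eventIterator.nextEvent();
                try {
                    String membersPropertyName = UserAccessControlProvider.this.session.getJCRName(UserConstants.P_MEMBERS);
                    if (membersPropertyName.equals(Text.getName(nextEvent.getPath()))) {
                        clearCache();
                        return;
                    }
                    if (!UserAccessControlProvider.this.membersInProperty) {
                        // Membership is not kept in a single property: check whether
                        // the event's node is of the members node type.
                        NodeTypeImpl primaryType = (NodeTypeImpl) UserAccessControlProvider.this.session.getNodeByIdentifier(nextEvent.getIdentifier()).getPrimaryNodeType();
                        if (UserConstants.NT_REP_MEMBERS.equals(primaryType.getQName())) {
                            clearCache();
                        }
                    }
                } catch (RepositoryException e) {
                    UserAccessControlProvider.log.warn("Internal error: {}", e.getMessage());
                    clearCache();
                }
            }
        }
    }

    /** This provider stores no access control content, so no path is an AC item. */
    @Override
    public boolean isAcItem(Path path) throws RepositoryException {
        return false;
    }

    /** This provider stores no access control content, so no item is an AC item. */
    @Override
    public boolean isAcItem(ItemImpl itemImpl) throws RepositoryException {
        return false;
    }

    /**
     * Initializes the provider: resolves (or creates) the user-admin,
     * group-admin and administrators groups, records their paths, and reads
     * the anonymous settings from the configuration.
     *
     * <p>Security-relevant defaults visible here: anonymous access is
     * <em>enabled</em> when {@link #PARAM_ANONYMOUS_ACCESS} is absent, and the
     * anonymous id falls back to {@code SecurityConstants.ANONYMOUS_ID}.
     * Deployments that must not expose the user/group trees to anonymous
     * sessions have to set {@code anonymousAccess} to {@code "false"}.
     *
     * <p>NOTE(review): only the session's type is checked; that it really is
     * the system session, as the error message says, is not verified here.
     * The anonymous parameters are cast to String, so non-String
     * configuration values fail with a ClassCastException.
     *
     * @param session expected to be a {@code SessionImpl}
     * @param map     provider configuration
     * @throws RepositoryException if {@code session} is not a {@code SessionImpl}
     *                             or the base class initialization fails
     */
    @Override
    public void init(Session session, Map map) throws RepositoryException {
        super.init(session, map);
        if (!(session instanceof SessionImpl)) {
            throw new RepositoryException("SessionImpl (system session) expected.");
        }
        SessionImpl sessionImpl = (SessionImpl) session;
        String userAdminName = map.containsKey(UserConstants.USER_ADMIN_GROUP_NAME) ? map.get(UserConstants.USER_ADMIN_GROUP_NAME).toString() : UserConstants.USER_ADMIN_GROUP_NAME;
        String groupAdminName = map.containsKey(UserConstants.GROUP_ADMIN_GROUP_NAME) ? map.get(UserConstants.GROUP_ADMIN_GROUP_NAME).toString() : UserConstants.GROUP_ADMIN_GROUP_NAME;
        UserManager userManager = sessionImpl.getUserManager();

        // instanceof is false for null, so a failed initGroup() simply leaves
        // the corresponding path unset.
        this.userAdminGroup = initGroup(userManager, userAdminName);
        if (this.userAdminGroup instanceof ItemBasedPrincipal) {
            this.userAdminGroupPath = ((ItemBasedPrincipal) this.userAdminGroup).getPath();
        }
        this.groupAdminGroup = initGroup(userManager, groupAdminName);
        if (this.groupAdminGroup instanceof ItemBasedPrincipal) {
            this.groupAdminGroupPath = ((ItemBasedPrincipal) this.groupAdminGroup).getPath();
        }
        Principal administrators = initGroup(userManager, SecurityConstants.ADMINISTRATORS_NAME);
        if (administrators instanceof ItemBasedPrincipal) {
            this.administratorsGroupPath = ((ItemBasedPrincipal) administrators).getPath();
        }

        if (userManager instanceof UserManagerImpl) {
            UserManagerImpl impl = (UserManagerImpl) userManager;
            this.usersPath = impl.getUsersPath();
            this.groupsPath = impl.getGroupsPath();
            this.membersInProperty = !impl.hasMemberSplitSize();
        } else {
            this.usersPath = UserConstants.USERS_PATH;
            this.groupsPath = UserConstants.GROUPS_PATH;
            this.membersInProperty = true;
        }

        this.anonymousId = map.containsKey(PARAM_ANONYMOUS_ID)
                ? (String) map.get(PARAM_ANONYMOUS_ID)
                : SecurityConstants.ANONYMOUS_ID;
        this.anonymousAccess = map.containsKey(PARAM_ANONYMOUS_ACCESS)
                ? Boolean.parseBoolean((String) map.get(PARAM_ANONYMOUS_ACCESS))
                : true;
    }

    /** Returns the single fixed policy of this provider, regardless of {@code path}. */
    @Override
    public AccessControlPolicy[] getEffectivePolicies(Path path, CompiledPermissions compiledPermissions) throws ItemNotFoundException, RepositoryException {
        checkInitialized();
        return new AccessControlPolicy[]{this.policy};
    }

    /** Returns the single fixed policy of this provider, regardless of the principals. */
    @Override
    public AccessControlPolicy[] getEffectivePolicies(Set<Principal> set, CompiledPermissions compiledPermissions) throws ItemNotFoundException, RepositoryException {
        checkInitialized();
        return new AccessControlPolicy[]{this.policy};
    }

    /** Always {@code null}: the policy of this provider cannot be edited. */
    @Override
    public AccessControlEditor getEditor(Session session) {
        checkInitialized();
        return null;
    }

    /**
     * Compiles the permissions for a principal set.
     *
     * @return admin permissions for admin/system principals;
     *         {@code CompiledPermissions.NO_PERMISSION} for anonymous when
     *         anonymous access is disabled, or when no user node can be
     *         resolved; otherwise permissions bound to the user's node
     */
    @Override
    public CompiledPermissions compilePermissions(Set<Principal> set) throws RepositoryException {
        checkInitialized();
        if (isAdminOrSystem(set)) {
            return getAdminPermissions();
        }
        if (!this.anonymousAccess && isAnonymous(set)) {
            return CompiledPermissions.NO_PERMISSION;
        }
        NodeImpl userNode = getUserNode(getUserPrincipal(set));
        if (userNode == null) {
            // Unknown principal or lookup failure: deny rather than guess.
            return CompiledPermissions.NO_PERMISSION;
        }
        return new CompiledPermissionsImpl(set, userNode.getPath());
    }

    /** Root access is allowed for everyone except anonymous with anonymous access disabled. */
    @Override
    public boolean canAccessRoot(Set<Principal> set) throws RepositoryException {
        checkInitialized();
        return this.anonymousAccess || !isAnonymous(set);
    }

    /**
     * Picks the first non-group, item-based principal that the user manager
     * knows as an authorizable.
     *
     * @return that principal, or {@code null} when none qualifies or the
     *         lookup fails (the failure is logged; callers then deny access)
     */
    private ItemBasedPrincipal getUserPrincipal(Set<Principal> set) {
        try {
            UserManager userManager = this.session.getUserManager();
            for (Principal candidate : set) {
                boolean isUserPrincipal = !(candidate instanceof Group) && (candidate instanceof ItemBasedPrincipal);
                if (isUserPrincipal && userManager.getAuthorizable(candidate) != null) {
                    return (ItemBasedPrincipal) candidate;
                }
            }
        } catch (RepositoryException e) {
            log.error("Internal error while retrieving user principal: {}", e.getMessage());
        }
        return null;
    }

    /**
     * Loads the node behind an item-based principal.
     *
     * @return the node, or {@code null} for a {@code null} principal or when
     *         the node cannot be retrieved (logged as a warning)
     */
    private NodeImpl getUserNode(ItemBasedPrincipal itemBasedPrincipal) {
        if (itemBasedPrincipal == null) {
            return null;
        }
        try {
            return (NodeImpl) this.session.getNode(itemBasedPrincipal.getPath());
        } catch (RepositoryException e) {
            log.warn("Error while retrieving user node. {}", e.getMessage());
            return null;
        }
    }

    /**
     * Resolves {@code path} to an existing node: the node itself, the parent
     * of an existing property, or the closest existing ancestor below the
     * root.
     *
     * <p>Declared public in this decompiled listing; JADX widened it from
     * private for access from the inner class.
     *
     * @throws ItemNotFoundException if nothing below the root exists on the
     *                               way up from {@code path}
     */
    public Node getExistingNode(Path path) throws RepositoryException {
        String jcrPath = this.session.getJCRPath(path.getNormalizedPath());
        if (this.session.nodeExists(jcrPath)) {
            return this.session.getNode(jcrPath);
        }
        if (this.session.propertyExists(jcrPath)) {
            return this.session.getProperty(jcrPath).getParent();
        }
        // Walk up the ancestors; the root itself is never returned.
        for (String ancestor = Text.getRelativeParent(jcrPath, 1);
                !"/".equals(ancestor);
                ancestor = Text.getRelativeParent(ancestor, 1)) {
            if (this.session.nodeExists(ancestor)) {
                return this.session.getNode(ancestor);
            }
        }
        throw new ItemNotFoundException("Unable to determine permissions: No item and no existing parent for target path " + jcrPath);
    }

    /**
     * Tells whether {@code set} contains a principal with the same name as
     * {@code principal}. A {@code null} group never matches, so an
     * unresolved admin group grants nothing.
     *
     * <p>NOTE(review): membership is decided by principal <em>name</em> only,
     * not by type or identity; this relies on the login modules never placing
     * a foreign principal with an admin group's name into the subject.
     *
     * <p>Declared public in this decompiled listing; JADX widened it from
     * private for access from the inner class.
     */
    public static boolean containsGroup(Set<Principal> set, Principal principal) {
        if (principal == null) {
            return false;
        }
        for (Principal candidate : set) {
            if (candidate.getName().equals(principal.getName())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Looks up the group with the given principal name and creates it when no
     * authorizable with that name exists yet.
     *
     * @return the group's principal, or {@code null} when a <em>user</em>
     *         already owns that principal name or the repository call fails;
     *         in both cases nobody is treated as a member of that group
     */
    private static Principal initGroup(UserManager userManager, String str) {
        PrincipalImpl groupPrincipal = new PrincipalImpl(str);
        try {
            Authorizable authorizable = userManager.getAuthorizable(groupPrincipal);
            if (authorizable == null) {
                authorizable = userManager.createGroup(groupPrincipal);
            } else if (!authorizable.isGroup()) {
                // Never promote an existing user to an administrative group.
                log.warn("Cannot create group '{}'; User with that principal already exists.", str);
                authorizable = null;
            }
            return authorizable != null ? authorizable.getPrincipal() : null;
        } catch (RepositoryException e) {
            // The format string used "()" instead of "{}", which dropped the
            // exception message from the log entry.
            log.error("Error while initializing user/group administrators: {}", e.getMessage());
            return null;
        }
    }

    /**
     * A principal set is anonymous when it contains an
     * {@code AnonymousPrincipal} or a principal named like the configured
     * anonymous id.
     */
    private boolean isAnonymous(Set<Principal> set) {
        for (Principal candidate : set) {
            if ((candidate instanceof AnonymousPrincipal) || candidate.getName().equals(this.anonymousId)) {
                return true;
            }
        }
        return false;
    }
}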
