package org.apache.jackrabbit.oak.security.authorization.permission;

import com.google.common.base.Preconditions;
import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import org.apache.jackrabbit.JcrConstants;
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.plugins.index.IndexConstants;
import org.apache.jackrabbit.oak.plugins.lock.LockConstants;
import org.apache.jackrabbit.oak.plugins.nodetype.NodeTypeConstants;
import org.apache.jackrabbit.oak.plugins.nodetype.TypePredicate;
import org.apache.jackrabbit.oak.plugins.tree.ChildOrderDiff;
import org.apache.jackrabbit.oak.plugins.tree.ImmutableTree;
import org.apache.jackrabbit.oak.plugins.tree.TreeConstants;
import org.apache.jackrabbit.oak.plugins.version.VersionConstants;
import org.apache.jackrabbit.oak.spi.commit.DefaultValidator;
import org.apache.jackrabbit.oak.spi.commit.Validator;
import org.apache.jackrabbit.oak.spi.commit.VisibleValidator;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
import org.apache.jackrabbit.oak.spi.state.NodeState;
import org.apache.jackrabbit.oak.spi.state.NodeStateUtils;
import org.apache.jackrabbit.oak.util.TreeUtil;

/* JADX WARN: Classes with same name are omitted:
  input_file:WEB-INF/lib/oak-upgrade-1.0.39.jar:org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidator.class
 */
/* loaded from: input_file:WEB-INF/lib/oak-core-1.0.39.jar:org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidator.class */
class PermissionValidator extends DefaultValidator {
    private final ImmutableTree parentBefore;
    private final ImmutableTree parentAfter;
    private final TreePermission parentPermission;
    private final PermissionProvider permissionProvider;
    private final PermissionValidatorProvider provider;
    private final TypePredicate isReferenceable;
    private final TypePredicate isCreated;
    private final long permission;

    /* JADX INFO: Access modifiers changed from: package-private */
    public PermissionValidator(@Nonnull ImmutableTree immutableTree, @Nonnull ImmutableTree immutableTree2, @Nonnull PermissionProvider permissionProvider, @Nonnull PermissionValidatorProvider permissionValidatorProvider) {
        this.parentBefore = immutableTree;
        this.parentAfter = immutableTree2;
        this.parentPermission = permissionProvider.getTreePermission(this.parentBefore, TreePermission.EMPTY);
        this.permissionProvider = permissionProvider;
        this.provider = permissionValidatorProvider;
        this.isReferenceable = new TypePredicate(immutableTree2.getNodeState(), JcrConstants.MIX_REFERENCEABLE);
        this.isCreated = new TypePredicate(immutableTree2.getNodeState(), NodeTypeConstants.MIX_CREATED);
        this.permission = Permissions.getPermission(PermissionUtil.getPath(this.parentBefore, this.parentAfter), 0L);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public PermissionValidator(@Nullable ImmutableTree immutableTree, @Nullable ImmutableTree immutableTree2, @Nullable TreePermission treePermission, @Nonnull PermissionValidator permissionValidator) {
        this.parentBefore = immutableTree;
        this.parentAfter = immutableTree2;
        this.parentPermission = treePermission;
        this.permissionProvider = permissionValidator.permissionProvider;
        this.provider = permissionValidator.provider;
        this.isReferenceable = permissionValidator.isReferenceable;
        this.isCreated = permissionValidator.isCreated;
        if (0 == permissionValidator.permission) {
            this.permission = Permissions.getPermission(PermissionUtil.getPath(immutableTree, immutableTree2), 0L);
        } else {
            this.permission = permissionValidator.permission;
        }
    }

    @Override // org.apache.jackrabbit.oak.spi.commit.DefaultValidator, org.apache.jackrabbit.oak.spi.commit.Validator, org.apache.jackrabbit.oak.spi.commit.Editor
    public void propertyAdded(PropertyState propertyState) throws CommitFailedException {
        String name = propertyState.getName();
        if (TreeConstants.OAK_CHILD_ORDER.equals(name) || isImmutableProperty(name, this.parentAfter)) {
            return;
        }
        checkPermissions(this.parentAfter, propertyState, 4L);
    }

    @Override // org.apache.jackrabbit.oak.spi.commit.DefaultValidator, org.apache.jackrabbit.oak.spi.commit.Validator, org.apache.jackrabbit.oak.spi.commit.Editor
    public void propertyChanged(PropertyState propertyState, PropertyState propertyState2) throws CommitFailedException {
        String name = propertyState2.getName();
        if (TreeConstants.OAK_CHILD_ORDER.equals(name)) {
            if (ChildOrderDiff.firstReordered(propertyState, propertyState2) != null) {
                checkPermissions(this.parentAfter, false, Permissions.MODIFY_CHILD_NODE_COLLECTION);
            }
        } else if (isImmutableProperty(name, this.parentAfter)) {
            checkPermissions(this.parentAfter, false, 96L);
        } else {
            checkPermissions(this.parentAfter, propertyState2, 8L);
        }
    }

    @Override // org.apache.jackrabbit.oak.spi.commit.DefaultValidator, org.apache.jackrabbit.oak.spi.commit.Validator, org.apache.jackrabbit.oak.spi.commit.Editor
    public void propertyDeleted(PropertyState propertyState) throws CommitFailedException {
        String name = propertyState.getName();
        if (TreeConstants.OAK_CHILD_ORDER.equals(name) || isImmutableProperty(name, this.parentBefore)) {
            return;
        }
        checkPermissions(this.parentBefore, propertyState, 16L);
    }

    @Override // org.apache.jackrabbit.oak.spi.commit.DefaultValidator, org.apache.jackrabbit.oak.spi.commit.Editor
    public Validator childNodeAdded(String str, NodeState nodeState) throws CommitFailedException {
        ImmutableTree immutableTree = (ImmutableTree) Preconditions.checkNotNull(this.parentAfter.getChild(str));
        if (isVersionstorageTree(immutableTree)) {
            immutableTree = getVersionHistoryTree(immutableTree);
            if (immutableTree == null) {
                throw new CommitFailedException(CommitFailedException.ACCESS, 21, "New version storage node without version history: cannot verify permissions.");
            }
        }
        return checkPermissions(immutableTree, false, 32L);
    }

    @Override // org.apache.jackrabbit.oak.spi.commit.DefaultValidator, org.apache.jackrabbit.oak.spi.commit.Editor
    public Validator childNodeChanged(String str, NodeState nodeState, NodeState nodeState2) throws CommitFailedException {
        return nextValidator(this.parentBefore.getChild(str), this.parentAfter.getChild(str), this.parentPermission.getChildPermission(str, nodeState));
    }

    @Override // org.apache.jackrabbit.oak.spi.commit.DefaultValidator, org.apache.jackrabbit.oak.spi.commit.Editor
    public Validator childNodeDeleted(String str, NodeState nodeState) throws CommitFailedException {
        ImmutableTree child = this.parentBefore.getChild(str);
        if (isVersionstorageTree(child)) {
            throw new CommitFailedException(CommitFailedException.ACCESS, 22, "Attempt to remove versionstorage node: Fail to verify delete permission.");
        }
        return checkPermissions(child, true, 64L);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @Nonnull
    public PermissionValidator createValidator(@Nullable ImmutableTree immutableTree, @Nullable ImmutableTree immutableTree2, @Nonnull TreePermission treePermission, @Nonnull PermissionValidator permissionValidator) {
        return new PermissionValidator(immutableTree, immutableTree2, treePermission, permissionValidator);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @CheckForNull
    public Tree getParentAfter() {
        return this.parentAfter;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @CheckForNull
    public Tree getParentBefore() {
        return this.parentBefore;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @Nonnull
    public PermissionProvider getPermissionProvider() {
        return this.permissionProvider;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    @CheckForNull
    public Validator checkPermissions(@Nonnull ImmutableTree immutableTree, boolean z, long j) throws CommitFailedException {
        long permission = getPermission(immutableTree, j);
        if (Permissions.isRepositoryPermission(permission)) {
            if (this.permissionProvider.getRepositoryPermission().isGranted(permission)) {
                return null;
            }
            throw new CommitFailedException(CommitFailedException.ACCESS, 0, "Access denied");
        }
        TreePermission childPermission = this.parentPermission.getChildPermission(immutableTree.getName(), immutableTree.getNodeState());
        if (!childPermission.isGranted(permission)) {
            throw new CommitFailedException(CommitFailedException.ACCESS, 0, "Access denied");
        }
        if (noTraverse(permission, j)) {
            return null;
        }
        return z ? nextValidator(immutableTree, null, childPermission) : nextValidator(null, immutableTree, childPermission);
    }

    private void checkPermissions(@Nonnull ImmutableTree immutableTree, @Nonnull PropertyState propertyState, long j) throws CommitFailedException {
        if (NodeStateUtils.isHidden(propertyState.getName())) {
            return;
        }
        long permission = getPermission(immutableTree, propertyState, j);
        if (permission != 0) {
            if (!(Permissions.isRepositoryPermission(permission) ? this.permissionProvider.getRepositoryPermission().isGranted(permission) : this.parentPermission.isGranted(permission, propertyState))) {
                throw new CommitFailedException(CommitFailedException.ACCESS, 0, "Access denied");
            }
        }
    }

    @Nonnull
    private Validator nextValidator(@Nullable ImmutableTree immutableTree, @Nullable ImmutableTree immutableTree2, @Nonnull TreePermission treePermission) {
        return new VisibleValidator(createValidator(immutableTree, immutableTree2, treePermission, this), true, false);
    }

    private long getPermission(@Nonnull Tree tree, long j) {
        if (this.permission != 0) {
            return this.permission;
        }
        return testAccessControlPermission(tree) ? 256L : testUserPermission(tree) ? 524288L : isIndexDefinition(tree) ? 1048576L : j;
    }

    private long getPermission(@Nonnull ImmutableTree immutableTree, @Nonnull PropertyState propertyState, long j) {
        if (this.permission != 0) {
            return this.permission;
        }
        String name = propertyState.getName();
        return "jcr:primaryType".equals(name) ? j == 8 ? getPermission(immutableTree, 512L) : 0L : JcrConstants.JCR_MIXINTYPES.equals(name) ? 512L : LockConstants.LOCK_PROPERTY_NAMES.contains(name) ? 2048L : VersionConstants.VERSION_PROPERTY_NAMES.contains(name) ? 1024L : this.provider.getAccessControlContext().definesProperty(immutableTree, propertyState) ? 256L : (!this.provider.getUserContext().definesProperty(immutableTree, propertyState) || this.provider.requiresJr2Permissions(Permissions.USER_MANAGEMENT)) ? isIndexDefinition(immutableTree) ? 1048576L : j : 524288L;
    }

    private boolean noTraverse(long j, long j2) {
        if (j2 == 64 && this.provider.requiresJr2Permissions(64L)) {
            return false;
        }
        return j == 256 || j == 1024 || j == 64 || j2 == 64;
    }

    private boolean isImmutableProperty(@Nonnull String str, @Nonnull ImmutableTree immutableTree) {
        if (JcrConstants.JCR_UUID.equals(str) && this.isReferenceable.apply(immutableTree.getNodeState())) {
            return true;
        }
        return (JcrConstants.JCR_CREATED.equals(str) || NodeTypeConstants.JCR_CREATEDBY.equals(str)) && this.isCreated.apply(immutableTree.getNodeState());
    }

    private boolean testUserPermission(@Nonnull Tree tree) {
        return this.provider.getUserContext().definesTree(tree) && !this.provider.requiresJr2Permissions(Permissions.USER_MANAGEMENT);
    }

    private boolean testAccessControlPermission(@Nonnull Tree tree) {
        return this.provider.getAccessControlContext().definesTree(tree);
    }

    private boolean isVersionstorageTree(Tree tree) {
        return this.permission == 1024 && VersionConstants.REP_VERSIONSTORAGE.equals(TreeUtil.getPrimaryTypeName(tree));
    }

    @CheckForNull
    private ImmutableTree getVersionHistoryTree(Tree tree) throws CommitFailedException {
        Tree tree2 = null;
        for (Tree tree3 : tree.getChildren()) {
            if (JcrConstants.NT_VERSIONHISTORY.equals(TreeUtil.getPrimaryTypeName(tree3))) {
                tree2 = tree3;
            } else {
                if (!isVersionstorageTree(tree3)) {
                    throw new CommitFailedException("Misc", 0, "unexpected node");
                }
                tree2 = getVersionHistoryTree(tree3);
            }
        }
        return (ImmutableTree) tree2;
    }

    private boolean isIndexDefinition(@Nonnull Tree tree) {
        return tree.getPath().contains(IndexConstants.INDEX_DEFINITIONS_NAME);
    }
}
