package org.apache.jackrabbit.oak.security.authorization;

import com.google.common.base.Preconditions;
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;
import javax.jcr.security.AccessControlException;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.JcrConstants;
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.core.TreeImpl;
import org.apache.jackrabbit.oak.plugins.nodetype.ReadOnlyNodeTypeManager;
import org.apache.jackrabbit.oak.spi.commit.DefaultValidator;
import org.apache.jackrabbit.oak.spi.commit.Validator;
import org.apache.jackrabbit.oak.spi.security.authorization.AccessControlConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
import org.apache.jackrabbit.oak.spi.state.NodeState;
import org.apache.jackrabbit.oak.util.TreeUtil;
import org.apache.jackrabbit.util.Text;

/* loaded from: input_file:WEB-INF/lib/oak-core-0.8.jar:org/apache/jackrabbit/oak/security/authorization/AccessControlValidator.class */
/**
 * Commit validator for access control content.
 *
 * <p>For every added or changed child node and every added or changed property it checks
 * that policy nodes, access control entries (ACEs) and restriction nodes sit in the
 * expected place and carry the expected data. Every violation is reported as a
 * {@link CommitFailedException} of type {@link CommitFailedException#ACCESS}; codes 2-12
 * identify the individual checks, code 1 wraps a failure reported by the
 * {@link RestrictionProvider}.
 *
 * <p>Deletions are not inspected by this class (see {@link #propertyDeleted} and
 * {@link #childNodeDeleted}).
 */
class AccessControlValidator extends DefaultValidator implements AccessControlConstants {
    /** Parent tree before the commit; {@code null} for validators created by {@link #childNodeAdded}. */
    private final Tree parentBefore;
    /** Parent tree as it will look after the commit; all checks run against this state. */
    private final Tree parentAfter;
    /** Privileges by name; ACE privilege names are validated against the keys of this map. */
    private final Map<String, Privilege> privileges;
    /** Validates the restrictions of an ACE. */
    private final RestrictionProvider restrictionProvider;
    /** Used to test whether the node holding a policy has the required mixin type. */
    private final ReadOnlyNodeTypeManager ntMgr;

    /**
     * Creates a validator for one level of the tree.
     *
     * <p>Decompiler note: the original constructor was package-private.
     *
     * @param before parent tree before the commit, may be {@code null} for added subtrees
     * @param after parent tree after the commit
     * @param privilegesByName privileges by name
     * @param restrictions provider used to validate ACE restrictions
     * @param nodeTypes node type manager used for mixin checks
     */
    public AccessControlValidator(Tree before, Tree after, Map<String, Privilege> privilegesByName, RestrictionProvider restrictions, ReadOnlyNodeTypeManager nodeTypes) {
        this.parentBefore = before;
        this.parentAfter = after;
        this.privileges = privilegesByName;
        this.restrictionProvider = restrictions;
        this.ntMgr = nodeTypes;
    }

    /**
     * Validates the parent after a property was added to it.
     *
     * @throws CommitFailedException if the parent is an invalid ACE or carries the
     *         repository-level mixin without being the root
     */
    @Override
    public void propertyAdded(PropertyState after) throws CommitFailedException {
        validateProperty(after);
    }

    /**
     * Validates the parent after one of its properties was modified; only the new
     * state of the property is looked at.
     *
     * @throws CommitFailedException if the parent is an invalid ACE or carries the
     *         repository-level mixin without being the root
     */
    @Override
    public void propertyChanged(PropertyState before, PropertyState after) throws CommitFailedException {
        validateProperty(after);
    }

    /**
     * Intentionally performs no check.
     *
     * <p>NOTE(review): removing the principal name or the privileges from an ACE is not
     * re-validated here; presumably node type validation elsewhere rejects that - confirm.
     */
    @Override
    public void propertyDeleted(PropertyState before) throws CommitFailedException {
        // nothing to validate
    }

    /**
     * Validates an added child and returns the validator for its subtree.
     *
     * @throws CommitFailedException if the added child violates an access control constraint
     */
    @Override
    public Validator childNodeAdded(String name, NodeState after) throws CommitFailedException {
        final Tree addedChild = Preconditions.checkNotNull(this.parentAfter.getChild(name));
        checkValidTree(this.parentAfter, addedChild);
        // An added subtree has no previous state, hence the null "before" tree.
        return new AccessControlValidator(null, addedChild, this.privileges, this.restrictionProvider, this.ntMgr);
    }

    /**
     * Validates the new state of a changed child and returns the validator for its subtree.
     *
     * <p>NOTE(review): dereferences {@code parentBefore}, which is {@code null} for validators
     * created by {@link #childNodeAdded}; this assumes a changed child is never reported
     * below an added node - confirm against the diff implementation.
     *
     * @throws CommitFailedException if the changed child violates an access control constraint
     */
    @Override
    public Validator childNodeChanged(String name, NodeState before, NodeState after) throws CommitFailedException {
        final Tree childBefore = Preconditions.checkNotNull(this.parentBefore.getChild(name));
        final Tree childAfter = Preconditions.checkNotNull(this.parentAfter.getChild(name));
        checkValidTree(this.parentAfter, childAfter);
        return new AccessControlValidator(childBefore, childAfter, this.privileges, this.restrictionProvider, this.ntMgr);
    }

    /**
     * Deleted subtrees are not validated: no check runs and no child validator is returned.
     */
    @Override
    public Validator childNodeDeleted(String name, NodeState before) throws CommitFailedException {
        return null;
    }

    /** Shared body of {@link #propertyAdded} and {@link #propertyChanged}. */
    private void validateProperty(PropertyState after) throws CommitFailedException {
        final Tree owner = this.parentAfter;
        // Any property written on an ACE triggers a full re-check of that ACE.
        if (isAccessControlEntry(owner)) {
            checkValidAccessControlEntry(owner);
        }
        // Writing jcr:mixinTypes may add the repository-level mixin, which is root-only.
        if (JcrConstants.JCR_MIXINTYPES.equals(after.getName())) {
            checkMixinTypes(owner);
        }
    }

    /**
     * Dispatches on the primary type of {@code child}: policy, ACE or restrictions node.
     * Children of any other type are accepted without a check.
     */
    private void checkValidTree(Tree parent, Tree child) throws CommitFailedException {
        if (isPolicy(child)) {
            checkValidPolicy(parent, child);
        } else if (isAccessControlEntry(child)) {
            checkValidAccessControlEntry(child);
        } else if (AccessControlConstants.NT_REP_RESTRICTIONS.equals(TreeUtil.getPrimaryTypeName(child))) {
            // A restrictions node is only legal directly below an ACE.
            checkIsAccessControlEntry(parent);
            checkValidRestrictions(parent);
        }
    }

    /** Returns whether the primary type of {@code candidate} is the ACL node type. */
    private static boolean isPolicy(Tree candidate) {
        final String typeName = TreeUtil.getPrimaryTypeName(candidate);
        return AccessControlConstants.NT_REP_ACL.equals(typeName);
    }

    /** Returns whether the primary type of {@code candidate} is the deny or the grant ACE type. */
    private static boolean isAccessControlEntry(Tree candidate) {
        final String typeName = TreeUtil.getPrimaryTypeName(candidate);
        if (AccessControlConstants.NT_REP_DENY_ACE.equals(typeName)) {
            return true;
        }
        return AccessControlConstants.NT_REP_GRANT_ACE.equals(typeName);
    }

    /** Fails with code 2 unless {@code candidate} is an ACE. */
    private static void checkIsAccessControlEntry(Tree candidate) throws CommitFailedException {
        if (isAccessControlEntry(candidate)) {
            return;
        }
        throw accessViolation(2, "Access control entry node expected.");
    }

    /**
     * Checks a policy node: its parent must be access controllable (codes 5, 6, 12), its
     * name must be allowed at that location (code 3) and it must carry the child-order
     * property (code 4).
     */
    private void checkValidPolicy(Tree parent, Tree policyTree) throws CommitFailedException {
        final String policyName = policyTree.getName();

        final String requiredMixin;
        if (AccessControlConstants.REP_REPO_POLICY.equals(policyName)) {
            requiredMixin = AccessControlConstants.MIX_REP_REPO_ACCESS_CONTROLLABLE;
        } else {
            requiredMixin = AccessControlConstants.MIX_REP_ACCESS_CONTROLLABLE;
        }
        checkValidAccessControlledNode(parent, requiredMixin);

        // The root accepts every name in POLICY_NODE_NAMES, any other node only REP_POLICY.
        final boolean nameAllowed = parent.isRoot()
                ? POLICY_NODE_NAMES.contains(policyName)
                : Collections.singleton(AccessControlConstants.REP_POLICY).contains(policyName);
        if (!nameAllowed) {
            throw accessViolation(3, "Invalid policy name " + policyName);
        }

        if (!policyTree.hasProperty(TreeImpl.OAK_CHILD_ORDER)) {
            throw accessViolation(4, "Invalid policy node: Order of children is not stable.");
        }
    }

    /**
     * Checks the node that holds a policy: it must not itself be access control content
     * (code 5), must be of the required mixin type (code 6) and, for the repository-level
     * mixin, must be the root (code 12).
     */
    private void checkValidAccessControlledNode(Tree accessControlled, String requiredMixin) throws CommitFailedException {
        // Policies must not be nested inside other access control content.
        if (AC_NODETYPE_NAMES.contains(TreeUtil.getPrimaryTypeName(accessControlled))) {
            throw accessViolation(5, "Access control policy within access control content (" + accessControlled.getPath() + ')');
        }
        if (!this.ntMgr.isNodeType(accessControlled, requiredMixin)) {
            throw accessViolation(6, "Isolated policy node. Parent is not of type " + requiredMixin);
        }
        if (AccessControlConstants.MIX_REP_REPO_ACCESS_CONTROLLABLE.equals(requiredMixin)) {
            checkValidRepoAccessControlled(accessControlled);
        }
    }

    /**
     * Checks an ACE: it must sit below an existing ACL node (code 7), name a principal
     * (code 8), list valid non-abstract privileges (codes 9-11) and carry restrictions
     * accepted by the restriction provider (code 1).
     */
    private void checkValidAccessControlEntry(Tree aceTree) throws CommitFailedException {
        final Tree acl = aceTree.getParent();
        final boolean belowAcl = acl.exists() && AccessControlConstants.NT_REP_ACL.equals(TreeUtil.getPrimaryTypeName(acl));
        if (!belowAcl) {
            throw accessViolation(7, "Isolated access control entry at " + aceTree.getPath());
        }

        final String principalName = TreeUtil.getString(aceTree, "rep:principalName");
        checkValidPrincipal(principalName);

        final String[] privilegeNames = TreeUtil.getStrings(aceTree, "rep:privileges");
        checkValidPrivileges(privilegeNames);

        checkValidRestrictions(aceTree);
    }

    /**
     * Fails with code 8 when the principal name is {@code null} or empty.
     *
     * <p>NOTE(review): only presence is checked; whether the name refers to a known
     * principal is not verified here.
     */
    private void checkValidPrincipal(String principalName) throws CommitFailedException {
        final boolean present = principalName != null && !principalName.isEmpty();
        if (!present) {
            throw accessViolation(8, "Missing principal name.");
        }
    }

    /**
     * Fails when no privilege is given (code 9), when a name is {@code null} or not a key
     * of the privileges map (code 10) or when it names an abstract privilege (code 11).
     */
    private void checkValidPrivileges(String[] privilegeNames) throws CommitFailedException {
        final boolean hasAny = privilegeNames != null && privilegeNames.length != 0;
        if (!hasAny) {
            throw accessViolation(9, "Missing privileges.");
        }
        for (int i = 0; i < privilegeNames.length; i++) {
            final String privilegeName = privilegeNames[i];
            if (privilegeName == null || !this.privileges.containsKey(privilegeName)) {
                throw accessViolation(10, "Invalid privilege " + privilegeName);
            }
            final Privilege privilege = this.privileges.get(privilegeName);
            if (privilege.isAbstract()) {
                throw accessViolation(11, "Abstract privilege " + privilegeName);
            }
        }
    }

    /**
     * Hands the ACE to the restriction provider together with the path of the
     * access controlled node, or {@code null} for the repository-level policy.
     */
    private void checkValidRestrictions(Tree aceTree) throws CommitFailedException {
        final String aclPath = Preconditions.checkNotNull(aceTree.getParent()).getPath();
        final String controlledPath;
        if (AccessControlConstants.REP_REPO_POLICY.equals(Text.getName(aclPath))) {
            controlledPath = null;
        } else {
            // One level above the ACL node is the node the policy applies to.
            controlledPath = Text.getRelativeParent(aclPath, 1);
        }
        try {
            this.restrictionProvider.validateRestrictions(controlledPath, aceTree);
        } catch (AccessControlException e) {
            throw new CommitFailedException(CommitFailedException.ACCESS, 1, "Access control violation", e);
        }
    }

    /** Applies the root-only check when the mixin types include the repository-level mixin. */
    private static void checkMixinTypes(Tree parent) throws CommitFailedException {
        final String[] mixinNames = TreeUtil.getStrings(parent, JcrConstants.JCR_MIXINTYPES);
        if (mixinNames != null && Arrays.asList(mixinNames).contains(AccessControlConstants.MIX_REP_REPO_ACCESS_CONTROLLABLE)) {
            checkValidRepoAccessControlled(parent);
        }
    }

    /** Fails with code 12 unless {@code accessControlled} is the root. */
    private static void checkValidRepoAccessControlled(Tree accessControlled) throws CommitFailedException {
        if (accessControlled.isRoot()) {
            return;
        }
        throw accessViolation(12, "Only root can store repository level policies.");
    }

    /** Builds an ACCESS-type {@link CommitFailedException} with the given code and message. */
    private static CommitFailedException accessViolation(int code, String message) {
        return new CommitFailedException(CommitFailedException.ACCESS, code, message);
    }
}
