package org.apache.jackrabbit.oak.security.authorization.permission;

import com.google.common.base.Objects;
import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.common.collect.Lists;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
import org.apache.jackrabbit.JcrConstants;
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.commons.PathUtils;
import org.apache.jackrabbit.oak.core.ImmutableRoot;
import org.apache.jackrabbit.oak.core.ImmutableTree;
import org.apache.jackrabbit.oak.core.TreeImpl;
import org.apache.jackrabbit.oak.core.TreeTypeProvider;
import org.apache.jackrabbit.oak.plugins.memory.EmptyNodeState;
import org.apache.jackrabbit.oak.plugins.nodetype.ReadOnlyNodeTypeManager;
import org.apache.jackrabbit.oak.security.privilege.PrivilegeBits;
import org.apache.jackrabbit.oak.security.privilege.PrivilegeBitsProvider;
import org.apache.jackrabbit.oak.spi.commit.PostValidationHook;
import org.apache.jackrabbit.oak.spi.security.authorization.AccessControlConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
import org.apache.jackrabbit.oak.spi.state.DefaultNodeStateDiff;
import org.apache.jackrabbit.oak.spi.state.NodeBuilder;
import org.apache.jackrabbit.oak.spi.state.NodeState;
import org.apache.jackrabbit.oak.spi.state.NodeStateUtils;
import org.apache.jackrabbit.oak.util.TreeUtil;
import org.apache.jackrabbit.util.Text;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/oak-core-0.8.jar:org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.class */
public class PermissionHook implements PostValidationHook, AccessControlConstants, PermissionConstants {
    private static final Logger log = LoggerFactory.getLogger(PermissionHook.class);
    private final RestrictionProvider restrictionProvider;
    private final String workspaceName;
    private NodeBuilder permissionRoot;
    private ReadOnlyNodeTypeManager ntMgr;
    private PrivilegeBitsProvider bitsProvider;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/oak-core-0.8.jar:org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook$AfterNode.class */
    public static final class AfterNode extends Node {
        private final NodeBuilder builder;

        private AfterNode(NodeBuilder nodeBuilder) {
            super("/");
            this.builder = nodeBuilder;
        }

        private AfterNode(String str, String str2, NodeState nodeState) {
            super(str, str2);
            this.builder = nodeState.builder();
        }

        private AfterNode(AfterNode afterNode, String str) {
            super(afterNode.getPath(), str);
            this.builder = afterNode.builder.child(str);
        }

        @Override // org.apache.jackrabbit.oak.security.authorization.permission.PermissionHook.Node
        NodeState getNodeState() {
            return this.builder.getNodeState();
        }
    }

    /* loaded from: input_file:WEB-INF/lib/oak-core-0.8.jar:org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook$BeforeNode.class */
    private static final class BeforeNode extends Node {
        private final NodeState nodeState;

        BeforeNode(NodeState nodeState) {
            super("/");
            this.nodeState = nodeState;
        }

        BeforeNode(String str, String str2, NodeState nodeState) {
            super(str, str2);
            this.nodeState = nodeState;
        }

        @Override // org.apache.jackrabbit.oak.security.authorization.permission.PermissionHook.Node
        NodeState getNodeState() {
            return this.nodeState;
        }
    }

    /* loaded from: input_file:WEB-INF/lib/oak-core-0.8.jar:org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook$Diff.class */
    private class Diff extends DefaultNodeStateDiff {
        private final Node parentBefore;
        private final AfterNode parentAfter;
        private final List<String> processed;

        private Diff(@Nonnull Node node, @Nonnull AfterNode afterNode) {
            this.processed = new ArrayList();
            this.parentBefore = node;
            this.parentAfter = afterNode;
        }

        @Override // org.apache.jackrabbit.oak.spi.state.DefaultNodeStateDiff, org.apache.jackrabbit.oak.spi.state.NodeStateDiff
        public boolean propertyChanged(PropertyState propertyState, PropertyState propertyState2) {
            if (!isACL(this.parentAfter) || !TreeImpl.OAK_CHILD_ORDER.equals(propertyState.getName())) {
                return true;
            }
            for (String str : new ChildOrderDiff(propertyState, propertyState2).getReordered()) {
                updateEntry(str, this.parentBefore.getNodeState().getChildNode(str), this.parentAfter.getNodeState().getChildNode(str));
                PermissionHook.log.debug("Processed reordered child node " + str);
                this.processed.add(str);
            }
            return true;
        }

        @Override // org.apache.jackrabbit.oak.spi.state.DefaultNodeStateDiff, org.apache.jackrabbit.oak.spi.state.NodeStateDiff
        public boolean childNodeAdded(String str, NodeState nodeState) {
            if (NodeStateUtils.isHidden(str)) {
                return true;
            }
            if (isACE(str, nodeState)) {
                addEntry(str, nodeState);
                return true;
            }
            BeforeNode beforeNode = new BeforeNode(this.parentBefore.getPath(), str, EmptyNodeState.EMPTY_NODE);
            nodeState.compareAgainstBaseState(beforeNode.getNodeState(), new Diff(beforeNode, new AfterNode(this.parentAfter, str)));
            return true;
        }

        @Override // org.apache.jackrabbit.oak.spi.state.DefaultNodeStateDiff, org.apache.jackrabbit.oak.spi.state.NodeStateDiff
        public boolean childNodeChanged(String str, NodeState nodeState, NodeState nodeState2) {
            if (NodeStateUtils.isHidden(str)) {
                return true;
            }
            if (isACE(str, nodeState) || isACE(str, nodeState2)) {
                updateEntry(str, nodeState, nodeState2);
                return true;
            }
            nodeState2.compareAgainstBaseState(nodeState, new Diff(new BeforeNode(this.parentBefore.getPath(), str, nodeState), new AfterNode(this.parentAfter, str)));
            return true;
        }

        @Override // org.apache.jackrabbit.oak.spi.state.DefaultNodeStateDiff, org.apache.jackrabbit.oak.spi.state.NodeStateDiff
        public boolean childNodeDeleted(String str, NodeState nodeState) {
            if (NodeStateUtils.isHidden(str)) {
                return true;
            }
            if (isACE(str, nodeState)) {
                removeEntry(str, nodeState);
                return true;
            }
            BeforeNode beforeNode = new BeforeNode(this.parentBefore.getPath(), str, nodeState);
            AfterNode afterNode = new AfterNode(this.parentAfter.getPath(), str, EmptyNodeState.EMPTY_NODE);
            afterNode.getNodeState().compareAgainstBaseState(nodeState, new Diff(beforeNode, afterNode));
            return true;
        }

        private boolean isACL(Node node) {
            return PermissionHook.this.ntMgr.isNodeType(PermissionHook.getTree(node.getName(), node.getNodeState()), AccessControlConstants.NT_REP_POLICY);
        }

        private boolean isACE(String str, NodeState nodeState) {
            return PermissionHook.this.ntMgr.isNodeType(PermissionHook.getTree(str, nodeState), AccessControlConstants.NT_REP_ACE);
        }

        private void addEntry(String str, NodeState nodeState) {
            createPermissionEntry(str, nodeState, this.parentAfter).writeTo(PermissionHook.this.permissionRoot);
        }

        private void removeEntry(String str, NodeState nodeState) {
            PermissionEntry createPermissionEntry = createPermissionEntry(str, nodeState, this.parentBefore);
            NodeBuilder principalRoot = PermissionHook.this.getPrincipalRoot(createPermissionEntry.principalName);
            if (principalRoot != null) {
                principalRoot.removeChildNode(createPermissionEntry.nodeName);
            }
        }

        private void updateEntry(String str, NodeState nodeState, NodeState nodeState2) {
            if (this.processed.contains(str)) {
                PermissionHook.log.debug("ACE entry already processed -> skip updateEntry.");
            } else {
                removeEntry(str, nodeState);
                addEntry(str, nodeState2);
            }
        }

        @Nonnull
        private PermissionEntry createPermissionEntry(String str, NodeState nodeState, Node node) {
            Tree tree = PermissionHook.getTree(str, nodeState);
            String accessControlledPath = PermissionHook.getAccessControlledPath(node);
            return new PermissionEntry(accessControlledPath, PermissionHook.getAceIndex(node, str), (String) Preconditions.checkNotNull(TreeUtil.getString(tree, "rep:principalName")), PermissionHook.this.bitsProvider.getBits(TreeUtil.getStrings(tree, "rep:privileges")), AccessControlConstants.NT_REP_GRANT_ACE.equals(TreeUtil.getPrimaryTypeName(tree)), PermissionHook.this.getRestrictions(accessControlledPath, tree));
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/oak-core-0.8.jar:org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook$Node.class */
    public static abstract class Node {
        private final String path;

        private Node(String str) {
            this.path = str;
        }

        private Node(String str, String str2) {
            this.path = PathUtils.concat(str, str2);
        }

        String getName() {
            return Text.getName(this.path);
        }

        String getPath() {
            return this.path;
        }

        abstract NodeState getNodeState();
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/oak-core-0.8.jar:org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook$PermissionEntry.class */
    public final class PermissionEntry {
        private final String accessControlledPath;
        private final int index;
        private final String principalName;
        private final PrivilegeBits privilegeBits;
        private final boolean isAllow;
        private final Set<Restriction> restrictions;
        private final String nodeName;

        private PermissionEntry(@Nonnull String str, int i, @Nonnull String str2, @Nonnull PrivilegeBits privilegeBits, boolean z, Set<Restriction> set) {
            this.accessControlledPath = str;
            this.index = i;
            this.principalName = Text.escapeIllegalJcrChars(str2);
            this.privilegeBits = privilegeBits;
            this.isAllow = z;
            this.restrictions = set;
            StringBuilder sb = new StringBuilder();
            sb.append(z ? 'a' : 'd').append('-');
            sb.append(Objects.hashCode(str, str2, Integer.valueOf(i), privilegeBits, Boolean.valueOf(z), set));
            this.nodeName = sb.toString();
        }

        /* JADX INFO: Access modifiers changed from: private */
        public void writeTo(NodeBuilder nodeBuilder) {
            NodeBuilder child = nodeBuilder.child(this.principalName);
            if (!child.hasProperty("jcr:primaryType")) {
                child.setProperty("jcr:primaryType", PermissionConstants.NT_REP_PERMISSION_STORE, Type.NAME);
            }
            NodeBuilder property = child.child(this.nodeName).setProperty("jcr:primaryType", PermissionConstants.NT_REP_PERMISSIONS, Type.NAME).setProperty(PermissionConstants.REP_ACCESS_CONTROLLED_PATH, this.accessControlledPath).setProperty(PermissionConstants.REP_INDEX, Integer.valueOf(this.index)).setProperty(this.privilegeBits.asPropertyState("rep:privileges"));
            Iterator<Restriction> it = this.restrictions.iterator();
            while (it.hasNext()) {
                property.setProperty(it.next().getProperty());
            }
        }

        public String toString() {
            StringBuilder sb = new StringBuilder();
            sb.append("permission entry: ").append(this.accessControlledPath);
            sb.append(';').append(this.index);
            sb.append(';').append(this.principalName);
            sb.append(';').append(this.isAllow ? "allow" : "deny");
            sb.append(';').append(this.privilegeBits);
            sb.append(';').append(this.restrictions);
            return sb.toString();
        }
    }

    public PermissionHook(String str, RestrictionProvider restrictionProvider) {
        this.workspaceName = str;
        this.restrictionProvider = restrictionProvider;
    }

    @Override // org.apache.jackrabbit.oak.spi.commit.CommitHook
    @Nonnull
    public NodeState processCommit(NodeState nodeState, NodeState nodeState2) throws CommitFailedException {
        NodeBuilder builder = nodeState2.builder();
        this.permissionRoot = getPermissionRoot(builder);
        this.ntMgr = ReadOnlyNodeTypeManager.getInstance(nodeState);
        this.bitsProvider = new PrivilegeBitsProvider(new ImmutableRoot(nodeState));
        nodeState2.compareAgainstBaseState(nodeState, new Diff(new BeforeNode(nodeState), new AfterNode(builder)));
        return builder.getNodeState();
    }

    @Nonnull
    private NodeBuilder getPermissionRoot(NodeBuilder nodeBuilder) {
        return nodeBuilder.child(JcrConstants.JCR_SYSTEM).child(PermissionConstants.REP_PERMISSION_STORE).child(this.workspaceName);
    }

    /* JADX INFO: Access modifiers changed from: private */
    @CheckForNull
    public NodeBuilder getPrincipalRoot(String str) {
        if (this.permissionRoot.hasChildNode(str)) {
            return this.permissionRoot.child(str);
        }
        return null;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static Tree getTree(String str, NodeState nodeState) {
        return new ImmutableTree(ImmutableTree.ParentProvider.UNSUPPORTED, str, nodeState, TreeTypeProvider.EMPTY);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static String getAccessControlledPath(Node node) {
        return AccessControlConstants.REP_REPO_POLICY.equals(node.getName()) ? "" : Text.getRelativeParent(node.getPath(), 1);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static int getAceIndex(Node node, String str) {
        return Lists.newArrayList((Iterable) ((PropertyState) Preconditions.checkNotNull(node.getNodeState().getProperty(TreeImpl.OAK_CHILD_ORDER))).getValue(Type.STRINGS)).indexOf(str);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public Set<Restriction> getRestrictions(String str, Tree tree) {
        return this.restrictionProvider.readRestrictions(Strings.emptyToNull(str), tree);
    }
}
