package org.apache.jackrabbit.oak.security.authorization.accesscontrol;

import com.google.common.base.Objects;
import com.google.common.base.Preconditions;
import com.google.common.collect.Iterables;
import com.google.common.collect.Sets;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.jcr.RepositoryException;
import javax.jcr.security.AccessControlException;
import org.apache.jackrabbit.JcrConstants;
import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.core.AbstractTree;
import org.apache.jackrabbit.oak.core.ImmutableTree;
import org.apache.jackrabbit.oak.plugins.nodetype.TypePredicate;
import org.apache.jackrabbit.oak.spi.commit.DefaultValidator;
import org.apache.jackrabbit.oak.spi.commit.Validator;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider;
import org.apache.jackrabbit.oak.spi.state.NodeState;
import org.apache.jackrabbit.oak.util.TreeUtil;
import org.apache.jackrabbit.util.Text;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:WEB-INF/lib/oak-core-0.15.jar:org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlValidator.class */
public class AccessControlValidator extends DefaultValidator implements AccessControlConstants {
    private final ImmutableTree parentAfter;
    private final PrivilegeBitsProvider privilegeBitsProvider;
    private final PrivilegeManager privilegeManager;
    private final RestrictionProvider restrictionProvider;
    private final TypePredicate isRepoAccessControllable;
    private final TypePredicate isAccessControllable;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/oak-core-0.15.jar:org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlValidator$Entry.class */
    public class Entry {
        private final String principalName;
        private final PrivilegeBits privilegeBits;
        private final Set<Restriction> restrictions;

        private Entry(String str, Tree tree) {
            this.principalName = (String) tree.getProperty("rep:principalName").getValue(Type.STRING);
            this.privilegeBits = AccessControlValidator.this.privilegeBitsProvider.getBits((Iterable<String>) tree.getProperty("rep:privileges").getValue(Type.NAMES));
            this.restrictions = AccessControlValidator.this.restrictionProvider.readRestrictions(str, tree);
        }

        public int hashCode() {
            return Objects.hashCode(this.principalName, this.privilegeBits, this.restrictions);
        }

        public boolean equals(Object obj) {
            if (obj == this) {
                return true;
            }
            if (!(obj instanceof Entry)) {
                return false;
            }
            Entry entry = (Entry) obj;
            return Objects.equal(this.principalName, entry.principalName) && this.privilegeBits.equals(entry.privilegeBits) && this.restrictions.equals(entry.restrictions);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public AccessControlValidator(ImmutableTree immutableTree, PrivilegeManager privilegeManager, PrivilegeBitsProvider privilegeBitsProvider, RestrictionProvider restrictionProvider) {
        this.parentAfter = immutableTree;
        this.privilegeBitsProvider = privilegeBitsProvider;
        this.privilegeManager = privilegeManager;
        this.restrictionProvider = restrictionProvider;
        this.isRepoAccessControllable = new TypePredicate(immutableTree.getNodeState(), AccessControlConstants.MIX_REP_REPO_ACCESS_CONTROLLABLE);
        this.isAccessControllable = new TypePredicate(immutableTree.getNodeState(), AccessControlConstants.MIX_REP_ACCESS_CONTROLLABLE);
    }

    private AccessControlValidator(AccessControlValidator accessControlValidator, ImmutableTree immutableTree) {
        this.parentAfter = immutableTree;
        this.privilegeBitsProvider = accessControlValidator.privilegeBitsProvider;
        this.privilegeManager = accessControlValidator.privilegeManager;
        this.restrictionProvider = accessControlValidator.restrictionProvider;
        this.isRepoAccessControllable = accessControlValidator.isRepoAccessControllable;
        this.isAccessControllable = accessControlValidator.isAccessControllable;
    }

    @Override // org.apache.jackrabbit.oak.spi.commit.DefaultValidator, org.apache.jackrabbit.oak.spi.commit.Validator, org.apache.jackrabbit.oak.spi.commit.Editor
    public void propertyAdded(PropertyState propertyState) throws CommitFailedException {
        if (isAccessControlEntry(this.parentAfter)) {
            checkValidAccessControlEntry(this.parentAfter);
        }
        if (JcrConstants.JCR_MIXINTYPES.equals(propertyState.getName())) {
            checkMixinTypes(this.parentAfter);
        }
    }

    @Override // org.apache.jackrabbit.oak.spi.commit.DefaultValidator, org.apache.jackrabbit.oak.spi.commit.Validator, org.apache.jackrabbit.oak.spi.commit.Editor
    public void propertyChanged(PropertyState propertyState, PropertyState propertyState2) throws CommitFailedException {
        if (isAccessControlEntry(this.parentAfter)) {
            checkValidAccessControlEntry(this.parentAfter);
        }
        if (JcrConstants.JCR_MIXINTYPES.equals(propertyState2.getName())) {
            checkMixinTypes(this.parentAfter);
        }
    }

    @Override // org.apache.jackrabbit.oak.spi.commit.DefaultValidator, org.apache.jackrabbit.oak.spi.commit.Validator, org.apache.jackrabbit.oak.spi.commit.Editor
    public void propertyDeleted(PropertyState propertyState) throws CommitFailedException {
    }

    @Override // org.apache.jackrabbit.oak.spi.commit.DefaultValidator, org.apache.jackrabbit.oak.spi.commit.Editor
    public Validator childNodeAdded(String str, NodeState nodeState) throws CommitFailedException {
        ImmutableTree immutableTree = (ImmutableTree) Preconditions.checkNotNull(this.parentAfter.getChild(str));
        checkValidTree(this.parentAfter, immutableTree, nodeState);
        return new AccessControlValidator(this, immutableTree);
    }

    @Override // org.apache.jackrabbit.oak.spi.commit.DefaultValidator, org.apache.jackrabbit.oak.spi.commit.Editor
    public Validator childNodeChanged(String str, NodeState nodeState, NodeState nodeState2) throws CommitFailedException {
        ImmutableTree immutableTree = (ImmutableTree) Preconditions.checkNotNull(this.parentAfter.getChild(str));
        checkValidTree(this.parentAfter, immutableTree, nodeState2);
        return new AccessControlValidator(this, immutableTree);
    }

    @Override // org.apache.jackrabbit.oak.spi.commit.DefaultValidator, org.apache.jackrabbit.oak.spi.commit.Editor
    public Validator childNodeDeleted(String str, NodeState nodeState) throws CommitFailedException {
        return null;
    }

    private void checkValidTree(ImmutableTree immutableTree, Tree tree, NodeState nodeState) throws CommitFailedException {
        if (isPolicy(tree)) {
            checkValidPolicy(immutableTree, tree, nodeState);
            return;
        }
        if (isAccessControlEntry(tree)) {
            checkValidAccessControlEntry(tree);
        } else if (AccessControlConstants.NT_REP_RESTRICTIONS.equals(TreeUtil.getPrimaryTypeName(tree))) {
            checkIsAccessControlEntry(immutableTree);
            checkValidRestrictions(immutableTree);
        }
    }

    private static boolean isPolicy(Tree tree) {
        return AccessControlConstants.NT_REP_ACL.equals(TreeUtil.getPrimaryTypeName(tree));
    }

    private static boolean isAccessControlEntry(Tree tree) {
        String primaryTypeName = TreeUtil.getPrimaryTypeName(tree);
        return AccessControlConstants.NT_REP_DENY_ACE.equals(primaryTypeName) || AccessControlConstants.NT_REP_GRANT_ACE.equals(primaryTypeName);
    }

    private static void checkIsAccessControlEntry(Tree tree) throws CommitFailedException {
        if (!isAccessControlEntry(tree)) {
            throw accessViolation(2, "Access control entry node expected.");
        }
    }

    private void checkValidPolicy(ImmutableTree immutableTree, Tree tree, NodeState nodeState) throws CommitFailedException {
        if (AccessControlConstants.REP_REPO_POLICY.equals(tree.getName())) {
            checkValidAccessControlledNode(immutableTree, this.isRepoAccessControllable);
            checkValidRepoAccessControlled(immutableTree);
        } else {
            checkValidAccessControlledNode(immutableTree, this.isAccessControllable);
        }
        if (!(immutableTree.isRoot() ? POLICY_NODE_NAMES : Collections.singleton(AccessControlConstants.REP_POLICY)).contains(tree.getName())) {
            throw accessViolation(3, "Invalid policy name " + tree.getName());
        }
        if (!nodeState.hasProperty(AbstractTree.OAK_CHILD_ORDER)) {
            throw accessViolation(4, "Invalid policy node: Order of children is not stable.");
        }
        HashSet newHashSet = Sets.newHashSet();
        for (Tree tree2 : tree.getChildren()) {
            if (isAccessControlEntry(tree2) && !newHashSet.add(new Entry(immutableTree.getPath(), tree2))) {
                throw accessViolation(13, "Duplicate ACE found in policy");
            }
        }
    }

    private void checkValidAccessControlledNode(ImmutableTree immutableTree, TypePredicate typePredicate) throws CommitFailedException {
        if (AC_NODETYPE_NAMES.contains(TreeUtil.getPrimaryTypeName(immutableTree))) {
            throw accessViolation(5, "Access control policy within access control content (" + immutableTree.getPath() + ')');
        }
        if (!typePredicate.apply(immutableTree.getNodeState())) {
            throw accessViolation(6, "Isolated policy node. Parent is not of type " + typePredicate);
        }
    }

    private void checkValidAccessControlEntry(Tree tree) throws CommitFailedException {
        Tree parent = tree.getParent();
        if (!parent.exists() || !AccessControlConstants.NT_REP_ACL.equals(TreeUtil.getPrimaryTypeName(parent))) {
            throw accessViolation(7, "Isolated access control entry at " + tree.getPath());
        }
        checkValidPrincipal(TreeUtil.getString(tree, "rep:principalName"));
        checkValidPrivileges(TreeUtil.getStrings(tree, "rep:privileges"));
        checkValidRestrictions(tree);
    }

    private void checkValidPrincipal(String str) throws CommitFailedException {
        if (str == null || str.isEmpty()) {
            throw accessViolation(8, "Missing principal name.");
        }
    }

    private void checkValidPrivileges(Iterable<String> iterable) throws CommitFailedException {
        if (iterable == null || Iterables.isEmpty(iterable)) {
            throw accessViolation(9, "Missing privileges.");
        }
        for (String str : iterable) {
            try {
                if (this.privilegeManager.getPrivilege(str).isAbstract()) {
                    throw accessViolation(11, "Abstract privilege " + str);
                }
            } catch (AccessControlException e) {
                throw accessViolation(10, "Invalid privilege " + str);
            } catch (RepositoryException e2) {
                throw new IllegalStateException("Failed to read privileges", e2);
            }
        }
    }

    private void checkValidRestrictions(Tree tree) throws CommitFailedException {
        String path = ((Tree) Preconditions.checkNotNull(tree.getParent())).getPath();
        try {
            this.restrictionProvider.validateRestrictions(AccessControlConstants.REP_REPO_POLICY.equals(Text.getName(path)) ? null : Text.getRelativeParent(path, 1), tree);
        } catch (RepositoryException e) {
            throw new CommitFailedException(CommitFailedException.OAK, 13, "Internal error", e);
        } catch (AccessControlException e2) {
            throw new CommitFailedException(CommitFailedException.ACCESS_CONTROL, 1, "Access control violation", e2);
        }
    }

    private static void checkMixinTypes(Tree tree) throws CommitFailedException {
        if (Iterables.contains(TreeUtil.getNames(tree, JcrConstants.JCR_MIXINTYPES), AccessControlConstants.MIX_REP_REPO_ACCESS_CONTROLLABLE)) {
            checkValidRepoAccessControlled(tree);
        }
    }

    private static void checkValidRepoAccessControlled(Tree tree) throws CommitFailedException {
        if (!tree.isRoot()) {
            throw accessViolation(12, "Only root can store repository level policies.");
        }
    }

    private static CommitFailedException accessViolation(int i, String str) {
        return new CommitFailedException(CommitFailedException.ACCESS_CONTROL, i, str);
    }
}
