package org.apache.jackrabbit.oak.security.authorization.permission;

import com.google.common.base.Objects;
import com.google.common.base.Strings;
import com.google.common.collect.Iterables;
import com.google.common.collect.Sets;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.annotation.Nonnull;
import org.apache.jackrabbit.JcrConstants;
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.core.AbstractTree;
import org.apache.jackrabbit.oak.core.ImmutableRoot;
import org.apache.jackrabbit.oak.core.ImmutableTree;
import org.apache.jackrabbit.oak.plugins.memory.EmptyNodeState;
import org.apache.jackrabbit.oak.plugins.nodetype.TypePredicate;
import org.apache.jackrabbit.oak.spi.commit.PostValidationHook;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider;
import org.apache.jackrabbit.oak.spi.state.DefaultNodeStateDiff;
import org.apache.jackrabbit.oak.spi.state.NodeBuilder;
import org.apache.jackrabbit.oak.spi.state.NodeState;
import org.apache.jackrabbit.oak.spi.state.NodeStateUtils;
import org.apache.jackrabbit.util.Text;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:WEB-INF/lib/oak-core-0.15.jar:org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.class */
public class PermissionHook implements PostValidationHook, AccessControlConstants, PermissionConstants {
    private static final Logger log = LoggerFactory.getLogger(PermissionHook.class);
    private final RestrictionProvider restrictionProvider;
    private final String workspaceName;
    private final PermissionEntryCache cache;
    private NodeBuilder permissionRoot;
    private PrivilegeBitsProvider bitsProvider;
    private TypePredicate isACL;
    private TypePredicate isACE;
    private TypePredicate isGrantACE;
    private Map<String, Acl> modified = new HashMap();
    private Map<String, Acl> deleted = new HashMap();

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/oak-core-0.15.jar:org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook$AcEntry.class */
    public final class AcEntry {
        private final String accessControlledPath;
        private final String principalName;
        private final PrivilegeBits privilegeBits;
        private final boolean isAllow;
        private final Set<Restriction> restrictions;
        private final int index;
        private int hashCode;

        private AcEntry(@Nonnull NodeState nodeState, @Nonnull String str, int i) {
            this.hashCode = -1;
            this.accessControlledPath = str;
            this.index = i;
            this.principalName = Text.escapeIllegalJcrChars(nodeState.getString("rep:principalName"));
            this.privilegeBits = PermissionHook.this.bitsProvider.getBits(nodeState.getNames("rep:privileges"));
            this.isAllow = PermissionHook.this.isGrantACE.apply(nodeState);
            this.restrictions = PermissionHook.this.restrictionProvider.readRestrictions(Strings.emptyToNull(str), new ImmutableTree(nodeState));
        }

        public int hashCode() {
            if (this.hashCode == -1) {
                this.hashCode = Objects.hashCode(this.accessControlledPath, this.principalName, this.privilegeBits, Boolean.valueOf(this.isAllow), this.restrictions);
            }
            return this.hashCode;
        }

        public boolean equals(Object obj) {
            if (obj == this) {
                return true;
            }
            if (!(obj instanceof AcEntry)) {
                return false;
            }
            AcEntry acEntry = (AcEntry) obj;
            return this.isAllow == acEntry.isAllow && this.privilegeBits.equals(acEntry.privilegeBits) && this.principalName.equals(acEntry.principalName) && this.accessControlledPath.equals(acEntry.accessControlledPath) && this.restrictions.equals(acEntry.restrictions);
        }

        public String toString() {
            StringBuilder sb = new StringBuilder();
            sb.append(this.accessControlledPath);
            sb.append(';').append(this.principalName);
            sb.append(';').append(this.isAllow ? "allow" : "deny");
            sb.append(';').append(PermissionHook.this.bitsProvider.getPrivilegeNames(this.privilegeBits));
            sb.append(';').append(this.restrictions);
            return sb.toString();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/oak-core-0.15.jar:org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook$Acl.class */
    public final class Acl {
        private final String accessControlledPath;
        private final String nodeName;
        private final Map<String, List<AcEntry>> entries;

        private Acl(String str, String str2, @Nonnull NodeState nodeState) {
            this.entries = new HashMap();
            if (str2.equals(AccessControlConstants.REP_REPO_POLICY)) {
                this.accessControlledPath = "";
            } else {
                this.accessControlledPath = str.length() == 0 ? "/" : str;
            }
            this.nodeName = PermissionUtil.getEntryName(this.accessControlledPath);
            LinkedHashSet newLinkedHashSet = Sets.newLinkedHashSet(nodeState.getNames(AbstractTree.OAK_CHILD_ORDER));
            long size = newLinkedHashSet.size();
            if (nodeState.getChildNodeCount(size + 1) > size) {
                Iterables.addAll(newLinkedHashSet, nodeState.getChildNodeNames());
            }
            int i = 0;
            Iterator it = newLinkedHashSet.iterator();
            while (it.hasNext()) {
                NodeState childNode = nodeState.getChildNode((String) it.next());
                if (PermissionHook.this.isACE.apply(childNode)) {
                    AcEntry acEntry = new AcEntry(childNode, this.accessControlledPath, i);
                    List<AcEntry> list = this.entries.get(acEntry.principalName);
                    if (list == null) {
                        list = new ArrayList();
                        this.entries.put(acEntry.principalName, list);
                    }
                    list.add(acEntry);
                    i++;
                }
            }
        }

        /* JADX INFO: Access modifiers changed from: private */
        public void remove(Set<String> set) {
            for (String str : this.entries.keySet()) {
                if (PermissionHook.this.permissionRoot.hasChildNode(str)) {
                    set.add(str);
                    NodeBuilder childNode = PermissionHook.this.permissionRoot.getChildNode(str);
                    NodeBuilder childNode2 = childNode.getChildNode(this.nodeName);
                    if (childNode2.exists()) {
                        long numPermissions = PermissionUtil.getNumPermissions(childNode);
                        if (PermissionUtil.checkACLPath(childNode2, this.accessControlledPath)) {
                            NodeBuilder nodeBuilder = null;
                            for (String str2 : childNode2.getChildNodeNames()) {
                                if (str2.charAt(0) != 'c') {
                                    numPermissions--;
                                } else {
                                    NodeBuilder childNode3 = childNode2.getChildNode(str2);
                                    if (nodeBuilder == null) {
                                        nodeBuilder = childNode3;
                                    } else {
                                        nodeBuilder.setChildNode(str2, childNode3.getNodeState());
                                        childNode3.remove();
                                    }
                                }
                            }
                            childNode2.remove();
                            if (nodeBuilder != null) {
                                childNode.setChildNode(this.nodeName, nodeBuilder.getNodeState());
                            }
                        } else {
                            for (String str3 : childNode2.getChildNodeNames()) {
                                if (str3.charAt(0) == 'c') {
                                    NodeBuilder childNode4 = childNode2.getChildNode(str3);
                                    if (PermissionUtil.checkACLPath(childNode4, this.accessControlledPath)) {
                                        for (String str4 : childNode4.getChildNodeNames()) {
                                            numPermissions--;
                                        }
                                        childNode4.remove();
                                    }
                                }
                            }
                        }
                        touch(childNode, numPermissions);
                    }
                } else {
                    PermissionHook.log.error("{} {}: Principal root missing.", "Unable to remove permission entry", this);
                }
            }
        }

        /* JADX INFO: Access modifiers changed from: private */
        public void update(Set<String> set) {
            for (String str : this.entries.keySet()) {
                set.add(str);
                NodeBuilder child = PermissionHook.this.permissionRoot.child(str);
                if (!child.hasProperty("jcr:primaryType")) {
                    child.setProperty("jcr:primaryType", PermissionConstants.NT_REP_PERMISSION_STORE, Type.NAME);
                }
                NodeBuilder child2 = child.child(this.nodeName);
                if (!child2.hasProperty("jcr:primaryType")) {
                    child2.setProperty("jcr:primaryType", PermissionConstants.NT_REP_PERMISSION_STORE, Type.NAME);
                }
                if (!child2.hasProperty(PermissionConstants.REP_ACCESS_CONTROLLED_PATH)) {
                    child2.setProperty(PermissionConstants.REP_ACCESS_CONTROLLED_PATH, this.accessControlledPath);
                } else if (!PermissionUtil.checkACLPath(child2, this.accessControlledPath)) {
                    NodeBuilder nodeBuilder = null;
                    int i = 0;
                    for (String str2 : child2.getChildNodeNames()) {
                        if (str2.charAt(0) == 'c') {
                            nodeBuilder = child2.getChildNode(str2);
                            if (PermissionUtil.checkACLPath(nodeBuilder, this.accessControlledPath)) {
                                break;
                            }
                            nodeBuilder = null;
                            i++;
                        }
                    }
                    while (nodeBuilder == null) {
                        int i2 = i;
                        i++;
                        String str3 = 'c' + String.valueOf(i2);
                        if (child2.getChildNode(str3).exists()) {
                            nodeBuilder = null;
                        } else {
                            nodeBuilder = child2.child(str3);
                            nodeBuilder.setProperty("jcr:primaryType", PermissionConstants.NT_REP_PERMISSION_STORE, Type.NAME);
                        }
                    }
                    child2 = nodeBuilder;
                    child2.setProperty(PermissionConstants.REP_ACCESS_CONTROLLED_PATH, this.accessControlledPath);
                }
                touch(child, PermissionUtil.getNumPermissions(child) + updateEntries(child2, this.entries.get(str)));
            }
        }

        private long updateEntries(NodeBuilder nodeBuilder, List<AcEntry> list) {
            long j = 0;
            for (String str : nodeBuilder.getChildNodeNames()) {
                if (str.charAt(0) != 'c') {
                    nodeBuilder.getChildNode(str).remove();
                    j--;
                }
            }
            for (AcEntry acEntry : list) {
                PermissionEntry.write(nodeBuilder, acEntry.isAllow, acEntry.index, acEntry.privilegeBits, acEntry.restrictions);
                j++;
            }
            return j;
        }

        private void touch(NodeBuilder nodeBuilder, long j) {
            PropertyState property = nodeBuilder.getProperty(PermissionConstants.REP_MOD_COUNT);
            nodeBuilder.setProperty(PermissionConstants.REP_MOD_COUNT, Long.valueOf(property == null ? 1L : ((Long) property.getValue(Type.LONG)).longValue() + 1));
            nodeBuilder.setProperty(PermissionConstants.REP_NUM_PERMISSIONS, Long.valueOf(j));
        }
    }

    /* loaded from: input_file:WEB-INF/lib/oak-core-0.15.jar:org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook$Diff.class */
    private class Diff extends DefaultNodeStateDiff {
        private final String parentPath;

        private Diff(String str) {
            this.parentPath = str;
        }

        @Override // org.apache.jackrabbit.oak.spi.state.DefaultNodeStateDiff, org.apache.jackrabbit.oak.spi.state.NodeStateDiff
        public boolean childNodeAdded(String str, NodeState nodeState) {
            if (NodeStateUtils.isHidden(str)) {
                return true;
            }
            String str2 = this.parentPath + '/' + str;
            if (!PermissionHook.this.isACL.apply(nodeState)) {
                nodeState.compareAgainstBaseState(EmptyNodeState.EMPTY_NODE, new Diff(str2));
                return true;
            }
            Acl acl = new Acl(this.parentPath, str, nodeState);
            PermissionHook.this.modified.put(acl.accessControlledPath, acl);
            return true;
        }

        @Override // org.apache.jackrabbit.oak.spi.state.DefaultNodeStateDiff, org.apache.jackrabbit.oak.spi.state.NodeStateDiff
        public boolean childNodeChanged(String str, NodeState nodeState, NodeState nodeState2) {
            if (NodeStateUtils.isHidden(str)) {
                return true;
            }
            String str2 = this.parentPath + '/' + str;
            if (!PermissionHook.this.isACL.apply(nodeState)) {
                if (!PermissionHook.this.isACL.apply(nodeState2)) {
                    nodeState2.compareAgainstBaseState(nodeState, new Diff(str2));
                    return true;
                }
                Acl acl = new Acl(this.parentPath, str, nodeState2);
                PermissionHook.this.modified.put(acl.accessControlledPath, acl);
                return true;
            }
            if (!PermissionHook.this.isACL.apply(nodeState2)) {
                Acl acl2 = new Acl(this.parentPath, str, nodeState);
                PermissionHook.this.deleted.put(acl2.accessControlledPath, acl2);
                return true;
            }
            Acl acl3 = new Acl(this.parentPath, str, nodeState2);
            PermissionHook.this.modified.put(acl3.accessControlledPath, acl3);
            Acl acl4 = new Acl(this.parentPath, str, nodeState);
            acl4.entries.keySet().removeAll(acl3.entries.keySet());
            if (acl4.entries.isEmpty()) {
                return true;
            }
            PermissionHook.this.deleted.put(this.parentPath, acl4);
            return true;
        }

        @Override // org.apache.jackrabbit.oak.spi.state.DefaultNodeStateDiff, org.apache.jackrabbit.oak.spi.state.NodeStateDiff
        public boolean childNodeDeleted(String str, NodeState nodeState) {
            if (NodeStateUtils.isHidden(str)) {
                return true;
            }
            String str2 = this.parentPath + '/' + str;
            if (!PermissionHook.this.isACL.apply(nodeState)) {
                EmptyNodeState.EMPTY_NODE.compareAgainstBaseState(nodeState, new Diff(str2));
                return true;
            }
            Acl acl = new Acl(this.parentPath, str, nodeState);
            PermissionHook.this.deleted.put(acl.accessControlledPath, acl);
            return true;
        }
    }

    public PermissionHook(String str, RestrictionProvider restrictionProvider, PermissionEntryCache permissionEntryCache) {
        this.workspaceName = str;
        this.restrictionProvider = restrictionProvider;
        this.cache = permissionEntryCache;
    }

    @Override // org.apache.jackrabbit.oak.spi.commit.CommitHook
    @Nonnull
    public NodeState processCommit(NodeState nodeState, NodeState nodeState2) throws CommitFailedException {
        NodeBuilder builder = nodeState2.builder();
        this.permissionRoot = getPermissionRoot(builder);
        this.bitsProvider = new PrivilegeBitsProvider(new ImmutableRoot(nodeState));
        this.isACL = new TypePredicate(nodeState2, AccessControlConstants.NT_REP_ACL);
        this.isACE = new TypePredicate(nodeState2, AccessControlConstants.NT_REP_ACE);
        this.isGrantACE = new TypePredicate(nodeState2, AccessControlConstants.NT_REP_GRANT_ACE);
        nodeState2.compareAgainstBaseState(nodeState, new Diff(""));
        apply();
        return builder.getNodeState();
    }

    private void apply() {
        HashSet hashSet = new HashSet();
        Iterator<Map.Entry<String, Acl>> it = this.deleted.entrySet().iterator();
        while (it.hasNext()) {
            it.next().getValue().remove(hashSet);
        }
        Iterator<Map.Entry<String, Acl>> it2 = this.modified.entrySet().iterator();
        while (it2.hasNext()) {
            it2.next().getValue().update(hashSet);
        }
        this.cache.flush(hashSet);
    }

    @Nonnull
    private NodeBuilder getPermissionRoot(NodeBuilder nodeBuilder) {
        return nodeBuilder.getChildNode(JcrConstants.JCR_SYSTEM).getChildNode(PermissionConstants.REP_PERMISSION_STORE).getChildNode(this.workspaceName);
    }
}
