package org.apache.jackrabbit.oak.spi.security.user.action;

import java.security.Principal;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.jcr.RepositoryException;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.user.UserConfiguration;
import org.apache.jackrabbit.oak.spi.security.user.util.UserUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX WARN: Classes with same name are omitted:
  input_file:WEB-INF/lib/oak-upgrade-1.0.39.jar:org/apache/jackrabbit/oak/spi/security/user/action/AccessControlAction.class
 */
/* loaded from: input_file:WEB-INF/lib/oak-core-1.0.39.jar:org/apache/jackrabbit/oak/spi/security/user/action/AccessControlAction.class */
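/**
 * Authorizable action that, when a user or group is created, adds an access
 * control entry for the new principal on the authorizable's own node.
 *
 * <p>The privileges to grant are read from the configuration keys
 * {@link #USER_PRIVILEGE_NAMES} and {@link #GROUP_PRIVILEGE_NAMES} in
 * {@link #init}. When both are empty the action does nothing.
 *
 * <p>Security notes for whoever configures this action:
 * <ul>
 *   <li>The configured privileges are granted to <em>every</em> newly created
 *       user (or group) on its own node, so the list should be the minimum
 *       that principal needs. Privilege sets that include the right to modify
 *       access control (for example {@code jcr:all}) also let the principal
 *       rewrite the policy on that node.</li>
 *   <li>Only the configured admin and anonymous ids are skipped (see
 *       {@code isSystemUser}); every other user gets the entry.</li>
 *   <li>A privilege name that the {@link AccessControlManager} cannot resolve
 *       makes {@code privilegeFromName} throw, and that exception propagates
 *       out of {@code onCreate}.</li>
 *   <li>This class never commits the {@link Root}; the policy change is only
 *       applied through the access control manager obtained for that root and
 *       persisting it is left to the caller.</li>
 * </ul>
 */
public class AccessControlAction extends AbstractAuthorizableAction {
    private static final Logger log = LoggerFactory.getLogger(AccessControlAction.class);

    /** Configuration key holding the privilege names granted to new users. */
    public static final String USER_PRIVILEGE_NAMES = "userPrivilegeNames";

    /** Configuration key holding the privilege names granted to new groups. */
    public static final String GROUP_PRIVILEGE_NAMES = "groupPrivilegeNames";

    // Stays null until init() has been called; setAC() refuses to run without it.
    private SecurityProvider securityProvider;
    private String[] groupPrivilegeNames = new String[0];
    private String[] userPrivilegeNames = new String[0];

    /**
     * Stores the security provider and reads the privilege names for users and
     * groups from the given configuration.
     *
     * @param securityProvider provider used later to obtain the authorization
     *        and user configurations
     * @param configurationParameters configuration searched for
     *        {@link #USER_PRIVILEGE_NAMES} and {@link #GROUP_PRIVILEGE_NAMES}
     */
    @Override
    public void init(SecurityProvider securityProvider, ConfigurationParameters configurationParameters) {
        this.securityProvider = securityProvider;
        this.userPrivilegeNames = privilegeNames(configurationParameters, USER_PRIVILEGE_NAMES);
        this.groupPrivilegeNames = privilegeNames(configurationParameters, GROUP_PRIVILEGE_NAMES);
    }

    /**
     * Grants the configured group privileges to the new group on its own node.
     *
     * @throws RepositoryException if reading the authorizable or editing the
     *         policy fails
     * @throws IllegalStateException if {@link #init} has not supplied a
     *         security provider
     */
    @Override
    public void onCreate(Group group, Root root, NamePathMapper namePathMapper) throws RepositoryException {
        setAC(group, root, namePathMapper);
    }

    /**
     * Grants the configured user privileges to the new user on its own node.
     * The second argument of the callback is not used by this action.
     *
     * @throws RepositoryException if reading the authorizable or editing the
     *         policy fails
     * @throws IllegalStateException if {@link #init} has not supplied a
     *         security provider
     */
    @Override
    public void onCreate(User user, String str, Root root, NamePathMapper namePathMapper) throws RepositoryException {
        setAC(user, root, namePathMapper);
    }

    /**
     * Reads a string-array option, mapping a missing or empty value to an empty
     * array so callers never see {@code null}.
     */
    private static String[] privilegeNames(ConfigurationParameters configurationParameters, String optionName) {
        String[] configured = (String[]) configurationParameters.getConfigValue(optionName, null, String[].class);
        if (configured == null || configured.length == 0) {
            return new String[0];
        }
        return configured;
    }

    /**
     * Adds an access control entry for the authorizable's principal at the
     * authorizable's path, using the user or group privilege names depending on
     * {@link Authorizable#isGroup()}.
     *
     * <p>Nothing is changed when the authorizable is the admin or anonymous
     * user, when no privileges are configured, when no applicable
     * {@link JackrabbitAccessControlList} exists at the path, or when the list
     * reports that adding the entry did not modify it.
     *
     * @throws IllegalStateException if no security provider has been set
     * @throws RepositoryException if an underlying repository call fails
     */
    private void setAC(@Nonnull Authorizable authorizable, @Nonnull Root root, @Nonnull NamePathMapper namePathMapper) throws RepositoryException {
        if (this.securityProvider == null) {
            throw new IllegalStateException("Not initialized");
        }
        if (isSystemUser(authorizable)) {
            log.debug("System user: {}; omit ac setup.", authorizable.getID());
            return;
        }
        if (this.groupPrivilegeNames.length == 0 && this.userPrivilegeNames.length == 0) {
            log.debug("No privileges configured for groups and users; omit ac setup.");
            return;
        }

        String path = authorizable.getPath();
        AccessControlManager accessControlManager = ((AuthorizationConfiguration) this.securityProvider.getConfiguration(AuthorizationConfiguration.class)).getAccessControlManager(root, namePathMapper);

        // Take the first applicable policy that is a JackrabbitAccessControlList.
        // Only getApplicablePolicies is consulted; policies already set at the
        // path are not looked up here.
        JackrabbitAccessControlList acl = null;
        AccessControlPolicyIterator applicablePolicies = accessControlManager.getApplicablePolicies(path);
        while (acl == null && applicablePolicies.hasNext()) {
            AccessControlPolicy candidate = applicablePolicies.nextAccessControlPolicy();
            if (candidate instanceof JackrabbitAccessControlList) {
                acl = (JackrabbitAccessControlList) candidate;
            }
        }
        if (acl == null) {
            // The new authorizable ends up without the configured entry; a
            // warning is the only signal, so it is worth monitoring for.
            log.warn("Cannot process AccessControlAction: no applicable ACL at {}", path);
            return;
        }

        Principal principal = authorizable.getPrincipal();
        String[] names = authorizable.isGroup() ? this.groupPrivilegeNames : this.userPrivilegeNames;
        boolean modified = false;
        if (names.length > 0) {
            modified = acl.addAccessControlEntry(principal, getPrivileges(names, accessControlManager));
        }
        // Write the policy back only when the list actually changed.
        if (modified) {
            accessControlManager.setPolicy(path, acl);
        }
    }

    /**
     * Tells whether the authorizable is a user whose id equals the admin id or
     * the anonymous id taken from the user configuration. Groups are never
     * treated as system users.
     */
    private boolean isSystemUser(@Nonnull Authorizable authorizable) throws RepositoryException {
        if (authorizable.isGroup()) {
            return false;
        }
        ConfigurationParameters parameters = ((UserConfiguration) this.securityProvider.getConfiguration(UserConfiguration.class)).getParameters();
        String id = authorizable.getID();
        return UserUtil.getAdminId(parameters).equals(id) || UserUtil.getAnonymousId(parameters).equals(id);
    }

    /**
     * Resolves each privilege name through the access control manager.
     *
     * @param privilegeNames names to resolve; {@code null} or empty yields an
     *        empty array
     * @param accessControlManager manager used for the name lookup
     * @return one {@link Privilege} per name, in the same order
     * @throws RepositoryException if the manager fails to resolve a name
     */
    private static Privilege[] getPrivileges(@Nullable String[] privilegeNames, @Nonnull AccessControlManager accessControlManager) throws RepositoryException {
        if (privilegeNames == null || privilegeNames.length == 0) {
            return new Privilege[0];
        }
        Privilege[] resolved = new Privilege[privilegeNames.length];
        for (int i = 0; i < privilegeNames.length; i++) {
            resolved[i] = accessControlManager.privilegeFromName(privilegeNames[i]);
        }
        return resolved;
    }
}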
