package org.apache.jackrabbit.oak.spi.security.authentication.external.impl.principal;

import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.commons.PathUtils;
import org.apache.jackrabbit.oak.commons.collections.IterableUtils;
import org.apache.jackrabbit.oak.commons.conditions.Validate;
import org.apache.jackrabbit.oak.plugins.tree.RootProvider;
import org.apache.jackrabbit.oak.plugins.tree.TreeProvider;
import org.apache.jackrabbit.oak.spi.commit.CommitInfo;
import org.apache.jackrabbit.oak.spi.commit.DefaultValidator;
import org.apache.jackrabbit.oak.spi.commit.SubtreeValidator;
import org.apache.jackrabbit.oak.spi.commit.Validator;
import org.apache.jackrabbit.oak.spi.commit.ValidatorProvider;
import org.apache.jackrabbit.oak.spi.security.Context;
import org.apache.jackrabbit.oak.spi.security.SecurityConfiguration;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ProtectionConfig;
import org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalIdentityConstants;
import org.apache.jackrabbit.oak.spi.security.user.AuthorizableType;
import org.apache.jackrabbit.oak.spi.security.user.util.UserUtil;
import org.apache.jackrabbit.oak.spi.state.NodeState;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/ExternalUserValidatorProvider.class */
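/**
 * Provides the commit validator that guards external identities below the authorizable root.
 *
 * <p>An external identity is an authorizable tree carrying a {@code rep:externalId} property.
 * Whether a given tree or property of such an identity is protected is decided by the
 * {@link ProtectionConfig}. Items defined by any security configuration other than the user
 * configuration are skipped by this validator.
 *
 * <p>A detected violation fails the commit with a {@link CommitFailedException}, unless the
 * protection type is {@link IdentityProtectionType#WARN}; in that mode the violation is only
 * logged and this validator does not block the change.
 */
public class ExternalUserValidatorProvider extends ValidatorProvider implements ExternalIdentityConstants {
    private static final Logger log = LoggerFactory.getLogger(ExternalUserValidatorProvider.class);
    private final RootProvider rootProvider;
    private final TreeProvider treeProvider;
    private final String authorizableRootPath;
    private final Context aggregatedCtx;
    private final IdentityProtectionType protectionType;
    private final ProtectionConfig protectionConfig;
    // Re-assigned on every getRootValidator() call and read lazily by the validators created there.
    // NOTE(review): if one provider instance can serve overlapping commits these fields would
    // race - confirm how instances are scoped by the caller.
    private Root rootBefore;
    private Root rootAfter;

    /**
     * Context that answers "is this item defined by a security module?" for every security
     * configuration except the user configuration.
     */
    private static final class AggregatedContext extends Context.Default {
        private final List<Context> ctxs;

        /**
         * Collects the contexts of all configurations whose name is not
         * {@code org.apache.jackrabbit.oak.user}.
         *
         * @param securityProvider source of the security configurations
         */
        private AggregatedContext(@NotNull SecurityProvider securityProvider) {
            List<Context> contexts = new ArrayList<>();
            for (SecurityConfiguration securityConfiguration : securityProvider.getConfigurations()) {
                if (!"org.apache.jackrabbit.oak.user".equals(securityConfiguration.getName())) {
                    contexts.add(securityConfiguration.getContext());
                }
            }
            this.ctxs = Collections.unmodifiableList(contexts);
        }

        /** Returns {@code true} if any collected context defines the given property. */
        @Override
        public boolean definesProperty(@NotNull Tree tree, @NotNull PropertyState propertyState) {
            return this.ctxs.stream().anyMatch(ctx -> ctx.definesProperty(tree, propertyState));
        }

        /** Returns {@code true} if any collected context defines the given tree. */
        @Override
        public boolean definesTree(@NotNull Tree tree) {
            return this.ctxs.stream().anyMatch(ctx -> ctx.definesTree(tree));
        }
    }

    /**
     * Validator for one level of the authorizable subtree. Each instance remembers the parent
     * tree(s) it validates and whether it sits at or below an external identity.
     */
    private class ExternalUserValidator extends DefaultValidator {
        private Tree parentBefore;
        private Tree parentAfter;
        // Sticky: once an ancestor is an external identity, every descendant validator inherits true.
        private boolean isExternalIdentity = false;

        /** Root-level validator; parent trees are resolved lazily from the authorizable root path. */
        private ExternalUserValidator() {
        }

        /** Validator for a changed child node, with both the before and the after tree known. */
        private ExternalUserValidator(@NotNull ExternalUserValidator parentValidator, @NotNull Tree before, @NotNull Tree after) {
            this.parentBefore = before;
            this.parentAfter = after;
            setExternalIdentity(parentValidator, before);
        }

        /**
         * Validator for an added or deleted child node, where only one side exists.
         *
         * @param parentValidator validator of the parent level
         * @param tree the only available tree
         * @param isBefore {@code true} if {@code tree} is the before state (deletion),
         *     {@code false} if it is the after state (addition)
         */
        private ExternalUserValidator(@NotNull ExternalUserValidator parentValidator, @NotNull Tree tree, boolean isBefore) {
            if (isBefore) {
                this.parentBefore = tree;
                setExternalIdentity(parentValidator, this.parentBefore);
            } else {
                this.parentAfter = tree;
                setExternalIdentity(parentValidator, this.parentAfter);
            }
        }

        @Override
        public void propertyAdded(PropertyState after) throws CommitFailedException {
            Tree parent = getParentAfter();
            if (!definedSecurityContext(parent, after) && isModifyingExternalIdentity(this.isExternalIdentity, parent, after)) {
                handleViolation(String.format("Attempt to add property '%s' to protected external identity node '%s'", after.getName(), parent.getPath()));
            }
        }

        @Override
        public void propertyChanged(PropertyState before, PropertyState after) throws CommitFailedException {
            // The decision is taken on the before state only; the after state is not inspected here.
            Tree parent = getParentBefore();
            if (!definedSecurityContext(parent, before) && isModifyingExternalIdentity(this.isExternalIdentity, parent, before)) {
                handleViolation(String.format("Attempt to modify property '%s' at protected external identity node '%s'", before.getName(), parent.getPath()));
            }
        }

        @Override
        public void propertyDeleted(PropertyState before) throws CommitFailedException {
            Tree parent = getParentBefore();
            if (!definedSecurityContext(parent, before) && isModifyingExternalIdentity(this.isExternalIdentity, parent, before)) {
                handleViolation(String.format("Attempt to delete property '%s' from protected external identity node '%s'", before.getName(), parent.getPath()));
            }
        }

        /**
         * Checks an added child node.
         *
         * <p>This method has to carry the exact {@code Validator} callback name: under any other
         * name the inherited {@link DefaultValidator} callback runs instead and the checks below
         * are never applied to added nodes.
         *
         * @return a validator for the new subtree, or {@code null} when the subtree needs no
         *     further validation by this provider
         */
        @Override
        @Nullable
        public Validator childNodeAdded(String name, NodeState after) throws CommitFailedException {
            Tree parent = getParentAfter();
            Tree added = ExternalUserValidatorProvider.this.treeProvider.createReadOnlyTree(parent, name, after);
            if (definedSecurityContext(added, null)) {
                return null;
            }
            if (isExternalIdentity(added)) {
                handleViolation(String.format("Attempt to add protected external identity '%s'", added.getPath()));
                return null;
            }
            if (isModifyingExternalIdentity(this.isExternalIdentity, added, null)) {
                handleViolation(String.format("Attempt to add node '%s' to protected external identity node '%s'", name, parent.getPath()));
                return null;
            }
            // A newly added authorizable without rep:externalId is not descended into.
            if (UserUtil.isType(added, AuthorizableType.AUTHORIZABLE)) {
                return null;
            }
            return new ExternalUserValidator(this, added, false);
        }

        /**
         * Descends into a changed child node unless it is defined by another security module.
         *
         * <p>Keeps the exact {@code Validator} callback name so that it actually overrides the
         * inherited {@link DefaultValidator} callback.
         */
        @Override
        @Nullable
        public Validator childNodeChanged(String name, NodeState before, NodeState after) {
            Tree beforeTree = ExternalUserValidatorProvider.this.treeProvider.createReadOnlyTree(getParentBefore(), name, before);
            Tree afterTree = ExternalUserValidatorProvider.this.treeProvider.createReadOnlyTree(getParentAfter(), name, after);
            if (definedSecurityContext(beforeTree, null)) {
                return null;
            }
            return new ExternalUserValidator(this, beforeTree, afterTree);
        }

        /**
         * Checks a deleted child node.
         *
         * <p>Keeps the exact {@code Validator} callback name so that it actually overrides the
         * inherited {@link DefaultValidator} callback.
         *
         * @return a validator for the removed subtree, or {@code null} when no further
         *     validation is needed or a violation was handled
         */
        @Override
        @Nullable
        public Validator childNodeDeleted(String name, NodeState before) throws CommitFailedException {
            Tree removed = ExternalUserValidatorProvider.this.treeProvider.createReadOnlyTree(getParentBefore(), name, before);
            if (definedSecurityContext(removed, null)) {
                return null;
            }
            if (isExternalIdentity(removed)) {
                handleViolation(String.format("Attempt to remove protected external identity '%s'", removed.getPath()));
                return null;
            }
            if (isModifyingExternalIdentity(this.isExternalIdentity, removed, null)) {
                handleViolation(String.format("Attempt to remove node '%s' from protected external identity", removed.getPath()));
                return null;
            }
            return new ExternalUserValidator(this, removed, true);
        }

        /** Inherits the external-identity flag from the parent validator, else derives it from {@code tree}. */
        private void setExternalIdentity(@NotNull ExternalUserValidator parentValidator, @NotNull Tree tree) {
            this.isExternalIdentity = parentValidator.isExternalIdentity || isExternalIdentity(tree);
        }

        /** An external identity is an authorizable tree that has a {@code rep:externalId} property. */
        private boolean isExternalIdentity(@NotNull Tree tree) {
            return UserUtil.isType(tree, AuthorizableType.AUTHORIZABLE) && tree.hasProperty("rep:externalId");
        }

        /** Returns the before-side parent, defaulting to the authorizable root of the before root. */
        @NotNull
        private Tree getParentBefore() {
            if (this.parentBefore == null) {
                this.parentBefore = ExternalUserValidatorProvider.this.rootBefore.getTree(ExternalUserValidatorProvider.this.authorizableRootPath);
            }
            return this.parentBefore;
        }

        /** Returns the after-side parent, defaulting to the authorizable root of the after root. */
        @NotNull
        private Tree getParentAfter() {
            if (this.parentAfter == null) {
                this.parentAfter = ExternalUserValidatorProvider.this.rootAfter.getTree(ExternalUserValidatorProvider.this.authorizableRootPath);
            }
            return this.parentAfter;
        }

        /** A change counts as a violation candidate only inside an external identity and on a protected item. */
        private boolean isModifyingExternalIdentity(boolean insideExternalIdentity, @NotNull Tree tree, @Nullable PropertyState propertyState) {
            return insideExternalIdentity && isProtected(tree, propertyState);
        }

        /**
         * Asks the protection config whether the tree ({@code propertyState == null}) or the
         * property is protected.
         */
        private boolean isProtected(@NotNull Tree tree, @Nullable PropertyState propertyState) {
            if (propertyState == null) {
                return ExternalUserValidatorProvider.this.protectionConfig.isProtectedTree(tree);
            }
            // jcr:mixinTypes is exempt regardless of what the protection config would answer.
            if ("jcr:mixinTypes".equals(propertyState.getName())) {
                return false;
            }
            return ExternalUserValidatorProvider.this.protectionConfig.isProtectedProperty(tree, propertyState);
        }

        /** Returns {@code true} if a non-user security configuration defines the property or, when it is {@code null}, the tree. */
        private boolean definedSecurityContext(@NotNull Tree tree, @Nullable PropertyState propertyState) {
            Context ctx = ExternalUserValidatorProvider.this.aggregatedCtx;
            return propertyState != null ? ctx.definesProperty(tree, propertyState) : ctx.definesTree(tree);
        }

        /**
         * Reports a protection violation.
         *
         * <p>With {@link IdentityProtectionType#WARN} the message is only logged and the caller
         * continues, so the modification is not blocked here. Every other protection type fails
         * the commit.
         *
         * @throws CommitFailedException of type {@code "Constraint"} with code 76 when the
         *     protection type is not {@code WARN}
         */
        private void handleViolation(@NotNull String msg) throws CommitFailedException {
            if (ExternalUserValidatorProvider.this.protectionType != IdentityProtectionType.WARN) {
                throw new CommitFailedException("Constraint", 76, msg);
            }
            ExternalUserValidatorProvider.log.warn(msg);
        }
    }

    /**
     * Creates the provider.
     *
     * @param rootProvider used to build read-only roots for the before and after states
     * @param treeProvider used to build read-only trees for child nodes
     * @param securityProvider source of the user configuration parameters and of the other
     *     security configurations' contexts
     * @param identityProtectionType protection mode; must not be {@link IdentityProtectionType#NONE}
     * @param protectionConfig decides which trees and properties of an external identity are protected
     * @throws IllegalArgumentException presumably, via {@code Validate.checkArgument}, when the
     *     protection type is {@code NONE} - confirm against {@code Validate}
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public ExternalUserValidatorProvider(@NotNull RootProvider rootProvider, @NotNull TreeProvider treeProvider, @NotNull SecurityProvider securityProvider, @NotNull IdentityProtectionType identityProtectionType, @NotNull ProtectionConfig protectionConfig) {
        Validate.checkArgument(identityProtectionType != IdentityProtectionType.NONE);
        this.rootProvider = rootProvider;
        this.treeProvider = treeProvider;
        this.protectionType = identityProtectionType;
        this.protectionConfig = protectionConfig;
        this.authorizableRootPath = UserUtil.getAuthorizableRootPath(securityProvider.getParameters("org.apache.jackrabbit.oak.user"), AuthorizableType.AUTHORIZABLE);
        this.aggregatedCtx = new AggregatedContext(securityProvider);
    }

    /**
     * Builds the validator for one commit.
     *
     * @param nodeState root state before the commit
     * @param nodeState2 root state after the commit
     * @param commitInfo commit metadata; not used by this provider
     * @return a {@link SubtreeValidator} built from the path elements of the authorizable root
     *     path and a fresh root-level {@code ExternalUserValidator}
     */
    @Override
    @NotNull
    protected Validator getRootValidator(NodeState nodeState, NodeState nodeState2, CommitInfo commitInfo) {
        this.rootBefore = this.rootProvider.createReadOnlyRoot(nodeState);
        this.rootAfter = this.rootProvider.createReadOnlyRoot(nodeState2);
        return new SubtreeValidator(new ExternalUserValidator(), (String[]) IterableUtils.toArray(PathUtils.elements(this.authorizableRootPath), String.class));
    }
}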
