package org.apache.jackrabbit.oak.spi.security.authentication.external.impl.principal;

import java.util.Objects;
import java.util.Set;
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.commons.PathUtils;
import org.apache.jackrabbit.oak.commons.collections.IterableUtils;
import org.apache.jackrabbit.oak.commons.collections.SetUtils;
import org.apache.jackrabbit.oak.plugins.tree.RootProvider;
import org.apache.jackrabbit.oak.plugins.tree.TreeProvider;
import org.apache.jackrabbit.oak.spi.commit.CommitInfo;
import org.apache.jackrabbit.oak.spi.commit.DefaultValidator;
import org.apache.jackrabbit.oak.spi.commit.SubtreeValidator;
import org.apache.jackrabbit.oak.spi.commit.Validator;
import org.apache.jackrabbit.oak.spi.commit.ValidatorProvider;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityRef;
import org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalIdentityConstants;
import org.apache.jackrabbit.oak.spi.security.user.AuthorizableType;
import org.apache.jackrabbit.oak.spi.security.user.util.UserUtil;
import org.apache.jackrabbit.oak.spi.state.NodeState;
import org.jetbrains.annotations.NotNull;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/DynamicGroupValidatorProvider.class */
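/**
 * Commit validator provider that rejects commits which add members to a dynamic group.
 *
 * <p>A group counts as dynamic when it is a group-type authorizable, carries a
 * {@code rep:externalId} property, and the provider name parsed from that property is
 * contained in {@link #idpNamesWithDynamicGroups}. Only additions are rejected: new member
 * properties, new member references in an existing member property, and new members-type
 * child nodes. Removing member references is not rejected here.
 *
 * <p>This listing is decompiler output. The two {@code childNode*} callbacks had been renamed
 * by the decompiler ({@code m19childNodeAdded}, {@code m18childNodeChanged}), so they no longer
 * overrode the {@link DefaultValidator} callbacks; the original names are restored below.
 *
 * <p>NOTE(review): {@link #rootBefore} and {@link #rootAfter} are mutable state on the provider
 * and are reassigned on every {@link #getRootValidator} call, so one instance should not serve
 * concurrent commits - confirm how callers instantiate this class.
 */
public class DynamicGroupValidatorProvider extends ValidatorProvider implements ExternalIdentityConstants {
    private final RootProvider rootProvider;
    private final TreeProvider treeProvider;
    /** Names of the identity providers whose groups are treated as dynamic. */
    private final Set<String> idpNamesWithDynamicGroups;
    /** Repository path below which groups are stored; the validator only runs on this subtree. */
    private final String groupRootPath;
    // Read-only roots of the state before/after the commit; assigned in getRootValidator.
    private Root rootBefore;
    private Root rootAfter;

    /**
     * Validator for one node below the group root. It carries the before/after tree of that
     * node and whether the node lies at or below a dynamic group.
     */
    private class DynamicGroupValidator extends DefaultValidator {
        // Both parents are resolved lazily to the group root when left unset (see the getters).
        private Tree parentBefore;
        private Tree parentAfter;
        /** True once a dynamic group has been found at or above the validated node. */
        private final boolean isDynamicGroup;

        /** Creates the validator for the group root itself; parents are resolved on demand. */
        private DynamicGroupValidator() {
            this.isDynamicGroup = false;
        }

        /** Creates the validator for a changed node that exists in both states. */
        private DynamicGroupValidator(@NotNull Tree before, @NotNull Tree after, boolean isDynamicGroup) {
            this.parentBefore = before;
            this.parentAfter = after;
            this.isDynamicGroup = isDynamicGroup;
        }

        /** Creates the validator for an added node, which has no before state. */
        private DynamicGroupValidator(@NotNull Tree after, boolean isDynamicGroup) {
            this.parentAfter = after;
            this.isDynamicGroup = isDynamicGroup;
        }

        /**
         * Rejects a newly added member property inside a dynamic group.
         *
         * @throws CommitFailedException if the property is a member property of a dynamic group
         */
        public void propertyAdded(PropertyState after) throws CommitFailedException {
            if (this.isDynamicGroup && DynamicGroupUtil.isMemberProperty(after)) {
                throw commitFailedException(getParentAfter());
            }
        }

        /**
         * Rejects a changed member property of a dynamic group when it gained values.
         * Values that were only removed do not fail the commit.
         *
         * @throws CommitFailedException if the new value set holds entries the old one lacked
         */
        public void propertyChanged(PropertyState before, PropertyState after) throws CommitFailedException {
            if (!this.isDynamicGroup || !DynamicGroupUtil.isMemberProperty(before)) {
                return;
            }
            Set<String> refsBefore = SetUtils.toSet(before.getValue(Type.STRINGS));
            Set<String> addedRefs = SetUtils.toSet(after.getValue(Type.STRINGS));
            // What remains after removing the old values is exactly what the commit added.
            addedRefs.removeAll(refsBefore);
            if (!addedRefs.isEmpty()) {
                throw commitFailedException(getParentBefore());
            }
        }

        /**
         * Validates an added child node. Restored to its original name so that it overrides
         * the {@link DefaultValidator} callback again; under the decompiler-generated name the
         * check would not have been part of the validator contract.
         *
         * @return a validator for the subtree, or {@code null} for a group that is not dynamic
         * @throws CommitFailedException if a members-type node is added at or below a dynamic group
         */
        public Validator childNodeAdded(String name, NodeState after) throws CommitFailedException {
            Tree addedTree = DynamicGroupValidatorProvider.this.treeProvider.createReadOnlyTree(getParentAfter(), name, after);
            if (isDynamicGroup(this, addedTree)) {
                if (DynamicGroupUtil.isMembersType(addedTree)) {
                    throw commitFailedException(getParentAfter());
                }
                return new DynamicGroupValidator(addedTree, true);
            }
            if (DynamicGroupUtil.isGroup(addedTree)) {
                // A group that is not dynamic needs no further validation.
                return null;
            }
            // Not a group (yet): keep descending, groups may be nested further down.
            return new DynamicGroupValidator(addedTree, false);
        }

        /**
         * Validates a modified child node. Restored to its original name so that it overrides
         * the {@link DefaultValidator} callback again.
         *
         * <p>NOTE(review): whether the node is dynamic is decided from its before state only.
         * A commit that changes {@code rep:externalId} and adds members at the same time is
         * therefore not covered by this check - confirm that property is protected elsewhere.
         *
         * @return a validator for the subtree, or {@code null} for a group that is not dynamic
         */
        public Validator childNodeChanged(String name, NodeState before, NodeState after) {
            Tree beforeTree = DynamicGroupValidatorProvider.this.treeProvider.createReadOnlyTree(getParentBefore(), name, before);
            Tree afterTree = DynamicGroupValidatorProvider.this.treeProvider.createReadOnlyTree(getParentAfter(), name, after);
            boolean dynamic = isDynamicGroup(this, beforeTree);
            if (!dynamic && DynamicGroupUtil.isGroup(beforeTree)) {
                // A group that is not dynamic needs no further validation.
                return null;
            }
            return new DynamicGroupValidator(beforeTree, afterTree, dynamic);
        }

        /** Returns true if the parent validator is already inside a dynamic group or the tree is one. */
        private boolean isDynamicGroup(@NotNull DynamicGroupValidator parentValidator, @NotNull Tree tree) {
            return parentValidator.isDynamicGroup || isDynamicGroup(tree);
        }

        /**
         * Returns true if the tree is a group whose {@code rep:externalId} names one of the
         * configured identity providers.
         */
        private boolean isDynamicGroup(@NotNull Tree tree) {
            if (!UserUtil.isType(tree, AuthorizableType.GROUP)) {
                return false;
            }
            PropertyState externalId = tree.getProperty("rep:externalId");
            if (externalId == null) {
                // Without an external id the group is not tied to any identity provider.
                return false;
            }
            String providerName = ExternalIdentityRef.fromString(externalId.getValue(Type.STRING)).getProviderName();
            return providerName != null && DynamicGroupValidatorProvider.this.idpNamesWithDynamicGroups.contains(providerName);
        }

        /** Returns the before-state tree of this node, falling back to the group root. */
        @NotNull
        private Tree getParentBefore() {
            if (this.parentBefore == null) {
                this.parentBefore = DynamicGroupValidatorProvider.this.rootBefore.getTree(DynamicGroupValidatorProvider.this.groupRootPath);
            }
            return this.parentBefore;
        }

        /** Returns the after-state tree of this node, falling back to the group root. */
        @NotNull
        private Tree getParentAfter() {
            if (this.parentAfter == null) {
                this.parentAfter = DynamicGroupValidatorProvider.this.rootAfter.getTree(DynamicGroupValidatorProvider.this.groupRootPath);
            }
            return this.parentAfter;
        }

        /** Builds the constraint violation (code 77) naming the affected group id and path. */
        @NotNull
        private CommitFailedException commitFailedException(@NotNull Tree tree) {
            String message = String.format("Attempt to add members to dynamic group '%s' at '%s'", DynamicGroupUtil.findGroupIdInHierarchy(tree), tree.getPath());
            return new CommitFailedException("Constraint", 77, message);
        }
    }

    /**
     * Creates the provider. The decompiler widened this constructor from package-private.
     *
     * @param rootProvider used to create read-only roots of the before and after state
     * @param treeProvider used to create read-only trees for visited child nodes
     * @param securityProvider source of the user configuration that holds the group root path
     * @param set names of the identity providers with dynamic groups; if empty, nothing is validated
     * @throws NullPointerException if no group root path can be determined
     */
    public DynamicGroupValidatorProvider(@NotNull RootProvider rootProvider, @NotNull TreeProvider treeProvider, @NotNull SecurityProvider securityProvider, @NotNull Set<String> set) {
        this.rootProvider = rootProvider;
        this.treeProvider = treeProvider;
        this.idpNamesWithDynamicGroups = set;
        this.groupRootPath = Objects.requireNonNull(UserUtil.getAuthorizableRootPath(securityProvider.getParameters("org.apache.jackrabbit.oak.user"), AuthorizableType.GROUP));
    }

    /**
     * Returns the validator for one commit.
     *
     * @param nodeState root state before the commit
     * @param nodeState2 root state after the commit
     * @param commitInfo not used by this provider
     * @return a no-op validator when no identity provider has dynamic groups, otherwise a
     *         validator restricted to the subtree at the group root path
     */
    @NotNull
    protected Validator getRootValidator(NodeState nodeState, NodeState nodeState2, CommitInfo commitInfo) {
        if (this.idpNamesWithDynamicGroups.isEmpty()) {
            return DefaultValidator.INSTANCE;
        }
        this.rootBefore = this.rootProvider.createReadOnlyRoot(nodeState);
        this.rootAfter = this.rootProvider.createReadOnlyRoot(nodeState2);
        String[] groupRootElements = (String[]) IterableUtils.toArray(PathUtils.elements(this.groupRootPath), String.class);
        return new SubtreeValidator(new DynamicGroupValidator(), groupRootElements);
    }
}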
