package org.apache.jackrabbit.oak.spi.security.authorization.cug.impl;

import com.google.common.base.Predicates;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterables;
import java.security.Principal;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.commons.PathUtils;
import org.apache.jackrabbit.oak.plugins.tree.RootFactory;
import org.apache.jackrabbit.oak.plugins.tree.TreeLocation;
import org.apache.jackrabbit.oak.spi.security.Context;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregatedPermissionProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.RepositoryPermission;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
import org.apache.jackrabbit.oak.spi.state.NodeState;
import org.apache.jackrabbit.oak.util.TreeUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProvider.class */
public class CugPermissionProvider implements PermissionProvider, AggregatedPermissionProvider, CugConstants {
    private static final Logger log = LoggerFactory.getLogger(CugPermissionProvider.class);
    private static final Set<String> READ_NAMES = ImmutableSet.of("read", Permissions.PERMISSION_NAMES.get(3L), Permissions.PERMISSION_NAMES.get(1L), Permissions.PERMISSION_NAMES.get(2L));
    private static final Set<String> READ_PRIVILEGE_NAMES = ImmutableSet.of("jcr:read", "rep:readNodes", "rep:readProperties");
    private static final Set<PrivilegeBits> READ_PRIVILEGE_BITS = ImmutableSet.of(PrivilegeBits.BUILT_IN.get("jcr:read"), PrivilegeBits.BUILT_IN.get("rep:readNodes"), PrivilegeBits.BUILT_IN.get("rep:readProperties"));
    private final Root root;
    private final Set<String> principalNames;
    private final Context ctx;
    private final SupportedPaths supportedPaths;
    private Root immutableRoot;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProvider$CugTreePermission.class */
    public final class CugTreePermission implements TreePermission {
        private final Tree tree;
        private final boolean allow;

        private CugTreePermission(@Nonnull Tree tree, boolean z) {
            this.tree = tree;
            this.allow = z;
        }

        @Nonnull
        public TreePermission getChildPermission(@Nonnull String str, @Nonnull NodeState nodeState) {
            return CugPermissionProvider.this.getTreePermission(this.tree.getChild(str), this);
        }

        public boolean canRead() {
            return this.allow;
        }

        public boolean canRead(@Nonnull PropertyState propertyState) {
            return this.allow;
        }

        public boolean canReadAll() {
            return false;
        }

        public boolean canReadProperties() {
            return false;
        }

        public boolean isGranted(long j) {
            return this.allow && j == 1;
        }

        public boolean isGranted(long j, @Nonnull PropertyState propertyState) {
            return this.allow && j == 2;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProvider$EmptyCugPermission.class */
    public final class EmptyCugPermission implements TreePermission {
        private Tree tree;

        private EmptyCugPermission(@Nonnull Tree tree) {
            this.tree = tree;
        }

        @Nonnull
        public TreePermission getChildPermission(@Nonnull String str, @Nonnull NodeState nodeState) {
            return CugPermissionProvider.this.getTreePermission(this.tree.getChild(str), this);
        }

        public boolean canRead() {
            return false;
        }

        public boolean canRead(@Nonnull PropertyState propertyState) {
            return false;
        }

        public boolean canReadAll() {
            return false;
        }

        public boolean canReadProperties() {
            return false;
        }

        public boolean isGranted(long j) {
            return false;
        }

        public boolean isGranted(long j, @Nonnull PropertyState propertyState) {
            return false;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public CugPermissionProvider(@Nonnull Root root, @Nonnull Set<Principal> set, @Nonnull Set<String> set2, @Nonnull Context context) {
        this.root = root;
        this.immutableRoot = RootFactory.createReadOnlyRoot(root);
        this.principalNames = new HashSet(set.size());
        Iterator it = Iterables.filter(set, Predicates.notNull()).iterator();
        while (it.hasNext()) {
            this.principalNames.add(((Principal) it.next()).getName());
        }
        this.supportedPaths = new SupportedPaths(set2);
        this.ctx = context;
    }

    public boolean handles(@Nonnull String str, @Nonnull String str2) {
        return isReadAction(str2) && includesCug(this.immutableRoot.getTree(str), str);
    }

    public boolean handles(@Nonnull Tree tree, @Nonnull PrivilegeBits privilegeBits) {
        return READ_PRIVILEGE_BITS.contains(privilegeBits) && includesCug(tree, tree.getPath());
    }

    public boolean handles(@Nonnull Tree tree, long j) {
        return isRead(j) && includesCug(tree, tree.getPath());
    }

    public boolean handles(@Nonnull TreePermission treePermission, long j) {
        if (isRead(j)) {
            return treePermission instanceof CugTreePermission;
        }
        return false;
    }

    public boolean handlesRepositoryPermissions() {
        return false;
    }

    public void refresh() {
        this.immutableRoot = RootFactory.createReadOnlyRoot(this.root);
    }

    @Nonnull
    public Set<String> getPrivileges(@Nullable Tree tree) {
        return (tree == null || !canRead(tree)) ? Collections.emptySet() : READ_PRIVILEGE_NAMES;
    }

    public boolean hasPrivileges(@Nullable Tree tree, @Nonnull String... strArr) {
        if (tree == null) {
            return false;
        }
        for (String str : strArr) {
            if (!READ_PRIVILEGE_NAMES.contains(str)) {
                return false;
            }
        }
        return canRead(tree);
    }

    @Nonnull
    public RepositoryPermission getRepositoryPermission() {
        throw new UnsupportedOperationException("Not supported");
    }

    @Nonnull
    public TreePermission getTreePermission(@Nonnull Tree tree, @Nonnull TreePermission treePermission) {
        TreePermission createCugPermission;
        Tree immutableTree = getImmutableTree(tree);
        if ((treePermission == TreePermission.EMPTY && !immutableTree.isRoot()) || isAcContent(immutableTree, true)) {
            return TreePermission.EMPTY;
        }
        if (treePermission instanceof CugTreePermission) {
            createCugPermission = new CugTreePermission(immutableTree, ((CugTreePermission) treePermission).allow);
            if (hasCug(immutableTree)) {
                createCugPermission = createCugPermission(immutableTree, createCugPermission);
            }
        } else {
            String path = immutableTree.getPath();
            createCugPermission = this.supportedPaths.includes(path) ? createCugPermission(immutableTree, null) : this.supportedPaths.mayContainCug(path) ? new EmptyCugPermission(immutableTree) : TreePermission.EMPTY;
        }
        return createCugPermission;
    }

    public boolean isGranted(@Nonnull Tree tree, PropertyState propertyState, long j) {
        if (isRead(j)) {
            return canRead(tree);
        }
        return false;
    }

    public boolean isGranted(@Nonnull String str, @Nonnull String str2) {
        Tree tree;
        TreeLocation create = TreeLocation.create(this.immutableRoot, str);
        long permissions = Permissions.getPermissions(str2, create, isAcContent(create));
        if (!isRead(permissions)) {
            return false;
        }
        PropertyState property = create.getProperty();
        Tree tree2 = property == null ? create.getTree() : create.getParent().getTree();
        while (true) {
            tree = tree2;
            if (tree != null || PathUtils.denotesRoot(create.getPath())) {
                break;
            }
            create = create.getParent();
            tree2 = create.getTree();
        }
        if (tree != null) {
            return isGranted(tree, property, permissions);
        }
        return false;
    }

    private static boolean isRead(long j) {
        return j == 1 || j == 2 || j == 3;
    }

    private static boolean isReadAction(@Nonnull String str) {
        return READ_NAMES.contains(str);
    }

    private static boolean hasCug(@Nonnull Tree tree) {
        return tree.exists() && tree.hasChild(CugConstants.REP_CUG_POLICY);
    }

    private boolean isAcContent(@Nonnull Tree tree, boolean z) {
        return z ? this.ctx.definesContextRoot(tree) : this.ctx.definesTree(tree);
    }

    private boolean isAcContent(@Nonnull TreeLocation treeLocation) {
        return this.ctx.definesLocation(treeLocation);
    }

    private boolean includesCug(@Nonnull Tree tree, @Nonnull String str) {
        return getCugRoot(tree, str) != null;
    }

    @CheckForNull
    private Tree getCugRoot(@Nonnull Tree tree, @Nonnull String str) {
        if (!this.supportedPaths.includes(str)) {
            return null;
        }
        Tree immutableTree = getImmutableTree(tree);
        if (hasCug(immutableTree)) {
            return immutableTree;
        }
        while (!immutableTree.isRoot()) {
            if (!this.supportedPaths.includes(PathUtils.getParentPath(str))) {
                return null;
            }
            immutableTree = immutableTree.getParent();
            if (hasCug(immutableTree)) {
                return immutableTree;
            }
        }
        return null;
    }

    private boolean canRead(@Nonnull Tree tree) {
        Tree cugRoot;
        Tree immutableTree = getImmutableTree(tree);
        return (isAcContent(immutableTree, false) || (cugRoot = getCugRoot(immutableTree, immutableTree.getPath())) == null || !createCugPermission(cugRoot, null).canRead()) ? false : true;
    }

    @Nonnull
    private Tree getImmutableTree(@Nonnull Tree tree) {
        return TreeUtil.isReadOnlyTree(tree) ? tree : this.immutableRoot.getTree(tree.getPath());
    }

    @Nonnull
    private TreePermission createCugPermission(@Nonnull Tree tree, @Nullable TreePermission treePermission) {
        Tree child = tree.getChild(CugConstants.REP_CUG_POLICY);
        if (CugUtil.definesCug(child)) {
            PropertyState property = child.getProperty(CugConstants.REP_PRINCIPAL_NAMES);
            if (property != null) {
                boolean z = false;
                Iterator it = ((Iterable) property.getValue(Type.STRINGS)).iterator();
                while (true) {
                    if (!it.hasNext()) {
                        break;
                    }
                    if (this.principalNames.contains((String) it.next())) {
                        z = true;
                        break;
                    }
                }
                return new CugTreePermission(tree, z);
            }
            log.warn("Tree at {0} doesn't represent a valid CUG.", child.getPath());
        }
        return treePermission == null ? new EmptyCugPermission(tree) : treePermission;
    }
}
