package org.apache.jackrabbit.oak.spi.security.authorization.cug.impl;

import com.google.common.base.Function;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterables;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Set;
import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.jcr.RepositoryException;
import javax.jcr.security.AccessControlException;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.commons.iterator.AccessControlPolicyIteratorAdapter;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.commons.PathUtils;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlManager;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.PolicyOwner;
import org.apache.jackrabbit.oak.spi.security.authorization.cug.CugPolicy;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalConfiguration;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
import org.apache.jackrabbit.oak.util.TreeUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugAccessControlManager.class */
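/**
 * Access control manager that exposes and edits closed user group (CUG) policies.
 *
 * <p>A CUG policy is stored in a {@code rep:cugPolicy} child of the node it applies to and
 * carries the names of the principals it refers to. The only privilege this manager reports
 * as supported is {@code jcr:read}. Principal-based lookups are not supported and always
 * return empty results.</p>
 *
 * <p>Every path-based operation first checks that the path lies in a configured supported
 * location (see {@link CugUtil#isSupportedPath}) and then resolves the tree through the
 * inherited {@code getTree(path, permissions, checkAcContent)} helper.</p>
 *
 * <p>NOTE(review): this listing is decompiler output. The permission bit masks below were
 * inlined as bare numbers; they are believed to match Oak's {@code Permissions} constants of
 * the same name and should be confirmed against the Oak version in use.</p>
 */
public class CugAccessControlManager extends AbstractAccessControlManager implements CugConstants, PolicyOwner {
    private static final Logger log = LoggerFactory.getLogger(CugAccessControlManager.class);

    // Inlined permission masks, presumably Permissions.NO_PERMISSION / READ_ACCESS_CONTROL /
    // MODIFY_ACCESS_CONTROL. Confirm before changing.
    private static final long PERM_NONE = 0L;
    private static final long PERM_READ_ACCESS_CONTROL = 128L;
    private static final long PERM_MODIFY_ACCESS_CONTROL = 256L;

    // Name of the single privilege a CUG can express.
    private static final String READ_PRIVILEGE_NAME = "jcr:read";
    // Location of the node type definitions used for mixin and child-node type checks.
    private static final String NODE_TYPE_ROOT_PATH = "/jcr:system/jcr:nodeTypes";

    private final ConfigurationParameters config;
    private final PrincipalManager principalManager;

    /**
     * Creates a manager bound to the given root.
     *
     * @param root the root the policies are read from and written to
     * @param namePathMapper mapper between JCR and Oak paths
     * @param securityProvider source of the authorization parameters and the principal manager
     */
    public CugAccessControlManager(@Nonnull Root root, @Nonnull NamePathMapper namePathMapper, @Nonnull SecurityProvider securityProvider) {
        super(root, namePathMapper, securityProvider);
        this.config = securityProvider.getConfiguration(AuthorizationConfiguration.class).getParameters();
        this.principalManager = securityProvider.getConfiguration(PrincipalConfiguration.class).getPrincipalManager(root, namePathMapper);
    }

    /**
     * Returns {@code jcr:read} for a supported path and an empty array otherwise.
     *
     * @param str the JCR path, or {@code null}
     * @return the supported privileges, never {@code null}
     * @throws RepositoryException if the path cannot be resolved
     */
    @Nonnull
    public Privilege[] getSupportedPrivileges(@Nullable String str) throws RepositoryException {
        if (isSupportedPath(getOakPath(str))) {
            return new Privilege[]{privilegeFromName(READ_PRIVILEGE_NAME)};
        }
        return new Privilege[0];
    }

    /**
     * Returns the CUG policy set at the given path, if any.
     *
     * @param str the JCR path
     * @return a one-element array holding the policy, or an empty array when the path is
     *         {@code null}, unsupported, or carries no CUG policy
     * @throws RepositoryException if the path cannot be resolved or read
     */
    public AccessControlPolicy[] getPolicies(String str) throws RepositoryException {
        String oakPath = getOakPath(str);
        if (oakPath == null || !isSupportedPath(oakPath)) {
            return new AccessControlPolicy[0];
        }
        AccessControlPolicy existing = getCugPolicy(oakPath);
        if (existing == null) {
            return new AccessControlPolicy[0];
        }
        return new AccessControlPolicy[]{existing};
    }

    /**
     * Collects the CUG policies in effect at the given path by walking from the path up to
     * the root.
     *
     * <p>Returns an empty array when CUG evaluation is disabled in the configuration.</p>
     *
     * @param str the JCR path
     * @return the policies found on the path and its ancestors, closest first
     * @throws RepositoryException if the path cannot be resolved or read
     */
    public AccessControlPolicy[] getEffectivePolicies(String str) throws RepositoryException {
        String oakPath = getOakPath(str);
        // Called for its checks only; the returned tree is not used.
        getTree(oakPath, PERM_READ_ACCESS_CONTROL, true);

        Boolean enabled = this.config.getConfigValue(CugConstants.PARAM_CUG_ENABLED, false);
        if (!enabled) {
            return new AccessControlPolicy[0];
        }

        // NOTE(review): the check above is made for the requested path only. The ancestors
        // below are read from the latest root without a further getTree(...) call, so the
        // result can include policies on ancestors that were not checked individually.
        // Confirm this matches the intended disclosure model for effective policies.
        Root latestRoot = getRoot().getContentSession().getLatestRoot();
        ArrayList<AccessControlPolicy> effective = new ArrayList<AccessControlPolicy>();
        String current = oakPath;
        while (current != null) {
            if (isSupportedPath(current)) {
                CugPolicy found = getCugPolicy(current, latestRoot.getTree(current));
                if (found != null) {
                    effective.add(found);
                }
            }
            current = PathUtils.denotesRoot(current) ? null : PathUtils.getAncestorPath(current, 1);
        }
        return effective.toArray(new AccessControlPolicy[effective.size()]);
    }

    /**
     * Returns a new, empty CUG policy when one can be applied at the given path.
     *
     * @param str the JCR path
     * @return an iterator over a single new policy, or an empty iterator when the path is
     *         {@code null}, unsupported, or already carries a CUG policy
     * @throws RepositoryException if the path cannot be resolved or read
     */
    public AccessControlPolicyIterator getApplicablePolicies(String str) throws RepositoryException {
        String oakPath = getOakPath(str);
        if (oakPath == null || !isSupportedPath(oakPath)) {
            return AccessControlPolicyIteratorAdapter.EMPTY;
        }
        if (getCugPolicy(oakPath) != null) {
            // A policy already exists here; it has to be edited rather than re-created.
            return AccessControlPolicyIteratorAdapter.EMPTY;
        }
        CugPolicyImpl fresh = new CugPolicyImpl(oakPath, getNamePathMapper(), this.principalManager, CugUtil.getImportBehavior(this.config));
        return new AccessControlPolicyIteratorAdapter(ImmutableSet.of(fresh));
    }

    /**
     * Removes the CUG policy stored at the given path.
     *
     * @param str the JCR path
     * @param accessControlPolicy the policy to remove; must be a {@code CugPolicyImpl} whose
     *        path equals {@code str}
     * @throws AccessControlException if the path is unsupported, the policy is invalid, or
     *         the {@code rep:cugPolicy} child does not define a CUG
     * @throws RepositoryException if the path cannot be resolved or modified
     */
    public void removePolicy(String str, AccessControlPolicy accessControlPolicy) throws RepositoryException {
        String oakPath = getOakPath(str);
        if (!isSupportedPath(oakPath)) {
            throw new AccessControlException("Unsupported path: " + str);
        }
        checkValidPolicy(str, accessControlPolicy);

        Tree cugTree = getTree(oakPath, PERM_MODIFY_ACCESS_CONTROL, true).getChild(CugConstants.REP_CUG_POLICY);
        // Only remove a node that really is a CUG policy, never an unrelated child that
        // happens to use the reserved name.
        if (!CugUtil.definesCug(cugTree)) {
            throw new AccessControlException("Unexpected primary type of node rep:cugPolicy.");
        }
        cugTree.remove();
    }

    /**
     * Writes the principal names of the given policy to the {@code rep:cugPolicy} child of the
     * target node, adding the CUG mixin and the child node when they are missing.
     *
     * @param str the JCR path
     * @param accessControlPolicy the policy to store; must be a {@code CugPolicyImpl} whose
     *        path equals {@code str}
     * @throws AccessControlException if the path is unsupported, the policy is invalid, or an
     *         existing {@code rep:cugPolicy} child does not define a CUG
     * @throws RepositoryException if the path cannot be resolved or modified
     */
    public void setPolicy(String str, AccessControlPolicy accessControlPolicy) throws RepositoryException {
        String oakPath = getOakPath(str);
        if (!isSupportedPath(oakPath)) {
            throw new AccessControlException("Unsupported path: " + str);
        }
        checkValidPolicy(str, accessControlPolicy);

        Tree target = getTree(oakPath, PERM_MODIFY_ACCESS_CONTROL, true);
        Tree typeRoot = getRoot().getTree(NODE_TYPE_ROOT_PATH);
        if (!TreeUtil.isNodeType(target, CugConstants.MIX_REP_CUG_MIXIN, typeRoot)) {
            TreeUtil.addMixin(target, CugConstants.MIX_REP_CUG_MIXIN, typeRoot, (String) null);
        }

        Tree cugTree;
        if (target.hasChild(CugConstants.REP_CUG_POLICY)) {
            cugTree = target.getChild(CugConstants.REP_CUG_POLICY);
            // Refuse to write principal names into a child that is not a CUG policy node.
            if (!CugUtil.definesCug(cugTree)) {
                throw new AccessControlException("Unexpected primary type of node rep:cugPolicy.");
            }
        } else {
            cugTree = TreeUtil.addChild(target, CugConstants.REP_CUG_POLICY, CugConstants.NT_REP_CUG_POLICY, typeRoot, (String) null);
        }
        // The cast is safe: checkValidPolicy above rejects every other implementation.
        cugTree.setProperty(CugConstants.REP_PRINCIPAL_NAMES, ((CugPolicyImpl) accessControlPolicy).getPrincipalNames(), Type.STRINGS);
    }

    /**
     * Principal-based policies are not supported.
     *
     * @param principal ignored
     * @return always an empty array
     */
    public JackrabbitAccessControlPolicy[] getApplicablePolicies(Principal principal) throws RepositoryException {
        return new JackrabbitAccessControlPolicy[0];
    }

    /**
     * Principal-based policies are not supported.
     *
     * @param principal ignored
     * @return always an empty array
     */
    public JackrabbitAccessControlPolicy[] getPolicies(Principal principal) throws RepositoryException {
        return new JackrabbitAccessControlPolicy[0];
    }

    /**
     * Principal-based effective policies are not supported.
     *
     * @param set ignored
     * @return always an empty array
     */
    public AccessControlPolicy[] getEffectivePolicies(Set<Principal> set) throws RepositoryException {
        return new AccessControlPolicy[0];
    }

    /**
     * Tells whether the given policy is one this manager handles for the given path.
     *
     * @param str the path to compare with the policy's own path, or {@code null}
     * @param accessControlPolicy the policy to test
     * @return {@code true} if the policy is a {@code CugPolicyImpl} whose path equals {@code str}
     */
    public boolean defines(@Nullable String str, @Nonnull AccessControlPolicy accessControlPolicy) {
        return isValidPolicy(str, accessControlPolicy);
    }

    /**
     * Validates the path and tests it against the configured supported locations.
     *
     * @param str the Oak path, or {@code null}
     * @return the result of {@link CugUtil#isSupportedPath}
     * @throws RepositoryException if a non-null path cannot be resolved
     */
    private boolean isSupportedPath(@Nullable String str) throws RepositoryException {
        checkValidPath(str);
        return CugUtil.isSupportedPath(str, this.config);
    }

    /**
     * Resolves a non-null path through {@code getTree} with no permission mask and without
     * the access-control-content check; a {@code null} path is accepted as is.
     *
     * @param str the Oak path, or {@code null}
     * @throws RepositoryException if the path cannot be resolved
     */
    private void checkValidPath(@Nullable String str) throws RepositoryException {
        if (str != null) {
            getTree(str, PERM_NONE, false);
        }
    }

    /**
     * Reads the CUG policy at the given path from this manager's root.
     *
     * @param str the Oak path
     * @return the policy, or {@code null} if none is defined there
     * @throws RepositoryException if the tree cannot be resolved
     */
    @CheckForNull
    private CugPolicy getCugPolicy(@Nonnull String str) throws RepositoryException {
        return getCugPolicy(str, getTree(str, PERM_READ_ACCESS_CONTROL, true));
    }

    /**
     * Builds the policy object from the {@code rep:cugPolicy} child of the given tree.
     *
     * @param str the Oak path the policy is reported for
     * @param tree the tree whose child is inspected
     * @return the policy, or {@code null} if the child does not define a CUG
     */
    @CheckForNull
    private CugPolicy getCugPolicy(@Nonnull String str, @Nonnull Tree tree) {
        Tree cugTree = tree.getChild(CugConstants.REP_CUG_POLICY);
        if (!CugUtil.definesCug(cugTree)) {
            return null;
        }
        return new CugPolicyImpl(str, getNamePathMapper(), this.principalManager, CugUtil.getImportBehavior(this.config), getPrincipals(cugTree));
    }

    /**
     * Resolves the principal names stored on a CUG policy node.
     *
     * @param tree the {@code rep:cugPolicy} tree
     * @return the principals named by {@code rep:principalNames}; empty if the property is missing
     */
    private Set<Principal> getPrincipals(@Nonnull Tree tree) {
        PropertyState names = tree.getProperty(CugConstants.REP_PRINCIPAL_NAMES);
        if (names == null) {
            return Collections.<Principal>emptySet();
        }
        return ImmutableSet.copyOf(Iterables.transform(names.getValue(Type.STRINGS), new Function<String, Principal>() {
            public Principal apply(String str) {
                // PrincipalManager hands back a java.security.Principal, not necessarily a
                // PrincipalImpl, so the local must use the interface type.
                Principal principal = CugAccessControlManager.this.principalManager.getPrincipal(str);
                if (principal == null) {
                    // NOTE(review): a name the principal manager does not know is kept and
                    // wrapped, not dropped. A stored name can therefore outlive its principal;
                    // whether a principal created later under the same name would then match
                    // this policy depends on the evaluation code, which is not shown here.
                    CugAccessControlManager.log.debug("Unknown principal {}", str);
                    principal = new PrincipalImpl(str);
                }
                return principal;
            }
        }));
    }

    /**
     * Non-throwing variant of {@link #checkValidPolicy}.
     *
     * @param str the path to compare with the policy's own path, or {@code null}
     * @param accessControlPolicy the policy to test
     * @return {@code true} if the policy is a {@code CugPolicyImpl} whose path equals {@code str}
     */
    private static boolean isValidPolicy(@Nullable String str, @Nonnull AccessControlPolicy accessControlPolicy) {
        if (!(accessControlPolicy instanceof CugPolicyImpl)) {
            return false;
        }
        return ((CugPolicyImpl) accessControlPolicy).getPath().equals(str);
    }

    /**
     * Rejects foreign policy implementations and policies bound to a different path, so that
     * a policy obtained for one node cannot be written to or removed from another.
     *
     * @param str the path the caller wants to operate on, or {@code null}
     * @param accessControlPolicy the policy to validate
     * @throws AccessControlException if the policy is not a {@code CugPolicyImpl} or its path
     *         differs from {@code str}
     */
    private static void checkValidPolicy(@Nullable String str, @Nonnull AccessControlPolicy accessControlPolicy) throws AccessControlException {
        if (!(accessControlPolicy instanceof CugPolicyImpl)) {
            throw new AccessControlException("Unsupported policy implementation: " + accessControlPolicy);
        }
        CugPolicyImpl cugPolicy = (CugPolicyImpl) accessControlPolicy;
        if (!cugPolicy.getPath().equals(str)) {
            throw new AccessControlException("Path mismatch: Expected " + cugPolicy.getPath() + ", Found: " + str);
        }
    }
}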
