package org.apache.jackrabbit.oak.spi.security.authorization.cug.impl;

import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import java.io.IOException;
import java.io.InputStream;
import java.security.Principal;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.jcr.RepositoryException;
import javax.jcr.security.AccessControlManager;
import org.apache.felix.scr.annotations.Activate;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.ConfigurationPolicy;
import org.apache.felix.scr.annotations.Modified;
import org.apache.felix.scr.annotations.Properties;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.ReferenceCardinality;
import org.apache.felix.scr.annotations.Service;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.plugins.memory.MemoryNodeStore;
import org.apache.jackrabbit.oak.plugins.nodetype.ReadOnlyNodeTypeManager;
import org.apache.jackrabbit.oak.plugins.nodetype.write.NodeTypeRegistry;
import org.apache.jackrabbit.oak.spi.commit.CommitHook;
import org.apache.jackrabbit.oak.spi.commit.MoveTracker;
import org.apache.jackrabbit.oak.spi.commit.ValidatorProvider;
import org.apache.jackrabbit.oak.spi.lifecycle.RepositoryInitializer;
import org.apache.jackrabbit.oak.spi.mount.MountInfoProvider;
import org.apache.jackrabbit.oak.spi.mount.Mounts;
import org.apache.jackrabbit.oak.spi.security.ConfigurationBase;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.Context;
import org.apache.jackrabbit.oak.spi.security.SecurityConfiguration;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.authorization.cug.CugExclude;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.EmptyPermissionProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
import org.apache.jackrabbit.oak.spi.state.ApplyDiff;
import org.apache.jackrabbit.oak.spi.state.NodeState;
import org.apache.jackrabbit.oak.spi.xml.ProtectedItemImporter;
import org.jetbrains.annotations.NotNull;

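/**
 * Authorization configuration that sets up and evaluates 'Closed User Group'
 * (CUG) policies.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>CUG evaluation is opt-in: {@link CugConstants#PARAM_CUG_ENABLED} defaults to
 *       {@code false}, and {@link #getPermissionProvider} returns the
 *       {@link EmptyPermissionProvider} until it is switched on.</li>
 *   <li>Evaluation only takes place when at least one supported path is configured
 *       ({@link CugConstants#PARAM_CUG_SUPPORTED_PATHS}).</li>
 *   <li>Principal sets matched by the bound {@link CugExclude} bypass CUG evaluation
 *       entirely, so the exclude list deserves the same review as an allow-list.</li>
 * </ul>
 *
 * <p>The component requires an explicit configuration
 * ({@code ConfigurationPolicy.REQUIRE}) before it is activated.
 */
@Service({AuthorizationConfiguration.class, SecurityConfiguration.class})
@Component(
        metatype = true,
        label = "Apache Jackrabbit Oak CUG Configuration",
        description = "Authorization configuration dedicated to setup and evaluate 'Closed User Group' permissions.",
        policy = ConfigurationPolicy.REQUIRE)
@Properties({
        @Property(
                name = CugConstants.PARAM_CUG_SUPPORTED_PATHS,
                label = "Supported Paths",
                description = "Paths under which CUGs can be created and will be evaluated.",
                cardinality = Integer.MAX_VALUE),
        @Property(
                name = CugConstants.PARAM_CUG_ENABLED,
                label = "CUG Evaluation Enabled",
                description = "Flag to enable the evaluation of the configured CUG policies.",
                boolValue = {false}),
        @Property(
                name = "configurationRanking",
                label = "Ranking",
                description = "Ranking of this configuration in a setup with multiple authorization configurations.",
                intValue = {200}),
        @Property(
                name = "oak.security.name",
                propertyPrivate = true,
                value = {"org.apache.jackrabbit.oak.spi.security.authorization.cug.impl.CugConfiguration"})
})
public class CugConfiguration extends ConfigurationBase implements AuthorizationConfiguration, CugConstants {

    /** Decides which principal sets are exempt from CUG evaluation; may be unbound (see {@link #getExclude()}). */
    @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
    private CugExclude exclude;

    /** Mount information used when computing supported paths and when creating the importer. */
    @Reference
    private MountInfoProvider mountInfoProvider;

    /** Paths under which CUG policies are supported; recomputed on every {@link #setParameters}. */
    private Set<String> supportedPaths;

    /**
     * Creates an unconfigured instance with the default mount info provider and
     * no supported paths.
     */
    public CugConfiguration() {
        this.mountInfoProvider = Mounts.defaultMountInfoProvider();
        this.supportedPaths = ImmutableSet.of();
    }

    /**
     * Creates an instance bound to the given security provider, reading its
     * parameters from the provider's authorization configuration.
     *
     * <p>The supported paths start out empty here; they are only populated by a
     * later call to {@link #setParameters}.
     *
     * @param securityProvider the security provider this configuration belongs to
     */
    public CugConfiguration(@NotNull SecurityProvider securityProvider) {
        super(securityProvider, securityProvider.getParameters("org.apache.jackrabbit.oak.authorization"));
        this.mountInfoProvider = Mounts.defaultMountInfoProvider();
        this.supportedPaths = ImmutableSet.of();
    }

    /**
     * Returns an access control manager for editing CUG policies, limited to the
     * currently configured supported paths.
     *
     * @param root the root to operate on
     * @param namePathMapper mapper for JCR/Oak names and paths
     * @return a new {@code CugAccessControlManager}
     */
    @NotNull
    public AccessControlManager getAccessControlManager(@NotNull Root root, @NotNull NamePathMapper namePathMapper) {
        return new CugAccessControlManager(root, namePathMapper, getSecurityProvider(), this.supportedPaths);
    }

    /**
     * @return {@link RestrictionProvider#EMPTY}; this configuration defines no restrictions
     */
    @NotNull
    public RestrictionProvider getRestrictionProvider() {
        return RestrictionProvider.EMPTY;
    }

    /**
     * Returns the permission provider that evaluates CUG policies for the given
     * principals, or the {@link EmptyPermissionProvider} when CUG evaluation does
     * not apply.
     *
     * <p>CUG evaluation is skipped when any of the following holds (checked in
     * this order):
     * <ol>
     *   <li>{@link CugConstants#PARAM_CUG_ENABLED} is not set to {@code true}
     *       (the default is {@code false});</li>
     *   <li>no supported paths are configured;</li>
     *   <li>the principal set is excluded by the {@link CugExclude} in effect.</li>
     * </ol>
     *
     * @param root the root to evaluate permissions against
     * @param str the workspace name (parameter name is a decompiler artifact)
     * @param set the principals to evaluate permissions for
     * @return a {@code CugPermissionProvider}, or the empty provider when evaluation is skipped
     */
    @NotNull
    public PermissionProvider getPermissionProvider(@NotNull Root root, @NotNull String str, @NotNull Set<Principal> set) {
        boolean evaluationEnabled = getParameters().getConfigValue(CugConstants.PARAM_CUG_ENABLED, false);
        if (!evaluationEnabled || this.supportedPaths.isEmpty() || getExclude().isExcluded(set)) {
            return EmptyPermissionProvider.getInstance();
        }
        Context authorizationContext =
                getSecurityProvider().getConfiguration(AuthorizationConfiguration.class).getContext();
        return new CugPermissionProvider(
                root, str, set, this.supportedPaths, authorizationContext, getRootProvider(), getTreeProvider());
    }

    /**
     * @return the name under which this configuration is registered
     */
    @NotNull
    public String getName() {
        return "org.apache.jackrabbit.oak.authorization";
    }

    /**
     * Returns an initializer that registers the CUG node types if they are not
     * present yet.
     *
     * <p>Registration runs against a system root on a temporary in-memory store
     * seeded with the builder's current state; the resulting changes are applied
     * to the builder only when something was actually registered.
     *
     * @return the repository initializer
     */
    @NotNull
    public RepositoryInitializer getRepositoryInitializer() {
        return nodeBuilder -> {
            NodeState baseState = nodeBuilder.getNodeState();
            MemoryNodeStore scratchStore = new MemoryNodeStore(baseState);
            Root systemRoot = getRootProvider().createSystemRoot(scratchStore, (CommitHook) null);
            if (registerCugNodeTypes(systemRoot)) {
                scratchStore.getRoot().compareAgainstBaseState(baseState, new ApplyDiff(nodeBuilder));
            }
        };
    }

    /**
     * @param str the workspace name (unused here)
     * @return a single {@code NestedCugHook}
     */
    @NotNull
    public List<? extends CommitHook> getCommitHooks(@NotNull String str) {
        return Collections.singletonList(new NestedCugHook());
    }

    /**
     * @param str the workspace name (unused here)
     * @param set the principals of the committing session (unused here)
     * @param moveTracker move information for the commit (unused here)
     * @return a single {@code CugValidatorProvider}
     */
    @NotNull
    public List<? extends ValidatorProvider> getValidators(@NotNull String str, @NotNull Set<Principal> set, @NotNull MoveTracker moveTracker) {
        return ImmutableList.of(new CugValidatorProvider());
    }

    /**
     * @return a single {@code CugImporter} created with the current mount info provider
     */
    @NotNull
    public List<ProtectedItemImporter> getProtectedItemImporters() {
        // NOTE(review): mountInfoProvider is null after unbindMountInfoProvider(); confirm
        // CugImporter tolerates that or that this is never called in that state.
        return Collections.singletonList(new CugImporter(this.mountInfoProvider));
    }

    /**
     * @return the shared {@code CugContext} instance
     */
    @NotNull
    public Context getContext() {
        return CugContext.INSTANCE;
    }

    /**
     * Stores the new parameters and recomputes the supported paths from them.
     *
     * @param configurationParameters the new configuration parameters
     */
    public void setParameters(@NotNull ConfigurationParameters configurationParameters) {
        super.setParameters(configurationParameters);
        this.supportedPaths = CugUtil.getSupportedPaths(configurationParameters, this.mountInfoProvider);
    }

    /**
     * Component activation: applies the supplied configuration properties.
     *
     * @param map the component configuration properties
     */
    @Activate
    protected void activate(Map<String, Object> map) {
        setParameters(ConfigurationParameters.of(map));
    }

    /**
     * Configuration change: handled exactly like activation, so the supported
     * paths and the enabled flag take effect for subsequently created providers.
     *
     * @param map the updated component configuration properties
     */
    @Modified
    protected void modified(Map<String, Object> map) {
        activate(map);
    }

    /**
     * @param mountInfoProvider the mount info provider to use from now on
     */
    public void bindMountInfoProvider(MountInfoProvider mountInfoProvider) {
        this.mountInfoProvider = mountInfoProvider;
    }

    /**
     * Clears the mount info provider. The field is set to {@code null} rather
     * than reset to the default provider.
     *
     * @param mountInfoProvider the provider being unbound (ignored)
     */
    public void unbindMountInfoProvider(MountInfoProvider mountInfoProvider) {
        this.mountInfoProvider = null;
    }

    /**
     * @param cugExclude the exclusion policy to use from now on
     */
    public void bindExclude(CugExclude cugExclude) {
        this.exclude = cugExclude;
    }

    /**
     * Clears the exclusion policy; {@link #getExclude()} then falls back to the default.
     *
     * @param cugExclude the exclusion policy being unbound (ignored)
     */
    public void unbindExclude(CugExclude cugExclude) {
        this.exclude = null;
    }

    /**
     * Returns the exclusion policy in effect.
     *
     * @return the bound {@link CugExclude}, or a fresh {@code CugExclude.Default}
     *         when none is bound
     */
    @NotNull
    private CugExclude getExclude() {
        if (this.exclude != null) {
            return this.exclude;
        }
        return new CugExclude.Default();
    }

    /**
     * Registers the CUG node types from the bundled {@code cug_nodetypes.cnd}
     * unless {@link CugConstants#NT_REP_CUG_POLICY} is already registered.
     *
     * @param root the root to register the node types on
     * @return {@code true} if the node types were registered by this call,
     *         {@code false} if they were already present
     * @throws IllegalStateException if the definition cannot be read or registered
     */
    static boolean registerCugNodeTypes(@NotNull final Root root) {
        try {
            ReadOnlyNodeTypeManager nodeTypeManager = new ReadOnlyNodeTypeManager() {
                protected Tree getTypes() {
                    return root.getTree("/jcr:system/jcr:nodeTypes");
                }
            };
            if (nodeTypeManager.hasNodeType(CugConstants.NT_REP_CUG_POLICY)) {
                return false;
            }
            // try-with-resources closes the stream even when registration throws;
            // the decompiled form only closed it on the success path.
            try (InputStream definition = CugConfiguration.class.getResourceAsStream("cug_nodetypes.cnd")) {
                if (definition == null) {
                    // Fail with a clear cause instead of handing a null stream to the registry.
                    throw new IOException("cug_nodetypes.cnd not found on the classpath");
                }
                NodeTypeRegistry.register(root, definition, "cug node types");
                return true;
            }
        } catch (IOException | RepositoryException e) {
            throw new IllegalStateException("Unable to read cug node types", e);
        }
    }
}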
