package org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl;

import com.google.common.collect.Maps;
import java.security.Principal;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.jcr.RepositoryException;
import org.apache.jackrabbit.api.security.principal.ItemBasedPrincipal;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.principalbased.Filter;
import org.apache.jackrabbit.oak.spi.security.authorization.principalbased.FilterProvider;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalConfiguration;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalProvider;
import org.apache.jackrabbit.oak.spi.security.principal.SystemUserPrincipal;
import org.apache.jackrabbit.util.Text;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Modified;
import org.osgi.service.metatype.annotations.AttributeDefinition;
import org.osgi.service.metatype.annotations.Designate;
import org.osgi.service.metatype.annotations.ObjectClassDefinition;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Designate(ocd = Configuration.class)
@Component(service = {FilterProvider.class})
/* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/FilterProviderImpl.class */
public class FilterProviderImpl implements FilterProvider {
    private static final Logger log = LoggerFactory.getLogger(FilterProviderImpl.class);
    private String oakPath;
    private final Map<String, String> validatedPrincipalNamesPathMap = Maps.newConcurrentMap();

    /* JADX INFO: Access modifiers changed from: package-private */
    @ObjectClassDefinition(name = "Apache Jackrabbit Oak Filter for Principal Based Authorization")
    /* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/FilterProviderImpl$Configuration.class */
    public @interface Configuration {
        @AttributeDefinition(name = "Path", description = "Required path underneath which all filtered principals must be located in the repository.")
        String path();
    }

    /* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/FilterProviderImpl$FilterImpl.class */
    private final class FilterImpl implements Filter {
        private final Root root;
        private final PrincipalProvider principalProvider;
        private final NamePathMapper namePathMapper;

        private FilterImpl(@NotNull Root root, @NotNull PrincipalProvider principalProvider, @NotNull NamePathMapper namePathMapper) {
            this.root = root;
            this.principalProvider = principalProvider;
            this.namePathMapper = namePathMapper;
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authorization.principalbased.Filter
        public boolean canHandle(@NotNull Set<Principal> set) {
            if (set.isEmpty()) {
                return false;
            }
            Iterator<Principal> it = set.iterator();
            while (it.hasNext()) {
                if (!isValidPrincipal(it.next())) {
                    return false;
                }
            }
            return true;
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authorization.principalbased.Filter
        @NotNull
        public String getOakPath(@NotNull Principal principal) {
            String str = (String) FilterProviderImpl.this.validatedPrincipalNamesPathMap.get(principal.getName());
            if (str == null) {
                throw new IllegalArgumentException("Invalid principal " + principal.getName());
            }
            return str;
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authorization.principalbased.Filter
        @Nullable
        public Principal getValidPrincipal(@NotNull String str) {
            ItemBasedPrincipal itemBasedPrincipal = this.principalProvider.getItemBasedPrincipal(str);
            if (itemBasedPrincipal == null || !isValidPrincipal(itemBasedPrincipal)) {
                return null;
            }
            return itemBasedPrincipal;
        }

        private boolean isValidPrincipal(@NotNull Principal principal) {
            if (!(principal instanceof SystemUserPrincipal)) {
                return false;
            }
            String name = principal.getName();
            if (FilterProviderImpl.this.validatedPrincipalNamesPathMap.containsKey(name)) {
                return true;
            }
            String principalPath = getPrincipalPath(principal);
            if (principalPath == null || !FilterProviderImpl.this.handlesPath(principalPath)) {
                return false;
            }
            FilterProviderImpl.this.validatedPrincipalNamesPathMap.put(name, principalPath);
            return true;
        }

        @Nullable
        private String getPrincipalPath(@NotNull Principal principal) {
            String str = null;
            if (principal instanceof ItemBasedPrincipal) {
                str = getOakPath((ItemBasedPrincipal) principal);
            }
            if (str == null || !this.root.getTree(str).exists()) {
                Principal principal2 = this.principalProvider.getPrincipal(principal.getName());
                str = principal2 instanceof ItemBasedPrincipal ? getOakPath((ItemBasedPrincipal) principal2) : null;
            }
            return str;
        }

        @Nullable
        private String getOakPath(@NotNull ItemBasedPrincipal itemBasedPrincipal) {
            try {
                return this.namePathMapper.getOakPath(itemBasedPrincipal.getPath());
            } catch (RepositoryException e) {
                FilterProviderImpl.log.error("Error while retrieving path from ItemBasedPrincipal {}, {}", itemBasedPrincipal.getName(), e.getMessage());
                return null;
            }
        }
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authorization.principalbased.FilterProvider
    public boolean handlesPath(@NotNull String str) {
        return Text.isDescendantOrEqual(this.oakPath, str);
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authorization.principalbased.FilterProvider
    @NotNull
    public String getFilterRoot() {
        return this.oakPath;
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authorization.principalbased.FilterProvider
    @NotNull
    public Filter getFilter(@NotNull SecurityProvider securityProvider, @NotNull Root root, @NotNull NamePathMapper namePathMapper) {
        return new FilterImpl(root, ((PrincipalConfiguration) securityProvider.getConfiguration(PrincipalConfiguration.class)).getPrincipalProvider(root, namePathMapper), namePathMapper);
    }

    @Activate
    protected void activate(Configuration configuration, Map<String, Object> map) {
        setPath(configuration);
    }

    @Modified
    protected void modified(Configuration configuration, Map<String, Object> map) {
        setPath(configuration);
    }

    private void setPath(@NotNull Configuration configuration) {
        this.oakPath = configuration.path();
    }
}
