package org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl;

import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.common.collect.Iterables;
import java.security.Principal;
import java.util.Set;
import javax.jcr.RepositoryException;
import javax.jcr.security.AccessControlException;
import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.commons.PathUtils;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.plugins.nodetype.TypePredicate;
import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
import org.apache.jackrabbit.oak.spi.commit.CommitInfo;
import org.apache.jackrabbit.oak.spi.commit.DefaultValidator;
import org.apache.jackrabbit.oak.spi.commit.Validator;
import org.apache.jackrabbit.oak.spi.commit.ValidatorProvider;
import org.apache.jackrabbit.oak.spi.commit.VisibleValidator;
import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
import org.apache.jackrabbit.oak.spi.state.NodeState;
import org.apache.jackrabbit.oak.spi.state.NodeStateUtils;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalPolicyValidatorProvider.class */
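/**
 * Provides the commit validator for principal-based access control content.
 *
 * <p>The validator returned by {@link #m10getRootValidator} walks the changes of a commit and
 * checks that policy nodes named {@code rep:principalPolicy}, their entries and their
 * {@code rep:restrictions} children are well-formed, and that the committing principals hold the
 * required permission at the {@code rep:effectivePath} of every entry that is added, changed or
 * removed.
 *
 * <p>This listing is decompiler output: the original class was package-private, and several
 * methods carry decompiler-assigned names (see the notes on the individual methods).
 */
public class PrincipalPolicyValidatorProvider extends ValidatorProvider implements Constants {
    private final MgrProvider mgrProvider;
    private final Set<Principal> principals;
    private final String workspaceName;

    // Both fields are reassigned on every m10getRootValidator call and read by every validator
    // created from it.
    // NOTE(review): if a single provider instance can serve overlapping commits, the permission
    // provider built for one commit could end up authorizing another - confirm that instances
    // are not shared between concurrent commits.
    private PermissionProvider permissionProvider;
    private TypePredicate isMixPrincipalBased;

    /**
     * Validator for one level of the content tree; a child validator is created for every added,
     * changed or deleted child node.
     *
     * <p>The original access modifier of this class was {@code private}.
     */
    public final class PolicyValidator extends DefaultValidator {
        // Null for a subtree that only exists after the commit (added nodes).
        private final Tree parentBefore;
        // Null for a subtree that only exists before the commit (deleted nodes).
        private final Tree parentAfter;
        // True at and below jcr:system/jcr:nodeTypes; the child-node checks are skipped there.
        private final boolean isNodetypeTree;

        /**
         * Creates the root validator and resets the shared manager provider to a read-only root
         * built from the after state.
         */
        private PolicyValidator(@NotNull NodeState rootBefore, @NotNull NodeState rootAfter) {
            mgrProvider.reset(mgrProvider.getRootProvider().createReadOnlyRoot(rootAfter), NamePathMapper.DEFAULT);
            this.parentBefore = mgrProvider.getTreeProvider().createReadOnlyTree(rootBefore);
            this.parentAfter = mgrProvider.getTreeProvider().createReadOnlyTree(rootAfter);
            this.isNodetypeTree = false;
        }

        /** Creates the validator for a changed child that exists both before and after the commit. */
        private PolicyValidator(@NotNull PolicyValidator parentValidator, @NotNull Tree before, @NotNull Tree after) {
            this.parentBefore = before;
            this.parentAfter = after;
            this.isNodetypeTree = parentValidator.isNodetypeTree
                    || ("jcr:nodeTypes".equals(after.getName()) && "jcr:system".equals(parentValidator.getName()));
        }

        /**
         * Creates the validator for an added ({@code isAfter == true}) or deleted
         * ({@code isAfter == false}) child; only the matching side of the tree pair is set.
         */
        private PolicyValidator(@NotNull PolicyValidator parentValidator, @NotNull Tree tree, boolean isAfter) {
            this.parentBefore = isAfter ? null : tree;
            this.parentAfter = isAfter ? tree : null;
            this.isNodetypeTree = parentValidator.isNodetypeTree
                    || ("jcr:nodeTypes".equals(tree.getName()) && "jcr:system".equals(parentValidator.getName()));
        }

        /** Returns the name of the tree this validator stands for, preferring the before side. */
        @NotNull
        private String getName() {
            return this.parentBefore == null ? verifyNotNull(this.parentAfter).getName() : this.parentBefore.getName();
        }

        /**
         * Rejects a new {@code jcr:primaryType} property that declares the principal-policy node
         * type on a node whose name is not the reserved policy name.
         *
         * @param propertyState the added property
         * @throws CommitFailedException access control violation 30 if the node name differs
         */
        public void propertyAdded(PropertyState propertyState) throws CommitFailedException {
            boolean declaresPolicyType = "jcr:primaryType".equals(propertyState.getName())
                    && Constants.NT_REP_PRINCIPAL_POLICY.equals(propertyState.getValue(Type.NAME));
            if (declaresPolicyType && !Constants.REP_PRINCIPAL_POLICY.equals(verifyNotNull(this.parentAfter).getName())) {
                throw accessControlViolation(30, "Attempt create policy node with different name than 'rep:principalPolicy'.");
            }
        }

        /**
         * Rejects any change of {@code jcr:primaryType} from or to the principal-policy node type,
         * so an existing node cannot be turned into a policy node or the reverse.
         *
         * @param propertyState the property before the change
         * @param propertyState2 the property after the change
         * @throws CommitFailedException access control violation 31 if either side is the policy type
         */
        public void propertyChanged(PropertyState propertyState, PropertyState propertyState2) throws CommitFailedException {
            if (!"jcr:primaryType".equals(propertyState2.getName())) {
                return;
            }
            if (Constants.NT_REP_PRINCIPAL_POLICY.equals(propertyState.getValue(Type.STRING))
                    || Constants.NT_REP_PRINCIPAL_POLICY.equals(propertyState2.getValue(Type.STRING))) {
                throw accessControlViolation(31, "Attempt to change primary type from/to rep:PrincipalPolicy.");
            }
        }

        /**
         * Validates an added child node and returns the validator for its subtree.
         *
         * <p>Decompiler-assigned name; the original method was {@code childNodeAdded}.
         * NOTE(review): under this name the method presumably no longer overrides the validator
         * callback, so the checks below would not run - restore the original name before the
         * class is recompiled and used.
         *
         * @param str name of the added child
         * @param nodeState state of the added child
         * @throws CommitFailedException if the added node violates a policy, restriction or entry rule
         */
        public Validator m13childNodeAdded(String str, NodeState nodeState) throws CommitFailedException {
            if (!this.isNodetypeTree) {
                if (Constants.REP_PRINCIPAL_POLICY.equals(str)) {
                    validatePolicyNode(verifyNotNull(this.parentAfter), nodeState);
                } else if (Constants.REP_RESTRICTIONS.equals(str)) {
                    validateRestrictions(nodeState);
                } else if (Constants.NT_REP_PRINCIPAL_ENTRY.equals(NodeStateUtils.getPrimaryTypeName(nodeState))) {
                    validateEntry(str, nodeState);
                }
            }
            return new VisibleValidator(nextValidator(str, nodeState, true), true, true);
        }

        /**
         * Validates a changed child node and returns the validator for its subtree.
         *
         * <p>Decompiler-assigned name; the original method was {@code childNodeChanged}.
         * NOTE(review): presumably no longer overrides the validator callback under this name -
         * restore the original name before the class is recompiled and used.
         *
         * @param str name of the changed child
         * @param nodeState state of the child before the commit
         * @param nodeState2 state of the child after the commit
         * @throws CommitFailedException if the changed node violates a policy, restriction or entry rule
         */
        public Validator m12childNodeChanged(String str, NodeState nodeState, NodeState nodeState2) throws CommitFailedException {
            if (!this.isNodetypeTree) {
                if (nodeState2.hasChildNode(Constants.REP_PRINCIPAL_POLICY)) {
                    // The changed child is the parent of a policy node: check the policy against it.
                    Tree policyParent = mgrProvider.getTreeProvider().createReadOnlyTree(verifyNotNull(this.parentAfter), str, nodeState2);
                    validatePolicyNode(policyParent, nodeState2.getChildNode(Constants.REP_PRINCIPAL_POLICY));
                } else if (Constants.REP_RESTRICTIONS.equals(str)) {
                    validateRestrictions(nodeState2);
                } else if (Constants.NT_REP_PRINCIPAL_ENTRY.equals(NodeStateUtils.getPrimaryTypeName(nodeState2))) {
                    validateEntry(str, nodeState2);
                }
            }
            return new VisibleValidator(nextValidator(str, nodeState, nodeState2), true, true);
        }

        /**
         * Checks that removing a restriction node or an entry is permitted at the affected
         * effective path, then returns the validator for the deleted subtree.
         *
         * <p>Decompiler-assigned name; the original method was {@code childNodeDeleted}.
         * NOTE(review): presumably no longer overrides the validator callback under this name -
         * restore the original name before the class is recompiled and used.
         *
         * @param str name of the deleted child
         * @param nodeState state of the deleted child before the commit
         * @throws CommitFailedException access violation 3 if the permission check fails
         */
        public Validator m11childNodeDeleted(String str, NodeState nodeState) throws CommitFailedException {
            if (!this.isNodetypeTree) {
                PropertyState effectivePath = null;
                if (Constants.REP_RESTRICTIONS.equals(str)) {
                    // The effective path lives on the entry, i.e. the parent of the restriction node.
                    effectivePath = verifyNotNull(this.parentBefore).getProperty(Constants.REP_EFFECTIVE_PATH);
                } else if (Constants.NT_REP_PRINCIPAL_ENTRY.equals(NodeStateUtils.getPrimaryTypeName(nodeState))) {
                    effectivePath = nodeState.getProperty(Constants.REP_EFFECTIVE_PATH);
                }
                if (effectivePath != null && !Utils.hasModAcPermission(permissionProvider, (String) effectivePath.getValue(Type.PATH))) {
                    throw new CommitFailedException("Access", 3, "Access denied");
                }
            }
            return new VisibleValidator(nextValidator(str, nodeState, false), true, true);
        }

        /**
         * Checks that a node with the reserved policy name has the policy node type and that its
         * parent carries the principal-based mixin.
         *
         * @throws CommitFailedException access control violation 32 or 33
         */
        private void validatePolicyNode(@NotNull Tree policyParent, @NotNull NodeState policyState) throws CommitFailedException {
            if (!Constants.NT_REP_PRINCIPAL_POLICY.equals(NodeStateUtils.getPrimaryTypeName(policyState))) {
                throw accessControlViolation(32, "Reserved node name 'rep:principalPolicy' must only be used for nodes of type 'rep:PrincipalPolicy'.");
            }
            if (!isMixPrincipalBased.apply(policyParent)) {
                throw accessControlViolation(33, "Parent node not of mixin type 'rep:PrincipalBasedMixin'.");
            }
        }

        /**
         * Checks the node type of a {@code rep:restrictions} node and, when its parent is a
         * principal entry, lets the restriction provider validate the restrictions.
         *
         * @throws CommitFailedException access control violation 34, 2 or 35, or Oak error 13 for
         *         other repository failures
         */
        private void validateRestrictions(@NotNull NodeState restrictionState) throws CommitFailedException {
            if (!Constants.NT_REP_RESTRICTIONS.equals(NodeStateUtils.getPrimaryTypeName(restrictionState))) {
                throw accessControlViolation(34, "Reserved node name 'rep:restrictions' must only be used for nodes of type 'rep:Restrictions'.");
            }
            Tree parent = verifyNotNull(this.parentAfter);
            if (!Constants.NT_REP_PRINCIPAL_ENTRY.equals(TreeUtil.getPrimaryTypeName(parent))) {
                // Not an entry of this module: accept only if the parent is access control content
                // according to the context; otherwise the restriction node is isolated.
                if (!mgrProvider.getContext().definesTree(parent)) {
                    throw new CommitFailedException("AccessControl", 2, "Expected access control entry parent (isolated restriction).");
                }
                return;
            }
            try {
                String effectivePath = Strings.emptyToNull(TreeUtil.getString(parent, Constants.REP_EFFECTIVE_PATH));
                mgrProvider.getRestrictionProvider().validateRestrictions(effectivePath, parent);
            } catch (AccessControlException e) {
                // AccessControlException is a RepositoryException subtype, so it has to be caught
                // first; in the reverse order this handler is unreachable and invalid restrictions
                // would be reported as an internal error instead of violation 35.
                throw new CommitFailedException("AccessControl", 35, "Invalid restrictions", e);
            } catch (RepositoryException e) {
                throw new CommitFailedException("Oak", 13, "Internal error", e);
            }
        }

        /**
         * Checks a principal entry: it must sit below a policy node, list at least one privilege,
         * reference only existing non-abstract privileges, define {@code rep:effectivePath}, and
         * the permission check for that path must pass.
         *
         * @throws CommitFailedException access control violation 36-39, constraint violation 21,
         *         access violation 3, or Oak error 13 for other repository failures
         */
        private void validateEntry(@NotNull String entryName, @NotNull NodeState entryState) throws CommitFailedException {
            Tree parent = verifyNotNull(this.parentAfter);
            String entryPath = PathUtils.concat(parent.getPath(), entryName);
            if (!Constants.REP_PRINCIPAL_POLICY.equals(parent.getName())) {
                throw accessControlViolation(36, "Isolated entry of principal policy at " + entryPath);
            }
            Iterable<String> privilegeNames = entryState.getNames(Constants.REP_PRIVILEGES);
            if (Iterables.isEmpty(privilegeNames)) {
                throw accessControlViolation(37, "Empty rep:privileges property at " + entryPath);
            }
            PrivilegeManager privilegeManager = mgrProvider.getPrivilegeManager();
            for (String privilegeName : privilegeNames) {
                try {
                    if (privilegeManager.getPrivilege(privilegeName).isAbstract()) {
                        throw accessControlViolation(38, "Abstract privilege " + privilegeName + " at " + entryPath);
                    }
                } catch (AccessControlException e) {
                    // Keep the lookup failure as the cause so the rejected privilege can be diagnosed.
                    throw new CommitFailedException("AccessControl", 39, "Invalid privilege " + privilegeName + " at " + entryPath, e);
                } catch (RepositoryException e) {
                    throw new CommitFailedException("Oak", 13, "Internal error", e);
                }
            }
            PropertyState effectivePath = entryState.getProperty(Constants.REP_EFFECTIVE_PATH);
            if (effectivePath == null) {
                throw new CommitFailedException("Constraint", 21, "Missing mandatory rep:effectivePath property at " + entryPath);
            }
            // The entry takes effect at rep:effectivePath, not where it is stored, so the
            // permission check is made against that path.
            if (!Utils.hasModAcPermission(permissionProvider, (String) effectivePath.getValue(Type.PATH))) {
                throw new CommitFailedException("Access", 3, "Access denied");
            }
        }

        /** Builds an access control violation with the given code and message. */
        private CommitFailedException accessControlViolation(int code, String message) {
            return new CommitFailedException("AccessControl", code, message);
        }

        /** Creates the child validator for a node that exists before and after the commit. */
        private PolicyValidator nextValidator(@NotNull String name, @NotNull NodeState before, @NotNull NodeState after) {
            Tree beforeTree = mgrProvider.getTreeProvider().createReadOnlyTree(verifyNotNull(this.parentBefore), name, before);
            Tree afterTree = mgrProvider.getTreeProvider().createReadOnlyTree(verifyNotNull(this.parentAfter), name, after);
            return new PolicyValidator(this, beforeTree, afterTree);
        }

        /** Creates the child validator for an added ({@code isAfter}) or deleted node. */
        private PolicyValidator nextValidator(@NotNull String name, @NotNull NodeState state, boolean isAfter) {
            Tree parent = verifyNotNull(isAfter ? this.parentAfter : this.parentBefore);
            Tree child = mgrProvider.getTreeProvider().createReadOnlyTree(parent, name, state);
            return new PolicyValidator(this, child, isAfter);
        }

        /**
         * Returns the given tree, failing with an {@link IllegalStateException} if it is null.
         */
        @NotNull
        private Tree verifyNotNull(@Nullable Tree tree) {
            Preconditions.checkState(tree != null);
            return tree;
        }
    }

    /**
     * Creates the provider. The original access modifier of this constructor was package-private.
     *
     * @param mgrProvider source of the root, tree, privilege and restriction services used during validation
     * @param set principals the permission provider is created for
     * @param str name of the workspace the permission provider is created for
     */
    public PrincipalPolicyValidatorProvider(@NotNull MgrProvider mgrProvider, @NotNull Set<Principal> set, @NotNull String str) {
        this.mgrProvider = mgrProvider;
        this.principals = set;
        this.workspaceName = str;
    }

    /**
     * Prepares the per-commit state and returns the root validator.
     *
     * <p>The permission provider is created on a read-only root of the <em>before</em> state
     * ({@code nodeState}); the mixin predicate is created on the <em>after</em> state
     * ({@code nodeState2}). Permission checks therefore do not see content written by the commit
     * under validation.
     *
     * <p>Decompiler-assigned name; the original method was {@code getRootValidator} with
     * {@code protected} access.
     * NOTE(review): presumably no longer overrides the provider hook under this name - restore
     * the original name before the class is recompiled and used.
     *
     * @param nodeState root state before the commit
     * @param nodeState2 root state after the commit
     * @param commitInfo commit metadata; not used here
     */
    public PolicyValidator m10getRootValidator(NodeState nodeState, NodeState nodeState2, CommitInfo commitInfo) {
        AuthorizationConfiguration authorizationConfig =
                (AuthorizationConfiguration) this.mgrProvider.getSecurityProvider().getConfiguration(AuthorizationConfiguration.class);
        this.permissionProvider = authorizationConfig.getPermissionProvider(
                this.mgrProvider.getRootProvider().createReadOnlyRoot(nodeState), this.workspaceName, this.principals);
        this.isMixPrincipalBased = new TypePredicate(nodeState2, Constants.MIX_REP_PRINCIPAL_BASED_MIXIN);
        return new PolicyValidator(nodeState, nodeState2);
    }
}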
