package org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl;

import com.google.common.base.Predicates;
import com.google.common.base.Strings;
import com.google.common.collect.Collections2;
import java.security.Principal;
import java.util.Collections;
import java.util.Set;
import javax.jcr.RepositoryException;
import javax.jcr.security.AccessControlException;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
import org.apache.jackrabbit.oak.spi.security.authorization.principalbased.Filter;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/Utils.class */
final class Utils implements Constants {
    private static final Logger log = LoggerFactory.getLogger(Utils.class);

    private Utils() {
    }

    public static boolean isPrincipalPolicyTree(@NotNull Tree tree) {
        return tree.exists() && Constants.REP_PRINCIPAL_POLICY.equals(tree.getName()) && Constants.NT_REP_PRINCIPAL_POLICY.equals(TreeUtil.getPrimaryTypeName(tree));
    }

    public static boolean isPrincipalEntry(@NotNull Tree tree) {
        return Constants.NT_REP_PRINCIPAL_ENTRY.equals(TreeUtil.getPrimaryTypeName(tree));
    }

    public static boolean canHandle(@NotNull Principal principal, @NotNull Filter filter, int i) throws AccessControlException {
        String name = principal.getName();
        if (Strings.isNullOrEmpty(name)) {
            throw new AccessControlException("Invalid principal " + name);
        }
        boolean canHandle = filter.canHandle(Collections.singleton(principal));
        switch (i) {
            case 1:
            case 2:
                log.debug("Ignoring unsupported principal {}", name);
                break;
            case 3:
                if (!canHandle) {
                    throw new AccessControlException("Unsupported principal " + name);
                }
                break;
            default:
                throw new IllegalArgumentException("Unsupported import behavior " + i);
        }
        return canHandle;
    }

    public static Privilege[] privilegesFromOakNames(@NotNull Set<String> set, @NotNull PrivilegeManager privilegeManager, @NotNull NamePathMapper namePathMapper) {
        return (Privilege[]) Collections2.filter(Collections2.transform(set, str -> {
            try {
                return privilegeManager.getPrivilege(namePathMapper.getJcrName(str));
            } catch (RepositoryException e) {
                log.error("Unknown privilege in access control entry : {}", str);
                return null;
            }
        }), Predicates.notNull()).toArray(new Privilege[0]);
    }

    public static boolean hasModAcPermission(@NotNull PermissionProvider permissionProvider, @NotNull String str) {
        return Constants.REPOSITORY_PERMISSION_PATH.equals(str) ? permissionProvider.getRepositoryPermission().isGranted(256L) : permissionProvider.isGranted(str, Permissions.getString(256L));
    }

    public static boolean hasRestrictions(@NotNull Tree tree) {
        return tree.hasChild(Constants.REP_RESTRICTIONS);
    }

    public static boolean hasValidRestrictions(@Nullable String str, @NotNull Tree tree, @NotNull RestrictionProvider restrictionProvider) {
        if (!hasRestrictions(tree)) {
            return true;
        }
        try {
            restrictionProvider.validateRestrictions(str, tree);
            return true;
        } catch (RepositoryException e) {
            log.warn("Access control entry at {} contains unsupported restrictions: {}", str, e.getMessage());
            return false;
        }
    }

    public static Set<Restriction> readRestrictions(@NotNull RestrictionProvider restrictionProvider, @Nullable String str, @NotNull Tree tree) {
        return hasRestrictions(tree) ? restrictionProvider.readRestrictions(str, tree) : Collections.emptySet();
    }
}
