package org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl;

import com.google.common.base.Strings;
import com.google.common.collect.Maps;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.jcr.RepositoryException;
import javax.jcr.Value;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlException;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.authorization.PrincipalAccessControlList;
import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.commons.PathUtils;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlList;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionDefinition;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalPolicyImpl.class */
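/**
 * Access control list whose entries are all bound to a single {@link Principal}.
 *
 * <p>Entries are {@link EntryImpl} instances held in an ordered list without duplicates.
 * Only allow entries are accepted: {@link #addEntry(Principal, Privilege[], boolean, Map, Map)}
 * rejects a request whose allow flag is {@code false}. Each entry carries an optional
 * effective path; {@code null} is accepted as a valid effective path.
 *
 * <p>Decompiler note (JADX): several members of this class were package-private in the
 * compiled class and are shown as {@code public} here.
 */
public class PrincipalPolicyImpl extends AbstractAccessControlList implements PrincipalAccessControlList {
    private static final Logger log = LoggerFactory.getLogger(PrincipalPolicyImpl.class);
    // Ordered entries of this policy; addEntry(EntryImpl) refuses duplicates.
    private final List<EntryImpl> entries;
    // The one principal every entry of this policy is created for.
    private final Principal principal;
    private final RestrictionProvider restrictionProvider;
    private final PrivilegeManager privilegeManager;
    private final PrivilegeBitsProvider privilegeBitsProvider;

    /**
     * Entry of the enclosing policy. The principal, name/path mapper, privilege manager and
     * privilege bits provider are always taken from the enclosing {@link PrincipalPolicyImpl}.
     *
     * <p>Decompiler note (JADX): access modifiers changed from package-private.
     */
    public final class EntryImpl extends AbstractEntry {
        /**
         * @param str effective Oak path of the entry, or {@code null}
         * @param privilegeBits privileges granted by the entry
         * @param set restrictions attached to the entry
         * @throws AccessControlException if the superclass constructor rejects the arguments
         */
        private EntryImpl(@Nullable String str, @NotNull PrivilegeBits privilegeBits, @NotNull Set<Restriction> set) throws AccessControlException {
            super(str, PrincipalPolicyImpl.this.principal, privilegeBits, set, PrincipalPolicyImpl.this.getNamePathMapper());
        }

        /** Resolves the entry's privilege bits to privilege names and then to {@link Privilege} objects. */
        public Privilege[] getPrivileges() {
            return Utils.privilegesFromOakNames(PrincipalPolicyImpl.this.privilegeBitsProvider.getPrivilegeNames(getPrivilegeBits()), PrincipalPolicyImpl.this.privilegeManager, getNamePathMapper());
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl.AbstractEntry
        @NotNull
        NamePathMapper getNamePathMapper() {
            return PrincipalPolicyImpl.this.getNamePathMapper();
        }

        @NotNull
        protected PrivilegeBitsProvider getPrivilegeBitsProvider() {
            return PrincipalPolicyImpl.this.privilegeBitsProvider;
        }
    }

    /**
     * Creates an empty policy for the given principal.
     *
     * <p>Decompiler note (JADX): access modifiers changed from package-private.
     *
     * @param principal principal all entries of this policy belong to
     * @param str Oak path handed to the superclass constructor
     * @param mgrProvider source of the name/path mapper, restriction provider, privilege manager
     *     and privilege bits provider used by this policy
     */
    public PrincipalPolicyImpl(@NotNull Principal principal, @NotNull String str, @NotNull MgrProvider mgrProvider) {
        super(str, mgrProvider.getNamePathMapper());
        this.entries = new ArrayList<>();
        this.principal = principal;
        this.restrictionProvider = mgrProvider.getRestrictionProvider();
        this.privilegeManager = mgrProvider.getPrivilegeManager();
        this.privilegeBitsProvider = mgrProvider.getPrivilegeBitsProvider();
    }

    /**
     * Adds an entry read from a stored entry tree.
     *
     * <p>Decompiler note (JADX): access modifiers changed from package-private.
     *
     * @param tree tree holding the effective path, the privilege names and the restrictions
     * @return {@code true} if an entry was added; {@code false} if the restrictions on the tree
     *     are not valid or an equal entry is already present
     * @throws AccessControlException if the entry cannot be created
     */
    public boolean addEntry(@NotNull Tree tree) throws AccessControlException {
        // An empty stored path is treated the same as a missing one.
        String effectivePath = Strings.emptyToNull(TreeUtil.getString(tree, Constants.REP_EFFECTIVE_PATH));
        if (!Utils.hasValidRestrictions(effectivePath, tree, this.restrictionProvider)) {
            return false;
        }
        // NOTE(review): assumes the tree always has the Constants.REP_PRIVILEGES property;
        // getProperty() returning null would fail here with a NullPointerException - confirm.
        Iterable<String> privilegeNames = tree.getProperty(Constants.REP_PRIVILEGES).getValue(Type.NAMES);
        PrivilegeBits bits = this.privilegeBitsProvider.getBits(privilegeNames);
        Set<Restriction> restrictions = Utils.readRestrictions(this.restrictionProvider, effectivePath, tree);
        return addEntry(new EntryImpl(effectivePath, bits, restrictions));
    }

    /**
     * Returns the entries of this policy.
     *
     * <p>The returned list is the backing list itself, not a copy or an unmodifiable view, so
     * changes made through it skip the privilege, restriction and duplicate checks that the
     * {@code addEntry} methods apply. Callers should treat it as read-only.
     */
    @NotNull
    public List<EntryImpl> getEntries() {
        return this.entries;
    }

    @NotNull
    public RestrictionProvider getRestrictionProvider() {
        return this.restrictionProvider;
    }

    @NotNull
    public Principal getPrincipal() {
        return this.principal;
    }

    /**
     * Adds an entry without restrictions.
     *
     * @param str effective JCR path of the entry, or {@code null}
     * @param privilegeArr privileges to grant; must be non-empty and non-abstract
     * @return {@code true} if the entry was added, {@code false} if an equal entry exists
     * @throws RepositoryException if the path or the privileges are rejected
     */
    public boolean addEntry(@Nullable String str, @NotNull Privilege[] privilegeArr) throws RepositoryException {
        return addEntry(str, privilegeArr, Collections.emptyMap(), Collections.emptyMap());
    }

    /**
     * Adds an entry for the given effective path, privileges and restrictions.
     *
     * @param str effective JCR path of the entry, or {@code null}; a non-null path must map to
     *     an absolute Oak path
     * @param privilegeArr privileges to grant; must be non-empty and non-abstract
     * @param map single-valued restrictions keyed by JCR name
     * @param map2 multi-valued restrictions keyed by JCR name
     * @return {@code true} if the entry was added, {@code false} if an equal entry exists
     * @throws AccessControlException if the path cannot be mapped or is not absolute, or if the
     *     privileges or restrictions are rejected
     * @throws RepositoryException if name or path conversion fails
     */
    public boolean addEntry(@Nullable String str, @NotNull Privilege[] privilegeArr, @NotNull Map<String, Value> map, @NotNull Map<String, Value[]> map2) throws RepositoryException {
        String oakPath = null;
        if (str != null) {
            oakPath = getNamePathMapper().getOakPath(str);
            if (oakPath == null) {
                // getOakPath() is nullable: null for a non-null input means the JCR path could
                // not be mapped. Fail closed here; letting it through would store the entry
                // with a null effective path, which is a different scope than the one requested.
                throw new AccessControlException("Invalid path " + str);
            }
            if (!PathUtils.isAbsolute(oakPath)) {
                throw new AccessControlException("Absolute path expected. Instead was " + str);
            }
        }
        // Privileges are validated before restrictions, as in the constructor-argument order.
        PrivilegeBits bits = validatePrivileges(privilegeArr);
        Set<Restriction> restrictions = validateRestrictions(oakPath, map, map2);
        return addEntry(new EntryImpl(oakPath, bits, restrictions));
    }

    /**
     * Adds an allow entry whose effective path is given by the {@code rep:nodePath} restriction.
     *
     * @param principal must equal the principal of this policy
     * @param privilegeArr privileges to grant
     * @param z allow flag; must be {@code true} because deny entries are not supported
     * @param map single-valued restrictions; must contain the node path restriction
     * @param map2 multi-valued restrictions, or {@code null} for none
     * @return {@code true} if the entry was added, {@code false} if an equal entry exists
     * @throws AccessControlException if the principal differs, the entry is a deny entry, or the
     *     node path restriction is missing
     * @throws RepositoryException if validation or name/path conversion fails
     */
    public boolean addEntry(@NotNull Principal principal, @NotNull Privilege[] privilegeArr, boolean z, @Nullable Map<String, Value> map, @Nullable Map<String, Value[]> map2) throws RepositoryException {
        if (!this.principal.equals(principal)) {
            throw new AccessControlException("Principal must be the one associated with the principal based policy.");
        }
        if (!z) {
            throw new AccessControlException("Principal based access control does not support DENY access control entries.");
        }
        String nodePathName = getNamePathMapper().getJcrName("rep:nodePath");
        // Throws when map is null or lacks the node path, so map is non-null below.
        String effectivePath = extractPathFromRestrictions(map, nodePathName);
        // The node path becomes the entry's effective path and is dropped from the restrictions.
        Map<String, Value> remaining = Maps.filterEntries(map, entry -> !nodePathName.equals(entry.getKey()));
        Map<String, Value[]> multiValued = map2 == null ? Collections.emptyMap() : map2;
        return addEntry(effectivePath, privilegeArr, remaining, multiValued);
    }

    /**
     * Moves {@code accessControlEntry} directly in front of {@code accessControlEntry2}, or to
     * the end of the list when {@code accessControlEntry2} is {@code null}.
     *
     * @param accessControlEntry entry to move; must be contained in this list
     * @param accessControlEntry2 entry to insert before, or {@code null} to move to the end
     * @throws AccessControlException if either entry is not an {@link EntryImpl} or is not
     *     contained in this list
     */
    public void orderBefore(@NotNull AccessControlEntry accessControlEntry, @Nullable AccessControlEntry accessControlEntry2) throws RepositoryException {
        EntryImpl src = validateEntry(accessControlEntry);
        EntryImpl dest = accessControlEntry2 == null ? null : validateEntry(accessControlEntry2);
        if (src.equals(dest)) {
            log.debug("'srcEntry' equals 'destEntry' -> no reordering.");
            return;
        }
        int destIndex = -1;
        if (dest != null) {
            destIndex = this.entries.indexOf(dest);
            if (destIndex < 0) {
                throw new AccessControlException("Destination entry not contained in this AccessControlList.");
            }
        }
        int srcIndex = this.entries.indexOf(src);
        if (srcIndex < 0) {
            throw new AccessControlException("Source entry not contained in this AccessControlList");
        }
        this.entries.remove(srcIndex);
        if (dest == null) {
            this.entries.add(src);
            return;
        }
        // Removing a source that sat in front of the destination shifts the destination one
        // slot to the left; without this correction the source would land behind it.
        if (srcIndex < destIndex) {
            destIndex--;
        }
        this.entries.add(destIndex, src);
    }

    /**
     * Removes the given entry from this list.
     *
     * @throws AccessControlException if the entry is not an {@link EntryImpl} or is not
     *     contained in this list
     */
    public void removeAccessControlEntry(AccessControlEntry accessControlEntry) throws RepositoryException {
        EntryImpl entry = validateEntry(accessControlEntry);
        if (!this.entries.remove(entry)) {
            throw new AccessControlException("AccessControlEntry " + accessControlEntry + " not contained in AccessControlList");
        }
    }

    /** Converts a JCR name to its Oak name using this policy's name/path mapper. */
    @NotNull
    private String getOakName(@NotNull String str) throws RepositoryException {
        return getNamePathMapper().getOakName(str);
    }

    /**
     * Checks that every mandatory restriction is present and builds the restriction set.
     *
     * @param str effective Oak path the restrictions are created for, or {@code null}
     * @param map single-valued restrictions keyed by JCR name
     * @param map2 multi-valued restrictions keyed by JCR name
     * @throws AccessControlException if a mandatory restriction is missing
     */
    @NotNull
    private Set<Restriction> validateRestrictions(@Nullable String str, @NotNull Map<String, Value> map, @NotNull Map<String, Value[]> map2) throws RepositoryException {
        // The supported definitions are looked up for the policy's own path (getOakPath()),
        // not for the entry's effective path passed in as str.
        for (RestrictionDefinition definition : getRestrictionProvider().getSupportedRestrictions(getOakPath())) {
            if (!definition.isMandatory()) {
                continue;
            }
            String jcrName = getNamePathMapper().getJcrName(definition.getName());
            // Array-typed definitions are expected among the multi-valued restrictions.
            boolean present = definition.getRequiredType().isArray() ? map2.containsKey(jcrName) : map.containsKey(jcrName);
            if (!present) {
                throw new AccessControlException("Mandatory restriction " + jcrName + " is missing.");
            }
        }
        return computeRestrictions(str, map, map2);
    }

    /**
     * Creates one {@link Restriction} per map entry through the restriction provider.
     *
     * @return an empty set when both maps are empty, otherwise a new set of restrictions
     */
    @NotNull
    private Set<Restriction> computeRestrictions(@Nullable String str, @NotNull Map<String, Value> map, @NotNull Map<String, Value[]> map2) throws RepositoryException {
        if (map.isEmpty() && map2.isEmpty()) {
            return Collections.emptySet();
        }
        RestrictionProvider provider = getRestrictionProvider();
        Set<Restriction> restrictions = new HashSet<>();
        for (Map.Entry<String, Value> single : map.entrySet()) {
            restrictions.add(provider.createRestriction(str, getOakName(single.getKey()), single.getValue()));
        }
        for (Map.Entry<String, Value[]> multi : map2.entrySet()) {
            restrictions.add(provider.createRestriction(str, getOakName(multi.getKey()), multi.getValue()));
        }
        return restrictions;
    }

    /**
     * Reads the effective path from the restriction named {@code str}.
     *
     * @param map single-valued restrictions, possibly {@code null}
     * @param str JCR name of the node path restriction
     * @return the path, or {@code null} when the restriction value is the empty string
     * @throws AccessControlException if the map is {@code null} or lacks the restriction
     */
    @Nullable
    private static String extractPathFromRestrictions(@Nullable Map<String, Value> map, @NotNull String str) throws RepositoryException {
        if (map == null || !map.containsKey(str)) {
            throw new AccessControlException("Entries in principal based access control need to have a path specified. Add rep:nodePath restriction or use PrincipalAccessControlList.addEntry(String, Privilege[], Map, Map) instead.");
        }
        return Strings.emptyToNull(map.get(str).getString());
    }

    /**
     * Rejects empty privilege arrays and abstract privileges, then converts to privilege bits.
     *
     * @throws AccessControlException if the array is empty or contains an abstract privilege
     * @throws RepositoryException if the privilege manager cannot resolve a privilege name
     */
    @NotNull
    private PrivilegeBits validatePrivileges(@NotNull Privilege[] privilegeArr) throws RepositoryException {
        if (privilegeArr.length == 0) {
            throw new AccessControlException("Privileges may not be an empty array");
        }
        for (Privilege privilege : privilegeArr) {
            // Looked up again by name so the privilege manager's definition decides, not the
            // object the caller passed in.
            if (this.privilegeManager.getPrivilege(privilege.getName()).isAbstract()) {
                throw new AccessControlException("Privilege " + privilege + " is abstract.");
            }
        }
        return this.privilegeBitsProvider.getBits(privilegeArr, getNamePathMapper());
    }

    /**
     * Casts the entry to {@link EntryImpl}.
     *
     * <p>Only the type is checked, so an {@code EntryImpl} created by a different policy
     * instance passes; callers rely on the subsequent list lookup to reject foreign entries.
     *
     * @throws AccessControlException if the entry is {@code null} or of another type
     */
    @NotNull
    private static EntryImpl validateEntry(@Nullable AccessControlEntry accessControlEntry) throws AccessControlException {
        if (accessControlEntry instanceof EntryImpl) {
            return (EntryImpl) accessControlEntry;
        }
        throw new AccessControlException("Invalid AccessControlEntry " + accessControlEntry);
    }

    /** Appends the entry unless an equal one is already present. */
    private boolean addEntry(@NotNull EntryImpl entryImpl) {
        if (this.entries.contains(entryImpl)) {
            return false;
        }
        return this.entries.add(entryImpl);
    }
}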
