package org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl;

import com.google.common.collect.ImmutableList;
import com.google.common.collect.Iterables;
import java.io.IOException;
import java.io.InputStream;
import java.security.Principal;
import java.util.Collections;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.jcr.RepositoryException;
import javax.jcr.security.AccessControlManager;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.plugins.memory.MemoryNodeStore;
import org.apache.jackrabbit.oak.plugins.nodetype.ReadOnlyNodeTypeManager;
import org.apache.jackrabbit.oak.plugins.nodetype.write.NodeTypeRegistry;
import org.apache.jackrabbit.oak.spi.commit.CommitHook;
import org.apache.jackrabbit.oak.spi.commit.MoveTracker;
import org.apache.jackrabbit.oak.spi.commit.ValidatorProvider;
import org.apache.jackrabbit.oak.spi.lifecycle.RepositoryInitializer;
import org.apache.jackrabbit.oak.spi.mount.Mount;
import org.apache.jackrabbit.oak.spi.mount.MountInfoProvider;
import org.apache.jackrabbit.oak.spi.security.ConfigurationBase;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.Context;
import org.apache.jackrabbit.oak.spi.security.SecurityConfiguration;
import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregationFilter;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.EmptyPermissionProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.principalbased.Filter;
import org.apache.jackrabbit.oak.spi.security.authorization.principalbased.FilterProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
import org.apache.jackrabbit.oak.spi.state.ApplyDiff;
import org.apache.jackrabbit.oak.spi.state.NodeState;
import org.apache.jackrabbit.oak.spi.xml.ProtectedItemImporter;
import org.jetbrains.annotations.NotNull;
import org.osgi.framework.BundleContext;
import org.osgi.framework.ServiceRegistration;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Deactivate;
import org.osgi.service.component.annotations.Modified;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
import org.osgi.service.metatype.annotations.AttributeDefinition;
import org.osgi.service.metatype.annotations.Designate;
import org.osgi.service.metatype.annotations.ObjectClassDefinition;

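/**
 * OSGi component exposing the principal-based authorization module as an
 * {@link AuthorizationConfiguration} / {@link SecurityConfiguration} service.
 *
 * <p>The component needs a {@link FilterProvider} and a {@link MountInfoProvider}
 * (both mandatory references). Neither field is null-checked before use, and the
 * unbind methods reset them to {@code null}; the accessors below therefore rely on
 * the component only being used while both references are bound.
 *
 * <p>NOTE(review): this listing is decompiler output. Local and parameter names such
 * as {@code str} and {@code set} are decompiler placeholders, not the original names.
 */
@Designate(ocd = Configuration.class)
@Component(service = {AuthorizationConfiguration.class, SecurityConfiguration.class}, property = {"oak.security.name=org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl.PrincipalBasedAuthorizationConfiguration"})
public class PrincipalBasedAuthorizationConfiguration extends ConfigurationBase implements AuthorizationConfiguration {
    // Set by bindFilterProvider / cleared by unbindFilterProvider.
    private FilterProvider filterProvider;
    // Set by bindMountInfoProvider / cleared by unbindMountInfoProvider.
    private MountInfoProvider mountInfoProvider;
    // Non-null only while the AggregationFilter service is registered by this component.
    private ServiceRegistration<?> aggregationFilterRegistration;

    /**
     * Metatype definition of the component configuration.
     *
     * <p>Decompiler note: the access modifier was widened from package-private to
     * {@code public} by the decompiler.
     */
    @ObjectClassDefinition(name = "Apache Jackrabbit Oak Principal Based AuthorizationConfiguration")
    public @interface Configuration {
        @AttributeDefinition(name = "Ranking", description = "Ranking of this configuration in a setup with multiple authorization configurations.")
        int configurationRanking() default 500;

        // Authorization-relevant switch: per its description, enabling it makes effective
        // permission evaluation stop after this module. It is off by default.
        @AttributeDefinition(name = "Enable AggregationFilter", description = "If enabled effective permission evaluation will stop after this module.")
        boolean enableAggregationFilter() default false;
    }

    /**
     * Creates the access control manager for principal-based policies.
     *
     * @param root the root the manager operates on
     * @param namePathMapper the mapper handed to the manager provider
     * @return a new {@code PrincipalBasedAccessControlManager} bound to the current filter provider
     */
    @NotNull
    public AccessControlManager getAccessControlManager(@NotNull Root root, @NotNull NamePathMapper namePathMapper) {
        return new PrincipalBasedAccessControlManager(new MgrProviderImpl(this, root, namePathMapper), this.filterProvider);
    }

    /**
     * Returns the restriction provider configured under the {@code restrictionProvider}
     * parameter, or {@link RestrictionProvider#EMPTY} when none is configured.
     */
    @NotNull
    public RestrictionProvider getRestrictionProvider() {
        return getParameters().getConfigValue("restrictionProvider", RestrictionProvider.EMPTY, RestrictionProvider.class);
    }

    /**
     * Returns the permission provider of this module for the given principals.
     *
     * <p>When the filter reports that it cannot handle the principal set, an
     * {@link EmptyPermissionProvider} is returned, so this module takes no part in the
     * evaluation for those principals. Otherwise every principal is mapped to its Oak
     * path by the filter and evaluation is delegated to {@code PrincipalBasedPermissionProvider}.
     *
     * @param root the root to evaluate permissions against
     * @param str presumably the workspace name (decompiled parameter name) - confirm against the interface
     * @param set the principals to evaluate permissions for
     * @return the permission provider, never {@code null}
     */
    @NotNull
    public PermissionProvider getPermissionProvider(@NotNull Root root, @NotNull String str, @NotNull Set<Principal> set) {
        // The filter is built on a read-only view of the root and with the default name/path mapper.
        Root readOnlyRoot = getRootProvider().createReadOnlyRoot(root);
        Filter filter = this.filterProvider.getFilter(getSecurityProvider(), readOnlyRoot, NamePathMapper.DEFAULT);
        if (filter.canHandle(set)) {
            return new PrincipalBasedPermissionProvider(root, str, Iterables.transform(set, filter::getOakPath), this);
        }
        return EmptyPermissionProvider.getInstance();
    }

    /** Returns the fixed name of the authorization configuration. */
    @NotNull
    public String getName() {
        return "org.apache.jackrabbit.oak.authorization";
    }

    /**
     * Returns an initializer that registers the node types of this module when they are
     * missing from the repository.
     *
     * <p>Registration runs against an in-memory copy of the current node state; the
     * resulting changes are applied to the builder only when something was registered.
     */
    @NotNull
    public RepositoryInitializer getRepositoryInitializer() {
        return nodeBuilder -> {
            NodeState baseState = nodeBuilder.getNodeState();
            MemoryNodeStore scratchStore = new MemoryNodeStore(baseState);
            Root systemRoot = getRootProvider().createSystemRoot(scratchStore, (CommitHook) null);
            if (registerNodeTypes(systemRoot)) {
                scratchStore.getRoot().compareAgainstBaseState(baseState, new ApplyDiff(nodeBuilder));
            }
        };
    }

    /** Returns an empty list: this module contributes no commit hooks. */
    @NotNull
    public List<? extends CommitHook> getCommitHooks(@NotNull String str) {
        return Collections.emptyList();
    }

    /**
     * Returns the single validator provider that checks principal-based policy content.
     *
     * @param str passed through to the validator provider (decompiled parameter name)
     * @param set the principals passed through to the validator provider
     * @param moveTracker not used by this module
     */
    @NotNull
    public List<? extends ValidatorProvider> getValidators(@NotNull String str, @NotNull Set<Principal> set, @NotNull MoveTracker moveTracker) {
        return ImmutableList.of(new PrincipalPolicyValidatorProvider(new MgrProviderImpl(this), set, str));
    }

    /** Returns the single importer that handles principal-based policies during XML import. */
    @NotNull
    public List<ProtectedItemImporter> getProtectedItemImporters() {
        return Collections.singletonList(new PrincipalPolicyImporter(this.filterProvider, new MgrProviderImpl(this)));
    }

    /** Returns the shared {@code ContextImpl} instance. */
    @NotNull
    public Context getContext() {
        return ContextImpl.INSTANCE;
    }

    /**
     * Applies the component configuration.
     *
     * <p>The mount check runs first and throws before any state is changed. After that
     * the configuration parameters are replaced and the {@link AggregationFilter}
     * service is registered or unregistered to match {@code enableAggregationFilter}.
     *
     * @throws IllegalStateException if a non-default mount lies below the filter root
     */
    @Activate
    public void activate(@NotNull BundleContext bundleContext, @NotNull Configuration configuration) {
        checkConflictingMount();
        boolean aggregationFilterEnabled = configuration.enableAggregationFilter();
        setParameters(ConfigurationParameters.of(
                "configurationRanking", configuration.configurationRanking(),
                Constants.PARAM_ENABLE_AGGREGATION_FILTER, aggregationFilterEnabled));
        if (aggregationFilterEnabled) {
            registerAggregationFilter(bundleContext);
        } else {
            unregisterAggregationFilter();
        }
    }

    /**
     * Re-applies the configuration by delegating to {@link #activate}.
     *
     * <p>If the mount check throws here, the parameters and the aggregation-filter
     * registration of the previous configuration are left as they were.
     */
    @Modified
    public void modified(@NotNull BundleContext bundleContext, @NotNull Configuration configuration) {
        activate(bundleContext, configuration);
    }

    /** Unregisters the {@link AggregationFilter} service if this component registered it. */
    @Deactivate
    public void deactivate(@NotNull BundleContext bundleContext, @NotNull Configuration configuration) {
        unregisterAggregationFilter();
    }

    @Reference(name = "filterProvider", cardinality = ReferenceCardinality.MANDATORY)
    public void bindFilterProvider(@NotNull FilterProvider filterProvider) {
        this.filterProvider = filterProvider;
    }

    // Clears the reference regardless of which provider instance is passed in.
    public void unbindFilterProvider(@NotNull FilterProvider filterProvider) {
        this.filterProvider = null;
    }

    @Reference(name = "mountInfoProvider", cardinality = ReferenceCardinality.MANDATORY)
    public void bindMountInfoProvider(@NotNull MountInfoProvider mountInfoProvider) {
        this.mountInfoProvider = mountInfoProvider;
    }

    // Clears the reference regardless of which provider instance is passed in.
    public void unbindMountInfoProvider(@NotNull MountInfoProvider mountInfoProvider) {
        this.mountInfoProvider = null;
    }

    /**
     * Rejects setups in which a non-default mount is located below the filter root.
     *
     * @throws IllegalStateException if such a mount exists
     */
    private void checkConflictingMount() {
        String filterRoot = this.filterProvider.getFilterRoot();
        for (Mount mount : this.mountInfoProvider.getNonDefaultMounts()) {
            if (mount.isUnder(filterRoot)) {
                throw new IllegalStateException("Mount found below filter root " + filterRoot);
            }
        }
    }

    /**
     * Registers the node types shipped in {@code nodetypes.cnd} unless the principal
     * policy node type is already present.
     *
     * @param root the root used to look up and register node types
     * @return {@code true} if the node types were registered, {@code false} if they already existed
     * @throws IllegalStateException if the definition resource is missing or cannot be read or registered
     */
    private static boolean registerNodeTypes(@NotNull final Root root) {
        try {
            ReadOnlyNodeTypeManager nodeTypeManager = new ReadOnlyNodeTypeManager() {
                @NotNull
                protected Tree getTypes() {
                    return root.getTree("/jcr:system/jcr:nodeTypes");
                }
            };
            if (nodeTypeManager.hasNodeType(Constants.NT_REP_PRINCIPAL_POLICY)) {
                return false;
            }
            // try-with-resources closes the stream on the failure path as well; the
            // decompiled form closed it only after a successful registration.
            try (InputStream cndStream = PrincipalBasedAuthorizationConfiguration.class.getResourceAsStream("nodetypes.cnd")) {
                if (cndStream == null) {
                    // getResourceAsStream returns null for a missing resource; fail with a
                    // clear message instead of handing null to the registry.
                    throw new IllegalStateException("Unable to read node types for principal based authorization: resource nodetypes.cnd not found");
                }
                NodeTypeRegistry.register(root, cndStream, "node types for principal based authorization");
                return true;
            }
        } catch (IOException | RepositoryException e) {
            throw new IllegalStateException("Unable to read node types for principal based authorization", e);
        }
    }

    /** Registers the {@link AggregationFilter} service once; later calls are no-ops while it is registered. */
    private void registerAggregationFilter(@NotNull BundleContext bundleContext) {
        if (this.aggregationFilterRegistration == null) {
            this.aggregationFilterRegistration = bundleContext.registerService(AggregationFilter.class.getName(), new AggregationFilterImpl(), new Hashtable<String, Object>());
        }
    }

    /** Unregisters the {@link AggregationFilter} service if it is currently registered. */
    private void unregisterAggregationFilter() {
        if (this.aggregationFilterRegistration != null) {
            this.aggregationFilterRegistration.unregister();
            this.aggregationFilterRegistration = null;
        }
    }
}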
