package org.apache.jackrabbit.oak.security.authorization.accesscontrol;

import com.google.common.base.Preconditions;
import com.google.common.collect.Iterables;
import com.google.common.collect.Lists;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.jcr.RepositoryException;
import javax.jcr.Value;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlException;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ACE;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlList;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionDefinition;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACL.class */
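/**
 * Base access control list that keeps its entries in an ordered, mutable list and implements
 * adding, removing and reordering of those entries.
 *
 * <p>Principal validation, ACE construction and privilege lookup are left to subclasses through
 * the abstract methods below.
 *
 * <p>No synchronization is performed in this class.
 */
abstract class ACL extends AbstractAccessControlList {
    private static final Logger log = LoggerFactory.getLogger(ACL.class);

    /** Ordered backing list; {@link #getEntries()} hands out this very instance. */
    private final List<ACE> entries;

    /**
     * Creates a list, optionally pre-populated with a copy of the given entries.
     *
     * <p>The supplied entries are copied as-is: they do not pass through the validation and
     * merging performed by {@link #addEntry}.
     *
     * @param str path handed to the super constructor; may be {@code null}
     * @param list initial entries, or {@code null} for an empty list
     * @param namePathMapper mapper handed to the super constructor
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    public ACL(@Nullable String str, @Nullable List<ACE> list, @NotNull NamePathMapper namePathMapper) {
        super(str, namePathMapper);
        this.entries = new ArrayList<>();
        if (list != null) {
            this.entries.addAll(list);
        }
    }

    /**
     * Builds an entry from its parts.
     *
     * @param principal principal of the entry
     * @param privilegeBits privileges of the entry
     * @param z allow flag ({@code true} for an allow entry)
     * @param set restrictions of the entry
     */
    abstract ACE createACE(Principal principal, PrivilegeBits privilegeBits, boolean z, Set<Restriction> set) throws RepositoryException;

    /**
     * Decides whether entries may be created for the given principal. A {@code false} result makes
     * {@link #addEntry} return {@code false} without modifying the list.
     */
    abstract boolean checkValidPrincipal(Principal principal) throws AccessControlException;

    /** Returns the privilege manager used to look up privileges by name. */
    abstract PrivilegeManager getPrivilegeManager();

    /** Converts the given privileges to their bit representation. */
    abstract PrivilegeBits getPrivilegeBits(Privilege[] privilegeArr);

    /**
     * Returns the live backing list, not a copy.
     *
     * <p>Changes made through the returned list take effect on this ACL directly and skip the
     * privilege, principal and restriction checks of {@link #addEntry}.
     */
    @Override // org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlList
    @NotNull
    public List<ACE> getEntries() {
        return this.entries;
    }

    /**
     * Removes the given entry.
     *
     * @throws AccessControlException if the entry is not an {@link ACE} or is not contained in
     *     this list
     */
    @Override // javax.jcr.security.AccessControlList
    public void removeAccessControlEntry(AccessControlEntry accessControlEntry) throws RepositoryException {
        ACE target = checkACE(accessControlEntry);
        if (!this.entries.remove(target)) {
            throw new AccessControlException("Cannot remove AccessControlEntry " + accessControlEntry);
        }
    }

    /**
     * Validates the arguments, builds an entry and merges it into this list.
     *
     * @param principal principal the entry applies to
     * @param privilegeArr privileges to grant or deny; must be non-empty and must not contain
     *     abstract privileges
     * @param z allow flag ({@code true} for an allow entry)
     * @param map single-valued restrictions by JCR name, or {@code null} for none
     * @param map2 multi-valued restrictions by JCR name, or {@code null} for none
     * @return {@code true} if this list was modified; {@code false} if the principal was rejected
     *     by {@link #checkValidPrincipal}, an equal entry already exists, or the privileges are
     *     already covered by an existing entry
     * @throws AccessControlException if the privileges are {@code null}, empty or abstract, or a
     *     mandatory restriction is missing
     */
    @Override // org.apache.jackrabbit.api.security.JackrabbitAccessControlList
    public boolean addEntry(Principal principal, Privilege[] privilegeArr, boolean z, Map<String, Value> map, Map<String, Value[]> map2) throws RepositoryException {
        if (privilegeArr == null || privilegeArr.length == 0) {
            throw new AccessControlException("Privileges may not be null nor an empty array");
        }
        for (Privilege privilege : privilegeArr) {
            // Look the privilege up by name through the manager instead of trusting the
            // caller-supplied Privilege object's own isAbstract().
            if (getPrivilegeManager().getPrivilege(privilege.getName()).isAbstract()) {
                throw new AccessControlException("Privilege " + privilege + " is abstract.");
            }
        }
        if (!checkValidPrincipal(principal)) {
            return false;
        }
        // Privilege bits are resolved before the restrictions are validated.
        PrivilegeBits bits = getPrivilegeBits(privilegeArr);
        Map<String, Value> singleValued = map == null ? Collections.<String, Value>emptyMap() : map;
        Map<String, Value[]> multiValued = map2 == null ? Collections.<String, Value[]>emptyMap() : map2;
        ACE candidate = createACE(principal, bits, z, validateRestrictions(singleValued, multiValued));
        if (this.entries.contains(candidate)) {
            log.debug("Entry is already contained in policy -> no modification.");
            return false;
        }
        return internalAddEntry(candidate);
    }

    /**
     * Moves the source entry directly in front of the destination entry, or to the end of the list
     * when the destination is {@code null}.
     *
     * <p>The list is left untouched when either entry is missing.
     *
     * @param accessControlEntry entry to move (source)
     * @param accessControlEntry2 entry to move in front of (destination), or {@code null}
     * @throws AccessControlException if either argument is not an {@link ACE}, or if the source or
     *     a non-null destination is not contained in this list
     */
    @Override // org.apache.jackrabbit.api.security.JackrabbitAccessControlList
    public void orderBefore(AccessControlEntry accessControlEntry, AccessControlEntry accessControlEntry2) throws RepositoryException {
        ACE src = checkACE(accessControlEntry);
        ACE dest = accessControlEntry2 == null ? null : checkACE(accessControlEntry2);
        if (src.equals(dest)) {
            log.debug("'srcEntry' equals 'destEntry' -> no reordering required.");
            return;
        }
        int srcIndex = this.entries.indexOf(src);
        int destIndex = dest == null ? this.entries.size() : this.entries.indexOf(dest);
        if (destIndex < 0) {
            throw new AccessControlException("'destEntry' not contained in this AccessControlList.");
        }
        if (srcIndex < 0) {
            throw new AccessControlException("srcEntry not contained in this AccessControlList");
        }
        this.entries.remove(srcIndex);
        // Removing a source that sits in front of the destination shifts the destination one slot
        // to the left. Inserting at the stale index would place the source AFTER the destination,
        // i.e. the opposite relative order of what the caller asked for.
        int insertAt = srcIndex < destIndex ? destIndex - 1 : destIndex;
        this.entries.add(insertAt, src);
    }

    /** Returns the path followed by every entry's string form, each terminated by {@code ';'}. */
    @Override
    public String toString() {
        StringBuilder sb = new StringBuilder();
        sb.append("ACL: ").append(getPath()).append("; ACEs: ");
        for (ACE entry : this.entries) {
            sb.append(entry.toString()).append(';');
        }
        return sb.toString();
    }

    /**
     * Narrows a generic entry to {@link ACE}.
     *
     * @throws AccessControlException if the entry is {@code null} or of any other type
     */
    private static ACE checkACE(AccessControlEntry accessControlEntry) throws AccessControlException {
        if (!(accessControlEntry instanceof ACE)) {
            throw new AccessControlException("Invalid access control entry.");
        }
        return (ACE) accessControlEntry;
    }

    /**
     * Merges a new entry with the existing entries that share its principal name and restrictions.
     *
     * <ul>
     *   <li>Same allow flag: the existing entry absorbs the new privileges in place, or nothing
     *       happens if it already includes them.
     *   <li>Opposite allow flag: privileges covered by the new entry are stripped from the existing
     *       entry, which is dropped entirely if nothing remains; the new entry is then appended.
     * </ul>
     *
     * @return {@code false} if an existing entry with the same allow flag already includes the new
     *     privileges, {@code true} otherwise
     */
    private boolean internalAddEntry(@NotNull ACE ace) throws RepositoryException {
        String principalName = ace.getPrincipal().getName();
        Set<Restriction> restrictions = ace.getRestrictions();
        // Snapshot the matching entries so the backing list can be modified while iterating.
        List<ACE> related = Lists.newArrayList(Iterables.filter(this.entries, candidate ->
                principalName.equals(Preconditions.checkNotNull(candidate).getPrincipal().getName())
                        && restrictions.equals(candidate.getRestrictions())));

        boolean appendNew = true;
        for (ACE existing : related) {
            // Work on a fresh PrivilegeBits instance obtained from the existing entry's bits.
            PrivilegeBits existingBits = PrivilegeBits.getInstance(existing.getPrivilegeBits());
            PrivilegeBits newBits = ace.getPrivilegeBits();
            if (ace.isAllow() == existing.isAllow()) {
                if (existingBits.includes(newBits)) {
                    // NOTE(review): this early return can follow adjustments already made to
                    // earlier matching entries in this loop - confirm callers tolerate that.
                    return false;
                }
                existingBits.add(newBits);
                replaceEntry(existing, createACE(existing, existingBits));
                appendNew = false;
            } else {
                PrivilegeBits remaining = PrivilegeBits.getInstance(existingBits).diff(newBits);
                if (remaining.isEmpty()) {
                    // The new entry overrides every privilege of the complementary entry.
                    this.entries.remove(existing);
                } else if (!remaining.includes(existingBits)) {
                    // Partial overlap: keep the complementary entry with the overlap removed.
                    replaceEntry(existing, createACE(existing, remaining));
                }
                // Otherwise there is no overlap and the existing entry stays untouched.
            }
        }
        if (appendNew) {
            this.entries.add(ace);
        }
        return true;
    }

    /**
     * Swaps an entry for its replacement at the same position. Callers build the replacement
     * before calling, so a failure while creating it leaves the list unchanged.
     */
    private void replaceEntry(@NotNull ACE existing, @NotNull ACE replacement) {
        this.entries.set(this.entries.indexOf(existing), replacement);
    }

    /** Copies principal, allow flag and restrictions from {@code ace}, using the given privileges. */
    private ACE createACE(@NotNull ACE ace, @NotNull PrivilegeBits privilegeBits) throws RepositoryException {
        return createACE(ace.getPrincipal(), privilegeBits, ace.isAllow(), ace.getRestrictions());
    }

    /**
     * Checks that every mandatory restriction is supplied and converts the supplied values into
     * {@link Restriction} objects through the restriction provider.
     *
     * @param map single-valued restrictions by JCR name
     * @param map2 multi-valued restrictions by JCR name
     * @return the created restrictions
     * @throws AccessControlException if a mandatory restriction is missing from the map that
     *     matches its required type (array types are looked up in {@code map2})
     */
    @NotNull
    private Set<Restriction> validateRestrictions(@NotNull Map<String, Value> map, @NotNull Map<String, Value[]> map2) throws RepositoryException {
        Iterable<RestrictionDefinition> mandatory = Iterables.filter(
                getRestrictionProvider().getSupportedRestrictions(getOakPath()), RestrictionDefinition::isMandatory);
        for (RestrictionDefinition definition : mandatory) {
            String jcrName = getNamePathMapper().getJcrName(definition.getName());
            boolean supplied = definition.getRequiredType().isArray() ? map2.containsKey(jcrName) : map.containsKey(jcrName);
            if (!supplied) {
                throw new AccessControlException("Mandatory restriction " + jcrName + " is missing.");
            }
        }
        Set<Restriction> restrictions = new HashSet<>();
        for (Map.Entry<String, Value> entry : map.entrySet()) {
            restrictions.add(getRestrictionProvider().createRestriction(getOakPath(), getNamePathMapper().getOakName(entry.getKey()), entry.getValue()));
        }
        for (Map.Entry<String, Value[]> entry : map2.entrySet()) {
            restrictions.add(getRestrictionProvider().createRestriction(getOakPath(), getNamePathMapper().getOakName(entry.getKey()), entry.getValue()));
        }
        return restrictions;
    }
}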
