package org.apache.jackrabbit.oak.security.authorization.composite;

import com.google.common.base.Predicate;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.Iterables;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.plugins.tree.RootFactory;
import org.apache.jackrabbit.oak.plugins.tree.impl.ImmutableTree;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregatedPermissionProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.RepositoryPermission;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider;
import org.apache.jackrabbit.oak.spi.state.NodeState;
import org.apache.jackrabbit.util.Text;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProvider.class */
public class CompositePermissionProvider implements PermissionProvider {
    private final Root root;
    private final List<AggregatedPermissionProvider> pps;
    private final CompositeRepositoryPermission repositoryPermission = new CompositeRepositoryPermission();
    private Root immutableRoot;
    private PrivilegeBitsProvider pbp;

    /* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProvider$CompositeRepositoryPermission.class */
    private class CompositeRepositoryPermission implements RepositoryPermission {
        private CompositeRepositoryPermission() {
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authorization.permission.RepositoryPermission
        public boolean isGranted(long j) {
            Iterable filter = Iterables.filter(CompositePermissionProvider.this.pps, new Predicate<AggregatedPermissionProvider>() { // from class: org.apache.jackrabbit.oak.security.authorization.composite.CompositePermissionProvider.CompositeRepositoryPermission.1
                @Override // com.google.common.base.Predicate
                public boolean apply(@Nullable AggregatedPermissionProvider aggregatedPermissionProvider) {
                    return aggregatedPermissionProvider != null && aggregatedPermissionProvider.handlesRepositoryPermissions();
                }
            });
            if (!Permissions.isAggregate(j)) {
                return CompositePermissionProvider.grantsRepoPermission(j, filter);
            }
            Iterator<Long> it = Permissions.aggregates(j).iterator();
            while (it.hasNext()) {
                if (!CompositePermissionProvider.grantsRepoPermission(it.next().longValue(), filter)) {
                    return false;
                }
            }
            return true;
        }
    }

    /* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProvider$CompositeTreePermission.class */
    private final class CompositeTreePermission implements TreePermission {
        private final ImmutableTree tree;
        private final CompositeTreePermission parentPermission;
        private final Map<AggregatedPermissionProvider, TreePermission> map;
        private Boolean canRead;

        private CompositeTreePermission() {
            this.tree = null;
            this.parentPermission = null;
            this.map = ImmutableMap.of();
        }

        private CompositeTreePermission(@Nonnull ImmutableTree immutableTree, @Nonnull CompositeTreePermission compositeTreePermission) {
            this.tree = immutableTree;
            this.parentPermission = compositeTreePermission;
            this.map = new LinkedHashMap(CompositePermissionProvider.this.pps.size());
            for (AggregatedPermissionProvider aggregatedPermissionProvider : CompositePermissionProvider.this.pps) {
                this.map.put(aggregatedPermissionProvider, aggregatedPermissionProvider.getTreePermission(immutableTree, getParentPermission(aggregatedPermissionProvider)));
            }
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission
        @Nonnull
        public TreePermission getChildPermission(@Nonnull String str, @Nonnull NodeState nodeState) {
            return new CompositeTreePermission(new ImmutableTree(this.tree, str, nodeState), this);
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission
        public boolean canRead() {
            if (this.canRead == null) {
                this.canRead = false;
                Iterator<Map.Entry<AggregatedPermissionProvider, TreePermission>> it = this.map.entrySet().iterator();
                while (it.hasNext()) {
                    Map.Entry<AggregatedPermissionProvider, TreePermission> next = it.next();
                    if (next.getKey().handles(next.getValue(), 1L)) {
                        boolean canRead = next.getValue().canRead();
                        if (!it.hasNext() || !canRead) {
                            this.canRead = Boolean.valueOf(canRead);
                            break;
                        }
                    }
                }
            }
            return this.canRead.booleanValue();
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission
        public boolean canRead(@Nonnull PropertyState propertyState) {
            Iterator<Map.Entry<AggregatedPermissionProvider, TreePermission>> it = this.map.entrySet().iterator();
            while (it.hasNext()) {
                Map.Entry<AggregatedPermissionProvider, TreePermission> next = it.next();
                if (next.getKey().handles(next.getValue(), 2L)) {
                    boolean canRead = next.getValue().canRead(propertyState);
                    if (!it.hasNext() || !canRead) {
                        return canRead;
                    }
                }
            }
            return false;
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission
        public boolean canReadAll() {
            return false;
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission
        public boolean canReadProperties() {
            return false;
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission
        public boolean isGranted(long j) {
            if (!Permissions.isAggregate(j)) {
                return grantsPermission(j, null);
            }
            Iterator<Long> it = Permissions.aggregates(j).iterator();
            while (it.hasNext()) {
                if (!grantsPermission(it.next().longValue(), null)) {
                    return false;
                }
            }
            return true;
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission
        public boolean isGranted(long j, @Nonnull PropertyState propertyState) {
            if (!Permissions.isAggregate(j)) {
                return grantsPermission(j, propertyState);
            }
            Iterator<Long> it = Permissions.aggregates(j).iterator();
            while (it.hasNext()) {
                if (!grantsPermission(it.next().longValue(), propertyState)) {
                    return false;
                }
            }
            return true;
        }

        private boolean grantsPermission(long j, @Nullable PropertyState propertyState) {
            Iterator<Map.Entry<AggregatedPermissionProvider, TreePermission>> it = this.map.entrySet().iterator();
            while (it.hasNext()) {
                Map.Entry<AggregatedPermissionProvider, TreePermission> next = it.next();
                if (next.getKey().handles(this, j)) {
                    TreePermission value = next.getValue();
                    boolean isGranted = propertyState == null ? value.isGranted(j) : value.isGranted(j, propertyState);
                    if (!it.hasNext() || !isGranted) {
                        return isGranted;
                    }
                }
            }
            return false;
        }

        @Nonnull
        private TreePermission getParentPermission(AggregatedPermissionProvider aggregatedPermissionProvider) {
            TreePermission treePermission = null;
            if (this.parentPermission != null) {
                treePermission = this.parentPermission.map.get(aggregatedPermissionProvider);
            }
            return treePermission == null ? TreePermission.EMPTY : treePermission;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public CompositePermissionProvider(@Nonnull Root root, @Nonnull List<AggregatedPermissionProvider> list) {
        this.root = root;
        this.pps = list;
        this.immutableRoot = RootFactory.createReadOnlyRoot(root);
        this.pbp = new PrivilegeBitsProvider(this.immutableRoot);
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider
    public void refresh() {
        this.immutableRoot = RootFactory.createReadOnlyRoot(this.root);
        this.pbp = new PrivilegeBitsProvider(this.immutableRoot);
        Iterator<AggregatedPermissionProvider> it = this.pps.iterator();
        while (it.hasNext()) {
            it.next().refresh();
        }
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider
    @Nonnull
    public Set<String> getPrivileges(@Nullable final Tree tree) {
        PrivilegeBits privilegeBits = null;
        Iterator it = Iterables.filter(this.pps, new Predicate<AggregatedPermissionProvider>() { // from class: org.apache.jackrabbit.oak.security.authorization.composite.CompositePermissionProvider.1
            @Override // com.google.common.base.Predicate
            public boolean apply(@Nullable AggregatedPermissionProvider aggregatedPermissionProvider) {
                return aggregatedPermissionProvider != null && (tree != null || aggregatedPermissionProvider.handlesRepositoryPermissions());
            }
        }).iterator();
        while (it.hasNext()) {
            PrivilegeBits bits = this.pbp.getBits(((AggregatedPermissionProvider) it.next()).getPrivileges(tree));
            if (privilegeBits == null) {
                privilegeBits = PrivilegeBits.getInstance();
                privilegeBits.add(bits);
            } else {
                privilegeBits.retain(bits);
            }
        }
        return this.pbp.getPrivilegeNames(privilegeBits);
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider
    public boolean hasPrivileges(@Nullable final Tree tree, @Nonnull String... strArr) {
        for (final String str : this.pbp.getAggregatedPrivilegeNames(strArr)) {
            Iterator it = Iterables.filter(this.pps, new Predicate<AggregatedPermissionProvider>() { // from class: org.apache.jackrabbit.oak.security.authorization.composite.CompositePermissionProvider.2
                @Override // com.google.common.base.Predicate
                public boolean apply(@Nullable AggregatedPermissionProvider aggregatedPermissionProvider) {
                    return aggregatedPermissionProvider != null && (tree != null ? aggregatedPermissionProvider.handles(tree, CompositePermissionProvider.this.pbp.getBits(str)) : aggregatedPermissionProvider.handlesRepositoryPermissions());
                }
            }).iterator();
            while (it.hasNext()) {
                if (!((AggregatedPermissionProvider) it.next()).hasPrivileges(tree, str)) {
                    return false;
                }
            }
        }
        return true;
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider
    @Nonnull
    public RepositoryPermission getRepositoryPermission() {
        return this.repositoryPermission;
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider
    @Nonnull
    public TreePermission getTreePermission(@Nonnull Tree tree, @Nonnull TreePermission treePermission) {
        ImmutableTree immutableTree = tree instanceof ImmutableTree ? (ImmutableTree) tree : (ImmutableTree) this.immutableRoot.getTree(tree.getPath());
        if (tree.isRoot()) {
            return new CompositeTreePermission(immutableTree, new CompositeTreePermission());
        }
        if (treePermission instanceof CompositeTreePermission) {
            return new CompositeTreePermission(immutableTree, (CompositeTreePermission) treePermission);
        }
        throw new IllegalArgumentException("Illegal parent permission instance. Expected CompositeTreePermission.");
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider
    public boolean isGranted(@Nonnull final Tree tree, @Nullable PropertyState propertyState, final long j) {
        if (!Permissions.isAggregate(j)) {
            return grantsPermission(tree, propertyState, j, Iterables.filter(this.pps, new Predicate<AggregatedPermissionProvider>() { // from class: org.apache.jackrabbit.oak.security.authorization.composite.CompositePermissionProvider.4
                @Override // com.google.common.base.Predicate
                public boolean apply(@Nullable AggregatedPermissionProvider aggregatedPermissionProvider) {
                    return aggregatedPermissionProvider != null && aggregatedPermissionProvider.handles(tree, j);
                }
            }));
        }
        Iterator<Long> it = Permissions.aggregates(j).iterator();
        while (it.hasNext()) {
            final long longValue = it.next().longValue();
            if (!grantsPermission(tree, propertyState, longValue, Iterables.filter(this.pps, new Predicate<AggregatedPermissionProvider>() { // from class: org.apache.jackrabbit.oak.security.authorization.composite.CompositePermissionProvider.3
                @Override // com.google.common.base.Predicate
                public boolean apply(@Nullable AggregatedPermissionProvider aggregatedPermissionProvider) {
                    return aggregatedPermissionProvider != null && aggregatedPermissionProvider.handles(tree, longValue);
                }
            }))) {
                return false;
            }
        }
        return true;
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider
    public boolean isGranted(@Nonnull final String str, @Nonnull String str2) {
        final String[] explode = Text.explode(str2, 44, false);
        switch (explode.length) {
            case 0:
                return true;
            case 1:
                return grantsAction(str, explode[0], Iterables.filter(this.pps, new Predicate<AggregatedPermissionProvider>() { // from class: org.apache.jackrabbit.oak.security.authorization.composite.CompositePermissionProvider.5
                    @Override // com.google.common.base.Predicate
                    public boolean apply(@Nullable AggregatedPermissionProvider aggregatedPermissionProvider) {
                        return aggregatedPermissionProvider != null && aggregatedPermissionProvider.handles(str, explode[0]);
                    }
                }));
            default:
                for (final String str3 : explode) {
                    if (!grantsAction(str, str3, Iterables.filter(this.pps, new Predicate<AggregatedPermissionProvider>() { // from class: org.apache.jackrabbit.oak.security.authorization.composite.CompositePermissionProvider.6
                        @Override // com.google.common.base.Predicate
                        public boolean apply(@Nullable AggregatedPermissionProvider aggregatedPermissionProvider) {
                            return aggregatedPermissionProvider != null && aggregatedPermissionProvider.handles(str, str3);
                        }
                    }))) {
                        return false;
                    }
                }
                return true;
        }
    }

    private static boolean grantsPermission(@Nonnull Tree tree, @Nullable PropertyState propertyState, long j, @Nonnull Iterable<AggregatedPermissionProvider> iterable) {
        Iterator<AggregatedPermissionProvider> it = iterable.iterator();
        while (it.hasNext()) {
            boolean isGranted = it.next().isGranted(tree, propertyState, j);
            if (!it.hasNext() || !isGranted) {
                return isGranted;
            }
        }
        return false;
    }

    private static boolean grantsAction(@Nonnull String str, @Nonnull String str2, @Nonnull Iterable<AggregatedPermissionProvider> iterable) {
        Iterator<AggregatedPermissionProvider> it = iterable.iterator();
        while (it.hasNext()) {
            boolean isGranted = it.next().isGranted(str, str2);
            if (!it.hasNext() || !isGranted) {
                return isGranted;
            }
        }
        return false;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static boolean grantsRepoPermission(long j, @Nonnull Iterable<AggregatedPermissionProvider> iterable) {
        Iterator<AggregatedPermissionProvider> it = iterable.iterator();
        while (it.hasNext()) {
            boolean isGranted = it.next().getRepositoryPermission().isGranted(j);
            if (!it.hasNext() || !isGranted) {
                return isGranted;
            }
        }
        return false;
    }
}
