package org.apache.jackrabbit.oak.security.authorization.composite;

import com.google.common.collect.ImmutableMap;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.plugins.tree.RootFactory;
import org.apache.jackrabbit.oak.plugins.tree.TreeLocation;
import org.apache.jackrabbit.oak.plugins.tree.impl.ImmutableTree;
import org.apache.jackrabbit.oak.security.authorization.permission.PermissionUtil;
import org.apache.jackrabbit.oak.spi.security.Context;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregatedPermissionProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.RepositoryPermission;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider;
import org.apache.jackrabbit.oak.spi.state.NodeState;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProvider.class */
public class CompositePermissionProvider implements PermissionProvider {
    private final Root root;
    private final List<AggregatedPermissionProvider> pps;
    private final Context ctx;
    private final CompositeRepositoryPermission repositoryPermission = new CompositeRepositoryPermission();
    private Root immutableRoot;
    private PrivilegeBitsProvider privilegeBitsProvider;

    /* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProvider$CompositeRepositoryPermission.class */
    private final class CompositeRepositoryPermission implements RepositoryPermission {
        private CompositeRepositoryPermission() {
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authorization.permission.RepositoryPermission
        public boolean isGranted(long j) {
            boolean z = false;
            long j2 = 0;
            for (AggregatedPermissionProvider aggregatedPermissionProvider : CompositePermissionProvider.this.pps) {
                long supportedPermissions = aggregatedPermissionProvider.supportedPermissions(null, null, j);
                if (CompositePermissionProvider.doEvaluate(supportedPermissions)) {
                    z = aggregatedPermissionProvider.getRepositoryPermission().isGranted(supportedPermissions);
                    j2 |= supportedPermissions;
                    if (!z) {
                        break;
                    }
                }
            }
            return z && j2 == j;
        }
    }

    /* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/composite/CompositePermissionProvider$CompositeTreePermission.class */
    private final class CompositeTreePermission implements TreePermission {
        private final ImmutableTree tree;
        private final Map<AggregatedPermissionProvider, TreePermission> map;
        private Boolean canRead;

        private CompositeTreePermission() {
            this.tree = null;
            this.map = ImmutableMap.of();
        }

        private CompositeTreePermission(@Nonnull ImmutableTree immutableTree, @Nonnull CompositeTreePermission compositeTreePermission) {
            this.tree = immutableTree;
            this.map = new LinkedHashMap(CompositePermissionProvider.this.pps.size());
            for (AggregatedPermissionProvider aggregatedPermissionProvider : CompositePermissionProvider.this.pps) {
                this.map.put(aggregatedPermissionProvider, aggregatedPermissionProvider.getTreePermission(immutableTree, getParentPermission(compositeTreePermission, aggregatedPermissionProvider)));
            }
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission
        @Nonnull
        public TreePermission getChildPermission(@Nonnull String str, @Nonnull NodeState nodeState) {
            return new CompositeTreePermission(new ImmutableTree(this.tree, str, nodeState), this);
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission
        public boolean canRead() {
            if (this.canRead == null) {
                boolean z = false;
                for (Map.Entry<AggregatedPermissionProvider, TreePermission> entry : this.map.entrySet()) {
                    TreePermission value = entry.getValue();
                    if (CompositePermissionProvider.doEvaluate(entry.getKey().supportedPermissions(value, 1L))) {
                        z = value.canRead();
                        if (!z) {
                            break;
                        }
                    }
                }
                this.canRead = Boolean.valueOf(z);
            }
            return this.canRead.booleanValue();
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission
        public boolean canRead(@Nonnull PropertyState propertyState) {
            boolean z = false;
            for (Map.Entry<AggregatedPermissionProvider, TreePermission> entry : this.map.entrySet()) {
                TreePermission value = entry.getValue();
                if (CompositePermissionProvider.doEvaluate(entry.getKey().supportedPermissions(value, 2L))) {
                    z = value.canRead(propertyState);
                    if (!z) {
                        break;
                    }
                }
            }
            return z;
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission
        public boolean canReadAll() {
            return false;
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission
        public boolean canReadProperties() {
            return false;
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission
        public boolean isGranted(long j) {
            return grantsPermission(j, null);
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission
        public boolean isGranted(long j, @Nonnull PropertyState propertyState) {
            return grantsPermission(j, propertyState);
        }

        private boolean grantsPermission(long j, @Nullable PropertyState propertyState) {
            boolean z = false;
            long j2 = 0;
            for (Map.Entry<AggregatedPermissionProvider, TreePermission> entry : this.map.entrySet()) {
                long supportedPermissions = entry.getKey().supportedPermissions(this.tree, propertyState, j);
                if (CompositePermissionProvider.doEvaluate(supportedPermissions)) {
                    TreePermission value = entry.getValue();
                    z = propertyState == null ? value.isGranted(supportedPermissions) : value.isGranted(supportedPermissions, propertyState);
                    j2 |= supportedPermissions;
                    if (!z) {
                        return false;
                    }
                }
            }
            return z && j2 == j;
        }

        @Nonnull
        private TreePermission getParentPermission(@Nonnull CompositeTreePermission compositeTreePermission, @Nonnull AggregatedPermissionProvider aggregatedPermissionProvider) {
            TreePermission treePermission = compositeTreePermission.map.get(aggregatedPermissionProvider);
            return treePermission == null ? TreePermission.EMPTY : treePermission;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public CompositePermissionProvider(@Nonnull Root root, @Nonnull List<AggregatedPermissionProvider> list, @Nonnull Context context) {
        this.root = root;
        this.pps = list;
        this.ctx = context;
        this.immutableRoot = RootFactory.createReadOnlyRoot(root);
        this.privilegeBitsProvider = new PrivilegeBitsProvider(this.immutableRoot);
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider
    public void refresh() {
        this.immutableRoot = RootFactory.createReadOnlyRoot(this.root);
        this.privilegeBitsProvider = new PrivilegeBitsProvider(this.immutableRoot);
        Iterator<AggregatedPermissionProvider> it = this.pps.iterator();
        while (it.hasNext()) {
            it.next().refresh();
        }
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider
    @Nonnull
    public Set<String> getPrivileges(@Nullable Tree tree) {
        Tree immutableTree = PermissionUtil.getImmutableTree(tree, this.immutableRoot);
        PrivilegeBits privilegeBits = PrivilegeBits.getInstance();
        PrivilegeBits privilegeBits2 = PrivilegeBits.getInstance();
        for (AggregatedPermissionProvider aggregatedPermissionProvider : this.pps) {
            PrivilegeBits modifiable = aggregatedPermissionProvider.supportedPrivileges(immutableTree, null).modifiable();
            if (doEvaluate(modifiable)) {
                PrivilegeBits bits = this.privilegeBitsProvider.getBits(aggregatedPermissionProvider.getPrivileges(immutableTree));
                if (!bits.isEmpty()) {
                    privilegeBits.add(bits);
                }
                privilegeBits2.add(modifiable.diff(bits));
            }
        }
        if (!privilegeBits2.isEmpty()) {
            privilegeBits.diff(privilegeBits2);
        }
        return this.privilegeBitsProvider.getPrivilegeNames(privilegeBits);
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider
    public boolean hasPrivileges(@Nullable Tree tree, @Nonnull String... strArr) {
        Tree immutableTree = PermissionUtil.getImmutableTree(tree, this.immutableRoot);
        PrivilegeBits bits = this.privilegeBitsProvider.getBits(strArr);
        if (bits.isEmpty()) {
            return true;
        }
        boolean z = false;
        PrivilegeBits privilegeBits = PrivilegeBits.getInstance();
        for (AggregatedPermissionProvider aggregatedPermissionProvider : this.pps) {
            PrivilegeBits supportedPrivileges = aggregatedPermissionProvider.supportedPrivileges(immutableTree, bits);
            if (doEvaluate(supportedPrivileges)) {
                Set<String> privilegeNames = this.privilegeBitsProvider.getPrivilegeNames(supportedPrivileges);
                z = aggregatedPermissionProvider.hasPrivileges(immutableTree, (String[]) privilegeNames.toArray(new String[privilegeNames.size()]));
                privilegeBits.add(supportedPrivileges);
                if (!z) {
                    break;
                }
            }
        }
        return z && privilegeBits.includes(bits);
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider
    @Nonnull
    public RepositoryPermission getRepositoryPermission() {
        return this.repositoryPermission;
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider
    @Nonnull
    public TreePermission getTreePermission(@Nonnull Tree tree, @Nonnull TreePermission treePermission) {
        ImmutableTree immutableTree = (ImmutableTree) PermissionUtil.getImmutableTree(tree, this.immutableRoot);
        if (tree.isRoot()) {
            return new CompositeTreePermission(immutableTree, new CompositeTreePermission());
        }
        if (treePermission instanceof CompositeTreePermission) {
            return new CompositeTreePermission(immutableTree, (CompositeTreePermission) treePermission);
        }
        throw new IllegalArgumentException("Illegal parent permission instance. Expected CompositeTreePermission.");
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider
    public boolean isGranted(@Nonnull Tree tree, @Nullable PropertyState propertyState, long j) {
        Tree immutableTree = PermissionUtil.getImmutableTree(tree, this.immutableRoot);
        boolean z = false;
        long j2 = 0;
        for (AggregatedPermissionProvider aggregatedPermissionProvider : this.pps) {
            long supportedPermissions = aggregatedPermissionProvider.supportedPermissions(immutableTree, propertyState, j);
            if (doEvaluate(supportedPermissions)) {
                z = aggregatedPermissionProvider.isGranted(immutableTree, propertyState, supportedPermissions);
                j2 |= supportedPermissions;
                if (!z) {
                    break;
                }
            }
        }
        return z && j2 == j;
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider
    public boolean isGranted(@Nonnull String str, @Nonnull String str2) {
        TreeLocation create = TreeLocation.create(this.immutableRoot, str);
        long permissions = Permissions.getPermissions(str2, create, this.ctx.definesLocation(create));
        PropertyState property = create.getProperty();
        Tree tree = property == null ? create.getTree() : create.getParent().getTree();
        if (tree != null) {
            return isGranted(tree, property, permissions);
        }
        boolean z = false;
        long j = 0;
        for (AggregatedPermissionProvider aggregatedPermissionProvider : this.pps) {
            long supportedPermissions = aggregatedPermissionProvider.supportedPermissions(create, permissions);
            if (doEvaluate(supportedPermissions)) {
                z = aggregatedPermissionProvider.isGranted(create, supportedPermissions);
                j |= supportedPermissions;
                if (!z) {
                    break;
                }
            }
        }
        return z && j == permissions;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static boolean doEvaluate(long j) {
        return j != 0;
    }

    private static boolean doEvaluate(PrivilegeBits privilegeBits) {
        return !privilegeBits.isEmpty();
    }
}
