package org.apache.jackrabbit.oak.spi.security.authorization.cug.impl;

import com.google.common.collect.ImmutableList;
import java.io.IOException;
import java.io.InputStream;
import java.security.Principal;
import java.security.PrivilegedActionException;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.jcr.RepositoryException;
import javax.jcr.security.AccessControlManager;
import org.apache.felix.scr.annotations.Activate;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.ConfigurationPolicy;
import org.apache.felix.scr.annotations.Properties;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.ReferenceCardinality;
import org.apache.felix.scr.annotations.Service;
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.plugins.memory.MemoryNodeStore;
import org.apache.jackrabbit.oak.plugins.name.NamespaceEditorProvider;
import org.apache.jackrabbit.oak.plugins.nodetype.NodeTypeConstants;
import org.apache.jackrabbit.oak.plugins.nodetype.ReadOnlyNodeTypeManager;
import org.apache.jackrabbit.oak.plugins.nodetype.TypeEditorProvider;
import org.apache.jackrabbit.oak.plugins.nodetype.write.NodeTypeRegistry;
import org.apache.jackrabbit.oak.plugins.tree.RootFactory;
import org.apache.jackrabbit.oak.spi.commit.CommitHook;
import org.apache.jackrabbit.oak.spi.commit.CompositeEditorProvider;
import org.apache.jackrabbit.oak.spi.commit.EditorHook;
import org.apache.jackrabbit.oak.spi.commit.MoveTracker;
import org.apache.jackrabbit.oak.spi.commit.ValidatorProvider;
import org.apache.jackrabbit.oak.spi.lifecycle.RepositoryInitializer;
import org.apache.jackrabbit.oak.spi.security.CompositeConfiguration;
import org.apache.jackrabbit.oak.spi.security.ConfigurationBase;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.Context;
import org.apache.jackrabbit.oak.spi.security.SecurityConfiguration;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.authorization.cug.CugExclude;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.EmptyPermissionProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
import org.apache.jackrabbit.oak.spi.state.ApplyDiff;
import org.apache.jackrabbit.oak.spi.state.NodeBuilder;
import org.apache.jackrabbit.oak.spi.state.NodeState;
import org.apache.jackrabbit.oak.spi.xml.ProtectedItemImporter;

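/**
 * Authorization configuration that sets up and evaluates 'Closed User Group'
 * (CUG) policies.
 *
 * <p>Security-relevant behaviour visible in this class:</p>
 * <ul>
 *   <li>CUG evaluation is off unless {@link CugConstants#PARAM_CUG_ENABLED} is
 *       set to {@code true}; both the OSGi property default and the fallback
 *       used in {@link #getPermissionProvider} are {@code false}. The commit
 *       hook, validator and importer are returned regardless of that flag, so
 *       CUG policies may be present in content while not being evaluated.</li>
 *   <li>Evaluation is limited to {@link CugConstants#PARAM_CUG_SUPPORTED_PATHS};
 *       an empty set disables evaluation in the same way as the flag.</li>
 *   <li>Principal sets accepted by the bound {@link CugExclude} bypass CUG
 *       evaluation entirely, so the choice of {@code CugExclude} implementation
 *       decides who is exempt from CUG restrictions.</li>
 * </ul>
 *
 * <p>The component uses {@link ConfigurationPolicy#REQUIRE}, i.e. it is only
 * activated when an OSGi configuration is supplied.</p>
 */
@Service({AuthorizationConfiguration.class, SecurityConfiguration.class})
@Component(
        metatype = true,
        label = "Apache Jackrabbit Oak CUG Configuration",
        description = "Authorization configuration dedicated to setup and evaluate 'Closed User Group' permissions.",
        policy = ConfigurationPolicy.REQUIRE)
@Properties({
        @Property(
                name = CugConstants.PARAM_CUG_SUPPORTED_PATHS,
                label = "Supported Paths",
                description = "Paths under which CUGs can be created and will be evaluated.",
                cardinality = Integer.MAX_VALUE),
        @Property(
                name = CugConstants.PARAM_CUG_ENABLED,
                label = "CUG Evaluation Enabled",
                description = "Flag to enable the evaluation of the configured CUG policies.",
                boolValue = {false}),
        @Property(
                name = CompositeConfiguration.PARAM_RANKING,
                label = "Ranking",
                description = "Ranking of this configuration in a setup with multiple authorization configurations.",
                intValue = {200})
})
public class CugConfiguration extends ConfigurationBase implements AuthorizationConfiguration, CugConstants {

    /**
     * Decides which principal sets are exempt from CUG evaluation. Assigned
     * and cleared through {@link #bindExclude} / {@link #unbindExclude}.
     */
    @Reference(cardinality = ReferenceCardinality.MANDATORY_UNARY)
    private CugExclude exclude;

    /** No-argument constructor; parameters are supplied later via {@link #activate}. */
    public CugConfiguration() {
    }

    /**
     * Creates a configuration that takes its parameters from the authorization
     * section of the given security provider.
     *
     * @param securityProvider provider whose {@link AuthorizationConfiguration#NAME}
     *                         parameters are used
     */
    public CugConfiguration(@Nonnull SecurityProvider securityProvider) {
        super(securityProvider, securityProvider.getParameters(AuthorizationConfiguration.NAME));
    }

    /**
     * Returns a new {@link CugAccessControlManager} bound to the given root.
     *
     * @param root           root the manager operates on
     * @param namePathMapper mapper handed to the manager
     * @return a new access control manager instance
     */
    @Override
    @Nonnull
    public AccessControlManager getAccessControlManager(@Nonnull Root root, @Nonnull NamePathMapper namePathMapper) {
        return new CugAccessControlManager(root, namePathMapper, getSecurityProvider());
    }

    /**
     * Returns {@link RestrictionProvider#EMPTY}; this configuration does not
     * contribute restrictions.
     */
    @Override
    @Nonnull
    public RestrictionProvider getRestrictionProvider() {
        return RestrictionProvider.EMPTY;
    }

    /**
     * Returns the permission provider used to evaluate CUG policies.
     *
     * <p>An {@link EmptyPermissionProvider} is returned, meaning no CUG
     * evaluation takes place in this configuration, when any of the following
     * holds: evaluation is not enabled, no supported paths are configured, or
     * the principal set is excluded by the {@link CugExclude} in effect.</p>
     *
     * @param root          root the provider operates on
     * @param workspaceName workspace name passed on to the provider
     * @param principals    principals whose permissions are evaluated
     * @return a {@link CugPermissionProvider}, or the empty provider as described above
     */
    @Override
    @Nonnull
    public PermissionProvider getPermissionProvider(@Nonnull Root root, @Nonnull String workspaceName, @Nonnull Set<Principal> principals) {
        ConfigurationParameters parameters = getParameters();
        // Defaults to false: without explicit configuration CUG policies are not enforced.
        boolean enabled = parameters.getConfigValue(CugConstants.PARAM_CUG_ENABLED, false);
        Set<String> supportedPaths = parameters.getConfigValue(CugConstants.PARAM_CUG_SUPPORTED_PATHS, Collections.<String>emptySet());

        // Every branch below switches CUG evaluation off for the caller; the
        // exclusion check in particular is an intentional bypass for the
        // principals accepted by the CugExclude implementation.
        if (!enabled || supportedPaths.isEmpty() || getExclude().isExcluded(principals)) {
            return EmptyPermissionProvider.getInstance();
        }

        Context authorizationContext = getSecurityProvider().getConfiguration(AuthorizationConfiguration.class).getContext();
        return new CugPermissionProvider(root, workspaceName, principals, supportedPaths, authorizationContext);
    }

    /** Returns {@link AuthorizationConfiguration#NAME}. */
    @Override
    @Nonnull
    public String getName() {
        return AuthorizationConfiguration.NAME;
    }

    /**
     * Returns an initializer that registers the CUG node types if they are
     * missing.
     *
     * <p>The registration runs against a {@link MemoryNodeStore} seeded with
     * the builder's current state, using a system root; the resulting changes
     * are applied to the builder only if node types were actually registered.</p>
     */
    @Override
    @Nonnull
    public RepositoryInitializer getRepositoryInitializer() {
        return new RepositoryInitializer() {
            @Override
            public void initialize(@Nonnull NodeBuilder nodeBuilder) {
                NodeState base = nodeBuilder.getNodeState();
                MemoryNodeStore store = new MemoryNodeStore(base);
                EditorHook hook = new EditorHook(
                        new CompositeEditorProvider(new NamespaceEditorProvider(), new TypeEditorProvider()));
                Root systemRoot = RootFactory.createSystemRoot(store, hook, null, null, null, null);
                if (registerCugNodeTypes(systemRoot)) {
                    // Copy the node type changes made in the temporary store back into the builder.
                    store.getRoot().compareAgainstBaseState(base, new ApplyDiff(nodeBuilder));
                }
            }
        };
    }

    /**
     * Returns a single {@link NestedCugHook}.
     *
     * @param workspaceName workspace name (not used here)
     */
    @Override
    @Nonnull
    public List<? extends CommitHook> getCommitHooks(@Nonnull String workspaceName) {
        return Collections.singletonList(new NestedCugHook());
    }

    /**
     * Returns a single {@link CugValidatorProvider}. None of the arguments is
     * used to select or configure the validator.
     */
    @Override
    @Nonnull
    public List<? extends ValidatorProvider> getValidators(@Nonnull String workspaceName, @Nonnull Set<Principal> principals, @Nonnull MoveTracker moveTracker) {
        return ImmutableList.of(new CugValidatorProvider());
    }

    /** Returns a single {@link CugImporter}. */
    @Override
    @Nonnull
    public List<ProtectedItemImporter> getProtectedItemImporters() {
        return Collections.singletonList(new CugImporter());
    }

    /** Returns {@link CugContext#INSTANCE}. */
    @Override
    @Nonnull
    public Context getContext() {
        return CugContext.INSTANCE;
    }

    /**
     * Replaces this configuration's parameters with the supplied properties.
     *
     * @param map component configuration properties
     */
    @Activate
    protected void activate(Map<String, Object> map) throws IOException, CommitFailedException, PrivilegedActionException, RepositoryException {
        setParameters(ConfigurationParameters.of(map));
    }

    /**
     * Sets the {@link CugExclude} consulted by {@link #getPermissionProvider}.
     *
     * @param cugExclude implementation deciding which principals bypass CUG evaluation
     */
    public void bindExclude(CugExclude cugExclude) {
        this.exclude = cugExclude;
    }

    /**
     * Clears the bound {@link CugExclude}; the argument is ignored.
     *
     * @param cugExclude the implementation being unbound
     */
    public void unbindExclude(CugExclude cugExclude) {
        this.exclude = null;
    }

    /**
     * Returns the bound {@link CugExclude}, or a new {@link CugExclude.Default}
     * when none is bound.
     */
    @Nonnull
    private CugExclude getExclude() {
        // Read the field once: a concurrent unbindExclude() between a null check
        // and a second read could otherwise make this @Nonnull method return null.
        CugExclude current = this.exclude;
        return (current == null) ? new CugExclude.Default() : current;
    }

    /**
     * Registers the node types defined in {@code cug_nodetypes.cnd} unless
     * {@link CugConstants#NT_REP_CUG_POLICY} is already known.
     *
     * @param root root used both to look up existing node types and to register the new ones
     * @return {@code true} if the node types were registered, {@code false} if
     *         they were already present
     * @throws IllegalStateException if the definition resource is missing or
     *                               cannot be read, or if registration fails
     */
    static boolean registerCugNodeTypes(@Nonnull final Root root) {
        try {
            ReadOnlyNodeTypeManager nodeTypeManager = new ReadOnlyNodeTypeManager() {
                @Override
                protected Tree getTypes() {
                    return root.getTree(NodeTypeConstants.NODE_TYPES_PATH);
                }
            };
            if (nodeTypeManager.hasNodeType(CugConstants.NT_REP_CUG_POLICY)) {
                return false;
            }
            try (InputStream definitions = CugConfiguration.class.getResourceAsStream("cug_nodetypes.cnd")) {
                // getResourceAsStream returns null for a missing resource; report
                // that explicitly instead of failing later with a NullPointerException.
                if (definitions == null) {
                    throw new IllegalStateException("Unable to read cug node types");
                }
                NodeTypeRegistry.register(root, definitions, "cug node types");
                return true;
            }
        } catch (IOException | RepositoryException e) {
            throw new IllegalStateException("Unable to read cug node types", e);
        }
    }
}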
