package org.apache.jackrabbit.oak.security.user;

import java.security.Principal;
import java.util.Collections;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import javax.jcr.AccessDeniedException;
import org.apache.commons.lang3.StringUtils;
import org.apache.jackrabbit.guava.common.collect.Iterables;
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.commons.LongUtils;
import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
import org.apache.jackrabbit.oak.spi.commit.CommitInfo;
import org.apache.jackrabbit.oak.spi.security.user.AuthorizableType;
import org.apache.jackrabbit.oak.spi.security.user.UserConfiguration;
import org.apache.jackrabbit.oak.spi.security.user.cache.CacheConstants;
import org.apache.jackrabbit.oak.spi.security.user.cache.CacheLoader;
import org.apache.jackrabbit.oak.spi.security.user.cache.CachePrincipalFactory;
import org.apache.jackrabbit.oak.spi.security.user.cache.CachedMembershipReader;
import org.apache.jackrabbit.oak.spi.security.user.util.UserUtil;
import org.apache.jackrabbit.util.Text;
import org.jetbrains.annotations.NotNull;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/jackrabbit/oak/security/user/CachedPrincipalMembershipReader.class */
class CachedPrincipalMembershipReader implements CachedMembershipReader {
    private static final int MAX_CACHE_TRACKING_ENTRIES = 100;
    private final CachePrincipalFactory principalFactory;
    private final UserConfiguration config;
    private final Root root;
    private final long expiration;
    private final long maxStale;
    private final String propertyName;
    private final int membershipThreshold;
    private final String expirationPropertyName;
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) CachedPrincipalMembershipReader.class);
    private static final Map<UserConfiguration, Map<String, Long>> CACHE_UPDATES = new ConcurrentHashMap();

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/apache/jackrabbit/oak/security/user/CachedPrincipalMembershipReader$CommitMarker.class */
    public static final class CommitMarker {
        private static final String KEY = CommitMarker.class.getName();
        private static final CommitMarker INSTANCE = new CommitMarker();

        /* JADX INFO: Access modifiers changed from: package-private */
        public static boolean isValidCommitInfo(@NotNull CommitInfo commitInfo) {
            return INSTANCE == commitInfo.getInfo().get(KEY);
        }

        private CommitMarker() {
        }

        static Map<String, Object> asCommitAttributes() {
            return Collections.singletonMap(KEY, INSTANCE);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public CachedPrincipalMembershipReader(@NotNull CacheConfiguration cacheConfiguration, @NotNull Root root, @NotNull CachePrincipalFactory cachePrincipalFactory) {
        this.expiration = cacheConfiguration.getExpiration();
        this.maxStale = cacheConfiguration.getMaxStale();
        this.propertyName = cacheConfiguration.getPropertyName();
        this.expirationPropertyName = cacheConfiguration.getExpirationPropertyName();
        this.config = cacheConfiguration.getUserConfiguration();
        this.membershipThreshold = cacheConfiguration.getMembershipThreshold();
        this.root = root;
        this.principalFactory = cachePrincipalFactory;
    }

    @Override // org.apache.jackrabbit.oak.spi.security.user.cache.CachedMembershipReader
    public Set<Principal> readMembership(@NotNull Tree tree, CacheLoader cacheLoader) {
        return UserUtil.isType(tree, AuthorizableType.USER) ? readGroupsFromCache(tree, cacheLoader) : cacheLoader.load(tree);
    }

    private Set<Principal> readGroupsFromCache(@NotNull Tree tree, CacheLoader cacheLoader) {
        boolean z;
        Set<Principal> emptySet = Collections.emptySet();
        String path = tree.getPath();
        Tree child = tree.getChild(CacheConstants.REP_CACHE);
        long readExpirationTime = readExpirationTime(child);
        long currentTimeMillis = System.currentTimeMillis();
        if (isValidCache(readExpirationTime, currentTimeMillis) && hasPropertyCached(child)) {
            LOG.debug("Reading membership from cache for '{}'", path);
            return serveGroupsFromCache(child);
        }
        Map<String, Long> cacheUpdateMap = getCacheUpdateMap();
        long id = Thread.currentThread().getId();
        try {
            try {
                synchronized (cacheUpdateMap) {
                    z = cacheUpdateMap.computeIfAbsent(path, str -> {
                        return Long.valueOf(id);
                    }).longValue() == id;
                }
                if (z) {
                    emptySet = cacheLoader.load(tree);
                    writeGroupsToCache(tree, emptySet);
                } else if (canServeStaleCache(readExpirationTime, currentTimeMillis) && hasCacheValues(child)) {
                    LOG.debug("Another thread is updating the cache, returning a stale cache for '{}'.", path);
                    emptySet = serveGroupsFromCache(child);
                } else {
                    LOG.debug("This thread is not allowed to serve a stale cache; reading from provider without caching.");
                    emptySet = cacheLoader.load(tree);
                }
                synchronized (cacheUpdateMap) {
                    cacheUpdateMap.remove(path, Long.valueOf(id));
                }
            } catch (AccessDeniedException | CommitFailedException e) {
                LOG.debug("Failed to cache membership: {}", e.getMessage());
                synchronized (cacheUpdateMap) {
                    cacheUpdateMap.remove(path, Long.valueOf(id));
                }
            }
            return emptySet;
        } catch (Throwable th) {
            synchronized (cacheUpdateMap) {
                cacheUpdateMap.remove(path, Long.valueOf(id));
                throw th;
            }
        }
    }

    private long readExpirationTime(@NotNull Tree tree) {
        if (tree.exists() && tree.hasProperty(this.expirationPropertyName)) {
            return TreeUtil.getLong(tree, this.expirationPropertyName, 0L);
        }
        return 0L;
    }

    private static boolean isValidCache(long j, long j2) {
        return j > 0 && j2 < j;
    }

    private boolean canServeStaleCache(long j, long j2) {
        return j2 - j < this.maxStale;
    }

    private boolean hasPropertyCached(Tree tree) {
        return tree.hasProperty(this.propertyName);
    }

    private boolean hasCacheValues(@NotNull Tree tree) {
        return tree.hasProperty(this.propertyName) && !StringUtils.isEmpty(TreeUtil.getString(tree, this.propertyName));
    }

    private Set<Principal> serveGroupsFromCache(@NotNull Tree tree) {
        String string = TreeUtil.getString(tree, this.propertyName, "");
        HashSet hashSet = new HashSet();
        for (String str : Text.explode(string, 44)) {
            hashSet.add(this.principalFactory.create(Text.unescape(str)));
        }
        return hashSet;
    }

    private void writeGroupsToCache(@NotNull Tree tree, @NotNull Set<Principal> set) throws AccessDeniedException, CommitFailedException {
        try {
            this.root.refresh();
            Tree child = tree.getChild(CacheConstants.REP_CACHE);
            String path = tree.getPath();
            if (!child.exists()) {
                if (set.size() < this.membershipThreshold) {
                    LOG.debug("Omit cache creation for user without membership at {}", path);
                    this.root.refresh();
                    return;
                } else {
                    LOG.debug("Attempting to create new membership cache at {}", path);
                    child = TreeUtil.addChild(tree, CacheConstants.REP_CACHE, CacheConstants.NT_REP_CACHE);
                }
            }
            child.setProperty(this.expirationPropertyName, Long.valueOf(LongUtils.calculateExpirationTime(this.expiration)));
            child.setProperty(this.propertyName, set.isEmpty() ? "" : String.join(",", (Iterable<? extends CharSequence>) Iterables.transform(set, principal -> {
                return Text.escape(principal.getName());
            })));
            this.root.commit(CommitMarker.asCommitAttributes());
            LOG.debug("Cached membership property '{}' at {}", this.propertyName, path);
            this.root.refresh();
        } catch (Throwable th) {
            this.root.refresh();
            throw th;
        }
    }

    @NotNull
    private Map<String, Long> getCacheUpdateMap() {
        return CACHE_UPDATES.computeIfAbsent(this.config, userConfiguration -> {
            return new LinkedHashMap<String, Long>() { // from class: org.apache.jackrabbit.oak.security.user.CachedPrincipalMembershipReader.1
                @Override // java.util.LinkedHashMap
                protected boolean removeEldestEntry(@NotNull Map.Entry<String, Long> entry) {
                    return size() > 100;
                }
            };
        });
    }
}
