package org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl;

import com.google.common.base.Predicate;
import com.google.common.base.Predicates;
import java.util.Iterator;
import java.util.Set;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.plugins.tree.ReadOnly;
import org.apache.jackrabbit.oak.plugins.tree.TreeLocation;
import org.apache.jackrabbit.oak.plugins.tree.TreeType;
import org.apache.jackrabbit.oak.plugins.tree.TreeTypeProvider;
import org.apache.jackrabbit.oak.plugins.version.ReadOnlyVersionManager;
import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregatedPermissionProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.RepositoryPermission;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
import org.apache.jackrabbit.oak.spi.state.NodeState;
import org.apache.jackrabbit.oak.spi.state.NodeStateUtils;
import org.apache.jackrabbit.oak.spi.version.VersionConstants;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:default/org.apache.sling.kickstart.far:org/apache/jackrabbit/oak-authorization-principalbased/1.32.0/oak-authorization-principalbased-1.32.0.jar:org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedPermissionProvider.class */
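/**
 * Permission provider that evaluates access from the permission entries the {@link EntryCache}
 * supplies for a fixed set of principal paths, plus a configured set of always-readable paths.
 *
 * <p>Evaluation rules visible in this class:
 * <ul>
 *   <li>Every matching entry's privilege bits are added to the granted set; no deny handling is
 *       visible here.</li>
 *   <li>{@code HIDDEN} trees are always granted, {@code INTERNAL} trees are always denied.</li>
 *   <li>Trees in the version store are evaluated against their versionable node; when that node
 *       cannot be resolved, access is denied.</li>
 *   <li>Access-control content additionally requires {@code MODIFY_ACCESS_CONTROL} on the entry's
 *       effective path when that permission is requested.</li>
 * </ul>
 *
 * <p>{@code immutableRoot}, {@code entryCache}, {@code readablePaths} and
 * {@code repositoryPermission} are reassigned without any synchronization in this class, so nothing
 * here makes an instance safe to share between threads.
 *
 * <p>NOTE(review): this listing is decompiler output; the nested classes and some members were
 * widened to {@code public} by the decompiler and are left as found.
 */
public class PrincipalBasedPermissionProvider implements AggregatedPermissionProvider, Constants {
    private static final Logger log = LoggerFactory.getLogger(PrincipalBasedPermissionProvider.class);
    private final Root root;
    private final String workspaceName;
    private final Iterable<String> principalPaths;
    private final MgrProvider mgrProvider;
    private final TreeTypeProvider typeProvider;
    private final PrivilegeBits modAcBits;
    private Root immutableRoot;
    private RepositoryPermissionImpl repositoryPermission;
    private EntryCache entryCache;
    private ReadablePaths readablePaths;

    /**
     * Snapshot of the configured "readable paths": paths at or below which read access is granted
     * without consulting any permission entry.
     */
    public static final class ReadablePaths {
        private final String[] paths;
        private final String[] substrPaths;
        private final PrivilegeBits readBits;

        /**
         * Reads {@code PARAM_READ_PATHS} from the authorization configuration (falling back to
         * {@code DEFAULT_READ_PATHS}) and precomputes the descendant prefixes.
         *
         * @param mgrProvider source of the security provider and the privilege bits provider
         */
        private ReadablePaths(@NotNull MgrProvider mgrProvider) {
            Set<String> configured = mgrProvider.getSecurityProvider().getParameters(AuthorizationConfiguration.NAME).getConfigValue(PermissionConstants.PARAM_READ_PATHS, PermissionConstants.DEFAULT_READ_PATHS);
            this.paths = configured.toArray(new String[0]);
            this.substrPaths = new String[this.paths.length];
            for (int i = 0; i < this.paths.length; i++) {
                // The trailing '/' keeps "/a/bc" from matching the configured path "/a/b".
                this.substrPaths[i] = this.paths[i] + '/';
            }
            this.readBits = mgrProvider.getPrivilegeBitsProvider().getBits(PrivilegeConstants.JCR_READ);
        }

        /**
         * Tells whether {@code str} is a configured readable path or lies below one.
         *
         * <p>The comparison is purely textual; no path normalization happens here.
         *
         * @param str path to test
         * @return {@code true} if the path equals a configured path or starts with one followed by '/'
         */
        public boolean isReadable(@NotNull String str) {
            for (String exact : this.paths) {
                if (str.equals(exact)) {
                    return true;
                }
            }
            for (String prefix : this.substrPaths) {
                if (str.startsWith(prefix)) {
                    return true;
                }
            }
            return false;
        }
    }

    /** Tree permission for trees evaluated at their own path; bound to the enclosing provider. */
    public final class RegularTreePermission extends AbstractTreePermission {
        RegularTreePermission(@NotNull Tree tree, @NotNull TreeType treeType) {
            super(tree, treeType);
        }

        @Override
        PrincipalBasedPermissionProvider getPermissionProvider() {
            return PrincipalBasedPermissionProvider.this;
        }
    }

    /**
     * Repository-level permissions, computed lazily from the entries at the empty path and cached
     * until {@link #refresh()}.
     */
    public final class RepositoryPermissionImpl implements RepositoryPermission {
        // -1 marks "not computed yet"; reset by refresh().
        private long grantedPermissions;

        private RepositoryPermissionImpl() {
            this.grantedPermissions = -1L;
        }

        @Override
        public boolean isGranted(long j) {
            return Permissions.includes(getGranted(), j);
        }

        /** Computes the granted repository-level permissions on first use and caches them. */
        private long getGranted() {
            if (this.grantedPermissions == -1) {
                this.grantedPermissions = PrivilegeBits.calculatePermissions(PrincipalBasedPermissionProvider.this.getGrantedPrivilegeBits("", EntryPredicate.create(null)), PrivilegeBits.EMPTY, true);
            }
            return this.grantedPermissions;
        }

        /** Drops the cached value so the next check re-evaluates the current entries. */
        public void refresh() {
            this.grantedPermissions = -1L;
        }
    }

    /**
     * Tree permission for a tree in the version store. Checks are evaluated against the tree handed
     * to the superclass (the versionable tree); {@code versionTree} tracks the position inside the
     * version store while descending.
     */
    public final class VersionTreePermission extends AbstractTreePermission implements VersionConstants {
        private final Tree versionTree;

        VersionTreePermission(@NotNull Tree tree, @NotNull Tree tree2) {
            super(tree2, TreeType.VERSION);
            this.versionTree = tree;
        }

        @Override
        PrincipalBasedPermissionProvider getPermissionProvider() {
            return PrincipalBasedPermissionProvider.this;
        }

        /**
         * Descends one level in the version store.
         *
         * <p>For children named in {@code VERSION_NODE_NAMES} or typed {@code nt:version} the
         * evaluated tree stays the same; for any other child it moves to the equally named child
         * of the evaluated tree.
         *
         * @param str name of the child
         * @param nodeState state of the child
         * @return the permission for the child
         */
        @Override
        @NotNull
        public TreePermission getChildPermission(@NotNull String str, @NotNull NodeState nodeState) {
            Tree childVersionTree = PrincipalBasedPermissionProvider.this.mgrProvider.getTreeProvider().createReadOnlyTree(this.versionTree, str, nodeState);
            boolean sameEvaluatedTree = VERSION_NODE_NAMES.contains(str) || "nt:version".equals(NodeStateUtils.getPrimaryTypeName(nodeState));
            Tree evaluated = sameEvaluatedTree ? getTree() : getTree().getChild(str);
            return new VersionTreePermission(childVersionTree, evaluated);
        }
    }

    /**
     * Creates a provider bound to a read-only view of {@code root}.
     *
     * @param root the root whose content is evaluated; a read-only root is derived from it
     * @param str workspace name, used when resolving versionable nodes
     * @param iterable principal paths handed to the {@link EntryCache}
     * @param principalBasedAuthorizationConfiguration configuration supplying root, tree,
     *        restriction and privilege providers
     */
    public PrincipalBasedPermissionProvider(@NotNull Root root, @NotNull String str, @NotNull Iterable<String> iterable, @NotNull PrincipalBasedAuthorizationConfiguration principalBasedAuthorizationConfiguration) {
        this.root = root;
        this.workspaceName = str;
        this.principalPaths = iterable;
        this.immutableRoot = principalBasedAuthorizationConfiguration.getRootProvider().createReadOnlyRoot(root);
        this.mgrProvider = new MgrProviderImpl(principalBasedAuthorizationConfiguration, this.immutableRoot, NamePathMapper.DEFAULT);
        this.typeProvider = new TreeTypeProvider(this.mgrProvider.getContext());
        this.modAcBits = this.mgrProvider.getPrivilegeBitsProvider().getBits(PrivilegeConstants.JCR_MODIFY_ACCESS_CONTROL);
        this.entryCache = new EntryCache(this.immutableRoot, iterable, this.mgrProvider.getRestrictionProvider());
        this.readablePaths = new ReadablePaths(this.mgrProvider);
    }

    /**
     * Rebuilds every piece of derived state from the current {@code root}: the read-only root, the
     * entry cache, the cached repository permissions and the readable-path snapshot.
     */
    @Override
    public void refresh() {
        this.immutableRoot = this.mgrProvider.getRootProvider().createReadOnlyRoot(this.root);
        this.mgrProvider.reset(this.immutableRoot, NamePathMapper.DEFAULT);
        this.entryCache = new EntryCache(this.immutableRoot, this.principalPaths, this.mgrProvider.getRestrictionProvider());
        if (this.repositoryPermission != null) {
            this.repositoryPermission.refresh();
        }
        this.readablePaths = new ReadablePaths(this.mgrProvider);
    }

    /**
     * @param tree target tree, or {@code null} for the repository level
     * @return names of the privileges granted at {@code tree}
     */
    @Override
    @NotNull
    public Set<String> getPrivileges(@Nullable Tree tree) {
        return this.mgrProvider.getPrivilegeBitsProvider().getPrivilegeNames(getGrantedPrivilegeBits(tree));
    }

    /**
     * @param tree target tree, or {@code null} for the repository level
     * @param strArr privilege names that must all be granted
     * @return {@code true} if the granted privilege bits include all requested ones
     */
    @Override
    public boolean hasPrivileges(@Nullable Tree tree, @NotNull String... strArr) {
        return getGrantedPrivilegeBits(tree).includes(this.mgrProvider.getPrivilegeBitsProvider().getBits(strArr));
    }

    /** Returns the lazily created repository-level permission object. */
    @Override
    @NotNull
    public RepositoryPermission getRepositoryPermission() {
        if (this.repositoryPermission == null) {
            this.repositoryPermission = new RepositoryPermissionImpl();
        }
        return this.repositoryPermission;
    }

    /**
     * Resolves the tree type from the parent permission (or from the parent tree when the parent
     * permission is of a foreign type) and delegates to the typed overload.
     *
     * @param tree the tree to evaluate
     * @param treePermission permission of the parent tree
     * @return the permission for {@code tree}
     */
    @Override
    @NotNull
    public TreePermission getTreePermission(@NotNull Tree tree, @NotNull TreePermission treePermission) {
        Tree readOnlyTree = getReadOnlyTree(tree);
        TreeType parentType;
        if (treePermission instanceof AbstractTreePermission) {
            parentType = ((AbstractTreePermission) treePermission).getType();
        } else {
            parentType = tree.isRoot() ? TreeType.DEFAULT : this.typeProvider.getType(tree.getParent());
        }
        return getTreePermission(readOnlyTree, this.typeProvider.getType(readOnlyTree, parentType), treePermission);
    }

    /**
     * Checks {@code j} on a tree or one of its properties.
     *
     * @param tree the target tree
     * @param propertyState the target property, or {@code null} to check the tree itself
     * @param j the requested permissions
     * @return {@code true} if all requested permissions are granted
     */
    @Override
    public boolean isGranted(@NotNull Tree tree, @Nullable PropertyState propertyState, long j) {
        Tree readOnlyTree = getReadOnlyTree(tree);
        switch (this.typeProvider.getType(readOnlyTree)) {
            case HIDDEN:
                return true;
            case INTERNAL:
                return false;
            case VERSION:
                if (!isVersionStoreTree(readOnlyTree)) {
                    Tree versionableTree = getVersionableTree(readOnlyTree);
                    if (versionableTree == null) {
                        // Without a versionable node there is nothing to evaluate against: deny.
                        return false;
                    }
                    readOnlyTree = versionableTree;
                }
                break;
            case ACCESS_CONTROL:
                // Modifying an entry also requires modify-AC on the path the entry takes effect at.
                if (!isGrantedOnEffective(readOnlyTree, j)) {
                    return false;
                }
                break;
            default:
                break;
        }
        return isGranted(readOnlyTree.getPath(), EntryPredicate.create(readOnlyTree, propertyState), EntryPredicate.createParent(readOnlyTree, j), j);
    }

    /**
     * Checks JCR actions on a path by mapping them to permissions first.
     *
     * @param str the target path
     * @param str2 the JCR actions to check
     * @return {@code true} if the mapped permissions are granted at the location
     */
    @Override
    public boolean isGranted(@NotNull String str, @NotNull String str2) {
        TreeLocation location = TreeLocation.create(this.immutableRoot, str);
        boolean isAccessControlContent = this.mgrProvider.getContext().definesLocation(location);
        return isGranted(location, Permissions.getPermissions(str2, location, isAccessControlContent));
    }

    /** Returns {@code privilegeBits} unchanged, or the bits of {@code jcr:all} when it is {@code null}. */
    @Override
    @NotNull
    public PrivilegeBits supportedPrivileges(@Nullable Tree tree, @Nullable PrivilegeBits privilegeBits) {
        return privilegeBits != null ? privilegeBits : new PrivilegeBitsProvider(this.immutableRoot).getBits(PrivilegeConstants.JCR_ALL);
    }

    /** Returns {@code j} unchanged: every permission is reported as supported. */
    @Override
    public long supportedPermissions(@Nullable Tree tree, @Nullable PropertyState propertyState, long j) {
        return j;
    }

    /** Returns {@code j} unchanged: every permission is reported as supported. */
    @Override
    public long supportedPermissions(@NotNull TreeLocation treeLocation, long j) {
        return j;
    }

    /** Returns {@code j} unchanged: every permission is reported as supported. */
    @Override
    public long supportedPermissions(@NotNull TreePermission treePermission, @Nullable PropertyState propertyState, long j) {
        return j;
    }

    /**
     * Checks {@code j} at a location that may not exist yet.
     *
     * <p>Existing locations are checked through their tree. A non-existing location below the
     * version storage is denied, because no versionable node can be determined for it. Any other
     * non-existing location is evaluated by path.
     *
     * @param treeLocation the target location
     * @param j the requested permissions
     * @return {@code true} if all requested permissions are granted
     */
    @Override
    public boolean isGranted(@NotNull TreeLocation treeLocation, long j) {
        boolean granted = false;
        PropertyState property = treeLocation.getProperty();
        TreeLocation treeHolder = property == null ? treeLocation : treeLocation.getParent();
        Tree tree = treeHolder.getTree();
        String path = treeLocation.getPath();
        if (tree != null) {
            granted = isGranted(tree, property, j);
        } else if (path.startsWith("/jcr:system/jcr:versionStorage")) {
            log.debug("Cannot determine permissions for non-existing location {} below the version storage", treeLocation);
        } else {
            granted = isGranted(path, EntryPredicate.create(path), EntryPredicate.createParent(treeHolder.getPath(), treeHolder.getParent().getTree(), j), j);
        }
        return granted;
    }

    /**
     * Builds the tree permission for {@code tree} given its already resolved type.
     *
     * @param tree the tree to evaluate
     * @param treeType the type of {@code tree}
     * @param treePermission permission of the parent tree
     * @return the permission for {@code tree}; {@link TreePermission#EMPTY} for internal trees and
     *         for version trees whose versionable node cannot be resolved
     */
    @Override
    @NotNull
    public TreePermission getTreePermission(@NotNull Tree tree, @NotNull TreeType treeType, @NotNull TreePermission treePermission) {
        Tree readOnlyTree = getReadOnlyTree(tree);
        if (readOnlyTree.isRoot()) {
            return new RegularTreePermission(readOnlyTree, TreeType.DEFAULT);
        }
        switch (treeType) {
            case HIDDEN:
                return TreePermission.ALL;
            case INTERNAL:
                return TreePermission.EMPTY;
            case VERSION:
                if (isVersionStoreTree(readOnlyTree)) {
                    return new RegularTreePermission(readOnlyTree, treeType);
                }
                if (treePermission instanceof VersionTreePermission) {
                    return treePermission.getChildPermission(readOnlyTree.getName(), this.mgrProvider.getTreeProvider().asNodeState(readOnlyTree));
                }
                Tree versionableTree = getVersionableTree(readOnlyTree);
                if (versionableTree != null) {
                    return new VersionTreePermission(readOnlyTree, versionableTree);
                }
                log.warn("Cannot retrieve versionable node for {}", readOnlyTree.getPath());
                return TreePermission.EMPTY;
            case ACCESS_CONTROL:
            default:
                return new RegularTreePermission(readOnlyTree, treeType);
        }
    }

    /** Returns an iterator over the cached entries for {@code str} that satisfy {@code predicate}. */
    private Iterator<PermissionEntry> getEntryIterator(@NotNull String str, @NotNull Predicate<PermissionEntry> predicate) {
        return new EntryIterator(str, predicate, this.entryCache);
    }

    /**
     * Core check: accumulates granted permissions for {@code str} until {@code j} is covered.
     *
     * @param str the path to evaluate
     * @param predicate selects the entries that apply to the target itself
     * @param predicate2 selects the entries that apply to the target's parent
     * @param j the requested permissions
     * @return {@code true} as soon as the accumulated permissions include {@code j}
     */
    private boolean isGranted(@NotNull String str, @NotNull Predicate<PermissionEntry> predicate, @NotNull Predicate<PermissionEntry> predicate2, long j) {
        long granted = Permissions.NO_PERMISSION;
        if (this.readablePaths.isReadable(str)) {
            // Readable paths grant READ up front, before any entry is consulted.
            granted = Permissions.READ;
            if (isGranted(granted, j)) {
                return true;
            }
        }
        PrivilegeBits targetBits = PrivilegeBits.getInstance();
        PrivilegeBits parentBits = PrivilegeBits.getInstance();
        // All entries are iterated once; the two predicates sort each entry into the target
        // and/or parent set.
        Iterator<PermissionEntry> entryIterator = getEntryIterator(str, Predicates.alwaysTrue());
        while (entryIterator.hasNext()) {
            PermissionEntry entry = entryIterator.next();
            PrivilegeBits entryBits = entry.getPrivilegeBits();
            if (predicate2.apply(entry)) {
                parentBits.add(entryBits);
            }
            if (predicate.apply(entry)) {
                targetBits.add(entryBits);
            }
            granted |= PrivilegeBits.calculatePermissions(targetBits, parentBits, true);
            if (isGranted(granted, j)) {
                return true;
            }
        }
        return false;
    }

    /** Returns {@code true} if every bit set in {@code j2} (requested) is also set in {@code j} (granted). */
    private static boolean isGranted(long j, long j2) {
        return (j | ~j2) == -1L;
    }

    /**
     * For access-control content, checks the {@code MODIFY_ACCESS_CONTROL} part of {@code j} at
     * the effective path of the enclosing principal entry.
     *
     * <p>NOTE(review): returns {@code true} when {@code MODIFY_ACCESS_CONTROL} is not requested or
     * when no effective path is found, leaving the decision to the regular entry evaluation.
     *
     * @param tree a tree of type {@code ACCESS_CONTROL}
     * @param j the requested permissions
     * @return whether the modify-AC part is granted at the effective path
     */
    private boolean isGrantedOnEffective(@NotNull Tree tree, long j) {
        long modAcRequested = j & Permissions.MODIFY_ACCESS_CONTROL;
        if (modAcRequested == Permissions.NO_PERMISSION) {
            return true;
        }
        String effectivePath = getEffectivePath(tree);
        if (effectivePath == null) {
            return true;
        }
        if ("".equals(effectivePath)) {
            // The empty path denotes the repository level.
            return getRepositoryPermission().isGranted(modAcRequested);
        }
        return isGranted(this.immutableRoot.getTree(effectivePath), null, modAcRequested);
    }

    /**
     * Computes the privilege bits granted at {@code tree}.
     *
     * <p>Hidden and internal trees yield no privileges. Version trees are mapped to their
     * versionable node (none resolvable: no privileges). For access-control content the
     * modify-AC bits not granted at the effective path are subtracted from the result.
     *
     * @param tree target tree, or {@code null} for the repository level
     * @return the granted privilege bits
     */
    @NotNull
    private PrivilegeBits getGrantedPrivilegeBits(@Nullable Tree tree) {
        Tree readOnlyTree = tree == null ? null : getReadOnlyTree(tree);
        PrivilegeBits toSubtract = PrivilegeBits.EMPTY;
        if (readOnlyTree != null) {
            switch (this.typeProvider.getType(readOnlyTree)) {
                case HIDDEN:
                case INTERNAL:
                    return PrivilegeBits.EMPTY;
                case VERSION:
                    if (!isVersionStoreTree(readOnlyTree)) {
                        Tree versionableTree = getVersionableTree(readOnlyTree);
                        if (versionableTree == null) {
                            return PrivilegeBits.EMPTY;
                        }
                        readOnlyTree = versionableTree;
                    }
                    break;
                case ACCESS_CONTROL:
                    toSubtract = getBitsToSubtract(readOnlyTree);
                    break;
                default:
                    break;
            }
        }
        String path;
        Predicate<PermissionEntry> entryPredicate;
        if (readOnlyTree == null) {
            path = "";
            entryPredicate = EntryPredicate.create(null);
        } else {
            path = readOnlyTree.getPath();
            entryPredicate = EntryPredicate.create(readOnlyTree, null);
        }
        PrivilegeBits granted = getGrantedPrivilegeBits(path, entryPredicate);
        return toSubtract.isEmpty() ? granted : granted.diff(toSubtract);
    }

    /**
     * Returns the part of {@code jcr:modifyAccessControl} that is not granted at the effective
     * path of the principal entry containing {@code tree}, or empty bits when there is no
     * effective path.
     */
    @NotNull
    PrivilegeBits getBitsToSubtract(@NotNull Tree tree) {
        String effectivePath = getEffectivePath(tree);
        return effectivePath == null ? PrivilegeBits.EMPTY : this.modAcBits.modifiable().diff(getGrantedPrivilegeBits(effectivePath, EntryPredicate.create(effectivePath)));
    }

    /**
     * Sums the privilege bits of all entries for {@code str} that satisfy {@code predicate} and
     * adds {@code jcr:read} when the path is a configured readable path.
     *
     * @param str the path to evaluate ("" for the repository level)
     * @param predicate selects the entries that apply
     * @return a new, modifiable set of granted privilege bits
     */
    @NotNull
    public PrivilegeBits getGrantedPrivilegeBits(@NotNull String str, @NotNull Predicate<PermissionEntry> predicate) {
        PrivilegeBits granted = PrivilegeBits.getInstance();
        Iterator<PermissionEntry> entryIterator = getEntryIterator(str, predicate);
        while (entryIterator.hasNext()) {
            granted.add(entryIterator.next().getPrivilegeBits());
        }
        if (!granted.includes(this.readablePaths.readBits) && this.readablePaths.isReadable(str)) {
            granted.add(this.readablePaths.readBits);
        }
        return granted;
    }

    /** Returns {@code tree} if it is already read-only, else the tree at the same path in the read-only root. */
    @NotNull
    private Tree getReadOnlyTree(@NotNull Tree tree) {
        return tree instanceof ReadOnly ? tree : this.immutableRoot.getTree(tree.getPath());
    }

    /**
     * Returns the {@code rep:effectivePath} value of the principal entry that is {@code tree} or
     * its parent, or {@code null} when neither is a principal entry.
     *
     * <p>NOTE(review): the property is dereferenced without a null check, so a principal entry
     * lacking it would raise a {@code NullPointerException} here; presumably the node type makes
     * the property mandatory (confirm).
     */
    @Nullable
    private String getEffectivePath(@NotNull Tree tree) {
        Tree principalEntry = null;
        if (Utils.isPrincipalEntry(tree)) {
            principalEntry = tree;
        } else if (Utils.isPrincipalEntry(tree.getParent())) {
            principalEntry = tree.getParent();
        }
        if (principalEntry == null) {
            return null;
        }
        return (String) principalEntry.getProperty(Constants.REP_EFFECTIVE_PATH).getValue(Type.STRING);
    }

    /** Resolves the versionable tree in this workspace for a version-store tree; may be {@code null}. */
    @Nullable
    private Tree getVersionableTree(@NotNull Tree tree) {
        return ReadOnlyVersionManager.getInstance(this.immutableRoot, NamePathMapper.DEFAULT).getVersionable(tree, this.workspaceName);
    }

    /** Delegates to {@link ReadOnlyVersionManager#isVersionStoreTree(Tree)}. */
    private boolean isVersionStoreTree(@NotNull Tree tree) {
        return ReadOnlyVersionManager.isVersionStoreTree(tree);
    }

    /**
     * Builds the permission for the child {@code str} of the tree held by
     * {@code abstractTreePermission}.
     *
     * @param str name of the child
     * @param nodeState state of the child
     * @param abstractTreePermission permission of the parent tree
     * @return the permission for the child tree
     */
    @NotNull
    public TreePermission getTreePermission(@NotNull String str, @NotNull NodeState nodeState, @NotNull AbstractTreePermission abstractTreePermission) {
        Tree childTree = this.mgrProvider.getTreeProvider().createReadOnlyTree(abstractTreePermission.getTree(), str, nodeState);
        return getTreePermission(childTree, this.typeProvider.getType(childTree, abstractTreePermission.getType()), abstractTreePermission);
    }
}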
