package org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl;

import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.common.collect.Iterables;
import java.security.Principal;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.nodetype.ConstraintViolationException;
import javax.jcr.nodetype.PropertyDefinition;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.commons.PathUtils;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
import org.apache.jackrabbit.oak.spi.security.authorization.principalbased.Filter;
import org.apache.jackrabbit.oak.spi.security.authorization.principalbased.FilterProvider;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
import org.apache.jackrabbit.oak.spi.xml.ImportBehavior;
import org.apache.jackrabbit.oak.spi.xml.NodeInfo;
import org.apache.jackrabbit.oak.spi.xml.PropInfo;
import org.apache.jackrabbit.oak.spi.xml.ProtectedNodeImporter;
import org.apache.jackrabbit.oak.spi.xml.ProtectedPropertyImporter;
import org.apache.jackrabbit.oak.spi.xml.ReferenceChangeTracker;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalPolicyImporter.class */
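/**
 * Importer for protected principal-based access control content.
 *
 * <p>During an import it recognises the principal-name property of a principal policy tree
 * ({@link #handlePropInfo}), creates a {@link PrincipalPolicyImpl} for the resolved principal,
 * collects the policy's entries and their restrictions from the child node infos
 * ({@link #startChildInfo} / {@link #endChildInfo}) and finally writes the policy through the
 * {@link AccessControlManager} ({@link #propertiesCompleted} / {@link #end}).
 *
 * <p>Everything read from {@link PropInfo} / {@link NodeInfo} is import input and is treated as
 * untrusted: property names and types are checked, the principal name is compared against the
 * principal resolved from the target path, and malformed structure is rejected.
 *
 * <p>The importer keeps per-import mutable state in fields (session, policy, entry); nothing in
 * this class synchronises access to it.
 */
public class PrincipalPolicyImporter implements ProtectedNodeImporter, ProtectedPropertyImporter, Constants {
    private static final Logger log = LoggerFactory.getLogger(PrincipalPolicyImporter.class);

    // The decompiled listing carried these compile-time constants as bare literals; they are
    // named here so the type and permission checks below can be read without a lookup table.
    /** Same value as {@code javax.jcr.PropertyType.NAME}. */
    private static final int PROPERTY_TYPE_NAME = 7;
    /** Same value as {@code javax.jcr.PropertyType.PATH}. */
    private static final int PROPERTY_TYPE_PATH = 8;
    /** Same value as {@code Permissions.READ_ACCESS_CONTROL}. */
    private static final long PERMISSION_READ_ACCESS_CONTROL = 128L;

    private Session session;
    private final MgrProvider mgrProvider;
    private final FilterProvider filterProvider;
    private Filter filter;
    private AuthorizationConfiguration authorizationConfiguration;
    private int importBehavior;
    private boolean initialized;
    // Policy currently being imported; null when no principal policy is in progress.
    private PrincipalPolicyImpl policy;
    // Entry currently being assembled; null between entries.
    private Entry entry;

    /**
     * One policy entry being assembled from import data: the effective path, the privileges to
     * grant and the optional single- and multi-valued restrictions.
     */
    private final class Entry {
        private String effectivePath;
        private final Iterable<Privilege> privileges;
        private final Map<String, Value> restrictions = new HashMap<>();
        private final Map<String, Value[]> mvRestrictions = new HashMap<>();

        /**
         * Reads the entry's own properties.
         *
         * @param list properties of the entry node as supplied by the import
         * @throws ConstraintViolationException if a property other than the effective path
         *         (type PATH) or the privileges (type NAME) is present, or if no privileges
         *         property was supplied
         * @throws RepositoryException if a privilege name cannot be resolved or a value cannot
         *         be read
         */
        private Entry(@NotNull List<PropInfo> list) throws RepositoryException {
            List<Privilege> granted = null;
            for (PropInfo propInfo : list) {
                String oakName = getOakName(propInfo.getName());
                int type = propInfo.getType();
                if (Constants.REP_EFFECTIVE_PATH.equals(oakName) && type == PROPERTY_TYPE_PATH) {
                    this.effectivePath = extractEffectivePath(propInfo);
                } else if (Constants.REP_PRIVILEGES.equals(oakName) && type == PROPERTY_TYPE_NAME) {
                    granted = getPrivileges(Iterables.transform(propInfo.getTextValues(), textValue -> textValue.getString()));
                } else {
                    // Anything else is rejected rather than ignored: both the name and the
                    // declared type must match exactly.
                    throw new ConstraintViolationException("Unsupported property '" + oakName + "' with type " + type + " within policy entry of type rep:PrincipalEntry");
                }
            }
            if (granted == null) {
                throw new ConstraintViolationException("Entries for PrincipalAccessControlList must specify the privileges to be granted.");
            }
            this.privileges = granted;
        }

        /**
         * Resolves privilege names through the privilege manager of the enclosing importer.
         *
         * @param iterable privilege names taken from the import
         * @return the resolved privileges, in iteration order
         * @throws RepositoryException if the privilege manager rejects a name
         */
        private List<Privilege> getPrivileges(@NotNull Iterable<String> iterable) throws RepositoryException {
            PrivilegeManager privilegeManager = mgrProvider.getPrivilegeManager();
            List<Privilege> resolved = new ArrayList<>();
            for (String privilegeName : iterable) {
                resolved.add(privilegeManager.getPrivilege(privilegeName));
            }
            return resolved;
        }

        /**
         * Adds the restrictions found in a restrictions child node to this entry.
         * (The decompiler marks this method as widened from {@code private}.)
         *
         * <p>A {@code rep:nodePath} restriction is not stored as a restriction; it supplies the
         * effective path, and only if no effective path has been set yet.
         *
         * @param list properties of the restrictions node as supplied by the import
         * @throws IllegalStateException if restrictions were already added to this entry, or if
         *         {@code rep:nodePath} would overwrite an existing effective path
         * @throws ConstraintViolationException if a single-valued restriction carries no value
         * @throws RepositoryException if a value cannot be converted to the restriction's type
         */
        public void addRestrictions(@NotNull List<PropInfo> list) throws RepositoryException {
            Preconditions.checkState(this.restrictions.isEmpty() && this.mvRestrictions.isEmpty(), "Multiple restriction nodes.");
            for (PropInfo propInfo : list) {
                String name = propInfo.getName();
                if ("rep:nodePath".equals(getOakName(name))) {
                    Preconditions.checkState(this.effectivePath == null, "Attempt to overwrite rep:effectivePath property with rep:nodePath restriction.");
                    log.debug("Extracting rep:effectivePath from rep:nodePath restriction.");
                    this.effectivePath = extractEffectivePath(propInfo);
                    continue;
                }
                // Typed list: the decompiled raw List handed Object values to the typed maps.
                List<Value> values = propInfo.getValues(policy.getRestrictionType(name));
                if (policy.isMultiValueRestriction(name)) {
                    this.mvRestrictions.put(name, values.toArray(new Value[0]));
                } else {
                    // Import input may supply a property without values; reject it as a
                    // constraint violation instead of failing with IndexOutOfBoundsException.
                    if (values.isEmpty()) {
                        throw new ConstraintViolationException("Single-valued restriction '" + name + "' must specify a value.");
                    }
                    // Only the first value is used; any further values are not stored.
                    this.restrictions.put(name, values.get(0));
                }
            }
        }

        /**
         * Reads the path value of the given property, mapping a path that denotes the current
         * element to {@link Constants#REPOSITORY_PERMISSION_PATH}.
         */
        private String extractEffectivePath(@NotNull PropInfo propInfo) throws RepositoryException {
            String path = propInfo.getTextValue().getString();
            if (PathUtils.denotesCurrent(path)) {
                return Constants.REPOSITORY_PERMISSION_PATH;
            }
            return path;
        }

        /**
         * Adds this entry to the given policy.
         * (The decompiler marks this method as widened from {@code private}.)
         *
         * @param principalPolicyImpl the policy receiving the entry
         * @throws ConstraintViolationException if no effective path was supplied, neither as a
         *         property of the entry nor as a {@code rep:nodePath} restriction
         * @throws RepositoryException if the policy rejects the entry
         */
        public void applyTo(@NotNull PrincipalPolicyImpl principalPolicyImpl) throws RepositoryException {
            if (this.effectivePath == null) {
                log.error("Missing rep:effectivePath for entry {} of policy at {}", this, principalPolicyImpl.getOakPath());
                throw new ConstraintViolationException("Entries for PrincipalAccessControlList must specify an effective path.");
            }
            // An empty effective path is handed on as null.
            // NOTE(review): presumably REPOSITORY_PERMISSION_PATH is the empty string, so that
            // the null path stands for repository-level permissions; confirm against Constants.
            principalPolicyImpl.addEntry(Strings.emptyToNull(this.effectivePath), Iterables.toArray(this.privileges, Privilege.class), this.restrictions, this.mvRestrictions);
        }
    }

    /**
     * Creates an importer that is not yet initialized; {@link #init} must be called before use.
     * (The decompiler marks this constructor as widened from package-private.)
     *
     * @param filterProvider decides which paths are supported and supplies the principal filter
     * @param mgrProvider source of the privilege manager, root and name/path mapper
     */
    public PrincipalPolicyImporter(@NotNull FilterProvider filterProvider, @NotNull MgrProvider mgrProvider) {
        this.filterProvider = filterProvider;
        this.mgrProvider = mgrProvider;
    }

    /**
     * Binds the importer to one import operation.
     *
     * <p>The import behavior is read from the authorization configuration parameter
     * {@code importBehavior}; {@code "abort"} is used when the parameter is not set. Note that
     * the filter is obtained with the security provider held by the {@code MgrProvider}, while
     * the authorization configuration comes from the {@code securityProvider} argument.
     *
     * @param session session performing the import; used for the permission check
     * @param root root the import operates on
     * @param namePathMapper mapper between JCR and Oak names and paths
     * @param z not used by this implementation
     * @param i not used by this implementation
     * @param referenceChangeTracker not used by this implementation
     * @param securityProvider provider of the authorization configuration
     * @return always {@code true}
     * @throws IllegalStateException if the importer was initialized before
     */
    public boolean init(@NotNull Session session, @NotNull Root root, @NotNull NamePathMapper namePathMapper, boolean z, int i, @NotNull ReferenceChangeTracker referenceChangeTracker, @NotNull SecurityProvider securityProvider) {
        if (this.initialized) {
            throw new IllegalStateException("Already initialized");
        }
        this.session = session;
        this.mgrProvider.reset(root, namePathMapper);
        this.filter = this.filterProvider.getFilter(this.mgrProvider.getSecurityProvider(), root, namePathMapper);
        this.authorizationConfiguration = securityProvider.getConfiguration(AuthorizationConfiguration.class);
        String configuredBehavior = this.authorizationConfiguration.getParameters().getConfigValue("importBehavior", "abort");
        this.importBehavior = ImportBehavior.valueFromString(configuredBehavior);
        this.initialized = true;
        return true;
    }

    /** Nothing to do: this importer does not track references. */
    public void processReferences() {
    }

    /**
     * Handles the principal-name property of a principal policy tree and, if it is acceptable,
     * starts a new policy for the principal.
     *
     * <p>Checks performed, in order: the tree is a principal policy tree and the property is the
     * single-valued principal-name property declared by the principal policy node type; the
     * access controlled path (parent of the tree) is supported by the filter provider; the
     * imported name equals the name of the principal the filter resolves for that path; the
     * principal can be handled under the configured import behavior; the importing session may
     * read access control content at that path.
     *
     * @return {@code true} if a policy was started, {@code false} if this importer does not
     *         handle the property
     * @throws ConstraintViolationException if the imported principal name differs from the
     *         principal resolved for the path
     * @throws RepositoryException if the permission check fails or a value cannot be read
     * @throws IllegalStateException if the importer is not initialized
     */
    public boolean handlePropInfo(@NotNull Tree tree, @NotNull PropInfo propInfo, @NotNull PropertyDefinition propertyDefinition) throws RepositoryException {
        Preconditions.checkState(this.initialized);
        if (!Utils.isPrincipalPolicyTree(tree) || !isValidPrincipalProperty(propInfo, propertyDefinition)) {
            return false;
        }
        String accessControlledPath = PathUtils.getParentPath(tree.getPath());
        if (!this.filterProvider.handlesPath(accessControlledPath)) {
            log.debug("Unable to import principal policy. Access controlled path '{}' outside of path supported by FilterProvider.", accessControlledPath);
            return false;
        }
        String importedName = propInfo.getTextValue().getString();
        Principal principal = this.filter.getValidPrincipal(accessControlledPath);
        if (principal == null) {
            // No principal is known for the path, so one is built from the imported name alone.
            // Whether it is accepted is decided by Utils.canHandle and the import behavior.
            log.debug("Unable to lookup principal by path = {}. Creating by name {}.", accessControlledPath, importedName);
            principal = new PrincipalImpl(importedName);
        } else if (!importedName.equals(principal.getName())) {
            // The import must not attach a policy to a path under a different principal's name.
            log.error("Principal name mismatch expected '{}' but was '{}'.", importedName, principal.getName());
            throw new ConstraintViolationException("Principal name mismatch.");
        }
        if (!Utils.canHandle(principal, this.filter, this.importBehavior)) {
            log.debug("Cannot handle principal {} with name = {}", principal, importedName);
            return false;
        }
        // Only the ability to read access control content is verified here.
        // NOTE(review): permission to modify access control is not checked in this class;
        // presumably it is enforced when the import is committed. Confirm before relying on it.
        this.session.checkPermission(accessControlledPath, Permissions.getString(PERMISSION_READ_ACCESS_CONTROL));
        this.policy = new PrincipalPolicyImpl(principal, accessControlledPath, this.mgrProvider);
        return true;
    }

    /**
     * Writes the policy in progress, if any, once all properties of the protected parent have
     * been processed. The policy stays in progress so that entries can still be added.
     *
     * @throws IllegalStateException if the importer is not initialized
     */
    public void propertiesCompleted(@NotNull Tree tree) throws RepositoryException {
        Preconditions.checkState(this.initialized);
        if (this.policy != null) {
            setOrRemovePolicy(tree);
        }
    }

    /**
     * Tells whether child node infos below the given tree belong to the policy in progress.
     *
     * @return {@code true} if a policy is in progress and the tree is its protected parent
     * @throws IllegalStateException if the importer is not initialized
     */
    public boolean start(@NotNull Tree tree) throws RepositoryException {
        Preconditions.checkState(this.initialized);
        return this.policy != null && isValidProtectedParent(tree, this.policy);
    }

    /**
     * Writes the policy in progress with all entries collected so far and clears it.
     *
     * @throws IllegalStateException if no policy is in progress
     */
    public void end(@NotNull Tree tree) throws RepositoryException {
        Preconditions.checkState(this.policy != null);
        setOrRemovePolicy(tree);
        this.policy = null;
    }

    /**
     * Starts a new entry or attaches restrictions to the entry in progress, depending on the
     * primary type of the child node.
     *
     * @throws ConstraintViolationException if entries are nested, if restrictions arrive without
     *         an entry, or if the child node has any other primary type
     * @throws IllegalStateException if no policy is in progress
     */
    public void startChildInfo(@NotNull NodeInfo nodeInfo, @NotNull List<PropInfo> list) throws RepositoryException {
        Preconditions.checkState(this.policy != null);
        String oakName = getOakName(nodeInfo.getPrimaryTypeName());
        if (Constants.NT_REP_PRINCIPAL_ENTRY.equals(oakName)) {
            if (this.entry != null) {
                throw new ConstraintViolationException("Invalid child node sequence: Entries must not be nested.");
            }
            this.entry = new Entry(list);
        } else if (Constants.NT_REP_RESTRICTIONS.equals(oakName)) {
            if (this.entry == null) {
                throw new ConstraintViolationException("Invalid child node sequence: Restriction must be associated with an Entry");
            }
            this.entry.addRestrictions(list);
        } else {
            throw new ConstraintViolationException("Invalid child node '" + nodeInfo.getName() + "' with type " + oakName);
        }
    }

    /**
     * Closes the current child node. The entry in progress, if any, is added to the policy and
     * cleared.
     * NOTE(review): this is invoked without arguments, so it cannot tell an entry node from its
     * restrictions node; the entry looks to be applied on the first close after it was started.
     * Confirm the call order with the import framework.
     *
     * @throws IllegalStateException if no policy is in progress
     */
    public void endChildInfo() throws RepositoryException {
        Preconditions.checkState(this.policy != null);
        if (this.entry != null) {
            this.entry.applyTo(this.policy);
            this.entry = null;
        }
    }

    /**
     * Applies the policy in progress if the tree is its protected parent; otherwise logs a
     * warning and removes the policy. Shared by {@link #propertiesCompleted} and {@link #end}.
     */
    private void setOrRemovePolicy(@NotNull Tree tree) throws RepositoryException {
        if (isValidProtectedParent(tree, this.policy)) {
            getAccessControlManager().setPolicy(this.policy.getPath(), this.policy);
        } else {
            log.warn("Protected parent {} does not match path of PrincipalAccessControlList {}.", tree.getPath(), this.policy.getOakPath());
            getAccessControlManager().removePolicy(this.policy.getPath(), this.policy);
        }
    }

    /**
     * Accepts only the single-valued principal-name property whose definition is declared by
     * the principal policy node type.
     */
    private boolean isValidPrincipalProperty(@NotNull PropInfo propInfo, @NotNull PropertyDefinition propertyDefinition) {
        if (!Constants.REP_PRINCIPAL_NAME.equals(getOakName(propInfo.getName()))) {
            return false;
        }
        if (propertyDefinition.isMultiple()) {
            return false;
        }
        return Constants.NT_REP_PRINCIPAL_POLICY.equals(getOakName(propertyDefinition.getDeclaringNodeType().getName()));
    }

    /** Tells whether the parent path of the tree equals the Oak path of the policy. */
    private static boolean isValidProtectedParent(@NotNull Tree tree, @NotNull PrincipalPolicyImpl principalPolicyImpl) {
        String parentPath = PathUtils.getParentPath(tree.getPath());
        return parentPath.equals(principalPolicyImpl.getOakPath());
    }

    /**
     * Maps a JCR name to its Oak name.
     * (The decompiler marks this method as widened from {@code private}.)
     *
     * @param str JCR name, may be {@code null}
     * @return the Oak name, or {@code null} if the input is {@code null} or cannot be mapped
     */
    @Nullable
    public String getOakName(@Nullable String str) {
        return str == null ? null : getNamePathMapper().getOakNameOrNull(str);
    }

    /** Obtains an access control manager for the root and mapper currently held by the provider. */
    private AccessControlManager getAccessControlManager() {
        return this.authorizationConfiguration.getAccessControlManager(this.mgrProvider.getRoot(), this.mgrProvider.getNamePathMapper());
    }

    private NamePathMapper getNamePathMapper() {
        return this.mgrProvider.getNamePathMapper();
    }
}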
