package org.apache.jackrabbit.oak.spi.security.authorization.cug.impl;

import com.google.common.collect.ImmutableSet;
import java.security.Principal;
import java.util.Collections;
import java.util.Iterator;
import java.util.Set;
import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.commons.PathUtils;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.plugins.tree.RootFactory;
import org.apache.jackrabbit.oak.plugins.tree.TreeFactory;
import org.apache.jackrabbit.oak.plugins.tree.TreeLocation;
import org.apache.jackrabbit.oak.plugins.tree.TreeType;
import org.apache.jackrabbit.oak.plugins.tree.TreeTypeProvider;
import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
import org.apache.jackrabbit.oak.plugins.version.ReadOnlyVersionManager;
import org.apache.jackrabbit.oak.spi.security.Context;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.AggregatedPermissionProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.RepositoryPermission;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
import org.apache.jackrabbit.oak.spi.state.NodeState;
import org.apache.jackrabbit.oak.spi.state.NodeStateUtils;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugPermissionProvider.class */
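/**
 * Permission provider that evaluates closed user group (CUG) policies.
 *
 * <p>Only read access is ever evaluated: the provider reports the read privileges
 * ({@code jcr:read}, {@code rep:readNodes}, {@code rep:readProperties}) and the read
 * permissions ({@link Permissions#READ_NODE}, {@link Permissions#READ_PROPERTY},
 * {@link Permissions#READ}). Every other privilege or permission is reported as not
 * granted / not supported.
 *
 * <p>Evaluation is deny-by-default: read access is granted only when a CUG is found
 * for the target and one of the principal names captured at construction time is
 * listed in that CUG's {@code REP_PRINCIPAL_NAMES} property.
 *
 * <p>The principal names are copied once in the constructor; {@link #refresh()}
 * re-reads repository state but does not re-read the principal set.
 *
 * <p>The lazily created version manager and the state swapped by {@link #refresh()}
 * are plain fields with no synchronization in this class.
 */
public class CugPermissionProvider implements AggregatedPermissionProvider, CugConstants {
    /** Privilege names this provider can report as granted. */
    private static final Set<String> READ_PRIVILEGE_NAMES = ImmutableSet.of("jcr:read", "rep:readNodes", "rep:readProperties");
    private final Root root;
    private final String workspaceName;
    // Snapshot of the names of the principals passed to the constructor.
    private final String[] principalNames;
    private final TreeTypeProvider typeProvider;
    private final Context ctx;
    private final SupportedPaths supportedPaths;
    // Read-only view of 'root'; replaced on refresh().
    private Root immutableRoot;
    // Created lazily by getVersionManager(); reset to null on refresh().
    private ReadOnlyVersionManager versionManager;
    private TopLevelPaths topPaths;

    /**
     * Creates a provider bound to the given root and principal set.
     *
     * <p>Decompiler note: access was widened from package-private.
     *
     * @param root    the root whose read-only view is used for evaluation
     * @param str     the workspace name, used when resolving versionable trees
     * @param set     the principals to evaluate for; only their names are retained
     * @param set2    the paths handed to {@code SupportedPaths}
     * @param context the security context used for tree typing and location checks
     */
    public CugPermissionProvider(@Nonnull Root root, @Nonnull String str, @Nonnull Set<Principal> set, @Nonnull Set<String> set2, @Nonnull Context context) {
        this.root = root;
        this.workspaceName = str;
        this.immutableRoot = RootFactory.createReadOnlyRoot(root);
        this.principalNames = new String[set.size()];
        int index = 0;
        for (Principal principal : set) {
            this.principalNames[index++] = principal.getName();
        }
        this.supportedPaths = new SupportedPaths(set2);
        this.typeProvider = new TreeTypeProvider(context);
        this.ctx = context;
        this.topPaths = new TopLevelPaths(this.immutableRoot);
    }

    /**
     * Builds a read-only tree from the given tree, name and node state and returns
     * the tree permission for it.
     *
     * <p>Decompiler note: access was widened from package-private.
     *
     * @param tree                   tree passed to {@code TreeFactory.createReadOnlyTree}
     *                               (presumably the parent; verify against callers)
     * @param treeType               type passed to the type provider together with the new tree
     *                               (presumably the parent's type; verify against callers)
     * @param str                    name passed to {@code TreeFactory.createReadOnlyTree}
     * @param nodeState              node state backing the new read-only tree
     * @param abstractTreePermission the parent tree permission
     * @return the tree permission for the newly created read-only tree
     */
    @Nonnull
    public TreePermission getTreePermission(@Nonnull Tree tree, @Nonnull TreeType treeType, @Nonnull String str, @Nonnull NodeState nodeState, @Nonnull AbstractTreePermission abstractTreePermission) {
        Tree readOnlyTree = TreeFactory.createReadOnlyTree(tree, str, nodeState);
        TreeType readOnlyType = this.typeProvider.getType(readOnlyTree, treeType);
        return getTreePermission(readOnlyTree, readOnlyType, abstractTreePermission);
    }

    /**
     * Tells whether any principal name held by this provider is listed in the
     * {@code REP_PRINCIPAL_NAMES} property of the given tree.
     *
     * <p>Names are compared with exact {@link String#equals(Object)}; a missing
     * property means no access.
     *
     * <p>Decompiler note: access was widened from package-private.
     *
     * @param tree the tree carrying the principal-names property
     * @return {@code true} if at least one held principal name is listed
     */
    public boolean isAllow(@Nonnull Tree tree) {
        PropertyState property = tree.getProperty(CugConstants.REP_PRINCIPAL_NAMES);
        if (property == null) {
            return false;
        }
        for (String allowedName : property.getValue(Type.STRINGS)) {
            for (String principalName : this.principalNames) {
                if (allowedName.equals(principalName)) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Re-creates the read-only root and the top-level path lookup from the current
     * state of the root, and drops the cached version manager. The principal names
     * captured in the constructor are left untouched.
     */
    public void refresh() {
        this.immutableRoot = RootFactory.createReadOnlyRoot(this.root);
        this.versionManager = null;
        this.topPaths = new TopLevelPaths(this.immutableRoot);
    }

    /**
     * Returns the read privilege names if the tree is readable according to the
     * applicable CUG, otherwise an empty set.
     *
     * @param tree the target tree, or {@code null}
     * @return the read privilege names or an empty set
     */
    @Nonnull
    public Set<String> getPrivileges(@Nullable Tree tree) {
        if (tree == null || !canRead(tree)) {
            return Collections.emptySet();
        }
        return READ_PRIVILEGE_NAMES;
    }

    /**
     * Tells whether all given privilege names are read privileges and the tree is
     * readable according to the applicable CUG.
     *
     * @param tree   the target tree, or {@code null}
     * @param strArr the privilege names to test
     * @return {@code false} for a {@code null} tree or any non-read privilege name;
     *         otherwise the result of the CUG read check
     */
    public boolean hasPrivileges(@Nullable Tree tree, @Nonnull String... strArr) {
        if (tree == null) {
            return false;
        }
        for (String privilegeName : strArr) {
            if (!READ_PRIVILEGE_NAMES.contains(privilegeName)) {
                return false;
            }
        }
        return canRead(tree);
    }

    /**
     * Returns {@link RepositoryPermission#EMPTY}.
     *
     * @return the empty repository permission
     */
    @Nonnull
    public RepositoryPermission getRepositoryPermission() {
        return RepositoryPermission.EMPTY;
    }

    /**
     * Returns the tree permission for the given tree below the given parent permission.
     *
     * @param tree           the target tree
     * @param treePermission the parent tree permission
     * @return the tree permission for {@code tree}
     * @throws IllegalStateException if the parent permission is
     *                               {@link TreePermission#NO_RECOURSE}
     */
    @Nonnull
    public TreePermission getTreePermission(@Nonnull Tree tree, @Nonnull TreePermission treePermission) {
        if (TreePermission.NO_RECOURSE == treePermission) {
            throw new IllegalStateException("Attempt to create tree permission for path '" + tree.getPath() + "', which is either not supported or doesn't contain any CUGs.");
        }
        Tree immutableTree = getImmutableTree(tree);
        return getTreePermission(immutableTree, this.typeProvider.getType(immutableTree), treePermission);
    }

    /**
     * Tells whether the given permissions are granted on the tree. Only the exact
     * read permission values are ever granted; the property state is not consulted.
     *
     * @param tree          the target tree
     * @param propertyState the target property (unused here)
     * @param j             the permissions to test
     * @return {@code true} only for a read permission on a readable tree
     */
    public boolean isGranted(@Nonnull Tree tree, PropertyState propertyState, long j) {
        return isRead(j) && canRead(tree);
    }

    /**
     * Tells whether the permissions denoted by {@code str2} are granted at the
     * location {@code str}. Locations defined by the security context and hidden
     * paths are never granted.
     *
     * @param str  the path of the target location
     * @param str2 the permission names, resolved via {@code Permissions.getPermissions}
     * @return {@code true} if read access is granted at the location
     */
    public boolean isGranted(@Nonnull String str, @Nonnull String str2) {
        TreeLocation location = TreeLocation.create(this.immutableRoot, str);
        if (this.ctx.definesLocation(location) || NodeStateUtils.isHiddenPath(str)) {
            return false;
        }
        return isGranted(location, Permissions.getPermissions(str2, location, false));
    }

    /**
     * Returns the subset of the given privilege bits that this provider handles
     * for the tree, which is at most {@code jcr:read}.
     *
     * @param tree          the target tree, or {@code null}
     * @param privilegeBits the bits to test, or {@code null} to ask for everything supported
     * @return the supported bits, or {@link PrivilegeBits#EMPTY} if the tree is
     *         {@code null}, nothing read-related was requested, or no CUG applies
     */
    @Nonnull
    public PrivilegeBits supportedPrivileges(@Nullable Tree tree, @Nullable PrivilegeBits privilegeBits) {
        if (tree == null) {
            return PrivilegeBits.EMPTY;
        }
        PrivilegeBits readBits = PrivilegeBits.BUILT_IN.get("jcr:read");
        PrivilegeBits supported;
        if (privilegeBits == null) {
            supported = readBits;
        } else {
            // Work on a fresh instance so the caller's bits are not modified by retain().
            supported = PrivilegeBits.getInstance(privilegeBits);
            supported.retain(readBits);
        }
        if (supported.isEmpty() || !includesCug(tree)) {
            return PrivilegeBits.EMPTY;
        }
        return supported;
    }

    /**
     * Returns the read portion of the given permissions if a CUG applies to the tree.
     *
     * @param tree          the target tree, or {@code null}
     * @param propertyState the target property (unused here)
     * @param j             the permissions to test
     * @return the supported read permissions or {@link Permissions#NO_PERMISSION}
     */
    public long supportedPermissions(@Nullable Tree tree, @Nullable PropertyState propertyState, long j) {
        if (tree == null) {
            return Permissions.NO_PERMISSION;
        }
        long readPermissions = j & Permissions.READ;
        if (readPermissions == Permissions.NO_PERMISSION || !includesCug(tree)) {
            return Permissions.NO_PERMISSION;
        }
        return readPermissions;
    }

    /**
     * Returns the read portion of the given permissions if a CUG applies to the
     * tree resolved from the location.
     *
     * @param treeLocation the target location
     * @param j            the permissions to test
     * @return the supported read permissions or {@link Permissions#NO_PERMISSION}
     */
    public long supportedPermissions(@Nonnull TreeLocation treeLocation, long j) {
        long readPermissions = j & Permissions.READ;
        if (readPermissions == Permissions.NO_PERMISSION || !includesCug(getTreeFromLocation(treeLocation))) {
            return Permissions.NO_PERMISSION;
        }
        return readPermissions;
    }

    /**
     * Returns the read portion of the given permissions if the tree permission is a
     * {@code CugTreePermission} that reports being inside a CUG.
     *
     * @param treePermission the tree permission to inspect
     * @param propertyState  the target property (unused here)
     * @param j              the permissions to test
     * @return the supported read permissions or {@link Permissions#NO_PERMISSION}
     */
    public long supportedPermissions(@Nonnull TreePermission treePermission, @Nullable PropertyState propertyState, long j) {
        long readPermissions = j & Permissions.READ;
        boolean inCug = (treePermission instanceof CugTreePermission) && ((CugTreePermission) treePermission).isInCug();
        if (readPermissions != Permissions.NO_PERMISSION && inCug) {
            return readPermissions;
        }
        return Permissions.NO_PERMISSION;
    }

    /**
     * Tells whether the given permissions are granted at the location. Non-read
     * permissions and locations without a resolvable tree are never granted.
     *
     * @param treeLocation the target location
     * @param j            the permissions to test
     * @return {@code true} if read access is granted at the location
     */
    public boolean isGranted(@Nonnull TreeLocation treeLocation, long j) {
        if (!isRead(j)) {
            return false;
        }
        Tree tree = getTreeFromLocation(treeLocation);
        if (tree == null) {
            return false;
        }
        return isGranted(tree, treeLocation.getProperty(), j);
    }

    /**
     * Returns the tree permission for a tree of known type.
     *
     * <p>{@link TreePermission#NO_RECOURSE} is returned for unsupported tree types,
     * when there are no top-level CUG paths, and for paths that neither are nor may
     * contain a CUG.
     *
     * @param tree           the target tree
     * @param treeType       the type of the target tree
     * @param treePermission the parent tree permission
     * @return the tree permission for {@code tree}
     */
    @Nonnull
    public TreePermission getTreePermission(@Nonnull Tree tree, @Nonnull TreeType treeType, @Nonnull TreePermission treePermission) {
        if (!isSupportedType(treeType) || !this.topPaths.hasAny()) {
            return TreePermission.NO_RECOURSE;
        }
        boolean parentIsCugPermission = treePermission instanceof CugTreePermission;
        if (TreeType.VERSION == treeType) {
            return createVersionPermission(tree, treeType, treePermission, parentIsCugPermission);
        }
        if (parentIsCugPermission) {
            return new CugTreePermission(tree, treeType, treePermission, this);
        }
        String path = tree.getPath();
        if (includes(path)) {
            return this.topPaths.contains(path) ? new CugTreePermission(tree, treeType, treePermission, this) : TreePermission.NO_RECOURSE;
        }
        if (mayContain(path) || isJcrSystemPath(tree)) {
            return new EmptyCugTreePermission(tree, treeType, this);
        }
        return TreePermission.NO_RECOURSE;
    }

    /** Tells whether the tree's name is {@code jcr:system}. */
    private static boolean isJcrSystemPath(@Nonnull Tree tree) {
        return "jcr:system".equals(tree.getName());
    }

    /**
     * Tells whether the value is exactly one of the read permissions. A value that
     * combines read with any other permission is not considered read.
     */
    private static boolean isRead(long permission) {
        return permission == Permissions.READ_NODE || permission == Permissions.READ_PROPERTY || permission == Permissions.READ;
    }

    /** Tells whether the tree type is one this provider evaluates. */
    private static boolean isSupportedType(@Nonnull TreeType treeType) {
        return treeType == TreeType.DEFAULT || treeType == TreeType.VERSION;
    }

    /**
     * Tells whether a CUG applies to the given tree, i.e. the tree is of a
     * supported type, top-level CUG paths exist and a CUG root can be found.
     */
    private boolean includesCug(@CheckForNull Tree tree) {
        if (tree == null) {
            return false;
        }
        Tree immutableTree = getImmutableTree(tree);
        TreeType type = this.typeProvider.getType(immutableTree);
        return isSupportedType(type) && this.topPaths.hasAny() && getCugRoot(immutableTree, type) != null;
    }

    /** Delegates to {@code SupportedPaths.includes}. */
    private boolean includes(@Nonnull String path) {
        return this.supportedPaths.includes(path);
    }

    /** Tells whether the path may contain a CUG and is covered by the top-level paths. */
    private boolean mayContain(@Nonnull String path) {
        return this.supportedPaths.mayContainCug(path) && this.topPaths.contains(path);
    }

    /**
     * Finds the closest tree at or above the given tree that holds a CUG, walking
     * up only while the ancestors stay inside the supported paths.
     *
     * <p>For a version-typed tree outside the version store the search starts at
     * the versionable tree resolved through the version manager.
     *
     * @param tree     the (read-only) tree to start from
     * @param treeType the type of {@code tree}
     * @return the tree holding the applicable CUG, or {@code null} if there is none
     */
    @CheckForNull
    private Tree getCugRoot(@Nonnull Tree tree, @Nonnull TreeType treeType) {
        Tree current = tree;
        String currentPath = tree.getPath();
        if (TreeType.VERSION == treeType && !ReadOnlyVersionManager.isVersionStoreTree(current)) {
            current = getVersionManager().getVersionable(tree, this.workspaceName);
            if (current == null) {
                return null;
            }
            currentPath = current.getPath();
        }
        if (!includes(currentPath)) {
            return null;
        }
        if (CugUtil.hasCug(current)) {
            return current;
        }
        while (!current.isRoot()) {
            String parentPath = PathUtils.getParentPath(currentPath);
            if (!includes(parentPath)) {
                break;
            }
            current = current.getParent();
            // Keep the path in step with the tree. The previous code never advanced
            // it, so the supported-path guard was only ever evaluated for the start
            // node's parent and the walk could continue to ancestors outside the
            // supported paths.
            currentPath = parentPath;
            if (CugUtil.hasCug(current)) {
                return current;
            }
        }
        return null;
    }

    /**
     * Tells whether the held principals may read the tree: a CUG must apply to the
     * tree and list one of the principal names. Any missing piece means no access.
     */
    private boolean canRead(@Nonnull Tree tree) {
        Tree immutableTree = getImmutableTree(tree);
        TreeType type = this.typeProvider.getType(immutableTree);
        if (!isSupportedType(type) || !this.topPaths.hasAny()) {
            return false;
        }
        Tree cugRoot = getCugRoot(immutableTree, type);
        if (cugRoot == null) {
            return false;
        }
        Tree cug = CugUtil.getCug(cugRoot);
        return cug != null && isAllow(cug);
    }

    /** Returns the tree itself if it is read-only, else the tree at the same path in the read-only root. */
    @Nonnull
    private Tree getImmutableTree(@Nonnull Tree tree) {
        return TreeUtil.isReadOnlyTree(tree) ? tree : this.immutableRoot.getTree(tree.getPath());
    }

    /**
     * Resolves the tree for a location: the location's own tree, or the parent's
     * tree when the location denotes a property. While no tree is found the
     * search moves to the parent location, stopping at the root.
     *
     * @param treeLocation the location to resolve
     * @return the resolved tree, or {@code null} if none was found up to the root
     */
    @CheckForNull
    private static Tree getTreeFromLocation(@Nonnull TreeLocation treeLocation) {
        TreeLocation location = treeLocation;
        Tree tree = (location.getProperty() == null) ? location.getTree() : location.getParent().getTree();
        while (tree == null && !PathUtils.denotesRoot(location.getPath())) {
            location = location.getParent();
            tree = location.getTree();
        }
        return tree;
    }

    /**
     * Creates the tree permission for a version-typed tree.
     *
     * <p>Trees inside the version store get a permission derived only from the
     * parent permission. Other trees are mapped to their versionable tree, and the
     * CUG applicable to that tree decides the outcome.
     *
     * @param tree                  the version-typed target tree
     * @param treeType              the type of {@code tree}
     * @param treePermission        the parent tree permission
     * @param parentIsCugPermission whether the parent permission is a {@code CugTreePermission}
     * @return the tree permission for {@code tree}
     */
    @Nonnull
    private TreePermission createVersionPermission(@Nonnull Tree tree, @Nonnull TreeType treeType, @Nonnull TreePermission treePermission, boolean parentIsCugPermission) {
        if (ReadOnlyVersionManager.isVersionStoreTree(tree)) {
            return parentIsCugPermission ? new CugTreePermission(tree, treeType, treePermission, this) : new EmptyCugTreePermission(tree, treeType, this);
        }
        Tree versionable = getVersionManager().getVersionable(tree, this.workspaceName);
        if (versionable == null) {
            return TreePermission.NO_RECOURSE;
        }
        TreeType versionableType = this.typeProvider.getType(versionable);
        if (!isSupportedType(versionableType)) {
            return TreePermission.NO_RECOURSE;
        }
        String versionablePath = versionable.getPath();
        boolean pathIncluded = false;
        Tree cug = null;
        if (parentIsCugPermission) {
            cug = CugUtil.getCug(versionable);
        } else if (includes(versionablePath)) {
            pathIncluded = true;
            Tree cugRoot = getCugRoot(versionable, versionableType);
            if (cugRoot != null) {
                cug = CugUtil.getCug(cugRoot);
            }
        }

        // The three trailing constructor arguments appear to be in-CUG, allow and
        // has-nested-CUG, matching the getters read from the parent below.
        if (cug != null) {
            return new CugTreePermission(tree, treeType, treePermission, this, true, isAllow(cug), CugUtil.hasNestedCug(cug));
        }
        if (parentIsCugPermission) {
            // No CUG on the versionable itself: carry the parent's state forward.
            CugTreePermission parent = (CugTreePermission) treePermission;
            return new CugTreePermission(tree, treeType, treePermission, this, parent.isInCug(), parent.isAllow(), parent.hasNestedCug());
        }
        if (pathIncluded) {
            return new CugTreePermission(tree, treeType, treePermission, this, false, false, false);
        }
        return mayContain(versionablePath) ? new EmptyCugTreePermission(tree, treeType, this) : TreePermission.NO_RECOURSE;
    }

    /** Returns the version manager for the current read-only root, creating it on first use. */
    @Nonnull
    private ReadOnlyVersionManager getVersionManager() {
        if (this.versionManager == null) {
            this.versionManager = ReadOnlyVersionManager.getInstance(this.immutableRoot, NamePathMapper.DEFAULT);
        }
        return this.versionManager;
    }
}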
