package org.apache.jackrabbit.oak.security.authorization.permission;

import com.google.common.base.Objects;
import com.google.common.base.Preconditions;
import com.google.common.base.Strings;
import com.google.common.collect.Lists;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.annotation.Nonnull;
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.commons.PathUtils;
import org.apache.jackrabbit.oak.core.AbstractTree;
import org.apache.jackrabbit.oak.core.ImmutableRoot;
import org.apache.jackrabbit.oak.core.ImmutableTree;
import org.apache.jackrabbit.oak.core.TreeTypeProvider;
import org.apache.jackrabbit.oak.plugins.memory.EmptyNodeState;
import org.apache.jackrabbit.oak.plugins.nodetype.ReadOnlyNodeTypeManager;
import org.apache.jackrabbit.oak.spi.commit.PostValidationHook;
import org.apache.jackrabbit.oak.spi.security.authentication.external.SyncMode;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider;
import org.apache.jackrabbit.oak.spi.state.DefaultNodeStateDiff;
import org.apache.jackrabbit.oak.spi.state.NodeBuilder;
import org.apache.jackrabbit.oak.spi.state.NodeState;
import org.apache.jackrabbit.oak.spi.state.NodeStateUtils;
import org.apache.jackrabbit.oak.util.TreeUtil;
import org.apache.jackrabbit.util.Text;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook.class */
public class PermissionHook implements PostValidationHook, AccessControlConstants, PermissionConstants {
    private static final Logger log = LoggerFactory.getLogger(PermissionHook.class);
    private final RestrictionProvider restrictionProvider;
    private final String workspaceName;
    private NodeBuilder permissionRoot;
    private ReadOnlyNodeTypeManager ntMgr;
    private PrivilegeBitsProvider bitsProvider;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook$AcEntry.class */
    public class AcEntry {
        private final String accessControlledPath;
        private final String principalName;
        private final PrivilegeBits privilegeBits;
        private final boolean isAllow;
        private final Set<Restriction> restrictions;
        private int hashCode;

        private AcEntry(@Nonnull Tree tree, @Nonnull String str) {
            this.hashCode = -1;
            this.accessControlledPath = str;
            this.principalName = Text.escapeIllegalJcrChars((String) Preconditions.checkNotNull(TreeUtil.getString(tree, "rep:principalName")));
            this.privilegeBits = PermissionHook.this.bitsProvider.getBits(TreeUtil.getStrings(tree, "rep:privileges"));
            this.isAllow = AccessControlConstants.NT_REP_GRANT_ACE.equals(TreeUtil.getPrimaryTypeName(tree));
            this.restrictions = PermissionHook.this.restrictionProvider.readRestrictions(Strings.emptyToNull(str), tree);
        }

        public int hashCode() {
            if (this.hashCode == -1) {
                this.hashCode = Objects.hashCode(new Object[]{this.accessControlledPath, this.principalName, this.privilegeBits, Boolean.valueOf(this.isAllow), this.restrictions});
            }
            return this.hashCode;
        }

        public boolean equals(Object obj) {
            if (obj == this) {
                return true;
            }
            if (!(obj instanceof AcEntry)) {
                return false;
            }
            AcEntry acEntry = (AcEntry) obj;
            return this.isAllow == acEntry.isAllow && this.privilegeBits.equals(acEntry.privilegeBits) && this.principalName.equals(acEntry.principalName) && this.accessControlledPath.equals(acEntry.accessControlledPath) && this.restrictions.equals(acEntry.restrictions);
        }

        public String toString() {
            StringBuilder sb = new StringBuilder();
            sb.append(this.accessControlledPath);
            sb.append(';').append(this.principalName);
            sb.append(';').append(this.isAllow ? "allow" : "deny");
            sb.append(';').append(PermissionHook.this.bitsProvider.getPrivilegeNames(this.privilegeBits));
            sb.append(';').append(this.restrictions);
            return sb.toString();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook$AfterNode.class */
    public static final class AfterNode extends Node {
        private final NodeBuilder builder;

        private AfterNode(NodeBuilder nodeBuilder) {
            super("/");
            this.builder = nodeBuilder;
        }

        private AfterNode(String str, String str2, NodeState nodeState) {
            super(str, str2);
            this.builder = nodeState.builder();
        }

        private AfterNode(AfterNode afterNode, String str) {
            super(afterNode.getPath(), str);
            this.builder = afterNode.builder.child(str);
        }

        @Override // org.apache.jackrabbit.oak.security.authorization.permission.PermissionHook.Node
        NodeState getNodeState() {
            return this.builder.getNodeState();
        }
    }

    /* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook$BeforeNode.class */
    private static final class BeforeNode extends Node {
        private final NodeState nodeState;

        BeforeNode(NodeState nodeState) {
            super("/");
            this.nodeState = nodeState;
        }

        BeforeNode(String str, String str2, NodeState nodeState) {
            super(str, str2);
            this.nodeState = nodeState;
        }

        BeforeNode(Node node, String str, NodeState nodeState) {
            super(node.getPath(), str);
            this.nodeState = nodeState;
        }

        @Override // org.apache.jackrabbit.oak.security.authorization.permission.PermissionHook.Node
        NodeState getNodeState() {
            return this.nodeState;
        }
    }

    /* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook$Diff.class */
    private class Diff extends DefaultNodeStateDiff {
        private final Node parentBefore;
        private final AfterNode parentAfter;

        private Diff(@Nonnull Node node, @Nonnull AfterNode afterNode) {
            this.parentBefore = node;
            this.parentAfter = afterNode;
        }

        @Override // org.apache.jackrabbit.oak.spi.state.DefaultNodeStateDiff, org.apache.jackrabbit.oak.spi.state.NodeStateDiff
        public boolean childNodeAdded(String str, NodeState nodeState) {
            if (NodeStateUtils.isHidden(str)) {
                return true;
            }
            if (!isACL(str, nodeState)) {
                BeforeNode beforeNode = new BeforeNode(this.parentBefore.getPath(), str, EmptyNodeState.EMPTY_NODE);
                nodeState.compareAgainstBaseState(beforeNode.getNodeState(), new Diff(beforeNode, new AfterNode(this.parentAfter, str)));
                return true;
            }
            int i = 0;
            for (String str2 : PermissionHook.getAceNames(nodeState)) {
                Tree tree = PermissionHook.getTree(str2, nodeState.getChildNode(str2));
                if (isACE(tree)) {
                    createPermissionEntry(tree, i, new AfterNode(this.parentAfter, str)).add();
                }
                i++;
            }
            return true;
        }

        @Override // org.apache.jackrabbit.oak.spi.state.DefaultNodeStateDiff, org.apache.jackrabbit.oak.spi.state.NodeStateDiff
        public boolean childNodeChanged(String str, NodeState nodeState, NodeState nodeState2) {
            if (NodeStateUtils.isHidden(str)) {
                return true;
            }
            if (!isACL(str, nodeState) && !isACL(str, nodeState2)) {
                nodeState2.compareAgainstBaseState(nodeState, new Diff(new BeforeNode(this.parentBefore.getPath(), str, nodeState), new AfterNode(this.parentAfter, str)));
                return true;
            }
            List<AcEntry> createEntries = createEntries(new BeforeNode(this.parentBefore, str, nodeState));
            List<AcEntry> createEntries2 = createEntries(new AfterNode(this.parentAfter, str));
            for (int i = 0; i < createEntries.size(); i++) {
                AcEntry acEntry = createEntries.get(i);
                if (createEntries2.isEmpty() || !createEntries2.contains(acEntry)) {
                    new PermissionEntry(acEntry, i).remove();
                }
            }
            ArrayList arrayList = new ArrayList();
            ArrayList arrayList2 = new ArrayList();
            for (int i2 = 0; i2 < createEntries2.size(); i2++) {
                AcEntry acEntry2 = createEntries2.get(i2);
                int indexOf = createEntries.indexOf(acEntry2);
                if (indexOf == -1) {
                    arrayList2.add(new PermissionEntry(acEntry2, i2));
                } else if (indexOf != i2) {
                    arrayList.add(new PermissionEntry(createEntries.get(indexOf), indexOf));
                    arrayList2.add(new PermissionEntry(acEntry2, i2));
                }
            }
            Iterator it = arrayList.iterator();
            while (it.hasNext()) {
                ((PermissionEntry) it.next()).remove();
            }
            Iterator it2 = arrayList2.iterator();
            while (it2.hasNext()) {
                ((PermissionEntry) it2.next()).add();
            }
            return true;
        }

        @Override // org.apache.jackrabbit.oak.spi.state.DefaultNodeStateDiff, org.apache.jackrabbit.oak.spi.state.NodeStateDiff
        public boolean childNodeDeleted(String str, NodeState nodeState) {
            if (NodeStateUtils.isHidden(str)) {
                return true;
            }
            if (!isACL(str, nodeState)) {
                BeforeNode beforeNode = new BeforeNode(this.parentBefore.getPath(), str, nodeState);
                AfterNode afterNode = new AfterNode(this.parentAfter.getPath(), str, EmptyNodeState.EMPTY_NODE);
                afterNode.getNodeState().compareAgainstBaseState(nodeState, new Diff(beforeNode, afterNode));
                return true;
            }
            int i = 0;
            for (String str2 : PermissionHook.getAceNames(nodeState)) {
                Tree tree = PermissionHook.getTree(str2, nodeState.getChildNode(str2));
                if (isACE(tree)) {
                    createPermissionEntry(tree, i, new BeforeNode(this.parentBefore, str, nodeState)).remove();
                }
                i++;
            }
            return true;
        }

        private boolean isACL(@Nonnull String str, @Nonnull NodeState nodeState) {
            return PermissionHook.this.ntMgr.isNodeType(PermissionHook.getTree(str, nodeState), AccessControlConstants.NT_REP_ACL);
        }

        private boolean isACE(@Nonnull Tree tree) {
            return PermissionHook.this.ntMgr.isNodeType(tree, AccessControlConstants.NT_REP_ACE);
        }

        @Nonnull
        private PermissionEntry createPermissionEntry(@Nonnull Tree tree, int i, @Nonnull Node node) {
            return new PermissionEntry(tree, PermissionHook.getAccessControlledPath(node), i);
        }

        @Nonnull
        private List<AcEntry> createEntries(Node node) {
            ArrayList arrayList = new ArrayList();
            NodeState nodeState = node.getNodeState();
            for (String str : PermissionHook.getAceNames(nodeState)) {
                Tree tree = PermissionHook.getTree(str, nodeState.getChildNode(str));
                if (isACE(tree)) {
                    arrayList.add(new AcEntry(tree, PermissionHook.getAccessControlledPath(node)));
                }
            }
            return arrayList;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook$Node.class */
    public static abstract class Node {
        private final String path;

        private Node(String str) {
            this.path = str;
        }

        private Node(String str, String str2) {
            this.path = PathUtils.concat(str, new String[]{str2});
        }

        String getName() {
            return Text.getName(this.path);
        }

        String getPath() {
            return this.path;
        }

        abstract NodeState getNodeState();
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/permission/PermissionHook$PermissionEntry.class */
    public final class PermissionEntry {
        private final AcEntry ace;
        private final long index;
        private final String nodeName;
        private int hashCode;

        private PermissionEntry(@Nonnull PermissionHook permissionHook, @Nonnull Tree tree, String str, long j) {
            this(new AcEntry(tree, str), j);
        }

        private PermissionEntry(@Nonnull AcEntry acEntry, long j) {
            this.hashCode = -1;
            this.ace = acEntry;
            this.index = j;
            this.nodeName = PermissionUtil.getEntryName(acEntry.accessControlledPath);
        }

        /* JADX INFO: Access modifiers changed from: private */
        public void add() {
            NodeBuilder child = PermissionHook.this.permissionRoot.child(this.ace.principalName);
            if (!child.hasProperty("jcr:primaryType")) {
                child.setProperty("jcr:primaryType", PermissionConstants.NT_REP_PERMISSION_STORE, Type.NAME);
            }
            NodeBuilder parent = getParent(child);
            NodeBuilder property = parent.child(String.valueOf(hashCode())).setProperty("jcr:primaryType", PermissionConstants.NT_REP_PERMISSIONS, Type.NAME).setProperty(PermissionConstants.REP_ACCESS_CONTROLLED_PATH, this.ace.accessControlledPath).setProperty(PermissionConstants.REP_IS_ALLOW, Boolean.valueOf(this.ace.isAllow)).setProperty(PermissionConstants.REP_INDEX, Long.valueOf(this.index)).setProperty(this.ace.privilegeBits.asPropertyState("rep:privileges"));
            Iterator it = this.ace.restrictions.iterator();
            while (it.hasNext()) {
                property.setProperty(((Restriction) it.next()).getProperty());
            }
            if (parent.hasChildNode(this.nodeName)) {
                NodeBuilder childNode = parent.getChildNode(this.nodeName);
                property.setChildNode(this.nodeName, childNode.getNodeState());
                childNode.remove();
            }
            parent.setChildNode(this.nodeName, property.getNodeState());
            property.remove();
        }

        /* JADX INFO: Access modifiers changed from: private */
        public void remove() {
            if (!PermissionHook.this.permissionRoot.hasChildNode(this.ace.principalName)) {
                PermissionHook.log.error("{} {}: Principal root missing.", "Unable to remove permission entry", this);
                return;
            }
            NodeBuilder parent = getParent(PermissionHook.this.permissionRoot.getChildNode(this.ace.principalName));
            if (!parent.hasChildNode(this.nodeName)) {
                PermissionHook.log.error("{} {}. No corresponding node found in permission store.", "Unable to remove permission entry", this);
                return;
            }
            NodeBuilder childNode = parent.getChildNode(this.nodeName);
            for (String str : childNode.getChildNodeNames()) {
                NodeBuilder childNode2 = childNode.getChildNode(str);
                parent.setChildNode(str, childNode2.getNodeState());
                childNode2.remove();
            }
            childNode.remove();
        }

        private NodeBuilder getParent(NodeBuilder nodeBuilder) {
            NodeBuilder nodeBuilder2;
            NodeBuilder nodeBuilder3 = nodeBuilder;
            while (true) {
                nodeBuilder2 = nodeBuilder3;
                if (!nodeBuilder2.hasChildNode(this.nodeName)) {
                    break;
                }
                NodeBuilder childNode = nodeBuilder2.getChildNode(this.nodeName);
                if (this.index >= ((Long) childNode.getProperty(PermissionConstants.REP_INDEX).getValue(Type.LONG)).longValue()) {
                    break;
                }
                nodeBuilder3 = childNode;
            }
            return nodeBuilder2;
        }

        public int hashCode() {
            if (this.hashCode == -1) {
                this.hashCode = Objects.hashCode(new Object[]{this.ace, Long.valueOf(this.index)});
            }
            return this.hashCode;
        }

        public boolean equals(Object obj) {
            if (obj == this) {
                return true;
            }
            if (!(obj instanceof PermissionEntry)) {
                return false;
            }
            PermissionEntry permissionEntry = (PermissionEntry) obj;
            return this.index == permissionEntry.index && this.ace.equals(permissionEntry.ace);
        }

        public String toString() {
            StringBuilder sb = new StringBuilder();
            sb.append("permission entry: ").append(this.ace.toString()).append('-').append(this.index);
            return sb.toString();
        }
    }

    public PermissionHook(String str, RestrictionProvider restrictionProvider) {
        this.workspaceName = str;
        this.restrictionProvider = restrictionProvider;
    }

    @Override // org.apache.jackrabbit.oak.spi.commit.CommitHook
    @Nonnull
    public NodeState processCommit(NodeState nodeState, NodeState nodeState2) throws CommitFailedException {
        NodeBuilder builder = nodeState2.builder();
        this.permissionRoot = getPermissionRoot(builder);
        this.ntMgr = ReadOnlyNodeTypeManager.getInstance(nodeState);
        this.bitsProvider = new PrivilegeBitsProvider(new ImmutableRoot(nodeState));
        nodeState2.compareAgainstBaseState(nodeState, new Diff(new BeforeNode(nodeState), new AfterNode(builder)));
        return builder.getNodeState();
    }

    @Nonnull
    private NodeBuilder getPermissionRoot(NodeBuilder nodeBuilder) {
        return nodeBuilder.getChildNode("jcr:system").getChildNode(PermissionConstants.REP_PERMISSION_STORE).getChildNode(this.workspaceName);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static Tree getTree(String str, NodeState nodeState) {
        return new ImmutableTree(ImmutableTree.ParentProvider.UNSUPPORTED, str, nodeState, TreeTypeProvider.EMPTY);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static List<String> getAceNames(NodeState nodeState) {
        return Lists.newArrayList((Iterable) ((PropertyState) Preconditions.checkNotNull(nodeState.getProperty(AbstractTree.OAK_CHILD_ORDER))).getValue(Type.STRINGS));
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static String getAccessControlledPath(Node node) {
        return AccessControlConstants.REP_REPO_POLICY.equals(node.getName()) ? SyncMode.NO_SYNC : Text.getRelativeParent(node.getPath(), 1);
    }
}
