package org.apache.jackrabbit.oak.security.authorization.permission;

import com.google.common.base.Preconditions;
import com.google.common.base.Predicate;
import com.google.common.base.Strings;
import com.google.common.collect.ImmutableSortedSet;
import com.google.common.collect.Iterators;
import com.google.common.primitives.Longs;
import java.security.Principal;
import java.security.acl.Group;
import java.util.Collection;
import java.util.Comparator;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.NoSuchElementException;
import java.util.Set;
import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.core.ImmutableTree;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.ReadStatus;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionPattern;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
import org.apache.jackrabbit.oak.util.TreeUtil;
import org.apache.jackrabbit.util.Text;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.class */
public class CompiledPermissionImpl implements CompiledPermissions, PermissionConstants {
    private final Set<Principal> principals;
    private final RestrictionProvider restrictionProvider;
    private final Map<String, Tree> userTrees;
    private final Map<String, Tree> groupTrees;
    private final Set<String> readPaths;
    private PrivilegeBitsProvider bitsProvider;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl$EntryComparator.class */
    public static final class EntryComparator implements Comparator<PermissionEntry> {
        private EntryComparator() {
        }

        @Override // java.util.Comparator
        public int compare(@Nonnull PermissionEntry permissionEntry, @Nonnull PermissionEntry permissionEntry2) {
            return Longs.compare(permissionEntry2.index, permissionEntry.index);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl$EntryIterator.class */
    public class EntryIterator implements Iterator<PermissionEntry> {
        private final Collection<Tree> principalTrees;
        private final EntryPredicate predicate;
        private String path;
        private Iterator<PermissionEntry> nextEntries;
        private PermissionEntry next;

        private EntryIterator(@Nonnull Map<String, Tree> map, @Nonnull EntryPredicate entryPredicate) {
            this.nextEntries = Iterators.emptyIterator();
            this.principalTrees = map.values();
            this.predicate = entryPredicate;
            this.path = Strings.nullToEmpty(entryPredicate.path);
            this.next = seekNext();
        }

        @Override // java.util.Iterator
        public boolean hasNext() {
            return this.next != null;
        }

        /* JADX WARN: Can't rename method to resolve collision */
        @Override // java.util.Iterator
        public PermissionEntry next() {
            if (this.next == null) {
                throw new NoSuchElementException();
            }
            PermissionEntry permissionEntry = this.next;
            this.next = seekNext();
            return permissionEntry;
        }

        @Override // java.util.Iterator
        public void remove() {
            throw new UnsupportedOperationException();
        }

        @CheckForNull
        private PermissionEntry seekNext() {
            while (!this.nextEntries.hasNext() && this.path != null) {
                this.nextEntries = getNextEntries();
                this.path = PermissionUtil.getParentPathOrNull(this.path);
            }
            if (this.nextEntries.hasNext()) {
                return this.nextEntries.next();
            }
            return null;
        }

        @Nonnull
        private Iterator<PermissionEntry> getNextEntries() {
            ImmutableSortedSet.Builder builder = new ImmutableSortedSet.Builder(new EntryComparator());
            for (Tree tree : this.principalTrees) {
                String entryName = PermissionUtil.getEntryName(this.path);
                Tree tree2 = tree;
                while (tree2.hasChild(entryName)) {
                    tree2 = tree2.getChild(entryName);
                    PermissionEntry permissionEntry = new PermissionEntry(tree2, CompiledPermissionImpl.this.restrictionProvider);
                    if (this.predicate.apply(permissionEntry)) {
                        builder.add(permissionEntry);
                    }
                }
            }
            return builder.build().iterator();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl$EntryPredicate.class */
    public static final class EntryPredicate implements Predicate<PermissionEntry> {
        private final Tree tree;
        private final PropertyState property;
        private final String path;

        private EntryPredicate(@Nonnull Tree tree, @Nullable PropertyState propertyState) {
            this.tree = tree;
            this.property = propertyState;
            this.path = tree.getPath();
        }

        private EntryPredicate(@Nonnull String str) {
            this.tree = null;
            this.property = null;
            this.path = str;
        }

        private EntryPredicate() {
            this.tree = null;
            this.property = null;
            this.path = null;
        }

        public boolean apply(@Nullable PermissionEntry permissionEntry) {
            if (permissionEntry == null) {
                return false;
            }
            return this.tree != null ? permissionEntry.matches(this.tree, this.property) : this.path != null ? permissionEntry.matches(this.path) : permissionEntry.matches();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl$PermissionEntry.class */
    public static final class PermissionEntry {
        private final boolean isAllow;
        private final PrivilegeBits privilegeBits;
        private final long index;
        private final String path;
        private final RestrictionPattern restriction;
        private ReadStatus readStatus;

        private PermissionEntry(Tree tree, RestrictionProvider restrictionProvider) {
            this.readStatus = null;
            this.isAllow = ((Boolean) tree.getProperty(PermissionConstants.REP_IS_ALLOW).getValue(Type.BOOLEAN)).booleanValue();
            this.privilegeBits = PrivilegeBits.getInstance(tree.getProperty("rep:privileges"));
            this.index = ((Long) Preconditions.checkNotNull(tree.getProperty(PermissionConstants.REP_INDEX).getValue(Type.LONG))).longValue();
            this.path = Strings.emptyToNull(TreeUtil.getString(tree, PermissionConstants.REP_ACCESS_CONTROLLED_PATH));
            this.restriction = restrictionProvider.getPattern(this.path, tree);
        }

        /* JADX INFO: Access modifiers changed from: private */
        public boolean matches(@Nonnull Tree tree, @Nullable PropertyState propertyState) {
            return this.restriction.matches(tree, propertyState);
        }

        /* JADX INFO: Access modifiers changed from: private */
        public boolean matches(@Nonnull String str) {
            return this.restriction.matches(str);
        }

        /* JADX INFO: Access modifiers changed from: private */
        public boolean matches() {
            return this.restriction.matches();
        }

        /* JADX INFO: Access modifiers changed from: private */
        public boolean matchesParent(@Nonnull String str) {
            if (Text.isDescendantOrEqual(this.path, str)) {
                return this.restriction.matches(str);
            }
            return false;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public CompiledPermissionImpl(@Nonnull Set<Principal> set, @Nonnull ImmutableTree immutableTree, @Nonnull PrivilegeBitsProvider privilegeBitsProvider, @Nonnull RestrictionProvider restrictionProvider, @Nonnull Set<String> set2) {
        Preconditions.checkArgument(!set.isEmpty());
        this.principals = set;
        this.restrictionProvider = restrictionProvider;
        this.bitsProvider = privilegeBitsProvider;
        this.readPaths = set2;
        this.userTrees = new HashMap(set.size());
        this.groupTrees = new HashMap(set.size());
        if (immutableTree.exists()) {
            for (Principal principal : set) {
                Tree principalRoot = getPrincipalRoot(immutableTree, principal);
                Map<String, Tree> targetMap = getTargetMap(principal);
                if (principalRoot.exists()) {
                    targetMap.put(principal.getName(), principalRoot);
                } else {
                    targetMap.remove(principal.getName());
                }
            }
        }
    }

    @Override // org.apache.jackrabbit.oak.security.authorization.permission.CompiledPermissions
    public void refresh(@Nonnull ImmutableTree immutableTree, @Nonnull PrivilegeBitsProvider privilegeBitsProvider) {
        this.bitsProvider = privilegeBitsProvider;
        for (Principal principal : this.principals) {
            Map<String, Tree> targetMap = getTargetMap(principal);
            Tree principalRoot = getPrincipalRoot(immutableTree, principal);
            String name = principal.getName();
            if (!principalRoot.exists()) {
                targetMap.remove(name);
            } else if (!targetMap.containsKey(name) || !principalRoot.equals(targetMap.get(name))) {
                targetMap.put(name, principalRoot);
            }
        }
    }

    @Override // org.apache.jackrabbit.oak.security.authorization.permission.CompiledPermissions
    public ReadStatus getReadStatus(@Nonnull Tree tree, @Nullable PropertyState propertyState) {
        if (isReadablePath(tree, null)) {
            return ReadStatus.ALLOW_ALL_REGULAR;
        }
        long j = propertyState == null ? 1L : 2L;
        Iterator<PermissionEntry> entryIterator = getEntryIterator(new EntryPredicate(tree, propertyState));
        while (entryIterator.hasNext()) {
            PermissionEntry next = entryIterator.next();
            if (next.readStatus != null) {
                return next.readStatus;
            }
            if (next.privilegeBits.includesRead(j)) {
                return next.isAllow ? ReadStatus.ALLOW_THIS : ReadStatus.DENY_THIS;
            }
        }
        return ReadStatus.DENY_THIS;
    }

    @Override // org.apache.jackrabbit.oak.security.authorization.permission.CompiledPermissions
    public boolean isGranted(long j) {
        return hasPermissions(getEntryIterator(new EntryPredicate()), j, null, null);
    }

    @Override // org.apache.jackrabbit.oak.security.authorization.permission.CompiledPermissions
    public boolean isGranted(@Nonnull Tree tree, @Nullable PropertyState propertyState, long j) {
        return hasPermissions(getEntryIterator(new EntryPredicate(tree, propertyState)), j, tree, null);
    }

    @Override // org.apache.jackrabbit.oak.security.authorization.permission.CompiledPermissions
    public boolean isGranted(@Nonnull String str, long j) {
        return hasPermissions(getEntryIterator(new EntryPredicate(str)), j, null, str);
    }

    @Override // org.apache.jackrabbit.oak.security.authorization.permission.CompiledPermissions
    public Set<String> getPrivileges(@Nullable Tree tree) {
        return this.bitsProvider.getPrivilegeNames(getPrivilegeBits(tree));
    }

    @Override // org.apache.jackrabbit.oak.security.authorization.permission.CompiledPermissions
    public boolean hasPrivileges(@Nullable Tree tree, String... strArr) {
        return getPrivilegeBits(tree).includes(this.bitsProvider.getBits(strArr));
    }

    @Nonnull
    private static Tree getPrincipalRoot(Tree tree, Principal principal) {
        return tree.getChild(Text.escapeIllegalJcrChars(principal.getName()));
    }

    @Nonnull
    private Map<String, Tree> getTargetMap(Principal principal) {
        return principal instanceof Group ? this.groupTrees : this.userTrees;
    }

    private boolean hasPermissions(@Nonnull Iterator<PermissionEntry> it, long j, @Nullable Tree tree, @Nullable String str) {
        PrivilegeBits privilegeBits;
        PrivilegeBits privilegeBits2;
        boolean z = Permissions.diff(3L, j) != 3 && isReadablePath(tree, str);
        if (!it.hasNext() && !z) {
            return false;
        }
        boolean z2 = !(tree == null && str == null) && (Permissions.includes(j, 32L) || Permissions.includes(j, 64L) || Permissions.includes(j, Permissions.MODIFY_CHILD_NODE_COLLECTION));
        long j2 = z ? 3L : 0L;
        long j3 = 0;
        PrivilegeBits privilegeBits3 = PrivilegeBits.getInstance();
        if (z) {
            privilegeBits3.add(this.bitsProvider.getBits(PrivilegeConstants.JCR_READ));
        }
        PrivilegeBits privilegeBits4 = PrivilegeBits.getInstance();
        String str2 = null;
        if (z2) {
            privilegeBits = PrivilegeBits.getInstance();
            privilegeBits2 = PrivilegeBits.getInstance();
            if (str != null || tree != null) {
                str2 = PermissionUtil.getParentPathOrNull(str != null ? str : tree.getPath());
            }
        } else {
            privilegeBits = PrivilegeBits.EMPTY;
            privilegeBits2 = PrivilegeBits.EMPTY;
            str2 = null;
        }
        while (it.hasNext()) {
            PermissionEntry next = it.next();
            if (z2 && str2 != null && next.matchesParent(str2)) {
                if (next.isAllow) {
                    privilegeBits.addDifference(next.privilegeBits, privilegeBits2);
                } else {
                    privilegeBits2.addDifference(next.privilegeBits, privilegeBits);
                }
            }
            if (next.isAllow) {
                privilegeBits3.addDifference(next.privilegeBits, privilegeBits4);
                j2 |= Permissions.diff(PrivilegeBits.calculatePermissions(privilegeBits3, privilegeBits, true), j3);
                if ((j2 | (j ^ (-1))) == -1) {
                    return true;
                }
            } else {
                privilegeBits4.addDifference(next.privilegeBits, privilegeBits3);
                j3 |= Permissions.diff(PrivilegeBits.calculatePermissions(privilegeBits4, privilegeBits2, false), j2);
                if (Permissions.includes(j3, j)) {
                    return false;
                }
            }
        }
        return (j2 | (j ^ (-1))) == -1;
    }

    @Nonnull
    private PrivilegeBits getPrivilegeBits(@Nullable Tree tree) {
        Iterator<PermissionEntry> entryIterator = getEntryIterator(tree == null ? new EntryPredicate() : new EntryPredicate(tree, null));
        PrivilegeBits privilegeBits = PrivilegeBits.getInstance();
        PrivilegeBits privilegeBits2 = PrivilegeBits.getInstance();
        while (entryIterator.hasNext()) {
            PermissionEntry next = entryIterator.next();
            if (next.isAllow) {
                privilegeBits.addDifference(next.privilegeBits, privilegeBits2);
            } else {
                privilegeBits2.addDifference(next.privilegeBits, privilegeBits);
            }
        }
        if (isReadablePath(tree, null)) {
            privilegeBits.add(this.bitsProvider.getBits(PrivilegeConstants.JCR_READ));
        }
        return privilegeBits;
    }

    @Nonnull
    private Iterator<PermissionEntry> getEntryIterator(@Nonnull EntryPredicate entryPredicate) {
        return Iterators.concat(this.userTrees.isEmpty() ? Iterators.emptyIterator() : new EntryIterator(this.userTrees, entryPredicate), this.groupTrees.isEmpty() ? Iterators.emptyIterator() : new EntryIterator(this.groupTrees, entryPredicate));
    }

    private boolean isReadablePath(@Nullable Tree tree, @Nullable String str) {
        if (this.readPaths.isEmpty()) {
            return false;
        }
        String path = tree != null ? tree.getPath() : str;
        if (path == null) {
            return false;
        }
        Iterator<String> it = this.readPaths.iterator();
        while (it.hasNext()) {
            if (Text.isDescendantOrEqual(it.next(), path)) {
                return true;
            }
        }
        return false;
    }
}
