package org.apache.jackrabbit.oak.security.authorization.permission;

import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableSet;
import java.security.Principal;
import java.util.Set;
import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.commons.PathUtils;
import org.apache.jackrabbit.oak.core.ImmutableRoot;
import org.apache.jackrabbit.oak.core.ImmutableTree;
import org.apache.jackrabbit.oak.core.TreeTypeProviderImpl;
import org.apache.jackrabbit.oak.spi.security.SecurityConfiguration;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import org.apache.jackrabbit.oak.spi.security.authentication.external.SyncMode;
import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.ReadStatus;
import org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal;
import org.apache.jackrabbit.oak.spi.security.principal.SystemPrincipal;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider;
import org.apache.jackrabbit.oak.util.TreeLocation;
import org.apache.jackrabbit.oak.util.TreeUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/permission/PermissionProviderImpl.class */
/**
 * {@link PermissionProvider} that answers read-status, permission and privilege queries for one
 * set of principals by delegating to a {@link CompiledPermissions} instance selected once, in the
 * constructor.
 *
 * <p>Selection of the delegate, as implemented below:
 * <ul>
 *   <li>the principal set contains {@link SystemPrincipal#INSTANCE}, an {@link AdminPrincipal}, or
 *       a principal whose name is listed under
 *       {@link PermissionConstants#PARAM_ADMINISTRATIVE_PRINCIPALS}: {@code AllPermissions};</li>
 *   <li>the permission store tree for the workspace does not exist, or the principal set is
 *       empty: {@code NoPermissions};</li>
 *   <li>otherwise: a {@code CompiledPermissionImpl} built from the permission store.</li>
 * </ul>
 *
 * <p>The {@code immutableRoot} field is non-final and is reassigned by {@link #refresh()}; no
 * synchronization is visible in this class.
 */
public class PermissionProviderImpl implements PermissionProvider, AccessControlConstants, PermissionConstants {
    private static final Logger log = LoggerFactory.getLogger(PermissionProviderImpl.class);
    private final Root root;
    private final String workspaceName;
    private final AuthorizationConfiguration acConfig;
    private final CompiledPermissions compiledPermissions;
    private ImmutableRoot immutableRoot;

    /**
     * Builds the provider and decides which {@link CompiledPermissions} implementation will back
     * every later query.
     *
     * @param root root whose content session supplies the workspace name; wrapped in an
     *     {@link ImmutableRoot} unless it already is one
     * @param set principals the permissions are evaluated for
     * @param securityProvider source of the {@link AuthorizationConfiguration}
     */
    public PermissionProviderImpl(@Nonnull Root root, @Nonnull Set<Principal> set, @Nonnull SecurityProvider securityProvider) {
        this.root = root;
        this.workspaceName = root.getContentSession().getWorkspaceName();
        this.acConfig = (AuthorizationConfiguration) securityProvider.getConfiguration(AuthorizationConfiguration.class);
        this.immutableRoot = getImmutableRoot(root, this.acConfig);

        final CompiledPermissions selected;
        if (set.contains(SystemPrincipal.INSTANCE) || isAdmin(set)) {
            // Privileged short-circuit: the permission store is never consulted for these sets.
            selected = AllPermissions.getInstance();
        } else {
            ImmutableTree store = getPermissionsRoot();
            if (store.exists() && !set.isEmpty()) {
                selected = new CompiledPermissionImpl(
                        set,
                        store,
                        getBitsProvider(),
                        this.acConfig.getRestrictionProvider(),
                        ImmutableSet.copyOf((String[]) this.acConfig.getParameters().getConfigValue(PermissionConstants.PARAM_READ_PATHS, DEFAULT_READ_PATHS)));
            } else {
                // Missing store or no principals: fall back to the deny-everything delegate.
                selected = NoPermissions.getInstance();
            }
        }
        this.compiledPermissions = selected;
    }

    /**
     * Re-derives the immutable root from the wrapped {@link Root} and hands the delegate a fresh
     * permission store tree and privilege bits provider.
     */
    @Override
    public void refresh() {
        // The new immutable root must be in place first: both helpers below read it.
        this.immutableRoot = getImmutableRoot(this.root, this.acConfig);
        this.compiledPermissions.refresh(getPermissionsRoot(), getBitsProvider());
    }

    /**
     * Returns the privilege names reported by the delegate for {@code tree}.
     *
     * @param tree tree to evaluate, may be {@code null}
     * @return the delegate's result, passed through unchanged
     */
    @Override
    @Nonnull
    public Set<String> getPrivileges(@Nullable Tree tree) {
        return this.compiledPermissions.getPrivileges(tree);
    }

    /**
     * Asks the delegate whether the given privilege names are held at {@code tree}.
     *
     * @param tree tree to evaluate, may be {@code null}
     * @param strArr privilege names to test
     * @return the delegate's result, passed through unchanged
     */
    @Override
    public boolean hasPrivileges(@Nullable Tree tree, String... strArr) {
        return this.compiledPermissions.hasPrivileges(tree, strArr);
    }

    /**
     * Computes the read status of {@code tree} (and optionally one of its properties), branching
     * on the integer tree type returned by {@link ImmutableTree#getType(Tree)}.
     *
     * @param tree tree being read
     * @param propertyState property being read, or {@code null} for the tree itself
     * @return the read status for the item
     */
    @Override
    public ReadStatus getReadStatus(@Nonnull Tree tree, @Nullable PropertyState propertyState) {
        final int treeType = getType(tree, propertyState);
        if (treeType == 2) {
            // Going by the helper name, type 2 marks version-store content; it is evaluated at
            // the versionable node it belongs to.
            return getVersionContentReadStatus(tree, propertyState);
        }
        if (treeType == 4) {
            // Going by the helper name, type 4 marks access control content. The decision is made
            // on the tree alone (property passed as null) and applies as ALLOW_ALL / DENY_ALL.
            if (canReadAccessControlContent(tree, null)) {
                return ReadStatus.ALLOW_ALL;
            }
            return ReadStatus.DENY_ALL;
        }
        if (treeType == 8) {
            // Unconditional allow, independent of the principal set.
            // NOTE(review): 8 is presumably the hidden-tree type (TreeTypeProvider.TYPE_HIDDEN);
            // confirm, and confirm nothing sensitive is reachable under trees of this type.
            return ReadStatus.ALLOW_ALL;
        }
        return this.compiledPermissions.getReadStatus(tree, propertyState);
    }

    /**
     * Asks the delegate whether the permission bits {@code j} are granted repository-wide.
     *
     * @param j permission bits
     * @return the delegate's result, passed through unchanged
     */
    @Override
    public boolean isGranted(long j) {
        return this.compiledPermissions.isGranted(j);
    }

    /**
     * Tests the permission bits {@code j} on a tree or one of its properties, branching on the
     * same integer tree type as {@link #getReadStatus(Tree, PropertyState)}. Type 4 has no
     * special case here and takes the default path.
     *
     * @param tree tree the permission is tested on
     * @param propertyState property the permission is tested on, or {@code null}
     * @param j permission bits
     * @return {@code true} if granted
     */
    @Override
    public boolean isGranted(@Nonnull Tree tree, @Nullable PropertyState propertyState, long j) {
        final int treeType = getType(tree, propertyState);
        if (treeType == 8) {
            // Every permission is granted for this type, whatever the principals are.
            // NOTE(review): presumably the hidden-tree type; confirm this also covers write bits
            // intentionally.
            return true;
        }
        if (treeType != 2) {
            return this.compiledPermissions.isGranted(tree, propertyState, j);
        }

        TreeLocation versionable = getVersionableLocation(tree, propertyState);
        if (versionable == null) {
            // No versionable path could be derived: evaluate the version-store item itself.
            return this.compiledPermissions.isGranted(tree, propertyState, j);
        }
        Tree target = owningTree(versionable, propertyState);
        if (target == null) {
            // The location yields no tree: fall back to a path-based check.
            return this.compiledPermissions.isGranted(versionable.getPath(), j);
        }
        return this.compiledPermissions.isGranted(target, propertyState, j);
    }

    /**
     * Tests permissions identified by a string on the item at the given path.
     *
     * @param str path of the item; resolved against the current immutable root
     * @param str2 string translated to permission bits by {@link Permissions#getPermissions}
     *     (presumably JCR action names; verify against callers)
     * @return {@code true} if granted; {@code false} when the location exists but yields no tree
     */
    @Override
    public boolean isGranted(@Nonnull String str, @Nonnull String str2) {
        TreeLocation location = TreeLocation.create(this.immutableRoot, str);
        long permissions = Permissions.getPermissions(str2, location, this.acConfig.getContext().definesLocation(location));
        if (!location.exists()) {
            // Nothing at that path yet: only a path-based evaluation is possible.
            return this.compiledPermissions.isGranted(str, permissions);
        }
        PropertyState property = location.getProperty();
        Tree owner = owningTree(location, property);
        // An existing location without a resolvable tree is denied.
        return owner != null && isGranted(owner, property, permissions);
    }

    /**
     * Decides whether the principal set is administrative: it contains an {@link AdminPrincipal}
     * or a principal whose name is configured under
     * {@link PermissionConstants#PARAM_ADMINISTRATIVE_PRINCIPALS}.
     *
     * @param principals principals to inspect
     * @return {@code true} on the first match, {@code false} if none matches
     */
    private boolean isAdmin(Set<Principal> principals) {
        Set<Object> adminNames = ImmutableSet.copyOf((Object[]) this.acConfig.getParameters().getConfigValue(PermissionConstants.PARAM_ADMINISTRATIVE_PRINCIPALS, new String[0]));
        for (Principal candidate : principals) {
            if (candidate instanceof AdminPrincipal) {
                return true;
            }
            // Name-only match: the principal's class is not considered on this branch.
            // NOTE(review): relies on the caller passing a principal set produced by
            // authentication; confirm at the call sites.
            if (adminNames.contains(candidate.getName())) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns {@code source} itself when it already is an {@link ImmutableRoot}, otherwise wraps
     * it together with a {@link TreeTypeProviderImpl} built from the configuration's context.
     */
    private static ImmutableRoot getImmutableRoot(Root source, SecurityConfiguration config) {
        if (source instanceof ImmutableRoot) {
            return (ImmutableRoot) source;
        }
        return new ImmutableRoot(source, new TreeTypeProviderImpl(config.getContext()));
    }

    /** Looks up the permission store tree of this provider's workspace in the immutable root. */
    @Nonnull
    private ImmutableTree getPermissionsRoot() {
        String storePath = "/jcr:system/rep:permissionStore/" + this.workspaceName;
        return this.immutableRoot.getTree(storePath);
    }

    /** Creates a new {@link PrivilegeBitsProvider} over the current immutable root. */
    @Nonnull
    private PrivilegeBitsProvider getBitsProvider() {
        return new PrivilegeBitsProvider(this.immutableRoot);
    }

    /**
     * Returns the integer type {@link ImmutableTree#getType(Tree)} reports for {@code tree}.
     * The property argument is accepted but not used.
     */
    private static int getType(@Nonnull Tree tree, @Nullable PropertyState unusedProperty) {
        return ImmutableTree.getType(tree);
    }

    /**
     * Asks the delegate for permission bits {@code 128L} on the item.
     * NOTE(review): 128 is presumably Permissions.READ_ACCESS_CONTROL; confirm.
     */
    private boolean canReadAccessControlContent(@Nonnull Tree acTree, @Nullable PropertyState acProperty) {
        return this.compiledPermissions.isGranted(acTree, acProperty, 128L);
    }

    /**
     * Read status for an item of tree type 2, evaluated at the versionable location when one can
     * be derived and at the item itself otherwise.
     *
     * @param versionTree tree of type 2
     * @param property property being read, or {@code null} for the tree itself
     * @return the delegate's read status, or ALLOW_THIS / DENY_THIS from a path-based check when
     *     the versionable location yields no tree
     */
    private ReadStatus getVersionContentReadStatus(@Nonnull Tree versionTree, @Nullable PropertyState property) {
        TreeLocation versionable = getVersionableLocation(versionTree, property);
        if (versionable == null) {
            return this.compiledPermissions.getReadStatus(versionTree, property);
        }
        Tree target = owningTree(versionable, property);
        if (target != null) {
            return this.compiledPermissions.getReadStatus(target, property);
        }
        String versionablePath = versionable.getPath();
        // NOTE(review): 1L / 2L are presumably Permissions.READ_NODE / READ_PROPERTY; confirm.
        long requiredBits = property == null ? 1L : 2L;
        return this.compiledPermissions.isGranted(versionablePath, requiredBits) ? ReadStatus.ALLOW_THIS : ReadStatus.DENY_THIS;
    }

    /**
     * Derives the location of the versionable item that a version-store item belongs to, by
     * walking up from {@code versionTree} until a non-existing tree, the root, or a tree named
     * {@code jcr:versionStorage} is reached.
     *
     * @param versionTree starting tree
     * @param property property of interest, or {@code null}
     * @return location built from the path recorded on an {@code nt:versionHistory} ancestor, or
     *     {@code null} if no non-empty path was found
     * @throws NullPointerException if a visited tree has no primary type name
     */
    @CheckForNull
    private TreeLocation getVersionableLocation(@Nonnull Tree versionTree, @Nullable PropertyState property) {
        // SyncMode.NO_SYNC is used purely as a string constant here, presumably the empty string
        // substituted by the decompiler; confirm.
        String relPath = SyncMode.NO_SYNC;
        String propertyName = property == null ? SyncMode.NO_SYNC : property.getName();
        String versionablePath = null;

        for (Tree current = versionTree;
                current.exists() && !current.isRoot() && !"jcr:versionStorage".equals(current.getName());
                current = current.getParent()) {
            String nodeName = current.getName();
            String primaryType = (String) Preconditions.checkNotNull(TreeUtil.getPrimaryTypeName(current));
            if ("jcr:frozenNode".equals(nodeName) && current != versionTree) {
                // Remember where the starting tree sits below the frozen node.
                relPath = PathUtils.relativize(current.getPath(), versionTree.getPath());
            } else if ("nt:versionHistory".equals(primaryType)) {
                // The version history carries a PATH property named after the workspace.
                PropertyState recorded = current.getProperty(this.workspaceName);
                if (recorded != null) {
                    versionablePath = PathUtils.concat((String) recorded.getValue(Type.PATH), new String[]{relPath, propertyName});
                }
            }
        }

        if (versionablePath == null || versionablePath.length() == 0) {
            log.debug("Unable to determine versionable path of the version store node.");
            return null;
        }
        return TreeLocation.create(this.immutableRoot, versionablePath);
    }

    /**
     * Resolves the tree a permission check is evaluated on: the location's own tree when no
     * property is involved, otherwise the tree of the location's parent.
     *
     * @return the resolved tree, or {@code null} if the location yields none
     */
    @CheckForNull
    private static Tree owningTree(@Nonnull TreeLocation location, @Nullable PropertyState property) {
        if (property == null) {
            return location.getTree();
        }
        return location.getParent().getTree();
    }
}
