package org.apache.jackrabbit.oak.security.authorization.composite;

import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Sets;
import java.util.HashSet;
import java.util.Set;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.commons.PathUtils;
import org.apache.jackrabbit.oak.plugins.tree.TreeLocation;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.RepositoryPermission;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
import org.apache.jackrabbit.oak.spi.state.NodeState;
import org.apache.jackrabbit.util.Text;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;

/* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/composite/LimitedScopeProvider.class */
class LimitedScopeProvider extends AbstractAggrProvider implements PrivilegeConstants {
    private static final Set<String> GRANTED_PRIVS = ImmutableSet.of("jcr:removeChildNodes", "jcr:removeNode", "rep:alterProperties", "rep:removeProperties");
    private static final Set<String> DENIED_PRIVS = ImmutableSet.of("jcr:addChildNodes", "rep:addProperties");
    private static final long GRANTED_PERMS = 88;
    private static final long DENIED_PERMS = 36;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/composite/LimitedScopeProvider$EmptyTestPermission.class */
    public static final class EmptyTestPermission implements TreePermission {
        private final String path;

        private EmptyTestPermission(@NotNull String str) {
            this.path = str;
        }

        @NotNull
        public TreePermission getChildPermission(@NotNull String str, @NotNull NodeState nodeState) {
            return LimitedScopeProvider.createTreePermission(PathUtils.concat(this.path, str));
        }

        public boolean canRead() {
            return false;
        }

        public boolean canRead(@NotNull PropertyState propertyState) {
            return false;
        }

        public boolean canReadAll() {
            return false;
        }

        public boolean canReadProperties() {
            return false;
        }

        public boolean isGranted(long j) {
            return false;
        }

        public boolean isGranted(long j, @NotNull PropertyState propertyState) {
            return false;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/composite/LimitedScopeProvider$TestTreePermission.class */
    public static final class TestTreePermission implements TreePermission {
        private final String path;

        private TestTreePermission(@NotNull String str) {
            this.path = str;
        }

        @NotNull
        public TreePermission getChildPermission(@NotNull String str, @NotNull NodeState nodeState) {
            return LimitedScopeProvider.createTreePermission(PathUtils.concat(this.path, str));
        }

        public boolean canRead() {
            return false;
        }

        public boolean canRead(@NotNull PropertyState propertyState) {
            return false;
        }

        public boolean canReadAll() {
            return false;
        }

        public boolean canReadProperties() {
            return false;
        }

        public boolean isGranted(long j) {
            return !Permissions.includes(j, LimitedScopeProvider.DENIED_PERMS) && Permissions.diff(j, LimitedScopeProvider.GRANTED_PERMS) == 0;
        }

        public boolean isGranted(long j, @NotNull PropertyState propertyState) {
            return !Permissions.includes(j, LimitedScopeProvider.DENIED_PERMS) && Permissions.diff(j, LimitedScopeProvider.GRANTED_PERMS) == 0;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public LimitedScopeProvider(@NotNull Root root) {
        super(root);
    }

    @NotNull
    public Set<String> getPrivileges(@Nullable Tree tree) {
        return tree == null ? ImmutableSet.of("jcr:nodeTypeDefinitionManagement") : isSupported(tree) ? ImmutableSet.of("jcr:removeChildNodes", "jcr:removeNode", "rep:alterProperties", "rep:removeProperties") : ImmutableSet.of();
    }

    public boolean hasPrivileges(@Nullable Tree tree, @NotNull String... strArr) {
        HashSet newHashSet = Sets.newHashSet(strArr);
        if (tree == null) {
            return !newHashSet.contains("jcr:namespaceManagement") && newHashSet.size() == 1 && newHashSet.contains("jcr:nodeTypeDefinitionManagement");
        }
        if (isSupported(tree) && !newHashSet.removeAll(DENIED_PRIVS) && newHashSet.removeAll(GRANTED_PRIVS)) {
            return newHashSet.isEmpty();
        }
        return false;
    }

    @NotNull
    public RepositoryPermission getRepositoryPermission() {
        return new RepositoryPermission() { // from class: org.apache.jackrabbit.oak.security.authorization.composite.LimitedScopeProvider.1
            public boolean isGranted(long j) {
                return 32768 == j;
            }
        };
    }

    @NotNull
    public TreePermission getTreePermission(@NotNull Tree tree, @NotNull TreePermission treePermission) {
        return createTreePermission(tree.getPath());
    }

    public boolean isGranted(@NotNull Tree tree, @Nullable PropertyState propertyState, long j) {
        return isSupported(tree) && !Permissions.includes(j, DENIED_PERMS) && Permissions.diff(j, GRANTED_PERMS) == 0;
    }

    public boolean isGranted(@NotNull String str, @NotNull String str2) {
        if (!isSupported(str)) {
            return false;
        }
        long permissions = Permissions.getPermissions(str2, TreeLocation.create(this.root.getTree(str)), false);
        return !Permissions.includes(permissions, DENIED_PERMS) && Permissions.diff(permissions, GRANTED_PERMS) == 0;
    }

    @Override // org.apache.jackrabbit.oak.security.authorization.composite.AbstractAggrProvider
    @NotNull
    public PrivilegeBits supportedPrivileges(@Nullable Tree tree, @Nullable PrivilegeBits privilegeBits) {
        PrivilegeBits privilegeBits2 = tree == null ? PrivilegeBits.getInstance(new PrivilegeBits[]{(PrivilegeBits) PrivilegeBits.BUILT_IN.get("jcr:namespaceManagement"), (PrivilegeBits) PrivilegeBits.BUILT_IN.get("jcr:nodeTypeDefinitionManagement")}) : isSupported(tree) ? (PrivilegeBits) PrivilegeBits.BUILT_IN.get("jcr:write") : PrivilegeBits.EMPTY;
        return (privilegeBits == null || privilegeBits2.isEmpty()) ? privilegeBits2 : PrivilegeBits.getInstance(new PrivilegeBits[]{privilegeBits}).retain(privilegeBits2);
    }

    @Override // org.apache.jackrabbit.oak.security.authorization.composite.AbstractAggrProvider
    public long supportedPermissions(@Nullable Tree tree, @Nullable PropertyState propertyState, long j) {
        if (tree == null) {
            return j & 98304;
        }
        if (isSupported(tree)) {
            return j & 124;
        }
        return 0L;
    }

    @Override // org.apache.jackrabbit.oak.security.authorization.composite.AbstractAggrProvider
    public long supportedPermissions(@NotNull TreeLocation treeLocation, long j) {
        if (isSupported(treeLocation.getPath())) {
            return j & 124;
        }
        return 0L;
    }

    @Override // org.apache.jackrabbit.oak.security.authorization.composite.AbstractAggrProvider
    public long supportedPermissions(@NotNull TreePermission treePermission, @Nullable PropertyState propertyState, long j) {
        if ((treePermission instanceof TestTreePermission) && isSupported(((TestTreePermission) treePermission).path)) {
            return j & 124;
        }
        return 0L;
    }

    public boolean isGranted(@NotNull TreeLocation treeLocation, long j) {
        return isSupported(treeLocation.getPath()) && !Permissions.includes(j, DENIED_PERMS) && Permissions.diff(j, GRANTED_PERMS) == 0;
    }

    boolean isSupported(@NotNull Tree tree) {
        return isSupported(tree.getPath());
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static boolean isSupported(@NotNull String str) {
        return Text.isDescendantOrEqual("/test/a", str);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static TreePermission createTreePermission(@NotNull String str) {
        return isSupported(str) ? new TestTreePermission(str) : Text.isDescendant(str, "/test/a") ? new EmptyTestPermission(str) : TreePermission.NO_RECOURSE;
    }
}
