package org.apache.jackrabbit.oak.security.authentication.token;

import com.google.common.base.Preconditions;
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.plugins.tree.TreeProvider;
import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
import org.apache.jackrabbit.oak.spi.commit.CommitInfo;
import org.apache.jackrabbit.oak.spi.commit.DefaultValidator;
import org.apache.jackrabbit.oak.spi.commit.Validator;
import org.apache.jackrabbit.oak.spi.commit.ValidatorProvider;
import org.apache.jackrabbit.oak.spi.commit.VisibleValidator;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.authentication.token.TokenConstants;
import org.apache.jackrabbit.oak.spi.security.user.util.PasswordUtil;
import org.apache.jackrabbit.oak.spi.state.NodeState;
import org.apache.jackrabbit.util.Text;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:org/apache/jackrabbit/oak/security/authentication/token/TokenValidatorProvider.class */
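/**
 * Supplies the commit validator that guards the reserved nodes and properties
 * of token-based authentication.
 *
 * <p>The validator enforces the following rules, each reported as a
 * {@link CommitFailedException} of type {@code "Constraint"}:
 * <ul>
 *   <li>60 - a reserved token property is added to a node that is not a {@code rep:Token} node</li>
 *   <li>61 - {@code rep:token.key} is changed after creation</li>
 *   <li>62 - the primary type of an existing node is changed to {@code rep:Token}</li>
 *   <li>63 - a token property or token node is written by a commit whose
 *       {@link CommitInfo} is not accepted by {@code CommitMarker.isValidCommitInfo}</li>
 *   <li>64 - a token node or {@code .tokens} node lies outside the configured users path</li>
 *   <li>65 - a token node is not located at {@code <rep:User>/.tokens/<token>}</li>
 *   <li>66 - the token key is rejected by {@link PasswordUtil#isPlainTextPassword(String)}</li>
 *   <li>67 - the mandatory {@code rep:token.exp} property is missing</li>
 *   <li>68 - a {@code .tokens} node is not a direct child of a {@code rep:User} node</li>
 *   <li>69 - the primary type of an existing {@code .tokens} node is changed</li>
 * </ul>
 *
 * <p>NOTE(review): this listing is decompiler output. The decompiler had renamed
 * the two child-node callbacks ({@code m148childNodeAdded} and
 * {@code m147childNodeChanged}); under those names they did not override the
 * {@link Validator} callbacks, so the checks on added and changed child nodes
 * were unreachable from a commit. They carry their original names again here.
 */
public class TokenValidatorProvider extends ValidatorProvider implements TokenConstants {
    private static final Logger log = LoggerFactory.getLogger(TokenValidatorProvider.class);

    /** Path that every token node and {@code .tokens} node must be a descendant of. */
    private final String userRootPath;

    /** Used to expose the before/after node states of a commit as read-only trees. */
    private final TreeProvider treeProvider;

    /**
     * Validator for one level of the content tree. A new instance is created
     * for every child node that is descended into.
     */
    private final class TokenValidator extends DefaultValidator implements TokenConstants {
        /** Parent tree before the commit; {@code null} below a newly added node. */
        private final Tree parentBefore;
        /** Parent tree as it will look after the commit. */
        private final Tree parentAfter;
        /** Commit info of the commit being validated; decides whether token writes are allowed. */
        private final CommitInfo commitInfo;

        /**
         * Creates the root-level validator from the raw node states.
         *
         * @param tokenValidatorProvider enclosing provider whose tree provider wraps the states
         * @param before root state before the commit
         * @param after root state after the commit
         * @param commitInfo commit info of the commit being validated
         */
        TokenValidator(@NotNull TokenValidatorProvider tokenValidatorProvider, @NotNull NodeState before, @NotNull NodeState after, CommitInfo commitInfo) {
            this(tokenValidatorProvider.treeProvider.createReadOnlyTree(before), tokenValidatorProvider.treeProvider.createReadOnlyTree(after), commitInfo);
        }

        private TokenValidator(@Nullable Tree parentBefore, @NotNull Tree parentAfter, @NotNull CommitInfo commitInfo) {
            this.parentBefore = parentBefore;
            this.parentAfter = parentAfter;
            this.commitInfo = commitInfo;
        }

        /**
         * Rejects reserved token properties unless the commit is accepted by
         * {@link #verifyCommitInfo()} and the parent is a {@code rep:Token} node.
         *
         * @throws CommitFailedException with code 63 or 60
         */
        @Override
        public void propertyAdded(PropertyState after) throws CommitFailedException {
            String name = after.getName();
            if (!TOKEN_PROPERTY_NAMES.contains(name)) {
                return;
            }
            // The commit-info check comes first, so an unmarked commit always
            // fails with code 63 regardless of where the property was added.
            verifyCommitInfo();
            if (!isTokenTree(this.parentAfter)) {
                throw TokenValidatorProvider.constraintViolation(60, "Attempt to create reserved token property " + name);
            }
        }

        /**
         * Guards modifications of token properties and of the primary type.
         *
         * @throws CommitFailedException with code 61, 62, 63 or 69
         */
        @Override
        public void propertyChanged(PropertyState before, PropertyState after) throws CommitFailedException {
            String name = after.getName();
            if ("rep:token.key".equals(name)) {
                // The key is immutable once written, even for an accepted commit.
                throw TokenValidatorProvider.constraintViolation(61, "Attempt to change reserved token property " + name);
            }
            if ("rep:token.exp".equals(name)) {
                // The expiration may change, but only through an accepted commit.
                verifyCommitInfo();
                return;
            }
            if ("jcr:primaryType".equals(name)) {
                // An existing node must not be turned into a token node.
                if ("rep:Token".equals(after.getValue(Type.STRING))) {
                    throw TokenValidatorProvider.constraintViolation(62, "Changing primary type of existing node to the reserved token node type.");
                }
                // A .tokens node that had the expected type must keep it.
                if (isTokensParent(this.parentAfter) && "rep:Unstructured".equals(before.getValue(Type.STRING))) {
                    throw TokenValidatorProvider.constraintViolation(69, "Cannot change the primary type of an existing .tokens node.");
                }
            }
        }

        /**
         * Validates a newly added child node.
         *
         * @return {@code null} for a token node (nothing below it is validated),
         *         otherwise a validator for the added subtree
         * @throws CommitFailedException if the added token or {@code .tokens} node is invalid
         */
        @Override
        public Validator childNodeAdded(String name, NodeState after) throws CommitFailedException {
            Tree added = Preconditions.checkNotNull(this.parentAfter.getChild(name));
            if (isTokenTree(added)) {
                validateTokenTree(added);
                return null;
            }
            if (isTokensParent(added)) {
                validateTokensParent(added);
            }
            // No "before" tree exists below a node that was just added.
            return new VisibleValidator(new TokenValidator((Tree) null, added, this.commitInfo), true, true);
        }

        /**
         * Validates a modified child node. The "after" tree is validated as soon as
         * either the before or the after tree is a token node or a {@code .tokens} node.
         *
         * @return a validator for the changed subtree
         * @throws CommitFailedException if the resulting token or {@code .tokens} node is invalid
         */
        @Override
        public Validator childNodeChanged(String name, NodeState before, NodeState after) throws CommitFailedException {
            Tree beforeTree = this.parentBefore == null ? null : this.parentBefore.getChild(name);
            Tree afterTree = this.parentAfter.getChild(name);
            if (isTokenTree(beforeTree) || isTokenTree(afterTree)) {
                validateTokenTree(afterTree);
            } else if (isTokensParent(beforeTree) || isTokensParent(afterTree)) {
                validateTokensParent(afterTree);
            }
            return new VisibleValidator(new TokenValidator(beforeTree, afterTree, this.commitInfo), true, true);
        }

        /**
         * Fails unless {@code CommitMarker.isValidCommitInfo} accepts the commit info.
         *
         * @throws CommitFailedException with code 63
         */
        private void verifyCommitInfo() throws CommitFailedException {
            if (!CommitMarker.isValidCommitInfo(this.commitInfo)) {
                throw TokenValidatorProvider.constraintViolation(63, "Attempt to manually create or change a token node or it's parent.");
            }
        }

        /**
         * Fails unless the path is a descendant of the configured users path.
         *
         * @throws CommitFailedException with code 64
         */
        private void verifyHierarchy(@NotNull String path) throws CommitFailedException {
            if (!Text.isDescendant(TokenValidatorProvider.this.userRootPath, path)) {
                throw TokenValidatorProvider.constraintViolation(64, "Attempt to create a token (or it's parent) outside of configured scope " + path);
            }
        }

        /** Returns {@code true} if the tree is non-null and has primary type {@code rep:Token}. */
        private boolean isTokenTree(@Nullable Tree tree) {
            return tree != null && "rep:Token".equals(TreeUtil.getPrimaryTypeName(tree));
        }

        /**
         * Checks commit info, location, key and expiration of a token node.
         *
         * @throws CommitFailedException with code 63, 64, 65, 66 or 67
         */
        private void validateTokenTree(@NotNull Tree tokenTree) throws CommitFailedException {
            verifyCommitInfo();
            verifyHierarchy(tokenTree.getPath());
            // Required layout: <rep:User>/.tokens/<token>
            Tree tokensParent = tokenTree.getParent();
            if (!isTokensParent(tokensParent) || !"rep:User".equals(TreeUtil.getPrimaryTypeName(tokensParent.getParent()))) {
                throw TokenValidatorProvider.constraintViolation(65, "Invalid location of token node.");
            }
            // A key that PasswordUtil classifies as plain text is refused; presumably
            // this ensures only hashed keys are persisted - confirm against PasswordUtil.
            if (PasswordUtil.isPlainTextPassword(TreeUtil.getString(tokenTree, "rep:token.key"))) {
                throw TokenValidatorProvider.constraintViolation(66, "Invalid token key.");
            }
            if (TreeUtil.getString(tokenTree, "rep:token.exp") == null) {
                throw TokenValidatorProvider.constraintViolation(67, "Mandatory token expiration missing.");
            }
        }

        /**
         * Returns {@code true} if the tree is non-null and named {@code .tokens}.
         * Only the name is inspected here, not the node type.
         */
        private boolean isTokensParent(@Nullable Tree tree) {
            return tree != null && ".tokens".equals(tree.getName());
        }

        /**
         * Checks the location of a {@code .tokens} node. An unexpected primary type
         * is only logged at debug level and does not fail the commit.
         *
         * @throws CommitFailedException with code 64 or 68
         */
        private void validateTokensParent(@NotNull Tree tokensParent) throws CommitFailedException {
            verifyHierarchy(tokensParent.getPath());
            if (!"rep:User".equals(TreeUtil.getPrimaryTypeName(tokensParent.getParent()))) {
                throw TokenValidatorProvider.constraintViolation(68, "Invalid location of .tokens node.");
            }
            String primaryTypeName = TreeUtil.getPrimaryTypeName(tokensParent);
            if (!"rep:Unstructured".equals(primaryTypeName)) {
                // Parameterized logging: the message is only built when debug is enabled.
                TokenValidatorProvider.log.debug("Unexpected node type of .tokens node {}.", primaryTypeName);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates the provider.
     *
     * @param configurationParameters configuration; the {@code usersPath} option sets the
     *        path below which tokens are accepted and defaults to
     *        {@code /rep:security/rep:authorizables/rep:users}
     * @param treeProvider used to create read-only trees from node states
     */
    public TokenValidatorProvider(@NotNull ConfigurationParameters configurationParameters, @NotNull TreeProvider treeProvider) {
        this.userRootPath = (String) configurationParameters.getConfigValue("usersPath", "/rep:security/rep:authorizables/rep:users");
        this.treeProvider = treeProvider;
    }

    /**
     * Returns the validator for the root of the commit.
     *
     * @param nodeState root state before the commit
     * @param nodeState2 root state after the commit
     * @param commitInfo commit info of the commit being validated
     */
    @Override
    protected Validator getRootValidator(NodeState nodeState, NodeState nodeState2, CommitInfo commitInfo) {
        return new TokenValidator(this, nodeState, nodeState2, commitInfo);
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Builds a {@link CommitFailedException} of type {@code "Constraint"}.
     *
     * @param i numeric error code
     * @param str error message
     * @return the exception, to be thrown by the caller
     */
    public static CommitFailedException constraintViolation(int i, @NotNull String str) {
        return new CommitFailedException("Constraint", i, str);
    }
}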
