package org.apache.jackrabbit.core.security.authorization.acl;

import java.security.Principal;
import javax.jcr.AccessDeniedException;
import javax.jcr.Node;
import javax.jcr.NodeIterator;
import javax.jcr.PathNotFoundException;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.ValueFactory;
import javax.jcr.ValueFormatException;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlException;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitWorkspace;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy;
import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
import org.apache.jackrabbit.core.NodeImpl;
import org.apache.jackrabbit.core.ProtectedItemModifier;
import org.apache.jackrabbit.core.SessionImpl;
import org.apache.jackrabbit.core.security.authorization.AccessControlConstants;
import org.apache.jackrabbit.core.security.authorization.AccessControlEditor;
import org.apache.jackrabbit.core.security.authorization.AccessControlEntryImpl;
import org.apache.jackrabbit.core.security.authorization.AccessControlUtils;
import org.apache.jackrabbit.spi.Name;
import org.apache.jackrabbit.spi.commons.conversion.NameException;
import org.apache.jackrabbit.spi.commons.conversion.NameParser;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX WARN: Classes with same name are omitted:
  input_file:WEB-INF/lib/jackrabbit-core-2.21.26-beta.jar:org/apache/jackrabbit/core/security/authorization/acl/ACLEditor.class
 */
/* loaded from: input_file:org/apache/jackrabbit/core/security/authorization/acl/ACLEditor.class */
public class ACLEditor extends ProtectedItemModifier implements AccessControlEditor, AccessControlConstants {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) ACLEditor.class);
    private static final String DEFAULT_ACE_NAME = "ace";
    private final SessionImpl session;
    private final AccessControlUtils utils;
    private final boolean allowUnknownPrincipals;

    /* JADX INFO: Access modifiers changed from: package-private */
    public ACLEditor(Session session, AccessControlUtils accessControlUtils, boolean z) {
        super(64);
        if (!(session instanceof SessionImpl)) {
            throw new IllegalArgumentException("org.apache.jackrabbit.core.SessionImpl expected. Found " + session.getClass());
        }
        this.session = (SessionImpl) session;
        this.utils = accessControlUtils;
        this.allowUnknownPrincipals = z;
    }

    ACLTemplate getACL(NodeImpl nodeImpl, String str) throws RepositoryException {
        return new ACLTemplate(nodeImpl, str, this.allowUnknownPrincipals);
    }

    @Override // org.apache.jackrabbit.core.security.authorization.AccessControlEditor
    public AccessControlPolicy[] getPolicies(String str) throws AccessControlException, PathNotFoundException, RepositoryException {
        checkProtectsNode(str);
        NodeImpl aclNode = getAclNode(str);
        return aclNode == null ? new AccessControlPolicy[0] : new AccessControlPolicy[]{getACL(aclNode, str)};
    }

    @Override // org.apache.jackrabbit.core.security.authorization.AccessControlEditor
    public JackrabbitAccessControlPolicy[] getPolicies(Principal principal) throws AccessControlException, RepositoryException {
        if (this.session.getPrincipalManager().hasPrincipal(principal.getName())) {
            return new JackrabbitAccessControlPolicy[0];
        }
        throw new AccessControlException("Unknown principal.");
    }

    @Override // org.apache.jackrabbit.core.security.authorization.AccessControlEditor
    public AccessControlPolicy[] editAccessControlPolicies(String str) throws AccessControlException, PathNotFoundException, RepositoryException {
        NodeImpl node;
        String jCRName;
        Name name;
        checkProtectsNode(str);
        if (str == null) {
            node = (NodeImpl) this.session.getRootNode();
            jCRName = this.session.getJCRName(NT_REP_REPO_ACCESS_CONTROLLABLE);
            name = N_REPO_POLICY;
        } else {
            node = getNode(str);
            jCRName = this.session.getJCRName(NT_REP_ACCESS_CONTROLLABLE);
            name = N_POLICY;
        }
        ACLTemplate aCLTemplate = null;
        if (getAclNode(node, str) == null) {
            if (node.hasNode(name)) {
                log.warn("Colliding policy child without node being access controllable ({}).", str);
            } else {
                PrivilegeManager privilegeManager = ((JackrabbitWorkspace) this.session.getWorkspace()).getPrivilegeManager();
                if (node.isNodeType(jCRName) || node.canAddMixin(jCRName)) {
                    aCLTemplate = new ACLTemplate(str, this.session.getPrincipalManager(), privilegeManager, this.session.getValueFactory(), this.session, this.allowUnknownPrincipals);
                } else {
                    log.warn("Node {} cannot be made access controllable.", str);
                }
            }
        }
        return aCLTemplate != null ? new AccessControlPolicy[]{aCLTemplate} : new AccessControlPolicy[0];
    }

    @Override // org.apache.jackrabbit.core.security.authorization.AccessControlEditor
    public JackrabbitAccessControlPolicy[] editAccessControlPolicies(Principal principal) throws AccessDeniedException, AccessControlException, RepositoryException {
        if (this.session.getPrincipalManager().hasPrincipal(principal.getName())) {
            return new JackrabbitAccessControlPolicy[0];
        }
        throw new AccessControlException("Unknown principal.");
    }

    @Override // org.apache.jackrabbit.core.security.authorization.AccessControlEditor
    public void setPolicy(String str, AccessControlPolicy accessControlPolicy) throws RepositoryException {
        checkProtectsNode(str);
        checkValidPolicy(str, accessControlPolicy);
        NodeImpl aclNode = getAclNode(str);
        if (aclNode != null) {
            NodeIterator nodes = aclNode.getNodes();
            while (nodes.hasNext()) {
                removeItem((NodeImpl) nodes.nextNode());
            }
        } else {
            aclNode = str == null ? createRepoAclNode() : createAclNode(str);
        }
        for (AccessControlEntry accessControlEntry : ((ACLTemplate) accessControlPolicy).getAccessControlEntries()) {
            AccessControlEntryImpl accessControlEntryImpl = (AccessControlEntryImpl) accessControlEntry;
            Name uniqueNodeName = getUniqueNodeName(aclNode, accessControlEntryImpl.isAllow() ? "allow" : "deny");
            Name name = accessControlEntryImpl.isAllow() ? NT_REP_GRANT_ACE : NT_REP_DENY_ACE;
            ValueFactory valueFactory = this.session.getValueFactory();
            NodeImpl addNode = addNode(aclNode, uniqueNodeName, name);
            setProperty(addNode, P_PRINCIPAL_NAME, valueFactory.createValue(accessControlEntryImpl.getPrincipal().getName()));
            setProperty(addNode, P_PRIVILEGES, getPrivilegeNames(accessControlEntryImpl.getPrivileges(), valueFactory));
            for (Name name2 : accessControlEntryImpl.getRestrictions().keySet()) {
                setProperty(addNode, name2, accessControlEntryImpl.getRestriction(name2));
            }
        }
        markModified((NodeImpl) aclNode.getParent());
    }

    @Override // org.apache.jackrabbit.core.security.authorization.AccessControlEditor
    public synchronized void removePolicy(String str, AccessControlPolicy accessControlPolicy) throws AccessControlException, RepositoryException {
        checkProtectsNode(str);
        checkValidPolicy(str, accessControlPolicy);
        NodeImpl aclNode = getAclNode(str);
        if (aclNode == null) {
            throw new AccessControlException("No policy to remove at " + str);
        }
        removeItem(aclNode);
    }

    private void checkProtectsNode(String str) throws RepositoryException {
        if (str != null) {
            if (this.utils.isAcItem(getNode(str))) {
                throw new AccessControlException("Node " + str + " defines ACL or ACE itself.");
            }
        }
    }

    private static void checkValidPolicy(String str, AccessControlPolicy accessControlPolicy) throws AccessControlException {
        if (accessControlPolicy == null || !(accessControlPolicy instanceof ACLTemplate)) {
            throw new AccessControlException("Attempt to set/remove invalid policy " + accessControlPolicy);
        }
        ACLTemplate aCLTemplate = (ACLTemplate) accessControlPolicy;
        if (!(str == null ? aCLTemplate.getPath() == null : str.equals(aCLTemplate.getPath()))) {
            throw new AccessControlException("Policy " + accessControlPolicy + " cannot be applied/removed from the node at " + str);
        }
    }

    private NodeImpl getNode(String str) throws RepositoryException {
        return (NodeImpl) this.session.getNode(str);
    }

    private NodeImpl getAclNode(String str) throws PathNotFoundException, RepositoryException {
        return getAclNode(str == null ? (NodeImpl) this.session.getRootNode() : getNode(str), str);
    }

    private NodeImpl getAclNode(NodeImpl nodeImpl, String str) throws RepositoryException {
        NodeImpl nodeImpl2 = null;
        if (str == null) {
            if (ACLProvider.isRepoAccessControlled(nodeImpl)) {
                nodeImpl2 = nodeImpl.getNode(N_REPO_POLICY);
            }
        } else if (ACLProvider.isAccessControlled(nodeImpl)) {
            nodeImpl2 = nodeImpl.getNode(N_POLICY);
        }
        return nodeImpl2;
    }

    private NodeImpl createAclNode(String str) throws RepositoryException {
        NodeImpl node = getNode(str);
        if (!node.isNodeType(NT_REP_ACCESS_CONTROLLABLE)) {
            node.addMixin(NT_REP_ACCESS_CONTROLLABLE);
        }
        return addNode(node, N_POLICY, NT_REP_ACL);
    }

    private NodeImpl createRepoAclNode() throws RepositoryException {
        NodeImpl nodeImpl = (NodeImpl) this.session.getRootNode();
        if (!nodeImpl.isNodeType(NT_REP_REPO_ACCESS_CONTROLLABLE)) {
            nodeImpl.addMixin(NT_REP_REPO_ACCESS_CONTROLLABLE);
        }
        return addNode(nodeImpl, N_REPO_POLICY, NT_REP_ACL);
    }

    protected static Name getUniqueNodeName(Node node, String str) throws RepositoryException {
        if (str == null) {
            str = DEFAULT_ACE_NAME;
        } else {
            try {
                NameParser.checkFormat(str);
            } catch (NameException e) {
                str = DEFAULT_ACE_NAME;
                log.debug("Invalid path name for Permission: " + str + ".");
            }
        }
        int i = 0;
        String str2 = str;
        while (node.hasNode(str2)) {
            str2 = str + i;
            i++;
        }
        return ((SessionImpl) node.getSession()).getQName(str2);
    }

    private static Value[] getPrivilegeNames(Privilege[] privilegeArr, ValueFactory valueFactory) throws ValueFormatException {
        Value[] valueArr = new Value[privilegeArr.length];
        for (int i = 0; i < privilegeArr.length; i++) {
            valueArr[i] = valueFactory.createValue(privilegeArr[i].getName(), 7);
        }
        return valueArr;
    }
}
