package org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol;

import java.security.Principal;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Objects;
import java.util.Set;
import javax.jcr.AccessDeniedException;
import javax.jcr.PathNotFoundException;
import javax.jcr.RepositoryException;
import javax.jcr.security.AccessControlException;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.api.security.authorization.PrivilegeCollection;
import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.commons.PathUtils;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionAware;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConfiguration;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeUtil;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.osgi.annotation.versioning.ProviderType;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@ProviderType
/* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authorization/accesscontrol/AbstractAccessControlManager.class */
public abstract class AbstractAccessControlManager implements JackrabbitAccessControlManager, AccessControlConstants {
    private static final Logger log = LoggerFactory.getLogger(AbstractAccessControlManager.class);
    private final Root root;
    private final String workspaceName;
    private final NamePathMapper namePathMapper;
    private final AuthorizationConfiguration config;
    private final PrivilegeManager privilegeManager;
    private PermissionProvider permissionProvider;
    private PrivilegeBitsProvider privilegeBitsProvider;
    private boolean doRefresh = false;

    /* JADX INFO: Access modifiers changed from: protected */
    public AbstractAccessControlManager(@NotNull Root root, @NotNull NamePathMapper namePathMapper, @NotNull SecurityProvider securityProvider) {
        this.root = root;
        this.workspaceName = root.getContentSession().getWorkspaceName();
        this.namePathMapper = namePathMapper;
        this.privilegeManager = ((PrivilegeConfiguration) securityProvider.getConfiguration(PrivilegeConfiguration.class)).getPrivilegeManager(root, namePathMapper);
        this.config = (AuthorizationConfiguration) securityProvider.getConfiguration(AuthorizationConfiguration.class);
    }

    @NotNull
    public Privilege[] getSupportedPrivileges(@Nullable String str) throws RepositoryException {
        getTree(getOakPath(str), 0L, false);
        return this.privilegeManager.getRegisteredPrivileges();
    }

    @NotNull
    public Privilege privilegeFromName(@NotNull String str) throws RepositoryException {
        return this.privilegeManager.getPrivilege(str);
    }

    public boolean hasPrivileges(@Nullable String str, @Nullable Privilege[] privilegeArr) throws RepositoryException {
        return hasPrivileges(str, privilegeArr, getPermissionProvider(), 0L, false);
    }

    @NotNull
    public Privilege[] getPrivileges(@Nullable String str) throws RepositoryException {
        return getPrivileges(str, getPermissionProvider(), 0L);
    }

    @Override // org.apache.jackrabbit.api.security.JackrabbitAccessControlManager
    public boolean hasPrivileges(@Nullable String str, @NotNull Set<Principal> set, @Nullable Privilege[] privilegeArr) throws RepositoryException {
        return getPrincipals().equals(set) ? hasPrivileges(str, privilegeArr) : hasPrivileges(str, privilegeArr, this.config.getPermissionProvider(this.root, this.workspaceName, set), 128L, false);
    }

    @Override // org.apache.jackrabbit.api.security.JackrabbitAccessControlManager
    @NotNull
    public Privilege[] getPrivileges(@Nullable String str, @NotNull Set<Principal> set) throws RepositoryException {
        return getPrincipals().equals(set) ? getPrivileges(str) : getPrivileges(str, this.config.getPermissionProvider(this.root, this.workspaceName, set), 128L);
    }

    @Override // org.apache.jackrabbit.api.security.JackrabbitAccessControlManager
    @NotNull
    public PrivilegeCollection getPrivilegeCollection(@Nullable String str) throws RepositoryException {
        return getPrivilegeCollection(getPrivilegeNames(str, getPermissionProvider(), 0L), false);
    }

    @Override // org.apache.jackrabbit.api.security.JackrabbitAccessControlManager
    @NotNull
    public PrivilegeCollection getPrivilegeCollection(@Nullable String str, @NotNull Set<Principal> set) throws RepositoryException {
        return getPrincipals().equals(set) ? getPrivilegeCollection(str) : getPrivilegeCollection(getPrivilegeNames(str, this.config.getPermissionProvider(this.root, this.workspaceName, set), 128L), false);
    }

    @Override // org.apache.jackrabbit.api.security.JackrabbitAccessControlManager
    @NotNull
    public PrivilegeCollection privilegeCollectionFromNames(@NotNull String... strArr) throws RepositoryException {
        return getPrivilegeCollection(PrivilegeUtil.getOakNames(strArr, this.namePathMapper), true);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @NotNull
    public AuthorizationConfiguration getConfig() {
        return this.config;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @NotNull
    public Root getRoot() {
        return this.root;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @NotNull
    public Root getLatestRoot() {
        return this.root.getContentSession().getLatestRoot();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @NotNull
    public NamePathMapper getNamePathMapper() {
        return this.namePathMapper;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @NotNull
    public PrivilegeManager getPrivilegeManager() {
        return this.privilegeManager;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @NotNull
    public PrivilegeBitsProvider getPrivilegeBitsProvider() {
        if (this.privilegeBitsProvider == null) {
            this.privilegeBitsProvider = new PrivilegeBitsProvider(this.root);
        }
        return this.privilegeBitsProvider;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Nullable
    public String getOakPath(@Nullable String str) throws RepositoryException {
        if (str == null) {
            return null;
        }
        String oakPath = this.namePathMapper.getOakPath(str);
        if (oakPath == null || !PathUtils.isAbsolute(oakPath)) {
            throw new RepositoryException("Failed to resolve JCR path " + str);
        }
        return oakPath;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @NotNull
    public Tree getTree(@Nullable String str, long j, boolean z) throws RepositoryException {
        Tree tree = str == null ? this.root.getTree("/") : this.root.getTree(str);
        if (!tree.exists()) {
            throw new PathNotFoundException("No tree at " + str);
        }
        if (j != 0) {
            checkPermissions(str == null ? null : tree, j);
        }
        if (z && this.config.getContext().definesTree(tree)) {
            throw new AccessControlException("Tree " + tree.getPath() + " defines access control content.");
        }
        return tree;
    }

    @NotNull
    protected PermissionProvider getPermissionProvider() {
        if (this.permissionProvider == null) {
            if (this.root instanceof PermissionAware) {
                this.permissionProvider = ((PermissionAware) this.root).getPermissionProvider();
            } else {
                this.permissionProvider = this.config.getPermissionProvider(this.root, this.workspaceName, getPrincipals());
                this.doRefresh = true;
            }
        } else if (this.doRefresh) {
            this.permissionProvider.refresh();
        }
        return this.permissionProvider;
    }

    @NotNull
    private Set<Principal> getPrincipals() {
        return this.root.getContentSession().getAuthInfo().getPrincipals();
    }

    private void checkPermissions(@Nullable Tree tree, long j) throws AccessDeniedException {
        if (!(tree == null ? getPermissionProvider().getRepositoryPermission().isGranted(j) : getPermissionProvider().isGranted(tree, null, j))) {
            throw new AccessDeniedException("Access denied.");
        }
    }

    @NotNull
    private Set<String> getPrivilegeNames(@Nullable String str, @NotNull PermissionProvider permissionProvider, long j) throws RepositoryException {
        Tree tree;
        if (str == null) {
            tree = null;
            if (j != 0) {
                checkPermissions(null, j);
            }
        } else {
            tree = getTree(getOakPath(str), j, false);
        }
        return permissionProvider.getPrivileges(tree);
    }

    /* JADX INFO: Access modifiers changed from: private */
    @NotNull
    public Privilege[] getPrivileges(@NotNull Set<String> set) throws RepositoryException {
        if (set.isEmpty()) {
            return new Privilege[0];
        }
        HashSet hashSet = new HashSet(set.size());
        Iterator<String> it = set.iterator();
        while (it.hasNext()) {
            hashSet.add(this.privilegeManager.getPrivilege(this.namePathMapper.getJcrName(it.next())));
        }
        return (Privilege[]) hashSet.toArray(new Privilege[0]);
    }

    @NotNull
    private Privilege[] getPrivileges(@Nullable String str, @NotNull PermissionProvider permissionProvider, long j) throws RepositoryException {
        return getPrivileges(getPrivilegeNames(str, permissionProvider, j));
    }

    private boolean hasPrivileges(@Nullable String str, @Nullable Privilege[] privilegeArr, @NotNull PermissionProvider permissionProvider, long j, boolean z) throws RepositoryException {
        Tree tree;
        if (str == null) {
            tree = null;
            if (j != 0) {
                checkPermissions(null, j);
            }
        } else {
            tree = getTree(getOakPath(str), j, z);
        }
        if (privilegeArr == null || privilegeArr.length == 0) {
            log.debug("No privileges passed -> allowed.");
            return true;
        }
        return permissionProvider.hasPrivileges(tree, (String[]) PrivilegeUtil.getOakNames((String[]) Arrays.stream(privilegeArr).filter((v0) -> {
            return Objects.nonNull(v0);
        }).map((v0) -> {
            return v0.getName();
        }).toArray(i -> {
            return new String[i];
        }), this.namePathMapper).toArray(new String[0]));
    }

    @NotNull
    private PrivilegeCollection getPrivilegeCollection(@NotNull final Set<String> set, boolean z) throws AccessControlException {
        return new AbstractPrivilegeCollection(getPrivilegeBitsProvider().getBits(set, z)) { // from class: org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlManager.1
            @Override // org.apache.jackrabbit.api.security.authorization.PrivilegeCollection
            public Privilege[] getPrivileges() throws RepositoryException {
                return AbstractAccessControlManager.this.getPrivileges((Set<String>) set);
            }

            @Override // org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractPrivilegeCollection
            @NotNull
            PrivilegeBitsProvider getPrivilegeBitsProvider() {
                return AbstractAccessControlManager.this.getPrivilegeBitsProvider();
            }

            @Override // org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractPrivilegeCollection
            @NotNull
            NamePathMapper getNamePathMapper() {
                return AbstractAccessControlManager.this.getNamePathMapper();
            }
        };
    }
}
