package org.apache.jackrabbit.core.security.authorization.principalbased;

import java.security.Principal;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.jcr.AccessDeniedException;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.ValueFactory;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlException;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.core.NodeImpl;
import org.apache.jackrabbit.core.SessionImpl;
import org.apache.jackrabbit.core.cache.GrowingLRUMap;
import org.apache.jackrabbit.core.id.ItemId;
import org.apache.jackrabbit.core.security.SecurityConstants;
import org.apache.jackrabbit.core.security.authorization.AbstractAccessControlProvider;
import org.apache.jackrabbit.core.security.authorization.AbstractCompiledPermissions;
import org.apache.jackrabbit.core.security.authorization.AccessControlConstants;
import org.apache.jackrabbit.core.security.authorization.AccessControlEditor;
import org.apache.jackrabbit.core.security.authorization.AccessControlEntryImpl;
import org.apache.jackrabbit.core.security.authorization.AccessControlListener;
import org.apache.jackrabbit.core.security.authorization.AccessControlModifications;
import org.apache.jackrabbit.core.security.authorization.CompiledPermissions;
import org.apache.jackrabbit.core.security.authorization.Permission;
import org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry;
import org.apache.jackrabbit.core.security.authorization.UnmodifiableAccessControlList;
import org.apache.jackrabbit.core.security.authorization.principalbased.ACLTemplate;
import org.apache.jackrabbit.spi.Path;
import org.apache.jackrabbit.util.Text;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/jackrabbit/core/security/authorization/principalbased/ACLProvider.class */
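/**
 * Access control provider that evaluates permissions from per-principal
 * policies stored below the {@code N_ACCESSCONTROL} child of the workspace
 * root node.
 *
 * <p>This source was recovered by a decompiler: local names are synthetic,
 * several numeric literals stand in for named constants, and one method body
 * ({@link #getEffectivePolicies(org.apache.jackrabbit.spi.Path, CompiledPermissions)})
 * could not be recovered at all.
 */
public class ACLProvider extends AbstractAccessControlProvider implements AccessControlConstants {
    private static final Logger log = LoggerFactory.getLogger(ACLProvider.class);
    // Root node of the access control content (child N_ACCESSCONTROL of the workspace root).
    private NodeImpl acRoot;
    // Editor bound to the provider's own session; used to locate and read per-principal ACLs.
    private ACLEditor editor;
    // Source of the access control entries for a set of principals; also dispatches change events.
    private EntriesCache entriesCache;
    // Privilege bits of jcr:read, resolved once in init().
    private int readBits;

    /* loaded from: input_file:org/apache/jackrabbit/core/security/authorization/principalbased/ACLProvider$CompiledPermissionImpl.class */
    /**
     * Permission evaluation for one fixed set of principals. The instance
     * keeps the entries obtained from the entries cache and, when registered
     * as listener, reloads them after a modification that touches one of the
     * principals' access control nodes.
     */
    private class CompiledPermissionImpl extends AbstractCompiledPermissions implements AccessControlListener {
        private final Set<Principal> principals;
        // Paths of the access control nodes of all principals; used to filter change events.
        private final Set<String> acPaths;
        private List<AccessControlEntry> entries;
        // Shortcut flag: true only while root is readable and no entry denies jcr:read.
        private boolean canReadAll;
        // Per-item read decisions for lookups that arrive without a path; guarded by 'monitor'.
        private final Map<ItemId, Boolean> readCache;
        private final Object monitor;

        /**
         * Creates an instance that is registered as listener on the entries cache.
         *
         * @param set the principals to evaluate permissions for
         * @throws RepositoryException if the initial load of the entries fails
         */
        private CompiledPermissionImpl(Set<Principal> set) throws RepositoryException {
            // The decompiled signature carried the synthetic outer-instance
            // parameter, which no call site in this class matches.
            this(set, true);
        }

        /**
         * @param set the principals to evaluate permissions for
         * @param z   whether to register this instance as listener on the entries cache
         * @throws RepositoryException if the initial load of the entries fails
         */
        private CompiledPermissionImpl(Set<Principal> set, boolean z) throws RepositoryException {
            // NOTE(review): the first argument is what the decompiler resolved the
            // numeric literal to; presumably a plain cache size in the original.
            this.readCache = new GrowingLRUMap(Permission.LIFECYCLE_MNGMT, 5000);
            this.monitor = new Object();
            this.principals = set;
            this.acPaths = new HashSet<String>(set.size());
            reload();
            if (z) {
                ACLProvider.this.entriesCache.addListener(this);
            }
        }

        /**
         * Re-reads the access control node paths and entries of all principals
         * and recomputes the {@code canReadAll} shortcut.
         *
         * @throws RepositoryException if paths or entries cannot be retrieved
         */
        private void reload() throws RepositoryException {
            this.acPaths.clear();
            for (Principal principal : this.principals) {
                this.acPaths.add(ACLProvider.this.editor.getPathToAcNode(principal));
            }
            this.entries = ACLProvider.this.entriesCache.getEntries(this.principals);
            // canRead(Path) short-circuits on the current canReadAll value. Reset it
            // first so that a reload re-evaluates read access on the root instead of
            // carrying a previously granted shortcut over to the new entries.
            this.canReadAll = false;
            this.canReadAll = canRead(ACLProvider.this.session.getQPath("/"));
            if (this.canReadAll) {
                for (AccessControlEntry accessControlEntry : this.entries) {
                    AccessControlEntryImpl ace = (AccessControlEntryImpl) accessControlEntry;
                    // Any entry that denies the complete jcr:read privilege disables the shortcut.
                    if (!ace.isAllow() && (ace.getPrivilegeBits() & ACLProvider.this.readBits) == ACLProvider.this.readBits) {
                        this.canReadAll = false;
                        return;
                    }
                }
            }
        }

        /**
         * Builds the evaluation result for an absolute path.
         *
         * @param path absolute path of the target item
         * @return the computed result
         * @throws RepositoryException if {@code path} is not absolute or evaluation fails
         */
        @Override // org.apache.jackrabbit.core.security.authorization.AbstractCompiledPermissions
        protected synchronized AbstractCompiledPermissions.Result buildResult(Path path) throws RepositoryException {
            if (!path.isAbsolute()) {
                throw new RepositoryException("Absolute path expected.");
            }
            return buildResult(ACLProvider.this.session.getJCRPath(path), ACLProvider.this.isAcItem(path));
        }

        /**
         * Folds all entries that match {@code str} or its parent path into one result.
         *
         * @param str JCR path of the target item
         * @param z   whether the target is access control content
         * @return result built from (allows, denies, allowPrivileges, denyPrivileges)
         * @throws RepositoryException if an entry cannot be evaluated
         */
        private AbstractCompiledPermissions.Result buildResult(String str, boolean z) throws RepositoryException {
            int allows = 0;
            int denies = 0;
            int allowPrivileges = 0;
            int denyPrivileges = 0;
            int parentAllows = 0;
            int parentDenies = 0;
            String relativeParent = Text.getRelativeParent(str, 1);
            // Evaluation depends on the iteration order of 'entries'.
            // NOTE(review): Permission.diff presumably drops bits already decided by
            // the opposite kind, which would make earlier entries win; confirm.
            for (AccessControlEntry accessControlEntry : this.entries) {
                if (accessControlEntry instanceof ACLTemplate.Entry) {
                    ACLTemplate.Entry entry = (ACLTemplate.Entry) accessControlEntry;
                    int privilegeBits = entry.getPrivilegeBits();
                    // Privileges effective on the parent feed into the permission calculation below.
                    if (!"".equals(relativeParent) && entry.matches(relativeParent)) {
                        if (entry.isAllow()) {
                            parentAllows |= Permission.diff(privilegeBits, parentDenies);
                        } else {
                            parentDenies |= Permission.diff(privilegeBits, parentAllows);
                        }
                    }
                    if (entry.matches(str)) {
                        if (entry.isAllow()) {
                            allowPrivileges |= Permission.diff(privilegeBits, denyPrivileges);
                            allows |= Permission.diff(PrivilegeRegistry.calculatePermissions(allowPrivileges, parentAllows, true, z), denies);
                        } else {
                            denyPrivileges |= Permission.diff(privilegeBits, allowPrivileges);
                            denies |= Permission.diff(PrivilegeRegistry.calculatePermissions(denyPrivileges, parentDenies, false, z), allows);
                        }
                    }
                } else {
                    // Entries of any other implementation contribute nothing to the result.
                    ACLProvider.log.warn("Unexpected AccessControlEntry instance -> ignore");
                }
            }
            return new AbstractCompiledPermissions.Result(allows, denies, allowPrivileges, denyPrivileges);
        }

        /** Unregisters this instance from the entries cache before delegating to the superclass. */
        @Override // org.apache.jackrabbit.core.security.authorization.AbstractCompiledPermissions, org.apache.jackrabbit.core.security.authorization.CompiledPermissions
        public void close() {
            ACLProvider.this.entriesCache.removeListener(this);
            super.close();
        }

        /**
         * Tests read access to an item.
         *
         * @param path   path of the item, or {@code null} to resolve it from {@code itemId}
         * @param itemId id of the item; used as cache key when {@code path} is {@code null}
         * @return {@code true} if the item can be read
         * @throws RepositoryException if the path cannot be resolved or evaluation fails
         */
        @Override // org.apache.jackrabbit.core.security.authorization.CompiledPermissions
        public boolean canRead(Path path, ItemId itemId) throws RepositoryException {
            if (path != null) {
                return canRead(path);
            }
            synchronized (this.monitor) {
                if (!this.readCache.containsKey(itemId)) {
                    boolean granted = canRead(ACLProvider.this.session.getHierarchyManager().getPath(itemId));
                    this.readCache.put(itemId, Boolean.valueOf(granted));
                    return granted;
                }
                return this.readCache.get(itemId).booleanValue();
            }
        }

        /* JADX INFO: Access modifiers changed from: private */
        /**
         * @param path path of the item to test
         * @return {@code true} if the shortcut applies (everything readable and the
         *         item is not access control content) or read is explicitly granted
         * @throws RepositoryException if evaluation fails
         */
        public boolean canRead(Path path) throws RepositoryException {
            // 1 is the READ permission bit (Permission.READ); literal kept as decompiled.
            return (this.canReadAll && !ACLProvider.this.isAcItem(path)) || grants(path, 1);
        }

        /**
         * Drops cached decisions and reloads the entries when the modification
         * touches the access control node of one of this instance's principals.
         *
         * @param accessControlModifications the reported modifications
         */
        @Override // org.apache.jackrabbit.core.security.authorization.AccessControlListener
        public void acModified(AccessControlModifications accessControlModifications) {
            try {
                boolean affected = false;
                Iterator it = accessControlModifications.getNodeIdentifiers().iterator();
                while (it.hasNext() && !affected) {
                    affected = this.acPaths.contains(it.next().toString());
                }
                if (affected) {
                    try {
                        clearCache();
                        reload();
                    } finally {
                        // Read decisions cached per item id were computed from the old
                        // entries; drop them even when the reload failed so that they
                        // cannot outlive a revoked grant.
                        synchronized (this.monitor) {
                            this.readCache.clear();
                        }
                    }
                }
            } catch (RepositoryException e) {
                // Pass the exception itself: with no '{}' placeholder SLF4J discards a
                // plain String argument, which hid the reason for the failed reload.
                // NOTE(review): after a failed reload the instance may hold partially
                // refreshed state (acPaths cleared, entries not replaced).
                ACLProvider.log.warn("Internal error: ", e);
            }
        }
    }

    /**
     * Initializes the provider: locates or creates the access control root node,
     * sets up editor and entries cache and, unless
     * {@code PARAM_OMIT_DEFAULT_PERMISSIONS} is present in {@code map}, installs
     * the default permissions on the root path (jcr:all for the administrators
     * group if that principal exists, jcr:read for the everyone principal).
     *
     * <p>A failure while installing the default permissions is logged and the
     * pending changes are reverted; initialization still completes.
     *
     * @param session the session this provider operates with
     * @param map     configuration parameters
     * @throws RepositoryException if the access control root exists with an
     *                             unexpected node type or the set-up fails
     */
    @Override // org.apache.jackrabbit.core.security.authorization.AbstractAccessControlProvider, org.apache.jackrabbit.core.security.authorization.AccessControlProvider
    public void init(Session session, Map map) throws RepositoryException {
        super.init(session, map);
        NodeImpl nodeImpl = (NodeImpl) this.session.getRootNode();
        if (nodeImpl.hasNode(N_ACCESSCONTROL)) {
            this.acRoot = nodeImpl.getNode(N_ACCESSCONTROL);
            if (!this.acRoot.isNodeType(NT_REP_ACCESS_CONTROL)) {
                throw new RepositoryException("Error while initializing Access Control Provider: Found ac-root to be wrong node type " + this.acRoot.getPrimaryNodeType().getName());
            }
        } else {
            this.acRoot = nodeImpl.addNode(N_ACCESSCONTROL, NT_REP_ACCESS_CONTROL, null);
        }
        this.editor = new ACLEditor(this.session, this.resolver.getQPath(this.acRoot.getPath()));
        this.entriesCache = new EntriesCache(this.session, this.editor, this.acRoot.getPath());
        this.readBits = PrivilegeRegistry.getBits(new Privilege[]{this.session.getAccessControlManager().privilegeFromName("{http://www.jcp.org/jcr/1.0}read")});
        if (map.containsKey(AbstractAccessControlProvider.PARAM_OMIT_DEFAULT_PERMISSIONS)) {
            return;
        }
        try {
            log.debug("Install initial permissions: ...");
            ValueFactory valueFactory = this.session.getValueFactory();
            // Restriction that binds the default entries to the root path;
            // 8 is javax.jcr.PropertyType.PATH.
            Map<String, Value> restrictions = new HashMap<String, Value>();
            restrictions.put(this.session.getJCRName(ACLTemplate.P_NODE_PATH), valueFactory.createValue(nodeImpl.getPath(), 8));
            PrincipalManager principalManager = this.session.getPrincipalManager();
            AccessControlManager accessControlManager = this.session.getAccessControlManager();
            if (principalManager.hasPrincipal(SecurityConstants.ADMINISTRATORS_NAME)) {
                installDefaultPermissions(principalManager.getPrincipal(SecurityConstants.ADMINISTRATORS_NAME), new Privilege[]{accessControlManager.privilegeFromName("{http://www.jcp.org/jcr/1.0}all")}, restrictions, this.editor);
            } else {
                log.info("Administrators principal group is missing -> Not adding default permissions.");
            }
            // Default for everyone: read access on the root path.
            installDefaultPermissions(principalManager.getEveryone(), new Privilege[]{accessControlManager.privilegeFromName("{http://www.jcp.org/jcr/1.0}read")}, restrictions, this.editor);
            this.session.save();
        } catch (RepositoryException e) {
            // Keep the cause in the log: without it an operator cannot tell why the
            // workspace came up without its default permissions.
            log.error("Failed to set-up minimal access control for root node of workspace " + this.session.getWorkspace().getName(), e);
            this.session.getRootNode().refresh(false);
        }
    }

    /**
     * Adds a single allow entry for {@code principal} if the principal's policy
     * is editable and still empty; an existing, non-empty policy is left untouched.
     *
     * @param principal           the principal to grant the privileges to
     * @param privilegeArr        the privileges to grant
     * @param map                 restrictions of the new entry
     * @param accessControlEditor the editor used to read and store the policy
     * @throws RepositoryException    if the policy cannot be read or stored
     * @throws AccessControlException if the entry is rejected
     */
    private static void installDefaultPermissions(Principal principal, Privilege[] privilegeArr, Map<String, Value> map, AccessControlEditor accessControlEditor) throws RepositoryException, AccessControlException {
        JackrabbitAccessControlPolicy[] editAccessControlPolicies = accessControlEditor.editAccessControlPolicies(principal);
        if (editAccessControlPolicies.length <= 0) {
            log.debug("... policy for principal  '" + principal.getName() + "'  already present.");
            return;
        }
        ACLTemplate aCLTemplate = (ACLTemplate) editAccessControlPolicies[0];
        if (!aCLTemplate.isEmpty()) {
            log.debug("... policy for principal '" + principal.getName() + "' already present.");
        } else {
            aCLTemplate.addEntry(principal, privilegeArr, true, map);
            accessControlEditor.setPolicy(aCLTemplate.getPath(), aCLTemplate);
        }
    }

    /** Closes the provider and the entries cache it created in {@code init}. */
    @Override // org.apache.jackrabbit.core.security.authorization.AbstractAccessControlProvider, org.apache.jackrabbit.core.security.authorization.AccessControlProvider
    public void close() {
        super.close();
        // The cache is only assigned part-way through init(); a provider whose
        // initialization failed earlier must still be closable.
        if (this.entriesCache != null) {
            this.entriesCache.close();
        }
    }

    // NOTE(review): the decompiler could not recover this method. As listed here it
    // always throws UnsupportedOperationException; the real behaviour has to be taken
    // from the original class file or the upstream source.
    /* JADX WARN: Code restructure failed: missing block: B:36:0x0123, code lost:
    
        continue;
     */
    @Override // org.apache.jackrabbit.core.security.authorization.AccessControlProvider
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    public javax.jcr.security.AccessControlPolicy[] getEffectivePolicies(org.apache.jackrabbit.spi.Path r6, org.apache.jackrabbit.core.security.authorization.CompiledPermissions r7) throws javax.jcr.ItemNotFoundException, javax.jcr.RepositoryException {
        /*
            Method dump skipped, instructions count: 496
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: org.apache.jackrabbit.core.security.authorization.principalbased.ACLProvider.getEffectivePolicies(org.apache.jackrabbit.spi.Path, org.apache.jackrabbit.core.security.authorization.CompiledPermissions):javax.jcr.security.AccessControlPolicy[]");
    }

    /**
     * Returns the policies of the given principals as unmodifiable lists.
     * Principals without a policy are skipped.
     *
     * @param set                 the principals whose policies are requested
     * @param compiledPermissions permissions of the caller, used to check access
     *                            to each policy
     * @return the policies found, possibly empty
     * @throws AccessDeniedException if {@code compiledPermissions} does not grant
     *                               permission bit 32 on the path of any one of the
     *                               policies; no partial result is returned
     * @throws RepositoryException   if a policy cannot be read
     */
    @Override // org.apache.jackrabbit.core.security.authorization.AccessControlProvider
    public AccessControlPolicy[] getEffectivePolicies(Set<Principal> set, CompiledPermissions compiledPermissions) throws RepositoryException {
        List<AccessControlPolicy> policies = new ArrayList<AccessControlPolicy>(set.size());
        for (Principal principal : set) {
            ACLTemplate acl = this.editor.getACL(principal);
            if (acl == null) {
                continue;
            }
            // 32 is the READ_AC permission bit (Permission.READ_AC); literal kept as decompiled.
            if (!compiledPermissions.grants(this.session.getQPath(acl.getPath()), 32)) {
                throw new AccessDeniedException("Access denied at " + acl.getPath());
            }
            policies.add(new UnmodifiableAccessControlList(acl));
        }
        return policies.toArray(new AccessControlPolicy[policies.size()]);
    }

    /**
     * Creates an editor bound to the given session.
     *
     * @param session the editing session
     * @return a new editor, or {@code null} if {@code session} is not a
     *         {@code SessionImpl} or the editor could not be created
     */
    @Override // org.apache.jackrabbit.core.security.authorization.AccessControlProvider
    public AccessControlEditor getEditor(Session session) {
        checkInitialized();
        if (session instanceof SessionImpl) {
            try {
                return new ACLEditor((SessionImpl) session, this.session.getQPath(this.acRoot.getPath()));
            } catch (RepositoryException e) {
                // Pass the exception itself: with no '{}' placeholder SLF4J discards a
                // plain String argument, so the cause never reached the log.
                log.error("Internal error: ", e);
            }
        }
        log.debug("Unable to build access control editor " + ACLEditor.class.getName() + ".");
        return null;
    }

    /**
     * Compiles the permissions for a set of principals.
     *
     * @param set the principals
     * @return the admin permissions for an admin or system principal set, the
     *         read-only permissions for a read-only set, otherwise a new
     *         entry-based evaluation that listens for policy changes
     * @throws RepositoryException if the entries cannot be loaded
     */
    @Override // org.apache.jackrabbit.core.security.authorization.AccessControlProvider
    public CompiledPermissions compilePermissions(Set<Principal> set) throws RepositoryException {
        checkInitialized();
        if (isAdminOrSystem(set)) {
            return getAdminPermissions();
        }
        if (isReadOnly(set)) {
            return getReadOnlyPermissions();
        }
        return new CompiledPermissionImpl(set);
    }

    /**
     * Tests whether the given principals may read the root node.
     *
     * @param set the principals
     * @return {@code true} for an admin or system principal set, otherwise the
     *         result of evaluating read access on the root node's path
     * @throws RepositoryException if evaluation fails
     */
    @Override // org.apache.jackrabbit.core.security.authorization.AccessControlProvider
    public boolean canAccessRoot(Set<Principal> set) throws RepositoryException {
        checkInitialized();
        if (isAdminOrSystem(set)) {
            return true;
        }
        // One-shot evaluation: created without listener registration, so there is
        // nothing to unregister afterwards.
        return new CompiledPermissionImpl(set, false).canRead(((NodeImpl) this.session.getRootNode()).getPrimaryPath());
    }
}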
