package org.apache.jackrabbit.core.security.authorization.principalbased;

import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.jcr.Item;
import javax.jcr.ItemNotFoundException;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.ValueFactory;
import javax.jcr.observation.Event;
import javax.jcr.observation.EventIterator;
import org.apache.jackrabbit.api.jsr283.security.AccessControlManager;
import org.apache.jackrabbit.api.jsr283.security.AccessControlPolicy;
import org.apache.jackrabbit.api.jsr283.security.Privilege;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.core.ItemImpl;
import org.apache.jackrabbit.core.NodeImpl;
import org.apache.jackrabbit.core.SessionImpl;
import org.apache.jackrabbit.core.observation.SynchronousEventListener;
import org.apache.jackrabbit.core.security.SecurityConstants;
import org.apache.jackrabbit.core.security.authorization.AbstractAccessControlProvider;
import org.apache.jackrabbit.core.security.authorization.AbstractCompiledPermissions;
import org.apache.jackrabbit.core.security.authorization.AccessControlConstants;
import org.apache.jackrabbit.core.security.authorization.AccessControlEditor;
import org.apache.jackrabbit.core.security.authorization.CompiledPermissions;
import org.apache.jackrabbit.core.security.authorization.Permission;
import org.apache.jackrabbit.core.security.authorization.UnmodifiableAccessControlList;
import org.apache.jackrabbit.core.security.authorization.principalbased.ACLTemplate;
import org.apache.jackrabbit.core.security.principal.PrincipalImpl;
import org.apache.jackrabbit.spi.Path;
import org.apache.jackrabbit.spi.commons.name.PathFactoryImpl;
import org.apache.jackrabbit.util.Text;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:jackrabbit-core-1.5.4.jar:org/apache/jackrabbit/core/security/authorization/principalbased/ACLProvider.class */
public class ACLProvider extends AbstractAccessControlProvider implements AccessControlConstants {
    private static Logger log;
    private ACLEditor editor;
    private NodeImpl acRoot;
    static Class class$org$apache$jackrabbit$core$security$authorization$principalbased$ACLProvider;
    static Class class$org$apache$jackrabbit$core$security$authorization$principalbased$ACLEditor;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.apache.jackrabbit.core.security.authorization.principalbased.ACLProvider$1, reason: invalid class name */
    /* loaded from: input_file:jackrabbit-core-1.5.4.jar:org/apache/jackrabbit/core/security/authorization/principalbased/ACLProvider$1.class */
    public static class AnonymousClass1 {
    }

    /* loaded from: input_file:jackrabbit-core-1.5.4.jar:org/apache/jackrabbit/core/security/authorization/principalbased/ACLProvider$CompiledPermissionImpl.class */
    private class CompiledPermissionImpl extends AbstractCompiledPermissions implements SynchronousEventListener {
        private final Set principals;
        private final Set acPaths;
        private Entries entries;
        private final ACLProvider this$0;

        private CompiledPermissionImpl(ACLProvider aCLProvider, Set set) throws RepositoryException {
            this(aCLProvider, set, true);
        }

        private CompiledPermissionImpl(ACLProvider aCLProvider, Set set, boolean z) throws RepositoryException {
            this.this$0 = aCLProvider;
            this.principals = set;
            this.acPaths = new HashSet(set.size());
            this.entries = reload();
            if (z) {
                aCLProvider.observationMgr.addEventListener(this, 31, aCLProvider.acRoot.getPath(), true, null, new String[]{aCLProvider.session.getJCRName(AccessControlConstants.NT_REP_ACE)}, false);
            }
        }

        @Override // org.apache.jackrabbit.core.security.authorization.AbstractCompiledPermissions
        protected synchronized AbstractCompiledPermissions.Result buildResult(Path path) throws RepositoryException {
            AbstractCompiledPermissions.Result result;
            if (!path.isAbsolute()) {
                throw new RepositoryException("Absolute path expected.");
            }
            boolean isAcItem = this.this$0.isAcItem(path);
            String jCRPath = this.this$0.session.getJCRPath(path);
            if (this.this$0.session.itemExists(jCRPath)) {
                Item item = this.this$0.session.getItem(jCRPath);
                result = this.entries.getResult(item, item.getPath(), isAcItem);
            } else {
                result = this.entries.getResult(null, jCRPath, isAcItem);
            }
            return result;
        }

        @Override // org.apache.jackrabbit.core.security.authorization.AbstractCompiledPermissions, org.apache.jackrabbit.core.security.authorization.CompiledPermissions
        public void close() {
            try {
                this.this$0.observationMgr.removeEventListener(this);
            } catch (RepositoryException e) {
                ACLProvider.log.debug("Unable to unregister listener: ", e.getMessage());
            }
            super.close();
        }

        @Override // javax.jcr.observation.EventListener
        public synchronized void onEvent(EventIterator eventIterator) {
            boolean z = false;
            while (eventIterator.hasNext() && !z) {
                try {
                    Event nextEvent = eventIterator.nextEvent();
                    String path = nextEvent.getPath();
                    switch (nextEvent.getType()) {
                        case 1:
                        case 2:
                            z = this.acPaths.contains(Text.getRelativeParent(path, 2));
                            break;
                        case 4:
                        case 8:
                        case 16:
                            z = this.acPaths.contains(Text.getRelativeParent(path, 3));
                            break;
                    }
                } catch (RepositoryException e) {
                    ACLProvider.log.warn("Internal error: ", e.getMessage());
                    return;
                }
            }
            if (z) {
                clearCache();
                this.entries = reload();
            }
        }

        private Entries reload() throws RepositoryException {
            this.acPaths.clear();
            ArrayList arrayList = new ArrayList();
            for (Principal principal : this.principals) {
                ACLTemplate acl = this.this$0.editor.getACL(principal);
                if (acl == null || acl.isEmpty()) {
                    this.acPaths.add(this.this$0.editor.getPathToAcNode(principal));
                } else {
                    arrayList.addAll(Arrays.asList(acl.getAccessControlEntries()));
                    this.acPaths.add(acl.getPath());
                }
            }
            return new Entries(this.this$0, arrayList, null);
        }

        CompiledPermissionImpl(ACLProvider aCLProvider, Set set, AnonymousClass1 anonymousClass1) throws RepositoryException {
            this(aCLProvider, set);
        }

        CompiledPermissionImpl(ACLProvider aCLProvider, Set set, boolean z, AnonymousClass1 anonymousClass1) throws RepositoryException {
            this(aCLProvider, set, z);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:jackrabbit-core-1.5.4.jar:org/apache/jackrabbit/core/security/authorization/principalbased/ACLProvider$Entries.class */
    public class Entries {
        private final List entries;
        private final ACLProvider this$0;

        private Entries(ACLProvider aCLProvider, List list) {
            this.this$0 = aCLProvider;
            this.entries = list;
        }

        /* JADX INFO: Access modifiers changed from: private */
        public AbstractCompiledPermissions.Result getResult(Item item, String str, boolean z) throws RepositoryException {
            int i = 0;
            int i2 = 0;
            int i3 = 0;
            int i4 = 0;
            int i5 = 0;
            int i6 = 0;
            String relativeParent = Text.getRelativeParent(str, 1);
            Iterator it = this.entries.iterator();
            while (it.hasNext() && i != 31) {
                ACLTemplate.Entry entry = (ACLTemplate.Entry) it.next();
                int privilegeBits = entry.getPrivilegeBits();
                if (!"".equals(relativeParent) && entry.matches(relativeParent)) {
                    if (entry.isAllow()) {
                        i5 |= Permission.diff(privilegeBits, i6);
                    } else {
                        i6 |= Permission.diff(privilegeBits, i5);
                    }
                }
                if (item != null ? entry.matches(item) : entry.matches(str)) {
                    if (entry.isAllow()) {
                        i3 |= Permission.diff(privilegeBits, i4);
                        i |= Permission.diff(Permission.calculatePermissions(i3, i5, true, z), i2);
                    } else {
                        i4 |= Permission.diff(privilegeBits, i3);
                        i2 |= Permission.diff(Permission.calculatePermissions(i4, i6, false, z), i);
                    }
                }
            }
            return new AbstractCompiledPermissions.Result(i, i2, i3, i4);
        }

        Entries(ACLProvider aCLProvider, List list, AnonymousClass1 anonymousClass1) {
            this(aCLProvider, list);
        }
    }

    @Override // org.apache.jackrabbit.core.security.authorization.AccessControlUtils
    public boolean isAcItem(Path path) throws RepositoryException {
        for (Path.Element element : path.getElements()) {
            if (N_POLICY.equals(element.getName())) {
                return true;
            }
        }
        return false;
    }

    @Override // org.apache.jackrabbit.core.security.authorization.AccessControlUtils
    public boolean isAcItem(ItemImpl itemImpl) throws RepositoryException {
        NodeImpl nodeImpl = itemImpl.isNode() ? (NodeImpl) itemImpl : (NodeImpl) itemImpl.getParent();
        return nodeImpl.isNodeType(NT_REP_ACL) || nodeImpl.isNodeType(NT_REP_ACE);
    }

    @Override // org.apache.jackrabbit.core.security.authorization.AbstractAccessControlProvider, org.apache.jackrabbit.core.security.authorization.AccessControlProvider
    public void init(Session session, Map map) throws RepositoryException {
        Principal principalImpl;
        super.init(session, map);
        NodeImpl nodeImpl = (NodeImpl) this.session.getRootNode();
        if (nodeImpl.hasNode(N_ACCESSCONTROL)) {
            this.acRoot = nodeImpl.getNode(N_ACCESSCONTROL);
            if (!this.acRoot.isNodeType(NT_REP_ACCESS_CONTROL)) {
                throw new RepositoryException(new StringBuffer().append("Error while initializing Access Control Provider: Found ac-root to be wrong node type ").append(this.acRoot.getPrimaryNodeType().getName()).toString());
            }
        } else {
            this.acRoot = nodeImpl.addNode(N_ACCESSCONTROL, NT_REP_ACCESS_CONTROL, null);
        }
        this.editor = new ACLEditor(this.session, this.resolver.getQPath(this.acRoot.getPath()));
        if (map.containsKey(AbstractAccessControlProvider.PARAM_OMIT_DEFAULT_PERMISSIONS)) {
            return;
        }
        try {
            log.info("Install initial permissions: ...");
            ValueFactory valueFactory = this.session.getValueFactory();
            HashMap hashMap = new HashMap();
            hashMap.put(this.session.getJCRName(ACLTemplate.P_NODE_PATH), valueFactory.createValue(nodeImpl.getPath(), 8));
            hashMap.put(this.session.getJCRName(ACLTemplate.P_GLOB), valueFactory.createValue(GlobPattern.WILDCARD_ALL));
            PrincipalManager principalManager = this.session.getPrincipalManager();
            AccessControlManager accessControlManager = this.session.getAccessControlManager();
            if (principalManager.hasPrincipal(SecurityConstants.ADMINISTRATORS_NAME)) {
                principalImpl = principalManager.getPrincipal(SecurityConstants.ADMINISTRATORS_NAME);
            } else {
                log.warn("Administrators principal group is missing.");
                principalImpl = new PrincipalImpl(SecurityConstants.ADMINISTRATORS_NAME);
            }
            ACLTemplate aCLTemplate = (ACLTemplate) this.editor.editAccessControlPolicies(principalImpl)[0];
            if (aCLTemplate.isEmpty()) {
                log.info("... Privilege.ALL for administrators principal.");
                aCLTemplate.addEntry(principalImpl, new Privilege[]{accessControlManager.privilegeFromName(Privilege.JCR_ALL)}, true, hashMap);
                this.editor.setPolicy(aCLTemplate.getPath(), aCLTemplate);
            } else {
                log.info("... policy for administrators principal already present.");
            }
            Principal everyone = principalManager.getEveryone();
            ACLTemplate aCLTemplate2 = (ACLTemplate) this.editor.editAccessControlPolicies(everyone)[0];
            if (aCLTemplate2.isEmpty()) {
                log.info("... Privilege.READ for everyone principal.");
                aCLTemplate2.addEntry(everyone, new Privilege[]{accessControlManager.privilegeFromName(Privilege.JCR_READ)}, true, hashMap);
                this.editor.setPolicy(aCLTemplate2.getPath(), aCLTemplate2);
            } else {
                log.info("... policy for everyone principal already present.");
            }
            this.session.save();
            log.info("... done.");
        } catch (RepositoryException e) {
            log.error(new StringBuffer().append("Failed to set-up minimal access control for root node of workspace ").append(this.session.getWorkspace().getName()).toString());
            this.session.getRootNode().refresh(false);
            throw e;
        }
    }

    @Override // org.apache.jackrabbit.core.security.authorization.AccessControlProvider
    public AccessControlPolicy[] getEffectivePolicies(Path path) throws ItemNotFoundException, RepositoryException {
        AccessControlPolicy[] policies = this.editor.getPolicies(this.session.getJCRPath(path));
        AccessControlPolicy[] accessControlPolicyArr = new AccessControlPolicy[policies.length];
        for (int i = 0; i < policies.length; i++) {
            accessControlPolicyArr[i] = new UnmodifiableAccessControlList((ACLTemplate) policies[i]);
        }
        return accessControlPolicyArr;
    }

    @Override // org.apache.jackrabbit.core.security.authorization.AccessControlProvider
    public AccessControlEditor getEditor(Session session) {
        Class cls;
        checkInitialized();
        if (session instanceof SessionImpl) {
            try {
                return new ACLEditor((SessionImpl) session, this.session.getQPath(this.acRoot.getPath()));
            } catch (RepositoryException e) {
                log.error("Internal error: ", e.getMessage());
            }
        }
        Logger logger = log;
        StringBuffer append = new StringBuffer().append("Unable to build access control editor ");
        if (class$org$apache$jackrabbit$core$security$authorization$principalbased$ACLEditor == null) {
            cls = class$("org.apache.jackrabbit.core.security.authorization.principalbased.ACLEditor");
            class$org$apache$jackrabbit$core$security$authorization$principalbased$ACLEditor = cls;
        } else {
            cls = class$org$apache$jackrabbit$core$security$authorization$principalbased$ACLEditor;
        }
        logger.debug(append.append(cls.getName()).append(".").toString());
        return null;
    }

    @Override // org.apache.jackrabbit.core.security.authorization.AccessControlProvider
    public CompiledPermissions compilePermissions(Set set) throws RepositoryException {
        checkInitialized();
        return isAdminOrSystem(set) ? getAdminPermissions() : isReadOnly(set) ? getReadOnlyPermissions() : new CompiledPermissionImpl(this, set, (AnonymousClass1) null);
    }

    @Override // org.apache.jackrabbit.core.security.authorization.AccessControlProvider
    public boolean canAccessRoot(Set set) throws RepositoryException {
        checkInitialized();
        if (isAdminOrSystem(set)) {
            return true;
        }
        return new CompiledPermissionImpl(this, set, false, null).grants(PathFactoryImpl.getInstance().getRootPath(), 1);
    }

    static Class class$(String str) {
        try {
            return Class.forName(str);
        } catch (ClassNotFoundException e) {
            throw new NoClassDefFoundError().initCause(e);
        }
    }

    static {
        Class cls;
        if (class$org$apache$jackrabbit$core$security$authorization$principalbased$ACLProvider == null) {
            cls = class$("org.apache.jackrabbit.core.security.authorization.principalbased.ACLProvider");
            class$org$apache$jackrabbit$core$security$authorization$principalbased$ACLProvider = cls;
        } else {
            cls = class$org$apache$jackrabbit$core$security$authorization$principalbased$ACLProvider;
        }
        log = LoggerFactory.getLogger(cls);
    }
}
