package org.apache.jackrabbit.oak.security.authorization.accesscontrol;

import com.google.common.base.Preconditions;
import java.security.AccessControlException;
import java.security.Principal;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.nodetype.ConstraintViolationException;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.plugins.nodetype.ReadOnlyNodeTypeManager;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalConfiguration;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
import org.apache.jackrabbit.oak.spi.xml.NodeInfo;
import org.apache.jackrabbit.oak.spi.xml.PropInfo;
import org.apache.jackrabbit.oak.spi.xml.ProtectedNodeImporter;
import org.apache.jackrabbit.oak.spi.xml.ReferenceChangeTracker;
import org.apache.jackrabbit.oak.spi.xml.TextValue;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX WARN: Classes with same name are omitted:
  input_file:WEB-INF/lib/oak-core-1.5.17.jar:org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlImporter.class
 */
/* loaded from: input_file:WEB-INF/lib/oak-upgrade-1.5.17.jar:org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlImporter.class */
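/**
 * Protected-node importer for access control content.
 *
 * <p>The importer handles {@code rep:policy} / {@code rep:repoPolicy} trees of type
 * {@code rep:ACL}. For each such tree the matching access control list is looked up,
 * <em>all of its existing entries are removed</em> (see {@link #getACL(Tree)}), the
 * imported ACE child nodes are applied, and the list is written back in
 * {@link #end(Tree)}. The import therefore replaces an existing ACL; it does not merge
 * into it.
 *
 * <p>Principal names, privilege names and restriction values are all taken from the
 * imported content and should be treated as caller-supplied input.
 *
 * <p>The instance keeps per-import mutable state ({@code acl}, {@code entry},
 * {@code childStatus}) without any synchronization.
 */
public class AccessControlImporter implements ProtectedNodeImporter, AccessControlConstants {
    private static final Logger log = LoggerFactory.getLogger(AccessControlImporter.class);

    // State of the child node currently being imported.
    private static final int CHILD_STATUS_UNDEFINED = 0;
    private static final int CHILD_STATUS_ACE = 1;
    private static final int CHILD_STATUS_RESTRICTION = 2;

    // Import-behavior values switched on in MutableEntry#setPrincipal.
    // NOTE(review): presumably these mirror the ImportBehavior IGNORE / best-effort / ABORT
    // constants of the import SPI (the IGNORE name appears in the log message in
    // MutableEntry#applyTo) - confirm against Util.getImportBehavior.
    private static final int IMPORT_BEHAVIOR_IGNORE = 1;
    private static final int IMPORT_BEHAVIOR_BEST_EFFORT = 2;
    private static final int IMPORT_BEHAVIOR_ABORT = 3;

    private AccessControlManager acMgr;
    private PrincipalManager principalManager;
    private ReadOnlyNodeTypeManager ntMgr;
    private boolean initialized = false;
    private int childStatus;
    private JackrabbitAccessControlList acl;
    private MutableEntry entry;
    private int importBehavior;

    /**
     * Accumulates the principal, privileges and restrictions of a single imported ACE
     * until it can be added to the access control list.
     */
    private final class MutableEntry {
        private final boolean isAllow;
        private Principal principal;
        private List<Privilege> privileges;
        private Map<String, Value> restrictions;
        private boolean ignore;

        private MutableEntry(boolean isAllow) {
            this.restrictions = new HashMap<>();
            this.isAllow = isAllow;
        }

        /**
         * Resolves the imported principal name through the principal manager.
         *
         * <p>If the name is unknown, the configured import behavior decides:
         * <ul>
         *   <li>ignore: the whole ACE is skipped when applied;</li>
         *   <li>best effort: a {@link PrincipalImpl} is created from the bare name, so the
         *       resulting ACE refers to a principal the principal manager does not know.
         *       NOTE(review): such an entry would presumably start to apply to any
         *       principal later created under that name - confirm this is intended for
         *       the deployments that enable best-effort import;</li>
         *   <li>abort: an {@link AccessControlException} is thrown.</li>
         * </ul>
         * For any other import-behavior value the principal is left {@code null}.
         *
         * @param textValue imported value of {@code rep:principalName}
         * @throws AccessControlException if the principal is unknown and the import
         *         behavior is "abort"
         */
        private void setPrincipal(TextValue textValue) {
            String principalName = textValue.getString();
            this.principal = principalManager.getPrincipal(principalName);
            if (this.principal != null) {
                return;
            }
            switch (importBehavior) {
                case IMPORT_BEHAVIOR_IGNORE:
                    // The name comes from the imported content and is logged as-is.
                    log.debug("Unknown principal {} -> Ignoring this ACE.", principalName);
                    this.ignore = true;
                    break;
                case IMPORT_BEHAVIOR_BEST_EFFORT:
                    this.principal = new PrincipalImpl(principalName);
                    break;
                case IMPORT_BEHAVIOR_ABORT:
                    throw new AccessControlException("Unknown principal " + principalName);
                default:
                    // Unrecognized behavior: principal stays null and is handed to
                    // addEntry as such in applyTo.
                    break;
            }
        }

        /**
         * Resolves every imported privilege name through the access control manager.
         *
         * @param list imported values of {@code rep:privileges}
         * @throws RepositoryException if a value cannot be converted or a privilege name
         *         cannot be resolved
         */
        private void setPrivilegeNames(List<? extends TextValue> list) throws RepositoryException {
            List<Privilege> resolved = new ArrayList<>(list.size());
            for (TextValue textValue : list) {
                // 7 == javax.jcr.PropertyType.NAME
                resolved.add(acMgr.privilegeFromName(textValue.getValue(7).getString()));
            }
            this.privileges = resolved;
        }

        /**
         * Records one restriction, converting its value to the type the target ACL
         * reports for that restriction name.
         *
         * @param propInfo imported restriction property
         * @throws RepositoryException if the restriction type lookup or value conversion fails
         */
        private void addRestriction(PropInfo propInfo) throws RepositoryException {
            String restrictionName = propInfo.getName();
            int requiredType = acl.getRestrictionType(restrictionName);
            this.restrictions.put(restrictionName, propInfo.getValue(requiredType));
        }

        /**
         * Records all given restriction properties; see {@link #addRestriction(PropInfo)}.
         *
         * @param list imported restriction properties
         * @throws RepositoryException if any single restriction cannot be recorded
         */
        private void addRestrictions(List<PropInfo> list) throws RepositoryException {
            for (PropInfo propInfo : list) {
                addRestriction(propInfo);
            }
        }

        /**
         * Adds the collected entry to the given list unless it was marked as ignored.
         *
         * @param jackrabbitAccessControlList target list, must not be {@code null}
         * @throws ConstraintViolationException if the imported ACE carried no
         *         {@code rep:privileges} property
         * @throws RepositoryException if the list rejects the entry
         */
        private void applyTo(JackrabbitAccessControlList jackrabbitAccessControlList) throws RepositoryException {
            Preconditions.checkNotNull(jackrabbitAccessControlList);
            if (this.ignore) {
                log.debug("Unknown principal: Ignore ACE based on ImportBehavior.IGNORE configuration.");
                return;
            }
            if (this.privileges == null) {
                // An ACE node without rep:privileges never reaches setPrivilegeNames;
                // reject it as invalid content instead of failing with a NullPointerException.
                throw new ConstraintViolationException("Invalid ACE: missing rep:privileges property");
            }
            // A null principal (missing rep:principalName, or unrecognized import behavior)
            // is passed through; validation of it is left to addEntry.
            jackrabbitAccessControlList.addEntry(
                    this.principal,
                    this.privileges.toArray(new Privilege[0]),
                    this.isAllow,
                    this.restrictions);
        }
    }

    /**
     * Initializes the importer; may only be called once.
     *
     * <p>When {@code z} is {@code true} the access control and principal managers are
     * obtained from the security provider's configurations for the given {@code root};
     * otherwise they are taken from the {@code session}. Parameter {@code i} is not used
     * by this importer.
     * NOTE(review): {@code z} / {@code i} are decompiler names - presumably the
     * workspace-import flag and the UUID behavior of the importer interface; confirm.
     *
     * @return {@code true} if initialization succeeded, {@code false} if a
     *         {@link RepositoryException} occurred (it is logged at warn level)
     * @throws IllegalStateException if the importer is already initialized
     */
    @Override // org.apache.jackrabbit.oak.spi.xml.ProtectedItemImporter
    public boolean init(@Nonnull Session session, @Nonnull Root root, @Nonnull NamePathMapper namePathMapper, boolean z, int i, @Nonnull ReferenceChangeTracker referenceChangeTracker, @Nonnull SecurityProvider securityProvider) {
        if (this.initialized) {
            throw new IllegalStateException("Already initialized");
        }
        try {
            AuthorizationConfiguration authorizationConfiguration = securityProvider.getConfiguration(AuthorizationConfiguration.class);
            this.importBehavior = Util.getImportBehavior(authorizationConfiguration);
            if (z) {
                this.acMgr = authorizationConfiguration.getAccessControlManager(root, namePathMapper);
                PrincipalConfiguration principalConfiguration = securityProvider.getConfiguration(PrincipalConfiguration.class);
                this.principalManager = principalConfiguration.getPrincipalManager(root, namePathMapper);
            } else {
                this.acMgr = session.getAccessControlManager();
                this.principalManager = ((JackrabbitSession) session).getPrincipalManager();
            }
            this.ntMgr = ReadOnlyNodeTypeManager.getInstance(root, namePathMapper);
            this.initialized = true;
        } catch (RepositoryException e) {
            log.warn("Error while initializing access control importer", e);
        }
        return this.initialized;
    }

    /** No reference post-processing is needed for access control content. */
    @Override // org.apache.jackrabbit.oak.spi.xml.ProtectedItemImporter
    public void processReferences() throws RepositoryException {
    }

    /**
     * Starts the import of a protected tree.
     *
     * @return {@code true} if the tree is an ACL this importer handles; in that case the
     *         existing entries of the list have already been removed
     * @throws IllegalStateException if the importer is not initialized
     */
    @Override // org.apache.jackrabbit.oak.spi.xml.ProtectedNodeImporter
    public boolean start(@Nonnull Tree tree) throws RepositoryException {
        checkInitialized();
        this.acl = getACL(tree);
        return this.acl != null;
    }

    /**
     * Writes the modified access control list back through the access control manager.
     *
     * @throws IllegalStateException if no list is pending, i.e. {@link #start(Tree)} did
     *         not return {@code true} beforehand
     */
    @Override // org.apache.jackrabbit.oak.spi.xml.ProtectedNodeImporter
    public void end(@Nonnull Tree tree) throws RepositoryException {
        if (this.acl == null) {
            throw new IllegalStateException("End reached without ACL to write back.");
        }
        this.acMgr.setPolicy(this.acl.getPath(), this.acl);
        this.acl = null;
    }

    /**
     * Handles the start of a child node of the ACL: either an ACE (grant or deny) or the
     * restrictions node of the ACE currently being built.
     *
     * @throws ConstraintViolationException if the node type is neither an ACE nor a
     *         restrictions node, if ACEs are nested, or if restrictions appear outside an ACE
     * @throws IllegalStateException if the importer is not initialized
     */
    @Override // org.apache.jackrabbit.oak.spi.xml.ProtectedNodeImporter
    public void startChildInfo(@Nonnull NodeInfo nodeInfo, @Nonnull List<PropInfo> list) throws RepositoryException {
        checkInitialized();
        String primaryTypeName = nodeInfo.getPrimaryTypeName();
        boolean isGrant = AccessControlConstants.NT_REP_GRANT_ACE.equals(primaryTypeName);
        boolean isDeny = AccessControlConstants.NT_REP_DENY_ACE.equals(primaryTypeName);

        if (isGrant || isDeny) {
            if (this.entry != null) {
                throw new ConstraintViolationException("Invalid child node sequence: ACEs may not be nested.");
            }
            this.entry = new MutableEntry(isGrant);
            for (PropInfo propInfo : list) {
                String name = propInfo.getName();
                if ("rep:principalName".equals(name)) {
                    this.entry.setPrincipal(propInfo.getTextValue());
                } else if ("rep:privileges".equals(name)) {
                    this.entry.setPrivilegeNames(propInfo.getTextValues());
                } else {
                    // Any other property on the ACE node is treated as a restriction.
                    this.entry.addRestriction(propInfo);
                }
            }
            this.childStatus = CHILD_STATUS_ACE;
            return;
        }

        if (!AccessControlConstants.NT_REP_RESTRICTIONS.equals(primaryTypeName)) {
            throw new ConstraintViolationException("Invalid child node with type " + primaryTypeName);
        }
        if (this.entry == null) {
            throw new ConstraintViolationException("Invalid child node sequence: Restriction must be associated with an ACE");
        }
        this.entry.addRestrictions(list);
        this.childStatus = CHILD_STATUS_RESTRICTION;
    }

    /**
     * Handles the end of a child node: a finished ACE is applied to the pending list, a
     * finished restrictions node returns control to its enclosing ACE.
     *
     * @throws ConstraintViolationException if no child node is open
     * @throws IllegalStateException if the importer is not initialized
     */
    @Override // org.apache.jackrabbit.oak.spi.xml.ProtectedNodeImporter
    public void endChildInfo() throws RepositoryException {
        checkInitialized();
        switch (this.childStatus) {
            case CHILD_STATUS_ACE:
                this.entry.applyTo(this.acl);
                this.entry = null;
                this.childStatus = CHILD_STATUS_UNDEFINED;
                return;
            case CHILD_STATUS_RESTRICTION:
                this.childStatus = CHILD_STATUS_ACE;
                return;
            default:
                throw new ConstraintViolationException("Invalid child node sequence.");
        }
    }

    /** Fails with {@link IllegalStateException} unless {@code init} completed successfully. */
    private void checkInitialized() {
        if (!this.initialized) {
            throw new IllegalStateException("Not initialized");
        }
    }

    /**
     * Looks up the access control list that corresponds to the given policy tree and
     * empties it.
     *
     * <p>A {@code rep:policy} tree of type {@code rep:ACL} maps to the list at the parent
     * path; a {@code rep:repoPolicy} tree of type {@code rep:ACL} directly below the root
     * maps to the list at the {@code null} path. The root tree itself never matches.
     *
     * @return the list with all of its existing entries removed, or {@code null} if the
     *         tree is not an ACL handled here or no matching list exists
     */
    @CheckForNull
    private JackrabbitAccessControlList getACL(Tree tree) throws RepositoryException {
        String name = tree.getName();
        JackrabbitAccessControlList result = null;
        if (!tree.isRoot()) {
            Tree parent = tree.getParent();
            if (AccessControlConstants.REP_POLICY.equals(name) && this.ntMgr.isNodeType(tree, AccessControlConstants.NT_REP_ACL)) {
                result = getACL(parent.getPath());
            } else if (AccessControlConstants.REP_REPO_POLICY.equals(name) && this.ntMgr.isNodeType(tree, AccessControlConstants.NT_REP_ACL) && parent.isRoot()) {
                result = getACL((String) null);
            }
        }
        if (result != null) {
            // Existing entries are dropped so that the imported ACEs replace them.
            for (AccessControlEntry existing : result.getAccessControlEntries()) {
                result.removeAccessControlEntry(existing);
            }
        }
        return result;
    }

    /**
     * Returns the first {@link JackrabbitAccessControlList} among the policies the access
     * control manager reports for the given path.
     *
     * @param str the path passed to {@code getPolicies}; {@code null} is used by
     *        {@link #getACL(Tree)} for the {@code rep:repoPolicy} case
     * @return the first matching list, or {@code null} if there is none
     */
    @CheckForNull
    private JackrabbitAccessControlList getACL(String str) throws RepositoryException {
        for (AccessControlPolicy policy : this.acMgr.getPolicies(str)) {
            if (policy instanceof JackrabbitAccessControlList) {
                return (JackrabbitAccessControlList) policy;
            }
        }
        return null;
    }
}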
