package org.apache.jackrabbit.oak.security.authorization.accesscontrol;

import com.google.common.base.Function;
import com.google.common.base.Objects;
import com.google.common.base.Preconditions;
import com.google.common.base.Predicate;
import com.google.common.collect.Iterables;
import com.google.common.collect.Lists;
import java.security.Principal;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.annotation.CheckForNull;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.jcr.AccessDeniedException;
import javax.jcr.RepositoryException;
import javax.jcr.UnsupportedRepositoryOperationException;
import javax.jcr.Value;
import javax.jcr.query.Query;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlException;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.NamedAccessControlPolicy;
import javax.jcr.security.Privilege;
import joptsimple.internal.Strings;
import org.apache.jackrabbit.JcrConstants;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy;
import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
import org.apache.jackrabbit.api.security.principal.ItemBasedPrincipal;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.commons.iterator.AccessControlPolicyIteratorAdapter;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.commons.webdav.JcrRemotingConstants;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.QueryEngine;
import org.apache.jackrabbit.oak.api.Result;
import org.apache.jackrabbit.oak.api.ResultRow;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.commons.PathUtils;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.plugins.memory.PropertyBuilder;
import org.apache.jackrabbit.oak.plugins.nodetype.ReadOnlyNodeTypeManager;
import org.apache.jackrabbit.oak.security.authorization.restriction.PrincipalRestrictionProvider;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ACE;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlManager;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ImmutableACL;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.PolicyOwner;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalConfiguration;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider;
import org.apache.jackrabbit.oak.util.NodeUtil;
import org.apache.jackrabbit.oak.util.TreeUtil;
import org.apache.jackrabbit.util.ISO9075;
import org.apache.jackrabbit.util.Text;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX WARN: Classes with same name are omitted:
  input_file:WEB-INF/lib/oak-core-1.5.17.jar:org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.class
  input_file:WEB-INF/lib/oak-upgrade-1.5.17.jar:org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.class
 */
/* loaded from: input_file:WEB-INF/lib/oak-core-1.0.0.jar:org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl.class */
public class AccessControlManagerImpl extends AbstractAccessControlManager implements PolicyOwner {
    private static final Logger log = LoggerFactory.getLogger(AccessControlManagerImpl.class);
    private final PrivilegeBitsProvider bitsProvider;
    private final ReadOnlyNodeTypeManager ntMgr;
    private final PrincipalManager principalManager;
    private final RestrictionProvider restrictionProvider;
    private final Set<String> readPaths;

    /* JADX WARN: Classes with same name are omitted:
      input_file:WEB-INF/lib/oak-upgrade-1.5.17.jar:org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl$AcePredicate.class
     */
    /* loaded from: input_file:WEB-INF/lib/oak-core-1.5.17.jar:org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl$AcePredicate.class */
    private static final class AcePredicate implements Predicate<ACE> {
        private final Iterable<String> principalNames;

        private AcePredicate(@Nonnull Set<Principal> set) {
            this.principalNames = Iterables.transform(set, new Function<Principal, String>() { // from class: org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlManagerImpl.AcePredicate.1
                @Override // com.google.common.base.Function
                public String apply(Principal principal) {
                    return principal.getName();
                }
            });
        }

        @Override // com.google.common.base.Predicate
        public boolean apply(@Nullable ACE ace) {
            return ace != null && Iterables.contains(this.principalNames, ace.getPrincipal().getName());
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Classes with same name are omitted:
      input_file:WEB-INF/lib/oak-core-1.5.17.jar:org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl$Entry.class
      input_file:WEB-INF/lib/oak-upgrade-1.5.17.jar:org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl$Entry.class
     */
    /* loaded from: input_file:WEB-INF/lib/oak-core-1.0.0.jar:org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl$Entry.class */
    public final class Entry extends ACE {
        private Entry(Principal principal, PrivilegeBits privilegeBits, boolean z, Set<Restriction> set, NamePathMapper namePathMapper) throws AccessControlException {
            super(principal, privilegeBits, z, set, namePathMapper);
        }

        @Override // javax.jcr.security.AccessControlEntry
        public Privilege[] getPrivileges() {
            HashSet hashSet = new HashSet();
            for (String str : AccessControlManagerImpl.this.bitsProvider.getPrivilegeNames(getPrivilegeBits())) {
                try {
                    hashSet.add(AccessControlManagerImpl.this.getPrivilegeManager().getPrivilege(str));
                } catch (RepositoryException e) {
                    AccessControlManagerImpl.log.warn("Unable to get privilege with name : " + str, (Throwable) e);
                }
            }
            return (Privilege[]) hashSet.toArray(new Privilege[hashSet.size()]);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Classes with same name are omitted:
      input_file:WEB-INF/lib/oak-core-1.5.17.jar:org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl$NodeACL.class
      input_file:WEB-INF/lib/oak-upgrade-1.5.17.jar:org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl$NodeACL.class
     */
    /* loaded from: input_file:WEB-INF/lib/oak-core-1.0.0.jar:org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl$NodeACL.class */
    public class NodeACL extends ACL {
        NodeACL(@Nullable AccessControlManagerImpl accessControlManagerImpl, String str) {
            this(str, null);
        }

        NodeACL(@Nullable String str, @Nullable List<ACE> list) {
            super(str, list, AccessControlManagerImpl.this.getNamePathMapper());
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlList
        @Nonnull
        public RestrictionProvider getRestrictionProvider() {
            return AccessControlManagerImpl.this.restrictionProvider;
        }

        @Override // org.apache.jackrabbit.oak.security.authorization.accesscontrol.ACL
        ACE createACE(Principal principal, PrivilegeBits privilegeBits, boolean z, Set<Restriction> set) throws RepositoryException {
            return new Entry(principal, privilegeBits, z, set, getNamePathMapper());
        }

        @Override // org.apache.jackrabbit.oak.security.authorization.accesscontrol.ACL
        void checkValidPrincipal(Principal principal) throws AccessControlException {
            Util.checkValidPrincipal(principal, AccessControlManagerImpl.this.principalManager, 2 != Util.getImportBehavior(AccessControlManagerImpl.this.getConfig()));
        }

        @Override // org.apache.jackrabbit.oak.security.authorization.accesscontrol.ACL
        PrivilegeManager getPrivilegeManager() {
            return AccessControlManagerImpl.this.getPrivilegeManager();
        }

        @Override // org.apache.jackrabbit.oak.security.authorization.accesscontrol.ACL
        PrivilegeBits getPrivilegeBits(Privilege[] privilegeArr) {
            return AccessControlManagerImpl.this.bitsProvider.getBits(privilegeArr, getNamePathMapper());
        }

        public boolean equals(Object obj) {
            if (obj == this) {
                return true;
            }
            if (!(obj instanceof NodeACL)) {
                return false;
            }
            NodeACL nodeACL = (NodeACL) obj;
            return Objects.equal(getOakPath(), nodeACL.getOakPath()) && getEntries().equals(nodeACL.getEntries());
        }

        public int hashCode() {
            return 0;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Classes with same name are omitted:
      input_file:WEB-INF/lib/oak-core-1.5.17.jar:org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl$PrincipalACL.class
      input_file:WEB-INF/lib/oak-upgrade-1.5.17.jar:org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl$PrincipalACL.class
     */
    /* loaded from: input_file:WEB-INF/lib/oak-core-1.0.0.jar:org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl$PrincipalACL.class */
    public final class PrincipalACL extends ACL {
        private final Principal principal;
        private final RestrictionProvider rProvider;

        private PrincipalACL(@Nullable AccessControlManagerImpl accessControlManagerImpl, @Nonnull String str, Principal principal) {
            this(str, principal, null, new PrincipalRestrictionProvider(accessControlManagerImpl.restrictionProvider));
        }

        private PrincipalACL(@Nullable String str, @Nonnull Principal principal, @Nullable List<ACE> list, @Nonnull RestrictionProvider restrictionProvider) {
            super(str, list, AccessControlManagerImpl.this.getNamePathMapper());
            this.principal = principal;
            this.rProvider = restrictionProvider;
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlList
        @Nonnull
        public RestrictionProvider getRestrictionProvider() {
            return this.rProvider;
        }

        @Override // org.apache.jackrabbit.oak.security.authorization.accesscontrol.ACL
        ACE createACE(Principal principal, PrivilegeBits privilegeBits, boolean z, Set<Restriction> set) throws RepositoryException {
            return new Entry(principal, privilegeBits, z, set, getNamePathMapper());
        }

        @Override // org.apache.jackrabbit.oak.security.authorization.accesscontrol.ACL
        void checkValidPrincipal(Principal principal) throws AccessControlException {
            Util.checkValidPrincipal(principal, AccessControlManagerImpl.this.principalManager, true);
        }

        @Override // org.apache.jackrabbit.oak.security.authorization.accesscontrol.ACL
        PrivilegeManager getPrivilegeManager() {
            return AccessControlManagerImpl.this.getPrivilegeManager();
        }

        @Override // org.apache.jackrabbit.oak.security.authorization.accesscontrol.ACL
        PrivilegeBits getPrivilegeBits(Privilege[] privilegeArr) {
            return AccessControlManagerImpl.this.bitsProvider.getBits(privilegeArr, getNamePathMapper());
        }

        @Override // org.apache.jackrabbit.oak.security.authorization.accesscontrol.ACL, org.apache.jackrabbit.api.security.JackrabbitAccessControlList
        public void orderBefore(AccessControlEntry accessControlEntry, AccessControlEntry accessControlEntry2) throws RepositoryException {
            throw new UnsupportedRepositoryOperationException("reordering is not supported");
        }

        public boolean equals(Object obj) {
            if (obj == this) {
                return true;
            }
            if (!(obj instanceof PrincipalACL)) {
                return false;
            }
            PrincipalACL principalACL = (PrincipalACL) obj;
            return Objects.equal(getOakPath(), principalACL.getOakPath()) && getEntries().equals(principalACL.getEntries());
        }

        public int hashCode() {
            return 0;
        }
    }

    /* JADX WARN: Classes with same name are omitted:
      input_file:WEB-INF/lib/oak-core-1.5.17.jar:org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl$ReadPolicy.class
      input_file:WEB-INF/lib/oak-upgrade-1.5.17.jar:org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl$ReadPolicy.class
     */
    /* loaded from: input_file:WEB-INF/lib/oak-core-1.0.0.jar:org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerImpl$ReadPolicy.class */
    private static final class ReadPolicy implements NamedAccessControlPolicy {
        private static final NamedAccessControlPolicy INSTANCE = new ReadPolicy();

        private ReadPolicy() {
        }

        @Override // javax.jcr.security.NamedAccessControlPolicy
        public String getName() {
            return "Grants read access on configured trees.";
        }
    }

    public AccessControlManagerImpl(@Nonnull Root root, @Nonnull NamePathMapper namePathMapper, @Nonnull SecurityProvider securityProvider) {
        super(root, namePathMapper, securityProvider);
        this.bitsProvider = new PrivilegeBitsProvider(root);
        this.ntMgr = ReadOnlyNodeTypeManager.getInstance(root, namePathMapper);
        this.principalManager = ((PrincipalConfiguration) securityProvider.getConfiguration(PrincipalConfiguration.class)).getPrincipalManager(root, namePathMapper);
        this.restrictionProvider = getConfig().getRestrictionProvider();
        this.readPaths = (Set) getConfig().getParameters().getConfigValue(PermissionConstants.PARAM_READ_PATHS, PermissionConstants.DEFAULT_READ_PATHS);
    }

    @Override // javax.jcr.security.AccessControlManager
    @Nonnull
    public AccessControlPolicy[] getPolicies(@Nullable String str) throws RepositoryException {
        String oakPath = getOakPath(str);
        JackrabbitAccessControlList createACL = createACL(oakPath, getTree(oakPath, 128L, true), false);
        ArrayList arrayList = new ArrayList(2);
        if (createACL != null) {
            arrayList.add(createACL);
        }
        if (this.readPaths.contains(oakPath)) {
            arrayList.add(ReadPolicy.INSTANCE);
        }
        return (AccessControlPolicy[]) arrayList.toArray(new AccessControlPolicy[arrayList.size()]);
    }

    @Override // javax.jcr.security.AccessControlManager
    @Nonnull
    public AccessControlPolicy[] getEffectivePolicies(@Nullable String str) throws RepositoryException {
        String oakPath = getOakPath(str);
        Tree tree = getTree(oakPath, 128L, true);
        Root latestRoot = getRoot().getContentSession().getLatestRoot();
        Tree tree2 = latestRoot.getTree(tree.getPath());
        ArrayList arrayList = new ArrayList();
        JackrabbitAccessControlList createACL = createACL(oakPath, tree2, true);
        if (createACL != null) {
            arrayList.add(createACL);
        }
        if (oakPath != null) {
            String relativeParent = Text.getRelativeParent(oakPath, 1);
            while (true) {
                String str2 = relativeParent;
                if (str2.isEmpty()) {
                    break;
                }
                JackrabbitAccessControlList createACL2 = createACL(str2, latestRoot.getTree(str2), true);
                if (createACL2 != null) {
                    arrayList.add(createACL2);
                }
                relativeParent = PathUtils.denotesRoot(str2) ? "" : Text.getRelativeParent(str2, 1);
            }
        }
        if (this.readPaths.contains(oakPath)) {
            arrayList.add(ReadPolicy.INSTANCE);
        }
        return (AccessControlPolicy[]) arrayList.toArray(new AccessControlPolicy[arrayList.size()]);
    }

    @Override // javax.jcr.security.AccessControlManager
    @Nonnull
    public AccessControlPolicyIterator getApplicablePolicies(@Nullable String str) throws RepositoryException {
        String oakPath = getOakPath(str);
        Tree tree = getTree(oakPath, 128L, true);
        NodeACL nodeACL = null;
        if (getAclTree(oakPath, tree) == null) {
            if (tree.hasChild(Util.getAclName(oakPath))) {
                log.warn("Colliding policy child without node being access controllable ({}).", str);
            } else {
                String mixinName = Util.getMixinName(oakPath);
                if (this.ntMgr.isNodeType(tree, mixinName) || this.ntMgr.getEffectiveNodeType(tree).supportsMixin(mixinName)) {
                    nodeACL = new NodeACL(this, oakPath);
                } else {
                    log.warn("Node {} cannot be made access controllable.", str);
                }
            }
        }
        return nodeACL == null ? AccessControlPolicyIteratorAdapter.EMPTY : new AccessControlPolicyIteratorAdapter(Collections.singleton(nodeACL));
    }

    @Override // javax.jcr.security.AccessControlManager
    public void setPolicy(@Nullable String str, @Nonnull AccessControlPolicy accessControlPolicy) throws RepositoryException {
        String oakPath = getOakPath(str);
        Util.checkValidPolicy(oakPath, accessControlPolicy);
        if (accessControlPolicy instanceof PrincipalACL) {
            setPrincipalBasedAcl((PrincipalACL) accessControlPolicy);
        } else {
            setNodeBasedAcl(oakPath, getTree(oakPath, 256L, true), (ACL) accessControlPolicy);
        }
    }

    private void setPrincipalBasedAcl(PrincipalACL principalACL) throws RepositoryException {
        JackrabbitAccessControlPolicy[] policies = getPolicies(principalACL.principal);
        PrincipalACL principalACL2 = policies.length == 0 ? null : (PrincipalACL) policies[0];
        ArrayList<ACE> newArrayList = Lists.newArrayList(principalACL.getEntries());
        List<ACE> emptyList = Collections.emptyList();
        if (principalACL2 != null) {
            newArrayList.removeAll(principalACL2.getEntries());
            emptyList = principalACL2.getEntries();
            emptyList.removeAll(principalACL.getEntries());
        }
        for (ACE ace : newArrayList) {
            String nodePath = getNodePath(ace);
            Tree tree = getTree(nodePath, 256L, true);
            ACL acl = (ACL) createACL(nodePath, tree, false);
            if (acl == null) {
                acl = new NodeACL(this, nodePath);
            }
            HashMap hashMap = new HashMap();
            for (String str : ace.getRestrictionNames()) {
                if (!AccessControlConstants.REP_NODE_PATH.equals(str)) {
                    hashMap.put(str, ace.getRestriction(str));
                }
            }
            acl.addEntry(ace.getPrincipal(), ace.getPrivileges(), ace.isAllow(), hashMap);
            setNodeBasedAcl(nodePath, tree, acl);
        }
        for (ACE ace2 : emptyList) {
            String nodePath2 = getNodePath(ace2);
            Tree tree2 = getTree(nodePath2, 256L, true);
            ACL acl2 = (ACL) createACL(nodePath2, tree2, false);
            if (acl2 != null) {
                acl2.removeAccessControlEntry(ace2);
                setNodeBasedAcl(nodePath2, tree2, acl2);
            } else {
                log.debug("Missing ACL at {}; cannot remove entry {}", nodePath2, ace2);
            }
        }
    }

    private void setNodeBasedAcl(@Nullable String str, @Nonnull Tree tree, @Nonnull ACL acl) throws RepositoryException {
        Tree aclTree = getAclTree(str, tree);
        if (aclTree != null) {
            Iterator<Tree> it = aclTree.getChildren().iterator();
            while (it.hasNext()) {
                it.next().remove();
            }
        } else {
            aclTree = createAclTree(str, tree);
        }
        aclTree.setOrderableChildren(true);
        for (ACE ace : acl.getEntries()) {
            boolean isAllow = ace.isAllow();
            NodeUtil addChild = new NodeUtil(aclTree).addChild(Util.generateAceName(aclTree, isAllow), isAllow ? AccessControlConstants.NT_REP_GRANT_ACE : AccessControlConstants.NT_REP_DENY_ACE);
            addChild.setString("rep:principalName", ace.getPrincipal().getName());
            addChild.setNames("rep:privileges", AccessControlUtils.namesFromPrivileges(ace.getPrivileges()));
            this.restrictionProvider.writeRestrictions(str, addChild.getTree(), ace.getRestrictions());
        }
    }

    @Override // javax.jcr.security.AccessControlManager
    public void removePolicy(@Nullable String str, @Nonnull AccessControlPolicy accessControlPolicy) throws RepositoryException {
        String oakPath = getOakPath(str);
        Util.checkValidPolicy(oakPath, accessControlPolicy);
        if (!(accessControlPolicy instanceof PrincipalACL)) {
            Tree aclTree = getAclTree(oakPath, getTree(oakPath, 256L, true));
            if (aclTree == null) {
                throw new AccessControlException("No policy to remove at " + str);
            }
            aclTree.remove();
            return;
        }
        PrincipalACL principalACL = (PrincipalACL) accessControlPolicy;
        for (ACE ace : principalACL.getEntries()) {
            String nodePath = getNodePath(ace);
            Tree aclTree2 = getAclTree(nodePath, getTree(nodePath, 256L, true));
            if (aclTree2 == null) {
                throw new AccessControlException("Unable to retrieve policy node at " + nodePath);
            }
            for (Tree tree : aclTree2.getChildren()) {
                if (ace.equals(createACE(nodePath, tree, principalACL.rProvider))) {
                    tree.remove();
                }
            }
            if (!aclTree2.getChildren().iterator().hasNext()) {
                aclTree2.remove();
            }
        }
    }

    @Override // org.apache.jackrabbit.api.security.JackrabbitAccessControlManager
    @Nonnull
    public JackrabbitAccessControlPolicy[] getApplicablePolicies(@Nonnull Principal principal) throws RepositoryException {
        Util.checkValidPrincipal(principal, this.principalManager, true);
        String path = principal instanceof ItemBasedPrincipal ? ((ItemBasedPrincipal) principal).getPath() : null;
        return createPrincipalACL(path, principal) != null ? new JackrabbitAccessControlPolicy[0] : new JackrabbitAccessControlPolicy[]{new PrincipalACL(path, principal)};
    }

    @Override // org.apache.jackrabbit.api.security.JackrabbitAccessControlManager
    @Nonnull
    public JackrabbitAccessControlPolicy[] getPolicies(@Nonnull Principal principal) throws RepositoryException {
        Util.checkValidPrincipal(principal, this.principalManager, true);
        JackrabbitAccessControlList createPrincipalACL = createPrincipalACL(principal instanceof ItemBasedPrincipal ? ((ItemBasedPrincipal) principal).getPath() : null, principal);
        return createPrincipalACL != null ? new JackrabbitAccessControlPolicy[]{createPrincipalACL} : new JackrabbitAccessControlPolicy[0];
    }

    @Override // org.apache.jackrabbit.api.security.JackrabbitAccessControlManager
    @Nonnull
    public AccessControlPolicy[] getEffectivePolicies(@Nonnull Set<Principal> set) throws RepositoryException {
        Util.checkValidPrincipals(set, this.principalManager);
        Root latestRoot = getLatestRoot();
        Result searchAces = searchAces(set, latestRoot);
        ArrayList arrayList = new ArrayList();
        Iterator<? extends ResultRow> it = searchAces.getRows().iterator();
        while (it.hasNext()) {
            String path = it.next().getPath();
            String name = Text.getName(Text.getRelativeParent(path, 1));
            Tree tree = latestRoot.getTree(Text.getRelativeParent(path, 2));
            if (name.isEmpty() || !tree.exists()) {
                log.debug("Isolated access control entry -> ignore query result at " + path);
            } else {
                JackrabbitAccessControlList createACL = createACL(AccessControlConstants.REP_REPO_POLICY.equals(name) ? null : tree.getPath(), tree, true);
                if (createACL != null) {
                    arrayList.add(createACL);
                }
            }
        }
        return (AccessControlPolicy[]) arrayList.toArray(new AccessControlPolicy[arrayList.size()]);
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.PolicyOwner
    public boolean defines(String str, AccessControlPolicy accessControlPolicy) {
        try {
            return Util.isValidPolicy(getOakPath(str), accessControlPolicy);
        } catch (RepositoryException e) {
            log.warn("Invalid absolute path: " + str, e.getMessage());
            return false;
        }
    }

    @CheckForNull
    private Tree getAclTree(@Nullable String str, @Nonnull Tree tree) {
        if (!Util.isAccessControlled(str, tree, this.ntMgr)) {
            return null;
        }
        Tree child = tree.getChild(Util.getAclName(str));
        if (child.exists()) {
            return child;
        }
        return null;
    }

    @Nonnull
    private Tree createAclTree(@Nullable String str, @Nonnull Tree tree) throws AccessDeniedException {
        if (!Util.isAccessControlled(str, tree, this.ntMgr)) {
            PropertyState property = tree.getProperty(JcrConstants.JCR_MIXINTYPES);
            String mixinName = Util.getMixinName(str);
            if (property == null) {
                tree.setProperty(JcrConstants.JCR_MIXINTYPES, Collections.singleton(mixinName), Type.NAMES);
            } else {
                PropertyBuilder copy = PropertyBuilder.copy(Type.NAME, property);
                copy.addValue(mixinName);
                tree.setProperty(copy.getPropertyState());
            }
        }
        return new NodeUtil(tree).addChild(Util.getAclName(str), AccessControlConstants.NT_REP_ACL).getTree();
    }

    @CheckForNull
    private JackrabbitAccessControlList createACL(@Nullable String str, @Nonnull Tree tree, boolean z) throws RepositoryException {
        JackrabbitAccessControlList jackrabbitAccessControlList = null;
        String aclName = Util.getAclName(str);
        if (tree.exists() && Util.isAccessControlled(str, tree, this.ntMgr)) {
            Tree child = tree.getChild(aclName);
            if (child.exists()) {
                ArrayList arrayList = new ArrayList();
                for (Tree tree2 : child.getChildren()) {
                    if (Util.isACE(tree2, this.ntMgr)) {
                        arrayList.add(createACE(str, tree2, this.restrictionProvider));
                    }
                }
                jackrabbitAccessControlList = z ? new ImmutableACL(str, arrayList, this.restrictionProvider, getNamePathMapper()) : new NodeACL(str, arrayList);
            }
        }
        return jackrabbitAccessControlList;
    }

    @Nullable
    private JackrabbitAccessControlList createPrincipalACL(@Nullable String str, @Nonnull Principal principal) throws RepositoryException {
        Root root = getRoot();
        Result searchAces = searchAces(Collections.singleton(principal), root);
        PrincipalRestrictionProvider principalRestrictionProvider = new PrincipalRestrictionProvider(this.restrictionProvider);
        ArrayList arrayList = new ArrayList();
        Iterator<? extends ResultRow> it = searchAces.getRows().iterator();
        while (it.hasNext()) {
            Tree tree = root.getTree(it.next().getPath());
            if (Util.isACE(tree, this.ntMgr)) {
                String relativeParent = Text.getRelativeParent(tree.getPath(), 1);
                arrayList.add(createACE(relativeParent.endsWith(AccessControlConstants.REP_REPO_POLICY) ? null : Text.getRelativeParent(relativeParent, 1), tree, principalRestrictionProvider));
            }
        }
        if (arrayList.isEmpty()) {
            return null;
        }
        return new PrincipalACL(str, principal, arrayList, principalRestrictionProvider);
    }

    @Nonnull
    private ACE createACE(@Nullable String str, @Nonnull Tree tree, @Nonnull RestrictionProvider restrictionProvider) throws RepositoryException {
        return new Entry(getPrincipal(tree), this.bitsProvider.getBits((Iterable<String>) Preconditions.checkNotNull(TreeUtil.getStrings(tree, "rep:privileges"))), AccessControlConstants.NT_REP_GRANT_ACE.equals(TreeUtil.getPrimaryTypeName(tree)), restrictionProvider.readRestrictions(str, tree), getNamePathMapper());
    }

    @Nonnull
    private static Result searchAces(@Nonnull Set<Principal> set, @Nonnull Root root) throws RepositoryException {
        StringBuilder sb = new StringBuilder(JcrRemotingConstants.ROOT_ITEM_RESOURCEPATH);
        sb.append("//element(*,");
        sb.append(AccessControlConstants.NT_REP_ACE);
        sb.append(")[");
        int i = 0;
        for (Principal principal : set) {
            if (i > 0) {
                sb.append(" or ");
            }
            sb.append('@');
            sb.append(ISO9075.encode("rep:principalName"));
            sb.append("='");
            sb.append(principal.getName().replaceAll(Strings.SINGLE_QUOTE, "''"));
            sb.append('\'');
            i++;
        }
        sb.append(']');
        sb.append(" order by jcr:path");
        try {
            return root.getQueryEngine().executeQuery(sb.toString(), Query.XPATH, org.tukaani.xz.common.Util.VLI_MAX, 0L, QueryEngine.NO_BINDINGS, QueryEngine.NO_MAPPINGS);
        } catch (ParseException e) {
            log.error("Error while collecting effective policies.", e.getMessage());
            throw new RepositoryException("Error while collecting effective policies.", e);
        }
    }

    @Nonnull
    private Principal getPrincipal(@Nonnull Tree tree) {
        String str = (String) Preconditions.checkNotNull(TreeUtil.getString(tree, "rep:principalName"));
        Principal principal = this.principalManager.getPrincipal(str);
        if (principal == null) {
            log.debug("Unknown principal " + str);
            principal = new PrincipalImpl(str);
        }
        return principal;
    }

    private String getNodePath(ACE ace) throws RepositoryException {
        Value restriction = ace.getRestriction(AccessControlConstants.REP_NODE_PATH);
        if (restriction == null) {
            throw new AccessControlException("Missing mandatory restriction rep:nodePath");
        }
        return getOakPath(restriction.getString());
    }
}
