package org.apache.jackrabbit.core.security.authorization.acl;

import java.security.Principal;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.jcr.AccessDeniedException;
import javax.jcr.ItemNotFoundException;
import javax.jcr.NodeIterator;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.query.QueryResult;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.core.NodeImpl;
import org.apache.jackrabbit.core.SessionImpl;
import org.apache.jackrabbit.core.id.NodeId;
import org.apache.jackrabbit.core.nodetype.NodeTypeImpl;
import org.apache.jackrabbit.core.security.SecurityConstants;
import org.apache.jackrabbit.core.security.authorization.AbstractAccessControlProvider;
import org.apache.jackrabbit.core.security.authorization.AccessControlConstants;
import org.apache.jackrabbit.core.security.authorization.AccessControlEditor;
import org.apache.jackrabbit.core.security.authorization.CompiledPermissions;
import org.apache.jackrabbit.core.security.authorization.UnmodifiableAccessControlList;
import org.apache.jackrabbit.spi.Name;
import org.apache.jackrabbit.spi.Path;
import org.apache.jackrabbit.util.ISO9075;
import org.apache.jackrabbit.util.Text;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/jackrabbit/core/security/authorization/acl/ACLProvider.class */
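/**
 * Access control provider backed by ACLs kept in policy child nodes.
 *
 * <p>A node counts as access controlled when it has the policy child node and the matching
 * mixin type (see {@link #isAccessControlled(NodeImpl)} and
 * {@link #isRepoAccessControlled(NodeImpl)}). Entries are read through an
 * {@link EntryCollector} created in {@link #init(Session, Map)}.
 *
 * <p>Security-relevant default: unless {@code PARAM_OMIT_DEFAULT_PERMISSIONS} is present in the
 * configuration map, {@code init} installs a root ACL that grants {@code jcr:all} to the
 * administrators principal (when it exists) and {@code jcr:read} to the everyone principal.
 */
public class ACLProvider extends AbstractAccessControlProvider implements AccessControlConstants {
    private static final Logger log = LoggerFactory.getLogger(ACLProvider.class);

    /**
     * Permission bit that must be granted on an access controlled node before its ACL is
     * returned by the path-based lookup.
     * NOTE(review): the literal 32 looks like an inlined {@code Permission.READ_AC}; confirm
     * against the Permission class and reference that constant directly if so.
     */
    private static final int READ_AC_PERMISSION = 32;

    private NodeId rootNodeId;
    private EntryCollector entryCollector;

    /**
     * Initializes the provider, optionally installs the default root ACL and creates the entry
     * collector.
     *
     * @param session session handed to the superclass initializer
     * @param map configuration; the mere presence of the key
     *        {@code PARAM_OMIT_DEFAULT_PERMISSIONS} suppresses the default root ACL
     * @throws RepositoryException if the root node cannot be accessed or the collector cannot
     *         be created
     */
    @Override
    public void init(Session session, Map map) throws RepositoryException {
        super.init(session, map);
        NodeImpl root = (NodeImpl) this.session.getRootNode();
        this.rootNodeId = root.getNodeId();
        ACLEditor editor = new ACLEditor(this.session, this);
        boolean installDefaults = !map.containsKey(AbstractAccessControlProvider.PARAM_OMIT_DEFAULT_PERMISSIONS);
        // Only a root without an existing policy gets the defaults; an existing ACL is left alone.
        if (installDefaults && !isAccessControlled(root)) {
            initRootACL(this.session, editor);
        }
        this.entryCollector = createEntryCollector(this.session);
    }

    /**
     * Closes the provider and releases the entry collector.
     */
    @Override
    public void close() {
        super.close();
        // init() may have failed before the collector was created; closing must not throw then.
        if (this.entryCollector != null) {
            this.entryCollector.close();
        }
    }

    /**
     * Returns the ACLs that take effect at the given path, or the repository-level ACL when
     * {@code path} is {@code null}.
     *
     * @param path absolute path of the item, or {@code null} for the repository-level policy
     * @param compiledPermissions permissions of the caller, used to decide whether each ACL
     *        may be read
     * @return the effective policies, possibly empty
     * @throws AccessDeniedException if the caller lacks the required permission on an access
     *         controlled node in the hierarchy
     * @throws ItemNotFoundException declared by the provider interface
     * @throws RepositoryException if another repository error occurs
     */
    @Override
    public AccessControlPolicy[] getEffectivePolicies(Path path, CompiledPermissions compiledPermissions) throws ItemNotFoundException, RepositoryException {
        checkInitialized();
        List<AccessControlList> policies = new ArrayList<>();
        NodeImpl start;
        if (path == null) {
            start = (NodeImpl) this.session.getRootNode();
            if (isRepoAccessControlled(start)) {
                if (!compiledPermissions.grants(start.getPrimaryPath(), READ_AC_PERMISSION)) {
                    throw new AccessDeniedException("Access denied at " + start.getPath());
                }
                policies.add(new UnmodifiableAccessControlList((List<? extends AccessControlEntry>) this.entryCollector.collectEntries(null, new EntryFilterImpl((Collection<String>) null, (NodeId) null, this.session))));
            }
        } else {
            start = (NodeImpl) this.session.getNode(this.session.getJCRPath(path));
            // When the target is itself part of an ACL, start from the node that ACL protects.
            collectAcls(getNode(start, isAcItem(start)), compiledPermissions, policies);
        }
        if (policies.isEmpty()) {
            log.warn("No access controlled node present in item hierarchy starting from " + start.getPath());
        }
        return (AccessControlPolicy[]) policies.toArray(new AccessControlList[policies.size()]);
    }

    /**
     * Returns the ACLs that contain at least one entry for any of the given principals.
     *
     * <p>The search is an XPath query over all ACE nodes, executed on the provider's own
     * session ({@code this.session}); the {@code canRead} check on each policy node is the only
     * place where the caller's compiled permissions are applied to the result.
     * NOTE(review): the path-based overload requires permission 32 on the controlled node,
     * while this one requires {@code canRead} on the policy node; confirm the difference is
     * intended.
     *
     * @param set principals to search ACEs for
     * @param compiledPermissions permissions of the caller
     * @return the matching policies in query order without duplicates, possibly empty
     * @throws AccessDeniedException if the caller may not read one of the matching policy nodes
     * @throws UnsupportedOperationException if the query itself fails
     * @throws RepositoryException if another repository error occurs
     */
    @Override
    public AccessControlPolicy[] getEffectivePolicies(Set<Principal> set, CompiledPermissions compiledPermissions) throws RepositoryException {
        checkInitialized();
        if (set.isEmpty()) {
            // With no principals the loop below would leave an empty predicate "[]" in the
            // query string; nothing can match, so answer without running that query.
            return new AccessControlPolicy[0];
        }
        String principalNameProperty = ISO9075.encode(this.session.getJCRName(P_PRINCIPAL_NAME));
        StringBuilder query = new StringBuilder("/jcr:root");
        query.append("//element(*,");
        query.append(this.session.getJCRName(NT_REP_ACE));
        query.append(")[");
        boolean first = true;
        for (Principal principal : set) {
            if (!first) {
                query.append(" or ");
            }
            first = false;
            query.append("@");
            query.append(principalNameProperty);
            query.append("='");
            // Principal names are not under this class's control: double every apostrophe so the
            // name cannot terminate the quoted literal and alter the predicate.
            query.append(principal.getName().replace("'", "''"));
            query.append("'");
        }
        query.append("]");
        try {
            QueryResult result = this.session.getWorkspace().getQueryManager().createQuery(query.toString(), "xpath").execute();
            Set<AccessControlPolicy> policies = new LinkedHashSet<>();
            NodeIterator aceNodes = result.getNodes();
            while (aceNodes.hasNext()) {
                // ACE node -> policy node -> node the policy is attached to.
                NodeImpl policyNode = (NodeImpl) aceNodes.nextNode().getParent();
                Name policyName = policyNode.getQName();
                NodeImpl controlledNode = (NodeImpl) policyNode.getParent();
                if (N_POLICY.equals(policyName) && isAccessControlled(controlledNode)) {
                    checkCanReadPolicy(policyNode, compiledPermissions);
                    policies.add(new UnmodifiableAccessControlList(this.entryCollector.getEntries(controlledNode).getACEs(), controlledNode.getPath(), Collections.emptyMap()));
                } else if (N_REPO_POLICY.equals(policyName) && isRepoAccessControlled(controlledNode)) {
                    checkCanReadPolicy(policyNode, compiledPermissions);
                    policies.add(new UnmodifiableAccessControlList((List<? extends AccessControlEntry>) this.entryCollector.collectEntries(null, new EntryFilterImpl((Collection<String>) null, (NodeId) null, this.session))));
                }
            }
            return policies.toArray(new AccessControlPolicy[policies.size()]);
        } catch (AccessDeniedException e) {
            // A denial is an authorization decision, not a failed search: let it reach the caller
            // unchanged instead of being reported as an unsupported operation.
            throw e;
        } catch (RepositoryException e) {
            // Pass the exception itself; a message string without a "{}" placeholder is dropped.
            log.error("Unexpected error while searching effective policies.", e);
            throw new UnsupportedOperationException("Retrieve effective policies for set of principals not supported.", e);
        }
    }

    /**
     * Fails unless the caller may read the given policy node.
     *
     * @throws AccessDeniedException naming the parent path of the policy node
     */
    private static void checkCanReadPolicy(NodeImpl policyNode, CompiledPermissions compiledPermissions) throws RepositoryException {
        if (!compiledPermissions.canRead(policyNode.getPrimaryPath(), policyNode.getNodeId())) {
            throw new AccessDeniedException("Access denied at " + Text.getRelativeParent(policyNode.getPath(), 1));
        }
    }

    /**
     * Returns an editor bound to the given session.
     *
     * @param session session the editor operates on
     * @return a new {@link ACLEditor}
     */
    @Override
    public AccessControlEditor getEditor(Session session) {
        checkInitialized();
        return new ACLEditor(session, this);
    }

    /**
     * Builds the permission evaluator for a set of principals.
     *
     * @param set principals of the subject
     * @return the admin permissions for admin/system subjects, the read-only permissions for
     *         read-only subjects, otherwise a new {@link CompiledPermissionsImpl}
     * @throws RepositoryException if the permissions cannot be compiled
     */
    @Override
    public CompiledPermissions compilePermissions(Set<Principal> set) throws RepositoryException {
        checkInitialized();
        // Order matters: the admin/system shortcut is evaluated before the read-only one.
        if (isAdminOrSystem(set)) {
            return getAdminPermissions();
        }
        if (isReadOnly(set)) {
            return getReadOnlyPermissions();
        }
        return new CompiledPermissionsImpl(set, this.session, this.entryCollector, this, true);
    }

    /**
     * Tells whether the given principals may read the root node.
     *
     * @param set principals of the subject
     * @return {@code true} for admin/system subjects or when read access to the root is granted
     * @throws RepositoryException if the permissions cannot be evaluated
     */
    @Override
    public boolean canAccessRoot(Set<Principal> set) throws RepositoryException {
        checkInitialized();
        if (isAdminOrSystem(set)) {
            return true;
        }
        // Short-lived evaluator used for this single check; it is closed again right away.
        CompiledPermissionsImpl rootCheck = new CompiledPermissionsImpl(set, this.session, this.entryCollector, this, false);
        try {
            return rootCheck.canRead(null, this.rootNodeId);
        } finally {
            rootCheck.close();
        }
    }

    /**
     * Creates the collector used to look up ACL entries; subclasses may supply another one.
     *
     * @param sessionImpl session the collector reads with
     * @return a {@link CachingEntryCollector} rooted at the root node
     * @throws RepositoryException if the collector cannot be created
     */
    protected EntryCollector createEntryCollector(SessionImpl sessionImpl) throws RepositoryException {
        return new CachingEntryCollector(sessionImpl, this.rootNodeId);
    }

    /**
     * Walks from the given node up to the root and appends the ACL of every access controlled
     * node on the way, nearest node first.
     *
     * @throws AccessDeniedException at the first access controlled node whose ACL the caller
     *         may not read; the walk stops there
     */
    private void collectAcls(NodeImpl nodeImpl, CompiledPermissions compiledPermissions, List<AccessControlList> list) throws RepositoryException {
        NodeImpl current = nodeImpl;
        while (true) {
            if (isAccessControlled(current)) {
                if (!compiledPermissions.grants(current.getPrimaryPath(), READ_AC_PERMISSION)) {
                    throw new AccessDeniedException("Access denied at " + current.getPath());
                }
                list.add(new UnmodifiableAccessControlList(this.entryCollector.getEntries(current).getACEs(), current.getPath(), Collections.emptyMap()));
            }
            if (this.rootNodeId.equals(current.getId())) {
                return;
            }
            current = (NodeImpl) current.getParent();
        }
    }

    /**
     * Installs the default ACL on the root node: {@code jcr:all} for the administrators
     * principal (skipped when that principal is missing) and {@code jcr:read} for everyone.
     *
     * <p>Best effort: a {@link RepositoryException} while writing the ACL is logged and the
     * pending changes on the root node are discarded, so the workspace continues without the
     * default root ACL. Operators should treat that error log entry as a configuration problem
     * to resolve, since access to the root then depends on whatever evaluation applies to a
     * node without a policy.
     *
     * @throws RepositoryException only if discarding the pending changes fails
     */
    private static void initRootACL(SessionImpl sessionImpl, AccessControlEditor accessControlEditor) throws RepositoryException {
        try {
            log.debug("Install initial ACL:...");
            String path = sessionImpl.getRootNode().getPath();
            ACLTemplate[] editAccessControlPolicies = accessControlEditor.editAccessControlPolicies(path);
            if (editAccessControlPolicies.length > 0) {
                ACLTemplate aCLTemplate = editAccessControlPolicies[0];
                PrincipalManager principalManager = sessionImpl.getPrincipalManager();
                AccessControlManager accessControlManager = sessionImpl.getAccessControlManager();
                if (principalManager.hasPrincipal(SecurityConstants.ADMINISTRATORS_NAME)) {
                    Principal principal = principalManager.getPrincipal(SecurityConstants.ADMINISTRATORS_NAME);
                    log.debug("... Privilege.ALL for administrators.");
                    aCLTemplate.addAccessControlEntry(principal, new Privilege[]{accessControlManager.privilegeFromName("{http://www.jcp.org/jcr/1.0}all")});
                } else {
                    log.info("Administrators principal group is missing -> omitting initialization of default permissions.");
                }
                // Repository-wide read for every principal; deployments that need a closed
                // default must set PARAM_OMIT_DEFAULT_PERMISSIONS or replace this ACL.
                Principal everyone = principalManager.getEveryone();
                log.debug("... Privilege.READ for everyone.");
                aCLTemplate.addAccessControlEntry(everyone, new Privilege[]{accessControlManager.privilegeFromName("{http://www.jcp.org/jcr/1.0}read")});
                accessControlEditor.setPolicy(path, aCLTemplate);
                sessionImpl.save();
            } else {
                log.info("No applicable ACL available for the root node -> skip initialization of the root node's ACL.");
            }
        } catch (RepositoryException e) {
            // Keep the cause in the log: without it the reason the root ACL is missing is lost.
            log.error("Failed to set-up minimal access control for root node of workspace " + sessionImpl.getWorkspace().getName(), e);
            sessionImpl.getRootNode().refresh(false);
        }
    }

    /**
     * Tells whether the node carries a node-level ACL.
     * (Decompiler note: declared package-private in the original class.)
     *
     * @param nodeImpl node to test
     * @return {@code true} if the node has the policy child node and the access controllable
     *         node type
     * @throws RepositoryException if the node cannot be inspected
     */
    public static boolean isAccessControlled(NodeImpl nodeImpl) throws RepositoryException {
        return nodeImpl.hasNode(N_POLICY) && nodeImpl.isNodeType(NT_REP_ACCESS_CONTROLLABLE);
    }

    /**
     * Tells whether the node carries the repository-level ACL.
     * (Decompiler note: declared package-private in the original class.)
     *
     * @param nodeImpl node to test
     * @return {@code true} if the node has the repo policy child node and the repo access
     *         controllable node type
     * @throws RepositoryException if the node cannot be inspected
     */
    public static boolean isRepoAccessControlled(NodeImpl nodeImpl) throws RepositoryException {
        return nodeImpl.hasNode(N_REPO_POLICY) && nodeImpl.isNodeType(NT_REP_REPO_ACCESS_CONTROLLABLE);
    }

    /**
     * Maps an access control item to the node it belongs to.
     * (Decompiler note: declared package-private in the original class.)
     *
     * @param nodeImpl node to resolve
     * @param z whether {@code nodeImpl} is an access control item
     * @return the parent for an ACL node, the grandparent for a grant or deny ACE node, and
     *         {@code nodeImpl} itself in every other case
     * @throws RepositoryException if the hierarchy cannot be read
     */
    public static NodeImpl getNode(NodeImpl nodeImpl, boolean z) throws RepositoryException {
        if (!z) {
            return nodeImpl;
        }
        Name primaryType = ((NodeTypeImpl) nodeImpl.getPrimaryNodeType()).getQName();
        if (primaryType.equals(NT_REP_ACL)) {
            return (NodeImpl) nodeImpl.getParent();
        }
        if (primaryType.equals(NT_REP_GRANT_ACE) || primaryType.equals(NT_REP_DENY_ACE)) {
            return (NodeImpl) nodeImpl.getParent().getParent();
        }
        return nodeImpl;
    }
}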
