package org.apache.jackrabbit.core.security;

import java.security.Principal;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.jcr.AccessDeniedException;
import javax.jcr.ItemNotFoundException;
import javax.jcr.NamespaceException;
import javax.jcr.PathNotFoundException;
import javax.jcr.RepositoryException;
import javax.jcr.UnsupportedRepositoryOperationException;
import javax.jcr.security.AccessControlException;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.Privilege;
import javax.security.auth.Subject;
import org.apache.commons.collections.map.LRUMap;
import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
import org.apache.jackrabbit.core.HierarchyManager;
import org.apache.jackrabbit.core.RepositoryContext;
import org.apache.jackrabbit.core.config.WorkspaceConfig;
import org.apache.jackrabbit.core.id.ItemId;
import org.apache.jackrabbit.core.security.authorization.AccessControlProvider;
import org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry;
import org.apache.jackrabbit.core.security.authorization.WorkspaceAccessManager;
import org.apache.jackrabbit.spi.Name;
import org.apache.jackrabbit.spi.Path;
import org.apache.jackrabbit.spi.commons.conversion.DefaultNamePathResolver;
import org.apache.jackrabbit.spi.commons.conversion.NamePathResolver;
import org.apache.jackrabbit.spi.commons.name.PathFactoryImpl;
import org.apache.jackrabbit.spi.commons.namespace.SessionNamespaceResolver;
import org.jahia.jaas.JahiaPrincipal;
import org.jahia.settings.SettingsBean;
import org.jahia.utils.security.AccessManagerUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/jackrabbit/core/security/JahiaAccessManager.class */
/**
 * Jackrabbit {@code AccessManager} / JCR {@code AccessControlManager} implementation that
 * forwards permission and privilege evaluation to {@code AccessManagerUtils}.
 *
 * <p>Decisions are made for the single {@code JahiaPrincipal} extracted from the session
 * {@code Subject} during {@code init}. Points a reviewer should keep in mind when reading
 * this class:
 * <ul>
 *   <li>Both int-based {@code isGranted} overloads return {@code true} without any ACL
 *       evaluation when the principal is the system principal and
 *       {@code AccessManagerUtils.deniedPathes.get()} is {@code null}.</li>
 *   <li>ACL lookups run through an internal {@code JahiaSystemSession} created with a
 *       subject that holds a {@code SystemPrincipal}, not through the caller's session.</li>
 *   <li>The {@code AccessControlProvider} and {@code WorkspaceAccessManager} arguments of
 *       {@code init} are never read.</li>
 *   <li>Methods taking a {@code Set<Principal>} never read that set.</li>
 *   <li>{@code canAccess} always returns {@code true}.</li>
 * </ul>
 *
 * <p>The source is decompiler output: numeric permission masks appear as literals and several
 * collections are raw types.
 */
public class JahiaAccessManager extends AbstractAccessControlManager implements AccessManager, AccessControlManager {
    private static final Logger logger = LoggerFactory.getLogger(JahiaAccessManager.class);
    // Read-only Subject (first constructor argument is true) whose only principal is a
    // SystemPrincipal; used as the identity of the internal security session.
    private static final Subject SYSTEM_SUBJECT = new Subject(true, new HashSet(Arrays.asList(new SystemPrincipal())), Collections.EMPTY_SET, Collections.EMPTY_SET);
    // Subject of the session this manager was initialised for.
    protected Subject subject;
    protected HierarchyManager hierMgr;
    // Resolver taken from the AMContext; converts JCR path strings to Path objects.
    protected NamePathResolver resolver;
    private JahiaPrivilegeRegistry privilegeRegistry;
    protected String workspaceName;
    // Lazily created by getSecuritySession(); logged out in close().
    private JahiaSystemSession securitySession;
    private RepositoryContext repositoryContext;
    private WorkspaceConfig workspaceConfig;
    // Resolver bound to the security session's namespaces; used to render Path as a JCR string.
    private DefaultNamePathResolver pr;
    // Replaced in init() by a synchronized LRU map sized from SettingsBean.
    private Map<String, Boolean> pathPermissionCache = null;
    // Plain HashMap (not wrapped in a synchronized view, unlike pathPermissionCache); handed
    // to AccessManagerUtils.isGranted on every evaluation.
    private Map<Object, AccessManagerUtils.CompiledAcl> compiledAcls = new HashMap();
    private boolean isAliased = false;
    private boolean initialized = false;
    // Stays null when the Subject carries no JahiaPrincipal (see init).
    protected JahiaPrincipal jahiaPrincipal = null;

    /**
     * Delegates to {@code AccessManagerUtils.getPrivilegeName}.
     *
     * @param str  privilege name as passed by callers (expanded-form JCR names in this class)
     * @param str2 workspace name
     * @return the value returned by the utility method
     */
    public static String getPrivilegeName(String str, String str2) {
        return AccessManagerUtils.getPrivilegeName(str, str2);
    }

    /**
     * Delegates to {@code AccessManagerUtils.setDeniedPaths}. The int-based {@code isGranted}
     * overloads consult {@code AccessManagerUtils.deniedPathes} before applying the
     * system-principal shortcut.
     *
     * @param collection paths to hand to the utility class
     */
    public static void setDeniedPaths(Collection<String> collection) {
        AccessManagerUtils.setDeniedPaths(collection);
    }

    /** Creates an uninitialised manager and calls {@code AccessManagerUtils.initCaches()}. */
    public JahiaAccessManager() {
        AccessManagerUtils.initCaches();
    }

    /**
     * Initialises the manager from the context alone; every other argument of the five-argument
     * {@code init} is passed as {@code null}.
     *
     * @param aMContext context supplying subject, resolver, hierarchy manager and workspace name
     * @throws IllegalStateException if already initialised
     */
    public void init(AMContext aMContext) throws AccessDeniedException, Exception {
        init(aMContext, null, null, null, null);
    }

    /**
     * Initialises the manager from the context. The supplied {@code accessControlProvider} and
     * {@code workspaceAccessManager} are discarded: the call forwards {@code null} for all four
     * remaining arguments.
     *
     * @param aMContext              context supplying subject, resolver, hierarchy manager and workspace name
     * @param accessControlProvider  ignored
     * @param workspaceAccessManager ignored
     * @throws IllegalStateException if already initialised
     */
    public void init(AMContext aMContext, AccessControlProvider accessControlProvider, WorkspaceAccessManager workspaceAccessManager) throws AccessDeniedException, Exception {
        init(aMContext, null, null, null, null);
    }

    /**
     * Returns the internal session used for ACL evaluation, creating it on first use with
     * {@code SYSTEM_SUBJECT}, the stored repository context and the stored workspace config.
     * The lazy creation is not guarded by any lock in this method.
     *
     * @return the cached or newly created security session
     * @throws RepositoryException if the session cannot be created
     */
    public JahiaSystemSession getSecuritySession() throws RepositoryException {
        if (this.securitySession != null) {
            return this.securitySession;
        }
        this.securitySession = new JahiaSystemSession(this.repositoryContext, SYSTEM_SUBJECT, this.workspaceConfig);
        return this.securitySession;
    }

    /**
     * Reports whether {@code AccessManagerUtils.isSystemPrincipal} accepts the stored principal.
     *
     * @return the utility method's verdict for {@code jahiaPrincipal}
     */
    public boolean isSystemPrincipal() {
        return AccessManagerUtils.isSystemPrincipal(this.jahiaPrincipal);
    }

    /**
     * Performs the actual initialisation: builds the permission cache, copies state out of the
     * context, selects the principal and creates the security-session-backed path resolver.
     *
     * @param aMContext              context supplying subject, resolver, hierarchy manager, workspace name and session
     * @param accessControlProvider  never read
     * @param workspaceAccessManager never read
     * @param repositoryContext      stored for later creation of the security session; may be null when
     *                               reached through the shorter overloads
     * @param workspaceConfig        stored for later creation of the security session; may be null when
     *                               reached through the shorter overloads
     * @throws IllegalStateException if already initialised
     */
    public void init(AMContext aMContext, AccessControlProvider accessControlProvider, WorkspaceAccessManager workspaceAccessManager, RepositoryContext repositoryContext, WorkspaceConfig workspaceConfig) throws AccessDeniedException, Exception {
        if (this.initialized) {
            throw new IllegalStateException("already initialized");
        }
        // Per-manager cache of path/permission results, bounded by a configured maximum size.
        this.pathPermissionCache = Collections.synchronizedMap(new LRUMap(SettingsBean.getInstance().getAccessManagerPathPermissionCacheMaxSize()));
        this.subject = aMContext.getSubject();
        this.resolver = aMContext.getNamePathResolver();
        this.hierMgr = aMContext.getHierarchyManager();
        this.workspaceName = aMContext.getWorkspaceName();
        this.repositoryContext = repositoryContext;
        this.workspaceConfig = workspaceConfig;
        this.privilegeRegistry = new JahiaPrivilegeRegistry(aMContext.getSession().getWorkspace().getNamespaceRegistry());
        // Only the first JahiaPrincipal returned by the Subject is used; any others are ignored.
        // With none present, jahiaPrincipal stays null and every later check passes null to
        // AccessManagerUtils. NOTE(review): how the helper treats a null principal is not
        // visible here; confirm it denies.
        Set principals = this.subject.getPrincipals(JahiaPrincipal.class);
        if (!principals.isEmpty()) {
            this.jahiaPrincipal = (JahiaPrincipal) principals.iterator().next();
        }
        // Forces creation of the security session. NOTE(review): when repositoryContext and
        // workspaceConfig are null (shorter init overloads) the session is constructed from
        // nulls; whether JahiaSystemSession tolerates that is not visible here.
        this.pr = new DefaultNamePathResolver(new SessionNamespaceResolver(getSecuritySession()), true);
        this.initialized = true;
    }

    /**
     * Logs out the security session if one was created. Neither {@code initialized} nor the
     * {@code securitySession} field is reset, so a later {@code getSecuritySession()} call
     * returns the logged-out instance.
     */
    public void close() throws Exception {
        if (this.securitySession != null) {
            this.securitySession.logout();
        }
    }

    /**
     * Throws unless {@code isGranted(itemId, i)} holds.
     *
     * @param itemId item to check
     * @param i      permission bit mask
     * @throws AccessDeniedException if the permission is not granted
     */
    public void checkPermission(ItemId itemId, int i) throws AccessDeniedException, ItemNotFoundException, RepositoryException {
        if (!isGranted(itemId, i)) {
            throw new AccessDeniedException("Not sufficient privileges for permissions : " + i + " on " + itemId);
        }
    }

    /**
     * Throws unless {@code isGranted(path, i)} holds.
     *
     * @param path path to check
     * @param i    permission value
     * @throws AccessDeniedException if the permission is not granted
     */
    public void checkPermission(Path path, int i) throws AccessDeniedException, RepositoryException {
        if (!isGranted(path, i)) {
            // NOTE(review): the message embeds the current content of
            // AccessManagerUtils.deniedPathes in addition to the requested path. Confirm that
            // this exception text is not surfaced to untrusted clients.
            throw new AccessDeniedException("Not sufficient privileges for permissions : " + i + " on " + path + " [" + AccessManagerUtils.deniedPathes.get() + "]");
        }
    }

    /**
     * String-path variant: validates that the path denotes an existing node, then checks the
     * permission on the resolved path.
     *
     * @param str absolute JCR path
     * @param i   permission value
     * @throws PathNotFoundException if no node exists at the path
     * @throws AccessDeniedException if the permission is not granted
     */
    protected void checkPermission(String str, int i) throws AccessDeniedException, PathNotFoundException, RepositoryException {
        checkValidNodePath(str);
        checkPermission(this.resolver.getQPath(str), i);
    }

    /**
     * Tests privileges at a path. The {@code set} of principals is never read: the result is
     * computed for this manager's own principal, whatever principals the caller names.
     *
     * @param str          absolute JCR path of an existing node
     * @param set          ignored
     * @param privilegeArr privileges to test; {@code null} or empty yields {@code true}
     * @return {@code true} if granted, or if no privileges were passed
     * @throws AccessDeniedException if permission 32 is not granted on the path
     * @throws PathNotFoundException if no node exists at the path
     */
    public boolean hasPrivileges(String str, Set<Principal> set, Privilege[] privilegeArr) throws PathNotFoundException, AccessDeniedException, RepositoryException {
        checkInitialized();
        checkValidNodePath(str);
        // 32 is presumably Jackrabbit's Permission.READ_AC inlined by the decompiler (confirm);
        // the caller must hold it before any privilege information is disclosed.
        checkPermission(str, 32);
        if (privilegeArr != null && privilegeArr.length != 0) {
            return isGranted(this.resolver.getQPath(str), PrivilegeRegistry.getBits(privilegeArr));
        }
        // An empty request is treated as granted; the branches below differ only in logging.
        if (!logger.isDebugEnabled()) {
            return true;
        }
        logger.debug("No privileges passed -> allowed.");
        return true;
    }

    /**
     * Guards entry points that require a completed {@code init}.
     *
     * @throws IllegalStateException if {@code init} has not completed
     */
    protected void checkInitialized() throws IllegalStateException {
        if (!this.initialized) {
            throw new IllegalStateException("not initialized");
        }
    }

    /**
     * Returns a privilege manager view over the Jahia privilege registry. Registration is not
     * implemented: {@code registerPrivilege} returns {@code null} and registers nothing.
     *
     * @return a new anonymous {@code PrivilegeManager} on every call
     */
    protected PrivilegeManager getPrivilegeManager() throws RepositoryException {
        return new PrivilegeManager() { // from class: org.apache.jackrabbit.core.security.JahiaAccessManager.1
            // Returns the statically registered privileges of JahiaPrivilegeRegistry.
            public Privilege[] getRegisteredPrivileges() throws RepositoryException {
                return JahiaPrivilegeRegistry.getRegisteredPrivileges();
            }

            // Looks the privilege up in this manager's registry for this manager's workspace.
            public Privilege getPrivilege(String str) throws AccessControlException, RepositoryException {
                return JahiaAccessManager.this.privilegeRegistry.getPrivilege(str, JahiaAccessManager.this.workspaceName);
            }

            // No-op: nothing is registered and null is returned, so callers must not
            // dereference the result.
            public Privilege registerPrivilege(String str, boolean z, String[] strArr) throws AccessDeniedException, NamespaceException, RepositoryException {
                return null;
            }
        };
    }

    /**
     * Checks a repository-level permission by evaluating it against the root path.
     *
     * @param i permission value
     * @throws AccessDeniedException if not granted on the root path
     */
    public void checkRepositoryPermission(int i) throws AccessDeniedException, RepositoryException {
        if (!isGranted(PathFactoryImpl.getInstance().getRootPath(), i)) {
            throw new AccessDeniedException("Access denied");
        }
    }

    /**
     * Resolves the JCR path string and validates it as an existing absolute node path.
     *
     * @param str JCR path string
     */
    protected void checkValidNodePath(String str) throws PathNotFoundException, RepositoryException {
        checkValidNodePath(this.resolver.getQPath(str));
    }

    /**
     * Validates that {@code path} is absolute and that the hierarchy manager resolves it to a
     * node. The existence test goes through {@code hierMgr} and happens before any permission
     * check made by callers.
     *
     * @param path path to validate
     * @throws RepositoryException   if the path is not absolute
     * @throws PathNotFoundException if the hierarchy manager resolves no node for it
     */
    protected void checkValidNodePath(Path path) throws RepositoryException {
        if (!path.isAbsolute()) {
            throw new RepositoryException("Absolute path expected.");
        }
        if (this.hierMgr.resolveNodePath(path) == null) {
            throw new PathNotFoundException("No such node " + path);
        }
    }

    /**
     * Not implemented: always returns an empty array, whatever principals are passed.
     *
     * @param set ignored
     * @return an empty array
     */
    public AccessControlPolicy[] getEffectivePolicies(Set<Principal> set) throws AccessDeniedException, AccessControlException, UnsupportedRepositoryOperationException, RepositoryException {
        return new AccessControlPolicy[0];
    }

    /**
     * Not implemented: always returns an empty array, whatever path or principals are passed.
     *
     * @param str ignored
     * @param set ignored
     * @return an empty array
     */
    public Privilege[] getPrivileges(String str, Set<Principal> set) throws PathNotFoundException, AccessDeniedException, RepositoryException {
        return new Privilege[0];
    }

    /**
     * Evaluates a bit mask against an item id by translating bits 1, 2 and 4 into privilege
     * names and delegating to the name-based check on the item's path.
     *
     * <p>The literals are presumably the legacy {@code AccessManager.READ} / {@code WRITE} /
     * {@code REMOVE} constants inlined by the decompiler (confirm). Bits other than 1, 2 and 4
     * add no privilege name; a mask with none of these bits reaches the delegate with an empty
     * set, and the outcome for that case is decided by {@code AccessManagerUtils.isGranted}.
     *
     * @param itemId item to check; node vs. property selects the privilege name for bits 2 and 4
     * @param i      permission bit mask
     * @return {@code true} if granted
     */
    public boolean isGranted(ItemId itemId, int i) throws ItemNotFoundException, RepositoryException {
        // System principal shortcut: skipped only while a denied-path value is set.
        if (isSystemPrincipal() && AccessManagerUtils.deniedPathes.get() == null) {
            return true;
        }
        HashSet hashSet = new HashSet();
        if ((i & 1) == 1) {
            hashSet.add(getPrivilegeName("{http://www.jcp.org/jcr/1.0}read", this.workspaceName));
        }
        if ((i & 2) == 2) {
            if (itemId.denotesNode()) {
                hashSet.add(getPrivilegeName("{http://www.jcp.org/jcr/1.0}addChildNodes", this.workspaceName));
            } else {
                hashSet.add(getPrivilegeName("{http://www.jcp.org/jcr/1.0}modifyProperties", this.workspaceName));
            }
        }
        if ((i & 4) == 4) {
            // Node ids map to removeChildNodes, property ids to removeNode.
            hashSet.add(itemId.denotesNode() ? getPrivilegeName("{http://www.jcp.org/jcr/1.0}removeChildNodes", this.workspaceName) : getPrivilegeName("{http://www.jcp.org/jcr/1.0}removeNode", this.workspaceName));
        }
        return isGranted(this.hierMgr.getPath(itemId), hashSet);
    }

    /**
     * Evaluates a permission value against a path by asking the privilege registry for the
     * matching privileges and delegating to the name-based check.
     *
     * <p>The literals 4, 2 and 16 are presumably Jackrabbit's {@code Permission.ADD_NODE},
     * {@code SET_PROPERTY} and {@code REMOVE_PROPERTY} (confirm). If so, 4 has a different
     * meaning here than in {@code isGranted(ItemId, int)}. The comparison is by equality, so a
     * combined mask never takes the parent-path rewrite below.
     *
     * @param path path to check
     * @param i    permission value
     * @return {@code true} if granted
     */
    public boolean isGranted(Path path, int i) throws RepositoryException {
        // System principal shortcut: skipped only while a denied-path value is set.
        if (isSystemPrincipal() && AccessManagerUtils.deniedPathes.get() == null) {
            return true;
        }
        HashSet hashSet = new HashSet();
        if (i == 4 || i == 2 || i == 16) {
            String jCRPath = this.pr.getJCRPath(path);
            // For value 4 on a translation / reference-in-field path, the check is downgraded
            // to value 2 on the path itself; in every other case the check moves to the parent.
            // NOTE(review): contains() matches the marker anywhere in the path string, so an
            // ancestor segment carrying it also selects this branch. Confirm that is intended.
            if (i == 4 && (jCRPath.contains("j:translation_") || jCRPath.contains("j:referenceInField_"))) {
                i = 2;
            } else {
                path = path.getAncestor(1);
            }
        }
        Iterator<Privilege> it = this.privilegeRegistry.getPrivileges(i, this.workspaceName).iterator();
        while (it.hasNext()) {
            hashSet.add(it.next().getName());
        }
        return isGranted(path, hashSet);
    }

    /**
     * Core check: wraps the canonical form of {@code path} and delegates to
     * {@code AccessManagerUtils.isGranted} with this manager's principal, workspace, alias flag
     * and caches. Unlike the int-based overloads, this method applies no system-principal
     * shortcut of its own.
     *
     * @param path path to check
     * @param set  privilege names to test
     * @return the utility method's decision
     */
    public boolean isGranted(Path path, Set<String> set) throws RepositoryException {
        return AccessManagerUtils.isGranted(new JahiaJCRPathWrapperImpl(path.getCanonicalPath(), this.pr, getSecuritySession()), set, getSecuritySession(), this.jahiaPrincipal, this.workspaceName, this.isAliased, this.pathPermissionCache, this.compiledAcls, this.privilegeRegistry);
    }

    /**
     * Checks a permission on the child {@code name2} of {@code path}.
     *
     * @param path  parent path
     * @param name2 child name appended to the parent
     * @param i     permission value
     * @return {@code true} if granted on the combined path
     */
    public boolean isGranted(Path path, Name name2, int i) throws RepositoryException {
        return isGranted(PathFactoryImpl.getInstance().create(path, name2, true), i);
    }

    /**
     * Read check that prefers the path when both arguments are given.
     *
     * @param path   path to check, or {@code null}
     * @param itemId item to check when {@code path} is {@code null}
     * @return the result for permission 1; {@code false} when both arguments are {@code null}
     */
    public boolean canRead(Path path, ItemId itemId) throws RepositoryException {
        if (path != null) {
            return isGranted(path, 1);
        }
        if (itemId != null) {
            return isGranted(itemId, 1);
        }
        return false;
    }

    /**
     * Always returns {@code true}; the argument is not inspected. In the Jackrabbit
     * {@code AccessManager} contract this is the workspace-access check, so workspace access is
     * not restricted by this class. NOTE(review): confirm it is enforced elsewhere.
     *
     * @param str ignored
     * @return {@code true}
     */
    public boolean canAccess(String str) throws RepositoryException {
        return true;
    }

    /**
     * Delegates to {@code AccessManagerUtils.getPermissionsInRole} with this manager's registry.
     *
     * @param str role identifier as expected by the utility method
     * @return the privileges returned by the utility method
     */
    public Set<Privilege> getPermissionsInRole(String str) throws RepositoryException {
        return AccessManagerUtils.getPermissionsInRole(str, this.privilegeRegistry);
    }

    /**
     * Delegates to {@code AccessManagerUtils.matchPermission} with this manager's alias flag,
     * registry and workspace name.
     *
     * @param set permission names to match
     * @param str second argument of the utility method (presumably a role; confirm)
     * @return the utility method's result
     */
    public boolean matchPermission(Set<String> set, String str) throws RepositoryException {
        return AccessManagerUtils.matchPermission(set, str, this.isAliased, this.privilegeRegistry, this.workspaceName);
    }

    /**
     * Resolves the path string and delegates to {@code hasPrivileges(Path, Privilege[])}.
     *
     * @param str          absolute JCR path
     * @param privilegeArr privileges to test
     * @return {@code true} if granted, or if no privileges were passed
     */
    public boolean hasPrivileges(String str, Privilege[] privilegeArr) throws PathNotFoundException, RepositoryException {
        return hasPrivileges(this.resolver.getQPath(str), privilegeArr);
    }

    /**
     * Tests the named privileges at a path for this manager's principal. Unlike the overload
     * that takes a principal set, no permission-32 check is made before answering.
     *
     * @param path         absolute path of an existing node
     * @param privilegeArr privileges to test; {@code null} or empty yields {@code true}
     * @return {@code true} if granted, or if no privileges were passed
     * @throws PathNotFoundException if no node exists at the path
     */
    public boolean hasPrivileges(Path path, Privilege[] privilegeArr) throws PathNotFoundException, RepositoryException {
        checkInitialized();
        checkValidNodePath(path);
        if (privilegeArr == null || privilegeArr.length == 0) {
            // An empty request is treated as granted; the branches differ only in logging.
            if (!logger.isDebugEnabled()) {
                return true;
            }
            logger.debug("No privileges passed -> allowed.");
            return true;
        }
        HashSet hashSet = new HashSet();
        for (Privilege privilege : privilegeArr) {
            hashSet.add(privilege.getName());
        }
        return isGranted(path, hashSet);
    }

    /**
     * Returns the privileges at a path: all supported privileges when {@code isAdmin(null)}
     * holds, otherwise whatever {@code AccessManagerUtils.getPrivileges} computes for the
     * stored principal. This method itself makes no initialisation or path-validity check.
     *
     * @param str absolute JCR path
     * @return the privileges for this manager's principal
     */
    public Privilege[] getPrivileges(String str) throws PathNotFoundException, RepositoryException {
        return isAdmin(null) ? getSupportedPrivileges(str) : AccessManagerUtils.getPrivileges(str, this.workspaceName, this.jahiaPrincipal, this.privilegeRegistry);
    }

    /**
     * Not implemented: always returns an empty array.
     *
     * @param str ignored
     * @return an empty array
     */
    public AccessControlPolicy[] getEffectivePolicies(String str) throws PathNotFoundException, AccessDeniedException, RepositoryException {
        return new AccessControlPolicy[0];
    }

    /**
     * Sets the alias flag that is forwarded to {@code AccessManagerUtils} on each evaluation.
     *
     * @param z new flag value
     */
    public void setAliased(boolean z) {
        this.isAliased = z;
    }

    /**
     * Delegates to {@code AccessManagerUtils.isAdmin} for the stored principal.
     *
     * @param str first argument of the utility method; {@code getPrivileges(String)} passes {@code null}
     * @return the utility method's verdict
     */
    public boolean isAdmin(String str) {
        return AccessManagerUtils.isAdmin(str, this.jahiaPrincipal);
    }

    /**
     * Delegates to {@code AccessManagerUtils.getRoles} for the stored principal and workspace.
     *
     * @param str absolute JCR path
     * @return the role names returned by the utility method
     */
    public Set<String> getRoles(String str) throws PathNotFoundException, RepositoryException {
        return AccessManagerUtils.getRoles(str, this.workspaceName, this.jahiaPrincipal);
    }

    /** Delegates to {@code AccessManagerUtils.flushPrivilegesInRoles()}. */
    public static void flushPrivilegesInRoles() {
        AccessManagerUtils.flushPrivilegesInRoles();
    }

    /** Delegates to {@code AccessManagerUtils.flushMatchingPermissions()}. */
    public static void flushMatchingPermissions() {
        AccessManagerUtils.flushMatchingPermissions();
    }
}
