package org.apache.jackrabbit.vault.fs.spi.impl.jcr20;

import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import java.util.function.Consumer;
import javax.jcr.Node;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.commons.JcrUtils;
import org.apache.jackrabbit.util.Text;
import org.apache.jackrabbit.vault.fs.spi.ACLManagement;
import org.apache.jackrabbit.vault.fs.spi.UserManagement;
import org.apache.jackrabbit.vault.util.UncheckedRepositoryException;
import org.jetbrains.annotations.NotNull;

/* loaded from: input_file:org/apache/jackrabbit/vault/fs/spi/impl/jcr20/JackrabbitACLManagement.class */
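/**
 * {@link ACLManagement} implementation for Jackrabbit/Oak style access control content.
 *
 * <p>Recognises the node types and mixins that carry access control policies, adds the
 * matching mixin to a node before a policy is imported, removes the policies bound to a
 * node, and collects the principal-bound policies of all authorizables found below a node.
 *
 * <p>None of the methods save the session; every change made here stays pending until the
 * caller saves or discards it.
 */
public class JackrabbitACLManagement implements ACLManagement {
    // Node type names (NT_*), mixin names (MIX_*) and policy node names (REP_*).
    // Only the ones referenced by the methods below are interpreted by this class.
    public static final String NT_REP_CUG_POLICY = "rep:CugPolicy";
    public static final String REP_CUG_POLICY = "rep:cugPolicy";
    public static final String REP_POLICY = "rep:policy";
    public static final String REP_PRINCIPAL_POLICY = "rep:principalPolicy";
    public static final String NT_REP_PRINCIPAL_POLICY = "rep:PrincipalPolicy";
    public static final String REP_REPO_POLICY = "rep:repoPolicy";
    public static final String NT_REP_POLICY = "rep:Policy";
    public static final String NT_REP_ACL = "rep:ACL";
    public static final String NT_REP_ACE = "rep:ACE";
    public static final String NT_REP_GRANT_ACE = "rep:GrantACE";
    public static final String NT_REP_DENY_ACE = "rep:DenyACE";
    public static final String NT_REP_RESTRICTIONS = "rep:Restrictions";
    public static final String MIX_REP_ACCESS_CONTROLLABLE = "rep:AccessControllable";
    public static final String MIX_REP_REPO_ACCESS_CONTROLLABLE = "rep:RepoAccessControllable";
    public static final String MIX_REP_CUG_MIXIN = "rep:CugMixin";
    public static final String MIX_REP_PRINCIPAL_BASED_MIXIN = "rep:PrincipalBasedMixin";

    // Lazily determined by determineAuthorizableRootPaths(); null until the first lookup.
    private String groupsRootPath;
    private String usersRootPath;
    private final UserManagement userManagement = new JackrabbitUserManagement();

    /**
     * Collects, per principal name, the access control policies the access control manager
     * reports for that principal. Principals without any policy are not recorded.
     */
    private static final class PrincipalAccessControlPolicyCollector implements Consumer<Principal> {
        private final JackrabbitAccessControlManager jrAcMgr;
        private final Map<String, List<? extends AccessControlPolicy>> policiesPerPrincipal = new HashMap<>();

        public PrincipalAccessControlPolicyCollector(JackrabbitAccessControlManager jackrabbitAccessControlManager) {
            this.jrAcMgr = jackrabbitAccessControlManager;
        }

        /**
         * @return the live map filled by {@link #accept(Principal)}, keyed by principal name
         */
        public Map<String, List<? extends AccessControlPolicy>> getPoliciesPerPrincipal() {
            return this.policiesPerPrincipal;
        }

        /**
         * Looks up the policies of one principal and records them when there are any.
         *
         * @throws UncheckedRepositoryException wrapping the {@link RepositoryException} of the
         *     lookup, because {@link Consumer#accept} cannot declare a checked exception
         */
        @Override // java.util.function.Consumer
        public void accept(Principal principal) {
            try {
                List<? extends AccessControlPolicy> policies = Arrays.asList(this.jrAcMgr.getPolicies(principal));
                if (!policies.isEmpty()) {
                    this.policiesPerPrincipal.put(principal.getName(), policies);
                }
            } catch (RepositoryException e) {
                throw new UncheckedRepositoryException(e);
            }
        }
    }

    /**
     * Narrows a session to {@link JackrabbitSession}, reporting a repository error instead of
     * a {@link ClassCastException} when the repository does not provide one.
     */
    private static JackrabbitSession asJackrabbitSession(Session session) throws RepositoryException {
        if (!(session instanceof JackrabbitSession)) {
            throw new RepositoryException("The session is no JackrabbitSession, this is probably not a Jackrabbit/Oak repository");
        }
        return (JackrabbitSession) session;
    }

    /**
     * Determines the root paths below which groups and users are stored by creating a probe
     * group and a probe user, reading their paths and removing them again.
     *
     * <p>NOTE(review): nothing here saves the session, so the probes are expected to stay
     * pending changes; if the user manager persists changes on its own (autosave), the probes
     * would exist in the repository for a moment - confirm against the deployment.
     *
     * @param session session whose user manager is used for the probes
     * @throws RepositoryException if the session is no {@link JackrabbitSession} or the user
     *     manager rejects one of the operations
     */
    private synchronized void determineAuthorizableRootPaths(Session session) throws RepositoryException {
        UserManager userManager = asJackrabbitSession(session).getUserManager();
        String probeId = UUID.randomUUID().toString();

        String groupsRoot;
        Group probeGroup = userManager.createGroup(new SimplePrincipal(probeId), "intermediate");
        try {
            // <root>/intermediate/<node>: two levels up is the groups root
            groupsRoot = Text.getRelativeParent(probeGroup.getPath(), 2);
        } finally {
            // remove even when reading the path failed, so no probe group is left pending
            // in a session that the caller may save later
            probeGroup.remove();
        }

        String usersRoot;
        // A random throwaway password instead of a fixed literal: the probe account never
        // carries a guessable credential, even if it were persisted before its removal.
        User probeUser = userManager.createUser(probeId, UUID.randomUUID().toString(), new SimplePrincipal(probeId), "intermediate");
        try {
            usersRoot = Text.getRelativeParent(probeUser.getPath(), 2);
        } finally {
            probeUser.remove();
        }

        // publish both paths only after both probes succeeded
        this.groupsRootPath = groupsRoot;
        this.usersRootPath = usersRoot;
    }

    /**
     * @param str node type name to test; {@code null} yields {@code false}
     * @return {@code true} if the name is one of the policy node types handled here
     *     ({@code rep:ACL}, {@code rep:CugPolicy}, {@code rep:PrincipalPolicy})
     */
    public boolean isACLNodeType(String str) {
        // constant-first comparison: a null name is simply "not an ACL type"
        return NT_REP_ACL.equals(str) || NT_REP_CUG_POLICY.equals(str) || NT_REP_PRINCIPAL_POLICY.equals(str);
    }

    /**
     * @param str mixin name to test; {@code null} yields {@code false}
     * @return {@code true} if the name is one of the mixins that
     *     {@link #ensureAccessControllable(Node, String)} may add
     */
    public boolean isAccessControllableMixin(String str) {
        return MIX_REP_ACCESS_CONTROLLABLE.equals(str)
                || MIX_REP_REPO_ACCESS_CONTROLLABLE.equals(str)
                || MIX_REP_CUG_MIXIN.equals(str)
                || MIX_REP_PRINCIPAL_BASED_MIXIN.equals(str);
    }

    /**
     * @return {@code true} if the node is of type {@code rep:Policy}
     */
    public boolean isACLNode(Node node) throws RepositoryException {
        return node.isNodeType(NT_REP_POLICY);
    }

    /**
     * Adds the mixin(s) a node needs before a policy of the given node type can be attached.
     *
     * @param node node that will carry the policy
     * @param str policy node type name; unknown names (and {@code null}) change nothing
     * @return {@code true} if at least one mixin was added
     * @throws RepositoryException if a node type check or adding a mixin fails
     */
    public boolean ensureAccessControllable(Node node, String str) throws RepositoryException {
        boolean modified = false;
        if (NT_REP_ACL.equals(str)) {
            if (!node.isNodeType(MIX_REP_ACCESS_CONTROLLABLE)) {
                node.addMixin(MIX_REP_ACCESS_CONTROLLABLE);
                modified = true;
            }
            // the root node additionally gets the repository-level mixin
            if (isRootNode(node) && !node.isNodeType(MIX_REP_REPO_ACCESS_CONTROLLABLE)) {
                node.addMixin(MIX_REP_REPO_ACCESS_CONTROLLABLE);
                modified = true;
            }
        } else if (NT_REP_CUG_POLICY.equals(str)) {
            if (!node.isNodeType(MIX_REP_CUG_MIXIN)) {
                node.addMixin(MIX_REP_CUG_MIXIN);
                modified = true;
            }
        } else if (NT_REP_PRINCIPAL_POLICY.equals(str) && !node.isNodeType(MIX_REP_PRINCIPAL_BASED_MIXIN)) {
            node.addMixin(MIX_REP_PRINCIPAL_BASED_MIXIN);
            modified = true;
        }
        return modified;
    }

    /**
     * Removes every access control policy bound to the node's path and, for the root node,
     * every policy bound to the {@code null} path as well.
     *
     * <p>All policies returned by the access control manager are removed without filtering,
     * so after a save the node is governed only by what it inherits. The session is not
     * saved here.
     *
     * @throws RepositoryException if reading or removing a policy fails
     */
    public void clearACL(Node node) throws RepositoryException {
        AccessControlManager accessControlManager = node.getSession().getAccessControlManager();
        String path = node.getPath();
        for (AccessControlPolicy policy : accessControlManager.getPolicies(path)) {
            accessControlManager.removePolicy(path, policy);
        }
        if (isRootNode(node)) {
            // the null path is queried only for the root node (repository-level policies)
            for (AccessControlPolicy repoPolicy : accessControlManager.getPolicies((String) null)) {
                accessControlManager.removePolicy((String) null, repoPolicy);
            }
        }
    }

    private static boolean isRootNode(Node node) throws RepositoryException {
        return node.getDepth() == 0;
    }

    /**
     * Cheap pre-check used before the recursive traversal in {@link #getPrincipalAcls(Node)}.
     *
     * <p>NOTE(review): this is a plain string prefix test, so a sibling whose name merely
     * starts with the root's name also matches; that costs a traversal but cannot add
     * results, since only authorizable nodes are reported.
     */
    private boolean areAuthorizablesAllowedBelowPath(Session session, String str) throws RepositoryException {
        if (this.usersRootPath == null || this.groupsRootPath == null) {
            determineAuthorizableRootPaths(session);
        }
        return str.startsWith(this.usersRootPath) || str.startsWith(this.groupsRootPath);
    }

    /**
     * Collects the principal-bound policies of all authorizables at or below the given node.
     *
     * @param node start of the traversal
     * @return policies keyed by principal name; empty when the node's path does not start
     *     with the users or groups root path
     * @throws RepositoryException if the repository is not a Jackrabbit/Oak repository or a
     *     repository operation fails during the traversal
     */
    @NotNull
    public Map<String, List<? extends AccessControlPolicy>> getPrincipalAcls(Node node) throws RepositoryException {
        Session session = node.getSession();
        if (!areAuthorizablesAllowedBelowPath(session, node.getPath())) {
            return Collections.emptyMap();
        }
        AccessControlManager accessControlManager = session.getAccessControlManager();
        if (!(accessControlManager instanceof JackrabbitAccessControlManager)) {
            throw new RepositoryException("The access control manager returned is no JackrabbitAccessControlManager, this is probably not a Jackrabbit/Oak repository");
        }
        PrincipalAccessControlPolicyCollector collector =
                new PrincipalAccessControlPolicyCollector((JackrabbitAccessControlManager) accessControlManager);
        try {
            findPrincipalsRecursively(asJackrabbitSession(session).getUserManager(), node, collector);
            return collector.getPoliciesPerPrincipal();
        } catch (UncheckedRepositoryException e) {
            // unwrap what the collector had to tunnel through Consumer#accept
            throw e.getCause();
        }
    }

    /**
     * Walks the subtree until authorizable nodes are reached and hands the principal of each
     * resolvable authorizable to the consumer. The children of an authorizable node are not
     * visited.
     */
    private void findPrincipalsRecursively(UserManager userManager, Node node, Consumer<Principal> consumer) throws RepositoryException {
        if (!this.userManagement.isAuthorizableNodeType(node.getPrimaryNodeType().getName())) {
            for (Node child : JcrUtils.in(node.getNodes())) {
                findPrincipalsRecursively(userManager, child, consumer);
            }
            return;
        }
        Authorizable authorizable = userManager.getAuthorizableByPath(node.getPath());
        if (authorizable != null) {
            consumer.accept(authorizable.getPrincipal());
        }
    }
}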
