package org.apache.jackrabbit.oak.security.user;

import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Sets;
import java.util.HashSet;
import java.util.Iterator;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import org.apache.jackrabbit.JcrConstants;
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.spi.commit.DefaultValidator;
import org.apache.jackrabbit.oak.spi.commit.Validator;
import org.apache.jackrabbit.oak.spi.commit.VisibleValidator;
import org.apache.jackrabbit.oak.spi.security.user.AuthorizableType;
import org.apache.jackrabbit.oak.spi.security.user.UserConstants;
import org.apache.jackrabbit.oak.spi.security.user.util.PasswordUtil;
import org.apache.jackrabbit.oak.spi.security.user.util.UserUtil;
import org.apache.jackrabbit.oak.spi.state.NodeState;
import org.apache.jackrabbit.oak.util.TreeUtil;
import org.apache.jackrabbit.util.Text;

/* JADX WARN: Classes with same name are omitted:
  input_file:WEB-INF/lib/oak-core-1.0.12.jar:org/apache/jackrabbit/oak/security/user/UserValidator.class
 */
/* loaded from: input_file:org/apache/jackrabbit/oak/security/user/UserValidator.class */
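/**
 * Commit validator that enforces the integrity rules for user and group content.
 *
 * <p>Each instance compares one tree before and after a commit. Property callbacks only
 * act when the "after" tree is recognised as an authorizable by
 * {@link UserUtil#getType(Tree)}; otherwise they return without checking anything.
 * The rules enforced here are:
 * <ul>
 *   <li>the admin user can neither be disabled (code 20) nor removed (code 27);</li>
 *   <li>{@code jcr:uuid} must equal the content id derived from the authorizable id
 *       (codes 21, 23);</li>
 *   <li>{@code rep:principalName} and the authorizable id are immutable (code 22) and,
 *       like the password, cannot be removed (code 25);</li>
 *   <li>a changed user password must not be plain text (code 24);</li>
 *   <li>group membership must not become cyclic (codes 30, 31);</li>
 *   <li>authorizables must live below the configured root path, beneath
 *       {@code rep:AuthorizableFolder} nodes only, and carry {@code rep:principalName}
 *       (codes 26, 28, 29).</li>
 * </ul>
 * Every violation is reported as a {@link CommitFailedException} of type
 * {@code "Constraint"}, which fails the commit.
 */
class UserValidator extends DefaultValidator implements UserConstants {
    /** Tree as it was before the commit; {@code null} for a freshly added subtree. */
    private final Tree parentBefore;
    /** Tree as it is after the commit; {@code null} for a removed subtree. */
    private final Tree parentAfter;
    private final UserValidatorProvider provider;
    /** Authorizable type of {@link #parentAfter}, or {@code null} if there is no "after" tree. */
    private final AuthorizableType authorizableType;

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates a validator for one before/after pair of trees.
     *
     * @param parentBefore the tree before the commit, may be {@code null}
     * @param parentAfter the tree after the commit, may be {@code null}
     * @param provider source of the user configuration and the membership provider
     */
    public UserValidator(Tree parentBefore, Tree parentAfter, UserValidatorProvider provider) {
        this.parentBefore = parentBefore;
        this.parentAfter = parentAfter;
        this.provider = provider;
        this.authorizableType = parentAfter == null ? null : UserUtil.getType(parentAfter);
    }

    /**
     * Validates a property added to an authorizable.
     *
     * @param after the added property
     * @throws CommitFailedException if the admin user is being disabled (20), the
     *     {@code jcr:uuid} does not match the authorizable id (21), or the new members
     *     would introduce a membership cycle (30, 31)
     */
    @Override
    public void propertyAdded(PropertyState after) throws CommitFailedException {
        if (this.authorizableType == null) {
            return;
        }
        String name = after.getName();
        if (UserConstants.REP_DISABLED.equals(name) && isAdminUser(this.parentAfter)) {
            throw constraintViolation(20, "Admin user cannot be disabled.");
        }
        if (JcrConstants.JCR_UUID.equals(name) && !isValidUUID(this.parentAfter, after.getValue(Type.STRING))) {
            throw constraintViolation(21, "Invalid jcr:uuid for authorizable " + this.parentAfter.getName());
        }
        if (UserConstants.REP_MEMBERS.equals(name)) {
            checkForCyclicMembership(after.getValue(Type.STRINGS));
        }
        // NOTE(review): the plain-text password rejection exists only in propertyChanged;
        // a password property *added* to an authorizable is not inspected by this class.
        // Presumably the writing layer hashes passwords before they reach the commit --
        // confirm against the callers before relying on this validator for that guarantee.
    }

    /**
     * Validates a modified property of an authorizable.
     *
     * @param before the property before the change (its name identifies the property)
     * @param after the property after the change (its value is what gets validated)
     * @throws CommitFailedException if an immutable property is altered (22), the new
     *     {@code jcr:uuid} is invalid (23), the new primary type violates the
     *     authorizable layout rules (26, 28, 29), a user password is set in plain
     *     text (24), or newly added members create a membership cycle (30, 31)
     */
    @Override
    public void propertyChanged(PropertyState before, PropertyState after) throws CommitFailedException {
        if (this.authorizableType == null) {
            return;
        }
        String name = before.getName();
        if ("rep:principalName".equals(name) || UserConstants.REP_AUTHORIZABLE_ID.equals(name)) {
            throw constraintViolation(22, "Authorizable property " + name + " may not be altered after user/group creation.");
        }
        if (JcrConstants.JCR_UUID.equals(name)) {
            Preconditions.checkNotNull(this.parentAfter);
            if (!isValidUUID(this.parentAfter, after.getValue(Type.STRING))) {
                throw constraintViolation(23, "Invalid jcr:uuid for authorizable " + this.parentAfter.getName());
            }
        } else if ("jcr:primaryType".equals(name)) {
            // A primary-type change can turn the node into a different kind of
            // authorizable, so the layout rules are re-checked for the new type.
            validateAuthorizable(this.parentAfter, UserUtil.getType(after.getValue(Type.STRING)));
        }
        // The user check is made against the "before" tree: only nodes that already were
        // users get their changed password rejected when it is not hashed.
        if (isUser(this.parentBefore)
                && UserConstants.REP_PASSWORD.equals(name)
                && PasswordUtil.isPlainTextPassword(after.getValue(Type.STRING))) {
            throw constraintViolation(24, "Password may not be plain text.");
        }
        if (UserConstants.REP_MEMBERS.equals(name)) {
            // Only members that were not present before can introduce a new cycle.
            HashSet<String> addedMembers = Sets.newHashSet(after.getValue(Type.STRINGS));
            addedMembers.removeAll(ImmutableSet.copyOf(before.getValue(Type.STRINGS)));
            checkForCyclicMembership(addedMembers);
        }
    }

    /**
     * Rejects removal of the password, principal name and authorizable id properties.
     *
     * @param before the property being removed
     * @throws CommitFailedException with code 25 if a protected property is removed
     */
    @Override
    public void propertyDeleted(PropertyState before) throws CommitFailedException {
        if (this.authorizableType == null) {
            return;
        }
        String name = before.getName();
        boolean isProtected = UserConstants.REP_PASSWORD.equals(name)
                || "rep:principalName".equals(name)
                || UserConstants.REP_AUTHORIZABLE_ID.equals(name);
        if (isProtected) {
            throw constraintViolation(25, "Authorizable property " + name + " may not be removed.");
        }
    }

    /**
     * Validates a newly added child node and returns a validator for its subtree.
     *
     * @param name name of the added child
     * @param after state of the added child (unused; the child is read from the tree)
     * @return a validator for the added subtree, which has no "before" tree
     * @throws CommitFailedException if the child violates the authorizable layout
     *     rules (26, 28, 29)
     */
    @Override
    public Validator childNodeAdded(String name, NodeState after) throws CommitFailedException {
        Tree added = Preconditions.checkNotNull(this.parentAfter.getChild(name));
        validateAuthorizable(added, UserUtil.getType(added));
        return new VisibleValidator(new UserValidator(null, added, this.provider), true, true);
    }

    /**
     * Returns a validator for a modified child, pairing its before and after trees.
     *
     * @param name name of the changed child
     * @param before state before the change (unused)
     * @param after state after the change (unused)
     * @return a validator for the changed subtree
     */
    @Override
    public Validator childNodeChanged(String name, NodeState before, NodeState after) throws CommitFailedException {
        return new UserValidator(this.parentBefore.getChild(name), this.parentAfter.getChild(name), this.provider);
    }

    /**
     * Handles removal of a child node and blocks removal of the admin user.
     *
     * @param name name of the removed child
     * @param before state of the removed child (unused; the child is read from the tree)
     * @return {@code null} when a user or group other than admin is removed, so its
     *     subtree is not validated any further; otherwise a validator that descends
     *     into the removed subtree to find authorizables below it
     * @throws CommitFailedException with code 27 if the removed node is the admin user
     */
    @Override
    public Validator childNodeDeleted(String name, NodeState before) throws CommitFailedException {
        Tree removed = this.parentBefore.getChild(name);
        AuthorizableType type = UserUtil.getType(removed);
        boolean isUserOrGroup = type == AuthorizableType.USER || type == AuthorizableType.GROUP;
        if (!isUserOrGroup) {
            // Not an authorizable itself (e.g. a folder): keep descending so that an
            // admin user nested below the removed node is still detected.
            return new VisibleValidator(new UserValidator(removed, null, this.provider), true, true);
        }
        if (isAdminUser(removed)) {
            throw constraintViolation(27, "The admin user cannot be removed.");
        }
        return null;
    }

    /**
     * Tells whether the tree is the configured admin user.
     *
     * @param tree the tree to test
     * @return {@code true} if the tree exists, is a user node and its authorizable id
     *     equals the admin id from the provider's configuration
     */
    private boolean isAdminUser(@Nonnull Tree tree) {
        if (!tree.exists() || !isUser(tree)) {
            return false;
        }
        // equals() is invoked on the admin id, so a missing authorizable id on the tree
        // yields false rather than a NullPointerException.
        String adminId = UserUtil.getAdminId(this.provider.getConfig());
        return adminId.equals(UserUtil.getAuthorizableId(tree));
    }

    /**
     * Verifies that none of the given members already contains this group.
     *
     * @param memberContentIds content ids of the members being added to this group
     * @throws CommitFailedException with code 30 if this group has no {@code jcr:uuid},
     *     or code 31 if one of the members is a group this group is a member of
     */
    private void checkForCyclicMembership(@Nonnull Iterable<String> memberContentIds) throws CommitFailedException {
        String groupContentId = TreeUtil.getString(this.parentAfter, JcrConstants.JCR_UUID);
        if (groupContentId == null) {
            throw constraintViolation(30, "Missing content id for group " + UserUtil.getAuthorizableId(this.parentAfter) + "; cannot check for cyclic group membership.");
        }
        MembershipProvider membershipProvider = this.provider.getMembershipProvider();
        for (String memberContentId : memberContentIds) {
            // Ids that do not resolve to a group tree are skipped: only a group member
            // can close a membership cycle.
            Tree memberGroup = membershipProvider.getByContentID(memberContentId, AuthorizableType.GROUP);
            if (memberGroup != null && membershipProvider.isMember(memberGroup, groupContentId, true)) {
                // Fixed: the message was missing the space between "group" and the id.
                throw constraintViolation(31, "Cyclic group membership detected in group " + UserUtil.getAuthorizableId(this.parentAfter));
            }
        }
    }

    /**
     * Checks the location and mandatory content of a tree for the given authorizable type.
     *
     * <p>Nothing is checked when no root path is returned for the type.
     *
     * @param tree the tree to validate
     * @param type the authorizable type to validate against; callers pass the result of
     *     {@code UserUtil.getType(...)} unchecked, so this is presumably {@code null}
     *     for nodes that are not authorizables -- TODO confirm
     * @throws CommitFailedException if the tree lies outside the configured root (28),
     *     has an ancestor that is not an authorizable folder (29), or lacks
     *     {@code rep:principalName} (26)
     */
    private void validateAuthorizable(@Nonnull Tree tree, @Nullable AuthorizableType type) throws CommitFailedException {
        String authorizableRootPath = UserUtil.getAuthorizableRootPath(this.provider.getConfig(), type);
        if (authorizableRootPath == null) {
            return;
        }
        assertHierarchy(tree, authorizableRootPath);
        if (TreeUtil.getString(tree, "rep:principalName") == null) {
            throw constraintViolation(26, "Mandatory property rep:principalName missing.");
        }
    }

    /**
     * Checks that a {@code jcr:uuid} value is the content id of the tree's authorizable id.
     *
     * @param tree the authorizable tree
     * @param uuid the {@code jcr:uuid} value to verify
     * @return {@code true} if the tree has an authorizable id and {@code uuid} equals
     *     {@link UserProvider#getContentID(String)} for that id
     */
    private static boolean isValidUUID(@Nonnull Tree tree, @Nonnull String uuid) {
        String authorizableId = UserUtil.getAuthorizableId(tree);
        if (authorizableId == null) {
            return false;
        }
        return uuid.equals(UserProvider.getContentID(authorizableId));
    }

    /**
     * Tells whether the tree is a user node.
     *
     * @param tree the tree to test, may be {@code null}
     * @return {@code true} if the tree is non-null and its primary type is {@code rep:User}
     */
    private static boolean isUser(@Nullable Tree tree) {
        if (tree == null) {
            return false;
        }
        return UserConstants.NT_REP_USER.equals(TreeUtil.getPrimaryTypeName(tree));
    }

    /**
     * Asserts that the tree lies below the configured root and only beneath
     * authorizable folders.
     *
     * @param tree the authorizable tree
     * @param rootPath the configured root path for the authorizable type
     * @throws CommitFailedException with code 28 if the tree's path is not a descendant
     *     of {@code rootPath}, or code 29 if an existing non-root ancestor is not of
     *     type {@code rep:AuthorizableFolder}
     */
    private static void assertHierarchy(@Nonnull Tree tree, @Nonnull String rootPath) throws CommitFailedException {
        if (!Text.isDescendant(rootPath, tree.getPath())) {
            throw constraintViolation(28, "Attempt to create user/group outside of configured scope " + rootPath);
        }
        if (tree.isRoot()) {
            return;
        }
        // Walk every ancestor up to, but excluding, the repository root. The walk does
        // not stop at rootPath, so ancestors above the configured root are held to the
        // same folder-type requirement.
        Tree ancestor = tree.getParent();
        while (ancestor.exists() && !ancestor.isRoot()) {
            if (!UserConstants.NT_REP_AUTHORIZABLE_FOLDER.equals(TreeUtil.getPrimaryTypeName(ancestor))) {
                throw constraintViolation(29, "Cannot create user/group: Intermediate folders must be of type rep:AuthorizableFolder.");
            }
            ancestor = ancestor.getParent();
        }
    }

    /**
     * Builds the exception used to report a violated user-management constraint.
     *
     * @param code numeric code identifying the violated rule
     * @param message human-readable description of the violation
     * @return a {@link CommitFailedException} of type {@code "Constraint"}
     */
    private static CommitFailedException constraintViolation(int code, @Nonnull String message) {
        return new CommitFailedException("Constraint", code, message);
    }
}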
