package org.apache.jackrabbit.oak.security.authorization.permission;

import com.google.common.base.Function;
import com.google.common.base.Objects;
import com.google.common.base.Preconditions;
import com.google.common.base.Predicate;
import com.google.common.base.Strings;
import com.google.common.collect.ImmutableSortedMap;
import com.google.common.collect.Iterables;
import com.google.common.collect.Iterators;
import java.security.Principal;
import java.security.acl.Group;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.commons.PathUtils;
import org.apache.jackrabbit.oak.core.ImmutableTree;
import org.apache.jackrabbit.oak.security.privilege.PrivilegeBits;
import org.apache.jackrabbit.oak.security.privilege.PrivilegeBitsProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.ReadStatus;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionPattern;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
import org.apache.jackrabbit.oak.util.TreeUtil;
import org.apache.jackrabbit.util.Text;

/* JADX INFO: Access modifiers changed from: package-private */
/* JADX WARN: Classes with same name are omitted:
  input_file:WEB-INF/lib/oak-core-0.8.jar:org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.class
 */
/* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl.class */
public class CompiledPermissionImpl implements CompiledPermissions, PermissionConstants {
    private final Set<Principal> principals;
    private final RestrictionProvider restrictionProvider;
    private final Map<String, ImmutableTree> trees;
    private final Set<String> readPaths;
    private PrivilegeBitsProvider bitsProvider;
    private Map<Key, PermissionEntry> repoEntries;
    private Map<Key, PermissionEntry> userEntries;
    private Map<Key, PermissionEntry> groupEntries;

    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Classes with same name are omitted:
      input_file:WEB-INF/lib/oak-core-0.8.jar:org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl$EntriesBuilder.class
     */
    /* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl$EntriesBuilder.class */
    public static final class EntriesBuilder {
        private ImmutableSortedMap.Builder<Key, PermissionEntry> repoEntries;
        private ImmutableSortedMap.Builder<Key, PermissionEntry> userEntries;
        private ImmutableSortedMap.Builder<Key, PermissionEntry> groupEntries;

        private EntriesBuilder() {
            this.repoEntries = ImmutableSortedMap.naturalOrder();
            this.userEntries = ImmutableSortedMap.naturalOrder();
            this.groupEntries = ImmutableSortedMap.naturalOrder();
        }

        /* JADX INFO: Access modifiers changed from: private */
        public void addEntries(@Nonnull Principal principal, @Nonnull Tree tree, @Nonnull RestrictionProvider restrictionProvider) {
            for (Tree tree2 : tree.getChildren()) {
                Key key = new Key(tree2);
                PermissionEntry permissionEntry = new PermissionEntry(key.path, tree2, restrictionProvider);
                if (!permissionEntry.privilegeBits.isEmpty()) {
                    if (key.path == null) {
                        this.repoEntries.put((ImmutableSortedMap.Builder<Key, PermissionEntry>) key, (Key) permissionEntry);
                    } else if (principal instanceof Group) {
                        this.groupEntries.put((ImmutableSortedMap.Builder<Key, PermissionEntry>) key, (Key) permissionEntry);
                    } else {
                        this.userEntries.put((ImmutableSortedMap.Builder<Key, PermissionEntry>) key, (Key) permissionEntry);
                    }
                }
            }
        }

        /* JADX INFO: Access modifiers changed from: private */
        public Map<Key, PermissionEntry> getRepoEntries() {
            return this.repoEntries.build();
        }

        /* JADX INFO: Access modifiers changed from: private */
        public Map<Key, PermissionEntry> getUserEntries() {
            return getEntries(this.userEntries);
        }

        /* JADX INFO: Access modifiers changed from: private */
        public Map<Key, PermissionEntry> getGroupEntries() {
            return getEntries(this.groupEntries);
        }

        private static Map<Key, PermissionEntry> getEntries(ImmutableSortedMap.Builder builder) {
            ImmutableSortedMap build = builder.build();
            HashSet hashSet = new HashSet();
            Iterator it = build.entrySet().iterator();
            while (it.hasNext()) {
                Map.Entry entry = (Map.Entry) it.next();
                Key key = (Key) entry.getKey();
                Iterator it2 = hashSet.iterator();
                while (it2.hasNext()) {
                    Map.Entry entry2 = (Map.Entry) it2.next();
                    if (Text.isDescendantOrEqual(key.path, ((Key) entry2.getKey()).path)) {
                        ((PermissionEntry) entry2.getValue()).next = (PermissionEntry) entry.getValue();
                        it2.remove();
                    }
                }
                hashSet.add(entry);
            }
            return build;
        }
    }

    /* JADX WARN: Classes with same name are omitted:
      input_file:WEB-INF/lib/oak-core-0.8.jar:org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl$EntryFunction.class
     */
    /* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl$EntryFunction.class */
    private static class EntryFunction implements Function<Map.Entry<Key, PermissionEntry>, PermissionEntry> {
        private EntryFunction() {
        }

        @Override // com.google.common.base.Function
        public PermissionEntry apply(Map.Entry<Key, PermissionEntry> entry) {
            return entry.getValue();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Classes with same name are omitted:
      input_file:WEB-INF/lib/oak-core-0.8.jar:org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl$EntryIterator.class
     */
    /* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl$EntryIterator.class */
    public static class EntryIterator implements Iterator<PermissionEntry> {
        private final Iterator<PermissionEntry> it;
        private PermissionEntry latestEntry;

        private EntryIterator(@Nonnull Map<Key, PermissionEntry> map, @Nonnull Tree tree, @Nullable PropertyState propertyState) {
            this.it = Iterators.transform(Iterators.filter(map.entrySet().iterator(), new EntryPredicate(tree, propertyState)), new EntryFunction());
        }

        private EntryIterator(@Nonnull Map<Key, PermissionEntry> map, @Nonnull String str) {
            this.it = Iterators.transform(Iterators.filter(map.entrySet().iterator(), new EntryPredicate(str)), new EntryFunction());
        }

        @Override // java.util.Iterator
        public boolean hasNext() {
            return this.it.hasNext();
        }

        /* JADX WARN: Can't rename method to resolve collision */
        @Override // java.util.Iterator
        public PermissionEntry next() {
            if (this.latestEntry == null || this.latestEntry.next == null) {
                this.latestEntry = this.it.next();
                return this.latestEntry;
            }
            while (this.it.hasNext() && this.it.next() != this.latestEntry.next) {
            }
            this.latestEntry = this.latestEntry.next;
            return this.latestEntry;
        }

        @Override // java.util.Iterator
        public void remove() {
            throw new UnsupportedOperationException();
        }
    }

    /* JADX WARN: Classes with same name are omitted:
      input_file:WEB-INF/lib/oak-core-0.8.jar:org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl$EntryPredicate.class
     */
    /* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl$EntryPredicate.class */
    private static class EntryPredicate implements Predicate<Map.Entry<Key, PermissionEntry>> {
        private final Tree tree;
        private final PropertyState property;
        private final String path;
        private final int depth;

        private EntryPredicate(@Nonnull Tree tree, @Nullable PropertyState propertyState) {
            this.tree = tree;
            this.property = propertyState;
            this.path = tree.getPath();
            this.depth = PathUtils.getDepth(this.path);
        }

        private EntryPredicate(@Nonnull String str) {
            this.tree = null;
            this.property = null;
            this.path = str;
            this.depth = PathUtils.getDepth(str);
        }

        @Override // com.google.common.base.Predicate
        public boolean apply(@Nullable Map.Entry<Key, PermissionEntry> entry) {
            if (entry != null && this.depth >= entry.getKey().depth) {
                return this.tree != null ? entry.getValue().matches(this.tree, this.property) : entry.getValue().matches(this.path);
            }
            return false;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Classes with same name are omitted:
      input_file:WEB-INF/lib/oak-core-0.8.jar:org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl$Key.class
     */
    /* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl$Key.class */
    public static final class Key implements Comparable<Key> {
        private final String path;
        private final int depth;
        private final long index;

        private Key(Tree tree) {
            this.path = Strings.emptyToNull(TreeUtil.getString(tree, PermissionConstants.REP_ACCESS_CONTROLLED_PATH));
            this.depth = this.path == null ? 0 : PathUtils.getDepth(this.path);
            this.index = ((Long) Preconditions.checkNotNull(tree.getProperty(PermissionConstants.REP_INDEX).getValue(Type.LONG))).longValue();
        }

        @Override // java.lang.Comparable
        public int compareTo(Key key) {
            Preconditions.checkNotNull(key);
            if (!Objects.equal(this.path, key.path)) {
                return this.depth == key.depth ? this.path.compareTo(key.path) : this.depth < key.depth ? 1 : -1;
            }
            if (this.index == key.index) {
                return 0;
            }
            return this.index < key.index ? 1 : -1;
        }

        public int hashCode() {
            return Objects.hashCode(this.path, Long.valueOf(this.index));
        }

        public boolean equals(Object obj) {
            if (obj == this) {
                return true;
            }
            if (!(obj instanceof Key)) {
                return false;
            }
            Key key = (Key) obj;
            return this.index == key.index && Objects.equal(this.path, key.path);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Classes with same name are omitted:
      input_file:WEB-INF/lib/oak-core-0.8.jar:org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl$PermissionEntry.class
     */
    /* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/permission/CompiledPermissionImpl$PermissionEntry.class */
    public static final class PermissionEntry {
        private final boolean isAllow;
        private final PrivilegeBits privilegeBits;
        private final String path;
        private final RestrictionPattern restriction;
        private ReadStatus readStatus;
        private PermissionEntry next;

        private PermissionEntry(String str, Tree tree, RestrictionProvider restrictionProvider) {
            this.isAllow = 'a' == tree.getName().charAt(0);
            this.privilegeBits = PrivilegeBits.getInstance(tree.getProperty("rep:privileges"));
            this.path = str;
            this.restriction = restrictionProvider.getPattern(str, tree);
        }

        /* JADX INFO: Access modifiers changed from: private */
        public boolean matches(@Nonnull Tree tree, @Nullable PropertyState propertyState) {
            if (Text.isDescendantOrEqual(this.path, tree.getPath())) {
                return this.restriction.matches(tree, propertyState);
            }
            return false;
        }

        /* JADX INFO: Access modifiers changed from: private */
        public boolean matches(@Nonnull String str) {
            if (Text.isDescendantOrEqual(this.path, str)) {
                return this.restriction.matches(str);
            }
            return false;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public CompiledPermissionImpl(@Nonnull Set<Principal> set, @Nonnull ImmutableTree immutableTree, @Nonnull PrivilegeBitsProvider privilegeBitsProvider, @Nonnull RestrictionProvider restrictionProvider, @Nonnull Set<String> set2) {
        Preconditions.checkArgument(!set.isEmpty());
        this.principals = set;
        this.restrictionProvider = restrictionProvider;
        this.bitsProvider = privilegeBitsProvider;
        this.readPaths = set2;
        this.trees = new HashMap(set.size());
        buildEntries(immutableTree);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void refresh(@Nonnull ImmutableTree immutableTree, @Nonnull PrivilegeBitsProvider privilegeBitsProvider) {
        this.bitsProvider = privilegeBitsProvider;
        boolean z = false;
        if (this.trees.size() != this.principals.size()) {
            Iterator<Principal> it = this.principals.iterator();
            while (true) {
                if (!it.hasNext()) {
                    break;
                }
                Principal next = it.next();
                if (!this.trees.containsKey(next.getName()) && getPrincipalRoot(immutableTree, next).exists()) {
                    z = true;
                    break;
                }
            }
        }
        if (!z) {
            Iterator<Map.Entry<String, ImmutableTree>> it2 = this.trees.entrySet().iterator();
            while (true) {
                if (!it2.hasNext()) {
                    break;
                }
                ImmutableTree value = it2.next().getValue();
                ImmutableTree child = immutableTree.getChild(value.getName());
                if (child.exists() && !value.equals(child)) {
                    z = true;
                    break;
                }
            }
        }
        if (z) {
            buildEntries(immutableTree);
        }
    }

    @Override // org.apache.jackrabbit.oak.security.authorization.permission.CompiledPermissions
    public ReadStatus getReadStatus(@Nonnull Tree tree, @Nullable PropertyState propertyState) {
        if (isReadablePath(tree, null)) {
            return ReadStatus.ALLOW_ALL_REGULAR;
        }
        long j = propertyState == null ? 1L : 2L;
        Iterator<PermissionEntry> entryIterator = getEntryIterator(tree, propertyState);
        while (entryIterator.hasNext()) {
            PermissionEntry next = entryIterator.next();
            if (next.readStatus != null) {
                return next.readStatus;
            }
            if (next.privilegeBits.includesRead(j)) {
                return next.isAllow ? ReadStatus.ALLOW_THIS : ReadStatus.DENY_THIS;
            }
        }
        return ReadStatus.DENY_THIS;
    }

    @Override // org.apache.jackrabbit.oak.security.authorization.permission.CompiledPermissions
    public boolean isGranted(long j) {
        return hasPermissions(this.repoEntries.values().iterator(), j, null, null);
    }

    @Override // org.apache.jackrabbit.oak.security.authorization.permission.CompiledPermissions
    public boolean isGranted(@Nonnull Tree tree, @Nullable PropertyState propertyState, long j) {
        return hasPermissions(getEntryIterator(tree, propertyState), j, tree, null);
    }

    @Override // org.apache.jackrabbit.oak.security.authorization.permission.CompiledPermissions
    public boolean isGranted(@Nonnull String str, long j) {
        return hasPermissions(getEntryIterator(str), j, null, str);
    }

    @Override // org.apache.jackrabbit.oak.security.authorization.permission.CompiledPermissions
    public Set<String> getPrivileges(@Nullable Tree tree) {
        return this.bitsProvider.getPrivilegeNames(getPrivilegeBits(tree));
    }

    @Override // org.apache.jackrabbit.oak.security.authorization.permission.CompiledPermissions
    public boolean hasPrivileges(@Nullable Tree tree, String... strArr) {
        return getPrivilegeBits(tree).includes(this.bitsProvider.getBits(strArr));
    }

    @Nonnull
    private static ImmutableTree getPrincipalRoot(ImmutableTree immutableTree, Principal principal) {
        return immutableTree.getChild(Text.escapeIllegalJcrChars(principal.getName()));
    }

    private void buildEntries(@Nonnull ImmutableTree immutableTree) {
        if (!immutableTree.exists()) {
            this.repoEntries = Collections.emptyMap();
            this.userEntries = Collections.emptyMap();
            this.groupEntries = Collections.emptyMap();
            return;
        }
        EntriesBuilder entriesBuilder = new EntriesBuilder();
        for (Principal principal : this.principals) {
            ImmutableTree principalRoot = getPrincipalRoot(immutableTree, principal);
            if (principalRoot.exists()) {
                this.trees.put(principal.getName(), principalRoot);
                entriesBuilder.addEntries(principal, principalRoot, this.restrictionProvider);
            }
        }
        this.repoEntries = entriesBuilder.getRepoEntries();
        this.userEntries = entriesBuilder.getUserEntries();
        this.groupEntries = entriesBuilder.getGroupEntries();
        buildReadStatus(Iterables.concat(this.userEntries.values(), this.groupEntries.values()));
    }

    private static void buildReadStatus(Iterable<PermissionEntry> iterable) {
    }

    private boolean hasPermissions(@Nonnull Iterator<PermissionEntry> it, long j, @Nullable Tree tree, @Nullable String str) {
        PrivilegeBits privilegeBits;
        PrivilegeBits privilegeBits2;
        Tree tree2;
        String str2;
        boolean z = Permissions.diff(3L, j) != 3 && isReadablePath(tree, str);
        if (!it.hasNext() && !z) {
            return false;
        }
        boolean z2 = !(tree == null && str == null) && (Permissions.includes(j, 32L) || Permissions.includes(j, 64L) || Permissions.includes(j, 16384L));
        long j2 = z ? 3L : 0L;
        long j3 = 0;
        PrivilegeBits privilegeBits3 = PrivilegeBits.getInstance();
        if (z) {
            privilegeBits3.add(this.bitsProvider.getBits(PrivilegeConstants.JCR_READ));
        }
        PrivilegeBits privilegeBits4 = PrivilegeBits.getInstance();
        if (z2) {
            privilegeBits = PrivilegeBits.getInstance();
            privilegeBits2 = PrivilegeBits.getInstance();
            tree2 = tree != null ? getParentOrNull(tree) : null;
            str2 = str != null ? Strings.emptyToNull(Text.getRelativeParent(str, 1)) : null;
        } else {
            privilegeBits = PrivilegeBits.EMPTY;
            privilegeBits2 = PrivilegeBits.EMPTY;
            tree2 = null;
            str2 = null;
        }
        while (it.hasNext()) {
            PermissionEntry next = it.next();
            if (z2 && (tree2 != null || str2 != null)) {
                if (tree2 != null ? next.matches(tree2, null) : next.matches(str2)) {
                    if (next.isAllow) {
                        privilegeBits.addDifference(next.privilegeBits, privilegeBits2);
                    } else {
                        privilegeBits2.addDifference(next.privilegeBits, privilegeBits);
                    }
                }
            }
            if (next.isAllow) {
                privilegeBits3.addDifference(next.privilegeBits, privilegeBits4);
                j2 |= Permissions.diff(PrivilegeBits.calculatePermissions(privilegeBits3, privilegeBits, true), j3);
                if ((j2 | (j ^ (-1))) == -1) {
                    return true;
                }
            } else {
                privilegeBits4.addDifference(next.privilegeBits, privilegeBits3);
                j3 |= Permissions.diff(PrivilegeBits.calculatePermissions(privilegeBits4, privilegeBits2, false), j2);
                if (Permissions.includes(j3, j)) {
                    return false;
                }
            }
        }
        return (j2 | (j ^ (-1))) == -1;
    }

    private static Tree getParentOrNull(Tree tree) {
        Tree parent = tree.getParent();
        if (parent.exists()) {
            return parent;
        }
        return null;
    }

    private PrivilegeBits getPrivilegeBits(@Nullable Tree tree) {
        Iterator<PermissionEntry> it = tree == null ? this.repoEntries.values().iterator() : getEntryIterator(tree, null);
        PrivilegeBits privilegeBits = PrivilegeBits.getInstance();
        PrivilegeBits privilegeBits2 = PrivilegeBits.getInstance();
        while (it.hasNext()) {
            PermissionEntry next = it.next();
            if (next.isAllow) {
                privilegeBits.addDifference(next.privilegeBits, privilegeBits2);
            } else {
                privilegeBits2.addDifference(next.privilegeBits, privilegeBits);
            }
        }
        if (isReadablePath(tree, null)) {
            privilegeBits.add(this.bitsProvider.getBits(PrivilegeConstants.JCR_READ));
        }
        return privilegeBits;
    }

    private Iterator<PermissionEntry> getEntryIterator(@Nonnull Tree tree, @Nullable PropertyState propertyState) {
        return Iterators.concat(new EntryIterator(this.userEntries, tree, propertyState), new EntryIterator(this.groupEntries, tree, propertyState));
    }

    private Iterator<PermissionEntry> getEntryIterator(@Nonnull String str) {
        return Iterators.concat(new EntryIterator(this.userEntries, str), new EntryIterator(this.groupEntries, str));
    }

    private boolean isReadablePath(@Nullable Tree tree, @Nullable String str) {
        if (this.readPaths.isEmpty()) {
            return false;
        }
        String path = tree != null ? tree.getPath() : str;
        if (path == null) {
            return false;
        }
        Iterator<String> it = this.readPaths.iterator();
        while (it.hasNext()) {
            if (Text.isDescendantOrEqual(it.next(), path)) {
                return true;
            }
        }
        return false;
    }
}
