package org.apache.jackrabbit.oak.security.privilege;

import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.annotation.Nonnull;
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.plugins.name.NamespaceConstants;
import org.apache.jackrabbit.oak.plugins.tree.impl.ImmutableTree;
import org.apache.jackrabbit.oak.spi.commit.DefaultValidator;
import org.apache.jackrabbit.oak.spi.commit.Validator;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeDefinition;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeUtil;
import org.apache.jackrabbit.oak.spi.state.NodeState;
import org.apache.jackrabbit.oak.spi.state.NodeStateUtils;
import org.apache.jackrabbit.util.Text;

/* loaded from: input_file:resources/install/15/oak-core-1.6.8.jar:org/apache/jackrabbit/oak/security/privilege/PrivilegeValidator.class */
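/**
 * Commit validator guarding the privilege store.
 *
 * <p>As far as the code in this class shows, it enforces the following on every commit it is
 * applied to:
 * <ul>
 *   <li>existing privilege definition nodes can neither be changed nor removed;</li>
 *   <li>the only property that may change is {@code REP_NEXT}, and only to the value obtained
 *       from {@code nextBits()} of its previous value;</li>
 *   <li>properties cannot be deleted;</li>
 *   <li>a newly added privilege definition must not use a reserved namespace prefix, must carry
 *       non-empty privilege bits, and must be consistent with the definitions that were
 *       registered before the commit (see {@link #validateDefinition(Tree)}).</li>
 * </ul>
 *
 * <p>Privilege bits are what access control evaluation compares, so a definition that reuses or
 * mis-declares bits would silently alias another privilege; that is why the checks are made
 * against the state <em>before</em> the commit rather than against data supplied by the commit.
 */
class PrivilegeValidator extends DefaultValidator implements PrivilegeConstants {
    /** Repository state before the commit; the trusted reference for all comparisons. */
    private final Root rootBefore;
    /** Repository state after the commit; only read to verify the {@code REP_NEXT} counter. */
    private final Root rootAfter;
    /** Resolves bits to names and names to bits using the state before the commit. */
    private final PrivilegeBitsProvider bitsProvider;

    /**
     * Creates a validator comparing two repository states.
     *
     * @param before the root as it was before the commit
     * @param after the root as it will be after the commit
     */
    public PrivilegeValidator(Root before, Root after) {
        this.rootBefore = before;
        this.rootAfter = after;
        this.bitsProvider = new PrivilegeBitsProvider(this.rootBefore);
    }

    /**
     * Accepts any added property; no validation is performed here.
     *
     * @param after the added property
     */
    @Override
    public void propertyAdded(PropertyState after) throws CommitFailedException {
        // Intentionally empty.
    }

    /**
     * Rejects every property change except an update of {@code REP_NEXT}, which must advance
     * the stored counter by exactly one {@code nextBits()} step.
     *
     * @param before the property before the commit (its name decides which rule applies)
     * @param after the property after the commit (not inspected directly; the new counter value
     *     is re-read from the privileges tree of the after-root)
     * @throws CommitFailedException with code 45 for any other property, code 43 if the counter
     *     was not advanced as expected, or code 44 if the privilege store does not exist
     */
    @Override
    public void propertyChanged(PropertyState before, PropertyState after) throws CommitFailedException {
        if (!PrivilegeConstants.REP_NEXT.equals(before.getName())) {
            throw new CommitFailedException(CommitFailedException.CONSTRAINT, 45, "Attempt to modify existing privilege definition.");
        }
        PropertyState previousNext = getPrivilegesTree(this.rootBefore).getProperty(PrivilegeConstants.REP_NEXT);
        validateNext(PrivilegeBits.getInstance(previousNext));
    }

    /**
     * Rejects the removal of any property.
     *
     * @param before the property that the commit removes
     * @throws CommitFailedException always, with code 46
     */
    @Override
    public void propertyDeleted(PropertyState before) throws CommitFailedException {
        throw new CommitFailedException(CommitFailedException.CONSTRAINT, 46, "Attempt to modify existing privilege definition.");
    }

    /**
     * Validates a newly added child node if its primary type marks it as a privilege definition;
     * nodes of any other type are ignored.
     *
     * @param name name of the added node, used as the privilege name
     * @param after state of the added node
     * @return always {@code null}; no validator is handed back for the subtree
     * @throws CommitFailedException if the store is missing (code 44), the name uses a reserved
     *     namespace prefix (type "Privilege", code 1), or the definition is invalid
     */
    @Override
    public Validator childNodeAdded(String name, NodeState after) throws CommitFailedException {
        if (!isPrivilegeDefinition(after)) {
            return null;
        }
        // Called only for its check: fails with code 44 when the privilege store is missing
        // in the state before the commit. The returned tree is not needed.
        getPrivilegesTree(this.rootBefore);
        String prefix = Text.getNamespacePrefix(name);
        if (NamespaceConstants.RESERVED_PREFIXES.contains(prefix)) {
            throw new CommitFailedException("Privilege", 1, "Failed to register custom privilege: Definition uses reserved namespace: " + name);
        }
        Tree definitionTree = new ImmutableTree(ImmutableTree.ParentProvider.UNSUPPORTED, name, after);
        validateDefinition(definitionTree);
        return null;
    }

    /**
     * Rejects any modification of a node that was a privilege definition before the commit.
     * Only the type of the before-state is inspected.
     *
     * @param name name of the changed node
     * @param before node state before the commit
     * @param after node state after the commit
     * @return always {@code null}
     * @throws CommitFailedException with code 41 if a privilege definition differs between the
     *     two states
     */
    @Override
    public Validator childNodeChanged(String name, NodeState before, NodeState after) throws CommitFailedException {
        boolean modifiedDefinition = isPrivilegeDefinition(before) && !before.equals(after);
        if (modifiedDefinition) {
            throw new CommitFailedException(CommitFailedException.CONSTRAINT, 41, "Attempt to modify existing privilege definition " + name);
        }
        return null;
    }

    /**
     * Rejects the removal of a privilege definition node.
     *
     * @param name name of the removed node
     * @param before node state before the commit
     * @return always {@code null}
     * @throws CommitFailedException with code 42 if the removed node is a privilege definition
     */
    @Override
    public Validator childNodeDeleted(String name, NodeState before) throws CommitFailedException {
        if (isPrivilegeDefinition(before)) {
            throw new CommitFailedException(CommitFailedException.CONSTRAINT, 42, "Attempt to un-register privilege " + name);
        }
        return null;
    }

    /**
     * Verifies that {@code REP_NEXT} stored in the after-root equals {@code bits.nextBits()}.
     *
     * @param bits the bits the counter is expected to follow
     * @throws CommitFailedException with code 43 on mismatch, or code 44 if the privilege store
     *     does not exist in the after-root
     */
    private void validateNext(PrivilegeBits bits) throws CommitFailedException {
        PropertyState storedNext = getPrivilegesTree(this.rootAfter).getProperty(PrivilegeConstants.REP_NEXT);
        PrivilegeBits actualNext = PrivilegeBits.getInstance(storedNext);
        if (!actualNext.equals(bits.nextBits())) {
            throw new CommitFailedException(CommitFailedException.CONSTRAINT, 43, "Next bits not updated");
        }
    }

    /**
     * Returns the tree at {@code PRIVILEGES_PATH} of the given root.
     *
     * @param root the root to read from
     * @return the existing privileges tree
     * @throws CommitFailedException with code 44 if that tree does not exist
     */
    @Nonnull
    private Tree getPrivilegesTree(Root root) throws CommitFailedException {
        Tree privilegesTree = root.getTree(PrivilegeConstants.PRIVILEGES_PATH);
        if (!privilegesTree.exists()) {
            throw new CommitFailedException(CommitFailedException.CONSTRAINT, 44, "Privilege store not initialized.");
        }
        return privilegesTree;
    }

    /**
     * Validates a new privilege definition against the definitions registered before the commit.
     *
     * <p>Non-aggregate definition: its bits must be non-empty, must not resolve to any existing
     * privilege name, and the {@code REP_NEXT} counter must follow them.
     *
     * <p>Aggregate definition: it must declare at least two aggregates, each of them registered
     * and not leading back to the new privilege; neither its declared nor its fully resolved
     * aggregate set may equal that of an existing aggregate; and its bits must equal the bits
     * computed from the declared aggregate names.
     *
     * @param definitionTree tree holding the new definition
     * @throws CommitFailedException with one of the codes 43, 44, 47 to 53 when a check fails
     */
    private void validateDefinition(Tree definitionTree) throws CommitFailedException {
        PrivilegeBits newBits = PrivilegeBits.getInstance(definitionTree);
        if (newBits.isEmpty()) {
            throw new CommitFailedException(CommitFailedException.CONSTRAINT, 48, "PrivilegeBits are missing.");
        }
        // Names that the state before the commit already associates with these bits.
        Set<String> existingNames = this.bitsProvider.getPrivilegeNames(newBits);
        PrivilegeDefinition newDefinition = PrivilegeUtil.readDefinition(definitionTree);
        Set<String> declaredAggregates = newDefinition.getDeclaredAggregateNames();

        if (declaredAggregates.isEmpty()) {
            // A non-aggregate privilege must own bits nobody else uses.
            if (!existingNames.isEmpty()) {
                throw new CommitFailedException(CommitFailedException.CONSTRAINT, 49, "PrivilegeBits already in used.");
            }
            validateNext(newBits);
            return;
        }

        if (declaredAggregates.size() == 1) {
            throw new CommitFailedException(CommitFailedException.CONSTRAINT, 50, "Singular aggregation is equivalent to existing privilege.");
        }

        Map<String, PrivilegeDefinition> registered = new PrivilegeDefinitionReader(this.rootBefore).readDefinitions();
        for (String aggregateName : declaredAggregates) {
            if (!registered.containsKey(aggregateName)) {
                throw new CommitFailedException(CommitFailedException.CONSTRAINT, 51, "Declared aggregate '" + aggregateName + "' is not a registered privilege.");
            }
            if (isCircularAggregation(newDefinition.getName(), aggregateName, registered)) {
                throw new CommitFailedException(CommitFailedException.CONSTRAINT, 52, "Detected circular aggregation within custom privilege caused by " + aggregateName);
            }
        }

        Set<String> resolvedAggregates = resolveAggregates(declaredAggregates, registered);
        for (PrivilegeDefinition existing : registered.values()) {
            Set<String> existingDeclared = existing.getDeclaredAggregateNames();
            if (existingDeclared.isEmpty()) {
                continue;
            }
            boolean sameDeclared = declaredAggregates.equals(existingDeclared);
            if (sameDeclared || resolvedAggregates.equals(resolveAggregates(existingDeclared, registered))) {
                throw new CommitFailedException(CommitFailedException.CONSTRAINT, 53, "Custom aggregate privilege '" + newDefinition.getName() + "' is already covered by '" + existing.getName() + '\'');
            }
        }

        // The bits stored with the definition come from the commit; recompute them from the
        // trusted state and refuse any mismatch.
        // NOTE(review): code 53 is also used by the "already covered" failure above; kept as is
        // because callers may depend on the numeric code.
        PrivilegeBits expectedBits = this.bitsProvider.getBits(declaredAggregates.toArray(new String[0]));
        if (!newBits.equals(expectedBits)) {
            throw new CommitFailedException(CommitFailedException.CONSTRAINT, 53, "Invalid privilege bits for aggregated privilege definition.");
        }
    }

    /**
     * Tells whether following the aggregates of {@code aggregateName} leads back to
     * {@code privilegeName}.
     *
     * <p>The search stops at the first branch that closes the cycle. The previous form assigned
     * each recursive result to one flag, so a later non-circular branch overwrote an earlier
     * positive result and the cycle went unreported.
     *
     * @param privilegeName name of the privilege being registered
     * @param aggregateName name of the aggregate to inspect
     * @param definitions registered definitions keyed by privilege name
     * @return {@code true} if a cycle through {@code privilegeName} is found
     */
    private static boolean isCircularAggregation(String privilegeName, String aggregateName, Map<String, PrivilegeDefinition> definitions) {
        if (privilegeName.equals(aggregateName)) {
            return true;
        }
        PrivilegeDefinition aggregate = definitions.get(aggregateName);
        if (aggregate == null) {
            // Callers in this class check containsKey first; an unknown name has nothing to follow.
            return false;
        }
        for (String nested : aggregate.getDeclaredAggregateNames()) {
            if (privilegeName.equals(nested)) {
                return true;
            }
            if (definitions.containsKey(nested) && isCircularAggregation(privilegeName, nested, definitions)) {
                return true;
            }
        }
        return false;
    }

    /**
     * Expands the given privilege names to the set of non-aggregate privileges they cover.
     *
     * @param declaredNames privilege names to expand
     * @param definitions registered definitions keyed by privilege name
     * @return names of all definitions reached that declare no aggregates
     * @throws CommitFailedException with code 47 if a name has no definition
     */
    private static Set<String> resolveAggregates(Set<String> declaredNames, Map<String, PrivilegeDefinition> definitions) throws CommitFailedException {
        Set<String> resolved = new HashSet<>();
        for (String name : declaredNames) {
            PrivilegeDefinition definition = definitions.get(name);
            if (definition == null) {
                throw new CommitFailedException(CommitFailedException.CONSTRAINT, 47, "Invalid declared aggregate name " + name + ": Unknown privilege.");
            }
            Set<String> nested = definition.getDeclaredAggregateNames();
            if (nested.isEmpty()) {
                resolved.add(name);
            } else {
                resolved.addAll(resolveAggregates(nested, definitions));
            }
        }
        return resolved;
    }

    /**
     * Tells whether the node's primary type name equals {@code NT_REP_PRIVILEGE}.
     *
     * @param state node state to inspect
     * @return {@code true} if the node is a privilege definition
     */
    private static boolean isPrivilegeDefinition(@Nonnull NodeState state) {
        String primaryType = NodeStateUtils.getPrimaryTypeName(state);
        return PrivilegeConstants.NT_REP_PRIVILEGE.equals(primaryType);
    }
}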
