package org.apache.jackrabbit.core.security.authorization.principalbased;

import java.security.Principal;
import javax.jcr.Node;
import javax.jcr.NodeIterator;
import javax.jcr.PathNotFoundException;
import javax.jcr.RepositoryException;
import javax.jcr.UnsupportedRepositoryOperationException;
import javax.jcr.Value;
import javax.jcr.ValueFactory;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlException;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy;
import org.apache.jackrabbit.api.security.principal.ItemBasedPrincipal;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.commons.webdav.AtomFeedConstants;
import org.apache.jackrabbit.core.NodeImpl;
import org.apache.jackrabbit.core.ProtectedItemModifier;
import org.apache.jackrabbit.core.SessionImpl;
import org.apache.jackrabbit.core.security.authorization.AccessControlConstants;
import org.apache.jackrabbit.core.security.authorization.AccessControlEditor;
import org.apache.jackrabbit.core.security.authorization.AccessControlEntryImpl;
import org.apache.jackrabbit.core.security.principal.PrincipalImpl;
import org.apache.jackrabbit.spi.Name;
import org.apache.jackrabbit.spi.Path;
import org.apache.jackrabbit.spi.commons.conversion.NameException;
import org.apache.jackrabbit.spi.commons.conversion.NameParser;
import org.apache.jackrabbit.util.Text;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX WARN: Classes with same name are omitted:
  input_file:WEB-INF/lib/jackrabbit-core-2.21.18.jar:org/apache/jackrabbit/core/security/authorization/principalbased/ACLEditor.class
 */
/* loaded from: input_file:org/apache/jackrabbit/core/security/authorization/principalbased/ACLEditor.class */
public class ACLEditor extends ProtectedItemModifier implements AccessControlEditor, AccessControlConstants {
    private static Logger log = LoggerFactory.getLogger((Class<?>) ACLEditor.class);
    private static final String DEFAULT_ACE_NAME = "ace";
    private final SessionImpl session;
    private final String acRootPath;

    /* JADX INFO: Access modifiers changed from: package-private */
    public ACLEditor(SessionImpl sessionImpl, Path path) throws RepositoryException {
        super(64);
        this.session = sessionImpl;
        this.acRootPath = sessionImpl.getJCRPath(path);
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public ACLTemplate getACL(Principal principal) throws RepositoryException {
        if (!this.session.getPrincipalManager().hasPrincipal(principal.getName())) {
            throw new AccessControlException("Unknown principal.");
        }
        String pathToAcNode = getPathToAcNode(principal);
        ACLTemplate aCLTemplate = null;
        if (this.session.nodeExists(pathToAcNode)) {
            AccessControlPolicy[] policies = getPolicies(pathToAcNode);
            if (policies.length > 0) {
                aCLTemplate = (ACLTemplate) policies[0];
            }
        }
        if (aCLTemplate == null) {
            log.debug("No policy template for Principal " + principal.getName());
        }
        return aCLTemplate;
    }

    @Override // org.apache.jackrabbit.core.security.authorization.AccessControlEditor
    public AccessControlPolicy[] getPolicies(String str) throws AccessControlException, PathNotFoundException, RepositoryException {
        checkProtectsNode(str);
        NodeImpl acNode = getAcNode(str);
        return isAccessControlled(acNode) ? new AccessControlPolicy[]{createTemplate(acNode)} : new AccessControlPolicy[0];
    }

    @Override // org.apache.jackrabbit.core.security.authorization.AccessControlEditor
    public JackrabbitAccessControlPolicy[] getPolicies(Principal principal) throws AccessControlException, RepositoryException {
        if (!this.session.getPrincipalManager().hasPrincipal(principal.getName())) {
            throw new AccessControlException("Cannot edit access control: " + principal.getName() + " isn't a known principal.");
        }
        ACLTemplate acl = getACL(principal);
        return acl == null ? new JackrabbitAccessControlPolicy[0] : new JackrabbitAccessControlPolicy[]{acl};
    }

    @Override // org.apache.jackrabbit.core.security.authorization.AccessControlEditor
    public AccessControlPolicy[] editAccessControlPolicies(String str) throws AccessControlException, PathNotFoundException, RepositoryException {
        checkProtectsNode(str);
        if (Text.isDescendant(this.acRootPath, str)) {
            NodeImpl acNode = getAcNode(str);
            if (acNode == null) {
                if (getPrincipal(str) == null) {
                    throw new AccessControlException("Access control modification not allowed at " + str);
                }
                acNode = createAcNode(str);
            }
            if (!isAccessControlled(acNode)) {
                return new AccessControlPolicy[]{createTemplate(acNode)};
            }
        }
        return new AccessControlPolicy[0];
    }

    @Override // org.apache.jackrabbit.core.security.authorization.AccessControlEditor
    public JackrabbitAccessControlPolicy[] editAccessControlPolicies(Principal principal) throws RepositoryException {
        if (!this.session.getPrincipalManager().hasPrincipal(principal.getName())) {
            throw new AccessControlException("Cannot edit access control: " + principal.getName() + " isn't a known principal.");
        }
        String pathToAcNode = getPathToAcNode(principal);
        NodeImpl createAcNode = !this.session.nodeExists(pathToAcNode) ? createAcNode(pathToAcNode) : (NodeImpl) this.session.getNode(pathToAcNode);
        return !isAccessControlled(createAcNode) ? new JackrabbitAccessControlPolicy[]{createTemplate(createAcNode)} : new JackrabbitAccessControlPolicy[0];
    }

    @Override // org.apache.jackrabbit.core.security.authorization.AccessControlEditor
    public void setPolicy(String str, AccessControlPolicy accessControlPolicy) throws AccessControlException, PathNotFoundException, RepositoryException {
        NodeImpl addNode;
        checkProtectsNode(str);
        checkValidPolicy(str, accessControlPolicy);
        ACLTemplate aCLTemplate = (ACLTemplate) accessControlPolicy;
        NodeImpl acNode = getAcNode(str);
        if (acNode == null) {
            throw new PathNotFoundException("No such node " + str);
        }
        if (acNode.hasNode(N_POLICY)) {
            addNode = acNode.getNode(N_POLICY);
            NodeIterator nodes = addNode.getNodes();
            while (nodes.hasNext()) {
                removeItem((NodeImpl) nodes.nextNode());
            }
        } else {
            addNode = addNode(acNode, N_POLICY, NT_REP_ACL);
        }
        for (AccessControlEntry accessControlEntry : aCLTemplate.getAccessControlEntries()) {
            AccessControlEntryImpl accessControlEntryImpl = (AccessControlEntryImpl) accessControlEntry;
            NodeImpl addNode2 = addNode(addNode, getUniqueNodeName(addNode, AtomFeedConstants.XML_ENTRY), accessControlEntryImpl.isAllow() ? NT_REP_GRANT_ACE : NT_REP_DENY_ACE);
            ValueFactory valueFactory = this.session.getValueFactory();
            setProperty(addNode2, P_PRINCIPAL_NAME, valueFactory.createValue(accessControlEntryImpl.getPrincipal().getName()));
            Privilege[] privileges = accessControlEntryImpl.getPrivileges();
            Value[] valueArr = new Value[privileges.length];
            for (int i = 0; i < privileges.length; i++) {
                valueArr[i] = valueFactory.createValue(privileges[i].getName(), 7);
            }
            setProperty(addNode2, P_PRIVILEGES, valueArr);
            for (Name name : accessControlEntryImpl.getRestrictions().keySet()) {
                setProperty(addNode2, name, accessControlEntryImpl.getRestriction(name));
            }
        }
        markModified((NodeImpl) addNode.getParent());
    }

    @Override // org.apache.jackrabbit.core.security.authorization.AccessControlEditor
    public void removePolicy(String str, AccessControlPolicy accessControlPolicy) throws AccessControlException, PathNotFoundException, RepositoryException {
        checkProtectsNode(str);
        checkValidPolicy(str, accessControlPolicy);
        NodeImpl acNode = getAcNode(str);
        if (!isAccessControlled(acNode) || !createTemplate(acNode).equals(accessControlPolicy)) {
            throw new AccessControlException("Policy " + accessControlPolicy + " does not apply to " + str);
        }
        removeItem(acNode.getNode(N_POLICY));
    }

    private NodeImpl getAcNode(String str) throws PathNotFoundException, RepositoryException {
        if (Text.isDescendant(this.acRootPath, str)) {
            return (NodeImpl) this.session.getNode(str);
        }
        return null;
    }

    private NodeImpl createAcNode(String str) throws RepositoryException {
        Name name;
        NodeImpl addNode;
        String[] explode = Text.explode(str, 47, false);
        StringBuilder sb = new StringBuilder();
        NodeImpl nodeImpl = (NodeImpl) this.session.getRootNode();
        int i = 0;
        while (i < explode.length) {
            if (i > 0) {
                sb.append('/').append(explode[i]);
            }
            Name qName = this.session.getQName(explode[i]);
            if (denotesPrincipalPath(sb.toString())) {
                name = NT_REP_PRINCIPAL_ACCESS_CONTROL;
            } else {
                name = i < explode.length - 1 ? NT_REP_ACCESS_CONTROL : NT_REP_PRINCIPAL_ACCESS_CONTROL;
            }
            if (nodeImpl.hasNode(qName)) {
                NodeImpl node = nodeImpl.getNode(qName);
                if (!node.isNodeType(name)) {
                    throw new RepositoryException("Error while creating access control node: Expected nodetype " + this.session.getJCRName(name) + " below /rep:accessControl, was " + nodeImpl.getPrimaryNodeType().getName() + " instead");
                }
                addNode = node;
            } else {
                addNode = addNode(nodeImpl, qName, name);
            }
            nodeImpl = addNode;
            i++;
        }
        return nodeImpl;
    }

    private boolean denotesPrincipalPath(final String str) {
        if (str == null || str.length() == 0) {
            return false;
        }
        try {
            return this.session.getUserManager().getAuthorizable(new ItemBasedPrincipal() { // from class: org.apache.jackrabbit.core.security.authorization.principalbased.ACLEditor.1
                @Override // org.apache.jackrabbit.api.security.principal.ItemBasedPrincipal
                public String getPath() throws RepositoryException {
                    return str;
                }

                @Override // java.security.Principal
                public String getName() {
                    return Text.getName(str);
                }
            }) != null;
        } catch (RepositoryException e) {
            return false;
        }
    }

    private void checkProtectsNode(String str) throws RepositoryException {
        if (str == null) {
            throw new UnsupportedRepositoryOperationException("JCR-2774");
        }
        if (this.session.nodeExists(str)) {
            NodeImpl nodeImpl = (NodeImpl) this.session.getNode(str);
            if (nodeImpl.isNodeType(NT_REP_ACL) || nodeImpl.isNodeType(NT_REP_ACE)) {
                throw new AccessControlException("Node " + str + " defines ACL or ACE.");
            }
        }
    }

    private void checkValidPolicy(String str, AccessControlPolicy accessControlPolicy) throws AccessControlException {
        if (accessControlPolicy == null || !(accessControlPolicy instanceof ACLTemplate)) {
            throw new AccessControlException("Attempt to set/remove invalid policy " + accessControlPolicy);
        }
        if (!str.equals(((ACLTemplate) accessControlPolicy).getPath())) {
            throw new AccessControlException("Policy " + accessControlPolicy + " is not applicable or does not apply to the node at " + str);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public String getPathToAcNode(Principal principal) throws RepositoryException {
        StringBuffer stringBuffer = new StringBuffer(this.acRootPath);
        if (principal instanceof ItemBasedPrincipal) {
            stringBuffer.append(((ItemBasedPrincipal) principal).getPath());
        } else {
            stringBuffer.append("/");
            stringBuffer.append(Text.escapeIllegalJcrChars(principal.getName()));
        }
        return stringBuffer.toString();
    }

    private Principal getPrincipal(String str) throws RepositoryException {
        String pathName = getPathName(str);
        UserManager userManager = this.session.getUserManager();
        Authorizable authorizable = userManager.getAuthorizable(pathName);
        if (authorizable == null && str.startsWith(this.acRootPath)) {
            final String substring = str.substring(this.acRootPath.length());
            if (substring.indexOf(47, 1) <= 0) {
                return this.session.getPrincipalManager().getPrincipal(Text.getName(substring));
            }
            authorizable = userManager.getAuthorizable(new ItemBasedPrincipal() { // from class: org.apache.jackrabbit.core.security.authorization.principalbased.ACLEditor.2
                @Override // org.apache.jackrabbit.api.security.principal.ItemBasedPrincipal
                public String getPath() throws RepositoryException {
                    return substring;
                }

                @Override // java.security.Principal
                public String getName() {
                    return Text.getName(substring);
                }
            });
        }
        if (authorizable == null) {
            return null;
        }
        return authorizable.getPrincipal();
    }

    private static String getPathName(String str) {
        return Text.unescapeIllegalJcrChars(Text.getName(str));
    }

    private static boolean isAccessControlled(NodeImpl nodeImpl) throws RepositoryException {
        return nodeImpl != null && nodeImpl.isNodeType(NT_REP_PRINCIPAL_ACCESS_CONTROL) && nodeImpl.hasNode(N_POLICY);
    }

    private JackrabbitAccessControlPolicy createTemplate(NodeImpl nodeImpl) throws RepositoryException {
        if (!nodeImpl.isNodeType(NT_REP_PRINCIPAL_ACCESS_CONTROL)) {
            String str = "Unable to edit Access Control at " + nodeImpl.getPath() + ". Expected node of type rep:PrinicipalAccessControl, was " + nodeImpl.getPrimaryNodeType().getName();
            log.debug(str);
            throw new AccessControlException(str);
        }
        Principal principal = getPrincipal(nodeImpl.getPath());
        if (principal == null) {
            String pathName = getPathName(nodeImpl.getPath());
            log.warn("Principal with name " + pathName + " unknown to PrincipalManager.");
            principal = new PrincipalImpl(pathName);
        }
        return new ACLTemplate(principal, nodeImpl);
    }

    protected static Name getUniqueNodeName(Node node, String str) throws RepositoryException {
        if (str == null) {
            str = DEFAULT_ACE_NAME;
        } else {
            try {
                NameParser.checkFormat(str);
            } catch (NameException e) {
                str = DEFAULT_ACE_NAME;
                log.debug("Invalid path name for Permission: " + str + ".");
            }
        }
        int i = 0;
        String str2 = str;
        while (node.hasNode(str2)) {
            str2 = str + i;
            i++;
        }
        return ((SessionImpl) node.getSession()).getQName(str2);
    }
}
