package org.apache.jackrabbit.oak.security.authorization;

import java.security.Principal;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.jcr.security.AccessControlManager;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlImporter;
import org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlManagerImpl;
import org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlValidatorProvider;
import org.apache.jackrabbit.oak.security.authorization.monitor.AuthorizationMonitor;
import org.apache.jackrabbit.oak.security.authorization.monitor.AuthorizationMonitorImpl;
import org.apache.jackrabbit.oak.security.authorization.permission.AllPermissionProviderImpl;
import org.apache.jackrabbit.oak.security.authorization.permission.MountPermissionProvider;
import org.apache.jackrabbit.oak.security.authorization.permission.PermissionHook;
import org.apache.jackrabbit.oak.security.authorization.permission.PermissionProviderImpl;
import org.apache.jackrabbit.oak.security.authorization.permission.PermissionStoreValidatorProvider;
import org.apache.jackrabbit.oak.security.authorization.permission.PermissionUtil;
import org.apache.jackrabbit.oak.security.authorization.permission.PermissionValidatorProvider;
import org.apache.jackrabbit.oak.security.authorization.permission.VersionablePathHook;
import org.apache.jackrabbit.oak.security.authorization.restriction.RestrictionProviderImpl;
import org.apache.jackrabbit.oak.spi.commit.CommitHook;
import org.apache.jackrabbit.oak.spi.commit.MoveTracker;
import org.apache.jackrabbit.oak.spi.commit.ValidatorProvider;
import org.apache.jackrabbit.oak.spi.lifecycle.WorkspaceInitializer;
import org.apache.jackrabbit.oak.spi.mount.MountInfoProvider;
import org.apache.jackrabbit.oak.spi.mount.Mounts;
import org.apache.jackrabbit.oak.spi.security.ConfigurationBase;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.Context;
import org.apache.jackrabbit.oak.spi.security.SecurityConfiguration;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
import org.apache.jackrabbit.oak.spi.xml.ImportBehavior;
import org.apache.jackrabbit.oak.spi.xml.ProtectedItemImporter;
import org.apache.jackrabbit.oak.stats.Monitor;
import org.apache.jackrabbit.oak.stats.StatisticsProvider;
import org.jetbrains.annotations.NotNull;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
import org.osgi.service.metatype.annotations.AttributeDefinition;
import org.osgi.service.metatype.annotations.Designate;
import org.osgi.service.metatype.annotations.ObjectClassDefinition;
import org.osgi.service.metatype.annotations.Option;
import p000slingmockoak.com.google.common.collect.ImmutableList;

@Designate(ocd = Configuration.class)
@Component(service = {AuthorizationConfiguration.class, SecurityConfiguration.class}, property = {"oak.security.name=org.apache.jackrabbit.oak.security.authorization.AuthorizationConfigurationImpl"})
/* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/AuthorizationConfigurationImpl.class */
public class AuthorizationConfigurationImpl extends ConfigurationBase implements AuthorizationConfiguration, ProviderCtx {
    private MountInfoProvider mountInfoProvider;
    private AuthorizationMonitor monitor;

    @ObjectClassDefinition(name = "Apache Jackrabbit Oak AuthorizationConfiguration")
    /* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/AuthorizationConfigurationImpl$Configuration.class */
    @interface Configuration {
        @AttributeDefinition(name = "Jackrabbit 2.x Permissions", description = "Enforce backwards compatible permission validation with respect to the configurable options.", cardinality = 2, options = {@Option(label = "USER_MANAGEMENT", value = "USER_MANAGEMENT"), @Option(label = "REMOVE_NODE", value = "REMOVE_NODE")})
        String permissionsJr2();

        @AttributeDefinition(name = "Import Behavior", description = "Behavior for access control related items upon XML import.", options = {@Option(label = ImportBehavior.NAME_ABORT, value = ImportBehavior.NAME_ABORT), @Option(label = ImportBehavior.NAME_BESTEFFORT, value = ImportBehavior.NAME_BESTEFFORT), @Option(label = ImportBehavior.NAME_IGNORE, value = ImportBehavior.NAME_IGNORE)})
        String importBehavior() default "abort";

        @AttributeDefinition(name = "Readable Paths", description = "Enable full read access to regular nodes and properties at the specified paths irrespective of other policies that may take effective.")
        String[] readPaths() default {"/jcr:system/rep:namespaces", "/jcr:system/jcr:nodeTypes", "/jcr:system/rep:privileges"};

        @AttributeDefinition(name = "Administrative Principals", description = "Allows to specify principals that should be granted full permissions on the complete repository content.", cardinality = 10)
        String[] administrativePrincipals();

        @AttributeDefinition(name = "Ranking", description = "Ranking of this configuration in a setup with multiple authorization configurations.")
        int configurationRanking() default 100;
    }

    public AuthorizationConfigurationImpl() {
        this.mountInfoProvider = Mounts.defaultMountInfoProvider();
        this.monitor = new AuthorizationMonitorImpl(StatisticsProvider.NOOP);
    }

    public AuthorizationConfigurationImpl(@NotNull SecurityProvider securityProvider) {
        super(securityProvider, securityProvider.getParameters(AuthorizationConfiguration.NAME));
        this.mountInfoProvider = Mounts.defaultMountInfoProvider();
        this.monitor = new AuthorizationMonitorImpl(StatisticsProvider.NOOP);
    }

    @Activate
    private void activate(Configuration configuration, Map<String, Object> map) {
        setParameters(ConfigurationParameters.of(map));
    }

    @Override // org.apache.jackrabbit.oak.spi.security.SecurityConfiguration.Default, org.apache.jackrabbit.oak.spi.security.SecurityConfiguration
    @NotNull
    public String getName() {
        return AuthorizationConfiguration.NAME;
    }

    @Override // org.apache.jackrabbit.oak.spi.security.SecurityConfiguration.Default, org.apache.jackrabbit.oak.spi.security.SecurityConfiguration
    @NotNull
    public WorkspaceInitializer getWorkspaceInitializer() {
        return new AuthorizationInitializer(this.mountInfoProvider);
    }

    @Override // org.apache.jackrabbit.oak.spi.security.SecurityConfiguration.Default, org.apache.jackrabbit.oak.spi.security.SecurityConfiguration
    @NotNull
    public List<? extends CommitHook> getCommitHooks(@NotNull String str) {
        return ImmutableList.of((PermissionHook) new VersionablePathHook(str, this), new PermissionHook(str, getRestrictionProvider(), this));
    }

    @Override // org.apache.jackrabbit.oak.spi.security.SecurityConfiguration.Default, org.apache.jackrabbit.oak.spi.security.SecurityConfiguration
    @NotNull
    public List<ValidatorProvider> getValidators(@NotNull String str, @NotNull Set<Principal> set, @NotNull MoveTracker moveTracker) {
        return ImmutableList.of((AccessControlValidatorProvider) new PermissionStoreValidatorProvider(), (AccessControlValidatorProvider) new PermissionValidatorProvider(str, set, moveTracker, this), new AccessControlValidatorProvider(this));
    }

    @Override // org.apache.jackrabbit.oak.spi.security.SecurityConfiguration.Default, org.apache.jackrabbit.oak.spi.security.SecurityConfiguration
    @NotNull
    public List<ProtectedItemImporter> getProtectedItemImporters() {
        return ImmutableList.of(new AccessControlImporter());
    }

    @Override // org.apache.jackrabbit.oak.spi.security.SecurityConfiguration.Default, org.apache.jackrabbit.oak.spi.security.SecurityConfiguration
    @NotNull
    public Context getContext() {
        return AuthorizationContext.getInstance();
    }

    @Override // org.apache.jackrabbit.oak.spi.security.SecurityConfiguration
    @NotNull
    public Iterable<Monitor<?>> getMonitors(@NotNull StatisticsProvider statisticsProvider) {
        this.monitor = new AuthorizationMonitorImpl(statisticsProvider);
        return Collections.singleton(this.monitor);
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration
    @NotNull
    public AccessControlManager getAccessControlManager(@NotNull Root root, @NotNull NamePathMapper namePathMapper) {
        return new AccessControlManagerImpl(root, namePathMapper, getSecurityProvider());
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration
    @NotNull
    public RestrictionProvider getRestrictionProvider() {
        RestrictionProvider restrictionProvider = (RestrictionProvider) getParameters().getConfigValue(AccessControlConstants.PARAM_RESTRICTION_PROVIDER, null, RestrictionProvider.class);
        if (restrictionProvider == null) {
            restrictionProvider = new RestrictionProviderImpl();
        }
        return restrictionProvider;
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration
    @NotNull
    public PermissionProvider getPermissionProvider(@NotNull Root root, @NotNull String str, @NotNull Set<Principal> set) {
        Context context = ((AuthorizationConfiguration) getSecurityProvider().getConfiguration(AuthorizationConfiguration.class)).getContext();
        return PermissionUtil.isAdminOrSystem(set, getParameters()) ? new AllPermissionProviderImpl(root, this) : this.mountInfoProvider.hasNonDefaultMounts() ? new MountPermissionProvider(root, str, set, getRestrictionProvider(), getParameters(), context, this) : new PermissionProviderImpl(root, str, set, getRestrictionProvider(), getParameters(), context, this);
    }

    @Override // org.apache.jackrabbit.oak.security.authorization.ProviderCtx
    @NotNull
    public MountInfoProvider getMountInfoProvider() {
        return this.mountInfoProvider;
    }

    @Override // org.apache.jackrabbit.oak.security.authorization.ProviderCtx
    @NotNull
    public AuthorizationMonitor getMonitor() {
        return this.monitor;
    }

    @Reference(name = "mountInfoProvider", cardinality = ReferenceCardinality.MANDATORY)
    public void bindMountInfoProvider(MountInfoProvider mountInfoProvider) {
        this.mountInfoProvider = mountInfoProvider;
    }

    public void unbindMountInfoProvider(MountInfoProvider mountInfoProvider) {
        this.mountInfoProvider = null;
    }
}
