package offset.nodes.server.model.security;

import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Comparator;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Stack;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.jcr.AccessDeniedException;
import javax.jcr.Item;
import javax.jcr.Node;
import javax.jcr.NodeIterator;
import javax.jcr.PathNotFoundException;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.observation.Event;
import javax.jcr.observation.EventIterator;
import javax.jcr.observation.EventListener;
import offset.nodes.Constants;
import offset.nodes.client.model.SimpleNamespaceRegistry;
import offset.nodes.client.virtual.model.jcr.QName;
import offset.nodes.server.model.RepositoryStartupExtension;
import offset.nodes.server.model.XPathQuery;
import offset.nodes.server.search.model.DistinctNodeIterator;
import org.apache.jackrabbit.api.jsr283.security.AccessControlPolicy;
import org.apache.jackrabbit.api.jsr283.security.Privilege;
import org.apache.jackrabbit.core.ItemId;
import org.apache.jackrabbit.core.security.AMContext;
import org.apache.jackrabbit.core.security.AbstractAccessControlManager;
import org.apache.jackrabbit.core.security.AccessManager;
import org.apache.jackrabbit.core.security.AnonymousPrincipal;
import org.apache.jackrabbit.core.security.SystemPrincipal;
import org.apache.jackrabbit.core.security.authorization.AccessControlProvider;
import org.apache.jackrabbit.core.security.authorization.NamedAccessControlPolicyImpl;
import org.apache.jackrabbit.core.security.authorization.PrivilegeRegistry;
import org.apache.jackrabbit.core.security.authorization.WorkspaceAccessManager;
import org.apache.jackrabbit.spi.Name;
import org.apache.jackrabbit.spi.Path;
import org.apache.jackrabbit.spi.commons.name.NameFactoryImpl;
import org.apache.jackrabbit.spi.commons.name.PathFactoryImpl;

/* loaded from: input_file:WEB-INF/lib/core-lib-1.0-SNAPSHOT.jar:offset/nodes/server/model/security/PathAccessManager.class */
public class PathAccessManager extends AbstractAccessControlManager implements AccessManager {
    private AMContext context;
    private WorkspaceAccessManager wspAccessMgr;
    private PrivilegeRegistry privilegeRegistry;
    Session systemSession;
    UserNodePrincipal user;
    Node[] roles;
    CondensedACE[] accessControlEntries;
    private static final AccessControlPolicy POLICY = new NamedAccessControlPolicyImpl("Simple AccessControlPolicy");
    static PathAccessManager instance = null;
    static HashMap<String, Integer> permissionMappings = new HashMap<>();
    HashMap<Integer, ACNode> permissionRoots = new HashMap<>();
    PermissionsCache permissionsCache = new PermissionsCache();
    private boolean initialized = false;
    private boolean anonymous = false;
    private boolean system = false;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:WEB-INF/lib/core-lib-1.0-SNAPSHOT.jar:offset/nodes/server/model/security/PathAccessManager$ACNode.class */
    public class ACNode {
        Boolean granted;
        int level;
        Path path;
        HashMap<Path.Element, ACNode> children = new HashMap<>();

        public ACNode(Path path, int i, Boolean bool) {
            this.path = path;
            this.granted = bool;
            this.level = i;
        }

        public void addNode(Path path, boolean z) throws RepositoryException {
            if (path.equals(getPath())) {
                this.granted = new Boolean(z);
                return;
            }
            ACNode aCNode = this;
            ACNode aCNode2 = null;
            while (aCNode != null) {
                aCNode2 = aCNode.getChild(path);
                if (aCNode2 == null) {
                    ACNode aCNode3 = new ACNode(path.subPath(aCNode.getLevel() + aCNode.getPath().getLength(), path.getLength()), aCNode.getLevel() + aCNode.getPath().getLength(), new Boolean(z));
                    aCNode.getChildren().put(aCNode3.getPath().getElements()[0], aCNode3);
                    return;
                } else if (!aCNode2.subPathMatches(path)) {
                    break;
                } else {
                    aCNode = aCNode2;
                }
            }
            int i = 0;
            for (int i2 = 0; i2 < path.getLength() - aCNode2.getLevel() && i2 < aCNode2.getPath().getLength() && aCNode2.getPath().getElements()[i2].equals(path.getElements()[i2 + aCNode2.getLevel()]); i2++) {
                i = i2 + 1;
            }
            if (path.getLength() <= i + aCNode2.getLevel()) {
                ACNode aCNode4 = new ACNode(aCNode2.getPath().subPath(i, aCNode2.getPath().getLength()), aCNode2.getLevel() + i, aCNode2.getGranted());
                aCNode4.getChildren().putAll(aCNode2.getChildren());
                aCNode2.getChildren().clear();
                ACNode aCNode5 = aCNode2;
                aCNode5.setGranted(Boolean.valueOf(z));
                aCNode5.setPath(aCNode2.getPath().subPath(0, i));
                aCNode5.getChildren().put(aCNode4.getPath().getNameElement(), aCNode4);
                return;
            }
            ACNode aCNode6 = new ACNode(aCNode2.getPath().subPath(i, aCNode2.getPath().getLength()), aCNode2.getLevel() + i, aCNode2.getGranted());
            aCNode6.getChildren().putAll(aCNode2.getChildren());
            aCNode2.getChildren().clear();
            ACNode aCNode7 = new ACNode(path.subPath(aCNode2.getLevel() + i, path.getLength()), aCNode2.getLevel() + i, Boolean.valueOf(z));
            ACNode aCNode8 = aCNode2;
            aCNode8.setPath(aCNode2.getPath().subPath(0, i));
            aCNode8.setGranted(null);
            aCNode8.getChildren().put(aCNode6.getPath().getNameElement(), aCNode6);
            aCNode8.getChildren().put(aCNode7.getPath().getNameElement(), aCNode7);
        }

        protected HashMap<Path.Element, ACNode> getChildren() {
            return this.children;
        }

        public ACNode nextNode(Path path) {
            ACNode child = getChild(path);
            if (child != null && child.subPathMatches(path)) {
                return child;
            }
            return null;
        }

        public ACNode getChild(Path path) {
            if (path.getLength() <= this.level + this.path.getLength()) {
                return null;
            }
            return this.children.get(path.getElements()[this.level + this.path.getLength()]);
        }

        public boolean hasChildren() {
            return this.children.size() > 0;
        }

        public boolean subPathMatches(Path path) {
            Path.Element[] elements = this.path.getElements();
            if (this.path.getLength() > path.getLength() - this.level) {
                return false;
            }
            for (int i = 1; i < this.path.getLength() && i + this.level < path.getLength(); i++) {
                if (!elements[i].equals(path.getElements()[i + this.level])) {
                    return false;
                }
            }
            return true;
        }

        public Boolean getGranted() {
            return this.granted;
        }

        public void setGranted(Boolean bool) {
            this.granted = bool;
        }

        public int getLevel() {
            return this.level;
        }

        public void setLevel(int i) {
            this.level = i;
        }

        public Path getPath() {
            return this.path;
        }

        public void setPath(Path path) {
            this.path = path;
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:WEB-INF/lib/core-lib-1.0-SNAPSHOT.jar:offset/nodes/server/model/security/PathAccessManager$CondensedACE.class */
    public class CondensedACE {
        SimpleNamespaceRegistry namespaces = SimpleNamespaceRegistry.getInstance();
        public int permission;
        public boolean granted;
        public Path path;

        public CondensedACE(int i, boolean z, String str) {
            this.permission = i;
            this.granted = z;
            this.path = toPath(str);
        }

        public boolean isGranted() {
            return this.granted;
        }

        public void setGranted(boolean z) {
            this.granted = z;
        }

        public Path getPath() {
            return this.path;
        }

        public String getManagedNodePathString() throws IllegalArgumentException, RepositoryException {
            return getPathString(this.path);
        }

        protected String getPathString(Path path) {
            StringBuffer stringBuffer = new StringBuffer();
            for (int i = 0; i < path.getElements().length; i++) {
                Path.Element element = path.getElements()[i];
                if (i > 0) {
                    stringBuffer.append("/");
                }
                stringBuffer.append(this.namespaces.toPrefixName(new QName(element.getName().getNamespaceURI(), element.getName().getLocalName())));
                if (element.getIndex() > 0) {
                    stringBuffer.append("[" + element.getIndex() + "]");
                }
            }
            return stringBuffer.toString();
        }

        public int getPermission() {
            return this.permission;
        }

        protected Path toPath(String str) {
            String str2;
            String[] split = str.split("/");
            Path.Element[] elementArr = new Path.Element[split.length];
            for (int i = 0; i < split.length; i++) {
                String str3 = split[i];
                int i2 = -1;
                String str4 = "";
                if (str3.indexOf("[") > 0) {
                    int indexOf = str3.indexOf("[");
                    i2 = Integer.valueOf(str3.substring(indexOf + 1, str3.indexOf("]"))).intValue();
                    str3 = str3.substring(0, indexOf);
                }
                if (str3.indexOf(":") > 0) {
                    String[] split2 = str3.split(":");
                    str4 = this.namespaces.getURI(split2[0]);
                    str2 = split2[1];
                } else {
                    str2 = str3;
                }
                elementArr[i] = i2 < 0 ? PathFactoryImpl.getInstance().createElement(NameFactoryImpl.getInstance().create(str4, str2)) : PathFactoryImpl.getInstance().createElement(NameFactoryImpl.getInstance().create(str4, str2), i2);
            }
            return PathFactoryImpl.getInstance().create(elementArr);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:WEB-INF/lib/core-lib-1.0-SNAPSHOT.jar:offset/nodes/server/model/security/PathAccessManager$PathAccessManagerStartupExtension.class */
    public class PathAccessManagerStartupExtension implements RepositoryStartupExtension, EventListener {
        PathAccessManagerStartupExtension() {
        }

        @Override // offset.nodes.server.model.RepositoryStartupExtension
        public void onStartup(Session session) {
            try {
                session.getWorkspace().getObservationManager().addEventListener(this, 31, "/", true, null, new String[]{Constants.TYPENAME_ACCESS_CONTROL_ENTRY, "nodes:role"}, true);
            } catch (RepositoryException e) {
                Logger.getLogger(PathAccessManager.class.getName()).log(Level.SEVERE, (String) null, (Throwable) e);
            }
        }

        @Override // javax.jcr.observation.EventListener
        public void onEvent(EventIterator eventIterator) {
            try {
                boolean z = false;
                HashSet hashSet = new HashSet();
                while (!z && eventIterator.hasNext()) {
                    Event nextEvent = eventIterator.nextEvent();
                    if (nextEvent.getType() == 2 || nextEvent.getType() == 8) {
                        z = true;
                        break;
                    }
                    Item item = PathAccessManager.this.systemSession.getItem(nextEvent.getPath());
                    Node parent = item.isNode() ? (Node) item : item.getParent();
                    if (parent.isNodeType(Constants.TYPENAME_ACCESS_CONTROL_ENTRY)) {
                        z = accessControlEntryChanged(nextEvent, parent);
                        hashSet.add(parent.getPath());
                    } else if (parent.isNodeType("nodes:role")) {
                        z = true;
                        hashSet.add(parent.getPath());
                    }
                }
                if (z) {
                    PathAccessManager.this.invalidate();
                }
            } catch (RepositoryException e) {
                Logger.getLogger(PathAccessManager.class.getName()).log(Level.SEVERE, (String) null, (Throwable) e);
            }
        }

        protected boolean accessControlEntryChanged(Event event, Node node) throws RepositoryException {
            for (int i = 0; i < PathAccessManager.this.accessControlEntries.length; i++) {
                if (PathAccessManager.this.accessControlEntries[i].getManagedNodePathString().equals(event.getPath())) {
                    return true;
                }
            }
            String str = null;
            NodeIterator nodes = node.getNodes();
            while (true) {
                if (!nodes.hasNext()) {
                    break;
                }
                Node nextNode = nodes.nextNode();
                if (!nextNode.getName().equals(Constants.TYPENAME_PRIVILEGES)) {
                    str = nextNode.getProperty(Constants.PROP_REFERENCE).getString();
                    break;
                }
            }
            for (int i2 = 0; i2 < PathAccessManager.this.roles.length; i2++) {
                if (PathAccessManager.this.roles[i2].getUUID().equals(str)) {
                    return true;
                }
            }
            return PathAccessManager.this.user.getUser().getUUID().equals(str);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:WEB-INF/lib/core-lib-1.0-SNAPSHOT.jar:offset/nodes/server/model/security/PathAccessManager$PermissionsCache.class */
    public class PermissionsCache {
        HashMap<Integer, HashMap<ItemId, Boolean>> caches = new HashMap<>();
        CacheStorage cacheStorage = new CacheStorage();

        /* JADX INFO: Access modifiers changed from: package-private */
        /* loaded from: input_file:WEB-INF/lib/core-lib-1.0-SNAPSHOT.jar:offset/nodes/server/model/security/PathAccessManager$PermissionsCache$CacheStorage.class */
        public class CacheStorage {
            public static final int MAX_CACHE = 500;
            CacheEntry[] entries = new CacheEntry[500];
            int size = 0;
            int start = 0;
            int end = 0;

            /* JADX INFO: Access modifiers changed from: package-private */
            /* loaded from: input_file:WEB-INF/lib/core-lib-1.0-SNAPSHOT.jar:offset/nodes/server/model/security/PathAccessManager$PermissionsCache$CacheStorage$CacheEntry.class */
            public class CacheEntry {
                ItemId id;
                int permission;

                public CacheEntry(ItemId itemId, int i) {
                    this.id = itemId;
                    this.permission = i;
                }

                public ItemId getId() {
                    return this.id;
                }

                public int getPermission() {
                    return this.permission;
                }
            }

            CacheStorage() {
            }

            protected void remove() {
                PermissionsCache.this.caches.get(Integer.valueOf(this.entries[this.start].getPermission())).remove(this.entries[this.start].getId());
                this.start++;
                if (this.start >= 500) {
                    this.start = 0;
                }
                this.size--;
            }

            public void add(ItemId itemId, int i) {
                if (this.size + 1 > 500) {
                    remove();
                }
                if (this.size > 0 && this.entries[this.start].getId().equals(itemId)) {
                    remove();
                }
                CacheEntry[] cacheEntryArr = this.entries;
                int i2 = this.end;
                this.end = i2 + 1;
                cacheEntryArr[i2] = new CacheEntry(itemId, i);
                if (this.end >= 500) {
                    this.end = 0;
                }
                this.size++;
            }
        }

        public PermissionsCache() {
            this.caches.put(new Integer(1), new HashMap<>());
            this.caches.put(new Integer(2), new HashMap<>());
            this.caches.put(new Integer(4), new HashMap<>());
        }

        public Boolean hasPermissions(ItemId itemId, int i) {
            Iterator<Integer> it = PathAccessManager.permissionMappings.values().iterator();
            while (it.hasNext()) {
                int intValue = it.next().intValue();
                int i2 = i & intValue;
                if (i2 > 0) {
                    Boolean bool = this.caches.get(new Integer(intValue)).get(itemId);
                    if (bool == null || !bool.booleanValue()) {
                        return bool;
                    }
                    if (i2 == i) {
                        break;
                    }
                }
            }
            return new Boolean(true);
        }

        public void addPermission(ItemId itemId, int i, boolean z) {
            this.cacheStorage.add(itemId, i);
            this.caches.get(Integer.valueOf(i)).put(itemId, new Boolean(z));
        }
    }

    @Override // org.apache.jackrabbit.core.security.AccessManager
    public void init(AMContext aMContext) throws AccessDeniedException, Exception {
        init(aMContext, null, null);
    }

    @Override // org.apache.jackrabbit.core.security.AccessManager
    public void init(AMContext aMContext, AccessControlProvider accessControlProvider, WorkspaceAccessManager workspaceAccessManager) throws AccessDeniedException, Exception {
        if (this.initialized) {
            throw new IllegalStateException("already initialized");
        }
        this.context = aMContext;
        this.privilegeRegistry = new PrivilegeRegistry(aMContext.getNamePathResolver());
        this.wspAccessMgr = workspaceAccessManager;
        this.anonymous = !aMContext.getSubject().getPrincipals(AnonymousPrincipal.class).isEmpty();
        this.system = !aMContext.getSubject().getPrincipals(SystemPrincipal.class).isEmpty();
        this.systemSession = PasswordLoginModule.getSystemSession();
        this.initialized = true;
        if (!canAccess(aMContext.getWorkspaceName())) {
            throw new AccessDeniedException("Not allowed to access Workspace " + aMContext.getWorkspaceName());
        }
        Principal principal = (Principal) aMContext.getSubject().getPrincipals().toArray()[0];
        if (principal instanceof UserNodePrincipal) {
            this.user = (UserNodePrincipal) principal;
            initAccessControl();
            new PathAccessManagerStartupExtension().onStartup(this.systemSession);
        }
    }

    protected void invalidate() throws RepositoryException {
        this.permissionRoots = new HashMap<>();
        this.permissionsCache = new PermissionsCache();
        initAccessControl();
    }

    protected void initAccessControl() throws RepositoryException {
        this.roles = readAllRolesOfUser(this.user);
        this.accessControlEntries = condenseACENodes(readACENodes(this.roles, this.user));
        for (CondensedACE condensedACE : this.accessControlEntries) {
            getPermissionRoot(condensedACE.getPermission()).addNode(condensedACE.getPath(), condensedACE.isGranted());
        }
    }

    protected Node[] readAllRolesOfUser(UserNodePrincipal userNodePrincipal) throws RepositoryException {
        DistinctNodeIterator distinctNodeIterator = new DistinctNodeIterator(new XPathQuery(this.systemSession).executeQuery("/jcr:root//element(*, nodes:role)[@nodes:user='" + userNodePrincipal.getUser().getUUID() + "']"));
        Node[] nodeArr = new Node[(int) distinctNodeIterator.getSize()];
        int i = 0;
        while (distinctNodeIterator.hasNext()) {
            nodeArr[i] = distinctNodeIterator.nextNode();
            i++;
        }
        return nodeArr;
    }

    protected Node[] readACENodes(Node[] nodeArr, UserNodePrincipal userNodePrincipal) throws RepositoryException {
        XPathQuery xPathQuery = new XPathQuery(this.systemSession);
        StringBuffer stringBuffer = new StringBuffer("/jcr:root//nodes:accessControlEntry/element(*, nodes:principal)[@nodes:reference='" + userNodePrincipal.getUser().getUUID() + "'");
        for (Node node : nodeArr) {
            stringBuffer.append(" or @nodes:reference='" + node.getUUID() + "'");
        }
        stringBuffer.append("]");
        NodeIterator executeQuery = xPathQuery.executeQuery(stringBuffer.toString());
        Node[] nodeArr2 = new Node[(int) executeQuery.getSize()];
        int i = 0;
        while (executeQuery.hasNext()) {
            nodeArr2[i] = executeQuery.nextNode().getParent();
            i++;
        }
        return nodeArr2;
    }

    protected CondensedACE[] condenseACENodes(Node[] nodeArr) throws RepositoryException {
        Arrays.sort(nodeArr, new Comparator() { // from class: offset.nodes.server.model.security.PathAccessManager.1
            @Override // java.util.Comparator
            public int compare(Object obj, Object obj2) {
                try {
                    Node node = (Node) obj;
                    Node node2 = (Node) obj2;
                    if (node.getParent().getParent().getPath().equals(node2.getParent().getParent().getPath())) {
                        return node.getPath().compareTo(node2.getPath());
                    }
                    String[] split = node.getParent().getParent().getPath().split("/");
                    String[] split2 = node2.getParent().getParent().getPath().split("/");
                    int min = Math.min(split.length, split2.length);
                    for (int i = 0; i < min; i++) {
                        int compareTo = split[i].compareTo(split2[i]);
                        if (compareTo != 0) {
                            return compareTo;
                        }
                    }
                    return split.length - split2.length;
                } catch (RepositoryException e) {
                    Logger.getLogger(PathAccessManager.class.getName()).log(Level.SEVERE, (String) null, (Throwable) e);
                    return 0;
                }
            }
        });
        HashMap hashMap = new HashMap();
        int i = 0;
        HashMap hashMap2 = new HashMap();
        for (Node node : nodeArr) {
            NodeIterator nodes = node.getNode(Constants.TYPENAME_PRIVILEGES).getNodes();
            while (nodes.hasNext()) {
                Node nextNode = nodes.nextNode();
                Integer num = permissionMappings.get(nextNode.getName());
                if (num != null) {
                    Stack stack = (Stack) hashMap2.get(num);
                    if (stack == null) {
                        stack = new Stack();
                        hashMap2.put(num, stack);
                    }
                    String path = node.getParent().getParent().getPath();
                    while (stack.size() > 0 && !(path + "/").startsWith(((CondensedACE) stack.peek()).getManagedNodePathString() + "/")) {
                        stack.pop();
                    }
                    boolean equals = nextNode.getProperty(Constants.PROP_PRESENCE).getString().equals(Constants.VALUE_GRANTED);
                    boolean isUserRole = isUserRole(node);
                    if (equals || isUserRole) {
                        if (equals && !isUserRole) {
                            equals = false;
                        }
                        if (stack.size() <= 0 || ((CondensedACE) stack.peek()).isGranted() != equals) {
                            CondensedACE condensedACE = null;
                            ArrayList arrayList = (ArrayList) hashMap.get(num);
                            if (stack.size() > 0 && ((CondensedACE) stack.peek()).getManagedNodePathString().equals(path)) {
                                condensedACE = (CondensedACE) stack.peek();
                            }
                            if (condensedACE == null) {
                                if (arrayList == null) {
                                    arrayList = new ArrayList();
                                    hashMap.put(num, arrayList);
                                }
                                condensedACE = new CondensedACE(num.intValue(), equals, path);
                                arrayList.add(condensedACE);
                                i++;
                            } else {
                                condensedACE.setGranted(equals);
                            }
                            stack.push(condensedACE);
                        }
                    }
                }
            }
        }
        CondensedACE[] condensedACEArr = new CondensedACE[i];
        int i2 = 0;
        Iterator it = hashMap.values().iterator();
        while (it.hasNext()) {
            Iterator it2 = ((ArrayList) it.next()).iterator();
            while (it2.hasNext()) {
                int i3 = i2;
                i2++;
                condensedACEArr[i3] = (CondensedACE) it2.next();
            }
        }
        return condensedACEArr;
    }

    public ACNode getPermissionRoot(int i) throws RepositoryException {
        ACNode aCNode = this.permissionRoots.get(Integer.valueOf(i));
        if (aCNode == null) {
            aCNode = new ACNode(PathFactoryImpl.getInstance().create("{}"), 0, new Boolean(true));
            this.permissionRoots.put(new Integer(i), aCNode);
        }
        return aCNode;
    }

    @Override // org.apache.jackrabbit.core.security.AccessManager
    public synchronized void close() throws Exception {
        checkInitialized();
        this.initialized = false;
    }

    @Override // org.apache.jackrabbit.core.security.AccessManager
    public void checkPermission(ItemId itemId, int i) throws AccessDeniedException, RepositoryException {
        if (!isGranted(itemId, i)) {
            throw new AccessDeniedException("Access denied");
        }
    }

    @Override // org.apache.jackrabbit.core.security.AccessManager
    public boolean isGranted(ItemId itemId, int i) throws RepositoryException {
        checkInitialized();
        Boolean hasPermissions = this.permissionsCache.hasPermissions(itemId, i);
        return hasPermissions != null ? hasPermissions.booleanValue() : isGranted(itemId, this.context.getHierarchyManager().getPath(itemId), i);
    }

    @Override // org.apache.jackrabbit.core.security.AccessManager
    public boolean isGranted(Path path, Name name, int i) throws RepositoryException {
        return isGranted(path, i);
    }

    @Override // org.apache.jackrabbit.core.security.AccessManager
    public boolean canRead(Path path) throws RepositoryException {
        return isGranted(path, 1);
    }

    @Override // org.apache.jackrabbit.core.security.AccessManager
    public boolean isGranted(Path path, int i) throws RepositoryException {
        return isGranted((ItemId) null, path, i);
    }

    public boolean isGranted(ItemId itemId, Path path, int i) throws RepositoryException {
        if (!path.isAbsolute()) {
            throw new RepositoryException("Absolute path expected");
        }
        checkInitialized();
        if (this.system) {
            return true;
        }
        Iterator<Integer> it = permissionMappings.values().iterator();
        while (it.hasNext()) {
            int intValue = it.next().intValue();
            int i2 = i & intValue;
            if (i2 > 0) {
                boolean permissionGranted = permissionGranted(getPermissionRoot(intValue), path);
                if (itemId != null) {
                    this.permissionsCache.addPermission(itemId, i2, permissionGranted);
                }
                if (!permissionGranted) {
                    return false;
                }
            }
        }
        return true;
    }

    protected boolean isUserRole(Node node) throws RepositoryException {
        NodeIterator nodes = node.getNodes();
        Node node2 = null;
        while (true) {
            if (!nodes.hasNext()) {
                break;
            }
            Node nextNode = nodes.nextNode();
            if (!nextNode.getName().equals(Constants.TYPENAME_PRIVILEGES)) {
                node2 = nextNode;
                break;
            }
        }
        if (node2 == null) {
            return false;
        }
        String string = node2.getProperty(Constants.PROP_REFERENCE).getString();
        for (int i = 0; i < this.roles.length; i++) {
            if (this.roles[i].getUUID().equals(string)) {
                return true;
            }
        }
        return false;
    }

    protected boolean permissionGranted(ACNode aCNode, Path path) {
        ACNode aCNode2;
        ACNode aCNode3 = aCNode;
        while (true) {
            aCNode2 = aCNode3;
            if ((aCNode2.getGranted() != null && !aCNode2.getGranted().booleanValue()) || !aCNode2.hasChildren()) {
                break;
            }
            ACNode nextNode = aCNode2.nextNode(path);
            if (nextNode == null) {
                break;
            }
            aCNode3 = nextNode;
        }
        return aCNode2.getGranted() == null || aCNode2.getGranted().booleanValue();
    }

    @Override // org.apache.jackrabbit.core.security.AccessManager
    public boolean canAccess(String str) throws RepositoryException {
        if (this.system || this.wspAccessMgr == null) {
            return true;
        }
        return this.wspAccessMgr.grants(this.context.getSubject().getPrincipals(), str);
    }

    @Override // org.apache.jackrabbit.api.jsr283.security.AccessControlManager
    public boolean hasPrivileges(String str, Privilege[] privilegeArr) throws PathNotFoundException, RepositoryException {
        checkInitialized();
        checkValidNodePath(str);
        if (privilegeArr == null || privilegeArr.length == 0) {
            return true;
        }
        PrivilegeRegistry privilegeRegistry = this.privilegeRegistry;
        return this.system || !this.anonymous || PrivilegeRegistry.getBits(privilegeArr) == 1;
    }

    @Override // org.apache.jackrabbit.api.jsr283.security.AccessControlManager
    public Privilege[] getPrivileges(String str) throws PathNotFoundException, RepositoryException {
        checkInitialized();
        checkValidNodePath(str);
        return this.anonymous ? this.privilegeRegistry.getPrivileges(1) : this.system ? this.privilegeRegistry.getPrivileges(127) : this.privilegeRegistry.getPrivileges(127);
    }

    @Override // org.apache.jackrabbit.api.jsr283.security.AccessControlManager
    public AccessControlPolicy[] getEffectivePolicies(String str) throws PathNotFoundException, AccessDeniedException, RepositoryException {
        checkInitialized();
        checkPrivileges(str, 32);
        return new AccessControlPolicy[]{POLICY};
    }

    @Override // org.apache.jackrabbit.core.security.AbstractAccessControlManager
    protected void checkInitialized() throws IllegalStateException {
        if (!this.initialized) {
            throw new IllegalStateException("not initialized");
        }
    }

    @Override // org.apache.jackrabbit.core.security.AbstractAccessControlManager
    protected void checkPrivileges(String str, int i) throws AccessDeniedException, PathNotFoundException, RepositoryException {
        checkValidNodePath(str);
        if (this.anonymous && i != 1) {
            throw new AccessDeniedException("Anonymous may only READ.");
        }
    }

    @Override // org.apache.jackrabbit.core.security.AbstractAccessControlManager
    protected PrivilegeRegistry getPrivilegeRegistry() throws RepositoryException {
        checkInitialized();
        return this.privilegeRegistry;
    }

    @Override // org.apache.jackrabbit.core.security.AbstractAccessControlManager
    protected void checkValidNodePath(String str) throws PathNotFoundException, RepositoryException {
        Path qPath = this.context.getNamePathResolver().getQPath(str);
        if (!qPath.isAbsolute()) {
            throw new RepositoryException("Absolute path expected. Found: " + str);
        }
        if (this.context.getHierarchyManager().resolveNodePath(qPath) == null) {
            throw new PathNotFoundException(str);
        }
    }

    static {
        permissionMappings.put("read", new Integer(1));
        permissionMappings.put(Constants.PRIVILEGE_ADD_NODE, new Integer(4));
        permissionMappings.put(Constants.PRIVILEGE_REMOVE_NODE, new Integer(8));
        permissionMappings.put("setProperty", new Integer(2));
        permissionMappings.put(Constants.PRIVILEGE_REMOVE_PROPERTY, new Integer(16));
    }
}
