package org.apache.jackrabbit.core.security.authorization.acl;

import java.security.Principal;
import java.util.Collections;
import java.util.Map;
import java.util.UUID;
import javax.jcr.AccessDeniedException;
import javax.jcr.Node;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.core.security.TestPrincipal;
import org.apache.jackrabbit.core.security.authorization.AbstractWriteTest;
import org.apache.jackrabbit.core.security.authorization.AccessControlConstants;
import org.apache.jackrabbit.core.security.principal.EveryonePrincipal;
import org.apache.jackrabbit.test.NotExecutableException;

/* loaded from: input_file:org/apache/jackrabbit/core/security/authorization/acl/WriteTest.class */
public class WriteTest extends AbstractWriteTest {
    @Override // org.apache.jackrabbit.core.security.authorization.AbstractEvaluationTest
    protected boolean isExecutable() {
        return EvaluationUtil.isExecutable(this.acMgr);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.jackrabbit.core.security.authorization.AbstractEvaluationTest
    public JackrabbitAccessControlList getPolicy(AccessControlManager accessControlManager, String str, Principal principal) throws RepositoryException, AccessDeniedException, NotExecutableException {
        return EvaluationUtil.getPolicy(accessControlManager, str, principal);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.jackrabbit.core.security.authorization.AbstractEvaluationTest
    public Map<String, Value> getRestrictions(Session session, String str) {
        return Collections.emptyMap();
    }

    public void testAccessControlModification2() throws RepositoryException, NotExecutableException {
        checkReadOnly(this.path);
        assertTrue(this.superuser.itemExists(givePrivileges(this.path, privilegesFromNames(new String[]{"{http://www.jcp.org/jcr/1.0}readAccessControl", "{http://www.jcp.org/jcr/1.0}modifyAccessControl"}), getRestrictions(this.superuser, this.path)).getPath() + "/rep:policy"));
        Session testSession = getTestSession();
        AccessControlManager testACManager = getTestACManager();
        assertTrue(testACManager.hasPrivileges(this.path, privilegesFromName("{http://www.jcp.org/jcr/1.0}modifyAccessControl")));
        AccessControlPolicy[] policies = testACManager.getPolicies(this.path);
        testACManager.getPolicies(this.childNPath);
        try {
            testACManager.getPolicies(this.siblingPath);
            fail("READ_AC privilege must not apply outside of the tree it has applied to.");
        } catch (AccessDeniedException e) {
        }
        try {
            testACManager.setPolicy(this.siblingPath, policies[0]);
            fail("MODIFY_AC privilege must not apply outside of the tree it has applied to.");
        } catch (AccessDeniedException e2) {
        }
        ACLTemplate aCLTemplate = (ACLTemplate) policies[0];
        aCLTemplate.addAccessControlEntry(this.testUser.getPrincipal(), privilegesFromName("{internal}write"));
        testACManager.setPolicy(this.path, aCLTemplate);
        testSession.save();
        assertTrue(testACManager.hasPrivileges(this.path, privilegesFromName("{http://www.jcp.org/jcr/1.0}removeChildNodes")));
        testACManager.removePolicy(this.path, policies[0]);
        testSession.save();
        try {
            testACManager.getEffectivePolicies(this.childNPath);
            fail("READ_AC privilege has been revoked -> must throw again.");
        } catch (AccessDeniedException e3) {
        }
        checkReadOnly(this.path);
    }

    public void testRemovePermission9() throws NotExecutableException, RepositoryException {
        AccessControlManager testACManager = getTestACManager();
        checkReadOnly(this.path);
        checkReadOnly(this.childNPath);
        Privilege[] privilegesFromName = privilegesFromName("{http://www.jcp.org/jcr/1.0}removeChildNodes");
        Privilege[] privilegesFromName2 = privilegesFromName("{http://www.jcp.org/jcr/1.0}removeNode");
        givePrivileges(this.path, privilegesFromName, getRestrictions(this.superuser, this.path));
        givePrivileges(this.childNPath, privilegesFromName2, getRestrictions(this.superuser, this.childNPath));
        String str = this.childNPath + "/rep:policy";
        assertFalse(getTestSession().hasPermission(str, "remove"));
        assertTrue(testACManager.hasPrivileges(str, new Privilege[]{privilegesFromName[0], privilegesFromName2[0]}));
    }

    public void testApplicablePolicies() throws RepositoryException {
        assertTrue(this.acMgr.getApplicablePolicies(this.childNPath).hasNext());
        this.superuser.getItem(this.childNPath).addMixin(this.superuser.getJCRName(AccessControlConstants.NT_REP_ACCESS_CONTROLLABLE));
        assertTrue(this.acMgr.getApplicablePolicies(this.childNPath).hasNext());
    }

    public void testInheritance2() throws RepositoryException, NotExecutableException {
        Session testSession = getTestSession();
        AccessControlManager testACManager = getTestACManager();
        checkReadOnly(this.path);
        checkReadOnly(this.childNPath);
        Privilege[] privilegesFromNames = privilegesFromNames(new String[]{"{http://www.jcp.org/jcr/1.0}write"});
        givePrivileges(this.path, privilegesFromNames, getRestrictions(this.superuser, this.path));
        withdrawPrivileges(this.childNPath, privilegesFromNames, getRestrictions(this.superuser, this.path));
        assertFalse(testACManager.hasPrivileges(this.childNPath, privilegesFromNames));
        assertFalse(testSession.hasPermission(this.childNPath + "/anyItem", "set_property,remove,add_node"));
        Node addNode = this.superuser.getNode(this.childNPath).addNode(this.nodeName3);
        this.superuser.save();
        String path = addNode.getPath();
        givePrivileges(path, privilegesFromNames, getRestrictions(this.superuser, this.path));
        assertTrue(testACManager.hasPrivileges(path, privilegesFromNames));
        assertTrue(testSession.hasPermission(path + "/anyProp", "set_property"));
        assertFalse(testSession.hasPermission(path, "remove"));
    }

    public void testInheritedGroupPermissions() throws NotExecutableException, RepositoryException {
        Group testGroup = getTestGroup();
        AccessControlManager testACManager = getTestACManager();
        checkReadOnly(this.path);
        Privilege[] privilegesFromName = privilegesFromName("{http://www.jcp.org/jcr/1.0}modifyProperties");
        givePrivileges(this.path, testGroup.getPrincipal(), privilegesFromName, getRestrictions(this.superuser, this.path));
        withdrawPrivileges(this.childNPath, EveryonePrincipal.getInstance(), privilegesFromName, getRestrictions(this.superuser, this.path));
        assertFalse(testACManager.hasPrivileges(this.childNPath, privilegesFromName("{http://www.jcp.org/jcr/1.0}modifyProperties")));
    }

    public void testInheritedGroupPermissions2() throws NotExecutableException, RepositoryException {
        Group testGroup = getTestGroup();
        AccessControlManager testACManager = getTestACManager();
        checkReadOnly(this.path);
        Privilege[] privilegesFromName = privilegesFromName("{http://www.jcp.org/jcr/1.0}modifyProperties");
        givePrivileges(this.path, EveryonePrincipal.getInstance(), privilegesFromName, getRestrictions(this.superuser, this.path));
        withdrawPrivileges(this.childNPath, testGroup.getPrincipal(), privilegesFromName, getRestrictions(this.superuser, this.path));
        assertFalse(testACManager.hasPrivileges(this.childNPath, privilegesFromName("{http://www.jcp.org/jcr/1.0}modifyProperties")));
    }

    public void testMultipleGroupPermissionsOnNode() throws NotExecutableException, RepositoryException {
        Group testGroup = getTestGroup();
        TestPrincipal testPrincipal = new TestPrincipal("testGroup" + UUID.randomUUID());
        UserManager userManager = getUserManager(this.superuser);
        Group createGroup = userManager.createGroup(testPrincipal);
        try {
            createGroup.addMember(this.testUser);
            if (!userManager.isAutoSave() && this.superuser.hasPendingChanges()) {
                this.superuser.save();
            }
            Privilege[] privilegesFromName = privilegesFromName("{http://www.jcp.org/jcr/1.0}modifyProperties");
            givePrivileges(this.path, testGroup.getPrincipal(), privilegesFromName, getRestrictions(this.superuser, this.path));
            withdrawPrivileges(this.path, createGroup.getPrincipal(), privilegesFromName, getRestrictions(this.superuser, this.path));
            AccessControlManager testACManager = getTestACManager();
            assertFalse(getTestSession().hasPermission(this.path, "set_property,read"));
            assertFalse(testACManager.hasPrivileges(this.path, privilegesFromName("{http://www.jcp.org/jcr/1.0}modifyProperties")));
            createGroup.remove();
        } catch (Throwable th) {
            createGroup.remove();
            throw th;
        }
    }

    public void testMultipleGroupPermissionsOnNode2() throws NotExecutableException, RepositoryException {
        Group testGroup = getTestGroup();
        TestPrincipal testPrincipal = new TestPrincipal("testGroup" + UUID.randomUUID());
        UserManager userManager = getUserManager(this.superuser);
        Group createGroup = userManager.createGroup(testPrincipal);
        try {
            createGroup.addMember(this.testUser);
            if (!userManager.isAutoSave() && this.superuser.hasPendingChanges()) {
                this.superuser.save();
            }
            Privilege[] privilegesFromName = privilegesFromName("{http://www.jcp.org/jcr/1.0}modifyProperties");
            withdrawPrivileges(this.path, testGroup.getPrincipal(), privilegesFromName, getRestrictions(this.superuser, this.path));
            givePrivileges(this.path, createGroup.getPrincipal(), privilegesFromName, getRestrictions(this.superuser, this.path));
            AccessControlManager testACManager = getTestACManager();
            assertTrue(getTestSession().hasPermission(this.path, "set_property,read"));
            assertTrue(testACManager.hasPrivileges(this.path, privilegesFromName("{http://www.jcp.org/jcr/1.0}modifyProperties")));
            createGroup.remove();
        } catch (Throwable th) {
            createGroup.remove();
            throw th;
        }
    }

    public void testReorderGroupPermissions() throws NotExecutableException, RepositoryException {
        Group testGroup = getTestGroup();
        TestPrincipal testPrincipal = new TestPrincipal("testGroup" + UUID.randomUUID());
        UserManager userManager = getUserManager(this.superuser);
        Group createGroup = userManager.createGroup(testPrincipal);
        try {
            createGroup.addMember(this.testUser);
            if (!userManager.isAutoSave() && this.superuser.hasPendingChanges()) {
                this.superuser.save();
            }
            Privilege[] privilegesFromName = privilegesFromName("{http://www.jcp.org/jcr/1.0}modifyProperties");
            withdrawPrivileges(this.path, testGroup.getPrincipal(), privilegesFromName, getRestrictions(this.superuser, this.path));
            givePrivileges(this.path, createGroup.getPrincipal(), privilegesFromName, getRestrictions(this.superuser, this.path));
            AccessControlManager testACManager = getTestACManager();
            assertTrue(getTestSession().hasPermission(this.path, "set_property,read"));
            Privilege[] privilegesFromName2 = privilegesFromName("{http://www.jcp.org/jcr/1.0}modifyProperties");
            assertTrue(testACManager.hasPrivileges(this.path, privilegesFromName2));
            AccessControlEntry accessControlEntry = null;
            AccessControlEntry accessControlEntry2 = null;
            JackrabbitAccessControlList jackrabbitAccessControlList = this.acMgr.getPolicies(this.path)[0];
            for (AccessControlEntry accessControlEntry3 : jackrabbitAccessControlList.getAccessControlEntries()) {
                Principal principal = accessControlEntry3.getPrincipal();
                if (testGroup.getPrincipal().equals(principal)) {
                    accessControlEntry2 = accessControlEntry3;
                } else if (createGroup.getPrincipal().equals(principal)) {
                    accessControlEntry = accessControlEntry3;
                }
            }
            jackrabbitAccessControlList.orderBefore(accessControlEntry, accessControlEntry2);
            this.acMgr.setPolicy(this.path, jackrabbitAccessControlList);
            this.superuser.save();
            assertFalse(getTestSession().hasPermission(this.path, "set_property,read"));
            assertFalse(testACManager.hasPrivileges(this.path, privilegesFromName2));
            createGroup.remove();
        } catch (Throwable th) {
            createGroup.remove();
            throw th;
        }
    }

    public void testWriteIfReadingParentIsDenied() throws Exception {
        Privilege[] privilegesFromNames = privilegesFromNames(new String[]{"{http://www.jcp.org/jcr/1.0}read", "{http://www.jcp.org/jcr/1.0}write"});
        withdrawPrivileges(this.path, this.testUser.getPrincipal(), privilegesFromNames, getRestrictions(this.superuser, this.path));
        givePrivileges(this.childNPath, this.testUser.getPrincipal(), privilegesFromNames, getRestrictions(this.superuser, this.childNPath));
        Session testSession = getTestSession();
        assertFalse(testSession.nodeExists(this.path));
        assertTrue(testSession.nodeExists(this.childNPath));
        Node node = testSession.getNode(this.childNPath);
        node.addNode("someChild");
        node.save();
    }

    public void testRemoveNodeWithPolicy() throws Exception {
        Privilege[] privilegesFromNames = privilegesFromNames(new String[]{"{http://www.jcp.org/jcr/1.0}read", "{http://www.jcp.org/jcr/1.0}write"});
        givePrivileges(this.path, this.testUser.getPrincipal(), privilegesFromNames, getRestrictions(this.superuser, this.path));
        givePrivileges(this.childNPath, this.testUser.getPrincipal(), privilegesFromNames, getRestrictions(this.superuser, this.path));
        Session testSession = getTestSession();
        assertTrue(testSession.nodeExists(this.childNPath));
        assertTrue(testSession.hasPermission(this.childNPath, "remove"));
        testSession.getNode(this.childNPath).remove();
        testSession.save();
    }

    public void testRemoveNodeWithInvisibleChild() throws Exception {
        Privilege[] privilegesFromNames = privilegesFromNames(new String[]{"{http://www.jcp.org/jcr/1.0}read", "{http://www.jcp.org/jcr/1.0}write"});
        Node addNode = this.superuser.getNode(this.childNPath).addNode(this.nodeName3);
        this.superuser.save();
        givePrivileges(this.path, this.testUser.getPrincipal(), privilegesFromNames, getRestrictions(this.superuser, this.path));
        withdrawPrivileges(addNode.getPath(), this.testUser.getPrincipal(), privilegesFromNames(new String[]{"{http://www.jcp.org/jcr/1.0}read"}), getRestrictions(this.superuser, this.path));
        Session testSession = getTestSession();
        assertTrue(testSession.nodeExists(this.childNPath));
        assertTrue(testSession.hasPermission(this.childNPath, "remove"));
        testSession.getNode(this.childNPath).remove();
        testSession.save();
    }

    public void testRemoveNodeWithInvisibleNonRemovableChild() throws Exception {
        Privilege[] privilegesFromNames = privilegesFromNames(new String[]{"{http://www.jcp.org/jcr/1.0}read", "{http://www.jcp.org/jcr/1.0}write"});
        Node addNode = this.superuser.getNode(this.childNPath).addNode(this.nodeName3);
        this.superuser.save();
        givePrivileges(this.path, this.testUser.getPrincipal(), privilegesFromNames, getRestrictions(this.superuser, this.path));
        withdrawPrivileges(addNode.getPath(), this.testUser.getPrincipal(), privilegesFromNames, getRestrictions(this.superuser, this.path));
        Session testSession = getTestSession();
        assertTrue(testSession.nodeExists(this.childNPath));
        assertTrue(testSession.hasPermission(this.childNPath, "remove"));
        try {
            testSession.getNode(this.childNPath).remove();
            testSession.save();
            fail();
        } catch (AccessDeniedException e) {
        }
    }
}
