package org.apache.jackrabbit.core.security.authorization.acl;

import java.security.Principal;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.jcr.AccessDeniedException;
import javax.jcr.Node;
import javax.jcr.PathNotFoundException;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.Value;
import javax.jcr.ValueFactory;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.core.security.authorization.AbstractEvaluationTest;
import org.apache.jackrabbit.core.security.authorization.AccessControlConstants;
import org.apache.jackrabbit.test.NotExecutableException;
import org.junit.Test;

/* loaded from: input_file:org/apache/jackrabbit/core/security/authorization/acl/ReadTest.class */
public class ReadTest extends AbstractEvaluationTest {
    private String path;
    private String childNPath;

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.jackrabbit.core.security.authorization.AbstractEvaluationTest
    public void setUp() throws Exception {
        super.setUp();
        Node addNode = this.testRootNode.addNode(this.nodeName1, this.testNodeType);
        Node addNode2 = addNode.addNode(this.nodeName2, this.testNodeType);
        this.superuser.save();
        this.path = addNode.getPath();
        this.childNPath = addNode2.getPath();
    }

    @Override // org.apache.jackrabbit.core.security.authorization.AbstractEvaluationTest
    protected boolean isExecutable() {
        return EvaluationUtil.isExecutable(this.acMgr);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.jackrabbit.core.security.authorization.AbstractEvaluationTest
    public JackrabbitAccessControlList getPolicy(AccessControlManager accessControlManager, String str, Principal principal) throws RepositoryException, AccessDeniedException, NotExecutableException {
        return EvaluationUtil.getPolicy(accessControlManager, str, principal);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.jackrabbit.core.security.authorization.AbstractEvaluationTest
    public Map<String, Value> getRestrictions(Session session, String str) {
        return Collections.emptyMap();
    }

    public void testReadDenied() throws Exception {
        Privilege[] privilegesFromName = privilegesFromName("{http://www.jcp.org/jcr/1.0}read");
        withdrawPrivileges(this.path, privilegesFromName, getRestrictions(this.superuser, this.path));
        givePrivileges(this.childNPath, privilegesFromName, getRestrictions(this.superuser, this.childNPath));
        Session testSession = getTestSession();
        assertFalse(testSession.nodeExists(this.path));
        assertTrue(testSession.nodeExists(this.childNPath));
        testSession.getNode(this.childNPath).getDefinition();
    }

    public void testDenyUserAllowGroup() throws Exception {
        Privilege[] privilegesFromName = privilegesFromName("{http://www.jcp.org/jcr/1.0}read");
        Principal principal = getTestGroup().getPrincipal();
        withdrawPrivileges(this.path, this.testUser.getPrincipal(), privilegesFromName, getRestrictions(this.superuser, this.path));
        givePrivileges(this.path, principal, privilegesFromName, getRestrictions(this.superuser, this.path));
        assertFalse(getTestSession().nodeExists(this.path));
    }

    public void testAllowGroupDenyUser() throws Exception {
        Privilege[] privilegesFromName = privilegesFromName("{http://www.jcp.org/jcr/1.0}read");
        givePrivileges(this.path, getTestGroup().getPrincipal(), privilegesFromName, getRestrictions(this.superuser, this.path));
        withdrawPrivileges(this.path, this.testUser.getPrincipal(), privilegesFromName, getRestrictions(this.superuser, this.path));
        assertFalse(getTestSession().nodeExists(this.path));
    }

    public void testAllowUserDenyGroup() throws Exception {
        Privilege[] privilegesFromName = privilegesFromName("{http://www.jcp.org/jcr/1.0}read");
        Principal principal = getTestGroup().getPrincipal();
        givePrivileges(this.path, this.testUser.getPrincipal(), privilegesFromName, getRestrictions(this.superuser, this.path));
        withdrawPrivileges(this.path, principal, privilegesFromName, getRestrictions(this.superuser, this.path));
        assertTrue(getTestSession().nodeExists(this.path));
    }

    public void testDenyGroupAllowUser() throws Exception {
        Privilege[] privilegesFromName = privilegesFromName("{http://www.jcp.org/jcr/1.0}read");
        withdrawPrivileges(this.path, getTestGroup().getPrincipal(), privilegesFromName, getRestrictions(this.superuser, this.path));
        givePrivileges(this.path, this.testUser.getPrincipal(), privilegesFromName, getRestrictions(this.superuser, this.path));
        assertTrue(getTestSession().nodeExists(this.path));
    }

    public void testDenyGroupAllowEveryone() throws Exception {
        Privilege[] privilegesFromName = privilegesFromName("{http://www.jcp.org/jcr/1.0}read");
        Principal principal = getTestGroup().getPrincipal();
        Principal everyone = this.superuser.getPrincipalManager().getEveryone();
        withdrawPrivileges(this.path, principal, privilegesFromName, getRestrictions(this.superuser, this.path));
        givePrivileges(this.path, everyone, privilegesFromName, getRestrictions(this.superuser, this.path));
        assertTrue(getTestSession().nodeExists(this.path));
    }

    public void testAllowEveryoneDenyGroup() throws Exception {
        Privilege[] privilegesFromName = privilegesFromName("{http://www.jcp.org/jcr/1.0}read");
        Principal principal = getTestGroup().getPrincipal();
        givePrivileges(this.path, this.superuser.getPrincipalManager().getEveryone(), privilegesFromName, getRestrictions(this.superuser, this.path));
        withdrawPrivileges(this.path, principal, privilegesFromName, getRestrictions(this.superuser, this.path));
        assertFalse(getTestSession().nodeExists(this.path));
    }

    public void testDenyGroupPathAllowEveryoneChildPath() throws Exception {
        Privilege[] privilegesFromName = privilegesFromName("{http://www.jcp.org/jcr/1.0}read");
        Principal principal = getTestGroup().getPrincipal();
        Principal everyone = this.superuser.getPrincipalManager().getEveryone();
        withdrawPrivileges(this.path, principal, privilegesFromName, getRestrictions(this.superuser, this.path));
        givePrivileges(this.path, everyone, privilegesFromName, getRestrictions(this.superuser, this.childNPath));
        assertTrue(getTestSession().nodeExists(this.childNPath));
    }

    public void testAllowEveryonePathDenyGroupChildPath() throws Exception {
        Privilege[] privilegesFromName = privilegesFromName("{http://www.jcp.org/jcr/1.0}read");
        Principal principal = getTestGroup().getPrincipal();
        givePrivileges(this.path, this.superuser.getPrincipalManager().getEveryone(), privilegesFromName, getRestrictions(this.superuser, this.path));
        withdrawPrivileges(this.path, principal, privilegesFromName, getRestrictions(this.superuser, this.childNPath));
        assertFalse(getTestSession().nodeExists(this.childNPath));
    }

    public void testAllowUserPathDenyGroupChildPath() throws Exception {
        Privilege[] privilegesFromName = privilegesFromName("{http://www.jcp.org/jcr/1.0}read");
        Principal principal = getTestGroup().getPrincipal();
        givePrivileges(this.path, this.testUser.getPrincipal(), privilegesFromName, getRestrictions(this.superuser, this.path));
        withdrawPrivileges(this.path, principal, privilegesFromName, getRestrictions(this.superuser, this.childNPath));
        assertTrue(getTestSession().nodeExists(this.childNPath));
    }

    public void testDenyGroupPathAllowUserChildPath() throws Exception {
        Privilege[] privilegesFromName = privilegesFromName("{http://www.jcp.org/jcr/1.0}read");
        withdrawPrivileges(this.path, getTestGroup().getPrincipal(), privilegesFromName, getRestrictions(this.superuser, this.path));
        givePrivileges(this.path, this.testUser.getPrincipal(), privilegesFromName, getRestrictions(this.superuser, this.childNPath));
        assertTrue(getTestSession().nodeExists(this.childNPath));
    }

    public void testDenyUserPathAllowGroupChildPath() throws Exception {
        Privilege[] privilegesFromName = privilegesFromName("{http://www.jcp.org/jcr/1.0}read");
        Principal principal = getTestGroup().getPrincipal();
        withdrawPrivileges(this.path, this.testUser.getPrincipal(), privilegesFromName, getRestrictions(this.superuser, this.path));
        givePrivileges(this.path, principal, privilegesFromName, getRestrictions(this.superuser, this.childNPath));
        assertFalse(getTestSession().nodeExists(this.childNPath));
    }

    public void testAllowGroupPathDenyUserChildPath() throws Exception {
        Privilege[] privilegesFromName = privilegesFromName("{http://www.jcp.org/jcr/1.0}read");
        givePrivileges(this.path, getTestGroup().getPrincipal(), privilegesFromName, getRestrictions(this.superuser, this.path));
        withdrawPrivileges(this.path, this.testUser.getPrincipal(), privilegesFromName, getRestrictions(this.superuser, this.childNPath));
        assertFalse(getTestSession().nodeExists(this.childNPath));
    }

    public void testGlobRestriction() throws Exception {
        Session testSession = getTestSession();
        AccessControlManager testACManager = getTestACManager();
        ValueFactory valueFactory = this.superuser.getValueFactory();
        checkReadOnly(this.path);
        checkReadOnly(this.childNPath);
        Privilege[] privilegesFromName = privilegesFromName("{http://www.jcp.org/jcr/1.0}read");
        HashMap hashMap = new HashMap(getRestrictions(this.superuser, this.path));
        hashMap.put(AccessControlConstants.P_GLOB.toString(), valueFactory.createValue("*/" + this.jcrPrimaryType));
        withdrawPrivileges(this.path, privilegesFromName, hashMap);
        assertTrue(testACManager.hasPrivileges(this.path, privilegesFromName));
        assertTrue(testSession.hasPermission(this.path, "read"));
        testSession.getNode(this.path);
        assertTrue(testACManager.hasPrivileges(this.childNPath, privilegesFromName));
        assertTrue(testSession.hasPermission(this.childNPath, "read"));
        testSession.getNode(this.childNPath);
        String str = this.path + "/" + this.jcrPrimaryType;
        assertFalse(testSession.hasPermission(str, "read"));
        assertFalse(testSession.propertyExists(str));
        String str2 = this.childNPath + "/" + this.jcrPrimaryType;
        assertFalse(testSession.hasPermission(str2, "read"));
        assertFalse(testSession.propertyExists(str2));
    }

    @Test
    public void testEmptyGlobRestriction() throws Exception {
        String path = this.superuser.getNode(this.childNPath).addNode("child").getPath();
        this.superuser.save();
        Privilege[] privilegesFromName = privilegesFromName("{http://www.jcp.org/jcr/1.0}read");
        withdrawPrivileges(this.path, privilegesFromName, Collections.EMPTY_MAP);
        Session testSession = getTestSession();
        assertFalse(testSession.nodeExists(this.path));
        assertFalse(canGetNode(testSession, this.path));
        assertFalse(testSession.nodeExists(this.childNPath));
        assertFalse(canGetNode(testSession, this.childNPath));
        assertFalse(testSession.nodeExists(path));
        assertFalse(canGetNode(testSession, path));
        assertFalse(testSession.propertyExists(this.childNPath + "/jcr:primaryType"));
        HashMap hashMap = new HashMap(getRestrictions(this.superuser, this.childNPath));
        hashMap.put(AccessControlConstants.P_GLOB.toString(), this.vf.createValue(""));
        givePrivileges(this.childNPath, privilegesFromName, hashMap);
        assertFalse(testSession.nodeExists(this.path));
        assertFalse(canGetNode(testSession, this.path));
        assertTrue(testSession.nodeExists(this.childNPath));
        assertTrue(canGetNode(testSession, this.childNPath));
        assertFalse(testSession.nodeExists(path));
        assertFalse(canGetNode(testSession, path));
        assertFalse(testSession.propertyExists(this.childNPath + "/jcr:primaryType"));
        givePrivileges(path, privilegesFromName, Collections.EMPTY_MAP);
        assertTrue(testSession.nodeExists(path));
        assertTrue(canGetNode(testSession, path));
        assertTrue(testSession.propertyExists(path + "/jcr:primaryType"));
    }

    @Test
    public void testEmptyGlobRestriction2() throws Exception {
        String path = this.superuser.getNode(this.childNPath).addNode("child").getPath();
        this.superuser.save();
        Privilege[] privilegesFromName = privilegesFromName("{http://www.jcp.org/jcr/1.0}read");
        withdrawPrivileges(this.path, privilegesFromName, Collections.EMPTY_MAP);
        Session testSession = getTestSession();
        assertFalse(testSession.nodeExists(this.path));
        assertFalse(canGetNode(testSession, this.path));
        assertFalse(testSession.nodeExists(this.childNPath));
        assertFalse(canGetNode(testSession, this.childNPath));
        assertFalse(testSession.nodeExists(path));
        assertFalse(canGetNode(testSession, path));
        assertFalse(testSession.propertyExists(this.childNPath + "/jcr:primaryType"));
        HashMap hashMap = new HashMap(getRestrictions(this.superuser, this.path));
        hashMap.put(AccessControlConstants.P_GLOB.toString(), this.vf.createValue(""));
        givePrivileges(this.path, privilegesFromName, hashMap);
        assertTrue(testSession.nodeExists(this.path));
        assertTrue(canGetNode(testSession, this.path));
        assertFalse(testSession.nodeExists(this.childNPath));
        assertFalse(canGetNode(testSession, this.childNPath));
        assertFalse(testSession.nodeExists(path));
        assertFalse(canGetNode(testSession, path));
        assertFalse(testSession.propertyExists(this.childNPath + "/jcr:primaryType"));
    }

    @Test
    public void testEmptyGlobRestriction3() throws Exception {
        String path = this.superuser.getNode(this.path).addNode("child2").getPath();
        this.superuser.save();
        try {
            Group testGroup = getTestGroup();
            Group createGroup = getUserManager(this.superuser).createGroup("group2");
            createGroup.addMember(this.testUser);
            Group createGroup2 = getUserManager(this.superuser).createGroup("group3");
            this.superuser.save();
            assertTrue(testGroup.isDeclaredMember(this.testUser));
            assertTrue(createGroup.isDeclaredMember(this.testUser));
            assertFalse(createGroup2.isDeclaredMember(this.testUser));
            Privilege[] privilegesFromName = privilegesFromName("{http://www.jcp.org/jcr/1.0}read");
            withdrawPrivileges(this.path, testGroup.getPrincipal(), privilegesFromName, Collections.EMPTY_MAP);
            HashMap hashMap = new HashMap(getRestrictions(this.superuser, this.path));
            hashMap.put(AccessControlConstants.P_GLOB.toString(), this.vf.createValue(""));
            givePrivileges(this.path, testGroup.getPrincipal(), privilegesFromName, hashMap);
            withdrawPrivileges(this.childNPath, createGroup.getPrincipal(), privilegesFromName, Collections.EMPTY_MAP);
            HashMap hashMap2 = new HashMap(getRestrictions(this.superuser, this.childNPath));
            hashMap2.put(AccessControlConstants.P_GLOB.toString(), this.vf.createValue(""));
            givePrivileges(this.childNPath, createGroup.getPrincipal(), privilegesFromName, hashMap2);
            withdrawPrivileges(path, createGroup2.getPrincipal(), privilegesFromName, Collections.EMPTY_MAP);
            HashMap hashMap3 = new HashMap(getRestrictions(this.superuser, path));
            hashMap3.put(AccessControlConstants.P_GLOB.toString(), this.vf.createValue(""));
            givePrivileges(path, createGroup2.getPrincipal(), privilegesFromName, hashMap3);
            Session testSession = getTestSession();
            assertTrue(testSession.nodeExists(this.path));
            assertTrue(testSession.nodeExists(this.childNPath));
            assertFalse(testSession.nodeExists(path));
            Authorizable authorizable = getUserManager(this.superuser).getAuthorizable("group2");
            if (authorizable != null) {
                authorizable.remove();
            }
            Authorizable authorizable2 = getUserManager(this.superuser).getAuthorizable("group3");
            if (authorizable2 != null) {
                authorizable2.remove();
            }
            this.superuser.save();
        } catch (Throwable th) {
            Authorizable authorizable3 = getUserManager(this.superuser).getAuthorizable("group2");
            if (authorizable3 != null) {
                authorizable3.remove();
            }
            Authorizable authorizable4 = getUserManager(this.superuser).getAuthorizable("group3");
            if (authorizable4 != null) {
                authorizable4.remove();
            }
            this.superuser.save();
            throw th;
        }
    }

    private static boolean canGetNode(Session session, String str) throws RepositoryException {
        try {
            session.getNode(str);
            return true;
        } catch (PathNotFoundException e) {
            return false;
        }
    }

    public void testRemoveMixin() throws Exception {
        Node node = this.superuser.getNode(this.path);
        withdrawPrivileges(this.path, privilegesFromName("{http://www.jcp.org/jcr/1.0}read"), getRestrictions(this.superuser, this.path));
        assertTrue(node.hasNode("rep:policy"));
        assertTrue(node.isNodeType("rep:AccessControllable"));
        node.removeMixin("rep:AccessControllable");
        this.superuser.save();
        assertFalse(node.hasNode("rep:policy"));
        assertFalse(node.isNodeType("rep:AccessControllable"));
    }
}
