package org.apache.jackrabbit.oak.spi.security.authentication.external.impl;

import com.google.common.base.Function;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterables;
import com.google.common.collect.Sets;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import java.util.UUID;
import javax.jcr.RepositoryException;
import javax.jcr.Value;
import javax.jcr.ValueFactory;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.spi.security.authentication.external.AbstractExternalAuthTest;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalGroup;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentity;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityException;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityRef;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalUser;
import org.apache.jackrabbit.oak.spi.security.authentication.external.SyncResult;
import org.apache.jackrabbit.oak.spi.security.authentication.external.SyncedIdentity;
import org.apache.jackrabbit.oak.spi.security.authentication.external.TestIdentityProvider;
import org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncConfig;
import org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncContext;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;

/* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncContextTest.class */
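/**
 * Tests for {@link DynamicSyncContext} running with dynamic membership enabled
 * (see {@link #createSyncConfig()}).
 *
 * <p>As asserted throughout this class, a dynamic sync records the principal names of the
 * external groups in the {@code rep:externalPrincipalNames} property of the synced user
 * instead of creating group authorizables and repository-level membership. The tests also
 * pin the boundaries of that behaviour: users that already carry membership written by
 * {@link DefaultSyncContext} are not switched over, external groups are never created by the
 * dynamic context, and identities reported as foreign leave the repository untouched.</p>
 */
public class DynamicSyncContextTest extends AbstractExternalAuthTest {
    // Property names exactly as they are read from / written to the repository by these tests.
    private static final String REP_EXTERNAL_PRINCIPAL_NAMES = "rep:externalPrincipalNames";
    private static final String REP_EXTERNAL_ID = "rep:externalId";

    private Root r;
    private UserManager userManager;
    private ValueFactory valueFactory;
    private DynamicSyncContext syncContext;

    /**
     * External user whose declared group references are supplied by the test, so that a
     * change of group membership on the identity-provider side can be simulated.
     */
    private static final class TestUserWithGroupRefs extends TestIdentityProvider.TestIdentity implements ExternalUser {
        private final Iterable<ExternalIdentityRef> declaredGroupRefs;

        private TestUserWithGroupRefs(@NotNull ExternalUser externalUser, @NotNull Iterable<ExternalIdentityRef> iterable) {
            super((ExternalIdentity) externalUser);
            this.declaredGroupRefs = iterable;
        }

        public String getPassword() {
            return "";
        }

        @Override
        @NotNull
        public Iterable<ExternalIdentityRef> getDeclaredGroups() {
            return this.declaredGroupRefs;
        }
    }

    /**
     * Obtains the system root together with its user manager and value factory and creates
     * the {@link DynamicSyncContext} under test.
     */
    @Override
    @Before
    public void before() throws Exception {
        super.before();
        this.r = getSystemRoot();
        this.userManager = getUserManager(this.r);
        this.valueFactory = getValueFactory(this.r);
        this.syncContext = new DynamicSyncContext(this.syncConfig, this.idp, this.userManager, this.valueFactory);
    }

    /**
     * Closes the sync context and discards uncommitted changes; the parent cleanup always runs.
     */
    @Override
    @After
    public void after() throws Exception {
        try {
            // Guard against a failed before(): a NullPointerException here would only
            // obscure the original setup failure.
            if (this.syncContext != null) {
                this.syncContext.close();
            }
            if (this.r != null) {
                this.r.refresh();
            }
        } finally {
            super.after();
        }
    }

    /**
     * Returns the parent sync configuration with dynamic membership switched on for users.
     * The decompiler reported this method as {@code protected} in the original class; the
     * wider modifier is kept here as found.
     */
    @Override
    public DefaultSyncConfig createSyncConfig() {
        DefaultSyncConfig config = super.createSyncConfig();
        config.user().setDynamicMembership(true);
        return config;
    }

    /**
     * Syncs the given identity with the dynamic context, asserts the resulting status and
     * commits the root.
     */
    private void sync(@NotNull ExternalIdentity externalIdentity, @NotNull SyncResult.Status status) throws Exception {
        SyncResult result = this.syncContext.sync(externalIdentity);
        Assert.assertSame(status, result.getStatus());
        this.r.commit();
    }

    /**
     * Syncs the given identity with a {@link DefaultSyncContext} built from the same
     * configuration, used to set up an authorizable that was synced before dynamic membership
     * came into play. The context is closed even when the sync throws.
     */
    private void syncWithDefaultContext(@NotNull ExternalIdentity externalIdentity) throws Exception {
        DefaultSyncContext defaultSyncContext = new DefaultSyncContext(this.syncConfig, this.idp, this.userManager, this.valueFactory);
        try {
            defaultSyncContext.sync(externalIdentity);
        } finally {
            defaultSyncContext.close();
        }
    }

    /**
     * Asserts that {@code rep:externalPrincipalNames} on the authorizable holds exactly the
     * group principal names reachable from the external identity within {@code depth} levels.
     * For a depth of zero or less the expected set is empty, but the property must still exist.
     */
    private void assertDynamicMembership(@NotNull Authorizable authorizable, @NotNull ExternalIdentity externalIdentity, long depth) throws Exception {
        Value[] values = authorizable.getProperty(REP_EXTERNAL_PRINCIPAL_NAMES);
        // Fail with an assertion rather than a NullPointerException when the property is missing.
        Assert.assertNotNull(values);
        Iterable<String> actual = Iterables.transform(ImmutableList.copyOf(values), new Function<Value, String>() {
            @Nullable
            @Override
            public String apply(Value value) {
                try {
                    return value.getString();
                } catch (RepositoryException e) {
                    Assert.fail(e.getMessage());
                    return null;
                }
            }
        });
        Set<String> expected = new HashSet<>();
        collectGroupPrincipals(expected, externalIdentity.getDeclaredGroups(), depth);
        Assert.assertEquals(expected, ImmutableSet.copyOf(actual));
    }

    /**
     * Resolves the given group references through the identity provider and adds their
     * principal names to {@code principalNames}, descending into nested groups until
     * {@code depth} is exhausted.
     */
    private void collectGroupPrincipals(Set<String> principalNames, @NotNull Iterable<ExternalIdentityRef> declaredGroups, long depth) throws ExternalIdentityException {
        if (depth <= 0) {
            return;
        }
        for (ExternalIdentityRef ref : declaredGroups) {
            ExternalIdentity group = this.idp.getIdentity(ref);
            Assert.assertNotNull(group);
            principalNames.add(group.getPrincipalName());
            collectGroupPrincipals(principalNames, group.getDeclaredGroups(), depth - 1);
        }
    }

    /**
     * Asserts that every group declared by the external identity exists as a repository
     * group and that the authorizable is a member of it.
     */
    private static void assertSyncedMembership(@NotNull UserManager userManager, @NotNull Authorizable authorizable, @NotNull ExternalIdentity externalIdentity) throws Exception {
        for (ExternalIdentityRef ref : externalIdentity.getDeclaredGroups()) {
            Group group = userManager.getAuthorizable(ref.getId(), Group.class);
            Assert.assertNotNull(group);
            Assert.assertTrue(group.isMember(authorizable));
        }
    }

    /** An identity that is neither a user nor a group is rejected. */
    @Test(expected = IllegalArgumentException.class)
    public void testSyncExternalIdentity() throws Exception {
        this.syncContext.sync(new TestIdentityProvider.TestIdentity());
    }

    /** Syncing an external user creates the corresponding authorizable. */
    @Test
    public void testSyncExternalUser() throws Exception {
        sync(this.idp.getUser(TestIdentityProvider.ID_TEST_USER), SyncResult.Status.ADD);
        Assert.assertNotNull(this.userManager.getAuthorizable(TestIdentityProvider.ID_TEST_USER));
    }

    /** With nesting depth 0 the principal-names property exists but holds no values. */
    @Test
    public void testSyncExternalUserDepth0() throws Exception {
        this.syncConfig.user().setMembershipNestingDepth(0L);
        sync(this.idp.getUser(TestIdentityProvider.ID_TEST_USER), SyncResult.Status.ADD);
        String userPath = this.userManager.getAuthorizable(TestIdentityProvider.ID_TEST_USER).getPath();
        // Keep the property in a local: the decompiled listing referenced an undeclared
        // variable for the count check.
        PropertyState extPrincipalNames = this.r.getTree(userPath).getProperty(REP_EXTERNAL_PRINCIPAL_NAMES);
        Assert.assertNotNull(extPrincipalNames);
        Assert.assertEquals(0L, extPrincipalNames.count());
    }

    /** With nesting depth 1 exactly the directly declared groups are recorded. */
    @Test
    public void testSyncExternalUserDepth1() throws Exception {
        this.syncConfig.user().setMembershipNestingDepth(1L);
        ExternalUser user = this.idp.getUser(TestIdentityProvider.ID_TEST_USER);
        sync(user, SyncResult.Status.ADD);
        String userPath = this.userManager.getAuthorizable(TestIdentityProvider.ID_TEST_USER).getPath();
        PropertyState extPrincipalNames = this.r.getTree(userPath).getProperty(REP_EXTERNAL_PRINCIPAL_NAMES);
        Assert.assertNotNull(extPrincipalNames);
        Set<String> principalNames = Sets.newHashSet(extPrincipalNames.getValue(Type.STRINGS));
        for (ExternalIdentityRef ref : user.getDeclaredGroups()) {
            Assert.assertTrue(principalNames.remove(this.idp.getIdentity(ref).getPrincipalName()));
        }
        // Nothing beyond the declared groups may have been written.
        Assert.assertTrue(principalNames.isEmpty());
    }

    /** With unlimited nesting depth all transitively declared groups are recorded. */
    @Test
    public void testSyncExternalUserDepthInfinite() throws Exception {
        this.syncConfig.user().setMembershipNestingDepth(Long.MAX_VALUE);
        ExternalUser user = this.idp.getUser(TestIdentityProvider.ID_TEST_USER);
        sync(user, SyncResult.Status.ADD);
        String userPath = this.userManager.getAuthorizable(TestIdentityProvider.ID_TEST_USER).getPath();
        PropertyState extPrincipalNames = this.r.getTree(userPath).getProperty(REP_EXTERNAL_PRINCIPAL_NAMES);
        Assert.assertNotNull(extPrincipalNames);
        Set<String> actual = Sets.newHashSet(extPrincipalNames.getValue(Type.STRINGS));
        Set<String> expected = new HashSet<>();
        collectGroupPrincipals(expected, user.getDeclaredGroups(), Long.MAX_VALUE);
        Assert.assertEquals(expected, actual);
    }

    /**
     * A user first synced by the default context keeps its repository group membership when
     * it is re-synced dynamically: no principal-names property is added.
     */
    @Test
    public void testSyncExternalUserExistingGroups() throws Exception {
        this.syncConfig.user().setMembershipNestingDepth(1L);
        ExternalUser user = this.idp.getUser(TestIdentityProvider.ID_TEST_USER);
        syncWithDefaultContext(user);
        Authorizable authorizable = this.userManager.getAuthorizable(TestIdentityProvider.ID_TEST_USER);
        assertSyncedMembership(this.userManager, authorizable, user);
        this.syncContext.setForceUserSync(true);
        // presumably marks the stored membership as expired so that it is re-evaluated — confirm
        this.syncConfig.user().setMembershipExpirationTime(-1L);
        this.syncContext.sync(user);
        Assert.assertFalse(this.r.getTree(authorizable.getPath()).hasProperty(REP_EXTERNAL_PRINCIPAL_NAMES));
        assertSyncedMembership(this.userManager, authorizable, user);
    }

    /** The dynamic context does not create external groups and leaves no pending changes. */
    @Test
    public void testSyncExternalGroup() throws Exception {
        ExternalGroup externalGroup = (ExternalGroup) this.idp.listGroups().next();
        this.syncContext.sync(externalGroup);
        Assert.assertNull(this.userManager.getAuthorizable(externalGroup.getId()));
        Assert.assertFalse(this.r.hasPendingChanges());
    }

    /** Syncing a group that does not exist is a no-op, also when group sync is forced. */
    @Test
    public void testSyncExternalGroupVerifyStatus() throws Exception {
        ExternalGroup externalGroup = (ExternalGroup) this.idp.listGroups().next();
        Assert.assertEquals(SyncResult.Status.NOP, this.syncContext.sync(externalGroup).getStatus());
        Assert.assertEquals(SyncResult.Status.NOP, this.syncContext.sync(externalGroup).getStatus());
        this.syncContext.setForceGroupSync(true);
        Assert.assertEquals(SyncResult.Status.NOP, this.syncContext.sync(externalGroup).getStatus());
    }

    /** A group created earlier by the default context is updated on a forced sync. */
    @Test
    public void testSyncExternalGroupExisting() throws Exception {
        ExternalGroup externalGroup = (ExternalGroup) this.idp.listGroups().next();
        syncWithDefaultContext(externalGroup);
        this.syncContext.setForceGroupSync(true);
        Assert.assertSame(SyncResult.Status.UPDATE, this.syncContext.sync(externalGroup).getStatus());
    }

    /**
     * A foreign external group is reported with status FOREIGN and a never-synced identity,
     * and the sync leaves no pending changes in the repository.
     */
    @Test
    public void testSyncForeignExternalGroup() throws Exception {
        TestIdentityProvider.ForeignExternalGroup foreignGroup = new TestIdentityProvider.ForeignExternalGroup();
        SyncResult result = this.syncContext.sync(foreignGroup);
        Assert.assertNotNull(result);
        Assert.assertSame(SyncResult.Status.FOREIGN, result.getStatus());
        SyncedIdentity identity = result.getIdentity();
        Assert.assertNotNull(identity);
        Assert.assertEquals(foreignGroup.getId(), identity.getId());
        ExternalIdentityRef externalIdRef = identity.getExternalIdRef();
        Assert.assertNotNull(externalIdRef);
        Assert.assertEquals(foreignGroup.getExternalId(), externalIdRef);
        Assert.assertTrue(identity.isGroup());
        Assert.assertEquals(-1L, identity.lastSynced());
        // The repository must not have been modified on behalf of the foreign identity.
        Assert.assertFalse(this.r.hasPendingChanges());
    }

    /**
     * A pre-existing user carrying the matching external id is updated by a forced sync by
     * id and receives the principal-names property.
     */
    @Test
    public void testSyncUserByIdUpdate() throws Exception {
        ExternalIdentity externalIdentity = (ExternalIdentity) this.idp.listUsers().next();
        User user = this.userManager.createUser(externalIdentity.getId(), (String) null);
        user.setProperty(REP_EXTERNAL_ID, this.valueFactory.createValue(externalIdentity.getExternalId().getString()));
        this.syncContext.setForceUserSync(true);
        Assert.assertEquals(SyncResult.Status.UPDATE, this.syncContext.sync(externalIdentity.getId()).getStatus());
        Assert.assertTrue(this.r.getTree(user.getPath()).hasProperty(REP_EXTERNAL_PRINCIPAL_NAMES));
    }

    /**
     * Sync-by-id of a user that already has repository group membership keeps that
     * membership and does not add the principal-names property.
     */
    @Test
    public void testSyncUserIdExistingGroups() throws Exception {
        ExternalUser user = this.idp.getUser(TestIdentityProvider.ID_TEST_USER);
        syncWithDefaultContext(user);
        Authorizable before = this.userManager.getAuthorizable(user.getId());
        for (ExternalIdentityRef ref : user.getDeclaredGroups()) {
            Group group = this.userManager.getAuthorizable(ref.getId(), Group.class);
            Assert.assertTrue(group.isMember(before));
        }
        this.syncContext.setForceUserSync(true);
        this.syncContext.sync(user.getId());
        Authorizable after = this.userManager.getAuthorizable(TestIdentityProvider.ID_TEST_USER);
        Assert.assertFalse(this.r.getTree(after.getPath()).hasProperty(REP_EXTERNAL_PRINCIPAL_NAMES));
        assertSyncedMembership(this.userManager, after, user);
    }

    /** The depth passed to syncMembership determines which principal names are recorded. */
    @Test
    public void testSyncMembershipWithNesting() throws Exception {
        this.syncConfig.user().setMembershipNestingDepth(1L);
        ExternalUser user = this.idp.getUser(TestIdentityProvider.ID_TEST_USER);
        sync(user, SyncResult.Status.ADD);
        Authorizable authorizable = this.userManager.getAuthorizable(user.getId());
        assertDynamicMembership(authorizable, user, 1L);
        // A negative depth yields an empty set of principal names.
        this.syncContext.syncMembership(user, authorizable, -1L);
        assertDynamicMembership(authorizable, user, -1L);
        this.syncContext.syncMembership(user, authorizable, Long.MAX_VALUE);
        assertDynamicMembership(authorizable, user, Long.MAX_VALUE);
    }

    /**
     * Group changes on the identity-provider side (all groups removed, then a different set
     * declared) are reflected in the recorded principal names.
     */
    @Test
    public void testSyncMembershipWithChangedGroups() throws Exception {
        this.syncConfig.user().setMembershipNestingDepth(1L);
        ExternalUser user = this.idp.getUser(TestIdentityProvider.ID_TEST_USER);
        sync(user, SyncResult.Status.ADD);
        Authorizable authorizable = this.userManager.getAuthorizable(user.getId());
        assertDynamicMembership(authorizable, user, 1L);

        // Explicit type witness: the empty set must be typed as a set of identity refs.
        TestUserWithGroupRefs withoutGroups = new TestUserWithGroupRefs(user, ImmutableSet.<ExternalIdentityRef>of());
        this.syncContext.syncMembership(withoutGroups, authorizable, 1L);
        assertDynamicMembership(authorizable, withoutGroups, 1L);

        TestUserWithGroupRefs withOtherGroups = new TestUserWithGroupRefs(user, ImmutableSet.of(
                this.idp.getGroup("a").getExternalId(),
                this.idp.getGroup("aa").getExternalId(),
                this.idp.getGroup("secondGroup").getExternalId()));
        this.syncContext.syncMembership(withOtherGroups, authorizable, 1L);
        assertDynamicMembership(authorizable, withOtherGroups, 1L);
    }

    /**
     * Same group changes as above, for a user that was originally synced by the default
     * context: membership is checked against repository groups.
     */
    @Test
    public void testSyncMembershipWithChangedExistingGroups() throws Exception {
        this.syncConfig.user().setMembershipNestingDepth(1L);
        ExternalUser user = this.idp.getUser(TestIdentityProvider.ID_TEST_USER);
        syncWithDefaultContext(user);
        Authorizable authorizable = this.userManager.getAuthorizable(user.getId());
        assertSyncedMembership(this.userManager, authorizable, user);

        // Explicit type witness: the empty set must be typed as a set of identity refs.
        TestUserWithGroupRefs withoutGroups = new TestUserWithGroupRefs(user, ImmutableSet.<ExternalIdentityRef>of());
        this.syncContext.syncMembership(withoutGroups, authorizable, 1L);
        assertSyncedMembership(this.userManager, authorizable, withoutGroups);

        TestUserWithGroupRefs withOtherGroups = new TestUserWithGroupRefs(user, ImmutableSet.of(
                this.idp.getGroup("a").getExternalId(),
                this.idp.getGroup("aa").getExternalId(),
                this.idp.getGroup("secondGroup").getExternalId()));
        this.syncContext.syncMembership(withOtherGroups, authorizable, 1L);
        assertSyncedMembership(this.userManager, authorizable, withOtherGroups);
    }

    /** syncMembership on a group authorizable writes nothing. */
    @Test
    public void testSyncMembershipForExternalGroup() throws Exception {
        ExternalGroup group = this.idp.getGroup("a");
        syncWithDefaultContext(group);
        this.r.commit();
        Authorizable authorizable = this.userManager.getAuthorizable(group.getId());
        this.syncContext.syncMembership(group, authorizable, 1L);
        Assert.assertFalse(authorizable.hasProperty(REP_EXTERNAL_PRINCIPAL_NAMES));
        Assert.assertFalse(this.r.hasPendingChanges());
    }

    /**
     * Configured auto-membership is not written as repository group membership by the
     * dynamic sync: the synced user is neither a declared nor an inherited member of the
     * configured group. A non-existing group id in the configuration does not break the sync.
     */
    @Test
    public void testAutoMembership() throws Exception {
        Group autoGroup = this.userManager.createGroup("group" + UUID.randomUUID());
        this.r.commit();
        this.syncConfig.user().setAutoMembership(new String[]{autoGroup.getID(), "non-existing-group"});
        Assert.assertSame(SyncResult.Status.ADD, this.syncContext.sync(this.idp.getUser(TestIdentityProvider.ID_TEST_USER)).getStatus());
        User user = this.userManager.getAuthorizable(TestIdentityProvider.ID_TEST_USER, User.class);
        Assert.assertFalse(autoGroup.isDeclaredMember(user));
        Assert.assertFalse(autoGroup.isMember(user));
    }
}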
