package org.apache.jackrabbit.oak.spi.security.authentication.external.impl;

import com.google.common.collect.Iterables;
import com.google.common.collect.Sets;
import java.util.HashSet;
import java.util.Set;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentity;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityException;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityProvider;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityRef;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalUser;
import org.apache.jackrabbit.oak.spi.security.authentication.external.PrincipalNameResolver;
import org.apache.jackrabbit.oak.spi.security.authentication.external.SyncResult;
import org.apache.jackrabbit.oak.spi.security.authentication.external.TestIdentityProvider;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.junit.Assert;
import org.junit.Test;

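/**
 * Re-runs the {@link DynamicSyncContextTest} suite against an identity provider that also
 * implements {@link PrincipalNameResolver}, and overrides three of the inherited tests.
 *
 * <p>The overridden conflict tests pre-create a repository group whose principal name differs
 * from the one the IDP reports for the same external reference. They then check that the
 * {@code rep:externalPrincipalNames} property written by the sync holds the IDP's principal name.
 * NOTE(review): that property presumably feeds dynamic group membership and therefore
 * authorization decisions, which is why the source of the recorded name matters; confirm
 * against the sync context implementation, which is not visible in this file.
 */
public class PrincipalResolutionTest extends DynamicSyncContextTest {

    /**
     * Test IDP that resolves a principal name by looking up the referenced identity and returning
     * that identity's own principal name.
     */
    static class PrincipalResolvingIDP extends TestIdentityProvider implements PrincipalNameResolver {
        /**
         * Resolves the principal name for an external identity reference.
         *
         * @param externalIdentityRef reference to look up through {@code getIdentity}
         * @return the principal name reported by the resolved identity
         * @throws ExternalIdentityException if the reference does not resolve to an identity
         */
        @Override
        @NotNull
        public String fromExternalIdentityRef(@NotNull ExternalIdentityRef externalIdentityRef) throws ExternalIdentityException {
            ExternalIdentity identity = getIdentity(externalIdentityRef);
            if (identity == null) {
                // Name the unresolved reference so a failing lookup can be diagnosed from the trace.
                throw new ExternalIdentityException(
                        "No external identity found for reference " + externalIdentityRef.getString());
            }
            return identity.getPrincipalName();
        }
    }

    /**
     * Supplies the principal-resolving IDP to the inherited test setup.
     *
     * <p>The decompiler output notes that the access modifier was changed from {@code protected};
     * it is left as found so the override stays compatible with the rest of the decompiled tree.
     *
     * @return a new {@link PrincipalResolvingIDP}
     */
    @Override
    @NotNull
    public ExternalIdentityProvider createIDP() {
        return new PrincipalResolvingIDP();
    }

    /**
     * Conflict case: the existing group shares the external group's id but carries the IDP
     * principal name with {@code "mismatch"} appended.
     */
    @Override
    @Test
    public void testSyncExternalUserGroupConflictPrincipalNameMismatch() throws Exception {
        ExternalUser user = idp.getUser(TestIdentityProvider.ID_TEST_USER);
        Assert.assertNotNull(user);
        ExternalIdentityRef groupRef = firstDeclaredGroupRef(user);
        ExternalIdentity group = idp.getIdentity(groupRef);
        Assert.assertNotNull(group);

        assertSynched(user, group, group.getId(), group.getPrincipalName() + "mismatch", groupRef);
    }

    /**
     * Conflict case: the existing group shares the external group's id but its principal name is
     * the upper-cased form of the IDP principal name.
     */
    @Override
    @Test
    public void testSyncExternalUserGroupConflictPrincipalNameCaseMismatch() throws Exception {
        ExternalUser user = idp.getUser(TestIdentityProvider.ID_TEST_USER);
        Assert.assertNotNull(user);
        ExternalIdentityRef groupRef = firstDeclaredGroupRef(user);
        ExternalIdentity group = idp.getIdentity(groupRef);
        Assert.assertNotNull(group);

        assertSynched(user, group, group.getId(), group.getPrincipalName().toUpperCase(), groupRef);
    }

    /** Returns the first group reference the given external user declares. */
    private static ExternalIdentityRef firstDeclaredGroupRef(@NotNull ExternalUser user) throws Exception {
        return user.getDeclaredGroups().iterator().next();
    }

    /**
     * Creates a conflicting repository group, syncs the external user and verifies that the
     * user's {@code rep:externalPrincipalNames} contains the principal name reported by the IDP.
     *
     * @param externalUser user to sync; the sync is expected to report {@code ADD}
     * @param externalIdentity external group whose IDP principal name must be recorded
     * @param groupId id of the repository group created before the sync
     * @param conflictingPrincipalName principal name given to that repository group
     * @param externalIdentityRef if non-null, stored on the group as {@code rep:externalId}
     */
    private void assertSynched(@NotNull ExternalUser externalUser, @NotNull ExternalIdentity externalIdentity, @NotNull String groupId, @NotNull String conflictingPrincipalName, @Nullable ExternalIdentityRef externalIdentityRef) throws Exception {
        Group conflictingGroup = userManager.createGroup(groupId, new PrincipalImpl(conflictingPrincipalName), (String) null);
        if (externalIdentityRef != null) {
            conflictingGroup.setProperty("rep:externalId", getValueFactory().createValue(externalIdentityRef.getString()));
        }
        // Persist the conflicting group before syncing so the sync runs against committed state.
        r.commit();

        sync(externalUser, SyncResult.Status.ADD);

        PropertyState recorded = r.getTree(userManager.getAuthorizable(TestIdentityProvider.ID_TEST_USER).getPath())
                .getProperty("rep:externalPrincipalNames");
        Assert.assertNotNull(recorded);

        Set<String> recordedNames = Sets.newHashSet(recorded.getValue(Type.STRINGS));
        String expectedName = externalIdentity.getPrincipalName();
        Assert.assertTrue(recordedNames + " must contain " + expectedName, recordedNames.contains(expectedName));
    }

    /**
     * Declares another user's external id as a group of the test user and checks that the sync
     * still writes {@code rep:externalPrincipalNames} and passes the inherited dynamic-membership
     * assertion at depth 1.
     */
    @Override
    @Test
    public void testSyncMembershipWithUserRef() throws Exception {
        TestIdentityProvider.TestUser testUser = (TestIdentityProvider.TestUser) idp.getUser(TestIdentityProvider.ID_TEST_USER);
        Assert.assertNotNull(testUser);
        // Captured before the declared groups are altered below; order matters here.
        Set<ExternalIdentityRef> expectedSyncedGroupRefs = getExpectedSyncedGroupRefs(syncConfig.user().getMembershipNestingDepth(), idp, testUser);

        // The second user must not exist in the repository yet.
        Assert.assertNull(userManager.getAuthorizable(TestIdentityProvider.ID_SECOND_USER));
        ExternalUser secondUser = idp.getUser(TestIdentityProvider.ID_SECOND_USER);
        Assert.assertNotNull(secondUser);
        testUser.withGroups(secondUser.getExternalId());
        Assert.assertFalse(Iterables.elementsEqual(expectedSyncedGroupRefs, testUser.getDeclaredGroups()));

        sync(testUser, SyncResult.Status.ADD);

        Assert.assertTrue(userManager.getAuthorizable(TestIdentityProvider.ID_TEST_USER).hasProperty("rep:externalPrincipalNames"));
        assertDynamicMembership(testUser, 1L);
    }
}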
