package org.apache.jackrabbit.oak.spi.security.authentication.external.impl.principal;

import java.util.Collection;
import java.util.Collections;
import java.util.Iterator;
import java.util.Map;
import javax.jcr.SimpleCredentials;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.Privilege;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.guava.common.collect.Lists;
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.commons.PathUtils;
import org.apache.jackrabbit.oak.commons.UUIDUtils;
import org.apache.jackrabbit.oak.plugins.tree.RootProvider;
import org.apache.jackrabbit.oak.plugins.tree.TreeProvider;
import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
import org.apache.jackrabbit.oak.security.authentication.token.TokenLoginModule;
import org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl;
import org.apache.jackrabbit.oak.spi.security.CompositeConfiguration;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.Context;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalLoginTestBase;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalUser;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ProtectionConfig;
import org.apache.jackrabbit.oak.spi.security.authentication.external.TestIdentityProvider;
import org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncConfig;
import org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModule;
import org.apache.jackrabbit.oak.spi.security.authentication.token.TokenConfiguration;
import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
import org.jetbrains.annotations.NotNull;
import org.junit.Assert;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.Parameterized;
import org.mockito.Mockito;

@RunWith(Parameterized.class)
/* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/ExternalUserValidatorTest.class */
public class ExternalUserValidatorTest extends ExternalLoginTestBase {
    // Protection level under test; injected by the Parameterized runner and handed to the
    // external principal configuration in getExternalPrincipalConfiguration().
    private final IdentityProtectionType type;
    // Whether createSyncConfig() enables dynamic membership for synced users.
    private final boolean isDynamic;
    // Path of getTestUser(), resolved in before(); used as the non-external counterpart.
    private String localUserPath;
    // Path of the authorizable found for TestIdentityProvider.ID_TEST_USER after the login in before().
    private String externalUserPath;
    // User manager obtained from this.root in before().
    private UserManager userManager;
    // Root returned by getSystemRoot(); used to verify committed state in testAddModifyRemoveFolder().
    private Root sysRoot;

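    /**
     * Supplies the parameter rows for the {@link Parameterized} runner.
     *
     * <p>Each row is {protection type, dynamic-sync flag, display name}. The third element is
     * only consumed by the runner for the test name ({@code name={2}}).
     *
     * @return one {@code Object[]} per tested combination of protection type and sync mode
     */
    @Parameterized.Parameters(name = "name={2}")
    public static Collection<Object[]> parameters() {
        // Each row is passed as its own varargs element so the list element type is Object[].
        // Wrapping all rows in a single outer Object[] (as the decompiled form did) does not
        // produce a Collection<Object[]> with one entry per row.
        return Lists.newArrayList(
                new Object[]{IdentityProtectionType.NONE, false, "None, Default Sync"},
                new Object[]{IdentityProtectionType.WARN, true, "Warn, Dynamic Sync"},
                new Object[]{IdentityProtectionType.WARN, false, "Warn, Default Sync"},
                new Object[]{IdentityProtectionType.PROTECTED, true, "Protected, Dynamic Sync"},
                new Object[]{IdentityProtectionType.PROTECTED, false, "Protected, Default Sync"});
    }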

    /**
     * Receives one parameter row from {@link #parameters()}.
     *
     * @param identityProtectionType protection level the external principal configuration is set up with
     * @param z whether dynamic membership is enabled in the sync configuration
     * @param str display name of the row; used by the runner for the test name only and not stored
     */
    public ExternalUserValidatorTest(@NotNull IdentityProtectionType identityProtectionType, boolean z, @NotNull String str) {
        isDynamic = z;
        type = identityProtectionType;
    }

    /**
     * Prepares the state shared by all tests: resolves the path of the local test user, logs in
     * once as {@code TestIdentityProvider.ID_TEST_USER} and records the path of the resulting
     * authorizable as the external user under test.
     */
    @Override
    public void before() throws Exception {
        super.before();
        localUserPath = getTestUser().getPath();

        // The session is closed right away: the login is only needed for its effect on the
        // repository, which the assertion below verifies (an authorizable must exist afterwards).
        SimpleCredentials externalCredentials = new SimpleCredentials(TestIdentityProvider.ID_TEST_USER, new char[0]);
        login(externalCredentials).close();
        root.refresh();

        Authorizable syncedUser = getUserManager(root).getAuthorizable(TestIdentityProvider.ID_TEST_USER);
        Assert.assertNotNull(syncedUser);
        externalUserPath = syncedUser.getPath();

        userManager = getUserManager(root);
        sysRoot = getSystemRoot();
    }

    /**
     * Configures the external principal support with the protection level of the current
     * parameter row.
     *
     * @return an immutable single-entry map keyed by {@code protectExternalIdentities}
     */
    @Override
    @NotNull
    protected Map<String, Object> getExternalPrincipalConfiguration() {
        Object protectionLabel = type.label;
        return Collections.singletonMap("protectExternalIdentities", protectionLabel);
    }

    /**
     * Builds the sync configuration of the base class and switches dynamic membership for users
     * on or off according to the current parameter row.
     *
     * @return the adjusted sync configuration
     */
    @Override
    @NotNull
    public DefaultSyncConfig createSyncConfig() {
        DefaultSyncConfig syncConfig = super.createSyncConfig();
        syncConfig.user().setDynamicMembership(isDynamic);
        return syncConfig;
    }

    /**
     * Tells whether a commit touching the external user is expected to be rejected.
     *
     * @return {@code true} only for {@code IdentityProtectionType.PROTECTED}; for the other
     *         types the tests expect the commit to succeed
     */
    private boolean exceptionExpected() {
        return IdentityProtectionType.PROTECTED == type;
    }

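    /**
     * Commits the pending changes of {@code root} and checks the outcome against the protection
     * level: with {@link #exceptionExpected()} the commit must fail with code 76, otherwise it
     * must succeed. The root is refreshed in either case so that rejected transient changes do
     * not leak into later assertions.
     */
    private void assertCommit() {
        boolean expectFailure = exceptionExpected();
        try {
            root.commit();
            if (expectFailure) {
                Assert.fail("CommitFailedException expected");
            }
        } catch (CommitFailedException e) {
            if (!expectFailure) {
                // Keep the rejected commit as cause: without it the report does not show which
                // validator refused the change.
                throw new AssertionError("No CommitFailedException expected.", e);
            }
            // 76 is the code the protected-identity rejection is expected to carry.
            Assert.assertEquals(76L, e.getCode());
        } finally {
            root.refresh();
        }
    }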

    /**
     * Control case: a local (non-external) user can be modified for every protection level.
     * All commits are plain {@code root.commit()} calls, so any rejection fails the test.
     */
    @Test
    public void testModifyLocalUser() throws Exception {
        Tree localUser = root.getTree(localUserPath);

        // add a property and a child node
        localUser.setProperty(TestIdentityProvider.DEFAULT_IDP_NAME, "value");
        TreeUtil.addChild(localUser, "child", "oak:Unstructured");
        root.commit();
        Assert.assertTrue(userManager.getAuthorizableByPath(localUserPath).hasProperty(TestIdentityProvider.DEFAULT_IDP_NAME));

        // modify the property
        localUser.setProperty(TestIdentityProvider.DEFAULT_IDP_NAME, "modified");
        root.commit();
        Assert.assertTrue(userManager.getAuthorizableByPath(localUserPath).hasProperty(TestIdentityProvider.DEFAULT_IDP_NAME));

        // remove the property and the child node again
        localUser.removeProperty(TestIdentityProvider.DEFAULT_IDP_NAME);
        localUser.getChild("child").remove();
        root.commit();
        Assert.assertFalse(userManager.getAuthorizableByPath(localUserPath).hasProperty(TestIdentityProvider.DEFAULT_IDP_NAME));
    }

    /**
     * Adding a new property to the external user node must only persist when the identity is
     * not protected.
     */
    @Test
    public void testAddProperty() throws Exception {
        Tree externalUser = root.getTree(externalUserPath);
        externalUser.setProperty(TestIdentityProvider.DEFAULT_IDP_NAME, "value");
        assertCommit();

        boolean mayPersist = !exceptionExpected();
        boolean persisted = userManager.getAuthorizableByPath(externalUserPath).hasProperty(TestIdentityProvider.DEFAULT_IDP_NAME);
        Assert.assertEquals(mayPersist, persisted);
    }

    /**
     * Changing the synced {@code name} property of the external user must be rolled back to the
     * synced value when the identity is protected.
     */
    @Test
    public void testModifyProperty() throws Exception {
        Tree externalUser = root.getTree(externalUserPath);
        Assert.assertTrue(externalUser.hasProperty("name"));

        externalUser.setProperty("name", "newValue");
        assertCommit();

        String expectedName;
        if (exceptionExpected()) {
            expectedName = "Test User";
        } else {
            expectedName = "newValue";
        }
        String actualName = userManager.getAuthorizableByPath(externalUserPath).getProperty("name")[0].getString();
        Assert.assertEquals(expectedName, actualName);
    }

    /**
     * Removing the synced {@code email} property of the external user must have no effect when
     * the identity is protected.
     */
    @Test
    public void testRemoveProperty() throws Exception {
        Tree externalUser = root.getTree(externalUserPath);
        Assert.assertTrue(externalUser.hasProperty("email"));

        externalUser.removeProperty("email");
        assertCommit();

        boolean mustSurvive = exceptionExpected();
        boolean stillPresent = userManager.getAuthorizableByPath(externalUserPath).hasProperty("email");
        Assert.assertEquals(mustSurvive, stillPresent);
    }

    /**
     * Protection must also cover the subtree of the external user: a property added below
     * {@code profile} may only persist when the identity is not protected.
     */
    @Test
    public void testAddPropertyInSubtree() throws Exception {
        Tree profile = root.getTree(externalUserPath).getChild("profile");
        // NOTE(review): the assertion looks the property up as "profile/test", so it relies on
        // DEFAULT_IDP_NAME having the value "test" - confirm against TestIdentityProvider.
        profile.setProperty(TestIdentityProvider.DEFAULT_IDP_NAME, "value");
        assertCommit();

        boolean mayPersist = !exceptionExpected();
        boolean persisted = userManager.getAuthorizableByPath(externalUserPath).hasProperty("profile/test");
        Assert.assertEquals(mayPersist, persisted);
    }

    /**
     * Changing {@code profile/age} below the external user must leave the previous value (72)
     * in place when the identity is protected.
     */
    @Test
    public void testModifyPropertyInSubtree() throws Exception {
        Tree profile = root.getTree(externalUserPath).getChild("profile");
        Assert.assertTrue(profile.hasProperty("age"));

        profile.setProperty("age", 90);
        assertCommit();

        long expectedAge;
        if (exceptionExpected()) {
            expectedAge = 72L;
        } else {
            expectedAge = 90L;
        }
        long actualAge = userManager.getAuthorizableByPath(externalUserPath).getProperty("profile/age")[0].getLong();
        Assert.assertEquals(expectedAge, actualAge);
    }

    /**
     * Removing {@code profile/age} below the external user must have no effect when the
     * identity is protected.
     */
    @Test
    public void testRemovePropertyInSubtree() throws Exception {
        Tree profile = root.getTree(externalUserPath).getChild("profile");
        Assert.assertTrue(profile.hasProperty("age"));

        profile.removeProperty("age");
        assertCommit();

        boolean mustSurvive = exceptionExpected();
        boolean stillPresent = userManager.getAuthorizableByPath(externalUserPath).hasProperty("profile/age");
        Assert.assertEquals(mustSurvive, stillPresent);
    }

    /**
     * Adding a child node below the external user's {@code profile} node may only persist when
     * the identity is not protected.
     */
    @Test
    public void testAddChildNode() throws Exception {
        Tree profile = root.getTree(externalUserPath).getChild("profile");
        TreeUtil.addChild(profile, "child", "oak:Unstructured");
        assertCommit();

        // assertCommit() refreshes the root, so the same Tree reflects the outcome of the commit
        boolean mayPersist = !exceptionExpected();
        Assert.assertEquals(mayPersist, profile.hasChild("child"));
    }

    /**
     * Removing the {@code profile} node of the external user must have no effect when the
     * identity is protected; survival is checked through {@code profile/age}.
     */
    @Test
    public void testRemoveChildNode() throws Exception {
        Tree profile = root.getTree(externalUserPath).getChild("profile");
        Assert.assertTrue(profile.exists());

        profile.remove();
        assertCommit();

        boolean mustSurvive = exceptionExpected();
        boolean stillPresent = userManager.getAuthorizableByPath(externalUserPath).hasProperty("profile/age");
        Assert.assertEquals(mustSurvive, stillPresent);
    }

    /**
     * Reordering the child nodes of the external user must be rejected when the identity is
     * protected. The second child is created through the system root, whose commit is not
     * wrapped in {@code assertCommit()} and therefore has to succeed for every protection level.
     */
    @Test
    public void testReorderChildNodes() throws Exception {
        // setup through the system root: add a second child next to "profile"
        Root systemRoot = getSystemRoot();
        systemRoot.refresh();
        Tree externalUserAsSystem = systemRoot.getTree(externalUserPath);
        externalUserAsSystem.getChild("profile"); // result is not used
        Tree nodeTypes = systemRoot.getTree("/jcr:system/jcr:nodeTypes");
        TreeUtil.addChild(externalUserAsSystem, "profile2", "nt:unstructured", nodeTypes, "id");
        systemRoot.commit();

        // the actual change under test, made through the regular root
        root.refresh();
        root.getTree(externalUserPath).getChild("profile2").orderBefore("profile");
        assertCommit();

        String expectedFirst;
        if (exceptionExpected()) {
            expectedFirst = "profile";
        } else {
            expectedFirst = "profile2";
        }
        Tree firstChild = root.getTree(externalUserPath).getChildren().iterator().next();
        Assert.assertEquals(expectedFirst, firstChild.getName());
    }

    /**
     * Adding a member to group {@code a} may only persist when the identity is not protected.
     *
     * <p>NOTE(review): when no group {@code a} exists the body is skipped and the test passes
     * without asserting anything, so a green result does not by itself show that membership
     * changes were checked for that parameter row.
     */
    @Test
    public void testModifyGroupMembership() throws Exception {
        Group groupA = getUserManager(root).getAuthorizable("a", Group.class);
        if (groupA == null) {
            return;
        }
        groupA.addMember(getTestUser());
        assertCommit();

        boolean mayPersist = !exceptionExpected();
        Assert.assertEquals(mayPersist, groupA.isMember(getTestUser()));
    }

    /**
     * Access control content on the external user node can be added and removed for every
     * protection level: all commits are plain {@code root.commit()} calls, so a rejection
     * fails the test.
     *
     * <p>NOTE(review): when no access control list is available for the path the body is
     * skipped and the test passes without asserting anything.
     */
    @Test
    public void testAddEditAcContent() throws Exception {
        JackrabbitAccessControlManager acMgr = getAccessControlManager(root);
        JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, externalUserPath);
        Privilege[] readPrivilege = privilegesFromNames(new String[]{"jcr:read"});
        if (acl == null) {
            return;
        }

        // grant jcr:read to everyone on the external user node
        acl.addAccessControlEntry(EveryonePrincipal.getInstance(), readPrivilege);
        acMgr.setPolicy(acl.getPath(), acl);
        root.commit();
        Assert.assertTrue(acMgr.hasPrivileges(externalUserPath, Collections.singleton(EveryonePrincipal.getInstance()), readPrivilege));

        // remove every entry of the everyone principal again, committing after each removal
        for (AccessControlEntry entry : acl.getAccessControlEntries()) {
            if (!EveryonePrincipal.getInstance().equals(entry.getPrincipal())) {
                continue;
            }
            acl.removeAccessControlEntry(entry);
            acMgr.setPolicy(acl.getPath(), acl);
            root.commit();
        }
        Assert.assertFalse(acMgr.hasPrivileges(externalUserPath, Collections.singleton(EveryonePrincipal.getInstance()), readPrivilege));
    }

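    /**
     * A property that another security configuration claims through its {@link Context} can be
     * added, modified and removed on the external user for every protection level: all commits
     * are plain {@code root.commit()} calls, so a rejection fails the test.
     *
     * <p>The mocked token configuration is registered with the composite token configuration of
     * the security provider for the duration of the test and removed again in {@code finally}.
     */
    @Test
    public void testCustomSecurityProperty() throws Exception {
        // context that declares the property "testtoken" as being defined by this configuration
        Context.Default customContext = new Context.Default() {
            @Override
            public boolean definesProperty(@NotNull Tree tree, @NotNull PropertyState propertyState) {
                return "testtoken".equals(propertyState.getName());
            }
        };
        TokenConfiguration customTokenConfig = Mockito.mock(TokenConfiguration.class);
        Mockito.when(customTokenConfig.getContext()).thenReturn(customContext);
        Mockito.when(customTokenConfig.getParameters()).thenReturn(ConfigurationParameters.EMPTY);

        // The lookup is typed as TokenConfiguration; the composite view needs an explicit cast
        // that is guarded by the instanceof assertion.
        TokenConfiguration registered = (TokenConfiguration) getSecurityProvider().getConfiguration(TokenConfiguration.class);
        Assert.assertTrue(registered instanceof CompositeConfiguration);
        @SuppressWarnings("unchecked") // element type follows from the TokenConfiguration lookup above
        CompositeConfiguration<TokenConfiguration> composite = (CompositeConfiguration<TokenConfiguration>) registered;

        composite.addConfiguration(customTokenConfig);
        try {
            Tree externalUser = root.getTree(externalUserPath);
            externalUser.setProperty("testtoken", "value");
            root.commit();
            externalUser.setProperty("testtoken", "modified");
            root.commit();
            externalUser.removeProperty("testtoken");
            root.commit();
        } finally {
            // always unregister the mock so it cannot influence other tests using the same provider
            composite.removeConfiguration(customTokenConfig);
        }
    }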

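    /**
     * Login tokens stored below the external user can be removed for every protection level:
     * all commits are plain {@code root.commit()} calls, so a rejection fails the test.
     *
     * <p>The JAAS configuration is swapped for {@link #getTokenConfiguration()} during the test
     * and restored in {@code finally}, because {@link Configuration#setConfiguration} changes
     * process-wide state.
     */
    @Test
    public void testRemoveTokens() throws Exception {
        Configuration previous = getConfiguration();
        try {
            Configuration.setConfiguration(getTokenConfiguration());

            // an empty ".token" attribute on the credentials requests a login token; the
            // assertion on the ".tokens" node below verifies that one was stored
            SimpleCredentials creds = new SimpleCredentials(TestIdentityProvider.ID_TEST_USER, "".toCharArray());
            creds.setAttribute(".token", "");
            getContentRepository().login(creds, (String) null).close();
            root.refresh();

            Tree tokens = root.getTree(externalUserPath).getChild(".tokens");
            Assert.assertTrue(tokens.exists());

            // remove every token node individually, then the parent
            for (Tree token : tokens.getChildren()) {
                token.remove();
                root.commit();
            }
            tokens.remove();
            root.commit();
            Assert.assertFalse(root.getTree(externalUserPath).hasChild(".tokens"));
        } finally {
            Configuration.setConfiguration(previous);
        }
    }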

    /**
     * Builds the JAAS configuration used by {@link #testRemoveTokens()}: the token login module
     * and the default login module are both {@code SUFFICIENT}, the external login module is
     * {@code REQUIRED} and receives the options of this test.
     *
     * @return a configuration that returns the same three entries for every application name
     */
    private Configuration getTokenConfiguration() {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String str) {
                AppConfigurationEntry tokenLogin = new AppConfigurationEntry(
                        TokenLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.SUFFICIENT,
                        Collections.emptyMap());
                AppConfigurationEntry defaultLogin = new AppConfigurationEntry(
                        LoginModuleImpl.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.SUFFICIENT,
                        Collections.emptyMap());
                AppConfigurationEntry externalLogin = new AppConfigurationEntry(
                        ExternalLoginModule.class.getName(),
                        AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                        ExternalUserValidatorTest.this.options);
                // order matters to JAAS: modules are consulted in array order
                return new AppConfigurationEntry[]{tokenLogin, defaultLogin, externalLogin};
            }
        };
    }

    /**
     * Creating a user node that carries {@code rep:externalId} by writing the tree directly
     * (i.e. not through a login) may only persist when the identity is not protected.
     */
    @Test
    public void testCreateExternalUser() throws Exception {
        ExternalUser secondUser = idp.getUser(TestIdentityProvider.ID_SECOND_USER);

        // hand-craft a rep:User node as sibling of the existing external user
        Tree usersFolder = root.getTree(externalUserPath).getParent();
        Tree nodeTypes = root.getTree("/jcr:system/jcr:nodeTypes");
        Tree forged = TreeUtil.addChild(usersFolder, TestIdentityProvider.DEFAULT_IDP_NAME, "rep:User", nodeTypes, "id");
        forged.setProperty("rep:authorizableId", secondUser.getId());
        forged.setProperty("rep:principalName", secondUser.getPrincipalName());
        forged.setProperty("rep:externalId", secondUser.getExternalId().getString());
        forged.setProperty("jcr:uuid", UUIDUtils.generateUUID(secondUser.getId().toLowerCase()));
        assertCommit();

        Authorizable created = getUserManager(root).getAuthorizable(secondUser.getId());
        if (!exceptionExpected()) {
            Assert.assertNotNull(created);
        } else {
            Assert.assertNull(created);
        }
    }

    /**
     * Same as creating a bare external user node by hand, but with a {@code profile} child
     * holding a property: the whole subtree may only persist when the identity is not protected.
     */
    @Test
    public void testCreateExternalUserWithSubtree() throws Exception {
        ExternalUser secondUser = idp.getUser(TestIdentityProvider.ID_SECOND_USER);

        // hand-craft a rep:User node as sibling of the existing external user
        Tree usersFolder = root.getTree(externalUserPath).getParent();
        Tree forged = TreeUtil.addChild(usersFolder, TestIdentityProvider.DEFAULT_IDP_NAME, "rep:User", root.getTree("/jcr:system/jcr:nodeTypes"), "id");
        forged.setProperty("rep:authorizableId", secondUser.getId());
        forged.setProperty("rep:principalName", secondUser.getPrincipalName());
        forged.setProperty("rep:externalId", secondUser.getExternalId().getString());
        forged.setProperty("jcr:uuid", UUIDUtils.generateUUID(secondUser.getId().toLowerCase()));

        // plus a profile subtree below the new node
        Tree profile = TreeUtil.addChild(forged, "profile", "nt:unstructured", root.getTree("/jcr:system/jcr:nodeTypes"), "id");
        profile.setProperty("name", "test-user");
        assertCommit();

        Authorizable created = getUserManager(root).getAuthorizable(secondUser.getId());
        if (!exceptionExpected()) {
            Assert.assertNotNull(created);
        } else {
            Assert.assertNull(created);
        }
    }

    /**
     * Adding the {@code mix:versionable} mixin to the external user node may only persist when
     * the identity is not protected.
     */
    @Test
    public void testAddMixin() throws Exception {
        Tree externalUser = root.getTree(externalUserPath);
        Tree nodeTypes = root.getTree("/jcr:system/jcr:nodeTypes");
        TreeUtil.addMixin(externalUser, "mix:versionable", nodeTypes, "id");
        assertCommit();

        boolean mayPersist = !exceptionExpected();
        boolean hasMixins = root.getTree(externalUserPath).hasProperty("jcr:mixinTypes");
        Assert.assertEquals(mayPersist, hasMixins);
    }

    /**
     * Adding the {@code mix:language} mixin together with its {@code jcr:language} property to
     * the external user node may only persist when the identity is not protected.
     */
    @Test
    public void testAddMixinWithProperty() throws Exception {
        Tree externalUser = root.getTree(externalUserPath);
        Tree nodeTypes = root.getTree("/jcr:system/jcr:nodeTypes");
        TreeUtil.addMixin(externalUser, "mix:language", nodeTypes, "id");
        externalUser.setProperty("jcr:language", "farsi");
        assertCommit();

        boolean mayPersist = !exceptionExpected();
        boolean hasMixins = root.getTree(externalUserPath).hasProperty("jcr:mixinTypes");
        Assert.assertEquals(mayPersist, hasMixins);
    }

    /**
     * Removing the external user node must have no effect when the identity is protected.
     */
    @Test
    public void testRemoveExternalUser() {
        Tree externalUser = root.getTree(externalUserPath);
        externalUser.remove();
        assertCommit();

        boolean mustSurvive = exceptionExpected();
        boolean stillExists = root.getTree(externalUserPath).exists();
        Assert.assertEquals(mustSurvive, stillExists);
    }

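    /**
     * Disabling the external user through the user management API may only persist (as
     * {@code rep:disabled}) when the identity is not protected.
     */
    @Test
    public void testDisable() throws Exception {
        Authorizable authorizable = getUserManager(root).getAuthorizableByPath(externalUserPath);
        Assert.assertNotNull(authorizable);
        Assert.assertFalse(authorizable.isGroup());

        // The path lookup is typed as Authorizable, so the User view needs an explicit cast;
        // the isGroup() assertion above guards it.
        User externalUser = (User) authorizable;
        externalUser.disable("disable");
        assertCommit();

        boolean mayPersist = !exceptionExpected();
        Assert.assertEquals(mayPersist, root.getTree(externalUserPath).hasProperty("rep:disabled"));
    }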

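    /**
     * Setting a local password on the external user may only persist (as {@code rep:password})
     * when the identity is not protected. With protection enabled the user node must stay
     * without a locally stored password.
     */
    @Test
    public void testChangePassword() throws Exception {
        Authorizable authorizable = getUserManager(root).getAuthorizableByPath(externalUserPath);
        Assert.assertNotNull(authorizable);
        Assert.assertFalse(authorizable.isGroup());

        // The path lookup is typed as Authorizable, so the User view needs an explicit cast;
        // the isGroup() assertion above guards it.
        User externalUser = (User) authorizable;
        externalUser.changePassword("something"); // fixture value, not a real credential
        assertCommit();

        boolean mayPersist = !exceptionExpected();
        Assert.assertEquals(mayPersist, root.getTree(externalUserPath).hasProperty("rep:password"));
    }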

    /**
     * Control case: an authorizable folder next to the external user is not an external
     * identity and can be added, modified and removed for every protection level. Each step is
     * verified through the system root after a refresh, i.e. against committed state.
     */
    @Test
    public void testAddModifyRemoveFolder() throws Exception {
        String parentPath = PathUtils.getParentPath(externalUserPath);
        Tree folder = TreeUtil.addChild(root.getTree(parentPath), "folder", "rep:AuthorizableFolder");
        String folderPath = folder.getPath();

        // add
        root.commit();
        sysRoot.refresh();
        Assert.assertTrue(sysRoot.getTree(folderPath).exists());

        // modify
        TreeUtil.addMixin(folder, "mix:versionable", root.getTree("/jcr:system/jcr:nodeTypes"), "id");
        root.commit();
        sysRoot.refresh();
        Assert.assertTrue(sysRoot.getTree(folderPath).hasProperty("jcr:mixinTypes"));

        // remove
        folder.remove();
        root.commit();
        sysRoot.refresh();
        Assert.assertFalse(sysRoot.getTree(folderPath).exists());
    }

    /**
     * The validator provider must refuse to be created for {@code IdentityProtectionType.NONE}
     * with an {@link IllegalArgumentException}, and must not touch any of its collaborators
     * while doing so. For the other parameter rows this test does nothing.
     */
    @Test
    public void testValidatorWithTypeNone() {
        if (type != IdentityProtectionType.NONE) {
            return;
        }
        RootProvider rootProvider = Mockito.mock(RootProvider.class);
        TreeProvider treeProvider = Mockito.mock(TreeProvider.class);
        SecurityProvider securityProvider = Mockito.mock(SecurityProvider.class);
        try {
            new ExternalUserValidatorProvider(rootProvider, treeProvider, securityProvider, type, ProtectionConfig.DEFAULT);
            Assert.fail("IllegalArgumentException expected");
        } catch (IllegalArgumentException expected) {
            // the rejection is the expected outcome
        } finally {
            // holds on every path: neither success nor failure may have used the mocks
            Mockito.verifyNoInteractions(rootProvider, treeProvider, securityProvider);
        }
    }
}
