package org.apache.jackrabbit.oak.spi.security.authentication.external.impl;

import java.util.Set;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentity;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityRef;
import org.apache.jackrabbit.oak.spi.security.authentication.external.SyncResult;
import org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncConfig;
import org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DynamicSyncContextTest;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.junit.Assert;
import org.junit.Test;

/* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authentication/external/impl/EnforceDynamicMembershipTest.class */
/**
 * Runs the {@link DynamicSyncContextTest} scenarios against a sync configuration that has
 * dynamic membership both enabled and enforced (see {@link #createSyncConfig()}).
 *
 * <p>Every scenario checks the same two outcomes after a sync: the user's tree carries the
 * {@code rep:externalPrincipalNames} property, and the groups declared by the external identity
 * can no longer be resolved through the {@link UserManager}, except for a group the scenario
 * expects to be kept.
 *
 * <p>NOTE(review): the "kept" cases look like guards against enforcement deleting groups that are
 * still referenced by someone else or that the IDP does not own. Confirm against
 * {@code DynamicSyncContext} before relying on this reading.
 */
public class EnforceDynamicMembershipTest extends DynamicSyncContextTest {

    /** Name of the property every scenario expects on the synced user's tree. */
    private static final String EXTERNAL_PRINCIPAL_NAMES_PROPERTY = "rep:externalPrincipalNames";

    /**
     * Builds the parent sync configuration and turns on dynamic membership plus its enforcement
     * for users.
     *
     * <p>This listing is decompiled; the decompiler recorded that the declared access modifier
     * was {@code protected} and has been widened to {@code public} here.
     *
     * @return the parent's configuration with both user flags set to {@code true}
     */
    @Override
    @NotNull
    public DefaultSyncConfig createSyncConfig() {
        DefaultSyncConfig config = super.createSyncConfig();
        config.user()
                .setDynamicMembership(true)
                .setEnforceDynamicMembership(true);
        return config;
    }

    /**
     * Syncs membership for user "third" using a declared-group set that differs from the
     * previously synced one, then expects none of the declared groups (new or old) to exist.
     */
    @Override
    @Test
    public void testSyncMembershipWithChangedExistingGroups() throws Exception {
        Authorizable thirdUser = userManager.getAuthorizable("third");

        // Same base user, but declaring groups "a", "aa" and "secondGroup".
        DynamicSyncContextTest.TestUserWithGroupRefs userWithChangedGroups =
                new DynamicSyncContextTest.TestUserWithGroupRefs(
                        previouslySyncedUser,
                        Set.of(
                                idp.getGroup("a").getExternalId(),
                                idp.getGroup("aa").getExternalId(),
                                idp.getGroup("secondGroup").getExternalId()));

        // Third argument is presumably the nesting depth (TODO confirm against syncMembership).
        syncContext.syncMembership(userWithChangedGroups, thirdUser, 1L);

        assertExternalPrincipalNamesPresent(thirdUser);
        assertMigratedGroups(userManager, userWithChangedGroups, null);
        assertMigratedGroups(userManager, previouslySyncedUser, null);
    }

    /**
     * Gives the first declared group of the previously synced user an extra member before a
     * forced sync, then expects exactly that group to still exist while the other declared groups
     * are gone.
     */
    @Override
    @Test
    public void testSyncExternalUserExistingGroups() throws Exception {
        ExternalIdentityRef sharedGroupRef =
                (ExternalIdentityRef) previouslySyncedUser.getDeclaredGroups().iterator().next();
        Group sharedGroup = userManager.getAuthorizable(sharedGroupRef.getId(), Group.class);
        sharedGroup.addMember(userManager.createGroup("someOtherMember"));
        r.commit();

        forceSyncPreviouslySyncedUser();

        Authorizable thirdUser = userManager.getAuthorizable("third");
        Assert.assertNotNull(thirdUser);
        assertExternalPrincipalNamesPresent(thirdUser);
        assertDynamicMembership(previouslySyncedUser, 1L);
        // Only the group that gained the additional member is expected to remain resolvable.
        assertMigratedGroups(userManager, previouslySyncedUser, sharedGroupRef);
    }

    /**
     * Adds user "third" to a locally created group "anotherGroup" before a forced sync, then
     * expects that group and the user's membership in it to be untouched while every declared
     * group is gone.
     *
     * <p>NOTE(review): "anotherGroup" is created directly through the {@link UserManager};
     * presumably it stands in for a group not owned by this IDP. Confirm.
     */
    @Test
    public void testGroupFromDifferentIDP() throws Exception {
        Authorizable thirdUser = userManager.getAuthorizable("third");
        userManager.createGroup("anotherGroup").addMember(thirdUser);
        r.commit();

        forceSyncPreviouslySyncedUser();
        r.commit();

        assertExternalPrincipalNamesPresent(thirdUser);
        assertDynamicMembership(previouslySyncedUser, 1L);
        assertMigratedGroups(userManager, previouslySyncedUser, null);

        Group unrelatedGroup = userManager.getAuthorizable("anotherGroup", Group.class);
        Assert.assertNotNull(unrelatedGroup);
        Assert.assertTrue(unrelatedGroup.isMember(thirdUser));
    }

    /**
     * Sets the membership expiration time to -1, syncs the previously synced user through a new
     * {@link DynamicSyncContext} with forced user sync, and asserts the result status is
     * {@code UPDATE}.
     */
    private void forceSyncPreviouslySyncedUser() throws Exception {
        // presumably -1 makes the stored membership count as expired; verify against the config
        syncConfig.user().setMembershipExpirationTime(-1L);
        DynamicSyncContext forcedContext =
                new DynamicSyncContext(syncConfig, idp, userManager, valueFactory);
        forcedContext.setForceUserSync(true);
        SyncResult result = forcedContext.sync(previouslySyncedUser);
        Assert.assertSame(SyncResult.Status.UPDATE, result.getStatus());
    }

    /** Asserts that the tree at the authorizable's path has {@code rep:externalPrincipalNames}. */
    private void assertExternalPrincipalNamesPresent(Authorizable authorizable) throws Exception {
        Assert.assertTrue(
                r.getTree(authorizable.getPath()).hasProperty(EXTERNAL_PRINCIPAL_NAMES_PROPERTY));
    }

    /**
     * Asserts that the groups declared by {@code externalIdentity} are no longer resolvable as
     * {@link Group}s, apart from the one equal to {@code retainedRef}, which must resolve.
     *
     * @param userManager manager used to look each declared group up by id
     * @param externalIdentity identity whose declared group references are checked
     * @param retainedRef reference of the single group expected to still exist, or {@code null}
     *     when every declared group is expected to be gone
     */
    private static void assertMigratedGroups(@NotNull UserManager userManager, @NotNull ExternalIdentity externalIdentity, @Nullable ExternalIdentityRef retainedRef) throws Exception {
        for (ExternalIdentityRef declaredRef : externalIdentity.getDeclaredGroups()) {
            Group localGroup = userManager.getAuthorizable(declaredRef.getId(), Group.class);
            if (!declaredRef.equals(retainedRef)) {
                Assert.assertNull(localGroup);
                continue;
            }
            Assert.assertNotNull(localGroup);
        }
    }
}
