package org.apache.jackrabbit.oak.spi.security.authentication.external.impl.principal;

import java.lang.annotation.Annotation;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import javax.jcr.RepositoryException;
import javax.jcr.Value;
import javax.jcr.nodetype.ConstraintViolationException;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.guava.common.collect.ImmutableMap;
import org.apache.jackrabbit.oak.spi.security.authentication.external.AbstractExternalAuthTest;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityRef;
import org.apache.jackrabbit.oak.spi.security.authentication.external.SyncHandler;
import org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DefaultSyncHandler;
import org.apache.jackrabbit.oak.spi.security.authentication.external.impl.SyncHandlerMapping;
import org.apache.jackrabbit.oak.spi.security.authentication.external.impl.principal.ExternalAuthorizableActionProvider;
import org.apache.jackrabbit.oak.spi.security.user.action.GroupAction;
import org.apache.sling.testing.mock.osgi.MapUtil;
import org.jetbrains.annotations.NotNull;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.Parameterized;
import org.mockito.Mockito;
import org.osgi.framework.ServiceReference;
import org.osgi.framework.ServiceRegistration;

@RunWith(Parameterized.class)
/* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/ExternalAuthorizableActionProviderTest.class */
public class ExternalAuthorizableActionProviderTest extends AbstractExternalAuthTest {
    private static final String IDP_NAME = "idp1";
    private static final String LOCAL_GROUP_ID = "localGroup";
    private final ExternalAuthorizableActionProvider eap = new ExternalAuthorizableActionProvider();
    private final Group localGroup = (Group) Mockito.mock(Group.class);
    private final Group externalGroup = (Group) Mockito.mock(Group.class);
    private final Authorizable externalUser = (Authorizable) Mockito.mock(Authorizable.class);
    private SyncHandler sh;
    private SyncHandlerMapping shMapping;
    private final boolean failOnViolation;

    @Parameterized.Parameters(name = "name={1}")
    public static Collection<Object[]> parameters() {
        return List.of(new Object[]{true, "Fail"}, new Object[]{false, "Only Warn"});
    }

    public ExternalAuthorizableActionProviderTest(boolean z, String str) {
        this.failOnViolation = z;
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authentication.external.AbstractExternalAuthTest
    @Before
    public void before() throws Exception {
        super.before();
        this.eap.activate(this.context.bundleContext(), new ExternalAuthorizableActionProvider.Configuration() { // from class: org.apache.jackrabbit.oak.spi.security.authentication.external.impl.principal.ExternalAuthorizableActionProviderTest.1
            public Class<? extends Annotation> annotationType() {
                return Annotation.class;
            }

            public boolean failAddMembersForDifferentIdp() {
                return ExternalAuthorizableActionProviderTest.this.failOnViolation;
            }
        });
        ((Group) Mockito.doReturn(LOCAL_GROUP_ID).when(this.localGroup)).getID();
        ((Group) Mockito.doReturn("externalGroup").when(this.externalGroup)).getID();
        Mockito.when(this.externalUser.getProperty("rep:externalId")).thenReturn(new Value[]{getValueFactory(this.root).createValue(new ExternalIdentityRef("externalUserId", IDP_NAME).getString())});
        Mockito.when(Boolean.valueOf(this.externalUser.isGroup())).thenReturn(false);
        Mockito.when(this.externalGroup.getProperty("rep:externalId")).thenReturn(new Value[]{getValueFactory(this.root).createValue(new ExternalIdentityRef("externalGroupId", IDP_NAME).getString())});
        Mockito.when(Boolean.valueOf(this.externalGroup.isGroup())).thenReturn(true);
        this.sh = new DefaultSyncHandler();
        this.shMapping = new SyncHandlerMapping() { // from class: org.apache.jackrabbit.oak.spi.security.authentication.external.impl.principal.ExternalAuthorizableActionProviderTest.2
        };
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authentication.external.AbstractExternalAuthTest
    @After
    public void after() throws Exception {
        try {
            Mockito.reset(new Authorizable[]{this.localGroup, this.externalGroup, this.externalUser});
        } finally {
            super.after();
        }
    }

    private GroupAction getGroupAction() {
        return (GroupAction) this.eap.getAuthorizableActions(getSecurityProvider()).get(0);
    }

    @Test
    public void testGetActions() {
        List authorizableActions = this.eap.getAuthorizableActions(getSecurityProvider());
        Assert.assertEquals(1L, authorizableActions.size());
        Assert.assertTrue(authorizableActions.get(0) instanceof GroupAction);
    }

    @Test
    public void testMemberNotExternal() throws Exception {
        GroupAction groupAction = getGroupAction();
        groupAction.onMemberAdded(this.localGroup, getTestUser(), this.root, getNamePathMapper());
        groupAction.onMemberAdded(this.externalGroup, getTestUser(), this.root, getNamePathMapper());
        Mockito.verifyNoInteractions(new Object[]{this.localGroup});
        Mockito.verifyNoInteractions(new Object[]{this.externalGroup});
    }

    @Test
    public void testSameIDP() throws Exception {
        getGroupAction().onMemberAdded(this.externalGroup, this.externalUser, this.root, getNamePathMapper());
        ((Group) Mockito.verify(this.externalGroup)).getProperty("rep:externalId");
        Mockito.verifyNoMoreInteractions(new Object[]{this.externalGroup});
    }

    @Test
    public void testUserMamaberGroupInUserAutomembership() throws Exception {
        registerSyncHandlerSyncMapping(IDP_NAME, LOCAL_GROUP_ID, true);
        GroupAction groupAction = getGroupAction();
        groupAction.onMemberAdded(this.localGroup, this.externalUser, this.root, getNamePathMapper());
        ((Group) Mockito.verify(this.localGroup)).getProperty("rep:externalId");
        ((Group) Mockito.verify(this.localGroup)).getID();
        Mockito.verifyNoMoreInteractions(new Object[]{this.localGroup});
        groupAction.onMemberAdded(this.localGroup, this.externalUser, this.root, getNamePathMapper());
        ((Group) Mockito.verify(this.localGroup, Mockito.times(2))).getProperty("rep:externalId");
        ((Group) Mockito.verify(this.localGroup, Mockito.times(2))).getID();
        Mockito.verifyNoMoreInteractions(new Object[]{this.localGroup});
    }

    @Test
    public void testUserMemberGroupInGroupAutomembership() throws Exception {
        registerSyncHandlerSyncMapping(IDP_NAME, LOCAL_GROUP_ID, false);
        assertViolationDetected(this.externalUser);
        verifyInvocations();
    }

    @Test
    public void testGroupMemberGroupInAutomembership() throws Exception {
        registerSyncHandlerSyncMapping(IDP_NAME, LOCAL_GROUP_ID, false);
        GroupAction groupAction = getGroupAction();
        groupAction.onMemberAdded(this.localGroup, this.externalGroup, this.root, getNamePathMapper());
        ((Group) Mockito.verify(this.localGroup)).getProperty("rep:externalId");
        ((Group) Mockito.verify(this.localGroup)).getID();
        Mockito.verifyNoMoreInteractions(new Object[]{this.localGroup});
        groupAction.onMemberAdded(this.localGroup, this.externalGroup, this.root, getNamePathMapper());
        ((Group) Mockito.verify(this.localGroup, Mockito.times(2))).getProperty("rep:externalId");
        ((Group) Mockito.verify(this.localGroup, Mockito.times(2))).getID();
        Mockito.verifyNoMoreInteractions(new Object[]{this.localGroup});
    }

    @Test
    public void testGroupMemberGroupInUserAutomembership() throws Exception {
        registerSyncHandlerSyncMapping(IDP_NAME, LOCAL_GROUP_ID, true);
        assertViolationDetected(this.externalGroup);
        verifyInvocations();
    }

    @Test
    public void testGroupInAutomembershipDifferentIDP() throws Exception {
        registerSyncHandlerSyncMapping("anotherIDP", LOCAL_GROUP_ID, true);
        assertViolationDetected(this.externalUser);
        verifyInvocations();
    }

    @Test
    public void testGroupNotInAutomembership() throws Exception {
        registerSyncHandlerSyncMapping(IDP_NAME, "anotherGroup", false);
        assertViolationDetected(this.externalGroup);
        verifyInvocations();
    }

    @Test
    public void testModifySyncHandler() throws Exception {
        ServiceRegistration registerService = this.context.bundleContext().registerService(SyncHandler.class.getName(), this.sh, MapUtil.toDictionary(createSyncConfig(LOCAL_GROUP_ID, true)));
        this.context.registerService(SyncHandlerMapping.class, this.shMapping, new Object[]{MapUtil.toDictionary(createMappingConfig(IDP_NAME))});
        getGroupAction().onMemberAdded(this.localGroup, this.externalUser, this.root, getNamePathMapper());
        registerService.setProperties(MapUtil.toDictionary(createSyncConfig("anotherGroup", true)));
        Field declaredField = ExternalAuthorizableActionProvider.class.getDeclaredField("automembershipTracker");
        declaredField.setAccessible(true);
        Object obj = declaredField.get(this.eap);
        Method declaredMethod = obj.getClass().getDeclaredMethod("modifiedService", ServiceReference.class, Object.class);
        declaredMethod.setAccessible(true);
        declaredMethod.invoke(obj, registerService.getReference(), this.sh);
        assertViolationDetected(this.externalUser);
    }

    @Test
    public void testRemoveSyncHandler() throws RepositoryException {
        ServiceRegistration registerService = this.context.bundleContext().registerService(SyncHandler.class.getName(), this.sh, MapUtil.toDictionary(createSyncConfig(LOCAL_GROUP_ID, false)));
        this.context.registerService(SyncHandlerMapping.class, this.shMapping, new Object[]{MapUtil.toDictionary(createMappingConfig(IDP_NAME))});
        getGroupAction().onMemberAdded(this.localGroup, this.externalGroup, this.root, getNamePathMapper());
        registerService.unregister();
        assertViolationDetected(this.externalGroup);
    }

    @Test
    public void testDuplicateSyncHandlerMapping() throws Exception {
        registerSyncHandlerSyncMapping("anotherIdpName", LOCAL_GROUP_ID, true);
        this.context.registerService(SyncHandlerMapping.class, new SyncHandlerMapping() { // from class: org.apache.jackrabbit.oak.spi.security.authentication.external.impl.principal.ExternalAuthorizableActionProviderTest.3
        }, createMappingConfig("anotherIdpName"));
        assertViolationDetected(this.externalUser);
    }

    @Test
    public void testCollidingSyncHandler() throws Exception {
        registerSyncHandlerSyncMapping("anotherIdpName", LOCAL_GROUP_ID, true);
        this.context.registerInjectActivateService(new DefaultSyncHandler(), createSyncConfig("anotherGroupId", true));
        assertViolationDetected(this.externalUser);
    }

    @Test
    public void testDeactivate() throws RepositoryException {
        assertViolationDetected(this.externalUser);
        this.eap.deactivate();
        registerSyncHandlerSyncMapping(IDP_NAME, LOCAL_GROUP_ID, true);
        assertViolationDetected(this.externalUser);
    }

    @Test
    public void testDeactivatePriorToActivate() throws RepositoryException {
        ExternalAuthorizableActionProvider externalAuthorizableActionProvider = new ExternalAuthorizableActionProvider();
        externalAuthorizableActionProvider.deactivate();
        registerSyncHandlerSyncMapping(IDP_NAME, LOCAL_GROUP_ID, true);
        assertViolationDetected(this.externalUser, (GroupAction) externalAuthorizableActionProvider.getAuthorizableActions(getSecurityProvider()).get(0), false);
    }

    private void assertViolationDetected(@NotNull Authorizable authorizable) throws RepositoryException {
        assertViolationDetected(authorizable, getGroupAction(), this.failOnViolation);
    }

    private void assertViolationDetected(@NotNull Authorizable authorizable, @NotNull GroupAction groupAction, boolean z) throws RepositoryException {
        try {
            groupAction.onMemberAdded(this.localGroup, authorizable, this.root, getNamePathMapper());
            if (z) {
                Assert.fail("ConstraintViolationException expected");
            }
        } catch (ConstraintViolationException e) {
            if (z) {
                return;
            }
            Assert.fail("No ConstraintViolationException expected");
        }
    }

    private void verifyInvocations() throws RepositoryException {
        ((Group) Mockito.verify(this.localGroup)).getProperty("rep:externalId");
        ((Group) Mockito.verify(this.localGroup)).getID();
        Mockito.verifyNoMoreInteractions(new Object[]{this.localGroup});
    }

    private void registerSyncHandlerSyncMapping(@NotNull String str, @NotNull String str2, boolean z) {
        this.context.registerInjectActivateService(this.sh, createSyncConfig(str2, z));
        this.context.registerService(SyncHandlerMapping.class, this.shMapping, createMappingConfig(str));
    }

    private static Map<String, Object> createSyncConfig(@NotNull String str, boolean z) {
        return ImmutableMap.of("handler.name", "sh", z ? "user.autoMembership" : "group.autoMembership", new String[]{str});
    }

    private static Map<String, Object> createMappingConfig(@NotNull String str) {
        return ImmutableMap.of("idp.name", str, "sync.handlerName", "sh");
    }
}
