package org.apache.jackrabbit.oak.spi.security.authentication.external.impl;

import java.security.Principal;
import java.util.Arrays;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.stream.Collectors;
import javax.jcr.RepositoryException;
import org.apache.jackrabbit.api.security.principal.ItemBasedPrincipal;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.guava.common.collect.ImmutableList;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalGroup;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentity;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityProvider;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityRef;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalUser;
import org.apache.jackrabbit.oak.spi.security.authentication.external.SyncResult;
import org.apache.jackrabbit.oak.spi.security.authentication.external.TestIdentityProvider;
import org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncConfig;
import org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DynamicSyncContextTest;
import org.apache.jackrabbit.oak.spi.security.authentication.external.impl.PrincipalResolutionTest;
import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
import org.jetbrains.annotations.NotNull;
import org.junit.Assert;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.Parameterized;

@RunWith(Parameterized.class)
/* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicGroupsTest.class */
public class DynamicGroupsTest extends DynamicSyncContextTest {
    private final long membershipNestingDepth;
    private final boolean isPrincipalNameResolver;

    @Parameterized.Parameters(name = "name={2}")
    public static Collection<Object[]> parameters() {
        return List.of(new Object[]{0, false, "Membership-Nesting-Depth=0"}, new Object[]{1, false, "Membership-Nesting-Depth=1"}, new Object[]{1, true, "Membership-Nesting-Depth=1, IDP implements PrincipalNameResolver"}, new Object[]{2, false, "Membership-Nesting-Depth=2"});
    }

    public DynamicGroupsTest(long j, boolean z, @NotNull String str) {
        this.membershipNestingDepth = j;
        this.isPrincipalNameResolver = z;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.jackrabbit.oak.spi.security.authentication.external.AbstractExternalAuthTest
    @NotNull
    public ExternalIdentityProvider createIDP() {
        return this.isPrincipalNameResolver ? new PrincipalResolutionTest.PrincipalResolvingIDP() : super.createIDP();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.jackrabbit.oak.spi.security.authentication.external.impl.AbstractDynamicTest, org.apache.jackrabbit.oak.spi.security.authentication.external.AbstractExternalAuthTest
    @NotNull
    public DefaultSyncConfig createSyncConfig() {
        DefaultSyncConfig createSyncConfig = super.createSyncConfig();
        createSyncConfig.group().setDynamicGroups(true);
        createSyncConfig.user().setMembershipNestingDepth(this.membershipNestingDepth);
        return createSyncConfig;
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DynamicSyncContextTest
    @Test
    public void testSyncExternalGroup() throws Exception {
        ExternalGroup group = this.idp.getGroup("aaa");
        this.syncContext.sync(group);
        Assert.assertNotNull(this.userManager.getAuthorizable(group.getId()));
        Assert.assertTrue(this.r.hasPendingChanges());
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DynamicSyncContextTest
    @Test
    public void testSyncExternalUserExistingGroups() throws Exception {
        Authorizable authorizable = this.userManager.getAuthorizable(this.previouslySyncedUser.getId());
        assertSyncedMembership(this.userManager, authorizable, this.previouslySyncedUser, Long.MAX_VALUE);
        this.syncContext.setForceUserSync(true);
        this.syncConfig.user().setMembershipExpirationTime(-1L);
        this.syncContext.sync(this.previouslySyncedUser);
        Assert.assertTrue(this.r.getTree(authorizable.getPath()).hasProperty("rep:externalPrincipalNames"));
        assertSyncedMembership(this.userManager, authorizable, this.previouslySyncedUser);
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DynamicSyncContextTest
    @Test
    public void testSyncMembershipWithEmptyExistingGroups() throws Exception {
        Authorizable authorizable = this.userManager.getAuthorizable("third");
        DynamicSyncContextTest.TestUserWithGroupRefs testUserWithGroupRefs = new DynamicSyncContextTest.TestUserWithGroupRefs(this.previouslySyncedUser, Set.of());
        this.syncContext.syncMembership(testUserWithGroupRefs, authorizable, this.membershipNestingDepth);
        assertSyncedMembership(this.userManager, authorizable, testUserWithGroupRefs, this.membershipNestingDepth);
        Assert.assertTrue(this.r.getTree(authorizable.getPath()).hasProperty("rep:externalPrincipalNames"));
        Assert.assertEquals(0L, r0.getProperty("rep:externalPrincipalNames").count());
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authentication.external.impl.DynamicSyncContextTest
    @Test
    public void testSyncMembershipWithChangedExistingGroups() throws Exception {
        Authorizable authorizable = this.userManager.getAuthorizable("third");
        DynamicSyncContextTest.TestUserWithGroupRefs testUserWithGroupRefs = new DynamicSyncContextTest.TestUserWithGroupRefs(this.previouslySyncedUser, Set.of(this.idp.getGroup("a").getExternalId(), this.idp.getGroup("aa").getExternalId(), this.idp.getGroup("secondGroup").getExternalId()));
        this.syncContext.syncMembership(testUserWithGroupRefs, authorizable, this.membershipNestingDepth);
        Tree tree = this.r.getTree(authorizable.getPath());
        Assert.assertTrue(tree.hasProperty("rep:externalPrincipalNames"));
        Set<String> expectedSyncedGroupIds = getExpectedSyncedGroupIds(this.membershipNestingDepth, this.idp, testUserWithGroupRefs);
        Assert.assertEquals(expectedSyncedGroupIds.size(), tree.getProperty("rep:externalPrincipalNames").count());
        assertMigratedGroups(this.previouslySyncedUser, tree);
        if (this.membershipNestingDepth != 0) {
            assertMigratedGroups(testUserWithGroupRefs, tree);
            return;
        }
        Iterator<String> it = expectedSyncedGroupIds.iterator();
        while (it.hasNext()) {
            Assert.assertNull(this.userManager.getAuthorizable(it.next()));
        }
    }

    private void assertMigratedGroups(@NotNull ExternalIdentity externalIdentity, @NotNull Tree tree) throws Exception {
        Iterator it = externalIdentity.getDeclaredGroups().iterator();
        while (it.hasNext()) {
            Group authorizable = this.userManager.getAuthorizable(((ExternalIdentityRef) it.next()).getId(), Group.class);
            Assert.assertNotNull(authorizable);
            Assert.assertFalse(hasStoredMembershipInformation(this.r.getTree(authorizable.getPath()), tree));
        }
    }

    @Test
    public void testSyncNewGroup() throws Exception {
        TestIdentityProvider.TestGroup testGroup = new TestIdentityProvider.TestGroup("newGroup", this.idp.getName());
        ((TestIdentityProvider) this.idp).addGroup(testGroup);
        sync(testGroup, SyncResult.Status.ADD);
        Assert.assertNotNull(this.userManager.getAuthorizable("newGroup"));
    }

    @Test
    public void testReSyncUserMembershipExpired() throws Exception {
        boolean isForceGroupSync = this.syncContext.isForceGroupSync();
        boolean isForceUserSync = this.syncContext.isForceUserSync();
        long membershipExpirationTime = this.syncConfig.user().getMembershipExpirationTime();
        try {
            this.syncContext.setForceGroupSync(true).setForceUserSync(true);
            this.syncConfig.user().setMembershipExpirationTime(-1L);
            sync(this.idp.getUser("third"), SyncResult.Status.UPDATE);
            User authorizable = this.userManager.getAuthorizable("third", User.class);
            Assert.assertNotNull(authorizable);
            Assert.assertTrue(authorizable.hasProperty("rep:externalPrincipalNames"));
            Set set = (Set) Arrays.stream(authorizable.getProperty("rep:externalPrincipalNames")).filter((v0) -> {
                return Objects.nonNull(v0);
            }).map(value -> {
                try {
                    return value.getString();
                } catch (RepositoryException e) {
                    return "";
                }
            }).collect(Collectors.toSet());
            Set<String> expectedSyncedGroupIds = getExpectedSyncedGroupIds(this.membershipNestingDepth, this.idp, this.previouslySyncedUser);
            Assert.assertEquals(expectedSyncedGroupIds.size(), set.size());
            Tree tree = this.r.getTree(authorizable.getPath());
            Iterator<String> it = getExpectedSyncedGroupIds(Long.MAX_VALUE, this.idp, this.previouslySyncedUser).iterator();
            while (it.hasNext()) {
                Group authorizable2 = this.userManager.getAuthorizable(it.next(), Group.class);
                Assert.assertNotNull(authorizable2);
                Assert.assertFalse(hasStoredMembershipInformation(this.r.getTree(authorizable2.getPath()), tree));
                boolean contains = expectedSyncedGroupIds.contains(authorizable2.getID());
                Assert.assertEquals(Boolean.valueOf(contains), Boolean.valueOf(authorizable2.isDeclaredMember(authorizable)));
                Assert.assertEquals(Boolean.valueOf(contains), Boolean.valueOf(set.contains(authorizable2.getPrincipal().getName())));
            }
        } finally {
            this.syncContext.setForceGroupSync(isForceGroupSync).setForceUserSync(isForceUserSync);
            this.syncConfig.user().setMembershipExpirationTime(membershipExpirationTime);
        }
    }

    @Test
    public void testReSyncGroupCreatedPriorToEnabledDynamic() throws Exception {
        boolean isForceGroupSync = this.syncContext.isForceGroupSync();
        String id = ((ExternalIdentityRef) this.previouslySyncedUser.getDeclaredGroups().iterator().next()).getId();
        try {
            this.syncContext.setForceGroupSync(true);
            sync(this.idp.getGroup(id), SyncResult.Status.UPDATE);
            Group authorizable = this.userManager.getAuthorizable(id, Group.class);
            Assert.assertNotNull(authorizable);
            User authorizable2 = this.userManager.getAuthorizable("third", User.class);
            Assert.assertNotNull(authorizable2);
            Assert.assertTrue(authorizable.isMember(authorizable2));
            Tree tree = this.r.getTree(authorizable.getPath());
            Assert.assertTrue(tree.hasProperty("rep:members"));
            Assert.assertFalse(tree.hasChild("rep:membersList"));
            this.syncContext.setForceGroupSync(isForceGroupSync);
        } catch (Throwable th) {
            this.syncContext.setForceGroupSync(isForceGroupSync);
            throw th;
        }
    }

    @Test
    public void testGroupPrincipalLookup() throws Exception {
        ExternalUser user = this.idp.getUser(TestIdentityProvider.ID_TEST_USER);
        sync(user, SyncResult.Status.ADD);
        PrincipalManager principalManager = getPrincipalManager(this.r);
        for (ExternalIdentityRef externalIdentityRef : getExpectedSyncedGroupRefs(this.membershipNestingDepth, this.idp, user)) {
            Principal principal = principalManager.getPrincipal(this.idp.getIdentity(externalIdentityRef).getPrincipalName());
            Assert.assertNotNull(principal);
            Assert.assertTrue(principal instanceof ItemBasedPrincipal);
            Authorizable authorizable = this.userManager.getAuthorizable(principal);
            Assert.assertNotNull(authorizable);
            Assert.assertTrue(authorizable.isGroup());
            Assert.assertEquals(externalIdentityRef.getId(), authorizable.getID());
        }
    }

    @Test
    public void testCrossIDPMembership() throws Exception {
        UserManager userManager = getUserManager(this.r);
        PrincipalManager principalManager = getPrincipalManager(this.r);
        ImmutableList copyOf = ImmutableList.copyOf(this.previouslySyncedUser.getDeclaredGroups());
        Assert.assertTrue(copyOf.size() > 1);
        String id = ((ExternalIdentityRef) copyOf.get(0)).getId();
        String id2 = ((ExternalIdentityRef) copyOf.get(1)).getId();
        Group createGroup = userManager.createGroup("localGroup");
        createGroup.addMembers(new String[]{id, id2});
        userManager.createGroup(EveryonePrincipal.getInstance());
        this.r.commit();
        Assert.assertTrue(getIds(userManager.getAuthorizable("third").memberOf()).contains(createGroup.getID()));
        this.syncContext.setForceUserSync(true);
        this.syncContext.setForceGroupSync(true);
        this.syncContext.sync(this.idp.getUser("third"));
        Authorizable authorizable = userManager.getAuthorizable("third");
        Assert.assertTrue(this.r.getTree(authorizable.getPath()).hasProperty("rep:externalPrincipalNames"));
        List<String> ids = getIds(authorizable.memberOf());
        if (this.membershipNestingDepth == 0) {
            Assert.assertFalse(ids.contains("localGroup"));
            Assert.assertFalse(createGroup.isMember(authorizable));
        } else {
            Assert.assertEquals("Found " + ids, this.membershipNestingDepth > 1 ? 5L : 4L, ids.size());
            Assert.assertTrue(ids.contains("localGroup"));
            Assert.assertTrue(createGroup.isMember(authorizable));
            for (String str : new String[]{id, id2}) {
                Authorizable authorizable2 = userManager.getAuthorizable(str);
                Assert.assertTrue(getIds(authorizable2.declaredMemberOf()).contains("localGroup"));
                Assert.assertTrue(createGroup.isMember(authorizable2));
            }
        }
        List<String> principalNames = getPrincipalNames(principalManager.getGroupMembership(authorizable.getPrincipal()));
        Assert.assertEquals(Boolean.valueOf(this.membershipNestingDepth != 0), Boolean.valueOf(principalNames.contains(createGroup.getPrincipal().getName())));
        Iterator it = copyOf.iterator();
        while (it.hasNext()) {
            Assert.assertEquals(Boolean.valueOf(this.membershipNestingDepth != 0), Boolean.valueOf(principalNames.contains(this.idp.getIdentity((ExternalIdentityRef) it.next()).getPrincipalName())));
        }
        Authorizable authorizable3 = this.userManager.getAuthorizable(id);
        if (authorizable3 != null) {
            Assert.assertTrue(getPrincipalNames(principalManager.getGroupMembership(authorizable3.getPrincipal())).contains(createGroup.getPrincipal().getName()));
        }
    }
}
