package org.apache.jackrabbit.oak.spi.security.authentication.external.impl.principal;

import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.UUID;
import javax.jcr.SimpleCredentials;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.guava.common.collect.ImmutableMap;
import org.apache.jackrabbit.oak.api.ContentSession;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.security.authentication.token.TokenLoginModule;
import org.apache.jackrabbit.oak.security.authentication.user.LoginModuleImpl;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentity;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityRef;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalLoginTestBase;
import org.apache.jackrabbit.oak.spi.security.authentication.external.SyncHandler;
import org.apache.jackrabbit.oak.spi.security.authentication.external.TestIdentityProvider;
import org.apache.jackrabbit.oak.spi.security.authentication.external.impl.ExternalLoginModule;
import org.apache.jackrabbit.oak.spi.security.authentication.external.impl.SyncHandlerMapping;
import org.apache.jackrabbit.oak.spi.whiteboard.WhiteboardUtils;
import org.jetbrains.annotations.NotNull;
import org.junit.Assert;
import org.junit.Test;

/* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/ExternalLoginCachedDynamicMembershipTest.class */
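/**
 * Login tests for {@link ExternalLoginModule} with dynamic membership and dynamic groups
 * enabled and the user-side principal cache switched on (see
 * {@link #getSecurityConfigParameters()}).
 *
 * <p>Both tests log in as {@link TestIdentityProvider#ID_TEST_USER} and then inspect the
 * {@code rep:cache} node below the synced user. The cached principal names feed the set of
 * principals a session is evaluated with, so a wrong or stale entry changes what the session
 * may access; that is why the cache content is asserted and not only its existence.
 *
 * <p>NOTE(review): the principal check is one-directional. It proves that every group
 * principal declared by the IDP (up to the configured nesting depth) is present on the
 * session; it does not prove that no unexpected principal is present.
 */
public class ExternalLoginCachedDynamicMembershipTest extends ExternalLoginTestBase {

    private static final String REP_CACHE = "rep:cache";
    private static final String REP_EXTERNAL_LOCAL_PRINCIPAL_NAMES = "rep:externalLocalPrincipalNames";
    private static final String REP_GROUP_PRINCIPAL_NAMES = "rep:groupPrincipalNames";

    /**
     * Enables dynamic membership/groups on the sync config and registers the sync handler plus
     * its IDP mapping with the OSGi context. Overrides the setup declared in
     * {@code ExternalLoginTestBase} / {@code AbstractExternalAuthTest}.
     */
    @Override
    public void before() throws Exception {
        super.before();
        this.syncConfig.user().setDynamicMembership(true);
        this.syncConfig.group().setDynamicGroups(true);

        ImmutableMap<String, Object> syncProps = ImmutableMap.of(
                "user.dynamicMembership", Boolean.valueOf(this.syncConfig.user().getDynamicMembership()),
                "group.dynamicGroups", Boolean.valueOf(this.syncConfig.group().getDynamicGroups()));
        SyncHandler syncHandler = WhiteboardUtils.getService(this.whiteboard, SyncHandler.class);

        // The property maps are passed wrapped in an explicit Object[] exactly as in the
        // compiled class, so the same registerService overload is selected.
        this.context.registerService(SyncHandler.class, syncHandler, new Object[]{syncProps});

        ImmutableMap<String, Object> mappingProps = ImmutableMap.of(
                "idp.name", this.idp.getName(),
                "sync.handlerName", syncHandler.getName());
        this.context.registerService(SyncHandlerMapping.class, new SyncHandlerMapping() {
        }, new Object[]{mappingProps});
    }

    /**
     * Collects the principal names of all groups the identity declares, following nested
     * declarations down to {@code depth} levels.
     *
     * @param externalIdentity identity whose declared groups are resolved through the test IDP
     * @param depth remaining nesting levels to follow; {@code <= 0} yields an empty set
     * @return the expected group principal names (immutable empty set when depth is exhausted)
     * @throws Exception if the IDP lookup fails
     */
    private Set<String> calcExpectedPrincipalNames(@NotNull ExternalIdentity externalIdentity, long depth) throws Exception {
        if (depth <= 0) {
            return Collections.emptySet();
        }
        Set<String> names = new HashSet<>();
        for (ExternalIdentityRef ref : externalIdentity.getDeclaredGroups()) {
            ExternalIdentity group = this.idp.getIdentity(ref);
            // Fail with a readable message instead of a bare NullPointerException when a
            // declared group cannot be resolved.
            Assert.assertNotNull("Declared group could not be resolved by the IDP: " + ref, group);
            names.add(group.getPrincipalName());
            names.addAll(calcExpectedPrincipalNames(group, depth - 1));
        }
        return names;
    }

    /**
     * Asserts that every group principal the IDP declares for the test user is present on the
     * session. Extra principals on the session are not detected by this check.
     */
    private void assertDeclaredGroupPrincipalsPresent(ContentSession session) throws Exception {
        Set<String> missing = calcExpectedPrincipalNames(
                this.idp.getUser(TestIdentityProvider.ID_TEST_USER),
                this.syncConfig.user().getMembershipNestingDepth());
        // Typed copy (diamond) so the lambda parameter keeps its principal type; the raw
        // HashSet of the decompiled listing would make it Object and getName() unresolvable.
        new HashSet<>(session.getAuthInfo().getPrincipals()).forEach(principal -> missing.remove(principal.getName()));
        Assert.assertTrue("Expected principals missing from session: " + missing, missing.isEmpty());
    }

    /**
     * Refreshes the root and returns the {@code rep:cache} tree of the test user, asserting
     * that it exists.
     */
    private Tree getPrincipalCache() throws Exception {
        this.root.refresh();
        String userPath = getUserManager(this.root).getAuthorizable(TestIdentityProvider.ID_TEST_USER).getPath();
        Tree cache = this.root.getTree(userPath).getChild(REP_CACHE);
        Assert.assertTrue(cache.exists());
        return cache;
    }

    /**
     * A successful external login must leave a {@code rep:cache} node with a non-null
     * {@code rep:externalLocalPrincipalNames} value below the user.
     */
    @Test
    public void testLoginPopulatesPrincipalCache() throws Exception {
        // Empty password: presumably accepted by the TestIdentityProvider fixture for its
        // test user — confirm against the fixture.
        try (ContentSession login = login(new SimpleCredentials(TestIdentityProvider.ID_TEST_USER, new char[0]))) {
            assertDeclaredGroupPrincipalsPresent(login);

            Tree cache = getPrincipalCache();
            Assert.assertTrue(cache.hasProperty(REP_EXTERNAL_LOCAL_PRINCIPAL_NAMES));
            Assert.assertNotNull(cache.getProperty(REP_EXTERNAL_LOCAL_PRINCIPAL_NAMES).getValue(Type.STRING));
        }
    }

    /**
     * Local groups that contain (a) an external group principal and (b) the user directly must
     * both show up in the cache after login, each in its own property.
     */
    @Test
    public void testLocalGroupAndUserIsCached() throws Exception {
        Group groupWithExternalMember = getUserManager(this.root).createGroup("testGroup" + UUID.randomUUID());
        Assert.assertTrue("Failed to add external group to local group",
                groupWithExternalMember.addMembers(new String[]{this.idp.getGroup("a").getPrincipalName()}).isEmpty());
        Group groupWithUserMember = getUserManager(this.root).createGroup("testGroup" + UUID.randomUUID());
        Assert.assertTrue("Failed to add user to local group",
                groupWithUserMember.addMembers(new String[]{TestIdentityProvider.ID_TEST_USER}).isEmpty());
        this.root.commit();

        try (ContentSession login = login(new SimpleCredentials(TestIdentityProvider.ID_TEST_USER, new char[0]))) {
            assertDeclaredGroupPrincipalsPresent(login);

            Tree cache = getPrincipalCache();
            Assert.assertTrue(cache.hasProperty(REP_EXTERNAL_LOCAL_PRINCIPAL_NAMES));
            String externalLocalNames = cache.getProperty(REP_EXTERNAL_LOCAL_PRINCIPAL_NAMES).getValue(Type.STRING);
            Assert.assertNotNull(externalLocalNames);
            // NOTE(review): compares the group ID against cached principal names; this
            // presumably holds because createGroup(id) uses the ID as principal name — confirm.
            Assert.assertTrue(externalLocalNames.contains(groupWithExternalMember.getID()));

            // Guard the lookup so a missing property fails as an assertion, not as an NPE.
            Assert.assertTrue(cache.hasProperty(REP_GROUP_PRINCIPAL_NAMES));
            String groupNames = cache.getProperty(REP_GROUP_PRINCIPAL_NAMES).getValue(Type.STRING);
            Assert.assertNotNull(groupNames);
            Assert.assertTrue(groupNames.contains(groupWithUserMember.getID()));
        }
    }

    /**
     * User-management parameters for this test: principal cache enabled through
     * {@code cacheExpiration} and {@code cacheMaxStale} (both 10000, presumably milliseconds —
     * confirm) and best-effort import behavior.
     *
     * <p>NOTE(review): presumably overrides a hook of a superclass that is not part of this
     * listing; no {@code @Override} is present in the decompiled class.
     */
    protected ConfigurationParameters getSecurityConfigParameters() {
        return ConfigurationParameters.of(
                "org.apache.jackrabbit.oak.user",
                ConfigurationParameters.of(Map.of(
                        "cacheExpiration", 10000,
                        "cacheMaxStale", 10000,
                        "importBehavior", "besteffort")));
    }

    /**
     * JAAS stack used for the logins in this class. Overrides
     * {@code ExternalLoginTestBase#getConfiguration()}.
     *
     * <p>The decompiler reports that the access modifier was changed from {@code protected};
     * {@code public} is kept here to match the listing.
     */
    @Override
    public Configuration getConfiguration() {
        return new Configuration() {
            @Override
            public AppConfigurationEntry[] getAppConfigurationEntry(String name) {
                // ExternalLoginModule is the only REQUIRED entry: the overall login succeeds
                // only if it succeeds. The token and default modules are OPTIONAL, so their
                // outcome alone does not decide authentication in this stack.
                return new AppConfigurationEntry[]{
                        new AppConfigurationEntry(
                                TokenLoginModule.class.getName(),
                                AppConfigurationEntry.LoginModuleControlFlag.OPTIONAL,
                                Collections.emptyMap()),
                        new AppConfigurationEntry(
                                LoginModuleImpl.class.getName(),
                                AppConfigurationEntry.LoginModuleControlFlag.OPTIONAL,
                                Collections.emptyMap()),
                        new AppConfigurationEntry(
                                ExternalLoginModule.class.getName(),
                                AppConfigurationEntry.LoginModuleControlFlag.REQUIRED,
                                ExternalLoginCachedDynamicMembershipTest.this.options)};
            }
        };
    }
}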
