package org.apache.jackrabbit.oak.spi.security.authentication.external.impl.principal;

import java.security.Principal;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.commons.collections.SetUtils;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalGroup;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentity;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityException;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityRef;
import org.apache.jackrabbit.oak.spi.security.authentication.external.TestIdentityProvider;
import org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncConfig;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
import org.apache.jackrabbit.oak.spi.security.user.UserConfiguration;
import org.jetbrains.annotations.NotNull;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.mockito.Mockito;
import org.osgi.framework.ServiceReference;

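/* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authentication/external/impl/principal/ExternalGroupPrincipalProviderWithCacheTest.class */
/**
 * Exercises {@link ExternalGroupPrincipalProvider} with dynamic groups and dynamic membership
 * enabled while the user configuration carries membership-cache parameters
 * ({@code cacheExpiration}, {@code cacheMaxStale}).
 *
 * <p>The single test resolves the membership of an external user that also belongs to a local
 * group and checks that a {@code rep:cache} child carrying
 * {@code rep:externalLocalPrincipalNames} is written below the user.
 *
 * <p>NOTE(review): the resolved principals are group memberships, so a cached entry presumably
 * keeps being returned after a membership was removed until the entry expires. Only cache
 * population is covered here; expiry and invalidation are not exercised by this class.
 */
public class ExternalGroupPrincipalProviderWithCacheTest extends AbstractPrincipalTest {

    // Local group that receives every group listed by the test IDP as a member (see before()).
    @NotNull
    private Group testGroup;
    private final String idpName = TestIdentityProvider.DEFAULT_IDP_NAME;

    /**
     * Creates the local test group and the provider under test, then adds every group listed by
     * the IDP as a member of the local group and persists the change.
     *
     * @throws Exception if the fixture cannot be created or committed
     */
    @Override // org.apache.jackrabbit.oak.spi.security.authentication.external.impl.principal.AbstractPrincipalTest, org.apache.jackrabbit.oak.spi.security.authentication.external.AbstractExternalAuthTest
    @Before
    public void before() throws Exception {
        super.before();
        this.testGroup = createTestGroup();
        this.principalProvider = createPrincipalProvider(getSystemRoot(), getUserConfiguration());
        Iterator<ExternalGroup> listGroups = this.idp.listGroups();
        while (listGroups.hasNext()) {
            // The authorizable is looked up with the group's principal name as id;
            // presumably both coincide for the test IDP — verify against TestIdentityProvider.
            this.testGroup.addMember(getUserManager(this.root).getAuthorizable(listGroups.next().getPrincipalName()));
        }
        this.root.commit();
        // Refresh both roots so the test and the provider (built on the system root) see the commit.
        this.root.refresh();
        getSystemRoot().refresh();
    }

    /**
     * Returns the parent sync configuration with dynamic groups and dynamic membership enabled.
     *
     * <p>Decompiler note: the access modifier was widened from {@code protected}.
     *
     * @return the adjusted sync configuration
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.jackrabbit.oak.spi.security.authentication.external.impl.principal.AbstractPrincipalTest, org.apache.jackrabbit.oak.spi.security.authentication.external.AbstractExternalAuthTest
    @NotNull
    public DefaultSyncConfig createSyncConfig() {
        DefaultSyncConfig createSyncConfig = super.createSyncConfig();
        createSyncConfig.group().setDynamicGroups(true);
        createSyncConfig.user().setDynamicMembership(true);
        return createSyncConfig;
    }

    /**
     * Builds the provider under test on top of a spied {@link SyncConfigTracker}.
     *
     * <p>The spy reports {@link #idpName} as the only IDP with dynamic groups (or none when the
     * name is empty) and a single mocked service reference.
     *
     * <p>Decompiler note: the access modifier was widened from package-private.
     *
     * @param root the root the provider reads from
     * @param userConfiguration the user configuration handed to the provider
     * @return a new provider instance
     */
    /* JADX INFO: Access modifiers changed from: package-private */
    @Override // org.apache.jackrabbit.oak.spi.security.authentication.external.impl.principal.AbstractPrincipalTest
    @NotNull
    public ExternalGroupPrincipalProvider createPrincipalProvider(@NotNull Root root, @NotNull UserConfiguration userConfiguration) {
        SyncConfigTracker syncConfigTracker = Mockito.spy(new SyncConfigTracker(this.context.bundleContext(), new SyncHandlerMappingTracker(this.context.bundleContext())));
        if (this.idpName.isEmpty()) {
            Mockito.when(syncConfigTracker.getIdpNamesWithDynamicGroups()).thenReturn(Collections.emptySet());
        } else {
            Mockito.when(syncConfigTracker.getIdpNamesWithDynamicGroups()).thenReturn(Collections.singleton(this.idpName));
        }
        // A raw array is unavoidable here: Java does not allow generic array creation.
        Mockito.when(syncConfigTracker.getServiceReferences()).thenReturn(new ServiceReference[]{Mockito.mock(ServiceReference.class)});
        return new ExternalGroupPrincipalProvider(root, userConfiguration, getNamePathMapper(), syncConfigTracker);
    }

    /**
     * Supplies the security configuration used by this test: user-configuration parameters that
     * set the cache expiration and maximum staleness and select best-effort import behaviour.
     *
     * @return the nested configuration parameters
     */
    protected ConfigurationParameters getSecurityConfigParameters() {
        // NOTE(review): 10000 is presumably a duration in milliseconds — confirm against the user configuration.
        return ConfigurationParameters.of("org.apache.jackrabbit.oak.user", ConfigurationParameters.of(Map.of("cacheExpiration", 10000, "cacheMaxStale", 10000, "importBehavior", "besteffort")));
    }

    /**
     * Computes the group principals expected for an external user, following declared groups up
     * to the membership nesting depth of the sync configuration.
     *
     * @param str the id of the external user as known to the IDP
     * @return a mutable set of expected principals; callers add further entries to it
     * @throws Exception if the IDP lookup fails
     */
    @NotNull
    Set<Principal> getExternalGroupPrincipals(@NotNull String str) throws Exception {
        if (this.syncConfig.user().getMembershipNestingDepth() == 1) {
            // Collect into an explicit HashSet: Collectors.toSet() gives no mutability guarantee,
            // and the caller adds to the returned set.
            return SetUtils.toSet(this.idp.getUser(str).getDeclaredGroups()).stream().<Principal>map(externalIdentityRef -> {
                try {
                    return new PrincipalImpl(this.idp.getIdentity(externalIdentityRef).getPrincipalName());
                } catch (ExternalIdentityException e) {
                    // Checked exceptions cannot leave the lambda; wrap and keep the cause.
                    throw new RuntimeException(e);
                }
            }).collect(Collectors.toCollection(HashSet::new));
        }
        Set<Principal> expected = new HashSet<>();
        collectExpectedPrincipals(expected, this.idp.getUser(str).getDeclaredGroups(), this.syncConfig.user().getMembershipNestingDepth());
        return expected;
    }

    /**
     * Recursively adds the principals of the given group references and of their declared groups.
     *
     * @param principals the set that receives the principals
     * @param declaredGroups the group references to resolve on this level
     * @param depth the number of nesting levels still to follow; nothing is added when {@code <= 0}
     * @throws Exception if an identity cannot be resolved
     */
    private void collectExpectedPrincipals(Set<Principal> principals, @NotNull Iterable<ExternalIdentityRef> declaredGroups, long depth) throws Exception {
        if (depth <= 0) {
            return;
        }
        for (ExternalIdentityRef ref : declaredGroups) {
            ExternalIdentity identity = this.idp.getIdentity(ref);
            principals.add(new PrincipalImpl(identity.getPrincipalName()));
            collectExpectedPrincipals(principals, identity.getDeclaredGroups(), depth - 1);
        }
    }

    /**
     * Verifies that the membership of an external user contains its external groups plus the
     * local test group, and that resolving it leaves a populated cache entry below the user.
     */
    @Test
    public void testGetGroupMembershipExternalUserAndLocal() throws Exception {
        Authorizable authorizable = getUserManager(this.root).getAuthorizable(TestIdentityProvider.ID_TEST_USER);
        Assert.assertNotNull(authorizable);
        Set<Principal> externalGroupPrincipals = getExternalGroupPrincipals(TestIdentityProvider.ID_TEST_USER);
        externalGroupPrincipals.add(this.testGroup.getPrincipal());
        // First resolution; presumably this is the call that populates the cache.
        Assert.assertEquals(externalGroupPrincipals.size(), this.principalProvider.getMembershipPrincipals(authorizable.getPrincipal()).size());
        this.root.refresh();
        Tree child = this.root.getTree(authorizable.getPath()).getChild("rep:cache");
        // Tree.getChild never returns null, so a null check cannot fail; assert existence instead.
        Assert.assertTrue(child.exists());
        Assert.assertTrue(child.hasProperty("rep:externalLocalPrincipalNames"));
        Assert.assertFalse(child.getProperty("rep:externalLocalPrincipalNames").getValue(Type.STRING).isEmpty());
        // Second resolution must yield exactly the expected principals.
        Assert.assertEquals(externalGroupPrincipals, this.principalProvider.getMembershipPrincipals(authorizable.getPrincipal()));
    }
}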
