package org.apache.jackrabbit.oak.spi.security.authentication.external.impl;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.UUID;
import java.util.stream.Collectors;
import javax.jcr.RepositoryException;
import javax.jcr.Value;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.guava.common.collect.Iterators;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.commons.collections.IterableUtils;
import org.apache.jackrabbit.oak.commons.collections.SetUtils;
import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalGroup;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentity;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityException;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityProvider;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalIdentityRef;
import org.apache.jackrabbit.oak.spi.security.authentication.external.ExternalUser;
import org.apache.jackrabbit.oak.spi.security.authentication.external.SyncException;
import org.apache.jackrabbit.oak.spi.security.authentication.external.SyncResult;
import org.apache.jackrabbit.oak.spi.security.authentication.external.SyncedIdentity;
import org.apache.jackrabbit.oak.spi.security.authentication.external.TestIdentityProvider;
import org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncConfig;
import org.apache.jackrabbit.oak.spi.security.authentication.external.basic.DefaultSyncContext;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.junit.Assert;
import org.junit.Test;
import org.mockito.ArgumentMatchers;
import org.mockito.Mockito;

/* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncContextTest.class */
public class DynamicSyncContextTest extends AbstractDynamicTest {
    static final String PREVIOUS_SYNCED_ID = "third";
    static final long PREVIOUS_NESTING_DEPTH = Long.MAX_VALUE;
    static final String GROUP_ID = "aaa";

    /* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authentication/external/impl/DynamicSyncContextTest$TestUserWithGroupRefs.class */
    static final class TestUserWithGroupRefs extends TestIdentityProvider.TestIdentity implements ExternalUser {
        private final Iterable<ExternalIdentityRef> declaredGroupRefs;

        /* JADX INFO: Access modifiers changed from: package-private */
        public TestUserWithGroupRefs(@NotNull ExternalUser externalUser, @NotNull Iterable<ExternalIdentityRef> iterable) {
            super((ExternalIdentity) externalUser);
            this.declaredGroupRefs = iterable;
        }

        public String getPassword() {
            return "";
        }

        @Override // org.apache.jackrabbit.oak.spi.security.authentication.external.TestIdentityProvider.TestIdentity
        @NotNull
        public Iterable<ExternalIdentityRef> getDeclaredGroups() {
            return this.declaredGroupRefs;
        }
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authentication.external.impl.AbstractDynamicTest
    @NotNull
    ExternalUser syncPriorToDynamicMembership() throws Exception {
        DefaultSyncConfig createSyncConfig = createSyncConfig();
        createSyncConfig.user().setMembershipNestingDepth(PREVIOUS_NESTING_DEPTH);
        String name = this.idp.getName();
        TestIdentityProvider testIdentityProvider = (TestIdentityProvider) this.idp;
        testIdentityProvider.addGroup(new TestIdentityProvider.TestGroup("ttt", name));
        testIdentityProvider.addGroup(new TestIdentityProvider.TestGroup("tt", name).withGroups("ttt"));
        testIdentityProvider.addGroup(new TestIdentityProvider.TestGroup("thirdGroup", name).withGroups("tt"));
        testIdentityProvider.addGroup(new TestIdentityProvider.TestGroup("forthGroup", name));
        testIdentityProvider.addUser(new TestIdentityProvider.TestUser(PREVIOUS_SYNCED_ID, name).withGroups("thirdGroup", "forthGroup"));
        DefaultSyncContext defaultSyncContext = new DefaultSyncContext(createSyncConfig, this.idp, getUserManager(this.r), getValueFactory(this.r));
        ExternalUser user = this.idp.getUser(PREVIOUS_SYNCED_ID);
        Assert.assertNotNull(user);
        Assert.assertSame(SyncResult.Status.ADD, defaultSyncContext.sync(user).getStatus());
        defaultSyncContext.close();
        this.r.commit();
        return user;
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public void assertDynamicMembership(@NotNull ExternalIdentity externalIdentity, long j) throws Exception {
        Authorizable authorizable = this.userManager.getAuthorizable(externalIdentity.getId());
        Assert.assertNotNull(authorizable);
        assertDynamicMembership(authorizable, externalIdentity, j);
    }

    private void assertDynamicMembership(@NotNull Authorizable authorizable, @NotNull ExternalIdentity externalIdentity, long j) throws Exception {
        Set set = (Set) Arrays.stream(authorizable.getProperty("rep:externalPrincipalNames")).map(value -> {
            try {
                return value.getString();
            } catch (RepositoryException e) {
                return null;
            }
        }).filter((v0) -> {
            return Objects.nonNull(v0);
        }).collect(Collectors.toSet());
        HashSet hashSet = new HashSet();
        collectGroupPrincipals(hashSet, externalIdentity.getDeclaredGroups(), j);
        Assert.assertEquals(hashSet, set);
    }

    private void collectGroupPrincipals(Set<String> set, @NotNull Iterable<ExternalIdentityRef> iterable, long j) throws ExternalIdentityException {
        if (j <= 0) {
            return;
        }
        Iterator<ExternalIdentityRef> it = iterable.iterator();
        while (it.hasNext()) {
            ExternalIdentity identity = this.idp.getIdentity(it.next());
            set.add(identity.getPrincipalName());
            collectGroupPrincipals(set, identity.getDeclaredGroups(), j - 1);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void assertSyncedMembership(@NotNull UserManager userManager, @NotNull Authorizable authorizable, @NotNull ExternalIdentity externalIdentity) throws Exception {
        assertSyncedMembership(userManager, authorizable, externalIdentity, this.syncConfig.user().getMembershipNestingDepth());
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void assertSyncedMembership(@NotNull UserManager userManager, @NotNull Authorizable authorizable, @NotNull ExternalIdentity externalIdentity, long j) throws Exception {
        Iterable declaredGroups = externalIdentity.getDeclaredGroups();
        for (ExternalIdentityRef externalIdentityRef : getExpectedSyncedGroupRefs(j, this.idp, externalIdentity)) {
            Group authorizable2 = userManager.getAuthorizable(externalIdentityRef.getId(), Group.class);
            Assert.assertNotNull(authorizable2);
            Assert.assertTrue(authorizable2.isMember(authorizable));
            List<String> ids = getIds(authorizable.memberOf());
            Assert.assertTrue("Expected " + ids + " to contain " + authorizable2.getID(), ids.contains(authorizable2.getID()));
            if (IterableUtils.contains(declaredGroups, externalIdentityRef)) {
                Assert.assertTrue(authorizable2.isDeclaredMember(authorizable));
                Assert.assertTrue(Iterators.contains(authorizable.declaredMemberOf(), authorizable2));
            }
        }
    }

    void assertDeclaredGroups(@NotNull ExternalUser externalUser) throws Exception {
        Iterator<ExternalIdentityRef> it = getExpectedSyncedGroupRefs(this.syncConfig.user().getMembershipNestingDepth(), this.idp, externalUser).iterator();
        while (it.hasNext()) {
            Authorizable authorizable = this.userManager.getAuthorizable(it.next().getId());
            if (this.syncConfig.group().getDynamicGroups()) {
                Assert.assertNotNull(authorizable);
            } else {
                Assert.assertNull(authorizable);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public static boolean hasStoredMembershipInformation(@NotNull Tree tree, @NotNull Tree tree2) {
        String string = TreeUtil.getString(tree2, "jcr:uuid");
        Assert.assertNotNull(string);
        if (containsMemberRef(tree, string)) {
            return true;
        }
        if (!tree.hasChild("rep:membersList")) {
            return false;
        }
        Iterator it = tree.getChild("rep:membersList").getChildren().iterator();
        while (it.hasNext()) {
            if (containsMemberRef((Tree) it.next(), string)) {
                return true;
            }
        }
        return false;
    }

    private static boolean containsMemberRef(@NotNull Tree tree, @NotNull String str) {
        Iterable strings = TreeUtil.getStrings(tree, "rep:members");
        return strings != null && IterableUtils.contains(strings, str);
    }

    @Test(expected = IllegalArgumentException.class)
    public void testSyncExternalIdentity() throws Exception {
        this.syncContext.sync(new TestIdentityProvider.TestIdentity());
    }

    @Test
    public void testSyncExternalUser() throws Exception {
        ExternalUser user = this.idp.getUser(TestIdentityProvider.ID_TEST_USER);
        sync(user, SyncResult.Status.ADD);
        Assert.assertNotNull(this.userManager.getAuthorizable(TestIdentityProvider.ID_TEST_USER));
        assertDeclaredGroups(user);
    }

    @Test
    public void testSyncExternalUserDepth0() throws Exception {
        this.syncConfig.user().setMembershipNestingDepth(0L);
        sync(this.idp.getUser(TestIdentityProvider.ID_TEST_USER), SyncResult.Status.ADD);
        Assert.assertNotNull(this.r.getTree(this.userManager.getAuthorizable(TestIdentityProvider.ID_TEST_USER).getPath()).getProperty("rep:externalPrincipalNames"));
        Assert.assertEquals(0L, r0.count());
    }

    @Test
    public void testSyncExternalUserDepth1() throws Exception {
        this.syncConfig.user().setMembershipNestingDepth(1L);
        ExternalUser user = this.idp.getUser(TestIdentityProvider.ID_TEST_USER);
        sync(user, SyncResult.Status.ADD);
        PropertyState property = this.r.getTree(this.userManager.getAuthorizable(TestIdentityProvider.ID_TEST_USER).getPath()).getProperty("rep:externalPrincipalNames");
        Assert.assertNotNull(property);
        Set set = SetUtils.toSet((Iterable) property.getValue(Type.STRINGS));
        Iterator it = user.getDeclaredGroups().iterator();
        while (it.hasNext()) {
            Assert.assertTrue(set.remove(this.idp.getIdentity((ExternalIdentityRef) it.next()).getPrincipalName()));
        }
        Assert.assertTrue(set.isEmpty());
    }

    @Test
    public void testSyncExternalUserDepthInfinite() throws Exception {
        this.syncConfig.user().setMembershipNestingDepth(PREVIOUS_NESTING_DEPTH);
        ExternalUser user = this.idp.getUser(TestIdentityProvider.ID_TEST_USER);
        sync(user, SyncResult.Status.ADD);
        PropertyState property = this.r.getTree(this.userManager.getAuthorizable(TestIdentityProvider.ID_TEST_USER).getPath()).getProperty("rep:externalPrincipalNames");
        Assert.assertNotNull(property);
        Set set = SetUtils.toSet((Iterable) property.getValue(Type.STRINGS));
        HashSet hashSet = new HashSet();
        collectGroupPrincipals(hashSet, user.getDeclaredGroups(), PREVIOUS_NESTING_DEPTH);
        Assert.assertEquals(hashSet, set);
    }

    @Test
    public void testSyncExternalUserGroupConflict() throws Exception {
        ExternalUser user = this.idp.getUser(TestIdentityProvider.ID_TEST_USER);
        ExternalIdentity identity = this.idp.getIdentity((ExternalIdentityRef) user.getDeclaredGroups().iterator().next());
        Assert.assertNotNull(identity);
        assertIgnored(user, identity, identity.getId(), identity.getPrincipalName(), null);
    }

    @Test
    public void testSyncExternalUserGroupConflictDifferentIDP() throws Exception {
        ExternalUser user = this.idp.getUser(TestIdentityProvider.ID_TEST_USER);
        ExternalIdentityRef externalIdentityRef = (ExternalIdentityRef) user.getDeclaredGroups().iterator().next();
        ExternalIdentity identity = this.idp.getIdentity(externalIdentityRef);
        Assert.assertNotNull(identity);
        assertIgnored(user, identity, identity.getId(), identity.getPrincipalName(), new ExternalIdentityRef(externalIdentityRef.getId(), externalIdentityRef.getProviderName() + "_mod"));
    }

    @Test
    public void testSyncExternalUserGroupConflictPrincipalNameMismatch() throws Exception {
        ExternalUser user = this.idp.getUser(TestIdentityProvider.ID_TEST_USER);
        ExternalIdentityRef externalIdentityRef = (ExternalIdentityRef) user.getDeclaredGroups().iterator().next();
        ExternalIdentity identity = this.idp.getIdentity(externalIdentityRef);
        Assert.assertNotNull(identity);
        assertIgnored(user, identity, identity.getId(), identity.getPrincipalName() + "mismatch", externalIdentityRef);
    }

    @Test
    public void testSyncExternalUserGroupConflictPrincipalNameCaseMismatch() throws Exception {
        ExternalUser user = this.idp.getUser(TestIdentityProvider.ID_TEST_USER);
        ExternalIdentityRef externalIdentityRef = (ExternalIdentityRef) user.getDeclaredGroups().iterator().next();
        ExternalIdentity identity = this.idp.getIdentity(externalIdentityRef);
        Assert.assertNotNull(identity);
        assertIgnored(user, identity, identity.getId(), identity.getPrincipalName().toUpperCase(), externalIdentityRef);
    }

    @Test
    public void testSyncExternalUserGroupConflictIdCaseMismatch() throws Exception {
        ExternalUser user = this.idp.getUser(TestIdentityProvider.ID_TEST_USER);
        ExternalIdentity identity = this.idp.getIdentity((ExternalIdentityRef) user.getDeclaredGroups().iterator().next());
        Assert.assertNotNull(identity);
        assertIgnored(user, identity, identity.getId().toUpperCase(), identity.getPrincipalName(), null);
    }

    private void assertIgnored(@NotNull ExternalUser externalUser, @NotNull ExternalIdentity externalIdentity, @NotNull String str, @NotNull String str2, @Nullable ExternalIdentityRef externalIdentityRef) throws Exception {
        Group createGroup = this.userManager.createGroup(str, new PrincipalImpl(str2), (String) null);
        if (externalIdentityRef != null) {
            createGroup.setProperty("rep:externalId", getValueFactory().createValue(externalIdentityRef.getString()));
        }
        this.r.commit();
        sync(externalUser, SyncResult.Status.ADD);
        PropertyState property = this.r.getTree(this.userManager.getAuthorizable(TestIdentityProvider.ID_TEST_USER).getPath()).getProperty("rep:externalPrincipalNames");
        Assert.assertNotNull(property);
        Set set = SetUtils.toSet((Iterable) property.getValue(Type.STRINGS));
        Assert.assertFalse(set + " must not contain " + externalIdentity.getPrincipalName(), set.contains(externalIdentity.getPrincipalName()));
    }

    @Test
    public void testSyncExternalUserGroupConflictWithUser() throws Exception {
        ExternalUser user = this.idp.getUser(TestIdentityProvider.ID_TEST_USER);
        ExternalIdentity identity = this.idp.getIdentity((ExternalIdentityRef) user.getDeclaredGroups().iterator().next());
        this.userManager.createUser(identity.getId(), (String) null, new PrincipalImpl(identity.getPrincipalName()), (String) null);
        this.r.commit();
        sync(user, SyncResult.Status.ADD);
        PropertyState property = this.r.getTree(this.userManager.getAuthorizable(TestIdentityProvider.ID_TEST_USER).getPath()).getProperty("rep:externalPrincipalNames");
        Assert.assertNotNull(property);
        Set set = SetUtils.toSet((Iterable) property.getValue(Type.STRINGS));
        Assert.assertFalse(set + " must not contain " + identity.getPrincipalName(), set.contains(identity.getPrincipalName()));
    }

    @Test
    public void testSyncExternalUserExistingGroups() throws Exception {
        Authorizable authorizable = this.userManager.getAuthorizable(this.previouslySyncedUser.getId());
        assertSyncedMembership(this.userManager, authorizable, this.previouslySyncedUser, PREVIOUS_NESTING_DEPTH);
        this.syncContext.setForceUserSync(true);
        this.syncConfig.user().setMembershipExpirationTime(-1L);
        this.syncContext.sync(this.previouslySyncedUser);
        Assert.assertFalse(this.r.getTree(authorizable.getPath()).hasProperty("rep:externalPrincipalNames"));
        assertSyncedMembership(this.userManager, authorizable, this.previouslySyncedUser);
    }

    @Test
    public void testSyncExternalGroup() throws Exception {
        ExternalGroup group = this.idp.getGroup(GROUP_ID);
        this.syncContext.sync(group);
        Assert.assertNull(this.userManager.getAuthorizable(group.getId()));
        Assert.assertFalse(this.r.hasPendingChanges());
    }

    @Test
    public void testSyncExternalGroupVerifyStatus() throws Exception {
        ExternalGroup group = this.idp.getGroup(GROUP_ID);
        Assert.assertEquals(this.syncConfig.group().getDynamicGroups() ? SyncResult.Status.ADD : SyncResult.Status.NOP, this.syncContext.sync(group).getStatus());
        Assert.assertEquals(SyncResult.Status.NOP, this.syncContext.sync(group).getStatus());
        this.syncContext.setForceGroupSync(true);
        Assert.assertEquals(this.syncConfig.group().getDynamicGroups() ? SyncResult.Status.UPDATE : SyncResult.Status.NOP, this.syncContext.sync(group).getStatus());
    }

    @Test
    public void testSyncExternalGroupExisting() throws Exception {
        ExternalGroup group = this.idp.getGroup(((ExternalIdentityRef) this.previouslySyncedUser.getDeclaredGroups().iterator().next()).getId());
        Assert.assertNotNull(group);
        this.syncContext.setForceGroupSync(true);
        Assert.assertSame(SyncResult.Status.UPDATE, this.syncContext.sync(group).getStatus());
    }

    @Test
    public void testSyncForeignExternalGroup() throws Exception {
        TestIdentityProvider.ForeignExternalGroup foreignExternalGroup = new TestIdentityProvider.ForeignExternalGroup();
        SyncResult sync = this.syncContext.sync(foreignExternalGroup);
        Assert.assertNotNull(sync);
        Assert.assertSame(SyncResult.Status.FOREIGN, sync.getStatus());
        SyncedIdentity identity = sync.getIdentity();
        Assert.assertNotNull(identity);
        Assert.assertEquals(foreignExternalGroup.getId(), identity.getId());
        ExternalIdentityRef externalIdRef = identity.getExternalIdRef();
        Assert.assertNotNull(externalIdRef);
        Assert.assertEquals(foreignExternalGroup.getExternalId(), externalIdRef);
        Assert.assertTrue(identity.isGroup());
        Assert.assertEquals(-1L, identity.lastSynced());
        Assert.assertFalse(this.r.hasPendingChanges());
    }

    @Test
    public void testSyncExternalGroupRepositoryException() throws Exception {
        Throwable repositoryException = new RepositoryException();
        UserManager userManager = (UserManager) Mockito.mock(UserManager.class);
        Mockito.when(userManager.getAuthorizable((String) ArgumentMatchers.any(String.class))).thenThrow(new Throwable[]{repositoryException});
        try {
            new DynamicSyncContext(this.syncConfig, this.idp, userManager, this.valueFactory).sync(this.idp.getGroup(GROUP_ID));
            Assert.fail();
        } catch (SyncException e) {
            Assert.assertEquals(repositoryException, e.getCause());
        }
    }

    @Test
    public void testSyncUserByIdUpdate() throws Exception {
        ExternalUser user = this.idp.getUser(TestIdentityProvider.ID_SECOND_USER);
        User createUser = this.userManager.createUser(user.getId(), (String) null);
        createUser.setProperty("rep:externalId", this.valueFactory.createValue(user.getExternalId().getString()));
        this.syncContext.setForceUserSync(true);
        Assert.assertEquals(SyncResult.Status.UPDATE, this.syncContext.sync(user.getId()).getStatus());
        Assert.assertTrue(this.r.getTree(createUser.getPath()).hasProperty("rep:externalPrincipalNames"));
    }

    @Test
    public void testPreviouslySyncedIdentities() throws Exception {
        Authorizable authorizable = this.userManager.getAuthorizable(PREVIOUS_SYNCED_ID);
        Assert.assertNotNull(authorizable);
        Assert.assertFalse(authorizable.hasProperty("rep:externalPrincipalNames"));
        assertSyncedMembership(this.userManager, authorizable, this.previouslySyncedUser, PREVIOUS_NESTING_DEPTH);
    }

    @Test
    public void testSyncUserIdExistingGroupsMembershipNotExpired() throws Exception {
        long membershipExpirationTime = this.syncConfig.user().getMembershipExpirationTime();
        DefaultSyncConfig.User user = this.syncConfig.user();
        try {
            user.setMembershipExpirationTime(PREVIOUS_NESTING_DEPTH);
            this.syncContext.setForceUserSync(true);
            this.syncContext.sync(this.previouslySyncedUser.getId());
            Authorizable authorizable = this.userManager.getAuthorizable(PREVIOUS_SYNCED_ID);
            Assert.assertFalse(this.r.getTree(authorizable.getPath()).hasProperty("rep:externalPrincipalNames"));
            assertSyncedMembership(this.userManager, authorizable, this.previouslySyncedUser);
            user.setMembershipExpirationTime(membershipExpirationTime);
        } catch (Throwable th) {
            user.setMembershipExpirationTime(membershipExpirationTime);
            throw th;
        }
    }

    @Test
    public void testSyncUserIdExistingGroups() throws Exception {
        long membershipExpirationTime = this.syncConfig.user().getMembershipExpirationTime();
        DefaultSyncConfig.User user = this.syncConfig.user();
        try {
            user.setMembershipExpirationTime(-1L);
            this.syncContext.setForceUserSync(true);
            this.syncContext.sync(this.previouslySyncedUser.getId());
            Authorizable authorizable = this.userManager.getAuthorizable(PREVIOUS_SYNCED_ID);
            Tree tree = this.r.getTree(authorizable.getPath());
            if (user.getEnforceDynamicMembership() || this.syncConfig.group().getDynamicGroups()) {
                Assert.assertTrue(tree.hasProperty("rep:externalPrincipalNames"));
                Assert.assertEquals(getExpectedSyncedGroupRefs(user.getMembershipNestingDepth(), this.idp, this.previouslySyncedUser).size(), tree.getProperty("rep:externalPrincipalNames").count());
            } else {
                Assert.assertFalse(tree.hasProperty("rep:externalPrincipalNames"));
            }
            if (!user.getEnforceDynamicMembership() || this.syncConfig.group().getDynamicGroups()) {
                assertSyncedMembership(this.userManager, authorizable, this.previouslySyncedUser);
            } else {
                Iterator<String> it = getExpectedSyncedGroupIds(user.getMembershipNestingDepth(), this.idp, this.previouslySyncedUser).iterator();
                while (it.hasNext()) {
                    Assert.assertNull(this.userManager.getAuthorizable(it.next()));
                }
            }
        } finally {
            user.setMembershipExpirationTime(membershipExpirationTime);
        }
    }

    @Test
    public void testSyncMembershipWithNesting() throws Exception {
        this.syncConfig.user().setMembershipNestingDepth(1L);
        ExternalUser user = this.idp.getUser(TestIdentityProvider.ID_TEST_USER);
        sync(user, SyncResult.Status.ADD);
        Authorizable authorizable = this.userManager.getAuthorizable(user.getId());
        assertDynamicMembership(user, 1L);
        this.syncContext.syncMembership(user, authorizable, -1L);
        assertDynamicMembership(authorizable, user, -1L);
        this.syncContext.syncMembership(user, authorizable, PREVIOUS_NESTING_DEPTH);
        assertDynamicMembership(authorizable, user, PREVIOUS_NESTING_DEPTH);
    }

    @Test
    public void testSyncMembershipWithChangedGroups() throws Exception {
        this.syncConfig.user().setMembershipNestingDepth(1L);
        ExternalUser user = this.idp.getUser(TestIdentityProvider.ID_TEST_USER);
        sync(user, SyncResult.Status.ADD);
        Authorizable authorizable = this.userManager.getAuthorizable(user.getId());
        assertDynamicMembership(authorizable, user, 1L);
        TestUserWithGroupRefs testUserWithGroupRefs = new TestUserWithGroupRefs(user, Set.of());
        this.syncContext.syncMembership(testUserWithGroupRefs, authorizable, 1L);
        assertDynamicMembership(authorizable, testUserWithGroupRefs, 1L);
        TestUserWithGroupRefs testUserWithGroupRefs2 = new TestUserWithGroupRefs(user, Set.of(this.idp.getGroup("a").getExternalId(), this.idp.getGroup("aa").getExternalId(), this.idp.getGroup("secondGroup").getExternalId()));
        this.syncContext.syncMembership(testUserWithGroupRefs2, authorizable, 1L);
        assertDynamicMembership(authorizable, testUserWithGroupRefs2, 1L);
    }

    @Test
    public void testSyncMembershipWithEmptyExistingGroups() throws Exception {
        long membershipNestingDepth = this.syncConfig.user().getMembershipNestingDepth();
        Authorizable authorizable = this.userManager.getAuthorizable(PREVIOUS_SYNCED_ID);
        TestUserWithGroupRefs testUserWithGroupRefs = new TestUserWithGroupRefs(this.previouslySyncedUser, Set.of());
        this.syncContext.syncMembership(testUserWithGroupRefs, authorizable, membershipNestingDepth);
        assertSyncedMembership(this.userManager, authorizable, testUserWithGroupRefs, membershipNestingDepth);
    }

    @Test
    public void testSyncMembershipWithChangedExistingGroups() throws Exception {
        long membershipNestingDepth = this.syncConfig.user().getMembershipNestingDepth();
        Authorizable authorizable = this.userManager.getAuthorizable(PREVIOUS_SYNCED_ID);
        TestUserWithGroupRefs testUserWithGroupRefs = new TestUserWithGroupRefs(this.previouslySyncedUser, Set.of(this.idp.getGroup("a").getExternalId(), this.idp.getGroup("aa").getExternalId(), this.idp.getGroup("secondGroup").getExternalId()));
        this.syncContext.syncMembership(testUserWithGroupRefs, authorizable, membershipNestingDepth);
        this.r.commit();
        assertSyncedMembership(this.userManager, authorizable, testUserWithGroupRefs);
    }

    @Test
    public void testSyncMembershipForExternalGroup() throws Exception {
        ExternalGroup group = this.idp.getGroup(((ExternalIdentityRef) this.previouslySyncedUser.getDeclaredGroups().iterator().next()).getId());
        Authorizable authorizable = this.userManager.getAuthorizable(group.getId());
        this.syncContext.syncMembership(group, authorizable, 1L);
        Assert.assertFalse(authorizable.hasProperty("rep:externalPrincipalNames"));
        Assert.assertFalse(this.r.hasPendingChanges());
    }

    @Test
    public void testSyncMembershipWithForeignGroups() throws Exception {
        TestIdentityProvider.TestUser testUser = (TestIdentityProvider.TestUser) this.idp.getUser(TestIdentityProvider.ID_TEST_USER);
        Set<ExternalIdentityRef> expectedSyncedGroupRefs = getExpectedSyncedGroupRefs(this.syncConfig.user().getMembershipNestingDepth(), this.idp, testUser);
        TestIdentityProvider.ForeignExternalGroup foreignExternalGroup = new TestIdentityProvider.ForeignExternalGroup();
        testUser.withGroups(foreignExternalGroup.getExternalId());
        Assert.assertNotEquals(expectedSyncedGroupRefs, testUser.getDeclaredGroups());
        sync(testUser, SyncResult.Status.ADD);
        Authorizable authorizable = this.userManager.getAuthorizable(TestIdentityProvider.ID_TEST_USER);
        Assert.assertTrue(authorizable.hasProperty("rep:externalPrincipalNames"));
        Value[] property = authorizable.getProperty("rep:externalPrincipalNames");
        Assert.assertEquals(IterableUtils.size(expectedSyncedGroupRefs), property.length);
        for (Value value : property) {
            Assert.assertNotEquals(foreignExternalGroup.getPrincipalName(), value.getString());
        }
    }

    @Test
    public void testSyncMembershipWithUserRef() throws Exception {
        TestIdentityProvider.TestUser testUser = (TestIdentityProvider.TestUser) this.idp.getUser(TestIdentityProvider.ID_TEST_USER);
        Set<ExternalIdentityRef> expectedSyncedGroupRefs = getExpectedSyncedGroupRefs(this.syncConfig.user().getMembershipNestingDepth(), this.idp, testUser);
        Assert.assertNull(this.userManager.getAuthorizable(TestIdentityProvider.ID_SECOND_USER));
        ExternalUser user = this.idp.getUser(TestIdentityProvider.ID_SECOND_USER);
        testUser.withGroups(user.getExternalId());
        Assert.assertFalse(IterableUtils.elementsEqual(expectedSyncedGroupRefs, testUser.getDeclaredGroups()));
        sync(testUser, SyncResult.Status.ADD);
        Authorizable authorizable = this.userManager.getAuthorizable(TestIdentityProvider.ID_TEST_USER);
        Assert.assertTrue(authorizable.hasProperty("rep:externalPrincipalNames"));
        Value[] property = authorizable.getProperty("rep:externalPrincipalNames");
        Assert.assertEquals(IterableUtils.size(expectedSyncedGroupRefs), property.length);
        for (Value value : property) {
            Assert.assertNotEquals(user.getPrincipalName(), value.getString());
        }
    }

    @Test
    public void testSyncMembershipWithUserConflict() throws Exception {
        TestIdentityProvider.TestUser testUser = (TestIdentityProvider.TestUser) this.idp.getUser(TestIdentityProvider.ID_TEST_USER);
        Set<ExternalIdentityRef> expectedSyncedGroupRefs = getExpectedSyncedGroupRefs(this.syncConfig.user().getMembershipNestingDepth(), this.idp, testUser);
        testUser.withGroups(this.previouslySyncedUser.getExternalId());
        Assert.assertFalse(IterableUtils.elementsEqual(expectedSyncedGroupRefs, testUser.getDeclaredGroups()));
        sync(testUser, SyncResult.Status.ADD);
        Authorizable authorizable = this.userManager.getAuthorizable(TestIdentityProvider.ID_TEST_USER);
        Assert.assertTrue(authorizable.hasProperty("rep:externalPrincipalNames"));
        Value[] property = authorizable.getProperty("rep:externalPrincipalNames");
        Assert.assertEquals(IterableUtils.size(expectedSyncedGroupRefs), property.length);
        for (Value value : property) {
            Assert.assertNotEquals(this.previouslySyncedUser.getPrincipalName(), value.getString());
        }
    }

    @Test
    public void testSyncMembershipDeclaredGroupsFails() throws Exception {
        ExternalIdentityProvider externalIdentityProvider = (ExternalIdentityProvider) Mockito.spy(this.idp);
        ExternalUser externalUser = (ExternalUser) Mockito.spy(externalIdentityProvider.getUser(TestIdentityProvider.ID_TEST_USER));
        this.syncContext.sync(externalUser);
        Mockito.clearInvocations(new ExternalIdentityProvider[]{externalIdentityProvider});
        Authorizable authorizable = this.userManager.getAuthorizable(externalUser.getId());
        Assert.assertNotNull(authorizable);
        Mockito.when(externalUser.getDeclaredGroups()).thenThrow(new Throwable[]{new ExternalIdentityException()});
        this.syncContext.syncMembership(externalUser, authorizable, 1L);
        ((ExternalIdentityProvider) Mockito.verify(externalIdentityProvider, Mockito.never())).getIdentity((ExternalIdentityRef) ArgumentMatchers.any(ExternalIdentityRef.class));
    }

    @Test
    public void testAutoMembership() throws Exception {
        Group createGroup = this.userManager.createGroup("group" + UUID.randomUUID());
        this.r.commit();
        this.syncConfig.user().setAutoMembership(new String[]{createGroup.getID(), "non-existing-group"});
        Assert.assertSame(SyncResult.Status.ADD, this.syncContext.sync(this.idp.getUser(TestIdentityProvider.ID_TEST_USER)).getStatus());
        User authorizable = this.userManager.getAuthorizable(TestIdentityProvider.ID_TEST_USER, User.class);
        Assert.assertFalse(createGroup.isDeclaredMember(authorizable));
        Assert.assertFalse(createGroup.isMember(authorizable));
    }

    @Test
    public void testConvertToDynamicMembershipAlreadyDynamic() throws Exception {
        this.syncConfig.user().setMembershipNestingDepth(1L);
        ExternalUser user = this.idp.getUser(TestIdentityProvider.ID_TEST_USER);
        sync(user, SyncResult.Status.ADD);
        User authorizable = this.userManager.getAuthorizable(user.getId(), User.class);
        Assert.assertNotNull(authorizable);
        Assert.assertFalse(this.syncContext.convertToDynamicMembership(authorizable));
    }

    @Test
    public void testConvertToDynamicMembership() throws Exception {
        User authorizable = this.userManager.getAuthorizable(PREVIOUS_SYNCED_ID, User.class);
        Assert.assertNotNull(authorizable);
        Assert.assertFalse(authorizable.hasProperty("rep:externalPrincipalNames"));
        Assert.assertFalse(authorizable.hasProperty("rep:lastDynamicSync"));
        Assert.assertTrue(this.syncContext.convertToDynamicMembership(authorizable));
        Assert.assertTrue(authorizable.hasProperty("rep:externalPrincipalNames"));
        Assert.assertTrue(authorizable.hasProperty("rep:lastDynamicSync"));
        assertDeclaredGroups(this.previouslySyncedUser);
    }

    @Test
    public void testConvertToDynamicMembershipForGroup() throws Exception {
        Assert.assertFalse(this.syncContext.convertToDynamicMembership((Authorizable) Mockito.when(Boolean.valueOf(((Authorizable) Mockito.mock(Authorizable.class)).isGroup())).thenReturn(true).getMock()));
    }
}
