package org.apache.jackrabbit.oak.spi.security.authorization.cug.impl;

import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import java.security.Principal;
import java.util.Iterator;
import java.util.Set;
import javax.jcr.SimpleCredentials;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.ContentSession;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.plugins.nodetype.NodeTypeConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
import org.apache.jackrabbit.oak.util.NodeUtil;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Ignore;
import org.junit.Test;

/* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugEvaluationTest.class */
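/**
 * Exercises permission evaluation when closed user group (CUG) policies are combined with a
 * regular access control list.
 *
 * <p>Fixture built by {@link #before()}:
 * <ul>
 *   <li>group {@code testGroup} with member {@code testUser2};</li>
 *   <li>node trees {@code /content/a/b/c} and {@code /content/aa/bb/cc};</li>
 *   <li>CUG policies on {@code /content/a} and {@code /content/aa/bb} naming the test group, and on
 *       {@code /content/a/b/c} and {@code /content2} naming the everyone principal;</li>
 *   <li>an ACL on {@code /content} granting {@code jcr:read} to the test user and
 *       {@code jcr:read}, {@code rep:write}, {@code jcr:readAccessControl} to the test group.</li>
 * </ul>
 *
 * <p>Two tests ({@link #testReadCug()}, {@link #testWriteCug()}) are disabled with the reason
 * "cugpolicy not detected as ac-content". While they stay disabled, no assertion in this class
 * checks that a session lacking access control privileges is denied on {@code rep:cugPolicy}
 * nodes, so that part of the authorization model is not covered by this suite.
 */
public class CugEvaluationTest extends AbstractCugTest implements NodeTypeConstants {
    private static final String TEST_GROUP_ID = "testGroup";
    private static final String TEST_USER2_ID = "testUser2";

    /**
     * Permission bit masks handed to {@code PermissionProvider.isGranted}. 3 is the value of Oak's
     * {@code Permissions.READ} (READ_NODE | READ_PROPERTY) and 128 the value of
     * {@code Permissions.READ_ACCESS_CONTROL}; they mirror the {@code jcr:read} and
     * {@code jcr:readAccessControl} checks in {@link #testHasPrivileges()}.
     */
    private static final long PERM_READ = 3L;
    private static final long PERM_READ_ACCESS_CONTROL = 128L;

    private ContentSession testSession;
    private Root testRoot;
    private Principal testGroupPrincipal;

    /**
     * Builds the users, content, CUG policies and ACL described in the class comment and opens the
     * session of the test user that most read/write tests operate on.
     */
    @Override
    @Before
    public void before() throws Exception {
        super.before();

        Group testGroup = getUserManager(this.root).createGroup(TEST_GROUP_ID);
        this.testGroupPrincipal = testGroup.getPrincipal();
        // Fixture account only: the password is deliberately the same as the user id.
        testGroup.addMember(getUserManager(this.root).createUser(TEST_USER2_ID, TEST_USER2_ID));
        this.root.commit();

        NodeUtil content = new NodeUtil(this.root.getTree("/content"));
        content.addChild("a", "oak:Unstructured")
                .addChild("b", "oak:Unstructured")
                .addChild("c", "oak:Unstructured");
        content.addChild("aa", "oak:Unstructured")
                .addChild("bb", "oak:Unstructured")
                .addChild("cc", "oak:Unstructured");

        // Nested CUGs: the inner one on /content/a/b/c names a different principal than the outer
        // one on /content/a, which is what the evaluation tests below rely on.
        createCug("/content/a", this.testGroupPrincipal);
        createCug("/content/aa/bb", this.testGroupPrincipal);
        createCug("/content/a/b/c", EveryonePrincipal.getInstance());
        createCug("/content2", EveryonePrincipal.getInstance());

        JackrabbitAccessControlManager acMgr = getAccessControlManager(this.root);
        JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, "/content");
        acl.addAccessControlEntry(getTestUser().getPrincipal(), privilegesFromNames(new String[]{"jcr:read"}));
        acl.addAccessControlEntry(
                this.testGroupPrincipal,
                privilegesFromNames(new String[]{"jcr:read", "rep:write", "jcr:readAccessControl"}));
        acMgr.setPolicy("/content", acl);
        this.root.commit();

        this.testSession = createTestSession();
        this.testRoot = this.testSession.getLatestRoot();
    }

    /**
     * Removes the group and user created by {@link #before()}, then closes the test session and
     * delegates to the parent teardown. The session is closed and the parent teardown runs exactly
     * once, also when the cleanup itself fails.
     */
    @Override
    public void after() throws Exception {
        try {
            this.root.refresh();
            Authorizable group = getUserManager(this.root).getAuthorizable(TEST_GROUP_ID);
            if (group != null) {
                group.remove();
            }
            Authorizable user2 = getUserManager(this.root).getAuthorizable(TEST_USER2_ID);
            if (user2 != null) {
                user2.remove();
            }
            this.root.commit();
        } finally {
            try {
                if (this.testSession != null) {
                    this.testSession.close();
                }
            } finally {
                super.after();
            }
        }
    }

    /**
     * Obtains a permission provider for the given principal set from the authorization
     * configuration, bound to the admin root and the admin session's workspace.
     */
    private PermissionProvider createPermissionProvider(Set<Principal> set) {
        AuthorizationConfiguration authorization =
                (AuthorizationConfiguration) getSecurityProvider().getConfiguration(AuthorizationConfiguration.class);
        return authorization.getPermissionProvider(this.root, this.adminSession.getWorkspaceName(), set);
    }

    /** Opens a session for {@code testUser2}, the member of the test group. Callers must close it. */
    private ContentSession loginTestUser2() throws Exception {
        return login(new SimpleCredentials(TEST_USER2_ID, TEST_USER2_ID.toCharArray()));
    }

    /**
     * The test user (not a member of the test group) must not see anything outside /content nor
     * the subtrees whose CUG names only the test group, but does see /content/a/b/c, where the
     * nested CUG names everyone.
     */
    @Test
    public void testRead() throws Exception {
        // "/testNode" and "/content/subtree" are not created in this class; presumably they come
        // from the parent fixture.
        for (String hidden : ImmutableList.of("/", "/testNode", "/content/a", "/content/a/b", "/content/aa/bb", "/content2")) {
            Assert.assertFalse(hidden, this.testRoot.getTree(hidden).exists());
        }
        for (String visible : ImmutableList.of("/content", "/content/subtree", "/content/a/b/c", "/content/aa")) {
            Assert.assertTrue(visible, this.testRoot.getTree(visible).exists());
        }
    }

    /** The test user holds only jcr:read and therefore must not see the ACL node on /content. */
    @Test
    public void testReadAcl() throws Exception {
        Assert.assertFalse(this.testRoot.getTree("/content/rep:policy").exists());
    }

    /**
     * testUser2 inherits jcr:readAccessControl from the test group and sees the ACL node on
     * /content, but not the CUG policy node on /content2.
     */
    @Test
    public void testReadAcl2() throws Exception {
        ContentSession session = loginTestUser2();
        try {
            Root sessionRoot = session.getLatestRoot();
            Assert.assertTrue(sessionRoot.getTree("/content/rep:policy").exists());
            Assert.assertFalse(sessionRoot.getTree("/content2/rep:cugPolicy").exists());
        } finally {
            session.close();
        }
    }

    /**
     * Expected behaviour: the test user, lacking jcr:readAccessControl, cannot read any CUG policy
     * node. Disabled; see the reason on the annotation.
     */
    @Test
    @Ignore("FIXME: cugpolicy not detected as ac-content")
    public void testReadCug() throws Exception {
        for (String policyPath : ImmutableList.of("/content/a/rep:cugPolicy", "/content/aa/bb/rep:cugPolicy", "/content2/rep:cugPolicy")) {
            Assert.assertFalse(policyPath, this.testRoot.getTree(policyPath).exists());
        }
    }

    /** testUser2 can read the CUG policy node below /content/a but not the one below /content2. */
    @Test
    public void testReadCug2() throws Exception {
        ContentSession session = loginTestUser2();
        try {
            Root sessionRoot = session.getLatestRoot();
            Assert.assertTrue(sessionRoot.getTree("/content/a/rep:cugPolicy").exists());
            Assert.assertFalse(sessionRoot.getTree("/content2/rep:cugPolicy").exists());
        } finally {
            session.close();
        }
    }

    /**
     * The read-only test user must be refused when adding a node, both at /content and at
     * /content/a/b/c, and the refusal must be reported as an access violation.
     */
    @Test
    public void testWrite() throws Exception {
        for (String path : ImmutableList.of("/content", "/content/a/b/c")) {
            try {
                new NodeUtil(this.testRoot.getTree(path)).addChild("writeTest", "oak:Unstructured");
                this.testRoot.commit();
                Assert.fail("commit by the read-only test user must fail at " + path);
            } catch (CommitFailedException e) {
                Assert.assertTrue(e.isAccessViolation());
            } finally {
                // Drop the pending change so the next iteration starts from a clean root.
                this.testRoot.refresh();
            }
        }
    }

    /** testUser2 has rep:write through the test group and can add nodes at both locations. */
    @Test
    public void testWrite2() throws Exception {
        ContentSession session = loginTestUser2();
        try {
            Root sessionRoot = session.getLatestRoot();
            try {
                for (String path : ImmutableList.of("/content", "/content/a/b/c")) {
                    new NodeUtil(sessionRoot.getTree(path)).addChild("writeTest", "oak:Unstructured");
                    sessionRoot.commit();
                }
            } finally {
                sessionRoot.refresh();
            }
        } finally {
            session.close();
        }
    }

    /**
     * rep:write does not include the right to modify access control content: testUser2 must be
     * refused when trying to create an ACL node at /content/a/b/c.
     */
    @Test
    public void testWriteAcl() throws Exception {
        // The session was previously never closed; it is now released in the outer finally.
        ContentSession session = loginTestUser2();
        try {
            Root sessionRoot = session.getLatestRoot();
            try {
                Tree target = sessionRoot.getTree("/content/a/b/c");
                target.setProperty("jcr:mixinTypes", ImmutableList.of("rep:CugMixin", "rep:AccessControllable"), Type.NAMES);
                target.addChild("rep:policy").setProperty("jcr:primaryType", "rep:ACL", Type.NAME);
                sessionRoot.commit();
                Assert.fail("creating an ACL without access control write permission must fail");
            } catch (CommitFailedException e) {
                Assert.assertTrue(e.isAccessViolation());
            } finally {
                sessionRoot.refresh();
            }
        } finally {
            session.close();
        }
    }

    /**
     * Expected behaviour: testUser2 must be refused when rewriting the principal list of the CUG
     * policy on /content/a (here: adding "everyone", which would widen read access). Disabled; see
     * the reason on the annotation.
     */
    @Test
    @Ignore("FIXME: cugpolicy not detected as ac-content")
    public void testWriteCug() throws Exception {
        // The session was previously never closed; it is now released in the outer finally.
        ContentSession session = loginTestUser2();
        try {
            Root sessionRoot = session.getLatestRoot();
            try {
                sessionRoot.getTree("/content/a/rep:cugPolicy").setProperty(
                        "rep:principalNames",
                        ImmutableList.of("everyone", this.testGroupPrincipal.getName()),
                        Type.STRINGS);
                sessionRoot.commit();
                Assert.fail("modifying a CUG policy without access control write permission must fail");
            } catch (CommitFailedException e) {
                Assert.assertTrue(e.isAccessViolation());
            } finally {
                sessionRoot.refresh();
            }
        } finally {
            session.close();
        }
    }

    /**
     * Checks {@code isGranted} for read and read-access-control on /content, /content/a and
     * /content/a/b/c with four different principal sets.
     */
    @Test
    public void testIsGranted() throws Exception {
        Tree content = this.root.getTree("/content");
        Tree a = this.root.getTree("/content/a");
        Tree c = this.root.getTree("/content/a/b/c");

        // Test group alone: read is lost at c, whose CUG names only everyone, while
        // read-access-control stays granted on all three trees.
        PermissionProvider groupOnly = createPermissionProvider(ImmutableSet.of(this.testGroupPrincipal));
        Assert.assertTrue(groupOnly.isGranted(content, (PropertyState) null, PERM_READ));
        Assert.assertTrue(groupOnly.isGranted(a, (PropertyState) null, PERM_READ));
        Assert.assertFalse(groupOnly.isGranted(c, (PropertyState) null, PERM_READ));
        Assert.assertTrue(groupOnly.isGranted(content, (PropertyState) null, PERM_READ_ACCESS_CONTROL));
        Assert.assertTrue(groupOnly.isGranted(a, (PropertyState) null, PERM_READ_ACCESS_CONTROL));
        Assert.assertTrue(groupOnly.isGranted(c, (PropertyState) null, PERM_READ_ACCESS_CONTROL));

        // Everyone alone: no ACL entry exists for it, so being named in a CUG grants nothing.
        PermissionProvider everyoneOnly = createPermissionProvider(ImmutableSet.of(EveryonePrincipal.getInstance()));
        Assert.assertFalse(everyoneOnly.isGranted(content, (PropertyState) null, PERM_READ));
        Assert.assertFalse(everyoneOnly.isGranted(a, (PropertyState) null, PERM_READ));
        Assert.assertFalse(everyoneOnly.isGranted(c, (PropertyState) null, PERM_READ));
        Assert.assertFalse(everyoneOnly.isGranted(content, (PropertyState) null, PERM_READ_ACCESS_CONTROL));
        Assert.assertFalse(everyoneOnly.isGranted(a, (PropertyState) null, PERM_READ_ACCESS_CONTROL));
        Assert.assertFalse(everyoneOnly.isGranted(c, (PropertyState) null, PERM_READ_ACCESS_CONTROL));

        // Test group plus everyone: both CUGs are satisfied, everything is granted.
        PermissionProvider groupAndEveryone =
                createPermissionProvider(ImmutableSet.of(this.testGroupPrincipal, EveryonePrincipal.getInstance()));
        Assert.assertTrue(groupAndEveryone.isGranted(content, (PropertyState) null, PERM_READ));
        Assert.assertTrue(groupAndEveryone.isGranted(a, (PropertyState) null, PERM_READ));
        Assert.assertTrue(groupAndEveryone.isGranted(c, (PropertyState) null, PERM_READ));
        Assert.assertTrue(groupAndEveryone.isGranted(content, (PropertyState) null, PERM_READ_ACCESS_CONTROL));
        Assert.assertTrue(groupAndEveryone.isGranted(a, (PropertyState) null, PERM_READ_ACCESS_CONTROL));
        Assert.assertTrue(groupAndEveryone.isGranted(c, (PropertyState) null, PERM_READ_ACCESS_CONTROL));

        // Test user plus everyone: read is denied at a (CUG names the test group) but granted
        // again at c; read-access-control was never granted to the test user.
        PermissionProvider userAndEveryone =
                createPermissionProvider(ImmutableSet.of(getTestUser().getPrincipal(), EveryonePrincipal.getInstance()));
        Assert.assertTrue(userAndEveryone.isGranted(content, (PropertyState) null, PERM_READ));
        Assert.assertFalse(userAndEveryone.isGranted(a, (PropertyState) null, PERM_READ));
        Assert.assertTrue(userAndEveryone.isGranted(c, (PropertyState) null, PERM_READ));
        Assert.assertFalse(userAndEveryone.isGranted(content, (PropertyState) null, PERM_READ_ACCESS_CONTROL));
        Assert.assertFalse(userAndEveryone.isGranted(a, (PropertyState) null, PERM_READ_ACCESS_CONTROL));
        Assert.assertFalse(userAndEveryone.isGranted(c, (PropertyState) null, PERM_READ_ACCESS_CONTROL));
    }

    /**
     * Privilege-name counterpart of {@link #testIsGranted()}: the same trees and principal sets,
     * checked through {@code hasPrivileges} with identical expected outcomes.
     */
    @Test
    public void testHasPrivileges() throws Exception {
        Tree content = this.root.getTree("/content");
        Tree a = this.root.getTree("/content/a");
        Tree c = this.root.getTree("/content/a/b/c");

        // Test group alone.
        PermissionProvider groupOnly = createPermissionProvider(ImmutableSet.of(this.testGroupPrincipal));
        Assert.assertTrue(groupOnly.hasPrivileges(content, new String[]{"jcr:read"}));
        Assert.assertTrue(groupOnly.hasPrivileges(a, new String[]{"jcr:read"}));
        Assert.assertFalse(groupOnly.hasPrivileges(c, new String[]{"jcr:read"}));
        Assert.assertTrue(groupOnly.hasPrivileges(content, new String[]{"rep:write", "jcr:readAccessControl"}));
        Assert.assertTrue(groupOnly.hasPrivileges(a, new String[]{"rep:write", "jcr:readAccessControl"}));
        Assert.assertTrue(groupOnly.hasPrivileges(c, new String[]{"rep:write", "jcr:readAccessControl"}));

        // Everyone alone.
        PermissionProvider everyoneOnly = createPermissionProvider(ImmutableSet.of(EveryonePrincipal.getInstance()));
        Assert.assertFalse(everyoneOnly.hasPrivileges(content, new String[]{"jcr:read"}));
        Assert.assertFalse(everyoneOnly.hasPrivileges(a, new String[]{"jcr:read"}));
        Assert.assertFalse(everyoneOnly.hasPrivileges(c, new String[]{"jcr:read"}));
        Assert.assertFalse(everyoneOnly.hasPrivileges(content, new String[]{"rep:write", "jcr:readAccessControl"}));
        Assert.assertFalse(everyoneOnly.hasPrivileges(a, new String[]{"rep:write", "jcr:readAccessControl"}));
        Assert.assertFalse(everyoneOnly.hasPrivileges(c, new String[]{"rep:write", "jcr:readAccessControl"}));

        // Test group plus everyone.
        PermissionProvider groupAndEveryone =
                createPermissionProvider(ImmutableSet.of(this.testGroupPrincipal, EveryonePrincipal.getInstance()));
        Assert.assertTrue(groupAndEveryone.hasPrivileges(content, new String[]{"jcr:read"}));
        Assert.assertTrue(groupAndEveryone.hasPrivileges(a, new String[]{"jcr:read"}));
        Assert.assertTrue(groupAndEveryone.hasPrivileges(c, new String[]{"jcr:read"}));
        Assert.assertTrue(groupAndEveryone.hasPrivileges(content, new String[]{"rep:write", "jcr:readAccessControl"}));
        Assert.assertTrue(groupAndEveryone.hasPrivileges(a, new String[]{"rep:write", "jcr:readAccessControl"}));
        Assert.assertTrue(groupAndEveryone.hasPrivileges(c, new String[]{"rep:write", "jcr:readAccessControl"}));

        // Test user plus everyone.
        PermissionProvider userAndEveryone =
                createPermissionProvider(ImmutableSet.of(getTestUser().getPrincipal(), EveryonePrincipal.getInstance()));
        Assert.assertTrue(userAndEveryone.hasPrivileges(content, new String[]{"jcr:read"}));
        Assert.assertFalse(userAndEveryone.hasPrivileges(a, new String[]{"jcr:read"}));
        Assert.assertTrue(userAndEveryone.hasPrivileges(c, new String[]{"jcr:read"}));
        Assert.assertFalse(userAndEveryone.hasPrivileges(content, new String[]{"rep:write", "jcr:readAccessControl"}));
        Assert.assertFalse(userAndEveryone.hasPrivileges(a, new String[]{"rep:write", "jcr:readAccessControl"}));
        Assert.assertFalse(userAndEveryone.hasPrivileges(c, new String[]{"rep:write", "jcr:readAccessControl"}));
    }

    /** With the default fixture the test group never holds jcr:all. */
    @Test
    public void testHasAllPrivileges() throws Exception {
        PermissionProvider groupOnly = createPermissionProvider(ImmutableSet.of(this.testGroupPrincipal));
        Assert.assertFalse(groupOnly.hasPrivileges(this.root.getTree("/content"), new String[]{"jcr:all"}));
        Assert.assertFalse(groupOnly.hasPrivileges(this.root.getTree("/content/a"), new String[]{"jcr:all"}));
        // NOTE(review): before() creates /content/a/b/c, not /content/b/c, so this path does not
        // appear to exist in the fixture and the assertion may pass trivially. Confirm whether
        // "/content/a/b/c" was intended, as in testHasAllPrivileges3.
        Assert.assertFalse(groupOnly.hasPrivileges(this.root.getTree("/content/b/c"), new String[]{"jcr:all"}));
    }

    /**
     * After jcr:all is granted to the test group at /content/a, the group holds jcr:all at
     * /content/a and /content/a/b, but neither at /content (no such grant) nor at /content/a/b/c
     * (nested CUG naming only everyone).
     */
    @Test
    public void testHasAllPrivileges2() throws Exception {
        JackrabbitAccessControlManager acMgr = getAccessControlManager(this.root);
        JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, "/content/a");
        acl.addAccessControlEntry(this.testGroupPrincipal, privilegesFromNames(new String[]{"jcr:all"}));
        acMgr.setPolicy("/content/a", acl);
        this.root.commit();

        PermissionProvider groupOnly = createPermissionProvider(ImmutableSet.of(this.testGroupPrincipal));
        Assert.assertFalse(groupOnly.hasPrivileges(this.root.getTree("/content"), new String[]{"jcr:all"}));
        Assert.assertTrue(groupOnly.hasPrivileges(this.root.getTree("/content/a"), new String[]{"jcr:all"}));
        Assert.assertTrue(groupOnly.hasPrivileges(this.root.getTree("/content/a/b"), new String[]{"jcr:all"}));
        Assert.assertFalse(groupOnly.hasPrivileges(this.root.getTree("/content/a/b/c"), new String[]{"jcr:all"}));
    }

    /** The admin session's principals hold jcr:all everywhere, CUG policies notwithstanding. */
    @Test
    public void testHasAllPrivileges3() throws Exception {
        PermissionProvider admin = createPermissionProvider(this.adminSession.getAuthInfo().getPrincipals());
        Assert.assertTrue(admin.hasPrivileges(this.root.getTree("/content"), new String[]{"jcr:all"}));
        Assert.assertTrue(admin.hasPrivileges(this.root.getTree("/content/a"), new String[]{"jcr:all"}));
        Assert.assertTrue(admin.hasPrivileges(this.root.getTree("/content/a/b/c"), new String[]{"jcr:all"}));
    }

    /**
     * Expected privilege sets returned by {@code getPrivileges} for the same trees and principal
     * sets as {@link #testHasPrivileges()}.
     */
    // NOTE(review): disabled without a stated reason; record why on the annotation so the
    // coverage gap is traceable.
    @Test
    @Ignore
    public void testGetPrivileges() throws Exception {
        Tree content = this.root.getTree("/content");
        Tree a = this.root.getTree("/content/a");
        Tree c = this.root.getTree("/content/a/b/c");

        Set<String> readOnly = ImmutableSet.of("jcr:read");
        Set<String> writeAndReadAc = ImmutableSet.of("rep:write", "jcr:readAccessControl");
        Set<String> allGranted = ImmutableSet.of("jcr:read", "rep:write", "jcr:readAccessControl");

        // Test group alone.
        PermissionProvider groupOnly = createPermissionProvider(ImmutableSet.of(this.testGroupPrincipal));
        Assert.assertEquals(allGranted, groupOnly.getPrivileges(content));
        Assert.assertEquals(allGranted, groupOnly.getPrivileges(a));
        Assert.assertEquals(writeAndReadAc, groupOnly.getPrivileges(c));

        // Everyone alone.
        PermissionProvider everyoneOnly = createPermissionProvider(ImmutableSet.of(EveryonePrincipal.getInstance()));
        Assert.assertTrue(everyoneOnly.getPrivileges(content).isEmpty());
        Assert.assertTrue(everyoneOnly.getPrivileges(a).isEmpty());
        Assert.assertTrue(everyoneOnly.getPrivileges(c).isEmpty());

        // Test group plus everyone.
        PermissionProvider groupAndEveryone =
                createPermissionProvider(ImmutableSet.of(this.testGroupPrincipal, EveryonePrincipal.getInstance()));
        Assert.assertEquals(allGranted, groupAndEveryone.getPrivileges(content));
        Assert.assertEquals(allGranted, groupAndEveryone.getPrivileges(a));
        Assert.assertEquals(allGranted, groupAndEveryone.getPrivileges(c));

        // Test user plus everyone.
        PermissionProvider userAndEveryone =
                createPermissionProvider(ImmutableSet.of(getTestUser().getPrincipal(), EveryonePrincipal.getInstance()));
        Assert.assertEquals(readOnly, userAndEveryone.getPrivileges(content));
        Assert.assertTrue(userAndEveryone.getPrivileges(a).isEmpty());
        Assert.assertEquals(readOnly, userAndEveryone.getPrivileges(c));
    }
}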
