package org.apache.jackrabbit.oak.spi.security.authorization.cug.impl;

import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import java.security.Principal;
import java.util.Collections;
import java.util.Iterator;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.jcr.PathNotFoundException;
import javax.jcr.RepositoryException;
import javax.jcr.security.AccessControlException;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.NamedAccessControlPolicy;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.spi.security.authorization.cug.CugPolicy;
import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
import org.apache.jackrabbit.oak.util.NodeUtil;
import org.apache.jackrabbit.oak.util.TreeUtil;
import org.junit.Assert;
import org.junit.Test;

/* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugAccessControlManagerTest.class */
public class CugAccessControlManagerTest extends AbstractCugTest {
    private CugAccessControlManager cugAccessControlManager;

    /* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugAccessControlManagerTest$InvalidCug.class */
    private static final class InvalidCug implements CugPolicy {
        private static final InvalidCug INSTANCE = new InvalidCug();

        private InvalidCug() {
        }

        @Nonnull
        public Set<Principal> getPrincipals() {
            return Collections.emptySet();
        }

        public boolean addPrincipals(@Nonnull Principal... principalArr) {
            return false;
        }

        public boolean removePrincipals(@Nonnull Principal... principalArr) {
            return false;
        }

        public String getPath() {
            return null;
        }
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authorization.cug.impl.AbstractCugTest
    public void before() throws Exception {
        super.before();
        this.cugAccessControlManager = new CugAccessControlManager(this.root, NamePathMapper.DEFAULT, getSecurityProvider());
    }

    private CugPolicy createCug(@Nonnull String str) {
        return new CugPolicyImpl(str, NamePathMapper.DEFAULT, getPrincipalManager(this.root), 3);
    }

    private CugPolicy getApplicableCug(@Nonnull String str) throws RepositoryException {
        return this.cugAccessControlManager.getApplicablePolicies(str).nextAccessControlPolicy();
    }

    @Test
    public void testGetSupportedPrivileges() throws Exception {
        Privilege[] privilegesFromNames = privilegesFromNames(new String[]{"jcr:read"});
        ImmutableMap of = ImmutableMap.of("/content", privilegesFromNames, "/content/subtree", privilegesFromNames, "/testNode", new Privilege[0], "/jcr:system/jcr:nodeTypes", new Privilege[0]);
        for (String str : of.keySet()) {
            Assert.assertArrayEquals((Privilege[]) of.get(str), this.cugAccessControlManager.getSupportedPrivileges(str));
        }
    }

    @Test(expected = PathNotFoundException.class)
    public void testGetSupportedPrivilegesInvalidPath() throws Exception {
        this.cugAccessControlManager.getSupportedPrivileges("/path/to/non/existing/tree");
    }

    @Test
    public void testGetApplicablePolicies() throws Exception {
        Assert.assertTrue(this.cugAccessControlManager.getApplicablePolicies("/content").hasNext());
        Assert.assertTrue(this.cugAccessControlManager.getApplicablePolicies("/content").nextAccessControlPolicy() instanceof CugPolicyImpl);
    }

    @Test
    public void testGetApplicablePoliciesAfterSet() throws Exception {
        this.cugAccessControlManager.setPolicy("/content", getApplicableCug("/content"));
        Assert.assertFalse(this.cugAccessControlManager.getApplicablePolicies("/content").hasNext());
    }

    @Test(expected = PathNotFoundException.class)
    public void testGetApplicablePoliciesInvalidPath() throws Exception {
        this.cugAccessControlManager.getApplicablePolicies("/path/to/non/existing/tree");
    }

    @Test
    public void testGetApplicablePoliciesUnsupportedPath() throws Exception {
        Assert.assertFalse(this.cugAccessControlManager.getApplicablePolicies("/testNode").hasNext());
    }

    @Test
    public void testGetApplicablePoliciesNullPath() throws Exception {
        Assert.assertFalse(this.cugAccessControlManager.getApplicablePolicies((String) null).hasNext());
    }

    @Test
    public void testGetPolicies() throws Exception {
        Assert.assertEquals(0L, this.cugAccessControlManager.getPolicies("/content").length);
    }

    @Test
    public void testGetPoliciesAfterSet() throws Exception {
        this.cugAccessControlManager.setPolicy("/content", getApplicableCug("/content"));
        AccessControlPolicy[] policies = this.cugAccessControlManager.getPolicies("/content");
        Assert.assertEquals(1L, policies.length);
        Assert.assertTrue(policies[0] instanceof CugPolicyImpl);
    }

    @Test
    public void testGetPoliciesAfterManualCreation() throws Exception {
        NodeUtil addChild = new NodeUtil(this.root.getTree("/content")).addChild("rep:cugPolicy", "rep:CugPolicy");
        CugPolicy[] policies = this.cugAccessControlManager.getPolicies("/content");
        Assert.assertEquals(1L, policies.length);
        Assert.assertTrue(policies[0] instanceof CugPolicy);
        Assert.assertTrue(policies[0].getPrincipals().isEmpty());
        addChild.setStrings("rep:principalNames", new String[]{"unknownPrincipalName", "everyone"});
        Assert.assertEquals(2L, this.cugAccessControlManager.getPolicies("/content")[0].getPrincipals().size());
    }

    @Test(expected = PathNotFoundException.class)
    public void testGetPoliciesInvalidPath() throws Exception {
        this.cugAccessControlManager.getPolicies("/path/to/non/existing/tree");
    }

    @Test
    public void testGetPoliciesUnsupportedPath() throws Exception {
        Assert.assertEquals(0L, this.cugAccessControlManager.getPolicies("/testNode").length);
    }

    @Test
    public void testGetPoliciesNullPath() throws Exception {
        Assert.assertEquals(0L, this.cugAccessControlManager.getPolicies((String) null).length);
    }

    @Test
    public void testGetEffectivePolicies() throws Exception {
        Assert.assertEquals(0L, this.cugAccessControlManager.getEffectivePolicies("/content").length);
        this.cugAccessControlManager.setPolicy("/content", createCug("/content"));
        this.root.commit();
        JackrabbitAccessControlPolicy[] effectivePolicies = this.cugAccessControlManager.getEffectivePolicies("/content");
        Assert.assertEquals(1L, effectivePolicies.length);
        JackrabbitAccessControlPolicy[] effectivePolicies2 = this.cugAccessControlManager.getEffectivePolicies("/content/subtree");
        Assert.assertEquals(1L, effectivePolicies.length);
        Assert.assertEquals(effectivePolicies.length, effectivePolicies2.length);
        Assert.assertEquals(effectivePolicies[0].getPath(), effectivePolicies2[0].getPath());
    }

    @Test(expected = PathNotFoundException.class)
    public void testGetEffectivePoliciesInvalidPath() throws Exception {
        this.cugAccessControlManager.getEffectivePolicies("/path/to/non/existing/tree");
    }

    @Test
    public void testGetEffectivePoliciesUnsupportedPath() throws Exception {
        Assert.assertEquals(0L, this.cugAccessControlManager.getEffectivePolicies("/testNode").length);
    }

    @Test
    public void testGetEffectivePoliciesNullPath() throws Exception {
        Assert.assertEquals(0L, this.cugAccessControlManager.getEffectivePolicies((String) null).length);
    }

    @Test
    public void testSetPolicy() throws Exception {
        CugPolicy applicableCug = getApplicableCug("/content");
        applicableCug.addPrincipals(new Principal[]{EveryonePrincipal.getInstance()});
        this.cugAccessControlManager.setPolicy("/content", applicableCug);
        CugPolicy[] policies = this.cugAccessControlManager.getPolicies("/content");
        Assert.assertEquals(1L, policies.length);
        CugPolicy cugPolicy = policies[0];
        Assert.assertTrue(cugPolicy instanceof CugPolicyImpl);
        Set principals = cugPolicy.getPrincipals();
        Assert.assertEquals(1L, principals.size());
        Assert.assertEquals(EveryonePrincipal.getInstance(), principals.iterator().next());
    }

    @Test
    public void testSetPolicyPersisted() throws Exception {
        CugPolicy applicableCug = getApplicableCug("/content");
        applicableCug.addPrincipals(new Principal[]{EveryonePrincipal.getInstance()});
        this.cugAccessControlManager.setPolicy("/content", applicableCug);
        this.root.commit();
        Tree tree = this.root.getTree("/content");
        Assert.assertTrue(TreeUtil.isNodeType(tree, "rep:CugMixin", this.root.getTree("/jcr:system/jcr:nodeTypes")));
        Tree child = tree.getChild("rep:cugPolicy");
        Assert.assertTrue(child.exists());
        Assert.assertEquals("rep:CugPolicy", TreeUtil.getPrimaryTypeName(child));
        PropertyState property = child.getProperty("rep:principalNames");
        Assert.assertNotNull(property);
        Assert.assertTrue(property.isArray());
        Assert.assertEquals(Type.STRINGS, property.getType());
        Assert.assertEquals(1L, property.count());
        Assert.assertEquals("everyone", property.getValue(Type.STRING, 0));
    }

    @Test
    public void testSetInvalidPolicy() throws Exception {
        Iterator it = ImmutableList.of(new AccessControlPolicy() { // from class: org.apache.jackrabbit.oak.spi.security.authorization.cug.impl.CugAccessControlManagerTest.1
        }, new NamedAccessControlPolicy() { // from class: org.apache.jackrabbit.oak.spi.security.authorization.cug.impl.CugAccessControlManagerTest.2
            public String getName() {
                return "name";
            }
        }, InvalidCug.INSTANCE).iterator();
        while (it.hasNext()) {
            try {
                this.cugAccessControlManager.setPolicy("/content", (AccessControlPolicy) it.next());
                Assert.fail("Invalid cug policy must be detected.");
            } catch (AccessControlException e) {
            }
        }
    }

    @Test(expected = PathNotFoundException.class)
    public void testSetPolicyInvalidPath() throws Exception {
        this.cugAccessControlManager.setPolicy("/path/to/non/existing/tree", createCug("/path/to/non/existing/tree"));
    }

    @Test(expected = AccessControlException.class)
    public void testSetPolicyUnsupportedPath() throws Exception {
        this.cugAccessControlManager.setPolicy("/testNode", createCug("/testNode"));
    }

    @Test(expected = AccessControlException.class)
    public void testSetPolicyPathMismatch() throws Exception {
        this.cugAccessControlManager.setPolicy("/content", createCug("/content/subtree"));
    }

    @Test(expected = AccessControlException.class)
    public void testSetInvalidCugNode() throws Exception {
        new NodeUtil(this.root.getTree("/content")).addChild("rep:cugPolicy", "oak:Unstructured");
        this.cugAccessControlManager.setPolicy("/content", new CugPolicyImpl("/content", NamePathMapper.DEFAULT, getPrincipalManager(this.root), 2));
    }

    @Test
    public void testRemovePolicy() throws Exception {
        this.cugAccessControlManager.setPolicy("/content", getApplicableCug("/content"));
        this.cugAccessControlManager.removePolicy("/content", this.cugAccessControlManager.getPolicies("/content")[0]);
        Assert.assertArrayEquals(new AccessControlPolicy[0], this.cugAccessControlManager.getPolicies("/content"));
    }

    @Test
    public void testRemovePolicyPersisted() throws Exception {
        this.cugAccessControlManager.setPolicy("/content", getApplicableCug("/content"));
        this.root.commit();
        this.cugAccessControlManager.removePolicy("/content", this.cugAccessControlManager.getPolicies("/content")[0]);
        this.root.commit();
        Assert.assertFalse(this.root.getTree("/content").hasChild("rep:cugPolicy"));
    }

    @Test
    public void testRemoveInvalidPolicy() throws Exception {
        Iterator it = ImmutableList.of(new AccessControlPolicy() { // from class: org.apache.jackrabbit.oak.spi.security.authorization.cug.impl.CugAccessControlManagerTest.3
        }, new NamedAccessControlPolicy() { // from class: org.apache.jackrabbit.oak.spi.security.authorization.cug.impl.CugAccessControlManagerTest.4
            public String getName() {
                return "name";
            }
        }, InvalidCug.INSTANCE).iterator();
        while (it.hasNext()) {
            try {
                this.cugAccessControlManager.removePolicy("/content", (AccessControlPolicy) it.next());
                Assert.fail("Invalid cug policy must be detected.");
            } catch (AccessControlException e) {
            }
        }
    }

    @Test(expected = AccessControlException.class)
    public void testRemoveInvalidCugNode() throws Exception {
        new NodeUtil(this.root.getTree("/content")).addChild("rep:cugPolicy", "oak:Unstructured");
        this.cugAccessControlManager.removePolicy("/content", new CugPolicyImpl("/content", NamePathMapper.DEFAULT, getPrincipalManager(this.root), 2));
    }

    @Test(expected = PathNotFoundException.class)
    public void testRemovePolicyInvalidPath() throws Exception {
        this.cugAccessControlManager.removePolicy("/path/to/non/existing/tree", createCug("/path/to/non/existing/tree"));
    }

    @Test(expected = AccessControlException.class)
    public void testRemovePolicyUnsupportedPath() throws Exception {
        this.cugAccessControlManager.removePolicy("/testNode", createCug("/testNode"));
    }

    @Test(expected = AccessControlException.class)
    public void testRemovePolicyPathMismatch() throws Exception {
        this.cugAccessControlManager.removePolicy("/content", createCug("/content/subtree"));
    }

    @Test
    public void testGetApplicablePoliciesByPrincipal() throws Exception {
        Assert.assertNotNull(this.cugAccessControlManager.getApplicablePolicies(EveryonePrincipal.getInstance()));
        Assert.assertEquals(0L, r0.length);
    }

    @Test
    public void testGetPoliciesByPrincipal() throws Exception {
        Assert.assertNotNull(this.cugAccessControlManager.getPolicies(EveryonePrincipal.getInstance()));
        Assert.assertEquals(0L, r0.length);
    }

    @Test
    public void testGetEffectivePoliciesByPrincipal() throws Exception {
        Assert.assertNotNull(this.cugAccessControlManager.getEffectivePolicies(ImmutableSet.of(EveryonePrincipal.getInstance())));
        Assert.assertEquals(0L, r0.length);
    }
}
