package org.apache.jackrabbit.oak.spi.security.authorization.cug.impl;

import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableList;
import javax.jcr.nodetype.NodeDefinitionTemplate;
import javax.jcr.nodetype.NodeTypeTemplate;
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.plugins.memory.PropertyStates;
import org.apache.jackrabbit.oak.plugins.nodetype.write.ReadWriteNodeTypeManager;
import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
import org.apache.jackrabbit.oak.spi.commit.CommitInfo;
import org.apache.jackrabbit.oak.spi.commit.Validator;
import org.apache.jackrabbit.oak.spi.state.NodeState;
import org.jetbrains.annotations.NotNull;
import org.junit.Assert;
import org.junit.Test;
import org.mockito.Mockito;

/* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugValidatorTest.class */
public class CugValidatorTest extends AbstractCugTest {
    private Tree node;

    @Override // org.apache.jackrabbit.oak.spi.security.authorization.cug.impl.AbstractCugTest
    public void before() throws Exception {
        super.before();
        this.node = this.root.getTree("/content");
    }

    @NotNull
    private Validator createRootValidator(@NotNull NodeState nodeState) {
        return (Validator) Preconditions.checkNotNull(new CugValidatorProvider().getRootValidator(nodeState, nodeState, new CommitInfo("sid", "uid")));
    }

    @Test
    public void testChangePrimaryType() {
        this.node = this.root.getTree("/content2");
        try {
            this.node.setProperty("jcr:primaryType", "rep:CugPolicy", Type.NAME);
            this.node.setProperty("rep:principalNames", ImmutableList.of("everyone"), Type.STRINGS);
            this.root.commit();
            Assert.fail();
        } catch (CommitFailedException e) {
            Assert.assertTrue(e.isAccessControlViolation());
            Assert.assertEquals(20L, e.getCode());
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testPropertyChangedBeforeWasCug() throws CommitFailedException {
        try {
            createRootValidator((NodeState) Mockito.mock(NodeState.class)).propertyChanged(PropertyStates.createProperty("jcr:primaryType", "rep:CugPolicy"), PropertyStates.createProperty("jcr:primaryType", "oak:Unstructured"));
        } catch (CommitFailedException e) {
            Assert.assertTrue(e.isAccessControlViolation());
            Assert.assertEquals(20L, e.getCode());
            throw e;
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testPropertyChangedAfterIsCug() throws CommitFailedException {
        try {
            createRootValidator((NodeState) Mockito.mock(NodeState.class)).propertyChanged(PropertyStates.createProperty("jcr:primaryType", "oak:Unstructured"), PropertyStates.createProperty("jcr:primaryType", "rep:CugPolicy"));
        } catch (CommitFailedException e) {
            Assert.assertTrue(e.isAccessControlViolation());
            Assert.assertEquals(20L, e.getCode());
            throw e;
        }
    }

    @Test
    public void testPropertyChangedNoCugInvolved() throws Exception {
        createRootValidator((NodeState) Mockito.mock(NodeState.class)).propertyChanged(PropertyStates.createProperty("jcr:primaryType", "oak:Unstructured"), PropertyStates.createProperty("jcr:primaryType", "nt:unstructured"));
    }

    @Test(expected = CommitFailedException.class)
    public void testChangePrimaryTypeOfCug() throws Exception {
        this.node.setProperty("jcr:mixinTypes", ImmutableList.of("rep:CugMixin"), Type.NAMES);
        Tree addChild = TreeUtil.addChild(this.node, "rep:cugPolicy", "rep:CugPolicy");
        addChild.setProperty("rep:principalNames", ImmutableList.of("everyone"), Type.STRINGS);
        this.root.commit();
        try {
            addChild.setProperty("jcr:primaryType", "oak:Unstructured", Type.NAME);
            this.root.commit();
        } catch (CommitFailedException e) {
            Assert.assertTrue(e.isAccessControlViolation());
            Assert.assertEquals(21L, e.getCode());
            throw e;
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testInvalidPrimaryType() throws Exception {
        TreeUtil.addChild(this.node, "rep:cugPolicy", "oak:Unstructured").setProperty("rep:principalNames", ImmutableList.of("everyone"), Type.STRINGS);
        try {
            try {
                this.root.commit();
                this.root.refresh();
            } catch (CommitFailedException e) {
                Assert.assertTrue(e.isAccessControlViolation());
                Assert.assertEquals(21L, e.getCode());
                throw e;
            }
        } catch (Throwable th) {
            this.root.refresh();
            throw th;
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testMissingMixin() throws Exception {
        TreeUtil.addChild(this.node, "rep:cugPolicy", "rep:CugPolicy").setProperty("rep:principalNames", ImmutableList.of("everyone"), Type.STRINGS);
        try {
            try {
                this.root.commit();
                this.root.refresh();
            } catch (CommitFailedException e) {
                Assert.assertTrue(e.isAccessControlViolation());
                Assert.assertEquals(22L, e.getCode());
                throw e;
            }
        } catch (Throwable th) {
            this.root.refresh();
            throw th;
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testRemoveMixin() throws Exception {
        this.node.setProperty("jcr:mixinTypes", ImmutableList.of("rep:CugMixin"), Type.NAMES);
        TreeUtil.addChild(this.node, "rep:cugPolicy", "rep:CugPolicy").setProperty("rep:principalNames", ImmutableList.of("everyone"), Type.STRINGS);
        this.root.commit();
        try {
            try {
                this.node.removeProperty("jcr:mixinTypes");
                this.root.commit();
                this.root.refresh();
            } catch (CommitFailedException e) {
                Assert.assertTrue(e.isAccessControlViolation());
                Assert.assertEquals(22L, e.getCode());
                throw e;
            }
        } catch (Throwable th) {
            this.root.refresh();
            throw th;
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testCugPolicyWithDifferentName() throws Exception {
        this.node.setProperty("jcr:mixinTypes", ImmutableList.of("rep:CugMixin"), Type.NAMES);
        TreeUtil.addChild(this.node, "anotherName", "rep:CugPolicy").setProperty("rep:principalNames", ImmutableList.of("everyone"), Type.STRINGS);
        try {
            try {
                this.root.commit();
                this.root.refresh();
            } catch (CommitFailedException e) {
                Assert.assertTrue(e.isAccessControlViolation());
                Assert.assertEquals(23L, e.getCode());
                throw e;
            }
        } catch (Throwable th) {
            this.root.refresh();
            throw th;
        }
    }

    @Test
    public void testNodeTypeWithCugNames() throws Exception {
        ReadWriteNodeTypeManager readWriteNodeTypeManager = new ReadWriteNodeTypeManager() { // from class: org.apache.jackrabbit.oak.spi.security.authorization.cug.impl.CugValidatorTest.1
            @NotNull
            protected Root getWriteRoot() {
                return CugValidatorTest.this.root;
            }

            @NotNull
            protected Tree getTypes() {
                return CugValidatorTest.this.root.getTree("/jcr:system/jcr:nodeTypes");
            }
        };
        NodeTypeTemplate createNodeTypeTemplate = readWriteNodeTypeManager.createNodeTypeTemplate();
        createNodeTypeTemplate.setName("testNT");
        NodeDefinitionTemplate createNodeDefinitionTemplate = readWriteNodeTypeManager.createNodeDefinitionTemplate();
        createNodeDefinitionTemplate.setName("rep:cugPolicy");
        createNodeDefinitionTemplate.setRequiredPrimaryTypeNames(new String[]{"nt:base"});
        createNodeTypeTemplate.getNodeDefinitionTemplates().add(createNodeDefinitionTemplate);
        readWriteNodeTypeManager.registerNodeType(createNodeTypeTemplate, true);
    }

    @Test(expected = CommitFailedException.class)
    public void testJcrNodeTypesOutsideOfSystemIsValidated() throws Exception {
        TreeUtil.addChild(TreeUtil.addChild(this.node, "jcr:nodeTypes", "oak:Unstructured"), "rep:cugPolicy", "rep:CugPolicy").setProperty("rep:principalNames", ImmutableList.of("everyone"), Type.STRINGS);
        try {
            try {
                this.root.commit();
                this.root.refresh();
            } catch (CommitFailedException e) {
                Assert.assertTrue(e.isAccessControlViolation());
                Assert.assertEquals(22L, e.getCode());
                throw e;
            }
        } catch (Throwable th) {
            this.root.refresh();
            throw th;
        }
    }
}
