package org.apache.jackrabbit.oak.spi.security.authorization.cug.impl;

import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import java.security.Principal;
import java.util.Iterator;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.ContentSession;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
import org.apache.jackrabbit.oak.spi.nodetype.NodeTypeConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;

/* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/CugEvaluationTest.class */
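/**
 * Evaluation tests for the closed-user-group (CUG) authorization model: for a fixed
 * content fixture, they pin which principals may read, write and edit policies at
 * which paths.
 *
 * <p>The fixture is built by {@code setupCugsAndAcls} in {@link AbstractCugTest}, which
 * is not part of this listing. The expected grants and denials documented below are read
 * off the assertions themselves, not off the fixture definition.
 *
 * <p>Two kinds of subject are exercised:
 * <ul>
 *   <li>live sessions ({@code createTestSession()} / {@code createTestSession2()}), which
 *       show what a logged-in user can see and commit;</li>
 *   <li>bare principal sets handed to a {@link PermissionProvider}, which isolate the
 *       evaluation result for one principal or a combination of principals.</li>
 * </ul>
 */
public class CugEvaluationTest extends AbstractCugTest implements NodeTypeConstants {

    // Numeric permission bits passed to PermissionProvider#isGranted. This listing carries
    // them as literals; the values are those of Oak's Permissions.READ
    // (READ_NODE | READ_PROPERTY), Permissions.ADD_NODE and Permissions.READ_ACCESS_CONTROL.
    private static final long PERM_READ = 3L;
    private static final long PERM_ADD_NODE = 32L;
    private static final long PERM_READ_ACCESS_CONTROL = 128L;

    // Session of the primary test user; opened in before(), closed in after().
    private ContentSession testSession;
    // Latest root of testSession; every read/write through it is subject to access control.
    private Root testRoot;
    private Principal testGroupPrincipal;
    // Trees below are resolved through this.root (the inherited root also used for setup),
    // so they exist regardless of what the test user may read.
    private Tree content;
    private Tree content2;
    private Tree a;
    private Tree c;

    /**
     * Builds the CUG/ACL fixture, resolves the trees under test and opens the test session.
     *
     * @throws Exception if the inherited setup or the session creation fails
     */
    @Override
    @Before
    public void before() throws Exception {
        super.before();
        setupCugsAndAcls(new String[0]);
        this.testGroupPrincipal = getTestGroupPrincipal();
        this.content = this.root.getTree("/content");
        this.content2 = this.root.getTree("/content2");
        this.a = this.root.getTree("/content/a");
        this.c = this.root.getTree("/content/a/b/c");
        this.testSession = createTestSession();
        this.testRoot = this.testSession.getLatestRoot();
    }

    /**
     * Closes the test session (if one was opened) and always runs the inherited teardown,
     * even when closing the session throws.
     *
     * @throws Exception if closing the session or the inherited teardown fails
     */
    @Override
    public void after() throws Exception {
        try {
            if (this.testSession != null) {
                this.testSession.close();
            }
        } finally {
            super.after();
        }
    }

    /**
     * Creates a permission provider for the principals of an existing session.
     *
     * @param contentSession session whose {@code AuthInfo} principals are evaluated
     * @return provider bound to {@code this.root} and the admin session's workspace name
     */
    private PermissionProvider createPermissionProvider(ContentSession contentSession) {
        AuthorizationConfiguration authorization =
                (AuthorizationConfiguration) getSecurityProvider().getConfiguration(AuthorizationConfiguration.class);
        return authorization.getPermissionProvider(
                this.root,
                this.adminSession.getWorkspaceName(),
                contentSession.getAuthInfo().getPrincipals());
    }

    /**
     * Creates a permission provider for an explicit set of principals, without a session.
     *
     * @param principalArr principals to evaluate; copied into an immutable set
     * @return provider bound to {@code this.root} and the admin session's workspace name
     */
    private PermissionProvider createPermissionProvider(Principal... principalArr) {
        AuthorizationConfiguration authorization =
                (AuthorizationConfiguration) getSecurityProvider().getConfiguration(AuthorizationConfiguration.class);
        return authorization.getPermissionProvider(
                this.root,
                this.adminSession.getWorkspaceName(),
                ImmutableSet.copyOf(principalArr));
    }

    /**
     * The test user's session must not see the first list of paths and must see the second.
     * Note that {@code /content/a} is hidden while its descendant {@code /content/a/b/c}
     * is visible.
     */
    @Test
    public void testRead() {
        for (String hiddenPath : ImmutableList.of(
                "/", "/testNode", "/content/a", "/content/a/b", "/content/aa/bb", "/content2")) {
            Assert.assertFalse(hiddenPath, this.testRoot.getTree(hiddenPath).exists());
        }
        for (String visiblePath : ImmutableList.of(
                "/content", "/content/subtree", "/content/a/b/c", "/content/aa")) {
            Assert.assertTrue(visiblePath, this.testRoot.getTree(visiblePath).exists());
        }
    }

    /** The ACL policy node under {@code /content} must stay invisible to the test user. */
    @Test
    public void testReadAcl() {
        Assert.assertFalse(this.testRoot.getTree("/content/rep:policy").exists());
    }

    /**
     * The second test session must be able to see the ACL policy node under {@code /content}.
     *
     * @throws Exception if the session cannot be created or closed
     */
    @Test
    public void testReadAcl2() throws Exception {
        try (ContentSession session2 = createTestSession2()) {
            Assert.assertTrue(session2.getLatestRoot().getTree("/content/rep:policy").exists());
        }
    }

    /** None of the listed CUG policy nodes may be visible to the test user. */
    @Test
    public void testReadCug() {
        for (String cugPolicyPath : ImmutableList.of(
                "/content/a/rep:cugPolicy", "/content/aa/bb/rep:cugPolicy", "/content2/rep:cugPolicy")) {
            Assert.assertFalse(cugPolicyPath, this.testRoot.getTree(cugPolicyPath).exists());
        }
    }

    /**
     * The second test session sees the CUG policy at {@code /content/a} but not the one at
     * {@code /content2}.
     *
     * @throws Exception if the session cannot be created or closed
     */
    @Test
    public void testReadCug2() throws Exception {
        try (ContentSession session2 = createTestSession2()) {
            Root session2Root = session2.getLatestRoot();
            Assert.assertTrue(session2Root.getTree("/content/a/rep:cugPolicy").exists());
            Assert.assertFalse(session2Root.getTree("/content2/rep:cugPolicy").exists());
        }
    }

    /**
     * Being able to read a node must not imply being able to write below it: for each
     * readable parent the commit has to fail with an access violation.
     *
     * @throws Exception if adding the child fails for a reason other than the expected
     *         {@link CommitFailedException}
     */
    @Test
    public void testWrite() throws Exception {
        for (String parentPath : ImmutableList.of("/content", "/content/a/b/c")) {
            try {
                TreeUtil.addChild(this.testRoot.getTree(parentPath), "writeTest", "oak:Unstructured");
                this.testRoot.commit();
                Assert.fail("commit below " + parentPath + " must be denied for the test user");
            } catch (CommitFailedException e) {
                Assert.assertTrue("expected an access violation but got: " + e, e.isAccessViolation());
            } finally {
                // Drop the transient child so the next iteration starts from a clean root.
                this.testRoot.refresh();
            }
        }
    }

    /**
     * The second test session is granted add-node at both targets and its commits succeed.
     *
     * @throws Exception if a commit unexpectedly fails or the session cannot be closed
     */
    @Test
    public void testWrite2() throws Exception {
        try (ContentSession session2 = createTestSession2()) {
            Root session2Root = session2.getLatestRoot();
            try {
                PermissionProvider pp = createPermissionProvider(session2);
                // Evaluated on not-yet-existing trees obtained from this.root.
                Assert.assertTrue(pp.isGranted(
                        this.root.getTree("/content/writeTest"), (PropertyState) null, PERM_ADD_NODE));
                Assert.assertTrue(pp.isGranted(
                        this.root.getTree("/content/a/b/c/writeTest"), (PropertyState) null, PERM_ADD_NODE));
                for (String parentPath : ImmutableList.of("/content", "/content/a/b/c")) {
                    TreeUtil.addChild(session2Root.getTree(parentPath), "writeTest", "oak:Unstructured");
                    session2Root.commit();
                }
            } finally {
                session2Root.refresh();
            }
        }
    }

    /**
     * Write access to content must not extend to access control content: creating an ACL
     * policy node as the second test session has to fail with an access violation.
     *
     * @throws Exception if the session cannot be created or closed
     */
    @Test
    public void testWriteAcl() throws Exception {
        // try-with-resources: the session was previously never closed.
        try (ContentSession session2 = createTestSession2()) {
            Root session2Root = session2.getLatestRoot();
            try {
                Tree target = session2Root.getTree("/content/a/b/c");
                target.setProperty(
                        "jcr:mixinTypes", ImmutableList.of("rep:CugMixin", "rep:AccessControllable"), Type.NAMES);
                target.addChild("rep:policy").setProperty("jcr:primaryType", "rep:ACL", Type.NAME);
                session2Root.commit();
                Assert.fail("creating an ACL policy must be denied for the second test session");
            } catch (CommitFailedException e) {
                Assert.assertTrue("expected an access violation but got: " + e, e.isAccessViolation());
            } finally {
                session2Root.refresh();
            }
        }
    }

    /**
     * A subject that can read a CUG policy must not be able to widen it: changing
     * {@code rep:principalNames} as the second test session has to fail with an access
     * violation.
     *
     * @throws Exception if the session cannot be created or closed
     */
    @Test
    public void testWriteCug() throws Exception {
        // try-with-resources: the session was previously never closed.
        try (ContentSession session2 = createTestSession2()) {
            Root session2Root = session2.getLatestRoot();
            try {
                session2Root.getTree("/content/a/rep:cugPolicy").setProperty(
                        "rep:principalNames",
                        ImmutableList.of("everyone", this.testGroupPrincipal.getName()),
                        Type.STRINGS);
                session2Root.commit();
                Assert.fail("modifying a CUG policy must be denied for the second test session");
            } catch (CommitFailedException e) {
                Assert.assertTrue("expected an access violation but got: " + e, e.isAccessViolation());
            } finally {
                session2Root.refresh();
            }
        }
    }

    /**
     * Test group alone: read is granted at {@code content} and {@code a} but denied at
     * {@code c}, while read-access-control stays granted at all three. The denial at
     * {@code c} therefore only affects the read permission.
     */
    @Test
    public void testIsGrantedTestGroup() {
        PermissionProvider pp = createPermissionProvider(this.testGroupPrincipal);
        Assert.assertTrue(pp.isGranted(this.content, (PropertyState) null, PERM_READ));
        Assert.assertTrue(pp.isGranted(this.a, (PropertyState) null, PERM_READ));
        Assert.assertFalse(pp.isGranted(this.c, (PropertyState) null, PERM_READ));
        Assert.assertTrue(pp.isGranted(this.content, (PropertyState) null, PERM_READ_ACCESS_CONTROL));
        Assert.assertTrue(pp.isGranted(this.a, (PropertyState) null, PERM_READ_ACCESS_CONTROL));
        Assert.assertTrue(pp.isGranted(this.c, (PropertyState) null, PERM_READ_ACCESS_CONTROL));
    }

    /** Everyone alone is granted neither read nor read-access-control anywhere. */
    @Test
    public void testIsGrantedEveryone() {
        PermissionProvider pp = createPermissionProvider(EveryonePrincipal.getInstance());
        Assert.assertFalse(pp.isGranted(this.content, (PropertyState) null, PERM_READ));
        Assert.assertFalse(pp.isGranted(this.content2, (PropertyState) null, PERM_READ));
        Assert.assertFalse(pp.isGranted(this.a, (PropertyState) null, PERM_READ));
        Assert.assertFalse(pp.isGranted(this.c, (PropertyState) null, PERM_READ));
        Assert.assertFalse(pp.isGranted(this.content, (PropertyState) null, PERM_READ_ACCESS_CONTROL));
        Assert.assertFalse(pp.isGranted(this.content2, (PropertyState) null, PERM_READ_ACCESS_CONTROL));
        Assert.assertFalse(pp.isGranted(this.a, (PropertyState) null, PERM_READ_ACCESS_CONTROL));
        Assert.assertFalse(pp.isGranted(this.c, (PropertyState) null, PERM_READ_ACCESS_CONTROL));
    }

    /**
     * Test group combined with everyone: read becomes granted at {@code c} as well, which
     * neither principal achieves on its own.
     */
    @Test
    public void testIsGrantedTestGroupEveryone() {
        PermissionProvider pp = createPermissionProvider(this.testGroupPrincipal, EveryonePrincipal.getInstance());
        Assert.assertTrue(pp.isGranted(this.content, (PropertyState) null, PERM_READ));
        Assert.assertTrue(pp.isGranted(this.a, (PropertyState) null, PERM_READ));
        Assert.assertTrue(pp.isGranted(this.c, (PropertyState) null, PERM_READ));
        Assert.assertTrue(pp.isGranted(this.content, (PropertyState) null, PERM_READ_ACCESS_CONTROL));
        Assert.assertTrue(pp.isGranted(this.a, (PropertyState) null, PERM_READ_ACCESS_CONTROL));
        Assert.assertTrue(pp.isGranted(this.c, (PropertyState) null, PERM_READ_ACCESS_CONTROL));
    }

    /**
     * Test user combined with everyone: read at {@code content} and {@code c} but not at
     * {@code a}; read-access-control is denied throughout.
     *
     * @throws Exception if the test user cannot be obtained
     */
    @Test
    public void testIsGrantedTestUserEveryone() throws Exception {
        PermissionProvider pp = createPermissionProvider(getTestUser().getPrincipal(), EveryonePrincipal.getInstance());
        Assert.assertTrue(pp.isGranted(this.content, (PropertyState) null, PERM_READ));
        Assert.assertFalse(pp.isGranted(this.a, (PropertyState) null, PERM_READ));
        Assert.assertTrue(pp.isGranted(this.c, (PropertyState) null, PERM_READ));
        Assert.assertFalse(pp.isGranted(this.content, (PropertyState) null, PERM_READ_ACCESS_CONTROL));
        Assert.assertFalse(pp.isGranted(this.a, (PropertyState) null, PERM_READ_ACCESS_CONTROL));
        Assert.assertFalse(pp.isGranted(this.c, (PropertyState) null, PERM_READ_ACCESS_CONTROL));
    }

    /** Privilege-name counterpart of {@link #testIsGrantedTestGroup()}. */
    @Test
    public void testHasPrivilegesTestGroup() {
        PermissionProvider pp = createPermissionProvider(this.testGroupPrincipal);
        Assert.assertTrue(pp.hasPrivileges(this.content, new String[] {"jcr:read"}));
        Assert.assertTrue(pp.hasPrivileges(this.a, new String[] {"jcr:read"}));
        Assert.assertFalse(pp.hasPrivileges(this.c, new String[] {"jcr:read"}));
        Assert.assertTrue(pp.hasPrivileges(this.content, new String[] {"rep:write", "jcr:readAccessControl"}));
        Assert.assertTrue(pp.hasPrivileges(this.a, new String[] {"rep:write", "jcr:readAccessControl"}));
        Assert.assertTrue(pp.hasPrivileges(this.c, new String[] {"rep:write", "jcr:readAccessControl"}));
    }

    /** Privilege-name counterpart of {@link #testIsGrantedEveryone()}. */
    @Test
    public void testHasPrivilegesEveryone() {
        PermissionProvider pp = createPermissionProvider(EveryonePrincipal.getInstance());
        Assert.assertFalse(pp.hasPrivileges(this.content, new String[] {"jcr:read"}));
        Assert.assertFalse(pp.hasPrivileges(this.content2, new String[] {"jcr:read"}));
        Assert.assertFalse(pp.hasPrivileges(this.a, new String[] {"jcr:read"}));
        Assert.assertFalse(pp.hasPrivileges(this.c, new String[] {"jcr:read"}));
        Assert.assertFalse(pp.hasPrivileges(this.content, new String[] {"rep:write", "jcr:readAccessControl"}));
        Assert.assertFalse(pp.hasPrivileges(this.content2, new String[] {"rep:write", "jcr:readAccessControl"}));
        Assert.assertFalse(pp.hasPrivileges(this.a, new String[] {"rep:write", "jcr:readAccessControl"}));
        Assert.assertFalse(pp.hasPrivileges(this.c, new String[] {"rep:write", "jcr:readAccessControl"}));
    }

    /** Privilege-name counterpart of {@link #testIsGrantedTestGroupEveryone()}. */
    @Test
    public void testHasPrivilegesTestGroupEveryone() {
        PermissionProvider pp = createPermissionProvider(this.testGroupPrincipal, EveryonePrincipal.getInstance());
        Assert.assertTrue(pp.hasPrivileges(this.content, new String[] {"jcr:read"}));
        Assert.assertTrue(pp.hasPrivileges(this.a, new String[] {"jcr:read"}));
        Assert.assertTrue(pp.hasPrivileges(this.c, new String[] {"jcr:read"}));
        Assert.assertTrue(pp.hasPrivileges(this.content, new String[] {"rep:write", "jcr:readAccessControl"}));
        Assert.assertTrue(pp.hasPrivileges(this.a, new String[] {"rep:write", "jcr:readAccessControl"}));
        Assert.assertTrue(pp.hasPrivileges(this.c, new String[] {"rep:write", "jcr:readAccessControl"}));
    }

    /**
     * Privilege-name counterpart of {@link #testIsGrantedTestUserEveryone()}.
     *
     * @throws Exception if the test user cannot be obtained
     */
    @Test
    public void testHasPrivilegesTestUserEveryone() throws Exception {
        PermissionProvider pp = createPermissionProvider(getTestUser().getPrincipal(), EveryonePrincipal.getInstance());
        Assert.assertTrue(pp.hasPrivileges(this.content, new String[] {"jcr:read"}));
        Assert.assertFalse(pp.hasPrivileges(this.a, new String[] {"jcr:read"}));
        Assert.assertTrue(pp.hasPrivileges(this.c, new String[] {"jcr:read"}));
        Assert.assertFalse(pp.hasPrivileges(this.content, new String[] {"rep:write", "jcr:readAccessControl"}));
        Assert.assertFalse(pp.hasPrivileges(this.a, new String[] {"rep:write", "jcr:readAccessControl"}));
        Assert.assertFalse(pp.hasPrivileges(this.c, new String[] {"rep:write", "jcr:readAccessControl"}));
    }

    /** With the default fixture the test group holds {@code jcr:all} nowhere. */
    @Test
    public void testHasAllPrivileges() {
        PermissionProvider pp = createPermissionProvider(this.testGroupPrincipal);
        Assert.assertFalse(pp.hasPrivileges(this.content, new String[] {"jcr:all"}));
        Assert.assertFalse(pp.hasPrivileges(this.a, new String[] {"jcr:all"}));
        Assert.assertFalse(pp.hasPrivileges(this.c, new String[] {"jcr:all"}));
    }

    /**
     * Granting {@code jcr:all} to the test group at {@code /content/a} takes effect at
     * {@code /content/a} and {@code /content/a/b}, but not above the grant and not at
     * {@code /content/a/b/c}, where the test group is also denied read in
     * {@link #testHasPrivilegesTestGroup()}.
     *
     * @throws Exception if the policy cannot be written or committed
     */
    @Test
    public void testHasAllPrivileges2() throws Exception {
        JackrabbitAccessControlManager acMgr = getAccessControlManager(this.root);
        JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, "/content/a");
        acl.addAccessControlEntry(this.testGroupPrincipal, privilegesFromNames(new String[] {"jcr:all"}));
        acMgr.setPolicy("/content/a", acl);
        this.root.commit();

        // Trees are re-read from this.root after the commit instead of using the cached fields.
        PermissionProvider pp = createPermissionProvider(this.testGroupPrincipal);
        Assert.assertFalse(pp.hasPrivileges(this.root.getTree("/content"), new String[] {"jcr:all"}));
        Assert.assertTrue(pp.hasPrivileges(this.root.getTree("/content/a"), new String[] {"jcr:all"}));
        Assert.assertTrue(pp.hasPrivileges(this.root.getTree("/content/a/b"), new String[] {"jcr:all"}));
        Assert.assertFalse(pp.hasPrivileges(this.root.getTree("/content/a/b/c"), new String[] {"jcr:all"}));
    }

    /** The admin session's principals hold {@code jcr:all} at every tree under test. */
    @Test
    public void testHasAllPrivilegesAdmin() {
        PermissionProvider pp = createPermissionProvider(this.adminSession);
        Assert.assertTrue(pp.hasPrivileges(this.content, new String[] {"jcr:all"}));
        Assert.assertTrue(pp.hasPrivileges(this.a, new String[] {"jcr:all"}));
        Assert.assertTrue(pp.hasPrivileges(this.c, new String[] {"jcr:all"}));
    }

    /**
     * Test group alone: the reported privilege set loses {@code jcr:read} at {@code c} and
     * is empty at {@code content2}.
     */
    @Test
    public void testGetPrivilegesTestGroup() {
        ImmutableSet<String> withoutRead = ImmutableSet.of("rep:write", "jcr:readAccessControl");
        ImmutableSet<String> withRead = ImmutableSet.of("jcr:read", "rep:write", "jcr:readAccessControl");
        PermissionProvider pp = createPermissionProvider(this.testGroupPrincipal);
        Assert.assertEquals(withRead, pp.getPrivileges(this.content));
        Assert.assertEquals(withRead, pp.getPrivileges(this.a));
        Assert.assertEquals(withoutRead, pp.getPrivileges(this.c));
        Assert.assertTrue(pp.getPrivileges(this.content2).isEmpty());
    }

    /** Everyone alone: the reported privilege set is empty at every tree under test. */
    @Test
    public void testGetPrivilegesEveryone() {
        PermissionProvider pp = createPermissionProvider(EveryonePrincipal.getInstance());
        Assert.assertTrue(pp.getPrivileges(this.content).isEmpty());
        Assert.assertTrue(pp.getPrivileges(this.content2).isEmpty());
        Assert.assertTrue(pp.getPrivileges(this.a).isEmpty());
        Assert.assertTrue(pp.getPrivileges(this.c).isEmpty());
    }

    /**
     * Test group combined with everyone: the full set including {@code jcr:read} is reported
     * at {@code content}, {@code a} and {@code c}; {@code content2} stays empty.
     */
    @Test
    public void testGetPrivilegesTestGroupEveryone() {
        ImmutableSet<String> expected = ImmutableSet.of("jcr:read", "rep:write", "jcr:readAccessControl");
        PermissionProvider pp = createPermissionProvider(this.testGroupPrincipal, EveryonePrincipal.getInstance());
        Assert.assertEquals(expected, pp.getPrivileges(this.content));
        Assert.assertEquals(expected, pp.getPrivileges(this.a));
        Assert.assertEquals(expected, pp.getPrivileges(this.c));
        Assert.assertTrue(pp.getPrivileges(this.content2).isEmpty());
    }

    /**
     * Test user combined with everyone: only {@code jcr:read}, and only at {@code content}
     * and {@code c}; nothing at {@code a} or {@code content2}.
     *
     * @throws Exception if the test user cannot be obtained
     */
    @Test
    public void testGetPrivilegesTestUserEveryone() throws Exception {
        PermissionProvider pp = createPermissionProvider(getTestUser().getPrincipal(), EveryonePrincipal.getInstance());
        ImmutableSet<String> readOnly = ImmutableSet.of("jcr:read");
        Assert.assertEquals(readOnly, pp.getPrivileges(this.content));
        Assert.assertEquals(readOnly, pp.getPrivileges(this.c));
        Assert.assertTrue(pp.getPrivileges(this.a).isEmpty());
        Assert.assertTrue(pp.getPrivileges(this.content2).isEmpty());
    }
}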
