package org.apache.jackrabbit.oak.spi.security.authorization.cug.impl;

import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableSet;
import java.security.Principal;
import java.util.Iterator;
import java.util.Set;
import java.util.UUID;
import javax.jcr.AccessDeniedException;
import javax.jcr.RepositoryException;
import javax.jcr.SimpleCredentials;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.oak.AbstractSecurityTest;
import org.apache.jackrabbit.oak.api.ContentSession;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.commons.PathUtils;
import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
import org.apache.jackrabbit.oak.spi.nodetype.NodeTypeConstants;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.authorization.cug.CugPolicy;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
import org.apache.jackrabbit.oak.util.NodeUtil;
import org.apache.jackrabbit.util.Text;
import org.jetbrains.annotations.NotNull;
import org.junit.Assert;

/* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authorization/cug/impl/AbstractCugTest.class */
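/**
 * Shared fixture for closed-user-group (CUG) authorization tests.
 *
 * <p>The fixture builds a small content tree, enables CUG evaluation for three
 * supported paths and offers helpers to create CUG policies, test principals
 * and permission providers. Everything it creates is removed again in
 * {@link #after()}.
 *
 * <p>NOTE(review): this listing is decompiler output. The string literals
 * ({@code "oak:Unstructured"}, {@code "rep:cugPolicy"}, ...) look like inlined
 * constants from the implemented interfaces, and several methods carry a
 * widened access modifier. Confirm against the original source before relying
 * on either.
 */
public class AbstractCugTest extends AbstractSecurityTest implements CugConstants, NodeTypeConstants {
    /** Existing path that is not listed in {@link #SUPPORTED_PATHS}. */
    static final String UNSUPPORTED_PATH = "/testNode";
    /** Path for which {@link #before()} creates no tree. */
    static final String INVALID_PATH = "/path/to/non/existing/tree";
    static final String SUPPORTED_PATH = "/content";
    static final String SUPPORTED_PATH2 = "/content2";
    static final String SUPPORTED_PATH3 = "/some/content/tree";
    /** The paths handed to the CUG configuration as "cugSupportedPaths". */
    static final String[] SUPPORTED_PATHS = {SUPPORTED_PATH, SUPPORTED_PATH2, SUPPORTED_PATH3};
    /** CUG configuration used by the test security provider: supported paths set, evaluation enabled. */
    static final ConfigurationParameters CUG_CONFIG = ConfigurationParameters.of("cugSupportedPaths", SUPPORTED_PATHS, "cugEnabled", true);
    // Random suffixes keep the test authorizables from colliding with IDs that already exist.
    static final String TEST_GROUP_ID = "testGroup" + UUID.randomUUID();
    static final String TEST_USER2_ID = "testUser2" + UUID.randomUUID();

    /**
     * Creates the content tree used by the tests and commits it:
     * {@code /content/subtree}, {@code /content2}, {@code /some/content/tree}
     * and {@code /testNode/child}.
     */
    @Override
    public void before() throws Exception {
        super.before();
        NodeUtil rootNode = new NodeUtil(this.root.getTree("/"));
        rootNode.addChild("content", "oak:Unstructured").addChild("subtree", "oak:Unstructured");
        rootNode.addChild("content2", "oak:Unstructured");
        rootNode.addChild("some", "oak:Unstructured").addChild("content", "oak:Unstructured").addChild("tree", "oak:Unstructured");
        rootNode.addChild("testNode", "oak:Unstructured").addChild("child", "oak:Unstructured");
        this.root.commit();
    }

    /**
     * Removes the test group, the second test user and every tree created by
     * {@link #before()}, then delegates to the superclass teardown.
     *
     * <p>The superclass teardown sits in a {@code finally} block so that it runs
     * exactly once, whether or not the cleanup above it fails. The earlier
     * catch-and-rethrow form invoked it a second time when the superclass
     * teardown itself threw.
     */
    @Override
    public void after() throws Exception {
        try {
            // Drop pending transient changes so the cleanup starts from the persisted state.
            this.root.refresh();
            for (String authorizableId : new String[]{TEST_GROUP_ID, TEST_USER2_ID}) {
                Authorizable authorizable = getUserManager(this.root).getAuthorizable(authorizableId);
                if (authorizable != null) {
                    authorizable.remove();
                }
            }
            // SUPPORTED_PATH3 is removed through its top-level ancestor ("/some").
            String[] topLevelPaths = {SUPPORTED_PATH, SUPPORTED_PATH2, Text.getAbsoluteParent(SUPPORTED_PATH3, 0), UNSUPPORTED_PATH};
            for (String path : topLevelPaths) {
                Tree tree = this.root.getTree(path);
                if (tree.exists()) {
                    tree.remove();
                }
            }
            this.root.commit();
        } finally {
            super.after();
        }
    }

    /**
     * Lazily creates the security provider from {@link #getSecurityConfigParameters()}
     * and caches it in the {@code securityProvider} field.
     *
     * <p>Decompiler note: the access modifier was widened from {@code protected}.
     */
    public SecurityProvider getSecurityProvider() {
        if (this.securityProvider == null) {
            this.securityProvider = CugSecurityProvider.newTestSecurityProvider(getSecurityConfigParameters());
        }
        return this.securityProvider;
    }

    /**
     * Returns the security configuration: {@link #CUG_CONFIG} registered under
     * the key {@code "org.apache.jackrabbit.oak.authorization"}.
     */
    protected ConfigurationParameters getSecurityConfigParameters() {
        return ConfigurationParameters.of("org.apache.jackrabbit.oak.authorization", CUG_CONFIG);
    }

    /**
     * Builds a {@link CugPermissionProvider} on the fixture root for the given
     * supported paths and principals.
     *
     * <p>Decompiler note: the access modifier was widened from package-private.
     *
     * @param set          paths passed to the provider as supported paths
     * @param principalArr principals the provider evaluates permissions for
     */
    public CugPermissionProvider createCugPermissionProvider(@NotNull Set<String> set, @NotNull Principal... principalArr) {
        return new CugPermissionProvider(
                this.root,
                this.root.getContentSession().getWorkspaceName(),
                ImmutableSet.copyOf(principalArr),
                set,
                ((AuthorizationConfiguration) getConfig(AuthorizationConfiguration.class)).getContext(),
                getRootProvider(),
                getTreeProvider());
    }

    /**
     * Adds a chain of nested children below {@code tree}: each name in
     * {@code strArr} becomes a child of the previously created node. Nothing
     * is committed here.
     *
     * <p>Decompiler note: the access modifier was widened from package-private.
     *
     * @param tree   tree below which the chain is created
     * @param str    primary type name used for every created node
     * @param strArr names of the nodes, outermost first
     */
    public void createTrees(@NotNull Tree tree, @NotNull String str, @NotNull String... strArr) throws AccessDeniedException {
        Tree parent = tree;
        for (String childName : strArr) {
            parent = TreeUtil.addChild(parent, childName, str);
        }
    }

    /**
     * Sets up the combined CUG and ACL scenario and commits it.
     *
     * <ul>
     *   <li>the second test user is created and added to the test group;</li>
     *   <li>{@code /content/a/b/c} and {@code /content/aa/bb/cc} are created;</li>
     *   <li>CUG policies: {@code /content/a} and {@code /content/aa/bb} list the
     *       test group, {@code /content/a/b/c} and {@code /content2} list
     *       everyone;</li>
     *   <li>ACL at {@code /content}: {@code jcr:read} for the test user;
     *       {@code jcr:read}, {@code rep:write} and
     *       {@code jcr:readAccessControl} for the test group.</li>
     * </ul>
     *
     * <p>NOTE(review): the layout presumably lets tests observe how CUG
     * restrictions combine with ACL grants on the same subtree. Confirm
     * against the tests that call this method.
     *
     * <p>Decompiler note: the access modifier was widened from package-private.
     */
    public void setupCugsAndAcls() throws Exception {
        UserManager userManager = getUserManager(this.root);
        Principal testGroupPrincipal = getTestGroupPrincipal();

        // The Principal lookup returns an Authorizable; membership changes need the Group view.
        Group testGroup = (Group) userManager.getAuthorizable(testGroupPrincipal);
        // The password equals the user ID. The account exists only in this
        // fixture's repository and is removed again in after().
        testGroup.addMember(userManager.createUser(TEST_USER2_ID, TEST_USER2_ID));
        this.root.commit();

        User testUser = getTestUser();

        NodeUtil content = new NodeUtil(this.root.getTree(SUPPORTED_PATH));
        content.addChild("a", "oak:Unstructured").addChild("b", "oak:Unstructured").addChild("c", "oak:Unstructured");
        content.addChild("aa", "oak:Unstructured").addChild("bb", "oak:Unstructured").addChild("cc", "oak:Unstructured");

        createCug("/content/a", testGroupPrincipal);
        createCug("/content/aa/bb", testGroupPrincipal);
        createCug("/content/a/b/c", EveryonePrincipal.getInstance());
        createCug(SUPPORTED_PATH2, EveryonePrincipal.getInstance());

        JackrabbitAccessControlManager acMgr = getAccessControlManager(this.root);
        JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, SUPPORTED_PATH);
        acl.addAccessControlEntry(testUser.getPrincipal(), privilegesFromNames(new String[]{"jcr:read"}));
        acl.addAccessControlEntry(testGroupPrincipal, privilegesFromNames(new String[]{"jcr:read", "rep:write", "jcr:readAccessControl"}));
        acMgr.setPolicy(SUPPORTED_PATH, acl);
        this.root.commit();
    }

    /**
     * Creates a CUG policy at {@code str} through the access control manager and
     * adds {@code principal} to it. The change is left transient; the caller
     * commits.
     *
     * <p>Only the <em>applicable</em> policies of the path are inspected.
     * NOTE(review): a path that already carries a CUG policy presumably offers
     * no applicable {@link CugPolicy} and ends in the exception below. Verify.
     *
     * <p>Decompiler note: the access modifier was widened from package-private.
     *
     * @param str       absolute path of the node that receives the policy
     * @param principal principal added to the new policy
     * @throws IllegalStateException if no {@link CugPolicy} is applicable at {@code str}
     */
    public void createCug(@NotNull String str, @NotNull Principal principal) throws RepositoryException {
        JackrabbitAccessControlManager acMgr = getAccessControlManager(this.root);
        AccessControlPolicyIterator applicable = acMgr.getApplicablePolicies(str);
        while (applicable.hasNext()) {
            // The iterator yields the general policy type; check before narrowing to CugPolicy.
            AccessControlPolicy candidate = applicable.nextAccessControlPolicy();
            if (candidate instanceof CugPolicy) {
                CugPolicy cugPolicy = (CugPolicy) candidate;
                cugPolicy.addPrincipals(principal);
                acMgr.setPolicy(str, cugPolicy);
                return;
            }
        }
        throw new IllegalStateException("Unable to create CUG at " + str);
    }

    /**
     * Writes a CUG policy directly into the content tree, without going through
     * the access control manager: adds the {@code rep:CugMixin} mixin to the
     * tree at {@code str} and a {@code rep:cugPolicy} child whose
     * {@code rep:principalNames} holds {@code str2}.
     *
     * <p>This path skips whatever checks the access control management API
     * applies, and nothing is committed here. NOTE(review): any validation of
     * the written content would have to happen at commit time. Confirm which
     * commit hooks are active for the calling test.
     *
     * <p>Decompiler note: the access modifier was widened from package-private.
     *
     * @param root root whose tree is modified
     * @param str  absolute path of an existing tree
     * @param str2 principal name stored in the policy
     * @throws IllegalStateException if no tree exists at {@code str}
     */
    public static void createCug(@NotNull Root root, @NotNull String str, @NotNull String str2) throws RepositoryException {
        Tree target = root.getTree(str);
        Preconditions.checkState(target.exists());
        TreeUtil.addMixin(target, "rep:CugMixin", root.getTree("/jcr:system/jcr:nodeTypes"), (String) null);
        new NodeUtil(target).addChild("rep:cugPolicy", "rep:CugPolicy").setStrings("rep:principalNames", new String[]{str2});
    }

    /**
     * Returns the principal of the test group, creating and committing the
     * group first if it does not exist yet.
     *
     * <p>Decompiler note: the access modifier was widened from package-private.
     */
    public Principal getTestGroupPrincipal() throws Exception {
        UserManager userManager = getUserManager(this.root);
        Group testGroup = userManager.getAuthorizable(TEST_GROUP_ID, Group.class);
        if (testGroup == null) {
            testGroup = userManager.createGroup(TEST_GROUP_ID);
            this.root.commit();
        }
        return testGroup.getPrincipal();
    }

    /**
     * Logs in as the second test user, using the user ID as the password, which
     * matches how {@link #setupCugsAndAcls()} creates the account. The caller
     * owns the returned session.
     *
     * <p>Decompiler note: the access modifier was widened from package-private.
     */
    public ContentSession createTestSession2() throws Exception {
        return login(new SimpleCredentials(TEST_USER2_ID, TEST_USER2_ID.toCharArray()));
    }

    /**
     * Asserts the concrete type of a tree permission.
     *
     * <p>Decompiler note: the access modifier was widened from package-private.
     *
     * @param treePermission permission to check
     * @param z              {@code true} to expect a {@link CugTreePermission},
     *                       {@code false} to expect an {@link EmptyCugTreePermission}
     */
    public static void assertCugPermission(@NotNull TreePermission treePermission, boolean z) {
        if (z) {
            Assert.assertTrue("expected CugTreePermission but was " + treePermission.getClass().getName(),
                    treePermission instanceof CugTreePermission);
        } else {
            Assert.assertTrue("expected EmptyCugTreePermission but was " + treePermission.getClass().getName(),
                    treePermission instanceof EmptyCugTreePermission);
        }
    }

    /**
     * Resolves the {@link TreePermission} for the tree at {@code str}. The walk
     * starts at the root tree with {@link TreePermission#EMPTY} as parent
     * permission and descends one path element at a time, handing each level's
     * permission to the next as its parent.
     *
     * <p>Decompiler note: the access modifier was widened from package-private.
     *
     * @param root               root used to resolve the trees
     * @param str                absolute path of the target tree
     * @param permissionProvider provider asked for the permission at every level
     * @return the tree permission of the last path element, or of the root tree
     *         if the path has no elements
     */
    public static TreePermission getTreePermission(@NotNull Root root, @NotNull String str, @NotNull PermissionProvider permissionProvider) {
        Tree current = root.getTree("/");
        TreePermission permission = permissionProvider.getTreePermission(current, TreePermission.EMPTY);
        for (String element : PathUtils.elements(str)) {
            current = current.getChild(element);
            permission = permissionProvider.getTreePermission(current, permission);
        }
        return permission;
    }
}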
