package org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl;

import com.google.common.collect.ImmutableSet;
import java.security.Principal;
import javax.jcr.PathNotFoundException;
import javax.jcr.RepositoryException;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlException;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy;
import org.apache.jackrabbit.api.security.authorization.PrincipalAccessControlList;
import org.apache.jackrabbit.api.security.principal.ItemBasedPrincipal;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.commons.PathUtils;
import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ImmutableACL;
import org.apache.jackrabbit.oak.spi.security.authorization.principalbased.FilterProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl.PrincipalPolicyImpl;
import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
import org.jetbrains.annotations.NotNull;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.mockito.Mockito;

/* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PrincipalBasedAccessControlManagerTest.class */
public class PrincipalBasedAccessControlManagerTest extends AbstractPrincipalBasedTest {
    private PrincipalBasedAccessControlManager acMgr;
    private ItemBasedPrincipal validPrincipal;

    @Before
    public void testBefore() throws Exception {
        super.before();
        this.acMgr = createAccessControlManager(this.root, getFilterProvider());
        this.validPrincipal = getTestSystemUser().getPrincipal();
    }

    private PrincipalBasedAccessControlManager createAccessControlManager(Root root, @NotNull FilterProvider filterProvider) {
        return new PrincipalBasedAccessControlManager(getMgrProvider(this.root), filterProvider);
    }

    private PrincipalPolicyImpl createValidPolicy() throws RepositoryException {
        return new PrincipalPolicyImpl(this.validPrincipal, getNamePathMapper().getOakPath(this.validPrincipal.getPath()), getMgrProvider(this.root));
    }

    @Test(expected = AccessControlException.class)
    public void testGetApplicablePoliciesNullPrincipal() throws Exception {
        this.acMgr.getApplicablePolicies((Principal) null);
    }

    @Test(expected = AccessControlException.class)
    public void testGetApplicablePoliciesEmptyPrincipalName() throws Exception {
        this.acMgr.getApplicablePolicies(new PrincipalImpl(""));
    }

    @Test
    public void testGetApplicablePoliciesPrincipalNotHandled() throws Exception {
        Assert.assertEquals(0L, createAccessControlManager(this.root, MockUtility.mockFilterProvider(false)).getApplicablePolicies(this.validPrincipal).length);
    }

    @Test
    public void testGetApplicablePoliciesPrincipalHandled() throws Exception {
        JackrabbitAccessControlPolicy[] applicablePolicies = createAccessControlManager(this.root, MockUtility.mockFilterProvider(true)).getApplicablePolicies(this.validPrincipal);
        Assert.assertEquals(1L, applicablePolicies.length);
        Assert.assertTrue(applicablePolicies[0] instanceof PrincipalPolicyImpl);
    }

    @Test
    public void testGetSetPolicy() throws Exception {
        PrincipalPolicyImpl[] applicablePolicies = this.acMgr.getApplicablePolicies(this.validPrincipal);
        Assert.assertEquals(1L, applicablePolicies.length);
        Assert.assertEquals(0L, this.acMgr.getPolicies(this.validPrincipal).length);
        PrincipalPolicyImpl principalPolicyImpl = applicablePolicies[0];
        principalPolicyImpl.addEntry(this.testContentJcrPath, privilegesFromNames("jcr:read"));
        this.acMgr.setPolicy(principalPolicyImpl.getPath(), principalPolicyImpl);
        Assert.assertEquals(0L, this.acMgr.getApplicablePolicies(this.validPrincipal).length);
        Assert.assertEquals(1L, this.acMgr.getPolicies(this.validPrincipal).length);
    }

    @Test(expected = AccessControlException.class)
    public void testGetPoliciesNullPrincipal() throws Exception {
        this.acMgr.getPolicies((Principal) null);
    }

    @Test(expected = AccessControlException.class)
    public void testGetPoliciesEmptyPrincipalName() throws Exception {
        this.acMgr.getPolicies(new PrincipalImpl(""));
    }

    @Test
    public void testGetPoliciesPrincipalNotHandled() throws Exception {
        Assert.assertEquals(0L, createAccessControlManager(this.root, MockUtility.mockFilterProvider(false)).getPolicies(this.validPrincipal).length);
    }

    @Test
    public void testGetPoliciesAccessControlledTree() throws Exception {
        TreeUtil.addMixin(this.root.getTree(getNamePathMapper().getOakPath(this.validPrincipal.getPath())), "rep:PrincipalBasedMixin", this.root.getTree("/jcr:system/jcr:nodeTypes"), "uid");
        Assert.assertEquals(0L, this.acMgr.getPolicies(this.validPrincipal).length);
    }

    @Test(expected = AccessControlException.class)
    public void testGetEffectivePoliciesEmptyPrincipalName() throws Exception {
        this.acMgr.getEffectivePolicies(ImmutableSet.of(this.validPrincipal, new PrincipalImpl("")));
    }

    @Test
    public void testGetEffectivePoliciesNothingSet() throws Exception {
        Assert.assertEquals(0L, this.acMgr.getEffectivePolicies(ImmutableSet.of(this.validPrincipal)).length);
    }

    @Test
    public void testGetEffectivePolicies() throws Exception {
        PrincipalPolicyImpl principalPolicyImpl = this.acMgr.getApplicablePolicies(this.validPrincipal)[0];
        principalPolicyImpl.addEntry(this.testContentJcrPath, privilegesFromNames("jcr:all"));
        this.acMgr.setPolicy(principalPolicyImpl.getPath(), principalPolicyImpl);
        Assert.assertEquals(0L, this.acMgr.getEffectivePolicies(ImmutableSet.of(this.validPrincipal)).length);
        this.root.commit();
        Assert.assertEquals(1L, this.acMgr.getEffectivePolicies(ImmutableSet.of(this.validPrincipal)).length);
    }

    @Test
    public void testGetEffectivePoliciesEmptyPolicySet() throws Exception {
        JackrabbitAccessControlPolicy jackrabbitAccessControlPolicy = this.acMgr.getApplicablePolicies(this.validPrincipal)[0];
        this.acMgr.setPolicy(jackrabbitAccessControlPolicy.getPath(), jackrabbitAccessControlPolicy);
        this.root.commit();
        Assert.assertEquals(0L, this.acMgr.getEffectivePolicies(ImmutableSet.of(this.validPrincipal)).length);
    }

    @Test
    public void testGetEffectivePoliciesRemovedPrincipal() throws Exception {
        setupPrincipalBasedAccessControl(this.validPrincipal, null, "jcr:workspaceManagement");
        this.root.commit();
        String id = getTestSystemUser().getID();
        Root latestRoot = this.adminSession.getLatestRoot();
        getUserManager(latestRoot).getAuthorizable(this.validPrincipal).remove();
        latestRoot.commit();
        try {
            Assert.assertEquals(0L, this.acMgr.getEffectivePolicies(ImmutableSet.of(this.validPrincipal)).length);
        } finally {
            this.root.refresh();
            getUserManager(this.root).createSystemUser(id, "system/test");
            this.root.commit();
        }
    }

    @Test
    public void testGetEffectivePoliciesMixedPrincipalSet() throws Exception {
        setupPrincipalBasedAccessControl(this.validPrincipal, this.testJcrPath, "jcr:read");
        this.root.commit();
        Assert.assertEquals(0L, this.acMgr.getEffectivePolicies(ImmutableSet.of(this.validPrincipal, getTestUser().getPrincipal())).length);
    }

    @Test
    public void testGetEffectivePoliciesRemovedPolicy() throws Exception {
        setupPrincipalBasedAccessControl(this.validPrincipal, null, "jcr:workspaceManagement");
        this.root.commit();
        Root latestRoot = this.adminSession.getLatestRoot();
        latestRoot.getTree(getNamePathMapper().getOakPath(this.validPrincipal.getPath())).getChild("rep:principalPolicy").remove();
        latestRoot.commit();
        Assert.assertEquals(0L, this.acMgr.getEffectivePolicies(ImmutableSet.of(this.validPrincipal)).length);
    }

    @Test(expected = AccessControlException.class)
    public void testSetInvalidPolicy() throws Exception {
        this.acMgr.setPolicy(this.validPrincipal.getPath(), (PrincipalAccessControlList) Mockito.mock(PrincipalAccessControlList.class));
    }

    @Test(expected = AccessControlException.class)
    public void testSetEffectivePolicy() throws Exception {
        setupPrincipalBasedAccessControl(this.validPrincipal, this.testContentJcrPath, "rep:write");
        this.root.commit();
        ImmutableACL immutableACL = this.acMgr.getEffectivePolicies(ImmutableSet.of(this.validPrincipal))[0];
        this.acMgr.setPolicy(immutableACL.getPath(), immutableACL);
    }

    @Test(expected = AccessControlException.class)
    public void testSetPolicyPathMismatch() throws Exception {
        PrincipalPolicyImpl createValidPolicy = createValidPolicy();
        this.acMgr.setPolicy(createValidPolicy.getOakPath(), createValidPolicy);
    }

    @Test(expected = AccessControlException.class)
    public void testSetPolicyNullPath() throws Exception {
        this.acMgr.setPolicy((String) null, (PrincipalAccessControlList) Mockito.mock(PrincipalAccessControlList.class));
    }

    @Test(expected = AccessControlException.class)
    public void testSetPolicyUnsupportedPath() throws Exception {
        this.acMgr.setPolicy(getNamePathMapper().getJcrPath(PathUtils.getParentPath(SUPPORTED_PATH)), createValidPolicy());
    }

    @Test
    public void testSetEmptyPolicy() throws Exception {
        PrincipalPolicyImpl createValidPolicy = createValidPolicy();
        this.acMgr.setPolicy(createValidPolicy.getPath(), createValidPolicy);
        Assert.assertEquals(1L, this.acMgr.getPolicies(this.validPrincipal).length);
        Assert.assertEquals(0L, this.acMgr.getApplicablePolicies(this.validPrincipal).length);
        Assert.assertTrue(this.root.getTree(createValidPolicy.getOakPath()).hasChild("rep:principalPolicy"));
    }

    @Test
    public void testSetPolicyNonExistingEffectivePath() throws Exception {
        PrincipalPolicyImpl principalPolicyImpl = getPrincipalPolicyImpl(this.validPrincipal, this.acMgr);
        principalPolicyImpl.addEntry(this.testJcrPath, privilegesFromNames("jcr:read"));
        this.acMgr.setPolicy(principalPolicyImpl.getPath(), principalPolicyImpl);
        this.root.commit();
    }

    @Test
    public void testSetPolicyRemovedEffectivePath() throws Exception {
        setupContentTrees("/oak:content/child/grandchild/oak:subtree");
        this.root.commit();
        PrincipalPolicyImpl principalPolicyImpl = getPrincipalPolicyImpl(this.validPrincipal, this.acMgr);
        principalPolicyImpl.addEntry(this.testJcrPath, privilegesFromNames("jcr:read"));
        this.root.getTree("/oak:content/child/grandchild/oak:subtree").remove();
        this.root.commit();
        this.acMgr.setPolicy(principalPolicyImpl.getPath(), principalPolicyImpl);
        this.root.commit();
    }

    @Test
    public void testSetPolicy() throws Exception {
        PrincipalPolicyImpl principalPolicyImpl = setupPrincipalBasedAccessControl(this.validPrincipal, "/", "jcr:readAccessControl");
        addPrincipalBasedEntry(principalPolicyImpl, null, "jcr:workspaceManagement");
        Tree child = this.root.getTree(principalPolicyImpl.getOakPath()).getChild("rep:principalPolicy");
        Assert.assertTrue(child.exists());
        Assert.assertEquals(2L, child.getChildrenCount(10L));
        PrincipalPolicyImpl[] policies = this.acMgr.getPolicies(this.validPrincipal);
        Assert.assertEquals(1L, policies.length);
        Assert.assertEquals(2L, policies[0].size());
        Assert.assertEquals(0L, this.acMgr.getApplicablePolicies(this.validPrincipal).length);
    }

    @Test
    public void testSetPolicyRemovesAllChildNodes() throws Exception {
        PrincipalPolicyImpl principalPolicyImpl = setupPrincipalBasedAccessControl(this.validPrincipal, this.testJcrPath, "jcr:read");
        TreeUtil.addChild(this.root.getTree(principalPolicyImpl.getOakPath()).getChild("rep:principalPolicy"), "nonEntryChild", "oak:Unstructured");
        principalPolicyImpl.removeAccessControlEntry((AccessControlEntry) principalPolicyImpl.getEntries().get(0));
        principalPolicyImpl.addEntry(this.testJcrPath, privilegesFromNames("rep:readNodes"));
        this.acMgr.setPolicy(principalPolicyImpl.getPath(), principalPolicyImpl);
        Assert.assertFalse(this.root.getTree(principalPolicyImpl.getOakPath()).getChild("rep:principalPolicy").hasChild("nonEntryChild"));
        Assert.assertArrayEquals(privilegesFromNames("rep:readNodes"), ((PrincipalPolicyImpl.EntryImpl) this.acMgr.getPolicies(this.validPrincipal)[0].getEntries().get(0)).getPrivileges());
    }

    @Test(expected = AccessControlException.class)
    public void testRemoveInvalidPolicy() throws Exception {
        this.acMgr.removePolicy(this.validPrincipal.getPath(), (PrincipalAccessControlList) Mockito.mock(PrincipalAccessControlList.class));
    }

    @Test(expected = AccessControlException.class)
    public void testRemoveEffectivePolicy() throws Exception {
        setupPrincipalBasedAccessControl(this.validPrincipal, this.testContentJcrPath, "rep:write");
        this.root.commit();
        ImmutableACL immutableACL = this.acMgr.getEffectivePolicies(ImmutableSet.of(this.validPrincipal))[0];
        this.acMgr.removePolicy(immutableACL.getPath(), immutableACL);
    }

    @Test(expected = AccessControlException.class)
    public void testRemovePolicyPathMismatch() throws Exception {
        PrincipalPolicyImpl createValidPolicy = createValidPolicy();
        this.acMgr.removePolicy(PathUtils.getParentPath(createValidPolicy.getPath()), createValidPolicy);
    }

    @Test(expected = AccessControlException.class)
    public void testRemovePolicyNullPath() throws Exception {
        this.acMgr.removePolicy((String) null, (PrincipalAccessControlList) Mockito.mock(PrincipalAccessControlList.class));
    }

    @Test(expected = AccessControlException.class)
    public void testRemovePolicyUnsupportedPath() throws Exception {
        this.acMgr.removePolicy(getNamePathMapper().getJcrPath(PathUtils.getParentPath(SUPPORTED_PATH)), createValidPolicy());
    }

    @Test(expected = AccessControlException.class)
    public void testRemovePolicyTreeAlreadyRemoved() throws Exception {
        PrincipalPolicyImpl createValidPolicy = createValidPolicy();
        this.acMgr.setPolicy(createValidPolicy.getPath(), createValidPolicy);
        this.root.getTree(createValidPolicy.getOakPath()).getChild("rep:principalPolicy").remove();
        this.acMgr.removePolicy(createValidPolicy.getPath(), createValidPolicy);
    }

    @Test
    public void testRemoveEmptyPolicy() throws Exception {
        PrincipalPolicyImpl createValidPolicy = createValidPolicy();
        this.acMgr.setPolicy(createValidPolicy.getPath(), createValidPolicy);
        this.acMgr.removePolicy(createValidPolicy.getPath(), createValidPolicy);
        Assert.assertEquals(0L, this.acMgr.getPolicies(this.validPrincipal).length);
        Assert.assertEquals(1L, this.acMgr.getApplicablePolicies(this.validPrincipal).length);
        Assert.assertFalse(this.root.getTree(createValidPolicy.getOakPath()).hasChild("rep:principalPolicy"));
    }

    @Test
    public void testRemovePolicy() throws Exception {
        PrincipalPolicyImpl principalPolicyImpl = setupPrincipalBasedAccessControl(this.validPrincipal, getNamePathMapper().getJcrPath("/rep:security/rep:authorizables/rep:users"), "rep:userManagement");
        addPrincipalBasedEntry(principalPolicyImpl, null, "rep:privilegeManagement");
        this.acMgr.removePolicy(principalPolicyImpl.getPath(), principalPolicyImpl);
        Assert.assertEquals(0L, this.acMgr.getPolicies(this.validPrincipal).length);
        Assert.assertEquals(1L, this.acMgr.getApplicablePolicies(this.validPrincipal).length);
        Assert.assertFalse(this.root.getTree(principalPolicyImpl.getOakPath()).hasChild("rep:principalPolicy"));
    }

    @Test
    public void testGetApplicableByPath() throws RepositoryException {
        Assert.assertFalse(this.acMgr.getApplicablePolicies(this.validPrincipal.getPath()).hasNext());
    }

    @Test(expected = PathNotFoundException.class)
    public void testGetApplicableByNonExistingPath() throws RepositoryException {
        this.acMgr.getApplicablePolicies(this.testContentJcrPath);
    }

    @Test
    public void testGetPoliciesByPath() throws RepositoryException {
        Assert.assertEquals(0L, this.acMgr.getPolicies(this.validPrincipal.getPath()).length);
    }

    @Test(expected = PathNotFoundException.class)
    public void testGetPoliciesByNonExistingPath() throws RepositoryException {
        this.acMgr.getPolicies(this.testContentJcrPath);
    }

    @Test
    public void testGetEffectivePoliciesByPathNothingSet() throws Exception {
        setupContentTrees("/oak:content/child/grandchild/oak:subtree");
        Assert.assertEquals(0L, this.acMgr.getEffectivePolicies(this.testContentJcrPath).length);
        Assert.assertEquals(0L, this.acMgr.getEffectivePolicies((String) null).length);
    }

    @Test
    public void testGetEffectivePoliciesByPathTransientPolicy() throws Exception {
        setupContentTrees("/oak:content/child/grandchild/oak:subtree");
        setupPrincipalBasedAccessControl(this.validPrincipal, this.testContentJcrPath, "jcr:versionManagement");
        Assert.assertEquals(0L, this.acMgr.getEffectivePolicies(this.testContentJcrPath).length);
        Assert.assertEquals(0L, this.acMgr.getEffectivePolicies(this.testJcrPath).length);
    }

    @Test(expected = PathNotFoundException.class)
    public void testGetEffectivePoliciesByNonExistingPath() throws Exception {
        addPrincipalBasedEntry(setupPrincipalBasedAccessControl(this.validPrincipal, this.testContentJcrPath, "jcr:versionManagement"), "/", "jcr:read");
        this.root.commit();
        this.acMgr.getEffectivePolicies(this.testContentJcrPath);
    }

    @Test
    public void testGetEffectivePoliciesByPath() throws Exception {
        setupContentTrees("/oak:content/child/grandchild/oak:subtree");
        addPrincipalBasedEntry(setupPrincipalBasedAccessControl(this.validPrincipal, this.testContentJcrPath, "jcr:removeChildNodes"), "/", "jcr:read");
        this.root.commit();
        Assert.assertEquals(2L, this.acMgr.getEffectivePolicies(this.testJcrPath).length);
        Assert.assertEquals(2L, this.acMgr.getEffectivePolicies(this.testContentJcrPath).length);
        Assert.assertEquals(1L, this.acMgr.getEffectivePolicies("/").length);
    }

    @Test
    public void testGetPolicyWithNonAceChild() throws Exception {
        setupContentTrees("/oak:content/child/grandchild/oak:subtree");
        PrincipalPolicyImpl principalPolicyImpl = setupPrincipalBasedAccessControl(this.validPrincipal, this.testContentJcrPath, "jcr:retentionManagement");
        addPrincipalBasedEntry(principalPolicyImpl, "/", "jcr:read");
        TreeUtil.addChild(this.root.getTree(getNamePathMapper().getOakPath(principalPolicyImpl.getPath())).getChild("rep:principalPolicy"), "nonAceChild", "oak:Unstructured");
        Assert.assertEquals(2L, this.acMgr.getPolicies(this.validPrincipal)[0].size());
    }

    @Test
    public void testGetPolicyMissingMixinType() throws Exception {
        setupContentTrees("/oak:content/child/grandchild/oak:subtree");
        PrincipalPolicyImpl principalPolicyImpl = setupPrincipalBasedAccessControl(this.validPrincipal, this.testContentJcrPath, "jcr:lockManagement");
        addPrincipalBasedEntry(principalPolicyImpl, "/", "jcr:read");
        this.root.getTree(getNamePathMapper().getOakPath(principalPolicyImpl.getPath())).removeProperty("jcr:mixinTypes");
        Assert.assertEquals(0L, this.acMgr.getPolicies(this.validPrincipal).length);
    }

    @Test
    public void testHasPrivilegesByPrincipals() throws Exception {
        setupContentTrees("/oak:content/child/grandchild/oak:subtree");
        setupPrincipalBasedAccessControl(this.validPrincipal, this.testContentJcrPath, "jcr:nodeTypeManagement");
        addDefaultEntry(this.testJcrPath, this.validPrincipal, "jcr:nodeTypeManagement");
        this.root.commit();
        Assert.assertFalse(this.acMgr.hasPrivileges(this.testContentJcrPath, ImmutableSet.of(this.validPrincipal), privilegesFromNames("jcr:nodeTypeManagement")));
        Assert.assertTrue(this.acMgr.hasPrivileges(this.testJcrPath, ImmutableSet.of(this.validPrincipal), privilegesFromNames("jcr:nodeTypeManagement")));
        Assert.assertFalse(this.acMgr.hasPrivileges(this.testContentJcrPath, ImmutableSet.of(this.validPrincipal, EveryonePrincipal.getInstance()), privilegesFromNames("jcr:nodeTypeManagement")));
        Assert.assertTrue(this.acMgr.hasPrivileges(this.testJcrPath, ImmutableSet.of(this.validPrincipal, EveryonePrincipal.getInstance()), privilegesFromNames("jcr:nodeTypeManagement")));
    }

    @Test
    public void testGetPrivilegesByPrincipals() throws Exception {
        setupContentTrees("/oak:content/child/grandchild/oak:subtree");
        setupPrincipalBasedAccessControl(this.validPrincipal, this.testContentJcrPath, "jcr:addChildNodes", "jcr:removeChildNodes", "jcr:removeNode");
        addDefaultEntry(this.testContentJcrPath, this.validPrincipal, "jcr:read", "jcr:removeNode");
        this.root.commit();
        assertPrivileges(this.acMgr.getPrivileges(this.testContentJcrPath, ImmutableSet.of(this.validPrincipal)), "jcr:removeNode");
        assertPrivileges(this.acMgr.getPrivileges(this.testJcrPath, ImmutableSet.of(this.validPrincipal)), "jcr:removeNode");
        assertPrivileges(this.acMgr.getPrivileges(this.testContentJcrPath, ImmutableSet.of(this.validPrincipal, EveryonePrincipal.getInstance())), "jcr:read", "jcr:removeNode");
        assertPrivileges(this.acMgr.getPrivileges(this.testJcrPath, ImmutableSet.of(this.validPrincipal, EveryonePrincipal.getInstance())), "jcr:read", "jcr:removeNode");
    }

    private void assertPrivileges(@NotNull Privilege[] privilegeArr, @NotNull String... strArr) throws Exception {
        Assert.assertEquals(ImmutableSet.copyOf(privilegesFromNames(strArr)), ImmutableSet.copyOf(privilegeArr));
    }
}
