package org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl;

import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import java.security.Principal;
import java.util.Iterator;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.commons.PathUtils;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.plugins.memory.PropertyStates;
import org.apache.jackrabbit.oak.plugins.tree.TreeType;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;

/* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/PermissionProviderAccessControlTest.class */
public class PermissionProviderAccessControlTest extends AbstractPrincipalBasedTest {
    private Principal testPrincipal;
    private PrincipalBasedPermissionProvider permissionProvider;
    private String contentPath;
    private String childPath;
    private String grandchildPath;
    private String child2Path;
    private String accessControlledPath;

    @Override // org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl.AbstractPrincipalBasedTest
    @Before
    public void before() throws Exception {
        super.before();
        this.testPrincipal = getTestSystemUser().getPrincipal();
        setupContentTrees("/oak:content/child/grandchild/oak:subtree");
        setupContentTrees("/oak:content/child2/grandchild2");
        this.contentPath = PathUtils.getAncestorPath("/oak:content/child/grandchild/oak:subtree", 3);
        this.childPath = PathUtils.getAncestorPath("/oak:content/child/grandchild/oak:subtree", 2);
        this.grandchildPath = PathUtils.getAncestorPath("/oak:content/child/grandchild/oak:subtree", 1);
        this.child2Path = "/oak:content/child2";
        PrincipalPolicyImpl principalPolicyImpl = setupPrincipalBasedAccessControl(this.testPrincipal, getNamePathMapper().getJcrPath(this.contentPath), "jcr:read");
        addPrincipalBasedEntry(principalPolicyImpl, getNamePathMapper().getJcrPath(this.childPath), "jcr:readAccessControl");
        addPrincipalBasedEntry(principalPolicyImpl, getNamePathMapper().getJcrPath(this.child2Path), "jcr:modifyAccessControl");
        this.accessControlledPath = principalPolicyImpl.getOakPath();
        this.root.commit();
        this.permissionProvider = createPermissionProvider(this.root, this.testPrincipal);
    }

    protected NamePathMapper getNamePathMapper() {
        return NamePathMapper.DEFAULT;
    }

    @Test
    public void testGetTreePermission() throws Exception {
        String concat = PathUtils.concat(this.accessControlledPath, "rep:principalPolicy");
        Tree tree = this.root.getTree("/");
        TreePermission treePermission = this.permissionProvider.getTreePermission(tree, TreePermission.EMPTY);
        Iterator it = PathUtils.elements(concat).iterator();
        while (it.hasNext()) {
            tree = tree.getChild((String) it.next());
            treePermission = this.permissionProvider.getTreePermission(tree, treePermission);
        }
        Assert.assertTrue(treePermission instanceof AbstractTreePermission);
        Assert.assertSame(TreeType.ACCESS_CONTROL, ((AbstractTreePermission) treePermission).getType());
    }

    @Test
    public void testIsGrantedOnAccessControlledTree() throws Exception {
        Tree tree = this.root.getTree(getNamePathMapper().getOakPath(this.accessControlledPath));
        Assert.assertFalse(this.permissionProvider.isGranted(tree, (PropertyState) null, 3L));
        Assert.assertFalse(this.permissionProvider.isGranted(tree, (PropertyState) null, 128L));
        setupPrincipalBasedAccessControl(this.testPrincipal, this.accessControlledPath, "jcr:read");
        this.root.commit();
        this.permissionProvider.refresh();
        Assert.assertTrue(this.permissionProvider.isGranted(tree, (PropertyState) null, 3L));
    }

    @Test
    public void testIsGrantedOnPolicyTree() throws Exception {
        Tree tree = this.root.getTree(PathUtils.concat(this.accessControlledPath, "rep:principalPolicy"));
        Assert.assertFalse(this.permissionProvider.isGranted(tree, (PropertyState) null, 3L));
        Assert.assertFalse(this.permissionProvider.isGranted(tree, (PropertyState) null, 128L));
        Assert.assertFalse(this.permissionProvider.isGranted(tree, (PropertyState) null, 384L));
        Assert.assertFalse(this.permissionProvider.isGranted(tree, (PropertyState) null, 124L));
    }

    @Test
    public void testIsGrantedOnPolicyTreePrincipalReadable() throws Exception {
        setupPrincipalBasedAccessControl(this.testPrincipal, this.accessControlledPath, "jcr:read");
        this.root.commit();
        this.permissionProvider.refresh();
        Tree tree = this.root.getTree(PathUtils.concat(this.accessControlledPath, "rep:principalPolicy"));
        Assert.assertTrue(this.permissionProvider.isGranted(tree, (PropertyState) null, 3L));
        Assert.assertFalse(this.permissionProvider.isGranted(tree, (PropertyState) null, 128L));
        Assert.assertFalse(this.permissionProvider.isGranted(tree, (PropertyState) null, 384L));
        Assert.assertFalse(this.permissionProvider.isGranted(tree, (PropertyState) null, 124L));
    }

    @Test
    public void testIsGrantedOnPolicyTreePrincipalAccessControlReadable() throws Exception {
        setupPrincipalBasedAccessControl(this.testPrincipal, this.accessControlledPath, "jcr:read", "jcr:readAccessControl");
        this.root.commit();
        this.permissionProvider.refresh();
        Tree tree = this.root.getTree(PathUtils.concat(this.accessControlledPath, "rep:principalPolicy"));
        Assert.assertTrue(this.permissionProvider.isGranted(tree, (PropertyState) null, 3L));
        Assert.assertTrue(this.permissionProvider.isGranted(tree, (PropertyState) null, 128L));
        Assert.assertFalse(this.permissionProvider.isGranted(tree, (PropertyState) null, 384L));
        Assert.assertFalse(this.permissionProvider.isGranted(tree, (PropertyState) null, 124L));
    }

    @Test
    public void testIsGrantedOnEntryTree() throws Exception {
        setupPrincipalBasedAccessControl(this.testPrincipal, this.accessControlledPath, "jcr:read", "jcr:readAccessControl");
        this.root.commit();
        this.permissionProvider.refresh();
        for (Tree tree : this.root.getTree(PathUtils.concat(this.accessControlledPath, "rep:principalPolicy")).getChildren()) {
            Assert.assertTrue(this.permissionProvider.isGranted(tree, (PropertyState) null, 131L));
            Assert.assertFalse(this.permissionProvider.isGranted(tree, (PropertyState) null, 256L));
        }
    }

    @Test
    public void testIsGrantedOnEntryTreeAccessControlModifiable() throws Exception {
        setupPrincipalBasedAccessControl(this.testPrincipal, this.accessControlledPath, "jcr:read", "jcr:modifyAccessControl");
        this.root.commit();
        this.permissionProvider.refresh();
        for (Tree tree : this.root.getTree(PathUtils.concat(this.accessControlledPath, "rep:principalPolicy")).getChildren()) {
            Assert.assertTrue(this.permissionProvider.isGranted(tree, (PropertyState) null, 3L));
            String str = (String) tree.getProperty("rep:effectivePath").getValue(Type.STRING);
            if (this.contentPath.equals(str)) {
                Assert.assertFalse(this.permissionProvider.isGranted(tree, (PropertyState) null, 128L));
                Assert.assertFalse(this.permissionProvider.isGranted(tree, (PropertyState) null, 256L));
            } else if (this.childPath.equals(str)) {
                Assert.assertFalse(this.permissionProvider.isGranted(tree, (PropertyState) null, 128L));
                Assert.assertFalse(this.permissionProvider.isGranted(tree, (PropertyState) null, 256L));
            } else if (this.child2Path.equals(str)) {
                Assert.assertFalse(this.permissionProvider.isGranted(tree, (PropertyState) null, 128L));
                Assert.assertTrue(this.permissionProvider.isGranted(tree, (PropertyState) null, 256L));
            }
        }
    }

    @Test
    public void testIsGrantedOnEntryTreeAccessMgt() throws Exception {
        setupPrincipalBasedAccessControl(this.testPrincipal, this.accessControlledPath, "jcr:read", "jcr:readAccessControl", "jcr:modifyAccessControl");
        this.root.commit();
        this.permissionProvider.refresh();
        for (Tree tree : this.root.getTree(PathUtils.concat(this.accessControlledPath, "rep:principalPolicy")).getChildren()) {
            Assert.assertTrue(this.permissionProvider.isGranted(tree, (PropertyState) null, 131L));
            Assert.assertTrue(this.permissionProvider.isGranted(tree, tree.getProperty("rep:effectivePath"), 128L));
            Assert.assertTrue(this.permissionProvider.isGranted(tree, tree.getProperty("rep:privileges"), 128L));
            String str = (String) tree.getProperty("rep:effectivePath").getValue(Type.STRING);
            if (this.contentPath.equals(str)) {
                Assert.assertFalse(this.permissionProvider.isGranted(tree, (PropertyState) null, 256L));
            } else if (this.childPath.equals(str)) {
                Assert.assertFalse(this.permissionProvider.isGranted(tree, (PropertyState) null, 256L));
            } else if (this.child2Path.equals(str)) {
                Assert.assertTrue(this.permissionProvider.isGranted(tree, (PropertyState) null, 256L));
            }
        }
    }

    @Test
    public void testIsGrantedOnNonExistingRestrictionTree() throws Exception {
        setupPrincipalBasedAccessControl(this.testPrincipal, this.accessControlledPath, "jcr:readAccessControl", "jcr:modifyAccessControl");
        this.root.commit();
        this.permissionProvider.refresh();
        for (Tree tree : this.root.getTree(PathUtils.concat(this.accessControlledPath, "rep:principalPolicy")).getChildren()) {
            Tree child = tree.getChild("rep:restrictions");
            PropertyState createProperty = PropertyStates.createProperty("rep:glob", "any");
            Assert.assertFalse(this.permissionProvider.isGranted(child, (PropertyState) null, 3L));
            String str = (String) tree.getProperty("rep:effectivePath").getValue(Type.STRING);
            if (this.contentPath.equals(str)) {
                Assert.assertTrue(this.permissionProvider.isGranted(child, (PropertyState) null, 128L));
                Assert.assertTrue(this.permissionProvider.isGranted(child, createProperty, 128L));
                Assert.assertFalse(this.permissionProvider.isGranted(child, (PropertyState) null, 256L));
            } else if (this.childPath.equals(str)) {
                Assert.assertTrue(this.permissionProvider.isGranted(child, (PropertyState) null, 128L));
                Assert.assertTrue(this.permissionProvider.isGranted(child, createProperty, 128L));
                Assert.assertFalse(this.permissionProvider.isGranted(child, (PropertyState) null, 256L));
            } else if (this.child2Path.equals(str)) {
                Assert.assertTrue(this.permissionProvider.isGranted(child, (PropertyState) null, 384L));
                Assert.assertTrue(this.permissionProvider.isGranted(child, createProperty, 384L));
            }
        }
    }

    @Test
    public void testIsGrantedOnRestrictionTree() throws Exception {
        getPrincipalPolicyImpl(this.testPrincipal, getAccessControlManager(this.root)).addEntry(this.accessControlledPath, privilegesFromNames("jcr:readAccessControl"), ImmutableMap.of(getNamePathMapper().getJcrName("rep:glob"), getValueFactory(this.root).createValue("rep:restrictions*")), ImmutableMap.of());
        this.root.commit();
        this.permissionProvider.refresh();
        for (Tree tree : this.root.getTree(PathUtils.concat(this.accessControlledPath, "rep:principalPolicy")).getChildren()) {
            Assert.assertFalse(this.permissionProvider.isGranted(tree, (PropertyState) null, 3L));
            if (tree.hasChild("rep:restrictions")) {
                Tree child = tree.getChild("rep:restrictions");
                Assert.assertTrue(this.permissionProvider.isGranted(child, (PropertyState) null, 128L));
                Assert.assertFalse(this.permissionProvider.isGranted(child, (PropertyState) null, 3L));
                Assert.assertFalse(this.permissionProvider.isGranted(child, (PropertyState) null, 384L));
                Iterator it = child.getProperties().iterator();
                while (it.hasNext()) {
                    Assert.assertTrue(this.permissionProvider.isGranted(child, (PropertyState) it.next(), 128L));
                }
                return;
            }
        }
    }

    @Test
    public void testIsGrantedByPath() throws Exception {
        setupPrincipalBasedAccessControl(this.testPrincipal, this.accessControlledPath, "jcr:read", "jcr:readAccessControl", "jcr:modifyAccessControl");
        this.root.commit();
        this.permissionProvider.refresh();
        Assert.assertTrue(this.permissionProvider.isGranted(this.accessControlledPath, Permissions.getString(387L)));
        Assert.assertFalse(this.permissionProvider.isGranted(this.accessControlledPath, Permissions.getString(127L)));
        String concat = PathUtils.concat(this.accessControlledPath, "rep:principalPolicy");
        Assert.assertTrue(this.permissionProvider.isGranted(concat, Permissions.getString(387L)));
        for (Tree tree : this.root.getTree(concat).getChildren()) {
            String path = tree.getPath();
            String str = (String) tree.getProperty("rep:effectivePath").getValue(Type.STRING);
            if (this.contentPath.equals(str)) {
                Assert.assertTrue(this.permissionProvider.isGranted(path, Permissions.getString(131L)));
                Assert.assertFalse(this.permissionProvider.isGranted(path, Permissions.getString(256L)));
            } else if (path.equals(str)) {
                Assert.assertTrue(this.permissionProvider.isGranted(path, Permissions.getString(131L)));
                Assert.assertFalse(this.permissionProvider.isGranted(path, Permissions.getString(259L)));
            } else if (this.child2Path.equals(str)) {
                Assert.assertTrue(this.permissionProvider.isGranted(path, Permissions.getString(131L)));
                Assert.assertTrue(this.permissionProvider.isGranted(path, Permissions.getString(259L)));
            }
        }
    }

    @Test
    public void testGetPrivileges() throws Exception {
        Assert.assertTrue(this.permissionProvider.getPrivileges(this.root.getTree(this.accessControlledPath)).isEmpty());
        Tree tree = this.root.getTree(PathUtils.concat(this.accessControlledPath, "rep:principalPolicy"));
        Assert.assertTrue(this.permissionProvider.getPrivileges(tree).isEmpty());
        for (Tree tree2 : tree.getChildren()) {
            Assert.assertTrue(this.permissionProvider.getPrivileges(tree).isEmpty());
        }
        setupPrincipalBasedAccessControl(this.testPrincipal, this.accessControlledPath, "jcr:read");
        this.root.commit();
        this.permissionProvider.refresh();
        ImmutableSet of = ImmutableSet.of("jcr:read");
        Assert.assertEquals(of, this.permissionProvider.getPrivileges(this.root.getTree(this.accessControlledPath)));
        Tree tree3 = this.root.getTree(PathUtils.concat(this.accessControlledPath, "rep:principalPolicy"));
        Assert.assertEquals(of, this.permissionProvider.getPrivileges(tree3));
        for (Tree tree4 : tree3.getChildren()) {
            Assert.assertEquals(of, this.permissionProvider.getPrivileges(tree3));
        }
        setupPrincipalBasedAccessControl(this.testPrincipal, this.accessControlledPath, "jcr:readAccessControl");
        this.root.commit();
        this.permissionProvider.refresh();
        ImmutableSet of2 = ImmutableSet.of("jcr:read", "jcr:readAccessControl");
        Assert.assertEquals(of2, this.permissionProvider.getPrivileges(this.root.getTree(this.accessControlledPath)));
        Tree tree5 = this.root.getTree(PathUtils.concat(this.accessControlledPath, "rep:principalPolicy"));
        Assert.assertEquals(of2, this.permissionProvider.getPrivileges(tree5));
        Iterator it = tree5.getChildren().iterator();
        while (it.hasNext()) {
            Assert.assertEquals(ImmutableSet.of("jcr:read", "jcr:readAccessControl"), this.permissionProvider.getPrivileges((Tree) it.next()));
        }
        setupPrincipalBasedAccessControl(this.testPrincipal, this.accessControlledPath, "jcr:modifyAccessControl");
        this.root.commit();
        this.permissionProvider.refresh();
        ImmutableSet of3 = ImmutableSet.of("jcr:read", "jcr:readAccessControl", "jcr:modifyAccessControl");
        Assert.assertEquals(of3, this.permissionProvider.getPrivileges(this.root.getTree(this.accessControlledPath)));
        Tree tree6 = this.root.getTree(PathUtils.concat(this.accessControlledPath, "rep:principalPolicy"));
        Assert.assertEquals(of3, this.permissionProvider.getPrivileges(tree6));
        for (Tree tree7 : tree6.getChildren()) {
            String str = (String) tree7.getProperty("rep:effectivePath").getValue(Type.STRING);
            if (this.contentPath.equals(str)) {
                Assert.assertEquals(ImmutableSet.of("jcr:read", "jcr:readAccessControl"), this.permissionProvider.getPrivileges(tree7));
            } else if (this.childPath.equals(str)) {
                Assert.assertEquals(ImmutableSet.of("jcr:read", "jcr:readAccessControl"), this.permissionProvider.getPrivileges(tree7));
            } else if (this.child2Path.equals(str)) {
                Assert.assertEquals(ImmutableSet.of("jcr:read", "jcr:readAccessControl", "jcr:modifyAccessControl"), this.permissionProvider.getPrivileges(tree7));
            }
        }
    }
}
