package org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl;

import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterables;
import com.google.common.collect.Iterators;
import com.google.common.collect.Sets;
import java.security.AccessControlContext;
import java.security.Principal;
import java.security.PrivilegedExceptionAction;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import javax.jcr.AccessDeniedException;
import javax.jcr.Credentials;
import javax.jcr.PathNotFoundException;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.Privilege;
import javax.security.auth.Subject;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.oak.api.ContentSession;
import org.apache.jackrabbit.oak.commons.PathUtils;
import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ReadPolicy;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;

/* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/ReadablePathsAccessControlTest.class */
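/**
 * Verifies how {@link PrincipalBasedAccessControlManager} reports privileges and effective
 * policies for the paths configured as readable ({@code readPaths}) and for their children.
 *
 * <p>The assertions pin two sides of the same contract:
 * <ul>
 *   <li>on a readable path (or a child of one) the test principal holds {@code jcr:read} and
 *       its aggregated privileges, and {@link ReadPolicy#INSTANCE} is the effective policy;</li>
 *   <li>the readable-path configuration grants nothing beyond read: any privilege set that
 *       includes a non-read privilege is refused, paths outside the configured set (the root,
 *       {@code jcr:system}) yield no privileges, and reading effective policies through a
 *       session of the test subject still requires {@code jcr:readAccessControl}.</li>
 * </ul>
 *
 * <p>The negative assertions are the security-relevant ones: they are what would catch a
 * regression in which the readable-path shortcut widens into a broader grant.
 */
public class ReadablePathsAccessControlTest extends AbstractPrincipalBasedTest {

    private Principal testPrincipal;
    // Endless iterators: every call to next() yields another configured path, so each assertion
    // is exercised against a (possibly) different readable path.
    private Iterator<String> readablePaths;
    private Iterator<String> readableChildPaths;
    // Access control manager bound to the setup root (not to a session of the test subject).
    private JackrabbitAccessControlManager acMgr;

    /**
     * Creates the manager under test and collects the configured readable paths and the paths
     * of their direct children, both converted to JCR paths.
     *
     * @throws Exception if the base setup or the lookup of the test system user fails
     */
    @Override
    @Before
    public void before() throws Exception {
        super.before();
        acMgr = new PrincipalBasedAccessControlManager(getMgrProvider(root), getFilterProvider());
        testPrincipal = getTestSystemUser().getPrincipal();

        // The configuration value is handed back untyped here; the default it falls back to is
        // PermissionConstants.DEFAULT_READ_PATHS, so the elements are treated as path strings.
        @SuppressWarnings("unchecked")
        Set<String> configuredPaths = (Set<String>) ((AuthorizationConfiguration) getConfig(AuthorizationConfiguration.class))
                .getParameters().getConfigValue("readPaths", PermissionConstants.DEFAULT_READ_PATHS);
        // Without at least one readable path none of the assertions below would test anything.
        Assert.assertFalse(configuredPaths.isEmpty());

        readablePaths = Iterators.cycle(
                Iterables.transform(configuredPaths, oakPath -> getNamePathMapper().getJcrPath(oakPath)));

        Set<String> childPaths = new HashSet<>();
        for (String oakPath : configuredPaths) {
            Iterables.addAll(childPaths, Iterables.transform(
                    root.getTree(oakPath).getChildren(),
                    child -> getNamePathMapper().getJcrPath(child.getPath())));
        }
        // NOTE: cycling over an empty set makes next() fail; the tests rely on the readable
        // trees having at least one child in the test repository.
        readableChildPaths = Iterators.cycle(childPaths);
    }

    /**
     * Builds a read-only subject that carries only the test principal and no credentials.
     */
    private Subject getTestSubject() {
        return new Subject(true, Collections.singleton(testPrincipal), ImmutableSet.of(), ImmutableSet.of());
    }

    /**
     * Opens a content session while running as the test subject, passing {@code null}
     * credentials and a {@code null} workspace name to the repository login.
     *
     * <p>The action is typed explicitly because {@code Subject.doAsPrivileged} is overloaded
     * for {@code PrivilegedAction} and {@code PrivilegedExceptionAction}; a bare lambda would
     * be ambiguous between the two.
     *
     * @return the session of the test subject; the caller must close it
     * @throws Exception if the login fails
     */
    private ContentSession loginAsTestSubject() throws Exception {
        PrivilegedExceptionAction<ContentSession> login =
                () -> getContentRepository().login((Credentials) null, (String) null);
        return Subject.doAsPrivileged(getTestSubject(), login, (AccessControlContext) null);
    }

    /**
     * Creates an access control manager that operates on the latest root of the given session,
     * i.e. one that is subject to the permissions of that session.
     */
    private PrincipalBasedAccessControlManager sessionAcMgr(ContentSession session) {
        return new PrincipalBasedAccessControlManager(getMgrProvider(session.getLatestRoot()), getFilterProvider());
    }

    /** Read privileges are reported on readable paths and their children for the test session. */
    @Test
    public void testHasPrivilege() throws Exception {
        // try-with-resources closes the session exactly once and keeps a close() failure from
        // replacing an assertion failure raised in the body.
        try (ContentSession session = loginAsTestSubject()) {
            PrincipalBasedAccessControlManager testAcMgr = sessionAcMgr(session);
            Set<Principal> principals = Collections.singleton(testPrincipal);

            Assert.assertTrue(testAcMgr.hasPrivileges(readablePaths.next(), principals, privilegesFromNames("jcr:read")));
            Assert.assertTrue(testAcMgr.hasPrivileges(readablePaths.next(), principals, privilegesFromNames("rep:readProperties")));
            Assert.assertTrue(testAcMgr.hasPrivileges(readableChildPaths.next(), principals, privilegesFromNames("rep:readNodes")));
            Assert.assertTrue(testAcMgr.hasPrivileges(readableChildPaths.next(), principals, privilegesFromNames("rep:readNodes", "rep:readProperties")));
        }
    }

    /** Any privilege set containing a non-read privilege is refused, even on readable paths. */
    @Test
    public void testNotHasPrivilege() throws Exception {
        try (ContentSession session = loginAsTestSubject()) {
            PrincipalBasedAccessControlManager testAcMgr = sessionAcMgr(session);
            Set<Principal> principals = Collections.singleton(testPrincipal);

            Assert.assertFalse(testAcMgr.hasPrivileges(readablePaths.next(), principals, privilegesFromNames("jcr:read", "jcr:readAccessControl")));
            Assert.assertFalse(testAcMgr.hasPrivileges(readablePaths.next(), principals, privilegesFromNames("jcr:all")));
            Assert.assertFalse(testAcMgr.hasPrivileges(readableChildPaths.next(), principals, privilegesFromNames("rep:readNodes", "jcr:modifyProperties")));
            Assert.assertFalse(testAcMgr.hasPrivileges(readableChildPaths.next(), principals, privilegesFromNames("rep:readNodes", "rep:readProperties", "jcr:namespaceManagement")));
        }
    }

    /** Same positive checks as {@link #testHasPrivilege()}, evaluated by principal set. */
    @Test
    public void testHasPrivilegePrincipal() throws Exception {
        Set<Principal> principals = Collections.singleton(testPrincipal);

        Assert.assertTrue(acMgr.hasPrivileges(readablePaths.next(), principals, privilegesFromNames("jcr:read")));
        Assert.assertTrue(acMgr.hasPrivileges(readablePaths.next(), principals, privilegesFromNames("rep:readProperties")));
        Assert.assertTrue(acMgr.hasPrivileges(readableChildPaths.next(), principals, privilegesFromNames("rep:readNodes")));
        Assert.assertTrue(acMgr.hasPrivileges(readableChildPaths.next(), principals, privilegesFromNames("rep:readNodes", "rep:readProperties")));
    }

    /**
     * Non-read privileges are refused on readable paths, and read itself is refused on paths
     * that are not part of the readable configuration (the root and {@code jcr:system}).
     */
    @Test
    public void testNotHasPrivilegePrincipal() throws Exception {
        Set<Principal> principals = Collections.singleton(testPrincipal);

        Assert.assertFalse(acMgr.hasPrivileges(readablePaths.next(), principals, privilegesFromNames("jcr:read", "jcr:modifyProperties")));
        Assert.assertFalse(acMgr.hasPrivileges(readablePaths.next(), principals, privilegesFromNames("jcr:all")));
        Assert.assertFalse(acMgr.hasPrivileges(readableChildPaths.next(), principals, privilegesFromNames("rep:readNodes", "jcr:readAccessControl")));
        Assert.assertFalse(acMgr.hasPrivileges(readableChildPaths.next(), principals, privilegesFromNames("jcr:versionManagement", "rep:readProperties")));

        // Ancestors of the readable paths must not inherit the read grant.
        Assert.assertFalse(acMgr.hasPrivileges("/", principals, privilegesFromNames("jcr:read")));
        Assert.assertFalse(acMgr.hasPrivileges(getNamePathMapper().getJcrPath(PathUtils.concat("/", "jcr:system")), principals, privilegesFromNames("rep:readProperties")));
    }

    /** The test session sees exactly {@code jcr:read} on readable paths and their children. */
    @Test
    public void testGetPrivileges() throws Exception {
        try (ContentSession session = loginAsTestSubject()) {
            PrincipalBasedAccessControlManager testAcMgr = sessionAcMgr(session);
            Privilege[] readOnly = privilegesFromNames("jcr:read");

            Assert.assertArrayEquals(readOnly, testAcMgr.getPrivileges(readablePaths.next()));
            Assert.assertArrayEquals(readOnly, testAcMgr.getPrivileges(readableChildPaths.next()));
        }
    }

    /**
     * The root is not readable for the test session, so asking for privileges there is
     * expected to fail with {@link PathNotFoundException}.
     */
    @Test(expected = PathNotFoundException.class)
    public void testGetPrivilegesAtRoot() throws Exception {
        try (ContentSession session = loginAsTestSubject()) {
            sessionAcMgr(session).getPrivileges("/");
        }
    }

    /**
     * By principal set: exactly {@code jcr:read} on readable paths and their children, and an
     * empty privilege array on the root and on {@code jcr:system}.
     */
    @Test
    public void testGetPrivilegesByPrincipal() throws Exception {
        Privilege[] readOnly = privilegesFromNames("jcr:read");
        Set<Principal> principals = Collections.singleton(testPrincipal);

        Assert.assertArrayEquals(readOnly, acMgr.getPrivileges(readablePaths.next(), principals));
        Assert.assertArrayEquals(readOnly, acMgr.getPrivileges(readableChildPaths.next(), principals));

        Assert.assertEquals(0L, acMgr.getPrivileges("/", principals).length);
        Assert.assertEquals(0L, acMgr.getPrivileges(PathUtils.concat("/", getNamePathMapper().getJcrName("jcr:system")), principals).length);
    }

    /** {@link ReadPolicy#INSTANCE} is the only effective policy on readable paths and children. */
    @Test
    public void testGetEffectivePolicies() throws Exception {
        AccessControlPolicy[] expected = {ReadPolicy.INSTANCE};

        Assert.assertArrayEquals(expected, acMgr.getEffectivePolicies(readablePaths.next()));
        Assert.assertArrayEquals(expected, acMgr.getEffectivePolicies(readableChildPaths.next()));
    }

    /** A {@code null} path yields no effective policies. */
    @Test
    public void testGetEffectivePoliciesNullPath() throws Exception {
        Assert.assertEquals(0L, acMgr.getEffectivePolicies((String) null).length);
    }

    /**
     * Being able to read a path is not enough to read its policies: without
     * {@code jcr:readAccessControl} the test session is expected to be denied.
     */
    @Test(expected = AccessDeniedException.class)
    public void testGetEffectivePoliciesLimitedAccess() throws Exception {
        try (ContentSession session = loginAsTestSubject()) {
            sessionAcMgr(session).getEffectivePolicies(readablePaths.next());
        }
    }

    /**
     * With {@code jcr:readAccessControl} granted on the readable path and on the root, the
     * test session gets the read policy and nothing else.
     *
     * <p>NOTE(review): presumably the principal-based policy is left out because the session
     * cannot read the location where it is stored; the next test grants that access and then
     * sees it. Confirm against the manager implementation.
     */
    @Test
    public void testGetEffectivePoliciesLimitedAccess2() throws Exception {
        String path = readablePaths.next();
        setupPrincipalBasedAccessControl(testPrincipal, path, "jcr:readAccessControl");
        addDefaultEntry("/", testPrincipal, "jcr:readAccessControl");
        root.commit();

        try (ContentSession session = loginAsTestSubject()) {
            Set<AccessControlPolicy> effective = ImmutableSet.copyOf(sessionAcMgr(session).getEffectivePolicies(path));

            Assert.assertEquals(1L, effective.size());
            Assert.assertTrue(effective.contains(ReadPolicy.INSTANCE));
        }
    }

    /**
     * With read and read-access-control additionally granted on the test system user's own
     * path (and read on the root), the test session gets the read policy plus one
     * {@link ImmutablePrincipalPolicy}.
     */
    @Test
    public void testGetEffectivePoliciesLimitedAccess3() throws Exception {
        String path = readablePaths.next();
        setupPrincipalBasedAccessControl(testPrincipal, path, "jcr:readAccessControl");
        setupPrincipalBasedAccessControl(testPrincipal, getTestSystemUser().getPath(), "jcr:read", "jcr:readAccessControl");
        addDefaultEntry("/", testPrincipal, "jcr:readAccessControl", "jcr:read");
        root.commit();

        try (ContentSession session = loginAsTestSubject()) {
            Set<AccessControlPolicy> effective = Sets.newHashSet(sessionAcMgr(session).getEffectivePolicies(path));

            Assert.assertEquals(2L, effective.size());
            // Removing the read policy leaves exactly one element to inspect.
            Assert.assertTrue(effective.remove(ReadPolicy.INSTANCE));
            Assert.assertTrue(effective.iterator().next() instanceof ImmutablePrincipalPolicy);
        }
    }

    /** The readable-path configuration contributes no effective policy per principal. */
    @Test
    public void testGetEffectivePoliciesByPrincipal() throws Exception {
        Assert.assertEquals(0L, acMgr.getEffectivePolicies(Collections.singleton(testPrincipal)).length);
    }
}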
