package org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl;

import com.google.common.collect.ImmutableSet;
import javax.jcr.SimpleCredentials;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.ContentSession;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
import org.jetbrains.annotations.NotNull;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;

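/**
 * Verifies that principal-based access control content cannot be written by a
 * session that is only allowed to read it.
 *
 * <p>The fixture logs in the regular test user, who is given {@code jcr:read} and
 * {@code jcr:readAccessControl} at the root path and nothing else. Every test then
 * stages a policy change through that limited session (new entry, changed privileges,
 * added restriction, changed restriction) and expects the commit to be rejected with a
 * {@link CommitFailedException} of type {@code "Access"} and code {@code 3}.
 *
 * <p>As the test names indicate, the permission the limited user lacks is the one
 * required to modify access control content; being able to read a policy must never be
 * sufficient to alter it.
 */
public class PolicyValidatorLimitedUserTest extends AbstractPrincipalBasedTest {

    /** Effective path written into every policy entry created by these tests. */
    private static final String EFFECTIVE_PATH = "/oak:content/child/grandchild/oak:subtree";

    // Oak path of the node that carries the principal-based policy.
    private String accessControlledPath;
    // Session and root of the limited user; both stay null if before() fails early.
    private ContentSession testSession;
    private Root testRoot;

    /**
     * Creates the principal-based policy for the test system user with the admin root,
     * grants the limited test user read access, and opens the limited session.
     */
    @Override
    @Before
    public void before() throws Exception {
        super.before();
        accessControlledPath = setupPrincipalBasedAccessControl(
                getTestSystemUser().getPrincipal(), testJcrPath, "jcr:nodeTypeManagement").getOakPath();

        // The limited user may read content and access control content, but is given
        // no privilege that would allow modifying policies.
        User testUser = getTestUser();
        addDefaultEntry("/", testUser.getPrincipal(), "jcr:read", "jcr:readAccessControl");
        root.commit();

        // NOTE(review): the credentials use the user ID as password; this relies on how
        // the base class creates the test user - confirm against getTestUser().
        testSession = login(new SimpleCredentials(testUser.getID(), testUser.getID().toCharArray()));
        testRoot = testSession.getLatestRoot();
    }

    /**
     * Discards pending changes of the limited session, closes it and runs the base
     * class teardown.
     *
     * <p>JUnit invokes {@code @After} methods even when {@code @Before} threw, so
     * {@code testRoot} may still be null here; it is guarded to avoid a
     * {@link NullPointerException} that would hide the original setup failure. The
     * nested {@code finally} blocks make sure the session is closed and the base class
     * teardown runs even if an earlier cleanup step fails.
     */
    @Override
    @After
    public void after() throws Exception {
        try {
            if (testRoot != null) {
                testRoot.refresh();
            }
        } finally {
            try {
                if (testSession != null) {
                    testSession.close();
                }
            } finally {
                super.after();
            }
        }
    }

    /**
     * Builds a principal policy with a single entry below the access controlled node of
     * the given root. The changes are only staged; the caller decides when to commit.
     *
     * @param targetRoot root whose transient space receives the policy content
     * @param effectivePath value stored as {@code rep:effectivePath} of the entry
     * @param privilegeNames values stored as {@code rep:privileges} of the entry
     * @return the newly added {@code rep:PrincipalEntry} tree
     */
    @NotNull
    private Tree createPolicyEntryTree(@NotNull Root targetRoot, @NotNull String effectivePath,
                                       @NotNull String... privilegeNames) throws Exception {
        Tree accessControlled = targetRoot.getTree(accessControlledPath);
        TreeUtil.addMixin(accessControlled, "rep:PrincipalBasedMixin",
                targetRoot.getTree("/jcr:system/jcr:nodeTypes"), "uid");

        Tree policy = TreeUtil.addChild(accessControlled, "rep:principalPolicy", "rep:PrincipalPolicy");
        policy.setProperty("rep:principalName", getTestSystemUser().getPrincipal().getName());

        Tree entry = TreeUtil.addChild(policy, "entry", "rep:PrincipalEntry");
        entry.setProperty("rep:effectivePath", effectivePath, Type.PATH);
        entry.setProperty("rep:privileges", ImmutableSet.copyOf(privilegeNames), Type.NAMES);
        return entry;
    }

    /**
     * Commits the given root and asserts that the commit is rejected as an access
     * violation (type {@code "Access"}, code {@code 3}). A commit that succeeds fails
     * the test, because it would mean the limited session was able to write policy
     * content.
     */
    private static void assertCommitDenied(@NotNull Root limitedRoot) {
        try {
            limitedRoot.commit();
            Assert.fail("CommitFailedException expected; type ACCESS; code 3");
        } catch (CommitFailedException e) {
            Assert.assertEquals("Access", e.getType());
            Assert.assertEquals(3, e.getCode());
        }
    }

    /** Adding a complete policy entry through the limited session must be rejected. */
    @Test
    public void testAddEntryMissingModAcPermission() throws Exception {
        createPolicyEntryTree(testRoot, EFFECTIVE_PATH, "jcr:read");
        assertCommitDenied(testRoot);
    }

    /** Changing the privileges of an existing entry through the limited session must be rejected. */
    @Test
    public void testChangeEntryMissingModAcPermission() throws Exception {
        // The entry itself is created and persisted with the privileged root.
        Tree entry = createPolicyEntryTree(root, EFFECTIVE_PATH, "jcr:read");
        root.commit();

        testRoot.refresh();
        Tree limitedView = testRoot.getTree(entry.getPath());
        limitedView.setProperty("rep:privileges", ImmutableSet.of("jcr:read", "jcr:write"), Type.NAMES);
        assertCommitDenied(testRoot);
    }

    /** Adding a restriction node to an existing entry through the limited session must be rejected. */
    @Test
    public void testAddRestrictionMissingModAcPermission() throws Exception {
        Tree entry = createPolicyEntryTree(root, EFFECTIVE_PATH, "jcr:read");
        root.commit();

        testRoot.refresh();
        Tree limitedView = testRoot.getTree(entry.getPath());
        Tree restrictions = TreeUtil.addChild(limitedView, "rep:restrictions", "rep:Restrictions");
        restrictions.setProperty("rep:glob", "*/glob/*");
        assertCommitDenied(testRoot);
    }

    /** Changing an existing restriction through the limited session must be rejected. */
    @Test
    public void testModifyRestrictionMissingModAcPermission() throws Exception {
        Tree entry = createPolicyEntryTree(root, EFFECTIVE_PATH, "jcr:read");
        Tree restrictions = TreeUtil.addChild(entry, "rep:restrictions", "rep:Restrictions");
        restrictions.setProperty("rep:glob", "*/glob/*");
        root.commit();

        testRoot.refresh();
        testRoot.getTree(restrictions.getPath()).setProperty("rep:glob", "*/changedGlob/*");
        assertCommitDenied(testRoot);
    }
}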
