package org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl;

import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import java.security.Principal;
import java.util.Iterator;
import javax.jcr.AccessDeniedException;
import javax.jcr.RepositoryException;
import javax.jcr.SimpleCredentials;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlException;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.commons.PathUtils;
import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ImmutableACL;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;

/* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/AccessControlManagerLimitedUserTest.class */
public class AccessControlManagerLimitedUserTest extends AbstractPrincipalBasedTest implements PrivilegeConstants {
    Principal systemPrincipal;
    String systemPrincipalPath;
    Principal testPrincipal;
    Root testRoot;
    JackrabbitAccessControlManager testAcMgr;

    @Override // org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl.AbstractPrincipalBasedTest
    @Before
    public void before() throws Exception {
        super.before();
        this.systemPrincipalPath = getTestSystemUser().getPath();
        this.systemPrincipal = getTestSystemUser().getPrincipal();
        this.testPrincipal = createTestPrincipal();
        setupContentTrees("/oak:content/child/grandchild/oak:subtree");
        grant(this.testPrincipal, "/", "jcr:read");
        addPrincipalBasedEntry(setupPrincipalBasedAccessControl(this.systemPrincipal, this.testContentJcrPath, "jcr:nodeTypeManagement"), null, "jcr:namespaceManagement");
        this.root.commit();
        this.testRoot = createTestRoot();
        this.testAcMgr = createAccessControlManager(this.testRoot);
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl.AbstractPrincipalBasedTest
    public void after() throws Exception {
        try {
            if (this.testRoot != null) {
                this.testRoot.getContentSession().close();
            }
        } finally {
            super.after();
        }
    }

    Principal createTestPrincipal() throws Exception {
        return getTestUser().getPrincipal();
    }

    Root createTestRoot() throws Exception {
        User testUser = getTestUser();
        return login(new SimpleCredentials(testUser.getID(), testUser.getID().toCharArray())).getLatestRoot();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public void grant(@NotNull Principal principal, @Nullable String str, @NotNull String... strArr) throws Exception {
        addDefaultEntry(str, principal, strArr);
    }

    private static void assertEmptyPolicies(@NotNull AccessControlPolicy[] accessControlPolicyArr) {
        Assert.assertEquals(0L, accessControlPolicyArr.length);
    }

    private static void assertPolicies(@NotNull AccessControlPolicy[] accessControlPolicyArr, Class<? extends JackrabbitAccessControlList> cls, int i, int i2) {
        Assert.assertEquals(i, accessControlPolicyArr.length);
        if (i > 0) {
            Assert.assertTrue(cls.isAssignableFrom(accessControlPolicyArr[0].getClass()));
            Assert.assertEquals(i2, ((JackrabbitAccessControlList) accessControlPolicyArr[0]).size());
        }
    }

    @NotNull
    private String getPolicyPath() throws Exception {
        PrincipalPolicyImpl[] policies = createAccessControlManager(this.root).getPolicies(this.systemPrincipal);
        Assert.assertEquals(1L, policies.length);
        return PathUtils.concat(policies[0].getOakPath(), "rep:principalPolicy");
    }

    @NotNull
    private String getEntryPath() throws Exception {
        Tree tree = this.root.getTree(getPolicyPath());
        Assert.assertTrue(tree.exists());
        for (Tree tree2 : tree.getChildren()) {
            if (Utils.isPrincipalEntry(tree2)) {
                return tree2.getPath();
            }
        }
        throw new RepositoryException("unable to locate policy entry");
    }

    @Test(expected = AccessDeniedException.class)
    public void testGetApplicableByPath() throws RepositoryException {
        this.testAcMgr.getApplicablePolicies(this.testJcrPath);
    }

    @Test(expected = AccessDeniedException.class)
    public void testGetPoliciesByPath() throws RepositoryException {
        this.testAcMgr.getPolicies(this.testJcrPath);
    }

    @Test(expected = AccessDeniedException.class)
    public void testGetEffectiveByPathNoAccess() throws RepositoryException {
        this.testAcMgr.getEffectivePolicies(this.testJcrPath);
    }

    @Test(expected = AccessDeniedException.class)
    public void testGetEffectiveByNullPath() throws RepositoryException {
        this.testAcMgr.getEffectivePolicies((String) null);
    }

    @Test(expected = AccessDeniedException.class)
    public void testGetEffectiveByRooyPath() throws RepositoryException {
        this.testAcMgr.getEffectivePolicies("/");
    }

    @Test(expected = AccessDeniedException.class)
    public void testGetEffectiveByPathReadAccessControlOnPrincipal() throws Exception {
        grant(this.testPrincipal, this.systemPrincipalPath, "jcr:readAccessControl");
        this.root.commit();
        this.testRoot.refresh();
        AccessControlPolicy[] effectivePolicies = this.testAcMgr.getEffectivePolicies(this.testJcrPath);
        Assert.assertEquals(1L, effectivePolicies.length);
        Assert.assertTrue(effectivePolicies[0] instanceof PrincipalPolicyImpl);
    }

    @Test
    public void testGetEffectiveByPathMissingReadAccessControlOnPrincipal() throws Exception {
        grant(this.testPrincipal, null, "jcr:readAccessControl");
        grant(this.testPrincipal, PathUtils.getAncestorPath(this.testJcrPath, 3), "jcr:readAccessControl");
        this.root.commit();
        this.testRoot.refresh();
        assertEmptyPolicies(this.testAcMgr.getEffectivePolicies((String) null));
        assertEmptyPolicies(this.testAcMgr.getEffectivePolicies(this.testJcrPath));
    }

    @Test(expected = AccessDeniedException.class)
    public void testGetApplicableByPrincipalNoAccess() throws RepositoryException {
        this.testAcMgr.getApplicablePolicies(this.systemPrincipal);
    }

    @Test(expected = AccessDeniedException.class)
    public void testGetPoliciesByPrincipalNoAccess() throws RepositoryException {
        this.testAcMgr.getPolicies(this.systemPrincipal);
    }

    @Test(expected = AccessDeniedException.class)
    public void testGetEffectiveByPrincipalNoAccess() throws RepositoryException {
        this.testAcMgr.getEffectivePolicies(ImmutableSet.of(this.systemPrincipal));
    }

    @Test
    public void testGetPoliciesByPrincipal() throws Exception {
        grant(this.testPrincipal, this.systemPrincipalPath, "jcr:readAccessControl");
        this.root.commit();
        this.testRoot.refresh();
        assertPolicies(this.testAcMgr.getPolicies(this.systemPrincipal), PrincipalPolicyImpl.class, 1, 2);
        grant(this.testPrincipal, this.testContentJcrPath, "jcr:readAccessControl");
        this.root.commit();
        this.testRoot.refresh();
        assertPolicies(this.testAcMgr.getPolicies(this.systemPrincipal), PrincipalPolicyImpl.class, 1, 2);
        grant(this.testPrincipal, null, "jcr:readAccessControl");
        this.root.commit();
        this.testRoot.refresh();
        assertPolicies(this.testAcMgr.getPolicies(this.systemPrincipal), PrincipalPolicyImpl.class, 1, 2);
    }

    @Test
    public void testGetEffectiveByPrincipal() throws Exception {
        grant(this.testPrincipal, this.systemPrincipalPath, "jcr:readAccessControl");
        this.root.commit();
        this.testRoot.refresh();
        assertPolicies(this.testAcMgr.getEffectivePolicies(ImmutableSet.of(this.systemPrincipal)), ImmutableACL.class, 1, 2);
        grant(this.testPrincipal, this.testContentJcrPath, "jcr:readAccessControl");
        this.root.commit();
        this.testRoot.refresh();
        assertPolicies(this.testAcMgr.getEffectivePolicies(ImmutableSet.of(this.systemPrincipal)), ImmutableACL.class, 1, 2);
        grant(this.testPrincipal, null, "jcr:readAccessControl");
        this.root.commit();
        this.testRoot.refresh();
        assertPolicies(this.testAcMgr.getEffectivePolicies(ImmutableSet.of(this.systemPrincipal)), ImmutableACL.class, 1, 2);
    }

    @Test(expected = AccessDeniedException.class)
    public void testSetPolicyMissingModifyAccessControlOnPrincipal() throws Exception {
        grant(this.testPrincipal, this.systemPrincipalPath, "jcr:readAccessControl");
        this.root.commit();
        this.testRoot.refresh();
        PrincipalPolicyImpl principalPolicyImpl = this.testAcMgr.getPolicies(this.systemPrincipal)[0];
        principalPolicyImpl.addEntry((String) null, privilegesFromNames("jcr:workspaceManagement"));
        this.testAcMgr.setPolicy(principalPolicyImpl.getPath(), principalPolicyImpl);
    }

    @Test(expected = AccessDeniedException.class)
    public void testSetPolicyMissingModifyAccessControlOnEffectivePath() throws Exception {
        grant(this.testPrincipal, this.systemPrincipalPath, "jcr:readAccessControl", "jcr:modifyAccessControl");
        this.root.commit();
        this.testRoot.refresh();
        PrincipalPolicyImpl principalPolicyImpl = this.testAcMgr.getPolicies(this.systemPrincipal)[0];
        principalPolicyImpl.addEntry((String) null, privilegesFromNames("jcr:workspaceManagement"));
        principalPolicyImpl.addEntry(this.testJcrPath, privilegesFromNames("jcr:read"));
        this.testAcMgr.setPolicy(principalPolicyImpl.getPath(), principalPolicyImpl);
    }

    @Test(expected = AccessDeniedException.class)
    public void testSetPolicyMissingModifyAccessControlOnEffectivePath2() throws Exception {
        grant(this.testPrincipal, this.systemPrincipalPath, "jcr:readAccessControl", "jcr:modifyAccessControl");
        grant(this.testPrincipal, this.testContentJcrPath, "jcr:readAccessControl", "jcr:modifyAccessControl");
        this.root.commit();
        this.testRoot.refresh();
        PrincipalPolicyImpl principalPolicyImpl = this.testAcMgr.getPolicies(this.systemPrincipal)[0];
        principalPolicyImpl.addEntry((String) null, privilegesFromNames("jcr:workspaceManagement"));
        principalPolicyImpl.addEntry(this.testJcrPath, privilegesFromNames("jcr:read"));
        this.testAcMgr.setPolicy(principalPolicyImpl.getPath(), principalPolicyImpl);
    }

    @Test
    public void testSetPolicy() throws Exception {
        grant(this.testPrincipal, this.systemPrincipalPath, "jcr:readAccessControl", "jcr:modifyAccessControl");
        grant(this.testPrincipal, this.testContentJcrPath, "jcr:readAccessControl", "jcr:modifyAccessControl");
        grant(this.testPrincipal, null, "jcr:readAccessControl", "jcr:modifyAccessControl");
        this.root.commit();
        this.testRoot.refresh();
        PrincipalPolicyImpl principalPolicyImpl = this.testAcMgr.getPolicies(this.systemPrincipal)[0];
        principalPolicyImpl.addEntry((String) null, privilegesFromNames("jcr:workspaceManagement"));
        principalPolicyImpl.addEntry(this.testJcrPath, privilegesFromNames("jcr:read"));
        this.testAcMgr.setPolicy(principalPolicyImpl.getPath(), principalPolicyImpl);
        this.testRoot.commit();
    }

    @Test(expected = AccessDeniedException.class)
    public void testRemovePolicyMissingModifyAccessControlOnPrincipal() throws Exception {
        grant(this.testPrincipal, this.systemPrincipalPath, "jcr:readAccessControl");
        this.root.commit();
        this.testRoot.refresh();
        PrincipalPolicyImpl principalPolicyImpl = this.testAcMgr.getPolicies(this.systemPrincipal)[0];
        this.testAcMgr.removePolicy(principalPolicyImpl.getPath(), principalPolicyImpl);
    }

    @Test(expected = AccessDeniedException.class)
    public void testRemovePolicyMissingModifyAccessControlOnEffectivePath() throws Exception {
        grant(this.testPrincipal, this.systemPrincipalPath, "jcr:readAccessControl", "jcr:modifyAccessControl");
        this.root.commit();
        this.testRoot.refresh();
        PrincipalPolicyImpl principalPolicyImpl = this.testAcMgr.getPolicies(this.systemPrincipal)[0];
        this.testAcMgr.removePolicy(principalPolicyImpl.getPath(), principalPolicyImpl);
    }

    @Test(expected = AccessDeniedException.class)
    public void testRemovePolicyMissingModifyAccessControlOnEffectivePath2() throws Exception {
        grant(this.testPrincipal, this.systemPrincipalPath, "jcr:readAccessControl", "jcr:modifyAccessControl");
        grant(this.testPrincipal, this.testContentJcrPath, "jcr:readAccessControl", "jcr:modifyAccessControl");
        this.root.commit();
        this.testRoot.refresh();
        PrincipalPolicyImpl principalPolicyImpl = this.testAcMgr.getPolicies(this.systemPrincipal)[0];
        this.testAcMgr.removePolicy(principalPolicyImpl.getPath(), principalPolicyImpl);
    }

    @Test
    public void testRemovePolicy() throws Exception {
        grant(this.testPrincipal, this.systemPrincipalPath, "jcr:readAccessControl", "jcr:modifyAccessControl");
        grant(this.testPrincipal, null, "jcr:readAccessControl", "jcr:modifyAccessControl");
        grant(this.testPrincipal, this.testContentJcrPath, "jcr:readAccessControl", "jcr:modifyAccessControl");
        this.root.commit();
        this.testRoot.refresh();
        PrincipalPolicyImpl principalPolicyImpl = this.testAcMgr.getPolicies(this.systemPrincipal)[0];
        this.testAcMgr.removePolicy(principalPolicyImpl.getPath(), principalPolicyImpl);
        this.testRoot.commit();
    }

    @Test
    public void testRemovePolicyWithNonEntryChild() throws Exception {
        PrincipalPolicyImpl principalPolicyImpl = getPrincipalPolicyImpl(this.systemPrincipal, getAccessControlManager(this.root));
        for (AccessControlEntry accessControlEntry : principalPolicyImpl.getAccessControlEntries()) {
            principalPolicyImpl.removeAccessControlEntry(accessControlEntry);
        }
        getAccessControlManager(this.root).setPolicy(principalPolicyImpl.getPath(), principalPolicyImpl);
        grant(this.testPrincipal, this.systemPrincipalPath, "jcr:readAccessControl", "jcr:modifyAccessControl");
        this.root.commit();
        this.testRoot.refresh();
        Tree tree = this.testRoot.getTree(getPolicyPath());
        Assert.assertFalse(tree.getChildren().iterator().hasNext());
        TreeUtil.addChild(tree, "nonEntry", "oak:Unstructured");
        PrincipalPolicyImpl principalPolicyImpl2 = getPrincipalPolicyImpl(this.systemPrincipal, this.testAcMgr);
        this.testAcMgr.removePolicy(principalPolicyImpl2.getPath(), principalPolicyImpl2);
        this.testRoot.commit();
    }

    @Test(expected = AccessControlException.class)
    public void testRemovePolicyMissingEffectivePaths() throws Exception {
        grant(this.testPrincipal, this.systemPrincipalPath, "jcr:readAccessControl", "jcr:modifyAccessControl");
        this.root.commit();
        this.testRoot.refresh();
        PrincipalPolicyImpl principalPolicyImpl = getPrincipalPolicyImpl(this.systemPrincipal, this.testAcMgr);
        Iterator it = this.testRoot.getTree(getPolicyPath()).getChildren().iterator();
        while (it.hasNext()) {
            ((Tree) it.next()).removeProperty("rep:effectivePath");
        }
        this.testAcMgr.removePolicy(principalPolicyImpl.getPath(), principalPolicyImpl);
    }

    @Test(expected = AccessDeniedException.class)
    public void testHasPrivilegeSystemUser() throws Exception {
        this.testAcMgr.hasPrivileges(this.testContentJcrPath, ImmutableSet.of(this.systemPrincipal), privilegesFromNames("jcr:nodeTypeManagement"));
    }

    @Test(expected = AccessDeniedException.class)
    public void testHasPrivilegeSystemUserWithPartialReadAc() throws Exception {
        grant(this.testPrincipal, this.systemPrincipalPath, "jcr:readAccessControl");
        this.root.commit();
        this.testRoot.refresh();
        this.testAcMgr.hasPrivileges(this.testContentJcrPath, ImmutableSet.of(this.systemPrincipal), privilegesFromNames("jcr:nodeTypeManagement"));
    }

    @Test
    public void testHasPrivilegeSystemUserWithPartialReadAc2() throws Exception {
        grant(this.testPrincipal, this.testContentJcrPath, "jcr:readAccessControl");
        this.root.commit();
        this.testRoot.refresh();
        Assert.assertFalse(this.testAcMgr.hasPrivileges(this.testContentJcrPath, ImmutableSet.of(this.systemPrincipal), privilegesFromNames("jcr:nodeTypeManagement")));
    }

    @Test
    public void testHasPrivilegeSystemUserWithReadAc() throws Exception {
        grant(this.testPrincipal, this.testContentJcrPath, "jcr:readAccessControl");
        grant(this.testPrincipal, this.systemPrincipalPath, "jcr:readAccessControl");
        this.root.commit();
        this.testRoot.refresh();
        Assert.assertFalse(this.testAcMgr.hasPrivileges(this.testContentJcrPath, ImmutableSet.of(this.systemPrincipal), privilegesFromNames("jcr:nodeTypeManagement")));
        addDefaultEntry(this.testContentJcrPath, this.systemPrincipal, "jcr:read", "jcr:nodeTypeManagement");
        this.root.commit();
        this.testRoot.refresh();
        Assert.assertTrue(this.testAcMgr.hasPrivileges(this.testContentJcrPath, ImmutableSet.of(this.systemPrincipal), privilegesFromNames("jcr:nodeTypeManagement")));
        Assert.assertFalse(this.testAcMgr.hasPrivileges(this.testContentJcrPath, ImmutableSet.of(this.systemPrincipal), privilegesFromNames("jcr:read", "jcr:nodeTypeManagement")));
    }

    @Test(expected = AccessDeniedException.class)
    public void testGetPrivilegeSystemUser() throws Exception {
        this.testAcMgr.getPrivileges((String) null, ImmutableSet.of(this.systemPrincipal));
    }

    @Test(expected = AccessDeniedException.class)
    public void testGetPrivilegeSystemUserWithPartialReadAc() throws Exception {
        grant(this.testPrincipal, this.systemPrincipalPath, "jcr:readAccessControl");
        this.root.commit();
        this.testRoot.refresh();
        this.testAcMgr.getPrivileges((String) null, ImmutableSet.of(this.systemPrincipal));
    }

    @Test
    public void testGetPrivilegeSystemUserWithPartialReadAc2() throws Exception {
        grant(this.testPrincipal, null, "jcr:readAccessControl");
        this.root.commit();
        this.testRoot.refresh();
        Assert.assertEquals(0L, this.testAcMgr.getPrivileges((String) null, ImmutableSet.of(this.systemPrincipal)).length);
    }

    @Test
    public void testGetPrivilegeSystemUserWithWithReadAc() throws Exception {
        grant(this.testPrincipal, null, "jcr:readAccessControl");
        grant(this.testPrincipal, this.systemPrincipalPath, "jcr:readAccessControl");
        this.root.commit();
        this.testRoot.refresh();
        Assert.assertArrayEquals(new Privilege[0], this.testAcMgr.getPrivileges((String) null, ImmutableSet.of(this.systemPrincipal)));
        addDefaultEntry(null, this.systemPrincipal, "jcr:namespaceManagement", "rep:privilegeManagement");
        this.root.commit();
        this.testRoot.refresh();
        Assert.assertArrayEquals(privilegesFromNames("jcr:namespaceManagement"), this.testAcMgr.getPrivileges((String) null, ImmutableSet.of(this.systemPrincipal)));
    }

    @Test
    public void testReadPolicyTree() throws Exception {
        Tree tree = this.testRoot.getTree(getPolicyPath());
        Assert.assertNotNull(tree);
        Assert.assertFalse(tree.exists());
    }

    @Test
    public void testReadPolicyTreeWithReadAc() throws Exception {
        grant(this.testPrincipal, this.systemPrincipalPath, "jcr:readAccessControl");
        this.root.commit();
        this.testRoot.refresh();
        Tree tree = this.testRoot.getTree(getPolicyPath());
        Assert.assertNotNull(tree);
        Assert.assertTrue(tree.exists());
    }

    @Test
    public void testReadEntryTree() throws Exception {
        Tree tree = this.testRoot.getTree(getEntryPath());
        Assert.assertNotNull(tree);
        Assert.assertFalse(tree.exists());
    }

    @Test
    public void testReadEntryTreeWithReadAc() throws Exception {
        grant(this.testPrincipal, this.systemPrincipalPath, "jcr:readAccessControl");
        this.root.commit();
        this.testRoot.refresh();
        Tree tree = this.testRoot.getTree(getEntryPath());
        Assert.assertNotNull(tree);
        Assert.assertTrue(tree.exists());
    }

    @Test(expected = CommitFailedException.class)
    public void testAddEntryTree() throws Exception {
        grant(this.testPrincipal, this.systemPrincipalPath, "jcr:readAccessControl");
        this.root.commit();
        this.testRoot.refresh();
        try {
            Tree addChild = TreeUtil.addChild(this.testRoot.getTree(getPolicyPath()), "entry", "rep:PrincipalEntry");
            addChild.setProperty("rep:effectivePath", "/oak:content/child/grandchild/oak:subtree", Type.PATH);
            addChild.setProperty("rep:privileges", ImmutableList.of("jcr:addChildNodes"), Type.NAMES);
            this.testRoot.commit();
        } catch (CommitFailedException e) {
            Assert.assertEquals("Access", e.getType());
            Assert.assertEquals(3L, e.getCode());
            throw e;
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testAddEntryTreeModAcOnSystemPrincipal() throws Exception {
        grant(this.testPrincipal, this.systemPrincipalPath, "jcr:readAccessControl", "jcr:modifyAccessControl");
        this.root.commit();
        this.testRoot.refresh();
        try {
            Tree addChild = TreeUtil.addChild(this.testRoot.getTree(getPolicyPath()), "entry", "rep:PrincipalEntry");
            addChild.setProperty("rep:effectivePath", "/oak:content/child/grandchild/oak:subtree", Type.PATH);
            addChild.setProperty("rep:privileges", ImmutableList.of("jcr:addChildNodes"), Type.NAMES);
            this.testRoot.commit();
        } catch (CommitFailedException e) {
            Assert.assertEquals("Access", e.getType());
            Assert.assertEquals(3L, e.getCode());
            throw e;
        }
    }

    @Test(expected = IllegalStateException.class)
    public void testAddEntryTreeModAcOnEffectivePath() throws Exception {
        grant(this.testPrincipal, this.testJcrPath, "jcr:readAccessControl", "jcr:modifyAccessControl");
        this.root.commit();
        this.testRoot.refresh();
        TreeUtil.addChild(this.testRoot.getTree(getPolicyPath()), "entry", "rep:PrincipalEntry");
    }

    @Test
    public void testAddEntryTreeFullModAc() throws Exception {
        grant(this.testPrincipal, this.testJcrPath, "jcr:readAccessControl", "jcr:modifyAccessControl");
        grant(this.testPrincipal, this.systemPrincipalPath, "jcr:readAccessControl", "jcr:modifyAccessControl");
        this.root.commit();
        this.testRoot.refresh();
        Tree addChild = TreeUtil.addChild(this.testRoot.getTree(getPolicyPath()), "entry", "rep:PrincipalEntry");
        addChild.setProperty("rep:effectivePath", "/oak:content/child/grandchild/oak:subtree", Type.PATH);
        addChild.setProperty("rep:privileges", ImmutableList.of("jcr:addChildNodes"), Type.NAMES);
        this.testRoot.commit();
    }

    @Test(expected = CommitFailedException.class)
    public void testRemovePolicyTree() throws Exception {
        grant(this.testPrincipal, this.systemPrincipalPath, "jcr:readAccessControl");
        this.root.commit();
        this.testRoot.refresh();
        try {
            this.testRoot.getTree(getPolicyPath()).remove();
            this.testRoot.commit();
        } catch (CommitFailedException e) {
            Assert.assertEquals("Access", e.getType());
            Assert.assertEquals(0L, e.getCode());
            throw e;
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testRemovePolicyTreeWithModAcOnSystemPrincipal() throws Exception {
        grant(this.testPrincipal, this.systemPrincipalPath, "jcr:readAccessControl", "jcr:modifyAccessControl");
        this.root.commit();
        this.testRoot.refresh();
        try {
            this.testRoot.getTree(getPolicyPath()).remove();
            this.testRoot.commit();
        } catch (CommitFailedException e) {
            Assert.assertEquals("Access", e.getType());
            Assert.assertEquals(3L, e.getCode());
            throw e;
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testRemovePolicyTreeWithModAcOnOneEffectivePath() throws Exception {
        grant(this.testPrincipal, this.systemPrincipalPath, "jcr:readAccessControl", "jcr:modifyAccessControl");
        grant(this.testPrincipal, this.testContentJcrPath, "jcr:modifyAccessControl");
        this.root.commit();
        this.testRoot.refresh();
        try {
            this.testRoot.getTree(getPolicyPath()).remove();
            this.testRoot.commit();
        } catch (CommitFailedException e) {
            Assert.assertEquals("Access", e.getType());
            Assert.assertEquals(3L, e.getCode());
            throw e;
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testRemovePolicyTreeWithModAcOnOneEffectivePath2() throws Exception {
        grant(this.testPrincipal, this.systemPrincipalPath, "jcr:readAccessControl", "jcr:modifyAccessControl");
        grant(this.testPrincipal, null, "jcr:modifyAccessControl");
        this.root.commit();
        this.testRoot.refresh();
        try {
            this.testRoot.getTree(getPolicyPath()).remove();
            this.testRoot.commit();
        } catch (CommitFailedException e) {
            Assert.assertEquals("Access", e.getType());
            Assert.assertEquals(3L, e.getCode());
            throw e;
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testRemoveEmptyPolicyTree() throws Exception {
        PrincipalPolicyImpl principalPolicyImpl = getPrincipalPolicyImpl(this.systemPrincipal, getAccessControlManager(this.root));
        Iterator it = principalPolicyImpl.getEntries().iterator();
        while (it.hasNext()) {
            principalPolicyImpl.removeAccessControlEntry((AccessControlEntry) it.next());
        }
        getAccessControlManager(this.root).setPolicy(principalPolicyImpl.getPath(), principalPolicyImpl);
        grant(this.testPrincipal, this.systemPrincipalPath, "jcr:readAccessControl");
        this.root.commit();
        this.testRoot.refresh();
        Tree tree = this.testRoot.getTree(getPolicyPath());
        Assert.assertTrue(tree.exists());
        tree.remove();
        this.testRoot.commit();
    }

    @Test(expected = CommitFailedException.class)
    public void testRemoveEntryTree() throws Exception {
        grant(this.testPrincipal, this.systemPrincipalPath, "jcr:readAccessControl");
        this.root.commit();
        this.testRoot.refresh();
        try {
            this.testRoot.getTree(getEntryPath()).remove();
            this.testRoot.commit();
        } catch (CommitFailedException e) {
            Assert.assertEquals("Access", e.getType());
            Assert.assertEquals(3L, e.getCode());
            throw e;
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testRemoveEntryTreeModAcOnSystemPrincipal() throws Exception {
        grant(this.testPrincipal, this.systemPrincipalPath, "jcr:readAccessControl", "jcr:modifyAccessControl");
        this.root.commit();
        this.testRoot.refresh();
        try {
            this.testRoot.getTree(getEntryPath()).remove();
            this.testRoot.commit();
        } catch (CommitFailedException e) {
            Assert.assertEquals("Access", e.getType());
            Assert.assertEquals(3L, e.getCode());
            throw e;
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testRemoveEntryTreeModAcOnEffectivePath() throws Exception {
        grant(this.testPrincipal, this.systemPrincipalPath, "jcr:readAccessControl");
        grant(this.testPrincipal, this.testContentJcrPath, "jcr:modifyAccessControl");
        this.root.commit();
        this.testRoot.refresh();
        try {
            this.testRoot.getTree(getEntryPath()).remove();
            this.testRoot.commit();
        } catch (CommitFailedException e) {
            Assert.assertEquals("Access", e.getType());
            Assert.assertEquals(0L, e.getCode());
            throw e;
        }
    }

    @Test
    public void testRemoveEntryTreeFullModAc() throws Exception {
        grant(this.testPrincipal, this.systemPrincipalPath, "jcr:readAccessControl", "jcr:modifyAccessControl");
        grant(this.testPrincipal, this.testContentJcrPath, "jcr:modifyAccessControl");
        this.root.commit();
        this.testRoot.refresh();
        this.testRoot.getTree(getEntryPath()).remove();
        this.testRoot.commit();
    }
}
