package org.apache.jackrabbit.oak.spi.security.authorization.principalbased.impl;

import java.security.Principal;
import java.util.Iterator;
import java.util.List;
import javax.jcr.Value;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
import org.apache.jackrabbit.api.security.authorization.PrincipalAccessControlList;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.guava.common.collect.ImmutableMap;
import org.apache.jackrabbit.guava.common.collect.ImmutableSet;
import org.apache.jackrabbit.guava.common.collect.Iterables;
import org.apache.jackrabbit.oak.commons.PathUtils;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
import org.apache.jackrabbit.util.Text;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.mockito.Mockito;

/* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/authorization/principalbased/impl/EffectivePolicyTest.class */
public class EffectivePolicyTest extends AbstractPrincipalBasedTest {
    private PrincipalBasedAccessControlManager acMgr;
    private Principal validPrincipal;
    private Principal validPrincipal2;
    private String jcrEffectivePath;

    @Before
    public void testBefore() throws Exception {
        super.before();
        setupContentTrees("/oak:content/child/grandchild/oak:subtree");
        this.jcrEffectivePath = PathUtils.getAncestorPath(getNamePathMapper().getJcrPath("/oak:content/child/grandchild/oak:subtree"), 3);
        this.validPrincipal2 = getUserManager(this.root).createSystemUser("anotherValidPrincipal", "system/test").getPrincipal();
        this.root.commit();
        this.acMgr = createAccessControlManager(this.root);
        this.validPrincipal = getTestSystemUser().getPrincipal();
        addPrincipalBasedEntry(setupPrincipalBasedAccessControl(this.validPrincipal, this.jcrEffectivePath, "jcr:read", "rep:write"), null, "jcr:namespaceManagement");
        PrincipalPolicyImpl principalPolicyImpl = this.acMgr.getApplicablePolicies(this.validPrincipal2)[0];
        principalPolicyImpl.addEntry(this.jcrEffectivePath, privilegesFromNames("jcr:read"), ImmutableMap.of(getNamePathMapper().getJcrName("rep:glob"), getValueFactory(this.root).createValue("/*/glob")), ImmutableMap.of());
        principalPolicyImpl.addEntry("/", privilegesFromNames("jcr:lifecycleManagement"), ImmutableMap.of(), ImmutableMap.of(getNamePathMapper().getJcrName("rep:ntNames"), new Value[]{getValueFactory(this.root).createValue(getNamePathMapper().getJcrName("nt:resource"), 7)}));
        this.acMgr.setPolicy(principalPolicyImpl.getPath(), principalPolicyImpl);
        this.root.commit();
    }

    @Test
    public void testEffectivePolicyByPrincipal() throws Exception {
        ImmutablePrincipalPolicy[] effectivePolicies = this.acMgr.getEffectivePolicies(ImmutableSet.of(this.validPrincipal));
        assertEffectivePolicies(effectivePolicies, 2, 2, true);
        List entries = effectivePolicies[0].getEntries();
        Assert.assertEquals(2L, entries.size());
        Assert.assertTrue(entries.get(0) instanceof PrincipalAccessControlList.Entry);
        Assert.assertEquals(this.validPrincipal, ((JackrabbitAccessControlEntry) entries.get(0)).getPrincipal());
        Assert.assertArrayEquals(privilegesFromNames("jcr:read", "rep:write"), ((JackrabbitAccessControlEntry) entries.get(0)).getPrivileges());
        Assert.assertEquals(this.jcrEffectivePath, ((PrincipalAccessControlList.Entry) entries.get(0)).getEffectivePath());
        Assert.assertNull(((PrincipalAccessControlList.Entry) entries.get(1)).getEffectivePath());
    }

    @Test
    public void testEffectivePolicyByPrincipal2() throws Exception {
        ImmutablePrincipalPolicy[] effectivePolicies = this.acMgr.getEffectivePolicies(ImmutableSet.of(this.validPrincipal2));
        assertEffectivePolicies(effectivePolicies, 2, 2, true);
        List entries = effectivePolicies[0].getEntries();
        Assert.assertEquals(2L, entries.size());
        Assert.assertTrue(entries.get(0) instanceof PrincipalAccessControlList.Entry);
        Assert.assertEquals(this.validPrincipal2, ((JackrabbitAccessControlEntry) entries.get(0)).getPrincipal());
        Assert.assertArrayEquals(privilegesFromNames("jcr:read"), ((JackrabbitAccessControlEntry) entries.get(0)).getPrivileges());
        Assert.assertEquals(this.jcrEffectivePath, ((PrincipalAccessControlList.Entry) entries.get(0)).getEffectivePath());
        Assert.assertEquals(this.validPrincipal2, ((JackrabbitAccessControlEntry) entries.get(1)).getPrincipal());
        Assert.assertArrayEquals(privilegesFromNames("jcr:lifecycleManagement"), ((JackrabbitAccessControlEntry) entries.get(1)).getPrivileges());
        Assert.assertEquals("/", ((PrincipalAccessControlList.Entry) entries.get(1)).getEffectivePath());
    }

    @Test
    public void testEffectivePolicyByPath() throws Exception {
        String jcrPath = getNamePathMapper().getJcrPath("/oak:content/child/grandchild/oak:subtree");
        ImmutablePrincipalPolicy[] effectivePolicies = this.acMgr.getEffectivePolicies(jcrPath);
        Assert.assertEquals(2L, effectivePolicies.length);
        for (ImmutablePrincipalPolicy immutablePrincipalPolicy : effectivePolicies) {
            Assert.assertTrue(immutablePrincipalPolicy instanceof ImmutablePrincipalPolicy);
            ImmutablePrincipalPolicy immutablePrincipalPolicy2 = immutablePrincipalPolicy;
            ImmutableSet copyOf = ImmutableSet.copyOf(Iterables.filter(this.acMgr.getEffectivePolicies(ImmutableSet.of(immutablePrincipalPolicy2.getPrincipal()))[0].getEntries(), jackrabbitAccessControlEntry -> {
                String effectivePath = ((PrincipalAccessControlList.Entry) jackrabbitAccessControlEntry).getEffectivePath();
                return effectivePath != null && Text.isDescendantOrEqual(effectivePath, jcrPath);
            }));
            Assert.assertEquals(copyOf.size(), immutablePrincipalPolicy2.size());
            List entries = immutablePrincipalPolicy2.getEntries();
            Iterator it = copyOf.iterator();
            while (it.hasNext()) {
                Assert.assertTrue(entries.contains((JackrabbitAccessControlEntry) it.next()));
            }
        }
    }

    @Test
    public void testEffectivePolicyByPathVerifiesPrincipals() throws Exception {
        PrincipalManager principalManager = (PrincipalManager) Mockito.mock(PrincipalManager.class);
        Mockito.when(principalManager.getPrincipal(this.validPrincipal.getName())).thenReturn((Object) null);
        Mockito.when(principalManager.getPrincipal(this.validPrincipal2.getName())).thenReturn(new PrincipalImpl(this.validPrincipal2.getName()));
        MgrProvider mgrProvider = (MgrProvider) Mockito.mock(MgrProvider.class);
        Mockito.when(mgrProvider.getPrincipalManager()).thenReturn(principalManager);
        Mockito.when(mgrProvider.getRoot()).thenReturn(this.root);
        Mockito.when(mgrProvider.getSecurityProvider()).thenReturn(this.securityProvider);
        Mockito.when(mgrProvider.getNamePathMapper()).thenReturn(getNamePathMapper());
        Assert.assertEquals(0L, new PrincipalBasedAccessControlManager(mgrProvider, getFilterProvider()).getEffectivePolicies(getNamePathMapper().getJcrPath("/oak:content/child/grandchild/oak:subtree")).length);
    }

    @Test
    public void testEffectivePolicyByNullPath() throws Exception {
        ImmutablePrincipalPolicy[] effectivePolicies = this.acMgr.getEffectivePolicies((String) null);
        Assert.assertEquals(1L, effectivePolicies.length);
        Assert.assertTrue(effectivePolicies[0] instanceof ImmutablePrincipalPolicy);
        Assert.assertEquals(this.validPrincipal, effectivePolicies[0].getPrincipal());
        List entries = effectivePolicies[0].getEntries();
        Assert.assertEquals(1L, entries.size());
        Assert.assertTrue(entries.get(0) instanceof PrincipalAccessControlList.Entry);
        Assert.assertNull(((PrincipalAccessControlList.Entry) entries.get(0)).getEffectivePath());
        Assert.assertEquals(this.validPrincipal, ((JackrabbitAccessControlEntry) entries.get(0)).getPrincipal());
        Assert.assertArrayEquals(privilegesFromNames("jcr:namespaceManagement"), ((JackrabbitAccessControlEntry) entries.get(0)).getPrivileges());
    }
}
