package org.apache.jackrabbit.oak.security.authorization.restriction;

import java.security.Principal;
import java.util.HashMap;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.oak.AbstractSecurityTest;
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.ContentSession;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
import org.apache.jackrabbit.oak.util.NodeUtil;
import org.apache.jackrabbit.value.StringValue;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;

/* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/restriction/PermissionTest.class */
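/**
 * Checks permission evaluation for allow and deny access control entries, with and without a
 * {@code rep:glob} restriction, on the fixed hierarchy {@code /testRoot/a/b/c/d/e}.
 *
 * <p>Each test grants the test principal {@code jcr:read} and {@code rep:write} on
 * {@code /testRoot}, adds narrower allow/deny entries below it, and then compares
 * {@link PermissionProvider#isGranted} with the expected outcome for the test session. The
 * node-removal tests additionally attempt the removal and expect the commit to be rejected, so
 * the read-side answer and the commit-time enforcement are both exercised.
 */
public class PermissionTest extends AbstractSecurityTest {
    private static final String TEST_ROOT_PATH = "/testRoot";
    private static final String TEST_A_PATH = "/testRoot/a";
    private static final String TEST_B_PATH = "/testRoot/a/b";
    private static final String TEST_C_PATH = "/testRoot/a/b/c";
    private static final String TEST_D_PATH = "/testRoot/a/b/c/d";
    private static final String TEST_E_PATH = "/testRoot/a/b/c/d/e";

    // Permission bit checked by the tests that add jcr:removeNode entries.
    // NOTE(review): the literal looks like an inlined Permissions.REMOVE_NODE; confirm and
    // reference that constant instead of the number.
    private static final long PERMISSION_REMOVE_NODE = 64L;

    // Permission bit checked by the test that adds a jcr:modifyProperties entry.
    // NOTE(review): the literal looks like an inlined Permissions.MODIFY_PROPERTY; confirm and
    // reference that constant instead of the number.
    private static final long PERMISSION_MODIFY_PROPERTY = 8L;

    private Principal testPrincipal;

    /**
     * Creates the {@code /testRoot/a/b/c/d/e} chain of {@code nt:unstructured} nodes, commits it
     * and resolves the principal of the test user.
     */
    @Before
    public void before() throws Exception {
        super.before();
        new NodeUtil(this.root.getTree("/"))
                .addChild("testRoot", "nt:unstructured")
                .addChild("a", "nt:unstructured")
                .addChild("b", "nt:unstructured")
                .addChild("c", "nt:unstructured")
                .addChild("d", "nt:unstructured")
                .addChild("e", "nt:unstructured");
        this.root.commit();
        this.testPrincipal = getTestUser().getPrincipal();
    }

    /**
     * Removes the test hierarchy; the superclass teardown runs even when that cleanup fails.
     */
    @After
    public void after() throws Exception {
        try {
            // Drop any pending changes before deleting the test content.
            this.root.refresh();
            this.root.getTree(TEST_ROOT_PATH).remove();
            this.root.commit();
        } finally {
            super.after();
        }
    }

    /**
     * Adds one access control entry for the test principal at {@code path} and commits it.
     *
     * @param path node path whose access control list is modified
     * @param isAllow {@code true} for an allow entry, {@code false} for a deny entry
     * @param globRestriction value of the {@code rep:glob} restriction; an empty string adds the
     *     entry without any restriction
     * @param privilegeNames names of the privileges the entry covers
     */
    private void addEntry(String path, boolean isAllow, String globRestriction, String... privilegeNames) throws Exception {
        JackrabbitAccessControlManager acMgr = getAccessControlManager(this.root);
        JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, path);
        if (!globRestriction.isEmpty()) {
            // NOTE(review): raw type left over from decompilation; the restriction map should be
            // declared with its key and value types once the value interface is imported.
            HashMap restrictions = new HashMap();
            restrictions.put("rep:glob", new StringValue(globRestriction));
            acl.addEntry(this.testPrincipal, AccessControlUtils.privilegesFromNames(acMgr, privilegeNames), isAllow, restrictions);
        } else {
            acl.addEntry(this.testPrincipal, AccessControlUtils.privilegesFromNames(acMgr, privilegeNames), isAllow);
        }
        acMgr.setPolicy(path, acl);
        this.root.commit();
    }

    /**
     * Asserts that {@code permissionProvider} reports {@code expected} for {@code permissions} on
     * the tree at {@code path}, evaluated without a property.
     */
    private void assertIsGranted(PermissionProvider permissionProvider, Root root, boolean expected, String path, long permissions) {
        String message = "user should " + (expected ? "" : "not ") + "have " + permissions + " on " + path;
        boolean granted = permissionProvider.isGranted(root.getTree(path), (PropertyState) null, permissions);
        Assert.assertEquals(message, Boolean.valueOf(expected), Boolean.valueOf(granted));
    }

    /**
     * Builds a permission provider for the principals of {@code contentSession}.
     *
     * <p>The provider is created on {@code this.root} (the fixture root), not on the root of the
     * test session.
     */
    private PermissionProvider getPermissionProvider(ContentSession contentSession) {
        AuthorizationConfiguration authorizationConfig =
                (AuthorizationConfiguration) getSecurityProvider().getConfiguration(AuthorizationConfiguration.class);
        return authorizationConfig.getPermissionProvider(
                this.root, contentSession.getWorkspaceName(), contentSession.getAuthInfo().getPrincipals());
    }

    /**
     * Unrestricted entries: allow {@code jcr:removeNode} on b, deny it on c. Removal must be
     * granted on a and b, denied on c, and an attempted removal of c must fail at commit.
     */
    @Test
    public void testHasPermission() throws Exception {
        addEntry(TEST_ROOT_PATH, true, "", "jcr:read", "rep:write");
        addEntry(TEST_B_PATH, true, "", "jcr:removeNode");
        addEntry(TEST_C_PATH, false, "", "jcr:removeNode");
        ContentSession testSession = createTestSession();
        try {
            Root testRoot = testSession.getLatestRoot();
            PermissionProvider permissionProvider = getPermissionProvider(testSession);
            assertIsGranted(permissionProvider, testRoot, true, TEST_A_PATH, PERMISSION_REMOVE_NODE);
            assertIsGranted(permissionProvider, testRoot, true, TEST_B_PATH, PERMISSION_REMOVE_NODE);
            assertIsGranted(permissionProvider, testRoot, false, TEST_C_PATH, PERMISSION_REMOVE_NODE);
            try {
                testRoot.getTree(TEST_C_PATH).remove();
                testRoot.commit();
                Assert.fail("removing node on /a/b/c should fail");
            } catch (CommitFailedException expected) {
                // Expected: the deny entry on c must reject the commit.
            }
        } finally {
            testSession.close();
        }
    }

    /**
     * Restricted entries on a, deny ({@code rep:glob} = {@code *}{@code /c}) added before allow
     * ({@code rep:glob} = {@code *}{@code /b}). The assertions expect the deny to hit c only:
     * removal stays granted on a, b, d and e, d can actually be removed, and removing c fails.
     */
    @Test
    public void testHasPermissionWithRestrictions() throws Exception {
        addEntry(TEST_ROOT_PATH, true, "", "jcr:read", "rep:write");
        addEntry(TEST_A_PATH, false, "*/c", "jcr:removeNode");
        addEntry(TEST_A_PATH, true, "*/b", "jcr:removeNode");
        ContentSession testSession = createTestSession();
        try {
            Root testRoot = testSession.getLatestRoot();
            PermissionProvider permissionProvider = getPermissionProvider(testSession);
            assertIsGranted(permissionProvider, testRoot, true, TEST_A_PATH, PERMISSION_REMOVE_NODE);
            assertIsGranted(permissionProvider, testRoot, true, TEST_B_PATH, PERMISSION_REMOVE_NODE);
            assertIsGranted(permissionProvider, testRoot, false, TEST_C_PATH, PERMISSION_REMOVE_NODE);
            assertIsGranted(permissionProvider, testRoot, true, TEST_D_PATH, PERMISSION_REMOVE_NODE);
            assertIsGranted(permissionProvider, testRoot, true, TEST_E_PATH, PERMISSION_REMOVE_NODE);
            // Removing d is allowed and must commit cleanly before the denied removal is tried.
            testRoot.getTree(TEST_D_PATH).remove();
            testRoot.commit();
            try {
                testRoot.getTree(TEST_C_PATH).remove();
                testRoot.commit();
                Assert.fail("user should not be able to remove c");
            } catch (CommitFailedException expected) {
                // Expected: the restricted deny entry must reject the commit.
            }
        } finally {
            testSession.close();
        }
    }

    /**
     * Same entries as {@link #testHasPermissionWithRestrictions()} but added in the opposite
     * order (allow first, deny second); the expected outcome is the same.
     *
     * <p>NOTE(review): unlike the sibling test, e is not asserted here.
     */
    @Test
    public void testHasPermissionWithRestrictions2() throws Exception {
        addEntry(TEST_ROOT_PATH, true, "", "jcr:read", "rep:write");
        addEntry(TEST_A_PATH, true, "*/b", "jcr:removeNode");
        addEntry(TEST_A_PATH, false, "*/c", "jcr:removeNode");
        ContentSession testSession = createTestSession();
        try {
            Root testRoot = testSession.getLatestRoot();
            PermissionProvider permissionProvider = getPermissionProvider(testSession);
            assertIsGranted(permissionProvider, testRoot, true, TEST_A_PATH, PERMISSION_REMOVE_NODE);
            assertIsGranted(permissionProvider, testRoot, true, TEST_B_PATH, PERMISSION_REMOVE_NODE);
            assertIsGranted(permissionProvider, testRoot, false, TEST_C_PATH, PERMISSION_REMOVE_NODE);
            assertIsGranted(permissionProvider, testRoot, true, TEST_D_PATH, PERMISSION_REMOVE_NODE);
            testRoot.getTree(TEST_D_PATH).remove();
            testRoot.commit();
            try {
                testRoot.getTree(TEST_C_PATH).remove();
                testRoot.commit();
                Assert.fail("should not be able to delete /testRoot/a/b/c");
            } catch (CommitFailedException expected) {
                // Expected failure; discard the rejected removal from the session's root.
                testRoot.refresh();
            }
        } finally {
            testSession.close();
        }
    }

    /**
     * A deny of {@code jcr:modifyProperties} on a, restricted to {@code *}{@code /c}, must be
     * reported for c only; a, b, d and e keep the permission.
     *
     * <p>NOTE(review): only {@code isGranted} is checked. No property is modified and committed,
     * so commit-time enforcement of this deny is not covered by the test.
     */
    @Test
    public void testProtectPropertiesByRestriction() throws Exception {
        addEntry(TEST_ROOT_PATH, true, "", "jcr:read", "rep:write");
        addEntry(TEST_A_PATH, false, "*/c", "jcr:modifyProperties");
        ContentSession testSession = createTestSession();
        try {
            Root testRoot = testSession.getLatestRoot();
            PermissionProvider permissionProvider = getPermissionProvider(testSession);
            assertIsGranted(permissionProvider, testRoot, true, TEST_A_PATH, PERMISSION_MODIFY_PROPERTY);
            assertIsGranted(permissionProvider, testRoot, true, TEST_B_PATH, PERMISSION_MODIFY_PROPERTY);
            assertIsGranted(permissionProvider, testRoot, false, TEST_C_PATH, PERMISSION_MODIFY_PROPERTY);
            assertIsGranted(permissionProvider, testRoot, true, TEST_D_PATH, PERMISSION_MODIFY_PROPERTY);
            assertIsGranted(permissionProvider, testRoot, true, TEST_E_PATH, PERMISSION_MODIFY_PROPERTY);
        } finally {
            // Same cleanup shape as the other tests; replaces the duplicated close() calls in a
            // catch-Throwable-and-rethrow block.
            testSession.close();
        }
    }
}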
