package org.apache.jackrabbit.oak.exercise.security.authorization.advanced;

import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import javax.jcr.Repository;
import javax.jcr.Session;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import junit.framework.TestCase;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.oak.AbstractSecurityTest;
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.ContentSession;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.exercise.security.authorization.models.simplifiedroles.ThreeRolesAuthorizationConfiguration;
import org.apache.jackrabbit.oak.exercise.security.principal.CustomPrincipalConfiguration;
import org.apache.jackrabbit.oak.jcr.repository.RepositoryImpl;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.plugins.nodetype.ReadOnlyNodeTypeManager;
import org.apache.jackrabbit.oak.plugins.observation.CommitRateLimiter;
import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
import org.apache.jackrabbit.oak.security.authorization.composite.CompositeAuthorizationConfiguration;
import org.apache.jackrabbit.oak.security.internal.SecurityProviderHelper;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalConfiguration;
import org.apache.jackrabbit.oak.spi.whiteboard.DefaultWhiteboard;
import org.jetbrains.annotations.NotNull;
import org.junit.Assert;
import org.junit.Test;

/* loaded from: input_file:org/apache/jackrabbit/oak/exercise/security/authorization/advanced/L4_CustomAccessControlManagementTest.class */
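/**
 * Exercise tests for the access control management side of a custom authorization model:
 * the "three roles" model, whose policy node carries {@code rep:readers}, {@code rep:editors}
 * and {@code rep:owners}.
 *
 * <p>Setup visible in this class: the three-roles configuration is limited to the supported
 * path {@code /test}, a custom principal configuration knows {@code principalR},
 * {@code principalE} and {@code principalO}, and the authorization composition type is
 * {@code OR}.
 *
 * <p>NOTE(review): with {@code OR} composition a grant from any aggregated authorization model
 * is presumably sufficient, so a custom model can widen access beyond what the default model
 * grants. Confirm against the composite-authorization documentation before reusing this
 * setting outside the exercise.
 *
 * <p>Several expected values are {@code -1}. An array length or iterator size can never equal
 * that, so those tests fail until the value is filled in; they look like exercise placeholders.
 */
public class L4_CustomAccessControlManagementTest extends AbstractSecurityTest {

    /**
     * Builds the base security provider and plugs the three-roles authorization configuration
     * and the custom principal configuration into it (extends the base-class hook of the same
     * name).
     *
     * @return the security provider used by every test in this class
     */
    protected SecurityProvider initSecurityProvider() {
        ThreeRolesAuthorizationConfiguration threeRoles = new ThreeRolesAuthorizationConfiguration();
        // The custom model is only meant to apply below this path; see
        // testAccessControlContentIsProtected for the "/outside" counter-check.
        threeRoles.setParameters(ConfigurationParameters.of("supportedPath", "/test"));

        CustomPrincipalConfiguration principals = new CustomPrincipalConfiguration();
        principals.setParameters(ConfigurationParameters.of(
                "knownPrincipals", new String[]{"principalR", "principalE", "principalO"}));

        SecurityProvider provider = super.initSecurityProvider();
        SecurityProviderHelper.updateConfig(provider, threeRoles, AuthorizationConfiguration.class);
        SecurityProviderHelper.updateConfig(provider, principals, PrincipalConfiguration.class);
        return provider;
    }

    /**
     * Supplies the security configuration parameters for the test setup.
     *
     * @return parameters selecting {@code OR} as the authorization composition type
     */
    protected ConfigurationParameters getSecurityConfigParameters() {
        return ConfigurationParameters.of(
                "authorizationCompositionType",
                CompositeAuthorizationConfiguration.CompositionType.OR.toString());
    }

    /**
     * Creates the content every test starts from: {@code /test/a} (with the three-roles mixin
     * and a policy node), {@code /test/a/b} and {@code /outside}.
     *
     * @throws Exception if the base setup or the commit fails
     */
    public void before() throws Exception {
        super.before();

        Tree testTree = TreeUtil.addChild(this.root.getTree("/"), "test", "oak:Unstructured");
        Tree a = TreeUtil.addChild(testTree, "a", "oak:Unstructured");
        a.setProperty("aProp", "value");
        Tree b = TreeUtil.addChild(a, "b", "oak:Unstructured");
        b.setProperty("abProp", "value");

        // The policy node is only added after the mixin; the negative test below expects a
        // policy node without the mixin to be rejected on commit.
        TreeUtil.addMixin(a, "rep:ThreeRolesMixin", this.root.getTree("/jcr:system/jcr:nodeTypes"), (String) null);
        Tree policy = TreeUtil.addChild(a, "rep:threeRolesPolicy", "rep:ThreeRolesPolicy");
        // "everyone" is listed as a reader; presumably this resolves to the everyone group
        // principal, i.e. the reader role is handed to every session - verify against the model.
        policy.setProperty("rep:readers", ImmutableSet.of("principalR", "everyone"), Type.STRINGS);
        policy.setProperty("rep:editors", ImmutableSet.of("principalE", getTestUser().getPrincipal().getName()), Type.STRINGS);
        policy.setProperty("rep:owners", ImmutableSet.of("principalO"), Type.STRINGS);

        // Sibling of /test, i.e. outside the configured supported path.
        TreeUtil.addChild(this.root.getTree("/"), "outside", "oak:Unstructured");
        this.root.commit();
    }

    /** Looks up the authorization configuration of the security provider under test. */
    private AuthorizationConfiguration authorizationConfiguration() {
        return (AuthorizationConfiguration) getConfig(AuthorizationConfiguration.class);
    }

    /**
     * Obtains the access control manager of the configured authorization setup.
     *
     * @param root the root the manager operates on
     * @return an access control manager using the default name/path mapper
     */
    private AccessControlManager getAcManager(@NotNull Root root) {
        return authorizationConfiguration().getAccessControlManager(root, NamePathMapper.DEFAULT);
    }

    /** Wraps the content repository and security provider of this test into a JCR repository. */
    private Repository buildJcrRepository() {
        return new RepositoryImpl(getContentRepository(), new DefaultWhiteboard(), getSecurityProvider(), 10000, (CommitRateLimiter) null, false);
    }

    /**
     * Builds the system-view XML used by the import tests: a node named {@code another2} with
     * the three-roles mixin and a policy child whose {@code rep:readers} holds one principal.
     *
     * <p>The name is inserted verbatim (no XML escaping); callers pass fixed test constants.
     *
     * <p>NOTE(review): as written, the start tag of the {@code rep:threeRolesPolicy} node is
     * never closed with {@code >}, so the document is not well-formed and the import is
     * expected to be rejected by the XML parser before any access control validation runs.
     * The literal is reproduced unchanged here; confirm whether that is intended for the
     * exercise.
     *
     * @param readerPrincipalName principal name written into {@code rep:readers}
     * @return the XML document as a string
     */
    private static String threeRolesImportXml(String readerPrincipalName) {
        return "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
                + "<sv:node sv:name=\"another2\""
                + " xmlns:mix=\"http://www.jcp.org/jcr/mix/1.0\""
                + " xmlns:nt=\"http://www.jcp.org/jcr/nt/1.0\""
                + " xmlns:fn_old=\"http://www.w3.org/2004/10/xpath-functions\""
                + " xmlns:fn=\"http://www.w3.org/2005/xpath-functions\""
                + " xmlns:xs=\"http://www.w3.org/2001/XMLSchema\""
                + " xmlns:sv=\"http://www.jcp.org/jcr/sv/1.0\""
                + " xmlns:rep=\"internal\""
                + " xmlns:jcr=\"http://www.jcp.org/jcr/1.0\">"
                + "<sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>oak:Unstructured</sv:value></sv:property>"
                + "<sv:property sv:name=\"jcr:mixinTypes\" sv:type=\"Name\"><sv:value>rep:ThreeRolesMixin</sv:value></sv:property>"
                + "<sv:node sv:name=\"rep:threeRolesPolicy\" "
                + "<sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>rep:ThreeRolesPolicy</sv:value></sv:property>"
                + "<sv:property sv:name=\"rep:readers\" sv:type=\"String\"><sv:value>" + readerPrincipalName + "</sv:value></sv:property>"
                + "</sv:node></sv:node>";
    }

    /**
     * Checks the number and type of policies bound to {@code /test/a}.
     *
     * @throws Exception if the policies cannot be retrieved
     */
    @Test
    public void testGetPolicies() throws Exception {
        // Placeholder: -1 can never match an array length; replace with the real expectation.
        int expectedLength = -1;

        AccessControlPolicy[] policies = getAcManager(this.root).getPolicies("/test/a");
        TestCase.assertEquals(expectedLength, policies.length);
        for (int i = 0; i < expectedLength; i++) {
            // instanceof against the declared array type only rules out null elements;
            // presumably a concrete policy type is meant to be asserted here.
            Assert.assertTrue(policies[i] instanceof AccessControlPolicy);
        }
    }

    /**
     * Checks the number and type of effective policies for paths above, inside, below and
     * outside the node that carries the policy.
     *
     * @throws Exception if the effective policies cannot be retrieved
     */
    @Test
    public void testGetEffectivePolicies() throws Exception {
        // path -> expected number of effective policies (-1 = placeholder, see class comment)
        ImmutableMap<String, Integer> expectedSizes =
                ImmutableMap.of("/", -1, "/test", -1, "/test/a/b", -1, "/outside", -1);

        for (String path : expectedSizes.keySet()) {
            int expectedLength = expectedSizes.get(path);
            AccessControlPolicy[] effective = getAcManager(this.root).getEffectivePolicies(path);
            TestCase.assertEquals(expectedLength, effective.length);
            for (int i = 0; i < expectedLength; i++) {
                Assert.assertTrue(effective[i] instanceof AccessControlPolicy);
            }
        }
    }

    /**
     * Checks how many policies can still be applied at a node that already has one, at its
     * child and at a node outside the supported path.
     *
     * @throws Exception if the applicable policies cannot be retrieved
     */
    @Test
    public void testGetApplicablePolicies() throws Exception {
        // path -> expected number of applicable policies (-1 = placeholder, see class comment)
        ImmutableMap<String, Integer> expectedSizes =
                ImmutableMap.of("/test/a", -1, "/test/a/b", -1, "/outside", -1);

        for (String path : expectedSizes.keySet()) {
            AccessControlPolicyIterator applicable = getAcManager(this.root).getApplicablePolicies(path);
            TestCase.assertEquals(expectedSizes.get(path).longValue(), applicable.getSize());
            while (applicable.hasNext()) {
                Assert.assertTrue(applicable.nextAccessControlPolicy() instanceof AccessControlPolicy);
            }
        }
    }

    /**
     * Verifies, per principal, the permissions granted on a new node {@code /test/another}.
     *
     * <p>NOTE(review): the policies read for the new node are discarded and no
     * {@code setPolicy} call is made, so as written the assertions run against a node without
     * a policy of its own; setting one looks like the part left to complete.
     *
     * @throws Exception if content creation, the commit or the permission lookup fails
     */
    @Test
    public void testSetPolicy() throws Exception {
        Tree another = TreeUtil.addChild(this.root.getTree("/test"), "another", "oak:Unstructured");
        getAcManager(this.root).getPolicies(another.getPath());
        this.root.commit();

        PrincipalManager principalManager = getPrincipalManager(this.root);
        // principal -> permission bit mask expected to be granted on the new node.
        // NOTE(review): 3L looks like READ_NODE | READ_PROPERTY; 18431L is the same mask that
        // testSetModifiedPolicy passes to Permissions.getString - confirm against Permissions.
        ImmutableMap<Principal, Long> expectedPermissions = ImmutableMap.of(
                getTestUser().getPrincipal(), 0L,
                principalManager.getEveryone(), 0L,
                principalManager.getPrincipal("principalR"), 3L,
                principalManager.getPrincipal("principalE"), 0L,
                principalManager.getPrincipal("principalO"), 18431L);

        for (Principal principal : expectedPermissions.keySet()) {
            long permissions = expectedPermissions.get(principal);
            // Evaluate with exactly one principal so the roles cannot mask each other.
            boolean granted = authorizationConfiguration()
                    .getPermissionProvider(this.root, this.adminSession.getWorkspaceName(), ImmutableSet.of(principal))
                    .isGranted(another, (PropertyState) null, permissions);
            Assert.assertTrue(granted);
        }
    }

    /**
     * Re-applies the policies of {@code /test/a} and then checks, as the test user, that the
     * permission mask {@code 18431L} is granted on {@code /test/a}.
     *
     * <p>NOTE(review): the policy is written back unmodified; the modification that would
     * justify the expected grant is presumably the part left to complete.
     *
     * @throws Exception if the policy update, the commit or the session handling fails
     */
    @Test
    public void testSetModifiedPolicy() throws Exception {
        AccessControlManager acManager = getAcManager(this.root);
        for (AccessControlPolicy policy : acManager.getPolicies("/test/a")) {
            acManager.setPolicy("/test/a", policy);
        }
        this.root.commit();

        // One test-user session only, closed by try-with-resources: a second, separately
        // created session used just for its root would never be closed.
        try (ContentSession testSession = createTestSession()) {
            boolean granted = authorizationConfiguration()
                    .getPermissionProvider(
                            testSession.getLatestRoot(),
                            testSession.getWorkspaceName(),
                            testSession.getAuthInfo().getPrincipals())
                    .isGranted("/test/a", Permissions.getString(18431L));
            Assert.assertTrue(granted);
        }
    }

    /**
     * Removes every policy bound to {@code /test/a} and expects none to remain after commit.
     *
     * @throws Exception if the removal or the commit fails
     */
    @Test
    public void testRemovePolicy() throws Exception {
        AccessControlManager acManager = getAcManager(this.root);
        AccessControlPolicy[] bound = acManager.getPolicies("/test/a");
        for (AccessControlPolicy policy : bound) {
            acManager.removePolicy("/test/a", policy);
        }
        this.root.commit();

        TestCase.assertEquals(0, acManager.getPolicies("/test/a").length);
    }

    /**
     * Negative tests: policy content must not be creatable through plain content writes in
     * places where the model does not allow it.
     *
     * <p>Each attempt discards its pending changes in {@code finally}. Without that, the
     * rejected change of the first attempt stays in the transient space and makes every later
     * commit fail as well, so the later checks would pass without exercising their own
     * condition - a false assurance for an access control test.
     *
     * @throws Exception if anything other than the expected commit failures occurs
     */
    @Test
    public void testAccessControlContentIsProtected() throws Exception {
        try {
            TreeUtil.addChild(this.root.getTree("/test"), "rep:threeRolesPolicy", "rep:ThreeRolesPolicy");
            this.root.commit();
            Assert.fail("Adding policy without mixin must fail.");
        } catch (CommitFailedException expected) {
            // expected: the commit was rejected
        } finally {
            this.root.refresh();
        }

        try {
            this.root.getTree("/test").setProperty("rep:owners", 437);
            this.root.commit();
            Assert.fail("Using name of protected policy property outside of the context of a policy must fail.");
        } catch (CommitFailedException expected) {
            // expected: the commit was rejected
        } finally {
            this.root.refresh();
        }

        try {
            Tree nested = this.root.getTree("/test/a/b");
            TreeUtil.addMixin(nested, "rep:ThreeRolesMixin", this.root.getTree("/jcr:system/jcr:nodeTypes"), (String) null);
            TreeUtil.addChild(nested, "rep:threeRolesPolicy", "rep:ThreeRolesPolicy");
            this.root.commit();
            Assert.fail("Creation of nested three-roles-policy must fail (NOTE: this is an arbitrary limitation for the sake of simplifying permission evaluation).");
        } catch (CommitFailedException expected) {
            // expected: the commit was rejected
        } finally {
            this.root.refresh();
        }

        try {
            Tree outside = this.root.getTree("/outside");
            TreeUtil.addMixin(outside, "rep:ThreeRolesMixin", this.root.getTree("/jcr:system/jcr:nodeTypes"), (String) null);
            TreeUtil.addChild(outside, "rep:threeRolesPolicy", "rep:ThreeRolesPolicy");
            this.root.commit();
            Assert.fail("Creation of nested three-roles-policy outside of the configured supported path must fail.");
        } catch (CommitFailedException expected) {
            // expected: the commit was rejected
        } finally {
            this.root.refresh();
        }
    }

    /**
     * Verifies that the policy node and its three role properties are declared
     * {@code protected} by their node type definitions.
     *
     * @throws Exception if a definition cannot be resolved
     */
    @Test
    public void testAccessControlItemsAreProtectedByNodeTypeDefinition() throws Exception {
        ReadOnlyNodeTypeManager nodeTypes = ReadOnlyNodeTypeManager.getInstance(this.root, NamePathMapper.DEFAULT);
        Tree a = this.root.getTree("/test/a");
        Tree policy = a.getChild("rep:threeRolesPolicy");

        Assert.assertTrue(nodeTypes.getDefinition(a, policy).isProtected());
        for (String roleProperty : new String[]{"rep:readers", "rep:editors", "rep:owners"}) {
            Assert.assertTrue(nodeTypes.getDefinition(policy, policy.getProperty(roleProperty), true).isProtected());
        }

        // NOTE(review): the repository built here is neither used nor kept; presumably the
        // JCR-level check that protected items cannot be written is still to be added.
        buildJcrRepository();
    }

    /**
     * Imports a node carrying a three-roles policy through JCR XML import and expects a
     * policy to be bound afterwards.
     *
     * <p>NOTE(review): the XML names the imported node {@code another2}, while the test reads
     * {@code /test/another}; confirm which name is intended.
     *
     * @throws Exception if login, import or the policy lookup fails
     */
    @Test
    public void testImportNodeWithPolicy() throws Exception {
        String xml = threeRolesImportXml("principalR");
        Session session = buildJcrRepository().login(getAdminCredentials(), (String) null);
        try {
            // 3 is the UUID behavior argument of importXML; it matches
            // javax.jcr.ImportUUIDBehavior.IMPORT_UUID_COLLISION_THROW.
            // Encode explicitly as UTF-8, the encoding the XML declaration announces.
            session.importXML("/test", new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)), 3);
            session.getNode("/test/another");
            Assert.assertTrue(session.getAccessControlManager().getPolicies("/test/another").length > 0);
        } finally {
            // Drop the imported, unsaved content and release the session on every path.
            session.refresh(false);
            session.logout();
        }
    }

    /**
     * Same import as {@link #testImportNodeWithPolicy()}, but {@code rep:readers} names a
     * principal that is not among the configured known principals.
     *
     * <p>NOTE(review): the assertion is identical to the known-principal case, i.e. the import
     * is expected to succeed with a bound policy. Whether a policy naming an unknown principal
     * should be accepted is a security decision of the model; confirm the expected outcome.
     * The {@code another2} versus {@code /test/another} mismatch applies here as well.
     *
     * @throws Exception if login, import or the policy lookup fails
     */
    @Test
    public void testImportNodeWithPolicyAndUnknownPrincipal() throws Exception {
        String xml = threeRolesImportXml("unknownPrincipal");
        Session session = buildJcrRepository().login(getAdminCredentials(), (String) null);
        try {
            // 3 matches javax.jcr.ImportUUIDBehavior.IMPORT_UUID_COLLISION_THROW.
            session.importXML("/test", new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)), 3);
            session.getNode("/test/another");
            Assert.assertTrue(session.getAccessControlManager().getPolicies("/test/another").length > 0);
        } finally {
            // Drop the imported, unsaved content and release the session on every path.
            session.refresh(false);
            session.logout();
        }
    }
}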
