package org.apache.jackrabbit.oak.spi.security.user.action;

import com.google.common.collect.ImmutableList;
import java.security.Principal;
import javax.jcr.RepositoryException;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.commons.iterator.AccessControlPolicyIteratorAdapter;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
import org.apache.jackrabbit.oak.spi.security.user.UserConfiguration;
import org.apache.jackrabbit.oak.spi.security.user.UserConstants;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.junit.Test;
import org.mockito.ArgumentMatchers;
import org.mockito.Mockito;

/* loaded from: input_file:org/apache/jackrabbit/oak/spi/security/user/action/AccessControlActionTest.class */
/**
 * Unit tests for {@link AccessControlAction#onCreate}, run entirely against Mockito mocks of the
 * security provider, its user/authorization configurations and the JCR access control manager.
 *
 * <p>NOTE(review): none of the tests verifies an interaction or asserts a result; each one only
 * checks whether {@code onCreate} throws. For a component that grants privileges when an
 * authorizable is created, the security-relevant outcome (whether an access control entry was
 * added, and for which principal) is therefore not pinned down by this class. Consider adding
 * {@code Mockito.verify(...)} checks on the mocked ACL and access control manager.
 */
public class AccessControlActionTest implements UserConstants {
    private final Root root = Mockito.mock(Root.class);
    private final SecurityProvider securityProvider = Mockito.mock(SecurityProvider.class);
    private final UserConfiguration userConfiguration = Mockito.mock(UserConfiguration.class);
    private final AuthorizationConfiguration authorizationConfiguration = Mockito.mock(AuthorizationConfiguration.class);

    /**
     * Wires the mocked security provider without stubbing an access control manager.
     *
     * @param adminId value stored under the "adminId" user-configuration parameter
     * @param anonymousId value stored under the "anonymousId" user-configuration parameter
     * @param adminPrincipals values stored under the "administrativePrincipals" authorization parameter
     */
    private void initSecurityProvider(@NotNull String adminId, @NotNull String anonymousId, @NotNull String... adminPrincipals) throws Exception {
        initSecurityProvider(null, adminId, anonymousId, adminPrincipals);
    }

    /**
     * Wires the mocked security provider so that it hands out the mocked user and authorization
     * configurations, each returning parameters built from the arguments.
     *
     * @param accessControlManager manager returned by the authorization configuration for
     *     {@code root} and {@link NamePathMapper#DEFAULT}; when {@code null} that call is left unstubbed
     * @param adminId value stored under the "adminId" user-configuration parameter
     * @param anonymousId value stored under the "anonymousId" user-configuration parameter
     * @param adminPrincipals values stored under the "administrativePrincipals" authorization parameter
     */
    private void initSecurityProvider(@Nullable AccessControlManager accessControlManager, @NotNull String adminId, @NotNull String anonymousId, @NotNull String... adminPrincipals) throws Exception {
        ConfigurationParameters userParams = ConfigurationParameters.of("adminId", adminId, "anonymousId", anonymousId);
        Mockito.when(this.userConfiguration.getParameters()).thenReturn(userParams);

        ConfigurationParameters authorizationParams = ConfigurationParameters.of("administrativePrincipals", adminPrincipals);
        Mockito.when(this.authorizationConfiguration.getParameters()).thenReturn(authorizationParams);

        if (accessControlManager != null) {
            Mockito.when(this.authorizationConfiguration.getAccessControlManager(this.root, NamePathMapper.DEFAULT)).thenReturn(accessControlManager);
        }

        Mockito.when(this.securityProvider.getConfiguration(UserConfiguration.class)).thenReturn(this.userConfiguration);
        Mockito.when(this.securityProvider.getConfiguration(AuthorizationConfiguration.class)).thenReturn(this.authorizationConfiguration);
    }

    /**
     * Builds a mocked access control manager that answers {@code getApplicablePolicies} for three
     * fixed paths: "/none" (no policies), "/nonACL" (one policy that is not a
     * {@link JackrabbitAccessControlList}) and "/acl" (one mocked {@link JackrabbitAccessControlList}).
     *
     * @param entryAdded when {@code true} the mocked ACL reports {@code true} from
     *     {@code addAccessControlEntry}; otherwise the call is left unstubbed, so the mock
     *     answers with Mockito's default for {@code boolean} ({@code false})
     * @return the stubbed manager
     */
    private AccessControlManager mockAccessControlManager(boolean entryAdded) throws Exception {
        AccessControlManager manager = Mockito.mock(AccessControlManager.class);

        Mockito.when(manager.getApplicablePolicies("/none")).thenReturn(AccessControlPolicyIteratorAdapter.EMPTY);

        AccessControlPolicy plainPolicy = Mockito.mock(AccessControlPolicy.class);
        Mockito.when(manager.getApplicablePolicies("/nonACL")).thenReturn(new AccessControlPolicyIteratorAdapter(ImmutableList.of(plainPolicy)));

        JackrabbitAccessControlList acl = Mockito.mock(JackrabbitAccessControlList.class);
        if (entryAdded) {
            Mockito.when(acl.addAccessControlEntry(ArgumentMatchers.any(Principal.class), ArgumentMatchers.any(Privilege[].class))).thenReturn(true);
        }
        Mockito.when(manager.getApplicablePolicies("/acl")).thenReturn(new AccessControlPolicyIteratorAdapter(ImmutableList.of(acl)));

        return manager;
    }

    /**
     * Creates an action initialised with the same privilege names for users and groups.
     *
     * @param privilegeNames stored under both "userPrivilegeNames" and "groupPrivilegeNames"
     */
    private AccessControlAction createAction(@NotNull String... privilegeNames) {
        return createAction(privilegeNames, privilegeNames);
    }

    /**
     * Creates an action initialised against the mocked security provider.
     *
     * @param userPrivilegeNames stored under "userPrivilegeNames"
     * @param groupPrivilegeNames stored under "groupPrivilegeNames"
     */
    private AccessControlAction createAction(@NotNull String[] userPrivilegeNames, @NotNull String[] groupPrivilegeNames) {
        ConfigurationParameters actionParams = ConfigurationParameters.of("userPrivilegeNames", userPrivilegeNames, "groupPrivilegeNames", groupPrivilegeNames);
        AccessControlAction action = new AccessControlAction();
        action.init(this.securityProvider, actionParams);
        return action;
    }

    /**
     * Stubs ID, principal and path on a mocked authorizable.
     *
     * @param authorizable the mock to stub
     * @param id value returned by {@code getID()}
     * @param principalName name of the principal returned by {@code getPrincipal()};
     *     {@code null} makes that call throw {@link RepositoryException}
     * @param path value returned by {@code getPath()}; {@code null} makes that call throw
     *     {@link RepositoryException}
     */
    private static void mockAuthorizable(@NotNull Authorizable authorizable, @NotNull String id, @Nullable String principalName, @Nullable String path) throws RepositoryException {
        Mockito.when(authorizable.getID()).thenReturn(id);

        // A missing principal/path is modelled as a failing accessor, so a test that expects no
        // exception also shows the action never got as far as reading that value.
        if (principalName == null) {
            Mockito.when(authorizable.getPrincipal()).thenThrow(new RepositoryException());
        } else {
            Mockito.when(authorizable.getPrincipal()).thenReturn(new PrincipalImpl(principalName));
        }

        if (path == null) {
            Mockito.when(authorizable.getPath()).thenThrow(new RepositoryException());
        } else {
            Mockito.when(authorizable.getPath()).thenReturn(path);
        }
    }

    /** Creates a mocked {@link User} ({@code isGroup()} is {@code false}); see {@link #mockAuthorizable}. */
    private static User mockUser(@NotNull String id, @Nullable String principalName, @Nullable String path) throws RepositoryException {
        User mockedUser = Mockito.mock(User.class);
        Mockito.when(mockedUser.isGroup()).thenReturn(false);
        mockAuthorizable(mockedUser, id, principalName, path);
        return mockedUser;
    }

    /** Creates a mocked {@link Group} ({@code isGroup()} is {@code true}); see {@link #mockAuthorizable}. */
    private static Group mockGroup(@NotNull String id, @Nullable String principalName, @Nullable String path) throws RepositoryException {
        Group mockedGroup = Mockito.mock(Group.class);
        Mockito.when(mockedGroup.isGroup()).thenReturn(true);
        mockAuthorizable(mockedGroup, id, principalName, path);
        return mockedGroup;
    }

    /** An action that was never initialised must reject user creation with {@link IllegalStateException}. */
    @Test(expected = IllegalStateException.class)
    public void testOnCreateUserMissingSecurityProvider() throws Exception {
        AccessControlAction uninitialised = new AccessControlAction();
        User user = Mockito.mock(User.class);
        uninitialised.onCreate(user, (String) null, this.root, NamePathMapper.DEFAULT);
    }

    /** An action that was never initialised must reject group creation with {@link IllegalStateException}. */
    @Test(expected = IllegalStateException.class)
    public void testOnCreateGroupMissingSecurityProvider() throws Exception {
        AccessControlAction uninitialised = new AccessControlAction();
        Group group = Mockito.mock(Group.class);
        uninitialised.onCreate(group, this.root, NamePathMapper.DEFAULT);
    }

    /**
     * Users whose ID equals the configured admin or anonymous ID: creation must complete without
     * an exception even though both {@code getPrincipal()} and {@code getPath()} are stubbed to throw.
     */
    @Test
    public void testOnCreateBuiltinUser() throws Exception {
        initSecurityProvider("adminId", "anonymousId");
        AccessControlAction action = createAction("jcr:read");
        for (String builtinId : new String[] {"adminId", "anonymousId"}) {
            User builtinUser = mockUser(builtinId, null, null);
            action.onCreate(builtinUser, (String) null, this.root, NamePathMapper.DEFAULT);
        }
    }

    /**
     * A group that merely shares the configured admin ID: creation is expected to fail with
     * {@link RepositoryException} (presumably raised by one of the throwing stubs - the test does
     * not distinguish which).
     */
    @Test(expected = RepositoryException.class)
    public void testOnCreateBuiltinIsGroup() throws Exception {
        initSecurityProvider("adminIdIsUsedByGroup", "anonymousId");
        AccessControlAction action = createAction("jcr:read");
        Group group = mockGroup("adminIdIsUsedByGroup", null, null);
        action.onCreate(group, this.root, NamePathMapper.DEFAULT);
    }

    /** No user privilege names configured: creating a user must complete without an exception. */
    @Test
    public void testOnCreateUserEmptyPrivs() throws Exception {
        initSecurityProvider("admin", "anonymous");
        AccessControlAction action = createAction(new String[0], new String[] {"jcr:read"});
        User user = mockUser("id", null, null);
        action.onCreate(user, (String) null, this.root, NamePathMapper.DEFAULT);
    }

    /** No group privilege names configured: creating a group must complete without an exception. */
    @Test
    public void testOnCreateGroupEmptyPrivs() throws Exception {
        initSecurityProvider("admin", "anonymous");
        AccessControlAction action = createAction(new String[] {"jcr:read"}, new String[0]);
        Group group = mockGroup("id", null, null);
        action.onCreate(group, this.root, NamePathMapper.DEFAULT);
    }

    /**
     * User whose principal name is listed as administrative: creation must complete without an
     * exception although {@code getPath()} is stubbed to throw.
     */
    @Test
    public void testOnCreateAdminUser() throws Exception {
        initSecurityProvider("admin", "anonymous", "administrativePrincipal");
        AccessControlAction action = createAction("jcr:read");
        User adminUser = mockUser("id", "administrativePrincipal", null);
        action.onCreate(adminUser, (String) null, this.root, NamePathMapper.DEFAULT);
    }

    /**
     * Group whose principal name is listed as administrative: creation must complete without an
     * exception although {@code getPath()} is stubbed to throw.
     */
    @Test
    public void testOnCreateAdminGroup() throws Exception {
        initSecurityProvider("admin", "anonymous", "administrativePrincipal");
        AccessControlAction action = createAction("jcr:read");
        Group adminGroup = mockGroup("id", "administrativePrincipal", null);
        action.onCreate(adminGroup, this.root, NamePathMapper.DEFAULT);
    }

    /** Regular user whose {@code getPath()} throws: {@link RepositoryException} is expected. */
    @Test(expected = RepositoryException.class)
    public void testOnCreateUserWithoutPath() throws Exception {
        initSecurityProvider("admin", "anonymous");
        AccessControlAction action = createAction("jcr:read");
        User user = mockUser("id", "principalName", null);
        action.onCreate(user, (String) null, this.root, NamePathMapper.DEFAULT);
    }

    /** Regular group whose {@code getPath()} throws: {@link RepositoryException} is expected. */
    @Test(expected = RepositoryException.class)
    public void testOnCreateGroupWithoutPath() throws Exception {
        initSecurityProvider("admin", "anonymous");
        AccessControlAction action = createAction("jcr:read");
        Group group = mockGroup("id", "principal", null);
        action.onCreate(group, this.root, NamePathMapper.DEFAULT);
    }

    /** Path "/none" offers no applicable policy: creation must complete without an exception. */
    @Test
    public void testOnCreateNoApplicablePolicy() throws Exception {
        AccessControlManager manager = mockAccessControlManager(false);
        initSecurityProvider(manager, "admin", "anonymous");
        AccessControlAction action = createAction("jcr:read");
        User user = mockUser("userId", "pName", "/none");
        action.onCreate(user, "pw", this.root, NamePathMapper.DEFAULT);
    }

    /**
     * Path "/nonACL" offers only a policy that is not a {@link JackrabbitAccessControlList}:
     * creation must complete without an exception.
     */
    @Test
    public void testOnCreateNoApplicableAclPolicy() throws Exception {
        AccessControlManager manager = mockAccessControlManager(false);
        initSecurityProvider(manager, "admin", "anonymous");
        AccessControlAction action = createAction("jcr:read");
        Group group = mockGroup("grId", "pName", "/nonACL");
        action.onCreate(group, this.root, NamePathMapper.DEFAULT);
    }

    /**
     * Path "/acl" offers a mocked ACL whose {@code addAccessControlEntry} is left unstubbed:
     * creating a group must complete without an exception.
     */
    @Test
    public void testOnCreateApplicableAclPolicyForGroup() throws Exception {
        AccessControlManager manager = mockAccessControlManager(false);
        initSecurityProvider(manager, "admin", "anonymous");
        AccessControlAction action = createAction("jcr:read");
        Group group = mockGroup("grId", "pName", "/acl");
        action.onCreate(group, this.root, NamePathMapper.DEFAULT);
    }

    /**
     * Path "/acl" offers a mocked ACL whose {@code addAccessControlEntry} returns {@code true}:
     * creating a user must complete without an exception.
     *
     * <p>NOTE(review): this is the case where an entry is reported as added, yet nothing checks
     * which principal it was added for or whether the modified policy was written back.
     */
    @Test
    public void testOnCreateApplicableAclPolicyForUser() throws Exception {
        AccessControlManager manager = mockAccessControlManager(true);
        initSecurityProvider(manager, "admin", "anonymous");
        AccessControlAction action = createAction("jcr:read");
        User user = mockUser("userId", "pName", "/acl");
        action.onCreate(user, "pw", this.root, NamePathMapper.DEFAULT);
    }
}
