package org.apache.jackrabbit.oak.security.authorization.permission;

import javax.annotation.Nullable;
import javax.jcr.Credentials;
import javax.jcr.NoSuchWorkspaceException;
import javax.jcr.SimpleCredentials;
import javax.jcr.security.AccessControlManager;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginException;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.oak.Oak;
import org.apache.jackrabbit.oak.api.ContentRepository;
import org.apache.jackrabbit.oak.api.ContentSession;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.plugins.document.DocumentMK;
import org.apache.jackrabbit.oak.plugins.document.DocumentNodeStore;
import org.apache.jackrabbit.oak.plugins.document.memory.MemoryDocumentStore;
import org.apache.jackrabbit.oak.plugins.identifier.IdentifierManagerTest;
import org.apache.jackrabbit.oak.plugins.index.property.PropertyIndexEditorProvider;
import org.apache.jackrabbit.oak.plugins.index.property.PropertyIndexProvider;
import org.apache.jackrabbit.oak.plugins.index.reference.ReferenceEditorProvider;
import org.apache.jackrabbit.oak.plugins.index.reference.ReferenceIndexProvider;
import org.apache.jackrabbit.oak.plugins.nodetype.TypeEditorProvider;
import org.apache.jackrabbit.oak.plugins.nodetype.write.InitialContent;
import org.apache.jackrabbit.oak.security.SecurityProviderImpl;
import org.apache.jackrabbit.oak.spi.blob.MemoryBlobStore;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import org.apache.jackrabbit.oak.spi.security.authentication.ConfigurationUtil;
import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
import org.apache.jackrabbit.oak.spi.security.user.UserConfiguration;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;

/* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/permission/ClusterPermissionsTest.class */
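/**
 * Checks that security-relevant content written through one cluster node takes effect on a
 * second cluster node that shares the same document and blob store.
 *
 * <p>Three things are covered: a newly created user, an access control list, and the effective
 * permissions evaluated for sessions logged in on the second node. The last case matters most
 * from an authorization point of view: a node that keeps evaluating stale permissions after an
 * ACL change on another node would grant or refuse access the policy no longer describes.
 *
 * <p>The fixture is an in-memory repository with fixed test credentials ({@code admin}/{@code
 * admin}, and test users whose password equals their id). These values exist only to drive the
 * test.
 *
 * <p>NOTE(review): only the "deny, then additionally allow" direction is exercised for sessions
 * that are already open. Propagation of a <em>revocation</em> to an open session on the other
 * node is not asserted here.
 */
public class ClusterPermissionsTest {
    private DocumentNodeStore ns1;
    private DocumentNodeStore ns2;
    private ContentRepository contentRepository1;
    private ContentRepository contentRepository2;
    private UserManager userManager1;
    private UserManager userManager2;
    private AccessControlManager aclMgr1;
    private AccessControlManager aclMgr2;
    protected NamePathMapper namePathMapper = NamePathMapper.DEFAULT;
    protected SecurityProvider securityProvider1;
    protected SecurityProvider securityProvider2;
    protected ContentSession adminSession1;
    protected ContentSession adminSession2;
    protected Root root1;
    protected Root root2;

    /**
     * Builds two node stores on top of one shared in-memory store, creates a repository with its
     * own security provider on each of them and logs in as admin on both.
     *
     * @throws Exception if repository setup or the admin login fails
     */
    @Before
    public void before() throws Exception {
        // One document store and one blob store back both node stores, so cluster ids 1 and 2
        // behave as two members of the same cluster.
        MemoryDocumentStore sharedDocumentStore = new MemoryDocumentStore();
        MemoryBlobStore sharedBlobStore = new MemoryBlobStore();
        this.ns1 = newNodeStore(sharedDocumentStore, sharedBlobStore, 1);
        this.ns2 = newNodeStore(sharedDocumentStore, sharedBlobStore, 2);

        Oak oak1 = newOak(this.ns1);
        SecurityProviderImpl provider1 = new SecurityProviderImpl(getSecurityConfigParameters());
        this.securityProvider1 = provider1;
        this.contentRepository1 = oak1.with(provider1).createContentRepository();
        this.adminSession1 = login1(getAdminCredentials());
        this.root1 = this.adminSession1.getLatestRoot();
        this.userManager1 = ((UserConfiguration) this.securityProvider1.getConfiguration(UserConfiguration.class))
                .getUserManager(this.root1, this.namePathMapper);
        this.aclMgr1 = ((AuthorizationConfiguration) this.securityProvider1.getConfiguration(AuthorizationConfiguration.class))
                .getAccessControlManager(this.root1, this.namePathMapper);

        // Publish what node 1 wrote while initialising before the second repository is created
        // on node 2.
        syncClusterNodes();

        Oak oak2 = newOak(this.ns2);
        SecurityProviderImpl provider2 = new SecurityProviderImpl(getSecurityConfigParameters());
        this.securityProvider2 = provider2;
        this.contentRepository2 = oak2.with(provider2).createContentRepository();
        this.adminSession2 = login2(getAdminCredentials());
        this.root2 = this.adminSession2.getLatestRoot();
        this.userManager2 = ((UserConfiguration) this.securityProvider2.getConfiguration(UserConfiguration.class))
                .getUserManager(this.root2, this.namePathMapper);
        this.aclMgr2 = ((AuthorizationConfiguration) this.securityProvider2.getConfiguration(AuthorizationConfiguration.class))
                .getAccessControlManager(this.root2, this.namePathMapper);
    }

    /**
     * Closes both admin sessions and disposes both node stores.
     *
     * <p>Every step is null-safe and runs even if an earlier one throws, so a failure in
     * {@link #before()} is not masked by a {@code NullPointerException} raised during teardown.
     */
    @After
    public void after() {
        try {
            closeQuietly(this.adminSession1);
            closeQuietly(this.adminSession2);
        } finally {
            try {
                if (this.ns1 != null) {
                    this.ns1.dispose();
                }
            } finally {
                if (this.ns2 != null) {
                    this.ns2.dispose();
                }
            }
        }
    }

    /**
     * Returns the parameters passed to both security providers; subclasses may override this to
     * run the same tests against a different security setup.
     *
     * @return the security configuration parameters, empty by default
     */
    protected ConfigurationParameters getSecurityConfigParameters() {
        return ConfigurationParameters.EMPTY;
    }

    /**
     * Returns the JAAS configuration derived from {@link #getSecurityConfigParameters()}.
     *
     * @return the default login configuration for the current parameters
     */
    protected Configuration getConfiguration() {
        return ConfigurationUtil.getDefaultConfiguration(getSecurityConfigParameters());
    }

    /**
     * Logs in to the repository running on the first cluster node, using its default workspace.
     *
     * @param credentials the credentials to log in with, may be {@code null}
     * @return the new content session; the caller is responsible for closing it
     * @throws LoginException if authentication fails
     * @throws NoSuchWorkspaceException if the default workspace cannot be resolved
     */
    protected ContentSession login1(@Nullable Credentials credentials) throws LoginException, NoSuchWorkspaceException {
        return this.contentRepository1.login(credentials, (String) null);
    }

    /**
     * Logs in to the repository running on the second cluster node, using its default workspace.
     *
     * @param credentials the credentials to log in with, may be {@code null}
     * @return the new content session; the caller is responsible for closing it
     * @throws LoginException if authentication fails
     * @throws NoSuchWorkspaceException if the default workspace cannot be resolved
     */
    protected ContentSession login2(@Nullable Credentials credentials) throws LoginException, NoSuchWorkspaceException {
        return this.contentRepository2.login(credentials, (String) null);
    }

    /**
     * Returns the credentials used for both admin sessions.
     *
     * @return fixed {@code admin}/{@code admin} credentials for the in-memory test repository
     */
    protected Credentials getAdminCredentials() {
        // Test fixture only: before() relies on the freshly initialised repository accepting
        // these values.
        return new SimpleCredentials("admin", "admin".toCharArray());
    }

    /**
     * A user created and committed on node 1 must be resolvable through the user manager of
     * node 2 once the cluster nodes have synchronised.
     */
    @Test
    public void testCreateUser() throws Exception {
        this.userManager1.createUser("testUser", "testUser");
        this.root1.commit();
        syncClusterNodes();
        this.root2.refresh();
        Assert.assertNotNull("testUser must exist on 2nd cluster node", this.userManager2.getAuthorizable("testUser"));
    }

    /**
     * An access control list set on node 1 must be readable, with its single entry, through the
     * access control manager of node 2.
     */
    @Test
    public void testAclPropagation() throws Exception {
        // NOTE(review): ID_ROOT is presumably the root path "/" (the ACL below targets
        // "/testNode"); confirm, and consider not depending on another test class for it.
        this.root1.getTree(IdentifierManagerTest.ID_ROOT).addChild("testNode").setProperty("jcr:primaryType", "nt:unstructured");
        User testUser = this.userManager1.createUser("testUser", "testUser");
        JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(this.aclMgr1, "/testNode");
        // Third argument of addEntry is the allow flag: true = allow entry.
        acl.addEntry(testUser.getPrincipal(), AccessControlUtils.privilegesFromNames(this.aclMgr1, new String[]{"jcr:all"}), true);
        this.aclMgr1.setPolicy("/testNode", acl);
        this.root1.commit();
        syncClusterNodes();
        this.root2.refresh();
        Assert.assertEquals(
                "ACL written on node 1 must expose exactly one entry on node 2",
                1L,
                AccessControlUtils.getAccessControlList(this.aclMgr2, "/testNode").getAccessControlEntries().length);
    }

    /**
     * Effective permissions must follow ACL changes made on the other cluster node.
     *
     * <p>Phase 1: on node 1 everyone is denied {@code jcr:all} on {@code /testNode} and testUser1
     * is allowed {@code jcr:read}. Sessions opened on node 2 must then see the node as testUser1
     * and must not see it as testUser2.
     *
     * <p>Phase 2: on node 1 everyone is additionally allowed {@code jcr:read}. The two sessions
     * opened on node 2 during phase 1 must now both see the node, which shows that permission
     * evaluation on node 2 is not served from state predating the change.
     */
    @Test
    public void testPermissionPropagation() throws Exception {
        // NOTE(review): ID_ROOT is presumably the root path "/"; confirm.
        this.root1.getTree(IdentifierManagerTest.ID_ROOT).addChild("testNode").setProperty("jcr:primaryType", "nt:unstructured");
        User testUser1 = this.userManager1.createUser("testUser1", "testUser1");
        this.userManager1.createUser("testUser2", "testUser2");

        JackrabbitAccessControlList restrictive = AccessControlUtils.getAccessControlList(this.aclMgr1, "/testNode");
        // allow flag false = deny entry for everyone, followed by an allow entry for testUser1.
        restrictive.addEntry(EveryonePrincipal.getInstance(), AccessControlUtils.privilegesFromNames(this.aclMgr1, new String[]{"jcr:all"}), false);
        restrictive.addEntry(testUser1.getPrincipal(), AccessControlUtils.privilegesFromNames(this.aclMgr1, new String[]{"jcr:read"}), true);
        this.aclMgr1.setPolicy("/testNode", restrictive);
        this.root1.commit();
        syncClusterNodes();
        this.root2.refresh();

        // The user sessions are opened on node 2 and deliberately kept open across the second
        // ACL change; they are closed in the finally blocks so no login leaks out of the test.
        ContentSession user1Session = this.contentRepository2.login(new SimpleCredentials("testUser1", "testUser1".toCharArray()), (String) null);
        try {
            ContentSession user2Session = this.contentRepository2.login(new SimpleCredentials("testUser2", "testUser2".toCharArray()), (String) null);
            try {
                Assert.assertTrue(
                        "testUser1 was granted jcr:read and must see /testNode on node 2",
                        user1Session.getLatestRoot().getTree("/testNode").exists());
                Assert.assertFalse(
                        "testUser2 is only covered by the deny entry and must not see /testNode on node 2",
                        user2Session.getLatestRoot().getTree("/testNode").exists());

                JackrabbitAccessControlList relaxed = AccessControlUtils.getAccessControlList(this.aclMgr1, "/testNode");
                relaxed.addEntry(EveryonePrincipal.getInstance(), AccessControlUtils.privilegesFromNames(this.aclMgr1, new String[]{"jcr:read"}), true);
                this.aclMgr1.setPolicy("/testNode", relaxed);
                this.root1.commit();
                syncClusterNodes();
                this.root2.refresh();

                Assert.assertTrue(
                        "testUser1 must still see /testNode after the ACL change",
                        user1Session.getLatestRoot().getTree("/testNode").exists());
                Assert.assertTrue(
                        "testUser2 must see /testNode once everyone is allowed jcr:read",
                        user2Session.getLatestRoot().getTree("/testNode").exists());
            } finally {
                user2Session.close();
            }
        } finally {
            user1Session.close();
        }
    }

    /** Runs the background operations of node 1 and then node 2 so pending changes are exchanged. */
    private void syncClusterNodes() {
        this.ns1.runBackgroundOperations();
        this.ns2.runBackgroundOperations();
    }

    /** Creates a node store with the given cluster id on the shared stores, with no async delay. */
    private static DocumentNodeStore newNodeStore(MemoryDocumentStore documentStore, MemoryBlobStore blobStore, int clusterId) {
        DocumentMK.Builder builder = new DocumentMK.Builder();
        builder.setDocumentStore(documentStore).setBlobStore(blobStore).setAsyncDelay(0);
        return builder.setClusterId(clusterId).getNodeStore();
    }

    /** Assembles the Oak instance (initial content, index and type editors) used on each node. */
    private static Oak newOak(DocumentNodeStore nodeStore) {
        return new Oak(nodeStore)
                .with(new InitialContent())
                .with(new ReferenceEditorProvider())
                .with(new ReferenceIndexProvider())
                .with(new PropertyIndexEditorProvider())
                .with(new PropertyIndexProvider())
                .with(new TypeEditorProvider());
    }

    /** Closes a session during teardown; a failing close must not prevent node store disposal. */
    private static void closeQuietly(@Nullable ContentSession session) {
        if (session == null) {
            return;
        }
        try {
            session.close();
        } catch (java.io.IOException ignored) {
            // Best effort: the repository is discarded right afterwards.
        }
    }
}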
