package org.apache.jackrabbit.oak.security.authorization.accesscontrol;

import java.security.Principal;
import javax.jcr.AccessDeniedException;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.plugins.identifier.IdentifierManagerTest;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlTest;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
import org.apache.jackrabbit.oak.util.NodeUtil;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;

/* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlValidatorTest.class */
public class AccessControlValidatorTest extends AbstractAccessControlTest implements AccessControlConstants {
    private final String testName = "testRoot";
    private final String testPath = "/testRoot";
    private final String aceName = "validAce";
    private Principal testPrincipal;

    @Override // org.apache.jackrabbit.oak.AbstractSecurityTest
    @Before
    public void before() throws Exception {
        super.before();
        new NodeUtil(this.root.getTree(IdentifierManagerTest.ID_ROOT), getNamePathMapper()).addChild("testRoot", "nt:unstructured");
        this.root.commit();
        this.testPrincipal = getTestPrincipal();
    }

    @Override // org.apache.jackrabbit.oak.AbstractSecurityTest
    @After
    public void after() throws Exception {
        try {
            Tree tree = this.root.getTree("/testRoot");
            if (tree.exists()) {
                tree.remove();
                this.root.commit();
            }
        } finally {
            super.after();
        }
    }

    private NodeUtil getTestRoot() {
        return new NodeUtil(this.root.getTree("/testRoot"));
    }

    private NodeUtil createAcl() throws AccessDeniedException {
        NodeUtil testRoot = getTestRoot();
        testRoot.setNames("jcr:mixinTypes", new String[]{"rep:AccessControllable"});
        NodeUtil addChild = testRoot.addChild("rep:policy", "rep:ACL");
        createACE(addChild, "validAce", "rep:GrantACE", this.testPrincipal.getName(), "jcr:read").addChild("rep:restrictions", "rep:Restrictions");
        return addChild;
    }

    private static NodeUtil createACE(NodeUtil nodeUtil, String str, String str2, String str3, String... strArr) throws AccessDeniedException {
        NodeUtil addChild = nodeUtil.addChild(str, str2);
        addChild.setString("rep:principalName", str3);
        addChild.setNames("rep:privileges", strArr);
        return addChild;
    }

    @Test
    public void testPolicyWithOutChildOrder() throws AccessDeniedException {
        NodeUtil testRoot = getTestRoot();
        testRoot.setNames("jcr:mixinTypes", new String[]{"rep:AccessControllable"});
        testRoot.addChild("rep:policy", "rep:ACL");
        try {
            this.root.commit();
            Assert.fail("Policy node with child node ordering");
        } catch (CommitFailedException e) {
            Assert.assertTrue(e.isAccessControlViolation());
            Assert.assertEquals("OakAccessControl0004: Invalid policy node: Order of children is not stable.", e.getMessage());
        }
    }

    @Test
    public void testOnlyRootIsRepoAccessControllable() {
        getTestRoot().setNames("jcr:mixinTypes", new String[]{"rep:RepoAccessControllable"});
        try {
            this.root.commit();
            Assert.fail("Only the root node can be made RepoAccessControllable.");
        } catch (CommitFailedException e) {
            Assert.assertTrue(e.isAccessControlViolation());
        }
    }

    @Test
    public void testAddInvalidRepoPolicy() throws Exception {
        getTestRoot().setNames("jcr:mixinTypes", new String[]{"rep:AccessControllable"});
        NodeUtil addChild = getTestRoot().addChild("rep:repoPolicy", "rep:ACL");
        try {
            try {
                this.root.commit();
                Assert.fail("Attempt to add repo-policy with rep:AccessControllable node.");
                addChild.getTree().remove();
            } catch (CommitFailedException e) {
                Assert.assertTrue(e.isAccessControlViolation());
                addChild.getTree().remove();
            }
        } catch (Throwable th) {
            addChild.getTree().remove();
            throw th;
        }
    }

    @Test
    public void testAddPolicyWithAcContent() throws Exception {
        NodeUtil createAcl = createAcl();
        NodeUtil child = createAcl.getChild("validAce");
        for (NodeUtil nodeUtil : new NodeUtil[]{createAcl, child, child.getChild("rep:restrictions")}) {
            NodeUtil addChild = nodeUtil.addChild("rep:policy", "rep:ACL");
            try {
                try {
                    this.root.commit();
                    Assert.fail("Adding an ACL below access control content should fail");
                    addChild.getTree().remove();
                } catch (CommitFailedException e) {
                    Assert.assertTrue(e.isConstraintViolation());
                    addChild.getTree().remove();
                }
            } catch (Throwable th) {
                addChild.getTree().remove();
                throw th;
            }
        }
    }

    @Test
    public void testAddRepoPolicyWithAcContent() throws Exception {
        NodeUtil createAcl = createAcl();
        NodeUtil child = createAcl.getChild("validAce");
        for (NodeUtil nodeUtil : new NodeUtil[]{createAcl, child, child.getChild("rep:restrictions")}) {
            NodeUtil addChild = nodeUtil.addChild("rep:repoPolicy", "rep:ACL");
            try {
                try {
                    this.root.commit();
                    Assert.fail("Adding an ACL below access control content should fail");
                    addChild.getTree().remove();
                } catch (CommitFailedException e) {
                    Assert.assertTrue(e.isConstraintViolation());
                    addChild.getTree().remove();
                }
            } catch (Throwable th) {
                addChild.getTree().remove();
                throw th;
            }
        }
    }

    @Test
    public void testAddAceWithAcContent() throws Exception {
        NodeUtil child = createAcl().getChild("validAce");
        for (NodeUtil nodeUtil : new NodeUtil[]{child, child.getChild("rep:restrictions")}) {
            NodeUtil addChild = nodeUtil.addChild("invalidACE", "rep:DenyACE");
            try {
                try {
                    this.root.commit();
                    Assert.fail("Adding an ACE below an ACE or restriction should fail");
                    addChild.getTree().remove();
                } catch (CommitFailedException e) {
                    Assert.assertTrue(e.isConstraintViolation());
                    addChild.getTree().remove();
                }
            } catch (Throwable th) {
                addChild.getTree().remove();
                throw th;
            }
        }
    }

    @Test
    public void testAddRestrictionWithAcContent() throws Exception {
        NodeUtil createAcl = createAcl();
        for (NodeUtil nodeUtil : new NodeUtil[]{createAcl, createAcl.getChild("validAce").getChild("rep:restrictions")}) {
            NodeUtil addChild = nodeUtil.addChild("invalidRestriction", "rep:Restrictions");
            try {
                try {
                    this.root.commit();
                    Assert.fail("Adding an ACE below an ACE or restriction should fail");
                    addChild.getTree().remove();
                } catch (CommitFailedException e) {
                    Assert.assertTrue(e.isConstraintViolation());
                    addChild.getTree().remove();
                }
            } catch (Throwable th) {
                addChild.getTree().remove();
                throw th;
            }
        }
    }

    @Test
    public void testAddIsolatedPolicy() throws Exception {
        NodeUtil testRoot = getTestRoot();
        for (String str : new String[]{"isolatedACL", "rep:policy", "rep:repoPolicy"}) {
            NodeUtil addChild = testRoot.addChild(str, "rep:ACL");
            try {
                try {
                    this.root.commit();
                    Assert.fail("Writing an isolated ACL without the parent being rep:AccessControllable should fail.");
                    addChild.getTree().remove();
                } catch (CommitFailedException e) {
                    Assert.assertTrue(e.isAccessControlViolation());
                    addChild.getTree().remove();
                }
            } catch (Throwable th) {
                addChild.getTree().remove();
                throw th;
            }
        }
    }

    @Test
    public void testAddIsolatedAce() throws Exception {
        NodeUtil testRoot = getTestRoot();
        for (String str : new String[]{"rep:DenyACE", "rep:GrantACE"}) {
            NodeUtil createACE = createACE(testRoot, "isolatedACE", str, this.testPrincipal.getName(), "jcr:read");
            try {
                try {
                    this.root.commit();
                    Assert.fail("Writing an isolated ACE should fail.");
                    createACE.getTree().remove();
                } catch (CommitFailedException e) {
                    Assert.assertTrue(e.isAccessControlViolation());
                    createACE.getTree().remove();
                }
            } catch (Throwable th) {
                createACE.getTree().remove();
                throw th;
            }
        }
    }

    @Test
    public void testAddIsolatedRestriction() throws Exception {
        NodeUtil addChild = getTestRoot().addChild("isolatedRestriction", "rep:Restrictions");
        try {
            try {
                this.root.commit();
                Assert.fail("Writing an isolated Restriction should fail.");
                addChild.getTree().remove();
            } catch (CommitFailedException e) {
                Assert.assertTrue(e.isAccessControlViolation());
                addChild.getTree().remove();
            }
        } catch (Throwable th) {
            addChild.getTree().remove();
            throw th;
        }
    }

    @Test
    public void testInvalidPrivilege() throws Exception {
        createACE(createAcl(), IdentifierManagerTest.ID_INVALID, "rep:GrantACE", this.testPrincipal.getName(), "invalidPrivilegeName");
        try {
            this.root.commit();
            Assert.fail("Creating an ACE with invalid privilege should fail.");
        } catch (CommitFailedException e) {
            Assert.assertTrue(e.isAccessControlViolation());
        }
    }

    @Test
    public void testAbstractPrivilege() throws Exception {
        getPrivilegeManager(this.root).registerPrivilege("abstractPrivilege", true, new String[0]);
        createACE(createAcl(), IdentifierManagerTest.ID_INVALID, "rep:GrantACE", this.testPrincipal.getName(), "abstractPrivilege");
        try {
            this.root.commit();
            Assert.fail("Creating an ACE with an abstract privilege should fail.");
        } catch (CommitFailedException e) {
            Assert.assertTrue(e.isAccessControlViolation());
        }
    }

    @Test
    public void testInvalidRestriction() throws Exception {
        createAcl().getChild("validAce").getChild("rep:restrictions").setString(IdentifierManagerTest.ID_INVALID, "value");
        try {
            this.root.commit();
            Assert.fail("Creating an unsupported restriction should fail.");
        } catch (CommitFailedException e) {
            Assert.assertTrue(e.isAccessControlViolation());
        }
    }

    @Test
    public void testRestrictionWithInvalidType() throws Exception {
        createAcl().getChild("validAce").getChild("rep:restrictions").setName("rep:glob", "rep:glob");
        try {
            this.root.commit();
            Assert.fail("Creating restriction with invalid type should fail.");
        } catch (CommitFailedException e) {
            Assert.assertTrue(e.isAccessControlViolation());
        }
    }

    @Test
    public void testDuplicateAce() throws Exception {
        JackrabbitAccessControlManager accessControlManager = getAccessControlManager(this.root);
        JackrabbitAccessControlList accessControlList = AccessControlUtils.getAccessControlList(accessControlManager, "/testRoot");
        accessControlList.addAccessControlEntry(this.testPrincipal, privilegesFromNames("jcr:addChildNodes"));
        accessControlManager.setPolicy("/testRoot", accessControlList);
        NodeUtil addChild = new NodeUtil(this.root.getTree("/testRoot/rep:policy")).addChild("duplicateAce", "rep:GrantACE");
        addChild.setString("rep:principalName", this.testPrincipal.getName());
        addChild.setStrings("rep:privileges", new String[]{"jcr:addChildNodes"});
        try {
            this.root.commit();
            Assert.fail("Creating duplicate ACE must be detected");
        } catch (CommitFailedException e) {
            Assert.assertTrue(e.isAccessControlViolation());
        }
    }
}
