package org.apache.jackrabbit.oak.security.authorization.permission;

import com.google.common.collect.ImmutableSet;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import javax.jcr.RepositoryException;
import javax.jcr.security.AccessControlEntry;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.oak.api.ContentSession;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.plugins.identifier.IdentifierManagerTest;
import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlTest;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBitsProvider;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
import org.apache.jackrabbit.oak.util.NodeUtil;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;

/* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/permission/PermissionHookTest.class */
public class PermissionHookTest extends AbstractAccessControlTest implements AccessControlConstants, PermissionConstants, PrivilegeConstants {
    protected String testPrincipalName;
    protected PrivilegeBitsProvider bitsProvider;
    protected String testPath = "/testPath";
    protected String childPath = "/testPath/childNode";
    protected List<Principal> principals = new ArrayList();

    @Override // org.apache.jackrabbit.oak.AbstractSecurityTest
    @Before
    public void before() throws Exception {
        super.before();
        Principal testPrincipal = getTestPrincipal();
        new NodeUtil(this.root.getTree(IdentifierManagerTest.ID_ROOT), this.namePathMapper).addChild("testPath", "nt:unstructured").addChild("childNode", "nt:unstructured");
        JackrabbitAccessControlManager accessControlManager = getAccessControlManager(this.root);
        JackrabbitAccessControlList accessControlList = AccessControlUtils.getAccessControlList(accessControlManager, this.testPath);
        accessControlList.addAccessControlEntry(testPrincipal, privilegesFromNames("jcr:addChildNodes"));
        accessControlList.addAccessControlEntry(EveryonePrincipal.getInstance(), privilegesFromNames("jcr:read"));
        accessControlManager.setPolicy(this.testPath, accessControlList);
        this.root.commit();
        this.testPrincipalName = testPrincipal.getName();
        this.bitsProvider = new PrivilegeBitsProvider(this.root);
    }

    @Override // org.apache.jackrabbit.oak.AbstractSecurityTest
    @After
    public void after() throws Exception {
        try {
            this.root.refresh();
            Tree tree = this.root.getTree(this.testPath);
            if (tree.exists()) {
                tree.remove();
            }
            Iterator<Principal> it = this.principals.iterator();
            while (it.hasNext()) {
                getUserManager(this.root).getAuthorizable(it.next()).remove();
            }
            this.root.commit();
            super.after();
        } catch (Throwable th) {
            super.after();
            throw th;
        }
    }

    protected Tree getPrincipalRoot(String str) {
        return this.root.getTree("/jcr:system/rep:permissionStore").getChild(this.adminSession.getWorkspaceName()).getChild(str);
    }

    protected Tree getEntry(String str, String str2, long j) throws Exception {
        Tree child = getPrincipalRoot(str).getChild(PermissionUtil.getEntryName(str2)).getChild(String.valueOf(j));
        if (child.exists()) {
            return child;
        }
        throw new RepositoryException("no such entry");
    }

    protected long cntEntries(Tree tree) {
        long childrenCount = tree.getChildrenCount(Long.MAX_VALUE);
        Iterator it = tree.getChildren().iterator();
        while (it.hasNext()) {
            childrenCount += cntEntries((Tree) it.next());
        }
        return childrenCount;
    }

    protected void createPrincipals() throws Exception {
        if (this.principals.isEmpty()) {
            for (int i = 0; i < 10; i++) {
                this.principals.add(getUserManager(this.root).createGroup("testGroup" + i).getPrincipal());
            }
            this.root.commit();
        }
    }

    protected static void assertIndex(int i, Tree tree) {
        Assert.assertEquals(i, Integer.parseInt(tree.getName()));
    }

    @Test
    public void testModifyRestrictions() throws Exception {
        Tree tree = (Tree) this.root.getTree(this.testPath + "/rep:policy").getChildren().iterator().next();
        Assert.assertEquals(this.testPrincipalName, tree.getProperty("rep:principalName").getValue(Type.STRING));
        NodeUtil addChild = new NodeUtil(tree).addChild("rep:restrictions", "rep:Restrictions");
        addChild.setString("rep:glob", "*");
        String path = addChild.getTree().getPath();
        this.root.commit();
        Tree principalRoot = getPrincipalRoot(this.testPrincipalName);
        Assert.assertEquals(2L, cntEntries(principalRoot));
        Assert.assertEquals("*", ((Tree) ((Tree) principalRoot.getChildren().iterator().next()).getChildren().iterator().next()).getProperty("rep:glob").getValue(Type.STRING));
        this.root.getTree(path).setProperty("rep:glob", "/*/jcr:content/*");
        this.root.commit();
        Tree principalRoot2 = getPrincipalRoot(this.testPrincipalName);
        Assert.assertEquals(2L, cntEntries(principalRoot2));
        Assert.assertEquals("/*/jcr:content/*", ((Tree) ((Tree) principalRoot2.getChildren().iterator().next()).getChildren().iterator().next()).getProperty("rep:glob").getValue(Type.STRING));
        this.root.getTree(path).remove();
        this.root.commit();
        Tree principalRoot3 = getPrincipalRoot(this.testPrincipalName);
        Assert.assertEquals(2L, cntEntries(principalRoot3));
        Assert.assertNull(((Tree) ((Tree) principalRoot3.getChildren().iterator().next()).getChildren().iterator().next()).getProperty("rep:glob"));
    }

    @Test
    public void testReorderAce() throws Exception {
        assertIndex(0, getEntry(this.testPrincipalName, this.testPath, 0L));
        ((Tree) this.root.getTree(this.testPath + "/rep:policy").getChildren().iterator().next()).orderBefore((String) null);
        this.root.commit();
        assertIndex(1, getEntry(this.testPrincipalName, this.testPath, 1L));
    }

    @Test
    public void testReorderAndAddAce() throws Exception {
        assertIndex(0, getEntry(this.testPrincipalName, this.testPath, 0L));
        Tree tree = this.root.getTree(this.testPath + "/rep:policy");
        ((Tree) tree.getChildren().iterator().next()).orderBefore((String) null);
        NodeUtil addChild = new NodeUtil(tree).addChild("denyEveryoneLockMgt", "rep:DenyACE");
        addChild.setString("rep:principalName", "everyone");
        addChild.setStrings("rep:privileges", new String[]{"jcr:lockManagement"});
        this.root.commit();
        assertIndex(1, getEntry(this.testPrincipalName, this.testPath, 1L));
    }

    @Test
    public void testReorderAddAndRemoveAces() throws Exception {
        assertIndex(0, getEntry(this.testPrincipalName, this.testPath, 0L));
        Tree tree = this.root.getTree(this.testPath + "/rep:policy");
        ((Tree) tree.getChildren().iterator().next()).orderBefore((String) null);
        Iterator it = tree.getChildren().iterator();
        ((Tree) it.next()).remove();
        String name = ((Tree) it.next()).getName();
        NodeUtil addChild = new NodeUtil(tree).addChild("denyEveryoneLockMgt", "rep:DenyACE");
        addChild.setString("rep:principalName", "everyone");
        addChild.setStrings("rep:privileges", new String[]{"jcr:lockManagement"});
        addChild.getTree().orderBefore(name);
        this.root.commit();
        assertIndex(1, getEntry(this.testPrincipalName, this.testPath, 1L));
    }

    @Test
    public void testReorderAddAndRemoveAces2() throws Exception {
        createPrincipals();
        JackrabbitAccessControlManager accessControlManager = getAccessControlManager(this.root);
        JackrabbitAccessControlList accessControlList = AccessControlUtils.getAccessControlList(accessControlManager, this.testPath);
        for (int i = 0; i < 4; i++) {
            accessControlList.addAccessControlEntry(this.principals.get(i), privilegesFromNames("jcr:read"));
        }
        accessControlManager.setPolicy(this.testPath, accessControlList);
        this.root.commit();
        AccessControlEntry[] accessControlEntries = accessControlList.getAccessControlEntries();
        accessControlList.removeAccessControlEntry(accessControlEntries[0]);
        accessControlList.removeAccessControlEntry(accessControlEntries[2]);
        accessControlList.orderBefore(accessControlEntries[4], accessControlEntries[3]);
        accessControlList.addAccessControlEntry(this.principals.get(4), privilegesFromNames("jcr:read"));
        accessControlList.addAccessControlEntry(this.principals.get(5), privilegesFromNames("jcr:read"));
        accessControlManager.setPolicy(this.testPath, accessControlList);
        this.root.commit();
        assertIndex(1, getEntry(this.principals.get(2).getName(), this.testPath, 1L));
        assertIndex(2, getEntry(this.principals.get(1).getName(), this.testPath, 2L));
    }

    @Test
    public void testReorderAndRemoveAces() throws Exception {
        createPrincipals();
        JackrabbitAccessControlManager accessControlManager = getAccessControlManager(this.root);
        JackrabbitAccessControlList accessControlList = AccessControlUtils.getAccessControlList(accessControlManager, this.testPath);
        for (int i = 0; i < 4; i++) {
            accessControlList.addAccessControlEntry(this.principals.get(i), privilegesFromNames("jcr:read"));
        }
        accessControlManager.setPolicy(this.testPath, accessControlList);
        this.root.commit();
        AccessControlEntry[] accessControlEntries = accessControlList.getAccessControlEntries();
        accessControlList.removeAccessControlEntry(accessControlEntries[0]);
        accessControlList.removeAccessControlEntry(accessControlEntries[2]);
        accessControlList.orderBefore(accessControlEntries[4], (AccessControlEntry) null);
        accessControlList.orderBefore(accessControlEntries[3], accessControlEntries[1]);
        accessControlManager.setPolicy(this.testPath, accessControlList);
        this.root.commit();
        assertIndex(1, getEntry("everyone", this.testPath, 1L));
        assertIndex(3, getEntry(this.principals.get(2).getName(), this.testPath, 3L));
        for (String str : new String[]{this.testPrincipalName, this.principals.get(0).getName()}) {
            try {
                getEntry(str, this.testPath, 0L);
                Assert.fail();
            } catch (RepositoryException e) {
            }
        }
    }

    @Test
    public void testImplicitAceRemoval() throws Exception {
        JackrabbitAccessControlManager accessControlManager = getAccessControlManager(this.root);
        JackrabbitAccessControlList accessControlList = AccessControlUtils.getAccessControlList(accessControlManager, this.testPath);
        accessControlList.addAccessControlEntry(getTestPrincipal(), privilegesFromNames("jcr:read", "rep:write"));
        accessControlManager.setPolicy(this.testPath, accessControlList);
        JackrabbitAccessControlList accessControlList2 = AccessControlUtils.getAccessControlList(accessControlManager, this.childPath);
        accessControlList2.addAccessControlEntry(EveryonePrincipal.getInstance(), privilegesFromNames("jcr:read"));
        accessControlManager.setPolicy(this.childPath, accessControlList2);
        this.root.commit();
        Assert.assertTrue(this.root.getTree(this.childPath + "/rep:policy").exists());
        Assert.assertEquals(4L, cntEntries(getPrincipalRoot("everyone")));
        ContentSession createTestSession = createTestSession();
        Root latestRoot = createTestSession.getLatestRoot();
        Assert.assertTrue(latestRoot.getTree(this.childPath).exists());
        Assert.assertFalse(latestRoot.getTree(this.childPath + "/rep:policy").exists());
        latestRoot.getTree(this.childPath).remove();
        latestRoot.commit();
        createTestSession.close();
        this.root.refresh();
        Assert.assertFalse(this.root.getTree(this.testPath).hasChild("childNode"));
        Assert.assertFalse(this.root.getTree(this.childPath + "/rep:policy").exists());
        Assert.assertEquals(2L, cntEntries(getPrincipalRoot("everyone")));
    }

    @Test
    public void testDynamicJcrAll() throws Exception {
        JackrabbitAccessControlManager accessControlManager = getAccessControlManager(this.root);
        JackrabbitAccessControlList accessControlList = AccessControlUtils.getAccessControlList(accessControlManager, this.childPath);
        accessControlList.addAccessControlEntry(EveryonePrincipal.getInstance(), privilegesFromNames("jcr:all"));
        accessControlManager.setPolicy(this.childPath, accessControlList);
        this.root.commit();
        Tree entry = getEntry("everyone", this.childPath, 0L);
        Assert.assertTrue(entry.exists());
        PropertyState property = entry.getProperty("rep:privileges");
        Assert.assertEquals(1L, property.count());
        Assert.assertEquals(-1L, ((Long) property.getValue(Type.LONG, 0)).longValue());
        PermissionProvider permissionProvider = ((AuthorizationConfiguration) getConfig(AuthorizationConfiguration.class)).getPermissionProvider(this.root, this.root.getContentSession().getWorkspaceName(), ImmutableSet.of(EveryonePrincipal.getInstance()));
        Tree tree = this.root.getTree(this.childPath);
        Assert.assertTrue(permissionProvider.hasPrivileges(tree, new String[]{"jcr:all"}));
        Assert.assertTrue(permissionProvider.getPrivileges(tree).contains("jcr:all"));
        long diff = Permissions.diff(2097151L, 96L);
        Assert.assertFalse(permissionProvider.isGranted(tree, (PropertyState) null, 64L));
        Assert.assertFalse(permissionProvider.isGranted(tree, (PropertyState) null, 32L));
        Assert.assertTrue(permissionProvider.isGranted(tree, (PropertyState) null, diff));
        JackrabbitAccessControlList accessControlList2 = AccessControlUtils.getAccessControlList(accessControlManager, this.childPath);
        for (AccessControlEntry accessControlEntry : accessControlList2.getAccessControlEntries()) {
            if ("everyone".equals(accessControlEntry.getPrincipal().getName())) {
                accessControlList2.removeAccessControlEntry(accessControlEntry);
            }
        }
        accessControlManager.setPolicy(this.childPath, accessControlList2);
        this.root.commit();
        Tree child = getPrincipalRoot("everyone").getChild(PermissionUtil.getEntryName(this.childPath));
        if (child.exists()) {
            Assert.assertFalse(child.getChild("0").exists());
        }
    }
}
