package org.apache.jackrabbit.oak.security.authentication.token;

import java.util.Collections;
import java.util.Date;
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.plugins.identifier.IdentifierManagerTest;
import org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlManagerImplTest;
import org.apache.jackrabbit.oak.spi.security.authentication.token.TokenInfo;
import org.apache.jackrabbit.oak.spi.security.user.util.PasswordUtil;
import org.apache.jackrabbit.oak.util.NodeUtil;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;

/* loaded from: input_file:org/apache/jackrabbit/oak/security/authentication/token/TokenValidatorTest.class */
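/**
 * Exercises commit-time validation of login-token content.
 *
 * <p>Each test writes token-related items (the {@code rep:token.key} and
 * {@code rep:token.exp} properties, {@code rep:Token} nodes, the {@code .tokens}
 * parent) and checks whether the commit is accepted or rejected with a specific
 * {@link CommitFailedException} code. The numeric codes are asserted exactly as
 * the validator reports them; their meaning is described by the accompanying
 * failure messages.
 *
 * <p>Two commit flavours are used: a plain {@code root.commit()} and
 * {@code root.commit(CommitMarker.asCommitAttributes())}. The expectations below
 * suggest that the marker identifies commits issued by the token provider, and
 * that writes without it are treated as manual edits; confirm against the
 * validator.
 *
 * <p>NOTE(review): {@code IdentifierManagerTest.ID_ROOT},
 * {@code IdentifierManagerTest.ID_INVALID} and
 * {@code AccessControlManagerImplTest.TEST_LOCAL_PREFIX} are constants from
 * unrelated test classes. They look like decompiler substitutions for plain
 * literals; confirm the values and inline them to drop the cross-test coupling.
 */
public class TokenValidatorTest extends AbstractTokenTest {
    private String userId;

    @Override
    @Before
    public void before() throws Exception {
        super.before();
        this.userId = getTestUser().getID();
    }

    /** Returns the tree at the path of the test user's authorizable. */
    private Tree userHomeTree() throws Exception {
        return this.root.getTree(getUserManager(this.root).getAuthorizable(this.userId).getPath());
    }

    /** Creates a token for the test user through the token provider, without extra attributes. */
    private TokenInfo newTokenForTestUser() throws Exception {
        return this.tokenProvider.createToken(this.userId, Collections.emptyMap());
    }

    /**
     * Setting {@code rep:token.key} on an {@code nt:unstructured} node must be
     * rejected with code 60, even when the commit carries the marker attributes.
     */
    @Test
    public void testCreateReservedKeyProperty() throws Exception {
        NodeUtil node = new NodeUtil(this.root.getTree(IdentifierManagerTest.ID_ROOT)).addChild("testNode", "nt:unstructured");
        try {
            node.setString("rep:token.key", "anyValue");
            this.root.commit(CommitMarker.asCommitAttributes());
            Assert.fail("The reserved token key property must not used with other node types.");
        } catch (CommitFailedException e) {
            Assert.assertEquals(60, e.getCode());
        } finally {
            // Always drop the scratch node so a failed assertion does not leak content into later tests.
            node.getTree().remove();
            this.root.commit();
        }
    }

    /**
     * The same write as {@link #testCreateReservedKeyProperty()} but committed
     * without the marker attributes must be rejected with code 63.
     */
    @Test
    public void testCreateReservedKeyProperty2() throws Exception {
        NodeUtil node = new NodeUtil(this.root.getTree(IdentifierManagerTest.ID_ROOT)).addChild("testNode", "nt:unstructured");
        try {
            node.setString("rep:token.key", "anyValue");
            this.root.commit();
            Assert.fail("The reserved token key property must only be created by the TokenProvider.");
        } catch (CommitFailedException e) {
            Assert.assertEquals(63, e.getCode());
        } finally {
            node.getTree().remove();
            this.root.commit();
        }
    }

    /**
     * Overwriting the key of an existing token with a different hashed value must
     * be rejected with code 61, even when the commit carries the marker attributes.
     * The replacement is hashed, so the plaintext check is not what rejects it.
     */
    @Test
    public void testChangingTokenKey() throws Exception {
        try {
            NodeUtil tokenNode = new NodeUtil(getTokenTree(newTokenForTestUser()));
            tokenNode.setString("rep:token.key", PasswordUtil.buildPasswordHash("anotherValue"));
            this.root.commit(CommitMarker.asCommitAttributes());
            Assert.fail("The token key must never be modified.");
        } catch (CommitFailedException e) {
            Assert.assertEquals(61, e.getCode());
        }
    }

    /**
     * Writing an unhashed value into {@code rep:token.key} must be rejected with
     * code 66. An unhashed key would be usable as a login token by anyone able to
     * read the node.
     */
    @Test
    public void testPlaintextTokenKey() throws Exception {
        try {
            NodeUtil tokenNode = new NodeUtil(getTokenTree(newTokenForTestUser()));
            tokenNode.setString("rep:token.key", "anotherValue");
            this.root.commit(CommitMarker.asCommitAttributes());
            Assert.fail("The token key must not be plaintext.");
        } catch (CommitFailedException e) {
            Assert.assertEquals(66, e.getCode());
        }
    }

    /**
     * Changing {@code rep:token.exp} in a commit without the marker attributes
     * must be rejected with code 63.
     */
    @Test
    public void testManuallyModifyExpirationDate() throws Exception {
        try {
            NodeUtil tokenNode = new NodeUtil(getTokenTree(newTokenForTestUser()));
            tokenNode.setDate("rep:token.exp", new Date().getTime());
            this.root.commit();
            Assert.fail("The token expiry must not manually be changed");
        } catch (CommitFailedException e) {
            Assert.assertEquals(63, e.getCode());
        }
    }

    /**
     * Changing {@code rep:token.exp} in a commit that carries the marker
     * attributes must succeed; the test passes when no exception is thrown.
     *
     * <p>NOTE(review): the only difference from
     * {@link #testManuallyModifyExpirationDate()} is the commit attributes, so
     * whatever can obtain {@code CommitMarker} can extend a token's lifetime.
     * Confirm that its visibility is limited to the token provider.
     */
    @Test
    public void testModifyExpirationDate() throws Exception {
        NodeUtil tokenNode = new NodeUtil(getTokenTree(newTokenForTestUser()));
        tokenNode.setDate("rep:token.exp", new Date().getTime());
        this.root.commit(CommitMarker.asCommitAttributes());
    }

    /**
     * Re-creating a token as a {@code rep:Token} node under a scratch node below
     * {@code IdentifierManagerTest.ID_ROOT} must be rejected with code 64.
     */
    @Test
    public void testCreateTokenAtInvalidLocationBelowTestNode() throws Exception {
        TokenInfo info = newTokenForTestUser();
        Tree tokenTree = getTokenTree(info);
        Assert.assertNotNull(this.tokenProvider.getTokenInfo(info.getToken()));
        NodeUtil node = new NodeUtil(this.root.getTree(IdentifierManagerTest.ID_ROOT)).addChild("testNode", "nt:unstructured");
        try {
            createTokenTree(info, node, "rep:Token");
            tokenTree.remove();
            this.root.commit(CommitMarker.asCommitAttributes());
            Assert.fail("Creating a new token not  at '/testNode' must fail.");
        } catch (CommitFailedException e) {
            Assert.assertEquals(64, e.getCode());
        } finally {
            node.getTree().remove();
            this.root.commit(CommitMarker.asCommitAttributes());
        }
    }

    /**
     * Re-creating a token under an arbitrary child of the user node (not the
     * {@code .tokens} parent) must be rejected with code 65.
     */
    @Test
    public void testCreateTokenAtInvalidLocationInsideUser() throws Exception {
        TokenInfo info = newTokenForTestUser();
        Tree tokenTree = getTokenTree(info);
        Assert.assertNotNull(this.tokenProvider.getTokenInfo(info.getToken()));
        NodeUtil node = new NodeUtil(userHomeTree()).addChild("testNode", "nt:unstructured");
        try {
            createTokenTree(info, node, "rep:Token");
            tokenTree.remove();
            this.root.commit(CommitMarker.asCommitAttributes());
            Assert.fail("Creating a new token '" + node.getTree().getPath() + "' must fail.");
        } catch (CommitFailedException e) {
            Assert.assertEquals(65, e.getCode());
        } finally {
            node.getTree().remove();
            this.root.commit(CommitMarker.asCommitAttributes());
        }
    }

    /**
     * Re-creating a token one level too deep, under an extra child of the
     * {@code .tokens} parent, must be rejected with code 65.
     */
    @Test
    public void testCreateTokenAtInvalidLocationInsideUser2() throws Exception {
        TokenInfo info = newTokenForTestUser();
        Tree tokenTree = getTokenTree(info);
        Assert.assertNotNull(this.tokenProvider.getTokenInfo(info.getToken()));
        NodeUtil node = new NodeUtil(userHomeTree()).getOrAddChild(".tokens", "rep:Unstructured");
        try {
            // From here on 'node' is the intermediate child; if addChild itself throws,
            // the cleanup below still sees the '.tokens' node, as in the original flow.
            node = node.addChild(IdentifierManagerTest.ID_INVALID, "nt:unstructured");
            createTokenTree(info, node, "rep:Token");
            tokenTree.remove();
            this.root.commit(CommitMarker.asCommitAttributes());
            Assert.fail("Creating a new token '" + node.getTree().getPath() + "' must fail.");
        } catch (CommitFailedException e) {
            Assert.assertEquals(65, e.getCode());
        } finally {
            node.getTree().remove();
            this.root.commit(CommitMarker.asCommitAttributes());
        }
    }

    /**
     * Creating a {@code rep:Token} node at the regular location in a commit without
     * the marker attributes must be rejected with code 63.
     */
    @Test
    public void testManuallyCreateToken() throws Exception {
        TokenInfo info = newTokenForTestUser();
        Tree tokenTree = getTokenTree(info);
        Assert.assertNotNull(this.tokenProvider.getTokenInfo(info.getToken()));
        try {
            createTokenTree(info, new NodeUtil(tokenTree.getParent()), "rep:Token");
            tokenTree.remove();
            this.root.commit();
            Assert.fail("Manually creating a token node must fail.");
        } catch (CommitFailedException e) {
            Assert.assertEquals(63, e.getCode());
        } finally {
            // Drop the pending (rejected) changes rather than trying to undo them one by one.
            this.root.refresh();
            this.root.commit();
        }
    }

    /**
     * Creating the token content below {@code .tokens} with primary type
     * {@code nt:unstructured} instead of {@code rep:Token} must be rejected with code 60.
     */
    @Test
    public void testCreateTokenWithInvalidNodeType() throws Exception {
        TokenInfo info = newTokenForTestUser();
        Tree tokenTree = getTokenTree(info);
        Assert.assertNotNull(this.tokenProvider.getTokenInfo(info.getToken()));
        Tree created = null;
        try {
            created = createTokenTree(info, new NodeUtil(userHomeTree().getChild(".tokens")), "nt:unstructured");
            tokenTree.remove();
            this.root.commit(CommitMarker.asCommitAttributes());
            Assert.fail("The token node must be of type rep:Token.");
        } catch (CommitFailedException e) {
            Assert.assertEquals(60, e.getCode());
        } finally {
            // 'created' stays null when createTokenTree itself failed; nothing to remove then.
            if (created != null) {
                created.remove();
                this.root.commit(CommitMarker.asCommitAttributes());
            }
        }
    }

    /**
     * Removing a token node in a commit without the marker attributes must
     * succeed; the test passes when no exception is thrown.
     */
    @Test
    public void testRemoveTokenNode() throws Exception {
        getTokenTree(newTokenForTestUser()).remove();
        this.root.commit();
    }

    /**
     * Creating a {@code .tokens} node below an arbitrary child of the user node
     * must be rejected with code 68.
     */
    @Test
    public void testInvalidTokenParentNode() throws Exception {
        NodeUtil node = new NodeUtil(userHomeTree()).addChild("testNode", "nt:unstructured");
        try {
            node.addChild(".tokens", "nt:unstructured");
            this.root.commit(CommitMarker.asCommitAttributes());
            Assert.fail("Creating a new token '" + node.getTree().getPath() + "' must fail.");
        } catch (CommitFailedException e) {
            Assert.assertEquals(68, e.getCode());
        } finally {
            node.getTree().remove();
            this.root.commit(CommitMarker.asCommitAttributes());
        }
    }

    /**
     * Creating an empty {@code .tokens} node of type {@code rep:Unstructured}
     * directly below the user node, without the marker attributes, must succeed.
     */
    @Test
    public void testManuallyCreateTokenParent() throws Exception {
        new NodeUtil(userHomeTree()).addChild(".tokens", "rep:Unstructured");
        this.root.commit();
    }

    /**
     * Creating an empty {@code .tokens} node of type {@code nt:unstructured}
     * directly below the user node, without the marker attributes, must succeed.
     */
    @Test
    public void testManuallyCreateTokenParentWithNtUnstructured() throws Exception {
        new NodeUtil(userHomeTree()).addChild(".tokens", "nt:unstructured");
        this.root.commit();
    }

    /**
     * Creating a {@code .tokens} node directly below
     * {@code IdentifierManagerTest.ID_ROOT} must be rejected with code 64.
     */
    @Test
    public void testTokensNodeBelowRoot() throws Exception {
        NodeUtil node = null;
        try {
            node = new NodeUtil(this.root.getTree(IdentifierManagerTest.ID_ROOT)).addChild(".tokens", "rep:Unstructured");
            this.root.commit();
            Assert.fail("The token parent node must be located below the configured user root.");
        } catch (CommitFailedException e) {
            Assert.assertEquals(64, e.getCode());
        } finally {
            if (node != null) {
                node.getTree().remove();
                this.root.commit(CommitMarker.asCommitAttributes());
            }
        }
    }

    /**
     * Creating a {@code .tokens} node below an intermediate child of the user node
     * must be rejected with code 68.
     */
    @Test
    public void testTokensNodeAtInvalidPathBelowUser() throws Exception {
        NodeUtil node = null;
        try {
            node = new NodeUtil(userHomeTree()).addChild(AccessControlManagerImplTest.TEST_LOCAL_PREFIX, "nt:unstructured");
            node.addChild(".tokens", "rep:Unstructured");
            this.root.commit();
            Assert.fail("The token parent node must be located below the user home node.");
        } catch (CommitFailedException e) {
            Assert.assertEquals(68, e.getCode());
        } finally {
            if (node != null) {
                node.getTree().remove();
                this.root.commit(CommitMarker.asCommitAttributes());
            }
        }
    }

    /**
     * Changing the primary type of a {@code .tokens} node from
     * {@code nt:unstructured} to {@code rep:Unstructured} must succeed.
     */
    @Test
    public void testChangeTokenParentPrimaryTypeToRepUnstructured() throws Exception {
        NodeUtil tokensNode = new NodeUtil(userHomeTree()).addChild(".tokens", "nt:unstructured");
        this.root.commit();
        tokensNode.setName("jcr:primaryType", "rep:Unstructured");
        this.root.commit();
    }

    /**
     * Changing the primary type of the parent of an existing token to
     * {@code nt:unstructured} must be rejected with code 69.
     */
    @Test
    public void testChangeTokenParentPrimaryType() throws Exception {
        try {
            Tree tokenParent = getTokenTree(newTokenForTestUser()).getParent();
            tokenParent.setProperty("jcr:primaryType", "nt:unstructured", Type.NAME);
            this.root.commit();
            Assert.fail("The primary type of the token parent must not be changed from rep:Unstructured to another type.");
        } catch (CommitFailedException e) {
            Assert.assertEquals(69, e.getCode());
        } finally {
            // Discard the rejected type change so it is not committed by later steps.
            this.root.refresh();
        }
    }

    /**
     * Control case: a {@code rep:Unstructured} node below the user that is not
     * named {@code .tokens} may have its primary type changed to
     * {@code nt:unstructured}; the commit must succeed.
     */
    @Test
    public void testChangeRegularRepUnstructuredPrimaryType() throws Exception {
        NodeUtil regularNode = new NodeUtil(userHomeTree()).getOrAddChild(AccessControlManagerImplTest.TEST_LOCAL_PREFIX, "rep:Unstructured");
        this.root.commit();
        regularNode.setName("jcr:primaryType", "nt:unstructured");
        this.root.commit();
    }
}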
