package org.apache.jackrabbit.oak.security.authorization.accesscontrol;

import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Sets;
import java.security.Principal;
import java.security.acl.Group;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.jcr.RepositoryException;
import javax.jcr.Value;
import javax.jcr.ValueFactory;
import javax.jcr.ValueFormatException;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlException;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.ACE;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlList;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlListTest;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.AbstractRestrictionProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionDefinitionImpl;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionPattern;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeBits;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConstants;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;

/* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest.class */
public class ACLTest extends AbstractAccessControlListTest implements PrivilegeConstants, AccessControlConstants {
    private PrivilegeManager privilegeManager;
    private PrincipalManager principalManager;
    private AbstractAccessControlList acl;
    private Principal testPrincipal;
    private Privilege[] testPrivileges;

    /* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest$InvalidPrivilege.class */
    private class InvalidPrivilege implements Privilege {
        private InvalidPrivilege() {
        }

        public String getName() {
            return "invalidPrivilege";
        }

        public boolean isAbstract() {
            return false;
        }

        public boolean isAggregate() {
            return false;
        }

        public Privilege[] getDeclaredAggregatePrivileges() {
            return new Privilege[0];
        }

        public Privilege[] getAggregatePrivileges() {
            return new Privilege[0];
        }
    }

    /* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/accesscontrol/ACLTest$TestRestrictionProvider.class */
    private final class TestRestrictionProvider extends AbstractRestrictionProvider {
        private TestRestrictionProvider(String str, Type type, boolean z) {
            super(Collections.singletonMap(str, new RestrictionDefinitionImpl(str, type, z)));
        }

        @Nonnull
        public RestrictionPattern getPattern(@Nullable String str, @Nonnull Tree tree) {
            throw new UnsupportedOperationException();
        }

        @Nonnull
        public RestrictionPattern getPattern(@Nullable String str, @Nonnull Set<Restriction> set) {
            throw new UnsupportedOperationException();
        }
    }

    @Override // org.apache.jackrabbit.oak.AbstractSecurityTest
    @Before
    public void before() throws Exception {
        super.before();
        this.privilegeManager = getPrivilegeManager(this.root);
        this.principalManager = getPrincipalManager(this.root);
        this.acl = createEmptyACL();
        this.testPrincipal = getTestPrincipal();
        this.testPrivileges = privilegesFromNames("jcr:addChildNodes", "jcr:lockManagement");
    }

    @Override // org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AbstractAccessControlListTest
    /* renamed from: createACL */
    protected AbstractAccessControlList mo60createACL(@Nullable String str, @Nonnull List<ACE> list, @Nonnull NamePathMapper namePathMapper, @Nonnull final RestrictionProvider restrictionProvider) {
        return new ACL(str == null ? null : namePathMapper.getOakPath(str), list, namePathMapper) { // from class: org.apache.jackrabbit.oak.security.authorization.accesscontrol.ACLTest.1
            @Nonnull
            public RestrictionProvider getRestrictionProvider() {
                return restrictionProvider;
            }

            ACE createACE(Principal principal, PrivilegeBits privilegeBits, boolean z, Set<Restriction> set) throws RepositoryException {
                return ACLTest.this.createEntry(principal, privilegeBits, z, set);
            }

            boolean checkValidPrincipal(Principal principal) throws AccessControlException {
                Util.checkValidPrincipal(principal, ACLTest.this.principalManager);
                return true;
            }

            PrivilegeManager getPrivilegeManager() {
                return ACLTest.this.privilegeManager;
            }

            PrivilegeBits getPrivilegeBits(Privilege[] privilegeArr) {
                return ACLTest.this.getBitsProvider().getBits(privilegeArr, getNamePathMapper());
            }
        };
    }

    private static void assertACE(JackrabbitAccessControlEntry jackrabbitAccessControlEntry, boolean z, Privilege... privilegeArr) {
        Assert.assertEquals(Boolean.valueOf(z), Boolean.valueOf(jackrabbitAccessControlEntry.isAllow()));
        Assert.assertEquals(Sets.newHashSet(privilegeArr), Sets.newHashSet(jackrabbitAccessControlEntry.getPrivileges()));
    }

    @Test
    public void testUnknownPrincipal() throws Exception {
        try {
            this.acl.addAccessControlEntry(new InvalidTestPrincipal("unknown"), privilegesFromNames("jcr:read"));
            Assert.fail("Adding an ACE with an unknown principal should fail");
        } catch (AccessControlException e) {
        }
    }

    @Test
    public void testInternalPrincipal() throws RepositoryException {
        this.acl.addAccessControlEntry(new PrincipalImpl("unknown"), privilegesFromNames("jcr:read"));
    }

    @Test
    public void testNullPrincipal() throws Exception {
        try {
            this.acl.addAccessControlEntry((Principal) null, privilegesFromNames("jcr:read"));
            Assert.fail("Adding an ACE with null principal should fail");
        } catch (AccessControlException e) {
        }
    }

    @Test
    public void testEmptyPrincipal() throws Exception {
        try {
            this.acl.addAccessControlEntry(new PrincipalImpl(""), privilegesFromNames("jcr:read"));
            Assert.fail("Adding an ACE with empty-named principal should fail");
        } catch (AccessControlException e) {
        }
    }

    @Test
    public void testAddEntriesWithCustomPrincipal() throws Exception {
        PrincipalImpl principalImpl = new PrincipalImpl("anonymous");
        Principal principal = new Principal() { // from class: org.apache.jackrabbit.oak.security.authorization.accesscontrol.ACLTest.2
            @Override // java.security.Principal
            public String getName() {
                return "anonymous";
            }
        };
        Assert.assertTrue(this.acl.addAccessControlEntry(principalImpl, privilegesFromNames("jcr:read")));
        Assert.assertTrue(this.acl.addAccessControlEntry(principal, privilegesFromNames("jcr:readAccessControl")));
        Assert.assertEquals(1L, this.acl.getAccessControlEntries().length);
        Assert.assertTrue(this.acl.addEntry(principal, privilegesFromNames("jcr:read"), false));
        Assert.assertEquals(2L, this.acl.getAccessControlEntries().length);
        Assert.assertArrayEquals(privilegesFromNames("jcr:readAccessControl"), this.acl.getAccessControlEntries()[0].getPrivileges());
    }

    @Test
    public void testAddEntryWithoutPrivilege() throws Exception {
        try {
            this.acl.addAccessControlEntry(this.testPrincipal, new Privilege[0]);
            Assert.fail("Adding an ACE with empty privilege array should fail.");
        } catch (AccessControlException e) {
        }
        try {
            this.acl.addAccessControlEntry(this.testPrincipal, (Privilege[]) null);
            Assert.fail("Adding an ACE with null privileges should fail.");
        } catch (AccessControlException e2) {
        }
    }

    @Test
    public void testAddEntryWithInvalidPrivilege() throws Exception {
        try {
            this.acl.addAccessControlEntry(this.testPrincipal, new Privilege[]{new InvalidPrivilege()});
            Assert.fail("Adding an ACE with invalid privileges should fail.");
        } catch (AccessControlException e) {
        }
    }

    @Test
    public void testAddAccessControlEntry() throws Exception {
        Assert.assertTrue(this.acl.addAccessControlEntry(this.testPrincipal, this.testPrivileges));
        Assert.assertFalse(this.acl.isEmpty());
    }

    @Test
    public void testAddEntry() throws Exception {
        Assert.assertTrue(this.acl.addEntry(this.testPrincipal, this.testPrivileges, true));
        Assert.assertFalse(this.acl.isEmpty());
    }

    @Test
    public void testAddEntry2() throws Exception {
        Assert.assertTrue(this.acl.addEntry(this.testPrincipal, this.testPrivileges, true, Collections.emptyMap()));
        Assert.assertFalse(this.acl.isEmpty());
    }

    @Test
    public void testAddEntryTwice() throws Exception {
        this.acl.addEntry(this.testPrincipal, this.testPrivileges, true, Collections.emptyMap());
        Assert.assertFalse(this.acl.addEntry(this.testPrincipal, this.testPrivileges, true, Collections.emptyMap()));
    }

    @Test
    public void testRemoveEntry() throws Exception {
        Assert.assertTrue(this.acl.addAccessControlEntry(this.testPrincipal, this.testPrivileges));
        this.acl.removeAccessControlEntry(this.acl.getAccessControlEntries()[0]);
        Assert.assertTrue(this.acl.isEmpty());
    }

    @Test
    public void testRemoveEntries() throws Exception {
        AbstractAccessControlList createACL = createACL(getTestPath(), createTestEntries(), this.namePathMapper);
        for (AccessControlEntry accessControlEntry : createACL.getAccessControlEntries()) {
            createACL.removeAccessControlEntry(accessControlEntry);
        }
        Assert.assertTrue(createACL.isEmpty());
    }

    @Test
    public void testRemoveInvalidEntry() throws Exception {
        try {
            this.acl.removeAccessControlEntry(new JackrabbitAccessControlEntry() { // from class: org.apache.jackrabbit.oak.security.authorization.accesscontrol.ACLTest.3
                public boolean isAllow() {
                    return false;
                }

                public String[] getRestrictionNames() {
                    return new String[0];
                }

                public Value getRestriction(String str) {
                    return null;
                }

                public Value[] getRestrictions(String str) {
                    return null;
                }

                public Principal getPrincipal() {
                    return ACLTest.this.testPrincipal;
                }

                public Privilege[] getPrivileges() {
                    return ACLTest.this.testPrivileges;
                }
            });
            Assert.fail("Passing an unknown ACE should fail");
        } catch (AccessControlException e) {
        }
    }

    @Test
    public void testRemoveNonExisting() throws Exception {
        try {
            this.acl.removeAccessControlEntry(createEntry(this.testPrincipal, this.testPrivileges, true));
            Assert.fail("Removing a non-existing ACE should fail.");
        } catch (AccessControlException e) {
        }
    }

    @Test
    public void testReorderToTheEnd() throws Exception {
        Privilege[] privilegesFromNames = privilegesFromNames("jcr:read", "jcr:readAccessControl");
        Privilege[] privilegesFromNames2 = privilegesFromNames("jcr:write");
        AbstractAccessControlList createEmptyACL = createEmptyACL();
        createEmptyACL.addAccessControlEntry(this.testPrincipal, privilegesFromNames);
        createEmptyACL.addEntry(this.testPrincipal, privilegesFromNames2, false);
        createEmptyACL.addAccessControlEntry(EveryonePrincipal.getInstance(), privilegesFromNames2);
        List entries = createEmptyACL.getEntries();
        Assert.assertEquals(3L, entries.size());
        AccessControlEntry accessControlEntry = (AccessControlEntry) entries.get(0);
        createEmptyACL.orderBefore(accessControlEntry, (AccessControlEntry) null);
        Assert.assertEquals(accessControlEntry, createEmptyACL.getEntries().get(2));
    }

    @Test
    public void testReorder() throws Exception {
        Privilege[] privilegesFromNames = privilegesFromNames("jcr:read", "jcr:readAccessControl");
        Privilege[] privilegesFromNames2 = privilegesFromNames("jcr:write");
        AbstractAccessControlList createEmptyACL = createEmptyACL();
        createEmptyACL.addAccessControlEntry(this.testPrincipal, privilegesFromNames);
        createEmptyACL.addEntry(this.testPrincipal, privilegesFromNames2, false);
        createEmptyACL.addAccessControlEntry(EveryonePrincipal.getInstance(), privilegesFromNames2);
        AccessControlEntry[] accessControlEntries = createEmptyACL.getAccessControlEntries();
        Assert.assertEquals(3L, accessControlEntries.length);
        AccessControlEntry accessControlEntry = accessControlEntries[0];
        AccessControlEntry accessControlEntry2 = accessControlEntries[1];
        AccessControlEntry accessControlEntry3 = accessControlEntries[2];
        createEmptyACL.orderBefore(accessControlEntry2, accessControlEntry);
        Assert.assertEquals(accessControlEntry2, createEmptyACL.getEntries().get(0));
        Assert.assertEquals(accessControlEntry, createEmptyACL.getEntries().get(1));
        Assert.assertEquals(accessControlEntry3, createEmptyACL.getEntries().get(2));
        createEmptyACL.orderBefore(accessControlEntry3, accessControlEntry);
        Assert.assertEquals(accessControlEntry2, createEmptyACL.getEntries().get(0));
        Assert.assertEquals(accessControlEntry3, createEmptyACL.getEntries().get(1));
        Assert.assertEquals(accessControlEntry, createEmptyACL.getEntries().get(2));
    }

    @Test
    public void testReorderInvalidEntries() throws Exception {
        Privilege[] privilegesFromNames = privilegesFromNames("jcr:read", "jcr:readAccessControl");
        Privilege[] privilegesFromNames2 = privilegesFromNames("jcr:write");
        this.acl.addAccessControlEntry(this.testPrincipal, privilegesFromNames);
        this.acl.addAccessControlEntry(EveryonePrincipal.getInstance(), privilegesFromNames2);
        ACE createEntry = createEntry(this.testPrincipal, false, (Set<Restriction>) null, "jcr:write");
        try {
            this.acl.orderBefore(createEntry, (AccessControlEntry) this.acl.getEntries().get(0));
            Assert.fail("src entry not contained in list -> reorder should fail.");
        } catch (AccessControlException e) {
        }
        try {
            this.acl.orderBefore((AccessControlEntry) this.acl.getEntries().get(0), createEntry);
            Assert.fail("dest entry not contained in list -> reorder should fail.");
        } catch (AccessControlException e2) {
        }
    }

    @Test
    public void testMultipleEntries() throws Exception {
        this.acl.addEntry(this.testPrincipal, privilegesFromNames("jcr:read"), true);
        Privilege[] privilegesFromNames = privilegesFromNames("jcr:read", "jcr:addChildNodes");
        Assert.assertTrue(this.acl.addEntry(this.testPrincipal, privilegesFromNames, true));
        Assert.assertTrue(this.acl.size() == 1);
        assertACE((JackrabbitAccessControlEntry) this.acl.getEntries().get(0), true, privilegesFromNames);
    }

    @Test
    public void testMultipleEntries2() throws Exception {
        Privilege[] privilegesFromNames = privilegesFromNames("jcr:read", "jcr:addChildNodes");
        this.acl.addEntry(this.testPrincipal, privilegesFromNames, true);
        Assert.assertFalse(this.acl.addEntry(this.testPrincipal, privilegesFromNames("jcr:addChildNodes"), true));
        Assert.assertTrue(this.acl.size() == 1);
        assertACE((JackrabbitAccessControlEntry) this.acl.getEntries().get(0), true, privilegesFromNames);
    }

    @Test
    public void testComplementaryEntry() throws Exception {
        Privilege[] privilegesFromNames = privilegesFromNames("jcr:read");
        this.acl.addEntry(this.testPrincipal, privilegesFromNames, true);
        Assert.assertTrue(this.acl.addEntry(this.testPrincipal, privilegesFromNames, false));
        Assert.assertEquals(1L, this.acl.size());
        assertACE((JackrabbitAccessControlEntry) this.acl.getEntries().get(0), false, privilegesFromNames);
    }

    @Test
    public void testComplementaryEntry1() throws Exception {
        this.acl.addEntry(this.testPrincipal, privilegesFromNames("jcr:read", "jcr:addChildNodes"), true);
        Assert.assertTrue(this.acl.addEntry(this.testPrincipal, privilegesFromNames("jcr:read"), false));
        Assert.assertTrue(this.acl.size() == 2);
        assertACE((JackrabbitAccessControlEntry) this.acl.getEntries().get(0), true, privilegesFromNames("jcr:addChildNodes"));
        assertACE((JackrabbitAccessControlEntry) this.acl.getEntries().get(1), false, privilegesFromNames("jcr:read"));
    }

    @Test
    public void testComplementaryEntry2() throws Exception {
        this.acl.addAccessControlEntry(this.testPrincipal, privilegesFromNames("rep:write"));
        Privilege[] privilegesFromNames = privilegesFromNames("jcr:modifyProperties");
        Assert.assertTrue(this.acl.addEntry(this.testPrincipal, privilegesFromNames, false));
        Assert.assertTrue(this.acl.size() == 2);
        assertACE((JackrabbitAccessControlEntry) this.acl.getEntries().get(0), true, privilegesFromNames("jcr:addChildNodes", "jcr:removeChildNodes", "jcr:removeNode", "jcr:nodeTypeManagement"));
        assertACE((JackrabbitAccessControlEntry) this.acl.getEntries().get(1), false, privilegesFromNames);
    }

    @Test
    public void testMultiplePrincipals() throws Exception {
        Principal everyone = this.principalManager.getEveryone();
        Privilege[] privilegesFromNames = privilegesFromNames("jcr:read");
        this.acl.addAccessControlEntry(this.testPrincipal, privilegesFromNames);
        Assert.assertFalse(this.acl.addAccessControlEntry(this.testPrincipal, privilegesFromNames));
        Assert.assertTrue(this.acl.addAccessControlEntry(everyone, privilegesFromNames));
        Assert.assertTrue(this.acl.getAccessControlEntries().length == 2);
        Assert.assertEquals(everyone, this.acl.getAccessControlEntries()[1].getPrincipal());
    }

    @Test
    public void testSetEntryForGroupPrincipal() throws Exception {
        Privilege[] privilegesFromNames = privilegesFromNames("jcr:read");
        Group group = (Group) this.principalManager.getEveryone();
        Assert.assertTrue(this.acl.addAccessControlEntry(group, privilegesFromNames));
        Assert.assertTrue(this.acl.addEntry(group, privilegesFromNames, false));
        Assert.assertEquals(1L, this.acl.size());
        Assert.assertFalse(((JackrabbitAccessControlEntry) this.acl.getEntries().get(0)).isAllow());
    }

    @Test
    public void testUpdateGroupEntry() throws Exception {
        Privilege[] privilegesFromNames = privilegesFromNames("jcr:read");
        Privilege[] privilegesFromNames2 = privilegesFromNames("jcr:write");
        Principal everyone = this.principalManager.getEveryone();
        this.acl.addEntry(this.testPrincipal, privilegesFromNames, true);
        this.acl.addEntry(everyone, privilegesFromNames, true);
        this.acl.addEntry(this.testPrincipal, privilegesFromNames2, false);
        this.acl.addEntry(everyone, privilegesFromNames2, true);
        JackrabbitAccessControlEntry[] accessControlEntries = this.acl.getAccessControlEntries();
        Assert.assertEquals(3L, accessControlEntries.length);
        JackrabbitAccessControlEntry jackrabbitAccessControlEntry = accessControlEntries[1];
        Assert.assertEquals(everyone, jackrabbitAccessControlEntry.getPrincipal());
        assertACE(jackrabbitAccessControlEntry, true, privilegesFromNames("jcr:read", "jcr:write"));
    }

    @Test
    public void testComplementaryGroupEntry() throws Exception {
        Privilege[] privilegesFromNames = privilegesFromNames("jcr:read");
        Privilege[] privilegesFromNames2 = privilegesFromNames("jcr:write");
        Principal everyone = this.principalManager.getEveryone();
        this.acl.addEntry(this.testPrincipal, privilegesFromNames, true);
        this.acl.addEntry(everyone, privilegesFromNames, true);
        this.acl.addEntry(this.testPrincipal, privilegesFromNames2, false);
        this.acl.addEntry(everyone, privilegesFromNames2, true);
        this.acl.addEntry(this.testPrincipal, privilegesFromNames, false);
        JackrabbitAccessControlEntry[] accessControlEntries = this.acl.getAccessControlEntries();
        Assert.assertEquals(2L, accessControlEntries.length);
        Assert.assertEquals(everyone, accessControlEntries[0].getPrincipal());
        JackrabbitAccessControlEntry jackrabbitAccessControlEntry = accessControlEntries[1];
        Assert.assertEquals(this.testPrincipal, jackrabbitAccessControlEntry.getPrincipal());
        assertACE(jackrabbitAccessControlEntry, false, privilegesFromNames("jcr:read", "jcr:write"));
    }

    @Test
    public void testAllowWriteDenyRemoveGroupEntries() throws Exception {
        Principal everyone = this.principalManager.getEveryone();
        Privilege[] privilegesFromNames = privilegesFromNames("rep:write");
        Privilege[] privilegesFromNames2 = privilegesFromNames("jcr:removeChildNodes");
        this.acl.addEntry(everyone, privilegesFromNames, true, Collections.emptyMap());
        this.acl.addEntry(everyone, privilegesFromNames2, false, Collections.emptyMap());
        HashSet hashSet = new HashSet();
        HashSet hashSet2 = new HashSet();
        for (JackrabbitAccessControlEntry jackrabbitAccessControlEntry : this.acl.getAccessControlEntries()) {
            if (everyone.equals(jackrabbitAccessControlEntry.getPrincipal()) && (jackrabbitAccessControlEntry instanceof JackrabbitAccessControlEntry)) {
                JackrabbitAccessControlEntry jackrabbitAccessControlEntry2 = jackrabbitAccessControlEntry;
                Privilege[] privileges = jackrabbitAccessControlEntry2.getPrivileges();
                if (jackrabbitAccessControlEntry2.isAllow()) {
                    hashSet.addAll(Arrays.asList(privileges));
                } else {
                    hashSet2.addAll(Arrays.asList(privileges));
                }
            }
        }
        Privilege[] privilegesFromNames3 = privilegesFromNames("jcr:addChildNodes", "jcr:removeNode", "jcr:modifyProperties", "jcr:nodeTypeManagement");
        Assert.assertEquals(privilegesFromNames3.length, hashSet.size());
        Assert.assertEquals(ImmutableSet.copyOf(privilegesFromNames3), hashSet);
        Assert.assertEquals(1L, hashSet2.size());
        Assert.assertArrayEquals(privilegesFromNames("jcr:removeChildNodes"), hashSet2.toArray(new Privilege[hashSet2.size()]));
    }

    @Test
    public void testUpdateAndComplementary() throws Exception {
        Privilege[] privilegesFromNames = privilegesFromNames("jcr:read");
        Privilege[] privilegesFromNames2 = privilegesFromNames("jcr:write");
        Privilege[] privilegesFromNames3 = privilegesFromNames("jcr:readAccessControl");
        Assert.assertTrue(this.acl.addEntry(this.testPrincipal, privilegesFromNames, true));
        Assert.assertTrue(this.acl.addEntry(this.testPrincipal, privilegesFromNames2, true));
        Assert.assertTrue(this.acl.addEntry(this.testPrincipal, privilegesFromNames3, true));
        Assert.assertEquals(1L, this.acl.size());
        Assert.assertTrue(this.acl.addEntry(this.testPrincipal, privilegesFromNames, false));
        Assert.assertEquals(2L, this.acl.size());
        assertACE((JackrabbitAccessControlEntry) this.acl.getEntries().get(0), true, privilegesFromNames("jcr:write", "jcr:readAccessControl"));
        assertACE((JackrabbitAccessControlEntry) this.acl.getEntries().get(1), false, privilegesFromNames);
    }

    @Test
    public void testDifferentPrivilegeImplementation() throws Exception {
        Privilege[] privilegesFromNames = privilegesFromNames("jcr:read");
        this.acl.addEntry(this.testPrincipal, privilegesFromNames, false);
        Assert.assertFalse(this.acl.addEntry(new PrincipalImpl(this.testPrincipal.getName()), privilegesFromNames, false));
        Assert.assertFalse(this.acl.addEntry(new Principal() { // from class: org.apache.jackrabbit.oak.security.authorization.accesscontrol.ACLTest.4
            @Override // java.security.Principal
            public String getName() {
                return ACLTest.this.testPrincipal.getName();
            }
        }, privilegesFromNames, false));
    }

    @Test
    public void testNewEntriesAppendedAtEnd() throws Exception {
        Privilege[] privilegesFromNames = privilegesFromNames("jcr:read");
        Privilege[] privilegesFromNames2 = privilegesFromNames("jcr:write");
        this.acl.addEntry(this.testPrincipal, privilegesFromNames, true);
        this.acl.addEntry(this.principalManager.getEveryone(), privilegesFromNames, true);
        this.acl.addEntry(this.testPrincipal, privilegesFromNames2, false);
        JackrabbitAccessControlEntry[] accessControlEntries = this.acl.getAccessControlEntries();
        Assert.assertEquals(3L, accessControlEntries.length);
        JackrabbitAccessControlEntry jackrabbitAccessControlEntry = accessControlEntries[2];
        Assert.assertEquals(this.testPrincipal, jackrabbitAccessControlEntry.getPrincipal());
        assertACE(jackrabbitAccessControlEntry, false, privilegesFromNames2);
    }

    @Test
    public void testInsertionOrder() throws Exception {
        Privilege[] privilegesFromNames = privilegesFromNames("jcr:read");
        Privilege[] privilegesFromNames2 = privilegesFromNames("jcr:write");
        Privilege[] privilegesFromNames3 = privilegesFromNames("jcr:addChildNodes");
        Map singletonMap = Collections.singletonMap("rep:glob", getValueFactory().createValue("/.*"));
        this.acl.addEntry(this.testPrincipal, privilegesFromNames, true);
        this.acl.addEntry(this.testPrincipal, privilegesFromNames2, false);
        this.acl.addEntry(this.testPrincipal, privilegesFromNames3, true, singletonMap);
        List entries = this.acl.getEntries();
        assertACE((JackrabbitAccessControlEntry) entries.get(0), true, privilegesFromNames);
        assertACE((JackrabbitAccessControlEntry) entries.get(1), false, privilegesFromNames2);
        assertACE((JackrabbitAccessControlEntry) entries.get(2), true, privilegesFromNames3);
    }

    @Test
    public void testInsertionOrder2() throws Exception {
        Privilege[] privilegesFromNames = privilegesFromNames("jcr:read");
        Privilege[] privilegesFromNames2 = privilegesFromNames("jcr:write");
        Privilege[] privilegesFromNames3 = privilegesFromNames("jcr:addChildNodes");
        Map singletonMap = Collections.singletonMap("rep:glob", getValueFactory().createValue("/.*"));
        this.acl.addEntry(this.testPrincipal, privilegesFromNames, true);
        this.acl.addEntry(this.testPrincipal, privilegesFromNames3, true, singletonMap);
        this.acl.addEntry(this.testPrincipal, privilegesFromNames2, false);
        List entries = this.acl.getEntries();
        assertACE((JackrabbitAccessControlEntry) entries.get(0), true, privilegesFromNames);
        assertACE((JackrabbitAccessControlEntry) entries.get(1), true, privilegesFromNames3);
        assertACE((JackrabbitAccessControlEntry) entries.get(2), false, privilegesFromNames2);
    }

    @Test
    public void testRestrictions() throws Exception {
        String[] restrictionNames = this.acl.getRestrictionNames();
        Assert.assertNotNull(restrictionNames);
        Assert.assertEquals(3L, restrictionNames.length);
        Assert.assertArrayEquals(new String[]{"rep:glob", "rep:ntNames", "rep:prefixes"}, restrictionNames);
        Assert.assertEquals(1L, this.acl.getRestrictionType(restrictionNames[0]));
        Assert.assertEquals(7L, this.acl.getRestrictionType(restrictionNames[1]));
        Assert.assertEquals(1L, this.acl.getRestrictionType(restrictionNames[2]));
        Privilege[] privilegesFromNames = privilegesFromNames("jcr:write");
        Assert.assertTrue(this.acl.addAccessControlEntry(this.testPrincipal, privilegesFromNames));
        Assert.assertEquals(1L, this.acl.getAccessControlEntries().length);
        Assert.assertFalse(this.acl.addAccessControlEntry(this.testPrincipal, privilegesFromNames));
        Assert.assertEquals(1L, this.acl.getAccessControlEntries().length);
        Assert.assertFalse(this.acl.addEntry(this.testPrincipal, privilegesFromNames, true));
        Assert.assertEquals(1L, this.acl.getAccessControlEntries().length);
        Assert.assertTrue(this.acl.addEntry(this.testPrincipal, privilegesFromNames, false));
        Assert.assertEquals(1L, this.acl.getAccessControlEntries().length);
        Map singletonMap = Collections.singletonMap("rep:glob", getValueFactory().createValue("/.*"));
        Assert.assertTrue(this.acl.addEntry(this.testPrincipal, privilegesFromNames, false, singletonMap));
        Assert.assertEquals(2L, this.acl.getAccessControlEntries().length);
        Assert.assertFalse(this.acl.addEntry(this.testPrincipal, privilegesFromNames, false, singletonMap));
        Assert.assertEquals(2L, this.acl.getAccessControlEntries().length);
        Assert.assertTrue(this.acl.addEntry(this.testPrincipal, privilegesFromNames, true, singletonMap));
        Assert.assertEquals(2L, this.acl.getAccessControlEntries().length);
    }

    @Test
    public void testMvRestrictions() throws Exception {
        ValueFactory valueFactory = getValueFactory();
        Value[] valueArr = {valueFactory.createValue("nt:file", 7), valueFactory.createValue("nt:folder", 7)};
        Map singletonMap = Collections.singletonMap("rep:ntNames", valueArr);
        Map singletonMap2 = Collections.singletonMap("rep:glob", valueFactory.createValue("/.*"));
        Assert.assertTrue(this.acl.addEntry(this.testPrincipal, this.testPrivileges, false, singletonMap2, singletonMap));
        Assert.assertFalse(this.acl.addEntry(this.testPrincipal, this.testPrivileges, false, singletonMap2, singletonMap));
        Assert.assertEquals(1L, this.acl.getAccessControlEntries().length);
        JackrabbitAccessControlEntry jackrabbitAccessControlEntry = this.acl.getAccessControlEntries()[0];
        try {
            jackrabbitAccessControlEntry.getRestriction("rep:ntNames");
            Assert.fail();
        } catch (ValueFormatException e) {
        }
        Assert.assertArrayEquals(valueArr, jackrabbitAccessControlEntry.getRestrictions("rep:ntNames"));
    }

    @Test
    public void testUnsupportedRestrictions() throws Exception {
        try {
            this.acl.addEntry(this.testPrincipal, this.testPrivileges, false, Collections.singletonMap("unknownRestriction", getValueFactory().createValue("value")));
            Assert.fail("Invalid restrictions -> AccessControlException expected");
        } catch (AccessControlException e) {
        }
    }

    @Test
    public void testUnsupportedRestrictions2() throws Exception {
        try {
            mo60createACL(getTestPath(), new ArrayList(), this.namePathMapper, new TestRestrictionProvider("restr", Type.NAME, false)).addEntry(this.testPrincipal, this.testPrivileges, false, Collections.singletonMap("unsupported", getValueFactory().createValue("value")));
            Assert.fail("Unsupported restriction must be detected.");
        } catch (AccessControlException e) {
        }
    }

    @Test
    public void testInvalidRestrictionType() throws Exception {
        try {
            mo60createACL(getTestPath(), new ArrayList(), this.namePathMapper, new TestRestrictionProvider("restr", Type.NAME, false)).addEntry(this.testPrincipal, this.testPrivileges, false, Collections.singletonMap("restr", getValueFactory().createValue(true)));
            Assert.fail("Invalid restriction type.");
        } catch (AccessControlException e) {
        }
    }

    @Test
    public void testMandatoryRestrictions() throws Exception {
        try {
            mo60createACL(getTestPath(), new ArrayList(), this.namePathMapper, new TestRestrictionProvider("mandatory", Type.NAME, true)).addEntry(this.testPrincipal, this.testPrivileges, false, Collections.emptyMap());
            Assert.fail("Mandatory restriction must be enforced.");
        } catch (AccessControlException e) {
        }
    }
}
