package org.apache.jackrabbit.oak.security.authorization.permission;

import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Sets;
import java.security.Principal;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Random;
import java.util.Set;
import java.util.UUID;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.oak.AbstractSecurityTest;
import org.apache.jackrabbit.oak.api.ContentSession;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.plugins.identifier.IdentifierManagerTest;
import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.RepositoryPermission;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
import org.jetbrains.annotations.NotNull;
import org.junit.Assert;
import org.junit.Test;

/* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/permission/AbstractPermissionRandomTestIT.class */
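/**
 * Randomized differential test for read-permission evaluation.
 *
 * <p>{@link #before()} builds a three-level tree with ten children per node and samples four
 * sets of paths from it: allow/deny for the test user and allow/deny for a group the user
 * belongs to. {@link #testRandomRead()} writes one {@code jcr:read} access control entry per
 * sampled path. For every created path it then compares the answers of the configured
 * {@link PermissionProvider} with those of the provider returned by
 * {@link #candidatePermissionProvider(Root, String, Set)}.
 *
 * <p>By default the candidate is {@link SetsPP}, a small in-memory model of the expected
 * allow/deny precedence. A disagreement means either the model or the real evaluation is wrong,
 * so every failure message carries the random seed.
 *
 * <p>NOTE(review): the seed is reported on failure, but nothing in this class lets a caller
 * inject it, so replaying a failing run requires editing the field initializer.
 */
public abstract class AbstractPermissionRandomTestIT extends AbstractSecurityTest {
    // The three literals below are what the compiled class compares against. They presumably
    // correspond to the JCR_READ privilege name, Session.ACTION_READ and Permissions.READ
    // (the assertion messages in SetsPP name exactly those) — confirm against the Oak constants.
    private static final String JCR_READ = "jcr:read";
    private static final String ACTION_READ = "read";
    private static final long PERMISSION_READ = 3L;

    private ContentSession testSession;

    // Initialization order matters: random is seeded from seed, testPath draws from random.
    protected final long seed = new Random().nextLong();
    private final Random random = new Random(this.seed);
    protected final String testPath = "testPath" + this.random.nextInt();

    /** Paths of every node created under the test root; sorted in {@link #before()}. */
    private List<String> paths = new ArrayList<>();

    // Sampled paths that receive an allow/deny jcr:read entry for the user (U) or the group (G).
    final Set<String> allowU = Sets.newHashSet();
    private final Set<String> denyU = Sets.newHashSet();
    private final Set<String> allowG = Sets.newHashSet();
    private final Set<String> denyG = Sets.newHashSet();

    private final String groupId = "gr" + UUID.randomUUID();

    /**
     * Reference model of read access, driven only by the four sampled path sets.
     *
     * <p>Only the read checks used by {@link #testRandomRead()} are implemented; the remaining
     * {@link PermissionProvider} methods throw, and the implemented ones assert that they are
     * called with read-only arguments.
     */
    public static class SetsPP implements PermissionProvider {
        final Set<String> allowU;
        final Set<String> denyU;
        final Set<String> allowG;
        final Set<String> denyG;

        SetsPP(Set<String> allowU, Set<String> denyU, Set<String> allowG, Set<String> denyG) {
            this.allowU = allowU;
            this.denyU = denyU;
            this.allowG = allowG;
            this.denyG = denyG;
        }

        /** No-op: the model keeps no state beyond the four sets it was given. */
        public void refresh() {
        }

        /** Returns {@code {"jcr:read"}} when the model grants read on the tree, else an empty set. */
        @NotNull
        public Set<String> getPrivileges(Tree tree) {
            return canRead(tree.getPath()) ? ImmutableSet.of(JCR_READ) : ImmutableSet.of();
        }

        /** Answers only the single-privilege {@code jcr:read} question; anything else fails the test. */
        public boolean hasPrivileges(Tree tree, @NotNull String... privilegeNames) {
            Assert.assertTrue("Implemented only for JCR_READ",
                    privilegeNames.length == 1 && privilegeNames[0].equals(JCR_READ));
            return canRead(tree.getPath());
        }

        @NotNull
        public RepositoryPermission getRepositoryPermission() {
            throw new RuntimeException("unimplemented");
        }

        @NotNull
        public TreePermission getTreePermission(@NotNull Tree tree, @NotNull TreePermission parentPermission) {
            throw new RuntimeException("unimplemented");
        }

        /** Answers only the read check on a tree (no property); anything else fails the test. */
        public boolean isGranted(@NotNull Tree tree, PropertyState property, long permissions) {
            Assert.assertTrue("Implemented only for Permissions.READ on trees",
                    property == null && permissions == PERMISSION_READ);
            return canRead(tree.getPath());
        }

        /** Answers only the {@code "read"} action; anything else fails the test. */
        public boolean isGranted(@NotNull String oakPath, @NotNull String jcrActions) {
            Assert.assertEquals("Implemented only for Session.ACTION_READ", ACTION_READ, jcrActions);
            return canRead(oakPath);
        }

        /**
         * Decides read access for {@code path} from the closest matching entry in each set.
         *
         * <p>Precedence encoded here: any matching user entry overrides all group entries;
         * within one principal the entry on the longer (deeper) path wins; when allow and deny
         * match at the same length, deny wins because the comparison is strict. With no
         * matching entry at all, access is denied.
         */
        private boolean canRead(String path) {
            String userDeny = extractStatus(path, this.denyU);
            String userAllow = extractStatus(path, this.allowU);
            String groupDeny = extractStatus(path, this.denyG);
            String groupAllow = extractStatus(path, this.allowG);

            if (userDeny != null) {
                return userAllow != null && userDeny.length() < userAllow.length();
            }
            if (userAllow != null) {
                return true;
            }
            if (groupDeny != null) {
                return groupAllow != null && groupDeny.length() < groupAllow.length();
            }
            return groupAllow != null;
        }

        /**
         * Returns the longest entry of {@code entries} that is {@code path} itself or one of its
         * ancestors, or {@code null} when none applies.
         *
         * <p>The match is made on whole path segments. A plain substring test gives the same
         * answer only while no node name is a prefix of a sibling's name (true for n0..n9); with
         * a larger fan-out an entry on {@code .../n1} would wrongly be applied to
         * {@code .../n10}, and the model would then disagree with the real evaluation.
         */
        private static String extractStatus(String path, Set<String> entries) {
            String closest = null;
            int closestLength = 0;
            for (String entry : entries) {
                if (closestLength < entry.length() && isSelfOrAncestor(entry, path)) {
                    closest = entry;
                    closestLength = entry.length();
                }
            }
            return closest;
        }

        /** True when {@code candidate} equals {@code path} or is a segment-wise prefix of it. */
        private static boolean isSelfOrAncestor(String candidate, String path) {
            return path.equals(candidate) || path.startsWith(candidate + "/");
        }
    }

    /**
     * Creates the node tree under the test root and samples the four allow/deny path sets.
     * Each set is drawn with a target of one tenth of the created paths; sampling is with
     * replacement, so a set may end up smaller and the sets may overlap.
     */
    @Override // org.apache.jackrabbit.oak.AbstractSecurityTest
    public void before() throws Exception {
        super.before();
        Tree testRoot = TreeUtil.getOrAddChild(
                this.root.getTree(IdentifierManagerTest.ID_ROOT), this.testPath, "nt:unstructured");
        create(testRoot, 10, 0, 3, this.paths);
        this.root.commit();

        // Sorting fixes the index -> path mapping that sample() draws from.
        Collections.sort(this.paths);
        int sampleSize = this.paths.size() / 10;
        sample(this.paths, sampleSize, this.random, this.allowU);
        sample(this.paths, sampleSize, this.random, this.denyU);
        sample(this.paths, sampleSize, this.random, this.allowG);
        sample(this.paths, sampleSize, this.random, this.denyG);
    }

    @Override // org.apache.jackrabbit.oak.AbstractSecurityTest
    protected ConfigurationParameters getSecurityConfigParameters() {
        return ConfigurationParameters.EMPTY;
    }

    /**
     * Returns the provider compared against the configured one. This default ignores its
     * arguments and returns the {@link SetsPP} model built from the sampled sets.
     */
    protected PermissionProvider candidatePermissionProvider(@NotNull Root root, @NotNull String workspaceName, @NotNull Set<Principal> principals) {
        return new SetsPP(this.allowU, this.denyU, this.allowG, this.denyG);
    }

    /**
     * Recursively adds {@code fanOut} children named {@code n0..n(fanOut-1)} below
     * {@code parent} until {@code maxDepth} levels exist, recording every created path.
     */
    private static void create(Tree parent, int fanOut, int depth, int maxDepth, List<String> createdPaths) throws Exception {
        if (depth == maxDepth) {
            return;
        }
        for (int index = 0; index < fanOut; index++) {
            Tree child = TreeUtil.addChild(parent, "n" + index, "nt:unstructured");
            createdPaths.add(child.getPath());
            create(child, fanOut, depth + 1, maxDepth, createdPaths);
        }
    }

    /**
     * Performs {@code count} random draws (with replacement) from {@code source} and adds each
     * drawn element to {@code target}.
     */
    protected static void sample(List<String> source, int count, Random random, Set<String> target) {
        Assert.assertTrue(
                "Sample size " + count + " must be in 1.." + source.size(),
                count > 0 && count <= source.size());
        for (int draw = 0; draw < count; draw++) {
            target.add(source.get(random.nextInt(source.size())));
        }
    }

    /**
     * Writes the sampled allow/deny entries for the test user and its group, then checks that
     * the configured provider and the candidate agree on every created path. When the candidate
     * is the {@link SetsPP} model it is the expected side; otherwise the configured provider is.
     */
    @Test
    public void testRandomRead() throws Exception {
        Principal userPrincipal = getTestUser().getPrincipal();
        Group group = getUserManager(this.root).createGroup(this.groupId);
        group.addMember(getTestUser());
        Principal groupPrincipal = group.getPrincipal();

        // Entries are written in a fixed order: user allow, user deny, group allow, group deny.
        for (String path : this.allowU) {
            setPrivileges(userPrincipal, path, true, JCR_READ);
        }
        for (String path : this.denyU) {
            setPrivileges(userPrincipal, path, false, JCR_READ);
        }
        for (String path : this.allowG) {
            setPrivileges(groupPrincipal, path, true, JCR_READ);
        }
        for (String path : this.denyG) {
            setPrivileges(groupPrincipal, path, false, JCR_READ);
        }

        this.testSession = createTestSession();
        Root latestRoot = this.testSession.getLatestRoot();
        String workspaceName = this.testSession.getWorkspaceName();
        Set<Principal> principals = this.testSession.getAuthInfo().getPrincipals();

        PermissionProvider configured = getConfig(AuthorizationConfiguration.class)
                .getPermissionProvider(latestRoot, workspaceName, principals);
        PermissionProvider candidate = candidatePermissionProvider(latestRoot, workspaceName, principals);

        // The side treated as the oracle becomes "expected" in every assertion below.
        boolean candidateIsModel = candidate instanceof SetsPP;
        PermissionProvider expected = candidateIsModel ? candidate : configured;
        PermissionProvider actual = candidateIsModel ? configured : candidate;

        for (String path : this.paths) {
            Tree tree = latestRoot.getTree(path);

            // Query order is kept: configured provider first, candidate second.
            boolean configuredHasPrivileges = configured.hasPrivileges(tree, JCR_READ);
            boolean configuredGrantedByPath = configured.isGranted(tree.getPath(), ACTION_READ);
            boolean configuredGrantedByTree = configured.isGranted(tree, (PropertyState) null, PERMISSION_READ);
            String[] configuredPrivileges = configured.getPrivileges(tree).toArray(new String[0]);
            Arrays.sort(configuredPrivileges);

            boolean candidateHasPrivileges = candidate.hasPrivileges(tree, JCR_READ);
            boolean candidateGrantedByPath = candidate.isGranted(tree.getPath(), ACTION_READ);
            boolean candidateGrantedByTree = candidate.isGranted(tree, (PropertyState) null, PERMISSION_READ);
            String[] candidatePrivileges = candidate.getPrivileges(tree).toArray(new String[0]);
            Arrays.sort(candidatePrivileges);

            boolean modelFirst = expected == candidate;
            assertSameDecision("#hasPrivileges", path,
                    modelFirst ? candidateHasPrivileges : configuredHasPrivileges,
                    modelFirst ? configuredHasPrivileges : candidateHasPrivileges);
            assertSameDecision("#isGranted", path,
                    modelFirst ? candidateGrantedByPath : configuredGrantedByPath,
                    modelFirst ? configuredGrantedByPath : candidateGrantedByPath);
            assertSameDecision("#isGranted", path,
                    modelFirst ? candidateGrantedByTree : configuredGrantedByTree,
                    modelFirst ? configuredGrantedByTree : candidateGrantedByTree);
            // Carry path and seed here too: a bare array mismatch cannot be tied to a run.
            Assert.assertArrayEquals(
                    "Unexpected #getPrivileges on [" + path + "], seed " + this.seed,
                    modelFirst ? candidatePrivileges : configuredPrivileges,
                    modelFirst ? configuredPrivileges : candidatePrivileges);
        }
        // 'actual' is only named for readability of the expected/actual split above.
        Assert.assertNotNull(actual);
    }

    /** Fails with the path and seed when the two access decisions differ. */
    private void assertSameDecision(String check, String path, boolean expected, boolean actual) {
        Assert.assertEquals(
                "Unexpected " + check + " on [" + path + "] expecting " + expected + " got " + actual
                        + ", seed " + this.seed,
                Boolean.valueOf(expected), Boolean.valueOf(actual));
    }

    /**
     * Closes the test session and removes the test tree; {@code super.after()} always runs.
     */
    @Override // org.apache.jackrabbit.oak.AbstractSecurityTest
    public void after() throws Exception {
        try {
            if (this.testSession != null) {
                this.testSession.close();
            }
            // ID_ROOT is presumably "/" — the tree removed is the one created in before().
            Assert.assertTrue(this.root.getTree(IdentifierManagerTest.ID_ROOT + this.testPath).remove());
            this.root.commit();
        } finally {
            super.after();
        }
    }

    /**
     * Adds one allow or deny entry for {@code principal} to the access control list at
     * {@code path}, sets the policy and commits. Each entry is committed on its own.
     */
    private void setPrivileges(Principal principal, String path, boolean isAllow, String... privilegeNames) throws Exception {
        JackrabbitAccessControlManager acMgr = getAccessControlManager(this.root);
        JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, path);
        acl.addEntry(principal, privilegesFromNames(privilegeNames), isAllow);
        acMgr.setPolicy(path, acl);
        this.root.commit();
    }
}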
