package org.apache.jackrabbit.oak.security.authorization.accesscontrol;

import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import java.security.Principal;
import java.util.Collections;
import javax.jcr.AccessDeniedException;
import javax.jcr.RepositoryException;
import javax.jcr.Value;
import javax.jcr.ValueFactory;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.api.security.authorization.PrivilegeManager;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.oak.AbstractSecurityTest;
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.plugins.identifier.IdentifierManagerTest;
import org.apache.jackrabbit.oak.plugins.memory.MemoryNodeStore;
import org.apache.jackrabbit.oak.plugins.tree.TreeProvider;
import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
import org.apache.jackrabbit.oak.security.authorization.ProviderCtx;
import org.apache.jackrabbit.oak.security.authorization.composite.CompositeAuthorizationConfiguration;
import org.apache.jackrabbit.oak.security.authorization.restriction.RestrictionProviderImpl;
import org.apache.jackrabbit.oak.security.internal.SecurityProviderHelper;
import org.apache.jackrabbit.oak.spi.commit.CommitInfo;
import org.apache.jackrabbit.oak.spi.commit.Validator;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.Context;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
import org.apache.jackrabbit.oak.spi.security.privilege.PrivilegeConfiguration;
import org.apache.jackrabbit.oak.spi.state.NodeBuilder;
import org.apache.jackrabbit.oak.spi.state.NodeState;
import org.jetbrains.annotations.NotNull;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.mockito.ArgumentMatchers;
import org.mockito.Mockito;

/* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlValidatorTest.class */
public class AccessControlValidatorTest extends AbstractSecurityTest implements AccessControlConstants {
    private final String testName = "testRoot";
    private final String testPath = "/testRoot";
    private final String aceName = "validAce";
    private Principal testPrincipal;

    @Override // org.apache.jackrabbit.oak.AbstractSecurityTest
    @Before
    public void before() throws Exception {
        super.before();
        TreeUtil.addChild(this.root.getTree(IdentifierManagerTest.ID_ROOT), "testRoot", "nt:unstructured");
        this.root.commit();
        this.testPrincipal = getTestUser().getPrincipal();
    }

    @Override // org.apache.jackrabbit.oak.AbstractSecurityTest
    @After
    public void after() throws Exception {
        try {
            this.root.refresh();
            Tree tree = this.root.getTree("/testRoot");
            if (tree.exists()) {
                tree.remove();
                this.root.commit();
            }
        } finally {
            super.after();
        }
    }

    @NotNull
    private Tree getTestTree() {
        return this.root.getTree("/testRoot");
    }

    @NotNull
    private AccessControlValidatorProvider createValidatorProvider() {
        return new AccessControlValidatorProvider(((CompositeAuthorizationConfiguration) getConfig(AuthorizationConfiguration.class)).getDefaultConfig());
    }

    @NotNull
    private AccessControlValidatorProvider createValidatorProvider(@NotNull RestrictionProvider restrictionProvider, @NotNull PrivilegeConfiguration privilegeConfiguration) {
        ProviderCtx providerCtx = (ProviderCtx) Mockito.mock(ProviderCtx.class);
        Mockito.when(providerCtx.getRootProvider()).thenReturn(getRootProvider());
        Mockito.when(providerCtx.getTreeProvider()).thenReturn(getTreeProvider());
        SecurityProvider securityProvider = (SecurityProvider) Mockito.mock(SecurityProvider.class);
        Mockito.when(securityProvider.getConfiguration(PrivilegeConfiguration.class)).thenReturn(privilegeConfiguration);
        AuthorizationConfiguration authorizationConfiguration = (AuthorizationConfiguration) Mockito.mock(AuthorizationConfiguration.class);
        Mockito.when(authorizationConfiguration.getRestrictionProvider()).thenReturn(restrictionProvider);
        Mockito.when(authorizationConfiguration.getContext()).thenReturn(((AuthorizationConfiguration) getConfig(AuthorizationConfiguration.class)).getContext());
        Mockito.when(securityProvider.getConfiguration(AuthorizationConfiguration.class)).thenReturn(authorizationConfiguration);
        Mockito.when(providerCtx.getSecurityProvider()).thenReturn(securityProvider);
        return new AccessControlValidatorProvider(providerCtx);
    }

    @NotNull
    private Validator createRootValidator(@NotNull Tree tree) {
        NodeState asNodeState = getTreeProvider().asNodeState(tree);
        return createValidatorProvider().getRootValidator(asNodeState, asNodeState, new CommitInfo("sid", (String) null));
    }

    @NotNull
    private Tree createPolicy(@NotNull Tree tree, boolean z) throws AccessDeniedException {
        tree.setProperty("jcr:mixinTypes", ImmutableList.of("rep:AccessControllable"), Type.NAMES);
        Tree addChild = TreeUtil.addChild(tree, "rep:policy", "rep:ACL");
        addChild.setOrderableChildren(true);
        Tree createACE = createACE(addChild, "validAce", "rep:GrantACE", this.testPrincipal.getName(), "jcr:read");
        if (z) {
            TreeUtil.addChild(createACE, "rep:restrictions", "rep:Restrictions");
        }
        return addChild;
    }

    @NotNull
    private static Tree createACE(@NotNull Tree tree, @NotNull String str, @NotNull String str2, @NotNull String str3, @NotNull String... strArr) throws AccessDeniedException {
        Tree addChild = TreeUtil.addChild(tree, str, str2);
        addChild.setProperty("rep:principalName", str3);
        addChild.setProperty("rep:privileges", ImmutableList.copyOf(strArr), Type.NAMES);
        return addChild;
    }

    private static CommitFailedException assertCommitFailedException(@NotNull CommitFailedException commitFailedException, @NotNull String str, int i) {
        Assert.assertTrue(commitFailedException.isOfType(str));
        Assert.assertEquals(i, commitFailedException.getCode());
        return commitFailedException;
    }

    @Test(expected = CommitFailedException.class)
    public void testPolicyWithOutChildOrder() throws Exception {
        Tree testTree = getTestTree();
        testTree.setProperty("jcr:mixinTypes", ImmutableList.of("rep:AccessControllable"), Type.NAMES);
        TreeUtil.addChild(testTree, "rep:policy", "rep:ACL");
        try {
            this.root.commit();
        } catch (CommitFailedException e) {
            throw assertCommitFailedException(e, "AccessControl", 4);
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testOnlyRootIsRepoAccessControllable() throws Exception {
        getTestTree().setProperty("jcr:mixinTypes", ImmutableList.of("rep:RepoAccessControllable"), Type.NAMES);
        try {
            this.root.commit();
        } catch (CommitFailedException e) {
            throw assertCommitFailedException(e, "AccessControl", 12);
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testAddInvalidRepoPolicy() throws Exception {
        Tree testTree = getTestTree();
        testTree.setProperty("jcr:mixinTypes", ImmutableList.of("rep:AccessControllable"), Type.NAMES);
        TreeUtil.addChild(testTree, "rep:repoPolicy", "rep:ACL");
        try {
            this.root.commit();
        } catch (CommitFailedException e) {
            throw assertCommitFailedException(e, "AccessControl", 6);
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testAddPolicyWithAcl() throws Exception {
        addPolicyWithAcContent(new String[0]);
    }

    @Test(expected = CommitFailedException.class)
    public void testAddPolicyWithAce() throws Exception {
        addPolicyWithAcContent("validAce");
    }

    @Test(expected = CommitFailedException.class)
    public void testAddPolicyWithRestriction() throws Exception {
        addPolicyWithAcContent("validAce", "rep:restrictions");
    }

    private void addPolicyWithAcContent(@NotNull String... strArr) throws Exception {
        Tree tree = this.root.getTree(IdentifierManagerTest.ID_ROOT);
        Tree createPolicy = createPolicy(tree, true);
        Tree tree2 = createPolicy;
        for (String str : strArr) {
            tree2 = tree2.getChild(str);
        }
        TreeUtil.addChild(tree2, "rep:policy", "rep:ACL");
        TreeProvider treeProvider = getTreeProvider();
        try {
            Validator childNodeAdded = createRootValidator(tree).childNodeAdded(createPolicy.getName(), treeProvider.asNodeState(createPolicy));
            Tree tree3 = createPolicy;
            for (String str2 : strArr) {
                tree3 = tree3.getChild(str2);
                childNodeAdded = childNodeAdded.childNodeAdded(str2, treeProvider.asNodeState(tree3));
            }
            childNodeAdded.childNodeAdded("rep:policy", treeProvider.asNodeState(tree3.getChild("rep:policy")));
        } catch (CommitFailedException e) {
            throw assertCommitFailedException(e, "AccessControl", 5);
        }
    }

    @Test(expected = CommitFailedException.class)
    public void tesAddIsolatedRepPolicy() throws Exception {
        addIsolatedPolicy("rep:policy");
    }

    @Test(expected = CommitFailedException.class)
    public void tesAddIsolatedRepRepoPolicy() throws Exception {
        addIsolatedPolicy("rep:repoPolicy");
    }

    @Test(expected = CommitFailedException.class)
    public void tesAddIsolatedUnknownPolicy() throws Exception {
        addIsolatedPolicy("isolatedPolicy");
    }

    private void addIsolatedPolicy(@NotNull String str) throws Exception {
        TreeUtil.addChild(getTestTree(), str, "rep:ACL");
        try {
            this.root.commit();
        } catch (CommitFailedException e) {
            throw assertCommitFailedException(e, "AccessControl", 6);
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testAddIsolatedGrantAce() throws Exception {
        createACE(getTestTree(), "isolatedACE", "rep:GrantACE", this.testPrincipal.getName(), "jcr:read");
        try {
            this.root.commit();
        } catch (CommitFailedException e) {
            throw assertCommitFailedException(e, "AccessControl", 7);
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testAddIsolatedDenyAce() throws Exception {
        createACE(getTestTree(), "isolatedACE", "rep:DenyACE", this.testPrincipal.getName(), "jcr:read");
        try {
            this.root.commit();
        } catch (CommitFailedException e) {
            throw assertCommitFailedException(e, "AccessControl", 7);
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testAddIsolatedRestriction() throws Exception {
        TreeUtil.addChild(getTestTree(), "isolatedRestriction", "rep:Restrictions");
        try {
            this.root.commit();
        } catch (CommitFailedException e) {
            throw assertCommitFailedException(e, "AccessControl", 2);
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testInvalidPrivilege() throws Exception {
        createACE(createPolicy(getTestTree(), false), "aceWithInvalidPrivilege", "rep:GrantACE", this.testPrincipal.getName(), "invalidPrivilegeName");
        try {
            this.root.commit();
        } catch (CommitFailedException e) {
            throw assertCommitFailedException(e, "AccessControl", 10);
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testAbstractPrivilege() throws Exception {
        getPrivilegeManager(this.root).registerPrivilege("abstractPrivilege", true, new String[0]);
        createACE(createPolicy(getTestTree(), false), IdentifierManagerTest.ID_INVALID, "rep:GrantACE", this.testPrincipal.getName(), "abstractPrivilege");
        try {
            this.root.commit();
        } catch (CommitFailedException e) {
            throw assertCommitFailedException(e, "AccessControl", 11);
        }
    }

    @Test(expected = IllegalStateException.class)
    public void testValidatingPrivilegesCausesInternalError() throws Exception {
        PrivilegeConfiguration privilegeConfiguration = (PrivilegeConfiguration) Mockito.when(((PrivilegeConfiguration) Mockito.mock(PrivilegeConfiguration.class)).getPrivilegeManager((Root) ArgumentMatchers.any(Root.class), (NamePathMapper) ArgumentMatchers.any(NamePathMapper.class))).thenReturn((PrivilegeManager) Mockito.when(((PrivilegeManager) Mockito.mock(PrivilegeManager.class)).getPrivilege(ArgumentMatchers.anyString())).thenThrow(new Throwable[]{new RepositoryException()}).getMock()).getMock();
        Tree tree = this.root.getTree(IdentifierManagerTest.ID_ROOT);
        Tree createPolicy = createPolicy(tree, false);
        TreeProvider treeProvider = getTreeProvider();
        AccessControlValidatorProvider createValidatorProvider = createValidatorProvider(((AuthorizationConfiguration) getConfig(AuthorizationConfiguration.class)).getRestrictionProvider(), privilegeConfiguration);
        NodeState asNodeState = treeProvider.asNodeState(tree);
        createValidatorProvider.getRootValidator(asNodeState, asNodeState, new CommitInfo("sid", (String) null)).childNodeAdded(createPolicy.getName(), treeProvider.asNodeState(createPolicy)).childNodeAdded("validAce", treeProvider.asNodeState(createPolicy.getChild("validAce")));
    }

    @Test(expected = CommitFailedException.class)
    public void testInvalidRestriction() throws Exception {
        createPolicy(getTestTree(), true).getChild("validAce").getChild("rep:restrictions").setProperty(IdentifierManagerTest.ID_INVALID, "value");
        try {
            this.root.commit();
        } catch (CommitFailedException e) {
            throw assertCommitFailedException(e, "AccessControl", 1);
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testRestrictionWithInvalidType() throws Exception {
        createPolicy(getTestTree(), true).getChild("validAce").getChild("rep:restrictions").setProperty("rep:glob", "rep:glob", Type.NAME);
        try {
            this.root.commit();
        } catch (CommitFailedException e) {
            throw assertCommitFailedException(e, "AccessControl", 1);
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testValidatingRestrictionsCausesInternalError() throws Exception {
        RestrictionProvider restrictionProvider = (RestrictionProvider) Mockito.spy(((AuthorizationConfiguration) getConfig(AuthorizationConfiguration.class)).getRestrictionProvider());
        ((RestrictionProvider) Mockito.doAnswer(invocationOnMock -> {
            throw new RepositoryException();
        }).when(restrictionProvider)).validateRestrictions(ArgumentMatchers.anyString(), (Tree) ArgumentMatchers.any(Tree.class));
        Tree tree = this.root.getTree(IdentifierManagerTest.ID_ROOT);
        Tree createPolicy = createPolicy(tree, false);
        Tree child = createPolicy.getChild("validAce");
        child.setProperty("rep:glob", "any");
        TreeProvider treeProvider = getTreeProvider();
        AccessControlValidatorProvider createValidatorProvider = createValidatorProvider(restrictionProvider, (PrivilegeConfiguration) getConfig(PrivilegeConfiguration.class));
        NodeState asNodeState = treeProvider.asNodeState(tree);
        try {
            createValidatorProvider.getRootValidator(asNodeState, asNodeState, new CommitInfo("sid", (String) null)).childNodeAdded(createPolicy.getName(), treeProvider.asNodeState(createPolicy)).childNodeAdded(child.getName(), treeProvider.asNodeState(child));
        } catch (CommitFailedException e) {
            throw assertCommitFailedException(e, "Oak", 13);
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testDuplicateAce() throws Exception {
        JackrabbitAccessControlManager accessControlManager = getAccessControlManager(this.root);
        JackrabbitAccessControlList accessControlList = AccessControlUtils.getAccessControlList(accessControlManager, "/testRoot");
        accessControlList.addAccessControlEntry(this.testPrincipal, privilegesFromNames("jcr:addChildNodes"));
        accessControlManager.setPolicy("/testRoot", accessControlList);
        createDuplicateAceTree();
        try {
            this.root.commit();
        } catch (CommitFailedException e) {
            throw assertCommitFailedException(e, "AccessControl", 13);
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testDuplicateAceWithRestrictionInACE() throws Exception {
        JackrabbitAccessControlManager accessControlManager = getAccessControlManager(this.root);
        JackrabbitAccessControlList accessControlList = AccessControlUtils.getAccessControlList(accessControlManager, "/testRoot");
        accessControlList.addEntry(this.testPrincipal, privilegesFromNames("jcr:addChildNodes"), true, Collections.singletonMap("rep:glob", getValueFactory(this.root).createValue("some/glob")));
        accessControlManager.setPolicy("/testRoot", accessControlList);
        createDuplicateAceTree().setProperty("rep:glob", "some/glob", Type.STRING);
        try {
            this.root.commit();
        } catch (CommitFailedException e) {
            Assert.assertTrue(e.getMessage().contains("rep:glob = some/glob"));
            throw assertCommitFailedException(e, "AccessControl", 13);
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testDuplicateAceWithRestrictions() throws Exception {
        JackrabbitAccessControlManager accessControlManager = getAccessControlManager(this.root);
        JackrabbitAccessControlList accessControlList = AccessControlUtils.getAccessControlList(accessControlManager, "/testRoot");
        ValueFactory valueFactory = getValueFactory(this.root);
        accessControlList.addEntry(this.testPrincipal, privilegesFromNames("jcr:addChildNodes"), true, Collections.singletonMap("rep:glob", valueFactory.createValue("some/glob")), Collections.singletonMap("rep:globs", new Value[]{valueFactory.createValue("glob1"), valueFactory.createValue("glob2")}));
        accessControlManager.setPolicy("/testRoot", accessControlList);
        Tree addChild = TreeUtil.addChild(createDuplicateAceTree(), "rep:restrictions", "rep:Restrictions");
        addChild.setProperty("rep:glob", "some/glob", Type.STRING);
        addChild.setProperty("rep:globs", ImmutableList.of("glob1", "glob2"), Type.STRINGS);
        try {
            this.root.commit();
        } catch (CommitFailedException e) {
            String message = e.getMessage();
            Assert.assertTrue(message.contains("rep:glob = some/glob"));
            Assert.assertTrue(message.contains("rep:globs = [glob1, glob2]"));
            throw assertCommitFailedException(e, "AccessControl", 13);
        }
    }

    @NotNull
    private Tree createDuplicateAceTree() throws AccessDeniedException {
        Tree addChild = TreeUtil.addChild(this.root.getTree("/testRoot/rep:policy"), "duplicateAce", "rep:GrantACE");
        addChild.setProperty("rep:principalName", this.testPrincipal.getName());
        addChild.setProperty("rep:privileges", ImmutableList.of("jcr:addChildNodes"), Type.NAMES);
        return addChild;
    }

    @Test
    public void testAceDifferentByAllowStatus() throws Exception {
        Tree createPolicy = createPolicy(this.root.getTree(IdentifierManagerTest.ID_ROOT), false);
        Tree child = createPolicy.getChild("validAce");
        Tree addChild = TreeUtil.addChild(createPolicy, "second", "rep:DenyACE");
        addChild.setProperty(child.getProperty("rep:principalName"));
        addChild.setProperty(child.getProperty("rep:privileges"));
        this.root.commit();
    }

    @Test
    public void testAceDifferentByRestrictionValue() throws Exception {
        ValueFactory valueFactory = getValueFactory(this.root);
        JackrabbitAccessControlManager accessControlManager = getAccessControlManager(this.root);
        JackrabbitAccessControlList accessControlList = AccessControlUtils.getAccessControlList(accessControlManager, "/testRoot");
        accessControlList.addEntry(this.testPrincipal, privilegesFromNames("jcr:addChildNodes"), true, ImmutableMap.of(), ImmutableMap.of("rep:ntNames", new Value[]{valueFactory.createValue("oak:Unstructured", 7)}));
        accessControlList.addEntry(this.testPrincipal, privilegesFromNames("jcr:addChildNodes"), true, ImmutableMap.of(), ImmutableMap.of("rep:ntNames", new Value[]{valueFactory.createValue("nt:unstructured", 7)}));
        Assert.assertEquals(2L, accessControlList.getAccessControlEntries().length);
        accessControlManager.setPolicy("/testRoot", accessControlList);
        this.root.commit();
    }

    @Test
    public void hiddenNodeAdded() throws CommitFailedException {
        AccessControlValidatorProvider createValidatorProvider = createValidatorProvider();
        NodeState root = new MemoryNodeStore().getRoot();
        NodeBuilder builder = root.builder();
        NodeBuilder child = builder.child("test");
        NodeBuilder child2 = child.child(":hidden");
        Validator childNodeAdded = createValidatorProvider.getRootValidator(root, builder.getNodeState(), CommitInfo.EMPTY).childNodeAdded("test", child.getNodeState());
        Assert.assertNotNull(childNodeAdded);
        Assert.assertNull(childNodeAdded.childNodeAdded(":hidden", child2.getNodeState()));
    }

    @Test
    public void hiddenNodeChanged() throws CommitFailedException {
        AccessControlValidatorProvider createValidatorProvider = createValidatorProvider();
        NodeBuilder builder = new MemoryNodeStore().getRoot().builder();
        builder.child("test").child(":hidden");
        NodeState nodeState = builder.getNodeState();
        NodeBuilder child = nodeState.builder().child("test");
        NodeBuilder child2 = child.child(":hidden");
        child2.child("added");
        Validator childNodeChanged = createValidatorProvider.getRootValidator(nodeState, builder.getNodeState(), CommitInfo.EMPTY).childNodeChanged("test", nodeState.getChildNode("test"), child.getNodeState());
        Assert.assertNotNull(childNodeChanged);
        Assert.assertNull(childNodeChanged.childNodeChanged(":hidden", nodeState.getChildNode("test").getChildNode(":hidden"), child2.getNodeState()));
    }

    @Test
    public void hiddenNodeDeleted() throws CommitFailedException {
        AccessControlValidatorProvider createValidatorProvider = createValidatorProvider();
        NodeBuilder builder = new MemoryNodeStore().getRoot().builder();
        builder.child("test").child(":hidden");
        NodeState nodeState = builder.getNodeState();
        NodeBuilder builder2 = nodeState.builder();
        NodeBuilder child = builder2.child("test");
        child.child(":hidden").remove();
        Validator childNodeChanged = createValidatorProvider.getRootValidator(nodeState, builder2.getNodeState(), CommitInfo.EMPTY).childNodeChanged("test", nodeState.getChildNode("test"), child.getNodeState());
        Assert.assertNotNull(childNodeChanged);
        Assert.assertNull(childNodeChanged.childNodeDeleted(":hidden", nodeState.getChildNode("test").getChildNode(":hidden")));
    }

    @Test
    public void testRestrictionsUsedByOtherModule() throws Exception {
        AuthorizationConfiguration authorizationConfiguration = (AuthorizationConfiguration) Mockito.mock(AuthorizationConfiguration.class);
        Mockito.when(authorizationConfiguration.getContext()).thenReturn(new Context.Default() { // from class: org.apache.jackrabbit.oak.security.authorization.accesscontrol.AccessControlValidatorTest.1
            public boolean definesTree(@NotNull Tree tree) {
                return "differentAccessControl".equals(tree.getName());
            }
        });
        Mockito.when(authorizationConfiguration.getParameters()).thenReturn(ConfigurationParameters.EMPTY);
        SecurityProviderHelper.updateConfig(getSecurityProvider(), authorizationConfiguration, AuthorizationConfiguration.class);
        Tree addChild = TreeUtil.addChild(this.root.getTree(IdentifierManagerTest.ID_ROOT), "differentAccessControl", "oak:Unstructured");
        RestrictionProviderImpl restrictionProviderImpl = new RestrictionProviderImpl();
        restrictionProviderImpl.writeRestrictions(IdentifierManagerTest.ID_ROOT, addChild, ImmutableSet.of(restrictionProviderImpl.createRestriction(IdentifierManagerTest.ID_ROOT, "rep:itemNames", new Value[]{getValueFactory(this.root).createValue("someName", 7)})));
        this.root.commit();
    }

    @Test(expected = CommitFailedException.class)
    public void testRestrictionsUsedByOtherModule2() throws Exception {
        AuthorizationConfiguration authorizationConfiguration = (AuthorizationConfiguration) Mockito.mock(AuthorizationConfiguration.class);
        Mockito.when(authorizationConfiguration.getContext()).thenReturn(new Context.Default());
        Mockito.when(authorizationConfiguration.getParameters()).thenReturn(ConfigurationParameters.EMPTY);
        SecurityProviderHelper.updateConfig(getSecurityProvider(), authorizationConfiguration, AuthorizationConfiguration.class);
        Tree addChild = TreeUtil.addChild(this.root.getTree(IdentifierManagerTest.ID_ROOT), "notCoveredByContext", "oak:Unstructured");
        RestrictionProviderImpl restrictionProviderImpl = new RestrictionProviderImpl();
        restrictionProviderImpl.writeRestrictions(IdentifierManagerTest.ID_ROOT, addChild, ImmutableSet.of(restrictionProviderImpl.createRestriction(IdentifierManagerTest.ID_ROOT, "rep:itemNames", new Value[]{getValueFactory(this.root).createValue("someName", 7)})));
        try {
            this.root.commit();
        } catch (CommitFailedException e) {
            throw assertCommitFailedException(e, "AccessControl", 2);
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testAddPolicyTreeWithInvalidName() throws Exception {
        Tree tree = this.root.getTree(IdentifierManagerTest.ID_ROOT);
        tree.setProperty("jcr:mixinTypes", ImmutableList.of("rep:AccessControllable"), Type.NAMES);
        TreeUtil.addChild(tree, "invalidName", "rep:ACL");
        try {
            createRootValidator(tree).childNodeAdded("invalidName", (NodeState) Mockito.mock(NodeState.class));
        } catch (CommitFailedException e) {
            throw assertCommitFailedException(e, "AccessControl", 3);
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testAddEntyWithEmptyPrivileges() throws Exception {
        Tree tree = this.root.getTree(IdentifierManagerTest.ID_ROOT);
        Tree createPolicy = createPolicy(tree, false);
        Tree child = createPolicy.getChild("validAce");
        child.setProperty("rep:privileges", ImmutableList.of(), Type.NAMES);
        try {
            createRootValidator(tree).childNodeAdded(createPolicy.getName(), getTreeProvider().asNodeState(createPolicy)).childNodeAdded(child.getName(), getTreeProvider().asNodeState(child));
        } catch (CommitFailedException e) {
            throw assertCommitFailedException(e, "AccessControl", 9);
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testAddEntyWithNullrivileges() throws Exception {
        Tree tree = this.root.getTree(IdentifierManagerTest.ID_ROOT);
        Tree createPolicy = createPolicy(tree, false);
        Tree child = createPolicy.getChild("validAce");
        child.removeProperty("rep:privileges");
        try {
            createRootValidator(tree).childNodeAdded(createPolicy.getName(), getTreeProvider().asNodeState(createPolicy)).childNodeAdded(child.getName(), getTreeProvider().asNodeState(child));
        } catch (CommitFailedException e) {
            throw assertCommitFailedException(e, "AccessControl", 9);
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testAddEntyWithEmptyPrincipalName() throws Exception {
        Tree tree = this.root.getTree(IdentifierManagerTest.ID_ROOT);
        Tree createPolicy = createPolicy(tree, false);
        Tree child = createPolicy.getChild("validAce");
        child.setProperty("rep:principalName", "");
        try {
            createRootValidator(tree).childNodeAdded(createPolicy.getName(), getTreeProvider().asNodeState(createPolicy)).childNodeAdded(child.getName(), getTreeProvider().asNodeState(child));
        } catch (CommitFailedException e) {
            throw assertCommitFailedException(e, "AccessControl", 8);
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testAddEntyWithNullPrincipalName() throws Exception {
        Tree tree = this.root.getTree(IdentifierManagerTest.ID_ROOT);
        Tree createPolicy = createPolicy(tree, false);
        Tree child = createPolicy.getChild("validAce");
        child.removeProperty("rep:principalName");
        try {
            createRootValidator(tree).childNodeAdded(createPolicy.getName(), getTreeProvider().asNodeState(createPolicy)).childNodeAdded(child.getName(), getTreeProvider().asNodeState(child));
        } catch (CommitFailedException e) {
            throw assertCommitFailedException(e, "AccessControl", 8);
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testAddRepoPolicyWithAcl() throws Exception {
        addRepoPolicyWithAcContent(createPolicy(getTestTree(), false));
    }

    @Test(expected = CommitFailedException.class)
    public void testAddRepoPolicyWithAce() throws Exception {
        addRepoPolicyWithAcContent(createPolicy(getTestTree(), false).addChild("validAce"));
    }

    @Test(expected = CommitFailedException.class)
    public void testAddRepoPolicyWithRestriction() throws Exception {
        addRepoPolicyWithAcContent(createPolicy(getTestTree(), true).getChild("validAce").getChild("rep:restrictions"));
    }

    private void addRepoPolicyWithAcContent(@NotNull Tree tree) throws Exception {
        TreeUtil.addChild(tree, "rep:repoPolicy", "rep:ACL");
        try {
            this.root.commit();
            Assert.fail("Adding an ACL below access control content should fail");
        } catch (CommitFailedException e) {
            throw assertCommitFailedException(e, "Constraint", 25);
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testAddAceWithAce() throws Exception {
        addAceWithAcContent(createPolicy(getTestTree(), false).getChild("validAce"));
    }

    @Test(expected = CommitFailedException.class)
    public void testAddAceWithRestriction() throws Exception {
        addAceWithAcContent(createPolicy(getTestTree(), true).getChild("validAce").getChild("rep:restrictions"));
    }

    private void addAceWithAcContent(@NotNull Tree tree) throws Exception {
        TreeUtil.addChild(tree, "invalidACE", "rep:DenyACE");
        try {
            this.root.commit();
        } catch (CommitFailedException e) {
            throw assertCommitFailedException(e, "Constraint", 25);
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testAddRestrictionWithAcl() throws Exception {
        addRestrictionWithAcContent(createPolicy(getTestTree(), false));
    }

    @Test(expected = CommitFailedException.class)
    public void testAddRestrictionWithRestriction() throws Exception {
        addRestrictionWithAcContent(createPolicy(getTestTree(), true).getChild("validAce").getChild("rep:restrictions"));
    }

    private void addRestrictionWithAcContent(@NotNull Tree tree) throws Exception {
        TreeUtil.addChild(tree, "rep:restrictions", "rep:Restrictions");
        try {
            this.root.commit();
        } catch (CommitFailedException e) {
            throw assertCommitFailedException(e, "Constraint", 25);
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testInvalidRestrictionWithACE() throws Exception {
        TreeUtil.addChild(createPolicy(getTestTree(), false).getChild("validAce"), "invalidRestriction", "rep:Restrictions");
        try {
            this.root.commit();
        } catch (CommitFailedException e) {
            throw assertCommitFailedException(e, "Constraint", 25);
        }
    }
}
