package org.apache.jackrabbit.oak.security.user;

import javax.jcr.SimpleCredentials;
import javax.security.auth.login.CredentialExpiredException;
import javax.security.auth.login.LoginException;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.oak.AbstractSecurityTest;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.user.UserConstants;
import org.apache.jackrabbit.oak.spi.security.user.util.PasswordUtil;
import org.jetbrains.annotations.Nullable;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;

/* loaded from: input_file:org/apache/jackrabbit/oak/security/user/ResetExpiredPasswordTest.class */
public class ResetExpiredPasswordTest extends AbstractSecurityTest implements UserConstants {
    private String userId;
    private SimpleCredentials creds;

    @Override // org.apache.jackrabbit.oak.AbstractSecurityTest
    @Before
    public void before() throws Exception {
        super.before();
        User testUser = getTestUser();
        this.userId = testUser.getID();
        this.root.getTree(testUser.getPath()).getChild("rep:pwd").setProperty("rep:passwordLastModified", 0);
        this.root.commit();
    }

    @Override // org.apache.jackrabbit.oak.AbstractSecurityTest
    protected ConfigurationParameters getSecurityConfigParameters() {
        return ConfigurationParameters.of("org.apache.jackrabbit.oak.user", ConfigurationParameters.of("passwordMaxAge", 10));
    }

    private void authenticate(String str, Object obj) throws LoginException {
        this.creds = new SimpleCredentials(this.userId, str.toCharArray());
        this.creds.setAttribute("user.newpassword", obj);
        new UserAuthentication(getUserConfiguration(), this.root, this.userId).authenticate(this.creds);
    }

    private static void assertCredentials(@Nullable SimpleCredentials simpleCredentials) {
        Assert.assertNotNull(simpleCredentials);
        Assert.assertNull(simpleCredentials.getAttribute("user.newpassword"));
    }

    @Test
    public void testPasswordChangePersisted() throws Exception {
        authenticate(this.userId, "newPw");
        Assert.assertTrue(PasswordUtil.isSame((String) login(getAdminCredentials()).getLatestRoot().getTree(getTestUser().getPath()).getProperty("rep:password").getValue(Type.STRING), "newPw"));
        assertCredentials(this.creds);
    }

    @Test
    public void testAuthenticatePasswordExpiredThenChanged() throws Exception {
        authenticate(this.userId, this.userId);
        assertCredentials(this.creds);
    }

    @Test
    public void testChangeWithWrongPw() throws Exception {
        try {
            authenticate("wrongPw", "newPw");
            Assert.fail("Authentication with wrong expired password should fail and should not reset pw.");
        } catch (LoginException e) {
        } finally {
            Tree tree = this.root.getTree(getTestUser().getPath());
            Assert.assertTrue(PasswordUtil.isSame((String) tree.getProperty("rep:password").getValue(Type.STRING), this.userId));
            Assert.assertEquals(0L, ((Long) tree.getChild("rep:pwd").getProperty("rep:passwordLastModified").getValue(Type.LONG)).longValue());
            assertCredentials(this.creds);
        }
    }

    @Test
    public void testChangeWithNonStringAttribute() throws Exception {
        try {
            authenticate(this.userId, 1L);
            Assert.fail("Authentication with non-string attribute should fail.");
        } catch (CredentialExpiredException e) {
        } finally {
            Tree tree = this.root.getTree(getTestUser().getPath());
            Assert.assertTrue(PasswordUtil.isSame((String) tree.getProperty("rep:password").getValue(Type.STRING), this.userId));
            Assert.assertEquals(0L, ((Long) tree.getChild("rep:pwd").getProperty("rep:passwordLastModified").getValue(Type.LONG)).longValue());
            assertCredentials(this.creds);
        }
    }
}
