package org.apache.jackrabbit.oak.security.authorization.restriction;

import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import java.util.Iterator;
import java.util.Set;
import javax.jcr.Value;
import javax.jcr.ValueFactory;
import javax.jcr.security.AccessControlException;
import org.apache.jackrabbit.oak.AbstractSecurityTest;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.plugins.identifier.IdentifierManagerTest;
import org.apache.jackrabbit.oak.plugins.memory.PropertyStates;
import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.CompositePattern;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.CompositeRestrictionProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionDefinitionImpl;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionImpl;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;

/* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/restriction/CompositeRestrictionProviderTest.class */
public class CompositeRestrictionProviderTest extends AbstractSecurityTest implements AccessControlConstants {
    private RestrictionProvider rp1 = new TestProvider(ImmutableMap.of("rep:glob", new RestrictionDefinitionImpl("rep:glob", Type.STRING, false), "rep:ntNames", new RestrictionDefinitionImpl("rep:ntNames", Type.NAMES, false), "rep:prefixes", new RestrictionDefinitionImpl("rep:prefixes", Type.STRINGS, false)));
    private RestrictionProvider rp2 = new TestProvider(ImmutableMap.of("boolean", new RestrictionDefinitionImpl("boolean", Type.BOOLEAN, true), "longs", new RestrictionDefinitionImpl("longs", Type.LONGS, false)));
    private RestrictionProvider rp3 = new TestProvider(ImmutableMap.of("string", new RestrictionDefinitionImpl("string", Type.STRING, false)), true);
    private Set<String> supported = ImmutableSet.of("boolean", "longs", "rep:ntNames", "rep:glob");
    private RestrictionProvider provider = CompositeRestrictionProvider.newInstance(new RestrictionProvider[]{this.rp1, this.rp2});
    private ValueFactory vf;

    @Override // org.apache.jackrabbit.oak.AbstractSecurityTest
    @Before
    public void before() throws Exception {
        super.before();
        this.vf = getValueFactory();
    }

    @Override // org.apache.jackrabbit.oak.AbstractSecurityTest
    @After
    public void after() throws Exception {
        try {
            this.root.refresh();
        } finally {
            super.after();
        }
    }

    @Test
    public void testReadRestrictions() throws Exception {
        Tree addChild = TreeUtil.addChild(this.root.getTree(IdentifierManagerTest.ID_ROOT), "test", "rep:GrantACE");
        addChild.setProperty("boolean", true);
        addChild.setProperty(PropertyStates.createProperty("longs", ImmutableList.of(this.vf.createValue(10L), this.vf.createValue(290L))));
        addChild.setProperty("rep:glob", "*");
        addChild.setProperty("rep:ntNames", ImmutableSet.of(), Type.NAMES);
        addChild.setProperty(IdentifierManagerTest.ID_INVALID, "val");
        addChild.setProperty("invalid2", ImmutableList.of("val1", "val2", "val3"), Type.STRINGS);
        Set readRestrictions = this.provider.readRestrictions("/test", addChild);
        Assert.assertEquals(4L, readRestrictions.size());
        Iterator it = readRestrictions.iterator();
        while (it.hasNext()) {
            if (!this.supported.contains(((Restriction) it.next()).getDefinition().getName())) {
                Assert.fail("read unsupported restriction");
            }
        }
    }

    @Test
    public void testWriteRestrictions() throws Exception {
        this.provider.writeRestrictions("/test", TreeUtil.addChild(this.root.getTree(IdentifierManagerTest.ID_ROOT), "test", "rep:GrantACE"), ImmutableSet.of(this.provider.createRestriction("/test", "boolean", this.vf.createValue(true)), this.provider.createRestriction("/test", "longs", new Value[0]), this.provider.createRestriction("/test", "rep:glob", this.vf.createValue("*")), this.provider.createRestriction("/test", "rep:ntNames", new Value[]{this.vf.createValue("nt:base", 7), this.vf.createValue("nt:version", 7)})));
    }

    @Test
    public void testWriteUnsupportedRestrictions() throws Exception {
        try {
            this.provider.writeRestrictions("/test", TreeUtil.addChild(this.root.getTree(IdentifierManagerTest.ID_ROOT), "test", "rep:GrantACE"), ImmutableSet.of(new RestrictionImpl(PropertyStates.createProperty(IdentifierManagerTest.ID_INVALID, this.vf.createValue(true)), false)));
            Assert.fail("AccessControlException expected");
        } catch (AccessControlException e) {
        }
    }

    @Test
    public void testValidateRestrictions() throws Exception {
        Tree addChild = TreeUtil.addChild(this.root.getTree(IdentifierManagerTest.ID_ROOT), "test", "rep:GrantACE");
        Tree addChild2 = TreeUtil.addChild(addChild, "rep:restrictions", "rep:Restrictions");
        addChild2.setProperty("boolean", true);
        addChild2.setProperty(PropertyStates.createProperty("longs", ImmutableList.of(this.vf.createValue(10L), this.vf.createValue(290L))));
        addChild2.setProperty("rep:glob", "*");
        addChild2.setProperty("rep:ntNames", ImmutableList.of(), Type.NAMES);
        this.provider.validateRestrictions("/test", addChild);
        addChild2.removeProperty("boolean");
        try {
            this.provider.validateRestrictions("/test", addChild);
            Assert.fail("validation should detect missing mandatory restrictions");
        } catch (AccessControlException e) {
        }
        addChild2.setProperty("boolean", "nt:base", Type.NAME);
        try {
            this.provider.validateRestrictions("/test", addChild);
            Assert.fail("validation should detect wrong restriction type");
            addChild2.setProperty("boolean", true);
        } catch (AccessControlException e2) {
            addChild2.setProperty("boolean", true);
        } catch (Throwable th) {
            addChild2.setProperty("boolean", true);
            throw th;
        }
        addChild2.setProperty("rep:glob", ImmutableList.of("*", "/jcr:content"), Type.STRINGS);
        try {
            this.provider.validateRestrictions("/test", addChild);
            Assert.fail("validation should detect wrong restriction type (multi vs single valued)");
        } catch (AccessControlException e3) {
        }
    }

    @Test
    public void testValidateRestrictionsAtEntryNode() throws Exception {
        Tree addChild = TreeUtil.addChild(this.root.getTree(IdentifierManagerTest.ID_ROOT), "test", "rep:GrantACE");
        addChild.setProperty("boolean", true);
        addChild.setProperty(PropertyStates.createProperty("longs", ImmutableList.of(this.vf.createValue(10L), this.vf.createValue(290L))));
        addChild.setProperty("rep:glob", "*");
        addChild.setProperty("rep:ntNames", ImmutableList.of(), Type.NAMES);
        this.provider.validateRestrictions("/test", addChild);
    }

    @Test
    public void testValidateInvalidRestrictionDef() throws Exception {
        RestrictionProvider newInstance = CompositeRestrictionProvider.newInstance(new RestrictionProvider[]{this.rp1, this.rp3});
        Tree addChild = TreeUtil.addChild(this.root.getTree(IdentifierManagerTest.ID_ROOT), "test", "rep:GrantACE");
        TreeUtil.addChild(addChild, "rep:restrictions", "rep:Restrictions").setProperty(PropertyStates.createProperty("longs", ImmutableList.of(this.vf.createValue(10L), this.vf.createValue(290L))));
        try {
            newInstance.validateRestrictions("/test", addChild);
            Assert.fail("Validation must detect invalid restriction definition");
        } catch (AccessControlException e) {
        }
    }

    @Test
    public void testValidateUnsupportedRestriction() throws Exception {
        RestrictionProvider newInstance = CompositeRestrictionProvider.newInstance(new RestrictionProvider[]{this.rp1, this.rp3});
        Tree addChild = TreeUtil.addChild(this.root.getTree(IdentifierManagerTest.ID_ROOT), "test", "rep:GrantACE");
        TreeUtil.addChild(addChild, "rep:restrictions", "rep:Restrictions").setProperty("unsupported", "value");
        try {
            newInstance.validateRestrictions("/test", addChild);
            Assert.fail("Validation must detect unsupported restriction");
        } catch (AccessControlException e) {
        }
    }

    @Test
    public void testGetRestrictionPattern() throws Exception {
        Tree addChild = TreeUtil.addChild(this.root.getTree(IdentifierManagerTest.ID_ROOT), "test", "rep:GrantACE");
        Tree addChild2 = TreeUtil.addChild(addChild, "rep:restrictions", "rep:Restrictions");
        addChild2.setProperty("rep:glob", "*");
        Assert.assertFalse(this.provider.getPattern("/test", addChild) instanceof CompositePattern);
        addChild2.setProperty("boolean", true);
        addChild2.setProperty(PropertyStates.createProperty("longs", ImmutableList.of(this.vf.createValue(10L), this.vf.createValue(290L))));
        Assert.assertTrue(this.provider.getPattern("/test", addChild2) instanceof CompositePattern);
    }
}
