package org.apache.jackrabbit.oak.security.authentication.token;

import java.util.Calendar;
import java.util.Date;
import java.util.UUID;
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.commons.PathUtils;
import org.apache.jackrabbit.oak.plugins.identifier.IdentifierManagerTest;
import org.apache.jackrabbit.oak.plugins.memory.PropertyStates;
import org.apache.jackrabbit.oak.plugins.tree.TreeProvider;
import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
import org.apache.jackrabbit.oak.spi.commit.CommitInfo;
import org.apache.jackrabbit.oak.spi.commit.Validator;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.authentication.token.TokenInfo;
import org.apache.jackrabbit.oak.spi.security.user.util.PasswordUtil;
import org.apache.jackrabbit.oak.spi.state.NodeState;
import org.apache.jackrabbit.util.ISO8601;
import org.jetbrains.annotations.NotNull;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.mockito.Mockito;

/* loaded from: input_file:org/apache/jackrabbit/oak/security/authentication/token/TokenValidatorTest.class */
public class TokenValidatorTest extends AbstractTokenTest {
    private String userId;

    @Override // org.apache.jackrabbit.oak.security.authentication.token.AbstractTokenTest, org.apache.jackrabbit.oak.AbstractSecurityTest
    @Before
    public void before() throws Exception {
        super.before();
        this.userId = getTestUser().getID();
    }

    private static String getDateValue() {
        Calendar calendar = Calendar.getInstance();
        calendar.setTimeInMillis(new Date().getTime());
        return ISO8601.format(calendar);
    }

    @Test
    public void testCreateReservedKeyProperty() throws Exception {
        Tree addChild = TreeUtil.addChild(this.root.getTree(IdentifierManagerTest.ID_ROOT), "testNode", "nt:unstructured");
        try {
            try {
                addChild.setProperty("rep:token.key", "anyValue");
                this.root.commit(CommitMarker.asCommitAttributes());
                Assert.fail("The reserved token key property must not used with other node types.");
                addChild.remove();
                if (this.root.hasPendingChanges()) {
                    this.root.commit();
                }
            } catch (CommitFailedException e) {
                Assert.assertEquals(60L, e.getCode());
                addChild.remove();
                if (this.root.hasPendingChanges()) {
                    this.root.commit();
                }
            }
        } catch (Throwable th) {
            addChild.remove();
            if (this.root.hasPendingChanges()) {
                this.root.commit();
            }
            throw th;
        }
    }

    @Test
    public void testCreateReservedKeyProperty2() throws Exception {
        Tree addChild = TreeUtil.addChild(this.root.getTree(IdentifierManagerTest.ID_ROOT), "testNode", "nt:unstructured");
        try {
            try {
                addChild.setProperty("rep:token.key", "anyValue");
                this.root.commit();
                Assert.fail("The reserved token key property must only be created by the TokenProvider.");
                addChild.remove();
                if (this.root.hasPendingChanges()) {
                    this.root.commit();
                }
            } catch (CommitFailedException e) {
                Assert.assertEquals(63L, e.getCode());
                addChild.remove();
                if (this.root.hasPendingChanges()) {
                    this.root.commit();
                }
            }
        } catch (Throwable th) {
            addChild.remove();
            if (this.root.hasPendingChanges()) {
                this.root.commit();
            }
            throw th;
        }
    }

    @Test
    public void testChangingTokenKey() throws Exception {
        try {
            getTokenTree(createTokenInfo(this.tokenProvider, this.userId)).setProperty("rep:token.key", PasswordUtil.buildPasswordHash("anotherValue"));
            this.root.commit(CommitMarker.asCommitAttributes());
            Assert.fail("The token key must never be modified.");
        } catch (CommitFailedException e) {
            Assert.assertEquals(61L, e.getCode());
        }
    }

    @Test
    public void testPlaintextTokenKey() {
        try {
            getTokenTree(createTokenInfo(this.tokenProvider, this.userId)).setProperty("rep:token.key", "anotherValue");
            this.root.commit(CommitMarker.asCommitAttributes());
            Assert.fail("The token key must not be plaintext.");
        } catch (CommitFailedException e) {
            Assert.assertEquals(66L, e.getCode());
        }
    }

    @Test
    public void testManuallyModifyExpirationDate() {
        try {
            getTokenTree(createTokenInfo(this.tokenProvider, this.userId)).setProperty("rep:token.exp", getDateValue(), Type.DATE);
            this.root.commit();
            Assert.fail("The token expiry must not manually be changed");
        } catch (CommitFailedException e) {
            Assert.assertEquals(63L, e.getCode());
        }
    }

    @Test
    public void testModifyExpirationDate() throws Exception {
        getTokenTree(createTokenInfo(this.tokenProvider, this.userId)).setProperty("rep:token.exp", getDateValue(), Type.DATE);
        this.root.commit(CommitMarker.asCommitAttributes());
    }

    @Test
    public void testCreateTokenAtInvalidLocationBelowTestNode() throws Exception {
        TokenInfo createTokenInfo = createTokenInfo(this.tokenProvider, this.userId);
        Assert.assertNotNull(this.tokenProvider.getTokenInfo(createTokenInfo.getToken()));
        Tree addChild = TreeUtil.addChild(this.root.getTree(IdentifierManagerTest.ID_ROOT), "testNode", "nt:unstructured");
        try {
            try {
                replaceTokenTree(createTokenInfo, addChild, "rep:Token");
                this.root.commit(CommitMarker.asCommitAttributes());
                Assert.fail("Creating a new token not  at '/testNode' must fail.");
                addChild.remove();
                this.root.commit(CommitMarker.asCommitAttributes());
            } catch (CommitFailedException e) {
                Assert.assertEquals(64L, e.getCode());
                addChild.remove();
                this.root.commit(CommitMarker.asCommitAttributes());
            }
        } catch (Throwable th) {
            addChild.remove();
            this.root.commit(CommitMarker.asCommitAttributes());
            throw th;
        }
    }

    @Test
    public void testCreateTokenAtInvalidLocationInsideUser() throws Exception {
        TokenInfo createTokenInfo = createTokenInfo(this.tokenProvider, this.userId);
        Assert.assertNotNull(this.tokenProvider.getTokenInfo(createTokenInfo.getToken()));
        Tree addChild = TreeUtil.addChild(getUserTree(this.userId), "testNode", "nt:unstructured");
        try {
            try {
                replaceTokenTree(createTokenInfo, addChild, "rep:Token");
                this.root.commit(CommitMarker.asCommitAttributes());
                Assert.fail("Creating a new token '" + addChild.getPath() + "' must fail.");
                addChild.remove();
                this.root.commit(CommitMarker.asCommitAttributes());
            } catch (CommitFailedException e) {
                Assert.assertEquals(65L, e.getCode());
                addChild.remove();
                this.root.commit(CommitMarker.asCommitAttributes());
            }
        } catch (Throwable th) {
            addChild.remove();
            this.root.commit(CommitMarker.asCommitAttributes());
            throw th;
        }
    }

    @Test
    public void testCreateTokenAtInvalidLocationInsideUser2() throws Exception {
        TokenInfo createTokenInfo = createTokenInfo(this.tokenProvider, this.userId);
        Assert.assertNotNull(this.tokenProvider.getTokenInfo(createTokenInfo.getToken()));
        Tree addChild = TreeUtil.addChild(getUserTree(this.userId), ".tokens", "rep:Unstructured");
        try {
            try {
                addChild = TreeUtil.addChild(addChild, IdentifierManagerTest.ID_INVALID, "nt:unstructured");
                replaceTokenTree(createTokenInfo, addChild, "rep:Token");
                this.root.commit(CommitMarker.asCommitAttributes());
                Assert.fail("Creating a new token '" + addChild.getPath() + "' must fail.");
                addChild.remove();
                this.root.commit(CommitMarker.asCommitAttributes());
            } catch (CommitFailedException e) {
                Assert.assertEquals(65L, e.getCode());
                addChild.remove();
                this.root.commit(CommitMarker.asCommitAttributes());
            }
        } catch (Throwable th) {
            addChild.remove();
            this.root.commit(CommitMarker.asCommitAttributes());
            throw th;
        }
    }

    @Test
    public void testManuallyCreateToken() throws Exception {
        TokenInfo createTokenInfo = createTokenInfo(this.tokenProvider, this.userId);
        Assert.assertNotNull(this.tokenProvider.getTokenInfo(createTokenInfo.getToken()));
        try {
            try {
                replaceTokenTree(createTokenInfo, getUserTree(this.userId).getChild(".tokens"), "rep:Token");
                this.root.commit();
                Assert.fail("Manually creating a token node must fail.");
                this.root.refresh();
                this.root.commit();
            } catch (CommitFailedException e) {
                Assert.assertEquals(63L, e.getCode());
                this.root.refresh();
                this.root.commit();
            }
        } catch (Throwable th) {
            this.root.refresh();
            this.root.commit();
            throw th;
        }
    }

    @Test
    public void testCreateTokenWithInvalidNodeType() throws Exception {
        TokenInfo createTokenInfo = createTokenInfo(this.tokenProvider, this.userId);
        Assert.assertNotNull(this.tokenProvider.getTokenInfo(createTokenInfo.getToken()));
        Tree tree = null;
        try {
            try {
                tree = replaceTokenTree(createTokenInfo, getUserTree(this.userId).getChild(".tokens"), "nt:unstructured");
                this.root.commit(CommitMarker.asCommitAttributes());
                Assert.fail("The token node must be of type rep:Token.");
                if (tree != null) {
                    tree.remove();
                    this.root.commit(CommitMarker.asCommitAttributes());
                }
            } catch (CommitFailedException e) {
                Assert.assertEquals(60L, e.getCode());
                if (tree != null) {
                    tree.remove();
                    this.root.commit(CommitMarker.asCommitAttributes());
                }
            }
        } catch (Throwable th) {
            if (tree != null) {
                tree.remove();
                this.root.commit(CommitMarker.asCommitAttributes());
            }
            throw th;
        }
    }

    @Test
    public void testRemoveTokenNode() throws Exception {
        getTokenTree(createTokenInfo(this.tokenProvider, this.userId)).remove();
        this.root.commit();
    }

    @Test
    public void testInvalidTokenParentNode() throws Exception {
        Tree addChild = TreeUtil.addChild(getUserTree(this.userId), "testNode", "nt:unstructured");
        try {
            try {
                TreeUtil.addChild(addChild, ".tokens", "nt:unstructured");
                this.root.commit(CommitMarker.asCommitAttributes());
                Assert.fail("Creating a new token '" + addChild.getPath() + "' must fail.");
                addChild.remove();
                this.root.commit(CommitMarker.asCommitAttributes());
            } catch (CommitFailedException e) {
                Assert.assertEquals(68L, e.getCode());
                addChild.remove();
                this.root.commit(CommitMarker.asCommitAttributes());
            }
        } catch (Throwable th) {
            addChild.remove();
            this.root.commit(CommitMarker.asCommitAttributes());
            throw th;
        }
    }

    @Test
    public void testManuallyCreateTokenParent() throws Exception {
        TreeUtil.addChild(getUserTree(this.userId), ".tokens", "rep:Unstructured");
        this.root.commit();
    }

    @Test
    public void testManuallyCreateTokenParentWithNtUnstructured() throws Exception {
        TreeUtil.addChild(getUserTree(this.userId), ".tokens", "nt:unstructured");
        this.root.commit();
    }

    @Test
    public void testTokensNodeBelowRoot() throws Exception {
        Tree tree = null;
        try {
            try {
                tree = TreeUtil.addChild(this.root.getTree(IdentifierManagerTest.ID_ROOT), ".tokens", "rep:Unstructured");
                this.root.commit();
                Assert.fail("The token parent node must be located below the configured user root.");
                if (tree != null) {
                    tree.remove();
                    this.root.commit(CommitMarker.asCommitAttributes());
                }
            } catch (CommitFailedException e) {
                Assert.assertEquals(64L, e.getCode());
                if (tree != null) {
                    tree.remove();
                    this.root.commit(CommitMarker.asCommitAttributes());
                }
            }
        } catch (Throwable th) {
            if (tree != null) {
                tree.remove();
                this.root.commit(CommitMarker.asCommitAttributes());
            }
            throw th;
        }
    }

    @Test
    public void testTokensNodeAtInvalidPathBelowUser() throws Exception {
        Tree tree = null;
        try {
            try {
                tree = TreeUtil.addChild(getUserTree(this.userId), "test", "nt:unstructured");
                TreeUtil.addChild(tree, ".tokens", "rep:Unstructured");
                this.root.commit();
                Assert.fail("The token parent node must be located below the user home node.");
                if (tree != null) {
                    tree.remove();
                    this.root.commit(CommitMarker.asCommitAttributes());
                }
            } catch (CommitFailedException e) {
                Assert.assertEquals(68L, e.getCode());
                if (tree != null) {
                    tree.remove();
                    this.root.commit(CommitMarker.asCommitAttributes());
                }
            }
        } catch (Throwable th) {
            if (tree != null) {
                tree.remove();
                this.root.commit(CommitMarker.asCommitAttributes());
            }
            throw th;
        }
    }

    @Test
    public void testChangeTokenParentPrimaryTypeToRepUnstructured() throws Exception {
        Tree addChild = TreeUtil.addChild(getUserTree(this.userId), ".tokens", "nt:unstructured");
        this.root.commit();
        addChild.setProperty("jcr:primaryType", "rep:Unstructured", Type.NAME);
        this.root.commit();
    }

    @Test
    public void testChangeTokenParentPrimaryType() {
        try {
            getTokenTree(createTokenInfo(this.tokenProvider, this.userId)).getParent().setProperty("jcr:primaryType", "nt:unstructured", Type.NAME);
            this.root.commit();
            Assert.fail("The primary type of the token parent must not be changed from rep:Unstructured to another type.");
        } catch (CommitFailedException e) {
            Assert.assertEquals(69L, e.getCode());
        } finally {
            this.root.refresh();
        }
    }

    @Test
    public void testChangeRegularRepUnstructuredPrimaryType() throws Exception {
        Tree orAddChild = TreeUtil.getOrAddChild(getUserTree(this.userId), "test", "rep:Unstructured");
        this.root.commit();
        orAddChild.setProperty("jcr:primaryType", "nt:unstructured", Type.NAME);
        this.root.commit();
    }

    @Test
    public void testChangeToReservedTokenNodeType() throws Exception {
        String str = getTestUser().getPath() + IdentifierManagerTest.ID_ROOT + ".tokens";
        String str2 = str + "/node";
        try {
            try {
                Tree addChild = this.root.getTree(getTestUser().getPath()).addChild(".tokens");
                addChild.setProperty("jcr:primaryType", "nt:unstructured", Type.NAME);
                addChild.addChild("node").setProperty("jcr:primaryType", "nt:unstructured", Type.NAME);
                this.root.commit();
                Tree tree = this.root.getTree(str2);
                tree.setProperty("jcr:primaryType", "rep:Token", Type.NAME);
                tree.setProperty("jcr:uuid", UUID.randomUUID().toString());
                tree.setProperty("rep:token.key", PasswordUtil.buildPasswordHash("key"));
                tree.setProperty("rep:token.exp", getDateValue(), Type.DATE);
                this.root.commit(CommitMarker.asCommitAttributes());
                this.root.refresh();
                this.root.getTree(str).remove();
                this.root.commit();
            } catch (CommitFailedException e) {
                Assert.assertEquals(62L, e.getCode());
                this.root.refresh();
                this.root.getTree(str).remove();
                this.root.commit();
            }
        } catch (Throwable th) {
            this.root.refresh();
            this.root.getTree(str).remove();
            this.root.commit();
            throw th;
        }
    }

    @Test
    public void testReservedPropertyAddedValidParent() throws Exception {
        Tree addChild = TreeUtil.addChild(this.root.getTree(IdentifierManagerTest.ID_ROOT), "name", "rep:Token");
        createRootValidator(addChild, addChild).propertyAdded(PropertyStates.createProperty("rep:token.exp", "anyValue"));
    }

    @Test(expected = CommitFailedException.class)
    public void testReservedPropertyAddedInvalidParent() throws Exception {
        Tree tree = this.root.getTree(IdentifierManagerTest.ID_ROOT);
        try {
            createRootValidator(tree, tree).propertyAdded(PropertyStates.createProperty("rep:token.exp", "anyValue"));
        } catch (CommitFailedException e) {
            Assert.assertTrue(e.isConstraintViolation());
            Assert.assertEquals(60L, e.getCode());
            throw e;
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testAddTokenTreeMissingKey() throws Exception {
        Tree tokenTree = getTokenTree(createTokenInfo(this.tokenProvider, this.userId));
        tokenTree.removeProperty("rep:token.key");
        Tree tree = this.root.getTree(IdentifierManagerTest.ID_ROOT);
        try {
            try {
                createValidator(tree, tree, tokenTree.getParent().getPath(), false).childNodeAdded(tokenTree.getName(), getTreeProvider().asNodeState(tokenTree));
                this.root.refresh();
            } catch (CommitFailedException e) {
                Assert.assertTrue(e.isConstraintViolation());
                Assert.assertEquals(66L, e.getCode());
                throw e;
            }
        } catch (Throwable th) {
            this.root.refresh();
            throw th;
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testAddTokenTreeMissingTokensParent() throws Exception {
        Tree tokenTree = getTokenTree(createTokenInfo(this.tokenProvider, this.userId));
        this.root.move(tokenTree.getPath(), PathUtils.concat(getTestUser().getPath(), tokenTree.getName()));
        Tree tree = this.root.getTree(IdentifierManagerTest.ID_ROOT);
        try {
            try {
                createValidator(tree, tree, getTestUser().getPath(), true).childNodeAdded(tokenTree.getName(), (NodeState) Mockito.mock(NodeState.class));
                this.root.refresh();
            } catch (CommitFailedException e) {
                Assert.assertTrue(e.isConstraintViolation());
                Assert.assertEquals(65L, e.getCode());
                throw e;
            }
        } catch (Throwable th) {
            this.root.refresh();
            throw th;
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testAddTokenTreeMissingUserGrandParent() throws Exception {
        Tree tokenTree = getTokenTree(createTokenInfo(this.tokenProvider, this.userId));
        Tree parent = tokenTree.getParent();
        this.root.move(parent.getPath(), PathUtils.concat(PathUtils.getParentPath(getTestUser().getPath()), parent.getName()));
        try {
            try {
                NodeState asNodeState = getTreeProvider().asNodeState(parent);
                Validator rootValidator = new TokenValidatorProvider(ConfigurationParameters.EMPTY, (TreeProvider) Mockito.when(((TreeProvider) Mockito.mock(TreeProvider.class)).createReadOnlyTree(asNodeState)).thenReturn(parent).getMock()).getRootValidator(asNodeState, asNodeState, new CommitInfo("sid", "uid", CommitMarker.asCommitAttributes()));
                Assert.assertNotNull(rootValidator);
                rootValidator.childNodeChanged(tokenTree.getName(), (NodeState) Mockito.mock(NodeState.class), (NodeState) Mockito.mock(NodeState.class));
                this.root.refresh();
            } catch (CommitFailedException e) {
                Assert.assertTrue(e.isConstraintViolation());
                Assert.assertEquals(65L, e.getCode());
                throw e;
            }
        } catch (Throwable th) {
            this.root.refresh();
            throw th;
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testAddTokenTreeInvalidKey() throws Exception {
        Tree tokenTree = getTokenTree(createTokenInfo(this.tokenProvider, this.userId));
        tokenTree.setProperty("rep:token.key", "someValue");
        Tree tree = this.root.getTree(IdentifierManagerTest.ID_ROOT);
        try {
            try {
                createValidator(tree, tree, tokenTree.getParent().getPath(), true).childNodeAdded(tokenTree.getName(), getTreeProvider().asNodeState(tokenTree));
                this.root.refresh();
            } catch (CommitFailedException e) {
                Assert.assertTrue(e.isConstraintViolation());
                Assert.assertEquals(66L, e.getCode());
                throw e;
            }
        } catch (Throwable th) {
            this.root.refresh();
            throw th;
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testAddTokenTreeMissingExpiry() throws Exception {
        Tree tokenTree = getTokenTree(createTokenInfo(this.tokenProvider, this.userId));
        tokenTree.removeProperty("rep:token.exp");
        Tree tree = this.root.getTree(IdentifierManagerTest.ID_ROOT);
        try {
            try {
                createValidator(tree, tree, tokenTree.getParent().getPath(), false).childNodeAdded(tokenTree.getName(), getTreeProvider().asNodeState(tokenTree));
                this.root.refresh();
            } catch (CommitFailedException e) {
                Assert.assertTrue(e.isConstraintViolation());
                Assert.assertEquals(67L, e.getCode());
                throw e;
            }
        } catch (Throwable th) {
            this.root.refresh();
            throw th;
        }
    }

    @Test(expected = IllegalStateException.class)
    public void testIllegalValidatorSequence() throws Exception {
        Tree tokenTree = getTokenTree(createTokenInfo(this.tokenProvider, this.userId));
        Tree tree = this.root.getTree(IdentifierManagerTest.ID_ROOT);
        createValidator(tree, tree, tokenTree.getParent().getPath(), true).childNodeChanged(tokenTree.getName(), (NodeState) Mockito.mock(NodeState.class), (NodeState) Mockito.mock(NodeState.class));
    }

    @NotNull
    private Validator createRootValidator(@NotNull Tree tree, @NotNull Tree tree2) {
        Validator rootValidator = new TokenValidatorProvider(ConfigurationParameters.EMPTY, getTreeProvider()).getRootValidator(getTreeProvider().asNodeState(tree), getTreeProvider().asNodeState(tree2), new CommitInfo("sid", "uid", CommitMarker.asCommitAttributes()));
        Assert.assertNotNull(rootValidator);
        return rootValidator;
    }

    @NotNull
    private Validator createValidator(@NotNull Tree tree, @NotNull Tree tree2, @NotNull String str, boolean z) throws CommitFailedException {
        TokenValidatorProvider tokenValidatorProvider = new TokenValidatorProvider(ConfigurationParameters.EMPTY, getTreeProvider());
        NodeState asNodeState = getTreeProvider().asNodeState(tree);
        NodeState asNodeState2 = getTreeProvider().asNodeState(tree2);
        Validator rootValidator = tokenValidatorProvider.getRootValidator(asNodeState, asNodeState2, new CommitInfo("sid", "uid", CommitMarker.asCommitAttributes()));
        for (String str2 : PathUtils.elements(str)) {
            Assert.assertNotNull(rootValidator);
            asNodeState = asNodeState.getChildNode(str2);
            asNodeState2 = asNodeState2.getChildNode(str2);
            rootValidator = z ? rootValidator.childNodeAdded(str2, asNodeState2) : rootValidator.childNodeChanged(str2, asNodeState, asNodeState2);
        }
        Assert.assertNotNull(rootValidator);
        return rootValidator;
    }
}
