package org.apache.jackrabbit.oak.security.user;

import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import javax.jcr.Credentials;
import javax.jcr.SimpleCredentials;
import javax.security.auth.Subject;
import javax.security.auth.login.CredentialExpiredException;
import javax.security.auth.login.LoginException;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.oak.AbstractSecurityTest;
import org.apache.jackrabbit.oak.api.ContentRepository;
import org.apache.jackrabbit.oak.api.ContentSession;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.plugins.nodetype.ReadOnlyNodeTypeManager;
import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.authentication.SystemSubject;
import org.jetbrains.annotations.NotNull;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;

/* loaded from: input_file:org/apache/jackrabbit/oak/security/user/PasswordExpiryAdminTest.class */
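/**
 * Tests password expiry for the {@code admin} user when the user configuration sets
 * {@code passwordMaxAge} and explicitly enables {@code passwordExpiryForAdmin}.
 *
 * <p>The fixture uses the user id as the password throughout; the tests rely on that when
 * building {@link SimpleCredentials} and when changing the password.
 */
public class PasswordExpiryAdminTest extends AbstractSecurityTest {
    private User user;
    private String userId;

    /**
     * Runs the parent setup, then resolves the {@code admin} user and caches its id.
     *
     * @throws Exception if the parent setup or the user lookup fails
     */
    @Override
    @Before
    public void before() throws Exception {
        super.before();
        this.user = getUserManager(this.root).getAuthorizable("admin", User.class);
        this.userId = this.user.getID();
    }

    /**
     * Supplies the security configuration under test: a user configuration with
     * {@code passwordMaxAge} set to 10 and {@code passwordExpiryForAdmin} enabled.
     *
     * @return the nested configuration parameters keyed by the user configuration name
     */
    @Override
    public ConfigurationParameters getSecurityConfigParameters() {
        ConfigurationParameters userParams =
                ConfigurationParameters.of("passwordMaxAge", 10, "passwordExpiryForAdmin", true);
        return ConfigurationParameters.of("org.apache.jackrabbit.oak.user", userParams);
    }

    /**
     * Opens the administrative session as {@link SystemSubject#INSTANCE} with {@code null}
     * credentials and {@code null} workspace name, instead of logging in with a password.
     *
     * @param contentRepository the repository to log in to
     * @return the session obtained inside the privileged action
     * @throws RuntimeException wrapping the {@link PrivilegedActionException} if the login fails
     */
    @Override
    @NotNull
    protected ContentSession createAdminSession(@NotNull ContentRepository contentRepository) {
        // The explicit functional-interface cast is required: Subject.doAs is overloaded for
        // PrivilegedAction and PrivilegedExceptionAction, and a bare zero-argument lambda
        // matches both. The checked exceptions thrown by login() need the *ExceptionAction form.
        PrivilegedExceptionAction<ContentSession> systemLogin =
                () -> contentRepository.login((Credentials) null, (String) null);
        try {
            return Subject.doAs(SystemSubject.INSTANCE, systemLogin);
        } catch (PrivilegedActionException e) {
            throw new RuntimeException(e);
        }
    }

    /** Returns the {@code rep:pwd} child of the user's tree, read from the current root. */
    private Tree passwordNode() throws Exception {
        return this.root.getTree(this.user.getPath()).getChild("rep:pwd");
    }

    /** Reads {@code rep:passwordLastModified} from the {@code rep:pwd} node as a long. */
    private long passwordLastModified() throws Exception {
        return passwordNode().getProperty("rep:passwordLastModified").getValue(Type.LONG, 0);
    }

    /**
     * Verifies the shape of the {@code rep:pwd} node: it exists, is of type
     * {@code rep:Password}, is protected, carries a positive LONG
     * {@code rep:passwordLastModified}, and that property is not exposed through the
     * {@link User} API.
     */
    @Test
    public void testUserNode() throws Exception {
        Tree pwdTree = passwordNode();
        Assert.assertTrue(pwdTree.exists());
        Assert.assertTrue(TreeUtil.isNodeType(pwdTree, "rep:Password", this.root.getTree("/jcr:system/jcr:nodeTypes")));
        Assert.assertTrue(ReadOnlyNodeTypeManager.getInstance(this.root, getNamePathMapper())
                .getDefinition(pwdTree.getParent(), pwdTree)
                .isProtected());

        PropertyState lastModified = pwdTree.getProperty("rep:passwordLastModified");
        Assert.assertNotNull(lastModified);
        Assert.assertEquals(Type.LONG, lastModified.getType());
        long timestamp = lastModified.getValue(Type.LONG, 0);
        Assert.assertTrue(timestamp > 0);

        // The timestamp must not be readable as an ordinary user property.
        Assert.assertFalse(this.user.hasProperty("rep:pwd/rep:passwordLastModified"));
    }

    /** Verifies that changing the password moves {@code rep:passwordLastModified} forward. */
    @Test
    public void testChangePassword() throws Exception {
        long before = passwordLastModified();
        Assert.assertTrue(before > 0);

        // Make sure the clock has advanced so the new timestamp can be strictly greater.
        waitForSystemTimeIncrement(before);
        this.user.changePassword(this.user.getID());
        this.root.commit();

        Assert.assertTrue(passwordLastModified() > before);
    }

    /** Verifies that the untouched admin user can authenticate with its password. */
    @Test
    public void testAuthenticatePasswordExpiredNewUser() throws Exception {
        UserAuthentication authentication = new UserAuthentication(getUserConfiguration(), this.root, this.userId);
        SimpleCredentials credentials = new SimpleCredentials(this.userId, this.userId.toCharArray());
        Assert.assertTrue(authentication.authenticate(credentials));
    }

    /**
     * Verifies that the correct password is rejected with {@link CredentialExpiredException}
     * once {@code rep:passwordLastModified} has been reset to 0.
     */
    @Test
    public void testAuthenticatePasswordExpired() throws Exception {
        UserAuthentication authentication = new UserAuthentication(getUserConfiguration(), this.root, this.userId);
        passwordNode().setProperty("rep:passwordLastModified", 0);
        this.root.commit();
        try {
            authentication.authenticate(new SimpleCredentials(this.userId, this.userId.toCharArray()));
            Assert.fail("Credentials should be expired");
        } catch (CredentialExpiredException expected) {
            // expected: the admin password is subject to expiry in this configuration
        }
    }

    /**
     * Verifies that a wrong password on an expired account is reported as a plain
     * {@link LoginException} rather than as {@link CredentialExpiredException}, so that the
     * expiry state is not revealed to a caller who does not know the password.
     */
    @Test
    public void testAuthenticateBeforePasswordExpired() throws Exception {
        UserAuthentication authentication = new UserAuthentication(getUserConfiguration(), this.root, this.userId);
        passwordNode().setProperty("rep:passwordLastModified", 0);
        this.root.commit();
        try {
            authentication.authenticate(new SimpleCredentials(this.userId, "wrong".toCharArray()));
            // NOTE(review): a normal return is not treated as a failure here; consider asserting
            // on it if authenticate is expected to always throw for a wrong password.
        } catch (CredentialExpiredException e) {
            // CredentialExpiredException is a LoginException subtype, so it has to be caught
            // first; with the order reversed this branch can never run.
            Assert.fail("Login should fail before expiry");
        } catch (LoginException expected) {
            // expected: the password mismatch is reported, not the expiry
        }
    }

    /**
     * Verifies that changing the password after expiry makes authentication succeed again
     * on the same {@link UserAuthentication} instance.
     */
    @Test
    public void testAuthenticatePasswordExpiredChangePassword() throws Exception {
        UserAuthentication authentication = new UserAuthentication(getUserConfiguration(), this.root, this.userId);
        passwordNode().setProperty("rep:passwordLastModified", 0);
        this.root.commit();

        this.user.changePassword(this.userId);
        this.root.commit();

        SimpleCredentials credentials = new SimpleCredentials(this.userId, this.userId.toCharArray());
        Assert.assertTrue(authentication.authenticate(credentials));
    }
}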
