package org.apache.jackrabbit.oak.security.user;

import java.util.ArrayList;
import java.util.Iterator;
import java.util.UUID;
import javax.jcr.RepositoryException;
import javax.security.auth.Subject;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.oak.AbstractSecurityTest;
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.ContentSession;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.plugins.identifier.IdentifierManagerTest;
import org.apache.jackrabbit.oak.plugins.memory.PropertyStates;
import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
import org.apache.jackrabbit.oak.spi.commit.CommitInfo;
import org.apache.jackrabbit.oak.spi.commit.Validator;
import org.apache.jackrabbit.oak.spi.security.authentication.SystemSubject;
import org.apache.jackrabbit.oak.spi.state.NodeState;
import org.jetbrains.annotations.NotNull;
import org.junit.Assert;
import org.junit.Test;

/* loaded from: input_file:org/apache/jackrabbit/oak/security/user/CacheValidatorProviderTest.class */
public class CacheValidatorProviderTest extends AbstractSecurityTest {
    private Group testGroup;
    private Authorizable[] authorizables;

    @Override // org.apache.jackrabbit.oak.AbstractSecurityTest
    public void before() throws Exception {
        super.before();
        this.testGroup = getUserManager(this.root).createGroup("testGroup_" + UUID.randomUUID());
        this.root.commit();
        this.authorizables = new Authorizable[]{getTestUser(), this.testGroup};
    }

    @Override // org.apache.jackrabbit.oak.AbstractSecurityTest
    public void after() throws Exception {
        try {
            this.root.refresh();
            if (this.testGroup != null) {
                this.testGroup.remove();
                this.root.commit();
            }
        } finally {
            super.after();
        }
    }

    private Tree getAuthorizableTree(@NotNull Authorizable authorizable) throws RepositoryException {
        return this.root.getTree(authorizable.getPath());
    }

    private Tree getCache(@NotNull Authorizable authorizable) throws Exception {
        ContentSession contentSession = (ContentSession) Subject.doAs(SystemSubject.INSTANCE, () -> {
            return login(null);
        });
        try {
            Root latestRoot = contentSession.getLatestRoot();
            TreeUtil.getOrAddChild(latestRoot.getTree(authorizable.getPath()), "rep:cache", "rep:Cache").setProperty("rep:expiration", 1L, Type.LONG);
            latestRoot.commit(CacheValidatorProvider.asCommitAttributes());
            if (contentSession != null) {
                contentSession.close();
            }
            this.root.refresh();
            return this.root.getTree(authorizable.getPath()).getChild("rep:cache");
        } catch (Throwable th) {
            if (contentSession != null) {
                try {
                    contentSession.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testCreateCacheByName() throws RepositoryException {
        for (Authorizable authorizable : this.authorizables) {
            try {
                TreeUtil.addChild(getAuthorizableTree(authorizable), "rep:cache", "nt:unstructured");
                this.root.commit();
                Assert.fail("Creating rep:cache node below a user or group must fail.");
            } catch (CommitFailedException e) {
                Assert.assertTrue(e.isConstraintViolation());
                Assert.assertEquals(34L, e.getCode());
            }
        }
    }

    @Test
    public void testCreateCacheByNodeType() throws RepositoryException {
        for (Authorizable authorizable : this.authorizables) {
            try {
                TreeUtil.addChild(getAuthorizableTree(authorizable), "childNode", "rep:Cache").setProperty("rep:expiration", 1L, Type.LONG);
                this.root.commit();
                Assert.fail("Creating node with nt rep:Cache below a user or group must fail.");
            } catch (CommitFailedException e) {
                Assert.assertTrue(e.isConstraintViolation());
                Assert.assertEquals(34L, e.getCode());
            }
        }
    }

    @Test
    public void testChangePrimaryTypeUser() throws Exception {
        for (Authorizable authorizable : this.authorizables) {
            try {
                Tree addChild = TreeUtil.addChild(getAuthorizableTree(authorizable), "childNode", "nt:unstructured");
                this.root.commit();
                addChild.setProperty("jcr:primaryType", "rep:Cache", Type.NAME);
                addChild.setProperty("rep:expiration", 1L, Type.LONG);
                this.root.commit();
                Assert.fail("Changing primary type of residual node below an user/group to rep:Cache must fail.");
            } catch (CommitFailedException e) {
                Assert.assertTrue(e.isConstraintViolation());
                Assert.assertEquals(34L, e.getCode());
            }
        }
    }

    @Test
    public void testCreateCacheWithCommitInfo() throws RepositoryException {
        for (Authorizable authorizable : this.authorizables) {
            try {
                TreeUtil.addChild(getAuthorizableTree(authorizable), "rep:cache", "rep:Cache").setProperty("rep:expiration", 1L, Type.LONG);
                this.root.commit(CacheValidatorProvider.asCommitAttributes());
                Assert.fail("Creating rep:cache node below a user or group must fail.");
            } catch (CommitFailedException e) {
                Assert.assertTrue(e.isConstraintViolation());
                Assert.assertEquals(34L, e.getCode());
            }
        }
    }

    @Test
    public void testCreateCacheBelowProfile() throws Exception {
        try {
            TreeUtil.addChild(TreeUtil.addChild(getAuthorizableTree(getTestUser()), "profile", "oak:Unstructured"), "rep:cache", "rep:Cache").setProperty("rep:expiration", 23L, Type.LONG);
            this.root.commit(CacheValidatorProvider.asCommitAttributes());
            Assert.fail("Creating rep:cache node below a user or group must fail.");
        } catch (CommitFailedException e) {
            Assert.assertTrue(e.isConstraintViolation());
            Assert.assertEquals(34L, e.getCode());
        }
    }

    @Test
    public void testCreateCacheBelowPersistedProfile() throws Exception {
        Tree addChild = TreeUtil.addChild(getAuthorizableTree(getTestUser()), "profile", "oak:Unstructured");
        this.root.commit();
        try {
            TreeUtil.addChild(addChild, "rep:cache", "rep:Cache").setProperty("rep:expiration", 23L, Type.LONG);
            this.root.commit(CacheValidatorProvider.asCommitAttributes());
            Assert.fail("Creating rep:cache node below a user or group must fail.");
        } catch (CommitFailedException e) {
            Assert.assertTrue(e.isConstraintViolation());
            Assert.assertEquals(34L, e.getCode());
        }
    }

    @Test
    public void testModifyCache() throws Exception {
        ArrayList arrayList = new ArrayList();
        arrayList.add(PropertyStates.createProperty("rep:expiration", 25));
        arrayList.add(PropertyStates.createProperty("rep:groupPrincipalNames", "everyone"));
        arrayList.add(PropertyStates.createProperty("jcr:primaryType", "nt:unstructured", Type.NAME));
        arrayList.add(PropertyStates.createProperty("residualProp", "anyvalue"));
        Tree cache = getCache(getTestUser());
        Iterator it = arrayList.iterator();
        while (it.hasNext()) {
            try {
                try {
                    cache.setProperty((PropertyState) it.next());
                    this.root.commit(CacheValidatorProvider.asCommitAttributes());
                    Assert.fail("Modifying rep:cache node below a user or group must fail.");
                    this.root.refresh();
                } catch (CommitFailedException e) {
                    Assert.assertTrue(e.isConstraintViolation());
                    Assert.assertEquals(34L, e.getCode());
                    this.root.refresh();
                }
            } catch (Throwable th) {
                this.root.refresh();
                throw th;
            }
        }
    }

    @Test
    public void testNestedCache() throws Exception {
        try {
            TreeUtil.getOrAddChild(getCache(getTestUser()), "rep:cache", "rep:Cache").setProperty("rep:expiration", 223L, Type.LONG);
            this.root.commit(CacheValidatorProvider.asCommitAttributes());
            Assert.fail("Creating nested cache must fail.");
        } catch (CommitFailedException e) {
            Assert.assertTrue(e.isConstraintViolation());
            Assert.assertEquals(34L, e.getCode());
        }
    }

    @Test
    public void testRemoveCache() throws Exception {
        getCache(getTestUser()).remove();
        this.root.commit();
        Assert.assertFalse(getAuthorizableTree(getTestUser()).hasChild("rep:cache"));
    }

    @Test
    public void testCreateCacheOutsideOfAuthorizable() throws Exception {
        Tree tree = this.root.getTree(IdentifierManagerTest.ID_ROOT);
        try {
            try {
                TreeUtil.addChild(tree, "rep:cache", "rep:Cache").setProperty("rep:expiration", 1L, Type.LONG);
                this.root.commit();
                Assert.fail("Using rep:cache/rep:Cache outside a user or group must fail.");
                this.root.refresh();
                Tree child = tree.getChild("rep:cache");
                if (child.exists()) {
                    child.remove();
                    this.root.commit();
                }
            } catch (CommitFailedException e) {
                Assert.assertTrue(e.isConstraintViolation());
                Assert.assertEquals(34L, e.getCode());
                this.root.refresh();
                Tree child2 = tree.getChild("rep:cache");
                if (child2.exists()) {
                    child2.remove();
                    this.root.commit();
                }
            }
        } catch (Throwable th) {
            this.root.refresh();
            Tree child3 = tree.getChild("rep:cache");
            if (child3.exists()) {
                child3.remove();
                this.root.commit();
            }
            throw th;
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testChangeAuthorizableChildToCache() throws Exception {
        TreeUtil.addChild(getAuthorizableTree(getTestUser()), "child", "oak:Unstructured");
        this.root.commit();
        try {
            getAuthorizableTree(getTestUser()).getChild("child").setProperty("jcr:primaryType", "rep:Cache", Type.NAME);
            this.root.commit();
        } catch (CommitFailedException e) {
            Assert.assertTrue(e.isConstraintViolation());
            Assert.assertEquals(34L, e.getCode());
            throw e;
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testChildNodeAddedToCache() throws Exception {
        try {
            Tree cache = getCache(getTestUser());
            createCacheValidator(cache).childNodeAdded("child", getTreeProvider().asNodeState(TreeUtil.addChild(cache, "child", "oak:Unstructured")));
        } catch (CommitFailedException e) {
            Assert.assertTrue(e.isConstraintViolation());
            Assert.assertEquals(34L, e.getCode());
            throw e;
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testChildNodeChangedToCache() throws Exception {
        try {
            Tree cache = getCache(getTestUser());
            Tree addChild = TreeUtil.addChild(cache, "child", "oak:Unstructured");
            Validator createCacheValidator = createCacheValidator(cache);
            NodeState asNodeState = getTreeProvider().asNodeState(addChild);
            createCacheValidator.childNodeChanged("child", asNodeState, asNodeState);
        } catch (CommitFailedException e) {
            Assert.assertTrue(e.isConstraintViolation());
            Assert.assertEquals(34L, e.getCode());
            throw e;
        }
    }

    private Validator createCacheValidator(@NotNull Tree tree) {
        CacheValidatorProvider cacheValidatorProvider = new CacheValidatorProvider(this.root.getContentSession().getAuthInfo().getPrincipals(), getTreeProvider());
        NodeState asNodeState = getTreeProvider().asNodeState(tree);
        return cacheValidatorProvider.getRootValidator(asNodeState, asNodeState, new CommitInfo("sid", "uid"));
    }
}
