package org.apache.jackrabbit.oak.security.authorization.accesscontrol;

import java.security.Principal;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import javax.jcr.AccessDeniedException;
import javax.jcr.PathNotFoundException;
import javax.jcr.RepositoryException;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlPolicy;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.guava.common.collect.ImmutableList;
import org.apache.jackrabbit.guava.common.collect.ImmutableSet;
import org.apache.jackrabbit.oak.AbstractSecurityTest;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.namepath.impl.GlobalNameMapper;
import org.apache.jackrabbit.oak.namepath.impl.NamePathMapperImpl;
import org.apache.jackrabbit.oak.plugins.identifier.IdentifierManagerTest;
import org.apache.jackrabbit.oak.plugins.name.ReadWriteNamespaceRegistry;
import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;

/* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/accesscontrol/AccessControlManagerLimitedPermissionsTest.class */
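/**
 * Exercises {@link AccessControlManagerImpl} through a test session that holds only a
 * small set of privileges, while the policies themselves are written with {@code root}.
 *
 * <p>The assertions below pin three properties of the access control manager:
 * <ul>
 *   <li>privilege lookups on a path the test session cannot access end in
 *       {@link PathNotFoundException};</li>
 *   <li>privilege lookups for a principal set other than the session's own end in
 *       {@link AccessDeniedException} when the session cannot read access control
 *       information;</li>
 *   <li>effective policies are only returned where {@code jcr:readAccessControl} is
 *       granted.</li>
 * </ul>
 *
 * <p>NOTE(review): this listing is decompiler output. Raw collection types, unchecked
 * casts and explicit empty varargs arrays have been replaced with their typed
 * equivalents; the assertions are unchanged.
 */
public class AccessControlManagerLimitedPermissionsTest extends AbstractSecurityTest {
    private static final String TEST_PREFIX = "jr";
    private static final String TEST_URI = "http://jackrabbit.apache.org";
    private static final String TEST_NAME = "jr:testRoot";

    // Path of the node created in before() and path of its "child" node.
    private String testPath;
    private String childPath;
    private NamePathMapper npMapper;
    // Root and access control manager bound to the limited test session.
    private Root testRoot;
    private AccessControlManagerImpl testAcMgr;
    // Default privileges granted by setupPolicy(): jcr:addChildNodes and jcr:read.
    private Privilege[] testPrivileges;
    private Principal testPrincipal;

    /**
     * Registers the test namespace, creates the test node and its child with {@code root},
     * and opens the test session whose access control manager is under test.
     */
    @Override
    @Before
    public void before() throws Exception {
        super.before();

        // The qualified "this" is deliberate: it names the test's root field explicitly
        // rather than anything the registry itself may expose under the same name.
        new ReadWriteNamespaceRegistry(root) {
            @Override
            protected Root getWriteRoot() {
                return AccessControlManagerLimitedPermissionsTest.this.root;
            }
        }.registerNamespace(TEST_PREFIX, TEST_URI);

        // Must be assigned before getNamePathMapper() is used to build testAcMgr below.
        npMapper = new NamePathMapperImpl(new GlobalNameMapper(root));

        Tree testTree = TreeUtil.addChild(root.getTree(IdentifierManagerTest.ID_ROOT), TEST_NAME, "nt:unstructured");
        testPath = testTree.getPath();
        childPath = TreeUtil.addChild(testTree, "child", "nt:unstructured").getPath();
        root.commit();

        testRoot = createTestSession().getLatestRoot();
        testAcMgr = new AccessControlManagerImpl(testRoot, getNamePathMapper(), getSecurityProvider());
        testPrivileges = privilegesFromNames("jcr:addChildNodes", "jcr:read");
        testPrincipal = getTestUser().getPrincipal();
    }

    /** Closes the test session; the superclass teardown runs even if closing fails. */
    @Override
    @After
    public void after() throws Exception {
        try {
            testRoot.getContentSession().close();
        } finally {
            super.after();
        }
    }

    /**
     * Returns the mapper created in {@link #before()}.
     *
     * <p>NOTE(review): the decompiler recorded that the access modifier was changed from
     * protected; the method is left public so the signature in this listing is unchanged.
     */
    @Override
    public NamePathMapper getNamePathMapper() {
        return npMapper;
    }

    /**
     * Writes an allow entry for the test principal at {@code path} using the access control
     * manager of {@code root}; the entry carries a glob restriction of {@code "*"}.
     * The caller is responsible for committing {@code root}.
     *
     * @param path       path to set the policy at
     * @param privileges privileges to grant; {@link #testPrivileges} is used when this is
     *                   {@code null} or empty
     * @throws RepositoryException if the policy cannot be set up
     */
    private void setupPolicy(@Nullable String path, @Nullable Privilege... privileges) throws RepositoryException {
        Privilege[] granted = (privileges == null || privileges.length == 0) ? testPrivileges : privileges;
        TestUtility.setupPolicy(
                getAccessControlManager(root),
                path,
                testPrincipal,
                granted,
                true,
                TestUtility.getGlobRestriction("*", getValueFactory(root)),
                null);
    }

    /**
     * Sets a policy at {@link #testPath} with {@code root} and collects the paths of the
     * resulting access control content: the {@code rep:policy} node, its first child and,
     * if present, that child's {@code rep:restrictions} node.
     *
     * <p>This method does not commit {@code root}; the policy is only a pending change.
     *
     * @return the access control content paths, policy node first
     * @throws RepositoryException if the policy cannot be created or set
     */
    @NotNull
    private List<String> getAcContentPaths() throws RepositoryException {
        JackrabbitAccessControlManager acMgr = getAccessControlManager(root);
        ACL policy = TestUtility.getApplicablePolicy(acMgr, testPath);
        policy.addEntry(testPrincipal, testPrivileges, true, TestUtility.getGlobRestriction("*", getValueFactory(root)));
        acMgr.setPolicy(testPath, policy);

        String policyPath = testPath + "/rep:policy";
        Tree policyTree = root.getTree(policyPath);
        Assert.assertTrue(policyTree.exists());

        Iterator<Tree> entries = policyTree.getChildren().iterator();
        Assert.assertTrue(entries.hasNext());
        Tree firstEntry = entries.next();
        Assert.assertNotNull(firstEntry);

        List<String> acPaths = new ArrayList<>();
        acPaths.add(policyPath);
        acPaths.add(firstEntry.getPath());
        Tree restrictions = firstEntry.getChild("rep:restrictions");
        if (restrictions.exists()) {
            acPaths.add(restrictions.getPath());
        }
        return acPaths;
    }

    /**
     * {@code hasPrivileges} must end in {@link PathNotFoundException} for every path the test
     * session cannot access, whichever principal set is passed: none, the principals of the
     * {@code root} session, the test session's own principals, or an empty set.
     */
    @Test
    public void testHasPrivilegesNotAccessiblePath() throws Exception {
        List<String> notAccessible = new ArrayList<>();
        notAccessible.add(IdentifierManagerTest.ID_ROOT);
        notAccessible.addAll(getAcContentPaths());

        Privilege[] allPrivileges = privilegesFromNames("jcr:all");
        for (String path : notAccessible) {
            try {
                testAcMgr.hasPrivileges(path, allPrivileges);
                Assert.fail("AccessControlManager#hasPrivileges for node that is not accessible should fail.");
            } catch (PathNotFoundException expected) {
                // success: the inaccessible path is reported as not found
            }
        }
        for (String path : notAccessible) {
            try {
                testAcMgr.hasPrivileges(path, getPrincipals(root.getContentSession()), allPrivileges);
                Assert.fail("AccessControlManager#hasPrivileges for node that is not accessible should fail.");
            } catch (PathNotFoundException expected) {
                // success: the inaccessible path is reported as not found
            }
        }
        for (String path : notAccessible) {
            try {
                testAcMgr.hasPrivileges(path, getPrincipals(testRoot.getContentSession()), allPrivileges);
                Assert.fail("AccessControlManager#hasPrivileges for node that is not accessible should fail.");
            } catch (PathNotFoundException expected) {
                // success: the inaccessible path is reported as not found
            }
        }
        for (String path : notAccessible) {
            try {
                testAcMgr.hasPrivileges(path, ImmutableSet.of(), allPrivileges);
                Assert.fail("AccessControlManager#hasPrivileges for node that is not accessible should fail.");
            } catch (PathNotFoundException expected) {
                // success: the inaccessible path is reported as not found
            }
        }
    }

    /** The test session holds none of the test privileges at repository level (null path). */
    @Test
    public void testTestSessionHasRepoPrivileges() throws Exception {
        Assert.assertFalse(testAcMgr.hasPrivileges((String) null, testPrivileges));
        Assert.assertFalse(testAcMgr.hasPrivileges((String) null, getPrincipals(testRoot.getContentSession()), testPrivileges));
    }

    /**
     * Repository-level privileges of the admin session's principals must not be readable
     * through the test session.
     */
    @Test
    public void testHasRepoPrivilegesNoAccessToPrincipals() throws Exception {
        try {
            testAcMgr.getPrivileges((String) null, getPrincipals(adminSession));
            Assert.fail("testSession doesn't have sufficient permission to read access control information");
        } catch (AccessDeniedException expected) {
            // success: access control information of other principals stays hidden
        }
    }

    /** An empty principal set is rejected with {@link AccessDeniedException} as well. */
    @Test(expected = AccessDeniedException.class)
    public void testHasRepoPrivilegesForEmptyPrincipalSet() throws Exception {
        testAcMgr.getPrivileges((String) null, Collections.emptySet());
    }

    /**
     * After the default policy is committed, the test session has exactly the granted
     * privileges (and the read sub-privileges listed below) at the test path, and none of
     * the broader ones.
     */
    @Test
    public void testHasPrivileges() throws Exception {
        setupPolicy(testPath);
        root.commit();
        testRoot.refresh();

        List<Privilege[]> granted = new ArrayList<>();
        granted.add(privilegesFromNames("jcr:read"));
        granted.add(privilegesFromNames("rep:readNodes"));
        granted.add(privilegesFromNames("rep:readProperties"));
        granted.add(privilegesFromNames("jcr:addChildNodes"));
        granted.add(testPrivileges);
        for (Privilege[] privileges : granted) {
            Assert.assertTrue(testAcMgr.hasPrivileges(testPath, privileges));
            Assert.assertTrue(testAcMgr.hasPrivileges(testPath, getPrincipals(testRoot.getContentSession()), privileges));
        }

        List<Privilege[]> notGranted = new ArrayList<>();
        notGranted.add(privilegesFromNames("jcr:all"));
        notGranted.add(privilegesFromNames("jcr:readAccessControl"));
        notGranted.add(privilegesFromNames("jcr:write"));
        notGranted.add(privilegesFromNames("jcr:lockManagement"));
        for (Privilege[] privileges : notGranted) {
            Assert.assertFalse(testAcMgr.hasPrivileges(testPath, privileges));
            Assert.assertFalse(testAcMgr.hasPrivileges(testPath, getPrincipals(testRoot.getContentSession()), privileges));
        }
    }

    /**
     * Read access to the test path is not enough to query the privileges of the admin
     * session's principals there.
     */
    @Test(expected = AccessDeniedException.class)
    public void testHasPrivilegesForPrincipals() throws Exception {
        setupPolicy(testPath);
        root.commit();
        testRoot.refresh();
        testAcMgr.getPrivileges(testPath, getPrincipals(adminSession));
    }

    /**
     * {@code getPrivileges} must end in {@link PathNotFoundException} for every path the test
     * session cannot access. The path check is expected to win even when the admin
     * session's principals are passed.
     */
    @Test
    public void testGetPrivilegesNotAccessiblePath() throws Exception {
        List<String> notAccessible = new ArrayList<>();
        notAccessible.add(IdentifierManagerTest.ID_ROOT);
        notAccessible.addAll(getAcContentPaths());

        for (String path : notAccessible) {
            try {
                testAcMgr.getPrivileges(path);
                Assert.fail("AccessControlManager#getPrivileges for node that is not accessible should fail.");
            } catch (PathNotFoundException expected) {
                // success: the inaccessible path is reported as not found
            }
        }
        for (String path : notAccessible) {
            try {
                testAcMgr.getPrivileges(path, getPrincipals(adminSession));
                Assert.fail("AccessControlManager#getPrivileges for node that is not accessible should fail.");
            } catch (PathNotFoundException expected) {
                // success: the inaccessible path is reported as not found
            }
        }
        for (String path : notAccessible) {
            try {
                testAcMgr.getPrivileges(path, Collections.singleton(testPrincipal));
                Assert.fail("AccessControlManager#getPrivileges for node that is not accessible should fail.");
            } catch (PathNotFoundException expected) {
                // success: the inaccessible path is reported as not found
            }
        }
    }

    /**
     * The test session sees no repository-level privileges and exactly the granted
     * privileges at the test path. It must not be able to read the privileges of the admin
     * session's principals there.
     */
    @Test
    public void testGetPrivileges() throws Exception {
        setupPolicy(testPath);
        root.commit();
        testRoot.refresh();

        Set<Principal> testPrincipals = getPrincipals(testRoot.getContentSession());
        Assert.assertArrayEquals(new Privilege[0], testAcMgr.getPrivileges((String) null));
        Assert.assertArrayEquals(new Privilege[0], testAcMgr.getPrivileges((String) null, testPrincipals));

        // Compared as sets: the order of the returned privileges is not part of the assertion.
        Set<Privilege> expected = ImmutableSet.copyOf(testPrivileges);
        Assert.assertEquals(expected, ImmutableSet.copyOf(testAcMgr.getPrivileges(testPath)));
        Assert.assertEquals(expected, ImmutableSet.copyOf(testAcMgr.getPrivileges(testPath, testPrincipals)));

        try {
            testAcMgr.getPrivileges(testPath, getPrincipals(adminSession));
            Assert.fail("testSession doesn't have sufficient permission to read access control information at testPath");
        } catch (AccessDeniedException expected2) {
            // success: access control information of other principals stays hidden
        }
    }

    /** One applicable policy, an {@link ACL}, is offered per principal. */
    @Test
    public void testGetApplicablePolicies() throws Exception {
        setupPolicy(testPath);
        root.commit();
        testRoot.refresh();

        for (Principal principal : ImmutableList.of(testPrincipal, EveryonePrincipal.getInstance())) {
            JackrabbitAccessControlPolicy[] applicable = testAcMgr.getApplicablePolicies(principal);
            AbstractAccessControlTest.assertPolicies(applicable, 1L);
            Assert.assertTrue(applicable[0] instanceof ACL);
        }
    }

    /**
     * No existing policy is returned for either principal, whether or not the test session's
     * principal manager knows the principal.
     */
    @Test
    public void testGetPolicies() throws Exception {
        setupPolicy(testPath);
        root.commit();
        testRoot.refresh();

        PrincipalManager testPrincipalMgr = getPrincipalManager(testRoot);
        for (Principal principal : ImmutableList.of(testPrincipal, EveryonePrincipal.getInstance())) {
            // Both branches expect zero policies; the split is kept from the original listing.
            // NOTE(review): presumably the two cases fail for different reasons (access control
            // content not readable vs. principal not readable) - confirm against upstream.
            if (testPrincipalMgr.hasPrincipal(principal.getName())) {
                AbstractAccessControlTest.assertPolicies(testAcMgr.getPolicies(principal), 0L);
            } else {
                AbstractAccessControlTest.assertPolicies(testAcMgr.getPolicies(principal), 0L);
            }
        }
    }

    /** With jcr:read and jcr:readAccessControl granted, one effective policy is visible. */
    @Test
    public void testGetEffectivePolicies() throws Exception {
        Privilege[] privileges = privilegesFromNames("jcr:read", "jcr:readAccessControl");
        setupPolicy(testPath, privileges);
        root.commit();
        testRoot.refresh();

        Assert.assertTrue(testAcMgr.hasPrivileges(testPath, privileges));
        AbstractAccessControlTest.assertPolicies(testAcMgr.getEffectivePolicies(testPath), 1L);
    }

    /**
     * jcr:read is granted on the parent and jcr:readAccessControl only on the child: both
     * privileges hold at the child, but only one effective policy is reported there.
     */
    @Test
    public void testGetEffectivePolicies2() throws Exception {
        setupPolicy(testPath, privilegesFromNames("jcr:read"));
        setupPolicy(childPath, privilegesFromNames("jcr:readAccessControl"));
        root.commit();
        testRoot.refresh();

        Assert.assertTrue(testAcMgr.hasPrivileges(childPath, privilegesFromNames("jcr:read", "jcr:readAccessControl")));
        AbstractAccessControlTest.assertPolicies(testAcMgr.getEffectivePolicies(childPath), 1L);
    }

    /** Without jcr:readAccessControl, effective policies must not be readable by path. */
    @Test
    public void testGetEffectivePoliciesWithoutPrivilege() throws Exception {
        setupPolicy(testPath, privilegesFromNames("jcr:read"));
        root.commit();
        testRoot.refresh();

        for (String path : ImmutableList.of(testPath, "/jcr:system/jcr:nodeTypes")) {
            Assert.assertFalse(testAcMgr.hasPrivileges(path, privilegesFromNames("jcr:readAccessControl")));
            try {
                testAcMgr.getEffectivePolicies(path);
                Assert.fail("READ_ACCESS_CONTROL is not granted at " + path);
            } catch (AccessDeniedException expected) {
                // success: policies stay hidden without READ_ACCESS_CONTROL
            }
        }
    }

    /** Both policies are readable, so both are reported for the test principal. */
    @Test
    public void testGetEffectivePoliciesByPrincipal() throws Exception {
        Privilege[] privileges = privilegesFromNames("jcr:read", "jcr:readAccessControl");
        setupPolicy(testPath, privileges);
        setupPolicy(childPath, privileges);
        root.commit();
        testRoot.refresh();

        AbstractAccessControlTest.assertPolicies(testAcMgr.getEffectivePolicies(Collections.singleton(testPrincipal)), 2L);
    }

    /**
     * jcr:read is only granted at the child, jcr:readAccessControl at both levels: one
     * effective policy is reported.
     */
    @Test
    public void testGetEffectivePoliciesByPrincipal2() throws Exception {
        setupPolicy(testPath, privilegesFromNames("jcr:readAccessControl"));
        setupPolicy(childPath, privilegesFromNames("jcr:read", "jcr:readAccessControl"));
        root.commit();
        testRoot.refresh();

        AbstractAccessControlTest.assertPolicies(testAcMgr.getEffectivePolicies(Collections.singleton(testPrincipal)), 1L);
    }

    /**
     * jcr:read at the parent and jcr:readAccessControl only at the child: one effective
     * policy is reported.
     */
    @Test
    public void testGetEffectivePoliciesByPrincipal3() throws Exception {
        setupPolicy(testPath, privilegesFromNames("jcr:read"));
        setupPolicy(childPath, privilegesFromNames("jcr:readAccessControl"));
        root.commit();
        testRoot.refresh();

        AbstractAccessControlTest.assertPolicies(testAcMgr.getEffectivePolicies(Collections.singleton(testPrincipal)), 1L);
    }

    /**
     * The test principal is granted at the test path and everyone at the child path; both
     * policies are reported for the combined principal set.
     */
    @Test
    public void testGetEffectivePoliciesByPrincipals() throws Exception {
        Privilege[] privileges = privilegesFromNames("jcr:read", "jcr:readAccessControl");
        setupPolicy(testPath, privileges);

        // Unlike setupPolicy(), this entry is for everyone and carries no restriction.
        JackrabbitAccessControlManager acMgr = getAccessControlManager(root);
        ACL childPolicy = TestUtility.getApplicablePolicy(acMgr, childPath);
        childPolicy.addEntry(EveryonePrincipal.getInstance(), privileges, true);
        acMgr.setPolicy(childPath, childPolicy);
        root.commit();
        testRoot.refresh();

        AbstractAccessControlTest.assertPolicies(
                testAcMgr.getEffectivePolicies(ImmutableSet.of(testPrincipal, EveryonePrincipal.getInstance())), 2L);
    }

    /**
     * A deny entry at the test path hides that policy from the test session; only the policy
     * at the child path, where the privileges are granted, is reported.
     */
    @Test
    public void testGetEffectivePoliciesByPrincipals2() throws Exception {
        Privilege[] privileges = privilegesFromNames("jcr:read", "jcr:readAccessControl");

        // isAllow == false: the test principal is denied both privileges at the test path.
        JackrabbitAccessControlManager acMgr = getAccessControlManager(root);
        ACL denyPolicy = TestUtility.getApplicablePolicy(acMgr, testPath);
        denyPolicy.addEntry(testPrincipal, privileges, false);
        acMgr.setPolicy(testPath, denyPolicy);

        setupPolicy(childPath, privileges);
        root.commit();
        testRoot.refresh();

        AbstractAccessControlTest.assertPolicies(
                testAcMgr.getEffectivePolicies(ImmutableSet.of(testPrincipal, EveryonePrincipal.getInstance())), 1L);
    }

    /**
     * Only jcr:read at the root path: no effective policy is reported.
     * NOTE(review): the trailing boolean of assertPolicies presumably states whether a read
     * policy is expected in the result - confirm against AbstractAccessControlTest.
     */
    @Test
    public void testGetEffectivePoliciesByPrincipalsReadPolicy1() throws Exception {
        setupPolicy(IdentifierManagerTest.ID_ROOT, privilegesFromNames("jcr:read"));
        root.commit();
        testRoot.refresh();

        AbstractAccessControlTest.assertPolicies(
                testAcMgr.getEffectivePolicies(ImmutableSet.of(testPrincipal, EveryonePrincipal.getInstance())), 0L, false);
    }

    /** Only jcr:readAccessControl at the root path: one effective policy is reported. */
    @Test
    public void testGetEffectivePoliciesByPrincipalsReadPolicy2() throws Exception {
        setupPolicy(IdentifierManagerTest.ID_ROOT, privilegesFromNames("jcr:readAccessControl"));
        root.commit();
        testRoot.refresh();

        AbstractAccessControlTest.assertPolicies(
                testAcMgr.getEffectivePolicies(ImmutableSet.of(testPrincipal, EveryonePrincipal.getInstance())), 1L, true);
    }

    /** jcr:read and jcr:readAccessControl at the root path: one effective policy is reported. */
    @Test
    public void testGetEffectivePoliciesByPrincipalsIncludesReadPolicy3() throws Exception {
        setupPolicy(IdentifierManagerTest.ID_ROOT, privilegesFromNames("jcr:read", "jcr:readAccessControl"));
        root.commit();
        testRoot.refresh();

        AbstractAccessControlTest.assertPolicies(
                testAcMgr.getEffectivePolicies(ImmutableSet.of(testPrincipal, EveryonePrincipal.getInstance())), 1L, true);
    }
}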
