package org.apache.jackrabbit.oak.security.authorization.restriction;

import com.google.common.collect.ImmutableMap;
import java.security.Principal;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.oak.AbstractSecurityTest;
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.ContentSession;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.plugins.identifier.IdentifierManagerTest;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.AbstractRestrictionProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.CompositeRestrictionProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionDefinition;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionDefinitionImpl;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionPattern;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
import org.apache.jackrabbit.oak.util.NodeUtil;
import org.apache.jackrabbit.value.StringValue;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;

/* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/restriction/CustomRestrictionProviderTest.class */
public class CustomRestrictionProviderTest extends AbstractSecurityTest {
    private static final String TEST_ROOT_PATH = "/testRoot";
    private static final String TEST_A_PATH = "/testRoot/a";
    private static final String TEST_B_PATH = "/testRoot/a/b";
    private static final String TEST_C_PATH = "/testRoot/a/b/c";
    private static final String TEST_D_PATH = "/testRoot/a/b/c/d";
    private static final String TEST_E_PATH = "/testRoot/a/b/c/d/e";
    private static final String PROP_NAME_PROTECT_ME = "protect-me";
    private Principal testPrincipal;

    /* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/restriction/CustomRestrictionProviderTest$HasPropertyPattern.class */
    public static class HasPropertyPattern implements RestrictionPattern {
        private final String propertyName;
        private final boolean negate;

        private HasPropertyPattern(@Nonnull String str) {
            if (str.startsWith("!")) {
                this.propertyName = str.substring(1);
                this.negate = true;
            } else {
                this.propertyName = str;
                this.negate = false;
            }
        }

        static RestrictionPattern create(PropertyState propertyState) {
            return propertyState.count() == 1 ? new HasPropertyPattern((String) propertyState.getValue(Type.STRING)) : RestrictionPattern.EMPTY;
        }

        public boolean matches(@Nonnull Tree tree, @Nullable PropertyState propertyState) {
            boolean z = false;
            if (tree.hasChild("jcr:content")) {
                z = tree.getChild("jcr:content").hasProperty(this.propertyName);
            }
            if (!z) {
                z = tree.hasProperty(this.propertyName);
            }
            return this.negate ? !z : z;
        }

        public boolean matches(@Nonnull String str) {
            return matches();
        }

        public boolean matches() {
            return false;
        }

        public String toString() {
            StringBuilder sb = new StringBuilder("HasPropertyPattern{");
            sb.append("propertyName='").append(this.propertyName).append('\'');
            sb.append(", negate=").append(this.negate);
            sb.append('}');
            return sb.toString();
        }
    }

    /* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/restriction/CustomRestrictionProviderTest$PropertyRestrictionProvider.class */
    public static class PropertyRestrictionProvider extends AbstractRestrictionProvider {
        public static final String RESTRICTION_NAME = "hasProperty";

        public PropertyRestrictionProvider() {
            super(supportedRestrictions());
        }

        private static Map<String, RestrictionDefinition> supportedRestrictions() {
            RestrictionDefinitionImpl restrictionDefinitionImpl = new RestrictionDefinitionImpl(RESTRICTION_NAME, Type.STRING, false);
            return Collections.singletonMap(restrictionDefinitionImpl.getName(), restrictionDefinitionImpl);
        }

        public RestrictionPattern getPattern(String str, Tree tree) {
            PropertyState property;
            return (str == null || (property = tree.getProperty(RESTRICTION_NAME)) == null) ? RestrictionPattern.EMPTY : HasPropertyPattern.create(property);
        }

        @Nonnull
        public RestrictionPattern getPattern(@Nullable String str, @Nonnull Set<Restriction> set) {
            if (str != null) {
                for (Restriction restriction : set) {
                    if (RESTRICTION_NAME.equals(restriction.getDefinition().getName())) {
                        return HasPropertyPattern.create(restriction.getProperty());
                    }
                }
            }
            return RestrictionPattern.EMPTY;
        }
    }

    @Override // org.apache.jackrabbit.oak.AbstractSecurityTest
    protected ConfigurationParameters getSecurityConfigParameters() {
        return ConfigurationParameters.of(ImmutableMap.of("org.apache.jackrabbit.oak.authorization", ConfigurationParameters.of(ImmutableMap.of("restrictionProvider", CompositeRestrictionProvider.newInstance(new RestrictionProvider[]{new PropertyRestrictionProvider(), new RestrictionProviderImpl()})))));
    }

    @Override // org.apache.jackrabbit.oak.AbstractSecurityTest
    @Before
    public void before() throws Exception {
        super.before();
        NodeUtil addChild = new NodeUtil(this.root.getTree(IdentifierManagerTest.ID_ROOT)).addChild("testRoot", "nt:unstructured").addChild("a", "nt:unstructured").addChild("b", "nt:unstructured").addChild("c", "nt:unstructured");
        addChild.setBoolean(PROP_NAME_PROTECT_ME, true);
        addChild.addChild("d", "nt:unstructured").addChild("e", "nt:unstructured");
        this.root.commit();
        this.testPrincipal = getTestUser().getPrincipal();
    }

    @Override // org.apache.jackrabbit.oak.AbstractSecurityTest
    @After
    public void after() throws Exception {
        try {
            this.root.refresh();
            this.root.getTree(TEST_ROOT_PATH).remove();
            this.root.commit();
        } finally {
            super.after();
        }
    }

    private void addEntry(String str, boolean z, String str2, String... strArr) throws Exception {
        JackrabbitAccessControlManager accessControlManager = getAccessControlManager(this.root);
        JackrabbitAccessControlList accessControlList = AccessControlUtils.getAccessControlList(accessControlManager, str);
        if (str2.length() > 0) {
            HashMap hashMap = new HashMap();
            hashMap.put(PropertyRestrictionProvider.RESTRICTION_NAME, new StringValue(str2));
            accessControlList.addEntry(this.testPrincipal, AccessControlUtils.privilegesFromNames(accessControlManager, strArr), z, hashMap);
        } else {
            accessControlList.addEntry(this.testPrincipal, AccessControlUtils.privilegesFromNames(accessControlManager, strArr), z);
        }
        accessControlManager.setPolicy(str, accessControlList);
        this.root.commit();
    }

    private void assertIsGranted(PermissionProvider permissionProvider, Root root, boolean z, String str, long j) {
        Assert.assertEquals("user should " + (z ? "" : "not ") + "have " + j + " on " + str, Boolean.valueOf(z), Boolean.valueOf(permissionProvider.isGranted(root.getTree(str), (PropertyState) null, j)));
    }

    private PermissionProvider getPermissionProvider(ContentSession contentSession) {
        return ((AuthorizationConfiguration) getSecurityProvider().getConfiguration(AuthorizationConfiguration.class)).getPermissionProvider(this.root, contentSession.getWorkspaceName(), contentSession.getAuthInfo().getPrincipals());
    }

    @Test
    public void testProtectByRestriction() throws Exception {
        addEntry(TEST_ROOT_PATH, true, "", "jcr:read", "rep:write");
        addEntry(TEST_A_PATH, false, PROP_NAME_PROTECT_ME, "jcr:removeNode");
        ContentSession createTestSession = createTestSession();
        try {
            Root latestRoot = createTestSession.getLatestRoot();
            PermissionProvider permissionProvider = getPermissionProvider(createTestSession);
            assertIsGranted(permissionProvider, latestRoot, true, TEST_A_PATH, 64L);
            assertIsGranted(permissionProvider, latestRoot, true, TEST_B_PATH, 64L);
            assertIsGranted(permissionProvider, latestRoot, false, TEST_C_PATH, 64L);
            assertIsGranted(permissionProvider, latestRoot, true, TEST_D_PATH, 64L);
            assertIsGranted(permissionProvider, latestRoot, true, TEST_E_PATH, 64L);
            latestRoot.getTree(TEST_D_PATH).remove();
            latestRoot.commit();
            try {
                latestRoot.getTree(TEST_C_PATH).remove();
                latestRoot.commit();
                Assert.fail("should not be able to delete /testRoot/a/b/c");
            } catch (CommitFailedException e) {
            }
        } finally {
            createTestSession.close();
        }
    }

    @Test
    public void testProtectPropertiesByRestriction() throws Exception {
        addEntry(TEST_ROOT_PATH, true, "", "jcr:read", "rep:write");
        addEntry(TEST_A_PATH, false, PROP_NAME_PROTECT_ME, "jcr:modifyProperties");
        ContentSession createTestSession = createTestSession();
        try {
            Root latestRoot = createTestSession.getLatestRoot();
            PermissionProvider permissionProvider = getPermissionProvider(createTestSession);
            assertIsGranted(permissionProvider, latestRoot, true, TEST_A_PATH, 8L);
            assertIsGranted(permissionProvider, latestRoot, true, TEST_B_PATH, 8L);
            assertIsGranted(permissionProvider, latestRoot, false, TEST_C_PATH, 8L);
            assertIsGranted(permissionProvider, latestRoot, true, TEST_D_PATH, 8L);
            assertIsGranted(permissionProvider, latestRoot, true, TEST_E_PATH, 8L);
            createTestSession.close();
        } catch (Throwable th) {
            createTestSession.close();
            throw th;
        }
    }

    @Test
    public void testUnProtectByRestriction() throws Exception {
        addEntry(TEST_ROOT_PATH, true, "", "jcr:read", "rep:write");
        addEntry(TEST_ROOT_PATH, false, "", "jcr:removeNode");
        addEntry(TEST_A_PATH, true, "!protect-me", "jcr:removeNode");
        ContentSession createTestSession = createTestSession();
        try {
            Root latestRoot = createTestSession.getLatestRoot();
            PermissionProvider permissionProvider = getPermissionProvider(createTestSession);
            assertIsGranted(permissionProvider, latestRoot, true, TEST_A_PATH, 64L);
            assertIsGranted(permissionProvider, latestRoot, true, TEST_B_PATH, 64L);
            assertIsGranted(permissionProvider, latestRoot, false, TEST_C_PATH, 64L);
            assertIsGranted(permissionProvider, latestRoot, true, TEST_D_PATH, 64L);
            assertIsGranted(permissionProvider, latestRoot, true, TEST_E_PATH, 64L);
            createTestSession.close();
        } catch (Throwable th) {
            createTestSession.close();
            throw th;
        }
    }
}
