package org.apache.jackrabbit.oak.security.authorization.evaluation;

import javax.jcr.security.AccessControlEntry;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.namepath.NamePathMapper;
import org.apache.jackrabbit.oak.plugins.identifier.IdentifierManagerTest;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionConstants;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;

/* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/evaluation/Jr2CompatibilityTest.class */
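/**
 * Exercises permission evaluation when the authorization module is configured with the
 * {@code permissionsJr2} option set to {@link PermissionConstants#VALUE_PERMISSIONS_JR2}.
 *
 * <p>Every test runs as the test user, who is granted only {@code jcr:read} and
 * {@code rep:write} at {@code IdentifierManagerTest.ID_ROOT} (presumably the repository
 * root path; confirm against that constant).
 *
 * <p>NOTE(review): as exercised here, the compatibility option lets a principal holding just
 * {@code jcr:read} + {@code rep:write} create users, change their passwords and remove them.
 * Deployments that enable the option should therefore treat write access to the user store as
 * equivalent to account administration and scope {@code rep:write} grants accordingly.
 */
public class Jr2CompatibilityTest extends AbstractOakCoreTest {

    /**
     * Grants the test user {@code jcr:read} and {@code rep:write} at the root path on top of
     * the setup done by the parent class.
     */
    @Override
    @Before
    public void before() throws Exception {
        super.before();
        setupPermission(IdentifierManagerTest.ID_ROOT, getTestUser().getPrincipal(), true, "jcr:read", "rep:write");
    }

    /**
     * Removes every access control entry of the test user from the root policy, so the grant
     * made in {@link #before()} does not leak into other tests, then runs the parent teardown.
     * The parent teardown runs even when the policy cleanup throws.
     */
    @Override
    @After
    public void after() throws Exception {
        try {
            JackrabbitAccessControlManager acMgr = getAccessControlManager(this.root);
            JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, IdentifierManagerTest.ID_ROOT);
            if (acl != null) {
                boolean modified = false;
                // getAccessControlEntries() returns an array, so removing entries from the list
                // while looping over that array is safe.
                for (AccessControlEntry entry : acl.getAccessControlEntries()) {
                    if (entry.getPrincipal().equals(getTestUser().getPrincipal())) {
                        acl.removeAccessControlEntry(entry);
                        modified = true;
                    }
                }
                // Only write the policy back (and commit) when something was actually removed.
                if (modified) {
                    acMgr.setPolicy(IdentifierManagerTest.ID_ROOT, acl);
                    this.root.commit();
                }
            }
        } finally {
            super.after();
        }
    }

    /**
     * Enables the JR2 compatibility behaviour for the authorization configuration used by
     * this test class.
     *
     * @return security parameters with {@code permissionsJr2} set on the authorization module
     */
    @Override
    protected ConfigurationParameters getSecurityConfigParameters() {
        ConfigurationParameters authorizationParams =
                ConfigurationParameters.of("permissionsJr2", PermissionConstants.VALUE_PERMISSIONS_JR2);
        return ConfigurationParameters.of("org.apache.jackrabbit.oak.authorization", authorizationParams);
    }

    /**
     * With the JR2 option enabled, the test user (only {@code jcr:read} and {@code rep:write})
     * must be able to create a user, change its password and remove it again. The test passes
     * when none of the three commits throws.
     */
    @Test
    public void testUserManagementPermissionWithJr2Flag() throws Exception {
        Root testRoot = getTestRoot();
        testRoot.refresh();
        try {
            // "a" / "b" / "c" are throwaway fixture credentials for a user that only lives
            // for the duration of this test.
            User user = getUserConfiguration().getUserManager(testRoot, NamePathMapper.DEFAULT).createUser("a", "b");
            testRoot.commit();
            user.changePassword("c");
            testRoot.commit();
            user.remove();
            testRoot.commit();
        } finally {
            // Clean up through the admin root exactly once, whether or not the test body
            // failed, so a half-created account never survives into another test.
            this.root.refresh();
            Authorizable leftover = getUserManager(this.root).getAuthorizable("a");
            if (leftover != null) {
                leftover.remove();
                this.root.commit();
            }
        }
    }

    /**
     * Removing {@code /a} must be rejected when {@code jcr:removeNode} is denied on the child
     * {@code /a/b}, even though the test user holds {@code rep:write} on {@code /a}.
     */
    @Test
    public void testRemoveNodeWithJr2Flag() throws Exception {
        setupPermission("/a", this.testPrincipal, true, "jcr:read", "rep:write");
        setupPermission("/a/b", this.testPrincipal, false, "jcr:removeNode");
        Root testRoot = getTestRoot();
        JackrabbitAccessControlManager acMgr = getAccessControlManager(testRoot);
        Assert.assertTrue(acMgr.hasPrivileges("/a", privilegesFromNames("rep:write")));
        Assert.assertFalse(acMgr.hasPrivileges("/a/b", privilegesFromNames("jcr:removeNode")));
        assertRemovalDenied(testRoot, "/a", "jcr:removeNode is denied on /a/b");
    }

    /**
     * Removing {@code /a} must be rejected when {@code rep:removeProperties} is denied on the
     * child {@code /a/b}, even though the test user holds {@code rep:write} on {@code /a}.
     */
    @Test
    public void testRemoveNodeWithJr2Flag2() throws Exception {
        setupPermission("/a", this.testPrincipal, true, "jcr:read", "rep:write");
        setupPermission("/a/b", this.testPrincipal, false, "rep:removeProperties");
        Root testRoot = getTestRoot();
        JackrabbitAccessControlManager acMgr = getAccessControlManager(testRoot);
        Assert.assertTrue(acMgr.hasPrivileges("/a", privilegesFromNames("rep:write")));
        Assert.assertFalse(acMgr.hasPrivileges("/a/b", privilegesFromNames("rep:removeProperties")));
        assertRemovalDenied(testRoot, "/a", "rep:removeProperties is denied on /a/b");
    }

    /**
     * Removes the tree at {@code path}, commits, and requires the commit to fail with an
     * access violation. A commit that succeeds means the deny was not enforced, so the
     * failure message names the permission that should have blocked the removal.
     */
    private static void assertRemovalDenied(Root testRoot, String path, String reason) {
        try {
            testRoot.getTree(path).remove();
            testRoot.commit();
            Assert.fail("Removing " + path + " must be rejected: " + reason);
        } catch (CommitFailedException e) {
            Assert.assertTrue("Commit failed, but not as an access violation", e.isAccessViolation());
        }
    }
}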
