package org.apache.jackrabbit.oak.security.authorization.permission;

import com.google.common.collect.ImmutableList;
import java.security.Principal;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.oak.AbstractSecurityTest;
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.ContentSession;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.plugins.identifier.IdentifierManagerTest;
import org.apache.jackrabbit.oak.plugins.memory.PropertyStates;
import org.apache.jackrabbit.oak.util.NodeUtil;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;

/* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidatorTest.class */
public class PermissionValidatorTest extends AbstractSecurityTest {
    private static final String TEST_ROOT_PATH = "/testRoot";
    private static final String TEST_CHILD_PATH = "/testRoot/child";
    private NodeUtil testRootNode;
    private Principal testPrincipal;

    @Override // org.apache.jackrabbit.oak.AbstractSecurityTest
    @Before
    public void before() throws Exception {
        super.before();
        this.testRootNode = new NodeUtil(this.root.getTree(IdentifierManagerTest.ID_ROOT)).addChild("testRoot", "nt:unstructured");
        this.testRootNode.addChild("child", "nt:unstructured");
        this.root.commit();
        this.testPrincipal = getTestUser().getPrincipal();
    }

    @Override // org.apache.jackrabbit.oak.AbstractSecurityTest
    @After
    public void after() throws Exception {
        try {
            this.root.refresh();
            this.root.getTree(TEST_ROOT_PATH).remove();
            this.root.commit();
        } finally {
            super.after();
        }
    }

    private void grant(String str, String... strArr) throws Exception {
        JackrabbitAccessControlManager accessControlManager = getAccessControlManager(this.root);
        JackrabbitAccessControlList accessControlList = AccessControlUtils.getAccessControlList(accessControlManager, str);
        accessControlList.addEntry(this.testPrincipal, AccessControlUtils.privilegesFromNames(accessControlManager, strArr), true);
        accessControlManager.setPolicy(str, accessControlList);
        this.root.commit();
    }

    @Test
    public void testChangePrimaryTypeToPolicyNode() throws Exception {
        this.testRootNode.getChild("child").addChild("rep:policy", "nt:unstructured");
        this.root.commit();
        grant(TEST_ROOT_PATH, "jcr:read", "jcr:readAccessControl", "rep:write");
        ContentSession createTestSession = createTestSession();
        try {
            try {
                Root latestRoot = createTestSession.getLatestRoot();
                Tree tree = latestRoot.getTree(TEST_CHILD_PATH);
                tree.setProperty(PropertyStates.createProperty("jcr:mixinTypes", ImmutableList.of("rep:AccessControllable"), Type.NAMES));
                Tree child = tree.getChild("rep:policy");
                child.setOrderableChildren(true);
                child.setProperty("jcr:primaryType", "rep:ACL", Type.NAME);
                latestRoot.commit();
                Assert.fail("Turning a false policy node into access control content requires the ability to write AC content.");
                createTestSession.close();
            } catch (CommitFailedException e) {
                Assert.assertTrue(e.isAccessViolation());
                Assert.assertEquals(0L, e.getCode());
                createTestSession.close();
            }
        } catch (Throwable th) {
            createTestSession.close();
            throw th;
        }
    }
}
