package org.apache.jackrabbit.oak.security.user;

import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import java.util.List;
import javax.jcr.SimpleCredentials;
import javax.security.auth.login.CredentialExpiredException;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.oak.AbstractSecurityTest;
import org.apache.jackrabbit.oak.spi.security.ConfigurationParameters;
import org.apache.jackrabbit.oak.spi.security.SecurityProvider;
import org.apache.jackrabbit.oak.spi.security.user.action.AuthorizableAction;
import org.apache.jackrabbit.oak.spi.security.user.action.AuthorizableActionProvider;
import org.apache.jackrabbit.oak.spi.security.user.action.PasswordValidationAction;
import org.jetbrains.annotations.NotNull;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;

/* loaded from: input_file:org/apache/jackrabbit/oak/security/user/PasswordExpiryHistoryTest.class */
/**
 * Exercises the interaction between password expiry and password history when a
 * user tries to change an expired password during login.
 *
 * <p>The user configuration built in {@link #getSecurityConfigParameters()} sets
 * {@code passwordMaxAge} and {@code passwordHistorySize} to 10 and registers a
 * {@link PasswordValidationAction} with a length constraint. Each test back-dates
 * {@code rep:passwordLastModified} to 0, expects the login to be reported as expired,
 * and then supplies a new password through the {@code user.newpassword} credentials
 * attribute that must be rejected.
 *
 * <p>Security-relevant contract pinned here: a rejected change must not turn into a
 * successful login (a {@link CredentialExpiredException} is expected again), and the
 * rejection reason is published on the credentials under the simple class name of
 * {@code PasswordHistoryException} only when the history check is what rejected it.
 *
 * <p>NOTE(review): none of the tests logs in with the old password after the rejected
 * change, so they do not directly show that the stored password was left untouched.
 */
public class PasswordExpiryHistoryTest extends AbstractSecurityTest {
    /** Password the second test switches to before expiring it (fixture value). */
    private static final String CHANGED_PASSWORD = "pw12345678";

    /** Credentials attribute that carries the requested replacement password. */
    private static final String NEW_PASSWORD_ATTRIBUTE = "user.newpassword";

    private static final String MSG_SHOULD_BE_EXPIRED = "Credentials should be expired";
    private static final String MSG_CHANGED_DESPITE_HISTORY = "User password changed in spite of enabled pw history";
    private static final String MSG_REASON_EXPECTED = "credentials should contain pw change failure reason";

    /** Id of the test user; the login attempts below also use it as that user's initial password. */
    private String userId;

    /**
     * Runs the parent setup and caches the id of the test user.
     *
     * @throws Exception if the parent setup or the user lookup fails
     */
    @Override
    @Before
    public void before() throws Exception {
        super.before();
        this.userId = getTestUser().getID();
    }

    /**
     * Builds the security configuration used by every test in this class.
     *
     * <p>The validation constraint {@code ^.*(?=.{4,}).*} contains a lookahead for at
     * least four characters; the validation test relies on the one-character password
     * {@code "2"} being refused.
     *
     * @return parameters holding the user configuration under {@code org.apache.jackrabbit.oak.user}
     */
    @Override
    protected ConfigurationParameters getSecurityConfigParameters() {
        final PasswordValidationAction validation = new PasswordValidationAction();
        ConfigurationParameters constraint = ConfigurationParameters.of("constraint", "^.*(?=.{4,}).*");
        validation.init((SecurityProvider) null, constraint);

        // The provider hands out the single pre-initialised validation action.
        AuthorizableActionProvider actionProvider = new AuthorizableActionProvider() {
            @Override
            @NotNull
            public List<? extends AuthorizableAction> getAuthorizableActions(@NotNull SecurityProvider securityProvider) {
                return ImmutableList.of(validation);
            }
        };

        ConfigurationParameters userParameters = ConfigurationParameters.of(ImmutableMap.of(
                "authorizableActionProvider", actionProvider,
                "passwordMaxAge", 10,
                "passwordHistorySize", 10));
        return ConfigurationParameters.of("org.apache.jackrabbit.oak.user", userParameters);
    }

    /**
     * Changing an expired password to the very same password must be refused, and the
     * credentials must carry the "identical to the current password" reason.
     */
    @Test
    public void testAuthenticatePasswordExpiredAndSame() throws Exception {
        User testUser = getTestUser();
        UserAuthentication authentication = authenticationWithBackdatedPassword(testUser);

        assertLoginReportsExpiry(authentication, this.userId);

        SimpleCredentials changeAttempt =
                attemptRejectedChange(authentication, this.userId, testUser.getID(), MSG_CHANGED_DESPITE_HISTORY);
        Assert.assertEquals(
                MSG_REASON_EXPECTED,
                "New password is identical to the current password.",
                historyFailureReason(changeAttempt));
    }

    /**
     * Changing an expired password back to a previously used one (the user id, which was
     * the password before {@code changePassword}) must be refused with the "found in
     * password history" reason.
     */
    @Test
    public void testAuthenticatePasswordExpiredAndInHistory() throws Exception {
        User testUser = getTestUser();
        testUser.changePassword(CHANGED_PASSWORD);
        UserAuthentication authentication = authenticationWithBackdatedPassword(testUser);

        assertLoginReportsExpiry(authentication, CHANGED_PASSWORD);

        SimpleCredentials changeAttempt =
                attemptRejectedChange(authentication, CHANGED_PASSWORD, testUser.getID(), MSG_CHANGED_DESPITE_HISTORY);
        Assert.assertEquals(
                MSG_REASON_EXPECTED,
                "New password was found in password history.",
                historyFailureReason(changeAttempt));
    }

    /**
     * A new password refused by the validation constraint must keep the login expired
     * and must not be reported as a password-history failure.
     */
    @Test
    public void testAuthenticatePasswordExpiredAndValidationFailure() throws Exception {
        User testUser = getTestUser();
        UserAuthentication authentication = authenticationWithBackdatedPassword(testUser);

        assertLoginReportsExpiry(authentication, this.userId);

        SimpleCredentials changeAttempt = attemptRejectedChange(
                authentication, this.userId, "2", "User password changed in spite of expected validation failure");
        // The history attribute stays unset, so a policy rejection is not mislabelled as a history hit.
        Assert.assertNull(historyFailureReason(changeAttempt));
    }

    /**
     * Creates the authentication under test, then sets {@code rep:passwordLastModified}
     * on the user's {@code rep:pwd} child to 0 and commits.
     *
     * <p>The authentication object is created before the property is written, matching
     * the order the tests depend on.
     */
    private UserAuthentication authenticationWithBackdatedPassword(User user) throws Exception {
        UserAuthentication authentication = new UserAuthentication(getUserConfiguration(), this.root, this.userId);
        this.root.getTree(user.getPath()).getChild("rep:pwd").setProperty("rep:passwordLastModified", 0);
        this.root.commit();
        return authentication;
    }

    /**
     * Logs in with the given password and fails the test unless the attempt ends in a
     * {@link CredentialExpiredException}; any other exception propagates.
     */
    private void assertLoginReportsExpiry(UserAuthentication authentication, String password) throws Exception {
        boolean expired = false;
        try {
            authentication.authenticate(new SimpleCredentials(this.userId, password.toCharArray()));
        } catch (CredentialExpiredException expected) {
            expired = true;
        }
        if (!expired) {
            Assert.fail(MSG_SHOULD_BE_EXPIRED);
        }
    }

    /**
     * Logs in with the current password plus a requested new password and fails the test
     * with {@code failureMessage} unless the attempt is again answered with a
     * {@link CredentialExpiredException}.
     *
     * @return the credentials used, so callers can inspect the attributes set on them
     */
    private SimpleCredentials attemptRejectedChange(
            UserAuthentication authentication, String currentPassword, String newPassword, String failureMessage)
            throws Exception {
        SimpleCredentials credentials = new SimpleCredentials(this.userId, currentPassword.toCharArray());
        credentials.setAttribute(NEW_PASSWORD_ATTRIBUTE, newPassword);

        boolean rejected = false;
        try {
            authentication.authenticate(credentials);
        } catch (CredentialExpiredException stillExpired) {
            rejected = true;
        }
        if (!rejected) {
            Assert.fail(failureMessage);
        }
        return credentials;
    }

    /** Reads the attribute keyed by the simple class name of {@code PasswordHistoryException}. */
    private static Object historyFailureReason(SimpleCredentials credentials) {
        return credentials.getAttribute(PasswordHistoryException.class.getSimpleName());
    }
}
