package org.apache.jackrabbit.oak.jcr.security.authorization;

import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.util.Arrays;
import javax.annotation.Nullable;
import javax.jcr.ImportUUIDBehavior;
import javax.jcr.Node;
import javax.jcr.RepositoryException;
import javax.jcr.security.AccessControlEntry;
import javax.jcr.security.AccessControlException;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlEntry;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
import org.apache.jackrabbit.test.AbstractJCRTest;

/* loaded from: input_file:org/apache/jackrabbit/oak/jcr/security/authorization/AccessControlImporterTest.class */
public class AccessControlImporterTest extends AbstractJCRTest {
    /**
     * System-view XML for a node named {@code test} ({@code nt:unstructured} with the
     * {@code rep:AccessControllable} mixin) that carries a {@code rep:policy} child of type
     * {@code rep:ACL}. The ACL holds a single {@code rep:GrantACE} named {@code allow} that
     * grants {@code jcr:write} to the principal {@code everyone}.
     *
     * <p>The {@code rep} prefix is bound to the namespace URI {@code internal} in this document.
     */
    public static final String XML_POLICY_TREE = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><sv:node sv:name=\"test\" xmlns:mix=\"http://www.jcp.org/jcr/mix/1.0\" xmlns:nt=\"http://www.jcp.org/jcr/nt/1.0\" xmlns:fn_old=\"http://www.w3.org/2004/10/xpath-functions\" xmlns:fn=\"http://www.w3.org/2005/xpath-functions\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:sv=\"http://www.jcp.org/jcr/sv/1.0\" xmlns:rep=\"internal\" xmlns:jcr=\"http://www.jcp.org/jcr/1.0\">  <sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>nt:unstructured</sv:value></sv:property>  <sv:property sv:name=\"jcr:mixinTypes\" sv:type=\"Name\">     <sv:value>rep:AccessControllable</sv:value>  </sv:property>  <sv:node sv:name=\"rep:policy\">     <sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>rep:ACL</sv:value></sv:property>     <sv:node sv:name=\"allow\">         <sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\">             <sv:value>rep:GrantACE</sv:value>         </sv:property>         <sv:property sv:name=\"rep:principalName\" sv:type=\"String\">             <sv:value>everyone</sv:value>         </sv:property>         <sv:property sv:name=\"rep:privileges\" sv:type=\"Name\">             <sv:value>jcr:write</sv:value>         </sv:property>     </sv:node>  </sv:node></sv:node>";
    /**
     * System-view XML whose root element is the {@code rep:policy} node itself (type
     * {@code rep:ACL}). It holds one {@code rep:GrantACE} named {@code allow} granting
     * {@code jcr:write} to the principal {@code everyone}.
     */
    public static final String XML_POLICY_TREE_2 = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><sv:node sv:name=\"rep:policy\" xmlns:mix=\"http://www.jcp.org/jcr/mix/1.0\" xmlns:nt=\"http://www.jcp.org/jcr/nt/1.0\" xmlns:fn_old=\"http://www.w3.org/2004/10/xpath-functions\" xmlns:fn=\"http://www.w3.org/2005/xpath-functions\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:sv=\"http://www.jcp.org/jcr/sv/1.0\" xmlns:rep=\"internal\" xmlns:jcr=\"http://www.jcp.org/jcr/1.0\"><sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>rep:ACL</sv:value></sv:property><sv:node sv:name=\"allow\"><sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>rep:GrantACE</sv:value></sv:property><sv:property sv:name=\"rep:principalName\" sv:type=\"String\"><sv:value>everyone</sv:value></sv:property><sv:property sv:name=\"rep:privileges\" sv:type=\"Name\"><sv:value>jcr:write</sv:value></sv:property></sv:node></sv:node>";
    /**
     * System-view XML of a {@code rep:policy} node (type {@code rep:ACL}) with two
     * {@code rep:GrantACE} children, in this order: {@code allow} grants {@code jcr:write}
     * to {@code everyone}, and {@code allow0} grants {@code jcr:write} to {@code admin}.
     */
    public static final String XML_POLICY_TREE_3 = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><sv:node sv:name=\"rep:policy\" xmlns:mix=\"http://www.jcp.org/jcr/mix/1.0\" xmlns:nt=\"http://www.jcp.org/jcr/nt/1.0\" xmlns:fn_old=\"http://www.w3.org/2004/10/xpath-functions\" xmlns:fn=\"http://www.w3.org/2005/xpath-functions\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:sv=\"http://www.jcp.org/jcr/sv/1.0\" xmlns:rep=\"internal\" xmlns:jcr=\"http://www.jcp.org/jcr/1.0\"><sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>rep:ACL</sv:value></sv:property><sv:node sv:name=\"allow\"><sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>rep:GrantACE</sv:value></sv:property><sv:property sv:name=\"rep:principalName\" sv:type=\"String\"><sv:value>everyone</sv:value></sv:property><sv:property sv:name=\"rep:privileges\" sv:type=\"Name\"><sv:value>jcr:write</sv:value></sv:property></sv:node><sv:node sv:name=\"allow0\"><sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>rep:GrantACE</sv:value></sv:property><sv:property sv:name=\"rep:principalName\" sv:type=\"String\"><sv:value>admin</sv:value></sv:property><sv:property sv:name=\"rep:privileges\" sv:type=\"Name\"><sv:value>jcr:write</sv:value></sv:property></sv:node></sv:node>";
    /**
     * System-view XML of a {@code rep:policy} node (type {@code rep:ACL}) with a single
     * {@code rep:GrantACE} named {@code allow0} granting {@code jcr:write} to {@code admin}.
     * Compared with {@link #XML_POLICY_TREE_3} it omits the entry for {@code everyone}.
     */
    public static final String XML_POLICY_TREE_5 = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><sv:node sv:name=\"rep:policy\" xmlns:mix=\"http://www.jcp.org/jcr/mix/1.0\" xmlns:nt=\"http://www.jcp.org/jcr/nt/1.0\" xmlns:fn_old=\"http://www.w3.org/2004/10/xpath-functions\" xmlns:fn=\"http://www.w3.org/2005/xpath-functions\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:sv=\"http://www.jcp.org/jcr/sv/1.0\" xmlns:rep=\"internal\" xmlns:jcr=\"http://www.jcp.org/jcr/1.0\"><sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>rep:ACL</sv:value></sv:property><sv:node sv:name=\"allow0\"><sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>rep:GrantACE</sv:value></sv:property><sv:property sv:name=\"rep:principalName\" sv:type=\"String\"><sv:value>admin</sv:value></sv:property><sv:property sv:name=\"rep:privileges\" sv:type=\"Name\"><sv:value>jcr:write</sv:value></sv:property></sv:node></sv:node>";
    /**
     * System-view XML of a {@code rep:repoPolicy} node (type {@code rep:ACL}) with a single
     * {@code rep:GrantACE} named {@code allow} granting {@code jcr:workspaceManagement} to
     * {@code admin}.
     */
    public static final String XML_REPO_POLICY_TREE = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><sv:node sv:name=\"rep:repoPolicy\" xmlns:mix=\"http://www.jcp.org/jcr/mix/1.0\" xmlns:nt=\"http://www.jcp.org/jcr/nt/1.0\" xmlns:fn_old=\"http://www.w3.org/2004/10/xpath-functions\" xmlns:fn=\"http://www.w3.org/2005/xpath-functions\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:sv=\"http://www.jcp.org/jcr/sv/1.0\" xmlns:rep=\"internal\" xmlns:jcr=\"http://www.jcp.org/jcr/1.0\"><sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>rep:ACL</sv:value></sv:property><sv:node sv:name=\"allow\"><sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>rep:GrantACE</sv:value></sv:property><sv:property sv:name=\"rep:principalName\" sv:type=\"String\"><sv:value>admin</sv:value></sv:property><sv:property sv:name=\"rep:privileges\" sv:type=\"Name\"><sv:value>jcr:workspaceManagement</sv:value></sv:property></sv:node></sv:node>";
    /**
     * System-view XML for a node named {@code test} ({@code nt:unstructured} with the
     * {@code rep:AccessControllable} mixin) whose {@code rep:policy} child (type
     * {@code rep:ACL}) contains no access control entries.
     */
    public static final String XML_POLICY_ONLY = "<?xml version=\"1.0\" encoding=\"UTF-8\"?><sv:node sv:name=\"test\" xmlns:mix=\"http://www.jcp.org/jcr/mix/1.0\" xmlns:nt=\"http://www.jcp.org/jcr/nt/1.0\" xmlns:fn_old=\"http://www.w3.org/2004/10/xpath-functions\" xmlns:fn=\"http://www.w3.org/2005/xpath-functions\" xmlns:xs=\"http://www.w3.org/2001/XMLSchema\" xmlns:sv=\"http://www.jcp.org/jcr/sv/1.0\" xmlns:rep=\"internal\" xmlns:jcr=\"http://www.jcp.org/jcr/1.0\">  <sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>nt:unstructured</sv:value></sv:property>  <sv:property sv:name=\"jcr:mixinTypes\" sv:type=\"Name\">     <sv:value>rep:AccessControllable</sv:value>  </sv:property>  <sv:node sv:name=\"rep:policy\">     <sv:property sv:name=\"jcr:primaryType\" sv:type=\"Name\"><sv:value>rep:ACL</sv:value></sv:property>  </sv:node></sv:node>";

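    /**
     * Imports the given system-view XML below the node at {@code str}, failing on UUID
     * collisions ({@link ImportUUIDBehavior#IMPORT_UUID_COLLISION_THROW}).
     *
     * <p>When {@link #isSessionImport()} returns {@code true} the import goes through the
     * {@code superuser} session; otherwise pending session changes are saved first and the
     * import goes through the workspace.
     *
     * <p>NOTE(review): every import in this class runs as {@code superuser}, so the tests show
     * how imported access control content is materialised. Nothing visible here exercises the
     * permission checks applied to a less privileged importer.
     *
     * <p>NOTE(review): a workspace import presumably persists the content immediately, in which
     * case the {@code refresh(false)} calls in the tests' cleanup would not discard it. Confirm
     * that teardown in {@code AbstractJCRTest} removes it.
     *
     * <p>Decompiler note: JADX reports that this method was originally declared
     * {@code protected}.
     *
     * @param str absolute path of the node that receives the imported content
     * @param str2 the XML document to import
     * @throws IOException declared because the import reads the XML from a stream
     * @throws RepositoryException if the repository rejects the import
     */
    public void doImport(String str, String str2) throws IOException, RepositoryException {
        // Charset constant instead of a charset name: no lookup by string at runtime.
        ByteArrayInputStream xml = new ByteArrayInputStream(str2.getBytes(StandardCharsets.UTF_8));
        if (isSessionImport()) {
            superuser.importXML(str, xml, ImportUUIDBehavior.IMPORT_UUID_COLLISION_THROW);
            return;
        }
        // Persist transient changes (such as a freshly created import target) before the
        // workspace-level import runs.
        superuser.save();
        superuser.getWorkspace().importXML(str, xml, ImportUUIDBehavior.IMPORT_UUID_COLLISION_THROW);
    }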

    /**
     * Selects the import mode used by {@link #doImport(String, String)} and by the helpers
     * that decide whether to save before importing.
     *
     * @return {@code true} here, meaning imports go through the session; being
     *     {@code protected}, it can be overridden by a subclass to switch to workspace import
     */
    protected boolean isSessionImport() {
        return true;
    }

    /**
     * Creates the node that ACL-only fixtures are imported into: a child of the test root
     * named {@code nodeName1} carrying the {@code rep:AccessControllable} mixin.
     *
     * @return the new target node; saved already when workspace import is in use
     * @throws RepositoryException if the node or mixin cannot be added, or saving fails
     */
    private Node createImportTarget() throws RepositoryException {
        Node target = testRootNode.addNode(nodeName1);
        target.addMixin("rep:AccessControllable");
        boolean workspaceImport = !isSessionImport();
        if (workspaceImport) {
            // Save the new target before a workspace-level import is run against it.
            superuser.save();
        }
        return target;
    }

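    /**
     * Creates a node named {@code test} under the test root and applies every applicable
     * access control list to it, so that a later import meets an already existing policy.
     *
     * <p>The iterator yields {@link AccessControlPolicy} instances; only those that are
     * {@link AccessControlList}s are modified and set. The decompiled original assigned the
     * iterator result straight to an {@code AccessControlList} variable, which does not
     * type-check, so the narrowing is done explicitly here.
     *
     * @param principal when non-null, each applied ACL gets one entry granting this principal
     *     {@code jcr:lockManagement}; when {@code null} the ACLs are applied without adding
     *     an entry
     * @return the new target node; saved already when workspace import is in use
     * @throws RepositoryException if node creation, policy editing, or saving fails
     */
    private Node createImportTargetWithPolicy(@Nullable Principal principal) throws RepositoryException {
        Node target = testRootNode.addNode("test", "test:sameNameSibsFalseChildNodeDefinition");
        String targetPath = target.getPath();
        AccessControlManager acMgr = superuser.getAccessControlManager();

        AccessControlPolicyIterator applicable = acMgr.getApplicablePolicies(targetPath);
        while (applicable.hasNext()) {
            AccessControlPolicy policy = applicable.nextAccessControlPolicy();
            if (!(policy instanceof AccessControlList)) {
                continue;
            }
            AccessControlList acl = (AccessControlList) policy;
            if (principal != null) {
                // A privilege that differs from the jcr:write granted by the XML fixtures, so
                // tests can tell the pre-existing entry apart from an imported one.
                Privilege lockManagement = acMgr.privilegeFromName(Privilege.JCR_LOCK_MANAGEMENT);
                acl.addAccessControlEntry(principal, new Privilege[] {lockManagement});
            }
            acMgr.setPolicy(targetPath, acl);
        }

        if (!isSessionImport()) {
            // Save the target and its policy before a workspace-level import is run against it.
            superuser.save();
        }
        return target;
    }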

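    /**
     * Imports {@link #XML_POLICY_TREE} below the test root and checks that the created
     * {@code test} node ends up with exactly one ACL holding exactly one entry: an allow
     * entry granting {@code jcr:write} to {@code everyone}.
     *
     * <p>Policies and entries are read through the JCR interface types and narrowed with
     * explicit casts. The decompiled original declared them with the Jackrabbit subtypes
     * directly, which does not type-check and made the {@code instanceof} guards vacuous.
     *
     * @throws Exception if the import or any repository call fails
     */
    public void testImportACL() throws Exception {
        try {
            Node target = testRootNode;
            doImport(target.getPath(), XML_POLICY_TREE);
            assertTrue(target.hasNode("test"));
            String path = target.getNode("test").getPath();

            AccessControlManager acMgr = superuser.getAccessControlManager();
            AccessControlPolicy[] policies = acMgr.getPolicies(path);
            assertEquals(1, policies.length);
            assertTrue(policies[0] instanceof JackrabbitAccessControlList);

            AccessControlEntry[] entries = ((JackrabbitAccessControlList) policies[0]).getAccessControlEntries();
            assertEquals(1, entries.length);

            AccessControlEntry entry = entries[0];
            assertEquals("everyone", entry.getPrincipal().getName());
            assertEquals(1, entry.getPrivileges().length);
            assertEquals(acMgr.privilegeFromName(Privilege.JCR_WRITE), entry.getPrivileges()[0]);
            if (entry instanceof JackrabbitAccessControlEntry) {
                // The fixture declares rep:GrantACE, so the entry must not come back as a deny.
                assertTrue(((JackrabbitAccessControlEntry) entry).isAllow());
            }
        } finally {
            // Discard transient changes so the imported grant does not leak into other tests.
            superuser.refresh(false);
        }
    }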

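    /**
     * Imports the bare {@code rep:policy} tree {@link #XML_POLICY_TREE_3} into an
     * access-controllable target and checks that the resulting ACL holds two allow entries
     * in fixture order: {@code everyone} then {@code admin}, each granting {@code jcr:write}.
     *
     * <p>Policies and entries are read through the JCR interface types and narrowed with
     * explicit casts (the decompiled declarations did not type-check). The allow check is
     * applied to both entries; the original asserted it only for the second one.
     *
     * @throws Exception if the import or any repository call fails
     */
    public void testImportACLOnly() throws Exception {
        try {
            Node target = createImportTarget();
            doImport(target.getPath(), XML_POLICY_TREE_3);
            String path = target.getPath();

            AccessControlManager acMgr = superuser.getAccessControlManager();
            AccessControlPolicy[] policies = acMgr.getPolicies(path);
            assertEquals(1, policies.length);
            assertTrue(policies[0] instanceof JackrabbitAccessControlList);

            AccessControlEntry[] entries = ((JackrabbitAccessControlList) policies[0]).getAccessControlEntries();
            assertEquals(2, entries.length);

            Privilege write = acMgr.privilegeFromName(Privilege.JCR_WRITE);
            String[] expectedPrincipals = {"everyone", "admin"};
            for (int i = 0; i < expectedPrincipals.length; i++) {
                AccessControlEntry entry = entries[i];
                assertEquals(expectedPrincipals[i], entry.getPrincipal().getName());
                assertEquals(1, entry.getPrivileges().length);
                assertEquals(write, entry.getPrivileges()[0]);
                if (entry instanceof JackrabbitAccessControlEntry) {
                    // Both fixture entries are rep:GrantACE nodes.
                    assertTrue(((JackrabbitAccessControlEntry) entry).isAllow());
                }
            }
        } finally {
            // Discard transient changes so the imported grants do not leak into other tests.
            superuser.refresh(false);
        }
    }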

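    /**
     * Imports {@link #XML_POLICY_TREE_3} (entries for {@code everyone} and {@code admin}) and
     * then {@link #XML_POLICY_TREE_5} ({@code admin} only) into the same target. It checks
     * that only the {@code admin} allow entry for {@code jcr:write} remains, i.e. that the
     * second import drops the entry it does not contain instead of merging with it.
     *
     * <p>Policies and entries are read through the JCR interface types and narrowed with
     * explicit casts (the decompiled declarations did not type-check).
     *
     * @throws Exception if an import or any repository call fails
     */
    public void testImportACLRemoveACE() throws Exception {
        try {
            Node target = createImportTarget();
            String path = target.getPath();
            doImport(path, XML_POLICY_TREE_3);
            doImport(path, XML_POLICY_TREE_5);

            AccessControlManager acMgr = superuser.getAccessControlManager();
            AccessControlPolicy[] policies = acMgr.getPolicies(path);
            assertEquals(1, policies.length);
            assertTrue(policies[0] instanceof JackrabbitAccessControlList);

            AccessControlEntry[] entries = ((JackrabbitAccessControlList) policies[0]).getAccessControlEntries();
            // A stale "everyone" grant surviving the re-import would show up here as a second entry.
            assertEquals(1, entries.length);

            AccessControlEntry entry = entries[0];
            assertEquals("admin", entry.getPrincipal().getName());
            assertEquals(1, entry.getPrivileges().length);
            assertEquals(acMgr.privilegeFromName(Privilege.JCR_WRITE), entry.getPrivileges()[0]);
            if (entry instanceof JackrabbitAccessControlEntry) {
                assertTrue(((JackrabbitAccessControlEntry) entry).isAllow());
            }
        } finally {
            // Discard transient changes so the imported grants do not leak into other tests.
            superuser.refresh(false);
        }
    }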

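    /**
     * Imports {@link #XML_POLICY_TREE_2} into a target that already has an ACL granting
     * {@code jcr:lockManagement} to {@code everyone}. It checks that afterwards the ACL holds
     * a single allow entry for {@code everyone} with {@code jcr:write} only, so the imported
     * entry replaces the pre-existing one and privileges are not accumulated.
     *
     * <p>Policies and entries are read through the JCR interface types and narrowed with
     * explicit casts (the decompiled declarations did not type-check).
     *
     * @throws Exception if the import or any repository call fails
     */
    public void testImportPolicyExists() throws Exception {
        try {
            Node target = createImportTargetWithPolicy(EveryonePrincipal.getInstance());
            String path = target.getPath();
            doImport(path, XML_POLICY_TREE_2);

            AccessControlManager acMgr = superuser.getAccessControlManager();
            AccessControlPolicy[] policies = acMgr.getPolicies(path);
            assertEquals(1, policies.length);
            assertTrue(policies[0] instanceof JackrabbitAccessControlList);

            AccessControlEntry[] entries = ((JackrabbitAccessControlList) policies[0]).getAccessControlEntries();
            assertEquals(1, entries.length);

            AccessControlEntry entry = entries[0];
            assertEquals(EveryonePrincipal.getInstance(), entry.getPrincipal());
            // Exactly one privilege: the lockManagement grant set up beforehand must be gone.
            assertEquals(1, entry.getPrivileges().length);
            assertEquals(acMgr.privilegeFromName(Privilege.JCR_WRITE), entry.getPrivileges()[0]);
            if (entry instanceof JackrabbitAccessControlEntry) {
                assertTrue(((JackrabbitAccessControlEntry) entry).isAllow());
            }
        } finally {
            // Discard transient changes so the grants do not leak into other tests.
            superuser.refresh(false);
        }
    }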

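    /**
     * Imports {@link #XML_POLICY_ONLY} (a {@code test} node with an empty {@code rep:policy})
     * below a target that already carries an entry-less ACL, and checks that the target still
     * has exactly one ACL with no entries.
     *
     * <p>Cleanup lives in a single {@code finally} block so {@code refresh(false)} runs
     * exactly once on every path. The decompiled form duplicated it in the try body and in a
     * {@code catch (Throwable)} handler. The policy array is read as
     * {@link AccessControlPolicy} and narrowed with a cast, since the decompiled declaration
     * did not type-check.
     *
     * @throws Exception if the import or any repository call fails
     */
    public void testImportEmptyExistingPolicy() throws Exception {
        try {
            Node target = createImportTargetWithPolicy(null);
            doImport(target.getPath(), XML_POLICY_ONLY);

            AccessControlManager acMgr = superuser.getAccessControlManager();
            AccessControlPolicy[] policies = acMgr.getPolicies(target.getPath());
            assertEquals(1, policies.length);
            assertTrue(policies[0] instanceof JackrabbitAccessControlList);

            AccessControlEntry[] entries = ((JackrabbitAccessControlList) policies[0]).getAccessControlEntries();
            assertEquals(0, entries.length);
        } finally {
            // Discard transient changes so the test content does not leak into other tests.
            superuser.refresh(false);
        }
    }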

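    /**
     * Imports {@link #XML_REPO_POLICY_TREE} at the root node after marking the root
     * {@code rep:RepoAccessControllable}. It checks that the policies read with a
     * {@code null} path consist of one ACL with one entry granting
     * {@code jcr:workspaceManagement}, that the {@code rep:repoPolicy} node and its
     * {@code allow} child exist under the root, and that removing the policy removes both.
     *
     * <p>Cleanup lives in a single {@code finally} block so it runs exactly once on every
     * path. The decompiled form duplicated it in the try body and in a
     * {@code catch (Throwable)} handler.
     *
     * @throws Exception if the import or any repository call fails
     */
    public void testImportRepoACLAtRoot() throws Exception {
        Node root = superuser.getRootNode();
        AccessControlManager acMgr = superuser.getAccessControlManager();
        try {
            root.addMixin("rep:RepoAccessControllable");
            if (!isSessionImport()) {
                superuser.save();
            }
            doImport(root.getPath(), XML_REPO_POLICY_TREE);

            AccessControlPolicy[] policies = acMgr.getPolicies((String) null);
            assertEquals(1, policies.length);
            assertTrue(policies[0] instanceof JackrabbitAccessControlList);

            AccessControlEntry[] entries = ((JackrabbitAccessControlList) policies[0]).getAccessControlEntries();
            assertEquals(1, entries.length);
            assertEquals(1, entries[0].getPrivileges().length);
            assertEquals(acMgr.privilegeFromName("jcr:workspaceManagement"), entries[0].getPrivileges()[0]);

            assertTrue(root.hasNode("rep:repoPolicy"));
            assertTrue(root.hasNode("rep:repoPolicy/allow"));

            // Removing the policy through the API must also remove its backing nodes.
            acMgr.removePolicy((String) null, policies[0]);
            assertFalse(root.hasNode("rep:repoPolicy"));
            assertFalse(root.hasNode("rep:repoPolicy/allow"));
        } finally {
            if (isSessionImport()) {
                superuser.refresh(false);
            } else {
                superuser.save();
            }
            // NOTE(review): in workspace mode a failure before removePolicy() presumably
            // leaves the imported policy persisted, and save() does not undo it. This
            // assertion would then fail and replace the original exception. Confirm whether
            // explicit removal is wanted here. The mixin added to the root is not removed
            // by this method either.
            assertEquals(0, acMgr.getPolicies((String) null).length);
        }
    }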

    /**
     * Imports {@link #XML_REPO_POLICY_TREE} below a non-root node marked
     * {@code rep:RepoAccessControllable} and checks that the transient
     * {@code rep:repoPolicy} child is defined by that mixin, but that saving is rejected
     * with an {@link AccessControlException}.
     *
     * <p>NOTE(review): the fixture names its entry node {@code allow}, not {@code allow0}, so
     * the {@code assertFalse} on {@code rep:repoPolicy/allow0} would hold whether or not the
     * entry was imported. Confirm which child name the check is meant to cover.
     *
     * @throws Exception if the import or any repository call fails unexpectedly
     */
    public void testImportRepoACLAtTestNode() throws Exception {
        try {
            Node target = testRootNode.addNode("test");
            target.addMixin("rep:RepoAccessControllable");
            doImport(target.getPath(), XML_REPO_POLICY_TREE);

            assertTrue(target.hasNode("rep:repoPolicy"));
            assertFalse(target.hasNode("rep:repoPolicy/allow0"));

            Node repoPolicy = target.getNode("rep:repoPolicy");
            String declaringType = repoPolicy.getDefinition().getDeclaringNodeType().getName();
            assertEquals("rep:RepoAccessControllable", declaringType);

            try {
                superuser.save();
                fail("Importing repo policy to non-root node must fail");
            } catch (AccessControlException expected) {
                // Expected: the save is rejected, which is what this test checks.
            }
        } finally {
            // Discard the rejected transient changes.
            superuser.refresh(false);
        }
    }
}
