package org.apache.jackrabbit.oak.jcr.security.authorization;

import com.google.common.collect.Lists;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import javax.jcr.AccessDeniedException;
import javax.jcr.NodeIterator;
import javax.jcr.security.Privilege;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.commons.JcrUtils;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
import org.apache.jackrabbit.oak.spi.security.principal.PrincipalImpl;
import org.apache.jackrabbit.util.Text;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;

/* loaded from: input_file:org/apache/jackrabbit/oak/jcr/security/authorization/UserManagementTest.class */
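/**
 * Permission-evaluation tests for user management operations.
 *
 * <p>Each test performs a user-management operation through {@code testSession} after
 * privileges have been granted or denied, and checks whether the operation is accepted
 * or rejected with {@link AccessDeniedException}. The cases pin the following rules:
 * <ul>
 *   <li>creating, removing or disabling an authorizable and changing a password require
 *       {@code rep:userManagement}; {@code rep:write} alone is rejected;</li>
 *   <li>changing ordinary authorizable properties requires {@code jcr:modifyProperties};
 *       {@code rep:userManagement} alone is rejected;</li>
 *   <li>{@code rep:userManagement} without read access to the target folder is rejected;</li>
 *   <li>a deny carrying a glob restriction can exclude group-membership changes from an
 *       otherwise granted {@code rep:userManagement}.</li>
 * </ul>
 */
public class UserManagementTest extends AbstractEvaluationTest {
    private static final String AUTHORIZABLES_PATH = "/rep:security/rep:authorizables";
    private static final String GROUPS_PATH = AUTHORIZABLES_PATH + "/rep:groups";
    private static final String USERS_PATH = AUTHORIZABLES_PATH + "/rep:users";

    private final String userId = "testUser2";
    private final String groupId = "testGroup2";

    // Authorizables any test may have created; tearDown() removes whichever exist.
    private final List<String> authorizablesToRemove = Lists.newArrayList(userId, groupId);

    /**
     * Runs the base set-up, then grants {@code jcr:read} on the authorizables tree to
     * everyone so that the tests isolate the write-side privileges.
     *
     * @throws Exception if the base set-up or the access control change fails
     */
    @Override
    @Before
    public void setUp() throws Exception {
        super.setUp();
        // NOTE(review): this entry is not removed by tearDown() in this class; presumably the
        // base class resets access control content between tests - confirm.
        AccessControlUtils.addAccessControlEntry(superuser, AUTHORIZABLES_PATH,
                EveryonePrincipal.getInstance(), privilegesFromName(Privilege.JCR_READ), true);
        superuser.save();
    }

    /**
     * Drops pending changes in both sessions, removes the test user and group if present,
     * and always runs the base tear-down, even when the cleanup itself throws.
     *
     * @throws Exception if cleanup or the base tear-down fails
     */
    @Override
    @After
    public void tearDown() throws Exception {
        try {
            testSession.refresh(false);
            superuser.refresh(false);
            UserManager userManager = getUserManager(superuser);
            for (String id : authorizablesToRemove) {
                Authorizable authorizable = userManager.getAuthorizable(id);
                if (authorizable != null) {
                    authorizable.remove();
                }
            }
            superuser.save();
        } finally {
            super.tearDown();
        }
    }

    /** Creates a user as superuser and refreshes {@code testSession} so it sees the new user. */
    private void createUser(String str) throws Exception {
        getUserManager(superuser).createUser(str, "pw");
        superuser.save();
        testSession.refresh(false);
    }

    /**
     * Shared cleanup for the intermediate-read-deny tests: removes the {@code a} folder
     * below the groups root (including anything created beneath it) and the access
     * control policy bound to the groups root.
     */
    private void removeGroupFolderSetup() throws Exception {
        superuser.refresh(false);
        superuser.getNode(GROUPS_PATH + "/a").remove();
        JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, GROUPS_PATH);
        if (acl != null) {
            acMgr.removePolicy(GROUPS_PATH, acl);
        }
        superuser.save();
    }

    /** User creation is rejected both with no write privilege and with {@code rep:write} only. */
    @Test
    public void testCreateUserWithoutPermission() throws Exception {
        UserManager userManager = getUserManager(testSession);
        try {
            userManager.createUser(userId, "pw");
            testSession.save();
            fail("Test session doesn't have sufficient permission -> creating user should fail.");
        } catch (AccessDeniedException expected) {
            // Drop the rejected transient user so the second attempt is judged on
            // permissions alone, not on state left over from the first attempt.
            testSession.refresh(false);
        }
        modify("/", "rep:write", true);
        try {
            userManager.createUser(userId, "pw");
            testSession.save();
            fail("Test session doesn't have sufficient permission -> creating user should fail.");
        } catch (AccessDeniedException expected) {
            // expected: rep:write does not include user management
        }
    }

    /** {@code rep:userManagement} on the root is sufficient to create a user. */
    @Test
    public void testCreateUser() throws Exception {
        UserManager userManager = getUserManager(testSession);
        modify("/", "rep:userManagement", true);
        userManager.createUser(userId, "pw");
        testSession.save();
    }

    /** User creation also succeeds with {@code rep:userManagement} plus {@code rep:write}. */
    @Test
    public void testCreateUser2() throws Exception {
        UserManager userManager = getUserManager(testSession);
        allow("/", privilegesFromNames(new String[]{"rep:userManagement", "rep:write"}));
        userManager.createUser(userId, "pw");
        testSession.save();
    }

    /** {@code rep:userManagement} on the root is sufficient to create a group. */
    @Test
    public void testCreateGroup() throws Exception {
        UserManager userManager = getUserManager(testSession);
        modify("/", "rep:userManagement", true);
        userManager.createGroup(groupId);
        testSession.save();
    }

    /** Group creation also succeeds with {@code rep:userManagement} plus {@code rep:write}. */
    @Test
    public void testCreateGroup2() throws Exception {
        UserManager userManager = getUserManager(testSession);
        allow("/", privilegesFromNames(new String[]{"rep:userManagement", "rep:write"}));
        userManager.createGroup(groupId);
        testSession.save();
    }

    /** With {@code jcr:read} denied on the root, {@code rep:userManagement} alone is rejected. */
    @Test
    public void testCreateWithoutReadAccess() throws Exception {
        UserManager userManager = getUserManager(testSession);
        deny("/", privilegesFromName("jcr:read"));
        allow("/", privilegesFromName("rep:userManagement"));
        try {
            userManager.createGroup(groupId);
            testSession.save();
            fail("Creating group without read-access on the folder node should fail");
        } catch (AccessDeniedException expected) {
            // expected: the folder node is not readable for the test session
        }
    }

    /**
     * Read is denied on the groups root but read, user management and write are granted on
     * the pre-existing target folder {@code a/b/c}; creating the group there must succeed.
     */
    @Test
    public void testCreateWithIntermediateReadDeny() throws Exception {
        String folderPath = GROUPS_PATH + "/a/b/c";
        JcrUtils.getOrCreateByPath(folderPath, "rep:AuthorizableFolder", superuser);
        superuser.save();
        try {
            deny(GROUPS_PATH, privilegesFromName(Privilege.JCR_READ));
            allow(folderPath, privilegesFromNames(
                    new String[]{Privilege.JCR_READ, "rep:userManagement", "rep:write"}));
            getUserManager(testSession).createGroup(groupId, new PrincipalImpl(groupId), "a/b/c");
            testSession.save();
        } finally {
            removeGroupFolderSetup();
        }
    }

    /**
     * Same as {@link #testCreateWithIntermediateReadDeny()}, but only folder {@code a}
     * exists and carries the grant; the group is still created at {@code a/b/c} and the
     * operation must succeed.
     */
    @Test
    public void testCreateWithIntermediateReadDeny2() throws Exception {
        String folderPath = GROUPS_PATH + "/a";
        JcrUtils.getOrCreateByPath(folderPath, "rep:AuthorizableFolder", superuser);
        superuser.save();
        try {
            deny(GROUPS_PATH, privilegesFromName(Privilege.JCR_READ));
            allow(folderPath, privilegesFromNames(
                    new String[]{Privilege.JCR_READ, "rep:userManagement", "rep:write"}));
            getUserManager(testSession).createGroup(groupId, new PrincipalImpl(groupId), "a/b/c");
            testSession.save();
        } finally {
            removeGroupFolderSetup();
        }
    }

    /** Changing another user's password with no additional privilege is rejected. */
    @Test
    public void testChangePasswordWithoutPermission() throws Exception {
        createUser(userId);
        try {
            getUserManager(testSession).getAuthorizable(userId).changePassword("pw2");
            testSession.save();
            fail("Changing the password without rep:userManagement should fail.");
        } catch (AccessDeniedException expected) {
            // expected
        }
    }

    /** {@code rep:write} alone does not allow a password change. */
    @Test
    public void testChangePasswordWithoutPermission2() throws Exception {
        createUser(userId);
        modify("/", "rep:write", true);
        try {
            getUserManager(testSession).getAuthorizable(userId).changePassword("pw2");
            testSession.save();
            fail("Changing the password with rep:write only should fail.");
        } catch (AccessDeniedException expected) {
            // expected: rep:write does not include user management
        }
    }

    /** {@code rep:userManagement} allows a password change. */
    @Test
    public void testChangePassword() throws Exception {
        createUser(userId);
        modify("/", "rep:userManagement", true);
        getUserManager(testSession).getAuthorizable(userId).changePassword("pw2");
        testSession.save();
    }

    /** Disabling a user with no additional privilege is rejected. */
    @Test
    public void testDisableUserWithoutPermission() throws Exception {
        createUser(userId);
        try {
            getUserManager(testSession).getAuthorizable(userId).disable("disabled!");
            testSession.save();
            fail("Disabling a user without rep:userManagement should fail.");
        } catch (AccessDeniedException expected) {
            // expected
        }
    }

    /** {@code rep:write} alone does not allow disabling a user. */
    @Test
    public void testDisableUserWithoutPermission2() throws Exception {
        createUser(userId);
        modify("/", "rep:write", true);
        try {
            getUserManager(testSession).getAuthorizable(userId).disable("disabled!");
            testSession.save();
            fail("Disabling a user with rep:write only should fail.");
        } catch (AccessDeniedException expected) {
            // expected: rep:write does not include user management
        }
    }

    /** {@code rep:userManagement} allows disabling a user. */
    @Test
    public void testDisableUser() throws Exception {
        createUser(userId);
        modify("/", "rep:userManagement", true);
        getUserManager(testSession).getAuthorizable(userId).disable("disabled!");
        testSession.save();
    }

    /** User removal is rejected both with no write privilege and with {@code rep:write} only. */
    @Test
    public void testRemoveUserWithoutPermission() throws Exception {
        createUser(userId);
        UserManager userManager = getUserManager(testSession);
        try {
            userManager.getAuthorizable(userId).remove();
            testSession.save();
            fail("Test session doesn't have sufficient permission to remove a user.");
        } catch (AccessDeniedException expected) {
            // Drop the rejected transient removal; otherwise the user could be invisible to
            // the second lookup and the check below would not exercise the permission.
            testSession.refresh(false);
        }
        modify("/", "rep:write", true);
        try {
            userManager.getAuthorizable(userId).remove();
            testSession.save();
            fail("Test session doesn't have sufficient permission to remove a user.");
        } catch (AccessDeniedException expected) {
            // expected: rep:write does not include user management
        }
    }

    /** {@code rep:userManagement} allows removing a user. */
    @Test
    public void testRemoveUser() throws Exception {
        createUser(userId);
        modify("/", "rep:userManagement", true);
        getUserManager(testSession).getAuthorizable(userId).remove();
        testSession.save();
    }

    /** User removal also succeeds with {@code rep:userManagement} plus {@code rep:write}. */
    @Test
    public void testRemoveUser2() throws Exception {
        createUser(userId);
        allow("/", privilegesFromNames(new String[]{"rep:userManagement", "rep:write"}));
        getUserManager(testSession).getAuthorizable(userId).remove();
        testSession.save();
    }

    /** Setting an ordinary user property with no additional privilege is rejected. */
    @Test
    public void testChangeUserPropertiesWithoutPermission() throws Exception {
        createUser(userId);
        try {
            getUserManager(testSession).getAuthorizable(userId)
                    .setProperty("someProp", testSession.getValueFactory().createValue("value"));
            testSession.save();
            fail("Test session doesn't have sufficient permission to alter user properties.");
        } catch (AccessDeniedException expected) {
            // expected
        }
    }

    /** {@code rep:userManagement} alone does not allow setting ordinary user properties. */
    @Test
    public void testChangeUserPropertiesWithoutPermission2() throws Exception {
        createUser(userId);
        modify("/", "rep:userManagement", true);
        try {
            getUserManager(testSession).getAuthorizable(userId)
                    .setProperty("someProp", testSession.getValueFactory().createValue("value"));
            testSession.save();
            fail("Test session doesn't have sufficient permission to alter user properties.");
        } catch (AccessDeniedException expected) {
            // expected: ordinary properties are governed by jcr:modifyProperties
        }
    }

    /** {@code jcr:modifyProperties} allows adding and removing ordinary user properties. */
    @Test
    public void testChangeUserProperties() throws Exception {
        createUser(userId);
        modify("/", "jcr:modifyProperties", true);
        Authorizable authorizable = getUserManager(testSession).getAuthorizable(userId);
        authorizable.setProperty("someProp", testSession.getValueFactory().createValue("value"));
        testSession.save();
        // NOTE(review): "someProperty" differs from "someProp", so this step adds a second
        // property rather than modifying the first one - confirm that is intended.
        authorizable.setProperty("someProperty", testSession.getValueFactory().createValue("modified"));
        testSession.save();
        authorizable.removeProperty("someProperty");
        testSession.save();
    }

    /**
     * With {@code jcr:read} denied on the authorizables tree and {@code jcr:all} granted
     * only on the test user's own node, the user-manager search and a direct XPath query
     * run by the test session must return exactly the same, non-empty set of user ids.
     */
    @Test
    public void testFindAuthorizables() throws Exception {
        deny(Text.getRelativeParent(USERS_PATH, 1), privilegesFromName("jcr:read"));
        String testUserPath = getUserManager(superuser).getAuthorizable(testSession.getUserID()).getPath();
        allow(testUserPath, privilegesFromName("jcr:all"));

        Iterator<Authorizable> found = getUserManager(testSession)
                .findAuthorizables("rep:principalName", null, UserManager.SEARCH_TYPE_USER);
        HashSet<String> visibleIds = new HashSet<String>();
        while (found.hasNext()) {
            visibleIds.add(found.next().getID());
        }
        assertFalse(visibleIds.isEmpty());

        NodeIterator nodes = testSession.getWorkspace().getQueryManager()
                .createQuery("/jcr:root//element(*,rep:User)", "xpath").execute().getNodes();
        assertTrue(nodes.hasNext());
        while (nodes.hasNext()) {
            String id = nodes.nextNode().getProperty("rep:authorizableId").getString();
            if (!visibleIds.remove(id)) {
                fail("UserId " + id + " missing in result set.");
            }
        }
        // Anything left was returned by the search but not by the query.
        assertTrue("Result mismatch", visibleIds.isEmpty());
    }

    /**
     * {@code rep:userManagement} is granted on the authorizables tree but denied for paths
     * matching the glob {@code *}{@code /rep:members}: creating a group succeeds, adding a
     * member to it is rejected.
     */
    @Test
    public void testGlobRestriction() throws Exception {
        String authorizablesRoot = Text.getRelativeParent(GROUPS_PATH, 1);
        Privilege[] userManagement = privilegesFromName("rep:userManagement");
        allow(authorizablesRoot, userManagement);
        deny(authorizablesRoot, userManagement, createGlobRestriction("*/rep:members"));

        UserManager userManager = getUserManager(testSession);
        Group group = userManager.createGroup(groupId);
        testSession.save();
        try {
            group.addMember(userManager.getAuthorizable(testSession.getUserID()));
            testSession.save();
            fail("Adding a group member should be denied by the rep:members glob restriction.");
        } catch (AccessDeniedException expected) {
            // expected: the restricted deny covers the membership property
        } finally {
            // Discard the pending membership change whatever the outcome.
            testSession.refresh(false);
        }
    }
}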
