package org.apache.jackrabbit.oak.jcr.security.authorization;

import java.security.Principal;
import java.util.HashSet;
import javax.jcr.Node;
import javax.jcr.NodeIterator;
import javax.jcr.PathNotFoundException;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.security.Privilege;
import javax.jcr.util.TraversingItemVisitor;
import org.apache.jackrabbit.api.security.user.Group;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
import org.junit.Assert;
import org.junit.Test;

/* loaded from: input_file:org/apache/jackrabbit/oak/jcr/security/authorization/ReadTest.class */
public class ReadTest extends AbstractEvaluationTest {
    /**
     * Creates a chain of five nested nodes below {@code path} as superuser and verifies that
     * the test session holds exactly {@code readPrivileges} on the deepest node and passes
     * the "read" permission check for it.
     */
    @Test
    public void testChildNodes() throws Exception {
        Node deepest = superuser.getNode(path);
        int levelsLeft = 5;
        while (levelsLeft-- > 0) {
            // each pass nests one level deeper: the new node becomes the next parent
            deepest = deepest.addNode(nodeName4, testNodeType);
        }
        superuser.save();
        testSession.refresh(false);

        String deepestPath = deepest.getPath();
        Assert.assertArrayEquals(readPrivileges, testAcMgr.getPrivileges(deepestPath));
        // no assertion needed: checkPermission reports a missing permission by throwing
        testSession.checkPermission(deepestPath, "read");
    }

    /**
     * Verifies that the "read" permission check succeeds for a path below the root node that
     * does not exist, after asserting that the test session is read-only at the root.
     */
    @Test
    public void testNonExistingItem() throws Exception {
        String rootPath = testSession.getRootNode().getPath();
        assertReadOnly(rootPath);

        // the item name is appended directly, without adding a separator
        String missingItemPath = rootPath + "nonExistingItem";
        testSession.checkPermission(missingItemPath, "read");
    }

    /**
     * Denies read at {@code path}, allows it again at {@code childNPath} and fetches the child
     * through {@code Session.getItem}. The test passes when the lookup does not throw.
     */
    @Test
    public void testGetItem() throws Exception {
        deny(path, readPrivileges);
        allow(childNPath, readPrivileges);

        // the child must be retrievable although its parent is denied
        testSession.getItem(childNPath);
    }

    /**
     * Denies read at {@code path}, allows it at {@code childNPath} and checks that
     * {@code itemExists} hides the parent while reporting the child.
     */
    @Test
    public void testItemExists() throws Exception {
        deny(path, readPrivileges);
        allow(childNPath, readPrivileges);

        boolean parentVisible = testSession.itemExists(path);
        assertFalse(parentVisible);
        boolean childVisible = testSession.itemExists(childNPath);
        assertTrue(childVisible);
    }

    /**
     * Denies read on {@code childNPath} only and verifies that the parent and the sibling
     * {@code childNPath2} stay readable, while the denied node and the property at
     * {@code childchildPPath} are hidden from both the existence checks and the getters.
     */
    @Test
    public void testDeniedReadOnSubTree() throws Exception {
        deny(childNPath, readPrivileges);

        // the parent and the sibling node are not covered by the deny entry
        assertTrue(testSession.hasPermission(path, "read"));
        Node parent = testSession.getNode(path);
        testSession.getNode(childNPath2);
        assertTrue(parent.getProperties().hasNext());

        // the denied node: not reported as existing, and the getter fails like a missing path
        assertFalse(testSession.itemExists(childNPath));
        try {
            testSession.getNode(childNPath);
            fail("Read access has been denied -> cannot retrieve child node.");
        } catch (PathNotFoundException expected) {
            // success: the denied node is reported as not found
        }

        // same expectations for the property below the denied node
        assertFalse(testSession.itemExists(childchildPPath));
        try {
            testSession.getItem(childchildPPath);
            fail("Read access has been denied -> cannot retrieve prop below child node.");
        } catch (PathNotFoundException expected) {
            // success: the property below the denied node is reported as not found
        }
    }

    /**
     * Grants {@code repWritePrivileges} and then denies read at the same path; the node must
     * not be visible to the test session.
     */
    @Test
    public void testAllowWriteDenyRead() throws Exception {
        allow(path, repWritePrivileges);
        deny(path, readPrivileges);

        boolean visible = testSession.nodeExists(path);
        assertFalse(visible);
    }

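    /**
     * Denies read at the root node and verifies that the test session can no longer obtain
     * the root node.
     *
     * @throws Exception if writing the deny entry fails; that is a setup failure and must not
     *         be counted as the expected denial
     */
    @Test
    public void testDenyRoot() throws Exception {
        // Setup stays outside the try block: an exception thrown while writing the deny entry
        // would otherwise be swallowed by the catch and the test would pass without ever
        // checking access.
        deny("/", this.readPrivileges);
        try {
            this.testSession.getRootNode();
            fail("root should not be accessible");
        } catch (RepositoryException expected) {
            // success: the repository refused to hand out the root node.
            // NOTE(review): the concrete subtype is not asserted here; confirm which
            // exception the repository is expected to raise for a denied root.
        }
    }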

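    /**
     * Denies read at {@code path} and verifies that the test session cannot retrieve the node.
     *
     * @throws Exception if writing the deny entry fails; that is a setup failure and must not
     *         be counted as the expected denial
     */
    @Test
    public void testDenyPath() throws Exception {
        // Setup stays outside the try block so that a failure while writing the deny entry
        // fails the test instead of being mistaken for the expected lookup failure.
        deny(this.path, this.readPrivileges);
        try {
            this.testSession.getNode(this.path);
            fail("nodet should not be accessible");
        } catch (PathNotFoundException expected) {
            // success: same outcome testDeniedReadOnSubTree expects from getNode on a denied
            // node, which is reported as not found
        }
    }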

    /**
     * Denies read at {@code path} and re-allows it at {@code childNPath}; the parent must be
     * hidden, the child visible, and the child's node definition must be retrievable.
     */
    @Test
    public void testReadDenied() throws Exception {
        deny(path, readPrivileges);
        allow(childNPath, readPrivileges);

        assertFalse(testSession.nodeExists(path));
        assertTrue(testSession.nodeExists(childNPath));

        // getDefinition() must not throw although the parent node is not readable
        Node child = testSession.getNode(childNPath);
        child.getDefinition();
    }

    /**
     * Denies read for the test user, then allows it for the test group at the same path.
     * Expects the user-level deny to decide: the node is not visible.
     */
    @Test
    public void testDenyUserAllowGroup() throws Exception {
        Principal user = testUser.getPrincipal();
        deny(path, user, readPrivileges);

        Principal group = getTestGroup().getPrincipal();
        allow(path, group, readPrivileges);

        assertFalse(testSession.nodeExists(path));
    }

    /**
     * Allows read for the test group, then denies it for the test user at the same path.
     * Expects the user-level deny to decide: the node is not visible.
     */
    @Test
    public void testAllowGroupDenyUser() throws Exception {
        Principal group = getTestGroup().getPrincipal();
        allow(path, group, readPrivileges);

        Principal user = testUser.getPrincipal();
        deny(path, user, readPrivileges);

        assertFalse(testSession.nodeExists(path));
    }

    /**
     * Allows read for the test user, then denies it for the test group at the same path.
     * Expects the user-level allow to decide: the node is visible.
     */
    @Test
    public void testAllowUserDenyGroup() throws Exception {
        Principal user = testUser.getPrincipal();
        allow(path, user, readPrivileges);

        Principal group = getTestGroup().getPrincipal();
        deny(path, group, readPrivileges);

        assertTrue(testSession.nodeExists(path));
    }

    /**
     * Denies read for the test group, then allows it for the test user at the same path.
     * Expects the user-level allow to decide: the node is visible.
     */
    @Test
    public void testDenyGroupAllowUser() throws Exception {
        Principal group = getTestGroup().getPrincipal();
        deny(path, group, readPrivileges);

        Principal user = testUser.getPrincipal();
        allow(path, user, readPrivileges);

        assertTrue(testSession.nodeExists(path));
    }

    /**
     * Denies read for the test group and afterwards allows it for the everyone principal at
     * the same path. Expects the entry written last (the allow) to decide: the node is
     * visible.
     */
    @Test
    public void testDenyGroupAllowEveryone() throws Exception {
        Principal group = getTestGroup().getPrincipal();
        deny(path, group, readPrivileges);

        Principal everyone = EveryonePrincipal.getInstance();
        allow(path, everyone, readPrivileges);

        assertTrue(testSession.nodeExists(path));
    }

    /**
     * Allows read for the everyone principal and afterwards denies it for the test group at
     * the same path. Expects the entry written last (the deny) to decide: the node is not
     * visible.
     */
    @Test
    public void testAllowEveryoneDenyGroup() throws Exception {
        Principal everyone = EveryonePrincipal.getInstance();
        allow(path, everyone, readPrivileges);

        Principal group = getTestGroup().getPrincipal();
        deny(path, group, readPrivileges);

        assertFalse(testSession.nodeExists(path));
    }

    /**
     * Denies read for the test group and then allows it for the everyone principal, both at
     * {@code path}, and expects the child node to be visible.
     *
     * NOTE(review): the method name speaks of a child path, but the allow entry is written at
     * {@code path}, not at {@code childNPath}. As written this repeats the entries of
     * testDenyGroupAllowEveryone and only moves the assertion to the child; an allow placed
     * on the child below a denied parent is not exercised. Confirm the intended target.
     */
    @Test
    public void testDenyGroupPathAllowEveryoneChildPath() throws Exception {
        Principal group = getTestGroup().getPrincipal();
        deny(path, group, readPrivileges);

        Principal everyone = EveryonePrincipal.getInstance();
        allow(path, everyone, readPrivileges);

        assertTrue(testSession.nodeExists(childNPath));
    }

    /**
     * Allows read for the everyone principal at {@code path} and denies it for the test group
     * at {@code childNPath}; the child node must not be visible to the test session.
     */
    @Test
    public void testAllowEveryonePathDenyGroupChildPath() throws Exception {
        Principal everyone = EveryonePrincipal.getInstance();
        allow(path, everyone, readPrivileges);

        // the deny entry sits on the child itself, below the allowed parent
        Principal group = getTestGroup().getPrincipal();
        deny(childNPath, group, readPrivileges);

        assertFalse(testSession.nodeExists(childNPath));
    }

    /**
     * Allows read for the test user and then denies it for the test group, both at
     * {@code path}, and expects the child node to be visible.
     *
     * NOTE(review): the method name speaks of a child path, but the deny entry is written at
     * {@code path}, not at {@code childNPath}. A group deny placed on the child below a
     * user-level allow is therefore not exercised here. Confirm the intended target.
     */
    @Test
    public void testAllowUserPathDenyGroupChildPath() throws Exception {
        Principal user = testUser.getPrincipal();
        allow(path, user, readPrivileges);

        Principal group = getTestGroup().getPrincipal();
        deny(path, group, readPrivileges);

        assertTrue(testSession.nodeExists(childNPath));
    }

    /**
     * Denies read for the test group and then allows it for the test user, both at
     * {@code path}, and expects the child node to be visible.
     *
     * NOTE(review): the method name speaks of a child path, but the allow entry is written at
     * {@code path}, not at {@code childNPath}. A user allow placed on the child below a
     * group-level deny is therefore not exercised here. Confirm the intended target.
     */
    @Test
    public void testDenyGroupPathAllowUserChildPath() throws Exception {
        Principal group = getTestGroup().getPrincipal();
        deny(path, group, readPrivileges);

        Principal user = testUser.getPrincipal();
        allow(path, user, readPrivileges);

        assertTrue(testSession.nodeExists(childNPath));
    }

    /**
     * Denies read for the test user and then allows it for the test group, both at
     * {@code path}, and expects the child node to stay hidden.
     *
     * NOTE(review): the method name speaks of a child path, but the allow entry is written at
     * {@code path}, not at {@code childNPath}. A group allow placed on the child below a
     * user-level deny is therefore not exercised here. Confirm the intended target.
     */
    @Test
    public void testDenyUserPathAllowGroupChildPath() throws Exception {
        Principal user = testUser.getPrincipal();
        deny(path, user, readPrivileges);

        Principal group = getTestGroup().getPrincipal();
        allow(path, group, readPrivileges);

        assertFalse(testSession.nodeExists(childNPath));
    }

    /**
     * Allows read for the test group and then denies it for the test user, both at
     * {@code path}, and expects the child node to stay hidden.
     *
     * NOTE(review): the method name speaks of a child path, but the deny entry is written at
     * {@code path}, not at {@code childNPath}. A user deny placed on the child below a
     * group-level allow is therefore not exercised here. Confirm the intended target.
     */
    @Test
    public void testAllowGroupPathDenyUserChildPath() throws Exception {
        Principal group = getTestGroup().getPrincipal();
        allow(path, group, readPrivileges);

        Principal user = testUser.getPrincipal();
        deny(path, user, readPrivileges);

        assertFalse(testSession.nodeExists(childNPath));
    }

    /**
     * Denies read at {@code path} with a glob restriction built from
     * {@code "*&#47;" + jcrPrimaryType} and verifies that the nodes at {@code path} and
     * {@code childNPath} remain readable while the primary-type property of each is hidden.
     */
    @Test
    public void testGlobRestriction() throws Exception {
        deny(path, readPrivileges, createGlobRestriction("*/" + jcrPrimaryType));

        // the nodes themselves are unaffected by the restricted deny entry
        assertTrue(testAcMgr.hasPrivileges(path, readPrivileges));
        assertTrue(testSession.hasPermission(path, "read"));
        testSession.getNode(path);

        assertTrue(testAcMgr.hasPrivileges(childNPath, readPrivileges));
        assertTrue(testSession.hasPermission(childNPath, "read"));
        testSession.getNode(childNPath);

        // only the primary-type property of each node is expected to be denied
        String parentTypeProp = path + '/' + jcrPrimaryType;
        assertFalse(testSession.hasPermission(parentTypeProp, "read"));
        assertFalse(testSession.propertyExists(parentTypeProp));

        String childTypeProp = childNPath + '/' + jcrPrimaryType;
        assertFalse(testSession.hasPermission(childTypeProp, "read"));
        assertFalse(testSession.propertyExists(childTypeProp));
    }

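    /**
     * Evaluates read access for the combined principal set {test group, group2, group3} when
     * the restricted entry for the test group is written first, followed by an unrestricted
     * allow for group2 and an unrestricted deny for group3. Read is expected to be denied both
     * at {@code path} and at {@code childNPath}.
     *
     * <p>The two temporary groups are removed in a {@code finally} block, so the cleanup runs
     * exactly once whether the assertions pass or fail.
     */
    @Test
    public void testGlobRestriction2() throws Exception {
        Group group2 = getUserManager(this.superuser).createGroup(generateId("group2_"));
        Group group3 = getUserManager(this.superuser).createGroup(generateId("group3_"));
        this.superuser.save();
        try {
            // expanded-form name of the read privilege
            Privilege[] read = privilegesFromName("{http://www.jcp.org/jcr/1.0}read");

            // presumably 'true' is the isAllow flag of the helper; confirm against modify()
            modify(this.path, getTestGroup().getPrincipal(), read, true, createGlobRestriction("/*"));
            allow(this.path, group2.getPrincipal(), read);
            deny(this.path, group3.getPrincipal(), read);

            HashSet<Principal> principals = new HashSet<Principal>();
            principals.add(getTestGroup().getPrincipal());
            principals.add(group2.getPrincipal());
            principals.add(group3.getPrincipal());

            // evaluated through the superuser's access control manager for the given set
            assertFalse(this.acMgr.hasPrivileges(this.path, principals, read));
            assertFalse(this.acMgr.hasPrivileges(this.childNPath, principals, read));
        } finally {
            group2.remove();
            group3.remove();
            this.superuser.save();
        }
    }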

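    /**
     * Same principal set as testGlobRestriction2, but the restricted entry for the test group
     * is written last, after the unrestricted allow for group2 and the deny for group3. Read
     * is expected to be denied at {@code path} and granted at {@code childNPath}.
     *
     * <p>The two temporary groups are removed in a {@code finally} block, so the cleanup runs
     * exactly once whether the assertions pass or fail.
     */
    @Test
    public void testGlobRestriction3() throws Exception {
        Group group2 = getUserManager(this.superuser).createGroup(generateId("group2_"));
        Group group3 = getUserManager(this.superuser).createGroup(generateId("group3_"));
        this.superuser.save();
        try {
            // expanded-form name of the read privilege
            Privilege[] read = privilegesFromName("{http://www.jcp.org/jcr/1.0}read");

            allow(this.path, group2.getPrincipal(), read);
            deny(this.path, group3.getPrincipal(), read);
            // presumably 'true' is the isAllow flag of the helper; confirm against modify()
            modify(this.path, getTestGroup().getPrincipal(), read, true, createGlobRestriction("/*"));

            HashSet<Principal> principals = new HashSet<Principal>();
            principals.add(getTestGroup().getPrincipal());
            principals.add(group2.getPrincipal());
            principals.add(group3.getPrincipal());

            // only the entry order differs from testGlobRestriction2; the child flips to true
            assertFalse(this.acMgr.hasPrivileges(this.path, principals, read));
            assertTrue(this.acMgr.hasPrivileges(this.childNPath, principals, read));
        } finally {
            group2.remove();
            group3.remove();
            this.superuser.save();
        }
    }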

    /**
     * Adds node "a" below {@code path}, allows read at {@code path} and adds a deny entry
     * restricted to the glob "*&#47;anotherpath". Node "a" must stay reachable both by its
     * absolute path and through its parent.
     *
     * NOTE(review): there is no explicit superuser.save() after addNode; presumably the
     * allow/deny helpers persist the pending node. Confirm.
     */
    @Test
    public void testGlobRestriction4() throws Exception {
        Node created = superuser.getNode(path).addNode("a");
        allow(path, readPrivileges);
        deny(path, readPrivileges, createGlobRestriction("*/anotherpath"));

        String createdPath = created.getPath();
        assertTrue(testSession.nodeExists(createdPath));

        Node byPath = testSession.getNode(createdPath);
        Node parent = testSession.getNode(path);
        assertTrue(parent.hasNode("a"));
        // both access routes must lead to the same node
        assertTrue(byPath.isSame(parent.getNode("a")));
    }

    /**
     * Variant of testGlobRestriction4 that additionally grants {@code repWritePrivileges}
     * on the new node "a" itself; the node must stay reachable both by its absolute path and
     * through its parent.
     *
     * NOTE(review): there is no explicit superuser.save() after addNode; presumably the
     * allow/deny helpers persist the pending node. Confirm.
     */
    @Test
    public void testGlobRestriction5() throws Exception {
        Node created = superuser.getNode(path).addNode("a");
        allow(path, readPrivileges);
        deny(path, readPrivileges, createGlobRestriction("*/anotherpath"));
        // extra entry directly on the new node
        allow(created.getPath(), repWritePrivileges);

        String createdPath = created.getPath();
        assertTrue(testSession.nodeExists(createdPath));

        Node byPath = testSession.getNode(createdPath);
        Node parent = testSession.getNode(path);
        assertTrue(parent.hasNode("a"));
        // both access routes must lead to the same node
        assertTrue(byPath.isSame(parent.getNode("a")));
    }

    /**
     * Allows read at {@code path} and denies it again with the glob restriction "/*".
     * Expects the node at {@code path} to stay visible while its primary-type property, the
     * child node and the property at {@code childPPath} are hidden.
     */
    @Test
    public void testGlobRestriction6() throws Exception {
        // expanded-form name of the read privilege
        Privilege[] read = privilegesFromName("{http://www.jcp.org/jcr/1.0}read");
        allow(path, read);
        deny(path, read, createGlobRestriction("/*"));

        // the access-controlled node itself is not matched by the restricted deny
        assertTrue(testSession.nodeExists(path));

        // everything asserted below it is
        String typeProp = path + "/jcr:primaryType";
        assertFalse(testSession.propertyExists(typeProp));
        assertFalse(testSession.nodeExists(childNPath));
        assertFalse(testSession.propertyExists(childPPath));
    }

    /**
     * Checks an allow entry with an empty glob restriction placed on {@code childNPath} below
     * a denied parent: only the node at {@code childNPath} becomes readable, not its
     * properties and not the grandchild. An unrestricted allow on the grandchild then exposes
     * that node and its primary-type property.
     */
    @Test
    public void testEmptyGlobRestriction() throws Exception {
        String grandChildPath = superuser.getNode(childNPath).addNode("child").getPath();
        superuser.save();

        // baseline: with read denied at the top nothing in the subtree is readable
        deny(path, readPrivileges);
        assertFalse(canReadNode(testSession, path));
        assertFalse(canReadNode(testSession, childNPath));
        assertFalse(canReadNode(testSession, grandChildPath));
        assertFalse(testSession.propertyExists(childchildPPath));

        // allow with empty glob on the child: only that node is expected to open up
        allow(childNPath, readPrivileges, createGlobRestriction(""));
        assertFalse(canReadNode(testSession, path));
        assertTrue(canReadNode(testSession, childNPath));
        assertFalse(canReadNode(testSession, grandChildPath));
        assertFalse(testSession.propertyExists(childchildPPath));
        assertFalse(testSession.propertyExists(childNPath + "/jcr:primaryType"));

        // unrestricted allow on the grandchild: node and property become readable
        allow(grandChildPath, readPrivileges);
        assertTrue(canReadNode(testSession, grandChildPath));
        assertTrue(testSession.propertyExists(grandChildPath + "/jcr:primaryType"));
    }

    /**
     * Checks an allow entry with an empty glob restriction placed on {@code path} itself,
     * next to an unrestricted deny at the same path: only the node at {@code path} becomes
     * readable, while the child, the grandchild and the checked properties stay hidden.
     */
    @Test
    public void testEmptyGlobRestriction2() throws Exception {
        String grandChildPath = superuser.getNode(childNPath).addNode("child").getPath();
        superuser.save();

        // baseline: with read denied at the top nothing in the subtree is readable
        deny(path, readPrivileges);
        assertFalse(canReadNode(testSession, path));
        assertFalse(canReadNode(testSession, childNPath));
        assertFalse(canReadNode(testSession, grandChildPath));
        assertFalse(testSession.propertyExists(childchildPPath));

        // allow with empty glob at the top: only that node is expected to open up
        allow(path, readPrivileges, createGlobRestriction(""));
        assertTrue(canReadNode(testSession, path));
        assertFalse(canReadNode(testSession, childNPath));
        assertFalse(canReadNode(testSession, grandChildPath));
        assertFalse(testSession.propertyExists(childchildPPath));
        assertFalse(testSession.propertyExists(childNPath + "/jcr:primaryType"));
    }

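    /**
     * Combines a deny entry with an allow entry restricted by an empty glob for three groups:
     * the test group at {@code path}, group2 (test user is a declared member) at
     * {@code childNPath} and group3 (test user is not a member) at {@code childNPath2}. A
     * freshly logged-in session for {@code creds} must be able to read {@code path} and
     * {@code childNPath} but not {@code childNPath2}.
     *
     * <p>The extra session is logged out and the temporary groups are removed in a
     * {@code finally} block, so neither is left behind when an assertion fails.
     */
    @Test
    public void testEmptyGlobRestriction3() throws Exception {
        Group testGroup = getTestGroup();
        Group group2 = getUserManager(this.superuser).createGroup(generateId("group2_"));
        group2.addMember(this.testUser);
        Group group3 = getUserManager(this.superuser).createGroup(generateId("group3_"));
        this.superuser.save();

        Session userSession = null;
        try {
            // membership preconditions the expectations below rely on
            assertTrue(testGroup.isDeclaredMember(this.testUser));
            assertTrue(group2.isDeclaredMember(this.testUser));
            assertFalse(group3.isDeclaredMember(this.testUser));

            // per group: an unrestricted deny followed by an entry restricted to the empty
            // glob (presumably 'true' is the isAllow flag; confirm against modify())
            deny(this.path, testGroup.getPrincipal(), this.readPrivileges);
            modify(this.path, testGroup.getPrincipal(), this.readPrivileges, true, createGlobRestriction(""));
            deny(this.childNPath, group2.getPrincipal(), this.readPrivileges);
            modify(this.childNPath, group2.getPrincipal(), this.readPrivileges, true, createGlobRestriction(""));
            deny(this.childNPath2, group3.getPrincipal(), this.readPrivileges);
            modify(this.childNPath2, group3.getPrincipal(), this.readPrivileges, true, createGlobRestriction(""));

            // a new login is used instead of testSession
            userSession = getHelper().getRepository().login(this.creds);
            assertTrue(canReadNode(userSession, this.path));
            assertTrue(canReadNode(userSession, this.childNPath));
            assertFalse(canReadNode(userSession, this.childNPath2));
        } finally {
            // release the session opened above; it was previously never logged out
            if (userSession != null) {
                userSession.logout();
            }
            group2.remove();
            group3.remove();
            this.superuser.save();
        }
    }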

    /**
     * Writes alternating allow/deny read entries for the test user and the test group at
     * {@code path} and, after each of the first four changes, checks through
     * {@code assertEntry} the position and allow flag recorded for the test user.
     *
     * NOTE(review): the final allow for the test user is not followed by an assertion; it
     * only verifies that the call does not throw.
     */
    @Test
    public void testImplicitReorder() throws Exception {
        Principal user = testUser.getPrincipal();
        allow(path, user, readPrivileges);
        assertEntry(0, true);

        Principal group = getTestGroup().getPrincipal();
        allow(path, group, readPrivileges);
        assertEntry(0, true);

        // the user's entry is expected at index 1 after the user-level deny
        deny(path, testUser.getPrincipal(), readPrivileges);
        assertEntry(1, false);

        // and back at index 0 once the group entry has been rewritten as a deny
        deny(path, getTestGroup().getPrincipal(), readPrivileges);
        assertEntry(0, false);

        allow(path, testUser.getPrincipal(), readPrivileges);
    }

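    /**
     * Adds a child node below {@code path}, denies "jcr:read" on it and verifies that the
     * child is left out when the test session iterates the parent's child nodes.
     */
    @Test
    public void testChildNodesWithAccessCheck() throws Exception {
        Node denied = this.superuser.getNode(this.path).addNode("nodeToDeny");
        this.superuser.save();
        deny(denied.getPath(), privilegesFromName("jcr:read"));

        // collect the names the test session can see; typed set instead of a raw HashSet
        HashSet<String> visibleNames = new HashSet<String>();
        NodeIterator children = this.testSession.getNode(this.path).getNodes();
        while (children.hasNext()) {
            visibleNames.add(children.nextNode().getName());
        }

        // the denied child must not leak through the parent's child listing
        assertFalse(visibleNames.contains("nodeToDeny"));
    }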

    /**
     * Checks the test user's entry in two places: the ACL entry at position {@code i} of the
     * list on {@code path} must belong to the test user, and every {@code rep:Permissions}
     * node in the test user's subtree of the default permission store whose
     * {@code rep:accessControlledPath} equals {@code path} must carry {@code rep:index == i}
     * and {@code rep:isAllow == z}.
     *
     * NOTE(review): when the traversal finds no matching {@code rep:Permissions} node, none
     * of the store assertions run and this check passes without having verified the store.
     *
     * @param i expected position of the entry, used for the ACL array and for rep:index
     * @param z expected value of rep:isAllow
     * @throws RepositoryException if reading the ACL or the permission store fails
     */
    private void assertEntry(final int i, final boolean z) throws RepositoryException {
        Principal expectedOwner = this.testUser.getPrincipal();
        Principal actualOwner = AccessControlUtils.getAccessControlList(this.superuser, this.path)
                .getAccessControlEntries()[i].getPrincipal();
        assertEquals(expectedOwner, actualOwner);

        // breadth-first traversal, maxLevel -1
        TraversingItemVisitor storeCheck = new TraversingItemVisitor.Default(true, -1) {
            protected void entering(Node node, int level) throws RepositoryException {
                if (!node.isNodeType("rep:Permissions")) {
                    return;
                }
                if (!node.hasProperty("rep:accessControlledPath")) {
                    return;
                }
                String controlledPath = node.getProperty("rep:accessControlledPath").getString();
                if (!ReadTest.this.path.equals(controlledPath)) {
                    // entry belongs to another access-controlled path
                    return;
                }
                junit.framework.Assert.assertEquals(i, node.getProperty("rep:index").getLong());
                junit.framework.Assert.assertEquals(z, node.getProperty("rep:isAllow").getBoolean());
            }
        };

        String userStorePath = "/jcr:system/rep:permissionStore/default/" + this.testUser.getPrincipal().getName();
        storeCheck.visit(this.superuser.getNode(userStorePath));
    }
}
