package org.apache.jackrabbit.oak.security.authorization.restriction;

import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.jcr.Value;
import javax.jcr.ValueFactory;
import javax.jcr.security.AccessControlException;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.guava.common.collect.ImmutableList;
import org.apache.jackrabbit.guava.common.collect.ImmutableSet;
import org.apache.jackrabbit.guava.common.collect.Maps;
import org.apache.jackrabbit.oak.AbstractSecurityTest;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.plugins.identifier.IdentifierManagerTest;
import org.apache.jackrabbit.oak.plugins.memory.PropertyStates;
import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.CompositePattern;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.CompositeRestrictionProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.Restriction;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionDefinition;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionDefinitionImpl;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionImpl;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionPattern;
import org.apache.jackrabbit.oak.spi.security.authorization.restriction.RestrictionProvider;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.Parameterized;
import org.mockito.Mockito;

@RunWith(Parameterized.class)
/* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/restriction/RestrictionProviderImplTest.class */
public class RestrictionProviderImplTest extends AbstractSecurityTest implements AccessControlConstants {
    private static final String TEST_RESTR_NAME = "test";
    private final boolean asComposite;
    private RestrictionProvider provider;

    @Parameterized.Parameters(name = "name={1}")
    public static Collection<Object[]> parameters() {
        return Arrays.asList(new Object[]{false, "RestrictionProviderImpl as singular provider"}, new Object[]{true, "RestrictionProviderImpl as part of a composite restriction provider"});
    }

    public RestrictionProviderImplTest(boolean z, String str) {
        this.asComposite = z;
    }

    @Override // org.apache.jackrabbit.oak.AbstractSecurityTest
    @Before
    public void before() throws Exception {
        super.before();
        RestrictionProvider restrictionProviderImpl = new RestrictionProviderImpl();
        if (this.asComposite) {
            this.provider = CompositeRestrictionProvider.newInstance(new RestrictionProvider[]{restrictionProviderImpl, new TestProvider(Collections.singletonMap(TEST_RESTR_NAME, new RestrictionDefinitionImpl(TEST_RESTR_NAME, Type.STRING, false)))});
        } else {
            this.provider = restrictionProviderImpl;
        }
    }

    @Test
    public void testGetSupportedDefinitions() {
        Assert.assertTrue(this.provider.getSupportedRestrictions((String) null).isEmpty());
        Set<RestrictionDefinition> supportedRestrictions = this.provider.getSupportedRestrictions("/testPath");
        Assert.assertNotNull(supportedRestrictions);
        Assert.assertEquals(this.asComposite ? 8 : 7, supportedRestrictions.size());
        ImmutableSet of = ImmutableSet.of("rep:prefixes", "rep:current", "rep:globs", "rep:subtrees");
        for (RestrictionDefinition restrictionDefinition : supportedRestrictions) {
            if ("rep:glob".equals(restrictionDefinition.getName())) {
                Assert.assertEquals(Type.STRING, restrictionDefinition.getRequiredType());
                Assert.assertFalse(restrictionDefinition.isMandatory());
            } else if ("rep:ntNames".equals(restrictionDefinition.getName())) {
                Assert.assertEquals(Type.NAMES, restrictionDefinition.getRequiredType());
                Assert.assertFalse(restrictionDefinition.isMandatory());
            } else if ("rep:itemNames".equals(restrictionDefinition.getName())) {
                Assert.assertEquals(Type.NAMES, restrictionDefinition.getRequiredType());
                Assert.assertFalse(restrictionDefinition.isMandatory());
            } else if (of.contains(restrictionDefinition.getName())) {
                Assert.assertEquals(Type.STRINGS, restrictionDefinition.getRequiredType());
                Assert.assertFalse(restrictionDefinition.isMandatory());
            } else if (this.asComposite) {
                Assert.assertEquals(TEST_RESTR_NAME, restrictionDefinition.getName());
            } else {
                Assert.fail("unexpected restriction " + restrictionDefinition.getName());
            }
        }
    }

    @Test
    public void testGetRestrictionPattern() throws Exception {
        HashMap newHashMap = Maps.newHashMap();
        newHashMap.put(PropertyStates.createProperty("rep:glob", "/*/jcr:content"), GlobPattern.create("/testPath", "/*/jcr:content"));
        ImmutableList of = ImmutableList.of("nt:folder", "nt:linkedFile");
        newHashMap.put(PropertyStates.createProperty("rep:ntNames", of, Type.NAMES), new NodeTypePattern(of));
        Tree addChild = TreeUtil.addChild(TreeUtil.getOrAddChild(this.root.getTree(IdentifierManagerTest.ID_ROOT), "testPath", "nt:unstructured"), "rep:restrictions", "rep:Restrictions");
        for (Map.Entry entry : newHashMap.entrySet()) {
            addChild.setProperty((PropertyState) entry.getKey());
            Assert.assertEquals(entry.getValue(), this.provider.getPattern("/testPath", addChild));
            addChild.removeProperty(((PropertyState) entry.getKey()).getName());
        }
        Iterator it = newHashMap.entrySet().iterator();
        while (it.hasNext()) {
            addChild.setProperty((PropertyState) ((Map.Entry) it.next()).getKey());
        }
        Assert.assertTrue(this.provider.getPattern("/testPath", addChild) instanceof CompositePattern);
    }

    @Test
    public void testGetPatternForAllSupported() throws Exception {
        HashMap newHashMap = Maps.newHashMap();
        newHashMap.put(PropertyStates.createProperty("rep:glob", "/*/jcr:content"), GlobPattern.create("/testPath", "/*/jcr:content"));
        ImmutableList of = ImmutableList.of("nt:folder", "nt:linkedFile");
        newHashMap.put(PropertyStates.createProperty("rep:ntNames", of, Type.NAMES), new NodeTypePattern(of));
        ImmutableList of2 = ImmutableList.of("rep", "jcr");
        newHashMap.put(PropertyStates.createProperty("rep:prefixes", of2, Type.STRINGS), new PrefixPattern(of2));
        newHashMap.put(PropertyStates.createProperty("rep:itemNames", of2, Type.NAMES), new ItemNamePattern(ImmutableList.of("abc", "jcr:primaryType")));
        ImmutableList of3 = ImmutableList.of("jcr:mixinTypes", "jcr:primaryType");
        newHashMap.put(PropertyStates.createProperty("rep:current", of3, Type.STRINGS), new CurrentPattern("/testPath", of3));
        List singletonList = Collections.singletonList("/*/jcr:content");
        newHashMap.put(PropertyStates.createProperty("rep:globs", singletonList, Type.STRINGS), new GlobsPattern("/testPath", singletonList));
        ImmutableList of4 = ImmutableList.of("/sub/tree", "/a/b/c/");
        newHashMap.put(PropertyStates.createProperty("rep:subtrees", of4, Type.STRINGS), new SubtreePattern("/testPath", of4));
        Tree addChild = TreeUtil.addChild(TreeUtil.getOrAddChild(this.root.getTree(IdentifierManagerTest.ID_ROOT), "testPath", "nt:unstructured"), "rep:restrictions", "rep:Restrictions");
        Iterator it = newHashMap.entrySet().iterator();
        while (it.hasNext()) {
            addChild.setProperty((PropertyState) ((Map.Entry) it.next()).getKey());
        }
        Assert.assertTrue(this.provider.getPattern("/testPath", addChild) instanceof CompositePattern);
    }

    @Test
    public void testGetPatternFromRestrictions() throws Exception {
        HashMap newHashMap = Maps.newHashMap();
        newHashMap.put(PropertyStates.createProperty("rep:glob", "/*/jcr:content"), GlobPattern.create("/testPath", "/*/jcr:content"));
        ImmutableList of = ImmutableList.of("nt:folder", "nt:linkedFile");
        newHashMap.put(PropertyStates.createProperty("rep:ntNames", of, Type.NAMES), new NodeTypePattern(of));
        ImmutableList of2 = ImmutableList.of("rep", "jcr");
        newHashMap.put(PropertyStates.createProperty("rep:prefixes", of2, Type.STRINGS), new PrefixPattern(of2));
        ImmutableList of3 = ImmutableList.of("abc", "jcr:primaryType");
        newHashMap.put(PropertyStates.createProperty("rep:itemNames", of3, Type.NAMES), new ItemNamePattern(of3));
        ImmutableList of4 = ImmutableList.of("*");
        newHashMap.put(PropertyStates.createProperty("rep:current", of4, Type.STRINGS), new CurrentPattern("/testPath", of4));
        List singletonList = Collections.singletonList("/*/jcr:content");
        newHashMap.put(PropertyStates.createProperty("rep:globs", singletonList, Type.STRINGS), new GlobsPattern("/testPath", singletonList));
        ImmutableList of5 = ImmutableList.of("/sub/tree", "/a/b/c/");
        newHashMap.put(PropertyStates.createProperty("rep:subtrees", of5, Type.STRINGS), new SubtreePattern("/testPath", of5));
        Tree orAddChild = TreeUtil.getOrAddChild(this.root.getTree(IdentifierManagerTest.ID_ROOT), "testPath", "nt:unstructured");
        Tree addChild = TreeUtil.addChild(orAddChild, "rep:restrictions", "rep:Restrictions");
        for (Map.Entry entry : newHashMap.entrySet()) {
            addChild.setProperty((PropertyState) entry.getKey());
            Assert.assertEquals(entry.getValue(), this.provider.getPattern("/testPath", this.provider.readRestrictions("/testPath", orAddChild)));
            addChild.removeProperty(((PropertyState) entry.getKey()).getName());
        }
        Iterator it = newHashMap.entrySet().iterator();
        while (it.hasNext()) {
            addChild.setProperty((PropertyState) ((Map.Entry) it.next()).getKey());
        }
        Assert.assertTrue(this.provider.getPattern("/testPath", this.provider.readRestrictions("/testPath", orAddChild)) instanceof CompositePattern);
    }

    @Test
    public void testGetPatternFromInvalidRestrictionSet() {
        Assert.assertSame(RestrictionPattern.EMPTY, this.provider.getPattern("/testPath", Collections.singleton(new RestrictionImpl(PropertyStates.createProperty(IdentifierManagerTest.ID_INVALID, Collections.singleton("value"), Type.STRINGS), false))));
    }

    @Test
    public void testGetPatternFromTreeNullPath() {
        Assert.assertSame(RestrictionPattern.EMPTY, this.provider.getPattern((String) null, (Tree) Mockito.mock(Tree.class)));
    }

    @Test
    public void testGetPatternFromRestrictionsNullPath() {
        Assert.assertSame(RestrictionPattern.EMPTY, this.provider.getPattern((String) null, ImmutableSet.of((Restriction) Mockito.mock(Restriction.class))));
    }

    @Test
    public void testGetPatternFromEmptyRestrictions() {
        Assert.assertSame(RestrictionPattern.EMPTY, this.provider.getPattern("/testPath", ImmutableSet.of()));
    }

    @Test(expected = AccessControlException.class)
    public void testValidateGlobRestriction() throws Exception {
        Tree orAddChild = TreeUtil.getOrAddChild(this.root.getTree(IdentifierManagerTest.ID_ROOT), "testTree", "nt:unstructured");
        String path = orAddChild.getPath();
        JackrabbitAccessControlManager accessControlManager = getAccessControlManager(this.root);
        for (String str : ImmutableList.of("/1*/2*/3*/4*/5*/6*/7*/8*/9*/10*/11*/12*/13*/14*/15*/16*/17*/18*/19*/20*/21*", "*********************")) {
            JackrabbitAccessControlList accessControlList = AccessControlUtils.getAccessControlList(accessControlManager, path);
            accessControlList.addEntry(getTestUser().getPrincipal(), AccessControlUtils.privilegesFromNames(accessControlManager, new String[]{"jcr:read"}), true, Collections.singletonMap("rep:glob", getValueFactory().createValue(str)));
            accessControlManager.setPolicy(path, accessControlList);
            try {
                this.provider.validateRestrictions(path, orAddChild.getChild("rep:policy").getChild("allow"));
                accessControlManager.removePolicy(path, accessControlList);
            } catch (Throwable th) {
                accessControlManager.removePolicy(path, accessControlList);
                throw th;
            }
        }
    }

    @Test(expected = AccessControlException.class)
    public void testValidateMvGlobRestriction() throws Exception {
        Tree orAddChild = TreeUtil.getOrAddChild(this.root.getTree(IdentifierManagerTest.ID_ROOT), "testTree", "nt:unstructured");
        String path = orAddChild.getPath();
        JackrabbitAccessControlManager accessControlManager = getAccessControlManager(this.root);
        ValueFactory valueFactory = getValueFactory(this.root);
        JackrabbitAccessControlList accessControlList = AccessControlUtils.getAccessControlList(accessControlManager, path);
        accessControlList.addEntry(getTestUser().getPrincipal(), AccessControlUtils.privilegesFromNames(accessControlManager, new String[]{"jcr:read"}), true, Collections.emptyMap(), Collections.singletonMap("rep:globs", new Value[]{valueFactory.createValue("/1*/2*/3*/4*/5*/6*/7*/8*/9*/10*/11*/12*/13*/14*/15*/16*/17*/18*/19*/20*/21*"), valueFactory.createValue("*********************")}));
        accessControlManager.setPolicy(path, accessControlList);
        try {
            this.provider.validateRestrictions(path, orAddChild.getChild("rep:policy").getChild("allow"));
            accessControlManager.removePolicy(path, accessControlList);
        } catch (Throwable th) {
            accessControlManager.removePolicy(path, accessControlList);
            throw th;
        }
    }
}
