package org.apache.jackrabbit.oak.security.authorization.permission;

import java.security.Principal;
import java.util.Set;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.guava.common.collect.ImmutableList;
import org.apache.jackrabbit.guava.common.collect.ImmutableSet;
import org.apache.jackrabbit.oak.AbstractSecurityTest;
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.api.ContentSession;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.api.Type;
import org.apache.jackrabbit.oak.commons.PathUtils;
import org.apache.jackrabbit.oak.plugins.identifier.IdentifierManagerTest;
import org.apache.jackrabbit.oak.plugins.memory.PropertyStates;
import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
import org.apache.jackrabbit.oak.security.authorization.ProviderCtx;
import org.apache.jackrabbit.oak.security.authorization.monitor.AuthorizationMonitor;
import org.apache.jackrabbit.oak.spi.commit.MoveTracker;
import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
import org.apache.jackrabbit.oak.spi.state.NodeState;
import org.jetbrains.annotations.NotNull;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.mockito.Mockito;

/* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/permission/PermissionValidatorTest.class */
public class PermissionValidatorTest extends AbstractSecurityTest {
    private static final String TEST_ROOT_PATH = "/testRoot";
    private static final String TEST_CHILD_PATH = "/testRoot/child";
    private Principal testPrincipal;
    private final AuthorizationMonitor monitor = (AuthorizationMonitor) Mockito.mock(AuthorizationMonitor.class);

    @Override // org.apache.jackrabbit.oak.AbstractSecurityTest
    @Before
    public void before() throws Exception {
        super.before();
        TreeUtil.addChild(TreeUtil.addChild(this.root.getTree(IdentifierManagerTest.ID_ROOT), "testRoot", "nt:unstructured"), "child", "nt:unstructured");
        this.root.commit();
        this.testPrincipal = getTestUser().getPrincipal();
    }

    @Override // org.apache.jackrabbit.oak.AbstractSecurityTest
    @After
    public void after() throws Exception {
        try {
            Mockito.clearInvocations(new AuthorizationMonitor[]{this.monitor});
            this.root.refresh();
            this.root.getTree(TEST_ROOT_PATH).remove();
            this.root.commit();
        } finally {
            super.after();
        }
    }

    private void grant(@NotNull String... strArr) throws Exception {
        JackrabbitAccessControlManager accessControlManager = getAccessControlManager(this.root);
        JackrabbitAccessControlList accessControlList = AccessControlUtils.getAccessControlList(accessControlManager, TEST_ROOT_PATH);
        accessControlList.addEntry(this.testPrincipal, AccessControlUtils.privilegesFromNames(accessControlManager, strArr), true);
        accessControlManager.setPolicy(TEST_ROOT_PATH, accessControlList);
        this.root.commit();
    }

    @NotNull
    private ProviderCtx mockProviderCtx() {
        ProviderCtx providerCtx = (ProviderCtx) Mockito.mock(ProviderCtx.class);
        Mockito.when(providerCtx.getSecurityProvider()).thenReturn(getSecurityProvider());
        Mockito.when(providerCtx.getTreeProvider()).thenReturn(getTreeProvider());
        Mockito.when(providerCtx.getMonitor()).thenReturn(this.monitor);
        return providerCtx;
    }

    private PermissionValidator createValidator(@NotNull Set<Principal> set, @NotNull String str) {
        Tree tree = this.root.getTree(IdentifierManagerTest.ID_ROOT);
        NodeState asNodeState = getTreeProvider().asNodeState(tree);
        String workspaceName = this.root.getContentSession().getWorkspaceName();
        PermissionProvider permissionProvider = ((AuthorizationConfiguration) getConfig(AuthorizationConfiguration.class)).getPermissionProvider(this.root, workspaceName, set);
        PermissionValidator permissionValidator = new PermissionValidator(asNodeState, asNodeState, permissionProvider, new PermissionValidatorProvider(workspaceName, set, new MoveTracker(), mockProviderCtx()));
        TreePermission treePermission = permissionProvider.getTreePermission(tree, TreePermission.EMPTY);
        for (String str2 : PathUtils.elements(str)) {
            tree = tree.getChild(str2);
            asNodeState = asNodeState.getChildNode(str2);
            treePermission = treePermission.getChildPermission(str2, asNodeState);
            permissionValidator = new PermissionValidator(tree, tree, treePermission, permissionValidator);
        }
        return permissionValidator;
    }

    private void verifyMonitor() {
        ((AuthorizationMonitor) Mockito.verify(this.monitor)).accessViolation();
        Mockito.verifyNoMoreInteractions(new Object[]{this.monitor});
    }

    @Test(expected = CommitFailedException.class)
    public void testLockPermissions() throws Exception {
        grant("jcr:read", "rep:write");
        try {
            ContentSession createTestSession = createTestSession();
            try {
                Root latestRoot = createTestSession.getLatestRoot();
                latestRoot.getTree(TEST_CHILD_PATH).setProperty(PropertyStates.createProperty("jcr:lockOwner", "lockOwner"));
                latestRoot.commit();
                if (createTestSession != null) {
                    createTestSession.close();
                }
            } finally {
            }
        } catch (CommitFailedException e) {
            Assert.assertTrue(e.isAccessViolation());
            Assert.assertEquals(0L, e.getCode());
            throw e;
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testRepositoryPermissionsNamespaces() throws Exception {
        try {
            try {
                ContentSession createTestSession = createTestSession();
                try {
                    createValidator(createTestSession.getAuthInfo().getPrincipals(), "/jcr:system/rep:namespaces").childNodeAdded("any", (NodeState) Mockito.mock(NodeState.class));
                    if (createTestSession != null) {
                        createTestSession.close();
                    }
                } catch (Throwable th) {
                    if (createTestSession != null) {
                        try {
                            createTestSession.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            } finally {
                verifyMonitor();
            }
        } catch (CommitFailedException e) {
            Assert.assertTrue(e.isAccessViolation());
            Assert.assertEquals(0L, e.getCode());
            throw e;
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testRepositoryPermissionsNodeTypes() throws Exception {
        try {
            try {
                ContentSession createTestSession = createTestSession();
                try {
                    createValidator(createTestSession.getAuthInfo().getPrincipals(), "/jcr:system/jcr:nodeTypes").childNodeDeleted("any", (NodeState) Mockito.mock(NodeState.class));
                    if (createTestSession != null) {
                        createTestSession.close();
                    }
                } catch (Throwable th) {
                    if (createTestSession != null) {
                        try {
                            createTestSession.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            } finally {
                verifyMonitor();
            }
        } catch (CommitFailedException e) {
            Assert.assertTrue(e.isAccessViolation());
            Assert.assertEquals(0L, e.getCode());
            throw e;
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testRepositoryPermissionsPrivileges() throws Exception {
        try {
            try {
                ContentSession createTestSession = createTestSession();
                try {
                    createValidator(createTestSession.getAuthInfo().getPrincipals(), "/jcr:system/rep:privileges").propertyAdded(PropertyStates.createProperty("any", "value"));
                    if (createTestSession != null) {
                        createTestSession.close();
                    }
                } catch (Throwable th) {
                    if (createTestSession != null) {
                        try {
                            createTestSession.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            } catch (CommitFailedException e) {
                Assert.assertTrue(e.isAccessViolation());
                Assert.assertEquals(0L, e.getCode());
                throw e;
            }
        } finally {
            verifyMonitor();
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testRemoveVersionStorageTree() throws Exception {
        Tree tree = this.root.getTree(IdentifierManagerTest.ID_ROOT);
        NodeState asNodeState = getTreeProvider().asNodeState(tree);
        PermissionValidator permissionValidator = new PermissionValidator(asNodeState, asNodeState, (PermissionProvider) Mockito.mock(PermissionProvider.class), new PermissionValidatorProvider("wspName", ImmutableSet.of(), new MoveTracker(), mockProviderCtx()));
        for (String str : PathUtils.elements("/jcr:system/jcr:versionStorage")) {
            try {
                tree = tree.getChild(str);
                asNodeState = asNodeState.getChildNode(str);
                permissionValidator = new PermissionValidator(tree, tree, TreePermission.EMPTY, permissionValidator);
            } catch (Throwable th) {
                verifyMonitor();
                throw th;
            }
        }
        try {
            TreeUtil.addChild(tree, "any", "rep:versionStorage");
            permissionValidator.childNodeDeleted("any", (NodeState) Mockito.mock(NodeState.class));
            verifyMonitor();
        } catch (CommitFailedException e) {
            Assert.assertTrue(e.isAccessViolation());
            Assert.assertEquals(22L, e.getCode());
            throw e;
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testAddVersionStorageTreeWithoutHistory() throws Exception {
        PermissionValidator createValidator = createValidator(ImmutableSet.of(), "/jcr:system/jcr:versionStorage");
        try {
            try {
                TreeUtil.addChild(this.root.getTree("/jcr:system/jcr:versionStorage"), "any", "rep:versionStorage");
                createValidator.childNodeAdded("any", (NodeState) Mockito.mock(NodeState.class));
                verifyMonitor();
            } catch (CommitFailedException e) {
                Assert.assertTrue(e.isAccessViolation());
                Assert.assertEquals(21L, e.getCode());
                throw e;
            }
        } catch (Throwable th) {
            verifyMonitor();
            throw th;
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testAddVersionStorageTreeUnexpectedNode() throws Exception {
        PermissionValidator createValidator = createValidator(ImmutableSet.of(), "/jcr:system/jcr:versionStorage");
        try {
            try {
                TreeUtil.addChild(TreeUtil.addChild(this.root.getTree("/jcr:system/jcr:versionStorage"), "any", "rep:versionStorage"), "unexpected", "nt:unstructured");
                createValidator.childNodeAdded("any", (NodeState) Mockito.mock(NodeState.class));
                Mockito.verifyNoInteractions(new Object[]{this.monitor});
            } catch (CommitFailedException e) {
                Assert.assertTrue(e.isOfType("Misc"));
                Assert.assertEquals(0L, e.getCode());
                throw e;
            }
        } catch (Throwable th) {
            Mockito.verifyNoInteractions(new Object[]{this.monitor});
            throw th;
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testChangePrimaryTypeToPolicyNode() throws Exception {
        grant("jcr:read", "jcr:readAccessControl", "rep:write");
        TreeUtil.addChild(this.root.getTree(TEST_CHILD_PATH), "rep:policy", "nt:unstructured");
        this.root.commit();
        try {
            ContentSession createTestSession = createTestSession();
            try {
                Root latestRoot = createTestSession.getLatestRoot();
                Tree tree = latestRoot.getTree(TEST_CHILD_PATH);
                tree.setProperty(PropertyStates.createProperty("jcr:mixinTypes", ImmutableList.of("rep:AccessControllable"), Type.NAMES));
                Tree child = tree.getChild("rep:policy");
                child.setOrderableChildren(true);
                child.setProperty("jcr:primaryType", "rep:ACL", Type.NAME);
                latestRoot.commit();
                if (createTestSession != null) {
                    createTestSession.close();
                }
            } finally {
            }
        } catch (CommitFailedException e) {
            Assert.assertTrue(e.isAccessViolation());
            Assert.assertEquals(0L, e.getCode());
            throw e;
        }
    }

    @Test
    public void testAddImmutablePropertyWithDeclaringMixin() throws Exception {
        grant("jcr:read", "jcr:nodeTypeManagement");
        ContentSession createTestSession = createTestSession();
        try {
            Root latestRoot = createTestSession.getLatestRoot();
            Tree tree = latestRoot.getTree(TEST_ROOT_PATH);
            TreeUtil.addMixin(tree, "mix:created", this.root.getTree("/jcr:system/jcr:nodeTypes"), "uid");
            Assert.assertTrue(tree.hasProperty("jcr:createdBy"));
            Assert.assertTrue(tree.hasProperty("jcr:created"));
            latestRoot.commit();
            if (createTestSession != null) {
                createTestSession.close();
            }
        } catch (Throwable th) {
            if (createTestSession != null) {
                try {
                    createTestSession.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testAddImmutablePropertyWithoutDeclaringMixin() throws Exception {
        grant("jcr:read");
        try {
            ContentSession createTestSession = createTestSession();
            try {
                Root latestRoot = createTestSession.getLatestRoot();
                Tree tree = latestRoot.getTree(TEST_ROOT_PATH);
                tree.setProperty(PropertyStates.createProperty("jcr:created", "mixCreatedIsMissing", Type.DATE));
                tree.setProperty(PropertyStates.createProperty("jcr:createdBy", "mixCreatedIsMissing", Type.STRING));
                latestRoot.commit();
                if (createTestSession != null) {
                    createTestSession.close();
                }
            } finally {
            }
        } catch (CommitFailedException e) {
            Assert.assertTrue(e.isAccessViolation());
            Assert.assertEquals(0L, e.getCode());
            throw e;
        }
    }

    @Test(expected = CommitFailedException.class)
    public void testChangeImmutableProperty() throws Exception {
        TreeUtil.addMixin(this.root.getTree(TEST_ROOT_PATH), "mix:created", this.root.getTree("/jcr:system/jcr:nodeTypes"), "uid");
        grant("jcr:read", "jcr:modifyProperties");
        try {
            ContentSession createTestSession = createTestSession();
            try {
                Root latestRoot = createTestSession.getLatestRoot();
                latestRoot.getTree(TEST_ROOT_PATH).setProperty(PropertyStates.createProperty("jcr:createdBy", "anotherUid", Type.STRING));
                latestRoot.commit();
                if (createTestSession != null) {
                    createTestSession.close();
                }
            } finally {
            }
        } catch (CommitFailedException e) {
            Assert.assertTrue(e.isAccessViolation());
            Assert.assertEquals(0L, e.getCode());
            throw e;
        }
    }
}
