package org.apache.jackrabbit.oak.security.authorization.permission;

import java.security.Principal;
import java.util.Iterator;
import javax.jcr.Credentials;
import javax.security.auth.Subject;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.guava.common.collect.ImmutableSet;
import org.apache.jackrabbit.oak.AbstractSecurityTest;
import org.apache.jackrabbit.oak.api.ContentSession;
import org.apache.jackrabbit.oak.api.PropertyState;
import org.apache.jackrabbit.oak.api.Root;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.commons.PathUtils;
import org.apache.jackrabbit.oak.plugins.identifier.IdentifierManagerTest;
import org.apache.jackrabbit.oak.plugins.memory.EmptyNodeState;
import org.apache.jackrabbit.oak.plugins.memory.PropertyStates;
import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.authorization.accesscontrol.AccessControlConstants;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.TreePermission;
import org.apache.jackrabbit.oak.spi.security.principal.EveryonePrincipal;
import org.jetbrains.annotations.NotNull;
import org.junit.Assert;
import org.junit.Test;

/* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/permission/RepoPolicyTreePermissionTest.class */
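/**
 * Checks the {@link TreePermission} that the permission provider returns for the
 * repository-level policy tree at {@code /rep:repoPolicy}.
 *
 * <p>Setup writes a policy at the {@code null} path with two entries: the test user gets
 * {@code jcr:namespaceManagement} and {@code jcr:readAccessControl}, and the everyone
 * principal gets {@code jcr:read}. Every positive test run with the test user's session
 * has a negative twin (suffix {@code 2}) run with a session that holds only the everyone
 * principal. The twins assert that {@code jcr:read} alone does not make the policy tree,
 * its entry nodes or their properties readable.
 */
public class RepoPolicyTreePermissionTest extends AbstractSecurityTest implements AccessControlConstants {
    private static final String REPO_POLICY_PATH = "/rep:repoPolicy";

    // Raw permission bits exactly as they appear in this listing.
    // NOTE(review): presumably Permissions.NAMESPACE_MANAGEMENT and
    // Permissions.WORKSPACE_MANAGEMENT - confirm against the Permissions interface and
    // reference those constants directly once confirmed.
    private static final long PERM_NAMESPACE_MGMT = 65536L;
    private static final long PERM_WORKSPACE_MGMT = 131072L;
    private static final long PERM_NAMESPACE_AND_WORKSPACE_MGMT = PERM_NAMESPACE_MGMT | PERM_WORKSPACE_MGMT;

    private AuthorizationConfiguration config;
    // Session of the test user, who is granted jcr:readAccessControl at the null path.
    private ContentSession accessSession;
    // Session whose subject carries only the everyone principal (jcr:read at the null path).
    private ContentSession noAccessSession;

    /**
     * Installs the repository-level policy and opens the two sessions under test.
     *
     * @throws Exception if the policy cannot be written or a session cannot be opened
     */
    @Override
    public void before() throws Exception {
        super.before();
        Principal testPrincipal = getTestUser().getPrincipal();
        JackrabbitAccessControlManager acMgr = getAccessControlManager(this.root);
        JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, (String) null);
        if (acl == null) {
            // Fail with a message: a bare RuntimeException hides which precondition broke.
            throw new IllegalStateException("No access control list available for the repository-level (null) path");
        }
        acl.addAccessControlEntry(testPrincipal, privilegesFromNames("jcr:namespaceManagement", "jcr:readAccessControl"));
        acl.addAccessControlEntry(EveryonePrincipal.getInstance(), privilegesFromNames("jcr:read"));
        acMgr.setPolicy((String) null, acl);
        this.root.commit();

        this.config = getSecurityProvider().getConfiguration(AuthorizationConfiguration.class);
        this.accessSession = createTestSession();

        Subject everyoneOnly = new Subject(true, ImmutableSet.of(EveryonePrincipal.getInstance()), ImmutableSet.of(), ImmutableSet.of());
        // The explicit target type selects the PrivilegedAction overload of doAs; a bare
        // lambda fits PrivilegedExceptionAction just as well.
        this.noAccessSession = Subject.doAs(everyoneOnly, (java.security.PrivilegedAction<ContentSession>) () -> {
            try {
                return getContentRepository().login((Credentials) null, (String) null);
            } catch (Exception e) {
                // Keep the cause so a failed login is diagnosable from the test report.
                throw new RuntimeException("Login with the everyone-only subject failed", e);
            }
        });
    }

    /**
     * Removes the repository-level policy and closes both sessions.
     *
     * <p>The sessions are closed and {@code super.after()} runs even when removing the
     * policy fails, and the null checks cover a {@code before()} that failed before the
     * sessions were opened.
     *
     * @throws Exception if cleanup fails
     */
    @Override
    public void after() throws Exception {
        try {
            JackrabbitAccessControlManager acMgr = getAccessControlManager(this.root);
            JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, (String) null);
            if (acl != null) {
                acMgr.removePolicy((String) null, acl);
                this.root.commit();
            }
        } finally {
            try {
                if (this.accessSession != null) {
                    this.accessSession.close();
                }
            } finally {
                try {
                    if (this.noAccessSession != null) {
                        this.noAccessSession.close();
                    }
                } finally {
                    super.after();
                }
            }
        }
    }

    /**
     * Resolves the tree permission for {@code str} by walking down from the root tree and
     * passing each parent permission to the provider, one path element at a time.
     *
     * @param contentSession session whose latest root, workspace name and principals are used
     * @param str absolute path of the tree to evaluate
     * @return the tree permission of the last path element
     */
    @NotNull
    private TreePermission getTreePermission(@NotNull ContentSession contentSession, @NotNull String str) {
        Root latestRoot = contentSession.getLatestRoot();
        PermissionProvider permissionProvider = this.config.getPermissionProvider(
                latestRoot, contentSession.getWorkspaceName(), contentSession.getAuthInfo().getPrincipals());
        Tree current = latestRoot.getTree(IdentifierManagerTest.ID_ROOT);
        TreePermission permission = permissionProvider.getTreePermission(current, TreePermission.EMPTY);
        for (String element : PathUtils.elements(str)) {
            current = current.getChild(element);
            permission = permissionProvider.getTreePermission(current, permission);
        }
        return permission;
    }

    /**
     * Returns the first child of the policy tree, read through the test's own root.
     * Setup adds two entries, so a child is expected to exist.
     */
    @NotNull
    private Tree firstAceTree() {
        return this.root.getTree(REPO_POLICY_PATH).getChildren().iterator().next();
    }

    @Test
    public void testTreePermissionImpl() {
        Assert.assertTrue(getTreePermission(this.accessSession, REPO_POLICY_PATH) instanceof RepoPolicyTreePermission);
    }

    @Test
    public void testGetChildPermission() {
        // The permission of the policy tree is expected to be reused for its children.
        TreePermission policyPermission = getTreePermission(this.accessSession, REPO_POLICY_PATH);
        Assert.assertSame(policyPermission, policyPermission.getChildPermission("childName", EmptyNodeState.EMPTY_NODE));
    }

    @Test
    public void testCanRead() {
        Assert.assertTrue(getTreePermission(this.accessSession, REPO_POLICY_PATH).canRead());
    }

    @Test
    public void testCanRead2() {
        // Negative twin: jcr:read alone must not expose the policy tree.
        Assert.assertFalse(getTreePermission(this.noAccessSession, REPO_POLICY_PATH).canRead());
    }

    @Test
    public void testCanReadAceNode() {
        Assert.assertTrue(getTreePermission(this.accessSession, firstAceTree().getPath()).canRead());
    }

    @Test
    public void testCanReadAceNode2() {
        Assert.assertFalse(getTreePermission(this.noAccessSession, firstAceTree().getPath()).canRead());
    }

    @Test
    public void testCanReadProperty() {
        PropertyState primaryType = PropertyStates.createProperty("jcr:primaryType", "rep:ACL");
        Assert.assertTrue(getTreePermission(this.accessSession, REPO_POLICY_PATH).canRead(primaryType));
    }

    @Test
    public void testCanReadProperty2() {
        PropertyState primaryType = PropertyStates.createProperty("jcr:primaryType", "rep:ACL");
        Assert.assertFalse(getTreePermission(this.noAccessSession, REPO_POLICY_PATH).canRead(primaryType));
    }

    @Test
    public void testCanReadPropertyAceNode() {
        Tree aceTree = firstAceTree();
        Assert.assertTrue(getTreePermission(this.accessSession, aceTree.getPath()).canRead(aceTree.getProperty("rep:principalName")));
    }

    @Test
    public void testCanReadPropertyAceNode2() {
        // Principal names inside entries must stay hidden without jcr:readAccessControl.
        Tree aceTree = firstAceTree();
        Assert.assertFalse(getTreePermission(this.noAccessSession, aceTree.getPath()).canRead(aceTree.getProperty("rep:principalName")));
    }

    @Test
    public void testCanReadProperties() {
        Assert.assertTrue(getTreePermission(this.accessSession, REPO_POLICY_PATH).canReadProperties());
    }

    @Test
    public void testCanReadProperties2() {
        Assert.assertFalse(getTreePermission(this.noAccessSession, REPO_POLICY_PATH).canReadProperties());
    }

    @Test
    public void testCanReadAll() {
        // canReadAll() is expected to be false even for the session that may read the policy.
        Assert.assertFalse(getTreePermission(this.accessSession, REPO_POLICY_PATH).canReadAll());
    }

    @Test
    public void testCanReadAll2() {
        Assert.assertFalse(getTreePermission(this.noAccessSession, REPO_POLICY_PATH).canReadAll());
    }

    @Test
    public void testIsGranted() {
        TreePermission policyPermission = getTreePermission(this.accessSession, REPO_POLICY_PATH);
        Assert.assertTrue(policyPermission.isGranted(PERM_NAMESPACE_MGMT));
        Assert.assertFalse(policyPermission.isGranted(PERM_WORKSPACE_MGMT));
        // A combined request must fail when only one of the two bits is granted.
        Assert.assertFalse(policyPermission.isGranted(PERM_NAMESPACE_AND_WORKSPACE_MGMT));
    }

    @Test
    public void testIsGranted2() {
        TreePermission policyPermission = getTreePermission(this.noAccessSession, REPO_POLICY_PATH);
        Assert.assertFalse(policyPermission.isGranted(PERM_NAMESPACE_MGMT));
        Assert.assertFalse(policyPermission.isGranted(PERM_WORKSPACE_MGMT));
        Assert.assertFalse(policyPermission.isGranted(PERM_NAMESPACE_AND_WORKSPACE_MGMT));
    }

    @Test
    public void testIsGrantedProperty() {
        PropertyState property = PropertyStates.createProperty("name", "value");
        TreePermission policyPermission = getTreePermission(this.accessSession, REPO_POLICY_PATH);
        Assert.assertTrue(policyPermission.isGranted(PERM_NAMESPACE_MGMT, property));
        Assert.assertFalse(policyPermission.isGranted(PERM_WORKSPACE_MGMT, property));
        Assert.assertFalse(policyPermission.isGranted(PERM_NAMESPACE_AND_WORKSPACE_MGMT, property));
    }

    @Test
    public void testIsGrantedProperty2() {
        PropertyState property = PropertyStates.createProperty("name", "value");
        TreePermission policyPermission = getTreePermission(this.noAccessSession, REPO_POLICY_PATH);
        Assert.assertFalse(policyPermission.isGranted(PERM_NAMESPACE_MGMT, property));
        Assert.assertFalse(policyPermission.isGranted(PERM_WORKSPACE_MGMT, property));
        Assert.assertFalse(policyPermission.isGranted(PERM_NAMESPACE_AND_WORKSPACE_MGMT, property));
    }
}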
