package org.apache.jackrabbit.oak.security.authorization.evaluation;

import java.util.Collections;
import java.util.Map;
import javax.jcr.RepositoryException;
import javax.jcr.Value;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlList;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.guava.common.collect.ImmutableMap;
import org.apache.jackrabbit.guava.common.collect.ImmutableSet;
import org.apache.jackrabbit.guava.common.collect.Iterables;
import org.apache.jackrabbit.oak.api.Tree;
import org.apache.jackrabbit.oak.plugins.identifier.IdentifierManagerTest;
import org.apache.jackrabbit.oak.plugins.tree.TreeUtil;
import org.apache.jackrabbit.oak.spi.security.authorization.AuthorizationConfiguration;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.PermissionProvider;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
import org.jetbrains.annotations.NotNull;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;

/* loaded from: input_file:org/apache/jackrabbit/oak/security/authorization/evaluation/AbstractQueryTest.class */
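/**
 * Base class for tests that verify query results honour the read permissions of the test principal.
 *
 * <p>Each test builds the content {@code node/subnode} below the tree returned for
 * {@code IdentifierManagerTest.ID_ROOT}, installs access control entries for {@code testPrincipal},
 * and then checks two things with the test session: the effective permissions reported by the
 * {@link PermissionProvider}, and that the statement supplied by {@link #getStatement()} returns
 * only the path of {@code node}. A row for {@code subnode} would mean the query exposes an item
 * the principal cannot read.
 *
 * <p>Subclasses supply the statement and may override {@link #createIndexDefinition()}.
 */
public abstract class AbstractQueryTest extends AbstractOakCoreTest {
    // Content created in before(); package-private so subclasses in this package can use it.
    Tree node;
    Tree subnode;

    /**
     * Creates the index definition (if any) and the {@code node/subnode} test content, then commits.
     *
     * @throws Exception if the parent setup, content creation or commit fails
     */
    @Override
    @Before
    public void before() throws Exception {
        super.before();
        createIndexDefinition();
        // NOTE(review): ID_ROOT is defined outside this file; presumably the root path. Confirm.
        Tree parent = this.root.getTree(IdentifierManagerTest.ID_ROOT);
        this.node = TreeUtil.addChild(parent, "node", "nt:unstructured");
        this.subnode = TreeUtil.addChild(this.node, "subnode", "nt:unstructured");
        this.root.commit();
    }

    /**
     * Grants {@code rep:readProperties} to the test principal at {@code IdentifierManagerTest.ID_ROOT},
     * restricted through {@code rep:itemNames} to the single item name {@code str}.
     *
     * <p>The policy is set on the access control manager but the root is not committed here.
     * The decompiler notes that this method was package-private in the original class.
     *
     * <p>Fails the test if no access control list can be obtained. Skipping the grant silently
     * would let a later permission assertion run against a setup that was never applied.
     *
     * @param str item name the property read access is limited to
     * @throws Exception if the entry cannot be added or the policy cannot be set
     */
    public void grantPropertyReadAccess(@NotNull String str) throws Exception {
        JackrabbitAccessControlManager acMgr = getAccessControlManager(this.root);
        JackrabbitAccessControlList acl = requireAccessControlList(acMgr, IdentifierManagerTest.ID_ROOT);
        // The restriction value is created as a JCR NAME (PropertyType.NAME == 7).
        Value itemName = getValueFactory(this.root).createValue(str, javax.jcr.PropertyType.NAME);
        acl.addEntry(
                this.testPrincipal,
                AccessControlUtils.privilegesFromNames(acMgr, "rep:readProperties"),
                true,
                (Map<String, Value>) null, // no single-valued restrictions
                ImmutableMap.of("rep:itemNames", new Value[]{itemName}));
        acMgr.setPolicy(acl.getPath(), acl);
    }

    /**
     * Hook for subclasses that need an index definition; this base implementation does nothing.
     *
     * @throws RepositoryException declared for overriding implementations
     */
    void createIndexDefinition() throws RepositoryException {
    }

    /**
     * Returns the statement to execute; it is run with the language string {@code "JCR-SQL2"}.
     *
     * @return the query statement under test
     */
    abstract String getStatement();

    /**
     * Allows {@code jcr:all} on {@code node} with an empty {@code rep:glob} restriction and expects
     * the node to be readable while its {@code jcr:primaryType} property and {@code subnode} are not.
     * The query must return only the node.
     */
    @Test
    public void testQueryWithEmptyGlobRestriction() throws Exception {
        JackrabbitAccessControlManager acMgr = getAccessControlManager(this.root);
        JackrabbitAccessControlList acl = requireAccessControlList(acMgr, this.node.getPath());
        acl.addEntry(
                this.testPrincipal,
                AccessControlUtils.privilegesFromNames(acMgr, "jcr:all"),
                true,
                ImmutableMap.of("rep:glob", getValueFactory(this.root).createValue("")));
        acMgr.setPolicy(acl.getPath(), acl);
        this.root.commit();

        assertAccess(this.node.getPath(), this.subnode.getPath(), false);
        assertQueryReturnsOnlyNode();
    }

    /**
     * Same as {@link #testQueryWithEmptyGlobRestriction()} plus a second entry that allows
     * {@code rep:readProperties} with the glob {@code /jcr:primaryType}. The primary type of
     * {@code node} is then expected to be readable; {@code subnode} stays inaccessible and must
     * not appear in the query result.
     */
    @Test
    public void testQueryWithEmptyGlobRestrictionAndPropertyRead() throws Exception {
        JackrabbitAccessControlManager acMgr = getAccessControlManager(this.root);
        JackrabbitAccessControlList acl = requireAccessControlList(acMgr, this.node.getPath());
        acl.addEntry(
                this.testPrincipal,
                privilegesFromNames("jcr:all"),
                true,
                ImmutableMap.of("rep:glob", getValueFactory(this.root).createValue("")));
        acl.addEntry(
                this.testPrincipal,
                privilegesFromNames("rep:readProperties"),
                true,
                ImmutableMap.of("rep:glob", getValueFactory(this.root).createValue("/jcr:primaryType")));
        acMgr.setPolicy(acl.getPath(), acl);
        this.root.commit();

        assertAccess(this.node.getPath(), this.subnode.getPath(), true);
        assertQueryReturnsOnlyNode();
    }

    /**
     * Allows {@code jcr:all} on {@code node} and denies it on {@code subnode}; the query must
     * return the node only.
     */
    @Test
    public void testQueryWithAllowNodeAndDenySubNode() throws Exception {
        setupPermission(this.node.getPath(), this.testPrincipal, true, "jcr:all");
        setupPermission(this.subnode.getPath(), this.testPrincipal, false, "jcr:all");

        assertAccess(this.node.getPath(), this.subnode.getPath(), true);
        assertQueryReturnsOnlyNode();
    }

    /**
     * Looks up the access control list for {@code path} and fails the test when there is none,
     * so a test never continues without the permission setup it is meant to verify.
     */
    private static JackrabbitAccessControlList requireAccessControlList(
            JackrabbitAccessControlManager acMgr, String path) throws RepositoryException {
        JackrabbitAccessControlList acl = AccessControlUtils.getAccessControlList(acMgr, path);
        Assert.assertNotNull("no access control list available at " + path, acl);
        return acl;
    }

    /**
     * Runs {@link #getStatement()} with the test session and asserts that the result rows are
     * exactly one row for the path of {@code node}.
     */
    private void assertQueryReturnsOnlyNode() throws Exception {
        Iterable<String> expected = ImmutableSet.of(this.node.getPath());
        Assert.assertTrue(
                "query must return the accessible node and nothing else",
                Iterables.elementsEqual(
                        expected,
                        Iterables.transform(
                                getTestRoot().getQueryEngine()
                                        .executeQuery(getStatement(), "JCR-SQL2", Collections.emptyMap(), Collections.emptyMap())
                                        .getRows(),
                                row -> row.getPath())));
    }

    /**
     * Checks what the test session can see and what the permission provider reports.
     *
     * @param readablePath path that must exist and be readable for the test session
     * @param hiddenPath path that must neither exist nor be readable for the test session
     * @param primaryTypeReadable whether {@code jcr:primaryType} of {@code readablePath} is
     *     expected to be readable
     */
    private void assertAccess(@NotNull String readablePath, @NotNull String hiddenPath, boolean primaryTypeReadable) throws Exception {
        Assert.assertTrue(getTestRoot().getTree(readablePath).exists());
        Assert.assertFalse(getTestRoot().getTree(hiddenPath).exists());

        PermissionProvider pp = getConfig(AuthorizationConfiguration.class).getPermissionProvider(
                getTestRoot(),
                getTestSession().getWorkspaceName(),
                getTestSession().getAuthInfo().getPrincipals());
        // Each property is checked twice: with the "read" action and with the READ_PROPERTY permission name.
        String readProperty = Permissions.getString(Permissions.READ_PROPERTY);
        String readablePrimaryType = readablePath + "/jcr:primaryType";
        String hiddenPrimaryType = hiddenPath + "/jcr:primaryType";

        Assert.assertTrue(pp.isGranted(readablePath, "read"));
        Assert.assertEquals(primaryTypeReadable, pp.isGranted(readablePrimaryType, "read"));
        Assert.assertEquals(primaryTypeReadable, pp.isGranted(readablePrimaryType, readProperty));

        Assert.assertFalse(pp.isGranted(hiddenPath, "read"));
        Assert.assertFalse(pp.isGranted(hiddenPrimaryType, "read"));
        Assert.assertFalse(pp.isGranted(hiddenPrimaryType, readProperty));
    }
}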
