package org.modeshape.jcr.security;

import java.security.AccessControlException;
import javax.jcr.AccessDeniedException;
import javax.jcr.Node;
import javax.jcr.NodeIterator;
import javax.jcr.RepositoryException;
import javax.jcr.UnsupportedRepositoryOperationException;
import javax.jcr.security.AccessControlList;
import javax.jcr.security.AccessControlManager;
import javax.jcr.security.AccessControlPolicy;
import javax.jcr.security.AccessControlPolicyIterator;
import javax.jcr.security.Privilege;
import org.hamcrest.core.Is;
import org.hamcrest.core.IsNull;
import org.jboss.dna.repository.observation.ObservationService;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.modeshape.common.FixFor;
import org.modeshape.jcr.AbstractJcrNode;
import org.modeshape.jcr.JcrRootNode;
import org.modeshape.jcr.MultiUseAbstractTest;
import org.modeshape.jcr.security.acl.Privileges;

/* loaded from: input_file:org/modeshape/jcr/security/AccessControlManagerTest.class */
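/**
 * Exercises the JCR {@link AccessControlManager} of the shared test session: privilege lookup,
 * privileges derived from the access control lists installed in {@link #beforeAll()}, and
 * enforcement of those lists for add, modify, remove and set-policy operations.
 *
 * <p>All policies created by {@link #setPolicy(String, String...)} are granted to the principal
 * named {@code "anonymous"}; the deny tests rely on a privilege being absent from those grants.
 *
 * <p>NOTE(review): the path constant {@code ObservationService.WorkspaceListener.DEFAULT_ABSOLUTE_PATH}
 * comes from an unrelated {@code org.jboss.dna} class. Presumably it stands for the root path and
 * was substituted for a literal by the decompiler; confirm before relying on it.
 */
public class AccessControlManagerTest extends MultiUseAbstractTest {
    // Access control manager of the current session, refreshed before every test.
    private AccessControlManager acm;
    // Helper exposing the privileges supported by the repository under test.
    private Privileges privileges;

    /**
     * Registers the car node types, imports the car content and installs the access control
     * lists every test in this class depends on.
     *
     * @throws Exception if registration, import or policy setup fails
     */
    @BeforeClass
    public static final void beforeAll() throws Exception {
        MultiUseAbstractTest.beforeAll();
        registerNodeTypes("cars.cnd");
        importContent(ObservationService.WorkspaceListener.DEFAULT_ABSOLUTE_PATH, "io/cars-system-view-with-uuids.xml", 3);
        // Broad grant first, then narrower grants on sub-trees. The deny tests below depend on
        // what is missing here: no write on /Cars/Luxury, no modifyAccessControl on /Cars/Utility.
        setPolicy(ObservationService.WorkspaceListener.DEFAULT_ABSOLUTE_PATH, "{http://www.jcp.org/jcr/1.0}all");
        setPolicy("/Cars/Luxury/Cadillac DTS", "{http://www.jcp.org/jcr/1.0}read", "{http://www.jcp.org/jcr/1.0}write", "{http://www.jcp.org/jcr/1.0}modifyAccessControl");
        setPolicy("/Cars/Luxury/", "{http://www.jcp.org/jcr/1.0}read", "{http://www.jcp.org/jcr/1.0}modifyAccessControl");
        setPolicy("/Cars/Sports/", "{http://www.jcp.org/jcr/1.0}read", "{http://www.jcp.org/jcr/1.0}write", "{http://www.jcp.org/jcr/1.0}modifyAccessControl");
        setPolicy("/Cars/Utility/Ford F-150/", "{http://www.jcp.org/jcr/1.0}modifyAccessControl", "{http://www.jcp.org/jcr/1.0}readAccessControl");
        setPolicy("/Cars/Utility/", "{http://www.jcp.org/jcr/1.0}readAccessControl");
    }

    /**
     * Delegates class-level teardown to the base class.
     *
     * @throws Exception if teardown fails
     */
    @AfterClass
    public static final void afterAll() throws Exception {
        MultiUseAbstractTest.afterAll();
    }

    /**
     * Runs the base per-test setup and then captures the access control manager and privilege
     * helper for the current session.
     *
     * @throws Exception if the base setup or the manager lookup fails
     */
    @Override
    @Before
    public void beforeEach() throws Exception {
        super.beforeEach();
        this.acm = session.getAccessControlManager();
        this.privileges = new Privileges(session);
    }

    /** Checks that a second session can be opened and closed; passes when no exception is thrown. */
    @Test
    public void testSecondSession() throws Exception {
        session.getRepository().login().logout();
    }

    /** Checks that both the cached manager and a fresh lookup on the session are non-null. */
    @Test
    public void shouldObtainAccessControlManager() throws Exception {
        Assert.assertNotNull(this.acm);
        // The matcher has to go through assertThat: calling matches() directly only returns a
        // boolean, so a null manager would not fail the test.
        Assert.assertThat(session.getAccessControlManager(), Is.is(IsNull.notNullValue()));
    }

    /** Checks that the manager reports as many supported privileges as the {@link Privileges} helper lists. */
    @Test
    public void testGetSupportedPrivileges() throws Exception {
        Assert.assertEquals(this.privileges.listOfSupported().length, this.acm.getSupportedPrivileges(ObservationService.WorkspaceListener.DEFAULT_ABSOLUTE_PATH).length);
    }

    /** Checks that the expanded-form name of jcr:all resolves to a privilege reporting the prefixed name. */
    @Test
    public void testPrivilegeForName() throws Exception {
        Assert.assertEquals("jcr:all", this.acm.privilegeFromName("{http://www.jcp.org/jcr/1.0}all").getName());
    }

    /**
     * Checks the first privilege reported for /Cars/Luxury, which was granted read and
     * modifyAccessControl in {@link #beforeAll()}.
     */
    @Test
    public void shouldHaveReadPrivilege() throws Exception {
        // NOTE(review): indexing [0] assumes the manager returns privileges in grant order - confirm.
        Assert.assertEquals("jcr:read", this.acm.getPrivileges("/Cars/Luxury")[0].getName());
    }

    /** Checks that the node with its own read/write grant reports both privileges. */
    @Test
    public void shoudlHaveReadWritePrivilege() throws Exception {
        Privilege[] privileges = this.acm.getPrivileges("/Cars/Luxury/Cadillac DTS");
        Assert.assertTrue(contains("jcr:read", privileges));
        Assert.assertTrue(contains("jcr:write", privileges));
    }

    /**
     * Checks that a node without a policy of its own in {@link #beforeAll()} reports the same
     * first privilege as its parent /Cars/Luxury.
     */
    @Test
    public void shoudlDeriveAccessList() throws Exception {
        Assert.assertEquals("jcr:read", this.acm.getPrivileges("/Cars/Luxury/Lexus IS350")[0].getName());
    }

    /**
     * Checks that /Cars/Hybrid, which gets no policy of its own in {@link #beforeAll()}, reports
     * jcr:all (presumably inherited from the policy set on the default absolute path).
     */
    @Test
    public void shoudlGrantAllPermissions() throws Exception {
        Assert.assertTrue(contains("jcr:all", this.acm.getPrivileges("/Cars/Hybrid")));
    }

    /** Checks that adding a child under /Cars/Sports, which has a write grant, is not denied. */
    @Test
    public void shouldGrantAdd() throws Exception {
        try {
            session.getNode("/Cars/Sports").addNode("Chevrolet Camaro", "car:Car");
        } catch (AccessDeniedException e) {
            Assert.fail("Should grant add");
        }
    }

    /**
     * Checks that adding a child under /Cars/Luxury, which has no write grant, is denied.
     *
     * @throws RepositoryException on any repository failure other than the expected denial
     */
    @Test
    public void shouldDenyAdd() throws RepositoryException {
        try {
            session.getNode("/Cars/Luxury").addNode("Cadillac Flitwood", "car:Car");
            Assert.fail("Should deny add node");
        } catch (AccessControlException expected) {
            // java.security.AccessControlException: accepted as a denial.
            System.out.println("Hide exception");
        } catch (AccessDeniedException expected) {
            // javax.jcr.AccessDeniedException: accepted as a denial.
            System.out.println("Hide exception");
        }
    }

    /**
     * Checks that setting a property below /Cars/Sports is not denied.
     *
     * @throws RepositoryException on any repository failure other than a denial
     */
    @Test
    public void shouldGrantModify() throws RepositoryException {
        try {
            session.getNode("/Cars/Sports/Infiniti G37").setProperty("car:msrp", "$34,901");
        } catch (AccessDeniedException e) {
            Assert.fail("Should grant modification");
        }
    }

    /**
     * Checks that setting a property below /Cars/Luxury, which has no write grant, is denied.
     *
     * @throws RepositoryException on any repository failure other than the expected denial
     */
    @Test
    public void shouldDenyModify() throws RepositoryException {
        try {
            session.getNode("/Cars/Luxury/Lexus IS350").setProperty("car:msrp", "$34,901");
            Assert.fail("Should deny modification");
        } catch (AccessDeniedException expected) {
            // Denial is the outcome under test.
        }
    }

    /**
     * Checks that removing a node below /Cars/Sports is not denied.
     *
     * @throws RepositoryException on any repository failure other than a denial
     */
    @Test
    public void shouldGrantRemove() throws RepositoryException {
        try {
            session.getNode("/Cars/Sports/Infiniti G37").remove();
        } catch (AccessDeniedException e) {
            Assert.fail("Should grant remove operation");
        }
    }

    /**
     * Checks that removing a node below /Cars/Luxury is denied.
     *
     * @throws RepositoryException on any repository failure other than the expected denial
     */
    @Test
    public void shouldDenyRemove() throws RepositoryException {
        try {
            session.getNode("/Cars/Luxury/Lexus IS350").remove();
            Assert.fail("Should deny remove operation");
        } catch (AccessControlException expected) {
            // Denial is the outcome under test.
        } catch (AccessDeniedException expected) {
            // Denial is the outcome under test.
        }
    }

    /**
     * Checks that a node carrying its own write grant still cannot be removed when its parent
     * (/Cars/Luxury) has no write grant.
     *
     * @throws RepositoryException on any repository failure other than the expected denial
     */
    @Test
    public void shoudlDenyRemove2() throws RepositoryException {
        try {
            session.getNode("/Cars/Luxury/Cadillac DTS").remove();
            Assert.fail("Should deny remove operation: Parent node has no privilege to remove child node");
        } catch (AccessDeniedException expected) {
            // Denial is the outcome under test.
        } catch (AccessControlException expected) {
            // Denial is the outcome under test.
        }
        // Deliberately no catch-all: any other exception (for example a missing path) must fail
        // the test instead of being printed and counted as a successful denial.
    }

    /**
     * Checks that a policy can be set on a node that was granted modifyAccessControl.
     *
     * @throws RepositoryException if the policy cannot be set
     */
    @Test
    public void shouldAllowSetPolicy() throws RepositoryException {
        setPolicy("/Cars/Utility/Ford F-150", "{http://www.jcp.org/jcr/1.0}all");
    }

    /**
     * Checks that setting a policy on /Cars/Utility, which was granted only readAccessControl,
     * is denied.
     *
     * @throws RepositoryException on any repository failure other than the expected denial
     */
    @Test
    public void shouldDenySetPolicy() throws RepositoryException {
        try {
            setPolicy("/Cars/Utility", "{http://www.jcp.org/jcr/1.0}all");
            Assert.fail("Should deny access list modification");
        } catch (AccessDeniedException expected) {
            // Denial is the outcome under test.
        }
    }

    /**
     * Removes the policy on /Cars/Utility/Ford F-150 and checks the first reported privilege.
     *
     * <p>NOTE(review): this method carries no {@code @Test} annotation, so JUnit 4 never runs it.
     * It is left disabled here because it passes a null policy and compares against the
     * expanded-form name, while the other tests expect the prefixed form from {@code getName()};
     * confirm the intended expectation before enabling it.
     *
     * @throws RepositoryException if the policy cannot be removed or read back
     */
    public void shouldRemovePolicy() throws RepositoryException {
        this.acm.removePolicy("/Cars/Utility/Ford F-150", (AccessControlPolicy) null);
        Assert.assertEquals("{http://www.jcp.org/jcr/1.0}all", this.acm.getPrivileges("/Cars/Utility/Ford F-150")[0].getName());
    }

    /**
     * Checks that the ACL storage node cannot be removed through the ordinary node API.
     */
    @Test
    public void onlyAccessControlAPIAllowsRemoveACL() throws Exception {
        AbstractJcrNode node = session.getNode("/Cars/Luxury/mode:acl");
        Assert.assertThat(node, Is.is(IsNull.notNullValue()));
        try {
            node.remove();
            Assert.fail("Only Access Control API allows modification");
        } catch (Exception expected) {
            // Assert.fail raises an AssertionError, which is not an Exception, so a missing
            // denial still fails the test.
            // NOTE(review): any exception type is accepted as a denial here; narrowing the catch
            // to the type the repository actually throws would make the check stricter.
        }
    }

    /**
     * Checks that an ACL structure cannot be created by hand with the ordinary node API.
     */
    @Test
    public void onlyAccessControlAPIAllowsAddACL() throws Exception {
        AbstractJcrNode node = session.getNode("/Cars/Hybrid");
        Assert.assertThat(node, Is.is(IsNull.notNullValue()));
        try {
            node.addMixin("mix:accessControllable");
            node.addNode("mode:acl", "mode:Acl").addNode("test", "mode:Permission");
            Assert.fail("Only Access Control API allows modification");
        } catch (RepositoryException expected) {
            // Rejection of the hand-built ACL nodes is the outcome under test.
        }
    }

    /**
     * Checks that a policy can be set below /Cars/Luxury, which has modifyAccessControl but no
     * write grant; passes when no exception is thrown.
     */
    @Test
    public void shouldNotDependFromContentPermissions() throws Exception {
        setPolicy("/Cars/Luxury/Bentley Continental", "{http://www.jcp.org/jcr/1.0}write");
    }

    /**
     * Grants jcr:all on a new node to the principal "Admin" only and checks that the current
     * session can no longer read that node.
     *
     * <p>This differs from {@link #shouldAllowAccessUsingRole()} only in the node name and in the
     * case of the principal name; presumably principal matching is case-sensitive - confirm.
     */
    @Test
    @FixFor({"MODE-2036"})
    public void shouldDenyAccessChildNode() throws Exception {
        JcrRootNode rootNode = session.getRootNode();
        Node addNode = rootNode.addNode("truks");
        session.save();
        AccessControlManager accessControlManager = session.getAccessControlManager();
        Privilege[] privilegeArr = {accessControlManager.privilegeFromName("{http://www.jcp.org/jcr/1.0}all")};
        AccessControlList nodeAcl = firstApplicableOrExistingAcl(accessControlManager, addNode.getPath());
        nodeAcl.addAccessControlEntry(SimplePrincipal.newInstance("Admin"), privilegeArr);
        accessControlManager.setPolicy(addNode.getPath(), nodeAcl);
        session.save();
        try {
            rootNode.getNode("truks");
            Assert.fail("Access list should deny access");
        } catch (javax.jcr.security.AccessControlException expected) {
            // Fully qualified on purpose: the imported AccessControlException is the
            // java.security one, a different type.
        }
    }

    /**
     * Grants jcr:all on a new node to the principal "admin" and checks that the current session
     * can still read that node (presumably because "admin" is one of its roles - confirm).
     */
    @Test
    public void shouldAllowAccessUsingRole() throws Exception {
        JcrRootNode rootNode = session.getRootNode();
        Node addNode = rootNode.addNode("tractors");
        session.save();
        AccessControlManager accessControlManager = session.getAccessControlManager();
        Privilege[] privilegeArr = {accessControlManager.privilegeFromName("{http://www.jcp.org/jcr/1.0}all")};
        AccessControlList nodeAcl = firstApplicableOrExistingAcl(accessControlManager, addNode.getPath());
        nodeAcl.addAccessControlEntry(SimplePrincipal.newInstance("admin"), privilegeArr);
        accessControlManager.setPolicy(addNode.getPath(), nodeAcl);
        session.save();
        Assert.assertThat(rootNode.getNode("tractors"), Is.is(IsNull.notNullValue()));
    }

    /**
     * Grants "anonymous" read on a new node and on the default absolute path, then checks that
     * the node can be read; passes when the final lookup throws nothing.
     *
     * <p>NOTE(review): this adds entries to the policy on the default absolute path and saves.
     * If the repository is shared between the tests of this class, tests that run later see the
     * modified policy - confirm that the outcome does not depend on test order.
     */
    @Test
    public void shouldAllowRead() throws Exception {
        Assert.assertThat(session.getRootNode().addNode("aircraft"), Is.is(IsNull.notNullValue()));
        AccessControlList acl = acl("/aircraft");
        acl.addAccessControlEntry(SimplePrincipal.newInstance("Admin"), new Privilege[]{this.acm.privilegeFromName("{http://www.jcp.org/jcr/1.0}all")});
        acl.addAccessControlEntry(SimplePrincipal.newInstance("anonymous"), new Privilege[]{this.acm.privilegeFromName("{http://www.jcp.org/jcr/1.0}read")});
        this.acm.setPolicy("/aircraft", acl);
        AccessControlList acl2 = acl(ObservationService.WorkspaceListener.DEFAULT_ABSOLUTE_PATH);
        acl2.addAccessControlEntry(SimplePrincipal.newInstance("Admin"), new Privilege[]{this.acm.privilegeFromName("{http://www.jcp.org/jcr/1.0}all")});
        acl2.addAccessControlEntry(SimplePrincipal.newInstance("anonymous"), new Privilege[]{this.acm.privilegeFromName("{http://www.jcp.org/jcr/1.0}read")});
        this.acm.setPolicy(ObservationService.WorkspaceListener.DEFAULT_ABSOLUTE_PATH, acl2);
        session.save();
        session.getRootNode().getNode("aircraft");
    }

    /** Checks that an applicable policy is offered for /Cars. */
    @Test
    public void testGetApplicablePolicies() throws Exception {
        Assert.assertTrue(this.acm.getApplicablePolicies("/Cars").nextAccessControlPolicy() != null);
    }

    /**
     * Creates one node readable by "anonymous" (/ufo) and one granted only to "user" (/vans),
     * then iterates the root's children; passes when the iteration throws nothing.
     *
     * <p>NOTE(review): like {@link #shouldAllowRead()}, this changes the policy on the default
     * absolute path, which may affect later tests if the repository is shared - confirm.
     */
    @Test
    @FixFor({"MODE-2193"})
    public void shouldAllowReadingAccessibleNodes() throws Exception {
        AccessControlList acl = acl(ObservationService.WorkspaceListener.DEFAULT_ABSOLUTE_PATH);
        acl.addAccessControlEntry(SimplePrincipal.newInstance("anonymous"), new Privilege[]{this.acm.privilegeFromName("{http://www.jcp.org/jcr/1.0}all")});
        this.acm.setPolicy(ObservationService.WorkspaceListener.DEFAULT_ABSOLUTE_PATH, acl);
        JcrRootNode rootNode = session.getRootNode();
        Node addNode = rootNode.addNode("ufo");
        Node addNode2 = rootNode.addNode("vans");
        Assert.assertThat(addNode, Is.is(IsNull.notNullValue()));
        Assert.assertThat(addNode2, Is.is(IsNull.notNullValue()));
        AccessControlList acl2 = acl("/ufo");
        acl2.addAccessControlEntry(SimplePrincipal.newInstance("Admin"), new Privilege[]{this.acm.privilegeFromName("{http://www.jcp.org/jcr/1.0}all")});
        acl2.addAccessControlEntry(SimplePrincipal.newInstance("anonymous"), new Privilege[]{this.acm.privilegeFromName("{http://www.jcp.org/jcr/1.0}read")});
        this.acm.setPolicy("/ufo", acl2);
        AccessControlList acl3 = acl("/vans");
        acl3.addAccessControlEntry(SimplePrincipal.newInstance("user"), new Privilege[]{this.acm.privilegeFromName("{http://www.jcp.org/jcr/1.0}all")});
        this.acm.setPolicy("/vans", acl3);
        session.save();
        // Walking the children must skip, not fail on, nodes the session cannot read.
        NodeIterator nodes = session.getRootNode().getNodes();
        while (nodes.hasNext()) {
            nodes.nextNode();
        }
    }

    /**
     * Grants the named privileges on a path to the principal "anonymous" and saves the session.
     *
     * @param str absolute path of the node that receives the policy
     * @param strArr expanded-form privilege names to grant
     * @throws UnsupportedRepositoryOperationException if access control is not supported
     * @throws RepositoryException if a privilege name is unknown or the policy cannot be set
     */
    private static void setPolicy(String str, String... strArr) throws UnsupportedRepositoryOperationException, RepositoryException {
        AccessControlManager accessControlManager = session.getAccessControlManager();
        Privilege[] privilegeArr = new Privilege[strArr.length];
        for (int i = 0; i < strArr.length; i++) {
            privilegeArr[i] = accessControlManager.privilegeFromName(strArr[i]);
        }
        AccessControlList pathAcl = firstApplicableOrExistingAcl(accessControlManager, str);
        pathAcl.addAccessControlEntry(SimplePrincipal.newInstance("anonymous"), privilegeArr);
        accessControlManager.setPolicy(str, pathAcl);
        session.save();
    }

    /**
     * Returns the first applicable policy for a path, or the first policy already bound to it
     * when none is applicable.
     *
     * @param manager access control manager to query
     * @param absPath absolute path of the node
     * @return the policy as an access control list
     * @throws RepositoryException if the policies cannot be read
     */
    private static AccessControlList firstApplicableOrExistingAcl(AccessControlManager manager, String absPath) throws RepositoryException {
        AccessControlPolicyIterator applicablePolicies = manager.getApplicablePolicies(absPath);
        // The JCR API hands back AccessControlPolicy, so the list type needs an explicit downcast.
        if (applicablePolicies.hasNext()) {
            return (AccessControlList) applicablePolicies.nextAccessControlPolicy();
        }
        return (AccessControlList) manager.getPolicies(absPath)[0];
    }

    /**
     * Reports whether any privilege in the array has the given name.
     *
     * @param str privilege name to look for
     * @param privilegeArr privileges to search
     * @return {@code true} if a privilege with that name is present
     */
    private boolean contains(String str, Privilege[] privilegeArr) {
        for (Privilege privilege : privilegeArr) {
            if (str.equals(privilege.getName())) {
                return true;
            }
        }
        return false;
    }
}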
