package org.modeshape.jcr;

import java.security.AccessControlContext;
import java.security.AccessController;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Map;
import javax.jcr.AccessDeniedException;
import javax.jcr.Credentials;
import javax.jcr.LoginException;
import javax.jcr.NodeIterator;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.jcr.SimpleCredentials;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.hamcrest.core.Is;
import org.hamcrest.core.IsNull;
import org.infinispan.schematic.Schematic;
import org.infinispan.schematic.document.Document;
import org.infinispan.schematic.document.EditableDocument;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.TestRule;
import org.modeshape.common.FixFor;
import org.modeshape.common.junit.SkipLongRunning;
import org.modeshape.common.junit.SkipTestRule;
import org.modeshape.jcr.security.AdvancedAuthorizationProvider;
import org.modeshape.jcr.security.AuthenticationProvider;
import org.modeshape.jcr.security.AuthorizationProvider;
import org.modeshape.jcr.security.JaasSecurityContext;
import org.modeshape.jcr.security.SecurityContext;
import org.modeshape.jcr.value.Path;
import org.modeshape.jcr.value.StringFactory;

/* loaded from: input_file:org/modeshape/jcr/AuthenticationAndAuthorizationTest.class */
public class AuthenticationAndAuthorizationTest {

    @Rule
    public TestRule skipTestRule = new SkipTestRule();
    private static final String REPO_NAME = "testRepo";
    private Environment environment;
    protected JcrRepository repository;
    protected JcrSession session;

    /* loaded from: input_file:org/modeshape/jcr/AuthenticationAndAuthorizationTest$AdvancedTestSecurityProvider.class */
    public static class AdvancedTestSecurityProvider extends TestSecurityProvider implements AdvancedAuthorizationProvider {
        /* JADX WARN: Multi-variable type inference failed */
        public boolean hasPermission(AdvancedAuthorizationProvider.Context context, Path path, String... strArr) {
            this.actionsByNodePath.put(this.stringFactory.create(path), strArr[0]);
            return true;
        }
    }

    /* loaded from: input_file:org/modeshape/jcr/AuthenticationAndAuthorizationTest$SimpleTestSecurityProvider.class */
    public static class SimpleTestSecurityProvider extends TestSecurityProvider implements AuthorizationProvider {
        /* JADX WARN: Multi-variable type inference failed */
        public boolean hasPermission(ExecutionContext executionContext, String str, String str2, String str3, Path path, String... strArr) {
            this.actionsByNodePath.put(this.stringFactory.create(path), strArr[0]);
            return true;
        }
    }

    /* loaded from: input_file:org/modeshape/jcr/AuthenticationAndAuthorizationTest$TestSecurityProvider.class */
    public static abstract class TestSecurityProvider implements AuthenticationProvider, SecurityContext {
        protected final Map<String, String> actionsByNodePath = new HashMap();
        protected StringFactory stringFactory;

        public ExecutionContext authenticate(Credentials credentials, String str, String str2, ExecutionContext executionContext, Map<String, Object> map) {
            this.stringFactory = executionContext.getValueFactories().getStringFactory();
            return executionContext.with(this);
        }

        public boolean isAnonymous() {
            return false;
        }

        public String getUserName() {
            return "test user";
        }

        public boolean hasRole(String str) {
            return true;
        }

        public void logout() {
        }

        public Map<String, String> getActionsByNodePath() {
            return this.actionsByNodePath;
        }
    }

    @BeforeClass
    public static void beforeAll() {
        JaasTestUtil.initJaas("security/jaas.conf.xml");
    }

    @AfterClass
    public static void afterAll() {
        JaasTestUtil.releaseJaas();
    }

    @Before
    public void beforeEach() throws Exception {
        this.environment = new TestingEnvironment();
    }

    @After
    public void afterEach() throws Exception {
        if (this.repository != null) {
            try {
                TestingUtil.killRepositories(this.repository);
            } finally {
                this.repository = null;
                this.session = null;
                this.environment.shutdown();
            }
        }
    }

    protected void startRepositoryWith(Document document, String str) throws Exception {
        this.repository = new JcrRepository(new RepositoryConfiguration(document, str, this.environment));
        this.repository.start();
    }

    protected Document createRepositoryConfiguration(String str, String str2, String... strArr) {
        EditableDocument newDocument = Schematic.newDocument("name", str);
        EditableDocument orCreateDocument = newDocument.getOrCreateDocument("security");
        if (strArr == null || strArr.length == 0) {
            orCreateDocument.getOrCreateDocument("anonymous").setArray("roles");
        } else {
            EditableDocument orCreateDocument2 = orCreateDocument.getOrCreateDocument("anonymous");
            orCreateDocument2.setArray("roles", strArr);
            orCreateDocument2.setBoolean("useOnFailedLogin", true);
        }
        if (str2 != null) {
            orCreateDocument.getOrCreateArray("providers").addDocument(Schematic.newDocument("classname", "JAAS", "policyName", "modeshape-jcr"));
        }
        return newDocument;
    }

    @Test
    public void shouldLogInAsAnonymousUsingNoCredentials() throws Exception {
        startRepositoryWith(createRepositoryConfiguration(REPO_NAME, "modeshape-jcr-non-existant", "readwrite"), REPO_NAME);
        this.session = this.repository.login();
        this.session.getRootNode().getPath();
        this.session.getRootNode().addNode("someNewNode");
    }

    @Test
    public void shouldLogInAsAnonymousWithReadOnlyPrivilegesUsingNoCredentials() throws Exception {
        startRepositoryWith(createRepositoryConfiguration(REPO_NAME, "modeshape-jcr-non-existant", "readonly"), REPO_NAME);
        this.session = this.repository.login();
        this.session.getRootNode().getPath();
        try {
            this.session.getRootNode().addNode("someNewNode");
            Assert.fail("Should not have been able to update content with a read-only user");
        } catch (AccessDeniedException e) {
        }
    }

    @Test
    public void shouldLogInAsUserWithReadOnlyRole() throws Exception {
        startRepositoryWith(createRepositoryConfiguration(REPO_NAME, "modeshape-jcr", new String[0]), REPO_NAME);
        this.session = this.repository.login(new SimpleCredentials("readonly", "readonly".toCharArray()));
        this.session.getRootNode().getPath();
        this.session.getRootNode().getDefinition();
        try {
            this.session.getRootNode().addNode("someNewNode");
            Assert.fail("Should not have been able to update content with a read-only user");
        } catch (AccessDeniedException e) {
        }
    }

    @Test
    public void shouldLogInAsUserWithReadWriteRole() throws Exception {
        startRepositoryWith(createRepositoryConfiguration(REPO_NAME, "modeshape-jcr", new String[0]), REPO_NAME);
        this.session = this.repository.login(new SimpleCredentials("readwrite", "readwrite".toCharArray()));
        this.session.getRootNode().getPath();
        this.session.getRootNode().getDefinition();
        this.session.getRootNode().addNode("someNewNode");
    }

    @Test
    public void shouldNotAllowAnonymousLoginsWhenUsingOnlyJaas() throws Exception {
        startRepositoryWith(createRepositoryConfiguration(REPO_NAME, "modeshape-jcr", new String[0]), REPO_NAME);
        try {
            this.session = this.repository.login();
            Assert.fail("Should not have been able to login anonymously if anonymous logins are disabled");
        } catch (LoginException e) {
        }
    }

    @Test
    public void shouldLogInAsAnonymousUserIfNoProviderAuthenticatesCredentials() throws Exception {
        startRepositoryWith(createRepositoryConfiguration(REPO_NAME, "modeshape-jcr", "readonly"), REPO_NAME);
        this.session = this.repository.login(new SimpleCredentials("readwrite", "wrongpassword".toCharArray()));
        Assert.assertThat(Boolean.valueOf(this.session.isAnonymous()), Is.is(true));
        this.session.getRootNode().getPath();
        this.session.getRootNode().getDefinition();
        try {
            this.session.getRootNode().addNode("someNewNode");
            Assert.fail("Should not have been able to update content with a read-only user");
        } catch (AccessDeniedException e) {
        }
    }

    @Test
    public void shouldLogInAsWritableAnonymousUserIfNoProviderAuthenticatesCredentials() throws Exception {
        startRepositoryWith(createRepositoryConfiguration(REPO_NAME, "modeshape-jcr", "readwrite"), REPO_NAME);
        this.session = this.repository.login(new SimpleCredentials("readwrite", "wrongpassword".toCharArray()));
        Assert.assertThat(Boolean.valueOf(this.session.isAnonymous()), Is.is(true));
        this.session.getRootNode().getPath();
        this.session.getRootNode().getDefinition();
        this.session.getRootNode().addNode("someNewNode");
    }

    @Test
    public void shouldAllowLoginWithNoCredentialsInPrivilegedBlock() throws Exception {
        startRepositoryWith(createRepositoryConfiguration(REPO_NAME, "modeshape-jcr", "readwrite"), REPO_NAME);
        this.session = this.repository.login(new SimpleCredentials("readwrite", "readwrite".toCharArray()));
        LoginContext loginContext = new LoginContext("modeshape-jcr", new JaasSecurityContext.UserPasswordCallbackHandler("superuser", "superuser".toCharArray()));
        loginContext.login();
        Session session = (Session) Subject.doAsPrivileged(loginContext.getSubject(), new PrivilegedExceptionAction<Session>() { // from class: org.modeshape.jcr.AuthenticationAndAuthorizationTest.1
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public Session run() throws Exception {
                return AuthenticationAndAuthorizationTest.this.repository.login();
            }
        }, AccessController.getContext());
        Assert.assertThat(session, Is.is(IsNull.notNullValue()));
        Assert.assertThat(session.getUserID(), Is.is("superuser"));
        loginContext.logout();
    }

    @Test(expected = LoginException.class)
    public void shouldNotAllowLoginIfCredentialsDoNotProvideJaasMethod() throws Exception {
        startRepositoryWith(createRepositoryConfiguration(REPO_NAME, "modeshape-jcr", new String[0]), REPO_NAME);
        this.repository.login(new Credentials() { // from class: org.modeshape.jcr.AuthenticationAndAuthorizationTest.2
            private static final long serialVersionUID = 1;
        });
    }

    @Test(expected = LoginException.class)
    public void shouldNotAllowLoginIfCredentialsReturnNullAccessControlContext() throws Exception {
        startRepositoryWith(createRepositoryConfiguration(REPO_NAME, "modeshape-jcr", new String[0]), REPO_NAME);
        this.repository.login(new Credentials() { // from class: org.modeshape.jcr.AuthenticationAndAuthorizationTest.3
            private static final long serialVersionUID = 1;

            public AccessControlContext getAccessControlContext() {
                return null;
            }
        });
    }

    @Test(expected = LoginException.class)
    public void shouldNotAllowLoginIfCredentialsReturnNullLoginContext() throws Exception {
        startRepositoryWith(createRepositoryConfiguration(REPO_NAME, "modeshape-jcr", new String[0]), REPO_NAME);
        this.repository.login(new Credentials() { // from class: org.modeshape.jcr.AuthenticationAndAuthorizationTest.4
            private static final long serialVersionUID = 1;

            public LoginContext getLoginContext() {
                return null;
            }
        });
    }

    @Test
    @FixFor({"MODE-1938"})
    @SkipLongRunning
    public void shouldNotLeakUninitializedWorkspaceCaches() throws Exception {
        for (int i = 0; i < 200; i++) {
            beforeEach();
            shouldLogInAsAnonymousUserIfNoProviderAuthenticatesCredentials();
            afterEach();
        }
    }

    @Test
    @FixFor({"MODE-2225"})
    public void shouldInvokeAuthorizationProviderWhenIteratingNodes() throws Exception {
        this.repository = TestingUtil.startRepositoryWithConfig("config/custom-authentication-provider-config-1.json");
        assertPermissionsCheckedWhenIteratingChildren();
    }

    @Test
    @FixFor({"MODE-2225"})
    public void shouldInvokeAdvancedAuthorizationProviderWhenIteratingNodes() throws Exception {
        this.repository = TestingUtil.startRepositoryWithConfig("config/custom-authentication-provider-config-2.json");
        assertPermissionsCheckedWhenIteratingChildren();
    }

    private void assertPermissionsCheckedWhenIteratingChildren() throws RepositoryException {
        this.session = this.repository.login();
        NodeIterator nodes = this.session.getNode("/testRoot").getNodes();
        while (nodes.hasNext()) {
            nodes.nextNode();
        }
        Map<String, String> actionsByNodePath = ((TestSecurityProvider) this.session.context().getSecurityContext()).getActionsByNodePath();
        Assert.assertTrue("READ permission not checked for node", actionsByNodePath.containsKey("/testRoot"));
        Assert.assertTrue("READ permission not checked for node", actionsByNodePath.containsKey("/testRoot/node3"));
        Assert.assertTrue("READ permission not checked for node", actionsByNodePath.containsKey("/testRoot/node2"));
        Assert.assertTrue("READ permission not checked for node", actionsByNodePath.containsKey("/testRoot/node1"));
    }
}
