package com.adobe.granite.testing.serverside.helper;

import com.adobe.granite.testing.serverside.helper.PrincipalValidator;
import com.google.common.base.Function;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Iterables;
import java.security.AccessControlContext;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.acl.Group;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.jcr.Credentials;
import javax.jcr.Repository;
import javax.jcr.RepositoryException;
import javax.jcr.Session;
import javax.security.auth.Subject;
import org.apache.commons.lang.StringUtils;
import org.apache.jackrabbit.api.JackrabbitSession;
import org.apache.jackrabbit.api.security.JackrabbitAccessControlManager;
import org.apache.jackrabbit.api.security.principal.PrincipalIterator;
import org.apache.jackrabbit.api.security.principal.PrincipalManager;
import org.apache.jackrabbit.commons.jackrabbit.authorization.AccessControlUtils;
import org.apache.jackrabbit.oak.spi.security.authorization.permission.Permissions;
import org.apache.jackrabbit.oak.spi.security.principal.AdminPrincipal;
import org.apache.jackrabbit.oak.spi.security.principal.SystemUserPrincipal;

/* loaded from: input_file:com/adobe/granite/testing/serverside/helper/PrincipalValidatorImpl.class */
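/**
 * Fluent test helper that asserts which privileges, permissions and group
 * memberships a set of repository principals has.
 *
 * <p>Checks are queued as {@link PrincipalValidator.ValidationStep}s by the
 * builder methods and only executed by {@link #validate()}. Privilege checks
 * run through the admin session's access control manager; permission checks
 * run in a separate session opened on behalf of the principals (see
 * {@link #getPrincipalSession(JackrabbitSession, Set)}).
 *
 * <p>The class holds an administrative session and opens sessions for
 * arbitrary principals without credentials, so it belongs in test code only.
 * Instances are mutable and carry no synchronization.
 */
public class PrincipalValidatorImpl implements PrincipalValidator {
    /**
     * Bit mask with the low 21 bits set (0x1FFFFF), used as "every permission".
     * NOTE(review): presumably mirrors Oak's aggregate of all permission bits;
     * confirm against the Oak version on the classpath.
     */
    private static final long ALL_PERMISSIONS_MASK = 2097151L;

    private final PrincipalManager principalManager;
    // Replaced wholesale by includeGroups(); never mutated in place.
    private Set<Principal> principals;
    private final Session adminSession;
    private final ArrayList<PrincipalValidator.ValidationStep> validationSteps;

    /**
     * Asserts that the principals do (or do not) hold a permission on a path,
     * evaluated with {@code Session.hasPermission} in a session opened for them.
     */
    public class PermValidationStep implements PrincipalValidator.ValidationStep {
        public static final String ASSERTION_FORMAT = "Principal(s) %s has %s permission on path [%s] for permissions [%s]";
        private final String perm;
        private final String path;
        private final boolean allow;

        /**
         * @param path  repository path to check; must not be blank
         * @param allow {@code true} to require the permission, {@code false} to forbid it
         * @param perm  permission string handed to {@code hasPermission}; must not be blank
         * @throws IllegalArgumentException if {@code path} or {@code perm} is blank
         */
        PermValidationStep(String path, boolean allow, String perm) {
            if (StringUtils.isBlank(path)) {
                throw new IllegalArgumentException("path cannot be blank");
            }
            if (StringUtils.isBlank(perm)) {
                throw new IllegalArgumentException("perm cannot be blank");
            }
            this.path = path;
            this.perm = perm;
            this.allow = allow;
        }

        /**
         * @param path        repository path to check; must not be blank
         * @param allow       {@code true} to require the permission, {@code false} to forbid it
         * @param permissions permission bits, converted with {@code Permissions.getString}
         * @throws IllegalArgumentException if {@code path} is blank
         */
        PermValidationStep(String path, boolean allow, long permissions) {
            if (StringUtils.isBlank(path)) {
                throw new IllegalArgumentException("path cannot be blank");
            }
            this.path = path;
            this.perm = Permissions.getString(permissions);
            this.allow = allow;
        }

        /**
         * Opens a session for the principals, compares the permission result with
         * the expectation and always closes that session again.
         *
         * @throws AssertionError      if the result differs from the expectation
         * @throws RepositoryException if the permission check fails
         */
        @Override
        public void validate() throws RepositoryException {
            JackrabbitSession admin = PrincipalValidatorImpl.this.getAdminSession();
            JackrabbitSession principalSession =
                    PrincipalValidatorImpl.this.getPrincipalSession(admin, PrincipalValidatorImpl.this.principals);
            try {
                if (principalSession.hasPermission(this.path, this.perm) != this.allow) {
                    throw new AssertionError(String.format(
                            ASSERTION_FORMAT,
                            PrincipalValidatorImpl.this.describePrincipals(),
                            !this.allow ? "" : "no",
                            this.path,
                            this.perm));
                }
            } finally {
                // Each step logs in anew; without logout every check would leave an
                // open session carrying the principals' access rights. The admin
                // session is owned by the caller and is never closed here.
                if (principalSession != admin) {
                    principalSession.logout();
                }
            }
        }
    }

    /**
     * Asserts that the principals do (or do not) hold a set of privileges on a
     * path, evaluated through the admin session's access control manager.
     */
    public class PrivValidationStep implements PrincipalValidator.ValidationStep {
        public static final String ASSERTION_FORMAT = "Principal(s) %s has %s privileges on path [%s] for privileges [%s]";
        private final String[] priv;
        private final String path;
        private final boolean allow;

        /**
         * @param priv  privilege names; must not be {@code null}
         * @param path  repository path to check; must not be blank
         * @param allow {@code true} to require the privileges, {@code false} to forbid them
         * @throws IllegalArgumentException if {@code priv} is {@code null} or {@code path} is blank
         */
        PrivValidationStep(String[] priv, String path, boolean allow) {
            if (priv == null) {
                throw new IllegalArgumentException("priv cannot be null");
            }
            if (StringUtils.isBlank(path)) {
                throw new IllegalArgumentException("path cannot be blank");
            }
            // Copy so later changes to the caller's varargs array cannot alter a queued check.
            this.priv = priv.clone();
            this.path = path;
            this.allow = allow;
        }

        /**
         * @throws AssertionError      if the privilege result differs from the expectation
         * @throws RepositoryException if privilege resolution or evaluation fails
         */
        @Override
        public void validate() throws RepositoryException {
            JackrabbitAccessControlManager acm = PrincipalValidatorImpl.this.getAdminSession().getAccessControlManager();
            boolean granted = acm.hasPrivileges(
                    this.path,
                    PrincipalValidatorImpl.this.principals,
                    AccessControlUtils.privilegesFromNames(acm, this.priv));
            if (granted != this.allow) {
                throw new AssertionError(String.format(
                        ASSERTION_FORMAT,
                        PrincipalValidatorImpl.this.describePrincipals(),
                        !this.allow ? "" : "no",
                        this.path,
                        Arrays.toString(this.priv)));
            }
        }
    }

    /**
     * Creates a validator with no principals and no queued checks.
     *
     * @param session administrative session; must be a {@link JackrabbitSession}
     * @throws IllegalArgumentException if {@code session} is {@code null} or not a JackrabbitSession
     * @throws RepositoryException      if the principal manager cannot be obtained
     */
    public PrincipalValidatorImpl(Session session) throws RepositoryException {
        this.validationSteps = new ArrayList<>();
        this.adminSession = session;
        this.principalManager = getAdminSession().getPrincipalManager();
        this.principals = Collections.emptySet();
    }

    /** Copy constructor used by {@link #forPrincipals}; principals and steps are copied, not shared. */
    private PrincipalValidatorImpl(Session session, PrincipalManager principalManager, Set<Principal> set, List<PrincipalValidator.ValidationStep> list) {
        this.adminSession = session;
        this.principalManager = principalManager;
        this.principals = new HashSet<>(set);
        this.validationSteps = new ArrayList<>(list);
    }

    /** Queues a check that the principals hold all given privileges on {@code path}. */
    @Override
    public PrincipalValidator hasPrivilege(@Nonnull String path, @Nonnull String... privileges) {
        this.validationSteps.add(new PrivValidationStep(privileges, path, true));
        return this;
    }

    /** Queues a check that {@code hasPrivileges} is false for the given privileges on {@code path}. */
    @Override
    public PrincipalValidator hasNotPrivilege(@Nonnull String path, @Nonnull String... privileges) {
        this.validationSteps.add(new PrivValidationStep(privileges, path, false));
        return this;
    }

    /** Queues a check that the principals hold the named permission on {@code path}. */
    @Override
    public PrincipalValidator hasPermission(@Nonnull String path, @Nonnull String permission) {
        this.validationSteps.add(new PermValidationStep(path, true, permission));
        return this;
    }

    /** Queues a check that the principals hold the given permission bits on {@code path}. */
    @Override
    public PrincipalValidator hasPermission(@Nonnull String path, long permissions) {
        this.validationSteps.add(new PermValidationStep(path, true, permissions));
        return this;
    }

    /** Queues a check that {@code hasPermission} is false for the named permission on {@code path}. */
    @Override
    public PrincipalValidator hasNotPermission(@Nonnull String path, @Nonnull String permission) {
        this.validationSteps.add(new PermValidationStep(path, false, permission));
        return this;
    }

    /** Queues a check that {@code hasPermission} is false for the given permission bits on {@code path}. */
    @Override
    public PrincipalValidator hasNotPermission(@Nonnull String path, long permissions) {
        this.validationSteps.add(new PermValidationStep(path, false, permissions));
        return this;
    }

    /** Queues one negative check per entry of {@code Permissions.PERMISSION_NAMES}. */
    @Override
    public PrincipalValidator hasNoPermission(@Nonnull String path) {
        for (String permissionName : Permissions.PERMISSION_NAMES.values()) {
            this.validationSteps.add(new PermValidationStep(path, false, permissionName));
        }
        return this;
    }

    /** Queues one positive check per element of {@code permissions}. */
    @Override
    public PrincipalValidator hasAllPermissions(@Nonnull String path, @Nonnull long... permissions) {
        for (long permission : permissions) {
            hasPermission(path, permission);
        }
        return this;
    }

    /**
     * Queues positive checks for {@code permissions} and a negative check for the
     * remaining bits of the all-permissions mask.
     *
     * <p>NOTE(review): the remaining bits are passed on as one combined value, so
     * they become a single step. If {@code Session.hasPermission} only returns
     * true when every listed action is granted, that step fails only when the
     * principals hold all remaining permissions, and a single unexpected extra
     * permission would go unnoticed. Confirm, and consider one step per bit.
     */
    @Override
    public PrincipalValidator hasOnlyPermissions(@Nonnull String path, @Nonnull long... permissions) {
        hasAllPermissions(path, permissions);
        hasNoneOfPermissions(path, allPermissionsExcept(permissions));
        return this;
    }

    /** Queues one negative check per element of {@code permissions}. */
    @Override
    public PrincipalValidator hasNoneOfPermissions(@Nonnull String path, @Nonnull long... permissions) {
        for (long permission : permissions) {
            hasNotPermission(path, permission);
        }
        return this;
    }

    /**
     * Returns a new validator bound to the named principals, carrying a copy of
     * the checks queued so far.
     *
     * @throws AssertionError if the principal manager does not know one of the names
     */
    @Override
    public PrincipalValidatorImpl forPrincipals(@Nonnull String first, @Nonnull String... others) {
        Set<String> names = new HashSet<>();
        names.add(first);
        Collections.addAll(names, others);

        Set<Principal> resolved = new HashSet<>();
        for (String name : names) {
            Principal principal = this.principalManager.hasPrincipal(name)
                    ? this.principalManager.getPrincipal(name)
                    : null;
            if (principal == null) {
                throw new AssertionError("Unknown principal: " + name);
            }
            resolved.add(principal);
        }
        return new PrincipalValidatorImpl(this.adminSession, this.principalManager, resolved, this.validationSteps);
    }

    /** Like {@link #forPrincipals} for one name, plus a check that it is an {@link AdminPrincipal}. */
    @Override
    public PrincipalValidator forAdminUser(@Nonnull String name) {
        final PrincipalValidatorImpl validator = forPrincipals(name, new String[0]);
        validator.validationSteps.add(new PrincipalValidator.ValidationStep() {
            @Override
            public void validate() throws RepositoryException {
                Principal principal = validator.principals.iterator().next();
                if (!(principal instanceof AdminPrincipal)) {
                    throw new AssertionError("The principal " + principal.getName() + " is not an admin");
                }
            }
        });
        return validator;
    }

    /** Like {@link #forPrincipals} for one name, plus a check that it is a {@link SystemUserPrincipal}. */
    @Override
    public PrincipalValidator forSystemUser(@Nonnull String name) {
        final PrincipalValidatorImpl validator = forPrincipals(name, new String[0]);
        validator.validationSteps.add(new PrincipalValidator.ValidationStep() {
            @Override
            public void validate() throws RepositoryException {
                Principal principal = validator.principals.iterator().next();
                if (!(principal instanceof SystemUserPrincipal)) {
                    throw new AssertionError("The principal " + principal.getName() + " is not a system user");
                }
            }
        });
        return validator;
    }

    /** Like {@link #forPrincipals} for one name, plus a check that it is a group principal. */
    @Override
    public PrincipalValidator forGroup(@Nonnull String name) {
        final PrincipalValidatorImpl validator = forPrincipals(name, new String[0]);
        // The step must be queued on the returned validator. Queuing it on this
        // instance would leave the returned validator without the group check,
        // because its step list was copied before the step existed.
        validator.validationSteps.add(new PrincipalValidator.ValidationStep() {
            @Override
            public void validate() throws RepositoryException {
                Principal principal = validator.principals.iterator().next();
                if (!validator.isGroup(principal)) {
                    throw new AssertionError("The principal " + principal.getName() + " is not a group");
                }
            }
        });
        return validator;
    }

    /** Replaces the principal set with itself plus every group reported by the principal manager. */
    @Override
    public PrincipalValidator includeGroups() {
        this.principals = ImmutableSet.copyOf(resolveGroups());
        return this;
    }

    /**
     * Runs the queued checks in insertion order and stops at the first failure.
     *
     * @throws AssertionError      if a check does not hold
     * @throws RepositoryException if a check cannot be evaluated
     */
    @Override
    public void validate() throws RepositoryException {
        for (PrincipalValidator.ValidationStep step : this.validationSteps) {
            step.validate();
        }
    }

    /**
     * Queues one membership check per group name. Names are resolved immediately;
     * membership is evaluated when {@link #validate()} runs.
     *
     * @throws IllegalArgumentException if a name does not resolve to a group principal
     */
    @Override
    public PrincipalValidator inGroups(@Nonnull String... groupNames) {
        for (String groupName : groupNames) {
            final Principal group = this.principalManager.getPrincipal(groupName);
            if (group == null || !isGroup(group)) {
                throw new IllegalArgumentException(groupName + " is not a valid group");
            }
            this.validationSteps.add(new PrincipalValidator.ValidationStep() {
                @Override
                public void validate() throws RepositoryException {
                    if (!PrincipalValidatorImpl.this.resolveGroups().contains(group)) {
                        throw new AssertionError(PrincipalValidatorImpl.this.principals + " is not member of the group " + group);
                    }
                }
            });
        }
        return this;
    }

    /**
     * Tells whether the principal implements {@code java.security.acl.Group}.
     * NOTE(review): that interface is deprecated and absent from recent JDKs;
     * confirm the runtime still provides it.
     */
    public boolean isGroup(Principal principal) {
        return principal instanceof Group;
    }

    /** Returns the current principals followed by the groups the principal manager reports for each. */
    public LinkedHashSet<Principal> resolveGroups() {
        LinkedHashSet<Principal> withGroups = new LinkedHashSet<>(this.principals);
        for (Principal principal : this.principals) {
            PrincipalIterator memberships = this.principalManager.getGroupMembership(principal);
            while (memberships.hasNext()) {
                withGroups.add(memberships.nextPrincipal());
            }
        }
        return withGroups;
    }

    /** Returns the principal names joined by commas; an empty string when there are no principals. */
    public String describePrincipals() {
        StringBuilder names = new StringBuilder();
        boolean first = true;
        for (Principal principal : this.principals) {
            if (!first) {
                names.append(',');
            }
            names.append(principal.getName());
            first = false;
        }
        return names.toString();
    }

    /**
     * Returns the admin session as a {@link JackrabbitSession}.
     *
     * @throws IllegalArgumentException if the session is {@code null} or of another type
     */
    public JackrabbitSession getAdminSession() {
        return getJackRabbitSession(this.adminSession);
    }

    /** Casts the session to {@link JackrabbitSession}, rejecting {@code null} and other session types. */
    private JackrabbitSession getJackRabbitSession(Session session) {
        if (session == null) {
            throw new IllegalArgumentException("Session is null");
        }
        if (!(session instanceof JackrabbitSession)) {
            throw new IllegalArgumentException("Session is not a JackrabbitSession");
        }
        return (JackrabbitSession) session;
    }

    /**
     * Opens a new session on the admin session's repository on behalf of the
     * given principals.
     *
     * <p>A read-only {@link Subject} holding only the principals (no credentials)
     * is installed with {@code Subject.doAsPrivileged} and the repository is then
     * asked to log in with {@code null} credentials and workspace name.
     * NOTE(review): this presumably relies on the repository accepting a
     * pre-populated Subject as already authenticated; confirm that this login
     * path is not reachable outside test deployments.
     *
     * <p>The caller owns the returned session and must log it out.
     *
     * @throws IllegalArgumentException if the login fails (original failure attached
     *         as cause) or yields something other than a JackrabbitSession
     */
    public JackrabbitSession getPrincipalSession(JackrabbitSession jackrabbitSession, Set<Principal> set) {
        final Repository repository = jackrabbitSession.getRepository();
        Subject subject = new Subject(true, set, Collections.emptySet(), Collections.emptySet());
        Session opened = Subject.doAsPrivileged(subject, new PrivilegedAction<Session>() {
            @Override
            public Session run() {
                try {
                    return repository.login((Credentials) null, (String) null);
                } catch (Exception e) {
                    // Same exception type as the null-session path, but with the real
                    // reason attached so a failed login can be diagnosed.
                    throw new IllegalArgumentException("Session is null: repository login for the principal subject failed", e);
                }
            }
        }, (AccessControlContext) null);
        return getJackRabbitSession(opened);
    }

    /**
     * Returns the all-permissions mask with the given bits cleared.
     *
     * <p>Bits are cleared with AND-NOT instead of subtraction, so duplicated or
     * overlapping arguments and bits outside the mask cannot corrupt the result.
     */
    private long allPermissionsExcept(long... excluded) {
        long remaining = ALL_PERMISSIONS_MASK;
        for (long bits : excluded) {
            remaining &= ~bits;
        }
        return remaining;
    }
}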
