package org.geoserver.security.validation;

import java.io.IOException;
import java.util.Arrays;
import java.util.TreeSet;
import org.easymock.classextension.EasyMock;
import org.geoserver.data.test.MockCreator;
import org.geoserver.data.test.MockTestData;
import org.geoserver.security.GeoServerRoleStore;
import org.geoserver.security.GeoServerSecurityManager;
import org.geoserver.security.GeoServerUserGroupService;
import org.geoserver.security.GeoServerUserGroupStore;
import org.geoserver.security.impl.DataAccessRule;
import org.geoserver.security.impl.DataAccessRuleDAO;
import org.geoserver.security.impl.GeoServerRole;
import org.geoserver.security.impl.ServiceAccessRuleDAO;
import org.geoserver.test.GeoServerMockTestSupport;
import org.junit.Assert;
import org.junit.Test;

/* loaded from: input_file:org/geoserver/security/validation/RoleStoreValidationWrapperTest.class */
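/**
 * Tests that {@link RoleStoreValidationWrapper} rejects invalid role-store operations.
 *
 * <p>Each test installs a mocked {@link GeoServerSecurityManager}, wraps the role store named
 * {@code "test"} and checks that an invalid operation fails with an {@link IOException} whose
 * cause is an {@link AbstractSecurityException} carrying the expected id and arguments. The
 * covered rules are the ones that protect the role model: names must be present, unique and not
 * reserved, referenced users and groups must exist, and roles that are still referenced or act as
 * administrator roles must not be removable.
 */
public class RoleStoreValidationWrapperTest extends GeoServerMockTestSupport {

    /**
     * Asserts that an {@link IOException} wraps a security validation failure.
     *
     * <p>Only the first {@code expectedArgs.length} arguments of the exception are compared;
     * additional arguments on the exception are not checked.
     *
     * @param ex the exception thrown by the wrapper
     * @param expectedId the expected validation error id
     * @param expectedArgs the expected leading message arguments, compared position by position
     */
    protected void assertSecurityException(IOException ex, String expectedId, Object... expectedArgs) {
        Assert.assertTrue(ex.getCause() instanceof AbstractSecurityException);
        // getCause() is declared as Throwable, so the cast is required after the instanceof check.
        AbstractSecurityException cause = (AbstractSecurityException) ex.getCause();
        Assert.assertEquals(expectedId, cause.getId());
        for (int i = 0; i < expectedArgs.length; i++) {
            Assert.assertEquals(expectedArgs[i], cause.getArgs()[i]);
        }
    }

    /**
     * Checks name validation on add/update and the required-name checks on the association and
     * lookup methods, using a wrapper that has no user/group services attached.
     */
    @Test
    public void testRoleStoreWrapper() throws Exception {
        setMockCreator(new MockCreator() {
            public GeoServerSecurityManager createSecurityManager(MockTestData mockTestData) throws Exception {
                GeoServerSecurityManager secMgr = (GeoServerSecurityManager) EasyMock.createMock(GeoServerSecurityManager.class);
                GeoServerRoleStore roleStore1 = createRoleStore("test", secMgr, new String[]{"role1", "parent1"});
                addRolesToCreate(roleStore1, new String[]{"", "duplicated", "xxx"});
                // A second role service that already owns "duplicated", for the cross-service check.
                GeoServerRoleStore roleStore2 = createRoleStore("test1", secMgr, new String[]{"duplicated"});
                org.easymock.EasyMock.expect(secMgr.listRoleServices()).andReturn(new TreeSet(Arrays.asList("test", "test1"))).anyTimes();
                EasyMock.replay(roleStore1, roleStore2, secMgr);
                return secMgr;
            }
        });
        GeoServerSecurityManager secMgr = getSecurityManager();
        RoleStoreValidationWrapper store = new RoleStoreValidationWrapper(secMgr.loadRoleService("test"), new GeoServerUserGroupService[0]);

        try {
            store.addRole(store.createRoleObject(""));
            Assert.fail("empty role name should throw exception");
        } catch (IOException expected) {
            assertSecurityException(expected, "NAME_REQUIRED");
        }
        // NOTE(review): identical to the block above; presumably one of the two was meant to
        // cover a different input (for example a null name) - confirm against the wrapper.
        try {
            store.addRole(store.createRoleObject(""));
            Assert.fail("empty role name should throw exception");
        } catch (IOException expected) {
            assertSecurityException(expected, "NAME_REQUIRED");
        }

        GeoServerRole role1 = store.getRoleByName("role1");
        try {
            store.addRole(role1);
            Assert.fail("already existing role name should throw exception");
        } catch (IOException expected) {
            assertSecurityException(expected, "ALREADY_EXISTS", "role1");
        }

        // None of the built-in system roles may be created in a role store.
        for (GeoServerRole systemRole : GeoServerRole.SystemRoles) {
            try {
                store.addRole(store.createRoleObject(systemRole.getAuthority()));
                Assert.fail("reserved role name should throw exception");
            } catch (IOException expected) {
                assertSecurityException(expected, "RESERVED_NAME", systemRole.getAuthority());
            }
        }

        // The second wrapper is only needed for the service name reported in the error arguments.
        RoleStoreValidationWrapper otherStore = new RoleStoreValidationWrapper(secMgr.loadRoleService("test1"), new GeoServerUserGroupService[0]);
        try {
            store.addRole(store.createRoleObject("duplicated"));
            // The original message said "reserved role name", copied from the block above.
            Assert.fail("role name existing in another role service should throw exception");
        } catch (IOException expected) {
            assertSecurityException(expected, "ALREADY_EXISTS_IN", "duplicated", otherStore.getName());
        }

        try {
            String authority = GeoServerRole.AUTHENTICATED_ROLE.getAuthority();
            store.addRole(store.createRoleObject(authority));
            Assert.fail(authority + " is reserved and should throw exception");
        } catch (IOException expected) {
            assertSecurityException(expected, "RESERVED_NAME", GeoServerRole.AUTHENTICATED_ROLE.getAuthority());
        }

        try {
            store.updateRole(store.createRoleObject("xxx"));
            Assert.fail("update role object that does not exist should throw exception");
        } catch (IOException expected) {
            assertSecurityException(expected, "NOT_FOUND", "xxx");
        }

        // NOTE(review): there is no Assert.fail() in this block, so the test also passes when
        // setParentRole accepts the unknown parent "xxx". Add a fail() once it is confirmed that
        // the wrapper is meant to reject it with the mocks configured above.
        try {
            store.setParentRole(role1, store.createRoleObject("xxx"));
        } catch (IOException expected) {
            assertSecurityException(expected, "NOT_FOUND", "xxx");
        }

        try {
            store.associateRoleToGroup(role1, "");
            Assert.fail("empty group name should throw exception");
        } catch (IOException expected) {
            assertSecurityException(expected, "GROUPNAME_REQUIRED");
        }
        try {
            store.disAssociateRoleFromGroup(role1, "");
            Assert.fail("empty group name should throw exception");
        } catch (IOException expected) {
            assertSecurityException(expected, "GROUPNAME_REQUIRED");
        }
        try {
            store.associateRoleToUser(role1, "");
            Assert.fail("empty user name should throw exception");
        } catch (IOException expected) {
            assertSecurityException(expected, "USERNAME_REQUIRED");
        }
        try {
            store.disAssociateRoleFromUser(role1, "");
            Assert.fail("empty user name should throw exception");
        } catch (IOException expected) {
            assertSecurityException(expected, "USERNAME_REQUIRED");
        }
        try {
            store.getRolesForUser((String) null);
            Assert.fail("null user name should throw exception");
        } catch (IOException expected) {
            assertSecurityException(expected, "USERNAME_REQUIRED");
        }
        try {
            store.getRolesForGroup((String) null);
            Assert.fail("null group name should throw exception");
        } catch (IOException expected) {
            assertSecurityException(expected, "GROUPNAME_REQUIRED");
        }
    }

    /**
     * Checks that a role still referenced by a data access rule cannot be removed, while a role
     * without associated rules can.
     */
    @Test
    public void testRoleServiceWrapperAccessRules() throws Exception {
        setMockCreator(new MockCreator() {
            public GeoServerSecurityManager createSecurityManager(MockTestData mockTestData) throws Exception {
                GeoServerSecurityManager secMgr = (GeoServerSecurityManager) EasyMock.createNiceMock(GeoServerSecurityManager.class);
                GeoServerRoleStore roleStore = createRoleStore("test", secMgr, new String[]{"role1", "parent1"});
                org.easymock.EasyMock.expect(roleStore.removeRole(new GeoServerRole("unused"))).andReturn(true);

                // A single data access rule with key "foo" that references "role1".
                DataAccessRule rule = (DataAccessRule) EasyMock.createNiceMock(DataAccessRule.class);
                org.easymock.EasyMock.expect(rule.compareTo(rule)).andReturn(0).anyTimes();
                org.easymock.EasyMock.expect(rule.getKey()).andReturn("foo").anyTimes();
                org.easymock.EasyMock.expect(rule.getRoles()).andReturn(new TreeSet(Arrays.asList("role1"))).anyTimes();
                EasyMock.replay(rule);

                DataAccessRuleDAO dataRules = (DataAccessRuleDAO) EasyMock.createNiceMock(DataAccessRuleDAO.class);
                org.easymock.EasyMock.expect(dataRules.getRulesAssociatedWithRole("role1")).andReturn(new TreeSet(Arrays.asList(rule))).anyTimes();
                org.easymock.EasyMock.expect(dataRules.getRulesAssociatedWithRole("parent1")).andReturn(new TreeSet()).anyTimes();
                org.easymock.EasyMock.expect(secMgr.getDataAccessRuleDAO()).andReturn(dataRules).anyTimes();

                // No service access rule references any role.
                ServiceAccessRuleDAO serviceRules = (ServiceAccessRuleDAO) EasyMock.createNiceMock(ServiceAccessRuleDAO.class);
                org.easymock.EasyMock.expect(serviceRules.getRulesAssociatedWithRole((String) org.easymock.EasyMock.anyObject())).andReturn(new TreeSet()).anyTimes();
                org.easymock.EasyMock.expect(secMgr.getServiceAccessRuleDAO()).andReturn(serviceRules).anyTimes();

                EasyMock.replay(dataRules, serviceRules, roleStore, secMgr);
                return secMgr;
            }
        });
        // NOTE(review): the boolean argument presumably enables the check against access rules;
        // confirm against the RoleStoreValidationWrapper constructor.
        RoleStoreValidationWrapper store = new RoleStoreValidationWrapper(getSecurityManager().loadRoleService("test"), true, new GeoServerUserGroupService[0]);
        GeoServerRole role1 = store.getRoleByName("role1");

        // "parent1" has no associated rules, so removing it must not throw.
        store.removeRole(store.getRoleByName("parent1"));
        try {
            store.removeRole(role1);
            Assert.fail("used role should throw exception");
        } catch (IOException expected) {
            assertSecurityException(expected, "ROLE_IN_USE", role1.getAuthority(), "foo");
        }
    }

    /**
     * Checks that user and group names are validated against the user/group services passed to
     * the wrapper.
     */
    @Test
    public void testRoleStoreWrapperWithUGServices() throws Exception {
        setMockCreator(new MockCreator() {
            public GeoServerSecurityManager createSecurityManager(MockTestData mockTestData) throws Exception {
                GeoServerSecurityManager secMgr = (GeoServerSecurityManager) EasyMock.createNiceMock(GeoServerSecurityManager.class);
                GeoServerUserGroupStore ugStore1 = createUserGroupStore("test1", secMgr);
                addUsers(ugStore1, new String[]{"user1", "abc"});
                addGroups(ugStore1, new String[]{"group1"});
                GeoServerUserGroupStore ugStore2 = createUserGroupStore("test2", secMgr);
                // NOTE(review): the second batch is registered on ugStore1, not ugStore2, so
                // ugStore2 receives no users or groups here. This looks like a copy/paste slip;
                // confirm before changing it, because the "group2" calls below rely on that name
                // being known to at least one service.
                addUsers(ugStore1, new String[]{"user2", "abc"});
                addGroups(ugStore1, new String[]{"group2"});
                GeoServerRoleStore roleStore = createRoleStore("test", secMgr, new String[]{"role1"});
                org.easymock.EasyMock.expect(roleStore.getGroupNamesForRole(new GeoServerRole("role1"))).andReturn(new TreeSet(Arrays.asList("group1", "group2"))).anyTimes();
                EasyMock.replay(ugStore1, ugStore2, roleStore, secMgr);
                return secMgr;
            }
        });
        GeoServerSecurityManager secMgr = getSecurityManager();
        GeoServerUserGroupService[] ugServices = new GeoServerUserGroupService[]{
            (GeoServerUserGroupStore) secMgr.loadUserGroupService("test1"),
            (GeoServerUserGroupStore) secMgr.loadUserGroupService("test2")
        };
        RoleStoreValidationWrapper store = new RoleStoreValidationWrapper(secMgr.loadRoleService("test"), ugServices);
        GeoServerRole role1 = store.getRoleByName("role1");

        try {
            store.associateRoleToGroup(role1, "group3");
            Assert.fail("unkown group should throw exception");
        } catch (IOException expected) {
            assertSecurityException(expected, "GROUPNAME_NOT_FOUND", "group3");
        }
        try {
            store.associateRoleToUser(role1, "user3");
            Assert.fail("unkown user should throw exception");
        } catch (IOException expected) {
            assertSecurityException(expected, "USERNAME_NOT_FOUND", "user3");
        }
        try {
            store.getRolesForGroup("group3");
            Assert.fail("unkown group should throw exception");
        } catch (IOException expected) {
            assertSecurityException(expected, "GROUPNAME_NOT_FOUND", "group3");
        }
        try {
            store.getRolesForUser("user3");
            Assert.fail("unkown user should throw exception");
        } catch (IOException expected) {
            assertSecurityException(expected, "USERNAME_NOT_FOUND", "user3");
        }

        // Known groups must be accepted without an exception.
        store.disAssociateRoleFromGroup(role1, "group1");
        store.disAssociateRoleFromGroup(role1, "group2");
        try {
            store.disAssociateRoleFromGroup(role1, "group3");
            Assert.fail("unkown group should throw exception");
        } catch (IOException expected) {
            assertSecurityException(expected, "GROUPNAME_NOT_FOUND", "group3");
        }

        // NOTE(review): "user1" is used twice; presumably the second call was meant to use
        // "user2", mirroring the group1/group2 pair above - confirm.
        store.disAssociateRoleFromUser(role1, "user1");
        store.disAssociateRoleFromUser(role1, "user1");
        try {
            store.disAssociateRoleFromUser(role1, "user3");
            Assert.fail("unkown user should throw exception");
        } catch (IOException expected) {
            assertSecurityException(expected, "USERNAME_NOT_FOUND", "user3");
        }
    }

    /**
     * Checks that the roles the store reports as its administrator and group administrator roles
     * cannot be removed.
     */
    @Test
    public void testMappedRoles() throws Exception {
        setMockCreator(new MockCreator() {
            public GeoServerSecurityManager createSecurityManager(MockTestData mockTestData) throws Exception {
                GeoServerSecurityManager secMgr = (GeoServerSecurityManager) EasyMock.createNiceMock(GeoServerSecurityManager.class);
                GeoServerRoleStore roleStore = createRoleStore("test", secMgr, new String[]{"admin", "groupAdmin", "role1"});
                addRolesToCreate(roleStore, new String[]{"admin", "groupAdmin"});
                org.easymock.EasyMock.expect(roleStore.getAdminRole()).andReturn(new GeoServerRole("admin")).anyTimes();
                org.easymock.EasyMock.expect(roleStore.getGroupAdminRole()).andReturn(new GeoServerRole("groupAdmin")).anyTimes();
                EasyMock.replay(roleStore, secMgr);
                return secMgr;
            }
        });
        RoleStoreValidationWrapper store = new RoleStoreValidationWrapper(getSecurityManager().loadRoleService("test"), new GeoServerUserGroupService[0]);

        try {
            store.removeRole(store.createRoleObject("admin"));
            Assert.fail("removing admin role should fail");
        } catch (IOException expected) {
            assertSecurityException(expected, "ADMIN_ROLE_NOT_REMOVABLE", "admin");
        }
        try {
            store.removeRole(store.createRoleObject("groupAdmin"));
            Assert.fail("removing group admin role should fail");
        } catch (IOException expected) {
            assertSecurityException(expected, "GROUP_ADMIN_ROLE_NOT_REMOVABLE", "groupAdmin");
        }
    }
}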
