package org.geoserver.security.impl;

import org.geoserver.catalog.LayerGroupInfo;
import org.geoserver.catalog.LayerInfo;
import org.geoserver.catalog.ResourceInfo;
import org.geoserver.catalog.WorkspaceInfo;
import org.geoserver.security.AccessMode;
import org.geoserver.security.CatalogMode;
import org.geoserver.security.DataAccessLimits;
import org.geoserver.security.ResourceAccessManager;
import org.geoserver.security.VectorAccessLimits;
import org.geoserver.security.WorkspaceAccessLimits;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.opengis.filter.Filter;
import org.springframework.security.core.Authentication;

/* loaded from: input_file:org/geoserver/security/impl/DefaultResourceAccessManagerAuthTest.class */
public class DefaultResourceAccessManagerAuthTest extends AbstractAuthorizationTest {
    @Before
    public void setupCatalog() {
        populateCatalog();
    }

    @Test
    public void testWideOpen() throws Exception {
        checkUserAccessFlat(buildAccessManager("wideOpen.properties"), this.anonymous, true, true);
    }

    @Test
    public void testLockedDown() throws Exception {
        DefaultResourceAccessManager buildAccessManager = buildAccessManager("lockedDown.properties");
        checkUserAccessFlat(buildAccessManager, this.anonymous, false, false);
        checkUserAccessFlat(buildAccessManager, this.roUser, false, false);
        checkUserAccessFlat(buildAccessManager, this.rwUser, true, true);
        checkUserAccessFlat(buildAccessManager, this.root, true, true);
    }

    @Test
    public void testPublicRead() throws Exception {
        DefaultResourceAccessManager buildAccessManager = buildAccessManager("publicRead.properties");
        checkUserAccessFlat(buildAccessManager, this.anonymous, true, false);
        checkUserAccessFlat(buildAccessManager, this.roUser, true, false);
        checkUserAccessFlat(buildAccessManager, this.rwUser, true, true);
        checkUserAccessFlat(buildAccessManager, this.root, true, true);
    }

    private void checkUserAccessFlat(ResourceAccessManager resourceAccessManager, Authentication authentication, boolean z, boolean z2) {
        Assert.assertEquals(Boolean.valueOf(z), Boolean.valueOf(canAccess(resourceAccessManager, authentication, this.statesLayer, AccessMode.READ)));
        Assert.assertEquals(Boolean.valueOf(z2), Boolean.valueOf(canAccess(resourceAccessManager, authentication, this.statesLayer, AccessMode.WRITE)));
        ResourceInfo resource = this.statesLayer.getResource();
        Assert.assertEquals(Boolean.valueOf(z), Boolean.valueOf(canAccess(resourceAccessManager, authentication, resource, AccessMode.READ)));
        Assert.assertEquals(Boolean.valueOf(z2), Boolean.valueOf(canAccess(resourceAccessManager, authentication, resource, AccessMode.WRITE)));
        Assert.assertEquals(Boolean.valueOf(z), Boolean.valueOf(canAccess(resourceAccessManager, authentication, this.toppWs, AccessMode.READ)));
        Assert.assertEquals(Boolean.valueOf(z2), Boolean.valueOf(canAccess(resourceAccessManager, authentication, this.toppWs, AccessMode.WRITE)));
    }

    @Test
    public void testComplex() throws Exception {
        DefaultResourceAccessManager buildAccessManager = buildAccessManager("complex.properties");
        Assert.assertFalse(canAccess((ResourceAccessManager) buildAccessManager, this.anonymous, this.nurcWs, AccessMode.READ));
        Assert.assertFalse(canAccess((ResourceAccessManager) buildAccessManager, this.anonymous, this.nurcWs, AccessMode.WRITE));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.nurcWs, AccessMode.READ));
        Assert.assertFalse(canAccess((ResourceAccessManager) buildAccessManager, this.rwUser, this.nurcWs, AccessMode.WRITE));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, (Authentication) this.root, this.nurcWs, AccessMode.WRITE));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.anonymous, this.toppWs, AccessMode.READ));
        Assert.assertFalse(canAccess((ResourceAccessManager) buildAccessManager, this.anonymous, this.toppWs, AccessMode.WRITE));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.toppWs, AccessMode.READ));
        Assert.assertFalse(canAccess((ResourceAccessManager) buildAccessManager, this.rwUser, this.toppWs, AccessMode.WRITE));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.anonymous, this.roadsLayer, AccessMode.READ));
        Assert.assertFalse(canAccess((ResourceAccessManager) buildAccessManager, this.anonymous, this.roadsLayer, AccessMode.WRITE));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.roadsLayer, AccessMode.READ));
        Assert.assertFalse(canAccess((ResourceAccessManager) buildAccessManager, this.rwUser, this.roadsLayer, AccessMode.WRITE));
        Assert.assertFalse(canAccess((ResourceAccessManager) buildAccessManager, this.anonymous, this.statesLayer, AccessMode.READ));
        Assert.assertFalse(canAccess((ResourceAccessManager) buildAccessManager, this.anonymous, this.statesLayer, AccessMode.WRITE));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.statesLayer, AccessMode.READ));
        Assert.assertFalse(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.statesLayer, AccessMode.WRITE));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.rwUser, this.statesLayer, AccessMode.WRITE));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.rwUser, this.statesLayer, AccessMode.WRITE));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.anonymous, this.landmarksLayer, AccessMode.READ));
        Assert.assertFalse(canAccess((ResourceAccessManager) buildAccessManager, this.anonymous, this.landmarksLayer, AccessMode.WRITE));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.landmarksLayer, AccessMode.READ));
        Assert.assertFalse(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.landmarksLayer, AccessMode.WRITE));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.rwUser, this.landmarksLayer, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.rwUser, this.statesLayer, AccessMode.WRITE));
        Assert.assertFalse(canAccess((ResourceAccessManager) buildAccessManager, this.anonymous, this.basesLayer, AccessMode.READ));
        Assert.assertFalse(canAccess((ResourceAccessManager) buildAccessManager, this.anonymous, this.basesLayer, AccessMode.WRITE));
        Assert.assertFalse(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.basesLayer, AccessMode.READ));
        Assert.assertFalse(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.basesLayer, AccessMode.WRITE));
        Assert.assertFalse(canAccess((ResourceAccessManager) buildAccessManager, this.rwUser, this.basesLayer, AccessMode.READ));
        Assert.assertFalse(canAccess((ResourceAccessManager) buildAccessManager, this.rwUser, this.basesLayer, AccessMode.WRITE));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.milUser, this.basesLayer, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.milUser, this.basesLayer, AccessMode.WRITE));
        Assert.assertFalse(canAccess((ResourceAccessManager) buildAccessManager, this.anonymous, this.arcGridLayer, AccessMode.READ));
        Assert.assertFalse(canAccess((ResourceAccessManager) buildAccessManager, this.anonymous, this.arcGridLayer, AccessMode.WRITE));
        Assert.assertFalse(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.arcGridLayer, AccessMode.READ));
        Assert.assertFalse(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.arcGridLayer, AccessMode.WRITE));
        Assert.assertFalse(canAccess((ResourceAccessManager) buildAccessManager, this.rwUser, this.arcGridLayer, AccessMode.READ));
        Assert.assertFalse(canAccess((ResourceAccessManager) buildAccessManager, this.rwUser, this.arcGridLayer, AccessMode.WRITE));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.milUser, this.arcGridLayer, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.milUser, this.arcGridLayer, AccessMode.WRITE));
    }

    @Test
    public void testDefaultMode() throws Exception {
        Assert.assertEquals(CatalogMode.HIDE, buildAccessManager("lockedDown.properties").getMode());
    }

    @Test
    public void testHideMode() throws Exception {
        Assert.assertEquals(CatalogMode.HIDE, buildAccessManager("lockedDownHide.properties").getMode());
    }

    @Test
    public void testChallengeMode() throws Exception {
        Assert.assertEquals(CatalogMode.CHALLENGE, buildAccessManager("lockedDownChallenge.properties").getMode());
    }

    @Test
    public void testMixedMode() throws Exception {
        Assert.assertEquals(CatalogMode.MIXED, buildAccessManager("lockedDownMixed.properties").getMode());
    }

    @Test
    public void testUnknownMode() throws Exception {
        Assert.assertEquals(CatalogMode.HIDE, buildAccessManager("lockedDownUnknown.properties").getMode());
    }

    @Test
    public void testOverride() throws Exception {
        DefaultResourceAccessManager buildAccessManager = buildAccessManager("override-ws.properties");
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.statesLayer, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.toppWs, AccessMode.READ));
        Assert.assertFalse(canAccess((ResourceAccessManager) buildAccessManager, this.milUser, this.statesLayer, AccessMode.READ));
        Assert.assertFalse(canAccess((ResourceAccessManager) buildAccessManager, this.milUser, this.toppWs, AccessMode.READ));
    }

    @Test
    public void testWmsNamedTreeAMilitaryOnly() throws Exception {
        setupRequestThreadLocal("WMS");
        DefaultResourceAccessManager buildAccessManager = buildAccessManager("namedTreeAMilitaryOnly.properties");
        Assert.assertFalse(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.namedTreeA, AccessMode.READ));
        Assert.assertFalse(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.statesLayer, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.roadsLayer, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.containerTreeB, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.nestedContainerE, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.forestsLayer, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.singleGroupC, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.milUser, this.namedTreeA, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.milUser, this.statesLayer, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.milUser, this.roadsLayer, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.milUser, this.containerTreeB, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.milUser, this.nestedContainerE, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.milUser, this.forestsLayer, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.milUser, this.singleGroupC, AccessMode.READ));
    }

    @Test
    public void testContainerGroupBMilitaryOnly() throws Exception {
        setupRequestThreadLocal("WMS");
        DefaultResourceAccessManager buildAccessManager = buildAccessManager("containerTreeGroupBMilitaryOnly.properties");
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.namedTreeA, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.statesLayer, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.roadsLayer, AccessMode.READ));
        Assert.assertFalse(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.containerTreeB, AccessMode.READ));
        Assert.assertFalse(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.landmarksLayer, AccessMode.READ));
        Assert.assertFalse(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.nestedContainerE, AccessMode.READ));
        Assert.assertFalse(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.forestsLayer, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.singleGroupC, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.milUser, this.namedTreeA, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.milUser, this.statesLayer, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.milUser, this.roadsLayer, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.milUser, this.containerTreeB, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.milUser, this.nestedContainerE, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.milUser, this.forestsLayer, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.milUser, this.singleGroupC, AccessMode.READ));
    }

    @Test
    public void testWmsbothGroupABMilitaryOnly() throws Exception {
        setupRequestThreadLocal("WMS");
        DefaultResourceAccessManager buildAccessManager = buildAccessManager("bothGroupABMilitaryOnly.properties");
        Assert.assertFalse(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.namedTreeA, AccessMode.READ));
        Assert.assertFalse(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.statesLayer, AccessMode.READ));
        Assert.assertFalse(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.roadsLayer, AccessMode.READ));
        Assert.assertFalse(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.containerTreeB, AccessMode.READ));
        Assert.assertFalse(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.landmarksLayer, AccessMode.READ));
        Assert.assertFalse(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.nestedContainerE, AccessMode.READ));
        Assert.assertFalse(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.forestsLayer, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.singleGroupC, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.milUser, this.namedTreeA, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.milUser, this.statesLayer, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.milUser, this.roadsLayer, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.milUser, this.landmarksLayer, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.milUser, this.containerTreeB, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.milUser, this.nestedContainerE, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.milUser, this.forestsLayer, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.milUser, this.singleGroupC, AccessMode.READ));
    }

    @Test
    public void testSingleGroupCMilitaryOnly() throws Exception {
        setupRequestThreadLocal("WMS");
        DefaultResourceAccessManager buildAccessManager = buildAccessManager("singleGroupCMilitaryOnly.properties");
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.namedTreeA, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.statesLayer, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.roadsLayer, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.containerTreeB, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.landmarksLayer, AccessMode.READ));
        Assert.assertFalse(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.singleGroupC, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.basesLayer, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.milUser, this.namedTreeA, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.milUser, this.statesLayer, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.milUser, this.roadsLayer, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.milUser, this.containerTreeB, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.milUser, this.singleGroupC, AccessMode.READ));
    }

    @Test
    public void testWsContainerGroupDMilitaryOnly() throws Exception {
        setupRequestThreadLocal("WMS");
        DefaultResourceAccessManager buildAccessManager = buildAccessManager("wsContainerGroupDMilitaryOnly.properties");
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.namedTreeA, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.statesLayer, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.roadsLayer, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.containerTreeB, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.landmarksLayer, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.singleGroupC, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.basesLayer, AccessMode.READ));
        Assert.assertFalse(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.wsContainerD, AccessMode.READ));
        Assert.assertFalse(canAccess((ResourceAccessManager) buildAccessManager, this.roUser, this.arcGridLayer, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.milUser, this.namedTreeA, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.milUser, this.statesLayer, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.milUser, this.roadsLayer, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.milUser, this.containerTreeB, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.milUser, this.singleGroupC, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.milUser, this.wsContainerD, AccessMode.READ));
        Assert.assertTrue(canAccess((ResourceAccessManager) buildAccessManager, this.milUser, this.arcGridLayer, AccessMode.READ));
    }

    private boolean canAccess(ResourceAccessManager resourceAccessManager, Authentication authentication, LayerInfo layerInfo, AccessMode accessMode) {
        return canAccess(accessMode, resourceAccessManager.getAccessLimits(authentication, layerInfo));
    }

    private boolean canAccess(ResourceAccessManager resourceAccessManager, Authentication authentication, LayerGroupInfo layerGroupInfo, AccessMode accessMode) {
        return resourceAccessManager.getAccessLimits(authentication, layerGroupInfo) == null;
    }

    private boolean canAccess(AccessMode accessMode, DataAccessLimits dataAccessLimits) {
        if (dataAccessLimits == null) {
            return true;
        }
        if (accessMode == AccessMode.READ) {
            return dataAccessLimits.getReadFilter() != Filter.EXCLUDE;
        }
        if (accessMode == AccessMode.WRITE) {
            return (dataAccessLimits instanceof VectorAccessLimits) && ((VectorAccessLimits) dataAccessLimits).getWriteFilter() != Filter.EXCLUDE;
        }
        throw new RuntimeException("Unknown access mode " + accessMode);
    }

    private boolean canAccess(ResourceAccessManager resourceAccessManager, Authentication authentication, ResourceInfo resourceInfo, AccessMode accessMode) {
        return canAccess(accessMode, resourceAccessManager.getAccessLimits(authentication, resourceInfo));
    }

    private boolean canAccess(ResourceAccessManager resourceAccessManager, Authentication authentication, WorkspaceInfo workspaceInfo, AccessMode accessMode) {
        WorkspaceAccessLimits accessLimits = resourceAccessManager.getAccessLimits(authentication, workspaceInfo);
        if (accessLimits == null) {
            return true;
        }
        if (accessMode == AccessMode.READ) {
            return accessLimits.isReadable();
        }
        if (accessMode == AccessMode.WRITE) {
            return accessLimits.isWritable();
        }
        if (accessMode == AccessMode.ADMIN) {
            return accessLimits.isAdminable();
        }
        throw new RuntimeException("Unknown access mode " + accessMode);
    }
}
