package eu.ehri.project.api;

import com.google.common.collect.Iterables;
import com.google.common.collect.Lists;
import com.google.common.collect.Sets;
import eu.ehri.project.acl.AclManager;
import eu.ehri.project.acl.ContentTypes;
import eu.ehri.project.acl.GlobalPermissionSet;
import eu.ehri.project.acl.PermissionType;
import eu.ehri.project.exceptions.PermissionDenied;
import eu.ehri.project.models.Group;
import eu.ehri.project.models.PermissionGrant;
import eu.ehri.project.models.Repository;
import eu.ehri.project.models.UserProfile;
import eu.ehri.project.models.base.Accessor;
import eu.ehri.project.models.base.PermissionGrantTarget;
import eu.ehri.project.test.AbstractFixtureTest;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;

/* loaded from: input_file:eu/ehri/project/api/ApiAclTest.class */
public class ApiAclTest extends AbstractFixtureTest {
    @Override // eu.ehri.project.test.AbstractFixtureTest, eu.ehri.project.test.ModelTestBase, eu.ehri.project.test.GraphTestBase
    @Before
    public void setUp() throws Exception {
        super.setUp();
    }

    @Test(expected = PermissionDenied.class)
    public void testSetGlobalPermissionMatrixWithPermissionDenied() throws Exception {
        api((Accessor) this.manager.getEntity("linda", Accessor.class)).acl().setGlobalPermissionMatrix((Group) this.manager.getEntity("kcl", Group.class), GlobalPermissionSet.newBuilder().set(ContentTypes.COUNTRY, new PermissionType[]{PermissionType.PROMOTE}).build());
    }

    @Test
    public void testSetGlobalPermissionMatrix() throws Exception {
        Accessor accessor = (Accessor) this.manager.getEntity("mike", Accessor.class);
        Group group = (Group) this.manager.getEntity("kcl", Group.class);
        Assert.assertFalse(api(accessor).aclManager().hasPermission(ContentTypes.COUNTRY, PermissionType.PROMOTE, group));
        api(accessor).acl().setGlobalPermissionMatrix(group, GlobalPermissionSet.newBuilder().set(ContentTypes.COUNTRY, new PermissionType[]{PermissionType.PROMOTE}).build());
        Assert.assertTrue(api(accessor).aclManager().hasPermission(ContentTypes.COUNTRY, PermissionType.PROMOTE, group));
    }

    @Test
    public void testSetEmptyGlobalPermissionMatrix() throws Exception {
        Accessor accessor = (Accessor) this.manager.getEntity("mike", Accessor.class);
        Accessor accessor2 = (Accessor) this.manager.getEntity("linda", UserProfile.class);
        Assert.assertTrue(api(accessor).aclManager().getGlobalPermissions(accessor2).has(ContentTypes.DOCUMENTARY_UNIT, PermissionType.CREATE));
        Assert.assertEquals(accessor2.getId(), api(accessor).acl().setGlobalPermissionMatrix(accessor2, GlobalPermissionSet.newBuilder().build()).accessorId());
        GlobalPermissionSet globalPermissions = api(accessor).aclManager().getGlobalPermissions(accessor2);
        for (ContentTypes contentTypes : ContentTypes.values()) {
            for (PermissionType permissionType : PermissionType.values()) {
                Assert.assertFalse(globalPermissions.has(contentTypes, permissionType));
            }
        }
    }

    @Test
    public void testSetAccessors() throws Exception {
        Accessor accessor = (Accessor) this.manager.getEntity("mike", Accessor.class);
        Accessor accessor2 = (Accessor) this.manager.getEntity("linda", Accessor.class);
        Group group = (Group) this.manager.getEntity("kcl", Group.class);
        Assert.assertFalse(Iterables.contains(group.getAccessors(), accessor2));
        api(accessor).acl().setAccessors(group, Sets.newHashSet(new Accessor[]{accessor2}));
        Assert.assertTrue(Iterables.contains(group.getAccessors(), accessor2));
    }

    @Test(expected = PermissionDenied.class)
    public void testSetAccessorsWithPermissionDenied() throws Exception {
        Accessor accessor = (Accessor) this.manager.getEntity("linda", Accessor.class);
        Group group = (Group) this.manager.getEntity("kcl", Group.class);
        Assert.assertFalse(Iterables.contains(group.getAccessors(), accessor));
        api(accessor).acl().setAccessors(group, Sets.newHashSet(new Accessor[]{accessor}));
    }

    @Test
    public void testSetItemPermissions() throws Exception {
        Accessor accessor = (Accessor) this.manager.getEntity("mike", Accessor.class);
        Accessor accessor2 = (Accessor) this.manager.getEntity("linda", Accessor.class);
        Group group = (Group) this.manager.getEntity("kcl", Group.class);
        Assert.assertFalse(api(accessor).aclManager().hasPermission(group, PermissionType.DELETE, accessor2));
        Assert.assertEquals(accessor2.getId(), api(accessor).acl().setItemPermissions(group, accessor2, Sets.newHashSet(new PermissionType[]{PermissionType.DELETE})).accessorId());
        Assert.assertTrue(api(accessor).aclManager().hasPermission(group, PermissionType.DELETE, accessor2));
    }

    @Test(expected = PermissionDenied.class)
    public void testSetItemPermissionsWithPermissionDenied() throws Exception {
        Accessor accessor = (Accessor) this.manager.getEntity("linda", Accessor.class);
        api(accessor).acl().setItemPermissions((Group) this.manager.getEntity("kcl", Group.class), accessor, Sets.newHashSet(new PermissionType[]{PermissionType.DELETE}));
    }

    @Test
    public void testRevokePermissionGrant() throws Exception {
        Accessor accessor = (Accessor) this.manager.getEntity("mike", Accessor.class);
        Accessor accessor2 = (Accessor) this.manager.getEntity("reto", Accessor.class);
        Repository repository = (Repository) this.manager.getEntity("r1", Repository.class);
        PermissionGrant permissionGrant = (PermissionGrant) this.manager.getEntity("retoKclWriteGrant", PermissionGrant.class);
        Assert.assertTrue(api(accessor).aclManager().withScope(repository).hasPermission(ContentTypes.DOCUMENTARY_UNIT, PermissionType.CREATE, accessor2));
        api(accessor).acl().revokePermissionGrant(permissionGrant);
        Assert.assertFalse(api(accessor).aclManager().withScope(repository).hasPermission(ContentTypes.DOCUMENTARY_UNIT, PermissionType.CREATE, accessor2));
    }

    @Test(expected = PermissionDenied.class)
    public void testRevokePermissionGrantWithPermissionDenied() throws Exception {
        Accessor accessor = (Accessor) this.manager.getEntity("linda", Accessor.class);
        Accessor accessor2 = (Accessor) this.manager.getEntity("reto", Accessor.class);
        Repository repository = (Repository) this.manager.getEntity("r1", Repository.class);
        PermissionGrant permissionGrant = (PermissionGrant) this.manager.getEntity("retoKclWriteGrant", PermissionGrant.class);
        Assert.assertTrue(api(accessor).aclManager().withScope(repository).hasPermission(ContentTypes.DOCUMENTARY_UNIT, PermissionType.CREATE, accessor2));
        api(accessor).acl().revokePermissionGrant(permissionGrant);
    }

    @Test
    public void testValidUserCanAddAccessorToGroup() throws Exception {
        Accessor accessor = (Accessor) this.manager.getEntity("linda", Accessor.class);
        api(this.validUser).acl().addAccessorToGroup((Group) this.manager.getEntity("kcl", Group.class), accessor);
    }

    @Test(expected = PermissionDenied.class)
    public void testInvalidUserCannotAddAccessorToGroup() throws Exception {
        Accessor accessor = (Accessor) this.manager.getEntity("linda", Accessor.class);
        api(this.invalidUser).acl().addAccessorToGroup((Group) this.manager.getEntity("kcl", Group.class), accessor);
    }

    @Test
    public void testRemoveAccessorFromGroup() throws Exception {
        Accessor accessor = (Accessor) this.manager.getEntity("linda", Accessor.class);
        Group group = (Group) this.manager.getEntity("dans", Group.class);
        Assert.assertTrue(Lists.newArrayList(group.getMembers()).contains(accessor));
        api(this.validUser).acl().removeAccessorFromGroup(group, accessor);
        Assert.assertFalse(Lists.newArrayList(group.getMembers()).contains(accessor));
    }

    @Test(expected = PermissionDenied.class)
    public void testInvalidUserCannotRemoveAccessorFromGroup() throws Exception {
        Accessor accessor = (Accessor) this.manager.getEntity("linda", Accessor.class);
        api(this.invalidUser).acl().removeAccessorFromGroup((Group) this.manager.getEntity("dans", Group.class), accessor);
    }

    @Test
    public void testAddUserToGroupGranteeMembership() throws Exception {
        Accessor accessor = (Accessor) this.manager.getEntity("linda", Accessor.class);
        Group group = (Group) this.manager.getEntity("niod", Group.class);
        UserProfile userProfile = this.invalidUser;
        api(userProfile).aclManager().grantPermission(accessor.as(PermissionGrantTarget.class), PermissionType.GRANT, userProfile);
        api(userProfile).aclManager().grantPermission(group.as(PermissionGrantTarget.class), PermissionType.UPDATE, userProfile);
        try {
            api(userProfile).acl().addAccessorToGroup(group, accessor);
            Assert.fail("User should NOT have had grant permissions!");
        } catch (PermissionDenied e) {
        }
        group.addMember(userProfile);
        api(userProfile).acl().addAccessorToGroup(group, accessor);
    }

    @Test
    public void testAddUserToGroupGranteePerms() throws Exception {
        Accessor accessor = (Accessor) this.manager.getEntity("linda", Accessor.class);
        Group group = (Group) this.manager.getEntity("soma", Group.class);
        UserProfile userProfile = this.invalidUser;
        Assert.assertFalse(AclManager.belongsToAdmin(userProfile));
        group.addMember(userProfile);
        Assert.assertFalse(AclManager.belongsToAdmin(userProfile));
        api(userProfile).aclManager().grantPermission((PermissionGrantTarget) this.graph.frame(accessor.asVertex(), PermissionGrantTarget.class), PermissionType.GRANT, userProfile);
        try {
            api(userProfile).acl().addAccessorToGroup(group, accessor);
            Assert.fail("User should NOT have had grant permissions!");
        } catch (PermissionDenied e) {
        }
        api(userProfile).aclManager().grantPermission(group.as(PermissionGrantTarget.class), PermissionType.UPDATE, userProfile);
        api(userProfile).acl().addAccessorToGroup(group, accessor);
    }
}
