package org.graylog2.security.realm;

import com.google.common.collect.Maps;
import com.lordofthejars.nosqlunit.annotation.UsingDataSet;
import com.lordofthejars.nosqlunit.core.LoadStrategyEnum;
import java.net.URI;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import org.apache.directory.ldap.client.api.LdapConnectionConfig;
import org.apache.directory.server.annotations.CreateLdapServer;
import org.apache.directory.server.annotations.CreateTransport;
import org.apache.directory.server.core.annotations.ApplyLdifFiles;
import org.apache.directory.server.core.annotations.ContextEntry;
import org.apache.directory.server.core.annotations.CreateDS;
import org.apache.directory.server.core.annotations.CreateIndex;
import org.apache.directory.server.core.annotations.CreatePartition;
import org.apache.directory.server.core.annotations.LoadSchema;
import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
import org.apache.directory.server.core.integ.FrameworkRunner;
import org.apache.directory.server.core.partition.impl.avl.AvlPartition;
import org.apache.directory.server.ldap.LdapServer;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.assertj.core.api.Assertions;
import org.graylog2.ApacheDirectoryTestServiceFactory;
import org.graylog2.Configuration;
import org.graylog2.plugin.database.users.User;
import org.graylog2.security.PasswordAlgorithmFactory;
import org.graylog2.security.ldap.LdapConnector;
import org.graylog2.security.ldap.LdapSettingsImpl;
import org.graylog2.security.ldap.LdapSettingsService;
import org.graylog2.shared.security.Permissions;
import org.graylog2.shared.security.ldap.LdapEntry;
import org.graylog2.shared.security.ldap.LdapSettings;
import org.graylog2.shared.users.UserService;
import org.graylog2.users.RoleService;
import org.graylog2.users.UserImpl;
import org.joda.time.DateTimeZone;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.ArgumentMatchers;
import org.mockito.Mockito;

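/**
 * Integration tests for {@link LdapUserAuthenticator} against an in-process ApacheDS
 * server (configured by the {@code @CreateDS} / {@code @CreateLdapServer} annotations
 * below and populated from {@code org/graylog2/security/ldap/base.ldif}).
 *
 * <p>The bind tests perform a real LDAP bind over plain, non-TLS LDAP to the loopback
 * interface. That is acceptable only because the peer is the embedded test fixture;
 * it must not be read as an endorsement of StartTLS-less LDAP in production.
 * {@code uid=admin,ou=system} / {@code secret} is the embedded ApacheDS default
 * administrator account, not a production secret.
 *
 * <p>The user-sync tests do not touch the directory at all: they call
 * {@code syncFromLdapEntry} directly with a mocked {@link LdapSettings} and a mocked
 * {@link UserService}.
 */
@CreateLdapServer(transports = {@CreateTransport(protocol = "LDAP")})
@RunWith(FrameworkRunner.class)
@CreateDS(
        name = "LdapUserAuthenticatorTest",
        factory = ApacheDirectoryTestServiceFactory.class,
        partitions = {
                @CreatePartition(
                        name = "example.com",
                        type = AvlPartition.class,
                        suffix = "dc=example,dc=com",
                        contextEntry = @ContextEntry(
                                entryLdif = "dn: dc=example,dc=com\ndc: example\nobjectClass: top\nobjectClass: domain\n\n"),
                        indexes = {
                                @CreateIndex(attribute = "objectClass"),
                                @CreateIndex(attribute = "dc"),
                                @CreateIndex(attribute = "ou")
                        })
        },
        loadedSchemas = {@LoadSchema(name = "nis", enabled = true)})
@ApplyLdifFiles({"org/graylog2/security/ldap/base.ldif"})
public class LdapUserAuthenticatorTest extends AbstractLdapTestUnit {
    /** Bind DN and password of the embedded ApacheDS default administrator (used as the system/bind account). */
    private static final String ADMIN_DN = "uid=admin,ou=system";
    private static final String ADMIN_PASSWORD = "secret";
    /** Tokens for the "john" account expected to be defined in base.ldif; the second one carries a wrong password. */
    private static final AuthenticationToken VALID_TOKEN = new UsernamePasswordToken("john", "test");
    private static final AuthenticationToken INVALID_TOKEN = new UsernamePasswordToken("john", "__invalid__");
    /** Test-only value handed out by the mocked {@link Configuration#getPasswordSecret()}. */
    private static final String PASSWORD_SECRET = "r8Om85b0zgHmiGsK86T3ZFlmSIdMd3hcKmOa4T60MSPEobfRCTLNOK4T91GdHbGx";
    /** Role id that the mocked settings report as the single default group for synced users. */
    private static final String DEFAULT_GROUP_ID = "54e3deadbeefdeadbeef0001";
    /** Permission pre-assigned to the "existing" user so we can check it survives a re-sync. */
    private static final String EXISTING_PERMISSION = "test:permission:1234";
    /** Placeholder the authenticator is expected to store instead of a real password hash for LDAP users. */
    private static final String SYNCED_PASSWORD_MARKER = "User synced from LDAP.";

    private LdapConnector ldapConnector;
    private LdapServer server;
    private LdapSettingsService ldapSettingsService;
    private LdapSettings ldapSettings;
    private Configuration configuration;
    private UserService userService;

    /**
     * Wires a real {@link LdapConnector} to the embedded server and builds the
     * {@link LdapSettingsImpl} the bind tests use. The settings point at the server's
     * dynamically assigned port, bind with the admin account and search
     * {@code ou=users,dc=example,dc=com} for posixAccount entries by uid.
     */
    @Before
    public void setUp() throws Exception {
        this.server = getLdapServer();

        this.configuration = Mockito.mock(Configuration.class);
        Mockito.when(this.configuration.getPasswordSecret()).thenReturn(PASSWORD_SECRET);

        // 10 s connection timeout; generous so a slow CI box does not turn a bind failure into a timeout.
        this.ldapConnector = new LdapConnector(10000);
        this.ldapSettingsService = Mockito.mock(LdapSettingsService.class);
        this.userService = Mockito.mock(UserService.class);

        this.ldapSettings = new LdapSettingsImpl(this.configuration, Mockito.mock(RoleService.class));
        this.ldapSettings.setEnabled(true);
        this.ldapSettings.setUri(URI.create("ldap://localhost:" + this.server.getPort()));
        // Plain LDAP is fine here only because the server is in-process on loopback.
        this.ldapSettings.setUseStartTls(false);
        this.ldapSettings.setSystemUsername(ADMIN_DN);
        this.ldapSettings.setSystemPassword(ADMIN_PASSWORD);
        this.ldapSettings.setSearchBase("ou=users,dc=example,dc=com");
        // {0} is substituted with the login name by the connector; the filter is what is under test, not built here.
        this.ldapSettings.setSearchPattern("(&(objectClass=posixAccount)(uid={0}))");
        this.ldapSettings.setDisplayNameAttribute("cn");
        this.ldapSettings.setActiveDirectory(false);
        this.ldapSettings.setGroupSearchBase("ou=groups,dc=example,dc=com");
        this.ldapSettings.setGroupIdAttribute("cn");
        this.ldapSettings.setGroupSearchPattern("(|(objectClass=groupOfNames)(objectClass=posixGroup))");
    }

    /** Builds an authenticator over the connector and (mocked) services prepared in {@link #setUp()}. */
    private LdapUserAuthenticator newAuthenticator() {
        return new LdapUserAuthenticator(this.ldapConnector, this.ldapSettingsService, this.userService,
                Mockito.mock(RoleService.class), DateTimeZone.UTC);
    }

    /**
     * Mocked settings for the sync tests: {@code displayName} as display attribute and
     * {@link #DEFAULT_GROUP_ID} as the only default role.
     */
    private static LdapSettings mockSyncSettings() {
        LdapSettings settings = Mockito.mock(LdapSettings.class);
        Mockito.when(settings.getDisplayNameAttribute()).thenReturn("displayName");
        Mockito.when(settings.getDefaultGroupId()).thenReturn(DEFAULT_GROUP_ID);
        Mockito.when(settings.getAdditionalDefaultGroupIds()).thenReturn(Collections.emptySet());
        return settings;
    }

    /**
     * A correct password yields authentication info, a wrong one yields {@code null}.
     * {@code syncFromLdapEntry} is stubbed out so the assertion is purely about the bind
     * result and does not depend on user provisioning.
     */
    @Test
    public void testDoGetAuthenticationInfo() throws Exception {
        LdapUserAuthenticator authenticator = Mockito.spy(newAuthenticator());
        Mockito.when(this.ldapSettingsService.load()).thenReturn(this.ldapSettings);
        Mockito.doReturn(Mockito.mock(User.class))
                .when(authenticator)
                .syncFromLdapEntry(ArgumentMatchers.any(LdapEntry.class),
                        ArgumentMatchers.any(LdapSettings.class),
                        ArgumentMatchers.anyString());

        Assertions.assertThat(authenticator.doGetAuthenticationInfo(VALID_TOKEN)).isNotNull();
        Assertions.assertThat(authenticator.doGetAuthenticationInfo(INVALID_TOKEN)).isNull();
    }

    /**
     * Null and empty passwords must be rejected before any bind is attempted.
     *
     * <p>Why this matters: in LDAP (RFC 4513 section 5.1.2) a bind with a name and an empty
     * password is an <em>unauthenticated</em> bind, which many servers accept. An
     * authenticator that forwarded an empty password could therefore log anyone in as any
     * known uid. Whitespace-only passwords are not covered here.
     */
    @Test
    public void testDoGetAuthenticationInfoDeniesEmptyPassword() throws Exception {
        LdapUserAuthenticator authenticator = newAuthenticator();
        Mockito.when(this.ldapSettingsService.load()).thenReturn(this.ldapSettings);

        Assertions.assertThat(authenticator.doGetAuthenticationInfo(new UsernamePasswordToken("john", (char[]) null)))
                .isNull();
        Assertions.assertThat(authenticator.doGetAuthenticationInfo(new UsernamePasswordToken("john", new char[0])))
                .isNull();
    }

    /**
     * Syncing an (empty) LDAP entry for a user that does not exist locally creates an
     * external user named after the login, with the default role, UTC time zone and the
     * placeholder instead of a password hash.
     */
    @Test
    @UsingDataSet(loadStrategy = LoadStrategyEnum.DELETE_ALL)
    public void testSyncFromLdapEntry() {
        LdapUserAuthenticator authenticator = newAuthenticator();
        LdapSettings settings = mockSyncSettings();
        // No local user: userService.load(...) is unstubbed (returns null), so create() must be used.
        Mockito.when(this.userService.create())
                .thenReturn(new UserImpl(null, new Permissions(Collections.emptySet()), new HashMap<String, Object>()));

        User synced = authenticator.syncFromLdapEntry(new LdapEntry(), settings, "user");

        Assertions.assertThat(synced).isNotNull();
        Assertions.assertThat(synced.isExternalUser()).isTrue();
        Assertions.assertThat(synced.getName()).isEqualTo("user");
        Assertions.assertThat(synced.getEmail()).isEqualTo("user@localhost");
        // Placeholder, not a hash: the synced account carries no local credential.
        Assertions.assertThat(synced.getHashedPassword()).isEqualTo(SYNCED_PASSWORD_MARKER);
        Assertions.assertThat(synced.getTimeZone()).isEqualTo(DateTimeZone.UTC);
        Assertions.assertThat(synced.getRoleIds()).containsOnly(DEFAULT_GROUP_ID);
        Assertions.assertThat(synced.getPermissions()).isNotEmpty();
    }

    /**
     * Re-syncing a user that already exists locally keeps the permissions already stored
     * on that user while still applying the LDAP-derived fields checked in
     * {@link #testSyncFromLdapEntry()}.
     */
    @Test
    @UsingDataSet(loadStrategy = LoadStrategyEnum.DELETE_ALL)
    public void testSyncFromLdapEntryExistingUser() {
        LdapUserAuthenticator authenticator = newAuthenticator();
        LdapSettings settings = mockSyncSettings();

        Map<String, Object> existingFields = new HashMap<>();
        existingFields.put("permissions", Collections.singletonList(EXISTING_PERMISSION));
        Mockito.when(this.userService.load(ArgumentMatchers.anyString()))
                .thenReturn(new UserImpl(null, new Permissions(Collections.emptySet()), existingFields));

        User synced = authenticator.syncFromLdapEntry(new LdapEntry(), settings, "user");

        Assertions.assertThat(synced).isNotNull();
        Assertions.assertThat(synced.getPermissions()).contains(EXISTING_PERMISSION);
        Assertions.assertThat(synced.isExternalUser()).isTrue();
        Assertions.assertThat(synced.getName()).isEqualTo("user");
        Assertions.assertThat(synced.getEmail()).isEqualTo("user@localhost");
        Assertions.assertThat(synced.getHashedPassword()).isEqualTo(SYNCED_PASSWORD_MARKER);
        Assertions.assertThat(synced.getTimeZone()).isEqualTo(DateTimeZone.UTC);
        Assertions.assertThat(synced.getRoleIds()).containsOnly(DEFAULT_GROUP_ID);
        Assertions.assertThat(synced.getPermissions()).isNotEmpty();
    }
}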
