package org.graylog.security.authservice.ldap;

import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.Set;
import org.apache.directory.server.annotations.CreateLdapServer;
import org.apache.directory.server.annotations.CreateTransport;
import org.apache.directory.server.core.annotations.ApplyLdifFiles;
import org.apache.directory.server.core.annotations.ContextEntry;
import org.apache.directory.server.core.annotations.CreateDS;
import org.apache.directory.server.core.annotations.CreateIndex;
import org.apache.directory.server.core.annotations.CreatePartition;
import org.apache.directory.server.core.annotations.LoadSchema;
import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
import org.apache.directory.server.core.integ.FrameworkRunner;
import org.apache.directory.server.core.partition.impl.avl.AvlPartition;
import org.apache.directory.server.ldap.LdapServer;
import org.assertj.core.api.Assertions;
import org.graylog.security.authservice.ldap.LDAPConnectorConfig;
import org.graylog.testing.ldap.LDAPTestUtils;
import org.graylog2.ApacheDirectoryTestServiceFactory;
import org.graylog2.configuration.TLSProtocolsConfiguration;
import org.graylog2.security.TrustManagerProvider;
import org.graylog2.security.encryption.EncryptedValue;
import org.graylog2.security.encryption.EncryptedValueService;
import org.junit.After;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.ExpectedException;
import org.junit.runner.RunWith;
import org.mockito.Mockito;

@CreateLdapServer(transports = {@CreateTransport(protocol = "LDAP")})
@RunWith(FrameworkRunner.class)
@CreateDS(name = "LdapConnectorTest", factory = ApacheDirectoryTestServiceFactory.class, partitions = {@CreatePartition(name = "example.com", type = AvlPartition.class, suffix = "dc=example,dc=com", contextEntry = @ContextEntry(entryLdif = "dn: dc=example,dc=com\ndc: example\nobjectClass: top\nobjectClass: domain\n\n"), indexes = {@CreateIndex(attribute = "objectClass"), @CreateIndex(attribute = "dc"), @CreateIndex(attribute = "ou")})}, loadedSchemas = {@LoadSchema(name = "nis", enabled = true)})
@ApplyLdifFiles({LDAPTestUtils.BASE_LDIF})
/* loaded from: input_file:org/graylog/security/authservice/ldap/UnboundLDAPConnectorTest.class */
public class UnboundLDAPConnectorTest extends AbstractLdapTestUnit {
    private static final Set<String> ENABLED_TLS_PROTOCOLS = ImmutableSet.of("TLSv1.2", "TLSv1.3");
    private static final String ADMIN_DN = "uid=admin,ou=system";
    private static final String ADMIN_PASSWORD = "secret";
    private UnboundLDAPConnector connector;
    private LDAPConnection connection;

    @Rule
    public final ExpectedException expectedException = ExpectedException.none();
    private final EncryptedValueService encryptedValueService = new EncryptedValueService("1234567890abcdef");

    @Before
    public void setUp() throws Exception {
        LdapServer ldapServer = getLdapServer();
        LDAPConnectorConfig build = LDAPConnectorConfig.builder().systemUsername(ADMIN_DN).systemPassword(this.encryptedValueService.encrypt(ADMIN_PASSWORD)).transportSecurity(LDAPTransportSecurity.NONE).verifyCertificates(false).serverList(ImmutableList.of(LDAPConnectorConfig.LDAPServer.create("localhost", 9), LDAPConnectorConfig.LDAPServer.create("localhost", ldapServer.getPort()))).build();
        this.connector = new UnboundLDAPConnector(10000, new TLSProtocolsConfiguration(), (TrustManagerProvider) Mockito.mock(TrustManagerProvider.class), this.encryptedValueService);
        this.connection = this.connector.connect(build);
    }

    @After
    public void tearDown() throws Exception {
        this.connection.close();
    }

    @Test
    public void testUserLookup() throws Exception {
        LDAPUser lDAPUser = (LDAPUser) this.connector.searchUserByPrincipal(this.connection, UnboundLDAPConfig.builder().userSearchBase("ou=users,dc=example,dc=com").userSearchPattern("(&(objectClass=posixAccount)(uid={0}))").userUniqueIdAttribute("entryUUID").userNameAttribute("uid").userFullNameAttribute("cn").build(), "john").orElse(null);
        Assertions.assertThat(lDAPUser).isNotNull();
        Assertions.assertThat(lDAPUser.dn()).isNotNull().isEqualTo("cn=John Doe,ou=users,dc=example,dc=com");
        Assertions.assertThat(new String(Base64.getDecoder().decode(lDAPUser.base64UniqueId()), StandardCharsets.UTF_8)).isNotBlank().matches("[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}");
    }

    @Test
    public void testAuthenticateSuccess() throws LDAPException {
        Assertions.assertThat(this.connector.authenticate(this.connection, "cn=John Doe,ou=users,dc=example,dc=com", this.encryptedValueService.encrypt("test"))).isTrue();
    }

    @Test
    public void testAuthenticateFail() throws LDAPException {
        Assertions.assertThat(this.connector.authenticate(this.connection, "cn=John Doe,ou=users,dc=example,dc=com", this.encryptedValueService.encrypt("wrongpass"))).isFalse();
    }

    @Test
    public void authenticateThrowsIllegalArgumentExceptionIfPrincipalIsNull() throws LDAPException {
        this.expectedException.expect(IllegalArgumentException.class);
        this.expectedException.expectMessage("Binding with empty principal is forbidden.");
        this.connector.authenticate(this.connection, (String) null, this.encryptedValueService.encrypt(ADMIN_PASSWORD));
    }

    @Test
    public void authenticateThrowsIllegalArgumentExceptionIfPrincipalIsEmpty() throws LDAPException {
        this.expectedException.expect(IllegalArgumentException.class);
        this.expectedException.expectMessage("Binding with empty principal is forbidden.");
        this.connector.authenticate(this.connection, "", this.encryptedValueService.encrypt(ADMIN_PASSWORD));
    }

    @Test
    public void authenticateThrowsIllegalArgumentExceptionIfCredentialsAreNull() throws LDAPException {
        this.expectedException.expect(IllegalArgumentException.class);
        this.expectedException.expectMessage("Binding with null credentials is forbidden.");
        this.connector.authenticate(this.connection, "principal", (EncryptedValue) null);
    }

    @Test
    public void authenticateThrowsIllegalArgumentExceptionIfCredentialsAreEmpty() throws LDAPException {
        this.expectedException.expect(IllegalArgumentException.class);
        this.expectedException.expectMessage("Binding with empty credentials is forbidden.");
        this.connector.authenticate(this.connection, "principal", EncryptedValue.createUnset());
    }
}
