package org.neo4j.queryapi.tx;

import java.io.IOException;
import java.net.http.HttpResponse;
import org.assertj.core.api.Assertions;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.Timeout;
import org.neo4j.configuration.GraphDatabaseSettings;
import org.neo4j.configuration.connectors.BoltConnector;
import org.neo4j.configuration.connectors.BoltConnectorInternalSettings;
import org.neo4j.configuration.connectors.ConnectorPortRegister;
import org.neo4j.configuration.connectors.ConnectorType;
import org.neo4j.configuration.connectors.HttpConnector;
import org.neo4j.configuration.helpers.SocketAddress;
import org.neo4j.dbms.api.DatabaseManagementService;
import org.neo4j.kernel.api.exceptions.Status;
import org.neo4j.queryapi.QueryApiTestUtil;
import org.neo4j.queryapi.QueryResponseAssertions;
import org.neo4j.queryapi.testclient.QueryAPITestClient;
import org.neo4j.queryapi.testclient.QueryRequest;
import org.neo4j.queryapi.testclient.QueryResponse;
import org.neo4j.server.queryapi.tx.TransactionManager;
import org.neo4j.test.TestDatabaseManagementServiceBuilder;

/* loaded from: input_file:org/neo4j/queryapi/tx/QueryResourceTxAuthenticationIT.class */
class QueryResourceTxAuthenticationIT {
    private static QueryAPITestClient testClient;
    private static DatabaseManagementService dbms;
    private static TransactionManager txManager;
    private static String endpoint;

    QueryResourceTxAuthenticationIT() {
    }

    @BeforeEach
    void beforeAll() {
        QueryApiTestUtil.setupLogging();
        dbms = new TestDatabaseManagementServiceBuilder().setConfig(HttpConnector.enabled, true).setConfig(HttpConnector.listen_address, new SocketAddress("localhost", 0)).setConfig(BoltConnectorInternalSettings.local_channel_address, QueryResourceTxIT.class.getSimpleName()).setConfig(BoltConnector.enabled, true).setConfig(BoltConnectorInternalSettings.enable_local_connector, true).setConfig(GraphDatabaseSettings.auth_enabled, true).impermanent().build();
        txManager = (TransactionManager) QueryApiTestUtil.resolveDependency(dbms, TransactionManager.class);
        endpoint = "http://" + ((ConnectorPortRegister) QueryApiTestUtil.resolveDependency(dbms, ConnectorPortRegister.class)).getLocalAddress(ConnectorType.HTTP) + "/db/{databaseName}/query/v2";
        testClient = new QueryAPITestClient(endpoint, "neo4j", "neo4j");
    }

    @AfterEach
    void cleanUp() {
        dbms.shutdown();
    }

    @AfterEach
    void afterEach() {
        Assertions.assertThat(txManager.openTransactionCount()).isEqualTo(0L);
    }

    @Test
    void shouldRequireCredentialChange() throws IOException, InterruptedException {
        QueryResponseAssertions.assertThat(testClient.beginTx(QueryRequest.newBuilder().statement("SHOW USERS").build())).hasErrorStatus(400, Status.Security.CredentialsExpired);
    }

    @Test
    void shouldAllowAccessWhenPasswordChanged() throws IOException, InterruptedException {
        testClient.autoCommit(QueryRequest.newBuilder().statement("ALTER CURRENT USER SET PASSWORD FROM 'neo4j' TO 'secretPassword'").build(), "system");
        QueryAPITestClient queryAPITestClient = new QueryAPITestClient(endpoint, "neo4j", "secretPassword");
        HttpResponse<QueryResponse> beginTx = queryAPITestClient.beginTx(QueryRequest.newBuilder().statement("RETURN 1").build());
        QueryResponseAssertions.assertThat(beginTx).wasSuccessful();
        QueryResponseAssertions.assertThat(beginTx).hasRecord();
        queryAPITestClient.commitTx(((QueryResponse) beginTx.body()).txId());
    }

    @Test
    void shouldReturnUnauthorizedWithWrongCredentials() throws IOException, InterruptedException {
        QueryResponseAssertions.assertThat(new QueryAPITestClient(endpoint, "neo4j", "I'm sneaky!").beginTx(QueryRequest.newBuilder().statement("RETURN 1").build())).hasErrorStatus(401, Status.Security.Unauthorized);
    }

    @Test
    void shouldReturnUnauthorizedWithMissingAuthHeader() throws IOException, InterruptedException {
        QueryResponseAssertions.assertThat(new QueryAPITestClient(endpoint).beginTx(QueryRequest.newBuilder().statement("RETURN 1").build())).hasErrorStatus(401, Status.Security.Unauthorized);
    }

    @Timeout(30)
    @Test
    void shouldErrorWhenTooManyIncorrectPasswordAttempts() throws IOException, InterruptedException {
        HttpResponse<QueryResponse> beginTx;
        testClient.autoCommit(QueryRequest.newBuilder().statement("ALTER CURRENT USER SET PASSWORD FROM 'neo4j' TO 'secretPassword'").build(), "system");
        do {
            beginTx = testClient.beginTx();
        } while (beginTx.statusCode() != 429);
        QueryResponseAssertions.assertThat(beginTx).hasErrorStatus(429, Status.Security.AuthenticationRateLimit);
    }

    @Test
    void shouldNotAllowUserToChangeMidTx() throws IOException, InterruptedException {
        setupUsers();
        QueryAPITestClient queryAPITestClient = new QueryAPITestClient(endpoint, "bob", "secretPassword");
        QueryAPITestClient queryAPITestClient2 = new QueryAPITestClient(endpoint, "alice", "secretPassword");
        HttpResponse<QueryResponse> beginTx = queryAPITestClient.beginTx();
        QueryResponseAssertions.assertThat(beginTx).wasSuccessful();
        QueryResponseAssertions.assertThat(queryAPITestClient2.runInTx(((QueryResponse) beginTx.body()).txId())).hasErrorStatus(404, Status.Request.Invalid);
        QueryResponseAssertions.assertThat(queryAPITestClient.commitTx(((QueryResponse) beginTx.body()).txId())).wasSuccessful();
    }

    @Test
    void shouldNotAllowUserToChangeOnCommit() throws IOException, InterruptedException {
        setupUsers();
        QueryAPITestClient queryAPITestClient = new QueryAPITestClient(endpoint, "bob", "secretPassword");
        QueryAPITestClient queryAPITestClient2 = new QueryAPITestClient(endpoint, "alice", "secretPassword");
        HttpResponse<QueryResponse> beginTx = queryAPITestClient.beginTx();
        QueryResponseAssertions.assertThat(beginTx).wasSuccessful();
        QueryResponseAssertions.assertThat(queryAPITestClient2.commitTx(((QueryResponse) beginTx.body()).txId())).hasErrorStatus(404, Status.Request.Invalid);
        queryAPITestClient.commitTx(((QueryResponse) beginTx.body()).txId());
    }

    private void setupUsers() throws IOException, InterruptedException {
        testClient.autoCommit(QueryRequest.newBuilder().statement("ALTER CURRENT USER SET PASSWORD FROM 'neo4j' TO 'secretPassword'").build(), "system");
        QueryAPITestClient queryAPITestClient = new QueryAPITestClient(endpoint, "neo4j", "secretPassword");
        queryAPITestClient.autoCommit(QueryRequest.newBuilder().statement("CREATE USER bob SET PASSWORD 'secretPassword' SET PASSWORD CHANGE NOT REQUIRED").build(), "system");
        queryAPITestClient.autoCommit(QueryRequest.newBuilder().statement("CREATE USER alice SET PASSWORD 'secretPassword' SET PASSWORD CHANGE NOT REQUIRED").build(), "system");
        queryAPITestClient.autoCommit(QueryRequest.newBuilder().statement("GRANT ROLE admin to bob").build(), "system");
        queryAPITestClient.autoCommit(QueryRequest.newBuilder().statement("GRANT ROLE admin to alice").build(), "system");
    }
}
