package org.neo4j.queryapi;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import org.assertj.core.api.Assertions;
import org.junit.jupiter.api.AfterAll;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.Timeout;
import org.neo4j.configuration.GraphDatabaseSettings;
import org.neo4j.configuration.connectors.BoltConnector;
import org.neo4j.configuration.connectors.ConnectorPortRegister;
import org.neo4j.configuration.connectors.ConnectorType;
import org.neo4j.configuration.connectors.HttpConnector;
import org.neo4j.configuration.helpers.SocketAddress;
import org.neo4j.dbms.api.DatabaseManagementService;
import org.neo4j.kernel.api.exceptions.Status;
import org.neo4j.test.TestDatabaseManagementServiceBuilder;

/* loaded from: input_file:org/neo4j/queryapi/QueryResourceAuthenticationIT.class */
class QueryResourceAuthenticationIT {
    private static DatabaseManagementService dbms;
    private static HttpClient client;
    private static String queryEndpoint;
    private final ObjectMapper MAPPER = new ObjectMapper();

    QueryResourceAuthenticationIT() {
    }

    @BeforeEach
    void beforeEach() {
        QueryApiTestUtil.setupLogging();
        dbms = new TestDatabaseManagementServiceBuilder().setConfig(HttpConnector.enabled, true).setConfig(HttpConnector.listen_address, new SocketAddress("localhost", 0)).setConfig(GraphDatabaseSettings.auth_enabled, true).setConfig(BoltConnector.enabled, true).impermanent().build();
        queryEndpoint = "http://" + ((ConnectorPortRegister) QueryApiTestUtil.resolveDependency(dbms, ConnectorPortRegister.class)).getLocalAddress(ConnectorType.HTTP) + "/db/{databaseName}/query/v2";
        client = HttpClient.newBuilder().build();
    }

    @AfterEach
    void cleanUp() {
        dbms.shutdown();
    }

    @Test
    void shouldRequireCredentialChange() throws IOException, InterruptedException {
        HttpResponse send = client.send(QueryApiTestUtil.baseRequestBuilder(queryEndpoint, "system").header("Authorization", QueryApiTestUtil.encodedCredentials("neo4j", "neo4j")).POST(HttpRequest.BodyPublishers.ofString("{\"statement\": \"SHOW USERS\"}")).build(), HttpResponse.BodyHandlers.ofString());
        Assertions.assertThat(send.statusCode()).isEqualTo(400);
        JsonNode readTree = this.MAPPER.readTree((String) send.body());
        Assertions.assertThat(readTree.get("errors").size()).isEqualTo(1);
        Assertions.assertThat(readTree.get("errors").get(0).get("code").asText()).isEqualTo(Status.Security.CredentialsExpired.code().serialize());
    }

    @Test
    void shouldAllowAccessWhenPasswordChanged() throws IOException, InterruptedException {
        updateInitialPassword();
        HttpResponse send = client.send(QueryApiTestUtil.baseRequestBuilder(queryEndpoint, "neo4j").header("Authorization", QueryApiTestUtil.encodedCredentials("neo4j", "secretPassword")).POST(HttpRequest.BodyPublishers.ofString("{\"statement\": \"RETURN 1\"}")).build(), HttpResponse.BodyHandlers.ofString());
        JsonNode readTree = this.MAPPER.readTree((String) send.body());
        Assertions.assertThat(send.statusCode()).isEqualTo(202);
        Assertions.assertThat(readTree.get("data").get("fields").size()).isEqualTo(1);
        Assertions.assertThat(readTree.get("data").get("values").get(0).get(0).asInt()).isEqualTo(1);
        Assertions.assertThat(readTree.get("errors")).isNull();
    }

    @Test
    void shouldReturnUnauthorizedWithWrongCredentials() throws IOException, InterruptedException {
        HttpResponse send = client.send(QueryApiTestUtil.baseRequestBuilder(queryEndpoint, "neo4j").header("Authorization", QueryApiTestUtil.encodedCredentials("neo4j", "I'm sneaky!")).POST(HttpRequest.BodyPublishers.ofString("{\"statement\": \"RETURN 1\"}")).build(), HttpResponse.BodyHandlers.ofString());
        Assertions.assertThat(send.statusCode()).isEqualTo(401);
        Assertions.assertThat((String) send.body()).isEqualTo("{\"errors\":[{\"code\":\"Neo.ClientError.Security.Unauthorized\",\"message\":\"Invalid credential.\"}]}");
    }

    @Test
    void shouldReturnUnauthorizedWithMissingAuthHeader() throws IOException, InterruptedException {
        HttpResponse send = client.send(QueryApiTestUtil.baseRequestBuilder(queryEndpoint, "neo4j").POST(HttpRequest.BodyPublishers.ofString("{\"statement\": \"RETURN 1\"}")).build(), HttpResponse.BodyHandlers.ofString());
        Assertions.assertThat(send.statusCode()).isEqualTo(401);
        Assertions.assertThat((String) send.body()).isEqualTo("{\"errors\":[{\"code\":\"Neo.ClientError.Security.Unauthorized\",\"message\":\"No authentication header supplied.\"}]}");
    }

    @Test
    void shouldReturnUnauthorizedWithInvalidAuthHeader() throws IOException, InterruptedException {
        HttpResponse send = client.send(QueryApiTestUtil.baseRequestBuilder(queryEndpoint, "neo4j").header("Authorization", "Just let me in. Thanks!").POST(HttpRequest.BodyPublishers.ofString("{\"statement\": \"RETURN 1\"}")).build(), HttpResponse.BodyHandlers.ofString());
        Assertions.assertThat(send.statusCode()).isEqualTo(400);
        Assertions.assertThat((String) send.body()).isEqualTo("{\"errors\":[{\"code\":\"Neo.ClientError.Request.InvalidFormat\",\"message\":\"Invalid authentication header.\"}]}");
    }

    @Timeout(30)
    @Test
    void shouldErrorWhenTooManyIncorrectPasswordAttempts() throws IOException, InterruptedException {
        HttpResponse send;
        updateInitialPassword();
        do {
            send = client.send(QueryApiTestUtil.baseRequestBuilder(queryEndpoint, "neo4j").header("Authorization", QueryApiTestUtil.encodedCredentials("neo4j", "WrongPasswordBud")).POST(HttpRequest.BodyPublishers.ofString("shouldn't be parsing this")).build(), HttpResponse.BodyHandlers.ofString());
        } while (send.statusCode() != 429);
        Assertions.assertThat(send.body()).isEqualTo("{\"errors\":[{\"code\":\"Neo.ClientError.Security.AuthenticationRateLimit\",\"message\":\"Too many failed authentication requests. Please wait 5 seconds and try again.\"}]}");
    }

    private static void updateInitialPassword() throws IOException, InterruptedException {
        Assertions.assertThat(client.send(QueryApiTestUtil.baseRequestBuilder(queryEndpoint, "system").header("Authorization", QueryApiTestUtil.encodedCredentials("neo4j", "neo4j")).POST(HttpRequest.BodyPublishers.ofString("{\"statement\": \"ALTER CURRENT USER SET PASSWORD FROM 'neo4j' TO 'secretPassword'\"}")).build(), HttpResponse.BodyHandlers.ofString()).statusCode()).isEqualTo(202);
    }

    @AfterAll
    static void teardown() {
        if (dbms != null) {
            dbms.shutdown();
        }
    }
}
