package org.neo4j.security;

import java.util.Collections;
import org.assertj.core.api.Assertions;
import org.junit.jupiter.api.Test;
import org.neo4j.configuration.GraphDatabaseSettings;
import org.neo4j.dbms.api.DatabaseManagementService;
import org.neo4j.exceptions.InvalidArgumentException;
import org.neo4j.graphdb.Transaction;
import org.neo4j.internal.kernel.api.connectioninfo.ClientConnectionInfo;
import org.neo4j.internal.kernel.api.security.AuthenticationResult;
import org.neo4j.internal.kernel.api.security.LoginContext;
import org.neo4j.kernel.api.security.AuthManager;
import org.neo4j.kernel.api.security.AuthToken;
import org.neo4j.test.TestDatabaseManagementServiceBuilder;
import org.neo4j.test.extension.DbmsController;
import org.neo4j.test.extension.DbmsExtension;
import org.neo4j.test.extension.ExtensionCallback;
import org.neo4j.test.extension.Inject;
import org.neo4j.test.utils.TestDirectory;

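/**
 * Integration tests for basic (username/password) authentication and for impersonation.
 *
 * <p>The DBMS is started with {@code auth_enabled=false} (see {@link #configure}). Each test
 * creates its users on the {@code system} database in that state. Two of the tests then restart
 * the DBMS with {@code auth_enabled=true} to check that credentials created while authentication
 * was off are enforced once it is turned on.
 *
 * <p>The transaction handling uses try-with-resources scoped to the user-creation statements
 * only. The previous shape wrapped the restart and the assertions in the same cleanup handler,
 * so a failing assertion closed an already-closed transaction a second time.
 */
@DbmsExtension(configurationCallback = "configure")
class BasicAuthIT {

    @Inject
    private TestDirectory testDirectory;

    @Inject
    private DatabaseManagementService managementService;

    @Inject
    private DbmsController dbmsController;

    @Inject
    private AuthManager authManager;

    /**
     * Starts every test with authentication disabled.
     *
     * @param testDatabaseManagementServiceBuilder builder for the DBMS under test
     */
    @ExtensionCallback
    void configure(TestDatabaseManagementServiceBuilder testDatabaseManagementServiceBuilder) {
        testDatabaseManagementServiceBuilder.setConfig(GraphDatabaseSettings.auth_enabled, false);
    }

    /**
     * A user created while auth is disabled must be subject to normal credential checks after
     * auth is enabled: a wrong password is rejected, and the correct password yields
     * {@code PASSWORD_CHANGE_REQUIRED} because the user was created without
     * {@code CHANGE NOT REQUIRED}.
     */
    @Test
    void shouldCreateUserWithAuthDisabled() throws Exception {
        try (Transaction tx = managementService.database("system").beginTx()) {
            tx.execute("CREATE USER foo SET PASSWORD 'barpassword'").close();
            tx.commit();
        }

        // Turn authentication on; the assertions below only mean something with auth enabled.
        dbmsController.restartDbms(builder -> builder.setConfig(GraphDatabaseSettings.auth_enabled, true));

        Assertions.assertThat(authManager
                        .login(AuthToken.newBasicAuthToken("foo", "wrong"), ClientConnectionInfo.EMBEDDED_CONNECTION)
                        .subject()
                        .getAuthenticationResult())
                .isEqualTo(AuthenticationResult.FAILURE);
        Assertions.assertThat(authManager
                        .login(AuthToken.newBasicAuthToken("foo", "barpassword"), ClientConnectionInfo.EMBEDDED_CONNECTION)
                        .subject()
                        .getAuthenticationResult())
                .isEqualTo(AuthenticationResult.PASSWORD_CHANGE_REQUIRED);
    }

    /**
     * With auth enabled, a successfully authenticated user must not be able to impersonate
     * another existing user: the attempt is rejected with {@link InvalidArgumentException}.
     */
    @Test
    void shouldFailImpersonate() throws Exception {
        try (Transaction tx = managementService.database("system").beginTx()) {
            // foo can log in straight away; baz exists only as the impersonation target.
            tx.execute("CREATE USER foo SET PASSWORD 'barpassword' CHANGE NOT REQUIRED").close();
            tx.execute("CREATE USER baz SET PASSWORD 'barpassword'").close();
            tx.commit();
        }

        dbmsController.restartDbms(builder -> builder.setConfig(GraphDatabaseSettings.auth_enabled, true));

        LoginContext login = authManager.login(
                AuthToken.newBasicAuthToken("foo", "barpassword"), ClientConnectionInfo.EMBEDDED_CONNECTION);
        Assertions.assertThat(login.subject().getAuthenticationResult()).isEqualTo(AuthenticationResult.SUCCESS);

        Assertions.assertThatThrownBy(() -> authManager.impersonate(login, "baz"))
                .isInstanceOf(InvalidArgumentException.class)
                .hasMessage("Impersonation is not supported in community edition.");
    }

    /**
     * With auth still disabled (no restart), a login with an empty token map succeeds, but
     * impersonating an existing user must still be rejected with
     * {@link InvalidArgumentException}.
     */
    @Test
    void shouldFailImpersonateWithAuthDisabled() throws Exception {
        try (Transaction tx = managementService.database("system").beginTx()) {
            tx.execute("CREATE USER foo SET PASSWORD 'barpassword'").close();
            tx.commit();
        }

        // SUCCESS for an empty token is expected here only because configure() disabled auth.
        LoginContext login = authManager.login(Collections.emptyMap(), ClientConnectionInfo.EMBEDDED_CONNECTION);
        Assertions.assertThat(login.subject().getAuthenticationResult()).isEqualTo(AuthenticationResult.SUCCESS);

        Assertions.assertThatThrownBy(() -> authManager.impersonate(login, "foo"))
                .isInstanceOf(InvalidArgumentException.class)
                .hasMessage("Impersonation is not supported with auth disabled.");
    }
}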
