package org.neo4j.bolt.security.auth;

import java.util.Collections;
import java.util.concurrent.ThreadLocalRandom;
import org.hamcrest.BaseMatcher;
import org.hamcrest.CoreMatchers;
import org.hamcrest.Description;
import org.hamcrest.MatcherAssert;
import org.hamcrest.TypeSafeMatcher;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.mockito.Mockito;
import org.neo4j.configuration.Config;
import org.neo4j.configuration.GraphDatabaseSettings;
import org.neo4j.cypher.internal.security.SecureHasher;
import org.neo4j.dbms.database.DatabaseManager;
import org.neo4j.internal.helpers.collection.MapUtil;
import org.neo4j.kernel.api.exceptions.Status;
import org.neo4j.kernel.impl.security.User;
import org.neo4j.server.security.auth.RateLimitedAuthenticationStrategy;
import org.neo4j.server.security.auth.SecurityTestUtils;
import org.neo4j.server.security.systemgraph.BasicSystemGraphRealm;
import org.neo4j.server.security.systemgraph.SecurityGraphInitializer;
import org.neo4j.time.Clocks;

/* loaded from: input_file:org/neo4j/bolt/security/auth/BasicAuthenticationTest.class */
class BasicAuthenticationTest {
    private Authentication authentication;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/neo4j/bolt/security/auth/BasicAuthenticationTest$CredentialsClearedMatcher.class */
    public static class CredentialsClearedMatcher extends BaseMatcher<byte[]> {
        CredentialsClearedMatcher() {
        }

        public boolean matches(Object obj) {
            if (!(obj instanceof byte[])) {
                return false;
            }
            for (byte b : (byte[]) obj) {
                if (b != 0) {
                    return false;
                }
            }
            return true;
        }

        public void describeTo(Description description) {
            description.appendText("Byte array should contain only zeroes");
        }
    }

    /* loaded from: input_file:org/neo4j/bolt/security/auth/BasicAuthenticationTest$HasStatus.class */
    static class HasStatus extends TypeSafeMatcher<Status.HasStatus> {
        private final Status status;

        HasStatus(Status status) {
            this.status = status;
        }

        /* JADX INFO: Access modifiers changed from: protected */
        public boolean matchesSafely(Status.HasStatus hasStatus) {
            return hasStatus.status() == this.status;
        }

        public void describeTo(Description description) {
            description.appendText("expects status ").appendValue(this.status);
        }

        /* JADX INFO: Access modifiers changed from: protected */
        public void describeMismatchSafely(Status.HasStatus hasStatus, Description description) {
            description.appendText("was ").appendValue(hasStatus.status());
        }
    }

    BasicAuthenticationTest() {
    }

    @Test
    void shouldNotDoAnythingOnSuccess() throws Exception {
        MatcherAssert.assertThat(this.authentication.authenticate(MapUtil.map(new Object[]{"scheme", "basic", "principal", "mike", "credentials", SecurityTestUtils.password("secret2")})).getLoginContext().subject().username(), CoreMatchers.equalTo("mike"));
    }

    @Test
    void shouldThrowAndLogOnFailure() {
        AuthenticationException assertThrows = Assertions.assertThrows(AuthenticationException.class, () -> {
            this.authentication.authenticate(MapUtil.map(new Object[]{"scheme", "basic", "principal", "bob", "credentials", SecurityTestUtils.password("banana")}));
        });
        Assertions.assertEquals(Status.Security.Unauthorized, assertThrows.status());
        Assertions.assertEquals("The client is unauthorized due to authentication failure.", assertThrows.getMessage());
    }

    @Test
    void shouldIndicateThatCredentialsExpired() throws Exception {
        Assertions.assertTrue(this.authentication.authenticate(MapUtil.map(new Object[]{"scheme", "basic", "principal", "bob", "credentials", SecurityTestUtils.password("secret")})).credentialsExpired());
    }

    @Test
    void shouldFailWhenTooManyAttempts() throws Exception {
        int nextInt = ThreadLocalRandom.current().nextInt(1, 10);
        Authentication createAuthentication = createAuthentication(nextInt);
        for (int i = 0; i < nextInt; i++) {
            try {
                createAuthentication.authenticate(MapUtil.map(new Object[]{"scheme", "basic", "principal", "bob", "credentials", SecurityTestUtils.password("gelato")}));
            } catch (AuthenticationException e) {
                MatcherAssert.assertThat(e.status(), CoreMatchers.equalTo(Status.Security.Unauthorized));
            }
        }
        AuthenticationException assertThrows = Assertions.assertThrows(AuthenticationException.class, () -> {
            createAuthentication.authenticate(MapUtil.map(new Object[]{"scheme", "basic", "principal", "bob", "credentials", SecurityTestUtils.password("gelato")}));
        });
        Assertions.assertEquals(Status.Security.AuthenticationRateLimit, assertThrows.status());
        Assertions.assertEquals("The client has provided incorrect authentication details too many times in a row.", assertThrows.getMessage());
    }

    @Test
    void shouldClearCredentialsAfterUse() throws Exception {
        byte[] password = SecurityTestUtils.password("secret2");
        this.authentication.authenticate(MapUtil.map(new Object[]{"scheme", "basic", "principal", "mike", "credentials", password}));
        MatcherAssert.assertThat(password, isCleared());
    }

    @Test
    void shouldThrowWithNoScheme() {
        Assertions.assertEquals(Status.Security.Unauthorized, Assertions.assertThrows(AuthenticationException.class, () -> {
            this.authentication.authenticate(MapUtil.map(new Object[]{"principal", "bob", "credentials", SecurityTestUtils.password("secret")}));
        }).status());
    }

    @Test
    void shouldFailOnInvalidAuthToken() {
        Assertions.assertEquals(Status.Security.Unauthorized, Assertions.assertThrows(AuthenticationException.class, () -> {
            this.authentication.authenticate(MapUtil.map(new Object[]{"this", "does", "not", "matter", "for", "test"}));
        }).status());
    }

    @Test
    void shouldFailOnMalformedToken() {
        AuthenticationException assertThrows = Assertions.assertThrows(AuthenticationException.class, () -> {
            this.authentication.authenticate(MapUtil.map(new Object[]{"scheme", "basic", "principal", Collections.singletonList("bob"), "credentials", SecurityTestUtils.password("secret")}));
        });
        Assertions.assertEquals(Status.Security.Unauthorized, assertThrows.status());
        Assertions.assertEquals("Unsupported authentication token, the value associated with the key `principal` must be a String but was: SingletonList", assertThrows.getMessage());
    }

    @BeforeEach
    void setup() throws Throwable {
        this.authentication = createAuthentication(3);
    }

    private static Authentication createAuthentication(int i) throws Exception {
        BasicSystemGraphRealm basicSystemGraphRealm = (BasicSystemGraphRealm) Mockito.spy(new BasicSystemGraphRealm(SecurityGraphInitializer.NO_OP, (DatabaseManager) null, new SecureHasher(), new RateLimitedAuthenticationStrategy(Clocks.systemClock(), Config.defaults(GraphDatabaseSettings.auth_max_failed_attempts, Integer.valueOf(i))), true));
        BasicAuthentication basicAuthentication = new BasicAuthentication(basicSystemGraphRealm);
        ((BasicSystemGraphRealm) Mockito.doReturn(new User.Builder("bob", SecurityTestUtils.credentialFor("secret")).withRequiredPasswordChange(true).build()).when(basicSystemGraphRealm)).getUser("bob");
        ((BasicSystemGraphRealm) Mockito.doReturn(new User.Builder("mike", SecurityTestUtils.credentialFor("secret2")).build()).when(basicSystemGraphRealm)).getUser("mike");
        return basicAuthentication;
    }

    private static CredentialsClearedMatcher isCleared() {
        return new CredentialsClearedMatcher();
    }
}
