package org.neo4j.server.security.enterprise.auth.integration.bolt;

import java.io.IOException;
import java.util.Map;
import java.util.function.Consumer;
import org.apache.directory.server.annotations.CreateLdapServer;
import org.apache.directory.server.annotations.CreateTransport;
import org.apache.directory.server.annotations.SaslMechanism;
import org.apache.directory.server.core.annotations.ApplyLdifFiles;
import org.apache.directory.server.core.annotations.ContextEntry;
import org.apache.directory.server.core.annotations.CreateDS;
import org.apache.directory.server.core.annotations.CreatePartition;
import org.apache.directory.server.core.annotations.LoadSchema;
import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
import org.apache.directory.server.core.integ.FrameworkRunner;
import org.apache.directory.server.ldap.handlers.sasl.cramMD5.CramMd5MechanismHandler;
import org.apache.directory.server.ldap.handlers.sasl.digestMD5.DigestMd5MechanismHandler;
import org.hamcrest.Matcher;
import org.hamcrest.MatcherAssert;
import org.junit.After;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.neo4j.bolt.v1.messaging.message.Message;
import org.neo4j.bolt.v1.messaging.message.Messages;
import org.neo4j.bolt.v1.messaging.util.MessageMatchers;
import org.neo4j.bolt.v1.transport.integration.Neo4jWithSocket;
import org.neo4j.bolt.v1.transport.integration.TransportTestUtil;
import org.neo4j.bolt.v1.transport.socket.client.Connection;
import org.neo4j.bolt.v1.transport.socket.client.SecureSocketConnection;
import org.neo4j.function.Factory;
import org.neo4j.graphdb.config.Setting;
import org.neo4j.graphdb.factory.GraphDatabaseSettings;
import org.neo4j.helpers.HostnamePort;
import org.neo4j.helpers.collection.MapUtil;
import org.neo4j.kernel.api.exceptions.Status;
import org.neo4j.server.security.enterprise.auth.SecuritySettings;
import org.neo4j.test.TestEnterpriseGraphDatabaseFactory;
import org.neo4j.test.TestGraphDatabaseFactory;

@CreateLdapServer(transports = {@CreateTransport(protocol = "LDAP", port = 10389, address = "0.0.0.0")}, saslMechanisms = {@SaslMechanism(name = "DIGEST-MD5", implClass = DigestMd5MechanismHandler.class), @SaslMechanism(name = "CRAM-MD5", implClass = CramMd5MechanismHandler.class)}, saslHost = "0.0.0.0")
@RunWith(FrameworkRunner.class)
@CreateDS(name = "Test", partitions = {@CreatePartition(name = "example", suffix = "dc=example,dc=com", contextEntry = @ContextEntry(entryLdif = "dn: dc=example,dc=com\ndc: example\no: example\nobjectClass: top\nobjectClass: dcObject\nobjectClass: organization\n\n"))}, loadedSchemas = {@LoadSchema(name = "nis", enabled = true), @LoadSchema(name = "posix", enabled = false)})
/* loaded from: input_file:org/neo4j/server/security/enterprise/auth/integration/bolt/LdapAuthenticationIT.class */
public class LdapAuthenticationIT extends AbstractLdapTestUnit {
    protected Connection client;
    final String MD5_HASHED_abc123 = "{MD5}6ZoYxCjLONXyYIU2eJIuAw==";

    @Rule
    public Neo4jWithSocket server = new Neo4jWithSocket(getTestGraphDatabaseFactory(), getSettingsFunction());
    public Factory<Connection> cf = SecureSocketConnection::new;
    public HostnamePort address = new HostnamePort("localhost:7687");
    private Consumer<Map<Setting<?>, String>> ldapOnlyAuthSettings = map -> {
        map.put(SecuritySettings.internal_authentication_enabled, "false");
        map.put(SecuritySettings.internal_authorization_enabled, "false");
        map.put(SecuritySettings.ldap_authentication_enabled, "true");
        map.put(SecuritySettings.ldap_authorization_enabled, "true");
    };

    private void restartNeo4jServerWithOverriddenSettings(Consumer<Map<Setting<?>, String>> consumer) throws IOException {
        this.server.restartDatabase(consumer);
    }

    private void restartNeo4jServerWithSaslDigestMd5() throws IOException {
        this.server.restartDatabase(this.ldapOnlyAuthSettings.andThen(map -> {
            map.put(SecuritySettings.ldap_auth_mechanism, "DIGEST-MD5");
            map.put(SecuritySettings.ldap_user_dn_template, "{0}");
        }));
    }

    private void restartNeo4jServerWithSaslCramMd5() throws IOException {
        this.server.restartDatabase(this.ldapOnlyAuthSettings.andThen(map -> {
            map.put(SecuritySettings.ldap_auth_mechanism, "CRAM-MD5");
            map.put(SecuritySettings.ldap_user_dn_template, "{0}");
        }));
    }

    protected TestGraphDatabaseFactory getTestGraphDatabaseFactory() {
        return new TestEnterpriseGraphDatabaseFactory();
    }

    protected Consumer<Map<Setting<?>, String>> getSettingsFunction() {
        return map -> {
            map.put(GraphDatabaseSettings.auth_enabled, "true");
            map.put(GraphDatabaseSettings.auth_manager, "enterprise-auth-manager");
            map.put(SecuritySettings.internal_authentication_enabled, "true");
            map.put(SecuritySettings.internal_authorization_enabled, "true");
            map.put(SecuritySettings.ldap_authentication_enabled, "true");
            map.put(SecuritySettings.ldap_authorization_enabled, "true");
            map.put(SecuritySettings.ldap_server, "0.0.0.0:10389");
            map.put(SecuritySettings.ldap_user_dn_template, "cn={0},ou=users,dc=example,dc=com");
            map.put(SecuritySettings.ldap_system_username, "uid=admin,ou=system");
            map.put(SecuritySettings.ldap_system_password, "secret");
            map.put(SecuritySettings.ldap_authorization_use_system_account, "true");
            map.put(SecuritySettings.ldap_authorization_user_search_base, "dc=example,dc=com");
            map.put(SecuritySettings.ldap_authorization_user_search_filter, "(&(objectClass=*)(uid={0}))");
            map.put(SecuritySettings.ldap_authorization_group_membership_attribute_names, "gidnumber");
            map.put(SecuritySettings.ldap_authorization_group_to_role_mapping, "500=reader;501=publisher;502=architect;503=admin");
        };
    }

    @Test
    @ApplyLdifFiles({"ldap_test_data.ldif"})
    public void shouldLoginWithLdap() throws Throwable {
        assertAuth("neo4j", "abc123");
    }

    @Test
    @ApplyLdifFiles({"ldap_test_data.ldif"})
    public void shouldFailToLoginWithLdapIfInvalidCredentials() throws Throwable {
        assertAuthFail("neo4j", "CANT_REMEMBER_MY_PASSWORDS_ANYMORE!");
    }

    @Test
    @ApplyLdifFiles({"ldap_test_data.ldif"})
    public void shouldLoginWithLdapUsingSaslDigestMd5() throws Throwable {
        restartNeo4jServerWithSaslDigestMd5();
        assertAuth("neo4j", "{MD5}6ZoYxCjLONXyYIU2eJIuAw==");
    }

    @Test
    @ApplyLdifFiles({"ldap_test_data.ldif"})
    public void shouldFailToLoginWithLdapDigestMd5IfInvalidCredentials() throws Throwable {
        restartNeo4jServerWithSaslDigestMd5();
        assertAuthFail("neo4j", "{MD5}6ZoYxCjLONXyYIU2eJIuAw==".toUpperCase());
    }

    @Test
    @ApplyLdifFiles({"ldap_test_data.ldif"})
    public void shouldLoginWithLdapUsingSaslCramMd5() throws Throwable {
        restartNeo4jServerWithSaslCramMd5();
        assertAuth("neo4j", "{MD5}6ZoYxCjLONXyYIU2eJIuAw==");
    }

    @Test
    @ApplyLdifFiles({"ldap_test_data.ldif"})
    public void shouldFailToLoginWithLdapCramMd5IfInvalidCredentials() throws Throwable {
        restartNeo4jServerWithSaslCramMd5();
        assertAuthFail("neo4j", "{MD5}6ZoYxCjLONXyYIU2eJIuAw==".toUpperCase());
    }

    @Test
    @ApplyLdifFiles({"ldap_test_data.ldif"})
    public void shouldBeAbleToLoginAndAuthorizeReaderWithLdapOnly() throws Throwable {
        restartNeo4jServerWithOverriddenSettings(this.ldapOnlyAuthSettings);
        testAuthWithReaderUser();
    }

    @Test
    @ApplyLdifFiles({"ldap_test_data.ldif"})
    public void shouldBeAbleToLoginAndAuthorizePublisherWithLdapOnly() throws Throwable {
        restartNeo4jServerWithOverriddenSettings(this.ldapOnlyAuthSettings);
        testAuthWithPublisherUser();
    }

    @Test
    @ApplyLdifFiles({"ldap_test_data.ldif"})
    public void shouldBeAbleToLoginAndAuthorizeNoPermissionUserWithLdapOnly() throws Throwable {
        restartNeo4jServerWithOverriddenSettings(this.ldapOnlyAuthSettings);
        testAuthWithNoPermissionUser("smith");
    }

    @Test
    @ApplyLdifFiles({"ldap_test_data.ldif"})
    public void shouldBeAbleToLoginAndAuthorizeNoPermissionUserWithLdapOnlyAndNoGroupToRoleMapping() throws Throwable {
        restartNeo4jServerWithOverriddenSettings(this.ldapOnlyAuthSettings.andThen(map -> {
            map.put(SecuritySettings.ldap_authorization_group_to_role_mapping, null);
        }));
        testAuthWithNoPermissionUser("neo");
    }

    @Test
    @ApplyLdifFiles({"ldap_test_data.ldif"})
    public void shouldBeAbleToLoginAndAuthorizeReaderWithUserLdapContext() throws Throwable {
        restartNeo4jServerWithOverriddenSettings(this.ldapOnlyAuthSettings.andThen(map -> {
            map.put(SecuritySettings.ldap_authorization_use_system_account, "false");
        }));
        testAuthWithReaderUser();
    }

    @Test
    @ApplyLdifFiles({"ldap_test_data.ldif"})
    public void shouldBeAbleToLoginAndAuthorizePublisherWithUserLdapContext() throws Throwable {
        restartNeo4jServerWithOverriddenSettings(this.ldapOnlyAuthSettings.andThen(map -> {
            map.put(SecuritySettings.ldap_authorization_use_system_account, "false");
        }));
        testAuthWithPublisherUser();
    }

    @Test
    @ApplyLdifFiles({"ldap_test_data.ldif"})
    public void shouldBeAbleToLoginAndAuthorizeNoPermissionUserWithUserLdapContext() throws Throwable {
        restartNeo4jServerWithOverriddenSettings(this.ldapOnlyAuthSettings.andThen(map -> {
            map.put(SecuritySettings.ldap_authorization_use_system_account, "false");
        }));
        testAuthWithNoPermissionUser("smith");
    }

    @Test
    @ApplyLdifFiles({"ldap_test_data.ldif"})
    public void shouldBeAbleToLoginAndAuthorizeNoPermissionUserWithUserLdapContextAndNoGroupToRoleMapping() throws Throwable {
        restartNeo4jServerWithOverriddenSettings(this.ldapOnlyAuthSettings.andThen(map -> {
            map.put(SecuritySettings.ldap_authorization_use_system_account, "false");
            map.put(SecuritySettings.ldap_authorization_group_to_role_mapping, null);
        }));
        testAuthWithNoPermissionUser("neo");
    }

    @Test
    @ApplyLdifFiles({"ldap_test_data.ldif"})
    public void shouldBeAbleToLoginWithLdapAndAuthorizeInternally() throws Throwable {
        restartNeo4jServerWithOverriddenSettings(map -> {
            map.put(SecuritySettings.internal_authentication_enabled, "false");
            map.put(SecuritySettings.internal_authorization_enabled, "true");
            map.put(SecuritySettings.ldap_authentication_enabled, "true");
            map.put(SecuritySettings.ldap_authorization_enabled, "false");
        });
        testCreateReaderUser();
        reconnect();
        testAuthWithReaderUser();
    }

    @Before
    public void setup() {
        this.client = (Connection) this.cf.newInstance();
    }

    @After
    public void teardown() throws Exception {
        if (this.client != null) {
            this.client.disconnect();
        }
    }

    private void reconnect() throws Exception {
        if (this.client != null) {
            this.client.disconnect();
        }
        this.client = (Connection) this.cf.newInstance();
    }

    private void testCreateReaderUser() throws Exception {
        assertAuth("neo4j", "abc123");
        this.client.send(TransportTestUtil.chunk(new Message[]{Messages.run("CALL dbms.changeUserPassword('neo4j', '123') CALL dbms.createUser( 'neo', 'invalid', false ) CALL dbms.addUserToRole( 'neo', 'reader' ) RETURN 0"), Messages.pullAll()}));
        MatcherAssert.assertThat(this.client, TransportTestUtil.eventuallyRecieves(new Matcher[]{MessageMatchers.msgSuccess()}));
    }

    private void testAuthWithReaderUser() throws Exception {
        assertAuth("neo", "abc123");
        this.client.send(TransportTestUtil.chunk(new Message[]{Messages.run("MATCH (n) RETURN n"), Messages.pullAll()}));
        MatcherAssert.assertThat(this.client, TransportTestUtil.eventuallyRecieves(new Matcher[]{MessageMatchers.msgSuccess(), MessageMatchers.msgSuccess()}));
        this.client.send(TransportTestUtil.chunk(new Message[]{Messages.run("CREATE ()"), Messages.pullAll()}));
        MatcherAssert.assertThat(this.client, TransportTestUtil.eventuallyRecieves(new Matcher[]{MessageMatchers.msgFailure(Status.Security.Forbidden, String.format("Write operations are not allowed for 'neo'.", new Object[0]))}));
    }

    private void testAuthWithPublisherUser() throws Exception {
        assertAuth("tank", "abc123");
        this.client.send(TransportTestUtil.chunk(new Message[]{Messages.run("CREATE ()"), Messages.pullAll()}));
        MatcherAssert.assertThat(this.client, TransportTestUtil.eventuallyRecieves(new Matcher[]{MessageMatchers.msgSuccess(), MessageMatchers.msgSuccess()}));
    }

    private void testAuthWithNoPermissionUser(String str) throws Exception {
        assertAuth(str, "abc123");
        this.client.send(TransportTestUtil.chunk(new Message[]{Messages.run("MATCH (n) RETURN n"), Messages.pullAll()}));
        MatcherAssert.assertThat(this.client, TransportTestUtil.eventuallyRecieves(new Matcher[]{MessageMatchers.msgFailure(Status.Security.Forbidden, String.format("Read operations are not allowed for '%s'.", str))}));
    }

    private void assertAuth(String str, String str2) throws Exception {
        this.client.connect(this.address).send(TransportTestUtil.acceptedVersions(1L, 0L, 0L, 0L)).send(TransportTestUtil.chunk(new Message[]{Messages.init("TestClient/1.1", MapUtil.map(new Object[]{"principal", str, "credentials", str2, "scheme", "basic"}))}));
        MatcherAssert.assertThat(this.client, TransportTestUtil.eventuallyRecieves(new byte[]{0, 0, 0, 1}));
        MatcherAssert.assertThat(this.client, TransportTestUtil.eventuallyRecieves(new Matcher[]{MessageMatchers.msgSuccess()}));
    }

    private void assertAuthFail(String str, String str2) throws Exception {
        this.client.connect(this.address).send(TransportTestUtil.acceptedVersions(1L, 0L, 0L, 0L)).send(TransportTestUtil.chunk(new Message[]{Messages.init("TestClient/1.1", MapUtil.map(new Object[]{"principal", str, "credentials", str2, "scheme", "basic"}))}));
        MatcherAssert.assertThat(this.client, TransportTestUtil.eventuallyRecieves(new byte[]{0, 0, 0, 1}));
        MatcherAssert.assertThat(this.client, TransportTestUtil.eventuallyRecieves(new Matcher[]{MessageMatchers.msgFailure(Status.Security.Unauthorized, "The client is unauthorized due to authentication failure.")}));
    }
}
