package org.neo4j.server.security.enterprise.auth;

import com.google.common.testing.FakeTicker;
import java.time.Clock;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.Permission;
import org.apache.shiro.realm.Realm;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.hamcrest.Matchers;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.mockito.Mockito;
import org.neo4j.helpers.collection.MapUtil;
import org.neo4j.kernel.api.security.exception.InvalidAuthTokenException;
import org.neo4j.kernel.configuration.Config;
import org.neo4j.kernel.enterprise.api.security.EnterpriseAuthSubject;
import org.neo4j.kernel.impl.enterprise.SecurityLog;
import org.neo4j.kernel.impl.util.JobScheduler;
import org.neo4j.server.security.auth.BasicPasswordPolicy;
import org.neo4j.server.security.auth.InMemoryUserRepository;
import org.neo4j.server.security.auth.RateLimitedAuthenticationStrategy;
import org.neo4j.server.security.auth.SecurityTestUtils;
import org.neo4j.server.security.enterprise.auth.ShiroCaffeineCache;

/* loaded from: input_file:org/neo4j/server/security/enterprise/auth/LdapCachingTest.class */
public class LdapCachingTest {
    private MultiRealmAuthManager authManager;
    private TestRealm testRealm;
    private FakeTicker fakeTicker;

    /* loaded from: input_file:org/neo4j/server/security/enterprise/auth/LdapCachingTest$TestRealm.class */
    private class TestRealm extends LdapRealm {
        private boolean authenticationFlag;
        private boolean authorizationFlag;

        boolean takeAuthenticationFlag() {
            boolean z = this.authenticationFlag;
            this.authenticationFlag = false;
            return z;
        }

        boolean takeAuthorizationFlag() {
            boolean z = this.authorizationFlag;
            this.authorizationFlag = false;
            return z;
        }

        TestRealm(Config config, SecurityLog securityLog) {
            super(config, securityLog);
            this.authenticationFlag = false;
            this.authorizationFlag = false;
            setAuthenticationCachingEnabled(true);
            setAuthorizationCachingEnabled(true);
        }

        public String getName() {
            return "TestRealm wrapping " + super.getName();
        }

        public boolean supports(AuthenticationToken authenticationToken) {
            return super.supports(authenticationToken);
        }

        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
            this.authenticationFlag = true;
            return new AuthenticationInfo() { // from class: org.neo4j.server.security.enterprise.auth.LdapCachingTest.TestRealm.1
                public PrincipalCollection getPrincipals() {
                    return new SimplePrincipalCollection();
                }

                public Object getCredentials() {
                    return "123";
                }
            };
        }

        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
            this.authorizationFlag = true;
            return new AuthorizationInfo() { // from class: org.neo4j.server.security.enterprise.auth.LdapCachingTest.TestRealm.2
                public Collection<String> getRoles() {
                    return Collections.emptyList();
                }

                public Collection<String> getStringPermissions() {
                    return Collections.emptyList();
                }

                public Collection<Permission> getObjectPermissions() {
                    return Collections.emptyList();
                }
            };
        }
    }

    @Before
    public void setup() throws Throwable {
        SecurityLog securityLog = (SecurityLog) Mockito.mock(SecurityLog.class);
        Realm internalFlatFileRealm = new InternalFlatFileRealm(new InMemoryUserRepository(), new InMemoryRoleRepository(), new BasicPasswordPolicy(), new RateLimitedAuthenticationStrategy(Clock.systemUTC(), 3), (JobScheduler) Mockito.mock(JobScheduler.class));
        this.testRealm = new TestRealm(getLdapConfig(), securityLog);
        List listOf = AuthTestUtil.listOf(internalFlatFileRealm, this.testRealm);
        this.fakeTicker = new FakeTicker();
        FakeTicker fakeTicker = this.fakeTicker;
        fakeTicker.getClass();
        this.authManager = new MultiRealmAuthManager(internalFlatFileRealm, listOf, new ShiroCaffeineCache.Manager(fakeTicker::read, 100L, 10), securityLog, false);
        this.authManager.init();
        this.authManager.start();
        this.authManager.getUserManager().newUser("mike", "123", false);
        this.authManager.getUserManager().newUser("mats", "456", false);
    }

    private Config getLdapConfig() {
        return new Config(MapUtil.stringMap(new String[]{SecuritySettings.native_authentication_enabled.name(), "false", SecuritySettings.native_authorization_enabled.name(), "false", SecuritySettings.ldap_authentication_enabled.name(), "true", SecuritySettings.ldap_authorization_enabled.name(), "true", SecuritySettings.ldap_authorization_user_search_base.name(), "dc=example,dc=com", SecuritySettings.ldap_authorization_group_membership_attribute_names.name(), "gidnumber"}));
    }

    @Test
    public void shouldCacheAuthenticationInfo() throws InvalidAuthTokenException {
        this.authManager.login(SecurityTestUtils.authToken("mike", "123"));
        Assert.assertThat("Test realm did not receive a call", Boolean.valueOf(this.testRealm.takeAuthenticationFlag()), Matchers.is(true));
        this.authManager.login(SecurityTestUtils.authToken("mike", "123"));
        Assert.assertThat("Test realm received a call", Boolean.valueOf(this.testRealm.takeAuthenticationFlag()), Matchers.is(false));
    }

    @Test
    public void shouldCacheAuthorizationInfo() throws InvalidAuthTokenException {
        EnterpriseAuthSubject login = this.authManager.login(SecurityTestUtils.authToken("mike", "123"));
        login.allowsReads();
        Assert.assertThat("Test realm did not receive a call", Boolean.valueOf(this.testRealm.takeAuthorizationFlag()), Matchers.is(true));
        login.allowsWrites();
        Assert.assertThat("Test realm received a call", Boolean.valueOf(this.testRealm.takeAuthorizationFlag()), Matchers.is(false));
    }

    @Test
    public void shouldInvalidateAuthorizationCacheAfterTTL() throws InvalidAuthTokenException {
        EnterpriseAuthSubject login = this.authManager.login(SecurityTestUtils.authToken("mike", "123"));
        login.allowsReads();
        Assert.assertThat("Test realm did not receive a call", Boolean.valueOf(this.testRealm.takeAuthorizationFlag()), Matchers.is(true));
        this.fakeTicker.advance(99L, TimeUnit.MILLISECONDS);
        login.allowsWrites();
        Assert.assertThat("Test realm received a call", Boolean.valueOf(this.testRealm.takeAuthorizationFlag()), Matchers.is(false));
        this.fakeTicker.advance(2L, TimeUnit.MILLISECONDS);
        login.allowsWrites();
        Assert.assertThat("Test realm did not received a call", Boolean.valueOf(this.testRealm.takeAuthorizationFlag()), Matchers.is(true));
    }

    @Test
    public void shouldInvalidateAuthenticationCacheAfterTTL() throws InvalidAuthTokenException {
        Map authToken = SecurityTestUtils.authToken("mike", "123");
        this.authManager.login(authToken);
        Assert.assertThat("Test realm did not receive a call", Boolean.valueOf(this.testRealm.takeAuthenticationFlag()), Matchers.is(true));
        this.fakeTicker.advance(99L, TimeUnit.MILLISECONDS);
        this.authManager.login(authToken);
        Assert.assertThat("Test realm received a call", Boolean.valueOf(this.testRealm.takeAuthenticationFlag()), Matchers.is(false));
        this.fakeTicker.advance(2L, TimeUnit.MILLISECONDS);
        this.authManager.login(authToken);
        Assert.assertThat("Test realm did not received a call", Boolean.valueOf(this.testRealm.takeAuthenticationFlag()), Matchers.is(true));
    }

    @Test
    public void shouldInvalidateAuthenticationCacheOnDemand() throws InvalidAuthTokenException {
        Map authToken = SecurityTestUtils.authToken("mike", "123");
        this.authManager.login(authToken);
        Assert.assertThat("Test realm did not receive a call", Boolean.valueOf(this.testRealm.takeAuthenticationFlag()), Matchers.is(true));
        this.fakeTicker.advance(2L, TimeUnit.MILLISECONDS);
        this.authManager.login(authToken);
        Assert.assertThat("Test realm received a call", Boolean.valueOf(this.testRealm.takeAuthenticationFlag()), Matchers.is(false));
        this.authManager.clearAuthCache();
        this.authManager.login(authToken);
        Assert.assertThat("Test realm did not receive a call", Boolean.valueOf(this.testRealm.takeAuthenticationFlag()), Matchers.is(true));
    }
}
