package org.neo4j.server.security.enterprise.auth;

import java.io.IOException;
import org.apache.shiro.mgt.SecurityManager;
import org.junit.Before;
import org.junit.Test;
import org.mockito.Mockito;
import org.neo4j.function.ThrowingAction;
import org.neo4j.graphdb.security.AuthorizationViolationException;
import org.neo4j.kernel.api.exceptions.InvalidArgumentsException;
import org.neo4j.kernel.api.security.AuthenticationResult;
import org.neo4j.kernel.enterprise.api.security.EnterpriseSecurityContext;
import org.neo4j.kernel.impl.util.JobScheduler;
import org.neo4j.kernel.internal.GraphDatabaseAPI;
import org.neo4j.logging.AssertableLogProvider;
import org.neo4j.server.security.auth.AuthenticationStrategy;
import org.neo4j.server.security.auth.BasicPasswordPolicy;
import org.neo4j.server.security.auth.InMemoryUserRepository;
import org.neo4j.server.security.enterprise.log.SecurityLog;
import org.neo4j.test.assertion.Assert;

/* loaded from: input_file:org/neo4j/server/security/enterprise/auth/UserManagementProceduresLoggingTest.class */
public class UserManagementProceduresLoggingTest {
    private TestUserManagementProcedures authProcedures;
    private AssertableLogProvider log = null;
    private EnterpriseSecurityContext matsContext = null;
    private EnterpriseUserManager generalUserManager;

    /* loaded from: input_file:org/neo4j/server/security/enterprise/auth/UserManagementProceduresLoggingTest$TestSecurityContext.class */
    private static class TestSecurityContext extends StandardEnterpriseSecurityContext {
        private final String name;
        private final boolean isAdmin;
        private final EnterpriseUserManager userManager;

        TestSecurityContext(String str, boolean z, EnterpriseUserManager enterpriseUserManager) {
            super((MultiRealmAuthManager) null, new TestShiroSubject(str));
            this.name = str;
            this.isAdmin = z;
            this.userManager = enterpriseUserManager;
        }

        public boolean isAdmin() {
            return this.isAdmin;
        }

        public EnterpriseUserManager getUserManager() {
            return this.userManager;
        }
    }

    /* loaded from: input_file:org/neo4j/server/security/enterprise/auth/UserManagementProceduresLoggingTest$TestShiroSubject.class */
    private static class TestShiroSubject extends ShiroSubject {
        private final String name;

        TestShiroSubject(String str) {
            super((SecurityManager) Mockito.mock(SecurityManager.class), AuthenticationResult.SUCCESS);
            this.name = str;
        }

        public Object getPrincipal() {
            return this.name;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/neo4j/server/security/enterprise/auth/UserManagementProceduresLoggingTest$TestUserManagementProcedures.class */
    public static class TestUserManagementProcedures extends UserManagementProcedures {
        private boolean failTerminateTransactions;

        private TestUserManagementProcedures() {
            this.failTerminateTransactions = false;
        }

        void failTerminateTransaction() {
            this.failTerminateTransactions = true;
        }

        protected void terminateTransactionsForValidUser(String str) {
            if (this.failTerminateTransactions) {
                throw new RuntimeException("Unexpected error");
            }
        }

        protected void terminateConnectionsForValidUser(String str) {
        }
    }

    @Before
    public void setUp() throws Throwable {
        this.log = new AssertableLogProvider();
        SecurityLog securityLog = new SecurityLog(this.log.getLog(getClass()));
        this.authProcedures = new TestUserManagementProcedures();
        this.authProcedures.graph = (GraphDatabaseAPI) Mockito.mock(GraphDatabaseAPI.class);
        this.authProcedures.securityLog = securityLog;
        this.generalUserManager = getUserManager();
        TestSecurityContext testSecurityContext = new TestSecurityContext("admin", true, this.generalUserManager);
        this.matsContext = new TestSecurityContext("mats", false, this.generalUserManager);
        setSubject(testSecurityContext);
    }

    private void setSubject(EnterpriseSecurityContext enterpriseSecurityContext) {
        this.authProcedures.securityContext = enterpriseSecurityContext;
        this.authProcedures.userManager = new PersonalUserManager(this.generalUserManager, enterpriseSecurityContext, this.authProcedures.securityLog);
    }

    private EnterpriseUserManager getUserManager() throws Throwable {
        InternalFlatFileRealm internalFlatFileRealm = new InternalFlatFileRealm(new InMemoryUserRepository(), new InMemoryRoleRepository(), new BasicPasswordPolicy(), (AuthenticationStrategy) Mockito.mock(AuthenticationStrategy.class), (JobScheduler) Mockito.mock(JobScheduler.class), new InMemoryUserRepository(), new InMemoryUserRepository());
        internalFlatFileRealm.start();
        return internalFlatFileRealm;
    }

    @Test
    public void shouldLogCreatingUser() throws Throwable {
        this.authProcedures.createUser("andres", "el password", true);
        this.authProcedures.createUser("mats", "el password", false);
        this.log.assertExactly(new AssertableLogProvider.LogMatcher[]{info("[admin]: created user `%s`%s", "andres", ", with password change required"), info("[admin]: created user `%s`%s", "mats", "")});
    }

    @Test
    public void shouldLogFailureToCreateUser() throws Throwable {
        catchInvalidArguments(() -> {
            this.authProcedures.createUser(null, "pw", true);
        });
        catchInvalidArguments(() -> {
            this.authProcedures.createUser("", "pw", true);
        });
        catchInvalidArguments(() -> {
            this.authProcedures.createUser("andres", "", true);
        });
        catchInvalidArguments(() -> {
            this.authProcedures.createUser("mats", null, true);
        });
        catchInvalidArguments(() -> {
            this.authProcedures.createUser("neo4j", "nonEmpty", true);
        });
        this.log.assertExactly(new AssertableLogProvider.LogMatcher[]{error("[admin]: tried to create user `%s`: %s", null, "The provided username is empty."), error("[admin]: tried to create user `%s`: %s", "", "The provided username is empty."), error("[admin]: tried to create user `%s`: %s", "andres", "A password cannot be empty."), error("[admin]: tried to create user `%s`: %s", "mats", "A password cannot be empty."), error("[admin]: tried to create user `%s`: %s", "neo4j", "The specified user 'neo4j' already exists.")});
    }

    @Test
    public void shouldLogUnauthorizedCreatingUser() throws Throwable {
        setSubject(this.matsContext);
        catchAuthorizationViolation(() -> {
            this.authProcedures.createUser("andres", "", true);
        });
        this.log.assertExactly(new AssertableLogProvider.LogMatcher[]{error("[mats]: tried to create user `%s`: %s", "andres", "Permission denied.")});
    }

    @Test
    public void shouldLogDeletingUser() throws Throwable {
        this.authProcedures.createUser("andres", "el password", false);
        this.authProcedures.deleteUser("andres");
        this.log.assertExactly(new AssertableLogProvider.LogMatcher[]{info("[admin]: created user `%s`%s", "andres", ""), info("[admin]: deleted user `%s`", "andres")});
    }

    @Test
    public void shouldLogDeletingNonExistentUser() throws Throwable {
        catchInvalidArguments(() -> {
            this.authProcedures.deleteUser("andres");
        });
        this.log.assertExactly(new AssertableLogProvider.LogMatcher[]{error("[admin]: tried to delete user `%s`: %s", "andres", "User 'andres' does not exist.")});
    }

    @Test
    public void shouldLogUnauthorizedDeleteUser() throws Throwable {
        setSubject(this.matsContext);
        catchAuthorizationViolation(() -> {
            this.authProcedures.deleteUser("admin");
        });
        this.log.assertExactly(new AssertableLogProvider.LogMatcher[]{error("[mats]: tried to delete user `%s`: %s", "admin", "Permission denied.")});
    }

    @Test
    public void shouldLogAddingRoleToUser() throws Throwable {
        this.authProcedures.createUser("mats", "neo4j", false);
        this.authProcedures.addRoleToUser("architect", "mats");
        this.log.assertExactly(new AssertableLogProvider.LogMatcher[]{info("[admin]: created user `%s`%s", "mats", ""), info("[admin]: added role `%s` to user `%s`", "architect", "mats")});
    }

    @Test
    public void shouldLogFailureToAddRoleToUser() throws Throwable {
        this.authProcedures.createUser("mats", "neo4j", false);
        catchInvalidArguments(() -> {
            this.authProcedures.addRoleToUser("null", "mats");
        });
        this.log.assertExactly(new AssertableLogProvider.LogMatcher[]{info("[admin]: created user `%s`%s", "mats", ""), error("[admin]: tried to add role `%s` to user `%s`: %s", "null", "mats", "Role 'null' does not exist.")});
    }

    @Test
    public void shouldLogUnauthorizedAddingRole() throws Throwable {
        setSubject(this.matsContext);
        catchAuthorizationViolation(() -> {
            this.authProcedures.addRoleToUser("admin", "mats");
        });
        this.log.assertExactly(new AssertableLogProvider.LogMatcher[]{error("[mats]: tried to add role `%s` to user `%s`: %s", "admin", "mats", "Permission denied.")});
    }

    @Test
    public void shouldLogRemovalOfRoleFromUser() throws Throwable {
        this.authProcedures.createUser("mats", "neo4j", false);
        this.authProcedures.addRoleToUser("reader", "mats");
        this.log.clear();
        this.authProcedures.removeRoleFromUser("reader", "mats");
        this.log.assertExactly(new AssertableLogProvider.LogMatcher[]{info("[admin]: removed role `%s` from user `%s`", "reader", "mats")});
    }

    @Test
    public void shouldLogFailureToRemoveRoleFromUser() throws Throwable {
        this.authProcedures.createUser("mats", "neo4j", false);
        this.authProcedures.addRoleToUser("reader", "mats");
        this.log.clear();
        catchInvalidArguments(() -> {
            this.authProcedures.removeRoleFromUser("notReader", "mats");
        });
        catchInvalidArguments(() -> {
            this.authProcedures.removeRoleFromUser("reader", "notMats");
        });
        this.log.assertExactly(new AssertableLogProvider.LogMatcher[]{error("[admin]: tried to remove role `%s` from user `%s`: %s", "notReader", "mats", "Role 'notReader' does not exist."), error("[admin]: tried to remove role `%s` from user `%s`: %s", "reader", "notMats", "User 'notMats' does not exist.")});
    }

    @Test
    public void shouldLogUnauthorizedRemovingRole() throws Throwable {
        setSubject(this.matsContext);
        catchAuthorizationViolation(() -> {
            this.authProcedures.removeRoleFromUser("admin", "admin");
        });
        this.log.assertExactly(new AssertableLogProvider.LogMatcher[]{error("[mats]: tried to remove role `%s` from user `%s`: %s", "admin", "admin", "Permission denied.")});
    }

    @Test
    public void shouldLogUserPasswordChanges() throws IOException, InvalidArgumentsException {
        this.authProcedures.createUser("mats", "neo4j", true);
        this.log.clear();
        this.authProcedures.changeUserPassword("mats", "longPassword", false);
        this.authProcedures.changeUserPassword("mats", "longerPassword", true);
        setSubject(this.matsContext);
        this.authProcedures.changeUserPassword("mats", "evenLongerPassword", false);
        this.authProcedures.changePassword("superLongPassword", false);
        this.authProcedures.changePassword("infinitePassword", true);
        this.log.assertExactly(new AssertableLogProvider.LogMatcher[]{info("[admin]: changed password for user `%s`%s", "mats", ""), info("[admin]: changed password for user `%s`%s", "mats", ", with password change required"), info("[mats]: changed password%s", ""), info("[mats]: changed password%s", ""), info("[mats]: changed password%s", ", with password change required")});
    }

    @Test
    public void shouldLogFailureToChangeUserPassword() throws Throwable {
        this.authProcedures.createUser("andres", "neo4j", true);
        this.log.clear();
        catchInvalidArguments(() -> {
            this.authProcedures.changeUserPassword("andres", "neo4j", false);
        });
        catchInvalidArguments(() -> {
            this.authProcedures.changeUserPassword("andres", "", false);
        });
        catchInvalidArguments(() -> {
            this.authProcedures.changeUserPassword("notAndres", "good password", false);
        });
        this.log.assertExactly(new AssertableLogProvider.LogMatcher[]{error("[admin]: tried to change password for user `%s`: %s", "andres", "Old password and new password cannot be the same."), error("[admin]: tried to change password for user `%s`: %s", "andres", "A password cannot be empty."), error("[admin]: tried to change password for user `%s`: %s", "notAndres", "User 'notAndres' does not exist.")});
    }

    @Test
    public void shouldLogFailureToChangeOwnPassword() throws Throwable {
        this.authProcedures.createUser("mats", "neo4j", true);
        setSubject(this.matsContext);
        this.log.clear();
        catchInvalidArguments(() -> {
            this.authProcedures.changeUserPassword("mats", "neo4j", false);
        });
        catchInvalidArguments(() -> {
            this.authProcedures.changeUserPassword("mats", "", false);
        });
        catchInvalidArguments(() -> {
            this.authProcedures.changePassword(null, false);
        });
        catchInvalidArguments(() -> {
            this.authProcedures.changePassword("", false);
        });
        catchInvalidArguments(() -> {
            this.authProcedures.changePassword("neo4j", false);
        });
        this.log.assertExactly(new AssertableLogProvider.LogMatcher[]{error("[mats]: tried to change password: %s", "Old password and new password cannot be the same."), error("[mats]: tried to change password: %s", "A password cannot be empty."), error("[mats]: tried to change password: %s", "A password cannot be empty."), error("[mats]: tried to change password: %s", "A password cannot be empty."), error("[mats]: tried to change password: %s", "Old password and new password cannot be the same.")});
    }

    @Test
    public void shouldLogUnauthorizedChangePassword() throws Throwable {
        this.authProcedures.createUser("andres", "neo4j", true);
        this.log.clear();
        setSubject(this.matsContext);
        catchAuthorizationViolation(() -> {
            this.authProcedures.changeUserPassword("andres", "otherPw", false);
        });
        this.log.assertExactly(new AssertableLogProvider.LogMatcher[]{error("[mats]: tried to change password for user `%s`: %s", "andres", "Permission denied.")});
    }

    @Test
    public void shouldLogSuspendUser() throws Throwable {
        this.authProcedures.createUser("mats", "neo4j", false);
        this.log.clear();
        this.authProcedures.suspendUser("mats");
        this.authProcedures.suspendUser("mats");
        this.log.assertExactly(new AssertableLogProvider.LogMatcher[]{info("[admin]: suspended user `%s`", "mats"), info("[admin]: suspended user `%s`", "mats")});
    }

    @Test
    public void shouldLogFailureToSuspendUser() throws Throwable {
        this.authProcedures.createUser("mats", "neo4j", false);
        this.log.clear();
        catchInvalidArguments(() -> {
            this.authProcedures.suspendUser("notMats");
        });
        catchInvalidArguments(() -> {
            this.authProcedures.suspendUser("admin");
        });
        this.log.assertExactly(new AssertableLogProvider.LogMatcher[]{error("[admin]: tried to suspend user `%s`: %s", "notMats", "User 'notMats' does not exist."), error("[admin]: tried to suspend user `%s`: %s", "admin", "Suspending yourself (user 'admin') is not allowed.")});
    }

    @Test
    public void shouldLogUnauthorizedSuspendUser() throws Throwable {
        setSubject(this.matsContext);
        catchAuthorizationViolation(() -> {
            this.authProcedures.suspendUser("admin");
        });
        this.log.assertExactly(new AssertableLogProvider.LogMatcher[]{error("[mats]: tried to suspend user `%s`: %s", "admin", "Permission denied.")});
    }

    @Test
    public void shouldLogActivateUser() throws Throwable {
        this.authProcedures.createUser("mats", "neo4j", false);
        this.authProcedures.suspendUser("mats");
        this.log.clear();
        this.authProcedures.activateUser("mats", false);
        this.authProcedures.activateUser("mats", false);
        this.log.assertExactly(new AssertableLogProvider.LogMatcher[]{info("[admin]: activated user `%s`", "mats"), info("[admin]: activated user `%s`", "mats")});
    }

    @Test
    public void shouldLogFailureToActivateUser() throws Throwable {
        catchInvalidArguments(() -> {
            this.authProcedures.activateUser("notMats", false);
        });
        catchInvalidArguments(() -> {
            this.authProcedures.activateUser("admin", false);
        });
        this.log.assertExactly(new AssertableLogProvider.LogMatcher[]{error("[admin]: tried to activate user `%s`: %s", "notMats", "User 'notMats' does not exist."), error("[admin]: tried to activate user `%s`: %s", "admin", "Activating yourself (user 'admin') is not allowed.")});
    }

    @Test
    public void shouldLogUnauthorizedActivateUser() throws Throwable {
        setSubject(this.matsContext);
        catchAuthorizationViolation(() -> {
            this.authProcedures.activateUser("admin", true);
        });
        this.log.assertExactly(new AssertableLogProvider.LogMatcher[]{error("[mats]: tried to activate user `%s`: %s", "admin", "Permission denied.")});
    }

    @Test
    public void shouldLogCreatingRole() throws Throwable {
        this.authProcedures.createRole("role");
        this.log.assertExactly(new AssertableLogProvider.LogMatcher[]{info("[admin]: created role `%s`", "role")});
    }

    @Test
    public void shouldLogFailureToCreateRole() throws Throwable {
        this.authProcedures.createRole("role");
        this.log.clear();
        catchInvalidArguments(() -> {
            this.authProcedures.createRole(null);
        });
        catchInvalidArguments(() -> {
            this.authProcedures.createRole("");
        });
        catchInvalidArguments(() -> {
            this.authProcedures.createRole("role");
        });
        catchInvalidArguments(() -> {
            this.authProcedures.createRole("!@#$");
        });
        this.log.assertExactly(new AssertableLogProvider.LogMatcher[]{error("[admin]: tried to create role `%s`: %s", null, "The provided role name is empty."), error("[admin]: tried to create role `%s`: %s", "", "The provided role name is empty."), error("[admin]: tried to create role `%s`: %s", "role", "The specified role 'role' already exists."), error("[admin]: tried to create role `%s`: %s", "!@#$", "Role name '!@#$' contains illegal characters. Use simple ascii characters and numbers.")});
    }

    @Test
    public void shouldLogUnauthorizedCreateRole() throws Exception {
        setSubject(this.matsContext);
        catchAuthorizationViolation(() -> {
            this.authProcedures.createRole("role");
        });
        this.log.assertExactly(new AssertableLogProvider.LogMatcher[]{error("[mats]: tried to create role `%s`: %s", "role", "Permission denied.")});
    }

    @Test
    public void shouldLogDeletingRole() throws Exception {
        this.authProcedures.createRole("foo");
        this.log.clear();
        this.authProcedures.deleteRole("foo");
        this.log.assertExactly(new AssertableLogProvider.LogMatcher[]{info("[admin]: deleted role `%s`", "foo")});
    }

    @Test
    public void shouldLogFailureToDeleteRole() throws Exception {
        catchInvalidArguments(() -> {
            this.authProcedures.deleteRole(null);
        });
        catchInvalidArguments(() -> {
            this.authProcedures.deleteRole("");
        });
        catchInvalidArguments(() -> {
            this.authProcedures.deleteRole("foo");
        });
        catchInvalidArguments(() -> {
            this.authProcedures.deleteRole("admin");
        });
        this.log.assertExactly(new AssertableLogProvider.LogMatcher[]{error("[admin]: tried to delete role `%s`: %s", null, "Role 'null' does not exist."), error("[admin]: tried to delete role `%s`: %s", "", "Role '' does not exist."), error("[admin]: tried to delete role `%s`: %s", "foo", "Role 'foo' does not exist."), error("[admin]: tried to delete role `%s`: %s", "admin", "'admin' is a predefined role and can not be deleted.")});
    }

    @Test
    public void shouldLogUnauthorizedDeletingRole() throws Exception {
        setSubject(this.matsContext);
        catchAuthorizationViolation(() -> {
            this.authProcedures.deleteRole("admin");
        });
        this.log.assertExactly(new AssertableLogProvider.LogMatcher[]{error("[mats]: tried to delete role `%s`: %s", "admin", "Permission denied.")});
    }

    @Test
    public void shouldLogIfUnexpectedErrorTerminatingTransactions() throws Exception {
        this.authProcedures.createUser("johan", "neo4j", false);
        this.authProcedures.failTerminateTransaction();
        this.log.clear();
        Assert.assertException(() -> {
            this.authProcedures.deleteUser("johan");
        }, RuntimeException.class, "Unexpected error");
        this.log.assertExactly(new AssertableLogProvider.LogMatcher[]{info("[admin]: deleted user `%s`", "johan"), error("[admin]: failed to terminate running transaction and bolt connections for user `%s` following %s: %s", "johan", "deletion", "Unexpected error")});
    }

    @Test
    public void shouldLogUnauthorizedListUsers() throws Exception {
        setSubject(this.matsContext);
        catchAuthorizationViolation(() -> {
            this.authProcedures.listUsers();
        });
        this.log.assertExactly(new AssertableLogProvider.LogMatcher[]{error("[mats]: tried to list users: %s", "Permission denied.")});
    }

    @Test
    public void shouldLogUnauthorizedListRoles() throws Exception {
        setSubject(this.matsContext);
        catchAuthorizationViolation(() -> {
            this.authProcedures.listRoles();
        });
        this.log.assertExactly(new AssertableLogProvider.LogMatcher[]{error("[mats]: tried to list roles: %s", "Permission denied.")});
    }

    @Test
    public void shouldLogFailureToListRolesForUser() throws Exception {
        catchInvalidArguments(() -> {
            this.authProcedures.listRolesForUser(null);
        });
        catchInvalidArguments(() -> {
            this.authProcedures.listRolesForUser("");
        });
        catchInvalidArguments(() -> {
            this.authProcedures.listRolesForUser("nonExistent");
        });
        this.log.assertExactly(new AssertableLogProvider.LogMatcher[]{error("[admin]: tried to list roles for user `%s`: %s", null, "User 'null' does not exist."), error("[admin]: tried to list roles for user `%s`: %s", "", "User '' does not exist."), error("[admin]: tried to list roles for user `%s`: %s", "nonExistent", "User 'nonExistent' does not exist.")});
    }

    @Test
    public void shouldLogUnauthorizedListRolesForUser() throws Exception {
        setSubject(this.matsContext);
        catchAuthorizationViolation(() -> {
            this.authProcedures.listRolesForUser("user");
        });
        this.log.assertExactly(new AssertableLogProvider.LogMatcher[]{error("[mats]: tried to list roles for user `%s`: %s", "user", "Permission denied.")});
    }

    @Test
    public void shouldLogFailureToListUsersForRole() throws Exception {
        catchInvalidArguments(() -> {
            this.authProcedures.listUsersForRole(null);
        });
        catchInvalidArguments(() -> {
            this.authProcedures.listUsersForRole("");
        });
        catchInvalidArguments(() -> {
            this.authProcedures.listUsersForRole("nonExistent");
        });
        this.log.assertExactly(new AssertableLogProvider.LogMatcher[]{error("[admin]: tried to list users for role `%s`: %s", null, "Role 'null' does not exist."), error("[admin]: tried to list users for role `%s`: %s", "", "Role '' does not exist."), error("[admin]: tried to list users for role `%s`: %s", "nonExistent", "Role 'nonExistent' does not exist.")});
    }

    @Test
    public void shouldLogUnauthorizedListUsersForRole() throws Exception {
        setSubject(this.matsContext);
        catchAuthorizationViolation(() -> {
            this.authProcedures.listUsersForRole("role");
        });
        this.log.assertExactly(new AssertableLogProvider.LogMatcher[]{error("[mats]: tried to list users for role `%s`: %s", "role", "Permission denied.")});
    }

    private void catchInvalidArguments(ThrowingAction<Exception> throwingAction) throws Exception {
        Assert.assertException(throwingAction, InvalidArgumentsException.class, "");
    }

    private void catchAuthorizationViolation(ThrowingAction<Exception> throwingAction) throws Exception {
        Assert.assertException(throwingAction, AuthorizationViolationException.class, "");
    }

    private AssertableLogProvider.LogMatcher info(String str, String... strArr) {
        return strArr.length == 0 ? AssertableLogProvider.inLog(getClass()).info(str) : AssertableLogProvider.inLog(getClass()).info(str, strArr);
    }

    private AssertableLogProvider.LogMatcher error(String str, String... strArr) {
        return AssertableLogProvider.inLog(getClass()).error(str, strArr);
    }
}
