package org.neo4j.server.security.enterprise.auth;

import java.util.Collections;
import org.apache.shiro.cache.MemoryConstrainedCacheManager;
import org.hamcrest.Matchers;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.ExpectedException;
import org.mockito.Mockito;
import org.neo4j.helpers.Strings;
import org.neo4j.helpers.collection.MapUtil;
import org.neo4j.kernel.api.exceptions.InvalidArgumentsException;
import org.neo4j.kernel.api.security.AuthManager;
import org.neo4j.kernel.api.security.AuthSubject;
import org.neo4j.kernel.api.security.AuthenticationResult;
import org.neo4j.kernel.api.security.exception.InvalidAuthTokenException;
import org.neo4j.kernel.configuration.Config;
import org.neo4j.kernel.enterprise.api.security.EnterpriseSecurityContext;
import org.neo4j.kernel.impl.util.JobScheduler;
import org.neo4j.logging.AssertableLogProvider;
import org.neo4j.logging.Log;
import org.neo4j.logging.NullLogProvider;
import org.neo4j.server.security.auth.AuthenticationStrategy;
import org.neo4j.server.security.auth.CommunitySecurityModule;
import org.neo4j.server.security.auth.Credential;
import org.neo4j.server.security.auth.InitialUserTests;
import org.neo4j.server.security.auth.PasswordPolicy;
import org.neo4j.server.security.auth.SecurityTestUtils;
import org.neo4j.server.security.auth.User;
import org.neo4j.server.security.auth.UserRepository;
import org.neo4j.server.security.enterprise.log.SecurityLog;

/* loaded from: input_file:org/neo4j/server/security/enterprise/auth/MultiRealmAuthManagerTest.class */
public class MultiRealmAuthManagerTest extends InitialUserTests {
    private AuthenticationStrategy authStrategy;
    private MultiRealmAuthManager manager;
    private EnterpriseUserManager userManager;
    private AssertableLogProvider logProvider;

    @Rule
    public ExpectedException expect = ExpectedException.none();

    @Before
    public void setUp() throws Throwable {
        this.config = Config.defaults();
        this.users = CommunitySecurityModule.getUserRepository(this.config, NullLogProvider.getInstance(), this.fsRule.get());
        this.authStrategy = (AuthenticationStrategy) Mockito.mock(AuthenticationStrategy.class);
        this.logProvider = new AssertableLogProvider();
        this.manager = createAuthManager(true);
        this.userManager = this.manager.getUserManager();
    }

    private MultiRealmAuthManager createAuthManager(boolean z) throws Throwable {
        Log log = this.logProvider.getLog(getClass());
        InternalFlatFileRealm internalFlatFileRealm = new InternalFlatFileRealm(this.users, new InMemoryRoleRepository(), (PasswordPolicy) Mockito.mock(PasswordPolicy.class), this.authStrategy, (JobScheduler) Mockito.mock(JobScheduler.class), CommunitySecurityModule.getInitialUserRepository(this.config, NullLogProvider.getInstance(), this.fsRule.get()), EnterpriseSecurityModule.getDefaultAdminRepository(this.config, NullLogProvider.getInstance(), this.fsRule.get()));
        this.manager = new MultiRealmAuthManager(internalFlatFileRealm, Collections.singleton(internalFlatFileRealm), new MemoryConstrainedCacheManager(), new SecurityLog(log), z);
        this.manager.init();
        return this.manager;
    }

    @After
    public void tearDown() throws Throwable {
        this.manager.stop();
        this.manager.shutdown();
    }

    @Test
    public void shouldMakeOnlyUserAdminIfNoRolesFile() throws Throwable {
        this.users.create(newUser("jake", "abc123", false));
        this.manager.start();
        Assert.assertThat(this.manager.getUserManager().getRoleNamesForUser("jake"), Matchers.contains(new String[]{"admin"}));
    }

    @Test
    public void shouldMakeNeo4jUserAdminIfNoRolesFileButManyUsers() throws Throwable {
        this.users.create(newUser("jake", "abc123", false));
        this.users.create(newUser("neo4j", "neo4j", false));
        this.manager.start();
        Assert.assertThat(this.manager.getUserManager().getRoleNamesForUser("neo4j"), Matchers.contains(new String[]{"admin"}));
        Assert.assertThat(Integer.valueOf(this.manager.getUserManager().getRoleNamesForUser("jake").size()), Matchers.equalTo(0));
    }

    @Test
    public void shouldFailIfNoRolesFileButManyUsersAndNoDefaultAdminOrNeo4j() throws Throwable {
        this.users.create(newUser("jake", "abc123", false));
        this.users.create(newUser("jane", "123abc", false));
        this.expect.expect(InvalidArgumentsException.class);
        this.expect.expectMessage("No roles defined, and cannot determine which user should be admin. Please use `neo4j-admin set-default-admin` to select an admin.");
        this.manager.start();
    }

    @Test
    public void shouldFailIfNoRolesFileButManyUsersAndNonExistingDefaultAdmin() throws Throwable {
        UserRepository defaultAdminRepository = EnterpriseSecurityModule.getDefaultAdminRepository(this.config, NullLogProvider.getInstance(), this.fsRule.get());
        defaultAdminRepository.start();
        defaultAdminRepository.create(new User.Builder("foo", Credential.INACCESSIBLE).withRequiredPasswordChange(false).build());
        defaultAdminRepository.shutdown();
        this.users.create(newUser("jake", "abc123", false));
        this.users.create(newUser("jane", "123abc", false));
        this.expect.expect(InvalidArgumentsException.class);
        this.expect.expectMessage("No roles defined, and default admin user 'foo' does not exist. Please use `neo4j-admin set-default-admin` to select a valid admin.");
        this.manager.start();
    }

    @Test
    public void shouldFindAndAuthenticateUserSuccessfully() throws Throwable {
        this.users.create(newUser("jake", "abc123", false));
        this.manager.start();
        setMockAuthenticationStrategyResult("jake", "abc123", AuthenticationResult.SUCCESS);
        Assert.assertThat(this.manager.login(SecurityTestUtils.authToken("jake", "abc123")).subject().getAuthenticationResult(), Matchers.equalTo(AuthenticationResult.SUCCESS));
        this.logProvider.assertExactly(new AssertableLogProvider.LogMatcher[]{info("[jake]: logged in")});
    }

    @Test
    public void shouldNotLogAuthenticationIfFlagSaysNo() throws Throwable {
        this.manager.shutdown();
        this.manager = createAuthManager(false);
        this.users.create(newUser("jake", "abc123", false));
        this.manager.start();
        setMockAuthenticationStrategyResult("jake", "abc123", AuthenticationResult.SUCCESS);
        Assert.assertThat(this.manager.login(SecurityTestUtils.authToken("jake", "abc123")).subject().getAuthenticationResult(), Matchers.equalTo(AuthenticationResult.SUCCESS));
        this.logProvider.assertNone(info("[jake]: logged in"));
    }

    @Test
    public void shouldReturnTooManyAttemptsWhenThatIsAppropriate() throws Throwable {
        this.users.create(newUser("jake", "abc123", true));
        this.manager.start();
        setMockAuthenticationStrategyResult("jake", "wrong password", AuthenticationResult.TOO_MANY_ATTEMPTS);
        Assert.assertThat(this.manager.login(SecurityTestUtils.authToken("jake", "wrong password")).subject().getAuthenticationResult(), Matchers.equalTo(AuthenticationResult.TOO_MANY_ATTEMPTS));
        this.logProvider.assertExactly(new AssertableLogProvider.LogMatcher[]{error("[%s]: failed to log in: too many failed attempts", "jake")});
    }

    @Test
    public void shouldFindAndAuthenticateUserAndReturnPasswordChangeIfRequired() throws Throwable {
        this.users.create(newUser("jake", "abc123", true));
        this.manager.start();
        setMockAuthenticationStrategyResult("jake", "abc123", AuthenticationResult.SUCCESS);
        Assert.assertThat(this.manager.login(SecurityTestUtils.authToken("jake", "abc123")).subject().getAuthenticationResult(), Matchers.equalTo(AuthenticationResult.PASSWORD_CHANGE_REQUIRED));
        this.logProvider.assertExactly(new AssertableLogProvider.LogMatcher[]{info("[jake]: logged in")});
    }

    @Test
    public void shouldFailWhenAuthTokenIsInvalid() throws Throwable {
        this.manager.start();
        org.neo4j.test.assertion.Assert.assertException(() -> {
            this.manager.login(MapUtil.map(new Object[]{"scheme", "supercool", "principal", "neo4j"}));
        }, InvalidAuthTokenException.class, "Unsupported authentication token: { scheme='supercool', principal='neo4j' }");
        org.neo4j.test.assertion.Assert.assertException(() -> {
            this.manager.login(MapUtil.map(new Object[]{"scheme", "none"}));
        }, InvalidAuthTokenException.class, "Unsupported authentication token, scheme='none' only allowed when auth is disabled: { scheme='none' }");
        org.neo4j.test.assertion.Assert.assertException(() -> {
            this.manager.login(MapUtil.map(new Object[]{"key", "value"}));
        }, InvalidAuthTokenException.class, "Unsupported authentication token, missing key `scheme`: { key='value' }");
        org.neo4j.test.assertion.Assert.assertException(() -> {
            this.manager.login(MapUtil.map(new Object[]{"scheme", "basic", "principal", "neo4j"}));
        }, InvalidAuthTokenException.class, "Unsupported authentication token, missing key `credentials`: { scheme='basic', principal='neo4j' }");
        org.neo4j.test.assertion.Assert.assertException(() -> {
            this.manager.login(MapUtil.map(new Object[]{"scheme", "basic", "credentials", "very-secret"}));
        }, InvalidAuthTokenException.class, "Unsupported authentication token, missing key `principal`: { scheme='basic', credentials='******' }");
    }

    @Test
    public void shouldFailAuthenticationIfUserIsNotFound() throws Throwable {
        this.manager.start();
        Assert.assertThat(this.manager.login(SecurityTestUtils.authToken("unknown", "abc123")).subject().getAuthenticationResult(), Matchers.equalTo(AuthenticationResult.FAILURE));
        this.logProvider.assertExactly(new AssertableLogProvider.LogMatcher[]{error("[%s]: failed to log in: invalid principal or credentials", "unknown")});
    }

    @Test
    public void shouldFailAuthenticationAndEscapeIfUserIsNotFound() throws Throwable {
        this.manager.start();
        Assert.assertThat(this.manager.login(SecurityTestUtils.authToken("unknown\n\t\r\"haxx0r\"", "abc123")).subject().getAuthenticationResult(), Matchers.equalTo(AuthenticationResult.FAILURE));
        this.logProvider.assertExactly(new AssertableLogProvider.LogMatcher[]{error("[%s]: failed to log in: invalid principal or credentials", Strings.escape("unknown\n\t\r\"haxx0r\""))});
    }

    @Test
    public void shouldCreateUser() throws Throwable {
        this.manager.start();
        this.userManager.newUser("foo", "bar", true);
        User userByName = this.users.getUserByName("foo");
        Assert.assertNotNull(userByName);
        Assert.assertTrue(userByName.passwordChangeRequired());
        Assert.assertTrue(userByName.credentials().matchesPassword("bar"));
    }

    @Test
    public void shouldDeleteUser() throws Throwable {
        User newUser = newUser("jake", "abc123", true);
        User newUser2 = newUser("neo4j", "321cba", true);
        this.users.create(newUser);
        this.users.create(newUser2);
        this.manager.start();
        this.userManager.deleteUser("jake");
        Assert.assertNull(this.users.getUserByName("jake"));
        Assert.assertNotNull(this.users.getUserByName("neo4j"));
    }

    @Test
    public void shouldFailDeletingUnknownUser() throws Throwable {
        this.users.create(newUser("jake", "abc123", true));
        this.manager.start();
        org.neo4j.test.assertion.Assert.assertException(() -> {
            this.userManager.deleteUser("unknown");
        }, InvalidArgumentsException.class, "User 'unknown' does not exist");
        Assert.assertNotNull(this.users.getUserByName("jake"));
    }

    @Test
    public void shouldSuspendExistingUser() throws Throwable {
        this.users.create(newUser("jake", "abc123", true));
        this.manager.start();
        this.userManager.suspendUser("jake");
        setMockAuthenticationStrategyResult("jake", "abc123", AuthenticationResult.SUCCESS);
        Assert.assertThat(this.manager.login(SecurityTestUtils.authToken("jake", "abc123")).subject().getAuthenticationResult(), Matchers.equalTo(AuthenticationResult.FAILURE));
    }

    @Test
    public void shouldActivateExistingUser() throws Throwable {
        this.users.create(newUser("jake", "abc123", false));
        this.manager.start();
        this.userManager.suspendUser("jake");
        this.userManager.activateUser("jake", false);
        setMockAuthenticationStrategyResult("jake", "abc123", AuthenticationResult.SUCCESS);
        Assert.assertThat(this.manager.login(SecurityTestUtils.authToken("jake", "abc123")).subject().getAuthenticationResult(), Matchers.equalTo(AuthenticationResult.SUCCESS));
    }

    @Test
    public void shouldSuspendSuspendedUser() throws Throwable {
        this.users.create(newUser("jake", "abc123", false));
        this.manager.start();
        this.userManager.suspendUser("jake");
        this.userManager.suspendUser("jake");
        setMockAuthenticationStrategyResult("jake", "abc123", AuthenticationResult.SUCCESS);
        Assert.assertThat(this.manager.login(SecurityTestUtils.authToken("jake", "abc123")).subject().getAuthenticationResult(), Matchers.equalTo(AuthenticationResult.FAILURE));
    }

    @Test
    public void shouldActivateActiveUser() throws Throwable {
        User newUser = newUser("jake", "abc123", false);
        this.users.create(newUser);
        this.manager.start();
        Mockito.when(this.authStrategy.authenticate(newUser, "abc123")).thenReturn(AuthenticationResult.SUCCESS);
        this.userManager.activateUser("jake", false);
        setMockAuthenticationStrategyResult("jake", "abc123", AuthenticationResult.SUCCESS);
        Assert.assertThat(this.manager.login(SecurityTestUtils.authToken("jake", "abc123")).subject().getAuthenticationResult(), Matchers.equalTo(AuthenticationResult.SUCCESS));
    }

    @Test
    public void shouldFailToSuspendNonExistingUser() throws Throwable {
        this.manager.start();
        try {
            this.userManager.suspendUser("jake");
            Assert.fail("Should throw exception on suspending unknown user");
        } catch (InvalidArgumentsException e) {
            Assert.assertThat(e.getMessage(), Matchers.containsString("User 'jake' does not exist"));
        }
    }

    @Test
    public void shouldFailToActivateNonExistingUser() throws Throwable {
        this.manager.start();
        try {
            this.userManager.activateUser("jake", false);
            Assert.fail("Should throw exception on activating unknown user");
        } catch (InvalidArgumentsException e) {
            Assert.assertThat(e.getMessage(), Matchers.containsString("User 'jake' does not exist"));
        }
    }

    @Test
    public void shouldSetPassword() throws Throwable {
        this.users.create(newUser("jake", "abc123", true));
        this.manager.start();
        this.userManager.setUserPassword("jake", "hello, world!", false);
        User user = this.userManager.getUser("jake");
        Assert.assertTrue(user.credentials().matchesPassword("hello, world!"));
        Assert.assertThat(this.users.getUserByName("jake"), Matchers.equalTo(user));
    }

    @Test
    public void shouldSetPasswordThroughAuthSubject() throws Throwable {
        this.users.create(newUser("neo", "abc123", true));
        this.manager.start();
        setMockAuthenticationStrategyResult("neo", "abc123", AuthenticationResult.SUCCESS);
        AuthSubject subject = this.manager.login(SecurityTestUtils.authToken("neo", "abc123")).subject();
        Assert.assertThat(subject.getAuthenticationResult(), Matchers.equalTo(AuthenticationResult.PASSWORD_CHANGE_REQUIRED));
        subject.setPassword("hello, world!", false);
        setMockAuthenticationStrategyResult("neo", "hello, world!", AuthenticationResult.SUCCESS);
        User user = this.userManager.getUser("neo");
        Assert.assertTrue(user.credentials().matchesPassword("hello, world!"));
        Assert.assertThat(this.users.getUserByName("neo"), Matchers.equalTo(user));
        subject.logout();
        Assert.assertThat(this.manager.login(SecurityTestUtils.authToken("neo", "hello, world!")).subject().getAuthenticationResult(), Matchers.equalTo(AuthenticationResult.SUCCESS));
        this.logProvider.assertExactly(new AssertableLogProvider.LogMatcher[]{info("[neo]: logged in"), info("[neo]: changed password%s", ""), info("[neo]: logged in")});
    }

    @Test
    public void shouldNotRequestPasswordChangeWithInvalidCredentials() throws Throwable {
        this.users.create(newUser("neo", "abc123", true));
        this.manager.start();
        setMockAuthenticationStrategyResult("neo", "abc123", AuthenticationResult.SUCCESS);
        setMockAuthenticationStrategyResult("neo", "wrong", AuthenticationResult.FAILURE);
        Assert.assertThat(this.manager.login(SecurityTestUtils.authToken("neo", "wrong")).subject().getAuthenticationResult(), Matchers.equalTo(AuthenticationResult.FAILURE));
    }

    @Test
    public void shouldReturnNullWhenSettingPasswordForUnknownUser() throws Throwable {
        this.manager.start();
        try {
            this.userManager.setUserPassword("unknown", "hello, world!", false);
            Assert.fail("exception expected");
        } catch (InvalidArgumentsException e) {
        }
    }

    private void createTestUsers() throws Throwable {
        this.userManager.newUser("morpheus", "abc123", false);
        this.userManager.newRole("admin", new String[]{"morpheus"});
        setMockAuthenticationStrategyResult("morpheus", "abc123", AuthenticationResult.SUCCESS);
        this.userManager.newUser("trinity", "abc123", false);
        this.userManager.newRole("architect", new String[]{"trinity"});
        setMockAuthenticationStrategyResult("trinity", "abc123", AuthenticationResult.SUCCESS);
        this.userManager.newUser("tank", "abc123", false);
        this.userManager.newRole("publisher", new String[]{"tank"});
        setMockAuthenticationStrategyResult("tank", "abc123", AuthenticationResult.SUCCESS);
        this.userManager.newUser("neo", "abc123", false);
        this.userManager.newRole("reader", new String[]{"neo"});
        setMockAuthenticationStrategyResult("neo", "abc123", AuthenticationResult.SUCCESS);
        this.userManager.newUser("smith", "abc123", false);
        this.userManager.newRole("agent", new String[]{"smith"});
        setMockAuthenticationStrategyResult("smith", "abc123", AuthenticationResult.SUCCESS);
    }

    @Test
    public void defaultUserShouldHaveCorrectPermissions() throws Throwable {
        this.manager.start();
        setMockAuthenticationStrategyResult("neo4j", "neo4j", AuthenticationResult.SUCCESS);
        EnterpriseSecurityContext login = this.manager.login(SecurityTestUtils.authToken("neo4j", "neo4j"));
        this.userManager.setUserPassword("neo4j", "1234", false);
        login.subject().logout();
        setMockAuthenticationStrategyResult("neo4j", "1234", AuthenticationResult.SUCCESS);
        EnterpriseSecurityContext login2 = this.manager.login(SecurityTestUtils.authToken("neo4j", "1234"));
        Assert.assertTrue(login2.mode().allowsReads());
        Assert.assertTrue(login2.mode().allowsWrites());
        Assert.assertTrue(login2.mode().allowsSchemaWrites());
    }

    @Test
    public void userWithAdminRoleShouldHaveCorrectPermissions() throws Throwable {
        createTestUsers();
        this.manager.start();
        EnterpriseSecurityContext login = this.manager.login(SecurityTestUtils.authToken("morpheus", "abc123"));
        Assert.assertTrue(login.mode().allowsReads());
        Assert.assertTrue(login.mode().allowsWrites());
        Assert.assertTrue(login.mode().allowsSchemaWrites());
    }

    @Test
    public void userWithArchitectRoleShouldHaveCorrectPermissions() throws Throwable {
        createTestUsers();
        this.manager.start();
        EnterpriseSecurityContext login = this.manager.login(SecurityTestUtils.authToken("trinity", "abc123"));
        Assert.assertTrue(login.mode().allowsReads());
        Assert.assertTrue(login.mode().allowsWrites());
        Assert.assertTrue(login.mode().allowsSchemaWrites());
    }

    @Test
    public void userWithPublisherRoleShouldHaveCorrectPermissions() throws Throwable {
        createTestUsers();
        this.manager.start();
        EnterpriseSecurityContext login = this.manager.login(SecurityTestUtils.authToken("tank", "abc123"));
        Assert.assertTrue("should allow reads", login.mode().allowsReads());
        Assert.assertTrue("should allow writes", login.mode().allowsWrites());
        Assert.assertFalse("should _not_ allow schema writes", login.mode().allowsSchemaWrites());
    }

    @Test
    public void userWithReaderRoleShouldHaveCorrectPermissions() throws Throwable {
        createTestUsers();
        this.manager.start();
        EnterpriseSecurityContext login = this.manager.login(SecurityTestUtils.authToken("neo", "abc123"));
        Assert.assertTrue(login.mode().allowsReads());
        Assert.assertFalse(login.mode().allowsWrites());
        Assert.assertFalse(login.mode().allowsSchemaWrites());
    }

    @Test
    public void userWithNonPredefinedRoleShouldHaveNoPermissions() throws Throwable {
        createTestUsers();
        this.manager.start();
        EnterpriseSecurityContext login = this.manager.login(SecurityTestUtils.authToken("smith", "abc123"));
        Assert.assertFalse(login.mode().allowsReads());
        Assert.assertFalse(login.mode().allowsWrites());
        Assert.assertFalse(login.mode().allowsSchemaWrites());
    }

    @Test
    public void shouldHaveNoPermissionsAfterLogout() throws Throwable {
        createTestUsers();
        this.manager.start();
        EnterpriseSecurityContext login = this.manager.login(SecurityTestUtils.authToken("morpheus", "abc123"));
        Assert.assertTrue(login.mode().allowsReads());
        Assert.assertTrue(login.mode().allowsWrites());
        Assert.assertTrue(login.mode().allowsSchemaWrites());
        login.subject().logout();
        Assert.assertFalse(login.mode().allowsReads());
        Assert.assertFalse(login.mode().allowsWrites());
        Assert.assertFalse(login.mode().allowsSchemaWrites());
    }

    private AssertableLogProvider.LogMatcher info(String str) {
        return AssertableLogProvider.inLog(getClass()).info(str);
    }

    private AssertableLogProvider.LogMatcher info(String str, String... strArr) {
        return AssertableLogProvider.inLog(getClass()).info(str, strArr);
    }

    private AssertableLogProvider.LogMatcher error(String str, String... strArr) {
        return AssertableLogProvider.inLog(getClass()).error(str, strArr);
    }

    private void setMockAuthenticationStrategyResult(String str, String str2, AuthenticationResult authenticationResult) {
        Mockito.when(this.authStrategy.authenticate(this.users.getUserByName(str), str2)).thenReturn(authenticationResult);
    }

    protected AuthManager authManager() {
        return this.manager;
    }
}
