package org.neo4j.server.security.enterprise.auth;

import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import org.hamcrest.MatcherAssert;
import org.hamcrest.Matchers;
import org.junit.Assert;
import org.junit.Test;
import org.mockito.internal.util.collections.Sets;
import org.neo4j.graphdb.Result;
import org.neo4j.graphdb.factory.GraphDatabaseSettings;
import org.neo4j.helpers.collection.MapUtil;
import org.neo4j.kernel.api.proc.QualifiedName;
import org.neo4j.kernel.api.proc.UserFunctionSignature;
import org.neo4j.kernel.impl.proc.Procedures;
import org.neo4j.server.security.enterprise.auth.ProcedureInteractionTestBase;
import org.neo4j.server.security.enterprise.configuration.SecuritySettings;

/* loaded from: input_file:org/neo4j/server/security/enterprise/auth/ConfiguredProceduresTestBase.class */
public abstract class ConfiguredProceduresTestBase<S> extends ProcedureInteractionTestBase<S> {
    @Override // org.neo4j.server.security.enterprise.auth.ProcedureInteractionTestBase
    public void setUp() throws Throwable {
    }

    @Test
    public void shouldTerminateLongRunningProcedureThatChecksTheGuardRegularlyOnTimeout() throws Throwable {
        configuredSetup(MapUtil.stringMap(new String[]{GraphDatabaseSettings.transaction_timeout.name(), "2s"}));
        assertFail(this.adminSubject, "CALL test.loop", "Transaction guard check failed");
        Result execute = this.neo.getLocalGraph().execute("CALL dbms.listQueries() YIELD query WITH * WHERE NOT query CONTAINS 'listQueries' RETURN *");
        Assert.assertFalse(execute.hasNext());
        execute.close();
    }

    @Test
    public void shouldSetAllowedToConfigSetting() throws Throwable {
        configuredSetup(MapUtil.stringMap(new String[]{SecuritySettings.default_allowed.name(), "nonEmpty"}));
        MatcherAssert.assertThat(Arrays.asList(((Procedures) this.neo.getLocalGraph().getDependencyResolver().resolveDependency(Procedures.class)).procedure(new QualifiedName(new String[]{"test"}, "numNodes")).allowed()), Matchers.containsInAnyOrder(new String[]{"nonEmpty"}));
    }

    @Test
    public void shouldSetAllowedToDefaultValueAndRunningWorks() throws Throwable {
        configuredSetup(MapUtil.stringMap(new String[]{SecuritySettings.default_allowed.name(), "role1"}));
        this.userManager.newRole("role1", new String[]{"noneSubject"});
        assertSuccess(this.noneSubject, "CALL test.numNodes", resourceIterator -> {
            assertKeyIs(resourceIterator, "count", "3");
        });
    }

    @Test
    public void shouldRunProcedureWithMatchingWildcardAllowed() throws Throwable {
        configuredSetup(MapUtil.stringMap(new String[]{SecuritySettings.procedure_roles.name(), "test.*:role1"}));
        this.userManager.newRole("role1", new String[]{"noneSubject"});
        assertSuccess(this.noneSubject, "CALL test.numNodes", resourceIterator -> {
            assertKeyIs(resourceIterator, "count", "3");
        });
    }

    @Test
    public void shouldNotRunProcedureWithMismatchingWildCardAllowed() throws Throwable {
        configuredSetup(MapUtil.stringMap(new String[]{SecuritySettings.procedure_roles.name(), "tes.*:role1"}));
        this.userManager.newRole("role1", new String[]{"noneSubject"});
        MatcherAssert.assertThat(Arrays.asList(((Procedures) this.neo.getLocalGraph().getDependencyResolver().resolveDependency(Procedures.class)).procedure(new QualifiedName(new String[]{"test"}, "numNodes")).allowed()), Matchers.empty());
        assertFail(this.noneSubject, "CALL test.numNodes", "Read operations are not allowed");
    }

    @Test
    public void shouldNotSetProcedureAllowedIfSettingNotSet() throws Throwable {
        configuredSetup(defaultConfiguration());
        MatcherAssert.assertThat(Arrays.asList(((Procedures) this.neo.getLocalGraph().getDependencyResolver().resolveDependency(Procedures.class)).procedure(new QualifiedName(new String[]{"test"}, "numNodes")).allowed()), Matchers.empty());
    }

    @Test
    public void shouldSetAllowedToConfigSettingForUDF() throws Throwable {
        configuredSetup(MapUtil.stringMap(new String[]{SecuritySettings.default_allowed.name(), "nonEmpty"}));
        MatcherAssert.assertThat(Arrays.asList(((UserFunctionSignature) ((Procedures) this.neo.getLocalGraph().getDependencyResolver().resolveDependency(Procedures.class)).function(new QualifiedName(new String[]{"test"}, "nonAllowedFunc")).get()).allowed()), Matchers.containsInAnyOrder(new String[]{"nonEmpty"}));
    }

    @Test
    public void shouldSetAllowedToDefaultValueAndRunningWorksForUDF() throws Throwable {
        configuredSetup(MapUtil.stringMap(new String[]{SecuritySettings.default_allowed.name(), "role1"}));
        this.userManager.newRole("role1", new String[]{"noneSubject"});
        assertSuccess(this.neo.login("noneSubject", "abc"), "RETURN test.allowedFunc() AS c", resourceIterator -> {
            assertKeyIs(resourceIterator, "c", "success for role1");
        });
    }

    @Test
    public void shouldNotSetProcedureAllowedIfSettingNotSetForUDF() throws Throwable {
        configuredSetup(defaultConfiguration());
        MatcherAssert.assertThat(Arrays.asList(((UserFunctionSignature) ((Procedures) this.neo.getLocalGraph().getDependencyResolver().resolveDependency(Procedures.class)).function(new QualifiedName(new String[]{"test"}, "nonAllowedFunc")).get()).allowed()), Matchers.empty());
    }

    @Test
    public void shouldSetWildcardRoleConfigOnlyIfNotAnnotated() throws Throwable {
        configuredSetup(MapUtil.stringMap(new String[]{SecuritySettings.procedure_roles.name(), "test.*:tester"}));
        this.userManager.newRole("tester", new String[]{"noneSubject"});
        assertSuccess(this.noneSubject, "CALL test.numNodes", resourceIterator -> {
            assertKeyIs(resourceIterator, "count", "3");
        });
    }

    @Test
    public void shouldSetAllMatchingWildcardRoleConfigs() throws Throwable {
        configuredSetup(MapUtil.stringMap(new String[]{SecuritySettings.procedure_roles.name(), "test.*:tester;test.create*:other"}));
        this.userManager.newRole("tester", new String[]{"noneSubject"});
        this.userManager.newRole("other", new String[]{"readSubject"});
        assertSuccess(this.readSubject, "CALL test.allowedReadProcedure", resourceIterator -> {
            assertKeyIs(resourceIterator, "value", "foo");
        });
        assertSuccess(this.noneSubject, "CALL test.createNode", (v0) -> {
            v0.close();
        });
        assertSuccess(this.readSubject, "CALL test.createNode", (v0) -> {
            v0.close();
        });
        assertSuccess(this.noneSubject, "CALL test.numNodes", resourceIterator2 -> {
            assertKeyIs(resourceIterator2, "count", "5");
        });
    }

    @Test
    public void shouldSetAllMatchingWildcardRoleConfigsWithDefaultForUDFs() throws Throwable {
        configuredSetup(MapUtil.stringMap(new String[]{SecuritySettings.procedure_roles.name(), "test.*:tester;test.create*:other", SecuritySettings.default_allowed.name(), "default"}));
        this.userManager.newRole("tester", new String[]{"noneSubject"});
        this.userManager.newRole("default", new String[]{"noneSubject"});
        this.userManager.newRole("other", new String[]{"readSubject"});
        assertSuccess(this.noneSubject, "RETURN test.nonAllowedFunc() AS f", resourceIterator -> {
            assertKeyIs(resourceIterator, "f", "success");
        });
        assertSuccess(this.readSubject, "RETURN test.allowedFunction1() AS f", resourceIterator2 -> {
            assertKeyIs(resourceIterator2, "f", "foo");
        });
        assertSuccess(this.readSubject, "RETURN test.nonAllowedFunc() AS f", resourceIterator3 -> {
            assertKeyIs(resourceIterator3, "f", "success");
        });
    }

    @Test
    public void shouldHandleWriteAfterAllowedReadProcedureWithAuthDisabled() throws Throwable {
        this.neo = setUpNeoServer(MapUtil.stringMap(new String[]{GraphDatabaseSettings.auth_enabled.name(), "false"}));
        ((Procedures) this.neo.getLocalGraph().getDependencyResolver().resolveDependency(Procedures.class)).registerProcedure(ProcedureInteractionTestBase.ClassWithProcedures.class);
        assertEmpty(this.neo.login("no_auth", ""), "CALL test.allowedReadProcedure() YIELD value CREATE (:NewNode {name: value})");
    }

    @Test
    public void shouldHandleMultipleRolesSpecifiedForMapping() throws Throwable {
        configuredSetup(MapUtil.stringMap(new String[]{SecuritySettings.procedure_roles.name(), "test.*:tester, other"}));
        this.userManager.newRole("tester", new String[]{"noneSubject"});
        this.userManager.newRole("other", new String[]{"readSubject"});
        assertSuccess(this.readSubject, "CALL test.createNode", (v0) -> {
            v0.close();
        });
        assertSuccess(this.noneSubject, "CALL test.numNodes", resourceIterator -> {
            assertKeyIs(resourceIterator, "count", "4");
        });
    }

    @Test
    public void shouldShowAllowedRolesWhenListingProcedures() throws Throwable {
        configuredSetup(MapUtil.stringMap(new String[]{SecuritySettings.procedure_roles.name(), "test.numNodes:counter,user", SecuritySettings.default_allowed.name(), "default"}));
        Map<String, Set<String>> genericMap = MapUtil.genericMap(new Object[]{"test.staticReadProcedure", Sets.newSet(new String[]{"default", "reader", "editor", "publisher", "architect", "admin"}), "test.staticWriteProcedure", Sets.newSet(new String[]{"default", "editor", "publisher", "architect", "admin"}), "test.staticSchemaProcedure", Sets.newSet(new String[]{"default", "architect", "admin"}), "test.annotatedProcedure", Sets.newSet(new String[]{"annotated", "reader", "editor", "publisher", "architect", "admin"}), "test.numNodes", Sets.newSet(new String[]{"counter", "user", "reader", "editor", "publisher", "architect", "admin"}), "db.labels", Sets.newSet(new String[]{"default", "reader", "editor", "publisher", "architect", "admin"}), "dbms.security.changePassword", Sets.newSet(new String[]{"admin"}), "dbms.procedures", Sets.newSet(new String[]{"admin"}), "dbms.listQueries", Sets.newSet(new String[]{"admin"}), "dbms.security.createUser", Sets.newSet(new String[]{"admin"}), "db.createLabel", Sets.newSet(new String[]{"default", "editor", "publisher", "architect", "admin"})});
        assertListProceduresHasRoles(this.adminSubject, genericMap, "CALL dbms.procedures");
        assertListProceduresHasRoles(this.schemaSubject, genericMap, "CALL dbms.procedures");
        assertListProceduresHasRoles(this.writeSubject, genericMap, "CALL dbms.procedures");
        assertListProceduresHasRoles(this.readSubject, genericMap, "CALL dbms.procedures");
    }

    @Test
    public void shouldShowAllowedRolesWhenListingFunctions() throws Throwable {
        configuredSetup(MapUtil.stringMap(new String[]{SecuritySettings.procedure_roles.name(), "test.allowedFunc:counter,user", SecuritySettings.default_allowed.name(), "default"}));
        Map<String, Set<String>> genericMap = MapUtil.genericMap(new Object[]{"test.annotatedFunction", Sets.newSet(new String[]{"annotated", "reader", "editor", "publisher", "architect", "admin"}), "test.allowedFunc", Sets.newSet(new String[]{"counter", "user", "reader", "editor", "publisher", "architect", "admin"}), "test.nonAllowedFunc", Sets.newSet(new String[]{"default", "reader", "editor", "publisher", "architect", "admin"})});
        assertListProceduresHasRoles(this.adminSubject, genericMap, "CALL dbms.functions");
        assertListProceduresHasRoles(this.schemaSubject, genericMap, "CALL dbms.functions");
        assertListProceduresHasRoles(this.writeSubject, genericMap, "CALL dbms.functions");
        assertListProceduresHasRoles(this.readSubject, genericMap, "CALL dbms.functions");
    }

    private void assertListProceduresHasRoles(S s, Map<String, Set<String>> map, String str) {
        assertSuccess(s, str, resourceIterator -> {
            List list = (List) resourceIterator.stream().filter(map2 -> {
                String obj = map2.get("name").toString();
                return map.containsKey(obj) && !((Set) map.get(obj)).equals(new HashSet((List) map2.get("roles")));
            }).map(map3 -> {
                String obj = map3.get("name").toString();
                return obj + ": expected '" + map.get(obj) + "' but was '" + map3.get("roles") + "'";
            }).collect(Collectors.toList());
            MatcherAssert.assertThat("Expectations violated: " + list.toString(), list.isEmpty());
        });
    }
}
