package org.neo4j.server.security.enterprise.auth;

import java.time.Clock;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.cache.MemoryConstrainedCacheManager;
import org.apache.shiro.subject.PrincipalCollection;
import org.hamcrest.Matchers;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.ExpectedException;
import org.mockito.Mockito;
import org.neo4j.kernel.api.exceptions.InvalidArgumentsException;
import org.neo4j.kernel.api.security.AuthenticationResult;
import org.neo4j.kernel.api.security.PasswordPolicy;
import org.neo4j.kernel.api.security.exception.InvalidAuthTokenException;
import org.neo4j.kernel.enterprise.api.security.EnterpriseSecurityContext;
import org.neo4j.kernel.impl.security.Credential;
import org.neo4j.kernel.impl.security.User;
import org.neo4j.kernel.impl.util.JobScheduler;
import org.neo4j.server.security.auth.AuthenticationStrategy;
import org.neo4j.server.security.auth.BasicPasswordPolicy;
import org.neo4j.server.security.auth.InMemoryUserRepository;
import org.neo4j.server.security.auth.ListSnapshot;
import org.neo4j.server.security.auth.RateLimitedAuthenticationStrategy;
import org.neo4j.server.security.auth.SecurityTestUtils;
import org.neo4j.server.security.auth.UserRepository;
import org.neo4j.server.security.enterprise.auth.InternalFlatFileRealmIT;
import org.neo4j.server.security.enterprise.log.SecurityLog;
import org.neo4j.time.Clocks;

/* loaded from: input_file:org/neo4j/server/security/enterprise/auth/InternalFlatFileRealmTest.class */
public class InternalFlatFileRealmTest {

    @Rule
    public ExpectedException exception = ExpectedException.none();
    private MultiRealmAuthManager authManager;
    private TestRealm testRealm;

    /* loaded from: input_file:org/neo4j/server/security/enterprise/auth/InternalFlatFileRealmTest$TestRealm.class */
    private class TestRealm extends InternalFlatFileRealm {
        private boolean authenticationFlag;
        private boolean authorizationFlag;

        TestRealm(UserRepository userRepository, RoleRepository roleRepository, PasswordPolicy passwordPolicy, AuthenticationStrategy authenticationStrategy, JobScheduler jobScheduler, UserRepository userRepository2, UserRepository userRepository3) {
            super(userRepository, roleRepository, passwordPolicy, authenticationStrategy, jobScheduler, userRepository2, userRepository3);
            this.authenticationFlag = false;
            this.authorizationFlag = false;
        }

        boolean takeAuthenticationFlag() {
            boolean z = this.authenticationFlag;
            this.authenticationFlag = false;
            return z;
        }

        boolean takeAuthorizationFlag() {
            boolean z = this.authorizationFlag;
            this.authorizationFlag = false;
            return z;
        }

        public String getName() {
            return "TestRealm wrapping " + super.getName();
        }

        public boolean supports(AuthenticationToken authenticationToken) {
            return super.supports(authenticationToken);
        }

        protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken authenticationToken) throws AuthenticationException {
            this.authenticationFlag = true;
            return super.doGetAuthenticationInfo(authenticationToken);
        }

        protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principalCollection) {
            this.authorizationFlag = true;
            return super.doGetAuthorizationInfo(principalCollection);
        }
    }

    @Before
    public void setup() throws Throwable {
        this.testRealm = new TestRealm(new InMemoryUserRepository(), new InMemoryRoleRepository(), new BasicPasswordPolicy(), new RateLimitedAuthenticationStrategy(Clock.systemUTC(), 3), (JobScheduler) Mockito.mock(JobScheduler.class), new InMemoryUserRepository(), new InMemoryUserRepository());
        this.authManager = new MultiRealmAuthManager(this.testRealm, AuthTestUtil.listOf(this.testRealm), new MemoryConstrainedCacheManager(), (SecurityLog) Mockito.mock(SecurityLog.class), true);
        this.authManager.init();
        this.authManager.start();
        this.authManager.getUserManager().newUser("mike", "123", false);
    }

    @Test
    public void shouldNotCacheAuthenticationInfo() throws InvalidAuthTokenException {
        Assert.assertThat(this.authManager.login(SecurityTestUtils.authToken("mike", "123")).subject().getAuthenticationResult(), Matchers.equalTo(AuthenticationResult.SUCCESS));
        Assert.assertThat("Test realm did not receive a call", Boolean.valueOf(this.testRealm.takeAuthenticationFlag()), Matchers.is(true));
        Assert.assertThat(this.authManager.login(SecurityTestUtils.authToken("mike", "123")).subject().getAuthenticationResult(), Matchers.equalTo(AuthenticationResult.SUCCESS));
        Assert.assertThat("Test realm did not receive a call", Boolean.valueOf(this.testRealm.takeAuthenticationFlag()), Matchers.is(true));
    }

    @Test
    public void shouldNotCacheAuthorizationInfo() throws InvalidAuthTokenException {
        EnterpriseSecurityContext login = this.authManager.login(SecurityTestUtils.authToken("mike", "123"));
        Assert.assertThat(login.subject().getAuthenticationResult(), Matchers.equalTo(AuthenticationResult.SUCCESS));
        login.mode().allowsReads();
        Assert.assertThat("Test realm did not receive a call", Boolean.valueOf(this.testRealm.takeAuthorizationFlag()), Matchers.is(true));
        login.mode().allowsWrites();
        Assert.assertThat("Test realm did not receive a call", Boolean.valueOf(this.testRealm.takeAuthorizationFlag()), Matchers.is(true));
    }

    @Test
    public void shouldOnlyReloadUsersOrRolesIfNeeded() throws Throwable {
        assertSetUsersAndRolesNTimes(false, false, 0, 0);
        assertSetUsersAndRolesNTimes(false, true, 0, 1);
        assertSetUsersAndRolesNTimes(true, false, 1, 0);
        assertSetUsersAndRolesNTimes(true, true, 1, 1);
    }

    @Test
    public void shouldAssignAdminRoleToDefaultUser() throws Throwable {
        InternalFlatFileRealm internalTestRealmWithUsers = internalTestRealmWithUsers(Collections.emptyList(), Collections.emptyList());
        internalTestRealmWithUsers.initialize();
        internalTestRealmWithUsers.start();
        Assert.assertThat(internalTestRealmWithUsers.getUsernamesForRole("admin"), Matchers.contains(new String[]{"neo4j"}));
    }

    @Test
    public void shouldAssignAdminRoleToSpecifiedUser() throws Throwable {
        InternalFlatFileRealm internalTestRealmWithUsers = internalTestRealmWithUsers(Arrays.asList("neo4j", "morpheus", "trinity"), Collections.singletonList("morpheus"));
        internalTestRealmWithUsers.initialize();
        internalTestRealmWithUsers.start();
        Assert.assertThat(internalTestRealmWithUsers.getUsernamesForRole("admin"), Matchers.contains(new String[]{"morpheus"}));
        Assert.assertThat(Integer.valueOf(internalTestRealmWithUsers.getUsernamesForRole("admin").size()), Matchers.equalTo(1));
    }

    @Test
    public void shouldAssignAdminRoleToOnlyUser() throws Throwable {
        InternalFlatFileRealm internalTestRealmWithUsers = internalTestRealmWithUsers(Collections.singletonList("morpheus"), Collections.emptyList());
        internalTestRealmWithUsers.initialize();
        internalTestRealmWithUsers.start();
        Assert.assertThat(internalTestRealmWithUsers.getUsernamesForRole("admin"), Matchers.contains(new String[]{"morpheus"}));
        Assert.assertThat(Integer.valueOf(internalTestRealmWithUsers.getUsernamesForRole("admin").size()), Matchers.equalTo(1));
    }

    @Test
    public void shouldNotAssignAdminToNonExistentUser() throws Throwable {
        InternalFlatFileRealm internalTestRealmWithUsers = internalTestRealmWithUsers(Collections.singletonList("neo4j"), Collections.singletonList("morpheus"));
        this.exception.expect(InvalidArgumentsException.class);
        this.exception.expectMessage("No roles defined, and default admin user 'morpheus' does not exist. Please use `neo4j-admin set-default-admin` to select a valid admin.");
        internalTestRealmWithUsers.initialize();
        internalTestRealmWithUsers.start();
    }

    @Test
    public void shouldGiveErrorOnMultipleUsersNoDefault() throws Throwable {
        InternalFlatFileRealm internalTestRealmWithUsers = internalTestRealmWithUsers(Arrays.asList("morpheus", "trinity"), Collections.emptyList());
        this.exception.expect(InvalidArgumentsException.class);
        this.exception.expectMessage("No roles defined, and cannot determine which user should be admin. Please use `neo4j-admin set-default-admin` to select an admin.");
        internalTestRealmWithUsers.initialize();
        internalTestRealmWithUsers.start();
    }

    @Test
    public void shouldFailToAssignMultipleDefaultAdmins() throws Throwable {
        InternalFlatFileRealm internalTestRealmWithUsers = internalTestRealmWithUsers(Arrays.asList("morpheus", "trinity", "tank"), Arrays.asList("morpheus", "trinity"));
        this.exception.expect(InvalidArgumentsException.class);
        this.exception.expectMessage("No roles defined, and multiple users defined as default admin user. Please use `neo4j-admin set-default-admin` to select a valid admin.");
        internalTestRealmWithUsers.initialize();
        internalTestRealmWithUsers.start();
    }

    @Test
    public void shouldAssignAdminRoleAfterBadSetting() throws Throwable {
        InMemoryUserRepository inMemoryUserRepository = new InMemoryUserRepository();
        InMemoryUserRepository inMemoryUserRepository2 = new InMemoryUserRepository();
        InMemoryUserRepository inMemoryUserRepository3 = new InMemoryUserRepository();
        InMemoryRoleRepository inMemoryRoleRepository = new InMemoryRoleRepository();
        inMemoryUserRepository.create(newUser("morpheus", "123", false));
        inMemoryUserRepository.create(newUser("trinity", "123", false));
        InternalFlatFileRealm internalFlatFileRealm = new InternalFlatFileRealm(inMemoryUserRepository, inMemoryRoleRepository, new BasicPasswordPolicy(), new RateLimitedAuthenticationStrategy(Clocks.systemClock(), 3), new InternalFlatFileRealmIT.TestJobScheduler(), inMemoryUserRepository2, inMemoryUserRepository3);
        try {
            internalFlatFileRealm.initialize();
            internalFlatFileRealm.start();
            Assert.fail("Multiple users, no default admin provided");
        } catch (InvalidArgumentsException e) {
            internalFlatFileRealm.stop();
            internalFlatFileRealm.shutdown();
        }
        inMemoryUserRepository3.create(new User.Builder("trinity", Credential.INACCESSIBLE).build());
        internalFlatFileRealm.initialize();
        internalFlatFileRealm.start();
        Assert.assertThat(Integer.valueOf(internalFlatFileRealm.getUsernamesForRole("admin").size()), Matchers.equalTo(1));
        Assert.assertThat(internalFlatFileRealm.getUsernamesForRole("admin"), Matchers.contains(new String[]{"trinity"}));
    }

    private InternalFlatFileRealm internalTestRealmWithUsers(List<String> list, List<String> list2) throws Throwable {
        InMemoryUserRepository inMemoryUserRepository = new InMemoryUserRepository();
        InMemoryUserRepository inMemoryUserRepository2 = new InMemoryUserRepository();
        InMemoryUserRepository inMemoryUserRepository3 = new InMemoryUserRepository();
        InMemoryRoleRepository inMemoryRoleRepository = new InMemoryRoleRepository();
        Iterator<String> it = list.iterator();
        while (it.hasNext()) {
            inMemoryUserRepository.create(newUser(it.next(), "123", false));
        }
        Iterator<String> it2 = list2.iterator();
        while (it2.hasNext()) {
            inMemoryUserRepository3.create(new User.Builder(it2.next(), Credential.INACCESSIBLE).build());
        }
        return new InternalFlatFileRealm(inMemoryUserRepository, inMemoryRoleRepository, new BasicPasswordPolicy(), new RateLimitedAuthenticationStrategy(Clocks.systemClock(), 3), new InternalFlatFileRealmIT.TestJobScheduler(), inMemoryUserRepository2, inMemoryUserRepository3);
    }

    private User newUser(String str, String str2, boolean z) {
        return new User.Builder(str, Credential.forPassword(str2)).withRequiredPasswordChange(z).build();
    }

    private void assertSetUsersAndRolesNTimes(boolean z, boolean z2, int i, int i2) throws Throwable {
        UserRepository userRepository = (UserRepository) Mockito.mock(UserRepository.class);
        RoleRepository roleRepository = (RoleRepository) Mockito.mock(RoleRepository.class);
        UserRepository userRepository2 = (UserRepository) Mockito.mock(UserRepository.class);
        UserRepository userRepository3 = (UserRepository) Mockito.mock(UserRepository.class);
        BasicPasswordPolicy basicPasswordPolicy = new BasicPasswordPolicy();
        RateLimitedAuthenticationStrategy rateLimitedAuthenticationStrategy = new RateLimitedAuthenticationStrategy(Clocks.systemClock(), 3);
        InternalFlatFileRealmIT.TestJobScheduler testJobScheduler = new InternalFlatFileRealmIT.TestJobScheduler();
        InternalFlatFileRealm internalFlatFileRealm = new InternalFlatFileRealm(userRepository, roleRepository, basicPasswordPolicy, rateLimitedAuthenticationStrategy, testJobScheduler, userRepository2, userRepository3);
        Mockito.when(userRepository.getPersistedSnapshot()).thenReturn(new ListSnapshot(10L, Collections.emptyList(), z));
        Mockito.when(userRepository.getUserByName((String) org.mockito.Matchers.any())).thenReturn(new User.Builder().build());
        Mockito.when(roleRepository.getPersistedSnapshot()).thenReturn(new ListSnapshot(10L, Collections.emptyList(), z2));
        Mockito.when(roleRepository.getRoleByName(org.mockito.Matchers.anyString())).thenReturn(new RoleRecord("", new String[0]));
        internalFlatFileRealm.init();
        internalFlatFileRealm.start();
        testJobScheduler.scheduledRunnable.run();
        ((UserRepository) Mockito.verify(userRepository, Mockito.times(i))).setUsers((ListSnapshot) org.mockito.Matchers.any());
        ((RoleRepository) Mockito.verify(roleRepository, Mockito.times(i2))).setRoles((ListSnapshot) org.mockito.Matchers.any());
    }
}
