package org.neo4j.server.security.enterprise.auth;

import java.util.Map;
import org.hamcrest.MatcherAssert;
import org.hamcrest.Matchers;
import org.junit.Assert;
import org.junit.Test;
import org.neo4j.bolt.v1.transport.socket.client.TransportConnection;
import org.neo4j.graphdb.ResourceIterator;
import org.neo4j.helpers.collection.MapUtil;
import org.neo4j.kernel.api.exceptions.InvalidArgumentsException;
import org.neo4j.kernel.api.security.AuthenticationResult;
import org.neo4j.server.security.enterprise.auth.ProcedureInteractionTestBase;
import org.neo4j.test.DoubleLatch;

/* loaded from: input_file:org/neo4j/server/security/enterprise/auth/AuthProceduresInteractionTestBase.class */
public abstract class AuthProceduresInteractionTestBase<S> extends ProcedureInteractionTestBase<S> {
    private static final String PWD_CHANGE = AuthenticationResult.PASSWORD_CHANGE_REQUIRED.name().toLowerCase();

    @Test
    public void shouldHaveDescriptionsOnAllSecurityProcedures() throws Throwable {
        assertSuccess(this.readSubject, "CALL dbms.procedures", resourceIterator -> {
            MatcherAssert.assertThat(Long.valueOf(resourceIterator.stream().filter(map -> {
                String obj = map.get("name").toString();
                String obj2 = map.get("description").toString();
                if (!obj.contains("dbms.security") || obj.contains("Transaction") || obj.contains("Connection")) {
                    return false;
                }
                MatcherAssert.assertThat("Description for '" + obj + "' should not be empty", Integer.valueOf(obj2.trim().length()), Matchers.greaterThan(0));
                return true;
            }).count()), Matchers.equalTo(16L));
        });
    }

    @Test
    public void shouldChangeOwnPassword() throws Throwable {
        assertEmpty(this.readSubject, "CALL dbms.security.changePassword( '321' )");
        this.neo.updateAuthToken(this.readSubject, "readSubject", "321");
        this.neo.assertAuthenticated(this.readSubject);
        testSuccessfulRead(this.readSubject, 3);
    }

    @Test
    public void shouldChangeOwnPasswordEvenIfHasNoAuthorization() throws Throwable {
        this.neo.assertAuthenticated(this.noneSubject);
        assertEmpty(this.noneSubject, "CALL dbms.security.changePassword( '321' )");
        this.neo.updateAuthToken(this.noneSubject, "noneSubject", "321");
        this.neo.assertAuthenticated(this.noneSubject);
    }

    @Test
    public void shouldNotChangeOwnPasswordIfNewPasswordInvalid() throws Exception {
        assertFail(this.readSubject, "CALL dbms.security.changePassword( '' )", "A password cannot be empty.");
        assertFail(this.readSubject, "CALL dbms.security.changePassword( '123' )", "Old password and new password cannot be the same.");
    }

    @Test
    public void shouldChangeUserPassword() throws Throwable {
        assertEmpty(this.adminSubject, "CALL dbms.security.changeUserPassword( 'readSubject', '321', false )");
        this.neo.assertInitFailed(this.neo.login("readSubject", "123"));
        this.neo.assertAuthenticated(this.neo.login("readSubject", "321"));
    }

    @Test
    public void shouldChangeUserPasswordAndRequirePasswordChangeOnNextLoginByDefault() throws Throwable {
        assertEmpty(this.adminSubject, "CALL dbms.security.changeUserPassword( 'readSubject', '321' )");
        this.neo.assertInitFailed(this.neo.login("readSubject", "123"));
        this.neo.assertPasswordChangeRequired(this.neo.login("readSubject", "321"));
    }

    @Test
    public void shouldChangeUserPasswordAndRequirePasswordChangeOnNextLoginOnRequest() throws Throwable {
        assertEmpty(this.adminSubject, "CALL dbms.security.changeUserPassword( 'readSubject', '321', true )");
        this.neo.assertInitFailed(this.neo.login("readSubject", "123"));
        this.neo.assertPasswordChangeRequired(this.neo.login("readSubject", "321"));
    }

    @Test
    public void shouldNotChangeUserPasswordIfNotAdmin() throws Exception {
        assertFail(this.schemaSubject, "CALL dbms.security.changeUserPassword( 'readSubject', '321' )", "Permission denied.");
        assertFail(this.schemaSubject, "CALL dbms.security.changeUserPassword( 'jake', '321' )", "Permission denied.");
        assertFail(this.schemaSubject, "CALL dbms.security.changeUserPassword( 'readSubject', '' )", "Permission denied.");
    }

    @Test
    public void shouldChangeUserPasswordIfSameUser() throws Throwable {
        assertEmpty(this.readSubject, "CALL dbms.security.changeUserPassword( 'readSubject', '321', false )");
        this.neo.updateAuthToken(this.readSubject, "readSubject", "321");
        this.neo.assertAuthenticated(this.readSubject);
        testSuccessfulRead(this.readSubject, 3);
        assertEmpty(this.adminSubject, "CALL dbms.security.changeUserPassword( 'adminSubject', 'cba', false )");
        this.neo.updateAuthToken(this.adminSubject, "adminSubject", "cba");
        this.neo.assertAuthenticated(this.adminSubject);
        testSuccessfulRead(this.adminSubject, 3);
    }

    @Test
    public void shouldFailToChangeUserPasswordIfSameUserButInvalidPassword() throws Exception {
        assertFail(this.readSubject, "CALL dbms.security.changeUserPassword( 'readSubject', '123' )", "Old password and new password cannot be the same.");
        assertFail(this.adminSubject, "CALL dbms.security.changeUserPassword( 'adminSubject', 'abc' )", "Old password and new password cannot be the same.");
    }

    @Test
    public void shouldNotChangeUserPasswordIfNonExistentUser() throws Exception {
        assertFail(this.adminSubject, "CALL dbms.security.changeUserPassword( 'jake', '321' )", "User 'jake' does not exist.");
    }

    @Test
    public void shouldNotChangeUserPasswordIfEmptyPassword() throws Exception {
        assertFail(this.adminSubject, "CALL dbms.security.changeUserPassword( 'readSubject', '' )", "A password cannot be empty.");
    }

    @Test
    public void shouldNotChangeUserPasswordIfSamePassword() throws Exception {
        assertFail(this.adminSubject, "CALL dbms.security.changeUserPassword( 'readSubject', '123' )", "Old password and new password cannot be the same.");
    }

    @Test
    public void shouldCreateUserAndRequirePasswordChangeByDefault() throws Exception {
        assertEmpty(this.adminSubject, "CALL dbms.security.createUser('craig', '1234' )");
        this.userManager.getUser("craig");
        this.neo.assertInitFailed(this.neo.login("craig", "321"));
        this.neo.assertPasswordChangeRequired(this.neo.login("craig", "1234"));
    }

    @Test
    public void shouldCreateUserAndRequirePasswordChangeIfRequested() throws Exception {
        assertEmpty(this.adminSubject, "CALL dbms.security.createUser('craig', '1234', true)");
        this.userManager.getUser("craig");
        this.neo.assertInitFailed(this.neo.login("craig", "321"));
        this.neo.assertPasswordChangeRequired(this.neo.login("craig", "1234"));
    }

    @Test
    public void shouldCreateUserAndRequireNoPasswordChangeIfRequested() throws Exception {
        assertEmpty(this.adminSubject, "CALL dbms.security.createUser('craig', '1234', false)");
        this.userManager.getUser("craig");
        this.neo.assertAuthenticated(this.neo.login("craig", "1234"));
    }

    @Test
    public void shouldNotCreateUserIfInvalidUsername() throws Exception {
        assertFail(this.adminSubject, "CALL dbms.security.createUser(null, '1234', true)", "The provided username is empty.");
        assertFail(this.adminSubject, "CALL dbms.security.createUser('', '1234', true)", "The provided username is empty.");
        assertFail(this.adminSubject, "CALL dbms.security.createUser(',ss!', '1234', true)", "Username ',ss!' contains illegal characters.");
        assertFail(this.adminSubject, "CALL dbms.security.createUser(',ss!', '', true)", "Username ',ss!' contains illegal characters.");
    }

    @Test
    public void shouldNotCreateUserIfInvalidPassword() throws Exception {
        assertFail(this.adminSubject, "CALL dbms.security.createUser('craig', '', true)", "A password cannot be empty.");
        assertFail(this.adminSubject, "CALL dbms.security.createUser('craig', null, true)", "A password cannot be empty.");
    }

    @Test
    public void shouldNotCreateExistingUser() throws Exception {
        assertFail(this.adminSubject, "CALL dbms.security.createUser('readSubject', '1234', true)", "The specified user 'readSubject' already exists");
        assertFail(this.adminSubject, "CALL dbms.security.createUser('readSubject', '', true)", "A password cannot be empty.");
    }

    @Test
    public void shouldNotAllowNonAdminCreateUser() throws Exception {
        testFailCreateUser(this.pwdSubject, this.CHANGE_PWD_ERR_MSG);
        testFailCreateUser(this.readSubject, "Permission denied.");
        testFailCreateUser(this.writeSubject, "Permission denied.");
        testFailCreateUser(this.schemaSubject, "Permission denied.");
    }

    @Test
    public void shouldDeleteUser() throws Exception {
        assertEmpty(this.adminSubject, "CALL dbms.security.deleteUser('noneSubject')");
        try {
            this.userManager.getUser("noneSubject");
            Assert.fail("User noneSubject should not exist");
        } catch (InvalidArgumentsException e) {
            Assert.assertTrue("User noneSubject should not exist", e.getMessage().contains("User 'noneSubject' does not exist."));
        }
        this.userManager.addRoleToUser("publisher", "readSubject");
        assertEmpty(this.adminSubject, "CALL dbms.security.deleteUser('readSubject')");
        try {
            this.userManager.getUser("readSubject");
            Assert.fail("User readSubject should not exist");
        } catch (InvalidArgumentsException e2) {
            Assert.assertTrue("User readSubject should not exist", e2.getMessage().contains("User 'readSubject' does not exist."));
        }
        Assert.assertFalse(this.userManager.getUsernamesForRole("reader").contains("readSubject"));
        Assert.assertFalse(this.userManager.getUsernamesForRole("publisher").contains("readSubject"));
    }

    @Test
    public void shouldNotDeleteUserIfNotAdmin() throws Exception {
        testFailDeleteUser(this.pwdSubject, "readSubject", this.CHANGE_PWD_ERR_MSG);
        testFailDeleteUser(this.readSubject, "readSubject", "Permission denied.");
        testFailDeleteUser(this.writeSubject, "readSubject", "Permission denied.");
        testFailDeleteUser(this.schemaSubject, "readSubject", "Permission denied.");
        testFailDeleteUser(this.schemaSubject, "Craig", "Permission denied.");
        testFailDeleteUser(this.schemaSubject, "", "Permission denied.");
    }

    @Test
    public void shouldNotAllowDeletingNonExistentUser() throws Exception {
        testFailDeleteUser(this.adminSubject, "Craig", "User 'Craig' does not exist.");
        testFailDeleteUser(this.adminSubject, "", "User '' does not exist.");
    }

    @Test
    public void shouldNotAllowDeletingYourself() throws Exception {
        testFailDeleteUser(this.adminSubject, "adminSubject", "Deleting yourself (user 'adminSubject') is not allowed.");
    }

    @Test
    public void shouldTerminateTransactionsOnUserDeletion() throws Throwable {
        shouldTerminateTransactionsForUser(this.writeSubject, "dbms.security.deleteUser( '%s' )");
    }

    @Test
    public void shouldTerminateConnectionsOnUserDeletion() throws Exception {
        TransportConnection startBoltSession = startBoltSession("writeSubject", "abc");
        MatcherAssert.assertThat(countBoltConnectionsByUsername().get("writeSubject"), Matchers.equalTo(Long.valueOf(this.IS_BOLT ? 2L : 1L)));
        assertEmpty(this.adminSubject, "CALL dbms.security.deleteUser( 'writeSubject' )");
        MatcherAssert.assertThat(countBoltConnectionsByUsername().get("writeSubject"), Matchers.equalTo((Object) null));
        startBoltSession.disconnect();
    }

    @Test
    public void shouldSuspendUser() throws Exception {
        assertEmpty(this.adminSubject, "CALL dbms.security.suspendUser('readSubject')");
        Assert.assertTrue(this.userManager.getUser("readSubject").hasFlag("is_suspended"));
    }

    @Test
    public void shouldSuspendSuspendedUser() throws Exception {
        assertEmpty(this.adminSubject, "CALL dbms.security.suspendUser('readSubject')");
        assertEmpty(this.adminSubject, "CALL dbms.security.suspendUser('readSubject')");
        Assert.assertTrue(this.userManager.getUser("readSubject").hasFlag("is_suspended"));
    }

    @Test
    public void shouldFailToSuspendNonExistentUser() throws Exception {
        assertFail(this.adminSubject, "CALL dbms.security.suspendUser('Craig')", "User 'Craig' does not exist.");
    }

    @Test
    public void shouldFailToSuspendIfNotAdmin() throws Exception {
        assertFail(this.schemaSubject, "CALL dbms.security.suspendUser('readSubject')", "Permission denied.");
        assertFail(this.schemaSubject, "CALL dbms.security.suspendUser('Craig')", "Permission denied.");
        assertFail(this.schemaSubject, "CALL dbms.security.suspendUser('')", "Permission denied.");
    }

    @Test
    public void shouldFailToSuspendYourself() throws Exception {
        assertFail(this.adminSubject, "CALL dbms.security.suspendUser('adminSubject')", "Suspending yourself (user 'adminSubject') is not allowed.");
    }

    @Test
    public void shouldTerminateTransactionsOnUserSuspension() throws Throwable {
        shouldTerminateTransactionsForUser(this.writeSubject, "dbms.security.suspendUser( '%s' )");
    }

    @Test
    public void shouldTerminateConnectionsOnUserSuspension() throws Exception {
        TransportConnection startBoltSession = startBoltSession("writeSubject", "abc");
        MatcherAssert.assertThat(countBoltConnectionsByUsername().get("writeSubject"), Matchers.equalTo(Long.valueOf(this.IS_BOLT ? 2L : 1L)));
        assertEmpty(this.adminSubject, "CALL dbms.security.suspendUser( 'writeSubject' )");
        MatcherAssert.assertThat(countBoltConnectionsByUsername().get("writeSubject"), Matchers.equalTo((Object) null));
        startBoltSession.disconnect();
    }

    @Test
    public void shouldActivateUserAndRequirePasswordChangeByDefault() throws Exception {
        this.userManager.suspendUser("readSubject");
        assertEmpty(this.adminSubject, "CALL dbms.security.activateUser('readSubject')");
        this.neo.assertInitFailed(this.neo.login("readSubject", "321"));
        this.neo.assertPasswordChangeRequired(this.neo.login("readSubject", "123"));
        Assert.assertFalse(this.userManager.getUser("readSubject").hasFlag("is_suspended"));
    }

    @Test
    public void shouldActivateUserAndRequirePasswordChangeIfRequested() throws Exception {
        this.userManager.suspendUser("readSubject");
        assertEmpty(this.adminSubject, "CALL dbms.security.activateUser('readSubject', true)");
        this.neo.assertInitFailed(this.neo.login("readSubject", "321"));
        this.neo.assertPasswordChangeRequired(this.neo.login("readSubject", "123"));
        Assert.assertFalse(this.userManager.getUser("readSubject").hasFlag("is_suspended"));
    }

    @Test
    public void shouldActivateUserAndRequireNoPasswordChangeIfRequested() throws Exception {
        this.userManager.suspendUser("readSubject");
        assertEmpty(this.adminSubject, "CALL dbms.security.activateUser('readSubject', false)");
        Assert.assertFalse(this.userManager.getUser("readSubject").hasFlag("is_suspended"));
    }

    @Test
    public void shouldActivateActiveUser() throws Exception {
        this.userManager.suspendUser("readSubject");
        assertEmpty(this.adminSubject, "CALL dbms.security.activateUser('readSubject')");
        assertEmpty(this.adminSubject, "CALL dbms.security.activateUser('readSubject')");
        Assert.assertFalse(this.userManager.getUser("readSubject").hasFlag("is_suspended"));
    }

    @Test
    public void shouldFailToActivateNonExistentUser() throws Exception {
        assertFail(this.adminSubject, "CALL dbms.security.activateUser('Craig')", "User 'Craig' does not exist.");
    }

    @Test
    public void shouldFailToActivateIfNotAdmin() throws Exception {
        this.userManager.suspendUser("readSubject");
        assertFail(this.schemaSubject, "CALL dbms.security.activateUser('readSubject')", "Permission denied.");
        assertFail(this.schemaSubject, "CALL dbms.security.activateUser('Craig')", "Permission denied.");
        assertFail(this.schemaSubject, "CALL dbms.security.activateUser('')", "Permission denied.");
    }

    @Test
    public void shouldFailToActivateYourself() throws Exception {
        assertFail(this.adminSubject, "CALL dbms.security.activateUser('adminSubject')", "Activating yourself (user 'adminSubject') is not allowed.");
    }

    @Test
    public void shouldAddRoleToUser() throws Exception {
        Assert.assertFalse("Should not have role publisher", userHasRole("readSubject", "publisher"));
        assertEmpty(this.adminSubject, "CALL dbms.security.addRoleToUser('publisher', 'readSubject' )");
        Assert.assertTrue("Should have role publisher", userHasRole("readSubject", "publisher"));
    }

    @Test
    public void shouldAddRetainUserInRole() throws Exception {
        Assert.assertTrue("Should have role reader", userHasRole("readSubject", "reader"));
        assertEmpty(this.adminSubject, "CALL dbms.security.addRoleToUser('reader', 'readSubject')");
        Assert.assertTrue("Should have still have role reader", userHasRole("readSubject", "reader"));
    }

    @Test
    public void shouldFailToAddNonExistentUserToRole() throws Exception {
        testFailAddRoleToUser(this.adminSubject, "publisher", "Olivia", "User 'Olivia' does not exist.");
        testFailAddRoleToUser(this.adminSubject, "thisRoleDoesNotExist", "Olivia", "User 'Olivia' does not exist.");
        testFailAddRoleToUser(this.adminSubject, "", "Olivia", "The provided role name is empty.");
    }

    @Test
    public void shouldFailToAddUserToNonExistentRole() throws Exception {
        testFailAddRoleToUser(this.adminSubject, "thisRoleDoesNotExist", "readSubject", "Role 'thisRoleDoesNotExist' does not exist.");
        testFailAddRoleToUser(this.adminSubject, "", "readSubject", "The provided role name is empty.");
    }

    @Test
    public void shouldFailToAddRoleToUserIfNotAdmin() throws Exception {
        testFailAddRoleToUser(this.pwdSubject, "publisher", "readSubject", this.CHANGE_PWD_ERR_MSG);
        testFailAddRoleToUser(this.readSubject, "publisher", "readSubject", "Permission denied.");
        testFailAddRoleToUser(this.writeSubject, "publisher", "readSubject", "Permission denied.");
        testFailAddRoleToUser(this.schemaSubject, "publisher", "readSubject", "Permission denied.");
        testFailAddRoleToUser(this.schemaSubject, "publisher", "Olivia", "Permission denied.");
        testFailAddRoleToUser(this.schemaSubject, "thisRoleDoesNotExist", "Olivia", "Permission denied.");
    }

    @Test
    public void shouldRemoveRoleFromUser() throws Exception {
        assertEmpty(this.adminSubject, "CALL dbms.security.removeRoleFromUser('reader', 'readSubject')");
        Assert.assertFalse("Should not have role reader", userHasRole("readSubject", "reader"));
    }

    @Test
    public void shouldKeepUserOutOfRole() throws Exception {
        Assert.assertFalse("Should not have role publisher", userHasRole("readSubject", "publisher"));
        assertEmpty(this.adminSubject, "CALL dbms.security.removeRoleFromUser('publisher', 'readSubject')");
        Assert.assertFalse("Should not have role publisher", userHasRole("readSubject", "publisher"));
    }

    @Test
    public void shouldFailToRemoveNonExistentUserFromRole() throws Exception {
        testFailRemoveRoleFromUser(this.adminSubject, "publisher", "Olivia", "User 'Olivia' does not exist.");
        testFailRemoveRoleFromUser(this.adminSubject, "thisRoleDoesNotExist", "Olivia", "User 'Olivia' does not exist.");
        testFailRemoveRoleFromUser(this.adminSubject, "", "Olivia", "The provided role name is empty.");
        testFailRemoveRoleFromUser(this.adminSubject, "", "", "The provided role name is empty.");
        testFailRemoveRoleFromUser(this.adminSubject, "publisher", "", "The provided username is empty.");
    }

    @Test
    public void shouldFailToRemoveUserFromNonExistentRole() throws Exception {
        testFailRemoveRoleFromUser(this.adminSubject, "thisRoleDoesNotExist", "readSubject", "Role 'thisRoleDoesNotExist' does not exist.");
        testFailRemoveRoleFromUser(this.adminSubject, "", "readSubject", "The provided role name is empty.");
    }

    @Test
    public void shouldFailToRemoveRoleFromUserIfNotAdmin() throws Exception {
        testFailRemoveRoleFromUser(this.pwdSubject, "publisher", "readSubject", this.CHANGE_PWD_ERR_MSG);
        testFailRemoveRoleFromUser(this.readSubject, "publisher", "readSubject", "Permission denied.");
        testFailRemoveRoleFromUser(this.writeSubject, "publisher", "readSubject", "Permission denied.");
        testFailRemoveRoleFromUser(this.schemaSubject, "reader", "readSubject", "Permission denied.");
        testFailRemoveRoleFromUser(this.schemaSubject, "reader", "Olivia", "Permission denied.");
        testFailRemoveRoleFromUser(this.schemaSubject, "thisRoleDoesNotExist", "Olivia", "Permission denied.");
    }

    @Test
    public void shouldFailToRemoveYourselfFromAdminRole() throws Exception {
        assertFail(this.adminSubject, "CALL dbms.security.removeRoleFromUser('admin', 'adminSubject')", "Removing yourself (user 'adminSubject') from the admin role is not allowed.");
    }

    @Test
    public void shouldAllowAddingAndRemovingUserFromMultipleRoles() throws Exception {
        Assert.assertFalse("Should not have role publisher", userHasRole("readSubject", "publisher"));
        Assert.assertFalse("Should not have role architect", userHasRole("readSubject", "architect"));
        assertEmpty(this.adminSubject, "CALL dbms.security.addRoleToUser('publisher', 'readSubject')");
        assertEmpty(this.adminSubject, "CALL dbms.security.addRoleToUser('architect', 'readSubject')");
        Assert.assertTrue("Should have role publisher", userHasRole("readSubject", "publisher"));
        Assert.assertTrue("Should have role architect", userHasRole("readSubject", "architect"));
        assertEmpty(this.adminSubject, "CALL dbms.security.removeRoleFromUser('publisher', 'readSubject')");
        assertEmpty(this.adminSubject, "CALL dbms.security.removeRoleFromUser('architect', 'readSubject')");
        Assert.assertFalse("Should not have role publisher", userHasRole("readSubject", "publisher"));
        Assert.assertFalse("Should not have role architect", userHasRole("readSubject", "architect"));
    }

    @Test
    public void shouldCreateRole() throws Exception {
        assertEmpty(this.adminSubject, "CALL dbms.security.createRole('new_role')");
        this.userManager.getRole("new_role");
    }

    @Test
    public void shouldNotCreateRoleIfInvalidRoleName() throws Exception {
        assertFail(this.adminSubject, "CALL dbms.security.createRole('')", "The provided role name is empty.");
        assertFail(this.adminSubject, "CALL dbms.security.createRole('&%ss!')", "Role name '&%ss!' contains illegal characters. Use simple ascii characters and numbers.");
        assertFail(this.adminSubject, "CALL dbms.security.createRole('åäöø')", "Role name 'åäöø' contains illegal characters. Use simple ascii characters and numbers");
    }

    @Test
    public void shouldNotCreateExistingRole() throws Exception {
        assertFail(this.adminSubject, String.format("CALL dbms.security.createRole('%s')", "architect"), "The specified role 'architect' already exists");
        assertEmpty(this.adminSubject, "CALL dbms.security.createRole('new_role')");
        assertFail(this.adminSubject, "CALL dbms.security.createRole('new_role')", "The specified role 'new_role' already exists");
    }

    @Test
    public void shouldNotAllowNonAdminCreateRole() throws Exception {
        testFailCreateRole(this.pwdSubject, this.CHANGE_PWD_ERR_MSG);
        testFailCreateRole(this.readSubject, "Permission denied.");
        testFailCreateRole(this.writeSubject, "Permission denied.");
        testFailCreateRole(this.schemaSubject, "Permission denied.");
    }

    @Test
    public void shouldThrowIfTryingToDeletePredefinedRole() throws Exception {
        testFailDeleteRole(this.adminSubject, "admin", String.format("'%s' is a predefined role and can not be deleted.", "admin"));
        testFailDeleteRole(this.adminSubject, "architect", String.format("'%s' is a predefined role and can not be deleted.", "architect"));
        testFailDeleteRole(this.adminSubject, "publisher", String.format("'%s' is a predefined role and can not be deleted.", "publisher"));
        testFailDeleteRole(this.adminSubject, "reader", String.format("'%s' is a predefined role and can not be deleted.", "reader"));
    }

    @Test
    public void shouldThrowIfNonAdminTryingToDeleteRole() throws Exception {
        assertEmpty(this.adminSubject, String.format("CALL dbms.security.createRole('%s')", "new_role"));
        testFailDeleteRole(this.schemaSubject, "new_role", "Permission denied.");
        testFailDeleteRole(this.writeSubject, "new_role", "Permission denied.");
        testFailDeleteRole(this.readSubject, "new_role", "Permission denied.");
        testFailDeleteRole(this.noneSubject, "new_role", "Permission denied.");
    }

    @Test
    public void shouldThrowIfDeletingNonExistentRole() {
        testFailDeleteRole(this.adminSubject, "nonExistent", "Role 'nonExistent' does not exist.");
    }

    @Test
    public void shouldDeleteRole() throws Exception {
        this.neo.getLocalUserManager().newRole("new_role", new String[0]);
        assertEmpty(this.adminSubject, String.format("CALL dbms.security.deleteRole('%s')", "new_role"));
        MatcherAssert.assertThat(this.userManager.getAllRoleNames(), Matchers.not(Matchers.contains(new String[]{"new_role"})));
    }

    @Test
    public void deletingRoleAssignedToSelfShouldWork() throws Exception {
        assertEmpty(this.adminSubject, String.format("CALL dbms.security.createRole('%s')", "new_role"));
        assertEmpty(this.adminSubject, String.format("CALL dbms.security.addRoleToUser('%s', '%s')", "new_role", "adminSubject"));
        MatcherAssert.assertThat(this.userManager.getRoleNamesForUser("adminSubject"), Matchers.hasItem("new_role"));
        assertEmpty(this.adminSubject, String.format("CALL dbms.security.deleteRole('%s')", "new_role"));
        MatcherAssert.assertThat(this.userManager.getRoleNamesForUser("adminSubject"), Matchers.not(Matchers.hasItem("new_role")));
        MatcherAssert.assertThat(this.userManager.getAllRoleNames(), Matchers.not(Matchers.contains(new String[]{"new_role"})));
    }

    @Test
    public void shouldListUsers() throws Exception {
        assertSuccess(this.adminSubject, "CALL dbms.security.listUsers() YIELD username", resourceIterator -> {
            assertKeyIs(resourceIterator, "username", this.initialUsers);
        });
    }

    @Test
    public void shouldReturnUsersWithRoles() throws Exception {
        Map map = MapUtil.map(new Object[]{"adminSubject", listOf("admin"), "readSubject", listOf("reader"), "schemaSubject", listOf("architect"), "writeSubject", listOf("reader", "publisher"), "editorSubject", listOf("editor"), "pwdSubject", listOf(new String[0]), "noneSubject", listOf(new String[0]), "neo4j", listOf("admin")});
        this.userManager.addRoleToUser("reader", "writeSubject");
        assertSuccess(this.adminSubject, "CALL dbms.security.listUsers()", resourceIterator -> {
            assertKeyIsMap((ResourceIterator<Map<String, Object>>) resourceIterator, "username", "roles", valueOf(map));
        });
    }

    @Test
    public void shouldReturnUsersWithFlags() throws Exception {
        Map map = MapUtil.map(new Object[]{"adminSubject", listOf(new String[0]), "readSubject", listOf(new String[0]), "schemaSubject", listOf(new String[0]), "editorSubject", listOf(new String[0]), "writeSubject", listOf("is_suspended"), "pwdSubject", listOf(PWD_CHANGE, "is_suspended"), "noneSubject", listOf(new String[0]), "neo4j", listOf(PWD_CHANGE.toLowerCase())});
        this.userManager.suspendUser("writeSubject");
        this.userManager.suspendUser("pwdSubject");
        assertSuccess(this.adminSubject, "CALL dbms.security.listUsers()", resourceIterator -> {
            assertKeyIsMap((ResourceIterator<Map<String, Object>>) resourceIterator, "username", "flags", valueOf(map));
        });
    }

    @Test
    public void shouldShowCurrentUser() throws Exception {
        this.userManager.addRoleToUser("reader", "writeSubject");
        assertSuccess(this.adminSubject, "CALL dbms.showCurrentUser()", resourceIterator -> {
            assertKeyIsMap((ResourceIterator<Map<String, Object>>) resourceIterator, "username", "roles", valueOf(MapUtil.map(new Object[]{"adminSubject", listOf("admin")})));
        });
        assertSuccess(this.readSubject, "CALL dbms.showCurrentUser()", resourceIterator2 -> {
            assertKeyIsMap((ResourceIterator<Map<String, Object>>) resourceIterator2, "username", "roles", valueOf(MapUtil.map(new Object[]{"readSubject", listOf("reader")})));
        });
        assertSuccess(this.schemaSubject, "CALL dbms.showCurrentUser()", resourceIterator3 -> {
            assertKeyIsMap((ResourceIterator<Map<String, Object>>) resourceIterator3, "username", "roles", valueOf(MapUtil.map(new Object[]{"schemaSubject", listOf("architect")})));
        });
        assertSuccess(this.writeSubject, "CALL dbms.showCurrentUser()", resourceIterator4 -> {
            assertKeyIsMap((ResourceIterator<Map<String, Object>>) resourceIterator4, "username", "roles", valueOf(MapUtil.map(new Object[]{"writeSubject", listOf("reader", "publisher")})));
        });
        assertSuccess(this.noneSubject, "CALL dbms.showCurrentUser()", resourceIterator5 -> {
            assertKeyIsMap((ResourceIterator<Map<String, Object>>) resourceIterator5, "username", "roles", valueOf(MapUtil.map(new Object[]{"noneSubject", listOf(new String[0])})));
        });
    }

    @Test
    public void shouldNotAllowNonAdminListUsers() throws Exception {
        testFailListUsers(this.pwdSubject, 5, this.CHANGE_PWD_ERR_MSG);
        testFailListUsers(this.readSubject, 5, "Permission denied.");
        testFailListUsers(this.writeSubject, 5, "Permission denied.");
        testFailListUsers(this.schemaSubject, 5, "Permission denied.");
    }

    @Test
    public void shouldListRoles() throws Exception {
        assertSuccess(this.adminSubject, "CALL dbms.security.listRoles() YIELD role", resourceIterator -> {
            assertKeyIs(resourceIterator, "role", this.initialRoles);
        });
    }

    @Test
    public void shouldReturnRolesWithUsers() throws Exception {
        Map map = MapUtil.map(new Object[]{"admin", listOf("adminSubject", "neo4j"), "reader", listOf("readSubject"), "architect", listOf("schemaSubject"), "publisher", listOf("writeSubject"), "editor", listOf("editorSubject"), "empty", listOf(new String[0])});
        assertSuccess(this.adminSubject, "CALL dbms.security.listRoles()", resourceIterator -> {
            assertKeyIsMap((ResourceIterator<Map<String, Object>>) resourceIterator, "role", "users", valueOf(map));
        });
    }

    @Test
    public void shouldNotAllowNonAdminListRoles() throws Exception {
        testFailListRoles(this.pwdSubject, this.CHANGE_PWD_ERR_MSG);
        testFailListRoles(this.readSubject, "Permission denied.");
        testFailListRoles(this.writeSubject, "Permission denied.");
        testFailListRoles(this.schemaSubject, "Permission denied.");
    }

    @Test
    public void shouldListRolesForUser() throws Exception {
        assertSuccess(this.adminSubject, "CALL dbms.security.listRolesForUser('adminSubject') YIELD value as roles RETURN roles", resourceIterator -> {
            assertKeyIs(resourceIterator, "roles", "admin");
        });
        assertSuccess(this.adminSubject, "CALL dbms.security.listRolesForUser('readSubject') YIELD value as roles RETURN roles", resourceIterator2 -> {
            assertKeyIs(resourceIterator2, "roles", "reader");
        });
    }

    @Test
    public void shouldListNoRolesForUserWithNoRoles() throws Exception {
        assertEmpty(this.adminSubject, "CALL dbms.security.createUser('Henrik', 'bar', false)");
        assertEmpty(this.adminSubject, "CALL dbms.security.listRolesForUser('Henrik') YIELD value as roles RETURN roles");
    }

    @Test
    public void shouldNotListRolesForNonExistentUser() throws Exception {
        assertFail(this.adminSubject, "CALL dbms.security.listRolesForUser('Petra') YIELD value as roles RETURN roles", "User 'Petra' does not exist.");
        assertFail(this.adminSubject, "CALL dbms.security.listRolesForUser('') YIELD value as roles RETURN roles", "User '' does not exist.");
    }

    @Test
    public void shouldListOwnRolesRoles() throws Exception {
        assertSuccess(this.adminSubject, "CALL dbms.security.listRolesForUser('adminSubject') YIELD value as roles RETURN roles", resourceIterator -> {
            assertKeyIs(resourceIterator, "roles", "admin");
        });
        assertSuccess(this.readSubject, "CALL dbms.security.listRolesForUser('readSubject') YIELD value as roles RETURN roles", resourceIterator2 -> {
            assertKeyIs(resourceIterator2, "roles", "reader");
        });
    }

    @Test
    public void shouldNotAllowNonAdminListUserRoles() throws Exception {
        testFailListUserRoles(this.pwdSubject, "adminSubject", this.CHANGE_PWD_ERR_MSG);
        testFailListUserRoles(this.readSubject, "adminSubject", "Permission denied.");
        testFailListUserRoles(this.writeSubject, "adminSubject", "Permission denied.");
        testFailListUserRoles(this.schemaSubject, "adminSubject", "Permission denied.");
    }

    @Test
    public void shouldListUsersForRole() throws Exception {
        assertSuccess(this.adminSubject, "CALL dbms.security.listUsersForRole('admin') YIELD value as users RETURN users", resourceIterator -> {
            assertKeyIs(resourceIterator, "users", "adminSubject", "neo4j");
        });
    }

    @Test
    public void shouldListNoUsersForRoleWithNoUsers() throws Exception {
        assertEmpty(this.adminSubject, "CALL dbms.security.listUsersForRole('empty') YIELD value as users RETURN users");
    }

    @Test
    public void shouldNotListUsersForNonExistentRole() throws Exception {
        assertFail(this.adminSubject, "CALL dbms.security.listUsersForRole('poodle') YIELD value as users RETURN users", "Role 'poodle' does not exist.");
        assertFail(this.adminSubject, "CALL dbms.security.listUsersForRole('') YIELD value as users RETURN users", "Role '' does not exist.");
    }

    @Test
    public void shouldNotListUsersForRoleIfNotAdmin() throws Exception {
        testFailListRoleUsers(this.pwdSubject, "admin", this.CHANGE_PWD_ERR_MSG);
        testFailListRoleUsers(this.readSubject, "admin", "Permission denied.");
        testFailListRoleUsers(this.writeSubject, "admin", "Permission denied.");
        testFailListRoleUsers(this.schemaSubject, "admin", "Permission denied.");
    }

    @Test
    public void shouldAllowClearAuthCacheIfAdmin() throws Exception {
        assertEmpty(this.adminSubject, "CALL dbms.security.clearAuthCache()");
    }

    @Test
    public void shouldNotClearAuthCacheIfNotAdmin() throws Exception {
        assertFail(this.pwdSubject, "CALL dbms.security.clearAuthCache()", this.CHANGE_PWD_ERR_MSG);
        assertFail(this.readSubject, "CALL dbms.security.clearAuthCache()", "Permission denied.");
        assertFail(this.writeSubject, "CALL dbms.security.clearAuthCache()", "Permission denied.");
        assertFail(this.schemaSubject, "CALL dbms.security.clearAuthCache()", "Permission denied.");
    }

    @Test
    public void shouldPrintUserAndRolesWhenPermissionDenied() throws Throwable {
        this.userManager.newUser("mats", "foo", false);
        this.userManager.newRole("failer", new String[]{"mats"});
        S login = this.neo.login("mats", "foo");
        assertFail(this.noneSubject, "CALL test.numNodes", "Read operations are not allowed for user 'noneSubject' with no roles.");
        assertFail(this.readSubject, "CALL test.allowedWriteProcedure", "Write operations are not allowed for user 'readSubject' with roles [reader].");
        assertFail(this.writeSubject, "CALL test.allowedSchemaProcedure", "Schema operations are not allowed for user 'writeSubject' with roles [publisher].");
        assertFail(login, "CALL test.numNodes", "Read operations are not allowed for user 'mats' with roles [failer].");
        assertFail(login, "RETURN test.allowedFunction1()", "Read operations are not allowed for user 'mats' with roles [failer].");
    }

    @Test
    public void shouldAllowProcedureStartingTransactionInNewThread() throws Throwable {
        ProcedureInteractionTestBase.ClassWithProcedures.exceptionsInProcedure.clear();
        DoubleLatch doubleLatch = new DoubleLatch(2);
        ProcedureInteractionTestBase.ClassWithProcedures.doubleLatch = doubleLatch;
        doubleLatch.start();
        assertEmpty(this.writeSubject, "CALL test.threadTransaction");
        doubleLatch.finishAndWaitForAllToFinish();
        MatcherAssert.assertThat(Integer.valueOf(ProcedureInteractionTestBase.ClassWithProcedures.exceptionsInProcedure.size()), Matchers.equalTo(0));
        assertSuccess(this.adminSubject, "MATCH (:VeryUniqueLabel) RETURN toString(count(*)) as n", resourceIterator -> {
            assertKeyIs(resourceIterator, "n", "1");
        });
    }

    @Test
    public void shouldInheritSecurityContextWhenProcedureStartingTransactionInNewThread() throws Throwable {
        ProcedureInteractionTestBase.ClassWithProcedures.exceptionsInProcedure.clear();
        DoubleLatch doubleLatch = new DoubleLatch(2);
        ProcedureInteractionTestBase.ClassWithProcedures.doubleLatch = doubleLatch;
        doubleLatch.start();
        assertEmpty(this.readSubject, "CALL test.threadReadDoingWriteTransaction");
        doubleLatch.finishAndWaitForAllToFinish();
        MatcherAssert.assertThat(Integer.valueOf(ProcedureInteractionTestBase.ClassWithProcedures.exceptionsInProcedure.size()), Matchers.equalTo(1));
        MatcherAssert.assertThat(ProcedureInteractionTestBase.ClassWithProcedures.exceptionsInProcedure.get(0).getMessage(), Matchers.containsString(this.WRITE_OPS_NOT_ALLOWED));
        assertSuccess(this.adminSubject, "MATCH (:VeryUniqueLabel) RETURN toString(count(*)) as n", resourceIterator -> {
            assertKeyIs(resourceIterator, "n", "0");
        });
    }

    @Test
    public void shouldSetCorrectUnAuthenticatedPermissions() throws Throwable {
        assertFail(this.neo.login("Batman", "Matban"), "MATCH (n) RETURN n", "");
        assertFail(this.neo.login("Batman", "Matban"), "CREATE (:Node)", "");
        assertFail(this.neo.login("Batman", "Matban"), "CREATE INDEX ON :Node(number)", "");
        assertFail(this.neo.login("Batman", "Matban"), "CALL dbms.security.changePassword( '321' )", "");
        assertFail(this.neo.login("Batman", "Matban"), "CALL dbms.security.createUser('Henrik', 'bar', true)", "");
    }

    @Test
    public void shouldSetCorrectPasswordChangeRequiredPermissions() throws Throwable {
        testFailRead(this.pwdSubject, 3, pwdReqErrMsg(this.READ_OPS_NOT_ALLOWED));
        testFailWrite(this.pwdSubject, pwdReqErrMsg(this.WRITE_OPS_NOT_ALLOWED));
        testFailSchema(this.pwdSubject, pwdReqErrMsg(this.SCHEMA_OPS_NOT_ALLOWED));
        assertPasswordChangeWhenPasswordChangeRequired(this.pwdSubject, "321");
        assertEmpty(this.adminSubject, "CALL dbms.security.createUser('Henrik', 'bar', true)");
        assertEmpty(this.adminSubject, "CALL dbms.security.addRoleToUser('architect', 'Henrik')");
        S login = this.neo.login("Henrik", "bar");
        this.neo.assertPasswordChangeRequired(login);
        testFailRead(login, 3, pwdReqErrMsg(this.READ_OPS_NOT_ALLOWED));
        testFailWrite(login, pwdReqErrMsg(this.WRITE_OPS_NOT_ALLOWED));
        testFailSchema(login, pwdReqErrMsg(this.SCHEMA_OPS_NOT_ALLOWED));
        assertPasswordChangeWhenPasswordChangeRequired(login, "321");
        assertEmpty(this.adminSubject, "CALL dbms.security.createUser('Olivia', 'bar', true)");
        assertEmpty(this.adminSubject, "CALL dbms.security.addRoleToUser('admin', 'Olivia')");
        S login2 = this.neo.login("Olivia", "bar");
        this.neo.assertPasswordChangeRequired(login2);
        testFailRead(login2, 3, pwdReqErrMsg(this.READ_OPS_NOT_ALLOWED));
        testFailWrite(login2, pwdReqErrMsg(this.WRITE_OPS_NOT_ALLOWED));
        testFailSchema(login2, pwdReqErrMsg(this.SCHEMA_OPS_NOT_ALLOWED));
        assertFail(login2, "CALL dbms.security.createUser('OliviasFriend', 'bar', false)", this.CHANGE_PWD_ERR_MSG);
        assertPasswordChangeWhenPasswordChangeRequired(login2, "321");
    }

    @Test
    public void shouldSetCorrectNoRolePermissions() throws Exception {
        testFailRead(this.noneSubject, 3);
        testFailWrite(this.noneSubject);
        testFailSchema(this.noneSubject);
        testFailCreateUser(this.noneSubject, "Permission denied.");
        assertEmpty(this.noneSubject, "CALL dbms.security.changePassword( '321' )");
    }

    @Test
    public void shouldSetCorrectReaderPermissions() throws Exception {
        testSuccessfulRead(this.readSubject, 3);
        testFailWrite(this.readSubject);
        testFailTokenWrite(this.readSubject, this.WRITE_OPS_NOT_ALLOWED);
        testFailSchema(this.readSubject);
        testFailCreateUser(this.readSubject, "Permission denied.");
        assertEmpty(this.readSubject, "CALL dbms.security.changePassword( '321' )");
    }

    @Test
    public void shouldSetCorrectEditorPermissions() throws Exception {
        testSuccessfulRead(this.editorSubject, 3);
        testSuccessfulWrite(this.editorSubject);
        testFailTokenWrite(this.editorSubject);
        testFailSchema(this.editorSubject);
        testFailCreateUser(this.editorSubject, "Permission denied.");
        assertEmpty(this.editorSubject, "CALL dbms.security.changePassword( '321' )");
    }

    @Test
    public void shouldSetCorrectPublisherPermissions() throws Exception {
        testSuccessfulRead(this.writeSubject, 3);
        testSuccessfulWrite(this.writeSubject);
        testSuccessfulTokenWrite(this.writeSubject);
        testFailSchema(this.writeSubject);
        testFailCreateUser(this.writeSubject, "Permission denied.");
        assertEmpty(this.writeSubject, "CALL dbms.security.changePassword( '321' )");
    }

    @Test
    public void shouldSetCorrectSchemaPermissions() throws Exception {
        testSuccessfulRead(this.schemaSubject, 3);
        testSuccessfulWrite(this.schemaSubject);
        testSuccessfulTokenWrite(this.schemaSubject);
        testSuccessfulSchema(this.schemaSubject);
        testFailCreateUser(this.schemaSubject, "Permission denied.");
        assertEmpty(this.schemaSubject, "CALL dbms.security.changePassword( '321' )");
    }

    @Test
    public void shouldSetCorrectAdminPermissions() throws Exception {
        testSuccessfulRead(this.adminSubject, 3);
        testSuccessfulWrite(this.adminSubject);
        testSuccessfulTokenWrite(this.adminSubject);
        testSuccessfulSchema(this.adminSubject);
        assertEmpty(this.adminSubject, "CALL dbms.security.createUser('Olivia', 'bar', true)");
        assertEmpty(this.adminSubject, "CALL dbms.security.changePassword( '321' )");
    }

    @Test
    public void shouldSetCorrectMultiRolePermissions() throws Exception {
        assertEmpty(this.adminSubject, "CALL dbms.security.addRoleToUser('reader', 'schemaSubject')");
        testSuccessfulRead(this.schemaSubject, 3);
        testSuccessfulWrite(this.schemaSubject);
        testSuccessfulSchema(this.schemaSubject);
        testFailCreateUser(this.schemaSubject, "Permission denied.");
        assertEmpty(this.schemaSubject, "CALL dbms.security.changePassword( '321' )");
    }
}
