package org.neo4j.server.security.enterprise.auth;

import java.time.Clock;
import java.util.function.Function;
import org.hamcrest.Matchers;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.neo4j.internal.kernel.api.security.AccessMode;
import org.neo4j.kernel.api.security.exception.InvalidAuthTokenException;
import org.neo4j.kernel.enterprise.api.security.EnterpriseSecurityContext;
import org.neo4j.kernel.impl.api.security.OverriddenAccessMode;
import org.neo4j.kernel.impl.api.security.RestrictedAccessMode;
import org.neo4j.server.security.auth.InMemoryUserRepository;
import org.neo4j.server.security.auth.RateLimitedAuthenticationStrategy;
import org.neo4j.server.security.auth.SecurityTestUtils;

/* loaded from: input_file:org/neo4j/server/security/enterprise/auth/EnterpriseSecurityContextDescriptionTest.class */
public class EnterpriseSecurityContextDescriptionTest {
    private EnterpriseUserManager manager;

    @Rule
    public MultiRealmAuthManagerRule authManagerRule = new MultiRealmAuthManagerRule(new InMemoryUserRepository(), new RateLimitedAuthenticationStrategy(Clock.systemUTC(), 3));
    private Function<String, Integer> token = str -> {
        return -1;
    };

    @Before
    public void setUp() throws Throwable {
        this.authManagerRule.getManager().start();
        this.manager = this.authManagerRule.getManager().getUserManager();
        this.manager.newUser("mats", "foo", false);
    }

    @Test
    public void shouldMakeNiceDescriptionWithoutRoles() throws Exception {
        Assert.assertThat(context().description(), Matchers.equalTo("user 'mats' with no roles"));
    }

    @Test
    public void shouldMakeNiceDescriptionWithRoles() throws Exception {
        this.manager.newRole("role1", new String[]{"mats"});
        this.manager.addRoleToUser("publisher", "mats");
        Assert.assertThat(context().description(), Matchers.equalTo("user 'mats' with roles [publisher,role1]"));
    }

    @Test
    public void shouldMakeNiceDescriptionWithMode() throws Exception {
        this.manager.newRole("role1", new String[]{"mats"});
        this.manager.addRoleToUser("publisher", "mats");
        Assert.assertThat(context().withMode(AccessMode.Static.CREDENTIALS_EXPIRED).description(), Matchers.equalTo("user 'mats' with CREDENTIALS_EXPIRED"));
    }

    @Test
    public void shouldMakeNiceDescriptionRestricted() throws Exception {
        this.manager.newRole("role1", new String[]{"mats"});
        this.manager.addRoleToUser("publisher", "mats");
        EnterpriseSecurityContext context = context();
        Assert.assertThat(context.withMode(new RestrictedAccessMode(context.mode(), AccessMode.Static.READ)).description(), Matchers.equalTo("user 'mats' with roles [publisher,role1] restricted to READ"));
    }

    @Test
    public void shouldMakeNiceDescriptionOverridden() throws Exception {
        this.manager.newRole("role1", new String[]{"mats"});
        this.manager.addRoleToUser("publisher", "mats");
        EnterpriseSecurityContext context = context();
        Assert.assertThat(context.withMode(new OverriddenAccessMode(context.mode(), AccessMode.Static.READ)).description(), Matchers.equalTo("user 'mats' with roles [publisher,role1] overridden by READ"));
    }

    @Test
    public void shouldMakeNiceDescriptionAuthDisabled() {
        Assert.assertThat(EnterpriseSecurityContext.AUTH_DISABLED.description(), Matchers.equalTo("AUTH_DISABLED with FULL"));
    }

    @Test
    public void shouldMakeNiceDescriptionAuthDisabledAndRestricted() {
        EnterpriseSecurityContext enterpriseSecurityContext = EnterpriseSecurityContext.AUTH_DISABLED;
        Assert.assertThat(enterpriseSecurityContext.withMode(new RestrictedAccessMode(enterpriseSecurityContext.mode(), AccessMode.Static.READ)).description(), Matchers.equalTo("AUTH_DISABLED with FULL restricted to READ"));
    }

    private EnterpriseSecurityContext context() throws InvalidAuthTokenException {
        return this.authManagerRule.getManager().login(SecurityTestUtils.authToken("mats", "foo")).authorize(this.token);
    }
}
