package org.neo4j.server.security.enterprise.auth.integration.bolt;

import java.io.BufferedReader;
import java.io.File;
import java.io.IOException;
import java.io.Reader;
import java.nio.charset.Charset;
import java.util.Map;
import java.util.function.Consumer;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.ModificationItem;
import javax.naming.ldap.LdapContext;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.exception.LdapOperationErrorException;
import org.apache.directory.server.annotations.CreateLdapServer;
import org.apache.directory.server.annotations.CreateTransport;
import org.apache.directory.server.annotations.SaslMechanism;
import org.apache.directory.server.core.annotations.ApplyLdifFiles;
import org.apache.directory.server.core.annotations.ContextEntry;
import org.apache.directory.server.core.annotations.CreateDS;
import org.apache.directory.server.core.annotations.CreatePartition;
import org.apache.directory.server.core.annotations.LoadSchema;
import org.apache.directory.server.core.api.filtering.EntryFilteringCursor;
import org.apache.directory.server.core.api.interceptor.BaseInterceptor;
import org.apache.directory.server.core.api.interceptor.Interceptor;
import org.apache.directory.server.core.api.interceptor.context.SearchOperationContext;
import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
import org.apache.directory.server.core.integ.FrameworkRunner;
import org.apache.directory.server.ldap.handlers.extended.StartTlsHandler;
import org.apache.directory.server.ldap.handlers.sasl.cramMD5.CramMd5MechanismHandler;
import org.apache.directory.server.ldap.handlers.sasl.digestMD5.DigestMd5MechanismHandler;
import org.apache.shiro.realm.ldap.JndiLdapContextFactory;
import org.hamcrest.CoreMatchers;
import org.hamcrest.Matcher;
import org.hamcrest.MatcherAssert;
import org.junit.Before;
import org.junit.Test;
import org.junit.experimental.categories.Category;
import org.junit.runner.RunWith;
import org.neo4j.bolt.v1.messaging.message.InitMessage;
import org.neo4j.bolt.v1.messaging.message.PullAllMessage;
import org.neo4j.bolt.v1.messaging.message.RequestMessage;
import org.neo4j.bolt.v1.messaging.message.RunMessage;
import org.neo4j.bolt.v1.messaging.util.MessageMatchers;
import org.neo4j.bolt.v1.runtime.spi.StreamMatchers;
import org.neo4j.bolt.v1.transport.integration.TransportTestUtil;
import org.neo4j.bolt.v1.transport.socket.client.TransportConnection;
import org.neo4j.graphdb.config.Setting;
import org.neo4j.internal.kernel.api.security.AuthSubject;
import org.neo4j.kernel.api.exceptions.Status;
import org.neo4j.kernel.impl.proc.Procedures;
import org.neo4j.server.security.enterprise.auth.EnterpriseAuthAndUserManager;
import org.neo4j.server.security.enterprise.auth.ProcedureInteractionTestBase;
import org.neo4j.server.security.enterprise.configuration.SecuritySettings;
import org.neo4j.test.DoubleLatch;
import org.neo4j.values.storable.Values;
import org.neo4j.values.virtual.VirtualValues;

@CreateLdapServer(transports = {@CreateTransport(protocol = "LDAP", port = 10389, address = "0.0.0.0"), @CreateTransport(protocol = "LDAPS", port = 10636, address = "0.0.0.0", ssl = true)}, saslMechanisms = {@SaslMechanism(name = "DIGEST-MD5", implClass = DigestMd5MechanismHandler.class), @SaslMechanism(name = "CRAM-MD5", implClass = CramMd5MechanismHandler.class)}, saslHost = "0.0.0.0", extendedOpHandlers = {StartTlsHandler.class}, keyStore = "target/test-classes/neo4j_ldap_test_keystore.jks", certificatePassword = "secret")
@RunWith(FrameworkRunner.class)
@CreateDS(name = "Test", partitions = {@CreatePartition(name = "example", suffix = "dc=example,dc=com", contextEntry = @ContextEntry(entryLdif = "dn: dc=example,dc=com\ndc: example\no: example\nobjectClass: top\nobjectClass: dcObject\nobjectClass: organization\n\n"))}, loadedSchemas = {@LoadSchema(name = "nis", enabled = true)})
@ApplyLdifFiles({"ldap_test_data.ldif"})
/* loaded from: input_file:org/neo4j/server/security/enterprise/auth/integration/bolt/LdapAuthIT.class */
public class LdapAuthIT extends EnterpriseAuthenticationTestBase {
    public static final String LDAP_ERROR_MESSAGE_INVALID_CREDENTIALS = "LDAP: error code 49 - INVALID_CREDENTIALS";
    public static final String NON_ROUTABLE_IP = "192.0.2.0";
    public static final String REFUSED_IP = "127.0.0.1";
    private final String MD5_HASHED_abc123 = "{MD5}6ZoYxCjLONXyYIU2eJIuAw==";
    private static Consumer<Map<Setting<?>, String>> ldapOnlyAuthSettings = map -> {
        map.put(SecuritySettings.auth_provider, "ldap");
        map.put(SecuritySettings.native_authentication_enabled, "false");
        map.put(SecuritySettings.native_authorization_enabled, "false");
        map.put(SecuritySettings.ldap_authentication_enabled, "true");
        map.put(SecuritySettings.ldap_authorization_enabled, "true");
    };
    private static Consumer<Map<Setting<?>, String>> activeDirectoryOnEc2Settings = map -> {
        map.put(SecuritySettings.auth_provider, "ldap");
        map.put(SecuritySettings.ldap_server, "henrik.neohq.net:389");
        map.put(SecuritySettings.ldap_authentication_user_dn_template, "cn={0},cn=Users,dc=neo4j,dc=com");
        map.put(SecuritySettings.ldap_authorization_user_search_base, "cn=Users,dc=neo4j,dc=com");
        map.put(SecuritySettings.ldap_authorization_user_search_filter, "(&(objectClass=*)(CN={0}))");
        map.put(SecuritySettings.ldap_authorization_group_membership_attribute_names, "memberOf");
        map.put(SecuritySettings.ldap_authorization_group_to_role_mapping, "'CN=Neo4j Read Only,CN=Users,DC=neo4j,DC=com'=reader;CN=Neo4j Read-Write,CN=Users,DC=neo4j,DC=com=publisher;CN=Neo4j Schema Manager,CN=Users,DC=neo4j,DC=com=architect;CN=Neo4j Administrator,CN=Users,DC=neo4j,DC=com=admin");
    };
    private static Consumer<Map<Setting<?>, String>> activeDirectoryOnEc2NotUsingSystemAccountSettings = activeDirectoryOnEc2Settings.andThen(map -> {
    });
    private static Consumer<Map<Setting<?>, String>> activeDirectoryOnEc2UsingSystemAccountSettings = activeDirectoryOnEc2Settings.andThen(map -> {
        map.put(SecuritySettings.ldap_authorization_use_system_account, "true");
        map.put(SecuritySettings.ldap_authorization_system_username, "Petra Selmer");
        map.put(SecuritySettings.ldap_authorization_system_password, "S0uthAfrica");
    });

    /* loaded from: input_file:org/neo4j/server/security/enterprise/auth/integration/bolt/LdapAuthIT$DirectoryServiceFailOnSearch.class */
    private class DirectoryServiceFailOnSearch implements AutoCloseable {
        private final Interceptor failOnSearchInterceptor;

        DirectoryServiceFailOnSearch() {
            this.failOnSearchInterceptor = new BaseInterceptor() { // from class: org.neo4j.server.security.enterprise.auth.integration.bolt.LdapAuthIT.DirectoryServiceFailOnSearch.1
                public String getName() {
                    return getClass().getName();
                }

                public EntryFilteringCursor search(SearchOperationContext searchOperationContext) throws LdapException {
                    throw new LdapOperationErrorException();
                }
            };
            try {
                AbstractLdapTestUnit.getService().addFirst(this.failOnSearchInterceptor);
            } catch (LdapException e) {
                throw new RuntimeException((Throwable) e);
            }
        }

        @Override // java.lang.AutoCloseable
        public void close() {
            AbstractLdapTestUnit.getService().remove(this.failOnSearchInterceptor.getName());
        }
    }

    /* loaded from: input_file:org/neo4j/server/security/enterprise/auth/integration/bolt/LdapAuthIT$DirectoryServiceWaitOnSearch.class */
    private class DirectoryServiceWaitOnSearch implements AutoCloseable {
        private final Interceptor waitOnSearchInterceptor;

        DirectoryServiceWaitOnSearch(final long j) {
            this.waitOnSearchInterceptor = new BaseInterceptor() { // from class: org.neo4j.server.security.enterprise.auth.integration.bolt.LdapAuthIT.DirectoryServiceWaitOnSearch.1
                public String getName() {
                    return getClass().getName();
                }

                public EntryFilteringCursor search(SearchOperationContext searchOperationContext) throws LdapException {
                    try {
                        Thread.sleep(j);
                    } catch (InterruptedException e) {
                        Thread.interrupted();
                    }
                    return super.search(searchOperationContext);
                }
            };
            try {
                AbstractLdapTestUnit.getService().addFirst(this.waitOnSearchInterceptor);
            } catch (LdapException e) {
                throw new RuntimeException((Throwable) e);
            }
        }

        @Override // java.lang.AutoCloseable
        public void close() {
            AbstractLdapTestUnit.getService().remove(this.waitOnSearchInterceptor.getName());
        }
    }

    /* loaded from: input_file:org/neo4j/server/security/enterprise/auth/integration/bolt/LdapAuthIT$EmbeddedTestCertificates.class */
    private class EmbeddedTestCertificates implements AutoCloseable {
        private static final String KEY_STORE = "javax.net.ssl.keyStore";
        private static final String KEY_STORE_PASSWORD = "javax.net.ssl.keyStorePassword";
        private static final String TRUST_STORE = "javax.net.ssl.trustStore";
        private static final String TRUST_STORE_PASSWORD = "javax.net.ssl.trustStorePassword";
        private final String keyStore = System.getProperty(KEY_STORE);
        private final String keyStorePassword = System.getProperty(KEY_STORE_PASSWORD);
        private final String trustStore = System.getProperty(TRUST_STORE);
        private final String trustStorePassword = System.getProperty(TRUST_STORE_PASSWORD);

        EmbeddedTestCertificates() {
            String absolutePath = fileFromResources("/neo4j_ldap_test_keystore.jks").getAbsolutePath();
            System.setProperty(KEY_STORE, absolutePath);
            System.setProperty(KEY_STORE_PASSWORD, "secret");
            System.setProperty(TRUST_STORE, absolutePath);
            System.setProperty(TRUST_STORE_PASSWORD, "secret");
        }

        @Override // java.lang.AutoCloseable
        public void close() {
            resetProperty(KEY_STORE, this.keyStore);
            resetProperty(KEY_STORE_PASSWORD, this.keyStorePassword);
            resetProperty(TRUST_STORE, this.trustStore);
            resetProperty(TRUST_STORE_PASSWORD, this.trustStorePassword);
        }

        private File fileFromResources(String str) {
            return new File(getClass().getResource(str).getFile());
        }

        private void resetProperty(String str, String str2) {
            if (str != null) {
                System.clearProperty(str);
            } else {
                System.setProperty(str, str2);
            }
        }
    }

    @Override // org.neo4j.server.security.enterprise.auth.integration.bolt.EnterpriseAuthenticationTestBase
    @Before
    public void setup() {
        super.setup();
        getLdapServer().setConfidentialityRequired(false);
    }

    private void restartNeo4jServerWithSaslDigestMd5() {
        this.server.shutdownDatabase();
        this.server.ensureDatabase(asSettings(ldapOnlyAuthSettings.andThen(map -> {
            map.put(SecuritySettings.ldap_authentication_mechanism, "DIGEST-MD5");
            map.put(SecuritySettings.ldap_authentication_user_dn_template, "{0}");
        })));
        lookupConnectorAddress();
    }

    private void restartNeo4jServerWithSaslCramMd5() {
        this.server.shutdownDatabase();
        this.server.ensureDatabase(asSettings(ldapOnlyAuthSettings.andThen(map -> {
            map.put(SecuritySettings.ldap_authentication_mechanism, "CRAM-MD5");
            map.put(SecuritySettings.ldap_authentication_user_dn_template, "{0}");
        })));
        lookupConnectorAddress();
    }

    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.neo4j.server.security.enterprise.auth.integration.bolt.EnterpriseAuthenticationTestBase
    public Consumer<Map<Setting<?>, String>> getSettingsFunction() {
        return super.getSettingsFunction().andThen(ldapOnlyAuthSettings).andThen(map -> {
            map.put(SecuritySettings.ldap_server, "0.0.0.0:10389");
            map.put(SecuritySettings.ldap_authentication_user_dn_template, "cn={0},ou=users,dc=example,dc=com");
            map.put(SecuritySettings.ldap_authentication_cache_enabled, "true");
            map.put(SecuritySettings.ldap_authorization_system_username, "uid=admin,ou=system");
            map.put(SecuritySettings.ldap_authorization_system_password, "secret");
            map.put(SecuritySettings.ldap_authorization_use_system_account, "true");
            map.put(SecuritySettings.ldap_authorization_user_search_base, "dc=example,dc=com");
            map.put(SecuritySettings.ldap_authorization_user_search_filter, "(&(objectClass=*)(uid={0}))");
            map.put(SecuritySettings.ldap_authorization_group_membership_attribute_names, "gidnumber");
            map.put(SecuritySettings.ldap_authorization_group_to_role_mapping, "500=reader;501=publisher;502=architect;503=admin");
            map.put(SecuritySettings.procedure_roles, "test.allowedReadProcedure:role1");
            map.put(SecuritySettings.ldap_read_timeout, "1s");
        });
    }

    @Test
    public void shouldLoginWithLdap() throws Throwable {
        assertAuth("neo4j", "abc123");
        reconnect();
        assertAuth("neo4j", "abc123");
    }

    @Test
    public void shouldLoginWithLdapWithAuthenticationCacheDisabled() throws Throwable {
        restartNeo4jServerWithOverriddenSettings(ldapOnlyAuthSettings.andThen(map -> {
        }));
        assertAuth("neo4j", "abc123");
        reconnect();
        assertAuth("neo4j", "abc123");
    }

    @Test
    public void shouldFailToLoginWithLdapIfInvalidCredentials() throws Throwable {
        assertAuthFail("neo4j", "CANT_REMEMBER_MY_PASSWORDS_ANYMORE!");
    }

    @Test
    public void shoulFailToLoginWithLdapIfInvalidCredentialsFollowingSuccessfulLogin() throws Throwable {
        assertAuth("neo4j", "abc123");
        reconnect();
        assertAuthFail("neo4j", "");
    }

    @Test
    public void shouldLoginWithLdapUsingSaslDigestMd5() throws Throwable {
        restartNeo4jServerWithSaslDigestMd5();
        assertAuth("neo4j", "{MD5}6ZoYxCjLONXyYIU2eJIuAw==");
    }

    @Test
    public void shouldFailToLoginWithLdapDigestMd5IfInvalidCredentials() throws Throwable {
        restartNeo4jServerWithSaslDigestMd5();
        assertAuthFail("neo4j", "{MD5}6ZoYxCjLONXyYIU2eJIuAw==".toUpperCase());
    }

    @Test
    public void shouldLoginWithLdapUsingSaslCramMd5() throws Throwable {
        restartNeo4jServerWithSaslCramMd5();
        assertAuth("neo4j", "{MD5}6ZoYxCjLONXyYIU2eJIuAw==");
    }

    @Test
    public void shouldFailToLoginWithLdapCramMd5IfInvalidCredentials() throws Throwable {
        restartNeo4jServerWithSaslCramMd5();
        assertAuthFail("neo4j", "{MD5}6ZoYxCjLONXyYIU2eJIuAw==".toUpperCase());
    }

    @Test
    public void shouldBeAbleToLoginAndAuthorizeReaderWithLdapOnly() throws Throwable {
        testAuthWithReaderUser();
    }

    @Test
    public void shouldBeAbleToLoginAndAuthorizePublisherWithLdapOnly() throws Throwable {
        testAuthWithPublisherUser();
    }

    @Test
    public void shouldBeAbleToLoginAndAuthorizeNoPermissionUserWithLdapOnly() throws Throwable {
        testAuthWithNoPermissionUser("smith", "abc123");
    }

    @Test
    public void shouldShowCurrentUser() throws Throwable {
        assertAuth("smith", "abc123");
        this.client.send(this.util.chunk(new RequestMessage[]{RunMessage.run("CALL dbms.showCurrentUser()"), PullAllMessage.pullAll()}));
        MatcherAssert.assertThat(this.client, this.util.eventuallyReceives(new Matcher[]{MessageMatchers.msgSuccess(), MessageMatchers.msgRecord(StreamMatchers.eqRecord(new Matcher[]{CoreMatchers.equalTo(Values.stringValue("smith")), CoreMatchers.equalTo(VirtualValues.EMPTY_LIST), CoreMatchers.equalTo(VirtualValues.EMPTY_LIST)}))}));
    }

    @Test
    public void shouldBeAbleToLoginAndAuthorizeNoPermissionUserWithLdapOnlyAndNoGroupToRoleMapping() throws Throwable {
        restartNeo4jServerWithOverriddenSettings(ldapOnlyAuthSettings.andThen(map -> {
        }));
        testAuthWithNoPermissionUser("neo", "abc123");
    }

    @Test
    public void shouldBeAbleToLoginAndAuthorizeWithLdapOnlyAndQuotedGroupToRoleMapping() throws Throwable {
        restartNeo4jServerWithOverriddenSettings(ldapOnlyAuthSettings.andThen(map -> {
        }));
        testAuthWithReaderUser();
        reconnect();
        testAuthWithPublisherUser();
        reconnect();
        testAuthWithNoPermissionUser("smith", "abc123");
    }

    @Test
    public void shouldBeAbleToLoginAndAuthorizeReaderWithUserLdapContext() throws Throwable {
        restartServerWithoutSystemAccount();
        testAuthWithReaderUser();
    }

    @Test
    public void shouldBeAbleToLoginAndAuthorizePublisherWithUserLdapContext() throws Throwable {
        restartServerWithoutSystemAccount();
        testAuthWithPublisherUser();
    }

    @Test
    public void shouldFailIfAuthorizationExpiredWithUserLdapContext() throws Throwable {
        restartServerWithoutSystemAccount();
        assertAuth("neo4j", "abc123");
        assertReadSucceeds();
        this.client.send(this.util.chunk(new RequestMessage[]{RunMessage.run("CALL dbms.security.clearAuthCache()"), PullAllMessage.pullAll()}));
        MatcherAssert.assertThat(this.client, this.util.eventuallyReceives(new Matcher[]{MessageMatchers.msgSuccess(), MessageMatchers.msgSuccess()}));
        this.client.send(this.util.chunk(new RequestMessage[]{RunMessage.run("MATCH (n) RETURN n"), PullAllMessage.pullAll()}));
        MatcherAssert.assertThat(this.client, this.util.eventuallyReceives(new Matcher[]{MessageMatchers.msgFailure(Status.Security.AuthorizationExpired, "LDAP authorization info expired.")}));
        MatcherAssert.assertThat(this.client, TransportTestUtil.eventuallyDisconnects());
    }

    @Test
    public void shouldSucceedIfAuthorizationExpiredWithinTransactionWithUserLdapContext() throws Throwable {
        restartServerWithoutSystemAccount();
        assertAuth("neo4j", "abc123");
        this.client.send(this.util.chunk(new RequestMessage[]{RunMessage.run("CALL dbms.security.clearAuthCache() MATCH (n) RETURN n"), PullAllMessage.pullAll()}));
        MatcherAssert.assertThat(this.client, this.util.eventuallyReceives(new Matcher[]{MessageMatchers.msgSuccess(), MessageMatchers.msgSuccess()}));
    }

    @Test
    public void shouldBeAbleToLoginAndAuthorizeNoPermissionUserWithUserLdapContext() throws Throwable {
        restartServerWithoutSystemAccount();
        testAuthWithNoPermissionUser("smith", "abc123");
    }

    @Test
    public void shouldBeAbleToLoginAndAuthorizeNoPermissionUserWithUserLdapContextAndNoGroupToRoleMapping() throws Throwable {
        restartNeo4jServerWithOverriddenSettings(map -> {
            map.put(SecuritySettings.ldap_authorization_use_system_account, "false");
            map.put(SecuritySettings.ldap_authorization_group_to_role_mapping, null);
        });
        testAuthWithNoPermissionUser("neo", "abc123");
    }

    @Test
    public void shouldBeAbleToLoginWithLdapAndAuthorizeInternally() throws Throwable {
        restartNeo4jServerWithOverriddenSettings(map -> {
            map.put(SecuritySettings.auth_providers, "native,ldap");
            map.put(SecuritySettings.native_authentication_enabled, "false");
            map.put(SecuritySettings.native_authorization_enabled, "true");
            map.put(SecuritySettings.ldap_authentication_enabled, "true");
            map.put(SecuritySettings.ldap_authorization_enabled, "false");
        });
        testCreateReaderUser();
        reconnect();
        testAuthWithReaderUser();
    }

    @Test
    public void shouldBeAbleToLoginNativelyAndAuthorizeWithLdap() throws Throwable {
        restartNeo4jServerWithOverriddenSettings(map -> {
            map.put(SecuritySettings.auth_providers, "native,ldap");
            map.put(SecuritySettings.native_authentication_enabled, "true");
            map.put(SecuritySettings.native_authorization_enabled, "false");
            map.put(SecuritySettings.ldap_authentication_enabled, "false");
            map.put(SecuritySettings.ldap_authorization_enabled, "true");
        });
        ((EnterpriseAuthAndUserManager) this.server.graphDatabaseService().getDependencyResolver().resolveDependency(EnterpriseAuthAndUserManager.class)).getUserManager(AuthSubject.AUTH_DISABLED, true).newUser("neo", "nativePassword", false);
        testAuthWithReaderUser("neo", "nativePassword", null);
    }

    @Test
    public void shouldKeepAuthorizationForLifetimeOfTransaction() throws Throwable {
        restartServerWithoutSystemAccount();
        DoubleLatch doubleLatch = new DoubleLatch(2);
        Throwable[] thArr = {null};
        Thread thread = new Thread(() -> {
            try {
                assertAuth("neo", "abc123");
                assertBeginTransactionSucceeds();
                assertReadSucceeds();
                doubleLatch.startAndWaitForAllToStart();
                doubleLatch.finishAndWaitForAllToFinish();
                assertReadSucceeds();
            } catch (Throwable th) {
                thArr[0] = th;
                doubleLatch.start();
                doubleLatch.finish();
            }
        });
        thread.start();
        doubleLatch.startAndWaitForAllToStart();
        clearAuthCacheFromDifferentConnection();
        doubleLatch.finishAndWaitForAllToFinish();
        thread.join();
        if (thArr[0] != null) {
            throw thArr[0];
        }
    }

    @Test
    public void shouldKeepAuthorizationForLifetimeOfTransactionWithProcedureAllowed() throws Throwable {
        restartNeo4jServerWithOverriddenSettings(map -> {
            map.put(SecuritySettings.ldap_authorization_use_system_account, "false");
            map.put(SecuritySettings.ldap_authorization_group_to_role_mapping, "503=admin;504=role1");
        });
        ((Procedures) this.server.graphDatabaseService().getDependencyResolver().resolveDependency(Procedures.class)).registerProcedure(ProcedureInteractionTestBase.ClassWithProcedures.class);
        DoubleLatch doubleLatch = new DoubleLatch(2);
        Throwable[] thArr = {null};
        Thread thread = new Thread(() -> {
            try {
                assertAuth("smith", "abc123");
                assertBeginTransactionSucceeds();
                assertAllowedReadProcedure();
                doubleLatch.startAndWaitForAllToStart();
                doubleLatch.finishAndWaitForAllToFinish();
                assertAllowedReadProcedure();
            } catch (Throwable th) {
                thArr[0] = th;
                doubleLatch.start();
                doubleLatch.finish();
            }
        });
        thread.start();
        doubleLatch.startAndWaitForAllToStart();
        clearAuthCacheFromDifferentConnection();
        doubleLatch.finishAndWaitForAllToFinish();
        thread.join();
        if (thArr[0] != null) {
            throw thArr[0];
        }
    }

    @Test
    public void shouldBeAbleToUseProcedureAllowedAnnotationWithLdapGroupToRoleMapping() throws Throwable {
        restartNeo4jServerWithOverriddenSettings(ldapOnlyAuthSettings.andThen(map -> {
        }));
        ((Procedures) this.server.graphDatabaseService().getDependencyResolver().resolveDependency(Procedures.class)).registerProcedure(ProcedureInteractionTestBase.ClassWithProcedures.class);
        assertAuth("neo", "abc123");
        assertAllowedReadProcedure();
    }

    @Test
    public void shouldFailIfInvalidLdapServer() throws Throwable {
        restartNeo4jServerWithOverriddenSettings(ldapOnlyAuthSettings.andThen(map -> {
        }));
        assertConnectionRefused(authToken("neo", "abc123", null), "LDAP connection refused.");
        MatcherAssert.assertThat(this.client, TransportTestUtil.eventuallyDisconnects());
    }

    @Test
    @Category({TimeoutTests.class})
    public void shouldTimeoutIfLdapServerDoesNotRespond() throws Throwable {
        DirectoryServiceWaitOnSearch directoryServiceWaitOnSearch = new DirectoryServiceWaitOnSearch(5000L);
        Throwable th = null;
        try {
            try {
                restartNeo4jServerWithOverriddenSettings(ldapOnlyAuthSettings.andThen(map -> {
                }));
                assertAuth("neo", "abc123");
                assertLdapAuthorizationTimeout();
                if (directoryServiceWaitOnSearch != null) {
                    if (0 == 0) {
                        directoryServiceWaitOnSearch.close();
                        return;
                    }
                    try {
                        directoryServiceWaitOnSearch.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
            } catch (Throwable th3) {
                th = th3;
                throw th3;
            }
        } catch (Throwable th4) {
            if (directoryServiceWaitOnSearch != null) {
                if (th != null) {
                    try {
                        directoryServiceWaitOnSearch.close();
                    } catch (Throwable th5) {
                        th.addSuppressed(th5);
                    }
                } else {
                    directoryServiceWaitOnSearch.close();
                }
            }
            throw th4;
        }
    }

    @Test
    @Category({TimeoutTests.class})
    public void shouldTimeoutIfLdapServerDoesNotRespondWithoutConnectionPooling() throws Throwable {
        DirectoryServiceWaitOnSearch directoryServiceWaitOnSearch = new DirectoryServiceWaitOnSearch(5000L);
        Throwable th = null;
        try {
            try {
                restartNeo4jServerWithOverriddenSettings(ldapOnlyAuthSettings.andThen(map -> {
                    map.put(SecuritySettings.ldap_read_timeout, "1s");
                    map.put(SecuritySettings.ldap_authorization_connection_pooling, "false");
                }));
                assertAuth("neo", "abc123");
                assertLdapAuthorizationTimeout();
                if (directoryServiceWaitOnSearch != null) {
                    if (0 == 0) {
                        directoryServiceWaitOnSearch.close();
                        return;
                    }
                    try {
                        directoryServiceWaitOnSearch.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
            } catch (Throwable th3) {
                th = th3;
                throw th3;
            }
        } catch (Throwable th4) {
            if (directoryServiceWaitOnSearch != null) {
                if (th != null) {
                    try {
                        directoryServiceWaitOnSearch.close();
                    } catch (Throwable th5) {
                        th.addSuppressed(th5);
                    }
                } else {
                    directoryServiceWaitOnSearch.close();
                }
            }
            throw th4;
        }
    }

    @Test
    @Category({TimeoutTests.class})
    public void shouldFailIfLdapSearchFails() throws Throwable {
        DirectoryServiceFailOnSearch directoryServiceFailOnSearch = new DirectoryServiceFailOnSearch();
        Throwable th = null;
        try {
            restartNeo4jServerWithOverriddenSettings(ldapOnlyAuthSettings.andThen(map -> {
            }));
            assertAuth("neo", "abc123");
            assertLdapAuthorizationFailed();
            if (directoryServiceFailOnSearch != null) {
                if (0 == 0) {
                    directoryServiceFailOnSearch.close();
                    return;
                }
                try {
                    directoryServiceFailOnSearch.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
        } catch (Throwable th3) {
            if (directoryServiceFailOnSearch != null) {
                if (0 != 0) {
                    try {
                        directoryServiceFailOnSearch.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    directoryServiceFailOnSearch.close();
                }
            }
            throw th3;
        }
    }

    @Test
    public void shouldTimeoutIfLdapServerDoesNotRespondWithLdapUserContext() throws Throwable {
        DirectoryServiceWaitOnSearch directoryServiceWaitOnSearch = new DirectoryServiceWaitOnSearch(5000L);
        Throwable th = null;
        try {
            restartNeo4jServerWithOverriddenSettings(ldapOnlyAuthSettings.andThen(map -> {
                map.put(SecuritySettings.ldap_authorization_use_system_account, "false");
                map.put(SecuritySettings.ldap_read_timeout, "1s");
            }));
            assertConnectionTimeout(authToken("neo", "abc123", null), "LDAP response timed out.");
            if (directoryServiceWaitOnSearch != null) {
                if (0 == 0) {
                    directoryServiceWaitOnSearch.close();
                    return;
                }
                try {
                    directoryServiceWaitOnSearch.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
        } catch (Throwable th3) {
            if (directoryServiceWaitOnSearch != null) {
                if (0 != 0) {
                    try {
                        directoryServiceWaitOnSearch.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    directoryServiceWaitOnSearch.close();
                }
            }
            throw th3;
        }
    }

    private void assertAllowedReadProcedure() throws IOException {
        this.client.send(this.util.chunk(new RequestMessage[]{RunMessage.run("CALL test.allowedReadProcedure()"), PullAllMessage.pullAll()}));
        MatcherAssert.assertThat(this.client, this.util.eventuallyReceives(new Matcher[]{MessageMatchers.msgSuccess(), MessageMatchers.msgRecord(StreamMatchers.eqRecord(new Matcher[]{CoreMatchers.equalTo(Values.stringValue("foo"))})), MessageMatchers.msgSuccess()}));
    }

    @Test
    public void shouldBeAbleToLoginAndAuthorizeReaderWithLdapOnlyUsingLDAPS() throws Throwable {
        getLdapServer().setConfidentialityRequired(true);
        EmbeddedTestCertificates embeddedTestCertificates = new EmbeddedTestCertificates();
        Throwable th = null;
        try {
            restartNeo4jServerWithOverriddenSettings(ldapOnlyAuthSettings.andThen(map -> {
            }));
            testAuthWithReaderUser();
            if (embeddedTestCertificates != null) {
                if (0 == 0) {
                    embeddedTestCertificates.close();
                    return;
                }
                try {
                    embeddedTestCertificates.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
        } catch (Throwable th3) {
            if (embeddedTestCertificates != null) {
                if (0 != 0) {
                    try {
                        embeddedTestCertificates.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    embeddedTestCertificates.close();
                }
            }
            throw th3;
        }
    }

    @Test
    public void shouldBeAbleToLoginAndAuthorizeReaderWithUserLdapContextUsingLDAPS() throws Throwable {
        getLdapServer().setConfidentialityRequired(true);
        EmbeddedTestCertificates embeddedTestCertificates = new EmbeddedTestCertificates();
        Throwable th = null;
        try {
            restartNeo4jServerWithOverriddenSettings(ldapOnlyAuthSettings.andThen(map -> {
                map.put(SecuritySettings.ldap_authorization_use_system_account, "false");
                map.put(SecuritySettings.ldap_server, "ldaps://localhost:10636");
            }));
            testAuthWithReaderUser();
            if (embeddedTestCertificates != null) {
                if (0 == 0) {
                    embeddedTestCertificates.close();
                    return;
                }
                try {
                    embeddedTestCertificates.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
        } catch (Throwable th3) {
            if (embeddedTestCertificates != null) {
                if (0 != 0) {
                    try {
                        embeddedTestCertificates.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    embeddedTestCertificates.close();
                }
            }
            throw th3;
        }
    }

    @Test
    public void shouldBeAbleToLoginAndAuthorizeReaderWithLdapOnlyUsingStartTls() throws Throwable {
        getLdapServer().setConfidentialityRequired(true);
        EmbeddedTestCertificates embeddedTestCertificates = new EmbeddedTestCertificates();
        Throwable th = null;
        try {
            restartNeo4jServerWithOverriddenSettings(ldapOnlyAuthSettings.andThen(map -> {
                map.put(SecuritySettings.ldap_server, "localhost:10389");
                map.put(SecuritySettings.ldap_use_starttls, "true");
            }));
            testAuthWithReaderUser();
            if (embeddedTestCertificates != null) {
                if (0 == 0) {
                    embeddedTestCertificates.close();
                    return;
                }
                try {
                    embeddedTestCertificates.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
        } catch (Throwable th3) {
            if (embeddedTestCertificates != null) {
                if (0 != 0) {
                    try {
                        embeddedTestCertificates.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    embeddedTestCertificates.close();
                }
            }
            throw th3;
        }
    }

    @Test
    public void shouldBeAbleToLoginAndAuthorizeReaderWithLdapUserContextUsingStartTls() throws Throwable {
        getLdapServer().setConfidentialityRequired(true);
        EmbeddedTestCertificates embeddedTestCertificates = new EmbeddedTestCertificates();
        Throwable th = null;
        try {
            restartNeo4jServerWithOverriddenSettings(ldapOnlyAuthSettings.andThen(map -> {
                map.put(SecuritySettings.ldap_authorization_use_system_account, "false");
                map.put(SecuritySettings.ldap_server, "localhost:10389");
                map.put(SecuritySettings.ldap_use_starttls, "true");
            }));
            testAuthWithReaderUser();
            if (embeddedTestCertificates != null) {
                if (0 == 0) {
                    embeddedTestCertificates.close();
                    return;
                }
                try {
                    embeddedTestCertificates.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
        } catch (Throwable th3) {
            if (embeddedTestCertificates != null) {
                if (0 != 0) {
                    try {
                        embeddedTestCertificates.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    embeddedTestCertificates.close();
                }
            }
            throw th3;
        }
    }

    public void shouldNotBeAbleToLoginUnknownUserOnEC2() throws Throwable {
        restartNeo4jServerWithOverriddenSettings(activeDirectoryOnEc2NotUsingSystemAccountSettings);
        assertAuthFail("unknown", "abc123ABC123");
    }

    public void shouldBeAbleToLoginAndAuthorizeReaderWithUserLdapContextOnEC2() throws Throwable {
        restartNeo4jServerWithOverriddenSettings(activeDirectoryOnEc2NotUsingSystemAccountSettings);
        assertAuth("neo", "abc123ABC123");
        assertReadSucceeds();
        assertWriteFails("neo", "");
    }

    public void shouldBeAbleToLoginAndAuthorizeReaderOnEC2() throws Throwable {
        restartNeo4jServerWithOverriddenSettings(activeDirectoryOnEc2UsingSystemAccountSettings);
        assertAuth("neo", "abc123ABC123");
        assertReadSucceeds();
        assertWriteFails("neo", "");
    }

    public void shouldBeAbleToLoginAndAuthorizePublisherWithUserLdapContextOnEC2() throws Throwable {
        restartNeo4jServerWithOverriddenSettings(activeDirectoryOnEc2NotUsingSystemAccountSettings);
        assertAuth("tank", "abc123ABC123");
        assertWriteSucceeds();
    }

    public void shouldBeAbleToLoginAndAuthorizePublisherOnEC2() throws Throwable {
        restartNeo4jServerWithOverriddenSettings(activeDirectoryOnEc2UsingSystemAccountSettings);
        assertAuth("tank", "abc123ABC123");
        assertWriteSucceeds();
    }

    public void shouldBeAbleToLoginAndAuthorizeNoPermissionUserWithUserLdapContextOnEC2() throws Throwable {
        restartNeo4jServerWithOverriddenSettings(activeDirectoryOnEc2NotUsingSystemAccountSettings);
        assertAuth("smith", "abc123ABC123");
        assertReadFails("smith", "");
    }

    public void shouldBeAbleToLoginAndAuthorizeNoPermissionUserOnEC2() throws Throwable {
        restartNeo4jServerWithOverriddenSettings(activeDirectoryOnEc2UsingSystemAccountSettings);
        assertAuth("smith", "abc123ABC123");
        assertReadFails("smith", "");
    }

    public void shouldBeAbleToLoginAndAuthorizeReaderUsingLdapsOnEC2() throws Throwable {
        restartNeo4jServerWithOverriddenSettings(activeDirectoryOnEc2UsingSystemAccountSettings.andThen(map -> {
        }));
        assertAuth("neo", "abc123ABC123");
        assertReadSucceeds();
        assertWriteFails("neo", "");
    }

    public void shouldBeAbleToLoginAndAuthorizeReaderWithUserLdapContextUsingLDAPSOnEC2() throws Throwable {
        restartNeo4jServerWithOverriddenSettings(activeDirectoryOnEc2NotUsingSystemAccountSettings.andThen(map -> {
        }));
        assertAuth("neo", "abc123ABC123");
        assertReadSucceeds();
        assertWriteFails("neo", "");
    }

    public void shouldBeAbleToLoginAndAuthorizeReaderUsingStartTlsOnEC2() throws Throwable {
        restartNeo4jServerWithOverriddenSettings(activeDirectoryOnEc2UsingSystemAccountSettings.andThen(map -> {
        }));
        assertAuth("neo", "abc123ABC123");
        assertReadSucceeds();
        assertWriteFails("neo", "");
    }

    public void shouldBeAbleToLoginAndAuthorizeReaderWithUserLdapContextUsingStartTlsOnEC2() throws Throwable {
        restartNeo4jServerWithOverriddenSettings(activeDirectoryOnEc2NotUsingSystemAccountSettings.andThen(map -> {
        }));
        assertAuth("neo", "abc123ABC123");
        assertReadSucceeds();
        assertWriteFails("neo", "");
    }

    @Test
    public void shouldBeAbleToLoginWithLdapWhenSelectingRealmFromClient() throws Throwable {
        restartNeo4jServerWithOverriddenSettings(map -> {
            map.put(SecuritySettings.auth_providers, "native,ldap");
            map.put(SecuritySettings.native_authentication_enabled, "true");
            map.put(SecuritySettings.native_authorization_enabled, "true");
            map.put(SecuritySettings.ldap_authentication_enabled, "true");
            map.put(SecuritySettings.ldap_authorization_enabled, "true");
            map.put(SecuritySettings.ldap_authorization_use_system_account, "true");
        });
        testCreateReaderUser("tank");
        reconnect();
        assertAuth("tank", createdUserPassword, "native");
        assertRoles("reader", "publisher");
        reconnect();
        assertAuth("tank", "abc123", "ldap");
        assertRoles("reader", "publisher");
    }

    @Test
    public void shouldBeAbleToAuthorizeUsingNativeWithLdapEnabled() throws Throwable {
        restartNeo4jServerWithOverriddenSettings(map -> {
            map.put(SecuritySettings.auth_providers, "ldap,native");
            map.put(SecuritySettings.native_authentication_enabled, "true");
            map.put(SecuritySettings.native_authorization_enabled, "true");
            map.put(SecuritySettings.ldap_authentication_enabled, "true");
            map.put(SecuritySettings.ldap_authorization_enabled, "true");
            map.put(SecuritySettings.ldap_authorization_use_system_account, "false");
        });
        testCreateReaderUser("simon");
        reconnect();
        assertAuth("simon", createdUserPassword, "native");
        assertReadSucceeds();
    }

    @Test
    public void shouldNotLogErrorsFromLdapRealmWhenLoginSuccessfulInNativeRealmAndNativeFirst() throws Throwable {
        restartNeo4jServerWithOverriddenSettings(map -> {
            map.put(SecuritySettings.auth_providers, "native,ldap");
            map.put(SecuritySettings.native_authentication_enabled, "true");
            map.put(SecuritySettings.native_authorization_enabled, "true");
            map.put(SecuritySettings.ldap_authentication_enabled, "true");
            map.put(SecuritySettings.ldap_authorization_enabled, "true");
            map.put(SecuritySettings.ldap_authorization_use_system_account, "true");
        });
        testCreateReaderUser("foo");
        reconnect();
        assertAuth("foo", createdUserPassword);
        assertSecurityLogDoesNotContain("ERROR");
    }

    @Test
    public void shouldNotLogErrorsFromLdapRealmWhenLoginSuccessfulInNativeRealmAndLdapFirst() throws Throwable {
        restartNeo4jServerWithOverriddenSettings(map -> {
            map.put(SecuritySettings.auth_providers, "ldap,native");
            map.put(SecuritySettings.native_authentication_enabled, "true");
            map.put(SecuritySettings.native_authorization_enabled, "true");
            map.put(SecuritySettings.ldap_authentication_enabled, "true");
            map.put(SecuritySettings.ldap_authorization_enabled, "true");
            map.put(SecuritySettings.ldap_authorization_use_system_account, "true");
        });
        testCreateReaderUser("foo");
        reconnect();
        assertAuth("foo", createdUserPassword);
        assertSecurityLogDoesNotContain("ERROR");
    }

    @Test
    public void shouldLogInvalidCredentialErrorFromLdapRealm() throws Throwable {
        assertAuthFail("neo", "wrong-password");
        assertSecurityLogContains(LDAP_ERROR_MESSAGE_INVALID_CREDENTIALS);
    }

    @Test
    public void shouldLogInvalidCredentialErrorFromLdapRealmWithMultipleRealmsFailingAndNativeFirst() throws Throwable {
        restartNeo4jServerWithOverriddenSettings(map -> {
            map.put(SecuritySettings.auth_providers, "native, ldap");
            map.put(SecuritySettings.native_authentication_enabled, "true");
            map.put(SecuritySettings.native_authorization_enabled, "true");
            map.put(SecuritySettings.ldap_authentication_enabled, "true");
            map.put(SecuritySettings.ldap_authorization_enabled, "true");
            map.put(SecuritySettings.ldap_authorization_use_system_account, "true");
        });
        testCreateReaderUser("foo");
        reconnect();
        assertAuthFail("foo", "wrong-password");
        assertSecurityLogContains(LDAP_ERROR_MESSAGE_INVALID_CREDENTIALS);
    }

    @Test
    public void shouldLogInvalidCredentialErrorFromLdapRealmWithMultipleRealmsFailingAndLdapFirst() throws Throwable {
        restartNeo4jServerWithOverriddenSettings(map -> {
            map.put(SecuritySettings.auth_providers, "ldap, native");
            map.put(SecuritySettings.native_authentication_enabled, "true");
            map.put(SecuritySettings.native_authorization_enabled, "true");
            map.put(SecuritySettings.ldap_authentication_enabled, "true");
            map.put(SecuritySettings.ldap_authorization_enabled, "true");
            map.put(SecuritySettings.ldap_authorization_use_system_account, "true");
        });
        testCreateReaderUser("foo");
        reconnect();
        assertAuthFail("foo", "wrong-password");
        assertSecurityLogContains(LDAP_ERROR_MESSAGE_INVALID_CREDENTIALS);
    }

    public void shouldLogConnectionTimeoutFromLdapRealm() throws Throwable {
        restartNeo4jServerWithOverriddenSettings(ldapOnlyAuthSettings.andThen(map -> {
            map.put(SecuritySettings.ldap_server, "ldap://192.0.2.0");
            map.put(SecuritySettings.ldap_connection_timeout, "1s");
        }));
        assertConnectionTimeout(authToken("neo", "abc123", null), "LDAP connection timed out.");
        assertSecurityLogContains("ERROR");
        assertSecurityLogContains(NON_ROUTABLE_IP);
    }

    public void shouldLogConnectionTimeoutFromLdapRealmWithMultipleRealms() throws Throwable {
        restartNeo4jServerWithOverriddenSettings(map -> {
            map.put(SecuritySettings.auth_providers, "native, ldap");
            map.put(SecuritySettings.native_authentication_enabled, "true");
            map.put(SecuritySettings.native_authorization_enabled, "true");
            map.put(SecuritySettings.ldap_authentication_enabled, "true");
            map.put(SecuritySettings.ldap_authorization_enabled, "true");
            map.put(SecuritySettings.ldap_authorization_use_system_account, "true");
            map.put(SecuritySettings.ldap_server, "ldap://192.0.2.0");
            map.put(SecuritySettings.ldap_connection_timeout, "1s");
        });
        assertAuthFail("neo", "abc123");
        assertSecurityLogContains("ERROR");
        assertSecurityLogContains("LDAP connection timed out");
        assertSecurityLogContains(NON_ROUTABLE_IP);
    }

    @Test
    public void shouldLogConnectionRefusedFromLdapRealm() throws Throwable {
        restartNeo4jServerWithOverriddenSettings(ldapOnlyAuthSettings.andThen(map -> {
        }));
        assertConnectionRefused(authToken("neo", "abc123", null), "LDAP connection refused.");
        assertSecurityLogContains("ERROR");
        assertSecurityLogContains("auth server connection refused");
        assertSecurityLogContains(REFUSED_IP);
    }

    @Test
    public void shouldLogConnectionRefusedFromLdapRealmWithMultipleRealms() throws Throwable {
        restartNeo4jServerWithOverriddenSettings(map -> {
            map.put(SecuritySettings.auth_providers, "native, ldap");
            map.put(SecuritySettings.native_authentication_enabled, "true");
            map.put(SecuritySettings.native_authorization_enabled, "true");
            map.put(SecuritySettings.ldap_authentication_enabled, "true");
            map.put(SecuritySettings.ldap_authorization_enabled, "true");
            map.put(SecuritySettings.ldap_authorization_use_system_account, "true");
            map.put(SecuritySettings.ldap_server, "ldap://127.0.0.1");
        });
        assertAuthFail("neo", "abc123");
        assertSecurityLogContains("ERROR");
        assertSecurityLogContains("LDAP connection refused");
        assertSecurityLogContains(REFUSED_IP);
    }

    @Test
    public void shouldClearAuthenticationCache() throws Throwable {
        getLdapServer().setConfidentialityRequired(true);
        EmbeddedTestCertificates embeddedTestCertificates = new EmbeddedTestCertificates();
        Throwable th = null;
        try {
            restartNeo4jServerWithOverriddenSettings(ldapOnlyAuthSettings.andThen(map -> {
            }));
            assertAuth("tank", "abc123", "ldap");
            changeLDAPPassword("tank", "abc123", "123abc");
            reconnect();
            assertAuthFail("tank", "123abc");
            reconnect();
            assertAuth("tank", "abc123", "ldap");
            reconnect();
            testClearAuthCache();
            reconnect();
            assertAuthFail("tank", "abc123");
            reconnect();
            assertAuth("tank", "123abc", "ldap");
            if (embeddedTestCertificates != null) {
                if (0 == 0) {
                    embeddedTestCertificates.close();
                    return;
                }
                try {
                    embeddedTestCertificates.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
        } catch (Throwable th3) {
            if (embeddedTestCertificates != null) {
                if (0 != 0) {
                    try {
                        embeddedTestCertificates.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    embeddedTestCertificates.close();
                }
            }
            throw th3;
        }
    }

    @Test
    public void shouldClearAuthorizationCache() throws Throwable {
        getLdapServer().setConfidentialityRequired(true);
        EmbeddedTestCertificates embeddedTestCertificates = new EmbeddedTestCertificates();
        Throwable th = null;
        try {
            restartNeo4jServerWithOverriddenSettings(ldapOnlyAuthSettings.andThen(map -> {
            }));
            assertAuth("tank", "abc123", "ldap");
            assertReadSucceeds();
            assertWriteSucceeds();
            changeLDAPGroup("tank", "abc123", "reader");
            reconnect();
            assertAuth("tank", "abc123", "ldap");
            assertReadSucceeds();
            assertWriteSucceeds();
            reconnect();
            testClearAuthCache();
            reconnect();
            assertAuth("tank", "abc123", "ldap");
            assertReadSucceeds();
            assertWriteFails("tank", "reader");
            if (embeddedTestCertificates != null) {
                if (0 == 0) {
                    embeddedTestCertificates.close();
                    return;
                }
                try {
                    embeddedTestCertificates.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
        } catch (Throwable th3) {
            if (embeddedTestCertificates != null) {
                if (0 != 0) {
                    try {
                        embeddedTestCertificates.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    embeddedTestCertificates.close();
                }
            }
            throw th3;
        }
    }

    private void clearAuthCacheFromDifferentConnection() throws Exception {
        TransportConnection transportConnection = (TransportConnection) this.cf.newInstance();
        transportConnection.connect(this.address).send(this.util.acceptedVersions(1L, 0L, 0L, 0L)).send(this.util.chunk(new RequestMessage[]{InitMessage.init("TestClient/1.1", authToken("neo4j", "abc123", null))}));
        MatcherAssert.assertThat(transportConnection, TransportTestUtil.eventuallyReceives(new byte[]{0, 0, 0, 1}));
        MatcherAssert.assertThat(transportConnection, this.util.eventuallyReceives(new Matcher[]{MessageMatchers.msgSuccess()}));
        transportConnection.send(this.util.chunk(new RequestMessage[]{RunMessage.run("CALL dbms.security.clearAuthCache()"), PullAllMessage.pullAll()}));
        MatcherAssert.assertThat(transportConnection, this.util.eventuallyReceives(new Matcher[]{MessageMatchers.msgSuccess(), MessageMatchers.msgSuccess()}));
    }

    private void assertLdapAuthorizationTimeout() throws IOException {
        this.client.send(this.util.chunk(new RequestMessage[]{RunMessage.run("MATCH (n) RETURN n"), PullAllMessage.pullAll()}));
        MatcherAssert.assertThat(this.client, this.util.eventuallyReceives(new Matcher[]{MessageMatchers.msgFailure(Status.Security.AuthProviderTimeout, "LDAP response timed out.")}));
        MatcherAssert.assertThat(this.client, TransportTestUtil.eventuallyDisconnects());
    }

    private void assertLdapAuthorizationFailed() throws IOException {
        this.client.send(this.util.chunk(new RequestMessage[]{RunMessage.run("MATCH (n) RETURN n"), PullAllMessage.pullAll()}));
        MatcherAssert.assertThat(this.client, this.util.eventuallyReceives(new Matcher[]{MessageMatchers.msgFailure(Status.Security.AuthProviderFailed, "LDAP authorization request failed.")}));
        MatcherAssert.assertThat(this.client, TransportTestUtil.eventuallyDisconnects());
    }

    private void assertConnectionTimeout(Map<String, Object> map, String str) throws Exception {
        this.client.connect(this.address).send(this.util.acceptedVersions(1L, 0L, 0L, 0L)).send(this.util.chunk(new RequestMessage[]{InitMessage.init("TestClient/1.1", map)}));
        MatcherAssert.assertThat(this.client, TransportTestUtil.eventuallyReceives(new byte[]{0, 0, 0, 1}));
        MatcherAssert.assertThat(this.client, this.util.eventuallyReceives(new Matcher[]{MessageMatchers.msgFailure(Status.Security.AuthProviderTimeout, str)}));
        MatcherAssert.assertThat(this.client, TransportTestUtil.eventuallyDisconnects());
    }

    private void assertConnectionRefused(Map<String, Object> map, String str) throws Exception {
        this.client.connect(this.address).send(this.util.acceptedVersions(1L, 0L, 0L, 0L)).send(this.util.chunk(new RequestMessage[]{InitMessage.init("TestClient/1.1", map)}));
        MatcherAssert.assertThat(this.client, TransportTestUtil.eventuallyReceives(new byte[]{0, 0, 0, 1}));
        MatcherAssert.assertThat(this.client, this.util.eventuallyReceives(new Matcher[]{MessageMatchers.msgFailure(Status.Security.AuthProviderFailed, str)}));
        MatcherAssert.assertThat(this.client, TransportTestUtil.eventuallyDisconnects());
    }

    private void testClearAuthCache() throws Exception {
        assertAuth("neo4j", "abc123");
        this.client.send(this.util.chunk(new RequestMessage[]{RunMessage.run("CALL dbms.security.clearAuthCache()"), PullAllMessage.pullAll()}));
        MatcherAssert.assertThat(this.client, this.util.eventuallyReceives(new Matcher[]{MessageMatchers.msgSuccess(), MessageMatchers.msgSuccess()}));
    }

    private void restartServerWithoutSystemAccount() {
        restartNeo4jServerWithOverriddenSettings(map -> {
        });
    }

    private void assertSecurityLogContains(String str) throws IOException {
        Reader openAsReader = this.server.getFileSystem().openAsReader(new File(this.server.getWorkingDirectory(), "storeDir/logs/security.log"), Charset.forName("UTF-8"));
        BufferedReader bufferedReader = new BufferedReader(openAsReader);
        boolean z = false;
        while (true) {
            String readLine = bufferedReader.readLine();
            if (readLine == null) {
                bufferedReader.close();
                openAsReader.close();
                MatcherAssert.assertThat("Security log should contain message '" + str + "'", z);
                return;
            } else if (readLine.contains(str)) {
                z = true;
            }
        }
    }

    private void assertSecurityLogDoesNotContain(String str) throws IOException {
        Reader openAsReader = this.server.getFileSystem().openAsReader(new File(this.server.getWorkingDirectory(), "storeDir/logs/security.log"), Charset.forName("UTF-8"));
        BufferedReader bufferedReader = new BufferedReader(openAsReader);
        while (true) {
            String readLine = bufferedReader.readLine();
            if (readLine == null) {
                bufferedReader.close();
                openAsReader.close();
                return;
            }
            MatcherAssert.assertThat("Security log should not contain message '" + str + "'", !readLine.contains(str));
        }
    }

    private void modifyLDAPAttribute(String str, Object obj, String str2, Object obj2) throws Throwable {
        String format = String.format("cn=%s,ou=users,dc=example,dc=com", str);
        String format2 = String.format("cn=%s,ou=users,dc=example,dc=com", str);
        JndiLdapContextFactory jndiLdapContextFactory = new JndiLdapContextFactory();
        jndiLdapContextFactory.setUrl("ldaps://localhost:10636");
        LdapContext ldapContext = jndiLdapContextFactory.getLdapContext(format2, obj);
        ldapContext.modifyAttributes(format, new ModificationItem[]{new ModificationItem(2, new BasicAttribute(str2, obj2))});
        ldapContext.close();
    }

    private void changeLDAPPassword(String str, Object obj, Object obj2) throws Throwable {
        modifyLDAPAttribute(str, obj, "userpassword", obj2);
    }

    private void changeLDAPGroup(String str, Object obj, String str2) throws Throwable {
        Object obj2;
        boolean z = -1;
        switch (str2.hashCode()) {
            case -1665999883:
                if (str2.equals("architect")) {
                    z = 2;
                    break;
                }
                break;
            case -934979389:
                if (str2.equals("reader")) {
                    z = false;
                    break;
                }
                break;
            case 3387192:
                if (str2.equals("none")) {
                    z = 4;
                    break;
                }
                break;
            case 92668751:
                if (str2.equals("admin")) {
                    z = 3;
                    break;
                }
                break;
            case 1447404028:
                if (str2.equals("publisher")) {
                    z = true;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                obj2 = "500";
                break;
            case true:
                obj2 = "501";
                break;
            case true:
                obj2 = "502";
                break;
            case true:
                obj2 = "503";
                break;
            case true:
                obj2 = "504";
                break;
            default:
                throw new IllegalArgumentException("Invalid group name '" + str2 + "', expected one of none, reader, publisher, architect, or admin");
        }
        modifyLDAPAttribute(str, obj, "gidnumber", obj2);
    }
}
