package org.neo4j.server.security.enterprise.auth.integration.bolt;

import java.util.LinkedHashMap;
import java.util.Map;
import java.util.function.Consumer;
import org.hamcrest.Matcher;
import org.hamcrest.MatcherAssert;
import org.junit.After;
import org.junit.Before;
import org.junit.Ignore;
import org.junit.Rule;
import org.junit.Test;
import org.neo4j.bolt.v1.messaging.Neo4jPackV1;
import org.neo4j.bolt.v1.messaging.message.InitMessage;
import org.neo4j.bolt.v1.messaging.message.PullAllMessage;
import org.neo4j.bolt.v1.messaging.message.RequestMessage;
import org.neo4j.bolt.v1.messaging.message.RunMessage;
import org.neo4j.bolt.v1.messaging.util.MessageMatchers;
import org.neo4j.bolt.v1.transport.integration.Neo4jWithSocket;
import org.neo4j.bolt.v1.transport.integration.TransportTestUtil;
import org.neo4j.bolt.v1.transport.socket.client.SecureSocketConnection;
import org.neo4j.bolt.v1.transport.socket.client.TransportConnection;
import org.neo4j.function.Factory;
import org.neo4j.graphdb.config.Setting;
import org.neo4j.graphdb.factory.GraphDatabaseSettings;
import org.neo4j.helpers.HostnamePort;
import org.neo4j.helpers.collection.MapUtil;
import org.neo4j.kernel.api.exceptions.Status;
import org.neo4j.server.security.enterprise.configuration.SecuritySettings;
import org.neo4j.test.TestEnterpriseGraphDatabaseFactory;
import org.neo4j.test.TestGraphDatabaseFactory;

@Ignore
/* loaded from: input_file:org/neo4j/server/security/enterprise/auth/integration/bolt/ActiveDirectoryAuthenticationIT.class */
public class ActiveDirectoryAuthenticationIT {

    @Rule
    public Neo4jWithSocket server = new Neo4jWithSocket(getClass(), getTestGraphDatabaseFactory(), asSettings(getSettingsFunction()));
    private Consumer<Map<Setting<?>, String>> useSystemAccountSettings = map -> {
        map.put(SecuritySettings.ldap_authorization_use_system_account, "true");
        map.put(SecuritySettings.ldap_authorization_system_username, "Neo4j System");
        map.put(SecuritySettings.ldap_authorization_system_password, "ProudListingsMedia1");
    };
    public Factory<TransportConnection> cf = SecureSocketConnection::new;
    private HostnamePort address;
    private TransportConnection client;
    private TransportTestUtil util;

    private void restartNeo4jServerWithOverriddenSettings(Consumer<Map<Setting<?>, String>> consumer) {
        this.server.shutdownDatabase();
        this.server.ensureDatabase(asSettings(consumer));
    }

    private Consumer<Map<String, String>> asSettings(Consumer<Map<Setting<?>, String>> consumer) {
        return map -> {
            LinkedHashMap linkedHashMap = new LinkedHashMap();
            consumer.accept(linkedHashMap);
            for (Setting setting : linkedHashMap.keySet()) {
                map.put(setting.name(), linkedHashMap.get(setting));
            }
        };
    }

    protected TestGraphDatabaseFactory getTestGraphDatabaseFactory() {
        return new TestEnterpriseGraphDatabaseFactory();
    }

    protected Consumer<Map<Setting<?>, String>> getSettingsFunction() {
        return map -> {
            map.put(GraphDatabaseSettings.auth_enabled, "true");
            map.put(SecuritySettings.auth_provider, "ldap");
            map.put(SecuritySettings.ldap_server, "activedirectory.neohq.net");
            map.put(SecuritySettings.ldap_authentication_user_dn_template, "CN={0},CN=Users,DC=neo4j,DC=com");
            map.put(SecuritySettings.ldap_authorization_use_system_account, "false");
            map.put(SecuritySettings.ldap_authorization_user_search_base, "cn=Users,dc=neo4j,dc=com");
            map.put(SecuritySettings.ldap_authorization_user_search_filter, "(&(objectClass=*)(CN={0}))");
            map.put(SecuritySettings.ldap_authorization_group_membership_attribute_names, "memberOf");
            map.put(SecuritySettings.ldap_authorization_group_to_role_mapping, "'CN=Neo4j Read Only,CN=Users,DC=neo4j,DC=com'=reader;CN=Neo4j Read-Write,CN=Users,DC=neo4j,DC=com=publisher;CN=Neo4j Schema Manager,CN=Users,DC=neo4j,DC=com=architect;CN=Neo4j Administrator,CN=Users,DC=neo4j,DC=com=admin");
        };
    }

    @Before
    public void setup() {
        this.client = (TransportConnection) this.cf.newInstance();
        this.address = this.server.lookupDefaultConnector();
        this.util = new TransportTestUtil(new Neo4jPackV1());
    }

    @After
    public void teardown() throws Exception {
        if (this.client != null) {
            this.client.disconnect();
        }
    }

    @Test
    public void shouldNotBeAbleToLoginUnknownUserOnEC2() throws Throwable {
        assertAuthFail("unknown", "ProudListingsMedia1");
    }

    @Test
    public void shouldBeAbleToLoginAndAuthorizeReaderWithUserLdapContextOnEC2() throws Throwable {
        assertAuth("neo", "ProudListingsMedia1");
        assertReadSucceeds();
        assertWriteFails("'neo' with roles [reader]");
    }

    @Test
    public void shouldBeAbleToLoginAndAuthorizeReaderOnEC2() throws Throwable {
        restartNeo4jServerWithOverriddenSettings(this.useSystemAccountSettings);
        assertAuth("neo", "ProudListingsMedia1");
        assertReadSucceeds();
        assertWriteFails("'neo' with roles [reader]");
    }

    @Test
    public void shouldBeAbleToLoginAndAuthorizePublisherWithUserLdapContextOnEC2() throws Throwable {
        assertAuth("tank", "ProudListingsMedia1");
        assertWriteSucceeds();
    }

    @Test
    public void shouldBeAbleToLoginAndAuthorizePublisherOnEC2() throws Throwable {
        restartNeo4jServerWithOverriddenSettings(this.useSystemAccountSettings);
        assertAuth("tank", "ProudListingsMedia1");
        assertWriteSucceeds();
    }

    @Test
    public void shouldBeAbleToLoginAndAuthorizeNoPermissionUserWithUserLdapContextOnEC2() throws Throwable {
        assertAuth("smith", "ProudListingsMedia1");
        assertReadFails("'smith' with no roles");
    }

    @Test
    public void shouldBeAbleToLoginAndAuthorizeNoPermissionUserOnEC2() throws Throwable {
        restartNeo4jServerWithOverriddenSettings(this.useSystemAccountSettings);
        assertAuth("smith", "ProudListingsMedia1");
        assertReadFails("'smith' with no roles");
    }

    @Test
    public void shouldBeAbleToLoginAndAuthorizeReaderUsingLdapsOnEC2() throws Throwable {
        restartNeo4jServerWithOverriddenSettings(this.useSystemAccountSettings.andThen(map -> {
        }));
        assertAuth("neo", "ProudListingsMedia1");
        assertReadSucceeds();
        assertWriteFails("'neo' with roles [reader]");
    }

    @Test
    public void shouldBeAbleToLoginAndAuthorizeReaderWithUserLdapContextUsingLDAPSOnEC2() throws Throwable {
        restartNeo4jServerWithOverriddenSettings(map -> {
        });
        assertAuth("neo", "ProudListingsMedia1");
        assertReadSucceeds();
        assertWriteFails("'neo' with roles [reader]");
    }

    @Test
    public void shouldBeAbleToLoginAndAuthorizeReaderUsingStartTlsOnEC2() throws Throwable {
        restartNeo4jServerWithOverriddenSettings(this.useSystemAccountSettings.andThen(map -> {
        }));
        assertAuth("neo", "ProudListingsMedia1");
        assertReadSucceeds();
        assertWriteFails("'neo' with roles [reader]");
    }

    @Test
    public void shouldBeAbleToLoginAndAuthorizeReaderWithUserLdapContextUsingStartTlsOnEC2() throws Throwable {
        restartNeo4jServerWithOverriddenSettings(map -> {
        });
        assertAuth("neo", "ProudListingsMedia1");
        assertReadSucceeds();
        assertWriteFails("'neo' with roles [reader]");
    }

    @Test
    public void shouldBeAbleToAccessEC2ActiveDirectoryInstance() throws Throwable {
        restartNeo4jServerWithOverriddenSettings(map -> {
        });
        assertAuth("tank", "ProudListingsMedia1");
        assertReadSucceeds();
        assertWriteSucceeds();
    }

    private void assertAuth(String str, String str2) throws Exception {
        assertAuth(str, str2, null);
    }

    private void assertAuth(String str, String str2, String str3) throws Exception {
        this.client.connect(this.address).send(this.util.acceptedVersions(1L, 0L, 0L, 0L)).send(this.util.chunk(new RequestMessage[]{InitMessage.init("TestClient/1.1", authToken(str, str2, str3))}));
        MatcherAssert.assertThat(this.client, TransportTestUtil.eventuallyReceives(new byte[]{0, 0, 0, 1}));
        MatcherAssert.assertThat(this.client, this.util.eventuallyReceives(new Matcher[]{MessageMatchers.msgSuccess()}));
    }

    private Map<String, Object> authToken(String str, String str2, String str3) {
        return (str3 == null || str3.length() <= 0) ? MapUtil.map(new Object[]{"principal", str, "credentials", str2, "scheme", "basic"}) : MapUtil.map(new Object[]{"principal", str, "credentials", str2, "scheme", "basic", "realm", str3});
    }

    private void assertAuthFail(String str, String str2) throws Exception {
        this.client.connect(this.address).send(this.util.acceptedVersions(1L, 0L, 0L, 0L)).send(this.util.chunk(new RequestMessage[]{InitMessage.init("TestClient/1.1", MapUtil.map(new Object[]{"principal", str, "credentials", str2, "scheme", "basic"}))}));
        MatcherAssert.assertThat(this.client, TransportTestUtil.eventuallyReceives(new byte[]{0, 0, 0, 1}));
        MatcherAssert.assertThat(this.client, this.util.eventuallyReceives(new Matcher[]{MessageMatchers.msgFailure(Status.Security.Unauthorized, "The client is unauthorized due to authentication failure.")}));
    }

    protected void assertReadSucceeds() throws Exception {
        this.client.send(this.util.chunk(new RequestMessage[]{RunMessage.run("MATCH (n) RETURN n"), PullAllMessage.pullAll()}));
        MatcherAssert.assertThat(this.client, this.util.eventuallyReceives(new Matcher[]{MessageMatchers.msgSuccess(), MessageMatchers.msgSuccess()}));
    }

    protected void assertReadFails(String str) throws Exception {
        this.client.send(this.util.chunk(new RequestMessage[]{RunMessage.run("MATCH (n) RETURN n"), PullAllMessage.pullAll()}));
        MatcherAssert.assertThat(this.client, this.util.eventuallyReceives(new Matcher[]{MessageMatchers.msgFailure(Status.Security.Forbidden, String.format("Read operations are not allowed for user %s.", str))}));
    }

    protected void assertWriteSucceeds() throws Exception {
        this.client.send(this.util.chunk(new RequestMessage[]{RunMessage.run("CREATE ()"), PullAllMessage.pullAll()}));
        MatcherAssert.assertThat(this.client, this.util.eventuallyReceives(new Matcher[]{MessageMatchers.msgSuccess(), MessageMatchers.msgSuccess()}));
    }

    protected void assertWriteFails(String str) throws Exception {
        this.client.send(this.util.chunk(new RequestMessage[]{RunMessage.run("CREATE ()"), PullAllMessage.pullAll()}));
        MatcherAssert.assertThat(this.client, this.util.eventuallyReceives(new Matcher[]{MessageMatchers.msgFailure(Status.Security.Forbidden, String.format("Write operations are not allowed for user %s.", str))}));
    }
}
