package org.neo4j.server.security.enterprise.auth;

import java.time.Duration;
import java.util.Arrays;
import java.util.Collections;
import org.hamcrest.MatcherAssert;
import org.hamcrest.Matchers;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.ExpectedException;
import org.mockito.ArgumentMatchers;
import org.mockito.Mockito;
import org.neo4j.graphdb.factory.GraphDatabaseSettings;
import org.neo4j.io.fs.FileSystemAbstraction;
import org.neo4j.kernel.configuration.Config;
import org.neo4j.logging.Log;
import org.neo4j.logging.LogProvider;
import org.neo4j.scheduler.JobScheduler;
import org.neo4j.server.security.enterprise.auth.EnterpriseSecurityModule;
import org.neo4j.server.security.enterprise.configuration.SecuritySettings;
import org.neo4j.server.security.enterprise.log.SecurityLog;

/* loaded from: input_file:org/neo4j/server/security/enterprise/auth/EnterpriseSecurityModuleTest.class */
/**
 * Configuration-validation tests for {@link EnterpriseSecurityModule}.
 *
 * <p>Each test stubs a mocked {@link Config} with a combination of auth-provider settings and
 * then asks the module for an auth manager. The negative cases pin the exact
 * {@link IllegalArgumentException} message, so an invalid security configuration is rejected
 * when the auth manager is built instead of being accepted silently.
 */
public class EnterpriseSecurityModuleTest {

    @Rule
    public ExpectedException thrown = ExpectedException.none();
    private Config config;
    private LogProvider mockLogProvider;

    /**
     * Builds the mocked configuration and log provider shared by every test.
     *
     * <p>Defaults stubbed here: property-level authorization off, auth cache with zero TTL and a
     * capacity of 10, successful-authentication logging off, 3 allowed failed attempts and a
     * 5 second lock time. Individual tests override what they need.
     */
    @Before
    public void setup() {
        config = Mockito.mock(Config.class);
        mockLogProvider = Mockito.mock(LogProvider.class);

        // Every requested log name resolves to the same debug-enabled mock.
        Log debugLog = Mockito.mock(Log.class);
        Mockito.when(mockLogProvider.getLog(ArgumentMatchers.anyString())).thenReturn(debugLog);
        Mockito.when(debugLog.isDebugEnabled()).thenReturn(true);

        Mockito.when(config.get(SecuritySettings.property_level_authorization_enabled)).thenReturn(false);
        Mockito.when(config.get(SecuritySettings.auth_cache_ttl)).thenReturn(Duration.ZERO);
        Mockito.when(config.get(SecuritySettings.auth_cache_max_capacity)).thenReturn(10);
        Mockito.when(config.get(SecuritySettings.auth_cache_use_ttl)).thenReturn(true);
        Mockito.when(config.get(SecuritySettings.security_log_successful_authentication)).thenReturn(false);
        Mockito.when(config.get(GraphDatabaseSettings.auth_max_failed_attempts)).thenReturn(3);
        Mockito.when(config.get(GraphDatabaseSettings.auth_lock_time)).thenReturn(Duration.ofSeconds(5L));
    }

    /** A provider list holding only an unknown realm name must be rejected, even with native and LDAP enabled. */
    @Test
    public void shouldFailOnIllegalRealmNameConfiguration() {
        nativeAuth(true, true);
        ldapAuth(true, true);
        pluginAuth(false, false);
        authProviders("this-realm-does-not-exist");

        expectIllegalConfiguration("Illegal configuration: No valid auth provider is active.");
        buildAuthManager();
    }

    /** With authentication switched off for every provider the module must refuse to start. */
    @Test
    public void shouldFailOnNoAuthenticationMechanism() {
        nativeAuth(false, true);
        ldapAuth(false, false);
        pluginAuth(false, false);
        authProviders("native");

        expectIllegalConfiguration("Illegal configuration: All authentication providers are disabled.");
        buildAuthManager();
    }

    /** Authentication without any authorization provider is rejected as well. */
    @Test
    public void shouldFailOnNoAuthorizationMechanism() {
        nativeAuth(true, false);
        ldapAuth(false, false);
        pluginAuth(false, false);
        authProviders("native");

        expectIllegalConfiguration("Illegal configuration: All authorization providers are disabled.");
        buildAuthManager();
    }

    /** Listing the native provider while both of its switches are off is an error, even though plugin auth is on. */
    @Test
    public void shouldFailOnIllegalAdvancedRealmConfiguration() {
        nativeAuth(false, false);
        ldapAuth(false, false);
        pluginAuth(true, true);
        authProviders("native", "ldap");

        expectIllegalConfiguration(
                "Illegal configuration: Native auth provider configured, but both authentication and authorization are disabled.");
        buildAuthManager();
    }

    /** A configured plugin provider that cannot be loaded is named in the failure message. */
    @Test
    public void shouldFailOnNotLoadedPluginAuthProvider() {
        nativeAuth(false, false);
        ldapAuth(false, false);
        pluginAuth(true, true);
        authProviders("plugin-TestAuthenticationPlugin", "plugin-IllConfiguredAuthorizationPlugin");

        expectIllegalConfiguration(
                "Illegal configuration: Failed to load auth plugin 'plugin-IllConfiguredAuthorizationPlugin'.");
        buildAuthManager();
    }

    /** Native auth combined with an authorization plugin is accepted; the test passes if nothing is thrown. */
    @Test
    public void shouldNotFailNativeWithPluginAuthorizationProvider() {
        nativeAuth(true, true);
        ldapAuth(false, false);
        pluginAuth(true, true);
        authProviders("native", "plugin-TestAuthorizationPlugin");

        buildAuthManager();
    }

    /** A well-formed {@code key=value} permissions mapping is accepted; the test passes if nothing is thrown. */
    @Test
    public void shouldNotFailWithPropertyLevelPermissions() {
        nativeAuth(true, true);
        ldapAuth(false, false);
        pluginAuth(false, false);
        authProviders("native");
        Mockito.when(config.get(SecuritySettings.property_level_authorization_enabled)).thenReturn(true);
        Mockito.when(config.get(SecuritySettings.property_level_authorization_permissions)).thenReturn("smith=alias");

        buildAuthManager();
    }

    /** A permissions mapping without a {@code '='} separator is rejected when property-level authorization is on. */
    @Test
    public void shouldFailOnIllegalPropertyLevelPermissions() {
        nativeAuth(true, true);
        ldapAuth(false, false);
        pluginAuth(false, false);
        authProviders("native");
        Mockito.when(config.get(SecuritySettings.property_level_authorization_enabled)).thenReturn(true);
        Mockito.when(config.get(SecuritySettings.property_level_authorization_permissions)).thenReturn("smithmalias");

        expectIllegalConfiguration(
                "Illegal configuration: Property level authorization is enabled but there is a error in the permissions mapping.");
        buildAuthManager();
    }

    /**
     * Checks how the permissions string is split into the property blacklist.
     *
     * <p>The input separates entries with {@code ';'}, keys from values with {@code '='} and
     * values with {@code ','}, and mixes in spaces, tabs and a newline; the assertions show that
     * this whitespace does not end up in the parsed keys or values.
     */
    @Test
    public void shouldParsePropertyLevelPermissions() {
        nativeAuth(true, true);
        ldapAuth(false, false);
        pluginAuth(false, false);
        authProviders("native");
        Mockito.when(config.get(SecuritySettings.property_level_authorization_enabled)).thenReturn(true);
        Mockito.when(config.get(SecuritySettings.property_level_authorization_permissions))
                .thenReturn("smith = alias;merovingian=alias ,location;\n abel=alias,\t\thasSilver");

        EnterpriseSecurityModule.SecurityConfig parsed = new EnterpriseSecurityModule.SecurityConfig(config);
        parsed.validate();

        MatcherAssert.assertThat(
                parsed.propertyBlacklist.get("smith"),
                Matchers.equalTo(Collections.singletonList("alias")));
        MatcherAssert.assertThat(
                parsed.propertyBlacklist.get("merovingian"),
                Matchers.equalTo(Arrays.asList("alias", "location")));
        MatcherAssert.assertThat(
                parsed.propertyBlacklist.get("abel"),
                Matchers.equalTo(Arrays.asList("alias", "hasSilver")));
    }

    /**
     * Asks a fresh module for an auth manager using the stubbed configuration.
     *
     * <p>The file system and job scheduler are passed as {@code null}; the typed locals keep the
     * argument types explicit at the call site.
     */
    private void buildAuthManager() {
        SecurityLog securityLog = Mockito.mock(SecurityLog.class);
        FileSystemAbstraction noFileSystem = null;
        JobScheduler noScheduler = null;
        new EnterpriseSecurityModule().newAuthManager(config, mockLogProvider, securityLog, noFileSystem, noScheduler);
    }

    /** Registers the expectation that the code which follows throws {@link IllegalArgumentException} with {@code message}. */
    private void expectIllegalConfiguration(String message) {
        thrown.expect(IllegalArgumentException.class);
        thrown.expectMessage(message);
    }

    /** Stubs the native provider's authentication and authorization switches. */
    private void nativeAuth(boolean authenticationEnabled, boolean authorizationEnabled) {
        Mockito.when(config.get(SecuritySettings.native_authentication_enabled)).thenReturn(authenticationEnabled);
        Mockito.when(config.get(SecuritySettings.native_authorization_enabled)).thenReturn(authorizationEnabled);
    }

    /** Stubs the LDAP provider's authentication and authorization switches. */
    private void ldapAuth(boolean authenticationEnabled, boolean authorizationEnabled) {
        Mockito.when(config.get(SecuritySettings.ldap_authentication_enabled)).thenReturn(authenticationEnabled);
        Mockito.when(config.get(SecuritySettings.ldap_authorization_enabled)).thenReturn(authorizationEnabled);
    }

    /** Stubs the plugin provider's authentication and authorization switches. */
    private void pluginAuth(boolean authenticationEnabled, boolean authorizationEnabled) {
        Mockito.when(config.get(SecuritySettings.plugin_authentication_enabled)).thenReturn(authenticationEnabled);
        Mockito.when(config.get(SecuritySettings.plugin_authorization_enabled)).thenReturn(authorizationEnabled);
    }

    /** Stubs the list of configured auth provider names, in the order given. */
    private void authProviders(String... providerNames) {
        Mockito.when(config.get(SecuritySettings.auth_providers)).thenReturn(Arrays.asList(providerNames));
    }
}
