package org.neo4j.server.security.enterprise.auth;

import java.time.Duration;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.TreeSet;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapContext;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.SimpleAuthenticationInfo;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.authz.SimpleAuthorizationInfo;
import org.apache.shiro.realm.ldap.JndiLdapContextFactory;
import org.apache.shiro.realm.ldap.LdapContextFactory;
import org.apache.shiro.subject.PrincipalCollection;
import org.apache.shiro.subject.SimplePrincipalCollection;
import org.hamcrest.CoreMatchers;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.ExpectedException;
import org.mockito.ArgumentMatchers;
import org.mockito.Mockito;
import org.mockito.internal.matchers.Any;
import org.neo4j.helpers.collection.MapUtil;
import org.neo4j.kernel.configuration.Config;
import org.neo4j.server.security.enterprise.configuration.SecuritySettings;
import org.neo4j.server.security.enterprise.log.SecurityLog;

/* loaded from: input_file:org/neo4j/server/security/enterprise/auth/LdapRealmTest.class */
public class LdapRealmTest {
    Config config = (Config) Mockito.mock(Config.class);
    private SecurityLog securityLog = (SecurityLog) Mockito.mock(SecurityLog.class);
    private SecureHasher secureHasher = new SecureHasher();

    @Rule
    public ExpectedException expectedException = ExpectedException.none();

    /* loaded from: input_file:org/neo4j/server/security/enterprise/auth/LdapRealmTest$TestLdapRealm.class */
    private class TestLdapRealm extends LdapRealm {
        private boolean failAuth;

        TestLdapRealm(Config config, SecurityLog securityLog, boolean z) {
            super(config, securityLog, LdapRealmTest.this.secureHasher);
            this.failAuth = z;
        }

        protected AuthenticationInfo queryForAuthenticationInfoUsingStartTls(AuthenticationToken authenticationToken, LdapContextFactory ldapContextFactory) throws NamingException {
            if (this.failAuth) {
                throw new NamingException("Simulated failure");
            }
            return new SimpleAuthenticationInfo("olivia", "123", "basic");
        }

        protected AuthorizationInfo queryForAuthorizationInfo(PrincipalCollection principalCollection, LdapContextFactory ldapContextFactory) throws NamingException {
            if (this.failAuth) {
                throw new NamingException("Simulated failure");
            }
            return new SimpleAuthorizationInfo();
        }
    }

    @Before
    public void setUp() {
        Mockito.when(this.config.get(SecuritySettings.ldap_authorization_user_search_base)).thenReturn("dc=example,dc=com");
        Mockito.when(this.config.get(SecuritySettings.ldap_authorization_group_membership_attribute_names)).thenReturn(Collections.singletonList("memberOf"));
        Mockito.when(this.config.get(SecuritySettings.ldap_authentication_enabled)).thenReturn(true);
        Mockito.when(this.config.get(SecuritySettings.ldap_authorization_enabled)).thenReturn(true);
        Mockito.when(this.config.get(SecuritySettings.ldap_authentication_cache_enabled)).thenReturn(false);
        Mockito.when(this.config.get(SecuritySettings.ldap_connection_timeout)).thenReturn(Duration.ofSeconds(1L));
        Mockito.when(this.config.get(SecuritySettings.ldap_read_timeout)).thenReturn(Duration.ofSeconds(1L));
        Mockito.when(this.config.get(SecuritySettings.ldap_authorization_connection_pooling)).thenReturn(true);
        Mockito.when(this.config.get(SecuritySettings.ldap_authentication_use_samaccountname)).thenReturn(false);
    }

    @Test
    public void groupToRoleMappingShouldBeAbleToBeNull() {
        Mockito.when(this.config.get(SecuritySettings.ldap_authorization_group_to_role_mapping)).thenReturn((Object) null);
        new LdapRealm(this.config, this.securityLog, this.secureHasher);
    }

    @Test
    public void groupToRoleMappingShouldBeAbleToBeEmpty() {
        Mockito.when(this.config.get(SecuritySettings.ldap_authorization_group_to_role_mapping)).thenReturn("");
        new LdapRealm(this.config, this.securityLog, this.secureHasher);
    }

    @Test
    public void groupToRoleMappingShouldBeAbleToHaveMultipleRoles() {
        Mockito.when(this.config.get(SecuritySettings.ldap_authorization_group_to_role_mapping)).thenReturn("group=role1,role2,role3");
        LdapRealm ldapRealm = new LdapRealm(this.config, this.securityLog, this.secureHasher);
        Assert.assertThat(ldapRealm.getGroupToRoleMapping().get("group"), CoreMatchers.equalTo(Arrays.asList("role1", "role2", "role3")));
        Assert.assertThat(Integer.valueOf(ldapRealm.getGroupToRoleMapping().size()), CoreMatchers.equalTo(1));
    }

    @Test
    public void groupToRoleMappingShouldBeAbleToHaveMultipleGroups() {
        Mockito.when(this.config.get(SecuritySettings.ldap_authorization_group_to_role_mapping)).thenReturn("group1=role1;group2=role2,role3;group3=role4");
        LdapRealm ldapRealm = new LdapRealm(this.config, this.securityLog, this.secureHasher);
        Assert.assertThat(ldapRealm.getGroupToRoleMapping().keySet(), CoreMatchers.equalTo(new TreeSet(Arrays.asList("group1", "group2", "group3"))));
        Assert.assertThat(ldapRealm.getGroupToRoleMapping().get("group1"), CoreMatchers.equalTo(Collections.singletonList("role1")));
        Assert.assertThat(ldapRealm.getGroupToRoleMapping().get("group2"), CoreMatchers.equalTo(Arrays.asList("role2", "role3")));
        Assert.assertThat(ldapRealm.getGroupToRoleMapping().get("group3"), CoreMatchers.equalTo(Collections.singletonList("role4")));
        Assert.assertThat(Integer.valueOf(ldapRealm.getGroupToRoleMapping().size()), CoreMatchers.equalTo(3));
    }

    @Test
    public void groupToRoleMappingShouldBeAbleToHaveQuotedKeysAndWhitespaces() {
        Mockito.when(this.config.get(SecuritySettings.ldap_authorization_group_to_role_mapping)).thenReturn("'group1' = role1;\t \"group2\"\n=\t role2,role3 ;  gr oup3= role4\n ;'group4 '= ; g =r");
        LdapRealm ldapRealm = new LdapRealm(this.config, this.securityLog, this.secureHasher);
        Assert.assertThat(ldapRealm.getGroupToRoleMapping().keySet(), CoreMatchers.equalTo(new TreeSet(Arrays.asList("group1", "group2", "gr oup3", "group4 ", "g"))));
        Assert.assertThat(ldapRealm.getGroupToRoleMapping().get("group1"), CoreMatchers.equalTo(Collections.singletonList("role1")));
        Assert.assertThat(ldapRealm.getGroupToRoleMapping().get("group2"), CoreMatchers.equalTo(Arrays.asList("role2", "role3")));
        Assert.assertThat(ldapRealm.getGroupToRoleMapping().get("gr oup3"), CoreMatchers.equalTo(Collections.singletonList("role4")));
        Assert.assertThat(ldapRealm.getGroupToRoleMapping().get("group4 "), CoreMatchers.equalTo(Collections.emptyList()));
        Assert.assertThat(ldapRealm.getGroupToRoleMapping().get("g"), CoreMatchers.equalTo(Collections.singletonList("r")));
        Assert.assertThat(Integer.valueOf(ldapRealm.getGroupToRoleMapping().size()), CoreMatchers.equalTo(5));
    }

    @Test
    public void groupToRoleMappingShouldBeAbleToHaveTrailingSemicolons() {
        Mockito.when(this.config.get(SecuritySettings.ldap_authorization_group_to_role_mapping)).thenReturn("group=role;;");
        LdapRealm ldapRealm = new LdapRealm(this.config, this.securityLog, this.secureHasher);
        Assert.assertThat(ldapRealm.getGroupToRoleMapping().get("group"), CoreMatchers.equalTo(Collections.singletonList("role")));
        Assert.assertThat(Integer.valueOf(ldapRealm.getGroupToRoleMapping().size()), CoreMatchers.equalTo(1));
    }

    @Test
    public void groupToRoleMappingShouldBeAbleToHaveTrailingCommas() {
        Mockito.when(this.config.get(SecuritySettings.ldap_authorization_group_to_role_mapping)).thenReturn("group=role1,role2,role3,,,");
        LdapRealm ldapRealm = new LdapRealm(this.config, this.securityLog, this.secureHasher);
        Assert.assertThat(ldapRealm.getGroupToRoleMapping().keySet(), CoreMatchers.equalTo(Stream.of("group").collect(Collectors.toSet())));
        Assert.assertThat(ldapRealm.getGroupToRoleMapping().get("group"), CoreMatchers.equalTo(Arrays.asList("role1", "role2", "role3")));
        Assert.assertThat(Integer.valueOf(ldapRealm.getGroupToRoleMapping().size()), CoreMatchers.equalTo(1));
    }

    @Test
    public void groupToRoleMappingShouldBeAbleToHaveNoRoles() {
        Mockito.when(this.config.get(SecuritySettings.ldap_authorization_group_to_role_mapping)).thenReturn("group=,");
        LdapRealm ldapRealm = new LdapRealm(this.config, this.securityLog, this.secureHasher);
        Assert.assertThat(Integer.valueOf(((Collection) ldapRealm.getGroupToRoleMapping().get("group")).size()), CoreMatchers.equalTo(0));
        Assert.assertThat(Integer.valueOf(ldapRealm.getGroupToRoleMapping().size()), CoreMatchers.equalTo(1));
    }

    @Test
    public void groupToRoleMappingShouldNotBeAbleToHaveInvalidFormat() {
        Mockito.when(this.config.get(SecuritySettings.ldap_authorization_group_to_role_mapping)).thenReturn("group");
        this.expectedException.expect(IllegalArgumentException.class);
        this.expectedException.expectMessage("wrong number of fields");
        new LdapRealm(this.config, this.securityLog, this.secureHasher);
    }

    @Test
    public void groupToRoleMappingShouldNotBeAbleToHaveEmptyGroupName() {
        Mockito.when(this.config.get(SecuritySettings.ldap_authorization_group_to_role_mapping)).thenReturn("=role");
        this.expectedException.expect(IllegalArgumentException.class);
        this.expectedException.expectMessage("wrong number of fields");
        new LdapRealm(this.config, this.securityLog, this.secureHasher);
    }

    @Test
    public void groupComparisonShouldBeCaseInsensitive() {
        Mockito.when(this.config.get(SecuritySettings.ldap_authorization_group_to_role_mapping)).thenReturn("GrouP=role1,role2,role3");
        LdapRealm ldapRealm = new LdapRealm(this.config, this.securityLog, this.secureHasher);
        Assert.assertThat(ldapRealm.getGroupToRoleMapping().get("group"), CoreMatchers.equalTo(Arrays.asList("role1", "role2", "role3")));
        Assert.assertThat(Integer.valueOf(ldapRealm.getGroupToRoleMapping().size()), CoreMatchers.equalTo(1));
    }

    @Test
    public void shouldWarnAboutUserSearchFilterWithoutArgument() throws Exception {
        Mockito.when(this.config.get(SecuritySettings.ldap_authorization_user_search_filter)).thenReturn("");
        LdapContext ldapContext = (LdapContext) Mockito.mock(LdapContext.class);
        NamingEnumeration namingEnumeration = (NamingEnumeration) Mockito.mock(NamingEnumeration.class);
        Mockito.when(ldapContext.search(ArgumentMatchers.anyString(), ArgumentMatchers.anyString(), (Object[]) ArgumentMatchers.any(), (SearchControls) ArgumentMatchers.any())).thenReturn(namingEnumeration);
        Mockito.when(Boolean.valueOf(namingEnumeration.hasMoreElements())).thenReturn(false);
        makeAndInit();
        ((SecurityLog) Mockito.verify(this.securityLog)).warn(ArgumentMatchers.contains("LDAP user search filter does not contain the argument placeholder {0}"));
    }

    @Test
    public void shouldWarnAboutUserSearchBaseBeingEmpty() throws Exception {
        Mockito.when(this.config.get(SecuritySettings.ldap_authorization_user_search_base)).thenReturn("");
        LdapContext ldapContext = (LdapContext) Mockito.mock(LdapContext.class);
        NamingEnumeration namingEnumeration = (NamingEnumeration) Mockito.mock(NamingEnumeration.class);
        Mockito.when(ldapContext.search(ArgumentMatchers.anyString(), ArgumentMatchers.anyString(), (Object[]) ArgumentMatchers.any(), (SearchControls) ArgumentMatchers.any())).thenReturn(namingEnumeration);
        Mockito.when(Boolean.valueOf(namingEnumeration.hasMoreElements())).thenReturn(false);
        org.neo4j.test.assertion.Assert.assertException(this::makeAndInit, IllegalArgumentException.class, "Illegal LDAP user search settings, see security log for details.");
        ((SecurityLog) Mockito.verify(this.securityLog)).error(ArgumentMatchers.contains("LDAP user search base is empty."));
    }

    @Test
    public void shouldWarnAboutGroupMembershipsBeingEmpty() throws Exception {
        Mockito.when(this.config.get(SecuritySettings.ldap_authorization_group_membership_attribute_names)).thenReturn(Collections.emptyList());
        LdapContext ldapContext = (LdapContext) Mockito.mock(LdapContext.class);
        NamingEnumeration namingEnumeration = (NamingEnumeration) Mockito.mock(NamingEnumeration.class);
        Mockito.when(ldapContext.search(ArgumentMatchers.anyString(), ArgumentMatchers.anyString(), (Object[]) ArgumentMatchers.any(), (SearchControls) ArgumentMatchers.any())).thenReturn(namingEnumeration);
        Mockito.when(Boolean.valueOf(namingEnumeration.hasMoreElements())).thenReturn(false);
        org.neo4j.test.assertion.Assert.assertException(this::makeAndInit, IllegalArgumentException.class, "Illegal LDAP user search settings, see security log for details.");
        ((SecurityLog) Mockito.verify(this.securityLog)).error(ArgumentMatchers.contains("LDAP group membership attribute names are empty. Authorization will not be possible."));
    }

    @Test
    public void shouldWarnAboutAmbiguousUserSearch() throws NamingException {
        Mockito.when(this.config.get(SecuritySettings.ldap_authorization_user_search_filter)).thenReturn("{0}");
        LdapContext ldapContext = (LdapContext) Mockito.mock(LdapContext.class);
        NamingEnumeration namingEnumeration = (NamingEnumeration) Mockito.mock(NamingEnumeration.class);
        SearchResult searchResult = (SearchResult) Mockito.mock(SearchResult.class);
        Mockito.when(ldapContext.search(ArgumentMatchers.anyString(), ArgumentMatchers.anyString(), (Object[]) ArgumentMatchers.any(), (SearchControls) ArgumentMatchers.any())).thenReturn(namingEnumeration);
        Mockito.when(Boolean.valueOf(namingEnumeration.hasMoreElements())).thenReturn(true);
        Mockito.when(namingEnumeration.next()).thenReturn(searchResult);
        Mockito.when(searchResult.toString()).thenReturn("<ldap search result>");
        new LdapRealm(this.config, this.securityLog, this.secureHasher).findRoleNamesForUser("username", ldapContext);
        ((SecurityLog) Mockito.verify(this.securityLog)).warn(ArgumentMatchers.contains("LDAP user search for user principal 'username' is ambiguous"));
    }

    @Test
    public void shouldAllowMultipleGroupMembershipAttributes() throws NamingException {
        Mockito.when(this.config.get(SecuritySettings.ldap_authorization_user_search_filter)).thenReturn("{0}");
        Mockito.when(this.config.get(SecuritySettings.ldap_authorization_group_membership_attribute_names)).thenReturn(Arrays.asList("attr0", "attr1", "attr2"));
        Mockito.when(this.config.get(SecuritySettings.ldap_authorization_group_to_role_mapping)).thenReturn("group1=role1;group2=role2,role3");
        LdapContext ldapContext = (LdapContext) Mockito.mock(LdapContext.class);
        NamingEnumeration namingEnumeration = (NamingEnumeration) Mockito.mock(NamingEnumeration.class);
        SearchResult searchResult = (SearchResult) Mockito.mock(SearchResult.class);
        Attributes attributes = (Attributes) Mockito.mock(Attributes.class);
        Attribute attribute = (Attribute) Mockito.mock(Attribute.class);
        Attribute attribute2 = (Attribute) Mockito.mock(Attribute.class);
        Attribute attribute3 = (Attribute) Mockito.mock(Attribute.class);
        NamingEnumeration namingEnumeration2 = (NamingEnumeration) Mockito.mock(NamingEnumeration.class);
        NamingEnumeration namingEnumeration3 = (NamingEnumeration) Mockito.mock(NamingEnumeration.class);
        NamingEnumeration namingEnumeration4 = (NamingEnumeration) Mockito.mock(NamingEnumeration.class);
        NamingEnumeration namingEnumeration5 = (NamingEnumeration) Mockito.mock(NamingEnumeration.class);
        Mockito.when(ldapContext.search(ArgumentMatchers.anyString(), ArgumentMatchers.anyString(), (Object[]) ArgumentMatchers.any(), (SearchControls) ArgumentMatchers.any())).thenReturn(namingEnumeration);
        Mockito.when(Boolean.valueOf(namingEnumeration.hasMoreElements())).thenReturn(true, new Boolean[]{false});
        Mockito.when(namingEnumeration.next()).thenReturn(searchResult);
        Mockito.when(searchResult.getAttributes()).thenReturn(attributes);
        Mockito.when(attributes.getAll()).thenReturn(namingEnumeration2);
        Mockito.when(Boolean.valueOf(namingEnumeration2.hasMore())).thenReturn(true, new Boolean[]{true, false});
        Mockito.when(namingEnumeration2.next()).thenReturn(attribute, new Object[]{attribute2, attribute3});
        Mockito.when(attribute.getID()).thenReturn("attr1");
        Mockito.when(attribute.getAll()).thenReturn(namingEnumeration3);
        Mockito.when(Boolean.valueOf(namingEnumeration3.hasMore())).thenReturn(true, new Boolean[]{false});
        Mockito.when(namingEnumeration3.next()).thenReturn("group1");
        Mockito.when(attribute2.getID()).thenReturn("attr2");
        Mockito.when(attribute2.getAll()).thenReturn(namingEnumeration4);
        Mockito.when(Boolean.valueOf(namingEnumeration4.hasMore())).thenReturn(true, new Boolean[]{false});
        Mockito.when(namingEnumeration4.next()).thenReturn("group2");
        Mockito.when(attribute3.getID()).thenReturn("attr3");
        Mockito.when(attribute3.getAll()).thenReturn(namingEnumeration5);
        Mockito.when(Boolean.valueOf(namingEnumeration5.hasMore())).thenReturn(true, new Boolean[]{false});
        Mockito.when(namingEnumeration5.next()).thenReturn("groupWithNoRole");
        Assert.assertThat(new LdapRealm(this.config, this.securityLog, this.secureHasher).findRoleNamesForUser("username", ldapContext), CoreMatchers.hasItems(new String[]{"role1", "role2", "role3"}));
    }

    @Test
    public void shouldLogSuccessfulAuthenticationQueries() throws NamingException {
        Mockito.when(this.config.get(SecuritySettings.ldap_use_starttls)).thenReturn(false);
        Mockito.when(this.config.get(SecuritySettings.ldap_authorization_use_system_account)).thenReturn(true);
        TestLdapRealm testLdapRealm = new TestLdapRealm(this.config, this.securityLog, false);
        JndiLdapContextFactory jndiLdapContextFactory = (JndiLdapContextFactory) Mockito.mock(JndiLdapContextFactory.class);
        Mockito.when(jndiLdapContextFactory.getUrl()).thenReturn("ldap://myserver.org:12345");
        Mockito.when(jndiLdapContextFactory.getLdapContext(Any.ANY, Any.ANY)).thenReturn((Object) null);
        testLdapRealm.queryForAuthenticationInfo(new ShiroAuthToken(MapUtil.map(new Object[]{"principal", "olivia", "credentials", "123"})), jndiLdapContextFactory);
        ((SecurityLog) Mockito.verify(this.securityLog)).debug(ArgumentMatchers.contains("{LdapRealm}: Authenticated user 'olivia' against 'ldap://myserver.org:12345'"));
    }

    @Test
    public void shouldLogSuccessfulAuthenticationQueriesUsingStartTLS() throws NamingException {
        Mockito.when(this.config.get(SecuritySettings.ldap_use_starttls)).thenReturn(true);
        TestLdapRealm testLdapRealm = new TestLdapRealm(this.config, this.securityLog, false);
        JndiLdapContextFactory jndiLdapContextFactory = (JndiLdapContextFactory) Mockito.mock(JndiLdapContextFactory.class);
        Mockito.when(jndiLdapContextFactory.getUrl()).thenReturn("ldap://myserver.org:12345");
        testLdapRealm.queryForAuthenticationInfo(new ShiroAuthToken(MapUtil.map(new Object[]{"principal", "olivia", "credentials", "123"})), jndiLdapContextFactory);
        ((SecurityLog) Mockito.verify(this.securityLog)).debug(ArgumentMatchers.contains("{LdapRealm}: Authenticated user 'olivia' against 'ldap://myserver.org:12345' using StartTLS"));
    }

    @Test
    public void shouldLogFailedAuthenticationQueries() {
        Mockito.when(this.config.get(SecuritySettings.ldap_use_starttls)).thenReturn(true);
        TestLdapRealm testLdapRealm = new TestLdapRealm(this.config, this.securityLog, true);
        JndiLdapContextFactory jndiLdapContextFactory = (JndiLdapContextFactory) Mockito.mock(JndiLdapContextFactory.class);
        Mockito.when(jndiLdapContextFactory.getUrl()).thenReturn("ldap://myserver.org:12345");
        org.neo4j.test.assertion.Assert.assertException(() -> {
            testLdapRealm.queryForAuthenticationInfo(new ShiroAuthToken(MapUtil.map(new Object[]{"principal", "olivia", "credentials", "123"})), jndiLdapContextFactory);
        }, NamingException.class);
    }

    @Test
    public void shouldLogSuccessfulAuthorizationQueries() {
        Mockito.when(this.config.get(SecuritySettings.ldap_use_starttls)).thenReturn(true);
        TestLdapRealm testLdapRealm = new TestLdapRealm(this.config, this.securityLog, false);
        Mockito.when(((JndiLdapContextFactory) Mockito.mock(JndiLdapContextFactory.class)).getUrl()).thenReturn("ldap://myserver.org:12345");
        testLdapRealm.doGetAuthorizationInfo(new SimplePrincipalCollection("olivia", "LdapRealm"));
        ((SecurityLog) Mockito.verify(this.securityLog)).debug(ArgumentMatchers.contains("{LdapRealm}: Queried for authorization info for user 'olivia'"));
    }

    @Test
    public void shouldLogFailedAuthorizationQueries() {
        Mockito.when(this.config.get(SecuritySettings.ldap_use_starttls)).thenReturn(true);
        TestLdapRealm testLdapRealm = new TestLdapRealm(this.config, this.securityLog, true);
        Mockito.when(((JndiLdapContextFactory) Mockito.mock(JndiLdapContextFactory.class)).getUrl()).thenReturn("ldap://myserver.org:12345");
        Assert.assertNull(testLdapRealm.doGetAuthorizationInfo(new SimplePrincipalCollection("olivia", "LdapRealm")));
        ((SecurityLog) Mockito.verify(this.securityLog)).warn(ArgumentMatchers.contains("{LdapRealm}: Failed to get authorization info: 'LDAP naming error while attempting to retrieve authorization for user [olivia].' caused by 'Simulated failure'"));
    }

    private void makeAndInit() {
        try {
            new LdapRealm(this.config, this.securityLog, this.secureHasher).initialize();
        } catch (Exception e) {
            throw e;
        } catch (Throwable th) {
            throw new RuntimeException(th);
        }
    }
}
