package org.neo4j.server.security.auth;

import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Map;
import org.hamcrest.MatcherAssert;
import org.hamcrest.Matchers;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.mockito.ArgumentMatchers;
import org.mockito.Mockito;
import org.neo4j.cypher.internal.security.SecureHasher;
import org.neo4j.dbms.database.DatabaseManager;
import org.neo4j.internal.helpers.collection.MapUtil;
import org.neo4j.internal.kernel.api.security.AuthenticationResult;
import org.neo4j.kernel.api.exceptions.InvalidArgumentsException;
import org.neo4j.kernel.api.security.AuthToken;
import org.neo4j.kernel.api.security.exception.InvalidAuthTokenException;
import org.neo4j.kernel.impl.security.User;
import org.neo4j.server.security.systemgraph.BasicSystemGraphRealm;
import org.neo4j.server.security.systemgraph.SecurityGraphInitializer;
import org.neo4j.test.assertion.Assert;

/* loaded from: input_file:org/neo4j/server/security/auth/BasicSystemGraphRealmTest.class */
public class BasicSystemGraphRealmTest {
    private AuthenticationStrategy authStrategy;
    private BasicSystemGraphRealm realm;

    @BeforeEach
    void setUp() throws Exception {
        this.authStrategy = (AuthenticationStrategy) Mockito.mock(AuthenticationStrategy.class);
        this.realm = (BasicSystemGraphRealm) Mockito.spy(new BasicSystemGraphRealm(SecurityGraphInitializer.NO_OP, (DatabaseManager) null, new SecureHasher(), this.authStrategy, true));
    }

    @Test
    void shouldFindAndAuthenticateUserSuccessfully() throws Throwable {
        User build = new User.Builder("jake", SecurityTestUtils.credentialFor("abc123")).build();
        ((BasicSystemGraphRealm) Mockito.doReturn(build).when(this.realm)).getUser("jake");
        setMockAuthenticationStrategyResult(build, "abc123", AuthenticationResult.SUCCESS);
        assertLoginGivesResult("jake", "abc123", AuthenticationResult.SUCCESS);
    }

    @Test
    void shouldFindAndAuthenticateUserAndReturnAuthStrategyResult() throws Throwable {
        User build = new User.Builder("jake", SecurityTestUtils.credentialFor("abc123")).build();
        ((BasicSystemGraphRealm) Mockito.doReturn(build).when(this.realm)).getUser("jake");
        setMockAuthenticationStrategyResult(build, "abc123", AuthenticationResult.TOO_MANY_ATTEMPTS);
        assertLoginGivesResult("jake", "abc123", AuthenticationResult.TOO_MANY_ATTEMPTS);
    }

    @Test
    void shouldFindAndAuthenticateUserAndReturnPasswordChangeIfRequired() throws Throwable {
        User build = new User.Builder("jake", SecurityTestUtils.credentialFor("abc123")).withRequiredPasswordChange(true).build();
        ((BasicSystemGraphRealm) Mockito.doReturn(build).when(this.realm)).getUser("jake");
        setMockAuthenticationStrategyResult(build, "abc123", AuthenticationResult.SUCCESS);
        assertLoginGivesResult("jake", "abc123", AuthenticationResult.PASSWORD_CHANGE_REQUIRED);
    }

    @Test
    void shouldFailAuthenticationIfUserIsNotFound() throws Throwable {
        ((BasicSystemGraphRealm) Mockito.doThrow(new Throwable[]{new InvalidArgumentsException("User 'unknown' does not exist.")}).when(this.realm)).getUser("unknown");
        assertLoginGivesResult("unknown", "abc123", AuthenticationResult.FAILURE);
    }

    @Test
    void shouldClearPasswordOnLogin() throws Throwable {
        Mockito.when(this.authStrategy.authenticate((User) ArgumentMatchers.any(), (byte[]) ArgumentMatchers.any())).thenReturn(AuthenticationResult.SUCCESS);
        ((BasicSystemGraphRealm) Mockito.doReturn(new User.Builder("jake", SecurityTestUtils.credentialFor("abc123")).withRequiredPasswordChange(true).build()).when(this.realm)).getUser("jake");
        byte[] password = SecurityTestUtils.password("abc123");
        Map newBasicAuthToken = AuthToken.newBasicAuthToken("jake", password);
        this.realm.login(newBasicAuthToken);
        MatcherAssert.assertThat(password, Matchers.equalTo(clearedPasswordWithSameLengthAs("abc123")));
        MatcherAssert.assertThat(newBasicAuthToken.get("credentials"), Matchers.equalTo(clearedPasswordWithSameLengthAs("abc123")));
    }

    @Test
    void shouldClearPasswordOnInvalidAuthToken() {
        byte[] password = SecurityTestUtils.password("abc123");
        Map newBasicAuthToken = AuthToken.newBasicAuthToken("jake", password);
        newBasicAuthToken.put("scheme", null);
        try {
            this.realm.login(newBasicAuthToken);
            Assertions.fail("exception expected");
        } catch (InvalidAuthTokenException e) {
        }
        MatcherAssert.assertThat(password, Matchers.equalTo(clearedPasswordWithSameLengthAs("abc123")));
        MatcherAssert.assertThat(newBasicAuthToken.get("credentials"), Matchers.equalTo(clearedPasswordWithSameLengthAs("abc123")));
    }

    @Test
    void shouldFailWhenAuthTokenIsInvalid() {
        Assert.assertException(() -> {
            this.realm.login(MapUtil.map(new Object[]{"scheme", "supercool", "principal", "neo4j"}));
        }, InvalidAuthTokenException.class, "Unsupported authentication token, scheme 'supercool' is not supported.");
        Assert.assertException(() -> {
            this.realm.login(MapUtil.map(new Object[]{"scheme", "none"}));
        }, InvalidAuthTokenException.class, "Unsupported authentication token, scheme 'none' is only allowed when auth is disabled");
        Assert.assertException(() -> {
            this.realm.login(MapUtil.map(new Object[]{"key", "value"}));
        }, InvalidAuthTokenException.class, "Unsupported authentication token, missing key `scheme`");
        Assert.assertException(() -> {
            this.realm.login(MapUtil.map(new Object[]{"scheme", "basic", "principal", "neo4j"}));
        }, InvalidAuthTokenException.class, "Unsupported authentication token, missing key `credentials`");
        Assert.assertException(() -> {
            this.realm.login(MapUtil.map(new Object[]{"scheme", "basic", "credentials", "very-secret"}));
        }, InvalidAuthTokenException.class, "Unsupported authentication token, missing key `principal`");
    }

    private void assertLoginGivesResult(String str, String str2, AuthenticationResult authenticationResult) throws InvalidAuthTokenException {
        MatcherAssert.assertThat(this.realm.login(SecurityTestUtils.authToken(str, str2)).subject().getAuthenticationResult(), Matchers.equalTo(authenticationResult));
    }

    private void setMockAuthenticationStrategyResult(User user, String str, AuthenticationResult authenticationResult) {
        Mockito.when(this.authStrategy.authenticate(user, SecurityTestUtils.password(str))).thenReturn(authenticationResult);
    }

    public static byte[] clearedPasswordWithSameLengthAs(String str) {
        byte[] bytes = str.getBytes(StandardCharsets.UTF_8);
        Arrays.fill(bytes, (byte) 0);
        return bytes;
    }
}
