package org.neo4j.server.security.auth;

import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Map;
import org.assertj.core.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.mockito.ArgumentMatchers;
import org.mockito.Mockito;
import org.neo4j.function.Suppliers;
import org.neo4j.internal.helpers.collection.MapUtil;
import org.neo4j.internal.kernel.api.connectioninfo.ClientConnectionInfo;
import org.neo4j.internal.kernel.api.security.AuthenticationResult;
import org.neo4j.internal.kernel.api.security.CommunitySecurityLog;
import org.neo4j.kernel.api.security.AuthToken;
import org.neo4j.kernel.api.security.exception.InvalidAuthTokenException;
import org.neo4j.kernel.impl.security.User;
import org.neo4j.server.security.SecureHasher;
import org.neo4j.server.security.systemgraph.BasicSystemGraphRealm;
import org.neo4j.server.security.systemgraph.SecurityGraphHelper;

/* loaded from: input_file:org/neo4j/server/security/auth/BasicSystemGraphRealmTest.class */
public class BasicSystemGraphRealmTest {
    private AuthenticationStrategy authStrategy;
    private SecurityGraphHelper realmHelper;
    private BasicSystemGraphRealm realm;

    @BeforeEach
    void setUp() {
        this.authStrategy = (AuthenticationStrategy) Mockito.mock(AuthenticationStrategy.class);
        this.realmHelper = (SecurityGraphHelper) Mockito.spy(new SecurityGraphHelper((Suppliers.Lazy) null, new SecureHasher(), CommunitySecurityLog.NULL_LOG));
        this.realm = new BasicSystemGraphRealm(this.realmHelper, this.authStrategy);
    }

    @Test
    void shouldFindAndAuthenticateUserSuccessfully() throws Throwable {
        User user = new User("jake", (String) null, SecurityTestUtils.credentialFor("abc123"), false, false);
        ((SecurityGraphHelper) Mockito.doReturn(user).when(this.realmHelper)).getUserByName("jake");
        setMockAuthenticationStrategyResult(user, "abc123", AuthenticationResult.SUCCESS);
        assertLoginGivesResult("jake", "abc123", AuthenticationResult.SUCCESS);
    }

    @Test
    void shouldFindAndAuthenticateUserAndReturnAuthStrategyResult() throws Throwable {
        User user = new User("jake", (String) null, SecurityTestUtils.credentialFor("abc123"), false, false);
        ((SecurityGraphHelper) Mockito.doReturn(user).when(this.realmHelper)).getUserByName("jake");
        setMockAuthenticationStrategyResult(user, "abc123", AuthenticationResult.TOO_MANY_ATTEMPTS);
        assertLoginGivesResult("jake", "abc123", AuthenticationResult.TOO_MANY_ATTEMPTS);
    }

    @Test
    void shouldFindAndAuthenticateUserAndReturnPasswordChangeIfRequired() throws Throwable {
        User user = new User("jake", (String) null, SecurityTestUtils.credentialFor("abc123"), true, false);
        ((SecurityGraphHelper) Mockito.doReturn(user).when(this.realmHelper)).getUserByName("jake");
        setMockAuthenticationStrategyResult(user, "abc123", AuthenticationResult.SUCCESS);
        assertLoginGivesResult("jake", "abc123", AuthenticationResult.PASSWORD_CHANGE_REQUIRED);
    }

    @Test
    void shouldFailAuthenticationIfUserIsNotFound() throws Throwable {
        ((SecurityGraphHelper) Mockito.doReturn((Object) null).when(this.realmHelper)).getUserByName("unknown");
        assertLoginGivesResult("unknown", "abc123", AuthenticationResult.FAILURE);
    }

    @Test
    void shouldClearPasswordOnLogin() throws Throwable {
        Mockito.when(this.authStrategy.authenticate((User) ArgumentMatchers.any(), (byte[]) ArgumentMatchers.any())).thenReturn(AuthenticationResult.SUCCESS);
        ((SecurityGraphHelper) Mockito.doReturn(new User("jake", (String) null, SecurityTestUtils.credentialFor("abc123"), true, false)).when(this.realmHelper)).getUserByName("jake");
        byte[] password = SecurityTestUtils.password("abc123");
        Map newBasicAuthToken = AuthToken.newBasicAuthToken("jake", password);
        this.realm.login(newBasicAuthToken, ClientConnectionInfo.EMBEDDED_CONNECTION);
        Assertions.assertThat(password).isEqualTo(clearedPasswordWithSameLengthAs("abc123"));
        Assertions.assertThat(newBasicAuthToken.get("credentials")).isEqualTo(clearedPasswordWithSameLengthAs("abc123"));
    }

    @Test
    void shouldClearPasswordOnInvalidAuthToken() {
        byte[] password = SecurityTestUtils.password("abc123");
        Map newBasicAuthToken = AuthToken.newBasicAuthToken("jake", password);
        newBasicAuthToken.put("scheme", null);
        try {
            this.realm.login(newBasicAuthToken, ClientConnectionInfo.EMBEDDED_CONNECTION);
            org.junit.jupiter.api.Assertions.fail("exception expected");
        } catch (InvalidAuthTokenException e) {
        }
        Assertions.assertThat(password).isEqualTo(clearedPasswordWithSameLengthAs("abc123"));
        Assertions.assertThat(newBasicAuthToken.get("credentials")).isEqualTo(clearedPasswordWithSameLengthAs("abc123"));
    }

    @Test
    void shouldFailWhenAuthTokenIsInvalid() {
        Assertions.assertThatThrownBy(() -> {
            this.realm.login(MapUtil.map(new Object[]{"scheme", "supercool", "principal", "neo4j"}), ClientConnectionInfo.EMBEDDED_CONNECTION);
        }).isInstanceOf(InvalidAuthTokenException.class).hasMessage("Unsupported authentication token, scheme 'supercool' is not supported.");
        Assertions.assertThatThrownBy(() -> {
            this.realm.login(MapUtil.map(new Object[]{"scheme", "none"}), ClientConnectionInfo.EMBEDDED_CONNECTION);
        }).isInstanceOf(InvalidAuthTokenException.class).hasMessage("Unsupported authentication token, scheme 'none' is only allowed when auth is disabled.");
        Assertions.assertThatThrownBy(() -> {
            this.realm.login(MapUtil.map(new Object[]{"key", "value"}), ClientConnectionInfo.EMBEDDED_CONNECTION);
        }).isInstanceOf(InvalidAuthTokenException.class).hasMessage("Unsupported authentication token, missing key `scheme`");
        Assertions.assertThatThrownBy(() -> {
            this.realm.login(MapUtil.map(new Object[]{"scheme", "basic", "principal", "neo4j"}), ClientConnectionInfo.EMBEDDED_CONNECTION);
        }).isInstanceOf(InvalidAuthTokenException.class).hasMessage("Unsupported authentication token, missing key `credentials`");
        Assertions.assertThatThrownBy(() -> {
            this.realm.login(MapUtil.map(new Object[]{"scheme", "basic", "credentials", "very-secret"}), ClientConnectionInfo.EMBEDDED_CONNECTION);
        }).isInstanceOf(InvalidAuthTokenException.class).hasMessage("Unsupported authentication token, missing key `principal`");
    }

    private void assertLoginGivesResult(String str, String str2, AuthenticationResult authenticationResult) throws InvalidAuthTokenException {
        Assertions.assertThat(this.realm.login(SecurityTestUtils.authToken(str, str2), ClientConnectionInfo.EMBEDDED_CONNECTION).subject().getAuthenticationResult()).isEqualTo(authenticationResult);
    }

    private void setMockAuthenticationStrategyResult(User user, String str, AuthenticationResult authenticationResult) {
        Mockito.when(this.authStrategy.authenticate(user, SecurityTestUtils.password(str))).thenReturn(authenticationResult);
    }

    public static byte[] clearedPasswordWithSameLengthAs(String str) {
        byte[] bytes = str.getBytes(StandardCharsets.UTF_8);
        Arrays.fill(bytes, (byte) 0);
        return bytes;
    }
}
