package org.neo4j.bolt.security.basic;

import java.util.Collections;
import java.util.concurrent.ThreadLocalRandom;
import org.assertj.core.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.mockito.Mockito;
import org.neo4j.bolt.security.Authentication;
import org.neo4j.bolt.security.error.AuthenticationException;
import org.neo4j.configuration.Config;
import org.neo4j.configuration.GraphDatabaseSettings;
import org.neo4j.function.Suppliers;
import org.neo4j.internal.helpers.collection.MapUtil;
import org.neo4j.internal.kernel.api.connectioninfo.ClientConnectionInfo;
import org.neo4j.kernel.api.exceptions.Status;
import org.neo4j.kernel.impl.security.User;
import org.neo4j.server.security.SecureHasher;
import org.neo4j.server.security.auth.RateLimitedAuthenticationStrategy;
import org.neo4j.server.security.auth.SecurityTestUtils;
import org.neo4j.server.security.systemgraph.BasicSystemGraphRealm;
import org.neo4j.server.security.systemgraph.SystemGraphRealmHelper;
import org.neo4j.time.Clocks;

/* loaded from: input_file:org/neo4j/bolt/security/basic/BasicAuthenticationTest.class */
class BasicAuthenticationTest {
    private Authentication authentication;

    BasicAuthenticationTest() {
    }

    @Test
    void shouldNotDoAnythingOnSuccess() throws Exception {
        Assertions.assertThat(this.authentication.authenticate(MapUtil.map(new Object[]{"scheme", "basic", "principal", "mike", "credentials", SecurityTestUtils.password("secret2")}), ClientConnectionInfo.EMBEDDED_CONNECTION).getLoginContext().subject().executingUser()).isEqualTo("mike");
    }

    @Test
    void shouldThrowAndLogOnFailure() {
        AuthenticationException assertThrows = org.junit.jupiter.api.Assertions.assertThrows(AuthenticationException.class, () -> {
            this.authentication.authenticate(MapUtil.map(new Object[]{"scheme", "basic", "principal", "bob", "credentials", SecurityTestUtils.password("banana")}), ClientConnectionInfo.EMBEDDED_CONNECTION);
        });
        org.junit.jupiter.api.Assertions.assertEquals(Status.Security.Unauthorized, assertThrows.status());
        org.junit.jupiter.api.Assertions.assertEquals("The client is unauthorized due to authentication failure.", assertThrows.getMessage());
    }

    @Test
    void shouldIndicateThatCredentialsExpired() throws Exception {
        org.junit.jupiter.api.Assertions.assertTrue(this.authentication.authenticate(MapUtil.map(new Object[]{"scheme", "basic", "principal", "bob", "credentials", SecurityTestUtils.password("secret")}), ClientConnectionInfo.EMBEDDED_CONNECTION).credentialsExpired());
    }

    @Test
    void shouldFailWhenTooManyAttempts() throws Exception {
        int nextInt = ThreadLocalRandom.current().nextInt(1, 10);
        Authentication createAuthentication = createAuthentication(nextInt);
        for (int i = 0; i < nextInt; i++) {
            try {
                createAuthentication.authenticate(MapUtil.map(new Object[]{"scheme", "basic", "principal", "bob", "credentials", SecurityTestUtils.password("gelato")}), ClientConnectionInfo.EMBEDDED_CONNECTION);
            } catch (AuthenticationException e) {
                Assertions.assertThat(e.status()).isEqualTo(Status.Security.Unauthorized);
            }
        }
        AuthenticationException assertThrows = org.junit.jupiter.api.Assertions.assertThrows(AuthenticationException.class, () -> {
            createAuthentication.authenticate(MapUtil.map(new Object[]{"scheme", "basic", "principal", "bob", "credentials", SecurityTestUtils.password("gelato")}), ClientConnectionInfo.EMBEDDED_CONNECTION);
        });
        org.junit.jupiter.api.Assertions.assertEquals(Status.Security.AuthenticationRateLimit, assertThrows.status());
        org.junit.jupiter.api.Assertions.assertEquals("The client has provided incorrect authentication details too many times in a row.", assertThrows.getMessage());
    }

    @Test
    void shouldClearCredentialsAfterUse() throws Exception {
        byte[] password = SecurityTestUtils.password("secret2");
        this.authentication.authenticate(MapUtil.map(new Object[]{"scheme", "basic", "principal", "mike", "credentials", password}), ClientConnectionInfo.EMBEDDED_CONNECTION);
        Assertions.assertThat(password).containsOnly(new int[]{0});
    }

    @Test
    void shouldThrowWithNoScheme() {
        org.junit.jupiter.api.Assertions.assertEquals(Status.Security.Unauthorized, org.junit.jupiter.api.Assertions.assertThrows(AuthenticationException.class, () -> {
            this.authentication.authenticate(MapUtil.map(new Object[]{"principal", "bob", "credentials", SecurityTestUtils.password("secret")}), ClientConnectionInfo.EMBEDDED_CONNECTION);
        }).status());
    }

    @Test
    void shouldFailOnInvalidAuthToken() {
        org.junit.jupiter.api.Assertions.assertEquals(Status.Security.Unauthorized, org.junit.jupiter.api.Assertions.assertThrows(AuthenticationException.class, () -> {
            this.authentication.authenticate(MapUtil.map(new Object[]{"this", "does", "not", "matter", "for", "test"}), ClientConnectionInfo.EMBEDDED_CONNECTION);
        }).status());
    }

    @Test
    void shouldFailOnMalformedToken() {
        AuthenticationException assertThrows = org.junit.jupiter.api.Assertions.assertThrows(AuthenticationException.class, () -> {
            this.authentication.authenticate(MapUtil.map(new Object[]{"scheme", "basic", "principal", Collections.singletonList("bob"), "credentials", SecurityTestUtils.password("secret")}), ClientConnectionInfo.EMBEDDED_CONNECTION);
        });
        org.junit.jupiter.api.Assertions.assertEquals(Status.Security.Unauthorized, assertThrows.status());
        org.junit.jupiter.api.Assertions.assertEquals("Unsupported authentication token, the value associated with the key `principal` must be a String but was: SingletonList", assertThrows.getMessage());
    }

    @BeforeEach
    void setup() throws Throwable {
        this.authentication = createAuthentication(3);
    }

    private static Authentication createAuthentication(int i) throws Exception {
        Config defaults = Config.defaults(GraphDatabaseSettings.auth_max_failed_attempts, Integer.valueOf(i));
        SystemGraphRealmHelper systemGraphRealmHelper = (SystemGraphRealmHelper) Mockito.spy(new SystemGraphRealmHelper((Suppliers.Lazy) null, new SecureHasher()));
        BasicAuthentication basicAuthentication = new BasicAuthentication(new BasicSystemGraphRealm(systemGraphRealmHelper, new RateLimitedAuthenticationStrategy(Clocks.systemClock(), defaults)));
        ((SystemGraphRealmHelper) Mockito.doReturn(new User("bob", (String) null, SecurityTestUtils.credentialFor("secret"), true, false)).when(systemGraphRealmHelper)).getUser("bob");
        ((SystemGraphRealmHelper) Mockito.doReturn(new User("mike", (String) null, SecurityTestUtils.credentialFor("secret2"), false, false)).when(systemGraphRealmHelper)).getUser("mike");
        return basicAuthentication;
    }
}
