package org.neo4j.kernel.impl.security;

import inet.ipaddr.IPAddressString;
import java.net.ConnectException;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLConnection;
import java.net.URLStreamHandler;
import java.net.UnknownHostException;
import java.util.Iterator;
import java.util.List;
import org.apache.commons.lang3.mutable.MutableInt;
import org.assertj.core.api.Assertions;
import org.assertj.core.api.AssertionsForClassTypes;
import org.junit.jupiter.api.Test;
import org.mockito.Mockito;
import org.neo4j.configuration.Config;
import org.neo4j.configuration.GraphDatabaseInternalSettings;
import org.neo4j.graphdb.security.URLAccessValidationError;
import org.neo4j.internal.kernel.api.connectioninfo.ClientConnectionInfo;
import org.neo4j.internal.kernel.api.security.AbstractSecurityLog;
import org.neo4j.internal.kernel.api.security.AccessMode;
import org.neo4j.internal.kernel.api.security.AuthSubject;
import org.neo4j.internal.kernel.api.security.CommunitySecurityLog;
import org.neo4j.internal.kernel.api.security.SecurityAuthorizationHandler;
import org.neo4j.internal.kernel.api.security.SecurityContext;
import org.neo4j.logging.NullLog;

/* loaded from: input_file:org/neo4j/kernel/impl/security/WebURLAccessRuleTest.class */
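/**
 * Tests for {@link WebURLAccessRule}, the rule that validates web URLs (http, https, ftp) against the
 * {@code internal.dbms.cypher_ip_blocklist} setting before a connection is returned to the caller.
 *
 * <p>The cases cover the server-side request forgery defences visible in these tests: rejecting hosts that
 * resolve into a blocked range, re-checking the target of an HTTP redirect, bounding the number of
 * redirects, and replacing the host name by the resolved IP ("pinning") for http and ftp.
 *
 * <p>Several tests resolve {@code localhost} and attempt real connections to it, so their outcome depends on
 * the resolver and on nothing listening on the default http/https ports of the machine running them.
 */
class WebURLAccessRuleTest {
    /** Fragment of the error message that names the setting responsible for the rejection. */
    private static final String BLOCKED_BY_SETTING =
            "blocked via the configuration property internal.dbms.cypher_ip_blocklist";

    private final AbstractSecurityLog securityLog = new CommunitySecurityLog(NullLog.getInstance());
    private final SecurityAuthorizationHandler securityAuthorizationHandler =
            new SecurityAuthorizationHandler(this.securityLog);

    /**
     * Test double that records whether the IP-pinning hook was reached and leaves the URL unchanged.
     *
     * <p>Declared {@code static} because it uses no state of the enclosing test instance.
     */
    static class C1TestWebURLAccessRule extends WebURLAccessRule {
        // Shared mutable flag: tests that read it must reset it first and must not run concurrently.
        public static boolean enteredIpPinning = false;

        public C1TestWebURLAccessRule(Config config) {
            super(config);
        }

        @Override
        protected URL substituteHostByIP(URL url, String str) {
            enteredIpPinning = true;
            return url;
        }
    }

    /** Loopback targets, by name and by IPv6 literal, must be rejected for every supported scheme. */
    @Test
    void shouldThrowWhenUrlIsWithinBlockedRange() throws Exception {
        IPAddressString blockedIpv4Range = new IPAddressString("127.0.0.0/8");
        // NOTE(review): an IPv6 loopback literal carrying a /8 prefix. How IPAddressString interprets a
        // prefix on an address with non-zero host bits is not visible here; confirm the intended range.
        IPAddressString blockedIpv6Range = new IPAddressString("0:0:0:0:0:0:0:1/8");
        List<String> targets = List.of(
                "http://localhost/test.csv",
                "https://localhost/test.csv",
                "ftp://localhost/test.csv",
                "http://[::1]/test.csv");

        for (String target : targets) {
            URL url = new URL(target);
            Config config = Config.defaults(
                    GraphDatabaseInternalSettings.cypher_ip_blocklist, List.of(blockedIpv4Range, blockedIpv6Range));

            URLAccessValidationError error =
                    org.junit.jupiter.api.Assertions.assertThrows(URLAccessValidationError.class, () -> {
                        new WebURLAccessRule(config).validate(url, this.securityAuthorizationHandler, fullSecurityContext());
                    });

            Assertions.assertThat(error.getMessage()).contains(BLOCKED_BY_SETTING);
        }
    }

    /** Hosts outside the blocked range pass the check and come back as a URL equal to the expected one. */
    @Test
    void validationShouldPassWhenUrlIsNotWithinBlockedRange() throws Exception {
        IPAddressString blockedIpv4Range = new IPAddressString("132.0.0.0/8");
        Config config = Mockito.mock(Config.class);
        Mockito.when(config.get(GraphDatabaseInternalSettings.cypher_ip_blocklist))
                .thenReturn(List.of(blockedIpv4Range));

        List<String> targets = List.of(
                "http://localhost/test.csv",
                "https://localhost/test.csv",
                "ftp://localhost/test.csv",
                "http://[::1]/test.csv");
        List<URL> expected = List.of(
                new URL("http://127.0.0.1/test.csv"),
                new URL("https://localhost/test.csv"),
                new URL("ftp://localhost/test.csv"),
                new URL("http://[::1]/test.csv"));

        for (int i = 0; i < targets.size(); i++) {
            URL checked = new WebURLAccessRule(config)
                    .checkNotBlockedAndPinToIP(
                            new URL(targets.get(i)), this.securityAuthorizationHandler, fullSecurityContext());
            // NOTE(review): URL.equals() resolves both hosts and treats hosts with the same address as
            // equal, so this comparison cannot distinguish a pinned URL from an unpinned one. Comparing
            // toString() would pin the exact form, but the expected strings must be confirmed first.
            Assertions.assertThat(checked).isEqualTo(expected.get(i));
        }
    }

    /** A single blocked address (no prefix length) is enforced as well as a range. */
    @Test
    void shouldWorkWithNonRangeIps() throws MalformedURLException {
        IPAddressString blockedIp = new IPAddressString("127.0.0.1");
        URL url = new URL("http://localhost/test.csv");
        Config config = Config.defaults(GraphDatabaseInternalSettings.cypher_ip_blocklist, List.of(blockedIp));

        URLAccessValidationError error =
                org.junit.jupiter.api.Assertions.assertThrows(URLAccessValidationError.class, () -> {
                    new WebURLAccessRule(config).validate(url, this.securityAuthorizationHandler, fullSecurityContext());
                });

        Assertions.assertThat(error.getMessage()).contains(BLOCKED_BY_SETTING);
    }

    /** A host that cannot be resolved surfaces as {@link UnknownHostException} naming the host. */
    @Test
    void shouldFailForInvalidIps() throws Exception {
        IPAddressString blockedIp = new IPAddressString("127.0.0.1");
        // ".invalid" is a reserved top-level domain; the test still depends on the local resolver
        // reporting it as unknown.
        URL url = new URL("http://always.invalid/test.csv");
        Config config = Config.defaults(GraphDatabaseInternalSettings.cypher_ip_blocklist, List.of(blockedIp));

        UnknownHostException error =
                org.junit.jupiter.api.Assertions.assertThrows(UnknownHostException.class, () -> {
                    new WebURLAccessRule(config).validate(url, this.securityAuthorizationHandler, fullSecurityContext());
                });

        Assertions.assertThat(error.getMessage()).contains("always.invalid");
    }

    /** A redirect whose Location points at a blocked address is rejected, not followed. */
    @Test
    void shouldFailForRedirectedInvalidIps() throws Exception {
        IPAddressString blockedIp = new IPAddressString("127.0.0.1");
        final HttpURLConnection connection = Mockito.mock(HttpURLConnection.class);
        Mockito.when(connection.getResponseCode()).thenReturn(302);
        Mockito.when(connection.getHeaderField("Location")).thenReturn("https://127.0.0.1");

        // The initial host (127.0.0.0) is not on the blocklist; only the redirect target is.
        URL url = new URL("https", "127.0.0.0", 8000, "", new URLStreamHandler() {
            @Override
            protected URLConnection openConnection(URL ignored) {
                return connection;
            }
        });
        Config config = Config.defaults(GraphDatabaseInternalSettings.cypher_ip_blocklist, List.of(blockedIp));

        URLAccessValidationError error =
                org.junit.jupiter.api.Assertions.assertThrows(URLAccessValidationError.class, () -> {
                    new WebURLAccessRule(config).validate(url, this.securityAuthorizationHandler, fullSecurityContext());
                });

        Assertions.assertThat(error.getMessage())
                .contains(
                        "access to /127.0.0.1 is blocked via the configuration property internal.dbms.cypher_ip_blocklist");
    }

    /** A Location header that switches from https to http is not followed; the first connection is returned. */
    @Test
    void shouldNotFollowChangeInProtocols() throws Exception {
        IPAddressString blockedIp = new IPAddressString("127.168.0.1");
        final HttpURLConnection connection = Mockito.mock(HttpURLConnection.class);
        // NOTE(review): 306 is a reserved status code. Whether WebURLAccessRule treats it as a redirect is
        // not visible here; if it does not, this test passes without reaching the protocol comparison.
        Mockito.when(connection.getResponseCode()).thenReturn(306);
        Mockito.when(connection.getHeaderField("Location")).thenReturn("http://127.0.0.1");

        URL url = new URL("https", "127.0.0.0", 8000, "", new URLStreamHandler() {
            @Override
            protected URLConnection openConnection(URL ignored) {
                return connection;
            }
        });
        Config config = Config.defaults(GraphDatabaseInternalSettings.cypher_ip_blocklist, List.of(blockedIp));

        org.junit.jupiter.api.Assertions.assertEquals(
                connection,
                new WebURLAccessRule(config).validate(url, this.securityAuthorizationHandler, fullSecurityContext()));
    }

    /** Two endpoints that redirect to each other must end in an error instead of looping forever. */
    @Test
    void shouldFailForExceedingRedirectLimit() throws Exception {
        IPAddressString blockedIp = new IPAddressString("127.168.0.1");

        final HttpURLConnection connectionA = Mockito.mock(HttpURLConnection.class);
        Mockito.when(connectionA.getResponseCode()).thenReturn(302);
        Mockito.when(connectionA.getHeaderField("Location")).thenReturn("/b");

        final HttpURLConnection connectionB = Mockito.mock(HttpURLConnection.class);
        Mockito.when(connectionB.getResponseCode()).thenReturn(302);
        Mockito.when(connectionB.getHeaderField("Location")).thenReturn("/a");

        // Alternate between the two mocks on every openConnection call: /a -> /b -> /a -> ...
        final MutableInt openCount = new MutableInt(0);
        URLStreamHandler alternatingHandler = new URLStreamHandler() {
            @Override
            protected URLConnection openConnection(URL ignored) {
                return openCount.getAndIncrement() % 2 == 0 ? connectionA : connectionB;
            }
        };
        URL urlA = new URL("https", "127.0.0.0", 8000, "/a", alternatingHandler);
        URL urlB = new URL("https", "127.0.0.0", 8000, "/b", alternatingHandler);
        Mockito.when(connectionA.getURL()).thenReturn(urlA);
        Mockito.when(connectionB.getURL()).thenReturn(urlB);

        Config config = Config.defaults(GraphDatabaseInternalSettings.cypher_ip_blocklist, List.of(blockedIp));

        AssertionsForClassTypes.assertThatThrownBy(() -> {
                    new WebURLAccessRule(config).validate(urlA, this.securityAuthorizationHandler, fullSecurityContext());
                })
                .isInstanceOf(URLAccessValidationError.class)
                .hasMessageContaining("Redirect limit exceeded");
    }

    /**
     * The pinning hook is reached for http and ftp but not for https.
     *
     * <p>NOTE(review): https is not pinned, so the host is presumably resolved again when the connection
     * is opened. The blocklist check and the connection could then see different addresses; confirm that
     * this gap is handled elsewhere.
     */
    @Test
    void shouldPinIPsForHttpAndFtp() throws Exception {
        IPAddressString blockedIp = new IPAddressString("127.168.0.1");
        URL httpUrl = new URL("http://localhost/test.csv");
        URL httpsUrl = new URL("https://localhost/test.csv");
        URL ftpUrl = new URL("ftp://localhost/test.csv");
        C1TestWebURLAccessRule rule = new C1TestWebURLAccessRule(
                Config.defaults(GraphDatabaseInternalSettings.cypher_ip_blocklist, List.of(blockedIp)));

        // Start from a known state: the flag is static and may have been left set by an earlier run.
        C1TestWebURLAccessRule.enteredIpPinning = false;

        // ConnectException assumes nothing is listening on localhost's default http port.
        org.junit.jupiter.api.Assertions.assertThrows(ConnectException.class, () -> {
            rule.validate(httpUrl, this.securityAuthorizationHandler, fullSecurityContext());
        });
        org.junit.jupiter.api.Assertions.assertTrue(C1TestWebURLAccessRule.enteredIpPinning);

        C1TestWebURLAccessRule.enteredIpPinning = false;
        // For ftp no exception is expected here; presumably no connection is opened during validation.
        rule.validate(ftpUrl, this.securityAuthorizationHandler, fullSecurityContext());
        org.junit.jupiter.api.Assertions.assertTrue(C1TestWebURLAccessRule.enteredIpPinning);

        C1TestWebURLAccessRule.enteredIpPinning = false;
        org.junit.jupiter.api.Assertions.assertThrows(ConnectException.class, () -> {
            rule.validate(httpsUrl, this.securityAuthorizationHandler, fullSecurityContext());
        });
        org.junit.jupiter.api.Assertions.assertFalse(C1TestWebURLAccessRule.enteredIpPinning);
    }

    /** Host substitution keeps scheme, user-info, path and query, and replaces only the host. */
    @Test
    void shouldSubstituteIpCorrectly() throws Exception {
        WebURLAccessRule rule = new WebURLAccessRule(Config.defaults());

        org.junit.jupiter.api.Assertions.assertEquals(
                "http://127.0.0.1/test.csv",
                rule.substituteHostByIP(new URL("http://localhost/test.csv"), "127.0.0.1").toString());
        org.junit.jupiter.api.Assertions.assertEquals(
                "http://user:password@127.0.0.1/test.csv",
                rule.substituteHostByIP(new URL("http://user:password@localhost/test.csv"), "127.0.0.1")
                        .toString());
        org.junit.jupiter.api.Assertions.assertEquals(
                "https://user:password@127.0.0.1/test.csv?a=b&c=d",
                rule.substituteHostByIP(new URL("https://user:password@localhost/test.csv?a=b&c=d"), "127.0.0.1")
                        .toString());
        org.junit.jupiter.api.Assertions.assertEquals(
                "ftp://user:password@127.0.0.1/test.csv",
                rule.substituteHostByIP(new URL("ftp://user:password@localhost/test.csv"), "127.0.0.1")
                        .toString());
    }

    /** Builds the anonymous, full-access, embedded-connection context used by every test. */
    private SecurityContext fullSecurityContext() {
        return new SecurityContext(
                AuthSubject.ANONYMOUS, AccessMode.Static.FULL, ClientConnectionInfo.EMBEDDED_CONNECTION, "neo4j");
    }
}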
