package org.neo4j.server.rest.security;

import java.net.URI;
import javax.ws.rs.core.MediaType;
import org.hamcrest.Matchers;
import org.junit.After;
import org.junit.Assert;
import org.junit.Rule;
import org.junit.Test;
import org.neo4j.kernel.impl.annotations.Documented;
import org.neo4j.server.CommunityNeoServer;
import org.neo4j.server.helpers.CommunityServerBuilder;
import org.neo4j.server.helpers.FunctionalTestHelper;
import org.neo4j.server.rest.RESTDocsGenerator;
import org.neo4j.test.TestData;
import org.neo4j.test.server.ExclusiveServerTestBase;

/* loaded from: input_file:org/neo4j/server/rest/security/SecurityRulesDocIT.class */
/**
 * Integration tests for the server's pluggable HTTP security rules. Three of the cases also
 * feed the generated REST documentation through {@link RESTDocsGenerator}.
 *
 * <p>Each test boots its own {@link CommunityNeoServer} with one or more rule classes
 * registered, issues a single request and checks the HTTP status:
 * <ul>
 *   <li>a failing rule is expected to produce {@code 401} plus a {@code WWW-Authenticate}
 *       challenge;</li>
 *   <li>one failing rule is expected to be enough for {@code 401} even when a passing rule is
 *       registered next to it;</li>
 *   <li>a forbidding rule is expected to produce {@code 403};</li>
 *   <li>only passing rules let node creation through with {@code 201}.</li>
 * </ul>
 *
 * <p>NOTE(review): the wildcard cases only request URIs that fall under the protected path.
 * Nothing here asserts that URIs outside the pattern stay reachable, or that near-miss paths
 * are still covered, so rule authors should test their own patterns in both directions.
 *
 * <p>NOTE(review): the challenge asserted here is HTTP Basic. Basic credentials are only
 * encoded, not encrypted, so a real rule issuing this challenge presumably relies on the
 * endpoint being served over TLS; confirm against the deployment.
 */
public class SecurityRulesDocIT extends ExclusiveServerTestBase {
    /** Response header carrying the authentication challenge. */
    private static final String CHALLENGE_HEADER = "WWW-Authenticate";

    /** Challenge fragment the failing rules are expected to emit. */
    private static final String EXPECTED_CHALLENGE = "Basic realm=\"WallyWorld\"";

    private CommunityNeoServer server;
    private FunctionalTestHelper functionalTestHelper;

    @Rule
    public TestData<RESTDocsGenerator> gen = TestData.producedThrough(RESTDocsGenerator.PRODUCER);

    /** Stops the server a test started, if it got as far as creating one. */
    @After
    public void stopServer() {
        if (this.server == null) {
            return;
        }
        this.server.stop();
    }

    /**
     * Registers {@link PermanentlyFailingSecurityRule} alone and expects a POST to the node URI
     * to be answered with {@code 401} and a Basic challenge. Also records the config and rule
     * source snippets for the "ops" documentation section.
     */
    @Test
    @TestData.Title("Enforcing Server Authorization Rules")
    @Documented("In this example, a (dummy) failing security rule is registered to deny\n"
            + "access to all URIs to the server by listing the rules class in\n"
            + "'neo4j.conf':\n"
            + "\n"
            + "@@config\n"
            + "\n"
            + "with the rule source code of:\n"
            + "\n"
            + "@@failingRule\n"
            + "\n"
            + "With this rule registered, any access to the server will be\n"
            + "denied. In a production-quality implementation the rule\n"
            + "will likely lookup credentials/claims in a 3rd-party\n"
            + "directory service (e.g. LDAP) or in a local database of\n"
            + "authorized users.")
    public void should401WithBasicChallengeWhenASecurityRuleFails() throws Exception {
        this.server = CommunityServerBuilder.server()
                .withDefaultDatabaseTuning()
                .withSecurityRules(PermanentlyFailingSecurityRule.class.getCanonicalName())
                .usingDataDir(dataDirForCurrentTest())
                .build();
        this.server.start();

        docs().addSnippet("config", "\n[source,properties]\n----\n"
                + "dbms.security.http_authorization_classes=my.rules.PermanentlyFailingSecurityRule\n"
                + "----\n");
        docs().addTestSourceSnippets(PermanentlyFailingSecurityRule.class, new String[]{"failingRule"});
        this.functionalTestHelper = new FunctionalTestHelper(this.server);
        docs().setSection("ops");

        String challenge = docs()
                .expectedStatus(401)
                .expectedHeader(CHALLENGE_HEADER)
                .post(this.functionalTestHelper.nodeUri())
                .response()
                .getHeaders()
                .getFirst(CHALLENGE_HEADER);
        Assert.assertThat(challenge, Matchers.containsString(EXPECTED_CHALLENGE));
    }

    /**
     * Registers a failing rule together with a passing one and expects the request to be
     * rejected with {@code 401} all the same: a passing rule must not override a failing one.
     */
    @Test
    public void should401WithBasicChallengeIfAnyOneOfTheRulesFails() throws Exception {
        this.server = CommunityServerBuilder.server()
                .withDefaultDatabaseTuning()
                .withSecurityRules(
                        PermanentlyFailingSecurityRule.class.getCanonicalName(),
                        PermanentlyPassingSecurityRule.class.getCanonicalName())
                .usingDataDir(dataDirForCurrentTest())
                .build();
        this.server.start();
        this.functionalTestHelper = new FunctionalTestHelper(this.server);

        String challenge = docs()
                .expectedStatus(401)
                .expectedHeader(CHALLENGE_HEADER)
                .post(this.functionalTestHelper.nodeUri())
                .response()
                .getHeaders()
                .getFirst(CHALLENGE_HEADER);
        Assert.assertThat(challenge, Matchers.containsString(EXPECTED_CHALLENGE));
    }

    /**
     * Registers {@link NoAccessToDatabaseSecurityRule}, expects a GET on the data URI to yield
     * {@code 401}, and then checks that the rule reports having been invoked.
     *
     * <p>NOTE(review): {@code wasInvoked()} is called statically, so the flag presumably
     * outlives a single test; confirm it cannot be left set by an earlier run.
     */
    @Test
    public void shouldInvokeAllSecurityRules() throws Exception {
        this.server = CommunityServerBuilder.server()
                .withDefaultDatabaseTuning()
                .withSecurityRules(NoAccessToDatabaseSecurityRule.class.getCanonicalName())
                .usingDataDir(dataDirForCurrentTest())
                .build();
        this.server.start();
        this.functionalTestHelper = new FunctionalTestHelper(this.server);

        docs().expectedStatus(401).get(this.functionalTestHelper.dataUri()).response();

        Assert.assertTrue(NoAccessToDatabaseSecurityRule.wasInvoked());
    }

    /**
     * Registers only {@link PermanentlyPassingSecurityRule} and expects node creation to
     * succeed with {@code 201} and a {@code Location} header. The status and header checks are
     * delegated to the expectations set on the docs generator; there is no separate assert.
     */
    @Test
    public void shouldRespondWith201IfAllTheRulesPassWhenCreatingANode() throws Exception {
        this.server = CommunityServerBuilder.server()
                .withDefaultDatabaseTuning()
                .withSecurityRules(PermanentlyPassingSecurityRule.class.getCanonicalName())
                .usingDataDir(dataDirForCurrentTest())
                .build();
        this.server.start();
        this.functionalTestHelper = new FunctionalTestHelper(this.server);

        docs().expectedStatus(201)
                .expectedHeader("Location")
                .post(this.functionalTestHelper.nodeUri())
                .response();
    }

    /**
     * Mounts a third-party JAX-RS package under a protected path, registers a failing rule
     * bound by wildcard, and expects a GET below that mount point to be answered with
     * {@code 401}, a JSON body type and a {@code WWW-Authenticate} header.
     */
    @Test
    @TestData.Title("Using Wildcards to Target Security Rules")
    @Documented("In this example, a security rule is registered to deny\n"
            + "access to all URIs to the server by listing the rule(s) class(es) in\n"
            + "'neo4j.conf'.\n"
            + "In this case, the rule is registered\n"
            + "using a wildcard URI path (where `*` characters can be used to signify\n"
            + "any part of the path). For example `/users*` means the rule\n"
            + "will be bound to any resources under the `/users` root path. Similarly\n"
            + "`/users*type*` will bind the rule to resources matching\n"
            + "URIs like `/users/fred/type/premium`.\n"
            + "\n"
            + "@@config\n"
            + "\n"
            + "with the rule source code of:\n"
            + "\n"
            + "@@failingRuleWithWildcardPath\n"
            + "\n"
            + "With this rule registered, any access to URIs under /protected/ will be\n"
            + "denied by the server. Using wildcards allows flexible targeting of security rules to\n"
            + "arbitrary parts of the server's API, including any unmanaged extensions or managed\n"
            + "plugins that have been registered.")
    public void aSimpleWildcardUriPathShould401OnAccessToProtectedSubPath() throws Exception {
        this.server = CommunityServerBuilder.server()
                .withDefaultDatabaseTuning()
                .withThirdPartyJaxRsPackage("org.dummy.web.service", "/protected/tree/starts/here/dummy")
                .withSecurityRules(PermanentlyFailingSecurityRuleWithWildcardPath.class.getCanonicalName())
                .usingDataDir(dataDirForCurrentTest())
                .build();
        this.server.start();

        docs().addSnippet("config", "\n[source,properties]\n----\n"
                + "dbms.security.http_authorization_classes=my.rules.PermanentlyFailingSecurityRuleWithWildcardPath\n"
                + "----\n");
        docs().addTestSourceSnippets(
                PermanentlyFailingSecurityRuleWithWildcardPath.class,
                new String[]{"failingRuleWithWildcardPath"});
        docs().setSection("ops");
        this.functionalTestHelper = new FunctionalTestHelper(this.server);

        int status = docs()
                .expectedStatus(401)
                .expectedType(MediaType.APPLICATION_JSON_TYPE)
                .expectedHeader(CHALLENGE_HEADER)
                .get(trimTrailingSlash(this.functionalTestHelper.baseUri())
                        + "/protected/tree/starts/here/dummy/more/stuff")
                .response()
                .getStatus();
        Assert.assertEquals(401, status);
    }

    /**
     * Same shape as the simple wildcard case, but with a rule whose path pattern has several
     * wildcard segments; a GET below the matching mount point must be answered with
     * {@code 401}.
     */
    @Test
    @TestData.Title("Using Complex Wildcards to Target Security Rules")
    @Documented("In this example, a security rule is registered to deny\n"
            + "access to all URIs matching a complex pattern.\n"
            + "The config looks like this:\n"
            + "\n"
            + "@@config\n"
            + "\n"
            + "with the rule source code of:\n"
            + "\n"
            + "@@failingRuleWithComplexWildcardPath")
    public void aComplexWildcardUriPathShould401OnAccessToProtectedSubPath() throws Exception {
        this.server = CommunityServerBuilder.server()
                .withDefaultDatabaseTuning()
                .withThirdPartyJaxRsPackage(
                        "org.dummy.web.service",
                        "/protected/wildcard_replacement/x/y/z/something/else/more_wildcard_replacement/a/b/c/final/bit")
                .withSecurityRules(PermanentlyFailingSecurityRuleWithComplexWildcardPath.class.getCanonicalName())
                .usingDataDir(dataDirForCurrentTest())
                .build();
        this.server.start();

        docs().addSnippet("config", "\n[source,properties]\n----\n"
                + "dbms.security.http_authorization_classes=my.rules.PermanentlyFailingSecurityRuleWithComplexWildcardPath\n"
                + "----\n");
        docs().addTestSourceSnippets(
                PermanentlyFailingSecurityRuleWithComplexWildcardPath.class,
                new String[]{"failingRuleWithComplexWildcardPath"});
        docs().setSection("ops");
        this.functionalTestHelper = new FunctionalTestHelper(this.server);

        int status = docs()
                .expectedStatus(401)
                .expectedType(MediaType.APPLICATION_JSON_TYPE)
                .expectedHeader(CHALLENGE_HEADER)
                .get(trimTrailingSlash(this.functionalTestHelper.baseUri())
                        + "/protected/wildcard_replacement/x/y/z/something/else/more_wildcard_replacement/a/b/c/final/bit/more/stuff")
                .response()
                .getStatus();
        Assert.assertEquals(401, status);
    }

    /**
     * Registers a forbidding rule next to a passing one and expects a GET on the base URI to be
     * answered with {@code 403} and a JSON body type. Unlike the 401 cases, no challenge header
     * is expected here.
     */
    @Test
    public void should403WhenAuthenticatedButForbidden() throws Exception {
        this.server = CommunityServerBuilder.server()
                .withDefaultDatabaseTuning()
                .withSecurityRules(
                        PermanentlyForbiddenSecurityRule.class.getCanonicalName(),
                        PermanentlyPassingSecurityRule.class.getCanonicalName())
                .usingDataDir(dataDirForCurrentTest())
                .build();
        this.server.start();
        this.functionalTestHelper = new FunctionalTestHelper(this.server);

        int status = docs()
                .expectedStatus(403)
                .expectedType(MediaType.APPLICATION_JSON_TYPE)
                .get(trimTrailingSlash(this.functionalTestHelper.baseUri()))
                .response()
                .getStatus();
        Assert.assertEquals(403, status);
    }

    /** Returns the docs generator supplied by the {@link #gen} rule for the running test. */
    private RESTDocsGenerator docs() {
        return this.gen.get();
    }

    /** Returns the absolute path of a data directory named after the running test method. */
    private String dataDirForCurrentTest() {
        return this.folder.directory(this.name.getMethodName()).getAbsolutePath();
    }

    /**
     * Renders the URI as a string without a trailing {@code /}, so that a path starting with
     * {@code /} can be appended without producing a double slash.
     */
    private String trimTrailingSlash(URI uri) {
        String text = uri.toString();
        if (text.endsWith("/")) {
            return text.substring(0, text.length() - 1);
        }
        return text;
    }
}
