package org.neo4j.server.rest.security;

import com.sun.jersey.core.util.Base64;
import java.io.IOException;
import org.codehaus.jackson.JsonNode;
import org.hamcrest.CoreMatchers;
import org.junit.After;
import org.junit.Assert;
import org.junit.Ignore;
import org.junit.Rule;
import org.junit.Test;
import org.neo4j.graphdb.factory.GraphDatabaseSettings;
import org.neo4j.kernel.impl.annotations.Documented;
import org.neo4j.server.CommunityNeoServer;
import org.neo4j.server.helpers.CommunityServerBuilder;
import org.neo4j.server.rest.RESTRequestGenerator;
import org.neo4j.server.rest.domain.JsonHelper;
import org.neo4j.server.rest.domain.JsonParseException;
import org.neo4j.string.UTF8;
import org.neo4j.test.TestData;
import org.neo4j.test.server.ExclusiveServerTestBase;
import org.neo4j.test.server.HTTP;

/* loaded from: input_file:org/neo4j/server/rest/security/AuthenticationIT.class */
public class AuthenticationIT extends ExclusiveServerTestBase {

    @Rule
    public TestData<RESTRequestGenerator> gen = TestData.producedThrough(RESTRequestGenerator.PRODUCER);
    private CommunityNeoServer server;

    @Test
    @Documented("Missing authorization\n\nIf an +Authorization+ header is not supplied, the server will reply with an error.")
    public void missing_authorization() throws JsonParseException, IOException {
        startServerWithConfiguredUser();
        JsonNode jsonNode = JsonHelper.jsonNode(((RESTRequestGenerator) this.gen.get()).expectedStatus(401).expectedHeader("WWW-Authenticate", "Basic realm=\"Neo4j\"").get(dataURL()).entity()).get("errors").get(0);
        Assert.assertThat(jsonNode.get("code").asText(), CoreMatchers.equalTo("Neo.ClientError.Security.Unauthorized"));
        Assert.assertThat(jsonNode.get("message").asText(), CoreMatchers.equalTo("No authentication header supplied."));
    }

    @Test
    @Documented("Authenticate to access the server\n\nAuthenticate by sending a username and a password to Neo4j using HTTP Basic Auth.\nRequests should include an +Authorization+ header, with a value of +Basic <payload>+,\nwhere \"payload\" is a base64 encoded string of \"username:password\".")
    public void successful_authentication() throws JsonParseException, IOException {
        startServerWithConfiguredUser();
        JsonNode jsonNode = JsonHelper.jsonNode(((RESTRequestGenerator) this.gen.get()).expectedStatus(200).withHeader("Authorization", challengeResponse("neo4j", "secret")).get(userURL("neo4j")).entity());
        Assert.assertThat(jsonNode.get("username").asText(), CoreMatchers.equalTo("neo4j"));
        Assert.assertThat(Boolean.valueOf(jsonNode.get("password_change_required").asBoolean()), CoreMatchers.equalTo(false));
        Assert.assertThat(jsonNode.get("password_change").asText(), CoreMatchers.equalTo(passwordURL("neo4j")));
    }

    @Test
    @Documented("Incorrect authentication\n\nIf an incorrect username or password is provided, the server replies with an error.")
    public void incorrect_authentication() throws JsonParseException, IOException {
        startServerWithConfiguredUser();
        JsonNode jsonNode = JsonHelper.jsonNode(((RESTRequestGenerator) this.gen.get()).expectedStatus(401).withHeader("Authorization", challengeResponse("neo4j", "incorrect")).expectedHeader("WWW-Authenticate", "Basic realm=\"Neo4j\"").post(dataURL()).entity()).get("errors").get(0);
        Assert.assertThat(jsonNode.get("code").asText(), CoreMatchers.equalTo("Neo.ClientError.Security.Unauthorized"));
        Assert.assertThat(jsonNode.get("message").asText(), CoreMatchers.equalTo("Invalid username or password."));
    }

    @Test
    @Documented("Required password changes\n\nIn some cases, like the very first time Neo4j is accessed, the user will be required to choose\na new password. The database will signal that a new password is required and deny access.\n\nSee <<rest-api-security-user-status-and-password-changing>> for how to set a new password.")
    public void password_change_required() throws JsonParseException, IOException {
        startServer(true);
        JsonNode jsonNode = JsonHelper.jsonNode(((RESTRequestGenerator) this.gen.get()).expectedStatus(403).withHeader("Authorization", challengeResponse("neo4j", "neo4j")).get(dataURL()).entity());
        JsonNode jsonNode2 = jsonNode.get("errors").get(0);
        Assert.assertThat(jsonNode2.get("code").asText(), CoreMatchers.equalTo("Neo.ClientError.Security.Forbidden"));
        Assert.assertThat(jsonNode2.get("message").asText(), CoreMatchers.equalTo("User is required to change their password."));
        Assert.assertThat(jsonNode.get("password_change").asText(), CoreMatchers.equalTo(passwordURL("neo4j")));
    }

    @Test
    @Documented("When auth is disabled\n\nWhen auth has been disabled in the configuration, requests can be sent without an +Authorization+ header.")
    public void auth_disabled() throws IOException {
        startServer(false);
        ((RESTRequestGenerator) this.gen.get()).expectedStatus(200).get(dataURL());
    }

    @Test
    public void shouldSayMalformedHeaderIfMalformedAuthorization() throws Exception {
        startServerWithConfiguredUser();
        HTTP.Response GET = HTTP.withHeaders("Authorization", "This makes no sense").GET(dataURL());
        Assert.assertThat(Integer.valueOf(GET.status()), CoreMatchers.equalTo(400));
        Assert.assertThat(GET.get("errors").get(0).get("code").asText(), CoreMatchers.equalTo("Neo.ClientError.Request.InvalidFormat"));
        Assert.assertThat(GET.get("errors").get(0).get("message").asText(), CoreMatchers.equalTo("Invalid authentication header."));
    }

    @Test
    public void shouldNotAllowDataAccess() throws Exception {
        startServerWithConfiguredUser();
        assertAuthorizationRequired("POST", "db/data/node", HTTP.RawPayload.quotedJson("{'name':'jake'}"), 201);
        assertAuthorizationRequired("GET", "db/data/node/1234", 404);
        assertAuthorizationRequired("POST", "db/data/transaction/commit", HTTP.RawPayload.quotedJson("{'statements':[{'statement':'MATCH (n) RETURN n'}]}"), 200);
        Assert.assertEquals(200L, HTTP.GET(this.server.baseUri().resolve("").toString()).status());
    }

    @Test
    public void shouldAllowAllAccessIfAuthenticationIsDisabled() throws Exception {
        startServer(false);
        Assert.assertEquals(201L, HTTP.POST(this.server.baseUri().resolve("db/data/node").toString(), HTTP.RawPayload.quotedJson("{'name':'jake'}")).status());
        Assert.assertEquals(404L, HTTP.GET(this.server.baseUri().resolve("db/data/node/1234").toString()).status());
        Assert.assertEquals(200L, HTTP.POST(this.server.baseUri().resolve("db/data/transaction/commit").toString(), HTTP.RawPayload.quotedJson("{'statements':[{'statement':'MATCH (n) RETURN n'}]}")).status());
    }

    @Test
    public void shouldReplyNicelyToTooManyFailedAuthAttempts() throws Exception {
        startServerWithConfiguredUser();
        long currentTimeMillis = System.currentTimeMillis() + 30000;
        HTTP.Response response = null;
        while (System.currentTimeMillis() < currentTimeMillis) {
            response = HTTP.withHeaders("Authorization", challengeResponse("neo4j", "incorrect")).POST(this.server.baseUri().resolve("authentication").toString(), HTTP.RawPayload.quotedJson("{'username':'neo4j', 'password':'something that is wrong'}"));
            if (response.status() == 429) {
                break;
            }
        }
        Assert.assertThat(Integer.valueOf(response.status()), CoreMatchers.equalTo(429));
        JsonNode jsonNode = response.get("errors").get(0);
        Assert.assertThat(jsonNode.get("code").asText(), CoreMatchers.equalTo("Neo.ClientError.Security.AuthenticationRateLimit"));
        Assert.assertThat(jsonNode.get("message").asText(), CoreMatchers.equalTo("Too many failed authentication requests. Please wait 5 seconds and try again."));
    }

    @Test
    @Ignore
    public void shouldNotAllowDataAccessForUnauthorizedUser() throws Exception {
        startServerWithConfiguredUser();
        HTTP.withHeaders("Authorization", challengeResponse("neo4j", "secret")).POST(this.server.baseUri().resolve("authentication").toString(), HTTP.RawPayload.quotedJson("{'username':'neo4j', 'password':'secret'}"));
        Assert.assertEquals(403L, HTTP.withHeaders("Authorization", challengeResponse("neo4j", "secret")).POST(this.server.baseUri().resolve("db/data/node").toString(), HTTP.RawPayload.quotedJson("{'name':'jake'}")).status());
        Assert.assertEquals(403L, HTTP.withHeaders("Authorization", challengeResponse("neo4j", "secret")).GET(this.server.baseUri().resolve("db/data/node/1234").toString()).status());
        Assert.assertEquals(403L, HTTP.withHeaders("Authorization", challengeResponse("neo4j", "secret")).POST(this.server.baseUri().resolve("db/data/transaction/commit").toString(), HTTP.RawPayload.quotedJson("{'statements':[{'statement':'MATCH (n) RETURN n'}]}")).status());
    }

    private void assertAuthorizationRequired(String str, String str2, int i) throws JsonParseException {
        assertAuthorizationRequired(str, str2, null, i);
    }

    private void assertAuthorizationRequired(String str, String str2, Object obj, int i) throws JsonParseException {
        HTTP.Response request = HTTP.request(str, this.server.baseUri().resolve(str2).toString(), obj);
        Assert.assertThat(Integer.valueOf(request.status()), CoreMatchers.equalTo(401));
        Assert.assertThat(request.get("errors").get(0).get("code").asText(), CoreMatchers.equalTo("Neo.ClientError.Security.Unauthorized"));
        Assert.assertThat(request.get("errors").get(0).get("message").asText(), CoreMatchers.equalTo("No authentication header supplied."));
        Assert.assertThat(request.header("WWW-Authenticate"), CoreMatchers.equalTo("Basic realm=\"Neo4j\""));
        HTTP.Response request2 = HTTP.withHeaders("Authorization", "This makes no sense").request(str, this.server.baseUri().resolve(str2).toString(), obj);
        Assert.assertThat(Integer.valueOf(request2.status()), CoreMatchers.equalTo(400));
        Assert.assertThat(request2.get("errors").get(0).get("code").asText(), CoreMatchers.equalTo("Neo.ClientError.Request.InvalidFormat"));
        Assert.assertThat(request2.get("errors").get(0).get("message").asText(), CoreMatchers.equalTo("Invalid authentication header."));
        HTTP.Response request3 = HTTP.withHeaders("Authorization", challengeResponse("neo4j", "incorrect")).request(str, this.server.baseUri().resolve(str2).toString(), obj);
        Assert.assertThat(Integer.valueOf(request3.status()), CoreMatchers.equalTo(401));
        Assert.assertThat(request3.get("errors").get(0).get("code").asText(), CoreMatchers.equalTo("Neo.ClientError.Security.Unauthorized"));
        Assert.assertThat(request3.get("errors").get(0).get("message").asText(), CoreMatchers.equalTo("Invalid username or password."));
        Assert.assertThat(request3.header("WWW-Authenticate"), CoreMatchers.equalTo("Basic realm=\"Neo4j\""));
        Assert.assertThat(Integer.valueOf(HTTP.withHeaders("Authorization", challengeResponse("neo4j", "secret")).request(str, this.server.baseUri().resolve(str2).toString(), obj).status()), CoreMatchers.equalTo(Integer.valueOf(i)));
    }

    @After
    public void cleanup() {
        if (this.server != null) {
            this.server.stop();
        }
    }

    public void startServerWithConfiguredUser() throws IOException {
        startServer(true);
        Assert.assertEquals(200L, HTTP.withHeaders("Authorization", challengeResponse("neo4j", "neo4j")).POST(this.server.baseUri().resolve("/user/neo4j/password").toString(), HTTP.RawPayload.quotedJson("{'password':'secret'}")).status());
    }

    public void startServer(boolean z) throws IOException {
        this.server = CommunityServerBuilder.server().withProperty(GraphDatabaseSettings.auth_enabled.name(), Boolean.toString(z)).build();
        this.server.start();
    }

    private String challengeResponse(String str, String str2) {
        return "Basic " + base64(str + ":" + str2);
    }

    private String dataURL() {
        return this.server.baseUri().resolve("db/data/").toString();
    }

    private String userURL(String str) {
        return this.server.baseUri().resolve("user/" + str).toString();
    }

    private String passwordURL(String str) {
        return this.server.baseUri().resolve("user/" + str + "/password").toString();
    }

    private String base64(String str) {
        return UTF8.decode(Base64.encode(str));
    }
}
