package org.neo4j.server.rest.dbms;

import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;
import javax.servlet.FilterChain;
import javax.servlet.ServletOutputStream;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.WriteListener;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.codec.binary.Base64;
import org.hamcrest.Matchers;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.mockito.ArgumentMatchers;
import org.mockito.Mockito;
import org.neo4j.internal.kernel.api.security.AuthSubject;
import org.neo4j.internal.kernel.api.security.AuthenticationResult;
import org.neo4j.internal.kernel.api.security.LoginContext;
import org.neo4j.logging.AssertableLogProvider;
import org.neo4j.server.security.auth.BasicAuthManager;
import org.neo4j.server.security.auth.BasicLoginContext;
import org.neo4j.server.security.auth.SecurityTestUtils;

/* loaded from: input_file:org/neo4j/server/rest/dbms/AuthorizationFilterTest.class */
public class AuthorizationFilterTest {
    private final BasicAuthManager authManager = (BasicAuthManager) Mockito.mock(BasicAuthManager.class);
    private final AssertableLogProvider logProvider = new AssertableLogProvider();
    private final ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
    private final HttpServletRequest servletRequest = (HttpServletRequest) Mockito.mock(HttpServletRequest.class);
    private final HttpServletResponse servletResponse = (HttpServletResponse) Mockito.mock(HttpServletResponse.class);
    private final FilterChain filterChain = (FilterChain) Mockito.mock(FilterChain.class);

    @Before
    public void setUp() throws Exception {
        Mockito.when(this.servletResponse.getOutputStream()).thenReturn(new ServletOutputStream() { // from class: org.neo4j.server.rest.dbms.AuthorizationFilterTest.1
            public void write(int i) {
                AuthorizationFilterTest.this.outputStream.write(i);
            }

            public boolean isReady() {
                return true;
            }

            public void setWriteListener(WriteListener writeListener) {
                throw new UnsupportedOperationException();
            }
        });
    }

    @Test
    public void shouldAllowOptionsRequests() throws Exception {
        AuthorizationEnabledFilter authorizationEnabledFilter = new AuthorizationEnabledFilter(() -> {
            return this.authManager;
        }, this.logProvider, new Pattern[0]);
        Mockito.when(this.servletRequest.getMethod()).thenReturn("OPTIONS");
        authorizationEnabledFilter.doFilter(this.servletRequest, this.servletResponse, this.filterChain);
        ((FilterChain) Mockito.verify(this.filterChain)).doFilter((ServletRequest) ArgumentMatchers.same(this.servletRequest), (ServletResponse) ArgumentMatchers.same(this.servletResponse));
    }

    @Test
    public void shouldWhitelistMatchingUris() throws Exception {
        AuthorizationEnabledFilter authorizationEnabledFilter = new AuthorizationEnabledFilter(() -> {
            return this.authManager;
        }, this.logProvider, new Pattern[]{Pattern.compile("/"), Pattern.compile("/browser.*")});
        Mockito.when(this.servletRequest.getMethod()).thenReturn("GET");
        Mockito.when(this.servletRequest.getContextPath()).thenReturn("/", new String[]{"/browser/index.html"});
        authorizationEnabledFilter.doFilter(this.servletRequest, this.servletResponse, this.filterChain);
        authorizationEnabledFilter.doFilter(this.servletRequest, this.servletResponse, this.filterChain);
        ((FilterChain) Mockito.verify(this.filterChain, Mockito.times(2))).doFilter((ServletRequest) ArgumentMatchers.same(this.servletRequest), (ServletResponse) ArgumentMatchers.same(this.servletResponse));
    }

    @Test
    public void shouldRequireAuthorizationForNonWhitelistedUris() throws Exception {
        AuthorizationEnabledFilter authorizationEnabledFilter = new AuthorizationEnabledFilter(() -> {
            return this.authManager;
        }, this.logProvider, new Pattern[]{Pattern.compile("/"), Pattern.compile("/browser.*")});
        Mockito.when(this.servletRequest.getMethod()).thenReturn("GET");
        Mockito.when(this.servletRequest.getContextPath()).thenReturn("/db/data");
        authorizationEnabledFilter.doFilter(this.servletRequest, this.servletResponse, this.filterChain);
        Mockito.verifyNoMoreInteractions(new Object[]{this.filterChain});
        ((HttpServletResponse) Mockito.verify(this.servletResponse)).setStatus(401);
        ((HttpServletResponse) Mockito.verify(this.servletResponse)).addHeader("WWW-Authenticate", "Basic realm=\"Neo4j\"");
        ((HttpServletResponse) Mockito.verify(this.servletResponse)).addHeader("Content-Type", "application/json; charset=UTF-8");
        Assert.assertThat(this.outputStream.toString(StandardCharsets.UTF_8.name()), Matchers.containsString("\"code\" : \"Neo.ClientError.Security.Unauthorized\""));
        Assert.assertThat(this.outputStream.toString(StandardCharsets.UTF_8.name()), Matchers.containsString("\"message\" : \"No authentication header supplied.\""));
    }

    @Test
    public void shouldRequireValidAuthorizationHeader() throws Exception {
        AuthorizationEnabledFilter authorizationEnabledFilter = new AuthorizationEnabledFilter(() -> {
            return this.authManager;
        }, this.logProvider, new Pattern[0]);
        Mockito.when(this.servletRequest.getMethod()).thenReturn("GET");
        Mockito.when(this.servletRequest.getContextPath()).thenReturn("/db/data");
        Mockito.when(this.servletRequest.getHeader("Authorization")).thenReturn("NOT A VALID VALUE");
        authorizationEnabledFilter.doFilter(this.servletRequest, this.servletResponse, this.filterChain);
        Mockito.verifyNoMoreInteractions(new Object[]{this.filterChain});
        ((HttpServletResponse) Mockito.verify(this.servletResponse)).setStatus(400);
        ((HttpServletResponse) Mockito.verify(this.servletResponse)).addHeader("Content-Type", "application/json; charset=UTF-8");
        Assert.assertThat(this.outputStream.toString(StandardCharsets.UTF_8.name()), Matchers.containsString("\"code\" : \"Neo.ClientError.Request.InvalidFormat\""));
        Assert.assertThat(this.outputStream.toString(StandardCharsets.UTF_8.name()), Matchers.containsString("\"message\" : \"Invalid authentication header.\""));
    }

    @Test
    public void shouldNotAuthorizeInvalidCredentials() throws Exception {
        AuthorizationEnabledFilter authorizationEnabledFilter = new AuthorizationEnabledFilter(() -> {
            return this.authManager;
        }, this.logProvider, new Pattern[0]);
        String encodeBase64String = Base64.encodeBase64String("foo:bar".getBytes(StandardCharsets.UTF_8));
        BasicLoginContext basicLoginContext = (BasicLoginContext) Mockito.mock(BasicLoginContext.class);
        AuthSubject authSubject = (AuthSubject) Mockito.mock(AuthSubject.class);
        Mockito.when(this.servletRequest.getMethod()).thenReturn("GET");
        Mockito.when(this.servletRequest.getContextPath()).thenReturn("/db/data");
        Mockito.when(this.servletRequest.getHeader("Authorization")).thenReturn("BASIC " + encodeBase64String);
        Mockito.when(this.servletRequest.getRemoteAddr()).thenReturn("remote_ip_address");
        Mockito.when(this.authManager.login(SecurityTestUtils.authToken("foo", "bar"))).thenReturn(basicLoginContext);
        Mockito.when(basicLoginContext.subject()).thenReturn(authSubject);
        Mockito.when(authSubject.getAuthenticationResult()).thenReturn(AuthenticationResult.FAILURE);
        authorizationEnabledFilter.doFilter(this.servletRequest, this.servletResponse, this.filterChain);
        Mockito.verifyNoMoreInteractions(new Object[]{this.filterChain});
        this.logProvider.assertExactly(new AssertableLogProvider.LogMatcher[]{AssertableLogProvider.inLog(AuthorizationEnabledFilter.class).warn("Failed authentication attempt for '%s' from %s", new Object[]{"foo", "remote_ip_address"})});
        ((HttpServletResponse) Mockito.verify(this.servletResponse)).setStatus(401);
        ((HttpServletResponse) Mockito.verify(this.servletResponse)).addHeader("Content-Type", "application/json; charset=UTF-8");
        Assert.assertThat(this.outputStream.toString(StandardCharsets.UTF_8.name()), Matchers.containsString("\"code\" : \"Neo.ClientError.Security.Unauthorized\""));
        Assert.assertThat(this.outputStream.toString(StandardCharsets.UTF_8.name()), Matchers.containsString("\"message\" : \"Invalid username or password.\""));
    }

    @Test
    public void shouldAuthorizeWhenPasswordChangeRequiredForWhitelistedPath() throws Exception {
        AuthorizationEnabledFilter authorizationEnabledFilter = new AuthorizationEnabledFilter(() -> {
            return this.authManager;
        }, this.logProvider, new Pattern[0]);
        String encodeBase64String = Base64.encodeBase64String("foo:bar".getBytes(StandardCharsets.UTF_8));
        BasicLoginContext basicLoginContext = (BasicLoginContext) Mockito.mock(BasicLoginContext.class);
        AuthSubject authSubject = (AuthSubject) Mockito.mock(AuthSubject.class);
        Mockito.when(this.servletRequest.getMethod()).thenReturn("GET");
        Mockito.when(this.servletRequest.getContextPath()).thenReturn("/user/foo");
        Mockito.when(this.servletRequest.getHeader("Authorization")).thenReturn("BASIC " + encodeBase64String);
        Mockito.when(this.authManager.login(SecurityTestUtils.authToken("foo", "bar"))).thenReturn(basicLoginContext);
        Mockito.when(basicLoginContext.subject()).thenReturn(authSubject);
        Mockito.when(authSubject.getAuthenticationResult()).thenReturn(AuthenticationResult.PASSWORD_CHANGE_REQUIRED);
        authorizationEnabledFilter.doFilter(this.servletRequest, this.servletResponse, this.filterChain);
        ((FilterChain) Mockito.verify(this.filterChain)).doFilter((ServletRequest) ArgumentMatchers.eq(new AuthorizedRequestWrapper("BASIC", "foo", this.servletRequest, LoginContext.AUTH_DISABLED)), (ServletResponse) ArgumentMatchers.same(this.servletResponse));
    }

    @Test
    public void shouldNotAuthorizeWhenPasswordChangeRequired() throws Exception {
        AuthorizationEnabledFilter authorizationEnabledFilter = new AuthorizationEnabledFilter(() -> {
            return this.authManager;
        }, this.logProvider, new Pattern[0]);
        String encodeBase64String = Base64.encodeBase64String("foo:bar".getBytes(StandardCharsets.UTF_8));
        BasicLoginContext basicLoginContext = (BasicLoginContext) Mockito.mock(BasicLoginContext.class);
        AuthSubject authSubject = (AuthSubject) Mockito.mock(AuthSubject.class);
        Mockito.when(this.servletRequest.getMethod()).thenReturn("GET");
        Mockito.when(this.servletRequest.getContextPath()).thenReturn("/db/data");
        Mockito.when(this.servletRequest.getRequestURL()).thenReturn(new StringBuffer("http://bar.baz:7474/db/data/"));
        Mockito.when(this.servletRequest.getRequestURI()).thenReturn("/db/data/");
        Mockito.when(this.servletRequest.getHeader("Authorization")).thenReturn("BASIC " + encodeBase64String);
        Mockito.when(this.authManager.login(SecurityTestUtils.authToken("foo", "bar"))).thenReturn(basicLoginContext);
        Mockito.when(basicLoginContext.subject()).thenReturn(authSubject);
        Mockito.when(authSubject.getAuthenticationResult()).thenReturn(AuthenticationResult.PASSWORD_CHANGE_REQUIRED);
        authorizationEnabledFilter.doFilter(this.servletRequest, this.servletResponse, this.filterChain);
        Mockito.verifyNoMoreInteractions(new Object[]{this.filterChain});
        ((HttpServletResponse) Mockito.verify(this.servletResponse)).setStatus(403);
        ((HttpServletResponse) Mockito.verify(this.servletResponse)).addHeader("Content-Type", "application/json; charset=UTF-8");
        Assert.assertThat(this.outputStream.toString(StandardCharsets.UTF_8.name()), Matchers.containsString("\"password_change\" : \"http://bar.baz:7474/user/foo/password\""));
        Assert.assertThat(this.outputStream.toString(StandardCharsets.UTF_8.name()), Matchers.containsString("\"code\" : \"Neo.ClientError.Security.Forbidden\""));
        Assert.assertThat(this.outputStream.toString(StandardCharsets.UTF_8.name()), Matchers.containsString("\"message\" : \"User is required to change their password.\""));
    }

    @Test
    public void shouldNotAuthorizeWhenTooManyAttemptsMade() throws Exception {
        AuthorizationEnabledFilter authorizationEnabledFilter = new AuthorizationEnabledFilter(() -> {
            return this.authManager;
        }, this.logProvider, new Pattern[0]);
        String encodeBase64String = Base64.encodeBase64String("foo:bar".getBytes(StandardCharsets.UTF_8));
        BasicLoginContext basicLoginContext = (BasicLoginContext) Mockito.mock(BasicLoginContext.class);
        AuthSubject authSubject = (AuthSubject) Mockito.mock(AuthSubject.class);
        Mockito.when(this.servletRequest.getMethod()).thenReturn("GET");
        Mockito.when(this.servletRequest.getContextPath()).thenReturn("/db/data");
        Mockito.when(this.servletRequest.getHeader("Authorization")).thenReturn("BASIC " + encodeBase64String);
        Mockito.when(this.authManager.login(SecurityTestUtils.authToken("foo", "bar"))).thenReturn(basicLoginContext);
        Mockito.when(basicLoginContext.subject()).thenReturn(authSubject);
        Mockito.when(authSubject.getAuthenticationResult()).thenReturn(AuthenticationResult.TOO_MANY_ATTEMPTS);
        authorizationEnabledFilter.doFilter(this.servletRequest, this.servletResponse, this.filterChain);
        Mockito.verifyNoMoreInteractions(new Object[]{this.filterChain});
        ((HttpServletResponse) Mockito.verify(this.servletResponse)).setStatus(429);
        ((HttpServletResponse) Mockito.verify(this.servletResponse)).addHeader("Content-Type", "application/json; charset=UTF-8");
        Assert.assertThat(this.outputStream.toString(StandardCharsets.UTF_8.name()), Matchers.containsString("\"code\" : \"Neo.ClientError.Security.AuthenticationRateLimit\""));
        Assert.assertThat(this.outputStream.toString(StandardCharsets.UTF_8.name()), Matchers.containsString("\"message\" : \"Too many failed authentication requests. Please wait 5 seconds and try again.\""));
    }

    @Test
    public void shouldAuthorizeWhenValidCredentialsSupplied() throws Exception {
        AuthorizationEnabledFilter authorizationEnabledFilter = new AuthorizationEnabledFilter(() -> {
            return this.authManager;
        }, this.logProvider, new Pattern[0]);
        String encodeBase64String = Base64.encodeBase64String("foo:bar".getBytes(StandardCharsets.UTF_8));
        BasicLoginContext basicLoginContext = (BasicLoginContext) Mockito.mock(BasicLoginContext.class);
        AuthSubject authSubject = (AuthSubject) Mockito.mock(AuthSubject.class);
        Mockito.when(this.servletRequest.getMethod()).thenReturn("GET");
        Mockito.when(this.servletRequest.getContextPath()).thenReturn("/db/data");
        Mockito.when(this.servletRequest.getHeader("Authorization")).thenReturn("BASIC " + encodeBase64String);
        Mockito.when(this.authManager.login(SecurityTestUtils.authToken("foo", "bar"))).thenReturn(basicLoginContext);
        Mockito.when(basicLoginContext.subject()).thenReturn(authSubject);
        Mockito.when(authSubject.getAuthenticationResult()).thenReturn(AuthenticationResult.SUCCESS);
        authorizationEnabledFilter.doFilter(this.servletRequest, this.servletResponse, this.filterChain);
        ((FilterChain) Mockito.verify(this.filterChain)).doFilter((ServletRequest) ArgumentMatchers.eq(new AuthorizedRequestWrapper("BASIC", "foo", this.servletRequest, LoginContext.AUTH_DISABLED)), (ServletResponse) ArgumentMatchers.same(this.servletResponse));
    }

    @Test
    public void shouldIncludeCrippledAuthHeaderIfBrowserIsTheOneCalling() throws Throwable {
        AuthorizationEnabledFilter authorizationEnabledFilter = new AuthorizationEnabledFilter(() -> {
            return this.authManager;
        }, this.logProvider, new Pattern[]{Pattern.compile("/"), Pattern.compile("/browser.*")});
        Mockito.when(this.servletRequest.getMethod()).thenReturn("GET");
        Mockito.when(this.servletRequest.getContextPath()).thenReturn("/db/data");
        Mockito.when(this.servletRequest.getHeader("X-Ajax-Browser-Auth")).thenReturn("true");
        authorizationEnabledFilter.doFilter(this.servletRequest, this.servletResponse, this.filterChain);
        Mockito.verifyNoMoreInteractions(new Object[]{this.filterChain});
        ((HttpServletResponse) Mockito.verify(this.servletResponse)).setStatus(401);
        ((HttpServletResponse) Mockito.verify(this.servletResponse)).addHeader("WWW-Authenticate", "None");
        ((HttpServletResponse) Mockito.verify(this.servletResponse)).addHeader("Content-Type", "application/json; charset=UTF-8");
        Assert.assertThat(this.outputStream.toString(StandardCharsets.UTF_8.name()), Matchers.containsString("\"code\" : \"Neo.ClientError.Security.Unauthorized\""));
        Assert.assertThat(this.outputStream.toString(StandardCharsets.UTF_8.name()), Matchers.containsString("\"message\" : \"No authentication header supplied.\""));
    }
}
