package org.neo4j.server.rest.security;

import com.sun.jersey.core.util.Base64;
import java.io.File;
import java.io.IOException;
import java.nio.charset.Charset;
import org.codehaus.jackson.JsonNode;
import org.hamcrest.CoreMatchers;
import org.hamcrest.Matchers;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.neo4j.kernel.impl.annotations.Documented;
import org.neo4j.server.CommunityNeoServer;
import org.neo4j.server.configuration.ServerSettings;
import org.neo4j.server.helpers.CommunityServerBuilder;
import org.neo4j.server.rest.RESTDocsGenerator;
import org.neo4j.server.rest.domain.JsonHelper;
import org.neo4j.server.rest.domain.JsonParseException;
import org.neo4j.server.rest.web.PropertyValueException;
import org.neo4j.test.TestData;
import org.neo4j.test.server.ExclusiveServerTestBase;
import org.neo4j.test.server.HTTP;

/* loaded from: input_file:org/neo4j/server/rest/security/AuthenticationDocIT.class */
public class AuthenticationDocIT extends ExclusiveServerTestBase {

    @Rule
    public TestData<RESTDocsGenerator> gen = TestData.producedThrough(RESTDocsGenerator.PRODUCER);
    private CommunityNeoServer server;

    @Before
    public void setUp() {
        ((RESTDocsGenerator) this.gen.get()).setSection("dev/rest-api");
    }

    @Test
    @Documented(" Required password changes\n\n In some cases, like the very first time you access Neo4j with authorization enabled, you are required to choose\n a new password. The database will signal that a new password is required when you try to authenticate.\n\n See <<rest-api-changing-your-password>> for how to set a new password.\n")
    public void password_change_required() throws PropertyValueException, IOException {
        startServer(true);
        JsonNode jsonNode = JsonHelper.jsonNode(((RESTDocsGenerator) this.gen.get()).noGraph().expectedStatus(200).payload(quotedJson("{'username':'neo4j', 'password':'neo4j'}")).post(authURL()).entity());
        Assert.assertThat(jsonNode.get("username").asText(), CoreMatchers.equalTo("neo4j"));
        Assert.assertThat(Boolean.valueOf(jsonNode.has("authorization_token")), CoreMatchers.is(false));
        Assert.assertThat(Boolean.valueOf(jsonNode.has("authorization_token_change")), CoreMatchers.is(false));
        Assert.assertThat(Boolean.valueOf(jsonNode.get("password_change_required").asBoolean()), CoreMatchers.equalTo(true));
        Assert.assertThat(jsonNode.get("password_change").asText(), CoreMatchers.equalTo(this.server.baseUri().resolve("user/neo4j/password").toString()));
    }

    @Test
    @Documented(" Authenticate to obtain an authorization token\n\n You authenticate by sending a username and a password to Neo4j. The database will reply with an authorization\n token. The reply from this endpoint will also indicate if your password should be changed which will,\n for instance, be the case in a newly installed instance.\n")
    public void successful_authentication() throws PropertyValueException, IOException {
        startServerWithConfiguredUser();
        JsonNode jsonNode = JsonHelper.jsonNode(((RESTDocsGenerator) this.gen.get()).noGraph().expectedStatus(200).payload(quotedJson("{'username':'neo4j', 'password':'secret'}")).post(authURL()).entity());
        Assert.assertThat(jsonNode.get("username").asText(), CoreMatchers.equalTo("neo4j"));
        Assert.assertThat(Boolean.valueOf(jsonNode.get("password_change_required").asBoolean()), CoreMatchers.equalTo(false));
        Assert.assertThat(Integer.valueOf(jsonNode.get("authorization_token").asText().length()), Matchers.greaterThan(0));
        Assert.assertThat(jsonNode.get("authorization_token_change").asText(), CoreMatchers.equalTo(this.server.baseUri().resolve("user/neo4j/authorization_token").toString()));
    }

    @Test
    @Documented(" Using the Authorization Token\n\n Given that you have acquired an authorization token, you may use it to get access to the rest of the API.\n To include the token in requests to the server, it should be encoded as the 'password' part of the HTTP Basic Auth scheme.\n This means you should include a +Authorization+ header, with a value of +Basic realm=\"Neo4j\" <token payload>+\n where \"token payload\" is a base64 encoded string of the token prepended by a colon.\n\n In pseudo-code:\n\n [source,javascript]\n ----\n authorization = 'Basic realm=\"Neo4j\" ' + base64( ':' + token );\n ----\n")
    public void using_the_token() throws PropertyValueException, IOException {
        startServerWithConfiguredUser();
        ((RESTDocsGenerator) this.gen.get()).noGraph().expectedStatus(200).withHeader("Authorization", challengeResponse(HTTP.POST(authURL(), HTTP.RawPayload.quotedJson("{'username':'neo4j','password':'secret'}")).get("authorization_token").asText())).get(this.server.baseUri().resolve("").toString());
    }

    @Test
    @Documented(" Incorrect username or password\n\n If you provide incorrect authentication credentials, the server replies with a an error.\n")
    public void incorrect_authentication() throws PropertyValueException, IOException {
        startServerWithConfiguredUser();
        JsonNode jsonNode = JsonHelper.jsonNode(((RESTDocsGenerator) this.gen.get()).noGraph().expectedStatus(422).payload(quotedJson("{'username':'bob', 'password':'incorrect'}")).post(authURL()).entity());
        Assert.assertThat(jsonNode.get("errors").get(0).get("code").asText(), CoreMatchers.equalTo("Neo.ClientError.Security.AuthenticationFailed"));
        Assert.assertThat(jsonNode.get("errors").get(0).get("message").asText(), CoreMatchers.equalTo("Invalid username and/or password."));
    }

    @Test
    @Documented(" Get current authorization status\n\n You can use this endpoint to determine if security is enabled, and to check if your authorization token is valid.\n\n Given that you have a valid authorization token, you can retrieve metadata about the current user from the authentication endpoint.\n If Neo4j security is disabled, this endpoint will also return `200 OK`, see <<rest-api-get-authorization-status-when-authorization-is-disabled>>.\n If security is enabled and your token is invalid, you will get an error reply, see <<rest-api-attempting-to-get-authorization-status-while-unauthorized>>.\n This way, you can use this endpoint to determine if you need to acquire an authorization token.\n")
    public void authorization_metadata() throws PropertyValueException, IOException {
        startServerWithConfiguredUser();
        Assert.assertThat(JsonHelper.jsonNode(((RESTDocsGenerator) this.gen.get()).noGraph().expectedStatus(200).withHeader("Authorization", challengeResponse(HTTP.POST(authURL(), HTTP.RawPayload.quotedJson("{'username':'neo4j','password':'secret'}")).get("authorization_token").asText())).get(authURL()).entity()).get("username").asText(), CoreMatchers.equalTo("neo4j"));
    }

    @Test
    @Documented(" Attempting to get authorization status while unauthorized\n\n Given that you have an invalid authorization token, or no token at all, asking for authorization status leads\n to an unauthorized HTTP reply.\n")
    public void disallowed_authorization_metadata() throws PropertyValueException, IOException {
        startServerWithConfiguredUser();
        JsonNode jsonNode = JsonHelper.jsonNode(((RESTDocsGenerator) this.gen.get()).noGraph().expectedStatus(401).expectedHeader("WWW-Authenticate", "None").withHeader("Authorization", "Basic realm=\"Neo4j\" " + base64(":helloworld")).get(authURL()).entity());
        Assert.assertThat(jsonNode.get("errors").get(0).get("code").asText(), CoreMatchers.equalTo("Neo.ClientError.Security.AuthorizationFailed"));
        Assert.assertThat(jsonNode.get("errors").get(0).get("message").asText(), CoreMatchers.equalTo("Invalid authorization token supplied."));
    }

    @Test
    @Documented(" Get authorization status when authorization is disabled\n\n Given that authorization is disabled in the configuration, you can perform a `GET` request to the authentication endpoint, and will\n get back an `200 OK` response. You will not receive a username or authorization token.\n")
    public void auth_disabled_get_metadata() throws PropertyValueException, IOException {
        startServer(false);
        ((RESTDocsGenerator) this.gen.get()).noGraph().expectedStatus(200).get(authURL());
    }

    @Test
    public void shouldSayTokenMissingIfNoTokenProvided() throws Exception {
        startServerWithConfiguredUser();
        HTTP.Response GET = HTTP.GET(authURL());
        Assert.assertThat(Integer.valueOf(GET.status()), CoreMatchers.equalTo(401));
        Assert.assertThat(GET.get("errors").get(0).get("code").asText(), CoreMatchers.equalTo("Neo.ClientError.Security.AuthorizationFailed"));
        Assert.assertThat(GET.get("errors").get(0).get("message").asText(), CoreMatchers.equalTo("No authorization token supplied."));
        Assert.assertThat(GET.header("WWW-Authenticate"), CoreMatchers.equalTo("None"));
    }

    @Test
    public void shouldSayMalformedTokenIfMalformedToken() throws Exception {
        startServerWithConfiguredUser();
        HTTP.Response GET = HTTP.withHeaders("Authorization", "This makes no sense").GET(authURL());
        Assert.assertThat(Integer.valueOf(GET.status()), CoreMatchers.equalTo(400));
        Assert.assertThat(GET.get("errors").get(0).get("code").asText(), CoreMatchers.equalTo("Neo.ClientError.Request.InvalidFormat"));
        Assert.assertThat(GET.get("errors").get(0).get("message").asText(), CoreMatchers.equalTo("Invalid Authorization header."));
    }

    @Test
    public void shouldHandleMissingParameters() throws Exception {
        startServerWithConfiguredUser();
        Assert.assertEquals(422L, HTTP.POST(authURL()).status());
        Assert.assertEquals(422L, HTTP.POST(authURL(), HTTP.RawPayload.quotedJson("{'password':'whatever'}")).status());
        Assert.assertEquals(422L, HTTP.POST(authURL(), HTTP.RawPayload.quotedJson("{'password':1234, 'username':{}}")).status());
    }

    @Test
    public void shouldNotAllowDataAccess() throws Exception {
        startServerWithConfiguredUser();
        assertAuthorizationRequired("POST", "db/data/node", HTTP.RawPayload.quotedJson("{'name':'jake'}"), 201);
        assertAuthorizationRequired("GET", "db/data/node/1234", 404);
        assertAuthorizationRequired("POST", "db/data/transaction/commit", HTTP.RawPayload.quotedJson("{'statements':[{'statement':'MATCH (n) RETURN n'}]}"), 200);
        Assert.assertEquals(200L, HTTP.GET(this.server.baseUri().resolve("webadmin").toString()).status());
        Assert.assertEquals(200L, HTTP.GET(this.server.baseUri().resolve("browser").toString()).status());
        Assert.assertEquals(200L, HTTP.GET(this.server.baseUri().resolve("").toString()).status());
    }

    @Test
    public void rootEndpointShouldOnlyShowAuthenticationDiscoverabilityUrl() throws Exception {
        startServerWithConfiguredUser();
        Assert.assertThat(HTTP.GET(this.server.baseUri().resolve("").toString()).rawContent(), CoreMatchers.equalTo(String.format("{%n  \"authentication\" : \"" + this.server.baseUri().resolve("authentication") + "\"%n}", new Object[0])));
    }

    @Test
    public void shouldAllowAllAccessIfAuthenticationIsDisabled() throws Exception {
        startServer(false);
        Assert.assertEquals(201L, HTTP.POST(this.server.baseUri().resolve("db/data/node").toString(), HTTP.RawPayload.quotedJson("{'name':'jake'}")).status());
        Assert.assertEquals(404L, HTTP.GET(this.server.baseUri().resolve("db/data/node/1234").toString()).status());
        Assert.assertEquals(200L, HTTP.POST(this.server.baseUri().resolve("db/data/transaction/commit").toString(), HTTP.RawPayload.quotedJson("{'statements':[{'statement':'MATCH (n) RETURN n'}]}")).status());
    }

    @Test
    public void shouldReplyNicelyToTooManyFailedAuthAttempts() throws Exception {
        startServerWithConfiguredUser();
        long currentTimeMillis = System.currentTimeMillis() + 30000;
        HTTP.Response response = null;
        while (System.currentTimeMillis() < currentTimeMillis) {
            response = HTTP.POST(this.server.baseUri().resolve("authentication").toString(), HTTP.RawPayload.quotedJson("{'username':'neo4j', 'password':'something that is wrong'}"));
            if (response.status() == 429) {
                break;
            }
        }
        Assert.assertThat(Integer.valueOf(response.status()), CoreMatchers.equalTo(429));
        Assert.assertThat(response.get("errors").get(0).get("code").asText(), CoreMatchers.equalTo("Neo.ClientError.Security.AuthenticationRateLimit"));
        Assert.assertThat(response.get("errors").get(0).get("message").asText(), CoreMatchers.equalTo("Too many failed authentication requests. Please try again in 5 seconds."));
    }

    private void assertAuthorizationRequired(String str, String str2, int i) throws JsonParseException {
        assertAuthorizationRequired(str, str2, null, i);
    }

    private void assertAuthorizationRequired(String str, String str2, Object obj, int i) throws JsonParseException {
        HTTP.Response request = HTTP.request(str, this.server.baseUri().resolve(str2).toString(), obj);
        Assert.assertThat(Integer.valueOf(request.status()), CoreMatchers.equalTo(401));
        Assert.assertThat(request.get("errors").get(0).get("code").asText(), CoreMatchers.equalTo("Neo.ClientError.Security.AuthorizationFailed"));
        Assert.assertThat(request.get("errors").get(0).get("message").asText(), CoreMatchers.equalTo("No authorization token supplied."));
        Assert.assertThat(request.get("authentication").asText(), CoreMatchers.equalTo("http://localhost:7474/authentication"));
        Assert.assertThat(request.header("WWW-Authenticate"), CoreMatchers.equalTo("None"));
        HTTP.Response request2 = HTTP.withHeaders("Authorization", "This makes no sense").request(str, this.server.baseUri().resolve(str2).toString(), obj);
        Assert.assertThat(Integer.valueOf(request2.status()), CoreMatchers.equalTo(400));
        Assert.assertThat(request2.get("errors").get(0).get("code").asText(), CoreMatchers.equalTo("Neo.ClientError.Request.InvalidFormat"));
        Assert.assertThat(request2.get("errors").get(0).get("message").asText(), CoreMatchers.equalTo("Invalid Authorization header."));
        HTTP.Response request3 = HTTP.withHeaders("Authorization", "Basic realm=\"Neo4j\" " + base64(":helloworld")).request(str, this.server.baseUri().resolve(str2).toString(), obj);
        Assert.assertThat(Integer.valueOf(request3.status()), CoreMatchers.equalTo(401));
        Assert.assertThat(request3.get("errors").get(0).get("code").asText(), CoreMatchers.equalTo("Neo.ClientError.Security.AuthorizationFailed"));
        Assert.assertThat(request3.get("errors").get(0).get("message").asText(), CoreMatchers.equalTo("Invalid authorization token supplied."));
        Assert.assertThat(request3.get("authentication").asText(), CoreMatchers.equalTo("http://localhost:7474/authentication"));
        Assert.assertThat(request3.header("WWW-Authenticate"), CoreMatchers.equalTo("None"));
        Assert.assertThat(Integer.valueOf(HTTP.withHeaders("Authorization", challengeResponse(HTTP.POST(authURL(), HTTP.RawPayload.quotedJson("{'username':'neo4j','password':'secret'}")).get("authorization_token").asText())).request(str, this.server.baseUri().resolve(str2).toString(), obj).status()), CoreMatchers.equalTo(Integer.valueOf(i)));
    }

    @After
    public void cleanup() {
        if (this.server != null) {
            this.server.stop();
        }
    }

    public void startServerWithConfiguredUser() throws IOException {
        startServer(true);
        Assert.assertEquals(200L, HTTP.POST(this.server.baseUri().resolve("/user/neo4j/password").toString(), HTTP.RawPayload.quotedJson("{'password':'neo4j', 'new_password':'secret'}")).status());
    }

    public void startServer(boolean z) throws IOException {
        new File("neo4j-home/data/dbms/authorization").delete();
        this.server = CommunityServerBuilder.server().withProperty(ServerSettings.authorization_enabled.name(), Boolean.toString(z)).build();
        this.server.start();
    }

    private String challengeResponse(String str) {
        return "Basic realm=\"Neo4j\" " + base64(":" + str);
    }

    private String authURL() {
        return this.server.baseUri().resolve("authentication").toString();
    }

    private String base64(String str) {
        return new String(Base64.encode(str), Charset.forName("UTF-8"));
    }

    private String quotedJson(String str) {
        return str.replaceAll("'", "\"");
    }
}
