package org.neo4j.server.rest.security;

import com.sun.jersey.core.util.Base64;
import java.io.File;
import java.io.IOException;
import java.net.URI;
import java.nio.charset.Charset;
import org.hamcrest.CoreMatchers;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.neo4j.kernel.impl.annotations.Documented;
import org.neo4j.server.CommunityNeoServer;
import org.neo4j.server.configuration.ServerSettings;
import org.neo4j.server.helpers.CommunityServerBuilder;
import org.neo4j.server.rest.RESTDocsGenerator;
import org.neo4j.server.rest.domain.JsonHelper;
import org.neo4j.server.rest.domain.JsonParseException;
import org.neo4j.server.rest.web.PropertyValueException;
import org.neo4j.test.TestData;
import org.neo4j.test.server.ExclusiveServerTestBase;
import org.neo4j.test.server.HTTP;

/* loaded from: input_file:org/neo4j/server/rest/security/UsersDocIT.class */
public class UsersDocIT extends ExclusiveServerTestBase {

    @Rule
    public TestData<RESTDocsGenerator> gen = TestData.producedThrough(RESTDocsGenerator.PRODUCER);
    private CommunityNeoServer server;

    @Before
    public void setUp() {
        ((RESTDocsGenerator) this.gen.get()).setSection("dev/rest-api");
    }

    @Test
    @Documented(" Invalidating the authorization token\n\n You can ask that the server generates a new authorization token. This will invalidate any existing token for the\n user.\n")
    public void regenerate_token() throws PropertyValueException, IOException {
        startServerWithConfiguredUser();
        String asText = HTTP.POST(authURL(), HTTP.RawPayload.quotedJson("{'username':'neo4j','password':'secret'}")).get("authorization_token").asText();
        String asText2 = JsonHelper.jsonNode(((RESTDocsGenerator) this.gen.get()).noGraph().expectedStatus(200).payload(quotedJson("{'password':'secret'}")).post(this.server.baseUri().resolve("/user/neo4j/authorization_token").toString()).entity()).get("authorization_token").asText();
        Assert.assertThat(asText2, CoreMatchers.not(CoreMatchers.equalTo(asText)));
        Assert.assertThat(Integer.valueOf(asText2.length()), CoreMatchers.not(0));
        Assert.assertEquals(200L, HTTP.withHeaders("Authorization", challengeResponse(asText2)).GET(authURL()).status());
        Assert.assertEquals(401L, HTTP.withHeaders("Authorization", challengeResponse(asText)).GET(authURL()).status());
    }

    @Test
    @Documented(" Changing your password for the first time\n\n When enabling authorization for the first time, you must change the password before an authorization token can be granted.\n You can choose any password you like, except the default `neo4j`.\n The response will include an authorization token.\n")
    public void change_password_first_time() throws PropertyValueException, IOException {
        startServer(true);
        Assert.assertThat(Integer.valueOf(JsonHelper.jsonNode(((RESTDocsGenerator) this.gen.get()).noGraph().expectedStatus(200).payload(quotedJson("{'password':'neo4j', 'new_password':'qwerty'}")).post(this.server.baseUri().resolve("/user/neo4j/password").toString()).entity()).get("authorization_token").asText().length()), CoreMatchers.not(0));
        Assert.assertEquals(200L, HTTP.POST(authURL(), HTTP.RawPayload.quotedJson("{'username':'neo4j','password':'qwerty'}")).status());
        Assert.assertEquals(422L, HTTP.POST(authURL(), HTTP.RawPayload.quotedJson("{'username':'neo4j','password':'neo4j'}")).status());
    }

    @Test
    @Documented(" Changing your password\n\n Given that you know the current password, you can ask the server to change a users password. You can choose any\n password you like, as long as it is different from the current password.\n")
    public void change_password() throws PropertyValueException, IOException {
        startServerWithConfiguredUser();
        String asText = HTTP.POST(authURL(), HTTP.RawPayload.quotedJson("{'username':'neo4j','password':'secret'}")).get("authorization_token").asText();
        String asText2 = JsonHelper.jsonNode(((RESTDocsGenerator) this.gen.get()).noGraph().expectedStatus(200).payload(quotedJson("{'password':'secret', 'new_password':'qwerty'}")).post(this.server.baseUri().resolve("/user/neo4j/password").toString()).entity()).get("authorization_token").asText();
        Assert.assertThat(asText2, CoreMatchers.equalTo(asText));
        Assert.assertThat(Integer.valueOf(asText2.length()), CoreMatchers.not(0));
        Assert.assertEquals(200L, HTTP.POST(authURL(), HTTP.RawPayload.quotedJson("{'username':'neo4j','password':'qwerty'}")).status());
        Assert.assertEquals(422L, HTTP.POST(authURL(), HTTP.RawPayload.quotedJson("{'username':'neo4j','password':'secret'}")).status());
    }

    @Test
    @Documented(" Setting authorization token\n\n In some cases you may want to explicitly set an authorization token for a user, for instance if you want to be\n able to use the same authorization token for multiple Neo4j instances in a cluster.\n\n This can be done by taking an authorization token generated by Neo4j and asking other Neo4j instance to use that\n token. This is similar to invalidating an existing token, except the new token to be used is passed in explicitly.\n")
    public void set_token() throws PropertyValueException, IOException {
        startServerWithConfiguredUser();
        String asText = HTTP.POST(authURL(), HTTP.RawPayload.quotedJson("{'username':'neo4j','password':'secret'}")).get("authorization_token").asText();
        Assert.assertThat(JsonHelper.jsonNode(((RESTDocsGenerator) this.gen.get()).noGraph().expectedStatus(200).payload(quotedJson("{'password':'secret', 'new_authorization_token':'EEB9E6883A24CEF7899CF35AD49D5944'}")).post(this.server.baseUri().resolve("/user/neo4j/authorization_token").toString()).entity()).get("authorization_token").asText(), CoreMatchers.equalTo("EEB9E6883A24CEF7899CF35AD49D5944"));
        Assert.assertEquals(200L, HTTP.withHeaders("Authorization", challengeResponse(r0)).GET(authURL()).status());
        Assert.assertEquals(401L, HTTP.withHeaders("Authorization", challengeResponse(asText)).GET(authURL()).status());
    }

    @Test
    public void cantChangeToCurrentPassword() throws Exception {
        startServer(true);
        Assert.assertThat(Integer.valueOf(HTTP.POST(this.server.baseUri().resolve("/user/neo4j/password").toString(), HTTP.RawPayload.quotedJson("{'password':'neo4j', 'new_password':'neo4j'}")).status()), CoreMatchers.equalTo(422));
    }

    @Test
    public void shouldRateLimit() throws Exception {
        startServer(true);
        assertRateLimited("POST", this.server.baseUri().resolve("/user/neo4j/password"), "{'password':'something that is wrong', 'new_password':'secret'}");
        assertRateLimited("POST", this.server.baseUri().resolve("/user/neo4j/authorization_token"), "{'password':'something that is wrong'}");
        assertRateLimited("POST", this.server.baseUri().resolve("/user/neo4j/authorization_token"), "{'password':'something that is wrong','new_authorization_token':'asd'}");
    }

    @Test
    public void shouldRequireAuthorization() throws Exception {
        startServer(true);
        assertAuthorizationNeeded("POST", this.server.baseUri().resolve("/user/neo4j/password"), "{'password':'something that is wrong', 'new_password':'secret'}");
        assertAuthorizationNeeded("POST", this.server.baseUri().resolve("/user/neo4j/authorization_token"), "{'password':'something that is wrong'}");
        assertAuthorizationNeeded("POST", this.server.baseUri().resolve("/user/neo4j/authorization_token"), "{'password':'something that is wrong','new_authorization_token':'asd'}");
    }

    private void assertAuthorizationNeeded(String str, URI uri, String str2) throws JsonParseException {
        HTTP.Response request = HTTP.request(str, uri.toString(), HTTP.RawPayload.quotedJson(str2));
        Assert.assertThat(Integer.valueOf(request.status()), CoreMatchers.equalTo(422));
        Assert.assertThat(request.get("errors").get(0).get("code").asText(), CoreMatchers.equalTo("Neo.ClientError.Security.AuthenticationFailed"));
        Assert.assertThat(request.get("errors").get(0).get("message").asText(), CoreMatchers.equalTo("Invalid username and/or password."));
    }

    private void assertRateLimited(String str, URI uri, String str2) throws JsonParseException {
        long currentTimeMillis = System.currentTimeMillis() + 30000;
        HTTP.Response response = null;
        while (System.currentTimeMillis() < currentTimeMillis) {
            response = HTTP.request(str, uri.toString(), HTTP.RawPayload.quotedJson(str2));
            if (response.status() == 429) {
                break;
            }
        }
        Assert.assertThat(Integer.valueOf(response.status()), CoreMatchers.equalTo(429));
        Assert.assertThat(response.get("errors").get(0).get("code").asText(), CoreMatchers.equalTo("Neo.ClientError.Security.AuthenticationRateLimit"));
        Assert.assertThat(response.get("errors").get(0).get("message").asText(), CoreMatchers.equalTo("Too many failed authentication requests. Please try again in 5 seconds."));
    }

    @After
    public void cleanup() {
        if (this.server != null) {
            this.server.stop();
        }
    }

    public void startServer(boolean z) throws IOException {
        new File("neo4j-home/data/dbms/authorization").delete();
        this.server = CommunityServerBuilder.server().withProperty(ServerSettings.authorization_enabled.name(), Boolean.toString(z)).build();
        this.server.start();
    }

    public void startServerWithConfiguredUser() throws IOException {
        startServer(true);
        Assert.assertEquals(200L, HTTP.POST(this.server.baseUri().resolve("/user/neo4j/password").toString(), HTTP.RawPayload.quotedJson("{'password':'neo4j', 'new_password':'secret'}")).status());
    }

    private String challengeResponse(String str) {
        return "Basic realm=\"Neo4j\" " + base64(":" + str);
    }

    private String authURL() {
        return this.server.baseUri().resolve("authentication").toString();
    }

    private String base64(String str) {
        return new String(Base64.encode(str), Charset.forName("UTF-8"));
    }

    private String quotedJson(String str) {
        return str.replaceAll("'", "\"");
    }
}
