package io.trino.plugin.password.ldap;

import com.google.common.io.Closer;
import io.trino.plugin.base.ldap.JdkLdapClient;
import io.trino.plugin.base.ldap.LdapClientConfig;
import io.trino.plugin.password.ldap.TestingOpenLdapServer;
import io.trino.spi.security.AccessDeniedException;
import io.trino.spi.security.BasicPrincipal;
import java.util.Objects;
import org.assertj.core.api.AbstractBooleanAssert;
import org.assertj.core.api.Assertions;
import org.junit.jupiter.api.AfterAll;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.TestInstance;
import org.junit.jupiter.api.parallel.Execution;
import org.junit.jupiter.api.parallel.ExecutionMode;
import org.testcontainers.containers.Network;

@Execution(ExecutionMode.CONCURRENT)
@TestInstance(TestInstance.Lifecycle.PER_CLASS)
/* loaded from: input_file:io/trino/plugin/password/ldap/TestLdapAuthenticator.class */
public class TestLdapAuthenticator {
    private final Closer closer = Closer.create();
    private final TestingOpenLdapServer openLdapServer;
    private final LdapAuthenticatorClient client;

    public TestLdapAuthenticator() {
        Network newNetwork = Network.newNetwork();
        Closer closer = this.closer;
        Objects.requireNonNull(newNetwork);
        closer.register(newNetwork::close);
        this.openLdapServer = (TestingOpenLdapServer) this.closer.register(new TestingOpenLdapServer(newNetwork));
        this.openLdapServer.start();
        this.client = new LdapAuthenticatorClient(new JdkLdapClient(new LdapClientConfig().setLdapUrl(this.openLdapServer.getLdapUrl())));
    }

    @AfterAll
    public void close() throws Exception {
        this.closer.close();
    }

    @Test
    public void testSingleBindPattern() throws Exception {
        TestingOpenLdapServer.DisposableSubContext createOrganization = this.openLdapServer.createOrganization();
        try {
            TestingOpenLdapServer.DisposableSubContext createUser = this.openLdapServer.createUser(createOrganization, "alice", "alice-pass");
            try {
                LdapAuthenticator ldapAuthenticator = new LdapAuthenticator(this.client, new LdapAuthenticatorConfig().setUserBindSearchPatterns("uid=${USER}," + createOrganization.getDistinguishedName()));
                Assertions.assertThatThrownBy(() -> {
                    ldapAuthenticator.createAuthenticatedPrincipal("alice", "invalid");
                }).isInstanceOf(AccessDeniedException.class).hasMessageMatching("Access Denied: Invalid credentials");
                Assertions.assertThatThrownBy(() -> {
                    ldapAuthenticator.createAuthenticatedPrincipal("unknown", "alice-pass");
                }).isInstanceOf(RuntimeException.class).hasMessageMatching("Access Denied: Invalid credentials");
                Assertions.assertThat(ldapAuthenticator.createAuthenticatedPrincipal("alice", "alice-pass")).isEqualTo(new BasicPrincipal("alice"));
                if (createUser != null) {
                    createUser.close();
                }
                if (createOrganization != null) {
                    createOrganization.close();
                }
            } finally {
            }
        } catch (Throwable th) {
            if (createOrganization != null) {
                try {
                    createOrganization.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testMultipleBindPattern() throws Exception {
        TestingOpenLdapServer.DisposableSubContext createOrganization = this.openLdapServer.createOrganization();
        try {
            TestingOpenLdapServer.DisposableSubContext createOrganization2 = this.openLdapServer.createOrganization();
            try {
                TestingOpenLdapServer.DisposableSubContext createUser = this.openLdapServer.createUser(createOrganization, "alice", "alice-pass");
                try {
                    TestingOpenLdapServer.DisposableSubContext createUser2 = this.openLdapServer.createUser(createOrganization2, "bob", "bob-pass");
                    try {
                        TestingOpenLdapServer.DisposableSubContext createUser3 = this.openLdapServer.createUser(createOrganization2, "alice", "alt-alice-pass");
                        try {
                            LdapAuthenticator ldapAuthenticator = new LdapAuthenticator(this.client, new LdapAuthenticatorConfig().setUserBindSearchPatterns(String.format("uid=${USER},%s:uid=${USER},%s", createOrganization.getDistinguishedName(), createOrganization2.getDistinguishedName())));
                            Assertions.assertThat(ldapAuthenticator.createAuthenticatedPrincipal("alice", "alice-pass")).isEqualTo(new BasicPrincipal("alice"));
                            ldapAuthenticator.invalidateCache();
                            Assertions.assertThat(ldapAuthenticator.createAuthenticatedPrincipal("bob", "bob-pass")).isEqualTo(new BasicPrincipal("bob"));
                            ldapAuthenticator.invalidateCache();
                            Assertions.assertThat(ldapAuthenticator.createAuthenticatedPrincipal("alice", "alt-alice-pass")).isEqualTo(new BasicPrincipal("alice"));
                            ldapAuthenticator.invalidateCache();
                            Assertions.assertThat(ldapAuthenticator.createAuthenticatedPrincipal("alice", "alice-pass")).isEqualTo(new BasicPrincipal("alice"));
                            ldapAuthenticator.invalidateCache();
                            if (createUser3 != null) {
                                createUser3.close();
                            }
                            if (createUser2 != null) {
                                createUser2.close();
                            }
                            if (createUser != null) {
                                createUser.close();
                            }
                            if (createOrganization2 != null) {
                                createOrganization2.close();
                            }
                            if (createOrganization != null) {
                                createOrganization.close();
                            }
                        } catch (Throwable th) {
                            if (createUser3 != null) {
                                try {
                                    createUser3.close();
                                } catch (Throwable th2) {
                                    th.addSuppressed(th2);
                                }
                            }
                            throw th;
                        }
                    } catch (Throwable th3) {
                        if (createUser2 != null) {
                            try {
                                createUser2.close();
                            } catch (Throwable th4) {
                                th3.addSuppressed(th4);
                            }
                        }
                        throw th3;
                    }
                } catch (Throwable th5) {
                    if (createUser != null) {
                        try {
                            createUser.close();
                        } catch (Throwable th6) {
                            th5.addSuppressed(th6);
                        }
                    }
                    throw th5;
                }
            } catch (Throwable th7) {
                if (createOrganization2 != null) {
                    try {
                        createOrganization2.close();
                    } catch (Throwable th8) {
                        th7.addSuppressed(th8);
                    }
                }
                throw th7;
            }
        } catch (Throwable th9) {
            if (createOrganization != null) {
                try {
                    createOrganization.close();
                } catch (Throwable th10) {
                    th9.addSuppressed(th10);
                }
            }
            throw th9;
        }
    }

    @Test
    public void testGroupMembership() throws Exception {
        TestingOpenLdapServer.DisposableSubContext createOrganization = this.openLdapServer.createOrganization();
        try {
            TestingOpenLdapServer.DisposableSubContext createGroup = this.openLdapServer.createGroup(createOrganization);
            try {
                TestingOpenLdapServer.DisposableSubContext createUser = this.openLdapServer.createUser(createOrganization, "alice", "alice-pass");
                try {
                    TestingOpenLdapServer.DisposableSubContext createUser2 = this.openLdapServer.createUser(createOrganization, "bob", "bob-pass");
                    try {
                        LdapAuthenticator ldapAuthenticator = new LdapAuthenticator(this.client, new LdapAuthenticatorConfig().setUserBindSearchPatterns("uid=${USER}," + createOrganization.getDistinguishedName()).setUserBaseDistinguishedName(createOrganization.getDistinguishedName()).setGroupAuthorizationSearchPattern(String.format("(&(objectClass=groupOfNames)(cn=group_*)(member=uid=${USER},%s))", createOrganization.getDistinguishedName())));
                        Assertions.assertThatThrownBy(() -> {
                            ldapAuthenticator.createAuthenticatedPrincipal("alice", "invalid");
                        }).isInstanceOf(AccessDeniedException.class).hasMessageMatching("Access Denied: Invalid credentials");
                        Assertions.assertThatThrownBy(() -> {
                            ldapAuthenticator.createAuthenticatedPrincipal("unknown", "alice-pass");
                        }).isInstanceOf(AccessDeniedException.class).hasMessageMatching("Access Denied: Invalid credentials");
                        Assertions.assertThatThrownBy(() -> {
                            ldapAuthenticator.createAuthenticatedPrincipal("bob", "bob-pass");
                        }).isInstanceOf(AccessDeniedException.class).hasMessageMatching("Access Denied: User \\[bob] not a member of an authorized group");
                        this.openLdapServer.addUserToGroup(createUser, createGroup);
                        Assertions.assertThat(ldapAuthenticator.createAuthenticatedPrincipal("alice", "alice-pass")).isEqualTo(new BasicPrincipal("alice"));
                        if (createUser2 != null) {
                            createUser2.close();
                        }
                        if (createUser != null) {
                            createUser.close();
                        }
                        if (createGroup != null) {
                            createGroup.close();
                        }
                        if (createOrganization != null) {
                            createOrganization.close();
                        }
                    } catch (Throwable th) {
                        if (createUser2 != null) {
                            try {
                                createUser2.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        }
                        throw th;
                    }
                } catch (Throwable th3) {
                    if (createUser != null) {
                        try {
                            createUser.close();
                        } catch (Throwable th4) {
                            th3.addSuppressed(th4);
                        }
                    }
                    throw th3;
                }
            } catch (Throwable th5) {
                if (createGroup != null) {
                    try {
                        createGroup.close();
                    } catch (Throwable th6) {
                        th5.addSuppressed(th6);
                    }
                }
                throw th5;
            }
        } catch (Throwable th7) {
            if (createOrganization != null) {
                try {
                    createOrganization.close();
                } catch (Throwable th8) {
                    th7.addSuppressed(th8);
                }
            }
            throw th7;
        }
    }

    @Test
    public void testInvalidBindPassword() throws Exception {
        TestingOpenLdapServer.DisposableSubContext createOrganization = this.openLdapServer.createOrganization();
        try {
            LdapAuthenticator ldapAuthenticator = new LdapAuthenticator(this.client, new LdapAuthenticatorConfig().setUserBaseDistinguishedName(createOrganization.getDistinguishedName()).setGroupAuthorizationSearchPattern("(&(objectClass=inetOrgPerson))").setBindDistingushedName("cn=admin,dc=trino,dc=testldap,dc=com").setBindPassword("invalid-password"));
            Assertions.assertThatThrownBy(() -> {
                ldapAuthenticator.createAuthenticatedPrincipal("alice", "alice-pass");
            }).isInstanceOf(AccessDeniedException.class).hasMessageMatching("Access Denied: Invalid credentials");
            if (createOrganization != null) {
                createOrganization.close();
            }
        } catch (Throwable th) {
            if (createOrganization != null) {
                try {
                    createOrganization.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Test
    public void testDistinguishedNameLookup() throws Exception {
        TestingOpenLdapServer.DisposableSubContext createOrganization = this.openLdapServer.createOrganization();
        try {
            TestingOpenLdapServer.DisposableSubContext createGroup = this.openLdapServer.createGroup(createOrganization);
            try {
                TestingOpenLdapServer.DisposableSubContext createUser = this.openLdapServer.createUser(createOrganization, "alice", "alice-pass");
                try {
                    TestingOpenLdapServer.DisposableSubContext createUser2 = this.openLdapServer.createUser(createOrganization, "bob", "bob-pass");
                    try {
                        LdapAuthenticator ldapAuthenticator = new LdapAuthenticator(this.client, new LdapAuthenticatorConfig().setUserBaseDistinguishedName(createOrganization.getDistinguishedName()).setGroupAuthorizationSearchPattern(String.format("(&(objectClass=inetOrgPerson)(memberof=%s))", createGroup.getDistinguishedName())).setBindDistingushedName("cn=admin,dc=trino,dc=testldap,dc=com").setBindPassword("admin"));
                        Assertions.assertThatThrownBy(() -> {
                            ldapAuthenticator.createAuthenticatedPrincipal("unknown_user", "invalid");
                        }).isInstanceOf(AccessDeniedException.class).hasMessageMatching("Access Denied: User \\[unknown_user] not a member of an authorized group");
                        Assertions.assertThatThrownBy(() -> {
                            ldapAuthenticator.createAuthenticatedPrincipal("alice", "invalid");
                        }).isInstanceOf(AccessDeniedException.class).hasMessageMatching("Access Denied: User \\[alice] not a member of an authorized group");
                        ldapAuthenticator.invalidateCache();
                        Assertions.assertThatThrownBy(() -> {
                            ldapAuthenticator.createAuthenticatedPrincipal("alice", "alice-pass");
                        }).isInstanceOf(AccessDeniedException.class).hasMessageMatching("Access Denied: User \\[alice] not a member of an authorized group");
                        ldapAuthenticator.invalidateCache();
                        Assertions.assertThatThrownBy(() -> {
                            ldapAuthenticator.createAuthenticatedPrincipal("bob", "bob-pass");
                        }).isInstanceOf(AccessDeniedException.class).hasMessageMatching("Access Denied: User \\[bob] not a member of an authorized group");
                        ldapAuthenticator.invalidateCache();
                        this.openLdapServer.addUserToGroup(createUser, createGroup);
                        Assertions.assertThat(ldapAuthenticator.createAuthenticatedPrincipal("alice", "alice-pass")).isEqualTo(new BasicPrincipal("alice"));
                        ldapAuthenticator.invalidateCache();
                        Assertions.assertThatThrownBy(() -> {
                            ldapAuthenticator.createAuthenticatedPrincipal("alice", "invalid");
                        }).isInstanceOf(AccessDeniedException.class).hasMessageMatching("Access Denied: Invalid credentials");
                        ldapAuthenticator.invalidateCache();
                        this.openLdapServer.addUserToGroup(createUser2, createGroup);
                        Assertions.assertThatThrownBy(() -> {
                            ldapAuthenticator.createAuthenticatedPrincipal("alice", "alice-pass");
                        }).isInstanceOf(AccessDeniedException.class).hasMessageMatching("Access Denied: Multiple group membership results for user \\[alice].*");
                        ldapAuthenticator.invalidateCache();
                        if (createUser2 != null) {
                            createUser2.close();
                        }
                        if (createUser != null) {
                            createUser.close();
                        }
                        if (createGroup != null) {
                            createGroup.close();
                        }
                        if (createOrganization != null) {
                            createOrganization.close();
                        }
                    } catch (Throwable th) {
                        if (createUser2 != null) {
                            try {
                                createUser2.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        }
                        throw th;
                    }
                } catch (Throwable th3) {
                    if (createUser != null) {
                        try {
                            createUser.close();
                        } catch (Throwable th4) {
                            th3.addSuppressed(th4);
                        }
                    }
                    throw th3;
                }
            } catch (Throwable th5) {
                if (createGroup != null) {
                    try {
                        createGroup.close();
                    } catch (Throwable th6) {
                        th5.addSuppressed(th6);
                    }
                }
                throw th5;
            }
        } catch (Throwable th7) {
            if (createOrganization != null) {
                try {
                    createOrganization.close();
                } catch (Throwable th8) {
                    th7.addSuppressed(th8);
                }
            }
            throw th7;
        }
    }

    @Test
    public void testContainsSpecialCharacters() {
        ((AbstractBooleanAssert) Assertions.assertThat(LdapAuthenticator.containsSpecialCharacters("The quick brown fox jumped over the lazy dogs")).as("English pangram", new Object[0])).isEqualTo(false);
        ((AbstractBooleanAssert) Assertions.assertThat(LdapAuthenticator.containsSpecialCharacters("Pchnąć w tę łódź jeża lub ośm skrzyń fig")).as("Perfect polish pangram", new Object[0])).isEqualTo(false);
        ((AbstractBooleanAssert) Assertions.assertThat(LdapAuthenticator.containsSpecialCharacters("いろはにほへと ちりぬるを わかよたれそ つねならむ うゐのおくやま けふこえて あさきゆめみし ゑひもせす（ん）")).as("Japanese hiragana pangram - Iroha", new Object[0])).isEqualTo(false);
        ((AbstractBooleanAssert) Assertions.assertThat(LdapAuthenticator.containsSpecialCharacters("*")).as("LDAP wildcard", new Object[0])).isEqualTo(true);
        ((AbstractBooleanAssert) Assertions.assertThat(LdapAuthenticator.containsSpecialCharacters("   John Doe")).as("Beginning with whitespace", new Object[0])).isEqualTo(true);
        ((AbstractBooleanAssert) Assertions.assertThat(LdapAuthenticator.containsSpecialCharacters("John Doe  \r")).as("Ending with whitespace", new Object[0])).isEqualTo(true);
        ((AbstractBooleanAssert) Assertions.assertThat(LdapAuthenticator.containsSpecialCharacters("Hi (This) = is * a \\ test # ç à ô")).as("Multiple special characters", new Object[0])).isEqualTo(true);
        ((AbstractBooleanAssert) Assertions.assertThat(LdapAuthenticator.containsSpecialCharacters("John��Doe")).as("NULL character", new Object[0])).isEqualTo(true);
        ((AbstractBooleanAssert) Assertions.assertThat(LdapAuthenticator.containsSpecialCharacters("John Doe <john.doe@company.com>")).as("Angle brackets", new Object[0])).isEqualTo(true);
    }
}
