package org.neo4j.server.rest.security;

import com.sun.jersey.api.client.ClientResponse;
import org.hamcrest.Matchers;
import org.junit.Assert;
import org.junit.Test;
import org.neo4j.server.web.HttpMethod;
import org.neo4j.test.server.HTTP;

/* loaded from: input_file:org/neo4j/server/rest/security/AuthorizationCorsIT.class */
/**
 * Integration tests for the CORS response headers the server attaches to HTTP responses.
 *
 * <p>Each test starts a server through the base class, posts a {@code RETURN 42} statement to the
 * URL returned by {@code txCommitURL()} (or a password change to {@code passwordURL(...)}), and
 * checks the {@code Access-Control-*} headers on the response. The CORS headers are asserted on
 * successful responses and on 401/403 responses alike.
 *
 * <p>NOTE(review): unless an origin is passed to {@code startServer}, every test here pins
 * {@code Access-Control-Allow-Origin: *}. Deployments that expose the HTTP endpoint to browsers
 * should decide deliberately whether the wildcard is acceptable; only
 * {@link #shouldAddCorsHeaderWhenConfigured()} covers a restricted origin.
 */
public class AuthorizationCorsIT extends CommunityServerTestBase {
    private static final String ALLOW_ORIGIN = "Access-Control-Allow-Origin";
    private static final String ALLOW_METHODS = "Access-Control-Allow-Methods";
    private static final String ALLOW_HEADERS = "Access-Control-Allow-Headers";
    private static final String REQUEST_METHOD = "Access-Control-Request-Method";
    private static final String REQUEST_HEADERS = "Access-Control-Request-Headers";
    private static final String WILDCARD_ORIGIN = "*";
    private static final String RETURN_42_PAYLOAD = "{'statements': [{'statement': 'RETURN 42'}]}";

    /** With auth disabled, arbitrary credentials are accepted and the query result carries the CORS header. */
    @Test
    public void shouldAddCorsHeaderWhenAuthDisabled() throws Exception {
        startServer(false);

        HTTP.Response response = runQuery("authDisabled", "authDisabled");

        assertStatus(ClientResponse.Status.OK, response);
        assertCorsHeaderPresent(response);
        Assert.assertThat(response.content().toString(), Matchers.containsString("42"));
    }

    /** The 403 returned while the initial password is still in use must also carry the CORS header. */
    @Test
    public void shouldAddCorsHeaderWhenAuthEnabledAndPasswordChangeRequired() throws Exception {
        startServer(true);

        HTTP.Response response = runQuery("neo4j", "neo4j");

        assertStatus(ClientResponse.Status.FORBIDDEN, response);
        assertCorsHeaderPresent(response);
        Assert.assertThat(response.content().toString(), Matchers.containsString("password_change"));
    }

    /** After the password has been changed, both the change response and the query response carry the CORS header. */
    @Test
    public void shouldAddCorsHeaderWhenAuthEnabledAndPasswordChangeNotRequired() throws Exception {
        startServer(true);

        HTTP.Response passwordChange = changePassword("neo4j", "neo4j", "newPassword");
        assertStatus(ClientResponse.Status.OK, passwordChange);
        assertCorsHeaderPresent(passwordChange);

        HTTP.Response response = runQuery("neo4j", "newPassword");
        assertStatus(ClientResponse.Status.OK, response);
        assertCorsHeaderPresent(response);
        Assert.assertThat(response.content().toString(), Matchers.containsString("42"));
    }

    /** A failed login (401) must still carry the CORS header alongside the Unauthorized error code. */
    @Test
    public void shouldAddCorsHeaderWhenAuthEnabledAndIncorrectPassword() throws Exception {
        startServer(true);

        HTTP.Response response = runQuery("neo4j", "wrongPassword");

        assertStatus(ClientResponse.Status.UNAUTHORIZED, response);
        assertCorsHeaderPresent(response);
        Assert.assertThat(
                response.content().toString(),
                Matchers.containsString("Neo.ClientError.Security.Unauthorized"));
    }

    /** Checks the allowed-methods header for POST, GET, PATCH and DELETE against the wildcard origin. */
    @Test
    public void shouldAddCorsMethodsHeader() throws Exception {
        startServer(false);

        HttpMethod[] methods = {HttpMethod.POST, HttpMethod.GET, HttpMethod.PATCH, HttpMethod.DELETE};
        for (HttpMethod method : methods) {
            testCorsAllowMethods(method);
        }
    }

    /**
     * Starts the server with an explicit origin and expects exactly that value, not the wildcard,
     * in {@code Access-Control-Allow-Origin}.
     */
    @Test
    public void shouldAddCorsHeaderWhenConfigured() throws Exception {
        // Presumably the second startServer argument is the configured allowed origin; verify in the base class.
        String configuredOrigin = "https://example.com:7687";
        startServer(false, configuredOrigin);

        HttpMethod[] methods = {HttpMethod.POST, HttpMethod.GET, HttpMethod.PATCH, HttpMethod.DELETE};
        for (HttpMethod method : methods) {
            testCorsAllowMethods(method, configuredOrigin);
        }
    }

    /**
     * Sends {@code Access-Control-Request-Headers} and expects the same list back in
     * {@code Access-Control-Allow-Headers}.
     */
    @Test
    public void shouldAddCorsRequestHeaders() throws Exception {
        startServer(false);

        // NOTE(review): this pins the requested header list being returned verbatim, including the
        // non-standard X-Not-Accept; confirm that echoing arbitrary requested headers is intended.
        HTTP.Builder request =
                requestWithHeaders("authDisabled", "authDisabled")
                        .withHeaders(REQUEST_HEADERS, "Accept, X-Not-Accept");
        HTTP.Response response = runQuery(request);

        assertStatus(ClientResponse.Status.OK, response);
        assertCorsHeaderPresent(response);
        Assert.assertEquals("Accept, X-Not-Accept", response.header(ALLOW_HEADERS));
    }

    /** Same as {@link #testCorsAllowMethods(HttpMethod, String)} with the wildcard origin expected. */
    private void testCorsAllowMethods(HttpMethod httpMethod) throws Exception {
        testCorsAllowMethods(httpMethod, WILDCARD_ORIGIN);
    }

    /**
     * Sends {@code Access-Control-Request-Method} for the given method and checks that the response
     * is 200, names the expected origin, and returns that same method in
     * {@code Access-Control-Allow-Methods}.
     *
     * @param httpMethod method announced in the request header and expected back
     * @param expectedOrigin value expected in {@code Access-Control-Allow-Origin}
     */
    private void testCorsAllowMethods(HttpMethod httpMethod, String expectedOrigin) throws Exception {
        HTTP.Builder request =
                requestWithHeaders("authDisabled", "authDisabled")
                        .withHeaders(REQUEST_METHOD, httpMethod.toString());
        HTTP.Response response = runQuery(request);

        assertStatus(ClientResponse.Status.OK, response);
        assertCorsHeaderEquals(response, expectedOrigin);
        Assert.assertEquals(httpMethod, HttpMethod.valueOf(response.header(ALLOW_METHODS)));
    }

    /**
     * Posts a password change for {@code username}, authenticating with the current password.
     *
     * <p>The new password is concatenated into the JSON body without escaping, so callers must
     * pass values free of quote characters (the tests here use fixed literals).
     */
    private HTTP.Response changePassword(String username, String currentPassword, String newPassword) {
        HTTP.RawPayload body = HTTP.RawPayload.quotedJson("{'password': '" + newPassword + "'}");
        return requestWithHeaders(username, currentPassword).POST(passwordURL(username), body);
    }

    /** Runs the fixed {@code RETURN 42} statement using basic auth with the given credentials. */
    private HTTP.Response runQuery(String username, String password) {
        HTTP.Builder request = requestWithHeaders(username, password);
        return runQuery(request);
    }

    /** Posts the fixed {@code RETURN 42} statement to {@code txCommitURL()} using the prepared request. */
    private HTTP.Response runQuery(HTTP.Builder builder) {
        HTTP.RawPayload body = HTTP.RawPayload.quotedJson(RETURN_42_PAYLOAD);
        return builder.POST(txCommitURL(), body);
    }

    /** Builds a request with basic-auth credentials plus JSON {@code Accept} and {@code Content-Type} headers. */
    private static HTTP.Builder requestWithHeaders(String username, String password) {
        HTTP.Builder authenticated = HTTP.withBasicAuth(username, password);
        return authenticated.withHeaders(
                "Accept", "application/json; charset=UTF-8",
                "Content-Type", "application/json");
    }

    /** Asserts that the response status code equals the code of the expected status. */
    private static void assertStatus(ClientResponse.Status expected, HTTP.Response response) {
        Assert.assertEquals(expected.getStatusCode(), response.status());
    }

    /** Asserts the wildcard origin; "present" here means exactly {@code *}, not merely non-null. */
    private static void assertCorsHeaderPresent(HTTP.Response response) {
        assertCorsHeaderEquals(response, WILDCARD_ORIGIN);
    }

    /** Asserts that {@code Access-Control-Allow-Origin} on the response equals {@code expectedOrigin}. */
    private static void assertCorsHeaderEquals(HTTP.Response response, String expectedOrigin) {
        Assert.assertEquals(expectedOrigin, response.header(ALLOW_ORIGIN));
    }
}
