package com.floragunn.dlic.auth.ldap;

import com.floragunn.dlic.auth.ldap.backend.LDAPAuthenticationBackend;
import com.floragunn.dlic.auth.ldap.backend.LDAPAuthorizationBackend;
import com.floragunn.dlic.auth.ldap.srv.LdapServer;
import com.floragunn.dlic.auth.ldap.util.LdapHelper;
import com.floragunn.dlic.auth.ldap.util.Utils;
import com.floragunn.searchguard.test.helper.cluster.FileHelper;
import com.floragunn.searchguard.user.AuthCredentials;
import com.floragunn.searchguard.user.User;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.TreeSet;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.common.settings.Settings;
import org.hamcrest.Matchers;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.Test;
import org.ldaptive.LdapAttribute;
import org.ldaptive.LdapEntry;
import org.ldaptive.LdapException;

/* loaded from: input_file:com/floragunn/dlic/auth/ldap/LdapBackendTest.class */
public class LdapBackendTest {
    private static LdapServer tlsLdapServer;
    private static LdapServer startTlsLdapServer;
    private static LdapServer plainTextLdapServer;

    @Test
    public void testLdapAuthentication() throws Exception {
        LdapUser authenticate = new LDAPAuthenticationBackend(Settings.builder().putList("hosts", new String[]{"127.0.0.1:4", "localhost:" + plainTextLdapServer.getPort()}).put("usersearch", "(uid={0})").build(), (Path) null).authenticate(AuthCredentials.forUser("jacksonm").password("secret").build());
        Assert.assertNotNull(authenticate);
        Assert.assertEquals("cn=Michael Jackson,ou=people,o=TEST", authenticate.getName());
    }

    @Test(expected = ElasticsearchSecurityException.class)
    public void testLdapAuthenticationFakeLogin() throws Exception {
        new LDAPAuthenticationBackend(Settings.builder().putList("hosts", new String[]{"localhost:" + plainTextLdapServer.getPort()}).put("usersearch", "(uid={0})").put("fakelogin_enabled", true).build(), (Path) null).authenticate(AuthCredentials.forUser("unknown").password("unknown").build());
    }

    @Test(expected = ElasticsearchSecurityException.class)
    public void testLdapInjection() throws Exception {
        new LDAPAuthenticationBackend(Settings.builder().putList("hosts", new String[]{"localhost:" + plainTextLdapServer.getPort()}).put("usersearch", "(uid={0})").build(), (Path) null).authenticate(AuthCredentials.forUser("*jack*").password("secret").build());
    }

    @Test
    public void testLdapAuthenticationBindDn() throws Exception {
        LdapUser authenticate = new LDAPAuthenticationBackend(Settings.builder().putList("hosts", new String[]{"localhost:" + plainTextLdapServer.getPort()}).put("usersearch", "(uid={0})").put("userbase", "ou=people,o=TEST").put("bind_dn", "cn=Captain Spock,ou=people,o=TEST").put("password", "spocksecret").build(), (Path) null).authenticate(AuthCredentials.forUser("jacksonm").password("secret").build());
        Assert.assertNotNull(authenticate);
        Assert.assertEquals("cn=Michael Jackson,ou=people,o=TEST", authenticate.getName());
    }

    @Test(expected = ElasticsearchSecurityException.class)
    public void testLdapAuthenticationWrongBindDn() throws Exception {
        new LDAPAuthenticationBackend(Settings.builder().putList("hosts", new String[]{"localhost:" + plainTextLdapServer.getPort()}).put("usersearch", "(uid={0})").put("userbase", "ou=people,o=TEST").put("bind_dn", "cn=Captain Spock,ou=people,o=TEST").put("password", "wrong").build(), (Path) null).authenticate(AuthCredentials.forUser("jacksonm").password("secret").build());
    }

    @Test(expected = ElasticsearchSecurityException.class)
    public void testLdapAuthenticationBindFail() throws Exception {
        new LDAPAuthenticationBackend(Settings.builder().putList("hosts", new String[]{"localhost:" + plainTextLdapServer.getPort()}).put("usersearch", "(uid={0})").build(), (Path) null).authenticate(AuthCredentials.forUser("jacksonm").password("wrong").build());
    }

    @Test(expected = ElasticsearchSecurityException.class)
    public void testLdapAuthenticationNoUser() throws Exception {
        new LDAPAuthenticationBackend(Settings.builder().putList("hosts", new String[]{"localhost:" + plainTextLdapServer.getPort()}).put("usersearch", "(uid={0})").build(), (Path) null).authenticate(AuthCredentials.forUser("UNKNOWN").password("UNKNOWN").build());
    }

    @Test(expected = ElasticsearchSecurityException.class)
    public void testLdapAuthenticationFail() throws Exception {
        new LDAPAuthenticationBackend(Settings.builder().putList("hosts", new String[]{"127.0.0.1:4", "localhost:" + plainTextLdapServer.getPort()}).put("usersearch", "(uid={0})").build(), (Path) null).authenticate(AuthCredentials.forUser("jacksonm").password("xxxxx").build());
    }

    @Test
    public void testLdapAuthenticationSSL() throws Exception {
        LdapUser authenticate = new LDAPAuthenticationBackend(Settings.builder().putList("hosts", new String[]{"localhost:" + tlsLdapServer.getPort()}).put("usersearch", "(uid={0})").put("enable_ssl", true).put("searchguard.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks")).put("verify_hostnames", false).put("path.home", ".").build(), (Path) null).authenticate(AuthCredentials.forUser("jacksonm").password("secret").build());
        Assert.assertNotNull(authenticate);
        Assert.assertEquals("cn=Michael Jackson,ou=people,o=TEST", authenticate.getName());
    }

    @Test
    public void testLdapAuthenticationSSLPEMFile() throws Exception {
        LdapUser authenticate = new LDAPAuthenticationBackend(Settings.builder().putList("hosts", new String[]{"localhost:" + tlsLdapServer.getPort()}).put("usersearch", "(uid={0})").put("enable_ssl", true).put("pemtrustedcas_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ldap/root-ca.pem").toFile().getName()).put("verify_hostnames", false).put("path.home", ".").put("path.conf", FileHelper.getAbsoluteFilePathFromClassPath("ldap/root-ca.pem").getParent()).build(), Paths.get("src/test/resources/ldap", new String[0])).authenticate(AuthCredentials.forUser("jacksonm").password("secret").build());
        Assert.assertNotNull(authenticate);
        Assert.assertEquals("cn=Michael Jackson,ou=people,o=TEST", authenticate.getName());
    }

    @Test
    public void testLdapAuthenticationSSLPEMText() throws Exception {
        LdapUser authenticate = new LDAPAuthenticationBackend(Settings.builder().put(Settings.builder().loadFromPath(Paths.get(FileHelper.getAbsoluteFilePathFromClassPath("ldap/test1.yml").toFile().getAbsolutePath(), new String[0])).build()).putList("hosts", new String[]{"localhost:" + tlsLdapServer.getPort()}).build(), (Path) null).authenticate(AuthCredentials.forUser("jacksonm").password("secret").build());
        Assert.assertNotNull(authenticate);
        Assert.assertEquals("cn=Michael Jackson,ou=people,o=TEST", authenticate.getName());
    }

    @Test
    public void testLdapAuthenticationSSLSSLv3() throws Exception {
        try {
            new LDAPAuthenticationBackend(Settings.builder().putList("hosts", new String[]{"localhost:" + tlsLdapServer.getPort()}).put("usersearch", "(uid={0})").put("enable_ssl", true).put("searchguard.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks")).put("verify_hostnames", false).putList("enabled_ssl_protocols", new String[]{"SSLv3"}).put("path.home", ".").build(), (Path) null).authenticate(AuthCredentials.forUser("jacksonm").password("secret").build());
        } catch (Exception e) {
            Assert.assertEquals(e.getCause().getClass(), LdapException.class);
            Assert.assertTrue(e.getCause().getMessage().contains("Unable to connec"));
        }
    }

    @Test
    public void testLdapAuthenticationSSLUnknowCipher() throws Exception {
        try {
            new LDAPAuthenticationBackend(Settings.builder().putList("hosts", new String[]{"localhost:" + tlsLdapServer.getPort()}).put("usersearch", "(uid={0})").put("enable_ssl", true).put("searchguard.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks")).put("verify_hostnames", false).putList("enabled_ssl_ciphers", new String[]{"AAA"}).put("path.home", ".").build(), (Path) null).authenticate(AuthCredentials.forUser("jacksonm").password("secret").build());
        } catch (Exception e) {
            Assert.assertEquals(e.getCause().getClass(), LdapException.class);
            Assert.assertTrue(e.getCause().getMessage().contains("Unable to connec"));
        }
    }

    @Test
    public void testLdapAuthenticationSpecialCipherProtocol() throws Exception {
        LdapUser authenticate = new LDAPAuthenticationBackend(Settings.builder().putList("hosts", new String[]{"localhost:" + tlsLdapServer.getPort()}).put("usersearch", "(uid={0})").put("enable_ssl", true).put("searchguard.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks")).put("verify_hostnames", false).putList("enabled_ssl_protocols", new String[]{"TLSv1.2"}).putList("enabled_ssl_ciphers", new String[]{"TLS_DHE_RSA_WITH_AES_128_CBC_SHA"}).put("path.home", ".").build(), (Path) null).authenticate(AuthCredentials.forUser("jacksonm").password("secret").build());
        Assert.assertNotNull(authenticate);
        Assert.assertEquals("cn=Michael Jackson,ou=people,o=TEST", authenticate.getName());
    }

    @Test
    public void testLdapAuthenticationSSLNoKeystore() throws Exception {
        LdapUser authenticate = new LDAPAuthenticationBackend(Settings.builder().putList("hosts", new String[]{"localhost:" + tlsLdapServer.getPort()}).put("usersearch", "(uid={0})").put("enable_ssl", true).put("searchguard.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks")).put("verify_hostnames", false).put("path.home", ".").build(), (Path) null).authenticate(AuthCredentials.forUser("jacksonm").password("secret").build());
        Assert.assertNotNull(authenticate);
        Assert.assertEquals("cn=Michael Jackson,ou=people,o=TEST", authenticate.getName());
    }

    @Test
    public void testLdapAuthenticationSSLFailPlain() throws Exception {
        try {
            new LDAPAuthenticationBackend(Settings.builder().putList("hosts", new String[]{"localhost:" + tlsLdapServer.getPort()}).put("usersearch", "(uid={0})").put("enable_ssl", true).build(), (Path) null).authenticate(AuthCredentials.forUser("jacksonm").password("secret").build());
        } catch (Exception e) {
            Assert.assertEquals(LdapException.class, e.getCause().getClass());
        }
    }

    @Test
    public void testLdapExists() throws Exception {
        LDAPAuthenticationBackend lDAPAuthenticationBackend = new LDAPAuthenticationBackend(Settings.builder().putList("hosts", new String[]{"127.0.0.1:4", "localhost:" + plainTextLdapServer.getPort()}).put("usersearch", "(uid={0})").build(), (Path) null);
        Assert.assertTrue(lDAPAuthenticationBackend.exists(new User("jacksonm")));
        Assert.assertFalse(lDAPAuthenticationBackend.exists(new User("doesnotexist")));
    }

    @Test
    public void testLdapAuthorization() throws Exception {
        Settings build = Settings.builder().putList("hosts", new String[]{"127.0.0.1:4", "localhost:" + plainTextLdapServer.getPort()}).put("usersearch", "(uid={0})").put("userbase", "ou=people,o=TEST").put("rolebase", "ou=groups,o=TEST").put("rolename", "cn").put("rolesearch", "(uniqueMember={0})").build();
        LdapUser authenticate = new LDAPAuthenticationBackend(build, (Path) null).authenticate(AuthCredentials.forUser("jacksonm").password("secret").build());
        new LDAPAuthorizationBackend(build, (Path) null).fillRoles(authenticate, (AuthCredentials) null);
        Assert.assertNotNull(authenticate);
        Assert.assertEquals("cn=Michael Jackson,ou=people,o=TEST", authenticate.getName());
        Assert.assertEquals(2L, authenticate.getRoles().size());
        Assert.assertEquals("ceo", new ArrayList(new TreeSet(authenticate.getRoles())).get(0));
        Assert.assertEquals(authenticate.getName(), authenticate.getUserEntry().getDN());
    }

    @Test
    public void testLdapAuthenticationReferral() throws Exception {
        LdapEntry lookup = LdapHelper.lookup(LDAPAuthorizationBackend.getConnectionConfig(Settings.builder().putList("hosts", new String[]{"localhost:" + plainTextLdapServer.getPort()}).put("usersearch", "(uid={0})").build(), (Path) null), "cn=Ref1,ou=people,o=TEST");
        Assert.assertNotNull(lookup);
        Assert.assertEquals("cn=refsolved,ou=people,o=TEST", lookup.getDn());
    }

    @Test
    public void testLdapEscape() throws Exception {
        Settings build = Settings.builder().putList("hosts", new String[]{"localhost:" + plainTextLdapServer.getPort()}).put("usersearch", "(uid={0})").put("userbase", "ou=people,o=TEST").put("rolebase", "ou=groups,o=TEST").put("rolename", "cn").put("rolesearch", "(uniqueMember={0})").put("userrolename", "description").put("resolve_nested_roles", true).build();
        LdapUser authenticate = new LDAPAuthenticationBackend(build, (Path) null).authenticate(AuthCredentials.forUser("ssign").password("ssignsecret").build());
        Assert.assertNotNull(authenticate);
        Assert.assertEquals("cn=Special\\, Sign,ou=people,o=TEST", authenticate.getName());
        new LDAPAuthorizationBackend(build, (Path) null).fillRoles(authenticate, (AuthCredentials) null);
        Assert.assertEquals("cn=Special\\, Sign,ou=people,o=TEST", authenticate.getName());
        Assert.assertEquals(4L, authenticate.getRoles().size());
        Assert.assertTrue(authenticate.getRoles().toString().contains("ceo"));
    }

    @Test
    public void testLdapAuthorizationRoleSearchUsername() throws Exception {
        Settings build = Settings.builder().putList("hosts", new String[]{"localhost:" + plainTextLdapServer.getPort()}).put("usersearch", "(cn={0})").put("userbase", "ou=people,o=TEST").put("rolebase", "ou=groups,o=TEST").put("rolename", "cn").put("rolesearch", "(uniqueMember=cn={1},ou=people,o=TEST)").build();
        LdapUser authenticate = new LDAPAuthenticationBackend(build, (Path) null).authenticate(AuthCredentials.forUser("Michael Jackson").password("secret").build());
        new LDAPAuthorizationBackend(build, (Path) null).fillRoles(authenticate, (AuthCredentials) null);
        Assert.assertNotNull(authenticate);
        Assert.assertEquals("Michael Jackson", authenticate.getOriginalUsername());
        Assert.assertEquals("cn=Michael Jackson,ou=people,o=TEST", authenticate.getUserEntry().getDN());
        Assert.assertEquals(2L, authenticate.getRoles().size());
        Assert.assertEquals("ceo", new ArrayList(new TreeSet(authenticate.getRoles())).get(0));
        Assert.assertEquals(authenticate.getName(), authenticate.getUserEntry().getDN());
    }

    @Test
    public void testLdapAuthorizationOnly() throws Exception {
        Settings build = Settings.builder().putList("hosts", new String[]{"localhost:" + plainTextLdapServer.getPort()}).put("usersearch", "(uid={0})").put("userbase", "ou=people,o=TEST").put("rolebase", "ou=groups,o=TEST").put("rolename", "cn").put("rolesearch", "(uniqueMember={0})").build();
        User user = new User("jacksonm");
        new LDAPAuthorizationBackend(build, (Path) null).fillRoles(user, (AuthCredentials) null);
        Assert.assertNotNull(user);
        Assert.assertEquals("jacksonm", user.getName());
        Assert.assertEquals(2L, user.getRoles().size());
        Assert.assertEquals("ceo", new ArrayList(new TreeSet(user.getRoles())).get(0));
    }

    @Test
    public void testLdapAuthorizationNonDNEntry() throws Exception {
        Settings build = Settings.builder().putList("hosts", new String[]{"localhost:" + plainTextLdapServer.getPort()}).put("usersearch", "(uid={0})").put("userbase", "ou=people,o=TEST").put("rolebase", "ou=groups,o=TEST").put("rolename", "description").put("rolesearch", "(uniqueMember={0})").build();
        User user = new User("jacksonm");
        new LDAPAuthorizationBackend(build, (Path) null).fillRoles(user, (AuthCredentials) null);
        Assert.assertNotNull(user);
        Assert.assertEquals("jacksonm", user.getName());
        Assert.assertEquals(2L, user.getRoles().size());
        Assert.assertEquals("ceo-ceo", new ArrayList(new TreeSet(user.getRoles())).get(0));
    }

    @Test
    public void testLdapAuthorizationNested() throws Exception {
        Settings build = Settings.builder().putList("hosts", new String[]{"localhost:" + plainTextLdapServer.getPort()}).put("usersearch", "(uid={0})").put("userbase", "ou=people,o=TEST").put("rolebase", "ou=groups,o=TEST").put("rolename", "cn").put("resolve_nested_roles", true).put("rolesearch", "(uniqueMember={0})").build();
        User user = new User("spock");
        new LDAPAuthorizationBackend(build, (Path) null).fillRoles(user, (AuthCredentials) null);
        Assert.assertNotNull(user);
        Assert.assertEquals("spock", user.getName());
        Assert.assertEquals(4L, user.getRoles().size());
        Assert.assertEquals("nested1", new ArrayList(new TreeSet(user.getRoles())).get(1));
    }

    @Test
    public void testLdapAuthorizationNestedFilter() throws Exception {
        Settings build = Settings.builder().putList("hosts", new String[]{"localhost:" + plainTextLdapServer.getPort()}).put("usersearch", "(uid={0})").put("userbase", "ou=people,o=TEST").put("rolebase", "ou=groups,o=TEST").put("rolename", "cn").put("resolve_nested_roles", true).put("rolesearch", "(uniqueMember={0})").putList("nested_role_filter", new String[]{"cn=nested2,ou=groups,o=TEST"}).build();
        User user = new User("spock");
        new LDAPAuthorizationBackend(build, (Path) null).fillRoles(user, (AuthCredentials) null);
        Assert.assertNotNull(user);
        Assert.assertEquals("spock", user.getName());
        Assert.assertEquals(2L, user.getRoles().size());
        Assert.assertEquals("ceo", new ArrayList(new TreeSet(user.getRoles())).get(0));
        Assert.assertEquals("nested2", new ArrayList(new TreeSet(user.getRoles())).get(1));
    }

    @Test
    public void testLdapAuthorizationDnNested() throws Exception {
        Settings build = Settings.builder().putList("hosts", new String[]{"localhost:" + plainTextLdapServer.getPort()}).put("usersearch", "(uid={0})").put("userbase", "ou=people,o=TEST").put("rolebase", "ou=groups,o=TEST").put("rolename", "dn").put("resolve_nested_roles", true).put("rolesearch", "(uniqueMember={0})").build();
        User user = new User("spock");
        new LDAPAuthorizationBackend(build, (Path) null).fillRoles(user, (AuthCredentials) null);
        Assert.assertNotNull(user);
        Assert.assertEquals("spock", user.getName());
        Assert.assertEquals(4L, user.getRoles().size());
        Assert.assertEquals("cn=nested1,ou=groups,o=TEST", new ArrayList(new TreeSet(user.getRoles())).get(1));
    }

    @Test
    public void testLdapAuthorizationDn() throws Exception {
        Settings build = Settings.builder().putList("hosts", new String[]{"localhost:" + plainTextLdapServer.getPort()}).put("usersearch", "(uid={0})").put("userbase", "ou=people,o=TEST").put("rolebase", "ou=groups,o=TEST").put("rolename", "dn").put("username_attribute", "UID").put("resolve_nested_roles", false).put("rolesearch", "(uniqueMember={0})").build();
        User authenticate = new LDAPAuthenticationBackend(build, (Path) null).authenticate(AuthCredentials.forUser("jacksonm").password("secret").build());
        new LDAPAuthorizationBackend(build, (Path) null).fillRoles(authenticate, (AuthCredentials) null);
        Assert.assertNotNull(authenticate);
        Assert.assertEquals("jacksonm", authenticate.getName());
        Assert.assertEquals(2L, authenticate.getRoles().size());
        Assert.assertEquals("cn=ceo,ou=groups,o=TEST", new ArrayList(new TreeSet(authenticate.getRoles())).get(0));
    }

    @Test
    public void testLdapAuthenticationUserNameAttribute() throws Exception {
        LdapUser authenticate = new LDAPAuthenticationBackend(Settings.builder().putList("hosts", new String[]{"localhost:" + plainTextLdapServer.getPort()}).put("userbase", "ou=people,o=TEST").put("usersearch", "(uid={0})").put("username_attribute", "uid").build(), (Path) null).authenticate(AuthCredentials.forUser("jacksonm").password("secret").build());
        Assert.assertNotNull(authenticate);
        Assert.assertEquals("jacksonm", authenticate.getName());
    }

    @Test
    public void testLdapAuthenticationStartTLS() throws Exception {
        LdapUser authenticate = new LDAPAuthenticationBackend(Settings.builder().putList("hosts", new String[]{"localhost:" + startTlsLdapServer.getPort()}).put("usersearch", "(uid={0})").put("enable_start_tls", true).put("bind_dn", "cn=Michael Jackson,ou=people,o=TEST").put("password", "secret").put("searchguard.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ldap/truststore.jks")).put("verify_hostnames", false).put("path.home", ".").build(), (Path) null).authenticate(AuthCredentials.forUser("jacksonm").password("secret").build());
        Assert.assertNotNull(authenticate);
        Assert.assertEquals("cn=Michael Jackson,ou=people,o=TEST", authenticate.getName());
    }

    @Test
    public void testLdapAuthorizationSkipUsers() throws Exception {
        Settings build = Settings.builder().putList("hosts", new String[]{"127.0.0.1:4", "localhost:" + plainTextLdapServer.getPort()}).put("usersearch", "(uid={0})").put("userbase", "ou=people,o=TEST").put("rolebase", "ou=groups,o=TEST").put("rolename", "cn").put("rolesearch", "(uniqueMember={0})").putList("skip_users", new String[]{"cn=Michael Jackson,ou*people,o=TEST"}).build();
        LdapUser authenticate = new LDAPAuthenticationBackend(build, (Path) null).authenticate(AuthCredentials.forUser("jacksonm").password("secret").build());
        new LDAPAuthorizationBackend(build, (Path) null).fillRoles(authenticate, (AuthCredentials) null);
        Assert.assertNotNull(authenticate);
        Assert.assertEquals("cn=Michael Jackson,ou=people,o=TEST", authenticate.getName());
        Assert.assertEquals(0L, authenticate.getRoles().size());
        Assert.assertEquals(authenticate.getName(), authenticate.getUserEntry().getDN());
    }

    @Test
    public void testLdapAuthorizationSkipUsersNoDn() throws Exception {
        Settings build = Settings.builder().putList("hosts", new String[]{"127.0.0.1:4", "localhost:" + plainTextLdapServer.getPort()}).put("usersearch", "(uid={0})").put("userbase", "ou=people,o=TEST").put("rolebase", "ou=groups,o=TEST").put("rolename", "cn").put("rolesearch", "(uniqueMember={0})").putList("skip_users", new String[]{"jacksonm"}).build();
        LdapUser authenticate = new LDAPAuthenticationBackend(build, (Path) null).authenticate(AuthCredentials.forUser("jacksonm").password("secret").build());
        new LDAPAuthorizationBackend(build, (Path) null).fillRoles(authenticate, (AuthCredentials) null);
        Assert.assertNotNull(authenticate);
        Assert.assertEquals("cn=Michael Jackson,ou=people,o=TEST", authenticate.getName());
        Assert.assertEquals(0L, authenticate.getRoles().size());
        Assert.assertEquals(authenticate.getName(), authenticate.getUserEntry().getDN());
    }

    @Test
    public void testLdapAuthorizationNestedAttr() throws Exception {
        Settings build = Settings.builder().putList("hosts", new String[]{"localhost:" + plainTextLdapServer.getPort()}).put("usersearch", "(uid={0})").put("userbase", "ou=people,o=TEST").put("rolebase", "ou=groups,o=TEST").put("rolename", "cn").put("resolve_nested_roles", true).put("rolesearch", "(uniqueMember={0})").put("userrolename", "description").put("rolesearch_enabled", true).build();
        User user = new User("spock");
        new LDAPAuthorizationBackend(build, (Path) null).fillRoles(user, (AuthCredentials) null);
        Assert.assertNotNull(user);
        Assert.assertEquals("spock", user.getName());
        Assert.assertEquals(8L, user.getRoles().size());
        Assert.assertEquals("nested3", new ArrayList(new TreeSet(user.getRoles())).get(4));
        Assert.assertEquals("rolemo4", new ArrayList(new TreeSet(user.getRoles())).get(7));
    }

    @Test
    public void testLdapAuthorizationNestedAttrFilter() throws Exception {
        Settings build = Settings.builder().putList("hosts", new String[]{"localhost:" + plainTextLdapServer.getPort()}).put("usersearch", "(uid={0})").put("userbase", "ou=people,o=TEST").put("rolebase", "ou=groups,o=TEST").put("rolename", "cn").put("resolve_nested_roles", true).put("rolesearch", "(uniqueMember={0})").put("userrolename", "description").put("rolesearch_enabled", true).putList("nested_role_filter", new String[]{"cn=rolemo4*"}).build();
        User user = new User("spock");
        new LDAPAuthorizationBackend(build, (Path) null).fillRoles(user, (AuthCredentials) null);
        Assert.assertNotNull(user);
        Assert.assertEquals("spock", user.getName());
        Assert.assertEquals(6L, user.getRoles().size());
        Assert.assertEquals("role2", new ArrayList(new TreeSet(user.getRoles())).get(4));
        Assert.assertEquals("nested1", new ArrayList(new TreeSet(user.getRoles())).get(2));
    }

    @Test
    public void testLdapAuthorizationNestedAttrFilterAll() throws Exception {
        Settings build = Settings.builder().putList("hosts", new String[]{"localhost:" + plainTextLdapServer.getPort()}).put("usersearch", "(uid={0})").put("userbase", "ou=people,o=TEST").put("rolebase", "ou=groups,o=TEST").put("rolename", "cn").put("resolve_nested_roles", true).put("rolesearch", "(uniqueMember={0})").put("userrolename", "description").put("rolesearch_enabled", true).putList("nested_role_filter", new String[]{"*"}).build();
        User user = new User("spock");
        new LDAPAuthorizationBackend(build, (Path) null).fillRoles(user, (AuthCredentials) null);
        Assert.assertNotNull(user);
        Assert.assertEquals("spock", user.getName());
        Assert.assertEquals(4L, user.getRoles().size());
    }

    @Test
    public void testLdapAuthorizationNestedAttrFilterAllEqualsNestedFalse() throws Exception {
        Settings build = Settings.builder().putList("hosts", new String[]{"localhost:" + plainTextLdapServer.getPort()}).put("usersearch", "(uid={0})").put("userbase", "ou=people,o=TEST").put("rolebase", "ou=groups,o=TEST").put("rolename", "cn").put("resolve_nested_roles", false).put("rolesearch", "(uniqueMember={0})").put("userrolename", "description").put("rolesearch_enabled", true).build();
        User user = new User("spock");
        new LDAPAuthorizationBackend(build, (Path) null).fillRoles(user, (AuthCredentials) null);
        Assert.assertNotNull(user);
        Assert.assertEquals("spock", user.getName());
        Assert.assertEquals(4L, user.getRoles().size());
    }

    @Test
    public void testLdapAuthorizationNestedAttrNoRoleSearch() throws Exception {
        Settings build = Settings.builder().putList("hosts", new String[]{"localhost:" + plainTextLdapServer.getPort()}).put("usersearch", "(uid={0})").put("userbase", "ou=people,o=TEST").put("rolebase", "unused").put("rolename", "cn").put("resolve_nested_roles", true).put("rolesearch", "(((unused").put("userrolename", "description").put("rolesearch_enabled", false).build();
        User user = new User("spock");
        new LDAPAuthorizationBackend(build, (Path) null).fillRoles(user, (AuthCredentials) null);
        Assert.assertNotNull(user);
        Assert.assertEquals("spock", user.getName());
        Assert.assertEquals(3L, user.getRoles().size());
        Assert.assertEquals("nested3", new ArrayList(new TreeSet(user.getRoles())).get(1));
        Assert.assertEquals("rolemo4", new ArrayList(new TreeSet(user.getRoles())).get(2));
    }

    @Test
    @Deprecated
    public void testCustomAttributes() throws Exception {
        LdapUser authenticate = new LDAPAuthenticationBackend(Settings.builder().putList("hosts", new String[]{"127.0.0.1:4", "localhost:" + plainTextLdapServer.getPort()}).put("usersearch", "(uid={0})").build(), (Path) null).authenticate(AuthCredentials.forUser("jacksonm").password("secret").build());
        Assert.assertNotNull(authenticate);
        Assert.assertEquals("cn=Michael Jackson,ou=people,o=TEST", authenticate.getName());
        Assert.assertEquals(authenticate.getCustomAttributesMap().toString(), 16L, authenticate.getCustomAttributesMap().size());
        Assert.assertFalse(authenticate.getCustomAttributesMap().toString(), authenticate.getCustomAttributesMap().keySet().contains("attr.ldap.userpassword"));
        Assert.assertEquals(new LDAPAuthenticationBackend(Settings.builder().putList("hosts", new String[]{"127.0.0.1:4", "localhost:" + plainTextLdapServer.getPort()}).put("usersearch", "(uid={0})").put("custom_attr_maxval_len", 0).build(), (Path) null).authenticate(AuthCredentials.forUser("jacksonm").password("secret").build()).getCustomAttributesMap().toString(), 2L, r0.getCustomAttributesMap().size());
        Assert.assertEquals(new LDAPAuthenticationBackend(Settings.builder().putList("hosts", new String[]{"127.0.0.1:4", "localhost:" + plainTextLdapServer.getPort()}).put("usersearch", "(uid={0})").putList("custom_attr_whitelist", new String[]{"*objectclass*", "entryParentId"}).build(), (Path) null).authenticate(AuthCredentials.forUser("jacksonm").password("secret").build()).getCustomAttributesMap().toString(), 2L, r0.getCustomAttributesMap().size());
    }

    @Test
    public void testLdapAuthorizationNonDNRoles() throws Exception {
        Settings build = Settings.builder().putList("hosts", new String[]{"localhost:" + plainTextLdapServer.getPort()}).put("usersearch", "(uid={0})").put("userbase", "ou=people,o=TEST").put("rolebase", "ou=groups,o=TEST").put("rolename", "cn").put("resolve_nested_roles", true).put("rolesearch", "(uniqueMember={0})").put("userrolename", "description, ou").put("rolesearch_enabled", true).build();
        User user = new User("nondnroles");
        new LDAPAuthorizationBackend(build, (Path) null).fillRoles(user, (AuthCredentials) null);
        Assert.assertNotNull(user);
        Assert.assertEquals("nondnroles", user.getName());
        Assert.assertEquals(5L, user.getRoles().size());
        Assert.assertTrue("Roles do not contain non-LDAP role 'kibanauser'", user.getRoles().contains("kibanauser"));
        Assert.assertTrue("Roles do not contain non-LDAP role 'humanresources'", user.getRoles().contains("humanresources"));
        Assert.assertTrue("Roles do not contain LDAP role 'dummyempty'", user.getRoles().contains("dummyempty"));
        Assert.assertTrue("Roles do not contain non-LDAP role 'role2'", user.getRoles().contains("role2"));
        Assert.assertTrue("Roles do not contain non-LDAP role 'anotherrole' from second role name", user.getRoles().contains("anotherrole"));
    }

    @Test
    public void testLdapSpecial186() throws Exception {
        Settings build = Settings.builder().putList("hosts", new String[]{"localhost:" + plainTextLdapServer.getPort()}).put("usersearch", "(uid={0})").put("userbase", "ou=people,o=TEST").put("rolebase", "ou=groups,o=TEST").put("rolename", "description").put("rolesearch", "(uniqueMember={0})").put("resolve_nested_roles", true).build();
        LdapUser authenticate = new LDAPAuthenticationBackend(build, (Path) null).authenticate(AuthCredentials.forUser("spec186").password("spec186").build());
        Assert.assertNotNull(authenticate);
        Assert.assertEquals("CN=AA BB/CC (DD) my\\, company end\\=with\\=whitespace\\ ,ou=people,o=TEST", authenticate.getName());
        Assert.assertEquals("AA BB/CC (DD) my, company end=with=whitespace ", Utils.getSingleStringValue(authenticate.getUserEntry().getLdaptiveEntry().getAttribute("cn")));
        new LDAPAuthorizationBackend(build, (Path) null).fillRoles(authenticate, (AuthCredentials) null);
        Assert.assertEquals(3L, authenticate.getRoles().size());
        Assert.assertTrue(authenticate.getRoles().toString().contains("ROLE/(186) consists of\\, special="));
        Assert.assertTrue(authenticate.getRoles().toString().contains("ROLEx(186n) consists of\\, special="));
        Assert.assertTrue(authenticate.getRoles().toString().contains("ROLE/(186nn) consists of\\, special="));
        new LDAPAuthorizationBackend(build, (Path) null).fillRoles(new User("spec186"), (AuthCredentials) null);
        Assert.assertTrue(authenticate.getRoles().toString().contains("ROLE/(186) consists of\\, special="));
        Assert.assertTrue(authenticate.getRoles().toString().contains("ROLEx(186n) consists of\\, special="));
        Assert.assertTrue(authenticate.getRoles().toString().contains("ROLE/(186nn) consists of\\, special="));
        new LDAPAuthorizationBackend(build, (Path) null).fillRoles(new User("CN=AA BB/CC (DD) my\\, company end\\=with\\=whitespace\\ ,ou=people,o=TEST"), (AuthCredentials) null);
        Assert.assertTrue(authenticate.getRoles().toString().contains("ROLE/(186) consists of\\, special="));
        Assert.assertTrue(authenticate.getRoles().toString().contains("ROLEx(186n) consists of\\, special="));
        Assert.assertTrue(authenticate.getRoles().toString().contains("ROLE/(186nn) consists of\\, special="));
        new LDAPAuthorizationBackend(build, (Path) null).fillRoles(new User("CN=AA BB\\/CC (DD) my\\, company end\\=with\\=whitespace\\ ,ou=people,o=TEST"), (AuthCredentials) null);
        Assert.assertTrue(authenticate.getRoles().toString().contains("ROLE/(186) consists of\\, special="));
        Assert.assertTrue(authenticate.getRoles().toString().contains("ROLEx(186n) consists of\\, special="));
        Assert.assertTrue(authenticate.getRoles().toString().contains("ROLE/(186nn) consists of\\, special="));
    }

    @Test
    public void testLdapSpecial186_2() throws Exception {
        Settings build = Settings.builder().putList("hosts", new String[]{"localhost:" + plainTextLdapServer.getPort()}).put("usersearch", "(uid={0})").put("userbase", "ou=people,o=TEST").put("rolebase", "ou=groups,o=TEST").put("rolename", "dn").put("rolesearch", "(uniqueMember={0})").put("resolve_nested_roles", true).build();
        LdapUser authenticate = new LDAPAuthenticationBackend(build, (Path) null).authenticate(AuthCredentials.forUser("spec186").password("spec186").build());
        Assert.assertNotNull(authenticate);
        Assert.assertEquals("CN=AA BB/CC (DD) my\\, company end\\=with\\=whitespace\\ ,ou=people,o=TEST", authenticate.getName());
        Assert.assertEquals("AA BB/CC (DD) my, company end=with=whitespace ", Utils.getSingleStringValue(authenticate.getUserEntry().getLdaptiveEntry().getAttribute("cn")));
        new LDAPAuthorizationBackend(build, (Path) null).fillRoles(authenticate, (AuthCredentials) null);
        Assert.assertEquals(3L, authenticate.getRoles().size());
        Assert.assertTrue(authenticate.getRoles().toString().contains("cn=ROLE/(186) consists of\\, special\\=chars\\ "));
        Assert.assertTrue(authenticate.getRoles().toString().contains("cn=ROLE/(186n) consists of\\, special\\=chars\\ "));
        Assert.assertTrue(authenticate.getRoles().toString().contains("cn=ROLE/(186nn) consists of\\, special\\=chars\\ "));
        new LDAPAuthorizationBackend(build, (Path) null).fillRoles(new User("spec186"), (AuthCredentials) null);
        Assert.assertTrue(authenticate.getRoles().toString().contains("cn=ROLE/(186) consists of\\, special\\=chars\\ "));
        Assert.assertTrue(authenticate.getRoles().toString().contains("cn=ROLE/(186n) consists of\\, special\\=chars\\ "));
        Assert.assertTrue(authenticate.getRoles().toString().contains("cn=ROLE/(186nn) consists of\\, special\\=chars\\ "));
        new LDAPAuthorizationBackend(build, (Path) null).fillRoles(new User("CN=AA BB/CC (DD) my\\, company end\\=with\\=whitespace\\ ,ou=people,o=TEST"), (AuthCredentials) null);
        Assert.assertTrue(authenticate.getRoles().toString().contains("cn=ROLE/(186) consists of\\, special\\=chars\\ "));
        Assert.assertTrue(authenticate.getRoles().toString().contains("cn=ROLE/(186n) consists of\\, special\\=chars\\ "));
        Assert.assertTrue(authenticate.getRoles().toString().contains("cn=ROLE/(186nn) consists of\\, special\\=chars\\ "));
        new LDAPAuthorizationBackend(build, (Path) null).fillRoles(new User("CN=AA BB\\/CC (DD) my\\, company end\\=with\\=whitespace\\ ,ou=people,o=TEST"), (AuthCredentials) null);
        Assert.assertTrue(authenticate.getRoles().toString().contains("cn=ROLE/(186) consists of\\, special\\=chars\\ "));
        Assert.assertTrue(authenticate.getRoles().toString().contains("cn=ROLE/(186n) consists of\\, special\\=chars\\ "));
        Assert.assertTrue(authenticate.getRoles().toString().contains("cn=ROLE/(186nn) consists of\\, special\\=chars\\ "));
    }

    @Test
    public void testOperationalAttributes() throws Exception {
        LdapUser authenticate = new LDAPAuthenticationBackend(Settings.builder().putList("hosts", new String[]{"localhost:" + plainTextLdapServer.getPort()}).put("usersearch", "(uid={0})").build(), (Path) null).authenticate(AuthCredentials.forUser("jacksonm").password("secret").build());
        Assert.assertNotNull(authenticate);
        LdapAttribute attribute = authenticate.getUserEntry().getLdaptiveEntry().getAttribute("entryUUID");
        Assert.assertNotNull(attribute);
        Assert.assertNotNull(attribute.getStringValue());
        Assert.assertTrue(attribute.getStringValue().length() > 10);
        Assert.assertTrue(attribute.getStringValue().split("-").length == 5);
    }

    @Test
    public void testMultiCn() throws Exception {
        LdapUser authenticate = new LDAPAuthenticationBackend(Settings.builder().putList("hosts", new String[]{"localhost:" + plainTextLdapServer.getPort()}).put("usersearch", "(uid={0})").put("userbase", "ou=people,o=TEST").put("rolebase", "ou=groups,o=TEST").put("rolename", "cn").put("rolesearch", "(uniqueMember={0})").put("resolve_nested_roles", true).build(), (Path) null).authenticate(AuthCredentials.forUser("multi").password("multi").build());
        Assert.assertNotNull(authenticate);
        Assert.assertEquals("cn=cabc,ou=people,o=TEST", authenticate.getName());
    }

    @Test
    public void testMultiValuedAttributes() throws Exception {
        LdapUser authenticate = new LDAPAuthenticationBackend(Settings.builder().putList("hosts", new String[]{"localhost:" + plainTextLdapServer.getPort()}).put("usersearch", "(uid={0})").put("userbase", "ou=people,o=TEST").put("rolebase", "ou=groups,o=TEST").put("rolename", "cn").put("rolesearch", "(uniqueMember={0})").put("resolve_nested_roles", true).put("map_ldap_attrs_to_user_attrs.mapped_mail", "mail").put("map_ldap_attrs_to_user_attrs.mapped_description", "description").build(), (Path) null).authenticate(AuthCredentials.forUser("multivalued").password("multivalued").build());
        Assert.assertNotNull(authenticate);
        Assert.assertThat((Iterable) authenticate.getStructuredAttributes().get("mapped_mail"), Matchers.containsInAnyOrder(new Object[]{"multivalued1@example.com", "multivalued2@example.com", "multivalued3@example.com"}));
        Assert.assertThat((Iterable) authenticate.getStructuredAttributes().get("mapped_description"), Matchers.containsInAnyOrder(new Object[]{"cn=multivalued1,ou=groups,o=TEST", "cn=multivalued2,ou=groups,o=TEST"}));
    }

    @AfterClass
    public static void tearDown() throws Exception {
        if (tlsLdapServer != null) {
            tlsLdapServer.stop();
        }
        if (startTlsLdapServer != null) {
            startTlsLdapServer.stop();
        }
        if (plainTextLdapServer != null) {
            plainTextLdapServer.stop();
        }
    }

    static {
        System.setProperty("sg.display_lic_none", "true");
        tlsLdapServer = LdapServer.createTls("base.ldif");
        startTlsLdapServer = LdapServer.createStartTls("base.ldif");
        plainTextLdapServer = LdapServer.createPlainText("base.ldif");
    }
}
