package org.sonar.server.authentication;

import com.google.common.collect.Sets;
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.function.Consumer;
import java.util.function.Function;
import java.util.stream.Collectors;
import org.assertj.core.api.Assertions;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.ExpectedException;
import org.mockito.Mockito;
import org.sonar.api.config.internal.MapSettings;
import org.sonar.api.server.authentication.UserIdentity;
import org.sonar.api.utils.System2;
import org.sonar.api.utils.internal.AlwaysIncreasingSystem2;
import org.sonar.core.util.UuidFactoryFast;
import org.sonar.core.util.stream.MoreCollectors;
import org.sonar.db.DbTester;
import org.sonar.db.organization.OrganizationDto;
import org.sonar.db.user.GroupDto;
import org.sonar.db.user.UserDto;
import org.sonar.db.user.UserTesting;
import org.sonar.server.authentication.UserIdentityAuthenticatorParameters;
import org.sonar.server.authentication.event.AuthenticationEvent;
import org.sonar.server.authentication.event.AuthenticationExceptionMatcher;
import org.sonar.server.authentication.exception.EmailAlreadyExistsRedirectionException;
import org.sonar.server.authentication.exception.UpdateLoginRedirectionException;
import org.sonar.server.es.EsTester;
import org.sonar.server.organization.DefaultOrganizationProvider;
import org.sonar.server.organization.OrganizationUpdater;
import org.sonar.server.organization.OrganizationUpdaterImpl;
import org.sonar.server.organization.OrganizationValidationImpl;
import org.sonar.server.organization.TestDefaultOrganizationProvider;
import org.sonar.server.organization.TestOrganizationFlags;
import org.sonar.server.qualityprofile.BuiltInQProfileRepository;
import org.sonar.server.user.NewUserNotifier;
import org.sonar.server.user.UserUpdater;
import org.sonar.server.user.index.UserIndexer;
import org.sonar.server.usergroups.DefaultGroupCreator;
import org.sonar.server.usergroups.DefaultGroupFinder;

/* loaded from: input_file:org/sonar/server/authentication/UserIdentityAuthenticatorImplTest.class */
public class UserIdentityAuthenticatorImplTest {
    private static String USER_LOGIN = "github-johndoo";
    private static UserIdentity USER_IDENTITY = UserIdentity.builder().setProviderId("ABCD").setProviderLogin("johndoo").setLogin(USER_LOGIN).setName("John").setEmail("john@email.com").build();
    private static TestIdentityProvider IDENTITY_PROVIDER = new TestIdentityProvider().setKey("github").setName("name of github").setEnabled(true).setAllowsUsersToSignUp(true);
    private MapSettings settings = new MapSettings();

    @Rule
    public ExpectedException expectedException = ExpectedException.none();

    @Rule
    public DbTester db = DbTester.create(new AlwaysIncreasingSystem2());

    @Rule
    public EsTester es = EsTester.create();
    private UserIndexer userIndexer = new UserIndexer(this.db.getDbClient(), this.es.client());
    private DefaultOrganizationProvider defaultOrganizationProvider = TestDefaultOrganizationProvider.from(this.db);
    private OrganizationUpdater organizationUpdater = (OrganizationUpdater) Mockito.mock(OrganizationUpdater.class);
    private TestOrganizationFlags organizationFlags = TestOrganizationFlags.standalone();
    private LocalAuthentication localAuthentication = new LocalAuthentication(this.db.getDbClient());
    private UserUpdater userUpdater = new UserUpdater((NewUserNotifier) Mockito.mock(NewUserNotifier.class), this.db.getDbClient(), this.userIndexer, this.organizationFlags, this.defaultOrganizationProvider, this.organizationUpdater, new DefaultGroupFinder(this.db.getDbClient()), this.settings.asConfig(), this.localAuthentication);
    private UserIdentityAuthenticatorImpl underTest = new UserIdentityAuthenticatorImpl(this.db.getDbClient(), this.userUpdater, this.defaultOrganizationProvider, this.organizationFlags, new OrganizationUpdaterImpl(this.db.getDbClient(), (System2) Mockito.mock(System2.class), UuidFactoryFast.getInstance(), new OrganizationValidationImpl(), this.settings.asConfig(), (UserIndexer) null, (BuiltInQProfileRepository) null, (DefaultGroupCreator) null), new DefaultGroupFinder(this.db.getDbClient()));

    @Test
    public void authenticate_new_user() {
        this.organizationFlags.setEnabled(true);
        this.underTest.authenticate(UserIdentityAuthenticatorParameters.builder().setUserIdentity(USER_IDENTITY).setProvider(IDENTITY_PROVIDER).setSource(AuthenticationEvent.Source.realm(AuthenticationEvent.Method.BASIC, IDENTITY_PROVIDER.getName())).setExistingEmailStrategy(UserIdentityAuthenticatorParameters.ExistingEmailStrategy.FORBID).setUpdateLoginStrategy(UserIdentityAuthenticatorParameters.UpdateLoginStrategy.ALLOW).build());
        UserDto userDto = (UserDto) this.db.users().selectUserByLogin(USER_LOGIN).get();
        Assertions.assertThat(userDto).isNotNull();
        Assertions.assertThat(userDto.isActive()).isTrue();
        Assertions.assertThat(userDto.getName()).isEqualTo("John");
        Assertions.assertThat(userDto.getEmail()).isEqualTo("john@email.com");
        Assertions.assertThat(userDto.getExternalLogin()).isEqualTo("johndoo");
        Assertions.assertThat(userDto.getExternalIdentityProvider()).isEqualTo("github");
        Assertions.assertThat(userDto.getExternalId()).isEqualTo("ABCD");
        Assertions.assertThat(userDto.isRoot()).isFalse();
        checkGroupMembership(userDto, new GroupDto[0]);
    }

    @Test
    public void authenticate_new_user_with_groups() {
        this.organizationFlags.setEnabled(true);
        GroupDto insertGroup = this.db.users().insertGroup(this.db.getDefaultOrganization(), "group1");
        GroupDto insertGroup2 = this.db.users().insertGroup(this.db.getDefaultOrganization(), "group2");
        authenticate(USER_LOGIN, "group1", "group2", "group3");
        checkGroupMembership((UserDto) this.db.users().selectUserByLogin(USER_LOGIN).get(), insertGroup, insertGroup2);
    }

    @Test
    public void authenticate_new_user_and_force_default_group_when_organizations_are_disabled() {
        this.organizationFlags.setEnabled(false);
        UserDto insertUser = this.db.users().insertUser();
        GroupDto insertGroup = this.db.users().insertGroup(this.db.getDefaultOrganization(), "group1");
        GroupDto insertDefaultGroup = insertDefaultGroup();
        this.db.users().insertMember(insertGroup, insertUser);
        this.db.users().insertMember(insertDefaultGroup, insertUser);
        authenticate(insertUser.getLogin(), "group1");
        checkGroupMembership(insertUser, insertGroup, insertDefaultGroup);
    }

    @Test
    public void does_not_force_default_group_when_authenticating_new_user_if_organizations_are_enabled() {
        this.organizationFlags.setEnabled(true);
        UserDto insertUser = this.db.users().insertUser();
        GroupDto insertGroup = this.db.users().insertGroup(this.db.getDefaultOrganization(), "group1");
        GroupDto insertDefaultGroup = insertDefaultGroup();
        this.db.users().insertMember(insertGroup, insertUser);
        this.db.users().insertMember(insertDefaultGroup, insertUser);
        authenticate(insertUser.getLogin(), "group1");
        checkGroupMembership(insertUser, insertGroup);
    }

    @Test
    public void authenticate_new_user_sets_onboarded_flag_to_false_when_onboarding_setting_is_set_to_true() {
        this.organizationFlags.setEnabled(true);
        this.settings.setProperty("sonar.onboardingTutorial.showToNewUsers", true);
        this.underTest.authenticate(UserIdentityAuthenticatorParameters.builder().setUserIdentity(USER_IDENTITY).setProvider(IDENTITY_PROVIDER).setSource(AuthenticationEvent.Source.local(AuthenticationEvent.Method.BASIC)).setExistingEmailStrategy(UserIdentityAuthenticatorParameters.ExistingEmailStrategy.FORBID).setUpdateLoginStrategy(UserIdentityAuthenticatorParameters.UpdateLoginStrategy.ALLOW).build());
        Assertions.assertThat(((UserDto) this.db.users().selectUserByLogin(USER_LOGIN).get()).isOnboarded()).isFalse();
    }

    @Test
    public void authenticate_new_user_sets_onboarded_flag_to_true_when_onboarding_setting_is_set_to_false() {
        this.organizationFlags.setEnabled(true);
        this.settings.setProperty("sonar.onboardingTutorial.showToNewUsers", false);
        this.underTest.authenticate(UserIdentityAuthenticatorParameters.builder().setUserIdentity(USER_IDENTITY).setProvider(IDENTITY_PROVIDER).setSource(AuthenticationEvent.Source.local(AuthenticationEvent.Method.BASIC)).setExistingEmailStrategy(UserIdentityAuthenticatorParameters.ExistingEmailStrategy.FORBID).setUpdateLoginStrategy(UserIdentityAuthenticatorParameters.UpdateLoginStrategy.ALLOW).build());
        Assertions.assertThat(((UserDto) this.db.users().selectUserByLogin(USER_LOGIN).get()).isOnboarded()).isTrue();
    }

    @Test
    public void external_id_is_set_to_provider_login_when_null() {
        this.organizationFlags.setEnabled(true);
        UserIdentity build = UserIdentity.builder().setProviderId((String) null).setLogin("john").setProviderLogin("johndoo").setName("JOhn").build();
        this.underTest.authenticate(UserIdentityAuthenticatorParameters.builder().setUserIdentity(build).setProvider(IDENTITY_PROVIDER).setSource(AuthenticationEvent.Source.local(AuthenticationEvent.Method.BASIC)).setExistingEmailStrategy(UserIdentityAuthenticatorParameters.ExistingEmailStrategy.FORBID).setUpdateLoginStrategy(UserIdentityAuthenticatorParameters.UpdateLoginStrategy.ALLOW).build());
        Assertions.assertThat(this.db.users().selectUserByLogin(build.getLogin()).get()).extracting(new Function[]{(v0) -> {
            return v0.getLogin();
        }, (v0) -> {
            return v0.getExternalId();
        }, (v0) -> {
            return v0.getExternalLogin();
        }}).contains(new Object[]{"john", "johndoo", "johndoo"});
    }

    @Test
    public void authenticate_new_user_update_existing_user_email_when_strategy_is_ALLOW() {
        this.organizationFlags.setEnabled(true);
        UserDto insertUser = this.db.users().insertUser(new Consumer[]{userDto -> {
            userDto.setEmail("john@email.com");
        }});
        UserIdentity build = UserIdentity.builder().setProviderLogin("johndoo").setLogin("new_login").setName(insertUser.getName()).setEmail(insertUser.getEmail()).build();
        this.underTest.authenticate(UserIdentityAuthenticatorParameters.builder().setUserIdentity(build).setProvider(IDENTITY_PROVIDER).setSource(AuthenticationEvent.Source.local(AuthenticationEvent.Method.BASIC)).setExistingEmailStrategy(UserIdentityAuthenticatorParameters.ExistingEmailStrategy.ALLOW).setUpdateLoginStrategy(UserIdentityAuthenticatorParameters.UpdateLoginStrategy.ALLOW).build());
        Assertions.assertThat(((UserDto) this.db.users().selectUserByLogin(build.getLogin()).get()).getEmail()).isEqualTo(insertUser.getEmail());
        Assertions.assertThat(((UserDto) this.db.users().selectUserByLogin(insertUser.getLogin()).get()).getEmail()).isNull();
    }

    @Test
    public void throw_EmailAlreadyExistException_when_authenticating_new_user_when_email_already_exists_and_strategy_is_WARN() {
        this.organizationFlags.setEnabled(true);
        UserDto insertUser = this.db.users().insertUser(new Consumer[]{userDto -> {
            userDto.setEmail("john@email.com");
        }});
        UserIdentity build = UserIdentity.builder().setProviderLogin("johndoo").setLogin("new_login").setName(insertUser.getName()).setEmail(insertUser.getEmail()).build();
        this.expectedException.expect(EmailAlreadyExistsRedirectionException.class);
        this.underTest.authenticate(UserIdentityAuthenticatorParameters.builder().setUserIdentity(build).setProvider(IDENTITY_PROVIDER).setSource(AuthenticationEvent.Source.local(AuthenticationEvent.Method.BASIC)).setExistingEmailStrategy(UserIdentityAuthenticatorParameters.ExistingEmailStrategy.WARN).setUpdateLoginStrategy(UserIdentityAuthenticatorParameters.UpdateLoginStrategy.ALLOW).build());
    }

    @Test
    public void throw_AuthenticationException_when_authenticating_new_user_when_email_already_exists_and_strategy_is_FORBID() {
        this.db.users().insertUser(new Consumer[]{userDto -> {
            userDto.setEmail("john@email.com");
        }});
        AuthenticationEvent.Source realm = AuthenticationEvent.Source.realm(AuthenticationEvent.Method.FORM, IDENTITY_PROVIDER.getName());
        this.expectedException.expect(AuthenticationExceptionMatcher.authenticationException().from(realm).withLogin(USER_IDENTITY.getLogin()).andPublicMessage("You can't sign up because email 'john@email.com' is already used by an existing user. This means that you probably already registered with another account."));
        this.expectedException.expectMessage("Email 'john@email.com' is already used");
        this.underTest.authenticate(UserIdentityAuthenticatorParameters.builder().setUserIdentity(USER_IDENTITY).setProvider(IDENTITY_PROVIDER).setSource(realm).setExistingEmailStrategy(UserIdentityAuthenticatorParameters.ExistingEmailStrategy.FORBID).setExistingEmailStrategy(UserIdentityAuthenticatorParameters.ExistingEmailStrategy.FORBID).setUpdateLoginStrategy(UserIdentityAuthenticatorParameters.UpdateLoginStrategy.ALLOW).build());
    }

    @Test
    public void throw_AuthenticationException_when_authenticating_new_user_and_email_already_exists_multiple_times() {
        this.db.users().insertUser(new Consumer[]{userDto -> {
            userDto.setEmail("john@email.com");
        }});
        this.db.users().insertUser(new Consumer[]{userDto2 -> {
            userDto2.setEmail("john@email.com");
        }});
        AuthenticationEvent.Source realm = AuthenticationEvent.Source.realm(AuthenticationEvent.Method.FORM, IDENTITY_PROVIDER.getName());
        this.expectedException.expect(AuthenticationExceptionMatcher.authenticationException().from(realm).withLogin(USER_IDENTITY.getLogin()).andPublicMessage("You can't sign up because email 'john@email.com' is already used by an existing user. This means that you probably already registered with another account."));
        this.expectedException.expectMessage("Email 'john@email.com' is already used");
        this.underTest.authenticate(UserIdentityAuthenticatorParameters.builder().setUserIdentity(USER_IDENTITY).setProvider(IDENTITY_PROVIDER).setSource(realm).setExistingEmailStrategy(UserIdentityAuthenticatorParameters.ExistingEmailStrategy.FORBID).setExistingEmailStrategy(UserIdentityAuthenticatorParameters.ExistingEmailStrategy.FORBID).setUpdateLoginStrategy(UserIdentityAuthenticatorParameters.UpdateLoginStrategy.ALLOW).build());
    }

    @Test
    public void fail_to_authenticate_new_user_when_allow_users_to_signup_is_false() {
        TestIdentityProvider allowsUsersToSignUp = new TestIdentityProvider().setKey("github").setName("Github").setEnabled(true).setAllowsUsersToSignUp(false);
        AuthenticationEvent.Source realm = AuthenticationEvent.Source.realm(AuthenticationEvent.Method.FORM, allowsUsersToSignUp.getName());
        this.expectedException.expect(AuthenticationExceptionMatcher.authenticationException().from(realm).withLogin(USER_IDENTITY.getLogin()).andPublicMessage("'github' users are not allowed to sign up"));
        this.expectedException.expectMessage("User signup disabled for provider 'github'");
        this.underTest.authenticate(UserIdentityAuthenticatorParameters.builder().setUserIdentity(USER_IDENTITY).setProvider(allowsUsersToSignUp).setSource(realm).setExistingEmailStrategy(UserIdentityAuthenticatorParameters.ExistingEmailStrategy.FORBID).setUpdateLoginStrategy(UserIdentityAuthenticatorParameters.UpdateLoginStrategy.ALLOW).build());
    }

    @Test
    public void authenticate_existing_user_matching_login() {
        this.db.users().insertUser(new Consumer[]{userDto -> {
            userDto.setLogin(USER_LOGIN).setName("Old name").setEmail("Old email").setExternalId("old id").setExternalLogin("old identity").setExternalIdentityProvider("old provide");
        }});
        this.underTest.authenticate(UserIdentityAuthenticatorParameters.builder().setUserIdentity(USER_IDENTITY).setProvider(IDENTITY_PROVIDER).setSource(AuthenticationEvent.Source.local(AuthenticationEvent.Method.BASIC)).setExistingEmailStrategy(UserIdentityAuthenticatorParameters.ExistingEmailStrategy.FORBID).setUpdateLoginStrategy(UserIdentityAuthenticatorParameters.UpdateLoginStrategy.ALLOW).build());
        Assertions.assertThat(this.db.users().selectUserByLogin(USER_LOGIN).get()).extracting(new Function[]{(v0) -> {
            return v0.getName();
        }, (v0) -> {
            return v0.getEmail();
        }, (v0) -> {
            return v0.getExternalId();
        }, (v0) -> {
            return v0.getExternalLogin();
        }, (v0) -> {
            return v0.getExternalIdentityProvider();
        }, (v0) -> {
            return v0.isActive();
        }}).contains(new Object[]{"John", "john@email.com", "ABCD", "johndoo", "github", true});
    }

    @Test
    public void authenticate_existing_user_matching_external_id() {
        UserDto insertUser = this.db.users().insertUser(new Consumer[]{userDto -> {
            userDto.setLogin("Old login").setName("Old name").setEmail("Old email").setExternalId(USER_IDENTITY.getProviderId()).setExternalLogin("old identity").setExternalIdentityProvider(IDENTITY_PROVIDER.getKey());
        }});
        this.underTest.authenticate(UserIdentityAuthenticatorParameters.builder().setUserIdentity(USER_IDENTITY).setProvider(IDENTITY_PROVIDER).setSource(AuthenticationEvent.Source.local(AuthenticationEvent.Method.BASIC)).setExistingEmailStrategy(UserIdentityAuthenticatorParameters.ExistingEmailStrategy.FORBID).setUpdateLoginStrategy(UserIdentityAuthenticatorParameters.UpdateLoginStrategy.ALLOW).build());
        Assertions.assertThat(this.db.users().selectUserByLogin("Old login")).isNotPresent();
        Assertions.assertThat(this.db.getDbClient().userDao().selectByUuid(this.db.getSession(), insertUser.getUuid())).extracting(new Function[]{(v0) -> {
            return v0.getLogin();
        }, (v0) -> {
            return v0.getName();
        }, (v0) -> {
            return v0.getEmail();
        }, (v0) -> {
            return v0.getExternalId();
        }, (v0) -> {
            return v0.getExternalLogin();
        }, (v0) -> {
            return v0.getExternalIdentityProvider();
        }, (v0) -> {
            return v0.isActive();
        }}).contains(new Object[]{USER_LOGIN, "John", "john@email.com", "ABCD", "johndoo", "github", true});
    }

    @Test
    public void authenticate_existing_user_and_update_only_login() {
        UserDto insertUser = this.db.users().insertUser(new Consumer[]{userDto -> {
            userDto.setLogin("old login").setName(USER_IDENTITY.getName()).setEmail(USER_IDENTITY.getEmail()).setExternalId(USER_IDENTITY.getProviderId()).setExternalLogin("old identity").setExternalIdentityProvider(IDENTITY_PROVIDER.getKey());
        }});
        this.underTest.authenticate(UserIdentityAuthenticatorParameters.builder().setUserIdentity(USER_IDENTITY).setProvider(IDENTITY_PROVIDER).setSource(AuthenticationEvent.Source.local(AuthenticationEvent.Method.BASIC)).setExistingEmailStrategy(UserIdentityAuthenticatorParameters.ExistingEmailStrategy.FORBID).setUpdateLoginStrategy(UserIdentityAuthenticatorParameters.UpdateLoginStrategy.ALLOW).build());
        Assertions.assertThat(this.db.users().selectUserByLogin("Old login")).isNotPresent();
        Assertions.assertThat(this.db.getDbClient().userDao().selectByUuid(this.db.getSession(), insertUser.getUuid())).extracting(new Function[]{(v0) -> {
            return v0.getLogin();
        }, (v0) -> {
            return v0.getName();
        }, (v0) -> {
            return v0.getEmail();
        }, (v0) -> {
            return v0.getExternalId();
        }, (v0) -> {
            return v0.getExternalLogin();
        }, (v0) -> {
            return v0.getExternalIdentityProvider();
        }, (v0) -> {
            return v0.isActive();
        }}).containsExactlyInAnyOrder(new Object[]{USER_LOGIN, USER_IDENTITY.getName(), USER_IDENTITY.getEmail(), USER_IDENTITY.getProviderId(), USER_IDENTITY.getProviderLogin(), IDENTITY_PROVIDER.getKey(), true});
    }

    @Test
    public void authenticate_existing_user_matching_login_when_external_id_is_null() {
        UserDto insertUser = this.db.users().insertUser(new Consumer[]{userDto -> {
            userDto.setLogin(USER_LOGIN).setName("Old name").setEmail("Old email").setExternalId("Old id").setExternalLogin("old identity").setExternalIdentityProvider(IDENTITY_PROVIDER.getKey());
        }});
        this.underTest.authenticate(UserIdentityAuthenticatorParameters.builder().setUserIdentity(UserIdentity.builder().setProviderId((String) null).setProviderLogin("johndoo").setLogin(USER_LOGIN).setName("John").setEmail("john@email.com").build()).setProvider(IDENTITY_PROVIDER).setSource(AuthenticationEvent.Source.local(AuthenticationEvent.Method.BASIC)).setExistingEmailStrategy(UserIdentityAuthenticatorParameters.ExistingEmailStrategy.FORBID).setUpdateLoginStrategy(UserIdentityAuthenticatorParameters.UpdateLoginStrategy.ALLOW).build());
        Assertions.assertThat(this.db.getDbClient().userDao().selectByUuid(this.db.getSession(), insertUser.getUuid())).extracting(new Function[]{(v0) -> {
            return v0.getLogin();
        }, (v0) -> {
            return v0.getName();
        }, (v0) -> {
            return v0.getEmail();
        }, (v0) -> {
            return v0.getExternalId();
        }, (v0) -> {
            return v0.getExternalLogin();
        }, (v0) -> {
            return v0.getExternalIdentityProvider();
        }, (v0) -> {
            return v0.isActive();
        }}).contains(new Object[]{insertUser.getLogin(), "John", "john@email.com", "johndoo", "johndoo", "github", true});
    }

    @Test
    public void authenticate_existing_user_with_login_update_and_strategy_is_ALLOW() {
        UserDto insertUser = this.db.users().insertUser(new Consumer[]{userDto -> {
            userDto.setLogin("Old login").setExternalId(USER_IDENTITY.getProviderId()).setExternalLogin("old identity").setExternalIdentityProvider(IDENTITY_PROVIDER.getKey());
        }});
        this.underTest.authenticate(UserIdentityAuthenticatorParameters.builder().setUserIdentity(USER_IDENTITY).setProvider(IDENTITY_PROVIDER).setSource(AuthenticationEvent.Source.local(AuthenticationEvent.Method.BASIC)).setExistingEmailStrategy(UserIdentityAuthenticatorParameters.ExistingEmailStrategy.FORBID).setUpdateLoginStrategy(UserIdentityAuthenticatorParameters.UpdateLoginStrategy.ALLOW).build());
        Assertions.assertThat(this.db.getDbClient().userDao().selectByUuid(this.db.getSession(), insertUser.getUuid())).extracting(new Function[]{(v0) -> {
            return v0.getLogin();
        }, (v0) -> {
            return v0.getExternalLogin();
        }}).contains(new Object[]{USER_LOGIN, USER_IDENTITY.getProviderLogin()});
    }

    @Test
    public void authenticate_existing_user_with_login_update_and_personal_org_does_not_exits_and_strategy_is_WARN() {
        this.organizationFlags.setEnabled(true);
        UserDto insertUser = this.db.users().insertUser(new Consumer[]{userDto -> {
            userDto.setLogin("Old login").setExternalId(USER_IDENTITY.getProviderId()).setExternalLogin("old identity").setExternalIdentityProvider(IDENTITY_PROVIDER.getKey()).setOrganizationUuid((String) null);
        }});
        this.underTest.authenticate(UserIdentityAuthenticatorParameters.builder().setUserIdentity(USER_IDENTITY).setProvider(IDENTITY_PROVIDER).setSource(AuthenticationEvent.Source.local(AuthenticationEvent.Method.BASIC)).setExistingEmailStrategy(UserIdentityAuthenticatorParameters.ExistingEmailStrategy.FORBID).setUpdateLoginStrategy(UserIdentityAuthenticatorParameters.UpdateLoginStrategy.WARN).build());
        Assertions.assertThat(this.db.getDbClient().userDao().selectByUuid(this.db.getSession(), insertUser.getUuid())).extracting(new Function[]{(v0) -> {
            return v0.getLogin();
        }, (v0) -> {
            return v0.getExternalLogin();
        }}).contains(new Object[]{USER_LOGIN, USER_IDENTITY.getProviderLogin()});
    }

    @Test
    public void throw_UpdateLoginRedirectionException_when_authenticating_with_login_update_and_personal_org_exists_and_strategy_is_WARN() {
        this.organizationFlags.setEnabled(true);
        OrganizationDto insert = this.db.organizations().insert(organizationDto -> {
            organizationDto.setKey("Old login");
        });
        this.db.users().insertUser(new Consumer[]{userDto -> {
            userDto.setLogin("Old login").setExternalId(USER_IDENTITY.getProviderId()).setExternalLogin("old identity").setExternalIdentityProvider(IDENTITY_PROVIDER.getKey()).setOrganizationUuid(insert.getUuid());
        }});
        this.expectedException.expect(UpdateLoginRedirectionException.class);
        this.underTest.authenticate(UserIdentityAuthenticatorParameters.builder().setUserIdentity(USER_IDENTITY).setProvider(IDENTITY_PROVIDER).setSource(AuthenticationEvent.Source.local(AuthenticationEvent.Method.BASIC)).setExistingEmailStrategy(UserIdentityAuthenticatorParameters.ExistingEmailStrategy.FORBID).setUpdateLoginStrategy(UserIdentityAuthenticatorParameters.UpdateLoginStrategy.WARN).build());
    }

    @Test
    public void authenticate_existing_user_and_update_personal_og_key_when_personal_org_exists_and_strategy_is_ALLOW() {
        this.organizationFlags.setEnabled(true);
        OrganizationDto insert = this.db.organizations().insert(organizationDto -> {
            organizationDto.setKey("Old login");
        });
        UserDto insertUser = this.db.users().insertUser(new Consumer[]{userDto -> {
            userDto.setLogin("Old login").setExternalId(USER_IDENTITY.getProviderId()).setExternalLogin("old identity").setExternalIdentityProvider(IDENTITY_PROVIDER.getKey()).setOrganizationUuid(insert.getUuid());
        }});
        this.underTest.authenticate(UserIdentityAuthenticatorParameters.builder().setUserIdentity(USER_IDENTITY).setProvider(IDENTITY_PROVIDER).setSource(AuthenticationEvent.Source.local(AuthenticationEvent.Method.BASIC)).setExistingEmailStrategy(UserIdentityAuthenticatorParameters.ExistingEmailStrategy.FORBID).setUpdateLoginStrategy(UserIdentityAuthenticatorParameters.UpdateLoginStrategy.ALLOW).build());
        Assertions.assertThat(this.db.getDbClient().userDao().selectByUuid(this.db.getSession(), insertUser.getUuid())).extracting(new Function[]{(v0) -> {
            return v0.getLogin();
        }, (v0) -> {
            return v0.getExternalLogin();
        }}).contains(new Object[]{USER_LOGIN, USER_IDENTITY.getProviderLogin()});
        Assertions.assertThat(((OrganizationDto) this.db.getDbClient().organizationDao().selectByUuid(this.db.getSession(), insert.getUuid()).get()).getKey()).isEqualTo(USER_LOGIN);
    }

    @Test
    public void fail_to_authenticate_existing_user_when_personal_org_does_not_exist() {
        this.organizationFlags.setEnabled(true);
        this.db.users().insertUser(new Consumer[]{userDto -> {
            userDto.setLogin("Old login").setExternalId(USER_IDENTITY.getProviderId()).setExternalLogin("old identity").setExternalIdentityProvider(IDENTITY_PROVIDER.getKey()).setOrganizationUuid("unknown");
        }});
        this.expectedException.expect(IllegalStateException.class);
        this.expectedException.expectMessage("Cannot find personal organization uuid 'unknown' for user 'Old login'");
        this.underTest.authenticate(UserIdentityAuthenticatorParameters.builder().setUserIdentity(USER_IDENTITY).setProvider(IDENTITY_PROVIDER).setSource(AuthenticationEvent.Source.local(AuthenticationEvent.Method.BASIC)).setExistingEmailStrategy(UserIdentityAuthenticatorParameters.ExistingEmailStrategy.FORBID).setUpdateLoginStrategy(UserIdentityAuthenticatorParameters.UpdateLoginStrategy.ALLOW).build());
    }

    @Test
    public void authenticate_existing_disabled_user() {
        this.organizationFlags.setEnabled(true);
        this.db.users().insertUser(new Consumer[]{userDto -> {
            userDto.setLogin(USER_LOGIN).setActive(false).setName("Old name").setEmail("Old email").setExternalId("old id").setExternalLogin("old identity").setExternalIdentityProvider("old provide");
        }});
        this.underTest.authenticate(UserIdentityAuthenticatorParameters.builder().setUserIdentity(USER_IDENTITY).setProvider(IDENTITY_PROVIDER).setSource(AuthenticationEvent.Source.local(AuthenticationEvent.Method.BASIC)).setExistingEmailStrategy(UserIdentityAuthenticatorParameters.ExistingEmailStrategy.FORBID).setUpdateLoginStrategy(UserIdentityAuthenticatorParameters.UpdateLoginStrategy.ALLOW).build());
        UserDto userDto2 = (UserDto) this.db.users().selectUserByLogin(USER_LOGIN).get();
        Assertions.assertThat(userDto2.isActive()).isTrue();
        Assertions.assertThat(userDto2.getName()).isEqualTo("John");
        Assertions.assertThat(userDto2.getEmail()).isEqualTo("john@email.com");
        Assertions.assertThat(userDto2.getExternalId()).isEqualTo("ABCD");
        Assertions.assertThat(userDto2.getExternalLogin()).isEqualTo("johndoo");
        Assertions.assertThat(userDto2.getExternalIdentityProvider()).isEqualTo("github");
        Assertions.assertThat(userDto2.isRoot()).isFalse();
    }

    @Test
    public void authenticate_existing_user_when_email_already_exists_and_strategy_is_ALLOW() {
        this.organizationFlags.setEnabled(true);
        UserDto insertUser = this.db.users().insertUser(new Consumer[]{userDto -> {
            userDto.setEmail("john@email.com");
        }});
        UserDto insertUser2 = this.db.users().insertUser(new Consumer[]{userDto2 -> {
            userDto2.setEmail((String) null);
        }});
        this.underTest.authenticate(UserIdentityAuthenticatorParameters.builder().setUserIdentity(UserIdentity.builder().setLogin(insertUser2.getLogin()).setProviderLogin("johndoo").setName("John").setEmail("john@email.com").build()).setProvider(IDENTITY_PROVIDER).setSource(AuthenticationEvent.Source.local(AuthenticationEvent.Method.BASIC)).setExistingEmailStrategy(UserIdentityAuthenticatorParameters.ExistingEmailStrategy.ALLOW).setUpdateLoginStrategy(UserIdentityAuthenticatorParameters.UpdateLoginStrategy.ALLOW).build());
        Assertions.assertThat(((UserDto) this.db.users().selectUserByLogin(insertUser2.getLogin()).get()).getEmail()).isEqualTo("john@email.com");
        Assertions.assertThat(((UserDto) this.db.users().selectUserByLogin(insertUser.getLogin()).get()).getEmail()).isNull();
    }

    @Test
    public void throw_EmailAlreadyExistException_when_authenticating_existing_user_when_email_already_exists_and_strategy_is_WARN() {
        this.organizationFlags.setEnabled(true);
        this.db.users().insertUser(new Consumer[]{userDto -> {
            userDto.setEmail("john@email.com");
        }});
        UserIdentity build = UserIdentity.builder().setLogin(this.db.users().insertUser(new Consumer[]{userDto2 -> {
            userDto2.setEmail((String) null);
        }}).getLogin()).setProviderLogin("johndoo").setName("John").setEmail("john@email.com").build();
        this.expectedException.expect(EmailAlreadyExistsRedirectionException.class);
        this.underTest.authenticate(UserIdentityAuthenticatorParameters.builder().setUserIdentity(build).setProvider(IDENTITY_PROVIDER).setSource(AuthenticationEvent.Source.local(AuthenticationEvent.Method.BASIC)).setExistingEmailStrategy(UserIdentityAuthenticatorParameters.ExistingEmailStrategy.WARN).setUpdateLoginStrategy(UserIdentityAuthenticatorParameters.UpdateLoginStrategy.ALLOW).build());
    }

    @Test
    public void throw_AuthenticationException_when_authenticating_existing_user_when_email_already_exists_and_strategy_is_FORBID() {
        this.organizationFlags.setEnabled(true);
        this.db.users().insertUser(new Consumer[]{userDto -> {
            userDto.setEmail("john@email.com");
        }});
        UserIdentity build = UserIdentity.builder().setLogin(this.db.users().insertUser(new Consumer[]{userDto2 -> {
            userDto2.setEmail((String) null);
        }}).getLogin()).setProviderLogin("johndoo").setName("John").setEmail("john@email.com").build();
        this.expectedException.expect(AuthenticationExceptionMatcher.authenticationException().from(AuthenticationEvent.Source.realm(AuthenticationEvent.Method.FORM, IDENTITY_PROVIDER.getName())).withLogin(build.getLogin()).andPublicMessage("You can't sign up because email 'john@email.com' is already used by an existing user. This means that you probably already registered with another account."));
        this.expectedException.expectMessage("Email 'john@email.com' is already used");
        this.underTest.authenticate(UserIdentityAuthenticatorParameters.builder().setUserIdentity(build).setProvider(IDENTITY_PROVIDER).setSource(AuthenticationEvent.Source.realm(AuthenticationEvent.Method.FORM, IDENTITY_PROVIDER.getName())).setExistingEmailStrategy(UserIdentityAuthenticatorParameters.ExistingEmailStrategy.FORBID).setUpdateLoginStrategy(UserIdentityAuthenticatorParameters.UpdateLoginStrategy.ALLOW).build());
    }

    @Test
    public void does_not_fail_to_authenticate_user_when_email_has_not_changed_and_strategy_is_FORBID() {
        this.organizationFlags.setEnabled(true);
        UserDto insertUser = this.db.users().insertUser(new Consumer[]{userDto -> {
            userDto.setEmail("john@email.com");
        }});
        this.underTest.authenticate(UserIdentityAuthenticatorParameters.builder().setUserIdentity(UserIdentity.builder().setLogin(insertUser.getLogin()).setProviderLogin("johndoo").setName("John").setEmail("john@email.com").build()).setProvider(IDENTITY_PROVIDER).setSource(AuthenticationEvent.Source.local(AuthenticationEvent.Method.BASIC)).setExistingEmailStrategy(UserIdentityAuthenticatorParameters.ExistingEmailStrategy.FORBID).setUpdateLoginStrategy(UserIdentityAuthenticatorParameters.UpdateLoginStrategy.ALLOW).build());
        Assertions.assertThat(((UserDto) this.db.users().selectUserByLogin(insertUser.getLogin()).get()).getEmail()).isEqualTo("john@email.com");
    }

    @Test
    public void authenticate_existing_user_and_add_new_groups() {
        this.organizationFlags.setEnabled(true);
        UserDto insertUser = this.db.users().insertUser(UserTesting.newUserDto().setLogin(USER_LOGIN).setActive(true).setName("John"));
        GroupDto insertGroup = this.db.users().insertGroup(this.db.getDefaultOrganization(), "group1");
        GroupDto insertGroup2 = this.db.users().insertGroup(this.db.getDefaultOrganization(), "group2");
        authenticate(USER_LOGIN, "group1", "group2", "group3");
        checkGroupMembership(insertUser, insertGroup, insertGroup2);
    }

    @Test
    public void authenticate_existing_user_and_remove_groups() {
        this.organizationFlags.setEnabled(true);
        UserDto insertUser = this.db.users().insertUser(UserTesting.newUserDto().setLogin(USER_LOGIN).setActive(true).setName("John"));
        GroupDto insertGroup = this.db.users().insertGroup(this.db.getDefaultOrganization(), "group1");
        GroupDto insertGroup2 = this.db.users().insertGroup(this.db.getDefaultOrganization(), "group2");
        this.db.users().insertMember(insertGroup, insertUser);
        this.db.users().insertMember(insertGroup2, insertUser);
        authenticate(USER_LOGIN, "group1");
        checkGroupMembership(insertUser, insertGroup);
    }

    @Test
    public void authenticate_existing_user_and_remove_all_groups_expect_default_when_organizations_are_disabled() {
        this.organizationFlags.setEnabled(false);
        UserDto insertUser = this.db.users().insertUser();
        GroupDto insertGroup = this.db.users().insertGroup(this.db.getDefaultOrganization(), "group1");
        GroupDto insertGroup2 = this.db.users().insertGroup(this.db.getDefaultOrganization(), "group2");
        GroupDto insertDefaultGroup = insertDefaultGroup();
        this.db.users().insertMember(insertGroup, insertUser);
        this.db.users().insertMember(insertGroup2, insertUser);
        this.db.users().insertMember(insertDefaultGroup, insertUser);
        authenticate(insertUser.getLogin(), new String[0]);
        checkGroupMembership(insertUser, insertDefaultGroup);
    }

    @Test
    public void does_not_force_default_group_when_authenticating_existing_user_when_organizations_are_enabled() {
        this.organizationFlags.setEnabled(true);
        UserDto insertUser = this.db.users().insertUser();
        GroupDto insertGroup = this.db.users().insertGroup(this.db.getDefaultOrganization(), "group1");
        GroupDto insertDefaultGroup = insertDefaultGroup();
        this.db.users().insertMember(insertGroup, insertUser);
        this.db.users().insertMember(insertDefaultGroup, insertUser);
        authenticate(insertUser.getLogin(), "group1");
        checkGroupMembership(insertUser, insertGroup);
    }

    @Test
    public void ignore_groups_on_non_default_organizations() {
        this.organizationFlags.setEnabled(true);
        OrganizationDto insert = this.db.organizations().insert();
        UserDto insertUser = this.db.users().insertUser(UserTesting.newUserDto().setLogin(USER_LOGIN).setActive(true).setName("John"));
        GroupDto insertGroup = this.db.users().insertGroup(this.db.getDefaultOrganization(), "a-group");
        this.db.users().insertGroup(insert, "a-group");
        this.underTest.authenticate(UserIdentityAuthenticatorParameters.builder().setUserIdentity(UserIdentity.builder().setProviderLogin("johndoo").setLogin(insertUser.getLogin()).setName(insertUser.getName()).setGroups(Sets.newHashSet(new String[]{"a-group"})).build()).setProvider(IDENTITY_PROVIDER).setSource(AuthenticationEvent.Source.local(AuthenticationEvent.Method.BASIC)).setExistingEmailStrategy(UserIdentityAuthenticatorParameters.ExistingEmailStrategy.FORBID).setUpdateLoginStrategy(UserIdentityAuthenticatorParameters.UpdateLoginStrategy.ALLOW).build());
        checkGroupMembership(insertUser, insertGroup);
    }

    private void authenticate(String str, String... strArr) {
        this.underTest.authenticate(UserIdentityAuthenticatorParameters.builder().setUserIdentity(UserIdentity.builder().setProviderLogin("johndoo").setLogin(str).setName("John").setGroups((Set) Arrays.stream(strArr).collect(MoreCollectors.toSet())).build()).setProvider(IDENTITY_PROVIDER).setSource(AuthenticationEvent.Source.local(AuthenticationEvent.Method.BASIC)).setExistingEmailStrategy(UserIdentityAuthenticatorParameters.ExistingEmailStrategy.FORBID).setUpdateLoginStrategy(UserIdentityAuthenticatorParameters.UpdateLoginStrategy.ALLOW).build());
    }

    private void checkGroupMembership(UserDto userDto, GroupDto... groupDtoArr) {
        Assertions.assertThat(this.db.users().selectGroupIdsOfUser(userDto)).containsOnly(((List) Arrays.stream(groupDtoArr).map((v0) -> {
            return v0.getId();
        }).collect(Collectors.toList())).toArray(new Integer[0]));
    }

    private GroupDto insertDefaultGroup() {
        return this.db.users().insertDefaultGroup(this.db.getDefaultOrganization(), "sonar-users");
    }
}
