package com.floragunn.searchguard.legacy;

import com.floragunn.codova.documents.DocReader;
import com.floragunn.searchguard.legacy.test.SingleClusterTest;
import com.floragunn.searchguard.test.GenericRestClient;
import com.floragunn.searchguard.test.helper.certificate.NodeCertificateType;
import com.floragunn.searchguard.test.helper.certificate.TestCertificate;
import com.floragunn.searchguard.test.helper.certificate.TestCertificates;
import com.floragunn.searchguard.test.helper.cluster.EsClientProvider;
import com.floragunn.searchguard.test.helper.cluster.FileHelper;
import com.floragunn.searchguard.test.helper.cluster.LocalCluster;
import com.floragunn.searchguard.test.helper.cluster.TestCertificateBasedSSLContextProvider;
import com.google.common.collect.ImmutableMap;
import java.io.File;
import java.net.InetSocketAddress;
import java.net.SocketException;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.function.Consumer;
import java.util.stream.Collectors;
import java.util.stream.IntStream;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;
import org.apache.commons.io.FileUtils;
import org.apache.http.Header;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.junit.Assert;
import org.junit.Test;

/* loaded from: input_file:com/floragunn/searchguard/legacy/SSLReloadCertsActionTests.class */
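/**
 * Integration tests for the SSL certificate hot-reload REST actions
 * ({@code /_searchguard/api/ssl/transport/reloadcerts} and
 * {@code /_searchguard/api/ssl/http/reloadcerts}).
 *
 * <p>Every test starts a single-node cluster with freshly generated certificates, swaps the
 * PEM files on disk, triggers a reload via REST and verifies the outcome through the
 * {@code /_searchguard/sslinfo} endpoint. The negative cases cover an unknown reload URI, a
 * client without admin credentials, and a cluster started with
 * {@code searchguard.ssl.cert_reload_enabled=false}.
 */
public class SSLReloadCertsActionTests extends SingleClusterTest {
    private static final String GET_CERT_DETAILS_ENDPOINT = "/_searchguard/sslinfo?show_server_certs=true";
    private static final String GET_CERT_FULL_DETAILS_ENDPOINT = "/_searchguard/sslinfo?show_full_server_certs=true";
    private static final String RELOAD_TRANSPORT_CERTS_ENDPOINT = "/_searchguard/api/ssl/transport/reloadcerts";
    private static final String RELOAD_HTTP_CERTS_ENDPOINT = "/_searchguard/api/ssl/http/reloadcerts";

    /**
     * Reloading the transport certificate must replace only the transport certificate; the HTTP
     * certificate reported by sslinfo stays the initial one.
     */
    @Test
    public void testReloadTransportSSLCertsPass() throws Exception {
        TestCertificates certificates = prepareTestCertificates(2);
        TestCertificate initialNodeCert = certificates.getNodesCertificates().get(0);
        TestCertificate replacementNodeCert = certificates.getNodesCertificates().get(1);
        LocalCluster cluster = initTestCluster(certificates, initialNodeCert, initialNodeCert, true);

        try (GenericRestClient client = cluster.getAdminCertRestClient()) {
            List<String> initialCerts = certificatesToListOfString(initialNodeCert.getCertificate());
            // Both the short and the full variant of sslinfo must report the initial certificate.
            assertServerCertificates(client, GET_CERT_DETAILS_ENDPOINT, initialCerts, initialCerts);
            assertServerCertificates(client, GET_CERT_FULL_DETAILS_ENDPOINT, initialCerts, initialCerts);

            replaceCertificateAndKey(replacementNodeCert, initialNodeCert);
            GenericRestClient.HttpResponse reload = postReload(client, RELOAD_TRANSPORT_CERTS_ENDPOINT);
            Assert.assertEquals(reload.getBody(), ImmutableMap.of("message", "updated transport certs"),
                    DocReader.json().read(reload.getBody()));

            // Only the transport side changed; HTTP must still present the initial certificate.
            assertServerCertificates(client, GET_CERT_DETAILS_ENDPOINT,
                    certificatesToListOfString(replacementNodeCert.getCertificate()), initialCerts);
        }
    }

    /**
     * Reloading the HTTP certificate must replace only the HTTP certificate; the transport
     * certificate reported by sslinfo stays the initial one.
     */
    @Test
    public void testReloadHttpSSLCertsPass() throws Exception {
        TestCertificates certificates = prepareTestCertificates(2);
        TestCertificate initialNodeCert = certificates.getNodesCertificates().get(0);
        TestCertificate replacementNodeCert = certificates.getNodesCertificates().get(1);
        LocalCluster cluster = initTestCluster(certificates, initialNodeCert, initialNodeCert, true);

        try (GenericRestClient client = cluster.getAdminCertRestClient()) {
            List<String> initialCerts = certificatesToListOfString(initialNodeCert.getCertificate());
            assertServerCertificates(client, GET_CERT_DETAILS_ENDPOINT, initialCerts, initialCerts);

            replaceCertificateAndKey(replacementNodeCert, initialNodeCert);
            GenericRestClient.HttpResponse reload = postReload(client, RELOAD_HTTP_CERTS_ENDPOINT);
            Assert.assertEquals(reload.getBody(), ImmutableMap.of("message", "updated http certs"),
                    DocReader.json().read(reload.getBody()));

            // Only the HTTP side changed; transport must still present the initial certificate.
            assertServerCertificates(client, GET_CERT_DETAILS_ENDPOINT,
                    initialCerts, certificatesToListOfString(replacementNodeCert.getCertificate()));
        }
    }

    /**
     * A reload URI that names neither {@code transport} nor {@code http} is rejected with 400 and
     * the generic "no handler found" error.
     */
    @Test
    public void testReloadHttpSSLCerts_FailWrongUri() throws Exception {
        TestCertificates certificates = prepareTestCertificates(1);
        TestCertificate nodeCert = certificates.getNodesCertificates().get(0);
        LocalCluster cluster = initTestCluster(certificates, nodeCert, nodeCert, true);

        try (GenericRestClient client = cluster.getAdminCertRestClient()) {
            // The request path carries no leading slash; the expected error message shows the
            // server reporting it with one.
            GenericRestClient.HttpResponse response = client.post("_searchguard/_security/api/ssl/wrong/reloadcerts");
            Assert.assertEquals(400, response.getStatusCode());
            Assert.assertEquals(response.getBody(),
                    ImmutableMap.of("error", "no handler found for uri [/_searchguard/_security/api/ssl/wrong/reloadcerts] and method [POST]"),
                    DocReader.json().read(response.getBody()));
        }
    }

    /**
     * The reload action is admin-only: a client that presents no credentials at all gets 401.
     */
    @Test
    public void testSSLReloadFail_UnAuthorizedUser() throws Exception {
        TestCertificates certificates = prepareTestCertificates(1);
        TestCertificate nodeCert = certificates.getNodesCertificates().get(0);
        LocalCluster cluster = initTestCluster(certificates, nodeCert, nodeCert, true);

        try (GenericRestClient client = cluster.getRestClient()) {
            GenericRestClient.HttpResponse response = client.post(RELOAD_TRANSPORT_CERTS_ENDPOINT);
            Assert.assertEquals(401, response.getStatusCode());
            Assert.assertEquals("Unauthorized", response.getStatusReason());
        }
    }

    /**
     * With {@code searchguard.ssl.cert_reload_enabled=false} even an admin client is refused with
     * 400 and an explanatory plain-text body.
     */
    @Test
    public void testSSLReloadFail_NoReloadSet() throws Exception {
        TestCertificates certificates = prepareTestCertificates(1);
        TestCertificate nodeCert = certificates.getNodesCertificates().get(0);
        LocalCluster cluster = initTestCluster(certificates, nodeCert, nodeCert, false);

        try (GenericRestClient client = cluster.getAdminCertRestClient()) {
            GenericRestClient.HttpResponse response = client.post(RELOAD_TRANSPORT_CERTS_ENDPOINT);
            Assert.assertEquals(400, response.getStatusCode());
            Assert.assertEquals("SSL Reload action called while searchguard.ssl.cert_reload_enabled is set to false.",
                    response.getBody());
        }
    }

    /**
     * Full CA rotation on the HTTP side, in the order an operator would perform it:
     * <ol>
     *   <li>trust the old and the new CA at the same time,</li>
     *   <li>switch the node certificate to one issued by the new CA,</li>
     *   <li>drop the old CA from the trust store,</li>
     *   <li>rotate the admin client certificate to one issued by the new CA.</li>
     * </ol>
     * Between the steps the test checks that clients which only know the old CA, or which still
     * authenticate with an admin certificate issued by the old CA, are refused at the TLS layer.
     */
    @Test
    public void testReloadCa() throws Exception {
        TestCertificates oldCertificates = prepareTestCertificates(1);
        TestCertificate oldNodeCert = oldCertificates.getNodesCertificates().get(0);
        TestCertificate oldAdminCert = oldCertificates.getAdminCertificate();
        TestCertificate oldCa = oldCertificates.getCaCertificate();

        TestCertificates newCertificates = prepareTestCertificates(1);
        TestCertificate newNodeCert = newCertificates.getNodesCertificates().get(0);
        TestCertificate newAdminCert = newCertificates.getAdminCertificate();
        TestCertificate newCa = newCertificates.getCaCertificate();

        LocalCluster cluster = initTestCluster(oldCertificates, oldNodeCert, oldNodeCert, true);

        try (GenericRestClient client = cluster.getAdminCertRestClient()) {
            List<String> initialCerts = certificatesToListOfString(oldNodeCert.getCertificate());
            assertServerCertificates(client, GET_CERT_DETAILS_ENDPOINT, initialCerts, initialCerts);

            // Step 1: the trusted-CA file holds both CAs, so certificates from either are accepted.
            String oldCaPem = FileUtils.readFileToString(oldCa.getCertificateFile(), StandardCharsets.UTF_8);
            String newCaPem = FileUtils.readFileToString(newCa.getCertificateFile(), StandardCharsets.UTF_8);
            FileHelper.writeFile(oldCa.getCertificateFile().getAbsolutePath(), String.join("\n", oldCaPem, newCaPem));
            postReload(client, RELOAD_HTTP_CERTS_ENDPOINT);

            // Step 2: the node now presents a certificate issued by the new CA.
            replaceCertificateAndKey(newNodeCert, oldNodeCert);
            postReload(client, RELOAD_HTTP_CERTS_ENDPOINT);

            // Step 3: only the new CA remains in the trust file; it is picked up by the next reload.
            FileHelper.copyFileContents(newCa.getCertificateFile().getAbsolutePath(), oldCa.getCertificateFile().getAbsolutePath());

            // This client was built when the cluster started and does not trust the new CA,
            // so the handshake against the rotated node certificate must fail.
            try {
                GenericRestClient.HttpResponse response = client.post(RELOAD_HTTP_CERTS_ENDPOINT);
                Assert.fail("REST request was successful even though node uses new certificate which is not known by local HTTP client: " + response);
            } catch (SSLHandshakeException e) {
                // expected: server certificate is not trusted by this client
            }
        }

        // A client that trusts the new CA but still authenticates with the admin certificate
        // issued by the old CA.
        try (GenericRestClient client = prepareRestClient(cluster.getHttpAddress(), newCa, oldAdminCert, true)) {
            // The node still trusts both CAs until this reload applies the trust file from step 3.
            postReload(client, RELOAD_HTTP_CERTS_ENDPOINT);

            try {
                GenericRestClient.HttpResponse response = client.post(RELOAD_HTTP_CERTS_ENDPOINT);
                Assert.fail("REST request was successful even though node does not know the old CA anymore. The client however used an admin cert signed with the old CA: " + response);
            } catch (SocketException | SSLException e) {
                // expected: the node rejects the client certificate; depending on timing this
                // surfaces as an SSL error or as the connection being closed
            }
        }

        // Step 4: rotate the admin certificate; an admin client built from the new files succeeds again.
        replaceCertificateAndKey(newAdminCert, oldAdminCert);
        try (GenericRestClient client = cluster.getAdminCertRestClient()) {
            postReload(client, RELOAD_HTTP_CERTS_ENDPOINT);
        }
    }

    /**
     * Fetches {@code endpoint} and asserts a 200 response whose transport and HTTP certificate
     * lists equal the expected ones (in the format produced by {@link #certificateHolderToString}).
     *
     * @throws Exception on request or parsing failure
     */
    private static void assertServerCertificates(GenericRestClient client, String endpoint,
            List<String> expectedTransportCerts, List<String> expectedHttpCerts) throws Exception {
        GenericRestClient.HttpResponse response = client.get(endpoint);
        Assert.assertEquals(response.getBody(), 200, response.getStatusCode());
        Assert.assertEquals(expectedTransportCerts, response.getBodyAsDocNode().getAsListOfStrings("transport_certificates_list"));
        Assert.assertEquals(expectedHttpCerts, response.getBodyAsDocNode().getAsListOfStrings("http_certificates_list"));
    }

    /**
     * Posts to a reload endpoint and asserts a 200 status; the response body is included in the
     * assertion message so a failure shows the server's reason.
     *
     * @return the reload response for further body checks
     * @throws Exception on request failure
     */
    private static GenericRestClient.HttpResponse postReload(GenericRestClient client, String endpoint) throws Exception {
        GenericRestClient.HttpResponse response = client.post(endpoint);
        Assert.assertEquals(response.getBody(), 200, response.getStatusCode());
        return response;
    }

    /**
     * Overwrites {@code target}'s certificate and private key files on disk with those of
     * {@code source}, which is how a certificate rotation is simulated for the node under test.
     *
     * @throws Exception if a file cannot be copied
     */
    private static void replaceCertificateAndKey(TestCertificate source, TestCertificate target) throws Exception {
        FileHelper.copyFileContents(source.getCertificateFile().getAbsolutePath(), target.getCertificateFile().getAbsolutePath());
        FileHelper.copyFileContents(source.getPrivateKeyFile().getAbsolutePath(), target.getPrivateKeyFile().getAbsolutePath());
    }

    /**
     * Generates a CA, one client, one admin client and {@code nodeCount} node certificates
     * (usable for transport and REST) under a fresh root CA.
     *
     * @param nodeCount number of node certificates to issue
     */
    private TestCertificates prepareTestCertificates(int nodeCount) {
        TestCertificates.TestCertificatesBuilder builder = TestCertificates.builder();
        builder.ca("CN=root.ca.example.com,OU=SearchGuard,O=SearchGuard");
        builder.addClients("CN=client-0.example.com,OU=SearchGuard,O=SearchGuard");
        builder.addAdminClients("CN=admin-0.example.com,OU=SearchGuard,O=SearchGuard");
        for (int nodeIndex = 0; nodeIndex < nodeCount; nodeIndex++) {
            builder.addNodes(
                    Collections.singletonList(String.format("CN=node-%s.example.com,OU=SearchGuard,O=SearchGuard", nodeIndex)),
                    nodeIndex + 1, (String) null, (List) null, Collections.singletonList("127.0.0.1"),
                    NodeCertificateType.transport_and_rest, (String) null);
        }
        return builder.build();
    }

    /**
     * Starts an embedded single-node cluster that uses {@code transportCert} for transport TLS,
     * {@code httpCert} for HTTP TLS and the CA of {@code testCertificates} as trust anchor for both.
     *
     * @param certReloadEnabled value for {@code searchguard.ssl.cert_reload_enabled}
     */
    private LocalCluster initTestCluster(TestCertificates testCertificates, TestCertificate transportCert,
            TestCertificate httpCert, boolean certReloadEnabled) {
        String caCertPath = testCertificates.getCaCertificate().getCertificateFile().getAbsolutePath();
        String adminDn = testCertificates.getAdminCertificate().getCertificate().getSubject().toString();
        String nodeDn = transportCert.getCertificate().getSubject().toString();

        return new LocalCluster.Builder()
                .singleNode()
                .sslEnabled(testCertificates)
                .nodeSettings("searchguard.authcz.admin_dn", Collections.singletonList(adminDn))
                .nodeSettings("searchguard.nodes_dn", Collections.singletonList(nodeDn))
                .nodeSettings("searchguard.ssl.transport.enabled", true)
                .nodeSettings("searchguard.ssl.http.enabled", true)
                // Test-only relaxation: the generated node certificates are issued for 127.0.0.1
                // (see prepareTestCertificates), not for a resolvable host name.
                .nodeSettings("searchguard.ssl.transport.enforce_hostname_verification", false)
                .nodeSettings("searchguard.ssl.transport.resolve_hostname", false)
                .nodeSettings("searchguard.ssl.transport.pemcert_filepath", transportCert.getCertificateFile().getAbsolutePath())
                .nodeSettings("searchguard.ssl.transport.pemkey_filepath", transportCert.getPrivateKeyFile().getAbsolutePath())
                .nodeSettings("searchguard.ssl.transport.pemtrustedcas_filepath", caCertPath)
                .nodeSettings("searchguard.ssl.http.pemcert_filepath", httpCert.getCertificateFile().getAbsolutePath())
                .nodeSettings("searchguard.ssl.http.pemkey_filepath", httpCert.getPrivateKeyFile().getAbsolutePath())
                .nodeSettings("searchguard.ssl.http.pemtrustedcas_filepath", caCertPath)
                .nodeSettings("searchguard.ssl.cert_reload_enabled", certReloadEnabled)
                .embedded()
                .start();
    }

    /**
     * Builds a REST client that trusts {@code trustedCa} and authenticates with the client
     * certificate {@code clientCert}; no HTTP headers and no basic-auth password are set.
     *
     * @param verifyHostnames passed through to the SSL context provider
     */
    private GenericRestClient prepareRestClient(InetSocketAddress address, TestCertificate trustedCa,
            TestCertificate clientCert, boolean verifyHostnames) {
        return new GenericRestClient(address, Collections.emptyList(),
                new TestCertificateBasedSSLContextProvider(trustedCa, clientCert).getSslContext(verifyHostnames),
                EsClientProvider.UserCredentialsHolder.basic("cert", (String) null), (Consumer) null);
    }

    /** Renders each certificate in the sslinfo list format; see {@link #certificateHolderToString}. */
    private List<String> certificatesToListOfString(X509CertificateHolder... certificates) {
        return Arrays.stream(certificates).map(this::certificateHolderToString).collect(Collectors.toList());
    }

    /**
     * Renders a certificate as
     * {@code {issuer_dn=..., subject_dn=..., san=..., not_before=..., not_after=...}}. The
     * format must match what the sslinfo endpoint returns for its certificate lists, so it is
     * compared verbatim in the tests.
     *
     * @throws RuntimeException if the holder cannot be converted to an {@link X509Certificate}
     */
    private String certificateHolderToString(X509CertificateHolder holder) {
        try {
            X509Certificate certificate = new JcaX509CertificateConverter().getCertificate(holder);
            // getSubjectAlternativeNames() returns null when the extension is absent.
            java.util.Collection<List<?>> sans = certificate.getSubjectAlternativeNames();
            String san = sans != null ? sans.toString() : "";
            return new StringBuilder("{")
                    .append("issuer_dn=").append(certificate.getIssuerX500Principal().getName()).append(", ")
                    .append("subject_dn=").append(certificate.getSubjectX500Principal().getName()).append(", ")
                    .append("san=").append(san).append(", ")
                    .append("not_before=").append(certificate.getNotBefore().toInstant().toString()).append(", ")
                    .append("not_after=").append(certificate.getNotAfter().toInstant().toString())
                    .append("}")
                    .toString();
        } catch (CertificateException e) {
            throw new RuntimeException("Failed to map certificate holder to string", e);
        }
    }
}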
