package com.floragunn.signals.truststore.service;

import com.floragunn.codova.validation.ConfigValidationException;
import com.floragunn.searchguard.support.PrivilegedConfigClient;
import com.floragunn.searchguard.test.GenericRestClient;
import com.floragunn.searchguard.test.TestSgConfig;
import com.floragunn.searchguard.test.helper.certificate.TestCertificate;
import com.floragunn.searchguard.test.helper.certificate.TestCertificates;
import com.floragunn.searchguard.test.helper.cluster.ClusterConfiguration;
import com.floragunn.searchguard.test.helper.cluster.JavaSecurityTestSetup;
import com.floragunn.searchguard.test.helper.cluster.LocalCluster;
import com.floragunn.signals.CertificatesParser;
import com.floragunn.signals.Signals;
import com.floragunn.signals.SignalsModule;
import com.floragunn.signals.truststore.rest.TruststoreLoader;
import com.floragunn.signals.truststore.service.persistence.TruststoreRepository;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Collectors;
import java.util.stream.IntStream;
import java.util.stream.Stream;
import javax.net.ssl.X509TrustManager;
import org.apache.http.Header;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.action.search.SearchResponse;
import org.elasticsearch.client.Client;
import org.elasticsearch.client.node.NodeClient;
import org.elasticsearch.search.SearchHit;
import org.hamcrest.MatcherAssert;
import org.hamcrest.Matchers;
import org.junit.After;
import org.junit.Before;
import org.junit.ClassRule;
import org.junit.Test;

/* loaded from: input_file:com/floragunn/signals/truststore/service/TrustManagerRegistryTest.class */
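/**
 * Integration test for {@link TrustManagerRegistry}: truststores are uploaded through the REST
 * API and the resulting trust decisions are checked on the master-side registry and on the
 * registries of both data nodes.
 *
 * <p>The security property under test is that every node agrees on which CAs a truststore
 * trusts, including after a CA is removed or the truststore is deleted.
 *
 * <p>NOTE(review): the trust assertions run immediately after the REST call returns, so the
 * tests presumably rely on the registry update having reached all nodes by then; confirm against
 * the REST handler.
 */
public class TrustManagerRegistryTest {
    public static final String TRUSTSTORE_ID_1 = "truststore-id-one";
    public static final String TRUSTSTORE_ID_2 = "truststore-id-two";
    public static final String TRUSTSTORE_ID_3 = "truststore-id-three";
    // NOTE(review): this is a signature-algorithm name, but it is passed as the authType argument
    // of checkClientTrusted; confirm that the trust manager under test does not depend on it.
    public static final String TEST_CERTIFICATE_ALGORITHM = "SHA256withRSA";
    private TrustManagerRegistry trustManagerRegistryMaster;
    private TrustManagerRegistry trustManagerRegistryDataOne;
    private TrustManagerRegistry trustManagerRegistryDataTwo;
    private static final TestSgConfig.User USER_ADMIN =
            new TestSgConfig.User("admin").roles(new TestSgConfig.Role[]{TestSgConfig.Role.ALL_ACCESS});

    @ClassRule
    public static JavaSecurityTestSetup javaSecurity = new JavaSecurityTestSetup();

    @ClassRule
    public static LocalCluster cluster = new LocalCluster.Builder()
            .clusterConfiguration(ClusterConfiguration.DEFAULT)
            .sslEnabled()
            .enableModule(SignalsModule.class)
            .nodeSettings(new Object[]{"signals.enabled", true})
            .user(USER_ADMIN)
            .build();

    /** Looks up the registry from the cluster-level injector and from each non-master-eligible node. */
    @Before
    public void retrieveServicesFromEachNode() {
        this.trustManagerRegistryMaster = ((Signals) cluster.getInjectable(Signals.class)).getTruststoreRegistry();
        List<TrustManagerRegistry> dataNodeRegistries = cluster.nodes().stream()
                .filter(node -> !node.esNode().isMasterEligible())
                .map(node -> ((Signals) node.getInjectable(Signals.class)).getTruststoreRegistry())
                .collect(Collectors.toList());
        MatcherAssert.assertThat(dataNodeRegistries, Matchers.hasSize(2));
        this.trustManagerRegistryDataOne = dataNodeRegistries.get(0);
        this.trustManagerRegistryDataTwo = dataNodeRegistries.get(1);
        MatcherAssert.assertThat(this.trustManagerRegistryMaster, Matchers.notNullValue());
        MatcherAssert.assertThat(this.trustManagerRegistryDataOne, Matchers.notNullValue());
        MatcherAssert.assertThat(this.trustManagerRegistryDataTwo, Matchers.notNullValue());
    }

    /**
     * Deletes every truststore found in the {@code .signals_truststores} index so that trust
     * anchors uploaded by one test cannot influence the next.
     *
     * @throws Exception if the search, a delete request, or closing a client fails
     */
    @After
    public void clearData() throws Exception {
        try (Client privilegedClient = cluster.getPrivilegedInternalNodeClient()) {
            // The request sets no explicit size, so only the first page of hits is cleaned up;
            // presumably sufficient because no test stores more than three truststores.
            SearchResponse stored = privilegedClient.search(new SearchRequest(".signals_truststores")).actionGet();
            try (GenericRestClient restClient = cluster.getRestClient(USER_ADMIN, new Header[0])) {
                for (SearchHit hit : stored.getHits().getHits()) {
                    TruststoreLoader.deleteTruststoreById(restClient, hit.getId());
                }
            }
        }
    }

    /** An id that was never uploaded must not resolve to a trust manager on any node. */
    @Test
    public void shouldNotFindTruststoreOnEachNodes() {
        assertTrustManagerPresenceOnEachNode(TRUSTSTORE_ID_1, false);
    }

    /** A client certificate issued by the uploaded CA is trusted on every node. */
    @Test
    public void shouldTrustCertificateOnEachNode() throws Exception {
        TestCertificates pki = caWithClient(
                "CN=root.ca.example.com,OU=SearchGuard,O=SearchGuard",
                "CN=client-0.example.com,OU=SearchGuard,O=SearchGuard");
        TestCertificate clientCertificate = firstClientCertificate(pki);

        storeTruststore(TRUSTSTORE_ID_1, "ca-cert", caPem(pki));

        assertTrust(trustManagersOnEachNode(TRUSTSTORE_ID_1), clientCertificate, true);
    }

    /** A client certificate issued by a CA that was not uploaded is rejected on every node. */
    @Test
    public void shouldNotTrustCertificateIfTrustAnchorWasNotUploadedOnEachNode() throws Exception {
        TestCertificates uploadedPki =
                TestCertificates.builder().ca("CN=root.ca.one.com,OU=SearchGuard,O=SearchGuard").build();
        TestCertificates foreignPki = caWithClient(
                "CN=root.ca.two.com,OU=SearchGuard,O=SearchGuard",
                "CN=client-0.two.com,OU=SearchGuard,O=SearchGuard");
        TestCertificate foreignClientCertificate = firstClientCertificate(foreignPki);

        storeTruststore(TRUSTSTORE_ID_1, "ca-cert", caPem(uploadedPki));

        assertTrust(trustManagersOnEachNode(TRUSTSTORE_ID_1), foreignClientCertificate, false);
    }

    /** One truststore holding three concatenated CA certificates trusts clients of all three. */
    @Test
    public void shouldTrustThreeCasOnEachNode() throws Exception {
        TestCertificates pkiOne = caWithClient("CN=root.ca.one.com,OU=SearchGuard,O=One", "CN=client-0.one.com,OU=SearchGuard,O=One");
        TestCertificates pkiTwo = caWithClient("CN=root.ca.two.com,OU=SearchGuard,O=Two", "CN=client-0.two.com,OU=SearchGuard,O=Two");
        TestCertificates pkiThree = caWithClient("CN=root.ca.three.com,OU=SearchGuard,O=Three", "CN=client-0.three.com,OU=SearchGuard,O=Three");

        storeTruststore(TRUSTSTORE_ID_1, "ca-cert", caPem(pkiOne) + caPem(pkiTwo) + caPem(pkiThree));

        List<X509TrustManager> managers = trustManagersOnEachNode(TRUSTSTORE_ID_1);
        assertTrust(managers, firstClientCertificate(pkiOne), true);
        assertTrust(managers, firstClientCertificate(pkiTwo), true);
        assertTrust(managers, firstClientCertificate(pkiThree), true);
    }

    /**
     * Re-uploading the truststore without the second CA must revoke trust in that CA's client
     * certificate on every node, while the two remaining CAs stay trusted.
     */
    @Test
    public void shouldStopTrustCaCertificateWhenCaIsExcludedFromTruststoreEachNode() throws Exception {
        TestCertificates pkiOne = caWithClient("CN=root.ca.one.com,OU=SearchGuard,O=One", "CN=client-0.one.com,OU=SearchGuard,O=One");
        TestCertificates pkiTwo = caWithClient("CN=root.ca.two.com,OU=SearchGuard,O=Two", "CN=client-0.two.com,OU=SearchGuard,O=Two");
        TestCertificates pkiThree = caWithClient("CN=root.ca.three.com,OU=SearchGuard,O=Three", "CN=client-0.three.com,OU=SearchGuard,O=Three");
        TestCertificate clientOne = firstClientCertificate(pkiOne);
        TestCertificate clientTwo = firstClientCertificate(pkiTwo);
        TestCertificate clientThree = firstClientCertificate(pkiThree);

        storeTruststore(TRUSTSTORE_ID_1, "ca-cert", caPem(pkiOne) + caPem(pkiTwo) + caPem(pkiThree));

        List<X509TrustManager> managersBefore = trustManagersOnEachNode(TRUSTSTORE_ID_1);
        assertTrust(managersBefore, clientOne, true);
        assertTrust(managersBefore, clientTwo, true);
        assertTrust(managersBefore, clientThree, true);

        storeTruststore(TRUSTSTORE_ID_1, "ca-cert", caPem(pkiOne) + caPem(pkiThree));

        // Fetch the managers again: the assertions must observe the state after the update,
        // not the instances obtained before it.
        List<X509TrustManager> managersAfter = trustManagersOnEachNode(TRUSTSTORE_ID_1);
        assertTrust(managersAfter, clientOne, true);
        assertTrust(managersAfter, clientTwo, false);
        assertTrust(managersAfter, clientThree, true);
    }

    /** Deleting a truststore removes its trust manager from every node. */
    @Test
    public void shouldNotFindTrustManagerAfterTruststoreDeletionOnEachNodes() throws Exception {
        String caCertificatePem = caPem(caWithClient("CN=root.ca.one.com,OU=SearchGuard,O=One", "CN=client-0.one.com,OU=SearchGuard,O=One"));
        try (GenericRestClient restClient = cluster.getRestClient(USER_ADMIN, new Header[0])) {
            TruststoreLoader.storeTruststoreInPemFormat(restClient, TRUSTSTORE_ID_1, "ca-cert", caCertificatePem);
            assertTrustManagerPresenceOnEachNode(TRUSTSTORE_ID_1, true);

            TruststoreLoader.deleteTruststoreById(restClient, TRUSTSTORE_ID_1);
            assertTrustManagerPresenceOnEachNode(TRUSTSTORE_ID_1, false);
        }
    }

    /**
     * Three truststores with one CA each must stay isolated: each trust manager accepts only the
     * client certificate issued by its own CA.
     */
    @Test
    public void shouldCreateVariousTrustManagerForEachTruststore() throws Exception {
        TestCertificates pkiOne = caWithClient("CN=root.ca.one.com,OU=SearchGuard,O=One", "CN=client-0.one.com,OU=SearchGuard,O=One");
        TestCertificates pkiTwo = caWithClient("CN=root.ca.two.com,OU=SearchGuard,O=Two", "CN=client-0.two.com,OU=SearchGuard,O=Two");
        TestCertificates pkiThree = caWithClient("CN=root.ca.three.com,OU=SearchGuard,O=Three", "CN=client-0.three.com,OU=SearchGuard,O=Three");
        TestCertificate clientOne = firstClientCertificate(pkiOne);
        TestCertificate clientTwo = firstClientCertificate(pkiTwo);
        TestCertificate clientThree = firstClientCertificate(pkiThree);

        try (GenericRestClient restClient = cluster.getRestClient(USER_ADMIN, new Header[0])) {
            TruststoreLoader.storeTruststoreInPemFormat(restClient, TRUSTSTORE_ID_1, "ca-cert-one", caPem(pkiOne));
            TruststoreLoader.storeTruststoreInPemFormat(restClient, TRUSTSTORE_ID_2, "ca-cert-two", caPem(pkiTwo));
            TruststoreLoader.storeTruststoreInPemFormat(restClient, TRUSTSTORE_ID_3, "ca-cert-three", caPem(pkiThree));
        }

        List<X509TrustManager> managersOne = trustManagersOnEachNode(TRUSTSTORE_ID_1);
        assertTrust(managersOne, clientOne, true);
        assertTrust(managersOne, clientTwo, false);
        assertTrust(managersOne, clientThree, false);

        List<X509TrustManager> managersTwo = trustManagersOnEachNode(TRUSTSTORE_ID_2);
        assertTrust(managersTwo, clientOne, false);
        assertTrust(managersTwo, clientTwo, true);
        assertTrust(managersTwo, clientThree, false);

        List<X509TrustManager> managersThree = trustManagersOnEachNode(TRUSTSTORE_ID_3);
        assertTrust(managersThree, clientOne, false);
        assertTrust(managersThree, clientTwo, false);
        assertTrust(managersThree, clientThree, true);
    }

    /** A truststore holding twelve CA certificates trusts a client certificate of each CA. */
    @Test
    public void shouldTrustTensOfCas() throws Exception {
        List<TestCertificates> pkis = IntStream.range(0, 12)
                .mapToObj(i -> caWithClient(
                        String.format("CN=root.ca.number-%d.com,OU=SearchGuard,O=index-%d", i, i),
                        String.format("CN=client-0.number-%d.com,OU=SearchGuard,O=index-%d", i, i)))
                .collect(Collectors.toList());
        String allCaCertificatesPem = pkis.stream()
                .map(TrustManagerRegistryTest::caPem)
                .collect(Collectors.joining());

        storeTruststore(TRUSTSTORE_ID_1, "ca-certs", allCaCertificatesPem);

        List<X509TrustManager> managers = trustManagersOnEachNode(TRUSTSTORE_ID_1);
        pkis.stream()
                .map(TrustManagerRegistryTest::firstClientCertificate)
                .forEach(clientCertificate -> assertTrust(managers, clientCertificate, true));
    }

    /** A freshly constructed registry picks up already-persisted truststores via {@code reloadAll()}. */
    @Test
    public void shouldLoadCertificateOnStartUp() throws Exception {
        TestCertificates pki = caWithClient("CN=root.ca.one.com,OU=SearchGuard,O=One", "CN=client-0.one.com,OU=SearchGuard,O=One");
        TestCertificate clientCertificate = firstClientCertificate(pki);

        storeTruststore(TRUSTSTORE_ID_1, "ca-cert-one", caPem(pki));

        TrustManagerRegistry freshRegistry = new TrustManagerRegistry(new TruststoreCrudService(
                new TruststoreRepository(PrivilegedConfigClient.adapt((Client) cluster.getInjectable(NodeClient.class)))));
        freshRegistry.reloadAll();

        MatcherAssert.assertThat(
                isCertificateTrusted(requireTrustManager(freshRegistry, TRUSTSTORE_ID_1), clientCertificate),
                Matchers.equalTo(true));
    }

    /** Builds a test PKI consisting of one CA and one client certificate issued by it. */
    private static TestCertificates caWithClient(String caDn, String clientDn) {
        return TestCertificates.builder().ca(caDn).addClients(new String[]{clientDn}).build();
    }

    /** Returns the certificate string of the PKI's CA certificate. */
    private static String caPem(TestCertificates pki) {
        return pki.getCaCertificate().getCertificateString();
    }

    /** Returns the first client certificate of the given test PKI. */
    private static TestCertificate firstClientCertificate(TestCertificates pki) {
        return (TestCertificate) pki.getClientsCertificates().get(0);
    }

    /** Uploads one truststore as the admin user and always closes the REST client afterwards. */
    private static void storeTruststore(String truststoreId, String name, String pem) throws Exception {
        try (GenericRestClient restClient = cluster.getRestClient(USER_ADMIN, new Header[0])) {
            TruststoreLoader.storeTruststoreInPemFormat(restClient, truststoreId, name, pem);
        }
    }

    /** Resolves the trust manager for an id, failing the test with a clear message when it is absent. */
    private static X509TrustManager requireTrustManager(TrustManagerRegistry registry, String truststoreId) {
        return (X509TrustManager) registry.findTrustManager(truststoreId)
                .orElseThrow(() -> new AssertionError("No trust manager registered for truststore " + truststoreId));
    }

    /** Returns the trust managers for the id in the order master, data node one, data node two. */
    private List<X509TrustManager> trustManagersOnEachNode(String truststoreId) {
        return Stream.of(this.trustManagerRegistryMaster, this.trustManagerRegistryDataOne, this.trustManagerRegistryDataTwo)
                .map(registry -> requireTrustManager(registry, truststoreId))
                .collect(Collectors.toList());
    }

    /** Asserts that every given trust manager makes the expected trust decision for the certificate. */
    private void assertTrust(List<X509TrustManager> managers, TestCertificate certificate, boolean expected) {
        for (int i = 0; i < managers.size(); i++) {
            MatcherAssert.assertThat(
                    "trust decision of trust manager #" + i,
                    isCertificateTrusted(managers.get(i), certificate),
                    Matchers.equalTo(expected));
        }
    }

    /** Asserts that each node's registry does (or does not) hold a trust manager for the id. */
    private void assertTrustManagerPresenceOnEachNode(String truststoreId, boolean expected) {
        MatcherAssert.assertThat(this.trustManagerRegistryMaster.findTrustManager(truststoreId).isPresent(), Matchers.equalTo(expected));
        MatcherAssert.assertThat(this.trustManagerRegistryDataOne.findTrustManager(truststoreId).isPresent(), Matchers.equalTo(expected));
        MatcherAssert.assertThat(this.trustManagerRegistryDataTwo.findTrustManager(truststoreId).isPresent(), Matchers.equalTo(expected));
    }

    /**
     * Runs the client-trust check and reports the outcome as a boolean.
     *
     * <p>Any {@link CertificateException} counts as "not trusted", so a negative assertion cannot
     * tell a missing trust anchor apart from another validation failure (for example an invalid
     * or unparsable chain). The positive assertions for the same certificates in other tests are
     * what show that the test material itself is valid.
     */
    private boolean isCertificateTrusted(X509TrustManager x509TrustManager, TestCertificate testCertificate) {
        try {
            x509TrustManager.checkClientTrusted(toJavaCertificate(testCertificate), TEST_CERTIFICATE_ALGORITHM);
            return true;
        } catch (CertificateException e) {
            return false;
        }
    }

    /**
     * Parses the test certificate's string form into an {@link X509Certificate} chain.
     *
     * @throws RuntimeException if the certificate string cannot be parsed
     * @throws ClassCastException if a parsed certificate is not an X.509 certificate
     */
    private X509Certificate[] toJavaCertificate(TestCertificate testCertificate) {
        try {
            return CertificatesParser.parseCertificates(testCertificate.getCertificateString()).stream()
                    .map(X509Certificate.class::cast)
                    .toArray(X509Certificate[]::new);
        } catch (ConfigValidationException e) {
            throw new RuntimeException("Cannot parse test certificate", e);
        }
    }
}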
