package com.floragunn.searchguard.ssl;

import com.floragunn.searchguard.ssl.test.SingleClusterTest;
import com.floragunn.searchguard.ssl.test.helper.file.FileHelper;
import com.floragunn.searchguard.ssl.test.helper.rest.RestHelper;
import com.floragunn.searchguard.ssl.util.ExceptionUtils;
import com.floragunn.searchguard.ssl.util.SSLConfigConstants;
import com.floragunn.searchguard.ssl.util.config.GenericSSLConfig;
import io.netty.util.internal.PlatformDependent;
import java.io.File;
import java.io.IOException;
import java.net.SocketException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.nio.file.attribute.FileAttribute;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Random;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;
import org.apache.http.NoHttpResponseException;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.admin.cluster.health.ClusterHealthRequest;
import org.elasticsearch.action.admin.cluster.health.ClusterHealthResponse;
import org.elasticsearch.action.admin.cluster.node.info.NodesInfoRequest;
import org.elasticsearch.action.admin.cluster.node.info.NodesInfoResponse;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.core.TimeValue;
import org.elasticsearch.node.Node;
import org.elasticsearch.node.PluginAwareNode;
import org.junit.Assert;
import org.junit.Assume;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.ExpectedException;

/* loaded from: input_file:com/floragunn/searchguard/ssl/SSLTest.class */
public class SSLTest extends SingleClusterTest {

    // JUnit rule through which a test declares the exception type it expects;
    // testHttpPlainFail and testHttpsV3Fail arm it with thrown.expect(...).
    @Rule
    public final ExpectedException thrown = ExpectedException.none();

    /**
     * Starts an HTTPS-only cluster that requires a client certificate and checks what the
     * {@code _searchguard/sslinfo} and {@code _nodes/settings} endpoints reveal.
     *
     * <p>Security-relevant expectations asserted here: the certificate list is returned only when
     * {@code show_dn=true} is requested, and the node settings output contains neither a
     * {@code "searchguard"} section nor any {@code keystore_filepath} entry.
     *
     * @throws Exception if cluster setup or any request fails
     */
    @Test
    public void testHttps() throws Exception {
        // NOTE(review): TLSv1.1 is enabled next to TLSv1.2 and the only cipher is a CBC suite;
        // these look like fixture values for this test, not a recommended production profile.
        final Settings settings = Settings.builder()
                .put("searchguard.ssl.transport.enabled", false)
                .put("searchguard.ssl.http.enabled", true)
                .put("searchguard.ssl.http.clientauth_mode", "REQUIRE")
                .putList("searchguard.ssl.http.enabled_protocols", "TLSv1.1", "TLSv1.2")
                .putList("searchguard.ssl.http.enabled_ciphers", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256")
                .putList("searchguard.ssl.transport.enabled_protocols", "TLSv1.1", "TLSv1.2")
                .putList("searchguard.ssl.transport.enabled_ciphers", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256")
                .put("searchguard.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
                .put("searchguard.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
                .build();
        setupSslOnlyMode(settings);

        final RestHelper rh = restHelper();
        rh.enableHTTPClientSSL = true;
        rh.trustHTTPServerCertificate = true;
        rh.sendHTTPClientCertificate = true;
        rh.keystore = "ssl/node-untspec5-keystore.p12";

        // Certificate details are exposed only on explicit request (show_dn=true).
        Assert.assertTrue(rh.executeSimpleRequest("_searchguard/sslinfo?pretty&show_dn=true").contains("EMAILADDRESS=unt@tst.com"));
        Assert.assertTrue(rh.executeSimpleRequest("_searchguard/sslinfo?pretty&show_dn=true").contains("local_certificates_list"));
        Assert.assertFalse(rh.executeSimpleRequest("_searchguard/sslinfo?pretty&show_dn=false").contains("local_certificates_list"));
        Assert.assertFalse(rh.executeSimpleRequest("_searchguard/sslinfo?pretty").contains("local_certificates_list"));

        // The settings API must answer, but without the plugin's settings or keystore locations.
        Assert.assertTrue(rh.executeSimpleRequest("_nodes/settings?pretty").contains(clusterInfo.clustername));
        Assert.assertFalse(rh.executeSimpleRequest("_nodes/settings?pretty").contains("\"searchguard\""));
        Assert.assertFalse(rh.executeSimpleRequest("_nodes/settings?pretty").contains("keystore_filepath"));

        Assert.assertTrue(rh.executeSimpleRequest("_searchguard/sslinfo?pretty&show_server_certs=true").contains("CN=node-0.example.com,OU=SSL,O=Test,L=Test,C=DE"));
    }

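    /**
     * Checks that an explicitly configured protocol and cipher list is applied verbatim to the
     * HTTP, server-transport and client-transport SSL engines.
     *
     * <p>The configured values (SSLv3 and an export-grade RC4/MD5 suite) are deliberately
     * obsolete. The test accepts two outcomes: either each engine reports exactly that one
     * protocol and that one cipher, or engine creation is rejected with an
     * {@link ElasticsearchSecurityException} whose text matches one of the known
     * "no usable cipher" messages.
     *
     * <p>The JVM-wide {@code jdk.tls.disabledAlgorithms} security property is cleared for the
     * duration of the test and put back afterwards so the relaxed setting does not leak into
     * other tests running in the same JVM.
     *
     * @throws Exception if building the settings or an SSL engine fails unexpectedly
     */
    @Test
    public void testCipherAndProtocols() throws Exception {
        final String disabledAlgorithmsKey = "jdk.tls.disabledAlgorithms";
        final String previousDisabledAlgorithms = Security.getProperty(disabledAlgorithmsKey);
        Security.setProperty(disabledAlgorithmsKey, "");
        try {
            Settings build = Settings.builder()
                    .put("searchguard.ssl.transport.enabled", false)
                    .put("searchguard.ssl.http.keystore_alias", "node-0")
                    .put("searchguard.ssl.http.enabled", true)
                    .put("searchguard.ssl.http.clientauth_mode", "REQUIRE")
                    .put("searchguard.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
                    .put("searchguard.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
                    .put("searchguard.ssl.http.enabled_ciphers", "SSL_RSA_EXPORT_WITH_RC4_40_MD5")
                    .put("searchguard.ssl.http.enabled_protocols", "SSLv3")
                    .put("path.home", ".")
                    .build();
            try {
                // HTTP engine: a fresh key store is built for each query, as in the original test.
                String[] enabledCipherSuites = new DefaultSearchGuardKeyStore(build, Paths.get(".")).createHTTPSSLEngine().getEnabledCipherSuites();
                String[] enabledProtocols = new DefaultSearchGuardKeyStore(build, Paths.get(".")).createHTTPSSLEngine().getEnabledProtocols();
                Assert.assertEquals(1L, enabledProtocols.length);
                Assert.assertEquals("SSLv3", enabledProtocols[0]);
                Assert.assertEquals(1L, enabledCipherSuites.length);
                Assert.assertEquals("SSL_RSA_EXPORT_WITH_RC4_40_MD5", enabledCipherSuites[0]);

                Settings build2 = Settings.builder()
                        .put("searchguard.ssl.transport.enabled", true)
                        .put("searchguard.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
                        .put("searchguard.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
                        .put("searchguard.ssl.transport.enabled_ciphers", "SSL_RSA_EXPORT_WITH_RC4_40_MD5")
                        .put("searchguard.ssl.transport.enabled_protocols", "SSLv3")
                        .put("path.home", ".")
                        .build();

                // Server side of the transport layer.
                String[] enabledCipherSuites2 = new DefaultSearchGuardKeyStore(build2, Paths.get(".")).createServerTransportSSLEngine().getEnabledCipherSuites();
                String[] enabledProtocols2 = new DefaultSearchGuardKeyStore(build2, Paths.get(".")).createServerTransportSSLEngine().getEnabledProtocols();
                Assert.assertEquals(1L, enabledProtocols2.length);
                Assert.assertEquals("SSLv3", enabledProtocols2[0]);
                Assert.assertEquals(1L, enabledCipherSuites2.length);
                Assert.assertEquals("SSL_RSA_EXPORT_WITH_RC4_40_MD5", enabledCipherSuites2[0]);

                // Client side of the transport layer (no peer host/port supplied).
                String[] enabledCipherSuites3 = new DefaultSearchGuardKeyStore(build2, Paths.get(".")).createClientTransportSSLEngine((String) null, -1).getEnabledCipherSuites();
                String[] enabledProtocols3 = new DefaultSearchGuardKeyStore(build2, Paths.get(".")).createClientTransportSSLEngine((String) null, -1).getEnabledProtocols();
                Assert.assertEquals(1L, enabledProtocols3.length);
                Assert.assertEquals("SSLv3", enabledProtocols3[0]);
                Assert.assertEquals(1L, enabledCipherSuites3.length);
                Assert.assertEquals("SSL_RSA_EXPORT_WITH_RC4_40_MD5", enabledCipherSuites3[0]);
            } catch (ElasticsearchSecurityException e) {
                // A TLS provider that refuses the obsolete suite outright is an acceptable outcome.
                Assert.assertTrue("Check if error contains 'no valid cipher suites' -> " + e.toString(), e.toString().contains("no valid cipher suites") || e.toString().contains("failed to set cipher suite") || e.toString().contains("Unable to configure permitted SSL ciphers") || e.toString().contains("OPENSSL_internal:NO_CIPHER_MATCH"));
            }
        } finally {
            // Security.setProperty rejects null, so only a previously defined value is restored.
            // NOTE(review): JSSE may read this property once and cache it; the restore keeps the
            // property itself clean for later readers but may not re-arm already-initialised classes.
            if (previousDisabledAlgorithms != null) {
                Security.setProperty(disabledAlgorithmsKey, previousDisabledAlgorithms);
            }
        }
    }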

    /**
     * Starts an HTTPS-only cluster without an explicit {@code clientauth_mode} and checks that a
     * client presenting a certificate is served and sees its certificate subject in
     * {@code _searchguard/sslinfo}.
     *
     * <p>Also asserts that {@code _nodes/settings} does not contain a {@code "searchguard"}
     * section.
     *
     * @throws Exception if cluster setup or any request fails
     */
    @Test
    public void testHttpsOptionalAuth() throws Exception {
        // No clientauth_mode is set here; presumably the plugin default applies - confirm.
        final Settings settings = Settings.builder()
                .put("searchguard.ssl.transport.enabled", false)
                .put("searchguard.ssl.http.keystore_alias", "node-0")
                .put("searchguard.ssl.http.enabled", true)
                .put("searchguard.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
                .put("searchguard.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
                .build();
        setupSslOnlyMode(settings);

        final RestHelper rh = restHelper();
        rh.enableHTTPClientSSL = true;
        rh.trustHTTPServerCertificate = true;
        rh.sendHTTPClientCertificate = true;

        Assert.assertTrue(rh.executeSimpleRequest("_searchguard/sslinfo?pretty").contains("TLS"));
        Assert.assertTrue(rh.executeSimpleRequest("_nodes/settings?pretty").contains(clusterInfo.clustername));
        Assert.assertFalse(rh.executeSimpleRequest("_nodes/settings?pretty").contains("\"searchguard\""));
        Assert.assertTrue(rh.executeSimpleRequest("_searchguard/sslinfo?pretty").contains("CN=node-0.example.com,OU=SSL,O=Test,L=Test,C=DE"));
    }

    /**
     * Enables TLS on both the transport and the HTTP layer (JKS key and trust stores, client
     * certificate required on HTTP) and checks that requests succeed and that the transport
     * counters reported by {@code _nodes/stats} are non-zero.
     *
     * @throws Exception if cluster setup or any request fails
     */
    @Test
    public void testHttpsAndNodeSSL() throws Exception {
        // Hostname verification is switched off for the transport layer; that suits these fixture
        // certificates and is not a setting to copy into a deployment.
        final Settings settings = Settings.builder()
                .put("searchguard.ssl.transport.enabled", true)
                .put("searchguard.ssl.transport.keystore_alias", "node-0")
                .put("searchguard.ssl.http.keystore_alias", "node-0")
                .put("searchguard.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
                .put("searchguard.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
                .put("searchguard.ssl.transport.enforce_hostname_verification", false)
                .put("searchguard.ssl.transport.resolve_hostname", false)
                .put("searchguard.ssl.http.enabled", true)
                .put("searchguard.ssl.http.clientauth_mode", "REQUIRE")
                .put("searchguard.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
                .put("searchguard.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
                .build();
        setupSslOnlyMode(settings);

        final RestHelper rh = restHelper();
        rh.enableHTTPClientSSL = true;
        rh.trustHTTPServerCertificate = true;
        rh.sendHTTPClientCertificate = true;

        Assert.assertTrue(rh.executeSimpleRequest("_searchguard/sslinfo?pretty").contains("TLS"));
        Assert.assertTrue(rh.executeSimpleRequest("_searchguard/sslinfo?pretty").length() > 0);
        Assert.assertTrue(rh.executeSimpleRequest("_nodes/settings?pretty").contains(clusterInfo.clustername));
        Assert.assertTrue(rh.executeSimpleRequest("_searchguard/sslinfo?pretty").contains("CN=node-0.example.com,OU=SSL,O=Test,L=Test,C=DE"));

        // One stats request per counter, in the original order: none may still read zero.
        final String[] zeroCounters = {
            "\"tx_size_in_bytes\" : 0",
            "\"rx_count\" : 0",
            "\"rx_size_in_bytes\" : 0",
            "\"tx_count\" : 0"
        };
        for (String zeroCounter : zeroCounters) {
            Assert.assertFalse(rh.executeSimpleRequest("_nodes/stats?pretty").contains(zeroCounter));
        }
    }

    /**
     * Same scenario as the JKS-based transport+HTTP test, but with the node certificate, key and
     * trusted CAs supplied as PEM files.
     *
     * @throws Exception if cluster setup or any request fails
     */
    @Test
    public void testHttpsAndNodeSSLPem() throws Exception {
        final String certPem = FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0.crt.pem");
        final String keyPem = FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0.key.pem");
        final String transportCaPem = FileHelper.getAbsoluteFilePathFromClassPath("ssl/root-ca.pem");

        final Settings.Builder builder = Settings.builder()
                .put("searchguard.ssl.transport.enabled", true)
                .put("searchguard.ssl.transport.pemcert_filepath", certPem)
                .put("searchguard.ssl.transport.pemkey_filepath", keyPem)
                .put("searchguard.ssl.transport.pemtrustedcas_filepath", transportCaPem)
                // Fixture certificates only: hostname checks are disabled on the transport layer.
                .put("searchguard.ssl.transport.enforce_hostname_verification", false)
                .put("searchguard.ssl.transport.resolve_hostname", false)
                .put("searchguard.ssl.http.enabled", true)
                .put("searchguard.ssl.http.clientauth_mode", "REQUIRE")
                .put("searchguard.ssl.http.pemcert_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0.crt.pem"))
                .put("searchguard.ssl.http.pemkey_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0.key.pem"))
                .put("searchguard.ssl.http.pemtrustedcas_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/root-ca.pem"));
        setupSslOnlyMode(builder.build());

        final RestHelper rh = restHelper();
        rh.enableHTTPClientSSL = true;
        rh.trustHTTPServerCertificate = true;
        rh.sendHTTPClientCertificate = true;

        Assert.assertTrue(rh.executeSimpleRequest("_searchguard/sslinfo?pretty").contains("TLS"));
        Assert.assertTrue(rh.executeSimpleRequest("_searchguard/sslinfo?pretty").length() > 0);
        Assert.assertTrue(rh.executeSimpleRequest("_nodes/settings?pretty").contains(clusterInfo.clustername));
        Assert.assertTrue(rh.executeSimpleRequest("_searchguard/sslinfo?pretty").contains("CN=node-0.example.com,OU=SSL,O=Test,L=Test,C=DE"));
    }

    /**
     * Runs the PEM-based transport+HTTP scenario with a private key file that is protected by a
     * password ({@code pemkey_password}).
     *
     * <p>The password literal is a test-fixture value that ships with the test resources.
     *
     * @throws Exception if cluster setup or any request fails
     */
    @Test
    public void testHttpsAndNodeSSLPemEnc() throws Exception {
        final Settings settings = Settings.builder()
                .put("searchguard.ssl.transport.enabled", true)
                .put("searchguard.ssl.transport.pemcert_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/pem/node-4.crt.pem"))
                .put("searchguard.ssl.transport.pemkey_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/pem/node-4.key"))
                .put("searchguard.ssl.transport.pemkey_password", "changeit")
                .put("searchguard.ssl.transport.pemtrustedcas_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/root-ca.pem"))
                .put("searchguard.ssl.transport.enforce_hostname_verification", false)
                .put("searchguard.ssl.transport.resolve_hostname", false)
                .put("searchguard.ssl.http.enabled", true)
                .put("searchguard.ssl.http.clientauth_mode", "REQUIRE")
                .put("searchguard.ssl.http.pemcert_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/pem/node-4.crt.pem"))
                .put("searchguard.ssl.http.pemkey_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/pem/node-4.key"))
                .put("searchguard.ssl.http.pemkey_password", "changeit")
                .put("searchguard.ssl.http.pemtrustedcas_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/root-ca.pem"))
                .build();
        setupSslOnlyMode(settings);

        final RestHelper rh = restHelper();
        rh.enableHTTPClientSSL = true;
        rh.trustHTTPServerCertificate = true;
        rh.sendHTTPClientCertificate = true;

        Assert.assertTrue(rh.executeSimpleRequest("_searchguard/sslinfo?pretty").contains("TLS"));
        Assert.assertTrue(rh.executeSimpleRequest("_searchguard/sslinfo?pretty").length() > 0);
        Assert.assertTrue(rh.executeSimpleRequest("_nodes/settings?pretty").contains(clusterInfo.clustername));
        // NOTE(review): the node runs with the node-4 certificate while this subject names node-0;
        // presumably sslinfo reports the certificate presented by the REST helper - confirm.
        Assert.assertTrue(rh.executeSimpleRequest("_searchguard/sslinfo?pretty").contains("CN=node-0.example.com,OU=SSL,O=Test,L=Test,C=DE"));
    }

    /**
     * Verifies that cluster setup fails when the transport cipher list contains only an unknown
     * cipher name, and that the root cause mentions "no valid cipher".
     *
     * <p>A silent fallback to some default cipher list would let the {@code Assert.fail()} after
     * the setup call run; that raises an {@code AssertionError}, which the {@code catch} for
     * {@code Exception} does not intercept.
     *
     * @throws Exception never in practice; declared for consistency with the other tests
     */
    @Test
    public void testHttpsAndNodeSSLFailedCipher() throws Exception {
        try {
            final Settings settings = Settings.builder()
                    .put("searchguard.ssl.transport.enabled", true)
                    .put("searchguard.ssl.transport.keystore_alias", "node-0")
                    .put("searchguard.ssl.http.keystore_alias", "node-0")
                    .put("searchguard.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
                    .put("searchguard.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
                    .put("searchguard.ssl.transport.enforce_hostname_verification", false)
                    .put("searchguard.ssl.transport.resolve_hostname", false)
                    .put("searchguard.ssl.http.enabled", true)
                    .put("searchguard.ssl.http.clientauth_mode", "REQUIRE")
                    .put("searchguard.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
                    .put("searchguard.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
                    .put("searchguard.ssl.transport.enabled_ciphers", "INVALID_CIPHER")
                    .build();
            setupSslOnlyMode(settings);
            Assert.fail();
        } catch (Exception setupFailure) {
            final Throwable cause = ExceptionUtils.getRootCause(setupFailure);
            final String rendered = cause.toString();
            Assert.assertTrue(rendered, rendered.contains("no valid cipher"));
        }
    }

    /**
     * Verifies that a plain-HTTP request against an HTTPS-enabled node gets no HTTP response:
     * the test expects {@link NoHttpResponseException}.
     *
     * <p>The assertions after the first request only run if the node answered in clear text,
     * in which case the expected exception is missing and the test fails.
     *
     * @throws Exception the expected {@code NoHttpResponseException}, or a setup failure
     */
    @Test
    public void testHttpPlainFail() throws Exception {
        thrown.expect(NoHttpResponseException.class);

        final Settings settings = Settings.builder()
                .put("searchguard.ssl.transport.enabled", false)
                .put("searchguard.ssl.http.keystore_alias", "node-0")
                .put("searchguard.ssl.http.enabled", true)
                .put("searchguard.ssl.http.clientauth_mode", "OPTIONAL")
                .put("searchguard.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
                .put("searchguard.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
                .build();
        setupSslOnlyMode(settings);

        final RestHelper plainClient = restHelper();
        plainClient.enableHTTPClientSSL = false;
        plainClient.trustHTTPServerCertificate = true;
        plainClient.sendHTTPClientCertificate = false;

        Assert.assertTrue(plainClient.executeSimpleRequest("_searchguard/sslinfo?pretty").length() > 0);
        Assert.assertTrue(plainClient.executeSimpleRequest("_nodes/settings?pretty").contains(clusterInfo.clustername));
        Assert.assertTrue(plainClient.executeSimpleRequest("_searchguard/sslinfo?pretty").contains("CN=node-0.example.com,OU=SSL,O=Test,L=Test,C=DE"));
    }

    /**
     * With {@code clientauth_mode} set to {@code NONE}, a TLS client that sends no certificate is
     * still served, and {@code _searchguard/sslinfo} does not report the node-0 subject.
     *
     * @throws Exception if cluster setup or any request fails
     */
    @Test
    public void testHttpsNoEnforce() throws Exception {
        final Settings settings = Settings.builder()
                .put("searchguard.ssl.transport.enabled", false)
                .put("searchguard.ssl.http.keystore_alias", "node-0")
                .put("searchguard.ssl.http.enabled", true)
                .put("searchguard.ssl.http.clientauth_mode", "NONE")
                .put("searchguard.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
                .put("searchguard.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
                .build();
        setupSslOnlyMode(settings);

        final RestHelper anonymousTlsClient = restHelper();
        anonymousTlsClient.enableHTTPClientSSL = true;
        anonymousTlsClient.trustHTTPServerCertificate = true;
        anonymousTlsClient.sendHTTPClientCertificate = false;

        Assert.assertTrue(anonymousTlsClient.executeSimpleRequest("_searchguard/sslinfo?pretty").length() > 0);
        Assert.assertTrue(anonymousTlsClient.executeSimpleRequest("_nodes/settings?pretty").contains(clusterInfo.clustername));
        // No client certificate was sent, so its subject must not show up in the response.
        Assert.assertFalse(anonymousTlsClient.executeSimpleRequest("_searchguard/sslinfo?pretty").contains("CN=node-0.example.com,OU=SSL,O=Test,L=Test,C=DE"));
    }

    /**
     * With {@code clientauth_mode} set to {@code REQUIRE}, a TLS client that sends no certificate
     * must be rejected at connection level: the request has to end in a {@link SocketException}
     * or an {@link SSLException}.
     *
     * <p>A successful response reaches {@code Assert.fail()}; any other exception type is reported
     * as unexpected.
     *
     * @throws Exception if cluster setup fails
     */
    @Test
    public void testHttpsEnforceFail() throws Exception {
        final Settings settings = Settings.builder()
                .put("searchguard.ssl.transport.enabled", false)
                .put("searchguard.ssl.http.keystore_alias", "node-0")
                .put("searchguard.ssl.http.enabled", true)
                .put("searchguard.ssl.http.clientauth_mode", "REQUIRE")
                .put("searchguard.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
                .put("searchguard.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
                .build();
        setupSslOnlyMode(settings);

        final RestHelper rh = restHelper();
        rh.enableHTTPClientSSL = true;
        rh.trustHTTPServerCertificate = true;
        rh.sendHTTPClientCertificate = false;

        try {
            rh.executeSimpleRequest("");
            Assert.fail();
        } catch (SocketException | SSLException expected) {
            // Expected: the connection is refused because no client certificate was presented.
        } catch (Exception unexpected) {
            Assert.fail("Unexpected exception " + unexpected.toString());
        }
    }

    /**
     * Verifies that a client restricted to SSLv3 ({@code enableHTTPClientSSLv3Only}) cannot
     * complete a handshake with a node running the default protocol settings: the test expects
     * {@link SSLHandshakeException}.
     *
     * @throws Exception the expected {@code SSLHandshakeException}, or a setup failure
     */
    @Test
    public void testHttpsV3Fail() throws Exception {
        thrown.expect(SSLHandshakeException.class);

        // No enabled_protocols are configured, so the node uses whatever the plugin defaults to.
        final Settings settings = Settings.builder()
                .put("searchguard.ssl.transport.enabled", false)
                .put("searchguard.ssl.http.keystore_alias", "node-0")
                .put("searchguard.ssl.http.enabled", true)
                .put("searchguard.ssl.http.clientauth_mode", "NONE")
                .put("searchguard.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
                .put("searchguard.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
                .build();
        setupSslOnlyMode(settings);

        final RestHelper sslV3Client = restHelper();
        sslV3Client.enableHTTPClientSSL = true;
        sslV3Client.trustHTTPServerCertificate = true;
        sslV3Client.sendHTTPClientCertificate = false;
        sslV3Client.enableHTTPClientSSLv3Only = true;

        Assert.assertTrue(sslV3Client.executeSimpleRequest("_searchguard/sslinfo?pretty").length() > 0);
        Assert.assertTrue(sslV3Client.executeSimpleRequest("_nodes/settings?pretty").contains(clusterInfo.clustername));
    }

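    /**
     * Starts an additional node with no roles that joins the TLS-protected cluster over the
     * transport layer, then checks that the cluster reports four nodes and that the transport
     * counters in {@code _nodes/stats} are non-zero.
     *
     * <p>The extra node is managed by try-with-resources, so it is closed exactly once whether
     * the assertions pass or fail. The cluster health response is held in a named local so both
     * the timeout check and the node-count check read the same response.
     *
     * @throws Exception if cluster setup, node start-up or any request fails
     */
    @Test
    public void testNodeClientSSL() throws Exception {
        // Hostname verification is disabled for the fixture certificates used by this test.
        final Settings build = Settings.builder()
                .put("searchguard.ssl.transport.enabled", true)
                .put("searchguard.ssl.transport.keystore_alias", "node-0")
                .put("searchguard.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
                .put("searchguard.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
                .put("searchguard.ssl.transport.enforce_hostname_verification", false)
                .put("searchguard.ssl.transport.resolve_hostname", false)
                .build();
        setupSslOnlyMode(build);
        final RestHelper nonSslRestHelper = nonSslRestHelper();

        final Settings clientNodeSettings = Settings.builder()
                .put("cluster.name", this.clusterInfo.clustername)
                .put("path.home", tmpHome())
                // Random suffix only keeps node names distinct between runs; it is not a secret.
                .put("node.name", "client_node_" + new Random().nextInt())
                .put("node.roles", "")
                .put("discovery.initial_state_timeout", "8s")
                .putList("cluster.initial_master_nodes", this.clusterInfo.tcpMasterPortsOnly)
                .putList("discovery.seed_hosts", this.clusterInfo.tcpMasterPortsOnly)
                .put(build)
                .build();

        try (Node clientNode = new PluginAwareNode(false, clientNodeSettings).start()) {
            final ClusterHealthResponse health = clientNode.client().admin().cluster()
                    .health(new ClusterHealthRequest().waitForNodes("4").timeout(TimeValue.timeValueSeconds(15L)))
                    .actionGet();
            Assert.assertFalse(health.isTimedOut());
            Assert.assertEquals(4, health.getNumberOfNodes());

            final NodesInfoResponse nodesInfo = clientNode.client().admin().cluster()
                    .nodesInfo(new NodesInfoRequest())
                    .actionGet();
            Assert.assertEquals(4, nodesInfo.getNodes().size());
        }

        // Checked after the extra node has been closed: transport traffic must have been counted.
        Assert.assertFalse(nonSslRestHelper.executeSimpleRequest("_nodes/stats?pretty").contains("\"tx_size_in_bytes\" : 0"));
        Assert.assertFalse(nonSslRestHelper.executeSimpleRequest("_nodes/stats?pretty").contains("\"rx_count\" : 0"));
        Assert.assertFalse(nonSslRestHelper.executeSimpleRequest("_nodes/stats?pretty").contains("\"rx_size_in_bytes\" : 0"));
        Assert.assertFalse(nonSslRestHelper.executeSimpleRequest("_nodes/stats?pretty").contains("\"tx_count\" : 0"));
    }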

    /**
     * Creates a fresh temporary directory (prefix {@code sslclientnode}) to serve as
     * {@code path.home} for an extra node and returns its absolute path.
     *
     * <p>The directory is registered with {@link File#deleteOnExit()}. A directory is only
     * removed that way if it is empty at JVM shutdown, so a home directory the node has written
     * into is likely to be left behind.
     *
     * @return absolute path of the newly created directory
     * @throws RuntimeException wrapping the {@link IOException} if the directory cannot be created
     */
    private String tmpHome() {
        final File homeDir;
        try {
            homeDir = Files.createTempDirectory("sslclientnode").toFile();
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
        homeDir.deleteOnExit();
        return homeDir.getAbsolutePath();
    }

    /**
     * Checks that the plugin's list of secure ciphers overlaps with what the running JVM supports:
     * after intersecting the two lists, at least one cipher suite must remain and must be
     * accepted by the default TLS engine.
     *
     * @throws Exception if the default TLS context cannot be created or initialised
     */
    @Test
    public void testAvailCiphers() throws Exception {
        final SSLContext tlsContext = SSLContext.getInstance("TLS");
        tlsContext.init(null, null, null);
        final SSLEngine engine = tlsContext.createSSLEngine();

        // Keep only the JVM-supported suites that also appear in the plugin's secure list.
        final ArrayList<String> usableSuites = new ArrayList<>(Arrays.asList(engine.getSupportedCipherSuites()));
        usableSuites.retainAll(SSLConfigConstants.getSecureSSLCiphers(Settings.EMPTY, false));

        engine.setEnabledCipherSuites(usableSuites.toArray(new String[0]));
        Assert.assertTrue(engine.getEnabledCipherSuites().length > 0);
    }

    /**
     * Guards the built-in secure protocol and cipher defaults against modification by callers.
     *
     * <p>Writing into the array returned by {@code getSecureSSLProtocols} must not affect the next
     * call (the first entry is still {@code TLSv1.3}), and the list returned by
     * {@code getSecureSSLCiphers} must reject {@code set} with
     * {@link UnsupportedOperationException}.
     *
     * @throws Exception not expected; declared for consistency with the other tests
     */
    @Test
    public void testUnmodifieableCipherProtocolConfig() throws Exception {
        final String[] handedOutProtocols = SSLConfigConstants.getSecureSSLProtocols(Settings.EMPTY, false);
        handedOutProtocols[0] = "bogus";
        Assert.assertEquals("TLSv1.3", SSLConfigConstants.getSecureSSLProtocols(Settings.EMPTY, false)[0]);

        try {
            SSLConfigConstants.getSecureSSLCiphers(Settings.EMPTY, false).set(0, "bogus");
            Assert.fail();
        } catch (UnsupportedOperationException expected) {
            // Expected: the cipher list is read-only.
        }
    }

    /**
     * Enables CRL validation on the HTTP layer in a PEM-based setup (trusted CAs taken from
     * {@code ssl/chain-ca.pem}) and checks that a client presenting a certificate is still served.
     *
     * <p>NOTE(review): only the accepted path is asserted in this method; no revoked client
     * certificate is exercised here.
     *
     * @throws Exception if cluster setup or the request fails
     */
    @Test
    public void testCRLPem() throws Exception {
        final Settings settings = Settings.builder()
                .put("searchguard.ssl.transport.enabled", true)
                .put("searchguard.ssl.transport.pemcert_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0.crt.pem"))
                .put("searchguard.ssl.transport.pemkey_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0.key.pem"))
                .put("searchguard.ssl.transport.pemtrustedcas_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/root-ca.pem"))
                .put("searchguard.ssl.transport.enforce_hostname_verification", false)
                .put("searchguard.ssl.transport.resolve_hostname", false)
                .put("searchguard.ssl.http.enabled", true)
                .put("searchguard.ssl.http.clientauth_mode", "REQUIRE")
                .put("searchguard.ssl.http.pemcert_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0.crt.pem"))
                .put("searchguard.ssl.http.pemkey_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0.key.pem"))
                .put("searchguard.ssl.http.pemtrustedcas_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/chain-ca.pem"))
                .put("searchguard.ssl.http.crl.validate", true)
                // Validation date is pinned to a fixture constant; presumably so the outcome does
                // not depend on the wall clock - confirm against CertificateValidatorTest.
                .put("searchguard.ssl.http.crl.validation_date", CertificateValidatorTest.CRL_DATE.getTime())
                .build();
        setupSslOnlyMode(settings);

        final RestHelper rh = restHelper();
        rh.enableHTTPClientSSL = true;
        rh.trustHTTPServerCertificate = true;
        rh.sendHTTPClientCertificate = true;

        Assert.assertTrue(rh.executeSimpleRequest("_searchguard/sslinfo?pretty").contains("TLS"));
    }

    /**
     * Enables CRL validation on the HTTP layer with an explicit CRL file
     * ({@code ssl/crl/revoked.crl}) and checks that a client presenting a certificate is still
     * served.
     *
     * <p>NOTE(review): only the accepted path is asserted in this method; a request made with a
     * certificate listed in the CRL is not exercised here.
     *
     * @throws Exception if cluster setup or the request fails
     */
    @Test
    public void testCRL() throws Exception {
        final Settings settings = Settings.builder()
                .put("searchguard.ssl.transport.enabled", false)
                .put("searchguard.ssl.http.keystore_alias", "node-0")
                .put("searchguard.ssl.http.enabled", true)
                .put("searchguard.ssl.http.clientauth_mode", "REQUIRE")
                .put("searchguard.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
                .put("searchguard.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
                .put("searchguard.ssl.http.crl.validate", true)
                .put("searchguard.ssl.http.crl.file_path", FileHelper.getAbsoluteFilePathFromClassPath("ssl/crl/revoked.crl"))
                .put("searchguard.ssl.http.crl.validation_date", CertificateValidatorTest.CRL_DATE.getTime())
                .build();
        setupSslOnlyMode(settings);

        final RestHelper rh = restHelper();
        rh.enableHTTPClientSSL = true;
        rh.trustHTTPServerCertificate = true;
        rh.sendHTTPClientCertificate = true;

        Assert.assertTrue(rh.executeSimpleRequest("_nodes/settings?pretty").contains(clusterInfo.clustername));
    }

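    /**
     * Repeats the extra-node join scenario with the transport layer restricted to TLSv1.3 and
     * the single cipher suite {@code TLS_AES_128_GCM_SHA256}. Skipped on Java versions below 11.
     *
     * <p>The extra node is managed by try-with-resources, so it is closed exactly once whether
     * the assertions pass or fail. The cluster health response is held in a named local so both
     * the timeout check and the node-count check read the same response.
     *
     * @throws Exception if cluster setup, node start-up or any request fails
     */
    @Test
    public void testNodeClientSSLwithJavaTLSv13() throws Exception {
        Assume.assumeTrue(PlatformDependent.javaVersion() >= 11);

        // Hostname verification is disabled for the fixture certificates used by this test.
        final Settings build = Settings.builder()
                .put("searchguard.ssl.transport.enabled", true)
                .put("searchguard.ssl.transport.keystore_alias", "node-0")
                .put("searchguard.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
                .put("searchguard.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
                .put("searchguard.ssl.transport.enforce_hostname_verification", false)
                .put("searchguard.ssl.transport.resolve_hostname", false)
                .putList("searchguard.ssl.transport.enabled_protocols", "TLSv1.3")
                .putList("searchguard.ssl.transport.enabled_ciphers", "TLS_AES_128_GCM_SHA256")
                .build();
        setupSslOnlyMode(build);
        final RestHelper nonSslRestHelper = nonSslRestHelper();

        final Settings clientNodeSettings = Settings.builder()
                .put("cluster.name", this.clusterInfo.clustername)
                .put("path.home", tmpHome())
                // Random suffix only keeps node names distinct between runs; it is not a secret.
                .put("node.name", "client_node_" + new Random().nextInt())
                .put("node.roles", "")
                .put("discovery.initial_state_timeout", "18s")
                .putList("cluster.initial_master_nodes", this.clusterInfo.tcpMasterPortsOnly)
                .putList("discovery.seed_hosts", this.clusterInfo.tcpMasterPortsOnly)
                .put(build)
                .build();

        try (Node clientNode = new PluginAwareNode(false, clientNodeSettings).start()) {
            final ClusterHealthResponse health = clientNode.client().admin().cluster()
                    .health(new ClusterHealthRequest().waitForNodes("4").timeout(TimeValue.timeValueSeconds(25L)))
                    .actionGet();
            Assert.assertFalse(health.isTimedOut());
            Assert.assertEquals(4, health.getNumberOfNodes());

            final NodesInfoResponse nodesInfo = clientNode.client().admin().cluster()
                    .nodesInfo(new NodesInfoRequest())
                    .actionGet();
            Assert.assertEquals(4, nodesInfo.getNodes().size());
        }

        // Checked after the extra node has been closed: transport traffic must have been counted.
        Assert.assertFalse(nonSslRestHelper.executeSimpleRequest("_nodes/stats?pretty").contains("\"tx_size_in_bytes\" : 0"));
        Assert.assertFalse(nonSslRestHelper.executeSimpleRequest("_nodes/stats?pretty").contains("\"rx_count\" : 0"));
        Assert.assertFalse(nonSslRestHelper.executeSimpleRequest("_nodes/stats?pretty").contains("\"rx_size_in_bytes\" : 0"));
        Assert.assertFalse(nonSslRestHelper.executeSimpleRequest("_nodes/stats?pretty").contains("\"tx_count\" : 0"));
    }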

    /**
     * Runs the JKS-based transport+HTTP scenario with an explicit key password
     * ({@code keystore_keypassword}) on both layers and expects normal operation, including
     * non-zero transport counters in {@code _nodes/stats}.
     *
     * <p>The password literal is a test-fixture value that ships with the test resources.
     *
     * @throws Exception if cluster setup or any request fails
     */
    @Test
    public void testHttpsAndNodeSSLKeyPass() throws Exception {
        final Settings settings = Settings.builder()
                .put("searchguard.ssl.transport.enabled", true)
                .put("searchguard.ssl.transport.keystore_alias", "node-0")
                .put("searchguard.ssl.http.keystore_alias", "node-0")
                .put("searchguard.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
                .put("searchguard.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
                .put("searchguard.ssl.transport.keystore_keypassword", "changeit")
                .put("searchguard.ssl.transport.enforce_hostname_verification", false)
                .put("searchguard.ssl.transport.resolve_hostname", false)
                .put("searchguard.ssl.http.enabled", true)
                .put("searchguard.ssl.http.clientauth_mode", "REQUIRE")
                .put("searchguard.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
                .put("searchguard.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
                .put("searchguard.ssl.http.keystore_keypassword", "changeit")
                .build();
        setupSslOnlyMode(settings);

        final RestHelper rh = restHelper();
        rh.enableHTTPClientSSL = true;
        rh.trustHTTPServerCertificate = true;
        rh.sendHTTPClientCertificate = true;

        Assert.assertTrue(rh.executeSimpleRequest("_searchguard/sslinfo?pretty").contains("TLS"));
        Assert.assertTrue(rh.executeSimpleRequest("_searchguard/sslinfo?pretty").length() > 0);
        Assert.assertTrue(rh.executeSimpleRequest("_nodes/settings?pretty").contains(clusterInfo.clustername));
        Assert.assertTrue(rh.executeSimpleRequest("_searchguard/sslinfo?pretty").contains("CN=node-0.example.com,OU=SSL,O=Test,L=Test,C=DE"));

        // One stats request per counter, in the original order: none may still read zero.
        final String[] zeroCounters = {
            "\"tx_size_in_bytes\" : 0",
            "\"rx_count\" : 0",
            "\"rx_size_in_bytes\" : 0",
            "\"tx_count\" : 0"
        };
        for (String zeroCounter : zeroCounters) {
            Assert.assertFalse(rh.executeSimpleRequest("_nodes/stats?pretty").contains(zeroCounter));
        }
    }

    /**
     * Verifies that a wrong key password on both layers fails with
     * {@link ElasticsearchSecurityException}.
     *
     * <p>The REST request at the end only runs if the node accepted the wrong password; in that
     * case the expected exception is missing and the test fails.
     *
     * @throws Exception the expected {@code ElasticsearchSecurityException}
     */
    @Test(expected = ElasticsearchSecurityException.class)
    public void testHttpsAndNodeSSLKeyPassFail() throws Exception {
        final Settings settings = Settings.builder()
                .put("searchguard.ssl.transport.enabled", true)
                .put("searchguard.ssl.transport.keystore_alias", "node-0")
                .put("searchguard.ssl.http.keystore_alias", "node-0")
                .put("searchguard.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
                .put("searchguard.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
                .put("searchguard.ssl.transport.keystore_keypassword", "wrongpass")
                .put("searchguard.ssl.transport.enforce_hostname_verification", false)
                .put("searchguard.ssl.transport.resolve_hostname", false)
                .put("searchguard.ssl.http.enabled", true)
                .put("searchguard.ssl.http.clientauth_mode", "REQUIRE")
                .put("searchguard.ssl.http.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/node-0-keystore.jks"))
                .put("searchguard.ssl.http.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/truststore.jks"))
                .put("searchguard.ssl.http.keystore_keypassword", "wrongpass")
                .build();
        setupSslOnlyMode(settings);

        final RestHelper rh = restHelper();
        rh.enableHTTPClientSSL = true;
        rh.trustHTTPServerCertificate = true;
        rh.sendHTTPClientCertificate = true;

        Assert.assertTrue(rh.executeSimpleRequest("_searchguard/sslinfo?pretty").contains("TLS"));
    }

    /**
     * Runs the PEM-based transport+HTTP scenario with the private key taken from
     * {@code ssl/pkcs1/node-0-pkcs1.key.pem} and checks that HTTPS requests succeed.
     *
     * <p>The REST helper is given a trust-all SSL configuration for the duration of the test, so
     * the server certificate is not validated by the client here; this exercises key loading on
     * the node, not certificate trust. The configuration is reset in {@code finally} so later
     * users of the helper do not inherit it.
     *
     * @throws Exception if cluster setup or any request fails
     */
    @Test
    public void testHttpsAndNodeSSLPCKS1() throws Exception {
        final Settings settings = Settings.builder()
                .put("searchguard.ssl.transport.enabled", true)
                .put("searchguard.ssl.transport.pemcert_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/pkcs1/node-0.crt.pem"))
                .put("searchguard.ssl.transport.pemkey_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/pkcs1/node-0-pkcs1.key.pem"))
                .put("searchguard.ssl.transport.pemtrustedcas_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/root-ca.pem"))
                .put("searchguard.ssl.transport.enforce_hostname_verification", false)
                .put("searchguard.ssl.transport.resolve_hostname", false)
                .put("searchguard.ssl.http.enabled", true)
                .put("searchguard.ssl.http.pemcert_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/pkcs1/node-0.crt.pem"))
                .put("searchguard.ssl.http.pemkey_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/pkcs1/node-0-pkcs1.key.pem"))
                .put("searchguard.ssl.http.pemtrustedcas_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/root-ca.pem"))
                .build();
        setupSslOnlyMode(settings);

        final RestHelper rh = restHelper();
        try {
            rh.enableHTTPClientSSL = true;
            // Test-only: trust-all disables server certificate validation on the client side.
            rh.setSslConfig(new GenericSSLConfig.Builder().trustAll(true).build());

            Assert.assertTrue(rh.executeSimpleRequest("_searchguard/sslinfo?pretty").contains("TLS"));
            Assert.assertTrue(rh.executeSimpleRequest("_searchguard/sslinfo?pretty").length() > 0);
            Assert.assertTrue(rh.executeSimpleRequest("_nodes/settings?pretty").contains(clusterInfo.clustername));
        } finally {
            rh.setSslConfig(null);
        }
    }
}
