package com.floragunn.searchguard.util;

import com.floragunn.dlic.util.SettingsBasedSSLConfigurator;
import com.floragunn.searchguard.test.helper.file.FileHelper;
import com.floragunn.searchguard.test.helper.network.SocketUtils;
import java.io.Closeable;
import java.io.FileInputStream;
import java.io.IOException;
import java.net.Socket;
import java.net.SocketException;
import java.nio.charset.CharsetDecoder;
import java.nio.charset.CharsetEncoder;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.Map;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;
import org.apache.http.HttpConnectionFactory;
import org.apache.http.HttpException;
import org.apache.http.HttpRequest;
import org.apache.http.HttpResponse;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.config.ConnectionConfig;
import org.apache.http.config.MessageConstraints;
import org.apache.http.entity.ContentLengthStrategy;
import org.apache.http.impl.ConnSupport;
import org.apache.http.impl.DefaultBHttpServerConnection;
import org.apache.http.impl.bootstrap.HttpServer;
import org.apache.http.impl.bootstrap.SSLServerSetupHandler;
import org.apache.http.impl.bootstrap.ServerBootstrap;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.io.HttpMessageParserFactory;
import org.apache.http.io.HttpMessageWriterFactory;
import org.apache.http.protocol.HttpContext;
import org.apache.http.protocol.HttpRequestHandler;
import org.apache.http.ssl.PrivateKeyDetails;
import org.apache.http.ssl.PrivateKeyStrategy;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.ssl.TrustStrategy;
import org.elasticsearch.common.settings.Settings;
import org.hamcrest.CoreMatchers;
import org.junit.Assert;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.ExpectedException;

/* loaded from: input_file:com/floragunn/searchguard/util/SettingsBasedSSLConfiguratorTest.class */
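/**
 * Integration tests for {@link SettingsBasedSSLConfigurator}.
 *
 * <p>Every test starts a local HTTPS {@link TestServer} backed by JKS stores from the test
 * classpath and then connects to it with an Apache HttpClient whose SSL socket factory was
 * produced by the configurator from Elasticsearch {@link Settings}. Positive tests only assert
 * that the request completes (i.e. the TLS handshake succeeded); negative tests use the
 * {@link ExpectedException} rule to assert that the handshake is rejected (untrusted CA,
 * missing or wrong client certificate, hostname mismatch).
 *
 * <p>Two tests ({@link #testTrustAll()} and {@link #testPemHostnameVerificationOff()}) cover
 * the explicit opt-out switches that weaken certificate validation; they exist to prove the
 * switches are honoured, not to recommend them.
 */
public class SettingsBasedSSLConfiguratorTest {

    /** Password of every keystore/truststore in the {@code sslConfigurator} test resources. */
    private static final String STORE_PASSWORD = "secret";

    @Rule
    public ExpectedException thrown = ExpectedException.none();

    /**
     * Minimal HTTPS server acting as the peer for the client-side TLS configuration under test.
     *
     * <p>It listens on a free local port, answers {@code /test} with an empty response and is
     * shut down by {@link #close()}. The request handler does nothing on purpose: the tests
     * only care whether the TLS handshake succeeds, not about the HTTP payload or status.
     */
    static class TestServer implements Closeable {
        private final HttpServer httpServer;
        private final int port;

        /**
         * Server-side connection that exposes the certificate chain presented by the client
         * during the TLS handshake.
         */
        public static class SSLTestHttpServerConnection extends DefaultBHttpServerConnection {
            public SSLTestHttpServerConnection(int bufferSize, int fragmentSizeHint, CharsetDecoder decoder, CharsetEncoder encoder, MessageConstraints constraints, ContentLengthStrategy incomingContentStrategy, ContentLengthStrategy outgoingContentStrategy, HttpMessageParserFactory<HttpRequest> requestParserFactory, HttpMessageWriterFactory<HttpResponse> responseWriterFactory) {
                super(bufferSize, fragmentSizeHint, decoder, encoder, constraints, incomingContentStrategy, outgoingContentStrategy, requestParserFactory, responseWriterFactory);
            }

            /**
             * Returns the client's certificate chain from the underlying TLS session.
             *
             * @throws SSLPeerUnverifiedException if the client did not present a certificate
             */
            public Certificate[] getPeerCertificates() throws SSLPeerUnverifiedException {
                return ((SSLSocket) getSocket()).getSession().getPeerCertificates();
            }
        }

        /**
         * Starts the server on a free local port.
         *
         * @param trustStorePath classpath-relative path of the JKS truststore used to verify client certificates
         * @param keyStorePath classpath-relative path of the JKS keystore holding the server key under alias {@code node1}
         * @param password password of both stores and of the server's private key
         * @param needClientAuth whether the server demands a client certificate in the handshake
         * @throws IOException if the server cannot be bound or started
         */
        TestServer(String trustStorePath, String keyStorePath, String password, boolean needClientAuth) throws IOException {
            this.port = SocketUtils.findAvailableTcpPort();
            this.httpServer = createHttpServer(trustStorePath, keyStorePath, password, needClientAuth);
            this.httpServer.start();
        }

        /** URI of the (no-op) test endpoint on this server. */
        String getUri() {
            return "https://localhost:" + this.port + "/test";
        }

        /** Assembles the server; {@code port} must already be chosen. */
        private HttpServer createHttpServer(String trustStorePath, String keyStorePath, String password, final boolean needClientAuth) throws IOException {
            HttpRequestHandler noopHandler = new HttpRequestHandler() {
                @Override
                public void handle(HttpRequest request, HttpResponse response, HttpContext context) throws HttpException, IOException {
                    // Intentionally empty: the tests never inspect the HTTP response.
                }
            };

            SSLServerSetupHandler clientAuthSetup = new SSLServerSetupHandler() {
                @Override
                public void initialize(SSLServerSocket serverSocket) throws SSLException {
                    // needClientAuth=true makes the server reject handshakes without a trusted client cert.
                    if (needClientAuth) {
                        serverSocket.setNeedClientAuth(true);
                    }
                }
            };

            HttpConnectionFactory<DefaultBHttpServerConnection> connectionFactory = new HttpConnectionFactory<DefaultBHttpServerConnection>() {
                private final ConnectionConfig cconfig = ConnectionConfig.DEFAULT;

                @Override
                public DefaultBHttpServerConnection createConnection(Socket socket) throws IOException {
                    // Nulls select httpcore's default content-length strategies and parser/writer factories.
                    SSLTestHttpServerConnection connection = new SSLTestHttpServerConnection(this.cconfig.getBufferSize(), this.cconfig.getFragmentSizeHint(), ConnSupport.createDecoder(this.cconfig), ConnSupport.createEncoder(this.cconfig), this.cconfig.getMessageConstraints(), null, null, null, null);
                    connection.bind(socket);
                    return connection;
                }
            };

            return ServerBootstrap.bootstrap()
                    .setListenerPort(this.port)
                    .registerHandler("test", noopHandler)
                    .setSslContext(createSSLContext(trustStorePath, keyStorePath, password))
                    .setSslSetupHandler(clientAuthSetup)
                    .setConnectionFactory(connectionFactory)
                    .create();
        }

        /** Stops the server immediately (no grace period). */
        @Override
        public void close() throws IOException {
            this.httpServer.shutdown(0L, (TimeUnit) null);
        }

        /**
         * Builds the server's {@link SSLContext}: trust anchors from {@code trustStorePath},
         * the server identity from the {@code node1} entry of {@code keyStorePath}.
         *
         * @throws RuntimeException if either store cannot be located on the classpath or loaded
         */
        private SSLContext createSSLContext(String trustStorePath, String keyStorePath, String password) {
            char[] passwordChars = password.toCharArray();
            try {
                KeyStore trustStore = loadJks(trustStorePath, passwordChars);
                TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                trustManagerFactory.init(trustStore);

                KeyStore keyStore = loadJks(keyStorePath, passwordChars);
                KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
                keyManagerFactory.init(keyStore, passwordChars);

                SSLContextBuilder builder = SSLContexts.custom();
                builder.loadTrustMaterial(trustStore, (TrustStrategy) null);
                builder.loadKeyMaterial(keyStore, passwordChars, new PrivateKeyStrategy() {
                    @Override
                    public String chooseAlias(Map<String, PrivateKeyDetails> aliases, Socket socket) {
                        // The test keystores carry the server certificate under this fixed alias.
                        return "node1";
                    }
                });
                return builder.build();
            } catch (IOException | GeneralSecurityException e) {
                throw new RuntimeException(e);
            }
        }

        /**
         * Loads a JKS store from the test classpath, closing the file handle afterwards.
         *
         * @throws RuntimeException if the resource is not found on the classpath
         */
        private static KeyStore loadJks(String classPathLocation, char[] password) throws IOException, GeneralSecurityException {
            Path storePath = FileHelper.getAbsoluteFilePathFromClassPath(classPathLocation);
            if (storePath == null) {
                throw new RuntimeException("Could not find " + classPathLocation);
            }
            KeyStore store = KeyStore.getInstance("JKS");
            try (FileInputStream in = new FileInputStream(storePath.toFile())) {
                store.load(in, password);
            }
            return store;
        }
    }

    /**
     * Builds a client whose TLS socket factory is produced by the configurator under test from
     * {@code settings}, resolving relative file paths against {@code configDir}.
     */
    private static CloseableHttpClient newClient(Settings settings, Path configDir) throws Exception {
        SettingsBasedSSLConfigurator configurator = new SettingsBasedSSLConfigurator(settings, configDir, "prefix");
        return HttpClients.custom()
                .setSSLSocketFactory(configurator.buildSSLConfig().toSSLConnectionSocketFactory())
                .build();
    }

    /** A PEM CA file that signs the server certificate is sufficient for a successful handshake. */
    @Test
    public void testPemTrust() throws Exception {
        try (TestServer testServer = new TestServer("sslConfigurator/pem/truststore.jks", "sslConfigurator/pem/node1-keystore.jks", STORE_PASSWORD, false)) {
            Path rootCaPem = FileHelper.getAbsoluteFilePathFromClassPath("sslConfigurator/pem/root-ca.pem");
            Assert.assertTrue(rootCaPem.toFile().exists());

            Settings settings = Settings.builder()
                    .put("prefix.pemtrustedcas_filepath", rootCaPem.getFileName().toString())
                    .put("prefix.enable_ssl", "true")
                    .put("path.home", rootCaPem.getParent().toString())
                    .build();

            try (CloseableHttpClient client = newClient(settings, rootCaPem.getParent());
                    CloseableHttpResponse response = client.execute(new HttpGet(testServer.getUri()))) {
                // Reaching this point means the handshake against the node1 certificate succeeded.
            }
        }
    }

    /** A CA that did not sign the server certificate must make the handshake fail. */
    @Test
    public void testPemWrongTrust() throws Exception {
        try (TestServer testServer = new TestServer("sslConfigurator/pem/truststore.jks", "sslConfigurator/pem/node1-keystore.jks", STORE_PASSWORD, false)) {
            Path otherRootCaPem = FileHelper.getAbsoluteFilePathFromClassPath("sslConfigurator/pem/other-root-ca.pem");

            Settings settings = Settings.builder()
                    .put("prefix.pemtrustedcas_filepath", otherRootCaPem.getFileName().toString())
                    .put("prefix.enable_ssl", "true")
                    .put("path.home", otherRootCaPem.getParent().toString())
                    .build();

            try (CloseableHttpClient client = newClient(settings, otherRootCaPem.getParent())) {
                this.thrown.expect(SSLHandshakeException.class);
                try (CloseableHttpResponse response = client.execute(new HttpGet(testServer.getUri()))) {
                    Assert.fail("Connection should have failed due to wrong trust");
                }
            }
        }
    }

    /** With client auth required by the server, a PEM client cert/key pair trusted by it must be accepted. */
    @Test
    public void testPemClientAuth() throws Exception {
        try (TestServer testServer = new TestServer("sslConfigurator/pem/truststore.jks", "sslConfigurator/pem/node1-keystore.jks", STORE_PASSWORD, true)) {
            Path rootCaPem = FileHelper.getAbsoluteFilePathFromClassPath("sslConfigurator/pem/root-ca.pem");

            Settings settings = Settings.builder()
                    .put("prefix.pemtrustedcas_filepath", rootCaPem.getFileName().toString())
                    .put("prefix.enable_ssl", "true")
                    .put("path.home", rootCaPem.getParent().toString())
                    .put("prefix.enable_ssl_client_auth", "true")
                    .put("prefix.pemcert_filepath", "kirk.pem")
                    .put("prefix.pemkey_filepath", "kirk.key")
                    .put("prefix.pemkey_password", "secret")
                    .build();

            try (CloseableHttpClient client = newClient(settings, rootCaPem.getParent());
                    CloseableHttpResponse response = client.execute(new HttpGet(testServer.getUri()))) {
                // Success here means the server accepted the kirk client certificate.
            }
        }
    }

    /**
     * A client certificate the server does not trust must be rejected. Depending on when the
     * server tears the connection down, the client observes either a handshake failure or a
     * plain socket error, so all three exception types are accepted.
     */
    @Test
    public void testPemClientAuthFailure() throws Exception {
        try (TestServer testServer = new TestServer("sslConfigurator/pem/truststore.jks", "sslConfigurator/pem/node1-keystore.jks", STORE_PASSWORD, true)) {
            Path rootCaPem = FileHelper.getAbsoluteFilePathFromClassPath("sslConfigurator/pem/root-ca.pem");

            Settings settings = Settings.builder()
                    .put("prefix.pemtrustedcas_filepath", rootCaPem.getFileName().toString())
                    .put("prefix.enable_ssl", "true")
                    .put("path.home", rootCaPem.getParent().toString())
                    .put("prefix.enable_ssl_client_auth", "true")
                    .put("prefix.pemcert_filepath", "wrong-kirk.pem")
                    .put("prefix.pemkey_filepath", "wrong-kirk.key")
                    .put("prefix.pemkey_password", "G0CVtComen4a")
                    .build();

            try (CloseableHttpClient client = newClient(settings, rootCaPem.getParent())) {
                this.thrown.expect(CoreMatchers.either(CoreMatchers.instanceOf(SocketException.class)).or(CoreMatchers.instanceOf(SSLHandshakeException.class)).or(CoreMatchers.instanceOf(SSLException.class)));
                try (CloseableHttpResponse response = client.execute(new HttpGet(testServer.getUri()))) {
                    Assert.fail("Connection should have failed due to wrong client cert");
                }
            }
        }
    }

    /** With hostname verification on, a server certificate not issued for {@code localhost} must be rejected. */
    @Test
    public void testPemHostnameVerificationFailure() throws Exception {
        try (TestServer testServer = new TestServer("sslConfigurator/pem/truststore.jks", "sslConfigurator/pem/node-wrong-hostname-keystore.jks", STORE_PASSWORD, false)) {
            Path rootCaPem = FileHelper.getAbsoluteFilePathFromClassPath("sslConfigurator/pem/root-ca.pem");

            Settings settings = Settings.builder()
                    .put("prefix.pemtrustedcas_filepath", rootCaPem.getFileName().toString())
                    .put("prefix.enable_ssl", "true")
                    .put("prefix.verify_hostnames", "true")
                    .put("path.home", rootCaPem.getParent().toString())
                    .build();

            try (CloseableHttpClient client = newClient(settings, rootCaPem.getParent())) {
                this.thrown.expect(SSLPeerUnverifiedException.class);
                try (CloseableHttpResponse response = client.execute(new HttpGet(testServer.getUri()))) {
                    Assert.fail("Connection should have failed due to wrong hostname");
                }
            }
        }
    }

    /**
     * {@code verify_hostnames=false} is the explicit opt-out: the same mismatched server
     * certificate as in {@link #testPemHostnameVerificationFailure()} is then accepted, as long
     * as it still chains to the configured CA.
     */
    @Test
    public void testPemHostnameVerificationOff() throws Exception {
        try (TestServer testServer = new TestServer("sslConfigurator/pem/truststore.jks", "sslConfigurator/pem/node-wrong-hostname-keystore.jks", STORE_PASSWORD, false)) {
            Path rootCaPem = FileHelper.getAbsoluteFilePathFromClassPath("sslConfigurator/pem/root-ca.pem");

            Settings settings = Settings.builder()
                    .put("prefix.pemtrustedcas_filepath", rootCaPem.getFileName().toString())
                    .put("prefix.enable_ssl", "true")
                    .put("prefix.verify_hostnames", "false")
                    .put("path.home", rootCaPem.getParent().toString())
                    .build();

            try (CloseableHttpClient client = newClient(settings, rootCaPem.getParent());
                    CloseableHttpResponse response = client.execute(new HttpGet(testServer.getUri()))) {
                // Handshake succeeds despite the hostname mismatch because verification is disabled.
            }
        }
    }

    /**
     * Trust anchors taken from a JKS truststore. NOTE(review): the truststore is configured
     * under the {@code searchguard.ssl.transport.*} keys rather than under {@code prefix.};
     * presumably the configurator falls back to the transport settings — confirm against
     * {@link SettingsBasedSSLConfigurator}.
     */
    @Test
    public void testJksTrust() throws Exception {
        try (TestServer testServer = new TestServer("sslConfigurator/jks/truststore.jks", "sslConfigurator/jks/node1-keystore.jks", STORE_PASSWORD, false)) {
            Path trustStore = FileHelper.getAbsoluteFilePathFromClassPath("sslConfigurator/jks/truststore.jks");

            Settings settings = Settings.builder()
                    .put("searchguard.ssl.transport.truststore_filepath", trustStore.getFileName().toString())
                    .put("searchguard.ssl.transport.truststore_password", "secret")
                    .put("prefix.enable_ssl", "true")
                    .put("path.home", trustStore.getParent().toString())
                    .build();

            try (CloseableHttpClient client = newClient(settings, trustStore.getParent());
                    CloseableHttpResponse response = client.execute(new HttpGet(testServer.getUri()))) {
                // Success here means the JKS truststore contains the CA of the node1 certificate.
            }
        }
    }

    /** A JKS truststore without the server's CA must make the handshake fail. */
    @Test
    public void testJksWrongTrust() throws Exception {
        try (TestServer testServer = new TestServer("sslConfigurator/jks/truststore.jks", "sslConfigurator/jks/node1-keystore.jks", STORE_PASSWORD, false)) {
            Path otherTrustStore = FileHelper.getAbsoluteFilePathFromClassPath("sslConfigurator/jks/other-root-ca.jks");

            Settings settings = Settings.builder()
                    .put("searchguard.ssl.transport.truststore_filepath", otherTrustStore.getFileName().toString())
                    .put("searchguard.ssl.transport.truststore_password", "secret")
                    .put("prefix.enable_ssl", "true")
                    .put("path.home", otherTrustStore.getParent().toString())
                    .build();

            try (CloseableHttpClient client = newClient(settings, otherTrustStore.getParent())) {
                this.thrown.expect(SSLHandshakeException.class);
                try (CloseableHttpResponse response = client.execute(new HttpGet(testServer.getUri()))) {
                    Assert.fail("Connection should have failed due to wrong trust");
                }
            }
        }
    }

    /**
     * {@code trust_all=true} is the other explicit opt-out: no truststore is configured at all
     * (the {@code other-root-ca.jks} path only serves to locate {@code path.home}), yet the
     * connection succeeds because the client accepts any server certificate.
     */
    @Test
    public void testTrustAll() throws Exception {
        try (TestServer testServer = new TestServer("sslConfigurator/jks/truststore.jks", "sslConfigurator/jks/node1-keystore.jks", STORE_PASSWORD, false)) {
            Path anyResource = FileHelper.getAbsoluteFilePathFromClassPath("sslConfigurator/jks/other-root-ca.jks");

            Settings settings = Settings.builder()
                    .put("prefix.enable_ssl", "true")
                    .put("prefix.trust_all", "true")
                    .put("path.home", anyResource.getParent().toString())
                    .build();

            try (CloseableHttpClient client = newClient(settings, anyResource.getParent());
                    CloseableHttpResponse response = client.execute(new HttpGet(testServer.getUri()))) {
                // No trust anchor was configured; success proves trust_all bypasses chain validation.
            }
        }
    }
}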
