package com.floragunn.searchguard.ssl;

import com.floragunn.searchguard.DefaultObjectMapper;
import com.floragunn.searchguard.ssl.util.config.ClientAuthCredentials;
import com.floragunn.searchguard.ssl.util.config.GenericSSLConfig;
import com.floragunn.searchguard.ssl.util.config.TrustStore;
import com.floragunn.searchguard.test.DynamicSgConfig;
import com.floragunn.searchguard.test.SingleClusterTest;
import com.floragunn.searchguard.test.helper.cluster.ClusterConfiguration;
import com.floragunn.searchguard.test.helper.file.FileHelper;
import com.floragunn.searchguard.test.helper.rest.RestHelper;
import com.floragunn.searchguard.tools.SearchGuardAdmin;
import com.floragunn.searchsupport.json.BasicJsonReader;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import java.io.File;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLHandshakeException;
import org.apache.http.Header;
import org.elasticsearch.common.settings.Settings;
import org.junit.Assert;
import org.junit.Ignore;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.TemporaryFolder;

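/**
 * Integration tests for the Search Guard "reload certificates" actions.
 * <p>
 * Every test boots a cluster whose transport and HTTP layers both use a node
 * certificate/key that has been copied into a {@link TemporaryFolder}, so the
 * files can be swapped underneath the running node. The tests then trigger a
 * reload either through the REST actions
 * {@code /_searchguard/api/ssl/transport/reloadcerts} and
 * {@code /_searchguard/api/ssl/http/reloadcerts}, or through
 * {@code sgadmin -reload-http-certs -reload-transport-certs}, and read back the
 * certificates the node presents via {@code /_searchguard/sslinfo}.
 * <p>
 * Security properties pinned by this class:
 * <ul>
 *   <li>only a client certificate whose DN is listed in
 *       {@code searchguard.authcz.admin_dn} (kirk) may trigger a reload; a valid
 *       but non-admin client cert (spock) is answered with 401
 *       ({@link #testSSLReloadFail_UnAuthorizedUser()});</li>
 *   <li>the action is refused with 400 while
 *       {@code searchguard.ssl.cert_reload_enabled} is {@code false}
 *       ({@link #testSSLReloadFail_NoReloadSet()});</li>
 *   <li>reloading the transport certs leaves the HTTP certs untouched and vice
 *       versa (the unchanged list is asserted after each reload);</li>
 *   <li>a CA can be rotated without a restart by first trusting old+new CA,
 *       then rolling the leaf certificates, then dropping the old CA
 *       ({@link #testReloadCa()}).</li>
 * </ul>
 * Hostname verification is disabled everywhere (node settings,
 * {@code verifyHostnames(false)}, {@code -nhnv}) because the fixture
 * certificates are issued for {@code node-1.example.com}; this is a test-only
 * relaxation and must not be copied into production configuration.
 * <p>
 * NOTE(review): the class is {@code @Ignore}d. The expected {@code not_after}
 * values of the node fixtures are in February 2022, so the fixture leaf
 * certificates have presumably expired, which would make every handshake fail
 * regardless of the reload logic — confirm and regenerate the material under
 * {@code ssl/reload/} before re-enabling.
 */
@Ignore
/* loaded from: input_file:com/floragunn/searchguard/ssl/SSLReloadCertsActionTests.class */
public class SSLReloadCertsActionTests extends SingleClusterTest {
    private final String GET_CERT_DETAILS_ENDPOINT = "/_searchguard/sslinfo?show_server_certs=true";
    private final String GET_CERT_FULL_DETAILS_ENDPOINT = "/_searchguard/sslinfo?show_full_server_certs=true";
    private final String RELOAD_TRANSPORT_CERTS_ENDPOINT = "/_searchguard/api/ssl/transport/reloadcerts";
    private final String RELOAD_HTTP_CERTS_ENDPOINT = "/_searchguard/api/ssl/http/reloadcerts";

    /** Classpath locations of the fixture material under {@code ssl/reload/}. */
    private static final String ROOT_CA_PEM = "ssl/reload/root-ca.pem";
    private static final String NODE_CERT_PEM = "ssl/reload/node.crt.pem";
    private static final String NODE_KEY_PEM = "ssl/reload/node.key.pem";
    private static final String NEW_NODE_CERT_PEM = "ssl/reload/node-new.crt.pem";
    private static final String NEW_NODE_KEY_PEM = "ssl/reload/node-new.key.pem";
    private static final String ADMIN_CERT_PEM = "ssl/reload/kirk.crt.pem";
    private static final String ADMIN_KEY_PEM = "ssl/reload/kirk.key.pem";
    /** Keystore of kirk, whose DN is in {@code searchguard.authcz.admin_dn}: allowed to call the reload actions. */
    private static final String ADMIN_KEYSTORE = "ssl/reload/kirk-keystore.jks";
    /** Keystore of spock: a client certificate the cluster accepts for TLS but that is NOT an admin DN. */
    private static final String NON_ADMIN_KEYSTORE = "ssl/reload/spock-keystore.jks";
    /** Password of the fixture keystores; test-only material, never reuse outside this suite. */
    private static final String KEYSTORE_PASSWORD = "changeit";
    /** Material issued by the replacement CA that {@link #testReloadCa()} rotates to. */
    private static final String NEW_CA_ROOT_PEM = "ssl/reload/new-ca/root-ca.pem";
    private static final String NEW_CA_NODE_CERT_PEM = "ssl/reload/new-ca/node1.pem";
    private static final String NEW_CA_NODE_KEY_PEM = "ssl/reload/new-ca/node1.key";
    private static final String NEW_CA_ADMIN_CERT_PEM = "ssl/reload/new-ca/kirk.pem";
    private static final String NEW_CA_ADMIN_KEY_PEM = "ssl/reload/new-ca/kirk.key";

    /**
     * Number of nodes {@link #testReloadCa()} iterates over. Assumes
     * {@code ClusterConfiguration.DEFAULT} yields three nodes — TODO confirm.
     */
    private static final int NODE_COUNT = 3;

    /** DNs and SAN list as reported by {@code /_searchguard/sslinfo} for the fixture chain. */
    private static final String SIGNING_CA_DN = "CN=Example Com Inc. Signing CA,OU=Example Com Inc. Signing CA,O=Example Com Inc.,DC=example,DC=com";
    private static final String ROOT_CA_DN = "CN=Example Com Inc. Root CA,OU=Example Com Inc. Root CA,O=Example Com Inc.,DC=example,DC=com";
    private static final String NODE_DN = "CN=node-1.example.com,OU=SSL,O=Test,L=Test,C=DE";
    private static final String NODE_SAN = "[[2, node-1.example.com], [2, localhost], [7, 127.0.0.1], [8, 1.2.3.4.5.5]]";

    @Rule
    public TemporaryFolder testFolder = new TemporaryFolder();

    /** Expected leaf certificate (only) as returned with {@code show_server_certs=true}. */
    private final List<Map<String, String>> NODE_CERT_DETAILS = ImmutableList.of(
            certDetails(SIGNING_CA_DN, NODE_DN, NODE_SAN, "2020-02-17T16:19:25Z", "2022-02-16T16:19:25Z"));
    /** Expected full chain (leaf, signing CA, root CA) as returned with {@code show_full_server_certs=true}. */
    private final List<Map<String, String>> NODE_FULL_CERT_DETAILS = ImmutableList.of(
            NODE_CERT_DETAILS.get(0),
            certDetails(ROOT_CA_DN, SIGNING_CA_DN, "", "2020-02-17T16:19:16Z", "2030-02-16T16:19:16Z"),
            certDetails(ROOT_CA_DN, ROOT_CA_DN, "", "2020-02-17T16:19:16Z", "2030-02-16T16:19:16Z"));
    /** Expected leaf after swapping in {@code node-new.crt.pem}: same subject/issuer/SAN, later validity. */
    private final List<Map<String, String>> NEW_NODE_CERT_DETAILS = ImmutableList.of(
            certDetails(SIGNING_CA_DN, NODE_DN, NODE_SAN, "2020-02-18T14:11:28Z", "2022-02-17T14:11:28Z"));

    /**
     * Swapping the transport cert must change only {@code transport_certificates_list};
     * the HTTP list is asserted unchanged afterwards.
     */
    @Test
    public void testReloadTransportSSLCertsPass() throws Exception {
        NodeCertFiles files = createTempNodeCertFiles();
        installNodeCertAndKey(files, NODE_CERT_PEM, NODE_KEY_PEM);
        initTestCluster(files.certPath, files.keyPath, files.certPath, files.keyPath, true);
        RestHelper rh = clientCertRestHelper(ADMIN_KEYSTORE);

        String initialCerts = DefaultObjectMapper.writeValueAsString(NODE_CERT_DETAILS, false);
        String initialChain = DefaultObjectMapper.writeValueAsString(NODE_FULL_CERT_DETAILS, false);
        assertServerCerts(rh, GET_CERT_DETAILS_ENDPOINT, initialCerts, initialCerts);
        assertServerCerts(rh, GET_CERT_FULL_DETAILS_ENDPOINT, initialChain, initialChain);

        // Replace the files on disk; nothing changes until the reload action runs.
        installNodeCertAndKey(files, NEW_NODE_CERT_PEM, NEW_NODE_KEY_PEM);
        RestHelper.HttpResponse response = rh.executePostRequest(RELOAD_TRANSPORT_CERTS_ENDPOINT, null, new Header[0]);
        Assert.assertEquals(200L, response.getStatusCode());
        Assert.assertEquals(response.getBody(), ImmutableMap.of("message", "updated transport certs"), BasicJsonReader.read(response.getBody()));

        String newCerts = DefaultObjectMapper.writeValueAsString(NEW_NODE_CERT_DETAILS, false);
        assertServerCerts(rh, GET_CERT_DETAILS_ENDPOINT, newCerts, initialCerts);
    }

    /**
     * Swapping the HTTP cert must change only {@code http_certificates_list};
     * the transport list is asserted unchanged afterwards.
     */
    @Test
    public void testReloadHttpSSLCertsPass() throws Exception {
        NodeCertFiles files = createTempNodeCertFiles();
        installNodeCertAndKey(files, NODE_CERT_PEM, NODE_KEY_PEM);
        initTestCluster(files.certPath, files.keyPath, files.certPath, files.keyPath, true);
        RestHelper rh = clientCertRestHelper(ADMIN_KEYSTORE);

        String initialCerts = DefaultObjectMapper.writeValueAsString(NODE_CERT_DETAILS, false);
        assertServerCerts(rh, GET_CERT_DETAILS_ENDPOINT, initialCerts, initialCerts);

        installNodeCertAndKey(files, NEW_NODE_CERT_PEM, NEW_NODE_KEY_PEM);
        RestHelper.HttpResponse response = rh.executePostRequest(RELOAD_HTTP_CERTS_ENDPOINT, null, new Header[0]);
        Assert.assertEquals(200L, response.getStatusCode());
        Assert.assertEquals(response.getBody(), ImmutableMap.of("message", "updated http certs"), BasicJsonReader.read(response.getBody()));

        String newCerts = DefaultObjectMapper.writeValueAsString(NEW_NODE_CERT_DETAILS, false);
        assertServerCerts(rh, GET_CERT_DETAILS_ENDPOINT, initialCerts, newCerts);
    }

    /**
     * An unknown reload URI must not be routed to any handler. Only the error
     * body is asserted; the status code is not pinned here (presumably 400 from
     * the REST layer — confirm before adding an assertion). The request path is
     * given without a leading slash, the expected message shows it with one, so
     * the helper presumably normalises it — verify against {@link RestHelper}.
     */
    @Test
    public void testReloadHttpSSLCerts_FailWrongUri() throws Exception {
        NodeCertFiles files = createTempNodeCertFiles();
        installNodeCertAndKey(files, NODE_CERT_PEM, NODE_KEY_PEM);
        initTestCluster(files.certPath, files.keyPath, files.certPath, files.keyPath, true);
        RestHelper rh = clientCertRestHelper(ADMIN_KEYSTORE);

        RestHelper.HttpResponse response = rh.executePostRequest("_searchguard/_security/api/ssl/wrong/reloadcerts", null, new Header[0]);
        Assert.assertEquals(response.getBody(),
                ImmutableMap.of("error", "no handler found for uri [/_searchguard/_security/api/ssl/wrong/reloadcerts] and method [POST]"),
                BasicJsonReader.read(response.getBody()));
    }

    /**
     * Authorization check: spock's certificate is accepted at the TLS layer but
     * its DN is not in {@code searchguard.authcz.admin_dn}, so the reload action
     * must answer 401 rather than rotating the node's key material.
     */
    @Test
    public void testSSLReloadFail_UnAuthorizedUser() throws Exception {
        NodeCertFiles files = createTempNodeCertFiles();
        installNodeCertAndKey(files, NODE_CERT_PEM, NODE_KEY_PEM);
        initTestCluster(files.certPath, files.keyPath, files.certPath, files.keyPath, true);
        RestHelper rh = clientCertRestHelper(NON_ADMIN_KEYSTORE);

        RestHelper.HttpResponse response = rh.executePostRequest(RELOAD_TRANSPORT_CERTS_ENDPOINT, null, new Header[0]);
        Assert.assertEquals(401L, response.getStatusCode());
        Assert.assertEquals("Unauthorized", response.getStatusReason());
    }

    /**
     * Feature gate: with {@code searchguard.ssl.cert_reload_enabled=false} even
     * the admin certificate is refused with 400 and a plain-text explanation.
     */
    @Test
    public void testSSLReloadFail_NoReloadSet() throws Exception {
        NodeCertFiles files = createTempNodeCertFiles();
        installNodeCertAndKey(files, NODE_CERT_PEM, NODE_KEY_PEM);
        initTestCluster(files.certPath, files.keyPath, files.certPath, files.keyPath, false);
        RestHelper rh = clientCertRestHelper(ADMIN_KEYSTORE);

        RestHelper.HttpResponse response = rh.executePostRequest(RELOAD_TRANSPORT_CERTS_ENDPOINT, null, new Header[0]);
        Assert.assertEquals(400L, response.getStatusCode());
        Assert.assertEquals("SSL Reload action called while searchguard.ssl.cert_reload_enabled is set to false.", response.getBody());
    }

    /**
     * Same rotation driven through the sgadmin CLI. Only the exit code is
     * checked; unlike the REST tests this does not read {@code sslinfo} back,
     * so a reload that "succeeds" without changing the presented certificate
     * would not be caught here. {@code -nhnv} disables hostname verification
     * for the fixture certificates (test-only).
     */
    @Test
    public void testReloadWithSgAdmin() throws Exception {
        NodeCertFiles files = createTempNodeCertFiles();
        installNodeCertAndKey(files, NODE_CERT_PEM, NODE_KEY_PEM);
        initTestCluster(files.certPath, files.keyPath, files.certPath, files.keyPath, true);
        installNodeCertAndKey(files, NEW_NODE_CERT_PEM, NEW_NODE_KEY_PEM);

        List<String> args = ImmutableList.of(
                "-cacert", FileHelper.getAbsoluteFilePathFromClassPath(ROOT_CA_PEM).toFile().getAbsolutePath(),
                "-ks", FileHelper.getAbsoluteFilePathFromClassPath(ADMIN_KEYSTORE).toFile().getAbsolutePath(),
                "-kspass", KEYSTORE_PASSWORD,
                "-p", String.valueOf(clusterInfo.httpPort),
                "-cn", clusterInfo.clustername,
                "-reload-http-certs",
                "-reload-transport-certs",
                "-nhnv");
        Assert.assertEquals(0L, SearchGuardAdmin.execute(args.toArray(new String[0])));
    }

    /**
     * Zero-downtime CA rotation for the HTTP layer, step by step:
     * <ol>
     *   <li>append the new root CA to the trusted-CAs file and reload on every
     *       node — the old admin cert (signed by the old CA) still works;</li>
     *   <li>swap the node cert/key for ones issued by the new CA and reload —
     *       the client still trusts only the old CA, but the node's chain is
     *       accepted because the reload of step 1 made the node trust both;</li>
     *   <li>replace the trusted-CAs file with only the new CA. A client that
     *       trusts only the old CA can no longer verify the node cert
     *       (handshake failure). A client trusting the new CA but still
     *       presenting the old admin cert is accepted exactly once: the node
     *       still holds the old CA in memory until this very reload applies the
     *       new trust file, after which that admin cert is rejected;</li>
     *   <li>an admin cert issued by the new CA works again.</li>
     * </ol>
     * The lesson for operators: the reload that removes the old CA must itself be
     * authenticated with a cert the node trusts at that moment.
     */
    @Test
    public void testReloadCa() throws Exception {
        NodeCertFiles files = createTempNodeCertFiles();
        String trustedCasPath = testFolder.newFile("root-ca.pem").getAbsolutePath();
        installNodeCertAndKey(files, NODE_CERT_PEM, NODE_KEY_PEM);
        FileHelper.copyFileContents(FileHelper.getAbsoluteFilePathFromClassPath(ROOT_CA_PEM).toString(), trustedCasPath);
        initTestCluster(files.certPath, files.keyPath, files.certPath, files.keyPath, trustedCasPath, true);

        TrustStore oldCaTrust = TrustStore.from().certPem(FileHelper.getAbsoluteFilePathFromClassPath(ROOT_CA_PEM)).build();
        ClientAuthCredentials oldCaAdmin = ClientAuthCredentials.from()
                .certPem(FileHelper.getAbsoluteFilePathFromClassPath(ADMIN_CERT_PEM))
                .certKeyPem(FileHelper.getAbsoluteFilePathFromClassPath(ADMIN_KEY_PEM), (String) null)
                .build();
        GenericSSLConfig oldCaClient = new GenericSSLConfig.Builder()
                .useTrustStore(oldCaTrust).useClientAuth(oldCaAdmin).verifyHostnames(false).build();

        String initialCerts = DefaultObjectMapper.writeValueAsString(NODE_CERT_DETAILS, false);
        assertServerCerts(restHelper(0, oldCaClient), GET_CERT_DETAILS_ENDPOINT, initialCerts, initialCerts);

        // Step 1: trust old AND new CA, reload on every node.
        FileHelper.writeFile(trustedCasPath, FileHelper.loadFile(ROOT_CA_PEM) + "\n" + FileHelper.loadFile(NEW_CA_ROOT_PEM));
        for (int node = 0; node < NODE_COUNT; node++) {
            RestHelper rh = restHelper(node, oldCaClient);
            rh.enableHTTPClientSSL = true;
            rh.trustHTTPServerCertificate = true;
            rh.sendHTTPClientCertificate = true;
            rh.keystore = ADMIN_KEYSTORE;
            assertReloadSucceeds(rh, RELOAD_HTTP_CERTS_ENDPOINT);
        }

        // Step 2: node cert/key now issued by the new CA.
        installNodeCertAndKey(files, NEW_CA_NODE_CERT_PEM, NEW_CA_NODE_KEY_PEM);
        for (int node = 0; node < NODE_COUNT; node++) {
            assertReloadSucceeds(restHelper(node, oldCaClient), RELOAD_HTTP_CERTS_ENDPOINT);
        }

        // Step 3: only the new CA remains on disk. A client that trusts only the
        // old CA cannot verify the node's new-CA chain any more.
        FileHelper.copyFileContents(FileHelper.getAbsoluteFilePathFromClassPath(NEW_CA_ROOT_PEM).toString(), trustedCasPath);
        for (int node = 0; node < NODE_COUNT; node++) {
            try {
                RestHelper.HttpResponse unexpected = restHelper(node, oldCaClient).executePostRequest(RELOAD_HTTP_CERTS_ENDPOINT, null, new Header[0]);
                Assert.fail("REST request was successful even though node uses new certificate which is not known by local HTTP client: " + unexpected);
            } catch (SSLHandshakeException ignored) {
                // expected: client-side verification of the server chain fails
            }
        }

        // Trusting the new CA while still presenting the old admin cert works
        // exactly once per node: the node only drops the old CA when this reload
        // applies the trust file written above.
        TrustStore newCaTrust = TrustStore.from().certPem(FileHelper.getAbsoluteFilePathFromClassPath(NEW_CA_ROOT_PEM)).build();
        GenericSSLConfig newTrustOldAdmin = new GenericSSLConfig.Builder()
                .useTrustStore(newCaTrust).useClientAuth(oldCaAdmin).verifyHostnames(false).build();
        for (int node = 0; node < NODE_COUNT; node++) {
            assertReloadSucceeds(restHelper(node, newTrustOldAdmin), RELOAD_HTTP_CERTS_ENDPOINT);
        }
        for (int node = 0; node < NODE_COUNT; node++) {
            try {
                RestHelper.HttpResponse unexpected = restHelper(node, newTrustOldAdmin).executePostRequest(RELOAD_HTTP_CERTS_ENDPOINT, null, new Header[0]);
                Assert.fail("REST request was successful even though node does not know the old CA anymore. The client however used an admin cert signed with the old CA: " + unexpected);
            } catch (SSLException ignored) {
                // expected. The broader SSLException (not SSLHandshakeException) is
                // deliberate: a server-side client-cert rejection may surface only
                // after the client considers the handshake complete — presumably a
                // TLS 1.3 artefact, confirm if this ever flakes.
            }
        }

        // Step 4: an admin cert issued by the new CA is accepted again.
        ClientAuthCredentials newCaAdmin = ClientAuthCredentials.from()
                .certPem(FileHelper.getAbsoluteFilePathFromClassPath(NEW_CA_ADMIN_CERT_PEM))
                .certKeyPem(FileHelper.getAbsoluteFilePathFromClassPath(NEW_CA_ADMIN_KEY_PEM), (String) null)
                .build();
        GenericSSLConfig newCaClient = new GenericSSLConfig.Builder()
                .useTrustStore(newCaTrust).useClientAuth(newCaAdmin).verifyHostnames(false).build();
        for (int node = 0; node < NODE_COUNT; node++) {
            assertReloadSucceeds(restHelper(node, newCaClient), RELOAD_HTTP_CERTS_ENDPOINT);
        }
    }

    /** One entry of the {@code *_certificates_list} arrays, keys in the order the node emits them. */
    private static Map<String, String> certDetails(String issuerDn, String subjectDn, String san, String notBefore, String notAfter) {
        return ImmutableMap.of("issuer_dn", issuerDn, "subject_dn", subjectDn, "san", san, "not_before", notBefore, "not_after", notAfter);
    }

    /**
     * Paths of the node certificate and private key the cluster reads from
     * disk. Both live in {@link #testFolder} so they can be overwritten while
     * the node runs. Note the private key is copied with default temp-file
     * permissions — acceptable for a test fixture only.
     */
    private static final class NodeCertFiles {
        final String certPath;
        final String keyPath;

        NodeCertFiles(String certPath, String keyPath) {
            this.certPath = certPath;
            this.keyPath = keyPath;
        }
    }

    /** Creates the (empty) temp cert and key files; contents are installed separately. */
    private NodeCertFiles createTempNodeCertFiles() throws Exception {
        return new NodeCertFiles(
                testFolder.newFile("node-temp-cert.pem").getAbsolutePath(),
                testFolder.newFile("node-temp-key.pem").getAbsolutePath());
    }

    /**
     * Overwrites the temp cert and key with the given classpath resources.
     * Used for the initial install and for every swap before a reload.
     */
    private static void installNodeCertAndKey(NodeCertFiles files, String certResource, String keyResource) throws Exception {
        FileHelper.copyFileContents(FileHelper.getAbsoluteFilePathFromClassPath(certResource).toString(), files.certPath);
        FileHelper.copyFileContents(FileHelper.getAbsoluteFilePathFromClassPath(keyResource).toString(), files.keyPath);
    }

    /**
     * HTTPS client that authenticates with the client certificate from
     * {@code keystore}. {@code trustHTTPServerCertificate} is the test-only
     * "trust whatever the node presents" switch.
     */
    private RestHelper clientCertRestHelper(String keystore) {
        RestHelper rh = restHelper();
        rh.enableHTTPClientSSL = true;
        rh.trustHTTPServerCertificate = true;
        rh.sendHTTPClientCertificate = true;
        rh.keystore = keystore;
        return rh;
    }

    /** Reads {@code endpoint} and compares both certificate lists to the expected JSON. */
    private static void assertServerCerts(RestHelper rh, String endpoint, String expectedTransport, String expectedHttp) throws Exception {
        String body = rh.executeSimpleRequest(endpoint);
        Assert.assertEquals(expectedTransport, DefaultObjectMapper.readTree(body).get("transport_certificates_list").toString());
        Assert.assertEquals(expectedHttp, DefaultObjectMapper.readTree(body).get("http_certificates_list").toString());
    }

    /** POSTs a reload and requires 200; the response body is the failure message. */
    private static void assertReloadSucceeds(RestHelper rh, String endpoint) throws Exception {
        RestHelper.HttpResponse response = rh.executePostRequest(endpoint, null, new Header[0]);
        Assert.assertEquals(response.getBody(), 200L, response.getStatusCode());
    }

    /** Boots the cluster with the fixture root CA as the only trusted CA. */
    private void initTestCluster(String transportCert, String transportKey, String httpCert, String httpKey, boolean certReloadEnabled) throws Exception {
        initTestCluster(transportCert, transportKey, httpCert, httpKey,
                FileHelper.getAbsoluteFilePathFromClassPath(ROOT_CA_PEM).toString(), certReloadEnabled);
    }

    /**
     * Boots the cluster. The first {@link Settings} presumably configures the
     * test framework's own transport client (it uses kirk's cert) — confirm
     * against {@code SingleClusterTest#setup}. The second is the node config:
     * TLS on both layers, hostname verification and resolution off (test-only),
     * kirk as the sole admin DN, node-1 as the sole node DN, and the reload
     * feature gate set from {@code certReloadEnabled}.
     */
    private void initTestCluster(String transportCert, String transportKey, String httpCert, String httpKey, String trustedCasPath, boolean certReloadEnabled) throws Exception {
        Settings clientSettings = Settings.builder()
                .put("searchguard.ssl.transport.pemtrustedcas_filepath", trustedCasPath)
                .put("searchguard.ssl.transport.enforce_hostname_verification", false)
                .put("searchguard.ssl.transport.pemcert_filepath", FileHelper.getAbsoluteFilePathFromClassPath(ADMIN_CERT_PEM))
                .put("searchguard.ssl.transport.pemkey_filepath", FileHelper.getAbsoluteFilePathFromClassPath(ADMIN_KEY_PEM))
                .build();
        Settings nodeSettings = Settings.builder()
                .putList("searchguard.authcz.admin_dn", new String[]{"CN=kirk,OU=client,O=client,L=Test,C=DE"})
                .putList("searchguard.nodes_dn", new String[]{"C=DE,L=Test,O=Test,OU=SSL,CN=node-1.example.com"})
                .put("searchguard.ssl.transport.enabled", true)
                .put("searchguard.ssl.http.enabled", true)
                .put("searchguard.ssl.transport.enforce_hostname_verification", false)
                .put("searchguard.ssl.transport.resolve_hostname", false)
                .put("searchguard.ssl.transport.pemcert_filepath", transportCert)
                .put("searchguard.ssl.transport.pemkey_filepath", transportKey)
                .put("searchguard.ssl.transport.pemtrustedcas_filepath", trustedCasPath)
                .put("searchguard.ssl.http.pemcert_filepath", httpCert)
                .put("searchguard.ssl.http.pemkey_filepath", httpKey)
                .put("searchguard.ssl.http.pemtrustedcas_filepath", trustedCasPath)
                .put("searchguard.ssl.cert_reload_enabled", certReloadEnabled)
                .build();
        setup(clientSettings, new DynamicSgConfig(), nodeSettings, true, ClusterConfiguration.DEFAULT);
    }
}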
