package com.floragunn.searchguard.ssl;

import com.floragunn.searchguard.DefaultObjectMapper;
import com.floragunn.searchguard.test.DynamicSgConfig;
import com.floragunn.searchguard.test.SingleClusterTest;
import com.floragunn.searchguard.test.helper.cluster.ClusterConfiguration;
import com.floragunn.searchguard.test.helper.file.FileHelper;
import com.floragunn.searchguard.test.helper.rest.RestHelper;
import com.floragunn.searchguard.tools.SearchGuardAdmin;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import java.io.File;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import net.minidev.json.JSONObject;
import org.apache.http.Header;
import org.elasticsearch.common.settings.Settings;
import org.junit.Assert;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.TemporaryFolder;

/* loaded from: input_file:com/floragunn/searchguard/ssl/SSLReloadCertsActionTests.class */
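/**
 * Integration tests for the Search Guard TLS certificate hot-reload endpoints.
 *
 * <p>Each test starts a single-node cluster whose transport and HTTP layers read their PEM
 * certificate and key from files in a JUnit {@link TemporaryFolder}. The tests then overwrite
 * those files and call the reload endpoints to check the controls around certificate rotation:
 *
 * <ul>
 *   <li>a reload only swaps the layer that was addressed (transport or HTTP);</li>
 *   <li>a caller whose client certificate is not accepted as admin gets {@code 401};</li>
 *   <li>replacement certificates with a different issuer DN, subject DN or SAN are refused;</li>
 *   <li>re-submitting the certificate that is already loaded is refused with the
 *       "should not expire before the current ones" error;</li>
 *   <li>the endpoint answers {@code 400} when {@code searchguard.ssl.cert_reload_enabled}
 *       is {@code false}.</li>
 * </ul>
 *
 * <p>Hostname verification is switched off and a fixture keystore password is used throughout;
 * both are only appropriate because every certificate here is a checked-in test fixture.
 */
public class SSLReloadCertsActionTests extends SingleClusterTest {
    private static final String GET_CERT_DETAILS_ENDPOINT = "/_searchguard/sslinfo?show_server_certs=true";
    private static final String RELOAD_TRANSPORT_CERTS_ENDPOINT = "/_searchguard/api/ssl/transport/reloadcerts";
    private static final String RELOAD_HTTP_CERTS_ENDPOINT = "/_searchguard/api/ssl/http/reloadcerts";

    // Client keystore whose certificate DN (CN=kirk,...) is the only entry in
    // searchguard.authcz.admin_dn configured by initTestCluster.
    private static final String KIRK_KEYSTORE = "ssl/reload/kirk-keystore.jks";
    // Presumably holds a client certificate with a DN that is NOT in admin_dn; the test that
    // uses it expects 401. Verify against the fixture if the DN list ever changes.
    private static final String SPOCK_KEYSTORE = "ssl/reload/spock-keystore.jks";

    private static final String ROOT_CA = "ssl/reload/root-ca.pem";

    @Rule
    public TemporaryFolder testFolder = new TemporaryFolder();

    // Details reported by the sslinfo endpoint for the certificate the cluster starts with.
    private static final List<Map<String, String>> NODE_CERT_DETAILS = ImmutableList.of(ImmutableMap.of(
            "issuer_dn", "CN=Example Com Inc. Signing CA,OU=Example Com Inc. Signing CA,O=Example Com Inc.,DC=example,DC=com",
            "subject_dn", "CN=node-1.example.com,OU=SSL,O=Test,L=Test,C=DE",
            "san", "[[2, node-1.example.com], [2, localhost], [7, 127.0.0.1], [8, 1.2.3.4.5.5]]",
            "not_before", "2020-02-17T16:19:25Z",
            "not_after", "2022-02-16T16:19:25Z"));

    // Same issuer, subject and SAN as NODE_CERT_DETAILS; only the validity window is later.
    private static final List<Map<String, String>> NEW_NODE_CERT_DETAILS = ImmutableList.of(ImmutableMap.of(
            "issuer_dn", "CN=Example Com Inc. Signing CA,OU=Example Com Inc. Signing CA,O=Example Com Inc.,DC=example,DC=com",
            "subject_dn", "CN=node-1.example.com,OU=SSL,O=Test,L=Test,C=DE",
            "san", "[[2, node-1.example.com], [2, localhost], [7, 127.0.0.1], [8, 1.2.3.4.5.5]]",
            "not_before", "2020-02-18T14:11:28Z",
            "not_after", "2022-02-17T14:11:28Z"));

    /**
     * Reloading the transport layer picks up the renewed certificate and leaves the HTTP
     * layer on the original one.
     */
    @Test
    public void testReloadTransportSSLCertsPass() throws Exception {
        String certPath = this.testFolder.newFile("node-temp-cert.pem").getAbsolutePath();
        String keyPath = this.testFolder.newFile("node-temp-key.pem").getAbsolutePath();
        installKeyPair("node", certPath, keyPath);
        initTestCluster(certPath, keyPath, certPath, keyPath, true);
        RestHelper rh = clientWithKeystore(KIRK_KEYSTORE);

        assertCertDetails(rh, NODE_CERT_DETAILS, NODE_CERT_DETAILS);

        installKeyPair("node-new", certPath, keyPath);
        RestHelper.HttpResponse reloadResponse = postReload(rh, RELOAD_TRANSPORT_CERTS_ENDPOINT);
        Assert.assertEquals(200, reloadResponse.getStatusCode());
        Assert.assertEquals(jsonBody("message", "updated transport certs"), reloadResponse.getBody());

        // Both layers read the same files, so an unchanged HTTP list shows the reload is scoped.
        assertCertDetails(rh, NEW_NODE_CERT_DETAILS, NODE_CERT_DETAILS);
    }

    /**
     * Reloading the HTTP layer picks up the renewed certificate and leaves the transport
     * layer on the original one.
     */
    @Test
    public void testReloadHttpSSLCertsPass() throws Exception {
        String certPath = this.testFolder.newFile("node-temp-cert.pem").getAbsolutePath();
        String keyPath = this.testFolder.newFile("node-temp-key.pem").getAbsolutePath();
        installKeyPair("node", certPath, keyPath);
        initTestCluster(certPath, keyPath, certPath, keyPath, true);
        RestHelper rh = clientWithKeystore(KIRK_KEYSTORE);

        assertCertDetails(rh, NODE_CERT_DETAILS, NODE_CERT_DETAILS);

        installKeyPair("node-new", certPath, keyPath);
        RestHelper.HttpResponse reloadResponse = postReload(rh, RELOAD_HTTP_CERTS_ENDPOINT);
        Assert.assertEquals(200, reloadResponse.getStatusCode());
        Assert.assertEquals(jsonBody("message", "updated http certs"), reloadResponse.getBody());

        assertCertDetails(rh, NODE_CERT_DETAILS, NEW_NODE_CERT_DETAILS);
    }

    /**
     * A POST to a reload path that names no known layer is answered with the
     * "no handler found" error body.
     */
    @Test
    public void testReloadHttpSSLCerts_FailWrongUri() throws Exception {
        String certPath = this.testFolder.newFile("node-temp-cert.pem").getAbsolutePath();
        String keyPath = this.testFolder.newFile("node-temp-key.pem").getAbsolutePath();
        installKeyPair("node", certPath, keyPath);
        initTestCluster(certPath, keyPath, certPath, keyPath, true);
        RestHelper rh = clientWithKeystore(KIRK_KEYSTORE);

        // The request path has no leading slash while the expected message does; kept as in
        // the original test. NOTE(review): only the body is checked, not the status code.
        RestHelper.HttpResponse response = postReload(rh, "_searchguard/_security/api/ssl/wrong/reloadcerts");
        JSONObject expected = new JSONObject();
        expected.put("error", "no handler found for uri [/_searchguard/_security/api/ssl/wrong/reloadcerts] and method [POST]");
        // Backslashes are stripped from the serialized expectation before comparing
        // (the serializer escapes characters in the URI that the server body does not).
        Assert.assertEquals(expected.toString().replace("\\", ""), response.getBody());
    }

    /**
     * A caller presenting the spock client certificate instead of the configured admin
     * certificate must not be able to trigger a reload.
     */
    @Test
    public void testSSLReloadFail_UnAuthorizedUser() throws Exception {
        String certPath = this.testFolder.newFile("node-temp-cert.pem").getAbsolutePath();
        String keyPath = this.testFolder.newFile("node-temp-key.pem").getAbsolutePath();
        installKeyPair("node", certPath, keyPath);
        initTestCluster(certPath, keyPath, certPath, keyPath, true);
        RestHelper rh = clientWithKeystore(SPOCK_KEYSTORE);

        RestHelper.HttpResponse response = postReload(rh, RELOAD_TRANSPORT_CERTS_ENDPOINT);
        Assert.assertEquals(401, response.getStatusCode());
        Assert.assertEquals("Unauthorized", response.getStatusReason());
    }

    /**
     * The reload is refused when the replacement certificate changes identity (issuer DN,
     * subject DN or SAN), and again when the files hold the certificate that is already
     * loaded, which the server reports as an expiry-date violation.
     */
    @Test
    public void testSSLReloadFail_InvalidDNAndDate() throws Exception {
        String certPath = this.testFolder.newFile("node-temp-cert.pem").getAbsolutePath();
        String keyPath = this.testFolder.newFile("node-temp-key.pem").getAbsolutePath();
        installKeyPair("node", certPath, keyPath);
        initTestCluster(certPath, keyPath, certPath, keyPath, true);
        RestHelper rh = clientWithKeystore(KIRK_KEYSTORE);

        // Case 1: certificate with a different identity.
        installKeyPair("node-wrong", certPath, keyPath);
        RestHelper.HttpResponse wrongIdentityResponse = postReload(rh, RELOAD_TRANSPORT_CERTS_ENDPOINT);
        Assert.assertEquals(500, wrongIdentityResponse.getStatusCode());
        Assert.assertEquals(
                jsonBody("error", "ElasticsearchSecurityException[Error while initializing transport SSL layer from PEM: java.lang.Exception: New Certs do not have valid Issuer DN, Subject DN or SAN.]; nested: Exception[New Certs do not have valid Issuer DN, Subject DN or SAN.];"),
                wrongIdentityResponse.getBody());

        // Case 2: the original files again. The failed reload above left the original
        // certificate in place, so this submits a certificate identical to the current one.
        installKeyPair("node", certPath, keyPath);
        RestHelper.HttpResponse sameCertResponse = postReload(rh, RELOAD_TRANSPORT_CERTS_ENDPOINT);
        Assert.assertEquals(500, sameCertResponse.getStatusCode());
        Assert.assertEquals(
                jsonBody("error", "ElasticsearchSecurityException[Error while initializing transport SSL layer from PEM: java.lang.Exception: New certificates should not expire before the current ones.]; nested: Exception[New certificates should not expire before the current ones.];"),
                sameCertResponse.getBody());
    }

    /**
     * With {@code searchguard.ssl.cert_reload_enabled=false} the endpoint rejects the call
     * even for the admin certificate.
     */
    @Test
    public void testSSLReloadFail_NoReloadSet() throws Exception {
        String certPath = this.testFolder.newFile("node-temp-cert.pem").getAbsolutePath();
        String keyPath = this.testFolder.newFile("node-temp-key.pem").getAbsolutePath();
        installKeyPair("node", certPath, keyPath);
        initTestCluster(certPath, keyPath, certPath, keyPath, false);
        RestHelper rh = clientWithKeystore(KIRK_KEYSTORE);

        RestHelper.HttpResponse response = postReload(rh, RELOAD_TRANSPORT_CERTS_ENDPOINT);
        Assert.assertEquals(400, response.getStatusCode());
        Assert.assertEquals("SSL Reload action called while searchguard.ssl.cert_reload_enabled is set to false.", response.getBody());
    }

    /**
     * Triggers both reloads through the sgadmin command line and expects exit code 0.
     *
     * <p>NOTE(review): only the exit code is asserted; the test does not query sslinfo
     * afterwards to confirm that the renewed certificate is actually being served.
     */
    @Test
    public void testReloadWithSgAdmin() throws Exception {
        String certPath = this.testFolder.newFile("node-temp-cert.pem").getAbsolutePath();
        String keyPath = this.testFolder.newFile("node-temp-key.pem").getAbsolutePath();
        installKeyPair("node", certPath, keyPath);
        initTestCluster(certPath, keyPath, certPath, keyPath, true);
        installKeyPair("node-new", certPath, keyPath);

        String[] sgAdminArgs = {
            "-cacert", FileHelper.getAbsoluteFilePathFromClassPath(ROOT_CA).toFile().getAbsolutePath(),
            "-ks", FileHelper.getAbsoluteFilePathFromClassPath(KIRK_KEYSTORE).toFile().getAbsolutePath(),
            // Password of the checked-in fixture keystore, not a real secret.
            "-kspass", "changeit",
            "-p", String.valueOf(this.clusterInfo.httpPort),
            "-cn", this.clusterInfo.clustername,
            "-reload-http-certs",
            "-reload-transport-certs",
            // Disables hostname verification; tolerable only against this local fixture cluster.
            "-nhnv"
        };
        Assert.assertEquals(0, SearchGuardAdmin.execute(sgAdminArgs));
    }

    /** Copies one classpath fixture over the file at {@code targetPath}. */
    private static void copyFixture(String classpathResource, String targetPath) throws Exception {
        FileHelper.copyFileContents(FileHelper.getAbsoluteFilePathFromClassPath(classpathResource).toString(), targetPath);
    }

    /**
     * Overwrites the node's certificate and key files with the fixture pair
     * {@code ssl/reload/<baseName>.crt.pem} and {@code ssl/reload/<baseName>.key.pem}.
     */
    private static void installKeyPair(String baseName, String certPath, String keyPath) throws Exception {
        copyFixture("ssl/reload/" + baseName + ".crt.pem", certPath);
        copyFixture("ssl/reload/" + baseName + ".key.pem", keyPath);
    }

    /** Returns a REST client that talks TLS and presents the client certificate from {@code keystore}. */
    private RestHelper clientWithKeystore(String keystore) throws Exception {
        RestHelper rh = restHelper();
        rh.enableHTTPClientSSL = true;
        rh.trustHTTPServerCertificate = true;
        rh.sendHTTPClientCertificate = true;
        rh.keystore = keystore;
        return rh;
    }

    /** Sends an empty-bodied POST without extra headers to {@code endpoint}. */
    private static RestHelper.HttpResponse postReload(RestHelper rh, String endpoint) throws Exception {
        return rh.executePostRequest(endpoint, null, new Header[0]);
    }

    /** Serializes a single-field JSON object, as the reload endpoints return it. */
    private static String jsonBody(String field, String value) {
        JSONObject body = new JSONObject();
        body.appendField(field, value);
        return body.toString();
    }

    /**
     * Fetches the sslinfo document once and compares the certificate lists of both layers
     * with the expected details.
     */
    private static void assertCertDetails(RestHelper rh, List<Map<String, String>> expectedTransport,
            List<Map<String, String>> expectedHttp) throws Exception {
        String sslInfo = rh.executeSimpleRequest(GET_CERT_DETAILS_ENDPOINT);
        Assert.assertEquals(
                DefaultObjectMapper.writeValueAsString(expectedTransport, false),
                DefaultObjectMapper.readTree(sslInfo).get("transport_certificates_list").toString());
        Assert.assertEquals(
                DefaultObjectMapper.writeValueAsString(expectedHttp, false),
                DefaultObjectMapper.readTree(sslInfo).get("http_certificates_list").toString());
    }

    /**
     * Starts the test cluster with PEM-based TLS on both layers.
     *
     * @param transportCertPath PEM certificate file for the transport layer
     * @param transportKeyPath PEM key file for the transport layer
     * @param httpCertPath PEM certificate file for the HTTP layer
     * @param httpKeyPath PEM key file for the HTTP layer
     * @param reloadEnabled value for {@code searchguard.ssl.cert_reload_enabled}
     */
    private void initTestCluster(String transportCertPath, String transportKeyPath, String httpCertPath,
            String httpKeyPath, boolean reloadEnabled) throws Exception {
        // Keystore/truststore-based settings passed as the first argument of setup().
        // NOTE(review): the role of each setup() argument is defined in SingleClusterTest - confirm there.
        Settings keystoreSettings = Settings.builder()
                .put("searchguard.ssl.transport.truststore_filepath", FileHelper.getAbsoluteFilePathFromClassPath("ssl/reload/truststore.jks"))
                .put("searchguard.ssl.transport.enforce_hostname_verification", false)
                .put("searchguard.ssl.transport.keystore_filepath", FileHelper.getAbsoluteFilePathFromClassPath(KIRK_KEYSTORE))
                .build();

        Settings nodeSettings = Settings.builder()
                // Only this DN is accepted as admin, so only kirk's certificate may call the reload API.
                .putList("searchguard.authcz.admin_dn", "CN=kirk,OU=client,O=client,L=Test,C=DE")
                .putList("searchguard.nodes_dn", "C=DE,L=Test,O=Test,OU=SSL,CN=node-1.example.com")
                .put("searchguard.ssl.transport.enabled", true)
                .put("searchguard.ssl.http.enabled", true)
                // Test-only relaxation: fixture certificates are used on a local cluster.
                .put("searchguard.ssl.transport.enforce_hostname_verification", false)
                .put("searchguard.ssl.transport.resolve_hostname", false)
                .put("searchguard.ssl.transport.pemcert_filepath", transportCertPath)
                .put("searchguard.ssl.transport.pemkey_filepath", transportKeyPath)
                .put("searchguard.ssl.transport.pemtrustedcas_filepath", FileHelper.getAbsoluteFilePathFromClassPath(ROOT_CA))
                .put("searchguard.ssl.http.pemcert_filepath", httpCertPath)
                .put("searchguard.ssl.http.pemkey_filepath", httpKeyPath)
                .put("searchguard.ssl.http.pemtrustedcas_filepath", FileHelper.getAbsoluteFilePathFromClassPath(ROOT_CA))
                .put("searchguard.ssl.cert_reload_enabled", reloadEnabled)
                .build();

        setup(keystoreSettings, new DynamicSgConfig(), nodeSettings, true, ClusterConfiguration.DEFAULT);
    }
}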
