package com.floragunn.searchguard.ssl;

import com.floragunn.searchguard.ssl.AbstractUnitTest;
import com.floragunn.searchguard.ssl.util.ExceptionUtils;
import com.floragunn.searchguard.ssl.util.SSLConfigConstants;
import java.net.InetSocketAddress;
import java.net.SocketException;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;
import org.apache.http.NoHttpResponseException;
import org.apache.lucene.util.Constants;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.admin.cluster.health.ClusterHealthRequest;
import org.elasticsearch.action.admin.cluster.health.ClusterHealthResponse;
import org.elasticsearch.action.admin.cluster.node.info.NodesInfoRequest;
import org.elasticsearch.action.admin.cluster.node.info.NodesInfoResponse;
import org.elasticsearch.action.index.IndexRequest;
import org.elasticsearch.action.index.IndexResponse;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.action.search.SearchResponse;
import org.elasticsearch.action.support.WriteRequest;
import org.elasticsearch.client.transport.NoNodeAvailableException;
import org.elasticsearch.common.settings.Settings;
import org.elasticsearch.common.transport.TransportAddress;
import org.elasticsearch.common.unit.TimeValue;
import org.elasticsearch.common.xcontent.XContentType;
import org.elasticsearch.node.Node;
import org.elasticsearch.node.PluginAwareNode;
import org.elasticsearch.transport.Netty4Plugin;
import org.junit.Assert;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.ExpectedException;

/* loaded from: input_file:com/floragunn/searchguard/ssl/SSLTest.class */
public class SSLTest extends AbstractUnitTest {

    // JUnit rule for the tests below that expect a specific exception type to escape the test method.
    @Rule
    public final ExpectedException thrown = ExpectedException.none();
    // Passed to both "enable_openssl_if_available" settings by the tests below; false selects
    // the non-OpenSSL expectations in the tests that branch on it.
    // NOTE(review): protected and non-final, presumably flipped by an OpenSSL subclass; confirm.
    protected boolean allowOpenSSL = false;

    /**
     * Starts the cluster with TLS on the REST layer only (transport TLS off) and client
     * certificates required, then inspects the {@code _searchguard/sslinfo} and
     * {@code _nodes/settings} responses.
     *
     * <p>Security-relevant expectations pinned here:
     * <ul>
     *   <li>{@code local_certificates_list} is present only when {@code show_dn=true} is requested;</li>
     *   <li>{@code _nodes/settings} contains neither a {@code "searchguard"} section nor
     *       {@code keystore_filepath}, so the key-material location is not returned by that API.</li>
     * </ul>
     *
     * <p>NOTE(review): the allow-list still includes TLSv1.1 (deprecated by RFC 8996) and a CBC
     * suite; that is a fixture choice of this test, not a recommended production profile.
     */
    @Test
    public void testHttps() throws Exception {
        // HTTP test client: speak TLS, trust the server certificate, present a client certificate.
        this.keystore = "node-untspec5-keystore.p12";
        this.sendHTTPClientCertificate = true;
        this.trustHTTPServerCertificate = true;
        this.enableHTTPClientSSL = true;

        final Settings nodeSettings = Settings.builder()
                .put("searchguard.ssl.transport.enabled", false)
                .put("searchguard.ssl.http.enabled", true)
                .put("searchguard.ssl.http.enable_openssl_if_available", this.allowOpenSSL)
                .put("searchguard.ssl.transport.enable_openssl_if_available", this.allowOpenSSL)
                .put("searchguard.ssl.http.clientauth_mode", "REQUIRE")
                .putList("searchguard.ssl.http.enabled_protocols", new String[]{"TLSv1.1", "TLSv1.2"})
                .putList("searchguard.ssl.http.enabled_ciphers", new String[]{"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"})
                .putList("searchguard.ssl.transport.enabled_protocols", new String[]{"TLSv1.1", "TLSv1.2"})
                .putList("searchguard.ssl.transport.enabled_ciphers", new String[]{"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"})
                .put("searchguard.ssl.http.keystore_filepath", getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
                .put("searchguard.ssl.http.truststore_filepath", getAbsoluteFilePathFromClassPath("truststore.jks"))
                .build();
        startES(nodeSettings);

        final String sslInfoWithDn = "_searchguard/sslinfo?pretty&show_dn=true";
        final String nodesSettings = "_nodes/settings?pretty";

        System.out.println(executeSimpleRequest(sslInfoWithDn));
        // Presumably the subject of the client certificate from node-untspec5-keystore.p12 (verify against the fixture).
        Assert.assertTrue(executeSimpleRequest(sslInfoWithDn).contains("EMAILADDRESS=unt@tst.com"));

        // The certificate list is opt-in: only show_dn=true may return it.
        Assert.assertTrue(executeSimpleRequest(sslInfoWithDn).contains("local_certificates_list"));
        Assert.assertFalse(executeSimpleRequest("_searchguard/sslinfo?pretty&show_dn=false").contains("local_certificates_list"));
        Assert.assertFalse(executeSimpleRequest("_searchguard/sslinfo?pretty").contains("local_certificates_list"));

        // The settings API must show the cluster name but none of the TLS plugin settings.
        Assert.assertTrue(executeSimpleRequest(nodesSettings).contains("searchguard_ssl_testcluster"));
        Assert.assertFalse(executeSimpleRequest(nodesSettings).contains("\"searchguard\""));
        Assert.assertFalse(executeSimpleRequest(nodesSettings).contains("keystore_filepath"));
    }

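    /**
     * Checks that explicitly configured protocol and cipher allow-lists are what the HTTP,
     * server-transport and client-transport SSL engines report as enabled.
     *
     * <p>The test deliberately requests SSLv3 with an export-grade RC4 suite, so it first clears the
     * JVM-wide {@code jdk.tls.disabledAlgorithms} security property. That property is global to the
     * JVM, so its previous value is captured and written back in a {@code finally} block; otherwise
     * the weakened setting would stay in place for every test that runs afterwards in the same JVM.
     * NOTE(review): JSSE may cache this property on first use, so the restore is hygiene rather than
     * a guarantee; confirm whether the test JVM is forked per class.
     *
     * <p>An {@link ElasticsearchSecurityException} is also accepted as long as its text shows that
     * the runtime refused the requested cipher suite.
     *
     * @throws Exception if building the settings or creating an engine fails unexpectedly
     */
    @Test
    public void testCipherAndProtocols() throws Exception {
        final String disabledAlgorithmsKey = "jdk.tls.disabledAlgorithms";
        // Security.getProperty returns null when the property is not set at all.
        final String previousDisabledAlgorithms = Security.getProperty(disabledAlgorithmsKey);
        Security.setProperty(disabledAlgorithmsKey, "");
        try {
            System.out.println("Disabled algos: " + Security.getProperty(disabledAlgorithmsKey));
            System.out.println("allowOpenSSL: " + this.allowOpenSSL);
            final Settings httpSettings = Settings.builder()
                    .put("searchguard.ssl.transport.enabled", false)
                    .put("searchguard.ssl.http.keystore_alias", "node-0")
                    .put("searchguard.ssl.http.enabled", true)
                    .put("searchguard.ssl.http.enable_openssl_if_available", this.allowOpenSSL)
                    .put("searchguard.ssl.transport.enable_openssl_if_available", this.allowOpenSSL)
                    .put("searchguard.ssl.http.clientauth_mode", "REQUIRE")
                    .put("searchguard.ssl.http.keystore_filepath", getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
                    .put("searchguard.ssl.http.truststore_filepath", getAbsoluteFilePathFromClassPath("truststore.jks"))
                    .put("searchguard.ssl.http.enabled_ciphers", "SSL_RSA_EXPORT_WITH_RC4_40_MD5")
                    .put("searchguard.ssl.http.enabled_protocols", "SSLv3")
                    .put("client.type", "node")
                    .put("path.home", ".")
                    .build();
            try {
                // REST layer engine.
                final String[] httpCiphers = new DefaultSearchGuardKeyStore(httpSettings, Paths.get(".")).createHTTPSSLEngine().getEnabledCipherSuites();
                final String[] httpProtocols = new DefaultSearchGuardKeyStore(httpSettings, Paths.get(".")).createHTTPSSLEngine().getEnabledProtocols();
                assertOnlyConfiguredLegacySuite(httpProtocols, httpCiphers);

                final Settings transportSettings = Settings.builder()
                        .put("searchguard.ssl.transport.enabled", true)
                        .put("searchguard.ssl.http.enable_openssl_if_available", this.allowOpenSSL)
                        .put("searchguard.ssl.transport.enable_openssl_if_available", this.allowOpenSSL)
                        .put("searchguard.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
                        .put("searchguard.ssl.transport.truststore_filepath", getAbsoluteFilePathFromClassPath("truststore.jks"))
                        .put("searchguard.ssl.transport.enabled_ciphers", "SSL_RSA_EXPORT_WITH_RC4_40_MD5")
                        .put("searchguard.ssl.transport.enabled_protocols", "SSLv3")
                        .put("client.type", "node")
                        .put("path.home", ".")
                        .build();

                // Transport layer, server side.
                final String[] serverCiphers = new DefaultSearchGuardKeyStore(transportSettings, Paths.get(".")).createServerTransportSSLEngine().getEnabledCipherSuites();
                final String[] serverProtocols = new DefaultSearchGuardKeyStore(transportSettings, Paths.get(".")).createServerTransportSSLEngine().getEnabledProtocols();
                assertOnlyConfiguredLegacySuite(serverProtocols, serverCiphers);

                // Transport layer, client side (no peer host/port given).
                final String[] clientCiphers = new DefaultSearchGuardKeyStore(transportSettings, Paths.get(".")).createClientTransportSSLEngine((String) null, -1).getEnabledCipherSuites();
                final String[] clientProtocols = new DefaultSearchGuardKeyStore(transportSettings, Paths.get(".")).createClientTransportSSLEngine((String) null, -1).getEnabledProtocols();
                assertOnlyConfiguredLegacySuite(clientProtocols, clientCiphers);
            } catch (ElasticsearchSecurityException e) {
                // Runtimes that no longer ship the export suite reject it; that is an accepted outcome.
                System.out.println("EXPECTED " + e.getClass().getSimpleName() + " for " + System.getProperty("java.specification.version") + ": " + e.toString());
                e.printStackTrace();
                Assert.assertTrue("Check if error contains 'no valid cipher suites' -> " + e.toString(), e.toString().contains("no valid cipher suites") || e.toString().contains("failed to set cipher suite") || e.toString().contains("Unable to configure permitted SSL ciphers") || e.toString().contains("OPENSSL_internal:NO_CIPHER_MATCH"));
                Assert.assertTrue("Check if >= Java 8 and no openssl", this.allowOpenSSL || Constants.JRE_IS_MINIMUM_JAVA8);
            }
        } finally {
            // Security has no "remove" operation, so only a previously set value can be written back.
            if (previousDisabledAlgorithms != null) {
                Security.setProperty(disabledAlgorithmsKey, previousDisabledAlgorithms);
            }
        }
    }

    /**
     * Asserts that an engine reports only the SSLv3 / export-RC4 combination requested by
     * {@link #testCipherAndProtocols()}. With {@code allowOpenSSL} set, two protocols are expected
     * (one of them SSLv3) and the suite is reported under its {@code TLS_} name.
     */
    private void assertOnlyConfiguredLegacySuite(String[] enabledProtocols, String[] enabledCipherSuites) {
        if (this.allowOpenSSL) {
            Assert.assertEquals(2L, enabledProtocols.length);
            Assert.assertTrue("Check SSLv3", "SSLv3".equals(enabledProtocols[0]) || "SSLv3".equals(enabledProtocols[1]));
            Assert.assertEquals(1L, enabledCipherSuites.length);
            Assert.assertEquals("TLS_RSA_EXPORT_WITH_RC4_40_MD5", enabledCipherSuites[0]);
        } else {
            Assert.assertEquals(1L, enabledProtocols.length);
            Assert.assertEquals("SSLv3", enabledProtocols[0]);
            Assert.assertEquals(1L, enabledCipherSuites.length);
            Assert.assertEquals("SSL_RSA_EXPORT_WITH_RC4_40_MD5", enabledCipherSuites[0]);
        }
    }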

    /**
     * REST-layer TLS with {@code clientauth_mode} left unset, while the test client still presents
     * a certificate. The certificate's DN must then show up in {@code _searchguard/sslinfo}, and
     * {@code _nodes/settings} must not contain a {@code "searchguard"} section.
     *
     * <p>NOTE(review): the test name suggests the plugin default for an unset
     * {@code clientauth_mode} is OPTIONAL; confirm against the plugin's settings.
     */
    @Test
    public void testHttpsOptionalAuth() throws Exception {
        this.sendHTTPClientCertificate = true;
        this.trustHTTPServerCertificate = true;
        this.enableHTTPClientSSL = true;

        final Settings nodeSettings = Settings.builder()
                .put("searchguard.ssl.transport.enabled", false)
                .put("searchguard.ssl.http.keystore_alias", "node-0")
                .put("searchguard.ssl.http.enabled", true)
                .put("searchguard.ssl.http.enable_openssl_if_available", this.allowOpenSSL)
                .put("searchguard.ssl.transport.enable_openssl_if_available", this.allowOpenSSL)
                .put("searchguard.ssl.http.keystore_filepath", getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
                .put("searchguard.ssl.http.truststore_filepath", getAbsoluteFilePathFromClassPath("truststore.jks"))
                .build();
        startES(nodeSettings);

        final String sslInfo = "_searchguard/sslinfo?pretty";
        final String nodesSettings = "_nodes/settings?pretty";

        System.out.println(executeSimpleRequest(sslInfo));
        Assert.assertTrue(executeSimpleRequest(sslInfo).contains("TLS"));
        Assert.assertTrue(executeSimpleRequest(nodesSettings).contains("searchguard_ssl_testcluster"));
        // TLS plugin settings must not be returned by the settings API.
        Assert.assertFalse(executeSimpleRequest(nodesSettings).contains("\"searchguard\""));
        Assert.assertTrue(executeSimpleRequest(sslInfo).contains("CN=node-0.example.com,OU=SSL,O=Test,L=Test,C=DE"));
    }

    /**
     * TLS on both the transport and the REST layer, JKS key material, client certificates required
     * on REST. Checks that {@code sslinfo} reports TLS and the client DN, and that none of the
     * transport counters in {@code _nodes/stats} is reported as zero.
     *
     * <p>Transport hostname verification and hostname resolution are switched off for the test
     * certificates; that is a fixture setting of this test.
     */
    @Test
    public void testHttpsAndNodeSSL() throws Exception {
        this.sendHTTPClientCertificate = true;
        this.trustHTTPServerCertificate = true;
        this.enableHTTPClientSSL = true;

        final Settings nodeSettings = Settings.builder()
                .put("searchguard.ssl.transport.enabled", true)
                .put("searchguard.ssl.http.enable_openssl_if_available", this.allowOpenSSL)
                .put("searchguard.ssl.transport.enable_openssl_if_available", this.allowOpenSSL)
                .put("searchguard.ssl.transport.keystore_alias", "node-0")
                .put("searchguard.ssl.http.keystore_alias", "node-0")
                .put("searchguard.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
                .put("searchguard.ssl.transport.truststore_filepath", getAbsoluteFilePathFromClassPath("truststore.jks"))
                .put("searchguard.ssl.transport.enforce_hostname_verification", false)
                .put("searchguard.ssl.transport.resolve_hostname", false)
                .put("searchguard.ssl.http.enabled", true)
                .put("searchguard.ssl.http.clientauth_mode", "REQUIRE")
                .put("searchguard.ssl.http.keystore_filepath", getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
                .put("searchguard.ssl.http.truststore_filepath", getAbsoluteFilePathFromClassPath("truststore.jks"))
                .build();
        startES(nodeSettings);

        final String sslInfo = "_searchguard/sslinfo?pretty";

        System.out.println(executeSimpleRequest(sslInfo));
        Assert.assertTrue(executeSimpleRequest(sslInfo).contains("TLS"));
        Assert.assertFalse(executeSimpleRequest(sslInfo).isEmpty());
        Assert.assertTrue(executeSimpleRequest("_nodes/settings?pretty").contains("searchguard_ssl_testcluster"));
        Assert.assertTrue(executeSimpleRequest(sslInfo).contains("CN=node-0.example.com,OU=SSL,O=Test,L=Test,C=DE"));

        // A zero counter would presumably mean no traffic went through the TLS transport (verify
        // which transport these stats belong to). One fresh request per counter, as before.
        final String[] zeroCounters = {
            "\"tx_size_in_bytes\" : 0",
            "\"rx_count\" : 0",
            "\"rx_size_in_bytes\" : 0",
            "\"tx_count\" : 0",
        };
        for (String zeroCounter : zeroCounters) {
            Assert.assertFalse(executeSimpleRequest("_nodes/stats?pretty").contains(zeroCounter));
        }
    }

    /**
     * Same scenario as the JKS-based transport + REST test, but the node's certificate, private key
     * and trusted CAs are supplied as PEM files on both layers. The key file is configured without
     * a password here.
     */
    @Test
    public void testHttpsAndNodeSSLPem() throws Exception {
        this.sendHTTPClientCertificate = true;
        this.trustHTTPServerCertificate = true;
        this.enableHTTPClientSSL = true;

        final Settings nodeSettings = Settings.builder()
                .put("searchguard.ssl.transport.enabled", true)
                .put("searchguard.ssl.http.enable_openssl_if_available", this.allowOpenSSL)
                .put("searchguard.ssl.transport.enable_openssl_if_available", this.allowOpenSSL)
                .put("searchguard.ssl.transport.pemcert_filepath", getAbsoluteFilePathFromClassPath("node-0.crt.pem"))
                .put("searchguard.ssl.transport.pemkey_filepath", getAbsoluteFilePathFromClassPath("node-0.key.pem"))
                .put("searchguard.ssl.transport.pemtrustedcas_filepath", getAbsoluteFilePathFromClassPath("root-ca.pem"))
                // Fixture setting: the test certificates are not checked against host names.
                .put("searchguard.ssl.transport.enforce_hostname_verification", false)
                .put("searchguard.ssl.transport.resolve_hostname", false)
                .put("searchguard.ssl.http.enabled", true)
                .put("searchguard.ssl.http.clientauth_mode", "REQUIRE")
                .put("searchguard.ssl.http.pemcert_filepath", getAbsoluteFilePathFromClassPath("node-0.crt.pem"))
                .put("searchguard.ssl.http.pemkey_filepath", getAbsoluteFilePathFromClassPath("node-0.key.pem"))
                .put("searchguard.ssl.http.pemtrustedcas_filepath", getAbsoluteFilePathFromClassPath("root-ca.pem"))
                .build();
        startES(nodeSettings);

        final String sslInfo = "_searchguard/sslinfo?pretty";

        System.out.println(executeSimpleRequest(sslInfo));
        Assert.assertTrue(executeSimpleRequest(sslInfo).contains("TLS"));
        Assert.assertFalse(executeSimpleRequest(sslInfo).isEmpty());
        Assert.assertTrue(executeSimpleRequest("_nodes/settings?pretty").contains("searchguard_ssl_testcluster"));
        Assert.assertTrue(executeSimpleRequest(sslInfo).contains("CN=node-0.example.com,OU=SSL,O=Test,L=Test,C=DE"));
    }

    /**
     * PEM variant in which a key password is configured ({@code pemkey_password}) for the node-4
     * key on both the transport and the REST layer.
     *
     * <p>The password literal is a checked-in test fixture value. The DN asserted at the end is
     * node-0's, although the node itself runs with the node-4 certificate; presumably it is the DN
     * of the certificate the HTTP test client presents (verify against the base class).
     */
    @Test
    public void testHttpsAndNodeSSLPemEnc() throws Exception {
        this.sendHTTPClientCertificate = true;
        this.trustHTTPServerCertificate = true;
        this.enableHTTPClientSSL = true;

        final Settings nodeSettings = Settings.builder()
                .put("searchguard.ssl.transport.enabled", true)
                .put("searchguard.ssl.http.enable_openssl_if_available", this.allowOpenSSL)
                .put("searchguard.ssl.transport.enable_openssl_if_available", this.allowOpenSSL)
                .put("searchguard.ssl.transport.pemcert_filepath", getAbsoluteFilePathFromClassPath("pem/node-4.crt.pem"))
                .put("searchguard.ssl.transport.pemkey_filepath", getAbsoluteFilePathFromClassPath("pem/node-4.key"))
                .put("searchguard.ssl.transport.pemkey_password", "changeit")
                .put("searchguard.ssl.transport.pemtrustedcas_filepath", getAbsoluteFilePathFromClassPath("root-ca.pem"))
                // Fixture setting: the test certificates are not checked against host names.
                .put("searchguard.ssl.transport.enforce_hostname_verification", false)
                .put("searchguard.ssl.transport.resolve_hostname", false)
                .put("searchguard.ssl.http.enabled", true)
                .put("searchguard.ssl.http.clientauth_mode", "REQUIRE")
                .put("searchguard.ssl.http.pemcert_filepath", getAbsoluteFilePathFromClassPath("pem/node-4.crt.pem"))
                .put("searchguard.ssl.http.pemkey_filepath", getAbsoluteFilePathFromClassPath("pem/node-4.key"))
                .put("searchguard.ssl.http.pemkey_password", "changeit")
                .put("searchguard.ssl.http.pemtrustedcas_filepath", getAbsoluteFilePathFromClassPath("root-ca.pem"))
                .build();
        startES(nodeSettings);

        final String sslInfo = "_searchguard/sslinfo?pretty";

        System.out.println(executeSimpleRequest(sslInfo));
        Assert.assertTrue(executeSimpleRequest(sslInfo).contains("TLS"));
        Assert.assertFalse(executeSimpleRequest(sslInfo).isEmpty());
        Assert.assertTrue(executeSimpleRequest("_nodes/settings?pretty").contains("searchguard_ssl_testcluster"));
        Assert.assertTrue(executeSimpleRequest(sslInfo).contains("CN=node-0.example.com,OU=SSL,O=Test,L=Test,C=DE"));
    }

    /**
     * Startup must fail when the transport cipher allow-list names a suite that does not exist.
     * The node is expected to refuse the configuration rather than fall back to other suites; the
     * root cause text differs between the OpenSSL and the non-OpenSSL expectation.
     */
    @Test
    public void testHttpsAndNodeSSLFailedCipher() throws Exception {
        this.sendHTTPClientCertificate = true;
        this.trustHTTPServerCertificate = true;
        this.enableHTTPClientSSL = true;

        try {
            final Settings nodeSettings = Settings.builder()
                    .put("searchguard.ssl.transport.enabled", true)
                    .put("searchguard.ssl.http.enable_openssl_if_available", this.allowOpenSSL)
                    .put("searchguard.ssl.transport.enable_openssl_if_available", this.allowOpenSSL)
                    .put("searchguard.ssl.transport.keystore_alias", "node-0")
                    .put("searchguard.ssl.http.keystore_alias", "node-0")
                    .put("searchguard.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
                    .put("searchguard.ssl.transport.truststore_filepath", getAbsoluteFilePathFromClassPath("truststore.jks"))
                    .put("searchguard.ssl.transport.enforce_hostname_verification", false)
                    .put("searchguard.ssl.transport.resolve_hostname", false)
                    .put("searchguard.ssl.http.enabled", true)
                    .put("searchguard.ssl.http.clientauth_mode", "REQUIRE")
                    .put("searchguard.ssl.http.keystore_filepath", getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
                    .put("searchguard.ssl.http.truststore_filepath", getAbsoluteFilePathFromClassPath("truststore.jks"))
                    // The one deliberately broken setting of this test.
                    .put("searchguard.ssl.transport.enabled_ciphers", "INVALID_CIPHER")
                    .build();
            startES(nodeSettings);
            // Reaching this line means the bogus suite was accepted. fail() raises an AssertionError,
            // which the catch (Exception) below does not intercept.
            Assert.fail();
        } catch (Exception startupFailure) {
            final Throwable rootCause = ExceptionUtils.getRootCause(startupFailure);
            final String expectedFragment = this.allowOpenSSL ? "no cipher match" : "no valid cipher";
            Assert.assertTrue(rootCause.toString(), rootCause.toString().contains(expectedFragment));
        }
    }

    /**
     * A client that does not speak TLS must get no HTTP response from a TLS-enabled REST port:
     * the test expects {@link NoHttpResponseException} to escape.
     *
     * <p>NOTE(review): if the exception is raised by the first request, the assertions after it
     * never run; they are kept as in the original.
     */
    @Test
    public void testHttpPlainFail() throws Exception {
        this.thrown.expect(NoHttpResponseException.class);

        // Plain-text client without a client certificate.
        this.sendHTTPClientCertificate = false;
        this.trustHTTPServerCertificate = true;
        this.enableHTTPClientSSL = false;

        final Settings nodeSettings = Settings.builder()
                .put("searchguard.ssl.transport.enabled", false)
                .put("searchguard.ssl.http.enable_openssl_if_available", this.allowOpenSSL)
                .put("searchguard.ssl.transport.enable_openssl_if_available", this.allowOpenSSL)
                .put("searchguard.ssl.http.keystore_alias", "node-0")
                .put("searchguard.ssl.http.enabled", true)
                .put("searchguard.ssl.http.clientauth_mode", "OPTIONAL")
                .put("searchguard.ssl.http.keystore_filepath", getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
                .put("searchguard.ssl.http.truststore_filepath", getAbsoluteFilePathFromClassPath("truststore.jks"))
                .build();
        startES(nodeSettings);

        final String sslInfo = "_searchguard/sslinfo?pretty";

        Assert.assertFalse(executeSimpleRequest(sslInfo).isEmpty());
        Assert.assertTrue(executeSimpleRequest("_nodes/settings?pretty").contains("searchguard_ssl_testcluster"));
        Assert.assertTrue(executeSimpleRequest(sslInfo).contains("CN=node-0.example.com,OU=SSL,O=Test,L=Test,C=DE"));
    }

    /**
     * With {@code clientauth_mode} set to {@code NONE} and a client that sends no certificate,
     * requests succeed over TLS and {@code sslinfo} must not report the node-0 DN as a peer
     * identity.
     */
    @Test
    public void testHttpsNoEnforce() throws Exception {
        // TLS client that trusts the server but presents no certificate of its own.
        this.sendHTTPClientCertificate = false;
        this.trustHTTPServerCertificate = true;
        this.enableHTTPClientSSL = true;

        final Settings nodeSettings = Settings.builder()
                .put("searchguard.ssl.transport.enabled", false)
                .put("searchguard.ssl.http.enable_openssl_if_available", this.allowOpenSSL)
                .put("searchguard.ssl.transport.enable_openssl_if_available", this.allowOpenSSL)
                .put("searchguard.ssl.http.keystore_alias", "node-0")
                .put("searchguard.ssl.http.enabled", true)
                .put("searchguard.ssl.http.clientauth_mode", "NONE")
                .put("searchguard.ssl.http.keystore_filepath", getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
                .put("searchguard.ssl.http.truststore_filepath", getAbsoluteFilePathFromClassPath("truststore.jks"))
                .build();
        startES(nodeSettings);

        final String sslInfo = "_searchguard/sslinfo?pretty";

        Assert.assertFalse(executeSimpleRequest(sslInfo).isEmpty());
        Assert.assertTrue(executeSimpleRequest("_nodes/settings?pretty").contains("searchguard_ssl_testcluster"));
        // No client certificate was sent, so no certificate DN may be reported for the request.
        Assert.assertFalse(executeSimpleRequest(sslInfo).contains("CN=node-0.example.com,OU=SSL,O=Test,L=Test,C=DE"));
    }

    /**
     * With {@code clientauth_mode} set to {@code REQUIRE}, a TLS client that presents no certificate
     * must be rejected. Depending on where the connection is torn down, the rejection surfaces as a
     * {@link SocketException} or an {@link SSLHandshakeException}; any other outcome, including a
     * successful response, fails the test.
     */
    @Test
    public void testHttpsEnforceFail() throws Exception {
        // TLS client that trusts the server but presents no certificate of its own.
        this.sendHTTPClientCertificate = false;
        this.trustHTTPServerCertificate = true;
        this.enableHTTPClientSSL = true;

        final Settings nodeSettings = Settings.builder()
                .put("searchguard.ssl.transport.enabled", false)
                .put("searchguard.ssl.http.enable_openssl_if_available", this.allowOpenSSL)
                .put("searchguard.ssl.transport.enable_openssl_if_available", this.allowOpenSSL)
                .put("searchguard.ssl.http.keystore_alias", "node-0")
                .put("searchguard.ssl.http.enabled", true)
                .put("searchguard.ssl.http.clientauth_mode", "REQUIRE")
                .put("searchguard.ssl.http.keystore_filepath", getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
                .put("searchguard.ssl.http.truststore_filepath", getAbsoluteFilePathFromClassPath("truststore.jks"))
                .build();
        startES(nodeSettings);

        try {
            executeSimpleRequest("");
            // A response here means the server accepted an unauthenticated client. fail() raises
            // an AssertionError, which none of the catch clauses below intercepts.
            Assert.fail();
        } catch (SSLHandshakeException handshakeRejected) {
            System.out.println("Expected SSLHandshakeException " + handshakeRejected.toString());
        } catch (SocketException connectionDropped) {
            System.out.println("Expected SocketException " + connectionDropped.toString());
        } catch (Exception unexpected) {
            unexpected.printStackTrace();
            Assert.fail("Unexpected exception " + unexpected.toString());
        }
    }

    /**
     * Protocol-downgrade check: with the server's protocol list left at its default, the test sets
     * {@code enableHTTPClientSSLv3Only} on the HTTP client and expects an
     * {@link SSLHandshakeException} to escape.
     *
     * <p>NOTE(review): {@code enableHTTPClientSSLv3Only} is defined outside this file; presumably it
     * restricts the test client to SSLv3 (confirm in the base class). Assertions after the failing
     * request are kept as in the original.
     */
    @Test
    public void testHttpsV3Fail() throws Exception {
        this.thrown.expect(SSLHandshakeException.class);

        this.enableHTTPClientSSLv3Only = true;
        this.sendHTTPClientCertificate = false;
        this.trustHTTPServerCertificate = true;
        this.enableHTTPClientSSL = true;

        final Settings nodeSettings = Settings.builder()
                .put("searchguard.ssl.transport.enabled", false)
                .put("searchguard.ssl.http.enable_openssl_if_available", this.allowOpenSSL)
                .put("searchguard.ssl.transport.enable_openssl_if_available", this.allowOpenSSL)
                .put("searchguard.ssl.http.keystore_alias", "node-0")
                .put("searchguard.ssl.http.enabled", true)
                .put("searchguard.ssl.http.clientauth_mode", "NONE")
                .put("searchguard.ssl.http.keystore_filepath", getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
                .put("searchguard.ssl.http.truststore_filepath", getAbsoluteFilePathFromClassPath("truststore.jks"))
                .build();
        startES(nodeSettings);

        Assert.assertFalse(executeSimpleRequest("_searchguard/sslinfo?pretty").isEmpty());
        Assert.assertTrue(executeSimpleRequest("_nodes/settings?pretty").contains("searchguard_ssl_testcluster"));
    }

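    /**
     * Connects a transport client that uses the same TLS settings as the nodes and runs a short
     * index / search / health round trip over the encrypted transport.
     *
     * <p>The client is managed with try-with-resources. The earlier hand-expanded form carried an
     * unreachable close path that called {@code addSuppressed} on a {@code null} throwable; the
     * language construct closes the client on every exit and records a failing {@code close()} as
     * a suppressed exception.
     *
     * <p>Transport hostname verification and hostname resolution are switched off for the test
     * certificates; that is a fixture setting of this test.
     *
     * @throws Exception if the cluster cannot be started or any request fails
     */
    @Test
    public void testTransportClientSSL() throws Exception {
        final Settings build = Settings.builder()
                .put("searchguard.ssl.transport.enabled", true)
                .put("searchguard.ssl.http.enable_openssl_if_available", this.allowOpenSSL)
                .put("searchguard.ssl.transport.enable_openssl_if_available", this.allowOpenSSL)
                .put("searchguard.ssl.transport.keystore_alias", "node-0")
                .put("searchguard.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
                .put("searchguard.ssl.transport.truststore_filepath", getAbsoluteFilePathFromClassPath("truststore.jks"))
                .put("searchguard.ssl.transport.enforce_hostname_verification", false)
                .put("searchguard.ssl.transport.resolve_hostname", false)
                .build();
        startES(build);
        this.log.debug("Elasticsearch started");

        // The client reuses the node's TLS settings and only adds the cluster name.
        try (AbstractUnitTest.TransportClientImpl transportClientImpl = new AbstractUnitTest.TransportClientImpl(this, Settings.builder().put("cluster.name", "searchguard_ssl_testcluster").put(build).build(), asCollection(SearchGuardSSLPlugin.class))) {
            this.log.debug("TransportClient built, connect now to {}:{}", this.nodeHost, Integer.valueOf(this.nodePort));
            transportClientImpl.addTransportAddress(new TransportAddress(new InetSocketAddress(this.nodeHost, this.nodePort)));
            Assert.assertEquals(3L, ((NodesInfoResponse) transportClientImpl.admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet()).getNodes().size());
            this.log.debug("TransportClient connected");
            Assert.assertEquals("test", ((IndexResponse) transportClientImpl.index(new IndexRequest("test", "test").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"a\":5}", XContentType.JSON)).actionGet()).getIndex());
            this.log.debug("Index created");
            Assert.assertEquals(1L, ((SearchResponse) transportClientImpl.search(new SearchRequest(new String[]{"test"})).actionGet()).getHits().getTotalHits());
            this.log.debug("Search done");
            Assert.assertEquals(3L, ((ClusterHealthResponse) transportClientImpl.admin().cluster().health(new ClusterHealthRequest(new String[]{"test"})).actionGet()).getNumberOfNodes());
            this.log.debug("ClusterHealth done");
            Assert.assertEquals(3L, ((NodesInfoResponse) transportClientImpl.admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet()).getNodes().size());
            this.log.debug("NodesInfoRequest asserted");
        }
    }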

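    /**
     * Connects a transport client whose TLS configuration comes from an externally built
     * {@link SSLContext}, registered under the id {@code "abcx"} and referenced through
     * {@code searchguard.ssl.client.external_context_id}, instead of from keystore settings.
     *
     * <p>Changes against the earlier form: the two keystore resource streams are now closed after
     * loading (they were previously left open), and the client is managed with try-with-resources,
     * which replaces a hand-expanded close sequence containing an unreachable branch that called
     * {@code addSuppressed} on a {@code null} throwable.
     *
     * <p>The {@code "changeit"} passwords belong to the checked-in test keystores. Transport
     * hostname verification is switched off on the node side as a fixture setting.
     *
     * @throws Exception if the cluster cannot be started, key material cannot be loaded, or any
     *     request fails
     */
    @Test
    public void testTransportClientSSLExternalContext() throws Exception {
        startES(Settings.builder()
                .put("searchguard.ssl.transport.enabled", true)
                .put("searchguard.ssl.http.enable_openssl_if_available", this.allowOpenSSL)
                .put("searchguard.ssl.transport.enable_openssl_if_available", this.allowOpenSSL)
                .put("searchguard.ssl.transport.keystore_alias", "node-0")
                .put("searchguard.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
                .put("searchguard.ssl.transport.truststore_filepath", getAbsoluteFilePathFromClassPath("truststore.jks"))
                .put("searchguard.ssl.transport.enforce_hostname_verification", false)
                .put("searchguard.ssl.transport.resolve_hostname", false)
                .build());
        this.log.debug("Elasticsearch started");

        // Client settings carry no keystore paths; TLS comes from the registered context only.
        final Settings build = Settings.builder()
                .put("cluster.name", "searchguard_ssl_testcluster")
                .put("path.home", ".")
                .put("searchguard.ssl.client.external_context_id", "abcx")
                .build();

        // Trust anchors for verifying the nodes' certificates.
        final TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        final KeyStore keyStore = KeyStore.getInstance("JKS");
        try (java.io.InputStream trustStoreStream = getClass().getResourceAsStream("/truststore.jks")) {
            keyStore.load(trustStoreStream, "changeit".toCharArray());
        }
        trustManagerFactory.init(keyStore);

        // Client identity presented to the nodes.
        final KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        final KeyStore keyStore2 = KeyStore.getInstance("JKS");
        try (java.io.InputStream keyStoreStream = getClass().getResourceAsStream("/node-0-keystore.jks")) {
            keyStore2.load(keyStoreStream, "changeit".toCharArray());
        }
        keyManagerFactory.init(keyStore2, "changeit".toCharArray());

        final SSLContext sSLContext = SSLContext.getInstance("TLSv1.2");
        // A null SecureRandom lets the provider pick its default source.
        sSLContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);
        ExternalSearchGuardKeyStore.registerExternalSslContext("abcx", sSLContext);

        try (AbstractUnitTest.TransportClientImpl transportClientImpl = new AbstractUnitTest.TransportClientImpl(this, build, asCollection(SearchGuardSSLPlugin.class))) {
            this.log.debug("TransportClient built, connect now to {}:{}", this.nodeHost, Integer.valueOf(this.nodePort));
            transportClientImpl.addTransportAddress(new TransportAddress(new InetSocketAddress(this.nodeHost, this.nodePort)));
            this.log.debug("TransportClient connected");
            Assert.assertEquals("test", ((IndexResponse) transportClientImpl.index(new IndexRequest("test", "test").setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE).source("{\"a\":5}", XContentType.JSON)).actionGet()).getIndex());
            this.log.debug("Index created");
            Assert.assertEquals(1L, ((SearchResponse) transportClientImpl.search(new SearchRequest(new String[]{"test"})).actionGet()).getHits().getTotalHits());
            this.log.debug("Search done");
            Assert.assertEquals(3L, ((ClusterHealthResponse) transportClientImpl.admin().cluster().health(new ClusterHealthRequest(new String[]{"test"})).actionGet()).getNumberOfNodes());
            this.log.debug("ClusterHealth done");
        }
    }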

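    /**
     * Checks that an extra node started with the same TLS transport settings can join the
     * running test cluster.
     *
     * <p>The cluster is started through {@code startES} with TLS enabled on the transport
     * layer. A further {@link PluginAwareNode} is then started with the same keystore and
     * truststore, and the test waits up to five seconds for the cluster to report four nodes.
     * After that node has been closed, the node statistics are fetched over HTTP and must not
     * contain any of four zeroed tx/rx counters.
     *
     * <p>Hostname verification and hostname resolution are switched off in this fixture, so
     * host name matching is not exercised here.
     *
     * @throws Exception if the cluster or the extra node cannot be started, or a request fails
     */
    @Test
    public void testNodeClientSSL() throws Exception {
        Settings build = Settings.builder()
                .put("searchguard.ssl.transport.enabled", true)
                .put("searchguard.ssl.http.enable_openssl_if_available", this.allowOpenSSL)
                .put("searchguard.ssl.transport.enable_openssl_if_available", this.allowOpenSSL)
                .put("searchguard.ssl.transport.keystore_alias", "node-0")
                .put("searchguard.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
                .put("searchguard.ssl.transport.truststore_filepath", getAbsoluteFilePathFromClassPath("truststore.jks"))
                .put("searchguard.ssl.transport.enforce_hostname_verification", false)
                .put("searchguard.ssl.transport.resolve_hostname", false)
                .build();
        startES(build);

        // The extra node reuses the cluster's TLS settings, i.e. the same key material and trust anchors.
        Settings nodeSettings = Settings.builder()
                .put("cluster.name", "searchguard_ssl_testcluster")
                .put("path.home", ".")
                .put(build)
                .build();

        // try-with-resources closes the node exactly once, on success and on failure alike.
        try (Node node = new PluginAwareNode(nodeSettings, Netty4Plugin.class, SearchGuardSSLPlugin.class).start()) {
            // Keep the health response in a local: it is needed for both assertions below.
            ClusterHealthResponse health = node.client().admin().cluster()
                    .health(new ClusterHealthRequest().waitForNodes("4").timeout(TimeValue.timeValueSeconds(5L)))
                    .actionGet();
            Assert.assertFalse(health.isTimedOut());
            Assert.assertEquals(4L, health.getNumberOfNodes());

            NodesInfoResponse nodesInfo = node.client().admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet();
            Assert.assertEquals(4L, nodesInfo.getNodes().size());
        }

        // The statistics are requested once per counter, after the extra node has been closed.
        // NOTE(review): presumably these are the transport counters, so a non-zero value shows
        // that traffic flowed over the TLS-enabled transport - confirm against the stats format.
        String[] zeroedCounters = {
            "\"tx_size_in_bytes\" : 0",
            "\"rx_count\" : 0",
            "\"rx_size_in_bytes\" : 0",
            "\"tx_count\" : 0"
        };
        for (String zeroedCounter : zeroedCounters) {
            Assert.assertFalse("node stats contain " + zeroedCounter,
                    executeSimpleRequest("_nodes/stats?pretty").contains(zeroedCounter));
        }
    }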

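    /**
     * Negative test: a transport client with a different truststore must not get a usable
     * connection to the TLS-protected cluster.
     *
     * <p>The nodes are started with {@code truststore.jks}; the client is configured with
     * {@code truststore_fail.jks} instead. The expected outcome is a
     * {@link NoNodeAvailableException}, registered up front on the {@code thrown} rule, so the
     * rule is satisfied by that exception wherever in the method it is raised.
     *
     * <p>NOTE(review): presumably {@code truststore_fail.jks} lacks the CA that issued the node
     * certificate, which is what makes the handshake fail - confirm against the test resources.
     * Hostname verification is disabled on both sides, so the failure is not caused by a host
     * name mismatch.
     *
     * @throws Exception the expected {@link NoNodeAvailableException}, or any setup failure
     */
    @Test
    public void testTransportClientSSLFail() throws Exception {
        this.thrown.expect(NoNodeAvailableException.class);

        Settings nodeSettings = Settings.builder()
                .put("searchguard.ssl.transport.enabled", true)
                .put("searchguard.ssl.http.enable_openssl_if_available", this.allowOpenSSL)
                .put("searchguard.ssl.transport.enable_openssl_if_available", this.allowOpenSSL)
                .put("searchguard.ssl.transport.keystore_alias", "node-0")
                .put("searchguard.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
                .put("searchguard.ssl.transport.truststore_filepath", getAbsoluteFilePathFromClassPath("truststore.jks"))
                .put("searchguard.ssl.transport.enforce_hostname_verification", false)
                .put("searchguard.ssl.transport.resolve_hostname", false)
                .build();
        startES(nodeSettings);

        // Same keystore as the nodes, but a different truststore: only the trust decision differs.
        Settings clientSettings = Settings.builder()
                .put("cluster.name", "searchguard_ssl_testcluster")
                .put("path.home", getAbsoluteFilePathFromClassPath("node-0-keystore.jks").getParent())
                .put("searchguard.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
                .put("searchguard.ssl.transport.truststore_filepath", getAbsoluteFilePathFromClassPath("truststore_fail.jks"))
                .put("searchguard.ssl.transport.enforce_hostname_verification", false)
                .put("searchguard.ssl.transport.resolve_hostname", false)
                .build();

        // try-with-resources closes the client exactly once, also when the expected exception is thrown.
        try (AbstractUnitTest.TransportClientImpl client =
                new AbstractUnitTest.TransportClientImpl(this, clientSettings, asCollection(SearchGuardSSLPlugin.class))) {
            client.addTransportAddress(new TransportAddress(new InetSocketAddress(this.nodeHost, this.nodePort)));
            // With the expected exception registered above, reaching a passing assertion here
            // would make the test fail: the request itself is what is supposed to throw.
            NodesInfoResponse nodesInfo = client.admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet();
            Assert.assertEquals(3L, nodesInfo.getNodes().size());
        }
    }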

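    /**
     * Checks that the running JDK supports at least one cipher suite from the plugin's secure
     * cipher list.
     *
     * <p>A default {@code "TLS"} context is created (no key managers, trust managers or random
     * source supplied), the engine's supported suites are intersected with
     * {@code SSLConfigConstants.getSecureSSLCiphers(Settings.EMPTY, false)}, and the result is
     * enabled on the engine. The test passes when the engine then reports a non-empty set of
     * enabled suites; it does not assert which suites those are.
     *
     * @throws Exception if the TLS context cannot be created or initialised
     */
    @Test
    public void testAvailCiphers() throws Exception {
        SSLContext sSLContext = SSLContext.getInstance("TLS");
        sSLContext.init(null, null, null);
        SSLEngine engine = sSLContext.createSSLEngine();

        // Mutable copy: Arrays.asList alone is a fixed-size view and would reject retainAll.
        List<String> candidates = new ArrayList<>(Arrays.asList(engine.getSupportedCipherSuites()));
        candidates.retainAll(SSLConfigConstants.getSecureSSLCiphers(Settings.EMPTY, false));
        engine.setEnabledCipherSuites(candidates.toArray(new String[0]));

        List<String> enabled = Arrays.asList(engine.getEnabledCipherSuites());
        System.out.println("JDK enabled ciphers: " + enabled);
        Assert.assertFalse(enabled.isEmpty());
    }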

    /**
     * Checks that callers cannot alter the default protocol and cipher configuration through
     * the values {@code SSLConfigConstants} hands out.
     *
     * <p>Two properties are asserted: overwriting the first element of the returned protocol
     * array has no effect on the next call, which must still yield {@code "TLSv1.2"} first, and
     * the returned cipher list rejects {@code set} with an
     * {@link UnsupportedOperationException}.
     *
     * @throws Exception never in the passing case; declared for uniformity with the other tests
     */
    @Test
    public void testUnmodifieableCipherProtocolConfig() throws Exception {
        String[] handedOutProtocols = SSLConfigConstants.getSecureSSLProtocols(Settings.EMPTY, false);
        handedOutProtocols[0] = "bogus";

        // A fresh call must be unaffected by the write to the array obtained above.
        String firstProtocolAfterWrite = SSLConfigConstants.getSecureSSLProtocols(Settings.EMPTY, false)[0];
        Assert.assertEquals("TLSv1.2", firstProtocolAfterWrite);

        try {
            SSLConfigConstants.getSecureSSLCiphers(Settings.EMPTY, false).set(0, "bogus");
            Assert.fail();
        } catch (UnsupportedOperationException expected) {
            // Expected: the cipher list must refuse modification.
        }
    }

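    /**
     * Checks that a configured custom principal extractor is invoked for HTTPS requests.
     *
     * <p>The cluster is started with TLS on both the transport and the HTTP layer and with
     * {@code searchguard.ssl.transport.principal_extractor_class} set to
     * {@code TestPrincipalExtractor}. A transport client connects, resets the extractor's
     * counters, and indexes and searches one document. After the client has been closed, one
     * HTTPS request is sent with a client certificate, and the extractor's HTTP counter must
     * be greater than zero.
     *
     * <p>NOTE(review): only the HTTP invocation count is asserted; whether the extractor is
     * called for transport traffic is not checked in this method. Hostname verification is
     * disabled in this fixture.
     *
     * @throws Exception if the cluster cannot be started or a request fails
     */
    @Test
    public void testCustomPrincipalExtractor() throws Exception {
        // The HTTP test client uses TLS, trusts the server certificate and presents its own certificate.
        this.enableHTTPClientSSL = true;
        this.trustHTTPServerCertificate = true;
        this.sendHTTPClientCertificate = true;

        Settings build = Settings.builder()
                .put("searchguard.ssl.transport.enabled", true)
                .put("searchguard.ssl.http.enable_openssl_if_available", this.allowOpenSSL)
                .put("searchguard.ssl.transport.enable_openssl_if_available", this.allowOpenSSL)
                .put("searchguard.ssl.transport.keystore_alias", "node-0")
                .put("searchguard.ssl.transport.keystore_filepath", getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
                .put("searchguard.ssl.transport.truststore_filepath", getAbsoluteFilePathFromClassPath("truststore.jks"))
                .put("searchguard.ssl.transport.enforce_hostname_verification", false)
                .put("searchguard.ssl.transport.resolve_hostname", false)
                .put("searchguard.ssl.transport.principal_extractor_class", "com.floragunn.searchguard.ssl.TestPrincipalExtractor")
                .put("searchguard.ssl.http.keystore_alias", "node-0")
                .put("searchguard.ssl.http.enabled", true)
                .put("searchguard.ssl.http.keystore_filepath", getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
                .put("searchguard.ssl.http.truststore_filepath", getAbsoluteFilePathFromClassPath("truststore.jks"))
                .build();
        startES(build);
        this.log.debug("Elasticsearch started");

        Settings clientSettings = Settings.builder()
                .put("cluster.name", "searchguard_ssl_testcluster")
                .put("path.home", ".")
                .put(build)
                .build();

        // try-with-resources closes the client exactly once, before the HTTPS request below.
        try (AbstractUnitTest.TransportClientImpl client =
                new AbstractUnitTest.TransportClientImpl(this, clientSettings, asCollection(SearchGuardSSLPlugin.class))) {
            this.log.debug("TransportClient built, connect now to {}:{}", this.nodeHost, Integer.valueOf(this.nodePort));
            client.addTransportAddress(new TransportAddress(new InetSocketAddress(this.nodeHost, this.nodePort)));
            NodesInfoResponse nodesBefore = client.admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet();
            Assert.assertEquals(3L, nodesBefore.getNodes().size());
            this.log.debug("TransportClient connected");

            // Counters are reset only after the connection is up, so connection setup is not counted.
            TestPrincipalExtractor.reset();

            IndexResponse indexed = client.index(new IndexRequest("test", "test")
                    .setRefreshPolicy(WriteRequest.RefreshPolicy.IMMEDIATE)
                    .source("{\"a\":5}", XContentType.JSON)).actionGet();
            Assert.assertEquals("test", indexed.getIndex());
            this.log.debug("Index created");

            SearchResponse found = client.search(new SearchRequest(new String[]{"test"})).actionGet();
            Assert.assertEquals(1L, found.getHits().getTotalHits());
            this.log.debug("Search done");

            ClusterHealthResponse health = client.admin().cluster()
                    .health(new ClusterHealthRequest(new String[]{"test"})).actionGet();
            Assert.assertEquals(3L, health.getNumberOfNodes());
            this.log.debug("ClusterHealth done");

            NodesInfoResponse nodesAfter = client.admin().cluster().nodesInfo(new NodesInfoRequest()).actionGet();
            Assert.assertEquals(3L, nodesAfter.getNodes().size());
            this.log.debug("NodesInfoRequest asserted");
        }

        // The response body is not inspected; the request only has to reach the extractor.
        executeSimpleRequest("_searchguard/sslinfo?pretty");
        Assert.assertTrue(TestPrincipalExtractor.getHttpCount() > 0);
    }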

    /**
     * Starts a cluster with PEM key material, mandatory HTTP client certificates and CRL
     * validation, and checks that a request with the test client certificate is still served.
     *
     * <p>CRL validation is enabled for HTTP and evaluated against the fixed date
     * {@code CertificateValidatorTest.CRL_DATE}. No CRL file path is configured in this
     * method.
     *
     * <p>NOTE(review): only the accepting path is asserted (the response must contain
     * {@code "TLS"}); refusal of a revoked client certificate is not covered here. Where the
     * revocation data comes from without a configured CRL file cannot be told from this method.
     *
     * @throws Exception if the cluster cannot be started or the request fails
     */
    @Test
    public void testCRLPem() throws Exception {
        // The HTTP test client uses TLS, trusts the server certificate and presents its own certificate.
        this.enableHTTPClientSSL = true;
        this.trustHTTPServerCertificate = true;
        this.sendHTTPClientCertificate = true;

        Settings settings = Settings.builder()
                .put("searchguard.ssl.transport.enabled", true)
                .put("searchguard.ssl.http.enable_openssl_if_available", this.allowOpenSSL)
                .put("searchguard.ssl.transport.enable_openssl_if_available", this.allowOpenSSL)
                .put("searchguard.ssl.transport.pemcert_filepath", getAbsoluteFilePathFromClassPath("node-0.crt.pem"))
                .put("searchguard.ssl.transport.pemkey_filepath", getAbsoluteFilePathFromClassPath("node-0.key.pem"))
                .put("searchguard.ssl.transport.pemtrustedcas_filepath", getAbsoluteFilePathFromClassPath("root-ca.pem"))
                .put("searchguard.ssl.transport.enforce_hostname_verification", false)
                .put("searchguard.ssl.transport.resolve_hostname", false)
                .put("searchguard.ssl.http.enabled", true)
                .put("searchguard.ssl.http.clientauth_mode", "REQUIRE")
                .put("searchguard.ssl.http.pemcert_filepath", getAbsoluteFilePathFromClassPath("node-0.crt.pem"))
                .put("searchguard.ssl.http.pemkey_filepath", getAbsoluteFilePathFromClassPath("node-0.key.pem"))
                .put("searchguard.ssl.http.pemtrustedcas_filepath", getAbsoluteFilePathFromClassPath("chain-ca.pem"))
                .put("searchguard.ssl.http.crl.validate", true)
                .put("searchguard.ssl.http.crl.validation_date", CertificateValidatorTest.CRL_DATE.getTime())
                .build();
        startES(settings);

        String sslInfo = executeSimpleRequest("_searchguard/sslinfo?pretty");
        Assert.assertTrue(sslInfo.contains("TLS"));
    }

    /**
     * Starts a cluster with keystore-based HTTP TLS, mandatory client certificates and CRL
     * validation against a CRL file, and checks that a request with the test client
     * certificate is still served.
     *
     * <p>Transport TLS is disabled in this test. The CRL is read from {@code crl/revoked.crl}
     * on the class path and evaluated against the fixed date
     * {@code CertificateValidatorTest.CRL_DATE}.
     *
     * <p>NOTE(review): only the accepting path is asserted (the node settings response must
     * contain the cluster name); refusal of a revoked client certificate is not covered here.
     *
     * @throws Exception if the cluster cannot be started or the request fails
     */
    @Test
    public void testCRL() throws Exception {
        // The HTTP test client uses TLS, trusts the server certificate and presents its own certificate.
        this.enableHTTPClientSSL = true;
        this.trustHTTPServerCertificate = true;
        this.sendHTTPClientCertificate = true;

        Settings settings = Settings.builder()
                .put("searchguard.ssl.transport.enabled", false)
                .put("searchguard.ssl.http.keystore_alias", "node-0")
                .put("searchguard.ssl.http.enabled", true)
                .put("searchguard.ssl.http.enable_openssl_if_available", this.allowOpenSSL)
                .put("searchguard.ssl.transport.enable_openssl_if_available", this.allowOpenSSL)
                .put("searchguard.ssl.http.clientauth_mode", "REQUIRE")
                .put("searchguard.ssl.http.keystore_filepath", getAbsoluteFilePathFromClassPath("node-0-keystore.jks"))
                .put("searchguard.ssl.http.truststore_filepath", getAbsoluteFilePathFromClassPath("truststore.jks"))
                .put("searchguard.ssl.http.crl.validate", true)
                .put("searchguard.ssl.http.crl.file_path", getAbsoluteFilePathFromClassPath("crl/revoked.crl"))
                .put("searchguard.ssl.http.crl.validation_date", CertificateValidatorTest.CRL_DATE.getTime())
                .build();
        startES(settings);

        String nodeSettings = executeSimpleRequest("_nodes/settings?pretty");
        Assert.assertTrue(nodeSettings.contains("searchguard_ssl_testcluster"));
    }
}
