package org.graylog2.security.ldap;

import com.google.common.collect.ImmutableSet;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.time.Duration;
import java.util.Locale;
import java.util.Set;
import javax.annotation.Nonnull;
import javax.net.ssl.TrustManager;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;
import org.assertj.core.api.Assertions;
import org.graylog2.rest.models.system.ldap.requests.LdapTestConfigRequest;
import org.graylog2.security.DefaultX509TrustManager;
import org.graylog2.security.ldap.LdapConnector;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.mockito.ArgumentMatchers;
import org.mockito.Mockito;
import org.testcontainers.containers.BindMode;
import org.testcontainers.containers.GenericContainer;
import org.testcontainers.containers.wait.strategy.Wait;
import org.testcontainers.junit.jupiter.Testcontainers;

@Testcontainers
/* loaded from: input_file:org/graylog2/security/ldap/LdapConnectorSSLTLSIT.class */
public class LdapConnectorSSLTLSIT {
    private static final int DEFAULT_TIMEOUT = 60000;
    private static final String ADMIN_NAME = "cn=admin,dc=example,dc=org";
    private static final String ADMIN_PASSWORD = "admin";
    private static final String LOCAL_CERTS_PATH = "certs";
    private LdapConnector.TrustManagerProvider trustManagerProvider;
    private LdapConnector ldapConnector;
    private static final Set<String> ENABLED_TLS_PROTOCOLS = ImmutableSet.of("TLSv1.2");
    private static final Integer PORT = 389;
    private static final Integer SSL_PORT = 636;
    private static final String CONTAINER_CERTS_PATH = "/container/service/slapd/assets/certs";
    private static final String NETWORK_ALIAS = "ldapserver";
    private static final GenericContainer<?> container = new GenericContainer("osixia/openldap:1.4.0").waitingFor(Wait.forLogMessage(".*slapd starting.*", 1)).withEnv("LDAP_TLS_VERIFY_CLIENT", "allow").withEnv("LDAP_TLS_CRT_FILENAME", "server-cert.pem").withEnv("LDAP_TLS_KEY_FILENAME", "server-key.pem").withEnv("LDAP_TLS_CA_CRT_FILENAME", "CA-cert.pem").withEnv("LDAP_TLS_DH_PARAM_FILENAME", "dhparam.pem").withFileSystemBind(customCerts(), CONTAINER_CERTS_PATH, BindMode.READ_ONLY).withCommand("--copy-service").withNetworkAliases(new String[]{NETWORK_ALIAS}).withExposedPorts(new Integer[]{PORT, SSL_PORT}).withStartupTimeout(Duration.ofMinutes(1));

    @BeforeAll
    static void beforeAll() {
        container.start();
    }

    @BeforeEach
    void setUp() throws KeyStoreException, NoSuchAlgorithmException {
        LdapSettingsService ldapSettingsService = (LdapSettingsService) Mockito.mock(LdapSettingsService.class);
        this.trustManagerProvider = (LdapConnector.TrustManagerProvider) Mockito.mock(LdapConnector.TrustManagerProvider.class);
        mockTrustManagerWithSystemKeystore();
        this.ldapConnector = new LdapConnector(DEFAULT_TIMEOUT, ENABLED_TLS_PROTOCOLS, ldapSettingsService, this.trustManagerProvider);
    }

    @Test
    void shouldNotConnectViaTLSToSelfSignedCertIfValidationIsRequested() throws Exception {
        assertConnectionFailure(createTLSTestRequest(false));
    }

    @Test
    void shouldNotConnectViaTLSToCertWithMismatchingCommonNameIfValidationIsRequested() throws Exception {
        mockTrustManagerWithKeystore(singleCA());
        assertConnectionFailure(createRequest(internalUriWithIpAddress(), true, false));
    }

    @Test
    void shouldConnectViaTLSToTrustedCertWithMatchingCommonNameIfValidationIsRequested() throws Exception {
        mockTrustManagerWithKeystore(singleCA());
        assertConnectionSuccess(createRequest(internalUri(), true, false));
    }

    @Test
    void shouldConnectViaTLSToSelfSignedCertIfValidationIsNotRequested() throws Exception {
        assertConnectionSuccess(createTLSTestRequest(true));
    }

    @Test
    void shouldNotConnectViaSSLToSelfSignedCertIfValidationIsRequested() {
        assertConnectionFailure(createSSLTestRequest(false));
    }

    @Test
    void shouldNotConnectViaSSLToTrustedCertWithMismatchingHostnameIfValidationIsRequested() throws Exception {
        mockTrustManagerWithKeystore(singleCA());
        assertConnectionFailure(createRequest(internalSSLUriWithIpAddress(), false, false));
    }

    @Test
    void shouldConnectViaSSLToTrustedCertWithMatchingHostnameIfValidationIsRequested() throws Exception {
        mockTrustManagerWithKeystore(singleCA());
        assertConnectionSuccess(createSSLTestRequest(false));
    }

    @Test
    void shouldConnectViaSSLToSelfSignedCertIfValidationIsNotRequested() throws Exception {
        assertConnectionSuccess(createSSLTestRequest(true));
    }

    @Nonnull
    private LdapTestConfigRequest createTLSTestRequest(boolean z) {
        return createRequest(internalSSLUri(), true, z);
    }

    @Nonnull
    private LdapTestConfigRequest createSSLTestRequest(boolean z) {
        return createRequest(internalSSLUri(), false, z);
    }

    private LdapTestConfigRequest createRequest(URI uri, boolean z, boolean z2) {
        return LdapTestConfigRequest.create(ADMIN_NAME, ADMIN_PASSWORD, uri, z, z2, false, (String) null, (String) null, (String) null, (String) null, true, (String) null, (String) null, (String) null);
    }

    private void assertConnectionFailure(LdapTestConfigRequest ldapTestConfigRequest) {
        Assertions.assertThatThrownBy(() -> {
            this.ldapConnector.connect(ldapTestConfigRequest);
        }).isNotNull();
    }

    private void assertConnectionSuccess(LdapTestConfigRequest ldapTestConfigRequest) throws KeyStoreException, LdapException, NoSuchAlgorithmException, IOException {
        LdapNetworkConnection connect = this.ldapConnector.connect(ldapTestConfigRequest);
        Throwable th = null;
        try {
            try {
                Assertions.assertThat(connect.isAuthenticated()).isTrue();
                Assertions.assertThat(connect.isConnected()).isTrue();
                Assertions.assertThat(connect.isSecured()).isTrue();
                if (connect != null) {
                    if (0 == 0) {
                        connect.close();
                        return;
                    }
                    try {
                        connect.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
            } catch (Throwable th3) {
                th = th3;
                throw th3;
            }
        } catch (Throwable th4) {
            if (connect != null) {
                if (th != null) {
                    try {
                        connect.close();
                    } catch (Throwable th5) {
                        th.addSuppressed(th5);
                    }
                } else {
                    connect.close();
                }
            }
            throw th4;
        }
    }

    private void mockTrustManagerWithSystemKeystore() throws KeyStoreException, NoSuchAlgorithmException {
        mockTrustManagerWithKeystore(null);
    }

    private void mockTrustManagerWithKeystore(KeyStore keyStore) throws KeyStoreException, NoSuchAlgorithmException {
        Mockito.when(this.trustManagerProvider.create(ArgumentMatchers.anyString())).then(invocationOnMock -> {
            return provideTrustManager((String) invocationOnMock.getArgument(0), keyStore);
        });
    }

    private KeyStore singleCA() throws KeyStoreException, IOException, CertificateException, NoSuchAlgorithmException {
        KeyStore keyStore = KeyStore.getInstance("JKS");
        keyStore.load(getClass().getResource("single-ca.jks").openStream(), "changeit".toCharArray());
        return keyStore;
    }

    private TrustManager provideTrustManager(String str, KeyStore keyStore) {
        try {
            return new DefaultX509TrustManager(str, keyStore);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    private static String customCerts() {
        try {
            return Paths.get(LdapConnectorSSLTLSIT.class.getResource(LOCAL_CERTS_PATH).toURI()).toFile().getAbsolutePath();
        } catch (URISyntaxException e) {
            throw new RuntimeException(e);
        }
    }

    private URI internalUri() {
        return URI.create(String.format(Locale.US, "ldap://%s:%d", container.getHost(), container.getMappedPort(PORT.intValue())));
    }

    private URI internalSSLUri() {
        return URI.create(String.format(Locale.US, "ldaps://%s:%d", container.getHost(), container.getMappedPort(SSL_PORT.intValue())));
    }

    private URI internalSSLUriWithIpAddress() {
        return URI.create(String.format(Locale.US, "ldaps://127.0.0.1:%d", container.getMappedPort(SSL_PORT.intValue())));
    }

    private URI internalUriWithIpAddress() {
        return URI.create(String.format(Locale.US, "ldap://127.0.0.1:%d", container.getMappedPort(SSL_PORT.intValue())));
    }
}
