package org.graylog.security.authservice.ldap;

import com.google.common.collect.ImmutableSet;
import com.unboundid.ldap.sdk.LDAPConnection;
import com.unboundid.ldap.sdk.LDAPException;
import java.net.URI;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.util.Collections;
import java.util.Locale;
import java.util.Set;
import javax.net.ssl.TrustManager;
import org.assertj.core.api.Assertions;
import org.graylog.security.authservice.ldap.LDAPConnectorConfig;
import org.graylog.testing.ldap.LDAPTestUtils;
import org.graylog.testing.ldap.OpenLDAPContainer;
import org.graylog2.security.DefaultX509TrustManager;
import org.graylog2.security.TrustManagerProvider;
import org.graylog2.security.encryption.EncryptedValueService;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.mockito.ArgumentMatchers;
import org.mockito.Mockito;
import org.testcontainers.junit.jupiter.Container;
import org.testcontainers.junit.jupiter.Testcontainers;

@Testcontainers
/* loaded from: input_file:org/graylog/security/authservice/ldap/UnboundLDAPConnectorTestTLSIT.class */
public class UnboundLDAPConnectorTestTLSIT {
    private static final int DEFAULT_TIMEOUT = 60000;
    private static final Set<String> ENABLED_TLS_PROTOCOLS = ImmutableSet.of("TLSv1.2");

    @Container
    private static final OpenLDAPContainer container = OpenLDAPContainer.createWithTLS();
    private TrustManagerProvider trustManagerProvider;
    private UnboundLDAPConnector ldapConnector;
    private final EncryptedValueService encryptedValueService = new EncryptedValueService("1234567890abcdef");

    @BeforeEach
    void setUp() throws KeyStoreException, NoSuchAlgorithmException {
        this.trustManagerProvider = (TrustManagerProvider) Mockito.mock(TrustManagerProvider.class);
        mockTrustManagerWithSystemKeystore();
        this.ldapConnector = new UnboundLDAPConnector(DEFAULT_TIMEOUT, ENABLED_TLS_PROTOCOLS, this.trustManagerProvider, this.encryptedValueService);
    }

    @Test
    void shouldNotConnectViaTLSToSelfSignedCertIfValidationIsRequested() {
        assertConnectionFailure(createStartTLSConfig(true));
    }

    @Test
    void shouldNotConnectViaTLSToCertWithMismatchingCommonNameIfValidationIsRequested() throws Exception {
        mockTrustManagerWithKeystore(singleCA());
        assertConnectionFailure(createConfig(ipURI(), LDAPTransportSecurity.START_TLS, true));
    }

    @Test
    void shouldConnectViaTLSToTrustedCertWithMatchingCommonNameIfValidationIsRequested() throws Exception {
        mockTrustManagerWithKeystore(singleCA());
        assertConnectionSuccess(createConfig(hostnameURI(), LDAPTransportSecurity.START_TLS, true));
    }

    @Test
    void shouldConnectViaTLSToSelfSignedCertIfValidationIsNotRequested() throws Exception {
        assertConnectionSuccess(createStartTLSConfig(false));
    }

    @Test
    void shouldNotConnectViaSSLToSelfSignedCertIfValidationIsRequested() {
        assertConnectionFailure(createTLSConfig(true));
    }

    @Test
    void shouldNotConnectViaSSLToTrustedCertWithMismatchingHostnameIfValidationIsRequested() throws Exception {
        mockTrustManagerWithKeystore(singleCA());
        assertConnectionFailure(createConfig(ipTLSURI(), LDAPTransportSecurity.TLS, true));
    }

    @Test
    void shouldConnectViaSSLToTrustedCertWithMatchingHostnameIfValidationIsRequested() throws Exception {
        mockTrustManagerWithKeystore(singleCA());
        assertConnectionSuccess(createTLSConfig(true));
    }

    @Test
    void shouldConnectViaSSLToSelfSignedCertIfValidationIsNotRequested() throws Exception {
        assertConnectionSuccess(createTLSConfig(false));
    }

    private LDAPConnectorConfig createStartTLSConfig(boolean z) {
        return createConfig(hostnameURI(), LDAPTransportSecurity.START_TLS, z);
    }

    private LDAPConnectorConfig createTLSConfig(boolean z) {
        return createConfig(hostnameTLSURI(), LDAPTransportSecurity.TLS, z);
    }

    private LDAPConnectorConfig createConfig(URI uri, LDAPTransportSecurity lDAPTransportSecurity, boolean z) {
        return LDAPConnectorConfig.builder().systemUsername(container.bindDn()).systemPassword(this.encryptedValueService.encrypt(container.bindPassword())).serverList(Collections.singletonList(LDAPConnectorConfig.LDAPServer.fromUrl(uri.toString()))).transportSecurity(lDAPTransportSecurity).verifyCertificates(z).build();
    }

    private void assertConnectionFailure(LDAPConnectorConfig lDAPConnectorConfig) {
        Assertions.assertThatThrownBy(() -> {
            this.ldapConnector.connect(lDAPConnectorConfig);
        }).isNotNull();
    }

    private void assertConnectionSuccess(LDAPConnectorConfig lDAPConnectorConfig) throws GeneralSecurityException, LDAPException {
        LDAPConnection connect = this.ldapConnector.connect(lDAPConnectorConfig);
        Throwable th = null;
        try {
            try {
                Assertions.assertThat(connect.getLastBindRequest()).isNotNull();
                Assertions.assertThat(connect.isConnected()).isTrue();
                if (lDAPConnectorConfig.transportSecurity() == LDAPTransportSecurity.START_TLS) {
                    Assertions.assertThat(connect.getStartTLSRequest()).isNotNull();
                }
                Assertions.assertThat(connect.getSSLSession()).isNotNull();
                if (connect != null) {
                    if (0 == 0) {
                        connect.close();
                        return;
                    }
                    try {
                        connect.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
            } catch (Throwable th3) {
                th = th3;
                throw th3;
            }
        } catch (Throwable th4) {
            if (connect != null) {
                if (th != null) {
                    try {
                        connect.close();
                    } catch (Throwable th5) {
                        th.addSuppressed(th5);
                    }
                } else {
                    connect.close();
                }
            }
            throw th4;
        }
    }

    private void mockTrustManagerWithSystemKeystore() throws KeyStoreException, NoSuchAlgorithmException {
        mockTrustManagerWithKeystore(null);
    }

    private void mockTrustManagerWithKeystore(KeyStore keyStore) throws KeyStoreException, NoSuchAlgorithmException {
        Mockito.when(this.trustManagerProvider.create(ArgumentMatchers.anyString())).then(invocationOnMock -> {
            return provideTrustManager((String) invocationOnMock.getArgument(0), keyStore);
        });
    }

    private KeyStore singleCA() {
        return LDAPTestUtils.getKeystore("single-ca.jks");
    }

    private TrustManager provideTrustManager(String str, KeyStore keyStore) {
        try {
            return new DefaultX509TrustManager(str, keyStore);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    private URI hostnameURI() {
        return URI.create(String.format(Locale.US, "ldap://%s:%d", container.getHost(), Integer.valueOf(container.ldapPort())));
    }

    private URI hostnameTLSURI() {
        return URI.create(String.format(Locale.US, "ldaps://%s:%d", container.getHost(), Integer.valueOf(container.ldapsPort())));
    }

    private URI ipURI() {
        return URI.create(String.format(Locale.US, "ldap://127.0.0.1:%d", Integer.valueOf(container.ldapPort())));
    }

    private URI ipTLSURI() {
        return URI.create(String.format(Locale.US, "ldaps://127.0.0.1:%d", Integer.valueOf(container.ldapsPort())));
    }
}
