package org.neo4j.driver.v1.integration;

import java.io.BufferedWriter;
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.URI;
import java.nio.channels.SocketChannel;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLHandshakeException;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.TemporaryFolder;
import org.mockito.Mockito;
import org.neo4j.driver.internal.connector.socket.TLSSocketChannel;
import org.neo4j.driver.internal.connector.socket.TrustOnFirstUseTrustManager;
import org.neo4j.driver.internal.spi.Logger;
import org.neo4j.driver.internal.util.CertificateTool;
import org.neo4j.driver.v1.Config;
import org.neo4j.driver.v1.Driver;
import org.neo4j.driver.v1.GraphDatabase;
import org.neo4j.driver.v1.StatementResult;
import org.neo4j.driver.v1.util.CertificateToolTest;
import org.neo4j.driver.v1.util.Neo4jRunner;
import org.neo4j.driver.v1.util.Neo4jSettings;
import org.neo4j.driver.v1.util.TestNeo4j;

/* loaded from: input_file:org/neo4j/driver/v1/integration/TLSSocketChannelIT.class */
public class TLSSocketChannelIT {

    @Rule
    public TestNeo4j neo4j = new TestNeo4j();

    @Rule
    public TemporaryFolder folder = new TemporaryFolder();

    @BeforeClass
    public static void setup() throws IOException, InterruptedException {
    }

    @Test
    public void shouldPerformTLSHandshakeWithEmptyKnownCertsFile() throws Throwable {
        File createTempFile = File.createTempFile("neo4j_known_hosts", ".tmp");
        createTempFile.deleteOnExit();
        performTLSHandshakeUsingKnownCerts(createTempFile);
    }

    private void performTLSHandshakeUsingKnownCerts(File file) throws Throwable {
        Logger logger = (Logger) Mockito.mock(Logger.class);
        SocketChannel open = SocketChannel.open();
        open.connect(new InetSocketAddress("localhost", 7687));
        new TLSSocketChannel("localhost", 7687, open, logger, Config.TrustStrategy.trustOnFirstUse(file)).close();
        ((Logger) Mockito.verify(logger, Mockito.atLeastOnce())).debug("TLS connection enabled", new Object[0]);
        ((Logger) Mockito.verify(logger, Mockito.atLeastOnce())).debug("TLS connection established", new Object[0]);
        ((Logger) Mockito.verify(logger, Mockito.atLeastOnce())).debug("TLS connection closed", new Object[0]);
    }

    @Test
    public void shouldPerformTLSHandshakeWithTrustedCert() throws Throwable {
        try {
            File newFile = this.folder.newFile("temp_root_cert.cert");
            File newFile2 = this.folder.newFile("temp_root_key.key");
            CertificateToolTest.SelfSignedCertificateGenerator selfSignedCertificateGenerator = new CertificateToolTest.SelfSignedCertificateGenerator();
            selfSignedCertificateGenerator.saveSelfSignedCertificate(newFile);
            selfSignedCertificateGenerator.savePrivateKey(newFile2);
            File newFile3 = this.folder.newFile("temp_cert.cert");
            File newFile4 = this.folder.newFile("temp_key.key");
            CertificateToolTest.CertificateSigningRequestGenerator certificateSigningRequestGenerator = new CertificateToolTest.CertificateSigningRequestGenerator();
            X509Certificate sign = selfSignedCertificateGenerator.sign(certificateSigningRequestGenerator.certificateSigningRequest(), certificateSigningRequestGenerator.publicKey());
            certificateSigningRequestGenerator.savePrivateKey(newFile4);
            CertificateTool.saveX509Cert(sign, newFile3);
            this.neo4j.updateEncryptionKeyAndCert(newFile4, newFile3);
            Logger logger = (Logger) Mockito.mock(Logger.class);
            SocketChannel open = SocketChannel.open();
            open.connect(new InetSocketAddress("localhost", 7687));
            new TLSSocketChannel("localhost", 7687, open, logger, Config.TrustStrategy.trustSignedBy(newFile)).close();
            ((Logger) Mockito.verify(logger, Mockito.atLeastOnce())).debug("TLS connection enabled", new Object[0]);
            ((Logger) Mockito.verify(logger, Mockito.atLeastOnce())).debug("TLS connection established", new Object[0]);
            ((Logger) Mockito.verify(logger, Mockito.atLeastOnce())).debug("TLS connection closed", new Object[0]);
            this.neo4j.restartServerOnEmptyDatabase(Neo4jSettings.DEFAULT);
        } catch (Throwable th) {
            this.neo4j.restartServerOnEmptyDatabase(Neo4jSettings.DEFAULT);
            throw th;
        }
    }

    @Test
    public void shouldFailTLSHandshakeDueToWrongCertInKnownCertsFile() throws Throwable {
        SocketChannel open = SocketChannel.open();
        open.connect(new InetSocketAddress("localhost", 7687));
        File createTempFile = File.createTempFile("neo4j_known_hosts", ".tmp");
        createTempFile.deleteOnExit();
        createFakeServerCertPairInKnownCerts("localhost", 7687, createTempFile);
        TLSSocketChannel tLSSocketChannel = null;
        try {
            try {
                tLSSocketChannel = new TLSSocketChannel("localhost", 7687, open, (Logger) Mockito.mock(Logger.class), Config.TrustStrategy.trustOnFirstUse(createTempFile));
                tLSSocketChannel.close();
                if (tLSSocketChannel != null) {
                    tLSSocketChannel.close();
                }
            } catch (SSLHandshakeException e) {
                Assert.assertEquals("General SSLEngine problem", e.getMessage());
                Assert.assertEquals("General SSLEngine problem", e.getCause().getMessage());
                Assert.assertTrue(e.getCause().getCause().getMessage().contains("If you trust the certificate the server uses now, simply remove the line that starts with"));
                if (tLSSocketChannel != null) {
                    tLSSocketChannel.close();
                }
            }
        } catch (Throwable th) {
            if (tLSSocketChannel != null) {
                tLSSocketChannel.close();
            }
            throw th;
        }
    }

    private void createFakeServerCertPairInKnownCerts(String str, int i, File file) throws Throwable {
        String str2 = InetAddress.getByName(str).getHostAddress() + ":" + i;
        String fingerprint = TrustOnFirstUseTrustManager.fingerprint(CertificateToolTest.generateSelfSignedCertificate());
        BufferedWriter bufferedWriter = new BufferedWriter(new FileWriter(file, true));
        bufferedWriter.write(str2 + "," + fingerprint);
        bufferedWriter.newLine();
        bufferedWriter.close();
    }

    @Test
    public void shouldFailTLSHandshakeDueToServerCertNotSignedByKnownCA() throws Throwable {
        this.neo4j.restartServerOnEmptyDatabase(Neo4jSettings.DEFAULT.updateWith(Neo4jSettings.CERT_DIR, this.folder.getRoot().getAbsolutePath().replace("\\", "/")));
        SocketChannel open = SocketChannel.open();
        open.connect(new InetSocketAddress("localhost", 7687));
        File newFile = this.folder.newFile("neo4j_trusted_cert.tmp");
        CertificateTool.saveX509Cert(CertificateToolTest.generateSelfSignedCertificate(), newFile);
        TLSSocketChannel tLSSocketChannel = null;
        try {
            try {
                tLSSocketChannel = new TLSSocketChannel("localhost", 7687, open, (Logger) Mockito.mock(Logger.class), Config.TrustStrategy.trustSignedBy(newFile));
                tLSSocketChannel.close();
                if (tLSSocketChannel != null) {
                    tLSSocketChannel.close();
                }
            } catch (SSLHandshakeException e) {
                Assert.assertEquals("General SSLEngine problem", e.getMessage());
                Assert.assertEquals("General SSLEngine problem", e.getCause().getMessage());
                Assert.assertEquals("No trusted certificate found", e.getCause().getCause().getMessage());
                if (tLSSocketChannel != null) {
                    tLSSocketChannel.close();
                }
            }
        } catch (Throwable th) {
            if (tLSSocketChannel != null) {
                tLSSocketChannel.close();
            }
            throw th;
        }
    }

    @Test
    public void shouldPerformTLSHandshakeWithTheSameTrustedServerCert() throws Throwable {
        Logger logger = (Logger) Mockito.mock(Logger.class);
        SocketChannel open = SocketChannel.open();
        open.connect(new InetSocketAddress("localhost", 7687));
        new TLSSocketChannel("localhost", 7687, open, logger, Config.TrustStrategy.trustSignedBy(Neo4jSettings.DEFAULT_TLS_CERT_FILE)).close();
        ((Logger) Mockito.verify(logger, Mockito.atLeastOnce())).debug("TLS connection enabled", new Object[0]);
        ((Logger) Mockito.verify(logger, Mockito.atLeastOnce())).debug("TLS connection established", new Object[0]);
        ((Logger) Mockito.verify(logger, Mockito.atLeastOnce())).debug("TLS connection closed", new Object[0]);
    }

    @Test
    public void shouldEstablishTLSConnection() throws Throwable {
        Driver driver = GraphDatabase.driver(URI.create(Neo4jRunner.DEFAULT_URL), Config.build().withEncryptionLevel(Config.EncryptionLevel.REQUIRED).toConfig());
        StatementResult run = driver.session().run("RETURN 1");
        Assert.assertEquals(1L, run.next().get(0).asInt());
        Assert.assertFalse(run.hasNext());
        driver.close();
    }
}
