package org.neo4j.driver.v1.integration;

import java.io.BufferedWriter;
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.nio.channels.SocketChannel;
import java.security.cert.X509Certificate;
import org.hamcrest.MatcherAssert;
import org.hamcrest.Matchers;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.TemporaryFolder;
import org.mockito.Mockito;
import org.neo4j.driver.internal.logging.DevNullLogger;
import org.neo4j.driver.internal.net.BoltServerAddress;
import org.neo4j.driver.internal.security.SecurityPlan;
import org.neo4j.driver.internal.security.TLSSocketChannel;
import org.neo4j.driver.internal.security.TrustOnFirstUseTrustManager;
import org.neo4j.driver.internal.util.CertificateTool;
import org.neo4j.driver.v1.Config;
import org.neo4j.driver.v1.Driver;
import org.neo4j.driver.v1.GraphDatabase;
import org.neo4j.driver.v1.Logger;
import org.neo4j.driver.v1.Logging;
import org.neo4j.driver.v1.Session;
import org.neo4j.driver.v1.StatementResult;
import org.neo4j.driver.v1.exceptions.SecurityException;
import org.neo4j.driver.v1.util.CertificateToolTest;
import org.neo4j.driver.v1.util.Neo4jSettings;
import org.neo4j.driver.v1.util.TestNeo4j;

/* loaded from: input_file:org/neo4j/driver/v1/integration/TLSSocketChannelIT.class */
public class TLSSocketChannelIT {

    @Rule
    public TestNeo4j neo4j = new TestNeo4j();

    @Rule
    public TemporaryFolder folder = new TemporaryFolder();

    @BeforeClass
    public static void setup() throws IOException, InterruptedException {
    }

    @Test
    public void shouldPerformTLSHandshakeWithEmptyKnownCertsFile() throws Throwable {
        File createTempFile = File.createTempFile("neo4j_known_hosts", ".tmp");
        createTempFile.deleteOnExit();
        performTLSHandshakeUsingKnownCerts(createTempFile);
    }

    @Test
    public void shouldPerformTLSHandshakeWithTrustedCert() throws Throwable {
        try {
            BoltServerAddress boltServerAddress = BoltServerAddress.LOCAL_DEFAULT;
            File newFile = this.folder.newFile("temp_root_cert.cert");
            File newFile2 = this.folder.newFile("temp_root_key.key");
            CertificateToolTest.SelfSignedCertificateGenerator selfSignedCertificateGenerator = new CertificateToolTest.SelfSignedCertificateGenerator();
            selfSignedCertificateGenerator.saveSelfSignedCertificate(newFile);
            selfSignedCertificateGenerator.savePrivateKey(newFile2);
            File newFile3 = this.folder.newFile("temp_cert.cert");
            File newFile4 = this.folder.newFile("temp_key.key");
            CertificateToolTest.CertificateSigningRequestGenerator certificateSigningRequestGenerator = new CertificateToolTest.CertificateSigningRequestGenerator();
            X509Certificate sign = selfSignedCertificateGenerator.sign(certificateSigningRequestGenerator.certificateSigningRequest(), certificateSigningRequestGenerator.publicKey());
            certificateSigningRequestGenerator.savePrivateKey(newFile4);
            CertificateTool.saveX509Cert(sign, newFile3);
            this.neo4j.updateEncryptionKeyAndCert(newFile4, newFile3);
            Logger logger = (Logger) Mockito.mock(Logger.class);
            SocketChannel open = SocketChannel.open();
            open.connect(boltServerAddress.toSocketAddress());
            TLSSocketChannel.create(boltServerAddress, SecurityPlan.forCustomCASignedCertificates(newFile), open, logger).close();
            ((Logger) Mockito.verify(logger, Mockito.atLeastOnce())).debug("~~ [OPENING SECURE CHANNEL]", new Object[0]);
            this.neo4j.restart();
        } catch (Throwable th) {
            this.neo4j.restart();
            throw th;
        }
    }

    @Test
    public void shouldNotPerformTLSHandshakeWithNonSystemCert() throws Throwable {
        try {
            BoltServerAddress boltServerAddress = BoltServerAddress.LOCAL_DEFAULT;
            installRootCertificate();
            Logger logger = (Logger) Mockito.mock(Logger.class);
            SocketChannel open = SocketChannel.open();
            open.connect(new InetSocketAddress("localhost", 7687));
            TLSSocketChannel tLSSocketChannel = null;
            try {
                try {
                    tLSSocketChannel = TLSSocketChannel.create(boltServerAddress, SecurityPlan.forSystemCASignedCertificates(), open, logger);
                    Assert.fail("Should have thrown exception");
                    if (tLSSocketChannel != null) {
                        tLSSocketChannel.close();
                    }
                } catch (SecurityException e) {
                    MatcherAssert.assertThat(e.getMessage(), Matchers.containsString("General SSLEngine problem"));
                    MatcherAssert.assertThat(getRootCause(e).getMessage(), Matchers.containsString("unable to find valid certification path to requested target"));
                    if (tLSSocketChannel != null) {
                        tLSSocketChannel.close();
                    }
                }
            } catch (Throwable th) {
                if (tLSSocketChannel != null) {
                    tLSSocketChannel.close();
                }
                throw th;
            }
        } finally {
            this.neo4j.restart();
        }
    }

    @Test
    public void shouldFailTLSHandshakeDueToWrongCertInKnownCertsFile() throws Throwable {
        BoltServerAddress boltServerAddress = BoltServerAddress.LOCAL_DEFAULT;
        SocketChannel open = SocketChannel.open();
        open.connect(boltServerAddress.toSocketAddress());
        File createTempFile = File.createTempFile("neo4j_known_hosts", ".tmp");
        createTempFile.deleteOnExit();
        createFakeServerCertPairInKnownCerts(boltServerAddress, createTempFile);
        TLSSocketChannel tLSSocketChannel = null;
        try {
            try {
                tLSSocketChannel = TLSSocketChannel.create(boltServerAddress, SecurityPlan.forTrustOnFirstUse(createTempFile, boltServerAddress, DevNullLogger.DEV_NULL_LOGGER), open, DevNullLogger.DEV_NULL_LOGGER);
                Assert.fail("Should have thrown exception");
                if (tLSSocketChannel != null) {
                    tLSSocketChannel.close();
                }
            } catch (SecurityException e) {
                MatcherAssert.assertThat(e.getMessage(), Matchers.containsString("General SSLEngine problem"));
                MatcherAssert.assertThat(getRootCause(e).getMessage(), Matchers.containsString("If you trust the certificate the server uses now, simply remove the line that starts with"));
                if (tLSSocketChannel != null) {
                    tLSSocketChannel.close();
                }
            }
        } catch (Throwable th) {
            if (tLSSocketChannel != null) {
                tLSSocketChannel.close();
            }
            throw th;
        }
    }

    private void createFakeServerCertPairInKnownCerts(BoltServerAddress boltServerAddress, File file) throws Throwable {
        String boltServerAddress2 = boltServerAddress.toString();
        String fingerprint = TrustOnFirstUseTrustManager.fingerprint(CertificateToolTest.generateSelfSignedCertificate());
        BufferedWriter bufferedWriter = new BufferedWriter(new FileWriter(file, true));
        bufferedWriter.write(boltServerAddress2 + " " + fingerprint);
        bufferedWriter.newLine();
        bufferedWriter.close();
    }

    @Test
    public void shouldFailTLSHandshakeDueToServerCertNotSignedByKnownCA() throws Throwable {
        this.neo4j.restart(Neo4jSettings.TEST_SETTINGS.updateWith(Neo4jSettings.CERT_DIR, this.folder.getRoot().getAbsolutePath().replace("\\", "/")));
        SocketChannel open = SocketChannel.open();
        open.connect(this.neo4j.address().toSocketAddress());
        File newFile = this.folder.newFile("neo4j_trusted_cert.tmp");
        CertificateTool.saveX509Cert(CertificateToolTest.generateSelfSignedCertificate(), newFile);
        TLSSocketChannel tLSSocketChannel = null;
        try {
            try {
                tLSSocketChannel = TLSSocketChannel.create(this.neo4j.address(), SecurityPlan.forCustomCASignedCertificates(newFile), open, (Logger) Mockito.mock(Logger.class));
                Assert.fail("Should have thrown exception");
                if (tLSSocketChannel != null) {
                    tLSSocketChannel.close();
                }
            } catch (SecurityException e) {
                MatcherAssert.assertThat(e.getMessage(), Matchers.containsString("General SSLEngine problem"));
                MatcherAssert.assertThat(getRootCause(e).getMessage(), Matchers.containsString("No trusted certificate found"));
                if (tLSSocketChannel != null) {
                    tLSSocketChannel.close();
                }
            }
        } catch (Throwable th) {
            if (tLSSocketChannel != null) {
                tLSSocketChannel.close();
            }
            throw th;
        }
    }

    private Throwable getRootCause(Throwable th) {
        Throwable th2;
        Throwable th3 = th;
        do {
            th2 = th3;
            th3 = th2.getCause();
        } while (th3 != null);
        return th2;
    }

    @Test
    public void shouldPerformTLSHandshakeWithTheSameTrustedServerCert() throws Throwable {
        BoltServerAddress boltServerAddress = BoltServerAddress.LOCAL_DEFAULT;
        Logger logger = (Logger) Mockito.mock(Logger.class);
        SocketChannel open = SocketChannel.open();
        open.connect(boltServerAddress.toSocketAddress());
        TLSSocketChannel.create(boltServerAddress, SecurityPlan.forCustomCASignedCertificates(this.neo4j.tlsCertFile()), open, logger).close();
        ((Logger) Mockito.verify(logger, Mockito.atLeastOnce())).debug("~~ [OPENING SECURE CHANNEL]", new Object[0]);
    }

    @Test
    public void shouldEstablishTLSConnection() throws Throwable {
        Driver driver = GraphDatabase.driver(this.neo4j.uri(), this.neo4j.authToken(), Config.build().withEncryption().toConfig());
        Throwable th = null;
        try {
            Session session = driver.session();
            Throwable th2 = null;
            try {
                try {
                    StatementResult run = session.run("RETURN 1");
                    Assert.assertEquals(1L, run.next().get(0).asInt());
                    Assert.assertFalse(run.hasNext());
                    if (session != null) {
                        if (0 != 0) {
                            try {
                                session.close();
                            } catch (Throwable th3) {
                                th2.addSuppressed(th3);
                            }
                        } else {
                            session.close();
                        }
                    }
                    if (driver != null) {
                        if (0 == 0) {
                            driver.close();
                            return;
                        }
                        try {
                            driver.close();
                        } catch (Throwable th4) {
                            th.addSuppressed(th4);
                        }
                    }
                } catch (Throwable th5) {
                    th2 = th5;
                    throw th5;
                }
            } catch (Throwable th6) {
                if (session != null) {
                    if (th2 != null) {
                        try {
                            session.close();
                        } catch (Throwable th7) {
                            th2.addSuppressed(th7);
                        }
                    } else {
                        session.close();
                    }
                }
                throw th6;
            }
        } catch (Throwable th8) {
            if (driver != null) {
                if (0 != 0) {
                    try {
                        driver.close();
                    } catch (Throwable th9) {
                        th.addSuppressed(th9);
                    }
                } else {
                    driver.close();
                }
            }
            throw th8;
        }
    }

    @Test
    public void shouldWarnIfUsingDeprecatedTLSOption() throws Throwable {
        Logger logger = (Logger) Mockito.mock(Logger.class);
        Logging logging = (Logging) Mockito.mock(Logging.class);
        Mockito.when(logging.getLog(org.mockito.Matchers.anyString())).thenReturn(logger);
        SocketChannel.open().connect(new InetSocketAddress("localhost", 7687));
        Driver driver = GraphDatabase.driver(this.neo4j.uri(), this.neo4j.authToken(), Config.build().withEncryptionLevel(Config.EncryptionLevel.REQUIRED).withTrustStrategy(Config.TrustStrategy.trustSignedBy(this.neo4j.tlsCertFile())).withLogging(logging).toConfig());
        Throwable th = null;
        try {
            Session session = driver.session();
            Throwable th2 = null;
            try {
                session.run("RETURN 1").consume();
                if (session != null) {
                    if (0 != 0) {
                        try {
                            session.close();
                        } catch (Throwable th3) {
                            th2.addSuppressed(th3);
                        }
                    } else {
                        session.close();
                    }
                }
                ((Logger) Mockito.verify(logger, Mockito.atLeastOnce())).warn("Option `TRUST_SIGNED_CERTIFICATE` has been deprecated and will be removed in a future version of the driver. Please switch to use `TRUST_CUSTOM_CA_SIGNED_CERTIFICATES` instead.", new Object[0]);
            } catch (Throwable th4) {
                if (session != null) {
                    if (0 != 0) {
                        try {
                            session.close();
                        } catch (Throwable th5) {
                            th2.addSuppressed(th5);
                        }
                    } else {
                        session.close();
                    }
                }
                throw th4;
            }
        } finally {
            if (driver != null) {
                if (0 != 0) {
                    try {
                        driver.close();
                    } catch (Throwable th6) {
                        th.addSuppressed(th6);
                    }
                } else {
                    driver.close();
                }
            }
        }
    }

    private void performTLSHandshakeUsingKnownCerts(File file) throws Throwable {
        Logger logger = (Logger) Mockito.mock(Logger.class);
        BoltServerAddress boltServerAddress = BoltServerAddress.LOCAL_DEFAULT;
        SocketChannel open = SocketChannel.open();
        open.connect(boltServerAddress.toSocketAddress());
        TLSSocketChannel.create(boltServerAddress, SecurityPlan.forTrustOnFirstUse(file, boltServerAddress, DevNullLogger.DEV_NULL_LOGGER), open, logger).close();
        ((Logger) Mockito.verify(logger, Mockito.atLeastOnce())).debug("~~ [CLOSED SECURE CHANNEL]", new Object[0]);
    }

    private File installRootCertificate() throws Exception {
        File newFile = this.folder.newFile("temp_root_cert.cert");
        File newFile2 = this.folder.newFile("temp_root_key.key");
        CertificateToolTest.SelfSignedCertificateGenerator selfSignedCertificateGenerator = new CertificateToolTest.SelfSignedCertificateGenerator();
        selfSignedCertificateGenerator.saveSelfSignedCertificate(newFile);
        selfSignedCertificateGenerator.savePrivateKey(newFile2);
        File newFile3 = this.folder.newFile("temp_cert.cert");
        File newFile4 = this.folder.newFile("temp_key.key");
        CertificateToolTest.CertificateSigningRequestGenerator certificateSigningRequestGenerator = new CertificateToolTest.CertificateSigningRequestGenerator();
        X509Certificate sign = selfSignedCertificateGenerator.sign(certificateSigningRequestGenerator.certificateSigningRequest(), certificateSigningRequestGenerator.publicKey());
        certificateSigningRequestGenerator.savePrivateKey(newFile4);
        CertificateTool.saveX509Cert(sign, newFile3);
        this.neo4j.updateEncryptionKeyAndCert(newFile4, newFile3);
        return newFile;
    }
}
