package org.neo4j.ssl;

import io.netty.bootstrap.Bootstrap;
import io.netty.bootstrap.ServerBootstrap;
import io.netty.buffer.ByteBuf;
import io.netty.buffer.ByteBufAllocator;
import io.netty.channel.Channel;
import io.netty.channel.ChannelHandler;
import io.netty.channel.ChannelHandlerContext;
import io.netty.channel.ChannelInitializer;
import io.netty.channel.ChannelOption;
import io.netty.channel.ChannelPipeline;
import io.netty.channel.SimpleChannelInboundHandler;
import io.netty.channel.nio.NioEventLoopGroup;
import io.netty.channel.socket.SocketChannel;
import io.netty.channel.socket.nio.NioServerSocketChannel;
import io.netty.channel.socket.nio.NioSocketChannel;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslHandler;
import io.netty.handler.ssl.SslProvider;
import io.netty.util.concurrent.Future;
import java.io.File;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.security.cert.CertificateException;
import java.util.HashMap;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLException;
import org.apache.commons.lang3.SystemUtils;
import org.hamcrest.Matchers;
import org.junit.After;
import org.junit.Assume;
import org.junit.Rule;
import org.junit.Test;
import org.neo4j.kernel.configuration.Config;
import org.neo4j.kernel.configuration.ssl.SslPolicyConfig;
import org.neo4j.kernel.configuration.ssl.SslPolicyLoader;
import org.neo4j.kernel.configuration.ssl.SslSystemSettings;
import org.neo4j.logging.NullLogProvider;
import org.neo4j.test.assertion.Assert;
import org.neo4j.test.rule.TestDirectory;
import org.neo4j.test.rule.fs.DefaultFileSystemRule;

/* loaded from: input_file:org/neo4j/ssl/SecureCommunicationsTest.class */
public class SecureCommunicationsTest {

    @Rule
    public TestDirectory testDir = TestDirectory.testDirectory();

    @Rule
    public DefaultFileSystemRule fsRule = new DefaultFileSystemRule();
    private SecureServer server;
    private SecureClient client;
    private ByteBuf expected;
    private static final byte[] REQUEST = {1, 2, 3, 4};
    private static final int UNRELATED_ID = 5;
    private static final byte[] RESPONSE = {UNRELATED_ID, 6, 7, 8};

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/neo4j/ssl/SecureCommunicationsTest$Bucket.class */
    public class Bucket extends SimpleChannelInboundHandler<ByteBuf> {
        private final ByteBuf collectedData = ByteBufAllocator.DEFAULT.buffer();

        Bucket() {
        }

        /* JADX INFO: Access modifiers changed from: protected */
        public void channelRead0(ChannelHandlerContext channelHandlerContext, ByteBuf byteBuf) throws Exception {
            this.collectedData.writeBytes(byteBuf);
        }

        public void exceptionCaught(ChannelHandlerContext channelHandlerContext, Throwable th) throws Exception {
        }
    }

    /* loaded from: input_file:org/neo4j/ssl/SecureCommunicationsTest$ClientInitializer.class */
    public class ClientInitializer extends ChannelInitializer<SocketChannel> {
        SslContext sslContext;
        private final Bucket bucket;
        private Future<Channel> handshakeFuture;

        ClientInitializer(SslContext sslContext, Bucket bucket) {
            this.sslContext = sslContext;
            this.bucket = bucket;
        }

        /* JADX INFO: Access modifiers changed from: protected */
        public void initChannel(SocketChannel socketChannel) throws Exception {
            ChannelPipeline pipeline = socketChannel.pipeline();
            SSLEngine newEngine = this.sslContext.newEngine(socketChannel.alloc());
            newEngine.setUseClientMode(true);
            ChannelHandler sslHandler = new SslHandler(newEngine);
            this.handshakeFuture = sslHandler.handshakeFuture();
            pipeline.addLast(new ChannelHandler[]{sslHandler});
            pipeline.addLast(new ChannelHandler[]{this.bucket});
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/neo4j/ssl/SecureCommunicationsTest$Responder.class */
    public class Responder extends SimpleChannelInboundHandler<ByteBuf> {
        private Responder() {
        }

        /* JADX INFO: Access modifiers changed from: protected */
        public void channelRead0(ChannelHandlerContext channelHandlerContext, ByteBuf byteBuf) throws Exception {
            channelHandlerContext.channel().writeAndFlush(channelHandlerContext.alloc().buffer().writeBytes(SecureCommunicationsTest.RESPONSE));
        }

        public void exceptionCaught(ChannelHandlerContext channelHandlerContext, Throwable th) throws Exception {
        }
    }

    /* loaded from: input_file:org/neo4j/ssl/SecureCommunicationsTest$SecureClient.class */
    private class SecureClient {
        ClientInitializer clientInitializer;
        Bootstrap bootstrap;
        NioEventLoopGroup eventLoopGroup = new NioEventLoopGroup();
        Channel channel;
        Bucket bucket;

        SecureClient(SslContext sslContext) {
            this.bucket = new Bucket();
            this.clientInitializer = new ClientInitializer(sslContext, this.bucket);
            this.bootstrap = new Bootstrap().group(this.eventLoopGroup).channel(NioSocketChannel.class).handler(this.clientInitializer);
        }

        void connect(int i) {
            this.channel = this.bootstrap.connect("localhost", i).awaitUninterruptibly().channel();
        }

        void disconnect() {
            if (this.channel != null) {
                this.channel.close().awaitUninterruptibly();
                this.eventLoopGroup.shutdownGracefully(0L, 0L, TimeUnit.SECONDS);
            }
            this.bucket.collectedData.release();
        }

        void assertResponse(ByteBuf byteBuf) throws InterruptedException {
            Assert.assertEventually(this.channel.toString(), () -> {
                return this.bucket.collectedData;
            }, Matchers.equalTo(byteBuf), 5L, TimeUnit.SECONDS);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/neo4j/ssl/SecureCommunicationsTest$SecureServer.class */
    public class SecureServer {
        SslContext sslContext;
        Channel channel;
        NioEventLoopGroup eventLoopGroup;

        SecureServer(SslContext sslContext) {
            this.sslContext = sslContext;
        }

        /* JADX INFO: Access modifiers changed from: private */
        public void start() {
            this.eventLoopGroup = new NioEventLoopGroup();
            this.channel = new ServerBootstrap().group(this.eventLoopGroup).channel(NioServerSocketChannel.class).option(ChannelOption.SO_REUSEADDR, true).localAddress(0).childHandler(new ChannelInitializer<SocketChannel>() { // from class: org.neo4j.ssl.SecureCommunicationsTest.SecureServer.1
                /* JADX INFO: Access modifiers changed from: protected */
                public void initChannel(SocketChannel socketChannel) throws Exception {
                    ChannelPipeline pipeline = socketChannel.pipeline();
                    SSLEngine newEngine = SecureServer.this.sslContext.newEngine(socketChannel.alloc());
                    newEngine.setNeedClientAuth(true);
                    pipeline.addLast(new ChannelHandler[]{new SslHandler(newEngine)});
                    pipeline.addLast(new ChannelHandler[]{new Responder()});
                }
            }).bind().syncUninterruptibly().channel();
        }

        /* JADX INFO: Access modifiers changed from: private */
        public void stop() {
            this.channel.close().awaitUninterruptibly();
            this.channel = null;
            this.eventLoopGroup.shutdownGracefully(0L, 0L, TimeUnit.SECONDS);
        }

        /* JADX INFO: Access modifiers changed from: private */
        public int port() {
            return ((InetSocketAddress) this.channel.localAddress()).getPort();
        }
    }

    @After
    public void cleanup() {
        if (this.expected != null) {
            this.expected.release();
        }
        if (this.client != null) {
            this.client.disconnect();
        }
        if (this.server != null) {
            this.server.stop();
        }
    }

    @Test
    public void partiesWithMutualTrustShouldCommunicate() throws Exception {
        SslResource install = SslResourceBuilder.selfSignedKeyId(0).trustKeyId(1).install(this.testDir.directory("server"));
        SslResource install2 = SslResourceBuilder.selfSignedKeyId(1).trustKeyId(0).install(this.testDir.directory("client"));
        this.server = new SecureServer(makeSslContext(install, true));
        this.server.start();
        this.client = new SecureClient(makeSslContext(install2, false));
        this.client.connect(this.server.port());
        this.client.channel.writeAndFlush(ByteBufAllocator.DEFAULT.buffer().writeBytes(REQUEST));
        this.expected = ByteBufAllocator.DEFAULT.buffer().writeBytes(RESPONSE);
        this.client.clientInitializer.handshakeFuture.get();
        this.client.assertResponse(this.expected);
    }

    @Test
    public void partiesWithMutualTrustThroughCAShouldCommunicate() throws Exception {
        SslResource install = SslResourceBuilder.caSignedKeyId(0).trustSignedByCA().install(this.testDir.directory("server"));
        SslResource install2 = SslResourceBuilder.caSignedKeyId(1).trustSignedByCA().install(this.testDir.directory("client"));
        this.server = new SecureServer(makeSslContext(install, true));
        this.server.start();
        this.client = new SecureClient(makeSslContext(install2, false));
        this.client.connect(this.server.port());
        this.client.channel.writeAndFlush(ByteBufAllocator.DEFAULT.buffer().writeBytes(REQUEST));
        this.expected = ByteBufAllocator.DEFAULT.buffer().writeBytes(RESPONSE);
        this.client.clientInitializer.handshakeFuture.get();
        this.client.assertResponse(this.expected);
    }

    @Test
    public void serverShouldNotCommunicateWithUntrustedClient() throws Exception {
        SslResource install = SslResourceBuilder.selfSignedKeyId(1).trustKeyId(0).install(this.testDir.directory("client"));
        this.server = new SecureServer(makeSslContext(SslResourceBuilder.selfSignedKeyId(0).trustKeyId(UNRELATED_ID).install(this.testDir.directory("server")), true));
        this.server.start();
        this.client = new SecureClient(makeSslContext(install, false));
        this.client.connect(this.server.port());
        try {
            this.client.clientInitializer.handshakeFuture.get();
            org.junit.Assert.fail();
        } catch (ExecutionException e) {
            org.junit.Assert.assertThat(e.getCause(), Matchers.instanceOf(SSLException.class));
        }
    }

    @Test
    public void clientShouldNotCommunicateWithUntrustedServer() throws Exception {
        SslResource install = SslResourceBuilder.selfSignedKeyId(0).trustKeyId(UNRELATED_ID).install(this.testDir.directory("client"));
        this.server = new SecureServer(makeSslContext(SslResourceBuilder.selfSignedKeyId(1).trustKeyId(0).install(this.testDir.directory("server")), true));
        this.server.start();
        this.client = new SecureClient(makeSslContext(install, false));
        this.client.connect(this.server.port());
        try {
            this.client.clientInitializer.handshakeFuture.get();
            org.junit.Assert.fail();
        } catch (ExecutionException e) {
            org.junit.Assert.assertThat(e.getCause(), Matchers.instanceOf(SSLException.class));
        }
    }

    @Test
    public void partiesWithMutualTrustThroughCAShouldNotCommunicateWhenServerRevoked() throws Exception {
        SslResource install = SslResourceBuilder.caSignedKeyId(0).trustSignedByCA().install(this.testDir.directory("server"));
        SslResource install2 = SslResourceBuilder.caSignedKeyId(1).trustSignedByCA().revoke(0).install(this.testDir.directory("client"));
        this.server = new SecureServer(makeSslContext(install, true));
        this.server.start();
        this.client = new SecureClient(makeSslContext(install2, false));
        this.client.connect(this.server.port());
        try {
            this.client.clientInitializer.handshakeFuture.get();
            org.junit.Assert.fail("Server should have been revoked");
        } catch (ExecutionException e) {
            org.junit.Assert.assertThat(e.getCause(), Matchers.instanceOf(SSLException.class));
        }
    }

    @Test
    public void partiesWithMutualTrustThroughCAShouldNotCommunicateWhenClientRevoked() throws Exception {
        SslResource install = SslResourceBuilder.caSignedKeyId(0).trustSignedByCA().revoke(1).install(this.testDir.directory("server"));
        SslResource install2 = SslResourceBuilder.caSignedKeyId(1).trustSignedByCA().install(this.testDir.directory("client"));
        this.server = new SecureServer(makeSslContext(install, true));
        this.server.start();
        this.client = new SecureClient(makeSslContext(install2, false));
        this.client.connect(this.server.port());
        try {
            this.client.clientInitializer.handshakeFuture.get();
            org.junit.Assert.fail("Client should have been revoked");
        } catch (ExecutionException e) {
            org.junit.Assert.assertThat(e.getCause(), Matchers.instanceOf(SSLException.class));
        }
    }

    @Test
    public void shouldSupportOpenSSLOnSupportedPlatforms() throws Exception {
        Assume.assumeTrue(SystemUtils.IS_OS_WINDOWS || SystemUtils.IS_OS_LINUX || SystemUtils.IS_OS_MAC_OSX);
        Assume.assumeThat(System.getProperty("os.arch"), Matchers.equalTo("x86_64"));
        Assume.assumeThat(SystemUtils.JAVA_VENDOR, Matchers.isOneOf(new String[]{"Oracle Corporation", "Sun Microsystems Inc."}));
        SslResource install = SslResourceBuilder.selfSignedKeyId(0).trustKeyId(1).install(this.testDir.directory("server"));
        SslResource install2 = SslResourceBuilder.selfSignedKeyId(1).trustKeyId(0).install(this.testDir.directory("client"));
        this.server = new SecureServer(makeSslContext(install, true, SslProvider.OPENSSL.name()));
        this.server.start();
        this.client = new SecureClient(makeSslContext(install2, false, SslProvider.OPENSSL.name()));
        this.client.connect(this.server.port());
        this.client.channel.writeAndFlush(ByteBufAllocator.DEFAULT.buffer().writeBytes(REQUEST));
        this.expected = ByteBufAllocator.DEFAULT.buffer().writeBytes(RESPONSE);
        this.client.clientInitializer.handshakeFuture.get();
        this.client.assertResponse(this.expected);
    }

    private SslContext makeSslContext(SslResource sslResource, boolean z) throws CertificateException, IOException {
        return makeSslContext(sslResource, z, SslProvider.JDK.name());
    }

    private SslContext makeSslContext(SslResource sslResource, boolean z, String str) throws CertificateException, IOException {
        HashMap hashMap = new HashMap();
        hashMap.put(SslSystemSettings.netty_ssl_provider.name(), str);
        SslPolicyConfig sslPolicyConfig = new SslPolicyConfig("default");
        File parentFile = sslResource.privateKey().getParentFile();
        new File(parentFile, "trusted").mkdirs();
        new File(parentFile, "revoked").mkdirs();
        hashMap.put(sslPolicyConfig.base_directory.name(), parentFile.getPath());
        hashMap.put(sslPolicyConfig.private_key.name(), sslResource.privateKey().getPath());
        hashMap.put(sslPolicyConfig.public_certificate.name(), sslResource.publicCertificate().getPath());
        hashMap.put(sslPolicyConfig.trusted_dir.name(), sslResource.trustedDirectory().getPath());
        hashMap.put(sslPolicyConfig.revoked_dir.name(), sslResource.revokedDirectory().getPath());
        SslPolicy policy = SslPolicyLoader.create(Config.serverDefaults(hashMap), NullLogProvider.getInstance()).getPolicy("default");
        return z ? policy.nettyServerContext() : policy.nettyClientContext();
    }
}
