package org.neo4j.ssl;

import io.netty.buffer.ByteBuf;
import io.netty.buffer.ByteBufAllocator;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLException;
import org.hamcrest.Matchers;
import org.junit.After;
import org.junit.Assert;
import org.junit.Rule;
import org.junit.Test;
import org.neo4j.test.rule.TestDirectory;
import org.neo4j.test.rule.fs.DefaultFileSystemRule;

/* loaded from: input_file:org/neo4j/ssl/SslTrustTest.class */
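/**
 * Exercises certificate trust decisions between a {@link SecureServer} and a {@link SecureClient}.
 *
 * <p>Each test installs one {@link SslResource} per party into its own test directory, builds an
 * SSL context from it with {@link SslContextFactory#makeSslContext}, and then either expects a
 * request/response round trip to succeed or the client's handshake future to fail with an
 * {@link SSLException}. Covered configurations: direct trust of self-signed keys, trust through
 * a CA, a party trusting only an unrelated key, and a CA-signed peer marked as revoked on the
 * other side.
 */
public class SslTrustTest {
    // Key id that no party in these tests uses as its own key (the parties use ids 0 and 1),
    // so trusting it means trusting neither of them.
    private static final int UNRELATED_ID = 5;
    private static final byte[] REQUEST = {1, 2, 3, 4};
    // Upper bound for waiting on the handshake; a timeout surfaces as a test error, not a pass.
    private static final long HANDSHAKE_TIMEOUT_MINUTES = 1L;

    @Rule
    public TestDirectory testDir = TestDirectory.testDirectory();

    // Not referenced directly by the tests in this class; kept as a JUnit rule.
    @Rule
    public DefaultFileSystemRule fsRule = new DefaultFileSystemRule();
    private SecureServer server;
    private SecureClient client;
    private ByteBuf expected;

    /**
     * Releases the expected-response buffer and shuts down both endpoints.
     *
     * <p>Every field is null-checked because a test can fail before it has been assigned.
     */
    @After
    public void cleanup() {
        if (this.expected != null) {
            this.expected.release();
        }
        if (this.client != null) {
            this.client.disconnect();
        }
        if (this.server != null) {
            this.server.stop();
        }
    }

    /** Server (key 0) and client (key 1) each trust the other's self-signed key directly. */
    @Test
    public void partiesWithMutualTrustShouldCommunicate() throws Exception {
        SslResource serverResource = SslResourceBuilder.selfSignedKeyId(0).trustKeyId(1).install(this.testDir.directory("server"));
        SslResource clientResource = SslResourceBuilder.selfSignedKeyId(1).trustKeyId(0).install(this.testDir.directory("client"));
        startServerAndConnect(serverResource, clientResource);
        assertRequestIsAnswered();
    }

    /** Both parties hold CA-signed keys and trust whatever the CA has signed. */
    @Test
    public void partiesWithMutualTrustThroughCAShouldCommunicate() throws Exception {
        SslResource serverResource = SslResourceBuilder.caSignedKeyId(0).trustSignedByCA().install(this.testDir.directory("server"));
        SslResource clientResource = SslResourceBuilder.caSignedKeyId(1).trustSignedByCA().install(this.testDir.directory("client"));
        startServerAndConnect(serverResource, clientResource);
        assertRequestIsAnswered();
    }

    /** The client trusts the server's key, but the server trusts only an unrelated key. */
    @Test
    public void serverShouldNotCommunicateWithUntrustedClient() throws Exception {
        SslResource clientResource = SslResourceBuilder.selfSignedKeyId(1).trustKeyId(0).install(this.testDir.directory("client"));
        SslResource serverResource = SslResourceBuilder.selfSignedKeyId(0).trustKeyId(UNRELATED_ID).install(this.testDir.directory("server"));
        startServerAndConnect(serverResource, clientResource);
        assertHandshakeFails("Handshake should have failed: server does not trust the client's key");
    }

    /** The server trusts key 0, but the client (which holds key 0) trusts only an unrelated key. */
    @Test
    public void clientShouldNotCommunicateWithUntrustedServer() throws Exception {
        SslResource clientResource = SslResourceBuilder.selfSignedKeyId(0).trustKeyId(UNRELATED_ID).install(this.testDir.directory("client"));
        SslResource serverResource = SslResourceBuilder.selfSignedKeyId(1).trustKeyId(0).install(this.testDir.directory("server"));
        startServerAndConnect(serverResource, clientResource);
        assertHandshakeFails("Handshake should have failed: client does not trust the server's key");
    }

    /** CA-based trust on both sides, with the server's key id (0) revoked in the client's resource. */
    @Test
    public void partiesWithMutualTrustThroughCAShouldNotCommunicateWhenServerRevoked() throws Exception {
        SslResource serverResource = SslResourceBuilder.caSignedKeyId(0).trustSignedByCA().install(this.testDir.directory("server"));
        SslResource clientResource = SslResourceBuilder.caSignedKeyId(1).trustSignedByCA().revoke(0).install(this.testDir.directory("client"));
        startServerAndConnect(serverResource, clientResource);
        assertHandshakeFails("Server should have been revoked");
    }

    /** CA-based trust on both sides, with the client's key id (1) revoked in the server's resource. */
    @Test
    public void partiesWithMutualTrustThroughCAShouldNotCommunicateWhenClientRevoked() throws Exception {
        SslResource serverResource = SslResourceBuilder.caSignedKeyId(0).trustSignedByCA().revoke(1).install(this.testDir.directory("server"));
        SslResource clientResource = SslResourceBuilder.caSignedKeyId(1).trustSignedByCA().install(this.testDir.directory("client"));
        startServerAndConnect(serverResource, clientResource);
        assertHandshakeFails("Client should have been revoked");
    }

    /**
     * Starts the server with {@code serverResource} and connects a client built from
     * {@code clientResource} to the server's port.
     *
     * <p>Both endpoints are stored in fields so that {@link #cleanup()} can shut them down. As
     * used here, {@code makeSslContext} receives {@code true} for the server side and
     * {@code false} for the client side.
     */
    private void startServerAndConnect(SslResource serverResource, SslResource clientResource) throws Exception {
        this.server = new SecureServer(SslContextFactory.makeSslContext(serverResource, true));
        this.server.start();
        this.client = new SecureClient(SslContextFactory.makeSslContext(clientResource, false));
        this.client.connect(this.server.port());
    }

    /**
     * Sends {@link #REQUEST}, waits for the handshake to complete and asserts that the client
     * receives {@code SecureServer.RESPONSE}.
     *
     * <p>The expected buffer is stored in a field so that {@link #cleanup()} releases it even
     * when an assertion fails.
     */
    private void assertRequestIsAnswered() throws Exception {
        this.client.channel().writeAndFlush(ByteBufAllocator.DEFAULT.buffer().writeBytes(REQUEST));
        this.expected = ByteBufAllocator.DEFAULT.buffer().writeBytes(SecureServer.RESPONSE);
        this.client.sslHandshakeFuture().get(HANDSHAKE_TIMEOUT_MINUTES, TimeUnit.MINUTES);
        this.client.assertResponse(this.expected);
    }

    /**
     * Asserts that the client's handshake future fails and that the failure is caused by an
     * {@link SSLException}; a handshake that completes fails the test with {@code failureMessage}.
     *
     * <p>Only the cause type is checked, so any SSL failure satisfies the assertion, not just a
     * trust or revocation rejection.
     *
     * <p>NOTE(review): this observes the client side only. Under TLS 1.3 a client can consider
     * its handshake complete before the server has validated the client certificate, so the
     * server-rejects-client cases may need to observe the failure on a later read if the
     * context negotiates TLS 1.3 - confirm against SslContextFactory.
     */
    private void assertHandshakeFails(String failureMessage) throws Exception {
        try {
            this.client.sslHandshakeFuture().get(HANDSHAKE_TIMEOUT_MINUTES, TimeUnit.MINUTES);
        } catch (ExecutionException e) {
            Assert.assertThat(e.getCause(), Matchers.instanceOf(SSLException.class));
            return;
        }
        // Reaching this point means an untrusted or revoked peer was accepted.
        Assert.fail(failureMessage);
    }
}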
