package org.neo4j.ssl;

import io.netty.buffer.ByteBuf;
import io.netty.buffer.ByteBufAllocator;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.Objects;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.bouncycastle.operator.OperatorCreationException;
import org.hamcrest.core.IsCollectionContaining;
import org.junit.Assert;
import org.junit.Rule;
import org.junit.Test;
import org.neo4j.kernel.configuration.Config;
import org.neo4j.kernel.configuration.ssl.SslPolicyLoader;
import org.neo4j.logging.FormattedLogProvider;
import org.neo4j.logging.Level;
import org.neo4j.logging.LogProvider;
import org.neo4j.test.rule.TestDirectory;

/* loaded from: input_file:org/neo4j/ssl/SslPolicyLoaderIT.class */
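/**
 * Integration tests for hostname verification in SSL policies obtained from {@link SslPolicyLoader}.
 *
 * <p>Each test builds one server-side and one client-side {@link Config} via
 * {@code HostnameVerificationHelper.aConfig(hostname, testDirectory)}, makes the two sides trust each
 * other, and then runs a TLS handshake between a {@code SecureServer} and a {@code SecureClient}.
 * NOTE(review): the helper presumably issues a certificate for the given hostname and enables
 * hostname verification on {@code POLICY_NAME}; it is defined outside this file, so confirm there.
 */
public class SslPolicyLoaderIT {

    @Rule
    public TestDirectory testDirectory = TestDirectory.testDirectory();
    private static final LogProvider LOG_PROVIDER = FormattedLogProvider.withDefaultLogLevel(Level.DEBUG).toOutputStream(System.out);

    /**
     * A client must refuse a server whose certificate does not name the host the client expects.
     *
     * <p>The only passing outcome is an {@link ExecutionException} from the handshake future whose
     * cause chain carries the hostname-mismatch message. A completed handshake or a timeout fails the
     * test: either one means the rejection was not observed, and a test that stays green in that
     * situation would hide a regression in hostname verification.
     */
    @Test
    public void certificatesWithInvalidCommonNameAreRejected() throws GeneralSecurityException, IOException, OperatorCreationException, InterruptedException {
        // Server side is configured with a name other than "localhost"; the expected error text
        // below shows that the client checks the certificate against "localhost".
        Config serverConfig = HostnameVerificationHelper.aConfig("invalid-not-localhost", this.testDirectory);
        Config clientConfig = HostnameVerificationHelper.aConfig("localhost", this.testDirectory);
        HostnameVerificationHelper.trust(serverConfig, clientConfig);
        HostnameVerificationHelper.trust(clientConfig, serverConfig);
        SslPolicy serverPolicy = SslPolicyLoader.create(serverConfig, LOG_PROVIDER).getPolicy(HostnameVerificationHelper.POLICY_NAME);
        SslPolicy clientPolicy = SslPolicyLoader.create(clientConfig, LOG_PROVIDER).getPolicy(HostnameVerificationHelper.POLICY_NAME);
        SecureServer secureServer = new SecureServer(serverPolicy);
        secureServer.start();
        try {
            SecureClient secureClient = new SecureClient(clientPolicy);
            secureClient.connect(secureServer.port());
            secureClient.sslHandshakeFuture().get(1L, TimeUnit.MINUTES);
            // Reaching this line means the mismatching certificate was accepted.
            Assert.fail("TLS handshake completed although the server certificate does not match the expected hostname");
        } catch (ExecutionException e) {
            Assert.assertThat(
                    causes(e).map(Throwable::getMessage).collect(Collectors.toList()),
                    IsCollectionContaining.hasItem("No subject alternative DNS name matching localhost found."));
        } catch (TimeoutException e) {
            // A handshake that never finishes proves nothing about rejection; surface it as a failure
            // instead of printing the stack trace and passing.
            throw new AssertionError("TLS handshake neither completed nor failed within one minute", e);
        } finally {
            secureServer.stop();
        }
    }

    /**
     * The handshake succeeds and data flows when the server is configured for "localhost".
     * The client's own configured name ("invalid-localhost") is expected not to matter here.
     */
    @Test
    public void normalBehaviourIfServerCertificateMatchesClientExpectation() throws GeneralSecurityException, IOException, OperatorCreationException, InterruptedException, TimeoutException, ExecutionException {
        Config serverConfig = HostnameVerificationHelper.aConfig("localhost", this.testDirectory);
        Config clientConfig = HostnameVerificationHelper.aConfig("invalid-localhost", this.testDirectory);
        HostnameVerificationHelper.trust(serverConfig, clientConfig);
        HostnameVerificationHelper.trust(clientConfig, serverConfig);
        SslPolicy serverPolicy = SslPolicyLoader.create(serverConfig, LOG_PROVIDER).getPolicy(HostnameVerificationHelper.POLICY_NAME);
        SslPolicy clientPolicy = SslPolicyLoader.create(clientConfig, LOG_PROVIDER).getPolicy(HostnameVerificationHelper.POLICY_NAME);
        SecureServer secureServer = new SecureServer(serverPolicy);
        secureServer.start();
        clientCanCommunicateWithServer(new SecureClient(clientPolicy), secureServer);
    }

    /**
     * Pins the behaviour of the "legacy" policy: both sides are configured with a non-matching name
     * and the connection is still expected to succeed, i.e. no hostname check is applied.
     *
     * <p>Security caveat: under this policy a peer is accepted on certificate trust alone, so any
     * trusted certificate is accepted regardless of the host it was issued for. Deployments that
     * need the certificate bound to the peer's hostname should not rely on the legacy policy.
     */
    @Test
    public void legacyPolicyDoesNotHaveHostnameVerification() throws GeneralSecurityException, IOException, OperatorCreationException, InterruptedException, TimeoutException, ExecutionException {
        Config serverConfig = HostnameVerificationHelper.aConfig("invalid-localhost", this.testDirectory);
        Config clientConfig = HostnameVerificationHelper.aConfig("invalid-localhost", this.testDirectory);
        HostnameVerificationHelper.trust(serverConfig, clientConfig);
        HostnameVerificationHelper.trust(clientConfig, serverConfig);
        SslPolicy serverPolicy = SslPolicyLoader.create(serverConfig, LOG_PROVIDER).getPolicy("legacy");
        SslPolicy clientPolicy = SslPolicyLoader.create(clientConfig, LOG_PROVIDER).getPolicy("legacy");
        SecureServer secureServer = new SecureServer(serverPolicy);
        secureServer.start();
        clientCanCommunicateWithServer(new SecureClient(clientPolicy), secureServer);
    }

    /**
     * Connects the client to the already started server, sends four bytes, and asserts that the
     * handshake yields an active channel and that the client receives {@code SecureServer.RESPONSE}.
     * The server is stopped on every exit path.
     *
     * @param secureClient client to connect; not yet connected
     * @param secureServer started server whose port the client dials
     */
    private void clientCanCommunicateWithServer(SecureClient secureClient, SecureServer secureServer) throws InterruptedException, TimeoutException, ExecutionException {
        try {
            secureClient.connect(secureServer.port());
            ByteBuf request = ByteBufAllocator.DEFAULT.buffer().writeBytes(new byte[]{1, 2, 3, 4});
            secureClient.channel().writeAndFlush(request);
            ByteBuf expectedResponse = ByteBufAllocator.DEFAULT.buffer().writeBytes(SecureServer.RESPONSE);
            Assert.assertTrue(secureClient.sslHandshakeFuture().get(1L, TimeUnit.MINUTES).isActive());
            secureClient.assertResponse(expectedResponse);
        } finally {
            secureServer.stop();
        }
    }

    /**
     * Returns the given throwable followed by each of its causes, outermost first.
     *
     * @param th head of the cause chain; {@code null} yields an empty stream
     * @return stream over the non-null links of the chain
     */
    private Stream<Throwable> causes(Throwable th) {
        Stream.Builder<Throwable> chain = Stream.builder();
        for (Throwable current = th; current != null; current = current.getCause()) {
            chain.add(current);
        }
        return chain.build();
    }
}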
