package org.neo4j.ssl;

import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.NoSuchFileException;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import javax.net.ssl.SSLException;
import org.assertj.core.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.ValueSource;
import org.neo4j.configuration.Config;
import org.neo4j.configuration.GraphDatabaseSettings;
import org.neo4j.configuration.SslSystemInternalSettings;
import org.neo4j.configuration.ssl.SslPolicyConfig;
import org.neo4j.configuration.ssl.SslPolicyScope;
import org.neo4j.io.fs.FileSystemAbstraction;
import org.neo4j.io.fs.FileUtils;
import org.neo4j.logging.NullLogProvider;
import org.neo4j.ssl.config.SslPolicyLoader;
import org.neo4j.test.extension.Inject;
import org.neo4j.test.extension.testdirectory.TestDirectoryExtension;
import org.neo4j.test.ssl.SelfSignedCertificateFactory;
import org.neo4j.test.utils.TestDirectory;

@TestDirectoryExtension
/* loaded from: input_file:org/neo4j/ssl/SslPolicyLoaderTest.class */
class SslPolicyLoaderTest {
    private static final String REVOCATION_ERROR_MSG = "Could not load CRL";
    private static final String TRUSTED_CERTS_ERROR_MSG = "Failed to create trust manager";

    @Inject
    private TestDirectory testDirectory;

    @Inject
    private FileSystemAbstraction fileSystem;
    private Path home;
    private Path publicCertificateFile;
    private Path privateKeyFile;
    private Path trustedDir;
    private Path revokedDir;
    private Path baseDir;

    SslPolicyLoaderTest() {
    }

    @BeforeEach
    void setup() throws Exception {
        this.home = this.testDirectory.directory("home");
        this.baseDir = this.home.resolve("certificates/default");
        this.publicCertificateFile = this.baseDir.resolve("public.crt");
        this.privateKeyFile = this.baseDir.resolve("private.key");
        new SelfSignedCertificateFactory().createSelfSignedCertificate(this.fileSystem, this.publicCertificateFile, this.privateKeyFile, "localhost");
        this.trustedDir = makeDir(this.baseDir, "trusted");
        FileUtils.copyFile(this.publicCertificateFile, this.trustedDir.resolve("public.crt"));
        this.revokedDir = makeDir(this.baseDir, "revoked");
    }

    @ValueSource(booleans = {true, false})
    @ParameterizedTest
    void shouldLoadBaseCryptographicObjects(boolean z) throws Exception {
        assertPolicyValid(createSslPolicyLoader(z).getPolicy(SslPolicyScope.TESTING));
    }

    @ValueSource(booleans = {true, false})
    @ParameterizedTest
    void shouldComplainIfUnparseableFilesPresentInTrusted(boolean z) throws IOException {
        writeJunkToFile(this.trustedDir, "foo.txt");
        Files.createFile(this.revokedDir.resolve("empty.crt"), new FileAttribute[0]);
        shouldThrowCertificateExceptionCreatingSslPolicy(TRUSTED_CERTS_ERROR_MSG, Exception.class, z);
    }

    @ValueSource(booleans = {true, false})
    @ParameterizedTest
    void shouldComplainIfDirectoriesPresentInTrusted(boolean z) throws IOException {
        makeDir(this.trustedDir, "foo");
        shouldThrowCertificateExceptionCreatingSslPolicy(TRUSTED_CERTS_ERROR_MSG, Exception.class, z);
    }

    @ValueSource(booleans = {true, false})
    @ParameterizedTest
    void shouldComplainIfUnparseableFilesPresentInRevoked(boolean z) throws IOException {
        writeJunkToFile(this.revokedDir, "foo.txt");
        shouldThrowCertificateExceptionCreatingSslPolicy(REVOCATION_ERROR_MSG, Exception.class, z);
    }

    @ValueSource(booleans = {true, false})
    @ParameterizedTest
    void shouldComplainIfDirectoriesPresentInRevoked(boolean z) throws IOException {
        makeDir(this.revokedDir, "foo");
        shouldThrowCertificateExceptionCreatingSslPolicy(REVOCATION_ERROR_MSG, Exception.class, z);
    }

    private void shouldThrowCertificateExceptionCreatingSslPolicy(String str, Class<? extends Exception> cls, boolean z) {
        SslPolicyConfig forScope = SslPolicyConfig.forScope(SslPolicyScope.TESTING);
        Config build = Config.newBuilder().set(GraphDatabaseSettings.neo4j_home, this.home.toAbsolutePath()).set(SslSystemInternalSettings.ignore_dotfiles, Boolean.valueOf(z)).set(forScope.enabled, Boolean.TRUE).set(forScope.base_directory, Path.of("certificates/default", new String[0])).build();
        Assertions.assertThat((Exception) org.junit.jupiter.api.Assertions.assertThrows(Exception.class, () -> {
            SslPolicyLoader.create(this.fileSystem, build, NullLogProvider.getInstance());
        })).hasMessageContaining(str).isInstanceOf(cls);
    }

    @ValueSource(booleans = {true, false})
    @ParameterizedTest
    void correctBehaviourIfDotfilesPresent(boolean z) throws IOException {
        writeJunkToFile(this.baseDir, ".README");
        writeJunkToFile(this.trustedDir, ".README");
        writeJunkToFile(this.revokedDir, ".README");
        if (z) {
            assertPolicyValid(createSslPolicyLoader(z).getPolicy(SslPolicyScope.TESTING));
        } else {
            org.junit.jupiter.api.Assertions.assertThrows(Exception.class, () -> {
                createSslPolicyLoader(z);
            });
        }
    }

    @ValueSource(booleans = {true, false})
    @ParameterizedTest
    void shouldNotComplainIfDotdirsPresent(boolean z) throws IOException {
        makeDir(this.baseDir, "..data");
        makeDir(this.trustedDir, "..data");
        makeDir(this.revokedDir, "..data");
        if (z) {
            assertPolicyValid(createSslPolicyLoader(z).getPolicy(SslPolicyScope.TESTING));
        } else {
            Assertions.assertThat(((Exception) org.junit.jupiter.api.Assertions.assertThrows(Exception.class, () -> {
                createSslPolicyLoader(z);
            })).getMessage()).contains(new CharSequence[]{TRUSTED_CERTS_ERROR_MSG});
        }
    }

    @Test
    void shouldComplainIfMissingPrivateKey() throws IOException {
        shouldComplainIfMissingFile(this.privateKeyFile, "Failed to load private key");
    }

    @Test
    void shouldComplainIfMissingPublicCertificate() throws IOException {
        shouldComplainIfMissingFile(this.publicCertificateFile, "Failed to load public certificate chain");
    }

    private void shouldComplainIfMissingFile(Path path, String str) throws IOException {
        Files.delete(path);
        SslPolicyConfig forScope = SslPolicyConfig.forScope(SslPolicyScope.TESTING);
        Config build = Config.newBuilder().set(GraphDatabaseSettings.neo4j_home, this.home.toAbsolutePath()).set(forScope.enabled, Boolean.TRUE).set(forScope.base_directory, Path.of("certificates/default", new String[0])).build();
        Exception exc = (Exception) org.junit.jupiter.api.Assertions.assertThrows(Exception.class, () -> {
            SslPolicyLoader.create(this.fileSystem, build, NullLogProvider.getInstance());
        });
        Assertions.assertThat(exc.getMessage()).contains(new CharSequence[]{str});
        Assertions.assertThat(exc.getCause()).isInstanceOf(NoSuchFileException.class);
    }

    @Test
    void shouldThrowIfPolicyNameDoesNotExist() {
        SslPolicyLoader create = SslPolicyLoader.create(this.fileSystem, Config.newBuilder().set(GraphDatabaseSettings.neo4j_home, this.home.toAbsolutePath()).set(SslPolicyConfig.forScope(SslPolicyScope.TESTING).base_directory, Path.of("certificates/default", new String[0])).build(), NullLogProvider.getInstance());
        org.junit.jupiter.api.Assertions.assertThrows(IllegalArgumentException.class, () -> {
            create.getPolicy(SslPolicyScope.BOLT);
        });
    }

    @Test
    void shouldReturnNullPolicyIfNullRequested() {
        org.junit.jupiter.api.Assertions.assertNull(SslPolicyLoader.create(this.fileSystem, Config.defaults(), NullLogProvider.getInstance()).getPolicy((SslPolicyScope) null));
    }

    private static Path makeDir(Path path, String str) throws IOException {
        Path resolve = path.resolve(str);
        Files.createDirectories(resolve, new FileAttribute[0]);
        return resolve;
    }

    private static void writeJunkToFile(Path path, String str) throws IOException {
        Files.write(path.resolve(str), "junk data".getBytes(), new OpenOption[0]);
    }

    private SslPolicyLoader createSslPolicyLoader(boolean z) {
        SslPolicyConfig forScope = SslPolicyConfig.forScope(SslPolicyScope.TESTING);
        return SslPolicyLoader.create(this.fileSystem, Config.newBuilder().set(GraphDatabaseSettings.neo4j_home, this.home.toAbsolutePath()).set(SslSystemInternalSettings.ignore_dotfiles, Boolean.valueOf(z)).set(forScope.enabled, Boolean.TRUE).set(forScope.base_directory, Path.of("certificates/default", new String[0])).build(), NullLogProvider.getInstance());
    }

    private static void assertPolicyValid(SslPolicy sslPolicy) throws SSLException {
        org.junit.jupiter.api.Assertions.assertNotNull(sslPolicy);
        org.junit.jupiter.api.Assertions.assertNotNull(sslPolicy.privateKey());
        org.junit.jupiter.api.Assertions.assertNotNull(sslPolicy.certificateChain());
        org.junit.jupiter.api.Assertions.assertNotNull(sslPolicy.nettyClientContext());
        org.junit.jupiter.api.Assertions.assertNotNull(sslPolicy.nettyServerContext());
    }
}
