package com.github.tomakehurst.wiremock;

import com.github.tomakehurst.wiremock.client.WireMock;
import com.github.tomakehurst.wiremock.common.Exceptions;
import com.github.tomakehurst.wiremock.common.FatalStartupException;
import com.github.tomakehurst.wiremock.common.SingleRootFileSource;
import com.github.tomakehurst.wiremock.core.WireMockConfiguration;
import com.github.tomakehurst.wiremock.http.ssl.HostVerifyingSSLSocketFactory;
import com.github.tomakehurst.wiremock.http.ssl.SSLContextBuilder;
import com.github.tomakehurst.wiremock.http.ssl.X509KeyStore;
import com.github.tomakehurst.wiremock.junit5.WireMockExtension;
import com.github.tomakehurst.wiremock.testsupport.TestFiles;
import com.github.tomakehurst.wiremock.testsupport.TestHttpHeader;
import com.github.tomakehurst.wiremock.testsupport.WireMockResponse;
import com.github.tomakehurst.wiremock.testsupport.WireMockTestClient;
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.Base64;
import org.apache.hc.client5.http.DnsResolver;
import org.apache.hc.client5.http.SystemDefaultDnsResolver;
import org.apache.hc.client5.http.classic.methods.HttpGet;
import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
import org.apache.hc.client5.http.impl.classic.HttpClients;
import org.apache.hc.client5.http.impl.io.PoolingHttpClientConnectionManagerBuilder;
import org.apache.hc.client5.http.ssl.NoopHostnameVerifier;
import org.apache.hc.client5.http.ssl.SSLConnectionSocketFactory;
import org.apache.hc.core5.http.HttpHost;
import org.eclipse.jetty.client.HttpClient;
import org.eclipse.jetty.client.HttpProxy;
import org.eclipse.jetty.client.Origin;
import org.eclipse.jetty.client.ProxyConfiguration;
import org.hamcrest.MatcherAssert;
import org.hamcrest.Matchers;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Disabled;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.condition.DisabledForJreRange;
import org.junit.jupiter.api.condition.JRE;
import org.junit.jupiter.api.extension.RegisterExtension;

/* loaded from: input_file:com/github/tomakehurst/wiremock/HttpsBrowserProxyAcceptanceTest.class */
public class HttpsBrowserProxyAcceptanceTest {
    private static final String TARGET_KEYSTORE_WITH_CUSTOM_CERT = TestFiles.KEY_STORE_PATH;
    private static final String PROXY_KEYSTORE_WITH_CUSTOM_CA_CERT = TestFiles.KEY_STORE_WITH_CA_PATH;
    private static final String NO_PREEXISTING_KEYSTORE_PATH = tempNonExistingPath("wiremock-keystores", "ca-keystore.jks");

    @RegisterExtension
    public static WireMockExtension target = WireMockExtension.newInstance().options(WireMockConfiguration.options().httpDisabled(true).keystorePath(TARGET_KEYSTORE_WITH_CUSTOM_CERT).dynamicHttpsPort()).build();

    @RegisterExtension
    public static WireMockExtension proxy = WireMockExtension.newInstance().options(WireMockConfiguration.options().dynamicPort().dynamicHttpsPort().fileSource(new SingleRootFileSource(setupTempFileRoot())).caKeystorePath(NO_PREEXISTING_KEYSTORE_PATH).enableBrowserProxying(true).trustAllProxyTargets(true)).build();
    private WireMockTestClient testClient;

    /* loaded from: input_file:com/github/tomakehurst/wiremock/HttpsBrowserProxyAcceptanceTest$CustomLocalTldDnsResolver.class */
    private static class CustomLocalTldDnsResolver implements DnsResolver {
        private final String tldToSendToLocalhost;

        public CustomLocalTldDnsResolver(String str) {
            this.tldToSendToLocalhost = str;
        }

        public InetAddress[] resolve(String str) throws UnknownHostException {
            return str.endsWith("." + this.tldToSendToLocalhost) ? new InetAddress[]{InetAddress.getLocalHost()} : new SystemDefaultDnsResolver().resolve(str);
        }

        public String resolveCanonicalHostname(String str) throws UnknownHostException {
            InetAddress[] resolve = resolve(str);
            return resolve.length > 0 ? resolve[0].getCanonicalHostName() : str;
        }
    }

    @BeforeEach
    public void addAResourceToProxy() {
        this.testClient = new WireMockTestClient(target.getHttpsPort());
    }

    @Test
    public void canProxyHttpsInBrowserProxyMode() throws Exception {
        target.stubFor(WireMock.get(WireMock.urlEqualTo("/whatever")).willReturn(WireMock.aResponse().withBody("Got it")));
        MatcherAssert.assertThat(this.testClient.getViaProxy(target.url("/whatever"), proxy.getPort()).content(), Matchers.is("Got it"));
    }

    @Test
    public void canProxyHttpsInBrowserHttpsProxyMode() throws Exception {
        target.stubFor(WireMock.get(WireMock.urlEqualTo("/whatever")).willReturn(WireMock.aResponse().withBody("Got it")));
        MatcherAssert.assertThat(this.testClient.getViaProxy(target.url("/whatever"), proxy.getHttpsPort(), "https").content(), Matchers.is("Got it"));
    }

    @Disabled("Jetty doesn't yet support proxying via HTTP2")
    @Test
    public void canProxyHttpsUsingHttp2InBrowserHttpsProxyMode() throws Exception {
        HttpClient create = Http2ClientFactory.create();
        ProxyConfiguration proxyConfiguration = create.getProxyConfiguration();
        proxyConfiguration.getProxies().add(new HttpProxy(new Origin.Address("localhost", proxy.getHttpsPort()), true));
        target.stubFor(WireMock.get(WireMock.urlEqualTo("/whatever")).willReturn(WireMock.aResponse().withBody("Got it")));
        MatcherAssert.assertThat(create.GET(target.url("/whatever")).getContentAsString(), Matchers.is("Got it"));
    }

    @Test
    public void canStubHttpsInBrowserProxyMode() throws Exception {
        target.stubFor(WireMock.get(WireMock.urlEqualTo("/stubbed")).willReturn(WireMock.aResponse().withBody("Should Not Be Returned")));
        proxy.stubFor(WireMock.get(WireMock.urlEqualTo("/stubbed")).willReturn(WireMock.aResponse().withBody("Stubbed Value")));
        target.stubFor(WireMock.get(WireMock.urlEqualTo("/not_stubbed")).willReturn(WireMock.aResponse().withBody("Should be served from target")));
        MatcherAssert.assertThat(this.testClient.getViaProxy(target.url("/stubbed"), proxy.getPort()).content(), Matchers.is("Stubbed Value"));
        MatcherAssert.assertThat(this.testClient.getViaProxy(target.url("/not_stubbed"), proxy.getPort()).content(), Matchers.is("Should be served from target"));
    }

    @Test
    public void canRecordHttpsInBrowserProxyMode() throws Exception {
        proxy.startRecording(target.baseUrl());
        String url = target.url("/record_me");
        target.stubFor(WireMock.get(WireMock.urlEqualTo("/record_me")).willReturn(WireMock.aResponse().withBody("Target response")));
        MatcherAssert.assertThat(this.testClient.getViaProxy(url, proxy.getPort()).content(), Matchers.is("Target response"));
        proxy.stopRecording();
        MatcherAssert.assertThat(this.testClient.getViaProxy(url, proxy.getPort()).content(), Matchers.is("Target response"));
    }

    @Test
    public void rejectsUntrustedTarget() {
        WireMockServer wireMockServer = new WireMockServer(WireMockConfiguration.wireMockConfig().dynamicPort().enableBrowserProxying(true));
        try {
            wireMockServer.start();
            target.stubFor(WireMock.get(WireMock.urlEqualTo("/whatever")).willReturn(WireMock.aResponse().withBody("Got it")));
            MatcherAssert.assertThat(Integer.valueOf(this.testClient.getViaProxy(target.url("/whatever"), wireMockServer.port()).statusCode()), Matchers.is(500));
        } finally {
            wireMockServer.stop();
        }
    }

    @Test
    public void trustsTargetIfTrustStoreContainsItsCertificate() {
        WireMockServer wireMockServer = new WireMockServer(WireMockConfiguration.wireMockConfig().dynamicPort().enableBrowserProxying(true).trustStorePath(TestFiles.TRUST_STORE_PATH).trustStorePassword(TestFiles.TRUST_STORE_PASSWORD));
        try {
            wireMockServer.start();
            target.stubFor(WireMock.get(WireMock.urlEqualTo("/whatever")).willReturn(WireMock.aResponse().withBody("Got it")));
            WireMockResponse viaProxy = this.testClient.getViaProxy(target.url("/whatever"), wireMockServer.port());
            MatcherAssert.assertThat(Integer.valueOf(viaProxy.statusCode()), Matchers.is(200));
            MatcherAssert.assertThat(viaProxy.content(), Matchers.is("Got it"));
        } finally {
            wireMockServer.stop();
        }
    }

    @Test
    public void canTrustSpecificTargetHosts() {
        WireMockServer wireMockServer = new WireMockServer(WireMockConfiguration.wireMockConfig().dynamicPort().enableBrowserProxying(true).trustedProxyTargets(new String[]{"localhost"}));
        try {
            wireMockServer.start();
            target.stubFor(WireMock.get(WireMock.urlEqualTo("/whatever")).willReturn(WireMock.aResponse().withBody("Got it")));
            WireMockResponse viaProxy = this.testClient.getViaProxy(target.url("/whatever"), wireMockServer.port());
            MatcherAssert.assertThat(Integer.valueOf(viaProxy.statusCode()), Matchers.is(200));
            MatcherAssert.assertThat(viaProxy.content(), Matchers.is("Got it"));
        } finally {
            wireMockServer.stop();
        }
    }

    @DisabledForJreRange(min = JRE.JAVA_17, disabledReason = "does not support generating certificates at runtime")
    @Test
    public void certificatesSignedWithUsersRootCertificate() throws Exception {
        WireMockServer wireMockServer = new WireMockServer(WireMockConfiguration.wireMockConfig().dynamicPort().enableBrowserProxying(true).trustAllProxyTargets(true).caKeystorePath(PROXY_KEYSTORE_WITH_CUSTOM_CA_CERT));
        try {
            wireMockServer.start();
            CloseableHttpClient build = HttpClients.custom().setConnectionManager(PoolingHttpClientConnectionManagerBuilder.create().setDnsResolver(new CustomLocalTldDnsResolver("internal")).setSSLSocketFactory(sslSocketFactoryThatTrusts(HttpsAcceptanceTest.readKeyStore(PROXY_KEYSTORE_WITH_CUSTOM_CA_CERT, "password"))).build()).setProxy(new HttpHost("localhost", wireMockServer.port())).build();
            build.execute(new HttpGet("https://fake1.nowildcards1.internal:" + target.getHttpsPort() + "/whatever"));
            build.execute(new HttpGet("https://fake2.nowildcards2.internal:" + target.getHttpsPort() + "/whatever"));
            wireMockServer.stop();
        } catch (Throwable th) {
            wireMockServer.stop();
            throw th;
        }
    }

    @DisabledForJreRange(min = JRE.JAVA_17, disabledReason = "does not support generating certificates at runtime")
    @Test
    public void certificatesSignedWithGeneratedRootCertificate() throws Exception {
        CloseableHttpClient build = HttpClients.custom().setConnectionManager(PoolingHttpClientConnectionManagerBuilder.create().setDnsResolver(new CustomLocalTldDnsResolver("internal")).setSSLSocketFactory(sslSocketFactoryThatTrusts(HttpsAcceptanceTest.readKeyStore(NO_PREEXISTING_KEYSTORE_PATH, "password"))).build()).setProxy(new HttpHost("localhost", proxy.getPort())).build();
        build.execute(new HttpGet("https://fake1.nowildcards1.internal:" + target.getHttpsPort() + "/whatever"));
        build.execute(new HttpGet("https://fake2.nowildcards2.internal:" + target.getHttpsPort() + "/whatever"));
    }

    @Test
    public void failsIfCaKeystorePathIsNotAKeystore() throws IOException {
        Assertions.assertThrows(IOException.class, () -> {
            new WireMockServer(WireMockConfiguration.options().enableBrowserProxying(true).caKeystorePath(Files.createTempFile("notakeystore", "jks", new FileAttribute[0]).toString()));
        });
    }

    @Test
    public void failsIfCaKeystoreDoesNotContainACaCertificate() throws Exception {
        WireMockServer wireMockServer = new WireMockServer(WireMockConfiguration.options().enableBrowserProxying(true).caKeystorePath(emptyKeyStore().toString()));
        Assertions.assertThrows(FatalStartupException.class, wireMockServer::start);
    }

    @DisabledForJreRange(min = JRE.JAVA_17, disabledReason = "does not support generating certificates at runtime")
    @Test
    public void certificateAuthorityCertCanBeDownloaded() throws Exception {
        WireMockResponse wireMockResponse = new WireMockTestClient(proxy.getPort()).get("/__admin/certs/wiremock-ca.crt", new TestHttpHeader[0]);
        Assertions.assertEquals(200, wireMockResponse.statusCode());
        Assertions.assertEquals("application/x-pem-file", wireMockResponse.firstHeader("Content-Type"));
        Assertions.assertEquals(new X509KeyStore(HttpsAcceptanceTest.readKeyStore(NO_PREEXISTING_KEYSTORE_PATH, "password"), "password".toCharArray()).getCertificateAuthority().certificateChain()[0], decode(wireMockResponse.content()));
    }

    private Certificate decode(String str) throws Exception {
        return CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(Base64.getMimeDecoder().decode(str.replace("-----BEGIN CERTIFICATE-----", "").replace("-----END CERTIFICATE-----", ""))));
    }

    private SSLConnectionSocketFactory sslSocketFactoryThatTrusts(KeyStore keyStore) throws NoSuchAlgorithmException, KeyManagementException, KeyStoreException {
        return new SSLConnectionSocketFactory(new HostVerifyingSSLSocketFactory(SSLContextBuilder.create().loadTrustMaterial(keyStore).build().getSocketFactory()), new NoopHostnameVerifier());
    }

    private static File setupTempFileRoot() {
        try {
            File file = Files.createTempDirectory("wiremock", new FileAttribute[0]).toFile();
            new File(file, "mappings").mkdirs();
            new File(file, "__files").mkdirs();
            return file;
        } catch (IOException e) {
            return (File) Exceptions.throwUnchecked(e, File.class);
        }
    }

    private static String tempNonExistingPath(String str, String str2) {
        try {
            return Files.createTempDirectory(str, new FileAttribute[0]).resolve(str2).toFile().getAbsolutePath();
        } catch (IOException e) {
            return (String) Exceptions.throwUnchecked(e, (Class) null);
        }
    }

    private static Path emptyKeyStore() throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        char[] charArray = "password".toCharArray();
        keyStore.load(null, charArray);
        Path createTempFile = Files.createTempFile("keystore-with-no-ca", "jks", new FileAttribute[0]);
        FileOutputStream fileOutputStream = new FileOutputStream(createTempFile.toFile());
        try {
            keyStore.store(fileOutputStream, charArray);
            fileOutputStream.close();
            return createTempFile;
        } catch (Throwable th) {
            try {
                fileOutputStream.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }
}
