package org.apache.nifi.minifi.c2.integration.test;

import com.palantir.docker.compose.DockerComposeExtension;
import com.palantir.docker.compose.connection.DockerPort;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.apache.commons.io.IOUtils;
import org.apache.nifi.minifi.commons.schema.ConfigSchema;
import org.apache.nifi.minifi.commons.schema.serialization.SchemaLoader;
import org.apache.nifi.security.util.KeyStoreUtils;
import org.apache.nifi.security.util.KeystoreType;
import org.apache.nifi.security.util.SslContextFactory;
import org.apache.nifi.security.util.StandardTlsConfiguration;
import org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandalone;
import org.apache.nifi.toolkit.tls.standalone.TlsToolkitStandaloneCommandLine;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;

/* loaded from: input_file:org/apache/nifi/minifi/c2/integration/test/AbstractTestSecure.class */
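public abstract class AbstractTestSecure extends AbstractTestUnsecure {

    /** Config endpoint of the C2 server, addressed by its docker-compose service name. */
    public static final String C2_URL = "https://c2:10443/c2/config";

    /** Password the TLS toolkit is told to use for every generated truststore (test fixture only). */
    private static final String TRUSTSTORE_PASSWORD = "badTrustPass";

    /** Name of the docker-compose service that proxies requests into the compose network. */
    private static final String PROXY_CONTAINER = "squid";

    /** Port the proxy container listens on. */
    private static final int PROXY_PORT = 3128;

    private final DockerComposeExtension docker;
    private final Path certificatesDirectory;
    private final SSLContext trustSslContext;

    /**
     * Creates a secure C2 test.
     *
     * @param docker                the compose environment hosting the C2 server and the proxy
     * @param certificatesDirectory directory populated by {@link #initCertificates(Path, List)}
     * @param trustSslContext       context that trusts the C2 CA but presents no client certificate
     */
    // Declared protected in the original source; the decompiler widened it to public.
    public AbstractTestSecure(DockerComposeExtension docker, Path certificatesDirectory, SSLContext trustSslContext) {
        this.docker = docker;
        this.certificatesDirectory = certificatesDirectory;
        this.trustSslContext = trustSslContext;
    }

    @Override // org.apache.nifi.minifi.c2.integration.test.AbstractTestUnsecure
    protected String getConfigUrl(DockerComposeExtension dockerComposeExtension) {
        return C2_URL;
    }

    /**
     * Generates the test PKI with the NiFi TLS toolkit and returns a trust-only {@link SSLContext}.
     *
     * <p>Two independent CAs are created: the "real" one under {@code certificatesDirectory}, issuing
     * server certificates for {@code hostnames} and client certificates for user1..user4, and a second
     * one under the sibling {@code badCert} directory that issues only a {@code CN=user3} client
     * certificate. The latter lets a test check that a client certificate chained to an untrusted CA is
     * rejected even though its subject matches an authorised user.
     *
     * @param certificatesDirectory output directory for the trusted CA and its keystores; created if absent
     * @param hostnames             server hostnames to issue certificates for ({@code -n} toolkit option)
     * @return an {@code SSLContext} that trusts the C2 truststore and holds no client key
     * @throws Exception if the toolkit fails or the generated truststore cannot be loaded
     */
    public static SSLContext initCertificates(Path certificatesDirectory, List<String> hostnames) throws Exception {
        List<String> toolkitArgs = new ArrayList<>(Arrays.asList(
                "-O",
                "-o", certificatesDirectory.toFile().getAbsolutePath(),
                "-C", "CN=user1",
                "-C", "CN=user2",
                "-C", "CN=user3",
                "-C", "CN=user4",
                "-S", "badKeystorePass",
                "-K", "badKeyPass",
                "-P", TRUSTSTORE_PASSWORD));
        for (String hostname : hostnames) {
            toolkitArgs.add("-n");
            toolkitArgs.add(hostname);
        }
        Files.createDirectories(certificatesDirectory);

        TlsToolkitStandaloneCommandLine trustedCaCommandLine = new TlsToolkitStandaloneCommandLine();
        trustedCaCommandLine.parse(toolkitArgs.toArray(new String[0]));
        new TlsToolkitStandalone().createNifiKeystoresAndTrustStores(trustedCaCommandLine.createConfig());

        // Second CA: same subject as a legitimate user, but not trusted by the C2 server.
        TlsToolkitStandaloneCommandLine untrustedCaCommandLine = new TlsToolkitStandaloneCommandLine();
        untrustedCaCommandLine.parse(new String[]{
                "-O",
                "-o", certificatesDirectory.getParent().resolve("badCert").toFile().getAbsolutePath(),
                "-C", "CN=user3"});
        new TlsToolkitStandalone().createNifiKeystoresAndTrustStores(untrustedCaCommandLine.createConfig());

        Path trustStorePath = trustStorePath(certificatesDirectory);
        KeyStore trustStore = KeyStoreUtils.getKeyStore("jks");
        try (InputStream trustStoreStream = Files.newInputStream(trustStorePath)) {
            trustStore.load(trustStoreStream, TRUSTSTORE_PASSWORD.toCharArray());
        }
        // Sanity check: initialising a TrustManagerFactory fails fast if the generated truststore is unusable.
        TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm()).init(trustStore);

        // Keystore fields are null on purpose: this context authenticates the server only.
        return SslContextFactory.createSslContext(new StandardTlsConfiguration(
                (String) null, (String) null, (KeystoreType) null,
                trustStorePath.toFile().getAbsolutePath(), TRUSTSTORE_PASSWORD, KeystoreType.JKS));
    }

    /** Path of the truststore the TLS toolkit writes for the {@code c2} server under {@code certificatesDirectory}. */
    private static Path trustStorePath(Path certificatesDirectory) {
        return certificatesDirectory.resolve("c2").resolve("truststore.jks");
    }

    /** Without a client certificate every class lookup must be refused. */
    @Test
    public void testNoClientCert() throws Exception {
        assertReturnCode("", this.trustSslContext, 403);
        assertReturnCode("?class=raspi2", this.trustSslContext, 403);
        assertReturnCode("?class=raspi3", this.trustSslContext, 403);
    }

    /** user1 may read only the raspi2 class. */
    @Test
    public void testUser1() throws Exception {
        SSLContext user1 = loadSslContext("user1");
        assertReturnCode("", user1, 403);
        Assertions.assertEquals("raspi2.v1", assertReturnCode("?class=raspi2", user1, 200).getFlowControllerProperties().getName());
        assertReturnCode("?class=raspi3", user1, 403);
    }

    /** user2 may read only the raspi3 class. */
    @Test
    public void testUser2() throws Exception {
        SSLContext user2 = loadSslContext("user2");
        assertReturnCode("", user2, 403);
        assertReturnCode("?class=raspi2", user2, 403);
        Assertions.assertEquals("raspi3.v2", assertReturnCode("?class=raspi3", user2, 200).getFlowControllerProperties().getName());
    }

    /** user3 may read both classes; a request without a class is a 400 rather than a 403. */
    @Test
    public void testUser3() throws Exception {
        SSLContext user3 = loadSslContext("user3");
        assertReturnCode("", user3, 400);
        Assertions.assertEquals("raspi2.v1", assertReturnCode("?class=raspi2", user3, 200).getFlowControllerProperties().getName());
        Assertions.assertEquals("raspi3.v2", assertReturnCode("?class=raspi3", user3, 200).getFlowControllerProperties().getName());
    }

    /**
     * A {@code CN=user3} certificate issued by the untrusted CA must not be accepted: the TLS handshake
     * itself is expected to fail (surfacing as an {@link IOException}), so authorisation is never reached.
     */
    @Test
    public void testUser3WrongCA() {
        Assertions.assertThrows(IOException.class, () -> {
            assertReturnCode("?class=raspi3", loadSslContext("user3", this.certificatesDirectory.getParent().resolve("badCert")), 403);
        });
    }

    /** user4 has a valid certificate but no authorisations at all. */
    @Test
    public void testUser4() throws Exception {
        SSLContext user4 = loadSslContext("user4");
        assertReturnCode("", user4, 403);
        assertReturnCode("?class=raspi2", user4, 403);
        assertReturnCode("?class=raspi3", user4, 403);
    }

    /**
     * Loads the client identity of {@code user} from the trusted certificates directory.
     *
     * @param user common-name suffix of the generated client certificate (e.g. {@code user1})
     * @return context presenting that user's certificate and trusting the C2 CA
     */
    // Declared protected in the original source; the decompiler widened it to public.
    public SSLContext loadSslContext(String user) throws GeneralSecurityException, IOException {
        return loadSslContext(user, this.certificatesDirectory);
    }

    /**
     * Builds a client {@link SSLContext} from the PKCS12 keystore the toolkit wrote for {@code user}
     * under {@code directory}. The truststore always comes from the trusted certificates directory, so
     * a context loaded from {@code badCert} still trusts the real server while presenting an untrusted
     * client certificate.
     *
     * @param user      common-name suffix of the client certificate
     * @param directory directory holding {@code CN=<user>.p12} and {@code CN=<user>.password}
     * @return context presenting that identity
     * @throws GeneralSecurityException if the keystore or truststore cannot be used
     * @throws IOException              if the password file or keystore cannot be read
     */
    protected SSLContext loadSslContext(String user, Path directory) throws GeneralSecurityException, IOException {
        // The password file is used verbatim; the toolkit is assumed to write it without a trailing newline — TODO confirm.
        String keyStorePassword;
        try (InputStream passwordStream = Files.newInputStream(directory.resolve("CN=" + user + ".password"))) {
            keyStorePassword = IOUtils.toString(passwordStream, StandardCharsets.UTF_8);
        }
        return SslContextFactory.createSslContext(new StandardTlsConfiguration(
                directory.resolve("CN=" + user + ".p12").toFile().getAbsolutePath(), keyStorePassword, KeystoreType.PKCS12,
                trustStorePath(this.certificatesDirectory).toFile().getAbsolutePath(), TRUSTSTORE_PASSWORD, KeystoreType.JKS));
    }

    /**
     * Requests {@link #C2_URL}{@code + queryString} with the given client context and asserts the status.
     *
     * @param queryString          query string appended to the config URL (may be empty)
     * @param sslContext           client TLS context to present
     * @param expectedResponseCode HTTP status the server must return
     * @return the parsed config when {@code expectedResponseCode} is 200, otherwise {@code null}
     * @throws Exception on I/O failure, including a failed TLS handshake
     */
    // Declared protected in the original source; the decompiler widened it to public.
    public ConfigSchema assertReturnCode(String queryString, SSLContext sslContext, int expectedResponseCode) throws Exception {
        HttpsURLConnection connection = openUrlConnection(C2_URL + queryString, sslContext);
        try {
            Assertions.assertEquals(expectedResponseCode, connection.getResponseCode());
            if (expectedResponseCode != 200) {
                return null;
            }
            try (InputStream body = connection.getInputStream()) {
                return SchemaLoader.loadConfigSchemaFromYaml(body);
            }
        } finally {
            connection.disconnect();
        }
    }

    /**
     * Opens an HTTPS connection to {@code url} through the compose-managed proxy container, presumably
     * so that the compose-internal hostname {@code c2} resolves from the test JVM.
     *
     * <p>Only the socket factory is replaced; the default {@link HttpsURLConnection} hostname verifier is
     * left in place, so the server certificate must still match {@code c2}.
     *
     * @param url        absolute HTTPS URL
     * @param sslContext client TLS context to present
     * @return an unconnected connection
     * @throws IOException if the URL is malformed or the connection cannot be created
     */
    protected HttpsURLConnection openUrlConnection(String url, SSLContext sslContext) throws IOException {
        DockerPort proxyPort = this.docker.containers().container(PROXY_CONTAINER).port(PROXY_PORT);
        Proxy proxy = new Proxy(Proxy.Type.HTTP, new InetSocketAddress(proxyPort.getIp(), proxyPort.getExternalPort()));
        HttpsURLConnection connection = (HttpsURLConnection) new URL(url).openConnection(proxy);
        connection.setSSLSocketFactory(sslContext.getSocketFactory());
        return connection;
    }

    /** Super-user operations run as user3, the only identity authorised for every class. */
    @Override // org.apache.nifi.minifi.c2.integration.test.AbstractTestUnsecure
    protected HttpURLConnection openSuperUserUrlConnection(String url) throws IOException {
        try {
            return openUrlConnection(url, loadSslContext("user3"));
        } catch (GeneralSecurityException e) {
            // Callers only declare IOException; keep the original as the cause.
            throw new IOException(e);
        }
    }
}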
