package org.wildfly.elytron.web.undertow.common;

import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Principal;
import java.security.spec.AlgorithmParameterSpec;
import java.util.Locale;
import java.util.concurrent.atomic.AtomicInteger;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509TrustManager;
import javax.security.auth.x500.X500Principal;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpUriRequest;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Rule;
import org.junit.Test;
import org.wildfly.security.auth.SupportLevel;
import org.wildfly.security.auth.permission.LoginPermission;
import org.wildfly.security.auth.realm.KeyStoreBackedSecurityRealm;
import org.wildfly.security.auth.server.PrincipalDecoder;
import org.wildfly.security.auth.server.RealmIdentity;
import org.wildfly.security.auth.server.RealmUnavailableException;
import org.wildfly.security.auth.server.SecurityDomain;
import org.wildfly.security.auth.server.SecurityRealm;
import org.wildfly.security.credential.Credential;
import org.wildfly.security.evidence.Evidence;
import org.wildfly.security.permission.PermissionVerifier;
import org.wildfly.security.ssl.SSLContextBuilder;
import org.wildfly.security.ssl.test.util.CAGenerationTool;
import org.wildfly.security.x500.X500;
import org.wildfly.security.x500.principal.X500AttributePrincipalDecoder;

/* loaded from: input_file:org/wildfly/elytron/web/undertow/common/ClientCertAuthenticationBase.class */
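/**
 * Base class for the {@code CLIENT_CERT} HTTP mechanism tests.
 *
 * <p>Test material is generated once per class by {@link CAGenerationTool}: the
 * {@code LADYBIRD} and {@code SCARAB} identities are requested from the tool (presumably
 * issued by its CA, which is trusted through {@code /tls/ca.truststore}), and a separate
 * self-signed {@code tiger} identity is created that no trust store covers. The tests present
 * {@code ladybird} as a client certificate the key-store-backed realm is expected to know, and
 * {@code tiger} as one it must reject. {@code scarab} is the server's own identity
 * (see {@link #getSSLContext(boolean)}).
 *
 * <p>Subclasses provide the two Undertow servers under test; what distinguishes them is not
 * visible here beyond the test names.
 */
public abstract class ClientCertAuthenticationBase extends AbstractHttpServerMechanismTest {

    /** Directory the generated key stores are written to; corresponds to the {@code /tls} classpath resources. */
    private static final String TLS_LOCATION = "./target/test-classes/tls";

    /** Password protecting every key store loaded by this class. */
    private static final String KEY_STORE_PASSWORD = "Elytron";

    private static CAGenerationTool caGenerationTool = null;

    private SecurityRealm securityRealm;

    /**
     * Counts {@link SecurityRealm#getRealmIdentity(Principal)} calls on the realm built by
     * {@link #doCreateSecurityDomain()}. JUnit instantiates the class per test method, so the
     * count starts at zero for each test. Declared before the rules so it is initialised
     * before any subclass code runs from the field initialisers below.
     */
    private final AtomicInteger realmIdentityInvocationCount = new AtomicInteger(0);

    // NOTE: these initialisers call an abstract method during construction; subclass
    // implementations must not rely on their own instance fields being initialised yet.
    @Rule
    public UndertowServer serverA = createUndertowServerA();

    @Rule
    public UndertowServer serverB = createUndertowServerB();

    /** Declared to throw because the rule fields above are initialised via {@code throws Exception} methods. */
    protected ClientCertAuthenticationBase() throws Exception {
    }

    /**
     * Generates the CA, the requested identities and the self-signed {@code tiger} identity
     * under {@link #TLS_LOCATION}.
     *
     * @throws Exception if the generation tool fails
     */
    @BeforeClass
    public static void beforeClass() throws Exception {
        caGenerationTool = CAGenerationTool.builder()
                .setBaseDir(TLS_LOCATION)
                .setRequestIdentities(new CAGenerationTool.Identity[]{
                        CAGenerationTool.Identity.LADYBIRD, CAGenerationTool.Identity.SCARAB})
                .build();
        // Self-signed, so it is not anchored by the CA trust store: this is the "unrecognised" client.
        caGenerationTool.createSelfSignedIdentity("tiger",
                new X500Principal("CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown"),
                "tiger.keystore");
    }

    /**
     * Releases the generation tool created in {@link #beforeClass()}.
     *
     * @throws IOException if closing the tool fails
     */
    @AfterClass
    public static void afterClass() throws IOException {
        caGenerationTool.close();
    }

    /**
     * A recognised client certificate ({@code ladybird}) authenticates against server A.
     *
     * @throws Exception on any client or server failure
     */
    @Test
    public void testSuccessfulAuthentication() throws Exception {
        try (CloseableHttpClient client = clientBuilder(createRecognizedSSLContext()).build()) {
            assertSuccessfulResponse(client.execute(new HttpGet(serverA.createUri())), "ladybird");
        }
    }

    /**
     * A recognised client certificate authenticates against server B.
     *
     * @throws Exception on any client or server failure
     */
    @Test
    public void testClientCertAfterSession() throws Exception {
        try (CloseableHttpClient client = clientBuilder(createRecognizedSSLContext()).build()) {
            assertSuccessfulResponse(client.execute(new HttpGet(serverB.createUri())), "ladybird");
        }
    }

    /**
     * Repeated requests over the same client must be served from the cached SSL-session
     * identity: the realm is consulted for the first authentication (twice, as pinned below)
     * and not again for the following ten requests.
     *
     * @throws Exception on any client or server failure
     */
    @Test
    public void testSSLSessionIdentityCacheHit() throws Exception {
        // disableConnectionState() keeps the pooled connection reusable across requests,
        // which is what lets the server-side SSL session (and its identity) be reused.
        try (CloseableHttpClient client = clientBuilder(createRecognizedSSLContext())
                .disableConnectionState()
                .build()) {
            assertSuccessfulResponse(client.execute(new HttpGet(serverA.createUri())), "ladybird");
            Assert.assertEquals(2L, realmIdentityInvocationCount.get());
            for (int i = 0; i < 10; i++) {
                assertSuccessfulResponse(client.execute(new HttpGet(serverA.createUri())), "ladybird");
            }
            // Still two: no further realm lookups once the identity is cached on the session.
            Assert.assertEquals(2L, realmIdentityInvocationCount.get());
        }
    }

    /**
     * An unrecognised (self-signed {@code tiger}) client certificate is refused with 403.
     * The handshake itself completes because the server only <em>wants</em> client
     * authentication (see {@link #getSSLContext(boolean)}); the rejection happens in the
     * mechanism, not in TLS.
     *
     * @throws Exception on any client or server failure
     */
    @Test
    public void testFailedAuthentication() throws Exception {
        try (CloseableHttpClient client = clientBuilder(createUnrecognizedSSLContext()).build()) {
            int status = client.execute(new HttpGet(serverA.createUri())).getStatusLine().getStatusCode();
            Assert.assertEquals(403L, status);
        }
    }

    @Override
    protected String getMechanismName() {
        return "CLIENT_CERT";
    }

    /**
     * Builds the security domain backed by {@code /tls/beetles.keystore}. The realm is wrapped
     * so that identity lookups can be counted by {@link #testSSLSessionIdentityCacheHit()};
     * all other calls delegate unchanged.
     *
     * @return the domain, with the certificate's CN (lower-cased) as the principal name and
     *         every identity granted {@link LoginPermission}
     * @throws Exception if the key store cannot be loaded
     */
    @Override
    protected SecurityDomain doCreateSecurityDomain() throws Exception {
        final KeyStoreBackedSecurityRealm delegate =
                new KeyStoreBackedSecurityRealm(loadKeyStore("/tls/beetles.keystore"));
        this.securityRealm = new SecurityRealm() {
            @Override
            public RealmIdentity getRealmIdentity(Principal principal) throws RealmUnavailableException {
                realmIdentityInvocationCount.incrementAndGet();
                return delegate.getRealmIdentity(principal);
            }

            @Override
            public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> credentialType,
                    String algorithmName, AlgorithmParameterSpec parameterSpec) throws RealmUnavailableException {
                return delegate.getCredentialAcquireSupport(credentialType, algorithmName, parameterSpec);
            }

            @Override
            public SupportLevel getEvidenceVerifySupport(Class<? extends Evidence> evidenceType,
                    String algorithmName) throws RealmUnavailableException {
                return delegate.getEvidenceVerifySupport(evidenceType, algorithmName);
            }
        };
        return SecurityDomain.builder()
                .addRealm("KeystoreRealm", this.securityRealm).build()
                .setDefaultRealmName("KeystoreRealm")
                // First CN attribute of the subject DN, falling back to the default decoder.
                .setPrincipalDecoder(PrincipalDecoder.aggregate(
                        new X500AttributePrincipalDecoder(X500.OID_AT_COMMON_NAME, 1), PrincipalDecoder.DEFAULT))
                // Locale.ROOT so the realm key does not depend on the JVM's default locale.
                .setPreRealmRewriter(name -> {
                    return name.toLowerCase(Locale.ROOT);
                })
                .setPermissionMapper((permissionMappable, roles) -> {
                    return PermissionVerifier.from(new LoginPermission());
                })
                .build();
    }

    /**
     * Client builder that trusts the test CA and ignores host-name mismatches. Hostname
     * verification is disabled on purpose: the generated server certificate is presumably
     * not issued for the loopback host name, and server identity is not what these tests
     * exercise — only client-certificate authentication is.
     *
     * @param sslContext the client-side context (recognised or unrecognised identity)
     * @return a builder; callers must close the built client
     */
    private static HttpClientBuilder clientBuilder(SSLContext sslContext) {
        return HttpClientBuilder.create()
                .setSSLContext(sslContext)
                .setSSLHostnameVerifier((hostname, session) -> {
                    return true;
                });
    }

    /**
     * Client context presenting the {@code ladybird} identity, trusting the test CA.
     *
     * @throws Exception if a key store cannot be loaded or the context fails to initialise
     */
    private SSLContext createRecognizedSSLContext() throws Exception {
        return createClientSSLContext("/tls/ladybird.keystore");
    }

    /**
     * Client context presenting the self-signed {@code tiger} identity, trusting the test CA.
     *
     * @throws Exception if a key store cannot be loaded or the context fails to initialise
     */
    private SSLContext createUnrecognizedSSLContext() throws Exception {
        return createClientSSLContext("/tls/tiger.keystore");
    }

    /**
     * Initialises a TLS context whose client identity comes from {@code keyStoreResource}
     * and whose trust is anchored on {@code /tls/ca.truststore}.
     *
     * @param keyStoreResource classpath resource of the client key store
     * @throws Exception if a key store cannot be loaded or the context fails to initialise
     */
    private SSLContext createClientSSLContext(String keyStoreResource) throws Exception {
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(new KeyManager[]{getKeyManager(keyStoreResource)},
                new TrustManager[]{getCATrustManager()}, null);
        return sslContext;
    }

    /**
     * Key manager for the given key store resource.
     *
     * @param keyStoreResource classpath resource of a JKS key store protected by {@link #KEY_STORE_PASSWORD}
     * @return the first {@link X509ExtendedKeyManager} produced by the default factory
     * @throws IllegalStateException if the factory yields no X.509 key manager
     * @throws Exception if the key store cannot be loaded
     */
    protected X509ExtendedKeyManager getKeyManager(String keyStoreResource) throws Exception {
        KeyManagerFactory factory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        factory.init(loadKeyStore(keyStoreResource), KEY_STORE_PASSWORD.toCharArray());
        for (KeyManager candidate : factory.getKeyManagers()) {
            if (candidate instanceof X509ExtendedKeyManager) {
                return (X509ExtendedKeyManager) candidate;
            }
        }
        throw new IllegalStateException("Unable to obtain X509ExtendedKeyManager.");
    }

    /**
     * Trust manager anchored on {@code /tls/ca.truststore}.
     *
     * @return the first {@link X509TrustManager} produced by the default factory
     * @throws IllegalStateException if the factory yields no X.509 trust manager
     * @throws Exception if the trust store cannot be loaded
     */
    protected X509TrustManager getCATrustManager() throws Exception {
        TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        factory.init(loadKeyStore("/tls/ca.truststore"));
        for (TrustManager candidate : factory.getTrustManagers()) {
            if (candidate instanceof X509TrustManager) {
                return (X509TrustManager) candidate;
            }
        }
        throw new IllegalStateException("Unable to obtain X509TrustManager.");
    }

    /**
     * Loads a JKS key store from the class path.
     *
     * @param resource classpath resource name (test-controlled, never user input)
     * @return the loaded store
     * @throws AssertionError if the resource is missing
     * @throws Exception if the store cannot be read or its integrity check fails
     */
    private KeyStore loadKeyStore(String resource) throws Exception {
        KeyStore keyStore = KeyStore.getInstance("jks");
        try (InputStream in = ClientCertAuthenticationBase.class.getResourceAsStream(resource)) {
            Assert.assertNotNull("InputStream must not be null", in);
            keyStore.load(in, KEY_STORE_PASSWORD.toCharArray());
        }
        return keyStore;
    }

    /**
     * Server-side context using the {@code scarab} identity, trusting the test CA and bound to
     * this test's security domain.
     *
     * @param wantClientAuth when {@code true} the server requests (but does not require) a
     *        client certificate; when {@code false} the builder's default applies
     * @return the initialised server context
     * @throws Exception if a key store cannot be loaded or the context fails to build
     */
    protected SSLContext getSSLContext(boolean wantClientAuth) throws GeneralSecurityException, Exception {
        SSLContextBuilder builder = new SSLContextBuilder()
                .setSecurityDomain(getSecurityDomain())
                .setKeyManager(getKeyManager("/tls/scarab.keystore"))
                .setTrustManager(getCATrustManager());
        if (wantClientAuth) {
            builder.setWantClientAuth(true);
        }
        return builder.build().create();
    }

    /** Server exercised by most tests; wiring (mechanism, client-auth mode) is up to the subclass. */
    protected abstract UndertowServer createUndertowServerA() throws Exception;

    /** Server exercised by {@link #testClientCertAfterSession()}; wiring is up to the subclass. */
    protected abstract UndertowServer createUndertowServerB() throws Exception;
}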
