package org.sparkproject.jetty.server.ssl;

import java.io.File;
import java.io.FileNotFoundException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.concurrent.LinkedBlockingQueue;
import java.util.function.Consumer;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.net.ssl.SNIHostName;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.hamcrest.MatcherAssert;
import org.hamcrest.Matchers;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.condition.DisabledOnOs;
import org.junit.jupiter.api.condition.OS;
import org.sparkproject.jetty.http.HttpTester;
import org.sparkproject.jetty.http.HttpVersion;
import org.sparkproject.jetty.io.Connection;
import org.sparkproject.jetty.io.ssl.SslConnection;
import org.sparkproject.jetty.server.ConnectionFactory;
import org.sparkproject.jetty.server.HttpConfiguration;
import org.sparkproject.jetty.server.HttpConnectionFactory;
import org.sparkproject.jetty.server.Request;
import org.sparkproject.jetty.server.SecureRequestCustomizer;
import org.sparkproject.jetty.server.Server;
import org.sparkproject.jetty.server.ServerConnector;
import org.sparkproject.jetty.server.SocketCustomizationListener;
import org.sparkproject.jetty.server.SslConnectionFactory;
import org.sparkproject.jetty.server.handler.AbstractHandler;
import org.sparkproject.jetty.server.handler.ErrorHandler;
import org.sparkproject.jetty.util.IO;
import org.sparkproject.jetty.util.ssl.SslContextFactory;

/* loaded from: input_file:org/sparkproject/jetty/server/ssl/SniSslConnectionFactoryTest.class */
public class SniSslConnectionFactoryTest {
    private Server _server;
    private ServerConnector _connector;
    private HttpConfiguration _httpsConfiguration;
    private int _port;

    @BeforeEach
    public void before() {
        this._server = new Server();
        HttpConfiguration httpConfiguration = new HttpConfiguration();
        httpConfiguration.setSecureScheme("https");
        httpConfiguration.setSecurePort(8443);
        httpConfiguration.setOutputBufferSize(32768);
        this._httpsConfiguration = new HttpConfiguration(httpConfiguration);
        SecureRequestCustomizer secureRequestCustomizer = new SecureRequestCustomizer();
        secureRequestCustomizer.setSniHostCheck(true);
        this._httpsConfiguration.addCustomizer(secureRequestCustomizer);
        this._httpsConfiguration.addCustomizer((connector, httpConfiguration2, request) -> {
            SslConnection.DecryptedEndPoint endPoint = request.getHttpChannel().getEndPoint();
            if (endPoint instanceof SslConnection.DecryptedEndPoint) {
                try {
                    for (Certificate certificate : endPoint.getSslConnection().getSSLEngine().getSession().getLocalCertificates()) {
                        request.getResponse().getHttpFields().add("X-Cert", ((X509Certificate) certificate).getSubjectDN().toString());
                    }
                } catch (Throwable th) {
                    th.printStackTrace();
                }
            }
        });
    }

    protected void start(String str) throws Exception {
        start(server -> {
            server.setKeyStorePath(str);
            server.setKeyManagerPassword("keypwd");
        });
    }

    protected void start(Consumer<SslContextFactory.Server> consumer) throws Exception {
        SslContextFactory.Server server = new SslContextFactory.Server();
        if (OS.WINDOWS.isCurrentOs()) {
        }
        server.setKeyStorePassword("storepwd");
        consumer.accept(server);
        File file = server.getKeyStoreResource().getFile();
        if (!file.exists()) {
            throw new FileNotFoundException(file.getAbsolutePath());
        }
        ServerConnector serverConnector = new ServerConnector(this._server, new ConnectionFactory[]{new SslConnectionFactory(server, HttpVersion.HTTP_1_1.asString()), new HttpConnectionFactory(this._httpsConfiguration)});
        this._connector = serverConnector;
        this._server.addConnector(serverConnector);
        this._server.setHandler(new AbstractHandler() { // from class: org.sparkproject.jetty.server.ssl.SniSslConnectionFactoryTest.1
            public void handle(String str, Request request, HttpServletRequest httpServletRequest, HttpServletResponse httpServletResponse) {
                request.setHandled(true);
                httpServletResponse.setStatus(200);
                httpServletResponse.setHeader("X-URL", httpServletRequest.getRequestURI());
                httpServletResponse.setHeader("X-HOST", httpServletRequest.getServerName());
            }
        });
        this._server.start();
        this._port = serverConnector.getLocalPort();
    }

    @AfterEach
    public void after() throws Exception {
        if (this._server != null) {
            this._server.stop();
        }
    }

    @Test
    public void testConnect() throws Exception {
        start("src/test/resources/keystore_sni.p12");
        MatcherAssert.assertThat(getResponse("127.0.0.1", null), Matchers.containsString("X-HOST: 127.0.0.1"));
    }

    @Test
    public void testSNIConnectNoWild() throws Exception {
        start("src/test/resources/keystore_sni_nowild.p12");
        String response = getResponse("www.acme.org", null);
        MatcherAssert.assertThat(response, Matchers.containsString("X-HOST: www.acme.org"));
        MatcherAssert.assertThat(response, Matchers.containsString("X-Cert: OU=default"));
        String response2 = getResponse("www.example.com", null);
        MatcherAssert.assertThat(response2, Matchers.containsString("X-HOST: www.example.com"));
        MatcherAssert.assertThat(response2, Matchers.containsString("X-Cert: OU=example"));
    }

    @Test
    public void testSNIConnect() throws Exception {
        start(server -> {
            server.setKeyStorePath("src/test/resources/keystore_sni.p12");
            server.setKeyManagerPassword("OBF:1u2u1wml1z7s1z7a1wnl1u2g");
            server.setSNISelector((str, principalArr, sSLSession, str2, collection) -> {
                return server.sniSelect(str, principalArr, sSLSession, str2, (List) collection.stream().sorted((x509, x5092) -> {
                    if (x509.matches("domain.com")) {
                        return -1;
                    }
                    return x5092.matches("domain.com") ? 1 : 0;
                }).collect(Collectors.toList()));
            });
        });
        MatcherAssert.assertThat(getResponse("jetty.eclipse.org", "jetty.eclipse.org"), Matchers.containsString("X-HOST: jetty.eclipse.org"));
        MatcherAssert.assertThat(getResponse("www.example.com", "www.example.com"), Matchers.containsString("X-HOST: www.example.com"));
        MatcherAssert.assertThat(getResponse("foo.domain.com", "*.domain.com"), Matchers.containsString("X-HOST: foo.domain.com"));
        MatcherAssert.assertThat(getResponse("sub.domain.com", "sub.domain.com"), Matchers.containsString("X-HOST: sub.domain.com"));
        MatcherAssert.assertThat(getResponse("m.san.com", "san example"), Matchers.containsString("X-HOST: m.san.com"));
        MatcherAssert.assertThat(getResponse("www.san.com", "san example"), Matchers.containsString("X-HOST: www.san.com"));
    }

    @Test
    public void testWildSNIConnect() throws Exception {
        start("src/test/resources/keystore_sni.p12");
        MatcherAssert.assertThat(getResponse("domain.com", "www.domain.com", "*.domain.com"), Matchers.containsString("X-HOST: www.domain.com"));
        MatcherAssert.assertThat(getResponse("domain.com", "domain.com", "*.domain.com"), Matchers.containsString("X-HOST: domain.com"));
        MatcherAssert.assertThat(getResponse("www.domain.com", "www.domain.com", "*.domain.com"), Matchers.containsString("X-HOST: www.domain.com"));
    }

    @Test
    public void testBadSNIConnect() throws Exception {
        start("src/test/resources/keystore_sni.p12");
        String response = getResponse("www.example.com", "some.other.com", "www.example.com");
        MatcherAssert.assertThat(response, Matchers.containsString("HTTP/1.1 400 "));
        MatcherAssert.assertThat(response, Matchers.containsString("Host does not match SNI"));
    }

    @DisabledOnOs(value = {OS.WINDOWS}, disabledReason = "TLSv1.3 behavior differences between Linux and Windows")
    @Test
    public void testWrongSNIRejectedConnection() throws Exception {
        start(server -> {
            server.setKeyStorePath("src/test/resources/keystore_sni.p12");
            server.setKeyManagerPassword("OBF:1u2u1wml1z7s1z7a1wnl1u2g");
            server.setSniRequired(true);
        });
        Assertions.assertThrows(SSLHandshakeException.class, () -> {
            getResponse("wrong.com", "wrong.com", null);
        });
        Assertions.assertThrows(SSLHandshakeException.class, () -> {
            getResponse(null, "wrong.com", null);
        });
    }

    @Test
    public void testWrongSNIRejectedBadRequest() throws Exception {
        start(server -> {
            server.setKeyStorePath("src/test/resources/keystore_sni.p12");
            server.setKeyManagerPassword("OBF:1u2u1wml1z7s1z7a1wnl1u2g");
            server.setSniRequired(false);
            Stream stream = this._httpsConfiguration.getCustomizers().stream();
            Class<SecureRequestCustomizer> cls = SecureRequestCustomizer.class;
            Objects.requireNonNull(SecureRequestCustomizer.class);
            Stream filter = stream.filter((v1) -> {
                return r1.isInstance(v1);
            });
            Class<SecureRequestCustomizer> cls2 = SecureRequestCustomizer.class;
            Objects.requireNonNull(SecureRequestCustomizer.class);
            filter.map((v1) -> {
                return r1.cast(v1);
            }).forEach(secureRequestCustomizer -> {
                secureRequestCustomizer.setSniRequired(true);
            });
        });
        HttpTester.Response parseResponse = HttpTester.parseResponse(getResponse("wrong.com", "wrong.com", null));
        Assertions.assertNotNull(parseResponse);
        MatcherAssert.assertThat(Integer.valueOf(parseResponse.getStatus()), Matchers.is(400));
        HttpTester.Response parseResponse2 = HttpTester.parseResponse(getResponse(null, "wrong.com", null));
        Assertions.assertNotNull(parseResponse2);
        MatcherAssert.assertThat(Integer.valueOf(parseResponse2.getStatus()), Matchers.is(400));
    }

    @DisabledOnOs(value = {OS.WINDOWS}, disabledReason = "TLSv1.3 behavior differences between Linux and Windows")
    @Test
    public void testWrongSNIRejectedFunction() throws Exception {
        start(server -> {
            server.setKeyStorePath("src/test/resources/keystore_sni.p12");
            server.setKeyManagerPassword("OBF:1u2u1wml1z7s1z7a1wnl1u2g");
            server.setSniRequired(true);
            server.setSNISelector((str, principalArr, sSLSession, str2, collection) -> {
                return str2 == null ? "delegate_no_sni_match" : server.sniSelect(str, principalArr, sSLSession, str2, collection);
            });
            Stream stream = this._httpsConfiguration.getCustomizers().stream();
            Class<SecureRequestCustomizer> cls = SecureRequestCustomizer.class;
            Objects.requireNonNull(SecureRequestCustomizer.class);
            Stream filter = stream.filter((v1) -> {
                return r1.isInstance(v1);
            });
            Class<SecureRequestCustomizer> cls2 = SecureRequestCustomizer.class;
            Objects.requireNonNull(SecureRequestCustomizer.class);
            filter.map((v1) -> {
                return r1.cast(v1);
            }).forEach(secureRequestCustomizer -> {
                secureRequestCustomizer.setSniRequired(true);
            });
        });
        Assertions.assertThrows(SSLHandshakeException.class, () -> {
            getResponse("wrong.com", "wrong.com", null);
        });
        HttpTester.Response parseResponse = HttpTester.parseResponse(getResponse(null, "wrong.com", null));
        Assertions.assertNotNull(parseResponse);
        MatcherAssert.assertThat(Integer.valueOf(parseResponse.getStatus()), Matchers.is(400));
    }

    @DisabledOnOs(value = {OS.WINDOWS}, disabledReason = "TLSv1.3 behavior differences between Linux and Windows")
    @Test
    public void testWrongSNIRejectedConnectionWithNonSNIKeystore() throws Exception {
        start(server -> {
            server.setKeyStorePath("src/test/resources/keystore");
            server.setKeyManagerPassword("OBF:1u2u1wml1z7s1z7a1wnl1u2g");
            server.setSniRequired(true);
        });
        Assertions.assertThrows(SSLHandshakeException.class, () -> {
            getResponse("wrong.com", "wrong.com", null);
        });
        Assertions.assertThrows(SSLHandshakeException.class, () -> {
            getResponse(null, "wrong.com", null);
        });
        HttpTester.Response parseResponse = HttpTester.parseResponse(getResponse("jetty.eclipse.org", "jetty.eclipse.org", null));
        Assertions.assertNotNull(parseResponse);
        MatcherAssert.assertThat(Integer.valueOf(parseResponse.getStatus()), Matchers.is(200));
    }

    @Test
    public void testSameConnectionRequestsForManyDomains() throws Exception {
        start("src/test/resources/keystore_sni.p12");
        this._server.setErrorHandler(new ErrorHandler());
        SslContextFactory.Client client = new SslContextFactory.Client(true);
        client.start();
        try {
            SSLSocket sSLSocket = (SSLSocket) client.getSslContext().getSocketFactory().createSocket("127.0.0.1", this._port);
            try {
                SNIHostName sNIHostName = new SNIHostName("m.san.com");
                SSLParameters sSLParameters = sSLSocket.getSSLParameters();
                sSLParameters.setServerNames(Collections.singletonList(sNIHostName));
                sSLSocket.setSSLParameters(sSLParameters);
                sSLSocket.startHandshake();
                OutputStream outputStream = sSLSocket.getOutputStream();
                outputStream.write("GET /ctx/path HTTP/1.1\r\nHost: m.san.com\r\n\r\n".getBytes(StandardCharsets.UTF_8));
                outputStream.flush();
                InputStream inputStream = sSLSocket.getInputStream();
                HttpTester.Response parseResponse = HttpTester.parseResponse(inputStream);
                Assertions.assertNotNull(parseResponse);
                MatcherAssert.assertThat(Integer.valueOf(parseResponse.getStatus()), Matchers.is(200));
                outputStream.write("GET /ctx/path HTTP/1.1\r\nHost: www.san.com\r\n\r\n".getBytes(StandardCharsets.UTF_8));
                outputStream.flush();
                HttpTester.Response parseResponse2 = HttpTester.parseResponse(inputStream);
                Assertions.assertNotNull(parseResponse2);
                MatcherAssert.assertThat(Integer.valueOf(parseResponse2.getStatus()), Matchers.is(200));
                outputStream.write("GET /ctx/path HTTP/1.1\r\nHost: www.example.com\r\n\r\n".getBytes(StandardCharsets.UTF_8));
                outputStream.flush();
                HttpTester.Response parseResponse3 = HttpTester.parseResponse(inputStream);
                Assertions.assertNotNull(parseResponse3);
                MatcherAssert.assertThat(Integer.valueOf(parseResponse3.getStatus()), Matchers.is(400));
                MatcherAssert.assertThat(parseResponse3.getContent(), Matchers.containsString("Host does not match SNI"));
                if (sSLSocket != null) {
                    sSLSocket.close();
                }
            } finally {
            }
        } finally {
            client.stop();
        }
    }

    @Test
    public void testSameConnectionRequestsForManyWildDomains() throws Exception {
        start("src/test/resources/keystore_sni.p12");
        SslContextFactory.Client client = new SslContextFactory.Client(true);
        client.start();
        try {
            SSLSocket sSLSocket = (SSLSocket) client.getSslContext().getSocketFactory().createSocket("127.0.0.1", this._port);
            try {
                SNIHostName sNIHostName = new SNIHostName("www.domain.com");
                SSLParameters sSLParameters = sSLSocket.getSSLParameters();
                sSLParameters.setServerNames(Collections.singletonList(sNIHostName));
                sSLSocket.setSSLParameters(sSLParameters);
                sSLSocket.startHandshake();
                OutputStream outputStream = sSLSocket.getOutputStream();
                outputStream.write("GET /ctx/path HTTP/1.1\r\nHost: www.domain.com\r\n\r\n".getBytes(StandardCharsets.UTF_8));
                outputStream.flush();
                InputStream inputStream = sSLSocket.getInputStream();
                HttpTester.Response parseResponse = HttpTester.parseResponse(inputStream);
                Assertions.assertNotNull(parseResponse);
                MatcherAssert.assertThat(Integer.valueOf(parseResponse.getStatus()), Matchers.is(200));
                outputStream.write("GET /ctx/path HTTP/1.1\r\nHost: assets.domain.com\r\n\r\n".getBytes(StandardCharsets.UTF_8));
                outputStream.flush();
                HttpTester.Response parseResponse2 = HttpTester.parseResponse(inputStream);
                Assertions.assertNotNull(parseResponse2);
                MatcherAssert.assertThat(Integer.valueOf(parseResponse2.getStatus()), Matchers.is(200));
                outputStream.write("GET /ctx/path HTTP/1.1\r\nHost: www.example.com\r\n\r\n".getBytes(StandardCharsets.UTF_8));
                outputStream.flush();
                HttpTester.Response parseResponse3 = HttpTester.parseResponse(inputStream);
                Assertions.assertNotNull(parseResponse3);
                MatcherAssert.assertThat(Integer.valueOf(parseResponse3.getStatus()), Matchers.is(400));
                MatcherAssert.assertThat(parseResponse3.getContent(), Matchers.containsString("Host does not match SNI"));
                if (sSLSocket != null) {
                    sSLSocket.close();
                }
            } finally {
            }
        } finally {
            client.stop();
        }
    }

    @Test
    public void testSocketCustomization() throws Exception {
        start("src/test/resources/keystore_sni.p12");
        final LinkedBlockingQueue linkedBlockingQueue = new LinkedBlockingQueue();
        this._connector.addBean(new SocketCustomizationListener() { // from class: org.sparkproject.jetty.server.ssl.SniSslConnectionFactoryTest.2
            protected void customize(Socket socket, Class<? extends Connection> cls, boolean z) {
                linkedBlockingQueue.add("customize connector " + cls + "," + z);
            }
        });
        ((SslConnectionFactory) this._connector.getBean(SslConnectionFactory.class)).addBean(new SocketCustomizationListener() { // from class: org.sparkproject.jetty.server.ssl.SniSslConnectionFactoryTest.3
            protected void customize(Socket socket, Class<? extends Connection> cls, boolean z) {
                linkedBlockingQueue.add("customize ssl " + cls + "," + z);
            }
        });
        ((HttpConnectionFactory) this._connector.getBean(HttpConnectionFactory.class)).addBean(new SocketCustomizationListener() { // from class: org.sparkproject.jetty.server.ssl.SniSslConnectionFactoryTest.4
            protected void customize(Socket socket, Class<? extends Connection> cls, boolean z) {
                linkedBlockingQueue.add("customize http " + cls + "," + z);
            }
        });
        MatcherAssert.assertThat(getResponse("127.0.0.1", null), Matchers.containsString("X-HOST: 127.0.0.1"));
        Assertions.assertEquals("customize connector class org.eclipse.jetty.io.ssl.SslConnection,false", linkedBlockingQueue.poll());
        Assertions.assertEquals("customize ssl class org.eclipse.jetty.io.ssl.SslConnection,false", linkedBlockingQueue.poll());
        Assertions.assertEquals("customize connector class org.eclipse.jetty.server.HttpConnection,true", linkedBlockingQueue.poll());
        Assertions.assertEquals("customize http class org.eclipse.jetty.server.HttpConnection,true", linkedBlockingQueue.poll());
        Assertions.assertEquals(0, linkedBlockingQueue.size());
    }

    @Test
    public void testSNIWithDifferentKeyTypes() throws Exception {
        start(server -> {
            server.setKeyStorePath("src/test/resources/keystore_sni_key_types.p12");
        });
        Assertions.assertEquals(200, HttpTester.parseResponse(getResponse("rsa.domain.com", "rsa.domain.com")).getStatus());
        Assertions.assertEquals(200, HttpTester.parseResponse(getResponse("ec.domain.com", "ec.domain.com")).getStatus());
    }

    private String getResponse(String str, String str2) throws Exception {
        String response = getResponse(str, str, str2);
        MatcherAssert.assertThat(response, Matchers.startsWith("HTTP/1.1 200 "));
        MatcherAssert.assertThat(response, Matchers.containsString("X-URL: /ctx/path"));
        return response;
    }

    private String getResponse(String str, String str2, String str3) throws Exception {
        SslContextFactory.Client client = new SslContextFactory.Client(true);
        client.start();
        try {
            SSLSocket sSLSocket = (SSLSocket) client.getSslContext().getSocketFactory().createSocket("127.0.0.1", this._port);
            if (str != null) {
                try {
                    SNIHostName sNIHostName = new SNIHostName(str);
                    ArrayList arrayList = new ArrayList();
                    arrayList.add(sNIHostName);
                    SSLParameters sSLParameters = sSLSocket.getSSLParameters();
                    sSLParameters.setServerNames(arrayList);
                    sSLSocket.setSSLParameters(sSLParameters);
                } finally {
                }
            }
            sSLSocket.startHandshake();
            if (str3 != null) {
                MatcherAssert.assertThat(((X509Certificate) sSLSocket.getSession().getPeerCertificates()[0]).getSubjectX500Principal().getName("CANONICAL"), Matchers.startsWith("cn=" + str3));
            }
            sSLSocket.getOutputStream().write(("GET /ctx/path HTTP/1.0\r\nHost: " + str2 + ":" + this._port + "\r\n\r\n").getBytes(StandardCharsets.ISO_8859_1));
            String io = IO.toString(sSLSocket.getInputStream());
            if (sSLSocket != null) {
                sSLSocket.close();
            }
            return io;
        } finally {
            client.stop();
        }
    }
}
