#!/usr/bin/env bash

#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements.  See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership.  The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License.  You may obtain a copy of the License at
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.
#

# Run a simple test over SSL

source env.sh
set -e                          # Fail on any un-checked error. Relaxed at points below.

trap stop_brokers EXIT

CONFIG=$(dirname $0)/qpidd-empty.conf
TEST_CERT_DIR=`pwd`/test_cert_dir
CERT_DB=${TEST_CERT_DIR}/test_cert_db
CERT_PW_FILE=`pwd`/cert.password
TEST_HOSTNAME=127.0.0.1
TEST_CLIENT_CERT=rumplestiltskin
CA_PEM_FILE=${TEST_CERT_DIR}/ca_cert.pem
OTHER_CA_CERT_DB=${TEST_CERT_DIR}/x_ca_cert_db
OTHER_CA_PEM_FILE=${TEST_CERT_DIR}/other_ca_cert.pem
PY_PING_BROKER=$SOURCE_DIR/src/tests/ping_broker
COUNT=10

if [[ -a $AMQP_LIB ]] ; then
    MODULES="--load-module $AMQP_LIB"
fi

RET=0                           # Return value for script
fatal() { echo $*; exit 1; }
error() { echo $*; RET=$((RET + 1)); } # Contine with other tests but fail the script

expect_pass() {
    line=$1; shift;
    echo "expect pass: $*"
    OUT=$("$@" 2>&1) || error -e "$OUT\n$0:$line: failed"
}
expect_fail() {
    line=$1; shift;
    echo "expect fail: $*"
    if "$@" > /dev/null 2>&1; then error "$0:$line: unexpected pass"; else true; fi
}

# create the test certificate database
#    $1 = string used as Subject in server's certificate
#    $2 = string used as SubjectAlternateName (SAN) in server's certificate
create_certs() {

    local CERT_SUBJECT=${1:-"CN=${TEST_HOSTNAME},O=MyCo,ST=Massachusetts,C=US"}
    local CERT_SAN=${2:-"*.server.com"}

    mkdir -p ${TEST_CERT_DIR}
    rm -rf ${TEST_CERT_DIR}/*

    # Set Up a CA with a self-signed Certificate
    #
    mkdir -p ${CERT_DB}
    certutil -N -d ${CERT_DB} -f ${CERT_PW_FILE}
    certutil -S -d ${CERT_DB} -n "Test-CA" -s "CN=Test-CA,O=MyCo,ST=Massachusetts,C=US" -t "CT,," -x -f ${CERT_PW_FILE} -z /bin/sh --keyUsage certSigning >/dev/null 2>&1
    certutil -L -d ${CERT_DB} -n "Test-CA" -a -o ${CERT_DB}/rootca.crt -f ${CERT_PW_FILE}
    #certutil -L -d ${CERT_DB} -f ${CERT_PW_FILE}

    # create server certificate signed by Test-CA
    #
    certutil -R -d ${CERT_DB} -s "${CERT_SUBJECT}" -o ${TEST_CERT_DIR}/server.req -f ${CERT_PW_FILE} -z /bin/sh > /dev/null 2>&1
    certutil -C -d ${CERT_DB} -c "Test-CA" -8 "${CERT_SAN}" -i ${TEST_CERT_DIR}/server.req -o ${TEST_CERT_DIR}/server.crt -f ${CERT_PW_FILE} -m ${RANDOM}
    certutil -A -d ${CERT_DB} -n ${TEST_HOSTNAME} -i ${TEST_CERT_DIR}/server.crt -t "Pu,,"  >/dev/null 2>&1

    # create a certificate to identify the client
    #
    certutil -R -d ${CERT_DB} -s "CN=${TEST_CLIENT_CERT}" -o ${TEST_CERT_DIR}/client.req -f ${CERT_PW_FILE} -z /bin/sh > /dev/null 2>&1
    certutil -C -d ${CERT_DB} -c "Test-CA" -8 "*.client.com" -i ${TEST_CERT_DIR}/client.req -o ${TEST_CERT_DIR}/client.crt -f ${CERT_PW_FILE} -m ${RANDOM}
    certutil -A -d ${CERT_DB} -n ${TEST_CLIENT_CERT} -i ${TEST_CERT_DIR}/client.crt -t "Pu,,"  >/dev/null 2>&1
    ###
    #certutil -N -d ${SERVER_CERT_DIR} -f ${CERT_PW_FILE}
    #certutil -S -d ${SERVER_CERT_DIR} -n ${TEST_HOSTNAME} -s "CN=${TEST_HOSTNAME}" -t "CT,," -x -f ${CERT_PW_FILE} -z /usr/bin/certutil
    #certutil -S -d ${SERVER_CERT_DIR} -n ${TEST_CLIENT_CERT} -s "CN=${TEST_CLIENT_CERT}" -t "CT,," -x -f ${CERT_PW_FILE} -z /usr/bin/certutil

    # Set up a separate DB with its own CA for testing failure to validate scenario
    #
    mkdir -p ${OTHER_CA_CERT_DB}
    certutil -N -d ${OTHER_CA_CERT_DB} -f ${CERT_PW_FILE}
    certutil -S -d ${OTHER_CA_CERT_DB} -n "Other-Test-CA" -s "CN=Another Test CA,O=MyCo,ST=Massachusetts,C=US" -t "CT,," -x -f ${CERT_PW_FILE} -z /bin/sh >/dev/null 2>&1
    certutil -L -d ${OTHER_CA_CERT_DB} -n "Other-Test-CA" -a -o ${OTHER_CA_CERT_DB}/rootca.crt -f ${CERT_PW_FILE}
    #certutil -L -d ${OTHER_CA_CERT_DB} -f ${CERT_PW_FILE}
}

delete_certs() {
    if [[ -e ${TEST_CERT_DIR} ]] ;  then
        rm -rf ${TEST_CERT_DIR}
    fi
}

# Don't need --no-module-dir or --no-data-dir as they are set as env vars in env.sh
COMMON_OPTS="--daemon --config $CONFIG --ssl-cert-db $CERT_DB --ssl-cert-password-file $CERT_PW_FILE --ssl-cert-name $TEST_HOSTNAME"

# Start new brokers:
#   $1 must be integer
#   $2 = extra opts
# Append used ports to PORTS variable
start_brokers() {
    local -a ports
    for (( i=0; $i<$1; i++)) do
    ports[$i]=$(qpidd --port 0 --interface 127.0.0.1 $COMMON_OPTS $2) || fatal "Could not start broker $i"
    done
    PORTS=( ${PORTS[@]} ${ports[@]} )
}

# Stop single broker:
#   $1 is number of broker to stop (0 based)
stop_broker() {
    qpidd -qp ${PORTS[$1]}

    # Remove from ports array
    unset PORTS[$1]
}

stop_brokers() {
    for port in "${PORTS[@]}"; do
        qpidd -qp $port || true
    done
    PORTS=()
}

pick_port() {
    # We need a fixed port to set --cluster-url. Use qpidd to pick a free port.
    PICK=`qpidd --no-module-dir --listen-disable ssl -dp0`
    qpidd --no-module-dir -qp $PICK
    echo $PICK
}

start_ssl_broker() {
    start_brokers 1 "--transport ssl --ssl-port 0 --require-encryption --auth no $MODULES"
}

start_ssl_mux_broker() {
    qpidd $COMMON_OPTS --port $1 --ssl-port $1 --auth no
    PORTS=( ${PORTS[@]} $1 )
}

sasl_config_dir=$BUILD_DIR/src/tests/sasl_config

start_authenticating_broker() {
    start_brokers 1 "--transport ssl --ssl-port 0 --require-encryption --ssl-sasl-no-dict --ssl-require-client-authentication --auth yes --sasl-config=${sasl_config_dir} $MODULES"
}

ssl_cluster_broker() {		# $1 = port
    start_brokers 1 "--ssl-port $1 --auth no --load-module  $CLUSTER_LIB --cluster-name ssl_test.$HOSTNAME.$$ --cluster-url amqp:ssl:$TEST_HOSTNAME:$1"

    # Wait for broker to be ready
    qpid-ping -Pssl -b $TEST_HOSTNAME:$1 -q || { echo "Cannot connect to broker on $1"; exit 1; }
}

set +e
CERTUTIL=$(type -p certutil)
set -e
if [[ !(-x $CERTUTIL) ]] ; then
    echo "No certutil, skipping ssl test";
    exit $RET
fi

if [[ !(-e ${CERT_PW_FILE}) ]] ;  then
    echo password > ${CERT_PW_FILE}
fi

delete_certs
create_certs || fatal "Could not create test certificate database"

start_ssl_broker
PORT=${PORTS[0]}
echo "Running SSL test on port $PORT"
export QPID_NO_MODULE_DIR=1
export QPID_SSL_CERT_DB=${CERT_DB}
export QPID_SSL_CERT_PASSWORD_FILE=${CERT_PW_FILE}

## Test connection via connection settings
qpid-perftest --count ${COUNT} --port ${PORT} -P ssl -b $TEST_HOSTNAME --summary

## Test connection with a URL
URL=amqp:ssl:$TEST_HOSTNAME:$PORT
qpid-send -b $URL --content-string=hello -a "foo;{create:always}"
MSG=`qpid-receive -b $URL -a "foo;{create:always}" --messages 1`
test "$MSG" = "hello" || { echo "receive failed '$MSG' != 'hello'"; exit 1; }

if [[ -a $AMQP_LIB ]] ; then
    echo "Testing ssl over AMQP 1.0"
    qpid-send --connection-options '{protocol:amqp1.0}'  -b $URL --content-string=hello -a "foo;{create:always}"
    MSG=`qpid-receive --connection-options '{protocol:amqp1.0}' -b $URL -a "foo;{create:always}" --messages 1`
    test "$MSG" = "hello" || { echo "receive failed for AMQP 1.0 '$MSG' != 'hello'"; exit 1; }
fi

## Test connection with a combination of URL and connection options (in messaging API)
URL=$TEST_HOSTNAME:$PORT
qpid-send -b $URL --connection-options '{transport:ssl,heartbeat:2}' --content-string='hello again' -a "foo;{create:always}"
MSG=`qpid-receive -b $URL --connection-options '{transport:ssl,heartbeat:2}' -a "foo;{create:always}" --messages 1`
test "$MSG" = "hello again" || { echo "receive failed '$MSG' != 'hello again'"; exit 1; }

## Test using the Python client
if test -d $PYTHON_DIR; then
    echo "Testing Non-Authenticating with Python Client..."
    URL=amqps://$TEST_HOSTNAME:$PORT
    expect_pass $LINENO $PY_PING_BROKER -b $URL
else
    echo "Skipping python part of ssl_test, no python dir."
fi

#### Client Authentication tests

start_authenticating_broker
PORT2=${PORTS[1]}
echo "Running SSL client authentication test on port $PORT2"
URL=amqp:ssl:$TEST_HOSTNAME:$PORT2

## See if you can set the SSL cert-name for the connection
qpid-send -b $URL --connection-options "{ssl-cert-name: $TEST_CLIENT_CERT }"  --content-string=hello -a "bar;{create:always}"
MSG2=`qpid-receive -b $URL  --connection-options "{ssl-cert-name: $TEST_CLIENT_CERT }" -a "bar;{create:always}" --messages 1`
test "$MSG2" = "hello" || { echo "receive failed '$MSG2' != 'hello'"; exit 1; }

## Make sure that connect fails with an invalid SSL cert-name
expect_fail $LINENO  qpid-send -b $URL --connection-options "{ssl-cert-name: pignose }" --content-string=hello -a "baz;{create:always}"
expect_fail $LINENO qpid-receive -b $URL  --connection-options "{ssl-cert-name: pignose }" -a "baz;{create:always}" --messages 1
stop_brokers

# Test ssl muxed with plain TCP on the same connection

# Test a specified port number - since tcp/ssl are the same port don't need to specify --transport ssl
PORT=`pick_port`
start_ssl_mux_broker $PORT || fatal "Could not start broker"
echo "Running SSL/TCP mux test on fixed port $PORT"

## Test connection via connection settings
qpid-perftest --count ${COUNT} --port ${PORT} -P ssl -b $TEST_HOSTNAME --summary || fatal "SSL connection failed!"
qpid-perftest --count ${COUNT} --port ${PORT} -P tcp -b $TEST_HOSTNAME --summary || fatal "TCP connection failed!"

# Test a broker chosen port - since ssl chooses port need to use --transport ssl here
start_ssl_broker
PORT=${PORTS[0]}
echo "Running SSL/TCP mux test on random port $PORT"

## Test connection via connection settings
qpid-perftest --count ${COUNT} --port ${PORT} -P ssl -b $TEST_HOSTNAME --summary || fatal "SSL connection failed!"
qpid-perftest --count ${COUNT} --port ${PORT} -P tcp -b $TEST_HOSTNAME --summary || fatal "TCP connection failed!"

stop_brokers

### Additional tests that require 'openssl' and 'pk12util' to be installed (optional)

set +e
PK12UTIL=$(type -p pk12util)
if [[ !(-x $PK12UTIL) ]] ; then
    echo >&2 "'pk12util' command not available, skipping remaining tests"
    exit $RET
fi

OPENSSL=$(type -p openssl)
if [[ !(-x $OPENSSL) ]] ; then
    echo >&2 "'openssl' command not available, skipping remaining tests"
    exit $RET
fi

## verify python version > 2.5 (only 2.6+ does certificate checking)
PY_VERSION=$(python -c "import sys; print hex(sys.hexversion)")
if (( PY_VERSION < 0x02060000 )); then
    echo >&2 "Detected python version < 2.6 - skipping certificate verification tests"
    exit $RET
fi
set -e

echo "Testing Certificate validation and Authentication with the Python Client..."

# extract the CA's certificate as a PEM file
get_ca_certs() {
    $PK12UTIL -o ${TEST_CERT_DIR}/CA_pk12.out -d ${CERT_DB} -n "Test-CA"  -w ${CERT_PW_FILE} -k ${CERT_PW_FILE} > /dev/null
    $OPENSSL pkcs12 -in ${TEST_CERT_DIR}/CA_pk12.out -out ${CA_PEM_FILE} -nokeys -passin file:${CERT_PW_FILE} >/dev/null
    $PK12UTIL -o ${TEST_CERT_DIR}/other_CA_pk12.out -d ${OTHER_CA_CERT_DB} -n "Other-Test-CA" -w ${CERT_PW_FILE} -k ${CERT_PW_FILE} > /dev/null
    $OPENSSL pkcs12 -in ${TEST_CERT_DIR}/other_CA_pk12.out -out ${OTHER_CA_PEM_FILE} -nokeys -passin file:${CERT_PW_FILE} >/dev/null
}

get_ca_certs || fatal "Could not extract CA certificates as PEM files"
start_ssl_broker
PORT=${PORTS[0]}
URL=amqps://$TEST_HOSTNAME:$PORT
# verify the python client can authenticate the broker using the CA
expect_pass $LINENO ${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE}
# verify the python client fails to authenticate the broker when using the other CA
expect_fail $LINENO ${PY_PING_BROKER} -b $URL --ssl-trustfile=${OTHER_CA_PEM_FILE}
stop_brokers

# create a certificate without matching TEST_HOSTNAME, should fail to verify

create_certs "O=MyCo" "*.${TEST_HOSTNAME}.com" || fatal "Could not create server test certificate"
get_ca_certs || fatal "Could not extract CA certificates as PEM files"
start_ssl_broker
PORT=${PORTS[0]}
URL=amqps://$TEST_HOSTNAME:$PORT
expect_fail $LINENO ${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE}
# but disabling the check for the hostname should pass
expect_pass $LINENO ${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE} --ssl-skip-hostname-check
stop_brokers

# test SubjectAltName parsing

if (( PY_VERSION >= 0x02070300 )); then
# python 2.7.3+ supports SubjectAltName extraction
# create a certificate with TEST_HOSTNAME only in SAN, should verify OK
    create_certs "O=MyCo" "*.foo.com,${TEST_HOSTNAME},*xyz.com" || fatal "Could not create server test certificate"
    get_ca_certs || fatal "Could not extract CA certificates as PEM files"
    start_ssl_broker
    PORT=${PORTS[0]}
    URL=amqps://$TEST_HOSTNAME:$PORT
    expect_pass $LINENO ${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE}
    stop_brokers

    create_certs "O=MyCo" "*${TEST_HOSTNAME}" || fatal "Could not create server test certificate"
    get_ca_certs || fatal "Could not extract CA certificates as PEM files"
    start_ssl_broker
    PORT=${PORTS[0]}
    URL=amqps://$TEST_HOSTNAME:$PORT
    expect_pass $LINENO ${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE}
    stop_brokers
fi

exit $RET
