#!/usr/bin/env bash

#
# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements.  See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership.  The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License.  You may obtain a copy of the License at
#
#   http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied.  See the License for the
# specific language governing permissions and limitations
# under the License.
#

# Run a simple test over SSL

#set -x

CONFIG=$(dirname $0)/config.null
TEST_CERT_DIR=`pwd`/test_cert_dir
CERT_DB=${TEST_CERT_DIR}/test_cert_db
CERT_PW_FILE=`pwd`/cert.password
TEST_HOSTNAME=127.0.0.1
TEST_CLIENT_CERT=rumplestiltskin
CA_PEM_FILE=${TEST_CERT_DIR}/ca_cert.pem
OTHER_CA_CERT_DB=${TEST_CERT_DIR}/x_ca_cert_db
OTHER_CA_PEM_FILE=${TEST_CERT_DIR}/other_ca_cert.pem
PY_PING_BROKER=${QPID_TEST_SRC_DIR}/ping_broker
COUNT=10

if [[ -a $AMQP_LIB ]] ; then
    MODULES="--load-module $AMQP_LIB"
fi

trap cleanup EXIT

error() { echo $*; exit 1; }

# create the test certificate database
#    $1 = string used as Subject in server's certificate
#    $2 = string used as SubjectAlternateName (SAN) in server's certificate
create_certs() {

    local CERT_SUBJECT=${1:-"CN=${TEST_HOSTNAME},O=MyCo,ST=Massachusetts,C=US"}
    local CERT_SAN=${2:-"*.server.com"}

    mkdir -p ${TEST_CERT_DIR}
    rm -rf ${TEST_CERT_DIR}/*

    # Set Up a CA with a self-signed Certificate
    #
    mkdir -p ${CERT_DB}
    certutil -N -d ${CERT_DB} -f ${CERT_PW_FILE}
    certutil -S -d ${CERT_DB} -n "Test-CA" -s "CN=Test-CA,O=MyCo,ST=Massachusetts,C=US" -t "CT,," -x -f ${CERT_PW_FILE} -z /bin/sh >/dev/null 2>&1
    certutil -L -d ${CERT_DB} -n "Test-CA" -a -o ${CERT_DB}/rootca.crt -f ${CERT_PW_FILE}
    #certutil -L -d ${CERT_DB} -f ${CERT_PW_FILE}

    # create server certificate signed by Test-CA
    #
    certutil -R -d ${CERT_DB} -s "${CERT_SUBJECT}" -o ${TEST_CERT_DIR}/server.req -f ${CERT_PW_FILE} -z /bin/sh > /dev/null 2>&1
    certutil -C -d ${CERT_DB} -c "Test-CA" -8 "${CERT_SAN}" -i ${TEST_CERT_DIR}/server.req -o ${TEST_CERT_DIR}/server.crt -f ${CERT_PW_FILE} -m ${RANDOM}
    certutil -A -d ${CERT_DB} -n ${TEST_HOSTNAME} -i ${TEST_CERT_DIR}/server.crt -t "Pu,,"

    # create a certificate to identify the client
    #
    certutil -R -d ${CERT_DB} -s "CN=${TEST_CLIENT_CERT}" -o ${TEST_CERT_DIR}/client.req -f ${CERT_PW_FILE} -z /bin/sh > /dev/null 2>&1
    certutil -C -d ${CERT_DB} -c "Test-CA" -8 "*.client.com" -i ${TEST_CERT_DIR}/client.req -o ${TEST_CERT_DIR}/client.crt -f ${CERT_PW_FILE} -m ${RANDOM}
    certutil -A -d ${CERT_DB} -n ${TEST_CLIENT_CERT} -i ${TEST_CERT_DIR}/client.crt -t "Pu,,"
    ###
    #certutil -N -d ${SERVER_CERT_DIR} -f ${CERT_PW_FILE}
    #certutil -S -d ${SERVER_CERT_DIR} -n ${TEST_HOSTNAME} -s "CN=${TEST_HOSTNAME}" -t "CT,," -x -f ${CERT_PW_FILE} -z /usr/bin/certutil
    #certutil -S -d ${SERVER_CERT_DIR} -n ${TEST_CLIENT_CERT} -s "CN=${TEST_CLIENT_CERT}" -t "CT,," -x -f ${CERT_PW_FILE} -z /usr/bin/certutil

    # Set up a separate DB with its own CA for testing failure to validate scenario
    #
    mkdir -p ${OTHER_CA_CERT_DB}
    certutil -N -d ${OTHER_CA_CERT_DB} -f ${CERT_PW_FILE}
    certutil -S -d ${OTHER_CA_CERT_DB} -n "Other-Test-CA" -s "CN=Another Test CA,O=MyCo,ST=Massachusetts,C=US" -t "CT,," -x -f ${CERT_PW_FILE} -z /bin/sh >/dev/null 2>&1
    certutil -L -d ${OTHER_CA_CERT_DB} -n "Other-Test-CA" -a -o ${OTHER_CA_CERT_DB}/rootca.crt -f ${CERT_PW_FILE}
    #certutil -L -d ${OTHER_CA_CERT_DB} -f ${CERT_PW_FILE}
}

delete_certs() {
    if [[ -e ${TEST_CERT_DIR} ]] ;  then
        rm -rf ${TEST_CERT_DIR}
    fi
}

# Don't need --no-module-dir or --no-data-dir as they are set as env vars in test_env.sh
COMMON_OPTS="--daemon --config $CONFIG --ssl-cert-db $CERT_DB --ssl-cert-password-file $CERT_PW_FILE --ssl-cert-name $TEST_HOSTNAME"

# Start new brokers:
#   $1 must be integer
#   $2 = extra opts
# Append used ports to PORTS variable
start_brokers() {
    local -a ports
    for (( i=0; $i<$1; i++)) do
    ports[$i]=$($QPIDD_EXEC --port 0 --interface 127.0.0.1 $COMMON_OPTS $2) || error "Could not start broker $i"
    done
    PORTS=( ${PORTS[@]} ${ports[@]} )
}

# Stop single broker:
#   $1 is number of broker to stop (0 based)
stop_broker() {
    $QPIDD_EXEC -qp ${PORTS[$1]}

    # Remove from ports array
    unset PORTS[$1]
}

stop_brokers() {
    for port in "${PORTS[@]}";
    do
        $QPIDD_EXEC -qp $port
    done
    PORTS=()
}

pick_port() {
    # We need a fixed port to set --cluster-url. Use qpidd to pick a free port.
    PICK=`../qpidd --no-module-dir --listen-disable ssl -dp0`
    ../qpidd --no-module-dir -qp $PICK
    echo $PICK
}

cleanup() {
    stop_brokers
    delete_certs
    rm -f ${CERT_PW_FILE}
}

start_ssl_broker() {
    start_brokers 1 "--transport ssl --ssl-port 0 --require-encryption --auth no $MODULES"
}

start_ssl_mux_broker() {
    ../qpidd $COMMON_OPTS --port $1 --ssl-port $1 --auth no
    PORTS=( ${PORTS[@]} $1 )
}

sasl_config_dir=$QPID_TEST_EXEC_DIR/sasl_config

start_authenticating_broker() {
    start_brokers 1 "--transport ssl --ssl-port 0 --require-encryption --ssl-sasl-no-dict --ssl-require-client-authentication --auth yes --sasl-config=${sasl_config_dir} $MODULES"
}

ssl_cluster_broker() {		# $1 = port
    start_brokers 1 "--ssl-port $1 --auth no --load-module  $CLUSTER_LIB --cluster-name ssl_test.$HOSTNAME.$$ --cluster-url amqp:ssl:$TEST_HOSTNAME:$1"

    # Wait for broker to be ready
    qpid-ping -Pssl -b $TEST_HOSTNAME:$1 -q || { echo "Cannot connect to broker on $1"; exit 1; }
}

CERTUTIL=$(type -p certutil)
if [[ !(-x $CERTUTIL) ]] ; then
    echo "No certutil, skipping ssl test";
    exit 0;
fi

if [[ !(-e ${CERT_PW_FILE}) ]] ;  then
    echo password > ${CERT_PW_FILE}
fi
delete_certs
create_certs || error "Could not create test certificate database"

start_ssl_broker
PORT=${PORTS[0]}
echo "Running SSL test on port $PORT"
export QPID_NO_MODULE_DIR=1
export QPID_SSL_CERT_DB=${CERT_DB}
export QPID_SSL_CERT_PASSWORD_FILE=${CERT_PW_FILE}

## Test connection via connection settings
./qpid-perftest --count ${COUNT} --port ${PORT} -P ssl -b $TEST_HOSTNAME --summary

## Test connection with a URL
URL=amqp:ssl:$TEST_HOSTNAME:$PORT
./qpid-send -b $URL --content-string=hello -a "foo;{create:always}"
MSG=`./qpid-receive -b $URL -a "foo;{create:always}" --messages 1`
test "$MSG" = "hello" || { echo "receive failed '$MSG' != 'hello'"; exit 1; }

if [[ -a $AMQP_LIB ]] ; then
    echo "Testing ssl over AMQP 1.0"
    ./qpid-send --connection-options '{protocol:amqp1.0}'  -b $URL --content-string=hello -a "foo;{create:always}"
    MSG=`./qpid-receive --connection-options '{protocol:amqp1.0}' -b $URL -a "foo;{create:always}" --messages 1`
    test "$MSG" = "hello" || { echo "receive failed for AMQP 1.0 '$MSG' != 'hello'"; exit 1; }
fi

## Test connection with a combination of URL and connection options (in messaging API)
URL=$TEST_HOSTNAME:$PORT
./qpid-send -b $URL --connection-options '{transport:ssl,heartbeat:2}' --content-string='hello again' -a "foo;{create:always}"
MSG=`./qpid-receive -b $URL --connection-options '{transport:ssl,heartbeat:2}' -a "foo;{create:always}" --messages 1`
test "$MSG" = "hello again" || { echo "receive failed '$MSG' != 'hello again'"; exit 1; }

## Test using the Python client
if test -d $PYTHON_DIR; then
    echo "Testing Non-Authenticating with Python Client..."
    URL=amqps://$TEST_HOSTNAME:$PORT
    if `$PY_PING_BROKER -b $URL`; then echo "    Passed"; else { echo "    Failed"; exit 1; }; fi
else
    echo "Skipping python part of ssl_test, no python dir."
fi

#### Client Authentication tests

start_authenticating_broker
PORT2=${PORTS[1]}
echo "Running SSL client authentication test on port $PORT2"
URL=amqp:ssl:$TEST_HOSTNAME:$PORT2

## See if you can set the SSL cert-name for the connection
./qpid-send -b $URL --connection-options "{ssl-cert-name: $TEST_CLIENT_CERT }"  --content-string=hello -a "bar;{create:always}"
MSG2=`./qpid-receive -b $URL  --connection-options "{ssl-cert-name: $TEST_CLIENT_CERT }" -a "bar;{create:always}" --messages 1`
test "$MSG2" = "hello" || { echo "receive failed '$MSG2' != 'hello'"; exit 1; }

## Make sure that connect fails with an invalid SSL cert-name
./qpid-send -b $URL --connection-options "{ssl-cert-name: pignose }" --content-string=hello -a "baz;{create:always}" 2>/dev/null 1>/dev/null
MSG3=`./qpid-receive -b $URL  --connection-options "{ssl-cert-name: pignose }" -a "baz;{create:always}" --messages 1 2>/dev/null`
test "$MSG3" = "" || { echo "receive succeeded without valid ssl cert '$MSG3' != ''"; exit 1; }

stop_brokers

# Test ssl muxed with plain TCP on the same connection

# Test a specified port number - since tcp/ssl are the same port don't need to specify --transport ssl
PORT=`pick_port`
start_ssl_mux_broker $PORT || error "Could not start broker"
echo "Running SSL/TCP mux test on fixed port $PORT"

## Test connection via connection settings
./qpid-perftest --count ${COUNT} --port ${PORT} -P ssl -b $TEST_HOSTNAME --summary || error "SSL connection failed!"
./qpid-perftest --count ${COUNT} --port ${PORT} -P tcp -b $TEST_HOSTNAME --summary || error "TCP connection failed!"

# Test a broker chosen port - since ssl chooses port need to use --transport ssl here
start_ssl_broker
PORT=${PORTS[0]}
echo "Running SSL/TCP mux test on random port $PORT"

## Test connection via connection settings
./qpid-perftest --count ${COUNT} --port ${PORT} -P ssl -b $TEST_HOSTNAME --summary || error "SSL connection failed!"
./qpid-perftest --count ${COUNT} --port ${PORT} -P tcp -b $TEST_HOSTNAME --summary || error "TCP connection failed!"

stop_brokers

### Additional tests that require 'openssl' and 'pk12util' to be installed (optional)

PK12UTIL=$(type -p pk12util)
if [[ !(-x $PK12UTIL) ]] ; then
    echo >&2 "'pk12util' command not available, skipping remaining tests"
    exit 0
fi

OPENSSL=$(type -p openssl)
if [[ !(-x $OPENSSL) ]] ; then
    echo >&2 "'openssl' command not available, skipping remaining tests"
    exit 0
fi

if test -d $PYTHON_DIR; then
## verify python version > 2.5 (only 2.6+ does certificate checking)
    PY_VERSION=$(python -c "import sys; print hex(sys.hexversion)")
    if (( PY_VERSION < 0x02060000 )); then
	echo >&2 "Detected python version < 2.6 - skipping certificate verification tests"
	exit 0
    fi

    echo "Testing Certificate validation and Authentication with the Python Client..."

# extract the CA's certificate as a PEM file
    get_ca_certs() {
	$PK12UTIL -o ${TEST_CERT_DIR}/CA_pk12.out -d ${CERT_DB} -n "Test-CA"  -w ${CERT_PW_FILE} -k ${CERT_PW_FILE} > /dev/null
	$OPENSSL pkcs12 -in ${TEST_CERT_DIR}/CA_pk12.out -out ${CA_PEM_FILE} -nokeys -passin file:${CERT_PW_FILE} >/dev/null
	$PK12UTIL -o ${TEST_CERT_DIR}/other_CA_pk12.out -d ${OTHER_CA_CERT_DB} -n "Other-Test-CA" -w ${CERT_PW_FILE} -k ${CERT_PW_FILE} > /dev/null
	$OPENSSL pkcs12 -in ${TEST_CERT_DIR}/other_CA_pk12.out -out ${OTHER_CA_PEM_FILE} -nokeys -passin file:${CERT_PW_FILE} >/dev/null
    }

    get_ca_certs || error "Could not extract CA certificates as PEM files"
    start_ssl_broker
    PORT=${PORTS[0]}
    URL=amqps://$TEST_HOSTNAME:$PORT
# verify the python client can authenticate the broker using the CA
    if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE}`; then echo "    Passed"; else { echo "    Failed"; exit 1; }; fi
# verify the python client fails to authenticate the broker when using the other CA
    if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${OTHER_CA_PEM_FILE} > /dev/null 2>&1`; then { echo "    Failed"; exit 1; }; else echo "    Passed"; fi
    stop_brokers

# create a certificate without matching TEST_HOSTNAME, should fail to verify

    create_certs "O=MyCo" "*.${TEST_HOSTNAME}.com" || error "Could not create server test certificate"
    get_ca_certs || error "Could not extract CA certificates as PEM files"
    start_ssl_broker
    PORT=${PORTS[0]}
    URL=amqps://$TEST_HOSTNAME:$PORT
    if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE} > /dev/null 2>&1`; then { echo "    Failed"; exit 1; }; else echo "    Passed"; fi
# but disabling the check for the hostname should pass
    if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE} --ssl-skip-hostname-check`; then echo "    Passed"; else { echo "    Failed"; exit 1; }; fi
    stop_brokers

# test SubjectAltName parsing

    if (( PY_VERSION >= 0x02070300 )); then
    # python 2.7.3+ supports SubjectAltName extraction
    # create a certificate with TEST_HOSTNAME only in SAN, should verify OK
	create_certs "O=MyCo" "*.foo.com,${TEST_HOSTNAME},*xyz.com" || error "Could not create server test certificate"
	get_ca_certs || error "Could not extract CA certificates as PEM files"
	start_ssl_broker
	PORT=${PORTS[0]}
	URL=amqps://$TEST_HOSTNAME:$PORT
	if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE}`; then echo "    Passed"; else { echo "    Failed"; exit 1; }; fi
	stop_brokers

	create_certs "O=MyCo" "*${TEST_HOSTNAME}" || error "Could not create server test certificate"
	get_ca_certs || error "Could not extract CA certificates as PEM files"
	start_ssl_broker
	PORT=${PORTS[0]}
	URL=amqps://$TEST_HOSTNAME:$PORT
	if `${PY_PING_BROKER} -b $URL --ssl-trustfile=${CA_PEM_FILE}`; then echo "    Passed"; else { echo "    Failed"; exit 1; }; fi
	stop_brokers
    fi

fi