/*
 * Copyright (C) The Arvados Authors. All rights reserved.
 *
 * SPDX-License-Identifier: AGPL-3.0 OR Apache-2.0
 *
 */

package org.arvados.client.api.client.factory;

import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import okhttp3.mockwebserver.MockResponse;
import org.arvados.client.test.utils.ArvadosClientMockedWebServerTest;
import org.junit.Assert;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.mockito.junit.MockitoJUnitRunner;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import java.io.FileInputStream;
import java.security.KeyStore;


@RunWith(MockitoJUnitRunner.class)
public class OkHttpClientFactoryTest extends ArvadosClientMockedWebServerTest {

    @Test(expected = javax.net.ssl.SSLHandshakeException.class)
    public void secureOkHttpClientIsCreated() throws Exception {

        // given
        OkHttpClientFactory factory = OkHttpClientFactory.builder().build();
        // * configure HTTPS server
        SSLSocketFactory sf = getSSLSocketFactoryWithSelfSignedCertificate();
        server.useHttps(sf, false);
        server.enqueue(new MockResponse().setBody("OK"));
        // * prepare client HTTP request
        Request request = new Request.Builder()
                .url("https://localhost:9000/")
                .build();

        // when - then (SSL certificate is verified)
        OkHttpClient actual = factory.create(false);
        Response response = actual.newCall(request).execute();
    }

    @Test
    public void insecureOkHttpClientIsCreated() throws Exception {
        // given
        OkHttpClientFactory factory = OkHttpClientFactory.builder().build();
        // * configure HTTPS server
        SSLSocketFactory sf = getSSLSocketFactoryWithSelfSignedCertificate();
        server.useHttps(sf, false);
        server.enqueue(new MockResponse().setBody("OK"));
        // * prepare client HTTP request
        Request request = new Request.Builder()
                .url("https://localhost:9000/")
                .build();

        // when (SSL certificate is not verified)
        OkHttpClient actual = factory.create(true);
        Response response = actual.newCall(request).execute();

        // then
        Assert.assertEquals(response.body().string(),"OK");
    }


    /*
        This ugly boilerplate is needed to enable self signed certificate.

        It requires selfsigned.keystore.jks file. It was generated with:
        keytool -genkey -v -keystore mystore.keystore.jks -alias alias_name -keyalg RSA -keysize 2048 -validity 10000
     */
    public SSLSocketFactory getSSLSocketFactoryWithSelfSignedCertificate() throws Exception {

        FileInputStream stream = new FileInputStream("src/test/resources/selfsigned.keystore.jks");
        char[] serverKeyStorePassword = "123456".toCharArray();
        KeyStore serverKeyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        serverKeyStore.load(stream, serverKeyStorePassword);

        String kmfAlgorithm = KeyManagerFactory.getDefaultAlgorithm();
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(kmfAlgorithm);
        kmf.init(serverKeyStore, serverKeyStorePassword);

        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(kmfAlgorithm);
        trustManagerFactory.init(serverKeyStore);

        SSLContext sslContext = SSLContext.getInstance("SSL");
        sslContext.init(kmf.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);
        return sslContext.getSocketFactory();
    }
}