package org.apache.kafka.common.security.ssl;

import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Security;
import java.util.Arrays;
import java.util.Map;
import java.util.Properties;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import org.apache.kafka.common.KafkaException;
import org.apache.kafka.common.config.ConfigException;
import org.apache.kafka.common.config.types.Password;
import org.apache.kafka.common.network.Mode;
import org.apache.kafka.common.security.TestSecurityConfig;
import org.apache.kafka.common.security.auth.SslEngineFactory;
import org.apache.kafka.common.security.ssl.DefaultSslEngineFactory;
import org.apache.kafka.common.security.ssl.SslFactory;
import org.apache.kafka.common.security.ssl.mock.TestProviderCreator;
import org.apache.kafka.common.utils.Utils;
import org.apache.kafka.test.TestSslUtils;
import org.apache.kafka.test.TestUtils;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;

/* loaded from: input_file:org/apache/kafka/common/security/ssl/SslFactoryTest.class */
public abstract class SslFactoryTest {
    private final String tlsProtocol;

    public SslFactoryTest(String str) {
        this.tlsProtocol = str;
    }

    @Test
    public void testSslFactoryConfiguration() throws Exception {
        Map<String, Object> build = sslConfigsBuilder(Mode.SERVER).createNewTrustStore(TestUtils.tempFile("truststore", ".jks")).build();
        SslFactory sslFactory = new SslFactory(Mode.SERVER);
        sslFactory.configure(build);
        SSLEngine createSslEngine = sslFactory.createSslEngine("localhost", 0);
        Assertions.assertNotNull(createSslEngine);
        Assertions.assertEquals(Utils.mkSet(new String[]{this.tlsProtocol}), Utils.mkSet(createSslEngine.getEnabledProtocols()));
        Assertions.assertEquals(false, Boolean.valueOf(createSslEngine.getUseClientMode()));
    }

    @Test
    public void testSslFactoryWithCustomKeyManagerConfiguration() {
        TestProviderCreator testProviderCreator = new TestProviderCreator();
        Map<String, Object> createSslConfig = TestSslUtils.createSslConfig("TestAlgorithm", "TestAlgorithm", this.tlsProtocol);
        createSslConfig.put("security.providers", testProviderCreator.getClass().getName());
        SslFactory sslFactory = new SslFactory(Mode.SERVER);
        sslFactory.configure(createSslConfig);
        Assertions.assertNotNull(sslFactory.sslEngineFactory(), "SslEngineFactory not created");
        Security.removeProvider(testProviderCreator.getProvider().getName());
    }

    @Test
    public void testSslFactoryWithoutProviderClassConfiguration() {
        Map<String, Object> createSslConfig = TestSslUtils.createSslConfig("TestAlgorithm", "TestAlgorithm", this.tlsProtocol);
        SslFactory sslFactory = new SslFactory(Mode.SERVER);
        Assertions.assertThrows(KafkaException.class, () -> {
            sslFactory.configure(createSslConfig);
        });
    }

    @Test
    public void testSslFactoryWithIncorrectProviderClassConfiguration() {
        Map<String, Object> createSslConfig = TestSslUtils.createSslConfig("TestAlgorithm", "TestAlgorithm", this.tlsProtocol);
        createSslConfig.put("security.providers", "com.fake.ProviderClass1,com.fake.ProviderClass2");
        SslFactory sslFactory = new SslFactory(Mode.SERVER);
        Assertions.assertThrows(KafkaException.class, () -> {
            sslFactory.configure(createSslConfig);
        });
    }

    @Test
    public void testSslFactoryWithoutPasswordConfiguration() throws Exception {
        Map<String, Object> build = sslConfigsBuilder(Mode.SERVER).createNewTrustStore(TestUtils.tempFile("truststore", ".jks")).build();
        build.remove("ssl.truststore.password");
        try {
            new SslFactory(Mode.SERVER).configure(build);
        } catch (Exception e) {
            Assertions.fail("An exception was thrown when configuring the truststore without a password: " + e);
        }
    }

    @Test
    public void testClientMode() throws Exception {
        Map<String, Object> build = sslConfigsBuilder(Mode.CLIENT).createNewTrustStore(TestUtils.tempFile("truststore", ".jks")).useClientCert(false).build();
        SslFactory sslFactory = new SslFactory(Mode.CLIENT);
        sslFactory.configure(build);
        Assertions.assertTrue(sslFactory.createSslEngine("localhost", 0).getUseClientMode());
    }

    @Test
    public void staleSslEngineFactoryShouldBeClosed() throws IOException, GeneralSecurityException {
        Map<String, Object> build = sslConfigsBuilder(Mode.SERVER).createNewTrustStore(TestUtils.tempFile("truststore", ".jks")).useClientCert(false).build();
        build.put("ssl.engine.factory.class", TestSslUtils.TestSslEngineFactory.class);
        SslFactory sslFactory = new SslFactory(Mode.SERVER);
        sslFactory.configure(build);
        TestSslUtils.TestSslEngineFactory testSslEngineFactory = (TestSslUtils.TestSslEngineFactory) sslFactory.sslEngineFactory();
        Assertions.assertNotNull(testSslEngineFactory);
        Assertions.assertFalse(testSslEngineFactory.closed);
        Map<String, Object> build2 = sslConfigsBuilder(Mode.SERVER).createNewTrustStore(TestUtils.tempFile("truststore", ".jks")).build();
        build2.put("ssl.engine.factory.class", TestSslUtils.TestSslEngineFactory.class);
        sslFactory.reconfigure(build2);
        Assertions.assertNotEquals(testSslEngineFactory, (TestSslUtils.TestSslEngineFactory) sslFactory.sslEngineFactory());
        Assertions.assertTrue(testSslEngineFactory.closed);
    }

    @Test
    public void testReconfiguration() throws Exception {
        Map<String, Object> build = sslConfigsBuilder(Mode.SERVER).createNewTrustStore(TestUtils.tempFile("truststore", ".jks")).build();
        SslFactory sslFactory = new SslFactory(Mode.SERVER);
        sslFactory.configure(build);
        SslEngineFactory sslEngineFactory = sslFactory.sslEngineFactory();
        Assertions.assertNotNull(sslEngineFactory, "SslEngineFactory not created");
        sslFactory.reconfigure(build);
        Assertions.assertSame(sslEngineFactory, sslFactory.sslEngineFactory(), "SslEngineFactory recreated unnecessarily");
        File tempFile = TestUtils.tempFile("truststore", ".jks");
        Map<String, Object> build2 = sslConfigsBuilder(Mode.SERVER).createNewTrustStore(tempFile).build();
        sslFactory.reconfigure(build2);
        Assertions.assertNotSame(sslEngineFactory, sslFactory.sslEngineFactory(), "SslEngineFactory not recreated");
        SslEngineFactory sslEngineFactory2 = sslFactory.sslEngineFactory();
        tempFile.setLastModified(System.currentTimeMillis() + 10000);
        sslFactory.reconfigure(build2);
        Assertions.assertNotSame(sslEngineFactory2, sslFactory.sslEngineFactory(), "SslEngineFactory not recreated");
        SslEngineFactory sslEngineFactory3 = sslFactory.sslEngineFactory();
        File file = new File((String) build2.get("ssl.keystore.location"));
        file.setLastModified(System.currentTimeMillis() + 10000);
        sslFactory.reconfigure(build2);
        Assertions.assertNotSame(sslEngineFactory3, sslFactory.sslEngineFactory(), "SslEngineFactory not recreated");
        SslEngineFactory sslEngineFactory4 = sslFactory.sslEngineFactory();
        file.setLastModified(System.currentTimeMillis() + TestUtils.DEFAULT_MAX_WAIT_MS);
        sslFactory.validateReconfiguration(build2);
        sslFactory.reconfigure(build2);
        Assertions.assertNotSame(sslEngineFactory4, sslFactory.sslEngineFactory(), "SslEngineFactory not recreated");
        SslEngineFactory sslEngineFactory5 = sslFactory.sslEngineFactory();
        file.setLastModified(System.currentTimeMillis() + 20000);
        Files.delete(file.toPath());
        sslFactory.reconfigure(build2);
        Assertions.assertSame(sslEngineFactory5, sslFactory.sslEngineFactory(), "SslEngineFactory recreated unnecessarily");
    }

    @Test
    public void testReconfigurationWithoutTruststore() throws Exception {
        File tempFile = TestUtils.tempFile("truststore", ".jks");
        Map<String, Object> build = sslConfigsBuilder(Mode.SERVER).createNewTrustStore(tempFile).build();
        build.remove("ssl.truststore.location");
        build.remove("ssl.truststore.password");
        build.remove("ssl.truststore.type");
        SslFactory sslFactory = new SslFactory(Mode.SERVER);
        sslFactory.configure(build);
        SSLContext sslContext = sslFactory.sslEngineFactory().sslContext();
        Assertions.assertNotNull(sslContext, "SSL context not created");
        Assertions.assertSame(sslContext, sslFactory.sslEngineFactory().sslContext(), "SSL context recreated unnecessarily");
        Assertions.assertFalse(sslFactory.createSslEngine("localhost", 0).getUseClientMode());
        try {
            sslFactory.validateReconfiguration(sslConfigsBuilder(Mode.SERVER).createNewTrustStore(tempFile).build());
            Assertions.fail("Truststore configured dynamically for listener without previous truststore");
        } catch (ConfigException e) {
        }
    }

    @Test
    public void testReconfigurationWithoutKeystore() throws Exception {
        Map<String, Object> build = sslConfigsBuilder(Mode.SERVER).createNewTrustStore(TestUtils.tempFile("truststore", ".jks")).build();
        build.remove("ssl.keystore.location");
        build.remove("ssl.keystore.password");
        build.remove("ssl.keystore.type");
        SslFactory sslFactory = new SslFactory(Mode.SERVER);
        sslFactory.configure(build);
        SSLContext sslContext = sslFactory.sslEngineFactory().sslContext();
        Assertions.assertNotNull(sslContext, "SSL context not created");
        Assertions.assertSame(sslContext, sslFactory.sslEngineFactory().sslContext(), "SSL context recreated unnecessarily");
        Assertions.assertFalse(sslFactory.createSslEngine("localhost", 0).getUseClientMode());
        File tempFile = TestUtils.tempFile("truststore", ".jks");
        Map<String, Object> build2 = sslConfigsBuilder(Mode.SERVER).createNewTrustStore(tempFile).build();
        build2.remove("ssl.keystore.location");
        build2.remove("ssl.keystore.password");
        build2.remove("ssl.keystore.type");
        sslFactory.reconfigure(build2);
        Assertions.assertNotSame(sslContext, sslFactory.sslEngineFactory().sslContext(), "SSL context not recreated");
        try {
            sslFactory.validateReconfiguration(sslConfigsBuilder(Mode.SERVER).createNewTrustStore(tempFile).build());
            Assertions.fail("Keystore configured dynamically for listener without previous keystore");
        } catch (ConfigException e) {
        }
    }

    @Test
    public void testPemReconfiguration() throws Exception {
        Properties properties = new Properties();
        properties.putAll(sslConfigsBuilder(Mode.SERVER).createNewTrustStore(null).usePem(true).build());
        TestSecurityConfig testSecurityConfig = new TestSecurityConfig(properties);
        SslFactory sslFactory = new SslFactory(Mode.SERVER);
        sslFactory.configure(testSecurityConfig.values());
        SslEngineFactory sslEngineFactory = sslFactory.sslEngineFactory();
        Assertions.assertNotNull(sslEngineFactory, "SslEngineFactory not created");
        properties.put("some.config", "some.value");
        sslFactory.reconfigure(new TestSecurityConfig(properties).values());
        Assertions.assertSame(sslEngineFactory, sslFactory.sslEngineFactory(), "SslEngineFactory recreated unnecessarily");
        properties.put("ssl.keystore.key", new Password(((Password) properties.get("ssl.keystore.key")).value() + " "));
        sslFactory.reconfigure(new TestSecurityConfig(properties).values());
        Assertions.assertNotSame(sslEngineFactory, sslFactory.sslEngineFactory(), "SslEngineFactory not recreated");
        SslEngineFactory sslEngineFactory2 = sslFactory.sslEngineFactory();
        properties.put("ssl.keystore.certificate.chain", new Password(((Password) properties.get("ssl.keystore.certificate.chain")).value() + " "));
        sslFactory.reconfigure(new TestSecurityConfig(properties).values());
        Assertions.assertNotSame(sslEngineFactory2, sslFactory.sslEngineFactory(), "SslEngineFactory not recreated");
        SslEngineFactory sslEngineFactory3 = sslFactory.sslEngineFactory();
        properties.put("ssl.truststore.certificates", new Password(((Password) properties.get("ssl.truststore.certificates")).value() + " "));
        sslFactory.reconfigure(new TestSecurityConfig(properties).values());
        Assertions.assertNotSame(sslEngineFactory3, sslFactory.sslEngineFactory(), "SslEngineFactory not recreated");
        sslFactory.sslEngineFactory();
    }

    @Test
    public void testKeyStoreTrustStoreValidation() throws Exception {
        Map<String, Object> build = sslConfigsBuilder(Mode.SERVER).createNewTrustStore(TestUtils.tempFile("truststore", ".jks")).build();
        SslFactory sslFactory = new SslFactory(Mode.SERVER);
        sslFactory.configure(build);
        Assertions.assertNotNull(sslFactory.sslEngineFactory(), "SslEngineFactory not created");
    }

    @Test
    public void testUntrustedKeyStoreValidationFails() throws Exception {
        File tempFile = TestUtils.tempFile("truststore1", ".jks");
        File tempFile2 = TestUtils.tempFile("truststore2", ".jks");
        Map<String, Object> build = sslConfigsBuilder(Mode.SERVER).createNewTrustStore(tempFile).build();
        Map<String, Object> build2 = sslConfigsBuilder(Mode.SERVER).createNewTrustStore(tempFile2).build();
        SslFactory sslFactory = new SslFactory(Mode.SERVER, (String) null, true);
        for (String str : Arrays.asList("ssl.truststore.location", "ssl.truststore.password", "ssl.truststore.type", "ssl.trustmanager.algorithm")) {
            build.put(str, build2.get(str));
        }
        try {
            sslFactory.configure(build);
            Assertions.fail("Validation did not fail with untrusted truststore");
        } catch (ConfigException e) {
        }
    }

    @Test
    public void testKeystoreVerifiableUsingTruststore() throws Exception {
        verifyKeystoreVerifiableUsingTruststore(false, this.tlsProtocol);
    }

    @Test
    public void testPemKeystoreVerifiableUsingTruststore() throws Exception {
        verifyKeystoreVerifiableUsingTruststore(true, this.tlsProtocol);
    }

    private void verifyKeystoreVerifiableUsingTruststore(boolean z, String str) throws Exception {
        Map<String, Object> build = sslConfigsBuilder(Mode.SERVER).createNewTrustStore(z ? null : TestUtils.tempFile("truststore1", ".jks")).usePem(z).build();
        SslFactory sslFactory = new SslFactory(Mode.SERVER, (String) null, true);
        sslFactory.configure(build);
        try {
            sslFactory.validateReconfiguration(sslConfigsBuilder(Mode.SERVER).createNewTrustStore(z ? null : TestUtils.tempFile("truststore2", ".jks")).usePem(z).build());
            Assertions.fail("ValidateReconfiguration did not fail as expected");
        } catch (ConfigException e) {
        }
    }

    @Test
    public void testCertificateEntriesValidation() throws Exception {
        verifyCertificateEntriesValidation(false, this.tlsProtocol);
    }

    @Test
    public void testPemCertificateEntriesValidation() throws Exception {
        verifyCertificateEntriesValidation(true, this.tlsProtocol);
    }

    private void verifyCertificateEntriesValidation(boolean z, String str) throws Exception {
        Map<String, Object> build = sslConfigsBuilder(Mode.SERVER).createNewTrustStore(z ? null : TestUtils.tempFile("truststore", ".jks")).usePem(z).build();
        Map<String, Object> build2 = sslConfigsBuilder(Mode.SERVER).createNewTrustStore(z ? null : TestUtils.tempFile("truststore", ".jks")).cn("Another CN").usePem(z).build();
        KeyStore sslKeyStore = sslKeyStore(build);
        KeyStore sslKeyStore2 = sslKeyStore(build);
        Assertions.assertEquals(SslFactory.CertificateEntries.create(sslKeyStore), SslFactory.CertificateEntries.create(sslKeyStore2));
        sslKeyStore2.setCertificateEntry("another", sslKeyStore.getCertificate("localhost"));
        Assertions.assertEquals(SslFactory.CertificateEntries.create(sslKeyStore), SslFactory.CertificateEntries.create(sslKeyStore2));
        Assertions.assertNotEquals(SslFactory.CertificateEntries.create(sslKeyStore), SslFactory.CertificateEntries.create(sslKeyStore(build2)));
    }

    @Test
    public void testClientSpecifiedSslEngineFactoryUsed() throws Exception {
        Map<String, Object> build = sslConfigsBuilder(Mode.CLIENT).createNewTrustStore(TestUtils.tempFile("truststore", ".jks")).useClientCert(false).build();
        build.put("ssl.engine.factory.class", TestSslUtils.TestSslEngineFactory.class);
        SslFactory sslFactory = new SslFactory(Mode.CLIENT);
        sslFactory.configure(build);
        Assertions.assertTrue(sslFactory.sslEngineFactory() instanceof TestSslUtils.TestSslEngineFactory, "SslEngineFactory must be of expected type");
    }

    @Test
    public void testEngineFactoryClosed() throws Exception {
        Map<String, Object> build = sslConfigsBuilder(Mode.CLIENT).createNewTrustStore(TestUtils.tempFile("truststore", ".jks")).useClientCert(false).build();
        build.put("ssl.engine.factory.class", TestSslUtils.TestSslEngineFactory.class);
        SslFactory sslFactory = new SslFactory(Mode.CLIENT);
        sslFactory.configure(build);
        TestSslUtils.TestSslEngineFactory testSslEngineFactory = (TestSslUtils.TestSslEngineFactory) sslFactory.sslEngineFactory();
        Assertions.assertFalse(testSslEngineFactory.closed);
        sslFactory.close();
        Assertions.assertTrue(testSslEngineFactory.closed);
    }

    @Test
    public void testServerSpecifiedSslEngineFactoryUsed() throws Exception {
        Map<String, Object> build = sslConfigsBuilder(Mode.SERVER).createNewTrustStore(TestUtils.tempFile("truststore", ".jks")).useClientCert(false).build();
        build.put("ssl.engine.factory.class", TestSslUtils.TestSslEngineFactory.class);
        SslFactory sslFactory = new SslFactory(Mode.SERVER);
        sslFactory.configure(build);
        Assertions.assertTrue(sslFactory.sslEngineFactory() instanceof TestSslUtils.TestSslEngineFactory, "SslEngineFactory must be of expected type");
    }

    @Test
    public void testInvalidSslEngineFactory() throws Exception {
        Map<String, Object> build = sslConfigsBuilder(Mode.CLIENT).createNewTrustStore(TestUtils.tempFile("truststore", ".jks")).useClientCert(false).build();
        build.put("ssl.engine.factory.class", String.class);
        SslFactory sslFactory = new SslFactory(Mode.CLIENT);
        Assertions.assertThrows(ClassCastException.class, () -> {
            sslFactory.configure(build);
        });
    }

    @Test
    public void testUsedConfigs() throws IOException, GeneralSecurityException {
        Map<String, Object> build = sslConfigsBuilder(Mode.SERVER).createNewTrustStore(TestUtils.tempFile("truststore", ".jks")).useClientCert(false).build();
        build.put("ssl.engine.factory.class", TestSslUtils.TestSslEngineFactory.class);
        TestSecurityConfig testSecurityConfig = new TestSecurityConfig(build);
        new SslFactory(Mode.SERVER).configure(testSecurityConfig.values());
        Assertions.assertFalse(testSecurityConfig.unused().contains("ssl.engine.factory.class"));
    }

    private KeyStore sslKeyStore(Map<String, Object> map) {
        return (map.get("ssl.keystore.location") != null ? new DefaultSslEngineFactory.FileBasedStore((String) map.get("ssl.keystore.type"), (String) map.get("ssl.keystore.location"), (Password) map.get("ssl.keystore.password"), (Password) map.get("ssl.key.password"), true) : new DefaultSslEngineFactory.PemStore((Password) map.get("ssl.keystore.certificate.chain"), (Password) map.get("ssl.keystore.key"), (Password) map.get("ssl.key.password"))).get();
    }

    private TestSslUtils.SslConfigsBuilder sslConfigsBuilder(Mode mode) {
        return new TestSslUtils.SslConfigsBuilder(mode).tlsProtocol(this.tlsProtocol);
    }
}
