package io.confluent.kafkarest.servlet;

import com.google.common.collect.ImmutableMap;
import io.confluent.kafka.http.server.KafkaHttpServer;
import io.confluent.kafka.test.cluster.EmbeddedKafkaCluster;
import io.confluent.kafkarest.KafkaRestResourceExtension;
import java.io.File;
import java.io.IOException;
import java.net.ServerSocket;
import java.nio.file.CopyOption;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileAttribute;
import java.security.KeyPair;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import kafka.server.KafkaBroker;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.ssl.SSLContexts;
import org.apache.kafka.common.config.types.Password;
import org.apache.kafka.test.TestSslUtils;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Tag;
import org.junit.jupiter.api.Test;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Tag("IntegrationTest")
/* loaded from: input_file:io/confluent/kafkarest/servlet/CertReloadIntegrationTest.class */
public class CertReloadIntegrationTest {
    private static final Logger log = LoggerFactory.getLogger(CertReloadIntegrationTest.class);
    private Path dataDir;
    private File clientKeystore;
    private File serverKeystore;
    private File serverKeystoreErr;
    private Path serverKeystorePath;
    public static final String SSL_PASSWORD = "test1234";

    @BeforeEach
    public void setUp() throws Exception {
        try {
            File file = Files.createTempDirectory("SslCertReloadTest", new FileAttribute[0]).toFile();
            file.deleteOnExit();
            this.dataDir = Paths.get(file.getAbsolutePath(), "..data");
            Path createDirectory = Files.createDirectory(Paths.get(file.getAbsolutePath(), "old"), new FileAttribute[0]);
            File file2 = Files.createFile(createDirectory.resolve("truststore.jks"), new FileAttribute[0]).toFile();
            this.clientKeystore = Files.createFile(createDirectory.resolve("client-keystore.jks"), new FileAttribute[0]).toFile();
            this.serverKeystore = Files.createFile(createDirectory.resolve("server-keystore.jks"), new FileAttribute[0]).toFile();
            HashMap hashMap = new HashMap();
            createKeystoreWithCert(this.clientKeystore, "client", hashMap);
            createKeystoreWithCert(this.serverKeystore, "server", hashMap);
            TestSslUtils.createTrustStore(file2.getAbsolutePath(), new Password(SSL_PASSWORD), hashMap);
            Path createDirectory2 = Files.createDirectory(Paths.get(file.getAbsolutePath(), "err"), new FileAttribute[0]);
            Files.copy(createDirectory.resolve("truststore.jks"), createDirectory2.resolve("truststore.jks"), new CopyOption[0]);
            Files.copy(createDirectory.resolve("client-keystore.jks"), createDirectory2.resolve("client-keystore.jks"), new CopyOption[0]);
            this.serverKeystoreErr = Files.createFile(createDirectory2.resolve("server-keystore.jks"), new FileAttribute[0]).toFile();
            createWrongKeystoreWithCert(this.serverKeystoreErr, "server", new HashMap());
            Path createDirectory3 = Files.createDirectory(Paths.get(file.getAbsolutePath(), "new"), new FileAttribute[0]);
            Files.copy(createDirectory.resolve("truststore.jks"), createDirectory3.resolve("truststore.jks"), new CopyOption[0]);
            Files.copy(createDirectory.resolve("client-keystore.jks"), createDirectory3.resolve("client-keystore.jks"), new CopyOption[0]);
            Files.copy(createDirectory.resolve("server-keystore.jks"), createDirectory3.resolve("server-keystore.jks"), new CopyOption[0]);
            Files.createSymbolicLink(Paths.get(file.getAbsolutePath(), "truststore.jks"), Paths.get("..data", "truststore.jks"), new FileAttribute[0]);
            Files.createSymbolicLink(Paths.get(file.getAbsolutePath(), "client-keystore.jks"), Paths.get("..data", "client-keystore.jks"), new FileAttribute[0]);
            this.serverKeystorePath = Files.createSymbolicLink(Paths.get(file.getAbsolutePath(), "server-keystore.jks"), Paths.get("..data", "server-keystore.jks"), new FileAttribute[0]);
            Files.createSymbolicLink(this.dataDir, Paths.get("old", new String[0]), new FileAttribute[0]);
        } catch (IOException e) {
            throw new RuntimeException("Unable to create temporary files for truststores and keystores.", e);
        }
    }

    private void createKeystoreWithCert(File file, String str, Map<String, X509Certificate> map) throws Exception {
        KeyPair generateKeyPair = TestSslUtils.generateKeyPair("RSA");
        X509Certificate generate = new TestSslUtils.CertificateBuilder(30, "SHA1withRSA").sanDnsNames(new String[]{"localhost"}).generate("CN=mymachine.local, O=A client", generateKeyPair);
        TestSslUtils.createKeyStore(file.getPath(), new Password(SSL_PASSWORD), new Password(SSL_PASSWORD), str, generateKeyPair.getPrivate(), generate);
        map.put(str, generate);
    }

    private void createWrongKeystoreWithCert(File file, String str, Map<String, X509Certificate> map) throws Exception {
        KeyPair generateKeyPair = TestSslUtils.generateKeyPair("RSA");
        X509Certificate generate = new TestSslUtils.CertificateBuilder(30, "SHA1withRSA").sanDnsNames(new String[]{"fail"}).generate("CN=mymachine.local, O=A client", generateKeyPair);
        TestSslUtils.createKeyStore(file.getPath(), new Password(SSL_PASSWORD), new Password(SSL_PASSWORD), str, generateKeyPair.getPrivate(), generate);
        map.put(str, generate);
    }

    @Test
    public void testCertReloadMultipleApplications() throws Exception {
        String str = "localhost:" + findUnusedPort();
        String str2 = "localhost:" + findUnusedPort();
        EmbeddedKafkaCluster embeddedKafkaCluster = new EmbeddedKafkaCluster();
        embeddedKafkaCluster.startQuorum();
        Properties properties = new Properties();
        properties.putAll(ImmutableMap.builder().put("confluent.http.server.listener.protocol.map", "EXTERNAL:https,INTERNAL:https").put("confluent.http.server.listeners", "EXTERNAL://" + str + ",INTERNAL://" + str2).put("kafka.rest.external.enable", "true").put("kafka.rest.internal.enable", "true").put("confluent.http.server.ssl.keystore.location", this.serverKeystorePath.toString()).put("confluent.http.server.ssl.keystore.password", SSL_PASSWORD).put("confluent.http.server.ssl.key.password", SSL_PASSWORD).put("confluent.http.server.ssl.keystore.watch.location", this.dataDir.toString()).put("confluent.http.server.ssl.keystore.reload", "true").put("kafka.rest.external.kafka.rest.resource.extension.class", KafkaRestResourceExtension.class.getName()).put("kafka.rest.internal.kafka.rest.resource.extension.class", KafkaRestResourceExtension.class.getName()).build());
        embeddedKafkaCluster.startBrokers(1, properties);
        String clusterId = ((KafkaBroker) embeddedKafkaCluster.kafkaBrokers().get(0)).clusterId();
        ((KafkaHttpServer) ((KafkaBroker) embeddedKafkaCluster.kafkaBrokers().get(0)).httpServer().get()).awaitStarted();
        Assertions.assertEquals(200, makeGetRequest("https://" + str + "/kafka/v3/clusters/" + clusterId));
        Assertions.assertEquals(200, makeGetRequest("https://" + str2 + "/kafka/v3/clusters/" + clusterId));
        this.serverKeystore.delete();
        Files.delete(this.dataDir);
        Files.createSymbolicLink(this.dataDir, Paths.get("err", new String[0]), new FileAttribute[0]);
        boolean z = false;
        for (int i = 0; i < 10; i++) {
            Thread.sleep(5000L);
            try {
                Assertions.assertEquals(200, makeGetRequest("https://" + str + "/kafka/v3/clusters/" + clusterId));
            } catch (Exception e) {
                log.info("Exception with broken server cert: {}", e.toString());
                z = true;
            }
        }
        Assertions.assertTrue(z, "expect hit error with broken server cert");
        this.serverKeystoreErr.delete();
        Files.delete(this.dataDir);
        Files.createSymbolicLink(this.dataDir, Paths.get("new", new String[0]), new FileAttribute[0]);
        for (int i2 = 0; i2 < 10; i2++) {
            Thread.sleep(5000L);
            try {
                Assertions.assertEquals(200, makeGetRequest("https://" + str + "/kafka/v3/clusters/" + clusterId));
                Assertions.assertEquals(200, makeGetRequest("https://" + str2 + "/kafka/v3/clusters/" + clusterId));
                z = false;
                break;
            } catch (Exception e2) {
                log.info("Exception waiting for correct server cert: {}", e2.toString());
            }
        }
        Assertions.assertTrue(!z, "expect no hit error with correct server cert");
    }

    private int makeGetRequest(String str) throws Exception {
        CloseableHttpClient build;
        HttpGet httpGet = new HttpGet(str);
        if (str.startsWith("http://")) {
            build = HttpClients.createDefault();
        } else {
            SSLContextBuilder loadTrustMaterial = SSLContexts.custom().loadTrustMaterial(new TrustSelfSignedStrategy());
            loadTrustMaterial.loadKeyMaterial(this.clientKeystore, SSL_PASSWORD.toCharArray(), SSL_PASSWORD.toCharArray());
            build = HttpClients.custom().setSSLSocketFactory(new SSLConnectionSocketFactory(loadTrustMaterial.build(), new String[]{"TLSv1.2"}, (String[]) null, SSLConnectionSocketFactory.getDefaultHostnameVerifier())).build();
        }
        CloseableHttpResponse closeableHttpResponse = null;
        try {
            closeableHttpResponse = build.execute(httpGet);
            int statusCode = closeableHttpResponse.getStatusLine().getStatusCode();
            if (closeableHttpResponse != null) {
                closeableHttpResponse.close();
            }
            build.close();
            return statusCode;
        } catch (Throwable th) {
            if (closeableHttpResponse != null) {
                closeableHttpResponse.close();
            }
            build.close();
            throw th;
        }
    }

    private static int findUnusedPort() throws IOException {
        ServerSocket serverSocket = new ServerSocket(0);
        Throwable th = null;
        try {
            int localPort = serverSocket.getLocalPort();
            if (serverSocket != null) {
                if (0 != 0) {
                    try {
                        serverSocket.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                } else {
                    serverSocket.close();
                }
            }
            return localPort;
        } catch (Throwable th3) {
            if (serverSocket != null) {
                if (0 != 0) {
                    try {
                        serverSocket.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    serverSocket.close();
                }
            }
            throw th3;
        }
    }
}
