package io.confluent.kafka.schemaregistry.security.authorizer;

import com.google.common.collect.ImmutableMap;
import io.confluent.common.security.SecureTestUtils;
import io.confluent.kafka.schemaregistry.avro.AvroCompatibilityLevel;
import io.confluent.kafka.schemaregistry.avro.AvroUtils;
import io.confluent.kafka.schemaregistry.client.rest.exceptions.RestClientException;
import io.confluent.kafka.schemaregistry.rest.SchemaRegistryConfig;
import io.confluent.kafka.schemaregistry.security.SchemaRegistrySecurityResourceExtension;
import io.confluent.kafka.schemaregistry.security.SrSecurityTestHarness;
import io.confluent.kafka.schemaregistry.storage.SchemaRegistry;
import java.io.File;
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.util.ArrayList;
import java.util.Properties;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManagerFactory;
import kafka.utils.TestUtils;
import org.apache.kafka.common.config.types.Password;
import org.apache.kafka.common.security.auth.SecurityProtocol;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import scala.collection.JavaConverters;

/* loaded from: input_file:io/confluent/kafka/schemaregistry/security/authorizer/AuthorizerIntegrationTest.class */
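/**
 * Integration test that starts Schema Registry with the security resource extension, the stub
 * {@link TestAuthorizer} and the "SSL" auth mechanism, then checks how authorizer decisions
 * surface to a REST client as HTTP status codes (success, 403, 404).
 *
 * <p>Security caveats for anyone reusing this fixture: it installs an accept-all hostname
 * verifier and a custom SSL socket factory as JVM-wide {@link HttpsURLConnection} defaults,
 * sets an empty endpoint identification algorithm, and uses a hard-coded store password.
 * These are test-only shortcuts.
 */
public class AuthorizerIntegrationTest extends SrSecurityTestHarness {
    // Schema Registry properties; populated by getSchemaRegistryProperties() and read again by
    // setupClientSSL() to locate the key store and trust store.
    Properties props;

    /**
     * Stub authorizer with a fixed policy, used only to drive the status codes asserted below:
     * operations whose name ends with "WRITE" are allowed, everything else is denied, and a
     * negative "id" path parameter is reported as "schema not found".
     */
    public static class TestAuthorizer implements SchemaRegistryAuthorizer {
        /** No configuration is needed for the fixed test policy. */
        public void configure(SchemaRegistryConfig schemaRegistryConfig, SchemaRegistry schemaRegistry) {
        }

        /**
         * Decides a request according to the fixed test policy.
         *
         * @param authorizeRequest the request under evaluation
         * @return {@code true} for operations whose string form ends with "WRITE";
         *     {@code false} otherwise
         * @throws AuthorizerException a {@link SchemaNotFoundAuthorizerException} when the "id"
         *     path parameter parses to a negative number
         */
        public boolean authorize(AuthorizeRequest authorizeRequest) throws AuthorizerException {
            // Suffix match on the operation's string form: a test shortcut, not a pattern for a
            // real policy, since any operation name ending in "WRITE" is granted.
            if (authorizeRequest.getSchemaRegistryResourceOperation().toString().endsWith("WRITE")) {
                return true;
            }
            String idParam = (String) authorizeRequest.getContainerRequestContext().getUriInfo().getPathParameters().getFirst("id");
            if (idParam == null) {
                return false;
            }
            final int id;
            try {
                id = Integer.parseInt(idParam);
            } catch (NumberFormatException ignored) {
                // The path parameter is client-controlled. Fail closed (deny) instead of letting
                // an unchecked exception escape the authorization decision.
                return false;
            }
            if (id < 0) {
                throw new SchemaNotFoundAuthorizerException();
            }
            return false;
        }

        /** Nothing to release. */
        public void shutdown() {
        }
    }

    /** Creates the test with the harness arguments used by this suite and an empty property set. */
    public AuthorizerIntegrationTest() {
        super(1, true, AvroCompatibilityLevel.BACKWARD.name);
        this.props = new Properties();
    }

    /**
     * Starts the harness, installs the client-side SSL defaults, then polls the registry (every
     * 100 ms, for up to 5 s) until a call stops failing with HTTP 402.
     */
    @BeforeEach
    public void setUp() throws Exception {
        super.setUp();
        setupClientSSL();
        TestUtils.waitUntilTrue(() -> {
            try {
                // NOTE(review): the decompiled code returns the call's result directly as the
                // wait condition; confirm against the original source that this evaluates to a
                // boolean as waitUntilTrue expects.
                return this.restApp.restClient.getSchemaTypes();
            } catch (Exception e) {
                // Only a RestClientException with status 402 means "keep waiting" (judging by the
                // failure message below, presumably the license is not valid yet). Any other
                // failure ends the wait; with this authorizer a read is expected to be denied.
                boolean stillWaiting = (e instanceof RestClientException)
                        && ((RestClientException) e).getStatus() == 402;
                return Boolean.valueOf(!stillWaiting);
            }
        }, () -> "Fail to fetch a valid license", 5000L, 100L);
    }

    /** A register call (a write operation) must be allowed by {@link TestAuthorizer}. */
    @Test
    public void testAllow() throws Exception {
        Assertions.assertEquals(1, this.restApp.restClient.registerSchema(AvroUtils.parseSchema("{\"type\":\"record\",\"name\":\"myrecord\",\"fields\":[{\"type\":\"string\",\"name\":\"f1\"}]}").canonicalString(), "testSubject"), "Registering should succeed");
    }

    /** Read operations without an "id" path parameter must be denied and surface as HTTP 403. */
    @Test
    public void testReject() throws Exception {
        try {
            this.restApp.restClient.getLatestVersion("testSubject");
            Assertions.fail("Getting all versions from non-existing subject1 should fail with 403");
        } catch (RestClientException e) {
            Assertions.assertEquals(403, e.getStatus(), "Should get a 403 status for GET operations");
        }
        try {
            this.restApp.restClient.getLatestWithMetadata("testSubject", ImmutableMap.of("application.version", "v2"), false);
            Assertions.fail("Getting all versions from non-existing subject1 should fail with 403");
        } catch (RestClientException e2) {
            Assertions.assertEquals(403, e2.getStatus(), "Should get a 403 status for GET operations");
        }
    }

    /**
     * A negative schema id makes {@link TestAuthorizer} throw
     * {@link SchemaNotFoundAuthorizerException}, which must surface as HTTP 404 rather than 403.
     */
    @Test
    public void testNotFound() throws Exception {
        try {
            this.restApp.restClient.getOnlySchemaById(-1);
            Assertions.fail("Getting a schema from a non-existent schema ID should fail with 40403 (schema not found)");
        } catch (RestClientException e) {
            Assertions.assertEquals(404, e.getStatus(), "Should get a 404 status for GET non-existent schema ID");
        }
    }

    /**
     * Builds the Schema Registry configuration for this test: security extension, stub
     * authorizer, "SSL" auth mechanism, HTTPS between instances, and generated SSL stores.
     *
     * @return the shared {@link #props} instance, mutated in place
     */
    protected Properties getSchemaRegistryProperties() {
        this.props.put("schema.registry.resource.extension.class", SchemaRegistrySecurityResourceExtension.class.getName());
        this.props.put("confluent.schema.registry.authorizer.class", TestAuthorizer.class.getName());
        this.props.put("confluent.schema.registry.auth.mechanism", "SSL");
        this.props.put("schema.registry.inter.instance.protocol", "https");
        // Empty value: in Kafka-style SSL configs this turns off endpoint (hostname)
        // identification. Acceptable only because the certificates are generated for the test.
        this.props.put("ssl.endpoint.identification.algorithm", "");
        try {
            File trustStoreFile = File.createTempFile("truststore", ".jks");
            trustStoreFile.deleteOnExit();
            // Hard-coded store password: test fixture material only.
            this.props.putAll(SecureTestUtils.clientSslConfigsWithKeyStore(1, trustStoreFile, new Password("TrustPassword"), new ArrayList(), new ArrayList()));
            this.props.put("ssl.client.auth", "true");
            // The license client talks to the test brokers over PLAINTEXT.
            this.props.setProperty("confluent.license.bootstrap.servers", TestUtils.getBrokerListStrFromServers(JavaConverters.asScalaBuffer(this.servers), SecurityProtocol.PLAINTEXT));
            this.props.setProperty("confluent.license.security.protocol", "PLAINTEXT");
        } catch (Exception e) {
            // Best-effort behaviour of the original is kept: the failure is only printed and the
            // properties are returned without the SSL store settings, so the registry may start
            // with an incomplete TLS configuration and fail later in a less obvious way.
            e.printStackTrace();
        }
        return this.props;
    }

    /** @return the scheme the harness uses to reach Schema Registry, always {@code "https"} */
    protected String getSchemaRegistryProtocol() {
        return "https";
    }

    /**
     * Installs JVM-wide {@link HttpsURLConnection} defaults for the test client: an accept-all
     * hostname verifier and a socket factory backed by the key store and trust store named in
     * {@link #props}.
     *
     * <p>Both defaults are static, so they stay in effect for every later
     * {@code HttpsURLConnection} in the same JVM, including other test classes run in the same
     * process. Failures are printed and swallowed, as in the original; the accept-all verifier
     * is installed first and therefore remains in place even when loading the stores fails.
     */
    private void setupClientSSL() {
        try {
            // Accepts any hostname for any session: certificate-to-host binding is not checked.
            HttpsURLConnection.setDefaultHostnameVerifier((hostname, session) -> true);

            KeyStore keyStore = loadJksStore("ssl.keystore.location", "ssl.keystore.password");
            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            keyManagerFactory.init(keyStore, ((String) this.props.get("ssl.keystore.password")).toCharArray());

            KeyStore trustStore = loadJksStore("ssl.truststore.location", "ssl.truststore.password");
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init(trustStore);

            SSLContext sslContext = SSLContext.getInstance("TLS");
            sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), new SecureRandom());
            HttpsURLConnection.setDefaultSSLSocketFactory(sslContext.getSocketFactory());
        } catch (Exception e) {
            // Kept as best-effort: on failure the default socket factory is left unchanged.
            e.printStackTrace();
        }
    }

    /**
     * Loads a JKS store whose file location and password are stored in {@link #props}.
     *
     * <p>try-with-resources closes the stream on every path; the decompiled original leaked the
     * first stream when loading failed and closed the second one twice.
     *
     * @param locationKey property key holding the store's file path
     * @param passwordKey property key holding the store's password
     * @return the loaded key store
     * @throws Exception if a property is missing or of the wrong type, or the store cannot be read
     */
    private KeyStore loadJksStore(String locationKey, String passwordKey) throws Exception {
        KeyStore store = KeyStore.getInstance("JKS");
        // NOTE(review): assumes both properties are stored as Strings; if the SSL config helper
        // stores the password as a Password object the cast throws and the caller swallows it.
        try (FileInputStream in = new FileInputStream((String) this.props.get(locationKey))) {
            store.load(in, ((String) this.props.get(passwordKey)).toCharArray());
        }
        return store;
    }
}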
