package io.confluent.kafka.schemaregistry.security;

import io.confluent.kafka.schemaregistry.security.config.SecureSchemaRegistryConfig;
import io.confluent.kafka.schemaregistry.storage.SchemaRegistry;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.Collections;
import java.util.Properties;
import javax.ws.rs.core.Configurable;
import org.junit.Assert;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;

/* loaded from: input_file:io/confluent/kafka/schemaregistry/security/SchemaRegistryFipsResourceExtensionTest.class */
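/**
 * Tests for the FIPS 140-2 configuration gate in {@link SchemaRegistryFipsResourceExtension}.
 *
 * <p>Each negative test enables {@code enable.fips}, sets exactly one non-compliant value, and
 * pins the exact {@link SecurityException} message, so a change to the rejection wording or to
 * which setting is reported fails here.
 *
 * <p>NOTE(review): {@code security.providers} is set to the placeholder {@code "valid.cipher"}
 * throughout. These tests only demonstrate that an empty provider list is rejected; they do not
 * show the provider being loaded or verified as a FIPS-validated module.
 */
public class SchemaRegistryFipsResourceExtensionTest {

    /**
     * Asserts that FIPS validation rejects {@code properties} with exactly {@code expectedMessage}.
     *
     * @param properties raw configuration to wrap in a {@link SecureSchemaRegistryConfig}
     * @param expectedMessage the full message the {@link SecurityException} must carry
     * @throws Exception if the configuration object itself cannot be built
     */
    private static void assertRejected(Properties properties, String expectedMessage)
            throws Exception {
        SecureSchemaRegistryConfig config = new SecureSchemaRegistryConfig(properties);
        // Jupiter's assertThrows returns the typed exception, so no cast is needed and the
        // class no longer mixes JUnit 4 and JUnit 5 assertion APIs.
        SecurityException thrown = Assertions.assertThrows(
                SecurityException.class,
                () -> SchemaRegistryFipsResourceExtension.validateFipsConfig(config));
        Assertions.assertEquals(expectedMessage, thrown.getMessage());
    }

    /**
     * Asserts that FIPS validation accepts {@code properties}.
     *
     * @param properties raw configuration to wrap in a {@link SecureSchemaRegistryConfig}
     * @param failurePrefix text placed before the exception message if validation fails
     */
    private static void assertAccepted(Properties properties, String failurePrefix) {
        try {
            SchemaRegistryFipsResourceExtension.validateFipsConfig(
                    new SecureSchemaRegistryConfig(properties));
        } catch (Exception e) {
            // Pass the cause along so the report shows the validator's stack trace,
            // not only its message.
            Assertions.fail(failurePrefix + e.getMessage(), e);
        }
    }

    /** With {@code enable.fips} unset, an otherwise empty configuration must pass validation. */
    @Test
    public void testFipsNotEnabled() throws Exception {
        assertAccepted(new Properties(), "Validation should succeed when FIPS disabled: ");
    }

    /** FIPS enabled with no {@code security.providers} is rejected and reported as {@code <empty>}. */
    @Test
    public void testEmptySecurityProvider() throws Exception {
        Properties properties = new Properties();
        properties.put("enable.fips", true);
        assertRejected(properties,
                "FIPS 140-2 Configuration Error, invalid security provider: <empty>");
    }

    /**
     * A NULL-encryption suite must be rejected: {@code TLS_RSA_WITH_NULL_MD5} provides no
     * confidentiality and uses an MD5 MAC.
     */
    @Test
    public void testInvalidCipherSuites() throws Exception {
        Properties properties = new Properties();
        properties.put("enable.fips", true);
        properties.put("security.providers", "valid.cipher");
        properties.put("listeners", Arrays.asList("https://localhost:8080", "https://localhost:8081"));
        properties.put("ssl.cipher.suites", Collections.singletonList("TLS_RSA_WITH_NULL_MD5"));
        properties.put("ssl.enabled.protocols", Collections.singletonList("TLSv1.2"));
        assertRejected(properties,
                "FIPS 140-2 Configuration Error, invalid cipher suites: TLS_RSA_WITH_NULL_MD5");
    }

    /**
     * One disallowed suite in an otherwise accepted list still fails validation, and the message
     * names only the offending suite.
     */
    @Test
    public void testValidInvalidCipherSuites() throws Exception {
        Properties properties = new Properties();
        properties.put("enable.fips", true);
        properties.put("security.providers", "valid.cipher");
        properties.put("listeners", Arrays.asList("https://localhost:8080", "https://localhost:8081"));
        properties.put("ssl.cipher.suites", Arrays.asList("TLS_RSA_WITH_NULL_MD5", "TLS_RSA_WITH_AES_256_CCM"));
        properties.put("ssl.enabled.protocols", Collections.singletonList("TLSv1.2"));
        assertRejected(properties,
                "FIPS 140-2 Configuration Error, invalid cipher suites: TLS_RSA_WITH_NULL_MD5");
    }

    /** A single plaintext {@code http} listener next to an {@code https} one is enough to reject. */
    @Test
    public void testInvalidRestProtocol() throws Exception {
        Properties properties = new Properties();
        properties.put("enable.fips", true);
        properties.put("security.providers", "valid.cipher");
        properties.put("listeners", Arrays.asList("https://localhost:8080", "http://localhost:8081"));
        properties.put("ssl.cipher.suites", Collections.singletonList("TLS_RSA_WITH_AES_256_CCM"));
        properties.put("ssl.enabled.protocols", Collections.singletonList("TLSv1.2"));
        assertRejected(properties,
                "FIPS 140-2 Configuration Error, invalid rest protocol: http");
    }

    /**
     * Leaving {@code ssl.enabled.protocols} unset is rejected as {@code <empty>}: the TLS
     * version list has to be stated explicitly when FIPS is enabled.
     */
    @Test
    public void testEmptyEnabledProtocols() throws Exception {
        Properties properties = new Properties();
        properties.put("enable.fips", true);
        properties.put("security.providers", "valid.cipher");
        properties.put("listeners", Arrays.asList("https://localhost:8080", "https://localhost:8081"));
        properties.put("ssl.cipher.suites", Collections.singletonList("TLS_RSA_WITH_AES_256_CCM"));
        assertRejected(properties,
                "FIPS 140-2 Configuration Error, invalid TLS versions: <empty>");
    }

    /** TLSv1.1 as the only enabled protocol is rejected. */
    @Test
    public void testInvalidEnabledProtocols() throws Exception {
        Properties properties = new Properties();
        properties.put("enable.fips", true);
        properties.put("security.providers", "valid.cipher");
        properties.put("listeners", Arrays.asList("https://localhost:8080", "https://localhost:8081"));
        properties.put("ssl.cipher.suites", Collections.singletonList("TLS_RSA_WITH_AES_256_CCM"));
        properties.put("ssl.enabled.protocols", Collections.singletonList("TLSv1.1"));
        assertRejected(properties,
                "FIPS 140-2 Configuration Error, invalid TLS versions: TLSv1.1");
    }

    /**
     * Listing TLSv1.2 alongside TLSv1.1 does not make the configuration acceptable; the older
     * version is still reported, which guards against downgrade-capable listeners.
     */
    @Test
    public void testValidInvalidEnabledProtocols() throws Exception {
        Properties properties = new Properties();
        properties.put("enable.fips", true);
        properties.put("security.providers", "valid.cipher");
        properties.put("listeners", Arrays.asList("https://localhost:8080", "https://localhost:8081"));
        properties.put("ssl.cipher.suites", Collections.singletonList("TLS_RSA_WITH_AES_256_CCM"));
        properties.put("ssl.enabled.protocols", Arrays.asList("TLSv1.1", "TLSv1.2"));
        assertRejected(properties,
                "FIPS 140-2 Configuration Error, invalid TLS versions: TLSv1.1");
    }

    /**
     * The connection to the Kafka store is validated as well: {@code SASL_PLAINTEXT}
     * authenticates over an unencrypted transport and is rejected.
     */
    @Test
    public void testInvalidBrokerSecurityProtocol() throws Exception {
        Properties properties = new Properties();
        properties.put("enable.fips", true);
        properties.put("security.providers", "valid.cipher");
        properties.put("listeners", Arrays.asList("https://localhost:8080", "https://localhost:8081"));
        properties.put("ssl.cipher.suites", Collections.singletonList("TLS_RSA_WITH_AES_256_CCM"));
        properties.put("ssl.enabled.protocols", Collections.singletonList("TLSv1.2"));
        properties.put("kafkastore.security.protocol", "SASL_PLAINTEXT");
        assertRejected(properties,
                "FIPS 140-2 Configuration Error, invalid broker protocols: kafkastore.security.protocol:SASL_PLAINTEXT");
    }

    /**
     * A per-listener override must not bypass the check: the global protocol list is TLSv1.2,
     * but {@code listener.name.https.ssl.enabled.protocols} re-enables TLSv1.1 and is rejected.
     */
    @Test
    public void testInvalidNamedListenerConfig() throws Exception {
        Properties properties = new Properties();
        properties.put("enable.fips", true);
        properties.put("security.providers", "valid.cipher");
        properties.put("listeners", Arrays.asList("https://localhost:8080", "https://localhost:8081"));
        properties.put("ssl.cipher.suites", Arrays.asList("TLS_RSA_WITH_AES_256_CCM", "TLS_AES_128_CCM_SHA256"));
        properties.put("ssl.enabled.protocols", Collections.singletonList("TLSv1.2"));
        properties.put("listener.name.https.ssl.enabled.protocols", Collections.singletonList("TLSv1.1"));
        assertRejected(properties,
                "FIPS 140-2 Configuration Error, invalid TLS versions: TLSv1.1");
    }

    /**
     * A compliant configuration passes: https-only listeners, TLSv1.2, and an SSL broker link.
     *
     * <p>NOTE(review): {@code ssl.cipher.suites} is deliberately absent here, so an unset suite
     * list is accepted while an unset protocol list is not (see
     * {@link #testEmptyEnabledProtocols()}). Presumably the effective suites then come from the
     * JVM or provider defaults, which this validation does not appear to inspect; confirm the
     * configured provider restricts them to approved suites.
     */
    @Test
    public void testSucceed() throws Exception {
        Properties properties = new Properties();
        properties.put("enable.fips", true);
        properties.put("security.providers", "valid.cipher");
        properties.put("listeners", Arrays.asList("https://localhost:8080", "https://localhost:8081"));
        properties.put("ssl.enabled.protocols", Collections.singletonList("TLSv1.2"));
        properties.put("kafkastore.security.protocol", "SSL");
        assertAccepted(properties, "FIPS validation should succeed: ");
    }

    /**
     * The sample {@code sr.properties} test resource passes validation. The file's contents are
     * not visible from this class.
     */
    @Test
    public void testSucceedFromFile() throws Exception {
        Properties properties = new Properties();
        // Close the stream deterministically; the previous version left it open.
        try (InputStream in = Files.newInputStream(Paths.get("src/test/resources/sr.properties"))) {
            properties.load(in);
        }
        assertAccepted(properties, "FIPS validation should succeed: ");
    }

    /**
     * Registering the extension with a compliant configuration does not throw. The
     * {@code Configurable} and {@code SchemaRegistry} arguments are passed as {@code null}.
     */
    @Test
    public void testRegister() throws Exception {
        Properties properties = new Properties();
        properties.put("enable.fips", true);
        properties.put("security.providers", "valid.cipher");
        properties.put("listeners", Arrays.asList("https://localhost:8080", "https://localhost:8081"));
        properties.put("ssl.cipher.suites", Collections.singletonList("TLS_RSA_WITH_AES_256_CCM"));
        properties.put("ssl.enabled.protocols", Collections.singletonList("TLSv1.2"));
        properties.put("kafkastore.security.protocol", "SSL");
        try {
            new SchemaRegistryFipsResourceExtension().register((Configurable) null, new SecureSchemaRegistryConfig(properties), (SchemaRegistry) null);
        } catch (Exception e) {
            Assertions.fail("Registering the extension should succeed", e);
        }
    }

    /** Closing a freshly constructed extension does not throw. */
    @Test
    public void testClose() {
        try {
            new SchemaRegistryFipsResourceExtension().close();
        } catch (Exception e) {
            // Attach the cause; a bare fail() gave no hint about what close() threw.
            Assertions.fail("close() should not throw", e);
        }
    }
}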
