package org.apache.bookkeeper.tls;

import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.concurrent.CountDownLatch;
import org.apache.bookkeeper.auth.AuthCallbacks;
import org.apache.bookkeeper.auth.AuthToken;
import org.apache.bookkeeper.auth.BookieAuthProvider;
import org.apache.bookkeeper.auth.ClientAuthProvider;
import org.apache.bookkeeper.client.BKException;
import org.apache.bookkeeper.client.BookKeeper;
import org.apache.bookkeeper.client.BookKeeperAdmin;
import org.apache.bookkeeper.client.LedgerEntry;
import org.apache.bookkeeper.client.LedgerHandle;
import org.apache.bookkeeper.client.LedgerMetadata;
import org.apache.bookkeeper.conf.ClientConfiguration;
import org.apache.bookkeeper.conf.ServerConfiguration;
import org.apache.bookkeeper.net.BookieSocketAddress;
import org.apache.bookkeeper.proto.BookieConnectionPeer;
import org.apache.bookkeeper.proto.ClientConnectionPeer;
import org.apache.bookkeeper.proto.TestPerChannelBookieClient;
import org.apache.bookkeeper.test.BookKeeperClusterTestCase;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/bookkeeper/tls/TestTLS.class */
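/**
 * Cluster tests for the TLS transport between BookKeeper clients and bookies, and for
 * the auth-provider hooks that observe the negotiated channel.
 *
 * <p>Every test starts from a three-bookie cluster whose client and server base
 * configurations both enable {@link TLSContextFactory}, request TLS client
 * authentication, and point at JKS key/trust stores loaded from the test classpath
 * (see {@link #setUp()}). Individual tests then weaken one side and assert whether a
 * ledger round trip still succeeds.
 *
 * <p>What the tests establish about enforcement: a TLS-enabled bookie still serves a
 * client that configures no TLS provider ({@link #testConnectToTLSClusterNonTLSClient()}),
 * so TLS on its own is not mandatory. Rejecting plaintext or certificate-less clients is
 * the job of a {@link BookieAuthProvider} such as
 * {@link AllowOnlyClientsWithX509Certificates}, exercised by the
 * {@code testBookieAuthPluginDeny*} tests.
 */
public class TestTLS extends BookKeeperClusterTestCase {
    // Fixed: the logger was registered under TestPerChannelBookieClient, which filed this
    // suite's log lines under an unrelated test when triaging a failed run.
    static final Logger LOG = LoggerFactory.getLogger(TestTLS.class);

    // Channel state captured by the test auth providers in onProtocolUpgrade() and read back
    // by the test methods. Each test resets the pair it inspects before connecting.
    // NOTE(review): if the provider callbacks run on an I/O thread rather than the test
    // thread, these should be volatile - confirm the threading of onProtocolUpgrade().
    private static boolean secureClientSideChannel = false;
    private static Collection<Object> secureClientSideChannelPrincipals = null;
    private static boolean secureBookieSideChannel = false;
    private static Collection<Object> secureBookieSideChannelPrincipals = null;

    /**
     * Client-side auth provider factory that accepts a bookie only when the channel is
     * secure and the bookie presented an X.509 certificate as its first principal.
     *
     * <p>The provider looks only at the type of the first principal. It performs no subject,
     * issuer or validity checks of its own; chain validation is presumably done by the TLS
     * layer against the configured trust store - verify against the provider factory.
     */
    private static class AllowOnlyBookiesWithX509Certificates implements ClientAuthProvider.Factory {
        private AllowOnlyBookiesWithX509Certificates() {
        }

        public String getPluginName() {
            return "tls";
        }

        public void init(ClientConfiguration clientConfiguration) {
            // No configuration is needed: the decision depends only on the connection peer.
        }

        public ClientAuthProvider newProvider(final ClientConnectionPeer clientConnectionPeer, AuthCallbacks.GenericCallback<Void> genericCallback) {
            return new ClientAuthProvider() {
                AuthCallbacks.GenericCallback<AuthToken> completeCallback;

                public void init(AuthCallbacks.GenericCallback<AuthToken> genericCallback2) {
                    this.completeCallback = genericCallback2;
                }

                public void onProtocolUpgrade() {
                    // Query the peer once so that the recorded state and the decision below
                    // are taken from the same snapshot.
                    final boolean secure = clientConnectionPeer.isSecure();
                    final Collection<Object> principals = clientConnectionPeer.getProtocolPrincipals();
                    TestTLS.secureClientSideChannel = secure;
                    TestTLS.secureClientSideChannelPrincipals = principals;

                    // Fail closed: a principal that is not an X.509 certificate is reported
                    // as unauthorized through the callback. The previous Assert call inside
                    // this hook threw instead, leaving the callback uncompleted.
                    final boolean authenticated = secure
                            && !principals.isEmpty()
                            && principals.iterator().next() instanceof X509Certificate;
                    this.completeCallback.operationComplete(
                            authenticated ? BKException.Code.OK : BKException.Code.UnauthorizedAccessException,
                            AuthToken.NULL);
                }

                public void process(AuthToken authToken, AuthCallbacks.GenericCallback<AuthToken> genericCallback2) {
                    // No token exchange: authentication is decided entirely in onProtocolUpgrade().
                }
            };
        }
    }

    /**
     * Bookie-side auth provider factory that accepts a client only when the channel is
     * secure and the client presented an X.509 certificate as its first principal.
     *
     * <p>This is the mechanism the suite uses to make TLS client authentication mandatory:
     * a plaintext channel or an empty principal set is answered with the
     * unauthorized-access result code. As on the client side, only the type of the first
     * principal is inspected.
     */
    private static class AllowOnlyClientsWithX509Certificates implements BookieAuthProvider.Factory {
        private AllowOnlyClientsWithX509Certificates() {
        }

        public String getPluginName() {
            return "tls";
        }

        public void init(ServerConfiguration serverConfiguration) throws IOException {
            // No configuration is needed: the decision depends only on the connection peer.
        }

        public BookieAuthProvider newProvider(final BookieConnectionPeer bookieConnectionPeer, final AuthCallbacks.GenericCallback<Void> genericCallback) {
            return new BookieAuthProvider() {
                final AuthCallbacks.GenericCallback<Void> completeCallback = genericCallback;

                public void onProtocolUpgrade() {
                    // Query the peer once so that the recorded state and the decision below
                    // are taken from the same snapshot.
                    final boolean secure = bookieConnectionPeer.isSecure();
                    final Collection<Object> principals = bookieConnectionPeer.getProtocolPrincipals();
                    TestTLS.secureBookieSideChannel = secure;
                    TestTLS.secureBookieSideChannelPrincipals = principals;

                    // Fail closed: anything other than a secure channel carrying an X.509
                    // certificate is denied through the callback rather than by throwing.
                    final boolean authenticated = secure
                            && !principals.isEmpty()
                            && principals.iterator().next() instanceof X509Certificate;
                    this.completeCallback.operationComplete(
                            authenticated ? BKException.Code.OK : BKException.Code.UnauthorizedAccessException,
                            null);
                }

                public void process(AuthToken authToken, AuthCallbacks.GenericCallback<AuthToken> genericCallback2) {
                    // No token exchange: authentication is decided entirely in onProtocolUpgrade().
                }
            };
        }
    }

    /** Creates the suite with a three-bookie cluster. */
    public TestTLS() {
        super(3);
    }

    /**
     * Resolves a classpath resource to a filesystem path for the TLS configuration setters.
     *
     * @param name resource name relative to the classpath root
     * @return the path component of the resource URL
     * @throws IllegalStateException if the resource is not on the classpath, so that a missing
     *     fixture is reported by name instead of as a bare NullPointerException
     */
    private String resourcePath(String name) {
        java.net.URL url = getClass().getClassLoader().getResource(name);
        if (url == null) {
            throw new IllegalStateException("Missing TLS test resource on classpath: " + name);
        }
        // NOTE(review): URL.getPath() keeps percent-encoding, so a checkout directory with
        // spaces would yield an unusable path - confirm whether that matters for this build.
        return url.getPath();
    }

    /**
     * Enables TLS with client authentication on both the client and the bookie base
     * configurations before the cluster starts.
     *
     * <p>Key stores are per-role ({@code client.jks}, {@code server.jks}) while both sides
     * share the same trust store ({@code cacerts}). Passwords are supplied as paths to files
     * rather than inline values.
     */
    @Override // org.apache.bookkeeper.test.BookKeeperClusterTestCase
    @Before
    public void setUp() throws Exception {
        final String tlsFactory = TLSContextFactory.class.getName();
        final String trustStore = resourcePath("cacerts");
        final String trustStorePassword = resourcePath("trustStorePassword.txt");

        this.baseClientConf.setTLSProviderFactoryClass(tlsFactory);
        this.baseClientConf.setTLSClientAuthentication(true);
        this.baseClientConf.setTLSKeyStoreType("JKS");
        this.baseClientConf.setTLSKeyStore(resourcePath("client.jks"));
        this.baseClientConf.setTLSKeyStorePasswordPath(resourcePath("keyStoreClientPassword.txt"));
        this.baseClientConf.setTLSTrustStoreType("JKS");
        this.baseClientConf.setTLSTrustStore(trustStore);
        this.baseClientConf.setTLSTrustStorePasswordPath(trustStorePassword);

        this.baseConf.setTLSProviderFactoryClass(tlsFactory);
        this.baseConf.setTLSClientAuthentication(true);
        this.baseConf.setTLSKeyStoreType("JKS");
        this.baseConf.setTLSKeyStore(resourcePath("server.jks"));
        this.baseConf.setTLSKeyStorePasswordPath(resourcePath("keyStoreServerPassword.txt"));
        this.baseConf.setTLSTrustStoreType("JKS");
        this.baseConf.setTLSTrustStore(trustStore);
        this.baseConf.setTLSTrustStorePasswordPath(trustStorePassword);

        super.setUp();
    }

    @Override // org.apache.bookkeeper.test.BookKeeperClusterTestCase
    @After
    public void tearDown() throws Exception {
        super.tearDown();
    }

    /**
     * A bookie configured for TLS but without a key store must refuse to start; the test
     * expects a {@link SecurityException} rather than a silent fall-back.
     */
    @Test
    public void testStartTLSServerNoKeyStore() throws Exception {
        try {
            this.bs.add(startBookie(newServerConfiguration().setTLSKeyStore((String) null)));
            Assert.fail("Shouldn't have been able to start");
        } catch (SecurityException expected) {
            // Expected: start-up is rejected when the key store is missing.
        }
    }

    /**
     * A bookie whose key-store password path is unusable must refuse to start; the test
     * expects a {@link SecurityException}.
     */
    @Test
    public void testStartTLSServerBadPassword() throws Exception {
        try {
            this.bs.add(startBookie(newServerConfiguration().setTLSKeyStorePasswordPath("badpassword")));
            Assert.fail("Shouldn't have been able to start");
        } catch (SecurityException expected) {
            // Expected: start-up is rejected when the key store cannot be unlocked.
        }
    }

    /**
     * Performs a full ledger round trip with the given client configuration: creates a
     * ledger, writes entries 0 through 100, reopens it, checks every entry, and returns the
     * ledger metadata.
     *
     * <p>The client and both ledger handles are managed with try-with-resources, so each is
     * closed exactly once and a failure while closing is attached as a suppressed exception
     * instead of replacing the original failure.
     *
     * @param clientConfiguration configuration for the client under test
     * @param i used as both the ensemble size and the write quorum size of the new ledger
     * @return the metadata of the ledger that was written and read back
     * @throws Exception if the client cannot connect, write or read
     */
    private LedgerMetadata testClient(ClientConfiguration clientConfiguration, int i) throws Exception {
        // Explicit charset so the bytes do not depend on the platform default.
        final byte[] password = "testPassword".getBytes(java.nio.charset.StandardCharsets.UTF_8);
        final byte[] payload = "testEntry".getBytes(java.nio.charset.StandardCharsets.UTF_8);
        final int lastEntryId = 100;

        try (BookKeeper bookKeeper = new BookKeeper(clientConfiguration)) {
            final long ledgerId;
            // CRC32 is an error-detecting checksum, not an authenticator; what these tests
            // exercise is the TLS layer underneath the ledger operations.
            try (LedgerHandle writer = bookKeeper.createLedger(i, i, BookKeeper.DigestType.CRC32, password)) {
                for (int entryId = 0; entryId <= lastEntryId; entryId++) {
                    writer.addEntry(payload);
                }
                ledgerId = writer.getId();
            }

            try (LedgerHandle reader = bookKeeper.openLedger(ledgerId, BookKeeper.DigestType.CRC32, password)) {
                Enumeration<LedgerEntry> entries = reader.readEntries(0L, lastEntryId);
                while (entries.hasMoreElements()) {
                    Assert.assertArrayEquals("Entry contents incorrect", payload, entries.nextElement().getEntry());
                }
                return new BookKeeperAdmin(bookKeeper).getLedgerMetadata(reader);
            }
        }
    }

    /** A TLS client with the base configuration completes a round trip against the TLS cluster. */
    @Test
    public void testConnectToTLSClusterTLSClient() throws Exception {
        testClient(new ClientConfiguration(this.baseClientConf), this.numBookies);
    }

    /** A TLS client and then a client without a TLS provider both work against the same cluster. */
    @Test
    public void testConnectToTLSClusterMixedClient() throws Exception {
        testClient(new ClientConfiguration(this.baseClientConf), this.numBookies);

        ClientConfiguration plaintextClientConf = new ClientConfiguration(this.baseClientConf);
        plaintextClientConf.setTLSProviderFactoryClass((String) null);
        testClient(plaintextClientConf, this.numBookies);
    }

    /** A TLS client still connects when the bookies stop requesting client certificates. */
    @Test
    public void testConnectToTLSClusterTLSClientWithTLSNoAuthentication() throws Exception {
        ServerConfiguration serverConfiguration = new ServerConfiguration(this.baseConf);
        serverConfiguration.setTLSClientAuthentication(false);
        restartBookies(serverConfiguration);
        testClient(new ClientConfiguration(this.baseClientConf), this.numBookies);
    }

    /** A TLS client connects when both sides have TLS client authentication enabled. */
    @Test
    public void testConnectToTLSClusterTLSClientWithAuthentication() throws Exception {
        try {
            testClient(new ClientConfiguration(this.baseClientConf), this.numBookies);
        } catch (BKException.BKNotEnoughBookiesException e) {
            Assert.fail("Client should be able to connect to bookie");
        }
    }

    /**
     * A client without a TLS provider is still served by TLS-enabled bookies.
     *
     * <p>This pins down that enabling TLS on the bookie does not by itself reject plaintext
     * clients; see {@link #testBookieAuthPluginDenyAccessToClientWithoutTLS()} for the
     * configuration that does.
     */
    @Test
    public void testConnectToTLSClusterNonTLSClient() throws Exception {
        ClientConfiguration plaintextClientConf = new ClientConfiguration(this.baseClientConf);
        plaintextClientConf.setTLSProviderFactoryClass((String) null);
        try {
            testClient(plaintextClientConf, this.numBookies);
        } catch (BKException.BKNotEnoughBookiesException e) {
            Assert.fail("non tls client should be able to connect to tls enabled bookies");
        }
    }

    /**
     * A client that configures TLS must not complete a round trip when no bookie offers it:
     * the attempt is expected to end in {@code BKNotEnoughBookiesException}.
     */
    @Test
    public void testClientWantsTLSNoServersHaveIt() throws Exception {
        ServerConfiguration serverConfiguration = new ServerConfiguration();
        for (ServerConfiguration bookieConf : this.bsConfs) {
            bookieConf.setTLSProviderFactoryClass((String) null);
        }
        restartBookies(serverConfiguration);
        try {
            testClient(new ClientConfiguration(this.baseClientConf), this.numBookies);
            Assert.fail("Shouldn't be able to connect");
        } catch (BKException.BKNotEnoughBookiesException expected) {
            // Expected: no bookie can satisfy a client that requires TLS.
        }
    }

    /**
     * With TLS removed from the original bookies and two new TLS bookies added, a TLS client
     * must place its ledger only on the two TLS-capable bookies.
     */
    @Test
    public void testTLSClientButOnlyFewTLSServers() throws Exception {
        ServerConfiguration serverConfiguration = new ServerConfiguration();
        for (ServerConfiguration bookieConf : this.bsConfs) {
            bookieConf.setTLSProviderFactoryClass((String) null);
        }
        restartBookies(serverConfiguration);

        // Bookies started from here on get TLS again; remember their ports.
        this.baseConf.setTLSProviderFactoryClass(TLSContextFactory.class.getName());
        HashSet<Integer> tlsBookiePorts = new HashSet<>();
        tlsBookiePorts.add(startNewBookie());
        tlsBookiePorts.add(startNewBookie());

        LedgerMetadata metadata = testClient(new ClientConfiguration(this.baseClientConf), 2);
        Assert.assertTrue(metadata.getEnsembles().size() > 0);
        for (ArrayList<BookieSocketAddress> ensemble : metadata.getEnsembles().values()) {
            for (BookieSocketAddress bookie : ensemble) {
                Assert.assertTrue(tlsBookiePorts.contains(bookie.getPort()));
            }
        }
    }

    /**
     * The client-side auth provider sees a secure channel and an X.509 certificate as the
     * bookie's first principal.
     */
    @Test
    public void testClientAuthPlugin() throws Exception {
        secureClientSideChannel = false;
        secureClientSideChannelPrincipals = null;

        ClientConfiguration clientConfiguration = new ClientConfiguration(this.baseClientConf);
        clientConfiguration.setClientAuthProviderFactoryClass(AllowOnlyBookiesWithX509Certificates.class.getName());
        testClient(clientConfiguration, this.numBookies);

        Assert.assertTrue(secureClientSideChannel);
        Assert.assertNotNull(secureClientSideChannelPrincipals);
        Assert.assertFalse(secureClientSideChannelPrincipals.isEmpty());
        Object firstPrincipal = secureClientSideChannelPrincipals.iterator().next();
        Assert.assertTrue(firstPrincipal instanceof Certificate);
        Assert.assertTrue(firstPrincipal instanceof X509Certificate);
    }

    /**
     * The bookie-side auth provider sees a secure channel and an X.509 certificate as the
     * client's first principal when both sides enable TLS client authentication.
     */
    @Test
    public void testBookieAuthPluginRequireClientTLSAuthentication() throws Exception {
        ServerConfiguration serverConfiguration = new ServerConfiguration(this.baseConf);
        serverConfiguration.setBookieAuthProviderFactoryClass(AllowOnlyClientsWithX509Certificates.class.getName());
        restartBookies(serverConfiguration);

        secureBookieSideChannel = false;
        secureBookieSideChannelPrincipals = null;
        testClient(new ClientConfiguration(this.baseClientConf), this.numBookies);

        Assert.assertTrue(secureBookieSideChannel);
        Assert.assertNotNull(secureBookieSideChannelPrincipals);
        Assert.assertFalse(secureBookieSideChannelPrincipals.isEmpty());
        Object firstPrincipal = secureBookieSideChannelPrincipals.iterator().next();
        Assert.assertTrue(firstPrincipal instanceof Certificate);
        Assert.assertTrue(firstPrincipal instanceof X509Certificate);
    }

    /**
     * With TLS client authentication switched off on both sides, the channel is encrypted
     * but carries no client principal, and the bookie auth provider must deny access.
     */
    @Test
    public void testBookieAuthPluginDenyAccesstoClientWithoutTLSAuthentication() throws Exception {
        ServerConfiguration serverConfiguration = new ServerConfiguration(this.baseConf);
        serverConfiguration.setTLSClientAuthentication(false);
        serverConfiguration.setBookieAuthProviderFactoryClass(AllowOnlyClientsWithX509Certificates.class.getName());
        restartBookies(serverConfiguration);

        secureBookieSideChannel = false;
        secureBookieSideChannelPrincipals = null;
        ClientConfiguration clientConfiguration = new ClientConfiguration(this.baseClientConf);
        clientConfiguration.setTLSClientAuthentication(false);
        try {
            testClient(clientConfiguration, this.numBookies);
            Assert.fail("Shouldn't be able to connect");
        } catch (BKException.BKUnauthorizedAccessException expected) {
            // Expected: encrypted but unauthenticated clients are rejected by the provider.
        }

        // The provider ran on a secure channel and found no principals to accept.
        Assert.assertTrue(secureBookieSideChannel);
        Assert.assertNotNull(secureBookieSideChannelPrincipals);
        Assert.assertTrue(secureBookieSideChannelPrincipals.isEmpty());
    }

    /**
     * A client with no TLS provider must be denied by bookies that install the
     * certificate-requiring auth provider.
     */
    @Test
    public void testBookieAuthPluginDenyAccessToClientWithoutTLS() throws Exception {
        ServerConfiguration serverConfiguration = new ServerConfiguration(this.baseConf);
        serverConfiguration.setBookieAuthProviderFactoryClass(AllowOnlyClientsWithX509Certificates.class.getName());
        restartBookies(serverConfiguration);

        secureBookieSideChannel = false;
        secureBookieSideChannelPrincipals = null;
        ClientConfiguration clientConfiguration = new ClientConfiguration(this.baseClientConf);
        clientConfiguration.setTLSProviderFactoryClass("");
        try {
            testClient(clientConfiguration, this.numBookies);
            Assert.fail("Shouldn't be able to connect");
        } catch (BKException.BKUnauthorizedAccessException expected) {
            // Expected: a plaintext client never gets authorized.
        }

        // Both values are still at their reset state, so the provider's onProtocolUpgrade()
        // hook did not record anything for this connection; where the denial originates is
        // not visible from this test.
        Assert.assertFalse(secureBookieSideChannel);
        Assert.assertNull(secureBookieSideChannelPrincipals);
    }

    /**
     * Adds one more bookie with the TLS provider set and checks that a TLS client can use an
     * ensemble spanning the original bookies plus the new one.
     */
    @Test
    public void testMixedCluster() throws Exception {
        ClientConfiguration clientConfiguration = new ClientConfiguration(this.baseClientConf);
        int originalBookieCount = this.numBookies;

        ServerConfiguration extraBookieConf = newServerConfiguration();
        extraBookieConf.setTLSProviderFactoryClass(TLSContextFactory.class.getName());
        this.bs.add(startBookie(extraBookieConf));

        testClient(clientConfiguration, originalBookieCount + 1);
    }

    /**
     * With one bookie put to sleep, a client that needs every bookie must fail with
     * {@code BKNotEnoughBookiesException} instead of hanging.
     */
    @Test
    public void testHungServer() throws Exception {
        ClientConfiguration clientConfiguration = new ClientConfiguration(this.baseClientConf);
        CountDownLatch countDownLatch = new CountDownLatch(1);
        sleepBookie(getBookie(0), countDownLatch);
        try {
            testClient(clientConfiguration, this.numBookies);
            Assert.fail("Shouldn't be able to connect");
        } catch (BKException.BKNotEnoughBookiesException expected) {
            // Expected: the sleeping bookie cannot take part in the ensemble.
        } finally {
            // Release the sleeping bookie on every path, including a failed assertion, so
            // that it is not still parked on the latch when the cluster is torn down.
            LOG.info("latch countdown");
            countDownLatch.countDown();
        }
    }
}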
