package org.apache.druid.tests.security;

import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.base.Throwables;
import com.google.inject.Inject;
import java.io.IOException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import org.apache.druid.guice.annotations.Client;
import org.apache.druid.guice.http.DruidHttpClientConfig;
import org.apache.druid.guice.http.LifecycleUtils;
import org.apache.druid.https.SSLClientConfig;
import org.apache.druid.java.util.common.ISE;
import org.apache.druid.java.util.common.StringUtils;
import org.apache.druid.java.util.common.lifecycle.Lifecycle;
import org.apache.druid.java.util.common.logger.Logger;
import org.apache.druid.java.util.http.client.CredentialedHttpClient;
import org.apache.druid.java.util.http.client.HttpClient;
import org.apache.druid.java.util.http.client.HttpClientConfig;
import org.apache.druid.java.util.http.client.HttpClientInit;
import org.apache.druid.java.util.http.client.Request;
import org.apache.druid.java.util.http.client.auth.BasicCredentials;
import org.apache.druid.java.util.http.client.response.StatusResponseHandler;
import org.apache.druid.java.util.http.client.response.StatusResponseHolder;
import org.apache.druid.server.security.TLSUtils;
import org.apache.druid.testing.IntegrationTestingConfig;
import org.apache.druid.testing.guice.DruidTestModuleFactory;
import org.jboss.netty.handler.codec.http.HttpMethod;
import org.jboss.netty.handler.codec.http.HttpResponseStatus;
import org.joda.time.Duration;
import org.testng.Assert;
import org.testng.annotations.Guice;
import org.testng.annotations.Test;

@Guice(moduleFactory = DruidTestModuleFactory.class)
/* loaded from: input_file:org/apache/druid/tests/security/ITTLSTest.class */
public class ITTLSTest {
    private static final Logger LOG = new Logger(ITTLSTest.class);
    private static final Duration SSL_HANDSHAKE_TIMEOUT = new Duration(30000);
    private static final int MAX_CONNECTION_EXCEPTION_RETRIES = 30;

    @Inject
    IntegrationTestingConfig config;

    @Inject
    ObjectMapper jsonMapper;

    @Inject
    SSLClientConfig sslClientConfig;

    @Client
    @Inject
    HttpClient httpClient;

    @Client
    @Inject
    DruidHttpClientConfig httpClientConfig;
    StatusResponseHandler responseHandler = new StatusResponseHandler(StandardCharsets.UTF_8);

    @Test
    public void testPlaintextAccess() {
        LOG.info("---------Testing resource access without TLS---------", new Object[0]);
        CredentialedHttpClient credentialedHttpClient = new CredentialedHttpClient(new BasicCredentials("admin", "priest"), this.httpClient);
        makeRequest(credentialedHttpClient, HttpMethod.GET, this.config.getCoordinatorUrl() + "/status", null);
        makeRequest(credentialedHttpClient, HttpMethod.GET, this.config.getIndexerUrl() + "/status", null);
        makeRequest(credentialedHttpClient, HttpMethod.GET, this.config.getBrokerUrl() + "/status", null);
        makeRequest(credentialedHttpClient, HttpMethod.GET, this.config.getHistoricalUrl() + "/status", null);
        makeRequest(credentialedHttpClient, HttpMethod.GET, this.config.getRouterUrl() + "/status", null);
        makeRequest(credentialedHttpClient, HttpMethod.GET, this.config.getPermissiveRouterUrl() + "/status", null);
        makeRequest(credentialedHttpClient, HttpMethod.GET, this.config.getNoClientAuthRouterUrl() + "/status", null);
    }

    @Test
    public void testTLSNodeAccess() {
        LOG.info("---------Testing resource access with TLS enabled---------", new Object[0]);
        CredentialedHttpClient credentialedHttpClient = new CredentialedHttpClient(new BasicCredentials("admin", "priest"), this.httpClient);
        makeRequest(credentialedHttpClient, HttpMethod.GET, this.config.getCoordinatorTLSUrl() + "/status", null);
        makeRequest(credentialedHttpClient, HttpMethod.GET, this.config.getIndexerTLSUrl() + "/status", null);
        makeRequest(credentialedHttpClient, HttpMethod.GET, this.config.getBrokerTLSUrl() + "/status", null);
        makeRequest(credentialedHttpClient, HttpMethod.GET, this.config.getHistoricalTLSUrl() + "/status", null);
        makeRequest(credentialedHttpClient, HttpMethod.GET, this.config.getRouterTLSUrl() + "/status", null);
        makeRequest(credentialedHttpClient, HttpMethod.GET, this.config.getPermissiveRouterTLSUrl() + "/status", null);
        makeRequest(credentialedHttpClient, HttpMethod.GET, this.config.getNoClientAuthRouterTLSUrl() + "/status", null);
    }

    @Test
    public void testTLSNodeAccessWithIntermediate() {
        LOG.info("---------Testing TLS resource access with 3-part cert chain---------", new Object[0]);
        HttpClient makeCustomHttpClient = makeCustomHttpClient("client_tls/intermediate_ca_client.jks", "intermediate_ca_client");
        makeRequest(makeCustomHttpClient, HttpMethod.GET, this.config.getCoordinatorTLSUrl() + "/status", null);
        makeRequest(makeCustomHttpClient, HttpMethod.GET, this.config.getIndexerTLSUrl() + "/status", null);
        makeRequest(makeCustomHttpClient, HttpMethod.GET, this.config.getBrokerTLSUrl() + "/status", null);
        makeRequest(makeCustomHttpClient, HttpMethod.GET, this.config.getHistoricalTLSUrl() + "/status", null);
        makeRequest(makeCustomHttpClient, HttpMethod.GET, this.config.getRouterTLSUrl() + "/status", null);
        makeRequest(makeCustomHttpClient, HttpMethod.GET, this.config.getPermissiveRouterTLSUrl() + "/status", null);
        makeRequest(makeCustomHttpClient, HttpMethod.GET, this.config.getNoClientAuthRouterTLSUrl() + "/status", null);
    }

    @Test
    public void checkAccessWithNoCert() {
        LOG.info("---------Testing TLS resource access without a certificate---------", new Object[0]);
        HttpClient makeCertlessClient = makeCertlessClient();
        checkFailedAccessNoCert(makeCertlessClient, HttpMethod.GET, this.config.getCoordinatorTLSUrl());
        checkFailedAccessNoCert(makeCertlessClient, HttpMethod.GET, this.config.getIndexerTLSUrl());
        checkFailedAccessNoCert(makeCertlessClient, HttpMethod.GET, this.config.getBrokerTLSUrl());
        checkFailedAccessNoCert(makeCertlessClient, HttpMethod.GET, this.config.getHistoricalTLSUrl());
        checkFailedAccessNoCert(makeCertlessClient, HttpMethod.GET, this.config.getRouterTLSUrl());
        checkFailedAccessNoCert(makeCertlessClient, HttpMethod.GET, this.config.getPermissiveRouterTLSUrl());
        makeRequest(makeCertlessClient, HttpMethod.GET, this.config.getNoClientAuthRouterTLSUrl() + "/status", null);
    }

    @Test
    public void checkAccessWithWrongHostname() {
        LOG.info("---------Testing TLS resource access when client certificate has non-matching hostnames---------", new Object[0]);
        HttpClient makeCustomHttpClient = makeCustomHttpClient("client_tls/invalid_hostname_client.jks", "invalid_hostname_client");
        checkFailedAccessWrongHostname(makeCustomHttpClient, HttpMethod.GET, this.config.getCoordinatorTLSUrl());
        checkFailedAccessWrongHostname(makeCustomHttpClient, HttpMethod.GET, this.config.getIndexerTLSUrl());
        checkFailedAccessWrongHostname(makeCustomHttpClient, HttpMethod.GET, this.config.getBrokerTLSUrl());
        checkFailedAccessWrongHostname(makeCustomHttpClient, HttpMethod.GET, this.config.getHistoricalTLSUrl());
        checkFailedAccessWrongHostname(makeCustomHttpClient, HttpMethod.GET, this.config.getRouterTLSUrl());
        makeRequest(makeCustomHttpClient, HttpMethod.GET, this.config.getPermissiveRouterTLSUrl() + "/status", null);
        makeRequest(makeCustomHttpClient, HttpMethod.GET, this.config.getNoClientAuthRouterTLSUrl() + "/status", null);
    }

    @Test
    public void checkAccessWithWrongRoot() {
        LOG.info("---------Testing TLS resource access when client certificate is signed by a non-trusted root CA---------", new Object[0]);
        HttpClient makeCustomHttpClient = makeCustomHttpClient("client_tls/client_another_root.jks", "druid_another_root");
        checkFailedAccessWrongRoot(makeCustomHttpClient, HttpMethod.GET, this.config.getCoordinatorTLSUrl());
        checkFailedAccessWrongRoot(makeCustomHttpClient, HttpMethod.GET, this.config.getIndexerTLSUrl());
        checkFailedAccessWrongRoot(makeCustomHttpClient, HttpMethod.GET, this.config.getBrokerTLSUrl());
        checkFailedAccessWrongRoot(makeCustomHttpClient, HttpMethod.GET, this.config.getHistoricalTLSUrl());
        checkFailedAccessWrongRoot(makeCustomHttpClient, HttpMethod.GET, this.config.getRouterTLSUrl());
        checkFailedAccessWrongRoot(makeCustomHttpClient, HttpMethod.GET, this.config.getPermissiveRouterTLSUrl());
        makeRequest(makeCustomHttpClient, HttpMethod.GET, this.config.getNoClientAuthRouterTLSUrl() + "/status", null);
    }

    @Test
    public void checkAccessWithRevokedCert() {
        LOG.info("---------Testing TLS resource access when client certificate has been revoked---------", new Object[0]);
        HttpClient makeCustomHttpClient = makeCustomHttpClient("client_tls/revoked_client.jks", "revoked_druid");
        checkFailedAccessRevoked(makeCustomHttpClient, HttpMethod.GET, this.config.getCoordinatorTLSUrl());
        checkFailedAccessRevoked(makeCustomHttpClient, HttpMethod.GET, this.config.getIndexerTLSUrl());
        checkFailedAccessRevoked(makeCustomHttpClient, HttpMethod.GET, this.config.getBrokerTLSUrl());
        checkFailedAccessRevoked(makeCustomHttpClient, HttpMethod.GET, this.config.getHistoricalTLSUrl());
        checkFailedAccessRevoked(makeCustomHttpClient, HttpMethod.GET, this.config.getRouterTLSUrl());
        makeRequest(makeCustomHttpClient, HttpMethod.GET, this.config.getPermissiveRouterTLSUrl() + "/status", null);
        makeRequest(makeCustomHttpClient, HttpMethod.GET, this.config.getNoClientAuthRouterTLSUrl() + "/status", null);
    }

    @Test
    public void checkAccessWithExpiredCert() {
        LOG.info("---------Testing TLS resource access when client certificate has expired---------", new Object[0]);
        HttpClient makeCustomHttpClient = makeCustomHttpClient("client_tls/expired_client.jks", "expired_client");
        checkFailedAccessExpired(makeCustomHttpClient, HttpMethod.GET, this.config.getCoordinatorTLSUrl());
        checkFailedAccessExpired(makeCustomHttpClient, HttpMethod.GET, this.config.getIndexerTLSUrl());
        checkFailedAccessExpired(makeCustomHttpClient, HttpMethod.GET, this.config.getBrokerTLSUrl());
        checkFailedAccessExpired(makeCustomHttpClient, HttpMethod.GET, this.config.getHistoricalTLSUrl());
        checkFailedAccessExpired(makeCustomHttpClient, HttpMethod.GET, this.config.getRouterTLSUrl());
        checkFailedAccessExpired(makeCustomHttpClient, HttpMethod.GET, this.config.getPermissiveRouterTLSUrl());
        makeRequest(makeCustomHttpClient, HttpMethod.GET, this.config.getNoClientAuthRouterTLSUrl() + "/status", null);
    }

    @Test
    public void checkAccessWithNotCASignedCert() {
        LOG.info("---------Testing TLS resource access when client certificate is signed by a non-CA intermediate cert---------", new Object[0]);
        HttpClient makeCustomHttpClient = makeCustomHttpClient("client_tls/invalid_ca_client.jks", "invalid_ca_client");
        checkFailedAccessNotCA(makeCustomHttpClient, HttpMethod.GET, this.config.getCoordinatorTLSUrl());
        checkFailedAccessNotCA(makeCustomHttpClient, HttpMethod.GET, this.config.getIndexerTLSUrl());
        checkFailedAccessNotCA(makeCustomHttpClient, HttpMethod.GET, this.config.getBrokerTLSUrl());
        checkFailedAccessNotCA(makeCustomHttpClient, HttpMethod.GET, this.config.getHistoricalTLSUrl());
        checkFailedAccessNotCA(makeCustomHttpClient, HttpMethod.GET, this.config.getRouterTLSUrl());
        checkFailedAccessNotCA(makeCustomHttpClient, HttpMethod.GET, this.config.getPermissiveRouterTLSUrl());
        makeRequest(makeCustomHttpClient, HttpMethod.GET, this.config.getNoClientAuthRouterTLSUrl() + "/status", null);
    }

    private void checkFailedAccessNoCert(HttpClient httpClient, HttpMethod httpMethod, String str) {
        checkFailedAccess(httpClient, httpMethod, str + "/status", "Certless", SSLException.class, "Received fatal alert: bad_certificate");
    }

    private void checkFailedAccessWrongHostname(HttpClient httpClient, HttpMethod httpMethod, String str) {
        checkFailedAccess(httpClient, httpMethod, str + "/status", "Wrong hostname", SSLException.class, "Received fatal alert: certificate_unknown");
    }

    private void checkFailedAccessWrongRoot(HttpClient httpClient, HttpMethod httpMethod, String str) {
        checkFailedAccess(httpClient, httpMethod, str + "/status", "Wrong root cert", SSLException.class, "Received fatal alert: certificate_unknown");
    }

    private void checkFailedAccessRevoked(HttpClient httpClient, HttpMethod httpMethod, String str) {
        checkFailedAccess(httpClient, httpMethod, str + "/status", "Revoked cert", SSLException.class, "Received fatal alert: certificate_unknown");
    }

    private void checkFailedAccessExpired(HttpClient httpClient, HttpMethod httpMethod, String str) {
        checkFailedAccess(httpClient, httpMethod, str + "/status", "Expired cert", SSLException.class, "Received fatal alert: certificate_unknown");
    }

    private void checkFailedAccessNotCA(HttpClient httpClient, HttpMethod httpMethod, String str) {
        checkFailedAccess(httpClient, httpMethod, str + "/status", "Cert signed by non-CA", SSLException.class, "Received fatal alert: certificate_unknown");
    }

    private HttpClientConfig.Builder getHttpClientConfigBuilder(SSLContext sSLContext) {
        return HttpClientConfig.builder().withNumConnections(this.httpClientConfig.getNumConnections()).withReadTimeout(this.httpClientConfig.getReadTimeout()).withWorkerCount(this.httpClientConfig.getNumMaxThreads()).withCompressionCodec(HttpClientConfig.CompressionCodec.valueOf(StringUtils.toUpperCase(this.httpClientConfig.getCompressionCodec()))).withUnusedConnectionTimeoutDuration(this.httpClientConfig.getUnusedConnectionTimeout()).withSslHandshakeTimeout(SSL_HANDSHAKE_TIMEOUT).withSslContext(sSLContext);
    }

    private HttpClient makeCustomHttpClient(String str, String str2) {
        return new CredentialedHttpClient(new BasicCredentials("admin", "priest"), HttpClientInit.createClient(getHttpClientConfigBuilder(new TLSUtils.ClientSSLContextBuilder().setProtocol(this.sslClientConfig.getProtocol()).setTrustStoreType(this.sslClientConfig.getTrustStoreType()).setTrustStorePath(this.sslClientConfig.getTrustStorePath()).setTrustStoreAlgorithm(this.sslClientConfig.getTrustStoreAlgorithm()).setTrustStorePasswordProvider(this.sslClientConfig.getTrustStorePasswordProvider()).setKeyStoreType(this.sslClientConfig.getKeyStoreType()).setKeyStorePath(str).setKeyStoreAlgorithm(this.sslClientConfig.getKeyManagerFactoryAlgorithm()).setCertAlias(str2).setKeyStorePasswordProvider(this.sslClientConfig.getKeyStorePasswordProvider()).setKeyManagerFactoryPasswordProvider(this.sslClientConfig.getKeyManagerPasswordProvider()).build()).build(), LifecycleUtils.asMmxLifecycle(new Lifecycle())));
    }

    private HttpClient makeCertlessClient() {
        return new CredentialedHttpClient(new BasicCredentials("admin", "priest"), HttpClientInit.createClient(getHttpClientConfigBuilder(new TLSUtils.ClientSSLContextBuilder().setProtocol(this.sslClientConfig.getProtocol()).setTrustStoreType(this.sslClientConfig.getTrustStoreType()).setTrustStorePath(this.sslClientConfig.getTrustStorePath()).setTrustStoreAlgorithm(this.sslClientConfig.getTrustStoreAlgorithm()).setTrustStorePasswordProvider(this.sslClientConfig.getTrustStorePasswordProvider()).build()).build(), LifecycleUtils.asMmxLifecycle(new Lifecycle())));
    }

    private void checkFailedAccess(HttpClient httpClient, HttpMethod httpMethod, String str, String str2, Class cls, String str3) {
        int i = 0;
        while (true) {
            try {
                makeRequest(httpClient, httpMethod, str, null, -1);
                Assert.fail(StringUtils.format("Test failed, did not get %s.", new Object[]{cls}));
            } catch (RuntimeException e) {
                Throwable rootCause = Throwables.getRootCause(e);
                if (!(rootCause instanceof IOException) || (!"Broken pipe".equals(rootCause.getMessage()) && !"Connection reset by peer".contains(rootCause.getMessage()))) {
                    break;
                }
                if (i > MAX_CONNECTION_EXCEPTION_RETRIES) {
                    Assert.fail(StringUtils.format("Broken pipe / connection reset retries exhausted, test failed, did not get %s.", new Object[]{cls}));
                    break;
                }
                i++;
                Assert.assertTrue(cls.isInstance(rootCause), StringUtils.format("Expected %s but found %s instead.", new Object[]{cls, rootCause}));
                Assert.assertEquals(rootCause.getMessage(), str3);
                LOG.info("%s client [%s] request failed as expected when accessing [%s]", new Object[]{str2, httpMethod, str});
            }
        }
        Assert.assertTrue(cls.isInstance(rootCause), StringUtils.format("Expected %s but found %s instead.", new Object[]{cls, rootCause}));
        Assert.assertEquals(rootCause.getMessage(), str3);
        LOG.info("%s client [%s] request failed as expected when accessing [%s]", new Object[]{str2, httpMethod, str});
    }

    private StatusResponseHolder makeRequest(HttpClient httpClient, HttpMethod httpMethod, String str, byte[] bArr) {
        return makeRequest(httpClient, httpMethod, str, bArr, 4);
    }

    private StatusResponseHolder makeRequest(HttpClient httpClient, HttpMethod httpMethod, String str, byte[] bArr, int i) {
        try {
            Request request = new Request(httpMethod, new URL(str));
            if (bArr != null) {
                request.setContent("application/json", bArr);
            }
            int i2 = 0;
            while (true) {
                StatusResponseHolder statusResponseHolder = (StatusResponseHolder) httpClient.go(request, this.responseHandler).get();
                if (statusResponseHolder.getStatus().equals(HttpResponseStatus.OK)) {
                    LOG.info("[%s] request to [%s] succeeded.", new Object[]{httpMethod, str});
                    return statusResponseHolder;
                }
                String format = StringUtils.format("Error while making request to url[%s] status[%s] content[%s]", new Object[]{str, statusResponseHolder.getStatus(), statusResponseHolder.getContent()});
                if (i2 > i) {
                    throw new ISE(format, new Object[0]);
                }
                LOG.error(format, new Object[0]);
                LOG.error("retrying in 3000ms, retryCount: " + i2, new Object[0]);
                i2++;
                Thread.sleep(3000L);
            }
        } catch (Exception e) {
            throw Throwables.propagate(e);
        }
    }
}
