package org.apache.hadoop.hdds.security.x509.certificate.client;

import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileAttribute;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.UUID;
import org.apache.commons.io.FileUtils;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang3.RandomStringUtils;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec;
import org.apache.hadoop.hdds.security.x509.exceptions.CertificateException;
import org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator;
import org.apache.hadoop.hdds.security.x509.keys.KeyCodec;
import org.apache.hadoop.security.ssl.KeyStoreTestUtil;
import org.apache.hadoop.test.GenericTestUtils;
import org.apache.hadoop.test.LambdaTestUtils;
import org.bouncycastle.cert.X509CertificateHolder;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;

/* loaded from: input_file:org/apache/hadoop/hdds/security/x509/certificate/client/TestDefaultCertificateClient.class */
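/**
 * Tests for the default certificate client as exercised through its OM and DN subclasses.
 * Each client is given its own metadata directory so the key and certificate files of one
 * can never be picked up by the other.
 *
 * <p>The security-relevant expectations pinned here: a client with no key files on disk
 * reports {@code null} rather than a fabricated key; signing without a private key fails
 * with an {@link IOException} instead of producing output; a signature over different data
 * is rejected on both the byte-array and stream verification paths; and {@code init()} fails
 * closed ({@link CertificateClient.InitResponse#FAILURE}) whenever the stored private key,
 * public key and certificate do not form a consistent set.
 *
 * <p>Payload bytes are always encoded explicitly as UTF-8 so the test result does not depend
 * on the platform default charset.
 */
public class TestDefaultCertificateClient {
    /**
     * Used both as the charset name for {@link IOUtils#toInputStream(String, String)} and, by
     * the original authors, as the character pool for {@link RandomStringUtils#random(int, String)}.
     */
    private static final String UTF = "UTF-8";
    private static final String DN_COMPONENT = "dn";
    private static final String OM_COMPONENT = "om";
    /** Not a well-formed signature at all; verification must return false for it, not throw. */
    private static final byte[] BOGUS_SIGNATURE = "abc".getBytes(StandardCharsets.UTF_8);

    private String certSerialId;
    private X509Certificate x509Certificate;
    private OMCertificateClient omCertClient;
    private DNCertificateClient dnCertClient;
    private HDDSKeyGenerator keyGenerator;
    private Path omMetaDirPath;
    private Path dnMetaDirPath;
    private SecurityConfig omSecurityConfig;
    private SecurityConfig dnSecurityConfig;
    private KeyCodec omKeyCodec;
    private KeyCodec dnKeyCodec;

    /**
     * Builds two isolated security configurations (OM and DN), creates their key directories,
     * generates a fresh keypair plus a self-signed certificate, and constructs both clients
     * with that certificate's serial id.
     */
    @Before
    public void setUp() throws Exception {
        OzoneConfiguration conf = new OzoneConfiguration();
        conf.setStrings("ozone.scm.names", "localhost");
        conf.setInt("ipc.client.connect.max.retries", 2);
        omMetaDirPath = Paths.get(GenericTestUtils.getTempPath(UUID.randomUUID().toString()), "test");
        dnMetaDirPath = Paths.get(GenericTestUtils.getTempPath(UUID.randomUUID().toString()), "test");
        // The same Configuration object is reused: the OM SecurityConfig must be built before
        // the metadata dir is re-pointed at the DN location.
        conf.set("hdds.metadata.dir", omMetaDirPath.toString());
        omSecurityConfig = new SecurityConfig(conf);
        conf.set("hdds.metadata.dir", dnMetaDirPath.toString());
        dnSecurityConfig = new SecurityConfig(conf);
        keyGenerator = new HDDSKeyGenerator(omSecurityConfig);
        omKeyCodec = new KeyCodec(omSecurityConfig, OM_COMPONENT);
        dnKeyCodec = new KeyCodec(dnSecurityConfig, DN_COMPONENT);
        Files.createDirectories(omSecurityConfig.getKeyLocation(OM_COMPONENT));
        Files.createDirectories(dnSecurityConfig.getKeyLocation(DN_COMPONENT));
        // null keypair: generateX509Cert also writes a fresh keypair to both key directories.
        x509Certificate = generateX509Cert(null);
        certSerialId = x509Certificate.getSerialNumber().toString();
        getCertClient();
    }

    /** (Re)creates both clients; tests call this to discard any state a previous init() left. */
    private void getCertClient() {
        omCertClient = new OMCertificateClient(omSecurityConfig, certSerialId);
        dnCertClient = new DNCertificateClient(dnSecurityConfig, certSerialId);
    }

    @After
    public void tearDown() {
        omCertClient = null;
        dnCertClient = null;
        FileUtils.deleteQuietly(omMetaDirPath.toFile());
        FileUtils.deleteQuietly(dnMetaDirPath.toFile());
    }

    /** With no key files on disk the client must report absence; once written, it loads them. */
    @Test
    public void testKeyOperations() throws Exception {
        cleanupOldKeyPair();
        PrivateKey missingPrivateKey = omCertClient.getPrivateKey();
        Assert.assertNull(omCertClient.getPublicKey());
        Assert.assertNull(missingPrivateKey);

        KeyPair written = generateKeyPairFiles();
        PrivateKey loadedPrivateKey = omCertClient.getPrivateKey();
        Assert.assertNotNull(loadedPrivateKey);
        Assert.assertEquals(written.getPrivate(), loadedPrivateKey);
        PublicKey loadedPublicKey = dnCertClient.getPublicKey();
        Assert.assertNotNull(loadedPublicKey);
        Assert.assertEquals(written.getPublic(), loadedPublicKey);
    }

    /**
     * Generates one keypair and writes it to both the OM and DN key directories, replacing
     * whatever was there.
     *
     * @return the keypair that was written
     */
    private KeyPair generateKeyPairFiles() throws Exception {
        cleanupOldKeyPair();
        KeyPair keyPair = keyGenerator.generateKey();
        omKeyCodec.writePrivateKey(keyPair.getPrivate());
        omKeyCodec.writePublicKey(keyPair.getPublic());
        dnKeyCodec.writePrivateKey(keyPair.getPrivate());
        dnKeyCodec.writePublicKey(keyPair.getPublic());
        return keyPair;
    }

    /** Removes the private and public key files of both clients; missing files are ignored. */
    private void cleanupOldKeyPair() {
        deleteKeyPairFiles(omSecurityConfig, OM_COMPONENT);
        deleteKeyPairFiles(dnSecurityConfig, DN_COMPONENT);
    }

    /** Deletes the private and public key files of one component, ignoring missing files. */
    private static void deleteKeyPairFiles(SecurityConfig config, String component) {
        Path keyDir = config.getKeyLocation(component);
        deleteQuietly(keyDir, config.getPrivateKeyFileName());
        deleteQuietly(keyDir, config.getPublicKeyFileName());
    }

    /** Best-effort delete of {@code dir/fileName}; a missing file is not an error. */
    private static void deleteQuietly(Path dir, String fileName) {
        FileUtils.deleteQuietly(dir.resolve(fileName).toFile());
    }

    /** A stored certificate must round-trip through the client unchanged. */
    @Test
    public void testCertificateOps() throws Exception {
        Assert.assertNull(omCertClient.getCertificate());
        // NOTE(review): the boolean is presumably a "force overwrite" flag - confirm against
        // storeCertificate's signature.
        omCertClient.storeCertificate(CertificateCodec.getPEMEncodedString(x509Certificate), true);
        X509Certificate loaded = omCertClient.getCertificate(serialOf(x509Certificate));
        Assert.assertNotNull(loaded);
        Assert.assertTrue(loaded.getEncoded().length > 0);
        Assert.assertEquals(x509Certificate, loaded);
    }

    /**
     * Issues a 30-day "CN=Test" certificate with the OM signature algorithm.
     *
     * @param keyPair keys to certify; when {@code null} a fresh keypair is generated AND
     *                written to both key directories (the only branch that touches disk)
     */
    private X509Certificate generateX509Cert(KeyPair keyPair) throws Exception {
        KeyPair certifiedKeys = keyPair == null ? generateKeyPairFiles() : keyPair;
        return KeyStoreTestUtil.generateCertificate("CN=Test", certifiedKeys, 30, omSecurityConfig.getSignatureAlgo());
    }

    /** Signing without a private key must fail loudly; with one, the signature must verify. */
    @Test
    public void testSignDataStream() throws Exception {
        String payload = randomPayload(100);
        deleteKeyPairFiles(omSecurityConfig, OM_COMPONENT);
        LambdaTestUtils.intercept(IOException.class, "Error while signing the stream",
            () -> omCertClient.signDataStream(toStream(payload)));
        generateKeyPairFiles();
        validateHash(omCertClient.signDataStream(toStream(payload)), utf8(payload));
    }

    /**
     * Verifies {@code signature} over {@code data} with the OM client's public key using the
     * configured algorithm and provider, independently of the client's own verify path.
     */
    private void validateHash(byte[] signature, byte[] data) throws Exception {
        Signature verifier = Signature.getInstance(omSecurityConfig.getSignatureAlgo(), omSecurityConfig.getProvider());
        verifier.initVerify(omCertClient.getPublicKey());
        verifier.update(data);
        Assert.assertTrue(verifier.verify(signature));
    }

    @Test
    public void verifySignatureStream() throws Exception {
        String payload = randomPayload(500);
        byte[] signature = omCertClient.signDataStream(toStream(payload));
        assertSignatureChecks(payload, signature);
    }

    @Test
    public void verifySignatureDataArray() throws Exception {
        String payload = randomPayload(500);
        byte[] signature = omCertClient.signData(utf8(payload));
        assertSignatureChecks(payload, signature);
    }

    /**
     * Asserts that {@code signature} verifies against {@code payload} through both the
     * byte-array and the stream overload, and that a bogus signature is rejected on both.
     */
    private void assertSignatureChecks(String payload, byte[] signature) throws Exception {
        Assert.assertTrue(omCertClient.verifySignature(utf8(payload), signature, x509Certificate));
        Assert.assertTrue(omCertClient.verifySignature(toStream(payload), signature, x509Certificate));
        Assert.assertFalse(omCertClient.verifySignature(utf8(payload), BOGUS_SIGNATURE, x509Certificate));
        Assert.assertFalse(omCertClient.verifySignature(toStream(payload), BOGUS_SIGNATURE, x509Certificate));
    }

    @Test
    public void queryCertificate() throws Exception {
        LambdaTestUtils.intercept(UnsupportedOperationException.class, "Operation not supported",
            () -> omCertClient.queryCertificate(""));
    }

    /**
     * Certificates dropped into the DN certificate directory are invisible to an existing
     * client and become loadable only by a client constructed after they were written.
     */
    @Test
    public void testCertificateLoadingOnInit() throws Exception {
        KeyPair keyPair = keyGenerator.generateKey();
        X509Certificate cert1 = generateX509Cert(keyPair);
        X509Certificate cert2 = generateX509Cert(keyPair);
        X509Certificate cert3 = generateX509Cert(keyPair);
        Path certDir = dnSecurityConfig.getCertificateLocation(DN_COMPONENT);
        CertificateCodec codec = new CertificateCodec(dnSecurityConfig, DN_COMPONENT);

        assertCertificateUnknown(cert1);
        assertCertificateUnknown(cert2);
        assertCertificateUnknown(cert3);

        codec.writeCertificate(certDir, "1.crt", CertificateCodec.getPEMEncodedString(cert1), true);
        codec.writeCertificate(certDir, "2.crt", CertificateCodec.getPEMEncodedString(cert2), true);
        codec.writeCertificate(certDir, "3.crt", CertificateCodec.getPEMEncodedString(cert3), true);

        // A new client is needed: the assertions below rely on certificates being picked up
        // when the client is constructed.
        dnCertClient = new DNCertificateClient(dnSecurityConfig, certSerialId);
        assertCertificateKnown(cert1);
        assertCertificateKnown(cert2);
        assertCertificateKnown(cert3);
    }

    /** Certificates stored through the client are immediately retrievable by serial id. */
    @Test
    public void testStoreCertificate() throws Exception {
        KeyPair keyPair = keyGenerator.generateKey();
        X509Certificate cert1 = generateX509Cert(keyPair);
        X509Certificate cert2 = generateX509Cert(keyPair);
        X509Certificate cert3 = generateX509Cert(keyPair);
        dnCertClient.storeCertificate(CertificateCodec.getPEMEncodedString(cert1), true);
        dnCertClient.storeCertificate(CertificateCodec.getPEMEncodedString(cert2), true);
        dnCertClient.storeCertificate(CertificateCodec.getPEMEncodedString(cert3), true);
        assertCertificateKnown(cert1);
        assertCertificateKnown(cert2);
        assertCertificateKnown(cert3);
    }

    /**
     * {@code init()} must fail closed for every inconsistent key/certificate combination.
     * Phases: (1) private and public key from different pairs; (2) the same mismatch with a
     * certificate present; (3) a consistent pair whose certificate was issued for the setUp
     * keypair; (4) no public key file at all.
     */
    @Test
    public void testInitCertAndKeypairValidationFailures() throws Exception {
        GenericTestUtils.LogCapturer dnLogs = GenericTestUtils.LogCapturer.captureLogs(dnCertClient.getLogger());
        GenericTestUtils.LogCapturer omLogs = GenericTestUtils.LogCapturer.captureLogs(omCertClient.getLogger());
        KeyPair keyPairA = keyGenerator.generateKey();
        KeyPair keyPairB = keyGenerator.generateKey();
        clearLogs(dnLogs, omLogs);

        // Phase 1: private key of A paired with public key of B.
        cleanupOldKeyPair();
        omKeyCodec.writePrivateKey(keyPairA.getPrivate());
        omKeyCodec.writePublicKey(keyPairB.getPublic());
        dnKeyCodec.writePrivateKey(keyPairA.getPrivate());
        dnKeyCodec.writePublicKey(keyPairB.getPublic());
        assertBothInitsFailWith(dnLogs, omLogs, "Keypair validation failed");

        // Phase 2: same mismatch, but now the setUp certificate is on disk as well.
        getCertClient();
        deleteQuietly(omSecurityConfig.getKeyLocation(OM_COMPONENT), omSecurityConfig.getCertificateFileName());
        deleteQuietly(dnSecurityConfig.getKeyLocation(DN_COMPONENT), dnSecurityConfig.getCertificateFileName());
        new CertificateCodec(omSecurityConfig, OM_COMPONENT).writeCertificate(new X509CertificateHolder(x509Certificate.getEncoded()));
        new CertificateCodec(dnSecurityConfig, DN_COMPONENT).writeCertificate(new X509CertificateHolder(x509Certificate.getEncoded()));
        assertBothInitsFailWith(dnLogs, omLogs, "Keypair validation failed");

        // Phase 3: keypair A is now consistent, but the stored certificate belongs to the
        // keypair generated in setUp.
        deleteQuietly(omSecurityConfig.getKeyLocation(OM_COMPONENT), omSecurityConfig.getPublicKeyFileName());
        deleteQuietly(dnSecurityConfig.getKeyLocation(DN_COMPONENT), dnSecurityConfig.getPublicKeyFileName());
        getCertClient();
        omKeyCodec.writePublicKey(keyPairA.getPublic());
        dnKeyCodec.writePublicKey(keyPairA.getPublic());
        assertBothInitsFailWith(dnLogs, omLogs, "Stored certificate is generated with different");

        // Phase 4: no public key file; presumably it cannot be recovered from the certificate
        // either, since that certificate was issued for a different keypair.
        getCertClient();
        deleteQuietly(omSecurityConfig.getKeyLocation(OM_COMPONENT), omSecurityConfig.getPublicKeyFileName());
        deleteQuietly(dnSecurityConfig.getKeyLocation(DN_COMPONENT), dnSecurityConfig.getPublicKeyFileName());
        assertBothInitsFailWith(dnLogs, omLogs, "Can't recover public key");
    }

    /**
     * Runs {@code init()} on the DN client and then the OM client, asserting each returns
     * {@code FAILURE} and logs {@code expectedMessage}; both captures are cleared after each.
     */
    private void assertBothInitsFailWith(GenericTestUtils.LogCapturer dnLogs,
        GenericTestUtils.LogCapturer omLogs, String expectedMessage) throws Exception {
        Assert.assertEquals(CertificateClient.InitResponse.FAILURE, dnCertClient.init());
        Assert.assertTrue(dnLogs.getOutput().contains(expectedMessage));
        clearLogs(dnLogs, omLogs);
        Assert.assertEquals(CertificateClient.InitResponse.FAILURE, omCertClient.init());
        Assert.assertTrue(omLogs.getOutput().contains(expectedMessage));
        clearLogs(dnLogs, omLogs);
    }

    private static void clearLogs(GenericTestUtils.LogCapturer dnLogs, GenericTestUtils.LogCapturer omLogs) {
        dnLogs.clearOutput();
        omLogs.clearOutput();
    }

    /** Asserts the DN client cannot find {@code cert} by serial id. */
    private void assertCertificateUnknown(X509Certificate cert) throws Exception {
        LambdaTestUtils.intercept(CertificateException.class, "Error while getting certificate",
            () -> dnCertClient.getCertificate(serialOf(cert)));
    }

    /** Asserts the DN client finds {@code cert} by serial id. */
    private void assertCertificateKnown(X509Certificate cert) throws Exception {
        Assert.assertNotNull(dnCertClient.getCertificate(serialOf(cert)));
    }

    private static String serialOf(X509Certificate cert) {
        return cert.getSerialNumber().toString();
    }

    /**
     * Random test payload of {@code length} characters. The second argument of
     * {@link RandomStringUtils#random(int, String)} is the character pool, so the payload is
     * drawn from the letters of "UTF-8" and is pure ASCII.
     */
    private static String randomPayload(int length) {
        return RandomStringUtils.random(length, UTF);
    }

    /** Explicit UTF-8 encoding so the byte-array and stream paths see identical bytes. */
    private static byte[] utf8(String s) {
        return s.getBytes(StandardCharsets.UTF_8);
    }

    private static InputStream toStream(String s) {
        return IOUtils.toInputStream(s, UTF);
    }
}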
