package org.apache.hadoop.ozone;

import java.io.File;
import java.io.IOException;
import java.net.InetAddress;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileAttribute;
import java.security.cert.X509Certificate;
import java.sql.Date;
import java.time.LocalDate;
import java.time.LocalDateTime;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.UUID;
import java.util.concurrent.Callable;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang3.RandomStringUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.hadoop.hdds.annotation.InterfaceAudience;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.hdds.protocol.SCMSecurityProtocol;
import org.apache.hadoop.hdds.scm.HddsTestUtils;
import org.apache.hadoop.hdds.scm.ScmConfig;
import org.apache.hadoop.hdds.scm.ScmInfo;
import org.apache.hadoop.hdds.scm.server.SCMHTTPServerConfig;
import org.apache.hadoop.hdds.scm.server.SCMStorageConfig;
import org.apache.hadoop.hdds.scm.server.StorageContainerManager;
import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec;
import org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator;
import org.apache.hadoop.hdds.security.x509.keys.KeyCodec;
import org.apache.hadoop.hdds.utils.HddsServerUtil;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.ipc.Client;
import org.apache.hadoop.ipc.RPC;
import org.apache.hadoop.ipc.RemoteException;
import org.apache.hadoop.ipc.Server;
import org.apache.hadoop.metrics2.lib.DefaultMetricsSystem;
import org.apache.hadoop.minikdc.MiniKdc;
import org.apache.hadoop.net.ServerSocketUtil;
import org.apache.hadoop.ozone.client.CertificateClientTestImpl;
import org.apache.hadoop.ozone.common.Storage;
import org.apache.hadoop.ozone.om.OMStorage;
import org.apache.hadoop.ozone.om.OzoneManager;
import org.apache.hadoop.ozone.om.exceptions.OMException;
import org.apache.hadoop.ozone.om.helpers.OmVolumeArgs;
import org.apache.hadoop.ozone.om.helpers.S3SecretValue;
import org.apache.hadoop.ozone.om.protocolPB.OmTransportFactory;
import org.apache.hadoop.ozone.om.protocolPB.OzoneManagerProtocolClientSideTranslatorPB;
import org.apache.hadoop.ozone.om.protocolPB.OzoneManagerProtocolPB;
import org.apache.hadoop.ozone.security.OzoneTokenIdentifier;
import org.apache.hadoop.security.KerberosAuthException;
import org.apache.hadoop.security.SaslRpcServer;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.test.GenericTestUtils;
import org.apache.hadoop.test.LambdaTestUtils;
import org.apache.ratis.protocol.ClientId;
import org.bouncycastle.asn1.x500.RDN;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.TemporaryFolder;
import org.junit.rules.Timeout;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.slf4j.event.Level;

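/**
 * Integration tests for Ozone's Kerberos and certificate bootstrap in secure
 * mode. {@link #init()} starts a fresh {@link MiniKdc}, provisions keytabs for
 * the SCM, the OM, SPNEGO and a plain test user, and enables
 * {@code ozone.security.enabled}; the tests then start an SCM and/or OM
 * against that KDC and check login, the SCM security RPC, OM certificate
 * enrolment, delegation tokens and S3 secrets.
 *
 * <p>Tests that start an SCM or OM stop it in a {@code finally}; {@link #stop()}
 * is a best-effort backstop that tolerates a partially initialised fixture.
 */
@InterfaceAudience.Private
public final class TestSecureOzoneCluster {
    /** Component name used for the pre-generated key pair and the TOKEN-auth test identity. */
    private static final String COMPONENT = "test";
    /** Fixed certificate serial id written into OM storage by {@link #setupOm}. */
    private static final String OM_CERT_SERIAL_ID = "9879877970576";
    private static final Logger LOG = LoggerFactory.getLogger(TestSecureOzoneCluster.class);

    @Rule
    public Timeout timeout = new Timeout(80000);

    @Rule
    public TemporaryFolder folder = new TemporaryFolder();
    private MiniKdc miniKdc;
    private OzoneConfiguration conf;
    private File workDir;
    private File scmKeytab;
    private File spnegoKeytab;
    private File omKeyTab;
    private File testUserKeytab;
    private String testUserPrincipal;
    private StorageContainerManager scm;
    private OzoneManager om;
    private String host;
    private String clusterId;
    private String scmId;
    private String omId;
    private OzoneManagerProtocolClientSideTranslatorPB omClient;

    /**
     * Builds a secure configuration, starts the MiniKdc, provisions keytabs and
     * pre-generates a key pair for {@link #COMPONENT}.
     *
     * <p>Failures propagate instead of being logged and swallowed: a KDC or
     * keytab problem must fail the test here, not resurface later as an
     * unrelated NPE or "Client cannot authenticate" with the real cause buried
     * in the log.
     *
     * @throws Exception if the KDC, the keytabs or the key pair cannot be set up
     */
    @Before
    public void init() throws Exception {
        conf = new OzoneConfiguration();
        conf.set("ozone.scm.client.address", "localhost");
        // Pick free ports near the defaults so parallel suites do not collide.
        conf.setInt("ozone.scm.client.port", ServerSocketUtil.getPort(9860, 100));
        conf.setInt("ozone.scm.datanode.port", ServerSocketUtil.getPort(9861, 100));
        conf.setInt("ozone.scm.block.client.port", ServerSocketUtil.getPort(9863, 100));
        conf.setInt("ozone.scm.security.service.port", ServerSocketUtil.getPort(9961, 100));
        DefaultMetricsSystem.setMiniClusterMode(true);
        conf.set("ozone.metadata.dirs", Paths.get(folder.newFolder().toString(), "om-meta").toString());
        conf.setBoolean("ozone.security.enabled", true);
        conf.set("hadoop.security.authentication", UserGroupInformation.AuthenticationMethod.KERBEROS.name());
        workDir = GenericTestUtils.getTestDir(getClass().getSimpleName());
        startMiniKdc();
        setSecureConfig();
        createCredentialsInKDC();
        generateKeyPair();
    }

    /**
     * Best-effort teardown of whatever {@link #init()} and the test managed to
     * start. Null-safe so that a fixture which failed part-way through
     * {@link #init()} does not turn the real failure into an NPE here; cleanup
     * exceptions are logged, never allowed to mask the test result.
     */
    @After
    public void stop() {
        try {
            stopMiniKdc();
            if (scm != null) {
                scm.stop();
            }
            IOUtils.closeQuietly(om);
            IOUtils.closeQuietly(omClient);
        } catch (Exception e) {
            LOG.error("Failed to stop TestSecureOzoneCluster", e);
        }
    }

    /**
     * Registers every principal the configuration refers to in the KDC and
     * writes its keys to the matching keytab.
     *
     * <p>The SCM HTTP and OM HTTP principals share one SPNEGO keytab (see
     * {@link #setSecureConfig()}), so both are written into it; previously only
     * the SCM HTTP principal was, leaving {@code ozone.om.http.auth.kerberos.principal}
     * pointing at a keytab with no matching entry.
     */
    private void createCredentialsInKDC() throws Exception {
        ScmConfig scmConfig = conf.getObject(ScmConfig.class);
        SCMHTTPServerConfig scmHttpConfig = conf.getObject(SCMHTTPServerConfig.class);
        createPrincipal(scmKeytab, scmConfig.getKerberosPrincipal());
        createPrincipal(spnegoKeytab,
                scmHttpConfig.getKerberosPrincipal(),
                conf.get("ozone.om.http.auth.kerberos.principal"));
        createPrincipal(testUserKeytab, testUserPrincipal);
        createPrincipal(omKeyTab, conf.get("ozone.om.kerberos.principal"));
    }

    /** Creates the given principals in the MiniKdc and stores their keys in {@code keytab}. */
    private void createPrincipal(File keytab, String... principals) throws Exception {
        miniKdc.createPrincipal(keytab, principals);
    }

    /** Starts a MiniKdc with default settings, rooted in {@link #workDir}. */
    private void startMiniKdc() throws Exception {
        miniKdc = new MiniKdc(MiniKdc.createConf(), workDir);
        miniKdc.start();
    }

    /** Stops the MiniKdc if it was started. */
    private void stopMiniKdc() {
        if (miniKdc != null) {
            miniKdc.stop();
        }
    }

    /**
     * Points the configuration at Kerberos: service principals of the form
     * {@code <service>/<host>@<REALM>} for the SCM, OM and their HTTP
     * endpoints, a plain {@code test@<REALM>} user, and keytab paths under
     * {@link #workDir}. The JVM user is made the sole Ozone administrator, which
     * is what lets {@code UserGroupInformation.getCurrentUser()} act as admin
     * in the OM tests below.
     */
    private void setSecureConfig() throws IOException {
        conf.setBoolean("ozone.security.enabled", true);
        host = InetAddress.getLocalHost().getCanonicalHostName().toLowerCase();
        conf.set("hadoop.security.authentication", "kerberos");
        conf.set("ozone.administrators", UserGroupInformation.getCurrentUser().getUserName());
        String realm = miniKdc.getRealm();
        String hostAtRealm = host + "@" + realm;
        conf.set("hdds.scm.kerberos.principal", "scm/" + hostAtRealm);
        conf.set(SCMHTTPServerConfig.ConfigStrings.HDDS_SCM_HTTP_KERBEROS_PRINCIPAL_KEY, "HTTP_SCM/" + hostAtRealm);
        conf.set("ozone.om.kerberos.principal", "om/" + hostAtRealm);
        conf.set("ozone.om.http.auth.kerberos.principal", "HTTP_OM/" + hostAtRealm);
        scmKeytab = new File(workDir, "scm.keytab");
        spnegoKeytab = new File(workDir, "http.keytab");
        omKeyTab = new File(workDir, "om.keytab");
        testUserKeytab = new File(workDir, "testuser.keytab");
        testUserPrincipal = "test@" + realm;
        conf.set("hdds.scm.kerberos.keytab.file", scmKeytab.getAbsolutePath());
        conf.set(SCMHTTPServerConfig.ConfigStrings.HDDS_SCM_HTTP_KERBEROS_KEYTAB_FILE_KEY, spnegoKeytab.getAbsolutePath());
        conf.set("ozone.om.kerberos.keytab.file", omKeyTab.getAbsolutePath());
        // Both HTTP endpoints read the same SPNEGO keytab.
        conf.set("ozone.om.http.auth.kerberos.keytab", spnegoKeytab.getAbsolutePath());
    }

    /** A correctly configured secure SCM starts and reports the ids written to its storage. */
    @Test
    public void testSecureScmStartupSuccess() throws Exception {
        initSCM();
        scm = StorageContainerManager.createSCM(conf);
        ScmInfo scmInfo = scm.getClientProtocolServer().getScmInfo();
        Assert.assertEquals(clusterId, scmInfo.getClusterId());
        Assert.assertEquals(scmId, scmInfo.getScmId());
    }

    /**
     * The SCM security RPC (certificate distribution) is reachable with Kerberos
     * and refuses anything else: a Kerberos-authenticated test user can read the
     * CA certificate and gets "Certificate not found" for an unknown serial,
     * while an identity presenting only TOKEN auth is rejected with
     * "Client cannot authenticate via:[KERBEROS]" before it can read anything.
     */
    @Test
    public void testSCMSecurityProtocol() throws Exception {
        initSCM();
        scm = HddsTestUtils.getScm(conf);
        try {
            scm.start();

            UserGroupInformation kerberosUser = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
                    testUserPrincipal, testUserKeytab.getCanonicalPath());
            kerberosUser.setAuthenticationMethod(UserGroupInformation.AuthenticationMethod.KERBEROS);
            SCMSecurityProtocol kerberosClient = HddsServerUtil.getScmSecurityClient(conf, kerberosUser);
            Assert.assertNotNull(kerberosClient);
            Assert.assertNotNull(kerberosClient.getCACertificate());
            LambdaTestUtils.intercept(RemoteException.class, "Certificate not found",
                    () -> kerberosClient.getCertificate("1"));

            // The endpoint only accepts KERBEROS; a TOKEN-only caller must be turned away.
            UserGroupInformation tokenUser = UserGroupInformation.createRemoteUser(COMPONENT);
            tokenUser.setAuthenticationMethod(SaslRpcServer.AuthMethod.TOKEN);
            SCMSecurityProtocol tokenClient = HddsServerUtil.getScmSecurityClient(conf, tokenUser);
            LambdaTestUtils.intercept(IOException.class, "Client cannot authenticate via:[KERBEROS]",
                    tokenClient::getCACertificate);
            LambdaTestUtils.intercept(IOException.class, "Client cannot authenticate via:[KERBEROS]",
                    () -> tokenClient.getCertificate("1"));
        } finally {
            if (scm != null) {
                scm.stop();
            }
        }
    }

    /**
     * Generates fresh cluster/SCM/OM ids, points {@code ozone.metadata.dirs} at a
     * new {@code scm-meta} directory and initialises SCM storage there.
     */
    private void initSCM() throws IOException {
        clusterId = UUID.randomUUID().toString();
        scmId = UUID.randomUUID().toString();
        omId = UUID.randomUUID().toString();
        Path scmMeta = Paths.get(folder.newFolder().toString(), "scm-meta");
        Files.createDirectories(scmMeta);
        conf.set("ozone.metadata.dirs", scmMeta.toString());
        SCMStorageConfig scmStorage = new SCMStorageConfig(conf);
        scmStorage.setClusterId(clusterId);
        scmStorage.setScmId(scmId);
        scmStorage.initialize();
    }

    /**
     * Secure-mode SCM start-up must fail closed on a bad Kerberos configuration:
     * an empty keytab path is rejected up front, an unreadable keytab fails the
     * login, and unsupported {@code hadoop.security.authentication} values are
     * refused rather than silently degrading to an insecure mode.
     */
    @Test
    public void testSecureScmStartupFailure() throws Exception {
        initSCM();
        conf.set("hdds.scm.kerberos.keytab.file", "");
        conf.set("hadoop.security.authentication", "kerberos");
        LambdaTestUtils.intercept(IOException.class, "Running in secure mode, but config doesn't have a keytab",
                () -> StorageContainerManager.createSCM(conf));
        // A principal in a foreign realm with a keytab path that does not exist here.
        conf.set("hdds.scm.kerberos.principal", "scm/_HOST@EXAMPLE.com");
        conf.set("hdds.scm.kerberos.keytab.file", "/etc/security/keytabs/scm.keytab");
        testCommonKerberosFailures(() -> StorageContainerManager.createSCM(conf));
    }

    /**
     * Runs {@code startup} three times, each expected to fail: first with the
     * configuration as given (a login failure), then with
     * {@code hadoop.security.authentication} set to the unknown value
     * {@code OAuth2}, then to the unsupported {@code KERBEROS_SSL}.
     *
     * @param startup creates the SCM or OM under test with the shared {@link #conf}
     */
    private void testCommonKerberosFailures(Callable<?> startup) throws Exception {
        LambdaTestUtils.intercept(KerberosAuthException.class, "failure to login: for principal:", startup);
        conf.set("hadoop.security.authentication", "OAuth2");
        LambdaTestUtils.intercept(IllegalArgumentException.class,
                "Invalid attribute value for hadoop.security.authentication of OAuth2", startup);
        conf.set("hadoop.security.authentication", "KERBEROS_SSL");
        LambdaTestUtils.intercept(AuthenticationException.class, "KERBEROS_SSL authentication method not", startup);
    }

    /** OM creation fails when its principal is unknown to the KDC, and on the common auth misconfigurations. */
    @Test
    public void testSecureOMInitializationFailure() throws Exception {
        initSCM();
        scm = StorageContainerManager.createSCM(conf);
        setupOm(conf);
        conf.set("ozone.om.kerberos.principal", "non-existent-user@EXAMPLE.com");
        testCommonKerberosFailures(() -> OzoneManager.createOm(conf));
    }

    /**
     * A correctly configured OM logs in with Kerberos. {@code om.start()} may
     * still throw (the SCM is created but never started here); that exception is
     * ignored, and the login message is asserted unconditionally so the success
     * path is checked too rather than only the failure path.
     */
    @Test
    public void testSecureOmInitializationSuccess() throws Exception {
        initSCM();
        scm = StorageContainerManager.createSCM(conf);
        GenericTestUtils.LogCapturer omLogs = GenericTestUtils.LogCapturer.captureLogs(OzoneManager.getLogger());
        GenericTestUtils.setLogLevel(OzoneManager.getLogger(), Level.INFO);
        setupOm(conf);
        try {
            om.start();
        } catch (Exception ignored) {
            // Start-up failure is tolerated; only the Kerberos login is under test.
        }
        Assert.assertTrue(omLogs.getOutput().contains("Ozone Manager login successful"));
    }

    /**
     * OM RPC authorisation at the transport level: a Kerberos-authenticated
     * client can create a volume, a client with no Kerberos credentials is
     * refused with {@code AccessControlException: Client cannot authenticate
     * via:[TOKEN, KERBEROS]}, and the RPC client does not retry that refusal
     * (exactly one such log entry).
     */
    @Test
    public void testAccessControlExceptionOnClient() throws Exception {
        initSCM();
        scm = StorageContainerManager.createSCM(conf);
        GenericTestUtils.LogCapturer omLogs = GenericTestUtils.LogCapturer.captureLogs(OzoneManager.getLogger());
        GenericTestUtils.setLogLevel(OzoneManager.getLogger(), Level.INFO);
        setupOm(conf);
        try {
            om.setCertClient(new CertificateClientTestImpl(conf));
            om.start();
        } catch (Exception ignored) {
            // Start-up failure is tolerated; the login below must have happened regardless.
        }
        Assert.assertTrue(omLogs.getOutput().contains("Ozone Manager login successful"));

        UserGroupInformation kerberosUser = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
                testUserPrincipal, testUserKeytab.getCanonicalPath());
        kerberosUser.setAuthenticationMethod(UserGroupInformation.AuthenticationMethod.KERBEROS);
        try (OzoneManagerProtocolClientSideTranslatorPB secureClient = new OzoneManagerProtocolClientSideTranslatorPB(
                OmTransportFactory.create(conf, kerberosUser, null), ClientId.randomId().toString())) {
            try {
                secureClient.createVolume(new OmVolumeArgs.Builder()
                        .setVolume("vol1").setOwnerName("owner1").setAdminName("admin").build());
            } catch (IOException e) {
                // Keep the cause: a Kerberos failure here is the interesting diagnostic.
                throw new AssertionError("Secure client should be able to create volume.", e);
            }
        }

        String accessDenied = "org.apache.hadoop.security.AccessControlException: "
                + "Client cannot authenticate via:[TOKEN, KERBEROS]";
        UserGroupInformation noCredentials = UserGroupInformation.createUserForTesting("testuser1", new String[]{COMPONENT});
        try (OzoneManagerProtocolClientSideTranslatorPB insecureClient = new OzoneManagerProtocolClientSideTranslatorPB(
                OmTransportFactory.create(conf, noCredentials, null), ClientId.randomId().toString())) {
            GenericTestUtils.LogCapturer rpcLogs = GenericTestUtils.LogCapturer.captureLogs(Client.LOG);
            LambdaTestUtils.intercept(IOException.class, accessDenied,
                    () -> insecureClient.listAllVolumes(null, null, 0));
            Assert.assertEquals("There should be no retry on AccessControlException", 1L,
                    StringUtils.countMatches(rpcLogs.getOutput(), accessDenied));
        }
    }

    /**
     * Writes a fresh key pair for {@link #COMPONENT} under the configured
     * security directories. Its consumer is not visible in this file
     * (NOTE(review): possibly CertificateClientTestImpl — confirm); the
     * {@code true} flag is passed through to {@code KeyCodec.writeKey} unchanged.
     */
    private void generateKeyPair() throws Exception {
        new KeyCodec(new SecurityConfig(conf), COMPONENT).writeKey(new HDDSKeyGenerator(conf).generateKey(), true);
    }

    /**
     * Delegation-token lifecycle and tamper checks against the OM:
     * <ul>
     *   <li>a token for renewer {@code om} has kind {@code OzoneToken}, the OM
     *       RPC address as service, and can be renewed;</li>
     *   <li>once the (1 s) max-lifetime has passed, renewal fails with
     *       {@code TOKEN_EXPIRED};</li>
     *   <li>renewal of a token issued to a different renewer fails with a
     *       "non-matching renewer" log line;</li>
     *   <li>a forged token (the first identifier with renewer and maxDate
     *       rewritten, paired with the second token's password) is not found in
     *       the OM's cache and is refused.</li>
     * </ul>
     * Timing note: expiry relies on {@code Thread.sleep(1000)} matching the
     * configured max-lifetime of 1000 ms.
     */
    @Test
    public void testDelegationTokenRenewal() throws Exception {
        GenericTestUtils.setLogLevel(LoggerFactory.getLogger(Server.class.getName()), Level.INFO);
        GenericTestUtils.LogCapturer omLogs = GenericTestUtils.LogCapturer.captureLogs(OzoneManager.getLogger());
        OzoneConfiguration omConf = new OzoneConfiguration(conf);
        omConf.setLong("ozone.manager.delegation.token.max-lifetime", 1000);
        setupOm(omConf);
        try {
            om.setCertClient(new CertificateClientTestImpl(conf));
            om.start();
            omClient = new OzoneManagerProtocolClientSideTranslatorPB(
                    OmTransportFactory.create(conf, UserGroupInformation.getCurrentUser(), null),
                    RandomStringUtils.randomAscii(5));

            Token<OzoneTokenIdentifier> token = omClient.getDelegationToken(new Text("om"));
            Assert.assertNotNull(token);
            Assert.assertEquals("OzoneToken", token.getKind().toString());
            Assert.assertEquals(OmUtils.getOmRpcAddress(conf), token.getService().toString());
            Assert.assertTrue(omClient.renewDelegationToken(token) > 0);

            // Wait past max-lifetime; renewal must now be refused as expired.
            omLogs.clearOutput();
            Thread.sleep(1000);
            OMException expired = LambdaTestUtils.intercept(OMException.class, "TOKEN_EXPIRED",
                    () -> omClient.renewDelegationToken(token));
            Assert.assertEquals(OMException.ResultCodes.TOKEN_EXPIRED, expired.getResult());

            // A token issued to another renewer cannot be renewed here.
            omLogs.clearOutput();
            Token<OzoneTokenIdentifier> otherRenewerToken = omClient.getDelegationToken(new Text("randomService"));
            Assert.assertNotNull(otherRenewerToken);
            LambdaTestUtils.intercept(OMException.class, "Delegation token renewal failed",
                    () -> omClient.renewDelegationToken(otherRenewerToken));
            Assert.assertTrue(omLogs.getOutput().contains(" with non-matching renewer randomService"));

            // Forgery: rewrite the first identifier's renewer/maxDate and attach the
            // second token's password. The OM must not accept it.
            omLogs.clearOutput();
            OzoneTokenIdentifier forgedId = OzoneTokenIdentifier.readProtoBuf(token.getIdentifier());
            forgedId.setRenewer(new Text("om"));
            forgedId.setMaxDate(System.currentTimeMillis() * 2);
            Token<OzoneTokenIdentifier> forgedToken = new Token<>(forgedId.getBytes(),
                    otherRenewerToken.getPassword(), otherRenewerToken.getKind(), otherRenewerToken.getService());
            LambdaTestUtils.intercept(OMException.class, "Delegation token renewal failed",
                    () -> omClient.renewDelegationToken(forgedToken));
            Assert.assertTrue(omLogs.getOutput().contains("can't be found in cache"));
        } finally {
            om.stop();
            om.join();
        }
    }

    /**
     * Initialises OM storage with fixed cluster/SCM ids and
     * {@link #OM_CERT_SERIAL_ID}, then creates (but does not start) the OM.
     *
     * <p>Note these ids are not the ones {@link #initSCM()} generates; tests that
     * need OM storage to match the running SCM use
     * {@link #initializeOmStorage(OMStorage)} instead.
     *
     * @param omConf configuration the OM is created from
     */
    private void setupOm(OzoneConfiguration omConf) throws Exception {
        OMStorage omStorage = new OMStorage(omConf);
        omStorage.setClusterId("testClusterId");
        omStorage.setScmId("testScmId");
        omStorage.setOmCertSerialId(OM_CERT_SERIAL_ID);
        omStorage.initialize();
        OzoneManager.setTestSecureOmFlag(true);
        om = OzoneManager.createOm(omConf);
    }

    /**
     * S3 secret handling: repeated calls for the same user return the same
     * access key and secret, and the caller cannot fetch a different user's
     * secret ({@code USER_MISMATCH}) — even though the current user is listed in
     * {@code ozone.administrators} by {@link #setSecureConfig()}.
     */
    @Test
    public void testGetS3Secret() throws Exception {
        setupOm(conf);
        try {
            om.setCertClient(new CertificateClientTestImpl(conf));
            om.start();
            UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
            String userName = currentUser.getUserName();
            omClient = new OzoneManagerProtocolClientSideTranslatorPB(
                    OmTransportFactory.create(conf, currentUser, null), RandomStringUtils.randomAscii(5));
            S3SecretValue first = omClient.getS3Secret(userName);
            S3SecretValue second = omClient.getS3Secret(userName);
            Assert.assertEquals(first.getAwsSecret(), second.getAwsSecret());
            Assert.assertEquals(first.getAwsAccessKey(), second.getAwsAccessKey());
            try {
                omClient.getS3Secret("HADOOP/JOHNDOE");
                Assert.fail("testGetS3Secret failed");
            } catch (IOException e) {
                GenericTestUtils.assertExceptionContains("USER_MISMATCH", e);
            }
        } finally {
            IOUtils.closeQuietly(om);
        }
    }

    /**
     * An OM first created with security disabled has no certificate client and
     * never enrols with the SCM; re-running {@code omInit} with security
     * enabled then obtains and stores an SCM-signed certificate, and the OM
     * created afterwards has a full key pair and certificate.
     *
     * <p>The OM is given the SCM's principal and keytab here
     * (NOTE(review): the reason is not visible in this file — confirm it is
     * required and not masking an OM-principal issue).
     */
    @Test
    public void testSecureOmReInit() throws Exception {
        GenericTestUtils.LogCapturer omLogs = GenericTestUtils.LogCapturer.captureLogs(OzoneManager.getLogger());
        omLogs.clearOutput();
        conf.set("ozone.om.kerberos.principal", "scm/" + host + "@" + miniKdc.getRealm());
        omKeyTab = scmKeytab;
        conf.set("ozone.om.kerberos.keytab.file", omKeyTab.getAbsolutePath());
        initSCM();
        try {
            scm = HddsTestUtils.getScm(conf);
            scm.start();

            conf.setBoolean("ozone.security.enabled", false);
            initializeOmStorage(new OMStorage(conf));
            OzoneManager.setTestSecureOmFlag(true);
            om = OzoneManager.createOm(conf);
            Assert.assertNull(om.getCertificateClient());
            Assert.assertFalse(omLogs.getOutput().contains("Init response: GETCERT"));
            Assert.assertFalse(omLogs.getOutput().contains("Successfully stored SCM signed certificate"));

            conf.setBoolean("ozone.security.enabled", true);
            OzoneManager.omInit(conf);
            om.stop();
            om = OzoneManager.createOm(conf);
            Assert.assertNotNull(om.getCertificateClient());
            Assert.assertNotNull(om.getCertificateClient().getPublicKey());
            Assert.assertNotNull(om.getCertificateClient().getPrivateKey());
            Assert.assertNotNull(om.getCertificateClient().getCertificate());
            Assert.assertTrue(omLogs.getOutput().contains("Init response: GETCERT"));
            Assert.assertTrue(omLogs.getOutput().contains("Successfully stored SCM signed certificate"));
            validateCertificate(om.getCertificateClient().getCertificate());
        } finally {
            if (scm != null) {
                scm.stop();
            }
        }
    }

    /**
     * Secure OM initialisation against a running SCM: the OM requests a
     * certificate (GETCERT), stores it, ends up with a key pair and
     * certificate that pass {@link #validateCertificate}, and can fetch the
     * SCM's CA certificate by serial number, which equals the one the SCM
     * security server reports.
     */
    @Test
    public void testSecureOmInitSuccess() throws Exception {
        GenericTestUtils.LogCapturer omLogs = GenericTestUtils.LogCapturer.captureLogs(OzoneManager.getLogger());
        omLogs.clearOutput();
        initSCM();
        try {
            scm = HddsTestUtils.getScm(conf);
            scm.start();
            initializeOmStorage(new OMStorage(conf));
            OzoneManager.setTestSecureOmFlag(true);
            om = OzoneManager.createOm(conf);
            Assert.assertNotNull(om.getCertificateClient());
            Assert.assertNotNull(om.getCertificateClient().getPublicKey());
            Assert.assertNotNull(om.getCertificateClient().getPrivateKey());
            Assert.assertNotNull(om.getCertificateClient().getCertificate());
            Assert.assertTrue(omLogs.getOutput().contains("Init response: GETCERT"));
            Assert.assertTrue(omLogs.getOutput().contains("Successfully stored SCM signed certificate"));
            validateCertificate(om.getCertificateClient().getCertificate());
            X509Certificate caCert = CertificateCodec.getX509Cert(scm.getSecurityProtocolServer().getCACertificate());
            Assert.assertEquals(caCert, om.getCertificateClient().getCertificate(caCert.getSerialNumber().toString()));
        } finally {
            if (scm != null) {
                scm.stop();
            }
            IOUtils.closeQuietly(om);
        }
    }

    /**
     * Checks an OM certificate issued by the SCM CA: the issuer CN is
     * {@code scm@<hostname>}, subject and issuer both carry the SCM and cluster
     * ids, validity ends between 1 and 400 days from today, and the public key
     * is byte-for-byte the one held by the OM's certificate client.
     *
     * @param cert the OM's certificate
     */
    public void validateCertificate(X509Certificate cert) throws Exception {
        RDN issuerCn = new JcaX509CertificateHolder(cert).getIssuer().getRDNs(BCStyle.CN)[0];
        String expectedCaCn = "scm@" + InetAddress.getLocalHost().getHostName();
        Assert.assertEquals(expectedCaCn, issuerCn.getFirst().getValue().toString());
        LocalDate today = LocalDate.now();
        Assert.assertTrue(cert.getNotAfter().after(Date.valueOf(today.plusDays(1))));
        Assert.assertTrue(cert.getNotAfter().before(Date.valueOf(today.plusDays(400))));
        String subject = cert.getSubjectDN().toString();
        String issuer = cert.getIssuerDN().toString();
        Assert.assertTrue(subject.contains(scmId));
        Assert.assertTrue(subject.contains(clusterId));
        Assert.assertTrue(issuer.contains(expectedCaCn));
        Assert.assertTrue(issuer.contains(scmId));
        Assert.assertTrue(issuer.contains(clusterId));
        // Compare the encoded SubjectPublicKeyInfo rather than provider-specific toString() output.
        Assert.assertArrayEquals(cert.getPublicKey().getEncoded(),
                om.getCertificateClient().getPublicKey().getEncoded());
    }

    /**
     * Initialises OM storage with the ids generated by {@link #initSCM()}, unless
     * it is already initialised. When security is enabled in {@link #conf}, the
     * OM security bootstrap runs first so the certificate is in place before the
     * storage is marked initialised.
     *
     * @param omStorage storage to initialise
     */
    private void initializeOmStorage(OMStorage omStorage) throws IOException {
        if (omStorage.getState() == Storage.StorageState.INITIALIZED) {
            return;
        }
        omStorage.setClusterId(clusterId);
        omStorage.setScmId(scmId);
        omStorage.setOmId(omId);
        if (OzoneSecurityUtil.isSecurityEnabled(conf)) {
            OzoneManager.initializeSecurity(conf, omStorage);
        }
        omStorage.initialize();
    }
}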
