package org.apache.hadoop.ozone.security;

import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.EnumSet;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.hdds.protocol.datanode.proto.ContainerProtos;
import org.apache.hadoop.hdds.protocol.proto.HddsProtos;
import org.apache.hadoop.hdds.security.token.BlockTokenException;
import org.apache.hadoop.hdds.security.token.BlockTokenVerifier;
import org.apache.hadoop.hdds.security.token.OzoneBlockTokenIdentifier;
import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.hdds.security.x509.certificate.client.OMCertificateClient;
import org.apache.hadoop.hdds.security.x509.exceptions.CertificateException;
import org.apache.hadoop.security.ssl.KeyStoreTestUtil;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.test.GenericTestUtils;
import org.apache.hadoop.test.LambdaTestUtils;
import org.apache.hadoop.util.Time;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;

/* loaded from: input_file:org/apache/hadoop/ozone/security/TestOzoneBlockTokenSecretManager.class */
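public class TestOzoneBlockTokenSecretManager {
    /**
     * Offset added to {@link Time#monotonicNow()} / {@link Time#now()} when
     * building expiry values for this suite. Hadoop's {@code Time} clocks are
     * millisecond-based, so 86400 is roughly 86 seconds, not the one day the
     * literal suggests. Kept as-is because every token here is verified right
     * after it is issued. TODO(review): confirm whether 86_400_000 was intended.
     */
    private static final long EXPIRY_OFFSET = 86400;
    private static final String BASEDIR = GenericTestUtils.getTempPath(TestOzoneBlockTokenSecretManager.class.getSimpleName());

    private OzoneBlockTokenSecretManager secretManager;
    private KeyPair keyPair;
    private X509Certificate x509Certificate;
    private long expiryTime;
    private String omCertSerialId;
    private CertificateClient client;
    private BlockTokenVerifier tokenVerifier;

    /**
     * Builds a self-signed OM certificate plus key pair, wires a stub
     * certificate client around them, and starts a secret manager and a
     * verifier that both trust that single certificate.
     */
    @Before
    public void setUp() throws Exception {
        OzoneConfiguration conf = new OzoneConfiguration();
        conf.set("ozone.metadata.dirs", BASEDIR);
        // Without this flag the verifier short-circuits and nothing below is exercised.
        conf.setBoolean("hdds.block.token.enabled", true);

        this.keyPair = KeyStoreTestUtil.generateKeyPair("RSA");
        this.expiryTime = Time.monotonicNow() + EXPIRY_OFFSET;
        SecurityConfig securityConfig = new SecurityConfig(conf);
        this.x509Certificate = KeyStoreTestUtil.generateCertificate("CN=OzoneMaster", this.keyPair, 30, "SHA256withRSA");
        // Tokens carry this serial so a verifier can look up the signing cert.
        this.omCertSerialId = this.x509Certificate.getSerialNumber().toString();

        this.secretManager = new OzoneBlockTokenSecretManager(securityConfig, this.expiryTime, this.omCertSerialId);
        this.client = getCertificateClient(securityConfig);
        this.client.init();
        this.secretManager.start(this.client);
        this.tokenVerifier = new BlockTokenVerifier(securityConfig, this.client);
    }

    /**
     * Stub client that hands out the test certificate and key pair regardless
     * of what is stored on disk, so signing and verification share one key.
     */
    private CertificateClient getCertificateClient(SecurityConfig securityConfig) throws Exception {
        return new OMCertificateClient(securityConfig) {
            @Override
            public X509Certificate getCertificate() {
                return TestOzoneBlockTokenSecretManager.this.x509Certificate;
            }

            @Override
            public X509Certificate getCertificate(String certSerialId) throws CertificateException {
                // Every serial resolves to the one test cert; serial mismatches are not exercised here.
                return TestOzoneBlockTokenSecretManager.this.x509Certificate;
            }

            @Override
            public PrivateKey getPrivateKey() {
                return TestOzoneBlockTokenSecretManager.this.keyPair.getPrivate();
            }

            @Override
            public PublicKey getPublicKey() {
                return TestOzoneBlockTokenSecretManager.this.keyPair.getPublic();
            }
        };
    }

    @After
    public void tearDown() throws Exception {
        this.secretManager = null;
    }

    /** Fresh, mutable set of every access mode (EnumSet is mutable, so never share one). */
    private static EnumSet<HddsProtos.BlockTokenSecretProto.AccessModeProto> allModes() {
        return EnumSet.allOf(HddsProtos.BlockTokenSecretProto.AccessModeProto.class);
    }

    /** Decodes the identifier bytes carried by a token back into a typed identifier. */
    private static OzoneBlockTokenIdentifier decode(Token<?> token) throws Exception {
        return OzoneBlockTokenIdentifier.readFieldsProtobuf(new DataInputStream(new ByteArrayInputStream(token.getIdentifier())));
    }

    /** A generated token must round-trip its fields and carry a valid signature over its identifier. */
    @Test
    public void testGenerateToken() throws Exception {
        Token<OzoneBlockTokenIdentifier> token = this.secretManager.generateToken("101", allModes(), 100L);
        OzoneBlockTokenIdentifier id = decode(token);

        Assert.assertEquals("101", id.getBlockId());
        Assert.assertEquals(allModes(), id.getAccessModes());
        Assert.assertEquals(this.omCertSerialId, id.getOmCertSerialId());
        assertValidSignature(token.getPassword(), token.getIdentifier());
    }

    /** createIdentifier/createPassword must agree with generateToken on content and signature. */
    @Test
    public void testCreateIdentifierSuccess() throws Exception {
        OzoneBlockTokenIdentifier id = this.secretManager.createIdentifier("testUser", "101", allModes(), 100L);

        Assert.assertEquals("testUser", id.getOwnerId());
        Assert.assertEquals("101", id.getBlockId());
        Assert.assertEquals(allModes(), id.getAccessModes());
        Assert.assertEquals(this.omCertSerialId, id.getOmCertSerialId());
        assertValidSignature(this.secretManager.createPassword(id), id.getBytes());
    }

    /**
     * Asserts that {@code signature} verifies over {@code signedData} under the
     * OM public key with the secret manager's default signature algorithm.
     * The token "password" is this signature, not a hash.
     */
    private void assertValidSignature(byte[] signature, byte[] signedData) throws Exception {
        Signature verifier = Signature.getInstance(this.secretManager.getDefaultSignatureAlgorithm());
        verifier.initVerify(this.client.getPublicKey());
        verifier.update(signedData);
        Assert.assertTrue("signature must verify over the signed bytes", verifier.verify(signature));
    }

    /** Negative counterpart: the same signature must not verify over different data. */
    private void assertInvalidSignature(byte[] signature, byte[] otherData) throws Exception {
        Signature verifier = Signature.getInstance(this.secretManager.getDefaultSignatureAlgorithm());
        verifier.initVerify(this.client.getPublicKey());
        verifier.update(otherData);
        Assert.assertFalse("signature must not verify over other bytes", verifier.verify(signature));
    }

    /** A signature issued for one identifier must not be accepted for another (no signature reuse). */
    @Test
    public void testSignatureIsBoundToIdentifier() throws Exception {
        OzoneBlockTokenIdentifier id = this.secretManager.createIdentifier("testUser", "101", allModes(), 100L);
        OzoneBlockTokenIdentifier other = this.secretManager.createIdentifier("testUser", "202", allModes(), 100L);
        byte[] password = this.secretManager.createPassword(id);

        assertValidSignature(password, id.getBytes());
        assertInvalidSignature(password, other.getBytes());
    }

    @Test
    public void testCreateIdentifierFailure() throws Exception {
        LambdaTestUtils.intercept(SecurityException.class, "Ozone block token can't be created without owner and access mode information.", () -> {
            this.secretManager.createIdentifier();
        });
    }

    @Test
    public void testRenewToken() throws Exception {
        LambdaTestUtils.intercept(UnsupportedOperationException.class, "Renew token operation is not supported for ozone block tokens.", () -> {
            this.secretManager.renewToken((Token) null, (String) null);
        });
    }

    @Test
    public void testCancelToken() throws Exception {
        LambdaTestUtils.intercept(UnsupportedOperationException.class, "Cancel token operation is not supported for ozone block tokens.", () -> {
            this.secretManager.cancelToken((Token) null, (String) null);
        });
    }

    /** Signature verification is not the secret manager's job; it must refuse rather than silently pass. */
    @Test
    public void testVerifySignatureFailure() throws Exception {
        OzoneBlockTokenIdentifier id = new OzoneBlockTokenIdentifier("testUser", "4234", allModes(), Time.now() + EXPIRY_OFFSET, "123444", 1024L);
        LambdaTestUtils.intercept(UnsupportedOperationException.class, "operation is not supported for block tokens", () -> {
            return Boolean.valueOf(this.secretManager.verifySignature(id, this.client.signData(id.getBytes())));
        });
    }

    /**
     * End-to-end: a token issued for block 101 is accepted for 101, rejected
     * for any other block id, and CloseContainer is accepted with no token at all.
     */
    @Test
    public void testBlockTokenVerifier() throws Exception {
        Token<OzoneBlockTokenIdentifier> token = this.secretManager.generateToken("testUser", "101", allModes(), 100L);
        OzoneBlockTokenIdentifier id = decode(token);

        Assert.assertEquals("testUser", id.getOwnerId());
        Assert.assertEquals("101", id.getBlockId());
        Assert.assertEquals(allModes(), id.getAccessModes());
        Assert.assertEquals(this.omCertSerialId, id.getOmCertSerialId());
        assertValidSignature(token.getPassword(), id.getBytes());

        String encoded = token.encodeToUrlString();
        this.tokenVerifier.verify("testUser", encoded, ContainerProtos.Type.PutBlock, "101");

        // A token is bound to the block it was issued for.
        String otherBlock = "NotAllowedBlockID";
        LambdaTestUtils.intercept(BlockTokenException.class, "Token for block ID: 101 can't be used to access block: NotAllowedBlockID", () -> {
            this.tokenVerifier.verify("testUser", encoded, ContainerProtos.Type.PutBlock, otherBlock);
        });

        // CloseContainer is expected to pass without any token, user or block id.
        this.tokenVerifier.verify((String) null, (String) null, ContainerProtos.Type.CloseContainer, (String) null);
    }

    /**
     * The verifier must reject tokens whose signature does not match the
     * identifier: a flipped signature bit, and a valid signature spliced onto
     * an identifier for a different block. Both are intercepted by exception
     * type only, since the exact message is the verifier's business.
     */
    @Test
    public void testBlockTokenVerifierRejectsTamperedToken() throws Exception {
        Token<OzoneBlockTokenIdentifier> token = this.secretManager.generateToken("testUser", "101", allModes(), 100L);

        // Same identifier, one bit of the signature changed. Flipping the low bit
        // of the last byte keeps the value a well-formed RSA signature that simply fails.
        byte[] badPassword = token.getPassword().clone();
        badPassword[badPassword.length - 1] ^= 0x01;
        Token<OzoneBlockTokenIdentifier> badSig = new Token<>(token.getIdentifier(), badPassword, token.getKind(), token.getService());
        LambdaTestUtils.intercept(BlockTokenException.class, () -> {
            this.tokenVerifier.verify("testUser", badSig.encodeToUrlString(), ContainerProtos.Type.PutBlock, "101");
        });

        // Genuine signature for block 101 re-attached to an identifier for block 202,
        // presented for block 202 so that the block-id check alone cannot be what rejects it.
        OzoneBlockTokenIdentifier other = this.secretManager.createIdentifier("testUser", "202", allModes(), 100L);
        Token<OzoneBlockTokenIdentifier> spliced = new Token<>(other.getBytes(), token.getPassword(), token.getKind(), token.getService());
        LambdaTestUtils.intercept(BlockTokenException.class, () -> {
            this.tokenVerifier.verify("testUser", spliced.encodeToUrlString(), ContainerProtos.Type.PutBlock, "202");
        });
    }
}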
