package org.apache.kafka.common.security.ssl;

import java.io.File;
import java.nio.file.Files;
import java.security.KeyStore;
import java.security.Security;
import java.util.Arrays;
import java.util.Map;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import org.apache.kafka.common.KafkaException;
import org.apache.kafka.common.config.ConfigException;
import org.apache.kafka.common.config.types.Password;
import org.apache.kafka.common.network.Mode;
import org.apache.kafka.common.security.ssl.SslEngineBuilder;
import org.apache.kafka.common.security.ssl.SslFactory;
import org.apache.kafka.common.security.ssl.mock.TestProviderCreator;
import org.apache.kafka.common.utils.Utils;
import org.apache.kafka.test.TestSslUtils;
import org.apache.kafka.test.TestUtils;
import org.junit.Assert;
import org.junit.Test;

/* loaded from: input_file:org/apache/kafka/common/security/ssl/SslFactoryTest.class */
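/**
 * Tests for {@link SslFactory}: initial configuration, security-provider handling, dynamic
 * reconfiguration, and keystore/truststore validation.
 *
 * <p>Subclasses can override {@link #configureSslBuilderClass(Map)} and
 * {@link #enabledProtocols()} to run the same tests against a different engine builder.
 */
public class SslFactoryTest {
    /**
     * Selects the SSL engine builder implementation under test.
     *
     * @param map SSL config to mutate; {@code ssl.engine.builder.class} is set on it
     */
    protected void configureSslBuilderClass(Map<String, Object> map) {
        map.put("ssl.engine.builder.class", "org.apache.kafka.common.security.ssl.KafkaSslEngineBuilder");
    }

    /**
     * Returns the exact protocol set an engine created by the factory is expected to enable.
     *
     * @return the expected enabled protocols (only TLSv1.2 here)
     */
    protected Set<String> enabledProtocols() {
        return Utils.mkSet("TLSv1.2");
    }

    /**
     * A server-mode factory must produce a server-side engine whose enabled protocols are
     * exactly {@link #enabledProtocols()}.
     */
    @Test
    public void testSslFactoryConfiguration() throws Exception {
        Map<String, Object> serverConfig = TestSslUtils.createSslConfig(false, true, Mode.SERVER, newTempStoreFile("truststore"), "server");
        configureSslBuilderClass(serverConfig);
        SslFactory sslFactory = new SslFactory(Mode.SERVER);
        sslFactory.configure(serverConfig);
        SSLEngine engine = sslFactory.createSslEngine("localhost", 0);
        Assert.assertNotNull(engine);
        // Set equality (not containment): an extra, e.g. older, protocol on the engine fails the test.
        Assert.assertEquals(enabledProtocols(), Utils.mkSet(engine.getEnabledProtocols()));
        Assert.assertFalse(engine.getUseClientMode());
    }

    /**
     * Configuring with the test provider listed in {@code security.providers} and the
     * "TestAlgorithm" key/trust manager algorithms must yield an engine builder.
     */
    @Test
    public void testSslFactoryWithCustomKeyManagerConfiguration() {
        TestProviderCreator providerCreator = new TestProviderCreator();
        try {
            Map<String, Object> config = TestSslUtils.createSslConfig("TestAlgorithm", "TestAlgorithm");
            configureSslBuilderClass(config);
            config.put("security.providers", providerCreator.getClass().getName());
            SslFactory sslFactory = new SslFactory(Mode.SERVER);
            sslFactory.configure(config);
            Assert.assertNotNull("SslEngineBuilder not created", sslFactory.sslEngineBuilder());
        } finally {
            // The java.security.Security provider list is JVM-wide. Remove the test provider even
            // when configure() or the assertion fails, so it cannot leak into later tests.
            Security.removeProvider(providerCreator.getProvider().getName());
        }
    }

    /**
     * Using the "TestAlgorithm" algorithms without listing a provider in
     * {@code security.providers} must fail with a {@link KafkaException}.
     */
    @Test(expected = KafkaException.class)
    public void testSslFactoryWithoutProviderClassConfiguration() {
        new SslFactory(Mode.SERVER).configure(TestSslUtils.createSslConfig("TestAlgorithm", "TestAlgorithm"));
    }

    /**
     * Provider class names that cannot be loaded must fail configuration with a
     * {@link KafkaException}.
     */
    @Test(expected = KafkaException.class)
    public void testSslFactoryWithIncorrectProviderClassConfiguration() {
        Map<String, Object> config = TestSslUtils.createSslConfig("TestAlgorithm", "TestAlgorithm");
        config.put("security.providers", "com.fake.ProviderClass1,com.fake.ProviderClass2");
        new SslFactory(Mode.SERVER).configure(config);
    }

    /**
     * A truststore configured without {@code ssl.truststore.password} must still be accepted.
     */
    @Test
    public void testSslFactoryWithoutPasswordConfiguration() throws Exception {
        Map<String, Object> serverConfig = TestSslUtils.createSslConfig(false, true, Mode.SERVER, newTempStoreFile("truststore"), "server");
        configureSslBuilderClass(serverConfig);
        serverConfig.remove("ssl.truststore.password");
        try {
            new SslFactory(Mode.SERVER).configure(serverConfig);
        } catch (Exception e) {
            // Same message as Assert.fail would give, but keeps the cause and its stack trace.
            throw new AssertionError("An exception was thrown when configuring the truststore without a password: " + e, e);
        }
    }

    /**
     * A client-mode factory must produce engines that use client mode.
     */
    @Test
    public void testClientMode() throws Exception {
        Map<String, Object> clientConfig = TestSslUtils.createSslConfig(false, true, Mode.CLIENT, newTempStoreFile("truststore"), "client");
        configureSslBuilderClass(clientConfig);
        SslFactory sslFactory = new SslFactory(Mode.CLIENT);
        sslFactory.configure(clientConfig);
        Assert.assertTrue(sslFactory.createSslEngine("localhost", 0).getUseClientMode());
    }

    /**
     * Walks through the reconfiguration triggers: an unchanged config keeps the engine builder;
     * a new config, or a newer modification time on the truststore or keystore file, replaces
     * it; a deleted keystore leaves the previous builder in place.
     */
    @Test
    public void testReconfiguration() throws Exception {
        Map<String, Object> initialConfig = TestSslUtils.createSslConfig(false, true, Mode.SERVER, newTempStoreFile("truststore"), "server");
        configureSslBuilderClass(initialConfig);
        SslFactory sslFactory = new SslFactory(Mode.SERVER);
        sslFactory.configure(initialConfig);
        SslEngineBuilder builder = sslFactory.sslEngineBuilder();
        Assert.assertNotNull("SslEngineBuilder not created", builder);

        // Same config, untouched store files: nothing to rebuild.
        sslFactory.reconfigure(initialConfig);
        Assert.assertSame("SslEngineBuilder recreated unnecessarily", builder, sslFactory.sslEngineBuilder());

        // Freshly generated stores: the builder must be replaced.
        File trustStoreFile = newTempStoreFile("truststore");
        Map<String, Object> updatedConfig = TestSslUtils.createSslConfig(false, true, Mode.SERVER, trustStoreFile, "server");
        configureSslBuilderClass(updatedConfig);
        sslFactory.reconfigure(updatedConfig);
        Assert.assertNotSame("SslEngineBuilder not recreated", builder, sslFactory.sslEngineBuilder());
        builder = sslFactory.sslEngineBuilder();

        // Same config, truststore file touched.
        trustStoreFile.setLastModified(System.currentTimeMillis() + 10000);
        sslFactory.reconfigure(updatedConfig);
        Assert.assertNotSame("SslEngineBuilder not recreated", builder, sslFactory.sslEngineBuilder());
        builder = sslFactory.sslEngineBuilder();

        // Same config, keystore file touched.
        File keyStoreFile = new File((String) updatedConfig.get("ssl.keystore.location"));
        keyStoreFile.setLastModified(System.currentTimeMillis() + 10000);
        sslFactory.reconfigure(updatedConfig);
        Assert.assertNotSame("SslEngineBuilder not recreated", builder, sslFactory.sslEngineBuilder());
        builder = sslFactory.sslEngineBuilder();

        // Keystore touched again; validateReconfiguration() running first must not stop the
        // following reconfigure() from picking up the change.
        keyStoreFile.setLastModified(System.currentTimeMillis() + TestUtils.DEFAULT_MAX_WAIT_MS);
        sslFactory.validateReconfiguration(updatedConfig);
        sslFactory.reconfigure(updatedConfig);
        Assert.assertNotSame("SslEngineBuilder not recreated", builder, sslFactory.sslEngineBuilder());
        builder = sslFactory.sslEngineBuilder();

        // Keystore removed from disk: reconfigure() must keep the last working builder rather
        // than replace it.
        keyStoreFile.setLastModified(System.currentTimeMillis() + 20000);
        Files.delete(keyStoreFile.toPath());
        sslFactory.reconfigure(updatedConfig);
        Assert.assertSame("SslEngineBuilder recreated unnecessarily", builder, sslFactory.sslEngineBuilder());
    }

    /**
     * A factory configured without a truststore must reject a reconfiguration that introduces
     * one: trust anchors cannot be added to such a listener dynamically.
     */
    @Test
    public void testReconfigurationWithoutTruststore() throws Exception {
        File trustStoreFile = newTempStoreFile("truststore");
        Map<String, Object> initialConfig = TestSslUtils.createSslConfig(false, true, Mode.SERVER, trustStoreFile, "server");
        configureSslBuilderClass(initialConfig);
        initialConfig.remove("ssl.truststore.location");
        initialConfig.remove("ssl.truststore.password");
        initialConfig.remove("ssl.truststore.type");
        SslFactory sslFactory = new SslFactory(Mode.SERVER);
        sslFactory.configure(initialConfig);
        SSLContext sslContext = sslFactory.sslEngineBuilder().sslContext();
        Assert.assertNotNull("SSL context not created", sslContext);
        Assert.assertSame("SSL context recreated unnecessarily", sslContext, sslFactory.sslEngineBuilder().sslContext());
        Assert.assertFalse(sslFactory.createSslEngine("localhost", 0).getUseClientMode());

        Map<String, Object> configWithTruststore = TestSslUtils.createSslConfig(false, true, Mode.SERVER, trustStoreFile, "server");
        configureSslBuilderClass(configWithTruststore);
        try {
            sslFactory.validateReconfiguration(configWithTruststore);
            Assert.fail("Truststore configured dynamically for listener without previous truststore");
        } catch (ConfigException expected) {
            // Expected: validation rejects the newly introduced truststore.
        }
    }

    /**
     * A factory configured without a keystore may be reconfigured with another keystore-less
     * config, but must reject a reconfiguration that introduces a keystore.
     */
    @Test
    public void testReconfigurationWithoutKeystore() throws Exception {
        Map<String, Object> initialConfig = TestSslUtils.createSslConfig(false, true, Mode.SERVER, newTempStoreFile("truststore"), "server");
        configureSslBuilderClass(initialConfig);
        initialConfig.remove("ssl.keystore.location");
        initialConfig.remove("ssl.keystore.password");
        initialConfig.remove("ssl.keystore.type");
        SslFactory sslFactory = new SslFactory(Mode.SERVER);
        sslFactory.configure(initialConfig);
        SSLContext sslContext = sslFactory.sslEngineBuilder().sslContext();
        Assert.assertNotNull("SSL context not created", sslContext);
        Assert.assertSame("SSL context recreated unnecessarily", sslContext, sslFactory.sslEngineBuilder().sslContext());
        Assert.assertFalse(sslFactory.createSslEngine("localhost", 0).getUseClientMode());

        // New truststore, still no keystore: the context is rebuilt.
        File newTrustStoreFile = newTempStoreFile("truststore");
        Map<String, Object> keystorelessConfig = TestSslUtils.createSslConfig(false, true, Mode.SERVER, newTrustStoreFile, "server");
        configureSslBuilderClass(keystorelessConfig);
        keystorelessConfig.remove("ssl.keystore.location");
        keystorelessConfig.remove("ssl.keystore.password");
        keystorelessConfig.remove("ssl.keystore.type");
        sslFactory.reconfigure(keystorelessConfig);
        Assert.assertNotSame("SSL context not recreated", sslContext, sslFactory.sslEngineBuilder().sslContext());

        Map<String, Object> configWithKeystore = TestSslUtils.createSslConfig(false, true, Mode.SERVER, newTrustStoreFile, "server");
        configureSslBuilderClass(configWithKeystore);
        try {
            sslFactory.validateReconfiguration(configWithKeystore);
            Assert.fail("Keystore configured dynamically for listener without previous keystore");
        } catch (ConfigException expected) {
            // Expected: validation rejects the newly introduced keystore.
        }
    }

    /**
     * A keystore and truststore generated together must pass configuration.
     */
    @Test
    public void testKeyStoreTrustStoreValidation() throws Exception {
        Map<String, Object> serverConfig = TestSslUtils.createSslConfig(false, true, Mode.SERVER, newTempStoreFile("truststore"), "server");
        configureSslBuilderClass(serverConfig);
        SslFactory sslFactory = new SslFactory(Mode.SERVER);
        sslFactory.configure(serverConfig);
        Assert.assertNotNull("SslEngineBuilder not created", sslFactory.sslEngineBuilder());
    }

    /**
     * Pairing the keystore of one generated config with the truststore settings of another
     * must fail configuration with a {@link ConfigException}.
     */
    @Test
    public void testUntrustedKeyStoreValidationFails() throws Exception {
        File trustStoreFile1 = newTempStoreFile("truststore1");
        File trustStoreFile2 = newTempStoreFile("truststore2");
        Map<String, Object> mixedConfig = TestSslUtils.createSslConfig(false, true, Mode.SERVER, trustStoreFile1, "server");
        configureSslBuilderClass(mixedConfig);
        Map<String, Object> otherConfig = TestSslUtils.createSslConfig(false, true, Mode.SERVER, trustStoreFile2, "server");
        configureSslBuilderClass(otherConfig);
        // NOTE(review): the third constructor argument presumably turns on verification of the
        // keystore against the truststore - confirm against SslFactory.
        SslFactory sslFactory = new SslFactory(Mode.SERVER, (String) null, true);
        // Keep the first config's keystore but swap in the second config's truststore settings.
        for (String key : Arrays.asList("ssl.truststore.location", "ssl.truststore.password", "ssl.truststore.type", "ssl.trustmanager.algorithm")) {
            mixedConfig.put(key, otherConfig.get(key));
        }
        try {
            sslFactory.configure(mixedConfig);
            Assert.fail("Validation did not fail with untrusted truststore");
        } catch (ConfigException expected) {
            // Expected: the mismatched keystore/truststore pair is rejected.
        }
    }

    /**
     * After configuring with one generated keystore/truststore pair, validating a
     * reconfiguration to a second, independently generated pair must fail.
     */
    @Test
    public void testKeystoreVerifiableUsingTruststore() throws Exception {
        Map<String, Object> initialConfig = TestSslUtils.createSslConfig(false, true, Mode.SERVER, newTempStoreFile("truststore1"), "server");
        configureSslBuilderClass(initialConfig);
        SslFactory sslFactory = new SslFactory(Mode.SERVER, (String) null, true);
        sslFactory.configure(initialConfig);
        Map<String, Object> replacementConfig = TestSslUtils.createSslConfig(false, true, Mode.SERVER, newTempStoreFile("truststore2"), "server");
        configureSslBuilderClass(replacementConfig);
        try {
            // NOTE(review): presumably rejected because the new keystore is checked against the
            // truststore already held by the factory, not only the new one - confirm in SslFactory.
            sslFactory.validateReconfiguration(replacementConfig);
            Assert.fail("ValidateReconfiguration did not fail as expected");
        } catch (ConfigException expected) {
            // Expected: swapping both stores at once is rejected.
        }
    }

    /**
     * {@code SslFactory.CertificateEntries} built from keystores must compare equal when the
     * certificates match, even with an extra alias for the same certificate, and unequal when
     * the keystore was generated with a different last argument ("Another CN").
     */
    @Test
    public void testCertificateEntriesValidation() throws Exception {
        Map<String, Object> serverConfig = TestSslUtils.createSslConfig(false, true, Mode.SERVER, newTempStoreFile("truststore"), "server");
        configureSslBuilderClass(serverConfig);
        Map<String, Object> otherCnConfig = TestSslUtils.createSslConfig(false, true, Mode.SERVER, newTempStoreFile("truststore"), "server", "Another CN");
        configureSslBuilderClass(otherCnConfig);
        KeyStore first = sslKeyStore(serverConfig).load();
        KeyStore second = sslKeyStore(serverConfig).load();
        Assert.assertEquals(SslFactory.CertificateEntries.create(first), SslFactory.CertificateEntries.create(second));

        // Re-adding the same certificate under a different alias must not change the comparison.
        second.setCertificateEntry("another", first.getCertificate("localhost"));
        Assert.assertEquals(SslFactory.CertificateEntries.create(first), SslFactory.CertificateEntries.create(second));

        KeyStore otherCn = sslKeyStore(otherCnConfig).load();
        Assert.assertNotEquals(SslFactory.CertificateEntries.create(first), SslFactory.CertificateEntries.create(otherCn));
    }

    /**
     * Creates an empty {@code .jks} temp file for a generated store and registers it for
     * deletion at JVM exit, so test runs do not leave store files in the shared temp directory.
     *
     * @param prefix file-name prefix passed to {@link File#createTempFile(String, String)}
     * @return the new temp file
     */
    private static File newTempStoreFile(String prefix) throws java.io.IOException {
        File storeFile = File.createTempFile(prefix, ".jks");
        storeFile.deleteOnExit();
        return storeFile;
    }

    /**
     * Builds a {@code SecurityStore} from the {@code ssl.keystore.*} and
     * {@code ssl.key.password} entries of the given config.
     */
    private SslEngineBuilder.SecurityStore sslKeyStore(Map<String, Object> map) {
        String type = (String) map.get("ssl.keystore.type");
        String location = (String) map.get("ssl.keystore.location");
        Password storePassword = (Password) map.get("ssl.keystore.password");
        Password keyPassword = (Password) map.get("ssl.key.password");
        return new SslEngineBuilder.SecurityStore(type, location, storePassword, keyPassword);
    }

    /**
     * Builds a {@code SecurityStore} from the {@code ssl.truststore.*} entries of the given
     * config; no key password is passed. Not called by any test in this class.
     */
    private SslEngineBuilder.SecurityStore sslTrustStore(Map<String, Object> map) {
        String type = (String) map.get("ssl.truststore.type");
        String location = (String) map.get("ssl.truststore.location");
        Password storePassword = (Password) map.get("ssl.truststore.password");
        return new SslEngineBuilder.SecurityStore(type, location, storePassword, (Password) null);
    }
}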
