package org.apache.kafka.common.security.ssl;

import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Map;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import org.apache.kafka.common.KafkaException;
import org.apache.kafka.common.config.ConfigException;
import org.apache.kafka.common.config.types.Password;
import org.apache.kafka.common.network.Mode;
import org.apache.kafka.common.security.auth.SslEngineFactory;
import org.apache.kafka.common.security.ssl.DefaultSslEngineFactory;
import org.apache.kafka.common.security.ssl.SslFactory;
import org.apache.kafka.common.security.ssl.mock.TestProviderCreator;
import org.apache.kafka.common.utils.Java;
import org.apache.kafka.common.utils.Utils;
import org.apache.kafka.test.TestSslUtils;
import org.apache.kafka.test.TestUtils;
import org.junit.Assert;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.Parameterized;

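/**
 * Tests for {@link SslFactory}: initial configuration, dynamic reconfiguration, keystore and
 * truststore validation, and selection of a pluggable {@link SslEngineFactory}.
 *
 * <p>Every test runs once per TLS protocol returned by {@link #data()}.
 */
@RunWith(Parameterized.class)
public class SslFactoryTest {
    final String tlsProtocol;

    /**
     * Supplies the TLS protocol versions the suite is run against.
     *
     * @return one single-element row per protocol; "TLSv1.3" is included only when
     *     {@code Java.IS_JAVA11_COMPATIBLE} is true
     */
    @Parameterized.Parameters(name = "tlsProtocol={0}")
    public static Collection<Object[]> data() {
        // Typed collection instead of the raw ArrayList of the original listing.
        Collection<Object[]> protocols = new ArrayList<>();
        protocols.add(new Object[]{"TLSv1.2"});
        if (Java.IS_JAVA11_COMPATIBLE) {
            protocols.add(new Object[]{"TLSv1.3"});
        }
        return protocols;
    }

    /**
     * @param str the TLS protocol name this parameterized instance is run with
     */
    public SslFactoryTest(String str) {
        this.tlsProtocol = str;
    }

    /**
     * Selects the engine factory implementation under test. Protected so that a subclass can
     * substitute another implementation.
     *
     * @param map the SSL configuration to modify in place
     */
    protected void configureSslBuilderClass(Map<String, Object> map) {
        map.put("ssl.engine.factory.class", DefaultSslEngineFactory.class);
    }

    /**
     * A server-mode factory must produce an engine that enables exactly the configured protocol
     * and is not in client mode.
     */
    @Test
    public void testSslFactoryConfiguration() throws Exception {
        Map<String, Object> serverConfig = sslConfigsBuilder(Mode.SERVER).createNewTrustStore(newStoreFile("truststore")).build();
        configureSslBuilderClass(serverConfig);
        SslFactory sslFactory = new SslFactory(Mode.SERVER);
        sslFactory.configure(serverConfig);
        SSLEngine engine = sslFactory.createSslEngine("localhost", 0);
        Assert.assertNotNull(engine);
        // Set equality: no protocol other than the configured one may be enabled.
        Assert.assertEquals(Utils.mkSet(new String[]{this.tlsProtocol}), Utils.mkSet(engine.getEnabledProtocols()));
        Assert.assertFalse(engine.getUseClientMode());
    }

    /**
     * Configuring with the "TestAlgorithm" key/trust manager algorithms succeeds when the test
     * provider creator is listed under "security.providers".
     */
    @Test
    public void testSslFactoryWithCustomKeyManagerConfiguration() {
        TestProviderCreator testProviderCreator = new TestProviderCreator();
        Map<String, Object> sslConfig = TestSslUtils.createSslConfig("TestAlgorithm", "TestAlgorithm", this.tlsProtocol);
        configureSslBuilderClass(sslConfig);
        sslConfig.put("security.providers", testProviderCreator.getClass().getName());
        SslFactory sslFactory = new SslFactory(Mode.SERVER);
        try {
            sslFactory.configure(sslConfig);
            Assert.assertNotNull("SslEngineFactory not created", sslFactory.sslEngineFactory());
        } finally {
            // Security providers are JVM-global state. Remove the test provider even when the
            // test fails, so it cannot leak into tests that run later in the same JVM.
            Security.removeProvider(testProviderCreator.getProvider().getName());
        }
    }

    /**
     * Without a "security.providers" entry, configuring with "TestAlgorithm" must fail.
     */
    @Test(expected = KafkaException.class)
    public void testSslFactoryWithoutProviderClassConfiguration() {
        new SslFactory(Mode.SERVER).configure(TestSslUtils.createSslConfig("TestAlgorithm", "TestAlgorithm", this.tlsProtocol));
    }

    /**
     * Provider class names that cannot be resolved must make configuration fail.
     */
    @Test(expected = KafkaException.class)
    public void testSslFactoryWithIncorrectProviderClassConfiguration() {
        Map<String, Object> sslConfig = TestSslUtils.createSslConfig("TestAlgorithm", "TestAlgorithm", this.tlsProtocol);
        sslConfig.put("security.providers", "com.fake.ProviderClass1,com.fake.ProviderClass2");
        new SslFactory(Mode.SERVER).configure(sslConfig);
    }

    /**
     * A truststore configured without "ssl.truststore.password" must still be accepted.
     */
    @Test
    public void testSslFactoryWithoutPasswordConfiguration() throws Exception {
        Map<String, Object> serverConfig = sslConfigsBuilder(Mode.SERVER).createNewTrustStore(newStoreFile("truststore")).build();
        configureSslBuilderClass(serverConfig);
        serverConfig.remove("ssl.truststore.password");
        try {
            new SslFactory(Mode.SERVER).configure(serverConfig);
        } catch (Exception e) {
            // Keep the original failure message, but attach the cause so its stack trace is not lost.
            throw new AssertionError("An exception was thrown when configuring the truststore without a password: " + e, e);
        }
    }

    /**
     * A client-mode factory must produce engines that are in client mode.
     */
    @Test
    public void testClientMode() throws Exception {
        Map<String, Object> clientConfig = sslConfigsBuilder(Mode.CLIENT).createNewTrustStore(newStoreFile("truststore")).useClientCert(false).build();
        configureSslBuilderClass(clientConfig);
        SslFactory sslFactory = new SslFactory(Mode.CLIENT);
        sslFactory.configure(clientConfig);
        Assert.assertTrue(sslFactory.createSslEngine("localhost", 0).getUseClientMode());
    }

    /**
     * When reconfiguration replaces the engine factory, the previous factory must be closed.
     */
    @Test
    public void staleSslEngineFactoryShouldBeClosed() throws IOException, GeneralSecurityException {
        Map<String, Object> initialConfig = sslConfigsBuilder(Mode.SERVER).createNewTrustStore(newStoreFile("truststore")).useClientCert(false).build();
        initialConfig.put("ssl.engine.factory.class", TestSslUtils.TestSslEngineFactory.class);
        SslFactory sslFactory = new SslFactory(Mode.SERVER);
        sslFactory.configure(initialConfig);
        TestSslUtils.TestSslEngineFactory staleFactory = (TestSslUtils.TestSslEngineFactory) sslFactory.sslEngineFactory();
        Assert.assertNotNull(staleFactory);
        Assert.assertFalse(staleFactory.closed);
        Map<String, Object> updatedConfig = sslConfigsBuilder(Mode.SERVER).createNewTrustStore(newStoreFile("truststore")).build();
        updatedConfig.put("ssl.engine.factory.class", TestSslUtils.TestSslEngineFactory.class);
        sslFactory.reconfigure(updatedConfig);
        Assert.assertNotEquals(staleFactory, (TestSslUtils.TestSslEngineFactory) sslFactory.sslEngineFactory());
        Assert.assertTrue(staleFactory.closed);
    }

    /**
     * Checks when {@code reconfigure} keeps the current engine factory and when it builds a new
     * one: unchanged configs keep it; a new truststore file or a changed modification time on
     * the truststore or keystore replaces it; a deleted keystore file keeps it.
     */
    @Test
    public void testReconfiguration() throws Exception {
        Map<String, Object> initialConfig = sslConfigsBuilder(Mode.SERVER).createNewTrustStore(newStoreFile("truststore")).build();
        configureSslBuilderClass(initialConfig);
        SslFactory sslFactory = new SslFactory(Mode.SERVER);
        sslFactory.configure(initialConfig);
        SslEngineFactory initialFactory = sslFactory.sslEngineFactory();
        Assert.assertNotNull("SslEngineFactory not created", initialFactory);

        // Identical configs: the existing factory is reused.
        sslFactory.reconfigure(initialConfig);
        Assert.assertSame("SslEngineFactory recreated unnecessarily", initialFactory, sslFactory.sslEngineFactory());

        // Configs built around a different truststore file: a new factory is expected.
        File trustStoreFile = newStoreFile("truststore");
        Map<String, Object> updatedConfig = sslConfigsBuilder(Mode.SERVER).createNewTrustStore(trustStoreFile).build();
        configureSslBuilderClass(updatedConfig);
        sslFactory.reconfigure(updatedConfig);
        Assert.assertNotSame("SslEngineFactory not recreated", initialFactory, sslFactory.sslEngineFactory());

        // Same configs, truststore modification time moved forward.
        SslEngineFactory afterNewTrustStore = sslFactory.sslEngineFactory();
        advanceLastModified(trustStoreFile, 10000);
        sslFactory.reconfigure(updatedConfig);
        Assert.assertNotSame("SslEngineFactory not recreated", afterNewTrustStore, sslFactory.sslEngineFactory());

        // Same configs, keystore modification time moved forward.
        SslEngineFactory afterTrustStoreTouch = sslFactory.sslEngineFactory();
        File keyStoreFile = new File((String) updatedConfig.get("ssl.keystore.location"));
        advanceLastModified(keyStoreFile, 10000);
        sslFactory.reconfigure(updatedConfig);
        Assert.assertNotSame("SslEngineFactory not recreated", afterTrustStoreTouch, sslFactory.sslEngineFactory());

        // Calling validateReconfiguration first must not prevent the later reconfigure from
        // replacing the factory.
        SslEngineFactory afterKeyStoreTouch = sslFactory.sslEngineFactory();
        advanceLastModified(keyStoreFile, TestUtils.DEFAULT_MAX_WAIT_MS);
        sslFactory.validateReconfiguration(updatedConfig);
        sslFactory.reconfigure(updatedConfig);
        Assert.assertNotSame("SslEngineFactory not recreated", afterKeyStoreTouch, sslFactory.sslEngineFactory());

        // Keystore file removed: the current factory must stay in place.
        SslEngineFactory afterValidation = sslFactory.sslEngineFactory();
        // Result deliberately not checked: the file is deleted on the next line.
        keyStoreFile.setLastModified(System.currentTimeMillis() + 20000);
        Files.delete(keyStoreFile.toPath());
        sslFactory.reconfigure(updatedConfig);
        Assert.assertSame("SslEngineFactory recreated unnecessarily", afterValidation, sslFactory.sslEngineFactory());
    }

    /**
     * A factory first configured without any truststore settings must reject a reconfiguration
     * that introduces a truststore.
     */
    @Test
    public void testReconfigurationWithoutTruststore() throws Exception {
        File trustStoreFile = newStoreFile("truststore");
        Map<String, Object> initialConfig = sslConfigsBuilder(Mode.SERVER).createNewTrustStore(trustStoreFile).build();
        configureSslBuilderClass(initialConfig);
        initialConfig.remove("ssl.truststore.location");
        initialConfig.remove("ssl.truststore.password");
        initialConfig.remove("ssl.truststore.type");
        SslFactory sslFactory = new SslFactory(Mode.SERVER);
        sslFactory.configure(initialConfig);
        SSLContext sslContext = sslFactory.sslEngineFactory().sslContext();
        Assert.assertNotNull("SSL context not created", sslContext);
        Assert.assertSame("SSL context recreated unnecessarily", sslContext, sslFactory.sslEngineFactory().sslContext());
        Assert.assertFalse(sslFactory.createSslEngine("localhost", 0).getUseClientMode());
        Map<String, Object> withTrustStore = sslConfigsBuilder(Mode.SERVER).createNewTrustStore(trustStoreFile).build();
        configureSslBuilderClass(withTrustStore);
        try {
            sslFactory.validateReconfiguration(withTrustStore);
            Assert.fail("Truststore configured dynamically for listener without previous truststore");
        } catch (ConfigException expected) {
            // Expected: validation must reject the dynamically added truststore.
        }
    }

    /**
     * A factory first configured without any keystore settings may be reconfigured with a new
     * truststore, but must reject a reconfiguration that introduces a keystore.
     */
    @Test
    public void testReconfigurationWithoutKeystore() throws Exception {
        Map<String, Object> initialConfig = sslConfigsBuilder(Mode.SERVER).createNewTrustStore(newStoreFile("truststore")).build();
        configureSslBuilderClass(initialConfig);
        initialConfig.remove("ssl.keystore.location");
        initialConfig.remove("ssl.keystore.password");
        initialConfig.remove("ssl.keystore.type");
        SslFactory sslFactory = new SslFactory(Mode.SERVER);
        sslFactory.configure(initialConfig);
        SSLContext sslContext = sslFactory.sslEngineFactory().sslContext();
        Assert.assertNotNull("SSL context not created", sslContext);
        Assert.assertSame("SSL context recreated unnecessarily", sslContext, sslFactory.sslEngineFactory().sslContext());
        Assert.assertFalse(sslFactory.createSslEngine("localhost", 0).getUseClientMode());

        // Still without a keystore, but with a different truststore: a new context is expected.
        File trustStoreFile = newStoreFile("truststore");
        Map<String, Object> newTrustStoreConfig = sslConfigsBuilder(Mode.SERVER).createNewTrustStore(trustStoreFile).build();
        configureSslBuilderClass(newTrustStoreConfig);
        newTrustStoreConfig.remove("ssl.keystore.location");
        newTrustStoreConfig.remove("ssl.keystore.password");
        newTrustStoreConfig.remove("ssl.keystore.type");
        sslFactory.reconfigure(newTrustStoreConfig);
        Assert.assertNotSame("SSL context not recreated", sslContext, sslFactory.sslEngineFactory().sslContext());

        Map<String, Object> withKeyStore = sslConfigsBuilder(Mode.SERVER).createNewTrustStore(trustStoreFile).build();
        configureSslBuilderClass(withKeyStore);
        try {
            sslFactory.validateReconfiguration(withKeyStore);
            Assert.fail("Keystore configured dynamically for listener without previous keystore");
        } catch (ConfigException expected) {
            // Expected: validation must reject the dynamically added keystore.
        }
    }

    /**
     * A keystore and truststore produced by the same builder must configure successfully.
     */
    @Test
    public void testKeyStoreTrustStoreValidation() throws Exception {
        Map<String, Object> serverConfig = sslConfigsBuilder(Mode.SERVER).createNewTrustStore(newStoreFile("truststore")).build();
        configureSslBuilderClass(serverConfig);
        SslFactory sslFactory = new SslFactory(Mode.SERVER);
        sslFactory.configure(serverConfig);
        Assert.assertNotNull("SslEngineFactory not created", sslFactory.sslEngineFactory());
    }

    /**
     * Pairing a keystore with the truststore settings of a separately built configuration must
     * make {@code configure} fail with a {@link ConfigException}.
     */
    @Test
    public void testUntrustedKeyStoreValidationFails() throws Exception {
        File trustStoreFile1 = newStoreFile("truststore1");
        File trustStoreFile2 = newStoreFile("truststore2");
        Map<String, Object> config1 = sslConfigsBuilder(Mode.SERVER).createNewTrustStore(trustStoreFile1).build();
        configureSslBuilderClass(config1);
        Map<String, Object> config2 = sslConfigsBuilder(Mode.SERVER).createNewTrustStore(trustStoreFile2).build();
        configureSslBuilderClass(config2);
        // NOTE(review): the third constructor argument presumably enables verification of the
        // keystore against the truststore (cf. the test name) - confirm against SslFactory.
        SslFactory sslFactory = new SslFactory(Mode.SERVER, (String) null, true);
        // Keep config1's keystore but take every truststore-related setting from config2.
        for (String key : Arrays.asList("ssl.truststore.location", "ssl.truststore.password", "ssl.truststore.type", "ssl.trustmanager.algorithm")) {
            config1.put(key, config2.get(key));
        }
        try {
            sslFactory.configure(config1);
            Assert.fail("Validation did not fail with untrusted truststore");
        } catch (ConfigException expected) {
            // Expected: configure must reject the mismatched keystore/truststore pair.
        }
    }

    /**
     * After a successful configuration, validating a second, separately built configuration
     * must fail with a {@link ConfigException}.
     */
    @Test
    public void testKeystoreVerifiableUsingTruststore() throws Exception {
        Map<String, Object> config1 = sslConfigsBuilder(Mode.SERVER).createNewTrustStore(newStoreFile("truststore1")).build();
        configureSslBuilderClass(config1);
        SslFactory sslFactory = new SslFactory(Mode.SERVER, (String) null, true);
        sslFactory.configure(config1);
        Map<String, Object> config2 = sslConfigsBuilder(Mode.SERVER).createNewTrustStore(newStoreFile("truststore2")).build();
        configureSslBuilderClass(config2);
        try {
            sslFactory.validateReconfiguration(config2);
            Assert.fail("ValidateReconfiguration did not fail as expected");
        } catch (ConfigException expected) {
            // Expected: validation must reject the second configuration.
        }
    }

    /**
     * {@code SslFactory.CertificateEntries} built from the same keystore must be equal, must
     * stay equal when the same certificate is added under a second alias, and must differ for a
     * keystore built with a different CN.
     */
    @Test
    public void testCertificateEntriesValidation() throws Exception {
        Map<String, Object> serverConfig = sslConfigsBuilder(Mode.SERVER).createNewTrustStore(newStoreFile("truststore")).build();
        configureSslBuilderClass(serverConfig);
        Map<String, Object> otherCnConfig = sslConfigsBuilder(Mode.SERVER).createNewTrustStore(newStoreFile("truststore")).cn("Another CN").build();
        configureSslBuilderClass(otherCnConfig);
        KeyStore ks1 = sslKeyStore(serverConfig).get();
        KeyStore ks2 = sslKeyStore(serverConfig).get();
        Assert.assertEquals(SslFactory.CertificateEntries.create(ks1), SslFactory.CertificateEntries.create(ks2));
        // Same certificate stored under an additional alias: entries must still compare equal.
        ks2.setCertificateEntry("another", ks1.getCertificate("localhost"));
        Assert.assertEquals(SslFactory.CertificateEntries.create(ks1), SslFactory.CertificateEntries.create(ks2));
        Assert.assertNotEquals(SslFactory.CertificateEntries.create(ks1), SslFactory.CertificateEntries.create(sslKeyStore(otherCnConfig).get()));
    }

    /**
     * In client mode, the class given as "ssl.engine.factory.class" must be the one instantiated.
     */
    @Test
    public void testClientSpecifiedSslEngineFactoryUsed() throws Exception {
        Map<String, Object> clientConfig = sslConfigsBuilder(Mode.CLIENT).createNewTrustStore(newStoreFile("truststore")).useClientCert(false).build();
        clientConfig.put("ssl.engine.factory.class", TestSslUtils.TestSslEngineFactory.class);
        SslFactory sslFactory = new SslFactory(Mode.CLIENT);
        sslFactory.configure(clientConfig);
        Assert.assertTrue("SslEngineFactory must be of expected type", sslFactory.sslEngineFactory() instanceof TestSslUtils.TestSslEngineFactory);
    }

    /**
     * Closing the {@link SslFactory} must close its engine factory.
     */
    @Test
    public void testEngineFactoryClosed() throws Exception {
        Map<String, Object> clientConfig = sslConfigsBuilder(Mode.CLIENT).createNewTrustStore(newStoreFile("truststore")).useClientCert(false).build();
        clientConfig.put("ssl.engine.factory.class", TestSslUtils.TestSslEngineFactory.class);
        SslFactory sslFactory = new SslFactory(Mode.CLIENT);
        sslFactory.configure(clientConfig);
        TestSslUtils.TestSslEngineFactory engineFactory = (TestSslUtils.TestSslEngineFactory) sslFactory.sslEngineFactory();
        Assert.assertFalse(engineFactory.closed);
        sslFactory.close();
        Assert.assertTrue(engineFactory.closed);
    }

    /**
     * In server mode, the class given as "ssl.engine.factory.class" must be the one instantiated.
     */
    @Test
    public void testServerSpecifiedSslEngineFactoryUsed() throws Exception {
        Map<String, Object> serverConfig = sslConfigsBuilder(Mode.SERVER).createNewTrustStore(newStoreFile("truststore")).useClientCert(false).build();
        serverConfig.put("ssl.engine.factory.class", TestSslUtils.TestSslEngineFactory.class);
        SslFactory sslFactory = new SslFactory(Mode.SERVER);
        sslFactory.configure(serverConfig);
        Assert.assertTrue("SslEngineFactory must be of expected type", sslFactory.sslEngineFactory() instanceof TestSslUtils.TestSslEngineFactory);
    }

    /**
     * A configured engine factory class that is not an {@link SslEngineFactory} (here
     * {@code String}) must be rejected with a {@link ClassCastException}.
     */
    @Test(expected = ClassCastException.class)
    public void testInvalidSslEngineFactory() throws Exception {
        Map<String, Object> clientConfig = sslConfigsBuilder(Mode.CLIENT).createNewTrustStore(newStoreFile("truststore")).useClientCert(false).build();
        clientConfig.put("ssl.engine.factory.class", String.class);
        new SslFactory(Mode.CLIENT).configure(clientConfig);
    }

    /**
     * Creates an empty temporary ".jks" file for a test store and registers it for deletion when
     * the JVM exits, so test stores do not accumulate in the temp directory.
     *
     * <p>{@link Files#createTempFile} is used instead of {@code File.createTempFile} because
     * the file it creates may have more restrictive access permissions.
     *
     * @param prefix the file name prefix
     * @return the newly created file
     * @throws IOException if the file cannot be created
     */
    private static File newStoreFile(String prefix) throws IOException {
        File storeFile = Files.createTempFile(prefix, ".jks").toFile();
        storeFile.deleteOnExit();
        return storeFile;
    }

    /**
     * Sets the file's modification time to now plus {@code offsetMs} and fails the test if the
     * timestamp cannot be updated, since the assertions that follow depend on that change.
     *
     * @param file the store file to touch
     * @param offsetMs milliseconds to add to the current time
     */
    private static void advanceLastModified(File file, long offsetMs) {
        Assert.assertTrue("Could not update modification time of " + file, file.setLastModified(System.currentTimeMillis() + offsetMs));
    }

    /**
     * Builds a security store from the keystore type, location, password and key password held
     * in the given configuration.
     *
     * @param map the SSL configuration to read the keystore settings from
     * @return the security store wrapping the configured keystore
     */
    private DefaultSslEngineFactory.SecurityStore sslKeyStore(Map<String, Object> map) {
        return new DefaultSslEngineFactory.SecurityStore(
            (String) map.get("ssl.keystore.type"),
            (String) map.get("ssl.keystore.location"),
            (Password) map.get("ssl.keystore.password"),
            (Password) map.get("ssl.key.password"));
    }

    /**
     * Returns a config builder for the given mode, preset to this instance's TLS protocol.
     *
     * <p>The decompiler reports that this method's access modifier was changed from
     * package-private; it is kept {@code public} here to match the listing.
     *
     * @param mode whether client or server configs are built
     * @return the builder
     */
    public TestSslUtils.SslConfigsBuilder sslConfigsBuilder(Mode mode) {
        return new TestSslUtils.SslConfigsBuilder(mode).tlsProtocol(this.tlsProtocol);
    }
}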
