package org.apache.kafka.common.network;

import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.nio.ByteBuffer;
import java.nio.channels.Channels;
import java.nio.channels.SelectionKey;
import java.nio.channels.SocketChannel;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.concurrent.atomic.AtomicLong;
import java.util.function.Supplier;
import java.util.function.UnaryOperator;
import java.util.stream.Stream;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import net.jqwik.api.Disabled;
import org.apache.kafka.common.KafkaException;
import org.apache.kafka.common.config.AbstractConfig;
import org.apache.kafka.common.config.ConfigException;
import org.apache.kafka.common.config.SslConfigs;
import org.apache.kafka.common.config.internals.ConfluentConfigs;
import org.apache.kafka.common.config.types.Password;
import org.apache.kafka.common.errors.InvalidConfigurationException;
import org.apache.kafka.common.memory.MemoryPool;
import org.apache.kafka.common.message.ApiMessageType;
import org.apache.kafka.common.metrics.Metrics;
import org.apache.kafka.common.network.CertStores;
import org.apache.kafka.common.network.ChannelState;
import org.apache.kafka.common.requests.ApiVersionsResponse;
import org.apache.kafka.common.security.DefaultRequestCallbackManager;
import org.apache.kafka.common.security.TestSecurityConfig;
import org.apache.kafka.common.security.auth.SecurityProtocol;
import org.apache.kafka.common.security.authenticator.CredentialCache;
import org.apache.kafka.common.security.ssl.DefaultSslEngineFactory;
import org.apache.kafka.common.security.ssl.NettySslEngineFactory;
import org.apache.kafka.common.security.ssl.SslFactory;
import org.apache.kafka.common.security.token.delegation.internals.DelegationTokenCache;
import org.apache.kafka.common.utils.Java;
import org.apache.kafka.common.utils.LogContext;
import org.apache.kafka.common.utils.Time;
import org.apache.kafka.common.utils.Utils;
import org.apache.kafka.server.audit.AuditEvent;
import org.apache.kafka.server.audit.AuditEventStatus;
import org.apache.kafka.server.audit.AuditLogProvider;
import org.apache.kafka.server.audit.AuthenticationEvent;
import org.apache.kafka.test.TestSslUtils;
import org.apache.kafka.test.TestUtils;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Assumptions;
import org.junit.jupiter.api.extension.ExtensionContext;
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.Arguments;
import org.junit.jupiter.params.provider.ArgumentsProvider;
import org.junit.jupiter.params.provider.ArgumentsSource;

/*  JADX ERROR: NullPointerException in pass: ClassModifier
    java.lang.NullPointerException: Cannot invoke "java.util.List.forEach(java.util.function.Consumer)" because "blocks" is null
    	at jadx.core.utils.BlockUtils.collectAllInsns(BlockUtils.java:1017)
    	at jadx.core.dex.visitors.ClassModifier.removeBridgeMethod(ClassModifier.java:239)
    	at jadx.core.dex.visitors.ClassModifier.removeSyntheticMethods(ClassModifier.java:154)
    	at java.base/java.util.ArrayList.forEach(ArrayList.java:1596)
    	at jadx.core.dex.visitors.ClassModifier.visit(ClassModifier.java:64)
    	at jadx.core.dex.visitors.ClassModifier.visit(ClassModifier.java:57)
    */
/* loaded from: input_file:org/apache/kafka/common/network/SslTransportLayerTest.class */
public class SslTransportLayerTest {
    private static final int BUFFER_SIZE = 4096;
    private static Time time = Time.SYSTEM;
    private NioEchoServer server;
    private Selector selector;

    /* renamed from: org.apache.kafka.common.network.SslTransportLayerTest$1 */
    /* loaded from: input_file:org/apache/kafka/common/network/SslTransportLayerTest$1.class */
    public class AnonymousClass1 extends TestSslChannelBuilder {
        AnonymousClass1(Mode mode) {
            super(mode);
        }

        @Override // org.apache.kafka.common.network.SslTransportLayerTest.TestSslChannelBuilder
        protected TestSslChannelBuilder.TestSslTransportLayer newTransportLayer(String str, SelectionKey selectionKey, SSLEngine sSLEngine, Mode mode, ProxyProtocolEngine proxyProtocolEngine) {
            SSLParameters sSLParameters = sSLEngine.getSSLParameters();
            sSLParameters.setEndpointIdentificationAlgorithm("HTTPS");
            sSLEngine.setSSLParameters(sSLParameters);
            return super.newTransportLayer(str, selectionKey, sSLEngine, mode, proxyProtocolEngine);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.apache.kafka.common.network.SslTransportLayerTest$2 */
    /* loaded from: input_file:org/apache/kafka/common/network/SslTransportLayerTest$2.class */
    public class AnonymousClass2 extends TestSslChannelBuilder {

        /* renamed from: org.apache.kafka.common.network.SslTransportLayerTest$2$1 */
        /* loaded from: input_file:org/apache/kafka/common/network/SslTransportLayerTest$2$1.class */
        class AnonymousClass1 extends TestSslChannelBuilder.TestSslTransportLayer {
            AnonymousClass1(String str, SelectionKey selectionKey, SSLEngine sSLEngine, Mode mode, ProxyProtocolEngine proxyProtocolEngine) {
                super(str, selectionKey, sSLEngine, mode, proxyProtocolEngine);
            }

            protected int maybeReadAndProcessProxyHeaders() throws IOException {
                this.proxyProtocolEngine.processHeaders(this.netReadBuffer);
                return 60;
            }
        }

        AnonymousClass2(Mode mode) {
            super(mode);
        }

        @Override // org.apache.kafka.common.network.SslTransportLayerTest.TestSslChannelBuilder
        protected TestSslChannelBuilder.TestSslTransportLayer newTransportLayer(String str, SelectionKey selectionKey, SSLEngine sSLEngine, Mode mode, ProxyProtocolEngine proxyProtocolEngine) {
            return new TestSslChannelBuilder.TestSslTransportLayer(str, selectionKey, sSLEngine, mode, proxyProtocolEngine) { // from class: org.apache.kafka.common.network.SslTransportLayerTest.2.1
                AnonymousClass1(String str2, SelectionKey selectionKey2, SSLEngine sSLEngine2, Mode mode2, ProxyProtocolEngine proxyProtocolEngine2) {
                    super(str2, selectionKey2, sSLEngine2, mode2, proxyProtocolEngine2);
                }

                protected int maybeReadAndProcessProxyHeaders() throws IOException {
                    this.proxyProtocolEngine.processHeaders(this.netReadBuffer);
                    return 60;
                }
            };
        }
    }

    /* loaded from: input_file:org/apache/kafka/common/network/SslTransportLayerTest$Args.class */
    public static class Args {
        private final String tlsProtocol;
        private final boolean useInlinePem;
        private final Class<?> engineFactoryClass;
        private CertStores serverCertStores;
        private CertStores clientCertStores;
        private Map<String, Object> sslClientConfigs;
        private Map<String, Object> sslServerConfigs;
        private Map<String, Object> sslConfigOverrides = new HashMap();
        private TestAuditLogProvider auditLogProvider;

        public Args(String str, boolean z, Class<?> cls) throws Exception {
            this.tlsProtocol = str;
            this.useInlinePem = z;
            this.engineFactoryClass = cls;
            this.sslConfigOverrides.put("ssl.protocol", str);
            this.sslConfigOverrides.put("ssl.enabled.protocols", Collections.singletonList(str));
            init();
        }

        Map<String, Object> getTrustingConfig(CertStores certStores, CertStores certStores2) {
            Map<String, Object> trustingConfig = certStores.getTrustingConfig(certStores2);
            trustingConfig.putAll(this.sslConfigOverrides);
            return trustingConfig;
        }

        private void init() throws Exception {
            this.serverCertStores = SslTransportLayerTest.certBuilder(true, "server", this.useInlinePem).addHostName("localhost").build();
            this.clientCertStores = SslTransportLayerTest.certBuilder(false, "client", this.useInlinePem).addHostName("localhost").build();
            this.sslServerConfigs = getTrustingConfig(this.serverCertStores, this.clientCertStores);
            this.sslClientConfigs = getTrustingConfig(this.clientCertStores, this.serverCertStores);
            this.sslServerConfigs.put("ssl.engine.factory.class", this.engineFactoryClass);
            this.sslClientConfigs.put("ssl.engine.factory.class", this.engineFactoryClass);
            this.auditLogProvider = new TestAuditLogProvider();
        }

        public boolean supportsCipherConfiguration() {
            return (this.tlsProtocol.equals("TLSv1.3") && this.sslServerConfigs.get("ssl.engine.factory.class") == NettySslEngineFactory.class) ? false : true;
        }

        public String[] supportedCipherSuites() {
            return this.tlsProtocol.equals("TLSv1.3") ? new String[]{"TLS_AES_256_GCM_SHA384", "TLS_AES_128_GCM_SHA256"} : new String[]{"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"};
        }

        public String toString() {
            return "tlsProtocol=" + this.tlsProtocol + ", useInlinePem=" + this.useInlinePem;
        }
    }

    @FunctionalInterface
    /* loaded from: input_file:org/apache/kafka/common/network/SslTransportLayerTest$FailureAction.class */
    public interface FailureAction {
        public static final FailureAction NO_OP = () -> {
        };
        public static final FailureAction THROW_IO_EXCEPTION = () -> {
            throw new IOException("Test IO exception");
        };

        void run() throws IOException;
    }

    /* loaded from: input_file:org/apache/kafka/common/network/SslTransportLayerTest$SslTransportLayerArgumentsProvider.class */
    private static class SslTransportLayerArgumentsProvider implements ArgumentsProvider {
        private SslTransportLayerArgumentsProvider() {
        }

        public Stream<? extends Arguments> provideArguments(ExtensionContext extensionContext) throws Exception {
            ArrayList arrayList = new ArrayList();
            arrayList.add(Arguments.of(new Object[]{new Args("TLSv1.2", false, DefaultSslEngineFactory.class)}));
            arrayList.add(Arguments.of(new Object[]{new Args("TLSv1.2", true, DefaultSslEngineFactory.class)}));
            arrayList.add(Arguments.of(new Object[]{new Args("TLSv1.2", true, NettySslEngineFactory.class)}));
            if (Java.IS_JAVA11_COMPATIBLE) {
                arrayList.add(Arguments.of(new Object[]{new Args("TLSv1.3", false, DefaultSslEngineFactory.class)}));
                arrayList.add(Arguments.of(new Object[]{new Args("TLSv1.3", false, NettySslEngineFactory.class)}));
            }
            return arrayList.stream();
        }
    }

    /* loaded from: input_file:org/apache/kafka/common/network/SslTransportLayerTest$TestAuditLogProvider.class */
    public static class TestAuditLogProvider implements AuditLogProvider {
        public final List<AuthenticationEvent> authenticationEvents;

        private TestAuditLogProvider() {
            this.authenticationEvents = new ArrayList();
        }

        public boolean providerConfigured(Map<String, ?> map) {
            return false;
        }

        public void logEvent(AuditEvent auditEvent) {
            this.authenticationEvents.add((AuthenticationEvent) auditEvent);
        }

        public void setSanitizer(UnaryOperator<AuditEvent> unaryOperator) {
        }

        public boolean usesMetadataFromThisKafkaCluster() {
            return false;
        }

        public void close(String str) throws Exception {
            close();
        }

        public void close() throws Exception {
        }

        public Set<String> reconfigurableConfigs() {
            return null;
        }

        public void validateReconfiguration(Map<String, ?> map) throws ConfigException {
        }

        public void reconfigure(Map<String, ?> map) {
        }

        public void configure(Map<String, ?> map) {
        }

        /* synthetic */ TestAuditLogProvider(AnonymousClass1 anonymousClass1) {
            this();
        }
    }

    /* loaded from: input_file:org/apache/kafka/common/network/SslTransportLayerTest$TestSslChannelBuilder.class */
    public static class TestSslChannelBuilder extends SslChannelBuilder {
        private Integer netReadBufSizeOverride;
        private Integer netWriteBufSizeOverride;
        private Integer appBufSizeOverride;
        private long failureIndex;
        FailureAction readFailureAction;
        FailureAction flushFailureAction;
        int flushDelayCount;
        private final Mode mode;

        /* JADX INFO: Access modifiers changed from: package-private */
        /* loaded from: input_file:org/apache/kafka/common/network/SslTransportLayerTest$TestSslChannelBuilder$ResizeableBufferSize.class */
        public static class ResizeableBufferSize {
            private Integer bufSizeOverride;

            ResizeableBufferSize(Integer num) {
                this.bufSizeOverride = num;
            }

            int updateAndGet(int i, boolean z) {
                int i2 = i;
                if (this.bufSizeOverride != null) {
                    if (z) {
                        this.bufSizeOverride = Integer.valueOf(Math.min(this.bufSizeOverride.intValue() * 2, i2));
                    }
                    i2 = this.bufSizeOverride.intValue();
                }
                return i2;
            }
        }

        /* loaded from: input_file:org/apache/kafka/common/network/SslTransportLayerTest$TestSslChannelBuilder$TestSslTransportLayer.class */
        public class TestSslTransportLayer extends SslTransportLayer {
            private final ResizeableBufferSize netReadBufSize;
            private final ResizeableBufferSize netWriteBufSize;
            private final ResizeableBufferSize appBufSize;
            private final AtomicLong numReadsRemaining;
            private final AtomicLong numFlushesRemaining;
            private final AtomicInteger numDelayedFlushesRemaining;

            public TestSslTransportLayer(String str, SelectionKey selectionKey, SSLEngine sSLEngine, Mode mode, ProxyProtocolEngine proxyProtocolEngine) {
                super(str, selectionKey, sSLEngine, new DefaultChannelMetadataRegistry(), mode, proxyProtocolEngine);
                this.netReadBufSize = new ResizeableBufferSize(TestSslChannelBuilder.this.netReadBufSizeOverride);
                this.netWriteBufSize = new ResizeableBufferSize(TestSslChannelBuilder.this.netWriteBufSizeOverride);
                this.appBufSize = new ResizeableBufferSize(TestSslChannelBuilder.this.appBufSizeOverride);
                this.numReadsRemaining = new AtomicLong(TestSslChannelBuilder.this.failureIndex);
                this.numFlushesRemaining = new AtomicLong(TestSslChannelBuilder.this.failureIndex);
                this.numDelayedFlushesRemaining = new AtomicInteger(TestSslChannelBuilder.this.flushDelayCount);
            }

            protected int netReadBufferSize() {
                return this.netReadBufSize.updateAndGet(super.netReadBufferSize(), (netReadBuffer() == null || netReadBuffer().hasRemaining()) ? false : true);
            }

            protected int netWriteBufferSize() {
                return this.netWriteBufSize.updateAndGet(super.netWriteBufferSize(), true);
            }

            protected int applicationBufferSize() {
                return this.appBufSize.updateAndGet(super.applicationBufferSize(), true);
            }

            protected int readFromSocketChannel() throws IOException {
                if (this.numReadsRemaining.decrementAndGet() == 0 && !ready()) {
                    TestSslChannelBuilder.this.readFailureAction.run();
                }
                return super.readFromSocketChannel();
            }

            protected boolean flush(ByteBuffer byteBuffer) throws IOException {
                if (!byteBuffer.hasRemaining()) {
                    return super.flush(byteBuffer);
                }
                if (this.numFlushesRemaining.decrementAndGet() == 0 && !ready()) {
                    TestSslChannelBuilder.this.flushFailureAction.run();
                } else if (this.numDelayedFlushesRemaining.getAndDecrement() != 0) {
                    return false;
                }
                resetDelayedFlush();
                return super.flush(byteBuffer);
            }

            protected void startHandshake() throws IOException {
                Assertions.assertTrue(socketChannel().isConnected(), "SSL handshake initialized too early");
                super.startHandshake();
            }

            private void resetDelayedFlush() {
                this.numDelayedFlushesRemaining.set(TestSslChannelBuilder.this.flushDelayCount);
            }
        }

        public TestSslChannelBuilder(Mode mode) {
            super(mode, ListenerName.forSecurityProtocol(SecurityProtocol.SSL), false, new LogContext(), new ProxyProtocolEngineFactory(ProxyProtocol.NONE));
            this.failureIndex = Long.MAX_VALUE;
            this.readFailureAction = FailureAction.NO_OP;
            this.flushFailureAction = FailureAction.NO_OP;
            this.flushDelayCount = 0;
            this.mode = mode;
        }

        public TestSslChannelBuilder(Mode mode, ProxyProtocolEngineFactory proxyProtocolEngineFactory) {
            super(mode, ListenerName.forSecurityProtocol(SecurityProtocol.SSL), false, new LogContext(), proxyProtocolEngineFactory);
            this.failureIndex = Long.MAX_VALUE;
            this.readFailureAction = FailureAction.NO_OP;
            this.flushFailureAction = FailureAction.NO_OP;
            this.flushDelayCount = 0;
            this.mode = mode;
        }

        public void configureBufferSizes(Integer num, Integer num2, Integer num3) {
            this.netReadBufSizeOverride = num;
            this.netWriteBufSizeOverride = num2;
            this.appBufSizeOverride = num3;
        }

        protected SslTransportLayer buildTransportLayer(SslFactory sslFactory, String str, SelectionKey selectionKey, ChannelMetadataRegistry channelMetadataRegistry, ProxyProtocolEngine proxyProtocolEngine) {
            return newTransportLayer(str, selectionKey, sslFactory.createSslEngine(((SocketChannel) selectionKey.channel()).socket()), this.mode, proxyProtocolEngine);
        }

        protected TestSslTransportLayer newTransportLayer(String str, SelectionKey selectionKey, SSLEngine sSLEngine, Mode mode, ProxyProtocolEngine proxyProtocolEngine) {
            return new TestSslTransportLayer(str, selectionKey, sSLEngine, mode, proxyProtocolEngine);
        }

        /*  JADX ERROR: Failed to decode insn: 0x0002: MOVE_MULTI, method: org.apache.kafka.common.network.SslTransportLayerTest.TestSslChannelBuilder.access$1302(org.apache.kafka.common.network.SslTransportLayerTest$TestSslChannelBuilder, long):long
            java.lang.ArrayIndexOutOfBoundsException: arraycopy: source index -1 out of bounds for object array[6]
            	at java.base/java.lang.System.arraycopy(Native Method)
            	at jadx.plugins.input.java.data.code.StackState.insert(StackState.java:49)
            	at jadx.plugins.input.java.data.code.CodeDecodeState.insert(CodeDecodeState.java:118)
            	at jadx.plugins.input.java.data.code.JavaInsnsRegister.dup2x1(JavaInsnsRegister.java:313)
            	at jadx.plugins.input.java.data.code.JavaInsnData.decode(JavaInsnData.java:46)
            	at jadx.core.dex.instructions.InsnDecoder.lambda$process$0(InsnDecoder.java:54)
            	at jadx.plugins.input.java.data.code.JavaCodeReader.visitInstructions(JavaCodeReader.java:81)
            	at jadx.core.dex.instructions.InsnDecoder.process(InsnDecoder.java:50)
            	at jadx.core.dex.nodes.MethodNode.load(MethodNode.java:156)
            	at jadx.core.dex.nodes.ClassNode.load(ClassNode.java:443)
            	at jadx.core.dex.nodes.ClassNode.load(ClassNode.java:449)
            	at jadx.core.ProcessClass.process(ProcessClass.java:70)
            	at jadx.core.ProcessClass.generateCode(ProcessClass.java:118)
            	at jadx.core.dex.nodes.ClassNode.generateClassCode(ClassNode.java:400)
            	at jadx.core.dex.nodes.ClassNode.decompile(ClassNode.java:388)
            	at jadx.core.dex.nodes.ClassNode.getCode(ClassNode.java:338)
            */
        static /* synthetic */ long access$1302(org.apache.kafka.common.network.SslTransportLayerTest.TestSslChannelBuilder r6, long r7) {
            /*
                r0 = r6
                r1 = r7
                // decode failed: arraycopy: source index -1 out of bounds for object array[6]
                r0.failureIndex = r1
                return r-1
            */
            throw new UnsupportedOperationException("Method not decompiled: org.apache.kafka.common.network.SslTransportLayerTest.TestSslChannelBuilder.access$1302(org.apache.kafka.common.network.SslTransportLayerTest$TestSslChannelBuilder, long):long");
        }
    }

    public SslTransportLayerTest() {
    }

    @AfterEach
    public void teardown() throws Exception {
        if (this.selector != null) {
            this.selector.close();
        }
        if (this.server != null) {
            this.server.close();
        }
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testValidEndpointIdentificationSanDns(Args args) throws Exception {
        createSelector(args);
        this.server = createEchoServer(args, SecurityProtocol.SSL);
        args.sslClientConfigs.put("ssl.endpoint.identification.algorithm", "HTTPS");
        createSelector(args.sslClientConfigs);
        this.selector.connect(KafkaChannelTest.CHANNEL_ID, new InetSocketAddress("localhost", this.server.port()), BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.checkClientConnection(this.selector, KafkaChannelTest.CHANNEL_ID, 100, 10);
        this.server.verifyAuthenticationMetrics(1, 0);
        verifyAuditLogEvent(args, true);
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testValidEndpointIdentificationSanIp(Args args) throws Exception {
        args.serverCertStores = certBuilder(true, "server", args.useInlinePem).hostAddress(InetAddress.getByName("127.0.0.1")).build();
        args.clientCertStores = certBuilder(false, "client", args.useInlinePem).hostAddress(InetAddress.getByName("127.0.0.1")).build();
        args.sslServerConfigs = args.getTrustingConfig(args.serverCertStores, args.clientCertStores);
        args.sslClientConfigs = args.getTrustingConfig(args.clientCertStores, args.serverCertStores);
        this.server = createEchoServer(args, SecurityProtocol.SSL);
        args.sslClientConfigs.put("ssl.endpoint.identification.algorithm", "HTTPS");
        createSelector(args.sslClientConfigs);
        this.selector.connect(KafkaChannelTest.CHANNEL_ID, new InetSocketAddress("127.0.0.1", this.server.port()), BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.checkClientConnection(this.selector, KafkaChannelTest.CHANNEL_ID, 100, 10);
        verifyAuditLogEvent(args, true);
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testValidEndpointIdentificationCN(Args args) throws Exception {
        args.serverCertStores = certBuilder(true, "localhost", args.useInlinePem).build();
        args.clientCertStores = certBuilder(false, "localhost", args.useInlinePem).build();
        args.sslServerConfigs = args.getTrustingConfig(args.serverCertStores, args.clientCertStores);
        args.sslClientConfigs = args.getTrustingConfig(args.clientCertStores, args.serverCertStores);
        args.sslClientConfigs.put("ssl.endpoint.identification.algorithm", "HTTPS");
        args.auditLogProvider = new TestAuditLogProvider();
        verifySslConfigs(args);
        verifyAuditLogEvent(args, true);
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testEndpointIdentificationNoReverseLookup(Args args) throws Exception {
        this.server = createEchoServer(args, SecurityProtocol.SSL);
        args.sslClientConfigs.put("ssl.endpoint.identification.algorithm", "HTTPS");
        createSelector(args.sslClientConfigs);
        this.selector.connect(KafkaChannelTest.CHANNEL_ID, new InetSocketAddress("127.0.0.1", this.server.port()), BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.waitForChannelClose(this.selector, KafkaChannelTest.CHANNEL_ID, ChannelState.State.AUTHENTICATION_FAILED);
        verifyAuditLogEvent(args, false);
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testClientEndpointNotValidated(Args args) throws Exception {
        args.clientCertStores = certBuilder(false, "non-existent.com", args.useInlinePem).build();
        args.serverCertStores = certBuilder(true, "localhost", args.useInlinePem).build();
        args.sslServerConfigs = args.getTrustingConfig(args.serverCertStores, args.clientCertStores);
        args.sslClientConfigs = args.getTrustingConfig(args.clientCertStores, args.serverCertStores);
        AnonymousClass1 anonymousClass1 = new TestSslChannelBuilder(Mode.SERVER) { // from class: org.apache.kafka.common.network.SslTransportLayerTest.1
            AnonymousClass1(Mode mode) {
                super(mode);
            }

            @Override // org.apache.kafka.common.network.SslTransportLayerTest.TestSslChannelBuilder
            protected TestSslChannelBuilder.TestSslTransportLayer newTransportLayer(String str, SelectionKey selectionKey, SSLEngine sSLEngine, Mode mode, ProxyProtocolEngine proxyProtocolEngine) {
                SSLParameters sSLParameters = sSLEngine.getSSLParameters();
                sSLParameters.setEndpointIdentificationAlgorithm("HTTPS");
                sSLEngine.setSSLParameters(sSLParameters);
                return super.newTransportLayer(str, selectionKey, sSLEngine, mode, proxyProtocolEngine);
            }
        };
        anonymousClass1.configure(args.sslServerConfigs);
        this.server = new NioEchoServer(ListenerName.forSecurityProtocol(SecurityProtocol.SSL), SecurityProtocol.SSL, new TestSecurityConfig(args.sslServerConfigs), "localhost", anonymousClass1, null, time);
        this.server.start();
        createSelector(args.sslClientConfigs);
        this.selector.connect(KafkaChannelTest.CHANNEL_ID, new InetSocketAddress("localhost", this.server.port()), BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.checkClientConnection(this.selector, KafkaChannelTest.CHANNEL_ID, 100, 10);
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testInvalidEndpointIdentification(Args args) throws Exception {
        args.serverCertStores = certBuilder(true, "server", args.useInlinePem).addHostName("notahost").build();
        args.clientCertStores = certBuilder(false, "client", args.useInlinePem).addHostName("localhost").build();
        args.sslServerConfigs = args.getTrustingConfig(args.serverCertStores, args.clientCertStores);
        args.sslClientConfigs = args.getTrustingConfig(args.clientCertStores, args.serverCertStores);
        args.sslClientConfigs.put("ssl.endpoint.identification.algorithm", "HTTPS");
        verifySslConfigsWithHandshakeFailure(args);
        verifyAuditLogEvent(args, false);
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testEndpointIdentificationDisabled(Args args) throws Exception {
        args.serverCertStores = certBuilder(true, "server", args.useInlinePem).addHostName("notahost").build();
        args.clientCertStores = certBuilder(false, "client", args.useInlinePem).addHostName("localhost").build();
        args.sslServerConfigs = args.getTrustingConfig(args.serverCertStores, args.clientCertStores);
        args.sslClientConfigs = args.getTrustingConfig(args.clientCertStores, args.serverCertStores);
        this.server = createEchoServer(args, SecurityProtocol.SSL);
        InetSocketAddress inetSocketAddress = new InetSocketAddress("localhost", this.server.port());
        args.sslClientConfigs.put("ssl.endpoint.identification.algorithm", "");
        createSelector(args.sslClientConfigs);
        this.selector.connect("1", inetSocketAddress, BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.checkClientConnection(this.selector, "1", 100, 10);
        args.sslClientConfigs.put("ssl.endpoint.identification.algorithm", null);
        createSelector(args.sslClientConfigs);
        this.selector.connect("2", inetSocketAddress, BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.checkClientConnection(this.selector, "2", 100, 10);
        args.sslClientConfigs.put("ssl.endpoint.identification.algorithm", "HTTPS");
        createSelector(args.sslClientConfigs);
        this.selector.connect("3", inetSocketAddress, BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.waitForChannelClose(this.selector, "3", ChannelState.State.AUTHENTICATION_FAILED);
        this.selector.close();
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testClientAuthenticationRequiredValidProvided(Args args) throws Exception {
        args.sslServerConfigs.put("ssl.client.auth", "required");
        verifySslConfigs(args);
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testListenerConfigOverride(Args args) throws Exception {
        ListenerName listenerName = new ListenerName("client");
        args.sslServerConfigs.put("ssl.client.auth", "required");
        args.sslServerConfigs.put(listenerName.configPrefix() + "ssl.client.auth", "none");
        this.server = createEchoServer(args, SecurityProtocol.SSL);
        InetSocketAddress inetSocketAddress = new InetSocketAddress("localhost", this.server.port());
        createSelector(args.sslClientConfigs);
        this.selector.connect(KafkaChannelTest.CHANNEL_ID, inetSocketAddress, BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.checkClientConnection(this.selector, KafkaChannelTest.CHANNEL_ID, 100, 10);
        this.selector.close();
        Set<String> set = CertStores.KEYSTORE_PROPS;
        Map map = args.sslClientConfigs;
        map.getClass();
        set.forEach((v1) -> {
            r1.remove(v1);
        });
        createSelector(args.sslClientConfigs);
        this.selector.connect(KafkaChannelTest.CHANNEL_ID, inetSocketAddress, BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.waitForChannelClose(this.selector, KafkaChannelTest.CHANNEL_ID, ChannelState.State.AUTHENTICATION_FAILED);
        this.selector.close();
        this.server.close();
        this.server = createEchoServer(args, listenerName, SecurityProtocol.SSL);
        InetSocketAddress inetSocketAddress2 = new InetSocketAddress("localhost", this.server.port());
        createSelector(args.sslClientConfigs);
        this.selector.connect(KafkaChannelTest.CHANNEL_ID, inetSocketAddress2, BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.checkClientConnection(this.selector, KafkaChannelTest.CHANNEL_ID, 100, 10);
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testClientAuthenticationRequiredUntrustedProvided(Args args) throws Exception {
        args.sslServerConfigs = args.serverCertStores.getUntrustingConfig();
        args.sslServerConfigs.putAll(args.sslConfigOverrides);
        args.sslServerConfigs.put("ssl.client.auth", "required");
        verifySslConfigsWithHandshakeFailure(args);
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testClientAuthenticationRequiredNotProvided(Args args) throws Exception {
        args.sslServerConfigs.put("ssl.client.auth", "required");
        Set<String> set = CertStores.KEYSTORE_PROPS;
        Map map = args.sslClientConfigs;
        map.getClass();
        set.forEach((v1) -> {
            r1.remove(v1);
        });
        verifySslConfigsWithHandshakeFailure(args);
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testClientAuthenticationDisabledUntrustedProvided(Args args) throws Exception {
        args.sslServerConfigs = args.serverCertStores.getUntrustingConfig();
        args.sslServerConfigs.putAll(args.sslConfigOverrides);
        args.sslServerConfigs.put("ssl.client.auth", "none");
        verifySslConfigs(args);
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testClientAuthenticationDisabledNotProvided(Args args) throws Exception {
        args.sslServerConfigs.put("ssl.client.auth", "none");
        Set<String> set = CertStores.KEYSTORE_PROPS;
        Map map = args.sslClientConfigs;
        map.getClass();
        set.forEach((v1) -> {
            r1.remove(v1);
        });
        verifySslConfigs(args);
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testClientAuthenticationRequestedValidProvided(Args args) throws Exception {
        args.sslServerConfigs.put("ssl.client.auth", "requested");
        verifySslConfigs(args);
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testClientAuthenticationRequestedNotProvided(Args args) throws Exception {
        args.sslServerConfigs.put("ssl.client.auth", "requested");
        Set<String> set = CertStores.KEYSTORE_PROPS;
        Map map = args.sslClientConfigs;
        map.getClass();
        set.forEach((v1) -> {
            r1.remove(v1);
        });
        verifySslConfigs(args);
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testDsaKeyPair(Args args) throws Exception {
        Assumptions.assumeTrue(args.tlsProtocol.equals("TLSv1.2"));
        args.serverCertStores = certBuilder(true, "server", args.useInlinePem).keyAlgorithm("DSA").build();
        args.clientCertStores = certBuilder(false, "client", args.useInlinePem).keyAlgorithm("DSA").build();
        args.sslServerConfigs = args.getTrustingConfig(args.serverCertStores, args.clientCertStores);
        args.sslClientConfigs = args.getTrustingConfig(args.clientCertStores, args.serverCertStores);
        args.sslServerConfigs.put("ssl.client.auth", "required");
        verifySslConfigs(args);
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testECKeyPair(Args args) throws Exception {
        args.serverCertStores = certBuilder(true, "server", args.useInlinePem).keyAlgorithm("EC").build();
        args.clientCertStores = certBuilder(false, "client", args.useInlinePem).keyAlgorithm("EC").build();
        args.sslServerConfigs = args.getTrustingConfig(args.serverCertStores, args.clientCertStores);
        args.sslClientConfigs = args.getTrustingConfig(args.clientCertStores, args.serverCertStores);
        args.sslServerConfigs.put("ssl.client.auth", "required");
        verifySslConfigs(args);
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testPemFiles(Args args) throws Exception {
        TestSslUtils.convertToPem(args.sslServerConfigs, true, true);
        TestSslUtils.convertToPem(args.sslClientConfigs, true, true);
        args.sslServerConfigs.put("ssl.client.auth", "required");
        verifySslConfigs(args);
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testPemFilesWithoutClientKeyPassword(Args args) throws Exception {
        boolean z = args.useInlinePem;
        TestSslUtils.convertToPem(args.sslServerConfigs, !z, true);
        TestSslUtils.convertToPem(args.sslClientConfigs, !z, false);
        args.sslServerConfigs.put("ssl.client.auth", "required");
        this.server = createEchoServer(args, SecurityProtocol.SSL);
        if (args.useInlinePem || !NettySslEngineFactory.class.isAssignableFrom(args.engineFactoryClass)) {
            verifySslConfigs(args);
        } else {
            Assertions.assertThrows(InvalidConfigurationException.class, () -> {
                createSelector(args.sslClientConfigs);
            });
        }
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testPemFilesWithoutServerKeyPassword(Args args) throws Exception {
        TestSslUtils.convertToPem(args.sslServerConfigs, !args.useInlinePem, false);
        TestSslUtils.convertToPem(args.sslClientConfigs, !args.useInlinePem, true);
        if (args.useInlinePem || !NettySslEngineFactory.class.isAssignableFrom(args.engineFactoryClass)) {
            verifySslConfigs(args);
        } else {
            Assertions.assertThrows(InvalidConfigurationException.class, () -> {
                createEchoServer(args, SecurityProtocol.SSL);
            });
        }
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testInvalidSecureRandomImplementation(Args args) {
        SslChannelBuilder newClientChannelBuilder = newClientChannelBuilder();
        Throwable th = null;
        try {
            try {
                args.sslClientConfigs.put("ssl.secure.random.implementation", "invalid");
                Assertions.assertThrows(KafkaException.class, () -> {
                    newClientChannelBuilder.configure(args.sslClientConfigs);
                });
                if (newClientChannelBuilder != null) {
                    if (0 == 0) {
                        newClientChannelBuilder.close();
                        return;
                    }
                    try {
                        newClientChannelBuilder.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
            } catch (Throwable th3) {
                th = th3;
                throw th3;
            }
        } catch (Throwable th4) {
            if (newClientChannelBuilder != null) {
                if (th != null) {
                    try {
                        newClientChannelBuilder.close();
                    } catch (Throwable th5) {
                        th.addSuppressed(th5);
                    }
                } else {
                    newClientChannelBuilder.close();
                }
            }
            throw th4;
        }
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testInvalidTruststorePassword(Args args) {
        SslChannelBuilder newClientChannelBuilder = newClientChannelBuilder();
        Throwable th = null;
        try {
            try {
                args.sslClientConfigs.put("ssl.truststore.password", "invalid");
                Assertions.assertThrows(KafkaException.class, () -> {
                    newClientChannelBuilder.configure(args.sslClientConfigs);
                });
                if (newClientChannelBuilder != null) {
                    if (0 == 0) {
                        newClientChannelBuilder.close();
                        return;
                    }
                    try {
                        newClientChannelBuilder.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
            } catch (Throwable th3) {
                th = th3;
                throw th3;
            }
        } catch (Throwable th4) {
            if (newClientChannelBuilder != null) {
                if (th != null) {
                    try {
                        newClientChannelBuilder.close();
                    } catch (Throwable th5) {
                        th.addSuppressed(th5);
                    }
                } else {
                    newClientChannelBuilder.close();
                }
            }
            throw th4;
        }
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testInvalidKeystorePassword(Args args) {
        SslChannelBuilder newClientChannelBuilder = newClientChannelBuilder();
        Throwable th = null;
        try {
            try {
                args.sslClientConfigs.put("ssl.keystore.password", "invalid");
                Assertions.assertThrows(KafkaException.class, () -> {
                    newClientChannelBuilder.configure(args.sslClientConfigs);
                });
                if (newClientChannelBuilder != null) {
                    if (0 == 0) {
                        newClientChannelBuilder.close();
                        return;
                    }
                    try {
                        newClientChannelBuilder.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
            } catch (Throwable th3) {
                th = th3;
                throw th3;
            }
        } catch (Throwable th4) {
            if (newClientChannelBuilder != null) {
                if (th != null) {
                    try {
                        newClientChannelBuilder.close();
                    } catch (Throwable th5) {
                        th.addSuppressed(th5);
                    }
                } else {
                    newClientChannelBuilder.close();
                }
            }
            throw th4;
        }
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testNullTruststorePassword(Args args) throws Exception {
        args.sslClientConfigs.remove("ssl.truststore.password");
        args.sslServerConfigs.remove("ssl.truststore.password");
        verifySslConfigs(args);
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testInvalidKeyPassword(Args args) throws Exception {
        args.sslServerConfigs.put("ssl.key.password", new Password("invalid"));
        if (args.useInlinePem || args.engineFactoryClass == NettySslEngineFactory.class) {
            Assertions.assertThrows(InvalidConfigurationException.class, () -> {
                createEchoServer(args, SecurityProtocol.SSL);
            });
        } else {
            verifySslConfigsWithHandshakeFailure(args);
        }
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testTlsDefaults(Args args) throws Exception {
        args.sslServerConfigs = args.serverCertStores.getTrustingConfig(args.clientCertStores);
        args.sslClientConfigs = args.clientCertStores.getTrustingConfig(args.serverCertStores);
        Assertions.assertEquals(SslConfigs.DEFAULT_SSL_PROTOCOL, args.sslServerConfigs.get("ssl.protocol"));
        Assertions.assertEquals(SslConfigs.DEFAULT_SSL_PROTOCOL, args.sslClientConfigs.get("ssl.protocol"));
        this.server = createEchoServer(args, SecurityProtocol.SSL);
        createSelector(args.sslClientConfigs);
        this.selector.connect(KafkaChannelTest.CHANNEL_ID, new InetSocketAddress("localhost", this.server.port()), BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.checkClientConnection(this.selector, KafkaChannelTest.CHANNEL_ID, 10, 100);
        this.server.verifyAuthenticationMetrics(1, 0);
        this.selector.close();
    }

    private void checkAuthenticationFailed(Args args, String str, String str2) throws IOException {
        args.sslClientConfigs.put("ssl.enabled.protocols", Arrays.asList(str2));
        createSelector(args.sslClientConfigs);
        this.selector.connect(str, new InetSocketAddress("localhost", this.server.port()), BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.waitForChannelClose(this.selector, str, ChannelState.State.AUTHENTICATION_FAILED);
        this.selector.close();
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testUnsupportedCiphers(Args args) throws Exception {
        Assumptions.assumeTrue(args.supportsCipherConfiguration());
        String[] supportedCipherSuites = args.supportedCipherSuites();
        args.sslServerConfigs.put("ssl.cipher.suites", Arrays.asList(supportedCipherSuites[0]));
        this.server = createEchoServer(args, SecurityProtocol.SSL);
        args.sslClientConfigs.put("ssl.cipher.suites", Arrays.asList(supportedCipherSuites[1]));
        createSelector(args.sslClientConfigs);
        checkAuthenticationFailed(args, "1", args.tlsProtocol);
        this.server.verifyAuthenticationMetrics(0, 1);
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testServerRequestMetrics(Args args) throws Exception {
        this.server = createEchoServer(args, SecurityProtocol.SSL);
        createSelector(args.sslClientConfigs, 16384, 16384, 16384);
        this.selector.connect(KafkaChannelTest.CHANNEL_ID, new InetSocketAddress("localhost", this.server.port()), 102400, 102400);
        NetworkTestUtils.waitForChannelReady(this.selector, KafkaChannelTest.CHANNEL_ID);
        this.selector.send(new NetworkSend(KafkaChannelTest.CHANNEL_ID, ByteBufferSend.sizePrefixed(ByteBuffer.wrap(TestUtils.randomString(1048576).getBytes()))));
        while (this.selector.completedReceives().isEmpty()) {
            this.selector.poll(100L);
        }
        int i = 1048576 + 4;
        this.server.waitForMetric("incoming-byte", i);
        this.server.waitForMetric("outgoing-byte", i);
        this.server.waitForMetric("request", 1.0d);
        this.server.waitForMetric("response", 1.0d);
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testSelectorPollReadSize(Args args) throws Exception {
        this.server = createEchoServer(args, SecurityProtocol.SSL);
        createSelector(args.sslClientConfigs, 16384, 16384, 16384);
        this.selector.connect(KafkaChannelTest.CHANNEL_ID, new InetSocketAddress("localhost", this.server.port()), 102400, 102400);
        NetworkTestUtils.checkClientConnection(this.selector, KafkaChannelTest.CHANNEL_ID, 81920, 1);
        String randomString = TestUtils.randomString(81920);
        this.selector.send(new NetworkSend(KafkaChannelTest.CHANNEL_ID, ByteBufferSend.sizePrefixed(ByteBuffer.wrap(randomString.getBytes()))));
        TestUtils.waitForCondition(() -> {
            try {
                this.selector.poll(100L);
                return this.selector.completedSends().size() > 0;
            } catch (IOException e) {
                return false;
            }
        }, "Timed out waiting for message to be sent");
        TestUtils.waitForCondition(() -> {
            return this.server.numSent() >= 2;
        }, "Timed out waiting for echo server to send message");
        this.selector.poll(1000L);
        Collection completedReceives = this.selector.completedReceives();
        Assertions.assertEquals(1, completedReceives.size());
        Assertions.assertEquals(randomString, new String(Utils.toArray(((NetworkReceive) completedReceives.iterator().next()).payload())));
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testNetReadBufferResize(Args args) throws Exception {
        this.server = createEchoServer(args, SecurityProtocol.SSL);
        createSelector(args.sslClientConfigs, 10, null, null);
        this.selector.connect(KafkaChannelTest.CHANNEL_ID, new InetSocketAddress("localhost", this.server.port()), BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.checkClientConnection(this.selector, KafkaChannelTest.CHANNEL_ID, 64000, 10);
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testNetWriteBufferResize(Args args) throws Exception {
        this.server = createEchoServer(args, SecurityProtocol.SSL);
        createSelector(args.sslClientConfigs, null, 10, null);
        this.selector.connect(KafkaChannelTest.CHANNEL_ID, new InetSocketAddress("localhost", this.server.port()), BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.checkClientConnection(this.selector, KafkaChannelTest.CHANNEL_ID, 64000, 10);
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testApplicationBufferResize(Args args) throws Exception {
        this.server = createEchoServer(args, SecurityProtocol.SSL);
        createSelector(args.sslClientConfigs, null, null, 10);
        this.selector.connect(KafkaChannelTest.CHANNEL_ID, new InetSocketAddress("localhost", this.server.port()), BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.checkClientConnection(this.selector, KafkaChannelTest.CHANNEL_ID, 64000, 10);
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @Disabled
    @ParameterizedTest
    public void testNetworkThreadTimeRecorded(Args args) throws Exception {
        LogContext logContext = new LogContext();
        SslChannelBuilder sslChannelBuilder = new SslChannelBuilder(Mode.CLIENT, (ListenerName) null, false, logContext, new ProxyProtocolEngineFactory(ProxyProtocol.NONE));
        sslChannelBuilder.configure(args.sslClientConfigs);
        Selector selector = new Selector(-1, -1L, new Metrics(), Time.SYSTEM, "MetricGroup", new HashMap(), false, true, sslChannelBuilder, MemoryPool.NONE, logContext);
        Throwable th = null;
        try {
            try {
                this.server = createEchoServer(args, SecurityProtocol.SSL);
                selector.connect(KafkaChannelTest.CHANNEL_ID, new InetSocketAddress("localhost", this.server.port()), BUFFER_SIZE, BUFFER_SIZE);
                String randomString = TestUtils.randomString(1048576);
                NetworkTestUtils.waitForChannelReady(selector, KafkaChannelTest.CHANNEL_ID);
                KafkaChannel channel = selector.channel(KafkaChannelTest.CHANNEL_ID);
                Assertions.assertTrue(channel.metrics().networkIoTimeNanos() > 0, "SSL handshake time not recorded");
                Assertions.assertEquals(0L, channel.metrics().writeIoTimeNanos());
                channel.resetNetworkIoTimes();
                Assertions.assertEquals(0L, channel.metrics().networkIoTimeNanos(), "Time not reset");
                selector.mute(KafkaChannelTest.CHANNEL_ID);
                selector.send(new NetworkSend(KafkaChannelTest.CHANNEL_ID, ByteBufferSend.sizePrefixed(ByteBuffer.wrap(randomString.getBytes()))));
                while (selector.completedSends().isEmpty()) {
                    selector.poll(100L);
                }
                long networkIoTimeNanos = channel.metrics().networkIoTimeNanos();
                Assertions.assertTrue(networkIoTimeNanos > 0, "Send time not recorded: " + networkIoTimeNanos);
                Assertions.assertEquals(networkIoTimeNanos, channel.metrics().writeIoTimeNanos());
                channel.resetNetworkIoTimes();
                Assertions.assertEquals(0L, channel.metrics().networkIoTimeNanos(), "Time not reset");
                Assertions.assertEquals(0L, channel.metrics().writeIoTimeNanos(), "Write time not reset");
                Assertions.assertFalse(channel.hasBytesBuffered(), "Unexpected bytes buffered");
                Assertions.assertEquals(0, selector.completedReceives().size());
                selector.unmute(KafkaChannelTest.CHANNEL_ID);
                TestUtils.waitForCondition(() -> {
                    try {
                        selector.poll(100L);
                        return !selector.completedReceives().isEmpty();
                    } catch (IOException e) {
                        return false;
                    }
                }, "Timed out waiting for a message to receive from echo server");
                long networkIoTimeNanos2 = channel.metrics().networkIoTimeNanos();
                Assertions.assertTrue(networkIoTimeNanos2 > 0, "Receive time not recorded: " + networkIoTimeNanos2);
                Assertions.assertEquals(0L, channel.metrics().writeIoTimeNanos());
                if (selector != null) {
                    if (0 == 0) {
                        selector.close();
                        return;
                    }
                    try {
                        selector.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
            } catch (Throwable th3) {
                th = th3;
                throw th3;
            }
        } catch (Throwable th4) {
            if (selector != null) {
                if (th != null) {
                    try {
                        selector.close();
                    } catch (Throwable th5) {
                        th.addSuppressed(th5);
                    }
                } else {
                    selector.close();
                }
            }
            throw th4;
        }
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testIOExceptionsDuringHandshakeRead(Args args) throws Exception {
        this.server = createEchoServer(args, SecurityProtocol.SSL);
        testIOExceptionsDuringHandshake(args, FailureAction.THROW_IO_EXCEPTION, FailureAction.NO_OP);
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testIOExceptionsDuringHandshakeWrite(Args args) throws Exception {
        this.server = createEchoServer(args, SecurityProtocol.SSL);
        testIOExceptionsDuringHandshake(args, FailureAction.NO_OP, FailureAction.THROW_IO_EXCEPTION);
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testUngracefulRemoteCloseDuringHandshakeRead(Args args) throws Exception {
        this.server = createEchoServer(args, SecurityProtocol.SSL);
        NioEchoServer nioEchoServer = this.server;
        nioEchoServer.getClass();
        testIOExceptionsDuringHandshake(args, nioEchoServer::closeSocketChannels, FailureAction.NO_OP);
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testUngracefulRemoteCloseDuringHandshakeWrite(Args args) throws Exception {
        this.server = createEchoServer(args, SecurityProtocol.SSL);
        FailureAction failureAction = FailureAction.NO_OP;
        NioEchoServer nioEchoServer = this.server;
        nioEchoServer.getClass();
        testIOExceptionsDuringHandshake(args, failureAction, nioEchoServer::closeSocketChannels);
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testGracefulRemoteCloseDuringHandshakeRead(Args args) throws Exception {
        this.server = createEchoServer(args, SecurityProtocol.SSL);
        FailureAction failureAction = FailureAction.NO_OP;
        NioEchoServer nioEchoServer = this.server;
        nioEchoServer.getClass();
        testIOExceptionsDuringHandshake(args, failureAction, nioEchoServer::closeKafkaChannels);
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testGracefulRemoteCloseDuringHandshakeWrite(Args args) throws Exception {
        this.server = createEchoServer(args, SecurityProtocol.SSL);
        NioEchoServer nioEchoServer = this.server;
        nioEchoServer.getClass();
        testIOExceptionsDuringHandshake(args, nioEchoServer::closeKafkaChannels, FailureAction.NO_OP);
    }

    private void testIOExceptionsDuringHandshake(Args args, FailureAction failureAction, FailureAction failureAction2) throws Exception {
        TestSslChannelBuilder testSslChannelBuilder = new TestSslChannelBuilder(Mode.CLIENT);
        boolean z = false;
        for (int i = 1; i <= 100; i++) {
            String valueOf = String.valueOf(i);
            testSslChannelBuilder.readFailureAction = failureAction;
            testSslChannelBuilder.flushFailureAction = failureAction2;
            TestSslChannelBuilder.access$1302(testSslChannelBuilder, i);
            testSslChannelBuilder.configure(args.sslClientConfigs);
            this.selector = new Selector(10000L, new Metrics(), time, "MetricGroup", testSslChannelBuilder, new LogContext());
            this.selector.connect(valueOf, new InetSocketAddress("localhost", this.server.port()), BUFFER_SIZE, BUFFER_SIZE);
            int i2 = 0;
            while (true) {
                if (i2 >= 30) {
                    break;
                }
                this.selector.poll(1000L);
                KafkaChannel channel = this.selector.channel(valueOf);
                if (channel != null && channel.ready()) {
                    z = true;
                    break;
                } else if (this.selector.disconnected().containsKey(valueOf)) {
                    ChannelState.State state = ((ChannelState) this.selector.disconnected().get(valueOf)).state();
                    Assertions.assertTrue(state == ChannelState.State.AUTHENTICATE || state == ChannelState.State.READY, "Unexpected channel state " + state);
                } else {
                    i2++;
                }
            }
            KafkaChannel channel2 = this.selector.channel(valueOf);
            if (channel2 != null) {
                Assertions.assertTrue(channel2.ready(), "Channel not ready or disconnected:" + channel2.state().state());
            }
            this.selector.close();
        }
        Assertions.assertTrue(z, "Too many invocations of read/write during SslTransportLayer.handshake()");
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testPeerNotifiedOfHandshakeFailure(Args args) throws Exception {
        args.sslServerConfigs = args.serverCertStores.getUntrustingConfig();
        args.sslServerConfigs.putAll(args.sslConfigOverrides);
        args.sslServerConfigs.put("ssl.client.auth", "required");
        for (int i = 0; i < 3; i++) {
            String valueOf = String.valueOf(i);
            TestSslChannelBuilder testSslChannelBuilder = new TestSslChannelBuilder(Mode.SERVER);
            testSslChannelBuilder.configure(args.sslServerConfigs);
            testSslChannelBuilder.flushDelayCount = i;
            this.server = new NioEchoServer(ListenerName.forSecurityProtocol(SecurityProtocol.SSL), SecurityProtocol.SSL, new TestSecurityConfig(args.sslServerConfigs), "localhost", testSslChannelBuilder, null, time);
            this.server.start();
            createSelector(args.sslClientConfigs);
            this.selector.connect(valueOf, new InetSocketAddress("localhost", this.server.port()), BUFFER_SIZE, BUFFER_SIZE);
            NetworkTestUtils.waitForChannelClose(this.selector, valueOf, ChannelState.State.AUTHENTICATION_FAILED);
            this.server.close();
            this.selector.close();
            testSslChannelBuilder.close();
        }
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testPeerNotifiedOfHandshakeFailureWithClientSideDelay(Args args) throws Exception {
        args.sslServerConfigs.put("ssl.client.auth", "required");
        Set<String> set = CertStores.KEYSTORE_PROPS;
        Map map = args.sslClientConfigs;
        map.getClass();
        set.forEach((v1) -> {
            r1.remove(v1);
        });
        verifySslConfigsWithHandshakeFailure(args, 1);
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testCloseSsl(Args args) throws Exception {
        testClose(args, SecurityProtocol.SSL, newClientChannelBuilder());
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testClosePlaintext(Args args) throws Exception {
        testClose(args, SecurityProtocol.PLAINTEXT, new PlaintextChannelBuilder(Mode.CLIENT, (ListenerName) null, new ProxyProtocolEngineFactory(ProxyProtocol.NONE)));
    }

    private SslChannelBuilder newClientChannelBuilder() {
        return new SslChannelBuilder(Mode.CLIENT, (ListenerName) null, false, new LogContext(), new ProxyProtocolEngineFactory(ProxyProtocol.NONE));
    }

    private void testClose(Args args, SecurityProtocol securityProtocol, ChannelBuilder channelBuilder) throws Exception {
        this.server = createEchoServer(args, securityProtocol);
        channelBuilder.configure(args.sslClientConfigs);
        this.selector = new Selector(5000L, new Metrics(), time, "MetricGroup", channelBuilder, new LogContext());
        this.selector.connect(KafkaChannelTest.CHANNEL_ID, new InetSocketAddress("localhost", this.server.port()), BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.waitForChannelReady(this.selector, KafkaChannelTest.CHANNEL_ID);
        TestUtils.waitForCondition(() -> {
            return this.server.selector().channels().stream().allMatch((v0) -> {
                return v0.ready();
            });
        }, "Channel not ready");
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        this.server.outputChannel(Channels.newChannel(byteArrayOutputStream));
        this.server.selector().muteAll();
        byte[] bytes = TestUtils.randomString(100).getBytes();
        int length = 20 * (bytes.length + 4);
        for (int i = 0; i < 20; i++) {
            this.selector.send(new NetworkSend(KafkaChannelTest.CHANNEL_ID, ByteBufferSend.sizePrefixed(ByteBuffer.wrap(bytes))));
            do {
                this.selector.poll(0L);
            } while (this.selector.completedSends().isEmpty());
        }
        this.server.selector().unmuteAll();
        this.selector.close(KafkaChannelTest.CHANNEL_ID);
        TestUtils.waitForCondition(() -> {
            return byteArrayOutputStream.toByteArray().length == length;
        }, 5000L, "All requests sent were not processed");
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testInterBrokerSslConfigValidation(Args args) throws Exception {
        SecurityProtocol securityProtocol = SecurityProtocol.SSL;
        args.sslServerConfigs.put("ssl.client.auth", "required");
        args.sslServerConfigs.put("ssl.endpoint.identification.algorithm", "HTTPS");
        args.sslServerConfigs.putAll(args.serverCertStores.keyStoreProps());
        args.sslServerConfigs.putAll(args.serverCertStores.trustStoreProps());
        args.sslClientConfigs.putAll(args.serverCertStores.keyStoreProps());
        args.sslClientConfigs.putAll(args.serverCertStores.trustStoreProps());
        TestSecurityConfig testSecurityConfig = new TestSecurityConfig(args.sslServerConfigs);
        ListenerName forSecurityProtocol = ListenerName.forSecurityProtocol(securityProtocol);
        this.server = new NioEchoServer(forSecurityProtocol, securityProtocol, testSecurityConfig, "localhost", ChannelBuilders.serverChannelBuilder(forSecurityProtocol, true, securityProtocol, testSecurityConfig, (CredentialCache) null, (DelegationTokenCache) null, time, new LogContext(), defaultApiVersionsSupplier(), new DefaultRequestCallbackManager()), null, time);
        this.server.start();
        this.selector = createSelector(args.sslClientConfigs, null, null, null);
        this.selector.connect(KafkaChannelTest.CHANNEL_ID, new InetSocketAddress("localhost", this.server.port()), BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.checkClientConnection(this.selector, KafkaChannelTest.CHANNEL_ID, 100, 10);
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testInterBrokerSslConfigValidationFailure(Args args) {
        SecurityProtocol securityProtocol = SecurityProtocol.SSL;
        args.sslServerConfigs.put("ssl.client.auth", "required");
        TestSecurityConfig testSecurityConfig = new TestSecurityConfig(args.sslServerConfigs);
        ListenerName forSecurityProtocol = ListenerName.forSecurityProtocol(securityProtocol);
        Assertions.assertThrows(KafkaException.class, () -> {
            ChannelBuilders.serverChannelBuilder(forSecurityProtocol, true, securityProtocol, testSecurityConfig, (CredentialCache) null, (DelegationTokenCache) null, time, new LogContext(), defaultApiVersionsSupplier(), new DefaultRequestCallbackManager());
        });
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testServerKeystoreDynamicUpdate(Args args) throws Exception {
        SecurityProtocol securityProtocol = SecurityProtocol.SSL;
        TestSecurityConfig testSecurityConfig = new TestSecurityConfig(args.sslServerConfigs);
        ListenerName forSecurityProtocol = ListenerName.forSecurityProtocol(securityProtocol);
        ChannelBuilder serverChannelBuilder = ChannelBuilders.serverChannelBuilder(forSecurityProtocol, false, securityProtocol, testSecurityConfig, (CredentialCache) null, (DelegationTokenCache) null, time, new LogContext(), defaultApiVersionsSupplier(), new DefaultRequestCallbackManager());
        this.server = new NioEchoServer(forSecurityProtocol, securityProtocol, testSecurityConfig, "localhost", serverChannelBuilder, null, time);
        this.server.start();
        InetSocketAddress inetSocketAddress = new InetSocketAddress("localhost", this.server.port());
        Selector createSelector = createSelector(args.sslClientConfigs);
        createSelector.connect(KafkaChannelTest.CHANNEL_ID, inetSocketAddress, BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.checkClientConnection(this.selector, KafkaChannelTest.CHANNEL_ID, 100, 10);
        CertStores build = certBuilder(true, "server", args.useInlinePem).addHostName("localhost").build();
        Map<String, Object> keyStoreProps = build.keyStoreProps();
        Assertions.assertTrue(serverChannelBuilder instanceof ListenerReconfigurable, "SslChannelBuilder not reconfigurable");
        ListenerReconfigurable listenerReconfigurable = (ListenerReconfigurable) serverChannelBuilder;
        Assertions.assertEquals(forSecurityProtocol, listenerReconfigurable.listenerName());
        listenerReconfigurable.validateReconfiguration(keyStoreProps);
        listenerReconfigurable.reconfigure(keyStoreProps);
        createSelector.connect("1", inetSocketAddress, BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.waitForChannelClose(createSelector, "1", ChannelState.State.AUTHENTICATION_FAILED);
        args.sslClientConfigs = args.getTrustingConfig(args.clientCertStores, build);
        Selector createSelector2 = createSelector(args.sslClientConfigs);
        createSelector2.connect("2", inetSocketAddress, BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.checkClientConnection(createSelector2, "2", 100, 10);
        NetworkTestUtils.checkClientConnection(createSelector, KafkaChannelTest.CHANNEL_ID, 100, 10);
        verifyInvalidReconfigure(listenerReconfigurable, args.getTrustingConfig(certBuilder(true, "server", args.useInlinePem).addHostName("127.0.0.1").build(), args.clientCertStores), "keystore with different SubjectAltName");
        HashMap hashMap = new HashMap();
        hashMap.put("ssl.keystore.type", "PKCS12");
        hashMap.put("ssl.keystore.location", "some.keystore.path");
        hashMap.put("ssl.keystore.password", new Password("some.keystore.password"));
        hashMap.put("ssl.key.password", new Password("some.key.password"));
        verifyInvalidReconfigure(listenerReconfigurable, hashMap, "keystore not found");
        createSelector2.connect("3", inetSocketAddress, BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.checkClientConnection(createSelector2, "3", 100, 10);
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testServerKeystoreDynamicUpdateWithNewSubjectAltName(Args args) throws Exception {
        SecurityProtocol securityProtocol = SecurityProtocol.SSL;
        TestSecurityConfig testSecurityConfig = new TestSecurityConfig(args.sslServerConfigs);
        ListenerName forSecurityProtocol = ListenerName.forSecurityProtocol(securityProtocol);
        ChannelBuilder serverChannelBuilder = ChannelBuilders.serverChannelBuilder(forSecurityProtocol, false, securityProtocol, testSecurityConfig, (CredentialCache) null, (DelegationTokenCache) null, time, new LogContext(), defaultApiVersionsSupplier(), new DefaultRequestCallbackManager());
        this.server = new NioEchoServer(forSecurityProtocol, securityProtocol, testSecurityConfig, "localhost", serverChannelBuilder, null, time);
        this.server.start();
        InetSocketAddress inetSocketAddress = new InetSocketAddress("localhost", this.server.port());
        Selector createSelector = createSelector(args.sslClientConfigs);
        createSelector.connect("1", inetSocketAddress, BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.checkClientConnection(createSelector, "1", 100, 10);
        createSelector.close();
        TestSslUtils.CertificateBuilder sanDnsNames = new TestSslUtils.CertificateBuilder().sanDnsNames("localhost", "*.example.com");
        String str = (String) args.sslClientConfigs.get("ssl.truststore.location");
        File file = str != null ? new File(str) : null;
        TestSslUtils.SslConfigsBuilder usePem = new TestSslUtils.SslConfigsBuilder(Mode.SERVER).useClientCert(false).certAlias("server").cn("server").certBuilder(sanDnsNames).createNewTrustStore(file).usePem(args.useInlinePem);
        Map<String, Object> build = usePem.build();
        HashMap hashMap = new HashMap();
        for (String str2 : CertStores.KEYSTORE_PROPS) {
            hashMap.put(str2, build.get(str2));
        }
        ListenerReconfigurable listenerReconfigurable = (ListenerReconfigurable) serverChannelBuilder;
        listenerReconfigurable.validateReconfiguration(hashMap);
        listenerReconfigurable.reconfigure(hashMap);
        for (String str3 : CertStores.TRUSTSTORE_PROPS) {
            args.sslClientConfigs.put(str3, build.get(str3));
        }
        Selector createSelector2 = createSelector(args.sslClientConfigs);
        createSelector2.connect("2", inetSocketAddress, BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.checkClientConnection(createSelector2, "2", 100, 10);
        TestSslUtils.CertificateBuilder sanDnsNames2 = new TestSslUtils.CertificateBuilder().sanDnsNames("localhost");
        if (!args.useInlinePem) {
            usePem.useExistingTrustStore(file);
        }
        Map<String, Object> build2 = usePem.certBuilder(sanDnsNames2).build();
        HashMap hashMap2 = new HashMap();
        for (String str4 : CertStores.KEYSTORE_PROPS) {
            hashMap2.put(str4, build2.get(str4));
        }
        verifyInvalidReconfigure(listenerReconfigurable, hashMap2, "keystore without existing SubjectAltName");
        createSelector2.connect("3", inetSocketAddress, BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.checkClientConnection(createSelector2, "3", 100, 10);
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testServerTruststoreDynamicUpdate(Args args) throws Exception {
        SecurityProtocol securityProtocol = SecurityProtocol.SSL;
        args.sslServerConfigs.put("ssl.client.auth", "required");
        TestSecurityConfig testSecurityConfig = new TestSecurityConfig(args.sslServerConfigs);
        ListenerName forSecurityProtocol = ListenerName.forSecurityProtocol(securityProtocol);
        ChannelBuilder serverChannelBuilder = ChannelBuilders.serverChannelBuilder(forSecurityProtocol, false, securityProtocol, testSecurityConfig, (CredentialCache) null, (DelegationTokenCache) null, time, new LogContext(), defaultApiVersionsSupplier(), new DefaultRequestCallbackManager());
        this.server = new NioEchoServer(forSecurityProtocol, securityProtocol, testSecurityConfig, "localhost", serverChannelBuilder, null, time);
        this.server.start();
        InetSocketAddress inetSocketAddress = new InetSocketAddress("localhost", this.server.port());
        Selector createSelector = createSelector(args.sslClientConfigs);
        createSelector.connect(KafkaChannelTest.CHANNEL_ID, inetSocketAddress, BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.checkClientConnection(this.selector, KafkaChannelTest.CHANNEL_ID, 100, 10);
        CertStores build = certBuilder(true, "client", args.useInlinePem).addHostName("localhost").build();
        args.sslClientConfigs = args.getTrustingConfig(build, args.serverCertStores);
        Map<String, Object> trustStoreProps = build.trustStoreProps();
        Assertions.assertTrue(serverChannelBuilder instanceof ListenerReconfigurable, "SslChannelBuilder not reconfigurable");
        ListenerReconfigurable listenerReconfigurable = (ListenerReconfigurable) serverChannelBuilder;
        Assertions.assertEquals(forSecurityProtocol, listenerReconfigurable.listenerName());
        listenerReconfigurable.validateReconfiguration(trustStoreProps);
        listenerReconfigurable.reconfigure(trustStoreProps);
        createSelector.connect("1", inetSocketAddress, BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.waitForChannelClose(createSelector, "1", ChannelState.State.AUTHENTICATION_FAILED);
        Selector createSelector2 = createSelector(args.sslClientConfigs);
        createSelector2.connect("2", inetSocketAddress, BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.checkClientConnection(createSelector2, "2", 100, 10);
        NetworkTestUtils.checkClientConnection(createSelector, KafkaChannelTest.CHANNEL_ID, 100, 10);
        HashMap hashMap = new HashMap(trustStoreProps);
        hashMap.put("ssl.truststore.type", "INVALID_TYPE");
        verifyInvalidReconfigure(listenerReconfigurable, hashMap, "invalid truststore type");
        HashMap hashMap2 = new HashMap();
        hashMap2.put("ssl.truststore.type", "PKCS12");
        hashMap2.put("ssl.truststore.location", "some.truststore.path");
        hashMap2.put("ssl.truststore.password", new Password("some.truststore.password"));
        verifyInvalidReconfigure(listenerReconfigurable, hashMap2, "truststore not found");
        createSelector2.connect("3", inetSocketAddress, BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.checkClientConnection(createSelector2, "3", 100, 10);
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testServerCipherDynamicUpdate(Args args) throws Exception {
        Assumptions.assumeTrue(args.supportsCipherConfiguration());
        String[] supportedCipherSuites = args.supportedCipherSuites();
        String str = supportedCipherSuites[0];
        SecurityProtocol securityProtocol = SecurityProtocol.SSL;
        args.sslServerConfigs.put("ssl.client.auth", "required");
        args.sslServerConfigs.put("ssl.cipher.suites", Collections.singletonList(str));
        TestSecurityConfig testSecurityConfig = new TestSecurityConfig(args.sslServerConfigs);
        ListenerName forSecurityProtocol = ListenerName.forSecurityProtocol(securityProtocol);
        ListenerReconfigurable serverChannelBuilder = ChannelBuilders.serverChannelBuilder(forSecurityProtocol, false, securityProtocol, testSecurityConfig, (CredentialCache) null, (DelegationTokenCache) null, time, new LogContext(), defaultApiVersionsSupplier(), new DefaultRequestCallbackManager());
        this.server = new NioEchoServer(forSecurityProtocol, securityProtocol, testSecurityConfig, "localhost", serverChannelBuilder, null, time);
        this.server.start();
        InetSocketAddress inetSocketAddress = new InetSocketAddress("localhost", this.server.port());
        Selector createSelector = createSelector(args);
        createSelector.connect(KafkaChannelTest.CHANNEL_ID, inetSocketAddress, BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.checkClientConnection(createSelector, KafkaChannelTest.CHANNEL_ID, 100, 10);
        String str2 = supportedCipherSuites[1];
        Map<String, Object> map = args.sslClientConfigs;
        map.put("ssl.cipher.suites", Collections.singletonList(str2));
        Selector createSelector2 = createSelector(map);
        createSelector2.connect(KafkaChannelTest.CHANNEL_ID, inetSocketAddress, BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.waitForChannelClose(createSelector2, KafkaChannelTest.CHANNEL_ID, ChannelState.State.AUTHENTICATION_FAILED);
        Map map2 = args.sslServerConfigs;
        map2.put("ssl.cipher.suites", Collections.singletonList(str2));
        ListenerReconfigurable listenerReconfigurable = serverChannelBuilder;
        Assertions.assertEquals(forSecurityProtocol, listenerReconfigurable.listenerName());
        listenerReconfigurable.validateReconfiguration(map2);
        listenerReconfigurable.reconfigure(map2);
        createSelector2.connect("1", inetSocketAddress, BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.checkClientConnection(createSelector2, "1", 100, 10);
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testEngineFactoryDynamicUpdate(Args args) throws Exception {
        SecurityProtocol securityProtocol = SecurityProtocol.SSL;
        args.sslServerConfigs.put("ssl.client.auth", "required");
        args.sslServerConfigs.put("ssl.engine.factory.class", NettySslEngineFactory.class);
        TestSecurityConfig testSecurityConfig = new TestSecurityConfig(args.sslServerConfigs);
        ListenerName forSecurityProtocol = ListenerName.forSecurityProtocol(securityProtocol);
        SslChannelBuilder serverChannelBuilder = ChannelBuilders.serverChannelBuilder(forSecurityProtocol, false, securityProtocol, testSecurityConfig, (CredentialCache) null, (DelegationTokenCache) null, time, new LogContext(), defaultApiVersionsSupplier(), new DefaultRequestCallbackManager());
        Assertions.assertTrue(serverChannelBuilder.sslEngineFactory() instanceof NettySslEngineFactory);
        this.server = new NioEchoServer(forSecurityProtocol, securityProtocol, testSecurityConfig, "localhost", serverChannelBuilder, null, time);
        this.server.start();
        InetSocketAddress inetSocketAddress = new InetSocketAddress("localhost", this.server.port());
        Selector createSelector = createSelector(args);
        createSelector.connect(KafkaChannelTest.CHANNEL_ID, inetSocketAddress, BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.checkClientConnection(createSelector, KafkaChannelTest.CHANNEL_ID, 100, 10);
        Map map = args.sslServerConfigs;
        map.put("listener.name." + forSecurityProtocol + ".ssl.engine.factory.class", DefaultSslEngineFactory.class);
        ListenerReconfigurable listenerReconfigurable = (ListenerReconfigurable) serverChannelBuilder;
        Assertions.assertEquals(forSecurityProtocol, listenerReconfigurable.listenerName());
        listenerReconfigurable.validateReconfiguration(map);
        listenerReconfigurable.reconfigure(map);
        Assertions.assertTrue(serverChannelBuilder.sslEngineFactory() instanceof DefaultSslEngineFactory);
        createSelector.connect("1", inetSocketAddress, BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.checkClientConnection(createSelector, "1", 100, 10);
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testCustomClientSslEngineFactory(Args args) throws Exception {
        args.sslClientConfigs.put("ssl.engine.factory.class", TestSslUtils.TestSslEngineFactory.class);
        verifySslConfigs(args);
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testCustomServerSslEngineFactory(Args args) throws Exception {
        args.sslServerConfigs.put("ssl.engine.factory.class", TestSslUtils.TestSslEngineFactory.class);
        verifySslConfigs(args);
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testCustomClientAndServerSslEngineFactory(Args args) throws Exception {
        args.sslClientConfigs.put("ssl.engine.factory.class", TestSslUtils.TestSslEngineFactory.class);
        args.sslServerConfigs.put("ssl.engine.factory.class", TestSslUtils.TestSslEngineFactory.class);
        verifySslConfigs(args);
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testInvalidSslEngineFactory(Args args) {
        args.sslClientConfigs.put("ssl.engine.factory.class", String.class);
        Assertions.assertThrows(KafkaException.class, () -> {
            createSelector(args.sslClientConfigs);
        });
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testLogMessageForSslHandshakeException(Args args) throws Exception {
        this.server = createEchoServer(args, SecurityProtocol.SSL);
        args.sslClientConfigs.put("ssl.endpoint.identification.algorithm", "HTTPS");
        createSelector(args);
        this.selector.connect(KafkaChannelTest.CHANNEL_ID, new InetSocketAddress("127.0.0.1", this.server.port()), BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.waitTillServerConnectionWithAuthFailure(this.server.selector(), this.selector, "SSL handshake failed", "errorMessage=SSL handshake failed", true);
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testWithProxyProtocolEngine(Args args) throws Exception {
        SecurityProtocol securityProtocol = SecurityProtocol.SSL;
        args.sslServerConfigs.put("ssl.client.auth", "required");
        TestSecurityConfig testSecurityConfig = new TestSecurityConfig(args.sslServerConfigs);
        ListenerName forSecurityProtocol = ListenerName.forSecurityProtocol(securityProtocol);
        InetAddress localHost = InetAddress.getLocalHost();
        this.server = new NioEchoServer(forSecurityProtocol, securityProtocol, testSecurityConfig, "localhost", ChannelBuilders.serverChannelBuilder(forSecurityProtocol, false, securityProtocol, testSecurityConfig, (CredentialCache) null, (DelegationTokenCache) null, time, new LogContext(), defaultApiVersionsSupplier(), new DefaultRequestCallbackManager(), new ProxyProtocolEngineFactory(() -> {
            return new TestProxyProtocolEngine(localHost, 31313);
        })), null, time);
        this.server.start();
        InetSocketAddress inetSocketAddress = new InetSocketAddress("localhost", this.server.port());
        Selector createSelector = createSelector(args);
        createSelector.connect(KafkaChannelTest.CHANNEL_ID, inetSocketAddress, BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.checkClientConnection(createSelector, KafkaChannelTest.CHANNEL_ID, 100, 10);
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testProxyEngineConsumesFullSocketRead(Args args) throws Exception {
        args.sslServerConfigs.put("ssl.client.auth", "required");
        AnonymousClass2 anonymousClass2 = new TestSslChannelBuilder(Mode.SERVER) { // from class: org.apache.kafka.common.network.SslTransportLayerTest.2

            /* renamed from: org.apache.kafka.common.network.SslTransportLayerTest$2$1 */
            /* loaded from: input_file:org/apache/kafka/common/network/SslTransportLayerTest$2$1.class */
            class AnonymousClass1 extends TestSslChannelBuilder.TestSslTransportLayer {
                AnonymousClass1(String str2, SelectionKey selectionKey2, SSLEngine sSLEngine2, Mode mode2, ProxyProtocolEngine proxyProtocolEngine2) {
                    super(str2, selectionKey2, sSLEngine2, mode2, proxyProtocolEngine2);
                }

                protected int maybeReadAndProcessProxyHeaders() throws IOException {
                    this.proxyProtocolEngine.processHeaders(this.netReadBuffer);
                    return 60;
                }
            }

            AnonymousClass2(Mode mode) {
                super(mode);
            }

            @Override // org.apache.kafka.common.network.SslTransportLayerTest.TestSslChannelBuilder
            protected TestSslChannelBuilder.TestSslTransportLayer newTransportLayer(String str2, SelectionKey selectionKey2, SSLEngine sSLEngine2, Mode mode2, ProxyProtocolEngine proxyProtocolEngine2) {
                return new TestSslChannelBuilder.TestSslTransportLayer(str2, selectionKey2, sSLEngine2, mode2, proxyProtocolEngine2) { // from class: org.apache.kafka.common.network.SslTransportLayerTest.2.1
                    AnonymousClass1(String str22, SelectionKey selectionKey22, SSLEngine sSLEngine22, Mode mode22, ProxyProtocolEngine proxyProtocolEngine22) {
                        super(str22, selectionKey22, sSLEngine22, mode22, proxyProtocolEngine22);
                    }

                    protected int maybeReadAndProcessProxyHeaders() throws IOException {
                        this.proxyProtocolEngine.processHeaders(this.netReadBuffer);
                        return 60;
                    }
                };
            }
        };
        anonymousClass2.configure(new TestSecurityConfig(args.sslServerConfigs).values());
        this.server = new NioEchoServer(ListenerName.forSecurityProtocol(SecurityProtocol.SSL), SecurityProtocol.SSL, (AbstractConfig) new TestSecurityConfig(args.sslServerConfigs), "localhost", (ChannelBuilder) anonymousClass2, (CredentialCache) null, 100, time);
        this.server.start();
        createSelector(args.sslClientConfigs).connect(KafkaChannelTest.CHANNEL_ID, new InetSocketAddress("localhost", this.server.port()), BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.checkClientConnection(this.selector, KafkaChannelTest.CHANNEL_ID, 100, 10);
    }

    @ArgumentsSource(SslTransportLayerArgumentsProvider.class)
    @ParameterizedTest
    public void testHandleProxyProtocolBuffer(Args args) throws Exception {
        args.sslServerConfigs.put("ssl.client.auth", "required");
        SecurityProtocol securityProtocol = SecurityProtocol.SSL;
        this.server = NetworkTestUtils.createEchoServer(ListenerName.forSecurityProtocol(securityProtocol), securityProtocol, new TestSecurityConfig(args.sslServerConfigs), null, 0, time, null, new ProxyProtocolEngineFactory(ProxyProtocol.V2));
        InetSocketAddress inetSocketAddress = new InetSocketAddress("localhost", this.server.port());
        HashMap hashMap = new HashMap(args.sslClientConfigs);
        hashMap.put("confluent.proxy.protocol.client.address", "1.1.1.1");
        hashMap.put("confluent.proxy.protocol.client.port", 1111);
        hashMap.put("confluent.proxy.protocol.client.mode", ConfluentConfigs.PROXY_PROTOCOL_CLIENT_MODE_DEFAULT);
        Selector createSelector = createSelector(hashMap, new ProxyProtocolEngineFactory(ProxyProtocol.V2, hashMap, Mode.CLIENT, new LogContext()), null, null, null);
        Throwable th = null;
        try {
            try {
                createSelector.connect(KafkaChannelTest.CHANNEL_ID, inetSocketAddress, BUFFER_SIZE, BUFFER_SIZE);
                NetworkTestUtils.checkClientConnection(this.selector, KafkaChannelTest.CHANNEL_ID, 100, 10);
                if (createSelector != null) {
                    if (0 == 0) {
                        createSelector.close();
                        return;
                    }
                    try {
                        createSelector.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
            } catch (Throwable th3) {
                th = th3;
                throw th3;
            }
        } catch (Throwable th4) {
            if (createSelector != null) {
                if (th != null) {
                    try {
                        createSelector.close();
                    } catch (Throwable th5) {
                        th.addSuppressed(th5);
                    }
                } else {
                    createSelector.close();
                }
            }
            throw th4;
        }
    }

    private void verifyInvalidReconfigure(ListenerReconfigurable listenerReconfigurable, Map<String, Object> map, String str) {
        Assertions.assertThrows(KafkaException.class, () -> {
            listenerReconfigurable.validateReconfiguration(map);
        });
        Assertions.assertThrows(KafkaException.class, () -> {
            listenerReconfigurable.reconfigure(map);
        });
    }

    private Selector createSelector(Map<String, Object> map) {
        return createSelector(map, null, null, null);
    }

    private Selector createSelector(Map<String, Object> map, Integer num, Integer num2, Integer num3) {
        return createSelector(map, new ProxyProtocolEngineFactory(ProxyProtocol.NONE), num, num2, num3);
    }

    private Selector createSelector(Map<String, Object> map, ProxyProtocolEngineFactory proxyProtocolEngineFactory, Integer num, Integer num2, Integer num3) {
        TestSslChannelBuilder testSslChannelBuilder = new TestSslChannelBuilder(Mode.CLIENT, proxyProtocolEngineFactory);
        testSslChannelBuilder.configureBufferSizes(num, num2, num3);
        testSslChannelBuilder.configure(map);
        this.selector = new Selector(500000L, new Metrics(), time, "MetricGroup", testSslChannelBuilder, new LogContext());
        return this.selector;
    }

    private NioEchoServer createEchoServer(Args args, ListenerName listenerName, SecurityProtocol securityProtocol) throws Exception {
        return NetworkTestUtils.createEchoServer(listenerName, securityProtocol, new TestSecurityConfig(args.sslServerConfigs), (CredentialCache) null, time, (Optional<AuditLogProvider>) Optional.of(args.auditLogProvider));
    }

    private NioEchoServer createEchoServer(Args args, SecurityProtocol securityProtocol) throws Exception {
        return createEchoServer(args, ListenerName.forSecurityProtocol(securityProtocol), securityProtocol);
    }

    private Selector createSelector(Args args) {
        LogContext logContext = new LogContext();
        SslChannelBuilder sslChannelBuilder = new SslChannelBuilder(Mode.CLIENT, (ListenerName) null, false, logContext, new ProxyProtocolEngineFactory(ProxyProtocol.NONE));
        sslChannelBuilder.configure(args.sslClientConfigs);
        this.selector = new Selector(5000L, new Metrics(), time, "MetricGroup", sslChannelBuilder, logContext);
        return this.selector;
    }

    private void verifySslConfigs(Args args) throws Exception {
        this.server = createEchoServer(args, SecurityProtocol.SSL);
        createSelector(args.sslClientConfigs);
        this.selector.connect(KafkaChannelTest.CHANNEL_ID, new InetSocketAddress("localhost", this.server.port()), BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.checkClientConnection(this.selector, KafkaChannelTest.CHANNEL_ID, 100, 10);
    }

    private void verifySslConfigsWithHandshakeFailure(Args args) throws Exception {
        verifySslConfigsWithHandshakeFailure(args, 0);
    }

    private void verifySslConfigsWithHandshakeFailure(Args args, int i) throws Exception {
        this.server = createEchoServer(args, SecurityProtocol.SSL);
        createSelector(args.sslClientConfigs);
        this.selector.connect(KafkaChannelTest.CHANNEL_ID, new InetSocketAddress("localhost", this.server.port()), BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.waitForChannelClose(this.selector, KafkaChannelTest.CHANNEL_ID, ChannelState.State.AUTHENTICATION_FAILED, i);
        this.server.verifyAuthenticationMetrics(0, 1);
    }

    public static CertStores.Builder certBuilder(boolean z, String str, boolean z2) {
        return new CertStores.Builder(z).cn(str).usePem(z2);
    }

    private Supplier<ApiVersionsResponse> defaultApiVersionsSupplier() {
        return () -> {
            return TestUtils.defaultApiVersionsResponse(ApiMessageType.ListenerType.ZK_BROKER);
        };
    }

    private void verifyAuditLogEvent(Args args, boolean z) throws InterruptedException {
        TestUtils.waitForCondition(() -> {
            return args.auditLogProvider.authenticationEvents.size() == 1;
        }, "audit event not generated");
        AuthenticationEvent authenticationEvent = args.auditLogProvider.authenticationEvents.get(0);
        Assertions.assertNotNull(authenticationEvent.authenticationContext());
        if (z) {
            Assertions.assertEquals(AuditEventStatus.SUCCESS, authenticationEvent.status());
        } else {
            Assertions.assertEquals(AuditEventStatus.UNKNOWN_USER_DENIED, authenticationEvent.status());
            Assertions.assertTrue(authenticationEvent.authenticationException().isPresent());
        }
    }

    static {
    }
}
