package org.apache.kudu.client;

import java.nio.ByteBuffer;
import java.security.AccessController;
import java.security.KeyStore;
import java.util.ArrayList;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLEngineResult;
import javax.net.ssl.SSLException;
import javax.security.auth.Subject;
import org.apache.kudu.client.Negotiator;
import org.apache.kudu.rpc.RpcHeader;
import org.apache.kudu.security.Token;
import org.apache.kudu.shaded.com.google.common.collect.ImmutableList;
import org.apache.kudu.shaded.com.google.common.collect.Lists;
import org.apache.kudu.shaded.com.google.protobuf.ByteString;
import org.apache.kudu.shaded.com.google.protobuf.Message;
import org.apache.kudu.shaded.com.google.protobuf.TextFormat;
import org.apache.kudu.shaded.org.jboss.netty.buffer.ChannelBuffer;
import org.apache.kudu.shaded.org.jboss.netty.channel.ChannelUpstreamHandler;
import org.apache.kudu.shaded.org.jboss.netty.handler.codec.embedder.DecoderEmbedder;
import org.apache.kudu.shaded.org.jboss.netty.handler.ssl.SslHandler;
import org.apache.kudu.util.SecurityUtil;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/kudu/client/TestNegotiator.class */
public class TestNegotiator {
    private DecoderEmbedder<Object> embedder;
    private SecurityContext secContext;
    private SSLEngine serverEngine;
    private static final String CA_CERT_DER = "-----BEGIN CERTIFICATE-----\nMIIDXTCCAkWgAwIBAgIJAOOmFHYkBz4rMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwHhcNMTYxMTAyMjI0OTQ5WhcNMTcwMjEwMjI0OTQ5WjBFMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAppo9GwiDisQVYAF9NXl8ykqo0MIi5rfNwiE9kUWbZ2ejzxs+1Cf7WCn4mzbkJx5ZscRjhnNb6dJxtZJeid/qgiNVBcNzh35H8J+ao0tEbHjCs7rKOX0etsFUp4GQwYkdfpvVBsU8ciXvkxhvt1XjSU3/YJJRAvCyGVxUQlKiVKGCD4OnFNBwMdNw7qI8ryiRv++7I9udfSuM713yMeBtkkV7hWUfxrTgQOLsV/CS+TsSoOJ7JJqHozeZ+VYom85UqSfpIFJVzM6S7BTb6SX/vwYIoS70gubT3HbHgDRcMvpCye1npHL9fL7B87XZn7wnnUem0eeCqWyUjJ82Uj9mQQIDAQABo1AwTjAdBgNVHQ4EFgQUOY7rpWGoZMrmyRZ9RohPWVwyPBowHwYDVR0jBBgwFoAUOY7rpWGoZMrmyRZ9RohPWVwyPBowDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEATKh3io8ruqbhmopY3xQWA2pEhs4ZSu3H+AfULMruVsXKEZjWp27nTsFaxLZYUlzeZr0EcWwZ79qkcA8Dyj+mVHhrCAPpcjsDACh1ZdUQAgASkVS4VQvkukct3DFa3y0lz5VwQIxjoQR5y6dCvxxXT9NpRo/Z7pd4MRhEbz3NT6PScQ9f2MTrR0NOikLdB98JlpKQbEKxzbMhWDw4J3mrmK6zdemjdCcRDsBVPswKnyAjkibXaZkpNRzjvDNAgO88MKlArCYoyRZqIfkcSXAwwTdGQ+5GQLsY9zS49Rrhk9R7eOmDhaHybdRBDqW1JiCSmzURZAxlnrjox4GmC3JJaA==\n-----END CERTIFICATE-----";
    static final Logger LOG = LoggerFactory.getLogger(TestNegotiator.class);
    private static final char[] KEYSTORE_PASSWORD = "password".toCharArray();

    @Before
    public void setup() {
        this.serverEngine = createServerEngine();
        this.serverEngine.setUseClientMode(false);
        this.secContext = new SecurityContext(Subject.getSubject(AccessController.getContext()));
    }

    private void startNegotiation(boolean z) {
        ChannelUpstreamHandler negotiator = new Negotiator("127.0.0.1", this.secContext, false);
        ((Negotiator) negotiator).overrideLoopbackForTests = z;
        this.embedder = new DecoderEmbedder<>(new ChannelUpstreamHandler[]{negotiator});
        negotiator.sendHello(this.embedder.getPipeline().getChannel());
    }

    static CallResponse fakeResponse(RpcHeader.ResponseHeader responseHeader, Message message) {
        ChannelBuffer channelBuffer = KuduRpc.toChannelBuffer(responseHeader, message);
        return new CallResponse(channelBuffer.slice(4, channelBuffer.readableBytes() - 4));
    }

    KeyStore loadTestKeystore() throws Exception {
        KeyStore keyStore = KeyStore.getInstance("JKS");
        keyStore.load(TestNegotiator.class.getResourceAsStream("/test-key-and-cert.jks"), KEYSTORE_PASSWORD);
        return keyStore;
    }

    SSLEngine createServerEngine() {
        try {
            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
            keyManagerFactory.init(loadTestKeystore(), KEYSTORE_PASSWORD);
            SSLContext sSLContext = SSLContext.getInstance("TLS");
            sSLContext.init(keyManagerFactory.getKeyManagers(), null, null);
            return sSLContext.createSSLEngine();
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    private Negotiator.Success assertComplete() {
        RpcHeader.ConnectionContextPB body = ((RpcOutboundMessage) this.embedder.poll()).getBody();
        Assert.assertEquals(-3L, r0.getHeaderBuilder().getCallId());
        Assert.assertEquals(System.getProperty("user.name"), body.getDEPRECATEDUserInfo().getRealUser());
        Negotiator.Success success = (Negotiator.Success) this.embedder.poll();
        Assert.assertNotNull(success);
        return success;
    }

    @Test
    public void testChannelBinding() throws Exception {
        Assert.assertEquals(32L, SecurityUtil.getEndpointChannelBindings(loadTestKeystore().getCertificate("1")).length);
    }

    @Test
    public void testNegotiation() {
        startNegotiation(false);
        RpcHeader.NegotiatePB body = ((RpcOutboundMessage) this.embedder.poll()).getBody();
        Assert.assertEquals(-33L, r0.getHeaderBuilder().getCallId());
        Assert.assertEquals(RpcHeader.NegotiatePB.NegotiateStep.NEGOTIATE, body.getStep());
        this.embedder.offer(fakeResponse(RpcHeader.ResponseHeader.newBuilder().setCallId(-33).build(), RpcHeader.NegotiatePB.newBuilder().addSaslMechanisms(RpcHeader.NegotiatePB.SaslMechanism.newBuilder().setMechanism("PLAIN")).setStep(RpcHeader.NegotiatePB.NegotiateStep.NEGOTIATE).build()));
        RpcHeader.NegotiatePB body2 = ((RpcOutboundMessage) this.embedder.poll()).getBody();
        Assert.assertEquals(-33L, r0.getHeaderBuilder().getCallId());
        Assert.assertEquals(RpcHeader.NegotiatePB.NegotiateStep.SASL_INITIATE, body2.getStep());
        Assert.assertEquals(1L, body2.getSaslMechanismsCount());
        Assert.assertEquals("PLAIN", body2.getSaslMechanisms(0).getMechanism());
        Assert.assertTrue(body2.hasToken());
        this.embedder.offer(fakeResponse(RpcHeader.ResponseHeader.newBuilder().setCallId(-33).build(), RpcHeader.NegotiatePB.newBuilder().setStep(RpcHeader.NegotiatePB.NegotiateStep.SASL_SUCCESS).build()));
        assertComplete();
    }

    private static void runTasks(SSLEngineResult sSLEngineResult, SSLEngine sSLEngine) {
        if (sSLEngineResult.getHandshakeStatus() != SSLEngineResult.HandshakeStatus.NEED_TASK) {
            return;
        }
        while (true) {
            Runnable delegatedTask = sSLEngine.getDelegatedTask();
            if (delegatedTask == null) {
                return;
            } else {
                delegatedTask.run();
            }
        }
    }

    private static CallResponse runServerStep(SSLEngine sSLEngine, ByteString byteString) throws SSLException {
        LOG.debug("Handling TLS message from client: {}", Bytes.hex(byteString.toByteArray()));
        ByteBuffer allocate = ByteBuffer.allocate(sSLEngine.getSession().getPacketBufferSize());
        ByteBuffer asReadOnlyByteBuffer = byteString.asReadOnlyByteBuffer();
        do {
            runTasks(sSLEngine.unwrap(asReadOnlyByteBuffer, allocate), sSLEngine);
        } while (sSLEngine.getHandshakeStatus() == SSLEngineResult.HandshakeStatus.NEED_UNWRAP);
        if (sSLEngine.getHandshakeStatus() != SSLEngineResult.HandshakeStatus.NEED_WRAP) {
            if (sSLEngine.getHandshakeStatus() == SSLEngineResult.HandshakeStatus.NOT_HANDSHAKING) {
                return null;
            }
            throw new AssertionError("unexpected state: " + sSLEngine.getHandshakeStatus());
        }
        ArrayList newArrayList = Lists.newArrayList();
        while (sSLEngine.getHandshakeStatus() == SSLEngineResult.HandshakeStatus.NEED_WRAP) {
            allocate.clear();
            runTasks(sSLEngine.wrap(ByteBuffer.allocate(0), allocate), sSLEngine);
            allocate.flip();
            newArrayList.add(ByteString.copyFrom(allocate));
        }
        return fakeResponse(RpcHeader.ResponseHeader.newBuilder().setCallId(-33).build(), RpcHeader.NegotiatePB.newBuilder().setTlsHandshake(ByteString.copyFrom(newArrayList)).setStep(RpcHeader.NegotiatePB.NegotiateStep.TLS_HANDSHAKE).build());
    }

    private void runTlsHandshake() throws SSLException {
        RpcHeader.NegotiatePB body = ((RpcOutboundMessage) this.embedder.poll()).getBody();
        Assert.assertEquals(RpcHeader.NegotiatePB.NegotiateStep.TLS_HANDSHAKE, body.getStep());
        this.embedder.offer(runServerStep(this.serverEngine, body.getTlsHandshake()));
        RpcHeader.NegotiatePB body2 = ((RpcOutboundMessage) this.embedder.poll()).getBody();
        Assert.assertEquals(RpcHeader.NegotiatePB.NegotiateStep.TLS_HANDSHAKE, body2.getStep());
        this.embedder.offer(runServerStep(this.serverEngine, body2.getTlsHandshake()));
    }

    @Test
    public void testTlsNegotiation() throws Exception {
        startNegotiation(false);
        RpcHeader.NegotiatePB body = ((RpcOutboundMessage) this.embedder.poll()).getBody();
        Assert.assertEquals(RpcHeader.NegotiatePB.NegotiateStep.NEGOTIATE, body.getStep());
        Assert.assertTrue(body.getSupportedFeaturesList().contains(RpcHeader.RpcFeatureFlag.TLS));
        this.embedder.offer(fakeResponse(RpcHeader.ResponseHeader.newBuilder().setCallId(-33).build(), RpcHeader.NegotiatePB.newBuilder().addSaslMechanisms(RpcHeader.NegotiatePB.SaslMechanism.newBuilder().setMechanism("PLAIN")).addSupportedFeatures(RpcHeader.RpcFeatureFlag.TLS).setStep(RpcHeader.NegotiatePB.NegotiateStep.NEGOTIATE).build()));
        runTlsHandshake();
        Assert.assertTrue(this.embedder.getPipeline().getFirst() instanceof SslHandler);
        Assert.assertEquals(RpcHeader.NegotiatePB.NegotiateStep.SASL_INITIATE, ((RpcOutboundMessage) this.embedder.poll()).getBody().getStep());
    }

    @Test
    public void testTlsNegotiationAuthOnly() throws Exception {
        startNegotiation(true);
        RpcHeader.NegotiatePB body = ((RpcOutboundMessage) this.embedder.poll()).getBody();
        Assert.assertEquals(RpcHeader.NegotiatePB.NegotiateStep.NEGOTIATE, body.getStep());
        Assert.assertTrue(body.getSupportedFeaturesList().contains(RpcHeader.RpcFeatureFlag.TLS));
        Assert.assertTrue(body.getSupportedFeaturesList().contains(RpcHeader.RpcFeatureFlag.TLS_AUTHENTICATION_ONLY));
        this.embedder.offer(fakeResponse(RpcHeader.ResponseHeader.newBuilder().setCallId(-33).build(), RpcHeader.NegotiatePB.newBuilder().addSaslMechanisms(RpcHeader.NegotiatePB.SaslMechanism.newBuilder().setMechanism("PLAIN")).addSupportedFeatures(RpcHeader.RpcFeatureFlag.TLS).addSupportedFeatures(RpcHeader.RpcFeatureFlag.TLS_AUTHENTICATION_ONLY).setStep(RpcHeader.NegotiatePB.NegotiateStep.NEGOTIATE).build()));
        runTlsHandshake();
        Assert.assertFalse(this.embedder.getPipeline().getFirst() instanceof SslHandler);
        Assert.assertEquals(RpcHeader.NegotiatePB.NegotiateStep.SASL_INITIATE, ((RpcOutboundMessage) this.embedder.poll()).getBody().getStep());
    }

    @Test
    public void testNoTokenAuthWhenNoTrustedCerts() throws Exception {
        this.secContext.setAuthenticationToken(Token.SignedTokenPB.getDefaultInstance());
        startNegotiation(false);
        Assert.assertEquals("supported_features: APPLICATION_FEATURE_FLAGS supported_features: TLS step: NEGOTIATE authn_types { sasl { } }", TextFormat.shortDebugString(((RpcOutboundMessage) this.embedder.poll()).getBody()));
    }

    @Test
    public void testTokenAuthWithTrustedCerts() throws Exception {
        this.secContext.trustCertificates(ImmutableList.of(ByteString.copyFromUtf8(CA_CERT_DER)));
        this.secContext.setAuthenticationToken(Token.SignedTokenPB.getDefaultInstance());
        startNegotiation(false);
        Assert.assertEquals("supported_features: APPLICATION_FEATURE_FLAGS supported_features: TLS step: NEGOTIATE authn_types { sasl { } } authn_types { token { } }", TextFormat.shortDebugString(((RpcOutboundMessage) this.embedder.poll()).getBody()));
        this.embedder.offer(fakeResponse(RpcHeader.ResponseHeader.newBuilder().setCallId(-33).build(), RpcHeader.NegotiatePB.newBuilder().addSupportedFeatures(RpcHeader.RpcFeatureFlag.TLS).addAuthnTypes(RpcHeader.AuthenticationTypePB.newBuilder().setToken(RpcHeader.AuthenticationTypePB.Token.getDefaultInstance())).setStep(RpcHeader.NegotiatePB.NegotiateStep.NEGOTIATE).build()));
        runTlsHandshake();
        Assert.assertEquals("step: TOKEN_EXCHANGE authn_token { }", TextFormat.shortDebugString(((RpcOutboundMessage) this.embedder.poll()).getBody()));
        this.embedder.offer(fakeResponse(RpcHeader.ResponseHeader.newBuilder().setCallId(-33).build(), RpcHeader.NegotiatePB.newBuilder().setStep(RpcHeader.NegotiatePB.NegotiateStep.TOKEN_EXCHANGE).build()));
        assertComplete();
    }
}
