package org.apache.hadoop.ozone;

import java.io.File;
import java.io.IOException;
import java.nio.file.Paths;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.cert.CertificateExpiredException;
import java.time.Duration;
import java.time.LocalDateTime;
import java.time.temporal.TemporalAmount;
import java.util.ArrayList;
import java.util.concurrent.Callable;
import org.apache.commons.io.FileUtils;
import org.apache.hadoop.fs.FileUtil;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.hdds.protocol.DatanodeDetails;
import org.apache.hadoop.hdds.protocol.MockDatanodeDetails;
import org.apache.hadoop.hdds.protocol.proto.HddsProtos;
import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos;
import org.apache.hadoop.hdds.protocolPB.SCMSecurityProtocolClientSideTranslatorPB;
import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.client.DNCertificateClient;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec;
import org.apache.hadoop.hdds.security.x509.certificate.utils.SelfSignedCertificate;
import org.apache.hadoop.hdds.security.x509.keys.KeyCodec;
import org.apache.hadoop.ozone.TestHddsDatanodeService;
import org.apache.hadoop.security.ssl.KeyStoreTestUtil;
import org.apache.hadoop.util.ServicePlugin;
import org.apache.ozone.test.GenericTestUtils;
import org.apache.ozone.test.tag.Flaky;
import org.bouncycastle.cert.X509CertificateHolder;
import org.junit.jupiter.api.AfterAll;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.mockito.ArgumentMatchers;
import org.mockito.Mockito;

/* loaded from: input_file:org/apache/hadoop/ozone/TestHddsSecureDatanodeInit.class */
public class TestHddsSecureDatanodeInit {
    private static File testDir;
    private static OzoneConfiguration conf;
    private static HddsDatanodeService service;
    private static String[] args = new String[0];
    private static PrivateKey privateKey;
    private static PublicKey publicKey;
    private static GenericTestUtils.LogCapturer dnLogs;
    private static SecurityConfig securityConfig;
    private static KeyCodec keyCodec;
    private static CertificateCodec certCodec;
    private static X509CertificateHolder certHolder;
    private static final String DN_COMPONENT = "dn";
    private static final int CERT_LIFETIME = 15;
    private DNCertificateClient client;
    private static DatanodeDetails datanodeDetails;
    private static SCMSecurityProtocolClientSideTranslatorPB scmClient;

    @BeforeAll
    public static void setUp() throws Exception {
        testDir = GenericTestUtils.getRandomizedTestDir();
        conf = new OzoneConfiguration();
        conf.set("ozone.metadata.dirs", testDir.getPath());
        conf.set("dfs.datanode.data.dir", testDir + "/disk1");
        conf.setBoolean("ozone.security.enabled", true);
        conf.setClass("hdds.datanode.plugins", TestHddsDatanodeService.MockService.class, ServicePlugin.class);
        conf.set("hdds.x509.renew.grace.duration", "PT5S");
        conf.set("hdds.x509.ca.rotation.check.interval", "PT1S");
        conf.setBoolean("hdds.x509.grace.duration.token.checks.enabled", false);
        conf.set("hdds.x509.ca.rotation.ack.timeout", "PT1S");
        securityConfig = new SecurityConfig(conf);
        service = new HddsDatanodeService(args) { // from class: org.apache.hadoop.ozone.TestHddsSecureDatanodeInit.1
            SCMSecurityProtocolClientSideTranslatorPB createScmSecurityClient() throws IOException {
                return (SCMSecurityProtocolClientSideTranslatorPB) Mockito.mock(SCMSecurityProtocolClientSideTranslatorPB.class);
            }
        };
        callQuietly(() -> {
            service.start(conf);
            return null;
        });
        callQuietly(() -> {
            service.initializeCertificateClient(service.getCertificateClient());
            return null;
        });
        dnLogs = GenericTestUtils.LogCapturer.captureLogs(service.getCertificateClient().getLogger());
        certCodec = new CertificateCodec(securityConfig, DN_COMPONENT);
        keyCodec = new KeyCodec(securityConfig, DN_COMPONENT);
        dnLogs.clearOutput();
        privateKey = service.getCertificateClient().getPrivateKey();
        publicKey = service.getCertificateClient().getPublicKey();
        certHolder = generateX509CertHolder(new KeyPair(publicKey, privateKey), null, Duration.ofSeconds(15L));
        datanodeDetails = MockDatanodeDetails.randomDatanodeDetails();
        scmClient = (SCMSecurityProtocolClientSideTranslatorPB) Mockito.mock(SCMSecurityProtocolClientSideTranslatorPB.class);
    }

    @AfterAll
    public static void tearDown() {
        FileUtil.fullyDelete(testDir);
    }

    @BeforeEach
    public void setUpDNCertClient() throws IOException {
        FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation(DN_COMPONENT).toString(), securityConfig.getPrivateKeyFileName()).toFile());
        FileUtils.deleteQuietly(Paths.get(securityConfig.getKeyLocation(DN_COMPONENT).toString(), securityConfig.getPublicKeyFileName()).toFile());
        FileUtils.deleteQuietly(Paths.get(securityConfig.getCertificateLocation(DN_COMPONENT).toString(), securityConfig.getCertificateFileName()).toFile());
        dnLogs.clearOutput();
        this.client = new DNCertificateClient(securityConfig, scmClient, datanodeDetails, certHolder.getSerialNumber().toString(), str -> {
        }, (Runnable) null);
    }

    @AfterEach
    public void tearDownClient() throws IOException {
        this.client.close();
    }

    @Test
    public void testSecureDnStartupCase0() {
        Assertions.assertThrows(Exception.class, () -> {
            service.initializeCertificateClient(this.client);
        });
        Assertions.assertNotNull(this.client.getPrivateKey());
        Assertions.assertNotNull(this.client.getPublicKey());
        Assertions.assertNull(this.client.getCertificate());
        Assertions.assertTrue(dnLogs.getOutput().contains("Init response: GETCERT"));
    }

    @Test
    public void testSecureDnStartupCase1() throws Exception {
        certCodec.writeCertificate(certHolder);
        Assertions.assertTrue(((RuntimeException) Assertions.assertThrows(RuntimeException.class, () -> {
            service.initializeCertificateClient(this.client);
        })).getMessage().contains("DN security initialization failed"));
        Assertions.assertNull(this.client.getPrivateKey());
        Assertions.assertNull(this.client.getPublicKey());
        Assertions.assertNotNull(this.client.getCertificate());
        Assertions.assertTrue(dnLogs.getOutput().contains("Init response: FAILURE"));
    }

    @Test
    public void testSecureDnStartupCase2() throws Exception {
        keyCodec.writePublicKey(publicKey);
        Assertions.assertTrue(((RuntimeException) Assertions.assertThrows(RuntimeException.class, () -> {
            service.initializeCertificateClient(this.client);
        })).getMessage().contains("DN security initialization failed"));
        Assertions.assertNull(this.client.getPrivateKey());
        Assertions.assertNotNull(this.client.getPublicKey());
        Assertions.assertNull(this.client.getCertificate());
        Assertions.assertTrue(dnLogs.getOutput().contains("Init response: FAILURE"));
    }

    @Test
    public void testSecureDnStartupCase3() throws Exception {
        keyCodec.writePublicKey(publicKey);
        certCodec.writeCertificate(certHolder);
        Assertions.assertTrue(((RuntimeException) Assertions.assertThrows(RuntimeException.class, () -> {
            service.initializeCertificateClient(this.client);
        })).getMessage().contains("DN security initialization failed"));
        Assertions.assertNull(this.client.getPrivateKey());
        Assertions.assertNotNull(this.client.getPublicKey());
        Assertions.assertNotNull(this.client.getCertificate());
        Assertions.assertTrue(dnLogs.getOutput().contains("Init response: FAILURE"));
    }

    @Test
    public void testSecureDnStartupCase4() throws Exception {
        keyCodec.writePrivateKey(privateKey);
        String pEMEncodedString = CertificateCodec.getPEMEncodedString(generateX509CertHolder(null, null, Duration.ofSeconds(15L)));
        Mockito.when(scmClient.getDataNodeCertificateChain((HddsProtos.DatanodeDetailsProto) ArgumentMatchers.anyObject(), ArgumentMatchers.anyString())).thenReturn(SCMSecurityProtocolProtos.SCMGetCertResponseProto.newBuilder().setResponseCode(SCMSecurityProtocolProtos.SCMGetCertResponseProto.ResponseCode.success).setX509Certificate(pEMEncodedString).setX509CACertificate(pEMEncodedString).build());
        service.initializeCertificateClient(this.client);
        Assertions.assertNotNull(this.client.getPrivateKey());
        Assertions.assertNotNull(this.client.getPublicKey());
        Assertions.assertNotNull(this.client.getCertificate());
        Assertions.assertTrue(dnLogs.getOutput().contains("Init response: GETCERT"));
        dnLogs.clearOutput();
        Mockito.when(scmClient.getDataNodeCertificateChain((HddsProtos.DatanodeDetailsProto) ArgumentMatchers.anyObject(), ArgumentMatchers.anyString())).thenReturn((Object) null);
    }

    @Test
    public void testSecureDnStartupCase5() throws Exception {
        certCodec.writeCertificate(certHolder);
        keyCodec.writePrivateKey(privateKey);
        service.initializeCertificateClient(this.client);
        Assertions.assertNotNull(this.client.getPrivateKey());
        Assertions.assertNotNull(this.client.getPublicKey());
        Assertions.assertNotNull(this.client.getCertificate());
        Assertions.assertTrue(dnLogs.getOutput().contains("Init response: SUCCESS"));
    }

    @Test
    public void testSecureDnStartupCase6() throws Exception {
        keyCodec.writePublicKey(publicKey);
        keyCodec.writePrivateKey(privateKey);
        Assertions.assertThrows(Exception.class, () -> {
            service.initializeCertificateClient(this.client);
        });
        Assertions.assertNotNull(this.client.getPrivateKey());
        Assertions.assertNotNull(this.client.getPublicKey());
        Assertions.assertNull(this.client.getCertificate());
        Assertions.assertTrue(dnLogs.getOutput().contains("Init response: GETCERT"));
    }

    @Test
    public void testSecureDnStartupCase7() throws Exception {
        keyCodec.writePublicKey(publicKey);
        keyCodec.writePrivateKey(privateKey);
        certCodec.writeCertificate(certHolder);
        service.initializeCertificateClient(this.client);
        Assertions.assertNotNull(this.client.getPrivateKey());
        Assertions.assertNotNull(this.client.getPublicKey());
        Assertions.assertNotNull(this.client.getCertificate());
        Assertions.assertTrue(dnLogs.getOutput().contains("Init response: SUCCESS"));
    }

    public static void callQuietly(Callable callable) {
        try {
            callable.call();
        } catch (Throwable th) {
            th.printStackTrace();
        }
    }

    @Test
    public void testCertificateRotation() throws Exception {
        certCodec.writeCertificate(certHolder);
        X509CertificateHolder generateX509CertHolder = generateX509CertHolder(null, LocalDateTime.now().plus((TemporalAmount) securityConfig.getRenewalGracePeriod()), Duration.ofSeconds(15L));
        String pEMEncodedString = CertificateCodec.getPEMEncodedString(generateX509CertHolder);
        Mockito.when(scmClient.getDataNodeCertificateChain((HddsProtos.DatanodeDetailsProto) ArgumentMatchers.anyObject(), ArgumentMatchers.anyString())).thenReturn(SCMSecurityProtocolProtos.SCMGetCertResponseProto.newBuilder().setResponseCode(SCMSecurityProtocolProtos.SCMGetCertResponseProto.ResponseCode.success).setX509Certificate(pEMEncodedString).setX509CACertificate(pEMEncodedString).setX509RootCACertificate(pEMEncodedString).build());
        ArrayList arrayList = new ArrayList();
        arrayList.add(pEMEncodedString);
        Mockito.when(scmClient.getAllRootCaCertificates()).thenReturn(arrayList);
        String bigInteger = generateX509CertHolder.getSerialNumber().toString();
        Assertions.assertFalse(bigInteger.equals(this.client.getCertificate().getSerialNumber().toString()));
        this.client.startCertificateRenewerService();
        GenericTestUtils.waitFor(() -> {
            return this.client.getCertificate().getSerialNumber().toString().equals(bigInteger);
        }, 1000, 15000);
        PrivateKey privateKey2 = this.client.getPrivateKey();
        PublicKey publicKey2 = this.client.getPublicKey();
        String bigInteger2 = this.client.getCACertificate().getSerialNumber().toString();
        String bigInteger3 = this.client.getRootCACertificate().getSerialNumber().toString();
        X509CertificateHolder generateX509CertHolder2 = generateX509CertHolder(null, null, Duration.ofSeconds(15L));
        arrayList.remove(pEMEncodedString);
        String pEMEncodedString2 = CertificateCodec.getPEMEncodedString(generateX509CertHolder2);
        Mockito.when(scmClient.getDataNodeCertificateChain((HddsProtos.DatanodeDetailsProto) ArgumentMatchers.anyObject(), ArgumentMatchers.anyString())).thenReturn(SCMSecurityProtocolProtos.SCMGetCertResponseProto.newBuilder().setResponseCode(SCMSecurityProtocolProtos.SCMGetCertResponseProto.ResponseCode.success).setX509Certificate(pEMEncodedString2).setX509CACertificate(pEMEncodedString2).setX509RootCACertificate(pEMEncodedString2).build());
        arrayList.add(pEMEncodedString2);
        Mockito.when(scmClient.getAllRootCaCertificates()).thenReturn(arrayList);
        String bigInteger4 = generateX509CertHolder2.getSerialNumber().toString();
        GenericTestUtils.waitFor(() -> {
            return this.client.getCertificate().getSerialNumber().toString().equals(bigInteger4);
        }, 1000, 15000);
        Assertions.assertFalse(this.client.getPrivateKey().equals(privateKey2));
        Assertions.assertFalse(this.client.getPublicKey().equals(publicKey2));
        Assertions.assertFalse(this.client.getCACertificate().getSerialNumber().toString().equals(bigInteger2));
        Assertions.assertFalse(this.client.getRootCACertificate().getSerialNumber().toString().equals(bigInteger3));
    }

    @Flaky({"HDDS-8873"})
    @Test
    public void testCertificateRotationRecoverableFailure() throws Exception {
        certCodec.writeCertificate(certHolder);
        X509CertificateHolder generateX509CertHolder = generateX509CertHolder(null, LocalDateTime.now().plus((TemporalAmount) securityConfig.getRenewalGracePeriod()), Duration.ofSeconds(15L));
        Mockito.when(scmClient.getDataNodeCertificateChain((HddsProtos.DatanodeDetailsProto) ArgumentMatchers.anyObject(), ArgumentMatchers.anyString())).thenReturn(SCMSecurityProtocolProtos.SCMGetCertResponseProto.newBuilder().setResponseCode(SCMSecurityProtocolProtos.SCMGetCertResponseProto.ResponseCode.success).setX509Certificate(CertificateCodec.getPEMEncodedString(generateX509CertHolder)).build());
        String bigInteger = generateX509CertHolder.getSerialNumber().toString();
        Assertions.assertFalse(bigInteger.equals(this.client.getCertificate().getSerialNumber().toString()));
        this.client.startCertificateRenewerService();
        Thread.sleep(15000L);
        Assertions.assertFalse(bigInteger.equals(this.client.getCertificate().getSerialNumber().toString()));
        try {
            this.client.getCertificate().checkValidity();
        } catch (Exception e) {
            Assertions.assertTrue(e instanceof CertificateExpiredException);
        }
        X509CertificateHolder generateX509CertHolder2 = generateX509CertHolder(null, null, Duration.ofSeconds(15L));
        String pEMEncodedString = CertificateCodec.getPEMEncodedString(generateX509CertHolder2);
        Mockito.when(scmClient.getDataNodeCertificateChain((HddsProtos.DatanodeDetailsProto) ArgumentMatchers.anyObject(), ArgumentMatchers.anyString())).thenReturn(SCMSecurityProtocolProtos.SCMGetCertResponseProto.newBuilder().setResponseCode(SCMSecurityProtocolProtos.SCMGetCertResponseProto.ResponseCode.success).setX509Certificate(pEMEncodedString).setX509CACertificate(pEMEncodedString).build());
        String bigInteger2 = generateX509CertHolder2.getSerialNumber().toString();
        GenericTestUtils.waitFor(() -> {
            return this.client.getCertificate().getSerialNumber().toString().equals(bigInteger2);
        }, 1000, 15000);
    }

    private static X509CertificateHolder generateX509CertHolder(KeyPair keyPair, LocalDateTime localDateTime, Duration duration) throws Exception {
        if (keyPair == null) {
            keyPair = KeyStoreTestUtil.generateKeyPair("RSA");
        }
        LocalDateTime now = localDateTime == null ? LocalDateTime.now() : localDateTime;
        return SelfSignedCertificate.newBuilder().setBeginDate(now).setEndDate(now.plus((TemporalAmount) duration)).setClusterID("cluster").setKey(keyPair).setSubject("localhost").setConfiguration(securityConfig).setScmID("test").build();
    }
}
