package org.apache.hadoop.hdds.security.x509.certificate.authority;

import java.io.IOException;
import java.math.BigInteger;
import java.nio.file.Paths;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.time.LocalDate;
import java.time.ZoneId;
import java.time.chrono.ChronoLocalDate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.Future;
import junit.framework.TestCase;
import org.apache.commons.lang3.RandomStringUtils;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.hdds.protocol.proto.HddsProtos;
import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateApprover;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateServer;
import org.apache.hadoop.hdds.security.x509.certificate.authority.DefaultCAServer;
import org.apache.hadoop.hdds.security.x509.certificate.authority.PKIProfiles.DefaultProfile;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.hdds.security.x509.certificate.client.SCMCertificateClient;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec;
import org.apache.hadoop.hdds.security.x509.certificates.utils.CertificateSignRequest;
import org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator;
import org.apache.ozone.test.LambdaTestUtils;
import org.bouncycastle.asn1.x509.CRLReason;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.TemporaryFolder;

/* loaded from: input_file:org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultCAServer.class */
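/**
 * Unit tests for {@link DefaultCAServer}.
 *
 * <p>Covers bootstrapping a self-signed root CA, the start-up verification that
 * refuses to run with an incomplete key/certificate store, issuing certificates
 * from CSRs (including the scmId/clusterId subject check), revoking issued
 * certificates, and chaining an intermediary CA off a root CA.
 *
 * <p>Each test method gets its own {@link OzoneConfiguration} and
 * {@link MockCAStore} from {@link #init()}, so a setting changed by one test
 * (e.g. the maximum certificate lifetime in {@link #testIntermediaryCA()})
 * cannot leak into another test method.
 */
public class TestDefaultCAServer {
    /** Subject of the CA under test; some tests also use it as the leaf-cert subject. */
    private static final String TEST_CA_SUBJECT = "testCA";
    /** DNS and IP subject-alternative names placed in every test CSR (fixture values only). */
    private static final String CSR_DNS_NAME = "hadoop.apache.org";
    private static final String CSR_IP_ADDRESS = "8.8.8.8";

    @Rule
    public TemporaryFolder temporaryFolder = new TemporaryFolder();

    // Per-test configuration; rebuilt in init() rather than shared statically.
    private OzoneConfiguration conf;
    private MockCAStore caStore;

    @Before
    public void init() throws IOException {
        // A fresh configuration per test keeps per-test overrides (see
        // testIntermediaryCA) from being visible to the other test methods.
        conf = new OzoneConfiguration();
        conf.set("ozone.metadata.dirs", temporaryFolder.newFolder().toString());
        caStore = new MockCAStore();
    }

    /** Random four-letter scmId / clusterId, as the tests use for the CA identity. */
    private static String randomId() {
        return RandomStringUtils.randomAlphabetic(4);
    }

    /** Component path under which the CA keeps its key and certificate material. */
    private static String defaultCAComponent() {
        return Paths.get("scm", "ca").toString();
    }

    /** CA server for the given identity, stored under the default scm/ca component path. */
    private DefaultCAServer newCAServer(String subject, String clusterId, String scmId) {
        return newCAServer(subject, clusterId, scmId, defaultCAComponent());
    }

    /** CA server for the given identity, stored under an explicit component path. */
    private DefaultCAServer newCAServer(String subject, String clusterId, String scmId,
        String component) {
        return new DefaultCAServer(subject, clusterId, scmId, caStore, new DefaultProfile(),
            component);
    }

    /**
     * CSR builder carrying the fixed SANs, a freshly generated key and
     * {@code CA=false}; callers add scmId/clusterId where a test needs them.
     */
    private CertificateSignRequest.Builder csrBuilder(String subject)
        throws IOException, NoSuchProviderException, NoSuchAlgorithmException {
        return new CertificateSignRequest.Builder()
            .addDnsName(CSR_DNS_NAME)
            .addIpAddress(CSR_IP_ADDRESS)
            .setCA(false)
            .setSubject(subject)
            .setConfiguration(conf)
            .setKey(new HDDSKeyGenerator(conf).generateKey());
    }

    /**
     * Forces a start-up verification status on a fresh CA and asserts that the
     * resulting action refuses to bring the CA up with an
     * {@link IllegalStateException} naming the missing material, rather than
     * silently regenerating it.
     */
    private void assertStartupRefused(DefaultCAServer.VerificationStatus status,
        String expectedMessageFragment) {
        DefaultCAServer server = newCAServer(TEST_CA_SUBJECT, randomId(), randomId());
        try {
            server.processVerificationStatus(status, CertificateServer.CAType.SELF_SIGNED_CA)
                .accept(new SecurityConfig(conf));
            Assert.fail("code should not reach here, exception should have been thrown.");
        } catch (IllegalStateException e) {
            Assert.assertTrue("unexpected failure: " + e,
                e.toString().contains(expectedMessageFragment));
        }
    }

    /** A root CA can be bootstrapped and re-initialised; re-init must keep the same CA cert. */
    @Test
    public void testInit() throws SCMSecurityException, CertificateException, IOException {
        SecurityConfig securityConfig = new SecurityConfig(conf);
        DefaultCAServer server = newCAServer(TEST_CA_SUBJECT, randomId(), randomId());
        server.init(securityConfig, CertificateServer.CAType.SELF_SIGNED_CA);
        X509CertificateHolder caCert = server.getCACertificate();
        Assert.assertNotNull(caCert);

        // A second init on an already bootstrapped store must reuse, not replace, the root cert.
        server.init(securityConfig, CertificateServer.CAType.SELF_SIGNED_CA);
        Assert.assertEquals(caCert, server.getCACertificate());
    }

    /** Keys present but no root certificate: the CA must refuse to start. */
    @Test
    public void testMissingCertificate() {
        assertStartupRefused(DefaultCAServer.VerificationStatus.MISSING_CERTIFICATE,
            "Missing Root Certs");
    }

    /** Root certificate present but no keys: the CA must refuse to start. */
    @Test
    public void testMissingKey() {
        assertStartupRefused(DefaultCAServer.VerificationStatus.MISSING_KEYS, "Missing Keys");
    }

    /** A CSR whose scmId/clusterId match the CA's identity is issued an SCM certificate. */
    @Test
    public void testRequestCertificate() throws IOException, ExecutionException,
        InterruptedException, NoSuchProviderException, NoSuchAlgorithmException {
        String scmId = randomId();
        String clusterId = randomId();
        String csr = CertificateSignRequest.getEncodedString(
            csrBuilder("Ozone Cluster")
                .addServiceName("OzoneMarketingCluster002")
                .setClusterID(clusterId)
                .setScmID(scmId)
                .build());
        DefaultCAServer server = newCAServer(TEST_CA_SUBJECT, clusterId, scmId);
        server.init(new SecurityConfig(conf), CertificateServer.CAType.SELF_SIGNED_CA);

        // TESTING_AUTOMATIC approval completes synchronously: the future is done on return.
        Future<X509CertificateHolder> issued = server.requestCertificate(csr,
            CertificateApprover.ApprovalType.TESTING_AUTOMATIC, HddsProtos.NodeType.SCM);
        Assert.assertTrue(issued.isDone());
        Assert.assertNotNull(issued.get());
    }

    /**
     * A CSR that carries no scmId/clusterId at all is still issued for an OM node.
     * Read together with {@link #testRequestCertificateWithInvalidSubjectFailure()},
     * the subject identity check apparently applies only when the CSR carries
     * those fields.
     */
    @Test
    public void testRequestCertificateWithInvalidSubject() throws IOException,
        ExecutionException, InterruptedException, NoSuchProviderException,
        NoSuchAlgorithmException {
        String csr = CertificateSignRequest.getEncodedString(csrBuilder("Ozone Cluster").build());
        DefaultCAServer server = newCAServer(TEST_CA_SUBJECT, randomId(), randomId());
        server.init(new SecurityConfig(conf), CertificateServer.CAType.SELF_SIGNED_CA);

        Future<X509CertificateHolder> issued = server.requestCertificate(csr,
            CertificateApprover.ApprovalType.TESTING_AUTOMATIC, HddsProtos.NodeType.OM);
        Assert.assertTrue(issued.isDone());
        Assert.assertNotNull(issued.get());
    }

    /** An issued certificate can be revoked by serial; an empty revocation list is rejected. */
    @Test
    public void testRevokeCertificates() throws Exception {
        String clusterId = randomId();
        String scmId = randomId();
        Date revocationTime = new Date();
        DefaultCAServer server = newCAServer(TEST_CA_SUBJECT, clusterId, scmId);
        server.init(new SecurityConfig(conf), CertificateServer.CAType.SELF_SIGNED_CA);

        X509CertificateHolder issued = server.requestCertificate(
            CertificateSignRequest.getEncodedString(csrBuilder(TEST_CA_SUBJECT).build()),
            CertificateApprover.ApprovalType.TESTING_AUTOMATIC, HddsProtos.NodeType.OM).get();
        X509Certificate certificate = new JcaX509CertificateConverter().getCertificate(issued);

        // CRL reason code 1 is keyCompromise (RFC 5280).
        List<BigInteger> serials = new ArrayList<>();
        serials.add(certificate.getSerialNumber());
        Assert.assertTrue(
            server.revokeCertificates(serials, CRLReason.lookup(1), revocationTime).isDone());

        // The server's rejection of an empty list surfaces as the cause of the
        // ExecutionException thrown by get().
        LambdaTestUtils.intercept(ExecutionException.class, "Certificates cannot be null", () -> {
            Future<?> rejected = server.revokeCertificates(Collections.emptyList(),
                CRLReason.lookup(1), revocationTime);
            rejected.get();
        });
    }

    /** A CSR whose scmId/clusterId do not match the CA's identity is rejected. */
    @Test
    public void testRequestCertificateWithInvalidSubjectFailure() throws Exception {
        String csr = CertificateSignRequest.getEncodedString(
            csrBuilder("Ozone Cluster")
                .setScmID("wrong one")
                .setClusterID("223432rf")
                .build());
        DefaultCAServer server = newCAServer(TEST_CA_SUBJECT, randomId(), randomId());
        server.init(new SecurityConfig(conf), CertificateServer.CAType.SELF_SIGNED_CA);

        // The rejection surfaces as the cause of the ExecutionException thrown by get().
        LambdaTestUtils.intercept(ExecutionException.class,
            "ScmId and ClusterId in CSR subject are incorrect", () -> {
                Future<X509CertificateHolder> rejected = server.requestCertificate(csr,
                    CertificateApprover.ApprovalType.TESTING_AUTOMATIC, HddsProtos.NodeType.OM);
                rejected.get();
            });
    }

    /** An intermediary CA whose component path holds no CA material must refuse to init. */
    @Test(expected = IllegalStateException.class)
    public void testIntermediaryCAWithEmpty() throws Exception {
        newCAServer(TEST_CA_SUBJECT, randomId(), randomId(), Paths.get("scm").toString())
            .init(new SecurityConfig(conf), CertificateServer.CAType.INTERMEDIARY_CA);
    }

    /**
     * Root CA issues an SCM certificate; once that certificate and the root are
     * in the SCM client's store, an intermediary CA rooted there initialises.
     */
    @Test
    public void testIntermediaryCA() throws Exception {
        // Raise the max lifetime so the issued certificate's notAfter lands ten years out.
        conf.set("hdds.x509.max.duration", "P3650D");
        String clusterId = RandomStringUtils.randomAlphanumeric(4);
        String scmId = RandomStringUtils.randomAlphanumeric(4);
        DefaultCAServer rootCA = newCAServer("rootCA", clusterId, scmId);
        rootCA.init(new SecurityConfig(conf), CertificateServer.CAType.SELF_SIGNED_CA);

        SCMCertificateClient scmClient = new SCMCertificateClient(new SecurityConfig(conf));
        Assert.assertEquals(CertificateClient.InitResponse.GETCERT, scmClient.init());

        Future<X509CertificateHolder> issued = rootCA.requestCertificate(
            csrBuilder(TEST_CA_SUBJECT).build(),
            CertificateApprover.ApprovalType.TESTING_AUTOMATIC, HddsProtos.NodeType.SCM);
        Assert.assertTrue(issued.isDone());
        X509CertificateHolder scmCert = issued.get();
        Assert.assertNotNull(scmCert);
        // NOTE(review): LocalDate.compareTo yields the year difference when the years
        // differ, so this pins a ten-year lifetime. If notAfter is now + 3650 days, the
        // missing leap days can push this to 9 when run in the last days of a year — confirm.
        Assert.assertEquals(10L, scmCert.getNotAfter().toInstant()
            .atZone(ZoneId.systemDefault()).toLocalDate().compareTo(LocalDate.now()));

        // Place the root cert and the issued SCM cert where the intermediary CA
        // will look for its chain.
        scmClient.storeCertificate(
            CertificateCodec.getPEMEncodedString(rootCA.getCACertificate()), true, true);
        scmClient.storeCertificate(CertificateCodec.getPEMEncodedString(scmCert), true);
        new CertificateCodec(new SecurityConfig(conf), scmClient.getComponentName())
            .writeCertificate(scmCert);

        try {
            newCAServer("scmCA", clusterId, scmId, scmClient.getComponentName())
                .init(new SecurityConfig(conf), CertificateServer.CAType.INTERMEDIARY_CA);
        } catch (Exception e) {
            // Keep the cause attached so a failing chain check is diagnosable from the report.
            throw new AssertionError("testIntermediaryCA failed during init", e);
        }
    }
}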
