package org.apache.hadoop.hdds.security.token;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.concurrent.TimeUnit;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.hdds.protocol.datanode.proto.ContainerProtos;
import org.apache.hadoop.hdds.security.token.ShortLivedTokenIdentifier;
import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.security.token.Token;
import org.junit.Assert;
import org.junit.Test;
import org.mockito.ArgumentMatchers;
import org.mockito.Mockito;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/hdds/security/token/TokenVerifierTests.class */
public abstract class TokenVerifierTests<T extends ShortLivedTokenIdentifier> {
    private static final Logger LOG = LoggerFactory.getLogger(TokenVerifierTests.class);
    protected static final String CERT_ID = "123";

    /* loaded from: input_file:org/apache/hadoop/hdds/security/token/TokenVerifierTests$MockTokenManager.class */
    private class MockTokenManager extends ShortLivedTokenSecretManager<T> {
        MockTokenManager(SecurityConfig securityConfig) {
            super(securityConfig, TimeUnit.HOURS.toMillis(1L), TokenVerifierTests.CERT_ID, TokenVerifierTests.LOG);
        }

        public byte[] createPassword(T t) {
            return "asdf".getBytes(StandardCharsets.UTF_8);
        }
    }

    protected abstract TokenVerifier newTestSubject(SecurityConfig securityConfig, CertificateClient certificateClient);

    protected abstract String tokenEnabledConfigKey();

    protected abstract ContainerProtos.ContainerCommandRequestProto unverifiedRequest() throws IOException;

    protected abstract ContainerProtos.ContainerCommandRequestProto verifiedRequest(T t) throws IOException;

    protected abstract T newTokenId();

    @Test
    public void skipsVerificationIfDisabled() throws IOException {
        CertificateClient certificateClient = (CertificateClient) Mockito.mock(CertificateClient.class);
        newTestSubject(tokenDisabled(), certificateClient).verify("anyUser", anyToken(), verifiedRequest(newTokenId()));
        ((CertificateClient) Mockito.verify(certificateClient, Mockito.never())).getCertificate((String) ArgumentMatchers.any());
    }

    @Test
    public void skipsVerificationForMiscCommands() throws IOException {
        CertificateClient certificateClient = (CertificateClient) Mockito.mock(CertificateClient.class);
        newTestSubject(tokenEnabled(), certificateClient).verify("anyUser", anyToken(), unverifiedRequest());
        ((CertificateClient) Mockito.verify(certificateClient, Mockito.never())).getCertificate((String) ArgumentMatchers.any());
    }

    @Test
    public void rejectsExpiredCertificate() throws Exception {
        rejectsInvalidCertificate(CertificateExpiredException.class);
    }

    @Test
    public void rejectsNotYetValidCertificate() throws Exception {
        rejectsInvalidCertificate(CertificateNotYetValidException.class);
    }

    private void rejectsInvalidCertificate(Class<? extends CertificateException> cls) throws Exception {
        CertificateClient certificateClient = (CertificateClient) Mockito.mock(CertificateClient.class);
        Mockito.when(certificateClient.getCertificate(CERT_ID)).thenReturn(invalidCertificate(cls));
        ContainerProtos.ContainerCommandRequestProto verifiedRequest = verifiedRequest(newTokenId());
        TokenVerifier newTestSubject = newTestSubject(tokenEnabled(), certificateClient);
        Assert.assertThrows(BlockTokenException.class, () -> {
            newTestSubject.verify("anyUser", anyToken(), verifiedRequest);
        });
    }

    @Test
    public void rejectsInvalidSignature() throws Exception {
        CertificateClient certificateClient = (CertificateClient) Mockito.mock(CertificateClient.class);
        Mockito.when(certificateClient.getCertificate(CERT_ID)).thenReturn(validCertificate());
        Token token = new Token();
        validSignature(certificateClient, false);
        ContainerProtos.ContainerCommandRequestProto verifiedRequest = verifiedRequest(newTokenId());
        TokenVerifier newTestSubject = newTestSubject(tokenEnabled(), certificateClient);
        Assert.assertThrows(BlockTokenException.class, () -> {
            newTestSubject.verify("anyUser", token, verifiedRequest);
        });
    }

    @Test
    public void rejectsExpiredToken() throws Exception {
        SecurityConfig securityConfig = tokenEnabled();
        CertificateClient certificateClient = (CertificateClient) Mockito.mock(CertificateClient.class);
        Mockito.when(certificateClient.getCertificate(CERT_ID)).thenReturn(validCertificate());
        validSignature(certificateClient, true);
        MockTokenManager mockTokenManager = new MockTokenManager(securityConfig);
        T expired = expired(newTokenId());
        ContainerProtos.ContainerCommandRequestProto verifiedRequest = verifiedRequest(expired);
        Token generateToken = mockTokenManager.generateToken(expired);
        TokenVerifier newTestSubject = newTestSubject(tokenEnabled(), certificateClient);
        Assert.assertThrows(BlockTokenException.class, () -> {
            newTestSubject.verify("anyUser", generateToken, verifiedRequest);
        });
    }

    @Test
    public void acceptsValidToken() throws Exception {
        SecurityConfig securityConfig = tokenEnabled();
        CertificateClient certificateClient = (CertificateClient) Mockito.mock(CertificateClient.class);
        Mockito.when(certificateClient.getCertificate(CERT_ID)).thenReturn(validCertificate());
        validSignature(certificateClient, true);
        MockTokenManager mockTokenManager = new MockTokenManager(securityConfig);
        T valid = valid(newTokenId());
        ContainerProtos.ContainerCommandRequestProto verifiedRequest = verifiedRequest(valid);
        newTestSubject(securityConfig, certificateClient).verify("anyUser", mockTokenManager.generateToken(valid), verifiedRequest);
    }

    private T expired(T t) {
        t.setExpiry(Instant.now().minusSeconds(3600L));
        return t;
    }

    private T valid(T t) {
        t.setExpiry(Instant.now().plusSeconds(3600L));
        return t;
    }

    private void validSignature(CertificateClient certificateClient, boolean z) throws Exception {
        Mockito.when(Boolean.valueOf(certificateClient.verifySignature((byte[]) ArgumentMatchers.any(byte[].class), (byte[]) ArgumentMatchers.any(), (X509Certificate) ArgumentMatchers.any()))).thenReturn(Boolean.valueOf(z));
    }

    private static X509Certificate invalidCertificate(Class<? extends CertificateException> cls) throws CertificateExpiredException, CertificateNotYetValidException {
        X509Certificate x509Certificate = (X509Certificate) Mockito.mock(X509Certificate.class);
        ((X509Certificate) Mockito.doThrow(cls).when(x509Certificate)).checkValidity();
        return x509Certificate;
    }

    private static X509Certificate validCertificate() {
        return (X509Certificate) Mockito.mock(X509Certificate.class);
    }

    protected SecurityConfig tokenDisabled() {
        return getSecurityConfig(false);
    }

    protected SecurityConfig tokenEnabled() {
        return getSecurityConfig(true);
    }

    private SecurityConfig getSecurityConfig(boolean z) {
        OzoneConfiguration ozoneConfiguration = new OzoneConfiguration();
        ozoneConfiguration.setBoolean(tokenEnabledConfigKey(), z);
        return new SecurityConfig(ozoneConfiguration);
    }

    private static Token<?> anyToken() {
        return new Token<>();
    }
}
