package org.apache.hadoop.hdds.security.x509.certificate.client;

import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileAttribute;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.util.Arrays;
import java.util.UUID;
import java.util.function.Consumer;
import java.util.function.Predicate;
import org.apache.commons.io.FileUtils;
import org.apache.commons.lang3.RandomStringUtils;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.hdds.protocol.MockDatanodeDetails;
import org.apache.hadoop.hdds.protocol.proto.HddsProtos;
import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos;
import org.apache.hadoop.hdds.protocolPB.SCMSecurityProtocolClientSideTranslatorPB;
import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CAType;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec;
import org.apache.hadoop.hdds.security.x509.exception.CertificateException;
import org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator;
import org.apache.hadoop.hdds.security.x509.keys.KeyCodec;
import org.apache.hadoop.security.ssl.KeyStoreTestUtil;
import org.apache.ozone.test.GenericTestUtils;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.hamcrest.CoreMatchers;
import org.hamcrest.MatcherAssert;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.io.TempDir;
import org.mockito.ArgumentMatchers;
import org.mockito.Mockito;
import org.slf4j.Logger;

/* loaded from: input_file:org/apache/hadoop/hdds/security/x509/certificate/client/TestDefaultCertificateClient.class */
public class TestDefaultCertificateClient {
    private String certSerialId;
    private X509Certificate x509Certificate;
    private DNCertificateClient dnCertClient;
    private HDDSKeyGenerator keyGenerator;
    private Path dnMetaDirPath;
    private SecurityConfig dnSecurityConfig;
    private SCMSecurityProtocolClientSideTranslatorPB scmSecurityClient;
    private static final String DN_COMPONENT = "dn";
    private KeyCodec dnKeyCodec;

    @BeforeEach
    public void setUp() throws Exception {
        OzoneConfiguration ozoneConfiguration = new OzoneConfiguration();
        ozoneConfiguration.setStrings("ozone.scm.names", new String[]{"localhost"});
        ozoneConfiguration.setInt("ipc.client.connect.max.retries", 2);
        this.dnMetaDirPath = Paths.get(GenericTestUtils.getTempPath(UUID.randomUUID().toString()), "test");
        ozoneConfiguration.set("hdds.metadata.dir", this.dnMetaDirPath.toString());
        this.dnSecurityConfig = new SecurityConfig(ozoneConfiguration);
        this.keyGenerator = new HDDSKeyGenerator(this.dnSecurityConfig);
        this.dnKeyCodec = new KeyCodec(this.dnSecurityConfig, DN_COMPONENT);
        Files.createDirectories(this.dnSecurityConfig.getKeyLocation(DN_COMPONENT), new FileAttribute[0]);
        this.x509Certificate = generateX509Cert(null);
        this.certSerialId = this.x509Certificate.getSerialNumber().toString();
        this.scmSecurityClient = (SCMSecurityProtocolClientSideTranslatorPB) Mockito.mock(SCMSecurityProtocolClientSideTranslatorPB.class);
        getCertClient();
    }

    private void getCertClient() throws IOException {
        if (this.dnCertClient != null) {
            this.dnCertClient.close();
        }
        this.dnCertClient = new DNCertificateClient(this.dnSecurityConfig, this.scmSecurityClient, MockDatanodeDetails.randomDatanodeDetails(), this.certSerialId, (Consumer) null, () -> {
            System.exit(1);
        });
    }

    @AfterEach
    public void tearDown() throws IOException {
        this.dnCertClient.close();
        this.dnCertClient = null;
        FileUtils.deleteQuietly(this.dnMetaDirPath.toFile());
    }

    @Test
    public void testKeyOperations() throws Exception {
        cleanupOldKeyPair();
        PrivateKey privateKey = this.dnCertClient.getPrivateKey();
        Assertions.assertNull(this.dnCertClient.getPublicKey());
        Assertions.assertNull(privateKey);
        KeyPair generateKeyPairFiles = generateKeyPairFiles();
        PrivateKey privateKey2 = this.dnCertClient.getPrivateKey();
        Assertions.assertNotNull(privateKey2);
        Assertions.assertEquals(privateKey2, generateKeyPairFiles.getPrivate());
        PublicKey publicKey = this.dnCertClient.getPublicKey();
        Assertions.assertNotNull(publicKey);
        Assertions.assertEquals(publicKey, generateKeyPairFiles.getPublic());
    }

    private KeyPair generateKeyPairFiles() throws Exception {
        cleanupOldKeyPair();
        KeyPair generateKey = this.keyGenerator.generateKey();
        this.dnKeyCodec.writePrivateKey(generateKey.getPrivate());
        this.dnKeyCodec.writePublicKey(generateKey.getPublic());
        return generateKey;
    }

    private void cleanupOldKeyPair() {
        FileUtils.deleteQuietly(Paths.get(this.dnSecurityConfig.getKeyLocation(DN_COMPONENT).toString(), this.dnSecurityConfig.getPrivateKeyFileName()).toFile());
        FileUtils.deleteQuietly(Paths.get(this.dnSecurityConfig.getKeyLocation(DN_COMPONENT).toString(), this.dnSecurityConfig.getPublicKeyFileName()).toFile());
    }

    @Test
    public void testCertificateOps() throws Exception {
        Assertions.assertNull(this.dnCertClient.getCertificate());
        this.dnCertClient.storeCertificate(CertificateCodec.getPEMEncodedString(this.x509Certificate), CAType.SUBORDINATE);
        X509Certificate certificate = this.dnCertClient.getCertificate(this.x509Certificate.getSerialNumber().toString());
        Assertions.assertNotNull(certificate);
        Assertions.assertTrue(certificate.getEncoded().length > 0);
        Assertions.assertEquals(this.x509Certificate, certificate);
    }

    private X509Certificate generateX509Cert(KeyPair keyPair) throws Exception {
        if (keyPair == null) {
            keyPair = generateKeyPairFiles();
        }
        return KeyStoreTestUtil.generateCertificate("CN=Test", keyPair, 30, this.dnSecurityConfig.getSignatureAlgo());
    }

    @Test
    public void testSignDataStream() throws Exception {
        String random = RandomStringUtils.random(100);
        FileUtils.deleteQuietly(Paths.get(this.dnSecurityConfig.getKeyLocation(DN_COMPONENT).toString(), this.dnSecurityConfig.getPrivateKeyFileName()).toFile());
        FileUtils.deleteQuietly(Paths.get(this.dnSecurityConfig.getKeyLocation(DN_COMPONENT).toString(), this.dnSecurityConfig.getPublicKeyFileName()).toFile());
        Assertions.assertTrue(((IOException) Assertions.assertThrows(IOException.class, () -> {
            this.dnCertClient.signData(random.getBytes(StandardCharsets.UTF_8));
        })).getMessage().contains("Error while signing the stream"));
        generateKeyPairFiles();
        validateHash(this.dnCertClient.signData(random.getBytes(StandardCharsets.UTF_8)), random.getBytes(StandardCharsets.UTF_8));
    }

    private void validateHash(byte[] bArr, byte[] bArr2) throws Exception {
        Signature signature = Signature.getInstance(this.dnSecurityConfig.getSignatureAlgo(), this.dnSecurityConfig.getProvider());
        signature.initVerify(this.dnCertClient.getPublicKey());
        signature.update(bArr2);
        Assertions.assertTrue(signature.verify(bArr));
    }

    @Test
    public void verifySignatureStream() throws Exception {
        String random = RandomStringUtils.random(500);
        Assertions.assertTrue(this.dnCertClient.verifySignature(random.getBytes(StandardCharsets.UTF_8), this.dnCertClient.signData(random.getBytes(StandardCharsets.UTF_8)), this.x509Certificate));
        Assertions.assertFalse(this.dnCertClient.verifySignature(random.getBytes(StandardCharsets.UTF_8), "abc".getBytes(StandardCharsets.UTF_8), this.x509Certificate));
    }

    @Test
    public void verifySignatureDataArray() throws Exception {
        String random = RandomStringUtils.random(500);
        Assertions.assertTrue(this.dnCertClient.verifySignature(random.getBytes(StandardCharsets.UTF_8), this.dnCertClient.signData(random.getBytes(StandardCharsets.UTF_8)), this.x509Certificate));
        Assertions.assertFalse(this.dnCertClient.verifySignature(random.getBytes(StandardCharsets.UTF_8), "abc".getBytes(StandardCharsets.UTF_8), this.x509Certificate));
    }

    @Test
    public void testCertificateLoadingOnInit() throws Exception {
        KeyPair generateKey = this.keyGenerator.generateKey();
        X509Certificate generateX509Cert = generateX509Cert(generateKey);
        X509Certificate generateX509Cert2 = generateX509Cert(generateKey);
        X509Certificate generateX509Cert3 = generateX509Cert(generateKey);
        X509Certificate generateX509Cert4 = generateX509Cert(generateKey);
        X509Certificate generateX509Cert5 = generateX509Cert(generateKey);
        X509Certificate generateX509Cert6 = generateX509Cert(generateKey);
        X509Certificate generateX509Cert7 = generateX509Cert(generateKey);
        Path certificateLocation = this.dnSecurityConfig.getCertificateLocation(DN_COMPONENT);
        CertificateCodec certificateCodec = new CertificateCodec(this.dnSecurityConfig, DN_COMPONENT);
        Assertions.assertTrue(Assertions.assertThrows(CertificateException.class, () -> {
            this.dnCertClient.getCertificate(generateX509Cert.getSerialNumber().toString());
        }).getMessage().contains("Error while getting certificate"));
        Assertions.assertTrue(Assertions.assertThrows(CertificateException.class, () -> {
            this.dnCertClient.getCertificate(generateX509Cert2.getSerialNumber().toString());
        }).getMessage().contains("Error while getting certificate"));
        Assertions.assertTrue(Assertions.assertThrows(CertificateException.class, () -> {
            this.dnCertClient.getCertificate(generateX509Cert3.getSerialNumber().toString());
        }).getMessage().contains("Error while getting certificate"));
        certificateCodec.writeCertificate(certificateLocation, "1.crt", CertificateCodec.getPEMEncodedString(generateX509Cert));
        certificateCodec.writeCertificate(certificateLocation, "2.crt", CertificateCodec.getPEMEncodedString(generateX509Cert2));
        certificateCodec.writeCertificate(certificateLocation, "3.crt", CertificateCodec.getPEMEncodedString(generateX509Cert3));
        certificateCodec.writeCertificate(certificateLocation, CAType.ROOT.getFileNamePrefix() + "1.crt", CertificateCodec.getPEMEncodedString(generateX509Cert4));
        certificateCodec.writeCertificate(certificateLocation, CAType.ROOT.getFileNamePrefix() + "2.crt", CertificateCodec.getPEMEncodedString(generateX509Cert5));
        certificateCodec.writeCertificate(certificateLocation, CAType.SUBORDINATE.getFileNamePrefix() + "1.crt", CertificateCodec.getPEMEncodedString(generateX509Cert6));
        certificateCodec.writeCertificate(certificateLocation, CAType.SUBORDINATE.getFileNamePrefix() + "2.crt", CertificateCodec.getPEMEncodedString(generateX509Cert7));
        if (this.dnCertClient != null) {
            this.dnCertClient.close();
        }
        this.dnCertClient = new DNCertificateClient(this.dnSecurityConfig, (SCMSecurityProtocolClientSideTranslatorPB) null, MockDatanodeDetails.randomDatanodeDetails(), this.certSerialId, (Consumer) null, (Runnable) null);
        Assertions.assertNotNull(this.dnCertClient.getCertificate(generateX509Cert.getSerialNumber().toString()));
        Assertions.assertNotNull(this.dnCertClient.getCertificate(generateX509Cert2.getSerialNumber().toString()));
        Assertions.assertNotNull(this.dnCertClient.getCertificate(generateX509Cert3.getSerialNumber().toString()));
        Assertions.assertEquals(2, this.dnCertClient.getAllCaCerts().size());
        Assertions.assertTrue(this.dnCertClient.getAllCaCerts().contains(generateX509Cert6));
        Assertions.assertTrue(this.dnCertClient.getAllCaCerts().contains(generateX509Cert7));
        Assertions.assertEquals(2, this.dnCertClient.getAllRootCaCerts().size());
        Assertions.assertTrue(this.dnCertClient.getAllRootCaCerts().contains(generateX509Cert4));
        Assertions.assertTrue(this.dnCertClient.getAllRootCaCerts().contains(generateX509Cert5));
    }

    @Test
    public void testStoreCertificate() throws Exception {
        KeyPair generateKey = this.keyGenerator.generateKey();
        X509Certificate generateX509Cert = generateX509Cert(generateKey);
        X509Certificate generateX509Cert2 = generateX509Cert(generateKey);
        X509Certificate generateX509Cert3 = generateX509Cert(generateKey);
        this.dnCertClient.storeCertificate(CertificateCodec.getPEMEncodedString(generateX509Cert), CAType.NONE);
        this.dnCertClient.storeCertificate(CertificateCodec.getPEMEncodedString(generateX509Cert2), CAType.NONE);
        this.dnCertClient.storeCertificate(CertificateCodec.getPEMEncodedString(generateX509Cert3), CAType.NONE);
        Assertions.assertNotNull(this.dnCertClient.getCertificate(generateX509Cert.getSerialNumber().toString()));
        Assertions.assertNotNull(this.dnCertClient.getCertificate(generateX509Cert2.getSerialNumber().toString()));
        Assertions.assertNotNull(this.dnCertClient.getCertificate(generateX509Cert3.getSerialNumber().toString()));
    }

    @Test
    public void testStoreMultipleRootCACertificate() throws Exception {
        KeyPair generateKey = this.keyGenerator.generateKey();
        X509Certificate generateX509Cert = generateX509Cert(generateKey);
        X509Certificate generateX509Cert2 = generateX509Cert(generateKey);
        X509Certificate generateX509Cert3 = generateX509Cert(generateKey);
        this.dnCertClient.storeCertificate(CertificateCodec.getPEMEncodedString(generateX509Cert), CAType.ROOT);
        this.dnCertClient.storeCertificate(CertificateCodec.getPEMEncodedString(generateX509Cert2), CAType.ROOT);
        this.dnCertClient.storeCertificate(CertificateCodec.getPEMEncodedString(generateX509Cert3), CAType.ROOT);
        Assertions.assertEquals(generateX509Cert, this.dnCertClient.getCertificate(generateX509Cert.getSerialNumber().toString()));
        Assertions.assertEquals(generateX509Cert2, this.dnCertClient.getCertificate(generateX509Cert2.getSerialNumber().toString()));
        Assertions.assertEquals(generateX509Cert3, this.dnCertClient.getCertificate(generateX509Cert3.getSerialNumber().toString()));
    }

    @Test
    public void testInitCertAndKeypairValidationFailures() throws Exception {
        GenericTestUtils.LogCapturer captureLogs = GenericTestUtils.LogCapturer.captureLogs(this.dnCertClient.getLogger());
        KeyPair generateKey = this.keyGenerator.generateKey();
        KeyPair generateKey2 = this.keyGenerator.generateKey();
        captureLogs.clearOutput();
        FileUtils.deleteQuietly(Paths.get(this.dnSecurityConfig.getKeyLocation(DN_COMPONENT).toString(), this.dnSecurityConfig.getPrivateKeyFileName()).toFile());
        FileUtils.deleteQuietly(Paths.get(this.dnSecurityConfig.getKeyLocation(DN_COMPONENT).toString(), this.dnSecurityConfig.getPublicKeyFileName()).toFile());
        this.dnKeyCodec.writePrivateKey(generateKey.getPrivate());
        this.dnKeyCodec.writePublicKey(generateKey2.getPublic());
        Assertions.assertEquals(CertificateClient.InitResponse.FAILURE, this.dnCertClient.init());
        Assertions.assertTrue(captureLogs.getOutput().contains("Keypair validation failed"));
        captureLogs.clearOutput();
        getCertClient();
        FileUtils.deleteQuietly(Paths.get(this.dnSecurityConfig.getKeyLocation(DN_COMPONENT).toString(), this.dnSecurityConfig.getCertificateFileName()).toFile());
        new CertificateCodec(this.dnSecurityConfig, DN_COMPONENT).writeCertificate(new X509CertificateHolder(this.x509Certificate.getEncoded()));
        Assertions.assertEquals(CertificateClient.InitResponse.FAILURE, this.dnCertClient.init());
        Assertions.assertTrue(captureLogs.getOutput().contains("Keypair validation failed"));
        captureLogs.clearOutput();
        FileUtils.deleteQuietly(Paths.get(this.dnSecurityConfig.getKeyLocation(DN_COMPONENT).toString(), this.dnSecurityConfig.getPublicKeyFileName()).toFile());
        getCertClient();
        this.dnKeyCodec.writePublicKey(generateKey.getPublic());
        Assertions.assertEquals(CertificateClient.InitResponse.FAILURE, this.dnCertClient.init());
        Assertions.assertTrue(captureLogs.getOutput().contains("Stored certificate is generated with different"));
        captureLogs.clearOutput();
        getCertClient();
        FileUtils.deleteQuietly(Paths.get(this.dnSecurityConfig.getKeyLocation(DN_COMPONENT).toString(), this.dnSecurityConfig.getPublicKeyFileName()).toFile());
        Assertions.assertEquals(CertificateClient.InitResponse.FAILURE, this.dnCertClient.init());
        Assertions.assertTrue(captureLogs.getOutput().contains("Can't recover public key"));
    }

    @Test
    public void testTimeBeforeExpiryGracePeriod() throws Exception {
        KeyPair generateKey = this.keyGenerator.generateKey();
        Duration renewalGracePeriod = this.dnSecurityConfig.getRenewalGracePeriod();
        X509Certificate generateCertificate = KeyStoreTestUtil.generateCertificate("CN=Test", generateKey, (int) renewalGracePeriod.toDays(), this.dnSecurityConfig.getSignatureAlgo());
        this.dnCertClient.storeCertificate(CertificateCodec.getPEMEncodedString(generateCertificate), CAType.SUBORDINATE);
        Assertions.assertTrue(this.dnCertClient.timeBeforeExpiryGracePeriod(generateCertificate).isZero());
        X509Certificate generateCertificate2 = KeyStoreTestUtil.generateCertificate("CN=Test", generateKey, (int) (renewalGracePeriod.toDays() + 1), this.dnSecurityConfig.getSignatureAlgo());
        this.dnCertClient.storeCertificate(CertificateCodec.getPEMEncodedString(generateCertificate2), CAType.SUBORDINATE);
        Duration timeBeforeExpiryGracePeriod = this.dnCertClient.timeBeforeExpiryGracePeriod(generateCertificate2);
        Assertions.assertTrue(timeBeforeExpiryGracePeriod.toMillis() < Duration.ofDays(1L).toMillis() && timeBeforeExpiryGracePeriod.toMillis() > Duration.ofHours(23L).plusMinutes(59L).toMillis());
    }

    @Test
    public void testRenewAndStoreKeyAndCertificate() throws Exception {
        new CertificateCodec(this.dnSecurityConfig, this.dnSecurityConfig.getCertificateLocation(DN_COMPONENT)).writeCertificate(new X509CertificateHolder(this.x509Certificate.getEncoded()));
        String pEMEncodedString = CertificateCodec.getPEMEncodedString(generateX509Cert(null));
        Mockito.when(this.scmSecurityClient.getDataNodeCertificateChain((HddsProtos.DatanodeDetailsProto) ArgumentMatchers.any(), ArgumentMatchers.anyString())).thenReturn(SCMSecurityProtocolProtos.SCMGetCertResponseProto.newBuilder().setResponseCode(SCMSecurityProtocolProtos.SCMGetCertResponseProto.ResponseCode.success).setX509Certificate(pEMEncodedString).setX509CACertificate(pEMEncodedString).build());
        String bigInteger = this.dnCertClient.getCertificate().getSerialNumber().toString();
        Assertions.assertNotEquals(bigInteger, this.dnCertClient.renewAndStoreKeyAndCertificate(true));
        Assertions.assertEquals(this.dnCertClient.getCertificate().getSerialNumber().toString(), bigInteger);
        File file = new File(this.dnSecurityConfig.getKeyLocation(this.dnCertClient.getComponentName()).toString() + "-next");
        File file2 = new File(this.dnSecurityConfig.getCertificateLocation(this.dnCertClient.getComponentName()).toString() + "-next");
        File file3 = new File(this.dnSecurityConfig.getKeyLocation(this.dnCertClient.getComponentName()).toString() + "-previous");
        File file4 = new File(this.dnSecurityConfig.getCertificateLocation(this.dnCertClient.getComponentName()).toString() + "-previous");
        Assertions.assertTrue(file3.exists());
        Assertions.assertTrue(file4.exists());
        Assertions.assertFalse(file.exists());
        Assertions.assertFalse(file2.exists());
        this.dnCertClient.cleanBackupDir();
        Files.createDirectories(file.toPath(), new FileAttribute[0]);
        Files.createDirectories(file2.toPath(), new FileAttribute[0]);
        KeyPair generateKeyPair = KeyStoreTestUtil.generateKeyPair("RSA");
        new KeyCodec(this.dnSecurityConfig, file.toPath()).writeKey(generateKeyPair);
        this.dnCertClient.storeCertificate(CertificateCodec.getPEMEncodedString(KeyStoreTestUtil.generateCertificate("CN=OzoneMaster", generateKeyPair, 30, "SHA256withRSA")), CAType.NONE, new CertificateCodec(this.dnSecurityConfig, file2.toPath()), false, false);
        this.dnCertClient.renewAndStoreKeyAndCertificate(true);
    }

    @Test
    public void testCloseCertificateClient(@TempDir File file) throws Exception {
        OzoneConfiguration ozoneConfiguration = new OzoneConfiguration();
        ozoneConfiguration.set("hdds.metadata.dir", file.getPath());
        SecurityConfig securityConfig = new SecurityConfig(ozoneConfiguration);
        String str = "test";
        CertificateCodec certificateCodec = new CertificateCodec(securityConfig, "test");
        X509Certificate generateX509Cert = generateX509Cert(null);
        certificateCodec.writeCertificate(new X509CertificateHolder(generateX509Cert.getEncoded()));
        DefaultCertificateClient defaultCertificateClient = new DefaultCertificateClient(securityConfig, null, (Logger) Mockito.mock(Logger.class), generateX509Cert.getSerialNumber().toString(), str, "", null, null) { // from class: org.apache.hadoop.hdds.security.x509.certificate.client.TestDefaultCertificateClient.1
            protected String signAndStoreCertificate(PKCS10CertificationRequest pKCS10CertificationRequest, Path path) {
                return "";
            }

            protected SCMSecurityProtocolProtos.SCMGetCertResponseProto getCertificateSignResponse(PKCS10CertificationRequest pKCS10CertificationRequest) {
                return null;
            }

            protected String signAndStoreCertificate(PKCS10CertificationRequest pKCS10CertificationRequest, Path path, boolean z) {
                return null;
            }
        };
        Thread[] threadArr = new Thread[Thread.activeCount()];
        Thread.enumerate(threadArr);
        Predicate predicate = thread -> {
            return thread != null && thread.getName().equals(new StringBuilder().append(str).append("-CertificateRenewerService").toString());
        };
        MatcherAssert.assertThat(Long.valueOf(Arrays.stream(threadArr).filter(predicate).count()), CoreMatchers.is(1L));
        Thread thread2 = (Thread) Arrays.stream(threadArr).filter(predicate).findFirst().get();
        defaultCertificateClient.close();
        thread2.join();
        MatcherAssert.assertThat(Long.valueOf(Arrays.stream(new Thread[Thread.activeCount()]).filter(predicate).count()), CoreMatchers.is(0L));
    }
}
