package org.apache.hadoop.hdds.security.x509.certificate.authority;

import com.google.common.collect.ImmutableList;
import java.io.IOException;
import java.math.BigInteger;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyPair;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.cert.CertPath;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.time.LocalDate;
import java.time.LocalDateTime;
import java.time.ZoneId;
import java.time.chrono.ChronoLocalDate;
import java.time.temporal.TemporalAccessor;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Date;
import java.util.List;
import java.util.UUID;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.Future;
import org.apache.commons.lang3.RandomStringUtils;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.hdds.protocol.proto.HddsProtos;
import org.apache.hadoop.hdds.protocolPB.SCMSecurityProtocolClientSideTranslatorPB;
import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateApprover;
import org.apache.hadoop.hdds.security.x509.certificate.authority.DefaultCAServer;
import org.apache.hadoop.hdds.security.x509.certificate.authority.profile.DefaultCAProfile;
import org.apache.hadoop.hdds.security.x509.certificate.authority.profile.DefaultProfile;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.hdds.security.x509.certificate.client.SCMCertificateClient;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateSignRequest;
import org.apache.hadoop.hdds.security.x509.certificate.utils.SelfSignedCertificate;
import org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator;
import org.apache.hadoop.hdds.security.x509.keys.KeyCodec;
import org.apache.hadoop.security.ssl.KeyStoreTestUtil;
import org.bouncycastle.asn1.x509.CRLReason;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.jcajce.provider.asymmetric.x509.CertificateFactory;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.io.TempDir;

/* loaded from: input_file:org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultCAServer.class */
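/**
 * Unit tests for {@link DefaultCAServer}.
 *
 * <p>Covers: bootstrap as a ROOT CA and idempotent re-initialisation; the
 * fail-closed verification paths (missing keys / missing certificate refuse to
 * start the CA); CSR approval, including rejection of a CSR whose embedded
 * scmId/clusterId do not match the CA's own; revocation by serial number; and
 * bootstrapping from an externally supplied root certificate or certificate
 * chain. A SUBORDINATE CA is exercised both with and without an available
 * intermediate certificate.
 *
 * <p>Every test runs against a fresh {@link OzoneConfiguration} whose metadata
 * directory is a JUnit {@code @TempDir}, so key and certificate material written
 * by one test is never visible to another.
 */
public class TestDefaultCAServer {
    /** Subject used for most CA instances under test. */
    private static final String CA_SUBJECT = "testCA";
    /** File name under which an externally provided root CA certificate is written. */
    private static final String EXTERNAL_CA_CERT_FILE = "CaCert.pem";
    /** Subject-alternative-name entries placed in every CSR built by these tests. */
    private static final String CSR_DNS_NAME = "hadoop.apache.org";
    private static final String CSR_IP_ADDRESS = "8.8.8.8";

    private OzoneConfiguration conf;
    private SecurityConfig securityConfig;
    private MockCAStore caStore;

    /**
     * Points the metadata directory at a per-test temp dir and builds the
     * {@link SecurityConfig} the CA under test will read its paths from.
     *
     * @param path JUnit-managed temporary directory
     * @throws IOException if configuration setup fails
     */
    @BeforeEach
    public void init(@TempDir Path path) throws IOException {
        conf = new OzoneConfiguration();
        conf.set("ozone.metadata.dirs", path.toString());
        securityConfig = new SecurityConfig(conf);
        caStore = new MockCAStore();
    }

    /**
     * A root CA initialises to a non-null certificate, and a second
     * {@code init} on the same server reuses that certificate instead of
     * minting a new key pair / self-signed certificate.
     */
    @Test
    public void testInit() throws SCMSecurityException, CertificateException, IOException {
        DefaultCAServer server = newCaServer(CA_SUBJECT, randomId(), randomId());
        server.init(securityConfig, CAType.ROOT);
        X509CertificateHolder first = server.getCACertificate();
        Assertions.assertNotNull(first);

        // Re-initialising must be idempotent: the same certificate is returned.
        server.init(securityConfig, CAType.ROOT);
        Assertions.assertEquals(first, server.getCACertificate());
    }

    /**
     * A ROOT CA whose certificate is missing must refuse to proceed rather than
     * silently regenerate; the handler produced for that verification status
     * throws an {@link IllegalStateException} naming the missing root certs.
     */
    @Test
    public void testMissingCertificate() {
        DefaultCAServer server = newCaServer(CA_SUBJECT, randomId(), randomId());
        IllegalStateException e = Assertions.assertThrows(IllegalStateException.class,
            () -> server.processVerificationStatus(
                DefaultCAServer.VerificationStatus.MISSING_CERTIFICATE, CAType.ROOT)
                .accept(securityConfig));
        Assertions.assertTrue(e.toString().contains("Missing Root Certs"));
    }

    /**
     * A ROOT CA whose private/public keys are missing must likewise fail closed
     * with an {@link IllegalStateException} naming the missing keys.
     */
    @Test
    public void testMissingKey() {
        DefaultCAServer server = newCaServer(CA_SUBJECT, randomId(), randomId());
        IllegalStateException e = Assertions.assertThrows(IllegalStateException.class,
            () -> server.processVerificationStatus(
                DefaultCAServer.VerificationStatus.MISSING_KEYS, CAType.ROOT)
                .accept(securityConfig));
        Assertions.assertTrue(e.toString().contains("Missing Keys"));
    }

    /**
     * A CSR carrying the CA's own scmId/clusterId is approved automatically;
     * the returned {@link CertPath} ends in the CA certificate, and the leaf's
     * issuer is that CA's subject.
     */
    @Test
    public void testRequestCertificate() throws IOException, ExecutionException, InterruptedException, NoSuchProviderException, NoSuchAlgorithmException, CertificateException {
        String scmId = randomId();
        String clusterId = randomId();
        PKCS10CertificationRequest csr = baseCsr()
            .addServiceName("OzoneMarketingCluster002")
            .setClusterID(clusterId)
            .setScmID(scmId)
            .setSubject("Ozone Cluster")
            .setKey(generateKey())
            .build();
        DefaultCAServer server = newCaServer(CA_SUBJECT, clusterId, scmId);
        server.init(securityConfig, CAType.ROOT);

        Future<CertPath> response = server.requestCertificate(csr,
            CertificateApprover.ApprovalType.TESTING_AUTOMATIC, HddsProtos.NodeType.SCM, nextSerialId());
        // TESTING_AUTOMATIC approval completes synchronously, so the future is already done.
        Assertions.assertTrue(response.isDone());

        CertPath certPath = response.get();
        // Path layout is [leaf, issuer]; index 1 must be this CA's own certificate.
        X509Certificate issuer = (X509Certificate) certPath.getCertificates().get(1);
        Assertions.assertEquals(issuer, CertificateCodec.getX509Certificate(server.getCACertificate()));
        Assertions.assertEquals(issuer.getSubjectX500Principal(),
            CertificateCodec.firstCertificateFrom(certPath).getIssuerX500Principal());
    }

    /**
     * Despite its name, this verifies the accepting side of the subject check:
     * an OM CSR whose subject carries no scmId/clusterId at all is still issued
     * a certificate. NOTE(review): presumably the identity check only fires when
     * those fields are present; confirm against DefaultCAServer.
     */
    @Test
    public void testRequestCertificateWithInvalidSubject() throws IOException, ExecutionException, InterruptedException, NoSuchProviderException, NoSuchAlgorithmException {
        PKCS10CertificationRequest csr = baseCsr()
            .setSubject("Ozone Cluster")
            .setKey(generateKey())
            .build();
        DefaultCAServer server = newCaServer(CA_SUBJECT, randomId(), randomId());
        server.init(securityConfig, CAType.ROOT);

        Future<CertPath> response = server.requestCertificate(csr,
            CertificateApprover.ApprovalType.TESTING_AUTOMATIC, HddsProtos.NodeType.OM, nextSerialId());
        Assertions.assertTrue(response.isDone());
        Assertions.assertNotNull(CertificateCodec.firstCertificateFrom(response.get()));
    }

    /**
     * Revoking an issued certificate by serial number completes, while a
     * revocation request with no serials is rejected with a clear cause message.
     */
    @Test
    public void testRevokeCertificates() throws Exception {
        String scmId = randomId();
        String clusterId = randomId();
        Date revocationTime = new Date();
        DefaultCAServer server = newCaServer(CA_SUBJECT, clusterId, scmId);
        server.init(securityConfig, CAType.ROOT);

        X509Certificate issued = CertificateCodec.firstCertificateFrom(
            server.requestCertificate(
                baseCsr().setSubject(CA_SUBJECT).setKey(generateKey()).build(),
                CertificateApprover.ApprovalType.TESTING_AUTOMATIC, HddsProtos.NodeType.OM, nextSerialId())
            .get());

        // Reason code 1 is keyCompromise; spelled out so the intent is visible.
        CRLReason reason = CRLReason.lookup(CRLReason.keyCompromise);
        List<BigInteger> serials = new ArrayList<>();
        serials.add(issued.getSerialNumber());
        Assertions.assertTrue(server.revokeCertificates(serials, reason, revocationTime).isDone());

        ExecutionException e = Assertions.assertThrows(ExecutionException.class,
            () -> server.revokeCertificates(Collections.emptyList(), reason, revocationTime).get());
        Assertions.assertTrue(e.getCause().getMessage().contains("Certificates cannot be null"));
    }

    /**
     * A CSR whose subject names a scmId/clusterId different from the CA's own
     * must be refused: otherwise a node could obtain a certificate for a cluster
     * it does not belong to. The rejection surfaces as the cause of the
     * {@link ExecutionException} from the request future.
     */
    @Test
    public void testRequestCertificateWithInvalidSubjectFailure() throws Exception {
        PKCS10CertificationRequest csr = baseCsr()
            .setScmID("wrong one")
            .setClusterID("223432rf")
            .setSubject("Ozone Cluster")
            .setKey(generateKey())
            .build();
        DefaultCAServer server = newCaServer(CA_SUBJECT, randomId(), randomId());
        server.init(securityConfig, CAType.ROOT);

        ExecutionException e = Assertions.assertThrows(ExecutionException.class,
            () -> server.requestCertificate(csr,
                CertificateApprover.ApprovalType.TESTING_AUTOMATIC, HddsProtos.NodeType.OM, nextSerialId())
                .get());
        Assertions.assertTrue(e.getCause().getMessage().contains("ScmId and ClusterId in CSR subject are incorrect"));
    }

    /**
     * A SUBORDINATE CA with no intermediate certificate available under its
     * component directory must fail initialisation instead of falling back to
     * self-signing.
     */
    @Test
    public void testIntermediaryCAWithEmpty() {
        // Component "scm" only (no "ca" sub-path): nothing to act as the intermediary cert.
        DefaultCAServer server = new DefaultCAServer(CA_SUBJECT, randomId(), randomId(),
            caStore, new DefaultProfile(), Paths.get("scm").toString());
        Assertions.assertThrows(IllegalStateException.class,
            () -> server.init(securityConfig, CAType.SUBORDINATE));
    }

    /**
     * When an external root CA key pair and certificate are configured, a ROOT
     * {@link DefaultCAServer} adopts that certificate rather than generating
     * its own.
     *
     * @param path temp dir holding the external key and certificate files
     */
    @Test
    public void testExternalRootCA(@TempDir Path path) throws Exception {
        setExternalPathsInConfig(path, EXTERNAL_CA_CERT_FILE);
        try (SCMCertificateClient client = new SCMCertificateClient(securityConfig,
                (SCMSecurityProtocolClientSideTranslatorPB) null, (String) null)) {
            KeyPair keyPair = KeyStoreTestUtil.generateKeyPair("RSA");
            new KeyCodec(securityConfig, client.getComponentName()).writeKey(path, keyPair, true);
            X509CertificateHolder externalRoot = generateExternalCert(keyPair);
            new CertificateCodec(securityConfig, client.getComponentName())
                .writeCertificate(path, EXTERNAL_CA_CERT_FILE, CertificateCodec.getPEMEncodedString(externalRoot));

            DefaultCAServer server = newCaServer(CA_SUBJECT, randomId(), randomId());
            server.init(securityConfig, CAType.ROOT);
            Assertions.assertEquals(externalRoot, server.getCACertificate());
        }
    }

    /**
     * Writes the external root certificate and key file locations into the
     * configuration and rebuilds {@link #securityConfig} so the CA reads them.
     *
     * @param path directory the files live in
     * @param str  file name of the root CA certificate within {@code path}
     */
    private void setExternalPathsInConfig(Path path, String str) {
        String certFile = Paths.get(path.toString(), str).toString();
        String privateKeyFile = Paths.get(path.toString(), "private.pem").toString();
        String publicKeyFile = Paths.get(path.toString(), "public.pem").toString();
        conf.set("hdds.x509.rootca.certificate.file", certFile);
        conf.set("hdds.x509.rootca.private.key.file", privateKeyFile);
        conf.set("hdds.x509.rootca.public.key.file", publicKeyFile);
        // SecurityConfig snapshots the conf at construction, so rebuild it.
        securityConfig = new SecurityConfig(conf);
    }

    /**
     * When the external certificate file holds a chain [intermediate, root]
     * rather than a single certificate, the ROOT server initialises from the
     * first element of that chain.
     *
     * @param path temp dir holding the external key and chain files
     */
    @Test
    public void testInitWithCertChain(@TempDir Path path) throws Exception {
        setExternalPathsInConfig(path, EXTERNAL_CA_CERT_FILE);
        DefaultApprover approver = new DefaultApprover(new DefaultCAProfile(), securityConfig);
        try (SCMCertificateClient client = new SCMCertificateClient(securityConfig,
                (SCMSecurityProtocolClientSideTranslatorPB) null, (String) null)) {
            String scmId = randomId();
            String clusterId = randomId();
            KeyPair keyPair = generateKey();
            new KeyCodec(securityConfig, client.getComponentName()).writeKey(path, keyPair, true);

            LocalDate notBefore = LocalDate.now();
            LocalDate notAfter = notBefore.plusDays(10);
            PKCS10CertificationRequest csr = baseCsr()
                .addServiceName("OzoneMarketingCluster002")
                .setClusterID(clusterId)
                .setScmID(scmId)
                .setSubject("Ozone Cluster")
                .setKey(keyPair)
                .build();
            X509CertificateHolder externalRoot = generateExternalCert(keyPair);
            // Sign the CSR with the external root to obtain the intermediate certificate.
            X509CertificateHolder intermediate = approver.sign(securityConfig, keyPair.getPrivate(),
                externalRoot, java.sql.Date.valueOf(notBefore), java.sql.Date.valueOf(notAfter),
                csr, scmId, clusterId, nextSerialId());

            // Chain is written leaf-first: [intermediate, external root].
            CertPath chain = new CertificateFactory().engineGenerateCertPath(ImmutableList.of(
                CertificateCodec.getX509Certificate(intermediate),
                CertificateCodec.getX509Certificate(externalRoot)));
            new CertificateCodec(securityConfig, client.getComponentName())
                .writeCertificate(path, EXTERNAL_CA_CERT_FILE, CertificateCodec.getPEMEncodedString(chain));

            DefaultCAServer server = newCaServer(CA_SUBJECT, randomId(), randomId());
            server.init(securityConfig, CAType.ROOT);
            Assertions.assertEquals(intermediate, server.getCACertificate());
        }
    }

    /**
     * End-to-end subordinate CA flow: a root CA issues a certificate to the SCM
     * client, whose validity is capped at the configured maximum duration; the
     * resulting material is stored, and a SUBORDINATE {@link DefaultCAServer}
     * rooted at the client's component directory then initialises from it.
     */
    @Test
    public void testIntermediaryCA() throws Exception {
        // A 10-year cap so the issued certificate's notAfter can be asserted exactly.
        conf.set("hdds.x509.max.duration", "P3650D");
        securityConfig = new SecurityConfig(conf);
        String clusterId = RandomStringUtils.randomAlphanumeric(4);
        String scmId = RandomStringUtils.randomAlphanumeric(4);
        DefaultCAServer rootCa = newCaServer("rootCA", clusterId, scmId);
        rootCa.init(securityConfig, CAType.ROOT);

        try (SCMCertificateClient client = new SCMCertificateClient(securityConfig,
                (SCMSecurityProtocolClientSideTranslatorPB) null, (String) null)) {
            // A fresh client has keys but no certificate yet, so it asks for one.
            Assertions.assertEquals(CertificateClient.InitResponse.GETCERT, client.init());

            Future<CertPath> response = rootCa.requestCertificate(
                baseCsr().setSubject(CA_SUBJECT).setKey(generateKey()).build(),
                CertificateApprover.ApprovalType.TESTING_AUTOMATIC, HddsProtos.NodeType.SCM, nextSerialId());
            Assertions.assertTrue(response.isDone());
            X509CertificateHolder scmCert =
                CertificateCodec.getCertificateHolder(CertificateCodec.firstCertificateFrom(response.get()));
            Assertions.assertNotNull(scmCert);

            // notAfter must equal today + 3650 days in the system zone. NOTE(review):
            // a run straddling local midnight could be off by one day.
            LocalDate notAfter = scmCert.getNotAfter().toInstant()
                .atZone(ZoneId.systemDefault()).toLocalDate();
            Assertions.assertEquals(LocalDate.now().plusDays(3650), notAfter);

            client.storeCertificate(CertificateCodec.getPEMEncodedString(rootCa.getCACertificate()), CAType.SUBORDINATE);
            client.storeCertificate(CertificateCodec.getPEMEncodedString(scmCert), CAType.NONE);
            new CertificateCodec(securityConfig, client.getComponentName()).writeCertificate(scmCert);

            try {
                new DefaultCAServer("scmCA", clusterId, scmId, caStore, new DefaultProfile(),
                    client.getComponentName()).init(securityConfig, CAType.SUBORDINATE);
            } catch (Exception e) {
                // Keep the cause so a failure report shows why init refused the stored chain.
                Assertions.fail("testIntermediaryCA failed during init", e);
            }
        }
    }

    /**
     * Builds a self-signed CA certificate, valid for one year from now, to play
     * the role of an externally operated root CA.
     *
     * @param keyPair key pair the certificate is issued for and signed with
     * @return the self-signed CA certificate
     * @throws Exception if certificate generation fails
     */
    private X509CertificateHolder generateExternalCert(KeyPair keyPair) throws Exception {
        LocalDateTime notBefore = LocalDateTime.now();
        LocalDateTime notAfter = notBefore.plusYears(1L);
        return SelfSignedCertificate.newBuilder()
            .setBeginDate(notBefore)
            .setEndDate(notAfter)
            .setClusterID(UUID.randomUUID().toString())
            .setScmID(UUID.randomUUID().toString())
            .setSubject("testRootCert")
            .setKey(keyPair)
            .setConfiguration(securityConfig)
            .makeCA()
            .addInetAddresses()
            .build();
    }

    /** Component path ("scm/ca") under which the CA under test keeps its material. */
    private static String caComponentName() {
        return Paths.get("scm", "ca").toString();
    }

    /** Short random identifier used for scmId / clusterId values. */
    private static String randomId() {
        return RandomStringUtils.randomAlphabetic(4);
    }

    /** Unique-enough certificate serial id for a single test run. */
    private static String nextSerialId() {
        return String.valueOf(System.nanoTime());
    }

    /**
     * Creates a CA server bound to this test's store and the default profile.
     *
     * @param subject   CA subject name
     * @param clusterId cluster identifier the CA belongs to
     * @param scmId     SCM identifier the CA belongs to
     */
    private DefaultCAServer newCaServer(String subject, String clusterId, String scmId) {
        return new DefaultCAServer(subject, clusterId, scmId, caStore, new DefaultProfile(), caComponentName());
    }

    /** Generates a key pair with the algorithm/size configured in {@link #securityConfig}. */
    private KeyPair generateKey() throws NoSuchProviderException, NoSuchAlgorithmException {
        return new HDDSKeyGenerator(securityConfig).generateKey();
    }

    /**
     * CSR builder pre-populated with the SAN entries, non-CA flag and
     * configuration shared by every CSR in this class; callers add subject,
     * key and (optionally) scmId/clusterId before {@code build()}.
     */
    private CertificateSignRequest.Builder baseCsr() throws IOException {
        return new CertificateSignRequest.Builder()
            .addDnsName(CSR_DNS_NAME)
            .addIpAddress(CSR_IP_ADDRESS)
            .setCA(false)
            .setConfiguration(securityConfig);
    }
}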
