package org.apache.hadoop.hdds.security.token;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.UUID;
import java.util.concurrent.TimeUnit;
import javax.crypto.SecretKey;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.hdds.protocol.datanode.proto.ContainerProtos;
import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.symmetric.ManagedSecretKey;
import org.apache.hadoop.hdds.security.symmetric.SecretKeySignerClient;
import org.apache.hadoop.hdds.security.symmetric.SecretKeyVerifierClient;
import org.apache.hadoop.hdds.security.token.ShortLivedTokenIdentifier;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;
import org.hamcrest.CoreMatchers;
import org.hamcrest.MatcherAssert;
import org.jetbrains.annotations.NotNull;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;
import org.mockito.ArgumentMatchers;
import org.mockito.Mockito;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/hdds/security/token/TokenVerifierTests.class */
public abstract class TokenVerifierTests<T extends ShortLivedTokenIdentifier> {
    private static final Logger LOG = LoggerFactory.getLogger(TokenVerifierTests.class);
    protected static final UUID SECRET_KEY_ID = UUID.randomUUID();

    /* loaded from: input_file:org/apache/hadoop/hdds/security/token/TokenVerifierTests$MockTokenManager.class */
    private class MockTokenManager extends ShortLivedTokenSecretManager<T> {
        MockTokenManager() {
            super(TimeUnit.HOURS.toMillis(1L), (SecretKeySignerClient) Mockito.mock(SecretKeySignerClient.class));
        }

        public byte[] createPassword(T t) {
            return "asdf".getBytes(StandardCharsets.UTF_8);
        }
    }

    protected abstract TokenVerifier newTestSubject(SecurityConfig securityConfig, SecretKeyVerifierClient secretKeyVerifierClient);

    protected abstract String tokenEnabledConfigKey();

    protected abstract ContainerProtos.ContainerCommandRequestProto unverifiedRequest() throws IOException;

    protected abstract ContainerProtos.ContainerCommandRequestProto verifiedRequest(T t) throws IOException;

    protected abstract T newTokenId();

    @Test
    public void skipsVerificationIfDisabled() throws IOException {
        SecretKeyVerifierClient secretKeyVerifierClient = (SecretKeyVerifierClient) Mockito.mock(SecretKeyVerifierClient.class);
        newTestSubject(tokenDisabled(), secretKeyVerifierClient).verify("anyUser", anyToken(), verifiedRequest(newTokenId()));
        ((SecretKeyVerifierClient) Mockito.verify(secretKeyVerifierClient, Mockito.never())).getSecretKey((UUID) ArgumentMatchers.any());
    }

    @Test
    public void skipsVerificationForMiscCommands() throws IOException {
        SecretKeyVerifierClient secretKeyVerifierClient = (SecretKeyVerifierClient) Mockito.mock(SecretKeyVerifierClient.class);
        newTestSubject(tokenEnabled(), secretKeyVerifierClient).verify("anyUser", anyToken(), unverifiedRequest());
        ((SecretKeyVerifierClient) Mockito.verify(secretKeyVerifierClient, Mockito.never())).getSecretKey((UUID) ArgumentMatchers.any());
    }

    @Test
    public void rejectsExpiredSecretKey() throws Exception {
        SecretKeyVerifierClient secretKeyVerifierClient = (SecretKeyVerifierClient) Mockito.mock(SecretKeyVerifierClient.class);
        Instant minus = Instant.now().minus((TemporalAmount) Duration.ofHours(1L));
        Mockito.when(secretKeyVerifierClient.getSecretKey(SECRET_KEY_ID)).thenReturn(new ManagedSecretKey(UUID.randomUUID(), minus, minus, (SecretKey) Mockito.mock(SecretKey.class)));
        T newTokenId = newTokenId();
        ContainerProtos.ContainerCommandRequestProto verifiedRequest = verifiedRequest(newTokenId);
        TokenVerifier newTestSubject = newTestSubject(tokenEnabled(), secretKeyVerifierClient);
        Token generateToken = new MockTokenManager().generateToken(newTokenId);
        MatcherAssert.assertThat(Assertions.assertThrows(BlockTokenException.class, () -> {
            newTestSubject.verify("anyUser", generateToken, verifiedRequest);
        }).getMessage(), CoreMatchers.containsString("expired secret key"));
    }

    @Test
    public void rejectsTokenWithInvalidSecretId() throws Exception {
        SecretKeyVerifierClient secretKeyVerifierClient = (SecretKeyVerifierClient) Mockito.mock(SecretKeyVerifierClient.class);
        Mockito.when(secretKeyVerifierClient.getSecretKey(SECRET_KEY_ID)).thenReturn((Object) null);
        T newTokenId = newTokenId();
        ContainerProtos.ContainerCommandRequestProto verifiedRequest = verifiedRequest(newTokenId);
        TokenVerifier newTestSubject = newTestSubject(tokenEnabled(), secretKeyVerifierClient);
        Token generateToken = new MockTokenManager().generateToken(newTokenId);
        MatcherAssert.assertThat(Assertions.assertThrows(BlockTokenException.class, () -> {
            newTestSubject.verify("anyUser", generateToken, verifiedRequest);
        }).getMessage(), CoreMatchers.containsString("Can't find the signing secret key"));
    }

    @Test
    public void rejectsInvalidSignature() throws Exception {
        SecretKeyVerifierClient mockSecretKeyClient = mockSecretKeyClient(false);
        MockTokenManager mockTokenManager = new MockTokenManager();
        T newTokenId = newTokenId();
        Token generateToken = mockTokenManager.generateToken(newTokenId);
        ContainerProtos.ContainerCommandRequestProto verifiedRequest = verifiedRequest(newTokenId);
        TokenVerifier newTestSubject = newTestSubject(tokenEnabled(), mockSecretKeyClient);
        MatcherAssert.assertThat(Assertions.assertThrows(BlockTokenException.class, () -> {
            newTestSubject.verify("anyUser", generateToken, verifiedRequest);
        }).getMessage(), CoreMatchers.containsString("Invalid token for user"));
    }

    @NotNull
    private SecretKeyVerifierClient mockSecretKeyClient(boolean z) throws IOException {
        SecretKeyVerifierClient secretKeyVerifierClient = (SecretKeyVerifierClient) Mockito.mock(SecretKeyVerifierClient.class);
        ManagedSecretKey managedSecretKey = (ManagedSecretKey) Mockito.mock(ManagedSecretKey.class);
        Mockito.when(secretKeyVerifierClient.getSecretKey(SECRET_KEY_ID)).thenReturn(managedSecretKey);
        Mockito.when(Boolean.valueOf(managedSecretKey.isValidSignature((TokenIdentifier) ArgumentMatchers.any(), (byte[]) ArgumentMatchers.any()))).thenReturn(Boolean.valueOf(z));
        return secretKeyVerifierClient;
    }

    @Test
    public void rejectsExpiredToken() throws Exception {
        SecretKeyVerifierClient mockSecretKeyClient = mockSecretKeyClient(true);
        MockTokenManager mockTokenManager = new MockTokenManager();
        T expired = expired(newTokenId());
        ContainerProtos.ContainerCommandRequestProto verifiedRequest = verifiedRequest(expired);
        Token generateToken = mockTokenManager.generateToken(expired);
        TokenVerifier newTestSubject = newTestSubject(tokenEnabled(), mockSecretKeyClient);
        MatcherAssert.assertThat(Assertions.assertThrows(BlockTokenException.class, () -> {
            newTestSubject.verify("anyUser", generateToken, verifiedRequest);
        }).getMessage(), CoreMatchers.containsString("Expired token for user"));
    }

    @Test
    public void acceptsValidToken() throws Exception {
        SecurityConfig securityConfig = tokenEnabled();
        SecretKeyVerifierClient mockSecretKeyClient = mockSecretKeyClient(true);
        MockTokenManager mockTokenManager = new MockTokenManager();
        T valid = valid(newTokenId());
        ContainerProtos.ContainerCommandRequestProto verifiedRequest = verifiedRequest(valid);
        newTestSubject(securityConfig, mockSecretKeyClient).verify("anyUser", mockTokenManager.generateToken(valid), verifiedRequest);
    }

    private T expired(T t) {
        t.setExpiry(Instant.now().minusSeconds(3600L));
        return t;
    }

    private T valid(T t) {
        t.setExpiry(Instant.now().plusSeconds(3600L));
        return t;
    }

    protected SecurityConfig tokenDisabled() {
        return getSecurityConfig(false);
    }

    protected SecurityConfig tokenEnabled() {
        return getSecurityConfig(true);
    }

    private SecurityConfig getSecurityConfig(boolean z) {
        OzoneConfiguration ozoneConfiguration = new OzoneConfiguration();
        ozoneConfiguration.setBoolean(tokenEnabledConfigKey(), z);
        return new SecurityConfig(ozoneConfiguration);
    }

    private static Token<?> anyToken() {
        return new Token<>();
    }
}
