package org.apache.hadoop.hdds.security.token;

import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.security.NoSuchAlgorithmException;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.EnumSet;
import java.util.UUID;
import java.util.concurrent.TimeUnit;
import org.apache.hadoop.hdds.client.BlockID;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.hdds.protocol.datanode.proto.ContainerProtos;
import org.apache.hadoop.hdds.protocol.proto.HddsProtos;
import org.apache.hadoop.hdds.scm.pipeline.MockPipeline;
import org.apache.hadoop.hdds.scm.pipeline.Pipeline;
import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.symmetric.ManagedSecretKey;
import org.apache.hadoop.hdds.security.symmetric.SecretKeySignerClient;
import org.apache.hadoop.hdds.security.symmetric.SecretKeyTestUtil;
import org.apache.hadoop.hdds.security.symmetric.SecretKeyVerifierClient;
import org.apache.hadoop.ozone.container.ContainerTestHelper;
import org.apache.hadoop.security.token.Token;
import org.apache.ozone.test.GenericTestUtils;
import org.hamcrest.CoreMatchers;
import org.hamcrest.MatcherAssert;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.mockito.ArgumentMatchers;
import org.mockito.Mockito;

/* loaded from: input_file:org/apache/hadoop/hdds/security/token/TestOzoneBlockTokenSecretManager.class */
public class TestOzoneBlockTokenSecretManager {
    private static final String BASEDIR = GenericTestUtils.getTempPath(TestOzoneBlockTokenSecretManager.class.getSimpleName());
    private static final String ALGORITHM = "HmacSHA256";
    private OzoneBlockTokenSecretManager secretManager;
    private UUID secretKeyId;
    private SecretKeyVerifierClient secretKeyClient;
    private TokenVerifier tokenVerifier;
    private Pipeline pipeline;
    private ManagedSecretKey secretKey;

    @BeforeEach
    public void setUp() throws Exception {
        this.pipeline = MockPipeline.createPipeline(3);
        OzoneConfiguration ozoneConfiguration = new OzoneConfiguration();
        ozoneConfiguration.set("ozone.metadata.dirs", BASEDIR);
        ozoneConfiguration.setBoolean("hdds.block.token.enabled", true);
        SecurityConfig securityConfig = new SecurityConfig(ozoneConfiguration);
        this.secretKey = generateValidSecretKey();
        this.secretKeyId = this.secretKey.getId();
        this.secretKeyClient = (SecretKeyVerifierClient) Mockito.mock(SecretKeyVerifierClient.class);
        SecretKeySignerClient secretKeySignerClient = (SecretKeySignerClient) Mockito.mock(SecretKeySignerClient.class);
        Mockito.when(secretKeySignerClient.getCurrentSecretKey()).thenReturn(this.secretKey);
        Mockito.when(this.secretKeyClient.getSecretKey(this.secretKeyId)).thenReturn(this.secretKey);
        this.secretManager = new OzoneBlockTokenSecretManager(TimeUnit.HOURS.toMillis(1L), secretKeySignerClient);
        this.tokenVerifier = new BlockTokenVerifier(securityConfig, this.secretKeyClient);
    }

    @Test
    public void testGenerateToken() throws Exception {
        BlockID blockID = new BlockID(101L, 0L);
        Token generateToken = this.secretManager.generateToken(blockID, EnumSet.allOf(HddsProtos.BlockTokenSecretProto.AccessModeProto.class), 100L);
        OzoneBlockTokenIdentifier readFieldsProtobuf = OzoneBlockTokenIdentifier.readFieldsProtobuf(new DataInputStream(new ByteArrayInputStream(generateToken.getIdentifier())));
        Assertions.assertEquals(OzoneBlockTokenIdentifier.getTokenService(blockID), readFieldsProtobuf.getService());
        Assertions.assertEquals(EnumSet.allOf(HddsProtos.BlockTokenSecretProto.AccessModeProto.class), readFieldsProtobuf.getAccessModes());
        Assertions.assertEquals(this.secretKeyId, readFieldsProtobuf.getSecretKeyId());
        Assertions.assertTrue(this.secretKey.isValidSignature(generateToken.getIdentifier(), generateToken.getPassword()));
    }

    @Test
    public void testCreateIdentifierSuccess() {
        BlockID blockID = new BlockID(101L, 0L);
        OzoneBlockTokenIdentifier createIdentifier = this.secretManager.createIdentifier("testUser", blockID, EnumSet.allOf(HddsProtos.BlockTokenSecretProto.AccessModeProto.class), 100L);
        Assertions.assertEquals("testUser", createIdentifier.getOwnerId());
        Assertions.assertEquals(BlockTokenVerifier.getTokenService(blockID), createIdentifier.getService());
        Assertions.assertEquals(EnumSet.allOf(HddsProtos.BlockTokenSecretProto.AccessModeProto.class), createIdentifier.getAccessModes());
        byte[] createPassword = this.secretManager.createPassword(createIdentifier);
        Assertions.assertEquals(this.secretKeyId, createIdentifier.getSecretKeyId());
        Assertions.assertTrue(this.secretKey.isValidSignature(createIdentifier.getBytes(), createPassword));
    }

    @Test
    public void tokenCanBeUsedForSpecificBlock() throws Exception {
        BlockID blockID = new BlockID(101L, 0L);
        Token generateToken = this.secretManager.generateToken("testUser", blockID, EnumSet.allOf(HddsProtos.BlockTokenSecretProto.AccessModeProto.class), 100L);
        String encodeToUrlString = generateToken.encodeToUrlString();
        this.tokenVerifier.verify("testUser", generateToken, ContainerTestHelper.newPutBlockRequestBuilder(this.pipeline, ContainerTestHelper.newWriteChunkRequestBuilder(this.pipeline, blockID, 100).setEncodedToken(encodeToUrlString).build().getWriteChunk()).setEncodedToken(encodeToUrlString).build());
    }

    @Test
    public void tokenCannotBeUsedForOtherBlock() throws Exception {
        BlockID blockID = new BlockID(101L, 0L);
        BlockID blockID2 = new BlockID(102L, 0L);
        Token generateToken = this.secretManager.generateToken("testUser", blockID, EnumSet.allOf(HddsProtos.BlockTokenSecretProto.AccessModeProto.class), 100L);
        ContainerProtos.ContainerCommandRequestProto build = ContainerTestHelper.newWriteChunkRequestBuilder(this.pipeline, blockID2, 100).setEncodedToken(generateToken.encodeToUrlString()).build();
        MatcherAssert.assertThat(Assertions.assertThrows(BlockTokenException.class, () -> {
            this.tokenVerifier.verify("testUser", generateToken, build);
        }).getMessage(), CoreMatchers.containsString("Token for ID: " + OzoneBlockTokenIdentifier.getTokenService(blockID) + " can't be used to access: " + OzoneBlockTokenIdentifier.getTokenService(blockID2)));
    }

    @Test
    public void testBlockTokenReadAccessMode() throws Exception {
        BlockID blockID = new BlockID(101L, 0L);
        Token generateToken = this.secretManager.generateToken("testUser1", blockID, EnumSet.of(HddsProtos.BlockTokenSecretProto.AccessModeProto.READ), 100L);
        String encodeToUrlString = generateToken.encodeToUrlString();
        ContainerProtos.ContainerCommandRequestProto build = ContainerTestHelper.newPutBlockRequestBuilder(this.pipeline, ContainerTestHelper.newWriteChunkRequestBuilder(this.pipeline, blockID, 100).setEncodedToken(encodeToUrlString).build().getWriteChunk()).setEncodedToken(encodeToUrlString).build();
        ContainerProtos.ContainerCommandRequestProto blockRequest = ContainerTestHelper.getBlockRequest(this.pipeline, build.getPutBlock());
        MatcherAssert.assertThat(Assertions.assertThrows(BlockTokenException.class, () -> {
            this.tokenVerifier.verify("testUser1", generateToken, build);
        }).getMessage(), CoreMatchers.containsString("doesn't have WRITE permission"));
        this.tokenVerifier.verify("testUser1", generateToken, blockRequest);
    }

    @Test
    public void testBlockTokenWriteAccessMode() throws Exception {
        BlockID blockID = new BlockID(102L, 0L);
        Token generateToken = this.secretManager.generateToken("testUser2", blockID, EnumSet.of(HddsProtos.BlockTokenSecretProto.AccessModeProto.WRITE), 100L);
        ContainerProtos.ContainerCommandRequestProto build = ContainerTestHelper.newWriteChunkRequestBuilder(this.pipeline, blockID, 100).setEncodedToken(generateToken.encodeToUrlString()).build();
        ContainerProtos.ContainerCommandRequestProto readChunkRequest = ContainerTestHelper.getReadChunkRequest(this.pipeline, build.getWriteChunk());
        this.tokenVerifier.verify("testUser2", generateToken, build);
        MatcherAssert.assertThat(Assertions.assertThrows(BlockTokenException.class, () -> {
            this.tokenVerifier.verify("testUser2", generateToken, readChunkRequest);
        }).getMessage(), CoreMatchers.containsString("doesn't have READ permission"));
    }

    @Test
    public void testExpiredSecretKey() throws Exception {
        String str = "testUser2";
        BlockID blockID = new BlockID(102L, 0L);
        Token generateToken = this.secretManager.generateToken("testUser2", blockID, EnumSet.allOf(HddsProtos.BlockTokenSecretProto.AccessModeProto.class), 100L);
        ContainerProtos.ContainerCommandRequestProto build = ContainerTestHelper.newWriteChunkRequestBuilder(this.pipeline, blockID, 100).setEncodedToken(generateToken.encodeToUrlString()).build();
        this.tokenVerifier.verify("testUser", generateToken, build);
        Mockito.when(this.secretKeyClient.getSecretKey((UUID) ArgumentMatchers.any())).thenReturn(generateExpiredSecretKey());
        MatcherAssert.assertThat(Assertions.assertThrows(BlockTokenException.class, () -> {
            this.tokenVerifier.verify(str, generateToken, build);
        }).getMessage(), CoreMatchers.containsString("Token can't be verified due to expired secret key"));
    }

    private ManagedSecretKey generateValidSecretKey() throws NoSuchAlgorithmException {
        return SecretKeyTestUtil.generateKey(ALGORITHM, Instant.now(), Duration.ofDays(1L));
    }

    private ManagedSecretKey generateExpiredSecretKey() throws Exception {
        return SecretKeyTestUtil.generateKey(ALGORITHM, Instant.now().minus((TemporalAmount) Duration.ofDays(2L)), Duration.ofDays(1L));
    }
}
