package org.apache.hadoop.hdds.scm.server;

import java.io.IOException;
import java.math.BigInteger;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.security.KeyPair;
import java.security.cert.X509CRLEntry;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Date;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.hdds.protocol.proto.HddsProtos;
import org.apache.hadoop.hdds.scm.ha.SCMRatisServer;
import org.apache.hadoop.hdds.scm.metadata.SCMMetadataStore;
import org.apache.hadoop.hdds.scm.metadata.SCMMetadataStoreImpl;
import org.apache.hadoop.hdds.scm.server.SCMCertStore;
import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.CertificateTestUtils;
import org.apache.hadoop.hdds.security.x509.certificate.CertInfo;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CRLApprover;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateStore;
import org.apache.hadoop.hdds.security.x509.certificate.authority.DefaultCRLApprover;
import org.apache.hadoop.hdds.security.x509.crl.CRLInfo;
import org.apache.hadoop.hdds.utils.db.Table;
import org.apache.hadoop.hdds.utils.db.TableIterator;
import org.apache.hadoop.security.ssl.KeyStoreTestUtil;
import org.bouncycastle.asn1.x509.CRLReason;
import org.bouncycastle.cert.X509CertificateHolder;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.io.TempDir;

/* loaded from: input_file:org/apache/hadoop/hdds/scm/server/TestSCMCertStore.class */
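/**
 * Tests for {@code SCMCertStore}: storing valid certificates, revoking them
 * through signed CRLs, listing by node type and purging expired entries.
 *
 * <p>Each test gets a fresh {@code SCMMetadataStoreImpl} rooted in a JUnit
 * temp directory (see {@link #setUp(Path)}), so tests do not share state.
 */
public class TestSCMCertStore {
    private static final String COMPONENT_NAME = "scm";
    /** Key under which the store persists the CRL sequence counter. */
    private static final String CRL_SEQUENCE_ID_KEY = "CRL_SEQUENCE_ID";
    /** Sequence id the store is built with; the first issued CRL is expected to get INITIAL_SEQUENCE_ID + 1. */
    private static final long INITIAL_SEQUENCE_ID = 1L;
    /** How far in the future the deferred-revocation test places the revocation time. */
    private static final long FUTURE_REVOCATION_OFFSET_MS = 500L;
    /** Page size passed to listCertificate; every test stores fewer than this many certs. */
    private static final int LIST_PAGE_SIZE = 10;

    private OzoneConfiguration config;
    private SCMMetadataStore scmMetadataStore;
    private CertificateStore scmCertStore;
    private SecurityConfig securityConfig;
    private X509Certificate x509Certificate;
    private KeyPair keyPair;
    private CRLApprover crlApprover;

    /**
     * Builds a metadata store under {@code path}, an {@code SCMCertStore} on
     * top of it (no Ratis server), one RSA key pair, one test certificate and
     * a CRL approver that signs with that key pair's private key.
     *
     * @param path JUnit-managed temp directory used as the metadata dir
     * @throws Exception if key generation, store creation or directory creation fails
     */
    @BeforeEach
    public void setUp(@TempDir Path path) throws Exception {
        config = new OzoneConfiguration();
        config.set("ozone.metadata.dirs", path.toAbsolutePath().toString());
        securityConfig = new SecurityConfig(config);
        keyPair = KeyStoreTestUtil.generateKeyPair("RSA");
        scmMetadataStore = new SCMMetadataStoreImpl(config);
        scmCertStore = new SCMCertStore.Builder()
            .setRatisServer((SCMRatisServer) null)
            .setCRLSequenceId(INITIAL_SEQUENCE_ID)
            .setMetadaStore(scmMetadataStore)
            .build();
        // The approver signs CRLs with keys kept under the component's key location.
        Files.createDirectories(securityConfig.getKeyLocation(COMPONENT_NAME));
        x509Certificate = generateX509Cert();
        crlApprover = new DefaultCRLApprover(securityConfig, keyPair.getPrivate());
    }

    /**
     * Closes the underlying DB store so the temp directory can be deleted.
     *
     * @throws Exception if closing the store fails
     */
    @AfterEach
    public void destroyDbStore() throws Exception {
        if (scmMetadataStore.getStore() != null) {
            scmMetadataStore.getStore().close();
        }
    }

    /**
     * Revoking a stored certificate must move it from the valid-certs table to
     * the revoked-certs table, issue exactly one CRL carrying its serial, and
     * advance the persisted CRL sequence id. Re-revoking an already revoked
     * serial must be a no-op (empty result, no new CRL). A second batch
     * revocation must produce a second CRL listing exactly the revoked serials
     * and leave the untouched certificate as the only valid one.
     *
     * @throws Exception on any store or crypto failure
     */
    @Test
    public void testRevokeCertificates() throws Exception {
        BigInteger serialNumber = x509Certificate.getSerialNumber();
        scmCertStore.storeValidCertificate(serialNumber, x509Certificate, HddsProtos.NodeType.SCM);
        Date revocationTime = new Date();
        Assertions.assertNotNull(
            scmCertStore.getCertificateByID(serialNumber, CertificateStore.CertType.VALID_CERTS));

        // The CRL is issued in the name of this CA certificate holder.
        X509CertificateHolder caCertHolder = new X509CertificateHolder(generateX509Cert().getEncoded());
        List<BigInteger> firstBatch = new ArrayList<>();
        firstBatch.add(serialNumber);

        Optional<Long> firstResult = revoke(firstBatch, caCertHolder, CRLReason.keyCompromise, revocationTime);
        Assertions.assertTrue(firstResult.isPresent());
        long firstCrlId = firstResult.get();
        Assertions.assertEquals(INITIAL_SEQUENCE_ID + 1, firstCrlId);

        // The certificate must have left the valid table and landed in the revoked table with a timestamp.
        Assertions.assertNull(
            scmCertStore.getCertificateByID(serialNumber, CertificateStore.CertType.VALID_CERTS));
        CertInfo revokedInfo = scmCertStore.getRevokedCertificateInfoByID(serialNumber);
        Assertions.assertNotNull(revokedInfo);
        Assertions.assertNotNull(revokedInfo.getX509Certificate());
        Assertions.assertTrue(revokedInfo.getTimestamp() > 0, "Timestamp should be greater than 0");

        // Exactly one CRL exists, it is the latest, and it is persisted under the returned id.
        long latestCrlId = scmCertStore.getLatestCrlId();
        Assertions.assertEquals(firstCrlId, latestCrlId);
        List<CRLInfo> crls = scmCertStore.getCrls(Arrays.asList(latestCrlId));
        Assertions.assertEquals(1, crls.size());
        Assertions.assertNotNull(scmMetadataStore.getCRLInfoTable().get(firstCrlId));
        Assertions.assertEquals(INITIAL_SEQUENCE_ID + 1, currentCrlSequenceId());

        CRLInfo firstCrl = crls.get(0);
        Assertions.assertEquals(firstCrl.getCrlSequenceID(), firstCrlId);
        Set<? extends X509CRLEntry> firstEntries = firstCrl.getX509CRL().getRevokedCertificates();
        Assertions.assertEquals(1L, firstEntries.size());
        Assertions.assertEquals(serialNumber, firstEntries.iterator().next().getSerialNumber());

        // Revoking the same serial again must not issue another CRL.
        Assertions.assertFalse(
            revoke(firstBatch, caCertHolder, CRLReason.unspecified, revocationTime).isPresent());
        Assertions.assertEquals(1L, getTableSize(scmMetadataStore.getCRLInfoTable()));

        // Store three more certificates and revoke the first two of them in one batch.
        List<BigInteger> serials = new ArrayList<>();
        for (int i = 0; i < 3; i++) {
            X509Certificate cert = generateX509Cert();
            scmCertStore.storeValidCertificate(cert.getSerialNumber(), cert, HddsProtos.NodeType.SCM);
            serials.add(cert.getSerialNumber());
        }
        Optional<Long> secondResult =
            revoke(serials.subList(0, 2), caCertHolder, CRLReason.aACompromise, revocationTime);
        Assertions.assertTrue(secondResult.isPresent());
        long secondCrlId = secondResult.get();
        Assertions.assertEquals(secondCrlId, scmCertStore.getLatestCrlId());
        Assertions.assertEquals(INITIAL_SEQUENCE_ID + 2, secondCrlId);
        Assertions.assertEquals(INITIAL_SEQUENCE_ID + 2, currentCrlSequenceId());

        CRLInfo secondCrl = scmCertStore.getCrls(Arrays.asList(INITIAL_SEQUENCE_ID + 2)).get(0);
        Set<? extends X509CRLEntry> secondEntries = secondCrl.getX509CRL().getRevokedCertificates();
        Assertions.assertEquals(2L, secondEntries.size());
        // Check membership explicitly: an Optional from findAny() is never null, so
        // assertNotNull on it would pass even if the serial were missing from the CRL.
        Assertions.assertTrue(containsSerial(secondEntries, serials.get(0)),
            "CRL should list serial " + serials.get(0));
        Assertions.assertTrue(containsSerial(secondEntries, serials.get(1)),
            "CRL should list serial " + serials.get(1));
        Assertions.assertEquals(secondCrl.getCrlSequenceID(), secondCrlId);

        // Only the third certificate of the batch is still valid.
        try (TableIterator<BigInteger, ? extends Table.KeyValue<BigInteger, X509Certificate>> it =
                 scmMetadataStore.getValidCertsTable().iterator()) {
            Assertions.assertTrue(it.hasNext());
            Assertions.assertEquals(serials.get(2), it.next().getKey());
            Assertions.assertFalse(it.hasNext());
        }
        Assertions.assertEquals(3L, getTableSize(scmMetadataStore.getRevokedCertsV2Table()));
    }

    /**
     * A revocation whose time lies in the future must still issue a CRL (and
     * consume a sequence id) but must not yet move the certificate out of the
     * valid table or create a revoked-cert entry.
     *
     * @throws Exception on any store or crypto failure
     */
    @Test
    public void testRevokeCertificatesForFutureTime() throws Exception {
        BigInteger serialNumber = x509Certificate.getSerialNumber();
        scmCertStore.storeValidCertificate(serialNumber, x509Certificate, HddsProtos.NodeType.SCM);
        // NOTE(review): the assertions below assume the store defers the table
        // update until the revocation time; a run slower than the offset could
        // cross that window and fail here — confirm against SCMCertStore.
        Date futureRevocationTime = new Date(System.currentTimeMillis() + FUTURE_REVOCATION_OFFSET_MS);
        X509CertificateHolder caCertHolder = new X509CertificateHolder(generateX509Cert().getEncoded());
        List<BigInteger> toRevoke = new ArrayList<>();
        toRevoke.add(serialNumber);

        Optional<Long> result = revoke(toRevoke, caCertHolder, CRLReason.keyCompromise, futureRevocationTime);
        Assertions.assertTrue(result.isPresent());
        Assertions.assertEquals(INITIAL_SEQUENCE_ID + 1, result.get().longValue());
        Assertions.assertNotNull(
            scmCertStore.getCertificateByID(serialNumber, CertificateStore.CertType.VALID_CERTS));
        Assertions.assertNull(scmCertStore.getRevokedCertificateInfoByID(serialNumber));
    }

    /**
     * Issues a certificate for {@code CN=Test} signed with the test key pair,
     * valid for 30 days.
     *
     * @return a freshly generated certificate with its own serial number
     * @throws Exception if certificate generation fails
     */
    private X509Certificate generateX509Cert() throws Exception {
        return KeyStoreTestUtil.generateCertificate("CN=Test", keyPair, 30, "SHA256withRSA");
    }

    /**
     * Revokes {@code serials} via the store, signing the CRL with the test approver.
     *
     * @param serials serial numbers to revoke
     * @param caCertHolder issuer certificate placed on the CRL
     * @param reasonCode a {@link CRLReason} reason code constant
     * @param revocationTime when the revocation takes effect
     * @return the new CRL's sequence id, or empty if the store issued no CRL
     * @throws Exception on any store or crypto failure
     */
    private Optional<Long> revoke(List<BigInteger> serials, X509CertificateHolder caCertHolder,
                                  int reasonCode, Date revocationTime) throws Exception {
        return scmCertStore.revokeCertificates(
            serials, caCertHolder, CRLReason.lookup(reasonCode), revocationTime, crlApprover);
    }

    /**
     * Reads the persisted CRL sequence counter.
     *
     * @return the value stored under {@code CRL_SEQUENCE_ID}
     * @throws Exception if the table read fails
     */
    private long currentCrlSequenceId() throws Exception {
        Long sequenceId = (Long) scmMetadataStore.getCRLSequenceIdTable().get(CRL_SEQUENCE_ID_KEY);
        Assertions.assertNotNull(sequenceId, "CRL sequence id should be persisted");
        return sequenceId;
    }

    /**
     * @return whether any entry of {@code entries} carries {@code serial}
     */
    private static boolean containsSerial(Set<? extends X509CRLEntry> entries, BigInteger serial) {
        return entries.stream().anyMatch(entry -> serial.equals(entry.getSerialNumber()));
    }

    /**
     * Counts the entries of {@code table} by exhausting a fresh iterator.
     *
     * @param table table to count
     * @return number of key/value pairs in the table
     * @throws IOException if iteration fails
     */
    private long getTableSize(Table<?, ?> table) throws IOException {
        long count = 0;
        try (TableIterator<?, ?> it = table.iterator()) {
            while (it.hasNext()) {
                it.next();
                count++;
            }
        }
        return count;
    }

    /**
     * Certificates stored for any node type must show up in the valid-cert
     * listing; the expected counts follow the listing semantics exercised
     * upstream (OM listing reports all non-SCM certificates as well).
     *
     * @throws Exception on any store or crypto failure
     */
    @Test
    public void testGetAndListCertificates() throws Exception {
        storeNewCertificate(HddsProtos.NodeType.SCM);
        checkListCerts(HddsProtos.NodeType.SCM, 1);
        storeNewCertificate(HddsProtos.NodeType.SCM);
        checkListCerts(HddsProtos.NodeType.SCM, 2);
        storeNewCertificate(HddsProtos.NodeType.SCM);
        checkListCerts(HddsProtos.NodeType.SCM, 3);
        storeNewCertificate(HddsProtos.NodeType.OM);
        // presumably the OM listing covers every stored cert, not just OM ones — verify against SCMCertStore
        checkListCerts(HddsProtos.NodeType.OM, 4);
        storeNewCertificate(HddsProtos.NodeType.DATANODE);
        checkListCerts(HddsProtos.NodeType.OM, 5);
    }

    /**
     * {@code removeAllExpiredCertificates} must drop exactly the certificates
     * whose validity (1 ns here) has already elapsed and keep the ones that are
     * still valid.
     *
     * @throws Exception on any store or crypto failure
     */
    @Test
    public void testRemoveAllCertificates() throws Exception {
        X509Certificate validScmCert = CertificateTestUtils.createSelfSignedCert(
            keyPair, "1", Duration.ofDays(1L), BigInteger.valueOf(1L));
        X509Certificate expiredScmCert = CertificateTestUtils.createSelfSignedCert(
            keyPair, "2", Duration.ofNanos(1L), BigInteger.valueOf(2L));
        X509Certificate validOmCert = CertificateTestUtils.createSelfSignedCert(
            keyPair, "3", Duration.ofDays(1L), BigInteger.valueOf(3L));
        X509Certificate expiredOmCert = CertificateTestUtils.createSelfSignedCert(
            keyPair, "4", Duration.ofNanos(1L), BigInteger.valueOf(4L));

        scmCertStore.storeValidCertificate(validScmCert.getSerialNumber(), validScmCert, HddsProtos.NodeType.SCM);
        scmCertStore.storeValidCertificate(expiredScmCert.getSerialNumber(), expiredScmCert, HddsProtos.NodeType.SCM);
        scmCertStore.storeValidCertificate(validOmCert.getSerialNumber(), validOmCert, HddsProtos.NodeType.OM);
        scmCertStore.storeValidCertificate(expiredOmCert.getSerialNumber(), expiredOmCert, HddsProtos.NodeType.OM);
        checkListCerts(HddsProtos.NodeType.OM, 4);
        checkListCerts(HddsProtos.NodeType.SCM, 2);

        scmCertStore.removeAllExpiredCertificates();

        checkListCerts(HddsProtos.NodeType.OM, 2);
        checkListCerts(HddsProtos.NodeType.SCM, 1);
    }

    /**
     * Generates a certificate and stores it as valid for {@code nodeType}.
     *
     * @param nodeType role the certificate is stored under
     * @return the stored certificate
     * @throws Exception on any store or crypto failure
     */
    private X509Certificate storeNewCertificate(HddsProtos.NodeType nodeType) throws Exception {
        X509Certificate cert = generateX509Cert();
        scmCertStore.storeValidCertificate(cert.getSerialNumber(), cert, nodeType);
        return cert;
    }

    /**
     * Asserts that listing valid certificates for {@code nodeType} (first page,
     * starting at serial 0) yields {@code expectedCount} entries.
     *
     * @param nodeType role to list
     * @param expectedCount number of certificates expected on the first page
     * @throws Exception if the listing fails
     */
    private void checkListCerts(HddsProtos.NodeType nodeType, int expectedCount) throws Exception {
        List<X509Certificate> listed = scmCertStore.listCertificate(
            nodeType, BigInteger.valueOf(0L), LIST_PAGE_SIZE, CertificateStore.CertType.VALID_CERTS);
        Assertions.assertEquals(expectedCount, listed.size());
    }
}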
