package org.apache.hadoop.hdds.scm.security;

import java.io.File;
import java.io.IOException;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.LocalDateTime;
import java.time.format.DateTimeParseException;
import java.time.temporal.TemporalAmount;
import java.util.Calendar;
import java.util.Date;
import java.util.UUID;
import java.util.concurrent.TimeoutException;
import org.apache.commons.lang3.StringUtils;
import org.apache.hadoop.fs.FileUtil;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.hdds.protocolPB.SCMSecurityProtocolClientSideTranslatorPB;
import org.apache.hadoop.hdds.scm.ha.SCMContext;
import org.apache.hadoop.hdds.scm.ha.SCMHAManager;
import org.apache.hadoop.hdds.scm.ha.SCMRatisServerImpl;
import org.apache.hadoop.hdds.scm.ha.SCMServiceManager;
import org.apache.hadoop.hdds.scm.ha.SequenceIdGenerator;
import org.apache.hadoop.hdds.scm.ha.StatefulServiceStateManager;
import org.apache.hadoop.hdds.scm.server.SCMSecurityProtocolServer;
import org.apache.hadoop.hdds.scm.server.SCMStorageConfig;
import org.apache.hadoop.hdds.scm.server.StorageContainerManager;
import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.CertInfo;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateServer;
import org.apache.hadoop.hdds.security.x509.certificate.client.SCMCertificateClient;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec;
import org.apache.hadoop.hdds.security.x509.certificate.utils.SelfSignedCertificate;
import org.apache.hadoop.security.ssl.KeyStoreTestUtil;
import org.apache.ozone.test.GenericTestUtils;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.mockito.Mockito;
import org.slf4j.event.Level;

/* loaded from: input_file:org/apache/hadoop/hdds/scm/security/TestRootCARotationManager.class */
public class TestRootCARotationManager {
    private OzoneConfiguration ozoneConfig;
    private SecurityConfig securityConfig;
    private RootCARotationManager rootCARotationManager;
    private StorageContainerManager scm;
    private SCMCertificateClient scmCertClient;
    private SCMServiceManager scmServiceManager;
    private SCMHAManager scmhaManager;
    private SCMContext scmContext;
    private SequenceIdGenerator sequenceIdGenerator;
    private SCMStorageConfig scmStorageConfig;
    private SCMSecurityProtocolServer scmSecurityProtocolServer;
    private RootCARotationHandlerImpl handler;
    private StatefulServiceStateManager statefulServiceStateManager;
    private File testDir;
    private String cID = UUID.randomUUID().toString();
    private String scmID = UUID.randomUUID().toString();
    private BigInteger certID = new BigInteger("1");

    @BeforeEach
    public void init() throws IOException, TimeoutException, CertificateException {
        this.ozoneConfig = new OzoneConfiguration();
        this.testDir = GenericTestUtils.getTestDir(TestRootCARotationManager.class.getSimpleName() + UUID.randomUUID());
        this.ozoneConfig.set("ozone.metadata.dirs", this.testDir.getAbsolutePath());
        this.ozoneConfig.setBoolean("hdds.x509.grace.duration.token.checks.enabled", false);
        this.ozoneConfig.setBoolean("hdds.x509.ca.rotation.enabled", true);
        this.scm = (StorageContainerManager) Mockito.mock(StorageContainerManager.class);
        this.securityConfig = new SecurityConfig(this.ozoneConfig);
        this.scmCertClient = new SCMCertificateClient(this.securityConfig, (SCMSecurityProtocolClientSideTranslatorPB) null, this.scmID, this.cID, this.certID.toString(), "localhost");
        this.scmServiceManager = new SCMServiceManager();
        this.scmContext = (SCMContext) Mockito.mock(SCMContext.class);
        this.scmhaManager = (SCMHAManager) Mockito.mock(SCMHAManager.class);
        this.sequenceIdGenerator = (SequenceIdGenerator) Mockito.mock(SequenceIdGenerator.class);
        this.scmStorageConfig = new SCMStorageConfig(this.ozoneConfig);
        this.scmStorageConfig.setScmId(this.scmID);
        this.scmStorageConfig.setClusterId(this.cID);
        this.scmSecurityProtocolServer = (SCMSecurityProtocolServer) Mockito.mock(SCMSecurityProtocolServer.class);
        this.handler = (RootCARotationHandlerImpl) Mockito.mock(RootCARotationHandlerImpl.class);
        this.statefulServiceStateManager = (StatefulServiceStateManager) Mockito.mock(StatefulServiceStateManager.class);
        Mockito.when(Boolean.valueOf(this.scmContext.isLeader())).thenReturn(true);
        Mockito.when(this.scm.getConfiguration()).thenReturn(this.ozoneConfig);
        Mockito.when(this.scm.getScmCertificateClient()).thenReturn(this.scmCertClient);
        Mockito.when(this.scm.getScmContext()).thenReturn(this.scmContext);
        Mockito.when(this.scm.getSCMServiceManager()).thenReturn(this.scmServiceManager);
        Mockito.when(this.scm.getScmHAManager()).thenReturn(this.scmhaManager);
        Mockito.when(this.scmhaManager.getRatisServer()).thenReturn(Mockito.mock(SCMRatisServerImpl.class));
        Mockito.when(this.scm.getSequenceIdGen()).thenReturn(this.sequenceIdGenerator);
        Mockito.when(Long.valueOf(this.sequenceIdGenerator.getNextId(Mockito.anyString()))).thenReturn(2L);
        Mockito.when(this.scm.getScmStorageConfig()).thenReturn(this.scmStorageConfig);
        Mockito.when(this.scm.getSecurityProtocolServer()).thenReturn(this.scmSecurityProtocolServer);
        ((SCMSecurityProtocolServer) Mockito.doNothing().when(this.scmSecurityProtocolServer)).setRootCertificateServer((CertificateServer) Mockito.anyObject());
        ((RootCARotationHandlerImpl) Mockito.doNothing().when(this.handler)).rotationPrepare(Mockito.anyString());
        Mockito.when(this.scm.getStatefulServiceStateManager()).thenReturn(this.statefulServiceStateManager);
        Mockito.when(this.statefulServiceStateManager.readConfiguration(Mockito.anyString())).thenReturn((Object) null);
    }

    @AfterEach
    public void tearDown() throws Exception {
        if (this.rootCARotationManager != null) {
            this.rootCARotationManager.stop();
        }
        FileUtil.fullyDelete(this.testDir);
    }

    @Test
    public void testProperties() {
        this.ozoneConfig.set("hdds.x509.ca.rotation.check.interval", "P28");
        try {
            this.rootCARotationManager = new RootCARotationManager(this.scm);
            Assertions.fail("Should fail");
        } catch (Exception e) {
            Assertions.assertTrue(e instanceof DateTimeParseException);
        }
        this.ozoneConfig.set("hdds.x509.ca.rotation.check.interval", "P28D");
        try {
            this.rootCARotationManager = new RootCARotationManager(this.scm);
            Assertions.fail("Should fail");
        } catch (Exception e2) {
            Assertions.assertTrue(e2 instanceof IllegalArgumentException);
            Assertions.assertTrue(e2.getMessage().contains("should be smaller than"));
        }
        this.ozoneConfig.set("hdds.x509.ca.rotation.check.interval", "P1D");
        this.ozoneConfig.set("hdds.x509.ca.rotation.time-of-day", "01:00");
        try {
            this.rootCARotationManager = new RootCARotationManager(this.scm);
            Assertions.fail("Should fail");
        } catch (Exception e3) {
            Assertions.assertTrue(e3 instanceof IllegalArgumentException);
            Assertions.assertTrue(e3.getMessage().contains("should follow the hh:mm:ss format"));
        }
        this.ozoneConfig.set("hdds.x509.ca.rotation.check.interval", "P1D");
        this.ozoneConfig.set("hdds.x509.ca.rotation.time-of-day", "01:00:00");
        try {
            this.rootCARotationManager = new RootCARotationManager(this.scm);
        } catch (Exception e4) {
            Assertions.fail("Should succeed");
        }
        this.ozoneConfig.setBoolean("hdds.x509.ca.rotation.enabled", false);
        this.ozoneConfig.set("hdds.x509.ca.rotation.check.interval", "P28D");
        try {
            this.rootCARotationManager = new RootCARotationManager(this.scm);
        } catch (Exception e5) {
            Assertions.fail("Should succeed");
        }
    }

    @Test
    public void testRotationOnSchedule() throws Exception {
        this.ozoneConfig.set("hdds.x509.ca.rotation.check.interval", "PT2S");
        this.ozoneConfig.set("hdds.x509.renew.grace.duration", "PT15S");
        this.ozoneConfig.set("hdds.x509.ca.rotation.ack.timeout", "PT2S");
        this.ozoneConfig.set("hdds.x509.expired.certificate.check.interval", "PT15S");
        Date time = Calendar.getInstance().getTime();
        time.setSeconds(time.getSeconds() + 10);
        this.ozoneConfig.set("hdds.x509.ca.rotation.time-of-day", String.format("%02d", Integer.valueOf(time.getHours())) + ":" + String.format("%02d", Integer.valueOf(time.getMinutes())) + ":" + String.format("%02d", Integer.valueOf(time.getSeconds())));
        X509Certificate generateX509Cert = generateX509Cert(this.ozoneConfig, LocalDateTime.now(), Duration.ofSeconds(35L));
        this.scmCertClient.setCACertificate(generateX509Cert);
        this.rootCARotationManager = new RootCARotationManager(this.scm);
        this.rootCARotationManager.setRootCARotationHandler(this.handler);
        GenericTestUtils.LogCapturer captureLogs = GenericTestUtils.LogCapturer.captureLogs(RootCARotationManager.LOG);
        GenericTestUtils.setLogLevel(RootCARotationManager.LOG, Level.INFO);
        this.rootCARotationManager.start();
        this.rootCARotationManager.notifyStatusChanged();
        String str = "Root certificate " + generateX509Cert.getSerialNumber().toString() + " rotation is started.";
        GenericTestUtils.waitFor(() -> {
            return !captureLogs.getOutput().contains("Start the rotation immediately") && captureLogs.getOutput().contains(str);
        }, 100, 10000);
        Assertions.assertEquals(1, StringUtils.countMatches(captureLogs.getOutput(), str));
    }

    @Test
    public void testRotationImmediately() throws Exception {
        this.ozoneConfig.set("hdds.x509.ca.rotation.check.interval", "PT2S");
        this.ozoneConfig.set("hdds.x509.renew.grace.duration", "PT15S");
        this.ozoneConfig.set("hdds.x509.ca.rotation.ack.timeout", "PT2S");
        Date time = Calendar.getInstance().getTime();
        time.setMinutes(time.getMinutes() + 5);
        this.ozoneConfig.set("hdds.x509.ca.rotation.time-of-day", String.format("%02d", Integer.valueOf(time.getHours())) + ":" + String.format("%02d", Integer.valueOf(time.getMinutes())) + ":" + String.format("%02d", Integer.valueOf(time.getSeconds())));
        X509Certificate generateX509Cert = generateX509Cert(this.ozoneConfig, LocalDateTime.now(), Duration.ofSeconds(35L));
        this.scmCertClient.setCACertificate(generateX509Cert);
        this.rootCARotationManager = new RootCARotationManager(this.scm);
        this.rootCARotationManager.setRootCARotationHandler(this.handler);
        GenericTestUtils.LogCapturer captureLogs = GenericTestUtils.LogCapturer.captureLogs(RootCARotationManager.LOG);
        GenericTestUtils.setLogLevel(RootCARotationManager.LOG, Level.INFO);
        this.rootCARotationManager.start();
        this.rootCARotationManager.notifyStatusChanged();
        GenericTestUtils.waitFor(() -> {
            return captureLogs.getOutput().contains("Start the rotation immediately") && captureLogs.getOutput().contains(new StringBuilder().append("Root certificate ").append(generateX509Cert.getSerialNumber().toString()).append(" rotation is started.").toString());
        }, 100, 10000);
    }

    @Test
    public void testPostProcessingCheck() throws Exception {
        this.ozoneConfig.set("hdds.x509.ca.rotation.check.interval", "PT2S");
        this.ozoneConfig.set("hdds.x509.renew.grace.duration", "PT20S");
        this.ozoneConfig.set("hdds.x509.ca.rotation.ack.timeout", "PT5S");
        this.ozoneConfig.set("hdds.x509.rootca.certificate.polling.interval", "PT10S");
        Date time = Calendar.getInstance().getTime();
        time.setMinutes(time.getMinutes() + 5);
        this.ozoneConfig.set("hdds.x509.ca.rotation.time-of-day", String.format("%02d", Integer.valueOf(time.getHours())) + ":" + String.format("%02d", Integer.valueOf(time.getMinutes())) + ":" + String.format("%02d", Integer.valueOf(time.getSeconds())));
        X509Certificate generateX509Cert = generateX509Cert(this.ozoneConfig, LocalDateTime.now(), Duration.ofSeconds(90L));
        this.scmCertClient.setCACertificate(generateX509Cert);
        new CertificateCodec(this.securityConfig, "scm/sub-ca").writeCertificate(CertificateCodec.getCertificateHolder(generateX509Cert));
        this.rootCARotationManager = new RootCARotationManager(this.scm);
        this.rootCARotationManager.setRootCARotationHandler(this.handler);
        GenericTestUtils.LogCapturer captureLogs = GenericTestUtils.LogCapturer.captureLogs(RootCARotationManager.LOG);
        GenericTestUtils.setLogLevel(RootCARotationManager.LOG, Level.INFO);
        this.rootCARotationManager.start();
        this.rootCARotationManager.notifyStatusChanged();
        GenericTestUtils.waitFor(() -> {
            return captureLogs.getOutput().contains("No RootCARotationManager configuration found in stateful storage");
        }, 100, 10000);
        Mockito.when(this.statefulServiceStateManager.readConfiguration(Mockito.anyString())).thenReturn(new CertInfo.Builder().setX509Certificate(generateX509Cert).setTimestamp(generateX509Cert.getNotBefore().getTime()).build().getProtobuf().toByteString());
        captureLogs.clearOutput();
        Mockito.when(Boolean.valueOf(this.scmContext.isLeader())).thenReturn(false);
        this.rootCARotationManager.notifyStatusChanged();
        Mockito.when(Boolean.valueOf(this.scmContext.isLeader())).thenReturn(true);
        this.rootCARotationManager.notifyStatusChanged();
        GenericTestUtils.waitFor(() -> {
            return captureLogs.getOutput().contains("isPostProcessing is true for");
        }, 100, 20000);
        captureLogs.clearOutput();
        Mockito.when(Boolean.valueOf(this.scmContext.isLeader())).thenReturn(false);
        this.rootCARotationManager.notifyStatusChanged();
        GenericTestUtils.waitFor(() -> {
            return captureLogs.getOutput().contains("disable monitor task");
        }, 100, 20000);
        captureLogs.clearOutput();
        Mockito.when(Boolean.valueOf(this.scmContext.isLeader())).thenReturn(true);
        this.rootCARotationManager.notifyStatusChanged();
        GenericTestUtils.waitFor(() -> {
            return captureLogs.getOutput().contains("isPostProcessing is true for");
        }, 100, 20000);
        ((StatefulServiceStateManager) Mockito.doNothing().when(this.statefulServiceStateManager)).deleteConfiguration(Mockito.anyString());
        GenericTestUtils.waitFor(() -> {
            return captureLogs.getOutput().contains("isPostProcessing is false") && captureLogs.getOutput().contains("Stateful configuration is deleted");
        }, 100, 20000);
        ((StatefulServiceStateManager) Mockito.verify(this.statefulServiceStateManager, Mockito.times(1))).deleteConfiguration(Mockito.anyString());
    }

    private X509Certificate generateX509Cert(OzoneConfiguration ozoneConfiguration, LocalDateTime localDateTime, Duration duration) throws Exception {
        KeyPair generateKeyPair = KeyStoreTestUtil.generateKeyPair("RSA");
        LocalDateTime now = localDateTime == null ? LocalDateTime.now() : localDateTime;
        return new JcaX509CertificateConverter().getCertificate(SelfSignedCertificate.newBuilder().setBeginDate(now).setEndDate(now.plus((TemporalAmount) duration)).setScmID(this.scmID).setClusterID(this.cID).setSubject("localhost").setConfiguration(new SecurityConfig(ozoneConfiguration)).setKey(generateKeyPair).makeCA(this.certID).build());
    }
}
