package org.apache.hadoop.ozone.security;

import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.math.BigInteger;
import java.security.KeyPair;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.Date;
import java.util.EnumSet;
import java.util.concurrent.TimeUnit;
import org.apache.hadoop.hdds.client.BlockID;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.hdds.protocol.datanode.proto.ContainerProtos;
import org.apache.hadoop.hdds.protocol.proto.HddsProtos;
import org.apache.hadoop.hdds.scm.pipeline.MockPipeline;
import org.apache.hadoop.hdds.scm.pipeline.Pipeline;
import org.apache.hadoop.hdds.security.token.BlockTokenException;
import org.apache.hadoop.hdds.security.token.BlockTokenVerifier;
import org.apache.hadoop.hdds.security.token.OzoneBlockTokenIdentifier;
import org.apache.hadoop.hdds.security.token.TokenVerifier;
import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.hdds.security.x509.certificate.client.OMCertificateClient;
import org.apache.hadoop.ozone.container.ContainerTestHelper;
import org.apache.hadoop.security.ssl.KeyStoreTestUtil;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.util.Time;
import org.apache.ozone.test.GenericTestUtils;
import org.apache.ozone.test.LambdaTestUtils;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.AlgorithmIdentifier;
import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
import org.bouncycastle.cert.X509v1CertificateBuilder;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.crypto.util.PrivateKeyFactory;
import org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder;
import org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.bc.BcRSAContentSignerBuilder;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.mockito.ArgumentMatchers;
import org.mockito.Mockito;

/* loaded from: input_file:org/apache/hadoop/ozone/security/TestOzoneBlockTokenSecretManager.class */
public class TestOzoneBlockTokenSecretManager {
    private static final String BASEDIR = GenericTestUtils.getTempPath(TestOzoneBlockTokenSecretManager.class.getSimpleName());
    private static final String ALGORITHM = "SHA256withRSA";
    private OzoneBlockTokenSecretManager secretManager;
    private KeyPair keyPair;
    private String omCertSerialId;
    private CertificateClient client;
    private TokenVerifier tokenVerifier;
    private Pipeline pipeline;

    @Before
    public void setUp() throws Exception {
        this.pipeline = MockPipeline.createPipeline(3);
        OzoneConfiguration ozoneConfiguration = new OzoneConfiguration();
        ozoneConfiguration.set("ozone.metadata.dirs", BASEDIR);
        ozoneConfiguration.setBoolean("hdds.block.token.enabled", true);
        this.keyPair = KeyStoreTestUtil.generateKeyPair("RSA");
        SecurityConfig securityConfig = new SecurityConfig(ozoneConfiguration);
        X509Certificate generateCertificate = KeyStoreTestUtil.generateCertificate("CN=OzoneMaster", this.keyPair, 30, ALGORITHM);
        this.omCertSerialId = generateCertificate.getSerialNumber().toString();
        this.secretManager = new OzoneBlockTokenSecretManager(securityConfig, TimeUnit.HOURS.toMillis(1L), this.omCertSerialId);
        this.client = (CertificateClient) Mockito.mock(OMCertificateClient.class);
        Mockito.when(this.client.getCertificate()).thenReturn(generateCertificate);
        Mockito.when(this.client.getCertificate(ArgumentMatchers.anyString())).thenReturn(generateCertificate);
        Mockito.when(this.client.getPublicKey()).thenReturn(this.keyPair.getPublic());
        Mockito.when(this.client.getPrivateKey()).thenReturn(this.keyPair.getPrivate());
        Mockito.when(this.client.getSignatureAlgorithm()).thenReturn(securityConfig.getSignatureAlgo());
        Mockito.when(this.client.getSecurityProvider()).thenReturn(securityConfig.getProvider());
        Mockito.when(Boolean.valueOf(this.client.verifySignature((byte[]) Mockito.any(), (byte[]) Mockito.any(), (X509Certificate) Mockito.any()))).thenCallRealMethod();
        this.secretManager.start(this.client);
        this.tokenVerifier = new BlockTokenVerifier(securityConfig, this.client);
    }

    @After
    public void tearDown() {
        this.secretManager = null;
    }

    @Test
    public void testGenerateToken() throws Exception {
        BlockID blockID = new BlockID(101L, 0L);
        Token generateToken = this.secretManager.generateToken(blockID, EnumSet.allOf(HddsProtos.BlockTokenSecretProto.AccessModeProto.class), 100L);
        OzoneBlockTokenIdentifier readFieldsProtobuf = OzoneBlockTokenIdentifier.readFieldsProtobuf(new DataInputStream(new ByteArrayInputStream(generateToken.getIdentifier())));
        Assert.assertEquals(OzoneBlockTokenIdentifier.getTokenService(blockID), readFieldsProtobuf.getService());
        Assert.assertEquals(EnumSet.allOf(HddsProtos.BlockTokenSecretProto.AccessModeProto.class), readFieldsProtobuf.getAccessModes());
        Assert.assertEquals(this.omCertSerialId, readFieldsProtobuf.getCertSerialId());
        validateHash(generateToken.getPassword(), generateToken.getIdentifier());
    }

    @Test
    public void testCreateIdentifierSuccess() throws Exception {
        BlockID blockID = new BlockID(101L, 0L);
        OzoneBlockTokenIdentifier createIdentifier = this.secretManager.createIdentifier("testUser", blockID, EnumSet.allOf(HddsProtos.BlockTokenSecretProto.AccessModeProto.class), 100L);
        Assert.assertEquals("testUser", createIdentifier.getOwnerId());
        Assert.assertEquals(BlockTokenVerifier.getTokenService(blockID), createIdentifier.getService());
        Assert.assertEquals(EnumSet.allOf(HddsProtos.BlockTokenSecretProto.AccessModeProto.class), createIdentifier.getAccessModes());
        Assert.assertEquals(this.omCertSerialId, createIdentifier.getCertSerialId());
        validateHash(this.secretManager.createPassword(createIdentifier), createIdentifier.getBytes());
    }

    @Test
    public void tokenCanBeUsedForSpecificBlock() throws Exception {
        BlockID blockID = new BlockID(101L, 0L);
        Token generateToken = this.secretManager.generateToken("testUser", blockID, EnumSet.allOf(HddsProtos.BlockTokenSecretProto.AccessModeProto.class), 100L);
        String encodeToUrlString = generateToken.encodeToUrlString();
        this.tokenVerifier.verify("testUser", generateToken, ContainerTestHelper.getPutBlockRequest(this.pipeline, encodeToUrlString, ContainerTestHelper.getWriteChunkRequest(this.pipeline, blockID, 100, encodeToUrlString).getWriteChunk()));
    }

    @Test
    public void tokenCannotBeUsedForOtherBlock() throws Exception {
        BlockID blockID = new BlockID(101L, 0L);
        BlockID blockID2 = new BlockID(102L, 0L);
        Token generateToken = this.secretManager.generateToken("testUser", blockID, EnumSet.allOf(HddsProtos.BlockTokenSecretProto.AccessModeProto.class), 100L);
        ContainerProtos.ContainerCommandRequestProto writeChunkRequest = ContainerTestHelper.getWriteChunkRequest(this.pipeline, blockID2, 100, generateToken.encodeToUrlString());
        String message = Assert.assertThrows(BlockTokenException.class, () -> {
            this.tokenVerifier.verify("testUser", generateToken, writeChunkRequest);
        }).getMessage();
        Assert.assertTrue(message, message.contains("Token for ID: " + OzoneBlockTokenIdentifier.getTokenService(blockID) + " can't be used to access: " + OzoneBlockTokenIdentifier.getTokenService(blockID2)));
    }

    private void validateHash(byte[] bArr, byte[] bArr2) throws Exception {
        Signature signature = Signature.getInstance(this.secretManager.getDefaultSignatureAlgorithm());
        signature.initVerify(this.client.getPublicKey());
        signature.update(bArr2);
        Assert.assertTrue(signature.verify(bArr));
    }

    @Test
    public void testCreateIdentifierFailure() throws Exception {
        LambdaTestUtils.intercept(SecurityException.class, "Ozone block token can't be created without owner and access mode information.", () -> {
            this.secretManager.createIdentifier();
        });
    }

    @Test
    public void testRenewToken() throws Exception {
        LambdaTestUtils.intercept(UnsupportedOperationException.class, "Renew token operation is not supported for ozone block tokens.", () -> {
            this.secretManager.renewToken((Token) null, (String) null);
        });
    }

    @Test
    public void testCancelToken() throws Exception {
        LambdaTestUtils.intercept(UnsupportedOperationException.class, "Cancel token operation is not supported for ozone block tokens.", () -> {
            this.secretManager.cancelToken((Token) null, (String) null);
        });
    }

    @Test
    public void testVerifySignatureFailure() throws Exception {
        OzoneBlockTokenIdentifier ozoneBlockTokenIdentifier = new OzoneBlockTokenIdentifier("testUser", "123", EnumSet.allOf(HddsProtos.BlockTokenSecretProto.AccessModeProto.class), Time.now() + 86400, "123444", 1024L);
        LambdaTestUtils.intercept(UnsupportedOperationException.class, "operation is not supported for block tokens", () -> {
            return Boolean.valueOf(this.secretManager.verifySignature(ozoneBlockTokenIdentifier, this.client.signData(ozoneBlockTokenIdentifier.getBytes())));
        });
    }

    @Test
    public void testBlockTokenReadAccessMode() throws Exception {
        BlockID blockID = new BlockID(101L, 0L);
        Token generateToken = this.secretManager.generateToken("testUser1", blockID, EnumSet.of(HddsProtos.BlockTokenSecretProto.AccessModeProto.READ), 100L);
        String encodeToUrlString = generateToken.encodeToUrlString();
        ContainerProtos.ContainerCommandRequestProto putBlockRequest = ContainerTestHelper.getPutBlockRequest(this.pipeline, encodeToUrlString, ContainerTestHelper.getWriteChunkRequest(this.pipeline, blockID, 100, encodeToUrlString).getWriteChunk());
        ContainerProtos.ContainerCommandRequestProto blockRequest = ContainerTestHelper.getBlockRequest(this.pipeline, putBlockRequest.getPutBlock());
        String message = Assert.assertThrows(BlockTokenException.class, () -> {
            this.tokenVerifier.verify("testUser1", generateToken, putBlockRequest);
        }).getMessage();
        Assert.assertTrue(message, message.contains("doesn't have WRITE permission"));
        this.tokenVerifier.verify("testUser1", generateToken, blockRequest);
    }

    @Test
    public void testBlockTokenWriteAccessMode() throws Exception {
        BlockID blockID = new BlockID(102L, 0L);
        Token generateToken = this.secretManager.generateToken("testUser2", blockID, EnumSet.of(HddsProtos.BlockTokenSecretProto.AccessModeProto.WRITE), 100L);
        ContainerProtos.ContainerCommandRequestProto writeChunkRequest = ContainerTestHelper.getWriteChunkRequest(this.pipeline, blockID, 100, generateToken.encodeToUrlString());
        ContainerProtos.ContainerCommandRequestProto readChunkRequest = ContainerTestHelper.getReadChunkRequest(this.pipeline, writeChunkRequest.getWriteChunk());
        this.tokenVerifier.verify("testUser2", generateToken, writeChunkRequest);
        String message = Assert.assertThrows(BlockTokenException.class, () -> {
            this.tokenVerifier.verify("testUser2", generateToken, readChunkRequest);
        }).getMessage();
        Assert.assertTrue(message, message.contains("doesn't have READ permission"));
    }

    @Test
    public void testExpiredCertificate() throws Exception {
        String str = "testUser2";
        BlockID blockID = new BlockID(102L, 0L);
        Token generateToken = this.secretManager.generateToken("testUser2", blockID, EnumSet.allOf(HddsProtos.BlockTokenSecretProto.AccessModeProto.class), 100L);
        ContainerProtos.ContainerCommandRequestProto writeChunkRequest = ContainerTestHelper.getWriteChunkRequest(this.pipeline, blockID, 100, generateToken.encodeToUrlString());
        this.tokenVerifier.verify("testUser", generateToken, writeChunkRequest);
        Mockito.when(this.client.getCertificate(ArgumentMatchers.anyString())).thenReturn(generateExpiredCert("CN=OzoneMaster", this.keyPair, ALGORITHM));
        String message = Assert.assertThrows(BlockTokenException.class, () -> {
            this.tokenVerifier.verify(str, generateToken, writeChunkRequest);
        }).getMessage();
        Assert.assertTrue(message, message.contains("Token can't be verified due to expired certificate"));
    }

    @Test
    public void testNetYetValidCertificate() throws Exception {
        String str = "testUser2";
        BlockID blockID = new BlockID(102L, 0L);
        Token generateToken = this.secretManager.generateToken("testUser2", blockID, EnumSet.allOf(HddsProtos.BlockTokenSecretProto.AccessModeProto.class), 100L);
        ContainerProtos.ContainerCommandRequestProto writeChunkRequest = ContainerTestHelper.getWriteChunkRequest(this.pipeline, blockID, 100, generateToken.encodeToUrlString());
        this.tokenVerifier.verify("testUser2", generateToken, writeChunkRequest);
        Mockito.when(this.client.getCertificate(ArgumentMatchers.anyString())).thenReturn(generateNotValidYetCert("CN=OzoneMaster", this.keyPair, ALGORITHM));
        String message = Assert.assertThrows(BlockTokenException.class, () -> {
            this.tokenVerifier.verify(str, generateToken, writeChunkRequest);
        }).getMessage();
        Assert.assertTrue(message, message.contains("Token can't be verified due to not yet valid certificate"));
    }

    private X509Certificate generateExpiredCert(String str, KeyPair keyPair, String str2) throws CertificateException, IllegalStateException, IOException, OperatorCreationException {
        Date date = new Date();
        return generateTestCert(str, keyPair, str2, date, date);
    }

    private X509Certificate generateNotValidYetCert(String str, KeyPair keyPair, String str2) throws CertificateException, IllegalStateException, IOException, OperatorCreationException {
        Date date = new Date(Instant.now().toEpochMilli() + 100000);
        return generateTestCert(str, keyPair, str2, date, new Date(date.getTime() + 200000));
    }

    private X509Certificate generateTestCert(String str, KeyPair keyPair, String str2, Date date, Date date2) throws CertificateException, IllegalStateException, IOException, OperatorCreationException {
        BigInteger bigInteger = new BigInteger(64, new SecureRandom());
        SubjectPublicKeyInfo subjectPublicKeyInfo = SubjectPublicKeyInfo.getInstance(keyPair.getPublic().getEncoded());
        X500Name x500Name = new X500Name(str);
        X509v1CertificateBuilder x509v1CertificateBuilder = new X509v1CertificateBuilder(x500Name, bigInteger, date, date2, x500Name, subjectPublicKeyInfo);
        AlgorithmIdentifier find = new DefaultSignatureAlgorithmIdentifierFinder().find(str2);
        return new JcaX509CertificateConverter().getCertificate(x509v1CertificateBuilder.build(new BcRSAContentSignerBuilder(find, new DefaultDigestAlgorithmIdentifierFinder().find(find)).build(PrivateKeyFactory.createKey(keyPair.getPrivate().getEncoded()))));
    }
}
