package org.apache.qpid.server.security;

import java.io.Closeable;
import java.io.IOException;
import java.net.ServerSocket;
import java.net.Socket;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.atomic.AtomicBoolean;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import org.apache.qpid.server.configuration.IllegalConfigurationException;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.BrokerModel;
import org.apache.qpid.server.model.BrokerTestHelper;
import org.apache.qpid.server.model.ConfiguredObjectFactory;
import org.apache.qpid.server.model.TrustStore;
import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
import org.apache.qpid.test.utils.UnitTestBase;
import org.apache.qpid.test.utils.tls.AlternativeName;
import org.apache.qpid.test.utils.tls.KeyCertificatePair;
import org.apache.qpid.test.utils.tls.KeyStoreEntry;
import org.apache.qpid.test.utils.tls.PrivateKeyEntry;
import org.apache.qpid.test.utils.tls.TlsResource;
import org.apache.qpid.test.utils.tls.TlsResourceBuilder;
import org.apache.qpid.test.utils.tls.TlsResourceHelper;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.ClassRule;
import org.junit.Test;

/* loaded from: input_file:org/apache/qpid/server/security/SiteSpecificTrustStoreTest.class */
public class SiteSpecificTrustStoreTest extends UnitTestBase {

    @ClassRule
    public static final TlsResource TLS_RESOURCE = new TlsResource();
    private static final Broker BROKER = BrokerTestHelper.createBrokerMock();
    private static final ConfiguredObjectFactory FACTORY = BrokerModel.getInstance().getObjectFactory();
    private static final String EXPECTED_SUBJECT = "CN=localhost";
    private static final String EXPECTED_ISSUER = "CN=MyRootCA";
    private static final String DN_BAR = "CN=bar";
    private static final String NAME = "mySiteSpecificTrustStore";
    private static final String SITE_SPECIFIC_TRUST_STORE = "SiteSpecificTrustStore";
    private static final String NOT_SUPPORTED_URL = "file:/not/a/host";
    private static final String INVALID_URL = "notaurl:541";
    private static final String NOT_A_CRL = "/not/a/crl";
    private TestPeer _testPeer;
    private String _clrUrl;
    private KeyCertificatePair _caKeyCertPair;
    private KeyCertificatePair _keyCertPair;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/qpid/server/security/SiteSpecificTrustStoreTest$TestPeer.class */
    public class TestPeer implements Closeable {
        private final ExecutorService _socketAcceptExecutor;
        private ServerSocket _serverSocket;
        private final AtomicBoolean _shutdown;
        private boolean _accept;

        /* JADX INFO: Access modifiers changed from: private */
        /* loaded from: input_file:org/apache/qpid/server/security/SiteSpecificTrustStoreTest$TestPeer$AcceptingRunnable.class */
        public class AcceptingRunnable implements Runnable {
            private AcceptingRunnable() {
            }

            @Override // java.lang.Runnable
            public void run() {
                Socket accept;
                Throwable th;
                do {
                    try {
                        accept = TestPeer.this._serverSocket.accept();
                        th = null;
                    } catch (IOException e) {
                    }
                    try {
                        try {
                            do {
                            } while (accept.getInputStream().read() != -1);
                            if (accept != null) {
                                if (0 != 0) {
                                    try {
                                        accept.close();
                                    } catch (Throwable th2) {
                                        th.addSuppressed(th2);
                                    }
                                } else {
                                    accept.close();
                                }
                            }
                        } catch (Throwable th3) {
                            if (accept != null) {
                                if (th != null) {
                                    try {
                                        accept.close();
                                    } catch (Throwable th4) {
                                        th.addSuppressed(th4);
                                    }
                                } else {
                                    accept.close();
                                }
                            }
                            throw th3;
                            break;
                        }
                    } catch (Throwable th5) {
                        th = th5;
                        throw th5;
                        break;
                    }
                } while (!TestPeer.this._shutdown.get());
            }
        }

        private TestPeer() {
            this._socketAcceptExecutor = Executors.newSingleThreadExecutor();
            this._shutdown = new AtomicBoolean();
            this._accept = true;
        }

        public void setAccept(boolean z) {
            this._accept = z;
        }

        public int start() throws Exception {
            this._serverSocket = createTestSSLServerSocket();
            if (this._accept) {
                this._socketAcceptExecutor.execute(new AcceptingRunnable());
            }
            return this._serverSocket.getLocalPort();
        }

        @Override // java.io.Closeable, java.lang.AutoCloseable
        public void close() throws IOException {
            this._shutdown.set(true);
            try {
                if (this._serverSocket != null) {
                    this._serverSocket.close();
                }
            } finally {
                this._socketAcceptExecutor.shutdown();
            }
        }

        private ServerSocket createTestSSLServerSocket() throws Exception {
            char[] charArray = "".toCharArray();
            KeyStore createKeyStore = TlsResourceHelper.createKeyStore(KeyStore.getDefaultType(), charArray, new KeyStoreEntry[]{new PrivateKeyEntry("1", SiteSpecificTrustStoreTest.this._keyCertPair.getPrivateKey(), new Certificate[]{SiteSpecificTrustStoreTest.this._keyCertPair.getCertificate()})});
            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            keyManagerFactory.init(createKeyStore, charArray);
            KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();
            SSLContext tryGetSSLContext = SSLUtil.tryGetSSLContext();
            tryGetSSLContext.init(keyManagers, null, new SecureRandom());
            ServerSocket createServerSocket = tryGetSSLContext.getServerSocketFactory().createServerSocket(0);
            createServerSocket.setSoTimeout(100);
            return createServerSocket;
        }
    }

    @Before
    public void setUpSiteSpecificTrustStore() throws Exception {
        int intValue = Integer.getInteger("SiteSpecificTrustStoreTest.connectTimeout", 1000).intValue();
        int intValue2 = Integer.getInteger("SiteSpecificTrustStoreTest.readTimeout", 1000).intValue();
        setTestSystemProperty("qpid.trustStore.siteSpecific.connectTimeout", String.valueOf(intValue));
        setTestSystemProperty("qpid.trustStore.siteSpecific.readTimeout", String.valueOf(intValue2));
        this._caKeyCertPair = TlsResourceBuilder.createKeyPairAndRootCA(EXPECTED_ISSUER);
        this._keyCertPair = TlsResourceBuilder.createKeyPairAndCertificate(EXPECTED_SUBJECT, this._caKeyCertPair, new AlternativeName[0]);
        this._clrUrl = TLS_RESOURCE.createCrlAsDataUrl(this._caKeyCertPair, new X509Certificate[]{TlsResourceBuilder.createKeyPairAndCertificate(DN_BAR, this._caKeyCertPair, new AlternativeName[0]).getCertificate()});
    }

    @After
    public void tearDown() throws Exception {
        if (this._testPeer != null) {
            this._testPeer.close();
        }
    }

    @Test
    public void testMalformedSiteUrl() {
        HashMap hashMap = new HashMap();
        hashMap.put("name", NAME);
        hashMap.put("type", SITE_SPECIFIC_TRUST_STORE);
        hashMap.put("siteUrl", INVALID_URL);
        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, hashMap, String.format("'%s' is not a valid URL", INVALID_URL));
    }

    @Test
    public void testSiteUrlDoesNotSupplyHostPort() {
        HashMap hashMap = new HashMap();
        hashMap.put("name", NAME);
        hashMap.put("type", SITE_SPECIFIC_TRUST_STORE);
        hashMap.put("siteUrl", NOT_SUPPORTED_URL);
        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, hashMap, String.format("URL '%s' does not provide a hostname and port number", NOT_SUPPORTED_URL));
    }

    @Test
    public void testUnresponsiveSite() throws Exception {
        this._testPeer = new TestPeer();
        this._testPeer.setAccept(false);
        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, getTrustStoreAttributes(this._testPeer.start()), String.format("Unable to get certificate for '%s' from", NAME));
    }

    @Test
    public void testValidSiteUrl() throws Exception {
        this._testPeer = new TestPeer();
        Map<String, Object> trustStoreAttributes = getTrustStoreAttributes(this._testPeer.start());
        trustStoreAttributes.put("certificateRevocationCheckEnabled", true);
        trustStoreAttributes.put("certificateRevocationListUrl", this._clrUrl);
        List certificateDetails = createTestTrustStore(trustStoreAttributes).getCertificateDetails();
        Assert.assertEquals("Unexpected number of certificates", 1L, certificateDetails.size());
        CertificateDetails certificateDetails2 = (CertificateDetails) certificateDetails.get(0);
        Assert.assertEquals("Unexpected certificate subject", EXPECTED_SUBJECT, certificateDetails2.getSubjectName());
        Assert.assertEquals("Unexpected certificate issuer", EXPECTED_ISSUER, certificateDetails2.getIssuerName());
    }

    @Test
    public void testChangeOfCrlInValidSiteUrl() throws Exception {
        this._testPeer = new TestPeer();
        Map<String, Object> trustStoreAttributes = getTrustStoreAttributes(this._testPeer.start());
        trustStoreAttributes.put("certificateRevocationCheckEnabled", true);
        trustStoreAttributes.put("certificateRevocationListUrl", this._clrUrl);
        SiteSpecificTrustStore createTestTrustStore = createTestTrustStore(trustStoreAttributes);
        try {
            createTestTrustStore.setAttributes(Collections.singletonMap("certificateRevocationListUrl", NOT_A_CRL));
            Assert.fail("Exception not thrown");
        } catch (IllegalConfigurationException e) {
            String message = e.getMessage();
            Assert.assertTrue("Exception text not as unexpected:" + message, message.contains(String.format("Unable to load certificate revocation list '%s' for truststore '%s'", NOT_A_CRL, NAME)));
        }
        Assert.assertEquals("Unexpected CRL path value after failed change", this._clrUrl, createTestTrustStore.getCertificateRevocationListUrl());
        Path createCrl = TLS_RESOURCE.createCrl(this._caKeyCertPair, new X509Certificate[0]);
        createTestTrustStore.setAttributes(Collections.singletonMap("certificateRevocationListUrl", createCrl.toFile().getAbsolutePath()));
        Assert.assertEquals("Unexpected CRL path value after change that is expected to be successful", createCrl.toFile().getAbsolutePath(), createTestTrustStore.getCertificateRevocationListUrl());
    }

    @Test
    public void testValidSiteUrl_MissingCrlFile() throws Exception {
        this._testPeer = new TestPeer();
        Map<String, Object> trustStoreAttributes = getTrustStoreAttributes(this._testPeer.start());
        trustStoreAttributes.put("certificateRevocationCheckEnabled", true);
        trustStoreAttributes.put("certificateRevocationListUrl", NOT_A_CRL);
        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, trustStoreAttributes, String.format("Unable to load certificate revocation list '%s' for truststore '%s'", NOT_A_CRL, NAME));
    }

    @Test
    public void testRefreshCertificate() throws Exception {
        this._testPeer = new TestPeer();
        SiteSpecificTrustStore createTestTrustStore = createTestTrustStore(getTrustStoreAttributes(this._testPeer.start()));
        List certificateDetails = createTestTrustStore.getCertificateDetails();
        Assert.assertEquals("Unexpected number of certificates", 1L, certificateDetails.size());
        CertificateDetails certificateDetails2 = (CertificateDetails) certificateDetails.get(0);
        Assert.assertEquals("Unexpected certificate subject", EXPECTED_SUBJECT, certificateDetails2.getSubjectName());
        Assert.assertEquals("Unexpected certificate issuer", EXPECTED_ISSUER, certificateDetails2.getIssuerName());
        createTestTrustStore.refreshCertificate();
        CertificateDetails certificateDetails3 = (CertificateDetails) createTestTrustStore.getCertificateDetails().get(0);
        Assert.assertEquals("Unexpected certificate subject", EXPECTED_SUBJECT, certificateDetails3.getSubjectName());
        Assert.assertEquals("Unexpected certificate issuer", EXPECTED_ISSUER, certificateDetails3.getIssuerName());
    }

    private SiteSpecificTrustStore createTestTrustStore(Map<String, Object> map) {
        return FACTORY.create(TrustStore.class, map, BROKER);
    }

    private Map<String, Object> getTrustStoreAttributes(int i) {
        HashMap hashMap = new HashMap();
        hashMap.put("name", NAME);
        hashMap.put("type", SITE_SPECIFIC_TRUST_STORE);
        hashMap.put("siteUrl", String.format("https://localhost:%d", Integer.valueOf(i)));
        return hashMap;
    }
}
