package org.apache.qpid.server.security;

import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.security.cert.Certificate;
import java.util.List;
import java.util.Map;
import javax.net.ssl.KeyManager;
import org.apache.qpid.server.configuration.IllegalConfigurationException;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.BrokerModel;
import org.apache.qpid.server.model.BrokerTestHelper;
import org.apache.qpid.server.model.ConfiguredObjectFactory;
import org.apache.qpid.server.model.KeyStore;
import org.apache.qpid.server.util.DataUrlUtils;
import org.apache.qpid.test.utils.UnitTestBase;
import org.apache.qpid.test.utils.tls.AlternativeName;
import org.apache.qpid.test.utils.tls.CertificateEntry;
import org.apache.qpid.test.utils.tls.KeyCertificatePair;
import org.apache.qpid.test.utils.tls.KeyStoreEntry;
import org.apache.qpid.test.utils.tls.PrivateKeyEntry;
import org.apache.qpid.test.utils.tls.SecretKeyEntry;
import org.apache.qpid.test.utils.tls.TlsResource;
import org.apache.qpid.test.utils.tls.TlsResourceBuilder;
import org.apache.qpid.test.utils.tls.TlsResourceHelper;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.RegisterExtension;

/* loaded from: input_file:org/apache/qpid/server/security/FileKeyStoreTest.class */
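/**
 * Unit tests for creating, updating and reloading a file-backed broker key store.
 *
 * <p>The cases cover store material supplied both as a file path and as a data URL, and the
 * rejection paths a key store must enforce: wrong password, unknown alias, an alias that does not
 * identify a private key, bytes that are not a key store, and a store holding no private key.
 * All key material, aliases and the store password are obtained from {@link #TLS_RESOURCE};
 * this class holds no fixed credentials.
 */
public class FileKeyStoreTest extends UnitTestBase {

    @RegisterExtension
    public static final TlsResource TLS_RESOURCE = new TlsResource();
    private static final Broker<?> BROKER = BrokerTestHelper.createBrokerMock();
    private static final ConfiguredObjectFactory FACTORY = BrokerModel.getInstance().getObjectFactory();
    private static final String DN_FOO = "CN=foo";
    private static final String DN_BAR = "CN=bar";
    private static final String NAME = "myFileKeyStore";
    private static final String SECRET_KEY_ALIAS = "secret-key-alias";

    /** A self-signed key store given by file path yields exactly one key manager. */
    @Test
    public void testCreateKeyStoreFromFile_Success() throws Exception {
        Path storeFile = TLS_RESOURCE.createSelfSignedKeyStore(DN_FOO);
        Map<String, Object> attributes = Map.of(
                "name", NAME,
                "storeUrl", storeFile.toFile().getAbsolutePath(),
                "password", TLS_RESOURCE.getSecret(),
                "keyStoreType", TLS_RESOURCE.getKeyStoreType());
        assertSingleKeyManager(createFileKeyStore(attributes).getKeyManagers());
    }

    /** As the plain file case, but with the private-key alias selected explicitly. */
    @Test
    public void testCreateKeyStoreWithAliasFromFile_Success() throws Exception {
        Path storeFile = TLS_RESOURCE.createSelfSignedKeyStore(DN_FOO);
        Map<String, Object> attributes = Map.of(
                "name", NAME,
                "storeUrl", storeFile.toFile().getAbsolutePath(),
                "password", TLS_RESOURCE.getSecret(),
                "certificateAlias", TLS_RESOURCE.getPrivateKeyAlias(),
                "keyStoreType", TLS_RESOURCE.getKeyStoreType());
        assertSingleKeyManager(createFileKeyStore(attributes).getKeyManagers());
    }

    /** A file-backed store opened with a wrong password must be rejected at creation. */
    @Test
    public void testCreateKeyStoreFromFile_WrongPassword() throws Exception {
        Path storeFile = TLS_RESOURCE.createSelfSignedKeyStore(DN_FOO);
        Map<String, Object> attributes = Map.of(
                "name", NAME,
                "storeUrl", storeFile.toFile().getAbsolutePath(),
                "password", TLS_RESOURCE.getSecret() + "_",
                "keyStoreType", TLS_RESOURCE.getKeyStoreType());
        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(
                FACTORY, BROKER, KeyStore.class, attributes, "Check key store password");
    }

    /** An alias that is not present in the file-backed store must be rejected at creation. */
    @Test
    public void testCreateKeyStoreFromFile_UnknownAlias() throws Exception {
        Path storeFile = TLS_RESOURCE.createSelfSignedKeyStore(DN_FOO);
        String unknownAlias = TLS_RESOURCE.getPrivateKeyAlias() + "_";
        Map<String, Object> attributes = Map.of(
                "name", NAME,
                "storeUrl", storeFile.toFile().getAbsolutePath(),
                "password", TLS_RESOURCE.getSecret(),
                "certificateAlias", unknownAlias,
                "keyStoreType", TLS_RESOURCE.getKeyStoreType());
        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(
                FACTORY, BROKER, KeyStore.class, attributes,
                String.format("Cannot find a certificate with alias '%s' in key store", unknownAlias));
    }

    /** An alias naming a certificate-only entry (here, from a trust store) must be rejected. */
    @Test
    public void testCreateKeyStoreFromFile_NonKeyAlias() throws Exception {
        Path trustStoreFile = TLS_RESOURCE.createSelfSignedTrustStore(DN_FOO);
        Map<String, Object> attributes = Map.of(
                "name", NAME,
                "storeUrl", trustStoreFile.toFile().getAbsolutePath(),
                "password", TLS_RESOURCE.getSecret(),
                "certificateAlias", TLS_RESOURCE.getCertificateAlias(),
                "keyStoreType", TLS_RESOURCE.getKeyStoreType());
        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(
                FACTORY, BROKER, KeyStore.class, attributes, "does not identify a private key");
    }

    /** A self-signed key store given as a data URL yields exactly one key manager. */
    @Test
    public void testCreateKeyStoreFromDataUrl_Success() throws Exception {
        Map<String, Object> attributes = Map.of(
                "name", NAME,
                "storeUrl", TLS_RESOURCE.createSelfSignedKeyStoreAsDataUrl(DN_FOO),
                "password", TLS_RESOURCE.getSecret(),
                "keyStoreType", TLS_RESOURCE.getKeyStoreType());
        assertSingleKeyManager(createFileKeyStore(attributes).getKeyManagers());
    }

    /** As the plain data-URL case, but with the private-key alias selected explicitly. */
    @Test
    public void testCreateKeyStoreWithAliasFromDataUrl_Success() throws Exception {
        Map<String, Object> attributes = Map.of(
                "name", NAME,
                "storeUrl", TLS_RESOURCE.createSelfSignedKeyStoreAsDataUrl(DN_FOO),
                "password", TLS_RESOURCE.getSecret(),
                "certificateAlias", TLS_RESOURCE.getPrivateKeyAlias(),
                "keyStoreType", TLS_RESOURCE.getKeyStoreType());
        assertSingleKeyManager(createFileKeyStore(attributes).getKeyManagers());
    }

    /** A data-URL store opened with a wrong password must be rejected at creation. */
    @Test
    public void testCreateKeyStoreFromDataUrl_WrongPassword() throws Exception {
        Map<String, Object> attributes = Map.of(
                "name", NAME,
                "password", TLS_RESOURCE.getSecret() + "_",
                "storeUrl", TLS_RESOURCE.createSelfSignedKeyStoreAsDataUrl(DN_FOO));
        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(
                FACTORY, BROKER, KeyStore.class, attributes, "Check key store password");
    }

    /** A data URL whose payload is not a key store at all must be rejected at creation. */
    @Test
    public void testCreateKeyStoreFromDataUrl_BadKeystoreBytes() {
        // Explicit charset so the garbage payload is the same bytes on every platform.
        byte[] garbage = "notatruststore".getBytes(StandardCharsets.UTF_8);
        Map<String, Object> attributes = Map.of(
                "name", NAME,
                "password", TLS_RESOURCE.getSecret(),
                "storeUrl", DataUrlUtils.getDataUrlForBytes(garbage));
        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(
                FACTORY, BROKER, KeyStore.class, attributes, "Cannot instantiate key store");
    }

    /** An alias that is not present in the data-URL store must be rejected at creation. */
    @Test
    public void testCreateKeyStoreFromDataUrl_UnknownAlias() throws Exception {
        String storeDataUrl = TLS_RESOURCE.createSelfSignedKeyStoreAsDataUrl(DN_FOO);
        String unknownAlias = TLS_RESOURCE.getPrivateKeyAlias() + "_";
        Map<String, Object> attributes = Map.of(
                "name", NAME,
                "password", TLS_RESOURCE.getSecret(),
                "storeUrl", storeDataUrl,
                "certificateAlias", unknownAlias,
                "keyStoreType", TLS_RESOURCE.getKeyStoreType());
        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(
                FACTORY, BROKER, KeyStore.class, attributes,
                String.format("Cannot find a certificate with alias '%s' in key store", unknownAlias));
    }

    /** A key store with no entries must be rejected: there is no private key to serve. */
    @Test
    public void testEmptyKeystoreRejected() throws Exception {
        Path emptyStoreFile = TLS_RESOURCE.createKeyStore(new KeyStoreEntry[0]);
        Map<String, Object> attributes = Map.of(
                "name", NAME,
                "password", TLS_RESOURCE.getSecret(),
                "storeUrl", emptyStoreFile.toFile().getAbsolutePath());
        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(
                FACTORY, BROKER, KeyStore.class, attributes, "must contain at least one private key");
    }

    /** A store holding only a certificate (a trust store) must not be accepted as a key store. */
    @Test
    public void testKeystoreWithNoPrivateKeyRejected() throws Exception {
        Path trustStoreFile = TLS_RESOURCE.createSelfSignedTrustStore(DN_FOO);
        Map<String, Object> attributes = Map.of(
                "name", getTestName(),
                "password", TLS_RESOURCE.getSecret(),
                "storeUrl", trustStoreFile.toFile().getAbsolutePath(),
                "keyStoreType", TLS_RESOURCE.getKeyStoreType());
        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(
                FACTORY, BROKER, KeyStore.class, attributes, "must contain at least one private key");
    }

    /**
     * A JCEKS store that also carries an AES secret-key entry is still accepted; the secret-key
     * entry must not make creation fail.
     */
    @Test
    public void testSymmetricKeysIgnored() throws Exception {
        Map<String, Object> attributes = Map.of(
                "name", NAME,
                "password", TLS_RESOURCE.getSecret(),
                "storeUrl", createSelfSignedKeyStoreWithSecretKeyAndCertificate("jceks", DN_FOO),
                "keyStoreType", "jceks");
        Assertions.assertNotNull(createFileKeyStore(attributes));
    }

    /**
     * Changing the alias on a live store: an unknown alias is refused and leaves the previous
     * value in place; a valid alias is then applied.
     */
    @Test
    public void testUpdateKeyStore_Success() throws Exception {
        Path storeFile = TLS_RESOURCE.createSelfSignedKeyStore(DN_FOO);
        FileKeyStore<?> fileKeyStore = createFileKeyStore(Map.of(
                "name", NAME,
                "storeUrl", storeFile.toFile().getAbsolutePath(),
                "password", TLS_RESOURCE.getSecret(),
                "keyStoreType", TLS_RESOURCE.getKeyStoreType()));
        Assertions.assertNull(fileKeyStore.getCertificateAlias(), "Unexpected alias value before change");

        // The bogus alias is derived from the private-key alias (as in the other unknown-alias
        // tests), not from the store password: the alias is echoed in the exception message and
        // in the assertion failure text below, so building it from the secret would write the
        // password into test output.
        String unknownAlias = TLS_RESOURCE.getPrivateKeyAlias() + "_";
        Map<String, Object> badAliasUpdate = Map.of("certificateAlias", unknownAlias);
        IllegalConfigurationException thrown = Assertions.assertThrows(
                IllegalConfigurationException.class,
                () -> fileKeyStore.setAttributes(badAliasUpdate),
                "Exception not thrown");
        String expectedFragment =
                String.format("Cannot find a certificate with alias '%s' in key store", unknownAlias);
        Assertions.assertTrue(thrown.getMessage().contains(expectedFragment),
                "Exception text not as expected:" + thrown.getMessage());

        // A refused update must not leave a half-applied alias behind.
        Assertions.assertNull(fileKeyStore.getCertificateAlias(), "Unexpected alias value after failed change");

        fileKeyStore.setAttributes(Map.of("certificateAlias", TLS_RESOURCE.getPrivateKeyAlias()));
        Assertions.assertEquals(TLS_RESOURCE.getPrivateKeyAlias(), fileKeyStore.getCertificateAlias(),
                "Unexpected alias value after change that is expected to be successful");
    }

    /**
     * After the backing file is overwritten with a different store, {@code reload()} must expose
     * the new certificate rather than the one read at creation.
     */
    @Test
    public void testReloadKeystore() throws Exception {
        Path liveStoreFile = TLS_RESOURCE.createSelfSignedKeyStoreWithCertificate(DN_FOO);
        Path replacementStoreFile = TLS_RESOURCE.createSelfSignedKeyStoreWithCertificate(DN_BAR);
        FileKeyStore<?> fileKeyStore = createFileKeyStore(Map.of(
                "name", getTestName(),
                "storeUrl", liveStoreFile.toFile().getAbsolutePath(),
                "password", TLS_RESOURCE.getSecret()));
        Assertions.assertEquals(DN_FOO, getCertificate(fileKeyStore).getIssuerName());

        // Swap the file contents in place; the store keeps pointing at the same path.
        Files.copy(replacementStoreFile, liveStoreFile, StandardCopyOption.REPLACE_EXISTING);
        fileKeyStore.reload();
        Assertions.assertEquals(DN_BAR, getCertificate(fileKeyStore).getIssuerName());
    }

    /** Asserts that the store produced exactly one non-null key manager. */
    private static void assertSingleKeyManager(KeyManager[] keyManagers) {
        Assertions.assertNotNull(keyManagers);
        Assertions.assertEquals(1, keyManagers.length, "Unexpected number of key managers");
        Assertions.assertNotNull(keyManagers[0], "Key manager unexpected null");
    }

    /**
     * Creates a key store from the given attributes with the mock broker as parent.
     *
     * @param map attribute name to value, as passed to the object factory
     * @return the created store, narrowed to the file-backed type these tests exercise
     */
    private FileKeyStore<?> createFileKeyStore(Map<String, Object> map) {
        // The factory is asked for the KeyStore category; narrow explicitly to FileKeyStore.
        return (FileKeyStore<?>) FACTORY.create(KeyStore.class, map, BROKER);
    }

    /**
     * Returns the single certificate the store reports, failing the test if the store reports
     * none or more than one.
     */
    private CertificateDetails getCertificate(FileKeyStore<?> fileKeyStore) {
        List<?> details = fileKeyStore.getCertificateDetails();
        Assertions.assertNotNull(details);
        Assertions.assertEquals(1, details.size());
        return (CertificateDetails) details.get(0);
    }

    /**
     * Builds a key store holding three entries: a self-signed private key, the matching
     * certificate, and an AES secret key stored under {@code SECRET_KEY_ALIAS}.
     *
     * @param keyStoreType key store type passed to the TLS test resource (the caller uses "jceks")
     * @param dn subject DN for the self-signed certificate
     * @return path of the created key store file
     */
    public Path createSelfSignedKeyStoreWithSecretKeyAndCertificate(String keyStoreType, String dn) throws Exception {
        KeyCertificatePair selfSigned = TlsResourceBuilder.createSelfSigned(dn, new AlternativeName[0]);
        KeyStoreEntry privateKeyEntry = new PrivateKeyEntry(
                TLS_RESOURCE.getPrivateKeyAlias(),
                selfSigned.getPrivateKey(),
                new Certificate[]{selfSigned.getCertificate()});
        KeyStoreEntry certificateEntry =
                new CertificateEntry(TLS_RESOURCE.getCertificateAlias(), selfSigned.getCertificate());
        KeyStoreEntry secretKeyEntry =
                new SecretKeyEntry(SECRET_KEY_ALIAS, TlsResourceHelper.createAESSecretKey());
        return TLS_RESOURCE.createKeyStore(
                keyStoreType, new KeyStoreEntry[]{privateKeyEntry, certificateEntry, secretKeyEntry});
    }
}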
