package org.apache.qpid.server.security.auth.manager;

import java.io.File;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;
import java.nio.file.FileSystems;
import java.security.Principal;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.stream.Collectors;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosKey;
import javax.security.auth.kerberos.KerberosPrincipal;
import org.apache.directory.api.ldap.model.entry.DefaultEntry;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.util.Strings;
import org.apache.directory.server.annotations.CreateLdapServer;
import org.apache.directory.server.annotations.CreateTransport;
import org.apache.directory.server.annotations.SaslMechanism;
import org.apache.directory.server.core.annotations.ApplyLdifFiles;
import org.apache.directory.server.core.annotations.CreateDS;
import org.apache.directory.server.core.annotations.CreatePartition;
import org.apache.directory.server.core.api.DirectoryService;
import org.apache.directory.server.core.kerberos.KeyDerivationInterceptor;
import org.apache.directory.server.ldap.LdapServer;
import org.apache.directory.server.ldap.handlers.sasl.gssapi.GssapiMechanismHandler;
import org.apache.directory.server.ldap.handlers.sasl.plain.PlainMechanismHandler;
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.keytab.Keytab;
import org.apache.kerby.kerberos.kerb.keytab.KeytabEntry;
import org.apache.kerby.kerberos.kerb.server.KdcConfigKey;
import org.apache.kerby.kerberos.kerb.server.SimpleKdcServer;
import org.apache.kerby.kerberos.kerb.type.KerberosTime;
import org.apache.kerby.kerberos.kerb.type.base.EncryptionKey;
import org.apache.kerby.kerberos.kerb.type.base.EncryptionType;
import org.apache.kerby.kerberos.kerb.type.base.PrincipalName;
import org.apache.qpid.server.configuration.IllegalConfigurationException;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.BrokerTestHelper;
import org.apache.qpid.server.model.NamedAddressSpace;
import org.apache.qpid.server.security.auth.AuthenticationResult;
import org.apache.qpid.server.security.auth.SocketConnectionPrincipal;
import org.apache.qpid.server.security.auth.sasl.SaslNegotiator;
import org.apache.qpid.server.security.auth.sasl.SaslSettings;
import org.apache.qpid.server.security.auth.sasl.plain.PlainNegotiatorTest;
import org.apache.qpid.server.test.KerberosUtilities;
import org.apache.qpid.test.utils.CreateLdapServerExtension;
import org.apache.qpid.test.utils.JvmVendor;
import org.apache.qpid.test.utils.SystemPropertySetter;
import org.apache.qpid.test.utils.TestFileUtils;
import org.apache.qpid.test.utils.UnitTestBase;
import org.junit.jupiter.api.AfterAll;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Assumptions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.RegisterExtension;
import org.mockito.Mockito;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@CreateLdapServer(transports = {@CreateTransport(protocol = "LDAP")}, allowAnonymousAccess = true, saslHost = SimpleLDAPAuthenticationManagerTest.HOSTNAME, saslPrincipal = "ldap/localhost@QPID.ORG", saslMechanisms = {@SaslMechanism(name = "PLAIN", implClass = PlainMechanismHandler.class), @SaslMechanism(name = "GSSAPI", implClass = GssapiMechanismHandler.class)})
@CreateDS(name = "testDS", partitions = {@CreatePartition(name = "test", suffix = SimpleLDAPAuthenticationManagerTest.ROOT)}, additionalInterceptors = {KeyDerivationInterceptor.class})
@ApplyLdifFiles({"users.ldif"})
/* loaded from: input_file:org/apache/qpid/server/security/auth/manager/SimpleLDAPAuthenticationManagerTest.class */
public class SimpleLDAPAuthenticationManagerTest extends UnitTestBase {
    private static final String ROOT = "dc=qpid,dc=org";
    private static final String USERS_DN = "ou=users,dc=qpid,dc=org";
    private static final String SEARCH_CONTEXT_VALUE = "ou=users,dc=qpid,dc=org";
    private static final String SEARCH_FILTER_VALUE = "(uid={0})";
    private static final String LDAP_URL_TEMPLATE = "ldap://localhost:%d";
    private static final String USER_1_NAME = "test1";
    private static final String USER_1_PASSWORD = "password1";
    private static final String USER_1_DN = "cn=integration-test1,ou=users,dc=qpid,dc=org";
    private static final String USER_2_NAME = "test2";
    private static final String USER_2_PASSWORD = "password2";
    private static final String GROUP_SEARCH_CONTEXT_VALUE = "ou=groups,dc=qpid,dc=org";
    private static final String GROUP_SEARCH_FILTER_VALUE = "(member={0})";
    private static final String LDAP_SERVICE_NAME = "ldap";
    private static final String REALM = "QPID.ORG";
    private static final String HOSTNAME = "localhost";
    private static final String BROKER_PRINCIPAL = "service/localhost";
    private static final String LOGIN_SCOPE = "ldap-gssapi-bind";
    private SimpleLDAPAuthenticationManager<?> _authenticationProvider;
    private SimpleKdcServer kerbyServer;
    private static final Logger LOGGER = LoggerFactory.getLogger(SimpleLDAPAuthenticationManagerTest.class);
    private static final String LINE_SEPARATOR = System.lineSeparator();
    private static final AtomicBoolean KERBEROS_SETUP = new AtomicBoolean();
    private static final KerberosUtilities UTILS = new KerberosUtilities();

    @RegisterExtension
    public static CreateLdapServerExtension LDAP = new CreateLdapServerExtension();

    @RegisterExtension
    public static final SystemPropertySetter SYSTEM_PROPERTY_SETTER = new SystemPropertySetter();

    @BeforeEach
    public void setUp() {
        this._authenticationProvider = createAuthenticationProvider();
    }

    @AfterEach
    public void tearDown() {
        if (this._authenticationProvider != null) {
            this._authenticationProvider.close();
        }
    }

    @AfterAll
    public void afterAll() {
        File file = new File(FileSystems.getDefault().getPath("target", new String[0]).toFile(), "kerberos.keytab");
        if (file.exists() && !file.delete()) {
            throw new RuntimeException("Failed to delete keytab file:" + file.getAbsolutePath());
        }
        if (this.kerbyServer != null) {
            try {
                this.kerbyServer.stop();
                this.kerbyServer = null;
            } catch (Exception e) {
                throw new RuntimeException("Failed to stop kerberos server", e);
            }
        }
    }

    @Test
    public void testAuthenticateSuccess() {
        AuthenticationResult authenticate = this._authenticationProvider.authenticate(USER_1_NAME, USER_1_PASSWORD);
        Assertions.assertEquals(AuthenticationResult.AuthenticationStatus.SUCCESS, authenticate.getStatus());
        Assertions.assertEquals(USER_1_DN, authenticate.getMainPrincipal().getName());
    }

    @Test
    public void testAuthenticateFailure() {
        Assertions.assertEquals(AuthenticationResult.AuthenticationStatus.ERROR, this._authenticationProvider.authenticate(USER_1_NAME, "password1_").getStatus());
    }

    @Test
    public void testSaslPlainNegotiatorPlain() {
        SaslSettings saslSettings = (SaslSettings) Mockito.mock(SaslSettings.class);
        Mockito.when(saslSettings.getLocalFQDN()).thenReturn(HOSTNAME);
        SaslNegotiator createSaslNegotiator = this._authenticationProvider.createSaslNegotiator("PLAIN", saslSettings, (NamedAddressSpace) null);
        Assertions.assertNotNull(createSaslNegotiator, "Could not create SASL negotiator for mechanism 'PLAIN'");
        Assertions.assertEquals(AuthenticationResult.AuthenticationStatus.CONTINUE, createSaslNegotiator.handleResponse(new byte[0]).getStatus(), "Unexpected authentication status");
        Assertions.assertEquals(AuthenticationResult.AuthenticationStatus.SUCCESS, createSaslNegotiator.handleResponse(String.format(PlainNegotiatorTest.RESPONSE_FORMAT_STRING, USER_1_NAME, USER_1_PASSWORD).getBytes(StandardCharsets.UTF_8)).getStatus(), "Unexpected authentication status");
    }

    @Test
    public void testGroups() {
        this._authenticationProvider.setAttributes(Map.of("groupSearchContext", GROUP_SEARCH_CONTEXT_VALUE, "groupSearchFilter", GROUP_SEARCH_FILTER_VALUE));
        AuthenticationResult authenticate = this._authenticationProvider.authenticate(USER_1_NAME, USER_1_PASSWORD);
        Assertions.assertEquals(AuthenticationResult.AuthenticationStatus.SUCCESS, authenticate.getStatus());
        Assertions.assertEquals(USER_1_DN, authenticate.getMainPrincipal().getName());
        Set principals = authenticate.getPrincipals();
        Assertions.assertNotNull(principals);
        Assertions.assertNotNull((Principal) principals.stream().filter(principal -> {
            return "cn=group1,ou=groups,dc=qpid,dc=org".equalsIgnoreCase(principal.getName());
        }).findFirst().orElse(null));
    }

    @Test
    public void testAuthenticateSuccessWhenCachingEnabled() {
        this._authenticationProvider.setAttributes(Map.of("context", Map.of("qpid.auth.cache.size", "1")));
        SocketConnectionPrincipal socketConnectionPrincipal = (SocketConnectionPrincipal) Mockito.mock(SocketConnectionPrincipal.class);
        Mockito.when(socketConnectionPrincipal.getRemoteAddress()).thenReturn(new InetSocketAddress(HOSTNAME, 5672));
        AuthenticationResult authenticationResult = (AuthenticationResult) Subject.doAs(new Subject(true, Set.of(socketConnectionPrincipal), Set.of(), Set.of()), () -> {
            return this._authenticationProvider.authenticate(USER_1_NAME, USER_1_PASSWORD);
        });
        Assertions.assertEquals(AuthenticationResult.AuthenticationStatus.SUCCESS, authenticationResult.getStatus());
        Assertions.assertEquals(USER_1_DN, authenticationResult.getMainPrincipal().getName());
    }

    @Test
    public void testGssapiBindWithKeyTab() throws Exception {
        setUpKerberosAndJaas();
        AuthenticationResult authenticate = createAuthenticationProvider(Map.of("authenticationMethod", LdapAuthenticationMethod.GSSAPI.name(), "loginConfigScope", LOGIN_SCOPE)).authenticate(USER_1_NAME, USER_1_PASSWORD);
        Assertions.assertEquals(AuthenticationResult.AuthenticationStatus.SUCCESS, authenticate.getStatus());
        Assertions.assertEquals(USER_1_DN, authenticate.getMainPrincipal().getName());
    }

    @Test
    public void testChangeAuthenticationToGssapi() throws Exception {
        setUpKerberosAndJaas();
        this._authenticationProvider.setAttributes(Map.of("authenticationMethod", LdapAuthenticationMethod.GSSAPI.name(), "loginConfigScope", LOGIN_SCOPE));
        AuthenticationResult authenticate = this._authenticationProvider.authenticate(USER_1_NAME, USER_1_PASSWORD);
        Assertions.assertEquals(AuthenticationResult.AuthenticationStatus.SUCCESS, authenticate.getStatus());
        Assertions.assertEquals(USER_1_DN, authenticate.getMainPrincipal().getName());
    }

    @Test
    public void testChangeAuthenticationToGssapiWithInvalidScope() throws Exception {
        setUpKerberosAndJaas();
        Map of = Map.of("authenticationMethod", LdapAuthenticationMethod.GSSAPI.name(), "loginConfigScope", "non-existing");
        Assertions.assertThrows(IllegalConfigurationException.class, () -> {
            this._authenticationProvider.setAttributes(of);
        }, "Exception is expected");
    }

    @Test
    public void testChangeAuthenticationToGssapiWhenConfigIsBroken() throws Exception {
        setUpKerberosAndJaas();
        Map of = Map.of("authenticationMethod", LdapAuthenticationMethod.GSSAPI.name(), "loginConfigScope", "ldap-gssapi-bind-broken");
        Assertions.assertThrows(IllegalConfigurationException.class, () -> {
            this._authenticationProvider.setAttributes(of);
        }, "Exception is expected");
    }

    @Test
    public void testChangeAuthenticationToGssapiNoScopeProvided() throws Exception {
        setUpKerberosAndJaas();
        this._authenticationProvider.setAttributes(Map.of("authenticationMethod", LdapAuthenticationMethod.GSSAPI.name()));
        AuthenticationResult authenticate = this._authenticationProvider.authenticate(USER_1_NAME, USER_1_PASSWORD);
        Assertions.assertEquals(AuthenticationResult.AuthenticationStatus.SUCCESS, authenticate.getStatus());
        Assertions.assertEquals(USER_1_DN, authenticate.getMainPrincipal().getName());
    }

    @Test
    public void extractUserCN() {
        this._authenticationProvider.setAttributes(Map.of("useFullLDAPName", "false"));
        AuthenticationResult authenticate = this._authenticationProvider.authenticate(USER_1_NAME, USER_1_PASSWORD);
        Assertions.assertEquals(AuthenticationResult.AuthenticationStatus.SUCCESS, authenticate.getStatus());
        Assertions.assertEquals("integration-test1", authenticate.getMainPrincipal().getName());
    }

    @Test
    public void extractInvalidUserCN() {
        this._authenticationProvider.setAttributes(Map.of("useFullLDAPName", "false"));
        AuthenticationResult authenticate = this._authenticationProvider.authenticate(USER_2_NAME, USER_2_PASSWORD);
        Assertions.assertEquals(AuthenticationResult.AuthenticationStatus.ERROR, authenticate.getStatus());
        Assertions.assertEquals("Failed to extract CN from LDAP name 'uid=test2,ou=users,dc=qpid,dc=org'", authenticate.getCause().getMessage());
    }

    private SimpleLDAPAuthenticationManagerImpl createAuthenticationProvider() {
        return createAuthenticationProvider(Map.of());
    }

    private SimpleLDAPAuthenticationManagerImpl createAuthenticationProvider(Map<String, Object> map) {
        Broker<?> createBrokerMock = BrokerTestHelper.createBrokerMock();
        HashMap hashMap = new HashMap();
        hashMap.put("name", getTestName());
        hashMap.put("searchContext", "ou=users,dc=qpid,dc=org");
        hashMap.put("providerUrl", String.format(LDAP_URL_TEMPLATE, Integer.valueOf(LDAP.getLdapServer().getPort())));
        hashMap.put("searchFilter", SEARCH_FILTER_VALUE);
        hashMap.put("context", Map.of("qpid.auth.cache.size", "0"));
        hashMap.putAll(map);
        SimpleLDAPAuthenticationManagerImpl simpleLDAPAuthenticationManagerImpl = new SimpleLDAPAuthenticationManagerImpl(hashMap, createBrokerMock);
        simpleLDAPAuthenticationManagerImpl.open();
        return simpleLDAPAuthenticationManagerImpl;
    }

    private void setUpKerberosAndJaas() throws Exception {
        Assumptions.assumeFalse(Objects.equals(getJvmVendor(), JvmVendor.IBM));
        if (KERBEROS_SETUP.compareAndSet(false, true)) {
            setUpKerberos();
            setUpJaas();
        }
    }

    private void setUpKerberos() throws Exception {
        LdapServer ldapServer = LDAP.getLdapServer();
        int port = ldapServer.getPort() + 1;
        this.kerbyServer = new SimpleKdcServer();
        this.kerbyServer.setKdcHost(HOSTNAME);
        this.kerbyServer.setKdcRealm("QPID.ORG");
        this.kerbyServer.setAllowTcp(true);
        this.kerbyServer.setAllowUdp(false);
        this.kerbyServer.setKdcTcpPort(port);
        this.kerbyServer.setWorkDir(FileSystems.getDefault().getPath("target", new String[0]).toFile());
        this.kerbyServer.getKdcConfig().setBoolean(KdcConfigKey.PA_ENC_TIMESTAMP_REQUIRED, false);
        this.kerbyServer.init();
        this.kerbyServer.start();
        SYSTEM_PROPERTY_SETTER.setSystemProperty("java.security.krb5.conf", createKrb5Conf(port));
        SYSTEM_PROPERTY_SETTER.setSystemProperty("java.security.krb5.realm", (String) null);
        SYSTEM_PROPERTY_SETTER.setSystemProperty("java.security.krb5.kdc", (String) null);
        String name = new KerberosPrincipal("ldap/localhost@QPID.ORG", 3).getName();
        ldapServer.setSaslHost(name.substring(name.indexOf("/") + 1, name.indexOf("@")));
        ldapServer.setSaslPrincipal(name);
        ldapServer.setSaslRealms(List.of("QPID.ORG"));
        ldapServer.setSearchBaseDn("ou=users,dc=qpid,dc=org");
        String uuid = randomUUID().toString();
        createPrincipal("KDC", "KDC", "krbtgt", randomUUID().toString(), "krbtgt/QPID.ORG@QPID.ORG");
        createPrincipal("Service", "LDAP Service", LDAP_SERVICE_NAME, uuid, name);
        createKerberosPrincipal(name, uuid);
    }

    private void setUpJaas() throws Exception {
        createKeyTab(BROKER_PRINCIPAL);
        UTILS.prepareConfiguration(KerberosUtilities.HOST_NAME, SYSTEM_PROPERTY_SETTER);
    }

    private String createKrb5Conf(int i) throws IOException {
        File createFile = createFile("krb5", ".conf");
        String format = String.format("[libdefaults]%1$s    default_realm = %2$s%1$s    udp_preference_limit = 1%1$s    default_tkt_enctypes = aes128-cts-hmac-sha1-96 rc4-hmac%1$s    default_tgs_enctypes = aes128-cts-hmac-sha1-96  rc4-hmac%1$s    permitted_enctypes = aes128-cts-hmac-sha1-96 rc4-hmac%1$s[realms]%1$s    %2$s = {%1$s    kdc = %3$s%1$s    }%1$s[domain_realm]%1$s    .%4$s = %2$s%1$s    %4$s = %2$s%1$s", LINE_SEPARATOR, "QPID.ORG", "localhost:" + i, Strings.toLowerCaseAscii("QPID.ORG"));
        LOGGER.debug("krb5.conf:" + format);
        TestFileUtils.saveTextContentInFile(format, createFile);
        return createFile.getAbsolutePath();
    }

    private void createPrincipal(String str, String str2, String str3, String str4, String str5) throws LdapException {
        DirectoryService directoryService = LDAP.getDirectoryService();
        DefaultEntry defaultEntry = new DefaultEntry(directoryService.getSchemaManager());
        defaultEntry.setDn(String.format("uid=%s,%s", str3, "ou=users,dc=qpid,dc=org"));
        defaultEntry.add("objectClass", new String[]{"top", "person", "inetOrgPerson", "krb5principal", "krb5kdcentry"});
        defaultEntry.add("cn", new String[]{str2});
        defaultEntry.add("sn", new String[]{str});
        defaultEntry.add("uid", new String[]{str3});
        defaultEntry.add("userPassword", new String[]{str4});
        defaultEntry.add("krb5PrincipalName", new String[]{str5});
        defaultEntry.add("krb5KeyVersionNumber", new String[]{"0"});
        directoryService.getAdminSession().add(defaultEntry);
    }

    private void createPrincipal(String str, String str2) throws LdapException {
        createPrincipal(str, str, str, str2, str + "@QPID.ORG");
    }

    private void createPrincipal(File file, String... strArr) throws LdapException, IOException {
        Keytab keytab = new Keytab();
        String uuid = randomUUID().toString();
        for (String str : strArr) {
            createPrincipal(str, uuid);
            String str2 = str + "@QPID.ORG";
            KerberosTime kerberosTime = new KerberosTime();
            keytab.addKeytabEntries((List) getKerberosKeys(str2, uuid).stream().map(encryptionKey -> {
                return new KeytabEntry(new PrincipalName(str2), kerberosTime, encryptionKey.getKvno(), encryptionKey);
            }).collect(Collectors.toList()));
            createKerberosPrincipal(str2, uuid);
        }
        keytab.store(file);
    }

    private void createKeyTab(String... strArr) throws LdapException, IOException {
        createPrincipal(createFile("kerberos", ".keytab"), strArr);
    }

    private File createFile(String str, String str2) throws IOException {
        File file = new File(FileSystems.getDefault().getPath("target", new String[0]).toFile(), str + str2);
        if (file.exists() && !file.delete()) {
            throw new IOException(String.format("Cannot delete existing file '%s'", file.getAbsolutePath()));
        }
        if (file.createNewFile()) {
            return file;
        }
        throw new IOException(String.format("Cannot create file '%s'", file.getAbsolutePath()));
    }

    private void createKerberosPrincipal(String str, String str2) {
        try {
            if (this.kerbyServer.getIdentityService().getIdentity(str) == null) {
                this.kerbyServer.createPrincipal(str, str2);
            }
        } catch (KrbException e) {
            throw new RuntimeException((Throwable) e);
        }
    }

    private List<EncryptionKey> getKerberosKeys(String str, String str2) {
        return (List) Map.of(EncryptionType.DES_CBC_MD5, "DES", EncryptionType.DES3_CBC_SHA1_KD, "DESede", EncryptionType.RC4_HMAC, "ArcFourHmac", EncryptionType.AES128_CTS_HMAC_SHA1_96, "AES128", EncryptionType.AES256_CTS_HMAC_SHA1_96, "AES256").entrySet().stream().map(entry -> {
            return new EncryptionKey((EncryptionType) entry.getKey(), new KerberosKey(new KerberosPrincipal(str), str2.toCharArray(), (String) entry.getValue()).getEncoded(), 0);
        }).collect(Collectors.toList());
    }
}
