package org.apache.qpid.server.security;

import com.google.common.collect.ImmutableMap;
import java.io.Closeable;
import java.io.IOException;
import java.io.InputStream;
import java.net.ServerSocket;
import java.net.Socket;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.atomic.AtomicBoolean;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import org.apache.qpid.server.configuration.IllegalConfigurationException;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.BrokerModel;
import org.apache.qpid.server.model.BrokerTestHelper;
import org.apache.qpid.server.model.ConfiguredObjectFactory;
import org.apache.qpid.server.model.TrustStore;
import org.apache.qpid.server.transport.network.security.ssl.SSLUtil;
import org.apache.qpid.test.utils.UnitTestBase;
import org.apache.qpid.test.utils.tls.AlternativeName;
import org.apache.qpid.test.utils.tls.KeyCertificatePair;
import org.apache.qpid.test.utils.tls.KeyStoreEntry;
import org.apache.qpid.test.utils.tls.PrivateKeyEntry;
import org.apache.qpid.test.utils.tls.TlsResource;
import org.apache.qpid.test.utils.tls.TlsResourceBuilder;
import org.apache.qpid.test.utils.tls.TlsResourceHelper;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.RegisterExtension;

/* loaded from: input_file:org/apache/qpid/server/security/SiteSpecificTrustStoreTest.class */
public class SiteSpecificTrustStoreTest extends UnitTestBase {

    @RegisterExtension
    public static final TlsResource TLS_RESOURCE = new TlsResource();
    private static final Broker<?> BROKER = BrokerTestHelper.createBrokerMock();
    private static final ConfiguredObjectFactory FACTORY = BrokerModel.getInstance().getObjectFactory();
    private static final String EXPECTED_SUBJECT = "CN=localhost";
    private static final String EXPECTED_ISSUER = "CN=MyRootCA";
    private static final String DN_BAR = "CN=bar";
    private static final String NAME = "mySiteSpecificTrustStore";
    private static final String SITE_SPECIFIC_TRUST_STORE = "SiteSpecificTrustStore";
    private static final String NOT_SUPPORTED_URL = "file:/not/a/host";
    private static final String INVALID_URL = "notaurl:541";
    private static final String NOT_A_CRL = "/not/a/crl";
    private TestPeer _testPeer;
    private String _clrUrl;
    private KeyCertificatePair _caKeyCertPair;
    private KeyCertificatePair _keyCertPair;

    /* loaded from: input_file:org/apache/qpid/server/security/SiteSpecificTrustStoreTest$TestPeer.class */
    private class TestPeer implements Closeable {
        private ServerSocket _serverSocket;
        private final ExecutorService _socketAcceptExecutor = Executors.newSingleThreadExecutor();
        private final AtomicBoolean _shutdown = new AtomicBoolean();
        private boolean _accept = true;

        /* JADX INFO: Access modifiers changed from: private */
        /* loaded from: input_file:org/apache/qpid/server/security/SiteSpecificTrustStoreTest$TestPeer$AcceptingRunnable.class */
        public class AcceptingRunnable implements Runnable {
            private AcceptingRunnable() {
            }

            @Override // java.lang.Runnable
            public void run() {
                do {
                    try {
                        Socket accept = TestPeer.this._serverSocket.accept();
                        try {
                            InputStream inputStream = accept.getInputStream();
                            do {
                                try {
                                } catch (Throwable th) {
                                    if (inputStream != null) {
                                        try {
                                            inputStream.close();
                                        } catch (Throwable th2) {
                                            th.addSuppressed(th2);
                                        }
                                    }
                                    throw th;
                                    break;
                                }
                            } while (inputStream.read() != -1);
                            if (inputStream != null) {
                                inputStream.close();
                            }
                            if (accept != null) {
                                accept.close();
                            }
                        } catch (Throwable th3) {
                            if (accept != null) {
                                try {
                                    accept.close();
                                } catch (Throwable th4) {
                                    th3.addSuppressed(th4);
                                }
                            }
                            throw th3;
                            break;
                        }
                    } catch (IOException e) {
                    }
                } while (!TestPeer.this._shutdown.get());
            }
        }

        private TestPeer() {
        }

        public void setAccept(boolean z) {
            this._accept = z;
        }

        public int start() throws Exception {
            this._serverSocket = createTestSSLServerSocket();
            if (this._accept) {
                this._socketAcceptExecutor.execute(new AcceptingRunnable());
            }
            return this._serverSocket.getLocalPort();
        }

        @Override // java.io.Closeable, java.lang.AutoCloseable
        public void close() throws IOException {
            this._shutdown.set(true);
            try {
                if (this._serverSocket != null) {
                    this._serverSocket.close();
                }
            } finally {
                this._socketAcceptExecutor.shutdown();
            }
        }

        private ServerSocket createTestSSLServerSocket() throws Exception {
            char[] charArray = "".toCharArray();
            KeyStore createKeyStore = TlsResourceHelper.createKeyStore(KeyStore.getDefaultType(), charArray, new KeyStoreEntry[]{new PrivateKeyEntry("1", SiteSpecificTrustStoreTest.this._keyCertPair.getPrivateKey(), new Certificate[]{SiteSpecificTrustStoreTest.this._keyCertPair.getCertificate()})});
            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            keyManagerFactory.init(createKeyStore, charArray);
            KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();
            SSLContext tryGetSSLContext = SSLUtil.tryGetSSLContext();
            tryGetSSLContext.init(keyManagers, null, new SecureRandom());
            ServerSocket createServerSocket = tryGetSSLContext.getServerSocketFactory().createServerSocket(0);
            createServerSocket.setSoTimeout(100);
            return createServerSocket;
        }
    }

    @BeforeEach
    public void setUpSiteSpecificTrustStore() throws Exception {
        int intValue = Integer.getInteger("SiteSpecificTrustStoreTest.connectTimeout", 1000).intValue();
        int intValue2 = Integer.getInteger("SiteSpecificTrustStoreTest.readTimeout", 1000).intValue();
        setTestSystemProperty("qpid.trustStore.siteSpecific.connectTimeout", String.valueOf(intValue));
        setTestSystemProperty("qpid.trustStore.siteSpecific.readTimeout", String.valueOf(intValue2));
        this._caKeyCertPair = TlsResourceBuilder.createKeyPairAndRootCA(EXPECTED_ISSUER);
        this._keyCertPair = TlsResourceBuilder.createKeyPairAndCertificate(EXPECTED_SUBJECT, this._caKeyCertPair, new AlternativeName[0]);
        this._clrUrl = TLS_RESOURCE.createCrlAsDataUrl(this._caKeyCertPair, new X509Certificate[]{TlsResourceBuilder.createKeyPairAndCertificate(DN_BAR, this._caKeyCertPair, new AlternativeName[0]).getCertificate()});
    }

    @AfterEach
    public void tearDown() throws Exception {
        if (this._testPeer != null) {
            this._testPeer.close();
        }
    }

    @Test
    public void testMalformedSiteUrl() {
        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, Map.of("name", NAME, "type", SITE_SPECIFIC_TRUST_STORE, "siteUrl", INVALID_URL), String.format("'%s' is not a valid URL", INVALID_URL));
    }

    @Test
    public void testSiteUrlDoesNotSupplyHostPort() {
        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, Map.of("name", NAME, "type", SITE_SPECIFIC_TRUST_STORE, "siteUrl", NOT_SUPPORTED_URL), String.format("URL '%s' does not provide a hostname and port number", NOT_SUPPORTED_URL));
    }

    @Test
    public void testUnresponsiveSite() throws Exception {
        this._testPeer = new TestPeer();
        this._testPeer.setAccept(false);
        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, getTrustStoreAttributes(this._testPeer.start()), String.format("Unable to get certificate for '%s' from", NAME));
    }

    @Test
    public void testValidSiteUrl() throws Exception {
        this._testPeer = new TestPeer();
        List certificateDetails = createTestTrustStore(ImmutableMap.builder().putAll(getTrustStoreAttributes(this._testPeer.start())).put("certificateRevocationCheckEnabled", true).put("certificateRevocationListUrl", this._clrUrl).build()).getCertificateDetails();
        Assertions.assertEquals(1, certificateDetails.size(), "Unexpected number of certificates");
        CertificateDetails certificateDetails2 = (CertificateDetails) certificateDetails.get(0);
        Assertions.assertEquals(EXPECTED_SUBJECT, certificateDetails2.getSubjectName(), "Unexpected certificate subject");
        Assertions.assertEquals(EXPECTED_ISSUER, certificateDetails2.getIssuerName(), "Unexpected certificate issuer");
    }

    @Test
    public void testChangeOfCrlInValidSiteUrl() throws Exception {
        this._testPeer = new TestPeer();
        SiteSpecificTrustStore createTestTrustStore = createTestTrustStore(ImmutableMap.builder().putAll(getTrustStoreAttributes(this._testPeer.start())).put("certificateRevocationCheckEnabled", true).put("certificateRevocationListUrl", this._clrUrl).build());
        IllegalConfigurationException assertThrows = Assertions.assertThrows(IllegalConfigurationException.class, () -> {
            createTestTrustStore.setAttributes(Map.of("certificateRevocationListUrl", NOT_A_CRL));
        }, "Exception not thrown");
        Assertions.assertTrue(assertThrows.getMessage().contains(String.format("Unable to load certificate revocation list '%s' for truststore '%s'", NOT_A_CRL, NAME)), "Exception text not as unexpected:" + assertThrows.getMessage());
        Assertions.assertEquals(this._clrUrl, createTestTrustStore.getCertificateRevocationListUrl(), "Unexpected CRL path value after failed change");
        Path createCrl = TLS_RESOURCE.createCrl(this._caKeyCertPair, new X509Certificate[0]);
        createTestTrustStore.setAttributes(Map.of("certificateRevocationListUrl", createCrl.toFile().getAbsolutePath()));
        Assertions.assertEquals(createCrl.toFile().getAbsolutePath(), createTestTrustStore.getCertificateRevocationListUrl(), "Unexpected CRL path value after change that is expected to be successful");
    }

    @Test
    public void testValidSiteUrl_MissingCrlFile() throws Exception {
        this._testPeer = new TestPeer();
        KeyStoreTestHelper.checkExceptionThrownDuringKeyStoreCreation(FACTORY, BROKER, TrustStore.class, ImmutableMap.builder().putAll(getTrustStoreAttributes(this._testPeer.start())).put("certificateRevocationCheckEnabled", true).put("certificateRevocationListUrl", NOT_A_CRL).build(), String.format("Unable to load certificate revocation list '%s' for truststore '%s'", NOT_A_CRL, NAME));
    }

    @Test
    public void testRefreshCertificate() throws Exception {
        this._testPeer = new TestPeer();
        SiteSpecificTrustStore createTestTrustStore = createTestTrustStore(getTrustStoreAttributes(this._testPeer.start()));
        List certificateDetails = createTestTrustStore.getCertificateDetails();
        Assertions.assertEquals(1, certificateDetails.size(), "Unexpected number of certificates");
        CertificateDetails certificateDetails2 = (CertificateDetails) certificateDetails.get(0);
        Assertions.assertEquals(EXPECTED_SUBJECT, certificateDetails2.getSubjectName(), "Unexpected certificate subject");
        Assertions.assertEquals(EXPECTED_ISSUER, certificateDetails2.getIssuerName(), "Unexpected certificate issuer");
        createTestTrustStore.refreshCertificate();
        CertificateDetails certificateDetails3 = (CertificateDetails) createTestTrustStore.getCertificateDetails().get(0);
        Assertions.assertEquals(EXPECTED_SUBJECT, certificateDetails3.getSubjectName(), "Unexpected certificate subject");
        Assertions.assertEquals(EXPECTED_ISSUER, certificateDetails3.getIssuerName(), "Unexpected certificate issuer");
    }

    private SiteSpecificTrustStore createTestTrustStore(Map<String, Object> map) {
        return FACTORY.create(TrustStore.class, map, BROKER);
    }

    private Map<String, Object> getTrustStoreAttributes(int i) {
        return Map.of("name", NAME, "type", SITE_SPECIFIC_TRUST_STORE, "siteUrl", String.format("https://localhost:%d", Integer.valueOf(i)));
    }
}
