package org.apache.qpid.server.security.encryption;

import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.google.common.util.concurrent.SettableFuture;
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileAttribute;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Random;
import java.util.concurrent.TimeUnit;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.qpid.server.SystemLauncher;
import org.apache.qpid.server.SystemLauncherListener;
import org.apache.qpid.server.model.AuthenticationProvider;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.SystemConfig;
import org.apache.qpid.server.model.User;
import org.apache.qpid.server.security.auth.TestPrincipalUtils;
import org.apache.qpid.server.util.FileUtils;
import org.apache.qpid.test.utils.UnitTestBase;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Assumptions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;

/* loaded from: input_file:org/apache/qpid/server/security/encryption/AESGCMKeyFileEncrypterTest.class */
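/**
 * Tests for {@link AESGCMKeyFileEncrypter}.
 *
 * <p>The first group of tests drives the encrypter directly with a freshly generated 256-bit AES
 * key. The second group starts a broker through {@link SystemLauncher} against a temporary JSON
 * configuration store, creates a managed user, and reads the stored password back from the
 * configuration file to check that it can be decrypted with the expected key and encrypter.
 */
public class AESGCMKeyFileEncrypterTest extends UnitTestBase {
    /** Seconds to wait for the launcher to report the resolved system config. */
    public static final int BROKER_START_TIMEOUT = 10;
    /** Plaintext used both as the value to encrypt and as the managed user's password. */
    private static final String SECRET = "secret";
    private final SecureRandom _random = new SecureRandom();
    // Regenerated in setUp() for every test, so it is kept per instance rather than static.
    private SecretKeySpec _secretKey;
    private Path _configurationLocation;
    private Path _workDir;
    private Broker<?> _broker;
    private SystemLauncher _systemLauncher;

    /**
     * Skips the test when strong encryption is unavailable, otherwise generates a random
     * 32-byte AES key from {@link SecureRandom}.
     */
    @BeforeEach
    public void setUp() throws Exception {
        Assumptions.assumeTrue(AbstractAESKeyFileEncrypterFactoryTest.isStrongEncryptionEnabled());
        final byte[] keyBytes = new byte[32];
        _random.nextBytes(keyBytes);
        _secretKey = new SecretKeySpec(keyBytes, "AES");
    }

    /**
     * Shuts the broker down and removes the work directory.
     *
     * <p>The directory is deleted in a {@code finally} block: it holds the configuration file
     * with the encrypted password (and, in {@link #testSetKeyLocationAsExpression()}, the key
     * file itself), so it must not be left behind when shutdown throws.
     */
    @AfterEach
    public void tearDown() throws Exception {
        try {
            if (_systemLauncher != null) {
                _systemLauncher.shutdown();
            }
        } finally {
            if (_workDir != null) {
                FileUtils.deleteDirectory(_workDir.toFile().getAbsolutePath());
            }
        }
    }

    /**
     * Encrypting the same plaintext ten times under one key must give ten different ciphertexts,
     * each of which decrypts back to the plaintext.
     */
    @Test
    public void testRepeatedEncryptionsReturnDifferentValues() {
        final AESGCMKeyFileEncrypter encrypter = new AESGCMKeyFileEncrypter(_secretKey);
        final HashSet<String> ciphertexts = new HashSet<>();
        for (int i = 0; i < 10; i++) {
            ciphertexts.add(encrypter.encrypt(SECRET));
        }
        // Identical output for identical input would point at a repeated IV, which GCM does not
        // tolerate; the encrypter's IV handling itself is not visible from this test.
        Assertions.assertEquals(10, ciphertexts.size(), "Not all encryptions were distinct");
        for (final String ciphertext : ciphertexts) {
            Assertions.assertEquals(SECRET, encrypter.decrypt(ciphertext), "Not all encryptions decrypt correctly");
        }
    }

    /**
     * The constructor must reject a null key and a key generated for a non-AES algorithm,
     * with the documented messages.
     */
    @Test
    public void testCreationFailsOnInvalidSecret() throws Exception {
        final IllegalArgumentException nullKeyFailure = Assertions.assertThrows(
                IllegalArgumentException.class,
                () -> new AESGCMKeyFileEncrypter((SecretKey) null),
                "An encrypter should not be creatable from a null key");
        Assertions.assertTrue(
                nullKeyFailure.getMessage().contains("A non null secret key must be supplied"),
                "Unexpected exception message:" + nullKeyFailure.getMessage());

        // PBEWithMD5AndDES serves only as a key of the wrong algorithm for this negative case.
        final PBEKeySpec wrongKeySpec = new PBEKeySpec(SECRET.toCharArray());
        final SecretKeyFactory wrongKeyFactory = SecretKeyFactory.getInstance("PBEWithMD5AndDES");
        final IllegalArgumentException wrongAlgorithmFailure = Assertions.assertThrows(
                IllegalArgumentException.class,
                () -> new AESGCMKeyFileEncrypter(wrongKeyFactory.generateSecret(wrongKeySpec)),
                "An encrypter should not be creatable from the wrong type of secret key");
        Assertions.assertTrue(
                wrongAlgorithmFailure.getMessage().contains("Provided secret key was for the algorithm: PBEWithMD5AndDES when AES was needed."),
                "Unexpected exception message:" + wrongAlgorithmFailure.getMessage());
    }

    /** The empty string must survive an encrypt/decrypt round trip. */
    @Test
    public void testEncryptionOfEmptyString() {
        doTestSimpleEncryptDecrypt("");
    }

    /** Encrypting {@code null} must fail with a {@link NullPointerException}. */
    @Test
    public void testEncryptingNullFails() {
        final AESGCMKeyFileEncrypter encrypter = new AESGCMKeyFileEncrypter(_secretKey);
        Assertions.assertThrows(NullPointerException.class,
                () -> encrypter.encrypt((String) null),
                "Attempting to encrypt null should fail");
    }

    /** A 4096-character plaintext must survive an encrypt/decrypt round trip. */
    @Test
    public void testEncryptingVeryLargeSecret() {
        final byte[] data = new byte[4096];
        // java.util.Random is acceptable here: the bytes are test payload, not key material.
        new Random().nextBytes(data);
        // NOTE(review): 0xEF clears bit 4 only, so bytes >= 0x80 survive and US_ASCII decoding
        // turns them into U+FFFD. If 7-bit ASCII was intended the mask would be 0x7F - confirm.
        // The round-trip assertion holds either way, so the mask is left unchanged.
        for (int i = 0; i < data.length; i++) {
            data[i] = (byte) (data[i] & 0xEF);
        }
        doTestSimpleEncryptDecrypt(new String(data, StandardCharsets.US_ASCII));
    }

    /**
     * Malformed input must be rejected rather than decrypted: {@code null} with a
     * {@link NullPointerException}, everything else with an {@link IllegalArgumentException}.
     */
    @Test
    public void testDecryptNonsense() {
        final AESGCMKeyFileEncrypter encrypter = new AESGCMKeyFileEncrypter(_secretKey);
        Assertions.assertThrows(NullPointerException.class,
                () -> encrypter.decrypt((String) null),
                "Should not decrypt a null value");
        Assertions.assertThrows(IllegalArgumentException.class,
                () -> encrypter.decrypt(""),
                "Should not decrypt the empty String");
        Assertions.assertThrows(IllegalArgumentException.class,
                () -> encrypter.decrypt("thisisnonsense"),
                "Should not decrypt a small amount of nonsense");
        Assertions.assertThrows(IllegalArgumentException.class,
                () -> encrypter.decrypt("thisisn'tvalidBase64!soitshouldfailwithanIllegalArgumentException"),
                "Should not decrypt a larger amount of nonsense");
    }

    /**
     * Starts a broker with the {@code AESKeyFile} provider, then switches it to
     * {@code AESGCMKeyFile} and checks that the stored password is readable with the GCM
     * encrypter under the same key.
     */
    @Test
    public void testChangeOfEncryptionToGCM() throws Exception {
        createBrokerAndAuthenticationProviderWithEncrypterPassword("AESKeyFile");
        final String storedBeforeSwitch = getEncryptedPasswordFromConfig();
        final SecretKeySpec brokerKey = new SecretKeySpec(getBrokerSecretKey(), "AES");
        Assertions.assertEquals(SECRET, new AESKeyFileEncrypter(brokerKey).decrypt(storedBeforeSwitch), "Decrypted text doesnt match original");

        _broker.setAttributes(Map.of("confidentialConfigurationEncryptionProvider", "AESGCMKeyFile"));

        Assertions.assertEquals(SECRET, new AESGCMKeyFileEncrypter(brokerKey).decrypt(getEncryptedPasswordFromConfig()), "Decrypted text doesnt match original");
    }

    /**
     * Configures the key file location through a context expression based on
     * {@code ${qpid.work_dir}} and checks that the stored password decrypts with that key file.
     */
    @Test
    public void testSetKeyLocationAsExpression() throws Exception {
        final Path workDir = Files.createTempDirectory("qpid_work_dir");
        // Register the directory for cleanup straight away, so the key file is removed even if
        // key generation or broker startup fails below.
        _workDir = workDir;
        final File keyFile = new File(workDir.toFile(), "test.key");
        AbstractAESKeyFileEncrypterFactory.createAndPopulateKeyFile(keyFile);

        createBrokerAndAuthenticationProviderWithEncrypterPassword(
                "AESGCMKeyFile",
                workDir,
                Map.of("encrypter.key.file", "${qpid.work_dir}" + File.separator + keyFile.getName()));

        final SecretKeySpec fileKey = new SecretKeySpec(Files.readAllBytes(keyFile.toPath()), "AES");
        Assertions.assertEquals(SECRET, new AESGCMKeyFileEncrypter(fileKey).decrypt(getEncryptedPasswordFromConfig()), "Decrypted text doesnt match original");
    }

    /**
     * Starts a broker with the {@code AESGCMKeyFile} provider, then switches it to
     * {@code AESKeyFile} and checks that the stored password is readable with the AES
     * encrypter under the same key.
     */
    @Test
    public void testChangeOfEncryptionToAES() throws Exception {
        createBrokerAndAuthenticationProviderWithEncrypterPassword("AESGCMKeyFile");
        final String storedBeforeSwitch = getEncryptedPasswordFromConfig();
        final SecretKeySpec brokerKey = new SecretKeySpec(getBrokerSecretKey(), "AES");
        Assertions.assertEquals(SECRET, new AESGCMKeyFileEncrypter(brokerKey).decrypt(storedBeforeSwitch), "Decrypted text doesnt match original");

        _broker.setAttributes(Map.of("confidentialConfigurationEncryptionProvider", "AESKeyFile"));

        Assertions.assertEquals(SECRET, new AESKeyFileEncrypter(brokerKey).decrypt(getEncryptedPasswordFromConfig()), "Decrypted text doesnt match original");
    }

    /**
     * Encrypts {@code str}, checks the ciphertext is non-null and differs from the plaintext,
     * then checks that decryption returns the original value.
     */
    private void doTestSimpleEncryptDecrypt(String str) {
        final AESGCMKeyFileEncrypter encrypter = new AESGCMKeyFileEncrypter(_secretKey);
        final String ciphertext = encrypter.encrypt(str);
        Assertions.assertNotNull(ciphertext, "Encrypter did not return a result from encryption");
        Assertions.assertNotEquals(str, ciphertext, "Plain text and encrypted version are equal");
        final String roundTripped = encrypter.decrypt(ciphertext);
        Assertions.assertNotNull(roundTripped, "Encrypter did not return a result from decryption");
        Assertions.assertEquals(str, roundTripped, "Encryption was not reversible");
    }

    /** Same as the three-argument overload, with a fresh temporary work directory and no extra context. */
    private void createBrokerAndAuthenticationProviderWithEncrypterPassword(Object obj) throws Exception {
        createBrokerAndAuthenticationProviderWithEncrypterPassword(obj, Files.createTempDirectory("qpid_work_dir"), Map.of());
    }

    /**
     * Writes a minimal JSON broker configuration into {@code path}, starts the broker from it,
     * and creates a Plain authentication provider with one managed user whose password is
     * {@link #SECRET}.
     *
     * @param obj value stored as {@code confidentialConfigurationEncryptionProvider}
     * @param path work directory; recorded in {@code _workDir} so that tearDown removes it
     * @param map context entries written into the broker configuration
     */
    private void createBrokerAndAuthenticationProviderWithEncrypterPassword(Object obj, Path path, Map<String, String> map) throws Exception {
        _workDir = path;
        final Map<String, String> launcherContext = Map.of("qpid.work_dir", path.toFile().getAbsolutePath());

        _configurationLocation = Files.createTempFile(_workDir, "config", ".json");
        new ObjectMapper().writeValue(_configurationLocation.toFile(), Map.of(
                "name", getTestName(),
                "modelVersion", "9.1",
                "confidentialConfigurationEncryptionProvider", obj,
                "context", map));

        final Map<String, Object> launcherAttributes = Map.of(
                "storePath", _configurationLocation.toFile().getAbsolutePath(),
                "preferenceStoreAttributes", "{\"type\": \"Noop\"}",
                "type", "JSON",
                "startupLoggedToSystemOut", Boolean.FALSE,
                "context", launcherContext);

        // The listener hands the resolved system config to this thread through the future.
        final SettableFuture<SystemConfig<?>> resolvedConfig = SettableFuture.create();
        _systemLauncher = new SystemLauncher(new SystemLauncherListener.DefaultSystemLauncherListener() {
            @Override
            public void onContainerResolve(SystemConfig<?> systemConfig) {
                resolvedConfig.set(systemConfig);
            }
        });
        _systemLauncher.startup(launcherAttributes);
        _broker = (Broker<?>) resolvedConfig.get(BROKER_START_TIMEOUT, TimeUnit.SECONDS).getContainer();

        final AuthenticationProvider<?> authenticationProvider = _broker.createChild(
                AuthenticationProvider.class,
                Map.of("name", TestPrincipalUtils.TEST_AUTH_PROVIDER_NAME, "type", "Plain"));
        final Map<String, Object> userAttributes = new HashMap<>();
        userAttributes.put("type", "managed");
        userAttributes.put("name", "guest");
        userAttributes.put("password", SECRET);
        authenticationProvider.createChild(User.class, userAttributes);
    }

    /** Reads the raw key bytes from the location the factory reports for the running broker. */
    private byte[] getBrokerSecretKey() throws IOException {
        return Files.readAllBytes(Paths.get(AbstractAESKeyFileEncrypterFactory.getSecretKeyLocation(_broker)));
    }

    /**
     * Parses the configuration file and returns the {@code password} attribute of the first user
     * of the first authentication provider, exactly as stored on disk.
     */
    private String getEncryptedPasswordFromConfig() throws IOException {
        final Map<String, Object> config = new ObjectMapper().readValue(
                _configurationLocation.toFile(),
                new TypeReference<Map<String, Object>>() {
                });
        final List<?> providers = (List<?>) config.get("authenticationproviders");
        final Map<?, ?> firstProvider = (Map<?, ?>) providers.get(0);
        final List<?> users = (List<?>) firstProvider.get("users");
        final Map<?, ?> firstUser = (Map<?, ?>) users.get(0);
        return (String) firstUser.get("password");
    }
}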
