package org.apache.slider.server.services.security;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.security.alias.CredentialProvider;
import org.apache.hadoop.security.alias.CredentialProviderFactory;
import org.apache.slider.core.conf.AggregateConf;
import org.apache.slider.core.conf.MapOperations;
import org.apache.slider.core.exceptions.SliderException;
import org.apache.slider.providers.agent.TestAgentAMManagementWS;
import org.apache.slider.server.services.security.SecurityStore;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.TemporaryFolder;

/* loaded from: input_file:org/apache/slider/server/services/security/TestCertificateManager.class */
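/**
 * Tests for {@link CertificateManager} and {@link StoresGenerator}: generation of the CA
 * certificate, the AM keystore and per-container keystores/truststores under a temporary
 * security directory.
 *
 * <p>Each test gets a fresh {@link TemporaryFolder}; {@link #setup()} points the AM keystore
 * location at {@code <workDir>/security/keystore.p12} and initialises the certificate manager
 * with {@code cahost} as the CA host name. Every password in this class is a test fixture.
 *
 * <p>Known quirks carried over from the original test (verify against the production classes):
 * the two static path helpers on {@code CertificateManager} are called with opposite argument
 * order for keystore vs truststore, and the generated stores are located through
 * {@code SecurityUtils.getSecurityDir()} rather than through {@link #secDir}.
 */
public class TestCertificateManager {

    /** Store type every generated store is read as. */
    private static final String STORE_TYPE = "pkcs12";

    // Component option keys consumed by StoresGenerator (values as used by the original test).
    private static final String STORES_REQUIRED = "slider.component.security.stores.required";
    private static final String KEYSTORE_PASSWORD_PROPERTY = "slider.component.keystore.password.property";
    private static final String TRUSTSTORE_PASSWORD_PROPERTY = "slider.component.truststore.password.property";
    private static final String KEYSTORE_CREDENTIAL_ALIAS_PROPERTY = "slider.component.keystore.credential.alias.property";
    private static final String TRUSTSTORE_CREDENTIAL_ALIAS_PROPERTY = "slider.component.truststore.credential.alias.property";

    /** Hadoop property naming the JCEKS credential provider used by {@link #setupCredentials}. */
    private static final String CREDENTIAL_PROVIDER_PATH = "hadoop.security.credential.provider.path";

    private static final String CA_HOST = "cahost";
    private static final String CONTAINER_HOST = "testhost";
    private static final String CONTAINER_ID = "container1";
    private static final String COMPONENT = "component1";

    /** Password used whenever a keystore is generated through a password *property*. */
    private static final String COMPONENT_PASSWORD = "password";
    /** Password stored under a keystore credential alias by {@link #setupCredentials}. */
    private static final String CREDENTIAL_KEYSTORE_PASSWORD = "keypass";
    /** Password stored under a truststore credential alias by {@link #setupCredentials}. */
    private static final String CREDENTIAL_TRUSTSTORE_PASSWORD = "trustpass";

    @Rule
    public TemporaryFolder workDir = new TemporaryFolder();

    /** {@code <workDir>/security}: where the CA certificate and AM keystore are expected. */
    private File secDir;
    private CertificateManager certMan;

    /**
     * Creates a fresh {@link CertificateManager} whose AM keystore lives under {@link #secDir}
     * and initialises it with {@link #CA_HOST}. The two trailing {@code String} arguments are
     * left {@code null} exactly as the original test did; the casts keep overload resolution
     * unchanged.
     */
    @Before
    public void setup() throws Exception {
        certMan = new CertificateManager();
        secDir = new File(workDir.getRoot(), "security");
        MapOperations options = new MapOperations();
        options.put(TestAgentAMManagementWS.SSL_SERVER_KEYSTORE_LOCATION,
                new File(secDir, "keystore.p12").getAbsolutePath());
        certMan.initialize(options, CA_HOST, (String) null, (String) null);
    }

    /** Initialisation must write the CA certificate file; only existence is checked here. */
    @Test
    public void testServerCertificateGenerated() throws Exception {
        File caCert = new File(secDir, "ca.crt");
        Assert.assertTrue("Server CRD does not exist:" + caCert, caCert.exists());
    }

    /**
     * The AM keystore must exist, open with {@code SecurityUtils.getKeystorePass()}, and hold a
     * self-signed certificate whose subject and issuer are both {@code CN=cahost}.
     */
    @Test
    public void testAMKeystoreGenerated() throws Exception {
        File keystoreFile = new File(secDir, "keystore.p12");
        Assert.assertTrue("Keystore does not exist: " + keystoreFile, keystoreFile.exists());
        KeyStore store = loadStore(keystoreFile, SecurityUtils.getKeystorePass().toCharArray());
        X509Certificate cert = firstX509Certificate(store);
        Assert.assertEquals("wrong DN", "CN=" + CA_HOST, cert.getSubjectDN().getName());
        Assert.assertEquals("wrong Issuer DN", "CN=" + CA_HOST, cert.getIssuerDN().getName());
    }

    /** Container certificate generation writes {@code <container>.crt}; content is not inspected. */
    @Test
    public void testContainerCertificateGeneration() throws Exception {
        certMan.generateContainerCertificate(CONTAINER_HOST, CONTAINER_ID);
        Assert.assertTrue("container certificate not generated",
                new File(secDir, CONTAINER_ID + ".crt").exists());
    }

    /** A container keystore generated directly by the manager carries the expected DNs. */
    @Test
    public void testContainerKeystoreGeneration() throws Exception {
        SecurityStore keystore = certMan.generateContainerKeystore(
                CONTAINER_HOST, CONTAINER_ID, COMPONENT, COMPONENT_PASSWORD);
        validateKeystore(keystore.getFile(), CONTAINER_HOST, CA_HOST);
    }

    /**
     * Opens {@code keystoreFile} with {@link #COMPONENT_PASSWORD} and checks its first
     * certificate: subject {@code CN=<expectedHost>, OU=container1}, issuer
     * {@code CN=<expectedIssuerHost>}.
     *
     * @param keystoreFile       PKCS12 file to open
     * @param expectedHost       CN expected in the subject DN
     * @param expectedIssuerHost CN expected in the issuer DN
     * @throws IOException            if the store cannot be read or the password is wrong
     * @throws KeyStoreException      if the store is not initialised
     * @throws CertificateException   if a certificate in the store cannot be loaded
     * @throws NoSuchAlgorithmException if the store's integrity algorithm is unavailable
     */
    private void validateKeystore(File keystoreFile, String expectedHost, String expectedIssuerHost)
            throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
        Assert.assertTrue("container keystore not generated", keystoreFile.exists());
        KeyStore store = loadStore(keystoreFile, COMPONENT_PASSWORD.toCharArray());
        X509Certificate cert = firstX509Certificate(store);
        // The OU is fixed to the container id every test in this class uses.
        Assert.assertEquals("wrong DN", "CN=" + expectedHost + ", OU=" + CONTAINER_ID,
                cert.getSubjectDN().getName());
        Assert.assertEquals("wrong Issuer DN", "CN=" + expectedIssuerHost,
                cert.getIssuerDN().getName());
    }

    /**
     * Loads a PKCS12 store from {@code file}, closing the stream even when loading fails
     * (a wrong password surfaces as {@link IOException}).
     */
    private static KeyStore loadStore(File file, char[] password)
            throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
        try (FileInputStream in = new FileInputStream(file)) {
            KeyStore store = KeyStore.getInstance(STORE_TYPE);
            store.load(in, password);
            return store;
        }
    }

    /**
     * Returns the certificate of the store's first alias as an {@link X509Certificate}.
     * Unlike the original {@code instanceof} guard, a non-X.509 certificate or an empty store
     * fails the test instead of silently skipping the DN assertions.
     */
    private static X509Certificate firstX509Certificate(KeyStore store) throws KeyStoreException {
        Assert.assertTrue("store has no entries", store.size() > 0);
        Certificate cert = store.getCertificate(store.aliases().nextElement());
        Assert.assertNotNull(cert);
        Assert.assertTrue("expected an X.509 certificate, got " + cert.getType(),
                cert instanceof X509Certificate);
        return (X509Certificate) cert;
    }

    /** Keystore-only generation driven by component-level options and a global password property. */
    @Test
    public void testContainerKeystoreGenerationViaStoresGenerator() throws Exception {
        AggregateConf conf = new AggregateConf();
        MapOperations componentOptions = new MapOperations();
        conf.getAppConf().components.put(COMPONENT, componentOptions);
        componentOptions.put(KEYSTORE_PASSWORD_PROPERTY, "app1.component1.password.property");
        componentOptions.put(STORES_REQUIRED, "true");
        conf.getAppConf().global.put("app1.component1.password.property", COMPONENT_PASSWORD);
        conf.resolve();
        SecurityStore[] stores = StoresGenerator.generateSecurityStores(
                CONTAINER_HOST, CONTAINER_ID, COMPONENT, conf, componentOptions);
        Assert.assertEquals("wrong number of stores", 1, stores.length);
        validateKeystore(stores[0].getFile(), CONTAINER_HOST, CA_HOST);
    }

    /** Same as above, but "stores required" is set globally and the password at component level. */
    @Test
    public void testContainerKeystoreGenerationViaStoresGeneratorUsingGlobalProps() throws Exception {
        AggregateConf conf = new AggregateConf();
        MapOperations componentOptions = new MapOperations();
        conf.getAppConf().components.put(COMPONENT, componentOptions);
        componentOptions.put(KEYSTORE_PASSWORD_PROPERTY, "app1.component1.password.property");
        conf.getAppConf().global.put(STORES_REQUIRED, "true");
        componentOptions.put("app1.component1.password.property", COMPONENT_PASSWORD);
        conf.resolve();
        SecurityStore[] stores = StoresGenerator.generateSecurityStores(
                CONTAINER_HOST, CONTAINER_ID, COMPONENT, conf, componentOptions);
        Assert.assertEquals("wrong number of stores", 1, stores.length);
        validateKeystore(stores[0].getFile(), CONTAINER_HOST, CA_HOST);
    }

    /** A component-level {@code stores.required=true} must win over a global {@code false}. */
    @Test
    public void testContainerKeystoreGenerationViaStoresGeneratorOverrideGlobalSetting() throws Exception {
        AggregateConf conf = new AggregateConf();
        MapOperations componentOptions =
                setupComponentOptions(true, null, "app1.component1.password.property", null, null);
        conf.getAppConf().components.put(COMPONENT, componentOptions);
        conf.getAppConf().global.put("app1.component1.password.property", COMPONENT_PASSWORD);
        conf.getAppConf().global.put(STORES_REQUIRED, "false");
        conf.resolve();
        SecurityStore[] stores = StoresGenerator.generateSecurityStores(
                CONTAINER_HOST, CONTAINER_ID, COMPONENT, conf, componentOptions);
        Assert.assertEquals("wrong number of stores", 1, stores.length);
        validateKeystore(stores[0].getFile(), CONTAINER_HOST, CA_HOST);
    }

    /**
     * A truststore generated directly by the manager must trust the certificate in the
     * matching container keystore.
     */
    @Test
    public void testContainerTrusttoreGeneration() throws Exception {
        SecurityStore keystore = certMan.generateContainerKeystore(
                CONTAINER_HOST, CONTAINER_ID, COMPONENT, CREDENTIAL_KEYSTORE_PASSWORD);
        Assert.assertTrue("container keystore not generated", keystore.getFile().exists());
        SecurityStore truststore = certMan.generateContainerTruststore(
                CONTAINER_ID, COMPONENT, CREDENTIAL_TRUSTSTORE_PASSWORD);
        Assert.assertTrue("container truststore not generated", truststore.getFile().exists());
        validateTruststore(keystore.getFile(), truststore.getFile());
    }

    /** Only a keystore credential alias is configured: a keystore, and no truststore, results. */
    @Test
    public void testContainerGenerationUsingStoresGeneratorNoTruststore() throws Exception {
        AggregateConf conf = new AggregateConf();
        MapOperations componentOptions = new MapOperations();
        componentOptions.put(STORES_REQUIRED, "true");
        componentOptions.put(KEYSTORE_CREDENTIAL_ALIAS_PROPERTY, "test.keystore.password");
        setupCredentials(conf, "test.keystore.password", null);
        SecurityStore[] stores = StoresGenerator.generateSecurityStores(
                CONTAINER_HOST, CONTAINER_ID, COMPONENT, conf, componentOptions);
        Assert.assertEquals("wrong number of stores", 1, stores.length);
        assertKeystoreGenerated(stores, true);
        assertTruststoreGenerated(stores, false);
    }

    /**
     * Only the default truststore credential alias has a credential: a truststore, and no
     * keystore, results.
     */
    @Test
    public void testContainerGenerationUsingStoresGeneratorJustTruststoreWithDefaultAlias() throws Exception {
        AggregateConf conf = new AggregateConf();
        MapOperations componentOptions = setupComponentOptions(true);
        setupCredentials(conf, null, "component.truststore.credential.alias");
        SecurityStore[] stores = StoresGenerator.generateSecurityStores(
                CONTAINER_HOST, CONTAINER_ID, COMPONENT, conf, componentOptions);
        Assert.assertEquals("wrong number of stores", 1, stores.length);
        // The original compared a File against a SecurityStore list, which could never match;
        // the helper wraps the path in a SecurityStore so the "not in list" check is real.
        assertKeystoreGenerated(stores, false);
        assertTruststoreGenerated(stores, true);
    }

    /** Both credential aliases configured: keystore and truststore, and the latter trusts the former. */
    @Test
    public void testContainerTrusttoreGenerationUsingStoresGenerator() throws Exception {
        AggregateConf conf = new AggregateConf();
        MapOperations componentOptions = setupComponentOptions(
                true, "test.keystore.password", null, "test.truststore.password", null);
        setupCredentials(conf, "test.keystore.password", "test.truststore.password");
        SecurityStore[] stores = StoresGenerator.generateSecurityStores(
                CONTAINER_HOST, CONTAINER_ID, COMPONENT, conf, componentOptions);
        Assert.assertEquals("wrong number of stores", 2, stores.length);
        File keystoreFile = assertKeystoreGenerated(stores, true);
        File truststoreFile = assertTruststoreGenerated(stores, true);
        validateTruststore(keystoreFile, truststoreFile);
    }

    /**
     * Asserts whether the container keystore exists on disk and is (or is not) reported in
     * {@code stores}. Membership relies on {@code SecurityStore} equality, presumably file
     * plus store type.
     *
     * @return the expected keystore path, whether or not it exists
     */
    private static File assertKeystoreGenerated(SecurityStore[] stores, boolean expected) {
        File keystoreFile = CertificateManager.getContainerKeystoreFilePath(CONTAINER_ID, COMPONENT);
        SecurityStore entry = new SecurityStore(keystoreFile, SecurityStore.StoreType.keystore);
        boolean listed = Arrays.asList(stores).contains(entry);
        if (expected) {
            Assert.assertTrue("container keystore not generated", keystoreFile.exists());
            Assert.assertTrue("keystore not in returned list", listed);
        } else {
            Assert.assertFalse("container keystore generated", keystoreFile.exists());
            Assert.assertFalse("keystore in returned list", listed);
        }
        return keystoreFile;
    }

    /**
     * Truststore counterpart of {@link #assertKeystoreGenerated}. Note the (component,
     * container) argument order of the path helper, kept from the original test.
     *
     * @return the expected truststore path, whether or not it exists
     */
    private static File assertTruststoreGenerated(SecurityStore[] stores, boolean expected) {
        File truststoreFile = CertificateManager.getContainerTruststoreFilePath(COMPONENT, CONTAINER_ID);
        SecurityStore entry = new SecurityStore(truststoreFile, SecurityStore.StoreType.truststore);
        boolean listed = Arrays.asList(stores).contains(entry);
        if (expected) {
            Assert.assertTrue("container truststore not generated", truststoreFile.exists());
            Assert.assertTrue("truststore not in returned list", listed);
        } else {
            Assert.assertFalse("container truststore generated", truststoreFile.exists());
            Assert.assertFalse("truststore in returned list", listed);
        }
        return truststoreFile;
    }

    /**
     * Creates a fresh JCEKS credential provider at {@code <securityDir>/test.jks}, registers it
     * in {@code conf}, and stores {@link #CREDENTIAL_KEYSTORE_PASSWORD} under
     * {@code keystoreAlias} and {@link #CREDENTIAL_TRUSTSTORE_PASSWORD} under
     * {@code truststoreAlias} (each only when non-null).
     *
     * @param conf            application configuration to register the provider path in
     * @param keystoreAlias   credential alias for the keystore password, or {@code null}
     * @param truststoreAlias credential alias for the truststore password, or {@code null}
     * @throws Exception any failure from the credential provider (propagated with its cause)
     */
    private void setupCredentials(AggregateConf conf, String keystoreAlias, String truststoreAlias)
            throws Exception {
        Configuration configuration = new Configuration();
        File providerFile = new File(SecurityUtils.getSecurityDir(), "test.jks");
        String providerPath = "jceks://file" + new Path(SecurityUtils.getSecurityDir(), "test.jks").toUri();
        // Best effort: remove any provider left by an earlier test so aliases do not collide.
        providerFile.delete();
        configuration.set(CREDENTIAL_PROVIDER_PATH, providerPath);
        conf.getAppConf().credentials.put(providerPath, new ArrayList<>());
        CredentialProvider provider =
                (CredentialProvider) CredentialProviderFactory.getProviders(configuration).get(0);
        if (keystoreAlias != null) {
            provider.createCredentialEntry(keystoreAlias, CREDENTIAL_KEYSTORE_PASSWORD.toCharArray());
        }
        if (truststoreAlias != null) {
            provider.createCredentialEntry(truststoreAlias, CREDENTIAL_TRUSTSTORE_PASSWORD.toCharArray());
        }
        provider.flush();
    }

    /** Component options with only the "stores required" flag set. */
    private MapOperations setupComponentOptions(boolean storesRequired) {
        return setupComponentOptions(storesRequired, null, null, null, null);
    }

    /**
     * Builds component options for {@link StoresGenerator}. Each non-null argument sets the
     * corresponding option; the original always wrote the fixed aliases
     * {@code test.keystore.password}/{@code test.truststore.password} regardless of the
     * argument value, which this version writes through so the parameters mean what they say
     * (every existing caller passes exactly those values).
     *
     * @param storesRequired            value for {@link #STORES_REQUIRED}
     * @param keystoreCredentialAlias   value for {@link #KEYSTORE_CREDENTIAL_ALIAS_PROPERTY}, or {@code null}
     * @param keystorePasswordProperty  value for {@link #KEYSTORE_PASSWORD_PROPERTY}, or {@code null}
     * @param truststoreCredentialAlias value for {@link #TRUSTSTORE_CREDENTIAL_ALIAS_PROPERTY}, or {@code null}
     * @param truststorePasswordProperty value for {@link #TRUSTSTORE_PASSWORD_PROPERTY}, or {@code null}
     */
    private MapOperations setupComponentOptions(boolean storesRequired,
            String keystoreCredentialAlias, String keystorePasswordProperty,
            String truststoreCredentialAlias, String truststorePasswordProperty) {
        MapOperations options = new MapOperations();
        options.put(STORES_REQUIRED, Boolean.toString(storesRequired));
        if (keystoreCredentialAlias != null) {
            options.put(KEYSTORE_CREDENTIAL_ALIAS_PROPERTY, keystoreCredentialAlias);
        }
        if (truststoreCredentialAlias != null) {
            options.put(TRUSTSTORE_CREDENTIAL_ALIAS_PROPERTY, truststoreCredentialAlias);
        }
        if (keystorePasswordProperty != null) {
            options.put(KEYSTORE_PASSWORD_PROPERTY, keystorePasswordProperty);
        }
        if (truststorePasswordProperty != null) {
            options.put(TRUSTSTORE_PASSWORD_PROPERTY, truststorePasswordProperty);
        }
        return options;
    }

    /** Stores required, no truststore alias, keystore resolved via the default alias. */
    @Test
    public void testContainerStoresGenerationKeystoreOnly() throws Exception {
        AggregateConf conf = new AggregateConf();
        MapOperations componentOptions = new MapOperations();
        componentOptions.put(STORES_REQUIRED, "true");
        setupCredentials(conf, "component.keystore.credential.alias", null);
        SecurityStore[] stores = StoresGenerator.generateSecurityStores(
                CONTAINER_HOST, CONTAINER_ID, COMPONENT, conf, componentOptions);
        Assert.assertEquals("wrong number of stores", 1, stores.length);
        assertKeystoreGenerated(stores, true);
        assertTruststoreGenerated(stores, false);
    }

    /**
     * Stores are required but the only credential lives under an alias the component options
     * never reference, so generation must fail with {@link SliderException} rather than
     * silently produce no stores.
     */
    @Test
    public void testContainerStoresGenerationMisconfiguration() throws Exception {
        AggregateConf conf = new AggregateConf();
        MapOperations componentOptions = new MapOperations();
        componentOptions.put(STORES_REQUIRED, "true");
        setupCredentials(conf, "cant.be.found", null);
        try {
            StoresGenerator.generateSecurityStores(
                    CONTAINER_HOST, CONTAINER_ID, COMPONENT, conf, componentOptions);
            Assert.fail("SliderException should have been generated");
        } catch (SliderException expected) {
            // The misconfiguration is supposed to surface exactly here.
        }
    }

    /**
     * Checks that the certificate in {@code keystoreFile} (password {@code keypass}) is trusted
     * by {@code truststoreFile} (password {@code trustpass}): an {@link X509TrustManager} built
     * from the truststore must accept it via {@code checkServerTrusted}, which throws
     * {@link CertificateException} on an untrusted chain. The {@code RSA_EXPORT} auth-type
     * string is kept from the original; the trust decision rests on the chain, not that label.
     * Unlike the original loop, the test now fails if no X.509 trust manager performed a check.
     */
    private void validateTruststore(File keystoreFile, File truststoreFile)
            throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
        KeyStore keystore = loadStore(keystoreFile, CREDENTIAL_KEYSTORE_PASSWORD.toCharArray());
        X509Certificate cert = firstX509Certificate(keystore);

        KeyStore truststore = loadStore(truststoreFile, CREDENTIAL_TRUSTSTORE_PASSWORD.toCharArray());
        TrustManagerFactory factory =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        factory.init(truststore);

        boolean checked = false;
        for (TrustManager trustManager : factory.getTrustManagers()) {
            if (trustManager instanceof X509TrustManager) {
                ((X509TrustManager) trustManager).checkServerTrusted(
                        new X509Certificate[]{cert}, "RSA_EXPORT");
                checked = true;
            }
        }
        Assert.assertTrue("no X509TrustManager available to validate the truststore", checked);
    }
}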
