package org.apache.pinot.common.utils.tls;

import com.google.common.collect.ImmutableMap;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.net.URISyntaxException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.nio.file.WatchService;
import java.nio.file.attribute.FileAttribute;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;
import nl.altindag.ssl.SSLFactory;
import nl.altindag.ssl.trustmanager.HotSwappableX509ExtendedTrustManager;
import nl.altindag.ssl.trustmanager.UnsafeX509ExtendedTrustManager;
import org.apache.commons.io.FileUtils;
import org.apache.pinot.common.config.TlsConfig;
import org.testng.Assert;
import org.testng.annotations.AfterMethod;
import org.testng.annotations.BeforeMethod;
import org.testng.annotations.Test;

/* loaded from: input_file:org/apache/pinot/common/utils/tls/RenewableTlsUtilsTest.class */
public class RenewableTlsUtilsTest {
    private static final String TLS_RESOURCE_FOLDER = "tls/";
    private static final String TLS_KEYSTORE_FILE = "keystore.p12";
    private static final String TLS_TRUSTSTORE_FILE = "truststore.p12";
    private static final String TLS_KEYSTORE_UPDATED_FILE = "keystore-updated.p12";
    private static final String TLS_TRUSTSTORE_UPDATED_FILE = "truststore-updated.p12";
    private static final String PASSWORD = "changeit";
    private static final String KEYSTORE_TYPE = "PKCS12";
    private static final String TRUSTSTORE_TYPE = "PKCS12";
    private static final String KEY_NAME_ALIAS = "mykey";
    private static final String DEFAULT_TEST_TLS_DIR = new File(FileUtils.getTempDirectoryPath(), "test-tls-dir" + System.currentTimeMillis()).getAbsolutePath();
    private static final String TLS_KEYSTORE_FILE_PATH = DEFAULT_TEST_TLS_DIR + "/keystore.p12";
    private static final String TLS_TRUSTSTORE_FILE_PATH = DEFAULT_TEST_TLS_DIR + "/truststore.p12";

    @BeforeMethod
    public void setUp() throws IOException, URISyntaxException {
        copyResourceFilesToTempFolder(ImmutableMap.of(TLS_KEYSTORE_FILE, TLS_KEYSTORE_FILE, TLS_TRUSTSTORE_FILE, TLS_TRUSTSTORE_FILE));
    }

    private static void copyResourceFilesToTempFolder(Map<String, String> map) throws URISyntaxException, IOException {
        InputStream resourceAsStream;
        Files.createDirectories(Paths.get(DEFAULT_TEST_TLS_DIR, new String[0]), new FileAttribute[0]);
        for (Map.Entry<String, String> entry : map.entrySet()) {
            try {
                resourceAsStream = RenewableTlsUtilsTest.class.getClassLoader().getResourceAsStream("tls/" + entry.getKey());
            } catch (IOException e) {
                e.printStackTrace();
            }
            if (resourceAsStream == null) {
                throw new IOException("Resource file not found: " + entry.getKey());
                break;
            } else {
                try {
                    Files.copy(resourceAsStream, Paths.get(DEFAULT_TEST_TLS_DIR, entry.getValue()), StandardCopyOption.REPLACE_EXISTING);
                    if (resourceAsStream != null) {
                        resourceAsStream.close();
                    }
                } finally {
                }
            }
        }
    }

    @AfterMethod
    public void tearDown() {
        FileUtils.deleteQuietly(new File(DEFAULT_TEST_TLS_DIR));
    }

    @Test
    public void swappableSSLFactoryHasSameAsStaticOnes() throws NoSuchAlgorithmException, KeyManagementException, IOException, URISyntaxException {
        SecureRandom secureRandom = new SecureRandom();
        KeyManagerFactory createKeyManagerFactory = TlsUtils.createKeyManagerFactory(TLS_KEYSTORE_FILE_PATH, PASSWORD, "PKCS12");
        TrustManagerFactory createTrustManagerFactory = TlsUtils.createTrustManagerFactory(TLS_TRUSTSTORE_FILE_PATH, PASSWORD, "PKCS12");
        SSLContext sSLContext = SSLContext.getInstance("TLS");
        sSLContext.init(createKeyManagerFactory.getKeyManagers(), createTrustManagerFactory.getTrustManagers(), secureRandom);
        SSLFactory createSSLFactory = RenewableTlsUtils.createSSLFactory("PKCS12", TLS_KEYSTORE_FILE_PATH, PASSWORD, "PKCS12", TLS_TRUSTSTORE_FILE_PATH, PASSWORD, "TLS", secureRandom, true, false);
        KeyManagerFactory keyManagerFactory = (KeyManagerFactory) createSSLFactory.getKeyManagerFactory().get();
        Assert.assertEquals(keyManagerFactory.getKeyManagers().length, createKeyManagerFactory.getKeyManagers().length);
        Assert.assertEquals(keyManagerFactory.getKeyManagers().length, 1);
        assertSSLKeyManagersEqual(keyManagerFactory.getKeyManagers()[0], createKeyManagerFactory.getKeyManagers()[0]);
        TrustManagerFactory trustManagerFactory = (TrustManagerFactory) createSSLFactory.getTrustManagerFactory().get();
        Assert.assertEquals(trustManagerFactory.getTrustManagers().length, createTrustManagerFactory.getTrustManagers().length);
        Assert.assertEquals(trustManagerFactory.getTrustManagers().length, 1);
        assertSSLTrustManagersEqual(trustManagerFactory.getTrustManagers()[0], createTrustManagerFactory.getTrustManagers()[0]);
        SSLContext sslContext = createSSLFactory.getSslContext();
        Assert.assertEquals(sslContext.getProtocol(), sSLContext.getProtocol());
        Assert.assertEquals(sslContext.getProvider(), sSLContext.getProvider());
    }

    private static void assertSSLKeyManagersEqual(KeyManager keyManager, KeyManager keyManager2) {
        X509KeyManager x509KeyManager = (X509KeyManager) keyManager;
        X509KeyManager x509KeyManager2 = (X509KeyManager) keyManager2;
        Assert.assertEquals(x509KeyManager.getPrivateKey(KEY_NAME_ALIAS), x509KeyManager2.getPrivateKey(KEY_NAME_ALIAS));
        X509Certificate[] certificateChain = x509KeyManager.getCertificateChain(KEY_NAME_ALIAS);
        X509Certificate[] certificateChain2 = x509KeyManager2.getCertificateChain(KEY_NAME_ALIAS);
        Assert.assertEquals(certificateChain.length, certificateChain2.length);
        Assert.assertEquals(certificateChain.length, 1);
        Assert.assertEquals(certificateChain[0], certificateChain2[0]);
    }

    private static void assertSSLTrustManagersEqual(TrustManager trustManager, TrustManager trustManager2) {
        X509TrustManager x509TrustManager = (X509TrustManager) trustManager;
        X509TrustManager x509TrustManager2 = (X509TrustManager) trustManager2;
        Assert.assertEquals(x509TrustManager.getAcceptedIssuers().length, x509TrustManager2.getAcceptedIssuers().length);
        Assert.assertEquals(x509TrustManager.getAcceptedIssuers().length, 1);
        Assert.assertEquals(x509TrustManager.getAcceptedIssuers()[0], x509TrustManager2.getAcceptedIssuers()[0]);
    }

    @Test
    public void reloadSslFactoryWhenFileStoreChanges() throws IOException, URISyntaxException, InterruptedException {
        SecureRandom secureRandom = new SecureRandom();
        SSLFactory createSSLFactory = RenewableTlsUtils.createSSLFactory("PKCS12", TLS_KEYSTORE_FILE_PATH, PASSWORD, "PKCS12", TLS_TRUSTSTORE_FILE_PATH, PASSWORD, "TLS", secureRandom, true, false);
        X509ExtendedKeyManager x509ExtendedKeyManager = (X509ExtendedKeyManager) createSSLFactory.getKeyManager().get();
        X509ExtendedTrustManager x509ExtendedTrustManager = (X509ExtendedTrustManager) createSSLFactory.getTrustManager().get();
        SSLContext sslContext = createSSLFactory.getSslContext();
        PrivateKey privateKey = x509ExtendedKeyManager.getPrivateKey(KEY_NAME_ALIAS);
        X509Certificate x509Certificate = x509ExtendedKeyManager.getCertificateChain(KEY_NAME_ALIAS)[0];
        X509Certificate x509Certificate2 = x509ExtendedTrustManager.getAcceptedIssuers()[0];
        ExecutorService newFixedThreadPool = Executors.newFixedThreadPool(1);
        newFixedThreadPool.execute(() -> {
            try {
                RenewableTlsUtils.reloadSslFactoryWhenFileStoreChanges(createSSLFactory, "PKCS12", TLS_KEYSTORE_FILE_PATH, PASSWORD, "PKCS12", TLS_TRUSTSTORE_FILE_PATH, PASSWORD, "TLS", secureRandom, () -> {
                    return false;
                });
            } catch (Exception e) {
                throw new RuntimeException(e);
            }
        });
        updateTlsFilesAndWaitForSslFactoryToBeRenewed();
        newFixedThreadPool.shutdown();
        X509ExtendedKeyManager x509ExtendedKeyManager2 = (X509ExtendedKeyManager) createSSLFactory.getKeyManager().get();
        X509ExtendedTrustManager x509ExtendedTrustManager2 = (X509ExtendedTrustManager) createSSLFactory.getTrustManager().get();
        SSLContext sslContext2 = createSSLFactory.getSslContext();
        Assert.assertEquals(x509ExtendedKeyManager, x509ExtendedKeyManager2);
        Assert.assertEquals(x509ExtendedTrustManager, x509ExtendedTrustManager2);
        Assert.assertEquals(sslContext, sslContext2);
        Assert.assertNotEquals(privateKey, x509ExtendedKeyManager2.getPrivateKey(KEY_NAME_ALIAS));
        Assert.assertNotEquals(x509Certificate, x509ExtendedKeyManager2.getCertificateChain(KEY_NAME_ALIAS)[0]);
        Assert.assertNotEquals(x509Certificate2, x509ExtendedTrustManager2.getAcceptedIssuers()[0]);
    }

    @Test
    public void enableAutoRenewalFromFileStoreForSSLFactoryThrows() {
        SSLFactory createSSLFactory = RenewableTlsUtils.createSSLFactory("PKCS12", TLS_KEYSTORE_FILE_PATH, PASSWORD, "PKCS12", TLS_TRUSTSTORE_FILE_PATH, PASSWORD, "TLS", (SecureRandom) null, true, false);
        TlsConfig tlsConfig = new TlsConfig();
        tlsConfig.setKeyStoreType("PKCS12");
        tlsConfig.setKeyStorePath("ftp://" + TLS_KEYSTORE_FILE_PATH);
        tlsConfig.setKeyStorePassword(PASSWORD);
        tlsConfig.setTrustStoreType("PKCS12");
        tlsConfig.setTrustStorePath(TLS_TRUSTSTORE_FILE_PATH);
        tlsConfig.setTrustStorePassword(PASSWORD);
        RuntimeException runtimeException = null;
        try {
            RenewableTlsUtils.enableAutoRenewalFromFileStoreForSSLFactory(createSSLFactory, tlsConfig, () -> {
                return false;
            });
        } catch (RuntimeException e) {
            runtimeException = e;
        }
        Assert.assertNotNull(runtimeException);
        Assert.assertEquals(runtimeException.getMessage(), "java.lang.IllegalArgumentException: key store path must be a local file path or null when SSL auto renew is enabled");
        tlsConfig.setKeyStorePath(TLS_KEYSTORE_FILE_PATH);
        tlsConfig.setTrustStorePath("ftp://" + TLS_TRUSTSTORE_FILE_PATH);
        RuntimeException runtimeException2 = null;
        try {
            RenewableTlsUtils.enableAutoRenewalFromFileStoreForSSLFactory(createSSLFactory, tlsConfig, () -> {
                return false;
            });
        } catch (RuntimeException e2) {
            runtimeException2 = e2;
        }
        Assert.assertEquals(runtimeException2.getMessage(), "java.lang.IllegalArgumentException: trust store path must be a local file path or null when SSL auto renew is enabled");
        SSLFactory createSSLFactory2 = RenewableTlsUtils.createSSLFactory("PKCS12", TLS_KEYSTORE_FILE_PATH, PASSWORD, "PKCS12", TLS_TRUSTSTORE_FILE_PATH, PASSWORD, "TLS", (SecureRandom) null, false, false);
        RuntimeException runtimeException3 = null;
        tlsConfig.setTrustStorePath(TLS_TRUSTSTORE_FILE_PATH);
        try {
            RenewableTlsUtils.enableAutoRenewalFromFileStoreForSSLFactory(createSSLFactory2, tlsConfig, () -> {
                return false;
            });
        } catch (RuntimeException e3) {
            runtimeException3 = e3;
        }
        Assert.assertEquals(runtimeException3.getMessage(), "java.lang.IllegalArgumentException: key manager of the existing SSLFactory must be swappable");
        tlsConfig.setKeyStorePath((String) null);
        RuntimeException runtimeException4 = null;
        try {
            RenewableTlsUtils.enableAutoRenewalFromFileStoreForSSLFactory(createSSLFactory2, tlsConfig, () -> {
                return false;
            });
        } catch (RuntimeException e4) {
            runtimeException4 = e4;
        }
        Assert.assertEquals(runtimeException4.getMessage(), "java.lang.IllegalArgumentException: trust manager of the existing SSLFactory must be swappable");
    }

    @Test
    public void createSslFactoryInInsecureMode() {
        SecureRandom secureRandom = new SecureRandom();
        X509ExtendedTrustManager x509ExtendedTrustManager = (X509ExtendedTrustManager) RenewableTlsUtils.createSSLFactory("PKCS12", TLS_KEYSTORE_FILE_PATH, PASSWORD, "PKCS12", TLS_TRUSTSTORE_FILE_PATH, PASSWORD, "TLS", secureRandom, false, true).getTrustManager().get();
        Assert.assertTrue(x509ExtendedTrustManager instanceof UnsafeX509ExtendedTrustManager);
        Assert.assertEquals(x509ExtendedTrustManager.getAcceptedIssuers().length, 0);
        ensurSslFactoryUseUnsafeTrustManager(RenewableTlsUtils.createSSLFactory("PKCS12", TLS_KEYSTORE_FILE_PATH, PASSWORD, "PKCS12", TLS_TRUSTSTORE_FILE_PATH, PASSWORD, "TLS", secureRandom, true, true));
    }

    @Test
    public void createSSLFactoryAndEnableAutoRenewalWhenUsingFileStoresWithPinotSecureMode() throws IOException, URISyntaxException, InterruptedException {
        SSLFactory createSSLFactoryAndEnableAutoRenewalWhenUsingFileStores = RenewableTlsUtils.createSSLFactoryAndEnableAutoRenewalWhenUsingFileStores(createTlsConfig(), () -> {
            return false;
        });
        ensurSslFactoryUseNormalTrustManager(createSSLFactoryAndEnableAutoRenewalWhenUsingFileStores);
        updateTlsFilesAndWaitForSslFactoryToBeRenewed();
        ensurSslFactoryUseNormalTrustManager(createSSLFactoryAndEnableAutoRenewalWhenUsingFileStores);
    }

    @Test
    public void createSSLFactoryAndEnableAutoRenewalWhenUsingFileStoresWithPinotInsecureMode() throws IOException, URISyntaxException, InterruptedException {
        SSLFactory createSSLFactoryAndEnableAutoRenewalWhenUsingFileStores = RenewableTlsUtils.createSSLFactoryAndEnableAutoRenewalWhenUsingFileStores(createTlsConfig(), () -> {
            return true;
        });
        ensurSslFactoryUseUnsafeTrustManager(createSSLFactoryAndEnableAutoRenewalWhenUsingFileStores);
        updateTlsFilesAndWaitForSslFactoryToBeRenewed();
        ensurSslFactoryUseUnsafeTrustManager(createSSLFactoryAndEnableAutoRenewalWhenUsingFileStores);
    }

    private void ensurSslFactoryUseNormalTrustManager(SSLFactory sSLFactory) {
        HotSwappableX509ExtendedTrustManager hotSwappableX509ExtendedTrustManager = (X509ExtendedTrustManager) sSLFactory.getTrustManager().get();
        Assert.assertTrue(hotSwappableX509ExtendedTrustManager instanceof HotSwappableX509ExtendedTrustManager);
        Assert.assertFalse(hotSwappableX509ExtendedTrustManager.getInnerTrustManager() instanceof UnsafeX509ExtendedTrustManager);
        Assert.assertEquals(hotSwappableX509ExtendedTrustManager.getAcceptedIssuers().length, 1);
    }

    private void ensurSslFactoryUseUnsafeTrustManager(SSLFactory sSLFactory) {
        HotSwappableX509ExtendedTrustManager hotSwappableX509ExtendedTrustManager = (X509ExtendedTrustManager) sSLFactory.getTrustManager().get();
        Assert.assertTrue(hotSwappableX509ExtendedTrustManager instanceof HotSwappableX509ExtendedTrustManager);
        Assert.assertTrue(hotSwappableX509ExtendedTrustManager.getInnerTrustManager() instanceof UnsafeX509ExtendedTrustManager);
        Assert.assertEquals(hotSwappableX509ExtendedTrustManager.getAcceptedIssuers().length, 0);
    }

    private TlsConfig createTlsConfig() {
        TlsConfig tlsConfig = new TlsConfig();
        tlsConfig.setKeyStoreType("PKCS12");
        tlsConfig.setKeyStorePath(TLS_KEYSTORE_FILE_PATH);
        tlsConfig.setKeyStorePassword(PASSWORD);
        tlsConfig.setTrustStoreType("PKCS12");
        tlsConfig.setTrustStorePath(TLS_TRUSTSTORE_FILE_PATH);
        tlsConfig.setTrustStorePassword(PASSWORD);
        tlsConfig.setInsecure(false);
        return tlsConfig;
    }

    private void updateTlsFilesAndWaitForSslFactoryToBeRenewed() throws IOException, URISyntaxException, InterruptedException {
        WatchService newWatchService = FileSystems.getDefault().newWatchService();
        HashMap hashMap = new HashMap();
        RenewableTlsUtils.registerFile(newWatchService, hashMap, TLS_KEYSTORE_FILE_PATH);
        RenewableTlsUtils.registerFile(newWatchService, hashMap, TLS_TRUSTSTORE_FILE_PATH);
        Thread.sleep(100L);
        copyResourceFilesToTempFolder(ImmutableMap.of(TLS_KEYSTORE_UPDATED_FILE, TLS_KEYSTORE_FILE, TLS_TRUSTSTORE_UPDATED_FILE, TLS_TRUSTSTORE_FILE));
        newWatchService.take();
        Thread.sleep(500L);
    }
}
