package org.apache.hadoop.hdds.security.x509.certificate.authority;

import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.cert.CertificateException;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.Future;
import org.apache.commons.lang3.RandomStringUtils;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateApprover;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateServer;
import org.apache.hadoop.hdds.security.x509.certificate.authority.DefaultCAServer;
import org.apache.hadoop.hdds.security.x509.certificates.utils.CertificateSignRequest;
import org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator;
import org.apache.hadoop.test.LambdaTestUtils;
import org.bouncycastle.cert.X509CertificateHolder;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.TemporaryFolder;

/* loaded from: input_file:org/apache/hadoop/hdds/security/x509/certificate/authority/TestDefaultCAServer.class */
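public class TestDefaultCAServer {
    /**
     * Configuration shared by all tests. {@link #init()} repoints
     * {@code ozone.metadata.dirs} at a fresh temporary folder before every test, so
     * CA key/certificate state written by one test is never visible to the next.
     */
    private static OzoneConfiguration conf = new OzoneConfiguration();

    @Rule
    public TemporaryFolder temporaryFolder = new TemporaryFolder();
    private MockCAStore caStore;

    /**
     * Gives each test an empty metadata directory and a new mock certificate store.
     *
     * @throws IOException if the temporary folder cannot be created
     */
    @Before
    public void init() throws IOException {
        conf.set("ozone.metadata.dirs", this.temporaryFolder.newFolder().toString());
        this.caStore = new MockCAStore();
    }

    /**
     * Builds a CA with subject {@code testCA}, random cluster and SCM identifiers,
     * and the per-test mock store.
     *
     * @return an uninitialised {@link DefaultCAServer}
     */
    private DefaultCAServer newTestCA() {
        return new DefaultCAServer("testCA", RandomStringUtils.randomAlphabetic(4),
            RandomStringUtils.randomAlphabetic(4), this.caStore);
    }

    /**
     * Starts a CSR builder carrying the fields every request in this class shares
     * (SANs, non-CA flag, subject, configuration and a freshly generated key). The
     * SCM and cluster identifiers are left to the caller because they are what the
     * request tests vary.
     *
     * @return a builder still missing {@code scmID} / {@code clusterID}
     * @throws NoSuchProviderException if the key provider is unavailable
     * @throws NoSuchAlgorithmException if the key algorithm is unavailable
     */
    private CertificateSignRequest.Builder baseCsrBuilder()
        throws NoSuchProviderException, NoSuchAlgorithmException {
        return new CertificateSignRequest.Builder()
            .addDnsName("hadoop.apache.org")
            .addIpAddress("8.8.8.8")
            .setCA(false)
            .setSubject("Ozone Cluster")
            .setConfiguration(conf)
            .setKey(new HDDSKeyGenerator(conf).generateKey());
    }

    /**
     * Self-signed initialisation must produce a CA certificate, a repeated
     * initialisation must return that same certificate rather than a new root, and
     * the intermediary-CA mode must be rejected.
     *
     * @throws SCMSecurityException if CA initialisation fails
     * @throws CertificateException if the CA certificate cannot be read
     * @throws IOException on storage errors
     */
    @Test
    public void testInit() throws SCMSecurityException, CertificateException, IOException {
        SecurityConfig securityConfig = new SecurityConfig(conf);
        DefaultCAServer testCA = newTestCA();

        testCA.init(securityConfig, CertificateServer.CAType.SELF_SIGNED_CA);
        X509CertificateHolder firstCert = testCA.getCACertificate();
        Assert.assertNotNull(firstCert);

        // Pins that re-initialising against the same store reuses the existing root
        // instead of minting a replacement.
        testCA.init(securityConfig, CertificateServer.CAType.SELF_SIGNED_CA);
        Assert.assertEquals(firstCert, testCA.getCACertificate());

        try {
            testCA.init(securityConfig, CertificateServer.CAType.INTERMEDIARY_CA);
            Assert.fail("code should not reach here, exception should have been thrown.");
        } catch (IllegalStateException e) {
            Assert.assertTrue(e.toString().contains("Not implemented"));
        }
    }

    /**
     * A store reporting {@code MISSING_CERTIFICATE} must make the CA refuse to start
     * with a message naming the missing root certificates.
     */
    @Test
    public void testMissingCertificate() {
        try {
            newTestCA()
                .processVerificationStatus(DefaultCAServer.VerificationStatus.MISSING_CERTIFICATE)
                .accept(new SecurityConfig(conf));
            Assert.fail("code should not reach here, exception should have been thrown.");
        } catch (IllegalStateException e) {
            Assert.assertTrue(e.toString().contains("Missing Root Certs"));
        }
    }

    /**
     * A store reporting {@code MISSING_KEYS} must make the CA refuse to start with a
     * message naming the missing keys.
     */
    @Test
    public void testMissingKey() {
        try {
            newTestCA()
                .processVerificationStatus(DefaultCAServer.VerificationStatus.MISSING_KEYS)
                .accept(new SecurityConfig(conf));
            Assert.fail("code should not reach here, exception should have been thrown.");
        } catch (IllegalStateException e) {
            Assert.assertTrue(e.toString().contains("Missing Keys"));
        }
    }

    /**
     * A CSR whose SCM and cluster identifiers match the CA's own must be signed
     * synchronously under {@code TESTING_AUTOMATIC} approval.
     *
     * @throws IOException if the CSR cannot be encoded or the CA cannot initialise
     * @throws ExecutionException if signing fails
     * @throws InterruptedException if waiting on the result is interrupted
     * @throws NoSuchProviderException if the key provider is unavailable
     * @throws NoSuchAlgorithmException if the key algorithm is unavailable
     */
    @Test
    public void testRequestCertificate() throws IOException, ExecutionException, InterruptedException, NoSuchProviderException, NoSuchAlgorithmException {
        String scmId = RandomStringUtils.randomAlphabetic(4);
        String clusterId = RandomStringUtils.randomAlphabetic(4);
        String csr = CertificateSignRequest.getEncodedString(
            baseCsrBuilder().setClusterID(clusterId).setScmID(scmId).build());

        // The CA is constructed with the same identifiers the CSR carries.
        DefaultCAServer testCA = new DefaultCAServer("testCA", clusterId, scmId, this.caStore);
        testCA.init(new SecurityConfig(conf), CertificateServer.CAType.SELF_SIGNED_CA);

        Future<X509CertificateHolder> holder =
            testCA.requestCertificate(csr, CertificateApprover.ApprovalType.TESTING_AUTOMATIC);
        Assert.assertTrue(holder.isDone());
        Assert.assertNotNull(holder.get());
    }

    /**
     * A CSR whose subject carries no SCM or cluster identifier at all is still signed:
     * the request completes and yields a certificate. Only mismatching identifiers
     * (see {@link #testRequestCertificateWithInvalidSubjectFailure()}) are rejected.
     *
     * @throws IOException if the CSR cannot be encoded or the CA cannot initialise
     * @throws ExecutionException if signing fails
     * @throws InterruptedException if waiting on the result is interrupted
     * @throws NoSuchProviderException if the key provider is unavailable
     * @throws NoSuchAlgorithmException if the key algorithm is unavailable
     */
    @Test
    public void testRequestCertificateWithInvalidSubject() throws IOException, ExecutionException, InterruptedException, NoSuchProviderException, NoSuchAlgorithmException {
        String csr = CertificateSignRequest.getEncodedString(baseCsrBuilder().build());

        DefaultCAServer testCA = newTestCA();
        testCA.init(new SecurityConfig(conf), CertificateServer.CAType.SELF_SIGNED_CA);

        Future<X509CertificateHolder> holder =
            testCA.requestCertificate(csr, CertificateApprover.ApprovalType.TESTING_AUTOMATIC);
        Assert.assertTrue(holder.isDone());
        Assert.assertNotNull(holder.get());
    }

    /**
     * A CSR whose SCM and cluster identifiers disagree with the CA's must fail; the
     * failure surfaces from {@code Future.get()} as an {@link ExecutionException}
     * whose message names the incorrect identifiers.
     *
     * @throws Exception propagated from CSR construction or CA initialisation
     */
    @Test
    public void testRequestCertificateWithInvalidSubjectFailure() throws Exception {
        String csr = CertificateSignRequest.getEncodedString(
            baseCsrBuilder().setScmID("wrong one").setClusterID("223432rf").build());

        // newTestCA() uses random identifiers, so they cannot equal the literals above.
        DefaultCAServer testCA = newTestCA();
        testCA.init(new SecurityConfig(conf), CertificateServer.CAType.SELF_SIGNED_CA);

        LambdaTestUtils.intercept(ExecutionException.class, "ScmId and ClusterId in CSR subject are incorrect", () -> {
            Future<X509CertificateHolder> holder =
                testCA.requestCertificate(csr, CertificateApprover.ApprovalType.TESTING_AUTOMATIC);
            // get() is what rethrows the signing failure as ExecutionException.
            holder.get();
        });
    }
}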
