package io.confluent.rest;

import com.fasterxml.jackson.annotation.JsonProperty;
import java.io.File;
import java.io.IOException;
import java.nio.file.CopyOption;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileAttribute;
import java.security.KeyPair;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.GET;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Configurable;
import javax.ws.rs.core.Context;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.ssl.SSLContexts;
import org.apache.kafka.common.config.types.Password;
import org.apache.kafka.test.TestSslUtils;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/rest/SslCertReloadTest.class */
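/**
 * Exercises automatic keystore reload over HTTPS.
 *
 * <p>{@link #setUp()} builds a temp tree with three store sets ("old", "err", "new") and a
 * single {@code ..data} symlink that the top-level store names point through; the test then
 * re-points that link so the server picks up a bad server certificate and, later, a good one
 * again. Layout and names are test fixtures only.
 */
public class SslCertReloadTest {
    private static final Logger log = LoggerFactory.getLogger(SslCertReloadTest.class);

    /** Password shared by every generated keystore, truststore and private key. */
    public static final String SSL_PASSWORD = "test1234";
    public static final String EXPECTED_200_MSG = "Response status must be 200.";

    // Fixture layout: three store directories plus the link the server is pointed at.
    private static final String DATA_LINK = "..data";
    private static final String TRUSTSTORE = "truststore.jks";
    private static final String CLIENT_KEYSTORE = "client-keystore.jks";
    private static final String SERVER_KEYSTORE = "server-keystore.jks";

    // Test-only certificate parameters, kept in one place so both keystore builders agree.
    private static final String KEY_ALGORITHM = "RSA";
    private static final int CERT_VALIDITY_DAYS = 30;
    // NOTE(review): SHA-1 certificate signatures are disabled by the certpath checks of newer
    // JDKs; if handshakes start failing on a JDK upgrade, "SHA256withRSA" is the likely fix —
    // confirm TestSslUtils.CertificateBuilder accepts it before switching.
    private static final String CERT_SIGNATURE_ALGORITHM = "SHA1withRSA";
    private static final String CERT_SUBJECT = "CN=mymachine.local, O=A client";

    private static final String SERVER_URL = "https://localhost:8082";
    private static final String TEST_URL = SERVER_URL + "/test";
    // The reload is asynchronous; poll up to 10 x 5 s per phase.
    private static final int RELOAD_POLL_ATTEMPTS = 10;
    private static final long RELOAD_POLL_INTERVAL_MS = 5000L;

    private File watchDir;
    private Path dataDir;
    private File trustStore;
    private File clientKeystore;
    private File serverKeystore;
    private File serverKeystoreErr;
    private Path serverKeystorePath;

    private static class SslTestApplication extends Application<TestRestConfig> {
        public SslTestApplication(TestRestConfig testRestConfig) {
            super(testRestConfig);
        }

        @Override
        public void setupResources(Configurable<?> configurable, TestRestConfig testRestConfig) {
            configurable.register(new SslTestResource());
        }
    }

    @Produces({"application/test.v1+json"})
    @javax.ws.rs.Path("/test")
    public static class SslTestResource {

        @Context
        HttpServletRequest request;

        public static class TestResponse {
            @JsonProperty
            public String getMessage() {
                return "foo";
            }
        }

        @GET
        public TestResponse hello() {
            return new TestResponse();
        }
    }

    /**
     * Creates the keystore/truststore fixture tree under a fresh temp directory.
     *
     * <p>"old" holds a valid client keystore, server keystore and truststore; "err" holds
     * the same client/trust stores but a server certificate whose SAN does not cover the
     * host; "new" is a full copy of "old". The top-level store names are relative symlinks
     * through {@code ..data}, so re-pointing that one link switches every store at once.
     *
     * @throws RuntimeException wrapping the {@link IOException} if any file cannot be created
     */
    @BeforeEach
    public void setUp() throws Exception {
        try {
            this.watchDir = Files.createTempDirectory("SslCertReloadTest").toFile();
            // NOTE(review): deleteOnExit only removes an empty directory, so the populated
            // tree is left behind — a walk-and-delete cleanup would be needed to remove it.
            this.watchDir.deleteOnExit();
            Path watchPath = Paths.get(this.watchDir.getAbsolutePath());
            this.dataDir = watchPath.resolve(DATA_LINK);

            // "old": the valid stores the server starts with.
            Path oldDir = Files.createDirectory(watchPath.resolve("old"));
            this.trustStore = Files.createFile(oldDir.resolve(TRUSTSTORE)).toFile();
            this.clientKeystore = Files.createFile(oldDir.resolve(CLIENT_KEYSTORE)).toFile();
            this.serverKeystore = Files.createFile(oldDir.resolve(SERVER_KEYSTORE)).toFile();
            Map<String, X509Certificate> trustedCerts = new HashMap<>();
            createKeystoreWithCert(this.clientKeystore, "client", trustedCerts);
            createKeystoreWithCert(this.serverKeystore, "server", trustedCerts);
            TestSslUtils.createTrustStore(
                    this.trustStore.getAbsolutePath(), new Password(SSL_PASSWORD), trustedCerts);

            // "err": same client/trust material, but a server cert with a non-matching SAN.
            Path errDir = Files.createDirectory(watchPath.resolve("err"));
            Files.copy(oldDir.resolve(TRUSTSTORE), errDir.resolve(TRUSTSTORE));
            Files.copy(oldDir.resolve(CLIENT_KEYSTORE), errDir.resolve(CLIENT_KEYSTORE));
            this.serverKeystoreErr = Files.createFile(errDir.resolve(SERVER_KEYSTORE)).toFile();
            createWrongKeystoreWithCert(this.serverKeystoreErr, "server", new HashMap<>());

            // "new": a complete copy of "old", used to recover from "err".
            Path newDir = Files.createDirectory(watchPath.resolve("new"));
            for (String storeName : new String[] {TRUSTSTORE, CLIENT_KEYSTORE, SERVER_KEYSTORE}) {
                Files.copy(oldDir.resolve(storeName), newDir.resolve(storeName));
            }

            // Top-level names resolve through the ..data link, which initially points at "old".
            Files.createSymbolicLink(watchPath.resolve(TRUSTSTORE), Paths.get(DATA_LINK, TRUSTSTORE));
            Files.createSymbolicLink(watchPath.resolve(CLIENT_KEYSTORE), Paths.get(DATA_LINK, CLIENT_KEYSTORE));
            this.serverKeystorePath = Files.createSymbolicLink(
                    watchPath.resolve(SERVER_KEYSTORE), Paths.get(DATA_LINK, SERVER_KEYSTORE));
            Files.createSymbolicLink(this.dataDir, Paths.get("old"));
        } catch (IOException e) {
            throw new RuntimeException("Unable to create temporary files for truststores and keystores.", e);
        }
    }

    /**
     * Writes a keystore holding a fresh self-signed certificate whose SAN is the shared test
     * host name, and records the certificate under {@code alias} for the truststore.
     */
    private void createKeystoreWithCert(File file, String alias, Map<String, X509Certificate> certs)
            throws Exception {
        createKeystoreWithSan(file, alias, SniHandlerIntegrationTest.KAFKA_REST_HOST, certs);
    }

    /**
     * Like {@link #createKeystoreWithCert} but with a SAN ("fail") that does not cover the
     * host the client connects to, so hostname verification rejects the certificate.
     */
    private void createWrongKeystoreWithCert(File file, String alias, Map<String, X509Certificate> certs)
            throws Exception {
        createKeystoreWithSan(file, alias, "fail", certs);
    }

    /**
     * Generates a key pair and self-signed certificate with the given SAN DNS name, stores
     * them in {@code file} under {@code alias} (keystore and key both locked with
     * {@link #SSL_PASSWORD}) and adds the certificate to {@code certs}.
     */
    private static void createKeystoreWithSan(
            File file, String alias, String sanDnsName, Map<String, X509Certificate> certs) throws Exception {
        KeyPair keyPair = TestSslUtils.generateKeyPair(KEY_ALGORITHM);
        X509Certificate cert = new TestSslUtils.CertificateBuilder(CERT_VALIDITY_DAYS, CERT_SIGNATURE_ALGORITHM)
                .sanDnsNames(sanDnsName)
                .generate(CERT_SUBJECT, keyPair);
        TestSslUtils.createKeyStore(
                file.getPath(), new Password(SSL_PASSWORD), new Password(SSL_PASSWORD),
                alias, keyPair.getPrivate(), cert);
        certs.put(alias, cert);
    }

    /**
     * Starts an HTTPS listener with keystore reload enabled, then swaps the watched
     * {@code ..data} link to a keystore with a bad certificate (requests must start failing)
     * and back to a good one (requests must succeed again).
     *
     * <p>Failures propagate: a setup or request exception is not logged away, so the test
     * cannot pass vacuously. The server is always stopped.
     */
    @Test
    public void testHttpsWithAutoReload() throws Exception {
        Properties properties = new Properties();
        properties.put("listeners", SERVER_URL);
        properties.put("metric.reporters", "io.confluent.rest.TestMetricsReporter");
        properties.put("ssl.keystore.location", this.serverKeystorePath.toString());
        properties.put("ssl.keystore.password", SSL_PASSWORD);
        properties.put("ssl.key.password", SSL_PASSWORD);
        properties.put("ssl.keystore.watch.location", this.dataDir.toString());
        properties.put("ssl.keystore.reload", "true");
        SslTestApplication app = new SslTestApplication(TestRestConfig.maprCompatible(properties));
        try {
            app.start();
            Assertions.assertEquals(200, makeClientRequest(), EXPECTED_200_MSG);

            // Remove the keystore currently in use and point the watched link at "err".
            Files.delete(this.serverKeystore.toPath());
            repointDataDir("err");
            Assertions.assertTrue(waitForRequestFailure(), "expect hit error with broken server cert");

            // Point the watched link at "new"; the server is expected to reload a good cert.
            Files.delete(this.serverKeystoreErr.toPath());
            repointDataDir("new");
            Assertions.assertTrue(waitForSuccessfulRequest(), "expect no hit error with correct server cert");
        } finally {
            app.stop();
        }
    }

    /** Replaces the {@code ..data} link so that it points at {@code targetDir}. */
    private void repointDataDir(String targetDir) throws IOException {
        Files.delete(this.dataDir);
        Files.createSymbolicLink(this.dataDir, Paths.get(targetDir));
    }

    /** GET {@code /test} over TLS using the fixture client keystore; returns the status code. */
    private int makeClientRequest() throws Exception {
        return makeGetRequest(TEST_URL, this.clientKeystore.getAbsolutePath(), SSL_PASSWORD, SSL_PASSWORD);
    }

    /**
     * Polls until a request throws or the attempts run out.
     *
     * @return {@code true} if a request failed with an exception (the reload took effect)
     */
    private boolean waitForRequestFailure() throws Exception {
        for (int attempt = 0; attempt < RELOAD_POLL_ATTEMPTS; attempt++) {
            Thread.sleep(RELOAD_POLL_INTERVAL_MS);
            try {
                makeClientRequest();
            } catch (Exception e) {
                log.info("Exception with broken server cert: {}", e.toString());
                return true;
            }
        }
        return false;
    }

    /**
     * Polls until a request succeeds or the attempts run out. A completed request with a
     * status other than 200 fails the test immediately.
     *
     * @return {@code true} if a request returned 200
     */
    private boolean waitForSuccessfulRequest() throws Exception {
        for (int attempt = 0; attempt < RELOAD_POLL_ATTEMPTS; attempt++) {
            Thread.sleep(RELOAD_POLL_INTERVAL_MS);
            try {
                int status = makeClientRequest();
                Assertions.assertEquals(200, status, EXPECTED_200_MSG);
                return true;
            } catch (Exception e) {
                log.info("Exception waiting for correct server cert: {}", e.toString());
            }
        }
        return false;
    }

    /**
     * Performs a GET and returns the HTTP status code.
     *
     * @param url                     target URL; plain {@code http://} uses a default client
     * @param clientKeystoreLocation  PKCS/JKS client keystore for mutual TLS, or {@code null}
     * @param clientKeystorePassword  keystore password (ignored when the location is null)
     * @param clientKeyPassword       private-key password (ignored when the location is null)
     * @throws Exception on connection, handshake or I/O failure
     */
    private int makeGetRequest(String url, String clientKeystoreLocation,
                               String clientKeystorePassword, String clientKeyPassword) throws Exception {
        log.debug("Making GET {}", url);
        HttpGet httpGet = new HttpGet(url);
        try (CloseableHttpClient client = newHttpClient(
                     url, clientKeystoreLocation, clientKeystorePassword, clientKeyPassword);
             CloseableHttpResponse response = client.execute(httpGet)) {
            return response.getStatusLine().getStatusCode();
        }
    }

    /**
     * Builds the client for {@code url}. For HTTPS the self-signed fixture certificates are
     * trusted, but the default hostname verifier is kept so a server certificate whose SAN
     * does not cover the host is still rejected; only TLSv1.2 is offered.
     */
    private static CloseableHttpClient newHttpClient(String url, String clientKeystoreLocation,
                                                     String clientKeystorePassword, String clientKeyPassword)
            throws Exception {
        if (url.startsWith("http://")) {
            return HttpClients.createDefault();
        }
        SSLContextBuilder sslContextBuilder = SSLContexts.custom().loadTrustMaterial(new TrustSelfSignedStrategy());
        if (clientKeystoreLocation != null) {
            sslContextBuilder.loadKeyMaterial(
                    new File(clientKeystoreLocation),
                    clientKeystorePassword.toCharArray(),
                    clientKeyPassword.toCharArray());
        }
        SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(
                sslContextBuilder.build(),
                new String[] {"TLSv1.2"},
                (String[]) null,
                SSLConnectionSocketFactory.getDefaultHostnameVerifier());
        return HttpClients.custom().setSSLSocketFactory(socketFactory).build();
    }
}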
