package io.confluent.rest;

import java.io.File;
import java.io.IOException;
import java.security.KeyPair;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Properties;
import javax.net.ssl.SSLContext;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.ws.rs.GET;
import javax.ws.rs.Path;
import javax.ws.rs.core.Configurable;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.ssl.SSLContexts;
import org.apache.kafka.common.config.types.Password;
import org.apache.kafka.test.TestSslUtils;
import org.eclipse.jetty.client.HttpClient;
import org.eclipse.jetty.client.api.ContentResponse;
import org.eclipse.jetty.security.AbstractLoginService;
import org.eclipse.jetty.security.ConstraintMapping;
import org.eclipse.jetty.security.ConstraintSecurityHandler;
import org.eclipse.jetty.security.ServerAuthException;
import org.eclipse.jetty.security.authentication.BasicAuthenticator;
import org.eclipse.jetty.server.Authentication;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.util.security.Constraint;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;

/* loaded from: input_file:io/confluent/rest/ErrorHandlerIntegrationTest.class */
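/**
 * Integration tests for how much detail the server's error pages disclose.
 *
 * <p>Two failure paths are exercised: an authenticator that throws an unexpected
 * {@link RuntimeException} (HTTP, status 500) and a request whose {@code Host} header is
 * expected to be rejected by the server's SNI check (HTTPS, status 400). For each path the tests
 * assert that the response body carries a stack trace ("caused by") only when
 * {@code suppress.stack.trace.response} is explicitly set to {@code "false"}, and that it does
 * not when the property is left unset. Stack traces in error bodies expose internal class names
 * and messages to unauthenticated callers, so the unset case is the one that guards against
 * information disclosure.
 *
 * <p>All key material, certificates and the shared {@link #SSL_PASSWORD} are throwaway test
 * fixtures generated per test run.
 */
public class ErrorHandlerIntegrationTest {
    private static final String DUMMY_EXCEPTION = "dummy exception";
    private static final String SUPPRESS_STACK_TRACE_CONFIG = "suppress.stack.trace.response";
    private static final String STACK_TRACE_MARKER = "caused by";
    private static final String SNI_MISMATCH_MESSAGE = "host does not match sni";
    private static final String TEST_PATH = "/test/path";
    private static final String MISMATCHED_HOST = "abc.com";
    private static final String HTTP = "http";
    private static final String HTTPS = "https";

    private Server server;
    private HttpClient httpClient;
    private Properties props;
    private File clientKeystore;

    /** Password protecting every generated test keystore, key and truststore. Test use only. */
    public static final String SSL_PASSWORD = "test1234";

    /**
     * Authenticator that always fails with an unchecked exception, simulating an unhandled
     * server-side error inside the authentication step.
     */
    private static class DummyAuthenticator extends BasicAuthenticator {
        private DummyAuthenticator() {
        }

        /**
         * Always throws; no credentials are ever inspected.
         *
         * @throws RuntimeException always, with {@link #DUMMY_EXCEPTION} as its message
         */
        @Override
        public Authentication validateRequest(ServletRequest servletRequest, ServletResponse servletResponse, boolean mandatory) throws ServerAuthException {
            throw new RuntimeException(ErrorHandlerIntegrationTest.DUMMY_EXCEPTION);
        }
    }

    /** Login service that knows no users and grants no roles. */
    private static class DummyLoginService extends AbstractLoginService {
        private DummyLoginService() {
        }

        /** Returns an empty role array for every principal. */
        @Override
        protected String[] loadRoleInfo(AbstractLoginService.UserPrincipal userPrincipal) {
            return new String[0];
        }

        /** Returns {@code null} for every user name, i.e. no user is ever found. */
        @Override
        protected AbstractLoginService.UserPrincipal loadUserInfo(String username) {
            return null;
        }
    }

    /**
     * Application under test: one resource, and a security handler that demands authentication
     * on every path and method but delegates it to {@link DummyAuthenticator}.
     */
    public static class TestApplication extends Application<TestRestConfig> {
        TestApplication(TestRestConfig testRestConfig) {
            super(testRestConfig);
        }

        /**
         * Registers {@link TestResource}. The erased bridge overload is generated by the
         * compiler, so it is not declared explicitly.
         */
        @Override
        public void setupResources(Configurable<?> configurable, TestRestConfig testRestConfig) {
            configurable.register(TestResource.class);
        }

        /**
         * Installs a constraint that requires authentication for all methods on {@code /*} and
         * wires in the always-throwing authenticator, so every request fails during
         * authentication.
         */
        @Override
        protected void configureSecurityHandler(ServletContextHandler servletContextHandler) {
            Constraint authRequired = new Constraint();
            authRequired.setAuthenticate(true);
            authRequired.setRoles(new String[]{"**"});

            ConstraintMapping everything = new ConstraintMapping();
            everything.setConstraint(authRequired);
            everything.setMethod("*");
            everything.setPathSpec("/*");

            ConstraintSecurityHandler securityHandler = new ConstraintSecurityHandler();
            securityHandler.addConstraintMapping(everything);
            securityHandler.setAuthenticator(new DummyAuthenticator());
            securityHandler.setLoginService(new DummyLoginService());
            servletContextHandler.setSecurityHandler(securityHandler);
        }
    }

    /** Minimal resource served at {@code /test/path}. */
    @Path("/test")
    public static class TestResource {
        @GET
        @Path("/path")
        public String path() {
            return "Ok";
        }
    }

    @BeforeEach
    public void setUp() {
        this.props = new Properties();
    }

    /**
     * Stops the client and the server. Either may be {@code null} if start-up failed part-way,
     * and the server is stopped even when stopping the client throws.
     */
    @AfterEach
    public void tearDown() throws Exception {
        try {
            if (this.httpClient != null) {
                this.httpClient.stop();
            }
        } finally {
            if (this.server != null) {
                this.server.stop();
                this.server.join();
            }
        }
    }

    /** With suppression switched off, the 500 body must expose the exception and its trace. */
    @Test
    public void test_http_unhandledServerExceptionDisplaysStackTraceForInvalidAuthentication() throws Exception {
        this.props.setProperty(SUPPRESS_STACK_TRACE_CONFIG, "false");
        startHttpServer(HTTP);
        startHttpClient(HTTP);
        ContentResponse response = this.httpClient.newRequest(this.server.getURI())
            .path(TEST_PATH)
            .accept(new String[]{"text/html"})
            .send();
        // Locale.ROOT keeps the comparison stable on JVMs whose default locale has special
        // case-mapping rules (e.g. Turkish dotless i).
        String body = response.getContentAsString().toLowerCase(Locale.ROOT);
        Assertions.assertEquals(500, response.getStatus());
        Assertions.assertTrue(body.contains(DUMMY_EXCEPTION));
        Assertions.assertTrue(body.contains(STACK_TRACE_MARKER));
    }

    /** With suppression switched off, the 400 SNI-mismatch body must include the trace. */
    @Test
    public void test_https_unhandledServerExceptionDisplaysStackTraceFor400SNICheck() throws Exception {
        this.props.setProperty(SUPPRESS_STACK_TRACE_CONFIG, "false");
        startHttpServer(HTTPS);
        startHttpClient(HTTPS);
        ContentResponse response = this.httpClient.newRequest(this.server.getURI())
            .path(TEST_PATH)
            .accept(new String[]{"text/html"})
            .header("Host", MISMATCHED_HOST)
            .send();
        String body = response.getContentAsString().toLowerCase(Locale.ROOT);
        Assertions.assertEquals(400, response.getStatus());
        Assertions.assertTrue(body.contains(SNI_MISMATCH_MESSAGE));
        Assertions.assertTrue(body.contains(STACK_TRACE_MARKER));
    }

    /**
     * With the property left unset, the 500 body must not leak the exception message or a
     * stack trace; only a generic "server error" text is expected.
     */
    @Test
    public void test_http_handledServerExceptionDoesNotDisplayStackTraceForInvalidAuthentication() throws Exception {
        startHttpServer(HTTP);
        startHttpClient(HTTP);
        ContentResponse response = this.httpClient.newRequest(this.server.getURI())
            .path(TEST_PATH)
            .accept(new String[]{"text/html"})
            .send();
        String body = response.getContentAsString().toLowerCase(Locale.ROOT);
        Assertions.assertEquals(500, response.getStatus());
        Assertions.assertFalse(body.contains(DUMMY_EXCEPTION));
        Assertions.assertFalse(body.contains(STACK_TRACE_MARKER));
        Assertions.assertTrue(body.contains("server error"));
    }

    /**
     * With the property left unset, the 400 SNI-mismatch body keeps its message but must not
     * include a stack trace.
     */
    @Test
    public void test_https_handledServerExceptionDoesNotDisplayStackTraceFor400SNICheck() throws Exception {
        startHttpServer(HTTPS);
        startHttpClient(HTTPS);
        ContentResponse response = this.httpClient.newRequest(this.server.getURI())
            .path(TEST_PATH)
            .accept(new String[]{"text/html"})
            .header("Host", MISMATCHED_HOST)
            .send();
        String body = response.getContentAsString().toLowerCase(Locale.ROOT);
        Assertions.assertEquals(400, response.getStatus());
        Assertions.assertTrue(body.contains(SNI_MISMATCH_MESSAGE));
        Assertions.assertFalse(body.contains(STACK_TRACE_MARKER));
    }

    /**
     * Creates and starts the Jetty client for the given scheme.
     *
     * <p>For {@code https} the client presents the generated client keystore and trusts
     * self-signed certificates. That trust strategy is acceptable only because the peer is the
     * in-process test server; it must not be copied into production clients.
     *
     * @param scheme {@code "http"} or {@code "https"}
     */
    private void startHttpClient(String scheme) throws Exception {
        // NOTE(review): this is a JVM-wide system property and is not restored after the test.
        System.setProperty("sun.net.http.allowRestrictedHeaders", "true");
        if (HTTPS.equals(scheme)) {
            SSLContextBuilder contextBuilder = SSLContexts.custom().loadTrustMaterial(new TrustSelfSignedStrategy());
            contextBuilder.loadKeyMaterial(
                this.clientKeystore.getAbsoluteFile(),
                SSL_PASSWORD.toCharArray(),
                SSL_PASSWORD.toCharArray());
            SSLContext sslContext = contextBuilder.build();

            SslContextFactory.Client clientFactory = new SslContextFactory.Client();
            clientFactory.setSNIProvider(SslContextFactory.Client.SniProvider.NON_DOMAIN_SNI_PROVIDER);
            clientFactory.setSslContext(sslContext);
            this.httpClient = new HttpClient(clientFactory);
        } else {
            this.httpClient = new HttpClient();
        }
        this.httpClient.start();
    }

    /**
     * Configures a listener on a free localhost port and starts the server. For {@code https}
     * it first generates client and server keystores plus a truststore holding both
     * certificates, and points the server configuration at them.
     *
     * @param scheme {@code "http"} or {@code "https"}
     * @throws RuntimeException if the temporary store files cannot be created
     */
    private void startHttpServer(String scheme) throws Exception {
        this.props.setProperty("listeners", scheme + "://localhost:" + TestUtils.getFreePort());
        if (HTTPS.equals(scheme)) {
            try {
                File trustStore = File.createTempFile("SslTest-truststore", ".jks");
                File serverKeystore = File.createTempFile("SslTest-server-keystore", ".jks");
                this.clientKeystore = File.createTempFile("SslTest-client-keystore", ".jks");
                // The stores hold private keys; do not leave them behind in the shared temp dir.
                trustStore.deleteOnExit();
                serverKeystore.deleteOnExit();
                this.clientKeystore.deleteOnExit();

                Map<String, X509Certificate> certs = new HashMap<>();
                createKeystoreWithCert(this.clientKeystore, "client", certs);
                createKeystoreWithCert(serverKeystore, "server", certs);
                TestSslUtils.createTrustStore(trustStore.getAbsolutePath(), new Password(SSL_PASSWORD), certs);
                configServerKeystore(this.props, serverKeystore);
                configServerTruststore(this.props, trustStore);
            } catch (IOException e) {
                // Keep the cause so a failing run shows why the temp files could not be created.
                throw new RuntimeException("Unable to create temporary files for trust stores and keystores.", e);
            }
        }
        this.server = new TestApplication(TestRestConfig.maprCompatible(this.props)).createServer();
        this.server.start();
    }

    /** Points the server's keystore settings at {@code file}, using {@link #SSL_PASSWORD}. */
    private void configServerKeystore(Properties properties, File file) {
        properties.put("ssl.keystore.location", file.getAbsolutePath());
        properties.put("ssl.keystore.password", SSL_PASSWORD);
        properties.put("ssl.key.password", SSL_PASSWORD);
    }

    /** Points the server's truststore settings at {@code file}, using {@link #SSL_PASSWORD}. */
    private void configServerTruststore(Properties properties, File file) {
        properties.put("ssl.truststore.location", file.getAbsolutePath());
        properties.put("ssl.truststore.password", SSL_PASSWORD);
    }

    /**
     * Generates an RSA key pair and a certificate for it, stores both in {@code file} under
     * {@code alias}, and records the certificate in {@code certs} for the truststore.
     *
     * @param file keystore file to write
     * @param alias keystore alias, also used as the key in {@code certs}
     * @param certs accumulator of alias-to-certificate entries
     */
    private void createKeystoreWithCert(File file, String alias, Map<String, X509Certificate> certs) throws Exception {
        KeyPair keyPair = TestSslUtils.generateKeyPair("RSA");
        // NOTE(review): SHA-1 signatures are deprecated for certificates. Tolerable here only
        // because this is throwaway test material; consider SHA256withRSA.
        X509Certificate certificate = new TestSslUtils.CertificateBuilder(30, "SHA1withRSA")
            .sanDnsNames(new String[]{SniHandlerIntegrationTest.KAFKA_REST_HOST})
            .generate("CN=mymachine.localhost, O=A client", keyPair);
        TestSslUtils.createKeyStore(
            file.getPath(),
            new Password(SSL_PASSWORD),
            new Password(SSL_PASSWORD),
            alias,
            keyPair.getPrivate(),
            certificate);
        certs.put(alias, certificate);
    }
}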
