package io.confluent.rest;

import com.fasterxml.jackson.annotation.JsonProperty;
import io.confluent.rest.annotations.PerformanceMetric;
import io.confluent.rest.mapr.test.MaprHomeSupport;
import io.confluent.rest.mapr.test.MaprTestLoginRule;
import java.io.File;
import java.io.IOException;
import java.net.SocketException;
import java.nio.file.Files;
import java.nio.file.StandardCopyOption;
import java.security.KeyPair;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Objects;
import java.util.Properties;
import javax.net.ssl.SSLException;
import javax.servlet.http.HttpServletRequest;
import javax.ws.rs.GET;
import javax.ws.rs.InternalServerErrorException;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.Configurable;
import javax.ws.rs.core.Context;
import org.apache.http.client.ClientProtocolException;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.ssl.SSLContexts;
import org.apache.kafka.common.config.types.Password;
import org.apache.kafka.common.metrics.KafkaMetric;
import org.apache.kafka.test.TestSslUtils;
import org.junit.Rule;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/rest/SslTest.class */
public class SslTest {
    private static final Logger log;
    private File trustStore;
    private File clientKeystore;
    private File serverKeystore;
    private File serverKeystoreBak;
    private File serverKeystoreErr;
    public static final String SSL_PASSWORD = "test1234";
    public static final String EXPECTED_200_MSG = "Response status must be 200.";
    public static final String EXPECTED_500_MSG = "Response status must be 500.";
    public static final int CERT_RELOAD_WAIT_TIME = 20000;

    @Rule
    public final MaprTestLoginRule loginRule = MaprTestLoginRule.forHadoopSimpleAndJpam();

    /* loaded from: input_file:io/confluent/rest/SslTest$SslTestApplication.class */
    private static class SslTestApplication extends Application<TestRestConfig> {
        public SslTestApplication(TestRestConfig testRestConfig) {
            super(testRestConfig);
        }

        public void setupResources(Configurable<?> configurable, TestRestConfig testRestConfig) {
            configurable.register(new SslTestResource());
        }

        public Map<String, String> getMetricsTags() {
            LinkedHashMap linkedHashMap = new LinkedHashMap();
            linkedHashMap.put("instance-id", "1");
            return linkedHashMap;
        }

        public /* bridge */ /* synthetic */ void setupResources(Configurable configurable, RestConfig restConfig) {
            setupResources((Configurable<?>) configurable, (TestRestConfig) restConfig);
        }
    }

    @Produces({"application/test.v1+json"})
    @Path("/test")
    /* loaded from: input_file:io/confluent/rest/SslTest$SslTestResource.class */
    public static class SslTestResource {

        @Context
        HttpServletRequest request;

        /* loaded from: input_file:io/confluent/rest/SslTest$SslTestResource$TestResponse.class */
        public static class TestResponse {
            @JsonProperty
            public String getMessage() {
                return "foo";
            }
        }

        @GET
        @PerformanceMetric("test")
        public TestResponse hello() {
            return new TestResponse();
        }

        @GET
        @Path("/http-only")
        @PerformanceMetric("http-only")
        public TestResponse httpOnly() {
            if (Objects.equals(this.request.getScheme(), "http")) {
                return new TestResponse();
            }
            throw new InternalServerErrorException("Got request on HTTP-only endpoint via non-http protocol");
        }

        @GET
        @Path("/https-only")
        @PerformanceMetric("https-only")
        public TestResponse httpsOnly() {
            if (Objects.equals(this.request.getScheme(), "https")) {
                return new TestResponse();
            }
            throw new InternalServerErrorException("Got request on HTTPS-only endpoint via non-https protocol");
        }
    }

    @BeforeEach
    public void setUp() throws Exception {
        try {
            this.trustStore = File.createTempFile("SslTest-truststore", ".jks");
            this.clientKeystore = File.createTempFile("SslTest-client-keystore", ".jks");
            this.serverKeystore = File.createTempFile("SslTest-server-keystore", ".jks");
            this.serverKeystoreBak = File.createTempFile("SslTest-server-keystore", ".jks.bak");
            this.serverKeystoreErr = File.createTempFile("SslTest-server-keystore", ".jks.err");
            HashMap hashMap = new HashMap();
            createKeystoreWithCert(this.clientKeystore, "client", hashMap);
            createKeystoreWithCert(this.serverKeystore, "server", hashMap);
            TestSslUtils.createTrustStore(this.trustStore.getAbsolutePath(), new Password("test1234"), hashMap);
            Files.copy(this.serverKeystore.toPath(), this.serverKeystoreBak.toPath(), StandardCopyOption.REPLACE_EXISTING);
            createWrongKeystoreWithCert(this.serverKeystoreErr, "server", new HashMap());
        } catch (IOException e) {
            throw new RuntimeException("Unable to create temporary files for trust stores and keystores.");
        }
    }

    private void createKeystoreWithCert(File file, String str, Map<String, X509Certificate> map) throws Exception {
        KeyPair generateKeyPair = TestSslUtils.generateKeyPair("RSA");
        X509Certificate generate = new TestSslUtils.CertificateBuilder(30, "SHA1withRSA").sanDnsNames(new String[]{SniHandlerIntegrationTest.KAFKA_REST_HOST}).generate("CN=mymachine.local, O=A client", generateKeyPair);
        TestSslUtils.createKeyStore(file.getPath(), new Password("test1234"), new Password("test1234"), str, generateKeyPair.getPrivate(), generate);
        map.put(str, generate);
    }

    private void configServerKeystore(Properties properties) {
        properties.put("ssl.keystore.location", this.serverKeystore.getAbsolutePath());
        properties.put("ssl.keystore.password", "test1234");
        properties.put("ssl.key.password", "test1234");
    }

    private void configServerTruststore(Properties properties) {
        properties.put("ssl.truststore.location", this.trustStore.getAbsolutePath());
        properties.put("ssl.truststore.password", "test1234");
    }

    private void enableSslClientAuth(Properties properties) {
        properties.put("ssl.client.authentication", "REQUIRED");
    }

    private void createWrongKeystoreWithCert(File file, String str, Map<String, X509Certificate> map) throws Exception {
        KeyPair generateKeyPair = TestSslUtils.generateKeyPair("RSA");
        X509Certificate generate = new TestSslUtils.CertificateBuilder(30, "SHA1withRSA").sanDnsNames(new String[]{"fail"}).generate("CN=mymachine.local, O=A client", generateKeyPair);
        TestSslUtils.createKeyStore(file.getPath(), new Password("test1234"), new Password("test1234"), str, generateKeyPair.getPrivate(), generate);
        map.put(str, generate);
    }

    @Test
    public void testHttpAndHttps() throws Exception {
        TestMetricsReporter.reset();
        Properties properties = new Properties();
        properties.put("listeners", "http://localhost:8080,https://localhost:8081");
        properties.put("metric.reporters", "io.confluent.rest.TestMetricsReporter");
        configServerKeystore(properties);
        SslTestApplication sslTestApplication = new SslTestApplication(TestRestConfig.clean(properties));
        try {
            sslTestApplication.start();
            Assertions.assertEquals(200, makeGetRequest("http://localhost:8080/test"), "Response status must be 200.");
            Assertions.assertEquals(200, makeGetRequest("https://localhost:8081/test", this.clientKeystore.getAbsolutePath(), "test1234", "test1234"), "Response status must be 200.");
            assertMetricsCollected();
            sslTestApplication.stop();
        } catch (Throwable th) {
            sslTestApplication.stop();
            throw th;
        }
    }

    @Test
    public void testServerSideHttpAndHttpsResolution() throws Exception {
        TestMetricsReporter.reset();
        Properties properties = new Properties();
        properties.put("listeners", "http://localhost:8080,https://localhost:8081");
        properties.put("metric.reporters", "io.confluent.rest.TestMetricsReporter");
        configServerKeystore(properties);
        SslTestApplication sslTestApplication = new SslTestApplication(TestRestConfig.maprCompatible(properties));
        try {
            sslTestApplication.start();
            Assertions.assertEquals(200, makeGetRequest("http://localhost:8080/test/http-only"), "Response status must be 200.");
            Assertions.assertEquals(500, makeGetRequest("http://localhost:8080/test/https-only"), EXPECTED_500_MSG);
            Assertions.assertEquals(200, makeGetRequest("https://localhost:8081/test/https-only", this.clientKeystore.getAbsolutePath(), "test1234", "test1234"), "Response status must be 200.");
            Assertions.assertEquals(500, makeGetRequest("https://localhost:8081/test/http-only", this.clientKeystore.getAbsolutePath(), "test1234", "test1234"), EXPECTED_500_MSG);
            assertMetricsCollected();
            sslTestApplication.stop();
        } catch (Throwable th) {
            sslTestApplication.stop();
            throw th;
        }
    }

    @Test
    public void testHttpsOnly() throws Exception {
        TestMetricsReporter.reset();
        Properties properties = new Properties();
        properties.put("listeners", "https://localhost:8080");
        properties.put("metric.reporters", "io.confluent.rest.TestMetricsReporter");
        configServerKeystore(properties);
        SslTestApplication sslTestApplication = new SslTestApplication(TestRestConfig.clean(properties));
        try {
            sslTestApplication.start();
            Assertions.assertEquals(200, makeGetRequest("https://localhost:8080/test", this.clientKeystore.getAbsolutePath(), "test1234", "test1234"), "Response status must be 200.");
            assertMetricsCollected();
            Assertions.assertThrows(ClientProtocolException.class, () -> {
                makeGetRequest("http://localhost:8080/test");
            });
            sslTestApplication.stop();
        } catch (Throwable th) {
            sslTestApplication.stop();
            throw th;
        }
    }

    @Test
    public void testHttpOnly() throws Exception {
        TestMetricsReporter.reset();
        Properties properties = new Properties();
        properties.put("listeners", "http://localhost:8080");
        properties.put("metric.reporters", "io.confluent.rest.TestMetricsReporter");
        SslTestApplication sslTestApplication = new SslTestApplication(TestRestConfig.clean(properties));
        try {
            sslTestApplication.start();
            Assertions.assertEquals(200, makeGetRequest("http://localhost:8080/test"), "Response status must be 200.");
            assertMetricsCollected();
            Assertions.assertThrows(SSLException.class, () -> {
                makeGetRequest("https://localhost:8080/test", this.clientKeystore.getAbsolutePath(), "test1234", "test1234");
            });
            sslTestApplication.stop();
        } catch (Throwable th) {
            sslTestApplication.stop();
            throw th;
        }
    }

    private void assertMetricsCollected() {
        Assertions.assertNotEquals(0, TestMetricsReporter.getMetricTimeseries().size(), "Expected to have metrics.");
        for (KafkaMetric kafkaMetric : TestMetricsReporter.getMetricTimeseries()) {
            if (kafkaMetric.metricName().name().equals("request-latency-max")) {
                Object metricValue = kafkaMetric.metricValue();
                Assertions.assertTrue(metricValue instanceof Double, "Request latency metrics should be measurable");
                Assertions.assertNotEquals(0.0d, ((Double) metricValue).doubleValue(), "Metrics should be collected (max latency shouldn't be 0)");
            }
        }
    }

    @Test
    public void testHttpsWithNoClientCertAndNoServerTruststore() throws Exception {
        Properties properties = new Properties();
        properties.put("listeners", "https://localhost:8080");
        configServerKeystore(properties);
        SslTestApplication sslTestApplication = new SslTestApplication(TestRestConfig.clean(properties));
        try {
            sslTestApplication.start();
            Assertions.assertEquals(200, makeGetRequest("https://localhost:8080/test"), "Response status must be 200.");
            sslTestApplication.stop();
        } catch (Throwable th) {
            sslTestApplication.stop();
            throw th;
        }
    }

    @Test
    public void testHttpsWithAuthAndBadClientCert() throws Exception {
        Properties properties = new Properties();
        String str = "https://localhost:8080";
        properties.put("listeners", "https://localhost:8080");
        configServerKeystore(properties);
        configServerTruststore(properties);
        enableSslClientAuth(properties);
        SslTestApplication sslTestApplication = new SslTestApplication(TestRestConfig.clean(properties));
        Assertions.assertThrows(SocketException.class, () -> {
            try {
                sslTestApplication.start();
                File createTempFile = File.createTempFile("SslTest-client-keystore", ".jks");
                createKeystoreWithCert(createTempFile, "client", new HashMap());
                try {
                    makeGetRequest(str + "/test", createTempFile.getAbsolutePath(), "test1234", "test1234");
                } catch (SSLException e) {
                    throw new SocketException(e.getMessage());
                }
            } finally {
                sslTestApplication.stop();
            }
        });
    }

    @Test
    public void testHttpsWithAuthAndNoClientCert() throws Exception {
        Properties properties = new Properties();
        String str = "https://localhost:8080";
        properties.put("listeners", "https://localhost:8080");
        configServerKeystore(properties);
        configServerTruststore(properties);
        enableSslClientAuth(properties);
        SslTestApplication sslTestApplication = new SslTestApplication(TestRestConfig.clean(properties));
        Assertions.assertThrows(SocketException.class, () -> {
            try {
                sslTestApplication.start();
                try {
                    makeGetRequest(str + "/test");
                } catch (SSLException e) {
                    throw new SocketException(e.toString());
                }
            } finally {
                sslTestApplication.stop();
            }
        });
    }

    private int makeGetRequest(String str, String str2, String str3, String str4) throws Exception {
        CloseableHttpClient build;
        log.debug("Making GET " + str);
        HttpGet httpGet = new HttpGet(str);
        if (str.startsWith("http://")) {
            build = HttpClients.createDefault();
        } else {
            SSLContextBuilder loadTrustMaterial = SSLContexts.custom().loadTrustMaterial(new TrustSelfSignedStrategy());
            if (str2 != null) {
                loadTrustMaterial.loadKeyMaterial(new File(str2), str3.toCharArray(), str4.toCharArray());
            }
            build = HttpClients.custom().setSSLSocketFactory(new SSLConnectionSocketFactory(loadTrustMaterial.build(), new String[]{"TLSv1.2"}, (String[]) null, SSLConnectionSocketFactory.getDefaultHostnameVerifier())).build();
        }
        CloseableHttpResponse closeableHttpResponse = null;
        try {
            closeableHttpResponse = build.execute(httpGet);
            int statusCode = closeableHttpResponse.getStatusLine().getStatusCode();
            if (closeableHttpResponse != null) {
                closeableHttpResponse.close();
            }
            build.close();
            return statusCode;
        } catch (Throwable th) {
            if (closeableHttpResponse != null) {
                closeableHttpResponse.close();
            }
            build.close();
            throw th;
        }
    }

    private int makeGetRequest(String str) throws Exception {
        return makeGetRequest(str, null, null, null);
    }

    static {
        MaprHomeSupport.activate();
        log = LoggerFactory.getLogger(SslTest.class);
    }
}
