package org.apache.kafka.common.security.authenticator;

import java.io.IOException;
import java.net.InetSocketAddress;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import org.apache.kafka.common.errors.AuthenticationException;
import org.apache.kafka.common.errors.SaslAuthenticationException;
import org.apache.kafka.common.network.CertStores;
import org.apache.kafka.common.network.ChannelBuilder;
import org.apache.kafka.common.network.ChannelBuilders;
import org.apache.kafka.common.network.ChannelState;
import org.apache.kafka.common.network.ListenerName;
import org.apache.kafka.common.network.NetworkTestUtils;
import org.apache.kafka.common.network.NioEchoServer;
import org.apache.kafka.common.network.Selector;
import org.apache.kafka.common.security.JaasContext;
import org.apache.kafka.common.security.TestSecurityConfig;
import org.apache.kafka.common.security.auth.SecurityProtocol;
import org.apache.kafka.common.security.authenticator.SaslAuthenticatorTest;
import org.apache.kafka.common.security.authenticator.TestDigestLoginModule;
import org.apache.kafka.common.utils.LogContext;
import org.apache.kafka.common.utils.MockTime;
import org.apache.kafka.test.TestUtils;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;

/* loaded from: input_file:org/apache/kafka/common/security/authenticator/SaslAuthenticatorFailureDelayTest.class */
public abstract class SaslAuthenticatorFailureDelayTest {
    private static final int BUFFER_SIZE = 4096;
    private final MockTime time = new MockTime(1);
    private NioEchoServer server;
    private Selector selector;
    private ChannelBuilder channelBuilder;
    private CertStores serverCertStores;
    private CertStores clientCertStores;
    private Map<String, Object> saslClientConfigs;
    private Map<String, Object> saslServerConfigs;
    private CredentialCache credentialCache;
    private long startTimeMs;
    private final int failedAuthenticationDelayMs;

    public SaslAuthenticatorFailureDelayTest(int i) {
        this.failedAuthenticationDelayMs = i;
    }

    @BeforeEach
    public void setup() throws Exception {
        LoginManager.closeAll();
        this.serverCertStores = new CertStores(true, "localhost");
        this.clientCertStores = new CertStores(false, "localhost");
        this.saslServerConfigs = this.serverCertStores.getTrustingConfig(this.clientCertStores);
        this.saslClientConfigs = this.clientCertStores.getTrustingConfig(this.serverCertStores);
        this.credentialCache = new CredentialCache();
        SaslAuthenticatorTest.TestLogin.loginCount.set(0);
        this.startTimeMs = this.time.milliseconds();
    }

    @AfterEach
    public void teardown() throws Exception {
        long milliseconds = this.time.milliseconds();
        if (this.server != null) {
            this.server.close();
        }
        if (this.selector != null) {
            this.selector.close();
        }
        Assertions.assertTrue(milliseconds - this.startTimeMs >= ((long) this.failedAuthenticationDelayMs), "timeSpent: " + (milliseconds - this.startTimeMs));
    }

    @Test
    public void testInvalidPasswordSaslPlain() throws Exception {
        SecurityProtocol securityProtocol = SecurityProtocol.SASL_SSL;
        configureMechanisms("PLAIN", Arrays.asList("PLAIN")).setClientOptions("PLAIN", "myuser", "invalidpassword");
        this.server = createEchoServer(securityProtocol);
        createAndCheckClientAuthenticationFailure(securityProtocol, "0", "PLAIN", "Authentication failed: Invalid username or password");
        this.server.verifyAuthenticationMetrics(0, 1);
    }

    @Test
    public void testInvalidPasswordSaslScram() throws Exception {
        SecurityProtocol securityProtocol = SecurityProtocol.SASL_SSL;
        configureMechanisms("SCRAM-SHA-256", Collections.singletonList("SCRAM-SHA-256")).setClientOptions("SCRAM-SHA-256", "myuser", "invalidpassword");
        this.server = createEchoServer(securityProtocol);
        createAndCheckClientAuthenticationFailure(securityProtocol, "0", "SCRAM-SHA-256", null);
        this.server.verifyAuthenticationMetrics(0, 1);
    }

    @Test
    public void testDisabledSaslMechanism() throws Exception {
        SecurityProtocol securityProtocol = SecurityProtocol.SASL_SSL;
        configureMechanisms("SCRAM-SHA-256", Collections.singletonList("SCRAM-SHA-256")).setClientOptions("PLAIN", "myuser", "invalidpassword");
        this.server = createEchoServer(securityProtocol);
        createAndCheckClientAuthenticationFailure(securityProtocol, "0", "SCRAM-SHA-256", null);
        this.server.verifyAuthenticationMetrics(0, 1);
    }

    @Test
    public void testClientConnectionClose() throws Exception {
        SecurityProtocol securityProtocol = SecurityProtocol.SASL_SSL;
        configureMechanisms("PLAIN", Arrays.asList("PLAIN")).setClientOptions("PLAIN", "myuser", "invalidpassword");
        this.server = createEchoServer(securityProtocol);
        createClientConnection(securityProtocol, "0");
        Map<?, ?> delayedClosingChannels = NetworkTestUtils.delayedClosingChannels(this.server.selector());
        TestUtils.waitForCondition(() -> {
            poll(this.selector);
            return !this.server.selector().channels().isEmpty();
        }, "Timeout waiting for connection");
        TestUtils.waitForCondition(() -> {
            poll(this.selector);
            return this.failedAuthenticationDelayMs == 0 || !delayedClosingChannels.isEmpty();
        }, "Timeout waiting for auth failure");
        this.selector.close();
        this.selector = null;
        TestUtils.waitForCondition(() -> {
            return this.failedAuthenticationDelayMs == 0 || delayedClosingChannels.isEmpty();
        }, "Timeout waiting for delayed response remove");
        TestUtils.waitForCondition(() -> {
            return this.server.selector().channels().isEmpty();
        }, "Timeout waiting for connection close");
        TestUtils.waitForCondition(() -> {
            return this.time.milliseconds() > (this.startTimeMs + ((long) this.failedAuthenticationDelayMs)) + 1;
        }, "Timeout when waiting for auth failure response timeout to elapse");
        NetworkTestUtils.completeDelayedChannelClose(this.server.selector(), this.time.nanoseconds());
    }

    private void poll(Selector selector) {
        try {
            selector.poll(50L);
        } catch (IOException e) {
            throw new RuntimeException("Unexpected failure during selector poll", e);
        }
    }

    private TestJaasConfig configureMechanisms(String str, List<String> list) {
        this.saslClientConfigs.put("sasl.mechanism", str);
        this.saslServerConfigs.put("sasl.enabled.mechanisms", list);
        if (list.contains("DIGEST-MD5")) {
            this.saslServerConfigs.put("digest-md5.sasl.server.callback.handler.class", TestDigestLoginModule.DigestServerCallbackHandler.class.getName());
        }
        return TestJaasConfig.createConfiguration(str, list);
    }

    private void createSelector(SecurityProtocol securityProtocol, Map<String, Object> map) {
        if (this.selector != null) {
            this.selector.close();
            this.selector = null;
        }
        this.channelBuilder = ChannelBuilders.clientChannelBuilder(securityProtocol, JaasContext.Type.CLIENT, new TestSecurityConfig(map), (ListenerName) null, (String) this.saslClientConfigs.get("sasl.mechanism"), this.time, true, new LogContext());
        this.selector = NetworkTestUtils.createSelector(this.channelBuilder, this.time);
    }

    private NioEchoServer createEchoServer(SecurityProtocol securityProtocol) throws Exception {
        return createEchoServer(ListenerName.forSecurityProtocol(securityProtocol), securityProtocol);
    }

    private NioEchoServer createEchoServer(ListenerName listenerName, SecurityProtocol securityProtocol) throws Exception {
        return NetworkTestUtils.createEchoServer(listenerName, securityProtocol, new TestSecurityConfig(this.saslServerConfigs), this.credentialCache, this.time);
    }

    private void createClientConnection(SecurityProtocol securityProtocol, String str) throws Exception {
        createSelector(securityProtocol, this.saslClientConfigs);
        this.selector.connect(str, new InetSocketAddress("127.0.0.1", this.server.port()), BUFFER_SIZE, BUFFER_SIZE);
    }

    private void createAndCheckClientAuthenticationFailure(SecurityProtocol securityProtocol, String str, String str2, String str3) throws Exception {
        AuthenticationException exception = createAndCheckClientConnectionFailure(securityProtocol, str).exception();
        Assertions.assertTrue(exception instanceof SaslAuthenticationException, "Invalid exception class " + exception.getClass());
        if (str3 == null) {
            str3 = "Authentication failed during authentication due to invalid credentials with SASL mechanism " + str2;
        }
        Assertions.assertEquals(str3, exception.getMessage());
    }

    private ChannelState createAndCheckClientConnectionFailure(SecurityProtocol securityProtocol, String str) throws Exception {
        createClientConnection(securityProtocol, str);
        ChannelState waitForChannelClose = NetworkTestUtils.waitForChannelClose(this.selector, str, ChannelState.State.AUTHENTICATION_FAILED);
        this.selector.close();
        this.selector = null;
        return waitForChannelClose;
    }
}
