package io.confluent.kafka.multitenant.integration.test;

import io.confluent.kafka.multitenant.Utils;
import io.confluent.kafka.multitenant.integration.cluster.LogicalCluster;
import io.confluent.kafka.multitenant.integration.cluster.PhysicalCluster;
import io.confluent.kafka.security.audit.event.ConfluentAuthenticationEvent;
import io.confluent.kafka.security.authorizer.MockAuditLogProvider;
import java.io.IOException;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.util.Properties;
import java.util.concurrent.TimeUnit;
import kafka.server.KafkaConfig$;
import org.apache.kafka.common.errors.SslAuthenticationException;
import org.apache.kafka.common.security.auth.SecurityProtocol;
import org.apache.kafka.common.utils.Time;
import org.apache.kafka.server.audit.AuditEventStatus;
import org.apache.kafka.test.TestUtils;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Tag;
import org.junit.jupiter.api.Test;

@Tag("integration")
/* loaded from: input_file:io/confluent/kafka/multitenant/integration/test/SslCertificateIntegrationTest.class */
public class SslCertificateIntegrationTest {
    private static final Long TEST_CACHE_RELOAD_DELAY_MS = Long.valueOf(TimeUnit.SECONDS.toMillis(5));
    private static final String SSL_CERTS_DIR = "mnt/sslcerts/";
    private static final String SSL_CERTS_MAY_URL = "/cert_exp_may";
    private Path tempDir;
    private IntegrationTestHarness testHarness;
    private String brokerUUID;
    private LogicalCluster logicalCluster1;
    private LogicalCluster logicalCluster2;
    protected Time time;

    @BeforeEach
    public void setUp() throws Exception {
        this.tempDir = TestUtils.tempDirectory().toPath();
        MockAuditLogProvider.reset();
        Utils.createLogicalClusterFile(Utils.LC_META_ABC, this.tempDir);
        Utils.createLogicalClusterFile(Utils.LC_META_XYZ, this.tempDir);
        Utils.syncCerts(this.tempDir, getClass().getResource(SSL_CERTS_MAY_URL), SSL_CERTS_DIR);
        this.testHarness = new IntegrationTestHarness();
        PhysicalCluster start = this.testHarness.start(brokerProps());
        this.logicalCluster1 = start.createLogicalCluster("tenantA", 100, 9, 11, 12);
        this.logicalCluster2 = start.createLogicalCluster("tenantB", 200, 9, 21, 22);
    }

    @AfterEach
    public void tearDown() throws Exception {
        this.testHarness.shutdown();
    }

    private Properties brokerProps() throws IOException {
        this.brokerUUID = "uuid";
        Properties properties = new Properties();
        properties.put(KafkaConfig$.MODULE$.BrokerSessionUuidProp(), this.brokerUUID);
        properties.put("multitenant.metadata.dir", this.tempDir.toRealPath(new LinkOption[0]).toString());
        properties.put("multitenant.metadata.class", "io.confluent.kafka.multitenant.PhysicalClusterMetadata");
        properties.put("multitenant.metadata.reload.delay.ms", TEST_CACHE_RELOAD_DELAY_MS);
        properties.put("listeners", "INTERNAL://localhost:0, SSL://localhost:0");
        properties.put("advertised.listeners", "INTERNAL://localhost:0, SSL://localhost:0");
        properties.put("listener.security.protocol.map", "INTERNAL:PLAINTEXT, SSL:SSL");
        properties.put("ssl.keystore.location", this.tempDir.toRealPath(new LinkOption[0]) + "/" + SSL_CERTS_DIR + "/pkcs.p12");
        properties.put("ssl.keystore.password", "mystorepassword");
        properties.put("ssl.keystore.type", "PKCS12");
        properties.put("ssl.endpoint.identification.algorithm", "");
        properties.put("confluent.security.event.logger.authentication.enable", "true");
        properties.put(MockAuditLogProvider.AUDIT_PROVIDER_CONFIG, "TEST");
        return properties;
    }

    @Test
    public void testProduceConsumeFailsOnExpiredCertificateSync() {
        Assertions.assertThrows(SslAuthenticationException.class, () -> {
            this.testHarness.produceConsume(this.logicalCluster1.user(11), this.logicalCluster2.user(21), "testtopic", "group", 0, SecurityProtocol.SSL);
        });
        ConfluentAuthenticationEvent lastAuthenticationEntry = MockAuditLogProvider.getInstance(this.brokerUUID).lastAuthenticationEntry();
        Assertions.assertFalse(lastAuthenticationEntry.principal().isPresent());
        Assertions.assertEquals(AuditEventStatus.UNKNOWN_USER_DENIED, lastAuthenticationEntry.status());
        Assertions.assertTrue(lastAuthenticationEntry.authenticationException().isPresent());
    }
}
