package io.confluent.kafka.server.plugins.ssl;

import io.confluent.kafka.multitenant.MultiTenantRequestContextTest;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import javax.net.ssl.X509ExtendedTrustManager;
import kafka.server.ssl.CertificateIdsJsonConfig;
import org.apache.kafka.test.TestSslUtils;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;

/* loaded from: input_file:io/confluent/kafka/server/plugins/ssl/ConfluentTrustManagerTest.class */
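/**
 * Tests for {@link ConfluentTrustManager}: subject-alternative-name extraction, detection of
 * Confluent-issued client certificates, client chain verification and parsing of the
 * revoked-certificate-id broker configuration.
 *
 * <p>{@link #setUp()} generates three test certificates and registers their issuer/serial
 * pairs as revoked under {@code confluent.security.revoked.certificate.ids}, so that
 * {@link #testVerifyCertsFails()} can check that a revoked certificate is rejected even though
 * its subject would otherwise be accepted.
 *
 * <p>Members are {@code protected} so a subclass can supply a differently configured trust
 * manager via {@link #createTrustManager()}.
 */
public class ConfluentTrustManagerTest {
    protected static final String CN = "*.us-west-2.aws.confluent.cloud";
    protected static final String OTHER_CN = "*.us-west-1.aws.confluent.cloud";
    protected static final String[] SUBJECT_ALT_DNS_NAMES = {"*.us-west-1.aws.devel.cpdev.cloud", "*.us-west-2.aws.devel.cpdev.cloud"};
    /** Broker config key holding the JSON list of revoked (issuer, serial numbers) entries. */
    private static final String REVOKED_CERT_IDS_CONFIG = "confluent.security.revoked.certificate.ids";
    /** Message of the {@link CertificateException} expected when no trusted client cert is found. */
    private static final String NO_TRUSTED_CERT_MESSAGE = "A trusted client certificate not found";
    protected Map<String, String> brokerConfigs = new HashMap<>();
    protected ConfluentTrustManager trustManager;
    private X509Certificate revokedCert1;
    private X509Certificate revokedCert2;
    private X509Certificate revokedCert3;

    /**
     * Builds the three revoked test certificates, publishes them in the broker config and
     * creates the trust manager under test.
     *
     * @throws Exception if certificate generation fails
     */
    @BeforeEach
    public void setUp() throws Exception {
        this.revokedCert1 = buildCert(CN, SUBJECT_ALT_DNS_NAMES);
        this.revokedCert2 = buildCert(CN, SUBJECT_ALT_DNS_NAMES);
        this.revokedCert3 = buildCert(OTHER_CN, SUBJECT_ALT_DNS_NAMES);
        // Certs 1 and 2 are listed under cert 1's issuer name (they are expected to share an
        // issuer — confirm against TestSslUtils.CertificateBuilder if this ever breaks).
        CertificateIdsJsonConfig sharedIssuerEntry = new CertificateIdsJsonConfig(
                this.revokedCert1.getIssuerX500Principal().getName(),
                Arrays.asList(hexSerial(this.revokedCert1), hexSerial(this.revokedCert2)));
        // Cert 3 is listed under a lower-cased issuer name; testVerifyCertsFails still expects it
        // to be rejected, so issuer matching is presumably case-insensitive.
        CertificateIdsJsonConfig lowerCaseIssuerEntry = new CertificateIdsJsonConfig(
                this.revokedCert3.getIssuerX500Principal().getName().toLowerCase(Locale.ROOT),
                Collections.singletonList(hexSerial(this.revokedCert3)));
        this.brokerConfigs.put(REVOKED_CERT_IDS_CONFIG,
                CertificateIdsJsonConfig.toJson(new CertificateIdsJsonConfig[]{sharedIssuerEntry, lowerCaseIssuerEntry}));
        createTrustManager();
    }

    /**
     * Creates the trust manager under test from {@link #brokerConfigs} with no delegate trust
     * manager. Subclasses may override to test a different configuration.
     */
    protected void createTrustManager() {
        this.trustManager = new ConfluentTrustManager(this.brokerConfigs, (X509ExtendedTrustManager) null);
    }

    /** A certificate without SAN entries yields an empty subject-alternative-name list. */
    @Test
    public void testEmptySubjectAltNames() throws Exception {
        Assertions.assertTrue(this.trustManager.getSubjectAltNames(buildCert(CN, new String[0])).isEmpty());
    }

    /** Every DNS SAN placed in the certificate is reported back by getSubjectAltNames. */
    @Test
    public void testGetSubjectAltNames() throws Exception {
        List<?> subjectAltNames = this.trustManager.getSubjectAltNames(buildCert(CN, SUBJECT_ALT_DNS_NAMES));
        for (String dnsName : SUBJECT_ALT_DNS_NAMES) {
            Assertions.assertTrue(subjectAltNames.contains(dnsName), "missing SAN " + dnsName);
        }
    }

    /**
     * A certificate counts as a Confluent cert only when at least one SAN is a Confluent
     * DNS name; the CN alone is not enough and a localhost-only SAN does not qualify.
     */
    @Test
    public void testIsConfluentCert() throws Exception {
        Assertions.assertTrue(this.trustManager.isConfluentCert(buildCert(CN, SUBJECT_ALT_DNS_NAMES)));
        Assertions.assertTrue(this.trustManager.isConfluentCert(buildCert(CN, MultiTenantRequestContextTest.LOCALHOST, SUBJECT_ALT_DNS_NAMES[0])));
        Assertions.assertFalse(this.trustManager.isConfluentCert(buildCert(CN, new String[0])));
        Assertions.assertFalse(this.trustManager.isConfluentCert(buildCert(CN, MultiTenantRequestContextTest.LOCALHOST)));
    }

    /** A chain is accepted when it contains a Confluent cert at any position. */
    @Test
    public void testVerifyCerts() throws Exception {
        Assertions.assertTrue(this.trustManager.verifyClientCerts(new X509Certificate[]{buildCert(CN, SUBJECT_ALT_DNS_NAMES)}));
        Assertions.assertTrue(this.trustManager.verifyClientCerts(new X509Certificate[]{buildCert(MultiTenantRequestContextTest.LOCALHOST, new String[0]), buildCert(CN, SUBJECT_ALT_DNS_NAMES)}));
        Assertions.assertTrue(this.trustManager.verifyClientCerts(new X509Certificate[]{buildCert(MultiTenantRequestContextTest.LOCALHOST, MultiTenantRequestContextTest.LOCALHOST), buildCert(CN, SUBJECT_ALT_DNS_NAMES), buildCert(MultiTenantRequestContextTest.LOCALHOST, new String[0])}));
    }

    /**
     * Chains with no Confluent cert, an empty chain, and chains whose only Confluent cert is
     * on the revoked list are all rejected with the "no trusted certificate" error.
     */
    @Test
    public void testVerifyCertsFails() throws Exception {
        verifyCertsFailure(new X509Certificate[]{buildCert(MultiTenantRequestContextTest.LOCALHOST, new String[0])});
        verifyCertsFailure(new X509Certificate[0]);
        verifyCertsFailure(new X509Certificate[]{buildCert(CN, new String[0])});
        verifyCertsFailure(new X509Certificate[]{buildCert(CN, MultiTenantRequestContextTest.LOCALHOST)});
        // Revoked certs carry acceptable subjects; they must fail solely on the revocation list.
        verifyCertsFailure(new X509Certificate[]{this.revokedCert1});
        verifyCertsFailure(new X509Certificate[]{this.revokedCert2});
        verifyCertsFailure(new X509Certificate[]{this.revokedCert3});
    }

    /** Empty, blank and empty-JSON-array revocation config values all parse to no revoked ids. */
    @Test
    public void testRevokedCertIds() {
        for (String emptyValue : new String[]{"", " ", "[]"}) {
            this.brokerConfigs.put(REVOKED_CERT_IDS_CONFIG, emptyValue);
            Assertions.assertTrue(this.trustManager.revokedCertificateIds(this.brokerConfigs).isEmpty(),
                    "expected no revoked ids for config value '" + emptyValue + "'");
        }
    }

    /**
     * Asserts that verifying the given chain throws a {@link CertificateException} carrying the
     * "no trusted client certificate" message.
     *
     * @param x509CertificateArr the client chain to verify
     */
    public void verifyCertsFailure(X509Certificate[] x509CertificateArr) {
        CertificateException exception = Assertions.assertThrows(CertificateException.class,
                () -> this.trustManager.verifyClientCerts(x509CertificateArr));
        // assertEquals rather than assertTrue(equals(...)) so a null message fails with a
        // readable diff instead of a NullPointerException.
        Assertions.assertEquals(NO_TRUSTED_CERT_MESSAGE, exception.getMessage());
    }

    /**
     * Generates an RSA test certificate with the given common name and DNS subject alternative
     * names.
     *
     * @param str    the CN placed in the subject {@code CN=<str>, O=A client}
     * @param strArr DNS names for the SAN extension (may be empty)
     * @return the generated certificate
     * @throws Exception if key or certificate generation fails
     */
    public X509Certificate buildCert(String str, String... strArr) throws Exception {
        return new TestSslUtils.CertificateBuilder().sanDnsNames(strArr).generate("CN=" + str + ", O=A client", TestSslUtils.generateKeyPair("RSA"));
    }

    /** Serial number of {@code cert} as lower-case hex, the form used in the revocation config. */
    private static String hexSerial(X509Certificate cert) {
        return cert.getSerialNumber().toString(16);
    }
}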
