package io.confluent.kafka.server.plugins.ssl;

import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.X509ExtendedTrustManager;
import org.apache.kafka.common.Uuid;
import org.apache.kafka.server.traffic.TrafficNetworkIdRoutes;
import org.apache.kafka.server.traffic.TrafficNetworkIdRoutesStore;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;

/* loaded from: input_file:io/confluent/kafka/server/plugins/ssl/NetworkLinkTrustManagerTest.class */
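/**
 * Tests {@link NetworkLinkTrustManager} client-certificate verification against the
 * {@link TrafficNetworkIdRoutes} registered for a broker session in the static
 * {@link TrafficNetworkIdRoutesStore}.
 *
 * <p>The cases pin three outcomes of {@code verifyClientCerts}: acceptance, rejection through the
 * inherited {@code verifyCertsFailure} helper, and a {@link CertificateException} with the message
 * {@code "Traffic network routes are not available"} when no routes are registered for the
 * session. The last one is the fail-closed path: a missing routes entry must not let a client
 * certificate through.
 *
 * <p>Each test uses its own random broker session UUID as the store key and removes that key
 * afterwards, so entries do not accumulate in the process-wide store across tests.
 */
public class NetworkLinkTrustManagerTest extends ConfluentTrustManagerTest {
    /** Name passed to the inherited {@code buildCert} for every certificate in this class. */
    private static final String WILDCARD_NAME = "*.us-west-2.aws.confluent.cloud";

    /** Key under which this test's routes are stored; also passed to the trust manager config. */
    private String brokerSessionUuid;

    /**
     * Creates a fresh session UUID, runs the base-class setup and registers default routes.
     *
     * @throws Exception if the base-class setup fails
     */
    @Override
    @BeforeEach
    public void setUp() throws Exception {
        // Assigned before super.setUp(); presumably the base setup calls createTrustManager(),
        // which reads this field. Confirm in ConfluentTrustManagerTest.
        this.brokerSessionUuid = Uuid.randomUuid().toString();
        super.setUp();
        registerRoutes(Arrays.asList("n1"), null);
    }

    /**
     * Removes this test's entry from the static routes store so state does not leak between tests.
     *
     * @throws Exception if the store rejects the removal
     */
    @AfterEach
    public void removeBrokerSessionRoutes() throws Exception {
        if (this.brokerSessionUuid != null) {
            TrafficNetworkIdRoutesStore.removeRoutes(this.brokerSessionUuid);
        }
    }

    /** Builds the trust manager under test, bound to this test's broker session UUID. */
    @Override
    protected void createTrustManager() {
        this.brokerConfigs.put("broker.session.uuid", this.brokerSessionUuid);
        // No delegate trust manager is supplied; the cast only selects the constructor overload.
        this.trustManager = new NetworkLinkTrustManager(this.brokerConfigs, (X509ExtendedTrustManager) null);
    }

    /**
     * Verifies that the certificate is accepted for three route configurations: a null second
     * list, and two different non-null second lists.
     *
     * <p>NOTE(review): none of the listed values is a literal suffix of {@link #WILDCARD_NAME}
     * (they end in {@code devel.cpdev.cloud}), and {@link #testDisallowedDNSDomainSuffix()} is
     * rejected with similar inputs. What decides acceptance is not visible from this class;
     * confirm against {@code NetworkLinkTrustManager} and the inherited {@code buildCert}.
     *
     * <p>NOTE(review): {@code "n1, n2"} is a single list element containing a comma, not two
     * entries. If two network IDs were intended it should be {@code Arrays.asList("n1", "n2")};
     * it is left unchanged here because changing it would alter what the test exercises.
     *
     * @throws Exception if certificate construction or verification fails unexpectedly
     */
    @Test
    public void testAllowedDNSDomainSuffix() throws Exception {
        // A null second list is accepted here, while the empty-list case in the disallowed test
        // is rejected. The two are evidently not treated the same.
        registerRoutes(Arrays.asList("n1, n2"), null);
        Assertions.assertTrue(this.trustManager.verifyClientCerts(wildcardCertChain()));

        registerRoutes(
            Arrays.asList("n1, n2"),
            Arrays.asList("us-west-1.aws.devel.cpdev.cloud", "us-east-1.aws.devel.cpdev.cloud"));
        Assertions.assertTrue(this.trustManager.verifyClientCerts(wildcardCertChain()));

        registerRoutes(
            Arrays.asList("n1, n2"),
            Arrays.asList("us-west-1.aws.devel.cpdev.cloud", "us-west-2.aws.devel.cpdev.cloud"));
        Assertions.assertTrue(this.trustManager.verifyClientCerts(wildcardCertChain()));
    }

    /**
     * Verifies the rejection paths: no routes registered at all, both lists empty, and two
     * configurations with a single entry in the second list.
     *
     * @throws Exception if certificate construction fails
     */
    @Test
    public void testDisallowedDNSDomainSuffix() throws Exception {
        // Fail-closed: with the session's routes removed, verification must throw, not pass.
        TrafficNetworkIdRoutesStore.removeRoutes(this.brokerSessionUuid);
        verifyCertsNoRoutes(wildcardCertChain());

        // Routes present but both lists empty.
        registerRoutes(Arrays.asList(new String[0]), Arrays.asList(new String[0]));
        verifyCertsFailure(wildcardCertChain());

        registerRoutes(Arrays.asList("n1"), Arrays.asList("us-east-1.aws.devel.cpdev.cloud"));
        verifyCertsFailure(wildcardCertChain());

        registerRoutes(Arrays.asList("n1, n2"), Arrays.asList("us-east-2.aws.devel.cpdev.cloud"));
        verifyCertsFailure(wildcardCertChain());
    }

    /**
     * Registers routes for this test's broker session, replacing what the previous call stored
     * as far as these tests rely on it.
     *
     * @param networkIds first constructor argument of {@link TrafficNetworkIdRoutes}; presumably
     *     network IDs (inferred from the class name, not shown here)
     * @param dnsSuffixes second constructor argument; presumably allowed DNS domain suffixes
     *     (inferred from the test names); may be {@code null}
     */
    private void registerRoutes(List<String> networkIds, List<String> dnsSuffixes) {
        TrafficNetworkIdRoutesStore.addRoutes(
            this.brokerSessionUuid, new TrafficNetworkIdRoutes(networkIds, dnsSuffixes));
    }

    /**
     * Builds a fresh single-certificate chain for {@link #WILDCARD_NAME} via the inherited
     * {@code buildCert} and {@code SUBJECT_ALT_DNS_NAMES}.
     *
     * @return a one-element certificate array
     * @throws Exception if the inherited certificate builder fails
     */
    private X509Certificate[] wildcardCertChain() throws Exception {
        return new X509Certificate[]{buildCert(WILDCARD_NAME, SUBJECT_ALT_DNS_NAMES)};
    }

    /**
     * Asserts that verification throws {@link CertificateException} with the "routes not
     * available" message, which is the expected result when the store has no entry for the session.
     *
     * @param x509CertificateArr client certificate chain to verify
     */
    private void verifyCertsNoRoutes(X509Certificate[] x509CertificateArr) {
        CertificateException thrown = Assertions.assertThrows(
            CertificateException.class,
            () -> this.trustManager.verifyClientCerts(x509CertificateArr));
        Assertions.assertEquals("Traffic network routes are not available", thrown.getMessage());
    }
}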
