package io.confluent.kafka.multitenant;

import io.confluent.kafka.clients.CloudAdmin;
import java.net.MalformedURLException;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import kafka.test.JarResourceLoader;
import org.apache.kafka.clients.admin.Admin;
import org.apache.kafka.clients.admin.AlterConfigsOptions;
import org.apache.kafka.clients.admin.AlterConfigsResult;
import org.apache.kafka.clients.admin.ConfluentAdmin;
import org.apache.kafka.clients.admin.MockAdminClient;
import org.apache.kafka.common.KafkaFuture;
import org.apache.kafka.common.Node;
import org.apache.kafka.common.errors.UnknownServerException;
import org.apache.kafka.common.network.ListenerName;
import org.apache.kafka.test.TestUtils;
import org.junit.jupiter.api.AfterAll;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Disabled;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.params.ParameterizedTest;
import org.junit.jupiter.params.provider.CsvSource;
import org.mockito.ArgumentCaptor;
import org.mockito.ArgumentMatchers;
import org.mockito.MockedStatic;
import org.mockito.Mockito;
import org.mockito.exceptions.base.MockitoAssertionError;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/confluent/kafka/multitenant/SslCertificateManagerTest.class */
public class SslCertificateManagerTest {
    static final long TEST_MAX_WAIT_MS = TimeUnit.SECONDS.toMillis(60);
    static final String SSL_CERTS_DIR = "mnt/sslcerts/";
    static final String DATA_DIR = "..data";
    static final String BROKER_ID = "0";
    static final URL TEST_ROOT;
    private static final URL TEST_SSL_CERTS_MAY;
    protected static final URL TEST_SSL_CERTS_AUG;
    ConfluentAdmin mockAdminClient;
    SslCertificateManager sslCache;
    String sslCertsPath;
    Path tempDir;
    static MockedStatic<LoggerFactory> loggerFactory;
    static Logger mockLog;

    @BeforeAll
    public static void beforeAll() {
        loggerFactory = Mockito.mockStatic(LoggerFactory.class);
        mockLog = (Logger) Mockito.mock(Logger.class);
        loggerFactory.when(() -> {
            LoggerFactory.getLogger(SslCertificateManager.class);
        }).thenReturn(mockLog);
        loggerFactory.when(() -> {
            LoggerFactory.getLogger(KafkaLogicalClusterMetadata.class);
        }).thenReturn(mockLog);
    }

    @AfterAll
    public static void afterAll() {
        loggerFactory.close();
    }

    @BeforeEach
    public void setUp() throws Exception {
        this.tempDir = TestUtils.tempDirectory().toPath();
        System.out.println("root resource: " + TEST_ROOT.getPath());
        Node node = new Node(0, MultiTenantRequestContextTest.LOCALHOST, MultiTenantRequestContextTest.KAFKA_PORT);
        this.sslCertsPath = String.valueOf(this.tempDir.toRealPath(new LinkOption[0])) + "/mnt/sslcerts/spec.json";
        this.mockAdminClient = (ConfluentAdmin) Mockito.spy(new MockAdminClient(Collections.singletonList(node), node));
        this.sslCache = new SslCertificateManager(BROKER_ID, (Object) null, this.sslCertsPath, str -> {
            return this.mockAdminClient;
        }, Arrays.asList("EXTERNAL"), useBcfks());
    }

    @AfterEach
    public void teardown() {
        this.sslCache.shutdown();
        this.sslCache.close();
    }

    protected boolean useBcfks() {
        return false;
    }

    protected String keyStoreType() {
        return "PKCS12";
    }

    protected void setUpKeyStoreException(MockedStatic<KeyStore> mockedStatic, Exception exc) {
        mockedStatic.when(() -> {
            KeyStore.getInstance(keyStoreType());
        }).thenThrow(new Throwable[]{exc});
    }

    protected void verifyKeyStoreCall(MockedStatic<KeyStore> mockedStatic) {
        mockedStatic.verify(() -> {
            KeyStore.getInstance((String) ArgumentMatchers.any());
        }, Mockito.times(1));
    }

    @Test
    public void testAdminClientInvokedAfterCertificateSync() throws Exception {
        KafkaLogicalClusterUtils.deleteFiles(this.tempDir, SSL_CERTS_DIR);
        Utils.syncCerts(this.tempDir, TEST_SSL_CERTS_AUG, SSL_CERTS_DIR);
        this.sslCache.loadSslCertFiles();
        ((ConfluentAdmin) Mockito.verify(this.mockAdminClient, Mockito.times(1))).incrementalAlterConfigs((Map) ArgumentMatchers.any(), (AlterConfigsOptions) ArgumentMatchers.any());
    }

    @Test
    public void testCertsCouldNotBeParsed() {
        try {
            MockedStatic mockStatic = Mockito.mockStatic(CertificateFactory.class);
            try {
                MockedStatic<KeyStore> mockStatic2 = Mockito.mockStatic(KeyStore.class);
                try {
                    CertificateException certificateException = new CertificateException("something bad");
                    mockStatic.when(() -> {
                        CertificateFactory.getInstance("X509");
                    }).thenThrow(new Throwable[]{certificateException});
                    KeyStoreException keyStoreException = new KeyStoreException("something worse");
                    setUpKeyStoreException(mockStatic2, keyStoreException);
                    KafkaLogicalClusterUtils.deleteFiles(this.tempDir, SSL_CERTS_DIR);
                    Utils.syncCerts(this.tempDir, TEST_SSL_CERTS_AUG, SSL_CERTS_DIR);
                    this.sslCache.loadSslCertFiles();
                    ((ConfluentAdmin) Mockito.verify(this.mockAdminClient, Mockito.times(1))).incrementalAlterConfigs((Map) ArgumentMatchers.any(), (AlterConfigsOptions) ArgumentMatchers.any());
                    mockStatic.verify(() -> {
                        CertificateFactory.getInstance((String) ArgumentMatchers.any());
                    }, Mockito.times(1));
                    verifyKeyStoreCall(mockStatic2);
                    ((Logger) Mockito.verify(mockLog, Mockito.times(1))).error(ArgumentMatchers.contains("X509"), (Throwable) ArgumentMatchers.eq(certificateException));
                    ((Logger) Mockito.verify(mockLog, Mockito.times(1))).error(ArgumentMatchers.contains(keyStoreType()), (Throwable) ArgumentMatchers.eq(keyStoreException));
                    if (mockStatic2 != null) {
                        mockStatic2.close();
                    }
                    if (mockStatic != null) {
                        mockStatic.close();
                    }
                } catch (Throwable th) {
                    if (mockStatic2 != null) {
                        try {
                            mockStatic2.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            } finally {
            }
        } catch (Exception e) {
            Assertions.fail(e);
        }
    }

    @ParameterizedTest
    @CsvSource({"false,false", "true,false", "false,true"})
    public void testDynamicConfigsAfterCertificateSync(boolean z, boolean z2) throws Exception {
        KafkaLogicalClusterUtils.deleteFiles(this.tempDir, SSL_CERTS_DIR);
        Utils.syncCerts(this.tempDir, TEST_SSL_CERTS_AUG, SSL_CERTS_DIR);
        ArrayList arrayList = new ArrayList();
        arrayList.add("EXTERNAL");
        if (z) {
            arrayList.add("EXTERNAL_BACKCHANNEL");
        }
        Object obj = null;
        if (z2) {
            obj = BROKER_ID;
        }
        this.sslCache = new SslCertificateManager(BROKER_ID, obj, this.sslCertsPath, str -> {
            return this.mockAdminClient;
        }, arrayList, useBcfks());
        this.sslCache.loadSslCertFiles();
        ArgumentCaptor forClass = ArgumentCaptor.forClass(Map.class);
        ((ConfluentAdmin) Mockito.verify(this.mockAdminClient, Mockito.times(1))).incrementalAlterConfigs((Map) forClass.capture(), (AlterConfigsOptions) ArgumentMatchers.any());
        Map map = (Map) forClass.getValue();
        HashSet hashSet = new HashSet();
        if (arrayList.isEmpty()) {
            hashSet.add("listener.name.external.ssl.keystore.location");
            hashSet.add("listener.name.external.ssl.keystore.type");
        } else {
            arrayList.forEach(str2 -> {
                String configPrefix = new ListenerName(str2).configPrefix();
                hashSet.add(configPrefix + "ssl.keystore.location");
                hashSet.add(configPrefix + "ssl.keystore.type");
            });
        }
        Assertions.assertEquals(hashSet, (Set) map.values().stream().flatMap(collection -> {
            return collection.stream();
        }).map(alterConfigOp -> {
            return alterConfigOp.configEntry().name();
        }).collect(Collectors.toSet()));
    }

    @Test
    public void testAdminClientNotInvokedWithoutReadPermissionForCerts() throws Exception {
        Utils.syncCerts(this.tempDir, TEST_SSL_CERTS_AUG, SSL_CERTS_DIR);
        String str = String.valueOf(this.tempDir.toRealPath(new LinkOption[0])) + "/mnt/sslcerts//..data/fullchain.pem";
        String str2 = String.valueOf(this.tempDir.toRealPath(new LinkOption[0])) + "/mnt/sslcerts//..data/privkey.pem";
        Files.setPosixFilePermissions(Paths.get(str, new String[0]), PosixFilePermissions.fromString("-wx-wx-wx"));
        Files.setPosixFilePermissions(Paths.get(str2, new String[0]), PosixFilePermissions.fromString("-wx-wx-wx"));
        this.sslCache.loadSslCertFiles();
        ((ConfluentAdmin) Mockito.verify(this.mockAdminClient, Mockito.times(0))).incrementalAlterConfigs((Map) ArgumentMatchers.any(), (AlterConfigsOptions) ArgumentMatchers.any());
    }

    protected String getSpecFileName() {
        return "spec.json";
    }

    @Test
    public void testAdminClientNotInvokedWithoutSpecFile() throws Exception {
        String specFileName = getSpecFileName();
        KafkaLogicalClusterUtils.moveFile(specFileName, TEST_SSL_CERTS_AUG, TEST_ROOT);
        KafkaLogicalClusterUtils.deleteFiles(this.tempDir, SSL_CERTS_DIR);
        Utils.syncCerts(this.tempDir, TEST_SSL_CERTS_AUG, SSL_CERTS_DIR);
        this.sslCache.loadSslCertFiles();
        ((ConfluentAdmin) Mockito.verify(this.mockAdminClient, Mockito.times(0))).incrementalAlterConfigs((Map) ArgumentMatchers.any(), (AlterConfigsOptions) ArgumentMatchers.any());
        KafkaLogicalClusterUtils.moveFile(specFileName, TEST_ROOT, TEST_SSL_CERTS_AUG);
    }

    protected String getStoreFileName() {
        return "pkcs.p12";
    }

    @Test
    public void testAdminClientNotInvokedWithoutPKCSCertificate() throws Exception {
        String storeFileName = getStoreFileName();
        KafkaLogicalClusterUtils.moveFile(storeFileName, TEST_SSL_CERTS_AUG, TEST_ROOT);
        KafkaLogicalClusterUtils.deleteFiles(this.tempDir, SSL_CERTS_DIR);
        Utils.syncCerts(this.tempDir, TEST_SSL_CERTS_AUG, SSL_CERTS_DIR);
        this.sslCache.loadSslCertFiles();
        ((ConfluentAdmin) Mockito.verify(this.mockAdminClient, Mockito.times(0))).incrementalAlterConfigs((Map) ArgumentMatchers.any(), (AlterConfigsOptions) ArgumentMatchers.any());
        KafkaLogicalClusterUtils.moveFile(storeFileName, TEST_ROOT, TEST_SSL_CERTS_AUG);
    }

    @Test
    public void testAdminClientNotInvokedWithoutPrivkeyPemFile() throws Exception {
        KafkaLogicalClusterUtils.moveFile("privkey.pem", TEST_SSL_CERTS_AUG, TEST_ROOT);
        KafkaLogicalClusterUtils.deleteFiles(this.tempDir, SSL_CERTS_DIR);
        Utils.syncCerts(this.tempDir, TEST_ROOT, SSL_CERTS_DIR);
        this.sslCache.loadSslCertFiles();
        ((ConfluentAdmin) Mockito.verify(this.mockAdminClient, Mockito.times(0))).incrementalAlterConfigs((Map) ArgumentMatchers.any(), (AlterConfigsOptions) ArgumentMatchers.any());
        KafkaLogicalClusterUtils.moveFile("privkey.pem", TEST_ROOT, TEST_SSL_CERTS_AUG);
    }

    @Test
    public void testAdminClientNotInvokedWithoutFullchainPemFile() throws Exception {
        KafkaLogicalClusterUtils.moveFile("fullchain.pem", TEST_SSL_CERTS_AUG, TEST_ROOT);
        KafkaLogicalClusterUtils.deleteFiles(this.tempDir, SSL_CERTS_DIR);
        Utils.syncCerts(this.tempDir, TEST_SSL_CERTS_AUG, SSL_CERTS_DIR);
        this.sslCache.loadSslCertFiles();
        ((ConfluentAdmin) Mockito.verify(this.mockAdminClient, Mockito.times(0))).incrementalAlterConfigs((Map) ArgumentMatchers.any(), (AlterConfigsOptions) ArgumentMatchers.any());
        KafkaLogicalClusterUtils.moveFile("fullchain.pem", TEST_ROOT, TEST_SSL_CERTS_AUG);
    }

    private boolean verifyIncerementalAlterConfigsCalls(int i) {
        try {
            ((ConfluentAdmin) Mockito.verify(this.mockAdminClient, Mockito.times(i))).incrementalAlterConfigs((Map) ArgumentMatchers.any(), (AlterConfigsOptions) ArgumentMatchers.any());
            return true;
        } catch (MockitoAssertionError e) {
            return false;
        }
    }

    @Test
    public void testAdminClientInvocationOnIdenticalSslCertsSync() throws Exception {
        Utils.syncCerts(this.tempDir, TEST_SSL_CERTS_MAY, SSL_CERTS_DIR);
        this.sslCache.startWatching();
        this.sslCache.loadSslCertFiles();
        ((ConfluentAdmin) Mockito.verify(this.mockAdminClient, Mockito.times(1))).incrementalAlterConfigs((Map) ArgumentMatchers.any(), (AlterConfigsOptions) ArgumentMatchers.any());
        KafkaLogicalClusterUtils.deleteFiles(this.tempDir, SSL_CERTS_DIR);
        Utils.syncCerts(this.tempDir, TEST_SSL_CERTS_MAY, SSL_CERTS_DIR);
        ((ConfluentAdmin) Mockito.verify(this.mockAdminClient, Mockito.timeout(TEST_MAX_WAIT_MS).times(1))).incrementalAlterConfigs((Map) ArgumentMatchers.any(), (AlterConfigsOptions) ArgumentMatchers.any());
    }

    @Disabled("Flaky test tracked by KNET-14270")
    @Test
    public void testAdminClientInvocationOnDifferentSslCertsSync() throws Exception {
        Utils.syncCerts(this.tempDir, TEST_SSL_CERTS_MAY, SSL_CERTS_DIR);
        this.sslCache.startWatching();
        this.sslCache.loadSslCertFiles();
        ((ConfluentAdmin) Mockito.verify(this.mockAdminClient, Mockito.times(1))).incrementalAlterConfigs((Map) ArgumentMatchers.any(), (AlterConfigsOptions) ArgumentMatchers.any());
        KafkaLogicalClusterUtils.deleteFiles(this.tempDir, SSL_CERTS_DIR);
        Utils.syncCerts(this.tempDir, TEST_SSL_CERTS_AUG, SSL_CERTS_DIR);
        TestUtils.waitForCondition(() -> {
            return verifyIncerementalAlterConfigsCalls(2);
        }, TEST_MAX_WAIT_MS, "Should call after sync");
        KafkaLogicalClusterUtils.deleteFiles(this.tempDir, SSL_CERTS_DIR);
        Utils.syncCerts(this.tempDir, TEST_SSL_CERTS_MAY, SSL_CERTS_DIR);
        TestUtils.waitForCondition(() -> {
            return verifyIncerementalAlterConfigsCalls(3);
        }, TEST_MAX_WAIT_MS, "Should call after sync");
    }

    @Disabled("Flaky test tracked by KNET-14270")
    @Test
    public void testWatchServiceDoesNotTerminateOnDirectoryDeletion() throws Exception {
        Utils.syncCerts(this.tempDir, TEST_SSL_CERTS_MAY, SSL_CERTS_DIR);
        this.sslCache.startWatching();
        this.sslCache.loadSslCertFiles();
        ((ConfluentAdmin) Mockito.verify(this.mockAdminClient, Mockito.times(1))).incrementalAlterConfigs((Map) ArgumentMatchers.any(), (AlterConfigsOptions) ArgumentMatchers.any());
        KafkaLogicalClusterUtils.deleteFiles(this.tempDir, SSL_CERTS_DIR);
        Utils.syncCerts(this.tempDir, TEST_SSL_CERTS_AUG, SSL_CERTS_DIR);
        TestUtils.waitForCondition(() -> {
            return verifyIncerementalAlterConfigsCalls(2);
        }, TEST_MAX_WAIT_MS, "Should call after sync");
    }

    @Test
    public void testAdminClientRecreatedAfterError() throws Exception {
        Admin admin = (Admin) Mockito.mock(CloudAdmin.class);
        this.sslCache = new SslCertificateManager(BROKER_ID, (Object) null, this.sslCertsPath, str -> {
            return admin;
        }, Arrays.asList("EXTERNAL"), useBcfks());
        AlterConfigsResult alterConfigsResult = (AlterConfigsResult) Mockito.mock(AlterConfigsResult.class);
        KafkaFuture kafkaFuture = (KafkaFuture) Mockito.mock(KafkaFuture.class);
        Mockito.when(admin.incrementalAlterConfigs((Map) ArgumentMatchers.any(), (AlterConfigsOptions) ArgumentMatchers.any())).thenReturn(alterConfigsResult);
        Mockito.when(alterConfigsResult.all()).thenReturn(kafkaFuture);
        Mockito.when((Void) kafkaFuture.get()).thenThrow(new Throwable[]{new ExecutionException((Throwable) new UnknownServerException())}).thenAnswer(invocationOnMock -> {
            return null;
        });
        Utils.syncCerts(this.tempDir, TEST_SSL_CERTS_MAY, SSL_CERTS_DIR);
        this.sslCache.startWatching();
        this.sslCache.loadSslCertFiles();
        ((Admin) Mockito.verify(admin, Mockito.times(1))).incrementalAlterConfigs((Map) ArgumentMatchers.any(), (AlterConfigsOptions) ArgumentMatchers.any());
        Assertions.assertNull(this.sslCache.getAdminClient());
        this.sslCache.loadSslCertFiles();
        ((Admin) Mockito.verify(admin, Mockito.times(2))).incrementalAlterConfigs((Map) ArgumentMatchers.any(), (AlterConfigsOptions) ArgumentMatchers.any());
        Assertions.assertNotNull(this.sslCache.getAdminClient());
    }

    static {
        try {
            if (System.getenv("BAZEL_TEST") != null) {
                TEST_ROOT = Paths.get(System.getenv("TEST_TMPDIR"), new String[0]).toUri().toURL();
            } else {
                TEST_ROOT = SslCertificateManagerTest.class.getResource("/");
            }
            try {
                TEST_SSL_CERTS_MAY = JarResourceLoader.loadDirectoryFromResource(SslCertificateManagerTest.class, "/cert_exp_may").toURI().toURL();
                try {
                    TEST_SSL_CERTS_AUG = JarResourceLoader.loadDirectoryFromResource(SslCertificateManagerTest.class, "/cert_exp_aug").toURI().toURL();
                } catch (MalformedURLException e) {
                    throw new RuntimeException(e);
                }
            } catch (MalformedURLException e2) {
                throw new RuntimeException(e2);
            }
        } catch (MalformedURLException e3) {
            throw new RuntimeException(e3);
        }
    }
}
