package org.apache.hadoop.security.ssl;

import io.hops.security.MockEnvironmentVariablesService;
import io.hops.security.SuperuserKeystoresLoader;
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyPair;
import java.security.PrivilegedExceptionAction;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.concurrent.TimeUnit;
import org.apache.commons.io.FileUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.ipc.ProtobufRpcEngine;
import org.apache.hadoop.ipc.RPC;
import org.apache.hadoop.ipc.RemoteException;
import org.apache.hadoop.ipc.Server;
import org.apache.hadoop.ipc.TestRpcBase;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.ssl.CRLValidatorFactory;
import org.apache.hadoop.security.ssl.RpcTLSUtils;
import org.apache.hadoop.security.token.SecretManager;
import org.apache.hadoop.util.envVars.EnvironmentVariablesFactory;
import org.apache.log4j.LogManager;
import org.apache.log4j.Logger;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMWriter;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.ExpectedException;

/* loaded from: input_file:org/apache/hadoop/security/ssl/TestCRLValidator.class */
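/**
 * Tests for {@code CRLValidator} and {@code CRLValidatorFactory}.
 *
 * <p>The RPC-level tests stand up a TLS-protected test server, point the CRL fetcher at a
 * locally generated CRL and check that a client certificate is accepted while not revoked,
 * rejected once it is listed, and that a configured-but-missing CRL fails the server start.
 * The remaining tests exercise the validator directly and the factory's caching per
 * {@code CRLValidatorFactory.TYPE}.
 *
 * <p>All key material lives under {@link #BASE_DIR} and is deleted in {@link #tearDown()}.
 * The store password is a fixed, test-only value.
 */
public class TestCRLValidator {
    private Configuration conf;
    private final String keyAlgorithm = "RSA";
    private final String signatureAlgorithm = "SHA256withRSA";
    private final String password = "password";

    @Rule
    public final ExpectedException rule = ExpectedException.none();
    private static final Logger LOG = LogManager.getLogger(TestCRLValidator.class);
    private static final String BASE_DIR = Paths.get(System.getProperty("test.build.dir", Paths.get("target", "test-dir").toString()), TestCRLValidator.class.getSimpleName()).toString();
    private static final File BASE_DIR_FILE = new File(BASE_DIR);
    private static String confDir = null;

    // CRL the (file-backed) remote fetcher reads, and the local copy it writes for the validator.
    private static final String INPUT_CRL_FILENAME = "input.server.crl.pem";
    private static final String OUTPUT_CRL_FILENAME = "server.crl.pem";
    // Remote user whose client certificate is issued by the test CA.
    private static final String CLIENT_USERNAME = "Client_username";
    private static final String ECHO_MESSAGE = "Hello, is it me you're looking for?";

    /** Registers BouncyCastle (needed for PEM/CRL generation) and prepares the material directory. */
    @BeforeClass
    public static void setup() throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        BASE_DIR_FILE.mkdirs();
        confDir = KeyStoreTestUtil.getClasspathDir(TestCRLValidator.class);
    }

    /** Fresh configuration and empty validator/fetcher caches for every test. */
    @Before
    public void setupTest() throws Exception {
        this.conf = new Configuration();
        CRLValidatorFactory.getInstance().clearCache();
        CRLFetcherFactory.getInstance().clearFetcherCache();
    }

    /** Removes generated key material and the ssl-server.xml written to the classpath dir. */
    @AfterClass
    public static void tearDown() throws Exception {
        if (BASE_DIR_FILE.exists()) {
            FileUtils.deleteDirectory(BASE_DIR_FILE);
        }
        // confDir stays null when setup() failed before assigning it; avoid a masking NPE here.
        if (confDir != null) {
            Files.deleteIfExists(Paths.get(confDir, TestCRLValidator.class.getSimpleName() + ".ssl-server.xml"));
        }
    }

    /**
     * A client whose certificate is not on the CRL must be able to complete an echo RPC.
     */
    @Test
    public void testServerWithCRLValid() throws Exception {
        Path inputCRL = Paths.get(BASE_DIR, INPUT_CRL_FILENAME);
        Path outputCRL = Paths.get(BASE_DIR, OUTPUT_CRL_FILENAME);
        RpcTLSUtils.TestCryptoMaterial material = setupTLSMaterial();
        // Empty CRL: nothing revoked.
        writeCRLToFile(generateServerCRL(material, null), inputCRL);
        configureCRL(this.conf, inputCRL, outputCRL);
        RPC.setProtocolEngine(this.conf, TestRpcBase.TestRpcService.class, ProtobufRpcEngine.class);
        RevocationListFetcherService fetcher = startCRLFetcherService(this.conf);
        CRLValidator validator = newFastReloadingValidator();
        CRLValidatorFactory.getInstance().registerValidator(CRLValidatorFactory.TYPE.NORMAL, validator);
        mockMaterialDirectory();
        Server server = null;
        try {
            server = TestRpcBase.setupTestServer(newServerBuilder());
            String reply = RpcTLSUtils.makeEchoRequest(UserGroupInformation.createRemoteUser(CLIENT_USERNAME),
                    server.getListenerAddress(), this.conf, ECHO_MESSAGE).getMessage();
            Assert.assertEquals(ECHO_MESSAGE, reply);
        } finally {
            shutdown(server, fetcher);
        }
    }

    /**
     * CRL validation enabled but no fetcher running, so the configured output CRL never
     * appears: server start-up must fail with {@link NoSuchFileException} rather than
     * silently running without revocation checks.
     */
    @Test
    public void testServerWithEnabledButMissingCRL() throws Exception {
        Path inputCRL = Paths.get(BASE_DIR, INPUT_CRL_FILENAME);
        Path outputCRL = Paths.get(BASE_DIR, OUTPUT_CRL_FILENAME);
        RpcTLSUtils.TestCryptoMaterial material = setupTLSMaterial();
        writeCRLToFile(generateServerCRL(material, material.getClientCertificate().getSerialNumber()), inputCRL);
        configureCRL(this.conf, inputCRL, outputCRL);
        RPC.setProtocolEngine(this.conf, TestRpcBase.TestRpcService.class, ProtobufRpcEngine.class);
        mockMaterialDirectory();
        RPC.Builder builder = newServerBuilder();
        Server server = null;
        try {
            this.rule.expect(NoSuchFileException.class);
            server = TestRpcBase.setupTestServer(builder);
        } finally {
            shutdown(server, null);
        }
    }

    /**
     * A revoked client certificate must be rejected with the HopsCRLValidator message; once the
     * CRL no longer lists it and fetcher plus validator have reloaded, the same client succeeds.
     */
    @Test
    public void testServerWithCRLInvalid() throws Exception {
        Path inputCRL = Paths.get(BASE_DIR, INPUT_CRL_FILENAME);
        Path outputCRL = Paths.get(BASE_DIR, OUTPUT_CRL_FILENAME);
        RpcTLSUtils.TestCryptoMaterial material = setupTLSMaterial();
        X509CRL revokingCRL = generateServerCRL(material, material.getClientCertificate().getSerialNumber());
        writeCRLToFile(revokingCRL, inputCRL);
        configureCRL(this.conf, inputCRL, outputCRL);
        RPC.setProtocolEngine(this.conf, TestRpcBase.TestRpcService.class, ProtobufRpcEngine.class);
        RevocationListFetcherService fetcher = startCRLFetcherService(this.conf);
        CRLValidator validator = newFastReloadingValidator();
        validator.startReloadingThread();
        CRLValidatorFactory.getInstance().registerValidator(CRLValidatorFactory.TYPE.NORMAL, validator);
        mockMaterialDirectory();
        Server server = null;
        try {
            server = TestRpcBase.setupTestServer(newServerBuilder());
            UserGroupInformation client = UserGroupInformation.createRemoteUser(CLIENT_USERNAME);
            String expectedRejection = "HopsCRLValidator: Certificate " + material.getClientCertificate().getSubjectDN()
                    + " has been revoked by " + revokingCRL.getIssuerX500Principal();
            boolean rejected = false;
            try {
                RpcTLSUtils.makeEchoRequest(client, server.getListenerAddress(), this.conf, ECHO_MESSAGE);
            } catch (Exception e) {
                RemoteException remote = findRemoteException(e);
                if (remote == null) {
                    // Not the revocation path at all; surface the real cause instead of a bare assertTrue failure.
                    throw e;
                }
                if (!remote.getMessage().contains(expectedRejection)) {
                    throw e;
                }
                rejected = true;
            }
            Assert.assertTrue("Echo request with revoked certificate should have been rejected", rejected);
            LOG.info("Removing client certificate from CRL and wait for the CRL fetcher to pick it up");
            writeCRLToFile(generateServerCRL(material, null), inputCRL);
            // Two fetch periods plus two validator reload periods gives both a chance to observe the new CRL.
            TimeUnit.SECONDS.sleep((fetcher.getFetcherInterval() * 2) + (validator.getReloadInterval() * 2));
            String reply = RpcTLSUtils.makeEchoRequest(client, server.getListenerAddress(), this.conf, ECHO_MESSAGE).getMessage();
            Assert.assertEquals(ECHO_MESSAGE, reply);
        } finally {
            shutdown(server, fetcher);
        }
    }

    /**
     * Direct validator check: a chain validates against an empty CRL and fails with
     * {@link CertificateException} after the leaf is added to the CRL and the validator reloads.
     */
    @Test
    public void testValidator() throws Exception {
        UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
        SuperuserKeystoresLoader loader = new SuperuserKeystoresLoader(this.conf);
        Path truststore = Paths.get(BASE_DIR, loader.getSuperTruststoreFilename(currentUser.getUserName()));
        FileUtils.writeStringToFile(Paths.get(BASE_DIR, loader.getSuperMaterialPasswdFilename(currentUser.getUserName())).toFile(), password);
        Path crlPath = Paths.get(BASE_DIR, "crl.pem");
        KeyPair caKeyPair = KeyStoreTestUtil.generateKeyPair(keyAlgorithm);
        X509Certificate caCert = KeyStoreTestUtil.generateCertificate("CN=rootCA", caKeyPair, 60, signatureAlgorithm, true);
        KeyStoreTestUtil.createTrustStore(truststore.toString(), password, "rootca", caCert);
        X509Certificate clientCert = KeyStoreTestUtil.generateSignedCertificate("CN=client", KeyStoreTestUtil.generateKeyPair(keyAlgorithm), 30, signatureAlgorithm, caKeyPair.getPrivate(), caCert);
        clientCert.verify(caKeyPair.getPublic());
        X509CRL emptyCRL = KeyStoreTestUtil.generateCRL(caCert, caKeyPair.getPrivate(), signatureAlgorithm, null, null);
        writeCRLToFile(emptyCRL, crlPath);
        this.conf.set("hops.tls.superuser-material-directory", BASE_DIR);
        this.conf.set("hops.crl.output.file", crlPath.toString());
        CRLValidator validator = CRLValidatorFactory.getInstance().getValidator(CRLValidatorFactory.TYPE.TESTING, this.conf, this.conf);
        Certificate[] chain = {clientCert, caCert};
        validator.validate(chain);
        X509CRL revokingCRL = KeyStoreTestUtil.generateCRL(caCert, caKeyPair.getPrivate(), signatureAlgorithm, emptyCRL, clientCert.getSerialNumber());
        // Make sure the file's modification timestamp moves so the reload detects the change.
        TimeUnit.SECONDS.sleep(1L);
        writeCRLToFile(revokingCRL, crlPath);
        TimeUnit.SECONDS.sleep(validator.getReloadInterval() * 2);
        this.rule.expect(CertificateException.class);
        validator.validate(chain);
    }

    /** The factory caches one validator per TYPE and does not share instances across types. */
    @Test
    public void testCRLValidatorFactory() throws Exception {
        UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
        SuperuserKeystoresLoader loader = new SuperuserKeystoresLoader(this.conf);
        Path truststore = Paths.get(BASE_DIR, loader.getSuperTruststoreFilename(currentUser.getUserName()));
        FileUtils.writeStringToFile(Paths.get(BASE_DIR, loader.getSuperMaterialPasswdFilename(currentUser.getUserName())).toFile(), password);
        Path crlPath = Paths.get(BASE_DIR, "crl.pem");
        KeyPair caKeyPair = KeyStoreTestUtil.generateKeyPair(keyAlgorithm);
        X509Certificate caCert = KeyStoreTestUtil.generateCertificate("CN=root", caKeyPair, 60, signatureAlgorithm, true);
        KeyStoreTestUtil.createTrustStore(truststore.toString(), password, "root", caCert);
        writeCRLToFile(KeyStoreTestUtil.generateCRL(caCert, caKeyPair.getPrivate(), signatureAlgorithm, null, null), crlPath);
        this.conf.set("hops.tls.superuser-material-directory", BASE_DIR);
        this.conf.set("hops.crl.output.file", crlPath.toString());
        CRLValidator normal = CRLValidatorFactory.getInstance().getValidator(CRLValidatorFactory.TYPE.NORMAL, this.conf, this.conf);
        Assert.assertEquals(normal, CRLValidatorFactory.getInstance().getValidator(CRLValidatorFactory.TYPE.NORMAL, this.conf, this.conf));
        CRLValidator testing = CRLValidatorFactory.getInstance().getValidator(CRLValidatorFactory.TYPE.TESTING, this.conf, this.conf);
        Assert.assertEquals(testing, CRLValidatorFactory.getInstance().getValidator(CRLValidatorFactory.TYPE.TESTING, this.conf, this.conf));
        Assert.assertNotEquals(normal, testing);
    }

    /**
     * A non-superuser (application user) resolves its material relative to {@code PWD} and
     * must still obtain a validator from the factory.
     */
    @Test
    public void testCRLValidatioFactoryNonSuperuser() throws Exception {
        Path keystore = Paths.get(BASE_DIR, "k_certificate");
        Path truststore = Paths.get(BASE_DIR, "t_certificate");
        FileUtils.writeStringToFile(Paths.get(BASE_DIR, "material_passwd").toFile(), password);
        Path crlPath = Paths.get(BASE_DIR, "crl.pem");
        KeyPair caKeyPair = KeyStoreTestUtil.generateKeyPair(keyAlgorithm);
        X509Certificate caCert = KeyStoreTestUtil.generateCertificate("CN=root", caKeyPair, 60, signatureAlgorithm, true);
        KeyStoreTestUtil.createKeyStore(keystore.toString(), password, password, "root", caKeyPair.getPrivate(), caCert);
        KeyStoreTestUtil.createTrustStore(truststore.toString(), password, "root", caCert);
        writeCRLToFile(KeyStoreTestUtil.generateCRL(caCert, caKeyPair.getPrivate(), signatureAlgorithm, null, null), crlPath);
        this.conf.set("hops.tls.superuser-material-directory", BASE_DIR);
        this.conf.set("hops.crl.output.file", crlPath.toString());
        MockEnvironmentVariablesService env = new MockEnvironmentVariablesService();
        env.setEnv("PWD", BASE_DIR);
        EnvironmentVariablesFactory.setInstance(env);
        CRLValidator validator = UserGroupInformation.createRemoteUser("application__user").doAs(new PrivilegedExceptionAction<CRLValidator>() {
            @Override
            public CRLValidator run() throws Exception {
                return CRLValidatorFactory.getInstance().getValidator(CRLValidatorFactory.TYPE.NORMAL, TestCRLValidator.this.conf, TestCRLValidator.this.conf);
            }
        });
        Assert.assertNotNull(validator);
    }

    /** Without any CRL configured, constructing a validator fails fast with NoSuchFileException. */
    @Test
    public void testRetryActions() throws Exception {
        this.rule.expect(NoSuchFileException.class);
        new CRLValidator(this.conf);
    }

    /**
     * Generates superuser server stores and a client keystore/truststore for
     * {@link #CLIENT_USERNAME} under {@link #BASE_DIR}.
     *
     * @return the generated material (server cert/key pair, client cert)
     */
    private RpcTLSUtils.TestCryptoMaterial setupTLSMaterial() throws Exception {
        UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
        SuperuserKeystoresLoader loader = new SuperuserKeystoresLoader(this.conf);
        String user = currentUser.getUserName();
        Path serverKeystore = Paths.get(BASE_DIR, loader.getSuperKeystoreFilename(user));
        Path serverTruststore = Paths.get(BASE_DIR, loader.getSuperTruststoreFilename(user));
        Path serverPasswordFile = Paths.get(BASE_DIR, loader.getSuperMaterialPasswdFilename(user));
        return RpcTLSUtils.setupTLSMaterial(this.conf, new RpcTLSUtils.TLSSetup.Builder()
                .setKeyAlgorithm(keyAlgorithm)
                .setSignatureAlgorithm(signatureAlgorithm)
                .setServerKstore(serverKeystore)
                .setServerTstore(serverTruststore)
                .setServerStorePassword(password)
                .setServerStorePasswordLocation(serverPasswordFile)
                .setClientKstore(Paths.get(BASE_DIR, CLIENT_USERNAME + "__kstore.jks"))
                .setClientTstore(Paths.get(BASE_DIR, CLIENT_USERNAME + "__tstore.jks"))
                .setClientStorePassword(password)
                .setClientPasswordLocation(Paths.get(BASE_DIR, CLIENT_USERNAME + "__cert.key"))
                .setClientUserName(CLIENT_USERNAME)
                .build(), TestCRLValidator.class);
    }

    /**
     * Issues a CRL signed by the server (CA) certificate of {@code material}.
     *
     * @param revokedSerial serial number to list as revoked, or {@code null} for an empty CRL
     */
    private X509CRL generateServerCRL(RpcTLSUtils.TestCryptoMaterial material, java.math.BigInteger revokedSerial) throws Exception {
        return KeyStoreTestUtil.generateCRL(material.getServerCertificate(), material.getServerKeyPair().getPrivate(), signatureAlgorithm, null, revokedSerial);
    }

    /** Points MATERIAL_DIRECTORY at {@link #BASE_DIR} so server and client locate their stores. */
    private void mockMaterialDirectory() {
        RpcTLSUtils.MockEnvironmentVariables env = new RpcTLSUtils.MockEnvironmentVariables();
        env.setEnv("MATERIAL_DIRECTORY", BASE_DIR);
        EnvironmentVariablesFactory.setInstance(env);
    }

    /** Server builder shared by the RPC tests: one handler, two readers, no token secret manager. */
    private RPC.Builder newServerBuilder() {
        return TestRpcBase.newServerBuilder(this.conf).setNumHandlers(1).setSecretManager((SecretManager) null).setnumReaders(2);
    }

    /** Validator that reloads its CRL every second so the tests do not have to wait long. */
    private CRLValidator newFastReloadingValidator() throws Exception {
        CRLValidator validator = new CRLValidator(this.conf);
        validator.setReloadTimeunit(TimeUnit.SECONDS);
        validator.setReloadInterval(1L);
        return validator;
    }

    /** Stops the server and fetcher if they were started; either argument may be null. */
    private static void shutdown(Server server, RevocationListFetcherService fetcher) throws Exception {
        if (server != null) {
            server.stop();
        }
        if (fetcher != null) {
            fetcher.serviceStop();
        }
    }

    /**
     * Returns the first {@link RemoteException} in the cause chain of {@code t} (including
     * {@code t} itself), or {@code null} when there is none.
     */
    private static RemoteException findRemoteException(Throwable t) {
        for (Throwable cause = t; cause != null; cause = cause.getCause()) {
            if (cause instanceof RemoteException) {
                return (RemoteException) cause;
            }
        }
        return null;
    }

    /**
     * Writes {@code crl} PEM-encoded to {@code path}, truncating any existing file.
     *
     * @throws IOException if the file cannot be written
     */
    private void writeCRLToFile(X509CRL crl, Path path) throws IOException {
        try (FileWriter fileWriter = new FileWriter(path.toFile(), false);
             PEMWriter pemWriter = new PEMWriter(fileWriter)) {
            pemWriter.writeObject(crl);
            pemWriter.flush();
        }
    }

    /**
     * Enables CRL validation with a file-backed "remote" fetcher polling {@code inputCRL} every
     * second and writing its copy to {@code outputCRL}.
     */
    private void configureCRL(Configuration configuration, Path inputCRL, Path outputCRL) {
        configuration.setBoolean("hops.crl.validation.enabled", true);
        configuration.set("hops.crl.fetcher.class", "org.apache.hadoop.security.ssl.RemoteCRLFetcher");
        configuration.set("hops.crl.fetcher.interval", "1s");
        configuration.set("hops.crl.input.uri", "file://" + inputCRL.toString());
        configuration.set("hops.crl.output.file", outputCRL.toString());
    }

    /** Initialises and starts a fetcher service whose interval is interpreted in seconds. */
    private RevocationListFetcherService startCRLFetcherService(Configuration configuration) throws Exception {
        RevocationListFetcherService fetcher = new RevocationListFetcherService();
        fetcher.setIntervalTimeUnit(TimeUnit.SECONDS);
        fetcher.serviceInit(configuration);
        fetcher.serviceStart();
        return fetcher;
    }
}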
