package org.apache.hive.common.util;

import java.io.File;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyPair;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLSocket;
import org.apache.hadoop.hive.common.auth.HiveAuthUtils;
import org.apache.hadoop.hive.common.auth.TServerSocketFactory;
import org.apache.hadoop.hive.conf.HiveConf;
import org.apache.hadoop.security.ssl.FileBasedKeyStoresFactory;
import org.apache.hadoop.security.ssl.KeyStoreTestUtil;
import org.apache.hadoop.security.ssl.SSLFactory;
import org.apache.thrift.TException;
import org.apache.thrift.TProcessor;
import org.apache.thrift.TProcessorFactory;
import org.apache.thrift.protocol.TBinaryProtocol;
import org.apache.thrift.server.TThreadPoolServer;
import org.apache.thrift.transport.TServerSocket;
import org.apache.thrift.transport.TSocket;
import org.apache.thrift.transport.TTransport;
import org.apache.thrift.transport.TTransportException;
import org.apache.thrift.transport.TTransportFactory;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.ExpectedException;

/* loaded from: input_file:org/apache/hive/common/util/TestHopsTLSTSocketFactory.class */
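/**
 * Tests for the two-way-TLS Thrift server socket produced by {@link TServerSocketFactory}.
 *
 * <p>Each test starts a {@link TThreadPoolServer} on {@value #SERVER_PORT} whose key store and
 * trust store are generated under a test CA. The tests check that a client without a client
 * certificate is rejected, and that a server certificate rewritten on disk is picked up by the
 * configured key-store reload without restarting the server.
 */
public class TestHopsTLSTSocketFactory {
    /** Port the test Thrift server listens on; the client tests connect to it on {@link #SERVER_HOST}. */
    private static final int SERVER_PORT = 3245;
    private static final String SERVER_HOST = "localhost";
    /** Password shared by every key store and trust store this test creates. */
    private static final String PASSWORD = "11111";
    private static final String KEY_ALG = "RSA";
    private static final String SIGN_ALG = "SHA256withRSA";
    /** Validity passed to KeyStoreTestUtil (its certificate generators take a day count). */
    private static final int CERT_VALIDITY_DAYS = 42;
    /** Subject of the test CA certificate and the alias it is stored under in the trust stores. */
    private static final String CA_DN = "CN=CARoot";
    private static final String CA_ALIAS = "CARoot";
    /** Server-side key/trust store reload interval, in milliseconds. */
    private static final long RELOAD_INTERVAL_MS = 1000L;
    /** Fixed wait after starting the server thread, and after rewriting the server certificate. */
    private static final long SERVER_STARTUP_WAIT_MS = 1000L;
    /** Must exceed {@link #RELOAD_INTERVAL_MS} so the reloaded key store is in use before reconnecting. */
    private static final long RELOAD_WAIT_MS = 5000L;

    private Thread serverThread;
    private TThreadPoolServer server;
    private Path serverKeyStore;
    private Path serverTrustStore;
    private Path clientKeyStore;
    private Path clientTrustStore;
    /** Classpath directory the stores and ssl-server.xml are written to (see {@link #startServer()}). */
    private String outputDir;
    private X509Certificate caCert;
    private KeyPair caKeyPair;

    @Rule
    public final ExpectedException rule = ExpectedException.none();

    /** Processor factory whose processor reads one message header and reports success. */
    private static final class TestProcessorFactory extends TProcessorFactory {
        public TestProcessorFactory() {
            // The per-transport processor is built in getProcessor(); no shared processor is needed.
            super((TProcessor) null);
        }

        @Override
        public TProcessor getProcessor(TTransport transport) {
            return (in, out) -> {
                in.readMessageBegin();
                return true;
            };
        }
    }

    /**
     * Generates the CA, server and client material, writes the server SSL config to the classpath
     * directory, and starts a two-way-TLS Thrift server on a background thread.
     *
     * @throws Exception if key generation, store creation or server socket creation fails
     */
    @Before
    public void startServer() throws Exception {
        outputDir = KeyStoreTestUtil.getClasspathDir(TestHopsTLSTSocketFactory.class);
        caKeyPair = KeyStoreTestUtil.generateKeyPair(KEY_ALG);
        caCert = KeyStoreTestUtil.generateCertificate(CA_DN, caKeyPair, CERT_VALIDITY_DAYS, SIGN_ALG);
        generateServerCerts("first");
        generateClientCerts();

        // ssl-server.xml goes into the classpath directory so hiveConf.addResource() below can find it.
        KeyStoreTestUtil.saveConfig(
            new File(Paths.get(outputDir, "ssl-server.xml").toUri()),
            KeyStoreTestUtil.createServerSSLConfig(
                serverKeyStore.toString(), PASSWORD, PASSWORD, serverTrustStore.toString(), PASSWORD, ""));

        HiveConf hiveConf = new HiveConf();
        hiveConf.setBoolean("ipc.server.ssl.enabled", true);
        hiveConf.addResource("ssl-server.xml");
        // Short reload intervals so testCertificateReloading() sees the rewritten key store quickly.
        hiveConf.setLong(
            FileBasedKeyStoresFactory.resolvePropertyName(SSLFactory.Mode.SERVER, "ssl.{0}.keystore.reload.interval"),
            RELOAD_INTERVAL_MS);
        hiveConf.setLong(
            FileBasedKeyStoresFactory.resolvePropertyName(SSLFactory.Mode.SERVER, "ssl.{0}.truststore.reload.interval"),
            RELOAD_INTERVAL_MS);
        // NOTE(review): this also enables the legacy TLSv1.1/TLSv1 versions on the server; unless the
        // test intends to exercise them, "TLSv1.2" alone would be the safer setting.
        hiveConf.set("hadoop.ssl.enabled.protocols", "TLSv1.2,TLSv1.1,TLSv1");
        hiveConf.set("hadoop.ssl.hostname.verifier", "ALLOW_ALL");

        TServerSocket serverSocket = TServerSocketFactory.getServerSocket(
            hiveConf, TServerSocketFactory.TSocketType.TWOWAYTLS, (String) null, SERVER_PORT);
        // Build the server on the test thread: Thread.start() then publishes the field to the serving
        // thread, and stopServer() can read it without racing the background thread's assignment.
        server = new TThreadPoolServer(new TThreadPoolServer.Args(serverSocket)
            .processorFactory(new TestProcessorFactory())
            .transportFactory(new TTransportFactory())
            .protocolFactory(new TBinaryProtocol.Factory())
            .inputProtocolFactory(new TBinaryProtocol.Factory())
            .minWorkerThreads(1)
            .maxWorkerThreads(2));
        serverThread = new Thread(server::serve, "test-thrift-tls-server");
        serverThread.start();
        // Fixed wait for serve() to begin accepting; there is no readiness signal from TThreadPoolServer.
        Thread.sleep(SERVER_STARTUP_WAIT_MS);
    }

    /**
     * Stops the server and joins its thread. Both fields are null-checked because JUnit runs
     * {@code @After} even when {@link #startServer()} threw before assigning them.
     *
     * @throws Exception if joining the server thread is interrupted
     */
    @After
    public void stopServer() throws Exception {
        if (server != null) {
            server.stop();
        }
        if (serverThread != null) {
            serverThread.join();
        }
    }

    /**
     * A one-way TLS client (no client certificate) must be rejected by the two-way TLS server:
     * the failure surfaces as a {@link TTransportException} when the buffered write is flushed.
     */
    @Test
    public void testFailConnectionWithoutClientAuth() throws Exception {
        TTransport client = HiveAuthUtils.getTLSClientSocket(
            SERVER_HOST, SERVER_PORT, 0, clientTrustStore.toString(), PASSWORD);
        try {
            client.write("Some random bytes".getBytes(StandardCharsets.UTF_8));
            rule.expect(TTransportException.class);
            client.flush();
        } finally {
            // Always release the socket; the expected exception propagates through this finally.
            client.close();
        }
    }

    /**
     * Rewriting the server key store on disk must be picked up by the reload mechanism: the
     * certificate presented after the reload interval carries the new CN.
     */
    @Test
    public void testCertificateReloading() throws Exception {
        TTransport first = HiveAuthUtils.get2WayTLSClientSocket(
            SERVER_HOST, SERVER_PORT, 0, clientTrustStore.toString(), PASSWORD, clientKeyStore.toString(), PASSWORD);
        try {
            validateCN(first, "first");
        } finally {
            first.close();
        }

        generateServerCerts("second");
        Thread.sleep(RELOAD_WAIT_MS);

        TTransport second = HiveAuthUtils.get2WayTLSClientSocket(
            SERVER_HOST, SERVER_PORT, 0, clientTrustStore.toString(), PASSWORD, clientKeyStore.toString(), PASSWORD);
        try {
            validateCN(second, "second");
        } finally {
            second.close();
        }
    }

    /**
     * Asserts that the CN of the server certificate presented on {@code transport} equals
     * {@code expectedCN}.
     *
     * @param transport a connected {@link TSocket} wrapping an {@link SSLSocket}
     * @param expectedCN CN the peer's end-entity certificate must carry
     * @throws TException if no peer certificate is available or the subject has no leading CN
     * @throws Exception if the peer was not verified during the handshake
     */
    private static void validateCN(TTransport transport, String expectedCN) throws Exception {
        SSLSocket sslSocket = (SSLSocket) ((TSocket) transport).getSocket();
        // getPeerCertificates() replaces the deprecated getPeerCertificateChain(); it throws
        // SSLPeerUnverifiedException when the peer did not authenticate.
        Certificate[] chain = sslSocket.getSession().getPeerCertificates();
        if (chain.length == 0) {
            throw new TException("Missing certificates");
        }
        // chain[0] is the peer's own certificate; TLS sessions here are X.509, so the cast holds.
        String subject = ((X509Certificate) chain[0]).getSubjectX500Principal().getName();
        Assert.assertEquals(expectedCN, extractCN(subject));
    }

    /**
     * Returns the value of the first RDN of {@code subjectDN}, which the test certificates
     * generated here always make the CN.
     *
     * @throws TException if the first RDN is not of the form {@code name=value}
     */
    private static String extractCN(String subjectDN) throws TException {
        String[] firstRdn = subjectDN.split(",")[0].split("=", 2);
        if (firstRdn.length != 2) {
            throw new TException("Cannot authenticate the user: Unrecognized CN format");
        }
        return firstRdn[1];
    }

    /** Creates a CA-signed server certificate with subject {@code CN=cn} and (re)writes the server stores. */
    private void generateServerCerts(String cn) throws Exception {
        serverKeyStore = Paths.get(outputDir, "server.keystore.jks");
        serverTrustStore = Paths.get(outputDir, "server.truststore.jks");
        writeStores(cn, "server_alias", serverKeyStore, serverTrustStore);
    }

    /** Creates a CA-signed client certificate with subject {@code CN=client} and writes the client stores. */
    private void generateClientCerts() throws Exception {
        clientKeyStore = Paths.get(outputDir, "client.keystore.jks");
        clientTrustStore = Paths.get(outputDir, "client.truststore.jks");
        writeStores("client", "client_alias", clientKeyStore, clientTrustStore);
    }

    /**
     * Generates a key pair and CA-signed certificate for {@code cn}, stores them under
     * {@code alias} in {@code keyStore}, and writes the CA certificate to {@code trustStore}.
     *
     * @param cn CN placed in the certificate subject
     * @param alias key store alias for the private key entry
     * @param keyStore path of the JKS key store to create or overwrite
     * @param trustStore path of the JKS trust store to create or overwrite
     */
    private void writeStores(String cn, String alias, Path keyStore, Path trustStore) throws Exception {
        KeyPair keyPair = KeyStoreTestUtil.generateKeyPair(KEY_ALG);
        X509Certificate cert = KeyStoreTestUtil.generateSignedCertificate(
            "CN=" + cn, keyPair, CERT_VALIDITY_DAYS, SIGN_ALG, caKeyPair.getPrivate(), caCert);
        KeyStoreTestUtil.createKeyStore(keyStore.toString(), PASSWORD, PASSWORD, alias, keyPair.getPrivate(), cert);
        KeyStoreTestUtil.createTrustStore(trustStore.toString(), PASSWORD, CA_ALIAS, caCert);
    }
}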
