package org.apache.bookkeeper.tls;

import java.io.File;
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;
import org.apache.bookkeeper.auth.AuthCallbacks;
import org.apache.bookkeeper.auth.AuthToken;
import org.apache.bookkeeper.auth.BookieAuthProvider;
import org.apache.bookkeeper.auth.ClientAuthProvider;
import org.apache.bookkeeper.client.BKException;
import org.apache.bookkeeper.client.BookKeeper;
import org.apache.bookkeeper.client.BookKeeperAdmin;
import org.apache.bookkeeper.client.BookKeeperTestClient;
import org.apache.bookkeeper.client.LedgerEntry;
import org.apache.bookkeeper.client.LedgerHandle;
import org.apache.bookkeeper.client.api.LedgerMetadata;
import org.apache.bookkeeper.conf.ClientConfiguration;
import org.apache.bookkeeper.conf.ServerConfiguration;
import org.apache.bookkeeper.net.BookieId;
import org.apache.bookkeeper.proto.BookieConnectionPeer;
import org.apache.bookkeeper.proto.BookieServer;
import org.apache.bookkeeper.proto.ClientConnectionPeer;
import org.apache.bookkeeper.proto.TestPerChannelBookieClient;
import org.apache.bookkeeper.test.BookKeeperClusterTestCase;
import org.apache.bookkeeper.test.TestStatsProvider;
import org.apache.bookkeeper.tls.TLSContextFactory;
import org.apache.bookkeeper.util.IOUtils;
import org.apache.commons.io.FileUtils;
import org.junit.After;
import org.junit.Assert;
import org.junit.Assume;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.Parameterized;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@RunWith(Parameterized.class)
/* loaded from: input_file:org/apache/bookkeeper/tls/TestTLS.class */
public class TestTLS extends BookKeeperClusterTestCase {
    private static final Logger LOG = LoggerFactory.getLogger(TestPerChannelBookieClient.class);
    private static boolean secureClientSideChannel = false;
    private static Collection<Object> secureClientSideChannelPrincipals = null;
    private static boolean secureBookieSideChannel = false;
    private static Collection<Object> secureBookieSideChannelPrincipals = null;
    private TLSContextFactory.KeyStoreType clientKeyStoreFormat;
    private TLSContextFactory.KeyStoreType clientTrustStoreFormat;
    private TLSContextFactory.KeyStoreType serverKeyStoreFormat;
    private TLSContextFactory.KeyStoreType serverTrustStoreFormat;
    private final boolean useV2Protocol;

    /* renamed from: org.apache.bookkeeper.tls.TestTLS$1, reason: invalid class name */
    /* loaded from: input_file:org/apache/bookkeeper/tls/TestTLS$1.class */
    static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$apache$bookkeeper$tls$TLSContextFactory$KeyStoreType = new int[TLSContextFactory.KeyStoreType.values().length];

        static {
            try {
                $SwitchMap$org$apache$bookkeeper$tls$TLSContextFactory$KeyStoreType[TLSContextFactory.KeyStoreType.PEM.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$apache$bookkeeper$tls$TLSContextFactory$KeyStoreType[TLSContextFactory.KeyStoreType.JKS.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$apache$bookkeeper$tls$TLSContextFactory$KeyStoreType[TLSContextFactory.KeyStoreType.PKCS12.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
        }
    }

    /* loaded from: input_file:org/apache/bookkeeper/tls/TestTLS$AllowOnlyBookiesWithX509Certificates.class */
    private static class AllowOnlyBookiesWithX509Certificates implements ClientAuthProvider.Factory {
        private AllowOnlyBookiesWithX509Certificates() {
        }

        public String getPluginName() {
            return "tls";
        }

        public void init(ClientConfiguration clientConfiguration) {
        }

        public ClientAuthProvider newProvider(final ClientConnectionPeer clientConnectionPeer, AuthCallbacks.GenericCallback<Void> genericCallback) {
            return new ClientAuthProvider() { // from class: org.apache.bookkeeper.tls.TestTLS.AllowOnlyBookiesWithX509Certificates.1
                AuthCallbacks.GenericCallback<AuthToken> completeCallback;

                public void init(AuthCallbacks.GenericCallback<AuthToken> genericCallback2) {
                    this.completeCallback = genericCallback2;
                }

                public void onProtocolUpgrade() {
                    boolean unused = TestTLS.secureClientSideChannel = clientConnectionPeer.isSecure();
                    Collection unused2 = TestTLS.secureClientSideChannelPrincipals = clientConnectionPeer.getProtocolPrincipals();
                    Collection protocolPrincipals = clientConnectionPeer.getProtocolPrincipals();
                    if (!clientConnectionPeer.isSecure() || protocolPrincipals.isEmpty()) {
                        this.completeCallback.operationComplete(-102, AuthToken.NULL);
                    } else {
                        Assert.assertTrue(protocolPrincipals.iterator().next() instanceof X509Certificate);
                        this.completeCallback.operationComplete(0, AuthToken.NULL);
                    }
                }

                public void process(AuthToken authToken, AuthCallbacks.GenericCallback<AuthToken> genericCallback2) {
                }
            };
        }
    }

    /* loaded from: input_file:org/apache/bookkeeper/tls/TestTLS$AllowOnlyClientsWithX509Certificates.class */
    private static class AllowOnlyClientsWithX509Certificates implements BookieAuthProvider.Factory {
        private AllowOnlyClientsWithX509Certificates() {
        }

        public String getPluginName() {
            return "tls";
        }

        public void init(ServerConfiguration serverConfiguration) throws IOException {
        }

        public BookieAuthProvider newProvider(final BookieConnectionPeer bookieConnectionPeer, final AuthCallbacks.GenericCallback<Void> genericCallback) {
            return new BookieAuthProvider() { // from class: org.apache.bookkeeper.tls.TestTLS.AllowOnlyClientsWithX509Certificates.1
                AuthCallbacks.GenericCallback<Void> completeCallback;

                {
                    this.completeCallback = genericCallback;
                }

                public void onProtocolUpgrade() {
                    boolean unused = TestTLS.secureBookieSideChannel = bookieConnectionPeer.isSecure();
                    Collection unused2 = TestTLS.secureBookieSideChannelPrincipals = bookieConnectionPeer.getProtocolPrincipals();
                    Collection protocolPrincipals = bookieConnectionPeer.getProtocolPrincipals();
                    if (!bookieConnectionPeer.isSecure() || protocolPrincipals.isEmpty()) {
                        this.completeCallback.operationComplete(-102, (Object) null);
                    } else {
                        Assert.assertTrue(protocolPrincipals.iterator().next() instanceof X509Certificate);
                        this.completeCallback.operationComplete(0, (Object) null);
                    }
                }

                public void process(AuthToken authToken, AuthCallbacks.GenericCallback<AuthToken> genericCallback2) {
                }
            };
        }
    }

    @Parameterized.Parameters
    public static Collection<Object[]> data() {
        return Arrays.asList(new Object[]{"JKS", "JKS", false}, new Object[]{"PEM", "PEM", false}, new Object[]{"PEM", "PEM", true}, new Object[]{"PKCS12", "PKCS12", false}, new Object[]{"JKS", "PEM", false}, new Object[]{"PEM", "PKCS12", false}, new Object[]{"PKCS12", "JKS", false});
    }

    public TestTLS(String str, String str2, boolean z) {
        super(3);
        this.clientKeyStoreFormat = TLSContextFactory.KeyStoreType.valueOf(str);
        this.clientTrustStoreFormat = TLSContextFactory.KeyStoreType.valueOf(str2);
        this.serverKeyStoreFormat = TLSContextFactory.KeyStoreType.valueOf(str);
        this.serverTrustStoreFormat = TLSContextFactory.KeyStoreType.valueOf(str2);
        this.useV2Protocol = z;
    }

    private String getResourcePath(String str) throws Exception {
        return getClass().getClassLoader().getResource(str).toURI().getPath();
    }

    @Override // org.apache.bookkeeper.test.BookKeeperClusterTestCase
    @Before
    public void setUp() throws Exception {
        this.baseClientConf.setTLSProviderFactoryClass(TLSContextFactory.class.getName());
        this.baseClientConf.setTLSClientAuthentication(true);
        this.baseClientConf.setUseV2WireProtocol(this.useV2Protocol);
        switch (AnonymousClass1.$SwitchMap$org$apache$bookkeeper$tls$TLSContextFactory$KeyStoreType[this.clientKeyStoreFormat.ordinal()]) {
            case 1:
                this.baseClientConf.setTLSKeyStoreType("PEM");
                this.baseClientConf.setTLSKeyStore(getResourcePath("client-key.pem"));
                this.baseClientConf.setTLSCertificatePath(getResourcePath("client-cert.pem"));
                break;
            case 2:
                this.baseClientConf.setTLSKeyStoreType("JKS");
                this.baseClientConf.setTLSKeyStore(getResourcePath("client-key.jks"));
                this.baseClientConf.setTLSKeyStorePasswordPath(getResourcePath("keyStoreClientPassword.txt"));
                break;
            case 3:
                this.baseClientConf.setTLSKeyStoreType("PKCS12");
                this.baseClientConf.setTLSKeyStore(getResourcePath("client-key.p12"));
                this.baseClientConf.setTLSKeyStorePasswordPath(getResourcePath("keyStoreClientPassword.txt"));
                break;
            default:
                throw new Exception("Invalid client keystore format" + this.clientKeyStoreFormat);
        }
        switch (AnonymousClass1.$SwitchMap$org$apache$bookkeeper$tls$TLSContextFactory$KeyStoreType[this.clientTrustStoreFormat.ordinal()]) {
            case 1:
                this.baseClientConf.setTLSTrustStoreType("PEM");
                this.baseClientConf.setTLSTrustStore(getResourcePath("server-cert.pem"));
                break;
            case 2:
                this.baseClientConf.setTLSTrustStoreType("JKS");
                this.baseClientConf.setTLSTrustStore(getResourcePath("server-key.jks"));
                this.baseClientConf.setTLSTrustStorePasswordPath(getResourcePath("keyStoreServerPassword.txt"));
                break;
            case 3:
                this.baseClientConf.setTLSTrustStoreType("PKCS12");
                this.baseClientConf.setTLSTrustStore(getResourcePath("server-key.p12"));
                this.baseClientConf.setTLSTrustStorePasswordPath(getResourcePath("keyStoreServerPassword.txt"));
                break;
            default:
                throw new Exception("Invalid client keystore format" + this.clientTrustStoreFormat);
        }
        this.baseConf.setTLSProviderFactoryClass(TLSContextFactory.class.getName());
        this.baseConf.setTLSClientAuthentication(true);
        switch (AnonymousClass1.$SwitchMap$org$apache$bookkeeper$tls$TLSContextFactory$KeyStoreType[this.serverKeyStoreFormat.ordinal()]) {
            case 1:
                this.baseConf.setTLSKeyStoreType("PEM");
                this.baseConf.setTLSKeyStore(getResourcePath("server-key.pem"));
                this.baseConf.setTLSCertificatePath(getResourcePath("server-cert.pem"));
                break;
            case 2:
                this.baseConf.setTLSKeyStoreType("JKS");
                this.baseConf.setTLSKeyStore(getResourcePath("server-key.jks"));
                this.baseConf.setTLSKeyStorePasswordPath(getResourcePath("keyStoreServerPassword.txt"));
                break;
            case 3:
                this.baseConf.setTLSKeyStoreType("PKCS12");
                this.baseConf.setTLSKeyStore(getResourcePath("server-key.p12"));
                this.baseConf.setTLSKeyStorePasswordPath(getResourcePath("keyStoreServerPassword.txt"));
                break;
            default:
                throw new Exception("Invalid server keystore format" + this.serverKeyStoreFormat);
        }
        switch (AnonymousClass1.$SwitchMap$org$apache$bookkeeper$tls$TLSContextFactory$KeyStoreType[this.serverTrustStoreFormat.ordinal()]) {
            case 1:
                this.baseConf.setTLSTrustStoreType("PEM");
                this.baseConf.setTLSTrustStore(getResourcePath("client-cert.pem"));
                break;
            case 2:
                this.baseConf.setTLSTrustStoreType("JKS");
                this.baseConf.setTLSTrustStore(getResourcePath("client-key.jks"));
                this.baseConf.setTLSTrustStorePasswordPath(getResourcePath("keyStoreClientPassword.txt"));
                break;
            case 3:
                this.baseConf.setTLSTrustStoreType("PKCS12");
                this.baseConf.setTLSTrustStore(getResourcePath("client-key.p12"));
                this.baseConf.setTLSTrustStorePasswordPath(getResourcePath("keyStoreClientPassword.txt"));
                break;
            default:
                throw new Exception("Invalid server keystore format" + this.serverTrustStoreFormat);
        }
        super.setUp();
    }

    @Override // org.apache.bookkeeper.test.BookKeeperClusterTestCase
    @After
    public void tearDown() throws Exception {
        super.tearDown();
    }

    @Test
    public void testGetBouncyCastleProviderName() throws Exception {
        Assert.assertEquals(TLSContextFactory.getProvider().getName(), "BCFIPS");
    }

    @Test
    public void testStartTLSServerNoKeyStore() throws Exception {
        try {
            this.bs.add(startBookie(newServerConfiguration().setTLSKeyStore((String) null)));
            Assert.fail("Shouldn't have been able to start");
        } catch (SecurityException e) {
            Assert.assertTrue(true);
        }
    }

    @Test
    public void testKeyMismatchFailure() throws Exception {
        Assume.assumeTrue(this.serverKeyStoreFormat == TLSContextFactory.KeyStoreType.PEM);
        ClientConfiguration clientConfiguration = new ClientConfiguration(this.baseClientConf);
        ServerConfiguration tLSCertificatePath = this.bsConfs.get(0).setTLSCertificatePath(getResourcePath("client-cert.pem"));
        killBookie(0);
        LOG.info("Sleeping for 1s before restarting bookie with bad cert");
        Thread.sleep(1000L);
        this.bs.add(startBookie(tLSCertificatePath));
        this.bsConfs.add(tLSCertificatePath);
        BookKeeper bookKeeper = new BookKeeper(clientConfiguration);
        byte[] bytes = "testPassword".getBytes();
        byte[] bytes2 = "testEntry".getBytes();
        try {
            LedgerHandle createLedger = bookKeeper.createLedger(this.numBookies, this.numBookies, BookKeeper.DigestType.CRC32, bytes);
            for (int i = 0; i <= 2; i++) {
                try {
                    createLedger.addEntry(bytes2);
                } finally {
                }
            }
            Assert.fail("Should have failed with not enough bookies to write");
            if (createLedger != null) {
                createLedger.close();
            }
        } catch (BKException.BKNotEnoughBookiesException e) {
        }
    }

    @Test
    public void testStartTLSServerBadPassword() throws Exception {
        try {
            this.bs.add(startBookie(newServerConfiguration().setTLSKeyStorePasswordPath("badpassword")));
            Assert.fail("Shouldn't have been able to start");
        } catch (SecurityException e) {
            Assert.assertTrue(true);
        }
    }

    private LedgerMetadata testClient(BookKeeper bookKeeper, int i) throws Exception {
        byte[] bytes = "testPassword".getBytes();
        byte[] bytes2 = "testEntry".getBytes();
        LedgerHandle createLedger = bookKeeper.createLedger(i, i, BookKeeper.DigestType.CRC32, bytes);
        for (int i2 = 0; i2 <= 100; i2++) {
            try {
                createLedger.addEntry(bytes2);
            } catch (Throwable th) {
                if (createLedger != null) {
                    try {
                        createLedger.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        }
        long id = createLedger.getId();
        if (createLedger != null) {
            createLedger.close();
        }
        LedgerHandle openLedger = bookKeeper.openLedger(id, BookKeeper.DigestType.CRC32, bytes);
        try {
            Enumeration readEntries = openLedger.readEntries(0L, 100);
            while (readEntries.hasMoreElements()) {
                Assert.assertTrue("Entry contents incorrect", Arrays.equals(((LedgerEntry) readEntries.nextElement()).getEntry(), bytes2));
            }
            LedgerMetadata ledgerMetadata = new BookKeeperAdmin(bookKeeper, this.baseClientConf).getLedgerMetadata(openLedger);
            if (openLedger != null) {
                openLedger.close();
            }
            return ledgerMetadata;
        } catch (Throwable th3) {
            if (openLedger != null) {
                try {
                    openLedger.close();
                } catch (Throwable th4) {
                    th3.addSuppressed(th4);
                }
            }
            throw th3;
        }
    }

    private LedgerMetadata testClient(ClientConfiguration clientConfiguration, int i) throws Exception {
        BookKeeper bookKeeper = new BookKeeper(clientConfiguration);
        try {
            LedgerMetadata testClient = testClient(bookKeeper, i);
            bookKeeper.close();
            return testClient;
        } catch (Throwable th) {
            try {
                bookKeeper.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    @Test
    public void testConnectToTLSClusterTLSClient() throws Exception {
        testClient(new ClientConfiguration(this.baseClientConf), this.numBookies);
    }

    @Test
    public void testConnectToLocalTLSClusterTLSClient() throws Exception {
        if (this.useV2Protocol) {
            return;
        }
        ServerConfiguration serverConfiguration = new ServerConfiguration();
        for (ServerConfiguration serverConfiguration2 : this.bsConfs) {
            serverConfiguration2.setDisableServerSocketBind(true);
            serverConfiguration2.setEnableLocalTransport(true);
        }
        restartBookies(serverConfiguration);
        testClient(new ClientConfiguration(this.baseClientConf), this.numBookies);
    }

    @Test
    public void testRefreshDurationForBookieCerts() throws Exception {
        Assume.assumeTrue(this.serverKeyStoreFormat == TLSContextFactory.KeyStoreType.PEM);
        ServerConfiguration serverConfiguration = new ServerConfiguration();
        String tLSKeyStore = this.bsConfs.get(0).getTLSKeyStore();
        String resourcePath = getResourcePath("client-key.pem");
        File file = new File(tLSKeyStore);
        File createTempFileAndDeleteOnExit = IOUtils.createTempFileAndDeleteOnExit(tLSKeyStore, "refresh");
        createTempFileAndDeleteOnExit.deleteOnExit();
        FileUtils.copyFile(new File(resourcePath), createTempFileAndDeleteOnExit);
        for (ServerConfiguration serverConfiguration2 : this.bsConfs) {
            serverConfiguration2.setTLSCertFilesRefreshDurationSeconds(1L);
            serverConfiguration2.setTLSKeyStore(createTempFileAndDeleteOnExit.getAbsolutePath());
        }
        restartBookies(serverConfiguration);
        ClientConfiguration clientConfiguration = new ClientConfiguration(this.baseClientConf);
        try {
            testClient(clientConfiguration, this.numBookies);
            Assert.fail("Should have fail due to invalid cert");
        } catch (Exception e) {
        }
        Thread.sleep((1 * 1000) + 1000);
        FileUtils.copyFile(file, createTempFileAndDeleteOnExit);
        createTempFileAndDeleteOnExit.setLastModified(System.currentTimeMillis() + 1000);
        testClient(clientConfiguration, this.numBookies);
        createTempFileAndDeleteOnExit.delete();
    }

    @Test
    public void testRefreshDurationForBookkeeperClientCerts() throws Exception {
        Assume.assumeTrue(this.serverKeyStoreFormat == TLSContextFactory.KeyStoreType.PEM);
        ClientConfiguration clientConfiguration = new ClientConfiguration(this.baseClientConf);
        String tLSCertificatePath = this.baseClientConf.getTLSCertificatePath();
        String resourcePath = getResourcePath("server-cert.pem");
        File file = new File(tLSCertificatePath);
        File createTempFileAndDeleteOnExit = IOUtils.createTempFileAndDeleteOnExit(tLSCertificatePath, "refresh");
        createTempFileAndDeleteOnExit.deleteOnExit();
        FileUtils.copyFile(new File(resourcePath), createTempFileAndDeleteOnExit);
        clientConfiguration.setTLSCertFilesRefreshDurationSeconds(1L);
        clientConfiguration.setTLSCertificatePath(createTempFileAndDeleteOnExit.getAbsolutePath());
        BookKeeper bookKeeper = new BookKeeper(clientConfiguration);
        try {
            byte[] bytes = "testEntry".getBytes();
            byte[] bytes2 = "testPassword".getBytes();
            CountDownLatch countDownLatch = new CountDownLatch(1);
            AtomicInteger atomicInteger = new AtomicInteger(-1);
            LedgerHandle createLedger = bookKeeper.createLedger(1, 1, BookKeeper.DigestType.CRC32, bytes2);
            for (int i = 0; i <= 1; i++) {
                createLedger.asyncAddEntry(bytes, (i2, ledgerHandle, j, obj) -> {
                    atomicInteger.set(i2);
                    countDownLatch.countDown();
                }, (Object) null);
            }
            countDownLatch.await(1L, TimeUnit.SECONDS);
            Assert.assertNotEquals(atomicInteger.get(), 0L);
            Thread.sleep((2 * 1000) + 1000);
            FileUtils.copyFile(file, createTempFileAndDeleteOnExit);
            createTempFileAndDeleteOnExit.setLastModified(System.currentTimeMillis() + 1000);
            CountDownLatch countDownLatch2 = new CountDownLatch(1);
            AtomicInteger atomicInteger2 = new AtomicInteger(-1);
            LedgerHandle createLedger2 = bookKeeper.createLedger(1, 1, BookKeeper.DigestType.CRC32, bytes2);
            for (int i3 = 0; i3 <= 1; i3++) {
                createLedger2.asyncAddEntry(bytes, (i4, ledgerHandle2, j2, obj2) -> {
                    atomicInteger2.set(i4);
                    countDownLatch2.countDown();
                }, (Object) null);
            }
            countDownLatch2.await(1L, TimeUnit.SECONDS);
            Assert.assertEquals(atomicInteger2.get(), 0L);
            createTempFileAndDeleteOnExit.delete();
            bookKeeper.close();
        } catch (Throwable th) {
            try {
                bookKeeper.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    @Test
    public void testConnectToTLSClusterMixedClient() throws Exception {
        testClient(new ClientConfiguration(this.baseClientConf), this.numBookies);
        ClientConfiguration clientConfiguration = new ClientConfiguration(this.baseClientConf);
        clientConfiguration.setTLSProviderFactoryClass((String) null);
        testClient(clientConfiguration, this.numBookies);
    }

    @Test
    public void testConnectToTLSClusterTLSClientWithTLSNoAuthentication() throws Exception {
        ServerConfiguration serverConfiguration = new ServerConfiguration(this.baseConf);
        serverConfiguration.setTLSClientAuthentication(false);
        restartBookies(serverConfiguration);
        testClient(new ClientConfiguration(this.baseClientConf), this.numBookies);
    }

    @Test
    public void testConnectToTLSClusterTLSClientWithAuthentication() throws Exception {
        try {
            testClient(new ClientConfiguration(this.baseClientConf), this.numBookies);
        } catch (BKException.BKNotEnoughBookiesException e) {
            Assert.fail("Client should be able to connect to bookie");
        }
    }

    @Test
    public void testConnectToTLSClusterNonTLSClient() throws Exception {
        ClientConfiguration clientConfiguration = new ClientConfiguration(this.baseClientConf);
        clientConfiguration.setTLSProviderFactoryClass((String) null);
        try {
            testClient(clientConfiguration, this.numBookies);
        } catch (BKException.BKNotEnoughBookiesException e) {
            Assert.fail("non tls client should be able to connect to tls enabled bookies");
        }
    }

    @Test
    public void testClientWantsTLSNoServersHaveIt() throws Exception {
        ServerConfiguration serverConfiguration = new ServerConfiguration();
        Iterator<ServerConfiguration> it = this.bsConfs.iterator();
        while (it.hasNext()) {
            it.next().setTLSProviderFactoryClass((String) null);
        }
        restartBookies(serverConfiguration);
        try {
            testClient(new ClientConfiguration(this.baseClientConf), this.numBookies);
            Assert.fail("Shouldn't be able to connect");
        } catch (BKException.BKNotEnoughBookiesException e) {
        }
    }

    @Test
    public void testTLSClientButOnlyFewTLSServers() throws Exception {
        ServerConfiguration serverConfiguration = new ServerConfiguration();
        Iterator<ServerConfiguration> it = this.bsConfs.iterator();
        while (it.hasNext()) {
            it.next().setTLSProviderFactoryClass((String) null);
        }
        restartBookies(serverConfiguration);
        this.baseConf.setTLSProviderFactoryClass(TLSContextFactory.class.getName());
        HashSet hashSet = new HashSet();
        hashSet.add(Integer.valueOf(startNewBookie()));
        hashSet.add(Integer.valueOf(startNewBookie()));
        ClientConfiguration clientConfiguration = new ClientConfiguration(this.baseClientConf);
        LedgerMetadata testClient = testClient(clientConfiguration, 2);
        Assert.assertTrue(testClient.getAllEnsembles().size() > 0);
        Collection values = testClient.getAllEnsembles().values();
        BookKeeper bookKeeper = new BookKeeper(clientConfiguration);
        try {
            Iterator it2 = values.iterator();
            while (it2.hasNext()) {
                Iterator it3 = ((List) it2.next()).iterator();
                while (it3.hasNext()) {
                    Assert.assertTrue(hashSet.contains(Integer.valueOf(bookKeeper.getBookieAddressResolver().resolve((BookieId) it3.next()).getPort())));
                }
            }
            bookKeeper.close();
        } catch (Throwable th) {
            try {
                bookKeeper.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    @Test
    public void testClientAuthPlugin() throws Exception {
        secureClientSideChannel = false;
        secureClientSideChannelPrincipals = null;
        ClientConfiguration clientConfiguration = new ClientConfiguration(this.baseClientConf);
        clientConfiguration.setClientAuthProviderFactoryClass(AllowOnlyBookiesWithX509Certificates.class.getName());
        testClient(clientConfiguration, this.numBookies);
        Assert.assertTrue(secureClientSideChannel);
        Assert.assertNotNull(secureClientSideChannelPrincipals);
        Assert.assertTrue(!secureClientSideChannelPrincipals.isEmpty());
        Assert.assertTrue(secureClientSideChannelPrincipals.iterator().next() instanceof Certificate);
        Assert.assertTrue(((Certificate) secureClientSideChannelPrincipals.iterator().next()) instanceof X509Certificate);
    }

    @Test
    public void testBookieAuthPluginRequireClientTLSAuthentication() throws Exception {
        ServerConfiguration serverConfiguration = new ServerConfiguration(this.baseConf);
        serverConfiguration.setBookieAuthProviderFactoryClass(AllowOnlyClientsWithX509Certificates.class.getName());
        restartBookies(serverConfiguration);
        secureBookieSideChannel = false;
        secureBookieSideChannelPrincipals = null;
        testClient(new ClientConfiguration(this.baseClientConf), this.numBookies);
        Assert.assertTrue(secureBookieSideChannel);
        Assert.assertNotNull(secureBookieSideChannelPrincipals);
        Assert.assertTrue(!secureBookieSideChannelPrincipals.isEmpty());
        Assert.assertTrue(secureBookieSideChannelPrincipals.iterator().next() instanceof Certificate);
        Assert.assertTrue(((Certificate) secureBookieSideChannelPrincipals.iterator().next()) instanceof X509Certificate);
    }

    @Test
    public void testBookieAuthPluginRequireClientTLSAuthenticationLocal() throws Exception {
        if (this.useV2Protocol) {
            return;
        }
        ServerConfiguration serverConfiguration = new ServerConfiguration(this.baseConf);
        serverConfiguration.setBookieAuthProviderFactoryClass(AllowOnlyClientsWithX509Certificates.class.getName());
        serverConfiguration.setDisableServerSocketBind(true);
        serverConfiguration.setEnableLocalTransport(true);
        restartBookies(serverConfiguration);
        secureBookieSideChannel = false;
        secureBookieSideChannelPrincipals = null;
        testClient(new ClientConfiguration(this.baseClientConf), this.numBookies);
        Assert.assertTrue(secureBookieSideChannel);
        Assert.assertNotNull(secureBookieSideChannelPrincipals);
        Assert.assertTrue(!secureBookieSideChannelPrincipals.isEmpty());
        Assert.assertTrue(secureBookieSideChannelPrincipals.iterator().next() instanceof Certificate);
        Assert.assertTrue(((Certificate) secureBookieSideChannelPrincipals.iterator().next()) instanceof X509Certificate);
    }

    @Test
    public void testRoleBasedAuthZInCertificate() throws Exception {
        ServerConfiguration serverConfiguration = new ServerConfiguration(this.baseConf);
        serverConfiguration.setBookieAuthProviderFactoryClass(BookieAuthZFactory.class.getCanonicalName());
        serverConfiguration.setAuthorizedRoles("testRole,testRole1");
        restartBookies(serverConfiguration);
        try {
            testClient(new ClientConfiguration(this.baseClientConf), this.numBookies);
        } catch (BKException.BKUnauthorizedAccessException e) {
            Assert.fail("Could not verify given role.");
        }
    }

    @Test
    public void testBookieAuthPluginDenyAccesstoClientWithoutTLSAuthentication() throws Exception {
        ServerConfiguration serverConfiguration = new ServerConfiguration(this.baseConf);
        serverConfiguration.setTLSClientAuthentication(false);
        serverConfiguration.setBookieAuthProviderFactoryClass(AllowOnlyClientsWithX509Certificates.class.getName());
        restartBookies(serverConfiguration);
        secureBookieSideChannel = false;
        secureBookieSideChannelPrincipals = null;
        ClientConfiguration clientConfiguration = new ClientConfiguration(this.baseClientConf);
        clientConfiguration.setTLSClientAuthentication(false);
        try {
            testClient(clientConfiguration, this.numBookies);
            Assert.fail("Shouldn't be able to connect");
        } catch (BKException.BKUnauthorizedAccessException e) {
        } catch (BKException.BKNotEnoughBookiesException e2) {
            if (!this.useV2Protocol) {
                Assert.fail("Unexpected exception occurred.");
            }
        }
        Assert.assertTrue(secureBookieSideChannel);
        Assert.assertNotNull(secureBookieSideChannelPrincipals);
        Assert.assertTrue(secureBookieSideChannelPrincipals.isEmpty());
    }

    @Test
    public void testBookieAuthPluginDenyAccessToClientWithoutTLSAuthenticationLocal() throws Exception {
        ServerConfiguration serverConfiguration = new ServerConfiguration(this.baseConf);
        serverConfiguration.setTLSClientAuthentication(false);
        serverConfiguration.setBookieAuthProviderFactoryClass(AllowOnlyClientsWithX509Certificates.class.getName());
        serverConfiguration.setDisableServerSocketBind(true);
        serverConfiguration.setEnableLocalTransport(true);
        restartBookies(serverConfiguration);
        secureBookieSideChannel = false;
        secureBookieSideChannelPrincipals = null;
        ClientConfiguration clientConfiguration = new ClientConfiguration(this.baseClientConf);
        clientConfiguration.setTLSClientAuthentication(false);
        try {
            testClient(clientConfiguration, this.numBookies);
            Assert.fail("Shouldn't be able to connect");
        } catch (BKException.BKUnauthorizedAccessException e) {
        } catch (BKException.BKNotEnoughBookiesException e2) {
            if (!this.useV2Protocol) {
                Assert.fail("Unexpected exception occurred.");
            }
        }
        Assert.assertTrue(secureBookieSideChannel);
        Assert.assertNotNull(secureBookieSideChannelPrincipals);
        Assert.assertTrue(secureBookieSideChannelPrincipals.isEmpty());
    }

    @Test
    public void testBookieAuthPluginDenyAccessToClientWithoutTLS() throws Exception {
        ServerConfiguration serverConfiguration = new ServerConfiguration(this.baseConf);
        serverConfiguration.setBookieAuthProviderFactoryClass(AllowOnlyClientsWithX509Certificates.class.getName());
        restartBookies(serverConfiguration);
        secureBookieSideChannel = false;
        secureBookieSideChannelPrincipals = null;
        ClientConfiguration clientConfiguration = new ClientConfiguration(this.baseClientConf);
        clientConfiguration.setTLSProviderFactoryClass((String) null);
        try {
            testClient(clientConfiguration, this.numBookies);
            Assert.fail("Shouldn't be able to connect");
        } catch (BKException.BKUnauthorizedAccessException e) {
        }
        Assert.assertFalse(secureBookieSideChannel);
        Assert.assertNull(secureBookieSideChannelPrincipals);
    }

    @Test
    public void testMixedCluster() throws Exception {
        ClientConfiguration clientConfiguration = new ClientConfiguration(this.baseClientConf);
        int i = this.numBookies;
        ServerConfiguration newServerConfiguration = newServerConfiguration();
        newServerConfiguration.setTLSProviderFactoryClass(TLSContextFactory.class.getName());
        this.bs.add(startBookie(newServerConfiguration));
        testClient(clientConfiguration, i + 1);
    }

    @Test
    public void testHungServer() throws Exception {
        ClientConfiguration clientConfiguration = new ClientConfiguration(this.baseClientConf);
        CountDownLatch countDownLatch = new CountDownLatch(1);
        sleepBookie(getBookie(0), countDownLatch);
        try {
            testClient(clientConfiguration, this.numBookies);
            Assert.fail("Shouldn't be able to connect");
        } catch (BKException.BKNotEnoughBookiesException e) {
        }
        LOG.info("latch countdown");
        countDownLatch.countDown();
    }

    @Test
    public void testTLSChannelCounters() throws Exception {
        ClientConfiguration numChannelsPerBookie = new ClientConfiguration(this.baseClientConf).setNumChannelsPerBookie(1);
        ClientConfiguration tLSProviderFactoryClass = new ClientConfiguration(this.baseClientConf).setNumChannelsPerBookie(1).setTLSProviderFactoryClass((String) null);
        TestStatsProvider testStatsProvider = new TestStatsProvider();
        TestStatsProvider testStatsProvider2 = new TestStatsProvider();
        BookKeeperTestClient bookKeeperTestClient = new BookKeeperTestClient(numChannelsPerBookie, testStatsProvider);
        BookKeeperTestClient bookKeeperTestClient2 = new BookKeeperTestClient(tLSProviderFactoryClass, testStatsProvider2);
        testClient(bookKeeperTestClient, this.numBookies);
        testClient(bookKeeperTestClient2, this.numBookies);
        for (int i = 0; i < this.numBookies; i++) {
            BookieServer bookieServer = this.bs.get(i);
            StringBuilder append = new StringBuilder("per_channel_bookie_client").append(".").append("bookie_").append(bookieServer.getBookieId().toString().replace('.', '_').replace('-', '_').replace(":", "_")).append(".");
            Assert.assertEquals("Mismatch TLS channel count", 1L, bookKeeperTestClient.getTestStatsProvider().getCounter(append.toString() + "ACTIVE_TLS_CHANNEL_COUNTER").get().longValue());
            Assert.assertEquals("TLS handshake failure unexpected", 0L, bookKeeperTestClient.getTestStatsProvider().getCounter(append.toString() + "FAILED_TLS_HANDSHAKE_COUNTER").get().longValue());
            Assert.assertEquals("Mismatch non-TLS channel count", 0L, bookKeeperTestClient.getTestStatsProvider().getCounter(append.toString() + "ACTIVE_NON_TLS_CHANNEL_COUNTER").get().longValue());
            Assert.assertEquals("Connection failures unexpected", 0L, bookKeeperTestClient.getTestStatsProvider().getCounter(append.toString() + "FAILED_CONNECTION_COUNTER").get().longValue());
            Assert.assertEquals("Mismatch TLS channel count", 0L, bookKeeperTestClient2.getTestStatsProvider().getCounter(append.toString() + "ACTIVE_TLS_CHANNEL_COUNTER").get().longValue());
            Assert.assertEquals("TLS handshake failure unexpected", 0L, bookKeeperTestClient2.getTestStatsProvider().getCounter(append.toString() + "FAILED_TLS_HANDSHAKE_COUNTER").get().longValue());
            Assert.assertEquals("Mismatch non-TLS channel count", 1L, bookKeeperTestClient2.getTestStatsProvider().getCounter(append.toString() + "ACTIVE_NON_TLS_CHANNEL_COUNTER").get().longValue());
            Assert.assertEquals("Connection failures unexpected", 0L, bookKeeperTestClient2.getTestStatsProvider().getCounter(append.toString() + "FAILED_CONNECTION_COUNTER").get().longValue());
            bookieServer.shutdown();
            Assert.assertEquals("Mismatch TLS channel count", 0L, bookKeeperTestClient.getTestStatsProvider().getCounter(append.toString() + "ACTIVE_TLS_CHANNEL_COUNTER").get().longValue());
            Assert.assertEquals("Mismatch non-TLS channel count", 0L, bookKeeperTestClient2.getTestStatsProvider().getCounter(append.toString() + "ACTIVE_NON_TLS_CHANNEL_COUNTER").get().longValue());
        }
    }

    @Test
    public void testHandshakeFailure() throws Exception {
        ClientConfiguration numChannelsPerBookie = new ClientConfiguration(this.baseClientConf).setNumChannelsPerBookie(1);
        ServerConfiguration serverConfiguration = this.bsConfs.get(0);
        switch (AnonymousClass1.$SwitchMap$org$apache$bookkeeper$tls$TLSContextFactory$KeyStoreType[this.serverTrustStoreFormat.ordinal()]) {
            case 1:
                serverConfiguration.setTLSTrustStore(getResourcePath("server-cert.pem"));
                break;
            case 2:
                serverConfiguration.setTLSTrustStore(getResourcePath("server-key.jks")).setTLSTrustStorePasswordPath(getResourcePath("keyStoreServerPassword.txt"));
                break;
            case 3:
                serverConfiguration.setTLSTrustStore(getResourcePath("server-key.p12")).setTLSTrustStorePasswordPath(getResourcePath("keyStoreServerPassword.txt"));
                break;
            default:
                throw new Exception("Unrecognized trust store format: " + this.serverTrustStoreFormat);
        }
        killBookie(0);
        LOG.info("Sleeping for 1s before restarting bookie with bad cert");
        Thread.sleep(1000L);
        BookieServer startBookie = startBookie(serverConfiguration);
        this.bs.add(startBookie);
        this.bsConfs.add(serverConfiguration);
        BookKeeperTestClient bookKeeperTestClient = new BookKeeperTestClient(numChannelsPerBookie, new TestStatsProvider());
        byte[] bytes = "testPassword".getBytes();
        byte[] bytes2 = "testEntry".getBytes();
        try {
            LedgerHandle createLedger = bookKeeperTestClient.createLedger(this.numBookies, this.numBookies, this.numBookies, BookKeeper.DigestType.CRC32, bytes);
            for (int i = 0; i <= 2; i++) {
                try {
                    createLedger.addEntry(bytes2);
                } finally {
                }
            }
            Assert.fail("Should have failed with not enough bookies to write");
            if (createLedger != null) {
                createLedger.close();
            }
        } catch (BKException.BKNotEnoughBookiesException e) {
        }
        Assert.assertEquals("TLS handshake failure expected", 1L, bookKeeperTestClient.getTestStatsProvider().getCounter(("per_channel_bookie_client.bookie_" + startBookie.getBookieId().toString().replace('.', '_').replace('-', '_').replace(":", "_") + ".") + "FAILED_TLS_HANDSHAKE_COUNTER").get().longValue());
    }

    @Test
    public void testClientAuthPluginWithHostnameVerificationEnabled() throws Exception {
        secureClientSideChannel = false;
        secureClientSideChannelPrincipals = null;
        ClientConfiguration clientConfiguration = new ClientConfiguration(this.baseClientConf);
        clientConfiguration.setClientAuthProviderFactoryClass(AllowOnlyBookiesWithX509Certificates.class.getName());
        clientConfiguration.setHostnameVerificationEnabled(true);
        try {
            testClient(clientConfiguration, this.numBookies);
            Assert.fail("should have failed with unauthorized exception");
        } catch (BKException.BKNotEnoughBookiesException e) {
        }
    }
}
