package org.apache.druid.server.initialization;

import com.google.common.collect.ImmutableList;
import com.google.inject.Binder;
import com.google.inject.Injector;
import com.google.inject.Key;
import com.google.inject.Module;
import com.google.inject.multibindings.Multibinder;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.lang.annotation.Annotation;
import java.net.URL;
import java.nio.charset.Charset;
import java.nio.charset.StandardCharsets;
import java.nio.file.CopyOption;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.StandardCopyOption;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.text.SimpleDateFormat;
import java.util.EnumSet;
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.ThreadLocalRandom;
import java.util.zip.GZIPOutputStream;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSession;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import javax.servlet.DispatcherType;
import javax.servlet.Filter;
import org.apache.commons.io.IOUtils;
import org.apache.druid.guice.GuiceInjectors;
import org.apache.druid.guice.Jerseys;
import org.apache.druid.guice.JsonConfigProvider;
import org.apache.druid.guice.LazySingleton;
import org.apache.druid.guice.LifecycleModule;
import org.apache.druid.guice.annotations.Self;
import org.apache.druid.initialization.Initialization;
import org.apache.druid.java.util.http.client.HttpClientConfig;
import org.apache.druid.java.util.http.client.HttpClientInit;
import org.apache.druid.java.util.http.client.Request;
import org.apache.druid.java.util.http.client.response.InputStreamResponseHandler;
import org.apache.druid.metadata.PasswordProvider;
import org.apache.druid.server.DruidNode;
import org.apache.druid.server.initialization.BaseJettyTest;
import org.apache.druid.server.initialization.jetty.JettyServerInitializer;
import org.apache.druid.server.initialization.jetty.ServletFilterHolder;
import org.apache.druid.server.security.AuthTestUtils;
import org.apache.druid.server.security.AuthorizerMapper;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.util.DateCache;
import org.jboss.netty.handler.codec.http.HttpMethod;
import org.joda.time.Duration;
import org.junit.Assert;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.TemporaryFolder;

/* loaded from: input_file:org/apache/druid/server/initialization/JettyCertRenewTest.class */
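/**
 * Checks that a running Jetty TLS listener starts serving a new certificate after its key store
 * file is replaced on disk.
 *
 * <p>The server is configured with {@code isReloadSslContext() == true} and a reload interval of one
 * second. The test reads the {@code notAfter} date of the served certificate chain, overwrites the
 * key store and trust store files in place, waits, and then expects the {@code notAfter} date of the
 * replacement certificate.
 *
 * <p>Security note: {@link AcceptAllForTestX509TrustManager} and
 * {@link AcceptAllForTestHostnameVerifier} switch off certificate-chain and host-name validation.
 * They are used by {@link #getCertificates()} only, to read whichever chain the server presents.
 * The request made by {@link #getResponseWithProperTrustStore()} builds its TLS context from the
 * trust store file instead. Nothing in this class is suitable as a template for production TLS
 * client code.
 */
public class JettyCertRenewTest extends BaseJettyTest {

    @Rule
    public TemporaryFolder folder = new TemporaryFolder();
    private Injector injector;
    private BaseJettyTest.LatchedRequestStateHolder latchedRequestState;
    // Working copies of the key/trust stores; the test overwrites these files to simulate a renewal.
    private Path tmpKeyStore;
    private Path tmpTrustStore;
    // Supplies the fixture password shared by the bundled test key stores.
    private PasswordProvider pp;

    /**
     * Host-name verifier that accepts every host. Test-only: it removes the check that the
     * certificate was issued for the host being contacted.
     *
     * <p>The decompiler output this file was recovered from marks the class as originally
     * {@code private}; the constructor is still private, so only this test can instantiate it.
     */
    public static class AcceptAllForTestHostnameVerifier implements HostnameVerifier {
        private AcceptAllForTestHostnameVerifier() {
        }

        @Override
        public boolean verify(String str, SSLSession sSLSession) {
            return true;
        }
    }

    /**
     * Trust manager that accepts every client and server certificate chain without inspecting it.
     * Test-only: a connection using it is not authenticated in any way.
     *
     * <p>The decompiler output this file was recovered from marks the class as originally
     * {@code private}; the constructor is still private, so only this test can instantiate it.
     */
    public static class AcceptAllForTestX509TrustManager implements X509TrustManager {
        // Chain most recently handed to checkServerTrusted; null until a handshake has happened.
        private X509Certificate[] accepted;

        private AcceptAllForTestX509TrustManager() {
        }

        @Override
        public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) {
            // Intentionally no validation.
        }

        @Override
        public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) {
            // Intentionally no validation; the chain is only remembered.
            this.accepted = x509CertificateArr;
        }

        /**
         * Returns the chain last passed to {@link #checkServerTrusted}, or an empty array when no
         * handshake has happened yet. The {@link X509TrustManager} contract requires a non-null
         * result, which the bare field did not guarantee.
         */
        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return this.accepted == null ? new X509Certificate[0] : this.accepted;
        }
    }

    /**
     * Resolves a classpath resource to a file-system path.
     *
     * @param name resource name, looked up through this class's class loader
     * @return path of the resource file
     * @throws IllegalStateException if the resource is not on the classpath
     */
    private static Path resourcePath(String name) {
        URL resource = JettyCertRenewTest.class.getClassLoader().getResource(name);
        if (resource == null) {
            // Fail with the resource name instead of a bare NullPointerException.
            throw new IllegalStateException("Missing test resource on classpath: " + name);
        }
        return new File(resource.getFile()).toPath();
    }

    @Override
    public void setProperties() {
        super.setProperties();
        // Test-only setting. NOTE(review): judging by the property name this exposes detailed
        // Jetty error output to clients; confirm it is not carried over into deployed configs.
        System.setProperty("druid.server.http.showDetailedJettyErrors", "true");
    }

    /**
     * Builds the injector for a TLS-enabled test node whose key store and trust store are temporary
     * copies of {@code server.jks} and {@code truststore.jks}, with SSL context reloading enabled.
     *
     * @return the injector, also stored in {@link #injector}
     * @throws RuntimeException wrapping the {@link IOException} if a store cannot be copied
     */
    @Override
    protected Injector setupInjector() {
        try {
            // Copy the fixtures so the test can later overwrite them without touching the originals.
            this.tmpKeyStore =
                Files.copy(resourcePath("server.jks"), new File(this.folder.newFolder(), "server.jks").toPath());
            this.tmpTrustStore =
                Files.copy(resourcePath("truststore.jks"), new File(this.folder.newFolder(), "truststore.jks").toPath());
            // Fixture password for the bundled test key stores; it protects nothing of value.
            this.pp = () -> "druid123";

            final TLSServerConfig tlsConfig = new TLSServerConfig() {
                @Override
                public String getKeyStorePath() {
                    return JettyCertRenewTest.this.tmpKeyStore.toString();
                }

                @Override
                public String getKeyStoreType() {
                    return "jks";
                }

                @Override
                public PasswordProvider getKeyStorePasswordProvider() {
                    return JettyCertRenewTest.this.pp;
                }

                @Override
                public PasswordProvider getKeyManagerPasswordProvider() {
                    return JettyCertRenewTest.this.pp;
                }

                @Override
                public String getTrustStorePath() {
                    return JettyCertRenewTest.this.tmpTrustStore.toString();
                }

                @Override
                public String getTrustStoreAlgorithm() {
                    return "PKIX";
                }

                @Override
                public PasswordProvider getTrustStorePasswordProvider() {
                    return JettyCertRenewTest.this.pp;
                }

                @Override
                public String getCertAlias() {
                    return "druid";
                }

                // Client certificates are neither required nor requested, and host names are not
                // validated: this server configuration is deliberately relaxed for the test.
                @Override
                public boolean isRequireClientCertificate() {
                    return false;
                }

                @Override
                public boolean isRequestClientCertificate() {
                    return false;
                }

                @Override
                public boolean isValidateHostnames() {
                    return false;
                }

                // The behaviour under test: reload the SSL context, with a one-second interval.
                @Override
                public boolean isReloadSslContext() {
                    return true;
                }

                @Override
                public int getReloadSslContextSeconds() {
                    return 1;
                }
            };

            // Random port from the dynamic range; the node is also given port + 1.
            final int port = ThreadLocalRandom.current().nextInt(49152, 65535);
            this.latchedRequestState = new BaseJettyTest.LatchedRequestStateHolder();
            this.injector = Initialization.makeInjectorWithModules(
                GuiceInjectors.makeStartupInjector(),
                ImmutableList.of(new Module() {
                    @Override
                    public void configure(Binder binder) {
                        JsonConfigProvider.bindInstance(
                            binder,
                            Key.get(DruidNode.class, Self.class),
                            new DruidNode("test", "localhost", false, port, port + 1, true, true));
                        binder.bind(TLSServerConfig.class).toInstance(tlsConfig);
                        binder.bind(JettyServerInitializer.class).to(BaseJettyTest.JettyServerInit.class).in(LazySingleton.class);
                        binder.bind(BaseJettyTest.LatchedRequestStateHolder.class).toInstance(JettyCertRenewTest.this.latchedRequestState);
                        // Registers DummyAuthFilter on every path; the remaining holder values are left null.
                        Multibinder.newSetBinder(binder, ServletFilterHolder.class).addBinding().toInstance(new ServletFilterHolder() {
                            @Override
                            public String getPath() {
                                return "/*";
                            }

                            @Override
                            public Map<String, String> getInitParameters() {
                                return null;
                            }

                            @Override
                            public Class<? extends Filter> getFilterClass() {
                                return BaseJettyTest.DummyAuthFilter.class;
                            }

                            @Override
                            public Filter getFilter() {
                                return null;
                            }

                            @Override
                            public EnumSet<DispatcherType> getDispatcherType() {
                                return null;
                            }
                        });
                        Jerseys.addResource(binder, BaseJettyTest.SlowResource.class);
                        Jerseys.addResource(binder, BaseJettyTest.LatchedResource.class);
                        Jerseys.addResource(binder, BaseJettyTest.ExceptionResource.class);
                        Jerseys.addResource(binder, BaseJettyTest.DefaultResource.class);
                        Jerseys.addResource(binder, BaseJettyTest.DirectlyReturnResource.class);
                        binder.bind(AuthorizerMapper.class).toInstance(AuthTestUtils.TEST_AUTHORIZER_MAPPER);
                        LifecycleModule.register(binder, Server.class);
                    }
                }));
            return this.injector;
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Replaces the key store and trust store on disk and expects the server to present the
     * replacement certificate (different {@code notAfter}) without a restart, while a client that
     * uses the trust store file still receives the expected response before and after the swap.
     */
    @Test
    public void testCertificateEndDateInvalid() throws Exception {
        // Confined to this method, so SimpleDateFormat's lack of thread-safety does not matter here.
        SimpleDateFormat dateFormat = new SimpleDateFormat(DateCache.DEFAULT_FORMAT, Locale.ENGLISH);

        for (Certificate served : getCertificates()) {
            Assert.assertEquals(
                dateFormat.parse("Fri Mar 29 11:00:40 UTC 2030").toInstant(),
                ((X509Certificate) served).getNotAfter().toInstant());
        }
        Assert.assertEquals("hello", getResponseWithProperTrustStore());

        // Simulate a renewal: overwrite the files the running server was configured with.
        Files.copy(resourcePath("server-new.jks"), this.tmpKeyStore, StandardCopyOption.REPLACE_EXISTING);
        Files.copy(resourcePath("truststore-new.jks"), this.tmpTrustStore, StandardCopyOption.REPLACE_EXISTING);

        // Wait longer than the one-second reload interval configured in setupInjector().
        Thread.sleep(3000L);

        for (Certificate served : getCertificates()) {
            Assert.assertEquals(
                dateFormat.parse("Thu Aug 19 13:38:51 UTC 2032").toInstant(),
                ((X509Certificate) served).getNotAfter().toInstant());
        }
        Assert.assertEquals("hello", getResponseWithProperTrustStore());
    }

    /**
     * Connects to the test server's TLS port and returns the certificate chain it presents.
     *
     * <p>Validation is disabled on purpose (accept-all trust manager and host-name verifier) so the
     * chain can be read regardless of which trust store is current. This method therefore says
     * nothing about whether the chain is trusted.
     *
     * @return the server certificates reported by the connection
     */
    private Certificate[] getCertificates() throws Exception {
        URL url = new URL("https://localhost:" + this.tlsPort + "/default/");
        SSLContext trustAllContext = SSLContext.getInstance("TLS");
        trustAllContext.init(null, new TrustManager[] {new AcceptAllForTestX509TrustManager()}, null);

        HttpsURLConnection connection = (HttpsURLConnection) url.openConnection();
        try {
            connection.setHostnameVerifier(new AcceptAllForTestHostnameVerifier());
            connection.setSSLSocketFactory(trustAllContext.getSocketFactory());
            // Requesting the response code makes the connection, after which the chain is available.
            connection.getResponseCode();
            return connection.getServerCertificates();
        } finally {
            // Release the connection even when the request or handshake fails.
            connection.disconnect();
        }
    }

    /**
     * Builds an HTTP client configuration whose SSL context is created from the current trust store
     * file and the fixture password.
     */
    private HttpClientConfig getSslConfig() {
        return HttpClientConfig.builder()
            .withSslContext(HttpClientInit.sslContextWithTrustedKeyStore(this.tmpTrustStore.toString(), this.pp.getPassword()))
            .withWorkerCount(1)
            .withReadTimeout(Duration.ZERO)
            .build();
    }

    /**
     * Sends a gzip-encoded {@code "hello"} to {@code /default/} over TLS with a client built from
     * {@link #getSslConfig()} and returns the response body decoded as UTF-8.
     *
     * <p>NOTE(review): unlike {@link #getCertificates()}, this client's SSL context comes from the
     * trust store file, so the request is presumably the part of the test that fails when the served
     * certificate is not covered by that store; confirm against {@code HttpClientInit}.
     *
     * @return the response body
     * @throws RuntimeException wrapping any failure of the HTTP exchange
     */
    private String getResponseWithProperTrustStore() throws Exception {
        ByteArrayOutputStream compressed = new ByteArrayOutputStream();
        try (GZIPOutputStream gzip = new GZIPOutputStream(compressed)) {
            // Fixed charset: the payload must not depend on the platform default.
            gzip.write("hello".getBytes(StandardCharsets.UTF_8));
        }

        Request request = new Request(HttpMethod.GET, new URL("https://localhost:" + this.tlsPort + "/default/"));
        request.setHeader("Content-Encoding", "gzip");
        request.setContent("text/plain", compressed.toByteArray());
        try {
            return IOUtils.toString(
                (InputStream) HttpClientInit.createClient(getSslConfig(), this.lifecycle).go(request, new InputStreamResponseHandler()).get(),
                StandardCharsets.UTF_8);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }
}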
