package org.apache.kafka.common.network;

import java.io.IOException;
import java.net.InetSocketAddress;
import java.util.Arrays;
import java.util.Collections;
import java.util.Map;
import org.apache.kafka.common.config.SslConfigs;
import org.apache.kafka.common.metrics.Metrics;
import org.apache.kafka.common.network.ChannelState;
import org.apache.kafka.common.network.SslTransportLayerTest;
import org.apache.kafka.common.security.TestSecurityConfig;
import org.apache.kafka.common.security.auth.SecurityProtocol;
import org.apache.kafka.common.utils.Java;
import org.apache.kafka.common.utils.LogContext;
import org.apache.kafka.common.utils.Time;
import org.junit.After;
import org.junit.Assume;
import org.junit.Before;
import org.junit.Test;

/* loaded from: input_file:org/apache/kafka/common/network/SslTransportTls12Tls13Test.class */
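/**
 * Checks how the SSL transport layer behaves when client and server are configured with
 * TLSv1.2 and TLSv1.3 protocol / cipher-suite combinations.
 *
 * <p>Two tests pin the secure failure mode: when the configured protocol versions and cipher
 * suites cannot be reconciled, the client channel must close in
 * {@link ChannelState.State#AUTHENTICATION_FAILED} instead of becoming ready. The other two
 * tests confirm that a matching configuration completes the handshake.
 *
 * <p>The failure tests assert only the final channel state and the server's authentication
 * metrics; they do not check which side rejected the handshake or the alert that was sent.
 */
public class SslTransportTls12Tls13Test {
    private static final int BUFFER_SIZE = 4096;
    private static final Time TIME = Time.SYSTEM;

    // Configuration keys written into the client/server config maps.
    private static final String PROTOCOL_KEY = "ssl.protocol";
    private static final String ENABLED_PROTOCOLS_KEY = "ssl.enabled.protocols";
    private static final String CIPHER_SUITES_KEY = "ssl.cipher.suites";

    private static final String TLS_1_2 = "TLSv1.2";
    private static final String TLS_1_3 = "TLSv1.3";

    // A cipher suite defined for TLSv1.2 and one defined for TLSv1.3.
    private static final String TLS12_CIPHER = "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384";
    private static final String TLS13_CIPHER = "TLS_AES_128_GCM_SHA256";

    // Id under which the single client connection is registered with the selector.
    private static final String NODE_ID = "0";

    private NioEchoServer server;
    private Selector selector;
    private Map<String, Object> sslClientConfigs;
    private Map<String, Object> sslServerConfigs;

    /**
     * Builds mutually trusting client and server SSL configs and an initial client selector.
     *
     * @throws Exception if the certificate stores or the selector cannot be created
     */
    @Before
    public void setup() throws Exception {
        // NOTE(review): the boolean presumably selects a server vs. client store - confirm in CertStores.
        CertStores serverCertStores = new CertStores(true, "server", "localhost");
        CertStores clientCertStores = new CertStores(false, "client", "localhost");
        this.sslServerConfigs = serverCertStores.getTrustingConfig(clientCertStores);
        this.sslClientConfigs = clientCertStores.getTrustingConfig(serverCertStores);
        LogContext logContext = new LogContext();
        SslChannelBuilder channelBuilder =
                new SslChannelBuilder(Mode.CLIENT, (ListenerName) null, false, logContext);
        channelBuilder.configure(this.sslClientConfigs);
        this.selector = new Selector(5000L, new Metrics(), TIME, "MetricGroup", channelBuilder, logContext);
    }

    /**
     * Releases the selector and the echo server.
     *
     * @throws Exception if closing either resource fails
     */
    @After
    public void teardown() throws Exception {
        // try/finally so the server is still shut down when closing the selector throws.
        try {
            if (this.selector != null) {
                this.selector.close();
            }
        } finally {
            if (this.server != null) {
                this.server.close();
            }
        }
    }

    /**
     * Both sides enable only TLSv1.3 but are restricted to a TLSv1.2 cipher suite, so the
     * connection is expected to end in AUTHENTICATION_FAILED.
     */
    @Test
    public void testCiphersSuiteForTls12FailsForTls13() throws Exception {
        // Skipped (not failed) on runtimes where IS_JAVA11_COMPATIBLE is false.
        Assume.assumeTrue(Java.IS_JAVA11_COMPATIBLE);
        this.sslServerConfigs.put(ENABLED_PROTOCOLS_KEY, Collections.singletonList(TLS_1_3));
        this.sslServerConfigs.put(CIPHER_SUITES_KEY, Collections.singletonList(TLS12_CIPHER));
        startServer();
        this.sslClientConfigs.put(ENABLED_PROTOCOLS_KEY, Collections.singletonList(TLS_1_3));
        this.sslClientConfigs.put(CIPHER_SUITES_KEY, Collections.singletonList(TLS12_CIPHER));
        checkAuthenticationFailed();
    }

    /**
     * The server accepts only TLSv1.2 while the client is pinned to TLSv1.3 with a TLSv1.3
     * cipher suite, so the connection is expected to end in AUTHENTICATION_FAILED.
     */
    @Test
    public void testCiphersSuiteFailForServerTls12ClientTls13() throws Exception {
        Assume.assumeTrue(Java.IS_JAVA11_COMPATIBLE);
        this.sslServerConfigs.put(PROTOCOL_KEY, TLS_1_2);
        this.sslServerConfigs.put(ENABLED_PROTOCOLS_KEY, Collections.singletonList(TLS_1_2));
        this.sslServerConfigs.put(CIPHER_SUITES_KEY, Collections.singletonList(TLS12_CIPHER));
        startServer();
        this.sslClientConfigs.put(PROTOCOL_KEY, TLS_1_3);
        this.sslClientConfigs.put(CIPHER_SUITES_KEY, Collections.singletonList(TLS13_CIPHER));
        checkAuthenticationFailed();
    }

    /**
     * Both sides are restricted to a TLSv1.3 cipher suite and the handshake is expected to
     * succeed. The enabled protocols are left at whatever the trusting configs provide.
     */
    @Test
    public void testCiphersSuiteForTls13() throws Exception {
        Assume.assumeTrue(Java.IS_JAVA11_COMPATIBLE);
        this.sslServerConfigs.put(CIPHER_SUITES_KEY, Collections.singletonList(TLS13_CIPHER));
        startServer();
        this.sslClientConfigs.put(CIPHER_SUITES_KEY, Collections.singletonList(TLS13_CIPHER));
        checkAuthenticationSucceed();
    }

    /**
     * Both sides use the default enabled-protocol list with a TLSv1.2 cipher suite and the
     * handshake is expected to succeed. This test has no Java version precondition.
     */
    @Test
    public void testCiphersSuiteForTls12() throws Exception {
        this.sslServerConfigs.put(
                ENABLED_PROTOCOLS_KEY, Arrays.asList(SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS.split(",")));
        this.sslServerConfigs.put(CIPHER_SUITES_KEY, Collections.singletonList(TLS12_CIPHER));
        startServer();
        this.sslClientConfigs.put(
                ENABLED_PROTOCOLS_KEY, Arrays.asList(SslConfigs.DEFAULT_SSL_ENABLED_PROTOCOLS.split(",")));
        this.sslClientConfigs.put(CIPHER_SUITES_KEY, Collections.singletonList(TLS12_CIPHER));
        checkAuthenticationSucceed();
    }

    /** Starts the SSL echo server from the current contents of {@code sslServerConfigs}. */
    private void startServer() throws Exception {
        this.server = NetworkTestUtils.createEchoServer(
                ListenerName.forSecurityProtocol(SecurityProtocol.SSL),
                SecurityProtocol.SSL,
                new TestSecurityConfig(this.sslServerConfigs),
                null,
                TIME);
    }

    /**
     * Connects with the client restricted to TLSv1.3 and waits for the channel to close in
     * the AUTHENTICATION_FAILED state.
     */
    private void checkAuthenticationFailed() throws IOException, InterruptedException {
        // Overrides any enabled-protocol list the calling test put into the client config.
        this.sslClientConfigs.put(ENABLED_PROTOCOLS_KEY, Collections.singletonList(TLS_1_3));
        createSelector(this.sslClientConfigs);
        this.selector.connect(
                NODE_ID, new InetSocketAddress("localhost", this.server.port()), BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.waitForChannelClose(this.selector, NODE_ID, ChannelState.State.AUTHENTICATION_FAILED);
        // NOTE(review): arguments are presumably (successful, failed) counts - confirm in NioEchoServer.
        this.server.verifyAuthenticationMetrics(0, 1);
    }

    /** Connects with the current client config and waits for the channel to become ready. */
    private void checkAuthenticationSucceed() throws IOException, InterruptedException {
        createSelector(this.sslClientConfigs);
        this.selector.connect(
                NODE_ID, new InetSocketAddress("localhost", this.server.port()), BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.waitForChannelReady(this.selector, NODE_ID);
        // NOTE(review): arguments are presumably (successful, failed) counts - confirm in NioEchoServer.
        this.server.verifyAuthenticationMetrics(1, 0);
    }

    /**
     * Replaces the client selector with one built from {@code map}.
     *
     * @param map client SSL configuration to apply to the new channel builder
     */
    private void createSelector(Map<String, Object> map) {
        // setup() already created a selector; close it so it is not leaked when replaced.
        if (this.selector != null) {
            this.selector.close();
            this.selector = null;
        }
        SslTransportLayerTest.TestSslChannelBuilder channelBuilder =
                new SslTransportLayerTest.TestSslChannelBuilder(Mode.CLIENT);
        channelBuilder.configureBufferSizes(null, null, null);
        channelBuilder.configure(map);
        this.selector = new Selector(500000L, new Metrics(), TIME, "MetricGroup", channelBuilder, new LogContext());
    }
}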
