package org.apache.kafka.common.network;

import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.nio.ByteBuffer;
import java.nio.channels.Channels;
import java.nio.channels.SelectionKey;
import java.nio.channels.SocketChannel;
import java.util.Arrays;
import java.util.Map;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import org.apache.kafka.common.KafkaException;
import org.apache.kafka.common.config.types.Password;
import org.apache.kafka.common.metrics.Metrics;
import org.apache.kafka.common.protocol.SecurityProtocol;
import org.apache.kafka.common.security.ssl.SslFactory;
import org.apache.kafka.common.utils.MockTime;
import org.apache.kafka.test.TestCondition;
import org.apache.kafka.test.TestUtils;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;

/* loaded from: input_file:org/apache/kafka/common/network/SslTransportLayerTest.class */
public class SslTransportLayerTest {
    private static final int BUFFER_SIZE = 4096;
    private NioEchoServer server;
    private Selector selector;
    private ChannelBuilder channelBuilder;
    private CertStores serverCertStores;
    private CertStores clientCertStores;
    private Map<String, Object> sslClientConfigs;
    private Map<String, Object> sslServerConfigs;

    /* loaded from: input_file:org/apache/kafka/common/network/SslTransportLayerTest$TestSslTransportLayer.class */
    private static class TestSslTransportLayer extends SslTransportLayer {
        private final ResizeableBufferSize netReadBufSize;
        private final ResizeableBufferSize netWriteBufSize;
        private final ResizeableBufferSize appBufSize;

        /* loaded from: input_file:org/apache/kafka/common/network/SslTransportLayerTest$TestSslTransportLayer$ResizeableBufferSize.class */
        private static class ResizeableBufferSize {
            private Integer bufSizeOverride;

            ResizeableBufferSize(Integer num) {
                this.bufSizeOverride = num;
            }

            int updateAndGet(int i, boolean z) {
                int i2 = i;
                if (this.bufSizeOverride != null) {
                    if (z) {
                        this.bufSizeOverride = Integer.valueOf(Math.min(this.bufSizeOverride.intValue() * 2, i2));
                    }
                    i2 = this.bufSizeOverride.intValue();
                }
                return i2;
            }
        }

        public TestSslTransportLayer(String str, SelectionKey selectionKey, SSLEngine sSLEngine, Integer num, Integer num2, Integer num3) throws IOException {
            super(str, selectionKey, sSLEngine, false);
            this.netReadBufSize = new ResizeableBufferSize(num);
            this.netWriteBufSize = new ResizeableBufferSize(num2);
            this.appBufSize = new ResizeableBufferSize(num3);
        }

        protected int netReadBufferSize() {
            return this.netReadBufSize.updateAndGet(super.netReadBufferSize(), (netReadBuffer() == null || netReadBuffer().hasRemaining()) ? false : true);
        }

        protected int netWriteBufferSize() {
            return this.netWriteBufSize.updateAndGet(super.netWriteBufferSize(), true);
        }

        protected int applicationBufferSize() {
            return this.appBufSize.updateAndGet(super.applicationBufferSize(), true);
        }
    }

    @Before
    public void setup() throws Exception {
        this.serverCertStores = new CertStores(true, "localhost");
        this.clientCertStores = new CertStores(false, "localhost");
        this.sslServerConfigs = this.serverCertStores.getTrustingConfig(this.clientCertStores);
        this.sslClientConfigs = this.clientCertStores.getTrustingConfig(this.serverCertStores);
        this.channelBuilder = new SslChannelBuilder(Mode.CLIENT);
        this.channelBuilder.configure(this.sslClientConfigs);
        this.selector = new Selector(5000L, new Metrics(), new MockTime(), "MetricGroup", this.channelBuilder);
    }

    @After
    public void teardown() throws Exception {
        if (this.selector != null) {
            this.selector.close();
        }
        if (this.server != null) {
            this.server.close();
        }
    }

    @Test
    public void testValidEndpointIdentification() throws Exception {
        this.server = NetworkTestUtils.createEchoServer(SecurityProtocol.SSL, this.sslServerConfigs);
        this.sslClientConfigs.put("ssl.endpoint.identification.algorithm", "HTTPS");
        createSelector(this.sslClientConfigs);
        this.selector.connect("0", new InetSocketAddress("localhost", this.server.port()), BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.checkClientConnection(this.selector, "0", 100, 10);
    }

    @Test
    public void testInvalidEndpointIdentification() throws Exception {
        this.serverCertStores = new CertStores(true, "notahost");
        this.clientCertStores = new CertStores(false, "localhost");
        this.sslServerConfigs = this.serverCertStores.getTrustingConfig(this.clientCertStores);
        this.sslClientConfigs = this.clientCertStores.getTrustingConfig(this.serverCertStores);
        this.sslClientConfigs.put("ssl.endpoint.identification.algorithm", "HTTPS");
        this.server = NetworkTestUtils.createEchoServer(SecurityProtocol.SSL, this.sslServerConfigs);
        createSelector(this.sslClientConfigs);
        this.selector.connect("0", new InetSocketAddress("localhost", this.server.port()), BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.waitForChannelClose(this.selector, "0");
    }

    @Test
    public void testEndpointIdentificationDisabled() throws Exception {
        String hostAddress = InetAddress.getLocalHost().getHostAddress();
        this.server = new NioEchoServer(SecurityProtocol.SSL, this.sslServerConfigs, hostAddress);
        this.server.start();
        this.sslClientConfigs.remove("ssl.endpoint.identification.algorithm");
        createSelector(this.sslClientConfigs);
        this.selector.connect("0", new InetSocketAddress(hostAddress, this.server.port()), BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.checkClientConnection(this.selector, "0", 100, 10);
    }

    @Test
    public void testClientAuthenticationRequiredValidProvided() throws Exception {
        this.sslServerConfigs.put("ssl.client.auth", "required");
        this.server = NetworkTestUtils.createEchoServer(SecurityProtocol.SSL, this.sslServerConfigs);
        createSelector(this.sslClientConfigs);
        this.selector.connect("0", new InetSocketAddress("localhost", this.server.port()), BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.checkClientConnection(this.selector, "0", 100, 10);
    }

    @Test
    public void testClientAuthenticationRequiredUntrustedProvided() throws Exception {
        this.sslServerConfigs = this.serverCertStores.getUntrustingConfig();
        this.sslServerConfigs.put("ssl.client.auth", "required");
        this.server = NetworkTestUtils.createEchoServer(SecurityProtocol.SSL, this.sslServerConfigs);
        createSelector(this.sslClientConfigs);
        this.selector.connect("0", new InetSocketAddress("localhost", this.server.port()), BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.waitForChannelClose(this.selector, "0");
    }

    @Test
    public void testClientAuthenticationRequiredNotProvided() throws Exception {
        this.sslServerConfigs.put("ssl.client.auth", "required");
        this.server = NetworkTestUtils.createEchoServer(SecurityProtocol.SSL, this.sslServerConfigs);
        this.sslClientConfigs.remove("ssl.keystore.location");
        this.sslClientConfigs.remove("ssl.keystore.password");
        this.sslClientConfigs.remove("ssl.key.password");
        createSelector(this.sslClientConfigs);
        this.selector.connect("0", new InetSocketAddress("localhost", this.server.port()), BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.waitForChannelClose(this.selector, "0");
    }

    @Test
    public void testClientAuthenticationDisabledUntrustedProvided() throws Exception {
        this.sslServerConfigs = this.serverCertStores.getUntrustingConfig();
        this.sslServerConfigs.put("ssl.client.auth", "none");
        this.server = NetworkTestUtils.createEchoServer(SecurityProtocol.SSL, this.sslServerConfigs);
        createSelector(this.sslClientConfigs);
        this.selector.connect("0", new InetSocketAddress("localhost", this.server.port()), BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.checkClientConnection(this.selector, "0", 100, 10);
    }

    @Test
    public void testClientAuthenticationDisabledNotProvided() throws Exception {
        this.sslServerConfigs.put("ssl.client.auth", "none");
        this.server = NetworkTestUtils.createEchoServer(SecurityProtocol.SSL, this.sslServerConfigs);
        this.sslClientConfigs.remove("ssl.keystore.location");
        this.sslClientConfigs.remove("ssl.keystore.password");
        this.sslClientConfigs.remove("ssl.key.password");
        createSelector(this.sslClientConfigs);
        this.selector.connect("0", new InetSocketAddress("localhost", this.server.port()), BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.checkClientConnection(this.selector, "0", 100, 10);
    }

    @Test
    public void testClientAuthenticationRequestedValidProvided() throws Exception {
        this.sslServerConfigs.put("ssl.client.auth", "requested");
        this.server = NetworkTestUtils.createEchoServer(SecurityProtocol.SSL, this.sslServerConfigs);
        createSelector(this.sslClientConfigs);
        this.selector.connect("0", new InetSocketAddress("localhost", this.server.port()), BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.checkClientConnection(this.selector, "0", 100, 10);
    }

    @Test
    public void testClientAuthenticationRequestedNotProvided() throws Exception {
        this.sslServerConfigs.put("ssl.client.auth", "requested");
        this.server = NetworkTestUtils.createEchoServer(SecurityProtocol.SSL, this.sslServerConfigs);
        this.sslClientConfigs.remove("ssl.keystore.location");
        this.sslClientConfigs.remove("ssl.keystore.password");
        this.sslClientConfigs.remove("ssl.key.password");
        createSelector(this.sslClientConfigs);
        this.selector.connect("0", new InetSocketAddress("localhost", this.server.port()), BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.checkClientConnection(this.selector, "0", 100, 10);
    }

    @Test
    public void testInvalidSecureRandomImplementation() throws Exception {
        SslChannelBuilder sslChannelBuilder = new SslChannelBuilder(Mode.CLIENT);
        try {
            this.sslClientConfigs.put("ssl.secure.random.implementation", "invalid");
            sslChannelBuilder.configure(this.sslClientConfigs);
            Assert.fail("SSL channel configured with invalid SecureRandom implementation");
        } catch (KafkaException e) {
        }
    }

    @Test
    public void testInvalidTruststorePassword() throws Exception {
        SslChannelBuilder sslChannelBuilder = new SslChannelBuilder(Mode.CLIENT);
        try {
            this.sslClientConfigs.put("ssl.truststore.password", "invalid");
            sslChannelBuilder.configure(this.sslClientConfigs);
            Assert.fail("SSL channel configured with invalid truststore password");
        } catch (KafkaException e) {
        }
    }

    @Test
    public void testInvalidKeystorePassword() throws Exception {
        SslChannelBuilder sslChannelBuilder = new SslChannelBuilder(Mode.CLIENT);
        try {
            this.sslClientConfigs.put("ssl.keystore.password", "invalid");
            sslChannelBuilder.configure(this.sslClientConfigs);
            Assert.fail("SSL channel configured with invalid keystore password");
        } catch (KafkaException e) {
        }
    }

    @Test
    public void testInvalidKeyPassword() throws Exception {
        this.sslServerConfigs.put("ssl.key.password", new Password("invalid"));
        this.server = NetworkTestUtils.createEchoServer(SecurityProtocol.SSL, this.sslServerConfigs);
        createSelector(this.sslClientConfigs);
        this.selector.connect("0", new InetSocketAddress("localhost", this.server.port()), BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.waitForChannelClose(this.selector, "0");
    }

    @Test
    public void testUnsupportedTLSVersion() throws Exception {
        this.sslServerConfigs.put("ssl.enabled.protocols", Arrays.asList("TLSv1.2"));
        this.server = NetworkTestUtils.createEchoServer(SecurityProtocol.SSL, this.sslServerConfigs);
        this.sslClientConfigs.put("ssl.enabled.protocols", Arrays.asList("TLSv1.1"));
        createSelector(this.sslClientConfigs);
        this.selector.connect("0", new InetSocketAddress("localhost", this.server.port()), BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.waitForChannelClose(this.selector, "0");
    }

    @Test
    public void testUnsupportedCiphers() throws Exception {
        String[] cipherSuites = SSLContext.getDefault().getDefaultSSLParameters().getCipherSuites();
        this.sslServerConfigs.put("ssl.cipher.suites", Arrays.asList(cipherSuites[0]));
        this.server = NetworkTestUtils.createEchoServer(SecurityProtocol.SSL, this.sslServerConfigs);
        this.sslClientConfigs.put("ssl.cipher.suites", Arrays.asList(cipherSuites[1]));
        createSelector(this.sslClientConfigs);
        this.selector.connect("0", new InetSocketAddress("localhost", this.server.port()), BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.waitForChannelClose(this.selector, "0");
    }

    @Test
    public void testNetReadBufferResize() throws Exception {
        this.server = NetworkTestUtils.createEchoServer(SecurityProtocol.SSL, this.sslServerConfigs);
        createSelector(this.sslClientConfigs, 10, null, null);
        this.selector.connect("0", new InetSocketAddress("localhost", this.server.port()), BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.checkClientConnection(this.selector, "0", 64000, 10);
    }

    @Test
    public void testNetWriteBufferResize() throws Exception {
        this.server = NetworkTestUtils.createEchoServer(SecurityProtocol.SSL, this.sslServerConfigs);
        createSelector(this.sslClientConfigs, null, 10, null);
        this.selector.connect("0", new InetSocketAddress("localhost", this.server.port()), BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.checkClientConnection(this.selector, "0", 64000, 10);
    }

    @Test
    public void testApplicationBufferResize() throws Exception {
        this.server = NetworkTestUtils.createEchoServer(SecurityProtocol.SSL, this.sslServerConfigs);
        createSelector(this.sslClientConfigs, null, null, 10);
        this.selector.connect("0", new InetSocketAddress("localhost", this.server.port()), BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.checkClientConnection(this.selector, "0", 64000, 10);
    }

    @Test
    public void testCloseSsl() throws Exception {
        testClose(SecurityProtocol.SSL, new SslChannelBuilder(Mode.CLIENT));
    }

    @Test
    public void testClosePlaintext() throws Exception {
        testClose(SecurityProtocol.PLAINTEXT, new PlaintextChannelBuilder());
    }

    private void testClose(SecurityProtocol securityProtocol, ChannelBuilder channelBuilder) throws Exception {
        this.server = NetworkTestUtils.createEchoServer(securityProtocol, this.sslServerConfigs);
        channelBuilder.configure(this.sslClientConfigs);
        this.selector = new Selector(5000L, new Metrics(), new MockTime(), "MetricGroup", channelBuilder);
        this.selector.connect("0", new InetSocketAddress("localhost", this.server.port()), BUFFER_SIZE, BUFFER_SIZE);
        NetworkTestUtils.waitForChannelReady(this.selector, "0");
        final ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        this.server.outputChannel(Channels.newChannel(byteArrayOutputStream));
        this.server.selector().muteAll();
        byte[] bytes = TestUtils.randomString(100).getBytes();
        final int length = 20 * (bytes.length + 4);
        for (int i = 0; i < 20; i++) {
            this.selector.send(new NetworkSend("0", ByteBuffer.wrap(bytes)));
            do {
                this.selector.poll(0L);
            } while (this.selector.completedSends().isEmpty());
        }
        this.server.selector().unmuteAll();
        this.selector.close("0");
        TestUtils.waitForCondition(new TestCondition() { // from class: org.apache.kafka.common.network.SslTransportLayerTest.1
            @Override // org.apache.kafka.test.TestCondition
            public boolean conditionMet() {
                return byteArrayOutputStream.toByteArray().length == length;
            }
        }, 5000L, "All requests sent were not processed");
    }

    private void createSelector(Map<String, Object> map) {
        createSelector(map, null, null, null);
    }

    private void createSelector(Map<String, Object> map, final Integer num, final Integer num2, final Integer num3) {
        this.channelBuilder = new SslChannelBuilder(Mode.CLIENT) { // from class: org.apache.kafka.common.network.SslTransportLayerTest.2
            protected SslTransportLayer buildTransportLayer(SslFactory sslFactory, String str, SelectionKey selectionKey) throws IOException {
                SocketChannel socketChannel = (SocketChannel) selectionKey.channel();
                TestSslTransportLayer testSslTransportLayer = new TestSslTransportLayer(str, selectionKey, sslFactory.createSslEngine(socketChannel.socket().getInetAddress().getHostName(), socketChannel.socket().getPort()), num, num2, num3);
                testSslTransportLayer.startHandshake();
                return testSslTransportLayer;
            }
        };
        this.channelBuilder.configure(map);
        this.selector = new Selector(5000L, new Metrics(), new MockTime(), "MetricGroup", this.channelBuilder);
    }
}
