package org.eclipse.sensinact.gateway.southbound.http.factory.integration;

import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.lang.ProcessBuilder;
import java.nio.file.FileVisitOption;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;
import java.nio.file.attribute.FileAttribute;
import java.util.Hashtable;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.ArrayBlockingQueue;
import java.util.concurrent.BlockingQueue;
import java.util.concurrent.TimeUnit;
import org.eclipse.jetty.server.ConnectionFactory;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.eclipse.jetty.util.thread.QueuedThreadPool;
import org.eclipse.sensinact.core.notification.ClientActionListener;
import org.eclipse.sensinact.core.notification.ClientLifecycleListener;
import org.eclipse.sensinact.core.notification.ClientMetadataListener;
import org.eclipse.sensinact.core.notification.ResourceDataNotification;
import org.eclipse.sensinact.northbound.security.api.UserInfo;
import org.eclipse.sensinact.northbound.session.SensiNactSession;
import org.eclipse.sensinact.northbound.session.SensiNactSessionManager;
import org.junit.jupiter.api.AfterAll;
import org.junit.jupiter.api.AfterEach;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeAll;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.osgi.service.cm.Configuration;
import org.osgi.service.cm.ConfigurationAdmin;
import org.osgi.test.common.annotation.InjectService;
import org.osgi.test.common.annotation.Property;
import org.osgi.test.common.annotation.config.WithConfiguration;

@WithConfiguration(pid = "sensinact.session.manager", properties = {@Property(key = "auth.policy", value = {"ALLOW_ALL"})})
/* loaded from: input_file:org/eclipse/sensinact/gateway/southbound/http/factory/integration/HttpDeviceFactorySSLTest.class */
public class HttpDeviceFactorySSLTest {
    QueuedThreadPool threadPool;
    Server server;
    RequestHandler handler;
    int httpPort;
    static String trustJksPath;
    static String serverJksPath;
    static String clientJksPath;
    static Path tmpDir;

    @InjectService
    SensiNactSessionManager sessionManager;
    SensiNactSession session;
    BlockingQueue<ResourceDataNotification> queue;

    @InjectService
    ConfigurationAdmin configAdmin;

    @BeforeAll
    static void setup() throws Exception {
        tmpDir = Files.createTempDirectory("sensinact-http", new FileAttribute[0]);
        KeyToolUtils keyToolUtils = new KeyToolUtils();
        String absolutePath = tmpDir.resolve("ca.jks").toFile().getAbsolutePath();
        trustJksPath = tmpDir.resolve("trust.jks").toFile().getAbsolutePath();
        serverJksPath = tmpDir.resolve("server.jks").toFile().getAbsolutePath();
        clientJksPath = tmpDir.resolve("client.jks").toFile().getAbsolutePath();
        File file = tmpDir.resolve("ca.pem").toFile();
        File file2 = tmpDir.resolve("server.crs").toFile();
        File file3 = tmpDir.resolve("server.pem").toFile();
        Path resolve = tmpDir.resolve("ca_server.pem");
        File file4 = tmpDir.resolve("client.crs").toFile();
        File file5 = tmpDir.resolve("client.pem").toFile();
        Path resolve2 = tmpDir.resolve("ca_client.pem");
        keyToolUtils.runTool("-genkeypair", "-keyalg", "RSA", "-keysize", "2048", "-validity", "5", "-alias", "ca", "-dname", "CN=CA,O=sensinact,OU=test", "-keystore", absolutePath, "-storepass", "password", "-ext", "KeyUsage=digitalSignature,keyCertSign", "-ext", "BasicConstraints=ca:true,PathLen:3");
        keyToolUtils.runTool(null, ProcessBuilder.Redirect.to(file), "-exportcert", "-rfc", "-alias", "ca", "-keystore", absolutePath, "-storepass", "password");
        keyToolUtils.runTool(ProcessBuilder.Redirect.from(file), null, "-importcert", "-alias", "ca", "-noprompt", "-keystore", trustJksPath, "-storepass", "password");
        keyToolUtils.runTool("-genkeypair", "-keyalg", "RSA", "-keysize", "2048", "-validity", "5", "-alias", "server", "-dname", "CN=localhost,O=sensinact,OU=test", "-keystore", serverJksPath, "-storepass", "password", "-ext", "SubjectAlternativeName:c=DNS:localhost,IP:127.0.0.1");
        keyToolUtils.runTool(null, ProcessBuilder.Redirect.to(file2), "-certreq", "-alias", "server", "-storepass", "password", "-keystore", serverJksPath);
        keyToolUtils.runTool(ProcessBuilder.Redirect.from(file2), ProcessBuilder.Redirect.to(file3), "-gencert", "-alias", "ca", "-rfc", "-keystore", absolutePath, "-storepass", "password");
        keyToolUtils.runTool(ProcessBuilder.Redirect.from(file), null, "-importcert", "-alias", "ca", "-noprompt", "-keystore", serverJksPath, "-storepass", "password");
        OutputStream newOutputStream = Files.newOutputStream(resolve, StandardOpenOption.CREATE);
        try {
            Files.copy(Paths.get(file.getPath(), new String[0]), newOutputStream);
            Files.copy(Paths.get(file3.getPath(), new String[0]), newOutputStream);
            if (newOutputStream != null) {
                newOutputStream.close();
            }
            keyToolUtils.runTool(ProcessBuilder.Redirect.from(resolve.toFile()), null, "-importcert", "-alias", "server", "-keystore", serverJksPath, "-storepass", "password");
            keyToolUtils.runTool("-genkeypair", "-keyalg", "RSA", "-keysize", "2048", "-validity", "5", "-alias", "client", "-dname", "CN=client,O=sensinact", "-keystore", clientJksPath, "-storepass", "password");
            keyToolUtils.runTool(null, ProcessBuilder.Redirect.to(file4), "-certreq", "-alias", "client", "-keystore", clientJksPath, "-storepass", "password");
            keyToolUtils.runTool(ProcessBuilder.Redirect.from(file4), ProcessBuilder.Redirect.to(file5), "-gencert", "-alias", "ca", "-rfc", "-keystore", absolutePath, "-storepass", "password");
            keyToolUtils.runTool(ProcessBuilder.Redirect.from(file), null, "-importcert", "-alias", "ca", "-noprompt", "-keystore", clientJksPath, "-storepass", "password");
            newOutputStream = Files.newOutputStream(resolve2, StandardOpenOption.CREATE);
            try {
                Files.copy(Paths.get(file.getPath(), new String[0]), newOutputStream);
                Files.copy(Paths.get(file5.getPath(), new String[0]), newOutputStream);
                if (newOutputStream != null) {
                    newOutputStream.close();
                }
                keyToolUtils.runTool(ProcessBuilder.Redirect.from(resolve2.toFile()), null, "-importcert", "-alias", "client", "-keystore", clientJksPath, "-storepass", "password");
            } finally {
            }
        } finally {
        }
    }

    @AfterAll
    static void teardown() throws Exception {
        Files.walk(tmpDir, new FileVisitOption[0]).map((v0) -> {
            return v0.toFile();
        }).forEach((v0) -> {
            v0.delete();
        });
        Files.delete(tmpDir);
    }

    @BeforeEach
    void start() throws InterruptedException {
        this.session = this.sessionManager.getDefaultSession(UserInfo.ANONYMOUS);
        this.queue = new ArrayBlockingQueue(32);
    }

    @AfterEach
    void stop() throws Exception {
        Set keySet = this.session.activeListeners().keySet();
        SensiNactSession sensiNactSession = this.session;
        Objects.requireNonNull(sensiNactSession);
        keySet.forEach(sensiNactSession::removeListener);
        this.session = null;
        stopServer();
    }

    void startServer(boolean z) throws Exception {
        HttpConfiguration httpConfiguration = new HttpConfiguration();
        httpConfiguration.addCustomizer(new SecureRequestCustomizer());
        ConnectionFactory httpConnectionFactory = new HttpConnectionFactory(httpConfiguration);
        SslContextFactory.Server server = new SslContextFactory.Server();
        server.setKeyStorePath(serverJksPath);
        server.setKeyStorePassword("password");
        if (z) {
            server.setTrustStorePath(trustJksPath);
            server.setTrustStorePassword("password");
            server.setNeedClientAuth(true);
        }
        ConnectionFactory sslConnectionFactory = new SslConnectionFactory(server, httpConnectionFactory.getProtocol());
        this.threadPool = new QueuedThreadPool();
        this.threadPool.setName("server");
        this.server = new Server(this.threadPool);
        ServerConnector serverConnector = new ServerConnector(this.server, new ConnectionFactory[]{sslConnectionFactory, httpConnectionFactory});
        serverConnector.setPort(0);
        this.server.addConnector(serverConnector);
        this.handler = new RequestHandler();
        this.server.setHandler(this.handler);
        this.server.start();
        this.httpPort = serverConnector.getLocalPort();
    }

    void stopServer() throws Exception {
        if (this.server != null) {
            this.server.stop();
            this.server = null;
        }
        if (this.threadPool != null) {
            this.threadPool.stop();
            this.threadPool = null;
        }
        if (this.handler != null) {
            this.handler.clear();
        }
    }

    String readFile(String str) throws IOException {
        InputStream resourceAsStream = getClass().getClassLoader().getResourceAsStream("/" + str);
        try {
            String str2 = new String(resourceAsStream.readAllBytes());
            if (resourceAsStream != null) {
                resourceAsStream.close();
            }
            return str2;
        } catch (Throwable th) {
            if (resourceAsStream != null) {
                try {
                    resourceAsStream.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    String readData(String str, String str2, String str3) throws IOException {
        String readFile = readFile(str);
        return str2 != null ? readFile.replace(str2, str3) : readFile;
    }

    @Test
    void testRejectUntrusted() throws Exception {
        startServer(false);
        this.session.addListener(List.of("ssl-reject-provider1/*"), (str, resourceDataNotification) -> {
            this.queue.offer(resourceDataNotification);
        }, (ClientMetadataListener) null, (ClientLifecycleListener) null, (ClientActionListener) null);
        Assertions.assertNull(this.session.describeProvider("ssl-reject-provider1"));
        String str2 = new String(readFile("csv-header-typed-mapping.json"));
        this.handler.setData("/data", readFile("csv-header-typed.csv").replace("typed-provider", "ssl-reject-provider"));
        Configuration createFactoryConfiguration = this.configAdmin.createFactoryConfiguration("sensinact.http.device.factory", "?");
        try {
            createFactoryConfiguration.update(new Hashtable(Map.of("tasks.oneshot", "[{\"url\": \"https://localhost:" + this.httpPort + "/data\", \"mapping\": " + str2 + "}]")));
            Assertions.assertNull(this.queue.poll(1L, TimeUnit.SECONDS));
            Assertions.assertEquals(0, this.handler.nbVisitedPaths());
            createFactoryConfiguration.delete();
        } catch (Throwable th) {
            createFactoryConfiguration.delete();
            throw th;
        }
    }

    @Test
    void testAllowUntrusted() throws Exception {
        startServer(false);
        this.session.addListener(List.of("ssl-allowed-provider1/*"), (str, resourceDataNotification) -> {
            this.queue.offer(resourceDataNotification);
        }, (ClientMetadataListener) null, (ClientLifecycleListener) null, (ClientActionListener) null);
        Assertions.assertNull(this.session.describeProvider("ssl-allowed-provider1"));
        String str2 = new String(readFile("csv-header-typed-mapping.json"));
        this.handler.setData("/data", readData("csv-header-typed.csv", "typed-provider", "ssl-allowed-provider"));
        Configuration createFactoryConfiguration = this.configAdmin.createFactoryConfiguration("sensinact.http.device.factory", "?");
        try {
            createFactoryConfiguration.update(new Hashtable(Map.of("tasks.oneshot", "[{\"url\": \"https://localhost:" + this.httpPort + "/data\", \"ssl.ignoreErrors\": true, \"mapping\": " + str2 + "}]")));
            Assertions.assertNotNull(this.queue.poll(1L, TimeUnit.SECONDS));
            Assertions.assertEquals(42, (Integer) this.session.getResourceValue("ssl-allowed-provider1", "data", "value", Integer.class));
            Assertions.assertEquals(1, this.handler.nbVisitedPaths());
            Assertions.assertEquals(1, this.handler.nbVisits("/data"));
            createFactoryConfiguration.delete();
        } catch (Throwable th) {
            createFactoryConfiguration.delete();
            throw th;
        }
    }

    @Test
    void testTrusted() throws Exception {
        startServer(false);
        this.session.addListener(List.of("ssl-trusted-provider1/*"), (str, resourceDataNotification) -> {
            this.queue.offer(resourceDataNotification);
        }, (ClientMetadataListener) null, (ClientLifecycleListener) null, (ClientActionListener) null);
        Assertions.assertNull(this.session.describeProvider("ssl-trusted-provider1"));
        String str2 = new String(readFile("csv-header-typed-mapping.json"));
        this.handler.setData("/data", readData("csv-header-typed.csv", "typed-provider", "ssl-trusted-provider"));
        Configuration createFactoryConfiguration = this.configAdmin.createFactoryConfiguration("sensinact.http.device.factory", "?");
        try {
            createFactoryConfiguration.update(new Hashtable(Map.of("tasks.oneshot", "[{\"url\": \"https://localhost:" + this.httpPort + "/data\", \"ssl.ignoreErrors\": false, \"ssl.truststore\": \"" + Paths.get(trustJksPath, new String[0]).toUri().toASCIIString() + "\", \"ssl.truststore.password\": \"password\", \"mapping\": " + str2 + "}]")));
            Assertions.assertNotNull(this.queue.poll(1L, TimeUnit.SECONDS));
            Assertions.assertEquals(42, (Integer) this.session.getResourceValue("ssl-trusted-provider1", "data", "value", Integer.class));
            Assertions.assertEquals(1, this.handler.nbVisitedPaths());
            Assertions.assertEquals(1, this.handler.nbVisits("/data"));
            createFactoryConfiguration.delete();
        } catch (Throwable th) {
            createFactoryConfiguration.delete();
            throw th;
        }
    }

    @Test
    void testClientAuthFailure() throws Exception {
        startServer(true);
        this.session.addListener(List.of("ssl-client-auth-fail-provider1/*"), (str, resourceDataNotification) -> {
            this.queue.offer(resourceDataNotification);
        }, (ClientMetadataListener) null, (ClientLifecycleListener) null, (ClientActionListener) null);
        Assertions.assertNull(this.session.describeProvider("ssl-client-auth-fail-provider1"));
        String str2 = new String(readFile("csv-header-typed-mapping.json"));
        this.handler.setData("/data", readData("csv-header-typed.csv", "typed-provider", "ssl-client-auth-fail-provider"));
        Configuration createFactoryConfiguration = this.configAdmin.createFactoryConfiguration("sensinact.http.device.factory", "?");
        try {
            createFactoryConfiguration.update(new Hashtable(Map.of("tasks.oneshot", "[{\"url\": \"https://localhost:" + this.httpPort + "/data\", \"ssl.ignoreErrors\": false, \"ssl.truststore\": \"" + Paths.get(trustJksPath, new String[0]).toUri().toASCIIString() + "\", \"ssl.truststore.password\": \"password\", \"mapping\": " + str2 + "}]")));
            Assertions.assertNull(this.queue.poll(1L, TimeUnit.SECONDS));
            Assertions.assertEquals(0, this.handler.nbVisitedPaths());
            createFactoryConfiguration.delete();
        } catch (Throwable th) {
            createFactoryConfiguration.delete();
            throw th;
        }
    }

    @Test
    void testClientAuthValid() throws Exception {
        startServer(true);
        this.session.addListener(List.of("ssl-client-auth-valid-provider1/*"), (str, resourceDataNotification) -> {
            this.queue.offer(resourceDataNotification);
        }, (ClientMetadataListener) null, (ClientLifecycleListener) null, (ClientActionListener) null);
        Assertions.assertNull(this.session.describeProvider("ssl-client-auth-valid-provider1"));
        String str2 = new String(readFile("csv-header-typed-mapping.json"));
        this.handler.setData("/data", readData("csv-header-typed.csv", "typed-provider", "ssl-client-auth-valid-provider"));
        Configuration createFactoryConfiguration = this.configAdmin.createFactoryConfiguration("sensinact.http.device.factory", "?");
        try {
            createFactoryConfiguration.update(new Hashtable(Map.of("tasks.oneshot", "[{\"url\": \"https://localhost:" + this.httpPort + "/data\", \"ssl.ignoreErrors\": false, \"ssl.truststore\": \"" + Paths.get(trustJksPath, new String[0]).toUri().toASCIIString() + "\", \"ssl.truststore.password\": \"password\", \"ssl.keystore\": \"" + Paths.get(clientJksPath, new String[0]).toUri().toASCIIString() + "\", \"ssl.keystore.password\": \"password\", \"mapping\": " + str2 + "}]")));
            Assertions.assertNotNull(this.queue.poll(1L, TimeUnit.SECONDS));
            Assertions.assertEquals(42, (Integer) this.session.getResourceValue("ssl-client-auth-valid-provider1", "data", "value", Integer.class));
            Assertions.assertEquals(1, this.handler.nbVisitedPaths());
            Assertions.assertEquals(1, this.handler.nbVisits("/data"));
            createFactoryConfiguration.delete();
        } catch (Throwable th) {
            createFactoryConfiguration.delete();
            throw th;
        }
    }
}
