package com.cloudera.cmf.service.config;

import com.google.common.collect.ImmutableList;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.util.List;
import javax.crypto.spec.SecretKeySpec;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.alias.CredentialProvider;
import org.apache.hadoop.security.alias.CredentialProviderFactory;
import org.apache.hadoop.security.alias.JavaKeyStoreProvider;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;

/* loaded from: input_file:com/cloudera/cmf/service/config/GenericKeyStoreConfigFileGeneratorTest.class */
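/**
 * Tests for {@link GenericKeyStoreConfigFileGenerator}: sensitive configs are written into a
 * JCEKS keystore, must not appear in clear text in the serialized bytes, and must be readable
 * both through the JDK {@link KeyStore} API and through Hadoop's credential provider.
 *
 * <p>All passwords and credential values in this class are test fixtures, not real secrets.
 */
public class GenericKeyStoreConfigFileGeneratorTest {
    /** Name/value pairs that the generator is expected to store as keystore entries. */
    private static final List<EvaluatedConfig> SENSITIVE_CONFIGS = ImmutableList.of(
            new EvaluatedConfig("password1", "abracadabra"),
            new EvaluatedConfig("password2", "pAs5w0rd"),
            new EvaluatedConfig("password3", "12345678"));
    private static final String KEYSTORE_TYPE = "jceks";
    private static final String OUTPUT_FILE = "test.jceks";
    private static final String KEYSTORE_PASSWORD = "supersecretpassword";
    // Property Hadoop reads to locate credential providers.
    private static final String PROVIDER_PATH_KEY = "hadoop.security.credential.provider.path";
    // NOTE(review): "none" is presumably Hadoop's built-in default keystore password, which
    // JavaKeyStoreProvider falls back to when no credstore password is supplied — confirm.
    // A keystore sealed with a well-known password has no confidentiality of its own; it is
    // then protected only by the permissions on the file.
    private static final String HADOOP_DEFAULT_PASSWORD = "none";

    // Directory containing /log4j.properties on the test classpath; keystore files go here.
    private String parentDir;

    /**
     * Runs the generator over {@link #SENSITIVE_CONFIGS} and returns the serialized keystore.
     *
     * @param keystorePassword password handed to the generator's constructor
     * @param skipSensitive flag forwarded to {@code generate}; when {@code true} the tests
     *     expect no output at all (name inferred from {@code testSkipSensitive} — confirm)
     * @return the bytes the generator wrote
     * @throws ConfigGenException if generation fails
     */
    private byte[] generateJceksBytes(String keystorePassword, boolean skipSensitive)
            throws ConfigGenException {
        GenericKeyStoreConfigFileGenerator generator =
                new GenericKeyStoreConfigFileGenerator(OUTPUT_FILE, keystorePassword, KEYSTORE_TYPE);
        SimpleConfigFile configFile = new SimpleConfigFile(OUTPUT_FILE);
        configFile.addAll(SENSITIVE_CONFIGS);
        Assert.assertEquals(OUTPUT_FILE, generator.getOutputFileName());
        Assert.assertTrue(generator.allowConfigFileConflictResolution());
        ByteArrayOutputStream sink = new ByteArrayOutputStream();
        generator.generate(configFile, sink, skipSensitive);
        return sink.toByteArray();
    }

    /**
     * Writes {@code bArr} to the file at path {@code str}, replacing any existing content.
     *
     * <p>try-with-resources keeps a write failure as the primary exception; a failure in
     * {@code close()} is attached as suppressed instead of masking it.
     */
    private void writeBytes(byte[] bArr, String str) throws Exception {
        try (FileOutputStream out = new FileOutputStream(str)) {
            out.write(bArr);
        }
    }

    /** Resolves the directory of the classpath resource {@code /log4j.properties}. */
    @Before
    public void getParent() throws Exception {
        this.parentDir = new File(getClass().getResource("/log4j.properties").toURI()).getParent();
    }

    /**
     * Verifies that no secret value appears in the raw keystore bytes and that every entry can
     * be recovered through {@link KeyStore} with the keystore password.
     */
    @Test
    public void testBasic() throws Exception {
        byte[] keystoreBytes = generateJceksBytes(KEYSTORE_PASSWORD, false);

        // ISO-8859-1 maps each byte to exactly one char, so contains() is a plain byte-substring
        // search over the keystore. This only catches the secret in its single-byte (ASCII)
        // form, which is sufficient for the ASCII fixtures used here.
        String rawView = new String(keystoreBytes, StandardCharsets.ISO_8859_1);
        for (EvaluatedConfig secret : SENSITIVE_CONFIGS) {
            Assert.assertFalse("Found " + secret.getValue() + " in raw bytes of keystore",
                    rawView.contains(secret.getValue()));
        }

        KeyStore keyStore = KeyStore.getInstance(KEYSTORE_TYPE);
        keyStore.load(new ByteArrayInputStream(keystoreBytes), KEYSTORE_PASSWORD.toCharArray());
        for (EvaluatedConfig secret : SENSITIVE_CONFIGS) {
            String alias = secret.getName();
            // The same password is used for the store and for each entry.
            SecretKeySpec key = (SecretKeySpec) keyStore.getKey(alias, KEYSTORE_PASSWORD.toCharArray());
            Assert.assertNotNull("Key with alias " + alias + " not found.", key);
            // Decode with an explicit charset rather than the platform default.
            // NOTE(review): assumes the generator stores values as UTF-8 bytes — confirm.
            Assert.assertEquals("Mismatch of credentials for alias " + alias, secret.getValue(),
                    new String(key.getEncoded(), StandardCharsets.UTF_8));
        }
    }

    /**
     * Writes a keystore to disk and reads every entry back through Hadoop's
     * {@link CredentialProviderFactory}.
     *
     * <p>NOTE(review): this presumably passes only while the environment running the test does
     * not override Hadoop's keystore password — confirm. The file is left in
     * {@link #parentDir} after the test.
     */
    @Test
    public void testActualUse() throws Exception {
        String keystorePath = this.parentDir + "/" + OUTPUT_FILE;
        writeBytes(generateJceksBytes(HADOOP_DEFAULT_PASSWORD, false), keystorePath);

        Configuration conf = new Configuration();
        conf.set(PROVIDER_PATH_KEY, "jceks://file/" + keystorePath);
        List<CredentialProvider> providers = CredentialProviderFactory.getProviders(conf);
        Assert.assertEquals(1L, providers.size());
        Assert.assertTrue("Not a Keystore", providers.get(0) instanceof JavaKeyStoreProvider);

        JavaKeyStoreProvider provider = (JavaKeyStoreProvider) providers.get(0);
        for (EvaluatedConfig secret : SENSITIVE_CONFIGS) {
            String alias = secret.getName();
            CredentialProvider.CredentialEntry entry = provider.getCredentialEntry(alias);
            Assert.assertNotNull("Key with alias " + alias + " not found.", entry);
            Assert.assertEquals("Mismatch of credentials for alias " + alias, secret.getValue(),
                    new String(entry.getCredential()));
        }
    }

    /** With the skip flag set, the generator must emit no bytes at all. */
    @Test
    public void testSkipSensitive() throws Exception {
        Assert.assertEquals("Shouldn't have any output bytes", 0L,
                generateJceksBytes(HADOOP_DEFAULT_PASSWORD, true).length);
    }

    /**
     * A keystore sealed with a password Hadoop does not know must be rejected with an
     * {@link IOException} when the provider is loaded, not opened with empty contents.
     */
    @Test
    public void testBadPassword() throws Exception {
        String keystorePath = this.parentDir + "/bad-" + OUTPUT_FILE;
        writeBytes(generateJceksBytes("wrong-password", false), keystorePath);

        Configuration conf = new Configuration();
        conf.set(PROVIDER_PATH_KEY, "jceks://file/" + keystorePath);
        try {
            CredentialProviderFactory.getProviders(conf);
            Assert.fail("Should have failed due to bad password");
        } catch (IOException expected) {
            // Expected: the provider could not open the keystore with the password it has.
        }
    }
}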
