package org.apache.activemq.artemis.tests.integration.amqp.connect;

import io.vertx.core.Handler;
import io.vertx.core.Vertx;
import io.vertx.core.http.ClientAuth;
import io.vertx.core.net.JksOptions;
import io.vertx.core.net.NetSocket;
import io.vertx.proton.ProtonConnection;
import io.vertx.proton.ProtonServerOptions;
import io.vertx.proton.sasl.ProtonSaslAuthenticator;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Objects;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import javax.crypto.Mac;
import javax.security.auth.login.LoginException;
import org.apache.activemq.artemis.core.config.amqpBrokerConnectivity.AMQPBrokerConnectConfiguration;
import org.apache.activemq.artemis.core.server.ActiveMQServer;
import org.apache.activemq.artemis.protocol.amqp.sasl.SASLResult;
import org.apache.activemq.artemis.protocol.amqp.sasl.scram.SCRAMServerSASL;
import org.apache.activemq.artemis.spi.core.security.scram.SCRAM;
import org.apache.activemq.artemis.spi.core.security.scram.ScramUtils;
import org.apache.activemq.artemis.spi.core.security.scram.UserData;
import org.apache.activemq.artemis.tests.integration.amqp.AmqpClientTestSupport;
import org.apache.qpid.proton.engine.Sasl;
import org.apache.qpid.proton.engine.Transport;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;

/* loaded from: input_file:org/apache/activemq/artemis/tests/integration/amqp/connect/AMQPConnectSaslTest.class */
public class AMQPConnectSaslTest extends AmqpClientTestSupport {
    private static final int BROKER_PORT_NUM = 5673;
    private static final String SERVER_KEYSTORE_NAME = "server-keystore.jks";
    private static final String SERVER_KEYSTORE_PASSWORD = "securepass";
    private static final String CLIENT_KEYSTORE_NAME = "client-keystore.jks";
    private static final String CLIENT_KEYSTORE_PASSWORD = "securepass";
    private static final String SERVER_TRUSTSTORE_NAME = "server-ca-truststore.jks";
    private static final String SERVER_TRUSTSTORE_PASSWORD = "securepass";
    private static final String CLIENT_TRUSTSTORE_NAME = "client-ca-truststore.jks";
    private static final String CLIENT_TRUSTSTORE_PASSWORD = "securepass";
    private static final String USER = "MY_USER";
    private static final String PASSWD = "PASSWD_VALUE";
    private static final String PLAIN = "PLAIN";
    private static final String ANONYMOUS = "ANONYMOUS";
    private static final String EXTERNAL = "EXTERNAL";
    private Vertx vertx;
    private MockServer mockServer;

    /* loaded from: input_file:org/apache/activemq/artemis/tests/integration/amqp/connect/AMQPConnectSaslTest$SCRAMTestAuthenticator.class */
    private static final class SCRAMTestAuthenticator implements ProtonSaslAuthenticator {
        private final SCRAM mech;
        private Sasl sasl;
        private TestSCRAMServerSASL serverSASL;
        private String chosenMech;

        SCRAMTestAuthenticator(SCRAM scram) {
            this.mech = scram;
        }

        public void init(NetSocket netSocket, ProtonConnection protonConnection, Transport transport) {
            this.sasl = transport.sasl();
            this.sasl.server();
            this.sasl.allowSkip(false);
            this.sasl.setMechanisms(new String[]{this.mech.getName(), AMQPConnectSaslTest.PLAIN, AMQPConnectSaslTest.ANONYMOUS});
            try {
                this.serverSASL = new TestSCRAMServerSASL(this.mech);
            } catch (NoSuchAlgorithmException e) {
                throw new AssertionError(e);
            }
        }

        public void process(Handler<Boolean> handler) {
            String[] remoteMechanisms = this.sasl.getRemoteMechanisms();
            int pending = this.sasl.pending();
            if (remoteMechanisms.length == 0 || pending == 0) {
                handler.handle(false);
                return;
            }
            this.chosenMech = remoteMechanisms[0];
            byte[] bArr = new byte[pending];
            this.sasl.recv(bArr, 0, bArr.length);
            byte[] processSASL = this.serverSASL.processSASL(bArr);
            if (processSASL != null) {
                this.sasl.send(processSASL, 0, processSASL.length);
            }
            if (!this.serverSASL.isEnded()) {
                handler.handle(false);
                return;
            }
            if (succeeded()) {
                this.sasl.done(Sasl.SaslOutcome.PN_SASL_OK);
            } else {
                this.sasl.done(Sasl.SaslOutcome.PN_SASL_AUTH);
            }
            handler.handle(true);
        }

        public boolean succeeded() {
            SASLResult result = this.serverSASL.result();
            return result != null && result.isSuccess() && this.serverSASL.e == null;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/activemq/artemis/tests/integration/amqp/connect/AMQPConnectSaslTest$TestAuthenticator.class */
    public static final class TestAuthenticator implements ProtonSaslAuthenticator {
        private Sasl sasl;
        private final boolean succeed;
        private final String[] offeredMechs;
        String chosenMech = null;
        byte[] initialResponse = null;
        boolean done = false;

        TestAuthenticator(boolean z, String... strArr) {
            if (strArr.length == 0) {
                throw new IllegalArgumentException("Must provide at least 1 mechanism to offer");
            }
            this.offeredMechs = strArr;
            this.succeed = z;
        }

        public void init(NetSocket netSocket, ProtonConnection protonConnection, Transport transport) {
            this.sasl = transport.sasl();
            this.sasl.server();
            this.sasl.allowSkip(false);
            this.sasl.setMechanisms(this.offeredMechs);
        }

        public void process(Handler<Boolean> handler) {
            if (!this.done) {
                String[] remoteMechanisms = this.sasl.getRemoteMechanisms();
                if (remoteMechanisms.length > 0) {
                    this.chosenMech = remoteMechanisms[0];
                    this.initialResponse = new byte[this.sasl.pending()];
                    this.sasl.recv(this.initialResponse, 0, this.initialResponse.length);
                    if (this.succeed) {
                        this.sasl.done(Sasl.SaslOutcome.PN_SASL_OK);
                    } else {
                        this.sasl.done(Sasl.SaslOutcome.PN_SASL_AUTH);
                    }
                    this.done = true;
                }
            }
            handler.handle(Boolean.valueOf(this.done));
        }

        public boolean succeeded() {
            return this.succeed;
        }

        public String getChosenMech() {
            return this.chosenMech;
        }

        public byte[] getInitialResponse() {
            return this.initialResponse;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/activemq/artemis/tests/integration/amqp/connect/AMQPConnectSaslTest$TestSCRAMServerSASL.class */
    public static final class TestSCRAMServerSASL extends SCRAMServerSASL {
        private Exception e;

        TestSCRAMServerSASL(SCRAM scram) throws NoSuchAlgorithmException {
            super(scram);
        }

        public void done() {
        }

        protected UserData aquireUserData(String str) throws LoginException {
            if (!AMQPConnectSaslTest.USER.equals(str)) {
                throw new LoginException("invalid username");
            }
            byte[] bArr = new byte[32];
            new SecureRandom().nextBytes(bArr);
            try {
                ScramUtils.NewPasswordStringData byteArrayToStringData = ScramUtils.byteArrayToStringData(ScramUtils.newPassword(AMQPConnectSaslTest.PASSWD, bArr, 4096, MessageDigest.getInstance(this.mechanism.getDigest()), Mac.getInstance(this.mechanism.getHmac())));
                return new UserData(byteArrayToStringData.salt, byteArrayToStringData.iterations, byteArrayToStringData.serverKey, byteArrayToStringData.storedKey);
            } catch (Exception e) {
                throw new LoginException(e.getMessage());
            }
        }

        protected void failed(Exception exc) {
            this.e = exc;
        }
    }

    @Override // org.apache.activemq.artemis.tests.integration.amqp.AmqpClientTestSupport
    protected ActiveMQServer createServer() throws Exception {
        return createServer(BROKER_PORT_NUM, false);
    }

    @Override // org.apache.activemq.artemis.tests.integration.amqp.AmqpClientTestSupport
    @Before
    public void setUp() throws Exception {
        super.setUp();
        this.vertx = Vertx.vertx();
    }

    @Override // org.apache.activemq.artemis.tests.integration.amqp.AmqpClientTestSupport, org.apache.activemq.artemis.tests.integration.amqp.AmqpTestSupport
    @After
    public void tearDown() throws Exception {
        try {
            super.tearDown();
        } finally {
            if (this.mockServer != null) {
                this.mockServer.close();
            }
            CountDownLatch countDownLatch = new CountDownLatch(1);
            this.vertx.close(asyncResult -> {
                countDownLatch.countDown();
            });
            assertTrue("Vert.x instant not closed in alotted time", countDownLatch.await(5L, TimeUnit.SECONDS));
        }
    }

    @Test(timeout = 20000)
    public void testConnectsWithAnonymous() throws Exception {
        CountDownLatch countDownLatch = new CountDownLatch(1);
        TestAuthenticator testAuthenticator = new TestAuthenticator(true, PLAIN, ANONYMOUS);
        this.mockServer = new MockServer(this.vertx, () -> {
            return testAuthenticator;
        }, protonConnection -> {
            protonConnection.openHandler(asyncResult -> {
                countDownLatch.countDown();
                protonConnection.closeHandler(asyncResult -> {
                    protonConnection.close();
                });
                protonConnection.open();
            });
        });
        AMQPBrokerConnectConfiguration aMQPBrokerConnectConfiguration = new AMQPBrokerConnectConfiguration("testSimpleConnect", "tcp://localhost:" + this.mockServer.actualPort());
        aMQPBrokerConnectConfiguration.setReconnectAttempts(0);
        this.server.getConfiguration().addAMQPConnection(aMQPBrokerConnectConfiguration);
        this.server.start();
        assertTrue("Broker did not open connection in alotted time", countDownLatch.await(10L, TimeUnit.SECONDS));
        assertEquals(ANONYMOUS, testAuthenticator.getChosenMech());
        assertArrayEquals(new byte[0], testAuthenticator.getInitialResponse());
    }

    @Test(timeout = 20000)
    public void testConnectsWithPlain() throws Exception {
        CountDownLatch countDownLatch = new CountDownLatch(1);
        TestAuthenticator testAuthenticator = new TestAuthenticator(true, PLAIN, ANONYMOUS);
        this.mockServer = new MockServer(this.vertx, () -> {
            return testAuthenticator;
        }, protonConnection -> {
            protonConnection.openHandler(asyncResult -> {
                countDownLatch.countDown();
                protonConnection.closeHandler(asyncResult -> {
                    protonConnection.close();
                });
                protonConnection.open();
            });
        });
        AMQPBrokerConnectConfiguration aMQPBrokerConnectConfiguration = new AMQPBrokerConnectConfiguration("testSimpleConnect", "tcp://localhost:" + this.mockServer.actualPort());
        aMQPBrokerConnectConfiguration.setReconnectAttempts(0);
        aMQPBrokerConnectConfiguration.setUser(USER);
        aMQPBrokerConnectConfiguration.setPassword(PASSWD);
        this.server.getConfiguration().addAMQPConnection(aMQPBrokerConnectConfiguration);
        this.server.start();
        assertTrue("Broker did not open connection in alotted time", countDownLatch.await(10L, TimeUnit.SECONDS));
        assertEquals(PLAIN, testAuthenticator.getChosenMech());
        assertArrayEquals(expectedPlainInitialResponse(USER, PASSWD), testAuthenticator.getInitialResponse());
    }

    @Test(timeout = 200000)
    public void testConnectsWithSCRAM() throws Exception {
        CountDownLatch countDownLatch = new CountDownLatch(1);
        SCRAMTestAuthenticator sCRAMTestAuthenticator = new SCRAMTestAuthenticator(SCRAM.SHA512);
        this.mockServer = new MockServer(this.vertx, () -> {
            return sCRAMTestAuthenticator;
        }, protonConnection -> {
            protonConnection.openHandler(asyncResult -> {
                countDownLatch.countDown();
                protonConnection.closeHandler(asyncResult -> {
                    protonConnection.close();
                });
                protonConnection.open();
            });
        });
        AMQPBrokerConnectConfiguration aMQPBrokerConnectConfiguration = new AMQPBrokerConnectConfiguration("testSScramConnect", "tcp://localhost:" + this.mockServer.actualPort());
        aMQPBrokerConnectConfiguration.setReconnectAttempts(0);
        aMQPBrokerConnectConfiguration.setUser(USER);
        aMQPBrokerConnectConfiguration.setPassword(PASSWD);
        this.server.getConfiguration().addAMQPConnection(aMQPBrokerConnectConfiguration);
        this.server.start();
        assertTrue("Broker did not open connection in alotted time", countDownLatch.await(10L, TimeUnit.SECONDS));
        assertEquals(SCRAM.SHA512.getName(), sCRAMTestAuthenticator.chosenMech);
        assertTrue(sCRAMTestAuthenticator.succeeded());
    }

    @Test(timeout = 20000)
    public void testConnectsWithExternal() throws Exception {
        doConnectWithExternalTestImpl(true);
    }

    @Test(timeout = 20000)
    public void testExternalIgnoredWhenNoClientCertSupplied() throws Exception {
        doConnectWithExternalTestImpl(false);
    }

    private void doConnectWithExternalTestImpl(boolean z) throws ExecutionException, InterruptedException, Exception {
        CountDownLatch countDownLatch = new CountDownLatch(1);
        TestAuthenticator testAuthenticator = new TestAuthenticator(true, EXTERNAL, PLAIN);
        JksOptions password = new JksOptions().setPath(getClass().getClassLoader().getResource(SERVER_KEYSTORE_NAME).getFile()).setPassword("securepass");
        ProtonServerOptions protonServerOptions = new ProtonServerOptions();
        protonServerOptions.setSsl(true);
        protonServerOptions.setKeyStoreOptions(password);
        if (z) {
            protonServerOptions.setTrustStoreOptions(new JksOptions().setPath(getClass().getClassLoader().getResource(CLIENT_TRUSTSTORE_NAME).getFile()).setPassword("securepass"));
            protonServerOptions.setClientAuth(ClientAuth.REQUIRED);
        }
        this.mockServer = new MockServer(this.vertx, protonServerOptions, () -> {
            return testAuthenticator;
        }, protonConnection -> {
            protonConnection.openHandler(asyncResult -> {
                countDownLatch.countDown();
                protonConnection.closeHandler(asyncResult -> {
                    protonConnection.close();
                });
                protonConnection.open();
            });
        });
        String str = "tcp://localhost:" + this.mockServer.actualPort() + "?sslEnabled=true;trustStorePath=server-ca-truststore.jks;trustStorePassword=securepass";
        if (z) {
            str = str + ";keyStorePath=client-keystore.jks;keyStorePassword=securepass";
        }
        AMQPBrokerConnectConfiguration aMQPBrokerConnectConfiguration = new AMQPBrokerConnectConfiguration("testSimpleConnect", str);
        aMQPBrokerConnectConfiguration.setReconnectAttempts(0);
        aMQPBrokerConnectConfiguration.setUser(USER);
        aMQPBrokerConnectConfiguration.setPassword(PASSWD);
        this.server.getConfiguration().addAMQPConnection(aMQPBrokerConnectConfiguration);
        this.server.start();
        assertTrue("Broker did not open connection in alotted time", countDownLatch.await(10L, TimeUnit.SECONDS));
        if (z) {
            assertEquals(EXTERNAL, testAuthenticator.getChosenMech());
            assertArrayEquals(new byte[0], testAuthenticator.getInitialResponse());
        } else {
            assertEquals(PLAIN, testAuthenticator.getChosenMech());
            assertArrayEquals(expectedPlainInitialResponse(USER, PASSWD), testAuthenticator.getInitialResponse());
        }
    }

    private static byte[] expectedPlainInitialResponse(String str, String str2) {
        Objects.requireNonNull(str);
        Objects.requireNonNull(str2);
        if (str.isEmpty() || str2.isEmpty()) {
            throw new IllegalArgumentException("Must provide at least 1 character in user and pass");
        }
        byte[] bytes = str.getBytes(StandardCharsets.UTF_8);
        byte[] bytes2 = str2.getBytes(StandardCharsets.UTF_8);
        byte[] bArr = new byte[bytes.length + bytes2.length + 2];
        System.arraycopy(bytes, 0, bArr, 1, bytes.length);
        System.arraycopy(bytes2, 0, bArr, 2 + bytes.length, bytes2.length);
        return bArr;
    }
}
