package org.apache.activemq.artemis.tests.integration.amqp;

import java.io.BufferedReader;
import java.io.File;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.StringReader;
import java.lang.management.ManagementFactory;
import java.net.InetSocketAddress;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.PrivilegedActionException;
import java.text.MessageFormat;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Hashtable;
import java.util.Iterator;
import java.util.Map;
import java.util.logging.ConsoleHandler;
import java.util.logging.Handler;
import java.util.logging.Level;
import javax.jms.Connection;
import javax.jms.Queue;
import javax.jms.Session;
import javax.jms.TextMessage;
import javax.naming.NameClassPair;
import javax.naming.NamingEnumeration;
import javax.naming.directory.InitialDirContext;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.apache.activemq.artemis.api.core.TransportConfiguration;
import org.apache.activemq.artemis.core.config.impl.ConfigurationImpl;
import org.apache.activemq.artemis.core.security.Role;
import org.apache.activemq.artemis.core.server.ActiveMQServer;
import org.apache.activemq.artemis.core.server.ActiveMQServers;
import org.apache.activemq.artemis.spi.core.security.ActiveMQJAASSecurityManager;
import org.apache.activemq.artemis.tests.integration.ssl.CoreClientOverOneWaySSLKerb5Test;
import org.apache.activemq.artemis.tests.util.ActiveMQTestBase;
import org.apache.activemq.artemis.utils.RandomUtil;
import org.apache.commons.io.FileUtils;
import org.apache.commons.io.IOUtils;
import org.apache.directory.api.ldap.model.entry.DefaultEntry;
import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.directory.api.ldap.model.filter.PresenceNode;
import org.apache.directory.api.ldap.model.ldif.LdifEntry;
import org.apache.directory.api.ldap.model.ldif.LdifReader;
import org.apache.directory.api.ldap.model.ldif.LdifUtils;
import org.apache.directory.api.ldap.model.message.AliasDerefMode;
import org.apache.directory.api.ldap.model.message.SearchScope;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.server.annotations.CreateKdcServer;
import org.apache.directory.server.annotations.CreateLdapServer;
import org.apache.directory.server.annotations.CreateTransport;
import org.apache.directory.server.annotations.SaslMechanism;
import org.apache.directory.server.core.annotations.ApplyLdifFiles;
import org.apache.directory.server.core.annotations.ContextEntry;
import org.apache.directory.server.core.annotations.CreateDS;
import org.apache.directory.server.core.annotations.CreateIndex;
import org.apache.directory.server.core.annotations.CreatePartition;
import org.apache.directory.server.core.api.filtering.EntryFilteringCursor;
import org.apache.directory.server.core.integ.AbstractLdapTestUnit;
import org.apache.directory.server.core.integ.FrameworkRunner;
import org.apache.directory.server.core.kerberos.KeyDerivationInterceptor;
import org.apache.directory.server.kerberos.shared.crypto.encryption.KerberosKeyFactory;
import org.apache.directory.server.kerberos.shared.keytab.Keytab;
import org.apache.directory.server.kerberos.shared.keytab.KeytabEntry;
import org.apache.directory.server.ldap.handlers.sasl.gssapi.GssapiMechanismHandler;
import org.apache.directory.shared.kerberos.KerberosTime;
import org.apache.directory.shared.kerberos.components.EncryptionKey;
import org.apache.qpid.jms.JmsConnectionFactory;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.TemporaryFolder;
import org.junit.runner.RunWith;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@CreateLdapServer(transports = {@CreateTransport(protocol = "LDAP", port = 1024)}, saslHost = "localhost", saslPrincipal = "ldap/localhost@EXAMPLE.COM", saslMechanisms = {@SaslMechanism(name = "GSSAPI", implClass = GssapiMechanismHandler.class)})
@CreateKdcServer(transports = {@CreateTransport(protocol = "TCP", port = 0)})
@RunWith(FrameworkRunner.class)
@CreateDS(name = "Example", partitions = {@CreatePartition(name = "example", suffix = "dc=example,dc=com", contextEntry = @ContextEntry(entryLdif = "dn: dc=example,dc=com\ndc: example\nobjectClass: top\nobjectClass: domain\n\n"), indexes = {@CreateIndex(attribute = "objectClass"), @CreateIndex(attribute = "dc"), @CreateIndex(attribute = "ou")})}, additionalInterceptors = {KeyDerivationInterceptor.class})
@ApplyLdifFiles({"SaslKrb5LDAPSecurityTest.ldif"})
/* loaded from: input_file:org/apache/activemq/artemis/tests/integration/amqp/SaslKrb5LDAPSecurityTest.class */
public class SaslKrb5LDAPSecurityTest extends AbstractLdapTestUnit {
    protected static final Logger LOG = LoggerFactory.getLogger(SaslKrb5LDAPSecurityTest.class);
    public static final String QUEUE_NAME = "some_queue";
    ActiveMQServer server;
    public static final String TARGET_TMP = "./target/tmp";
    private static final String PRINCIPAL = "uid=admin,ou=system";
    private static final String CREDENTIALS = "secret";
    private final boolean debug = false;

    @Rule
    public TemporaryFolder temporaryFolder;
    private String testDir;

    public SaslKrb5LDAPSecurityTest() {
        File file = new File("./target/tmp");
        file.mkdirs();
        this.temporaryFolder = new TemporaryFolder(file);
    }

    @Before
    public void setUp() throws Exception {
        this.testDir = this.temporaryFolder.getRoot().getAbsolutePath();
        createPrincipal(new File("target/test.krb5.keytab"), CoreClientOverOneWaySSLKerb5Test.CLIENT_PRINCIPAL, "amqp/localhost", "ldap/localhost");
        rewriteKerb5Conf();
    }

    private void createArtemisServer(String str) {
        ActiveMQJAASSecurityManager activeMQJAASSecurityManager = new ActiveMQJAASSecurityManager(str);
        HashMap hashMap = new HashMap();
        hashMap.put("port", String.valueOf(5672));
        hashMap.put("protocols", "AMQP");
        HashMap hashMap2 = new HashMap();
        hashMap2.put("saslMechanisms", "GSSAPI");
        hashMap2.put("saslLoginConfigScope", "amqp-sasl-gssapi");
        this.server = ActiveMQServers.newActiveMQServer(new ConfigurationImpl().setSecurityEnabled(true).addAcceptorConfiguration(new TransportConfiguration(ActiveMQTestBase.NETTY_ACCEPTOR_FACTORY, hashMap, "netty-amqp", hashMap2)).setJournalDirectory(ActiveMQTestBase.getJournalDir(this.testDir, 0, false)).setBindingsDirectory(ActiveMQTestBase.getBindingsDir(this.testDir, 0, false)).setPagingDirectory(ActiveMQTestBase.getPageDir(this.testDir, 0, false)).setLargeMessagesDirectory(ActiveMQTestBase.getLargeMessagesDir(this.testDir, 0, false)), ManagementFactory.getPlatformMBeanServer(), activeMQJAASSecurityManager, false);
    }

    /* JADX WARN: Finally extract failed */
    private void rewriteKerb5Conf() throws Exception {
        StringBuilder sb = new StringBuilder();
        InputStream resourceAsStream = getClass().getClassLoader().getResourceAsStream("minikdc-krb5.conf");
        BufferedReader bufferedReader = null;
        try {
            bufferedReader = new BufferedReader(new InputStreamReader(resourceAsStream, StandardCharsets.UTF_8));
            for (String readLine = bufferedReader.readLine(); readLine != null; readLine = bufferedReader.readLine()) {
                sb.append(readLine).append("{3}");
            }
            IOUtils.closeQuietly(bufferedReader);
            IOUtils.closeQuietly(resourceAsStream);
            int port = ((InetSocketAddress) kdcServer.getTransports()[0].getAcceptor().getLocalAddress()).getPort();
            File absoluteFile = new File(this.testDir, "krb5.conf").getAbsoluteFile();
            FileUtils.writeStringToFile(absoluteFile, MessageFormat.format(sb.toString(), getRealm(), "localhost", Integer.toString(port), System.getProperty("line.separator")));
            System.setProperty("java.security.krb5.conf", absoluteFile.getAbsolutePath());
            System.setProperty("sun.security.krb5.debug", "true");
            Class<?> cls = System.getProperty("java.vendor").contains("IBM") ? Class.forName("com.ibm.security.krb5.internal.Config") : Class.forName("sun.security.krb5.Config");
            cls.getMethod("refresh", new Class[0]).invoke(cls, new Object[0]);
            LOG.info("krb5.conf to: {}", absoluteFile.getAbsolutePath());
        } catch (Throwable th) {
            IOUtils.closeQuietly(bufferedReader);
            IOUtils.closeQuietly(resourceAsStream);
            throw th;
        }
    }

    private void dumpLdapContents() throws Exception {
        String str;
        EntryFilteringCursor search = getService().getAdminSession().search(new Dn(new String[]{"ou=system"}), SearchScope.SUBTREE, new PresenceNode("ObjectClass"), AliasDerefMode.DEREF_ALWAYS, new String[0]);
        String str2 = "";
        while (true) {
            str = str2;
            if (!search.next()) {
                break;
            } else {
                str2 = str + LdifUtils.convertToLdif((Entry) search.get()) + "\n";
            }
        }
        System.out.println(str);
        EntryFilteringCursor search2 = getService().getAdminSession().search(new Dn(new String[]{"dc=example,dc=com"}), SearchScope.SUBTREE, new PresenceNode("ObjectClass"), AliasDerefMode.DEREF_ALWAYS, new String[0]);
        String str3 = "";
        while (true) {
            String str4 = str3;
            if (!search2.next()) {
                System.out.println(str4);
                return;
            }
            str3 = str4 + LdifUtils.convertToLdif((Entry) search2.get()) + "\n";
        }
    }

    private void initLogging() {
        java.util.logging.Logger logger = java.util.logging.Logger.getLogger("javax.security.sasl");
        logger.setLevel(Level.FINEST);
        logger.addHandler(new ConsoleHandler());
        for (Handler handler : logger.getHandlers()) {
            handler.setLevel(Level.FINEST);
        }
    }

    public synchronized void createPrincipal(String str, String str2) throws Exception {
        Iterator it = new LdifReader(new StringReader("dn: uid=" + str + "," + getKdcServer().getSearchBaseDn() + "\nobjectClass: top\nobjectClass: person\nobjectClass: inetOrgPerson\nobjectClass: krb5principal\nobjectClass: krb5kdcentry\ncn: " + str + "\nsn: " + str + "\nuid: " + str + "\nuserPassword: " + str2 + "\nbusinessCategory: cn=admins,ou=system\nbusinessCategory: cn=bees,ou=system\nkrb5PrincipalName: " + str + "@" + getRealm() + "\nkrb5KeyVersionNumber: 0")).iterator();
        while (it.hasNext()) {
            service.getAdminSession().add(new DefaultEntry(service.getSchemaManager(), ((LdifEntry) it.next()).getEntry()));
        }
    }

    public void createPrincipal(File file, String... strArr) throws Exception {
        Keytab keytab = new Keytab();
        ArrayList arrayList = new ArrayList();
        for (String str : strArr) {
            createPrincipal(str, "notSecret!");
            String str2 = str + "@" + getRealm();
            KerberosTime kerberosTime = new KerberosTime();
            Iterator it = KerberosKeyFactory.getKerberosKeys(str2, "notSecret!").entrySet().iterator();
            while (it.hasNext()) {
                EncryptionKey encryptionKey = (EncryptionKey) ((Map.Entry) it.next()).getValue();
                arrayList.add(new KeytabEntry(str2, 1L, kerberosTime, (byte) encryptionKey.getKeyVersion(), encryptionKey));
            }
        }
        keytab.setEntries(arrayList);
        keytab.write(file);
    }

    private String getRealm() {
        return getKdcServer().getConfig().getPrimaryRealm();
    }

    @After
    public void tearDown() throws Exception {
        if (this.server != null) {
            this.server.stop();
        }
    }

    @Test
    public void testRunning() throws Exception {
        Hashtable hashtable = new Hashtable();
        hashtable.put("java.naming.provider.url", "ldap://localhost:1024");
        hashtable.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
        hashtable.put("java.naming.security.authentication", "simple");
        hashtable.put("java.naming.security.principal", PRINCIPAL);
        hashtable.put("java.naming.security.credentials", CREDENTIALS);
        InitialDirContext initialDirContext = new InitialDirContext(hashtable);
        HashSet hashSet = new HashSet();
        NamingEnumeration list = initialDirContext.list("ou=system");
        while (list.hasMore()) {
            hashSet.add(((NameClassPair) list.next()).getName());
        }
        Assert.assertTrue(hashSet.contains("uid=admin"));
        Assert.assertTrue(hashSet.contains("ou=users"));
        Assert.assertTrue(hashSet.contains("ou=groups"));
        Assert.assertTrue(hashSet.contains("ou=configuration"));
        Assert.assertTrue(hashSet.contains("prefNodeName=sysPrefRoot"));
        initialDirContext.close();
    }

    @Test
    public void testSaslGssapiLdapAuth() throws Exception {
        Hashtable hashtable = new Hashtable();
        hashtable.put("java.naming.provider.url", "ldap://localhost:1024");
        hashtable.put("java.naming.factory.initial", "com.sun.jndi.ldap.LdapCtxFactory");
        hashtable.put("java.naming.security.authentication", "GSSAPI");
        LoginContext loginContext = new LoginContext("broker-sasl-gssapi");
        loginContext.login();
        try {
            Subject.doAs(loginContext.getSubject(), () -> {
                HashSet hashSet = new HashSet();
                InitialDirContext initialDirContext = new InitialDirContext(hashtable);
                NamingEnumeration list = initialDirContext.list("ou=system");
                while (list.hasMore()) {
                    hashSet.add(((NameClassPair) list.next()).getName());
                }
                Assert.assertTrue(hashSet.contains("uid=first"));
                Assert.assertTrue(hashSet.contains("cn=users"));
                Assert.assertTrue(hashSet.contains("ou=configuration"));
                Assert.assertTrue(hashSet.contains("prefNodeName=sysPrefRoot"));
                initialDirContext.close();
                return null;
            });
        } catch (PrivilegedActionException e) {
            throw e.getException();
        }
    }

    @Test
    public void testJAASSecurityManagerAuthorizationPositive() throws Exception {
        dotestJAASSecurityManagerAuthorizationPositive("Krb5PlusLdap", "admins");
    }

    @Test
    public void testJAASSecurityManagerAuthorizationPositiveMemberOf() throws Exception {
        dotestJAASSecurityManagerAuthorizationPositive("Krb5PlusLdapMemberOf", "bees");
    }

    @Test
    public void testJAASSecurityManagerAuthorizationPositiveNoRoleName() throws Exception {
        dotestJAASSecurityManagerAuthorizationPositive("Krb5PlusLdapNoRoleName", "cn=admins,ou=system");
    }

    @Test
    public void testJAASSecurityManagerAuthorizationPositiveMemberOfNoRoleName() throws Exception {
        dotestJAASSecurityManagerAuthorizationPositive("Krb5PlusLdapMemberOfNoRoleName", "cn=bees,ou=system");
    }

    public void dotestJAASSecurityManagerAuthorizationPositive(String str, String str2) throws Exception {
        createArtemisServer(str);
        HashSet hashSet = new HashSet();
        hashSet.add(new Role(str2, true, true, true, true, true, true, true, true, true, true));
        this.server.getConfiguration().putSecurityRoles(QUEUE_NAME, hashSet);
        this.server.start();
        Connection createConnection = new JmsConnectionFactory("amqp://localhost:5672?amqp.saslMechanisms=GSSAPI").createConnection(CoreClientOverOneWaySSLKerb5Test.CLIENT_PRINCIPAL, (String) null);
        try {
            createConnection.start();
            Session createSession = createConnection.createSession(false, 1);
            Queue createQueue = createSession.createQueue(QUEUE_NAME);
            String randomString = RandomUtil.randomString();
            try {
                createSession.createProducer(createQueue).send(createSession.createTextMessage(randomString));
            } catch (Exception e) {
                e.printStackTrace();
                Assert.fail("should not throw exception here");
            }
            try {
                TextMessage receive = createSession.createConsumer(createQueue).receive(1000L);
                Assert.assertNotNull(receive);
                Assert.assertEquals(randomString, receive.getText());
            } catch (Exception e2) {
                Assert.fail("should not throw exception here");
            }
        } finally {
            createConnection.close();
        }
    }

    static {
        URL resource;
        if (System.getProperty("java.security.auth.login.config") != null || (resource = SaslKrb5LDAPSecurityTest.class.getClassLoader().getResource("login.config")) == null) {
            return;
        }
        System.setProperty("java.security.auth.login.config", resource.getFile());
    }
}
