package com.yahoo.vespa.model.container.xml;

import com.yahoo.config.model.api.EndpointCertificateSecrets;
import com.yahoo.config.model.builder.xml.test.DomBuilderTest;
import com.yahoo.config.model.deploy.DeployState;
import com.yahoo.config.model.deploy.TestProperties;
import com.yahoo.config.model.test.MockApplicationPackage;
import com.yahoo.config.provision.Environment;
import com.yahoo.config.provision.RegionName;
import com.yahoo.config.provision.SystemName;
import com.yahoo.config.provision.Zone;
import com.yahoo.jdisc.http.ConnectorConfig;
import com.yahoo.jdisc.http.ServerConfig;
import com.yahoo.jdisc.http.filter.security.cloud.config.CloudDataPlaneFilterConfig;
import com.yahoo.security.KeyAlgorithm;
import com.yahoo.security.KeyUtils;
import com.yahoo.security.SignatureAlgorithm;
import com.yahoo.security.X509CertificateBuilder;
import com.yahoo.security.X509CertificateUtils;
import com.yahoo.vespa.model.container.ContainerModel;
import com.yahoo.vespa.model.container.http.ConnectorFactory;
import com.yahoo.vespa.model.container.http.JettyHttpServer;
import java.io.File;
import java.io.IOException;
import java.math.BigInteger;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.List;
import java.util.Optional;
import javax.security.auth.x500.X500Principal;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.io.TempDir;
import org.w3c.dom.Element;

/* loaded from: input_file:com/yahoo/vespa/model/container/xml/CloudDataPlaneFilterTest.class */
public class CloudDataPlaneFilterTest extends ContainerModelBuilderTestBase {

    @TempDir
    public File applicationFolder;
    Path securityFolder;
    private static final String cloudDataPlaneFilterConfigId = "container/filters/chain/cloud-data-plane-secure/component/com.yahoo.jdisc.http.filter.security.cloud.CloudDataPlaneFilter";

    @BeforeEach
    public void setup() throws IOException {
        this.securityFolder = this.applicationFolder.toPath().resolve("security");
        Files.createDirectories(this.securityFolder, new FileAttribute[0]);
    }

    @Test
    public void it_generates_correct_config() throws IOException {
        Path resolve = this.securityFolder.resolve("foo.pem");
        Element parse = DomBuilderTest.parse("<container version='1.0'>\n  <clients>\n    <client id=\"foo\" permissions=\"read,write\">\n        <certificate file=\"%s\"/>\n    </client>\n  </clients>\n</container>\n".formatted(this.applicationFolder.toPath().relativize(resolve).toString()));
        X509Certificate createCertificate = createCertificate(resolve);
        buildModel(parse);
        CloudDataPlaneFilterConfig config = this.root.getConfig(CloudDataPlaneFilterConfig.class, cloudDataPlaneFilterConfigId);
        Assertions.assertFalse(config.legacyMode());
        List clients = config.clients();
        Assertions.assertEquals(1, clients.size());
        CloudDataPlaneFilterConfig.Clients clients2 = (CloudDataPlaneFilterConfig.Clients) clients.get(0);
        Assertions.assertEquals("foo", clients2.id());
        Assertions.assertIterableEquals(List.of("read", "write"), clients2.permissions());
        Assertions.assertIterableEquals(List.of(X509CertificateUtils.toPem(createCertificate)), clients2.certificates());
        List certificateListFromPem = X509CertificateUtils.certificateListFromPem(connectorConfig().ssl().caCertificate());
        Assertions.assertEquals(1, certificateListFromPem.size());
        Assertions.assertEquals(List.of(createCertificate), certificateListFromPem);
        ServerConfig config2 = this.root.getConfig(ServerConfig.class, "container/http");
        Assertions.assertEquals("cloud-data-plane-insecure", ((ServerConfig.DefaultFilters) config2.defaultFilters().get(0)).filterId());
        Assertions.assertEquals(8080, ((ServerConfig.DefaultFilters) config2.defaultFilters().get(0)).localPort());
        Assertions.assertEquals("cloud-data-plane-secure", ((ServerConfig.DefaultFilters) config2.defaultFilters().get(1)).filterId());
        Assertions.assertEquals(4443, ((ServerConfig.DefaultFilters) config2.defaultFilters().get(1)).localPort());
    }

    @Test
    public void it_generates_correct_legacy_config() throws IOException {
        Path resolve = this.securityFolder.resolve("clients.pem");
        Element parse = DomBuilderTest.parse("<container version='1.0' />");
        X509Certificate createCertificate = createCertificate(resolve);
        buildModel(parse);
        CloudDataPlaneFilterConfig config = this.root.getConfig(CloudDataPlaneFilterConfig.class, cloudDataPlaneFilterConfigId);
        Assertions.assertTrue(config.legacyMode());
        Assertions.assertEquals(0, config.clients().size());
        List certificateListFromPem = X509CertificateUtils.certificateListFromPem(connectorConfig().ssl().caCertificate());
        Assertions.assertEquals(1, certificateListFromPem.size());
        Assertions.assertEquals(List.of(createCertificate), certificateListFromPem);
    }

    @Test
    public void it_rejects_files_without_certificates() throws IOException {
        Path resolve = this.securityFolder.resolve("foo.pem");
        Element parse = DomBuilderTest.parse("<container version='1.0'>\n  <clients>\n    <client id=\"foo\" permissions=\"read,write\">\n        <certificate file=\"%s\"/>\n    </client>\n  </clients>\n</container>\n".formatted(this.applicationFolder.toPath().relativize(resolve).toString()));
        Files.writeString(resolve, "effectively empty", new OpenOption[0]);
        Assertions.assertEquals("File security/foo.pem does not contain any certificates.", ((IllegalArgumentException) Assertions.assertThrows(IllegalArgumentException.class, () -> {
            buildModel(parse);
        })).getMessage());
    }

    @Test
    public void it_rejects_invalid_client_ids() throws IOException {
        Element parse = DomBuilderTest.parse("<container version='1.0'>\n  <clients>\n    <client id=\"_foo\" permissions=\"read,write\">\n        <certificate file=\"foo\"/>\n    </client>\n  </clients>\n</container>\n");
        Assertions.assertEquals("Invalid client id '_foo', id cannot start with '_'", ((IllegalArgumentException) Assertions.assertThrows(IllegalArgumentException.class, () -> {
            buildModel(parse);
        })).getMessage());
    }

    private ConnectorConfig connectorConfig() {
        ConnectorFactory connectorFactory = (ConnectorFactory) ((JettyHttpServer) this.root.getProducer("container/container.0").getHttp().getHttpServer().get()).getConnectorFactories().stream().filter(connectorFactory2 -> {
            return connectorFactory2.getListenPort() == 4443;
        }).findFirst().orElseThrow();
        ConnectorConfig.Builder builder = new ConnectorConfig.Builder();
        connectorFactory.getConfig(builder);
        return new ConnectorConfig(builder);
    }

    static X509Certificate createCertificate(Path path) throws IOException {
        X509Certificate build = X509CertificateBuilder.fromKeypair(KeyUtils.generateKeypair(KeyAlgorithm.EC, 256), new X500Principal("CN=mysubject"), Instant.now(), Instant.now().plus(1L, (TemporalUnit) ChronoUnit.DAYS), SignatureAlgorithm.SHA512_WITH_ECDSA, BigInteger.valueOf(1L)).build();
        Files.writeString(path, X509CertificateUtils.toPem(build), new OpenOption[0]);
        return build;
    }

    public List<ContainerModel> buildModel(Element... elementArr) {
        return createModel(this.root, new DeployState.Builder().applicationPackage(new MockApplicationPackage.Builder().withRoot(this.applicationFolder).build()).properties(new TestProperties().setEndpointCertificateSecrets(Optional.of(new EndpointCertificateSecrets("CERT", "KEY"))).setHostedVespa(true)).zone(new Zone(SystemName.PublicCd, Environment.dev, RegionName.defaultName())).build(), null, elementArr);
    }
}
