package com.yahoo.vespa.model.application.validation;

import com.yahoo.config.application.api.ApplicationPackage;
import com.yahoo.config.model.NullConfigModelRegistry;
import com.yahoo.config.model.api.EndpointCertificateSecrets;
import com.yahoo.config.model.deploy.DeployState;
import com.yahoo.config.model.deploy.TestProperties;
import com.yahoo.config.model.test.MockApplicationPackage;
import com.yahoo.config.provision.Environment;
import com.yahoo.config.provision.RegionName;
import com.yahoo.config.provision.SystemName;
import com.yahoo.config.provision.Zone;
import com.yahoo.path.Path;
import com.yahoo.security.KeyAlgorithm;
import com.yahoo.security.KeyUtils;
import com.yahoo.security.SignatureAlgorithm;
import com.yahoo.security.X509CertificateBuilder;
import com.yahoo.security.X509CertificateUtils;
import com.yahoo.vespa.model.VespaModel;
import java.io.File;
import java.io.IOException;
import java.io.StringReader;
import java.math.BigInteger;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import javax.security.auth.x500.X500Principal;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.io.TempDir;
import org.xml.sax.SAXException;

/* loaded from: input_file:com/yahoo/vespa/model/application/validation/CloudDataPlaneFilterValidatorTest.class */
/**
 * Tests for {@code CloudDataPlaneFilterValidator}.
 *
 * <p>Each test builds a mock application package whose {@code services.xml} declares
 * data-plane clients with certificate files, writes the given certificates as PEM under
 * {@code security/}, and runs the validator against the resulting model. Distinct client
 * certificates must pass; the same certificate listed twice (in two files, or twice inside
 * one file) must be rejected with a message naming the offending files and subject.
 */
public class CloudDataPlaneFilterValidatorTest {

    @TempDir
    public File applicationFolder;

    @Test
    void validator_accepts_distinct_client_certificates() throws IOException, SAXException {
        String fooFile = "security/foo.pem";
        String barFile = "security/bar.pem";
        String services = "        <services version='1.0'>\n          <container version='1.0'>\n            <clients>\n              <client id=\"a\" permissions=\"read,write\">\n                <certificate file=\"%s\"/>\n              </client>\n              <client id=\"b\" permissions=\"read,write\">\n                <certificate file=\"%s\"/>\n              </client>\n            </clients>\n          </container>\n        </services>\n".formatted(fooFile, barFile);
        Map<String, List<X509Certificate>> certificateFiles = Map.of(
                fooFile, List.of(createCertificate("foo")),
                barFile, List.of(createCertificate("bar")));
        DeployState state = createDeployState(services, certificateFiles);
        VespaModel model = new VespaModel(new NullConfigModelRegistry(), state);
        // Two different certificates: the validator must not throw.
        runValidator(model, state);
    }

    @Test
    void validator_rejects_duplicate_client_certificates_different_files() throws IOException, SAXException {
        String fileA = "security/a.pem";
        String fileB = "security/b.pem";
        X509Certificate shared = createCertificate("a");
        String services = "<services version='1.0'>\n  <container version='1.0'>\n    <clients>\n      <client id=\"a\" permissions=\"read,write\">\n        <certificate file=\"%s\"/>\n      </client>\n      <client id=\"b\" permissions=\"read,write\">\n        <certificate file=\"%s\"/>\n      </client>\n    </clients>\n  </container>\n</services>\n".formatted(fileA, fileB);
        // The same certificate object is written to both files.
        Map<String, List<X509Certificate>> certificateFiles = Map.of(
                fileA, List.of(shared),
                fileB, List.of(shared));
        DeployState state = createDeployState(services, certificateFiles);
        VespaModel model = new VespaModel(new NullConfigModelRegistry(), state);

        IllegalArgumentException thrown = Assertions.assertThrows(IllegalArgumentException.class,
                () -> runValidator(model, state));

        String expected = "Duplicate certificate(s) detected in files: [%s, %s]. Certificate subject of duplicates: [%s]"
                .formatted(fileA, fileB, shared.getSubjectX500Principal().getName());
        Assertions.assertEquals(expected, thrown.getMessage());
    }

    @Test
    void validator_rejects_duplicate_client_certificates_same_file() throws IOException, SAXException {
        String fileA = "security/a.pem";
        X509Certificate shared = createCertificate("a");
        String services = "<services version='1.0'>\n  <container version='1.0'>\n    <clients>\n      <client id=\"a\" permissions=\"read,write\">\n        <certificate file=\"%s\"/>\n      </client>\n    </clients>\n  </container>\n</services>\n".formatted(fileA);
        // One file containing the same certificate twice.
        Map<String, List<X509Certificate>> certificateFiles = Map.of(fileA, List.of(shared, shared));
        DeployState state = createDeployState(services, certificateFiles);
        VespaModel model = new VespaModel(new NullConfigModelRegistry(), state);

        IllegalArgumentException thrown = Assertions.assertThrows(IllegalArgumentException.class,
                () -> runValidator(model, state));

        String expected = "Duplicate certificate(s) detected in files: [%s]. Certificate subject of duplicates: [%s]"
                .formatted(fileA, shared.getSubjectX500Principal().getName());
        Assertions.assertEquals(expected, thrown.getMessage());
    }

    /** Runs a fresh validator instance against the given model and deploy state. */
    private static void runValidator(VespaModel model, DeployState state) {
        new CloudDataPlaneFilterValidator().validate(model, state);
    }

    /**
     * Builds a deploy state for a hosted, public-CD dev-zone application.
     *
     * @param servicesXml the services.xml content of the mock application package
     * @param certificateFiles application-relative file name to the certificates written there as PEM
     * @return a deploy state wrapping the mock application package
     */
    private DeployState createDeployState(String servicesXml, Map<String, List<X509Certificate>> certificateFiles) {
        ApplicationPackage applicationPackage = new MockApplicationPackage.Builder()
                .withRoot(this.applicationFolder)
                .withServices(servicesXml)
                .build();
        // The certificate files live under security/; create the directory before writing into it.
        applicationPackage.getFile(Path.fromString("security")).createDirectory();
        for (Map.Entry<String, List<X509Certificate>> entry : certificateFiles.entrySet()) {
            String pem = X509CertificateUtils.toPem(entry.getValue());
            applicationPackage.getFile(Path.fromString(entry.getKey())).writeFile(new StringReader(pem));
        }
        TestProperties properties = new TestProperties()
                .setEndpointCertificateSecrets(Optional.of(new EndpointCertificateSecrets("CERT", "KEY")))
                .setHostedVespa(true);
        Zone zone = new Zone(SystemName.PublicCd, Environment.dev, RegionName.defaultName());
        return new DeployState.Builder()
                .applicationPackage(applicationPackage)
                .properties(properties)
                .zone(zone)
                .build();
    }

    /**
     * Creates a self-signed test certificate with the given common name, a fresh EC P-256 key pair,
     * serial number 1, and one day of validity starting now.
     *
     * @param commonName the CN placed in the subject
     * @return the generated certificate
     */
    static X509Certificate createCertificate(String commonName) throws IOException {
        Instant notBefore = Instant.now();
        Instant notAfter = Instant.now().plus(1L, ChronoUnit.DAYS);
        return X509CertificateBuilder
                .fromKeypair(KeyUtils.generateKeypair(KeyAlgorithm.EC, 256),
                             new X500Principal("CN=" + commonName),
                             notBefore,
                             notAfter,
                             SignatureAlgorithm.SHA512_WITH_ECDSA,
                             BigInteger.valueOf(1L))
                .build();
    }
}
