package org.eclipse.hono.service.management.credentials;

import io.vertx.core.json.DecodeException;
import io.vertx.core.json.Json;
import io.vertx.core.json.JsonArray;
import io.vertx.core.json.JsonObject;
import io.vertx.core.net.SelfSignedCertificate;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Iterator;
import java.util.List;
import java.util.function.Function;
import java.util.stream.Stream;
import org.assertj.core.api.Assertions;
import org.junit.jupiter.api.Test;
import org.mockito.ArgumentMatchers;
import org.mockito.Mockito;

/* loaded from: input_file:org/eclipse/hono/service/management/credentials/CredentialsTest.class */
public class CredentialsTest {
    private static final String NOT_BEFORE_STRING = "2020-08-11T11:38:00Z";
    private static final Instant NOT_BEFORE = Instant.parse(NOT_BEFORE_STRING);
    private static final String NOT_AFTER_STRING = "2031-09-11T11:38:00Z";
    private static final Instant NOT_AFTER = Instant.parse(NOT_AFTER_STRING);
    private static final String SECRET_COMMENT = "secret comment";

    static Stream<String> illegalPasswordCredentialAuthIds() {
        return Stream.of((Object[]) new String[]{"$", "#", "%", "!", "(", ")", "?", ",", ";", ":", "@", " ", ""});
    }

    private static <T extends CommonSecret> T addCommonProperties(T t) {
        t.setComment(SECRET_COMMENT);
        t.setNotBefore(NOT_BEFORE);
        t.setNotAfter(NOT_AFTER);
        return t;
    }

    private static X509Certificate getCertificate() {
        try {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new FileInputStream(SelfSignedCertificate.create("hono.eclipse.org").certificatePath()));
        } catch (FileNotFoundException | CertificateException e) {
            throw new RuntimeException("cannot create certificate", e);
        }
    }

    private void assertCommonSecretProperties(JsonObject jsonObject) {
        Assertions.assertThat(jsonObject.getString("not-before")).isEqualTo(NOT_BEFORE_STRING);
        Assertions.assertThat(jsonObject.getString("not-after")).isEqualTo(NOT_AFTER_STRING);
    }

    private void assertCommonSecretProperties(CommonSecret commonSecret) {
        Assertions.assertThat(commonSecret.getComment()).isEqualTo(SECRET_COMMENT);
        Assertions.assertThat(commonSecret.getNotBefore()).isEqualTo(NOT_BEFORE);
        Assertions.assertThat(commonSecret.getNotAfter()).isEqualTo(NOT_AFTER);
    }

    @Test
    public void testEncodePasswordCredential() {
        PasswordSecret passwordSecret = new PasswordSecret();
        addCommonProperties(passwordSecret);
        passwordSecret.setPasswordHash("2a5d81942494986ce6e23aadfa18cd426a1d7ab90629a0814d244c4cd82cc81f");
        passwordSecret.setSalt("abc");
        passwordSecret.setHashFunction("sha-256");
        PasswordCredential passwordCredential = new PasswordCredential("foo", List.of(passwordSecret));
        passwordCredential.setComment("setec astronomy");
        JsonObject mapFrom = JsonObject.mapFrom(passwordCredential);
        org.junit.jupiter.api.Assertions.assertNotNull(mapFrom);
        org.junit.jupiter.api.Assertions.assertEquals("hashed-password", mapFrom.getString("type"));
        org.junit.jupiter.api.Assertions.assertEquals("foo", mapFrom.getString("auth-id"));
        org.junit.jupiter.api.Assertions.assertEquals("setec astronomy", mapFrom.getString("comment"));
        org.junit.jupiter.api.Assertions.assertEquals(1, mapFrom.getJsonArray("secrets").size());
        JsonObject jsonObject = mapFrom.getJsonArray("secrets").getJsonObject(0);
        assertCommonSecretProperties(jsonObject);
        Assertions.assertThat(jsonObject.getString("hash-function")).isEqualTo("sha-256");
        org.junit.jupiter.api.Assertions.assertEquals("2a5d81942494986ce6e23aadfa18cd426a1d7ab90629a0814d244c4cd82cc81f", jsonObject.getString("pwd-hash"));
        org.junit.jupiter.api.Assertions.assertEquals("abc", jsonObject.getString("salt"));
    }

    @Test
    public void testDecodePasswordCredentialSucceeds() {
        PasswordCredential passwordCredential = (PasswordCredential) new JsonObject().put("type", "hashed-password").put("auth-id", "foo_ID-ext.4563=F").put("enabled", true).put("secrets", new JsonArray().add(new JsonObject().put("enabled", true).put("not-before", NOT_BEFORE_STRING).put("not-after", NOT_AFTER_STRING).put("hash-function", "sha-256").put("pwd-hash", "2a5d81942494986ce6e23aadfa18cd426a1d7ab90629a0814d244c4cd82cc81f").put("salt", "abc").put("comment", SECRET_COMMENT))).mapTo(PasswordCredential.class);
        org.junit.jupiter.api.Assertions.assertNotNull(passwordCredential);
        org.junit.jupiter.api.Assertions.assertEquals("foo_ID-ext.4563=F", passwordCredential.getAuthId());
        org.junit.jupiter.api.Assertions.assertTrue(passwordCredential.isEnabled());
        org.junit.jupiter.api.Assertions.assertEquals(1, passwordCredential.getSecrets().size());
        PasswordSecret passwordSecret = (PasswordSecret) passwordCredential.getSecrets().get(0);
        assertCommonSecretProperties((CommonSecret) passwordSecret);
        org.junit.jupiter.api.Assertions.assertEquals("abc", passwordSecret.getSalt());
        org.junit.jupiter.api.Assertions.assertEquals("sha-256", passwordSecret.getHashFunction());
        org.junit.jupiter.api.Assertions.assertEquals("2a5d81942494986ce6e23aadfa18cd426a1d7ab90629a0814d244c4cd82cc81f", passwordSecret.getPasswordHash());
    }

    @Test
    public void testEncodePskCredential() {
        byte[] bArr = {0, 1};
        PskSecret pskSecret = new PskSecret();
        addCommonProperties(pskSecret);
        pskSecret.setKey(bArr);
        JsonObject mapFrom = JsonObject.mapFrom(new PskCredential("foo", List.of(pskSecret)));
        org.junit.jupiter.api.Assertions.assertNotNull(mapFrom);
        org.junit.jupiter.api.Assertions.assertEquals("psk", mapFrom.getString("type"));
        Assertions.assertThat(mapFrom.getJsonArray("secrets")).hasSize(1);
        JsonObject jsonObject = mapFrom.getJsonArray("secrets").getJsonObject(0);
        assertCommonSecretProperties(jsonObject);
        Assertions.assertThat(jsonObject.getBinary("key")).isEqualTo(bArr);
    }

    @Test
    public void testDecodePskCredential() {
        byte[] bArr = {0, 1};
        PskCredential pskCredential = (PskCredential) new JsonObject().put("type", "psk").put("auth-id", "foo_ID-ext.4563=F").put("enabled", true).put("secrets", new JsonArray().add(new JsonObject().put("enabled", true).put("not-before", NOT_BEFORE_STRING).put("not-after", NOT_AFTER_STRING).put("key", Base64.getEncoder().encodeToString(bArr)).put("comment", SECRET_COMMENT))).mapTo(PskCredential.class);
        org.junit.jupiter.api.Assertions.assertEquals("foo_ID-ext.4563=F", pskCredential.getAuthId());
        org.junit.jupiter.api.Assertions.assertTrue(pskCredential.isEnabled());
        org.junit.jupiter.api.Assertions.assertEquals(1, pskCredential.getSecrets().size());
        PskSecret pskSecret = (PskSecret) pskCredential.getSecrets().get(0);
        assertCommonSecretProperties((CommonSecret) pskSecret);
        Assertions.assertThat(pskSecret.getKey()).isEqualTo(bArr);
    }

    @Test
    public void testEncodeX509Credential() {
        X509CertificateSecret x509CertificateSecret = new X509CertificateSecret();
        addCommonProperties(x509CertificateSecret);
        JsonObject mapFrom = JsonObject.mapFrom(X509CertificateCredential.fromSubjectDn("CN=foo, O=bar", List.of(x509CertificateSecret)));
        org.junit.jupiter.api.Assertions.assertEquals("x509-cert", mapFrom.getString("type"));
        org.junit.jupiter.api.Assertions.assertEquals("CN=foo,O=bar", mapFrom.getString("auth-id"));
        assertCommonSecretProperties(mapFrom.getJsonArray("secrets").getJsonObject(0));
        JsonObject mapFrom2 = JsonObject.mapFrom(X509CertificateCredential.fromSubjectDn("emailAddress=hono@eclipse.org,O=Eclipse", List.of(x509CertificateSecret)));
        org.junit.jupiter.api.Assertions.assertEquals("x509-cert", mapFrom2.getString("type"));
        org.junit.jupiter.api.Assertions.assertEquals("1.2.840.113549.1.9.1=#1610686f6e6f4065636c697073652e6f7267,O=Eclipse", mapFrom2.getString("auth-id"));
        assertCommonSecretProperties(mapFrom2.getJsonArray("secrets").getJsonObject(0));
    }

    @Test
    public void testDecodeX509CredentialFromSubjectDn() {
        X509CertificateCredential x509CertificateCredential = (X509CertificateCredential) new JsonObject().put("type", "x509-cert").put("auth-id", "CN=Acme").put("enabled", true).put("secrets", new JsonArray().add(new JsonObject().put("enabled", true).put("not-before", NOT_BEFORE_STRING).put("not-after", NOT_AFTER_STRING).put("comment", SECRET_COMMENT))).mapTo(X509CertificateCredential.class);
        org.junit.jupiter.api.Assertions.assertEquals("CN=Acme", x509CertificateCredential.getAuthId());
        org.junit.jupiter.api.Assertions.assertTrue(x509CertificateCredential.isEnabled());
        org.junit.jupiter.api.Assertions.assertEquals(1, x509CertificateCredential.getSecrets().size());
        assertCommonSecretProperties((CommonSecret) x509CertificateCredential.getSecrets().get(0));
    }

    @Test
    public void testDecodeX509CredentialFromClientCertificate() throws CertificateEncodingException {
        X509Certificate certificate = getCertificate();
        X509CertificateCredential x509CertificateCredential = (X509CertificateCredential) new JsonObject().put("type", "x509-cert").put("cert", certificate.getEncoded()).put("enabled", true).put("secrets", new JsonArray().add(new JsonObject().put("enabled", true).put("not-before", NOT_BEFORE_STRING).put("not-after", NOT_AFTER_STRING).put("comment", SECRET_COMMENT))).mapTo(X509CertificateCredential.class);
        Assertions.assertThat(x509CertificateCredential.getAuthId()).isEqualTo(certificate.getSubjectX500Principal().getName("RFC2253"));
        Assertions.assertThat(x509CertificateCredential.isEnabled()).isTrue();
        Assertions.assertThat(x509CertificateCredential.getSecrets()).hasSize(1);
        X509CertificateSecret x509CertificateSecret = (X509CertificateSecret) x509CertificateCredential.getSecrets().get(0);
        Assertions.assertThat(x509CertificateSecret.getNotBefore()).isEqualTo(certificate.getNotBefore().toInstant());
        Assertions.assertThat(x509CertificateSecret.getNotAfter()).isEqualTo(certificate.getNotAfter().toInstant());
    }

    @Test
    public void testEncodeGenericCredential() {
        GenericSecret genericSecret = new GenericSecret();
        addCommonProperties(genericSecret);
        JsonObject mapFrom = JsonObject.mapFrom(new GenericCredential("custom-type", "foo", List.of(genericSecret)));
        Assertions.assertThat(mapFrom.getString("type")).isEqualTo("custom-type");
        assertCommonSecretProperties(mapFrom.getJsonArray("secrets").getJsonObject(0));
        Assertions.assertThat((CommonCredential) mapFrom.mapTo(CommonCredential.class)).isInstanceOf(GenericCredential.class);
    }

    @Test
    public void testDecodeGenericCredential() {
        GenericCredential genericCredential = (GenericCredential) new JsonObject().put("type", "custom-type").put("auth-id", "foo_ID-ext.4563=F").put("enabled", true).put("secrets", new JsonArray().add(new JsonObject().put("enabled", true).put("not-before", NOT_BEFORE_STRING).put("not-after", NOT_AFTER_STRING).put("comment", SECRET_COMMENT))).mapTo(GenericCredential.class);
        Assertions.assertThat(genericCredential.getType()).isEqualTo("custom-type");
        org.junit.jupiter.api.Assertions.assertEquals("foo_ID-ext.4563=F", genericCredential.getAuthId());
        org.junit.jupiter.api.Assertions.assertTrue(genericCredential.isEnabled());
        org.junit.jupiter.api.Assertions.assertEquals(1, genericCredential.getSecrets().size());
        assertCommonSecretProperties((CommonSecret) genericCredential.getSecrets().get(0));
    }

    @Test
    public void testEncodeArray() {
        testEncodeMany(list -> {
            return list.toArray(i -> {
                return new CommonCredential[i];
            });
        });
    }

    protected void testEncodeMany(Function<List<CommonCredential>, Object> function) {
        ArrayList arrayList = new ArrayList();
        PskSecret pskSecret = new PskSecret();
        pskSecret.setKey("foo".getBytes(StandardCharsets.UTF_8));
        arrayList.add(new PskCredential("device", List.of(pskSecret)));
        arrayList.add(new GenericCredential("custom", "device", List.of(new GenericSecret())));
        Iterator it = new JsonArray(Json.encode(function.apply(arrayList))).iterator();
        while (it.hasNext()) {
            Object next = it.next();
            org.junit.jupiter.api.Assertions.assertTrue(next instanceof JsonObject);
            org.junit.jupiter.api.Assertions.assertNotNull(((JsonObject) next).getString("type"));
            org.junit.jupiter.api.Assertions.assertNotNull(((JsonObject) next).getString("auth-id"));
            org.junit.jupiter.api.Assertions.assertNotNull(((JsonObject) next).getJsonArray("secrets"));
        }
    }

    @Test
    public void testDecodeFailsForUnknownProperties() {
        Assertions.assertThatThrownBy(() -> {
            Json.decodeValue("{\"type\": \"psk\", \"auth-id\": \"device1\", \"unexpected\": \"property\"}", CommonCredential.class);
        }).isInstanceOf(DecodeException.class);
        Assertions.assertThatThrownBy(() -> {
            Json.decodeValue("{\"type\": \"hashed-password\", \"auth-id\": \"device1\", \"unexpected\": \"property\"}", CommonCredential.class);
        }).isInstanceOf(DecodeException.class);
        Assertions.assertThatThrownBy(() -> {
            Json.decodeValue("{\"type\": \"x509-cert\", \"auth-id\": \"CN=foo\", \"unexpected\": \"property\"}", CommonCredential.class);
        }).isInstanceOf(DecodeException.class);
    }

    @Test
    public void testDecodeCredentialsFailsForMissingSecrets() {
        JsonObject put = new JsonObject().put("type", "hashed-password").put("auth-id", "foo_ID-ext.4563=F").put("enabled", true);
        Assertions.assertThatThrownBy(() -> {
            put.mapTo(PasswordCredential.class);
        }).isInstanceOf(IllegalArgumentException.class);
        put.put("secrets", new JsonArray());
        Assertions.assertThatThrownBy(() -> {
            put.mapTo(PasswordCredential.class);
        }).isInstanceOf(IllegalArgumentException.class);
        JsonObject put2 = new JsonObject().put("type", "psk").put("auth-id", "foo_ID-ext.4563=F").put("enabled", true);
        Assertions.assertThatThrownBy(() -> {
            put2.mapTo(PasswordCredential.class);
        }).isInstanceOf(IllegalArgumentException.class);
        put2.put("secrets", new JsonArray());
        Assertions.assertThatThrownBy(() -> {
            put2.mapTo(PasswordCredential.class);
        }).isInstanceOf(IllegalArgumentException.class);
        JsonObject put3 = new JsonObject().put("type", "x509-cert").put("auth-id", "CN=Acme").put("enabled", true);
        Assertions.assertThatThrownBy(() -> {
            put3.mapTo(PasswordCredential.class);
        }).isInstanceOf(IllegalArgumentException.class);
        put3.put("secrets", new JsonArray());
        Assertions.assertThatThrownBy(() -> {
            put3.mapTo(PasswordCredential.class);
        }).isInstanceOf(IllegalArgumentException.class);
        JsonObject put4 = new JsonObject().put("type", "custom").put("auth-id", "foo_ID-ext.4563=F").put("enabled", true);
        Assertions.assertThatThrownBy(() -> {
            put4.mapTo(GenericCredential.class);
        }).isInstanceOf(IllegalArgumentException.class);
        put4.put("secrets", new JsonArray());
        Assertions.assertThatThrownBy(() -> {
            put4.mapTo(GenericCredential.class);
        }).isInstanceOf(IllegalArgumentException.class);
    }

    @Test
    public void testEncodeDecode1() {
        PasswordSecret passwordSecret = new PasswordSecret();
        passwordSecret.setPasswordHash("setec astronomy");
        passwordSecret.setSalt("abc");
        passwordSecret.setNotAfter(NOT_AFTER);
        PasswordCredential[] passwordCredentialArr = (CommonCredential[]) Json.decodeValue(Json.encode(new CommonCredential[]{new PasswordCredential("abcd-=.", List.of(passwordSecret))}), CommonCredential[].class);
        Assertions.assertThat(passwordCredentialArr[0]).isInstanceOf(PasswordCredential.class);
        PasswordCredential passwordCredential = passwordCredentialArr[0];
        Assertions.assertThat(passwordCredential.getAuthId()).isEqualTo("abcd-=.");
        Assertions.assertThat(passwordCredential.getSecrets()).hasSize(1);
        Assertions.assertThat(((PasswordSecret) passwordCredential.getSecrets().get(0)).getNotAfter()).isEqualTo(NOT_AFTER);
    }

    @Test
    public void testMergeFailsForDifferentType() {
        PasswordCredential createPasswordCredential = Credentials.createPasswordCredential("foo", "bar");
        Assertions.assertThatThrownBy(() -> {
            createPasswordCredential.merge(Credentials.createPSKCredential("acme", "key"));
        }).isInstanceOf(IllegalArgumentException.class);
    }

    @Test
    public void testMergeFailsForNonMatchingSecretId() {
        PasswordSecret passwordSecret = (PasswordSecret) Mockito.spy(PasswordSecret.class);
        passwordSecret.setId("two");
        PasswordCredential passwordCredential = new PasswordCredential("foo", List.of(passwordSecret));
        PasswordSecret passwordSecret2 = (PasswordSecret) Mockito.spy(PasswordSecret.class);
        passwordSecret2.setId("one");
        PasswordCredential passwordCredential2 = new PasswordCredential("foo", List.of(passwordSecret2));
        Assertions.assertThatThrownBy(() -> {
            passwordCredential2.merge(passwordCredential);
        }).isInstanceOf(IllegalArgumentException.class);
        ((PasswordSecret) Mockito.verify(passwordSecret, Mockito.never())).merge((CommonSecret) ArgumentMatchers.any(PasswordSecret.class));
        ((PasswordSecret) Mockito.verify(passwordSecret2, Mockito.never())).merge((CommonSecret) ArgumentMatchers.any(PasswordSecret.class));
    }

    @Test
    public void testMergeSucceedsForMatchingSecretIds() {
        PskSecret pskSecret = (PskSecret) Mockito.spy(PskSecret.class);
        pskSecret.setId("one");
        PskCredential pskCredential = new PskCredential("foo", List.of(pskSecret));
        PskSecret pskSecret2 = (PskSecret) Mockito.spy(PskSecret.class);
        pskSecret2.setId("one");
        PskSecret pskSecret3 = (PskSecret) Mockito.spy(PskSecret.class);
        PskCredential pskCredential2 = new PskCredential("foo", List.of(pskSecret2, pskSecret3));
        pskCredential2.merge(pskCredential);
        ((PskSecret) Mockito.verify(pskSecret2)).merge(pskSecret);
        ((PskSecret) Mockito.verify(pskSecret, Mockito.never())).merge((CommonSecret) ArgumentMatchers.any(CommonSecret.class));
        ((PskSecret) Mockito.verify(pskSecret3, Mockito.never())).merge((CommonSecret) ArgumentMatchers.any(CommonSecret.class));
        Assertions.assertThat(pskCredential2.getSecrets()).hasSize(2);
    }

    @Test
    public void testInstantiationFailsForIllegalAuthId() {
        illegalPasswordCredentialAuthIds().forEach(str -> {
            Assertions.assertThatThrownBy(() -> {
                new PasswordCredential(str, List.of(new PasswordSecret()));
            }).isInstanceOf(IllegalArgumentException.class);
        });
        Assertions.assertThatThrownBy(() -> {
            X509CertificateCredential.fromSubjectDn("not-a-subject-DN", List.of(new X509CertificateSecret()));
        }).isInstanceOf(IllegalArgumentException.class);
    }

    @Test
    public void testDecodeFailsForIllegalAuthId() {
        JsonObject put = new JsonObject().put("pwd-plain", "the-pwd");
        illegalPasswordCredentialAuthIds().forEach(str -> {
            JsonObject put2 = new JsonObject().put("type", "hashed-password").put("auth-id", str).put("secrets", new JsonArray().add(put));
            Assertions.assertThatThrownBy(() -> {
                put2.mapTo(PasswordCredential.class);
            }).isInstanceOf(IllegalArgumentException.class);
        });
        JsonObject put2 = new JsonObject().put("type", "x509-cert").put("auth-id", "not-a-subject-DN").put("secrets", new JsonArray().add(new JsonObject()));
        Assertions.assertThatThrownBy(() -> {
            put2.mapTo(X509CertificateCredential.class);
        }).isInstanceOf(IllegalArgumentException.class);
    }

    @Test
    public void testDecodeCredentialFailsForMissingType() {
        JsonObject put = new JsonObject().put("auth-id", "device1").put("secrets", new JsonArray().add(new JsonObject()));
        Assertions.assertThatThrownBy(() -> {
            put.mapTo(CommonCredential.class);
        }).isInstanceOf(IllegalArgumentException.class);
    }
}
