package org.apache.hadoop.hbase.thrift;

import java.io.BufferedInputStream;
import java.io.File;
import java.io.IOException;
import java.lang.reflect.Method;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseClassTestRule;
import org.apache.hadoop.hbase.HBaseTestingUtility;
import org.apache.hadoop.hbase.testclassification.ClientTests;
import org.apache.hadoop.hbase.testclassification.LargeTests;
import org.apache.hadoop.hbase.thrift.generated.Hbase;
import org.apache.hadoop.hbase.util.EnvironmentEdgeManager;
import org.apache.hadoop.hbase.util.EnvironmentEdgeManagerTestHelper;
import org.apache.hadoop.hbase.util.IncrementingEnvironmentEdge;
import org.apache.hadoop.security.ssl.KeyStoreTestUtil;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.entity.ByteArrayEntity;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.ssl.TrustStrategy;
import org.apache.thrift.protocol.TBinaryProtocol;
import org.apache.thrift.transport.TMemoryBuffer;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.ClassRule;
import org.junit.Test;
import org.junit.experimental.categories.Category;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

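/**
 * Verifies that the Thrift HTTP server, when run with TLS enabled, answers a Thrift call over
 * HTTPS and attaches the expected security response headers.
 *
 * <p>Each test generates a fresh RSA key pair and self-signed certificate, writes a JKS key store
 * for the server and a JKS trust store for the client, and starts a Thrift server bound to a free
 * port. The HTTP client trusts only the generated trust store, so the TLS handshake is really
 * validated instead of being bypassed with a trust-all strategy.
 */
@Category({ClientTests.class, LargeTests.class})
public class TestThriftHttpServerSSL {

    @ClassRule
    public static final HBaseClassTestRule CLASS_RULE = HBaseClassTestRule.forClass(TestThriftHttpServerSSL.class);
    private static final Logger LOG = LoggerFactory.getLogger(TestThriftHttpServerSSL.class);
    private static final HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility();
    // Fixture passwords: they only protect the throwaway key material generated in setUp().
    // Never reuse these values, or this hard-coded pattern, for a real key store.
    private static final String KEY_STORE_PASSWORD = "myKSPassword";
    private static final String TRUST_STORE_PASSWORD = "myTSPassword";
    private File keyDir;
    private HttpClientBuilder httpClientBuilder;
    private ThriftServerRunner tsr;
    private HttpPost httpPost = null;

    /** Starts the mini cluster with the Thrift server switched to HTTP transport. */
    @BeforeClass
    public static void setUpBeforeClass() throws Exception {
        Configuration clusterConf = TEST_UTIL.getConfiguration();
        clusterConf.setBoolean("hbase.regionserver.thrift.http", true);
        clusterConf.setBoolean("hbase.table.sanity.checks", false);
        TEST_UTIL.startMiniCluster();
        EnvironmentEdgeManagerTestHelper.injectEdge(new IncrementingEnvironmentEdge());
    }

    /** Stops the mini cluster and restores the default environment edge. */
    @AfterClass
    public static void tearDownAfterClass() throws Exception {
        TEST_UTIL.shutdownMiniCluster();
        EnvironmentEdgeManager.reset();
    }

    /**
     * Generates the TLS fixtures, starts a TLS-enabled Thrift server and prepares an HTTPS client
     * and request that target it.
     */
    @Before
    public void setUp() throws Exception {
        initializeAlgorithmId();
        this.keyDir = initKeystoreDir();
        // NOTE(review): deleteOnExit() only removes a directory that is empty at JVM exit, so the
        // generated .jks files are presumably cleaned up with the test data dir - confirm.
        this.keyDir.deleteOnExit();

        // Self-signed, 30-day certificate for localhost. SHA1withRSA is acceptable only because
        // this certificate is a local test fixture; it is not a signature algorithm to copy into
        // a deployment.
        KeyPair keyPair = KeyStoreTestUtil.generateKeyPair("RSA");
        X509Certificate serverCert =
            KeyStoreTestUtil.generateCertificate("CN=localhost, O=server", keyPair, 30, "SHA1withRSA");
        generateTrustStore(serverCert);
        generateKeyStore(keyPair, serverCert);

        // Copy the cluster configuration so the TLS settings stay local to this test instance.
        Configuration configuration = new Configuration(TEST_UTIL.getConfiguration());
        configuration.setBoolean("hbase.thrift.ssl.enabled", true);
        configuration.set("hbase.thrift.ssl.keystore.store", getKeystoreFilePath());
        configuration.set("hbase.thrift.ssl.keystore.password", KEY_STORE_PASSWORD);
        configuration.set("hbase.thrift.ssl.keystore.keypassword", KEY_STORE_PASSWORD);
        this.tsr = TestThriftServerCmdLine.createBoundServer(() -> new ThriftServer(configuration));
        String url = "https://localhost:" + this.tsr.getThriftServer().listenPort;

        // Load the trust store written above; the stream is closed on every path.
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (BufferedInputStream in =
            new BufferedInputStream(Files.newInputStream(new File(getTruststoreFilePath()).toPath()))) {
            trustStore.load(in, TRUST_STORE_PASSWORD.toCharArray());
        }

        // A null TrustStrategy means "no override": the server chain must validate against the
        // trust store, so a server presenting any other certificate fails the handshake.
        this.httpClientBuilder = HttpClients.custom();
        this.httpClientBuilder.setSSLContext(
            SSLContexts.custom().loadTrustMaterial(trustStore, (TrustStrategy) null).build());

        this.httpPost = new HttpPost(url);
        this.httpPost.setHeader("Content-Type", "application/x-thrift");
        this.httpPost.setHeader("Accept", "application/x-thrift");
        this.httpPost.setHeader("User-Agent", "Java/THttpClient/HC");
    }

    /** Releases the HTTP connection and shuts the Thrift server down. */
    @After
    public void tearDown() throws IOException {
        try {
            if (this.httpPost != null) {
                this.httpPost.releaseConnection();
            }
        } finally {
            // Close the server even if releasing the connection fails, so the port is not leaked
            // into the next test.
            if (this.tsr != null) {
                this.tsr.close();
            }
        }
    }

    /**
     * Sends a {@code getClusterId} Thrift call over HTTPS and checks the status code and the
     * security headers on the response.
     *
     * <p>The expected values pin what the server currently emits. The asserted
     * Content-Security-Policy allows {@code 'unsafe-inline'} and {@code 'unsafe-eval'}, which
     * gives little protection against script injection, and {@code X-XSS-Protection} is a legacy
     * header; the assertions guard against the headers disappearing, they do not endorse these
     * values as a hardening baseline.
     */
    @Test
    public void testSecurityHeaders() throws Exception {
        TMemoryBuffer requestBuffer = new TMemoryBuffer(100);
        new Hbase.Client(new TBinaryProtocol(requestBuffer)).send_getClusterId();
        this.httpPost.setEntity(new ByteArrayEntity(requestBuffer.getArray()));

        // Close both the client and the response; the response was previously never closed.
        try (CloseableHttpClient client = this.httpClientBuilder.build();
            CloseableHttpResponse response = client.execute(this.httpPost)) {
            Assert.assertEquals(200, response.getStatusLine().getStatusCode());
            assertHeader(response, "X-Frame-Options", "DENY");
            assertHeader(response, "X-Content-Type-Options", "nosniff");
            assertHeader(response, "X-XSS-Protection", "1; mode=block");
            assertHeader(response, "Content-Security-Policy",
                "default-src https: data: 'unsafe-inline' 'unsafe-eval'");
            assertHeader(response, "Strict-Transport-Security",
                "max-age=63072000;includeSubDomains;preload");
        }
    }

    /**
     * Asserts that {@code response} carries header {@code name} with exactly {@code expected} as
     * its first value. A missing header fails with a message naming it instead of a bare
     * NullPointerException.
     */
    private static void assertHeader(CloseableHttpResponse response, String name, String expected) {
        Assert.assertNotNull("Missing response header: " + name, response.getFirstHeader(name));
        Assert.assertEquals(expected, response.getFirstHeader(name).getValue());
    }

    /**
     * Reflectively calls {@code sun.security.x509.AlgorithmId.get("PBEWithSHA1AndDESede")} before
     * any key store is written. Best effort: a failure is logged and the test continues.
     */
    private static void initializeAlgorithmId() {
        // NOTE(review): presumably a workaround for a JDK algorithm-id initialization issue that
        // affects key store creation - confirm against the upstream history before removing.
        try {
            Method method = Class.forName("sun.security.x509.AlgorithmId").getMethod("get", String.class);
            method.setAccessible(true);
            method.invoke(null, "PBEWithSHA1AndDESede");
        } catch (Exception e) {
            // Internal JDK class: it may be absent or inaccessible on some runtimes.
            LOG.warn("failed to initialize AlgorithmId", e);
        }
    }

    /**
     * Creates the directory that holds the generated key store and trust store.
     *
     * @return the existing or newly created directory under the test data dir
     * @throws IllegalStateException if the directory does not exist and cannot be created
     */
    private File initKeystoreDir() {
        File dir = new File(TEST_UTIL.getDataTestDir().toString(),
            TestThriftHttpServer.class.getSimpleName() + "_keys");
        // mkdirs() returns false both on failure and when the directory already exists.
        if (!dir.mkdirs() && !dir.isDirectory()) {
            throw new IllegalStateException("Could not create keystore directory " + dir);
        }
        return dir;
    }

    /** Writes the server key store holding the private key and its certificate. */
    private void generateKeyStore(KeyPair keyPair, X509Certificate x509Certificate) throws Exception {
        KeyStoreTestUtil.createKeyStore(getKeystoreFilePath(), KEY_STORE_PASSWORD, KEY_STORE_PASSWORD,
            "serverKS", keyPair.getPrivate(), x509Certificate);
    }

    /** Writes the client trust store holding only the server certificate. */
    private void generateTrustStore(X509Certificate x509Certificate) throws Exception {
        KeyStoreTestUtil.createTrustStore(getTruststoreFilePath(), TRUST_STORE_PASSWORD, "serverTS",
            x509Certificate);
    }

    /** Returns the path of the server key store inside {@link #keyDir}. */
    private String getKeystoreFilePath() {
        return String.format("%s/serverKS.%s", this.keyDir.getAbsolutePath(), "jks");
    }

    /** Returns the path of the client trust store inside {@link #keyDir}. */
    private String getTruststoreFilePath() {
        return String.format("%s/serverTS.%s", this.keyDir.getAbsolutePath(), "jks");
    }
}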
