package com.yahoo.vespa.model.container.xml;

import com.yahoo.cloud.config.DataplaneProxyConfig;
import com.yahoo.config.model.api.ApplicationClusterEndpoint;
import com.yahoo.config.model.api.ContainerEndpoint;
import com.yahoo.config.model.api.EndpointCertificateSecrets;
import com.yahoo.config.model.builder.xml.test.DomBuilderTest;
import com.yahoo.config.model.deploy.DeployState;
import com.yahoo.config.model.deploy.TestProperties;
import com.yahoo.config.model.test.MockApplicationPackage;
import com.yahoo.config.provision.DataplaneToken;
import com.yahoo.config.provision.Environment;
import com.yahoo.config.provision.RegionName;
import com.yahoo.config.provision.SystemName;
import com.yahoo.config.provision.Zone;
import com.yahoo.jdisc.http.ConnectorConfig;
import com.yahoo.jdisc.http.filter.security.cloud.config.CloudTokenDataPlaneFilterConfig;
import com.yahoo.vespa.model.container.ContainerModel;
import com.yahoo.vespa.model.container.http.ConnectorFactory;
import com.yahoo.vespa.model.container.http.JettyHttpServer;
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.time.Duration;
import java.time.Instant;
import java.time.temporal.TemporalAmount;
import java.util.Collection;
import java.util.List;
import java.util.Optional;
import java.util.OptionalInt;
import java.util.Set;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.io.TempDir;
import org.w3c.dom.Element;

/* loaded from: input_file:com/yahoo/vespa/model/container/xml/CloudTokenDataPlaneFilterTest.class */
public class CloudTokenDataPlaneFilterTest extends ContainerModelBuilderTestBase {
    private static final String servicesXmlTemplate = "<container version='1.0'>\n  <clients>\n    <client id=\"foo\" permissions=\"read,write\">\n        <certificate file=\"%s\"/>\n    </client>\n    <client id=\"bar\" permissions=\"read\">\n        <token id=\"my-token\"/>\n    </client>\n  </clients>\n</container>\n";
    private static final List<DataplaneToken> defaultTokens = List.of(new DataplaneToken("my-token", List.of(new DataplaneToken.Version("myfingerprint1", "myaccesshash1", Optional.empty()), new DataplaneToken.Version("myfingerprint2", "myaccesshash2", Optional.of(Instant.EPOCH.plus((TemporalAmount) Duration.ofDays(100000)))))));
    private static final ContainerEndpoint tokenEndpoint = new ContainerEndpoint("cluster", ApplicationClusterEndpoint.Scope.zone, List.of("token"), OptionalInt.empty(), ApplicationClusterEndpoint.RoutingMethod.exclusive, ApplicationClusterEndpoint.AuthMethod.token);
    private static final ContainerEndpoint mtlsEndpoint = new ContainerEndpoint("cluster", ApplicationClusterEndpoint.Scope.zone, List.of("mtls"), OptionalInt.empty(), ApplicationClusterEndpoint.RoutingMethod.exclusive, ApplicationClusterEndpoint.AuthMethod.mtls);

    @TempDir
    public File applicationFolder;
    Path securityFolder;
    private static final String filterConfigId = "container/filters/chain/cloud-token-data-plane-secure/component/com.yahoo.jdisc.http.filter.security.cloud.CloudTokenDataPlaneFilter";

    @BeforeEach
    public void setup() throws IOException {
        this.securityFolder = this.applicationFolder.toPath().resolve("security");
        Files.createDirectories(this.securityFolder, new FileAttribute[0]);
    }

    @Test
    void generates_correct_config_for_tokens() throws IOException {
        Path resolve = this.securityFolder.resolve("foo.pem");
        Element parse = DomBuilderTest.parse(servicesXmlTemplate.formatted(this.applicationFolder.toPath().relativize(resolve).toString()));
        CloudDataPlaneFilterTest.createCertificate(resolve);
        buildModel(Set.of(tokenEndpoint, mtlsEndpoint), defaultTokens, parse);
        CloudTokenDataPlaneFilterConfig.Clients clients = (CloudTokenDataPlaneFilterConfig.Clients) this.root.getConfig(CloudTokenDataPlaneFilterConfig.class, filterConfigId).clients().stream().filter(clients2 -> {
            return clients2.id().equals("bar");
        }).findAny().orElse(null);
        Assertions.assertNotNull(clients);
        Assertions.assertEquals(List.of("read"), clients.permissions());
        Assertions.assertEquals(List.of(tokenConfig("my-token", List.of("myfingerprint1", "myfingerprint2"), List.of("myaccesshash1", "myaccesshash2"), List.of("<none>", "2243-10-17T00:00:00Z"))), clients.tokens());
    }

    @Test
    void configures_dataplane_proxy_when_token_defined() throws IOException {
        Path resolve = this.securityFolder.resolve("foo.pem");
        Element parse = DomBuilderTest.parse(servicesXmlTemplate.formatted(this.applicationFolder.toPath().relativize(resolve).toString()));
        CloudDataPlaneFilterTest.createCertificate(resolve);
        buildModel(Set.of(tokenEndpoint, mtlsEndpoint), defaultTokens, parse);
        DataplaneProxyConfig config = this.root.getConfig(DataplaneProxyConfig.class, "container/component/com.yahoo.container.jdisc.DataplaneProxyConfigurator");
        Assertions.assertEquals(8443, config.mtlsPort());
        Assertions.assertEquals(8444, config.tokenPort());
    }

    @Test
    void configures_dataplane_proxy_when_token_defined_but_missing() throws IOException {
        Path resolve = this.securityFolder.resolve("foo.pem");
        Element parse = DomBuilderTest.parse(servicesXmlTemplate.formatted(this.applicationFolder.toPath().relativize(resolve).toString()));
        CloudDataPlaneFilterTest.createCertificate(resolve);
        buildModel(Set.of(tokenEndpoint, mtlsEndpoint), List.of(), parse);
        DataplaneProxyConfig config = this.root.getConfig(DataplaneProxyConfig.class, "container/component/com.yahoo.container.jdisc.DataplaneProxyConfigurator");
        Assertions.assertNotNull(config);
        Assertions.assertEquals(8443, config.mtlsPort());
        Assertions.assertEquals(8444, config.tokenPort());
    }

    @Test
    void does_notconfigure_dataplane_proxy_when_token_endpoints_not_defined() throws IOException {
        Path resolve = this.securityFolder.resolve("foo.pem");
        Element parse = DomBuilderTest.parse(servicesXmlTemplate.formatted(this.applicationFolder.toPath().relativize(resolve).toString()));
        CloudDataPlaneFilterTest.createCertificate(resolve);
        buildModel(Set.of(mtlsEndpoint), List.of(), parse);
        Assertions.assertFalse(this.root.getConfigIds().stream().anyMatch(str -> {
            return str.contains("DataplaneProxyConfigurator");
        }));
    }

    @Test
    void configuresCorrectConnectors() throws IOException {
        Path resolve = this.securityFolder.resolve("foo.pem");
        Element parse = DomBuilderTest.parse(servicesXmlTemplate.formatted(this.applicationFolder.toPath().relativize(resolve).toString()));
        CloudDataPlaneFilterTest.createCertificate(resolve);
        buildModel(Set.of(tokenEndpoint, mtlsEndpoint), defaultTokens, parse);
        Assertions.assertEquals(List.of("mtls"), connectorConfig(8443).serverName().known());
        Assertions.assertEquals(List.of("token"), connectorConfig(8444).serverName().known());
    }

    private static CloudTokenDataPlaneFilterConfig.Clients.Tokens tokenConfig(String str, Collection<String> collection, Collection<String> collection2, Collection<String> collection3) {
        return new CloudTokenDataPlaneFilterConfig.Clients.Tokens.Builder().id(str).fingerprints(collection).checkAccessHashes(collection2).expirations(collection3).build();
    }

    public List<ContainerModel> buildModel(Set<ContainerEndpoint> set, List<DataplaneToken> list, Element... elementArr) {
        return createModel(this.root, new DeployState.Builder().applicationPackage(new MockApplicationPackage.Builder().withRoot(this.applicationFolder).build()).properties(new TestProperties().setEndpointCertificateSecrets(Optional.of(new EndpointCertificateSecrets("CERT", "KEY"))).setDataplaneTokens(list).setHostedVespa(true)).zone(new Zone(SystemName.PublicCd, Environment.dev, RegionName.defaultName())).endpoints(set).build(), null, elementArr);
    }

    private ConnectorConfig connectorConfig(int i) {
        ConnectorFactory connectorFactory = (ConnectorFactory) ((JettyHttpServer) this.root.getProducer("container/container.0").getHttp().getHttpServer().get()).getConnectorFactories().stream().filter(connectorFactory2 -> {
            return connectorFactory2.getListenPort() == i;
        }).findFirst().orElseThrow();
        ConnectorConfig.Builder builder = new ConnectorConfig.Builder();
        connectorFactory.getConfig(builder);
        return new ConnectorConfig(builder);
    }
}
