package com.yahoo.vespa.model.container.xml;

import com.yahoo.component.ComponentId;
import com.yahoo.config.application.api.ApplicationPackage;
import com.yahoo.config.model.api.EndpointCertificateSecrets;
import com.yahoo.config.model.builder.xml.test.DomBuilderTest;
import com.yahoo.config.model.deploy.DeployState;
import com.yahoo.config.model.deploy.TestProperties;
import com.yahoo.config.model.test.MockApplicationPackage;
import com.yahoo.config.provision.AthenzDomain;
import com.yahoo.config.provision.Environment;
import com.yahoo.config.provision.RegionName;
import com.yahoo.config.provision.SystemName;
import com.yahoo.config.provision.Zone;
import com.yahoo.jdisc.http.ConnectorConfig;
import com.yahoo.path.Path;
import com.yahoo.security.X509CertificateUtils;
import com.yahoo.security.tls.TlsContext;
import com.yahoo.vespa.defaults.Defaults;
import com.yahoo.vespa.model.container.http.AccessControl;
import com.yahoo.vespa.model.container.http.ConnectorFactory;
import com.yahoo.vespa.model.container.http.FilterChains;
import com.yahoo.vespa.model.container.http.Http;
import com.yahoo.vespa.model.container.http.JettyHttpServer;
import com.yahoo.vespa.model.container.http.ssl.HostedSslConnectorFactory;
import java.io.File;
import java.io.StringReader;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Optional;
import java.util.Set;
import java.util.stream.Collectors;
import org.hamcrest.MatcherAssert;
import org.hamcrest.Matchers;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.io.TempDir;
import org.w3c.dom.Element;

/* loaded from: input_file:com/yahoo/vespa/model/container/xml/AccessControlTest.class */
public class AccessControlTest extends ContainerModelBuilderTestBase {

    @TempDir
    public File applicationFolder;

    @Test
    void access_control_filter_chains_are_set_up() {
        FilterChains filterChains = createModelAndGetHttp("  <http>", "    <filtering>", "      <access-control domain='my-tenant-domain' />", "    </filtering>", "  </http>").getFilterChains();
        Assertions.assertTrue(filterChains.hasChain(AccessControl.ACCESS_CONTROL_CHAIN_ID));
        Assertions.assertTrue(filterChains.hasChain(AccessControl.ACCESS_CONTROL_EXCLUDED_CHAIN_ID));
        Assertions.assertTrue(filterChains.hasChain(AccessControl.DEFAULT_CONNECTOR_HOSTED_REQUEST_CHAIN_ID));
    }

    @Test
    void properties_are_set_from_xml() {
        Assertions.assertEquals("my-tenant-domain", ((AccessControl) createModelAndGetHttp("  <http>", "    <filtering>", "      <access-control domain='my-tenant-domain'/>", "    </filtering>", "  </http>").getAccessControl().get()).domain, "Wrong domain.");
    }

    @Test
    void access_control_excluded_filter_chain_has_all_bindings_from_excluded_handlers() {
        Assertions.assertTrue(getFilterBindings(createModelAndGetHttp("  <http>", "    <filtering>", "      <access-control/>", "    </filtering>", "  </http>"), AccessControl.ACCESS_CONTROL_EXCLUDED_CHAIN_ID).containsAll(List.of("http://*:4443/ApplicationStatus", "http://*:4443/status.html", "http://*:4443/state/v1", "http://*:4443/state/v1/*", "http://*:4443/prometheus/v1", "http://*:4443/prometheus/v1/*", "http://*:4443/metrics/v2", "http://*:4443/metrics/v2/*", "http://*:4443/")));
    }

    @Test
    void access_control_excluded_chain_does_not_contain_any_bindings_from_access_control_chain() {
        Http createModelAndGetHttp = createModelAndGetHttp("  <http>", "    <filtering>", "      <access-control/>", "    </filtering>", "  </http>");
        Set<String> filterBindings = getFilterBindings(createModelAndGetHttp, AccessControl.ACCESS_CONTROL_CHAIN_ID);
        Set<String> filterBindings2 = getFilterBindings(createModelAndGetHttp, AccessControl.ACCESS_CONTROL_EXCLUDED_CHAIN_ID);
        Iterator<String> it = filterBindings.iterator();
        while (it.hasNext()) {
            Assertions.assertFalse(filterBindings2.contains(it.next()));
        }
    }

    @Test
    void access_control_excluded_filter_chain_has_user_provided_excluded_bindings() {
        Assertions.assertTrue(getFilterBindings(createModelAndGetHttp("  <http>", "    <handler id='custom.Handler'>", "      <binding>http://*/custom-handler/*</binding>", "    </handler>", "    <filtering>", "      <access-control>", "        <exclude>", "          <binding>http://*/custom-handler/*</binding>", "          <binding>http://*/search/*</binding>", "        </exclude>", "      </access-control>", "    </filtering>", "  </http>"), AccessControl.ACCESS_CONTROL_EXCLUDED_CHAIN_ID).containsAll(List.of("http://*:4443/custom-handler/*", "http://*:4443/search/*", "http://*:4443/status.html")));
    }

    @Test
    void hosted_connector_for_port_4443_uses_access_control_filter_chain_as_default_request_filter_chain() {
        Http createModelAndGetHttp = createModelAndGetHttp("  <http>", "    <filtering>", "      <access-control/>", "    </filtering>", "  </http>");
        Assertions.assertTrue(getFilterBindings(createModelAndGetHttp, AccessControl.ACCESS_CONTROL_CHAIN_ID).isEmpty());
        Optional defaultRequestFilterChain = ((HostedSslConnectorFactory) ((JettyHttpServer) createModelAndGetHttp.getHttpServer().get()).getConnectorFactories().stream().filter(connectorFactory -> {
            return connectorFactory instanceof HostedSslConnectorFactory;
        }).findAny().get()).getDefaultRequestFilterChain();
        Assertions.assertTrue(defaultRequestFilterChain.isPresent());
        Assertions.assertEquals(AccessControl.ACCESS_CONTROL_CHAIN_ID, defaultRequestFilterChain.get());
    }

    @Test
    void access_control_is_implicitly_added_for_hosted_apps() {
        Optional accessControl = createModelAndGetHttp("<container version='1.0'/>").getAccessControl();
        Assertions.assertTrue(accessControl.isPresent());
        AccessControl accessControl2 = (AccessControl) accessControl.get();
        Assertions.assertEquals(AccessControl.ClientAuthentication.need, accessControl2.clientAuthentication);
        Assertions.assertEquals("my-tenant-domain", accessControl2.domain);
    }

    @Test
    void access_control_is_implicitly_added_for_hosted_apps_with_existing_http_element() {
        Http createModelAndGetHttp = createModelAndGetHttp("  <http>", "    <server port='" + Defaults.getDefaults().vespaWebServicePort() + "' id='main' />", "    <filtering>", "      <filter id='outer' />", "      <request-chain id='myChain'>", "        <filter id='inner' />", "      </request-chain>", "    </filtering>", "  </http>");
        Assertions.assertTrue(createModelAndGetHttp.getAccessControl().isPresent());
        Assertions.assertTrue(createModelAndGetHttp.getFilterChains().hasChain(AccessControl.ACCESS_CONTROL_CHAIN_ID));
        Assertions.assertTrue(createModelAndGetHttp.getFilterChains().hasChain(ComponentId.fromString("myChain")));
    }

    @Test
    void access_control_chain_exclude_chain_does_not_contain_duplicate_bindings_to_user_request_filter_chain() {
        Http createModelAndGetHttp = createModelAndGetHttp("  <http>", "    <handler id='custom.Handler'>", "      <binding>http://*/custom-handler/*</binding>", "      <binding>http://*/</binding>", "    </handler>", "    <filtering>", "      <access-control/>", "      <request-chain id='my-custom-request-chain'>", "        <filter id='my-custom-request-filter' />", "        <binding>http://*/custom-handler/*</binding>", "        <binding>http://*/</binding>", "      </request-chain>", "    </filtering>", "  </http>");
        Assertions.assertTrue(getFilterBindings(createModelAndGetHttp, AccessControl.ACCESS_CONTROL_EXCLUDED_CHAIN_ID).containsAll(List.of("http://*:4443/ApplicationStatus", "http://*:4443/status.html", "http://*:4443/state/v1", "http://*:4443/state/v1/*", "http://*:4443/prometheus/v1", "http://*:4443/prometheus/v1/*", "http://*:4443/metrics/v2", "http://*:4443/metrics/v2/*")));
        Assertions.assertTrue(getFilterBindings(createModelAndGetHttp, ComponentId.fromString("my-custom-request-chain")).containsAll(List.of("http://*:4443/custom-handler/*", "http://*:4443/")));
    }

    @Test
    void access_control_excludes_are_not_affected_by_user_response_filter_chain() {
        Http createModelAndGetHttp = createModelAndGetHttp("  <http>", "    <handler id='custom.Handler'>", "      <binding>http://*/custom-handler/*</binding>", "    </handler>", "    <filtering>", "      <access-control>", "        <exclude>", "          <binding>http://*/custom-handler/*</binding>", "        </exclude>", "      </access-control>", "      <response-chain id='my-custom-response-chain'>", "        <filter id='my-custom-response-filter' />", "        <binding>http://*/custom-handler/*</binding>", "      </response-chain>", "    </filtering>", "  </http>");
        Assertions.assertTrue(getFilterBindings(createModelAndGetHttp, AccessControl.ACCESS_CONTROL_EXCLUDED_CHAIN_ID).containsAll(List.of("http://*:4443/ApplicationStatus", "http://*:4443/status.html", "http://*:4443/state/v1", "http://*:4443/state/v1/*", "http://*:4443/prometheus/v1", "http://*:4443/prometheus/v1/*", "http://*:4443/metrics/v2", "http://*:4443/metrics/v2/*", "http://*:4443/", "http://*:4443/custom-handler/*")));
        Assertions.assertTrue(getFilterBindings(createModelAndGetHttp, ComponentId.fromString("my-custom-response-chain")).contains("http://*:4443/custom-handler/*"));
    }

    @Test
    void access_control_client_auth_defaults_to_need() {
        Http createModelAndGetHttp = createModelAndGetHttp("  <http>", "    <filtering>", "      <access-control />", "    </filtering>", "  </http>");
        Assertions.assertTrue(createModelAndGetHttp.getAccessControl().isPresent());
        Assertions.assertEquals(AccessControl.ClientAuthentication.need, ((AccessControl) createModelAndGetHttp.getAccessControl().get()).clientAuthentication);
    }

    @Test
    void access_control_client_auth_can_be_overridden() {
        Http createModelAndGetHttp = createModelAndGetHttp(new DeployState.Builder().properties(new TestProperties().setAthenzDomain(AthenzDomain.from("my-tenant-domain")).setHostedVespa(true).allowDisableMtls(true).setEndpointCertificateSecrets(Optional.of(new EndpointCertificateSecrets("CERT", "KEY")))).build(), "  <http>", "    <filtering>", "      <access-control tls-handshake-client-auth=\"want\"/>", "    </filtering>", "  </http>");
        Assertions.assertTrue(createModelAndGetHttp.getAccessControl().isPresent());
        Assertions.assertEquals(AccessControl.ClientAuthentication.want, ((AccessControl) createModelAndGetHttp.getAccessControl().get()).clientAuthentication);
        ConnectorFactory connectorFactory = (ConnectorFactory) ((JettyHttpServer) createModelAndGetHttp.getHttpServer().get()).getConnectorFactories().stream().filter(connectorFactory2 -> {
            return connectorFactory2.getListenPort() == 4443;
        }).findFirst().orElseThrow();
        ConnectorConfig.Builder builder = new ConnectorConfig.Builder();
        connectorFactory.getConfig(builder);
        ConnectorConfig connectorConfig = new ConnectorConfig(builder);
        Assertions.assertFalse(connectorConfig.tlsClientAuthEnforcer().enable());
        Assertions.assertEquals(ConnectorConfig.Ssl.ClientAuth.Enum.WANT_AUTH, connectorConfig.ssl().clientAuth());
    }

    @Test
    void access_control_client_auth_cannot_be_overridden_when_disabled() {
        try {
            createModelAndGetHttp(new DeployState.Builder().properties(new TestProperties().setAthenzDomain(AthenzDomain.from("my-tenant-domain")).setHostedVespa(true).allowDisableMtls(false)).build(), "  <http>", "    <filtering>", "      <access-control tls-handshake-client-auth=\"want\"/>", "    </filtering>", "  </http>");
            Assertions.fail("Overriding tls-handshake-client-auth allowed, but should have failed");
        } catch (IllegalArgumentException e) {
            Assertions.assertEquals("Overriding 'tls-handshake-client-auth' for application is not allowed.", e.getMessage());
        }
    }

    @Test
    void local_connector_has_default_chain() {
        Http createModelAndGetHttp = createModelAndGetHttp("  <http>", "    <filtering>", "      <access-control/>", "    </filtering>", "  </http>");
        Assertions.assertTrue(getFilterBindings(createModelAndGetHttp, AccessControl.DEFAULT_CONNECTOR_HOSTED_REQUEST_CHAIN_ID).isEmpty());
        Optional defaultRequestFilterChain = ((ConnectorFactory) ((JettyHttpServer) createModelAndGetHttp.getHttpServer().get()).getConnectorFactories().stream().filter(connectorFactory -> {
            return connectorFactory.getListenPort() == Defaults.getDefaults().vespaWebServicePort();
        }).findAny().get()).getDefaultRequestFilterChain();
        Assertions.assertTrue(defaultRequestFilterChain.isPresent());
        Assertions.assertEquals(AccessControl.DEFAULT_CONNECTOR_HOSTED_REQUEST_CHAIN_ID, defaultRequestFilterChain.get());
    }

    @Test
    void client_authentication_is_enforced() {
        Element parse = DomBuilderTest.parse("<container version='1.0'>", ContainerModelBuilderTestBase.nodesXml, "   <http><filtering>      <access-control domain=\"vespa\" tls-handshake-client-auth=\"need\"/>   </filtering></http></container>");
        createModel(this.root, new DeployState.Builder().properties(new TestProperties().setHostedVespa(true).setEndpointCertificateSecrets(Optional.of(new EndpointCertificateSecrets("CERT", "KEY")))).build(), null, parse);
        ConnectorFactory connectorFactory = (ConnectorFactory) ((JettyHttpServer) this.root.getProducer("container/container.0").getHttp().getHttpServer().get()).getConnectorFactories().stream().filter(connectorFactory2 -> {
            return connectorFactory2.getListenPort() == 4443;
        }).findFirst().orElseThrow();
        ConnectorConfig.Builder builder = new ConnectorConfig.Builder();
        connectorFactory.getConfig(builder);
        ConnectorConfig connectorConfig = new ConnectorConfig(builder);
        Assertions.assertTrue(connectorConfig.ssl().enabled());
        Assertions.assertEquals(ConnectorConfig.Ssl.ClientAuth.Enum.NEED_AUTH, connectorConfig.ssl().clientAuth());
        Assertions.assertEquals("CERT", connectorConfig.ssl().certificate());
        Assertions.assertEquals("KEY", connectorConfig.ssl().privateKey());
        Assertions.assertEquals(4443, connectorConfig.listenPort());
        Assertions.assertEquals("/opt/yahoo/share/ssl/certs/athenz_certificate_bundle.pem", connectorConfig.ssl().caCertificateFile(), "Connector must use Athenz truststore in a non-public system.");
        Assertions.assertTrue(connectorConfig.ssl().caCertificate().isEmpty());
    }

    @Test
    void missing_security_clients_pem_fails_in_public() {
        Element parse = DomBuilderTest.parse("<container version='1.0' />");
        DeployState build = new DeployState.Builder().properties(new TestProperties().setHostedVespa(true).setEndpointCertificateSecrets(Optional.of(new EndpointCertificateSecrets("CERT", "KEY")))).zone(new Zone(SystemName.Public, Environment.prod, RegionName.defaultName())).build();
        Assertions.assertEquals("Client certificate authority security/clients.pem is missing - see: https://cloud.vespa.ai/en/security/guide#data-plane", ((RuntimeException) Assertions.assertThrows(RuntimeException.class, () -> {
            createModel(this.root, build, null, parse);
        })).getMessage());
    }

    @Test
    void security_clients_pem_is_picked_up() {
        ApplicationPackage build = new MockApplicationPackage.Builder().withRoot(this.applicationFolder).build();
        build.getFile(Path.fromString("security")).createDirectory();
        build.getFile(Path.fromString("security/clients.pem")).writeFile(new StringReader("I am a very nice certificate"));
        createModel(this.root, DeployState.createTestState(build), null, DomBuilderTest.parse("<container version='1.0' />"));
        Assertions.assertEquals(Optional.of("I am a very nice certificate"), getContainerCluster("container").getTlsClientAuthority());
    }

    @Test
    void operator_certificates_are_joined_with_clients_pem() {
        ApplicationPackage build = new MockApplicationPackage.Builder().withRoot(this.applicationFolder).build();
        String pem = X509CertificateUtils.toPem(X509CertificateUtils.createSelfSigned("CN=application", Duration.ofDays(1L)).certificate());
        X509Certificate certificate = X509CertificateUtils.createSelfSigned("CN=operator", Duration.ofDays(1L)).certificate();
        build.getFile(Path.fromString("security")).createDirectory();
        build.getFile(Path.fromString("security/clients.pem")).writeFile(new StringReader(pem));
        createModel(this.root, new DeployState.Builder().properties(new TestProperties().setOperatorCertificates(List.of(certificate)).setHostedVespa(true).setEndpointCertificateSecrets(Optional.of(new EndpointCertificateSecrets("CERT", "KEY")))).zone(new Zone(SystemName.PublicCd, Environment.dev, RegionName.defaultName())).applicationPackage(build).build(), null, DomBuilderTest.parse("<container version='1.0' />"));
        ConnectorFactory connectorFactory = (ConnectorFactory) ((JettyHttpServer) this.root.getProducer("container/container.0").getHttp().getHttpServer().get()).getConnectorFactories().stream().filter(connectorFactory2 -> {
            return connectorFactory2.getListenPort() == 4443;
        }).findFirst().orElseThrow();
        ConnectorConfig.Builder builder = new ConnectorConfig.Builder();
        connectorFactory.getConfig(builder);
        List certificateListFromPem = X509CertificateUtils.certificateListFromPem(new ConnectorConfig(builder).ssl().caCertificate());
        Assertions.assertEquals(2, certificateListFromPem.size());
        MatcherAssert.assertThat(certificateListFromPem.stream().map(x509Certificate -> {
            return x509Certificate.getSubjectX500Principal().getName();
        }).toList(), Matchers.containsInAnyOrder(new String[]{"CN=operator", "CN=application"}));
    }

    @Test
    void require_allowed_ciphers() {
        Element parse = DomBuilderTest.parse("<container version='1.0'>", ContainerModelBuilderTestBase.nodesXml, "</container>");
        createModel(this.root, new DeployState.Builder().properties(new TestProperties().setHostedVespa(true).setEndpointCertificateSecrets(Optional.of(new EndpointCertificateSecrets("CERT", "KEY")))).build(), null, parse);
        ConnectorFactory connectorFactory = (ConnectorFactory) ((JettyHttpServer) this.root.getProducer("container/container.0").getHttp().getHttpServer().get()).getConnectorFactories().stream().filter(connectorFactory2 -> {
            return connectorFactory2.getListenPort() == 4443;
        }).findFirst().orElseThrow();
        ConnectorConfig.Builder builder = new ConnectorConfig.Builder();
        connectorFactory.getConfig(builder);
        MatcherAssert.assertThat(new ConnectorConfig(builder).ssl().enabledCipherSuites(), Matchers.containsInAnyOrder(TlsContext.ALLOWED_CIPHER_SUITES.toArray()));
    }

    @Test
    void providing_endpoint_certificate_secrets_opens_port_4443() {
        Element parse = DomBuilderTest.parse("<container version='1.0'>", ContainerModelBuilderTestBase.nodesXml, "</container>");
        createModel(this.root, new DeployState.Builder().properties(new TestProperties().setHostedVespa(true).setEndpointCertificateSecrets(Optional.of(new EndpointCertificateSecrets("CERT", "KEY")))).build(), null, parse);
        List connectorFactories = ((JettyHttpServer) this.root.getProducer("container/container.0").getHttp().getHttpServer().get()).getConnectorFactories();
        Assertions.assertEquals(2, connectorFactories.size());
        MatcherAssert.assertThat(connectorFactories.stream().map((v0) -> {
            return v0.getListenPort();
        }).toList(), Matchers.containsInAnyOrder(new Integer[]{8080, 4443}));
        ConnectorFactory connectorFactory = (ConnectorFactory) connectorFactories.stream().filter(connectorFactory2 -> {
            return connectorFactory2.getListenPort() == 4443;
        }).findFirst().orElseThrow();
        ConnectorConfig.Builder builder = new ConnectorConfig.Builder();
        connectorFactory.getConfig(builder);
        ConnectorConfig connectorConfig = new ConnectorConfig(builder);
        Assertions.assertTrue(connectorConfig.ssl().enabled());
        Assertions.assertEquals(ConnectorConfig.Ssl.ClientAuth.Enum.WANT_AUTH, connectorConfig.ssl().clientAuth());
        Assertions.assertEquals("CERT", connectorConfig.ssl().certificate());
        Assertions.assertEquals("KEY", connectorConfig.ssl().privateKey());
        Assertions.assertEquals(4443, connectorConfig.listenPort());
        Assertions.assertEquals("/opt/yahoo/share/ssl/certs/athenz_certificate_bundle.pem", connectorConfig.ssl().caCertificateFile(), "Connector must use Athenz truststore in a non-public system.");
        Assertions.assertTrue(connectorConfig.ssl().caCertificate().isEmpty());
    }

    private Http createModelAndGetHttp(String... strArr) {
        return createModelAndGetHttp(new DeployState.Builder().properties(new TestProperties().setAthenzDomain(AthenzDomain.from("my-tenant-domain")).setHostedVespa(true)).build(), strArr);
    }

    private Http createModelAndGetHttp(DeployState deployState, String... strArr) {
        ArrayList arrayList = new ArrayList();
        arrayList.add("<container version='1.0'>");
        arrayList.addAll(List.of((Object[]) strArr));
        arrayList.add("</container>");
        createModel(this.root, deployState, null, DomBuilderTest.parse((String[]) arrayList.toArray(i -> {
            return new String[i];
        })));
        return this.root.getProducer("container/container.0").getHttp();
    }

    private static Set<String> getFilterBindings(Http http, ComponentId componentId) {
        return (Set) http.getBindings().stream().filter(filterBinding -> {
            return filterBinding.chainId().toId().equals(componentId);
        }).map(filterBinding2 -> {
            return filterBinding2.binding().patternString();
        }).collect(Collectors.toSet());
    }
}
