package com.yahoo.vespa.model.container.xml;

import com.yahoo.component.ComponentId;
import com.yahoo.config.model.api.TenantSecretStore;
import com.yahoo.config.model.builder.xml.test.DomBuilderTest;
import com.yahoo.config.model.deploy.DeployState;
import com.yahoo.config.model.deploy.TestProperties;
import com.yahoo.config.provision.Environment;
import com.yahoo.config.provision.RegionName;
import com.yahoo.config.provision.SystemName;
import com.yahoo.config.provision.Zone;
import com.yahoo.container.jdisc.secretstore.SecretStoreConfig;
import com.yahoo.vespa.model.container.ApplicationContainerCluster;
import com.yahoo.vespa.model.container.SecretStore;
import java.util.List;
import java.util.Optional;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;
import org.w3c.dom.Element;

/* loaded from: input_file:com/yahoo/vespa/model/container/xml/SecretStoreTest.class */
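/**
 * Model-building tests for the {@code <secret-store>} element of a container cluster.
 *
 * <p>Two of the cases pin down rejections that act as guard rails on secret access:
 * a cloud secret store whose {@code account} does not match any tenant secret store
 * supplied through the deploy properties is refused, and a cloud secret store is
 * refused outright when the zone's system is not {@link SystemName#Public}. Both are
 * asserted on the exact exception message, so a reworded message will fail here even
 * if the rejection itself still happens.
 */
public class SecretStoreTest extends ContainerModelBuilderTestBase {

    /** Component id under which the AWS parameter store is expected to be registered. */
    private static final String AWS_PARAMETER_STORE_COMPONENT = "com.yahoo.jdisc.cloud.aws.AwsParameterStore";

    /** A {@code oath-ckms} secret store exposes its configured group name and environment. */
    @Test
    void secret_store_can_be_set_up() {
        Element clusterXml = DomBuilderTest.parse(
                "<container version='1.0'>",
                "  <secret-store type='oath-ckms'>",
                "    <group name='group1' environment='env1'/>",
                "  </secret-store>",
                "</container>");
        createModel(this.root, clusterXml);

        SecretStore secretStore = (SecretStore) getContainerCluster("container").getSecretStore().get();
        SecretStore.Group firstGroup = (SecretStore.Group) secretStore.getGroups().get(0);
        Assertions.assertEquals("group1", firstGroup.name);
        Assertions.assertEquals("env1", firstGroup.environment);
    }

    /**
     * Referencing {@code account='store1'} without a matching tenant secret store in the
     * deploy properties must fail model building rather than produce a store config.
     */
    @Test
    void cloud_secret_store_requires_configured_secret_store() {
        Element clusterXml = cloudSecretStoreXml();
        // Hosted, public system, but no tenant secret stores are set on the properties.
        DeployState deployState = new DeployState.Builder()
                .properties(new TestProperties().setHostedVespa(true))
                .zone(prodZoneIn(SystemName.Public))
                .build();

        // assertThrows scopes the expectation to createModel alone and reports a clear
        // failure if the rejection ever stops happening.
        RuntimeException rejection = Assertions.assertThrows(
                RuntimeException.class,
                () -> createModel(this.root, deployState, null, clusterXml),
                "secret store not defined");
        Assertions.assertEquals("No configured secret store named store1", rejection.getMessage());
    }

    /**
     * With a tenant secret store named {@code store1} present, the AWS parameter store
     * component is configured and its config lists exactly that one store.
     */
    @Test
    void cloud_secret_store_can_be_set_up() {
        Element clusterXml = cloudSecretStoreXml();
        DeployState deployState = new DeployState.Builder()
                .properties(new TestProperties().setHostedVespa(true).setTenantSecretStores(tenantStoreNamedStore1()))
                .zone(prodZoneIn(SystemName.Public))
                .build();
        createModel(this.root, deployState, null, clusterXml);

        ApplicationContainerCluster containerCluster = getContainerCluster("container");
        assertComponentConfigured(containerCluster, AWS_PARAMETER_STORE_COMPONENT);
        CloudSecretStore cloudSecretStore = (CloudSecretStore) containerCluster.getComponentsMap()
                .get(ComponentId.fromString(AWS_PARAMETER_STORE_COMPONENT));

        SecretStoreConfig.Builder configBuilder = new SecretStoreConfig.Builder();
        cloudSecretStore.getConfig(configBuilder);
        SecretStoreConfig config = configBuilder.build();

        Assertions.assertEquals(1, config.awsParameterStores().size());
        SecretStoreConfig.AwsParameterStores onlyStore =
                (SecretStoreConfig.AwsParameterStores) config.awsParameterStores().get(0);
        Assertions.assertEquals("store1", onlyStore.name());
    }

    /**
     * The same, otherwise valid, setup must be rejected when the zone's system is
     * {@link SystemName#main} instead of {@link SystemName#Public}.
     */
    @Test
    void cloud_secret_store_fails_to_set_up_in_non_public_zone() {
        Element clusterXml = cloudSecretStoreXml();
        DeployState deployState = new DeployState.Builder()
                .properties(new TestProperties().setHostedVespa(true).setTenantSecretStores(tenantStoreNamedStore1()))
                .zone(prodZoneIn(SystemName.main))
                .build();

        // Only the system differs from the passing case above, so the rejection can be
        // attributed to the system check and not to a missing tenant secret store.
        RuntimeException rejection = Assertions.assertThrows(
                RuntimeException.class,
                () -> createModel(this.root, deployState, null, clusterXml),
                "cloud secret store must be rejected outside the public system");
        Assertions.assertEquals(
                "Cloud secret store is not supported in non-public system, see the documentation",
                rejection.getMessage());
    }

    /** Parses the cloud secret store XML shared by the cloud test cases. */
    private static Element cloudSecretStoreXml() {
        return DomBuilderTest.parse(
                "<container version='1.0'>",
                "  <secret-store type='cloud'>",
                "    <store id='store'>",
                "      <aws-parameter-store account='store1' region='eu-north-1'/>",
                "    </store>",
                "  </secret-store>",
                "</container>");
    }

    /**
     * Returns the single tenant secret store fixture used by the cloud test cases.
     * Only the name {@code store1} is asserted on; the remaining arguments are constructed
     * sample values (presumably AWS id, role and external id; confirm against
     * {@link TenantSecretStore}).
     */
    private static List<TenantSecretStore> tenantStoreNamedStore1() {
        return List.of(new TenantSecretStore("store1", "1234", "role", Optional.of("externalid")));
    }

    /** Builds a prod zone in the default region for the given system. */
    private static Zone prodZoneIn(SystemName system) {
        return new Zone(system, Environment.prod, RegionName.defaultName());
    }
}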
