package org.gridgain.aws.encryption.spi;

import com.google.common.primitives.Bytes;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.TimeUnit;
import org.apache.ignite.IgniteException;
import org.apache.ignite.cluster.ClusterState;
import org.apache.ignite.configuration.CacheConfiguration;
import org.apache.ignite.internal.cluster.IgniteClusterEx;
import org.apache.ignite.lang.IgniteFuture;
import org.gridgain.control.agent.AbstractSelfTest;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.mockito.ArgumentMatchers;
import org.mockito.Mockito;
import software.amazon.awssdk.core.SdkBytes;
import software.amazon.awssdk.services.kms.KmsClient;
import software.amazon.awssdk.services.kms.model.DecryptRequest;
import software.amazon.awssdk.services.kms.model.DecryptResponse;
import software.amazon.awssdk.services.kms.model.DescribeKeyRequest;
import software.amazon.awssdk.services.kms.model.DescribeKeyResponse;
import software.amazon.awssdk.services.kms.model.EncryptRequest;
import software.amazon.awssdk.services.kms.model.EncryptResponse;
import software.amazon.awssdk.services.kms.model.EncryptionAlgorithmSpec;
import software.amazon.awssdk.services.kms.model.KeyMetadata;

/* loaded from: input_file:org/gridgain/aws/encryption/spi/AwsKmsEncryptionSpiTest.class */
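/**
 * Tests {@link AwsKmsEncryptionSpi} against a Mockito-backed {@link KmsClient}.
 *
 * <p>No real AWS KMS call is made. The mocked client answers {@code describeKey} with canned key
 * metadata and implements {@code encrypt}/{@code decrypt} with a reversible stand-in (byte
 * reversal plus a lookup table). The stand-in provides no confidentiality and only lets the
 * cluster round-trip its keys; these tests cover the SPI's key validation and master key
 * bookkeeping, not cryptographic strength.
 */
public class AwsKmsEncryptionSpiTest extends AbstractSelfTest {
    // Fixture identifiers only; nothing here is resolved against AWS because the client is mocked.
    // NOTE(review): the account id in ROLE_ARN (313272747743) differs from the one in the key ARNs
    // (313272427743) — presumably a cross-account role fixture; confirm it is not a typo.
    static final String MASTER_KEY_NAME = "arn:aws:kms:eu-central-1:313272427743:key/1234abcd-12ab-34cd-56ef-1234567890a1";
    static final String MASTER_KEY_NAME_2 = "arn:aws:kms:eu-central-1:313272427743:key/1234abcd-12ab-34cd-56ef-1234567890a2";
    static final String ROLE_ARN = "arn:aws:iam::313272747743:role/cmk-access-role";
    static final String EXTERNAL_ID = "766d9557-27d9-473f-a7c6-508b8f5968f3";

    /** Fake "ciphertext" to plaintext table filled by {@link #encrypt} and read by {@link #decrypt}. */
    final Map<SdkBytes, SdkBytes> decryptMap = new ConcurrentHashMap<>();
    IgniteClusterEx cluster;
    KmsClient kmsClient;
    AwsKmsEncryptionSpi encSpi;

    /** Starts every test from a clean persistence directory with a fresh mock client and SPI. */
    @Before
    public void setup() throws Exception {
        cleanup();
        this.kmsClient = kmsClient();
        this.encSpi = spi();
    }

    /** Stops the grids, wipes persisted state and forgets the fake ciphertexts. */
    @After
    public void teardown() {
        cleanup();
        this.decryptMap.clear();
    }

    /**
     * After a master key change and a restart, the node must validate the key recorded in the
     * metastore (key 2) and must not fall back to the key configured on the SPI (key 1).
     */
    @Test
    public void loadMasterKeyFromMetastore() {
        startupCluster();
        Mockito.verify(this.kmsClient, Mockito.atLeastOnce()).describeKey(keyIdIs(MASTER_KEY_NAME));

        this.cluster.ignite().encryption().changeMasterKey(MASTER_KEY_NAME_2).get(3L, TimeUnit.SECONDS);
        Mockito.verify(this.kmsClient, Mockito.atLeastOnce()).describeKey(keyIdIs(MASTER_KEY_NAME_2));

        // Restart with a fresh mock so the verifications below only see calls made after the restart.
        stopAllGrids();
        this.kmsClient = kmsClient();
        this.encSpi = spi();
        startupCluster();

        Mockito.verify(this.kmsClient, Mockito.never()).describeKey(keyIdIs(MASTER_KEY_NAME));
        Mockito.verify(this.kmsClient, Mockito.atLeastOnce()).describeKey(keyIdIs(MASTER_KEY_NAME_2));
    }

    /** A master key that KMS reports as disabled must prevent the node from starting. */
    @Test
    public void startupFailedWithInvalidMasterKey() {
        Mockito.doReturn(describeKeyResponse(false)).when(this.kmsClient).describeKey(keyIdIs(MASTER_KEY_NAME));

        Assert.assertThrows(IgniteException.class, this::startupCluster);
    }

    /**
     * Switching to a master key that KMS reports as disabled must fail and must leave the current
     * master key in place.
     */
    @Test
    public void changeMasterKeyFailedWithInvalidKey() {
        Mockito.doReturn(describeKeyResponse(false)).when(this.kmsClient).describeKey(keyIdIs(MASTER_KEY_NAME_2));

        startupCluster();
        Assert.assertEquals(MASTER_KEY_NAME, this.cluster.ignite().encryption().getMasterKeyName());

        IgniteFuture<Void> changeFuture = this.cluster.ignite().encryption().changeMasterKey(MASTER_KEY_NAME_2);

        // The failure is reported through the future, so it has to be awaited inside the lambda.
        // An empty lambda never throws, which makes assertThrows fail unconditionally and leaves
        // the rejection of the disabled key untested.
        // NOTE(review): a timeout presumably also surfaces as an IgniteException subtype; the
        // checks below still pin that key 2 was validated and that the master key did not change.
        Assert.assertThrows(IgniteException.class, () -> changeFuture.get(3L, TimeUnit.SECONDS));

        Mockito.verify(this.kmsClient, Mockito.atLeastOnce()).describeKey(keyIdIs(MASTER_KEY_NAME_2));
        Assert.assertEquals(MASTER_KEY_NAME, this.cluster.ignite().encryption().getMasterKeyName());
    }

    /** Stops all grids and removes the persistence directory. */
    protected void cleanup() {
        stopAllGrids();
        cleanPersistenceDir();
    }

    /**
     * Builds the mocked KMS client: every key is described as enabled with the
     * {@code SYMMETRIC_DEFAULT} algorithm unless a test overrides it, and encrypt/decrypt are
     * routed to the local stand-ins.
     *
     * @return the configured mock
     */
    private KmsClient kmsClient() {
        KmsClient mock = Mockito.mock(KmsClient.class);

        Mockito.doReturn(describeKeyResponse(true)).when(mock).describeKey(ArgumentMatchers.any(DescribeKeyRequest.class));

        Mockito.when(mock.encrypt(ArgumentMatchers.any(EncryptRequest.class))).thenAnswer(invocation -> {
            EncryptRequest request = invocation.getArgument(0, EncryptRequest.class);
            return EncryptResponse.builder().ciphertextBlob(encrypt(request.plaintext())).build();
        });

        Mockito.when(mock.decrypt(ArgumentMatchers.any(DecryptRequest.class))).thenAnswer(invocation -> {
            DecryptRequest request = invocation.getArgument(0, DecryptRequest.class);
            return DecryptResponse.builder().plaintext(decrypt(request.ciphertextBlob())).build();
        });

        return mock;
    }

    /** Starts a single node with one encrypted cache and activates the cluster. */
    private void startupCluster() {
        this.cluster = startGrid(getConfiguration("default")
            .setEncryptionSpi(this.encSpi)
            .setCacheConfiguration(new CacheConfiguration<>("encrypted-cache").setEncryptionEnabled(true)))
            .cluster();
        this.cluster.state(ClusterState.ACTIVE);
    }

    /**
     * Creates the SPI under test, wired to the current mock client and the fixture key, role and
     * external id.
     *
     * @return the configured SPI
     */
    private AwsKmsEncryptionSpi spi() {
        AwsKmsEncryptionSpiMocked mockedSpi = new AwsKmsEncryptionSpiMocked(this.kmsClient);
        mockedSpi.setMasterKeyName(MASTER_KEY_NAME);
        mockedSpi.setRoleArn(ROLE_ARN);
        mockedSpi.setExternalId(EXTERNAL_ID);
        return mockedSpi;
    }

    /**
     * Test stand-in for KMS encryption: reverses the plaintext bytes and remembers the mapping.
     * This is not encryption and must never be reused outside tests.
     *
     * @param sdkBytes plaintext
     * @return the reversed bytes, used as the fake ciphertext
     */
    private SdkBytes encrypt(SdkBytes sdkBytes) {
        byte[] reversed = sdkBytes.asByteArray();
        Bytes.reverse(reversed);
        SdkBytes ciphertext = SdkBytes.fromByteArray(reversed);
        this.decryptMap.put(ciphertext, sdkBytes);
        return ciphertext;
    }

    /**
     * Test stand-in for KMS decryption: looks up the plaintext recorded by {@link #encrypt}.
     *
     * @param sdkBytes fake ciphertext
     * @return the recorded plaintext, or {@code null} if this ciphertext was never produced here
     */
    private SdkBytes decrypt(SdkBytes sdkBytes) {
        return this.decryptMap.get(sdkBytes);
    }

    /**
     * Registers a Mockito matcher for describe-key requests that target the given key.
     * The explicit return type also selects the request overload of {@code describeKey}.
     *
     * @param keyId key ARN the request must carry
     * @return Mockito's placeholder value for the matched argument
     */
    private static DescribeKeyRequest keyIdIs(String keyId) {
        return ArgumentMatchers.argThat(request -> request.keyId().equals(keyId));
    }

    /**
     * Builds a canned describe-key answer for a {@code SYMMETRIC_DEFAULT} key.
     *
     * @param enabled whether the key is reported as enabled
     * @return the response to stub on the mock
     */
    private static DescribeKeyResponse describeKeyResponse(boolean enabled) {
        KeyMetadata metadata = KeyMetadata.builder()
            .enabled(enabled)
            .encryptionAlgorithms(EncryptionAlgorithmSpec.SYMMETRIC_DEFAULT)
            .build();
        return DescribeKeyResponse.builder().keyMetadata(metadata).build();
    }
}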
