package org.gridgain.aws.encryption.spi;

import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import org.apache.ignite.IgniteException;
import org.apache.ignite.internal.util.IgniteUtils;
import org.apache.ignite.spi.encryption.EncryptionSpi;
import org.jetbrains.annotations.NotNull;
import org.junit.Assert;
import org.junit.Test;
import org.mockito.ArgumentMatchers;
import org.mockito.Mockito;
import software.amazon.awssdk.core.SdkBytes;
import software.amazon.awssdk.services.kms.KmsClient;
import software.amazon.awssdk.services.kms.model.DecryptRequest;
import software.amazon.awssdk.services.kms.model.DecryptResponse;
import software.amazon.awssdk.services.kms.model.DescribeKeyRequest;
import software.amazon.awssdk.services.kms.model.DescribeKeyResponse;
import software.amazon.awssdk.services.kms.model.EncryptRequest;
import software.amazon.awssdk.services.kms.model.EncryptResponse;
import software.amazon.awssdk.services.kms.model.EncryptionAlgorithmSpec;
import software.amazon.awssdk.services.kms.model.KeyMetadata;

/* loaded from: input_file:org/gridgain/aws/encryption/spi/AwsKmsEncryptionSpiSelfTest.class */
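/**
 * Unit tests for {@link AwsKmsEncryptionSpi} that run against a Mockito-mocked {@link KmsClient}.
 *
 * <p>No real KMS call is made. Every KMS response is canned by {@link #spi(KmsClient)} or by the
 * individual test, so these tests cover the SPI's own validation and its local data
 * encryption round trip, not KMS behaviour or IAM policy.
 */
public class AwsKmsEncryptionSpiSelfTest {
    // NOTE(review): fixture identifiers. Confirm that the account IDs and the external ID are
    // synthetic values and not copied from a live environment. The role ARN's account ID differs
    // from the one in the key ARNs; presumably a cross-account setup, verify it is intentional.
    static final String MASTER_KEY_NAME = "arn:aws:kms:eu-central-1:313272427743:key/1234abcd-12ab-34cd-56ef-1234567890ab";
    static final String MASTER_KEY_NAME_2 = "arn:aws:kms:eu-central-1:313272427743:key/12341234-12ab-34cd-56ef-1234567890ab";
    static final String ROLE_ARN = "arn:aws:iam::313272747743:role/nebula-cmk-access-role";
    static final String EXTERNAL_ID = "766d9557-27d9-473f-a7c6-508b8f5968f3";

    /** Mocked KMS client shared by the SPI under test and by the per-test stubbing. */
    KmsClient kmsClient = Mockito.mock(KmsClient.class);

    /** An SPI with no master key, role or external ID configured must refuse to start. */
    @Test
    public void testCantStartWithEmptyParam() throws Exception {
        AwsKmsEncryptionSpi unconfigured = new AwsKmsEncryptionSpi();
        Assert.assertThrows(IgniteException.class, () -> unconfigured.spiStart("default"));
    }

    /** An empty master key name is rejected. */
    @Test
    public void testCantLoadMasterKeyEmpty() {
        EncryptionSpi startedSpi = prepareSpi();
        Assert.assertThrows(IgniteException.class, () -> startedSpi.setMasterKeyName(""));
    }

    /** Switching to a master key that KMS reports as disabled is rejected. */
    @Test
    public void testFailedToChangeMasterKeyDisabled() {
        EncryptionSpi startedSpi = prepareSpi();
        stubDescribeKey(this.kmsClient, false, EncryptionAlgorithmSpec.SYMMETRIC_DEFAULT);
        Assert.assertThrows(IgniteException.class, () -> startedSpi.setMasterKeyName(MASTER_KEY_NAME_2));
    }

    /** Switching to a master key that does not offer SYMMETRIC_DEFAULT is rejected. */
    @Test
    public void testFailedToChangeMasterKeyWrongEncryptionAlg() {
        EncryptionSpi startedSpi = prepareSpi();
        stubDescribeKey(this.kmsClient, true, EncryptionAlgorithmSpec.SM2_PKE);
        Assert.assertThrows(IgniteException.class, () -> startedSpi.setMasterKeyName(MASTER_KEY_NAME_2));
    }

    /** Switching the master key fails when the KMS Encrypt call throws. */
    @Test
    public void testFailedToChangeMasterKeyEncryptionNotAllowed() {
        EncryptionSpi startedSpi = prepareSpi();
        Mockito.doThrow(RuntimeException.class)
            .when(this.kmsClient)
            .encrypt(ArgumentMatchers.any(EncryptRequest.class));
        Assert.assertThrows(IgniteException.class, () -> startedSpi.setMasterKeyName(MASTER_KEY_NAME_2));
    }

    /** Switching the master key fails when the KMS Decrypt call throws. */
    @Test
    public void testFailedToChangeMasterKeyDecryptionNotAllowed() {
        EncryptionSpi startedSpi = prepareSpi();
        Mockito.doThrow(RuntimeException.class)
            .when(this.kmsClient)
            .decrypt(ArgumentMatchers.any(DecryptRequest.class));
        Assert.assertThrows(IgniteException.class, () -> startedSpi.setMasterKeyName(MASTER_KEY_NAME_2));
    }

    /** Data encrypted with a freshly created key decrypts back to the same bytes. */
    @Test
    public void testEncryptDecrypt() throws Exception {
        EncryptionSpi startedSpi = prepareSpi();
        // EncryptionSpi is used un-parameterised here, so the key has to be cast, as in
        // testKeyEncryptDecrypt.
        EncryptionKey dataKey = (EncryptionKey) startedSpi.create();
        Assert.assertNotNull(dataKey);
        Assert.assertNotNull(dataKey.key());

        byte[] plaintext = "Just a test string to encrypt!".getBytes(StandardCharsets.UTF_8);
        // Size the buffer from the SPI under test instead of starting a second SPI instance.
        byte[] ciphertext = new byte[startedSpi.encryptedSize(plaintext.length)];
        startedSpi.encrypt(ByteBuffer.wrap(plaintext), dataKey, ByteBuffer.wrap(ciphertext));

        // A pass-through "cipher" would still round-trip, so also require that the output
        // does not simply start with the plaintext.
        Assert.assertFalse(Arrays.equals(plaintext, Arrays.copyOf(ciphertext, plaintext.length)));

        byte[] decrypted = startedSpi.decrypt(ciphertext, dataKey);
        Assert.assertNotNull(decrypted);
        // Compare raw bytes: a String comparison can hide differences in malformed sequences.
        Assert.assertArrayEquals(plaintext, decrypted);
    }

    /** The master key digest changes when the master key name changes. */
    @Test
    public void testMasterKeysDigest() throws Exception {
        EncryptionSpi startedSpi = prepareSpi();
        byte[] digestBefore = startedSpi.masterKeyDigest();
        startedSpi.setMasterKeyName(MASTER_KEY_NAME_2);
        byte[] digestAfter = startedSpi.masterKeyDigest();
        Assert.assertNotNull(digestBefore);
        Assert.assertNotNull(digestAfter);
        Assert.assertFalse(Arrays.equals(digestBefore, digestAfter));
    }

    /** A data key wrapped through the (mocked) KMS Encrypt call unwraps to the same key. */
    @Test
    public void testKeyEncryptDecrypt() throws Exception {
        EncryptionSpi startedSpi = prepareSpi();
        EncryptionKey dataKey = (EncryptionKey) startedSpi.create();
        Assert.assertNotNull(dataKey);
        Assert.assertNotNull(dataKey.key());

        // NOTE(review): both stubs answer any request, so this test does not show that the SPI
        // addresses the configured key or sends back the ciphertext KMS returned. Capturing the
        // EncryptRequest/DecryptRequest and asserting on their fields would close that gap.
        Mockito.doReturn(EncryptResponse.builder()
                .ciphertextBlob(SdkBytes.fromByteArray(new byte[]{0, 1, 2, 3}))
                .build())
            .when(this.kmsClient)
            .encrypt(ArgumentMatchers.any(EncryptRequest.class));
        Mockito.doReturn(DecryptResponse.builder()
                .plaintext(SdkBytes.fromByteArray(IgniteUtils.toBytes(dataKey)))
                .build())
            .when(this.kmsClient)
            .decrypt(ArgumentMatchers.any(DecryptRequest.class));

        checkKeyEncryptDecrypt(startedSpi, dataKey);
    }

    /**
     * Wraps {@code encryptionKey} with the SPI and checks that unwrapping yields an equal key.
     *
     * @param encryptionSpi SPI under test.
     * @param encryptionKey Key to wrap and unwrap.
     */
    private void checkKeyEncryptDecrypt(EncryptionSpi encryptionSpi, EncryptionKey encryptionKey) {
        byte[] wrappedKey = encryptionSpi.encryptKey(encryptionKey);
        Assert.assertNotNull(wrappedKey);
        Assert.assertTrue(wrappedKey.length > 0);
        EncryptionKey unwrappedKey = (EncryptionKey) encryptionSpi.decryptKey(wrappedKey);
        Assert.assertEquals(encryptionKey.key(), unwrappedKey.key());
    }

    /**
     * Builds the mocked SPI with the default stubbing and starts it.
     *
     * @return Started SPI backed by {@link #kmsClient}.
     */
    @NotNull
    private EncryptionSpi prepareSpi() {
        AwsKmsEncryptionSpi spi = spi(this.kmsClient);
        spi.onBeforeStart();
        spi.spiStart("default");
        return spi;
    }

    /**
     * Creates a configured, not yet started SPI around {@code kmsClient} and installs the default
     * stubs: an enabled SYMMETRIC_DEFAULT key, a fixed ciphertext blob for Encrypt and an empty
     * Decrypt response.
     *
     * @param kmsClient Mocked KMS client to stub and hand to the SPI.
     * @return Configured SPI.
     */
    @NotNull
    public static AwsKmsEncryptionSpi spi(KmsClient kmsClient) {
        AwsKmsEncryptionSpiMocked mockedSpi = new AwsKmsEncryptionSpiMocked(kmsClient);
        mockedSpi.setMasterKeyName(MASTER_KEY_NAME);
        mockedSpi.setRoleArn(ROLE_ARN);
        mockedSpi.setExternalId(EXTERNAL_ID);

        stubDescribeKey(kmsClient, true, EncryptionAlgorithmSpec.SYMMETRIC_DEFAULT);
        Mockito.doReturn(EncryptResponse.builder()
                .ciphertextBlob(SdkBytes.fromByteArray(new byte[]{1, 2, 0, -1}))
                .build())
            .when(kmsClient)
            .encrypt(ArgumentMatchers.any(EncryptRequest.class));
        Mockito.doReturn(DecryptResponse.builder().build())
            .when(kmsClient)
            .decrypt(ArgumentMatchers.any(DecryptRequest.class));
        return mockedSpi;
    }

    /**
     * Stubs DescribeKey on {@code client} to report a key with the given state and algorithm.
     *
     * @param client Mocked KMS client.
     * @param enabled Value reported as the key's enabled flag.
     * @param algorithm Sole encryption algorithm reported for the key.
     */
    private static void stubDescribeKey(KmsClient client, boolean enabled, EncryptionAlgorithmSpec algorithm) {
        KeyMetadata metadata = KeyMetadata.builder()
            .enabled(enabled)
            .encryptionAlgorithms(algorithm)
            .build();
        Mockito.doReturn(DescribeKeyResponse.builder().keyMetadata(metadata).build())
            .when(client)
            .describeKey(ArgumentMatchers.any(DescribeKeyRequest.class));
    }
}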
