package org.keycloak.vault;

import java.io.ByteArrayOutputStream;
import java.io.PrintStream;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileAttribute;
import java.util.Arrays;
import java.util.concurrent.BlockingQueue;
import java.util.concurrent.LinkedBlockingQueue;
import java.util.logging.Handler;
import java.util.logging.Level;
import java.util.logging.LogRecord;
import java.util.logging.Logger;
import org.hamcrest.CoreMatchers;
import org.hamcrest.MatcherAssert;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.keycloak.vault.AbstractVaultProviderFactory;

/* loaded from: input_file:org/keycloak/vault/PlainTextVaultProviderTest.class */
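/**
 * Tests for {@code FilesPlainTextVaultProvider}: secret lookup through the available key
 * resolvers, behaviour on missing secrets and directories, and rejection of secret ids that
 * contain a file separator.
 *
 * <p>Warnings logged under {@code org.keycloak.vault} are captured in {@link #logMessages} so
 * that tests can assert on them. {@code System.err} is redirected for the duration of each test
 * and restored afterwards.
 */
public class PlainTextVaultProviderTest {
    private static final Logger logger = Logger.getLogger("org.keycloak.vault");
    private BlockingQueue<String> logMessages;
    private final ByteArrayOutputStream errContent = new ByteArrayOutputStream();
    private final PrintStream originalErr = System.err;
    private Handler logHandler;

    /** Installs a log handler that records every published message and redirects stderr. */
    @Before
    public void setUp() {
        this.logMessages = new LinkedBlockingQueue<>();
        logger.setLevel(Level.WARNING);
        this.logHandler = new Handler() {
            @Override
            public void publish(LogRecord logRecord) {
                logMessages.add(logRecord.getMessage());
            }

            @Override
            public void flush() {
                // nothing is buffered
            }

            @Override
            public void close() throws SecurityException {
                // nothing to release
            }
        };
        logger.addHandler(this.logHandler);
        System.setErr(new PrintStream(this.errContent));
    }

    /** Removes the recording handler and restores the original stderr. */
    @After
    public void tearDown() {
        logger.removeHandler(this.logHandler);
        System.setErr(this.originalErr);
    }

    /** Asserts that at least one captured log message contains {@code fragment}. */
    private void assertLogged(String fragment) {
        Assert.assertTrue(this.logMessages.stream().anyMatch(message -> message.contains(fragment)));
    }

    @Test
    public void shouldObtainSecret() throws Exception {
        FilesPlainTextVaultProvider provider = new FilesPlainTextVaultProvider(
                Scenario.EXISTING.getPath(),
                "test",
                Arrays.asList(AbstractVaultProviderFactory.AvailableResolvers.REALM_UNDERSCORE_KEY.getVaultKeyResolver()));
        VaultRawSecret secret = provider.obtainSecret("key1");
        Assert.assertNotNull(secret);
        Assert.assertNotNull(secret.get().get());
        MatcherAssert.assertThat(secret, SecretContains.secretContains("secret1"));
    }

    @Test
    public void shouldReplaceUnderscoreWithTwoUnderscores() throws Exception {
        FilesPlainTextVaultProvider provider = new FilesPlainTextVaultProvider(
                Scenario.EXISTING.getPath(),
                "test_realm",
                Arrays.asList(AbstractVaultProviderFactory.AvailableResolvers.REALM_UNDERSCORE_KEY.getVaultKeyResolver()));
        VaultRawSecret secret = provider.obtainSecret("underscore_key1");
        Assert.assertNotNull(secret);
        Assert.assertNotNull(secret.get().get());
        MatcherAssert.assertThat(secret, SecretContains.secretContains("underscore_secret1"));
    }

    @Test
    public void shouldReturnEmptyOptionalOnMissingSecret() throws Exception {
        FilesPlainTextVaultProvider provider = new FilesPlainTextVaultProvider(
                Scenario.EXISTING.getPath(),
                "test",
                Arrays.asList(AbstractVaultProviderFactory.AvailableResolvers.REALM_UNDERSCORE_KEY.getVaultKeyResolver()));
        VaultRawSecret secret = provider.obtainSecret("non-existing-key");
        Assert.assertNotNull(secret);
        Assert.assertFalse(secret.get().isPresent());
    }

    @Test
    public void shouldOperateOnNonExistingVaultDirectory() throws Exception {
        FilesPlainTextVaultProvider provider = new FilesPlainTextVaultProvider(
                Scenario.NON_EXISTING.getPath(),
                "test",
                Arrays.asList(AbstractVaultProviderFactory.AvailableResolvers.REALM_UNDERSCORE_KEY.getVaultKeyResolver()));
        VaultRawSecret secret = provider.obtainSecret("non-existing-key");
        Assert.assertNotNull(secret);
        Assert.assertFalse(secret.get().isPresent());
    }

    @Test
    public void shouldOperateOnRealmDirectory() throws Exception {
        FilesPlainTextVaultProvider provider = new FilesPlainTextVaultProvider(
                Scenario.EXISTING.getPath(),
                "test",
                Arrays.asList(AbstractVaultProviderFactory.AvailableResolvers.REALM_FILESEPARATOR_KEY.getVaultKeyResolver()));
        VaultRawSecret secret = provider.obtainSecret("key2");
        Assert.assertNotNull(secret);
        Assert.assertNotNull(secret.get().get());
        MatcherAssert.assertThat(secret, SecretContains.secretContains("secret2"));
    }

    @Test
    public void shouldObtainSecretWithMultipleResolvers() throws Exception {
        FilesPlainTextVaultProvider provider = new FilesPlainTextVaultProvider(
                Scenario.EXISTING.getPath(),
                "test",
                Arrays.asList(
                        AbstractVaultProviderFactory.AvailableResolvers.REALM_UNDERSCORE_KEY.getVaultKeyResolver(),
                        AbstractVaultProviderFactory.AvailableResolvers.REALM_FILESEPARATOR_KEY.getVaultKeyResolver()));
        VaultRawSecret secret = provider.obtainSecret("key2");
        Assert.assertNotNull(secret);
        Assert.assertNotNull(secret.get().get());
        MatcherAssert.assertThat(secret, SecretContains.secretContains("secret2"));
    }

    /**
     * Rewrites a secret file between two lookups and checks that each lookup returns the
     * content present at that moment.
     */
    @Test
    public void shouldReflectChangesInASecretFile() throws Exception {
        Path secretFile = Files.createTempFile("vault", null);
        try {
            Path vaultDir = secretFile.getParent();
            String secretName = secretFile.getFileName().toString();
            FilesPlainTextVaultProvider provider = new FilesPlainTextVaultProvider(
                    vaultDir,
                    "ignored",
                    Arrays.asList(AbstractVaultProviderFactory.AvailableResolvers.KEY_ONLY.getVaultKeyResolver()));

            // Explicit charset: the value is decoded as UTF-8 below, so write it the same way
            // instead of relying on the platform default.
            Files.write(secretFile, "secret1".getBytes(StandardCharsets.UTF_8));
            String firstRead;
            // try-with-resources closes the secret even when decoding or get() throws.
            try (VaultRawSecret secret = provider.obtainSecret(secretName)) {
                firstRead = StandardCharsets.UTF_8.decode((ByteBuffer) secret.get().get()).toString();
            }

            Files.write(secretFile, "secret2".getBytes(StandardCharsets.UTF_8));
            String secondRead;
            try (VaultRawSecret secret = provider.obtainSecret(secretName)) {
                secondRead = StandardCharsets.UTF_8.decode((ByteBuffer) secret.get().get()).toString();
            }

            Assert.assertEquals("secret1", firstRead);
            Assert.assertEquals("secret2", secondRead);
        } finally {
            // Do not leave secret material behind in the shared temp directory.
            Files.deleteIfExists(secretFile);
        }
    }

    /**
     * Closing an obtained secret must stop that instance from exposing the value, while the
     * backing file stays intact so a later lookup still returns it.
     */
    @Test
    public void shouldNotOverrideFileWhenDestroyingASecret() throws Exception {
        Path secretFile = Files.createTempFile("vault", null);
        try {
            Path vaultDir = secretFile.getParent();
            String secretName = secretFile.getFileName().toString();
            FilesPlainTextVaultProvider provider = new FilesPlainTextVaultProvider(
                    vaultDir,
                    "ignored",
                    Arrays.asList(AbstractVaultProviderFactory.AvailableResolvers.KEY_ONLY.getVaultKeyResolver()));

            Files.write(secretFile, "secret".getBytes(StandardCharsets.UTF_8));
            VaultRawSecret closedSecret = provider.obtainSecret(secretName);
            MatcherAssert.assertThat(closedSecret, SecretContains.secretContains("secret"));
            closedSecret.close();

            try (VaultRawSecret freshSecret = provider.obtainSecret(secretName)) {
                // The closed instance no longer matches; the file-backed value is unchanged.
                MatcherAssert.assertThat(closedSecret, CoreMatchers.not(SecretContains.secretContains("secret")));
                MatcherAssert.assertThat(freshSecret, SecretContains.secretContains("secret"));
            }
        } finally {
            // Do not leave secret material behind in the shared temp directory.
            Files.deleteIfExists(secretFile);
        }
    }

    /**
     * A secret id containing a file separator must not resolve to a secret; the provider is
     * expected to return an empty secret and log a warning naming the offending key.
     */
    @Test
    public void shouldPreventPathFileSeparatorInVaultSecretId() {
        FilesPlainTextVaultProvider provider = new FilesPlainTextVaultProvider(
                Scenario.EXISTING.getPath(),
                "test",
                Arrays.asList(AbstractVaultProviderFactory.AvailableResolvers.REALM_FILESEPARATOR_KEY.getVaultKeyResolver()));
        VaultRawSecret secret = provider.obtainSecret(".../key1");
        Assert.assertNotNull(secret);
        Assert.assertFalse(secret.get().isPresent());
        assertLogged("Key .../key1 contains invalid file separator character");
    }

    /** {@code validate} must reject {@code ../key1} when called with the file-separator resolver. */
    @Test
    public void shouldNotValidateWithInvalidPath() {
        FilesPlainTextVaultProvider provider = new FilesPlainTextVaultProvider(
                Paths.get("/vault"),
                "test_realm",
                Arrays.asList(AbstractVaultProviderFactory.AvailableResolvers.REALM_FILESEPARATOR_KEY.getVaultKeyResolver()));
        Assert.assertFalse(provider.validate(
                AbstractVaultProviderFactory.AvailableResolvers.REALM_FILESEPARATOR_KEY.getVaultKeyResolver(),
                "key1",
                "../key1"));
    }

    /** {@code validate} accepts a plain key when called with the key-only resolver. */
    @Test
    public void shouldValidateWithDifferentResolver() {
        FilesPlainTextVaultProvider provider = new FilesPlainTextVaultProvider(
                Paths.get("/vault"),
                "test_realm",
                Arrays.asList(AbstractVaultProviderFactory.AvailableResolvers.KEY_ONLY.getVaultKeyResolver()));
        Assert.assertTrue(provider.validate(
                AbstractVaultProviderFactory.AvailableResolvers.KEY_ONLY.getVaultKeyResolver(),
                "key1",
                "key1"));
    }

    @Test
    public void shouldSearchForEscapedKeyOnlySecret() throws Exception {
        FilesPlainTextVaultProvider provider = new FilesPlainTextVaultProvider(
                Scenario.EXISTING.getPath(),
                "test",
                Arrays.asList(AbstractVaultProviderFactory.AvailableResolvers.KEY_ONLY.getVaultKeyResolver()));
        VaultRawSecret secret = provider.obtainSecret("keyonly_escaped");
        Assert.assertNotNull(secret);
        Assert.assertNotNull(secret.get().get());
        MatcherAssert.assertThat(secret, SecretContains.secretContains("expected_secret_value"));
    }

    /**
     * A secret reachable only under the legacy (unescaped) key name is not returned; a warning
     * asking for the key to be renamed is logged instead.
     */
    @Test
    public void shouldSearchForKeyOnlyLegacy() throws Exception {
        FilesPlainTextVaultProvider provider = new FilesPlainTextVaultProvider(
                Scenario.EXISTING.getPath(),
                "test",
                Arrays.asList(AbstractVaultProviderFactory.AvailableResolvers.KEY_ONLY.getVaultKeyResolver()));
        VaultRawSecret secret = provider.obtainSecret("keyonly_legacy");
        Assert.assertNotNull(secret);
        Assert.assertFalse(secret.get().isPresent());
        assertLogged("Secret was found using legacy key 'keyonly_legacy'. Please rename the key to 'keyonly__legacy' and repeat the action.");
    }
}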
