package io.confluent.kafka.schemaregistry.encryption.tools;

import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSortedSet;
import io.confluent.dekregistry.client.DekRegistryClient;
import io.confluent.dekregistry.client.DekRegistryClientFactory;
import io.confluent.dekregistry.client.MockDekRegistryClientFactory;
import io.confluent.kafka.schemaregistry.avro.AvroSchema;
import io.confluent.kafka.schemaregistry.avro.AvroSchemaProvider;
import io.confluent.kafka.schemaregistry.client.SchemaRegistryClient;
import io.confluent.kafka.schemaregistry.client.SchemaRegistryClientFactory;
import io.confluent.kafka.schemaregistry.client.rest.entities.Metadata;
import io.confluent.kafka.schemaregistry.client.rest.entities.Rule;
import io.confluent.kafka.schemaregistry.client.rest.entities.RuleKind;
import io.confluent.kafka.schemaregistry.client.rest.entities.RuleMode;
import io.confluent.kafka.schemaregistry.client.rest.entities.RuleSet;
import io.confluent.kafka.schemaregistry.encryption.FieldEncryptionProperties;
import io.confluent.kafka.schemaregistry.encryption.local.LocalFieldEncryptionProperties;
import io.confluent.kafka.schemaregistry.encryption.tink.DekFormat;
import io.confluent.kafka.schemaregistry.testutil.FakeClock;
import io.confluent.kafka.schemaregistry.testutil.MockSchemaRegistry;
import java.time.temporal.ChronoUnit;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import org.apache.avro.Schema;
import org.junit.After;
import org.junit.Assert;
import org.junit.Test;
import picocli.CommandLine;

/* loaded from: input_file:io/confluent/kafka/schemaregistry/encryption/tools/RegisterDeksTest.class */
public class RegisterDeksTest {
    private final FakeClock fakeClock = new FakeClock();
    private final String topic = "test";
    private final FieldEncryptionProperties fieldEncryptionProps = new LocalFieldEncryptionProperties(ImmutableList.of("rule1"));
    private final SchemaRegistryClient schemaRegistry = SchemaRegistryClientFactory.newClient(Collections.singletonList("mock://"), 1000, ImmutableList.of(new AvroSchemaProvider()), (Map) null, (Map) null);
    private final DekRegistryClient dekRegistry = DekRegistryClientFactory.newClient(Collections.singletonList("mock://"), 1000, 100000, Collections.emptyMap(), (Map) null);

    private Schema createUserSchema() {
        return new Schema.Parser().parse("{\"namespace\": \"example.avro\", \"type\": \"record\", \"name\": \"User\",\"fields\": [{\"name\": \"name\", \"type\": [\"null\", \"string\"], \"confluent:tags\": [\"PII\", \"PII3\"]},{\"name\": \"name2\", \"type\": [\"null\", \"string\"], \"confluent:tags\": [\"PII2\"]},{\"name\": \"age\", \"type\": [\"null\", \"int\"]}]}");
    }

    @After
    public void tearDown() {
        MockSchemaRegistry.clear();
        MockDekRegistryClientFactory.clear();
    }

    @Test
    public void testRegisterDek() throws Exception {
        String str = this.topic + "-value";
        this.schemaRegistry.register(str, new AvroSchema(createUserSchema()).copy(getMetadata("kek1"), new RuleSet(Collections.emptyList(), ImmutableList.of(new Rule("rule1", (String) null, (RuleKind) null, (RuleMode) null, "ENCRYPT", ImmutableSortedSet.of("PII"), (Map) null, (String) null, (String) null, (String) null, false)))));
        Assert.assertEquals(0L, new CommandLine(new RegisterDeks()).execute(new String[]{"mock://", str, "--property", "rule.executors._default_.param.secret=mysecret"}));
        Assert.assertEquals("kek1", this.dekRegistry.getDekVersion("kek1", str, -1, (DekFormat) null, false).getKekName());
    }

    @Test
    public void testRotateDek() throws Exception {
        String str = this.topic + "rotate-value";
        this.schemaRegistry.register(str, new AvroSchema(createUserSchema()).copy(getMetadata("kek2"), new RuleSet(Collections.emptyList(), ImmutableList.of(new Rule("rule1", (String) null, (RuleKind) null, (RuleMode) null, "ENCRYPT", ImmutableSortedSet.of("PII"), ImmutableMap.of("encrypt.dek.expiry.days", "1"), (String) null, (String) null, (String) null, false)))));
        RegisterDeks registerDeks = new RegisterDeks();
        registerDeks.setClock(this.fakeClock);
        CommandLine commandLine = new CommandLine(registerDeks);
        Assert.assertEquals(0L, commandLine.execute(new String[]{"mock://", str, "--property", "rule.executors._default_.param.secret=mysecret"}));
        Assert.assertEquals("kek2", this.dekRegistry.getDekVersion("kek2", str, -1, (DekFormat) null, false).getKekName());
        Assert.assertEquals(1L, r0.getVersion());
        Assert.assertEquals(0L, commandLine.execute(new String[]{"mock://", str, "--property", "rule.executors._default_.param.secret=mysecret"}));
        Assert.assertEquals("kek2", this.dekRegistry.getDekVersion("kek2", str, -1, (DekFormat) null, false).getKekName());
        Assert.assertEquals(1L, r0.getVersion());
        this.fakeClock.advance(2L, ChronoUnit.DAYS);
        Assert.assertEquals(0L, commandLine.execute(new String[]{"mock://", str, "--property", "rule.executors._default_.param.secret=mysecret"}));
        Assert.assertEquals("kek2", this.dekRegistry.getDekVersion("kek2", str, -1, (DekFormat) null, false).getKekName());
        Assert.assertEquals(2L, r0.getVersion());
    }

    protected Metadata getMetadata(String str) {
        HashMap hashMap = new HashMap();
        hashMap.put("encrypt.kek.name", str);
        hashMap.put("encrypt.kms.type", this.fieldEncryptionProps.getKmsType());
        hashMap.put("encrypt.kms.key.id", this.fieldEncryptionProps.getKmsKeyId());
        return getMetadata(hashMap);
    }

    protected Metadata getMetadata(Map<String, String> map) {
        return new Metadata(Collections.emptyMap(), map, Collections.emptySet());
    }
}
