package org.openmetadata.service.secrets;

import java.util.Map;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.mockito.junit.jupiter.MockitoExtension;
import org.openmetadata.schema.api.services.CreateDatabaseService;
import org.openmetadata.schema.api.services.DatabaseConnection;
import org.openmetadata.schema.auth.SSOAuthMechanism;
import org.openmetadata.schema.entity.automations.TestServiceConnectionRequest;
import org.openmetadata.schema.entity.automations.Workflow;
import org.openmetadata.schema.entity.services.DatabaseService;
import org.openmetadata.schema.entity.services.ServiceType;
import org.openmetadata.schema.entity.services.ingestionPipelines.IngestionPipeline;
import org.openmetadata.schema.entity.services.ingestionPipelines.PipelineType;
import org.openmetadata.schema.entity.teams.AuthenticationMechanism;
import org.openmetadata.schema.metadataIngestion.DbtPipeline;
import org.openmetadata.schema.metadataIngestion.SourceConfig;
import org.openmetadata.schema.metadataIngestion.dbtconfig.DbtS3Config;
import org.openmetadata.schema.security.client.OktaSSOClientConfig;
import org.openmetadata.schema.security.client.OpenMetadataJWTClientConfig;
import org.openmetadata.schema.security.credentials.AWSCredentials;
import org.openmetadata.schema.security.secrets.Parameters;
import org.openmetadata.schema.security.secrets.SecretsManagerConfiguration;
import org.openmetadata.schema.security.secrets.SecretsManagerProvider;
import org.openmetadata.schema.services.connections.database.MysqlConnection;
import org.openmetadata.schema.services.connections.database.common.basicAuth;
import org.openmetadata.schema.services.connections.metadata.OpenMetadataConnection;
import org.openmetadata.service.exception.InvalidServiceConnectionException;
import org.openmetadata.service.fernet.Fernet;
import org.openmetadata.service.util.JsonUtils;
import org.openmetadata.service.util.TestUtils;

@ExtendWith({MockitoExtension.class})
/* loaded from: input_file:org/openmetadata/service/secrets/ExternalSecretsManagerTest.class */
public abstract class ExternalSecretsManagerTest {
    AWSBasedSecretsManager secretsManager;

    @BeforeEach
    void setUp() {
        Fernet.getInstance().setFernetKey("jJ/9sz0g0OHxsfxOoSfdFdmk3ysNmPRnH3TUAbz3IHA=");
        Parameters parameters = new Parameters();
        parameters.setAdditionalProperty("region", "eu-west-1");
        parameters.setAdditionalProperty("accessKeyId", "123456");
        parameters.setAdditionalProperty("secretAccessKey", "654321");
        SecretsManagerConfiguration secretsManagerConfiguration = new SecretsManagerConfiguration();
        secretsManagerConfiguration.setParameters(parameters);
        setUpSpecific(secretsManagerConfiguration);
    }

    @Test
    void testEncryptDecryptDatabaseServiceConnectionConfig() {
        MysqlConnection withAuthType = new MysqlConnection().withAuthType(new basicAuth().withPassword("openmetadata-test"));
        Map of = Map.of("authType", Map.of("password", "openmetadata-test"));
        Assertions.assertNotEquals("openmetadata-test", ((basicAuth) JsonUtils.convertValue(((MysqlConnection) this.secretsManager.encryptServiceConnectionConfig(of, CreateDatabaseService.DatabaseServiceType.Mysql.value(), TestUtils.TEST_USER_NAME, ServiceType.DATABASE)).getAuthType(), basicAuth.class)).getPassword());
        MysqlConnection mysqlConnection = (MysqlConnection) this.secretsManager.decryptServiceConnectionConfig(of, CreateDatabaseService.DatabaseServiceType.Mysql.value(), ServiceType.DATABASE);
        Assertions.assertEquals("openmetadata-test", ((basicAuth) JsonUtils.convertValue(mysqlConnection.getAuthType(), basicAuth.class)).getPassword());
        Assertions.assertEquals(withAuthType, mysqlConnection);
    }

    @Test
    void testEncryptDecryptSSSOConfig() {
        AuthenticationMechanism authenticationMechanism = (AuthenticationMechanism) JsonUtils.convertValue(new AuthenticationMechanism().withAuthType(AuthenticationMechanism.AuthType.SSO).withConfig(new SSOAuthMechanism().withAuthConfig(new OktaSSOClientConfig().withPrivateKey("secret:/openmetadata/bot/bot/config/authconfig/privatekey")).withSsoServiceType(SSOAuthMechanism.SsoServiceType.OKTA)), AuthenticationMechanism.class);
        this.secretsManager.encryptAuthenticationMechanism("bot", authenticationMechanism);
        Assertions.assertNotEquals("secret:/openmetadata/bot/bot/config/authconfig/privatekey", getPrivateKey(authenticationMechanism));
        this.secretsManager.decryptAuthenticationMechanism("bot", authenticationMechanism);
        Assertions.assertEquals("secret:/openmetadata/bot/bot/config/authconfig/privatekey", getPrivateKey(authenticationMechanism));
    }

    @Test
    void testEncryptDecryptIngestionPipelineDBTConfig() {
        IngestionPipeline withSourceConfig = new IngestionPipeline().withName("my-pipeline").withPipelineType(PipelineType.DBT).withService(new DatabaseService().getEntityReference().withType("databaseService")).withSourceConfig(new SourceConfig().withConfig(new DbtPipeline().withDbtConfigSource(new DbtS3Config().withDbtSecurityConfig(new AWSCredentials().withAwsSecretAccessKey("secret:/openmetadata/pipeline/my-pipeline/sourceconfig/config/dbtconfigsource/dbtsecurityconfig/awssecretaccesskey").withAwsRegion("eu-west-1")))));
        IngestionPipeline ingestionPipeline = (IngestionPipeline) JsonUtils.convertValue(withSourceConfig, IngestionPipeline.class);
        this.secretsManager.encryptIngestionPipeline(ingestionPipeline);
        Assertions.assertNotEquals("secret:/openmetadata/pipeline/my-pipeline/sourceconfig/config/dbtconfigsource/dbtsecurityconfig/awssecretaccesskey", getAwsSecretAccessKey(ingestionPipeline));
        this.secretsManager.decryptIngestionPipeline(ingestionPipeline);
        Assertions.assertEquals("secret:/openmetadata/pipeline/my-pipeline/sourceconfig/config/dbtconfigsource/dbtsecurityconfig/awssecretaccesskey", getAwsSecretAccessKey(ingestionPipeline));
        Assertions.assertEquals(withSourceConfig, ingestionPipeline);
    }

    @Test
    void testEncryptDecryptWorkflow() {
        OpenMetadataConnection withSecurityConfig = new OpenMetadataConnection().withSecurityConfig(new OpenMetadataJWTClientConfig().withJwtToken("secret:/openmetadata/serverconnection/securityconfig/secretkey"));
        Workflow withRequest = new Workflow().withName("my-workflow").withOpenMetadataServerConnection(withSecurityConfig).withRequest(new TestServiceConnectionRequest().withConnection(new DatabaseConnection().withConfig(new MysqlConnection().withAuthType(new basicAuth().withPassword("secret:/openmetadata/workflow/my-workflow/request/connection/config/password")))).withServiceType(ServiceType.DATABASE).withConnectionType("Mysql"));
        Workflow encryptWorkflow = this.secretsManager.encryptWorkflow((Workflow) JsonUtils.convertValue(withRequest, Workflow.class));
        Assertions.assertNotEquals("secret:/openmetadata/workflow/my-workflow/request/connection/config/password", getPassword(encryptWorkflow));
        Assertions.assertNotEquals("secret:/openmetadata/serverconnection/securityconfig/secretkey", encryptWorkflow.getOpenMetadataServerConnection().getSecurityConfig().getJwtToken());
        Workflow decryptWorkflow = this.secretsManager.decryptWorkflow(encryptWorkflow);
        Assertions.assertEquals("secret:/openmetadata/workflow/my-workflow/request/connection/config/password", getPassword(decryptWorkflow));
        Assertions.assertEquals("secret:/openmetadata/serverconnection/securityconfig/secretkey", decryptWorkflow.getOpenMetadataServerConnection().getSecurityConfig().getJwtToken());
        Assertions.assertEquals(withRequest, decryptWorkflow);
    }

    @Test
    void testExceptionConnection() {
        Map of = Map.of("username1", "openmetadata-test", "authType", Map.of("password", "openmetadata-test"));
        Assertions.assertEquals("Failed to encrypt 'Mysql' connection stored in DB due to an unrecognized field: 'username1'", Assertions.assertThrows(InvalidServiceConnectionException.class, () -> {
            this.secretsManager.encryptServiceConnectionConfig(of, CreateDatabaseService.DatabaseServiceType.Mysql.value(), TestUtils.TEST_USER_NAME, ServiceType.DATABASE);
        }).getMessage());
        Assertions.assertEquals("Failed to decrypt 'Mysql' connection stored in DB due to an unrecognized field: 'username1'", Assertions.assertThrows(InvalidServiceConnectionException.class, () -> {
            this.secretsManager.decryptServiceConnectionConfig(of, CreateDatabaseService.DatabaseServiceType.Mysql.value(), ServiceType.DATABASE);
        }).getMessage());
    }

    @Test
    void testReturnsExpectedSecretManagerProvider() {
        Assertions.assertEquals(expectedSecretManagerProvider(), this.secretsManager.getSecretsManagerProvider());
    }

    abstract void setUpSpecific(SecretsManagerConfiguration secretsManagerConfiguration);

    protected abstract SecretsManagerProvider expectedSecretManagerProvider();

    private String getPrivateKey(AuthenticationMechanism authenticationMechanism) {
        return ((OktaSSOClientConfig) ((SSOAuthMechanism) authenticationMechanism.getConfig()).getAuthConfig()).getPrivateKey();
    }

    private String getAwsSecretAccessKey(IngestionPipeline ingestionPipeline) {
        return ((DbtS3Config) ((DbtPipeline) ingestionPipeline.getSourceConfig().getConfig()).getDbtConfigSource()).getDbtSecurityConfig().getAwsSecretAccessKey();
    }

    private String getPassword(Workflow workflow) {
        return ((basicAuth) JsonUtils.convertValue(((MysqlConnection) ((DatabaseConnection) ((TestServiceConnectionRequest) workflow.getRequest()).getConnection()).getConfig()).getAuthType(), basicAuth.class)).getPassword();
    }
}
