package co.cask.cdap.gateway.handlers;

import co.cask.cdap.api.Transactional;
import co.cask.cdap.api.TxRunnable;
import co.cask.cdap.client.AuthorizationClient;
import co.cask.cdap.client.config.ClientConfig;
import co.cask.cdap.client.config.ConnectionConfig;
import co.cask.cdap.common.FeatureDisabledException;
import co.cask.cdap.common.NotFoundException;
import co.cask.cdap.common.UnauthenticatedException;
import co.cask.cdap.common.conf.CConfiguration;
import co.cask.cdap.common.entity.EntityExistenceVerifier;
import co.cask.cdap.common.http.AuthenticationChannelHandler;
import co.cask.cdap.common.http.CommonNettyHttpServiceBuilder;
import co.cask.cdap.proto.id.EntityId;
import co.cask.cdap.proto.id.Ids;
import co.cask.cdap.proto.id.NamespaceId;
import co.cask.cdap.proto.security.Action;
import co.cask.cdap.proto.security.Principal;
import co.cask.cdap.proto.security.Privilege;
import co.cask.cdap.proto.security.Role;
import co.cask.cdap.security.authorization.AuthorizationContextFactory;
import co.cask.cdap.security.authorization.AuthorizerInstantiator;
import co.cask.cdap.security.authorization.DefaultAuthorizationContext;
import co.cask.cdap.security.authorization.NoOpAdmin;
import co.cask.cdap.security.authorization.NoOpDatasetContext;
import co.cask.cdap.security.spi.authorization.AuthorizationContext;
import co.cask.cdap.security.spi.authorization.Authorizer;
import co.cask.cdap.security.spi.authorization.RoleAlreadyExistsException;
import co.cask.cdap.security.spi.authorization.RoleNotFoundException;
import co.cask.cdap.security.spi.authorization.UnauthorizedException;
import co.cask.http.NettyHttpService;
import co.cask.tephra.TransactionFailureException;
import com.google.common.base.Function;
import com.google.common.collect.ImmutableList;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Sets;
import java.io.IOException;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.Properties;
import java.util.Set;
import org.jboss.netty.channel.ChannelHandlerContext;
import org.jboss.netty.channel.ChannelPipeline;
import org.jboss.netty.channel.MessageEvent;
import org.jboss.netty.channel.SimpleChannelHandler;
import org.jboss.netty.handler.codec.http.HttpRequest;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;

/* loaded from: input_file:co/cask/cdap/gateway/handlers/AuthorizationHandlerTest.class */
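public class AuthorizationHandlerTest {
    /**
     * System property read by {@link TestUserNameSetter} to decide which user the next HTTP request is made as.
     * Tests switch caller identity through {@link #setCurrentUser(String)}; {@link #setUp()} starts every test as
     * the superuser.
     */
    private static final String USERNAME_PROPERTY = "cdap.username";

    /**
     * Builds an {@link AuthorizationContext} whose dataset, admin and transactional facets are all no-ops.
     * The authorizer under test is in-memory, so nothing here needs datasets or a real transaction.
     */
    private static final AuthorizationContextFactory factory = new AuthorizationContextFactory() {
        @Override
        public AuthorizationContext create(Properties properties) {
            Transactional noOpTransactional = new Transactional() {
                @Override
                public void execute(TxRunnable runnable) throws TransactionFailureException {
                    // intentionally empty: the in-memory authorizer never runs transactional work
                }
            };
            return new DefaultAuthorizationContext(properties, new NoOpDatasetContext(), new NoOpAdmin(),
                                                   noOpTransactional);
        }
    };

    /**
     * Registered as the only superuser in {@link #setUp()}. Grants made as this user succeed without a prior
     * ADMIN privilege on the entity (see {@link #testAuthorizationForPrivileges()}).
     */
    private final Principal admin = new Principal("admin", Principal.PrincipalType.USER);
    private final Properties properties = new Properties();
    private final EntityId ns1 = Ids.namespace("ns1");
    private final EntityId ns2 = Ids.namespace("ns2");
    /** Only ns1 and ns2 exist; the handler is expected to reject grants/revokes on any other entity. */
    private final EntityExistenceVerifier entityExistenceVerifier =
        new InMemoryEntityExistenceVerifier(ImmutableSet.of(ns1, ns2));
    private NettyHttpService service;
    private AuthorizationClient client;

    /** A client call that is expected to be rejected because a security feature is disabled. */
    private interface DisabledFeatureCaller {
        void call() throws Exception;
    }

    /**
     * Test-only pipeline handler that overwrites the {@code CDAP-UserId} header of every incoming request with the
     * value of {@link #USERNAME_PROPERTY}. Because it uses {@code setHeader}, whatever the client sent in that
     * header is replaced, not trusted. It is installed ahead of the {@link AuthenticationChannelHandler} in
     * {@link #setUp()}, which presumably consumes the header.
     */
    private static final class TestUserNameSetter extends SimpleChannelHandler {
        private TestUserNameSetter() {
        }

        @Override
        public void messageReceived(ChannelHandlerContext ctx, MessageEvent event) throws Exception {
            Object message = event.getMessage();
            if (!(message instanceof HttpRequest)) {
                // NOTE(review): non-HttpRequest messages are dropped rather than forwarded, as in the original
                // code; confirm that is intended if chunked request bodies ever appear in these tests.
                return;
            }
            ((HttpRequest) message).setHeader("CDAP-UserId", System.getProperty(USERNAME_PROPERTY));
            super.messageReceived(ctx, event);
        }
    }

    /**
     * Starts an {@link AuthorizationHandler} backed by a fresh {@link InMemoryAuthorizer} with both security and
     * authorization enabled, and points {@link #client} at it as the superuser.
     */
    @Before
    public void setUp() throws Exception {
        CConfiguration cConf = CConfiguration.create();
        cConf.setBoolean("security.authorization.enabled", true);
        cConf.setBoolean("security.enabled", true);
        // the admin principal is the superuser for every test in this class
        properties.setProperty("superusers", admin.getName());
        final InMemoryAuthorizer authorizer = new InMemoryAuthorizer();
        authorizer.initialize(factory.create(properties));
        AuthorizerInstantiator instantiator = new AuthorizerInstantiator(cConf, factory) {
            @Override
            public Authorizer get() {
                return authorizer;
            }
        };
        AuthorizationHandler handler = new AuthorizationHandler(instantiator, cConf, entityExistenceVerifier);
        service = new CommonNettyHttpServiceBuilder(cConf)
            .addHttpHandlers(ImmutableList.of(handler))
            .modifyChannelPipeline(new Function<ChannelPipeline, ChannelPipeline>() {
                @Override
                public ChannelPipeline apply(ChannelPipeline pipeline) {
                    // the user-name setter must sit before the authenticator so the header it stamps is
                    // already present when authentication runs
                    pipeline.addBefore("dispatcher", "usernamesetter", new TestUserNameSetter());
                    pipeline.addAfter("usernamesetter", "authenticator", new AuthenticationChannelHandler());
                    return pipeline;
                }
            })
            .build();
        service.startAndWait();
        client = new AuthorizationClient(clientConfigFor(service));
        setCurrentUser(admin.getName());
    }

    @After
    public void tearDown() {
        service.stopAndWait();
    }

    /** Every authorization endpoint must report AUTHENTICATION as disabled when security.enabled is false. */
    @Test
    public void testAuthenticationDisabled() throws Exception {
        CConfiguration cConf = CConfiguration.create();
        cConf.setBoolean("security.enabled", false);
        cConf.setBoolean("security.authorization.enabled", true);
        testDisabled(cConf, FeatureDisabledException.Feature.AUTHENTICATION, "security.enabled");
    }

    /** Every authorization endpoint must report AUTHORIZATION as disabled when its flag is false. */
    @Test
    public void testAuthorizationDisabled() throws Exception {
        CConfiguration cConf = CConfiguration.create();
        cConf.setBoolean("security.enabled", true);
        cConf.setBoolean("security.authorization.enabled", false);
        testDisabled(cConf, FeatureDisabledException.Feature.AUTHORIZATION, "security.authorization.enabled");
    }

    /**
     * Starts a separate handler with the given (partially disabled) configuration and checks that each client
     * operation fails with a {@link FeatureDisabledException} naming {@code feature} and {@code enableConfigKey}.
     *
     * @param cConf configuration with one of the security features switched off
     * @param feature the feature the exception is expected to report
     * @param enableConfigKey the cdap-site.xml key the exception is expected to point the operator at
     */
    private void testDisabled(CConfiguration cConf, FeatureDisabledException.Feature feature,
                              String enableConfigKey) throws Exception {
        AuthorizerInstantiator instantiator = new AuthorizerInstantiator(cConf, factory) {
            @Override
            public Authorizer get() {
                return new InMemoryAuthorizer();
            }
        };
        AuthorizationHandler handler = new AuthorizationHandler(instantiator, cConf, entityExistenceVerifier);
        NettyHttpService disabledService = new CommonNettyHttpServiceBuilder(cConf)
            .addHttpHandlers(ImmutableList.of(handler))
            .build();
        disabledService.startAndWait();
        try {
            final AuthorizationClient disabledClient = new AuthorizationClient(clientConfigFor(disabledService));
            final NamespaceId namespace = Ids.namespace("ns1");
            final Role role = new Role("admins");
            verifyFeatureDisabled(new DisabledFeatureCaller() {
                @Override
                public void call() throws Exception {
                    disabledClient.grant(namespace, admin, ImmutableSet.of(Action.READ));
                }
            }, feature, enableConfigKey);
            verifyFeatureDisabled(new DisabledFeatureCaller() {
                @Override
                public void call() throws Exception {
                    disabledClient.revoke(namespace, admin, ImmutableSet.of(Action.READ));
                }
            }, feature, enableConfigKey);
            verifyFeatureDisabled(new DisabledFeatureCaller() {
                @Override
                public void call() throws Exception {
                    disabledClient.revoke(namespace);
                }
            }, feature, enableConfigKey);
            verifyFeatureDisabled(new DisabledFeatureCaller() {
                @Override
                public void call() throws Exception {
                    disabledClient.listPrivileges(admin);
                }
            }, feature, enableConfigKey);
            verifyFeatureDisabled(new DisabledFeatureCaller() {
                @Override
                public void call() throws Exception {
                    disabledClient.addRoleToPrincipal(role, admin);
                }
            }, feature, enableConfigKey);
            verifyFeatureDisabled(new DisabledFeatureCaller() {
                @Override
                public void call() throws Exception {
                    disabledClient.removeRoleFromPrincipal(role, admin);
                }
            }, feature, enableConfigKey);
            verifyFeatureDisabled(new DisabledFeatureCaller() {
                @Override
                public void call() throws Exception {
                    disabledClient.createRole(role);
                }
            }, feature, enableConfigKey);
            verifyFeatureDisabled(new DisabledFeatureCaller() {
                @Override
                public void call() throws Exception {
                    disabledClient.dropRole(role);
                }
            }, feature, enableConfigKey);
            verifyFeatureDisabled(new DisabledFeatureCaller() {
                @Override
                public void call() throws Exception {
                    disabledClient.listAllRoles();
                }
            }, feature, enableConfigKey);
        } finally {
            disabledService.stopAndWait();
        }
    }

    /** Revoking a specific action from a user removes exactly that privilege. */
    @Test
    public void testRevokeEntityUserActions() throws Exception {
        verifyAuthFailure(ns1, admin, Action.READ);
        client.grant(ns1, admin, ImmutableSet.of(Action.READ));
        verifyAuthSuccess(ns1, admin, Action.READ);
        client.revoke(ns1, admin, ImmutableSet.of(Action.READ));
        verifyAuthFailure(ns1, admin, Action.READ);
    }

    /** Revoking all actions from one principal on an entity leaves other principals' privileges intact. */
    @Test
    public void testRevokeEntityUser() throws Exception {
        // a GROUP named "admin" is a different principal from the superuser USER of the same name
        Principal adminGroup = new Principal("admin", Principal.PrincipalType.GROUP);
        Principal bob = new Principal("bob", Principal.PrincipalType.USER);
        client.grant(ns1, adminGroup, ImmutableSet.of(Action.READ));
        client.grant(ns1, bob, ImmutableSet.of(Action.READ));
        verifyAuthSuccess(ns1, adminGroup, Action.READ);
        verifyAuthSuccess(ns1, bob, Action.READ);
        client.revoke(ns1, adminGroup, EnumSet.allOf(Action.class));
        verifyAuthFailure(ns1, adminGroup, Action.READ);
        verifyAuthSuccess(ns1, bob, Action.READ);
    }

    /** Revoking an entity outright drops every principal's privileges on it, but only on that entity. */
    @Test
    public void testRevokeEntity() throws Exception {
        Principal adminGroup = new Principal("admin", Principal.PrincipalType.GROUP);
        Principal bob = new Principal("bob", Principal.PrincipalType.USER);
        client.grant(ns1, adminGroup, ImmutableSet.of(Action.READ));
        client.grant(ns1, bob, ImmutableSet.of(Action.READ));
        client.grant(ns2, adminGroup, ImmutableSet.of(Action.READ));
        verifyAuthSuccess(ns1, adminGroup, Action.READ);
        verifyAuthSuccess(ns1, bob, Action.READ);
        verifyAuthSuccess(ns2, adminGroup, Action.READ);
        client.revoke(ns1);
        verifyAuthFailure(ns1, adminGroup, Action.READ);
        verifyAuthFailure(ns1, bob, Action.READ);
        verifyAuthSuccess(ns2, adminGroup, Action.READ);
    }

    /**
     * Role lifecycle: create/list/drop with duplicate and missing-role errors, role membership, and privileges
     * granted to a role showing up (and disappearing) for its members.
     */
    @Test
    public void testRBAC() throws Exception {
        Role admins = new Role("admins");
        Role engineers = new Role("engineers");
        client.createRole(admins);
        client.createRole(engineers);
        Assert.assertEquals(Sets.newHashSet(admins, engineers), client.listAllRoles());
        try {
            client.createRole(admins);
            Assert.fail(String.format("Created a role %s which already exists. Should have failed.",
                                      admins.getName()));
        } catch (RoleAlreadyExistsException expected) {
            // expected
        }
        client.dropRole(admins);
        Assert.assertEquals(Sets.newHashSet(engineers), client.listAllRoles());
        try {
            client.dropRole(admins);
            Assert.fail(String.format("Dropped a role %s which does not exists. Should have failed.",
                                      admins.getName()));
        } catch (RoleNotFoundException expected) {
            // expected
        }
        Principal spiderman = new Principal("spiderman", Principal.PrincipalType.USER);
        client.addRoleToPrincipal(engineers, spiderman);
        try {
            client.addRoleToPrincipal(admins, spiderman);
            Assert.fail(String.format("Added role %s to principal %s. Should have failed.", admins, spiderman));
        } catch (RoleNotFoundException expected) {
            // expected: the role was dropped above
        }
        Assert.assertEquals(Sets.newHashSet(engineers), client.listRoles(spiderman));
        // privileges flow from the role to its members, and are withdrawn with the role's privilege
        verifyAuthFailure(ns1, spiderman, Action.READ);
        client.grant(ns1, engineers, ImmutableSet.of(Action.READ));
        verifyAuthSuccess(ns1, spiderman, Action.READ);
        Assert.assertEquals(Sets.newHashSet(new Privilege(ns1, Action.READ)), client.listPrivileges(spiderman));
        client.revoke(ns1, engineers, ImmutableSet.of(Action.READ));
        Assert.assertEquals(ImmutableSet.<Privilege>of(), client.listPrivileges(spiderman));
        verifyAuthFailure(ns1, spiderman, Action.READ);
        client.removeRoleFromPrincipal(engineers, spiderman);
        Assert.assertEquals(ImmutableSet.<Role>of(), client.listRoles(spiderman));
        try {
            client.removeRoleFromPrincipal(admins, spiderman);
            Assert.fail(String.format("Removed non-existing role %s from principal %s. Should have failed.",
                                      admins, spiderman));
        } catch (RoleNotFoundException expected) {
            // expected
        }
    }

    /**
     * Only a principal holding ADMIN (or ALL) on an entity — or the superuser — may grant or revoke privileges
     * on it; alice is rejected until the superuser gives her that privilege.
     */
    @Test
    public void testAuthorizationForPrivileges() throws Exception {
        Principal bob = new Principal("bob", Principal.PrincipalType.USER);
        Principal alice = new Principal("alice", Principal.PrincipalType.USER);
        String superuser = getCurrentUser();
        try {
            setCurrentUser(alice.getName());
            try {
                client.grant(ns1, bob, ImmutableSet.of(Action.ALL));
                Assert.fail(String.format("alice should not be able to grant privileges to bob on namespace %s "
                                          + "because she does not have admin privileges on the namespace.", ns1));
            } catch (UnauthorizedException expected) {
                // expected
            }
            // the superuser can hand alice ADMIN on ns1, after which her grant to bob goes through
            setCurrentUser(superuser);
            client.grant(ns1, alice, ImmutableSet.of(Action.ADMIN));
            setCurrentUser(alice.getName());
            client.grant(ns1, bob, ImmutableSet.of(Action.ALL));
            // wipe every privilege on ns1 so alice is back to having nothing
            setCurrentUser(superuser);
            client.revoke(ns1);
            setCurrentUser(alice.getName());
            try {
                client.revoke(ns1, bob, ImmutableSet.of(Action.ALL));
                Assert.fail(String.format("alice should not be able to revoke bob's privileges on namespace %s "
                                          + "because she does not have admin privileges on the namespace.", ns1));
            } catch (UnauthorizedException expected) {
                // expected
            }
            setCurrentUser(superuser);
            client.grant(ns1, alice, ImmutableSet.of(Action.ALL));
            setCurrentUser(alice.getName());
            client.revoke(ns1, bob, ImmutableSet.of(Action.ALL));
        } finally {
            // the user name lives in a JVM-wide system property; always restore it for the next test
            setCurrentUser(superuser);
        }
    }

    @Test(expected = NotFoundException.class)
    public void testGrantOnNonExistingEntity() throws FeatureDisabledException, UnauthenticatedException,
        UnauthorizedException, IOException, NotFoundException {
        client.grant(Ids.namespace("ns3"), admin, ImmutableSet.of(Action.ADMIN));
    }

    @Test(expected = NotFoundException.class)
    public void testRevokeOnNonExistingEntity() throws FeatureDisabledException, UnauthenticatedException,
        UnauthorizedException, IOException, NotFoundException {
        client.revoke(Ids.namespace("ns3"), admin, ImmutableSet.of(Action.ADMIN));
    }

    @Test(expected = NotFoundException.class)
    public void testRevokeAllOnNonExistingEntity() throws FeatureDisabledException, UnauthenticatedException,
        UnauthorizedException, IOException, NotFoundException {
        client.revoke(Ids.namespace("ns3"));
    }

    /**
     * Asserts that {@code caller} fails with a {@link FeatureDisabledException} describing {@code feature}.
     * A call that completes without throwing is a test failure: the previous version let it pass silently,
     * which would have hidden an endpoint that stayed reachable with the feature switched off.
     */
    private void verifyFeatureDisabled(DisabledFeatureCaller caller, FeatureDisabledException.Feature feature,
                                       String enableConfigKey) throws Exception {
        try {
            caller.call();
            Assert.fail(String.format("Expected the call to be rejected because %s is disabled, but it succeeded.",
                                      feature));
        } catch (FeatureDisabledException expected) {
            Assert.assertEquals(feature, expected.getFeature());
            Assert.assertEquals("cdap-site.xml", expected.getConfigFile());
            Assert.assertEquals(enableConfigKey, expected.getEnableConfigKey());
            Assert.assertEquals("true", expected.getEnableConfigValue());
        }
    }

    /** Asserts that {@code principal}'s listed privileges include {@code action} on {@code entityId}. */
    private void verifyAuthSuccess(EntityId entityId, Principal principal, Action action) throws Exception {
        Set<Privilege> privileges = client.listPrivileges(principal);
        Privilege privilege = new Privilege(entityId, action);
        Assert.assertTrue(String.format("Expected principal %s to have the privilege %s, but found that it did not.",
                                        principal, privilege),
                          privileges.contains(privilege));
    }

    /** Asserts that {@code principal}'s listed privileges do not include {@code action} on {@code entityId}. */
    private void verifyAuthFailure(EntityId entityId, Principal principal, Action action) throws Exception {
        Set<Privilege> privileges = client.listPrivileges(principal);
        Privilege privilege = new Privilege(entityId, action);
        Assert.assertFalse(String.format("Expected principal %s to not have the privilege %s, but found that it did.",
                                         principal, privilege),
                           privileges.contains(privilege));
    }

    /** Builds a plain-HTTP client configuration pointing at the bind address of {@code httpService}. */
    private static ClientConfig clientConfigFor(NettyHttpService httpService) {
        ConnectionConfig connection = ConnectionConfig.builder()
            .setHostname(httpService.getBindAddress().getHostName())
            .setPort(Integer.valueOf(httpService.getBindAddress().getPort()))
            .setSSLEnabled(false)
            .build();
        return ClientConfig.builder().setConnectionConfig(connection).build();
    }

    /** Sets the user the next requests are made as (consumed by {@link TestUserNameSetter}). */
    private static void setCurrentUser(String userName) {
        System.setProperty(USERNAME_PROPERTY, userName);
    }

    /** Returns the user the requests are currently made as. */
    private static String getCurrentUser() {
        return System.getProperty(USERNAME_PROPERTY);
    }
}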
