package co.cask.cdap.internal.app.store.remote;

import co.cask.cdap.common.conf.CConfiguration;
import co.cask.cdap.common.discovery.RandomEndpointStrategy;
import co.cask.cdap.common.test.AppJarHelper;
import co.cask.cdap.internal.AppFabricTestHelper;
import co.cask.cdap.internal.app.services.AppFabricServer;
import co.cask.cdap.proto.ProgramType;
import co.cask.cdap.proto.id.ApplicationId;
import co.cask.cdap.proto.id.NamespaceId;
import co.cask.cdap.proto.id.ProgramId;
import co.cask.cdap.proto.security.Action;
import co.cask.cdap.proto.security.Principal;
import co.cask.cdap.proto.security.Privilege;
import co.cask.cdap.security.authorization.AuthorizerInstantiator;
import co.cask.cdap.security.authorization.InMemoryAuthorizer;
import co.cask.cdap.security.spi.authorization.Authorizer;
import co.cask.cdap.security.spi.authorization.PrivilegesFetcher;
import co.cask.cdap.security.spi.authorization.PrivilegesManager;
import co.cask.cdap.security.spi.authorization.UnauthorizedException;
import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableSet;
import com.google.inject.Injector;
import java.io.File;
import java.io.IOException;
import java.util.Collections;
import java.util.EnumSet;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import java.util.jar.Attributes;
import java.util.jar.Manifest;
import org.apache.twill.discovery.DiscoveryServiceClient;
import org.apache.twill.filesystem.LocalLocationFactory;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.ClassRule;
import org.junit.Test;
import org.junit.rules.TemporaryFolder;

/* loaded from: input_file:co/cask/cdap/internal/app/store/remote/RemotePrivilegesTest.class */
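/**
 * Exercises {@link PrivilegesFetcher} and {@link PrivilegesManager} instances obtained from the
 * injector against an {@link AppFabricServer} that runs with authorization enabled and
 * {@link InMemoryAuthorizer} packaged as the authorization extension.
 *
 * <p>NOTE(review): the package name suggests the injected fetcher/manager are the remote
 * implementations that talk to app-fabric over the network; confirm against the injector bindings.
 *
 * <p>NOTE(review): every test shares the same static {@link Authorizer}, principal and entities,
 * and each test revokes its grants only on the success path. A failure in the middle of one test
 * leaves grants behind that can make the other test fail for an unrelated reason.
 */
public class RemotePrivilegesTest {

    @ClassRule
    public static final TemporaryFolder TEMPORARY_FOLDER = new TemporaryFolder();

    // Fixed principal and entity hierarchy (namespace -> application -> program) used by all tests.
    private static final Principal ALICE = new Principal("alice", Principal.PrincipalType.USER);
    private static final NamespaceId NS = new NamespaceId("ns");
    private static final ApplicationId APP = NS.app("app");
    private static final ProgramId PROGRAM = APP.program(ProgramType.FLOW, "flo");

    private static Authorizer authorizer;
    private static PrivilegesFetcher privilegesFetcher;
    private static PrivilegesManager privilegesManager;
    private static DiscoveryServiceClient discoveryService;
    private static AppFabricServer appFabricServer;

    /**
     * Builds a configuration with security and authorization switched on, packages
     * {@link InMemoryAuthorizer} into an extension jar, starts app-fabric and resolves the
     * components under test from the injector.
     *
     * @throws IOException if a temporary folder or the extension jar cannot be created
     * @throws InterruptedException if interrupted while waiting for app-fabric to be discoverable
     */
    @BeforeClass
    public static void setup() throws IOException, InterruptedException {
        CConfiguration cConf = CConfiguration.create();
        cConf.set("local.data.dir", TEMPORARY_FOLDER.newFolder().getAbsolutePath());
        cConf.setBoolean("security.enabled", true);
        cConf.setBoolean("kerberos.auth.enabled", false);
        cConf.setBoolean("security.authorization.enabled", true);
        // NOTE(review): presumably disabled so that grants and revokes are observed immediately
        // instead of being served from a stale cache; confirm.
        cConf.setBoolean("security.authorization.cache.enabled", false);

        // The extension jar names the authorizer implementation through its Main-Class attribute.
        Manifest manifest = new Manifest();
        manifest.getMainAttributes().put(Attributes.Name.MAIN_CLASS, InMemoryAuthorizer.class.getName());
        String extensionJarPath = AppJarHelper.createDeploymentJar(
            new LocalLocationFactory(TEMPORARY_FOLDER.newFolder()),
            InMemoryAuthorizer.class,
            manifest,
            new File[0]).toString();
        cConf.set("security.authorization.extension.jar.path", extensionJarPath);

        Injector injector = AppFabricTestHelper.getInjector(cConf);
        discoveryService = injector.getInstance(DiscoveryServiceClient.class);
        appFabricServer = injector.getInstance(AppFabricServer.class);
        appFabricServer.startAndWait();
        waitForService("appfabric");

        authorizer = injector.getInstance(AuthorizerInstantiator.class).get();
        privilegesFetcher = injector.getInstance(PrivilegesFetcher.class);
        privilegesManager = injector.getInstance(PrivilegesManager.class);
    }

    /**
     * Fails with a {@link NullPointerException} if no endpoint for the named service is
     * discovered within five seconds.
     *
     * @param str discovery name of the service to wait for
     * @throws InterruptedException declared by the original signature
     */
    private static void waitForService(String str) throws InterruptedException {
        Preconditions.checkNotNull(
            new RandomEndpointStrategy(discoveryService.discover(str)).pick(5L, TimeUnit.SECONDS),
            "%s service is not up after 5 seconds",
            str);
    }

    /**
     * Grants privileges directly on the authorizer and checks that the fetcher lists exactly
     * those privileges, then revokes them and checks that the fetcher lists none.
     */
    @Test
    public void testPrivilegesFetcher() throws Exception {
        authorizer.grant(NS, ALICE, ImmutableSet.of(Action.WRITE));
        authorizer.grant(APP, ALICE, ImmutableSet.of(Action.ADMIN));
        authorizer.grant(PROGRAM, ALICE, ImmutableSet.of(Action.EXECUTE));

        // Exact-set comparison: an extra privilege is as much a failure as a missing one.
        Set<Privilege> expected = ImmutableSet.of(
            new Privilege(NS, Action.WRITE),
            new Privilege(APP, Action.ADMIN),
            new Privilege(PROGRAM, Action.EXECUTE));
        Assert.assertEquals(expected, privilegesFetcher.listPrivileges(ALICE));

        authorizer.revoke(NS);
        authorizer.revoke(APP);
        authorizer.revoke(PROGRAM);

        Set<Privilege> remaining = privilegesFetcher.listPrivileges(ALICE);
        Assert.assertTrue(
            String.format("Expected all of alice's privileges to be revoked, but found %s", remaining),
            remaining.isEmpty());
    }

    /**
     * Grants privileges through the manager and checks that the authorizer enforces them,
     * including a negative check that a single-action grant does not satisfy a request for all
     * actions. Then revokes through the manager and checks that the authorizer lists none.
     */
    @Test
    public void testPrivilegesManager() throws Exception {
        privilegesManager.grant(NS, ALICE, EnumSet.allOf(Action.class));
        privilegesManager.grant(APP, ALICE, Collections.singleton(Action.ADMIN));
        privilegesManager.grant(PROGRAM, ALICE, Collections.singleton(Action.EXECUTE));

        // Positive checks: each call throws if the grant did not reach the authorizer.
        authorizer.enforce(NS, ALICE, EnumSet.allOf(Action.class));
        authorizer.enforce(APP, ALICE, Action.ADMIN);
        authorizer.enforce(PROGRAM, ALICE, Action.EXECUTE);

        // Negative check: ADMIN alone on the app must not satisfy a request for every action.
        try {
            authorizer.enforce(APP, ALICE, EnumSet.allOf(Action.class));
            Assert.fail("Expected alice to not have all privileges on the app");
        } catch (UnauthorizedException expected) {
            // Expected: the denial is the behavior under test, so there is nothing to handle.
        }

        // Covers both revoke forms: by entity alone, and by entity, principal and action set.
        privilegesManager.revoke(PROGRAM);
        privilegesManager.revoke(APP, ALICE, EnumSet.allOf(Action.class));
        privilegesManager.revoke(NS, ALICE, EnumSet.allOf(Action.class));

        Set<Privilege> remaining = authorizer.listPrivileges(ALICE);
        Assert.assertTrue(
            String.format("Expected all of alice's privileges to be revoked, but found %s", remaining),
            remaining.isEmpty());
    }

    /**
     * Stops app-fabric if {@link #setup()} got far enough to create it.
     */
    @AfterClass
    public static void tearDown() {
        // JUnit runs @AfterClass even when @BeforeClass threw; the guard keeps a setup failure
        // from being followed by a second, misleading NullPointerException.
        if (appFabricServer != null) {
            appFabricServer.stopAndWait();
        }
    }
}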
