package co.cask.cdap.internal.app.services.http;

import co.cask.cdap.api.Predicate;
import co.cask.cdap.api.dataset.DatasetProperties;
import co.cask.cdap.api.dataset.table.Table;
import co.cask.cdap.app.program.ManifestFields;
import co.cask.cdap.common.conf.CConfiguration;
import co.cask.cdap.common.discovery.RandomEndpointStrategy;
import co.cask.cdap.common.io.Locations;
import co.cask.cdap.common.namespace.NamespaceAdmin;
import co.cask.cdap.common.namespace.NamespaceQueryAdmin;
import co.cask.cdap.common.test.AppJarHelper;
import co.cask.cdap.common.test.TestRunner;
import co.cask.cdap.common.utils.DirUtils;
import co.cask.cdap.common.utils.Tasks;
import co.cask.cdap.data2.datafabric.dataset.DatasetsUtil;
import co.cask.cdap.data2.datafabric.dataset.service.DatasetService;
import co.cask.cdap.data2.dataset2.DatasetFramework;
import co.cask.cdap.internal.app.namespace.DefaultNamespaceEnsurer;
import co.cask.cdap.internal.app.runtime.artifact.ArtifactRepository;
import co.cask.cdap.internal.app.runtime.artifact.SystemArtifactLoader;
import co.cask.cdap.internal.app.runtime.artifact.app.plugin.PluginTestApp;
import co.cask.cdap.internal.app.runtime.artifact.app.plugin.PluginTestRunnable;
import co.cask.cdap.internal.guice.AppFabricTestModule;
import co.cask.cdap.proto.NamespaceMeta;
import co.cask.cdap.proto.id.ArtifactId;
import co.cask.cdap.proto.id.InstanceId;
import co.cask.cdap.proto.id.NamespaceId;
import co.cask.cdap.proto.security.Principal;
import co.cask.cdap.security.authorization.AuthorizationBootstrapper;
import co.cask.cdap.security.authorization.AuthorizationEnforcementService;
import co.cask.cdap.security.authorization.InMemoryAuthorizer;
import co.cask.cdap.security.spi.authentication.SecurityRequestContext;
import co.cask.cdap.security.spi.authorization.UnauthorizedException;
import com.google.common.base.Preconditions;
import com.google.common.io.Files;
import com.google.common.util.concurrent.AbstractService;
import com.google.common.util.concurrent.Service;
import com.google.inject.Guice;
import com.google.inject.Injector;
import com.google.inject.Module;
import java.io.File;
import java.io.IOException;
import java.util.Collections;
import java.util.concurrent.Callable;
import java.util.concurrent.TimeUnit;
import java.util.jar.Manifest;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.tephra.TransactionManager;
import org.apache.twill.discovery.DiscoveryServiceClient;
import org.apache.twill.filesystem.LocalLocationFactory;
import org.apache.twill.filesystem.Location;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.ClassRule;
import org.junit.Test;
import org.junit.rules.TemporaryFolder;
import org.junit.runner.RunWith;

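/**
 * Exercises {@link AuthorizationBootstrapper} with authorization enabled and {@link InMemoryAuthorizer}
 * configured as the authorization extension.
 *
 * <p>The single test checks three things in order:
 * <ol>
 *   <li>before the bootstrapper runs, the enforcement filters accept neither the instance nor the system
 *       namespace for the current process user, nor the default namespace for the configured admin user;</li>
 *   <li>after it runs, those same filters accept them, and the system services (default namespace ensurer,
 *       system artifact loader, dataset creation in the system namespace) can start and operate;</li>
 *   <li>the configured admin user can create a namespace while a non-admin user is rejected with
 *       {@link UnauthorizedException}.</li>
 * </ol>
 *
 * <p>The class shares static state between {@link #setup()}, {@link #test()} and {@link #teardown()}.
 */
@RunWith(TestRunner.class)
public class AuthorizationBootstrapperTest {

    @ClassRule
    public static final TemporaryFolder TMP_FOLDER = new TemporaryFolder();
    // Artifact dropped into the system artifact directory so that SystemArtifactLoader has something to load.
    private static final ArtifactId SYSTEM_ARTIFACT = NamespaceId.SYSTEM.artifact("system-artifact", "1.0.0");
    // The only principal listed under "security.authorization.admin.users" in the test configuration.
    private static final Principal ADMIN_USER = new Principal("alice", Principal.PrincipalType.USER);
    private static AuthorizationBootstrapper authorizationBootstrapper;
    private static TransactionManager txManager;
    private static DatasetService datasetService;
    private static DefaultNamespaceEnsurer defaultNamespaceEnsurer;
    private static SystemArtifactLoader systemArtifactLoader;
    private static NamespaceQueryAdmin namespaceQueryAdmin;
    private static NamespaceAdmin namespaceAdmin;
    private static AuthorizationEnforcementService authorizationEnforcementService;
    private static ArtifactRepository artifactRepository;
    private static DatasetFramework dsFramework;
    private static DiscoveryServiceClient discoveryServiceClient;
    private static InstanceId instanceId;

    /**
     * Builds the configuration (security and authorization on, Kerberos and the authorization cache off),
     * packages {@link InMemoryAuthorizer} as the authorization extension jar, prepares the system artifact
     * directory and wires all collaborators from a Guice injector.
     *
     * <p>Only the {@link AuthorizationEnforcementService} is started here; every other service is started by
     * the test itself, after the bootstrapper has run.
     *
     * @throws Exception if the temporary folders, the jars or the injector cannot be created
     */
    @BeforeClass
    public static void setup() throws Exception {
        CConfiguration cConf = CConfiguration.create();
        cConf.set("local.data.dir", TMP_FOLDER.newFolder().getAbsolutePath());
        cConf.setBoolean("security.enabled", true);
        cConf.setBoolean("kerberos.auth.enabled", false);
        cConf.setBoolean("security.authorization.enabled", true);
        // The cache is disabled so that the polling in test() observes privilege changes directly.
        cConf.setBoolean("security.authorization.cache.enabled", false);
        Location authorizerJar = AppJarHelper.createDeploymentJar(
            new LocalLocationFactory(TMP_FOLDER.newFolder()), InMemoryAuthorizer.class, new File[0]);
        cConf.set("security.authorization.extension.jar.path", authorizerJar.toURI().getPath());
        cConf.set("security.authorization.admin.users", ADMIN_USER.getName());
        instanceId = new InstanceId(cConf.get("instance.name"));

        File systemArtifactsDir = TMP_FOLDER.newFolder();
        cConf.set("app.artifact.dir", systemArtifactsDir.getAbsolutePath());
        createSystemArtifact(systemArtifactsDir);

        Module testModule = new AppFabricTestModule(cConf);
        Injector injector = Guice.createInjector(testModule);
        namespaceQueryAdmin = injector.getInstance(NamespaceQueryAdmin.class);
        namespaceAdmin = injector.getInstance(NamespaceAdmin.class);
        defaultNamespaceEnsurer = new DefaultNamespaceEnsurer(namespaceAdmin);
        discoveryServiceClient = injector.getInstance(DiscoveryServiceClient.class);
        txManager = injector.getInstance(TransactionManager.class);
        datasetService = injector.getInstance(DatasetService.class);
        authorizationEnforcementService = injector.getInstance(AuthorizationEnforcementService.class);
        authorizationEnforcementService.startAndWait();
        systemArtifactLoader = injector.getInstance(SystemArtifactLoader.class);
        authorizationBootstrapper = injector.getInstance(AuthorizationBootstrapper.class);
        artifactRepository = injector.getInstance(ArtifactRepository.class);
        dsFramework = injector.getInstance(DatasetFramework.class);
    }

    /**
     * Verifies the state before and after {@link AuthorizationBootstrapper#run()} and then checks that
     * namespace creation is allowed for the admin user and denied for a non-admin user.
     *
     * @throws Exception if any wait times out or a service fails to start
     */
    @Test
    public void test() throws Exception {
        // The principal the test process itself runs as.
        final Principal systemUser = new Principal(
            UserGroupInformation.getCurrentUser().getShortUserName(), Principal.PrincipalType.USER);

        // Deny-by-default: nothing is accepted by the filters until the bootstrapper has run.
        Predicate systemUserFilter = authorizationEnforcementService.createFilter(systemUser);
        Predicate adminUserFilter = authorizationEnforcementService.createFilter(ADMIN_USER);
        Assert.assertFalse(systemUserFilter.apply(instanceId));
        Assert.assertFalse(systemUserFilter.apply(NamespaceId.SYSTEM));
        Assert.assertFalse(adminUserFilter.apply(NamespaceId.DEFAULT));

        authorizationBootstrapper.run();

        // Fresh filters are created on every poll so that each attempt reflects the current privileges.
        Tasks.waitFor(true, new Callable<Boolean>() {
            @Override
            public Boolean call() throws Exception {
                Predicate refreshedSystemFilter = authorizationEnforcementService.createFilter(systemUser);
                Predicate refreshedAdminFilter = authorizationEnforcementService.createFilter(ADMIN_USER);
                return refreshedSystemFilter.apply(instanceId)
                    && refreshedSystemFilter.apply(NamespaceId.SYSTEM)
                    && refreshedAdminFilter.apply(NamespaceId.DEFAULT);
            }
        }, 10L, TimeUnit.SECONDS);

        // With the bootstrap done, the system services must be able to start and do their work.
        txManager.startAndWait();
        datasetService.startAndWait();
        waitForService("dataset.service");
        defaultNamespaceEnsurer.startAndWait();
        systemArtifactLoader.startAndWait();
        waitForService((AbstractService) defaultNamespaceEnsurer);
        waitForService((AbstractService) systemArtifactLoader);

        Tasks.waitFor(true, new Callable<Boolean>() {
            @Override
            public Boolean call() throws Exception {
                try {
                    return namespaceQueryAdmin.exists(NamespaceId.DEFAULT);
                } catch (Exception e) {
                    // Any failure counts as "not there yet"; the poll simply tries again.
                    return false;
                }
            }
        }, 10L, TimeUnit.SECONDS);
        Assert.assertTrue(defaultNamespaceEnsurer.isRunning());

        Tasks.waitFor(true, new Callable<Boolean>() {
            @Override
            public Boolean call() throws Exception {
                try {
                    artifactRepository.getArtifact(SYSTEM_ARTIFACT.toId());
                    return true;
                } catch (Exception e) {
                    // Any failure counts as "not loaded yet"; the poll simply tries again.
                    return false;
                }
            }
        }, 20L, TimeUnit.SECONDS);
        Assert.assertTrue(systemArtifactLoader.isRunning());

        Assert.assertNotNull(DatasetsUtil.getOrCreateDataset(
            dsFramework, NamespaceId.SYSTEM.dataset("system-dataset"), Table.class.getName(),
            DatasetProperties.EMPTY, Collections.emptyMap(), getClass().getClassLoader()));

        // The request context is restored afterwards so the impersonated identities ("alice", "bob") do not
        // stay attached to this thread once the test is over.
        String previousUserId = SecurityRequestContext.getUserId();
        try {
            SecurityRequestContext.setUserId(ADMIN_USER.getName());
            namespaceAdmin.create(new NamespaceMeta.Builder().setName("success").build());

            SecurityRequestContext.setUserId("bob");
            try {
                namespaceAdmin.create(new NamespaceMeta.Builder().setName("failure").build());
                Assert.fail("Bob should not have been able to create a namespace since he is not an admin user");
            } catch (UnauthorizedException expected) {
                // Expected: "bob" is not listed in security.authorization.admin.users.
            }
        } finally {
            SecurityRequestContext.setUserId(previousUserId);
        }
    }

    /**
     * Stops the dataset service, the transaction manager and the enforcement service.
     *
     * <p>Each service is null-checked so that a failure part-way through {@link #setup()} is not hidden
     * behind a {@link NullPointerException} raised here.
     */
    @AfterClass
    public static void teardown() {
        // NOTE(review): defaultNamespaceEnsurer and systemArtifactLoader are started in test() but are not
        // stopped here; confirm whether that is intentional.
        if (datasetService != null) {
            datasetService.stopAndWait();
        }
        if (txManager != null) {
            txManager.stopAndWait();
        }
        if (authorizationEnforcementService != null) {
            authorizationEnforcementService.stopAndWait();
        }
    }

    /**
     * Polls the given service for up to 10 seconds until it reports {@link Service.State#RUNNING}.
     *
     * @param abstractService the service to wait for
     * @throws Exception if the wait does not complete successfully
     */
    private void waitForService(final AbstractService abstractService) throws Exception {
        Callable<Service.State> currentState = new Callable<Service.State>() {
            @Override
            public Service.State call() throws Exception {
                return abstractService.state();
            }
        };
        Tasks.waitFor(Service.State.RUNNING, currentState, 10L, TimeUnit.SECONDS);
    }

    /**
     * Waits up to 10 seconds for an endpoint of the named service to be discoverable.
     *
     * @param str the discovery name of the service
     * @throws InterruptedException declared by the original signature
     * @throws NullPointerException if no endpoint was picked within the timeout
     */
    private void waitForService(String str) throws InterruptedException {
        RandomEndpointStrategy endpointStrategy = new RandomEndpointStrategy(discoveryServiceClient.discover(str));
        Preconditions.checkNotNull(
            endpointStrategy.pick(10L, TimeUnit.SECONDS), "%s service is not up after 10 seconds", str);
    }

    /**
     * Builds a deployment jar for the given class and copies it to the destination file.
     *
     * @param cls the class to package
     * @param file the destination; its parent directory is created if needed
     * @param manifest the manifest to put into the jar
     * @return the destination file
     * @throws IOException if the jar cannot be created or copied
     */
    private static File createAppJar(Class<?> cls, File file, Manifest manifest) throws IOException {
        LocalLocationFactory stagingFactory = new LocalLocationFactory(TMP_FOLDER.newFolder());
        Location deploymentJar = AppJarHelper.createDeploymentJar(stagingFactory, cls, manifest, new File[0]);
        DirUtils.mkdirs(file.getParentFile());
        Files.copy(Locations.newInputSupplier(deploymentJar), file);
        return file;
    }

    /**
     * Writes the {@link #SYSTEM_ARTIFACT} jar, named {@code <artifact>-<version>.jar}, into the given
     * directory, exporting the package of {@link PluginTestRunnable} through the manifest.
     *
     * @param file the system artifact directory
     * @throws IOException if the jar cannot be created
     */
    private static void createSystemArtifact(File file) throws IOException {
        Manifest manifest = new Manifest();
        manifest.getMainAttributes().put(ManifestFields.EXPORT_PACKAGE, PluginTestRunnable.class.getPackage().getName());
        String jarName = String.format("%s-%s.jar", SYSTEM_ARTIFACT.getArtifact(), SYSTEM_ARTIFACT.getVersion());
        createAppJar(PluginTestApp.class, new File(file, jarName), manifest);
    }
}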
