package co.cask.cdap.internal.app.runtime.artifact;

import co.cask.cdap.api.artifact.ArtifactSummary;
import co.cask.cdap.app.program.ManifestFields;
import co.cask.cdap.common.conf.CConfiguration;
import co.cask.cdap.common.io.Locations;
import co.cask.cdap.common.namespace.NamespaceAdmin;
import co.cask.cdap.common.test.AppJarHelper;
import co.cask.cdap.common.utils.DirUtils;
import co.cask.cdap.internal.AppFabricTestHelper;
import co.cask.cdap.internal.app.runtime.artifact.app.plugin.PluginTestApp;
import co.cask.cdap.internal.app.runtime.artifact.app.plugin.PluginTestRunnable;
import co.cask.cdap.proto.NamespaceMeta;
import co.cask.cdap.proto.id.ArtifactId;
import co.cask.cdap.proto.id.NamespaceId;
import co.cask.cdap.proto.security.Action;
import co.cask.cdap.proto.security.Principal;
import co.cask.cdap.proto.security.Privilege;
import co.cask.cdap.security.authorization.AuthorizerInstantiator;
import co.cask.cdap.security.authorization.InMemoryAuthorizer;
import co.cask.cdap.security.spi.authentication.SecurityRequestContext;
import co.cask.cdap.security.spi.authorization.Authorizer;
import co.cask.cdap.security.spi.authorization.UnauthorizedException;
import com.google.common.io.Files;
import com.google.inject.Injector;
import java.io.File;
import java.io.IOException;
import java.util.Collections;
import java.util.EnumSet;
import java.util.List;
import java.util.jar.Manifest;
import org.apache.twill.filesystem.LocalLocationFactory;
import org.apache.twill.filesystem.Location;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.ClassRule;
import org.junit.Test;
import org.junit.rules.TemporaryFolder;

/* loaded from: input_file:co/cask/cdap/internal/app/runtime/artifact/SystemArtifactsAuthorizationTest.class */
public class SystemArtifactsAuthorizationTest {

    @ClassRule
    public static final TemporaryFolder TMP_FOLDER = new TemporaryFolder();
    private static final Principal ALICE = new Principal("alice", Principal.PrincipalType.USER);
    private static final String OLD_USER_ID = SecurityRequestContext.getUserId();
    private static final ArtifactId SYSTEM_ARTIFACT = NamespaceId.SYSTEM.artifact("system-artifact", "1.0.0");
    private static ArtifactRepository artifactRepository;
    private static Authorizer authorizer;
    private static NamespaceAdmin namespaceAdmin;

    @BeforeClass
    public static void setup() throws Exception {
        CConfiguration create = CConfiguration.create();
        create.set("local.data.dir", TMP_FOLDER.newFolder().getAbsolutePath());
        create.setBoolean("security.enabled", true);
        create.setBoolean("kerberos.auth.enabled", false);
        create.setBoolean("security.authorization.enabled", true);
        create.setInt("security.authorization.cache.max.entries", 0);
        create.set("security.authorization.extension.jar.path", AppJarHelper.createDeploymentJar(new LocalLocationFactory(TMP_FOLDER.newFolder()), InMemoryAuthorizer.class, new File[0]).toURI().getPath());
        File newFolder = TMP_FOLDER.newFolder();
        create.set("app.artifact.dir", newFolder.getAbsolutePath());
        createSystemArtifact(newFolder);
        Injector injector = AppFabricTestHelper.getInjector(create);
        artifactRepository = (ArtifactRepository) injector.getInstance(ArtifactRepository.class);
        authorizer = ((AuthorizerInstantiator) injector.getInstance(AuthorizerInstantiator.class)).get();
        namespaceAdmin = (NamespaceAdmin) injector.getInstance(NamespaceAdmin.class);
    }

    @Test
    public void testAuthorizationForSystemArtifacts() throws Exception {
        artifactRepository.addSystemArtifacts();
        SecurityRequestContext.setUserId(ALICE.getName());
        try {
            artifactRepository.addSystemArtifacts();
            Assert.fail("Adding system artifacts should have failed because alice does not have admin privileges on the namespace system.");
        } catch (UnauthorizedException e) {
        }
        authorizer.grant(NamespaceId.SYSTEM, ALICE, Collections.singleton(Action.ADMIN));
        Assert.assertEquals(Collections.singleton(new Privilege(NamespaceId.SYSTEM, Action.ADMIN)), authorizer.listPrivileges(ALICE));
        artifactRepository.addSystemArtifacts();
        SecurityRequestContext.setUserId("bob");
        try {
            artifactRepository.deleteArtifact(SYSTEM_ARTIFACT.toId());
            Assert.fail("Deleting a system artifact should have failed because alice does not have admin privileges on the artifact.");
        } catch (UnauthorizedException e2) {
        }
        SecurityRequestContext.setUserId(ALICE.getName());
        NamespaceId namespaceId = new NamespaceId("test");
        authorizer.grant(namespaceId, ALICE, Collections.singleton(Action.ADMIN));
        namespaceAdmin.create(new NamespaceMeta.Builder().setName(namespaceId.getNamespace()).build());
        List artifactSummaries = artifactRepository.getArtifactSummaries(namespaceId, true);
        Assert.assertEquals(1L, artifactSummaries.size());
        ArtifactSummary artifactSummary = (ArtifactSummary) artifactSummaries.get(0);
        Assert.assertEquals(SYSTEM_ARTIFACT.getArtifact(), artifactSummary.getName());
        Assert.assertEquals(SYSTEM_ARTIFACT.getVersion(), artifactSummary.getVersion());
        Assert.assertEquals(SYSTEM_ARTIFACT.getNamespace(), artifactSummary.getScope().name().toLowerCase());
        co.cask.cdap.api.artifact.ArtifactId artifactId = artifactRepository.getArtifact(SYSTEM_ARTIFACT.toId()).getDescriptor().getArtifactId();
        Assert.assertEquals(SYSTEM_ARTIFACT.getArtifact(), artifactId.getName());
        Assert.assertEquals(SYSTEM_ARTIFACT.getVersion(), artifactId.getVersion().getVersion());
        Assert.assertEquals(SYSTEM_ARTIFACT.getNamespace(), artifactId.getScope().name().toLowerCase());
        namespaceAdmin.delete(namespaceId);
        try {
            authorizer.enforce(SYSTEM_ARTIFACT, ALICE, EnumSet.allOf(Action.class));
            Assert.fail();
        } catch (UnauthorizedException e3) {
        }
        try {
            artifactRepository.deleteArtifact(SYSTEM_ARTIFACT.toId());
            Assert.fail();
        } catch (UnauthorizedException e4) {
        }
        authorizer.grant(SYSTEM_ARTIFACT, ALICE, EnumSet.of(Action.ADMIN));
        artifactRepository.deleteArtifact(SYSTEM_ARTIFACT.toId());
        authorizer.revoke(SYSTEM_ARTIFACT);
        authorizer.revoke(namespaceId);
    }

    @AfterClass
    public static void cleanup() throws Exception {
        authorizer.revoke(NamespaceId.SYSTEM);
        Assert.assertEquals(Collections.emptySet(), authorizer.listPrivileges(ALICE));
        SecurityRequestContext.setUserId(OLD_USER_ID);
    }

    private static void createSystemArtifact(File file) throws IOException {
        Manifest manifest = new Manifest();
        manifest.getMainAttributes().put(ManifestFields.EXPORT_PACKAGE, PluginTestRunnable.class.getPackage().getName());
        createAppJar(PluginTestApp.class, new File(file, String.format("%s-%s.jar", SYSTEM_ARTIFACT.getArtifact(), SYSTEM_ARTIFACT.getVersion())), manifest);
    }

    private static File createAppJar(Class<?> cls, File file, Manifest manifest) throws IOException {
        Location createDeploymentJar = AppJarHelper.createDeploymentJar(new LocalLocationFactory(TMP_FOLDER.newFolder()), cls, manifest, new File[0]);
        DirUtils.mkdirs(file.getParentFile());
        Files.copy(Locations.newInputSupplier(createDeploymentJar), file);
        return file;
    }
}
