package co.cask.cdap.internal.app.store.remote;

import co.cask.cdap.common.conf.CConfiguration;
import co.cask.cdap.common.discovery.RandomEndpointStrategy;
import co.cask.cdap.common.test.AppJarHelper;
import co.cask.cdap.internal.AppFabricTestHelper;
import co.cask.cdap.internal.app.services.AppFabricServer;
import co.cask.cdap.proto.ProgramType;
import co.cask.cdap.proto.id.ApplicationId;
import co.cask.cdap.proto.id.DatasetId;
import co.cask.cdap.proto.id.EntityId;
import co.cask.cdap.proto.id.NamespaceId;
import co.cask.cdap.proto.id.NamespacedEntityId;
import co.cask.cdap.proto.id.ProgramId;
import co.cask.cdap.proto.id.StreamId;
import co.cask.cdap.proto.security.Action;
import co.cask.cdap.proto.security.Principal;
import co.cask.cdap.security.authorization.InMemoryAuthorizer;
import co.cask.cdap.security.authorization.RemoteAuthorizationEnforcer;
import co.cask.cdap.security.spi.authorization.AuthorizationEnforcer;
import co.cask.cdap.security.spi.authorization.PrivilegesManager;
import co.cask.cdap.security.spi.authorization.UnauthorizedException;
import com.google.common.base.Preconditions;
import com.google.common.collect.ImmutableSet;
import com.google.inject.Injector;
import java.io.File;
import java.io.IOException;
import java.util.Collections;
import java.util.EnumSet;
import java.util.Iterator;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import java.util.jar.Attributes;
import java.util.jar.Manifest;
import org.apache.twill.discovery.DiscoveryServiceClient;
import org.apache.twill.filesystem.LocalLocationFactory;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.ClassRule;
import org.junit.Test;
import org.junit.rules.TemporaryFolder;

/* loaded from: input_file:co/cask/cdap/internal/app/store/remote/RemotePrivilegesTestBase.class */
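/**
 * Base class for tests of the remote authorization path: an {@link AppFabricServer} is started
 * with security and authorization enabled and {@link InMemoryAuthorizer} installed as the
 * authorization extension, and the tests then drive {@link PrivilegesManager} (grant / revoke /
 * list) and the {@link RemoteAuthorizationEnforcer} (enforce / isVisible) against it.
 *
 * <p>Every test revokes the privileges it granted before returning, and {@link #after()} clears
 * the enforcer's cache, so a grant made by one test cannot satisfy an enforcement check in a
 * later one (the cache TTL is set to {@value #CACHE_TIMEOUT} seconds, which is longer than a
 * single test may take). Concrete subclasses are expected to call {@link #setup()} from a
 * {@code @BeforeClass} method; {@link #tearDown()} stops the server.
 */
public abstract class RemotePrivilegesTestBase {
    /** TTL in seconds configured for the remote enforcer's privilege cache. */
    private static final int CACHE_TIMEOUT = 3;
    /** How long to wait for the app-fabric service to become discoverable after start-up. */
    private static final long SERVICE_DISCOVERY_TIMEOUT_SECS = 5L;

    protected static AuthorizationEnforcer authorizationEnforcer;
    protected static PrivilegesManager privilegesManager;
    private static DiscoveryServiceClient discoveryService;
    private static AppFabricServer appFabricServer;

    @ClassRule
    public static final TemporaryFolder TEMPORARY_FOLDER = new TemporaryFolder();
    protected static final Principal ALICE = new Principal("alice", Principal.PrincipalType.USER);
    protected static final Principal BOB = new Principal("bob", Principal.PrincipalType.USER);
    protected static final Principal CAROL = new Principal("carol", Principal.PrincipalType.USER);
    protected static final NamespaceId NS = new NamespaceId("ns");
    protected static final ApplicationId APP = NS.app("app");
    protected static final ProgramId PROGRAM = APP.program(ProgramType.FLOW, "flo");
    protected static CConfiguration cConf = CConfiguration.create();

    /**
     * Configures security (authorization on, Kerberos off), packages {@link InMemoryAuthorizer}
     * as the authorization extension jar, starts the app-fabric server and resolves the remote
     * enforcer and privileges manager from the injector.
     *
     * @throws IOException if the temporary data directory or extension jar cannot be created
     * @throws InterruptedException if interrupted while waiting for the service to come up
     * @throws NullPointerException if the app-fabric service is not discoverable within
     *         {@value #SERVICE_DISCOVERY_TIMEOUT_SECS} seconds
     */
    public static void setup() throws IOException, InterruptedException {
        cConf.set("local.data.dir", TEMPORARY_FOLDER.newFolder().getAbsolutePath());
        cConf.setBoolean("security.enabled", true);
        cConf.setBoolean("kerberos.auth.enabled", false);
        cConf.setBoolean("security.authorization.enabled", true);
        cConf.setInt("security.authorization.cache.ttl.secs", CACHE_TIMEOUT);

        // The authorizer is loaded from an extension jar whose manifest names the authorizer class.
        Manifest manifest = new Manifest();
        manifest.getMainAttributes().put(Attributes.Name.MAIN_CLASS, InMemoryAuthorizer.class.getName());
        LocalLocationFactory jarLocationFactory = new LocalLocationFactory(TEMPORARY_FOLDER.newFolder());
        cConf.set("security.authorization.extension.jar.path",
                  AppJarHelper.createDeploymentJar(jarLocationFactory, InMemoryAuthorizer.class, manifest).toString());

        Injector injector = AppFabricTestHelper.getInjector(cConf);
        discoveryService = injector.getInstance(DiscoveryServiceClient.class);
        appFabricServer = injector.getInstance(AppFabricServer.class);
        appFabricServer.startAndWait();
        waitForService("appfabric");
        // Deliberately the remote implementation: the enforcer under test talks to the server
        // over RPC rather than consulting the authorizer in-process.
        authorizationEnforcer = injector.getInstance(RemoteAuthorizationEnforcer.class);
        privilegesManager = injector.getInstance(PrivilegesManager.class);
    }

    /**
     * Blocks until a discoverable endpoint for the named service exists.
     *
     * @param serviceName the discovery name of the service
     * @throws NullPointerException if no endpoint is found within
     *         {@value #SERVICE_DISCOVERY_TIMEOUT_SECS} seconds
     * @throws InterruptedException if interrupted while waiting
     */
    private static void waitForService(String serviceName) throws InterruptedException {
        RandomEndpointStrategy endpointStrategy = new RandomEndpointStrategy(discoveryService.discover(serviceName));
        Preconditions.checkNotNull(endpointStrategy.pick(SERVICE_DISCOVERY_TIMEOUT_SECS, TimeUnit.SECONDS),
                                   "%s service is not up after %s seconds", serviceName, SERVICE_DISCOVERY_TIMEOUT_SECS);
    }

    /**
     * Drops cached authorization decisions so that a privilege granted or revoked in one test
     * cannot leak into the next through the enforcer cache.
     */
    @After
    public void after() throws Exception {
        authorizationEnforcer.clearCache();
    }

    /**
     * Grants alice privileges at namespace, application and program level, checks they are
     * enforced, revokes them again and verifies that nothing remains listed for her.
     */
    @Test
    public void testPrivilegesManager() throws Exception {
        privilegesManager.grant(NS, ALICE, EnumSet.allOf(Action.class));
        privilegesManager.grant(APP, ALICE, Collections.singleton(Action.ADMIN));
        privilegesManager.grant(PROGRAM, ALICE, Collections.singleton(Action.EXECUTE));

        // Both the single-action and the set-of-actions overloads must accept the grants.
        authorizationEnforcer.enforce(NS, ALICE, EnumSet.allOf(Action.class));
        authorizationEnforcer.enforce(APP, ALICE, Action.ADMIN);
        authorizationEnforcer.enforce(PROGRAM, ALICE, Action.EXECUTE);
        authorizationEnforcer.enforce(APP, ALICE, Collections.singleton(Action.ADMIN));

        // Revoke through each overload: whole entity, and entity + principal + actions.
        privilegesManager.revoke(PROGRAM);
        privilegesManager.revoke(APP, ALICE, EnumSet.allOf(Action.class));
        privilegesManager.revoke(NS, ALICE, EnumSet.allOf(Action.class));

        Set<?> remaining = privilegesManager.listPrivileges(ALICE);
        Assert.assertTrue(String.format("Expected all of alice's privileges to be revoked, but found %s", remaining),
                          remaining.isEmpty());
    }

    /**
     * Verifies that granted privileges pass enforcement and that a principal without any grant
     * on an entity is rejected with {@link UnauthorizedException}.
     */
    @Test
    public void testAuthorizationEnforcer() throws Exception {
        privilegesManager.grant(NS, ALICE, EnumSet.allOf(Action.class));
        privilegesManager.grant(APP, ALICE, Collections.singleton(Action.ADMIN));
        privilegesManager.grant(PROGRAM, ALICE, Collections.singleton(Action.EXECUTE));

        authorizationEnforcer.enforce(NS, ALICE, EnumSet.allOf(Action.class));
        authorizationEnforcer.enforce(APP, ALICE, Action.ADMIN);
        authorizationEnforcer.enforce(PROGRAM, ALICE, Action.EXECUTE);

        try {
            authorizationEnforcer.enforce(NS, BOB, Action.ADMIN);
            Assert.fail("Expected enforcement to reject bob, who holds no privileges on " + NS);
        } catch (UnauthorizedException expected) {
            // bob was never granted anything: rejection is the correct outcome.
        }

        privilegesManager.revoke(PROGRAM);
        privilegesManager.revoke(APP);
        privilegesManager.revoke(NS);
    }

    /**
     * Checks {@code isVisible} filtering: a principal sees exactly the entities it holds some
     * privilege on (plus the enclosing namespace), nothing for a principal with no grants, an
     * empty result for an empty input, and the input itself when every entity is visible.
     */
    @Test
    public void testVisibility() throws Exception {
        ApplicationId app = NS.app("app1");
        NamespacedEntityId program = app.program(ProgramType.SERVICE, "service1");
        NamespacedEntityId app2 = NS.app("app2");
        NamespacedEntityId program2 = app2.program(ProgramType.MAPREDUCE, "service2");
        DatasetId dataset = NS.dataset("ds");
        NamespacedEntityId dataset2 = NS.dataset("ds1");
        NamespacedEntityId dataset3 = NS.dataset("ds2");
        StreamId stream = NS.stream("stream");
        NamespacedEntityId stream2 = NS.stream("stream1");
        NamespacedEntityId stream3 = NS.stream("stream2");

        privilegesManager.grant(PROGRAM, ALICE, Collections.singleton(Action.EXECUTE));
        privilegesManager.grant(dataset, ALICE, EnumSet.of(Action.READ, Action.WRITE));
        privilegesManager.grant(stream, ALICE, EnumSet.of(Action.READ));
        privilegesManager.grant(program2, BOB, Collections.singleton(Action.ADMIN));
        privilegesManager.grant(dataset3, BOB, EnumSet.of(Action.READ, Action.WRITE));
        privilegesManager.grant(stream3, BOB, EnumSet.allOf(Action.class));

        Set<NamespacedEntityId> allEntities = ImmutableSet.of(
            NS, APP, PROGRAM, dataset, stream, app,
            program, dataset2, stream2, app2, program2, dataset3, stream3);

        // Alice's grant on PROGRAM makes its parents APP and NS visible too; bob's grants likewise.
        Assert.assertEquals(ImmutableSet.of(NS, APP, PROGRAM, dataset, stream),
                            authorizationEnforcer.isVisible(allEntities, ALICE));
        Assert.assertEquals(ImmutableSet.of(NS, app2, program2, dataset3, stream3),
                            authorizationEnforcer.isVisible(allEntities, BOB));
        // Carol holds nothing, so nothing is visible to her.
        Assert.assertEquals(ImmutableSet.of(), authorizationEnforcer.isVisible(allEntities, CAROL));
        Assert.assertEquals(ImmutableSet.of(), authorizationEnforcer.isVisible(ImmutableSet.of(), ALICE));
        Assert.assertEquals(ImmutableSet.of(dataset, APP),
                            authorizationEnforcer.isVisible(ImmutableSet.of(dataset, APP), ALICE));

        // Leave no grants behind for the other tests.
        for (EntityId entityId : allEntities) {
            privilegesManager.revoke(entityId);
        }
    }

    /** Stops the app-fabric server started by {@link #setup()}. */
    @AfterClass
    public static void tearDown() {
        appFabricServer.stopAndWait();
    }
}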
