package co.cask.cdap.data2.datafabric.dataset.service;

import co.cask.cdap.api.dataset.DatasetManagementException;
import co.cask.cdap.api.dataset.DatasetProperties;
import co.cask.cdap.api.dataset.DatasetSpecification;
import co.cask.cdap.api.dataset.InstanceNotFoundException;
import co.cask.cdap.api.dataset.table.Table;
import co.cask.cdap.common.conf.CConfiguration;
import co.cask.cdap.common.test.AppJarHelper;
import co.cask.cdap.proto.DatasetSpecificationSummary;
import co.cask.cdap.proto.id.DatasetId;
import co.cask.cdap.proto.id.DatasetModuleId;
import co.cask.cdap.proto.id.DatasetTypeId;
import co.cask.cdap.proto.id.EntityId;
import co.cask.cdap.proto.id.NamespaceId;
import co.cask.cdap.proto.security.Action;
import co.cask.cdap.proto.security.Principal;
import co.cask.cdap.proto.security.Privilege;
import co.cask.cdap.security.authorization.AuthorizerInstantiator;
import co.cask.cdap.security.authorization.InMemoryAuthorizer;
import co.cask.cdap.security.spi.authentication.SecurityRequestContext;
import co.cask.cdap.security.spi.authorization.Authorizer;
import co.cask.cdap.security.spi.authorization.UnauthorizedException;
import com.google.common.base.Function;
import com.google.common.collect.Collections2;
import com.google.common.collect.ImmutableMap;
import com.google.common.collect.ImmutableSet;
import com.google.common.collect.Sets;
import java.io.File;
import java.io.IOException;
import java.util.Collection;
import java.util.EnumSet;
import java.util.Iterator;
import java.util.Set;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.twill.filesystem.LocalLocationFactory;
import org.apache.twill.filesystem.Location;
import org.junit.After;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Test;

/* loaded from: input_file:co/cask/cdap/data2/datafabric/dataset/service/DatasetServiceAuthorizationTest.class */
public class DatasetServiceAuthorizationTest extends DatasetServiceTestBase {
    private static final Principal ALICE = new Principal("alice", Principal.PrincipalType.USER);
    private static final Principal BOB = new Principal("bob", Principal.PrincipalType.USER);
    private static Authorizer authorizer;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:co/cask/cdap/data2/datafabric/dataset/service/DatasetServiceAuthorizationTest$DatasetOperationExecutor.class */
    public interface DatasetOperationExecutor {
        void execute() throws Exception;
    }

    @BeforeClass
    public static void setup() throws Exception {
        locationFactory = new LocalLocationFactory(TMP_FOLDER.newFolder());
        initializeAndStartService(createCConf());
        authorizer = ((AuthorizerInstantiator) injector.getInstance(AuthorizerInstantiator.class)).get();
    }

    protected static CConfiguration createCConf() throws IOException {
        CConfiguration createCConf = DatasetServiceTestBase.createCConf();
        createCConf.setBoolean("security.enabled", true);
        createCConf.setBoolean("security.authorization.enabled", true);
        createCConf.setBoolean("kerberos.auth.enabled", false);
        createCConf.setInt("security.authorization.cache.max.entries", 0);
        createCConf.set("security.authorization.extension.jar.path", AppJarHelper.createDeploymentJar(locationFactory, InMemoryAuthorizer.class, new File[0]).toURI().getPath());
        createCConf.set("cdap.master.kerberos.principal", UserGroupInformation.getLoginUser().getShortUserName());
        return createCConf;
    }

    @Test
    public void testDatasetInstances() throws Exception {
        final DatasetId dataset = NamespaceId.DEFAULT.dataset("myds");
        final DatasetId dataset2 = NamespaceId.DEFAULT.dataset("myds1");
        DatasetId dataset3 = NamespaceId.DEFAULT.dataset("myds2");
        SecurityRequestContext.setUserId(ALICE.getName());
        assertAuthorizationFailure(new DatasetOperationExecutor() { // from class: co.cask.cdap.data2.datafabric.dataset.service.DatasetServiceAuthorizationTest.1
            @Override // co.cask.cdap.data2.datafabric.dataset.service.DatasetServiceAuthorizationTest.DatasetOperationExecutor
            public void execute() throws Exception {
                DatasetServiceTestBase.dsFramework.addInstance(Table.class.getName(), dataset, DatasetProperties.EMPTY);
            }
        }, "Alice should not be able to add a dataset instance since she does not have ADMIN privileges on the dataset");
        grantAndAssertSuccess(dataset, ALICE, ImmutableSet.of(Action.ADMIN));
        dsFramework.addInstance(Table.class.getName(), dataset, DatasetProperties.EMPTY);
        Assert.assertTrue(dsFramework.hasInstance(dataset));
        Assert.assertNotNull(dsFramework.getDataset(dataset, ImmutableMap.of(), (ClassLoader) null));
        dsFramework.updateInstance(dataset, DatasetProperties.builder().add("key", "value").build());
        SecurityRequestContext.setUserId(BOB.getName());
        assertAuthorizationFailure(new DatasetOperationExecutor() { // from class: co.cask.cdap.data2.datafabric.dataset.service.DatasetServiceAuthorizationTest.2
            @Override // co.cask.cdap.data2.datafabric.dataset.service.DatasetServiceAuthorizationTest.DatasetOperationExecutor
            public void execute() throws Exception {
                DatasetServiceTestBase.dsFramework.getDataset(dataset, ImmutableMap.of(), (ClassLoader) null);
            }
        }, String.format("Expected %s to not be have access to %s.", BOB, dataset));
        assertAuthorizationFailure(new DatasetOperationExecutor() { // from class: co.cask.cdap.data2.datafabric.dataset.service.DatasetServiceAuthorizationTest.3
            @Override // co.cask.cdap.data2.datafabric.dataset.service.DatasetServiceAuthorizationTest.DatasetOperationExecutor
            public void execute() throws Exception {
                DatasetServiceTestBase.dsFramework.updateInstance(dataset, DatasetProperties.builder().add("key", "val").build());
            }
        }, String.format("Expected %s to not be have %s privilege on %s.", BOB, Action.ADMIN, dataset));
        assertAuthorizationFailure(new DatasetOperationExecutor() { // from class: co.cask.cdap.data2.datafabric.dataset.service.DatasetServiceAuthorizationTest.4
            @Override // co.cask.cdap.data2.datafabric.dataset.service.DatasetServiceAuthorizationTest.DatasetOperationExecutor
            public void execute() throws Exception {
                DatasetServiceTestBase.dsFramework.truncateInstance(dataset);
            }
        }, String.format("Expected %s to not be have %s privilege on %s.", BOB, Action.ADMIN, dataset));
        grantAndAssertSuccess(dataset, BOB, ImmutableSet.of(Action.ADMIN));
        dsFramework.updateInstance(dataset, DatasetProperties.builder().add("key", "val").build());
        dsFramework.truncateInstance(dataset);
        DatasetSpecification datasetSpec = dsFramework.getDatasetSpec(dataset);
        Assert.assertNotNull(datasetSpec);
        Assert.assertEquals("val", datasetSpec.getProperty("key"));
        grantAndAssertSuccess(dataset2, BOB, ImmutableSet.of(Action.ADMIN));
        grantAndAssertSuccess(dataset3, BOB, ImmutableSet.of(Action.ADMIN));
        dsFramework.addInstance(Table.class.getName(), dataset2, DatasetProperties.EMPTY);
        dsFramework.addInstance(Table.class.getName(), dataset3, DatasetProperties.EMPTY);
        Assert.assertEquals(ImmutableSet.of(dataset, dataset2, dataset3), summaryToDatasetIdSet(dsFramework.getInstances(NamespaceId.DEFAULT)));
        SecurityRequestContext.setUserId(ALICE.getName());
        Assert.assertEquals(ImmutableSet.of(dataset), summaryToDatasetIdSet(dsFramework.getInstances(NamespaceId.DEFAULT)));
        grantAndAssertSuccess(dataset2, ALICE, ImmutableSet.of(Action.EXECUTE));
        grantAndAssertSuccess(dataset3, ALICE, ImmutableSet.of(Action.EXECUTE));
        try {
            dsFramework.deleteAllInstances(NamespaceId.DEFAULT);
            Assert.fail();
        } catch (Exception e) {
            Assert.assertTrue(e.getMessage().contains("is not authorized to perform actions"));
        }
        Assert.assertEquals(ImmutableSet.of(dataset2, dataset3, dataset), summaryToDatasetIdSet(dsFramework.getInstances(NamespaceId.DEFAULT)));
        assertAuthorizationFailure(new DatasetOperationExecutor() { // from class: co.cask.cdap.data2.datafabric.dataset.service.DatasetServiceAuthorizationTest.5
            @Override // co.cask.cdap.data2.datafabric.dataset.service.DatasetServiceAuthorizationTest.DatasetOperationExecutor
            public void execute() throws Exception {
                DatasetServiceTestBase.dsFramework.deleteInstance(dataset2);
            }
        }, String.format("Alice should not be able to delete instance %s since she does not have privileges", dataset2));
        grantAndAssertSuccess(dataset2, ALICE, ImmutableSet.of(Action.ADMIN));
        Assert.assertEquals(ImmutableSet.of(dataset2, dataset3, dataset), summaryToDatasetIdSet(dsFramework.getInstances(NamespaceId.DEFAULT)));
        dsFramework.deleteInstance(dataset2);
        Assert.assertEquals(ImmutableSet.of(dataset3, dataset), summaryToDatasetIdSet(dsFramework.getInstances(NamespaceId.DEFAULT)));
        SecurityRequestContext.setUserId(BOB.getName());
        Assert.assertEquals(ImmutableSet.of(dataset3, dataset), summaryToDatasetIdSet(dsFramework.getInstances(NamespaceId.DEFAULT)));
        dsFramework.deleteInstance(dataset3);
        SecurityRequestContext.setUserId(ALICE.getName());
        dsFramework.deleteInstance(dataset);
        grantAndAssertSuccess(dataset3, ALICE, EnumSet.of(Action.ADMIN));
        dsFramework.addInstance(Table.class.getName(), dataset, DatasetProperties.EMPTY);
        dsFramework.addInstance(Table.class.getName(), dataset2, DatasetProperties.EMPTY);
        dsFramework.addInstance(Table.class.getName(), dataset3, DatasetProperties.EMPTY);
        Assert.assertEquals(ImmutableSet.of(dataset, dataset2, dataset3), summaryToDatasetIdSet(dsFramework.getInstances(NamespaceId.DEFAULT)));
        dsFramework.deleteAllInstances(NamespaceId.DEFAULT);
        Assert.assertTrue(dsFramework.getInstances(NamespaceId.DEFAULT).isEmpty());
    }

    @Test
    public void testNotFound() throws Exception {
        final DatasetId dataset = NamespaceId.DEFAULT.dataset("notfound");
        final DatasetModuleId datasetModule = NamespaceId.DEFAULT.datasetModule("notfound");
        final DatasetTypeId datasetType = NamespaceId.DEFAULT.datasetType("notfound");
        try {
            dsFramework.getDatasetSpec(dataset);
            Assert.fail();
        } catch (Exception e) {
            Assert.assertTrue(e.getMessage().contains("is not authorized to perform any one of the actions"));
        }
        try {
            dsFramework.hasInstance(dataset);
            Assert.fail();
        } catch (Exception e2) {
            Assert.assertTrue(e2.getMessage().contains("is not authorized to perform any one of the actions"));
        }
        SecurityRequestContext.setUserId(ALICE.getName());
        grantAndAssertSuccess(dataset, ALICE, EnumSet.of(Action.ADMIN));
        grantAndAssertSuccess(datasetModule, ALICE, EnumSet.of(Action.ADMIN));
        Assert.assertNull(dsFramework.getDatasetSpec(dataset));
        Assert.assertFalse(dsFramework.hasInstance(dataset));
        assertNotFound(new DatasetOperationExecutor() { // from class: co.cask.cdap.data2.datafabric.dataset.service.DatasetServiceAuthorizationTest.6
            @Override // co.cask.cdap.data2.datafabric.dataset.service.DatasetServiceAuthorizationTest.DatasetOperationExecutor
            public void execute() throws Exception {
                DatasetServiceTestBase.dsFramework.updateInstance(dataset, DatasetProperties.EMPTY);
            }
        }, String.format("Expected %s to not exist", dataset));
        assertNotFound(new DatasetOperationExecutor() { // from class: co.cask.cdap.data2.datafabric.dataset.service.DatasetServiceAuthorizationTest.7
            @Override // co.cask.cdap.data2.datafabric.dataset.service.DatasetServiceAuthorizationTest.DatasetOperationExecutor
            public void execute() throws Exception {
                DatasetServiceTestBase.dsFramework.deleteInstance(dataset);
            }
        }, String.format("Expected %s to not exist", dataset));
        assertNotFound(new DatasetOperationExecutor() { // from class: co.cask.cdap.data2.datafabric.dataset.service.DatasetServiceAuthorizationTest.8
            @Override // co.cask.cdap.data2.datafabric.dataset.service.DatasetServiceAuthorizationTest.DatasetOperationExecutor
            public void execute() throws Exception {
                DatasetServiceTestBase.dsFramework.truncateInstance(dataset);
            }
        }, String.format("Expected %s to not exist", dataset));
        assertAuthorizationFailure(new DatasetOperationExecutor() { // from class: co.cask.cdap.data2.datafabric.dataset.service.DatasetServiceAuthorizationTest.9
            @Override // co.cask.cdap.data2.datafabric.dataset.service.DatasetServiceAuthorizationTest.DatasetOperationExecutor
            public void execute() throws Exception {
                DatasetServiceTestBase.dsFramework.addInstance(datasetType.getType(), dataset, DatasetProperties.EMPTY);
            }
        }, "Alice needs to have READ/ADMIN on the dataset type to create the dataset");
        assertNotFound(new DatasetOperationExecutor() { // from class: co.cask.cdap.data2.datafabric.dataset.service.DatasetServiceAuthorizationTest.10
            @Override // co.cask.cdap.data2.datafabric.dataset.service.DatasetServiceAuthorizationTest.DatasetOperationExecutor
            public void execute() throws Exception {
                DatasetServiceTestBase.dsFramework.deleteModule(datasetModule);
            }
        }, String.format("Expected %s to not exist", datasetModule));
        grantAndAssertSuccess(datasetType, ALICE, EnumSet.of(Action.ADMIN));
        Assert.assertNull(String.format("Expected %s to not exist", datasetType), dsFramework.getTypeInfo(datasetType));
    }

    @Test
    public void testDatasetTypes() throws Exception {
        final DatasetModuleId datasetModule = NamespaceId.DEFAULT.datasetModule("module1");
        final DatasetModuleId datasetModule2 = NamespaceId.DEFAULT.datasetModule("module2");
        final DatasetTypeId datasetType = NamespaceId.DEFAULT.datasetType("datasetType1");
        DatasetTypeId datasetType2 = NamespaceId.DEFAULT.datasetType("datasetType1x");
        final DatasetTypeId datasetType3 = NamespaceId.DEFAULT.datasetType("datasetType2");
        DatasetId dataset = NamespaceId.DEFAULT.dataset("succeed");
        SecurityRequestContext.setUserId(ALICE.getName());
        final Location createModuleJar = createModuleJar(TestModule1x.class, new Location[0]);
        assertAuthorizationFailure(new DatasetOperationExecutor() { // from class: co.cask.cdap.data2.datafabric.dataset.service.DatasetServiceAuthorizationTest.11
            @Override // co.cask.cdap.data2.datafabric.dataset.service.DatasetServiceAuthorizationTest.DatasetOperationExecutor
            public void execute() throws Exception {
                DatasetServiceTestBase.dsFramework.addModule(datasetModule, new TestModule1x(), createModuleJar);
            }
        }, String.format("Expected module add operation to fail for %s because she does not have %s on %s", ALICE, Action.ADMIN, datasetModule));
        grantAndAssertSuccess(datasetModule, ALICE, EnumSet.of(Action.ADMIN));
        grantAndAssertSuccess(datasetType, ALICE, EnumSet.of(Action.ADMIN));
        grantAndAssertSuccess(datasetType2, ALICE, EnumSet.of(Action.ADMIN));
        grantAndAssertSuccess(dataset, ALICE, EnumSet.of(Action.ADMIN));
        dsFramework.addModule(datasetModule, new TestModule1x(), createModuleJar);
        Assert.assertNotNull(dsFramework.getTypeInfo(datasetType));
        Assert.assertNotNull(dsFramework.getTypeInfo(datasetType2));
        dsFramework.addInstance(datasetType2.getType(), dataset, DatasetProperties.EMPTY);
        SecurityRequestContext.setUserId(BOB.getName());
        assertAuthorizationFailure(new DatasetOperationExecutor() { // from class: co.cask.cdap.data2.datafabric.dataset.service.DatasetServiceAuthorizationTest.12
            @Override // co.cask.cdap.data2.datafabric.dataset.service.DatasetServiceAuthorizationTest.DatasetOperationExecutor
            public void execute() throws Exception {
                DatasetServiceTestBase.dsFramework.addInstance(datasetType.getType(), NamespaceId.DEFAULT.dataset("fail"), DatasetProperties.EMPTY);
            }
        }, String.format("Creating an instance of a type from %s should fail as %s does not have any privileges on it.", datasetModule, BOB));
        grantAndAssertSuccess(datasetModule2, BOB, EnumSet.of(Action.ADMIN));
        grantAndAssertSuccess(datasetType3, BOB, EnumSet.of(Action.ADMIN));
        dsFramework.addModule(datasetModule2, new TestModule2(), createModuleJar(TestModule2.class, new Location[0]));
        Assert.assertNotNull(dsFramework.getTypeInfo(datasetType3));
        SecurityRequestContext.setUserId(ALICE.getName());
        assertAuthorizationFailure(new DatasetOperationExecutor() { // from class: co.cask.cdap.data2.datafabric.dataset.service.DatasetServiceAuthorizationTest.13
            @Override // co.cask.cdap.data2.datafabric.dataset.service.DatasetServiceAuthorizationTest.DatasetOperationExecutor
            public void execute() throws Exception {
                DatasetServiceTestBase.dsFramework.addInstance(datasetType3.getType(), NamespaceId.DEFAULT.dataset("fail"), DatasetProperties.EMPTY);
            }
        }, String.format("Creating an instance of a type from %s should fail as %s does not have any privileges on it.", datasetModule2, ALICE));
        assertAuthorizationFailure(new DatasetOperationExecutor() { // from class: co.cask.cdap.data2.datafabric.dataset.service.DatasetServiceAuthorizationTest.14
            @Override // co.cask.cdap.data2.datafabric.dataset.service.DatasetServiceAuthorizationTest.DatasetOperationExecutor
            public void execute() throws Exception {
                DatasetServiceTestBase.dsFramework.deleteModule(datasetModule2);
            }
        }, String.format("Deleting module %s should fail as %s does not have any privileges on it.", datasetModule2, ALICE));
        SecurityRequestContext.setUserId(BOB.getName());
        assertAuthorizationFailure(new DatasetOperationExecutor() { // from class: co.cask.cdap.data2.datafabric.dataset.service.DatasetServiceAuthorizationTest.15
            @Override // co.cask.cdap.data2.datafabric.dataset.service.DatasetServiceAuthorizationTest.DatasetOperationExecutor
            public void execute() throws Exception {
                DatasetServiceTestBase.dsFramework.deleteModule(datasetModule);
            }
        }, String.format("Deleting module %s should fail as %s does not have any privileges on it.", datasetModule, BOB));
        assertAuthorizationFailure(new DatasetOperationExecutor() { // from class: co.cask.cdap.data2.datafabric.dataset.service.DatasetServiceAuthorizationTest.16
            @Override // co.cask.cdap.data2.datafabric.dataset.service.DatasetServiceAuthorizationTest.DatasetOperationExecutor
            public void execute() throws Exception {
                DatasetServiceTestBase.dsFramework.deleteAllModules(NamespaceId.DEFAULT);
            }
        }, String.format("Deleting all modules in %s should fail as %s does not have ADMIN privileges on it.", NamespaceId.DEFAULT, BOB));
        SecurityRequestContext.setUserId(ALICE.getName());
        dsFramework.deleteAllInstances(NamespaceId.DEFAULT);
        SecurityRequestContext.setUserId(BOB.getName());
        grantAndAssertSuccess(datasetModule, BOB, EnumSet.of(Action.ADMIN));
        dsFramework.deleteAllModules(NamespaceId.DEFAULT);
    }

    @Test
    public void testSystemDatasetsInUserNamespace() throws Exception {
        DatasetId dataset = NamespaceId.DEFAULT.dataset("system.queue.config");
        DatasetId dataset2 = NamespaceId.DEFAULT.dataset("system.sharded.queue");
        DatasetId dataset3 = NamespaceId.DEFAULT.dataset("system.queue");
        DatasetId dataset4 = NamespaceId.DEFAULT.dataset("system.stream");
        dsFramework.addInstance(Table.class.getName(), dataset, DatasetProperties.EMPTY);
        dsFramework.addInstance(Table.class.getName(), dataset2, DatasetProperties.EMPTY);
        dsFramework.addInstance(Table.class.getName(), dataset3, DatasetProperties.EMPTY);
        dsFramework.addInstance(Table.class.getName(), dataset4, DatasetProperties.EMPTY);
        Assert.assertTrue(summaryToDatasetIdSet(dsFramework.getInstances(NamespaceId.DEFAULT)).isEmpty());
        Assert.assertNotNull(dsFramework.getDataset(dataset, ImmutableMap.of(), (ClassLoader) null));
        Assert.assertNotNull(dsFramework.getDataset(dataset2, ImmutableMap.of(), (ClassLoader) null));
        Assert.assertNotNull(dsFramework.getDataset(dataset3, ImmutableMap.of(), (ClassLoader) null));
        Assert.assertNotNull(dsFramework.getDataset(dataset4, ImmutableMap.of(), (ClassLoader) null));
        dsFramework.updateInstance(dataset, DatasetProperties.EMPTY);
        dsFramework.deleteInstance(dataset);
        dsFramework.deleteInstance(dataset2);
        dsFramework.deleteInstance(dataset3);
        dsFramework.deleteInstance(dataset4);
    }

    @After
    public void cleanup() throws Exception {
        authorizer.revoke(NamespaceId.DEFAULT);
    }

    private Set<DatasetId> summaryToDatasetIdSet(Collection<DatasetSpecificationSummary> collection) {
        return ImmutableSet.copyOf(Collections2.transform(collection, new Function<DatasetSpecificationSummary, DatasetId>() { // from class: co.cask.cdap.data2.datafabric.dataset.service.DatasetServiceAuthorizationTest.17
            public DatasetId apply(DatasetSpecificationSummary datasetSpecificationSummary) {
                return NamespaceId.DEFAULT.dataset(datasetSpecificationSummary.getName());
            }
        }));
    }

    private void grantAndAssertSuccess(EntityId entityId, Principal principal, Set<Action> set) throws Exception {
        Set listPrivileges = authorizer.listPrivileges(principal);
        authorizer.grant(entityId, principal, set);
        ImmutableSet.Builder builder = ImmutableSet.builder();
        Iterator<Action> it = set.iterator();
        while (it.hasNext()) {
            builder.add(new Privilege(entityId, it.next()));
        }
        Assert.assertEquals(Sets.union(listPrivileges, builder.build()), authorizer.listPrivileges(principal));
    }

    private void assertNotFound(DatasetOperationExecutor datasetOperationExecutor, String str) throws Exception {
        try {
            datasetOperationExecutor.execute();
            Assert.fail(str);
        } catch (InstanceNotFoundException e) {
        } catch (DatasetManagementException e2) {
            Assert.assertTrue(e2.getMessage().contains("Response code: 404, message: 'Not Found'"));
        }
    }

    private void assertAuthorizationFailure(DatasetOperationExecutor datasetOperationExecutor, String str) throws Exception {
        try {
            datasetOperationExecutor.execute();
            Assert.fail(str);
        } catch (UnauthorizedException e) {
        } catch (DatasetManagementException e2) {
            Assert.assertTrue(e2.getMessage().contains("Response code: 403, message: 'Forbidden'"));
        }
    }
}
