package co.cask.cdap.security.server;

import co.cask.cdap.common.conf.CConfiguration;
import co.cask.cdap.common.conf.SConfiguration;
import co.cask.cdap.common.guice.ConfigModule;
import co.cask.cdap.common.guice.DiscoveryRuntimeModule;
import co.cask.cdap.common.guice.IOModule;
import co.cask.cdap.common.io.Codec;
import co.cask.cdap.common.utils.Networks;
import co.cask.cdap.security.auth.AccessToken;
import co.cask.cdap.security.auth.AccessTokenCodec;
import co.cask.cdap.security.guice.InMemorySecurityModule;
import com.google.common.base.Throwables;
import com.google.common.collect.Sets;
import com.google.common.io.ByteStreams;
import com.google.gson.JsonObject;
import com.google.gson.JsonParser;
import com.google.inject.AbstractModule;
import com.google.inject.Guice;
import com.google.inject.Injector;
import com.google.inject.Module;
import com.google.inject.name.Names;
import com.google.inject.util.Modules;
import com.unboundid.ldap.listener.InMemoryDirectoryServer;
import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig;
import com.unboundid.ldap.listener.InMemoryListenerConfig;
import com.unboundid.ldap.sdk.Entry;
import java.io.ByteArrayOutputStream;
import java.net.URL;
import java.util.HashSet;
import java.util.Iterator;
import java.util.concurrent.TimeUnit;
import javax.security.auth.login.Configuration;
import org.apache.commons.codec.binary.Base64;
import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.http.HttpResponse;
import org.apache.http.client.HttpClient;
import org.apache.http.client.methods.HttpGet;
import org.apache.twill.discovery.Discoverable;
import org.apache.twill.discovery.DiscoveryServiceClient;
import org.apache.twill.discovery.ServiceDiscovered;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.Test;
import org.mockito.Matchers;
import org.mockito.Mockito;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:co/cask/cdap/security/server/ExternalAuthenticationServerTestBase.class */
public abstract class ExternalAuthenticationServerTestBase {
    private static ExternalAuthenticationServer server;
    private static int port;
    private static Codec<AccessToken> tokenCodec;
    private static DiscoveryServiceClient discoveryServiceClient;
    private static InMemoryDirectoryServer ldapServer;
    protected static CConfiguration configuration;
    protected static SConfiguration sConfiguration;
    protected static InMemoryListenerConfig ldapListenerConfig;
    private static final Logger LOG = LoggerFactory.getLogger(ExternalAuthenticationServerTestBase.class);
    protected static int ldapPort = Networks.getRandomPort();
    private static final Logger TEST_AUDIT_LOGGER = (Logger) Mockito.mock(Logger.class);

    protected abstract String getProtocol();

    protected abstract HttpClient getHTTPClient() throws Exception;

    /* JADX INFO: Access modifiers changed from: protected */
    public static void setup() throws Exception {
        Assert.assertNotNull("CConfiguration needs to be set by derived classes", configuration);
        Injector createInjector = Guice.createInjector(new Module[]{new IOModule(), Modules.override(new Module[]{new InMemorySecurityModule()}).with(new Module[]{new AbstractModule() { // from class: co.cask.cdap.security.server.ExternalAuthenticationServerTestBase.1
            protected void configure() {
                bind(AuditLogHandler.class).annotatedWith(Names.named("external.auth")).toInstance(new AuditLogHandler(ExternalAuthenticationServerTestBase.TEST_AUDIT_LOGGER));
            }
        }}), new ConfigModule(getConfiguration(configuration), HBaseConfiguration.create(), sConfiguration), new DiscoveryRuntimeModule().getInMemoryModules()});
        server = (ExternalAuthenticationServer) createInjector.getInstance(ExternalAuthenticationServer.class);
        tokenCodec = (Codec) createInjector.getInstance(AccessTokenCodec.class);
        discoveryServiceClient = (DiscoveryServiceClient) createInjector.getInstance(DiscoveryServiceClient.class);
        if (configuration.getBoolean("ssl.enabled")) {
            port = configuration.getInt("security.auth.server.ssl.bind.port");
        } else {
            port = configuration.getInt("security.auth.server.bind.port");
        }
        try {
            startLDAPServer();
            server.startAndWait();
            LOG.info("Auth server running on port {}", Integer.valueOf(port));
            ldapServer.startListening();
            TimeUnit.SECONDS.sleep(3L);
        } catch (Exception e) {
            throw Throwables.propagate(e);
        }
    }

    public int getAuthServerPort() {
        return port;
    }

    private static CConfiguration getConfiguration(CConfiguration cConfiguration) {
        cConfiguration.setInt("security.auth.server.bind.port", Networks.getRandomPort());
        cConfiguration.setInt("security.auth.server.ssl.bind.port", Networks.getRandomPort());
        cConfiguration.set("security.authentication.handlerClassName", LDAPAuthenticationHandler.class.getName());
        cConfiguration.set("security.authentication.loginmodule.className", LDAPLoginModule.class.getName());
        cConfiguration.set("security.authentication.handler.".concat("debug"), "true");
        cConfiguration.set("security.authentication.handler.".concat("hostname"), "localhost");
        cConfiguration.set("security.authentication.handler.".concat("port"), Integer.toString(ldapPort));
        cConfiguration.set("security.authentication.handler.".concat("userBaseDn"), "dc=example,dc=com");
        cConfiguration.set("security.authentication.handler.".concat("userRdnAttribute"), "cn");
        cConfiguration.set("security.authentication.handler.".concat("userObjectClass"), "inetorgperson");
        URL resource = ExternalAuthenticationServerTestBase.class.getClassLoader().getResource("test.keytab");
        Assert.assertNotNull(resource);
        cConfiguration.set("cdap.master.kerberos.keytab", resource.getPath());
        cConfiguration.set("cdap.master.kerberos.principal", "test_principal");
        return cConfiguration;
    }

    private static void startLDAPServer() throws Exception {
        InMemoryDirectoryServerConfig inMemoryDirectoryServerConfig = new InMemoryDirectoryServerConfig(new String[]{"dc=example,dc=com"});
        inMemoryDirectoryServerConfig.setListenerConfigs(new InMemoryListenerConfig[]{ldapListenerConfig});
        Entry entry = new Entry(new String[]{"dn: dc=example,dc=com", "objectClass: top", "objectClass: domain", "dc: example"});
        Entry entry2 = new Entry(new String[]{"dn: uid=user,dc=example,dc=com", "objectClass: inetorgperson", "cn: admin", "sn: User", "uid: user", "userPassword: realtime"});
        ldapServer = new InMemoryDirectoryServer(inMemoryDirectoryServerConfig);
        ldapServer.addEntries(new Entry[]{entry, entry2});
    }

    @AfterClass
    public static void afterClass() throws Exception {
        ldapServer.shutDown(true);
        server.stopAndWait();
        System.clearProperty("zookeeper.authProvider.1");
        Configuration.setConfiguration((Configuration) null);
    }

    @Test
    public void testValidAuthentication() throws Exception {
        HttpClient hTTPClient = getHTTPClient();
        HttpGet httpGet = new HttpGet(String.format("%s://%s:%d/%s", getProtocol(), server.getSocketAddress().getAddress().getHostAddress(), Integer.valueOf(server.getSocketAddress().getPort()), "token"));
        httpGet.addHeader("Authorization", "Basic YWRtaW46cmVhbHRpbWU=");
        HttpResponse execute = hTTPClient.execute(httpGet);
        Assert.assertEquals(execute.getStatusLine().getStatusCode(), 200L);
        ((Logger) Mockito.verify(TEST_AUDIT_LOGGER, Mockito.timeout(10000).atLeastOnce())).trace(Matchers.contains("admin"));
        String value = execute.getFirstHeader("Cache-Control").getValue();
        String value2 = execute.getFirstHeader("Pragma").getValue();
        String value3 = execute.getFirstHeader("Content-Type").getValue();
        Assert.assertEquals("no-store", value);
        Assert.assertEquals("no-cache", value2);
        Assert.assertEquals("application/json;charset=UTF-8", value3);
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        ByteStreams.copy(execute.getEntity().getContent(), byteArrayOutputStream);
        String byteArrayOutputStream2 = byteArrayOutputStream.toString("UTF-8");
        byteArrayOutputStream.close();
        JsonObject parse = new JsonParser().parse(byteArrayOutputStream2);
        String jsonElement = parse.get("token_type").toString();
        long asLong = parse.get("expires_in").getAsLong();
        Assert.assertEquals(String.format("\"%s\"", "Bearer"), jsonElement);
        Assert.assertEquals(configuration.getInt("security.server.token.expiration.ms") / 1000, asLong);
        String asString = parse.get("access_token").getAsString();
        Assert.assertEquals("admin", ((AccessToken) tokenCodec.decode(Base64.decodeBase64(asString))).getIdentifier().getUsername());
        LOG.info("AccessToken got from ExternalAuthenticationServer is: " + asString);
    }

    @Test
    public void testInvalidAuthentication() throws Exception {
        HttpClient hTTPClient = getHTTPClient();
        new HttpGet(String.format("%s://%s:%d/%s", getProtocol(), server.getSocketAddress().getAddress().getHostAddress(), Integer.valueOf(server.getSocketAddress().getPort()), "token")).addHeader("Authorization", "xxxxx");
        Assert.assertEquals(401L, hTTPClient.execute(r0).getStatusLine().getStatusCode());
        ((Logger) Mockito.verify(TEST_AUDIT_LOGGER, Mockito.timeout(10000).atLeastOnce())).trace(Matchers.contains("401"));
    }

    @Test
    public void testStatusResponse() throws Exception {
        Assert.assertEquals(200L, getHTTPClient().execute(new HttpGet(String.format("%s://%s:%d/%s", getProtocol(), server.getSocketAddress().getAddress().getHostAddress(), Integer.valueOf(server.getSocketAddress().getPort()), "/status"))).getStatusLine().getStatusCode());
    }

    @Test
    public void testExtendedToken() throws Exception {
        HttpClient hTTPClient = getHTTPClient();
        HttpGet httpGet = new HttpGet(String.format("%s://%s:%d/%s", getProtocol(), server.getSocketAddress().getAddress().getHostAddress(), Integer.valueOf(server.getSocketAddress().getPort()), "extendedtoken"));
        httpGet.addHeader("Authorization", "Basic YWRtaW46cmVhbHRpbWU=");
        HttpResponse execute = hTTPClient.execute(httpGet);
        Assert.assertEquals(200L, execute.getStatusLine().getStatusCode());
        ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
        ByteStreams.copy(execute.getEntity().getContent(), byteArrayOutputStream);
        String byteArrayOutputStream2 = byteArrayOutputStream.toString("UTF-8");
        byteArrayOutputStream.close();
        JsonObject parse = new JsonParser().parse(byteArrayOutputStream2);
        Assert.assertEquals(configuration.getInt("security.server.extended.token.expiration.ms") / 1000, parse.get("expires_in").getAsLong());
        String asString = parse.get("access_token").getAsString();
        Assert.assertEquals("admin", ((AccessToken) tokenCodec.decode(Base64.decodeBase64(asString))).getIdentifier().getUsername());
        LOG.info("AccessToken got from ExternalAuthenticationServer is: " + asString);
    }

    @Test
    public void testInvalidPath() throws Exception {
        HttpClient hTTPClient = getHTTPClient();
        new HttpGet(String.format("%s://%s:%d/%s", getProtocol(), server.getSocketAddress().getAddress().getHostAddress(), Integer.valueOf(server.getSocketAddress().getPort()), "invalid")).addHeader("Authorization", "Basic YWRtaW46cmVhbHRpbWU=");
        Assert.assertEquals(404L, hTTPClient.execute(r0).getStatusLine().getStatusCode());
    }

    @Test
    public void testServiceRegistration() throws Exception {
        ServiceDiscovered discover = discoveryServiceClient.discover("external.authentication");
        HashSet newHashSet = Sets.newHashSet();
        Iterator it = discover.iterator();
        while (it.hasNext()) {
            newHashSet.add(((Discoverable) it.next()).getSocketAddress());
        }
        Assert.assertTrue(newHashSet.contains(server.getSocketAddress()));
    }
}
