package co.cask.cdap.security.authorization;

import co.cask.cdap.api.Predicate;
import co.cask.cdap.common.conf.CConfiguration;
import co.cask.cdap.common.test.AppJarHelper;
import co.cask.cdap.common.utils.Tasks;
import co.cask.cdap.proto.id.DatasetId;
import co.cask.cdap.proto.id.EntityId;
import co.cask.cdap.proto.id.InstanceId;
import co.cask.cdap.proto.id.NamespaceId;
import co.cask.cdap.proto.security.Action;
import co.cask.cdap.proto.security.Principal;
import co.cask.cdap.proto.security.Privilege;
import co.cask.cdap.security.spi.authorization.Authorizer;
import co.cask.cdap.security.spi.authorization.PrivilegesFetcher;
import co.cask.cdap.security.spi.authorization.UnauthorizedException;
import com.google.common.collect.ImmutableSet;
import com.google.common.util.concurrent.Service;
import java.io.File;
import java.io.IOException;
import java.util.Collections;
import java.util.EnumSet;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.Callable;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;
import java.util.jar.Attributes;
import java.util.jar.Manifest;
import org.apache.hadoop.security.UserGroupInformation;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Test;

/* loaded from: input_file:co/cask/cdap/security/authorization/DefaultAuthorizationEnforcementServiceTest.class */
public class DefaultAuthorizationEnforcementServiceTest extends AuthorizationTestBase {
    private static final Principal ALICE = new Principal("alice", Principal.PrincipalType.USER);
    private static final Principal BOB = new Principal("bob", Principal.PrincipalType.USER);
    private static final NamespaceId NS = new NamespaceId("ns");

    /* loaded from: input_file:co/cask/cdap/security/authorization/DefaultAuthorizationEnforcementServiceTest$FailingPrivilegesFetcher.class */
    private static final class FailingPrivilegesFetcher implements PrivilegesFetcher {
        private final CountDownLatch countDownLatch;

        private FailingPrivilegesFetcher(CountDownLatch countDownLatch) {
            this.countDownLatch = countDownLatch;
        }

        public Set<Privilege> listPrivileges(Principal principal) throws Exception {
            this.countDownLatch.countDown();
            throw new UnsupportedOperationException(String.format("Deliberately failing list privileges for %s to test resiliency.", principal));
        }
    }

    @BeforeClass
    public static void setupClass() throws IOException {
        Manifest manifest = new Manifest();
        manifest.getMainAttributes().put(Attributes.Name.MAIN_CLASS, InMemoryAuthorizer.class.getName());
        CCONF.set("security.authorization.extension.jar.path", AppJarHelper.createDeploymentJar(locationFactory, InMemoryAuthorizer.class, manifest, new File[0]).toString());
    }

    @Test
    public void testAuthenticationDisabled() throws Exception {
        CConfiguration copy = CConfiguration.copy(CCONF);
        copy.setBoolean("security.enabled", false);
        verifyDisabled(copy);
    }

    @Test
    public void testAuthorizationDisabled() throws Exception {
        CConfiguration copy = CConfiguration.copy(CCONF);
        copy.setBoolean("security.authorization.enabled", false);
        verifyDisabled(copy);
    }

    @Test
    public void testCachingDisabled() throws Exception {
        CConfiguration copy = CConfiguration.copy(CCONF);
        copy.setBoolean("security.authorization.cache.enabled", false);
        AuthorizerInstantiator authorizerInstantiator = new AuthorizerInstantiator(copy, AUTH_CONTEXT_FACTORY);
        Throwable th = null;
        try {
            DefaultAuthorizationEnforcementService defaultAuthorizationEnforcementService = new DefaultAuthorizationEnforcementService(authorizerInstantiator.get(), copy, AUTH_CONTEXT);
            defaultAuthorizationEnforcementService.startAndWait();
            try {
                authorizerInstantiator.get().grant(NS, ALICE, ImmutableSet.of(Action.ADMIN));
                defaultAuthorizationEnforcementService.enforce(NS, ALICE, Action.ADMIN);
                Assert.assertTrue(defaultAuthorizationEnforcementService.getCache().isEmpty());
                defaultAuthorizationEnforcementService.stopAndWait();
                if (authorizerInstantiator != null) {
                    if (0 == 0) {
                        authorizerInstantiator.close();
                        return;
                    }
                    try {
                        authorizerInstantiator.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
            } catch (Throwable th3) {
                defaultAuthorizationEnforcementService.stopAndWait();
                throw th3;
            }
        } catch (Throwable th4) {
            if (authorizerInstantiator != null) {
                if (0 != 0) {
                    try {
                        authorizerInstantiator.close();
                    } catch (Throwable th5) {
                        th.addSuppressed(th5);
                    }
                } else {
                    authorizerInstantiator.close();
                }
            }
            throw th4;
        }
    }

    @Test(expected = IllegalArgumentException.class)
    public void testInvalidCacheTTLConfig() throws Exception {
        CConfiguration copy = CConfiguration.copy(CCONF);
        copy.setInt("security.authorization.cache.ttl.secs", -1);
        AuthorizerInstantiator authorizerInstantiator = new AuthorizerInstantiator(copy, AUTH_CONTEXT_FACTORY);
        Throwable th = null;
        try {
            try {
                new DefaultAuthorizationEnforcementService(authorizerInstantiator.get(), copy, AUTH_CONTEXT);
                if (authorizerInstantiator != null) {
                    if (0 == 0) {
                        authorizerInstantiator.close();
                        return;
                    }
                    try {
                        authorizerInstantiator.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
            } catch (Throwable th3) {
                th = th3;
                throw th3;
            }
        } catch (Throwable th4) {
            if (authorizerInstantiator != null) {
                if (th != null) {
                    try {
                        authorizerInstantiator.close();
                    } catch (Throwable th5) {
                        th.addSuppressed(th5);
                    }
                } else {
                    authorizerInstantiator.close();
                }
            }
            throw th4;
        }
    }

    @Test(expected = IllegalArgumentException.class)
    public void testInvalidCacheRefreshConfig() throws Exception {
        CConfiguration copy = CConfiguration.copy(CCONF);
        copy.setInt("security.authorization.cache.refresh.interval.secs", -1);
        AuthorizerInstantiator authorizerInstantiator = new AuthorizerInstantiator(copy, AUTH_CONTEXT_FACTORY);
        Throwable th = null;
        try {
            try {
                new DefaultAuthorizationEnforcementService(authorizerInstantiator.get(), copy, AUTH_CONTEXT);
                if (authorizerInstantiator != null) {
                    if (0 == 0) {
                        authorizerInstantiator.close();
                        return;
                    }
                    try {
                        authorizerInstantiator.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
            } catch (Throwable th3) {
                th = th3;
                throw th3;
            }
        } catch (Throwable th4) {
            if (authorizerInstantiator != null) {
                if (th != null) {
                    try {
                        authorizerInstantiator.close();
                    } catch (Throwable th5) {
                        th.addSuppressed(th5);
                    }
                } else {
                    authorizerInstantiator.close();
                }
            }
            throw th4;
        }
    }

    @Test
    public void testAuthCacheEnforce() throws Exception {
        AuthorizerInstantiator authorizerInstantiator = new AuthorizerInstantiator(CCONF, AUTH_CONTEXT_FACTORY);
        Throwable th = null;
        try {
            Authorizer authorizer = authorizerInstantiator.get();
            DefaultAuthorizationEnforcementService defaultAuthorizationEnforcementService = new DefaultAuthorizationEnforcementService(authorizer, CCONF, AUTH_CONTEXT);
            defaultAuthorizationEnforcementService.startAndWait();
            try {
                assertAuthorizationFailure(defaultAuthorizationEnforcementService, (EntityId) NS, ALICE, Action.ADMIN);
                Assert.assertTrue(((Map) defaultAuthorizationEnforcementService.getCache().get(ALICE)).isEmpty());
                DatasetId dataset = NS.dataset("ds");
                authorizer.grant(NS, ALICE, ImmutableSet.of(Action.READ, Action.WRITE));
                authorizer.grant(dataset, BOB, ImmutableSet.of(Action.ADMIN));
                defaultAuthorizationEnforcementService.runOneIteration();
                Assert.assertEquals(EnumSet.of(Action.READ, Action.WRITE), ((Map) defaultAuthorizationEnforcementService.getCache().get(ALICE)).get(NS));
                defaultAuthorizationEnforcementService.enforce(NS, ALICE, ImmutableSet.of(Action.READ, Action.WRITE));
                assertAuthorizationFailure(defaultAuthorizationEnforcementService, (EntityId) NS, ALICE, (Set<Action>) EnumSet.allOf(Action.class));
                defaultAuthorizationEnforcementService.enforce(dataset, ALICE, Action.READ);
                defaultAuthorizationEnforcementService.enforce(dataset, ALICE, Action.WRITE);
                assertAuthorizationFailure(defaultAuthorizationEnforcementService, (EntityId) NS, ALICE, Action.ADMIN);
                defaultAuthorizationEnforcementService.enforce(dataset, BOB, Action.ADMIN);
                authorizer.revoke(NS);
                defaultAuthorizationEnforcementService.runOneIteration();
                Assert.assertTrue(((Map) defaultAuthorizationEnforcementService.getCache().get(ALICE)).isEmpty());
                Assert.assertEquals(EnumSet.of(Action.ADMIN), ((Map) defaultAuthorizationEnforcementService.getCache().get(BOB)).get(dataset));
                assertAuthorizationFailure(defaultAuthorizationEnforcementService, (EntityId) NS, ALICE, Action.READ);
                assertAuthorizationFailure(defaultAuthorizationEnforcementService, (EntityId) NS, ALICE, Action.WRITE);
                defaultAuthorizationEnforcementService.enforce(dataset, BOB, Action.ADMIN);
                defaultAuthorizationEnforcementService.stopAndWait();
                if (authorizerInstantiator != null) {
                    if (0 == 0) {
                        authorizerInstantiator.close();
                        return;
                    }
                    try {
                        authorizerInstantiator.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
            } catch (Throwable th3) {
                defaultAuthorizationEnforcementService.stopAndWait();
                throw th3;
            }
        } catch (Throwable th4) {
            if (authorizerInstantiator != null) {
                if (0 != 0) {
                    try {
                        authorizerInstantiator.close();
                    } catch (Throwable th5) {
                        th.addSuppressed(th5);
                    }
                } else {
                    authorizerInstantiator.close();
                }
            }
            throw th4;
        }
    }

    /* JADX WARN: Finally extract failed */
    @Test
    public void testAuthCacheFilter() throws Exception {
        AuthorizerInstantiator authorizerInstantiator = new AuthorizerInstantiator(CCONF, AUTH_CONTEXT_FACTORY);
        Throwable th = null;
        try {
            Authorizer authorizer = authorizerInstantiator.get();
            NamespaceId namespaceId = new NamespaceId("ns1");
            NamespaceId namespaceId2 = new NamespaceId("ns2");
            DatasetId dataset = namespaceId.dataset("ds1");
            DatasetId dataset2 = namespaceId.dataset("ds2");
            DatasetId dataset3 = namespaceId2.dataset("ds1");
            DatasetId dataset4 = namespaceId2.dataset("ds2");
            DatasetId dataset5 = namespaceId2.dataset("ds3");
            ImmutableSet of = ImmutableSet.of(namespaceId, namespaceId2);
            authorizer.grant(namespaceId, ALICE, Collections.singleton(Action.WRITE));
            authorizer.grant(namespaceId2, ALICE, Collections.singleton(Action.ADMIN));
            authorizer.grant(dataset, ALICE, Collections.singleton(Action.READ));
            authorizer.grant(dataset, BOB, Collections.singleton(Action.ADMIN));
            authorizer.grant(dataset3, ALICE, Collections.singleton(Action.WRITE));
            authorizer.grant(dataset2, BOB, Collections.singleton(Action.WRITE));
            authorizer.grant(dataset2, BOB, EnumSet.allOf(Action.class));
            authorizer.grant(dataset3, ALICE, Collections.singleton(Action.WRITE));
            authorizer.grant(dataset5, ALICE, Collections.singleton(Action.ADMIN));
            authorizer.grant(dataset4, BOB, Collections.singleton(Action.ADMIN));
            DefaultAuthorizationEnforcementService defaultAuthorizationEnforcementService = new DefaultAuthorizationEnforcementService(authorizer, CCONF, AUTH_CONTEXT);
            defaultAuthorizationEnforcementService.startAndWait();
            try {
                Predicate createFilter = defaultAuthorizationEnforcementService.createFilter(ALICE);
                Iterator it = of.iterator();
                while (it.hasNext()) {
                    Assert.assertTrue(createFilter.apply((NamespaceId) it.next()));
                }
                Predicate createFilter2 = defaultAuthorizationEnforcementService.createFilter(BOB);
                Iterator it2 = of.iterator();
                while (it2.hasNext()) {
                    Assert.assertFalse(createFilter2.apply((NamespaceId) it2.next()));
                }
                Iterator it3 = ImmutableSet.of(dataset, dataset3, dataset5).iterator();
                while (it3.hasNext()) {
                    Assert.assertTrue(createFilter.apply((DatasetId) it3.next()));
                }
                Iterator it4 = ImmutableSet.of(dataset2, dataset4).iterator();
                while (it4.hasNext()) {
                    Assert.assertTrue(createFilter.apply((DatasetId) it4.next()));
                }
                Iterator it5 = ImmutableSet.of(dataset, dataset2, dataset4).iterator();
                while (it5.hasNext()) {
                    Assert.assertTrue(createFilter2.apply((DatasetId) it5.next()));
                }
                Iterator it6 = ImmutableSet.of(dataset3, dataset5).iterator();
                while (it6.hasNext()) {
                    Assert.assertFalse(createFilter2.apply((DatasetId) it6.next()));
                }
                defaultAuthorizationEnforcementService.stopAndWait();
                if (authorizerInstantiator != null) {
                    if (0 == 0) {
                        authorizerInstantiator.close();
                        return;
                    }
                    try {
                        authorizerInstantiator.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
            } catch (Throwable th3) {
                defaultAuthorizationEnforcementService.stopAndWait();
                throw th3;
            }
        } catch (Throwable th4) {
            if (authorizerInstantiator != null) {
                if (0 != 0) {
                    try {
                        authorizerInstantiator.close();
                    } catch (Throwable th5) {
                        th.addSuppressed(th5);
                    }
                } else {
                    authorizerInstantiator.close();
                }
            }
            throw th4;
        }
    }

    @Test
    public void testResiliency() throws Exception {
        CConfiguration copy = CConfiguration.copy(CCONF);
        copy.setInt("security.authorization.cache.refresh.interval.secs", 1);
        CountDownLatch countDownLatch = new CountDownLatch(10);
        DefaultAuthorizationEnforcementService defaultAuthorizationEnforcementService = new DefaultAuthorizationEnforcementService(new FailingPrivilegesFetcher(countDownLatch), copy, AUTH_CONTEXT);
        Map cache = defaultAuthorizationEnforcementService.getCache();
        cache.put(new Principal("bob", Principal.PrincipalType.USER), Collections.emptyMap());
        cache.put(new Principal("tom", Principal.PrincipalType.USER), Collections.emptyMap());
        defaultAuthorizationEnforcementService.startAndWait();
        try {
            countDownLatch.await();
            Assert.assertEquals(String.format("Expected authorization enforcement service to be %s, but it is %s", Service.State.RUNNING, defaultAuthorizationEnforcementService.state()), Service.State.RUNNING, defaultAuthorizationEnforcementService.state());
            defaultAuthorizationEnforcementService.stopAndWait();
        } catch (Throwable th) {
            defaultAuthorizationEnforcementService.stopAndWait();
            throw th;
        }
    }

    @Test
    public void testSystemUser() throws Exception {
        CConfiguration copy = CConfiguration.copy(CCONF);
        Principal principal = new Principal(UserGroupInformation.getCurrentUser().getShortUserName(), Principal.PrincipalType.USER);
        copy.setInt("security.authorization.cache.refresh.interval.secs", 1);
        AuthorizerInstantiator authorizerInstantiator = new AuthorizerInstantiator(copy, AUTH_CONTEXT_FACTORY);
        Throwable th = null;
        try {
            Authorizer authorizer = authorizerInstantiator.get();
            DefaultAuthorizationEnforcementService defaultAuthorizationEnforcementService = new DefaultAuthorizationEnforcementService(authorizer, copy, AUTH_CONTEXT);
            NamespaceId namespaceId = new NamespaceId("ns1");
            InstanceId instanceId = new InstanceId(copy.get("instance.name"));
            new AuthorizationBootstrapper(copy, authorizer).run();
            defaultAuthorizationEnforcementService.startAndWait();
            try {
                waitForBootstrap(defaultAuthorizationEnforcementService);
                defaultAuthorizationEnforcementService.enforce(instanceId, principal, Action.ADMIN);
                defaultAuthorizationEnforcementService.enforce(NamespaceId.SYSTEM, principal, EnumSet.allOf(Action.class));
                Predicate createFilter = defaultAuthorizationEnforcementService.createFilter(principal);
                Assert.assertFalse(createFilter.apply(namespaceId));
                Assert.assertTrue(createFilter.apply(instanceId));
                Assert.assertTrue(createFilter.apply(NamespaceId.SYSTEM));
                defaultAuthorizationEnforcementService.stopAndWait();
                if (authorizerInstantiator != null) {
                    if (0 == 0) {
                        authorizerInstantiator.close();
                        return;
                    }
                    try {
                        authorizerInstantiator.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
            } catch (Throwable th3) {
                defaultAuthorizationEnforcementService.stopAndWait();
                throw th3;
            }
        } catch (Throwable th4) {
            if (authorizerInstantiator != null) {
                if (0 != 0) {
                    try {
                        authorizerInstantiator.close();
                    } catch (Throwable th5) {
                        th.addSuppressed(th5);
                    }
                } else {
                    authorizerInstantiator.close();
                }
            }
            throw th4;
        }
    }

    private void waitForBootstrap(final DefaultAuthorizationEnforcementService defaultAuthorizationEnforcementService) throws Exception {
        Tasks.waitFor(false, new Callable<Boolean>() { // from class: co.cask.cdap.security.authorization.DefaultAuthorizationEnforcementServiceTest.1
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.util.concurrent.Callable
            public Boolean call() throws Exception {
                return Boolean.valueOf(((Map) defaultAuthorizationEnforcementService.getCache().get(AuthorizationTestBase.AUTH_CONTEXT.getPrincipal())).isEmpty());
            }
        }, 5L, TimeUnit.SECONDS);
    }

    private void verifyDisabled(CConfiguration cConfiguration) throws Exception {
        AuthorizerInstantiator authorizerInstantiator = new AuthorizerInstantiator(cConfiguration, AUTH_CONTEXT_FACTORY);
        Throwable th = null;
        try {
            DefaultAuthorizationEnforcementService defaultAuthorizationEnforcementService = new DefaultAuthorizationEnforcementService(authorizerInstantiator.get(), cConfiguration, AUTH_CONTEXT);
            defaultAuthorizationEnforcementService.startAndWait();
            try {
                DatasetId dataset = NS.dataset("ds");
                Assert.assertTrue(defaultAuthorizationEnforcementService.getCache().isEmpty());
                defaultAuthorizationEnforcementService.enforce(NS, ALICE, Action.ADMIN);
                defaultAuthorizationEnforcementService.enforce(dataset, BOB, Action.ADMIN);
                Predicate createFilter = defaultAuthorizationEnforcementService.createFilter(BOB);
                Assert.assertTrue(createFilter.apply(NS));
                Assert.assertTrue(createFilter.apply(dataset));
                defaultAuthorizationEnforcementService.stopAndWait();
                if (authorizerInstantiator != null) {
                    if (0 == 0) {
                        authorizerInstantiator.close();
                        return;
                    }
                    try {
                        authorizerInstantiator.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
            } catch (Throwable th3) {
                defaultAuthorizationEnforcementService.stopAndWait();
                throw th3;
            }
        } catch (Throwable th4) {
            if (authorizerInstantiator != null) {
                if (0 != 0) {
                    try {
                        authorizerInstantiator.close();
                    } catch (Throwable th5) {
                        th.addSuppressed(th5);
                    }
                } else {
                    authorizerInstantiator.close();
                }
            }
            throw th4;
        }
    }

    private void assertAuthorizationFailure(DefaultAuthorizationEnforcementService defaultAuthorizationEnforcementService, EntityId entityId, Principal principal, Action action) throws Exception {
        try {
            defaultAuthorizationEnforcementService.enforce(entityId, principal, action);
            Assert.fail(String.format("Expected %s to not have '%s' privilege on %s but it does.", principal, action, entityId));
        } catch (UnauthorizedException e) {
        }
    }

    private void assertAuthorizationFailure(DefaultAuthorizationEnforcementService defaultAuthorizationEnforcementService, EntityId entityId, Principal principal, Set<Action> set) throws Exception {
        try {
            defaultAuthorizationEnforcementService.enforce(entityId, principal, set);
            Assert.fail(String.format("Expected %s to not have '%s' privileges on %s but it does.", principal, set, entityId));
        } catch (UnauthorizedException e) {
        }
    }
}
