package co.cask.cdap.security.impersonation;

import co.cask.cdap.common.AlreadyExistsException;
import co.cask.cdap.common.conf.CConfiguration;
import co.cask.cdap.common.io.Locations;
import co.cask.cdap.common.kerberos.DefaultOwnerAdmin;
import co.cask.cdap.common.kerberos.ImpersonatedOpType;
import co.cask.cdap.common.kerberos.ImpersonationRequest;
import co.cask.cdap.common.kerberos.OwnerAdmin;
import co.cask.cdap.common.kerberos.OwnerStore;
import co.cask.cdap.common.kerberos.PrincipalCredentials;
import co.cask.cdap.common.kerberos.UGIWithPrincipal;
import co.cask.cdap.common.namespace.InMemoryNamespaceClient;
import co.cask.cdap.proto.NamespaceMeta;
import co.cask.cdap.proto.codec.EntityIdTypeAdapter;
import co.cask.cdap.proto.id.DatasetId;
import co.cask.cdap.proto.id.KerberosPrincipalId;
import co.cask.cdap.proto.id.NamespaceId;
import co.cask.cdap.proto.id.NamespacedEntityId;
import co.cask.cdap.proto.id.StreamId;
import co.cask.http.AbstractHttpHandler;
import co.cask.http.HttpResponder;
import co.cask.http.NettyHttpService;
import com.google.common.base.Preconditions;
import com.google.common.io.Files;
import com.google.gson.Gson;
import com.google.gson.GsonBuilder;
import java.io.BufferedOutputStream;
import java.io.DataOutputStream;
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import javax.annotation.Nullable;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hdfs.MiniDFSCluster;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.minikdc.MiniKdc;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.twill.discovery.Discoverable;
import org.apache.twill.discovery.InMemoryDiscoveryService;
import org.apache.twill.filesystem.FileContextLocationFactory;
import org.apache.twill.filesystem.Location;
import org.apache.twill.filesystem.LocationFactory;
import org.jboss.netty.handler.codec.http.HttpRequest;
import org.jboss.netty.handler.codec.http.HttpResponseStatus;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.ClassRule;
import org.junit.Test;
import org.junit.rules.TemporaryFolder;

/* loaded from: input_file:co/cask/cdap/security/impersonation/UGIProviderTest.class */
public class UGIProviderTest {
    private static CConfiguration cConf;
    private static MiniDFSCluster miniDFSCluster;
    private static LocationFactory locationFactory;
    private static MiniKdc miniKdc;
    private static InMemoryNamespaceClient namespaceClient;
    private static KerberosPrincipalId aliceKerberosPrincipalId;
    private static KerberosPrincipalId bobKerberosPrincipalId;
    private static KerberosPrincipalId eveKerberosPrincipalId;
    private static File localKeytabDirPath;
    private static File aliceKeytabFile;
    private static File bobKeytabFile;
    private static File eveKeytabFile;

    @ClassRule
    public static final TemporaryFolder TEMP_FOLDER = new TemporaryFolder();
    private static NamespaceId namespaceId = new NamespaceId("UGIProviderTest");
    private static StreamId aliceEntity = namespaceId.stream("dummyStream");
    private static DatasetId bobEntity = namespaceId.dataset("dummyDataset");

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:co/cask/cdap/security/impersonation/UGIProviderTest$MockOwnerStore.class */
    public static class MockOwnerStore implements OwnerStore {
        final Map<NamespacedEntityId, KerberosPrincipalId> ownerInfo;

        private MockOwnerStore() {
            this.ownerInfo = new HashMap();
        }

        public void add(NamespacedEntityId namespacedEntityId, KerberosPrincipalId kerberosPrincipalId) throws IOException, AlreadyExistsException {
            this.ownerInfo.put(namespacedEntityId, kerberosPrincipalId);
        }

        @Nullable
        public KerberosPrincipalId getOwner(NamespacedEntityId namespacedEntityId) throws IOException {
            return this.ownerInfo.get(namespacedEntityId);
        }

        public boolean exists(NamespacedEntityId namespacedEntityId) throws IOException {
            return this.ownerInfo.containsKey(namespacedEntityId);
        }

        public void delete(NamespacedEntityId namespacedEntityId) throws IOException {
            this.ownerInfo.remove(namespacedEntityId);
        }
    }

    /* loaded from: input_file:co/cask/cdap/security/impersonation/UGIProviderTest$UGIProviderTestHandler.class */
    public static final class UGIProviderTestHandler extends AbstractHttpHandler {
        private static final Gson GSON = new GsonBuilder().registerTypeAdapter(NamespacedEntityId.class, new EntityIdTypeAdapter()).create();

        @POST
        @Path("/v1/impersonation/credentials")
        public void getCredentials(HttpRequest httpRequest, HttpResponder httpResponder) throws IOException {
            ImpersonationRequest impersonationRequest = (ImpersonationRequest) GSON.fromJson(httpRequest.getContent().toString(StandardCharsets.UTF_8), ImpersonationRequest.class);
            Credentials credentials = new Credentials();
            credentials.addToken(new Text("entity"), new Token(impersonationRequest.getEntityId().toString().getBytes(StandardCharsets.UTF_8), impersonationRequest.getEntityId().toString().getBytes(StandardCharsets.UTF_8), new Text("entity"), new Text("service")));
            credentials.addToken(new Text("opType"), new Token(impersonationRequest.getImpersonatedOpType().toString().getBytes(StandardCharsets.UTF_8), impersonationRequest.getImpersonatedOpType().toString().getBytes(StandardCharsets.UTF_8), new Text("opType"), new Text("service")));
            Location create = UGIProviderTest.locationFactory.create("credentials");
            if (!create.exists()) {
                Preconditions.checkState(create.mkdirs());
            }
            Location tempFile = create.append("tmp").getTempFile(".credentials");
            DataOutputStream dataOutputStream = new DataOutputStream(new BufferedOutputStream(tempFile.getOutputStream()));
            Throwable th = null;
            try {
                try {
                    credentials.writeTokenStorageToStream(dataOutputStream);
                    if (dataOutputStream != null) {
                        if (0 != 0) {
                            try {
                                dataOutputStream.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            dataOutputStream.close();
                        }
                    }
                    httpResponder.sendJson(HttpResponseStatus.OK, new PrincipalCredentials(UGIProviderTest.aliceKerberosPrincipalId.getPrincipal(), tempFile.toURI().toString()));
                } finally {
                }
            } catch (Throwable th3) {
                if (dataOutputStream != null) {
                    if (th != null) {
                        try {
                            dataOutputStream.close();
                        } catch (Throwable th4) {
                            th.addSuppressed(th4);
                        }
                    } else {
                        dataOutputStream.close();
                    }
                }
                throw th3;
            }
        }
    }

    private static File createPrincipal(File file, String str) throws Exception {
        File file2 = new File(file, str + ".keytab");
        Assert.assertTrue(file2.createNewFile());
        miniKdc.createPrincipal(file2, new String[]{str});
        return file2;
    }

    @BeforeClass
    public static void init() throws Exception {
        cConf = CConfiguration.create();
        cConf.set("local.data.dir", TEMP_FOLDER.newFolder().getAbsolutePath());
        namespaceClient = new InMemoryNamespaceClient();
        miniKdc = new MiniKdc(MiniKdc.createConf(), TEMP_FOLDER.newFolder());
        miniKdc.start();
        System.setProperty("java.security.krb5.conf", miniKdc.getKrb5conf().getAbsolutePath());
        localKeytabDirPath = TEMP_FOLDER.newFolder();
        aliceKeytabFile = createPrincipal(localKeytabDirPath, "alice");
        bobKeytabFile = createPrincipal(localKeytabDirPath, "bob");
        eveKeytabFile = createPrincipal(localKeytabDirPath, "eve");
        aliceKerberosPrincipalId = new KerberosPrincipalId(getPrincipal("alice"));
        bobKerberosPrincipalId = new KerberosPrincipalId(getPrincipal("bob"));
        eveKerberosPrincipalId = new KerberosPrincipalId(getPrincipal("eve"));
        Configuration configuration = new Configuration();
        configuration.set("hdfs.minidfs.basedir", TEMP_FOLDER.newFolder().getAbsolutePath());
        configuration.setBoolean("ipc.client.fallback-to-simple-auth-allowed", true);
        miniDFSCluster = new MiniDFSCluster.Builder(configuration).numDataNodes(1).build();
        miniDFSCluster.waitClusterUp();
        locationFactory = new FileContextLocationFactory(miniDFSCluster.getFileSystem().getConf());
        Configuration configuration2 = new Configuration();
        configuration2.set("hadoop.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(configuration2);
    }

    @AfterClass
    public static void finish() {
        if (miniDFSCluster != null) {
            miniDFSCluster.shutdown();
        }
        if (miniKdc != null) {
            miniKdc.stop();
        }
    }

    @Test
    public void testDefaultUGIProviderWithLocalFiles() throws Exception {
        System.setProperty("sun.security.krb5.debug", "true");
        setKeytabDir(localKeytabDirPath.getAbsolutePath());
        OwnerAdmin ownerAdmin = getOwnerAdmin();
        DefaultUGIProvider defaultUGIProvider = new DefaultUGIProvider(cConf, locationFactory, ownerAdmin, namespaceClient);
        namespaceClient.create(new NamespaceMeta.Builder().setName(namespaceId).setPrincipal(eveKerberosPrincipalId.getPrincipal()).setKeytabURI(eveKeytabFile.getAbsolutePath()).build());
        ownerAdmin.add(aliceEntity, aliceKerberosPrincipalId);
        ownerAdmin.add(bobEntity, bobKerberosPrincipalId);
        ImpersonationRequest impersonationRequest = new ImpersonationRequest(aliceEntity, ImpersonatedOpType.OTHER);
        ImpersonationRequest impersonationRequest2 = new ImpersonationRequest(bobEntity, ImpersonatedOpType.OTHER);
        UGIWithPrincipal verifyAndGetUGI = verifyAndGetUGI(defaultUGIProvider, aliceKerberosPrincipalId, impersonationRequest);
        UGIWithPrincipal verifyAndGetUGI2 = verifyAndGetUGI(defaultUGIProvider, bobKerberosPrincipalId, impersonationRequest2);
        Assert.assertTrue(bobKeytabFile.delete());
        verifyCaching(defaultUGIProvider, impersonationRequest, impersonationRequest2, verifyAndGetUGI, verifyAndGetUGI2);
        ownerAdmin.delete(bobEntity);
        UGIWithPrincipal configuredUGI = defaultUGIProvider.getConfiguredUGI(impersonationRequest2);
        Assert.assertEquals(UserGroupInformation.AuthenticationMethod.KERBEROS, configuredUGI.getUGI().getAuthenticationMethod());
        Assert.assertTrue(configuredUGI.getUGI().hasKerberosCredentials());
        Assert.assertEquals(eveKerberosPrincipalId.getPrincipal(), configuredUGI.getPrincipal());
        ownerAdmin.delete(aliceEntity);
        ownerAdmin.delete(bobEntity);
        namespaceClient.delete(namespaceId);
    }

    @Test
    public void testDefaultUGIProviderWithHDFSFiles() throws Exception {
        Location create = locationFactory.create("keytabs");
        setKeytabDir(create.toURI().toString());
        copyFileToHDFS(create, aliceKeytabFile);
        Location copyFileToHDFS = copyFileToHDFS(create, bobKeytabFile);
        OwnerAdmin ownerAdmin = getOwnerAdmin();
        DefaultUGIProvider defaultUGIProvider = new DefaultUGIProvider(cConf, locationFactory, ownerAdmin, namespaceClient);
        ownerAdmin.add(aliceEntity, aliceKerberosPrincipalId);
        ownerAdmin.add(bobEntity, bobKerberosPrincipalId);
        ImpersonationRequest impersonationRequest = new ImpersonationRequest(aliceEntity, ImpersonatedOpType.OTHER);
        ImpersonationRequest impersonationRequest2 = new ImpersonationRequest(bobEntity, ImpersonatedOpType.OTHER);
        UGIWithPrincipal verifyAndGetUGI = verifyAndGetUGI(defaultUGIProvider, aliceKerberosPrincipalId, impersonationRequest);
        UGIWithPrincipal verifyAndGetUGI2 = verifyAndGetUGI(defaultUGIProvider, bobKerberosPrincipalId, impersonationRequest2);
        Assert.assertTrue(copyFileToHDFS.delete());
        verifyCaching(defaultUGIProvider, impersonationRequest, impersonationRequest2, verifyAndGetUGI, verifyAndGetUGI2);
        ownerAdmin.delete(aliceEntity);
        ownerAdmin.delete(bobEntity);
    }

    @Test
    public void testRemoteUGIProvider() throws Exception {
        NettyHttpService build = NettyHttpService.builder("remoteUGITest").addHttpHandlers(Collections.singleton(new UGIProviderTestHandler())).build();
        build.startAndWait();
        setKeytabDir(localKeytabDirPath.getAbsolutePath());
        OwnerAdmin ownerAdmin = getOwnerAdmin();
        ownerAdmin.add(aliceEntity, aliceKerberosPrincipalId);
        try {
            InMemoryDiscoveryService inMemoryDiscoveryService = new InMemoryDiscoveryService();
            inMemoryDiscoveryService.register(new Discoverable("appfabric", build.getBindAddress()));
            RemoteUGIProvider remoteUGIProvider = new RemoteUGIProvider(cConf, inMemoryDiscoveryService, locationFactory, ownerAdmin, namespaceClient);
            ImpersonationRequest impersonationRequest = new ImpersonationRequest(aliceEntity, ImpersonatedOpType.OTHER);
            UGIWithPrincipal configuredUGI = remoteUGIProvider.getConfiguredUGI(impersonationRequest);
            Assert.assertFalse(configuredUGI.getUGI().hasKerberosCredentials());
            Token token = configuredUGI.getUGI().getCredentials().getToken(new Text("entity"));
            Assert.assertArrayEquals(aliceEntity.toString().getBytes(StandardCharsets.UTF_8), token.getIdentifier());
            Assert.assertArrayEquals(aliceEntity.toString().getBytes(StandardCharsets.UTF_8), token.getPassword());
            Assert.assertEquals(new Text("entity"), token.getKind());
            Assert.assertEquals(new Text("service"), token.getService());
            Token token2 = configuredUGI.getUGI().getCredentials().getToken(new Text("opType"));
            Assert.assertArrayEquals(impersonationRequest.getImpersonatedOpType().toString().getBytes(StandardCharsets.UTF_8), token2.getIdentifier());
            Assert.assertArrayEquals(impersonationRequest.getImpersonatedOpType().toString().getBytes(StandardCharsets.UTF_8), token2.getPassword());
            Assert.assertEquals(new Text("opType"), token2.getKind());
            Assert.assertEquals(new Text("service"), token2.getService());
            Assert.assertSame(configuredUGI, remoteUGIProvider.getConfiguredUGI(impersonationRequest));
            remoteUGIProvider.invalidCache();
            Assert.assertNotSame(configuredUGI, remoteUGIProvider.getConfiguredUGI(impersonationRequest));
            build.stopAndWait();
            ownerAdmin.delete(aliceEntity);
        } catch (Throwable th) {
            build.stopAndWait();
            throw th;
        }
    }

    private void verifyCaching(DefaultUGIProvider defaultUGIProvider, ImpersonationRequest impersonationRequest, ImpersonationRequest impersonationRequest2, UGIWithPrincipal uGIWithPrincipal, UGIWithPrincipal uGIWithPrincipal2) throws IOException {
        Assert.assertSame(uGIWithPrincipal2, defaultUGIProvider.getConfiguredUGI(impersonationRequest2));
        defaultUGIProvider.invalidCache();
        Assert.assertNotSame(uGIWithPrincipal, defaultUGIProvider.getConfiguredUGI(impersonationRequest));
        try {
            defaultUGIProvider.getConfiguredUGI(impersonationRequest2);
            Assert.fail("Expected IOException when getting UGI for " + impersonationRequest2);
        } catch (IOException e) {
        }
    }

    private Location copyFileToHDFS(Location location, File file) throws IOException {
        Location append = location.append(file.getName());
        Assert.assertTrue(append.createNew());
        Files.copy(file, Locations.newOutputSupplier(append));
        return append;
    }

    private UGIWithPrincipal verifyAndGetUGI(UGIProvider uGIProvider, KerberosPrincipalId kerberosPrincipalId, ImpersonationRequest impersonationRequest) throws IOException {
        UGIWithPrincipal configuredUGI = uGIProvider.getConfiguredUGI(impersonationRequest);
        Assert.assertEquals(UserGroupInformation.AuthenticationMethod.KERBEROS, configuredUGI.getUGI().getAuthenticationMethod());
        Assert.assertEquals(kerberosPrincipalId.getPrincipal(), configuredUGI.getPrincipal());
        Assert.assertTrue(configuredUGI.getUGI().hasKerberosCredentials());
        Assert.assertSame(configuredUGI.getUGI(), uGIProvider.getConfiguredUGI(impersonationRequest).getUGI());
        return configuredUGI;
    }

    private OwnerAdmin getOwnerAdmin() {
        return new DefaultOwnerAdmin(cConf, new MockOwnerStore(), namespaceClient);
    }

    private void setKeytabDir(String str) {
        cConf.set("security.keytab.path", str + "/${name}.keytab");
    }

    private static String getPrincipal(String str) {
        return String.format("%s@%s", str, miniKdc.getRealm());
    }
}
