package co.cask.cdap.security.authorization;

import co.cask.cdap.common.conf.CConfiguration;
import co.cask.cdap.common.test.AppJarHelper;
import co.cask.cdap.proto.id.ApplicationId;
import co.cask.cdap.proto.id.DatasetId;
import co.cask.cdap.proto.id.EntityId;
import co.cask.cdap.proto.id.NamespaceId;
import co.cask.cdap.proto.security.Action;
import co.cask.cdap.proto.security.Principal;
import co.cask.cdap.security.spi.authorization.AuthorizationEnforcer;
import co.cask.cdap.security.spi.authorization.Authorizer;
import co.cask.cdap.security.spi.authorization.UnauthorizedException;
import com.google.common.collect.ImmutableSet;
import java.io.File;
import java.io.IOException;
import java.util.Collections;
import java.util.EnumSet;
import java.util.Set;
import java.util.jar.Attributes;
import java.util.jar.Manifest;
import org.apache.hadoop.security.UserGroupInformation;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Test;

/* Decompiled from: input_file:co/cask/cdap/security/authorization/DefaultAuthorizationEnforcerTest.class */
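/**
 * Tests for {@code DefaultAuthorizationEnforcer}, backed by the {@code InMemoryAuthorizer} extension
 * that {@link #setupClass()} packages into a jar and registers via
 * {@code security.authorization.extension.jar.path}.
 *
 * <p>Security-relevant behaviours pinned here:
 * <ul>
 *   <li>Turning off either {@code security.enabled} or {@code security.authorization.enabled} makes the
 *       enforcer allow <em>every</em> action for <em>every</em> principal, with no grants at all
 *       (see {@link #verifyDisabled}). Either flag alone is a full bypass.</li>
 *   <li>A privilege granted on a parent entity does not authorize actions on a child entity in the
 *       configuration used by {@link #testPropagationDisabled()}.</li>
 *   <li>Revoking all privileges on a namespace ({@code revoke(NS)}) does not touch privileges granted
 *       directly on a dataset inside it ({@link #testAuthEnforce()}).</li>
 *   <li>The process user is allowed everything on {@code NamespaceId.SYSTEM} without an explicit grant,
 *       but that implicit privilege does not make other namespaces visible ({@link #testSystemUser()}).</li>
 * </ul>
 *
 * <p>This listing was recovered by a decompiler; the try/finally noise it produced for
 * try-with-resources has been rewritten back into try-with-resources.
 */
public class DefaultAuthorizationEnforcerTest extends AuthorizationTestBase {
    private static final Principal ALICE = new Principal("alice", Principal.PrincipalType.USER);
    private static final Principal BOB = new Principal("bob", Principal.PrincipalType.USER);
    private static final NamespaceId NS = new NamespaceId("ns");
    private static final ApplicationId APP = NS.app("app");

    /**
     * Builds a deployment jar whose manifest main class is {@code InMemoryAuthorizer} and points the
     * shared {@code CCONF} at it, so every enforcer created in this class loads that authorizer.
     *
     * @throws IOException if the jar cannot be written
     */
    @BeforeClass
    public static void setupClass() throws IOException {
        Manifest manifest = new Manifest();
        manifest.getMainAttributes().put(Attributes.Name.MAIN_CLASS, InMemoryAuthorizer.class.getName());
        CCONF.set("security.authorization.extension.jar.path",
                  AppJarHelper.createDeploymentJar(locationFactory, InMemoryAuthorizer.class, manifest,
                                                   new File[0]).toString());
    }

    /** With {@code security.enabled=false} every enforce/isVisible call succeeds regardless of grants. */
    @Test
    public void testAuthenticationDisabled() throws Exception {
        CConfiguration copy = CConfiguration.copy(CCONF);
        copy.setBoolean("security.enabled", false);
        verifyDisabled(copy);
    }

    /** With {@code security.authorization.enabled=false} every enforce/isVisible call succeeds regardless of grants. */
    @Test
    public void testAuthorizationDisabled() throws Exception {
        CConfiguration copy = CConfiguration.copy(CCONF);
        copy.setBoolean("security.authorization.enabled", false);
        verifyDisabled(copy);
    }

    /**
     * ADMIN granted on a namespace must not satisfy an ADMIN check on an application inside it.
     *
     * <p>NOTE(review): the original test does not set any propagation-related property on the copied
     * configuration; whatever makes propagation "disabled" here must come from {@code CCONF} in
     * {@code AuthorizationTestBase} or from the enforcer's default. Confirm before relying on this test
     * as coverage for an explicit propagation switch.
     */
    @Test
    public void testPropagationDisabled() throws Exception {
        CConfiguration copy = CConfiguration.copy(CCONF);
        try (AuthorizerInstantiator instantiator = new AuthorizerInstantiator(copy, AUTH_CONTEXT_FACTORY)) {
            DefaultAuthorizationEnforcer enforcer = new DefaultAuthorizationEnforcer(copy, instantiator);
            instantiator.get().grant(NS, ALICE, ImmutableSet.of(Action.ADMIN));
            // direct grant on the namespace is honored...
            enforcer.enforce(NS, ALICE, Action.ADMIN);
            // ...but must not leak down to the child application
            assertAuthorizationFailure(enforcer, APP, ALICE, Action.ADMIN);
        }
    }

    /**
     * End-to-end grant / enforce / revoke cycle against the in-memory authorizer:
     * no grant → denied; exact grant → allowed; superset of grant → denied; grant on one entity does not
     * apply to another; partial revoke removes only the revoked action; revoking everything on the
     * namespace leaves a direct dataset grant intact.
     */
    @Test
    public void testAuthEnforce() throws Exception {
        try (AuthorizerInstantiator instantiator = new AuthorizerInstantiator(CCONF, AUTH_CONTEXT_FACTORY)) {
            Authorizer authorizer = instantiator.get();
            DefaultAuthorizationEnforcer enforcer = new DefaultAuthorizationEnforcer(CCONF, instantiator);

            // nothing granted yet
            assertAuthorizationFailure(enforcer, NS, ALICE, Action.ADMIN);

            DatasetId dataset = NS.dataset("ds");
            authorizer.grant(NS, ALICE, ImmutableSet.of(Action.READ, Action.WRITE));
            authorizer.grant(dataset, BOB, ImmutableSet.of(Action.ADMIN));

            // exactly the granted set passes; asking for more than was granted (all actions) fails
            enforcer.enforce(NS, ALICE, ImmutableSet.of(Action.READ, Action.WRITE));
            assertAuthorizationFailure(enforcer, NS, ALICE, EnumSet.allOf(Action.class));

            // Alice's namespace grant does not apply to the dataset, nor does it include ADMIN
            assertAuthorizationFailure(enforcer, dataset, ALICE, Action.READ);
            assertAuthorizationFailure(enforcer, dataset, ALICE, Action.WRITE);
            assertAuthorizationFailure(enforcer, NS, ALICE, Action.ADMIN);
            enforcer.enforce(dataset, BOB, Action.ADMIN);

            // partial revoke: READ goes away, WRITE (checked again below via revoke(NS)) is unaffected here
            authorizer.revoke(NS, ALICE, ImmutableSet.of(Action.READ));
            assertAuthorizationFailure(enforcer, NS, ALICE, Action.READ);

            // revoke everything on the namespace; Bob's direct grant on the dataset survives
            authorizer.revoke(NS);
            assertAuthorizationFailure(enforcer, NS, ALICE, Action.READ);
            assertAuthorizationFailure(enforcer, NS, ALICE, Action.WRITE);
            enforcer.enforce(dataset, BOB, Action.ADMIN);
        }
    }

    /**
     * {@code isVisible} filters a set of entities down to those on which the principal holds
     * any privilege (the namespaces are visible to both users here; datasets only to whoever was
     * granted something on them directly).
     */
    @Test
    public void testIsVisible() throws Exception {
        try (AuthorizerInstantiator instantiator = new AuthorizerInstantiator(CCONF, AUTH_CONTEXT_FACTORY)) {
            Authorizer authorizer = instantiator.get();

            NamespaceId ns1 = new NamespaceId("ns1");
            NamespaceId ns2 = new NamespaceId("ns2");
            DatasetId ds11 = ns1.dataset("ds11");
            DatasetId ds12 = ns1.dataset("ds12");
            DatasetId ds21 = ns2.dataset("ds21");
            DatasetId ds22 = ns2.dataset("ds22");
            DatasetId ds33 = ns2.dataset("ds33");

            Set<NamespaceId> namespaces = ImmutableSet.of(ns1, ns2);

            authorizer.grant(ns1, ALICE, Collections.singleton(Action.WRITE));
            authorizer.grant(ns2, ALICE, Collections.singleton(Action.ADMIN));
            authorizer.grant(ds11, ALICE, Collections.singleton(Action.READ));
            authorizer.grant(ds11, BOB, Collections.singleton(Action.ADMIN));
            authorizer.grant(ds21, ALICE, Collections.singleton(Action.WRITE));
            authorizer.grant(ds12, BOB, Collections.singleton(Action.WRITE));
            // second grant widens Bob's ds12 privileges to every action
            authorizer.grant(ds12, BOB, EnumSet.allOf(Action.class));
            authorizer.grant(ds33, ALICE, Collections.singleton(Action.ADMIN));
            authorizer.grant(ds22, BOB, Collections.singleton(Action.ADMIN));

            DefaultAuthorizationEnforcer enforcer = new DefaultAuthorizationEnforcer(CCONF, instantiator);

            // NOTE(review): the original asserts both users see both namespaces even though Bob holds no
            // namespace-level grant; presumably a dataset grant makes the enclosing namespace visible —
            // confirm against DefaultAuthorizationEnforcer.isVisible.
            Assert.assertEquals(namespaces.size(), enforcer.isVisible(namespaces, ALICE).size());
            Assert.assertEquals(namespaces.size(), enforcer.isVisible(namespaces, BOB).size());

            Set<DatasetId> aliceDatasets = ImmutableSet.of(ds11, ds21, ds33);
            Assert.assertEquals(aliceDatasets.size(), enforcer.isVisible(aliceDatasets, ALICE).size());
            Assert.assertEquals(Collections.emptySet(), enforcer.isVisible(ImmutableSet.of(ds12, ds22), ALICE));

            Set<DatasetId> bobDatasets = ImmutableSet.of(ds11, ds12, ds22);
            Assert.assertEquals(bobDatasets.size(), enforcer.isVisible(bobDatasets, BOB).size());
            Assert.assertTrue(enforcer.isVisible(ImmutableSet.of(ds21, ds33), BOB).isEmpty());
        }
    }

    /**
     * The user the JVM runs as is allowed every action on {@code NamespaceId.SYSTEM} without any grant,
     * but that implicit privilege is scoped: a user namespace is still not visible to it.
     */
    @Test
    public void testSystemUser() throws Exception {
        CConfiguration copy = CConfiguration.copy(CCONF);
        Principal processUser = new Principal(UserGroupInformation.getCurrentUser().getShortUserName(),
                                              Principal.PrincipalType.USER);
        try (AuthorizerInstantiator instantiator = new AuthorizerInstantiator(copy, AUTH_CONTEXT_FACTORY)) {
            // result unused in the original; kept so the authorizer is instantiated before the enforcer runs
            instantiator.get();
            DefaultAuthorizationEnforcer enforcer = new DefaultAuthorizationEnforcer(copy, instantiator);
            NamespaceId userNamespace = new NamespaceId("ns1");

            enforcer.enforce(NamespaceId.SYSTEM, processUser, EnumSet.allOf(Action.class));
            Assert.assertEquals(ImmutableSet.of(NamespaceId.SYSTEM),
                                enforcer.isVisible(ImmutableSet.of(userNamespace, NamespaceId.SYSTEM), processUser));
        }
    }

    /**
     * Asserts that with the given (security- or authorization-disabled) configuration the enforcer is a
     * no-op: Alice, who has no grants at all, passes an ADMIN check, and every entity is visible.
     *
     * @param cConfiguration configuration with security or authorization switched off
     */
    private void verifyDisabled(CConfiguration cConfiguration) throws Exception {
        try (AuthorizerInstantiator instantiator = new AuthorizerInstantiator(cConfiguration, AUTH_CONTEXT_FACTORY)) {
            DefaultAuthorizationEnforcer enforcer = new DefaultAuthorizationEnforcer(cConfiguration, instantiator);
            DatasetId dataset = NS.dataset("ds");
            instantiator.get().grant(dataset, BOB, ImmutableSet.of(Action.ADMIN));

            // Alice has no grant anywhere: this only passes because enforcement is bypassed entirely
            enforcer.enforce(NS, ALICE, Action.ADMIN);
            enforcer.enforce(dataset, BOB, Action.ADMIN);
            Assert.assertEquals(2L, enforcer.isVisible(ImmutableSet.of(NS, dataset), BOB).size());
        }
    }

    /**
     * Fails the test unless {@code enforce} throws {@link UnauthorizedException} for the single action.
     */
    private void assertAuthorizationFailure(AuthorizationEnforcer authorizationEnforcer, EntityId entityId,
                                            Principal principal, Action action) throws Exception {
        try {
            authorizationEnforcer.enforce(entityId, principal, action);
            Assert.fail(String.format("Expected %s to not have '%s' privilege on %s but it does.",
                                      principal, action, entityId));
        } catch (UnauthorizedException expected) {
            // denial is the outcome under test
        }
    }

    /**
     * Fails the test unless {@code enforce} throws {@link UnauthorizedException} for the action set.
     */
    private void assertAuthorizationFailure(AuthorizationEnforcer authorizationEnforcer, EntityId entityId,
                                            Principal principal, Set<Action> set) throws Exception {
        try {
            authorizationEnforcer.enforce(entityId, principal, set);
            Assert.fail(String.format("Expected %s to not have '%s' privileges on %s but it does.",
                                      principal, set, entityId));
        } catch (UnauthorizedException expected) {
            // denial is the outcome under test
        }
    }
}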
