package com.datastax.driver.dse.auth;

import com.datastax.driver.core.AuthProvider;
import com.datastax.driver.core.CCMBridge;
import com.datastax.driver.core.CCMConfig;
import com.datastax.driver.core.CreateCCM;
import com.datastax.driver.core.TestUtils;
import com.datastax.driver.core.exceptions.NoHostAvailableException;
import com.datastax.driver.core.utils.DseVersion;
import com.datastax.driver.dse.CCMDseTestsSupport;
import com.datastax.driver.dse.DseCluster;
import com.google.common.collect.ImmutableMap;
import java.io.File;
import java.io.IOException;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import org.apache.commons.exec.CommandLine;
import org.apache.commons.exec.DefaultExecutor;
import org.assertj.core.api.Assertions;
import org.testng.SkipException;
import org.testng.annotations.AfterClass;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.Test;

@CreateCCM(CreateCCM.TestMode.PER_METHOD)
@DseVersion
@CCMConfig(createCluster = {false}, dirtiesContext = {true})
/* loaded from: input_file:com/datastax/driver/dse/auth/DseGSSAPIAuthProviderTest.class */
public class DseGSSAPIAuthProviderTest extends CCMDseTestsSupport {
    private static final String userPrincipal = "cassandra@DATASTAX.COM";
    private static final String unknownPrincipal = "unknown@DATASTAX.COM";
    private File userKeytab;
    private File unknownKeytab;
    private File dseKeytab;
    private File alternateKeytab;
    private EmbeddedADS adsServer = EmbeddedADS.builder().withKerberos().withRealm(realm).withAddress(address).build();
    private static final String address = TestUtils.IP_PREFIX + "1";
    private static final String realm = "DATASTAX.COM";
    private static final String servicePrincipal = "dse/" + address + "@" + realm;
    private static final String alternateServicePrincipal = "alternate/" + address + "@" + realm;

    @BeforeClass(groups = {"long"})
    public void setupKDC() throws Exception {
        if (this.adsServer.isStarted()) {
            return;
        }
        this.adsServer.start();
        this.dseKeytab = this.adsServer.addUserAndCreateKeytab("dse", "dse", servicePrincipal);
        this.alternateKeytab = this.adsServer.addUserAndCreateKeytab("alternate", "alternate", alternateServicePrincipal);
        this.userKeytab = this.adsServer.addUserAndCreateKeytab("cassandra", "cassandra", userPrincipal);
        this.unknownKeytab = this.adsServer.createKeytab("unknown", "unknown", unknownPrincipal);
    }

    @AfterClass(groups = {"long"}, alwaysRun = true)
    public void teardownKDC() throws Exception {
        this.adsServer.stop();
    }

    @Override // com.datastax.driver.dse.CCMDseTestsSupport
    public CCMBridge.Builder configureCCM() {
        return super.configureCCM().withCassandraConfiguration("authenticator", "com.datastax.bdp.cassandra.auth.KerberosAuthenticator").withDSEConfiguration("kerberos_options.keytab", this.dseKeytab.getAbsolutePath()).withDSEConfiguration("kerberos_options.service_principal", servicePrincipal).withDSEConfiguration("kerberos_options.qop", "auth").withJvmArgs(new String[]{"-Dcassandra.superuser_setup_delay_ms=0", "-Djava.security.krb5.conf=" + this.adsServer.getKrb5Conf().getAbsolutePath()});
    }

    public CCMBridge.Builder configureAlternateCCM() {
        return configureCCM().withDSEConfiguration("kerberos_options.keytab", this.alternateKeytab.getAbsolutePath()).withDSEConfiguration("kerberos_options.service_principal", alternateServicePrincipal);
    }

    @Test(groups = {"long"})
    public void should_authenticate_using_kerberos_with_keytab() throws Exception {
        connectAndQuery(keytabClient(this.userKeytab, userPrincipal));
    }

    @CCMConfig(ccmProvider = "configureAlternateCCM")
    @Test(groups = {"long"})
    public void should_authenticate_using_kerberos_with_keytab_and_alternate_service_principal_using_system_property() throws Exception {
        try {
            System.setProperty("dse.sasl.protocol", "alternate");
            connectAndQuery(keytabClient(this.userKeytab, userPrincipal));
            System.clearProperty("dse.sasl.protocol");
        } catch (Throwable th) {
            System.clearProperty("dse.sasl.protocol");
            throw th;
        }
    }

    @CCMConfig(ccmProvider = "configureAlternateCCM")
    @Test(groups = {"long"})
    public void should_authenticate_using_kerberos_with_keytab_and_alternate_service_principal() throws Exception {
        connectAndQuery((AuthProvider) new DseGSSAPIAuthProvider(keytabClient(this.userKeytab, userPrincipal), "alternate"));
    }

    @Test(groups = {"long"})
    public void should_authenticate_using_kerberos_with_ticket() throws Exception {
        String lowerCase = System.getProperty("os.name", "").toLowerCase();
        if (!(lowerCase.contains("mac") || lowerCase.contains("darwin") || lowerCase.contains("nux"))) {
            throw new SkipException("This test requires a unix-based platform with kinit & kdestroy installed.");
        }
        acquireTicket(userPrincipal, this.userKeytab);
        try {
            connectAndQuery(ticketClient(userPrincipal));
        } finally {
            destroyTicket();
        }
    }

    @Test(groups = {"long"}, expectedExceptions = {NoHostAvailableException.class})
    public void should_not_authenticate_if_no_ticket_in_cache() throws Exception {
        connectAndQuery(ticketClient(userPrincipal));
    }

    @Test(groups = {"long"}, expectedExceptions = {NoHostAvailableException.class})
    public void should_not_authenticate_if_keytab_does_not_map_to_valid_principal() throws Exception {
        connectAndQuery(keytabClient(this.unknownKeytab, unknownPrincipal));
    }

    private void connectAndQuery(Configuration configuration) {
        connectAndQuery((AuthProvider) new DseGSSAPIAuthProvider(configuration));
    }

    private void connectAndQuery(AuthProvider authProvider) {
        DseCluster build = mo1createClusterBuilder().addContactPointsWithPorts(getContactPointsWithPorts()).withAuthProvider(authProvider).build();
        try {
            Assertions.assertThat(build.connect().execute("select * from system.local").one()).isNotNull();
            build.close();
        } catch (Throwable th) {
            build.close();
            throw th;
        }
    }

    private void executeCommand(String str) throws IOException {
        ImmutableMap build = ImmutableMap.builder().put("KRB5_CONFIG", this.adsServer.getKrb5Conf().getAbsolutePath()).build();
        Assertions.assertThat(new DefaultExecutor().execute(CommandLine.parse(str), build)).isZero();
    }

    private void acquireTicket(String str, File file) throws IOException {
        executeCommand(String.format("kinit -t %s -k %s", file.getAbsolutePath(), str));
    }

    private void destroyTicket() throws IOException {
        executeCommand("kdestroy");
    }

    private Configuration ticketClient(final String str) {
        return new Configuration() { // from class: com.datastax.driver.dse.auth.DseGSSAPIAuthProviderTest.1
            public AppConfigurationEntry[] getAppConfigurationEntry(String str2) {
                return new AppConfigurationEntry[]{new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule", AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, ImmutableMap.builder().put("principal", str).put("useTicketCache", "true").put("renewTGT", "true").build())};
            }
        };
    }

    private Configuration keytabClient(final File file, final String str) {
        return new Configuration() { // from class: com.datastax.driver.dse.auth.DseGSSAPIAuthProviderTest.2
            public AppConfigurationEntry[] getAppConfigurationEntry(String str2) {
                return new AppConfigurationEntry[]{new AppConfigurationEntry("com.sun.security.auth.module.Krb5LoginModule", AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, ImmutableMap.builder().put("principal", str).put("useKeyTab", "true").put("keyTab", file.getAbsolutePath()).build())};
            }
        };
    }
}
