package org.apache.accumulo.test.functional;

import com.google.common.base.Throwables;
import com.google.common.collect.Iterables;
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.net.ConnectException;
import java.net.InetAddress;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.PrivilegedExceptionAction;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import javax.security.auth.callback.CallbackHandler;
import org.apache.accumulo.cluster.ClusterUser;
import org.apache.accumulo.core.client.Connector;
import org.apache.accumulo.core.client.ZooKeeperInstance;
import org.apache.accumulo.core.client.security.tokens.KerberosToken;
import org.apache.accumulo.core.client.security.tokens.PasswordToken;
import org.apache.accumulo.core.conf.Property;
import org.apache.accumulo.core.rpc.UGIAssumingTransport;
import org.apache.accumulo.core.security.Authorizations;
import org.apache.accumulo.core.security.TablePermission;
import org.apache.accumulo.harness.AccumuloITBase;
import org.apache.accumulo.harness.MiniClusterConfigurationCallback;
import org.apache.accumulo.harness.MiniClusterHarness;
import org.apache.accumulo.harness.TestingKdc;
import org.apache.accumulo.minicluster.impl.MiniAccumuloClusterImpl;
import org.apache.accumulo.minicluster.impl.MiniAccumuloConfigImpl;
import org.apache.accumulo.proxy.Proxy;
import org.apache.accumulo.proxy.thrift.AccumuloProxy;
import org.apache.accumulo.proxy.thrift.AccumuloSecurityException;
import org.apache.accumulo.proxy.thrift.ColumnUpdate;
import org.apache.accumulo.proxy.thrift.Key;
import org.apache.accumulo.proxy.thrift.KeyValue;
import org.apache.accumulo.proxy.thrift.ScanOptions;
import org.apache.accumulo.proxy.thrift.ScanResult;
import org.apache.accumulo.proxy.thrift.TimeType;
import org.apache.accumulo.proxy.thrift.WriterOptions;
import org.apache.accumulo.server.util.PortUtils;
import org.apache.accumulo.test.categories.MiniClusterOnlyTests;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.thrift.protocol.TCompactProtocol;
import org.apache.thrift.transport.TSaslClientTransport;
import org.apache.thrift.transport.TSocket;
import org.apache.thrift.transport.TTransportException;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.junit.experimental.categories.Category;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Category({MiniClusterOnlyTests.class})
/* loaded from: input_file:org/apache/accumulo/test/functional/KerberosProxyIT.class */
public class KerberosProxyIT extends AccumuloITBase {
    private static final String PROXIED_USER1 = "proxied_user1";
    private static final String PROXIED_USER2 = "proxied_user2";
    private static final String PROXIED_USER3 = "proxied_user3";
    private static TestingKdc kdc;
    private static File proxyKeytab;
    private static String hostname;
    private static String proxyPrimary;
    private static String proxyPrincipal;
    private MiniAccumuloClusterImpl mac;
    private Process proxyProcess;
    private int proxyPort;
    private static final Logger log = LoggerFactory.getLogger(KerberosProxyIT.class);
    private static String krbEnabledForITs = null;

    @Override // org.apache.accumulo.harness.AccumuloITBase
    protected int defaultTimeoutSeconds() {
        return 300;
    }

    @BeforeClass
    public static void startKdc() throws Exception {
        kdc = new TestingKdc();
        kdc.start();
        krbEnabledForITs = System.getProperty(MiniClusterHarness.USE_KERBEROS_FOR_IT_OPTION);
        if (null == krbEnabledForITs || !Boolean.parseBoolean(krbEnabledForITs)) {
            System.setProperty(MiniClusterHarness.USE_KERBEROS_FOR_IT_OPTION, "true");
        }
        proxyKeytab = new File(kdc.getKeytabDir(), "proxy.keytab");
        hostname = InetAddress.getLocalHost().getCanonicalHostName();
        proxyPrimary = "proxy";
        proxyPrincipal = proxyPrimary + "/" + hostname;
        kdc.createPrincipal(proxyKeytab, proxyPrincipal);
        proxyPrincipal = kdc.qualifyUser(proxyPrincipal);
    }

    @AfterClass
    public static void stopKdc() throws Exception {
        if (null != kdc) {
            kdc.stop();
        }
        if (null != krbEnabledForITs) {
            System.setProperty(MiniClusterHarness.USE_KERBEROS_FOR_IT_OPTION, krbEnabledForITs);
        }
        UserGroupInformation.setConfiguration(new Configuration(false));
    }

    @Before
    public void startMac() throws Exception {
        this.mac = new MiniClusterHarness().create(getClass().getName(), this.testName.getMethodName(), new PasswordToken("unused"), new MiniClusterConfigurationCallback() { // from class: org.apache.accumulo.test.functional.KerberosProxyIT.1
            @Override // org.apache.accumulo.harness.MiniClusterConfigurationCallback
            public void configureMiniCluster(MiniAccumuloConfigImpl miniAccumuloConfigImpl, Configuration configuration) {
                miniAccumuloConfigImpl.setNumTservers(1);
                Map siteConfig = miniAccumuloConfigImpl.getSiteConfig();
                siteConfig.put(Property.INSTANCE_RPC_SASL_ALLOWED_USER_IMPERSONATION.getKey(), KerberosProxyIT.proxyPrincipal + ":" + KerberosProxyIT.kdc.getRootUser().getPrincipal() + "," + KerberosProxyIT.kdc.qualifyUser(KerberosProxyIT.PROXIED_USER1) + "," + KerberosProxyIT.kdc.qualifyUser(KerberosProxyIT.PROXIED_USER2));
                siteConfig.put(Property.INSTANCE_RPC_SASL_ALLOWED_HOST_IMPERSONATION.getKey(), "*");
                miniAccumuloConfigImpl.setSiteConfig(siteConfig);
            }
        }, kdc);
        this.mac.start();
        MiniAccumuloConfigImpl config = this.mac.getConfig();
        this.proxyProcess = startProxy(config);
        Configuration configuration = new Configuration(false);
        configuration.set("hadoop.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(configuration);
        boolean z = false;
        ClusterUser rootUser = kdc.getRootUser();
        while (!z) {
            try {
                UserGroupInformation loginUserFromKeytabAndReturnUGI = UserGroupInformation.loginUserFromKeytabAndReturnUGI(rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath());
                TSocket tSocket = new TSocket(hostname, this.proxyPort);
                log.info("Connecting to proxy with server primary '" + proxyPrimary + "' running on " + hostname);
                try {
                    UGIAssumingTransport uGIAssumingTransport = new UGIAssumingTransport(new TSaslClientTransport("GSSAPI", (String) null, proxyPrimary, hostname, Collections.singletonMap("javax.security.sasl.qop", "auth"), (CallbackHandler) null, tSocket), loginUserFromKeytabAndReturnUGI);
                    try {
                        uGIAssumingTransport.open();
                        z = true;
                        uGIAssumingTransport.close();
                    } catch (Throwable th) {
                        try {
                            uGIAssumingTransport.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                        throw th;
                        break;
                    }
                } catch (TTransportException e) {
                    Throwable cause = e.getCause();
                    if (null != cause && (cause instanceof ConnectException)) {
                        log.info("Proxy not yet up, waiting");
                        Thread.sleep(3000L);
                        this.proxyProcess = checkProxyAndRestart(this.proxyProcess, config);
                    }
                }
            } catch (IOException e2) {
                log.info("Login as root is failing", e2);
                Thread.sleep(3000L);
            }
        }
        Assert.assertTrue("Failed to connect to the proxy repeatedly", z);
    }

    private Process startProxy(MiniAccumuloConfigImpl miniAccumuloConfigImpl) throws IOException {
        return this.mac.exec(Proxy.class, new String[]{"-p", generateNewProxyConfiguration(miniAccumuloConfigImpl).getCanonicalPath()});
    }

    private File generateNewProxyConfiguration(MiniAccumuloConfigImpl miniAccumuloConfigImpl) throws IOException {
        this.proxyPort = PortUtils.getRandomFreePort();
        File file = new File(miniAccumuloConfigImpl.getConfDir(), "proxy.properties");
        if (file.exists()) {
            Assert.assertTrue("Failed to delete proxy.properties file", file.delete());
        }
        Properties properties = new Properties();
        properties.setProperty("useMockInstance", "false");
        properties.setProperty("useMiniAccumulo", "false");
        properties.setProperty("protocolFactory", TCompactProtocol.Factory.class.getName());
        properties.setProperty("tokenClass", KerberosToken.class.getName());
        properties.setProperty("port", Integer.toString(this.proxyPort));
        properties.setProperty("maxFrameSize", "16M");
        properties.setProperty("instance", this.mac.getInstanceName());
        properties.setProperty("zookeepers", this.mac.getZooKeepers());
        properties.setProperty("thriftServerType", "sasl");
        properties.setProperty("kerberosPrincipal", proxyPrincipal);
        properties.setProperty("kerberosKeytab", proxyKeytab.getCanonicalPath());
        FileWriter fileWriter = new FileWriter(file);
        properties.store(fileWriter, "Configuration for Accumulo proxy");
        fileWriter.close();
        log.info("Created configuration for proxy listening on {}", Integer.valueOf(this.proxyPort));
        return file;
    }

    private Process checkProxyAndRestart(Process process, MiniAccumuloConfigImpl miniAccumuloConfigImpl) throws IOException {
        try {
            process.exitValue();
            log.info("Restarting proxy because it is no longer alive");
            return startProxy(miniAccumuloConfigImpl);
        } catch (IllegalThreadStateException e) {
            log.info("Proxy is still running");
            return process;
        }
    }

    @After
    public void stopMac() throws Exception {
        if (null != this.proxyProcess) {
            log.info("Destroying proxy process");
            this.proxyProcess.destroy();
            log.info("Waiting for proxy termination");
            this.proxyProcess.waitFor();
            log.info("Proxy terminated");
        }
        if (null != this.mac) {
            this.mac.stop();
        }
    }

    @Test
    public void testProxyClient() throws Exception {
        ClusterUser rootUser = kdc.getRootUser();
        UserGroupInformation loginUserFromKeytabAndReturnUGI = UserGroupInformation.loginUserFromKeytabAndReturnUGI(rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath());
        TSocket tSocket = new TSocket(hostname, this.proxyPort);
        log.info("Connecting to proxy with server primary '" + proxyPrimary + "' running on " + hostname);
        UGIAssumingTransport uGIAssumingTransport = new UGIAssumingTransport(new TSaslClientTransport("GSSAPI", (String) null, proxyPrimary, hostname, Collections.singletonMap("javax.security.sasl.qop", "auth"), (CallbackHandler) null, tSocket), loginUserFromKeytabAndReturnUGI);
        uGIAssumingTransport.open();
        AccumuloProxy.Client client = new AccumuloProxy.Client.Factory().getClient(new TCompactProtocol(uGIAssumingTransport), new TCompactProtocol(uGIAssumingTransport));
        ByteBuffer login = client.login(rootUser.getPrincipal(), Collections.emptyMap());
        if (!client.tableExists(login, "table")) {
            client.createTable(login, "table", true, TimeType.MILLIS);
        }
        String createWriter = client.createWriter(login, "table", new WriterOptions());
        HashMap hashMap = new HashMap();
        ColumnUpdate columnUpdate = new ColumnUpdate(ByteBuffer.wrap("cf1".getBytes(StandardCharsets.UTF_8)), ByteBuffer.wrap("cq1".getBytes(StandardCharsets.UTF_8)));
        columnUpdate.setValue(ByteBuffer.wrap("value1".getBytes(StandardCharsets.UTF_8)));
        hashMap.put(ByteBuffer.wrap("row1".getBytes(StandardCharsets.UTF_8)), Collections.singletonList(columnUpdate));
        ColumnUpdate columnUpdate2 = new ColumnUpdate(ByteBuffer.wrap("cf2".getBytes(StandardCharsets.UTF_8)), ByteBuffer.wrap("cq2".getBytes(StandardCharsets.UTF_8)));
        columnUpdate2.setValue(ByteBuffer.wrap("value2".getBytes(StandardCharsets.UTF_8)));
        hashMap.put(ByteBuffer.wrap("row2".getBytes(StandardCharsets.UTF_8)), Collections.singletonList(columnUpdate2));
        client.update(createWriter, hashMap);
        client.flush(createWriter);
        client.closeWriter(createWriter);
        String createScanner = client.createScanner(login, "table", new ScanOptions());
        ScanResult nextK = client.nextK(createScanner, 10);
        Assert.assertEquals(2L, nextK.getResults().size());
        KeyValue keyValue = (KeyValue) nextK.getResults().get(0);
        Key key = keyValue.key;
        ByteBuffer byteBuffer = keyValue.value;
        Assert.assertEquals(ByteBuffer.wrap("row1".getBytes(StandardCharsets.UTF_8)), key.row);
        Assert.assertEquals(ByteBuffer.wrap("cf1".getBytes(StandardCharsets.UTF_8)), key.colFamily);
        Assert.assertEquals(ByteBuffer.wrap("cq1".getBytes(StandardCharsets.UTF_8)), key.colQualifier);
        Assert.assertEquals(ByteBuffer.wrap(new byte[0]), key.colVisibility);
        Assert.assertEquals(ByteBuffer.wrap("value1".getBytes(StandardCharsets.UTF_8)), byteBuffer);
        KeyValue keyValue2 = (KeyValue) nextK.getResults().get(1);
        Key key2 = keyValue2.key;
        ByteBuffer byteBuffer2 = keyValue2.value;
        Assert.assertEquals(ByteBuffer.wrap("row2".getBytes(StandardCharsets.UTF_8)), key2.row);
        Assert.assertEquals(ByteBuffer.wrap("cf2".getBytes(StandardCharsets.UTF_8)), key2.colFamily);
        Assert.assertEquals(ByteBuffer.wrap("cq2".getBytes(StandardCharsets.UTF_8)), key2.colQualifier);
        Assert.assertEquals(ByteBuffer.wrap(new byte[0]), key2.colVisibility);
        Assert.assertEquals(ByteBuffer.wrap("value2".getBytes(StandardCharsets.UTF_8)), byteBuffer2);
        client.closeScanner(createScanner);
        uGIAssumingTransport.close();
    }

    @Test
    public void testDisallowedClientForImpersonation() throws Exception {
        String methodName = this.testName.getMethodName();
        File file = new File(kdc.getKeytabDir(), methodName + ".keytab");
        kdc.createPrincipal(file, methodName);
        UserGroupInformation loginUserFromKeytabAndReturnUGI = UserGroupInformation.loginUserFromKeytabAndReturnUGI(methodName, file.getAbsolutePath());
        log.info("Logged in as " + loginUserFromKeytabAndReturnUGI);
        TSocket tSocket = new TSocket(hostname, this.proxyPort);
        log.info("Connecting to proxy with server primary '" + proxyPrimary + "' running on " + hostname);
        UGIAssumingTransport uGIAssumingTransport = new UGIAssumingTransport(new TSaslClientTransport("GSSAPI", (String) null, proxyPrimary, hostname, Collections.singletonMap("javax.security.sasl.qop", "auth"), (CallbackHandler) null, tSocket), loginUserFromKeytabAndReturnUGI);
        try {
            uGIAssumingTransport.open();
            AccumuloProxy.Client client = new AccumuloProxy.Client.Factory().getClient(new TCompactProtocol(uGIAssumingTransport), new TCompactProtocol(uGIAssumingTransport));
            AccumuloSecurityException accumuloSecurityException = (AccumuloSecurityException) Assert.assertThrows(AccumuloSecurityException.class, () -> {
                client.login(kdc.qualifyUser(methodName), Collections.emptyMap());
            });
            Assert.assertTrue(thriftExceptionMatchesPattern(accumuloSecurityException, ".*Error BAD_CREDENTIALS.*"));
            Assert.assertTrue(thriftExceptionMatchesPattern(accumuloSecurityException, ".*Expected '" + proxyPrincipal + "' but was '" + kdc.qualifyUser(methodName) + "'.*"));
            uGIAssumingTransport.close();
        } catch (Throwable th) {
            try {
                uGIAssumingTransport.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    @Test
    public void testMismatchPrincipals() throws Exception {
        ClusterUser rootUser = kdc.getRootUser();
        String methodName = this.testName.getMethodName();
        File file = new File(kdc.getKeytabDir(), methodName + ".keytab");
        kdc.createPrincipal(file, methodName);
        UserGroupInformation loginUserFromKeytabAndReturnUGI = UserGroupInformation.loginUserFromKeytabAndReturnUGI(methodName, file.getAbsolutePath());
        log.info("Logged in as " + loginUserFromKeytabAndReturnUGI);
        TSocket tSocket = new TSocket(hostname, this.proxyPort);
        log.info("Connecting to proxy with server primary '" + proxyPrimary + "' running on " + hostname);
        UGIAssumingTransport uGIAssumingTransport = new UGIAssumingTransport(new TSaslClientTransport("GSSAPI", (String) null, proxyPrimary, hostname, Collections.singletonMap("javax.security.sasl.qop", "auth"), (CallbackHandler) null, tSocket), loginUserFromKeytabAndReturnUGI);
        try {
            uGIAssumingTransport.open();
            AccumuloProxy.Client client = new AccumuloProxy.Client.Factory().getClient(new TCompactProtocol(uGIAssumingTransport), new TCompactProtocol(uGIAssumingTransport));
            Assert.assertTrue(thriftExceptionMatchesPattern((AccumuloSecurityException) Assert.assertThrows(AccumuloSecurityException.class, () -> {
                client.login(rootUser.getPrincipal(), Collections.emptyMap());
            }), "RPC principal did not match requested Accumulo principal"));
            uGIAssumingTransport.close();
        } catch (Throwable th) {
            try {
                uGIAssumingTransport.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    @Test
    public void proxiedUserAccessWithoutAccumuloProxy() throws Exception {
        final String str = getUniqueNames(1)[0];
        ClusterUser rootUser = kdc.getRootUser();
        final UserGroupInformation loginUserFromKeytabAndReturnUGI = UserGroupInformation.loginUserFromKeytabAndReturnUGI(rootUser.getPrincipal(), rootUser.getKeytab().getAbsolutePath());
        UserGroupInformation loginUserFromKeytabAndReturnUGI2 = UserGroupInformation.loginUserFromKeytabAndReturnUGI(proxyPrincipal, proxyKeytab.getAbsolutePath());
        final String qualifyUser = kdc.qualifyUser(PROXIED_USER1);
        final String qualifyUser2 = kdc.qualifyUser(PROXIED_USER2);
        final String qualifyUser3 = kdc.qualifyUser(PROXIED_USER3);
        UserGroupInformation createProxyUser = UserGroupInformation.createProxyUser(qualifyUser, loginUserFromKeytabAndReturnUGI2);
        UserGroupInformation createProxyUser2 = UserGroupInformation.createProxyUser(qualifyUser2, loginUserFromKeytabAndReturnUGI2);
        UserGroupInformation createProxyUser3 = UserGroupInformation.createProxyUser(qualifyUser3, loginUserFromKeytabAndReturnUGI2);
        loginUserFromKeytabAndReturnUGI.doAs(new PrivilegedExceptionAction<Void>() { // from class: org.apache.accumulo.test.functional.KerberosProxyIT.2
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public Void run() throws Exception {
                Connector connector = new ZooKeeperInstance(KerberosProxyIT.this.mac.getClientConfig()).getConnector(loginUserFromKeytabAndReturnUGI.getUserName(), new KerberosToken());
                connector.tableOperations().create(str);
                connector.securityOperations().createLocalUser(qualifyUser, new PasswordToken("ignored"));
                connector.securityOperations().grantTablePermission(qualifyUser, str, TablePermission.READ);
                connector.securityOperations().createLocalUser(qualifyUser3, new PasswordToken("ignored"));
                connector.securityOperations().grantTablePermission(qualifyUser3, str, TablePermission.READ);
                return null;
            }
        });
        loginUserFromKeytabAndReturnUGI2.doAs(new PrivilegedExceptionAction<Void>() { // from class: org.apache.accumulo.test.functional.KerberosProxyIT.3
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public Void run() throws Exception {
                try {
                    new ZooKeeperInstance(KerberosProxyIT.this.mac.getClientConfig()).getConnector(KerberosProxyIT.proxyPrincipal, new KerberosToken()).createScanner(str, Authorizations.EMPTY).iterator().hasNext();
                    Assert.fail("Expected to see an exception");
                    return null;
                } catch (RuntimeException e) {
                    Assert.assertTrue("Expected to see at least one AccumuloSecurityException, but saw: " + Throwables.getStackTraceAsString(e), Iterables.size(Iterables.filter(Throwables.getCausalChain(e), org.apache.accumulo.core.client.AccumuloSecurityException.class)) > 0);
                    return null;
                }
            }
        });
        createProxyUser.doAs(new PrivilegedExceptionAction<Void>() { // from class: org.apache.accumulo.test.functional.KerberosProxyIT.4
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public Void run() throws Exception {
                Assert.assertFalse(new ZooKeeperInstance(KerberosProxyIT.this.mac.getClientConfig()).getConnector(qualifyUser, new KerberosToken(qualifyUser)).createScanner(str, Authorizations.EMPTY).iterator().hasNext());
                return null;
            }
        });
        createProxyUser2.doAs(new PrivilegedExceptionAction<Void>() { // from class: org.apache.accumulo.test.functional.KerberosProxyIT.5
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public Void run() throws Exception {
                try {
                    new ZooKeeperInstance(KerberosProxyIT.this.mac.getClientConfig()).getConnector(qualifyUser2, new KerberosToken(qualifyUser3)).createScanner(str, Authorizations.EMPTY).iterator().hasNext();
                    Assert.fail("Expected to see an exception");
                    return null;
                } catch (RuntimeException e) {
                    Assert.assertTrue("Expected to see at least one AccumuloSecurityException, but saw: " + Throwables.getStackTraceAsString(e), Iterables.size(Iterables.filter(Throwables.getCausalChain(e), org.apache.accumulo.core.client.AccumuloSecurityException.class)) > 0);
                    return null;
                }
            }
        });
        createProxyUser3.doAs(new PrivilegedExceptionAction<Void>() { // from class: org.apache.accumulo.test.functional.KerberosProxyIT.6
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public Void run() throws Exception {
                try {
                    new ZooKeeperInstance(KerberosProxyIT.this.mac.getClientConfig()).getConnector(qualifyUser3, new KerberosToken(qualifyUser3));
                    Assert.fail("Should not be able to create a Connector as this user cannot be proxied");
                    return null;
                } catch (org.apache.accumulo.core.client.AccumuloSecurityException e) {
                    return null;
                }
            }
        });
    }

    private boolean thriftExceptionMatchesPattern(AccumuloSecurityException accumuloSecurityException, String str) {
        return accumuloSecurityException.isSetMsg() && accumuloSecurityException.msg.matches(str);
    }
}
