package org.apache.hadoop.hbase.security.visibility;

import com.google.protobuf.ByteString;
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.Iterator;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseTestingUtility;
import org.apache.hadoop.hbase.MediumTests;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.client.Get;
import org.apache.hadoop.hbase.client.HTable;
import org.apache.hadoop.hbase.client.Put;
import org.apache.hadoop.hbase.client.Result;
import org.apache.hadoop.hbase.client.ResultScanner;
import org.apache.hadoop.hbase.client.Scan;
import org.apache.hadoop.hbase.coprocessor.CoprocessorHost;
import org.apache.hadoop.hbase.protobuf.generated.VisibilityLabelsProtos;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.security.access.AccessControlLists;
import org.apache.hadoop.hbase.security.access.AccessController;
import org.apache.hadoop.hbase.security.access.Permission;
import org.apache.hadoop.hbase.security.access.SecureTestUtil;
import org.apache.hadoop.hbase.util.Bytes;
import org.apache.hadoop.hdfs.DFSConfigKeys;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Rule;
import org.junit.Test;
import org.junit.experimental.categories.Category;
import org.junit.rules.TestName;

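/**
 * Integration tests for visibility labels running together with ACL enforcement.
 *
 * <p>The mini cluster is started with security enabled and with both {@link AccessController}
 * and {@link VisibilityController} installed as master and region coprocessors, so every read
 * in these tests passes through the table-permission check and the label filter.
 *
 * <p>All tests share one cluster and mutate the label authorizations of the same user names
 * ("admin", "user1", "user2", "user3"). Label state therefore leaks between test methods; see
 * the review notes on the individual tests.
 */
@Category({MediumTests.class})
public class TestVisibilityLabelsWithACL {
    private static final String PRIVATE = "private";
    private static final String CONFIDENTIAL = "confidential";
    private static final String SECRET = "secret";
    // Class name reported in a VisibilityLabelsResponse entry when the caller is refused.
    private static final String ACCESS_DENIED_EXCEPTION =
            "org.apache.hadoop.hbase.security.AccessDeniedException";
    private static final HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility();
    private static final byte[] row1 = Bytes.toBytes("row1");
    private static final byte[] fam = Bytes.toBytes("info");
    private static final byte[] qual = Bytes.toBytes("qual");
    private static final byte[] value = Bytes.toBytes("value");
    private static Configuration conf;

    // Supplies the running test's method name, which each test uses as its table name.
    @Rule
    public final TestName TEST_NAME = new TestName();
    private static User SUPERUSER;
    private static User NORMAL_USER1;
    private static User NORMAL_USER2;

    /**
     * Starts a secured mini cluster with the ACL and visibility coprocessors, registers the
     * three labels, and creates the test users.
     *
     * @throws Exception if the cluster cannot be started or the initial grants fail
     */
    @BeforeClass
    public static void setupBeforeClass() throws Exception {
        conf = TEST_UTIL.getConfiguration();
        SecureTestUtil.enableSecurity(conf);
        // Both controllers are loaded on the master and on every region.
        String coprocessors =
                AccessController.class.getName() + "," + VisibilityController.class.getName();
        conf.set(CoprocessorHost.MASTER_COPROCESSOR_CONF_KEY, coprocessors);
        conf.set(CoprocessorHost.REGION_COPROCESSOR_CONF_KEY, coprocessors);
        TEST_UTIL.startMiniCluster(2);
        // Wait for the ACL and labels system tables before touching either subsystem.
        TEST_UTIL.waitTableEnabled(AccessControlLists.ACL_TABLE_NAME.getName(), 50000L);
        TEST_UTIL.waitTableEnabled(VisibilityConstants.LABELS_TABLE_NAME.getName(), 50000L);
        // Runs as the process's own user, outside any runAs() -- presumably a superuser.
        addLabels();
        SUPERUSER = User.createUserForTesting(conf, "admin",
                new String[] {DFSConfigKeys.DFS_PERMISSIONS_SUPERUSERGROUP_DEFAULT});
        NORMAL_USER1 = User.createUserForTesting(conf, "user1", new String[0]);
        NORMAL_USER2 = User.createUserForTesting(conf, "user2", new String[0]);
        // EXEC on the labels table is granted to both normal users; the label-admin operations
        // in testLabelsTableOpsWithDifferentUsers are still expected to be denied for user1.
        SecureTestUtil.grantOnTable(TEST_UTIL, NORMAL_USER1.getShortName(),
                VisibilityConstants.LABELS_TABLE_NAME, null, null, Permission.Action.EXEC);
        SecureTestUtil.grantOnTable(TEST_UTIL, NORMAL_USER2.getShortName(),
                VisibilityConstants.LABELS_TABLE_NAME, null, null, Permission.Action.EXEC);
    }

    /** Shuts the mini cluster down once all tests in the class have run. */
    @AfterClass
    public static void tearDownAfterClass() throws Exception {
        TEST_UTIL.shutdownMiniCluster();
    }

    /**
     * A normal user holding only {@code secret} asks for {@code secret} and
     * {@code confidential} in the scan. The test expects only row2
     * ({@code secret&!private}) back: row1 also requires {@code confidential}, which the user
     * requested but was never granted.
     */
    @Test
    public void testScanForUserWithFewerLabelAuthsThanLabelsInScanAuthorizations() throws Throwable {
        VisibilityClient.setAuths(conf, new String[] {SECRET}, "user2");
        TableName tableName = TableName.valueOf(TEST_NAME.getMethodName());
        final HTable table = createTableAndWriteDataWithLabels(tableName,
                SECRET + "&" + CONFIDENTIAL + "&!" + PRIVATE, SECRET + "&!" + PRIVATE);
        SecureTestUtil.grantOnTable(TEST_UTIL, NORMAL_USER2.getShortName(), tableName, null, null,
                Permission.Action.READ);
        NORMAL_USER2.runAs(new PrivilegedExceptionAction<Void>() {
            @Override
            public Void run() throws Exception {
                Scan scan = new Scan();
                scan.setAuthorizations(new Authorizations(SECRET, CONFIDENTIAL));
                HTable userTable = new HTable(conf, table.getTableName());
                try {
                    ResultScanner scanner = userTable.getScanner(scan);
                    try {
                        Result first = scanner.next();
                        Assert.assertNotNull("scan returned no rows", first);
                        Assert.assertFalse(first.isEmpty());
                        Assert.assertTrue(Bytes.equals(Bytes.toBytes("row2"), first.getRow()));
                        Assert.assertNull(scanner.next());
                    } finally {
                        // The scanner is released even when an assertion fails.
                        scanner.close();
                    }
                } finally {
                    userTable.close();
                }
                return null;
            }
        });
    }

    /**
     * The superuser holds only {@code secret} yet the scan is expected to return both rows,
     * i.e. label authorizations are not enforced against the superuser. No table grant is
     * issued for the superuser either.
     */
    @Test
    public void testScanForSuperUserWithFewerLabelAuths() throws Throwable {
        VisibilityClient.setAuths(conf, new String[] {SECRET}, "admin");
        TableName tableName = TableName.valueOf(TEST_NAME.getMethodName());
        final HTable table = createTableAndWriteDataWithLabels(tableName,
                SECRET + "&" + CONFIDENTIAL + "&!" + PRIVATE, SECRET + "&!" + PRIVATE);
        SUPERUSER.runAs(new PrivilegedExceptionAction<Void>() {
            @Override
            public Void run() throws Exception {
                Scan scan = new Scan();
                scan.setAuthorizations(new Authorizations(SECRET, CONFIDENTIAL));
                HTable userTable = new HTable(conf, table.getTableName());
                try {
                    ResultScanner scanner = userTable.getScanner(scan);
                    try {
                        Result[] rows = scanner.next(5);
                        Assert.assertEquals(2, rows.length);
                    } finally {
                        scanner.close();
                    }
                } finally {
                    userTable.close();
                }
                return null;
            }
        });
    }

    /**
     * Same expectation as the superuser scan test, for a point read: row1 requires
     * {@code confidential}, which "admin" was not granted, and the Get must still return it.
     */
    @Test
    public void testGetForSuperUserWithFewerLabelAuths() throws Throwable {
        VisibilityClient.setAuths(conf, new String[] {SECRET}, "admin");
        TableName tableName = TableName.valueOf(TEST_NAME.getMethodName());
        final HTable table = createTableAndWriteDataWithLabels(tableName,
                SECRET + "&" + CONFIDENTIAL + "&!" + PRIVATE, SECRET + "&!" + PRIVATE);
        SUPERUSER.runAs(new PrivilegedExceptionAction<Void>() {
            @Override
            public Void run() throws Exception {
                Get get = new Get(row1);
                get.setAuthorizations(new Authorizations(SECRET, CONFIDENTIAL));
                HTable userTable = new HTable(conf, table.getTableName());
                try {
                    Assert.assertFalse(userTable.get(get).isEmpty());
                } finally {
                    userTable.close();
                }
                return null;
            }
        });
    }

    /**
     * A user with READ on the table but no label authorizations must get an empty result for
     * a cell labelled {@code secret}, even when the Get asks for that label.
     *
     * <p>NOTE(review): the read runs as user2, but the auths cleared here belong to "admin" and
     * the auths set belong to "user1". user2 is granted {@code secret} by
     * testScanForUserWithFewerLabelAuthsThanLabelsInScanAuthorizations on the same cluster, so
     * this test appears to depend on running before that one -- confirm, and consider
     * resetting user2's auths at the start of this test.
     */
    @Test
    public void testVisibilityLabelsForUserWithNoAuths() throws Throwable {
        String[] auths = {SECRET};
        VisibilityClient.clearAuths(conf, auths, "admin");
        VisibilityClient.setAuths(conf, auths, "user1");
        TableName tableName = TableName.valueOf(TEST_NAME.getMethodName());
        final HTable table = createTableAndWriteDataWithLabels(tableName, SECRET);
        SecureTestUtil.grantOnTable(TEST_UTIL, NORMAL_USER1.getShortName(), tableName, null, null,
                Permission.Action.READ);
        SecureTestUtil.grantOnTable(TEST_UTIL, NORMAL_USER2.getShortName(), tableName, null, null,
                Permission.Action.READ);
        NORMAL_USER2.runAs(new PrivilegedExceptionAction<Void>() {
            @Override
            public Void run() throws Exception {
                Get get = new Get(row1);
                get.setAuthorizations(new Authorizations(SECRET, CONFIDENTIAL));
                HTable userTable = new HTable(conf, table.getTableName());
                try {
                    Assert.assertTrue(userTable.get(get).isEmpty());
                } finally {
                    userTable.close();
                }
                return null;
            }
        });
    }

    /**
     * Checks which users may administer labels: addLabels, setAuths and clearAuths issued by a
     * normal user must come back with an AccessDeniedException per label, the same calls by
     * the superuser (or by the test process itself) must succeed, and getAuths must yield
     * nothing for a normal user.
     */
    @Test
    public void testLabelsTableOpsWithDifferentUsers() throws Throwable {
        // A failure thrown by VisibilityClient (as opposed to a denial reported inside the
        // response) is rethrown with its cause, the same way addLabels() wraps it, so the test
        // fails on the real error rather than on a later null dereference.
        VisibilityLabelsProtos.VisibilityLabelsResponse addLabelsAsUser1 = NORMAL_USER1.runAs(
                new PrivilegedExceptionAction<VisibilityLabelsProtos.VisibilityLabelsResponse>() {
                    @Override
                    public VisibilityLabelsProtos.VisibilityLabelsResponse run() throws Exception {
                        try {
                            return VisibilityClient.addLabels(conf, new String[] {"l1", "l2"});
                        } catch (Throwable t) {
                            throw new IOException(t);
                        }
                    }
                });
        assertBothDenied(addLabelsAsUser1);

        VisibilityLabelsProtos.VisibilityLabelsResponse setAuthsAsUser1 = NORMAL_USER1.runAs(
                new PrivilegedExceptionAction<VisibilityLabelsProtos.VisibilityLabelsResponse>() {
                    @Override
                    public VisibilityLabelsProtos.VisibilityLabelsResponse run() throws Exception {
                        try {
                            return VisibilityClient.setAuths(conf,
                                    new String[] {CONFIDENTIAL, PRIVATE}, "user1");
                        } catch (Throwable t) {
                            throw new IOException(t);
                        }
                    }
                });
        assertBothDenied(setAuthsAsUser1);

        VisibilityLabelsProtos.VisibilityLabelsResponse setAuthsAsSuperuser = SUPERUSER.runAs(
                new PrivilegedExceptionAction<VisibilityLabelsProtos.VisibilityLabelsResponse>() {
                    @Override
                    public VisibilityLabelsProtos.VisibilityLabelsResponse run() throws Exception {
                        try {
                            return VisibilityClient.setAuths(conf,
                                    new String[] {CONFIDENTIAL, PRIVATE}, "user1");
                        } catch (Throwable t) {
                            throw new IOException(t);
                        }
                    }
                });
        assertBothSucceeded(setAuthsAsSuperuser);

        // user1 now holds both labels but still must not be able to remove them itself.
        VisibilityLabelsProtos.VisibilityLabelsResponse clearAuthsAsUser1 = NORMAL_USER1.runAs(
                new PrivilegedExceptionAction<VisibilityLabelsProtos.VisibilityLabelsResponse>() {
                    @Override
                    public VisibilityLabelsProtos.VisibilityLabelsResponse run() throws Exception {
                        try {
                            return VisibilityClient.clearAuths(conf,
                                    new String[] {CONFIDENTIAL, PRIVATE}, "user1");
                        } catch (Throwable t) {
                            throw new IOException(t);
                        }
                    }
                });
        assertBothDenied(clearAuthsAsUser1);

        // Issued outside runAs(), i.e. as the user running the test process.
        assertBothSucceeded(
                VisibilityClient.clearAuths(conf, new String[] {CONFIDENTIAL, PRIVATE}, "user1"));

        VisibilityClient.setAuths(conf, new String[] {CONFIDENTIAL, PRIVATE}, "user3");
        PrivilegedExceptionAction<VisibilityLabelsProtos.GetAuthsResponse> getAuthsOfUser3 =
                new PrivilegedExceptionAction<VisibilityLabelsProtos.GetAuthsResponse>() {
                    @Override
                    public VisibilityLabelsProtos.GetAuthsResponse run() throws Exception {
                        try {
                            return VisibilityClient.getAuths(conf, "user3");
                        } catch (Throwable ignored) {
                            // Deliberate: the normal-user check below expects null when the
                            // call fails.
                            // NOTE(review): any Throwable, not only an access denial, becomes
                            // null here, so that check cannot tell a denial from an unrelated
                            // failure. Consider asserting on the exception type instead.
                            return null;
                        }
                    }
                };
        Assert.assertNull(NORMAL_USER1.runAs(getAuthsOfUser3));

        VisibilityLabelsProtos.GetAuthsResponse superuserView = SUPERUSER.runAs(getAuthsOfUser3);
        Assert.assertNotNull("getAuths failed for the superuser", superuserView);
        ArrayList<String> user3Auths = new ArrayList<String>();
        for (ByteString auth : superuserView.getAuthList()) {
            user3Auths.add(Bytes.toString(auth.toByteArray()));
        }
        Assert.assertEquals(2, user3Auths.size());
        Assert.assertTrue(user3Auths.contains(CONFIDENTIAL));
        Assert.assertTrue(user3Auths.contains(PRIVATE));
    }

    /**
     * Asserts that the first two entries of a label-admin response each carry an
     * AccessDeniedException.
     */
    private static void assertBothDenied(VisibilityLabelsProtos.VisibilityLabelsResponse response) {
        Assert.assertEquals(ACCESS_DENIED_EXCEPTION,
                response.getResult(0).getException().getName());
        Assert.assertEquals(ACCESS_DENIED_EXCEPTION,
                response.getResult(1).getException().getName());
    }

    /** Asserts that the first two entries of a label-admin response carry no exception payload. */
    private static void assertBothSucceeded(
            VisibilityLabelsProtos.VisibilityLabelsResponse response) {
        Assert.assertTrue(response.getResult(0).getException().getValue().isEmpty());
        Assert.assertTrue(response.getResult(1).getException().getValue().isEmpty());
    }

    /**
     * Creates {@code tableName} with the single family {@code info} and writes one row per
     * visibility expression: row1 gets the first expression, row2 the second, and so on.
     *
     * @param tableName table to create
     * @param labelExps visibility expressions, one per row
     * @return the table handle, already closed; callers only read its name from it
     * @throws Exception if the table cannot be created or the writes fail
     */
    private static HTable createTableAndWriteDataWithLabels(TableName tableName, String... labelExps)
            throws Exception {
        HTable table = null;
        try {
            table = TEST_UTIL.createTable(tableName, fam);
            ArrayList<Put> puts = new ArrayList<Put>();
            int rowNumber = 1;
            for (String labelExp : labelExps) {
                Put put = new Put(Bytes.toBytes("row" + rowNumber));
                put.add(fam, qual, Long.MAX_VALUE, value);
                put.setCellVisibility(new CellVisibility(labelExp));
                puts.add(put);
                rowNumber++;
            }
            table.put(puts);
        } finally {
            // Single close path for both the success and the failure case.
            if (table != null) {
                table.close();
            }
        }
        return table;
    }

    /**
     * Registers the three labels used by the tests.
     *
     * @throws IOException wrapping whatever VisibilityClient.addLabels throws
     */
    private static void addLabels() throws IOException {
        try {
            VisibilityClient.addLabels(conf, new String[] {SECRET, CONFIDENTIAL, PRIVATE});
        } catch (Throwable t) {
            throw new IOException(t);
        }
    }
}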
