package org.apache.drill.exec.server.rest.spnego;

import com.typesafe.config.ConfigValueFactory;
import java.lang.reflect.Field;
import java.security.PrivilegedExceptionAction;
import javax.security.auth.Subject;
import javax.servlet.ServletRequest;
import junit.framework.TestCase;
import org.apache.commons.codec.binary.Base64;
import org.apache.drill.categories.SecurityTest;
import org.apache.drill.common.config.DrillConfig;
import org.apache.drill.common.scanner.ClassPathScanner;
import org.apache.drill.common.scanner.persistence.ScanResult;
import org.apache.drill.exec.ExecConstants;
import org.apache.drill.exec.exception.DrillbitStartupException;
import org.apache.drill.exec.rpc.security.AuthenticatorProviderImpl;
import org.apache.drill.exec.rpc.security.KerberosHelper;
import org.apache.drill.exec.server.DrillbitContext;
import org.apache.drill.exec.server.options.SystemOptionManager;
import org.apache.drill.exec.server.rest.auth.DrillHttpSecurityHandlerProvider;
import org.apache.drill.exec.server.rest.auth.DrillSpnegoLoginService;
import org.apache.drill.shaded.guava.com.google.common.collect.Lists;
import org.apache.drill.test.BaseDirTestWatcher;
import org.apache.drill.test.BaseTest;
import org.apache.hadoop.security.authentication.util.KerberosName;
import org.apache.hadoop.security.authentication.util.KerberosUtil;
import org.apache.kerby.kerberos.kerb.client.JaasKrbUtil;
import org.eclipse.jetty.server.UserIdentity;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Ignore;
import org.junit.Test;
import org.junit.experimental.categories.Category;
import org.mockito.Mockito;
import org.mockito.stubbing.OngoingStubbing;
import sun.security.jgss.GSSUtil;
import sun.security.krb5.Config;

@Ignore("See DRILL-5387")
@Category({SecurityTest.class})
/* loaded from: input_file:org/apache/drill/exec/server/rest/spnego/TestSpnegoAuthentication.class */
public class TestSpnegoAuthentication extends BaseTest {
    private static KerberosHelper spnegoHelper;
    private static final String primaryName = "HTTP";
    private static final BaseDirTestWatcher dirTestWatcher = new BaseDirTestWatcher();

    @BeforeClass
    public static void setupTest() throws Exception {
        spnegoHelper = new KerberosHelper(TestSpnegoAuthentication.class.getSimpleName(), primaryName);
        spnegoHelper.setupKdc(dirTestWatcher.getTmpDir());
        Config.refresh();
        Field declaredField = KerberosName.class.getDeclaredField("defaultRealm");
        declaredField.setAccessible(true);
        declaredField.set(null, KerberosUtil.getDefaultRealm());
    }

    @Test
    public void testSPNEGOAndFORMEnabled() throws Exception {
        DrillConfig drillConfig = new DrillConfig(DrillConfig.create().withValue("drill.exec.security.user.auth.enabled", ConfigValueFactory.fromAnyRef(true)).withValue("drill.exec.http.auth.mechanisms", ConfigValueFactory.fromIterable(Lists.newArrayList(new String[]{"form", "spnego"}))).withValue("drill.exec.http.auth.spnego.principal", ConfigValueFactory.fromAnyRef(spnegoHelper.SERVER_PRINCIPAL)).withValue("drill.exec.http.auth.spnego.keytab", ConfigValueFactory.fromAnyRef(spnegoHelper.serverKeytab.toString())));
        ScanResult fromPrescan = ClassPathScanner.fromPrescan(drillConfig);
        AuthenticatorProviderImpl authenticatorProviderImpl = (AuthenticatorProviderImpl) Mockito.mock(AuthenticatorProviderImpl.class);
        Mockito.when(Boolean.valueOf(authenticatorProviderImpl.containsFactory("PLAIN"))).thenReturn(true);
        DrillbitContext drillbitContext = (DrillbitContext) Mockito.mock(DrillbitContext.class);
        Mockito.when(drillbitContext.getClasspathScan()).thenReturn(fromPrescan);
        Mockito.when(drillbitContext.getConfig()).thenReturn(drillConfig);
        Mockito.when(drillbitContext.getAuthProvider()).thenReturn(authenticatorProviderImpl);
        DrillHttpSecurityHandlerProvider drillHttpSecurityHandlerProvider = new DrillHttpSecurityHandlerProvider(drillConfig, drillbitContext);
        Assert.assertTrue(drillHttpSecurityHandlerProvider.isFormEnabled());
        Assert.assertTrue(drillHttpSecurityHandlerProvider.isSpnegoEnabled());
    }

    @Test
    public void testOnlyFORMEnabled() throws Exception {
        DrillConfig drillConfig = new DrillConfig(DrillConfig.create().withValue("drill.exec.http.auth.mechanisms", ConfigValueFactory.fromIterable(Lists.newArrayList(new String[]{"form"}))).withValue("drill.exec.security.user.auth.enabled", ConfigValueFactory.fromAnyRef(true)).withValue("drill.exec.http.auth.spnego.principal", ConfigValueFactory.fromAnyRef(spnegoHelper.SERVER_PRINCIPAL)).withValue("drill.exec.http.auth.spnego.keytab", ConfigValueFactory.fromAnyRef(spnegoHelper.serverKeytab.toString())));
        ScanResult fromPrescan = ClassPathScanner.fromPrescan(drillConfig);
        AuthenticatorProviderImpl authenticatorProviderImpl = (AuthenticatorProviderImpl) Mockito.mock(AuthenticatorProviderImpl.class);
        Mockito.when(Boolean.valueOf(authenticatorProviderImpl.containsFactory("PLAIN"))).thenReturn(true);
        DrillbitContext drillbitContext = (DrillbitContext) Mockito.mock(DrillbitContext.class);
        Mockito.when(drillbitContext.getClasspathScan()).thenReturn(fromPrescan);
        Mockito.when(drillbitContext.getConfig()).thenReturn(drillConfig);
        Mockito.when(drillbitContext.getAuthProvider()).thenReturn(authenticatorProviderImpl);
        DrillHttpSecurityHandlerProvider drillHttpSecurityHandlerProvider = new DrillHttpSecurityHandlerProvider(drillConfig, drillbitContext);
        Assert.assertTrue(drillHttpSecurityHandlerProvider.isFormEnabled());
        Assert.assertTrue(!drillHttpSecurityHandlerProvider.isSpnegoEnabled());
    }

    @Test
    public void testFORMEnabledWithPlainDisabled() throws Exception {
        try {
            DrillConfig drillConfig = new DrillConfig(DrillConfig.create().withValue("drill.exec.security.user.auth.enabled", ConfigValueFactory.fromAnyRef(true)).withValue("drill.exec.http.auth.mechanisms", ConfigValueFactory.fromIterable(Lists.newArrayList(new String[]{"form"}))).withValue("drill.exec.http.auth.spnego.principal", ConfigValueFactory.fromAnyRef(spnegoHelper.SERVER_PRINCIPAL)).withValue("drill.exec.http.auth.spnego.keytab", ConfigValueFactory.fromAnyRef(spnegoHelper.serverKeytab.toString())));
            ScanResult fromPrescan = ClassPathScanner.fromPrescan(drillConfig);
            AuthenticatorProviderImpl authenticatorProviderImpl = (AuthenticatorProviderImpl) Mockito.mock(AuthenticatorProviderImpl.class);
            Mockito.when(Boolean.valueOf(authenticatorProviderImpl.containsFactory("PLAIN"))).thenReturn(false);
            DrillbitContext drillbitContext = (DrillbitContext) Mockito.mock(DrillbitContext.class);
            Mockito.when(drillbitContext.getClasspathScan()).thenReturn(fromPrescan);
            Mockito.when(drillbitContext.getConfig()).thenReturn(drillConfig);
            Mockito.when(drillbitContext.getAuthProvider()).thenReturn(authenticatorProviderImpl);
            new DrillHttpSecurityHandlerProvider(drillConfig, drillbitContext);
            TestCase.fail();
        } catch (Exception e) {
            Assert.assertTrue(e instanceof DrillbitStartupException);
        }
    }

    @Test
    public void testOnlySPNEGOEnabled() throws Exception {
        DrillConfig drillConfig = new DrillConfig(DrillConfig.create().withValue("drill.exec.http.auth.mechanisms", ConfigValueFactory.fromIterable(Lists.newArrayList(new String[]{"spnego"}))).withValue("drill.exec.security.user.auth.enabled", ConfigValueFactory.fromAnyRef(true)).withValue("drill.exec.http.auth.spnego.principal", ConfigValueFactory.fromAnyRef(spnegoHelper.SERVER_PRINCIPAL)).withValue("drill.exec.http.auth.spnego.keytab", ConfigValueFactory.fromAnyRef(spnegoHelper.serverKeytab.toString())));
        ScanResult fromPrescan = ClassPathScanner.fromPrescan(drillConfig);
        AuthenticatorProviderImpl authenticatorProviderImpl = (AuthenticatorProviderImpl) Mockito.mock(AuthenticatorProviderImpl.class);
        Mockito.when(Boolean.valueOf(authenticatorProviderImpl.containsFactory("PLAIN"))).thenReturn(false);
        DrillbitContext drillbitContext = (DrillbitContext) Mockito.mock(DrillbitContext.class);
        Mockito.when(drillbitContext.getClasspathScan()).thenReturn(fromPrescan);
        Mockito.when(drillbitContext.getConfig()).thenReturn(drillConfig);
        Mockito.when(drillbitContext.getAuthProvider()).thenReturn(authenticatorProviderImpl);
        DrillHttpSecurityHandlerProvider drillHttpSecurityHandlerProvider = new DrillHttpSecurityHandlerProvider(drillConfig, drillbitContext);
        Assert.assertTrue(!drillHttpSecurityHandlerProvider.isFormEnabled());
        Assert.assertTrue(drillHttpSecurityHandlerProvider.isSpnegoEnabled());
    }

    @Test
    public void testConfigBackwardCompatibility() throws Exception {
        DrillConfig drillConfig = new DrillConfig(DrillConfig.create().withValue("drill.exec.security.user.auth.enabled", ConfigValueFactory.fromAnyRef(true)));
        ScanResult fromPrescan = ClassPathScanner.fromPrescan(drillConfig);
        AuthenticatorProviderImpl authenticatorProviderImpl = (AuthenticatorProviderImpl) Mockito.mock(AuthenticatorProviderImpl.class);
        Mockito.when(Boolean.valueOf(authenticatorProviderImpl.containsFactory("PLAIN"))).thenReturn(true);
        DrillbitContext drillbitContext = (DrillbitContext) Mockito.mock(DrillbitContext.class);
        Mockito.when(drillbitContext.getClasspathScan()).thenReturn(fromPrescan);
        Mockito.when(drillbitContext.getConfig()).thenReturn(drillConfig);
        Mockito.when(drillbitContext.getAuthProvider()).thenReturn(authenticatorProviderImpl);
        DrillHttpSecurityHandlerProvider drillHttpSecurityHandlerProvider = new DrillHttpSecurityHandlerProvider(drillConfig, drillbitContext);
        Assert.assertTrue(drillHttpSecurityHandlerProvider.isFormEnabled());
        Assert.assertTrue(!drillHttpSecurityHandlerProvider.isSpnegoEnabled());
    }

    @Test
    public void testDrillSpnegoLoginService() throws Exception {
        String str = (String) Subject.doAs(JaasKrbUtil.loginUsingKeytab(spnegoHelper.CLIENT_PRINCIPAL, spnegoHelper.clientKeytab.getAbsoluteFile()), new PrivilegedExceptionAction<String>() { // from class: org.apache.drill.exec.server.rest.spnego.TestSpnegoAuthentication.1
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public String run() throws Exception {
                GSSManager gSSManager = GSSManager.getInstance();
                GSSContext gSSContext = null;
                try {
                    Oid oid = GSSUtil.GSS_SPNEGO_MECH_OID;
                    gSSContext = gSSManager.createContext(gSSManager.createName(TestSpnegoAuthentication.spnegoHelper.SERVER_PRINCIPAL, GSSName.NT_USER_NAME, oid), oid, (GSSCredential) null, 0);
                    gSSContext.requestCredDeleg(true);
                    gSSContext.requestMutualAuth(true);
                    byte[] bArr = new byte[0];
                    String encodeBase64String = Base64.encodeBase64String(gSSContext.initSecContext(bArr, 0, bArr.length));
                    if (gSSContext != null) {
                        gSSContext.dispose();
                    }
                    return encodeBase64String;
                } catch (Throwable th) {
                    if (gSSContext != null) {
                        gSSContext.dispose();
                    }
                    throw th;
                }
            }
        });
        DrillConfig drillConfig = new DrillConfig(DrillConfig.create().withValue("drill.exec.http.auth.mechanisms", ConfigValueFactory.fromIterable(Lists.newArrayList(new String[]{"spnego"}))).withValue("drill.exec.http.auth.spnego.principal", ConfigValueFactory.fromAnyRef(spnegoHelper.SERVER_PRINCIPAL)).withValue("drill.exec.http.auth.spnego.keytab", ConfigValueFactory.fromAnyRef(spnegoHelper.serverKeytab.toString())));
        SystemOptionManager systemOptionManager = (SystemOptionManager) Mockito.mock(SystemOptionManager.class);
        OngoingStubbing when = Mockito.when(systemOptionManager.getOption(ExecConstants.ADMIN_USERS_VALIDATOR));
        ExecConstants.ADMIN_USERS_VALIDATOR.getClass();
        when.thenReturn("%drill_process_user%");
        OngoingStubbing when2 = Mockito.when(systemOptionManager.getOption(ExecConstants.ADMIN_USER_GROUPS_VALIDATOR));
        ExecConstants.ADMIN_USER_GROUPS_VALIDATOR.getClass();
        when2.thenReturn("%drill_process_user_groups%");
        DrillbitContext drillbitContext = (DrillbitContext) Mockito.mock(DrillbitContext.class);
        Mockito.when(drillbitContext.getConfig()).thenReturn(drillConfig);
        Mockito.when(drillbitContext.getOptionManager()).thenReturn(systemOptionManager);
        UserIdentity login = new DrillSpnegoLoginService(drillbitContext).login((String) null, str, (ServletRequest) null);
        Assert.assertNotNull(login);
        String name = login.getUserPrincipal().getName();
        spnegoHelper.getClass();
        Assert.assertEquals(name, "testUser");
        Assert.assertTrue(login.isUserInRole("authenticated", (UserIdentity.Scope) null));
    }

    @AfterClass
    public static void cleanTest() throws Exception {
        spnegoHelper.stopKdc();
    }
}
