package org.apache.drill.exec.rpc.user.security;

import com.bettercloud.vault.Vault;
import com.bettercloud.vault.VaultConfig;
import java.util.Arrays;
import java.util.Iterator;
import org.apache.drill.categories.SecurityTest;
import org.apache.drill.exec.rpc.user.security.VaultUserAuthenticator;
import org.apache.drill.test.ClientFixture;
import org.apache.drill.test.ClusterFixture;
import org.apache.drill.test.ClusterTest;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.ClassRule;
import org.junit.Test;
import org.junit.experimental.categories.Category;
import org.testcontainers.utility.DockerImageName;
import org.testcontainers.vault.VaultContainer;
import org.testcontainers.vault.VaultLogLevel;

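@Category({SecurityTest.class})
/**
 * Integration test for {@link VaultUserAuthenticator}: starts a throwaway Vault dev server in a
 * container, seeds two userpass accounts, and checks that a Drill cluster configured for Vault
 * authentication accepts exactly the right credentials for each supported auth method.
 *
 * <p>Each scenario runs both rejection cases (valid secret under the wrong user name, valid user
 * with the wrong secret) and the acceptance cases, so the test covers the binding between the
 * presented identity and the secret, not just whether the secret is valid somewhere in Vault.
 */
public class TestVaultUserAuthenticator extends ClusterTest {
    /** Base URL of the Vault container; resolved once in {@link #init()} after the container is up. */
    private static String vaultAddr;

    /** Root token for the dev-mode Vault container; it is only ever handed to the test container. */
    private static final String VAULT_ROOT_TOKEN = "vault-token";

    /** Vault dev server with userpass enabled and the two accounts the scenarios below exercise. */
    @ClassRule
    public static final VaultContainer<?> vaultContainer = new VaultContainer<>(DockerImageName.parse("vault").withTag("1.10.3"))
            .withLogLevel(VaultLogLevel.Debug)
            .withVaultToken(VAULT_ROOT_TOKEN)
            .withInitCommand(
                    "auth enable userpass",
                    "write auth/userpass/users/alice password=pass1 policies=admins",
                    "write auth/userpass/users/bob password=buzzkill policies=admins");

    /**
     * Resolves the container's mapped address; must run after the {@code @ClassRule} has started it.
     *
     * @throws Exception propagated from the test-container accessors
     */
    @BeforeClass
    public static void init() throws Exception {
        vaultAddr = String.format("http://%s:%d", vaultContainer.getHost(), vaultContainer.getMappedPort(8200));
    }

    /**
     * Builds a three-node cluster whose user authentication is delegated to the Vault container.
     *
     * @param method the Vault auth method Drill should use to validate a connecting user's password
     * @return the started cluster; callers assign it to the inherited {@code cluster} field so
     *         {@link ClusterTest} tears it down
     * @throws Exception if the cluster fails to start
     */
    private static ClusterFixture startVaultCluster(VaultUserAuthenticator.VaultAuthMethod method) throws Exception {
        return ClusterFixture.bareBuilder(dirTestWatcher)
                .clusterSize(3)
                .configProperty("drill.exec.allow_loopback_address_binding", true)
                .configProperty("drill.exec.security.user.auth.enabled", true)
                .configProperty("drill.exec.security.user.auth.impl", "vault")
                // The cluster only receives the Vault address; it never sees VAULT_ROOT_TOKEN.
                .configProperty("drill.exec.security.user.auth.vault.address", vaultAddr)
                .configProperty("drill.exec.security.user.auth.vault.method", method)
                .build();
    }

    /**
     * Userpass mode: the Drill password is the Vault userpass password. Both halves of the
     * credential must match an account; a correct password under another user name is rejected.
     *
     * @throws Exception on cluster or client failure
     */
    @Test
    public void testUserPassAuth() throws Exception {
        cluster = startVaultCluster(VaultUserAuthenticator.VaultAuthMethod.USER_PASS);

        tryCredentials("notalice", "pass1", cluster, false);
        tryCredentials("notbob", "buzzkill", cluster, false);
        tryCredentials("alice", "wrong", cluster, false);
        tryCredentials("bob", "incorrect", cluster, false);
        tryCredentials("alice", "pass1", cluster, true);
        tryCredentials("bob", "buzzkill", cluster, true);
    }

    /**
     * Token mode: the Drill password is a Vault client token obtained by logging in as the user.
     * A live token for alice presented under the name "notalice" must be refused, i.e. the
     * authenticator has to check whom the token belongs to, not merely that Vault accepts it.
     *
     * @throws Exception on Vault, cluster or client failure
     */
    @Test
    public void testVaultTokenAuth() throws Exception {
        Vault vault = new Vault(new VaultConfig().address(vaultAddr).token(VAULT_ROOT_TOKEN).build());
        String aliceToken = vault.auth().loginByUserPass("alice", "pass1").getAuthClientToken();
        String bobToken = vault.auth().loginByUserPass("bob", "buzzkill").getAuthClientToken();

        cluster = startVaultCluster(VaultUserAuthenticator.VaultAuthMethod.VAULT_TOKEN);

        tryCredentials("notalice", aliceToken, cluster, false);
        tryCredentials("notbob", bobToken, cluster, false);
        tryCredentials("alice", "wrong", cluster, false);
        tryCredentials("bob", "incorrect", cluster, false);
        tryCredentials("alice", aliceToken, cluster, true);
        tryCredentials("bob", bobToken, cluster, true);
    }

    /**
     * Connects to the cluster with the given credentials, runs a handful of smoke queries through
     * the session, and asserts the outcome matches {@code shouldSucceed}.
     *
     * <p>The queries matter: they prove that an accepted credential yields a working session, and
     * that a rejected one never reaches the point of executing anything. The client is closed
     * on every path so each attempt uses its own connection.
     *
     * @param user the Drill user name to present
     * @param password the Drill password (a userpass password or a Vault token, per auth method)
     * @param clusterFixture the cluster to connect to
     * @param shouldSucceed whether the credentials are expected to be accepted
     * @throws Exception if a query fails, or if an expected-to-succeed connection is refused
     */
    private static void tryCredentials(String user, String password, ClusterFixture clusterFixture, boolean shouldSucceed) throws Exception {
        try (ClientFixture client = clusterFixture.clientBuilder()
                .property("user", user)
                .property("password", password)
                .build()) {
            for (String sql : Arrays.asList(
                    "SHOW SCHEMAS",
                    "USE INFORMATION_SCHEMA",
                    "SHOW TABLES",
                    "SELECT * FROM INFORMATION_SCHEMA.`TABLES` WHERE TABLE_NAME LIKE 'COLUMNS'",
                    "SELECT * FROM cp.`region.json` LIMIT 5")) {
                client.queryBuilder().sql(sql).run();
            }
            if (!shouldSucceed) {
                Assert.fail("Expected connect to fail because of incorrect username / password combination, but it succeeded");
            }
        } catch (IllegalStateException e) {
            // Refused credentials surface from the client builder as IllegalStateException
            // (presumably wrapping the connection failure — verify against ClientFixture);
            // that is the expected outcome only for the negative cases.
            if (shouldSucceed) {
                throw e;
            }
        }
    }
}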
