package org.apache.hadoop.ozone;

import java.io.File;
import java.io.IOException;
import java.net.InetAddress;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyPair;
import java.security.PrivilegedExceptionAction;
import java.security.cert.X509Certificate;
import java.sql.Date;
import java.time.LocalDate;
import java.time.LocalDateTime;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.Locale;
import java.util.Properties;
import java.util.UUID;
import java.util.concurrent.Callable;
import junit.framework.TestCase;
import org.apache.commons.lang3.RandomStringUtils;
import org.apache.hadoop.classification.InterfaceAudience;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.hdds.protocol.SCMSecurityProtocol;
import org.apache.hadoop.hdds.scm.ScmInfo;
import org.apache.hadoop.hdds.scm.client.HddsClientUtils;
import org.apache.hadoop.hdds.scm.server.SCMStorageConfig;
import org.apache.hadoop.hdds.scm.server.StorageContainerManager;
import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec;
import org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator;
import org.apache.hadoop.hdds.security.x509.keys.KeyCodec;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.ipc.Client;
import org.apache.hadoop.ipc.RPC;
import org.apache.hadoop.ipc.RemoteException;
import org.apache.hadoop.ipc.Server;
import org.apache.hadoop.metrics2.lib.DefaultMetricsSystem;
import org.apache.hadoop.minikdc.MiniKdc;
import org.apache.hadoop.net.NetUtils;
import org.apache.hadoop.ozone.client.CertificateClientTestImpl;
import org.apache.hadoop.ozone.common.Storage;
import org.apache.hadoop.ozone.om.OMStorage;
import org.apache.hadoop.ozone.om.OzoneManager;
import org.apache.hadoop.ozone.om.exceptions.OMException;
import org.apache.hadoop.ozone.om.helpers.S3SecretValue;
import org.apache.hadoop.ozone.om.protocolPB.OzoneManagerProtocolClientSideTranslatorPB;
import org.apache.hadoop.ozone.om.protocolPB.OzoneManagerProtocolPB;
import org.apache.hadoop.ozone.security.OzoneTokenIdentifier;
import org.apache.hadoop.security.KerberosAuthException;
import org.apache.hadoop.security.SaslRpcServer;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.test.GenericTestUtils;
import org.apache.hadoop.test.LambdaTestUtils;
import org.bouncycastle.asn1.x500.RDN;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.cert.jcajce.JcaX509CertificateHolder;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.TemporaryFolder;
import org.junit.rules.Timeout;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.slf4j.event.Level;

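/**
 * Integration tests for Ozone running with Kerberos security enabled.
 *
 * <p>Each test gets a fresh {@link MiniKdc}; SCM, OM, SPNEGO and a plain test
 * user principal are created against it with keytabs in the working directory.
 * The tests then start the SCM and/or OM and verify: Kerberos login success and
 * failure paths, that the SCM security protocol rejects non-Kerberos clients,
 * the delegation-token lifecycle (issue/renew/cancel/expiry and which
 * authentication methods may perform each step), S3 secret stability, and OM
 * certificate initialisation against the SCM CA.
 *
 * <p>Decompiled source: the setup/teardown and a few assertions were tightened
 * (initialisation failures now fail the test instead of being logged, each
 * component is torn down independently, expected/actual order in
 * {@code assertEquals} is conventional, the repeated RPC proxy construction is
 * shared by {@link #createOmClient}).
 */
@InterfaceAudience.Private
public final class TestSecureOzoneCluster {
    private static final String TEST_USER = "testUgiUser@EXAMPLE.COM";
    private static final String COMPONENT = "test";
    /** RPC client timeout, in milliseconds, used when building OM proxies. */
    private static final int CLIENT_TIMEOUT = 2000;
    private static final Logger LOG = LoggerFactory.getLogger(TestSecureOzoneCluster.class);
    private MiniKdc miniKdc;
    private OzoneConfiguration conf;
    private File workDir;
    private static Properties securityProperties;
    private File scmKeytab;
    private File spnegoKeytab;
    private File omKeyTab;
    private File testUserKeytab;
    private String curUser;
    private String testUserPrincipal;
    private UserGroupInformation testKerberosUgi;
    private StorageContainerManager scm;
    private OzoneManager om;
    private String host;
    // Shared across tests because validateCertificate() checks the cluster/SCM
    // ids chosen by initSCM(); they are regenerated for every SCM init.
    private static String clusterId;
    private static String scmId;
    private static String omId;
    private OzoneManagerProtocolClientSideTranslatorPB omClient;
    private KeyPair keyPair;
    private Path metaDirPath;

    @Rule
    public Timeout timeout = new Timeout(80000);

    @Rule
    public TemporaryFolder folder = new TemporaryFolder();
    // Fixed serial id written into OM storage by setupOm(); any value works for
    // the tests that use the test certificate client.
    private String omCertSerialId = "9879877970576";

    /**
     * Builds a secure configuration, starts the KDC, creates principals and
     * keytabs, and writes the component key pair.
     *
     * @throws IllegalStateException if any setup step fails. The cause is
     *     preserved so the failing step shows up in the report instead of an
     *     unrelated NPE later in the test body.
     */
    @Before
    public void init() {
        try {
            this.conf = new OzoneConfiguration();
            this.conf.set("ozone.scm.client.address", "localhost");
            DefaultMetricsSystem.setMiniClusterMode(true);
            this.metaDirPath = Paths.get(this.folder.newFolder().toString(), "om-meta");
            this.conf.set("ozone.metadata.dirs", this.metaDirPath.toString());
            this.conf.setBoolean("ozone.security.enabled", true);
            this.conf.set("hadoop.security.authentication", UserGroupInformation.AuthenticationMethod.KERBEROS.toString());
            startMiniKdc();
            setSecureConfig(this.conf);
            createCredentialsInKDC(this.conf, this.miniKdc);
            generateKeyPair(this.conf);
        } catch (Exception e) {
            LOG.error("Failed to initialize TestSecureOzoneCluster", e);
            throw new IllegalStateException("Failed to initialize TestSecureOzoneCluster", e);
        }
    }

    /**
     * Stops the KDC, SCM, OM and client. Each step is attempted independently
     * so that one failure cannot leave the remaining components running into
     * the next test.
     */
    @After
    public void stop() {
        stopQuietly(() -> {
            stopMiniKdc();
            return null;
        });
        if (this.scm != null) {
            stopQuietly(() -> {
                this.scm.stop();
                return null;
            });
        }
        if (this.om != null) {
            stopQuietly(() -> {
                this.om.stop();
                return null;
            });
        }
        if (this.omClient != null) {
            stopQuietly(() -> {
                this.omClient.close();
                return null;
            });
        }
    }

    /**
     * Runs one teardown step, logging rather than propagating its failure.
     *
     * @param action the step to run
     */
    private void stopQuietly(Callable<Void> action) {
        try {
            action.call();
        } catch (Exception e) {
            LOG.error("Failed to stop TestSecureOzoneCluster", e);
        }
    }

    /**
     * Registers the SCM, SCM HTTP (SPNEGO), test user and OM principals in the
     * KDC and writes their keytabs.
     *
     * @param configuration source of the principal names set by
     *     {@link #setSecureConfig}
     * @param miniKdc the running KDC (unused directly; principals go through
     *     {@link #createPrincipal})
     * @throws Exception if the KDC rejects a principal
     */
    private void createCredentialsInKDC(Configuration configuration, MiniKdc miniKdc) throws Exception {
        createPrincipal(this.scmKeytab, configuration.get("hdds.scm.kerberos.principal"));
        createPrincipal(this.spnegoKeytab, configuration.get("hdds.scm.http.kerberos.principal"));
        createPrincipal(this.testUserKeytab, this.testUserPrincipal);
        createPrincipal(this.omKeyTab, configuration.get("ozone.om.kerberos.principal"));
    }

    /**
     * Creates the given principals in the KDC and stores them in {@code file}.
     *
     * @param file keytab to write
     * @param strArr principal names
     * @throws Exception if the KDC fails to create a principal
     */
    private void createPrincipal(File file, String... strArr) throws Exception {
        this.miniKdc.createPrincipal(file, strArr);
    }

    /**
     * Starts a MiniKdc in a per-class test directory.
     *
     * @throws Exception if the KDC fails to start
     */
    private void startMiniKdc() throws Exception {
        this.workDir = GenericTestUtils.getTestDir(TestSecureOzoneCluster.class.getSimpleName());
        securityProperties = MiniKdc.createConf();
        this.miniKdc = new MiniKdc(securityProperties, this.workDir);
        this.miniKdc.start();
    }

    /** Stops the KDC if it was started. */
    private void stopMiniKdc() {
        if (this.miniKdc != null) {
            this.miniKdc.stop();
        }
    }

    /**
     * Sets Kerberos principals and keytab locations for SCM, OM and their HTTP
     * endpoints, all in the KDC realm on the local canonical hostname.
     *
     * @param configuration configuration to populate
     * @throws IOException if the local host name or current user cannot be
     *     resolved
     */
    private void setSecureConfig(Configuration configuration) throws IOException {
        configuration.setBoolean("ozone.security.enabled", true);
        configuration.setBoolean("ozone.enabled", true);
        // Locale.ROOT keeps the principal host part stable regardless of the
        // JVM's default locale (e.g. Turkish dotless i).
        this.host = InetAddress.getLocalHost().getCanonicalHostName().toLowerCase(Locale.ROOT);
        String realm = this.miniKdc.getRealm();
        this.curUser = UserGroupInformation.getCurrentUser().getUserName();
        configuration.set("hadoop.security.authentication", "kerberos");
        configuration.set("ozone.administrators", this.curUser);
        configuration.set("hdds.scm.kerberos.principal", "scm/" + this.host + "@" + realm);
        configuration.set("hdds.scm.http.kerberos.principal", "HTTP_SCM/" + this.host + "@" + realm);
        configuration.set("ozone.om.kerberos.principal", "om/" + this.host + "@" + realm);
        configuration.set("ozone.om.http.kerberos.principal", "HTTP_OM/" + this.host + "@" + realm);
        this.scmKeytab = new File(this.workDir, "scm.keytab");
        this.spnegoKeytab = new File(this.workDir, "http.keytab");
        this.omKeyTab = new File(this.workDir, "om.keytab");
        this.testUserKeytab = new File(this.workDir, "testuser.keytab");
        this.testUserPrincipal = "test@" + realm;
        configuration.set("hdds.scm.kerberos.keytab.file", this.scmKeytab.getAbsolutePath());
        configuration.set("hdds.scm.http.kerberos.keytab", this.spnegoKeytab.getAbsolutePath());
        configuration.set("ozone.om.kerberos.keytab.file", this.omKeyTab.getAbsolutePath());
        // Write to the parameter, not this.conf, so the method acts only on the
        // configuration it was handed.
        configuration.set("ozone.om.http.kerberos.keytab", this.spnegoKeytab.getAbsolutePath());
    }

    /** A secure SCM starts and reports the ids written by {@link #initSCM}. */
    @Test
    public void testSecureScmStartupSuccess() throws Exception {
        initSCM();
        this.scm = StorageContainerManager.createSCM(this.conf);
        ScmInfo scmInfo = this.scm.getClientProtocolServer().getScmInfo();
        Assert.assertEquals(clusterId, scmInfo.getClusterId());
        Assert.assertEquals(scmId, scmInfo.getScmId());
    }

    /**
     * A Kerberos-authenticated client can fetch the CA certificate from the SCM
     * security protocol, while a client using TOKEN authentication is refused
     * before any certificate is served.
     */
    @Test
    public void testSCMSecurityProtocol() throws Exception {
        initSCM();
        this.scm = StorageContainerManager.createSCM(this.conf);
        try {
            this.scm.start();
            UserGroupInformation kerberosUgi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(this.testUserPrincipal, this.testUserKeytab.getCanonicalPath());
            kerberosUgi.setAuthenticationMethod(UserGroupInformation.AuthenticationMethod.KERBEROS);
            SCMSecurityProtocol kerberosClient = HddsClientUtils.getScmSecurityClient(this.conf, kerberosUgi);
            TestCase.assertNotNull(kerberosClient);
            String cACertificate = kerberosClient.getCACertificate();
            // No certificate with serial "1" has been issued on a fresh SCM.
            LambdaTestUtils.intercept(RemoteException.class, "Certificate not found", () -> {
                return kerberosClient.getCertificate("1");
            });
            TestCase.assertNotNull(cACertificate);
            // The security protocol only accepts Kerberos; a TOKEN-only identity
            // must be rejected at the SASL layer.
            UserGroupInformation tokenUgi = UserGroupInformation.createRemoteUser(COMPONENT);
            tokenUgi.setAuthenticationMethod(SaslRpcServer.AuthMethod.TOKEN);
            SCMSecurityProtocol tokenClient = HddsClientUtils.getScmSecurityClient(this.conf, tokenUgi);
            LambdaTestUtils.intercept(IOException.class, "Client cannot authenticate via:[KERBEROS]", () -> {
                return tokenClient.getCACertificate();
            });
            LambdaTestUtils.intercept(IOException.class, "Client cannot authenticate via:[KERBEROS]", () -> {
                return tokenClient.getCertificate("1");
            });
        } finally {
            if (this.scm != null) {
                this.scm.stop();
            }
        }
    }

    /**
     * Picks fresh cluster/SCM/OM ids, points metadata at a new folder and
     * initialises SCM storage.
     *
     * @throws IOException if the metadata directory or storage cannot be created
     * @throws AuthenticationException declared for callers; not thrown here
     */
    private void initSCM() throws IOException, AuthenticationException {
        clusterId = UUID.randomUUID().toString();
        scmId = UUID.randomUUID().toString();
        omId = UUID.randomUUID().toString();
        Path path = Paths.get(this.folder.newFolder().toString(), "scm-meta");
        // Fail here rather than later with a confusing storage error if the
        // directory cannot be created.
        Files.createDirectories(path);
        this.conf.set("ozone.metadata.dirs", path.toString());
        this.conf.setBoolean("ozone.enabled", true);
        SCMStorageConfig sCMStorageConfig = new SCMStorageConfig(this.conf);
        sCMStorageConfig.setClusterId(clusterId);
        sCMStorageConfig.setScmId(scmId);
        sCMStorageConfig.initialize();
    }

    /**
     * SCM refuses to start in secure mode without a keytab, and fails login for
     * a principal whose keytab does not exist or an unsupported auth method.
     */
    @Test
    public void testSecureScmStartupFailure() throws Exception {
        initSCM();
        this.conf.set("hdds.scm.kerberos.keytab.file", "");
        this.conf.set("hadoop.security.authentication", "kerberos");
        LambdaTestUtils.intercept(IOException.class, "Running in secure mode, but config doesn't have a keytab", () -> {
            StorageContainerManager.createSCM(this.conf);
        });
        // A keytab path that is not expected to exist on the test host, so the
        // Kerberos login itself fails.
        this.conf.set("hdds.scm.kerberos.principal", "scm/_HOST@EXAMPLE.com");
        this.conf.set("hdds.scm.kerberos.keytab.file", "/etc/security/keytabs/scm.keytab");
        testCommonKerberosFailures(() -> {
            return StorageContainerManager.createSCM(this.conf);
        });
    }

    /**
     * Runs {@code callable} under three broken security settings and checks the
     * expected failure for each: missing keytab, an unknown authentication
     * method, and KERBEROS_SSL.
     *
     * @param callable component creation to exercise
     * @throws Exception if an interception fails
     */
    private void testCommonKerberosFailures(Callable<?> callable) throws Exception {
        LambdaTestUtils.intercept(KerberosAuthException.class, "failure to login: for principal:", callable);
        this.conf.set("hadoop.security.authentication", "OAuth2");
        LambdaTestUtils.intercept(IllegalArgumentException.class, "Invalid attribute value for hadoop.security.authentication of OAuth2", callable);
        this.conf.set("hadoop.security.authentication", "KERBEROS_SSL");
        LambdaTestUtils.intercept(AuthenticationException.class, "KERBEROS_SSL authentication method not", callable);
    }

    /** OM creation fails the same way as SCM when its principal cannot log in. */
    @Test
    public void testSecureOMInitializationFailure() throws Exception {
        initSCM();
        this.scm = StorageContainerManager.createSCM(this.conf);
        setupOm(this.conf);
        this.conf.set("ozone.om.kerberos.principal", "non-existent-user@EXAMPLE.com");
        testCommonKerberosFailures(() -> {
            return OzoneManager.createOm(this.conf);
        });
    }

    /**
     * OM login succeeds even if start() later fails for another reason; the
     * login message is only checked in that failure path, as in the original.
     */
    @Test
    public void testSecureOmInitializationSuccess() throws Exception {
        initSCM();
        this.scm = StorageContainerManager.createSCM(this.conf);
        GenericTestUtils.LogCapturer omLog = GenericTestUtils.LogCapturer.captureLogs(OzoneManager.LOG);
        GenericTestUtils.setLogLevel(OzoneManager.LOG, Level.INFO);
        setupOm(this.conf);
        try {
            this.om.start();
        } catch (Exception e) {
            Assert.assertTrue(omLog.getOutput().contains("Ozone Manager login successful"));
        }
    }

    /**
     * Builds an OM protocol client for {@code ugi} against {@code this.conf}.
     *
     * @param ugi identity the RPC connection authenticates as
     * @param rpcTimeout RPC timeout in milliseconds
     * @return a new client; the caller owns and closes it
     * @throws IOException if the proxy cannot be created
     */
    private OzoneManagerProtocolClientSideTranslatorPB createOmClient(UserGroupInformation ugi, int rpcTimeout) throws IOException {
        long protocolVersion = RPC.getProtocolVersion(OzoneManagerProtocolPB.class);
        OzoneManagerProtocolPB proxy = (OzoneManagerProtocolPB) RPC.getProxy(OzoneManagerProtocolPB.class, protocolVersion, OmUtils.getOmAddress(this.conf), ugi, this.conf, NetUtils.getDefaultSocketFactory(this.conf), rpcTimeout);
        return new OzoneManagerProtocolClientSideTranslatorPB(proxy, RandomStringUtils.randomAscii(5));
    }

    /**
     * Delegation-token lifecycle: a Kerberos user obtains and renews a token,
     * a TOKEN-authenticated user can call the OM with it but may not renew it
     * (INVALID_AUTH_METHOD), and once the Kerberos user cancels it, the token
     * user's connection is refused and a cancel attempt fails.
     */
    @Test
    public void testDelegationToken() throws Exception {
        GenericTestUtils.LogCapturer rpcAuditLog = GenericTestUtils.LogCapturer.captureLogs(Server.AUDITLOG);
        GenericTestUtils.LogCapturer omLog = GenericTestUtils.LogCapturer.captureLogs(OzoneManager.getLogger());
        GenericTestUtils.setLogLevel(LoggerFactory.getLogger(Server.class.getName()), Level.INFO);
        setupOm(this.conf);
        try {
            this.om.setCertClient(new CertificateClientTestImpl(this.conf));
            this.om.start();
            UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
            String userName = currentUser.getUserName();
            this.omClient = createOmClient(currentUser, CLIENT_TIMEOUT);
            // No RPC has been issued yet, so no auth entry is expected for this user.
            Assert.assertFalse(rpcAuditLog.getOutput().contains("Auth successful for " + userName + " (auth:KERBEROS)"));
            Token delegationToken = this.omClient.getDelegationToken(new Text("om"));
            Assert.assertTrue(this.omClient.renewDelegationToken(delegationToken) > 0);
            Assert.assertEquals("OzoneToken", delegationToken.getKind().toString());
            Assert.assertEquals(OmUtils.getOmRpcAddress(this.conf), delegationToken.getService().toString());
            this.omClient.close();
            // Switch to an identity that holds nothing but the delegation token.
            final UserGroupInformation tokenUser = UserGroupInformation.createRemoteUser(TEST_USER);
            tokenUser.addToken(delegationToken);
            tokenUser.setAuthenticationMethod(SaslRpcServer.AuthMethod.TOKEN);
            UserGroupInformation.setLoginUser(tokenUser);
            tokenUser.doAs((PrivilegedExceptionAction<Void>) () -> {
                this.omClient = createOmClient(tokenUser, CLIENT_TIMEOUT);
                return null;
            });
            Assert.assertFalse(rpcAuditLog.getOutput().contains("Auth successful for " + userName + " (auth:TOKEN)"));
            // Any RPC will do; the volume lookup fails but the connection
            // authenticates with the token.
            OzoneTestUtils.expectOmException(OMException.ResultCodes.VOLUME_NOT_FOUND, () -> {
                this.omClient.deleteVolume("vol1");
            });
            Assert.assertTrue(rpcAuditLog.getOutput().contains("Auth successful for " + userName + " (auth:TOKEN)"));
            omLog.clearOutput();
            // Renewal requires Kerberos authentication; a token holder is refused.
            LambdaTestUtils.intercept(OMException.class, "INVALID_AUTH_METHOD", () -> {
                try {
                    this.omClient.renewDelegationToken(delegationToken);
                } catch (OMException e) {
                    Assert.assertEquals(OMException.ResultCodes.INVALID_AUTH_METHOD, e.getResult());
                    throw e;
                }
            });
            Assert.assertTrue(rpcAuditLog.getOutput().contains("Auth successful for " + userName + " (auth:TOKEN)"));
            omLog.clearOutput();
            // Back to the Kerberos user to cancel the token.
            UserGroupInformation.setLoginUser(currentUser);
            this.omClient = createOmClient(currentUser, Client.getRpcTimeout(this.conf));
            this.omClient.cancelDelegationToken(delegationToken);
            this.omClient.close();
            // Fixed wait for the cancellation to take effect server-side; the
            // original test used the same delay.
            Thread.sleep(2000L);
            Assert.assertFalse(rpcAuditLog.getOutput().contains("Auth failed for"));
            // The cancelled token no longer authenticates; the cancel RPC fails
            // and the audit log records the refused connection.
            this.omClient = createOmClient(tokenUser, Client.getRpcTimeout(this.conf));
            LambdaTestUtils.intercept(OMException.class, "Cancel delegation token failed", () -> {
                try {
                    this.omClient.cancelDelegationToken(delegationToken);
                } catch (OMException e) {
                    Assert.assertEquals(OMException.ResultCodes.TOKEN_ERROR_OTHER, e.getResult());
                    throw e;
                }
            });
            Assert.assertTrue(rpcAuditLog.getOutput().contains("Auth failed for"));
        } finally {
            this.om.stop();
            this.om.join();
        }
    }

    /**
     * Generates the component key pair and writes it (overwriting any existing
     * key) via {@link KeyCodec}.
     *
     * @param ozoneConfiguration configuration for the security settings
     * @throws Exception if key generation or writing fails
     */
    private void generateKeyPair(OzoneConfiguration ozoneConfiguration) throws Exception {
        this.keyPair = new HDDSKeyGenerator(this.conf).generateKey();
        new KeyCodec(new SecurityConfig(ozoneConfiguration), COMPONENT).writeKey(this.keyPair, true);
    }

    /**
     * Token renewal edge cases with a 500 ms max lifetime: an expired token is
     * rejected (TOKEN_EXPIRED), a token whose renewer is not "om" cannot be
     * renewed, and a token whose identifier was tampered with (renewer and
     * max date changed) is not found in the server cache.
     */
    @Test
    public void testDelegationTokenRenewal() throws Exception {
        GenericTestUtils.setLogLevel(LoggerFactory.getLogger(Server.class.getName()), Level.INFO);
        GenericTestUtils.LogCapturer omLog = GenericTestUtils.LogCapturer.captureLogs(OzoneManager.getLogger());
        OzoneConfiguration ozoneConfiguration = new OzoneConfiguration(this.conf);
        ozoneConfiguration.setLong("ozone.manager.delegation.token.max-lifetime", 500L);
        setupOm(ozoneConfiguration);
        OzoneManager.setTestSecureOmFlag(true);
        try {
            this.om.setCertClient(new CertificateClientTestImpl(this.conf));
            this.om.start();
            this.omClient = createOmClient(UserGroupInformation.getCurrentUser(), CLIENT_TIMEOUT);
            Token delegationToken = this.omClient.getDelegationToken(new Text("om"));
            Assert.assertEquals("OzoneToken", delegationToken.getKind().toString());
            Assert.assertEquals(OmUtils.getOmRpcAddress(this.conf), delegationToken.getService().toString());
            Assert.assertTrue(this.omClient.renewDelegationToken(delegationToken) > 0);
            omLog.clearOutput();
            // Sleep past the configured max lifetime so the token expires.
            Thread.sleep(500L);
            LambdaTestUtils.intercept(OMException.class, "TOKEN_EXPIRED", () -> {
                try {
                    this.omClient.renewDelegationToken(delegationToken);
                } catch (OMException e) {
                    Assert.assertEquals(OMException.ResultCodes.TOKEN_EXPIRED, e.getResult());
                    throw e;
                }
            });
            omLog.clearOutput();
            // Renewer mismatch: the token names "randomService" as renewer.
            Token otherRenewerToken = this.omClient.getDelegationToken(new Text("randomService"));
            LambdaTestUtils.intercept(OMException.class, "Delegation token renewal failed", () -> {
                return Long.valueOf(this.omClient.renewDelegationToken(otherRenewerToken));
            });
            Assert.assertTrue(omLog.getOutput().contains(" with non-matching renewer randomService"));
            omLog.clearOutput();
            // Forge an identifier with a valid renewer and far-future max date but
            // the password of a different token; the server must not find it.
            OzoneTokenIdentifier tamperedId = OzoneTokenIdentifier.readProtoBuf(delegationToken.getIdentifier());
            tamperedId.setRenewer(new Text("om"));
            tamperedId.setMaxDate(System.currentTimeMillis() * 2);
            Token tamperedToken = new Token(tamperedId.getBytes(), otherRenewerToken.getPassword(), otherRenewerToken.getKind(), otherRenewerToken.getService());
            LambdaTestUtils.intercept(OMException.class, "Delegation token renewal failed", () -> {
                return Long.valueOf(this.omClient.renewDelegationToken(tamperedToken));
            });
            Assert.assertTrue(omLog.getOutput().contains("can't be found in cache"));
            omLog.clearOutput();
        } finally {
            this.om.stop();
            this.om.join();
        }
    }

    /**
     * Initialises OM storage with fixed test ids and creates (but does not
     * start) the OM in test-secure mode.
     *
     * @param ozoneConfiguration configuration for the OM
     * @throws Exception if storage initialisation or OM creation fails
     */
    private void setupOm(OzoneConfiguration ozoneConfiguration) throws Exception {
        OMStorage oMStorage = new OMStorage(ozoneConfiguration);
        oMStorage.setClusterId("testClusterId");
        oMStorage.setScmId("testScmId");
        oMStorage.setOmCertSerialId(this.omCertSerialId);
        oMStorage.initialize();
        OzoneManager.setTestSecureOmFlag(true);
        this.om = OzoneManager.createOm(ozoneConfiguration);
    }

    /** Repeated S3 secret requests for the same principal return the same credential. */
    @Test
    public void testGetS3Secret() throws Exception {
        setupOm(this.conf);
        try {
            this.om.setCertClient(new CertificateClientTestImpl(this.conf));
            this.om.start();
            this.omClient = createOmClient(UserGroupInformation.getCurrentUser(), CLIENT_TIMEOUT);
            S3SecretValue s3Secret = this.omClient.getS3Secret("HADOOP/JOHNDOE");
            S3SecretValue s3Secret2 = this.omClient.getS3Secret("HADOOP/JOHNDOE");
            Assert.assertEquals(s3Secret.getAwsSecret(), s3Secret2.getAwsSecret());
            Assert.assertEquals(s3Secret.getAwsAccessKey(), s3Secret2.getAwsAccessKey());
        } finally {
            if (this.om != null) {
                this.om.stop();
            }
        }
    }

    /**
     * An OM first created with security disabled has no certificate client;
     * re-running {@code omInit} with security enabled obtains and stores an
     * SCM-signed certificate.
     */
    @Test
    public void testSecureOmReInit() throws Exception {
        GenericTestUtils.LogCapturer omLog = GenericTestUtils.LogCapturer.captureLogs(OzoneManager.getLogger());
        omLog.clearOutput();
        // OM reuses the SCM principal/keytab here so the certificate subject
        // matches what validateCertificate() expects.
        this.conf.set("ozone.om.kerberos.principal", "scm/" + this.host + "@" + this.miniKdc.getRealm());
        this.omKeyTab = new File(this.workDir, "scm.keytab");
        this.conf.set("ozone.om.kerberos.keytab.file", this.omKeyTab.getAbsolutePath());
        initSCM();
        try {
            this.scm = StorageContainerManager.createSCM(this.conf);
            this.scm.start();
            this.conf.setBoolean("ozone.security.enabled", false);
            initializeOmStorage(new OMStorage(this.conf));
            OzoneManager.setTestSecureOmFlag(true);
            this.om = OzoneManager.createOm(this.conf);
            Assert.assertNull(this.om.getCertificateClient());
            Assert.assertFalse(omLog.getOutput().contains("Init response: GETCERT"));
            Assert.assertFalse(omLog.getOutput().contains("Successfully stored SCM signed certificate"));
            this.conf.setBoolean("ozone.security.enabled", true);
            OzoneManager.omInit(this.conf);
            this.om.stop();
            this.om = OzoneManager.createOm(this.conf);
            Assert.assertNotNull(this.om.getCertificateClient());
            Assert.assertNotNull(this.om.getCertificateClient().getPublicKey());
            Assert.assertNotNull(this.om.getCertificateClient().getPrivateKey());
            Assert.assertNotNull(this.om.getCertificateClient().getCertificate());
            Assert.assertTrue(omLog.getOutput().contains("Init response: GETCERT"));
            Assert.assertTrue(omLog.getOutput().contains("Successfully stored SCM signed certificate"));
            validateCertificate(this.om.getCertificateClient().getCertificate());
        } finally {
            if (this.scm != null) {
                this.scm.stop();
            }
        }
    }

    /**
     * A freshly initialised secure OM obtains an SCM-signed certificate and can
     * fetch the SCM CA certificate by serial number.
     */
    @Test
    public void testSecureOmInitSuccess() throws Exception {
        GenericTestUtils.LogCapturer omLog = GenericTestUtils.LogCapturer.captureLogs(OzoneManager.getLogger());
        omLog.clearOutput();
        initSCM();
        try {
            this.scm = StorageContainerManager.createSCM(this.conf);
            this.scm.start();
            initializeOmStorage(new OMStorage(this.conf));
            OzoneManager.setTestSecureOmFlag(true);
            this.om = OzoneManager.createOm(this.conf);
            Assert.assertNotNull(this.om.getCertificateClient());
            Assert.assertNotNull(this.om.getCertificateClient().getPublicKey());
            Assert.assertNotNull(this.om.getCertificateClient().getPrivateKey());
            Assert.assertNotNull(this.om.getCertificateClient().getCertificate());
            Assert.assertTrue(omLog.getOutput().contains("Init response: GETCERT"));
            Assert.assertTrue(omLog.getOutput().contains("Successfully stored SCM signed certificate"));
            validateCertificate(this.om.getCertificateClient().getCertificate());
            X509Certificate caCert = CertificateCodec.getX509Cert(this.scm.getSecurityProtocolServer().getCACertificate());
            Assert.assertEquals(caCert, this.om.getCertificateClient().getCertificate(caCert.getSerialNumber().toString()));
        } finally {
            if (this.scm != null) {
                this.scm.stop();
            }
            if (this.om != null) {
                this.om.stop();
            }
        }
    }

    /**
     * Checks an OM certificate issued by the test SCM: issuer CN is
     * {@code scm@<hostname>}, validity ends between 1 and 400 days from today,
     * subject and issuer carry the SCM and cluster ids, and the certificate's
     * public key matches the OM certificate client's key.
     *
     * @param x509Certificate certificate to validate
     * @throws Exception if the host name cannot be resolved
     */
    public void validateCertificate(X509Certificate x509Certificate) throws Exception {
        RDN rdn = new JcaX509CertificateHolder(x509Certificate).getIssuer().getRDNs(BCStyle.CN)[0];
        String expectedIssuerCn = "scm@" + InetAddress.getLocalHost().getHostName();
        Assert.assertEquals(expectedIssuerCn, rdn.getFirst().getValue().toString());
        LocalDate today = LocalDateTime.now().toLocalDate();
        Assert.assertTrue(x509Certificate.getNotAfter().after(Date.valueOf(today.plus(1L, (TemporalUnit) ChronoUnit.DAYS))));
        Assert.assertTrue(x509Certificate.getNotAfter().before(Date.valueOf(today.plus(400L, (TemporalUnit) ChronoUnit.DAYS))));
        Assert.assertTrue(x509Certificate.getSubjectDN().toString().contains(scmId));
        Assert.assertTrue(x509Certificate.getSubjectDN().toString().contains(clusterId));
        Assert.assertTrue(x509Certificate.getIssuerDN().toString().contains(expectedIssuerCn));
        Assert.assertTrue(x509Certificate.getIssuerDN().toString().contains(scmId));
        Assert.assertTrue(x509Certificate.getIssuerDN().toString().contains(clusterId));
        Assert.assertEquals(x509Certificate.getPublicKey().toString(), this.om.getCertificateClient().getPublicKey().toString());
    }

    /**
     * Initialises OM storage with the ids chosen by {@link #initSCM}, running
     * the security bootstrap first when security is enabled. A no-op if the
     * storage is already initialised.
     *
     * @param oMStorage storage to initialise
     * @throws IOException if initialisation fails
     */
    private void initializeOmStorage(OMStorage oMStorage) throws IOException {
        if (oMStorage.getState() == Storage.StorageState.INITIALIZED) {
            return;
        }
        oMStorage.setClusterId(clusterId);
        oMStorage.setScmId(scmId);
        oMStorage.setOmId(omId);
        if (OzoneSecurityUtil.isSecurityEnabled(this.conf)) {
            OzoneManager.initializeSecurity(this.conf, oMStorage);
        }
        oMStorage.initialize();
    }
}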
