package org.apache.hadoop.ozone.security.acl;

import com.google.common.base.Optional;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.stream.Collectors;
import org.apache.commons.lang3.RandomUtils;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.hdds.protocol.proto.HddsProtos;
import org.apache.hadoop.hdds.scm.protocol.ScmBlockLocationProtocol;
import org.apache.hadoop.hdds.utils.db.cache.CacheKey;
import org.apache.hadoop.hdds.utils.db.cache.CacheValue;
import org.apache.hadoop.ozone.OzoneAcl;
import org.apache.hadoop.ozone.om.BucketManagerImpl;
import org.apache.hadoop.ozone.om.IOzoneAcl;
import org.apache.hadoop.ozone.om.KeyManagerImpl;
import org.apache.hadoop.ozone.om.OMMetadataManager;
import org.apache.hadoop.ozone.om.OmMetadataManagerImpl;
import org.apache.hadoop.ozone.om.PrefixManager;
import org.apache.hadoop.ozone.om.PrefixManagerImpl;
import org.apache.hadoop.ozone.om.VolumeManagerImpl;
import org.apache.hadoop.ozone.om.exceptions.OMException;
import org.apache.hadoop.ozone.om.helpers.OmBucketInfo;
import org.apache.hadoop.ozone.om.helpers.OmKeyArgs;
import org.apache.hadoop.ozone.om.helpers.OmVolumeArgs;
import org.apache.hadoop.ozone.om.helpers.OpenKeySession;
import org.apache.hadoop.ozone.om.helpers.OzoneAclUtil;
import org.apache.hadoop.ozone.om.request.TestOMRequestUtils;
import org.apache.hadoop.ozone.security.OzoneBlockTokenSecretManager;
import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer;
import org.apache.hadoop.ozone.security.acl.OzoneObj;
import org.apache.hadoop.ozone.security.acl.OzoneObjInfo;
import org.apache.hadoop.ozone.security.acl.RequestContext;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.test.GenericTestUtils;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.Parameterized;
import org.mockito.Mockito;

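/**
 * Parameterized test for {@link OzoneNativeAuthorizer}.
 *
 * <p>Each parameter row builds a fresh volume, bucket and key (or directory)
 * owned by the current user. The individual tests then replace the ACL list
 * on the object under test, one {@link IAccessAuthorizer.ACLType} at a time,
 * and verify that {@code checkAccess} grants exactly the rights that are
 * present in that list and nothing else.
 *
 * <p>The row's {@code parentDirUserAcl}/{@code parentDirGroupAcl} are the
 * rights placed on the parent volume and bucket; {@code expectedAclResult}
 * is whether access to the child object is then expected to be granted.
 *
 * <p>Note: the volume/bucket/key objects are held in static fields that every
 * constructor call overwrites, so a row's tests must run directly after that
 * row is constructed (which is how the Parameterized runner schedules them).
 */
@RunWith(Parameterized.class)
public class TestOzoneNativeAuthorizer {
    private static OzoneConfiguration ozConfig;
    private String vol;
    private String buck;
    private String key;
    private String prefix;
    // rights granted to the current user / its primary group on the parent volume and bucket
    private IAccessAuthorizer.ACLType parentDirUserAcl;
    private IAccessAuthorizer.ACLType parentDirGroupAcl;
    // whether checkAccess on the child object is expected to succeed for this row
    private boolean expectedAclResult;
    private static KeyManagerImpl keyManager;
    private static VolumeManagerImpl volumeManager;
    private static BucketManagerImpl bucketManager;
    private static PrefixManager prefixManager;
    private static OMMetadataManager metadataManager;
    private static OzoneNativeAuthorizer nativeAuthorizer;
    private static UserGroupInformation ugi;
    private static OzoneObj volObj;
    private static OzoneObj buckObj;
    private static OzoneObj keyObj;
    private static OzoneObj prefixObj;
    // id of the open-key session used to commit the test key (recorded, never asserted on)
    private static long keySessionId;

    /**
     * Parameter rows: key name, prefix, user right on the parents, group right on the
     * parents, expected outcome of checkAccess on the child.
     *
     * <p>A key name containing '/' is created as a directory instead of a file.
     */
    @Parameterized.Parameters
    public static Collection<Object[]> data() {
        final IAccessAuthorizer.ACLType all = IAccessAuthorizer.ACLType.ALL;
        final IAccessAuthorizer.ACLType none = IAccessAuthorizer.ACLType.NONE;
        return Arrays.asList(new Object[][]{
            {"key", "dir1/", all, all, true},
            {"file1", "2019/june/01/", all, all, true},
            {"file2", "", all, all, true},
            {"dir1/dir2/dir4/", "", all, all, true},
            {"key", "dir1/", none, none, false},
            {"file1", "2019/june/01/", none, none, false},
            {"file2", "", none, none, false},
            {"dir1/dir2/dir4/", "", none, none, false}
        });
    }

    /**
     * Creates the volume, bucket and key for one parameter row.
     *
     * @param keyName        key (or directory) name; a random suffix is appended
     * @param prefixName     prefix path; a random suffix and trailing '/' are appended
     * @param userAcl        right granted to the user on the parent volume/bucket
     * @param groupAcl       right granted to the group on the parent volume/bucket
     * @param expectedResult expected outcome of checkAccess on the child object
     * @throws IOException if the OM objects cannot be created
     */
    public TestOzoneNativeAuthorizer(String keyName, String prefixName,
            IAccessAuthorizer.ACLType userAcl, IAccessAuthorizer.ACLType groupAcl,
            boolean expectedResult) throws IOException {
        // random suffix keeps each row's objects distinct in the shared metadata manager
        int suffix = RandomUtils.nextInt();
        this.vol = "vol" + suffix;
        this.buck = "bucket" + suffix;
        this.key = keyName + suffix;
        this.prefix = prefixName + suffix + "/";
        this.parentDirUserAcl = userAcl;
        this.parentDirGroupAcl = groupAcl;
        this.expectedAclResult = expectedResult;
        createVolume(vol);
        createBucket(vol, buck);
        createKey(vol, buck, key);
    }

    /**
     * Builds the OM managers and the authorizer under test once for the whole class.
     *
     * <p>"ozone.administrators" is set to "*", i.e. every principal is an OM admin
     * for this test; keep that in mind when reading the expected results
     * (NOTE(review): whether the authorizer short-circuits on admin is not visible
     * here -- confirm against OzoneNativeAuthorizer).
     *
     * @throws Exception if the metadata manager cannot be initialised
     */
    @BeforeClass
    public static void setup() throws Exception {
        ozConfig = new OzoneConfiguration();
        ozConfig.set("ozone.acl.authorizer.class",
            "org.apache.hadoop.ozone.security.acl.OzoneNativeAuthorizer");
        ozConfig.set("ozone.metadata.dirs", GenericTestUtils.getRandomizedTestDir().toString());
        ozConfig.set("ozone.administrators", "*");
        metadataManager = new OmMetadataManagerImpl(ozConfig);
        volumeManager = new VolumeManagerImpl(metadataManager, ozConfig);
        bucketManager = new BucketManagerImpl(metadataManager);
        prefixManager = new PrefixManagerImpl(metadataManager, false);
        // SCM is mocked: no real block allocation happens for the test key
        keyManager = new KeyManagerImpl(Mockito.mock(ScmBlockLocationProtocol.class),
            metadataManager, ozConfig, "om1", null);
        nativeAuthorizer = new OzoneNativeAuthorizer(volumeManager, bucketManager,
            keyManager, prefixManager);
        ugi = UserGroupInformation.getCurrentUser();
    }

    /**
     * Creates the test key owned by the current user with ALL rights for user and group.
     * A name with path separators is created as a directory (and {@code key} gets a
     * trailing '/'); otherwise a zero-length file is created and committed.
     */
    private void createKey(String volumeName, String bucketName, String keyName)
            throws IOException {
        OmKeyArgs keyArgs = new OmKeyArgs.Builder()
            .setVolumeName(volumeName)
            .setBucketName(bucketName)
            .setKeyName(keyName)
            .setFactor(HddsProtos.ReplicationFactor.ONE)
            .setDataSize(0L)
            .setType(HddsProtos.ReplicationType.STAND_ALONE)
            .setAcls(OzoneAclUtil.getAclList(ugi.getUserName(), ugi.getGroups(),
                IAccessAuthorizer.ACLType.ALL, IAccessAuthorizer.ACLType.ALL))
            .build();
        if (keyName.split("/").length > 1) {
            keyManager.createDirectory(keyArgs);
            this.key += "/";
        } else {
            OpenKeySession session = keyManager.createFile(keyArgs, true, false);
            keyArgs.setLocationInfoList(
                session.getKeyInfo().getLatestVersionLocations().getLocationList());
            keyManager.commitKey(keyArgs, session.getId());
            keySessionId = session.getId();
        }
        keyObj = new OzoneObjInfo.Builder()
            .setVolumeName(vol)
            .setBucketName(buck)
            .setKeyName(key)
            .setResType(OzoneObj.ResourceType.KEY)
            .setStoreType(OzoneObj.StoreType.OZONE)
            .build();
    }

    /** Adds the bucket straight to the OM tables and records its OzoneObj. */
    private void createBucket(String volumeName, String bucketName) throws IOException {
        TestOMRequestUtils.addBucketToOM(metadataManager,
            OmBucketInfo.newBuilder().setVolumeName(volumeName).setBucketName(bucketName).build());
        buckObj = new OzoneObjInfo.Builder()
            .setVolumeName(vol)
            .setBucketName(buck)
            .setResType(OzoneObj.ResourceType.BUCKET)
            .setStoreType(OzoneObj.StoreType.OZONE)
            .build();
    }

    /** Adds the volume (admin and owner "bilbo") straight to the OM tables and records its OzoneObj. */
    private void createVolume(String volumeName) throws IOException {
        TestOMRequestUtils.addVolumeToOM(metadataManager,
            OmVolumeArgs.newBuilder().setVolume(volumeName).setAdminName("bilbo").setOwnerName("bilbo").build());
        volObj = new OzoneObjInfo.Builder()
            .setVolumeName(vol)
            .setResType(OzoneObj.ResourceType.VOLUME)
            .setStoreType(OzoneObj.StoreType.OZONE)
            .build();
    }

    @Test
    public void testCheckAccessForVolume() throws Exception {
        // a volume has no parent, so the row's parent-directory expectation does not
        // apply; access is expected to follow the volume's own ACL
        expectedAclResult = true;
        resetAclsAndValidateAccess(volObj, IAccessAuthorizer.ACLIdentityType.USER, volumeManager);
        resetAclsAndValidateAccess(volObj, IAccessAuthorizer.ACLIdentityType.GROUP, volumeManager);
        resetAclsAndValidateAccess(volObj, IAccessAuthorizer.ACLIdentityType.WORLD, volumeManager);
        resetAclsAndValidateAccess(volObj, IAccessAuthorizer.ACLIdentityType.ANONYMOUS, volumeManager);
    }

    @Test
    public void testCheckAccessForBucket() throws Exception {
        setVolumeAcl(parentAcls());
        resetAclsAndValidateAccess(buckObj, IAccessAuthorizer.ACLIdentityType.USER, bucketManager);
        resetAclsAndValidateAccess(buckObj, IAccessAuthorizer.ACLIdentityType.GROUP, bucketManager);
        resetAclsAndValidateAccess(buckObj, IAccessAuthorizer.ACLIdentityType.WORLD, bucketManager);
        resetAclsAndValidateAccess(buckObj, IAccessAuthorizer.ACLIdentityType.ANONYMOUS, bucketManager);
    }

    @Test
    public void testCheckAccessForKey() throws Exception {
        List<OzoneAcl> parents = parentAcls();
        setVolumeAcl(parents);
        setBucketAcl(parents);
        resetAclsAndValidateAccess(keyObj, IAccessAuthorizer.ACLIdentityType.USER, keyManager);
        resetAclsAndValidateAccess(keyObj, IAccessAuthorizer.ACLIdentityType.GROUP, keyManager);
        resetAclsAndValidateAccess(keyObj, IAccessAuthorizer.ACLIdentityType.WORLD, keyManager);
        resetAclsAndValidateAccess(keyObj, IAccessAuthorizer.ACLIdentityType.ANONYMOUS, keyManager);
    }

    @Test
    public void testCheckAccessForPrefix() throws Exception {
        prefixObj = new OzoneObjInfo.Builder()
            .setVolumeName(vol)
            .setBucketName(buck)
            .setPrefixName(prefix)
            .setResType(OzoneObj.ResourceType.PREFIX)
            .setStoreType(OzoneObj.StoreType.OZONE)
            .build();
        List<OzoneAcl> parents = parentAcls();
        setVolumeAcl(parents);
        setBucketAcl(parents);
        resetAclsAndValidateAccess(prefixObj, IAccessAuthorizer.ACLIdentityType.USER, prefixManager);
        resetAclsAndValidateAccess(prefixObj, IAccessAuthorizer.ACLIdentityType.GROUP, prefixManager);
        resetAclsAndValidateAccess(prefixObj, IAccessAuthorizer.ACLIdentityType.WORLD, prefixManager);
        resetAclsAndValidateAccess(prefixObj, IAccessAuthorizer.ACLIdentityType.ANONYMOUS, prefixManager);
    }

    /**
     * The two ACL entries this row places on the parent volume/bucket: the current
     * user with {@code parentDirUserAcl} and its primary group with {@code parentDirGroupAcl}.
     */
    private List<OzoneAcl> parentAcls() {
        OzoneAcl userAcl = new OzoneAcl(IAccessAuthorizer.ACLIdentityType.USER,
            ugi.getUserName(), parentDirUserAcl, OzoneAcl.AclScope.ACCESS);
        OzoneAcl groupAcl = new OzoneAcl(IAccessAuthorizer.ACLIdentityType.GROUP,
            primaryGroup(), parentDirGroupAcl, OzoneAcl.AclScope.ACCESS);
        return Arrays.asList(userAcl, groupAcl);
    }

    /** Name of the current user's first group, or "" when the user has no groups. */
    private static String primaryGroup() {
        List<String> groups = ugi.getGroups();
        return groups.isEmpty() ? "" : groups.get(0);
    }

    private static String volumeKey() {
        return metadataManager.getVolumeKey(volObj.getVolumeName());
    }

    private String bucketKey() {
        return metadataManager.getBucketKey(vol, buck);
    }

    /**
     * Volume and bucket ACLs are written directly into the metadata-manager table
     * cache (epoch 1, a constructed value) rather than through the managers' ACL
     * API, so the authorizer reads them from the cache on its next lookup.
     */
    private static void storeVolume(OmVolumeArgs volumeArgs) {
        metadataManager.getVolumeTable().addCacheEntry(new CacheKey<>(volumeKey()),
            new CacheValue<>(Optional.of(volumeArgs), 1L));
    }

    private void storeBucket(OmBucketInfo bucketInfo) {
        metadataManager.getBucketTable().addCacheEntry(new CacheKey<>(bucketKey()),
            new CacheValue<>(Optional.of(bucketInfo), 1L));
    }

    /** Replaces the volume's ACL list. */
    private void setVolumeAcl(List<OzoneAcl> acls) throws IOException {
        OmVolumeArgs volumeArgs = metadataManager.getVolumeTable().get(volumeKey());
        volumeArgs.setAcls(acls);
        storeVolume(volumeArgs);
    }

    /** Replaces the bucket's ACL list. */
    private void setBucketAcl(List<OzoneAcl> acls) throws IOException {
        OmBucketInfo bucketInfo = metadataManager.getBucketTable().get(bucketKey());
        bucketInfo.setAcls(acls);
        storeBucket(bucketInfo);
    }

    /** Appends one entry to the volume's ACL list. */
    private void addVolumeAcl(OzoneAcl acl) throws IOException {
        OmVolumeArgs volumeArgs = metadataManager.getVolumeTable().get(volumeKey());
        volumeArgs.addAcl(acl);
        storeVolume(volumeArgs);
    }

    /** Appends one entry to the bucket's ACL list. */
    private void addBucketAcl(OzoneAcl acl) throws IOException {
        OmBucketInfo bucketInfo = metadataManager.getBucketTable().get(bucketKey());
        bucketInfo.addAcl(acl);
        storeBucket(bucketInfo);
    }

    /** Replaces the object's ACL list with the single given entry. */
    private void replaceAcl(OzoneObj obj, IOzoneAcl aclManager, OzoneAcl acl) throws IOException {
        switch (obj.getResourceType()) {
            case VOLUME:
                setVolumeAcl(Collections.singletonList(acl));
                break;
            case BUCKET:
                setBucketAcl(Collections.singletonList(acl));
                break;
            default:
                aclManager.setAcl(obj, Collections.singletonList(acl));
        }
    }

    /** Appends one entry to the object's ACL list. */
    private void appendAcl(OzoneObj obj, IOzoneAcl aclManager, OzoneAcl acl) throws IOException {
        switch (obj.getResourceType()) {
            case VOLUME:
                addVolumeAcl(acl);
                break;
            case BUCKET:
                addBucketAcl(acl);
                break;
            default:
                aclManager.addAcl(obj, acl);
        }
    }

    /** All ACL types in declaration order, minus the excluded ones; the list is mutable. */
    private static List<IAccessAuthorizer.ACLType> aclTypesExcept(IAccessAuthorizer.ACLType... excluded) {
        List<IAccessAuthorizer.ACLType> types =
            new ArrayList<>(Arrays.asList(IAccessAuthorizer.ACLType.values()));
        types.removeAll(Arrays.asList(excluded));
        return types;
    }

    /** True when any entry in {@code acls} grants {@code right}. */
    private static boolean anyAclGrants(List<OzoneAcl> acls, IAccessAuthorizer.ACLType right) {
        return acls.stream().anyMatch(acl -> acl.getAclList().contains(right));
    }

    /**
     * For every ACL type: set it as the object's only ACL entry for {@code identityType},
     * then check that the authorizer grants it (or, for ALL/NONE, everything/nothing).
     * For each single right it additionally adds one further right for a randomly
     * chosen identity type and checks that exactly those two rights are granted.
     *
     * <p>The random identity choice makes a failing run hard to reproduce; the
     * chosen type is included in the assertion messages for that reason.
     */
    private void resetAclsAndValidateAccess(OzoneObj obj,
            IAccessAuthorizer.ACLIdentityType identityType, IOzoneAcl aclManager)
            throws IOException {
        String userName = ugi.getUserName();
        String groupName = primaryGroup();
        // name shown in assertion messages: user name for USER, group name otherwise
        String identityName =
            identityType == IAccessAuthorizer.ACLIdentityType.USER ? userName : groupName;
        RequestContext.Builder context =
            new RequestContext.Builder().setClientUgi(ugi).setAclType(identityType);

        for (IAccessAuthorizer.ACLType aclRight : IAccessAuthorizer.ACLType.values()) {
            OzoneAcl acl = new OzoneAcl(identityType, getAclName(identityType), aclRight,
                OzoneAcl.AclScope.ACCESS);
            replaceAcl(obj, aclManager, acl);
            List<OzoneAcl> acls = aclManager.getAcl(obj);
            Assert.assertEquals(1, acls.size());
            Assert.assertTrue(acls.contains(acl));

            if (aclRight.equals(IAccessAuthorizer.ACLType.ALL)) {
                validateAll(obj, context);
            } else if (aclRight.equals(IAccessAuthorizer.ACLType.NONE)) {
                validateNone(obj, context);
            } else {
                Assert.assertEquals("Acl to check:" + aclRight + " accessType:" + identityType
                        + " path:" + obj.getPath(),
                    expectedAclResult,
                    nativeAuthorizer.checkAccess(obj, context.setAclRights(aclRight).build()));

                // rights that must stay denied while only aclRight (plus one extra) is granted
                List<IAccessAuthorizer.ACLType> mustBeDenied = aclTypesExcept(
                    IAccessAuthorizer.ACLType.NONE, IAccessAuthorizer.ACLType.WRITE, aclRight);
                // rights added one at a time on top of aclRight
                List<IAccessAuthorizer.ACLType> extraRights = aclTypesExcept(
                    IAccessAuthorizer.ACLType.NONE, IAccessAuthorizer.ACLType.ALL,
                    IAccessAuthorizer.ACLType.CREATE, IAccessAuthorizer.ACLType.WRITE);

                for (IAccessAuthorizer.ACLType extraRight : extraRights) {
                    if (extraRight.equals(aclRight)) {
                        continue;
                    }
                    String currentRights = aclManager.getAcl(obj).stream()
                        .map(OzoneAcl::getAclList)
                        .collect(Collectors.toList())
                        .toString();
                    Assert.assertFalse("Did not expect client to have " + extraRight
                            + " acl. Current acls found:" + currentRights + ". Type:" + identityType
                            + ", name:" + identityName,
                        nativeAuthorizer.checkAccess(obj, context.setAclRights(extraRight).build()));

                    // the extra right goes to one of the first three identity types, chosen at random
                    IAccessAuthorizer.ACLIdentityType extraIdentity =
                        IAccessAuthorizer.ACLIdentityType.values()[RandomUtils.nextInt(0, 3)];
                    OzoneAcl extraAcl = new OzoneAcl(extraIdentity, getAclName(extraIdentity),
                        extraRight, OzoneAcl.AclScope.ACCESS);
                    appendAcl(obj, aclManager, extraAcl);

                    List<OzoneAcl> currentAcls = aclManager.getAcl(obj);
                    boolean hasExtra = anyAclGrants(currentAcls, extraRight);
                    boolean hasOriginal = anyAclGrants(currentAcls, aclRight);
                    Assert.assertTrue("Current acls :" + currentAcls + ". Type:" + identityType
                        + ", name:" + identityName + " acl:" + extraRight, hasExtra);
                    Assert.assertTrue("Expected client to have " + aclRight
                        + " acl. Current acls found:" + currentAcls + ". Type:" + identityType
                        + ", name:" + identityName, hasOriginal);
                    Assert.assertEquals("Current acls " + currentAcls + ". Expect acl:" + extraRight
                            + " to be set? " + expectedAclResult + " accessType:" + identityType,
                        expectedAclResult,
                        nativeAuthorizer.checkAccess(obj, context.setAclRights(extraRight).build()));

                    // everything except the two granted rights (and CREATE) must still be denied
                    mustBeDenied.remove(extraRight);
                    for (IAccessAuthorizer.ACLType other : mustBeDenied) {
                        if (!other.equals(aclRight) && !other.equals(extraRight)
                                && !other.equals(IAccessAuthorizer.ACLType.CREATE)) {
                            Assert.assertFalse("User shouldn't have right " + other
                                    + ". Current acl rights for user:" + aclRight + "," + extraRight,
                                nativeAuthorizer.checkAccess(obj, context.setAclRights(other).build()));
                        }
                    }
                }
            }
        }
    }

    /**
     * ACL entry name for an identity type: the user name for USER, the primary group
     * for GROUP, and "" for every other type (WORLD/ANONYMOUS carry no name).
     */
    private String getAclName(IAccessAuthorizer.ACLIdentityType identityType) {
        switch (identityType) {
            case USER:
                return ugi.getUserName();
            case GROUP:
                return primaryGroup();
            default:
                return "";
        }
    }

    /** With ALL set, every concrete right must match {@code expectedAclResult}. */
    private void validateAll(OzoneObj obj, RequestContext.Builder context) throws OMException {
        for (IAccessAuthorizer.ACLType right : aclTypesExcept(
                IAccessAuthorizer.ACLType.ALL, IAccessAuthorizer.ACLType.NONE)) {
            Assert.assertEquals("User should have right " + right + ".",
                expectedAclResult,
                nativeAuthorizer.checkAccess(obj, context.setAclRights(right).build()));
        }
    }

    /** With NONE set, every right other than CREATE and WRITE must be denied. */
    private void validateNone(OzoneObj obj, RequestContext.Builder context) throws OMException {
        for (IAccessAuthorizer.ACLType right : aclTypesExcept(
                IAccessAuthorizer.ACLType.NONE, IAccessAuthorizer.ACLType.CREATE,
                IAccessAuthorizer.ACLType.WRITE)) {
            Assert.assertFalse("User shouldn't have right " + right + ".",
                nativeAuthorizer.checkAccess(obj, context.setAclRights(right).build()));
        }
    }
}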
