package org.apache.hadoop.yarn.server.resourcemanager.security;

import java.io.IOException;
import java.lang.annotation.Annotation;
import java.lang.reflect.UndeclaredThrowableException;
import java.net.InetSocketAddress;
import java.security.PrivilegedExceptionAction;
import junit.framework.Assert;
import org.apache.commons.codec.binary.Base64;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.ipc.RPC;
import org.apache.hadoop.net.NetUtils;
import org.apache.hadoop.security.KerberosInfo;
import org.apache.hadoop.security.SecurityInfo;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;
import org.apache.hadoop.security.token.TokenInfo;
import org.apache.hadoop.security.token.TokenSelector;
import org.apache.hadoop.yarn.YarnException;
import org.apache.hadoop.yarn.api.ContainerManager;
import org.apache.hadoop.yarn.api.protocolrecords.GetApplicationReportRequest;
import org.apache.hadoop.yarn.api.protocolrecords.GetContainerStatusRequest;
import org.apache.hadoop.yarn.api.protocolrecords.GetContainerStatusResponse;
import org.apache.hadoop.yarn.api.protocolrecords.StartContainerRequest;
import org.apache.hadoop.yarn.api.protocolrecords.StartContainerResponse;
import org.apache.hadoop.yarn.api.protocolrecords.StopContainerRequest;
import org.apache.hadoop.yarn.api.protocolrecords.StopContainerResponse;
import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
import org.apache.hadoop.yarn.api.records.ClientToken;
import org.apache.hadoop.yarn.event.Dispatcher;
import org.apache.hadoop.yarn.event.DrainDispatcher;
import org.apache.hadoop.yarn.exceptions.YarnRemoteException;
import org.apache.hadoop.yarn.security.client.ClientToAMTokenSecretManager;
import org.apache.hadoop.yarn.security.client.ClientTokenIdentifier;
import org.apache.hadoop.yarn.security.client.ClientTokenSelector;
import org.apache.hadoop.yarn.server.resourcemanager.ClientRMService;
import org.apache.hadoop.yarn.server.resourcemanager.MockRMWithCustomAMLauncher;
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp;
import org.apache.hadoop.yarn.service.AbstractService;
import org.apache.hadoop.yarn.util.BuilderUtils;
import org.apache.hadoop.yarn.util.ProtoUtils;
import org.apache.hadoop.yarn.util.Records;
import org.junit.Test;

/* JADX WARN: Classes with same name are omitted:
  input_file:test-classes/org/apache/hadoop/yarn/server/resourcemanager/security/TestClientTokens.class
 */
/* loaded from: input_file:hadoop-yarn-server-resourcemanager-2.0.6-alpha-tests.jar:org/apache/hadoop/yarn/server/resourcemanager/security/TestClientTokens.class */
public class TestClientTokens {

    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Classes with same name are omitted:
      input_file:test-classes/org/apache/hadoop/yarn/server/resourcemanager/security/TestClientTokens$CustomAM.class
     */
    /* loaded from: input_file:hadoop-yarn-server-resourcemanager-2.0.6-alpha-tests.jar:org/apache/hadoop/yarn/server/resourcemanager/security/TestClientTokens$CustomAM.class */
    public static class CustomAM extends AbstractService implements CustomProtocol {
        private final ApplicationAttemptId appAttemptId;
        private final String secretKey;
        private InetSocketAddress address;
        private boolean pinged;

        public CustomAM(ApplicationAttemptId applicationAttemptId, String str) {
            super("CustomAM");
            this.pinged = false;
            this.appAttemptId = applicationAttemptId;
            this.secretKey = str;
        }

        @Override // org.apache.hadoop.yarn.server.resourcemanager.security.TestClientTokens.CustomProtocol
        public void ping() {
            this.pinged = true;
        }

        public synchronized void start() {
            Configuration config = getConfig();
            try {
                RPC.Server build = new RPC.Builder(config).setProtocol(CustomProtocol.class).setNumHandlers(1).setSecretManager(new ClientToAMTokenSecretManager(this.appAttemptId, Base64.decodeBase64(this.secretKey))).setInstance(this).build();
                build.start();
                this.address = NetUtils.getConnectAddress(build);
                super.start();
            } catch (Exception e) {
                throw new YarnException(e);
            }
        }
    }

    /* JADX WARN: Classes with same name are omitted:
      input_file:test-classes/org/apache/hadoop/yarn/server/resourcemanager/security/TestClientTokens$CustomNM.class
     */
    /* loaded from: input_file:hadoop-yarn-server-resourcemanager-2.0.6-alpha-tests.jar:org/apache/hadoop/yarn/server/resourcemanager/security/TestClientTokens$CustomNM.class */
    private static class CustomNM implements ContainerManager {
        public String clientTokensSecret;

        private CustomNM() {
        }

        public StartContainerResponse startContainer(StartContainerRequest startContainerRequest) throws YarnRemoteException {
            this.clientTokensSecret = (String) startContainerRequest.getContainerLaunchContext().getEnvironment().get("AppClientSecretEnv");
            return null;
        }

        public StopContainerResponse stopContainer(StopContainerRequest stopContainerRequest) throws YarnRemoteException {
            return null;
        }

        public GetContainerStatusResponse getContainerStatus(GetContainerStatusRequest getContainerStatusRequest) throws YarnRemoteException {
            return null;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Classes with same name are omitted:
      input_file:test-classes/org/apache/hadoop/yarn/server/resourcemanager/security/TestClientTokens$CustomProtocol.class
     */
    /* loaded from: input_file:hadoop-yarn-server-resourcemanager-2.0.6-alpha-tests.jar:org/apache/hadoop/yarn/server/resourcemanager/security/TestClientTokens$CustomProtocol.class */
    public interface CustomProtocol {
        public static final long versionID = 1;

        void ping();
    }

    /* JADX WARN: Classes with same name are omitted:
      input_file:test-classes/org/apache/hadoop/yarn/server/resourcemanager/security/TestClientTokens$CustomSecurityInfo.class
     */
    /* loaded from: input_file:hadoop-yarn-server-resourcemanager-2.0.6-alpha-tests.jar:org/apache/hadoop/yarn/server/resourcemanager/security/TestClientTokens$CustomSecurityInfo.class */
    private static class CustomSecurityInfo extends SecurityInfo {
        private CustomSecurityInfo() {
        }

        public TokenInfo getTokenInfo(Class<?> cls, Configuration configuration) {
            return new TokenInfo() { // from class: org.apache.hadoop.yarn.server.resourcemanager.security.TestClientTokens.CustomSecurityInfo.1
                public Class<? extends Annotation> annotationType() {
                    return null;
                }

                public Class<? extends TokenSelector<? extends TokenIdentifier>> value() {
                    return ClientTokenSelector.class;
                }
            };
        }

        public KerberosInfo getKerberosInfo(Class<?> cls, Configuration configuration) {
            return null;
        }
    }

    @Test
    public void testClientTokens() throws Exception {
        final Configuration configuration = new Configuration();
        configuration.set("hadoop.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(configuration);
        CustomNM customNM = new CustomNM();
        final DrainDispatcher drainDispatcher = new DrainDispatcher();
        MockRMWithCustomAMLauncher mockRMWithCustomAMLauncher = new MockRMWithCustomAMLauncher(configuration, customNM) { // from class: org.apache.hadoop.yarn.server.resourcemanager.security.TestClientTokens.1
            @Override // org.apache.hadoop.yarn.server.resourcemanager.MockRM, org.apache.hadoop.yarn.server.resourcemanager.ResourceManager
            protected ClientRMService createClientRMService() {
                return new ClientRMService(this.rmContext, this.scheduler, this.rmAppManager, this.applicationACLsManager, this.rmDTSecretManager);
            }

            @Override // org.apache.hadoop.yarn.server.resourcemanager.ResourceManager
            protected Dispatcher createDispatcher() {
                return drainDispatcher;
            }

            @Override // org.apache.hadoop.yarn.server.resourcemanager.ResourceManager
            protected void doSecureLogin() throws IOException {
            }
        };
        mockRMWithCustomAMLauncher.start();
        RMApp submitApp = mockRMWithCustomAMLauncher.submitApp(1024);
        drainDispatcher.await();
        mockRMWithCustomAMLauncher.registerNode("localhost:1234", 3072).nodeHeartbeat(true);
        drainDispatcher.await();
        GetApplicationReportRequest getApplicationReportRequest = (GetApplicationReportRequest) Records.newRecord(GetApplicationReportRequest.class);
        getApplicationReportRequest.setApplicationId(submitApp.getApplicationId());
        ClientToken clientToken = mockRMWithCustomAMLauncher.getClientRMService().getApplicationReport(getApplicationReportRequest).getApplicationReport().getClientToken();
        int i = 0;
        while (customNM.clientTokensSecret == null) {
            int i2 = i;
            i++;
            if (i2 >= 20) {
                break;
            } else {
                Thread.sleep(1000L);
            }
        }
        Assert.assertNotNull(customNM.clientTokensSecret);
        ApplicationAttemptId next = submitApp.getAppAttempts().keySet().iterator().next();
        Assert.assertNotNull(next);
        final CustomAM customAM = new CustomAM(next, customNM.clientTokensSecret);
        customAM.init(configuration);
        customAM.start();
        SecurityUtil.setSecurityInfoProviders(new SecurityInfo[]{new CustomSecurityInfo()});
        try {
            ((CustomProtocol) RPC.getProxy(CustomProtocol.class, 1L, customAM.address, configuration)).ping();
            org.junit.Assert.fail("Access by unauthenticated user should fail!!");
        } catch (Exception e) {
            Assert.assertFalse(customAM.pinged);
        }
        UserGroupInformation createRemoteUser = UserGroupInformation.createRemoteUser("me");
        Token convertFromProtoFormat = ProtoUtils.convertFromProtoFormat(clientToken, customAM.address);
        createRemoteUser.addToken(new Token(new ClientTokenIdentifier(BuilderUtils.newApplicationAttemptId(BuilderUtils.newApplicationId(submitApp.getApplicationId().getClusterTimestamp(), 42), 43)).getBytes(), convertFromProtoFormat.getPassword(), convertFromProtoFormat.getKind(), convertFromProtoFormat.getService()));
        try {
            createRemoteUser.doAs(new PrivilegedExceptionAction<Void>() { // from class: org.apache.hadoop.yarn.server.resourcemanager.security.TestClientTokens.2
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.security.PrivilegedExceptionAction
                public Void run() throws Exception {
                    ((CustomProtocol) RPC.getProxy(CustomProtocol.class, 1L, customAM.address, configuration)).ping();
                    org.junit.Assert.fail("Connection initiation with illegally modified tokens is expected to fail.");
                    return null;
                }
            });
        } catch (YarnRemoteException e2) {
            org.junit.Assert.fail("Cannot get a YARN remote exception as it will indicate RPC success");
        } catch (Exception e3) {
            Assert.assertEquals(UndeclaredThrowableException.class.getCanonicalName(), e3.getClass().getCanonicalName());
            Assert.assertTrue(e3.getCause().getMessage().contains("DIGEST-MD5: digest response format violation. Mismatched response."));
            Assert.assertFalse(customAM.pinged);
        }
        UserGroupInformation createRemoteUser2 = UserGroupInformation.createRemoteUser("me");
        createRemoteUser2.addToken(convertFromProtoFormat);
        createRemoteUser2.doAs(new PrivilegedExceptionAction<Void>() { // from class: org.apache.hadoop.yarn.server.resourcemanager.security.TestClientTokens.3
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public Void run() throws Exception {
                ((CustomProtocol) RPC.getProxy(CustomProtocol.class, 1L, customAM.address, configuration)).ping();
                Assert.assertTrue(customAM.pinged);
                return null;
            }
        });
    }
}
