package org.apache.hadoop.yarn.server;

import java.io.File;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.security.PrivilegedAction;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import junit.framework.Assert;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.minikdc.KerberosSecurityTestcase;
import org.apache.hadoop.net.NetUtils;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.SecretManager;
import org.apache.hadoop.yarn.api.ContainerManagementProtocol;
import org.apache.hadoop.yarn.api.protocolrecords.GetContainerStatusesRequest;
import org.apache.hadoop.yarn.api.protocolrecords.GetContainerStatusesResponse;
import org.apache.hadoop.yarn.api.protocolrecords.StartContainerRequest;
import org.apache.hadoop.yarn.api.protocolrecords.StartContainersRequest;
import org.apache.hadoop.yarn.api.protocolrecords.StopContainersRequest;
import org.apache.hadoop.yarn.api.protocolrecords.StopContainersResponse;
import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
import org.apache.hadoop.yarn.api.records.ApplicationId;
import org.apache.hadoop.yarn.api.records.ContainerId;
import org.apache.hadoop.yarn.api.records.ContainerLaunchContext;
import org.apache.hadoop.yarn.api.records.NodeId;
import org.apache.hadoop.yarn.api.records.Resource;
import org.apache.hadoop.yarn.api.records.SerializedException;
import org.apache.hadoop.yarn.api.records.Token;
import org.apache.hadoop.yarn.exceptions.YarnException;
import org.apache.hadoop.yarn.factories.RecordFactory;
import org.apache.hadoop.yarn.factory.providers.RecordFactoryProvider;
import org.apache.hadoop.yarn.ipc.YarnRPC;
import org.apache.hadoop.yarn.server.nodemanager.Context;
import org.apache.hadoop.yarn.server.nodemanager.NodeManager;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.ContainerManagerImpl;
import org.apache.hadoop.yarn.server.nodemanager.security.NMTokenSecretManagerInNM;
import org.apache.hadoop.yarn.server.resourcemanager.security.NMTokenSecretManagerInRM;
import org.apache.hadoop.yarn.server.resourcemanager.security.RMContainerTokenSecretManager;
import org.apache.hadoop.yarn.util.ConverterUtils;
import org.apache.hadoop.yarn.util.Records;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.Parameterized;

/* JADX WARN: Classes with same name are omitted:
  input_file:hadoop-yarn-server-tests-2.4.1-tests.jar:org/apache/hadoop/yarn/server/TestContainerManagerSecurity.class
 */
@RunWith(Parameterized.class)
/* loaded from: input_file:test-classes/org/apache/hadoop/yarn/server/TestContainerManagerSecurity.class */
public class TestContainerManagerSecurity extends KerberosSecurityTestcase {
    private static MiniYARNCluster yarnCluster;
    private Configuration conf;
    static Log LOG = LogFactory.getLog(TestContainerManagerSecurity.class);
    static final RecordFactory recordFactory = RecordFactoryProvider.getRecordFactory((Configuration) null);
    private static final File testRootDir = new File("target", TestContainerManagerSecurity.class.getName() + "-root");
    private static File httpSpnegoKeytabFile = new File(testRootDir, "httpSpnegoKeytabFile.keytab");
    private static String httpSpnegoPrincipal = "HTTP/localhost@EXAMPLE.COM";

    @Before
    public void setUp() throws Exception {
        testRootDir.mkdirs();
        httpSpnegoKeytabFile.deleteOnExit();
        getKdc().createPrincipal(httpSpnegoKeytabFile, new String[]{httpSpnegoPrincipal});
    }

    @After
    public void tearDown() {
        testRootDir.delete();
    }

    @Parameterized.Parameters
    public static Collection<Object[]> configs() {
        Configuration configuration = new Configuration();
        configuration.set("hadoop.security.authentication", "simple");
        Configuration configuration2 = new Configuration();
        configuration2.set("hadoop.security.authentication", "kerberos");
        configuration2.set("yarn.resourcemanager.webapp.spnego-principal", httpSpnegoPrincipal);
        configuration2.set("yarn.resourcemanager.webapp.spnego-keytab-file", httpSpnegoKeytabFile.getAbsolutePath());
        configuration2.set("yarn.nodemanager.webapp.spnego-principal", httpSpnegoPrincipal);
        configuration2.set("yarn.nodemanager.webapp.spnego-keytab-file", httpSpnegoKeytabFile.getAbsolutePath());
        return Arrays.asList(new Object[]{configuration}, new Object[]{configuration2});
    }

    public TestContainerManagerSecurity(Configuration configuration) {
        configuration.setLong("yarn.am.liveness-monitor.expiry-interval-ms", 100000L);
        UserGroupInformation.setConfiguration(configuration);
        this.conf = configuration;
    }

    @Test(timeout = 1000000)
    public void testContainerManager() throws Exception {
        try {
            try {
                yarnCluster = new MiniYARNCluster(TestContainerManagerSecurity.class.getName(), 1, 1, 1);
                yarnCluster.init(this.conf);
                yarnCluster.start();
                testNMTokens(this.conf);
                testContainerToken(this.conf);
                if (yarnCluster != null) {
                    yarnCluster.stop();
                    yarnCluster = null;
                }
            } catch (Exception e) {
                e.printStackTrace();
                throw e;
            }
        } catch (Throwable th) {
            if (yarnCluster != null) {
                yarnCluster.stop();
                yarnCluster = null;
            }
            throw th;
        }
    }

    private void testNMTokens(Configuration configuration) throws Exception {
        NMTokenSecretManagerInRM nMTokenSecretManager = yarnCluster.getResourceManager().getRMContext().getNMTokenSecretManager();
        NMTokenSecretManagerInNM nMTokenSecretManager2 = yarnCluster.getNodeManager(0).getNMContext().getNMTokenSecretManager();
        RMContainerTokenSecretManager containerTokenSecretManager = yarnCluster.getResourceManager().getRMContext().getContainerTokenSecretManager();
        NodeManager nodeManager = yarnCluster.getNodeManager(0);
        waitForNMToReceiveNMTokenKey(nMTokenSecretManager2, nodeManager);
        Assert.assertEquals(nMTokenSecretManager2.getCurrentKey().getKeyId(), nMTokenSecretManager.getCurrentKey().getKeyId());
        YarnRPC create = YarnRPC.create(configuration);
        Resource newInstance = Resource.newInstance(1024, 1);
        ApplicationId newInstance2 = ApplicationId.newInstance(1L, 1);
        ApplicationAttemptId newInstance3 = ApplicationAttemptId.newInstance(newInstance2, 1);
        ApplicationAttemptId newInstance4 = ApplicationAttemptId.newInstance(newInstance2, 2);
        ContainerId newInstance5 = ContainerId.newInstance(newInstance3, 0);
        NodeId nodeId = yarnCluster.getNodeManager(0).getNMContext().getNodeId();
        NodeId newInstance6 = NodeId.newInstance("InvalidHost", 1234);
        Token createNMToken = nMTokenSecretManager.createNMToken(newInstance3, nodeId, "test");
        Token createContainerToken = containerTokenSecretManager.createContainerToken(newInstance5, nodeId, "test", newInstance);
        NMTokenSecretManagerInRM nMTokenSecretManagerInRM = new NMTokenSecretManagerInRM(configuration);
        nMTokenSecretManagerInRM.rollMasterKey();
        do {
            nMTokenSecretManagerInRM.rollMasterKey();
            nMTokenSecretManagerInRM.activateNextMasterKey();
        } while (nMTokenSecretManagerInRM.getCurrentKey().getKeyId() == nMTokenSecretManager.getCurrentKey().getKeyId());
        Assert.assertTrue(testStartContainer(create, newInstance3, nodeId, createContainerToken, null, true).contains((UserGroupInformation.isSecurityEnabled() ? new StringBuilder("Client cannot authenticate via:[TOKEN]") : new StringBuilder("SIMPLE authentication is not enabled.  Available:[TOKEN]")).toString()));
        Token createNMToken2 = nMTokenSecretManagerInRM.createNMToken(newInstance3, nodeId, "test");
        StringBuilder sb = new StringBuilder("Given NMToken for application : ");
        sb.append(newInstance3.toString()).append(" seems to have been generated illegally.");
        Assert.assertTrue(sb.toString().contains(testStartContainer(create, newInstance3, nodeId, createContainerToken, createNMToken2, true)));
        Token createNMToken3 = nMTokenSecretManager.createNMToken(newInstance3, newInstance6, "test");
        StringBuilder sb2 = new StringBuilder("Given NMToken for application : ");
        sb2.append(newInstance3).append(" is not valid for current node manager.expected : ").append(nodeId.toString()).append(" found : ").append(newInstance6.toString());
        Assert.assertTrue(sb2.toString().contains(testStartContainer(create, newInstance3, nodeId, createContainerToken, createNMToken3, true)));
        Token createNMToken4 = nMTokenSecretManager.createNMToken(newInstance4, nodeId, "test");
        StringBuilder sb3 = new StringBuilder("\nNMToken for application attempt : ");
        sb3.append(newInstance4.toString()).append(" was used for starting container with container token").append(" issued for application attempt : ").append(newInstance3.toString());
        Assert.assertTrue(testStartContainer(create, newInstance3, nodeId, createContainerToken, createNMToken4, true).contains(sb3.toString()));
        configuration.setInt("yarn.resourcemanager.rm.container-allocation.expiry-interval-ms", 240000);
        Token createContainerToken2 = containerTokenSecretManager.createContainerToken(newInstance5, nodeId, "test", newInstance);
        testStartContainer(create, newInstance3, nodeId, createContainerToken2, createNMToken, false);
        Assert.assertTrue(nMTokenSecretManager2.isAppAttemptNMTokenKeyPresent(newInstance3));
        waitForContainerToFinishOnNM(newInstance5);
        Assert.assertTrue(testStartContainer(create, newInstance3, nodeId, createContainerToken2, createNMToken, true).contains("Attempt to relaunch the same container with id " + newInstance5));
        testStopContainer(create, newInstance3, nodeId, newInstance5, createNMToken, false);
        rollNMTokenMasterKey(nMTokenSecretManager, nMTokenSecretManager2);
        rollNMTokenMasterKey(nMTokenSecretManager, nMTokenSecretManager2);
        Assert.assertTrue(testGetContainer(create, newInstance3, nodeId, newInstance5, createNMToken, true).contains("Container " + newInstance5 + " was recently stopped on node manager"));
        nodeManager.getNodeStatusUpdater().clearFinishedContainersFromCache();
        Assert.assertTrue(testGetContainer(create, newInstance3, nodeId, newInstance5, createNMToken, false).contains("Container " + newInstance5.toString() + " is not handled by this NodeManager"));
    }

    private void waitForContainerToFinishOnNM(ContainerId containerId) {
        Context nMContext = yarnCluster.getNodeManager(0).getNMContext();
        int i = 240;
        while (true) {
            int i2 = i;
            i--;
            if (i2 <= 0 || !nMContext.getContainers().containsKey(containerId)) {
                break;
            } else {
                try {
                    Thread.sleep(1000L);
                } catch (InterruptedException e) {
                }
            }
        }
        Assert.assertFalse(nMContext.getContainers().containsKey(containerId));
    }

    protected void waitForNMToReceiveNMTokenKey(NMTokenSecretManagerInNM nMTokenSecretManagerInNM, NodeManager nodeManager) throws InterruptedException {
        int i = 60;
        ContainerManagerImpl containerManager = nodeManager.getNMContext().getContainerManager();
        while (true) {
            if (!containerManager.getBlockNewContainerRequestsStatus() && nMTokenSecretManagerInNM.getNodeId() != null) {
                return;
            }
            int i2 = i;
            i--;
            if (i2 <= 0) {
                return;
            } else {
                Thread.sleep(2000L);
            }
        }
    }

    protected void rollNMTokenMasterKey(NMTokenSecretManagerInRM nMTokenSecretManagerInRM, NMTokenSecretManagerInNM nMTokenSecretManagerInNM) throws Exception {
        int keyId = nMTokenSecretManagerInRM.getCurrentKey().getKeyId();
        nMTokenSecretManagerInRM.rollMasterKey();
        int i = 40;
        while (nMTokenSecretManagerInNM.getCurrentKey().getKeyId() == keyId) {
            int i2 = i;
            i--;
            if (i2 <= 0) {
                break;
            } else {
                Thread.sleep(1000L);
            }
        }
        nMTokenSecretManagerInRM.activateNextMasterKey();
        Assert.assertTrue(nMTokenSecretManagerInNM.getCurrentKey().getKeyId() == nMTokenSecretManagerInRM.getCurrentKey().getKeyId());
    }

    private String testStopContainer(YarnRPC yarnRPC, ApplicationAttemptId applicationAttemptId, NodeId nodeId, ContainerId containerId, Token token, boolean z) {
        try {
            stopContainer(yarnRPC, token, Arrays.asList(containerId), applicationAttemptId, nodeId);
            if (!z) {
                return "";
            }
            org.junit.Assert.fail("Exception was expected!!");
            return "";
        } catch (Exception e) {
            e.printStackTrace();
            return e.getMessage();
        }
    }

    private String testGetContainer(YarnRPC yarnRPC, ApplicationAttemptId applicationAttemptId, NodeId nodeId, ContainerId containerId, Token token, boolean z) {
        try {
            getContainerStatus(yarnRPC, token, containerId, applicationAttemptId, nodeId, z);
            if (!z) {
                return "";
            }
            org.junit.Assert.fail("Exception was expected!!");
            return "";
        } catch (Exception e) {
            e.printStackTrace();
            return e.getMessage();
        }
    }

    private String testStartContainer(YarnRPC yarnRPC, ApplicationAttemptId applicationAttemptId, NodeId nodeId, Token token, Token token2, boolean z) {
        try {
            startContainer(yarnRPC, token2, token, nodeId, applicationAttemptId.toString());
            if (!z) {
                return "";
            }
            org.junit.Assert.fail("Exception was expected!!");
            return "";
        } catch (Exception e) {
            e.printStackTrace();
            return e.getMessage();
        }
    }

    private void stopContainer(YarnRPC yarnRPC, Token token, List<ContainerId> list, ApplicationAttemptId applicationAttemptId, NodeId nodeId) throws Exception {
        StopContainersRequest newInstance = StopContainersRequest.newInstance(list);
        ContainerManagementProtocol containerManagementProtocol = null;
        try {
            containerManagementProtocol = getContainerManagementProtocolProxy(yarnRPC, token, nodeId, applicationAttemptId.toString());
            StopContainersResponse stopContainers = containerManagementProtocol.stopContainers(newInstance);
            if (stopContainers.getFailedRequests() != null && stopContainers.getFailedRequests().containsKey(list)) {
                parseAndThrowException(((SerializedException) stopContainers.getFailedRequests().get(list)).deSerialize());
            }
        } catch (Exception e) {
            if (containerManagementProtocol != null) {
                yarnRPC.stopProxy(containerManagementProtocol, this.conf);
            }
        }
    }

    private void getContainerStatus(YarnRPC yarnRPC, Token token, ContainerId containerId, ApplicationAttemptId applicationAttemptId, NodeId nodeId, boolean z) throws Exception {
        ArrayList arrayList = new ArrayList();
        arrayList.add(containerId);
        GetContainerStatusesRequest newInstance = GetContainerStatusesRequest.newInstance(arrayList);
        ContainerManagementProtocol containerManagementProtocol = null;
        try {
            containerManagementProtocol = getContainerManagementProtocolProxy(yarnRPC, token, nodeId, applicationAttemptId.toString());
            GetContainerStatusesResponse containerStatuses = containerManagementProtocol.getContainerStatuses(newInstance);
            if (containerStatuses.getFailedRequests() != null && containerStatuses.getFailedRequests().containsKey(containerId)) {
                parseAndThrowException(((SerializedException) containerStatuses.getFailedRequests().get(containerId)).deSerialize());
            }
            if (containerManagementProtocol != null) {
                yarnRPC.stopProxy(containerManagementProtocol, this.conf);
            }
        } catch (Throwable th) {
            if (containerManagementProtocol != null) {
                yarnRPC.stopProxy(containerManagementProtocol, this.conf);
            }
            throw th;
        }
    }

    private void startContainer(YarnRPC yarnRPC, Token token, Token token2, NodeId nodeId, String str) throws Exception {
        StartContainerRequest newInstance = StartContainerRequest.newInstance((ContainerLaunchContext) Records.newRecord(ContainerLaunchContext.class), token2);
        ArrayList arrayList = new ArrayList();
        arrayList.add(newInstance);
        StartContainersRequest newInstance2 = StartContainersRequest.newInstance(arrayList);
        ContainerManagementProtocol containerManagementProtocol = null;
        try {
            containerManagementProtocol = getContainerManagementProtocolProxy(yarnRPC, token, nodeId, str);
            Iterator it = containerManagementProtocol.startContainers(newInstance2).getFailedRequests().values().iterator();
            while (it.hasNext()) {
                parseAndThrowException(((SerializedException) it.next()).deSerialize());
            }
            if (containerManagementProtocol != null) {
                yarnRPC.stopProxy(containerManagementProtocol, this.conf);
            }
        } catch (Throwable th) {
            if (containerManagementProtocol != null) {
                yarnRPC.stopProxy(containerManagementProtocol, this.conf);
            }
            throw th;
        }
    }

    private void parseAndThrowException(Throwable th) throws YarnException, IOException {
        if (th instanceof YarnException) {
            throw ((YarnException) th);
        }
        if (!(th instanceof SecretManager.InvalidToken)) {
            throw ((IOException) th);
        }
        throw ((SecretManager.InvalidToken) th);
    }

    protected ContainerManagementProtocol getContainerManagementProtocolProxy(final YarnRPC yarnRPC, Token token, NodeId nodeId, String str) {
        UserGroupInformation createRemoteUser = UserGroupInformation.createRemoteUser(str);
        final InetSocketAddress createSocketAddr = NetUtils.createSocketAddr(nodeId.getHost(), nodeId.getPort());
        if (token != null) {
            createRemoteUser.addToken(ConverterUtils.convertFromYarn(token, createSocketAddr));
        }
        return (ContainerManagementProtocol) createRemoteUser.doAs(new PrivilegedAction<ContainerManagementProtocol>() { // from class: org.apache.hadoop.yarn.server.TestContainerManagerSecurity.1
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedAction
            public ContainerManagementProtocol run() {
                return (ContainerManagementProtocol) yarnRPC.getProxy(ContainerManagementProtocol.class, createSocketAddr, TestContainerManagerSecurity.this.conf);
            }
        });
    }

    private void testContainerToken(Configuration configuration) throws IOException, InterruptedException, YarnException {
        LOG.info("Running test for malice user");
        NMTokenSecretManagerInRM nMTokenSecretManager = yarnCluster.getResourceManager().getRMContext().getNMTokenSecretManager();
        ApplicationAttemptId newInstance = ApplicationAttemptId.newInstance(ApplicationId.newInstance(1L, 1), 0);
        ContainerId newInstance2 = ContainerId.newInstance(newInstance, 0);
        NodeManager nodeManager = yarnCluster.getNodeManager(0);
        NMTokenSecretManagerInNM nMTokenSecretManager2 = nodeManager.getNMContext().getNMTokenSecretManager();
        waitForNMToReceiveNMTokenKey(nMTokenSecretManager2, nodeManager);
        NodeId nodeId = nodeManager.getNMContext().getNodeId();
        Assert.assertEquals(nMTokenSecretManager2.getCurrentKey().getKeyId(), nMTokenSecretManager.getCurrentKey().getKeyId());
        RMContainerTokenSecretManager containerTokenSecretManager = yarnCluster.getResourceManager().getRMContext().getContainerTokenSecretManager();
        RMContainerTokenSecretManager rMContainerTokenSecretManager = new RMContainerTokenSecretManager(configuration);
        rMContainerTokenSecretManager.rollMasterKey();
        do {
            rMContainerTokenSecretManager.rollMasterKey();
            rMContainerTokenSecretManager.activateNextMasterKey();
        } while (containerTokenSecretManager.getCurrentKey().getKeyId() == rMContainerTokenSecretManager.getCurrentKey().getKeyId());
        Token createContainerToken = rMContainerTokenSecretManager.createContainerToken(newInstance2, nodeId, "test", Resource.newInstance(1230, 2));
        Token createNMToken = nMTokenSecretManager.createNMToken(newInstance, nodeId, "test");
        Assert.assertTrue(testStartContainer(YarnRPC.create(configuration), newInstance, nodeId, createContainerToken, createNMToken, true).contains("Given Container " + newInstance2 + " seems to have an illegally generated token."));
    }
}
