package org.apache.hadoop.hbase.http;

import java.io.File;
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.Principal;
import java.security.PrivilegedExceptionAction;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosTicket;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseClassTestRule;
import org.apache.hadoop.hbase.http.TestHttpServer;
import org.apache.hadoop.hbase.http.resource.JerseyResource;
import org.apache.hadoop.hbase.testclassification.MiscTests;
import org.apache.hadoop.hbase.testclassification.SmallTests;
import org.apache.hadoop.security.authentication.util.KerberosName;
import org.apache.http.HttpHost;
import org.apache.http.HttpResponse;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.KerberosCredentials;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.impl.auth.SPNegoSchemeFactory;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.protocol.HttpContext;
import org.apache.http.util.EntityUtils;
import org.apache.kerby.kerberos.kerb.KrbException;
import org.apache.kerby.kerberos.kerb.client.JaasKrbUtil;
import org.apache.kerby.kerberos.kerb.server.SimpleKdcServer;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;
import org.junit.AfterClass;
import org.junit.BeforeClass;
import org.junit.ClassRule;
import org.junit.Test;
import org.junit.experimental.categories.Category;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

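/**
 * Functional test for SPNEGO (HTTP Negotiate / Kerberos) authentication on the HBase
 * {@link HttpServer}.
 *
 * <p>The fixture starts an in-process Kerby KDC, exports keytabs for a client principal and for
 * the server's {@code HTTP/localhost} service principal, and starts an info server configured
 * for Kerberos. The tests then check three properties:
 * <ul>
 *   <li>a request without credentials is rejected with 401,</li>
 *   <li>a request carrying a valid Kerberos credential is served,</li>
 *   <li>enabling Kerberos without a principal/keytab fails instead of starting a server.</li>
 * </ul>
 *
 * <p>The keytabs hold long-term keys. They are throw-away test material written under the build
 * directory ({@code target/}) and must not be reused outside this test.
 */
@Category({MiscTests.class, SmallTests.class})
public class TestSpnegoHttpServer extends HttpServerFunctionalTest {

    @ClassRule
    public static final HBaseClassTestRule CLASS_RULE = HBaseClassTestRule.forClass(TestSpnegoHttpServer.class);
    private static final Logger LOG = LoggerFactory.getLogger(TestSpnegoHttpServer.class);
    private static final String KDC_SERVER_HOST = "localhost";
    private static final String CLIENT_PRINCIPAL = "client";
    // Service principal the info server authenticates as (value: "HTTP/localhost").
    private static final String SERVER_PRINCIPAL = "HTTP/" + KDC_SERVER_HOST;
    // Object identifier of the Kerberos V5 GSS-API mechanism.
    private static final String KERBEROS_V5_MECH_OID = "1.2.840.113554.1.2.2";
    private static HttpServer server;
    private static URL baseUrl;
    private static SimpleKdcServer kdc;
    private static File infoServerKeytab;
    private static File clientKeytab;

    /**
     * Starts the mini KDC, provisions the client and server principals with their keytabs, and
     * starts the Kerberos-protected info server used by the tests.
     *
     * @throws Exception if the KDC or the HTTP server cannot be set up
     */
    @BeforeClass
    public static void setupServer() throws Exception {
        File targetDir = new File(System.getProperty("user.dir"), "target");
        assertTrue(targetDir.exists());

        kdc = buildMiniKdc();
        kdc.start();

        // Start from an empty keytab directory so stale keys from an earlier run are never used.
        File keytabDir = new File(targetDir, TestSpnegoHttpServer.class.getSimpleName() + "_keytabs");
        if (keytabDir.exists()) {
            deleteRecursively(keytabDir);
        }
        assertTrue("Could not create keytab directory " + keytabDir,
            keytabDir.mkdirs() || keytabDir.isDirectory());

        // '/' is not usable in a file name, so HTTP/localhost is stored as HTTP_localhost.keytab.
        infoServerKeytab = new File(keytabDir, SERVER_PRINCIPAL.replace('/', '_') + ".keytab");
        clientKeytab = new File(keytabDir, CLIENT_PRINCIPAL + ".keytab");
        setupUser(kdc, clientKeytab, CLIENT_PRINCIPAL);
        setupUser(kdc, infoServerKeytab, SERVER_PRINCIPAL);

        server = createTestServerWithSecurity(buildSpnegoConfiguration(SERVER_PRINCIPAL, infoServerKeytab));
        server.addUnprivilegedServlet("echo", "/echo", TestHttpServer.EchoServlet.class);
        server.addJerseyResourcePackage(JerseyResource.class.getPackage().getName(), "/jersey/*");
        server.start();
        baseUrl = getServerURL(server);
        LOG.info("HTTP server started: {}", baseUrl);
    }

    /**
     * Stops the info server and the mini KDC. Shutdown is best-effort: a failure is logged and
     * does not stop the other component from being shut down.
     */
    @AfterClass
    public static void stopServer() throws Exception {
        try {
            if (server != null) {
                server.stop();
            }
        } catch (Exception e) {
            LOG.info("Failed to stop info server", e);
        }
        try {
            if (kdc != null) {
                kdc.stop();
            }
        } catch (Exception e) {
            LOG.info("Failed to stop mini KDC", e);
        }
    }

    /**
     * Creates a principal in the KDC and exports its key to a keytab file.
     *
     * @param simpleKdcServer KDC that owns the principal
     * @param file keytab file to write
     * @param str principal name
     * @throws KrbException if the principal cannot be created or exported
     */
    private static void setupUser(SimpleKdcServer simpleKdcServer, File file, String str) throws KrbException {
        simpleKdcServer.createPrincipal(str);
        simpleKdcServer.exportPrincipal(str, file);
    }

    /**
     * Builds and initialises (but does not start) a KDC that listens on localhost over TCP only,
     * on a free port, with its work directory under {@code target/}.
     *
     * @return the initialised KDC
     * @throws Exception if the work directory or the KDC cannot be prepared
     */
    private static SimpleKdcServer buildMiniKdc() throws Exception {
        SimpleKdcServer miniKdc = new SimpleKdcServer();

        File workDir = new File(new File(System.getProperty("user.dir"), "target"),
            TestSpnegoHttpServer.class.getSimpleName());
        if (workDir.exists()) {
            deleteRecursively(workDir);
        }
        assertTrue("Could not create KDC work directory " + workDir,
            workDir.mkdirs() || workDir.isDirectory());
        miniKdc.setWorkDir(workDir);

        miniKdc.setKdcHost(KDC_SERVER_HOST);
        int kdcPort = getFreePort();
        miniKdc.setAllowTcp(true);
        miniKdc.setAllowUdp(false);
        miniKdc.setKdcTcpPort(kdcPort);

        LOG.info("Starting KDC server at localhost:{}", kdcPort);
        miniKdc.init();
        return miniKdc;
    }

    /**
     * Builds the server configuration that enables Kerberos for both HBase authentication and
     * the web UI, using the given SPNEGO principal and keytab.
     *
     * @param str SPNEGO service principal of the server
     * @param file keytab holding that principal's key
     * @return the configuration
     */
    private static Configuration buildSpnegoConfiguration(String str, File file) {
        Configuration conf = new Configuration();
        // Static call: the principal-to-short-name rules are set for the whole JVM, not only
        // for this configuration.
        KerberosName.setRules("DEFAULT");
        conf.setInt("hbase.http.max.threads", 16);
        conf.set("hbase.security.authentication", "kerberos");
        conf.set("hbase.security.authentication.ui", "kerberos");
        conf.set("hbase.security.authentication.spnego.kerberos.principal", str);
        conf.set("hbase.security.authentication.spnego.kerberos.keytab", file.getAbsolutePath());
        return conf;
    }

    /**
     * A request that carries no Kerberos credential must be answered with 401 and must not
     * reach the echo servlet.
     */
    @Test
    public void testUnauthorizedClientsDisallowed() throws IOException {
        URL url = new URL(getServerURL(server), "/echo?a=b");
        HttpURLConnection conn = (HttpURLConnection) url.openConnection();
        try {
            assertEquals(HttpURLConnection.HTTP_UNAUTHORIZED, conn.getResponseCode());
        } finally {
            conn.disconnect();
        }
    }

    /**
     * A client that logs in from its keytab and answers the Negotiate challenge must be served
     * by the echo servlet.
     */
    @Test
    public void testAllowedClient() throws Exception {
        final Subject clientSubject = JaasKrbUtil.loginUsingKeytab(CLIENT_PRINCIPAL, clientKeytab);
        Set<Principal> clientPrincipals = clientSubject.getPrincipals();
        assertFalse(clientPrincipals.isEmpty());

        // The login must have produced a ticket; without one there is nothing to negotiate with.
        Set<KerberosTicket> tickets = clientSubject.getPrivateCredentials(KerberosTicket.class);
        assertFalse(tickets.isEmpty());
        assertNotNull(tickets.iterator().next());

        final String principalName = clientPrincipals.iterator().next().getName();

        // Only the Negotiate scheme is registered. SPNegoSchemeFactory(true, true): strip the
        // port from the service principal name and use the canonical host name.
        // NOTE(review): the registry is a raw type as recovered here; the typed form is
        // Registry<AuthSchemeProvider>, which needs an import this file does not have.
        final Registry authSchemes = RegistryBuilder.create()
            .register("Negotiate", new SPNegoSchemeFactory(true, true))
            .build();

        // The client is closed once the response body has been read, so its connection pool is
        // released even when an assertion fails.
        try (CloseableHttpClient client =
                HttpClients.custom().setDefaultAuthSchemeRegistry(authSchemes).build()) {
            HttpResponse response = Subject.doAs(clientSubject, new PrivilegedExceptionAction<HttpResponse>() {
                @Override
                public HttpResponse run() throws Exception {
                    // Runs as the logged-in subject, so the GSS layer can find its ticket.
                    GSSManager gssManager = GSSManager.getInstance();
                    GSSName gssClient = gssManager.createName(principalName, GSSName.NT_USER_NAME);
                    GSSCredential credential = gssManager.createCredential(
                        gssClient,
                        GSSCredential.DEFAULT_LIFETIME,
                        new Oid(KERBEROS_V5_MECH_OID),
                        GSSCredential.INITIATE_ONLY);

                    // AuthScope.ANY offers this credential to whichever host sends a Negotiate
                    // challenge. That is tolerable here only because the client talks to the
                    // single local test server; outside tests, scope it to the target host
                    // and port.
                    BasicCredentialsProvider credentialsProvider = new BasicCredentialsProvider();
                    credentialsProvider.setCredentials(AuthScope.ANY, new KerberosCredentials(credential));

                    URL requestUrl = new URL(getServerURL(server), "/echo?a=b");
                    // HttpClientContext, not HttpContext: the setters below exist only on it.
                    HttpClientContext context = HttpClientContext.create();
                    context.setTargetHost(new HttpHost(requestUrl.getHost(), requestUrl.getPort()));
                    context.setCredentialsProvider(credentialsProvider);
                    context.setAuthSchemeRegistry(authSchemes);

                    return client.execute(new HttpGet(requestUrl.toURI()), context);
                }
            });

            assertNotNull(response);
            assertEquals(200L, response.getStatusLine().getStatusCode());
            assertEquals("a:b", EntityUtils.toString(response.getEntity()).trim());
        }
    }

    /**
     * Kerberos enabled without a SPNEGO principal and keytab must fail with
     * {@link IllegalArgumentException} rather than yield a running server. Which of the calls
     * below raises it is not visible from this class.
     */
    @Test(expected = IllegalArgumentException.class)
    public void testMissingConfigurationThrowsException() throws Exception {
        Configuration conf = new Configuration();
        conf.setInt("hbase.http.max.threads", 16);
        // Deliberately incomplete: no SPNEGO principal and no keytab are configured.
        conf.set("hbase.security.authentication", "kerberos");
        HttpServer misconfigured = createTestServerWithSecurity(conf);
        misconfigured.addUnprivilegedServlet("echo", "/echo", TestHttpServer.EchoServlet.class);
        misconfigured.addJerseyResourcePackage(JerseyResource.class.getPackage().getName(), "/jersey/*");
        misconfigured.start();
    }
}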
