package org.apache.hadoop.hbase.test;

import java.io.IOException;
import java.util.Iterator;
import java.util.List;
import org.apache.commons.cli.CommandLine;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.fs.permission.FsPermission;
import org.apache.hadoop.hbase.Abortable;
import org.apache.hadoop.hbase.HBaseConfiguration;
import org.apache.hadoop.hbase.IntegrationTestingUtility;
import org.apache.hadoop.hbase.testclassification.IntegrationTests;
import org.apache.hadoop.hbase.util.AbstractHBaseTool;
import org.apache.hadoop.hbase.util.FSUtils;
import org.apache.hadoop.hbase.zookeeper.RecoverableZooKeeper;
import org.apache.hadoop.hbase.zookeeper.ZKUtil;
import org.apache.hadoop.hbase.zookeeper.ZooKeeperWatcher;
import org.apache.hadoop.util.ToolRunner;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;
import org.apache.zookeeper.data.Stat;
import org.junit.Assert;
import org.junit.experimental.categories.Category;

@Category({IntegrationTests.class})
/* loaded from: input_file:org/apache/hadoop/hbase/test/IntegrationTestZKAndFSPermissions.class */
public class IntegrationTestZKAndFSPermissions extends AbstractHBaseTool {
    private static final Log LOG = LogFactory.getLog(IntegrationTestZKAndFSPermissions.class);
    private String superUser;
    private String masterPrincipal;
    private boolean isForce;
    private String fsPerms;
    private boolean skipFSCheck;
    private boolean skipZKCheck;
    public static final String FORCE_CHECK_ARG = "f";
    public static final String PRINCIPAL_ARG = "p";
    public static final String SUPERUSER_ARG = "s";
    public static final String FS_PERMS = "fs_perms";
    public static final String SKIP_CHECK_FS = "skip_fs_check";
    public static final String SKIP_CHECK_ZK = "skip_zk_check";

    public void setConf(Configuration configuration) {
        super.setConf(configuration);
    }

    protected void addOptions() {
        addOptNoArg("f", "Whether to skip configuration lookup and assume a secure setup");
        addOptWithArg(PRINCIPAL_ARG, "The principal for zk authorization");
        addOptWithArg(SUPERUSER_ARG, "The principal for super user");
        addOptWithArg(FS_PERMS, "FS permissions, ex. 700, 750, etc. Defaults to 700");
        addOptNoArg(SKIP_CHECK_FS, "Whether to skip checking FS permissions");
        addOptNoArg(SKIP_CHECK_ZK, "Whether to skip checking ZK permissions");
    }

    protected void processOptions(CommandLine commandLine) {
        this.isForce = commandLine.hasOption("f");
        this.masterPrincipal = getShortUserName(this.conf.get("hbase.master.kerberos.principal"));
        this.superUser = commandLine.getOptionValue(SUPERUSER_ARG, this.conf.get("hbase.superuser"));
        this.masterPrincipal = commandLine.getOptionValue(PRINCIPAL_ARG, this.masterPrincipal);
        this.fsPerms = commandLine.getOptionValue(FS_PERMS, "700");
        this.skipFSCheck = commandLine.hasOption(SKIP_CHECK_FS);
        this.skipZKCheck = commandLine.hasOption(SKIP_CHECK_ZK);
    }

    private String getShortUserName(String str) {
        for (int i = 0; i < str.length(); i++) {
            if (str.charAt(i) == '/' || str.charAt(i) == '@') {
                return str.substring(0, i);
            }
        }
        return str;
    }

    protected int doWork() throws Exception {
        if (!this.isForce && !"kerberos".equalsIgnoreCase(this.conf.get("hbase.security.authentication"))) {
            LOG.warn("hbase.security.authentication is not kerberos, and -f is not supplied. Skip running the test");
            return 0;
        }
        if (!this.skipZKCheck) {
            testZNodeACLs();
        }
        if (this.skipFSCheck) {
            return 0;
        }
        testFSPerms();
        return 0;
    }

    private void testZNodeACLs() throws IOException, KeeperException, InterruptedException {
        ZooKeeperWatcher zooKeeperWatcher = new ZooKeeperWatcher(this.conf, "IntegrationTestZnodeACLs", (Abortable) null);
        RecoverableZooKeeper connect = ZKUtil.connect(this.conf, zooKeeperWatcher);
        String str = zooKeeperWatcher.baseZNode;
        LOG.info("");
        LOG.info("***********************************************************************************");
        LOG.info("Checking ZK permissions, root znode: " + str);
        LOG.info("***********************************************************************************");
        LOG.info("");
        checkZnodePermsRecursive(zooKeeperWatcher, connect, str);
        LOG.info("Checking ZK permissions: SUCCESS");
    }

    private void checkZnodePermsRecursive(ZooKeeperWatcher zooKeeperWatcher, RecoverableZooKeeper recoverableZooKeeper, String str) throws KeeperException, InterruptedException {
        assertZnodePerms(recoverableZooKeeper, str, zooKeeperWatcher.isClientReadable(str));
        try {
            Iterator it = recoverableZooKeeper.getChildren(str, false).iterator();
            while (it.hasNext()) {
                checkZnodePermsRecursive(zooKeeperWatcher, recoverableZooKeeper, ZKUtil.joinZNode(str, (String) it.next()));
            }
        } catch (KeeperException e) {
            if (e.code() != KeeperException.Code.NOAUTH) {
                throw e;
            }
        }
    }

    private void assertZnodePerms(RecoverableZooKeeper recoverableZooKeeper, String str, boolean z) throws KeeperException, InterruptedException {
        List<ACL> acl = recoverableZooKeeper.getZooKeeper().getACL(str, new Stat());
        String[] split = this.superUser == null ? null : this.superUser.split(",");
        LOG.info("Checking ACLs for znode znode:" + str + " acls:" + acl);
        for (ACL acl2 : acl) {
            int perms = acl2.getPerms();
            Id id = acl2.getId();
            if (ZooDefs.Ids.ANYONE_ID_UNSAFE.equals(id)) {
                Assert.assertTrue(z);
                Assert.assertEquals(perms, 1L);
            } else if (split != null && ZooKeeperWatcher.isSuperUserId(split, id)) {
                Assert.assertEquals(perms, 31L);
            } else if (new Id("sasl", this.masterPrincipal).equals(id)) {
                Assert.assertEquals(perms, 31L);
            } else {
                Assert.fail("An ACL is found which is not expected for the znode:" + str + " , ACL:" + acl2);
            }
        }
    }

    private void testFSPerms() throws IOException {
        Path rootDir = FSUtils.getRootDir(this.conf);
        LOG.info("");
        LOG.info("***********************************************************************************");
        LOG.info("Checking FS permissions for root dir:" + rootDir);
        LOG.info("***********************************************************************************");
        LOG.info("");
        Assert.assertEquals(FsPermission.createImmutable(Short.valueOf(this.fsPerms, 8).shortValue()), rootDir.getFileSystem(this.conf).getFileStatus(rootDir).getPermission());
        LOG.info("Checking FS permissions: SUCCESS");
    }

    public static void main(String[] strArr) throws Exception {
        Configuration create = HBaseConfiguration.create();
        IntegrationTestingUtility.setUseDistributedCluster(create);
        System.exit(ToolRunner.run(create, new IntegrationTestZKAndFSPermissions(), strArr));
    }
}
