package org.apache.hadoop.hbase.rest;

import com.fasterxml.jackson.jaxrs.json.JacksonJaxbJsonProvider;
import java.io.File;
import java.net.URL;
import java.security.Principal;
import java.security.PrivilegedExceptionAction;
import javax.ws.rs.core.MediaType;
import org.apache.commons.io.FileUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseClassTestRule;
import org.apache.hadoop.hbase.HBaseTestingUtility;
import org.apache.hadoop.hbase.MiniHBaseCluster;
import org.apache.hadoop.hbase.StartMiniClusterOption;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.client.ColumnFamilyDescriptorBuilder;
import org.apache.hadoop.hbase.client.Connection;
import org.apache.hadoop.hbase.client.ConnectionFactory;
import org.apache.hadoop.hbase.client.Put;
import org.apache.hadoop.hbase.client.Table;
import org.apache.hadoop.hbase.client.TableDescriptorBuilder;
import org.apache.hadoop.hbase.http.ssl.KeyStoreTestUtil;
import org.apache.hadoop.hbase.rest.model.CellModel;
import org.apache.hadoop.hbase.rest.model.CellSetModel;
import org.apache.hadoop.hbase.rest.model.RowModel;
import org.apache.hadoop.hbase.security.HBaseKerberosUtils;
import org.apache.hadoop.hbase.security.access.AccessControlClient;
import org.apache.hadoop.hbase.security.access.AccessController;
import org.apache.hadoop.hbase.security.access.Permission;
import org.apache.hadoop.hbase.security.token.TokenProvider;
import org.apache.hadoop.hbase.testclassification.MiscTests;
import org.apache.hadoop.hbase.testclassification.SmallTests;
import org.apache.hadoop.hbase.util.Bytes;
import org.apache.hadoop.hbase.util.Pair;
import org.apache.hadoop.http.HttpConfig;
import org.apache.hadoop.minikdc.MiniKdc;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.util.KerberosName;
import org.apache.http.HttpHost;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.Credentials;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpGet;
import org.apache.http.client.methods.HttpPut;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.config.Registry;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.entity.ContentType;
import org.apache.http.entity.StringEntity;
import org.apache.http.impl.auth.SPNegoSchemeFactory;
import org.apache.http.impl.client.BasicAuthCache;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.apache.http.util.EntityUtils;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.ClassRule;
import org.junit.Test;
import org.junit.experimental.categories.Category;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Category({MiscTests.class, SmallTests.class})
/* loaded from: input_file:org/apache/hadoop/hbase/rest/TestSecureRESTServer.class */
public class TestSecureRESTServer {

    @ClassRule
    public static final HBaseClassTestRule CLASS_RULE = HBaseClassTestRule.forClass(TestSecureRESTServer.class);
    private static final Logger LOG = LoggerFactory.getLogger(TestSecureRESTServer.class);
    private static final HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility();
    private static final HBaseRESTTestingUtility REST_TEST = new HBaseRESTTestingUtility();
    private static MiniHBaseCluster CLUSTER;
    private static final String HOSTNAME = "localhost";
    private static final String CLIENT_PRINCIPAL = "client";
    private static final String SPNEGO_SERVICE_PRINCIPAL = "HTTP/localhost";
    private static final String REST_SERVER_PRINCIPAL = "rest";
    private static final String SERVICE_PRINCIPAL = "hbase/localhost";
    private static URL baseUrl;
    private static MiniKdc KDC;
    private static RESTServer server;
    private static File restServerKeytab;
    private static File clientKeytab;
    private static File serviceKeytab;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/hadoop/hbase/rest/TestSecureRESTServer$EmptyCredentials.class */
    public static class EmptyCredentials implements Credentials {
        public static final EmptyCredentials INSTANCE = new EmptyCredentials();

        private EmptyCredentials() {
        }

        @Override // org.apache.http.auth.Credentials
        public String getPassword() {
            return null;
        }

        @Override // org.apache.http.auth.Credentials
        public Principal getUserPrincipal() {
            return null;
        }
    }

    @BeforeClass
    public static void setupServer() throws Exception {
        File file = new File(System.getProperty("user.dir"), "target");
        Assert.assertTrue(file.exists());
        File file2 = new File(file, TestSecureRESTServer.class.getSimpleName() + "_keytabs");
        if (file2.exists()) {
            FileUtils.deleteDirectory(file2);
        }
        file2.mkdirs();
        serviceKeytab = new File(file2, "hbase.service.keytab");
        restServerKeytab = new File(file2, "spnego.keytab");
        clientKeytab = new File(file2, "client.keytab");
        final Configuration configuration = TEST_UTIL.getConfiguration();
        KDC = TEST_UTIL.setupMiniKdc(serviceKeytab);
        KDC.createPrincipal(clientKeytab, new String[]{CLIENT_PRINCIPAL});
        KDC.createPrincipal(serviceKeytab, new String[]{SERVICE_PRINCIPAL});
        KDC.createPrincipal(restServerKeytab, new String[]{SPNEGO_SERVICE_PRINCIPAL, REST_SERVER_PRINCIPAL});
        HBaseKerberosUtils.setPrincipalForTesting("hbase/localhost@" + KDC.getRealm());
        HBaseKerberosUtils.setKeytabFileForTesting(serviceKeytab.getAbsolutePath());
        configuration.set("hbase.master.keytab.file", serviceKeytab.getAbsolutePath());
        configuration.set("hbase.regionserver.hostname", HOSTNAME);
        configuration.set("hbase.master.hostname", HOSTNAME);
        HBaseKerberosUtils.setSecuredConfiguration(configuration, "hbase/localhost@" + KDC.getRealm(), "HTTP/localhost@" + KDC.getRealm());
        setHdfsSecuredConfiguration(configuration);
        configuration.setStrings("hbase.coprocessor.region.classes", new String[]{TokenProvider.class.getName(), AccessController.class.getName()});
        configuration.setStrings("hbase.coprocessor.master.classes", new String[]{AccessController.class.getName()});
        configuration.setStrings("hbase.coprocessor.regionserver.classes", new String[]{AccessController.class.getName()});
        configuration.setBoolean("hbase.security.exec.permission.checks", true);
        configuration.set("hbase.superuser", "hbase");
        configuration.set("hadoop.proxyuser.rest.hosts", "*");
        configuration.set("hadoop.proxyuser.rest.users", "*");
        UserGroupInformation.setConfiguration(configuration);
        updateKerberosConfiguration(configuration, REST_SERVER_PRINCIPAL, SPNEGO_SERVICE_PRINCIPAL, restServerKeytab);
        TEST_UTIL.startMiniCluster(StartMiniClusterOption.builder().numMasters(1).numRegionServers(1).numZkServers(1).build());
        UserGroupInformation.loginUserFromKeytabAndReturnUGI(REST_SERVER_PRINCIPAL, restServerKeytab.getAbsolutePath()).doAs(new PrivilegedExceptionAction<Void>() { // from class: org.apache.hadoop.hbase.rest.TestSecureRESTServer.1
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public Void run() throws Exception {
                TestSecureRESTServer.REST_TEST.startServletContainer(configuration);
                return null;
            }
        });
        baseUrl = new URL("http://localhost:" + REST_TEST.getServletPort());
        LOG.info("HTTP server started: " + baseUrl);
        TEST_UTIL.waitTableAvailable(TableName.valueOf("hbase:acl"));
        UserGroupInformation.loginUserFromKeytabAndReturnUGI(SERVICE_PRINCIPAL, serviceKeytab.getAbsolutePath()).doAs(new PrivilegedExceptionAction<Void>() { // from class: org.apache.hadoop.hbase.rest.TestSecureRESTServer.2
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public Void run() throws Exception {
                try {
                    Connection createConnection = ConnectionFactory.createConnection(TestSecureRESTServer.TEST_UTIL.getConfiguration());
                    Throwable th = null;
                    try {
                        AccessControlClient.grant(createConnection, TestSecureRESTServer.REST_SERVER_PRINCIPAL, new Permission.Action[]{Permission.Action.CREATE, Permission.Action.READ, Permission.Action.WRITE});
                        if (createConnection != null) {
                            if (0 != 0) {
                                try {
                                    createConnection.close();
                                } catch (Throwable th2) {
                                    th.addSuppressed(th2);
                                }
                            } else {
                                createConnection.close();
                            }
                        }
                        return null;
                    } finally {
                    }
                } catch (Throwable th3) {
                    if (th3 instanceof Exception) {
                        throw ((Exception) th3);
                    }
                    throw new Exception(th3);
                }
            }
        });
    }

    @AfterClass
    public static void stopServer() throws Exception {
        try {
            if (null != server) {
                server.stop();
            }
        } catch (Exception e) {
            LOG.info("Failed to stop info server", e);
        }
        try {
            if (CLUSTER != null) {
                CLUSTER.shutdown();
            }
        } catch (Exception e2) {
            LOG.info("Failed to stop HBase cluster", e2);
        }
        try {
            if (null != KDC) {
                KDC.stop();
            }
        } catch (Exception e3) {
            LOG.info("Failed to stop mini KDC", e3);
        }
    }

    private static void setHdfsSecuredConfiguration(Configuration configuration) throws Exception {
        configuration.set("dfs.namenode.kerberos.principal", "hbase/localhost@" + KDC.getRealm());
        configuration.set("dfs.namenode.keytab.file", serviceKeytab.getAbsolutePath());
        configuration.set("dfs.datanode.kerberos.principal", "hbase/localhost@" + KDC.getRealm());
        configuration.set("dfs.datanode.keytab.file", serviceKeytab.getAbsolutePath());
        configuration.set("dfs.web.authentication.kerberos.principal", "HTTP/localhost@" + KDC.getRealm());
        configuration.setBoolean("dfs.block.access.token.enable", true);
        configuration.set("dfs.http.policy", HttpConfig.Policy.HTTPS_ONLY.name());
        configuration.set("dfs.namenode.https-address", "localhost:0");
        configuration.set("dfs.datanode.https.address", "localhost:0");
        File file = new File(TEST_UTIL.getDataTestDir("keystore").toUri().getPath());
        file.mkdirs();
        KeyStoreTestUtil.setupSSLConfig(file.getAbsolutePath(), KeyStoreTestUtil.getClasspathDir(TestSecureRESTServer.class), configuration, false);
        configuration.setBoolean("ignore.secure.ports.for.testing", true);
    }

    private static void updateKerberosConfiguration(Configuration configuration, String str, String str2, File file) {
        KerberosName.setRules("DEFAULT");
        configuration.set("hbase.security.authentication", "kerberos");
        configuration.set("hbase.rest.authentication.type", "kerberos");
        configuration.set("hbase.rest.kerberos.principal", str);
        configuration.set("hbase.rest.authentication.kerberos.principal", str2);
        configuration.set("hbase.rest.keytab.file", file.getAbsolutePath());
        configuration.set("hbase.rest.authentication.kerberos.keytab", file.getAbsolutePath());
    }

    @Test
    public void testPositiveAuthorization() throws Exception {
        UserGroupInformation loginUserFromKeytabAndReturnUGI = UserGroupInformation.loginUserFromKeytabAndReturnUGI(SERVICE_PRINCIPAL, serviceKeytab.getAbsolutePath());
        final TableName valueOf = TableName.valueOf("publicTable");
        loginUserFromKeytabAndReturnUGI.doAs(new PrivilegedExceptionAction<Void>() { // from class: org.apache.hadoop.hbase.rest.TestSecureRESTServer.3
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public Void run() throws Exception {
                try {
                    Connection createConnection = ConnectionFactory.createConnection(TestSecureRESTServer.TEST_UTIL.getConfiguration());
                    Throwable th = null;
                    try {
                        createConnection.getAdmin().createTable(TableDescriptorBuilder.newBuilder(valueOf).setColumnFamily(ColumnFamilyDescriptorBuilder.of("f1")).build());
                        Table table = createConnection.getTable(valueOf);
                        Throwable th2 = null;
                        try {
                            try {
                                Put put = new Put(Bytes.toBytes("a"));
                                put.addColumn(Bytes.toBytes("f1"), new byte[0], Bytes.toBytes("1"));
                                table.put(put);
                                if (table != null) {
                                    if (0 != 0) {
                                        try {
                                            table.close();
                                        } catch (Throwable th3) {
                                            th2.addSuppressed(th3);
                                        }
                                    } else {
                                        table.close();
                                    }
                                }
                                AccessControlClient.grant(createConnection, TestSecureRESTServer.CLIENT_PRINCIPAL, new Permission.Action[]{Permission.Action.READ});
                                if (createConnection != null) {
                                    if (0 != 0) {
                                        try {
                                            createConnection.close();
                                        } catch (Throwable th4) {
                                            th.addSuppressed(th4);
                                        }
                                    } else {
                                        createConnection.close();
                                    }
                                }
                                return null;
                            } finally {
                            }
                        } catch (Throwable th5) {
                            if (table != null) {
                                if (th2 != null) {
                                    try {
                                        table.close();
                                    } catch (Throwable th6) {
                                        th2.addSuppressed(th6);
                                    }
                                } else {
                                    table.close();
                                }
                            }
                            throw th5;
                        }
                    } finally {
                    }
                } catch (Throwable th7) {
                    if (th7 instanceof Exception) {
                        throw ((Exception) th7);
                    }
                    throw new Exception(th7);
                }
            }
        });
        Pair<CloseableHttpClient, HttpClientContext> client = getClient();
        final CloseableHttpClient closeableHttpClient = (CloseableHttpClient) client.getFirst();
        final HttpClientContext httpClientContext = (HttpClientContext) client.getSecond();
        final HttpGet httpGet = new HttpGet(new URL("http://localhost:" + REST_TEST.getServletPort()).toURI() + "/" + valueOf + "/a");
        httpGet.addHeader("Accept", "application/json");
        CellSetModel cellSetModel = (CellSetModel) new JacksonJaxbJsonProvider().locateMapper(CellSetModel.class, MediaType.APPLICATION_JSON_TYPE).readValue((String) UserGroupInformation.loginUserFromKeytabAndReturnUGI(CLIENT_PRINCIPAL, clientKeytab.getAbsolutePath()).doAs(new PrivilegedExceptionAction<String>() { // from class: org.apache.hadoop.hbase.rest.TestSecureRESTServer.4
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public String run() throws Exception {
                CloseableHttpResponse execute = closeableHttpClient.execute(httpGet, httpClientContext);
                Throwable th = null;
                try {
                    Assert.assertEquals(execute.getStatusLine().toString(), 200L, execute.getStatusLine().getStatusCode());
                    String entityUtils = EntityUtils.toString(execute.getEntity());
                    if (execute != null) {
                        if (0 != 0) {
                            try {
                                execute.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            execute.close();
                        }
                    }
                    return entityUtils;
                } catch (Throwable th3) {
                    if (execute != null) {
                        if (0 != 0) {
                            try {
                                execute.close();
                            } catch (Throwable th4) {
                                th.addSuppressed(th4);
                            }
                        } else {
                            execute.close();
                        }
                    }
                    throw th3;
                }
            }
        }), CellSetModel.class);
        Assert.assertEquals(1L, cellSetModel.getRows().size());
        RowModel rowModel = (RowModel) cellSetModel.getRows().get(0);
        Assert.assertEquals("a", Bytes.toString(rowModel.getKey()));
        Assert.assertEquals(1L, rowModel.getCells().size());
        Assert.assertEquals("1", Bytes.toString(((CellModel) rowModel.getCells().get(0)).getValue()));
    }

    @Test
    public void testNegativeAuthorization() throws Exception {
        Pair<CloseableHttpClient, HttpClientContext> client = getClient();
        final CloseableHttpClient closeableHttpClient = (CloseableHttpClient) client.getFirst();
        final HttpClientContext httpClientContext = (HttpClientContext) client.getSecond();
        StringEntity stringEntity = new StringEntity("{\"name\":\"test\", \"ColumnSchema\":[{\"name\":\"f\"}]}", ContentType.APPLICATION_JSON);
        final HttpPut httpPut = new HttpPut("http://localhost:" + REST_TEST.getServletPort() + "/test/schema");
        httpPut.setEntity(stringEntity);
        UserGroupInformation.loginUserFromKeytabAndReturnUGI(CLIENT_PRINCIPAL, clientKeytab.getAbsolutePath()).doAs(new PrivilegedExceptionAction<Void>() { // from class: org.apache.hadoop.hbase.rest.TestSecureRESTServer.5
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public Void run() throws Exception {
                CloseableHttpResponse execute = closeableHttpClient.execute(httpPut, httpClientContext);
                Throwable th = null;
                try {
                    Assert.assertEquals("Got response: " + EntityUtils.toString(execute.getEntity()), 403L, execute.getStatusLine().getStatusCode());
                    if (execute == null) {
                        return null;
                    }
                    if (0 == 0) {
                        execute.close();
                        return null;
                    }
                    try {
                        execute.close();
                        return null;
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                        return null;
                    }
                } catch (Throwable th3) {
                    if (execute != null) {
                        if (0 != 0) {
                            try {
                                execute.close();
                            } catch (Throwable th4) {
                                th.addSuppressed(th4);
                            }
                        } else {
                            execute.close();
                        }
                    }
                    throw th3;
                }
            }
        });
    }

    private Pair<CloseableHttpClient, HttpClientContext> getClient() {
        PoolingHttpClientConnectionManager poolingHttpClientConnectionManager = new PoolingHttpClientConnectionManager();
        HttpHost httpHost = new HttpHost(HOSTNAME, REST_TEST.getServletPort());
        Registry build = RegistryBuilder.create().register("Negotiate", new SPNegoSchemeFactory(true, true)).build();
        BasicCredentialsProvider basicCredentialsProvider = new BasicCredentialsProvider();
        basicCredentialsProvider.setCredentials(AuthScope.ANY, EmptyCredentials.INSTANCE);
        BasicAuthCache basicAuthCache = new BasicAuthCache();
        CloseableHttpClient build2 = HttpClients.custom().setDefaultAuthSchemeRegistry(build).setConnectionManager(poolingHttpClientConnectionManager).build();
        HttpClientContext create = HttpClientContext.create();
        create.setTargetHost(httpHost);
        create.setCredentialsProvider(basicCredentialsProvider);
        create.setAuthSchemeRegistry(build);
        create.setAuthCache(basicAuthCache);
        return new Pair<>(build2, create);
    }
}
