package org.apache.hadoop.hbase.security.access;

import com.google.common.collect.Lists;
import com.google.common.collect.Maps;
import com.google.protobuf.RpcController;
import com.google.protobuf.ServiceException;
import java.io.IOException;
import java.lang.reflect.UndeclaredThrowableException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.concurrent.Callable;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseTestingUtility;
import org.apache.hadoop.hbase.HConstants;
import org.apache.hadoop.hbase.MiniHBaseCluster;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.Waiter;
import org.apache.hadoop.hbase.client.HTable;
import org.apache.hadoop.hbase.client.RetriesExhaustedWithDetailsException;
import org.apache.hadoop.hbase.protobuf.ProtobufUtil;
import org.apache.hadoop.hbase.protobuf.generated.AccessControlProtos;
import org.apache.hadoop.hbase.regionserver.HRegion;
import org.apache.hadoop.hbase.security.AccessDeniedException;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.security.access.Permission;
import org.apache.hadoop.hbase.util.JVMClusterUtil;
import org.junit.Assert;

/* loaded from: input_file:org/apache/hadoop/hbase/security/access/SecureTestUtil.class */
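/**
 * Helpers for HBase access-control tests: installs {@link AccessController} into a test
 * configuration, asserts that actions are allowed or denied for a given {@link User}, and
 * grants or revokes permissions while waiting for every region's AccessController to see
 * the change.
 *
 * <p>This listing was recovered by a decompiler. Parameter names such as {@code str} or
 * {@code bArr} are decompiler-generated, and the visibility of {@link AccessTestAction}
 * and {@link #getAuthManagerMTimes} is the widened one the decompiler reported.
 */
public class SecureTestUtil {
    private static final Log LOG = LogFactory.getLog(SecureTestUtil.class);

    /** Timeout, in milliseconds, for waiting until all AccessControllers observe an ACL change. */
    private static final int WAIT_TIME = 10000;

    /**
     * A privileged action whose outcome (result or exception) is inspected by the
     * {@code verifyAllowed} / {@code verifyDenied} helpers.
     */
    public interface AccessTestAction extends PrivilegedExceptionAction<Object> {
    }

    /**
     * Configures {@code configuration} so that AccessController is loaded as a master,
     * region and region-server coprocessor (plus SecureBulkLoadEndpoint on regions), sets
     * the superuser list and selects HFile format version 3.
     *
     * <p>Test-only settings: Hadoop service authorization is set to {@code "false"} and
     * authentication to {@code "simple"}, and the superuser list is {@code admin}, the
     * current user, and {@code <current user>.hfs.0} through {@code .hfs.4}. None of this
     * is suitable to copy into a deployment configuration.
     *
     * @param configuration configuration to modify in place
     * @throws IOException if the current user cannot be determined
     */
    public static void enableSecurity(Configuration configuration) throws IOException {
        String accessController = AccessController.class.getName();
        configuration.set("hadoop.security.authorization", "false");
        configuration.set("hadoop.security.authentication", "simple");
        configuration.set("hbase.coprocessor.master.classes", accessController);
        configuration.set("hbase.coprocessor.region.classes", accessController + "," + SecureBulkLoadEndpoint.class.getName());
        configuration.set("hbase.coprocessor.regionserver.classes", accessController);

        String currentUser = User.getCurrent().getName();
        StringBuilder superusers = new StringBuilder("admin,").append(currentUser);
        for (int i = 0; i < 5; i++) {
            superusers.append(',').append(currentUser).append(".hfs.").append(i);
        }
        configuration.set("hbase.superuser", superusers.toString());
        configuration.setInt("hfile.format.version", 3);
    }

    /**
     * Fails fast when a test configuration would run without access control: every system
     * coprocessor list must mention AccessController and the HFile format version must be
     * at least 3.
     *
     * <p>The coprocessor check is a substring match on the class name, so it shows that the
     * name appears in the list, not that the list is otherwise well formed.
     *
     * @param configuration configuration to inspect
     * @throws RuntimeException if a coprocessor list is absent or lacks AccessController,
     *         or if the HFile version is below 3
     */
    public static void verifyConfiguration(Configuration configuration) {
        String accessController = AccessController.class.getName();
        String[] coprocessorKeys = {
            "hbase.coprocessor.master.classes",
            "hbase.coprocessor.region.classes",
            "hbase.coprocessor.regionserver.classes"
        };
        for (String key : coprocessorKeys) {
            String classes = configuration.get(key);
            // An unset key is reported like a list without AccessController instead of as a NullPointerException.
            if (classes == null || !classes.contains(accessController)) {
                throw new RuntimeException("AccessController is missing from a system coprocessor list");
            }
        }
        if (configuration.getInt("hfile.format.version", 2) < 3) {
            throw new RuntimeException("Post 0.96 security features require HFile version >= 3");
        }
    }

    /**
     * Builds one {@link TablePermission} per action and checks them all against the table.
     *
     * @param configuration client configuration used to reach the table
     * @param tableName table whose permissions are checked
     * @param bArr second TablePermission constructor argument (presumably the column family; confirm)
     * @param bArr2 third TablePermission constructor argument (presumably the qualifier; confirm)
     * @param actionArr actions to check, each as its own permission
     * @throws IOException if the permission check fails or the table cannot be reached
     */
    public static void checkTablePerms(Configuration configuration, TableName tableName, byte[] bArr, byte[] bArr2, Permission.Action... actionArr) throws IOException {
        Permission[] permissions = new Permission[actionArr.length];
        for (int i = 0; i < actionArr.length; i++) {
            permissions[i] = new TablePermission(tableName, bArr, bArr2, new Permission.Action[]{actionArr[i]});
        }
        checkTablePerms(configuration, tableName, permissions);
    }

    /**
     * Sends a CheckPermissionsRequest holding {@code permissionArr} to the
     * AccessControlService endpoint of {@code tableName}.
     *
     * @param configuration client configuration used to reach the table
     * @param tableName table whose AccessControlService is called
     * @param permissionArr permissions to check
     * @throws IOException if the table cannot be opened or closed, or the check is rejected
     */
    public static void checkTablePerms(Configuration configuration, TableName tableName, Permission... permissionArr) throws IOException {
        AccessControlProtos.CheckPermissionsRequest.Builder request = AccessControlProtos.CheckPermissionsRequest.newBuilder();
        for (Permission permission : permissionArr) {
            request.addPermission(ProtobufUtil.toPermission(permission));
        }
        HTable table = new HTable(configuration, tableName);
        try {
            AccessControlProtos.AccessControlService.newBlockingStub(table.coprocessorService(new byte[0])).checkPermissions((RpcController) null, request.build());
        } catch (ServiceException e) {
            // NOTE(review): this only surfaces a rejected check if toIOException throws. If the
            // ProtobufUtil version in use returns the converted exception instead, the failure
            // is dropped here and the check always appears to pass - confirm.
            ProtobufUtil.toIOException(e);
        } finally {
            table.close();
        }
    }

    /**
     * Runs each action as {@code user} and fails the test if any is denied or returns an
     * empty list.
     *
     * @param user user to run the actions as
     * @param accessTestActionArr actions expected to be permitted
     * @throws Exception any exception other than AccessDeniedException thrown by an action
     */
    public static void verifyAllowed(User user, AccessTestAction... accessTestActionArr) throws Exception {
        for (AccessTestAction action : accessTestActionArr) {
            try {
                Object result = user.runAs(action);
                if (result instanceof List && ((List<?>) result).isEmpty()) {
                    Assert.fail("Empty non null results from action for user '" + user.getShortName() + "'");
                }
            } catch (AccessDeniedException e) {
                Assert.fail("Expected action to pass for user '" + user.getShortName() + "' but was denied");
            }
        }
    }

    /**
     * Checks that one action is permitted for every listed user.
     *
     * @param accessTestAction action expected to be permitted
     * @param userArr users to run the action as
     * @throws Exception any exception other than AccessDeniedException thrown by the action
     */
    public static void verifyAllowed(AccessTestAction accessTestAction, User... userArr) throws Exception {
        for (User user : userArr) {
            verifyAllowed(user, accessTestAction);
        }
    }

    /**
     * Checks that the action is permitted and, when it returns a list, that the list is
     * non-empty and has exactly {@code i} elements. Results that are not lists are not
     * size-checked.
     *
     * @param user user to run the action as
     * @param accessTestAction action expected to be permitted
     * @param i expected number of results
     * @throws Exception any exception other than AccessDeniedException thrown by the action
     */
    public static void verifyAllowed(User user, AccessTestAction accessTestAction, int i) throws Exception {
        try {
            Object result = user.runAs(accessTestAction);
            if (result instanceof List) {
                List<?> results = (List<?>) result;
                if (results.isEmpty()) {
                    Assert.fail("Empty non null results from action for user '" + user.getShortName() + "'");
                }
                Assert.assertEquals(i, results.size());
            }
        } catch (AccessDeniedException e) {
            Assert.fail("Expected action to pass for user '" + user.getShortName() + "' but was denied");
        }
    }

    /**
     * Checks that every action is rejected with an access-denied exception for {@code user}.
     *
     * @param user user to run the actions as
     * @param accessTestActionArr actions expected to be denied
     * @throws Exception any exception from an action that the denial check does not handle
     */
    public static void verifyDeniedWithException(User user, AccessTestAction... accessTestActionArr) throws Exception {
        verifyDenied(user, true, accessTestActionArr);
    }

    /**
     * Checks that one action is rejected with an access-denied exception for every listed user.
     *
     * @param accessTestAction action expected to be denied
     * @param userArr users to run the action as
     * @throws Exception any exception from the action that the denial check does not handle
     */
    public static void verifyDeniedWithException(AccessTestAction accessTestAction, User... userArr) throws Exception {
        for (User user : userArr) {
            verifyDenied(user, true, accessTestAction);
        }
    }

    /**
     * Checks that every action is denied for {@code user}, accepting either an access-denied
     * exception or a result that is not a non-empty list.
     *
     * @param user user to run the actions as
     * @param accessTestActionArr actions expected to be denied
     * @throws Exception any exception from an action that the denial check does not handle
     */
    public static void verifyDenied(User user, AccessTestAction... accessTestActionArr) throws Exception {
        verifyDenied(user, false, accessTestActionArr);
    }

    /**
     * Runs each action as {@code user} and fails the test unless it is denied.
     *
     * <p>An action counts as denied when it throws an IOException that carries an
     * AccessDeniedException (see {@link #isAccessDenied}), or an
     * UndeclaredThrowableException that unwraps to a ServiceException caused by an
     * AccessDeniedException. When {@code z} is false, an action that completes normally
     * also counts as denied unless it returns a non-empty list; a {@code null} or non-list
     * result is therefore accepted as a denial, so tests that must prove enforcement should
     * pass {@code z = true}.
     *
     * @param user user to run the actions as
     * @param z whether an exception is required for the action to count as denied
     * @param accessTestActionArr actions expected to be denied
     * @throws Exception any exception from an action other than the two handled kinds
     */
    public static void verifyDenied(User user, boolean z, AccessTestAction... accessTestActionArr) throws Exception {
        for (AccessTestAction action : accessTestActionArr) {
            try {
                Object result = user.runAs(action);
                if (z) {
                    Assert.fail("Expected exception was not thrown for user '" + user.getShortName() + "'");
                }
                if (result instanceof List && !((List<?>) result).isEmpty()) {
                    Assert.fail("Unexpected results for user '" + user.getShortName() + "'");
                }
            } catch (IOException e) {
                if (!isAccessDenied(e)) {
                    Assert.fail("Expected exception was not thrown for user '" + user.getShortName() + "'");
                }
            } catch (UndeclaredThrowableException e) {
                Throwable thrown = e.getUndeclaredThrowable();
                if (thrown instanceof PrivilegedActionException) {
                    thrown = ((PrivilegedActionException) thrown).getException();
                }
                boolean denied = thrown instanceof ServiceException && thrown.getCause() instanceof AccessDeniedException;
                if (!denied) {
                    Assert.fail("Expected exception was not thrown for user '" + user.getShortName() + "'");
                }
                // Fall through to the next action. Returning from the method here would leave
                // every remaining action unverified while the test still reports success.
            }
        }
    }

    /**
     * Checks that one action is denied for every listed user.
     *
     * @param accessTestAction action expected to be denied
     * @param userArr users to run the action as
     * @throws Exception any exception from the action that the denial check does not handle
     */
    public static void verifyDenied(AccessTestAction accessTestAction, User... userArr) throws Exception {
        for (User user : userArr) {
            verifyDenied(user, accessTestAction);
        }
    }

    /**
     * Tells whether {@code e} carries an AccessDeniedException: among the collected causes
     * of a RetriesExhaustedWithDetailsException, or otherwise anywhere in the cause chain
     * starting at {@code e} itself.
     */
    private static boolean isAccessDenied(IOException e) {
        if (e instanceof RetriesExhaustedWithDetailsException) {
            for (Throwable cause : ((RetriesExhaustedWithDetailsException) e).getCauses()) {
                if (cause instanceof AccessDeniedException) {
                    return true;
                }
            }
            return false;
        }
        for (Throwable current = e; current != null; current = current.getCause()) {
            if (current instanceof AccessDeniedException) {
                return true;
            }
        }
        return false;
    }

    /**
     * Collects the AccessController coprocessor of every online region on every live
     * region server of the mini cluster; regions without one are skipped.
     */
    private static List<AccessController> getAccessControllers(MiniHBaseCluster miniHBaseCluster) {
        List<AccessController> controllers = Lists.newArrayList();
        for (JVMClusterUtil.RegionServerThread serverThread : miniHBaseCluster.getLiveRegionServerThreads()) {
            for (HRegion region : serverThread.getRegionServer().getOnlineRegionsLocalContext()) {
                Object coprocessor = region.getCoprocessorHost().findCoprocessor(AccessController.class.getName());
                if (coprocessor instanceof AccessController) {
                    controllers.add((AccessController) coprocessor);
                }
            }
        }
        return controllers;
    }

    /**
     * Snapshots the auth manager modification time of every AccessController in the cluster.
     *
     * @param miniHBaseCluster cluster to inspect
     * @return map from each region's AccessController to its auth manager's mtime
     */
    public static Map<AccessController, Long> getAuthManagerMTimes(MiniHBaseCluster miniHBaseCluster) {
        Map<AccessController, Long> mtimes = Maps.newHashMap();
        for (AccessController controller : getAccessControllers(miniHBaseCluster)) {
            mtimes.put(controller, Long.valueOf(controller.getAuthManager().getMTime()));
        }
        return mtimes;
    }

    /**
     * Runs an ACL change and then polls, for up to {@link #WAIT_TIME} ms at 100 ms intervals,
     * until every AccessController reports a strictly newer auth manager mtime than before
     * the change.
     *
     * <p>A controller that was not in the pre-change snapshot keeps the predicate false, so
     * a region that comes online during the update prevents the wait from succeeding. The
     * value returned by {@code waitFor} is not inspected here; whether a timeout fails the
     * test depends on HBaseTestingUtility (confirm), otherwise callers would continue with
     * ACLs that some regions have not yet applied.
     */
    private static void updateACLs(final HBaseTestingUtility hBaseTestingUtility, Callable<?> callable) throws Exception {
        final Map<AccessController, Long> authManagerMTimes = getAuthManagerMTimes(hBaseTestingUtility.getHBaseCluster());
        callable.call();
        hBaseTestingUtility.waitFor(WAIT_TIME, 100L, new Waiter.Predicate<IOException>() {
            @Override
            public boolean evaluate() throws IOException {
                Map<AccessController, Long> current = getAuthManagerMTimes(hBaseTestingUtility.getHBaseCluster());
                for (Map.Entry<AccessController, Long> entry : current.entrySet()) {
                    AccessController controller = entry.getKey();
                    if (!authManagerMTimes.containsKey(controller)) {
                        LOG.error("Snapshot of AccessController state does not include instance on region " + controller.getRegion().getRegionNameAsString());
                        return false;
                    }
                    long before = authManagerMTimes.get(controller).longValue();
                    long now = entry.getValue().longValue();
                    if (now <= before) {
                        LOG.info("AccessController on region " + controller.getRegion().getRegionNameAsString() + " has not updated: mtime=" + now);
                        return false;
                    }
                }
                return true;
            }
        });
    }

    /**
     * Grants global permissions through the ACL table's AccessControlService and waits for
     * the change to reach every AccessController.
     *
     * @param hBaseTestingUtility test cluster to operate on
     * @param str grantee passed to {@code ProtobufUtil.grant} (presumably the user's short name)
     * @param actionArr actions to grant
     * @throws Exception if the grant fails or the ACL table cannot be opened or closed
     */
    public static void grantGlobal(final HBaseTestingUtility hBaseTestingUtility, final String str, final Permission.Action... actionArr) throws Exception {
        updateACLs(hBaseTestingUtility, new Callable<Void>() {
            @Override
            public Void call() throws Exception {
                HTable aclTable = new HTable(hBaseTestingUtility.getConfiguration(), AccessControlLists.ACL_TABLE_NAME);
                try {
                    ProtobufUtil.grant(AccessControlProtos.AccessControlService.newBlockingStub(aclTable.coprocessorService(HConstants.EMPTY_START_ROW)), str, actionArr);
                } finally {
                    aclTable.close();
                }
                return null;
            }
        });
    }

    /**
     * Revokes global permissions through the ACL table's AccessControlService and waits for
     * the change to reach every AccessController.
     *
     * @param hBaseTestingUtility test cluster to operate on
     * @param str subject passed to {@code ProtobufUtil.revoke} (presumably the user's short name)
     * @param actionArr actions to revoke
     * @throws Exception if the revoke fails or the ACL table cannot be opened or closed
     */
    public static void revokeGlobal(final HBaseTestingUtility hBaseTestingUtility, final String str, final Permission.Action... actionArr) throws Exception {
        updateACLs(hBaseTestingUtility, new Callable<Void>() {
            @Override
            public Void call() throws Exception {
                HTable aclTable = new HTable(hBaseTestingUtility.getConfiguration(), AccessControlLists.ACL_TABLE_NAME);
                try {
                    ProtobufUtil.revoke(AccessControlProtos.AccessControlService.newBlockingStub(aclTable.coprocessorService(HConstants.EMPTY_START_ROW)), str, actionArr);
                } finally {
                    aclTable.close();
                }
                return null;
            }
        });
    }

    /**
     * Grants permissions at namespace scope and waits for the change to reach every
     * AccessController.
     *
     * @param hBaseTestingUtility test cluster to operate on
     * @param str grantee passed to {@code ProtobufUtil.grant} (presumably the user's short name)
     * @param str2 second string passed to {@code ProtobufUtil.grant} (presumably the namespace)
     * @param actionArr actions to grant
     * @throws Exception if the grant fails or the ACL table cannot be opened or closed
     */
    public static void grantOnNamespace(final HBaseTestingUtility hBaseTestingUtility, final String str, final String str2, final Permission.Action... actionArr) throws Exception {
        updateACLs(hBaseTestingUtility, new Callable<Void>() {
            @Override
            public Void call() throws Exception {
                HTable aclTable = new HTable(hBaseTestingUtility.getConfiguration(), AccessControlLists.ACL_TABLE_NAME);
                try {
                    ProtobufUtil.grant(AccessControlProtos.AccessControlService.newBlockingStub(aclTable.coprocessorService(HConstants.EMPTY_START_ROW)), str, str2, actionArr);
                } finally {
                    aclTable.close();
                }
                return null;
            }
        });
    }

    /**
     * Revokes permissions at namespace scope and waits for the change to reach every
     * AccessController.
     *
     * @param hBaseTestingUtility test cluster to operate on
     * @param str subject passed to {@code ProtobufUtil.revoke} (presumably the user's short name)
     * @param str2 second string passed to {@code ProtobufUtil.revoke} (presumably the namespace)
     * @param actionArr actions to revoke
     * @throws Exception if the revoke fails or the ACL table cannot be opened or closed
     */
    public static void revokeFromNamespace(final HBaseTestingUtility hBaseTestingUtility, final String str, final String str2, final Permission.Action... actionArr) throws Exception {
        updateACLs(hBaseTestingUtility, new Callable<Void>() {
            @Override
            public Void call() throws Exception {
                HTable aclTable = new HTable(hBaseTestingUtility.getConfiguration(), AccessControlLists.ACL_TABLE_NAME);
                try {
                    ProtobufUtil.revoke(AccessControlProtos.AccessControlService.newBlockingStub(aclTable.coprocessorService(HConstants.EMPTY_START_ROW)), str, str2, actionArr);
                } finally {
                    aclTable.close();
                }
                return null;
            }
        });
    }

    /**
     * Grants permissions at table scope and waits for the change to reach every
     * AccessController.
     *
     * @param hBaseTestingUtility test cluster to operate on
     * @param str grantee passed to {@code ProtobufUtil.grant} (presumably the user's short name)
     * @param tableName table the permissions apply to
     * @param bArr first byte array passed to {@code ProtobufUtil.grant} (presumably the column family)
     * @param bArr2 second byte array passed to {@code ProtobufUtil.grant} (presumably the qualifier)
     * @param actionArr actions to grant
     * @throws Exception if the grant fails or the ACL table cannot be opened or closed
     */
    public static void grantOnTable(final HBaseTestingUtility hBaseTestingUtility, final String str, final TableName tableName, final byte[] bArr, final byte[] bArr2, final Permission.Action... actionArr) throws Exception {
        updateACLs(hBaseTestingUtility, new Callable<Void>() {
            @Override
            public Void call() throws Exception {
                HTable aclTable = new HTable(hBaseTestingUtility.getConfiguration(), AccessControlLists.ACL_TABLE_NAME);
                try {
                    ProtobufUtil.grant(AccessControlProtos.AccessControlService.newBlockingStub(aclTable.coprocessorService(HConstants.EMPTY_START_ROW)), str, tableName, bArr, bArr2, actionArr);
                } finally {
                    aclTable.close();
                }
                return null;
            }
        });
    }

    /**
     * Revokes permissions at table scope and waits for the change to reach every
     * AccessController.
     *
     * @param hBaseTestingUtility test cluster to operate on
     * @param str subject passed to {@code ProtobufUtil.revoke} (presumably the user's short name)
     * @param tableName table the permissions apply to
     * @param bArr first byte array passed to {@code ProtobufUtil.revoke} (presumably the column family)
     * @param bArr2 second byte array passed to {@code ProtobufUtil.revoke} (presumably the qualifier)
     * @param actionArr actions to revoke
     * @throws Exception if the revoke fails or the ACL table cannot be opened or closed
     */
    public static void revokeFromTable(final HBaseTestingUtility hBaseTestingUtility, final String str, final TableName tableName, final byte[] bArr, final byte[] bArr2, final Permission.Action... actionArr) throws Exception {
        updateACLs(hBaseTestingUtility, new Callable<Void>() {
            @Override
            public Void call() throws Exception {
                HTable aclTable = new HTable(hBaseTestingUtility.getConfiguration(), AccessControlLists.ACL_TABLE_NAME);
                try {
                    ProtobufUtil.revoke(AccessControlProtos.AccessControlService.newBlockingStub(aclTable.coprocessorService(HConstants.EMPTY_START_ROW)), str, tableName, bArr, bArr2, actionArr);
                } finally {
                    aclTable.close();
                }
                return null;
            }
        });
    }
}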
