package org.apache.hadoop.hbase.security.token;

import java.io.IOException;
import java.net.InetSocketAddress;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.concurrent.ConcurrentMap;
import java.util.concurrent.ExecutorService;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.CommonConfigurationKeys;
import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
import org.apache.hadoop.hbase.ChoreService;
import org.apache.hadoop.hbase.ClusterId;
import org.apache.hadoop.hbase.CoordinatedStateManager;
import org.apache.hadoop.hbase.Coprocessor;
import org.apache.hadoop.hbase.HBaseTestingUtility;
import org.apache.hadoop.hbase.HRegionInfo;
import org.apache.hadoop.hbase.Server;
import org.apache.hadoop.hbase.ServerName;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.client.ClusterConnection;
import org.apache.hadoop.hbase.client.Connection;
import org.apache.hadoop.hbase.client.ConnectionFactory;
import org.apache.hadoop.hbase.client.HTableInterface;
import org.apache.hadoop.hbase.coprocessor.RegionCoprocessorEnvironment;
import org.apache.hadoop.hbase.ipc.BlockingRpcCallback;
import org.apache.hadoop.hbase.ipc.FifoRpcScheduler;
import org.apache.hadoop.hbase.ipc.RpcClient;
import org.apache.hadoop.hbase.ipc.RpcClientFactory;
import org.apache.hadoop.hbase.ipc.RpcServer;
import org.apache.hadoop.hbase.ipc.RpcServerInterface;
import org.apache.hadoop.hbase.ipc.ServerRpcController;
import org.apache.hadoop.hbase.metrics.MetricRegistry;
import org.apache.hadoop.hbase.protobuf.generated.AuthenticationProtos;
import org.apache.hadoop.hbase.regionserver.HRegion;
import org.apache.hadoop.hbase.regionserver.RegionServerServices;
import org.apache.hadoop.hbase.security.SecurityInfo;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.shaded.com.google.protobuf.RpcController;
import org.apache.hadoop.hbase.shaded.com.google.protobuf.ServiceException;
import org.apache.hadoop.hbase.shaded.org.junit.AfterClass;
import org.apache.hadoop.hbase.shaded.org.junit.Assert;
import org.apache.hadoop.hbase.shaded.org.junit.BeforeClass;
import org.apache.hadoop.hbase.shaded.org.junit.Test;
import org.apache.hadoop.hbase.shaded.org.junit.experimental.categories.Category;
import org.apache.hadoop.hbase.testclassification.MediumTests;
import org.apache.hadoop.hbase.util.Bytes;
import org.apache.hadoop.hbase.util.EnvironmentEdgeManager;
import org.apache.hadoop.hbase.util.Sleeper;
import org.apache.hadoop.hbase.util.Strings;
import org.apache.hadoop.hbase.util.Threads;
import org.apache.hadoop.hbase.util.Writables;
import org.apache.hadoop.hbase.zookeeper.MetaTableLocator;
import org.apache.hadoop.hbase.zookeeper.ZKClusterId;
import org.apache.hadoop.hbase.zookeeper.ZooKeeperWatcher;
import org.apache.hadoop.net.DNS;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
import org.apache.hadoop.security.authentication.server.PseudoAuthenticationHandler;
import org.apache.hadoop.security.authorize.PolicyProvider;
import org.apache.hadoop.security.authorize.Service;
import org.apache.hadoop.security.token.SecretManager;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;

@Category({MediumTests.class})
/* loaded from: input_file:org/apache/hadoop/hbase/security/token/TestTokenAuthentication.class */
public class TestTokenAuthentication {
    private static final Log LOG;
    private static HBaseTestingUtility TEST_UTIL;
    private static TokenServer server;
    private static Thread serverThread;
    private static AuthenticationTokenSecretManager secretManager;
    private static ClusterId clusterId;

    /* loaded from: input_file:org/apache/hadoop/hbase/security/token/TestTokenAuthentication$AuthenticationServiceSecurityInfo.class */
    public interface AuthenticationServiceSecurityInfo {
    }

    /* loaded from: input_file:org/apache/hadoop/hbase/security/token/TestTokenAuthentication$TokenServer.class */
    private static class TokenServer extends TokenProvider implements AuthenticationProtos.AuthenticationService.BlockingInterface, Runnable, Server {
        private static final Log LOG = LogFactory.getLog(TokenServer.class);
        private Configuration conf;
        private RpcServerInterface rpcServer;
        private InetSocketAddress isa;
        private ZooKeeperWatcher zookeeper;
        private Sleeper sleeper;
        private boolean started = false;
        private boolean aborted = false;
        private boolean stopped = false;
        private long startcode = EnvironmentEdgeManager.currentTime();

        public TokenServer(Configuration configuration) throws IOException {
            this.conf = configuration;
            InetSocketAddress inetSocketAddress = new InetSocketAddress(Strings.domainNamePointerToHostName(DNS.getDefaultHost("default", "default")), 0);
            if (inetSocketAddress.getAddress() == null) {
                throw new IllegalArgumentException("Failed resolve of " + inetSocketAddress);
            }
            ArrayList arrayList = new ArrayList(1);
            arrayList.add(new RpcServer.BlockingServiceAndInterface(AuthenticationProtos.AuthenticationService.newReflectiveBlockingService(this), AuthenticationProtos.AuthenticationService.BlockingInterface.class));
            this.rpcServer = new RpcServer(this, "tokenServer", arrayList, inetSocketAddress, configuration, new FifoRpcScheduler(configuration, 1));
            InetSocketAddress listenerAddress = this.rpcServer.getListenerAddress();
            if (listenerAddress == null) {
                throw new IOException("Listener channel is closed");
            }
            this.isa = listenerAddress;
            this.sleeper = new Sleeper(1000, this);
        }

        @Override // org.apache.hadoop.hbase.Server
        public Configuration getConfiguration() {
            return this.conf;
        }

        @Override // org.apache.hadoop.hbase.Server
        public ClusterConnection getConnection() {
            return null;
        }

        @Override // org.apache.hadoop.hbase.Server
        public MetaTableLocator getMetaTableLocator() {
            return null;
        }

        @Override // org.apache.hadoop.hbase.Server
        public ZooKeeperWatcher getZooKeeper() {
            return this.zookeeper;
        }

        @Override // org.apache.hadoop.hbase.Server
        public CoordinatedStateManager getCoordinatedStateManager() {
            return null;
        }

        @Override // org.apache.hadoop.hbase.Abortable
        public boolean isAborted() {
            return this.aborted;
        }

        @Override // org.apache.hadoop.hbase.Server
        public ServerName getServerName() {
            return ServerName.valueOf(this.isa.getHostName(), this.isa.getPort(), this.startcode);
        }

        @Override // org.apache.hadoop.hbase.Abortable
        public void abort(String str, Throwable th) {
            LOG.fatal("Aborting on: " + str, th);
            this.aborted = true;
            this.stopped = true;
            this.sleeper.skipSleepCycle();
        }

        private void initialize() throws IOException {
            Configuration configuration = new Configuration(this.conf);
            configuration.set(User.HBASE_SECURITY_CONF_KEY, PseudoAuthenticationHandler.TYPE);
            this.zookeeper = new ZooKeeperWatcher(configuration, TokenServer.class.getSimpleName(), this, true);
            this.rpcServer.start();
            final RegionServerServices createMockRegionServerService = TestTokenAuthentication.TEST_UTIL.createMockRegionServerService(this.rpcServer);
            super.start(new RegionCoprocessorEnvironment() { // from class: org.apache.hadoop.hbase.security.token.TestTokenAuthentication.TokenServer.1
                @Override // org.apache.hadoop.hbase.coprocessor.RegionCoprocessorEnvironment
                public HRegion getRegion() {
                    return null;
                }

                @Override // org.apache.hadoop.hbase.coprocessor.RegionCoprocessorEnvironment
                public RegionServerServices getRegionServerServices() {
                    return createMockRegionServerService;
                }

                @Override // org.apache.hadoop.hbase.coprocessor.RegionCoprocessorEnvironment
                public ConcurrentMap<String, Object> getSharedData() {
                    return null;
                }

                @Override // org.apache.hadoop.hbase.coprocessor.RegionCoprocessorEnvironment
                public MetricRegistry getMetricRegistryForRegionServer() {
                    return null;
                }

                @Override // org.apache.hadoop.hbase.CoprocessorEnvironment
                public int getVersion() {
                    return 0;
                }

                @Override // org.apache.hadoop.hbase.CoprocessorEnvironment
                public String getHBaseVersion() {
                    return null;
                }

                @Override // org.apache.hadoop.hbase.CoprocessorEnvironment
                public Coprocessor getInstance() {
                    return null;
                }

                @Override // org.apache.hadoop.hbase.CoprocessorEnvironment
                public int getPriority() {
                    return 0;
                }

                @Override // org.apache.hadoop.hbase.CoprocessorEnvironment
                public int getLoadSequence() {
                    return 0;
                }

                @Override // org.apache.hadoop.hbase.CoprocessorEnvironment
                public Configuration getConfiguration() {
                    return TokenServer.this.conf;
                }

                @Override // org.apache.hadoop.hbase.CoprocessorEnvironment
                public HTableInterface getTable(TableName tableName) throws IOException {
                    return null;
                }

                @Override // org.apache.hadoop.hbase.CoprocessorEnvironment
                public HTableInterface getTable(TableName tableName, ExecutorService executorService) throws IOException {
                    return null;
                }

                @Override // org.apache.hadoop.hbase.CoprocessorEnvironment
                public ClassLoader getClassLoader() {
                    return Thread.currentThread().getContextClassLoader();
                }

                @Override // org.apache.hadoop.hbase.coprocessor.RegionCoprocessorEnvironment
                public HRegionInfo getRegionInfo() {
                    return null;
                }
            });
            this.started = true;
        }

        @Override // java.lang.Runnable
        public void run() {
            try {
                initialize();
                while (!this.stopped) {
                    this.sleeper.sleep();
                }
            } catch (Exception e) {
                abort(e.getMessage(), e);
            }
            this.rpcServer.stop();
        }

        public boolean isStarted() {
            return this.started;
        }

        @Override // org.apache.hadoop.hbase.Stoppable
        public void stop(String str) {
            LOG.info("Stopping due to: " + str);
            this.stopped = true;
            this.sleeper.skipSleepCycle();
        }

        @Override // org.apache.hadoop.hbase.Stoppable
        public boolean isStopped() {
            return this.stopped;
        }

        public InetSocketAddress getAddress() {
            return this.isa;
        }

        public SecretManager<? extends TokenIdentifier> getSecretManager() {
            return ((RpcServer) this.rpcServer).getSecretManager();
        }

        @Override // org.apache.hadoop.hbase.protobuf.generated.AuthenticationProtos.AuthenticationService.BlockingInterface
        public AuthenticationProtos.GetAuthenticationTokenResponse getAuthenticationToken(RpcController rpcController, AuthenticationProtos.GetAuthenticationTokenRequest getAuthenticationTokenRequest) throws ServiceException {
            LOG.debug("Authentication token request from " + RpcServer.getRequestUserName());
            ServerRpcController serverRpcController = new ServerRpcController();
            BlockingRpcCallback blockingRpcCallback = new BlockingRpcCallback();
            getAuthenticationToken(serverRpcController, getAuthenticationTokenRequest, blockingRpcCallback);
            try {
                serverRpcController.checkFailed();
                return (AuthenticationProtos.GetAuthenticationTokenResponse) blockingRpcCallback.get();
            } catch (IOException e) {
                throw new ServiceException(e);
            }
        }

        @Override // org.apache.hadoop.hbase.protobuf.generated.AuthenticationProtos.AuthenticationService.BlockingInterface
        public AuthenticationProtos.WhoAmIResponse whoAmI(RpcController rpcController, AuthenticationProtos.WhoAmIRequest whoAmIRequest) throws ServiceException {
            LOG.debug("whoAmI() request from " + RpcServer.getRequestUserName());
            ServerRpcController serverRpcController = new ServerRpcController();
            BlockingRpcCallback blockingRpcCallback = new BlockingRpcCallback();
            whoAmI(serverRpcController, whoAmIRequest, blockingRpcCallback);
            try {
                serverRpcController.checkFailed();
                return (AuthenticationProtos.WhoAmIResponse) blockingRpcCallback.get();
            } catch (IOException e) {
                throw new ServiceException(e);
            }
        }

        @Override // org.apache.hadoop.hbase.Server
        public ChoreService getChoreService() {
            return null;
        }
    }

    @BeforeClass
    public static void setupBeforeClass() throws Exception {
        TEST_UTIL = new HBaseTestingUtility();
        TEST_UTIL.startMiniZKCluster();
        SecurityInfo.addInfo(AuthenticationProtos.AuthenticationService.getDescriptor().getName(), new SecurityInfo("hbase.test.kerberos.principal", AuthenticationProtos.TokenIdentifier.Kind.HBASE_AUTH_TOKEN));
        Configuration configuration = TEST_UTIL.getConfiguration();
        configuration.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, KerberosAuthenticationHandler.TYPE);
        configuration.set(User.HBASE_SECURITY_CONF_KEY, KerberosAuthenticationHandler.TYPE);
        configuration.setBoolean("hadoop.security.authorization", true);
        server = new TokenServer(configuration);
        serverThread = new Thread(server);
        Threads.setDaemonThreadRunning(serverThread, "TokenServer:" + server.getServerName().toString());
        while (!server.isStarted() && !server.isStopped()) {
            Thread.sleep(10L);
        }
        server.rpcServer.refreshAuthManager(configuration, new PolicyProvider() { // from class: org.apache.hadoop.hbase.security.token.TestTokenAuthentication.1
            @Override // org.apache.hadoop.security.authorize.PolicyProvider
            public Service[] getServices() {
                return new Service[]{new Service(CommonConfigurationKeys.SECURITY_CLIENT_PROTOCOL_ACL, AuthenticationProtos.AuthenticationService.BlockingInterface.class)};
            }
        });
        ZKClusterId.setClusterId(server.getZooKeeper(), clusterId);
        secretManager = (AuthenticationTokenSecretManager) server.getSecretManager();
        while (secretManager.getCurrentKey() == null) {
            Thread.sleep(1L);
        }
    }

    @AfterClass
    public static void tearDownAfterClass() throws Exception {
        server.stop("Test complete");
        Threads.shutdown(serverThread);
        TEST_UTIL.shutdownMiniZKCluster();
    }

    @Test
    public void testTokenCreation() throws Exception {
        Token<AuthenticationTokenIdentifier> generateToken = secretManager.generateToken("testuser");
        AuthenticationTokenIdentifier authenticationTokenIdentifier = new AuthenticationTokenIdentifier();
        Writables.getWritable(generateToken.getIdentifier(), authenticationTokenIdentifier);
        Assert.assertEquals("Token username should match", "testuser", authenticationTokenIdentifier.getUsername());
        Assert.assertTrue("Token password and password from secret manager should match", Bytes.equals(generateToken.getPassword(), secretManager.retrievePassword(authenticationTokenIdentifier)));
    }

    @Test
    public void testTokenAuthentication() throws Exception {
        UserGroupInformation createUserForTesting = UserGroupInformation.createUserForTesting("testuser", new String[]{"testgroup"});
        createUserForTesting.setAuthenticationMethod(UserGroupInformation.AuthenticationMethod.TOKEN);
        UserGroupInformation.setConfiguration(TEST_UTIL.getConfiguration());
        Token<AuthenticationTokenIdentifier> generateToken = secretManager.generateToken("testuser");
        LOG.debug("Got token: " + generateToken.toString());
        createUserForTesting.addToken(generateToken);
        createUserForTesting.doAs(new PrivilegedExceptionAction<Object>() { // from class: org.apache.hadoop.hbase.security.token.TestTokenAuthentication.2
            @Override // java.security.PrivilegedExceptionAction
            public Object run() throws Exception {
                RpcClient createClient = RpcClientFactory.createClient(TestTokenAuthentication.server.getConfiguration(), TestTokenAuthentication.clusterId.toString());
                try {
                    AuthenticationProtos.WhoAmIResponse whoAmI = AuthenticationProtos.AuthenticationService.newBlockingStub(createClient.createBlockingRpcChannel(ServerName.valueOf(TestTokenAuthentication.server.getAddress().getHostName(), TestTokenAuthentication.server.getAddress().getPort(), System.currentTimeMillis()), User.getCurrent(), 60000)).whoAmI(null, AuthenticationProtos.WhoAmIRequest.getDefaultInstance());
                    Assert.assertEquals("testuser", whoAmI.getUsername());
                    Assert.assertEquals("TOKEN", whoAmI.getAuthMethod());
                    createClient.close();
                    return null;
                } catch (Throwable th) {
                    createClient.close();
                    throw th;
                }
            }
        });
    }

    @Test
    public void testUseExistingToken() throws Exception {
        User createUserForTesting = User.createUserForTesting(TEST_UTIL.getConfiguration(), "testuser2", new String[]{"testgroup"});
        Token<AuthenticationTokenIdentifier> generateToken = secretManager.generateToken(createUserForTesting.getName());
        Assert.assertNotNull(generateToken);
        createUserForTesting.addToken(generateToken);
        Token<AuthenticationTokenIdentifier> selectToken = new AuthenticationTokenSelector().selectToken(generateToken.getService(), createUserForTesting.getTokens());
        Assert.assertNotNull(selectToken);
        Assert.assertEquals(generateToken, selectToken);
        Connection createConnection = ConnectionFactory.createConnection(TEST_UTIL.getConfiguration());
        try {
            Assert.assertFalse(TokenUtil.addTokenIfMissing(createConnection, createUserForTesting));
            Assert.assertEquals(selectToken, new AuthenticationTokenSelector().selectToken(generateToken.getService(), createUserForTesting.getTokens()));
            createConnection.close();
        } catch (Throwable th) {
            createConnection.close();
            throw th;
        }
    }

    static {
        System.setProperty("java.security.krb5.realm", "hbase");
        System.setProperty("java.security.krb5.kdc", "blah");
        LOG = LogFactory.getLog(TestTokenAuthentication.class);
        clusterId = new ClusterId();
    }
}
