package org.apache.kudu.client;

import com.stumbleupon.async.Deferred;
import java.io.Closeable;
import java.io.IOException;
import java.security.PrivilegedActionException;
import java.security.PrivilegedExceptionAction;
import java.util.Iterator;
import java.util.Set;
import java.util.concurrent.TimeUnit;
import javax.security.auth.Subject;
import org.apache.kudu.client.Client;
import org.apache.kudu.client.Connection;
import org.apache.kudu.client.KuduClient;
import org.apache.kudu.client.MiniKuduCluster;
import org.apache.kudu.security.Token;
import org.apache.kudu.shaded.com.google.common.base.Preconditions;
import org.apache.kudu.shaded.com.google.common.base.Stopwatch;
import org.apache.kudu.shaded.com.google.common.collect.ImmutableSet;
import org.apache.kudu.util.AssertHelpers;
import org.apache.kudu.util.CapturingLogAppender;
import org.apache.kudu.util.SecurityUtil;
import org.hamcrest.CoreMatchers;
import org.junit.After;
import org.junit.Assert;
import org.junit.Test;

/* loaded from: input_file:org/apache/kudu/client/TestSecurity.class */
public class TestSecurity {
    private static final String TABLE_NAME = "TestSecurity-table";
    private static final int TICKET_LIFETIME_SECS = 10;
    private static final int RENEWABLE_LIFETIME_SECS = 30;
    private final CapturingLogAppender cla = new CapturingLogAppender();
    private MiniKuduCluster miniCluster;
    private KuduClient client;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/kudu/client/TestSecurity$Option.class */
    public enum Option {
        LONG_LEADER_ELECTION,
        SHORT_TOKENS_AND_TICKETS,
        START_TSERVERS
    }

    private void startCluster(Set<Option> set) throws IOException {
        Preconditions.checkState(this.miniCluster == null);
        MiniKuduCluster.MiniKuduClusterBuilder miniKuduClusterBuilder = new MiniKuduCluster.MiniKuduClusterBuilder();
        miniKuduClusterBuilder.enableKerberos();
        if (set.contains(Option.LONG_LEADER_ELECTION)) {
            miniKuduClusterBuilder.addMasterFlag("--leader_failure_max_missed_heartbeat_periods=10.0");
        }
        if (set.contains(Option.SHORT_TOKENS_AND_TICKETS)) {
            miniKuduClusterBuilder.addMasterFlag("--authn_token_validity_seconds=10").kdcRenewLifetime("30s").kdcTicketLifetime("10s");
        }
        this.miniCluster = miniKuduClusterBuilder.numMasters(3).numTservers(set.contains(Option.START_TSERVERS) ? 3 : 0).build();
        this.miniCluster.kinit("test-admin");
        this.client = new KuduClient.KuduClientBuilder(this.miniCluster.getMasterAddresses()).build();
        this.client.listTabletServers();
    }

    @After
    public void reset() throws IOException, InterruptedException {
        if (this.client != null) {
            this.client.close();
        }
        if (this.miniCluster != null) {
            this.miniCluster.shutdown();
        }
    }

    private KuduClient createClientFromSubject(Subject subject) throws PrivilegedActionException {
        return (KuduClient) Subject.doAs(subject, new PrivilegedExceptionAction<KuduClient>() { // from class: org.apache.kudu.client.TestSecurity.1
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public KuduClient run() throws Exception {
                return TestSecurity.this.createClient();
            }
        });
    }

    /* JADX INFO: Access modifiers changed from: private */
    public KuduClient createClient() {
        return new KuduClient.KuduClientBuilder(this.miniCluster.getMasterAddresses()).build();
    }

    private void checkClientCanReconnect(KuduClient kuduClient) throws IOException {
        this.miniCluster.killMasters();
        this.miniCluster.restartDeadMasters();
        kuduClient.listTabletServers();
    }

    @Test
    public void testImportExportAuthenticationCredentials() throws Exception {
        startCluster(ImmutableSet.of(Option.SHORT_TOKENS_AND_TICKETS, Option.START_TSERVERS));
        byte[] exportAuthenticationCredentials = this.client.exportAuthenticationCredentials();
        Assert.assertNotNull(exportAuthenticationCredentials);
        String property = System.getProperty("kudu.krb5ccname");
        System.clearProperty("kudu.krb5ccname");
        try {
            KuduClient build = new KuduClient.KuduClientBuilder(this.miniCluster.getMasterAddresses()).build();
            try {
                build.listTabletServers();
                Assert.fail("should not have been able to connect to a secure cluster with no credentials");
            } catch (NonRecoverableException e) {
                Assert.assertThat(e.getMessage(), CoreMatchers.containsString("server requires authentication, but client does not have Kerberos credentials (tgt). Authentication tokens were not used because no token is available"));
            }
            build.importAuthenticationCredentials(exportAuthenticationCredentials);
            KuduTable createTable = build.createTable(TABLE_NAME, BaseKuduTest.basicSchema, BaseKuduTest.getBasicCreateTableOptions());
            KuduSession newSession = build.newSession();
            newSession.apply(BaseKuduTest.createBasicSchemaInsert(createTable, 1));
            newSession.flush();
            System.setProperty("kudu.krb5ccname", property);
        } catch (Throwable th) {
            System.setProperty("kudu.krb5ccname", property);
            throw th;
        }
    }

    @Test
    public void testErrorMessageWithNoCaCert() throws Exception {
        startCluster(ImmutableSet.of(Option.SHORT_TOKENS_AND_TICKETS));
        byte[] byteArray = Client.AuthenticationCredentialsPB.parseFrom(this.client.exportAuthenticationCredentials()).toBuilder().clearCaCertDers().build().toByteArray();
        String property = System.getProperty("kudu.krb5ccname");
        System.clearProperty("kudu.krb5ccname");
        try {
            KuduClient createClient = createClient();
            createClient.importAuthenticationCredentials(byteArray);
            try {
                createClient.listTabletServers();
                Assert.fail("should not have been able to connect to a secure cluster with no credentials");
            } catch (NonRecoverableException e) {
                Assert.assertThat(e.getMessage(), CoreMatchers.containsString("server requires authentication, but client does not have Kerberos credentials (tgt). Authentication tokens were not used because no TLS certificates are trusted by the client"));
            }
        } finally {
            System.setProperty("kudu.krb5ccname", property);
        }
    }

    @Test
    public void testKudu2267() throws Exception {
        startCluster(ImmutableSet.of(Option.SHORT_TOKENS_AND_TICKETS));
        byte[] exportAuthenticationCredentials = this.client.exportAuthenticationCredentials();
        Assert.assertNotNull(exportAuthenticationCredentials);
        String property = System.getProperty("kudu.krb5ccname");
        System.clearProperty("kudu.krb5ccname");
        try {
            final KuduClient createClient = createClient();
            createClient.importAuthenticationCredentials(exportAuthenticationCredentials);
            AssertHelpers.assertEventuallyTrue("Not able to connect to all the masters", new AssertHelpers.BooleanExpression() { // from class: org.apache.kudu.client.TestSecurity.2
                @Override // org.apache.kudu.util.AssertHelpers.BooleanExpression
                public boolean get() throws Exception {
                    ConnectToCluster connectToCluster = new ConnectToCluster(TestSecurity.this.miniCluster.getMasterHostPorts());
                    Iterator it = connectToCluster.connectToMasters(createClient.asyncClient.getMasterTable(), (KuduRpc) null, 50000L, Connection.CredentialsPolicy.ANY_CREDENTIALS).iterator();
                    while (it.hasNext()) {
                        ((Deferred) it.next()).join();
                    }
                    return connectToCluster.getExceptionsReceived().size() == 0;
                }
            }, 50000L);
            System.setProperty("kudu.krb5ccname", property);
        } catch (Throwable th) {
            System.setProperty("kudu.krb5ccname", property);
            throw th;
        }
    }

    @Test
    public void testConnectToNonLeaderMasters() throws Exception {
        startCluster(ImmutableSet.of(Option.LONG_LEADER_ELECTION));
        System.err.println("=> started cluster");
        byte[] exportAuthenticationCredentials = this.client.exportAuthenticationCredentials();
        System.err.println("=> exported auth");
        Assert.assertNotNull(exportAuthenticationCredentials);
        String property = System.getProperty("kudu.krb5ccname");
        System.clearProperty("kudu.krb5ccname");
        try {
            KuduClient createClient = createClient();
            createClient.importAuthenticationCredentials(exportAuthenticationCredentials);
            System.err.println("=> imported auth");
            this.miniCluster.killMasters();
            this.miniCluster.restartDeadMasters();
            createClient.listTabletServers();
            System.err.println("=> listTabletServers");
            System.setProperty("kudu.krb5ccname", property);
        } catch (Throwable th) {
            System.setProperty("kudu.krb5ccname", property);
            throw th;
        }
    }

    @Test(timeout = 300000)
    public void testRenewAndReacquireKeberosCredentials() throws Exception {
        startCluster(ImmutableSet.of(Option.SHORT_TOKENS_AND_TICKETS));
        Stopwatch createStarted = Stopwatch.createStarted();
        Closeable attach = this.cla.attach();
        Throwable th = null;
        try {
            try {
                Stopwatch createStarted2 = Stopwatch.createStarted();
                while (createStarted2.elapsed(TimeUnit.SECONDS) < 60) {
                    if (createStarted.elapsed(TimeUnit.SECONDS) > 15) {
                        this.miniCluster.kinit("test-admin");
                        createStarted.reset().start();
                    }
                    Thread.sleep(5000L);
                    this.client.asyncClient.securityContext.setAuthenticationToken((Token.SignedTokenPB) null);
                    checkClientCanReconnect(this.client);
                }
                if (attach != null) {
                    if (0 != 0) {
                        try {
                            attach.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        attach.close();
                    }
                }
                Assert.assertThat(this.cla.getAppendedText(), CoreMatchers.containsString("Successfully refreshed Kerberos credentials from ticket cache"));
            } finally {
            }
        } catch (Throwable th3) {
            if (attach != null) {
                if (th != null) {
                    try {
                        attach.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    attach.close();
                }
            }
            throw th3;
        }
    }

    @Test(timeout = 300000)
    public void testDoNotSwitchPrincipalsInExistingClient() throws Exception {
        startCluster(ImmutableSet.of(Option.SHORT_TOKENS_AND_TICKETS));
        this.miniCluster.kinit("test-user");
        Closeable attach = this.cla.attach();
        Throwable th = null;
        try {
            assertEventualAuthenticationFailure(this.client, "server requires authentication, but client Kerberos credentials (TGT) have expired");
            if (attach != null) {
                if (0 != 0) {
                    try {
                        attach.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                } else {
                    attach.close();
                }
            }
            Assert.assertThat(this.cla.getAppendedText(), CoreMatchers.containsString("found that the new Kerberos principal test-user@KRBTEST.COM did not match the original principal test-admin@KRBTEST.COM"));
        } catch (Throwable th3) {
            if (attach != null) {
                if (0 != 0) {
                    try {
                        attach.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    attach.close();
                }
            }
            throw th3;
        }
    }

    private void assertEventualAuthenticationFailure(final KuduClient kuduClient, final String str) throws Exception {
        AssertHelpers.assertEventuallyTrue("should eventually fail to connect", new AssertHelpers.BooleanExpression() { // from class: org.apache.kudu.client.TestSecurity.3
            @Override // org.apache.kudu.util.AssertHelpers.BooleanExpression
            public boolean get() throws Exception {
                Thread.sleep(3000L);
                TestSecurity.this.miniCluster.killMasters();
                TestSecurity.this.miniCluster.restartDeadMasters();
                try {
                    kuduClient.listTabletServers();
                    return false;
                } catch (Exception e) {
                    if (e.toString().contains(str)) {
                        return true;
                    }
                    throw e;
                }
            }
        }, 60000L);
    }

    @Test(timeout = 300000)
    public void testExternallyProvidedSubjectExpires() throws Exception {
        startCluster(ImmutableSet.of(Option.SHORT_TOKENS_AND_TICKETS));
        Subject subjectFromTicketCacheOrNull = SecurityUtil.getSubjectFromTicketCacheOrNull();
        Assert.assertNotNull(subjectFromTicketCacheOrNull);
        Closeable attach = this.cla.attach();
        Throwable th = null;
        try {
            KuduClient createClientFromSubject = createClientFromSubject(subjectFromTicketCacheOrNull);
            try {
                assertEventualAuthenticationFailure(createClientFromSubject, "server requires authentication, but client Kerberos credentials (TGT) have expired");
                createClientFromSubject.close();
                Assert.assertThat(this.cla.getAppendedText(), CoreMatchers.containsString("Using caller-provided subject with Kerberos principal test-admin@KRBTEST.COM."));
                Assert.assertThat(this.cla.getAppendedText(), CoreMatchers.containsString("Caller-provided Subject has a Kerberos ticket that is about to expire"));
            } catch (Throwable th2) {
                createClientFromSubject.close();
                throw th2;
            }
        } finally {
            if (attach != null) {
                if (0 != 0) {
                    try {
                        attach.close();
                    } catch (Throwable th3) {
                        th.addSuppressed(th3);
                    }
                } else {
                    attach.close();
                }
            }
        }
    }

    @Test(timeout = 300000)
    public void testExternallyProvidedSubjectRefreshedExternally() throws Exception {
        startCluster(ImmutableSet.of(Option.SHORT_TOKENS_AND_TICKETS));
        Subject subjectFromTicketCacheOrNull = SecurityUtil.getSubjectFromTicketCacheOrNull();
        Assert.assertNotNull(subjectFromTicketCacheOrNull);
        Closeable attach = this.cla.attach();
        Throwable th = null;
        try {
            try {
                KuduClient createClientFromSubject = createClientFromSubject(subjectFromTicketCacheOrNull);
                Stopwatch createStarted = Stopwatch.createStarted();
                while (createStarted.elapsed(TimeUnit.SECONDS) < 35) {
                    this.miniCluster.kinit("test-admin");
                    Subject subjectFromTicketCacheOrNull2 = SecurityUtil.getSubjectFromTicketCacheOrNull();
                    subjectFromTicketCacheOrNull.getPrivateCredentials().clear();
                    subjectFromTicketCacheOrNull.getPrivateCredentials().addAll(subjectFromTicketCacheOrNull2.getPrivateCredentials());
                    createClientFromSubject.asyncClient.securityContext.setAuthenticationToken((Token.SignedTokenPB) null);
                    checkClientCanReconnect(createClientFromSubject);
                    Thread.sleep(3000L);
                }
                if (attach != null) {
                    if (0 != 0) {
                        try {
                            attach.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        attach.close();
                    }
                }
                Assert.assertThat(this.cla.getAppendedText(), CoreMatchers.containsString("Using caller-provided subject with Kerberos principal test-admin@KRBTEST.COM."));
            } finally {
            }
        } catch (Throwable th3) {
            if (attach != null) {
                if (th != null) {
                    try {
                        attach.close();
                    } catch (Throwable th4) {
                        th.addSuppressed(th4);
                    }
                } else {
                    attach.close();
                }
            }
            throw th3;
        }
    }
}
