package org.apache.hadoop.ozone.security.acl;

import java.io.IOException;
import java.net.InetAddress;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.stream.Collectors;
import org.apache.hadoop.hdds.client.StandaloneReplicationConfig;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.hdds.protocol.proto.HddsProtos;
import org.apache.hadoop.hdds.scm.protocol.ScmBlockLocationProtocol;
import org.apache.hadoop.ozone.om.BucketManagerImpl;
import org.apache.hadoop.ozone.om.KeyManagerImpl;
import org.apache.hadoop.ozone.om.OMMetadataManager;
import org.apache.hadoop.ozone.om.OmMetadataManagerImpl;
import org.apache.hadoop.ozone.om.PrefixManager;
import org.apache.hadoop.ozone.om.PrefixManagerImpl;
import org.apache.hadoop.ozone.om.VolumeManagerImpl;
import org.apache.hadoop.ozone.om.helpers.OmBucketInfo;
import org.apache.hadoop.ozone.om.helpers.OmKeyArgs;
import org.apache.hadoop.ozone.om.helpers.OmVolumeArgs;
import org.apache.hadoop.ozone.om.helpers.OpenKeySession;
import org.apache.hadoop.ozone.om.helpers.OzoneAclUtil;
import org.apache.hadoop.ozone.om.request.TestOMRequestUtils;
import org.apache.hadoop.ozone.security.OzoneBlockTokenSecretManager;
import org.apache.hadoop.ozone.security.acl.IAccessAuthorizer;
import org.apache.hadoop.ozone.security.acl.OzoneObj;
import org.apache.hadoop.ozone.security.acl.OzoneObjInfo;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.ozone.test.GenericTestUtils;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Test;
import org.mockito.Mockito;

/* loaded from: input_file:org/apache/hadoop/ozone/security/acl/TestVolumeOwner.class */
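/**
 * Pins how {@link OzoneNativeAuthorizer} treats volume owners and admins.
 *
 * <p>Fixture built in {@link #setup()}: volumes {@code vol0}/{@code vol1} owned by
 * {@code owner0}/{@code owner1} with admin {@code om}; buckets {@code bucket0}/{@code bucket1}
 * in each volume with no ACLs set on the builder; keys {@code key0}/{@code key1} in each bucket,
 * where {@code key0} carries ALL for {@code testuser} and its groups and {@code key1} carries NONE.
 *
 * <p>Expectations asserted here: CREATE on a volume is granted to the admin only (the volume
 * owner is denied); the owner is granted every other non-NONE ACL type on the volume and on the
 * buckets and keys below it, even though no ACL entry names the owner.
 *
 * <p>Security note: in the bucket and key tests the allowed and denied cases use the same user
 * and the same object and differ only in the {@code ownerName} placed in the
 * {@link RequestContext}. The decision therefore rests on that field rather than on a lookup of
 * the stored volume owner. NOTE(review): confirm that production code populates
 * {@code ownerName} from volume metadata and never from client-supplied input. The denied cases
 * also never use a distinct third-party user against a bucket or key; consider adding one.
 */
public class TestVolumeOwner {
    /** User name passed as volume admin and as the authorizer's last constructor argument. */
    private static final String ADMIN_USER = "om";
    /** Number of volumes, buckets per volume and keys per bucket created by the fixture. */
    private static final int ENTRIES_PER_LEVEL = 2;

    private static OzoneConfiguration ozoneConfig;
    private static OzoneNativeAuthorizer nativeAuthorizer;
    private static KeyManagerImpl keyManager;
    private static VolumeManagerImpl volumeManager;
    private static BucketManagerImpl bucketManager;
    private static PrefixManager prefixManager;
    private static OMMetadataManager metadataManager;
    private static UserGroupInformation testUgi;

    /**
     * Creates the metadata store in a randomized test directory, wires the managers into an
     * {@link OzoneNativeAuthorizer}, and populates the volumes, buckets and keys.
     *
     * @throws IOException if the metadata store or any fixture entry cannot be created
     */
    @BeforeClass
    public static void setup() throws IOException {
        ozoneConfig = new OzoneConfiguration();
        ozoneConfig.set("ozone.acl.authorizer.class", "org.apache.hadoop.ozone.security.acl.OzoneNativeAuthorizer");
        ozoneConfig.set("ozone.metadata.dirs", GenericTestUtils.getRandomizedTestDir().toString());

        metadataManager = new OmMetadataManagerImpl(ozoneConfig);
        volumeManager = new VolumeManagerImpl(metadataManager, ozoneConfig);
        bucketManager = new BucketManagerImpl(metadataManager);
        // The block-location client is mocked and no block token secret manager is supplied.
        keyManager = new KeyManagerImpl(Mockito.mock(ScmBlockLocationProtocol.class), metadataManager, ozoneConfig, "om1", (OzoneBlockTokenSecretManager) null);
        prefixManager = new PrefixManagerImpl(metadataManager, false);
        // NOTE(review): the last argument is presumably the admin user list - the volume test
        // relies on "om" being the only identity allowed to CREATE.
        nativeAuthorizer = new OzoneNativeAuthorizer(volumeManager, bucketManager, keyManager, prefixManager, Collections.singletonList(ADMIN_USER));
        testUgi = UserGroupInformation.createUserForTesting("testuser", new String[]{"test"});

        prepareTestVols();
        prepareTestBuckets();
        prepareTestKeys();
    }

    /** Adds vol0 and vol1, each with admin "om" and its own owner (owner0, owner1). */
    private static void prepareTestVols() throws IOException {
        for (int vol = 0; vol < ENTRIES_PER_LEVEL; vol++) {
            OmVolumeArgs volumeArgs = OmVolumeArgs.newBuilder()
                    .setVolume(getTestVolumeName(vol))
                    .setAdminName(ADMIN_USER)
                    .setOwnerName(getTestVolOwnerName(vol))
                    .build();
            TestOMRequestUtils.addVolumeToOM(metadataManager, volumeArgs);
        }
    }

    /** Adds bucket0 and bucket1 to every volume; no ACLs are set on the bucket builder. */
    private static void prepareTestBuckets() throws IOException {
        for (int vol = 0; vol < ENTRIES_PER_LEVEL; vol++) {
            for (int bucket = 0; bucket < ENTRIES_PER_LEVEL; bucket++) {
                OmBucketInfo bucketInfo = OmBucketInfo.newBuilder()
                        .setVolumeName(getTestVolumeName(vol))
                        .setBucketName(getTestBucketName(bucket))
                        .build();
                TestOMRequestUtils.addBucketToOM(metadataManager, bucketInfo);
            }
        }
    }

    /**
     * Creates and commits key0 and key1 in every bucket. key0 carries ALL for testuser and its
     * groups, key1 carries NONE; no ACL entry is created for the volume owners.
     */
    private static void prepareTestKeys() throws IOException {
        for (int vol = 0; vol < ENTRIES_PER_LEVEL; vol++) {
            for (int bucket = 0; bucket < ENTRIES_PER_LEVEL; bucket++) {
                for (int key = 0; key < ENTRIES_PER_LEVEL; key++) {
                    IAccessAuthorizer.ACLType rights =
                            key == 0 ? IAccessAuthorizer.ACLType.ALL : IAccessAuthorizer.ACLType.NONE;
                    OmKeyArgs keyArgs = new OmKeyArgs.Builder()
                            .setVolumeName(getTestVolumeName(vol))
                            .setBucketName(getTestBucketName(bucket))
                            .setKeyName(getTestKeyName(key))
                            .setReplicationConfig(new StandaloneReplicationConfig(HddsProtos.ReplicationFactor.ONE))
                            .setDataSize(0L)
                            .setAcls(OzoneAclUtil.getAclList(testUgi.getUserName(), testUgi.getGroupNames(), rights, rights))
                            .build();
                    OpenKeySession session = keyManager.createFile(keyArgs, true, false);
                    // The commit needs the block locations allocated when the file was opened.
                    keyArgs.setLocationInfoList(session.getKeyInfo().getLatestVersionLocations().getLocationList());
                    keyManager.commitKey(keyArgs, session.getId());
                }
            }
        }
    }

    /**
     * Volume level: CREATE is granted to the admin only, not to an unrelated user and not to the
     * volume owner; the owner is granted every ACL type other than NONE and CREATE.
     */
    @Test
    public void testVolumeOps() throws Exception {
        OzoneObj volume = getTestVolumeobj(0);
        String owner = getTestVolOwnerName(0);

        RequestContext adminContext = getUserRequestContext(ADMIN_USER, IAccessAuthorizer.ACLType.CREATE, false, owner);
        Assert.assertTrue("matching admins are allowed to perform admin operations", nativeAuthorizer.checkAccess(volume, adminContext));

        RequestContext strangerContext = getUserRequestContext("testuser", IAccessAuthorizer.ACLType.CREATE, false, owner);
        Assert.assertFalse("mismatching admins are not allowed to perform admin operations", nativeAuthorizer.checkAccess(volume, strangerContext));

        // Ownership alone must not confer the admin-only CREATE right.
        RequestContext ownerCreateContext = getUserRequestContext(owner, IAccessAuthorizer.ACLType.CREATE, true, owner);
        Assert.assertFalse("mismatching admins are not allowed to perform admin operations even for owner", nativeAuthorizer.checkAccess(volume, ownerCreateContext));

        for (IAccessAuthorizer.ACLType type : IAccessAuthorizer.ACLType.values()) {
            if (type == IAccessAuthorizer.ACLType.NONE || type == IAccessAuthorizer.ACLType.CREATE) {
                continue;
            }
            Assert.assertTrue("Owner is allowed to perform all non-admin operations", nativeAuthorizer.checkAccess(volume, getUserRequestContext(owner, type, true, owner)));
        }
    }

    /**
     * Bucket level: a user whose name matches the context's ownerName is granted every non-NONE
     * ACL type on a bucket without ACLs; the same user is denied once the ownerName differs.
     */
    @Test
    public void testBucketOps() throws Exception {
        OzoneObj bucket = getTestBucketobj(1, 1);
        String user = getTestVolOwnerName(1);
        List<IAccessAuthorizer.ACLType> aclTypes = getAclsToTest();

        for (IAccessAuthorizer.ACLType type : aclTypes) {
            Assert.assertTrue("non admin volume owner without acls are allowed to do " + type + " on bucket", nativeAuthorizer.checkAccess(bucket, getUserRequestContext(user, type, true, user)));
        }
        // Same user and object; only the ownerName in the context changes.
        for (IAccessAuthorizer.ACLType type : aclTypes) {
            Assert.assertFalse("non admin non volume owner without acls are not allowed to do " + type + " on bucket", nativeAuthorizer.checkAccess(bucket, getUserRequestContext(user, type, false, getTestVolOwnerName(0))));
        }
    }

    /**
     * Key level: same pattern as the bucket test, against vol0/bucket0/key1, whose only ACL
     * entries are NONE for testuser and its groups.
     */
    @Test
    public void testKeyOps() throws Exception {
        OzoneObj key = getTestKeyobj(0, 0, 1);
        String user = getTestVolOwnerName(0);
        List<IAccessAuthorizer.ACLType> aclTypes = getAclsToTest();

        for (IAccessAuthorizer.ACLType type : aclTypes) {
            Assert.assertTrue("non admin volume owner without acls are allowed to access key", nativeAuthorizer.checkAccess(key, getUserRequestContext(user, type, true, user)));
        }
        // Same user and object; only the ownerName in the context changes. The message now says
        // "non volume owner" so a failure describes the scenario actually exercised.
        for (IAccessAuthorizer.ACLType type : aclTypes) {
            Assert.assertFalse("non admin non volume owner without acls are not allowed to access key", nativeAuthorizer.checkAccess(key, getUserRequestContext(user, type, false, getTestVolOwnerName(1))));
        }
    }

    /**
     * Builds a request context for a remote user with no address and no host name.
     *
     * @param userName name of the calling user
     * @param aclType right being requested
     * @param isOwner documents the caller's intent only; it is NOT passed to the builder, so a
     *     scenario is an "owner" scenario only when {@code userName} equals {@code ownerName}
     * @param ownerName owner name carried in the context
     * @return the built context
     */
    private RequestContext getUserRequestContext(String userName, IAccessAuthorizer.ACLType aclType, boolean isOwner, String ownerName) {
        UserGroupInformation remoteUser = UserGroupInformation.createRemoteUser(userName);
        return RequestContext.getBuilder(remoteUser, (InetAddress) null, (String) null, aclType, ownerName).build();
    }

    /** Returns the fixture volume name for the given index, e.g. "vol0". */
    private static String getTestVolumeName(int index) {
        return "vol" + index;
    }

    /** Returns the owner name of the fixture volume with the given index, e.g. "owner0". */
    private static String getTestVolOwnerName(int index) {
        return "owner" + index;
    }

    /** Returns the fixture bucket name for the given index, e.g. "bucket0". */
    private static String getTestBucketName(int index) {
        return "bucket" + index;
    }

    /** Returns the fixture key name for the given index, e.g. "key0". */
    private static String getTestKeyName(int index) {
        return "key" + index;
    }

    /** Builds the authorizer-facing object for fixture volume {@code volIndex}. */
    private OzoneObj getTestVolumeobj(int volIndex) {
        return OzoneObjInfo.Builder.getBuilder(OzoneObj.ResourceType.VOLUME, OzoneObj.StoreType.OZONE, getTestVolumeName(volIndex), (String) null, (String) null).build();
    }

    /** Builds the authorizer-facing object for a fixture bucket. */
    private OzoneObj getTestBucketobj(int volIndex, int bucketIndex) {
        return OzoneObjInfo.Builder.newBuilder()
                .setResType(OzoneObj.ResourceType.BUCKET)
                .setStoreType(OzoneObj.StoreType.OZONE)
                .setVolumeName(getTestVolumeName(volIndex))
                .setBucketName(getTestBucketName(bucketIndex))
                .build();
    }

    /** Builds the authorizer-facing object for a fixture key. */
    private OzoneObj getTestKeyobj(int volIndex, int bucketIndex, int keyIndex) {
        return OzoneObjInfo.Builder.newBuilder()
                .setResType(OzoneObj.ResourceType.KEY)
                .setStoreType(OzoneObj.StoreType.OZONE)
                .setVolumeName(getTestVolumeName(volIndex))
                .setBucketName(getTestBucketName(bucketIndex))
                .setKeyName(getTestKeyName(keyIndex))
                .build();
    }

    /**
     * Returns every {@link IAccessAuthorizer.ACLType} except NONE, in declaration order.
     *
     * @return a new list of the ACL types exercised by the bucket and key tests
     */
    List<IAccessAuthorizer.ACLType> getAclsToTest() {
        return Arrays.stream(IAccessAuthorizer.ACLType.values())
                .filter(type -> type != IAccessAuthorizer.ACLType.NONE)
                .collect(Collectors.toList());
    }
}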
