package org.apache.hadoop.security.authentication.server;

import java.io.File;
import java.util.Properties;
import java.util.Set;
import java.util.concurrent.Callable;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang3.reflect.testbed.Bar;
import org.apache.hadoop.minikdc.KerberosSecurityTestcase;
import org.apache.hadoop.security.authentication.KerberosTestUtils;
import org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.apache.hadoop.security.authentication.util.KerberosName;
import org.apache.hadoop.security.authentication.util.KerberosUtil;
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.Timeout;
import org.mockito.Mockito;

/* loaded from: input_file:org/apache/hadoop/security/authentication/server/TestKerberosAuthenticationHandler.class */
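/**
 * Tests for {@link KerberosAuthenticationHandler}, run against the KDC exposed by
 * {@link KerberosSecurityTestcase#getKdc()}.
 *
 * <p>Covered behaviour: handler initialisation from a keytab, principal discovery when the
 * principal is configured as {@code "*"}, Kerberos name-rule mechanisms, SPNEGO
 * {@code Authorization} header handling, and the endpoint whitelist that skips authentication.
 *
 * <p>{@link KerberosName} rules and rule mechanism are read and written through static methods,
 * so the name-rule tests change state that outlives a single handler instance.
 */
public class TestKerberosAuthenticationHandler extends KerberosSecurityTestcase {

    /** Upper bound for every test so a hung KDC or GSS exchange cannot stall the suite. */
    @Rule
    public Timeout globalTimeout = Timeout.millis(60000);

    /** Handler under test; {@code null} when {@link #setup()} failed to initialise it. */
    protected KerberosAuthenticationHandler handler;

    /**
     * Creates the handler instance under test. Subclasses may override to test a derived handler.
     *
     * @return a fresh, uninitialised handler
     */
    protected KerberosAuthenticationHandler getNewAuthenticationHandler() {
        return new KerberosAuthenticationHandler();
    }

    /**
     * Returns the authentication type the handler and its tokens are expected to report.
     *
     * @return the expected type string
     */
    protected String getExpectedType() {
        return "kerberos";
    }

    /**
     * Builds the baseline handler configuration: server principal, keytab, a name rule that strips
     * the test realm, and the {@code hadoop} rule mechanism.
     *
     * <p>Visibility is kept {@code public} as found in this listing so existing callers compile.
     *
     * @return a new, mutable {@link Properties} instance
     */
    public Properties getDefaultProperties() {
        Properties properties = new Properties();
        properties.setProperty("kerberos.principal", KerberosTestUtils.getServerPrincipal());
        properties.setProperty("kerberos.keytab", KerberosTestUtils.getKeytabFile());
        properties.setProperty(
                "kerberos.name.rules",
                "RULE:[1:$1@$0](.*@" + KerberosTestUtils.getRealm() + ")s/@.*//\n");
        properties.setProperty("kerberos.name.rules.mechanism", "hadoop");
        return properties;
    }

    /**
     * Creates the client and server principals in the test keytab and initialises the handler with
     * the default properties plus an endpoint whitelist.
     *
     * @throws Exception if principal creation or handler initialisation fails
     */
    @Before
    public void setup() throws Exception {
        File keytab = new File(KerberosTestUtils.getKeytabFile());
        String clientPrincipal = KerberosTestUtils.getClientPrincipal();
        String serverPrincipal = KerberosTestUtils.getServerPrincipal();
        // The KDC is given the principal names without their "@REALM" suffix.
        String clientName = clientPrincipal.substring(0, clientPrincipal.lastIndexOf("@"));
        String serverName = serverPrincipal.substring(0, serverPrincipal.lastIndexOf("@"));
        getKdc().createPrincipal(keytab, new String[] {clientName, serverName});

        this.handler = getNewAuthenticationHandler();
        Properties props = getDefaultProperties();
        props.setProperty("kerberos.endpoint.whitelist", "/white,/white2,/white3");
        try {
            this.handler.init(props);
        } catch (Exception e) {
            // Clear the field so tearDown() does not destroy a handler that never initialised.
            this.handler = null;
            throw e;
        }
    }

    /**
     * With the {@code hadoop} mechanism, a principal that matches no rule must be rejected rather
     * than mapped to a short name.
     *
     * @throws Exception on unexpected failure
     */
    @Test
    public void testNameRulesHadoop() throws Exception {
        Assert.assertEquals(
                KerberosTestUtils.getRealm(),
                new KerberosName(KerberosTestUtils.getServerPrincipal()).getRealm());

        this.handler.destroy();
        this.handler = getNewAuthenticationHandler();
        Properties props = getDefaultProperties();
        props.setProperty("kerberos.name.rules", "RULE:[1:$1@$0](.*@BAR)s/@.*//\nDEFAULT");
        try {
            this.handler.init(props);
        } catch (Exception ignored) {
            // NOTE(review): an init failure is swallowed here. The assertions below read the
            // static KerberosName rules, so a failed init could leave rules from an earlier
            // test in place. Consider letting the exception propagate.
        }

        // Expected value written as a literal: the rule above strips "@BAR" from "bar@BAR".
        Assert.assertEquals("bar", new KerberosName("bar@BAR").getShortName());
        try {
            new KerberosName("bar@FOO").getShortName();
            // Assert.fail() throws an Error, so the catch below does not hide it.
            Assert.fail();
        } catch (Exception expected) {
            // A principal from a realm no rule covers must not resolve to a short name.
        }
    }

    /**
     * With the {@code mit} mechanism, a principal that matches no rule is passed through
     * unchanged, realm included.
     *
     * @throws Exception on unexpected failure
     */
    @Test
    public void testNameRulesCompat() throws Exception {
        Assert.assertEquals(
                KerberosTestUtils.getRealm(),
                new KerberosName(KerberosTestUtils.getServerPrincipal()).getRealm());

        this.handler.destroy();
        this.handler = getNewAuthenticationHandler();
        Properties props = getDefaultProperties();
        props.setProperty("kerberos.name.rules", "RULE:[1:$1@$0](.*@BAR)s/@.*//\nDEFAULT");
        props.setProperty("kerberos.name.rules.mechanism", "mit");
        try {
            this.handler.init(props);
        } catch (Exception ignored) {
            // NOTE(review): init failure is swallowed; see testNameRulesHadoop for the risk of
            // asserting against stale static KerberosName state.
        }

        Assert.assertEquals("bar", new KerberosName("bar@BAR").getShortName());
        // Pass-through means the short name still carries the foreign realm; callers that
        // authorise on short names need to account for that under this mechanism.
        Assert.assertEquals("bar@FOO", new KerberosName("bar@FOO").getShortName());
    }

    /**
     * When the rule properties are absent, initialising the handler must leave the previously set
     * static {@link KerberosName} rules and mechanism untouched.
     *
     * @throws Exception on unexpected failure
     */
    @Test
    public void testNullProperties() throws Exception {
        Assert.assertEquals(
                KerberosTestUtils.getRealm(),
                new KerberosName(KerberosTestUtils.getServerPrincipal()).getRealm());

        KerberosName.setRuleMechanism("MIT");
        KerberosName.setRules("DEFAULT");

        this.handler.destroy();
        this.handler = getNewAuthenticationHandler();
        Properties props = getDefaultProperties();
        props.remove("kerberos.name.rules");
        props.remove("kerberos.name.rules.mechanism");
        try {
            this.handler.init(props);
        } catch (Exception ignored) {
            // NOTE(review): if init fails the assertions below pass trivially, because the
            // values were set a few lines above. Consider letting the exception propagate.
        }

        Assert.assertEquals("MIT", KerberosName.getRuleMechanism());
        Assert.assertEquals("DEFAULT", KerberosName.getRules());
    }

    /**
     * After {@link #setup()}, the handler reports the configured keytab and exactly one principal:
     * the server principal.
     *
     * @throws Exception on unexpected failure
     */
    @Test
    public void testInit() throws Exception {
        Assert.assertEquals(KerberosTestUtils.getKeytabFile(), this.handler.getKeytab());
        // Hold the set in a local: the listing referenced an undefined variable for the size check.
        Set<?> principals = this.handler.getPrincipals();
        Assert.assertTrue(
                principals.contains(new KerberosPrincipal(KerberosTestUtils.getServerPrincipal())));
        // Exactly one entry: the client principal in the same keytab must not be accepted.
        Assert.assertEquals(1, principals.size());
    }

    /**
     * With the principal configured as {@code "*"}, only keytab entries whose name starts with
     * {@code HTTP/} are picked up. Look-alike service names ({@code HTTP2/}, {@code XHTTP/}) must
     * be excluded, so a shared keytab does not widen the set of identities the handler accepts.
     *
     * @throws Exception on unexpected failure
     */
    @Test
    public void testDynamicPrincipalDiscovery() throws Exception {
        String[] spns = {"HTTP/host1", "HTTP/host2", "HTTP2/host1", "XHTTP/host"};
        String keytabFile = KerberosTestUtils.getKeytabFile();
        getKdc().createPrincipal(new File(keytabFile), spns);

        this.handler.destroy();
        Properties props = new Properties();
        props.setProperty("kerberos.keytab", keytabFile);
        props.setProperty("kerberos.principal", "*");
        this.handler = getNewAuthenticationHandler();
        this.handler.init(props);

        Assert.assertEquals(KerberosTestUtils.getKeytabFile(), this.handler.getKeytab());
        Set<?> principals = this.handler.getPrincipals();
        for (String spn : spns) {
            boolean expected = spn.startsWith("HTTP/");
            boolean present =
                    principals.contains(
                            new KerberosPrincipal(spn + "@" + KerberosTestUtils.getRealm()));
            Assert.assertEquals("checking for " + spn, expected, present);
        }
    }

    /**
     * With the principal configured as {@code "*"} and no matching entry in the keytab,
     * initialisation must fail instead of starting a handler with no acceptable principals.
     *
     * @throws Exception on unexpected failure
     */
    @Test
    public void testDynamicPrincipalDiscoveryMissingPrincipals() throws Exception {
        String keytabFile = KerberosTestUtils.getKeytabFile();
        getKdc().createPrincipal(new File(keytabFile), new String[] {"hdfs/localhost"});

        this.handler.destroy();
        Properties props = new Properties();
        props.setProperty("kerberos.keytab", keytabFile);
        props.setProperty("kerberos.principal", "*");
        this.handler = getNewAuthenticationHandler();
        try {
            this.handler.init(props);
            Assert.fail("init should have failed");
        } catch (ServletException e) {
            Assert.assertEquals(
                    "Principals do not exist in the keytab", e.getCause().getMessage());
        } catch (Throwable th) {
            // Also receives the AssertionError from Assert.fail() above and reports it.
            Assert.fail("wrong exception: " + th);
        }
    }

    /** The handler reports the expected authentication type. */
    @Test
    public void testType() {
        Assert.assertEquals(getExpectedType(), this.handler.getType());
    }

    /**
     * A request with no {@code Authorization} header yields no token and a 401 challenge.
     *
     * @throws Exception on unexpected failure
     */
    @Test
    public void testRequestWithoutAuthorization() throws Exception {
        HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
        HttpServletResponse response = Mockito.mock(HttpServletResponse.class);

        Assert.assertNull(this.handler.authenticate(request, response));

        Mockito.verify(response).setHeader("WWW-Authenticate", "Negotiate");
        Mockito.verify(response).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    }

    /**
     * A request whose {@code Authorization} header is not a Negotiate header yields no token and a
     * 401 challenge.
     *
     * @throws Exception on unexpected failure
     */
    @Test
    public void testRequestWithInvalidAuthorization() throws Exception {
        HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
        HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
        Mockito.when(request.getHeader("Authorization")).thenReturn("invalid");

        Assert.assertNull(this.handler.authenticate(request, response));

        Mockito.verify(response).setHeader("WWW-Authenticate", "Negotiate");
        Mockito.verify(response).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
    }

    /**
     * A Negotiate header that carries no token must be rejected with an
     * {@link AuthenticationException}; any other exception type fails the test.
     */
    @Test
    public void testRequestWithIncompleteAuthorization() {
        HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
        HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
        Mockito.when(request.getHeader("Authorization")).thenReturn("Negotiate");
        try {
            this.handler.authenticate(request, response);
            Assert.fail();
        } catch (AuthenticationException expected) {
            // Expected. The specific type is caught before the general one; the listing had the
            // clauses reversed, which makes this clause unreachable.
        } catch (Exception e) {
            Assert.fail();
        }
    }

    /**
     * A Negotiate header carrying a token produced by the test client is processed by the handler.
     * The test accepts either a continuation challenge (no token, 401) or a completed exchange
     * (200 and a token naming the client principal).
     *
     * @throws Exception on unexpected failure
     */
    @Test
    public void testRequestWithAuthorization() throws Exception {
        String token = (String) KerberosTestUtils.doAsClient(new Callable<String>() {
            @Override
            public String call() throws Exception {
                GSSManager gssManager = GSSManager.getInstance();
                GSSContext gssContext = null;
                try {
                    gssContext =
                            gssManager.createContext(
                                    gssManager.createName(
                                            KerberosTestUtils.getServerPrincipal(),
                                            KerberosUtil.NT_GSS_KRB5_PRINCIPAL_OID),
                                    KerberosUtil.GSS_KRB5_MECH_OID,
                                    (GSSCredential) null,
                                    GSSContext.DEFAULT_LIFETIME);
                    gssContext.requestCredDeleg(true);
                    gssContext.requestMutualAuth(true);
                    byte[] inToken = new byte[0];
                    byte[] outToken = gssContext.initSecContext(inToken, 0, inToken.length);
                    // Line length 0: the header value must be a single unbroken line.
                    return new Base64(0).encodeToString(outToken);
                } finally {
                    // Release the GSS context on every path.
                    if (gssContext != null) {
                        gssContext.dispose();
                    }
                }
            }
        });

        HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
        HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
        Mockito.when(request.getHeader("Authorization")).thenReturn("Negotiate " + token);
        Mockito.when(request.getServerName()).thenReturn("localhost");

        AuthenticationToken authToken = this.handler.authenticate(request, response);

        if (authToken == null) {
            Mockito.verify(response)
                    .setHeader(Mockito.eq("WWW-Authenticate"), Mockito.matches("Negotiate .*"));
            Mockito.verify(response).setStatus(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        Mockito.verify(response)
                .setHeader(Mockito.eq("WWW-Authenticate"), Mockito.matches("Negotiate .*"));
        Mockito.verify(response).setStatus(HttpServletResponse.SC_OK);
        Assert.assertEquals(KerberosTestUtils.getClientPrincipal(), authToken.getName());
        Assert.assertTrue(
                KerberosTestUtils.getClientPrincipal().startsWith(authToken.getUserName()));
        Assert.assertEquals(getExpectedType(), authToken.getType());
    }

    /**
     * A Negotiate header carrying bytes that are not a valid Kerberos token must be rejected with
     * an {@link AuthenticationException}; any other exception type fails the test.
     */
    @Test
    public void testRequestWithInvalidKerberosAuthorization() {
        String token = new Base64(0).encodeToString(new byte[] {0, 1, 2});
        HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
        HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
        // NOTE(review): no space between the scheme and the token here, unlike
        // testRequestWithAuthorization. Confirm this is intended.
        Mockito.when(request.getHeader("Authorization")).thenReturn("Negotiate" + token);
        try {
            this.handler.authenticate(request, response);
            Assert.fail();
        } catch (AuthenticationException expected) {
            // Expected: the garbage token is refused.
        } catch (Exception e) {
            Assert.fail();
        }
    }

    /**
     * A whitelisted servlet path is not subjected to Kerberos validation, while a path that only
     * shares a prefix with a whitelisted entry still is.
     *
     * <p>{@link #setup()} whitelists {@code /white,/white2,/white3}. The same invalid token is
     * sent to {@code /white} (no exception) and to {@code /white4} (must throw), which pins the
     * whitelist to whole-path matching rather than prefix matching.
     *
     * @throws Exception on unexpected failure
     */
    @Test
    public void testRequestToWhitelist() throws Exception {
        String token = new Base64(0).encodeToString(new byte[] {0, 1, 2});
        HttpServletRequest request = Mockito.mock(HttpServletRequest.class);
        HttpServletResponse response = Mockito.mock(HttpServletResponse.class);
        Mockito.when(request.getHeader("Authorization")).thenReturn("Negotiate" + token);

        Mockito.when(request.getServletPath()).thenReturn("/white");
        // NOTE(review): the token returned for the whitelisted path is not inspected, so this
        // only proves that no exception is thrown. Consider asserting on the returned identity.
        this.handler.authenticate(request, response);

        Mockito.when(request.getServletPath()).thenReturn("/white4");
        try {
            this.handler.authenticate(request, response);
            Assert.fail();
        } catch (AuthenticationException expected) {
            // Expected: "/white4" is not on the whitelist, so the invalid token is refused.
        } catch (Exception e) {
            Assert.fail();
        }
    }

    /**
     * Destroys the handler if one is still live.
     *
     * @throws Exception if the handler fails to shut down
     */
    @After
    public void tearDown() throws Exception {
        if (this.handler != null) {
            this.handler.destroy();
            this.handler = null;
        }
    }
}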
