package org.apache.sentry.provider.db.service.thrift;

import com.google.common.collect.Sets;
import java.util.HashMap;
import java.util.Map;
import org.apache.log4j.Level;
import org.apache.log4j.Logger;
import org.apache.sentry.provider.db.log.appender.AuditLoggerTestAppender;
import org.apache.sentry.provider.db.log.util.CommandUtil;
import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
import org.codehaus.jettison.json.JSONObject;
import org.hamcrest.core.Is;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Test;

/* loaded from: input_file:org/apache/sentry/provider/db/service/thrift/TestAuthorizingDDLAuditLogWithKerberos.class */
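/**
 * Integration test that pins the audit trail produced for Sentry role and privilege DDL.
 *
 * <p>Each step issues one call through the inherited {@code client} and then inspects the most
 * recent record captured by {@link AuditLoggerTestAppender} on the
 * {@code sentry.hive.authorization.ddl.logger} logger. Calls that succeed and calls that throw are
 * both expected to leave a record: {@code allowed} is {@code "true"} for the former and
 * {@code "false"} for the latter, so a failed attempt is as visible in the audit log as a
 * successful change.
 *
 * <p>NOTE(review): nothing in this class configures Kerberos; presumably that comes from
 * {@link SentryServiceIntegrationBase} and {@code runTestAsSubject} - confirm against the base
 * class.
 */
public class TestAuthorizingDDLAuditLogWithKerberos extends SentryServiceIntegrationBase {
    private static final String AUDIT_LOGGER_NAME = "sentry.hive.authorization.ddl.logger";
    private static final String FIELD_OPERATION = "operation";
    private static final String FIELD_OPERATION_TEXT = "operationText";
    private static final String FIELD_ALLOWED = "allowed";
    private static final String FIELD_IP_ADDRESS = "ipAddress";
    private static final String FIELD_DATABASE_NAME = "databaseName";
    private static final String FIELD_TABLE_NAME = "tableName";

    /**
     * Attaches the capturing test appender to the DDL audit logger and enables INFO output, so
     * that {@link #assertAuditLog(Map)} has a record to inspect.
     *
     * @throws Exception declared for parity with the other fixtures; nothing here throws a
     *     checked exception
     */
    @BeforeClass
    public static void setupLog4j() throws Exception {
        Logger logger = Logger.getLogger(AUDIT_LOGGER_NAME);
        logger.addAppender(new AuditLoggerTestAppender());
        logger.setLevel(Level.INFO);
    }

    /**
     * Runs the whole DDL scenario through {@code runTestAsSubject} and verifies the audit record
     * after every call.
     *
     * @throws Exception if any call or audit assertion fails
     */
    @Test
    public void testBasic() throws Exception {
        runTestAsSubject(new SentryServiceIntegrationBase.TestOperation() {
            @Override
            public void runTestAsSubject() throws Exception {
                // The scenario lives on the outer class so inherited members resolve unqualified.
                TestAuthorizingDDLAuditLogWithKerberos.this.exerciseDdlAndVerifyAuditTrail();
            }
        });
    }

    /**
     * Issues the DDL calls in a fixed order and checks the audit record written for each one.
     *
     * <p>The order matters: {@link #assertAuditLog(Map)} only looks at the last captured record,
     * and every step expects an {@code operationText} different from the step before it, so a
     * call that logged nothing would be compared against the previous step's record and fail.
     * NOTE(review): this relies on {@code getLastLogEvent} returning the most recent record -
     * confirm against {@link AuditLoggerTestAppender}.
     *
     * <p>In the negative steps {@code Assert.fail} raises an {@code AssertionError}, which is not
     * an {@code Exception} and therefore is not swallowed by the surrounding {@code catch}.
     * NOTE(review): {@code catch (Exception)} accepts any failure, including an unrelated
     * transport or setup error; only the audit-record check that follows ties the failure to the
     * attempted operation. Consider catching the specific exception type the client throws.
     */
    private void exerciseDdlAndVerifyAuditTrail() throws Exception {
        setLocalGroupMapping("admin_user", Sets.newHashSet("admin_group"));
        writePolicyFile();

        // --- calls expected to succeed: record must carry allowed=true ---
        client.createRole("admin_user", "testRole");
        assertAuditLog(expectedFields("CREATE_ROLE", "CREATE ROLE testRole", true));

        client.grantRoleToGroup("admin_user", "testGroup", "testRole");
        assertAuditLog(expectedFields(
                "ADD_ROLE_TO_GROUP", "GRANT ROLE testRole TO GROUP testGroup", true));

        client.grantDatabasePrivilege("admin_user", "testRole", "server1", "dbTest", "ALL");
        assertAuditLog(expectedFields(
                "GRANT_PRIVILEGE", "GRANT ALL ON DATABASE dbTest TO ROLE testRole", true,
                FIELD_DATABASE_NAME, "dbTest"));

        client.grantTablePrivilege(
                "admin_user", "testRole", "server1", "dbTest", "tableTest", "SELECT", true);
        assertAuditLog(expectedFields(
                "GRANT_PRIVILEGE",
                "GRANT SELECT ON TABLE tableTest TO ROLE testRole WITH GRANT OPTION", true,
                FIELD_TABLE_NAME, "tableTest"));

        // --- calls expected to throw: record must still be written, with allowed=false ---
        try {
            // testRole was created above, so a second create is expected to be rejected.
            client.createRole("admin_user", "testRole");
            Assert.fail("Exception should have been thrown");
        } catch (Exception expected) {
            assertAuditLog(expectedFields("CREATE_ROLE", "CREATE ROLE testRole", false));
        }

        // errorRole is never created in this test; presumably that is why these calls fail.
        try {
            client.grantRoleToGroup("admin_user", "testGroup", "errorRole");
            Assert.fail("Exception should have been thrown");
        } catch (Exception expected) {
            assertAuditLog(expectedFields(
                    "ADD_ROLE_TO_GROUP", "GRANT ROLE errorRole TO GROUP testGroup", false));
        }

        try {
            client.grantDatabasePrivilege("admin_user", "errorRole", "server1", "dbTest", "ALL");
            Assert.fail("Exception should have been thrown");
        } catch (Exception expected) {
            assertAuditLog(expectedFields(
                    "GRANT_PRIVILEGE", "GRANT ALL ON DATABASE dbTest TO ROLE errorRole", false));
        }

        try {
            client.grantDatabasePrivilege(
                    "admin_user", "errorRole", "server1", "dbTest", "INSERT");
            Assert.fail("Exception should have been thrown");
        } catch (Exception expected) {
            assertAuditLog(expectedFields(
                    "GRANT_PRIVILEGE", "GRANT INSERT ON DATABASE dbTest TO ROLE errorRole",
                    false));
        }

        try {
            client.grantDatabasePrivilege(
                    "admin_user", "errorRole", "server1", "dbTest", "SELECT");
            Assert.fail("Exception should have been thrown");
        } catch (Exception expected) {
            assertAuditLog(expectedFields(
                    "GRANT_PRIVILEGE", "GRANT SELECT ON DATABASE dbTest TO ROLE errorRole",
                    false));
        }

        try {
            client.grantTablePrivilege(
                    "admin_user", "errorRole", "server1", "dbTest", "tableTest", "SELECT");
            Assert.fail("Exception should have been thrown");
        } catch (Exception expected) {
            assertAuditLog(expectedFields(
                    "GRANT_PRIVILEGE", "GRANT SELECT ON TABLE tableTest TO ROLE errorRole",
                    false));
        }

        // --- revocations and drop expected to succeed ---
        client.revokeTablePrivilege(
                "admin_user", "testRole", "server1", "dbTest", "tableTest", "SELECT");
        assertAuditLog(expectedFields(
                "REVOKE_PRIVILEGE", "REVOKE SELECT ON TABLE tableTest FROM ROLE testRole", true,
                FIELD_TABLE_NAME, "tableTest"));

        client.revokeDatabasePrivilege("admin_user", "testRole", "server1", "dbTest", "ALL");
        assertAuditLog(expectedFields(
                "REVOKE_PRIVILEGE", "REVOKE ALL ON DATABASE dbTest FROM ROLE testRole", true,
                FIELD_DATABASE_NAME, "dbTest"));

        client.revokeRoleFromGroup("admin_user", "testGroup", "testRole");
        assertAuditLog(expectedFields(
                "DELETE_ROLE_FROM_GROUP", "REVOKE ROLE testRole FROM GROUP testGroup", true));

        client.dropRole("admin_user", "testRole");
        assertAuditLog(expectedFields("DROP_ROLE", "DROP ROLE testRole", true));

        // --- revocations and drop expected to throw ---
        try {
            client.revokeTablePrivilege(
                    "admin_user", "errorRole", "server1", "dbTest", "tableTest", "SELECT");
            Assert.fail("Exception should have been thrown");
        } catch (Exception expected) {
            assertAuditLog(expectedFields(
                    "REVOKE_PRIVILEGE", "REVOKE SELECT ON TABLE tableTest FROM ROLE errorRole",
                    false));
        }

        try {
            client.revokeDatabasePrivilege("admin_user", "errorRole", "server1", "dbTest", "ALL");
            Assert.fail("Exception should have been thrown");
        } catch (Exception expected) {
            assertAuditLog(expectedFields(
                    "REVOKE_PRIVILEGE", "REVOKE ALL ON DATABASE dbTest FROM ROLE errorRole",
                    false));
        }

        try {
            client.revokeRoleFromGroup("admin_user", "testGroup", "errorRole");
            Assert.fail("Exception should have been thrown");
        } catch (Exception expected) {
            assertAuditLog(expectedFields(
                    "DELETE_ROLE_FROM_GROUP", "REVOKE ROLE errorRole FROM GROUP testGroup",
                    false));
        }

        try {
            client.dropRole("admin_user", "errorRole");
            Assert.fail("Exception should have been thrown");
        } catch (Exception expected) {
            assertAuditLog(expectedFields("DROP_ROLE", "DROP ROLE errorRole", false));
        }
    }

    /**
     * Builds the fields every audit record in this test is checked for.
     *
     * @param operation expected {@code operation} value
     * @param operationText expected {@code operationText} value
     * @param allowed expected outcome; stored as {@code "true"} or {@code "false"}
     * @return a new mutable map; {@code ipAddress} is mapped to {@code null} because
     *     {@link #assertAuditLog(Map)} validates that field by key and ignores the expected value
     */
    private static Map<String, String> expectedFields(
            String operation, String operationText, boolean allowed) {
        Map<String, String> fields = new HashMap<String, String>();
        fields.put(FIELD_OPERATION, operation);
        fields.put(FIELD_OPERATION_TEXT, operationText);
        fields.put(FIELD_ALLOWED, String.valueOf(allowed));
        fields.put(FIELD_IP_ADDRESS, null);
        return fields;
    }

    /**
     * Same as {@link #expectedFields(String, String, boolean)} plus one extra expected field,
     * used here for {@code databaseName} and {@code tableName}.
     */
    private static Map<String, String> expectedFields(
            String operation, String operationText, boolean allowed,
            String extraKey, String extraValue) {
        Map<String, String> fields = expectedFields(operation, operationText, allowed);
        fields.put(extraKey, extraValue);
        return fields;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Asserts that the last captured audit record was logged at INFO and carries the given
     * fields.
     *
     * <p>The record is parsed as JSON. For the {@code ipAddress} key the expected value is
     * ignored and the logged value is handed to {@link CommandUtil#assertIPInAuditLog}; what that
     * helper accepts is not visible from this class. Every other key is compared with the logged
     * value case-insensitively.
     *
     * @param map expected field names and values; {@code null} checks the log level and that the
     *     record parses as JSON, nothing more
     * @throws Exception if the record is not valid JSON or lacks one of the expected keys
     */
    public void assertAuditLog(Map<String, String> map) throws Exception {
        Assert.assertThat(
                "audit record log level",
                AuditLoggerTestAppender.getLastLogLevel(),
                Is.is(Level.INFO));
        JSONObject jSONObject = new JSONObject(AuditLoggerTestAppender.getLastLogEvent());
        if (map == null) {
            return;
        }
        for (Map.Entry<String, String> entry : map.entrySet()) {
            String key = entry.getKey();
            String actual = jSONObject.get(key).toString();
            if (FIELD_IP_ADDRESS.equals(key)) {
                Assert.assertTrue(
                        "audit record field 'ipAddress' rejected by CommandUtil.assertIPInAuditLog:"
                                + " <" + actual + ">",
                        CommandUtil.assertIPInAuditLog(actual));
            } else {
                // Messages name the field so a failure points at the record content
                // instead of a bare "expected true".
                Assert.assertTrue(
                        "audit record field '" + key + "': expected <" + entry.getValue()
                                + "> (case-insensitive) but was <" + actual + ">",
                        entry.getValue().equalsIgnoreCase(actual));
            }
        }
    }
}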
