package co.cask.cdap.common.security;

import co.cask.cdap.common.conf.CConfiguration;
import co.cask.cdap.common.io.Locations;
import co.cask.http.AbstractHttpHandler;
import co.cask.http.HttpResponder;
import co.cask.http.NettyHttpService;
import com.google.common.base.Preconditions;
import com.google.common.io.Files;
import com.google.gson.Gson;
import java.io.BufferedOutputStream;
import java.io.DataOutputStream;
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hdfs.MiniDFSCluster;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.minikdc.MiniKdc;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.twill.discovery.Discoverable;
import org.apache.twill.discovery.InMemoryDiscoveryService;
import org.apache.twill.filesystem.FileContextLocationFactory;
import org.apache.twill.filesystem.Location;
import org.apache.twill.filesystem.LocationFactory;
import org.jboss.netty.handler.codec.http.HttpRequest;
import org.jboss.netty.handler.codec.http.HttpResponseStatus;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.ClassRule;
import org.junit.Test;
import org.junit.rules.TemporaryFolder;

/* loaded from: input_file:co/cask/cdap/common/security/UGIProviderTest.class */
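/**
 * Tests {@link DefaultUGIProvider} and {@link RemoteUGIProvider} against an in-process
 * {@link MiniKdc} and {@link MiniDFSCluster}.
 *
 * <p>The fixtures change process-wide state: the {@code java.security.krb5.conf} system property
 * and the static {@link UserGroupInformation} configuration are set in {@link #init()} and are not
 * restored in {@link #finish()}.
 */
public class UGIProviderTest {

    @ClassRule
    public static final TemporaryFolder TEMP_FOLDER = new TemporaryFolder();
    private static CConfiguration cConf;
    private static MiniDFSCluster miniDFSCluster;
    private static LocationFactory locationFactory;
    private static MiniKdc miniKdc;
    // Single keytab holding the keys of every principal created in init().
    private static File keytabFile;

    /**
     * Stub of the impersonation credentials endpoint used by {@link RemoteUGIProvider}.
     *
     * <p>It issues no real credentials: the requested principal and keytab URI are echoed back
     * inside two placeholder tokens so the test can check that they round-trip.
     */
    public static final class UGIProviderTestHandler extends AbstractHttpHandler {
        /**
         * Writes the placeholder tokens to a temporary credentials file and responds with its URI.
         *
         * @param httpRequest request whose body is a JSON-serialized {@link ImpersonationInfo}
         * @param httpResponder receives {@code 200 OK} with the credentials file URI as the body
         * @throws IOException if the credentials file cannot be created or written
         */
        @POST
        @Path("/v1/impersonation/credentials")
        public void getCredentials(HttpRequest httpRequest, HttpResponder httpResponder) throws IOException {
            String requestBody = httpRequest.getContent().toString(StandardCharsets.UTF_8);
            ImpersonationInfo impersonationInfo = new Gson().fromJson(requestBody, ImpersonationInfo.class);

            byte[] principalBytes = impersonationInfo.getPrincipal().getBytes(StandardCharsets.UTF_8);
            byte[] keytabBytes = impersonationInfo.getKeytabURI().getBytes(StandardCharsets.UTF_8);

            // Identifier and password carry the same bytes; the test asserts on both.
            Credentials credentials = new Credentials();
            credentials.addToken(new Text("principal"),
                new Token<>(principalBytes, principalBytes, new Text("principal"), new Text("service")));
            credentials.addToken(new Text("keytab"),
                new Token<>(keytabBytes, keytabBytes, new Text("keytab"), new Text("service")));

            Location credentialsDir = UGIProviderTest.locationFactory.create("credentials");
            Preconditions.checkState(credentialsDir.mkdirs());
            // NOTE(review): the token file is created without any explicit permissions. That is
            // harmless for these placeholder tokens; confirm the production handler restricts access.
            Location credentialsFile = credentialsDir.append("tmp").getTempFile(".credentials");

            // try-with-resources closes the stream exactly once, including when the write fails,
            // and the response is only sent after the file has been flushed and closed.
            try (DataOutputStream dataOutputStream =
                     new DataOutputStream(new BufferedOutputStream(credentialsFile.getOutputStream()))) {
                credentials.writeTokenStorageToStream(dataOutputStream);
            }
            httpResponder.sendString(HttpResponseStatus.OK, credentialsFile.toURI().toString());
        }
    }

    /**
     * Starts the MiniKdc and a single-datanode MiniDFSCluster, creates the test principals and
     * switches Hadoop authentication to Kerberos.
     *
     * @throws Exception if any of the embedded services fails to start
     */
    @BeforeClass
    public static void init() throws Exception {
        cConf = CConfiguration.create();
        cConf.set("local.data.dir", TEMP_FOLDER.newFolder().getAbsolutePath());

        miniKdc = new MiniKdc(MiniKdc.createConf(), TEMP_FOLDER.newFolder());
        miniKdc.start();
        // JVM-wide property pointing Kerberos at the MiniKdc configuration; it is never cleared.
        System.setProperty("java.security.krb5.conf", miniKdc.getKrb5conf().getAbsolutePath());

        keytabFile = TEMP_FOLDER.newFile();
        miniKdc.createPrincipal(keytabFile, new String[]{"hdfs", "alice", "bob"});

        // The DFS cluster is built from its own Configuration, before the Kerberos setting below.
        Configuration dfsConf = new Configuration();
        dfsConf.set("hdfs.minidfs.basedir", TEMP_FOLDER.newFolder().getAbsolutePath());
        miniDFSCluster = new MiniDFSCluster.Builder(dfsConf).numDataNodes(1).build();
        miniDFSCluster.waitClusterUp();
        locationFactory = new FileContextLocationFactory(miniDFSCluster.getFileSystem().getConf());

        // Static UserGroupInformation setting, so it applies to the whole test JVM.
        Configuration kerberosConf = new Configuration();
        kerberosConf.set("hadoop.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(kerberosConf);
    }

    /** Shuts down the embedded DFS cluster and KDC if they were started. */
    @AfterClass
    public static void finish() {
        if (miniDFSCluster != null) {
            miniDFSCluster.shutdown();
        }
        if (miniKdc != null) {
            miniKdc.stop();
        }
    }

    /**
     * Verifies Kerberos login from a local keytab and from a keytab stored on the DFS, and that
     * results are cached until {@code invalidCache()} is called.
     *
     * <p>The cached UGI is still returned after its keytab has been deleted. Removing a keytab
     * therefore does not take effect until the cache is invalidated.
     *
     * @throws IOException if a login that is expected to succeed fails
     */
    @Test
    public void testDefaultUGIProvider() throws IOException {
        // NOTE(review): JVM-wide and never reset; the Kerberos trace it enables will also appear
        // in the output of tests that run later in the same JVM.
        System.setProperty("sun.security.krb5.debug", "true");
        DefaultUGIProvider defaultUGIProvider = new DefaultUGIProvider(cConf, locationFactory);

        // Keytab given as a local file path.
        ImpersonationInfo aliceInfo = new ImpersonationInfo(getPrincipal("alice"), keytabFile.getAbsolutePath());
        UserGroupInformation aliceUGI = defaultUGIProvider.getConfiguredUGI(aliceInfo);
        Assert.assertEquals(UserGroupInformation.AuthenticationMethod.KERBEROS, aliceUGI.getAuthenticationMethod());
        Assert.assertTrue(aliceUGI.hasKerberosCredentials());
        Assert.assertSame(aliceUGI, defaultUGIProvider.getConfiguredUGI(aliceInfo));

        // Keytab copied to the DFS and referenced by its URI.
        Location remoteKeytab = locationFactory.create("keytab").getTempFile(".tmp");
        Files.copy(keytabFile, Locations.newOutputSupplier(remoteKeytab));
        ImpersonationInfo bobInfo = new ImpersonationInfo(getPrincipal("bob"), remoteKeytab.toURI().toString());
        UserGroupInformation bobUGI = defaultUGIProvider.getConfiguredUGI(bobInfo);
        Assert.assertEquals(UserGroupInformation.AuthenticationMethod.KERBEROS, bobUGI.getAuthenticationMethod());
        Assert.assertTrue(bobUGI.hasKerberosCredentials());

        // Deleting the keytab does not evict the cached UGI.
        remoteKeytab.delete();
        Assert.assertSame(bobUGI, defaultUGIProvider.getConfiguredUGI(bobInfo));

        // After invalidation a fresh login happens: alice's keytab still exists, bob's does not.
        defaultUGIProvider.invalidCache();
        Assert.assertNotSame(aliceUGI, defaultUGIProvider.getConfiguredUGI(aliceInfo));
        try {
            defaultUGIProvider.getConfiguredUGI(bobInfo);
            Assert.fail("Expected IOException when getting UGI for " + bobInfo);
        } catch (IOException expected) {
            // Expected: the keytab backing this principal was deleted above.
        }
    }

    /**
     * Verifies that {@link RemoteUGIProvider} fetches credentials from the discovered endpoint,
     * attaches the returned tokens to a UGI without Kerberos credentials, and caches the result
     * until {@code invalidCache()} is called.
     *
     * @throws Exception if the HTTP service or the credential fetch fails
     */
    @Test
    public void testRemoteUGIProvider() throws Exception {
        NettyHttpService httpService = NettyHttpService.builder("remoteUGITest")
            .addHttpHandlers(Collections.singleton(new UGIProviderTestHandler()))
            .build();
        httpService.startAndWait();
        try {
            // Register the stub under the service name "appfabric" so the provider discovers it.
            InMemoryDiscoveryService discoveryService = new InMemoryDiscoveryService();
            discoveryService.register(new Discoverable("appfabric", httpService.getBindAddress()));
            RemoteUGIProvider remoteUGIProvider = new RemoteUGIProvider(cConf, discoveryService, locationFactory);

            ImpersonationInfo impersonationInfo =
                new ImpersonationInfo(getPrincipal("alice"), keytabFile.toURI().toString());
            UserGroupInformation configuredUGI = remoteUGIProvider.getConfiguredUGI(impersonationInfo);
            // The remote path carries tokens only; no Kerberos login happens on this side.
            Assert.assertFalse(configuredUGI.hasKerberosCredentials());

            byte[] principalBytes = impersonationInfo.getPrincipal().getBytes(StandardCharsets.UTF_8);
            Token<?> principalToken = configuredUGI.getCredentials().getToken(new Text("principal"));
            Assert.assertArrayEquals(principalBytes, principalToken.getIdentifier());
            Assert.assertArrayEquals(principalBytes, principalToken.getPassword());
            Assert.assertEquals(new Text("principal"), principalToken.getKind());
            Assert.assertEquals(new Text("service"), principalToken.getService());

            byte[] keytabBytes = impersonationInfo.getKeytabURI().getBytes(StandardCharsets.UTF_8);
            Token<?> keytabToken = configuredUGI.getCredentials().getToken(new Text("keytab"));
            Assert.assertArrayEquals(keytabBytes, keytabToken.getIdentifier());
            Assert.assertArrayEquals(keytabBytes, keytabToken.getPassword());
            Assert.assertEquals(new Text("keytab"), keytabToken.getKind());
            Assert.assertEquals(new Text("service"), keytabToken.getService());

            Assert.assertSame(configuredUGI, remoteUGIProvider.getConfiguredUGI(impersonationInfo));
            remoteUGIProvider.invalidCache();
            Assert.assertNotSame(configuredUGI, remoteUGIProvider.getConfiguredUGI(impersonationInfo));
        } finally {
            // Stop the stub service on success and on failure.
            httpService.stopAndWait();
        }
    }

    /**
     * Builds the full Kerberos principal for a short user name in the MiniKdc realm.
     *
     * @param str short user name, e.g. {@code alice}
     * @return {@code str@REALM}
     */
    private static String getPrincipal(String str) {
        return String.format("%s@%s", str, miniKdc.getRealm());
    }
}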
