package io.confluent.rest.impersonation;

import com.google.common.collect.ImmutableMap;
import io.confluent.rest.RestConfig;
import io.confluent.rest.exceptions.RestServerErrorException;
import io.confluent.rest.mapr.test.MaprHomeSupport;
import io.confluent.rest.mapr.test.MaprTestLoginModule;
import io.confluent.rest.mapr.test.MaprTestLoginRule;
import io.confluent.rest.mapr.test.TestUtils;
import java.io.IOException;
import java.security.PrivilegedAction;
import javax.security.auth.login.LoginException;
import org.apache.commons.codec.binary.Base64;
import org.apache.hadoop.security.UserGroupInformation;
import org.hamcrest.CoreMatchers;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.internal.matchers.ThrowableCauseMatcher;

/* loaded from: input_file:io/confluent/rest/impersonation/ImpersonationUtilsTest.class */
public class ImpersonationUtilsTest {

    @Rule
    public final MaprTestLoginRule loginRule = MaprTestLoginRule.forHadoopSimpleAndJpam();
    private static final String ANY_USER = "user";

    @Before
    public void setUp() {
        configure(true);
    }

    private void configure(boolean z) {
        ImpersonationUtils.initialize(new RestConfig(RestConfig.baseConfigDef(), ImmutableMap.of("impersonation.enable", Boolean.toString(z))));
    }

    @Test
    public void enablesImpersonationWhenConfiguredTrue() {
        configure(true);
        Assert.assertTrue(ImpersonationUtils.isImpersonationEnabled());
    }

    @Test
    public void disablesImpersonationWhenConfiguredFalse() {
        configure(false);
        Assert.assertFalse(ImpersonationUtils.isImpersonationEnabled());
    }

    @Test
    public void whenEnabledImpersonatesRunner() {
        configure(true);
        Assert.assertEquals(ANY_USER, ((UserGroupInformation) ImpersonationUtils.runAsUserIfImpersonationEnabled(this::getCurrentUser, basicAuth(ANY_USER), cookieAuth(ANY_USER))).getUserName());
    }

    @Test
    public void whenDisabledRunsActionAsSameUser() {
        configure(false);
        Assert.assertSame(getCurrentUser(), (UserGroupInformation) ImpersonationUtils.runAsUserIfImpersonationEnabled(this::getCurrentUser, basicAuth("ignored-basic-auth-user"), cookieAuth("ignored-cookie-user")));
    }

    @Test
    public void whenForcedImpersonatesRunner() {
        configure(false);
        Assert.assertEquals(ANY_USER, ((UserGroupInformation) ImpersonationUtils.runAsUser(this::getCurrentUser, basicAuth(ANY_USER), cookieAuth(ANY_USER))).getUserName());
    }

    @Test
    public void throwsRestExceptionOnIOException() throws IOException {
        MaprTestLoginModule.restrict(UserGroupInformation.getLoginUser().getUserName(), str -> {
            throw new LoginException();
        });
        UserGroupInformation.reset();
        TestUtils.assertThatThrownRestException(() -> {
            ImpersonationUtils.runAsUser(this::getCurrentUser, basicAuth("whatever"), cookieAuth("whatever"));
        }, CoreMatchers.allOf(TestUtils.hasSameRestAttributesAs(Errors.serverLoginException(new IOException())), ThrowableCauseMatcher.hasCause(CoreMatchers.instanceOf(IOException.class))));
    }

    @Test
    public void wrapsRestServerExceptions() {
        RestServerErrorException restServerErrorException = new RestServerErrorException("Some server error", 0);
        PrivilegedAction privilegedAction = () -> {
            throw restServerErrorException;
        };
        TestUtils.assertThatThrownRestException(() -> {
            ImpersonationUtils.runAsUser(privilegedAction, basicAuth("whatever"), cookieAuth("whatever"));
        }, CoreMatchers.allOf(TestUtils.hasSameRestAttributesAs(Errors.serverLoginException("whatever", restServerErrorException)), ThrowableCauseMatcher.hasCause(CoreMatchers.sameInstance(restServerErrorException))));
    }

    private UserGroupInformation getCurrentUser() {
        try {
            return UserGroupInformation.getCurrentUser();
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    private String cookieAuth(String str) {
        return "hadoop.auth=whatever&u=" + str;
    }

    private String basicAuth(String str) {
        return "Basic " + Base64.encodeBase64String((str + ":any-pass").getBytes());
    }

    static {
        MaprHomeSupport.activate();
    }
}
