package org.apache.hadoop.hdfs.security;

import java.io.ByteArrayInputStream;
import java.io.DataInputStream;
import java.io.IOException;
import java.net.URI;
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.hdfs.DFSTestUtil;
import org.apache.hadoop.hdfs.DistributedFileSystem;
import org.apache.hadoop.hdfs.HdfsConfiguration;
import org.apache.hadoop.hdfs.MiniDFSCluster;
import org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier;
import org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenSecretManager;
import org.apache.hadoop.hdfs.server.common.HdfsServerConstants;
import org.apache.hadoop.hdfs.server.namenode.FSNamesystem;
import org.apache.hadoop.hdfs.server.namenode.NameNode;
import org.apache.hadoop.hdfs.server.namenode.NameNodeAdapter;
import org.apache.hadoop.hdfs.server.namenode.web.resources.NamenodeWebHdfsMethods;
import org.apache.hadoop.hdfs.web.WebHdfsFileSystem;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.SecretManager;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.test.GenericTestUtils;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.slf4j.event.Level;

/* loaded from: input_file:org/apache/hadoop/hdfs/security/TestDelegationToken.class */
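/**
 * Exercises HDFS delegation-token issuance, renewal, cancellation and expiry against an
 * in-process {@link MiniDFSCluster}.
 *
 * <p>The tests pin the authorization and lifetime rules visible in this file: only the renewer
 * named in the token may renew or cancel it, a token that is not renewed in time is rejected by
 * {@code retrievePassword}, renewal is refused once the configured maximum lifetime has passed,
 * and the secret manager is not running while the NameNode is in safe mode.
 *
 * <p>This listing was recovered from a compiled class. Casts and local variables that the
 * decompiler dropped (an undefined {@code r0}, generic casts on {@link Token}) are restored here
 * so that the class compiles again.
 */
public class TestDelegationToken {
    private MiniDFSCluster cluster;
    private DelegationTokenSecretManager dtSecretManager;
    private Configuration config;
    private static final Logger LOG = LoggerFactory.getLogger(TestDelegationToken.class);

    /**
     * Starts a NameNode-only mini cluster with deliberately short token lifetimes and captures
     * its delegation-token secret manager.
     *
     * @throws Exception if the cluster cannot be built or does not become active
     */
    @Before
    public void setUp() throws Exception {
        config = new HdfsConfiguration();
        // Short lifetimes (10000 / 5000, matched by the millisecond sleeps in
        // testDelegationTokenSecretManager) so the expiry paths are reachable in a unit test.
        config.setLong("dfs.namenode.delegation.token.max-lifetime", 10000L);
        config.setLong("dfs.namenode.delegation.token.renew-interval", 5000L);
        // NOTE(review): test-only switch; presumably lets tokens be issued without Kerberos
        // being enabled on the mini cluster. Confirm before copying this into a real config.
        config.setBoolean("dfs.namenode.delegation.token.always-use", true);
        // Maps two-component principals of the form JobTracker/<host>@...FOO.COM to the short
        // name "JobTracker"; testDelegationTokenWithDoAs depends on this mapping.
        config.set("hadoop.security.auth_to_local", "RULE:[2:$1@$0](JobTracker@.*FOO.COM)s/@.*//DEFAULT");
        FileSystem.setDefaultUri(config, "hdfs://localhost:0");
        cluster = new MiniDFSCluster.Builder(config).numDataNodes(0).build();
        cluster.waitActive();
        dtSecretManager = NameNodeAdapter.getDtSecretManager(cluster.getNamesystem());
    }

    /**
     * Shuts the mini cluster down, if one was started.
     *
     * @throws Exception if shutdown fails
     */
    @After
    public void tearDown() throws Exception {
        if (cluster != null) {
            cluster.shutdown();
            cluster = null;
        }
    }

    /**
     * Creates a token directly through the secret manager.
     *
     * @param str the token owner
     * @param str2 the renewer named in the token
     * @return a token for {@code str} with renewer {@code str2} and no real user
     */
    private Token<DelegationTokenIdentifier> generateDelegationToken(String str, String str2) {
        DelegationTokenIdentifier identifier =
                new DelegationTokenIdentifier(new Text(str), new Text(str2), (Text) null);
        return new Token<>(identifier, dtSecretManager);
    }

    /**
     * Checks renewer authorization and both expiry limits on the secret manager.
     *
     * <p>The test is timing-sensitive: it relies on wall-clock sleeps relative to the lifetimes
     * configured in {@link #setUp()}.
     *
     * @throws Exception on unexpected secret-manager failures or interruption
     */
    @Test
    public void testDelegationTokenSecretManager() throws Exception {
        Token<DelegationTokenIdentifier> token = generateDelegationToken("SomeUser", "JobTracker");
        // A principal other than the renewer named in the token must be refused.
        try {
            dtSecretManager.renewToken(token, "FakeRenewer");
            Assert.fail("should have failed");
        } catch (AccessControlException expected) {
            // Expected: "FakeRenewer" is not the token's renewer.
        }
        dtSecretManager.renewToken(token, "JobTracker");
        DelegationTokenIdentifier identifier = new DelegationTokenIdentifier();
        identifier.readFields(new DataInputStream(new ByteArrayInputStream(token.getIdentifier())));
        Assert.assertTrue(null != dtSecretManager.retrievePassword(identifier));
        LOG.info("Sleep to expire the token");
        Thread.sleep(6000L);
        // Past the renew interval without a renewal: the password must no longer be served.
        try {
            dtSecretManager.retrievePassword(identifier);
            Assert.fail("Token should have expired");
        } catch (SecretManager.InvalidToken expected) {
            // Expected: the token was not renewed within the renew interval.
        }
        // The test expects this renewal to succeed even though retrievePassword was just
        // rejected: the maximum lifetime has not been reached yet.
        dtSecretManager.renewToken(token, "JobTracker");
        LOG.info("Sleep beyond the max lifetime");
        Thread.sleep(5000L);
        // Past the maximum lifetime even the legitimate renewer must be refused.
        try {
            dtSecretManager.renewToken(token, "JobTracker");
            Assert.fail("should have been expired");
        } catch (SecretManager.InvalidToken expected) {
            // Expected: the token is older than its maximum lifetime.
        }
    }

    /**
     * Checks that only the named renewer may cancel a token and that a cancelled token cannot be
     * renewed afterwards.
     *
     * @throws Exception on unexpected secret-manager failures
     */
    @Test
    public void testCancelDelegationToken() throws Exception {
        Token<DelegationTokenIdentifier> token = generateDelegationToken("SomeUser", "JobTracker");
        try {
            dtSecretManager.cancelToken(token, "FakeCanceller");
            Assert.fail("should have failed");
        } catch (AccessControlException expected) {
            // Expected: "FakeCanceller" is not allowed to cancel this token.
        }
        dtSecretManager.cancelToken(token, "JobTracker");
        try {
            dtSecretManager.renewToken(token, "JobTracker");
            Assert.fail("should have failed");
        } catch (SecretManager.InvalidToken expected) {
            // Expected: the token was cancelled above.
        }
    }

    /**
     * Checks that the namesystem's current-token count follows issue, renew and cancel.
     *
     * @throws Exception on unexpected secret-manager failures
     */
    @Test
    public void testDelegationTokenMetrics() throws Exception {
        FSNamesystem namesystem = cluster.getNamesystem();
        Assert.assertEquals(0L, namesystem.getCurrentTokensCount());
        Token<DelegationTokenIdentifier> token = generateDelegationToken("SomeUser", "JobTracker");
        Assert.assertEquals(1L, namesystem.getCurrentTokensCount());
        // Renewal must not create a second entry.
        dtSecretManager.renewToken(token, "JobTracker");
        Assert.assertEquals(1L, namesystem.getCurrentTokensCount());
        dtSecretManager.cancelToken(token, "JobTracker");
        Assert.assertEquals(0L, namesystem.getCurrentTokensCount());
    }

    /**
     * Checks token acquisition through the {@link DistributedFileSystem} API, including that a
     * second request with the same {@link Credentials} returns no new token.
     *
     * @throws Exception on unexpected file-system or secret-manager failures
     */
    @Test
    public void testAddDelegationTokensDFSApi() throws Exception {
        UserGroupInformation ugi = UserGroupInformation.createRemoteUser("JobTracker");
        DistributedFileSystem dfs = cluster.getFileSystem();
        Credentials creds = new Credentials();
        Token<?>[] tokens = dfs.addDelegationTokens("JobTracker", creds);
        Assert.assertEquals(1L, tokens.length);
        Assert.assertEquals(1L, creds.numberOfTokens());
        checkTokenIdentifier(ugi, tokens[0]);
        // checkTokenIdentifier cancelled the token, yet creds still holds it and no new token
        // is returned: presence in Credentials does not show the token is still valid.
        Token<?>[] secondRequest = dfs.addDelegationTokens("JobTracker", creds);
        Assert.assertEquals(0L, secondRequest.length);
        Assert.assertEquals(1L, creds.numberOfTokens());
    }

    /**
     * Checks token acquisition through WebHDFS as the test user "JobTracker".
     *
     * @throws Exception on unexpected file-system or secret-manager failures
     */
    @Test
    public void testDelegationTokenWebHdfsApi() throws Exception {
        GenericTestUtils.setLogLevel(NamenodeWebHdfsMethods.LOG, Level.TRACE);
        final String uri = "webhdfs://" + config.get("dfs.namenode.http-address");
        UserGroupInformation ugi = UserGroupInformation.createUserForTesting("JobTracker", new String[]{"user"});
        // The file system is created inside doAs so that it is bound to the test user.
        WebHdfsFileSystem webHdfs = ugi.doAs(new PrivilegedExceptionAction<WebHdfsFileSystem>() {
            @Override
            public WebHdfsFileSystem run() throws Exception {
                return (WebHdfsFileSystem) FileSystem.get(new URI(uri), config);
            }
        });
        Credentials creds = new Credentials();
        Token<?>[] tokens = webHdfs.addDelegationTokens("JobTracker", creds);
        Assert.assertEquals(1L, tokens.length);
        Assert.assertEquals(1L, creds.numberOfTokens());
        Assert.assertSame(tokens[0], creds.getAllTokens().iterator().next());
        checkTokenIdentifier(ugi, tokens[0]);
        Assert.assertEquals(0L, webHdfs.addDelegationTokens("JobTracker", creds).length);
    }

    /**
     * Checks that both the full principal {@code JobTracker/foo.com@FOO.COM} and the short name
     * {@code JobTracker} are accepted as the token's renewer, and that the full principal may
     * cancel the token.
     *
     * @throws Exception on unexpected file-system failures
     */
    @Test
    public void testDelegationTokenWithDoAs() throws Exception {
        Token<?>[] tokens = cluster.getFileSystem().addDelegationTokens("JobTracker", new Credentials());
        Assert.assertEquals(1L, tokens.length);
        final Token<?> token = tokens[0];
        // The auth_to_local rule from setUp maps the long principal to "JobTracker".
        final UserGroupInformation longUgi = UserGroupInformation.createRemoteUser("JobTracker/foo.com@FOO.COM");
        UserGroupInformation shortUgi = UserGroupInformation.createRemoteUser("JobTracker");
        longUgi.doAs(new PrivilegedExceptionAction<Object>() {
            @Override
            public Object run() throws IOException {
                try {
                    token.renew(config);
                } catch (Exception e) {
                    // Keep the cause so an authorization failure is visible in the test report.
                    throw new AssertionError("Could not renew delegation token for user " + longUgi, e);
                }
                return null;
            }
        });
        shortUgi.doAs(new PrivilegedExceptionAction<Object>() {
            @Override
            public Object run() throws Exception {
                token.renew(config);
                return null;
            }
        });
        longUgi.doAs(new PrivilegedExceptionAction<Object>() {
            @Override
            public Object run() throws IOException {
                try {
                    token.cancel(config);
                } catch (Exception e) {
                    // Keep the cause so an authorization failure is visible in the test report.
                    throw new AssertionError("Could not cancel delegation token for user " + longUgi, e);
                }
                return null;
            }
        });
    }

    /**
     * Checks that repeated decoding of one token yields equal but distinct identifiers that share
     * one {@link UserGroupInformation} instance, and that a second token gets a different one.
     *
     * @throws Exception on unexpected file-system failures
     */
    @Test
    public void testDelegationTokenUgi() throws Exception {
        DistributedFileSystem dfs = cluster.getFileSystem();
        Token<?>[] tokens = dfs.addDelegationTokens("renewer", (Credentials) null);
        Assert.assertEquals(1L, tokens.length);
        Token<?> token = tokens[0];
        DelegationTokenIdentifier identifier = (DelegationTokenIdentifier) token.decodeIdentifier();
        UserGroupInformation user = identifier.getUser();
        for (int i = 0; i < 2; i++) {
            DelegationTokenIdentifier decodedAgain = (DelegationTokenIdentifier) token.decodeIdentifier();
            Assert.assertEquals(identifier, decodedAgain);
            Assert.assertNotSame(identifier, decodedAgain);
            // Asserted twice on purpose: a repeated getUser() on the same identifier must keep
            // returning the same instance.
            Assert.assertSame(user, decodedAgain.getUser());
            Assert.assertSame(user, decodedAgain.getUser());
        }
        Token<?>[] moreTokens = dfs.addDelegationTokens("renewer", (Credentials) null);
        Assert.assertEquals(1L, moreTokens.length);
        Token<?> otherToken = moreTokens[0];
        Assert.assertNotEquals(token, otherToken);
        // A different token must not share the first token's user object.
        Assert.assertNotSame(user, otherToken.decodeIdentifier().getUser());
    }

    /**
     * Checks that the delegation-token secret manager is stopped while the NameNode is in safe
     * mode and running once safe mode is left.
     *
     * @throws Exception on unexpected cluster failures
     */
    @Test
    public void testDTManagerInSafeMode() throws Exception {
        cluster.startDataNodes(config, 1, true, HdfsServerConstants.StartupOption.REGULAR, null);
        DistributedFileSystem dfs = cluster.getFileSystem();
        for (int i = 0; i < 5; i++) {
            DFSTestUtil.createFile(dfs, new Path("/test-" + i), 100L, (short) 1, 1L);
        }
        cluster.getConfiguration(0).setInt("dfs.namenode.delegation.key.update-interval", 500);
        // Long safe-mode extension and no waiting, so the restarted NameNode is still in safe
        // mode when it is inspected below.
        cluster.getConfiguration(0).setInt("dfs.namenode.safemode.extension", 30000);
        cluster.setWaitSafeMode(false);
        cluster.restartNameNode(new String[0]);
        NameNode nameNode = cluster.getNameNode();
        Assert.assertTrue(nameNode.isInSafeMode());
        DelegationTokenSecretManager secretManager = NameNodeAdapter.getDtSecretManager(nameNode.getNamesystem());
        Assert.assertFalse("Secret manager should not run in safe mode", secretManager.isRunning());
        NameNodeAdapter.leaveSafeMode(nameNode);
        Assert.assertTrue("Secret manager should start when safe mode is exited", secretManager.isRunning());
        LOG.info("========= entering safemode again");
        NameNodeAdapter.enterSafeMode(nameNode, false);
        Assert.assertFalse("Secret manager should stop again when safe mode is manually entered", secretManager.isRunning());
        // Restart without the extension and wait for safe mode to end.
        cluster.getConfiguration(0).setInt("dfs.namenode.safemode.extension", 0);
        cluster.setWaitSafeMode(true);
        cluster.restartNameNode(new String[0]);
        NameNode restartedNameNode = cluster.getNameNode();
        DelegationTokenSecretManager restartedSecretManager =
                NameNodeAdapter.getDtSecretManager(restartedNameNode.getNamesystem());
        Assert.assertFalse(restartedNameNode.isInSafeMode());
        Assert.assertTrue(restartedSecretManager.isRunning());
    }

    /**
     * Decodes the token's identifier, checks that the secret manager knows its password, renews
     * it as "JobTracker", then renews and cancels it as the given user.
     *
     * <p>The token is cancelled when this method returns normally.
     *
     * @param userGroupInformation the user under which the final renew and cancel are run
     * @param token the token to check; must not be null
     * @throws Exception if decoding, renewal or cancellation fails
     */
    private void checkTokenIdentifier(UserGroupInformation userGroupInformation, final Token<?> token) throws Exception {
        Assert.assertNotNull(token);
        DelegationTokenIdentifier identifier = new DelegationTokenIdentifier();
        // The identifier is parsed from the raw bytes rather than via token.decodeIdentifier().
        try (DataInputStream in = new DataInputStream(new ByteArrayInputStream(token.getIdentifier()))) {
            identifier.readFields(in);
        }
        Assert.assertNotNull(identifier);
        LOG.info("A valid token should have non-null password, and should be renewed successfully");
        Assert.assertTrue(null != dtSecretManager.retrievePassword(identifier));
        // Unchecked but safe here: the identifier was just read as a DelegationTokenIdentifier.
        @SuppressWarnings("unchecked")
        Token<DelegationTokenIdentifier> delegationToken = (Token<DelegationTokenIdentifier>) token;
        dtSecretManager.renewToken(delegationToken, "JobTracker");
        userGroupInformation.doAs(new PrivilegedExceptionAction<Object>() {
            @Override
            public Object run() throws Exception {
                token.renew(config);
                token.cancel(config);
                return null;
            }
        });
    }

    /**
     * Pins the stable string form of a freshly constructed identifier.
     *
     * @throws Exception never in practice; declared for symmetry with the other tests
     */
    @Test
    public void testDelegationTokenIdentifierToString() throws Exception {
        DelegationTokenIdentifier identifier =
                new DelegationTokenIdentifier(new Text("SomeUser"), new Text("JobTracker"), (Text) null);
        Assert.assertEquals("HDFS_DELEGATION_TOKEN token 0 for SomeUser with renewer JobTracker", identifier.toStringStable());
    }
}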
