package org.apache.hadoop.security;

import java.io.File;
import java.security.PrivilegedExceptionAction;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.sasl.Sasl;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.minikdc.KerberosSecurityTestcase;
import org.apache.hadoop.security.SaslRpcServer;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.test.LambdaTestUtils;
import org.apache.hadoop.yarn.service.ServiceMaster;
import org.apache.kerby.kerberos.kerb.KrbConstant;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;

/* loaded from: input_file:WEB-INF/lib/hadoop-common-3.3.4.1-eep-900-tests.jar:org/apache/hadoop/security/TestFixKerberosTicketOrder.class */
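/**
 * Regression test for {@code UserGroupInformation.fixKerberosTicketOrder()}
 * (the assertion messages below reference HADOOP-13433).
 *
 * <p>Both tests log a client in from a keytab against the MiniKdc supplied by
 * {@link KerberosSecurityTestcase}, start a Kerberos SASL negotiation so the
 * Subject holds more than just the TGT, and then tamper with the Subject's
 * private credentials:
 * <ul>
 *   <li>{@link #test()} moves the TGT behind the other credentials and checks
 *       that a negotiation with a second service fails until
 *       {@code fixKerberosTicketOrder()} puts the TGT first again;</li>
 *   <li>{@link #testWithDestroyedTGT()} destroys the TGT and checks that the
 *       fix-up leaves no ticket behind and that a keytab re-login is needed
 *       before the second service can be reached.</li>
 * </ul>
 *
 * <p>The keytab written to the work directory holds the keys of every
 * principal used here; it is test material only.
 */
public class TestFixKerberosTicketOrder extends KerberosSecurityTestcase {
    private File keytabFile;
    private Map<String, String> props;
    private final String clientPrincipal = "client";
    private final String server1Protocol = "server1";
    private final String server2Protocol = "server2";
    private final String host = "localhost";
    private final String server1Principal = this.server1Protocol + "/" + this.host;
    private final String server2Principal = this.server2Protocol + "/" + this.host;
    private final Configuration conf = new Configuration();

    /**
     * Creates the three principals in one keytab and switches Hadoop security
     * to Kerberos for this JVM.
     */
    @Before
    public void setUp() throws Exception {
        // NOTE(review): the file name comes from a YARN constant, which looks like a
        // decompiler constant-resolution artifact - confirm against the original source.
        this.keytabFile = new File(getWorkDir(), ServiceMaster.KEYTAB_OPTION);
        getKdc().createPrincipal(this.keytabFile,
                new String[]{this.clientPrincipal, this.server1Principal, this.server2Principal});
        SecurityUtil.setAuthenticationMethod(UserGroupInformation.AuthenticationMethod.KERBEROS, this.conf);
        UserGroupInformation.setConfiguration(this.conf);
        // Test-only hook on UserGroupInformation; without it reloginFromKeytab() may be
        // throttled - presumably, verify against UserGroupInformation.
        UserGroupInformation.setShouldRenewImmediatelyForTests(true);
        this.props = new HashMap<>();
        // Authentication-only QOP: the tests exercise ticket acquisition, not
        // integrity or confidentiality of the SASL channel.
        this.props.put("javax.security.sasl.qop", SaslRpcServer.QualityOfProtection.AUTHENTICATION.saslQop);
    }

    /**
     * Verifies that a negotiation with a new service fails while the TGT is not
     * the first Kerberos ticket in the Subject, and succeeds again once
     * {@code fixKerberosTicketOrder()} has run.
     */
    @Test
    public void test() throws Exception {
        UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
                this.clientPrincipal, this.keytabFile.getCanonicalPath());
        negotiateWith(ugi, this.server1Protocol);

        Subject subject = ugi.getSubject();
        KerberosTicket tgt = findTgt(subject);
        if (tgt != null) {
            // Remove-then-add pushes the TGT behind the other credentials; the
            // assertion right below confirms the set really iterates in that order.
            subject.getPrivateCredentials().remove(tgt);
            subject.getPrivateCredentials().add(tgt);
        }
        Assert.assertFalse("The first ticket is still tgt, the implementation in jdk may have been changed, please reconsider the problem in HADOOP-13433",
                firstTicketIsTgt(subject));

        // With the TGT out of first position the client cannot authenticate to server2.
        LambdaTestUtils.intercept(SaslException.class, () -> {
            return negotiateWith(ugi, this.server2Protocol);
        });

        ugi.fixKerberosTicketOrder();
        Assert.assertTrue("The first ticket is not tgt", firstTicketIsTgt(subject));

        negotiateWith(ugi, this.server2Protocol);
        Assert.assertTrue("No service ticket for " + this.server2Protocol + " found",
                hasServiceTicketFor(subject, this.server2Protocol));
    }

    /**
     * Verifies that after the TGT has been destroyed the fix-up leaves no
     * Kerberos ticket in the Subject, that a negotiation with a new service
     * fails in that state, and that {@code reloginFromKeytab()} recovers.
     */
    @Test
    public void testWithDestroyedTGT() throws Exception {
        UserGroupInformation ugi = UserGroupInformation.loginUserFromKeytabAndReturnUGI(
                this.clientPrincipal, this.keytabFile.getCanonicalPath());
        negotiateWith(ugi, this.server1Protocol);

        Subject subject = ugi.getSubject();
        KerberosTicket tgt = findTgt(subject);
        if (tgt != null) {
            tgt.destroy();
        }

        ugi.fixKerberosTicketOrder();
        // NOTE(review): the message text does not describe the condition; what is
        // checked is that no Kerberos ticket is left in the private credentials.
        Assert.assertFalse("The first ticket is not tgt", subject.getPrivateCredentials().stream()
                .filter(credential -> credential instanceof KerberosTicket)
                .map(credential -> ((KerberosTicket) credential).getServer().getName())
                .findFirst()
                .isPresent());

        // No usable TGT is left, so authenticating to server2 has to fail.
        LambdaTestUtils.intercept(SaslException.class, () -> {
            return negotiateWith(ugi, this.server2Protocol);
        });

        ugi.reloginFromKeytab();
        negotiateWith(ugi, this.server2Protocol);
        Assert.assertTrue("No service ticket for " + this.server2Protocol + " found",
                hasServiceTicketFor(subject, this.server2Protocol));
    }

    /**
     * Starts a Kerberos SASL negotiation with {@code serviceProtocol/host} as
     * the given user and releases the client again.
     *
     * <p>No callback handler is passed: the credentials are taken from the
     * Subject that {@code doAs} puts in effect. The client is disposed in a
     * {@code finally} block so a failed negotiation does not leave it open.
     *
     * @param ugi the logged-in user to run the negotiation as
     * @param serviceProtocol the service part of the target principal
     * @return always {@code null}
     * @throws Exception whatever the negotiation throws; a {@link SaslException}
     *         is what the negative checks in this class expect
     */
    private Void negotiateWith(UserGroupInformation ugi, final String serviceProtocol) throws Exception {
        return ugi.doAs(new PrivilegedExceptionAction<Void>() {
            @Override
            public Void run() throws Exception {
                SaslClient client = Sasl.createSaslClient(
                        new String[]{SaslRpcServer.AuthMethod.KERBEROS.getMechanismName()},
                        TestFixKerberosTicketOrder.this.clientPrincipal,
                        serviceProtocol,
                        TestFixKerberosTicketOrder.this.host,
                        TestFixKerberosTicketOrder.this.props,
                        (CallbackHandler) null);
                try {
                    // Asking for the initial response is the step that fails when the
                    // Subject's tickets are unusable.
                    client.evaluateChallenge(new byte[0]);
                } finally {
                    client.dispose();
                }
                return null;
            }
        });
    }

    /**
     * Returns the first ticket whose server name starts with the TGS principal
     * prefix, or {@code null} when the Subject holds none.
     */
    private static KerberosTicket findTgt(Subject subject) {
        // getPrivateCredentials(Class) hands out a fresh set, so callers may
        // modify the Subject's own credential set afterwards.
        for (KerberosTicket ticket : subject.getPrivateCredentials(KerberosTicket.class)) {
            if (ticket.getServer().getName().startsWith(KrbConstant.TGS_PRINCIPAL)) {
                return ticket;
            }
        }
        return null;
    }

    /**
     * Tells whether the first Kerberos ticket in the Subject's private
     * credentials is the TGT; fails the test when there is no ticket at all.
     */
    private static boolean firstTicketIsTgt(Subject subject) {
        return subject.getPrivateCredentials().stream()
                .filter(credential -> credential instanceof KerberosTicket)
                .map(credential -> ((KerberosTicket) credential).getServer().getName())
                .findFirst()
                .orElseThrow(() -> new AssertionError("No Kerberos ticket found in the subject"))
                .startsWith(KrbConstant.TGS_PRINCIPAL);
    }

    /**
     * Tells whether the Subject holds a ticket whose server name starts with
     * {@code serviceProtocol}.
     */
    private static boolean hasServiceTicketFor(Subject subject, String serviceProtocol) {
        return subject.getPrivateCredentials(KerberosTicket.class).stream()
                .anyMatch(ticket -> ticket.getServer().getName().startsWith(serviceProtocol));
    }
}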
