package org.apache.hadoop.registry.secure;

import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.util.Iterator;
import java.util.List;
import javax.security.auth.login.LoginException;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.PathPermissionException;
import org.apache.hadoop.registry.client.api.RegistryConstants;
import org.apache.hadoop.registry.client.api.RegistryOperations;
import org.apache.hadoop.registry.client.api.RegistryOperationsFactory;
import org.apache.hadoop.registry.client.exceptions.NoPathPermissionsException;
import org.apache.hadoop.registry.client.impl.RegistryOperationsClient;
import org.apache.hadoop.registry.client.impl.zk.RegistrySecurity;
import org.apache.hadoop.registry.client.impl.zk.ZookeeperConfigOptions;
import org.apache.hadoop.registry.server.integration.RMRegistryOperationsService;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.service.ServiceStateException;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;
import org.junit.After;
import org.junit.Before;
import org.junit.Test;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX WARN: Classes with same name are omitted:
  input_file:test-classes/org/apache/hadoop/registry/secure/TestSecureRMRegistryOperations.class
 */
/* loaded from: input_file:hadoop-yarn-registry-2.7.0-mapr-1710-EBF1-tests.jar:org/apache/hadoop/registry/secure/TestSecureRMRegistryOperations.class */
/**
 * Access-control tests for {@link RMRegistryOperationsService} running against
 * the secured ZooKeeper instance provided by {@link AbstractSecureRegistryTest}.
 *
 * <p>The tests check three things from the registry's point of view:
 * <ul>
 *   <li>the Kerberos-authenticated system account can create nodes;</li>
 *   <li>an anonymous client can list paths but is refused on create/delete;</li>
 *   <li>user home nodes and digest-authenticated writers end up with the
 *       expected ACL entries.</li>
 * </ul>
 */
public class TestSecureRMRegistryOperations extends AbstractSecureRegistryTest {
    private static final Logger LOG = LoggerFactory.getLogger(TestSecureRMRegistryOperations.class);

    // Configuration handed to the RM-side registry service.
    private Configuration secureConf;
    // Configuration used by the client instances created in the tests; seeded
    // from the secure ZK service so that it carries the quorum binding.
    private Configuration zkClientConf;
    // Logged-in identity under which the RM registry service is started.
    private UserGroupInformation zookeeperUGI;

    /**
     * Starts secure ZooKeeper, builds the service and client configurations
     * with registry security switched on, and logs in the "zookeeper" user
     * from its keytab.
     *
     * @throws Exception if ZooKeeper cannot be started or the login fails
     */
    @Before
    public void setupTestSecureRMRegistryOperations() throws Exception {
        startSecureZK();

        secureConf = new Configuration();
        secureConf.setBoolean(RegistryConstants.KEY_REGISTRY_SECURE, true);

        zkClientConf = new Configuration(secureZK.getConfig());
        zkClientConf.setBoolean(RegistryConstants.KEY_REGISTRY_SECURE, true);
        // A client configuration without a quorum could not reach the secured
        // ensemble at all, so fail early.
        assertNotEmpty(zkClientConf.get(RegistryConstants.KEY_REGISTRY_ZK_QUORUM));

        // System account with the realm part left empty.
        // NOTE(review): presumably the trailing '@' is completed with the
        // current Kerberos realm by the registry security code - confirm.
        secureConf.set(RegistryConstants.KEY_REGISTRY_SYSTEM_ACCOUNTS, "sasl:zookeeper@");

        zookeeperUGI = loginUGI("zookeeper", keytab_zk);
    }

    /**
     * Intentionally empty; services created by the tests are registered
     * through {@code addToTeardown(...)} instead.
     */
    @After
    public void teardownTestSecureRMRegistryOperations() {
    }

    /**
     * Creates, initialises and starts the RM registry service as the
     * "zookeeper" user, using Kerberos client authentication with the
     * "zookeeper" JAAS context.
     *
     * @return the started service, already registered for teardown
     * @throws LoginException declared for callers; not thrown directly here
     * @throws IOException if the privileged action fails
     * @throws InterruptedException if the privileged action is interrupted
     */
    public RMRegistryOperationsService startRMRegistryOperations() throws LoginException, IOException, InterruptedException {
        secureConf.set(RegistryConstants.KEY_REGISTRY_CLIENT_AUTH, RegistryConstants.REGISTRY_CLIENT_AUTH_KERBEROS);
        secureConf.set(RegistryConstants.KEY_REGISTRY_CLIENT_JAAS_CONTEXT, "zookeeper");

        PrivilegedExceptionAction<RMRegistryOperationsService> launch =
                new PrivilegedExceptionAction<RMRegistryOperationsService>() {
                    @Override
                    public RMRegistryOperationsService run() throws Exception {
                        RMRegistryOperationsService service =
                                new RMRegistryOperationsService("rmregistry", secureZK);
                        // Register before init/start so a failure part-way
                        // through still gets cleaned up.
                        addToTeardown(service);
                        service.init(secureConf);
                        LOG.info(service.bindingDiagnosticDetails());
                        service.start();
                        return service;
                    }
                };
        // Run inside doAs so the service binds with the zookeeper identity.
        return zookeeperUGI.doAs(launch);
    }

    /**
     * The system account must be able to create a node under the system
     * part of the tree.
     */
    @Test
    public void testZookeeperCanWriteUnderSystem() throws Throwable {
        RMRegistryOperationsService rmRegistry = startRMRegistryOperations();
        rmRegistry.mknode("/services/hdfs", false);
        LOG.info(rmRegistry.dumpPath(true).toString());
    }

    /**
     * An anonymous client (no SASL) must still be able to list
     * {@code /services/}.
     */
    @Test
    public void testAnonReadAccess() throws Throwable {
        startRMRegistryOperations();
        describe(LOG, "testAnonReadAccess", new Object[0]);
        RegistryOperations anonymous = RegistryOperationsFactory.createAnonymousInstance(zkClientConf);
        addToTeardown(anonymous);
        anonymous.start();
        // Guard against the client silently picking up SASL credentials,
        // which would make the "anonymous" read meaningless.
        assertFalse("RegistrySecurity.isClientSASLEnabled()==true", RegistrySecurity.isClientSASLEnabled());
        anonymous.list("/services/");
    }

    /**
     * An anonymous client must be refused when creating a node under
     * {@code /services}.
     */
    @Test
    public void testAnonNoWriteAccess() throws Throwable {
        startRMRegistryOperations();
        describe(LOG, "testAnonNoWriteAccess", new Object[0]);
        RegistryOperations anonymous = RegistryOperationsFactory.createAnonymousInstance(zkClientConf);
        addToTeardown(anonymous);
        anonymous.start();
        expectMkNodeFailure(anonymous, "/services/hdfs");
    }

    /**
     * An anonymous client must not be able to create a node directly off the
     * root, nor delete {@code /services/} recursively.
     */
    @Test
    public void testAnonNoWriteAccessOffRoot() throws Throwable {
        startRMRegistryOperations();
        describe(LOG, "testAnonNoWriteAccessOffRoot", new Object[0]);
        RegistryOperations anonymous = RegistryOperationsFactory.createAnonymousInstance(zkClientConf);
        addToTeardown(anonymous);
        anonymous.start();
        // mknode on the root is expected to return false rather than throw.
        assertFalse("mknode(/)", anonymous.mknode("/", false));
        expectMkNodeFailure(anonymous, "/sub");
        expectDeleteFailure(anonymous, "/services/", true);
    }

    /**
     * Asserts that creating {@code str} is rejected with a permissions
     * exception.
     *
     * @param registryOperations client to issue the call with
     * @param str path to attempt to create
     * @throws IOException any failure other than the two accepted
     *         permission exceptions
     */
    public void expectMkNodeFailure(RegistryOperations registryOperations, String str) throws IOException {
        boolean denied = false;
        try {
            registryOperations.mknode(str, false);
        } catch (NoPathPermissionsException ignored) {
            // expected: the registry refused the write
            denied = true;
        } catch (PathPermissionException ignored) {
            // expected: the registry refused the write
            denied = true;
        }
        if (!denied) {
            fail("should have failed to create a node under " + str);
        }
    }

    /**
     * Asserts that deleting {@code str} is rejected with a permissions
     * exception.
     *
     * @param registryOperations client to issue the call with
     * @param str path to attempt to delete
     * @param z value passed as the second argument of {@code delete}
     * @throws IOException any failure other than the two accepted
     *         permission exceptions
     */
    public void expectDeleteFailure(RegistryOperations registryOperations, String str, boolean z) throws IOException {
        boolean denied = false;
        try {
            registryOperations.delete(str, z);
        } catch (NoPathPermissionsException ignored) {
            // expected: the registry refused the delete
            denied = true;
        } catch (PathPermissionException ignored) {
            // expected: the registry refused the delete
            denied = true;
        }
        if (!denied) {
            fail("should have failed to delete the node " + str);
        }
    }

    /**
     * For a user registry created for "alice", an anonymous client may list
     * the path but must be refused on create and delete.
     */
    @Test
    public void testAlicePathRestrictedAnonAccess() throws Throwable {
        RMRegistryOperationsService rmRegistry = startRMRegistryOperations();
        String aliceHome = rmRegistry.initUserRegistry("alice");
        describe(LOG, "Creating anonymous accessor", new Object[0]);
        RegistryOperations anonymous = RegistryOperationsFactory.createAnonymousInstance(zkClientConf);
        addToTeardown(anonymous);
        anonymous.start();
        anonymous.list(aliceHome);
        expectMkNodeFailure(anonymous, aliceHome + "/anon");
        expectDeleteFailure(anonymous, aliceHome, true);
    }

    /**
     * A Kerberos-authenticated client for "zookeeper" must be able to list,
     * create under and delete from that user's own registry path.
     */
    @Test
    public void testUserZookeeperHomePathAccess() throws Throwable {
        RMRegistryOperationsService rmRegistry = startRMRegistryOperations();
        String zkHome = rmRegistry.initUserRegistry("zookeeper");
        describe(LOG, "Creating ZK client", new Object[0]);

        PrivilegedExceptionAction<RegistryOperations> connect =
                new PrivilegedExceptionAction<RegistryOperations>() {
                    @Override
                    public RegistryOperations run() throws Exception {
                        RegistryOperations kerberosClient =
                                RegistryOperationsFactory.createKerberosInstance(zkClientConf, "zookeeper");
                        addToTeardown(kerberosClient);
                        kerberosClient.start();
                        return kerberosClient;
                    }
                };
        RegistryOperations client = zookeeperUGI.doAs(connect);

        client.list(zkHome);
        String child = zkHome + "/subpath";
        client.mknode(child, false);
        client.delete(child, true);
    }

    /**
     * The ACL that "alice" receives on her registry path must carry exactly
     * the permission mask 15.
     */
    @Test
    public void testUserHomedirsPermissionsRestricted() throws Throwable {
        RMRegistryOperationsService rmRegistry = startRMRegistryOperations();
        List<ACL> homeAcls = rmRegistry.zkGetACLS(rmRegistry.initUserRegistry("alice"));

        ACL aliceAcl = null;
        for (ACL candidate : homeAcls) {
            LOG.info(RegistrySecurity.aclToString(candidate));
            Id owner = candidate.getId();
            boolean isSasl = owner.getScheme().equals(ZookeeperConfigOptions.SCHEME_SASL);
            if (isSasl && owner.getId().startsWith("alice")) {
                aliceAcl = candidate;
                break;
            }
        }

        assertNotNull(aliceAcl);
        // 15 == READ | WRITE | CREATE | DELETE in ZooKeeper's permission bits.
        // The ADMIN bit (16) must be absent, so the user cannot change the
        // ACL on the home node itself.
        assertEquals(15L, aliceAcl.getPerms());
    }

    /**
     * A write accessor added with an id/password pair must show up as a
     * "digest" ACL entry on newly created nodes, and a client authenticating
     * with the same pair must be able to stat that node and create beneath it.
     * The id and password used are fixed test values.
     */
    @Test
    public void testDigestAccess() throws Throwable {
        RMRegistryOperationsService rmRegistry = startRMRegistryOperations();
        rmRegistry.addWriteAccessor("username", "password");
        LOG.info("Client ACLS=\n{}", RegistrySecurity.aclsToString(rmRegistry.getClientAcls()));
        rmRegistry.mknode("/digested", false);

        List<ACL> nodeAcls = rmRegistry.zkGetACLS("/digested");
        String nodeAclText = RegistrySecurity.aclsToString(nodeAcls);
        LOG.info("Base ACLs=\n{}", nodeAclText);

        ACL digestAcl = null;
        for (ACL candidate : nodeAcls) {
            if ("digest".equals(candidate.getId().getScheme())) {
                digestAcl = candidate;
                break;
            }
        }
        assertNotNull("Did not find digest entry in ACLs " + nodeAclText, digestAcl);

        zkClientConf.set(RegistryConstants.KEY_REGISTRY_USER_ACCOUNTS, "sasl:somebody@EXAMPLE.COM, sasl:other");
        RegistryOperations digestClient =
                RegistryOperationsFactory.createAuthenticatedInstance(zkClientConf, "username", "password");
        addToTeardown(digestClient);
        digestClient.start();
        RegistryOperationsClient clientImpl = (RegistryOperationsClient) digestClient;
        LOG.info("digest client ACLs=\n{}", RegistrySecurity.aclsToString(clientImpl.getClientAcls()));

        digestClient.stat("/digested");
        digestClient.mknode("/digested/subdir", false);
        LOG.info(rmRegistry.dumpPath(true).toString());
    }

    /** An empty id passed to the factory must be rejected up front. */
    @Test(expected = IllegalArgumentException.class)
    public void testNoDigestAuthMissingId() throws Throwable {
        RegistryOperationsFactory.createAuthenticatedInstance(zkClientConf, "", "pass");
    }

    /**
     * Digest auth selected through configuration with an empty id must fail
     * when the instance is created.
     */
    @Test(expected = ServiceStateException.class)
    public void testNoDigestAuthMissingId2() throws Throwable {
        zkClientConf.set(RegistryConstants.KEY_REGISTRY_CLIENT_AUTH, "digest");
        zkClientConf.set(RegistryConstants.KEY_REGISTRY_CLIENT_AUTHENTICATION_ID, "");
        zkClientConf.set(RegistryConstants.KEY_REGISTRY_CLIENT_AUTHENTICATION_PASSWORD, "pass");
        RegistryOperationsFactory.createInstance("DigestRegistryOperations", zkClientConf);
    }

    /** An empty password passed to the factory must be rejected up front. */
    @Test(expected = IllegalArgumentException.class)
    public void testNoDigestAuthMissingPass() throws Throwable {
        RegistryOperationsFactory.createAuthenticatedInstance(zkClientConf, "id", "");
    }

    /**
     * Digest auth selected through configuration with an empty password must
     * fail when the instance is created.
     */
    @Test(expected = ServiceStateException.class)
    public void testNoDigestAuthMissingPass2() throws Throwable {
        zkClientConf.set(RegistryConstants.KEY_REGISTRY_CLIENT_AUTH, "digest");
        zkClientConf.set(RegistryConstants.KEY_REGISTRY_CLIENT_AUTHENTICATION_ID, "id");
        zkClientConf.set(RegistryConstants.KEY_REGISTRY_CLIENT_AUTHENTICATION_PASSWORD, "");
        RegistryOperationsFactory.createInstance("DigestRegistryOperations", zkClientConf);
    }
}
