package org.apache.oozie.service;

import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.net.URI;
import java.util.Arrays;
import java.util.List;
import java.util.UUID;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.fs.permission.FsAction;
import org.apache.hadoop.fs.permission.FsPermission;
import org.apache.oozie.BundleJobBean;
import org.apache.oozie.CoordinatorJobBean;
import org.apache.oozie.DagEngine;
import org.apache.oozie.ErrorCode;
import org.apache.oozie.ForTestingActionExecutor;
import org.apache.oozie.client.Job;
import org.apache.oozie.client.WorkflowJob;
import org.apache.oozie.test.XDataTestCase;
import org.apache.oozie.util.IOUtils;
import org.apache.oozie.util.XConfiguration;
import org.apache.oozie.util.XLog;
import org.apache.oozie.workflow.WorkflowInstance;

/* loaded from: input_file:org/apache/oozie/service/TestAuthorizationService.class */
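/**
 * Tests for {@link AuthorizationService} with authorization switched on.
 *
 * <p>Each test starts its own {@link Services} instance through {@link #init(boolean, boolean)}
 * and checks both sides of every decision: calls that must be allowed simply return, calls that
 * must be denied have to raise {@link AuthorizationException}. A denial that silently turns into
 * an allow is reported through {@code fail(...)} with a message naming the check that was missed.
 *
 * <p>NOTE(review): this source was recovered by a decompiler; local names were reconstructed from
 * how the values are used and the {@code access$NNN} methods at the bottom are compiler-generated.
 */
public class TestAuthorizationService extends XDataTestCase {
    private Services services;

    /**
     * Group lookup stub registered in place of the real groups service.
     *
     * <p>The test user is reported as a member of {@code "users"} and the test group; every other
     * user name is reported as a member of {@code "users"} only.
     */
    public static class DummyGroupsService extends GroupsService {
        /** No-op: the stub needs no setup. */
        public void init(Services services) {
        }

        /**
         * Returns the fixed group list for {@code user}.
         *
         * @param user user name to look up; a {@code null} name is treated like any non-test user
         * @return {@code ["users", <test group>]} for the test user, {@code ["users"]} otherwise
         */
        public List<String> getGroups(String user) throws IOException {
            if (TestAuthorizationService.access$000().equals(user)) {
                return Arrays.asList("users", TestAuthorizationService.access$100());
            }
            return Arrays.asList("users");
        }

        /** No-op: the stub holds no resources. */
        public void destroy() {
        }
    }

    /**
     * Copies a classpath resource into {@code target} and always closes the file writer.
     *
     * <p>Whether {@code IOUtils.copyCharStream} closes its arguments is not visible from this
     * class, so the writer is closed here as well; closing a {@link FileWriter} twice is harmless.
     *
     * @param resource classpath resource name
     * @param target file to (over)write
     */
    private static void copyResourceToFile(String resource, File target) throws Exception {
        FileWriter writer = new FileWriter(target);
        try {
            IOUtils.copyCharStream(IOUtils.getResourceAsReader(resource, -1), writer);
        } finally {
            writer.close();
        }
    }

    /**
     * Starts the services with {@link AuthorizationService} and {@link DummyGroupsService} added.
     *
     * @param defaultGroupAsAcl value written to
     *     {@code oozie.service.AuthorizationService.default.group.as.acl}
     * @param useAdminFile when {@code true} the admin list comes from an {@code adminusers.txt}
     *     copied into the test conf dir; otherwise the test group is configured as the admin group
     */
    private void init(boolean defaultGroupAsAcl, boolean useAdminFile) throws Exception {
        setSystemProperty("oozie.service.SchemaService.wf.ext.schemas", "wf-ext-schema.xsd");
        this.services = new Services();
        Configuration conf = this.services.getConf();
        if (useAdminFile) {
            copyResourceToFile("adminusers.txt", new File(getTestCaseConfDir(), "adminusers.txt"));
        } else {
            conf.set("oozie.service.AuthorizationService.admin.groups", getTestGroup());
        }
        String serviceList = conf.get("oozie.services")
                + "," + AuthorizationService.class.getName()
                + "," + DummyGroupsService.class.getName();
        conf.set("oozie.services", serviceList);
        conf.set("oozie.service.AuthorizationService.default.group.as.acl", Boolean.toString(defaultGroupAsAcl));
        this.services.init();
        // The security flag is set only after Services.init(), then AuthorizationService is
        // initialised again — presumably so that it re-reads the flag; confirm against the service.
        // Without this step the denial checks below would not be exercising enforcement.
        this.services.getConf().setBoolean("oozie.service.AuthorizationService.security.enabled", true);
        this.services.get(AuthorizationService.class).init(this.services);
        this.services.get(ActionService.class).register(ForTestingActionExecutor.class);
    }

    /**
     * Destroys the services started by {@link #init(boolean, boolean)} and runs the parent cleanup.
     *
     * <p>The parent cleanup runs even when {@code init} never got as far as creating the services
     * or when destroying them throws, so one failed test does not leak state into the next.
     * NOTE(review): the decompiler reports this method was {@code protected} in the original.
     */
    @Override
    public void tearDown() throws Exception {
        try {
            if (this.services != null) {
                this.services.destroy();
            }
        } finally {
            super.tearDown();
        }
    }

    /** Runs the workflow authorization scenario with the default group used as ACL. */
    public void testAuthorizationServiceUseDefaultGroup() throws Exception {
        _testAuthorizationService(true);
    }

    /** Runs the workflow authorization scenario with an explicit ACL in {@code group.name}. */
    public void testAuthorizationServiceUseACLs() throws Exception {
        _testAuthorizationService(false);
    }

    /**
     * Submits a workflow and checks group, application and job authorization for several users.
     *
     * @param useDefaultGroup when {@code true} the job's {@code group.name} is the test group;
     *     when {@code false} it is {@code "<test group>,foo"}, and user {@code foo} must then be
     *     allowed write access to the job
     */
    private void _testAuthorizationService(boolean useDefaultGroup) throws Exception {
        init(useDefaultGroup, true);
        copyResourceToFile("wf-ext-schema-valid.xml", new File(getTestCaseDir(), "workflow.xml"));
        DagEngine dagEngine = new DagEngine(getTestUser());

        XConfiguration jobConf = new XConfiguration();
        jobConf.set("oozie.wf.application.path", getTestCaseFileUri("workflow.xml"));
        jobConf.set("user.name", getTestUser());
        String groupName = useDefaultGroup ? getTestGroup() : getTestGroup() + ",foo";
        jobConf.set("group.name", groupName);
        jobConf.set("oozie.wf.log.token", "t");
        jobConf.set("external-status", "ok");
        jobConf.set("signal-value", "based_on_action_status");
        String jobId = dagEngine.submitJob(jobConf, true);

        // Build a fresh application directory on the test file system, owned by the test user.
        HadoopAccessorService has = Services.get().get(HadoopAccessorService.class);
        URI fsUri = getFileSystem().getUri();
        FileSystem fs = has.createFileSystem(getTestUser(), fsUri, has.createJobConf(fsUri.getAuthority()));
        Path workDir = new Path(fs.getWorkingDirectory(), UUID.randomUUID().toString());
        Path qualifiedWorkDir = fs.makeQualified(workDir);
        System.out.println(XLog.format("Setting FS testcase work dir[{0}]", new Object[]{qualifiedWorkDir}));
        fs.delete(qualifiedWorkDir, true);
        if (!fs.mkdirs(workDir)) {
            throw new IOException(XLog.format("Could not create FS testcase dir [{0}]", new Object[]{qualifiedWorkDir}));
        }
        String appPath = qualifiedWorkDir.toString() + "/app";
        Path workflowFile = new Path(appPath, "workflow.xml");
        fs.create(workflowFile).close();
        fs.setOwner(workflowFile, getTestUser(), getTestGroup());
        // rw- for the owner, r-- for the group, nothing for others.
        fs.setPermission(workflowFile, new FsPermission(FsAction.READ_WRITE, FsAction.READ, FsAction.NONE));

        AuthorizationService authz = this.services.get(AuthorizationService.class);
        assertNotNull(authz);
        authz.authorizeForGroup(getTestUser(), getTestGroup());
        assertNotNull(authz.getDefaultGroup(getTestUser()));

        // Second test user is allowed on the application, third test user must be refused.
        authz.authorizeForApp(getTestUser2(), getTestGroup(), appPath, jobConf);
        try {
            authz.authorizeForApp(getTestUser3(), getTestGroup(), appPath, jobConf);
            fail("third test user was authorized for an application it must not access");
        } catch (AuthorizationException expected) {
            // Denial is the expected outcome; any other exception type propagates and fails the test.
        }

        authz.authorizeForJob(getTestUser(), jobId, false);
        authz.authorizeForJob(getTestUser(), jobId, true);
        if (!useDefaultGroup) {
            // "foo" is listed in group.name in this mode, so it must be allowed.
            authz.authorizeForJob("foo", jobId, true);
        }
        try {
            // "bar" appears nowhere in the job configuration.
            authz.authorizeForJob("bar", jobId, true);
            fail("user [bar] was granted write access to a job it has no relation to");
        } catch (AuthorizationException expected) {
            // Denial is the expected outcome.
        }
    }

    /** Checks that the test user gets read and write access to a coordinator job record. */
    public void testAuthorizationServiceForCoord() throws Exception {
        init(false, true);
        CoordinatorJobBean coordJob = addRecordToCoordJobTable(Job.Status.PREP, false, false);
        assertNotNull(coordJob);
        AuthorizationService authz = this.services.get(AuthorizationService.class);
        assertNotNull(authz);
        authz.authorizeForJob(getTestUser(), coordJob.getId(), false);
        authz.authorizeForJob(getTestUser(), coordJob.getId(), true);
    }

    /** Checks that the test user gets read and write access to a bundle job record. */
    public void testAuthorizationServiceForBundle() throws Exception {
        init(false, true);
        BundleJobBean bundleJob = addRecordToBundleJobTable(Job.Status.PREP, false);
        assertNotNull(bundleJob);
        AuthorizationService authz = this.services.get(AuthorizationService.class);
        assertNotNull(authz);
        authz.authorizeForJob(getTestUser(), bundleJob.getId(), false);
        authz.authorizeForJob(getTestUser(), bundleJob.getId(), true);
    }

    /** Checks that a default group is resolved for the test user. */
    public void testDefaultGroup() throws Exception {
        init(false, true);
        AuthorizationService authz = this.services.get(AuthorizationService.class);
        assertNotNull(authz);
        assertNotNull(authz.getDefaultGroup(getTestUser()));
    }

    /**
     * Pins the error code raised by each kind of refusal.
     *
     * <p>The application-path steps are order dependent: the first one relies on directory
     * {@code w} not existing yet, the next two create it and then extend it.
     */
    public void testErrors() throws Exception {
        init(false, true);
        this.services.setService(ForTestAuthorizationService.class);
        AuthorizationService authz = this.services.get(AuthorizationService.class);
        Configuration appConf = new Configuration();
        HadoopAccessorService has = Services.get().get(HadoopAccessorService.class);
        URI fsUri = getFileSystem().getUri();
        FileSystem fs = has.createFileSystem(getTestUser(), fsUri, has.createJobConf(fsUri.getAuthority()));

        // Third test user asking for the test group.
        try {
            authz.authorizeForGroup(getTestUser3(), getTestGroup());
            fail("expected E0502 for the third test user and the test group");
        } catch (AuthorizationException ex) {
            assertEquals(ErrorCode.E0502, ex.getErrorCode());
        }

        // Test user (not listed as admin here) asking for admin write access.
        try {
            authz.authorizeForAdmin(getTestUser(), true);
            fail("expected E0503 for a non-admin user requesting admin write access");
        } catch (AuthorizationException ex) {
            assertEquals(ErrorCode.E0503, ex.getErrorCode());
        }

        // Application directory "w" has not been created yet.
        try {
            authz.authorizeForApp(getTestUser(), getTestGroup(), new Path(getFsTestCaseDir(), "w").toString(), appConf);
            fail("expected E0504 for an application path that was never created");
        } catch (AuthorizationException ex) {
            assertEquals(ErrorCode.E0504, ex.getErrorCode());
        }

        // Directory "w" now exists but holds nothing.
        try {
            Path appDir = new Path(getFsTestCaseDir(), "w");
            fs.mkdirs(appDir);
            authz.authorizeForApp(getTestUser(), getTestGroup(), appDir.toString(), appConf);
            fail("expected E0505 for an application directory without workflow.xml");
        } catch (AuthorizationException ex) {
            assertEquals(ErrorCode.E0505, ex.getErrorCode());
        }

        // "w/workflow.xml" is created as a directory rather than a file.
        try {
            Path appDir = new Path(getFsTestCaseDir(), "w");
            fs.mkdirs(new Path(appDir, "workflow.xml"));
            authz.authorizeForApp(getTestUser(), getTestGroup(), appDir.toString(), appConf);
            fail("expected E0506 when workflow.xml is a directory");
        } catch (AuthorizationException ex) {
            assertEquals(ErrorCode.E0506, ex.getErrorCode());
        }

        // Directory "ww" readable by its owner only; second test user asks with a group name
        // that carries an "-invalid" suffix.
        try {
            Path restrictedDir = new Path(getFsTestCaseDir(), "ww");
            fs.mkdirs(restrictedDir);
            fs.create(new Path(restrictedDir, "workflow.xml")).close();
            fs.setPermission(restrictedDir, new FsPermission(FsAction.READ, FsAction.NONE, FsAction.NONE));
            authz.authorizeForApp(getTestUser2(), getTestGroup() + "-invalid", restrictedDir.toString(), appConf);
            fail("expected E0507 for the second test user on an owner-only application directory");
        } catch (AuthorizationException ex) {
            assertEquals(ErrorCode.E0507, ex.getErrorCode());
        }

        // Job id "1" was never inserted by this test.
        try {
            authz.authorizeForJob(getTestUser(), "1", true);
            fail("expected E0604 for job id [1]");
        } catch (AuthorizationException ex) {
            assertEquals(ErrorCode.E0604, ex.getErrorCode());
        }

        // Third test user asking for write access to a freshly inserted workflow job record.
        try {
            String wfJobId = addRecordToWfJobTable(WorkflowJob.Status.PREP, WorkflowInstance.Status.PREP).getId();
            authz.authorizeForJob(getTestUser3(), wfJobId, true);
            fail("expected E0508 for the third test user on a workflow job record");
        } catch (AuthorizationException ex) {
            assertEquals(ErrorCode.E0508, ex.getErrorCode());
        }
    }

    /**
     * Asserts that {@code user} is refused admin write access with error code E0503, the same
     * code {@link #testErrors()} pins for a non-admin caller.
     */
    private void assertAdminWriteDenied(AuthorizationService authz, String user) throws Exception {
        try {
            authz.authorizeForAdmin(user, true);
            fail("non-admin user [" + user + "] was granted admin write access");
        } catch (AuthorizationException expected) {
            assertEquals(ErrorCode.E0503, expected.getErrorCode());
        }
    }

    /**
     * Checks that the admin user passes admin authorization and the regular user is refused.
     *
     * @param useAdminFile {@code true} to take admins from {@code adminusers.txt}, {@code false}
     *     to take them from the configured admin group
     * @param adminUser user expected to pass both the read and the write check
     * @param regularUser user expected to be refused the write check
     */
    private void _testAdminUsers(boolean useAdminFile, String adminUser, String regularUser) throws Exception {
        init(true, useAdminFile);
        AuthorizationService authz = this.services.get(AuthorizationService.class);
        authz.authorizeForAdmin(adminUser, false);
        authz.authorizeForAdmin(adminUser, true);
        // The recovered source performs the identical denial check twice; both calls are kept so
        // the refusal is also verified on a repeated request.
        // NOTE(review): the second call may have been meant to use different arguments — confirm.
        assertAdminWriteDenied(authz, regularUser);
        assertAdminWriteDenied(authz, regularUser);
    }

    /** Admin list from file: {@code admin} is the admin, the test user is not. */
    public void testAdminUsersWithAdminFile() throws Exception {
        _testAdminUsers(true, "admin", getTestUser());
    }

    /** Admin list from group: the test user is the admin, the second test user is not. */
    public void testAdminUsersWithAdminGroup() throws Exception {
        _testAdminUsers(false, getTestUser(), getTestUser2());
    }

    // Compiler-generated accessor recovered by the decompiler; lets DummyGroupsService read the
    // test user name.
    static /* synthetic */ String access$000() {
        return getTestUser();
    }

    // Compiler-generated accessor recovered by the decompiler; lets DummyGroupsService read the
    // test group name.
    static /* synthetic */ String access$100() {
        return getTestGroup();
    }
}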
