package org.apache.drill.exec.rpc.user.security;

import java.util.Objects;
import javax.security.auth.Subject;
import junit.framework.TestCase;
import org.apache.drill.categories.SecurityTest;
import org.apache.drill.exec.rpc.NonTransientRpcException;
import org.apache.drill.exec.rpc.RpcException;
import org.apache.drill.exec.rpc.RpcMetrics;
import org.apache.drill.exec.rpc.control.ControlRpcMetrics;
import org.apache.drill.exec.rpc.data.DataRpcMetrics;
import org.apache.drill.exec.rpc.security.KerberosHelper;
import org.apache.drill.exec.rpc.user.UserRpcMetrics;
import org.apache.drill.exec.rpc.user.security.testing.UserAuthenticatorTestImpl;
import org.apache.drill.shaded.guava.com.google.common.collect.Lists;
import org.apache.drill.test.BaseDirTestWatcher;
import org.apache.drill.test.ClientFixture;
import org.apache.drill.test.ClusterFixture;
import org.apache.drill.test.ClusterFixtureBuilder;
import org.apache.drill.test.ClusterTest;
import org.apache.drill.test.TestBuilder;
import org.apache.kerby.kerberos.kerb.client.JaasKrbUtil;
import org.junit.AfterClass;
import org.junit.BeforeClass;
import org.junit.Ignore;
import org.junit.Test;
import org.junit.experimental.categories.Category;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

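/**
 * Exercises SASL encryption on Kerberos-authenticated connections against an embedded KDC.
 *
 * <p>Positive tests connect with a keytab or an existing ticket and check that
 * {@code session_user} is the expected client. Negative tests check that a connection which
 * cannot be encrypted (plain mechanism, {@code test_sasl_level=1} client, or a client that
 * demands encryption from a server with it disabled) is refused with the expected cause.
 *
 * <p>The failure-cause checks use JUnit assertions rather than the Java {@code assert}
 * keyword, so they are enforced even when the JVM runs without {@code -ea}.
 */
@Category({SecurityTest.class})
public class TestUserBitKerberosEncryption extends ClusterTest {
    private static final Logger logger = LoggerFactory.getLogger(TestUserBitKerberosEncryption.class);

    private static final String SESSION_USER_QUERY =
        "SELECT session_user FROM (SELECT * FROM sys.drillbits LIMIT 1)";
    private static final String EXPECTED_SESSION_USER = "testUser";
    private static final String USER_MAX_WRAPPED_SIZE =
        "drill.exec.security.user.encryption.sasl.max_wrapped_size";

    private static KerberosHelper krbHelper;

    /**
     * Starts the embedded KDC and the shared single-node cluster used by most tests.
     *
     * @throws Exception if the KDC or the cluster cannot be started
     */
    @BeforeClass
    public static void setupTest() throws Exception {
        krbHelper = new KerberosHelper(TestUserBitKerberosEncryption.class.getSimpleName(), null);
        krbHelper.setupKdc(BaseDirTestWatcher.createTempDir(dirTestWatcher.getTmpDir()));
        // NOTE(review): this system property is JVM-wide and is not restored in cleanTest().
        System.setProperty("hadoop.login", "kerberos");
        cluster = defaultClusterConfig().build();
    }

    /**
     * Builds the baseline configuration: user authentication on, plain and kerberos mechanisms
     * offered, and SASL encryption enabled on the user channel.
     *
     * @return a builder that callers may extend before calling {@code build()}
     */
    private static ClusterFixtureBuilder defaultClusterConfig() {
        return ClusterFixture.bareBuilder(dirTestWatcher)
            .clusterSize(1)
            .configProperty("drill.exec.security.user.auth.enabled", true)
            .configProperty("drill.exec.security.user.auth.impl", UserAuthenticatorTestImpl.TYPE)
            .configProperty("drill.exec.security.auth.principal", krbHelper.SERVER_PRINCIPAL)
            .configProperty("drill.exec.security.auth.keytab", krbHelper.serverKeytab.toString())
            .configNonStringProperty("drill.exec.security.auth.mechanisms",
                Lists.newArrayList("plain", "kerberos"))
            .configProperty("drill.exec.security.user.encryption.sasl.enabled", "true");
    }

    /**
     * Extends the baseline with Kerberos authentication and SASL encryption on the bit channels.
     *
     * @return a builder that callers may extend before calling {@code build()}
     */
    private static ClusterFixtureBuilder allChannelEncryptionConfig() {
        // NOTE(review): the user-channel max wrapped size is set twice (100, then 10000);
        // presumably the later value wins. Both calls are kept as found; confirm the intent.
        return defaultClusterConfig()
            .configProperty(USER_MAX_WRAPPED_SIZE, 100)
            .configProperty(USER_MAX_WRAPPED_SIZE, 10000)
            .configProperty("drill.exec.security.bit.auth.enabled", true)
            .configProperty("drill.exec.security.bit.auth.mechanism", "kerberos")
            .configProperty("drill.exec.security.bit.auth.use_login_principal", true)
            .configProperty("drill.exec.security.bit.encryption.sasl.enabled", true);
    }

    /** Connects to {@code target} as the client principal using the client keytab. */
    private static ClientFixture keytabClient(ClusterFixture target) throws Exception {
        return target.clientBuilder()
            .property("principal", krbHelper.SERVER_PRINCIPAL)
            .property("user", krbHelper.CLIENT_PRINCIPAL)
            .property("keytab", krbHelper.clientKeytab.getAbsolutePath())
            .build();
    }

    /** Same as {@link #keytabClient(ClusterFixture)} with one extra connection property. */
    private static ClientFixture keytabClient(ClusterFixture target, String extraKey, String extraValue)
            throws Exception {
        return target.clientBuilder()
            .property("principal", krbHelper.SERVER_PRINCIPAL)
            .property("user", krbHelper.CLIENT_PRINCIPAL)
            .property("keytab", krbHelper.clientKeytab.getAbsolutePath())
            .property(extraKey, extraValue)
            .build();
    }

    /** Asserts that the server reports the expected client as {@code session_user}. */
    private static void assertSessionUser(ClientFixture client) throws Exception {
        client.testBuilder()
            .sqlQuery(SESSION_USER_QUERY)
            .unOrdered()
            .baselineColumns("session_user")
            .baselineValues(EXPECTED_SESSION_USER)
            .go();
    }

    /** Runs a handful of queries over the connection; {@code regionQuery} is run last. */
    private static void runSmokeQueries(ClientFixture client, String regionQuery) throws Exception {
        client.runSqlSilently("SHOW SCHEMAS", new Object[0]);
        client.runSqlSilently("USE INFORMATION_SCHEMA", new Object[0]);
        client.runSqlSilently("SHOW TABLES", new Object[0]);
        client.runSqlSilently(
            "SELECT * FROM INFORMATION_SCHEMA.`TABLES` WHERE TABLE_NAME LIKE 'COLUMNS'", new Object[0]);
        client.runSqlSilently(regionQuery, new Object[0]);
    }

    /** Asserts one encrypted user connection and no other connection on any channel. */
    private static void assertSingleEncryptedUserConnection() {
        RpcMetrics userMetrics = UserRpcMetrics.getInstance();
        RpcMetrics controlMetrics = ControlRpcMetrics.getInstance();
        RpcMetrics dataMetrics = DataRpcMetrics.getInstance();
        TestCase.assertEquals(1L, userMetrics.getEncryptedConnectionCount());
        TestCase.assertEquals(0L, controlMetrics.getEncryptedConnectionCount());
        TestCase.assertEquals(0L, dataMetrics.getEncryptedConnectionCount());
        TestCase.assertEquals(0L, userMetrics.getUnEncryptedConnectionCount());
        TestCase.assertEquals(0L, controlMetrics.getUnEncryptedConnectionCount());
        TestCase.assertEquals(0L, dataMetrics.getUnEncryptedConnectionCount());
    }

    /**
     * Fails the test unless the cause of {@code failure} is an instance of {@code expectedCause}.
     * A missing cause also fails, matching {@code instanceof} semantics.
     */
    private static void assertCauseIs(Exception failure, Class<? extends Throwable> expectedCause) {
        TestCase.assertTrue(
            "Expected cause " + expectedCause.getName() + " but was " + failure.getCause(),
            expectedCause.isInstance(failure.getCause()));
    }

    /**
     * Stops the embedded KDC.
     *
     * @throws Exception if the KDC cannot be stopped
     */
    @AfterClass
    public static void cleanTest() throws Exception {
        // krbHelper is still null when setupTest() failed while constructing it.
        if (krbHelper != null) {
            krbHelper.stopKdc();
        }
    }

    /** Keytab login against the shared cluster, followed by queries over the encrypted channel. */
    @Test
    public void successKeytabWithoutChunking() throws Exception {
        try (ClientFixture client = keytabClient(cluster)) {
            assertSessionUser(client);
            runSmokeQueries(client, "SELECT * FROM cp.`region.json`");
        }
    }

    /** Checks the encrypted/unencrypted connection counters after one keytab login. */
    @Test
    @Ignore("See DRILL-5387. This test works in isolation but not when sharing counters with other tests")
    public void testConnectionCounters() throws Exception {
        try (ClusterFixture securedCluster = defaultClusterConfig().build();
             ClientFixture client = keytabClient(securedCluster)) {
            assertSessionUser(client);
            assertSingleEncryptedUserConnection();
        }
    }

    /** Connects from an already logged-in JAAS Subject instead of passing a keytab to the client. */
    @Test
    public void successTicketWithoutChunking() throws Exception {
        Subject clientSubject = JaasKrbUtil.loginUsingKeytab(
            krbHelper.CLIENT_PRINCIPAL, krbHelper.clientKeytab.getAbsoluteFile());

        ClientFixture ticketClient;
        // The property is "simple" only while the client is built from the Subject. The finally
        // restores it even when the connection attempt throws, so later tests are unaffected.
        System.setProperty("hadoop.login", "simple");
        try {
            // The explicit cast selects the PrivilegedExceptionAction overload of Subject.doAs;
            // a bare zero-argument lambda matches both overloads.
            ticketClient = Subject.doAs(clientSubject,
                (java.security.PrivilegedExceptionAction<ClientFixture>) () ->
                    cluster.clientBuilder()
                        .property("principal", krbHelper.SERVER_PRINCIPAL)
                        .property("from_subject", "true")
                        .build());
        } finally {
            System.setProperty("hadoop.login", "kerberos");
        }

        try (ClientFixture client = ticketClient) {
            assertSessionUser(client);
            runSmokeQueries(client, "SELECT * FROM cp.`region.json` LIMIT 5");
        }
    }

    /** Keytab login against a cluster whose user-channel max wrapped size is lowered to 100. */
    @Test
    public void successKeytabWithChunking() throws Exception {
        try (ClusterFixture securedCluster =
                 defaultClusterConfig().configProperty(USER_MAX_WRAPPED_SIZE, 100).build();
             ClientFixture client = keytabClient(securedCluster)) {
            assertSessionUser(client);
            runSmokeQueries(client, "SELECT * FROM cp.`region.json` LIMIT 5");
        }
    }

    /** Keytab login against the shared cluster, which leaves the max wrapped size unset. */
    @Test
    public void successKeytabWithChunkingDefaultChunkSize() throws Exception {
        try (ClientFixture client = keytabClient(cluster)) {
            assertSessionUser(client);
            runSmokeQueries(client, "SELECT * FROM cp.`region.json` LIMIT 5");
        }
    }

    /** All channels encrypted, with an explicit max wrapped size on the bit channels as well. */
    @Test
    public void successEncryptionAllChannelChunkMode() throws Exception {
        try (ClusterFixture securedCluster = allChannelEncryptionConfig()
                 .configProperty("drill.exec.security.bit.encryption.sasl.max_wrapped_size", 10000)
                 .build();
             ClientFixture client = keytabClient(securedCluster)) {
            assertSessionUser(client);
            runSmokeQueries(client, "SELECT * FROM cp.`region.json` LIMIT 5");
        }
    }

    /** All channels encrypted, leaving the bit-channel max wrapped size unset. */
    @Test
    public void successEncryptionAllChannel() throws Exception {
        try (ClusterFixture securedCluster = allChannelEncryptionConfig().build();
             ClientFixture client = keytabClient(securedCluster)) {
            assertSessionUser(client);
            runSmokeQueries(client, "SELECT * FROM cp.`region.json` LIMIT 5");
        }
    }

    /** Checks the connection counters when the bit channels are encrypted too. */
    @Test
    @Ignore("See DRILL-5387. This test works in isolation but not when sharing counters with other tests")
    public void testEncryptedConnectionCountersAllChannel() throws Exception {
        try (ClusterFixture securedCluster = allChannelEncryptionConfig().build();
             ClientFixture client = keytabClient(securedCluster)) {
            assertSessionUser(client);
            assertSingleEncryptedUserConnection();
        }
    }

    /**
     * A user/password login against the encryption-enabled shared cluster must be refused.
     * TestCase.fail() throws an Error, so the catch below never swallows it.
     */
    @Test
    public void failurePlainMech() {
        try (ClientFixture client = cluster.clientBuilder()
                 .property("user", "anonymous")
                 .property("password", "anything works!")
                 .build()) {
            TestCase.fail("Plain-mechanism login succeeded although SASL encryption is enabled");
        } catch (Exception e) {
            assertCauseIs(e, NonTransientRpcException.class);
            logger.error("Caught exception: ", e);
        }
    }

    /** With encryption enabled but only the plain mechanism offered, the connection must fail. */
    @Test
    public void encryptionEnabledWithOnlyPlainMech() {
        try (ClusterFixture plainOnlyCluster = defaultClusterConfig()
                 .configNonStringProperty("drill.exec.security.auth.mechanisms",
                     Lists.newArrayList("plain"))
                 .build();
             ClientFixture client = keytabClient(plainOnlyCluster)) {
            TestCase.fail("Connection succeeded although only the plain mechanism is offered");
        } catch (Exception e) {
            assertCauseIs(e, NonTransientRpcException.class);
            logger.error("Caught exception: ", e);
        }
    }

    /**
     * A client with {@code test_sasl_level=1} must be refused by the encryption-enabled cluster.
     * NOTE(review): presumably level 1 emulates a client without encryption support; the
     * property's meaning is inferred from the test name only.
     */
    @Test
    public void failureOldClientEncryptionEnabled() {
        try (ClientFixture client = keytabClient(cluster, "test_sasl_level", "1")) {
            TestCase.fail("test_sasl_level=1 client connected although SASL encryption is enabled");
        } catch (Exception e) {
            assertCauseIs(e, RpcException.class);
            logger.error("Caught exception: ", e);
        }
    }

    /** A {@code test_sasl_level=1} client must connect when the server has encryption disabled. */
    @Test
    public void successOldClientEncryptionDisabled() {
        try (ClusterFixture unencryptedCluster = defaultClusterConfig()
                 .configProperty("drill.exec.security.user.encryption.sasl.enabled", false)
                 .build();
             ClientFixture client = keytabClient(unencryptedCluster, "test_sasl_level", "1")) {
            assertSessionUser(client);
        } catch (Exception e) {
            // Keep the original exception as the cause so the failure report shows what broke.
            throw new AssertionError("Connection without encryption should have succeeded", e);
        }
    }

    /** A client that sets {@code sasl_encrypt=true} must not connect to a server without it. */
    @Test
    public void clientNeedsEncryptionWithNoServerSupport() {
        try (ClusterFixture unencryptedCluster = defaultClusterConfig()
                 .configProperty("drill.exec.security.user.encryption.sasl.enabled", false)
                 .build();
             ClientFixture client = keytabClient(unencryptedCluster, "sasl_encrypt", "true")) {
            TestCase.fail("Client requiring encryption connected to a server with encryption disabled");
        } catch (Exception e) {
            assertCauseIs(e, NonTransientRpcException.class);
        }
    }

    /** A client that sets {@code sasl_encrypt=true} connects to the encryption-enabled cluster. */
    @Test
    public void clientNeedsEncryptionWithServerSupport() {
        try (ClientFixture client = keytabClient(cluster, "sasl_encrypt", "true")) {
            assertSessionUser(client);
        } catch (Exception e) {
            // Keep the original exception as the cause so the failure report shows what broke.
            throw new AssertionError("Encrypted connection should have succeeded", e);
        }
    }
}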
