package org.apache.drill.storage;

import com.bettercloud.vault.Vault;
import com.bettercloud.vault.VaultConfig;
import com.bettercloud.vault.VaultException;
import com.google.common.collect.ImmutableMap;
import java.util.Collections;
import org.apache.drill.exec.store.security.EnvCredentialsProvider;
import org.apache.drill.exec.store.security.HadoopCredentialsProvider;
import org.apache.drill.exec.store.security.vault.VaultCredentialsProvider;
import org.apache.drill.test.ClusterFixture;
import org.apache.drill.test.ClusterTest;
import org.apache.hadoop.conf.Configuration;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.ClassRule;
import org.junit.Test;
import org.testcontainers.containers.BindMode;
import org.testcontainers.utility.DockerImageName;
import org.testcontainers.vault.VaultContainer;

/* loaded from: input_file:org/apache/drill/storage/CredentialsProviderImplementationsTest.class */
/**
 * Integration tests for the environment-, Hadoop-configuration- and Vault-backed
 * credentials providers.
 *
 * <p>The Vault tests run against a throwaway Vault container started by Testcontainers.
 * Every token, password and secret in this class is a fixture value for that container.
 * The client talks to it over plain {@code http://} on the mapped port, which is only
 * appropriate for this local, disposable instance.
 */
public class CredentialsProviderImplementationsTest extends ClusterTest {
    // Root token of the test container; used only in init() to mint the AppRole
    // role-id/secret-id that the cluster itself is configured with.
    private static final String VAULT_ROOT_TOKEN = "vault-token";
    private static final String SHARED_SECRET_PATH = "secret/testing";
    // "$user" is the placeholder in the per-user secret path. The fixture below seeds
    // only the "alice" variant of this path.
    private static final String USER_SECRET_PATH = "secret/testing/$user";
    private static final String CONTAINER_POLICY_PATH = "/tmp/read-vault-secrets.hcl";
    private static final String VAULT_APP_ROLE_PATH = "auth/approle/role/drill-role";

    // Credential name -> key inside the Vault secret, shared by all Vault tests.
    private static final ImmutableMap<String, String> VAULT_KEY_MAPPING =
        ImmutableMap.of("username", "top_secret", "password", "db_password");
    // What the seeded secrets resolve to under VAULT_KEY_MAPPING.
    private static final ImmutableMap<String, String> SEEDED_CREDENTIALS =
        ImmutableMap.of("username", "password1", "password", "dbpassword1");

    // The image is pinned by tag (1.10.3), not by digest.
    // The role is bound to the "read-secrets" policy loaded from the classpath resource;
    // the policy body is not visible here, so its exact scope should be checked there.
    @ClassRule
    public static final VaultContainer<?> vaultContainer =
        new VaultContainer<>(DockerImageName.parse("vault").withTag("1.10.3"))
            .withVaultToken(VAULT_ROOT_TOKEN)
            .withSecretInVault(SHARED_SECRET_PATH, "top_secret=password1", "db_password=dbpassword1")
            .withSecretInVault(
                USER_SECRET_PATH.replace("$user", "alice"),
                "top_secret=password1",
                "db_password=dbpassword1")
            .withClasspathResourceMapping(
                "vault/read-vault-secrets.hcl", CONTAINER_POLICY_PATH, BindMode.READ_ONLY)
            .withInitCommand(
                "auth enable approle",
                String.format("policy write read-secrets %s", CONTAINER_POLICY_PATH),
                String.format("write %s policies=read-secrets", VAULT_APP_ROLE_PATH));

    /**
     * Fetches an AppRole role-id and a fresh secret-id with the root token, then starts the
     * cluster configured with the Vault address and those two AppRole values.
     *
     * <p>The root token itself is never placed in the cluster configuration.
     */
    @BeforeClass
    public static void init() throws Exception {
        String vaultAddress =
            String.format("http://%s:%d", vaultContainer.getHost(), vaultContainer.getFirstMappedPort());
        VaultConfig rootConfig = new VaultConfig().address(vaultAddress).token(VAULT_ROOT_TOKEN).build();
        // Second argument is the driver's engine version (1 here) - confirm against the driver docs.
        Vault rootClient = new Vault(rootConfig, 1);

        String roleIdPath = String.format("%s/role-id", VAULT_APP_ROLE_PATH);
        String roleId = (String) rootClient.logical().read(roleIdPath).getData().get("role_id");

        // Writing an empty payload to .../secret-id asks Vault to generate a new secret-id.
        String secretIdPath = String.format("%s/secret-id", VAULT_APP_ROLE_PATH);
        String secretId =
            (String) rootClient.logical().write(secretIdPath, Collections.emptyMap()).getData().get("secret_id");

        startCluster(
            ClusterFixture.builder(dirTestWatcher)
                .configProperty("drill.exec.storage.vault.address", vaultAddress)
                .configProperty("drill.exec.storage.vault.app_role_id", roleId)
                .configProperty("drill.exec.storage.vault.secret_id", secretId));
    }

    /** Builds a Vault provider for {@code secretPath} using the running drillbit's config. */
    private VaultCredentialsProvider vaultProviderFor(String secretPath) throws VaultException {
        return new VaultCredentialsProvider(
            secretPath, VAULT_KEY_MAPPING, cluster.drillbit().getContext().getConfig());
    }

    /** The env provider maps "username" to the value of the {@code USER} environment variable. */
    @Test
    public void testEnvCredentialsProvider() {
        String expectedUser = System.getenv("USER");
        EnvCredentialsProvider provider = new EnvCredentialsProvider(ImmutableMap.of("username", "USER"));
        Assert.assertEquals(Collections.singletonMap("username", expectedUser), provider.getCredentials());
    }

    /** The Hadoop provider resolves each credential through its configured configuration key. */
    @Test
    public void testHadoopCredentialsProvider() {
        Configuration hadoopConf = new Configuration();
        hadoopConf.set("username_key", "user1");
        hadoopConf.set("password_key", "pass123!@#");
        HadoopCredentialsProvider provider =
            new HadoopCredentialsProvider(
                hadoopConf, ImmutableMap.of("username", "username_key", "password", "password_key"));
        Assert.assertEquals(
            ImmutableMap.of("username", "user1", "password", "pass123!@#"), provider.getCredentials());
    }

    /** The shared secret path yields the seeded values under the mapped credential names. */
    @Test
    public void testVaultCredentialsProvider() throws VaultException {
        Assert.assertEquals(SEEDED_CREDENTIALS, vaultProviderFor(SHARED_SECRET_PATH).getCredentials());
    }

    /** A user with a seeded per-user secret ("alice") gets that secret's values. */
    @Test
    public void testVaultUserCredentialsPresent() throws VaultException {
        Assert.assertEquals(SEEDED_CREDENTIALS, vaultProviderFor(USER_SECRET_PATH).getUserCredentials("alice"));
    }

    /**
     * A user with no seeded secret ("bob") gets an empty map.
     *
     * <p>The shared secret at the parent path holds the same keys, so this also pins that a
     * missing per-user secret does not resolve to the shared credentials.
     */
    @Test
    public void testVaultUserCredentialsAbsent() throws VaultException {
        Assert.assertEquals(
            Collections.emptyMap(), vaultProviderFor(USER_SECRET_PATH).getUserCredentials("bob"));
    }
}
