package org.apache.hadoop.hdfs.server.federation.security;

import java.io.IOException;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.fs.contract.router.RouterHDFSContract;
import org.apache.hadoop.fs.contract.router.SecurityConfUtil;
import org.apache.hadoop.hdfs.HdfsConfiguration;
import org.apache.hadoop.hdfs.security.token.delegation.DelegationTokenIdentifier;
import org.apache.hadoop.hdfs.server.federation.RouterConfigBuilder;
import org.apache.hadoop.hdfs.server.federation.router.Router;
import org.apache.hadoop.hdfs.server.federation.router.security.RouterSecurityManager;
import org.apache.hadoop.hdfs.server.federation.router.security.token.ZKDelegationTokenSecretManagerImpl;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.SecretManager;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager;
import org.apache.hadoop.service.ServiceStateException;
import org.apache.hadoop.test.LambdaTestUtils;
import org.hamcrest.core.StringContains;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.ExpectedException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/hdfs/server/federation/security/TestRouterSecurityManager.class */
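/**
 * Tests for {@link RouterSecurityManager}: construction of the delegation-token
 * secret manager, the issue / renew / cancel life cycle of a delegation token,
 * password verification, and credential creation against a started
 * {@link Router}.
 *
 * <p>Several tests share the static {@link #securityManager} and replace the
 * process-wide login user through {@link UserGroupInformation}, so they are not
 * isolated from each other's global state.
 */
public class TestRouterSecurityManager {
    private static final Logger LOG = LoggerFactory.getLogger(TestRouterSecurityManager.class);

    /** Configuration key naming the secret manager implementation the router instantiates. */
    private static final String SECRET_MANAGER_CLASS_KEY = "dfs.federation.router.secret.manager.class";

    /** Error text expected when the router cannot obtain a usable secret manager. */
    private static final String SECRET_MANAGER_FAILURE = "Failed to create SecretManager";

    private static final String RENEWER = "some_renewer";

    /** Shared by the token tests; built once in {@link #createMockSecretManager()}. */
    private static RouterSecurityManager securityManager;

    @Rule
    public ExpectedException exceptionRule = ExpectedException.none();

    /**
     * Builds the shared security manager on top of a mock secret manager whose
     * threads are started up front.
     *
     * <p>NOTE(review): nothing in this class stops the shared manager again, so
     * its threads outlive the tests; consider a matching class-level teardown.
     */
    @BeforeClass
    public static void createMockSecretManager() throws IOException {
        // presumably key-update interval, token max lifetime, renew interval and
        // remover scan interval, all 100 ms - confirm against MockDelegationTokenSecretManager
        MockDelegationTokenSecretManager mockSecretManager =
                new MockDelegationTokenSecretManager(100L, 100L, 100L, 100L);
        mockSecretManager.startThreads();
        securityManager = new RouterSecurityManager(mockSecretManager);
    }

    /**
     * A secret manager named by class in the configuration is created, is
     * running after construction, and is no longer running after
     * {@link RouterSecurityManager#stop()}.
     */
    @Test
    public void testCreateSecretManagerUsingReflection() throws IOException {
        HdfsConfiguration conf = new HdfsConfiguration();
        conf.set(SECRET_MANAGER_CLASS_KEY, MockDelegationTokenSecretManager.class.getName());
        conf.set("hadoop.security.authentication",
                UserGroupInformation.AuthenticationMethod.KERBEROS.name());

        RouterSecurityManager routerSecurityManager = new RouterSecurityManager(conf);
        AbstractDelegationTokenSecretManager<?> secretManager = routerSecurityManager.getSecretManager();
        Assert.assertNotNull(secretManager);
        Assert.assertTrue(secretManager.isRunning());

        routerSecurityManager.stop();
        Assert.assertFalse(secretManager.isRunning());
    }

    /**
     * Issues a token as "router", renews it as the named renewer, cancels it,
     * and then requires a further renewal to be rejected as an unknown token.
     * A cancelled token that could still be renewed would remain usable after
     * revocation, which is what the final expectation guards against.
     */
    @Test
    public void testDelegationTokens() throws IOException {
        UserGroupInformation.reset();
        UserGroupInformation.setLoginUser(
                UserGroupInformation.createUserForTesting("router", getUserGroupForTesting()));
        // Typed token: the identifier accessors below need DelegationTokenIdentifier,
        // which a raw Token does not expose.
        Token<DelegationTokenIdentifier> token = securityManager.getDelegationToken(new Text(RENEWER));
        Assert.assertNotNull(token);

        // Renew as the user named as renewer when the token was issued.
        UserGroupInformation.setLoginUser(
                UserGroupInformation.createUserForTesting(RENEWER, getUserGroupForTesting()));
        long renewedUntil = securityManager.renewDelegationToken(token);
        // Renewal must never extend the token past its maximum lifetime.
        Assert.assertTrue(renewedUntil <= token.decodeIdentifier().getMaxDate());

        securityManager.cancelDelegationToken(token);

        // Expectations are armed only now, so an exception from the calls above fails the test.
        this.exceptionRule.expect(SecretManager.InvalidToken.class);
        this.exceptionRule.expectMessage("Renewal request for unknown token");
        securityManager.renewDelegationToken(token);
    }

    /**
     * Verification succeeds with the token's own password and is rejected with
     * {@link SecretManager.InvalidToken} for a different one.
     */
    @Test
    public void testVerifyToken() throws IOException {
        UserGroupInformation.reset();
        UserGroupInformation.setLoginUser(
                UserGroupInformation.createUserForTesting("router", getUserGroupForTesting()));
        Token<DelegationTokenIdentifier> token = securityManager.getDelegationToken(new Text(RENEWER));
        Assert.assertNotNull(token);

        // Positive case: must not throw.
        securityManager.verifyToken(token.decodeIdentifier(), token.getPassword());

        // Negative case: ten zero bytes stand in for a forged password.
        this.exceptionRule.expect(SecretManager.InvalidToken.class);
        this.exceptionRule.expectMessage(StringContains.containsString("password doesn't match"));
        securityManager.verifyToken(token.decodeIdentifier(), new byte[10]);
    }

    /**
     * Starts a router with security enabled and checks the kind, owner and
     * renewer of every token in the credentials created for the "router" user.
     */
    @Test
    public void testCreateCredentials() throws Exception {
        Configuration conf = SecurityConfUtil.initSecurity();
        Router router = new Router();
        try {
            conf.addResource(new RouterConfigBuilder().metrics().rpc().build());
            router.init(conf);
            router.start();

            UserGroupInformation routerUser =
                    UserGroupInformation.createUserForTesting("router", getUserGroupForTesting());
            String expectedOwner =
                    "router/" + (Path.WINDOWS ? "127.0.0.1" : "localhost") + "@EXAMPLE.COM";

            for (Token<?> token
                    : RouterSecurityManager.createCredentials(router, routerUser, RENEWER).getAllTokens()) {
                Assert.assertNotNull(token);
                Assert.assertEquals("HDFS_DELEGATION_TOKEN", token.getKind().toString());
                DelegationTokenIdentifier identifier = (DelegationTokenIdentifier) token.decodeIdentifier();
                Assert.assertNotNull(identifier);
                Assert.assertEquals(expectedOwner, identifier.getOwner().toString());
                Assert.assertEquals(RENEWER, identifier.getRenewer().toString());
            }
        } finally {
            // Clean up even when an assertion fails, so a red test does not leave
            // a running router or the test security setup behind for later tests.
            try {
                router.stop();
            } finally {
                RouterHDFSContract.destroyCluster();
            }
        }
    }

    private static String[] getUserGroupForTesting() {
        return new String[]{"router_group"};
    }

    /**
     * Router initialization must fail when the configured secret manager
     * cannot be created.
     */
    @Test
    public void testWithoutSecretManager() throws Exception {
        // presumably fails because the ZooKeeper-backed implementation has no
        // ZooKeeper configured in this test - confirm
        assertRouterInitFails(ZKDelegationTokenSecretManagerImpl.class.getName());
    }

    /**
     * Router initialization must fail when the configured secret manager is
     * created but, as the mock's name suggests, does not report itself running.
     */
    @Test
    public void testNotRunningSecretManager() throws Exception {
        assertRouterInitFails(MockNotRunningSecretManager.class.getName());
    }

    /**
     * Asserts that {@link Router#init} throws a {@link ServiceStateException}
     * mentioning the secret manager failure when the given class is configured
     * as the secret manager. Failing closed here matters: a router that came up
     * without a working secret manager could not validate delegation tokens.
     *
     * <p>NOTE(review): the configuration comes from
     * {@code SecurityConfUtil.initSecurity()} and, unlike in
     * {@link #testCreateCredentials()}, nothing is torn down afterwards -
     * confirm whether that setup needs cleanup.
     */
    private static void assertRouterInitFails(String secretManagerClassName) throws Exception {
        Configuration conf = SecurityConfUtil.initSecurity();
        conf.set(SECRET_MANAGER_CLASS_KEY, secretManagerClassName);
        Router router = new Router();
        LambdaTestUtils.intercept(ServiceStateException.class, SECRET_MANAGER_FAILURE, () -> {
            router.init(conf);
        });
    }
}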
