package org.apache.hadoop.hdfs;

import java.io.Closeable;
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.util.EnumSet;
import java.util.UUID;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.crypto.key.kms.server.MiniKMS;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.FileSystemTestWrapper;
import org.apache.hadoop.fs.FileUtil;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.fs.permission.FsPermission;
import org.apache.hadoop.hdfs.MiniDFSCluster;
import org.apache.hadoop.hdfs.client.CreateEncryptionZoneFlag;
import org.apache.hadoop.hdfs.client.HdfsAdmin;
import org.apache.hadoop.hdfs.server.datanode.TestDataNodeFaultInjector;
import org.apache.hadoop.http.HttpConfig;
import org.apache.hadoop.io.IOUtils;
import org.apache.hadoop.minikdc.MiniKdc;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.ssl.KeyStoreTestUtil;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.Timeout;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/hdfs/TestSecureEncryptionZoneWithKMS.class */
public class TestSecureEncryptionZoneWithKMS {
    private static HdfsConfiguration baseConf;
    private static File baseDir;
    private static String keystoresDir;
    private static String sslConfDir;
    private static final String HDFS_USER_NAME = "hdfs";
    private static final String SPNEGO_USER_NAME = "HTTP";
    private static final String OOZIE_USER_NAME = "oozie";
    private static final String OOZIE_PROXIED_USER_NAME = "oozie_user";
    private static String hdfsPrincipal;
    private static String spnegoPrincipal;
    private static String ooziePrincipal;
    private static String keytab;
    private static MiniKdc kdc;
    private static MiniKMS miniKMS;
    private static final long AUTH_TOKEN_VALIDITY = 1;
    private MiniDFSCluster cluster;
    private HdfsConfiguration conf;
    private FileSystem fs;
    private HdfsAdmin dfsAdmin;
    private FileSystemTestWrapper fsWrapper;
    public static final Logger LOG = LoggerFactory.getLogger(TestSecureEncryptionZoneWithKMS.class);
    private static final Path TEST_PATH = new Path("/test-dir");
    private static final EnumSet<CreateEncryptionZoneFlag> NO_TRASH = EnumSet.of(CreateEncryptionZoneFlag.NO_TRASH);
    private static boolean testKeyCreated = false;
    private final String testKey = "test_key";

    @Rule
    public Timeout timeout = new Timeout(120000);

    public static File getTestDir() throws Exception {
        File file = new File(new File(new File("dummy").getAbsoluteFile().getParentFile(), "target"), UUID.randomUUID().toString());
        if (file.mkdirs()) {
            return file;
        }
        throw new RuntimeException("Could not create test directory: " + file);
    }

    @BeforeClass
    public static void init() throws Exception {
        baseDir = getTestDir();
        FileUtil.fullyDelete(baseDir);
        Assert.assertTrue(baseDir.mkdirs());
        kdc = new MiniKdc(MiniKdc.createConf(), baseDir);
        kdc.start();
        baseConf = new HdfsConfiguration();
        SecurityUtil.setAuthenticationMethod(UserGroupInformation.AuthenticationMethod.KERBEROS, baseConf);
        UserGroupInformation.setConfiguration(baseConf);
        Assert.assertTrue("Expected configuration to enable security", UserGroupInformation.isSecurityEnabled());
        File file = new File(baseDir, "test.keytab");
        keytab = file.getAbsolutePath();
        String str = Path.WINDOWS ? "127.0.0.1" : "localhost";
        kdc.createPrincipal(file, new String[]{"hdfs/" + str, "HTTP/" + str, "oozie/" + str, "oozie_user/" + str});
        hdfsPrincipal = "hdfs/" + str + "@" + kdc.getRealm();
        spnegoPrincipal = "HTTP/" + str + "@" + kdc.getRealm();
        ooziePrincipal = "oozie/" + str + "@" + kdc.getRealm();
        baseConf.set("hadoop.proxyuser.oozie.hosts", "*");
        baseConf.set("hadoop.proxyuser.oozie.groups", "*");
        baseConf.set("hadoop.user.group.static.mapping.overrides", "oozie_user=oozie");
        baseConf.set("dfs.namenode.kerberos.principal", hdfsPrincipal);
        baseConf.set("dfs.namenode.keytab.file", keytab);
        baseConf.set("dfs.datanode.kerberos.principal", hdfsPrincipal);
        baseConf.set("dfs.datanode.keytab.file", keytab);
        baseConf.set("dfs.web.authentication.kerberos.principal", spnegoPrincipal);
        baseConf.setBoolean("dfs.block.access.token.enable", true);
        baseConf.set("dfs.data.transfer.protection", "authentication");
        baseConf.set("dfs.http.policy", HttpConfig.Policy.HTTPS_ONLY.name());
        baseConf.set("dfs.namenode.https-address", "localhost:0");
        baseConf.set("dfs.datanode.https.address", "localhost:0");
        baseConf.set("dfs.journalnode.https-address", "localhost:0");
        baseConf.setInt("ipc.client.connect.max.retries.on.sasl", 10);
        baseConf.set("hadoop.security.kms.client.encrypted.key.cache.size", "4");
        baseConf.set("hadoop.security.kms.client.encrypted.key.cache.low-watermark", "0.5");
        keystoresDir = baseDir.getAbsolutePath();
        sslConfDir = KeyStoreTestUtil.getClasspathDir(TestSecureEncryptionZoneWithKMS.class);
        KeyStoreTestUtil.setupSSLConfig(keystoresDir, sslConfDir, baseConf, false);
        baseConf.set("dfs.client.https.keystore.resource", KeyStoreTestUtil.getClientSSLConfigFileName());
        baseConf.set("dfs.https.server.keystore.resource", KeyStoreTestUtil.getServerSSLConfigFileName());
        File file2 = new File(baseDir, "kms-site.xml");
        if (file2.exists()) {
            FileUtil.fullyDelete(file2);
        }
        Configuration configuration = new Configuration(true);
        configuration.set("hadoop.kms.key.provider.uri", "jceks://file@" + new Path(baseDir.toString(), "kms.keystore").toUri());
        configuration.set("hadoop.kms.authentication.type", "kerberos");
        configuration.set("hadoop.kms.authentication.kerberos.keytab", keytab);
        configuration.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost");
        configuration.set("hadoop.kms.authentication.kerberos.name.rules", "DEFAULT");
        configuration.set("hadoop.kms.acl.GENERATE_EEK", HDFS_USER_NAME);
        configuration.setLong("hadoop.kms.authentication.token.validity", AUTH_TOKEN_VALIDITY);
        FileWriter fileWriter = new FileWriter(file2);
        configuration.writeXml(fileWriter);
        fileWriter.close();
        miniKMS = new MiniKMS.Builder().setKmsConfDir(baseDir).build();
        miniKMS.start();
    }

    @AfterClass
    public static void destroy() throws Exception {
        if (kdc != null) {
            kdc.stop();
        }
        if (miniKMS != null) {
            miniKMS.stop();
        }
        FileUtil.fullyDelete(baseDir);
        KeyStoreTestUtil.cleanupSSLConfig(keystoresDir, sslConfDir);
    }

    @Before
    public void setup() throws Exception {
        baseConf.set("hadoop.security.key.provider.path", getKeyProviderURI());
        baseConf.setBoolean("dfs.namenode.delegation.token.always-use", true);
        this.conf = new HdfsConfiguration(baseConf);
        this.cluster = new MiniDFSCluster.Builder(this.conf).build();
        this.cluster.waitActive();
        this.fs = this.cluster.getFileSystem();
        this.fsWrapper = new FileSystemTestWrapper(this.fs);
        this.dfsAdmin = new HdfsAdmin(this.cluster.getURI(), this.conf);
        this.cluster.waitActive();
        if (testKeyCreated) {
            return;
        }
        DFSTestUtil.createKey("test_key", this.cluster, this.conf);
        testKeyCreated = true;
    }

    @After
    public void shutdown() throws IOException {
        IOUtils.cleanupWithLogger((Logger) null, new Closeable[]{this.fs});
        if (this.cluster != null) {
            this.cluster.shutdown();
            this.cluster = null;
        }
    }

    private String getKeyProviderURI() {
        return "kms://" + miniKMS.getKMSUrl().toExternalForm().replace("://", "@");
    }

    @Test
    public void testSecureEncryptionZoneWithKMS() throws IOException, InterruptedException {
        final Path path = new Path(TEST_PATH, "TestEZ1");
        this.fsWrapper.mkdir(path, FsPermission.getDirDefault(), true);
        this.fsWrapper.setOwner(path, OOZIE_PROXIED_USER_NAME, "supergroup");
        this.dfsAdmin.createEncryptionZone(path, "test_key", NO_TRASH);
        UserGroupInformation.createProxyUser(OOZIE_PROXIED_USER_NAME, UserGroupInformation.loginUserFromKeytabAndReturnUGI(ooziePrincipal, keytab)).doAs(new PrivilegedExceptionAction<Void>() { // from class: org.apache.hadoop.hdfs.TestSecureEncryptionZoneWithKMS.1
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public Void run() throws IOException {
                try {
                    DistributedFileSystem fileSystem = TestSecureEncryptionZoneWithKMS.this.cluster.getFileSystem();
                    for (int i = 0; i < 3; i++) {
                        try {
                            DFSTestUtil.createFile(fileSystem, new Path(path, "testData." + i + ".dat"), 1024L, (short) 3, TestSecureEncryptionZoneWithKMS.AUTH_TOKEN_VALIDITY);
                        } catch (Throwable th) {
                            if (fileSystem != null) {
                                try {
                                    fileSystem.close();
                                } catch (Throwable th2) {
                                    th.addSuppressed(th2);
                                }
                            }
                            throw th;
                        }
                    }
                    if (fileSystem != null) {
                        fileSystem.close();
                    }
                    return null;
                } catch (IOException e) {
                    throw new IOException(e);
                }
            }
        });
    }

    @Test
    public void testCreateZoneAfterAuthTokenExpiry() throws Exception {
        UserGroupInformation loginUserFromKeytabAndReturnUGI = UserGroupInformation.loginUserFromKeytabAndReturnUGI(hdfsPrincipal, keytab);
        LOG.info("Created ugi: {} ", loginUserFromKeytabAndReturnUGI);
        loginUserFromKeytabAndReturnUGI.doAs(() -> {
            Path path = new Path("/expire1");
            this.fsWrapper.mkdir(path, FsPermission.getDirDefault(), true);
            this.dfsAdmin.createEncryptionZone(path, "test_key", NO_TRASH);
            Path path2 = new Path("/expire2");
            this.fsWrapper.mkdir(path2, FsPermission.getDirDefault(), true);
            LOG.info("Sleeping {} seconds to wait for kms auth token expiration", Long.valueOf(TestDataNodeFaultInjector.MetricsDataNodeFaultInjector.DELAY));
            Thread.sleep(TestDataNodeFaultInjector.MetricsDataNodeFaultInjector.DELAY);
            this.dfsAdmin.createEncryptionZone(path2, "test_key", NO_TRASH);
            return null;
        });
    }
}
