package org.apache.hadoop.crypto.key.kms.server;

import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.net.ServerSocket;
import java.net.SocketTimeoutException;
import java.net.URI;
import java.net.URL;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.Callable;
import javax.security.auth.login.AppConfigurationEntry;
import org.apache.commons.math3.geometry.VectorFormat;
import org.apache.curator.test.TestingServer;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.crypto.key.KeyProvider;
import org.apache.hadoop.crypto.key.KeyProviderCryptoExtension;
import org.apache.hadoop.crypto.key.KeyProviderDelegationTokenExtension;
import org.apache.hadoop.crypto.key.KeyProviderFactory;
import org.apache.hadoop.crypto.key.kms.KMSClientProvider;
import org.apache.hadoop.crypto.key.kms.LoadBalancingKMSClientProvider;
import org.apache.hadoop.crypto.key.kms.server.KMSACLs;
import org.apache.hadoop.crypto.key.kms.server.MiniKMS;
import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.minikdc.MiniKdc;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.server.KerberosAuthenticationHandler;
import org.apache.hadoop.security.authentication.server.PseudoAuthenticationHandler;
import org.apache.hadoop.security.authorize.AuthorizationException;
import org.apache.hadoop.security.ssl.KeyStoreTestUtil;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.test.GenericTestUtils;
import org.apache.log4j.Level;
import org.apache.log4j.LogManager;
import org.apache.zookeeper.client.ZooKeeperSaslClient;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.Timeout;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* JADX WARN: Classes with same name are omitted:
  input_file:hadoop-kms-2.7.0-mapr-1710-tests.jar:org/apache/hadoop/crypto/key/kms/server/TestKMS.class
 */
/* loaded from: input_file:test-classes/org/apache/hadoop/crypto/key/kms/server/TestKMS.class */
public class TestKMS {
    // Class-wide logger; cleanUp() puts its level back to INFO before every test.
    private static final Logger LOG = LoggerFactory.getLogger((Class<?>) TestKMS.class);

    // JUnit rule that applies a 180000 ms time limit to each test method.
    @Rule
    public final Timeout testTimeout = new Timeout(180000);
    // Embedded KDC shared by the whole class: started in setUpMiniKdc(), stopped in tearDownMiniKdc().
    private static MiniKdc kdc;
    // Single keytab file that setUpMiniKdc() fills with every test principal, including the
    // KMS service principal "HTTP/localhost"; both the server config and client logins read it.
    private static File keytab;

    /* JADX INFO: Access modifiers changed from: package-private */
    /* JADX WARN: Classes with same name are omitted:
      input_file:hadoop-kms-2.7.0-mapr-1710-tests.jar:org/apache/hadoop/crypto/key/kms/server/TestKMS$17.class
     */
    /* renamed from: org.apache.hadoop.crypto.key.kms.server.TestKMS$17, reason: invalid class name */
    /* loaded from: input_file:test-classes/org/apache/hadoop/crypto/key/kms/server/TestKMS$17.class */
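    /**
     * Decompiled form of an anonymous {@link KMSCallable} (originally {@code TestKMS$17}) that
     * exercises proxy-user authorization against a running KMS.
     *
     * <p>The real user "client" impersonates three users in turn. Creating a key is expected to
     * succeed as "foo" and as "bar", and to be refused with a "Forbidden" error as "foo1".
     * NOTE(review): the proxy-user rules that make "foo1" unauthorized are set up by the test
     * that instantiates this class, which is not visible here.
     */
    public class AnonymousClass17 extends KMSCallable<Void> {
        /**
         * Captured flag: {@code true} logs "client" in from the shared keytab, {@code false}
         * builds the "client" identity with {@code createRemoteUser} (no keytab login).
         */
        final /* synthetic */ boolean val$kerberos;

        AnonymousClass17(boolean z) {
            this.val$kerberos = z;
        }

        /**
         * Runs the three impersonation checks against the KMS returned by {@link #getKMSUrl()}.
         *
         * @return always {@code null}
         * @throws Exception if the login, an impersonated call or an assertion fails
         */
        @Override // java.util.concurrent.Callable
        public Void call() throws Exception {
            final Configuration clientConf = new Configuration();
            // 64-bit default key length: a test-only value, far too short for a real key.
            clientConf.setInt(KeyProvider.DEFAULT_BITLENGTH_NAME, 64);
            final URI kmsUri = TestKMS.createKMSUri(getKMSUrl());
            final UserGroupInformation realUser;
            if (this.val$kerberos) {
                realUser = UserGroupInformation.loginUserFromKeytabAndReturnUGI("client", TestKMS.keytab.getAbsolutePath());
            } else {
                realUser = UserGroupInformation.createRemoteUser("client");
            }
            realUser.doAs(new PrivilegedExceptionAction<Void>() {
                @Override
                public Void run() throws Exception {
                    // Positive case: "client" impersonating "foo" may create a key.
                    UserGroupInformation.createProxyUser("foo", realUser).doAs(new PrivilegedExceptionAction<Void>() {
                        @Override
                        public Void run() throws Exception {
                            Assert.assertNotNull(TestKMS.this.createProvider(kmsUri, clientConf).createKey("kaa", new KeyProvider.Options(clientConf)));
                            return null;
                        }
                    });
                    // Negative case: impersonating "foo1" must be rejected by the server.
                    UserGroupInformation.createProxyUser("foo1", realUser).doAs(new PrivilegedExceptionAction<Void>() {
                        @Override
                        public Void run() throws Exception {
                            try {
                                TestKMS.this.createProvider(kmsUri, clientConf).createKey("kbb", new KeyProvider.Options(clientConf));
                            } catch (Exception e) {
                                // Null-safe: an exception without a message must fail the
                                // assertion below instead of surfacing as a NullPointerException.
                                String message = String.valueOf(e.getMessage());
                                Assert.assertTrue(message, message.contains("Forbidden"));
                                return null;
                            }
                            // Reached only if the server accepted the request; say why that is wrong.
                            Assert.fail("createKey as proxy user 'foo1' succeeded; expected a Forbidden error");
                            return null;
                        }
                    });
                    // Positive case: "client" impersonating "bar" may create a key.
                    UserGroupInformation.createProxyUser("bar", realUser).doAs(new PrivilegedExceptionAction<Void>() {
                        @Override
                        public Void run() throws Exception {
                            Assert.assertNotNull(TestKMS.this.createProvider(kmsUri, clientConf).createKey("kcc", new KeyProvider.Options(clientConf)));
                            return null;
                        }
                    });
                    return null;
                }
            });
            return null;
        }
    }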

    /* JADX WARN: Classes with same name are omitted:
      input_file:hadoop-kms-2.7.0-mapr-1710-tests.jar:org/apache/hadoop/crypto/key/kms/server/TestKMS$KMSCallable.class
     */
    /* loaded from: input_file:test-classes/org/apache/hadoop/crypto/key/kms/server/TestKMS$KMSCallable.class */
    /**
     * Base class for the test bodies handed to {@code runServer}: a {@link Callable} that can
     * also look up the URL of the KMS instance it runs against.
     *
     * @param <T> result type produced by {@code call()}
     */
    public abstract static class KMSCallable<T> implements Callable<T> {
        // Assigned directly by TestKMS.runServer(...) after the server has started; null until then.
        private URL kmsUrl;

        /** Returns the KMS endpoint recorded for this callable, or {@code null} if none was set. */
        protected URL getKMSUrl() {
            return kmsUrl;
        }
    }

    /* JADX WARN: Classes with same name are omitted:
      input_file:hadoop-kms-2.7.0-mapr-1710-tests.jar:org/apache/hadoop/crypto/key/kms/server/TestKMS$KerberosConfiguration.class
     */
    /* loaded from: input_file:test-classes/org/apache/hadoop/crypto/key/kms/server/TestKMS$KerberosConfiguration.class */
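    /**
     * JAAS {@link javax.security.auth.login.Configuration} that returns one Krb5LoginModule
     * entry for a fixed principal and keytab, whatever application name is requested.
     */
    private static class KerberosConfiguration extends javax.security.auth.login.Configuration {
        private final String principal;
        // Absolute path of the keytab file; only the path is stored, never its contents.
        private final String keytab;
        private final boolean isInitiator;

        /**
         * @param str  Kerberos principal to log in as
         * @param file keytab file holding that principal's key
         * @param z    value passed to the login module as {@code isInitiator}
         */
        private KerberosConfiguration(String str, File file, boolean z) {
            this.principal = str;
            this.keytab = file.getAbsolutePath();
            this.isInitiator = z;
        }

        /**
         * Builds a client-side (initiator) login configuration.
         *
         * @param str  Kerberos principal to log in as
         * @param file keytab file holding that principal's key
         * @return a configuration with {@code isInitiator} set to {@code true}
         */
        public static javax.security.auth.login.Configuration createClientConfig(String str, File file) {
            return new KerberosConfiguration(str, file, true);
        }

        /** Picks the IBM login module class on an IBM JVM and the Sun/Oracle one otherwise. */
        private static String getKrb5LoginModuleName() {
            return System.getProperty("java.vendor").contains("IBM") ? "com.ibm.security.auth.module.Krb5LoginModule" : "com.sun.security.auth.module.Krb5LoginModule";
        }

        /**
         * Returns the single REQUIRED Krb5LoginModule entry for this principal and keytab.
         *
         * @param str requested application name; ignored, every name gets the same entry
         * @return a one-element array holding the login module entry
         */
        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String str) {
            // The JAAS options are spelled as the literal "true". The decompiled listing had
            // substituted ZooKeeperSaslClient.ENABLE_CLIENT_SASL_DEFAULT (also "true") here,
            // which tied Kerberos login options to an unrelated ZooKeeper default.
            final String enabled = "true";
            Map<String, String> options = new HashMap<String, String>();
            options.put("keyTab", this.keytab);
            options.put("principal", this.principal);
            options.put("useKeyTab", enabled);
            options.put("storeKey", enabled);
            options.put("doNotPrompt", enabled);
            // NOTE(review): with the ticket cache enabled, credentials may come from an existing
            // cache (see KRB5CCNAME below) rather than the keytab - confirm this is intended.
            options.put("useTicketCache", enabled);
            options.put("renewTGT", enabled);
            options.put("refreshKrb5Config", enabled);
            options.put("isInitiator", Boolean.toString(this.isInitiator));
            String ticketCache = System.getenv("KRB5CCNAME");
            if (ticketCache != null) {
                options.put("ticketCache", ticketCache);
            }
            // Login-module debug output is acceptable in tests; it should not be carried into
            // any configuration reused outside them, since it writes login details to the console.
            options.put("debug", enabled);
            return new AppConfigurationEntry[]{new AppConfigurationEntry(getKrb5LoginModuleName(), AppConfigurationEntry.LoginModuleControlFlag.REQUIRED, options)};
        }
    }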

    /**
     * Runs before each test: installs a fresh default {@link Configuration} into
     * {@link UserGroupInformation}, so security settings from a previous test do not carry
     * over, and puts this class's logger back at INFO.
     */
    @Before
    public void cleanUp() {
        final Configuration pristine = new Configuration();
        UserGroupInformation.setConfiguration(pristine);
        GenericTestUtils.setLogLevel(LOG, Level.INFO);
    }

    /**
     * Creates and returns a new, uniquely named directory under {@code target/} in the current
     * working directory; the name is a random UUID.
     *
     * <p>Nothing here restricts the directory's permissions: the keytab and configuration files
     * that the tests write into it get whatever the process defaults allow.
     *
     * @return the directory that was just created
     * @throws RuntimeException if the directory could not be created
     */
    public static File getTestDir() throws Exception {
        final File workingDir = new File("dummy").getAbsoluteFile().getParentFile();
        final File targetDir = new File(workingDir, "target");
        final File testDir = new File(targetDir, UUID.randomUUID().toString());
        if (!testDir.mkdirs()) {
            throw new RuntimeException("Could not create test directory: " + testDir);
        }
        return testDir;
    }

    /**
     * Builds the client-side key provider used by the tests: a load-balancing provider that
     * wraps exactly one {@link KMSClientProvider} for the given URI.
     *
     * @param uri           KMS URI, as produced by {@code createKMSUri}
     * @param configuration client configuration handed to both providers
     * @return the load-balancing provider
     * @throws IOException if a provider cannot be constructed
     */
    protected KeyProvider createProvider(URI uri, Configuration configuration) throws IOException {
        final KMSClientProvider onlyBackend = new KMSClientProvider(uri, configuration);
        final KMSClientProvider[] backends = {onlyBackend};
        return new LoadBalancingKMSClientProvider(backends, configuration);
    }

    /**
     * Convenience overload of {@code runServer} that does not request a specific port.
     *
     * @param str         keystore file path for SSL, or {@code null} for plain HTTP
     * @param str2        keystore password, used only when {@code str} is not {@code null}
     * @param file        KMS configuration directory
     * @param kMSCallable test body to run while the server is up
     * @return whatever {@code kMSCallable} returns
     * @throws Exception if the server or the test body fails
     */
    protected <T> T runServer(String str, String str2, File file, KMSCallable<T> kMSCallable) throws Exception {
        // A non-positive port makes the five-argument overload leave the builder's port unset.
        final int noExplicitPort = -1;
        return runServer(noExplicitPort, str, str2, file, kMSCallable);
    }

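    /**
     * Starts a {@link MiniKMS}, runs the given test body against it and always stops the server
     * afterwards.
     *
     * @param i           port to bind; values {@code <= 0} leave the builder's port unset
     * @param str         keystore file path for SSL, or {@code null} to skip the SSL setup
     * @param str2        keystore password, used only when {@code str} is not {@code null}
     * @param file        KMS configuration directory
     * @param kMSCallable test body; its KMS URL is set before {@code call()} is invoked
     * @return whatever {@code kMSCallable} returns
     * @throws Exception if the server or the test body fails
     */
    protected <T> T runServer(int i, String str, String str2, File file, KMSCallable<T> kMSCallable) throws Exception {
        MiniKMS.Builder builder = new MiniKMS.Builder().setKmsConfDir(file).setLog4jConfFile(LogManager.DEFAULT_CONFIGURATION_FILE);
        if (str != null) {
            builder.setSslConf(new File(str), str2);
        }
        if (i > 0) {
            builder.setPort(i);
        }
        MiniKMS miniKms = builder.build();
        miniKms.start();
        try {
            System.out.println("Test KMS running at: " + miniKms.getKMSUrl());
            kMSCallable.kmsUrl = miniKms.getKMSUrl();
            return kMSCallable.call();
        } finally {
            // Stop exactly once on every path. The decompiled try/catch form called stop() a
            // second time when the first stop() itself threw.
            miniKms.stop();
        }
    }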

    /**
     * Creates the minimal KMS server configuration shared by the tests.
     *
     * <p>Keys are stored in a JCEKS keystore named {@code kms.keystore} inside {@code file}.
     * Authentication is set to the pseudo handler, which takes the caller's stated user name on
     * trust; tests that need real authentication replace this setting with Kerberos.
     *
     * @param file KMS configuration directory
     * @return a configuration that does not load the default resources
     */
    protected Configuration createBaseKMSConf(File file) throws Exception {
        final Configuration kmsConf = new Configuration(false);
        final Path keystorePath = new Path(file.getAbsolutePath(), "kms.keystore");
        final String providerUri = "jceks://file@" + keystorePath.toUri();
        kmsConf.set(KMSConfiguration.KEY_PROVIDER_URI, providerUri);
        kmsConf.set("hadoop.kms.authentication.type", PseudoAuthenticationHandler.TYPE);
        return kmsConf;
    }

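    /**
     * Writes the configuration files a MiniKMS reads from its configuration directory.
     *
     * <p>The same {@code configuration} is written to both the KMS site file and the KMS ACLs
     * file, so any {@code key.acl.*} entries a test sets end up in the ACL file as well. An
     * empty {@code core-site.xml} is written alongside them.
     *
     * @param file          directory to write into
     * @param configuration settings to serialize
     * @throws Exception if a file cannot be written
     */
    public static void writeConf(File file, Configuration configuration) throws Exception {
        // try-with-resources closes each writer even when writeXml throws; the original form
        // leaked the open file handle on failure.
        try (FileWriter siteWriter = new FileWriter(new File(file, KMSConfiguration.KMS_SITE_XML))) {
            configuration.writeXml(siteWriter);
        }
        try (FileWriter aclsWriter = new FileWriter(new File(file, KMSConfiguration.KMS_ACLS_XML))) {
            configuration.writeXml(aclsWriter);
        }
        try (FileWriter coreSiteWriter = new FileWriter(new File(file, "core-site.xml"))) {
            new Configuration(false).writeXml(coreSiteWriter);
        }
    }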

    /**
     * Converts a KMS HTTP(S) URL into the {@code kms://} URI form used by the client provider,
     * e.g. {@code http://host:port/kms} becomes {@code kms://http@host:port/kms}.
     *
     * @param url URL of the running KMS
     * @return the equivalent {@code kms://} URI
     * @throws Exception if the resulting string is not a valid URI
     */
    public static URI createKMSUri(URL url) throws Exception {
        final String external = url.toString();
        // Only the first "://" is rewritten, so the transport scheme becomes the user-info part.
        final String schemeAsUserInfo = external.replaceFirst("://", "@");
        return new URI("kms://" + schemeAsUserInfo);
    }

    /**
     * Starts the shared MiniKdc once for the class and creates every principal the tests log in
     * as, all stored in one keytab file inside a fresh test directory.
     *
     * <p>The principals are the KMS service principal {@code HTTP/localhost}, several client
     * identities, one principal per {@link KMSACLs.Type} value, and {@code CREATE_MATERIAL} and
     * {@code ROLLOVER_MATERIAL}.
     *
     * @throws Exception if the KDC cannot be started or a principal cannot be created
     */
    @BeforeClass
    public static void setUpMiniKdc() throws Exception {
        final File kdcWorkDir = getTestDir();
        kdc = new MiniKdc(MiniKdc.createConf(), kdcWorkDir);
        kdc.start();
        keytab = new File(kdcWorkDir, "keytab");

        final List<String> principals = new ArrayList<String>();
        final String[] fixedPrincipals = {"HTTP/localhost", "client", "hdfs", "otheradmin", "client/host", "client1"};
        for (String fixed : fixedPrincipals) {
            principals.add(fixed);
        }
        // One principal per ACL type, named after the type.
        for (KMSACLs.Type aclType : KMSACLs.Type.values()) {
            principals.add(aclType.toString());
        }
        principals.add("CREATE_MATERIAL");
        principals.add("ROLLOVER_MATERIAL");
        kdc.createPrincipal(keytab, principals.toArray(new String[principals.size()]));
    }

    /**
     * Stops the shared MiniKdc, if one was started, and resets the static
     * {@link UserGroupInformation} state so later test classes start clean.
     *
     * @throws Exception if the KDC fails to stop
     */
    @AfterClass
    public static void tearDownMiniKdc() throws Exception {
        final MiniKdc running = kdc;
        if (running != null) {
            running.stop();
        }
        UserGroupInformation.setShouldRenewImmediatelyForTests(false);
        UserGroupInformation.reset();
    }

    /* JADX INFO: Access modifiers changed from: private */
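    /**
     * Logs the given principal in from the shared keytab, runs the action as that user and
     * logs the user out again, whether or not the action succeeds.
     *
     * <p>The login goes through the static {@link UserGroupInformation} login user, so this
     * helper changes process-wide state for the duration of the call.
     *
     * @param str                       principal name present in the test keytab
     * @param privilegedExceptionAction action to run as that principal
     * @return the action's result
     * @throws Exception if the login, the action or the logout fails
     */
    public <T> T doAs(String str, PrivilegedExceptionAction<T> privilegedExceptionAction) throws Exception {
        UserGroupInformation.loginUserFromKeytab(str, keytab.getAbsolutePath());
        UserGroupInformation loginUser = UserGroupInformation.getLoginUser();
        try {
            return loginUser.doAs(privilegedExceptionAction);
        } finally {
            // Log out exactly once on every path. The decompiled try/catch form attempted a
            // second logout when the first one threw.
            loginUser.logoutUserFromKeytab();
        }
    }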

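    /**
     * Starts a MiniKMS in the requested transport and authentication mode and checks that a
     * client can list keys and obtain one KMS delegation token.
     *
     * <p>With SSL enabled it also checks that closing the client provider ends the
     * "Truststore reloader thread".
     *
     * @param z  {@code true} to serve the KMS over HTTPS using the test keystore
     * @param z2 {@code true} to use Kerberos authentication, {@code false} for pseudo auth
     * @throws Exception if the server cannot be started or a check fails
     */
    public void testStartStop(final boolean z, final boolean z2) throws Exception {
        String keystorePath;
        String keystorePassword;
        Configuration ugiConf = new Configuration();
        if (z2) {
            ugiConf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, KerberosAuthenticationHandler.TYPE);
        }
        UserGroupInformation.setConfiguration(ugiConf);
        File testDir = getTestDir();
        Configuration kmsConf = createBaseKMSConf(testDir);
        if (z) {
            KeyStoreTestUtil.setupSSLConfig(testDir.getAbsolutePath(), KeyStoreTestUtil.getClasspathDir(TestKMS.class), kmsConf, false);
            keystorePath = testDir.getAbsolutePath() + "/serverKS.jks";
            // Fixed keystore password used with the test keystore.
            keystorePassword = "serverP";
        } else {
            keystorePath = null;
            keystorePassword = null;
        }
        // NOTE(review): presumably a 1-second auth-token validity, which the 4000 ms sleep below
        // outlasts so that the following request has to authenticate again - confirm the unit.
        kmsConf.set("hadoop.kms.authentication.token.validity", "1");
        if (z2) {
            kmsConf.set("hadoop.kms.authentication.type", KerberosAuthenticationHandler.TYPE);
            kmsConf.set("hadoop.kms.authentication.kerberos.keytab", keytab.getAbsolutePath());
            kmsConf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost");
            kmsConf.set("hadoop.kms.authentication.kerberos.name.rules", "DEFAULT");
        }
        writeConf(testDir, kmsConf);
        final String sslKeystore = keystorePath;
        runServer(keystorePath, keystorePassword, testDir, new KMSCallable<Void>() {
            @Override // java.util.concurrent.Callable
            public Void call() throws Exception {
                final Configuration clientConf = new Configuration();
                // The server must speak HTTPS exactly when a keystore was configured.
                Assert.assertEquals(Boolean.valueOf(sslKeystore != null), Boolean.valueOf(getKMSUrl().getProtocol().equals("https")));
                final URI kmsUri = TestKMS.createKMSUri(getKMSUrl());
                if (z) {
                    KeyProvider sslProvider = TestKMS.this.createProvider(kmsUri, clientConf);
                    // Walk up to the root thread group so every live thread is enumerated.
                    ThreadGroup rootGroup = Thread.currentThread().getThreadGroup();
                    while (rootGroup.getParent() != null) {
                        rootGroup = rootGroup.getParent();
                    }
                    Thread[] liveThreads = new Thread[rootGroup.activeCount()];
                    rootGroup.enumerate(liveThreads);
                    Thread reloader = null;
                    for (Thread candidate : liveThreads) {
                        // activeCount() is only an estimate, so enumerate() can leave null slots.
                        if (candidate != null && candidate.getName() != null && candidate.getName().contains("Truststore reloader thread")) {
                            reloader = candidate;
                        }
                    }
                    // Fail with a clear message instead of a NullPointerException when the
                    // reloader thread was never started.
                    Assert.assertNotNull("Reloader thread not found", reloader);
                    Assert.assertTrue("Reloader is not alive", reloader.isAlive());
                    sslProvider.close();
                    // Give the reloader up to ten seconds to end after the provider is closed.
                    boolean stillAlive = true;
                    for (int attempt = 0; attempt < 10; attempt++) {
                        stillAlive = reloader.isAlive();
                        if (!stillAlive) {
                            break;
                        }
                        Thread.sleep(1000L);
                    }
                    Assert.assertFalse("Reloader is still alive", stillAlive);
                }
                if (z2) {
                    // Kerberos mode: repeat the check as each of the two client principals.
                    for (String principal : new String[]{"client", "client/host"}) {
                        TestKMS.this.doAs(principal, new PrivilegedExceptionAction<Void>() {
                            @Override // java.security.PrivilegedExceptionAction
                            public Void run() throws Exception {
                                assertNoKeysAndOneToken(kmsUri, clientConf);
                                return null;
                            }
                        });
                    }
                    return null;
                }
                assertNoKeysAndOneToken(kmsUri, clientConf);
                return null;
            }

            // Checks that the KMS holds no keys and issues exactly one KMS delegation token.
            private void assertNoKeysAndOneToken(URI kmsUri, Configuration clientConf) throws Exception {
                KeyProvider provider = TestKMS.this.createProvider(kmsUri, clientConf);
                Assert.assertTrue(provider.getKeys().isEmpty());
                Thread.sleep(4000L);
                Token<?>[] tokens = ((KeyProviderDelegationTokenExtension.DelegationTokenExtension) provider).addDelegationTokens("myuser", new Credentials());
                Assert.assertEquals(1L, tokens.length);
                Assert.assertEquals(KMSClientProvider.TOKEN_KIND_STR, tokens[0].getKind().toString());
            }
        });
    }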

    /** Start/stop check over plain HTTP with pseudo authentication. */
    @Test
    public void testStartStopHttpPseudo() throws Exception {
        final boolean ssl = false;
        final boolean kerberos = false;
        testStartStop(ssl, kerberos);
    }

    /** Start/stop check over HTTPS with pseudo authentication. */
    @Test
    public void testStartStopHttpsPseudo() throws Exception {
        final boolean ssl = true;
        final boolean kerberos = false;
        testStartStop(ssl, kerberos);
    }

    /** Start/stop check over plain HTTP with Kerberos authentication. */
    @Test
    public void testStartStopHttpKerberos() throws Exception {
        final boolean ssl = false;
        final boolean kerberos = true;
        testStartStop(ssl, kerberos);
    }

    /** Start/stop check over HTTPS with Kerberos authentication. */
    @Test
    public void testStartStopHttpsKerberos() throws Exception {
        final boolean ssl = true;
        final boolean kerberos = true;
        testStartStop(ssl, kerberos);
    }

    /**
     * Checks that a key whose name contains spaces, a newline, quotes, brackets and a backslash
     * can be created through the KMS and comes back with the name unchanged.
     *
     * <p>The per-key ACL for that name grants {@code ALL} to {@code *}, so the test is about how
     * the name is handled rather than about authorization.
     *
     * @throws Exception if the server cannot be started or a check fails
     */
    @Test(timeout = KMSConfiguration.CURR_KEY_CACHE_TIMEOUT_DEFAULT)
    public void testSpecialKeyNames() throws Exception {
        final String specialKeyName = "key %^[\n{]}|\"<>\\";
        Configuration ugiConf = new Configuration();
        ugiConf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, KerberosAuthenticationHandler.TYPE);
        UserGroupInformation.setConfiguration(ugiConf);
        File confDir = getTestDir();
        Configuration kmsConf = createBaseKMSConf(confDir);
        kmsConf.set("key.acl." + specialKeyName + ".ALL", "*");
        writeConf(confDir, kmsConf);
        runServer(null, null, confDir, new KMSCallable<Void>() {
            @Override // java.util.concurrent.Callable
            public Void call() throws Exception {
                Configuration clientConf = new Configuration();
                URI kmsUri = TestKMS.createKMSUri(getKMSUrl());
                KeyProvider provider = TestKMS.this.createProvider(kmsUri, clientConf);
                // A freshly started KMS holds no keys.
                Assert.assertTrue(provider.getKeys().isEmpty());
                Assert.assertEquals(0L, provider.getKeysMetadata(new String[0]).length);

                KeyProvider.Options keyOptions = new KeyProvider.Options(clientConf);
                keyOptions.setCipher("AES/CTR/NoPadding");
                keyOptions.setBitLength(128);
                keyOptions.setDescription("l1");
                TestKMS.LOG.info("Creating key with name '{}'", specialKeyName);
                KeyProvider.KeyVersion created = provider.createKey(specialKeyName, keyOptions);
                Assert.assertNotNull(created);
                // The name must come back exactly as it was sent.
                Assert.assertEquals(specialKeyName, created.getName());
                Assert.assertNotNull(created.getVersionName());
                Assert.assertNotNull(created.getMaterial());
                return null;
            }
        });
    }

    @Test
    public void testKMSProvider() throws Exception {
        Configuration configuration = new Configuration();
        configuration.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, KerberosAuthenticationHandler.TYPE);
        UserGroupInformation.setConfiguration(configuration);
        File testDir = getTestDir();
        Configuration createBaseKMSConf = createBaseKMSConf(testDir);
        createBaseKMSConf.set("key.acl.k1.ALL", "*");
        createBaseKMSConf.set("key.acl.k2.MANAGEMENT", "*");
        createBaseKMSConf.set("key.acl.k2.READ", "*");
        createBaseKMSConf.set("key.acl.k3.ALL", "*");
        createBaseKMSConf.set("key.acl.k4.ALL", "*");
        createBaseKMSConf.set("key.acl.k5.ALL", "*");
        createBaseKMSConf.set("key.acl.k6.ALL", "*");
        writeConf(testDir, createBaseKMSConf);
        runServer(null, null, testDir, new KMSCallable<Void>() { // from class: org.apache.hadoop.crypto.key.kms.server.TestKMS.3
            @Override // java.util.concurrent.Callable
            public Void call() throws Exception {
                Date date = new Date();
                Configuration configuration2 = new Configuration();
                KeyProvider createProvider = TestKMS.this.createProvider(TestKMS.createKMSUri(getKMSUrl()), configuration2);
                Assert.assertTrue(createProvider.getKeys().isEmpty());
                Assert.assertEquals(0L, createProvider.getKeysMetadata(new String[0]).length);
                KeyProvider.Options options = new KeyProvider.Options(configuration2);
                options.setCipher("AES/CTR/NoPadding");
                options.setBitLength(128);
                options.setDescription("l1");
                KeyProvider.KeyVersion createKey = createProvider.createKey("k1", options);
                Assert.assertNotNull(createKey);
                Assert.assertNotNull(createKey.getVersionName());
                Assert.assertNotNull(createKey.getMaterial());
                KeyProvider.KeyVersion keyVersion = createProvider.getKeyVersion(createKey.getVersionName());
                Assert.assertEquals(createKey.getVersionName(), keyVersion.getVersionName());
                Assert.assertNotNull(keyVersion.getMaterial());
                KeyProvider.KeyVersion currentKey = createProvider.getCurrentKey("k1");
                Assert.assertEquals(createKey.getVersionName(), currentKey.getVersionName());
                Assert.assertNotNull(currentKey.getMaterial());
                KeyProvider.Metadata metadata = createProvider.getMetadata("k1");
                Assert.assertEquals("AES/CTR/NoPadding", metadata.getCipher());
                Assert.assertEquals("AES", metadata.getAlgorithm());
                Assert.assertEquals(128L, metadata.getBitLength());
                Assert.assertEquals(1L, metadata.getVersions());
                Assert.assertNotNull(metadata.getCreated());
                Assert.assertTrue(date.before(metadata.getCreated()));
                List<KeyProvider.KeyVersion> keyVersions = createProvider.getKeyVersions("k1");
                Assert.assertEquals(1L, keyVersions.size());
                Assert.assertEquals(createKey.getVersionName(), keyVersions.get(0).getVersionName());
                Assert.assertNotNull(keyVersion.getMaterial());
                KeyProvider.KeyVersion rollNewVersion = createProvider.rollNewVersion("k1");
                Assert.assertNotSame(createKey.getVersionName(), rollNewVersion.getVersionName());
                Assert.assertNotNull(rollNewVersion.getMaterial());
                KeyProvider.KeyVersion keyVersion2 = createProvider.getKeyVersion(rollNewVersion.getVersionName());
                boolean z = true;
                for (int i = 0; i < keyVersion.getMaterial().length; i++) {
                    z = z && keyVersion.getMaterial()[i] == keyVersion2.getMaterial()[i];
                }
                Assert.assertFalse(z);
                KeyProvider.KeyVersion currentKey2 = createProvider.getCurrentKey("k1");
                Assert.assertEquals(keyVersion2.getVersionName(), currentKey2.getVersionName());
                Assert.assertNotNull(currentKey2.getMaterial());
                boolean z2 = true;
                for (int i2 = 0; i2 < keyVersion.getMaterial().length; i2++) {
                    z2 = z2 && currentKey2.getMaterial()[i2] == keyVersion2.getMaterial()[i2];
                }
                Assert.assertTrue(z2);
                List<KeyProvider.KeyVersion> keyVersions2 = createProvider.getKeyVersions("k1");
                Assert.assertEquals(2L, keyVersions2.size());
                Assert.assertEquals(keyVersion.getVersionName(), keyVersions2.get(0).getVersionName());
                Assert.assertNotNull(keyVersions2.get(0).getMaterial());
                Assert.assertEquals(keyVersion2.getVersionName(), keyVersions2.get(1).getVersionName());
                Assert.assertNotNull(keyVersions2.get(1).getMaterial());
                KeyProvider.Metadata metadata2 = createProvider.getMetadata("k1");
                Assert.assertEquals("AES/CTR/NoPadding", metadata2.getCipher());
                Assert.assertEquals("AES", metadata2.getAlgorithm());
                Assert.assertEquals(128L, metadata2.getBitLength());
                Assert.assertEquals(2L, metadata2.getVersions());
                Assert.assertNotNull(metadata2.getCreated());
                Assert.assertTrue(date.before(metadata2.getCreated()));
                List<String> keys = createProvider.getKeys();
                Assert.assertEquals(1L, keys.size());
                Assert.assertEquals("k1", keys.get(0));
                KeyProvider.Metadata[] keysMetadata = createProvider.getKeysMetadata("k1");
                Assert.assertEquals(1L, keysMetadata.length);
                Assert.assertEquals("AES/CTR/NoPadding", keysMetadata[0].getCipher());
                Assert.assertEquals("AES", keysMetadata[0].getAlgorithm());
                Assert.assertEquals(128L, keysMetadata[0].getBitLength());
                Assert.assertEquals(2L, keysMetadata[0].getVersions());
                Assert.assertNotNull(keysMetadata[0].getCreated());
                Assert.assertTrue(date.before(keysMetadata[0].getCreated()));
                KeyProvider.KeyVersion currentKey3 = createProvider.getCurrentKey("k1");
                KeyProviderCryptoExtension createKeyProviderCryptoExtension = KeyProviderCryptoExtension.createKeyProviderCryptoExtension(createProvider);
                KeyProviderCryptoExtension.EncryptedKeyVersion generateEncryptedKey = createKeyProviderCryptoExtension.generateEncryptedKey(currentKey3.getName());
                Assert.assertEquals(KeyProviderCryptoExtension.EEK, generateEncryptedKey.getEncryptedKeyVersion().getVersionName());
                Assert.assertNotNull(generateEncryptedKey.getEncryptedKeyVersion().getMaterial());
                Assert.assertEquals(currentKey3.getMaterial().length, generateEncryptedKey.getEncryptedKeyVersion().getMaterial().length);
                KeyProvider.KeyVersion decryptEncryptedKey = createKeyProviderCryptoExtension.decryptEncryptedKey(generateEncryptedKey);
                Assert.assertEquals(KeyProviderCryptoExtension.EK, decryptEncryptedKey.getVersionName());
                Assert.assertArrayEquals(decryptEncryptedKey.getMaterial(), createKeyProviderCryptoExtension.decryptEncryptedKey(generateEncryptedKey).getMaterial());
                Assert.assertEquals(currentKey3.getMaterial().length, decryptEncryptedKey.getMaterial().length);
                KeyProviderCryptoExtension.EncryptedKeyVersion generateEncryptedKey2 = createKeyProviderCryptoExtension.generateEncryptedKey(currentKey3.getName());
                KeyProvider.KeyVersion decryptEncryptedKey2 = createKeyProviderCryptoExtension.decryptEncryptedKey(generateEncryptedKey2);
                boolean z3 = true;
                for (int i3 = 0; z3 && i3 < generateEncryptedKey2.getEncryptedKeyVersion().getMaterial().length; i3++) {
                    z3 = decryptEncryptedKey2.getMaterial()[i3] == decryptEncryptedKey.getMaterial()[i3];
                }
                Assert.assertFalse(z3);
                createProvider.deleteKey("k1");
                try {
                    createKeyProviderCryptoExtension.decryptEncryptedKey(generateEncryptedKey);
                    Assert.fail("Should not be allowed !!");
                } catch (Exception e) {
                    Assert.assertTrue(e.getMessage().contains("'k1@1' not found"));
                }
                Assert.assertNull(createProvider.getKeyVersion("k1"));
                Assert.assertNull(createProvider.getKeyVersions("k1"));
                Assert.assertNull(createProvider.getMetadata("k1"));
                Assert.assertTrue(createProvider.getKeys().isEmpty());
                Assert.assertEquals(0L, createProvider.getKeysMetadata(new String[0]).length);
                KeyProvider.Options options2 = new KeyProvider.Options(configuration2);
                options2.setCipher("AES/CTR/NoPadding");
                options2.setBitLength(128);
                KeyProvider.KeyVersion createKey2 = createProvider.createKey("k2", options2);
                KeyProvider.Metadata metadata3 = createProvider.getMetadata("k2");
                Assert.assertNull(metadata3.getDescription());
                Assert.assertEquals("k2", metadata3.getAttributes().get("key.acl.name"));
                try {
                    KeyProviderCryptoExtension.createKeyProviderCryptoExtension(createProvider).generateEncryptedKey(createKey2.getName());
                    Assert.fail("User should not be allowed to encrypt !!");
                } catch (Exception e2) {
                }
                KeyProvider.Options options3 = new KeyProvider.Options(configuration2);
                options3.setCipher("AES/CTR/NoPadding");
                options3.setBitLength(128);
                options3.setDescription("d");
                createProvider.createKey("k3", options3);
                KeyProvider.Metadata metadata4 = createProvider.getMetadata("k3");
                Assert.assertEquals("d", metadata4.getDescription());
                Assert.assertEquals("k3", metadata4.getAttributes().get("key.acl.name"));
                HashMap hashMap = new HashMap();
                hashMap.put("a", "A");
                KeyProvider.Options options4 = new KeyProvider.Options(configuration2);
                options4.setCipher("AES/CTR/NoPadding");
                options4.setBitLength(128);
                hashMap.put("key.acl.name", "k4");
                options4.setAttributes(hashMap);
                createProvider.createKey("k4", options4);
                KeyProvider.Metadata metadata5 = createProvider.getMetadata("k4");
                Assert.assertNull(metadata5.getDescription());
                Assert.assertEquals(hashMap, metadata5.getAttributes());
                KeyProvider.Options options5 = new KeyProvider.Options(configuration2);
                options5.setCipher("AES/CTR/NoPadding");
                options5.setBitLength(128);
                options5.setDescription("d");
                hashMap.put("key.acl.name", "k5");
                options5.setAttributes(hashMap);
                createProvider.createKey("k5", options5);
                KeyProvider.Metadata metadata6 = createProvider.getMetadata("k5");
                Assert.assertEquals("d", metadata6.getDescription());
                Assert.assertEquals(hashMap, metadata6.getAttributes());
                KeyProviderCryptoExtension createKeyProviderCryptoExtension2 = KeyProviderCryptoExtension.createKeyProviderCryptoExtension(createProvider);
                KeyProvider.Options options6 = new KeyProvider.Options(configuration2);
                options6.setCipher("AES/CTR/NoPadding");
                options6.setBitLength(128);
                createKeyProviderCryptoExtension2.createKey("k6", options6);
                KeyProviderCryptoExtension.EncryptedKeyVersion generateEncryptedKey3 = createKeyProviderCryptoExtension2.generateEncryptedKey("k6");
                createKeyProviderCryptoExtension2.rollNewVersion("k6");
                Assert.assertNotEquals(generateEncryptedKey3.getEncryptionKeyVersionName(), createKeyProviderCryptoExtension2.generateEncryptedKey("k6").getEncryptionKeyVersionName());
                return null;
            }
        });
    }

    /**
     * Exercises key-level ACLs on a Kerberos-authenticated KMS across two server runs that share
     * one configuration directory.
     *
     * <p>Run 1 acts in turn as the users CREATE, DECRYPT_EEK, ROLLOVER, GET, GENERATE_EEK and
     * ROLLOVER again, and checks which create, roll-over, generate-EEK and decrypt-EEK calls are
     * accepted for keys tagged with the {@code key.acl.name} values {@code test_key},
     * {@code some_key}, {@code test_key2} and {@code all_access}. Run 2 rewrites two
     * {@code default.key.acl} entries and checks that user GENERATE_EEK can then generate an
     * encrypted key for {@code k1}.
     *
     * <p>NOTE(review): every "should not be allowed" check catches {@code Exception}, so any
     * failure of the call (not only an authorization denial) satisfies it; a broken connection
     * would look like a correct denial. The {@code Assert.fail} inside those try blocks is
     * presumably {@code org.junit.Assert.fail}, whose {@code AssertionError} is not an
     * {@code Exception} and therefore is not swallowed - confirm against the file's imports.
     * The outer catch blocks report only {@code getMessage()}, so the original stack trace of an
     * unexpected failure is lost.
     *
     * @throws Exception if configuration, server start-up or an unguarded call fails
     */
    @Test
    public void testKeyACLs() throws Exception {
        // Client side: point UserGroupInformation at Kerberos authentication.
        Configuration configuration = new Configuration();
        configuration.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, KerberosAuthenticationHandler.TYPE);
        UserGroupInformation.setConfiguration(configuration);
        File testDir = getTestDir();
        // Server side: Kerberos authentication using the keytab field and the HTTP/localhost principal.
        Configuration createBaseKMSConf = createBaseKMSConf(testDir);
        createBaseKMSConf.set("hadoop.kms.authentication.type", KerberosAuthenticationHandler.TYPE);
        createBaseKMSConf.set("hadoop.kms.authentication.kerberos.keytab", keytab.getAbsolutePath());
        createBaseKMSConf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost");
        createBaseKMSConf.set("hadoop.kms.authentication.kerberos.name.rules", "DEFAULT");
        // Baseline operation ACLs: each operation type's ACL value is the type's own name
        // (presumably read as a user list, so user "X" may perform operation X - confirm in KMSACLs).
        for (KMSACLs.Type type : KMSACLs.Type.values()) {
            createBaseKMSConf.set(type.getAclConfigKey(), type.toString());
        }
        // CREATE, ROLLOVER and GENERATE_EEK are widened to the same six-name list. DECRYPT_EEK gets
        // that list without "DECRYPT_EEK", so the user of that name is absent from its own operation ACL.
        createBaseKMSConf.set(KMSACLs.Type.CREATE.getAclConfigKey(), "CREATE,ROLLOVER,GET,SET_KEY_MATERIAL,GENERATE_EEK,DECRYPT_EEK");
        createBaseKMSConf.set(KMSACLs.Type.ROLLOVER.getAclConfigKey(), "CREATE,ROLLOVER,GET,SET_KEY_MATERIAL,GENERATE_EEK,DECRYPT_EEK");
        createBaseKMSConf.set(KMSACLs.Type.GENERATE_EEK.getAclConfigKey(), "CREATE,ROLLOVER,GET,SET_KEY_MATERIAL,GENERATE_EEK,DECRYPT_EEK");
        createBaseKMSConf.set(KMSACLs.Type.DECRYPT_EEK.getAclConfigKey(), "CREATE,ROLLOVER,GET,SET_KEY_MATERIAL,GENERATE_EEK");
        // Key-level ACLs. The middle segment (test_key, some_key, all_access) matches the
        // "key.acl.name" attribute the keys below are created with. How the "whitelist." and
        // "default." entries combine with the named ones is not visible here - confirm the
        // precedence against the KMS key-ACL implementation before relying on these comments.
        createBaseKMSConf.set("key.acl.test_key.MANAGEMENT", "CREATE");
        createBaseKMSConf.set("key.acl.some_key.MANAGEMENT", "ROLLOVER");
        createBaseKMSConf.set("whitelist.key.acl.MANAGEMENT", "DECRYPT_EEK");
        createBaseKMSConf.set("whitelist.key.acl.ALL", "DECRYPT_EEK");
        createBaseKMSConf.set("key.acl.all_access.ALL", "GENERATE_EEK");
        createBaseKMSConf.set("key.acl.all_access.DECRYPT_EEK", "ROLLOVER");
        createBaseKMSConf.set("default.key.acl.MANAGEMENT", "ROLLOVER");
        createBaseKMSConf.set("default.key.acl.GENERATE_EEK", "SOMEBODY");
        createBaseKMSConf.set("default.key.acl.ALL", "ROLLOVER");
        writeConf(testDir, createBaseKMSConf);
        // Run 1: per-user checks against the configuration written above.
        runServer(null, null, testDir, new KMSCallable<Void>() {
            @Override
            public Void call() throws Exception {
                final Configuration configuration2 = new Configuration();
                configuration2.setInt(KeyProvider.DEFAULT_BITLENGTH_NAME, 128);
                final URI createKMSUri = TestKMS.createKMSUri(getKMSUrl());
                // User CREATE: may create and roll "k0" (ACL name test_key), but may neither generate
                // an EEK for it nor create a key under the all_access ACL name.
                TestKMS.this.doAs("CREATE", new PrivilegedExceptionAction<Void>() {
                    @Override
                    public Void run() throws Exception {
                        KeyProvider createProvider = TestKMS.this.createProvider(createKMSUri, configuration2);
                        try {
                            KeyProvider.Options options = new KeyProvider.Options(configuration2);
                            Map<String, String> attributes = options.getAttributes();
                            HashMap hashMap = new HashMap(attributes);
                            hashMap.put("key.acl.name", "test_key");
                            options.setAttributes(hashMap);
                            // The key versions handed back to this user must carry no key material.
                            Assert.assertNull(createProvider.createKey("k0", options).getMaterial());
                            Assert.assertNull(createProvider.rollNewVersion("k0").getMaterial());
                            try {
                                KeyProviderCryptoExtension.createKeyProviderCryptoExtension(createProvider).generateEncryptedKey("k0");
                                Assert.fail("User [CREATE] should not be allowed to generate_eek on k0");
                            } catch (Exception e) {
                                // Expected: the call is rejected (any Exception type is accepted here).
                            }
                            HashMap hashMap2 = new HashMap(attributes);
                            hashMap2.put("key.acl.name", "all_access");
                            options.setAttributes(hashMap2);
                            try {
                                createProvider.createKey("kx", options);
                                Assert.fail("User [CREATE] should not be allowed to create kx");
                            } catch (Exception e2) {
                                // Expected: the call is rejected (any Exception type is accepted here).
                            }
                            return null;
                        } catch (Exception e3) {
                            // An unexpected failure of a call that should have been permitted.
                            Assert.fail(e3.getMessage());
                            return null;
                        }
                    }
                });
                // User DECRYPT_EEK: expected to create and roll "kk0" (ACL name some_key) and to create
                // "kkx" (ACL name all_access), but not to generate an EEK for "kk0". The some_key
                // MANAGEMENT entry names only ROLLOVER, so the permitted calls presumably come from
                // the whitelist entries naming DECRYPT_EEK - confirm.
                TestKMS.this.doAs("DECRYPT_EEK", new PrivilegedExceptionAction<Void>() {
                    @Override
                    public Void run() throws Exception {
                        KeyProvider createProvider = TestKMS.this.createProvider(createKMSUri, configuration2);
                        try {
                            KeyProvider.Options options = new KeyProvider.Options(configuration2);
                            Map<String, String> attributes = options.getAttributes();
                            HashMap hashMap = new HashMap(attributes);
                            hashMap.put("key.acl.name", "some_key");
                            options.setAttributes(hashMap);
                            Assert.assertNull(createProvider.createKey("kk0", options).getMaterial());
                            Assert.assertNull(createProvider.rollNewVersion("kk0").getMaterial());
                            try {
                                KeyProviderCryptoExtension.createKeyProviderCryptoExtension(createProvider).generateEncryptedKey("kk0");
                                Assert.fail("User [DECRYPT_EEK] should not be allowed to generate_eek on kk0");
                            } catch (Exception e) {
                                // Expected: the call is rejected (any Exception type is accepted here).
                            }
                            HashMap hashMap2 = new HashMap(attributes);
                            hashMap2.put("key.acl.name", "all_access");
                            options.setAttributes(hashMap2);
                            // Must succeed: an exception here reaches the outer catch and fails the test.
                            createProvider.createKey("kkx", options);
                            return null;
                        } catch (Exception e2) {
                            Assert.fail(e2.getMessage());
                            return null;
                        }
                    }
                });
                // User ROLLOVER: may create and roll "k1" (ACL name test_key2, which has no named
                // entry in the configuration above), but may not roll "k0", generate an EEK for
                // "k1", or create a key under all_access.
                TestKMS.this.doAs("ROLLOVER", new PrivilegedExceptionAction<Void>() {
                    @Override
                    public Void run() throws Exception {
                        KeyProvider createProvider = TestKMS.this.createProvider(createKMSUri, configuration2);
                        try {
                            KeyProvider.Options options = new KeyProvider.Options(configuration2);
                            Map<String, String> attributes = options.getAttributes();
                            HashMap hashMap = new HashMap(attributes);
                            hashMap.put("key.acl.name", "test_key2");
                            options.setAttributes(hashMap);
                            Assert.assertNull(createProvider.createKey("k1", options).getMaterial());
                            Assert.assertNull(createProvider.rollNewVersion("k1").getMaterial());
                            try {
                                // "k0" was created by user CREATE above under the test_key ACL name.
                                createProvider.rollNewVersion("k0");
                                Assert.fail("User [ROLLOVER] should not be allowed to rollover k0");
                            } catch (Exception e) {
                                // Expected: the call is rejected (any Exception type is accepted here).
                            }
                            try {
                                KeyProviderCryptoExtension.createKeyProviderCryptoExtension(createProvider).generateEncryptedKey("k1");
                                Assert.fail("User [ROLLOVER] should not be allowed to generate_eek on k1");
                            } catch (Exception e2) {
                                // Expected: the call is rejected (any Exception type is accepted here).
                            }
                            HashMap hashMap2 = new HashMap(attributes);
                            hashMap2.put("key.acl.name", "all_access");
                            options.setAttributes(hashMap2);
                            try {
                                createProvider.createKey("kx", options);
                                Assert.fail("User [ROLLOVER] should not be allowed to create kx");
                            } catch (Exception e3) {
                                // Expected: the call is rejected (any Exception type is accepted here).
                            }
                            return null;
                        } catch (Exception e4) {
                            Assert.fail(e4.getMessage());
                            return null;
                        }
                    }
                });
                // User GET: may not create a key under either the test_key or the all_access ACL name.
                TestKMS.this.doAs("GET", new PrivilegedExceptionAction<Void>() {
                    @Override
                    public Void run() throws Exception {
                        KeyProvider createProvider = TestKMS.this.createProvider(createKMSUri, configuration2);
                        try {
                            KeyProvider.Options options = new KeyProvider.Options(configuration2);
                            Map<String, String> attributes = options.getAttributes();
                            HashMap hashMap = new HashMap(attributes);
                            hashMap.put("key.acl.name", "test_key");
                            options.setAttributes(hashMap);
                            try {
                                createProvider.createKey("k2", options);
                                Assert.fail("User [GET] should not be allowed to create key..");
                            } catch (Exception e) {
                                // Expected: the call is rejected (any Exception type is accepted here).
                            }
                            HashMap hashMap2 = new HashMap(attributes);
                            hashMap2.put("key.acl.name", "all_access");
                            options.setAttributes(hashMap2);
                            try {
                                createProvider.createKey("kx", options);
                                Assert.fail("User [GET] should not be allowed to create kx");
                            } catch (Exception e2) {
                                // Expected: the call is rejected (any Exception type is accepted here).
                            }
                            return null;
                        } catch (Exception e3) {
                            Assert.fail(e3.getMessage());
                            return null;
                        }
                    }
                });
                // User GENERATE_EEK: must be able to create "kx" under all_access and generate an EEK
                // for it. The EEK is kept so that a different user can try to decrypt it below.
                final KeyProviderCryptoExtension.EncryptedKeyVersion encryptedKeyVersion = (KeyProviderCryptoExtension.EncryptedKeyVersion) TestKMS.this.doAs("GENERATE_EEK", new PrivilegedExceptionAction<KeyProviderCryptoExtension.EncryptedKeyVersion>() {
                    @Override
                    public KeyProviderCryptoExtension.EncryptedKeyVersion run() throws Exception {
                        KeyProvider createProvider = TestKMS.this.createProvider(createKMSUri, configuration2);
                        try {
                            KeyProvider.Options options = new KeyProvider.Options(configuration2);
                            HashMap hashMap = new HashMap(options.getAttributes());
                            hashMap.put("key.acl.name", "all_access");
                            options.setAttributes(hashMap);
                            createProvider.createKey("kx", options);
                            try {
                                return KeyProviderCryptoExtension.createKeyProviderCryptoExtension(createProvider).generateEncryptedKey("kx");
                            } catch (Exception e) {
                                // NOTE(review): the caught exception is dropped; only the fixed message is reported.
                                Assert.fail("User [GENERATE_EEK] should be allowed to generate_eek on kx");
                                return null;
                            }
                        } catch (Exception e2) {
                            Assert.fail(e2.getMessage());
                            return null;
                        }
                    }
                });
                // User ROLLOVER again: must be able to decrypt the EEK that user GENERATE_EEK produced
                // for "kx" (the all_access DECRYPT_EEK entry above names ROLLOVER).
                TestKMS.this.doAs("ROLLOVER", new PrivilegedExceptionAction<Void>() {
                    @Override
                    public Void run() throws Exception {
                        try {
                            KeyProviderCryptoExtension.createKeyProviderCryptoExtension(TestKMS.this.createProvider(createKMSUri, configuration2)).decryptEncryptedKey(encryptedKeyVersion);
                            return null;
                        } catch (Exception e) {
                            Assert.fail(e.getMessage());
                            return null;
                        }
                    }
                });
                return null;
            }
        });
        // Run 2: empty the default MANAGEMENT list, open the default GENERATE_EEK list to "*",
        // and rewrite the configuration into the same directory.
        createBaseKMSConf.set("default.key.acl.MANAGEMENT", "");
        createBaseKMSConf.set("default.key.acl.GENERATE_EEK", "*");
        writeConf(testDir, createBaseKMSConf);
        runServer(null, null, testDir, new KMSCallable<Void>() {
            @Override
            public Void call() throws Exception {
                final Configuration configuration2 = new Configuration();
                configuration2.setInt(KeyProvider.DEFAULT_BITLENGTH_NAME, 128);
                final URI createKMSUri = TestKMS.createKMSUri(getKMSUrl());
                // "k1" is not created in this run; user ROLLOVER created it in run 1, so this check
                // relies on keys surviving between server runs that share testDir (presumably through
                // the key store that createBaseKMSConf configures - confirm).
                TestKMS.this.doAs("GENERATE_EEK", new PrivilegedExceptionAction<Void>() {
                    @Override
                    public Void run() throws Exception {
                        try {
                            try {
                                KeyProviderCryptoExtension.createKeyProviderCryptoExtension(TestKMS.this.createProvider(createKMSUri, configuration2)).generateEncryptedKey("k1");
                            } catch (Exception e) {
                                Assert.fail("User [GENERATE_EEK] should be allowed to generate_eek on k1");
                            }
                            return null;
                        } catch (Exception e2) {
                            // NOTE(review): looks unreachable - the inner catch already handles every
                            // Exception, and Assert.fail presumably throws an Error rather than an Exception.
                            Assert.fail(e2.getMessage());
                            return null;
                        }
                    }
                });
                return null;
            }
        });
    }

    /**
     * Runs the shared restart scenario with {@code hadoop.kms.authentication.type} explicitly set
     * to the Kerberos handler type on the server.
     *
     * @throws Exception if the restart scenario fails
     */
    @Test
    public void testKMSRestartKerberosAuth() throws Exception {
        final boolean kerberosOnServer = true;
        doKMSRestart(kerberosOnServer);
    }

    /**
     * Runs the shared restart scenario without overriding {@code hadoop.kms.authentication.type},
     * so the server uses whatever authentication type {@code createBaseKMSConf} supplies
     * (presumably simple/pseudo authentication, going by the test name).
     *
     * @throws Exception if the restart scenario fails
     */
    @Test
    public void testKMSRestartSimpleAuth() throws Exception {
        final boolean kerberosOnServer = false;
        doKMSRestart(kerberosOnServer);
    }

    /**
     * Shared scenario for the restart tests: a client provider created against one server run is
     * reused, unchanged, against a second server run started on the same port.
     *
     * <p>In the first run user SET_KEY_MATERIAL creates {@code k1} and the provider object is
     * handed back to the test. In the second run the same user creates {@code k2} and {@code k3}
     * through that very provider. There are no explicit assertions: the scenario passes when no
     * call throws, which presumably shows that the client recovers from authentication state the
     * restarted server no longer recognises.
     *
     * @param z when {@code true}, {@code hadoop.kms.authentication.type} is set to
     *     {@link KerberosAuthenticationHandler#TYPE}; when {@code false} the value supplied by
     *     {@code createBaseKMSConf} is left untouched
     * @throws Exception if server start-up or any key operation fails
     */
    public void doKMSRestart(boolean z) throws Exception {
        // The client-side UGI is always configured for Kerberos, whatever the server uses.
        final Configuration securityConf = new Configuration();
        securityConf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, KerberosAuthenticationHandler.TYPE);
        UserGroupInformation.setConfiguration(securityConf);

        final File confDir = getTestDir();
        final Configuration kmsConf = createBaseKMSConf(confDir);
        if (z) {
            kmsConf.set("hadoop.kms.authentication.type", KerberosAuthenticationHandler.TYPE);
        }
        // Kerberos settings are written in both modes.
        kmsConf.set("hadoop.kms.authentication.kerberos.keytab", keytab.getAbsolutePath());
        kmsConf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost");
        kmsConf.set("hadoop.kms.authentication.kerberos.name.rules", "DEFAULT");

        // Every operation ACL starts out holding the operation's own name ...
        for (KMSACLs.Type aclType : KMSACLs.Type.values()) {
            kmsConf.set(aclType.getAclConfigKey(), aclType.toString());
        }
        // ... and CREATE / ROLLOVER additionally list SET_KEY_MATERIAL, the user this scenario runs as.
        final KMSACLs.Type[] widenedTypes = {KMSACLs.Type.CREATE, KMSACLs.Type.ROLLOVER};
        for (KMSACLs.Type aclType : widenedTypes) {
            kmsConf.set(aclType.getAclConfigKey(), aclType.toString() + ",SET_KEY_MATERIAL");
        }
        // Key-level ACLs for the keys used here are wide open ("*"); this scenario is about
        // authentication across a restart, not about authorization.
        final String[] openKeyAcls = {"key.acl.k0.ALL", "key.acl.k1.ALL", "key.acl.k2.ALL", "key.acl.k3.ALL"};
        for (String keyAcl : openKeyAcls) {
            kmsConf.set(keyAcl, "*");
        }
        writeConf(confDir, kmsConf);

        // First run: create k1 and return the provider so it outlives this server instance.
        final KMSCallable<KeyProvider> firstRun = new KMSCallable<KeyProvider>() {
            @Override
            public KeyProvider call() throws Exception {
                final Configuration clientConf = new Configuration();
                clientConf.setInt(KeyProvider.DEFAULT_BITLENGTH_NAME, 128);
                final URI kmsUri = TestKMS.createKMSUri(getKMSUrl());
                final PrivilegedExceptionAction<KeyProvider> createFirstKey = new PrivilegedExceptionAction<KeyProvider>() {
                    @Override
                    public KeyProvider run() throws Exception {
                        final KeyProvider provider = TestKMS.this.createProvider(kmsUri, clientConf);
                        // 16 zero bytes: fixed, test-only key material.
                        final byte[] zeroMaterial = new byte[16];
                        provider.createKey("k1", zeroMaterial, new KeyProvider.Options(clientConf));
                        return provider;
                    }
                };
                return (KeyProvider) TestKMS.this.doAs("SET_KEY_MATERIAL", createFirstKey);
            }
        };
        final KeyProvider reusedProvider = (KeyProvider) runServer(null, null, confDir, firstRun);

        // Second run: same port as the first one, so the provider's stored URL still points at a server.
        final int samePort = firstRun.getKMSUrl().getPort();
        runServer(samePort, null, null, confDir, new KMSCallable<Void>() {
            @Override
            public Void call() throws Exception {
                final Configuration clientConf = new Configuration();
                clientConf.setInt(KeyProvider.DEFAULT_BITLENGTH_NAME, 128);
                TestKMS.this.doAs("SET_KEY_MATERIAL", new PrivilegedExceptionAction<Void>() {
                    @Override
                    public Void run() throws Exception {
                        for (String keyName : new String[] {"k2", "k3"}) {
                            reusedProvider.createKey(keyName, new byte[16], new KeyProvider.Options(clientConf));
                        }
                        return null;
                    }
                });
                return null;
            }
        });
    }

    /**
     * Checks how the KMS client behaves once its authentication token is no longer valid.
     *
     * <p>The server is configured with {@code hadoop.kms.authentication.token.validity} set to
     * {@code "1"} (presumably one second) and the client sleeps 3.5 seconds between calls.
     * <ul>
     *   <li>Run 1 uses the default client settings: the call made after the sleep ({@code k2})
     *       must succeed, because any exception would propagate and fail the test.
     *   <li>Run 2 sets {@link KMSClientProvider#AUTH_RETRY} to 0: the call made after the sleep
     *       ({@code k4}) must throw an {@code IOException} whose message contains "401".
     * </ul>
     *
     * <p>Unlike the neighbouring tests, this one does not set
     * {@code hadoop.kms.authentication.type}; it relies on what {@code createBaseKMSConf} provides.
     *
     * @throws Exception if configuration, server start-up or an unguarded call fails
     */
    @Test
    public void testKMSAuthFailureRetry() throws Exception {
        final Configuration securityConf = new Configuration();
        securityConf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, KerberosAuthenticationHandler.TYPE);
        UserGroupInformation.setConfiguration(securityConf);

        final File confDir = getTestDir();
        final Configuration kmsConf = createBaseKMSConf(confDir);
        kmsConf.set("hadoop.kms.authentication.kerberos.keytab", keytab.getAbsolutePath());
        kmsConf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost");
        kmsConf.set("hadoop.kms.authentication.kerberos.name.rules", "DEFAULT");
        // Very short token lifetime so the sleeps below can outlast it.
        kmsConf.set("hadoop.kms.authentication.token.validity", "1");

        // Operation ACLs: own name everywhere, then CREATE / ROLLOVER also list SET_KEY_MATERIAL.
        for (KMSACLs.Type aclType : KMSACLs.Type.values()) {
            kmsConf.set(aclType.getAclConfigKey(), aclType.toString());
        }
        final KMSACLs.Type[] widenedTypes = {KMSACLs.Type.CREATE, KMSACLs.Type.ROLLOVER};
        for (KMSACLs.Type aclType : widenedTypes) {
            kmsConf.set(aclType.getAclConfigKey(), aclType.toString() + ",SET_KEY_MATERIAL");
        }
        // Key-level ACLs are open to everyone; only authentication is under test.
        final String[] openKeyAcls = {
            "key.acl.k0.ALL", "key.acl.k1.ALL", "key.acl.k2.ALL", "key.acl.k3.ALL", "key.acl.k4.ALL"
        };
        for (String keyAcl : openKeyAcls) {
            kmsConf.set(keyAcl, "*");
        }
        writeConf(confDir, kmsConf);

        // Run 1: default retry settings - the post-sleep call is expected to go through.
        runServer(null, null, confDir, new KMSCallable<Void>() {
            @Override
            public Void call() throws Exception {
                final Configuration clientConf = new Configuration();
                clientConf.setInt(KeyProvider.DEFAULT_BITLENGTH_NAME, 128);
                final URI kmsUri = TestKMS.createKMSUri(getKMSUrl());
                TestKMS.this.doAs("SET_KEY_MATERIAL", new PrivilegedExceptionAction<Void>() {
                    @Override
                    public Void run() throws Exception {
                        final KeyProvider provider = TestKMS.this.createProvider(kmsUri, clientConf);
                        for (String keyName : new String[] {"k0", "k1"}) {
                            provider.createKey(keyName, new byte[16], new KeyProvider.Options(clientConf));
                        }
                        Thread.sleep(3500L);
                        provider.createKey("k2", new byte[16], new KeyProvider.Options(clientConf));
                        return null;
                    }
                });
                return null;
            }
        });

        // Run 2: retries disabled - the post-sleep call must surface the HTTP 401 to the caller.
        runServer(null, null, confDir, new KMSCallable<Void>() {
            @Override
            public Void call() throws Exception {
                final Configuration clientConf = new Configuration();
                clientConf.setInt(KeyProvider.DEFAULT_BITLENGTH_NAME, 128);
                clientConf.setInt(KMSClientProvider.AUTH_RETRY, 0);
                final URI kmsUri = TestKMS.createKMSUri(getKMSUrl());
                TestKMS.this.doAs("SET_KEY_MATERIAL", new PrivilegedExceptionAction<Void>() {
                    @Override
                    public Void run() throws Exception {
                        final KeyProvider provider = TestKMS.this.createProvider(kmsUri, clientConf);
                        provider.createKey("k3", new byte[16], new KeyProvider.Options(clientConf));
                        Thread.sleep(3500L);
                        try {
                            provider.createKey("k4", new byte[16], new KeyProvider.Options(clientConf));
                            Assert.fail("This should not succeed..");
                        } catch (IOException expected) {
                            // Only an IOException is accepted, and only when it reports a 401.
                            final String detail = expected.getMessage();
                            Assert.assertTrue("HTTP exception must be a 401 : " + detail, detail.contains("401"));
                        }
                        return null;
                    }
                });
                return null;
            }
        });
    }

    @Test
    public void testACLs() throws Exception {
        Configuration configuration = new Configuration();
        configuration.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, KerberosAuthenticationHandler.TYPE);
        UserGroupInformation.setConfiguration(configuration);
        final File testDir = getTestDir();
        Configuration createBaseKMSConf = createBaseKMSConf(testDir);
        createBaseKMSConf.set("hadoop.kms.authentication.type", KerberosAuthenticationHandler.TYPE);
        createBaseKMSConf.set("hadoop.kms.authentication.kerberos.keytab", keytab.getAbsolutePath());
        createBaseKMSConf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost");
        createBaseKMSConf.set("hadoop.kms.authentication.kerberos.name.rules", "DEFAULT");
        for (KMSACLs.Type type : KMSACLs.Type.values()) {
            createBaseKMSConf.set(type.getAclConfigKey(), type.toString());
        }
        createBaseKMSConf.set(KMSACLs.Type.CREATE.getAclConfigKey(), KMSACLs.Type.CREATE.toString() + ",SET_KEY_MATERIAL");
        createBaseKMSConf.set(KMSACLs.Type.ROLLOVER.getAclConfigKey(), KMSACLs.Type.ROLLOVER.toString() + ",SET_KEY_MATERIAL");
        createBaseKMSConf.set("key.acl.k0.ALL", "*");
        createBaseKMSConf.set("key.acl.k1.ALL", "*");
        writeConf(testDir, createBaseKMSConf);
        runServer(null, null, testDir, new KMSCallable<Void>() { // from class: org.apache.hadoop.crypto.key.kms.server.TestKMS.10
            @Override // java.util.concurrent.Callable
            public Void call() throws Exception {
                final Configuration configuration2 = new Configuration();
                configuration2.setInt(KeyProvider.DEFAULT_BITLENGTH_NAME, 128);
                final URI createKMSUri = TestKMS.createKMSUri(getKMSUrl());
                TestKMS.this.doAs("client", new PrivilegedExceptionAction<Void>() { // from class: org.apache.hadoop.crypto.key.kms.server.TestKMS.10.1
                    /* JADX WARN: Can't rename method to resolve collision */
                    @Override // java.security.PrivilegedExceptionAction
                    public Void run() throws Exception {
                        KeyProvider createProvider = TestKMS.this.createProvider(createKMSUri, configuration2);
                        try {
                            createProvider.createKey("k", new KeyProvider.Options(configuration2));
                            Assert.fail();
                        } catch (AuthorizationException e) {
                        } catch (Exception e2) {
                            Assert.fail(e2.getMessage());
                        }
                        try {
                            createProvider.createKey("k", new byte[16], new KeyProvider.Options(configuration2));
                            Assert.fail();
                        } catch (AuthorizationException e3) {
                        } catch (Exception e4) {
                            Assert.fail(e4.getMessage());
                        }
                        try {
                            createProvider.rollNewVersion("k");
                            Assert.fail();
                        } catch (AuthorizationException e5) {
                        } catch (Exception e6) {
                            Assert.fail(e6.getMessage());
                        }
                        try {
                            createProvider.rollNewVersion("k", new byte[16]);
                            Assert.fail();
                        } catch (AuthorizationException e7) {
                        } catch (Exception e8) {
                            Assert.fail(e8.getMessage());
                        }
                        try {
                            createProvider.getKeys();
                            Assert.fail();
                        } catch (AuthorizationException e9) {
                        } catch (Exception e10) {
                            Assert.fail(e10.getMessage());
                        }
                        try {
                            createProvider.getKeysMetadata("k");
                            Assert.fail();
                        } catch (AuthorizationException e11) {
                        } catch (Exception e12) {
                            Assert.fail(e12.getMessage());
                        }
                        try {
                            createProvider.getKeyVersion("k@0");
                            Assert.fail();
                        } catch (AuthorizationException e13) {
                        } catch (Exception e14) {
                            Assert.fail(e14.getMessage());
                        }
                        try {
                            createProvider.getCurrentKey("k");
                            Assert.fail();
                        } catch (AuthorizationException e15) {
                        } catch (Exception e16) {
                            Assert.fail(e16.getMessage());
                        }
                        try {
                            createProvider.getMetadata("k");
                            Assert.fail();
                        } catch (AuthorizationException e17) {
                        } catch (Exception e18) {
                            Assert.fail(e18.getMessage());
                        }
                        try {
                            createProvider.getKeyVersions("k");
                            Assert.fail();
                            return null;
                        } catch (AuthorizationException e19) {
                            return null;
                        } catch (Exception e20) {
                            Assert.fail(e20.getMessage());
                            return null;
                        }
                    }
                });
                TestKMS.this.doAs("CREATE", new PrivilegedExceptionAction<Void>() { // from class: org.apache.hadoop.crypto.key.kms.server.TestKMS.10.2
                    /* JADX WARN: Can't rename method to resolve collision */
                    @Override // java.security.PrivilegedExceptionAction
                    public Void run() throws Exception {
                        try {
                            Assert.assertNull(TestKMS.this.createProvider(createKMSUri, configuration2).createKey("k0", new KeyProvider.Options(configuration2)).getMaterial());
                            return null;
                        } catch (Exception e) {
                            Assert.fail(e.getMessage());
                            return null;
                        }
                    }
                });
                TestKMS.this.doAs("DELETE", new PrivilegedExceptionAction<Void>() { // from class: org.apache.hadoop.crypto.key.kms.server.TestKMS.10.3
                    /* JADX WARN: Can't rename method to resolve collision */
                    @Override // java.security.PrivilegedExceptionAction
                    public Void run() throws Exception {
                        try {
                            TestKMS.this.createProvider(createKMSUri, configuration2).deleteKey("k0");
                            return null;
                        } catch (Exception e) {
                            Assert.fail(e.getMessage());
                            return null;
                        }
                    }
                });
                TestKMS.this.doAs("SET_KEY_MATERIAL", new PrivilegedExceptionAction<Void>() { // from class: org.apache.hadoop.crypto.key.kms.server.TestKMS.10.4
                    /* JADX WARN: Can't rename method to resolve collision */
                    @Override // java.security.PrivilegedExceptionAction
                    public Void run() throws Exception {
                        try {
                            Assert.assertNull(TestKMS.this.createProvider(createKMSUri, configuration2).createKey("k1", new byte[16], new KeyProvider.Options(configuration2)).getMaterial());
                            return null;
                        } catch (Exception e) {
                            Assert.fail(e.getMessage());
                            return null;
                        }
                    }
                });
                TestKMS.this.doAs("ROLLOVER", new PrivilegedExceptionAction<Void>() { // from class: org.apache.hadoop.crypto.key.kms.server.TestKMS.10.5
                    /* JADX WARN: Can't rename method to resolve collision */
                    @Override // java.security.PrivilegedExceptionAction
                    public Void run() throws Exception {
                        try {
                            Assert.assertNull(TestKMS.this.createProvider(createKMSUri, configuration2).rollNewVersion("k1").getMaterial());
                            return null;
                        } catch (Exception e) {
                            Assert.fail(e.getMessage());
                            return null;
                        }
                    }
                });
                TestKMS.this.doAs("SET_KEY_MATERIAL", new PrivilegedExceptionAction<Void>() { // from class: org.apache.hadoop.crypto.key.kms.server.TestKMS.10.6
                    /* JADX WARN: Can't rename method to resolve collision */
                    @Override // java.security.PrivilegedExceptionAction
                    public Void run() throws Exception {
                        try {
                            Assert.assertNull(TestKMS.this.createProvider(createKMSUri, configuration2).rollNewVersion("k1", new byte[16]).getMaterial());
                            return null;
                        } catch (Exception e) {
                            Assert.fail(e.getMessage());
                            return null;
                        }
                    }
                });
                final KeyProvider.KeyVersion keyVersion = (KeyProvider.KeyVersion) TestKMS.this.doAs("GET", new PrivilegedExceptionAction<KeyProvider.KeyVersion>() { // from class: org.apache.hadoop.crypto.key.kms.server.TestKMS.10.7
                    /* JADX WARN: Can't rename method to resolve collision */
                    @Override // java.security.PrivilegedExceptionAction
                    public KeyProvider.KeyVersion run() throws Exception {
                        KeyProvider createProvider = TestKMS.this.createProvider(createKMSUri, configuration2);
                        try {
                            createProvider.getKeyVersion("k1@0");
                            return createProvider.getCurrentKey("k1");
                        } catch (Exception e) {
                            Assert.fail(e.toString());
                            return null;
                        }
                    }
                });
                final KeyProviderCryptoExtension.EncryptedKeyVersion encryptedKeyVersion = (KeyProviderCryptoExtension.EncryptedKeyVersion) TestKMS.this.doAs("GENERATE_EEK", new PrivilegedExceptionAction<KeyProviderCryptoExtension.EncryptedKeyVersion>() { // from class: org.apache.hadoop.crypto.key.kms.server.TestKMS.10.8
                    /* JADX WARN: Can't rename method to resolve collision */
                    @Override // java.security.PrivilegedExceptionAction
                    public KeyProviderCryptoExtension.EncryptedKeyVersion run() throws Exception {
                        try {
                            return KeyProviderCryptoExtension.createKeyProviderCryptoExtension(TestKMS.this.createProvider(createKMSUri, configuration2)).generateEncryptedKey(keyVersion.getName());
                        } catch (Exception e) {
                            Assert.fail(e.toString());
                            return null;
                        }
                    }
                });
                TestKMS.this.doAs("DECRYPT_EEK", new PrivilegedExceptionAction<Void>() { // from class: org.apache.hadoop.crypto.key.kms.server.TestKMS.10.9
                    /* JADX WARN: Can't rename method to resolve collision */
                    @Override // java.security.PrivilegedExceptionAction
                    public Void run() throws Exception {
                        try {
                            KeyProviderCryptoExtension.createKeyProviderCryptoExtension(TestKMS.this.createProvider(createKMSUri, configuration2)).decryptEncryptedKey(encryptedKeyVersion);
                            return null;
                        } catch (Exception e) {
                            Assert.fail(e.getMessage());
                            return null;
                        }
                    }
                });
                TestKMS.this.doAs("GET_KEYS", new PrivilegedExceptionAction<Void>() { // from class: org.apache.hadoop.crypto.key.kms.server.TestKMS.10.10
                    /* JADX WARN: Can't rename method to resolve collision */
                    @Override // java.security.PrivilegedExceptionAction
                    public Void run() throws Exception {
                        try {
                            TestKMS.this.createProvider(createKMSUri, configuration2).getKeys();
                            return null;
                        } catch (Exception e) {
                            Assert.fail(e.getMessage());
                            return null;
                        }
                    }
                });
                TestKMS.this.doAs("GET_METADATA", new PrivilegedExceptionAction<Void>() { // from class: org.apache.hadoop.crypto.key.kms.server.TestKMS.10.11
                    /* JADX WARN: Can't rename method to resolve collision */
                    @Override // java.security.PrivilegedExceptionAction
                    public Void run() throws Exception {
                        KeyProvider createProvider = TestKMS.this.createProvider(createKMSUri, configuration2);
                        try {
                            createProvider.getMetadata("k1");
                            createProvider.getKeysMetadata("k1");
                            return null;
                        } catch (Exception e) {
                            Assert.fail(e.getMessage());
                            return null;
                        }
                    }
                });
                KMSWebApp.getACLs().stopReloader();
                Thread.sleep(10L);
                configuration2.set(KMSACLs.Type.CREATE.getAclConfigKey(), "foo");
                TestKMS.writeConf(testDir, configuration2);
                Thread.sleep(1000L);
                KMSWebApp.getACLs().run();
                TestKMS.this.doAs("CREATE", new PrivilegedExceptionAction<Void>() { // from class: org.apache.hadoop.crypto.key.kms.server.TestKMS.10.12
                    /* JADX WARN: Can't rename method to resolve collision */
                    @Override // java.security.PrivilegedExceptionAction
                    public Void run() throws Exception {
                        try {
                            TestKMS.this.createProvider(createKMSUri, configuration2).createKey("k2", new KeyProvider.Options(configuration2));
                            Assert.fail();
                            return null;
                        } catch (AuthorizationException e) {
                            return null;
                        } catch (Exception e2) {
                            Assert.fail(e2.getMessage());
                            return null;
                        }
                    }
                });
                return null;
            }
        });
    }

    /**
     * Checks that the {@code DECRYPT_EEK} blacklist takes precedence over the
     * {@code DECRYPT_EEK} ACL.
     *
     * <p>Every operation ACL is first set to a single space. {@code client}, {@code hdfs}
     * and {@code otheradmin} are then listed on CREATE, GENERATE_EEK and DECRYPT_EEK, and
     * {@code hdfs} and {@code otheradmin} are also put on the DECRYPT_EEK blacklist.
     * {@code client} must complete a create / generate / decrypt round trip. For the two
     * blacklisted users the same sequence must end in an exception.
     */
    @Test
    public void testKMSBlackList() throws Exception {
        Configuration securityConf = new Configuration();
        securityConf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, KerberosAuthenticationHandler.TYPE);
        UserGroupInformation.setConfiguration(securityConf);

        File confDir = getTestDir();
        Configuration kmsConf = createBaseKMSConf(confDir);
        kmsConf.set("hadoop.kms.authentication.type", KerberosAuthenticationHandler.TYPE);
        kmsConf.set("hadoop.kms.authentication.kerberos.keytab", keytab.getAbsolutePath());
        kmsConf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost");
        kmsConf.set("hadoop.kms.authentication.kerberos.name.rules", "DEFAULT");

        // Reset every operation ACL before granting the three users below.
        for (KMSACLs.Type aclType : KMSACLs.Type.values()) {
            kmsConf.set(aclType.getAclConfigKey(), " ");
        }
        String grantedUsers = "client,hdfs,otheradmin";
        kmsConf.set(KMSACLs.Type.CREATE.getAclConfigKey(), grantedUsers);
        kmsConf.set(KMSACLs.Type.GENERATE_EEK.getAclConfigKey(), grantedUsers);
        kmsConf.set(KMSACLs.Type.DECRYPT_EEK.getAclConfigKey(), grantedUsers);
        // The blacklist is the setting under test: both admins are allowed by ACL but denied here.
        kmsConf.set(KMSACLs.Type.DECRYPT_EEK.getBlacklistConfigKey(), "hdfs,otheradmin");
        kmsConf.set("key.acl.ck0.ALL", "*");
        kmsConf.set("key.acl.ck1.ALL", "*");
        writeConf(confDir, kmsConf);

        runServer(null, null, confDir, new KMSCallable<Void>() {
            @Override
            public Void call() throws Exception {
                final Configuration clientConf = new Configuration();
                clientConf.setInt(KeyProvider.DEFAULT_BITLENGTH_NAME, 128);
                final URI kmsUri = TestKMS.createKMSUri(getKMSUrl());

                // Positive case: a user that is not blacklisted completes the whole round trip.
                TestKMS.this.doAs("client", new PrivilegedExceptionAction<Void>() {
                    @Override
                    public Void run() throws Exception {
                        try {
                            KeyProvider provider = TestKMS.this.createProvider(kmsUri, clientConf);
                            KeyProvider.KeyVersion created = provider.createKey("ck0", new KeyProvider.Options(clientConf));
                            KeyProviderCryptoExtension.CryptoExtension crypto = (KeyProviderCryptoExtension.CryptoExtension) provider;
                            crypto.decryptEncryptedKey(crypto.generateEncryptedKey("ck0"));
                            Assert.assertNull(created.getMaterial());
                        } catch (Exception e) {
                            Assert.fail(e.getMessage());
                        }
                        return null;
                    }
                });

                // Negative case: blacklisted user.
                TestKMS.this.doAs("hdfs", new PrivilegedExceptionAction<Void>() {
                    @Override
                    public Void run() throws Exception {
                        try {
                            KeyProvider provider = TestKMS.this.createProvider(kmsUri, clientConf);
                            provider.createKey("ck1", new KeyProvider.Options(clientConf));
                            KeyProviderCryptoExtension.CryptoExtension crypto = (KeyProviderCryptoExtension.CryptoExtension) provider;
                            crypto.decryptEncryptedKey(crypto.generateEncryptedKey("ck1"));
                            Assert.fail("admin user must not be allowed to decrypt !!");
                        } catch (Exception expected) {
                            // NOTE(review): any Exception passes this check, including one thrown by
                            // createKey or generateEncryptedKey, so the blacklist on decrypt is not
                            // isolated. Consider expecting AuthorizationException from
                            // decryptEncryptedKey only.
                        }
                        return null;
                    }
                });

                // Negative case: second blacklisted user.
                TestKMS.this.doAs("otheradmin", new PrivilegedExceptionAction<Void>() {
                    @Override
                    public Void run() throws Exception {
                        try {
                            KeyProvider provider = TestKMS.this.createProvider(kmsUri, clientConf);
                            provider.createKey("ck2", new KeyProvider.Options(clientConf));
                            KeyProviderCryptoExtension.CryptoExtension crypto = (KeyProviderCryptoExtension.CryptoExtension) provider;
                            crypto.decryptEncryptedKey(crypto.generateEncryptedKey("ck2"));
                            Assert.fail("admin user must not be allowed to decrypt !!");
                        } catch (Exception expected) {
                            // NOTE(review): same catch-all as the hdfs case. This method configures
                            // key ACLs only for ck0 and ck1, so confirm that creating ck2 is expected
                            // to succeed; otherwise the test passes without reaching decrypt.
                        }
                        return null;
                    }
                });
                return null;
            }
        });
    }

    /**
     * Checks key creation for a plain user principal and a service-style principal.
     *
     * <p>Every operation ACL is set to a single space, then the CREATE ACL is set to
     * {@code client} and the default key MANAGEMENT ACL to {@code client,client/host}.
     * Both {@code client} and {@code client/host} must be able to create a key, and the
     * returned key version must carry no material.
     */
    @Test
    public void testServicePrincipalACLs() throws Exception {
        Configuration securityConf = new Configuration();
        securityConf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, KerberosAuthenticationHandler.TYPE);
        UserGroupInformation.setConfiguration(securityConf);

        File confDir = getTestDir();
        Configuration kmsConf = createBaseKMSConf(confDir);
        kmsConf.set("hadoop.kms.authentication.type", KerberosAuthenticationHandler.TYPE);
        kmsConf.set("hadoop.kms.authentication.kerberos.keytab", keytab.getAbsolutePath());
        kmsConf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost");
        kmsConf.set("hadoop.kms.authentication.kerberos.name.rules", "DEFAULT");
        for (KMSACLs.Type aclType : KMSACLs.Type.values()) {
            kmsConf.set(aclType.getAclConfigKey(), " ");
        }
        // NOTE(review): the CREATE ACL names only "client", yet "client/host" is expected to
        // create a key below — presumably the name rules map it to "client"; verify.
        kmsConf.set(KMSACLs.Type.CREATE.getAclConfigKey(), "client");
        kmsConf.set("default.key.acl.MANAGEMENT", "client,client/host");
        writeConf(confDir, kmsConf);

        runServer(null, null, confDir, new KMSCallable<Void>() {
            @Override
            public Void call() throws Exception {
                final Configuration clientConf = new Configuration();
                // The second call overwrites the first, so the effective default bit length is 64.
                clientConf.setInt(KeyProvider.DEFAULT_BITLENGTH_NAME, 128);
                clientConf.setInt(KeyProvider.DEFAULT_BITLENGTH_NAME, 64);
                final URI kmsUri = TestKMS.createKMSUri(getKMSUrl());

                TestKMS.this.doAs("client", new PrivilegedExceptionAction<Void>() {
                    @Override
                    public Void run() throws Exception {
                        try {
                            KeyProvider provider = TestKMS.this.createProvider(kmsUri, clientConf);
                            KeyProvider.KeyVersion created = provider.createKey("ck0", new KeyProvider.Options(clientConf));
                            Assert.assertNull(created.getMaterial());
                        } catch (Exception e) {
                            Assert.fail(e.getMessage());
                        }
                        return null;
                    }
                });

                TestKMS.this.doAs("client/host", new PrivilegedExceptionAction<Void>() {
                    @Override
                    public Void run() throws Exception {
                        try {
                            KeyProvider provider = TestKMS.this.createProvider(kmsUri, clientConf);
                            KeyProvider.KeyVersion created = provider.createKey("ck1", new KeyProvider.Options(clientConf));
                            Assert.assertNull(created.getMaterial());
                        } catch (Exception e) {
                            Assert.fail(e.getMessage());
                        }
                        return null;
                    }
                });
                return null;
            }
        });
    }

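    /**
     * Checks that KMS client calls give up with a {@link SocketTimeoutException} when the
     * server never answers.
     *
     * <p>{@code KMSClientProvider.TIMEOUT_ATTR} is set to 1 and the client is pointed at a
     * local {@link ServerSocket} that is bound but never accepts a connection. For
     * {@code getKeys} and {@code generateEncryptedKey} a timeout is tolerated and any other
     * {@link IOException} fails the test. Only {@code decryptEncryptedKey} is required to
     * time out.
     *
     * <p>The socket is closed in a {@code finally} block so that a failed assertion does not
     * leave the listening port open for the rest of the test run.
     */
    @Test
    public void testKMSTimeout() throws Exception {
        File testDir = getTestDir();
        Configuration kmsConf = createBaseKMSConf(testDir);
        kmsConf.setInt(KMSClientProvider.TIMEOUT_ATTR, 1);
        writeConf(testDir, kmsConf);
        try {
            ServerSocket silentServer = new ServerSocket(0, 50, InetAddress.getByName("localhost"));
            try {
                URI kmsUri = createKMSUri(new URL("http://localhost:" + silentServer.getLocalPort() + "/kms"));

                try {
                    createProvider(kmsUri, kmsConf).getKeys();
                } catch (SocketTimeoutException tolerated) {
                    // A timeout is acceptable here; it is not asserted for this call.
                } catch (IOException e) {
                    Assert.fail("Caught unexpected exception" + e.toString());
                }

                try {
                    KeyProviderCryptoExtension.createKeyProviderCryptoExtension(createProvider(kmsUri, kmsConf)).generateEncryptedKey("a");
                } catch (SocketTimeoutException tolerated) {
                    // A timeout is acceptable here; it is not asserted for this call.
                } catch (IOException e) {
                    Assert.fail("Caught unexpected exception" + e.toString());
                }

                boolean decryptTimedOut = false;
                try {
                    KeyProviderCryptoExtension.createKeyProviderCryptoExtension(createProvider(kmsUri, kmsConf)).decryptEncryptedKey(new KMSClientProvider.KMSEncryptedKeyVersion("a", "a", new byte[]{1, 2}, KeyProviderCryptoExtension.EEK, new byte[]{1, 2}));
                } catch (SocketTimeoutException e) {
                    decryptTimedOut = true;
                } catch (IOException e) {
                    Assert.fail("Caught unexpected exception" + e.toString());
                }
                Assert.assertTrue(decryptTimedOut);
            } finally {
                try {
                    silentServer.close();
                } catch (IOException ignored) {
                    // Ignored so that a close failure cannot replace an assertion error that is
                    // already propagating; the original code also dropped close failures.
                }
            }
        } catch (Exception e) {
            // NOTE(review): every Exception raised above ends the test as a silent pass, not
            // only a failure to bind the socket. Assertion errors still propagate because they
            // are not Exceptions. Confirm the swallow is meant for socket setup only.
        }
    }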

    /**
     * Exercises key creation through a KMS delegation token on a Kerberos-authenticated server.
     *
     * <p>Sequence inside the running server: the current user tries to create {@code key_a};
     * {@code client} obtains delegation tokens with renewer {@code foo} into a shared
     * {@link Credentials} object; those credentials are added to the current user; the
     * current user tries {@code key_a} again and then creates {@code key_d} inside
     * {@code doAs}.
     *
     * <p>Only the final {@code key_d} creation can fail the test, by throwing. The two
     * {@code key_a} attempts print any {@link IOException} message and assert nothing.
     */
    @Test
    public void testDelegationTokenAccess() throws Exception {
        Configuration securityConf = new Configuration();
        securityConf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, KerberosAuthenticationHandler.TYPE);
        UserGroupInformation.setConfiguration(securityConf);

        File confDir = getTestDir();
        Configuration kmsConf = createBaseKMSConf(confDir);
        kmsConf.set("hadoop.kms.authentication.type", KerberosAuthenticationHandler.TYPE);
        kmsConf.set("hadoop.kms.authentication.kerberos.keytab", keytab.getAbsolutePath());
        kmsConf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost");
        kmsConf.set("hadoop.kms.authentication.kerberos.name.rules", "DEFAULT");
        kmsConf.set("key.acl.key_a.ALL", "*");
        kmsConf.set("key.acl.key_d.ALL", "*");
        writeConf(confDir, kmsConf);

        runServer(null, null, confDir, new KMSCallable<Void>() {
            @Override
            public Void call() throws Exception {
                final Configuration clientConf = new Configuration();
                clientConf.setInt(KeyProvider.DEFAULT_BITLENGTH_NAME, 64);
                final URI kmsUri = TestKMS.createKMSUri(getKMSUrl());
                final Credentials tokenStore = new Credentials();
                UserGroupInformation caller = UserGroupInformation.getCurrentUser();

                // First attempt, before any delegation token is attached to the caller.
                // NOTE(review): presumably expected to be rejected, but nothing asserts it.
                try {
                    KeyProvider provider = TestKMS.this.createProvider(kmsUri, clientConf);
                    provider.createKey("key_a", new KeyProvider.Options(clientConf));
                } catch (IOException e) {
                    System.out.println(e.getMessage());
                }

                // "client" fetches delegation tokens (renewer "foo") into the shared store.
                TestKMS.this.doAs("client", new PrivilegedExceptionAction<Void>() {
                    @Override
                    public Void run() throws Exception {
                        KeyProvider provider = TestKMS.this.createProvider(kmsUri, clientConf);
                        KeyProviderDelegationTokenExtension.createKeyProviderDelegationTokenExtension(provider).addDelegationTokens("foo", tokenStore);
                        return null;
                    }
                });

                caller.addCredentials(tokenStore);

                // Second attempt, after the tokens were added; an IOException is still only printed.
                try {
                    KeyProvider provider = TestKMS.this.createProvider(kmsUri, clientConf);
                    provider.createKey("key_a", new KeyProvider.Options(clientConf));
                } catch (IOException e) {
                    System.out.println(e.getMessage());
                }

                // The only step whose failure propagates: create key_d as the token-carrying caller.
                caller.doAs(new PrivilegedExceptionAction<Void>() {
                    @Override
                    public Void run() throws Exception {
                        KeyProvider provider = TestKMS.this.createProvider(kmsUri, clientConf);
                        provider.createKey("key_d", new KeyProvider.Options(clientConf));
                        return null;
                    }
                });
                return null;
            }
        });
    }

    /** Runs the delegation-token scenario with a default {@link Configuration} and the Kerberos flag off. */
    @Test
    public void testDelegationTokensOpsSimple() throws Exception {
        final Configuration defaultConf = new Configuration();
        final boolean kerberized = false;
        testDelegationTokensOps(defaultConf, kerberized);
    }

    /**
     * Runs the delegation-token scenario with Hadoop security authentication set to the
     * Kerberos handler type and the Kerberos flag on.
     */
    @Test
    public void testDelegationTokensOpsKerberized() throws Exception {
        final boolean kerberized = true;
        Configuration kerberosConf = new Configuration();
        kerberosConf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, KerberosAuthenticationHandler.TYPE);
        testDelegationTokensOps(kerberosConf, kerberized);
    }

    /**
     * Shared body of the delegation-token tests: obtain, renew and cancel a KMS delegation token.
     *
     * <p>As {@code client}, a token is requested with renewer {@code client1}. The test then checks
     * three authorization properties: the requesting user cannot renew the token, the named renewer
     * can renew it (and a later renewal yields a larger lifetime value), and a cancelled token
     * can no longer be renewed.
     *
     * @param configuration security configuration installed through
     *     {@code UserGroupInformation.setConfiguration}
     * @param z when {@code true}, the KMS server is configured for Kerberos authentication and
     *     {@code client1} logs in from the keytab; otherwise {@code client1} is a testing user
     * @throws Exception if server setup or any step inside the server callback fails
     */
    private void testDelegationTokensOps(Configuration configuration, final boolean z) throws Exception {
        UserGroupInformation.setConfiguration(configuration);
        File testDir = getTestDir();
        Configuration createBaseKMSConf = createBaseKMSConf(testDir);
        if (z) {
            createBaseKMSConf.set("hadoop.kms.authentication.type", KerberosAuthenticationHandler.TYPE);
            createBaseKMSConf.set("hadoop.kms.authentication.kerberos.keytab", keytab.getAbsolutePath());
            createBaseKMSConf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost");
            createBaseKMSConf.set("hadoop.kms.authentication.kerberos.name.rules", "DEFAULT");
        }
        writeConf(testDir, createBaseKMSConf);
        runServer(null, null, testDir, new KMSCallable<Void>() { // from class: org.apache.hadoop.crypto.key.kms.server.TestKMS.14
            @Override // java.util.concurrent.Callable
            public Void call() throws Exception {
                final Configuration configuration2 = new Configuration();
                final URI createKMSUri = TestKMS.createKMSUri(getKMSUrl());
                configuration2.set(KeyProviderFactory.KEY_PROVIDER_PATH, TestKMS.createKMSUri(getKMSUrl()).toString());
                TestKMS.this.doAs("client", new PrivilegedExceptionAction<Void>() { // from class: org.apache.hadoop.crypto.key.kms.server.TestKMS.14.1
                    /* JADX WARN: Can't rename method to resolve collision */
                    @Override // java.security.PrivilegedExceptionAction
                    public Void run() throws Exception {
                        UserGroupInformation createUserForTesting;
                        KeyProviderDelegationTokenExtension createKeyProviderDelegationTokenExtension = KeyProviderDelegationTokenExtension.createKeyProviderDelegationTokenExtension(TestKMS.this.createProvider(createKMSUri, configuration2));
                        Credentials credentials = new Credentials();
                        // Request the token as "client" while naming "client1" as the renewer.
                        final Token<?>[] addDelegationTokens = createKeyProviderDelegationTokenExtension.addDelegationTokens("client1", credentials);
                        // Exactly one token is expected, stored under the KMS host:port service name.
                        Assert.assertEquals(1L, credentials.getAllTokens().size());
                        Assert.assertEquals(KMSClientProvider.TOKEN_KIND, credentials.getToken(SecurityUtil.buildTokenService(new InetSocketAddress(getKMSUrl().getHost(), getKMSUrl().getPort()))).getKind());
                        // Step 1: the requester is not the renewer, so renewing as "client" must be rejected.
                        for (Token<?> token : addDelegationTokens) {
                            if (token.getKind().equals(KMSClientProvider.TOKEN_KIND)) {
                                // NOTE(review): the Token object itself is written to the log here and
                                // below; confirm its string form does not expose the token secret.
                                // VectorFormat.DEFAULT_SEPARATOR only serves as a separator string here.
                                TestKMS.LOG.info("Got dt for " + createKMSUri + VectorFormat.DEFAULT_SEPARATOR + token);
                                try {
                                    token.renew(configuration2);
                                    Assert.fail("client should not be allowed to renew token withrenewer=client1");
                                } catch (Exception e) {
                                    // The rejection must carry this specific message, not just any failure.
                                    GenericTestUtils.assertExceptionContains("tries to renew a token with renewer", e);
                                }
                            } else {
                                TestKMS.LOG.info("Skipping token {}", token);
                            }
                        }
                        // Become "client1": keytab login in the Kerberized variant, a testing user otherwise.
                        if (z) {
                            UserGroupInformation.loginUserFromKeytab("client1", TestKMS.keytab.getAbsolutePath());
                            createUserForTesting = UserGroupInformation.getLoginUser();
                        } else {
                            createUserForTesting = UserGroupInformation.createUserForTesting("client1", new String[]{"other group"});
                        }
                        // The try / catch (Throwable) pair below acts like a finally block:
                        // logoutUserFromKeytab() runs on both the normal and the failing path.
                        try {
                            createUserForTesting.doAs(new PrivilegedExceptionAction<Void>() { // from class: org.apache.hadoop.crypto.key.kms.server.TestKMS.14.1.1
                                /* JADX WARN: Can't rename method to resolve collision */
                                @Override // java.security.PrivilegedExceptionAction
                                public Void run() throws Exception {
                                    // Step 2: the named renewer can renew; z2 records that at least
                                    // one KMS token was actually renewed.
                                    boolean z2 = false;
                                    for (Token token2 : addDelegationTokens) {
                                        if (token2.getKind().equals(KMSClientProvider.TOKEN_KIND)) {
                                            TestKMS.LOG.info("Got dt for " + createKMSUri + VectorFormat.DEFAULT_SEPARATOR + token2);
                                            long renew = token2.renew(configuration2);
                                            TestKMS.LOG.info("Renewed token of kind {}, new lifetime:{}", token2.getKind(), Long.valueOf(renew));
                                            // Wait so the second renewal returns a strictly larger value.
                                            Thread.sleep(100L);
                                            long renew2 = token2.renew(configuration2);
                                            TestKMS.LOG.info("Renewed token of kind {}, new lifetime:{}", token2.getKind(), Long.valueOf(renew2));
                                            Assert.assertTrue(renew2 > renew);
                                            z2 = true;
                                        } else {
                                            TestKMS.LOG.info("Skipping token {}", token2);
                                        }
                                    }
                                    Assert.assertTrue(z2);
                                    // Step 3: cancel each KMS token, then confirm renewal is refused.
                                    for (Token token3 : addDelegationTokens) {
                                        if (token3.getKind().equals(KMSClientProvider.TOKEN_KIND)) {
                                            TestKMS.LOG.info("Got dt for " + createKMSUri + VectorFormat.DEFAULT_SEPARATOR + token3);
                                            token3.cancel(configuration2);
                                            TestKMS.LOG.info("Cancelled token of kind {}", token3.getKind());
                                            try {
                                                token3.renew(configuration2);
                                                Assert.fail("should not be able to renew a canceled token");
                                            } catch (Exception e2) {
                                                // NOTE(review): any Exception is accepted and only logged,
                                                // unlike step 1, which checks the message text.
                                                TestKMS.LOG.info("Expected exception when renewing token", (Throwable) e2);
                                            }
                                        } else {
                                            TestKMS.LOG.info("Skipping token {}", token3);
                                        }
                                    }
                                    return null;
                                }
                            });
                            createUserForTesting.logoutUserFromKeytab();
                            return null;
                        } catch (Throwable th) {
                            createUserForTesting.logoutUserFromKeytab();
                            throw th;
                        }
                    }
                });
                return null;
            }
        });
    }

    /**
     * Runs the ZooKeeper-backed KMS scenario with the first {@code doKMSWithZK} flag on and the
     * second flag off.
     *
     * <p>NOTE(review): in {@code doKMSWithZK} the first flag sets
     * {@code hadoop.kms.authentication.zk-dt-secret-manager.enable} and the second selects the
     * ZooKeeper signer secret provider. As written, this test therefore covers the
     * delegation-token secret manager, not the signer its name suggests. Confirm the pairing
     * before counting this test as coverage for the signer secret.
     */
    @Test
    public void testKMSWithZKSigner() throws Exception {
        final boolean zkDtSecretManager = true;
        final boolean zkSignerSecretProvider = false;
        doKMSWithZK(zkDtSecretManager, zkSignerSecretProvider);
    }

    /**
     * Runs the ZooKeeper-backed KMS scenario with the first {@code doKMSWithZK} flag off and the
     * second flag on.
     *
     * <p>NOTE(review): in {@code doKMSWithZK} the second flag selects the ZooKeeper signer secret
     * provider and the first enables the ZooKeeper delegation-token secret manager. As written,
     * this test therefore covers the signer secret provider only, not the "DTSM" its name
     * suggests. Confirm the pairing is intended.
     */
    @Test
    public void testKMSWithZKDTSM() throws Exception {
        final boolean zkDtSecretManager = false;
        final boolean zkSignerSecretProvider = true;
        doKMSWithZK(zkDtSecretManager, zkSignerSecretProvider);
    }

    /**
     * Runs the ZooKeeper-backed KMS scenario with both {@code doKMSWithZK} flags on: the
     * ZooKeeper delegation-token secret manager is enabled and the ZooKeeper signer secret
     * provider is selected.
     *
     * <p>With both flags on, {@code doKMSWithZK} sets no separate ZooKeeper connection string for
     * the secret manager.
     */
    @Test
    public void testKMSWithZKSignerAndDTSM() throws Exception {
        final boolean zkDtSecretManager = true;
        final boolean zkSignerSecretProvider = true;
        doKMSWithZK(zkDtSecretManager, zkSignerSecretProvider);
    }

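    /**
     * Runs the KMS test server against an in-process ZooKeeper {@link TestingServer} and creates
     * the keys {@code k1}, {@code k2} and {@code k3} with explicit 16-byte key material.
     *
     * <p>The scenario passes when server start-up and the three {@code createKey} calls complete
     * without throwing; nothing else is asserted here.
     *
     * <p>NOTE(review): the {@code "*"} key ACLs, {@code zkAuthType=none} and the all-zero key
     * material are test fixtures. {@code zkAuthType=none} presumably leaves the secret manager's
     * ZooKeeper session unauthenticated, so none of these values belong in a deployed KMS
     * configuration.
     *
     * @param z  when {@code true}, sets
     *           {@code hadoop.kms.authentication.zk-dt-secret-manager.enable} to {@code "true"};
     *           if {@code z2} is {@code false} as well, the secret manager also gets its own
     *           ZooKeeper connection string, working path and auth type
     * @param z2 when {@code true}, selects the {@code zookeeper} signer secret provider and points
     *           it at the testing server
     * @throws Exception if the ZooKeeper server, the KMS server or a key operation fails
     */
    public void doKMSWithZK(boolean z, boolean z2) throws Exception {
        final boolean zkDtSecretManager = z;
        final boolean zkSignerSecretProvider = z2;
        TestingServer zkServer = null;
        try {
            zkServer = new TestingServer();
            zkServer.start();

            // Client-side UGI is switched to Kerberos for the whole JVM; this is static state.
            Configuration ugiConf = new Configuration();
            ugiConf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, KerberosAuthenticationHandler.TYPE);
            UserGroupInformation.setConfiguration(ugiConf);

            File confDir = getTestDir();
            Configuration kmsConf = createBaseKMSConf(confDir);
            kmsConf.set("hadoop.kms.authentication.type", KerberosAuthenticationHandler.TYPE);
            kmsConf.set("hadoop.kms.authentication.kerberos.keytab", keytab.getAbsolutePath());
            kmsConf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost");
            kmsConf.set("hadoop.kms.authentication.kerberos.name.rules", "DEFAULT");

            if (zkSignerSecretProvider) {
                kmsConf.set("hadoop.kms.authentication.signer.secret.provider", "zookeeper");
                kmsConf.set("hadoop.kms.authentication.signer.secret.provider.zookeeper.path", "/testKMSWithZKDTSM");
                kmsConf.set("hadoop.kms.authentication.signer.secret.provider.zookeeper.connection.string", zkServer.getConnectString());
            }
            if (zkDtSecretManager) {
                // Plain literal: the flag's value should not depend on an unrelated ZooKeeper
                // client constant that merely happens to hold the same string.
                kmsConf.set("hadoop.kms.authentication.zk-dt-secret-manager.enable", "true");
                if (!zkSignerSecretProvider) {
                    // Only without the signer does the secret manager get its own connection.
                    kmsConf.set("hadoop.kms.authentication.zk-dt-secret-manager.zkConnectionString", zkServer.getConnectString());
                    kmsConf.set("hadoop.kms.authentication.zk-dt-secret-manager.znodeWorkingPath", "testZKPath");
                    // Test-only: no ZooKeeper authentication for the secret manager.
                    kmsConf.set("hadoop.kms.authentication.zk-dt-secret-manager.zkAuthType", "none");
                }
            }

            // Each ACL's value is its own type name, presumably read as a user name.
            for (KMSACLs.Type aclType : KMSACLs.Type.values()) {
                kmsConf.set(aclType.getAclConfigKey(), aclType.toString());
            }
            // CREATE and ROLLOVER additionally list SET_KEY_MATERIAL, the identity used below to
            // create keys with caller-supplied material.
            kmsConf.set(KMSACLs.Type.CREATE.getAclConfigKey(), KMSACLs.Type.CREATE.toString() + ",SET_KEY_MATERIAL");
            kmsConf.set(KMSACLs.Type.ROLLOVER.getAclConfigKey(), KMSACLs.Type.ROLLOVER.toString() + ",SET_KEY_MATERIAL");
            // Test-only wildcard key ACLs.
            kmsConf.set("key.acl.k0.ALL", "*");
            kmsConf.set("key.acl.k1.ALL", "*");
            kmsConf.set("key.acl.k2.ALL", "*");
            kmsConf.set("key.acl.k3.ALL", "*");
            writeConf(confDir, kmsConf);

            runServer(null, null, confDir, new KMSCallable<KeyProvider>() {
                @Override
                public KeyProvider call() throws Exception {
                    final Configuration clientConf = new Configuration();
                    clientConf.setInt(KeyProvider.DEFAULT_BITLENGTH_NAME, 128);
                    final URI kmsUri = TestKMS.createKMSUri(getKMSUrl());
                    return (KeyProvider) TestKMS.this.doAs("SET_KEY_MATERIAL", new PrivilegedExceptionAction<KeyProvider>() {
                        @Override
                        public KeyProvider run() throws Exception {
                            KeyProvider provider = TestKMS.this.createProvider(kmsUri, clientConf);
                            // 16 zero bytes match the 128-bit length configured above.
                            provider.createKey("k1", new byte[16], new KeyProvider.Options(clientConf));
                            provider.createKey("k2", new byte[16], new KeyProvider.Options(clientConf));
                            provider.createKey("k3", new byte[16], new KeyProvider.Options(clientConf));
                            return provider;
                        }
                    });
                }
            });
        } finally {
            // Single cleanup path: runs once on success or failure, and close() is still
            // attempted when stop() throws.
            if (zkServer != null) {
                try {
                    zkServer.stop();
                } finally {
                    zkServer.close();
                }
            }
        }
    }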

    /**
     * Runs the KMS proxy-user scenario with the KMS authentication type set to Kerberos and the
     * real {@code client} user logged in from the test keytab.
     */
    @Test
    public void testProxyUserKerb() throws Exception {
        final boolean useKerberos = true;
        doProxyUserTest(useKerberos);
    }

    /**
     * Runs the KMS proxy-user scenario without overriding the KMS authentication type; the real
     * {@code client} user is created as a remote user rather than logged in from a keytab.
     */
    @Test
    public void testProxyUserSimple() throws Exception {
        final boolean useKerberos = false;
        doProxyUserTest(useKerberos);
    }

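    /**
     * Exercises KMS proxy-user (impersonation) authorization with {@code client} as the real user.
     *
     * <p>The server allows {@code client} to impersonate {@code foo} and {@code bar} only
     * ({@code hadoop.kms.proxyuser.client.users}). Key ACLs grant {@code kaa} to {@code client},
     * {@code kbb} to {@code foo}, {@code kcc} to {@code foo1} and {@code kdd} to {@code bar}.
     * The scenario checks that:
     * <ul>
     *   <li>{@code client} can create {@code kaa} directly;</li>
     *   <li>{@code foo} and {@code bar}, proxied through {@code client}, can create their keys;</li>
     *   <li>{@code foo1}, proxied through {@code client}, is rejected with an
     *       {@link AuthorizationException}. The key ACL for {@code kcc} names {@code foo1}, so
     *       the rejection presumably comes from the impersonation check, not the key ACL.</li>
     * </ul>
     *
     * <p>NOTE(review): {@code hadoop.kms.proxyuser.client.hosts=*} and the 64-bit default key
     * length are test fixtures. The keytab login made in Kerberos mode is not logged out in this
     * method; confirm that is handled elsewhere.
     *
     * @param z {@code true} to set the KMS authentication type to Kerberos and log {@code client}
     *          in from the keytab; {@code false} to leave the base authentication type untouched
     *          and use a remote-user UGI
     * @throws Exception if the server or an unexpected key operation fails
     */
    public void doProxyUserTest(final boolean z) throws Exception {
        Configuration ugiConf = new Configuration();
        ugiConf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, KerberosAuthenticationHandler.TYPE);
        UserGroupInformation.setConfiguration(ugiConf);

        File confDir = getTestDir();
        Configuration kmsConf = createBaseKMSConf(confDir);
        if (z) {
            kmsConf.set("hadoop.kms.authentication.type", KerberosAuthenticationHandler.TYPE);
        }
        kmsConf.set("hadoop.kms.authentication.kerberos.keytab", keytab.getAbsolutePath());
        kmsConf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost");
        kmsConf.set("hadoop.kms.authentication.kerberos.name.rules", "DEFAULT");
        // Impersonation allow-list for the real user "client"; foo1 is deliberately absent.
        kmsConf.set("hadoop.kms.proxyuser.client.users", "foo,bar");
        kmsConf.set("hadoop.kms.proxyuser.client.hosts", "*");
        kmsConf.set("key.acl.kaa.ALL", "client");
        kmsConf.set("key.acl.kbb.ALL", "foo");
        kmsConf.set("key.acl.kcc.ALL", "foo1");
        kmsConf.set("key.acl.kdd.ALL", "bar");
        writeConf(confDir, kmsConf);

        runServer(null, null, confDir, new KMSCallable<Void>() {
            @Override
            public Void call() throws Exception {
                final Configuration clientConf = new Configuration();
                clientConf.setInt(KeyProvider.DEFAULT_BITLENGTH_NAME, 64);
                final URI kmsUri = TestKMS.createKMSUri(getKMSUrl());

                final UserGroupInformation clientUgi;
                if (z) {
                    clientUgi = UserGroupInformation.loginUserFromKeytabAndReturnUGI("client", TestKMS.keytab.getAbsolutePath());
                } else {
                    clientUgi = UserGroupInformation.createRemoteUser("client");
                }

                clientUgi.doAs(new PrivilegedExceptionAction<Void>() {
                    @Override
                    public Void run() throws Exception {
                        final KeyProvider provider = TestKMS.this.createProvider(kmsUri, clientConf);
                        // Real user acting as itself.
                        provider.createKey("kaa", new KeyProvider.Options(clientConf));

                        // Allowed proxy user.
                        UserGroupInformation.createProxyUser("foo", clientUgi).doAs(new PrivilegedExceptionAction<Void>() {
                            @Override
                            public Void run() throws Exception {
                                Assert.assertNotNull(provider.createKey("kbb", new KeyProvider.Options(clientConf)));
                                return null;
                            }
                        });

                        // Proxy user missing from the allow-list: the request must be refused.
                        UserGroupInformation.createProxyUser("foo1", clientUgi).doAs(new PrivilegedExceptionAction<Void>() {
                            @Override
                            public Void run() throws Exception {
                                try {
                                    provider.createKey("kcc", new KeyProvider.Options(clientConf));
                                } catch (AuthorizationException expected) {
                                    return null;
                                } catch (Exception unexpected) {
                                    // Keep the cause: getMessage() alone may be null and hides
                                    // which layer failed.
                                    throw new AssertionError("expected AuthorizationException for proxy user foo1, got " + unexpected, unexpected);
                                }
                                Assert.fail("createKey(kcc) as proxy user foo1 should have been rejected");
                                return null;
                            }
                        });

                        // Second allowed proxy user.
                        UserGroupInformation.createProxyUser("bar", clientUgi).doAs(new PrivilegedExceptionAction<Void>() {
                            @Override
                            public Void run() throws Exception {
                                Assert.assertNotNull(provider.createKey("kdd", new KeyProvider.Options(clientConf)));
                                return null;
                            }
                        });
                        return null;
                    }
                });
                return null;
            }
        });
    }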

    /**
     * Runs the WebHDFS-style proxy-user scenario with the KMS authentication type set to
     * Kerberos.
     */
    @Test
    public void testWebHDFSProxyUserKerb() throws Exception {
        final boolean useKerberos = true;
        doWebHDFSProxyUserTest(useKerberos);
    }

    /**
     * Runs the WebHDFS-style proxy-user scenario without overriding the KMS authentication type
     * supplied by the base configuration.
     */
    @Test
    public void testWebHDFSProxyUserSimple() throws Exception {
        final boolean useKerberos = false;
        doWebHDFSProxyUserTest(useKerberos);
    }

    /**
     * Writes a KMS configuration for the WebHDFS-style proxy-user scenario and hands control to
     * {@code AnonymousClass17}, which runs against the started server.
     *
     * <p>The server allows {@code client} to impersonate {@code foo} and {@code bar} from any
     * host. Key ACLs grant {@code kaa} to {@code foo}, {@code kbb} to {@code foo1} and
     * {@code kcc} to {@code bar}. The checks themselves live in {@code AnonymousClass17}, which
     * is defined outside this method and is not described here.
     *
     * <p>NOTE(review): {@code hadoop.kms.proxyuser.client.hosts=*} is a test fixture; a deployed
     * KMS would normally restrict the hosts a proxying service may connect from.
     *
     * @param z {@code true} to set the KMS authentication type to Kerberos; {@code false} to keep
     *          the base configuration's authentication type
     * @throws Exception if writing the configuration or running the server fails
     */
    public void doWebHDFSProxyUserTest(boolean z) throws Exception {
        // JVM-wide UGI setting: Kerberos in both modes.
        final Configuration ugiConf = new Configuration();
        ugiConf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, KerberosAuthenticationHandler.TYPE);
        UserGroupInformation.setConfiguration(ugiConf);

        final File confDir = getTestDir();
        final Configuration kmsConf = createBaseKMSConf(confDir);
        if (z) {
            kmsConf.set("hadoop.kms.authentication.type", KerberosAuthenticationHandler.TYPE);
        }
        kmsConf.set("hadoop.kms.authentication.kerberos.keytab", keytab.getAbsolutePath());
        kmsConf.set("hadoop.kms.authentication.kerberos.principal", "HTTP/localhost");
        kmsConf.set("hadoop.kms.authentication.kerberos.name.rules", "DEFAULT");
        kmsConf.set(KMSClientProvider.TIMEOUT_ATTR, "300");

        // Impersonation allow-list for the real user "client"; foo1 is not on it.
        kmsConf.set("hadoop.kms.proxyuser.client.users", "foo,bar");
        kmsConf.set("hadoop.kms.proxyuser.client.hosts", "*");

        // Per-key ACLs, one principal per key.
        kmsConf.set("key.acl.kaa.ALL", "foo");
        kmsConf.set("key.acl.kbb.ALL", "foo1");
        kmsConf.set("key.acl.kcc.ALL", "bar");

        writeConf(confDir, kmsConf);
        runServer(null, null, confDir, new AnonymousClass17(z));
    }
}
