package org.apache.hadoop.yarn.server.timeline.security;

import java.io.File;
import java.security.PrivilegedExceptionAction;
import java.util.Arrays;
import java.util.Collection;
import java.util.concurrent.Callable;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileUtil;
import org.apache.hadoop.http.HttpConfig;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.minikdc.MiniKdc;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.KerberosTestUtils;
import org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.apache.hadoop.security.authorize.AuthorizationException;
import org.apache.hadoop.security.ssl.KeyStoreTestUtil;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.yarn.api.records.timeline.TimelineDomain;
import org.apache.hadoop.yarn.api.records.timeline.TimelineEntity;
import org.apache.hadoop.yarn.client.api.TimelineClient;
import org.apache.hadoop.yarn.security.client.TimelineDelegationTokenIdentifier;
import org.apache.hadoop.yarn.server.applicationhistoryservice.ApplicationHistoryServer;
import org.apache.hadoop.yarn.server.timeline.MemoryTimelineStore;
import org.apache.hadoop.yarn.server.timeline.TimelineStore;
import org.apache.hadoop.yarn.server.timeline.webapp.CrossOriginFilter;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.Parameterized;

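/**
 * JUnit 4 test that starts a {@link MiniKdc} and an {@link ApplicationHistoryServer}
 * configured for Kerberos HTTP authentication, then drives {@link TimelineClient}
 * put and delegation-token operations against it.
 *
 * <p>The proxy-user settings allow the {@code HTTP} principal to impersonate
 * {@code foo} only. {@link #testDelegationTokenOperations()} checks both the
 * allowed impersonation ({@code foo}) and the rejected one ({@code bar}).
 *
 * <p>NOTE(review): under JUnit 4's {@code Parameterized} runner, {@code @BeforeClass}
 * runs once before any test instance is constructed. {@link #withSsl} therefore
 * appears to still be {@code false} when {@link #setup()} runs, so the HTTPS-only
 * branch looks unreachable and the TLS path is probably never exercised. Confirm,
 * and consider per-parameter setup if HTTPS coverage is intended.
 */
@RunWith(Parameterized.class)
/* loaded from: input_file:test-classes/org/apache/hadoop/yarn/server/timeline/security/TestTimelineAuthenticationFilter.class */
public class TestTimelineAuthenticationFilter {
    // Short name of the user that the HTTP principal is allowed to impersonate.
    private static final String FOO_USER = "foo";
    // Short name of a user that is NOT in the proxy-user allow list.
    private static final String BAR_USER = "bar";
    // Short name expected for the "HTTP/localhost" service principal.
    private static final String HTTP_USER = "HTTP";
    private static final File testRootDir = new File(System.getProperty("test.build.dir", "target/test-dir"), TestTimelineAuthenticationFilter.class.getName() + "-root");
    private static File httpSpnegoKeytabFile = new File(KerberosTestUtils.getKeytabFile());
    private static String httpSpnegoPrincipal = KerberosTestUtils.getServerPrincipal();
    private static final String BASEDIR = System.getProperty("test.build.dir", "target/test-dir") + "/" + TestTimelineAuthenticationFilter.class.getSimpleName();
    private static MiniKdc testMiniKDC;
    private static String keystoresDir;
    private static String sslConfDir;
    private static ApplicationHistoryServer testTimelineServer;
    private static Configuration conf;
    // Static although assigned from the instance constructor; see the class-level note.
    private static boolean withSsl;

    /**
     * Supplies the two parameter sets for the runner: without SSL, then with SSL.
     *
     * @return one single-element argument array per run
     */
    @Parameterized.Parameters
    public static Collection<Object[]> withSsl() {
        return Arrays.asList(new Object[]{false}, new Object[]{true});
    }

    /**
     * Records the SSL parameter of the current run in the static {@code withSsl} flag.
     *
     * @param z whether this parameterized run is meant to use HTTPS
     */
    public TestTimelineAuthenticationFilter(boolean z) {
        withSsl = z;
    }

    /**
     * Starts the MiniKdc, creates the {@code HTTP/localhost} principal in the SPNEGO
     * keytab, and starts the timeline server with Kerberos authentication enabled.
     *
     * @throws AssertionError if either the KDC or the timeline server cannot be set up;
     *     the underlying exception is attached as the cause
     */
    @BeforeClass
    public static void setup() {
        try {
            testMiniKDC = new MiniKdc(MiniKdc.createConf(), testRootDir);
            testMiniKDC.start();
            testMiniKDC.createPrincipal(httpSpnegoKeytabFile, new String[]{"HTTP/localhost"});
        } catch (Exception e) {
            // Same failure type and message as before, but keep the cause so a broken
            // KDC/keytab setup can be diagnosed from the test report.
            throw new AssertionError("Couldn't setup MiniKDC", e);
        }
        try {
            testTimelineServer = new ApplicationHistoryServer();
            conf = new Configuration(false);
            conf.setStrings("yarn.timeline-service.http-authentication.type", new String[]{"kerberos"});
            conf.set("yarn.timeline-service.http-authentication.kerberos.principal", httpSpnegoPrincipal);
            conf.set("yarn.timeline-service.http-authentication.kerberos.keytab", httpSpnegoKeytabFile.getAbsolutePath());
            conf.set("hadoop.security.authentication", "kerberos");
            conf.set("yarn.timeline-service.principal", httpSpnegoPrincipal);
            conf.set("yarn.timeline-service.keytab", httpSpnegoKeytabFile.getAbsolutePath());
            conf.setBoolean("yarn.timeline-service.enabled", true);
            conf.setClass("yarn.timeline-service.store-class", MemoryTimelineStore.class, TimelineStore.class);
            conf.set("yarn.timeline-service.address", "localhost:10200");
            conf.set("yarn.timeline-service.webapp.address", "localhost:8188");
            conf.set("yarn.timeline-service.webapp.https.address", "localhost:8190");
            // NOTE(review): an unrelated CORS constant is used as the proxy-user host list;
            // presumably the decompiler substituted it for an equal literal (likely the
            // wildcard "*") - confirm. A wildcard would mean impersonation is not
            // restricted by host, only by the user list on the next line.
            conf.set("hadoop.proxyuser.HTTP.hosts", CrossOriginFilter.ALLOWED_ORIGINS_DEFAULT);
            // Only "foo" may be impersonated by HTTP; the "bar" case below relies on this.
            conf.set("hadoop.proxyuser.HTTP.users", FOO_USER);
            conf.setInt("yarn.timeline-service.client.max-retries", 1);
            if (withSsl) {
                conf.set("yarn.http.policy", HttpConfig.Policy.HTTPS_ONLY.name());
                File file = new File(BASEDIR);
                FileUtil.fullyDelete(file);
                file.mkdirs();
                keystoresDir = new File(BASEDIR).getAbsolutePath();
                sslConfDir = KeyStoreTestUtil.getClasspathDir(TestTimelineAuthenticationFilter.class);
                KeyStoreTestUtil.setupSSLConfig(keystoresDir, sslConfDir, conf, false);
            }
            UserGroupInformation.setConfiguration(conf);
            testTimelineServer.init(conf);
            testTimelineServer.start();
        } catch (Exception e2) {
            // Preserve the cause here as well (bad keytab, port in use, SSL config, ...).
            throw new AssertionError("Couldn't setup TimelineServer", e2);
        }
    }

    /**
     * Creates and starts a {@link TimelineClient} using the shared test configuration.
     * Intended to be called inside a {@code doAs} so the client is created under that
     * caller's identity.
     *
     * @return a started client; this class never stops it
     */
    /* JADX INFO: Access modifiers changed from: private */
    public TimelineClient createTimelineClientForUGI() {
        TimelineClient createTimelineClient = TimelineClient.createTimelineClient();
        createTimelineClient.init(conf);
        createTimelineClient.start();
        return createTimelineClient;
    }

    /**
     * Stops the KDC and the timeline server and, when {@code withSsl} is set, removes
     * the generated SSL configuration and keystore directory.
     *
     * @throws Exception if stopping a service or cleaning up the SSL files fails
     */
    @AfterClass
    public static void tearDown() throws Exception {
        if (testMiniKDC != null) {
            testMiniKDC.stop();
        }
        if (testTimelineServer != null) {
            testTimelineServer.stop();
        }
        // NOTE(review): withSsl holds whatever the last constructed instance set, while
        // keystoresDir/sslConfDir are only assigned inside setup()'s SSL branch; they may
        // still be null here - confirm that cleanupSSLConfig tolerates that.
        if (withSsl) {
            KeyStoreTestUtil.cleanupSSLConfig(keystoresDir, sslConfDir);
            FileUtil.fullyDelete(new File(BASEDIR));
        }
    }

    /**
     * As the Kerberos-authenticated {@code HTTP/localhost} principal, posts one entity
     * and verifies it is present in the server's timeline store.
     */
    @Test
    public void testPutTimelineEntities() throws Exception {
        KerberosTestUtils.doAs("HTTP/localhost", new Callable<Void>() {
            @Override
            public Void call() throws Exception {
                TimelineClient client = createTimelineClientForUGI();
                TimelineEntity timelineEntity = new TimelineEntity();
                timelineEntity.setEntityType(TestTimelineAuthenticationFilter.class.getName());
                timelineEntity.setEntityId("entity1");
                timelineEntity.setStartTime(0L);
                Assert.assertEquals(0L, client.putEntities(new TimelineEntity[]{timelineEntity}).getErrors().size());
                // Read back straight from the store to prove the authenticated write landed.
                Assert.assertNotNull(testTimelineServer.getTimelineStore().getEntity("entity1", TestTimelineAuthenticationFilter.class.getName(), null));
                return null;
            }
        });
    }

    /**
     * As the Kerberos-authenticated {@code HTTP/localhost} principal, posts one domain
     * and verifies it is present in the server's timeline store.
     */
    @Test
    public void testPutDomains() throws Exception {
        KerberosTestUtils.doAs("HTTP/localhost", new Callable<Void>() {
            @Override
            public Void call() throws Exception {
                TimelineClient client = createTimelineClientForUGI();
                TimelineDomain timelineDomain = new TimelineDomain();
                timelineDomain.setId(TestTimelineAuthenticationFilter.class.getName());
                // NOTE(review): same substituted constant as in setup(); presumably the
                // readers/writers ACLs are a wildcard here - confirm.
                timelineDomain.setReaders(CrossOriginFilter.ALLOWED_ORIGINS_DEFAULT);
                timelineDomain.setWriters(CrossOriginFilter.ALLOWED_ORIGINS_DEFAULT);
                client.putDomain(timelineDomain);
                Assert.assertNotNull(testTimelineServer.getTimelineStore().getDomain(TestTimelineAuthenticationFilter.class.getName()));
                return null;
            }
        });
    }

    /**
     * Exercises get / renew / cancel of timeline delegation tokens in three situations:
     * the {@code HTTP} user acting for itself, {@code HTTP} impersonating the allowed
     * proxy user {@code foo}, and {@code HTTP} impersonating {@code bar}, which is not
     * in the allow list and must be rejected.
     *
     * <p>The steps are order-dependent: each cancel must be followed by a renewal that
     * fails with "Renewal request for unknown token".
     */
    @Test
    public void testDelegationTokenOperations() throws Exception {
        TimelineClient timelineClient = (TimelineClient) KerberosTestUtils.doAs("HTTP/localhost", new Callable<TimelineClient>() {
            @Override
            public TimelineClient call() throws Exception {
                return createTimelineClientForUGI();
            }
        });
        UserGroupInformation userGroupInformation = (UserGroupInformation) KerberosTestUtils.doAs("HTTP/localhost", new Callable<UserGroupInformation>() {
            @Override
            public UserGroupInformation call() throws Exception {
                return UserGroupInformation.getCurrentUser();
            }
        });

        // --- Case 1: HTTP user obtains a token for itself --------------------------------
        // Parameterized Token type (was raw in the decompiled source) so that
        // decodeIdentifier() yields TimelineDelegationTokenIdentifier without a cast.
        Token<TimelineDelegationTokenIdentifier> delegationToken = timelineClient.getDelegationToken(userGroupInformation.getShortUserName());
        Assert.assertNotNull(delegationToken);
        TimelineDelegationTokenIdentifier decodeIdentifier = delegationToken.decodeIdentifier();
        Assert.assertNotNull(decodeIdentifier);
        Assert.assertEquals(new Text(HTTP_USER), decodeIdentifier.getOwner());
        Assert.assertFalse(delegationToken.getService().toString().isEmpty());
        long renewDelegationToken = timelineClient.renewDelegationToken(delegationToken);
        // Let the clock advance so the next renewal can return a strictly later time.
        Thread.sleep(100L);
        // Blank the service field: renewal must still work and must not refill it.
        delegationToken.setService(new Text());
        Assert.assertTrue(delegationToken.getService().toString().isEmpty());
        Assert.assertTrue(renewDelegationToken < timelineClient.renewDelegationToken(delegationToken));
        Assert.assertTrue(delegationToken.getService().toString().isEmpty());
        timelineClient.cancelDelegationToken(delegationToken);
        try {
            // A cancelled token must no longer be renewable.
            timelineClient.renewDelegationToken(delegationToken);
            Assert.fail();
        } catch (Exception e) {
            Assert.assertTrue(e.getMessage().contains("Renewal request for unknown token"));
        }

        // --- Case 2: HTTP impersonates "foo" (allowed by hadoop.proxyuser.HTTP.users) -----
        TimelineClient timelineClient2 = (TimelineClient) UserGroupInformation.createProxyUser(FOO_USER, userGroupInformation).doAs(new PrivilegedExceptionAction<TimelineClient>() {
            @Override
            public TimelineClient run() throws Exception {
                return createTimelineClientForUGI();
            }
        });
        Token<TimelineDelegationTokenIdentifier> delegationToken2 = timelineClient2.getDelegationToken(userGroupInformation.getShortUserName());
        Assert.assertNotNull(delegationToken2);
        TimelineDelegationTokenIdentifier decodeIdentifier2 = delegationToken2.decodeIdentifier();
        Assert.assertNotNull(decodeIdentifier2);
        // Owner is the impersonated user; the real (authenticating) user is still HTTP.
        Assert.assertEquals(new Text(FOO_USER), decodeIdentifier2.getOwner());
        Assert.assertEquals(new Text(HTTP_USER), decodeIdentifier2.getRealUser());
        // NOTE(review): two back-to-back renewals compared with a strict '<' and no delay
        // between them; this may be timing-sensitive - confirm.
        Assert.assertTrue(timelineClient.renewDelegationToken(delegationToken2) < timelineClient.renewDelegationToken(delegationToken2));
        Assert.assertFalse(delegationToken2.getService().toString().isEmpty());
        timelineClient2.cancelDelegationToken(delegationToken2);
        try {
            timelineClient.renewDelegationToken(delegationToken2);
            Assert.fail();
        } catch (Exception e2) {
            Assert.assertTrue(e2.getMessage().contains("Renewal request for unknown token"));
        }

        // --- Case 3: HTTP impersonates "bar" (not in the allow list) ----------------------
        try {
            ((TimelineClient) UserGroupInformation.createProxyUser(BAR_USER, userGroupInformation).doAs(new PrivilegedExceptionAction<TimelineClient>() {
                @Override
                public TimelineClient run() {
                    return createTimelineClientForUGI();
                }
            })).getDelegationToken(userGroupInformation.getShortUserName());
            // Reaching this line means an unauthorized impersonation was accepted.
            Assert.fail();
        } catch (Exception e3) {
            // Either exception type is accepted, so this does not pin down whether the
            // request was rejected at authentication or at authorization.
            Assert.assertTrue((e3.getCause() instanceof AuthorizationException) || (e3.getCause() instanceof AuthenticationException));
        }
    }
}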
