package org.apache.hadoop.yarn.server.resourcemanager.security;

import java.io.IOException;
import java.lang.annotation.Annotation;
import java.net.InetSocketAddress;
import java.security.PrivilegedAction;
import java.security.PrivilegedExceptionAction;
import javax.security.sasl.SaslException;
import junit.framework.Assert;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.ipc.RPC;
import org.apache.hadoop.ipc.RemoteException;
import org.apache.hadoop.net.NetUtils;
import org.apache.hadoop.security.KerberosInfo;
import org.apache.hadoop.security.SecurityInfo;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.TokenIdentifier;
import org.apache.hadoop.security.token.TokenInfo;
import org.apache.hadoop.security.token.TokenSelector;
import org.apache.hadoop.service.AbstractService;
import org.apache.hadoop.yarn.api.ContainerManagementProtocol;
import org.apache.hadoop.yarn.api.protocolrecords.GetApplicationReportRequest;
import org.apache.hadoop.yarn.api.protocolrecords.RegisterApplicationMasterResponse;
import org.apache.hadoop.yarn.api.protocolrecords.StartContainersRequest;
import org.apache.hadoop.yarn.api.protocolrecords.StartContainersResponse;
import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
import org.apache.hadoop.yarn.api.records.Token;
import org.apache.hadoop.yarn.event.Dispatcher;
import org.apache.hadoop.yarn.event.DrainDispatcher;
import org.apache.hadoop.yarn.exceptions.YarnException;
import org.apache.hadoop.yarn.exceptions.YarnRuntimeException;
import org.apache.hadoop.yarn.security.client.ClientToAMTokenIdentifier;
import org.apache.hadoop.yarn.security.client.ClientToAMTokenSecretManager;
import org.apache.hadoop.yarn.security.client.ClientToAMTokenSelector;
import org.apache.hadoop.yarn.server.resourcemanager.ClientRMService;
import org.apache.hadoop.yarn.server.resourcemanager.MockAM;
import org.apache.hadoop.yarn.server.resourcemanager.MockNM;
import org.apache.hadoop.yarn.server.resourcemanager.MockRMWithCustomAMLauncher;
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp;
import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.FairSchedulerConfiguration;
import org.apache.hadoop.yarn.server.utils.BuilderUtils;
import org.apache.hadoop.yarn.util.ConverterUtils;
import org.apache.hadoop.yarn.util.Records;
import org.junit.Test;
import org.mockito.Matchers;
import org.mockito.Mockito;

/* JADX WARN: Classes with same name are omitted:
  input_file:test-classes/org/apache/hadoop/yarn/server/resourcemanager/security/TestClientToAMTokens.class
 */
/* loaded from: input_file:hadoop-yarn-server-resourcemanager-2.4.1-mapr-1408-tests.jar:org/apache/hadoop/yarn/server/resourcemanager/security/TestClientToAMTokens.class */
public class TestClientToAMTokens {

    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Classes with same name are omitted:
      input_file:test-classes/org/apache/hadoop/yarn/server/resourcemanager/security/TestClientToAMTokens$CustomAM.class
     */
    /* loaded from: input_file:hadoop-yarn-server-resourcemanager-2.4.1-mapr-1408-tests.jar:org/apache/hadoop/yarn/server/resourcemanager/security/TestClientToAMTokens$CustomAM.class */
    public static class CustomAM extends AbstractService implements CustomProtocol {
        private final ApplicationAttemptId appAttemptId;
        private final byte[] secretKey;
        private InetSocketAddress address;
        private boolean pinged;

        public CustomAM(ApplicationAttemptId applicationAttemptId, byte[] bArr) {
            super("CustomAM");
            this.pinged = false;
            this.appAttemptId = applicationAttemptId;
            this.secretKey = bArr;
        }

        @Override // org.apache.hadoop.yarn.server.resourcemanager.security.TestClientToAMTokens.CustomProtocol
        public void ping() throws YarnException, IOException {
            this.pinged = true;
        }

        protected void serviceStart() throws Exception {
            try {
                RPC.Server build = new RPC.Builder(getConfig()).setProtocol(CustomProtocol.class).setNumHandlers(1).setSecretManager(new ClientToAMTokenSecretManager(this.appAttemptId, this.secretKey)).setInstance(this).build();
                build.start();
                this.address = NetUtils.getConnectAddress(build);
                super.serviceStart();
            } catch (Exception e) {
                throw new YarnRuntimeException(e);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* JADX WARN: Classes with same name are omitted:
      input_file:test-classes/org/apache/hadoop/yarn/server/resourcemanager/security/TestClientToAMTokens$CustomProtocol.class
     */
    /* loaded from: input_file:hadoop-yarn-server-resourcemanager-2.4.1-mapr-1408-tests.jar:org/apache/hadoop/yarn/server/resourcemanager/security/TestClientToAMTokens$CustomProtocol.class */
    public interface CustomProtocol {
        public static final long versionID = 1;

        void ping() throws YarnException, IOException;
    }

    /* JADX WARN: Classes with same name are omitted:
      input_file:test-classes/org/apache/hadoop/yarn/server/resourcemanager/security/TestClientToAMTokens$CustomSecurityInfo.class
     */
    /* loaded from: input_file:hadoop-yarn-server-resourcemanager-2.4.1-mapr-1408-tests.jar:org/apache/hadoop/yarn/server/resourcemanager/security/TestClientToAMTokens$CustomSecurityInfo.class */
    private static class CustomSecurityInfo extends SecurityInfo {
        private CustomSecurityInfo() {
        }

        public TokenInfo getTokenInfo(Class<?> cls, Configuration configuration) {
            return new TokenInfo() { // from class: org.apache.hadoop.yarn.server.resourcemanager.security.TestClientToAMTokens.CustomSecurityInfo.1
                public Class<? extends Annotation> annotationType() {
                    return null;
                }

                public Class<? extends TokenSelector<? extends TokenIdentifier>> value() {
                    return ClientToAMTokenSelector.class;
                }
            };
        }

        public KerberosInfo getKerberosInfo(Class<?> cls, Configuration configuration) {
            return null;
        }
    }

    @Test
    public void testClientToAMTokens() throws Exception {
        Configuration configuration = new Configuration();
        configuration.set("hadoop.security.authentication", "kerberos");
        UserGroupInformation.setConfiguration(configuration);
        ContainerManagementProtocol containerManagementProtocol = (ContainerManagementProtocol) Mockito.mock(ContainerManagementProtocol.class);
        Mockito.when(containerManagementProtocol.startContainers((StartContainersRequest) Matchers.any())).thenReturn((StartContainersResponse) Mockito.mock(StartContainersResponse.class));
        final DrainDispatcher drainDispatcher = new DrainDispatcher();
        MockRMWithCustomAMLauncher mockRMWithCustomAMLauncher = new MockRMWithCustomAMLauncher(configuration, containerManagementProtocol) { // from class: org.apache.hadoop.yarn.server.resourcemanager.security.TestClientToAMTokens.1
            @Override // org.apache.hadoop.yarn.server.resourcemanager.MockRM, org.apache.hadoop.yarn.server.resourcemanager.ResourceManager
            protected ClientRMService createClientRMService() {
                return new ClientRMService(this.rmContext, this.scheduler, this.rmAppManager, this.applicationACLsManager, this.queueACLsManager, getRMContext().getRMDelegationTokenSecretManager());
            }

            @Override // org.apache.hadoop.yarn.server.resourcemanager.ResourceManager
            protected Dispatcher createDispatcher() {
                return drainDispatcher;
            }

            @Override // org.apache.hadoop.yarn.server.resourcemanager.ResourceManager
            protected void doSecureLogin() throws IOException {
            }
        };
        mockRMWithCustomAMLauncher.start();
        RMApp submitApp = mockRMWithCustomAMLauncher.submitApp(FairSchedulerConfiguration.DEFAULT_RM_SCHEDULER_INCREMENT_ALLOCATION_MB);
        MockNM registerNode = mockRMWithCustomAMLauncher.registerNode("localhost:1234", 3072);
        registerNode.nodeHeartbeat(true);
        drainDispatcher.await();
        registerNode.nodeHeartbeat(true);
        drainDispatcher.await();
        ApplicationAttemptId appAttemptId = submitApp.getCurrentAppAttempt().getAppAttemptId();
        final MockAM mockAM = new MockAM(mockRMWithCustomAMLauncher.getRMContext(), mockRMWithCustomAMLauncher.getApplicationMasterService(), submitApp.getCurrentAppAttempt().getAppAttemptId());
        RegisterApplicationMasterResponse registerApplicationMasterResponse = (RegisterApplicationMasterResponse) UserGroupInformation.createRemoteUser(appAttemptId.toString()).doAs(new PrivilegedAction<RegisterApplicationMasterResponse>() { // from class: org.apache.hadoop.yarn.server.resourcemanager.security.TestClientToAMTokens.2
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedAction
            public RegisterApplicationMasterResponse run() {
                RegisterApplicationMasterResponse registerApplicationMasterResponse2 = null;
                try {
                    registerApplicationMasterResponse2 = mockAM.registerAppAttempt();
                } catch (Exception e) {
                    Assert.fail("Exception was not expected");
                }
                return registerApplicationMasterResponse2;
            }
        });
        GetApplicationReportRequest getApplicationReportRequest = (GetApplicationReportRequest) Records.newRecord(GetApplicationReportRequest.class);
        getApplicationReportRequest.setApplicationId(submitApp.getApplicationId());
        Token clientToAMToken = mockRMWithCustomAMLauncher.getClientRMService().getApplicationReport(getApplicationReportRequest).getApplicationReport().getClientToAMToken();
        Assert.assertNotNull(registerApplicationMasterResponse.getClientToAMTokenMasterKey());
        Assert.assertTrue(registerApplicationMasterResponse.getClientToAMTokenMasterKey().array().length > 0);
        ApplicationAttemptId next = submitApp.getAppAttempts().keySet().iterator().next();
        Assert.assertNotNull(next);
        CustomAM customAM = new CustomAM(next, registerApplicationMasterResponse.getClientToAMTokenMasterKey().array());
        customAM.init(configuration);
        customAM.start();
        SecurityUtil.setSecurityInfoProviders(new SecurityInfo[]{new CustomSecurityInfo()});
        try {
            ((CustomProtocol) RPC.getProxy(CustomProtocol.class, 1L, customAM.address, configuration)).ping();
            org.junit.Assert.fail("Access by unauthenticated user should fail!!");
        } catch (Exception e) {
            Assert.assertFalse(customAM.pinged);
        }
        org.apache.hadoop.security.token.Token<ClientToAMTokenIdentifier> convertFromYarn = ConverterUtils.convertFromYarn(clientToAMToken, customAM.address);
        verifyTokenWithTamperedID(configuration, customAM, convertFromYarn);
        verifyTokenWithTamperedUserName(configuration, customAM, convertFromYarn);
        verifyValidToken(configuration, customAM, convertFromYarn);
    }

    private void verifyTokenWithTamperedID(Configuration configuration, CustomAM customAM, org.apache.hadoop.security.token.Token<ClientToAMTokenIdentifier> token) throws IOException {
        verifyTamperedToken(configuration, customAM, token, UserGroupInformation.createRemoteUser("me"), new ClientToAMTokenIdentifier(BuilderUtils.newApplicationAttemptId(BuilderUtils.newApplicationId(customAM.appAttemptId.getApplicationId().getClusterTimestamp(), 42), 43), UserGroupInformation.getCurrentUser().getShortUserName()));
    }

    private void verifyTokenWithTamperedUserName(Configuration configuration, CustomAM customAM, org.apache.hadoop.security.token.Token<ClientToAMTokenIdentifier> token) throws IOException {
        verifyTamperedToken(configuration, customAM, token, UserGroupInformation.createRemoteUser("me"), new ClientToAMTokenIdentifier(customAM.appAttemptId, "evilOrc"));
    }

    private void verifyTamperedToken(final Configuration configuration, final CustomAM customAM, org.apache.hadoop.security.token.Token<ClientToAMTokenIdentifier> token, UserGroupInformation userGroupInformation, ClientToAMTokenIdentifier clientToAMTokenIdentifier) {
        userGroupInformation.addToken(new org.apache.hadoop.security.token.Token(clientToAMTokenIdentifier.getBytes(), token.getPassword(), token.getKind(), token.getService()));
        try {
            userGroupInformation.doAs(new PrivilegedExceptionAction<Void>() { // from class: org.apache.hadoop.yarn.server.resourcemanager.security.TestClientToAMTokens.3
                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.security.PrivilegedExceptionAction
                public Void run() throws Exception {
                    try {
                        ((CustomProtocol) RPC.getProxy(CustomProtocol.class, 1L, customAM.address, configuration)).ping();
                        org.junit.Assert.fail("Connection initiation with illegally modified tokens is expected to fail.");
                        return null;
                    } catch (YarnException e) {
                        org.junit.Assert.fail("Cannot get a YARN remote exception as it will indicate RPC success");
                        throw e;
                    }
                }
            });
        } catch (Exception e) {
            Assert.assertEquals(RemoteException.class.getName(), e.getClass().getName());
            IOException unwrapRemoteException = e.unwrapRemoteException();
            Assert.assertEquals(SaslException.class.getCanonicalName(), unwrapRemoteException.getClass().getCanonicalName());
            Assert.assertTrue(unwrapRemoteException.getMessage().contains("DIGEST-MD5: digest response format violation. Mismatched response."));
            Assert.assertFalse(customAM.pinged);
        }
    }

    private void verifyValidToken(final Configuration configuration, final CustomAM customAM, org.apache.hadoop.security.token.Token<ClientToAMTokenIdentifier> token) throws IOException, InterruptedException {
        UserGroupInformation createRemoteUser = UserGroupInformation.createRemoteUser("me");
        createRemoteUser.addToken(token);
        createRemoteUser.doAs(new PrivilegedExceptionAction<Void>() { // from class: org.apache.hadoop.yarn.server.resourcemanager.security.TestClientToAMTokens.4
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public Void run() throws Exception {
                ((CustomProtocol) RPC.getProxy(CustomProtocol.class, 1L, customAM.address, configuration)).ping();
                Assert.assertTrue(customAM.pinged);
                return null;
            }
        });
    }
}
