package com.datastax.driver.dse.auth;

import com.datastax.driver.core.AuthProvider;
import com.datastax.driver.core.CCMBridge;
import com.datastax.driver.core.CCMConfig;
import com.datastax.driver.core.CreateCCM;
import com.datastax.driver.core.TestUtils;
import com.datastax.driver.core.exceptions.NoHostAvailableException;
import com.datastax.driver.core.utils.DseVersion;
import com.datastax.driver.dse.CCMDseTestsSupport;
import com.datastax.driver.dse.DseCluster;
import java.io.File;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import org.assertj.core.api.Assertions;
import org.testng.SkipException;
import org.testng.annotations.AfterClass;
import org.testng.annotations.BeforeClass;
import org.testng.annotations.Test;

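/**
 * Integration tests for {@link DseGSSAPIAuthProvider} against a CCM-managed DSE node configured
 * for Kerberos authentication.
 *
 * <p>An {@code EmbeddedADS} instance built {@code withKerberos()} is used as the KDC. It issues
 * keytabs for the two service principals ({@code dse/...} and {@code alternate/...}), for a known
 * user ({@code cassandra}) and for a principal named {@code unknown}.
 *
 * <p>Every test is in the {@code long} group. Each test method gets its own cluster
 * ({@code PER_METHOD}), configured by the provider method named in {@code @CCMConfig}.
 */
@CreateCCM(CreateCCM.TestMode.PER_METHOD)
@DseVersion("4.8")
@CCMConfig(createCluster = {false}, dirtiesContext = {true}, ccmProvider = "configureCCM")
/* loaded from: input_file:com/datastax/driver/dse/auth/DseGSSAPIAuthProviderTest.class */
public class DseGSSAPIAuthProviderTest extends CCMDseTestsSupport {
    private static final String realm = "DATASTAX.COM";
    private static final String address = TestUtils.IP_PREFIX + "1";
    private final EmbeddedADS adsServer = EmbeddedADS.builder().withKerberos().withRealm(realm).withAddress(address).build();
    // Service principals embed the directory server's host name.
    private final String servicePrincipal = "dse/" + this.adsServer.getHostname() + "@" + realm;
    private final String alternateServicePrincipal = "alternate/" + this.adsServer.getHostname() + "@" + realm;
    // Client principals used by the positive and the negative tests respectively.
    private final String userPrincipal = "cassandra@DATASTAX.COM";
    private final String unknownPrincipal = "unknown@DATASTAX.COM";
    // Keytabs hold long-term Kerberos keys; these are generated per run by setupKDC().
    private File userKeytab;
    private File unknownKeytab;
    private File dseKeytab;
    private File alternateKeytab;

    /**
     * Starts the embedded directory server (unless it is already started) and creates the
     * keytabs used by the tests.
     *
     * <p>The {@code unknown} keytab is produced with {@code createKeytab} rather than
     * {@code addUserAndCreateKeytab}; presumably that leaves the principal unregistered in the
     * directory, which is what the negative keytab test relies on (confirm against
     * {@code EmbeddedADS}).
     *
     * @throws Exception if the server cannot be started or a keytab cannot be created
     */
    @BeforeClass(groups = {"long"})
    public void setupKDC() throws Exception {
        if (this.adsServer.isStarted()) {
            return;
        }
        this.adsServer.start();
        // NOTE(review): the second argument repeats the user name; if it is the account password,
        // that is acceptable only because these are throwaway accounts on an embedded test KDC.
        this.dseKeytab = this.adsServer.addUserAndCreateKeytab("dse", "dse", this.servicePrincipal);
        this.alternateKeytab = this.adsServer.addUserAndCreateKeytab("alternate", "alternate", this.alternateServicePrincipal);
        this.userKeytab = this.adsServer.addUserAndCreateKeytab("cassandra", "cassandra", this.userPrincipal);
        this.unknownKeytab = this.adsServer.createKeytab("unknown", "unknown", this.unknownPrincipal);
    }

    /**
     * Stops the embedded directory server; {@code alwaysRun} makes this execute even when the
     * setup or a test failed.
     *
     * @throws Exception if the server cannot be stopped
     */
    @AfterClass(groups = {"long"}, alwaysRun = true)
    public void teardownKDC() throws Exception {
        this.adsServer.stop();
    }

    /**
     * Builds the CCM settings shared by both cluster flavours: the authenticator class, SASL
     * quality of protection {@code auth} (authentication only), and a JVM argument pointing the
     * node at the embedded server's {@code krb5.conf}.
     *
     * <p>For DSE major version 5 and later, {@code DseAuthenticator} is used and Kerberos is
     * enabled as the default scheme through {@code authentication_options}; earlier versions use
     * {@code KerberosAuthenticator}.
     *
     * @return a builder that callers extend with keytab and service-principal settings
     */
    CCMBridge.Builder baseAuthenticationConfiguration() {
        boolean dse5OrLater = CCMBridge.getGlobalDSEVersion().getMajor() >= 5;
        String authenticator = dse5OrLater
                ? "com.datastax.bdp.cassandra.auth.DseAuthenticator"
                : "com.datastax.bdp.cassandra.auth.KerberosAuthenticator";
        CCMBridge.Builder builder = CCMBridge.builder()
                .withCassandraConfiguration("authenticator", authenticator)
                .withDSEConfiguration("kerberos_options.qop", "auth")
                .withJvmArgs(
                        "-Dcassandra.superuser_setup_delay_ms=0",
                        "-Djava.security.krb5.conf=" + this.adsServer.getKrb5Conf().getAbsolutePath());
        if (dse5OrLater) {
            builder = builder
                    .withDSEConfiguration("authentication_options.enabled", "true")
                    .withDSEConfiguration("authentication_options.default_scheme", "kerberos");
        }
        return builder;
    }

    /**
     * Default cluster configuration: the {@code dse} service principal and its keytab.
     *
     * @return the CCM builder referenced by the class-level {@code @CCMConfig}
     */
    public CCMBridge.Builder configureCCM() {
        return baseAuthenticationConfiguration()
                .withDSEConfiguration("kerberos_options.keytab", this.dseKeytab.getAbsolutePath())
                .withDSEConfiguration("kerberos_options.service_principal", "dse/_HOST@" + realm);
    }

    /**
     * Alternate cluster configuration: the {@code alternate} service principal and its keytab,
     * with quality of protection {@code auth-conf} (authentication with integrity and
     * confidentiality) set on top of the base value {@code auth}.
     *
     * @return the CCM builder used by the tests annotated with this provider
     */
    public CCMBridge.Builder configureAlternateCCM() {
        return baseAuthenticationConfiguration()
                .withDSEConfiguration("kerberos_options.qop", "auth-conf")
                .withDSEConfiguration("kerberos_options.keytab", this.alternateKeytab.getAbsolutePath())
                .withDSEConfiguration("kerberos_options.service_principal", "alternate/_HOST@" + realm);
    }

    /**
     * Logs in through JAAS with the user keytab and hands the resulting {@link Subject} to the
     * auth provider, instead of letting the provider perform the login itself.
     */
    @Test(groups = {"long"})
    public void should_authenticate_using_subject() throws Exception {
        Configuration loginConfiguration = KerberosUtils.keytabClient(this.userKeytab, this.userPrincipal);
        LoginContext loginContext = new LoginContext("DseClient", (Subject) null, (CallbackHandler) null, loginConfiguration);
        loginContext.login();
        connectAndQuery((AuthProvider) DseGSSAPIAuthProvider.builder().withSubject(loginContext.getSubject()).build());
    }

    /** Authenticates with a keytab-based login configuration for the known user. */
    @Test(groups = {"long"})
    public void should_authenticate_using_kerberos_with_keytab() throws Exception {
        connectAndQuery(KerberosUtils.keytabClient(this.userKeytab, this.userPrincipal));
    }

    /**
     * Authenticates against the alternate service principal, selecting the SASL protocol name
     * through the {@code dse.sasl.protocol} system property.
     *
     * <p>The property is JVM-wide, so it is cleared on every exit path; other tests running
     * concurrently in the same JVM would still observe it while this test runs.
     */
    @CCMConfig(ccmProvider = "configureAlternateCCM")
    @Test(groups = {"long"})
    public void should_authenticate_using_kerberos_with_keytab_and_alternate_service_principal_using_system_property() throws Exception {
        try {
            System.setProperty("dse.sasl.protocol", "alternate");
            connectAndQuery((AuthProvider) DseGSSAPIAuthProvider.builder()
                    .withLoginConfiguration(KerberosUtils.keytabClient(this.userKeytab, this.userPrincipal))
                    .addSaslProperty("javax.security.sasl.qop", "auth-conf")
                    .build());
        } finally {
            System.clearProperty("dse.sasl.protocol");
        }
    }

    /**
     * Authenticates against the alternate service principal, selecting the SASL protocol name
     * on the provider builder rather than through a system property.
     */
    @CCMConfig(ccmProvider = "configureAlternateCCM")
    @Test(groups = {"long"})
    public void should_authenticate_using_kerberos_with_keytab_and_alternate_service_principal() throws Exception {
        connectAndQuery((AuthProvider) DseGSSAPIAuthProvider.builder()
                .withLoginConfiguration(KerberosUtils.keytabClient(this.userKeytab, this.userPrincipal))
                .withSaslProtocol("alternate")
                .addSaslProperty("javax.security.sasl.qop", "auth-conf")
                .build());
    }

    /**
     * Authenticates from the ticket cache after acquiring a ticket for the known user.
     *
     * <p>Skipped unless {@code os.name} indicates macOS or Linux, because the test depends on
     * {@code kinit} and {@code kdestroy}. The ticket is destroyed afterwards so that it cannot
     * satisfy a later test.
     */
    @Test(groups = {"long"})
    public void should_authenticate_using_kerberos_with_ticket() throws Exception {
        String osName = System.getProperty("os.name", "").toLowerCase();
        boolean unixLike = osName.contains("mac") || osName.contains("darwin") || osName.contains("nux");
        if (!unixLike) {
            throw new SkipException("This test requires a unix-based platform with kinit & kdestroy installed.");
        }
        KerberosUtils.acquireTicket(this.userPrincipal, this.userKeytab, this.adsServer);
        try {
            connectAndQuery(KerberosUtils.ticketClient(this.userPrincipal));
        } finally {
            KerberosUtils.destroyTicket(this.adsServer);
        }
    }

    /**
     * Expects the connection to fail when the ticket cache holds no ticket for the user.
     *
     * <p>NOTE(review): only the exception type is checked, so any reason for having no usable
     * host satisfies this test, not just a rejected authentication. Inspecting
     * {@code NoHostAvailableException.getErrors()} for the per-host cause would make the
     * assertion specific; confirm the cause type the driver reports before tightening it.
     */
    @Test(groups = {"long"}, expectedExceptions = {NoHostAvailableException.class})
    public void should_not_authenticate_if_no_ticket_in_cache() throws Exception {
        connectAndQuery(KerberosUtils.ticketClient(this.userPrincipal));
    }

    /**
     * Expects the connection to fail when the keytab belongs to the {@code unknown} principal.
     *
     * <p>NOTE(review): as with the empty-ticket-cache test, only the exception type is checked,
     * so a connectivity failure would also pass; asserting on the per-host cause would show that
     * the rejection came from authentication.
     */
    @Test(groups = {"long"}, expectedExceptions = {NoHostAvailableException.class})
    public void should_not_authenticate_if_keytab_does_not_map_to_valid_principal() throws Exception {
        connectAndQuery(KerberosUtils.keytabClient(this.unknownKeytab, this.unknownPrincipal));
    }

    /**
     * Wraps a JAAS login configuration in a {@link DseGSSAPIAuthProvider} and runs the
     * connect-and-query check with it.
     *
     * @param configuration the login configuration the provider should log in with
     */
    private void connectAndQuery(Configuration configuration) {
        connectAndQuery((AuthProvider) DseGSSAPIAuthProvider.builder().withLoginConfiguration(configuration).build());
    }

    /**
     * Connects to the test cluster with the given auth provider and asserts that a query on
     * {@code system.local} returns a row.
     *
     * @param authProvider the provider used to authenticate the connection
     */
    private void connectAndQuery(AuthProvider authProvider) {
        DseCluster cluster = mo16createClusterBuilder()
                .addContactPointsWithPorts(getContactPointsWithPorts())
                .withAuthProvider(authProvider)
                .build();
        try {
            Assertions.assertThat(cluster.connect().execute("select * from system.local").one()).isNotNull();
        } finally {
            // A single close on every path; the catch-and-rethrow form closed again if close() itself threw.
            cluster.close();
        }
    }
}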
