package alluxio.client.fs;

import alluxio.AlluxioURI;
import alluxio.annotation.dora.DoraTestTodoItem;
import alluxio.client.file.FileSystem;
import alluxio.client.file.FileSystemContext;
import alluxio.client.file.URIStatus;
import alluxio.conf.Configuration;
import alluxio.conf.PropertyKey;
import alluxio.exception.status.UnauthenticatedException;
import alluxio.grpc.SetAttributePOptions;
import alluxio.security.CurrentUser;
import alluxio.security.authorization.Mode;
import alluxio.security.group.GroupMappingService;
import alluxio.testutils.BaseIntegrationTest;
import alluxio.testutils.LocalAlluxioClusterResource;
import com.google.common.collect.Lists;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import javax.security.auth.Subject;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Ignore;
import org.junit.Rule;
import org.junit.Test;

/**
 * Integration tests for client impersonation: a client that authenticates as
 * {@code alluxio_user} (the connection user) asks to act as the user carried in its
 * {@link Subject}, and the tests check when that request is honored.
 *
 * <p>What the tests pin down, as far as this file shows:
 * <ul>
 *   <li>With neither the {@code ...impersonation.alluxio_user.users} nor the
 *       {@code ...impersonation.alluxio_user.groups} property set, impersonation is refused
 *       (default deny).</li>
 *   <li>The users list and the groups list are alternatives: a match on either one is enough,
 *       so a restrictive users list does not narrow a permissive groups list.</li>
 *   <li>A refusal surfaces to the client as {@link UnauthenticatedException}.</li>
 * </ul>
 *
 * <p>NOTE(review): the class is annotated {@code @Ignore}, so none of these authorization checks
 * run at present; impersonation has no integration coverage from this class until it is
 * re-enabled.
 */
@DoraTestTodoItem(
    action = DoraTestTodoItem.Action.FIX,
    owner = "bowen",
    comment = "pending security features in dora")
@Ignore
public final class ImpersonationIntegrationTest extends BaseIntegrationTest {
    private static final String IMPERSONATION_USER = "impersonation_user";
    private static final String IMPERSONATION_GROUP1 = "impersonation_group1";
    private static final String IMPERSONATION_GROUP2 = "impersonation_group2";
    private static final String HDFS_USER = "hdfs_user";
    private static final String HDFS_GROUP1 = "hdfs_group1";
    private static final String HDFS_GROUP2 = "hdfs_group2";
    // Identity the client logs in with; the impersonation ACL keys below are scoped to it.
    private static final String CONNECTION_USER = "alluxio_user";
    private static final String IMPERSONATION_GROUPS_CONFIG =
        "alluxio.master.security.impersonation.alluxio_user.groups";
    private static final String IMPERSONATION_USERS_CONFIG =
        "alluxio.master.security.impersonation.alluxio_user.users";
    // user name -> comma-separated group names, served by CustomGroupMapping.
    private static final HashMap<String, String> GROUPS = new HashMap<>();

    // The group-mapping cache timeout is set to 0 and the mapping class is replaced by
    // CustomGroupMapping, so group membership comes from GROUPS.
    // Presumably a timeout of 0 disables caching; confirm against the property's documentation.
    @Rule
    public LocalAlluxioClusterResource mLocalAlluxioClusterResource =
        new LocalAlluxioClusterResource.Builder()
            .setProperty(PropertyKey.USER_METRICS_COLLECTION_ENABLED, false)
            .setProperty(PropertyKey.SECURITY_LOGIN_USERNAME, CONNECTION_USER)
            .setProperty(PropertyKey.SECURITY_GROUP_MAPPING_CACHE_TIMEOUT_MS, 0)
            .setProperty(PropertyKey.SECURITY_GROUP_MAPPING_CLASS, CustomGroupMapping.class.getName())
            .build();

    /** Group mapping backed by the static {@code GROUPS} table of the enclosing test. */
    public static class CustomGroupMapping implements GroupMappingService {
        /**
         * Looks up the groups of a user.
         *
         * @param str the user name
         * @return the user's groups, or an empty list for a user that is not in the table
         */
        public List<String> getGroups(String str) {
            if (!GROUPS.containsKey(str)) {
                return new ArrayList<>();
            }
            return Lists.newArrayList(GROUPS.get(str).split(","));
        }
    }

    /** Restores the configuration that a test may have changed through {@code Configuration.set}. */
    @After
    public void after() throws Exception {
        Configuration.reloadProperties();
    }

    /**
     * Opens up the root directory and asks the client to impersonate the user in its Subject.
     */
    @Before
    public void before() throws Exception {
        FileSystem rootFs = FileSystem.Factory.create();
        // 0777 (decimal 511): root is writable by everyone, so a failure in a test comes from the
        // impersonation check and not from file permissions of the effective user.
        SetAttributePOptions openRoot =
            SetAttributePOptions.newBuilder().setMode(new Mode((short) 0777).toProto()).build();
        rootFs.setAttribute(new AlluxioURI("/"), openRoot);
        Configuration.set(PropertyKey.SECURITY_LOGIN_IMPERSONATION_USERNAME, "_HDFS_USER_");
    }

    /** Fills the group table used by {@link CustomGroupMapping}. */
    @BeforeClass
    public static void beforeClass() {
        GROUPS.put(IMPERSONATION_USER, IMPERSONATION_GROUP1 + "," + IMPERSONATION_GROUP2);
        GROUPS.put(HDFS_USER, HDFS_GROUP1 + "," + HDFS_GROUP2);
    }

    /** With the impersonation user set to {@code _NONE_}, the file is not owned by another user. */
    @Test
    @LocalAlluxioClusterResource.Config(confParams = {IMPERSONATION_GROUPS_CONFIG, "*"})
    public void impersonationNotUsed() throws Exception {
        Configuration.set(PropertyKey.SECURITY_LOGIN_IMPERSONATION_USERNAME, "_NONE_");
        String owner = createFileAndReadOwner(createHdfsSubject());
        // NOTE(review): this only rules out IMPERSONATION_USER, a name no principal in this test
        // carries. Asserting the expected owner (presumably CONNECTION_USER, to be confirmed)
        // would also catch an unintended impersonation of HDFS_USER.
        Assert.assertNotEquals(IMPERSONATION_USER, owner);
    }

    /**
     * A free-form impersonation user name does not become the file owner, even with the
     * wildcard groups ACL.
     */
    @Test
    @LocalAlluxioClusterResource.Config(confParams = {IMPERSONATION_GROUPS_CONFIG, "*"})
    public void impersonationArbitraryUserDisallowed() throws Exception {
        Configuration.set(PropertyKey.SECURITY_LOGIN_IMPERSONATION_USERNAME, "arbitrary_user");
        String owner = createFileAndReadOwner(createHdfsSubject());
        // NOTE(review): the request is expected to succeed here, so the name looks ignored rather
        // than rejected; the assertion does not say who the owner is. Pinning the expected owner
        // would make this a stronger regression check.
        Assert.assertNotEquals("arbitrary_user", owner);
    }

    /** Wildcard groups ACL: the connection user may impersonate the Subject's user. */
    @Test
    @LocalAlluxioClusterResource.Config(confParams = {IMPERSONATION_GROUPS_CONFIG, "*"})
    public void impersonationUsedHdfsUser() throws Exception {
        checkCreateFile(createHdfsSubject(), HDFS_USER);
    }

    /** No impersonation ACL configured at all: the request is refused. */
    @Test
    public void impersonationHdfsDisabled() throws Exception {
        assertImpersonationDenied();
    }

    /** Users ACL names exactly the impersonated user. */
    @Test
    @LocalAlluxioClusterResource.Config(confParams = {IMPERSONATION_USERS_CONFIG, HDFS_USER})
    public void impersonationHdfsUserAllowed() throws Exception {
        checkCreateFile(createHdfsSubject(), HDFS_USER);
    }

    /** Users ACL is a comma-separated list that contains the impersonated user. */
    @Test
    @LocalAlluxioClusterResource.Config(
        confParams = {IMPERSONATION_USERS_CONFIG, "wrong_user1,wrong_user2,hdfs_user"})
    public void impersonationHdfsUsersAllowed() throws Exception {
        checkCreateFile(createHdfsSubject(), HDFS_USER);
    }

    /** Users ACL does not contain the impersonated user: refused. */
    @Test
    @LocalAlluxioClusterResource.Config(confParams = {IMPERSONATION_USERS_CONFIG, "wrong_user"})
    public void impersonationHdfsUserDenied() throws Exception {
        assertImpersonationDenied();
    }

    /** Both ACLs match. */
    @Test
    @LocalAlluxioClusterResource.Config(
        confParams = {IMPERSONATION_USERS_CONFIG, HDFS_USER, IMPERSONATION_GROUPS_CONFIG, HDFS_GROUP1})
    public void impersonationUsersAllowedGroupsAllowed() throws Exception {
        checkCreateFile(createHdfsSubject(), HDFS_USER);
    }

    /** Users ACL misses but the groups ACL matches: still allowed (the lists are OR-combined). */
    @Test
    @LocalAlluxioClusterResource.Config(
        confParams = {IMPERSONATION_USERS_CONFIG, "wrong_user", IMPERSONATION_GROUPS_CONFIG, HDFS_GROUP1})
    public void impersonationUsersDeniedGroupsAllowed() throws Exception {
        checkCreateFile(createHdfsSubject(), HDFS_USER);
    }

    /** Groups ACL misses but the users ACL matches: still allowed (the lists are OR-combined). */
    @Test
    @LocalAlluxioClusterResource.Config(
        confParams = {IMPERSONATION_USERS_CONFIG, HDFS_USER, IMPERSONATION_GROUPS_CONFIG, "wrong_group"})
    public void impersonationUsersAllowedGroupsDenied() throws Exception {
        checkCreateFile(createHdfsSubject(), HDFS_USER);
    }

    /** Neither ACL matches: refused. */
    @Test
    @LocalAlluxioClusterResource.Config(
        confParams = {IMPERSONATION_USERS_CONFIG, "wrong_user", IMPERSONATION_GROUPS_CONFIG, "wrong_group"})
    public void impersonationUsersDeniedGroupsDenied() throws Exception {
        assertImpersonationDenied();
    }

    /** Groups ACL names one of the impersonated user's groups. */
    @Test
    @LocalAlluxioClusterResource.Config(confParams = {IMPERSONATION_GROUPS_CONFIG, HDFS_GROUP2})
    public void impersonationHdfsGroupAllowed() throws Exception {
        checkCreateFile(createHdfsSubject(), HDFS_USER);
    }

    /** Groups ACL is a comma-separated list that contains one of the user's groups. */
    @Test
    @LocalAlluxioClusterResource.Config(
        confParams = {IMPERSONATION_GROUPS_CONFIG, "impersonation_group1,impersonation_group2,hdfs_group1"})
    public void impersonationHdfsGroupsAllowed() throws Exception {
        checkCreateFile(createHdfsSubject(), HDFS_USER);
    }

    /** Groups ACL contains none of the user's groups: refused. */
    @Test
    @LocalAlluxioClusterResource.Config(confParams = {IMPERSONATION_GROUPS_CONFIG, "wrong_group"})
    public void impersonationHdfsGroupDenied() throws Exception {
        assertImpersonationDenied();
    }

    /**
     * Runs the create-file scenario as the HDFS subject and requires it to be refused with
     * {@link UnauthenticatedException}; any other outcome fails the test.
     */
    private void assertImpersonationDenied() throws Exception {
        try {
            checkCreateFile(createHdfsSubject(), HDFS_USER);
        } catch (UnauthenticatedException expected) {
            // The refusal is the outcome under test.
            return;
        }
        Assert.fail("Connection succeeded, but impersonation should be denied.");
    }

    /**
     * Creates a file through a client built for {@code subject} and checks who owns it.
     *
     * @param subject the subject handed to the client's file system context
     * @param expectedOwner the owner the new file must have
     */
    private void checkCreateFile(Subject subject, String expectedOwner) throws Exception {
        Assert.assertEquals(expectedOwner, createFileAndReadOwner(subject));
    }

    /**
     * Creates {@code /impersonation-test} through a client built for {@code subject}, checks that
     * it is the only entry under the root, and returns its owner.
     */
    private String createFileAndReadOwner(Subject subject) throws Exception {
        FileSystem client = mLocalAlluxioClusterResource.get()
            .getClient(FileSystemContext.create(subject, Configuration.global()));
        client.createFile(new AlluxioURI("/impersonation-test")).close();
        List<URIStatus> rootListing = client.listStatus(new AlluxioURI("/"));
        Assert.assertEquals(1, rootListing.size());
        return rootListing.get(0).getOwner();
    }

    /**
     * Builds a modifiable Subject whose only principal is {@code hdfs_user} and which carries no
     * credentials.
     */
    private Subject createHdfsSubject() {
        HashSet<CurrentUser> principals = new HashSet<>();
        principals.add(new CurrentUser(HDFS_USER));
        return new Subject(false, principals, new HashSet<>(), new HashSet<>());
    }
}
