package org.apache.hadoop.ozone;

import java.io.File;
import java.io.IOException;
import java.net.InetAddress;
import java.nio.file.Paths;
import java.util.Locale;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang3.RandomStringUtils;
import org.apache.hadoop.hdds.annotation.InterfaceAudience;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.hdds.scm.ScmConfig;
import org.apache.hadoop.hdds.scm.server.SCMHTTPServerConfig;
import org.apache.hadoop.hdds.scm.server.StorageContainerManager;
import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.keys.HDDSKeyGenerator;
import org.apache.hadoop.hdds.security.x509.keys.KeyCodec;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.ipc.Server;
import org.apache.hadoop.metrics2.lib.DefaultMetricsSystem;
import org.apache.hadoop.minikdc.MiniKdc;
import org.apache.hadoop.net.ServerSocketUtil;
import org.apache.hadoop.ozone.client.CertificateClientTestImpl;
import org.apache.hadoop.ozone.om.OMStorage;
import org.apache.hadoop.ozone.om.OzoneManager;
import org.apache.hadoop.ozone.om.exceptions.OMException;
import org.apache.hadoop.ozone.om.protocolPB.OmTransportFactory;
import org.apache.hadoop.ozone.om.protocolPB.OzoneManagerProtocolClientSideTranslatorPB;
import org.apache.hadoop.security.SaslRpcServer;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.test.GenericTestUtils;
import org.apache.hadoop.test.LambdaTestUtils;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.TemporaryFolder;
import org.junit.rules.Timeout;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.slf4j.event.Level;

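/**
 * Secure-cluster test for the Ozone Manager delegation token lifecycle.
 *
 * <p>A {@link MiniKdc} supplies Kerberos credentials for the SCM, the SPNEGO
 * endpoints, the OM and a test user. A secure {@link OzoneManager} is then
 * started and a token is walked through issue, renew, use under {@code TOKEN}
 * authentication, cancel and post-cancel rejection, with the RPC server audit
 * log checked at each step.
 */
@InterfaceAudience.Private
public final class TestDelegationToken {
    private static final String TEST_USER = "testUgiUser@EXAMPLE.COM";
    private static final String COMPONENT = "test";
    /** Milliseconds to pause after cancelling the token before reading the audit log. */
    private static final int CLIENT_TIMEOUT = 2000;
    private static final String OM_CERT_SERIAL_ID = "9879877970576";
    /** Number of consecutive ports {@link ServerSocketUtil#getPort} may probe from each base port. */
    private static final int PORT_RETRIES = 100;
    /** Audit-log fragment written by the RPC server when authentication is rejected. */
    private static final String AUTH_FAILED = "Auth failed for";
    private static final Logger LOG = LoggerFactory.getLogger(TestDelegationToken.class);

    @Rule
    public Timeout timeout = Timeout.seconds(80);

    @Rule
    public TemporaryFolder folder = new TemporaryFolder();
    private MiniKdc miniKdc;
    private OzoneConfiguration conf;
    private File workDir;
    private File scmKeytab;
    private File spnegoKeytab;
    private File omKeyTab;
    private File testUserKeytab;
    private String testUserPrincipal;
    // Never assigned by this test; stop() tolerates the null.
    private StorageContainerManager scm;
    private OzoneManager om;
    private String host;
    private OzoneManagerProtocolClientSideTranslatorPB omClient;

    /**
     * Builds a secure configuration, starts the KDC and creates the principals,
     * keytabs and OM key pair the test needs.
     *
     * @throws Exception if any setup step fails; the test is then reported as
     *     errored by JUnit rather than failing later with a null fixture
     */
    @Before
    public void init() throws Exception {
        conf = new OzoneConfiguration();
        conf.set("ozone.scm.client.address", "localhost");
        conf.setInt("ozone.scm.client.port", ServerSocketUtil.getPort(9860, PORT_RETRIES));
        conf.setInt("ozone.scm.datanode.port", ServerSocketUtil.getPort(9861, PORT_RETRIES));
        conf.setInt("ozone.scm.block.client.port", ServerSocketUtil.getPort(9863, PORT_RETRIES));
        conf.setInt("ozone.scm.security.service.port", ServerSocketUtil.getPort(9961, PORT_RETRIES));
        DefaultMetricsSystem.setMiniClusterMode(true);
        conf.set("ozone.metadata.dirs", Paths.get(folder.newFolder().toString(), "om-meta").toString());
        conf.setBoolean("ozone.security.enabled", true);
        conf.set("hadoop.security.authentication", UserGroupInformation.AuthenticationMethod.KERBEROS.name());
        workDir = GenericTestUtils.getTestDir(getClass().getSimpleName());
        startMiniKdc();
        setSecureConfig();
        createCredentialsInKDC();
        generateKeyPair();
    }

    /**
     * Best-effort teardown: stops the KDC and the SCM (if any) and closes the OM
     * and client. Failures are logged, not rethrown, so one broken component does
     * not hide the test result.
     */
    @After
    public void stop() {
        try {
            stopMiniKdc();
            if (scm != null) {
                scm.stop();
            }
            IOUtils.closeQuietly(om);
            IOUtils.closeQuietly(omClient);
        } catch (Exception e) {
            LOG.error("Failed to stop TestDelegationToken", e);
        }
    }

    /**
     * Registers the SCM, SPNEGO, test-user and OM principals with the KDC,
     * writing each one's keytab to the path chosen in {@link #setSecureConfig()}.
     *
     * @throws Exception if the KDC rejects a principal
     */
    private void createCredentialsInKDC() throws Exception {
        ScmConfig scmConfig = conf.getObject(ScmConfig.class);
        SCMHTTPServerConfig httpConfig = conf.getObject(SCMHTTPServerConfig.class);
        createPrincipal(scmKeytab, scmConfig.getKerberosPrincipal());
        createPrincipal(spnegoKeytab, httpConfig.getKerberosPrincipal());
        createPrincipal(testUserKeytab, testUserPrincipal);
        createPrincipal(omKeyTab, conf.get("ozone.om.kerberos.principal"));
    }

    /**
     * Creates one or more principals in the KDC and stores their keys in {@code keytab}.
     *
     * @param keytab file the KDC writes the keys to
     * @param principals principal names to create
     * @throws Exception if the KDC rejects a principal
     */
    private void createPrincipal(File keytab, String... principals) throws Exception {
        miniKdc.createPrincipal(keytab, principals);
    }

    /**
     * Starts a {@link MiniKdc} with its default configuration under {@link #workDir}.
     *
     * @throws Exception if the KDC fails to start
     */
    private void startMiniKdc() throws Exception {
        miniKdc = new MiniKdc(MiniKdc.createConf(), workDir);
        miniKdc.start();
    }

    /** Stops the KDC if {@link #startMiniKdc()} got as far as creating it. */
    private void stopMiniKdc() {
        if (miniKdc != null) {
            miniKdc.stop();
        }
    }

    /**
     * Derives the Kerberos principals for the SCM, the SPNEGO endpoints and the
     * OM from the local host name and the KDC realm, and points each service at
     * its keytab. The SPNEGO keytab is shared by the SCM and OM HTTP endpoints.
     *
     * @throws IOException if the local host name or current user cannot be resolved
     */
    private void setSecureConfig() throws IOException {
        conf.setBoolean("ozone.security.enabled", true);
        // Locale.ROOT keeps the principal's host component free of locale-specific case mapping.
        host = InetAddress.getLocalHost().getCanonicalHostName().toLowerCase(Locale.ROOT);
        conf.set("hadoop.security.authentication", "kerberos");
        conf.set("ozone.administrators", UserGroupInformation.getCurrentUser().getUserName());
        String realm = miniKdc.getRealm();
        String hostAtRealm = host + "@" + realm;
        conf.set("hdds.scm.kerberos.principal", "scm/" + hostAtRealm);
        conf.set(SCMHTTPServerConfig.ConfigStrings.HDDS_SCM_HTTP_KERBEROS_PRINCIPAL_KEY, "HTTP_SCM/" + hostAtRealm);
        conf.set("ozone.om.kerberos.principal", "om/" + hostAtRealm);
        conf.set("ozone.om.http.auth.kerberos.principal", "HTTP_OM/" + hostAtRealm);
        scmKeytab = new File(workDir, "scm.keytab");
        spnegoKeytab = new File(workDir, "http.keytab");
        omKeyTab = new File(workDir, "om.keytab");
        testUserKeytab = new File(workDir, "testuser.keytab");
        testUserPrincipal = "test@" + realm;
        conf.set("hdds.scm.kerberos.keytab.file", scmKeytab.getAbsolutePath());
        conf.set(SCMHTTPServerConfig.ConfigStrings.HDDS_SCM_HTTP_KERBEROS_KEYTAB_FILE_KEY, spnegoKeytab.getAbsolutePath());
        conf.set("ozone.om.kerberos.keytab.file", omKeyTab.getAbsolutePath());
        conf.set("ozone.om.http.auth.kerberos.keytab", spnegoKeytab.getAbsolutePath());
    }

    /**
     * Exercises the full delegation token lifecycle against a secure OM:
     * <ol>
     *   <li>the Kerberos user obtains and renews a token;</li>
     *   <li>a user holding only the token authenticates via {@code TOKEN} and is
     *       audited as such;</li>
     *   <li>that user is refused renewal ({@code INVALID_AUTH_METHOD});</li>
     *   <li>the Kerberos user cancels the token;</li>
     *   <li>the token user is refused cancellation ({@code TOKEN_ERROR_OTHER})
     *       and the audit log records the failed authentication.</li>
     * </ol>
     *
     * @throws Exception on any setup, RPC or assertion failure
     */
    @Test
    public void testDelegationToken() throws Exception {
        GenericTestUtils.LogCapturer auditLog = GenericTestUtils.LogCapturer.captureLogs(Server.AUDITLOG);
        GenericTestUtils.LogCapturer omLog = GenericTestUtils.LogCapturer.captureLogs(OzoneManager.getLogger());
        GenericTestUtils.setLogLevel(LoggerFactory.getLogger(Server.class.getName()), Level.INFO);
        setupOm(conf);
        // No SCM runs in this test, so the OM's SCM-side clients are closed up front.
        om.getScmClient().getBlockClient().close();
        om.getScmClient().getContainerClient().close();
        UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
        String userName = currentUser.getUserName();
        try {
            om.setCertClient(new CertificateClientTestImpl(conf));
            om.start();
            omClient = newOmClient(currentUser);
            Assert.assertFalse(auditLog.getOutput().contains(authSuccess(userName, "KERBEROS")));
            Token token = omClient.getDelegationToken(new Text("om"));
            // Check for a missing token before passing it to renew, not via an NPE inside the call.
            Assert.assertNotNull(token);
            Assert.assertTrue(omClient.renewDelegationToken(token) > 0);
            Assert.assertEquals("OzoneToken", token.getKind().toString());
            Assert.assertEquals(OmUtils.getOmRpcAddress(conf), token.getService().toString());
            omClient.close();

            // Switch to a user that holds only the token; from here every RPC must authenticate via TOKEN.
            UserGroupInformation tokenUser = UserGroupInformation.createRemoteUser(TEST_USER);
            tokenUser.addToken(token);
            tokenUser.setAuthenticationMethod(SaslRpcServer.AuthMethod.TOKEN);
            UserGroupInformation.setLoginUser(tokenUser);
            tokenUser.doAs(() -> {
                omClient = newOmClient(tokenUser);
                return null;
            });
            // No TOKEN audit entry is expected until the first RPC below.
            Assert.assertFalse(auditLog.getOutput().contains(authSuccess(userName, "TOKEN")));
            OzoneTestUtils.expectOmException(OMException.ResultCodes.VOLUME_NOT_FOUND, () -> {
                omClient.deleteVolume("vol1");
            });
            Assert.assertTrue("Log file doesn't contain successful auth for user " + userName,
                auditLog.getOutput().contains(authSuccess(userName, "TOKEN")));
            omLog.clearOutput();

            // A TOKEN-authenticated caller must not be able to renew.
            Assert.assertEquals(OMException.ResultCodes.INVALID_AUTH_METHOD,
                LambdaTestUtils.intercept(OMException.class, "INVALID_AUTH_METHOD", () -> {
                    return Long.valueOf(omClient.renewDelegationToken(token));
                }).getResult());
            Assert.assertTrue(auditLog.getOutput().contains(authSuccess(userName, "TOKEN")));
            omLog.clearOutput();
            omClient.close();

            // Back to the Kerberos user, who cancels the token.
            UserGroupInformation.setLoginUser(currentUser);
            omClient = newOmClient(currentUser);
            omClient.cancelDelegationToken(token);
            omClient.close();
            // Pause before reading the audit log; no authentication failure should have occurred so far.
            Thread.sleep(CLIENT_TIMEOUT);
            Assert.assertFalse(auditLog.getOutput().contains(AUTH_FAILED));

            // The cancelled token no longer authenticates: the token user's cancel
            // attempt fails and the audit log records the rejection.
            omClient = newOmClient(tokenUser);
            Assert.assertEquals(OMException.ResultCodes.TOKEN_ERROR_OTHER,
                LambdaTestUtils.intercept(OMException.class, "Cancel delegation token failed", () -> {
                    omClient.cancelDelegationToken(token);
                }).getResult());
            Assert.assertTrue(auditLog.getOutput().contains(AUTH_FAILED));
        } finally {
            // Restore the JVM-wide login user even when an assertion fails mid-way, so a
            // TOKEN-only user does not leak into later tests; then shut the OM down.
            UserGroupInformation.setLoginUser(currentUser);
            om.stop();
            om.join();
        }
    }

    /**
     * Opens a new OM client that talks to the OM as {@code ugi}, with a random client id.
     *
     * @param ugi identity the transport is created for
     * @return the client; the caller owns it and must close it
     * @throws IOException if the transport cannot be created
     */
    private OzoneManagerProtocolClientSideTranslatorPB newOmClient(UserGroupInformation ugi) throws IOException {
        return new OzoneManagerProtocolClientSideTranslatorPB(
            OmTransportFactory.create(conf, ugi, (String) null), RandomStringUtils.randomAscii(5));
    }

    /**
     * Builds the audit-log line the RPC server writes on successful authentication.
     *
     * @param user authenticated user name
     * @param method SASL method name as it appears in the log, e.g. {@code KERBEROS} or {@code TOKEN}
     * @return the expected log fragment
     */
    private static String authSuccess(String user, String method) {
        return "Auth successful for " + user + " (auth:" + method + ")";
    }

    /**
     * Generates the OM's key pair with {@link HDDSKeyGenerator} and writes it under
     * {@link #COMPONENT}, overwriting any existing key.
     *
     * @throws Exception if key generation or writing fails
     */
    private void generateKeyPair() throws Exception {
        new KeyCodec(new SecurityConfig(conf), COMPONENT)
            .writeKey(new HDDSKeyGenerator(conf).generateKey(), true);
    }

    /**
     * Initialises OM storage with fixed cluster, SCM and certificate ids and
     * creates (but does not start) the OM in secure test mode.
     *
     * @param ozoneConfiguration configuration the OM is created from
     * @throws Exception if storage initialisation or OM creation fails
     */
    private void setupOm(OzoneConfiguration ozoneConfiguration) throws Exception {
        OMStorage omStore = new OMStorage(ozoneConfiguration);
        omStore.setClusterId("testClusterId");
        omStore.setScmId("testScmId");
        omStore.setOmCertSerialId(OM_CERT_SERIAL_ID);
        omStore.initialize();
        OzoneManager.setTestSecureOmFlag(true);
        om = OzoneManager.createOm(ozoneConfiguration);
    }
}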
