package org.apache.hadoop.ozone.security;

import java.io.File;
import java.io.IOException;
import java.security.KeyPair;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.hdds.security.x509.certificate.client.OMCertificateClient;
import org.apache.hadoop.hdds.server.ServerUtils;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.ozone.om.OmMetadataManagerImpl;
import org.apache.hadoop.ozone.om.S3SecretManager;
import org.apache.hadoop.ozone.om.S3SecretManagerImpl;
import org.apache.hadoop.ozone.om.helpers.S3SecretValue;
import org.apache.hadoop.ozone.protocol.proto.OzoneManagerProtocolProtos;
import org.apache.hadoop.ozone.security.OzoneDelegationTokenSecretManager;
import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.ssl.KeyStoreTestUtil;
import org.apache.hadoop.security.token.SecretManager;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.test.LambdaTestUtils;
import org.apache.hadoop.util.Time;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.TemporaryFolder;

/* loaded from: input_file:org/apache/hadoop/ozone/security/TestOzoneDelegationTokenSecretManager.class */
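/**
 * Unit tests for {@link OzoneDelegationTokenSecretManager}: creating,
 * renewing and cancelling delegation tokens, verifying token signatures
 * against the OM certificate, and validating S3 AUTHINFO identifiers.
 *
 * <p>Each test builds (and normally starts) its own secret manager;
 * {@link #tearDown} stops whichever instance the test left in
 * {@link #secretManager}.
 */
public class TestOzoneDelegationTokenSecretManager {
    private static final Text TEST_USER = new Text("testUser");
    /** Defaults handed to the secret-manager builder unless a test overrides them (ms). */
    private static final long TOKEN_MAX_LIFETIME = 20000;
    private static final long TOKEN_REMOVER_SCAN_INTERVAL = 20000;
    /** Secret the stub S3 secret manager returns for access id {@code testuser1}. */
    private static final String S3_SECRET = "dbaksbzljandlkandlsd";
    /** Fixed SigV4 string-to-sign and signature shared by the S3 AUTHINFO tests. */
    private static final String S3_STR_TO_SIGN =
        "AWS4-HMAC-SHA256\n20190221T002037Z\n20190221/us-west-1/s3/aws4_request\n"
        + "c297c080cce4e0927779823d3fd1f5cae71481a8f7dfc7e18d91851294efc47d";
    private static final String S3_SIGNATURE =
        "56ec73ba1974f8feda8365c3caef89c5d4a688d5f9baccf4765f46a14cd745ad";
    /** Message fragment the secret manager reports when an access id has no stored secret. */
    private static final String NO_S3_SECRET_MSG = " No S3 secret found for S3 identifier";

    private OzoneDelegationTokenSecretManager secretManager;
    private SecurityConfig securityConfig;
    private CertificateClient certificateClient;
    /**
     * Default token renew interval passed to the builder. It is derived from the
     * monotonic clock and is therefore very large, so tokens created with the
     * defaults do not expire within a test (see {@link #testRenewTokenFailureRenewalTime}
     * for the short-interval case).
     */
    private long tokenRenewInterval;
    private Text serviceRpcAdd;
    private OzoneConfiguration conf;
    private S3SecretManager s3SecretManager;

    @Rule
    public TemporaryFolder folder = new TemporaryFolder();

    /**
     * Prepares a fresh configuration, a test certificate client, and a stub
     * S3 secret manager that knows only two access ids.
     */
    @Before
    public void setUp() throws Exception {
        conf = createNewTestPath();
        securityConfig = new SecurityConfig(conf);
        certificateClient = setupCertificateClient();
        certificateClient.init();
        tokenRenewInterval = Time.monotonicNow() + 86400;
        serviceRpcAdd = new Text("localhost");

        // Stub secret store: only these access ids resolve to a secret, so any
        // other id must be rejected by S3 AUTHINFO validation.
        final Map<String, String> s3Secrets = new HashMap<>();
        s3Secrets.put("testuser1", S3_SECRET);
        s3Secrets.put("abc", "djakjahkd");
        s3SecretManager = new S3SecretManagerImpl(conf, new OmMetadataManagerImpl(conf)) {
            @Override
            public S3SecretValue getS3Secret(String kerberosId) {
                String secret = s3Secrets.get(kerberosId);
                return secret == null ? null : new S3SecretValue(kerberosId, secret);
            }

            @Override
            public String getS3UserSecretString(String awsAccessKey) {
                return s3Secrets.get(awsAccessKey);
            }
        };
    }

    /**
     * Creates a configuration with OM Ratis disabled whose metadata dir is a
     * fresh temporary folder, so each test starts from an empty token store.
     *
     * @throws IOException if the temporary folder cannot be created
     */
    private OzoneConfiguration createNewTestPath() throws IOException {
        OzoneConfiguration ozoneConf = new OzoneConfiguration();
        ozoneConf.setBoolean("ozone.om.ratis.enable", false);
        File metaDir = folder.newFolder();
        if (!metaDir.exists()) {
            Assert.assertTrue("could not create " + metaDir, metaDir.mkdirs());
        }
        ServerUtils.setOzoneMetaDirPath(ozoneConf, metaDir.toString());
        return ozoneConf;
    }

    /**
     * Builds an OM certificate client backed by a locally generated RSA key
     * pair and a 30-day {@code CN=OzoneMaster} certificate. Every accessor
     * returns that same key pair/certificate, regardless of the serial id asked for.
     */
    private CertificateClient setupCertificateClient() throws Exception {
        final KeyPair keyPair = KeyStoreTestUtil.generateKeyPair("RSA");
        final X509Certificate certificate =
            KeyStoreTestUtil.generateCertificate("CN=OzoneMaster", keyPair, 30, "SHA256withRSA");
        return new OMCertificateClient(securityConfig) {
            @Override
            public X509Certificate getCertificate() {
                return certificate;
            }

            @Override
            public PrivateKey getPrivateKey() {
                return keyPair.getPrivate();
            }

            @Override
            public PublicKey getPublicKey() {
                return keyPair.getPublic();
            }

            @Override
            public X509Certificate getCertificate(String certSerialId) {
                return certificate;
            }
        };
    }

    /** Stops the manager left behind by the test, if the test got far enough to create one. */
    @After
    public void tearDown() throws IOException {
        if (secretManager != null) {
            secretManager.stop();
        }
    }

    /**
     * Builds a secret manager with the given settings, starts it, and stores
     * it in {@link #secretManager} so {@link #tearDown} can stop it.
     */
    private void startSecretManager(long maxLifetime, long renewInterval, long removerScanInterval)
        throws Exception {
        secretManager = createSecretManager(conf, maxLifetime, renewInterval, removerScanInterval);
        secretManager.start(certificateClient);
    }

    /** Builds and starts a secret manager with the class-level defaults. */
    private void startDefaultSecretManager() throws Exception {
        startSecretManager(TOKEN_MAX_LIFETIME, tokenRenewInterval, TOKEN_REMOVER_SCAN_INTERVAL);
    }

    /** Issues a token whose owner, renewer and real user are all {@link #TEST_USER}. */
    private Token<OzoneTokenIdentifier> createTestUserToken() throws IOException {
        return secretManager.createToken(TEST_USER, TEST_USER, TEST_USER);
    }

    /**
     * A created token carries the requested principals in its identifier and a
     * password that is a valid signature over the identifier bytes.
     */
    @Test
    public void testCreateToken() throws Exception {
        startDefaultSecretManager();
        Token<OzoneTokenIdentifier> token = createTestUserToken();
        OzoneTokenIdentifier id = OzoneTokenIdentifier.readProtoBuf(token.getIdentifier());
        Assert.assertEquals(TEST_USER, id.getRealUser());
        Assert.assertEquals(TEST_USER, id.getRenewer());
        Assert.assertEquals(TEST_USER, id.getOwner());
        validateHash(token.getPassword(), token.getIdentifier());
    }

    /**
     * Stops the current manager and builds a new one over the same
     * configuration (hence the same metadata dir). The replacement is
     * deliberately not started; the reload test exercises it as built.
     */
    private void restartSecretManager() throws IOException {
        secretManager.stop();
        // Leave the field null until the replacement exists so tearDown never
        // stops the old instance a second time if creation fails.
        secretManager = null;
        secretManager = createSecretManager(conf, TOKEN_MAX_LIFETIME, tokenRenewInterval,
            TOKEN_REMOVER_SCAN_INTERVAL);
    }

    /**
     * Creates a token, optionally restarts the manager, and asserts the
     * renewer named in the token may renew it.
     *
     * @param restartBeforeRenew whether to rebuild the manager between issue and renew
     */
    private void testRenewTokenSuccessHelper(boolean restartBeforeRenew) throws Exception {
        startDefaultSecretManager();
        Token<OzoneTokenIdentifier> token = createTestUserToken();
        Thread.sleep(50L);
        if (restartBeforeRenew) {
            // NOTE(review): the rebuilt manager must still know the token, presumably
            // because token state is persisted under the OM metadata dir — confirm.
            restartSecretManager();
        }
        Assert.assertTrue(secretManager.renewToken(token, TEST_USER.toString()) > 0);
    }

    @Test
    public void testReloadAndRenewToken() throws Exception {
        testRenewTokenSuccessHelper(true);
    }

    @Test
    public void testRenewTokenSuccess() throws Exception {
        testRenewTokenSuccessHelper(false);
    }

    /** A principal that is not the token's renewer must not be able to renew it. */
    @Test
    public void testRenewTokenFailure() throws Exception {
        startDefaultSecretManager();
        final Token<OzoneTokenIdentifier> token = createTestUserToken();
        LambdaTestUtils.intercept(AccessControlException.class, "rougeUser tries to renew a token", () -> {
            secretManager.renewToken(token, "rougeUser");
        });
    }

    /** A token past its max lifetime cannot be renewed even by its renewer. */
    @Test
    public void testRenewTokenFailureMaxTime() throws Exception {
        startSecretManager(100L, 100L, TOKEN_REMOVER_SCAN_INTERVAL);
        final Token<OzoneTokenIdentifier> token = createTestUserToken();
        // Sleep just past the 100 ms max lifetime configured above.
        Thread.sleep(101L);
        LambdaTestUtils.intercept(IOException.class, "testUser tried to renew an expired token", () -> {
            secretManager.renewToken(token, TEST_USER.toString());
        });
    }

    /** A token whose renew interval has elapsed is reported as expired on renewal. */
    @Test
    public void testRenewTokenFailureRenewalTime() throws Exception {
        startSecretManager(10000L, 10L, TOKEN_REMOVER_SCAN_INTERVAL);
        final Token<OzoneTokenIdentifier> token = createTestUserToken();
        // Sleep past the 10 ms renew interval while staying within max lifetime.
        Thread.sleep(15L);
        LambdaTestUtils.intercept(IOException.class, "is expired", () -> {
            secretManager.renewToken(token, TEST_USER.toString());
        });
    }

    /** A freshly created identifier has empty owner, real user and renewer. */
    @Test
    public void testCreateIdentifier() throws Exception {
        startDefaultSecretManager();
        OzoneTokenIdentifier id = secretManager.createIdentifier();
        Text empty = new Text("");
        Assert.assertEquals(empty, id.getOwner());
        Assert.assertEquals(empty, id.getRealUser());
        Assert.assertEquals(empty, id.getRenewer());
    }

    /** The token's own user may cancel it. */
    @Test
    public void testCancelTokenSuccess() throws Exception {
        startDefaultSecretManager();
        secretManager.cancelToken(createTestUserToken(), TEST_USER.toString());
    }

    /** A principal unrelated to the token must not be able to cancel it. */
    @Test
    public void testCancelTokenFailure() throws Exception {
        startDefaultSecretManager();
        final Token<OzoneTokenIdentifier> token = createTestUserToken();
        LambdaTestUtils.intercept(AccessControlException.class, "rougeUser is not authorized to cancel the token", () -> {
            secretManager.cancelToken(token, "rougeUser");
        });
    }

    /**
     * An identifier that names the OM's certificate serial and is signed with
     * the OM private key verifies.
     */
    @Test
    public void testVerifySignatureSuccess() throws Exception {
        startDefaultSecretManager();
        OzoneTokenIdentifier id = new OzoneTokenIdentifier();
        id.setOmCertSerialId(certificateClient.getCertificate().getSerialNumber().toString());
        id.setMaxDate(Time.now() + 86400);
        id.setOwner(new Text("test"));
        byte[] signature = certificateClient.signData(id.getBytes());
        Assert.assertTrue(secretManager.verifySignature(id, signature));
    }

    /**
     * An identifier naming an unknown certificate serial, paired with bytes that
     * are not a signature at all, must be rejected rather than accepted by default.
     */
    @Test
    public void testVerifySignatureFailure() throws Exception {
        startDefaultSecretManager();
        OzoneTokenIdentifier id = new OzoneTokenIdentifier();
        id.setOmCertSerialId("1927393");
        id.setMaxDate(Time.now() + 86400);
        id.setOwner(new Text("test"));
        Assert.assertFalse(secretManager.verifySignature(id, id.getBytes()));
    }

    /**
     * Builds an S3 AUTHINFO identifier carrying the shared string-to-sign and
     * signature for the given access id.
     */
    private static OzoneTokenIdentifier newS3AuthInfoIdentifier(String awsAccessId) {
        OzoneTokenIdentifier id = new OzoneTokenIdentifier();
        id.setTokenType(OzoneManagerProtocolProtos.OMTokenProto.Type.S3AUTHINFO);
        id.setSignature(S3_SIGNATURE);
        id.setStrToSign(S3_STR_TO_SIGN);
        id.setAwsAccessId(awsAccessId);
        id.setOwner(new Text(awsAccessId));
        return id;
    }

    /** Asserts that password retrieval for {@code id} fails because no S3 secret is stored for it. */
    private void assertNoS3SecretFound(final OzoneTokenIdentifier id) throws Exception {
        LambdaTestUtils.intercept(SecretManager.InvalidToken.class, NO_S3_SECRET_MSG,
            () -> secretManager.retrievePassword(id));
    }

    /** A known access id with the matching signature passes validation (no exception). */
    @Test
    public void testValidateS3AUTHINFOSuccess() throws Exception {
        startDefaultSecretManager();
        secretManager.retrievePassword(newS3AuthInfoIdentifier("testuser1"));
    }

    /**
     * An access id with no stored secret is rejected. Note that all three cases
     * below expect the same "no secret" failure: because {@code testuser2} is
     * unknown, the malformed string-to-sign and signature in the later cases are
     * never compared against a real secret, so this test does not cover a
     * signature mismatch for a known access id.
     */
    @Test
    public void testValidateS3AUTHINFOFailure() throws Exception {
        startDefaultSecretManager();
        OzoneTokenIdentifier id = newS3AuthInfoIdentifier("testuser2");
        assertNoS3SecretFound(id);

        id.setStrToSign(S3_STR_TO_SIGN + "+invalidhash");
        assertNoS3SecretFound(id);

        id.setSignature("56ec73ba1974f8feda8365c3caef89c5d4a688d+invalidhash5f9baccf4765f46a14cd745ad");
        id.setStrToSign(S3_STR_TO_SIGN);
        assertNoS3SecretFound(id);
    }

    /**
     * Checks that {@code password} is a valid signature over {@code identifier}
     * under the OM public key, using the configured signature algorithm/provider.
     */
    private void validateHash(byte[] password, byte[] identifier) throws Exception {
        Signature verifier = Signature.getInstance(securityConfig.getSignatureAlgo(),
            securityConfig.getProvider());
        verifier.initVerify(certificateClient.getPublicKey());
        verifier.update(identifier);
        Assert.assertTrue(verifier.verify(password));
    }

    /**
     * Builds a secret manager over the given configuration and timing settings,
     * wired to this test's service name, S3 secret stub and certificate client.
     *
     * @param ozoneConf configuration supplying the metadata dir
     * @param maxLifetime token max lifetime (ms)
     * @param renewInterval token renew interval (ms)
     * @param removerScanInterval interval of the expired-token remover (ms)
     */
    private OzoneDelegationTokenSecretManager createSecretManager(OzoneConfiguration ozoneConf,
        long maxLifetime, long renewInterval, long removerScanInterval) throws IOException {
        return new OzoneDelegationTokenSecretManager.Builder()
            .setConf(ozoneConf)
            .setTokenMaxLifetime(maxLifetime)
            .setTokenRenewInterval(renewInterval)
            .setTokenRemoverScanInterval(removerScanInterval)
            .setService(serviceRpcAdd)
            .setS3SecretManager(s3SecretManager)
            .setCertificateClient(certificateClient)
            .setOmServiceId("omServiceIdDefault")
            .build();
    }
}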
