package org.apache.hadoop.hbase.security.access;

import com.google.protobuf.RpcController;
import com.google.protobuf.Service;
import com.google.protobuf.ServiceException;
import java.io.IOException;
import java.util.Collections;
import java.util.HashMap;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.AuthUtil;
import org.apache.hadoop.hbase.CellUtil;
import org.apache.hadoop.hbase.HBaseClassTestRule;
import org.apache.hadoop.hbase.HBaseTestingUtility;
import org.apache.hadoop.hbase.TableName;
import org.apache.hadoop.hbase.client.Admin;
import org.apache.hadoop.hbase.client.ColumnFamilyDescriptorBuilder;
import org.apache.hadoop.hbase.client.Connection;
import org.apache.hadoop.hbase.client.ConnectionFactory;
import org.apache.hadoop.hbase.client.Get;
import org.apache.hadoop.hbase.client.Put;
import org.apache.hadoop.hbase.client.Result;
import org.apache.hadoop.hbase.client.Table;
import org.apache.hadoop.hbase.client.TableDescriptor;
import org.apache.hadoop.hbase.client.TableDescriptorBuilder;
import org.apache.hadoop.hbase.coprocessor.MasterCoprocessor;
import org.apache.hadoop.hbase.coprocessor.RegionServerCoprocessor;
import org.apache.hadoop.hbase.ipc.protobuf.generated.TestProtos;
import org.apache.hadoop.hbase.ipc.protobuf.generated.TestRpcServiceProtos;
import org.apache.hadoop.hbase.quotas.SpaceQuotaHelperForTests;
import org.apache.hadoop.hbase.security.AccessDeniedException;
import org.apache.hadoop.hbase.security.User;
import org.apache.hadoop.hbase.security.access.Permission;
import org.apache.hadoop.hbase.testclassification.MediumTests;
import org.apache.hadoop.hbase.testclassification.SecurityTests;
import org.apache.hadoop.hbase.util.Bytes;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.ClassRule;
import org.junit.Rule;
import org.junit.Test;
import org.junit.experimental.categories.Category;
import org.junit.rules.TestName;
import org.mockito.Mockito;

@Category({SecurityTests.class, MediumTests.class})
/* loaded from: input_file:org/apache/hadoop/hbase/security/access/TestRpcAccessChecks.class */
public class TestRpcAccessChecks {

    @Rule
    public final TestName TEST_NAME = new TestName();
    private static Configuration conf;
    private static User USER_ADMIN;
    private static User USER_NON_ADMIN;
    private static User USER_IN_SUPERGROUPS;
    private static User USER_ADMIN_NOT_SUPER;
    private static final String GROUP_ADMIN = "admin_group";
    private static User USER_GROUP_ADMIN;

    @ClassRule
    public static final HBaseClassTestRule CLASS_RULE = HBaseClassTestRule.forClass(TestRpcAccessChecks.class);
    private static final HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility();

    /* JADX INFO: Access modifiers changed from: package-private */
    /* loaded from: input_file:org/apache/hadoop/hbase/security/access/TestRpcAccessChecks$Action.class */
    public interface Action {
        void run(Admin admin) throws Exception;
    }

    /* loaded from: input_file:org/apache/hadoop/hbase/security/access/TestRpcAccessChecks$DummyCpService.class */
    public static class DummyCpService implements MasterCoprocessor, RegionServerCoprocessor {
        public Iterable<Service> getServices() {
            return Collections.singleton(Mockito.mock(TestRpcServiceProtos.TestProtobufRpcProto.class));
        }
    }

    private static void enableSecurity(Configuration configuration) throws IOException {
        configuration.set("hadoop.security.authorization", "false");
        configuration.set("hadoop.security.authentication", "simple");
        configuration.set("hbase.coprocessor.master.classes", AccessController.class.getName() + "," + DummyCpService.class.getName());
        configuration.set("hbase.coprocessor.region.classes", AccessController.class.getName());
        configuration.set("hbase.coprocessor.regionserver.classes", AccessController.class.getName() + "," + DummyCpService.class.getName());
        configuration.set("hbase.security.authorization", "true");
        SecureTestUtil.configureSuperuser(configuration);
    }

    @BeforeClass
    public static void setup() throws Exception {
        conf = TEST_UTIL.getConfiguration();
        enableSecurity(conf);
        USER_ADMIN = User.createUserForTesting(conf, "admin", new String[0]);
        USER_NON_ADMIN = User.createUserForTesting(conf, "non_admin", new String[0]);
        USER_GROUP_ADMIN = User.createUserForTesting(conf, "user_group_admin", new String[]{GROUP_ADMIN});
        USER_IN_SUPERGROUPS = User.createUserForTesting(conf, "user_in_supergroup", new String[]{"supergroup"});
        USER_ADMIN_NOT_SUPER = User.createUserForTesting(conf, "normal_admin", new String[0]);
        TEST_UTIL.startMiniCluster();
        TEST_UTIL.waitUntilAllRegionsAssigned(PermissionStorage.ACL_TABLE_NAME);
        SecureTestUtil.grantGlobal(TEST_UTIL, AuthUtil.toGroupEntry(GROUP_ADMIN), Permission.Action.ADMIN, Permission.Action.CREATE);
        SecureTestUtil.grantGlobal(TEST_UTIL, USER_ADMIN_NOT_SUPER.getShortName(), Permission.Action.ADMIN);
    }

    private void verifyAllowed(User user, Action action) throws Exception {
        user.runAs(() -> {
            try {
                Connection createConnection = ConnectionFactory.createConnection(conf);
                Throwable th = null;
                try {
                    Admin admin = createConnection.getAdmin();
                    Throwable th2 = null;
                    try {
                        try {
                            action.run(admin);
                            if (admin != null) {
                                if (0 != 0) {
                                    try {
                                        admin.close();
                                    } catch (Throwable th3) {
                                        th2.addSuppressed(th3);
                                    }
                                } else {
                                    admin.close();
                                }
                            }
                            if (createConnection != null) {
                                if (0 != 0) {
                                    try {
                                        createConnection.close();
                                    } catch (Throwable th4) {
                                        th.addSuppressed(th4);
                                    }
                                } else {
                                    createConnection.close();
                                }
                            }
                            return null;
                        } catch (Throwable th5) {
                            th2 = th5;
                            throw th5;
                        }
                    } catch (Throwable th6) {
                        if (admin != null) {
                            if (th2 != null) {
                                try {
                                    admin.close();
                                } catch (Throwable th7) {
                                    th2.addSuppressed(th7);
                                }
                            } else {
                                admin.close();
                            }
                        }
                        throw th6;
                    }
                } finally {
                }
            } catch (IOException e) {
                Assert.fail(e.toString());
                return null;
            }
        });
    }

    private void verifyDenied(User user, Action action) throws Exception {
        user.runAs(() -> {
            boolean z = false;
            try {
                try {
                    Connection createConnection = ConnectionFactory.createConnection(conf);
                    Throwable th = null;
                    Admin admin = createConnection.getAdmin();
                    Throwable th2 = null;
                    try {
                        action.run(admin);
                        if (admin != null) {
                            if (0 != 0) {
                                try {
                                    admin.close();
                                } catch (Throwable th3) {
                                    th2.addSuppressed(th3);
                                }
                            } else {
                                admin.close();
                            }
                        }
                        if (createConnection != null) {
                            if (0 != 0) {
                                try {
                                    createConnection.close();
                                } catch (Throwable th4) {
                                    th.addSuppressed(th4);
                                }
                            } else {
                                createConnection.close();
                            }
                        }
                    } catch (Throwable th5) {
                        if (admin != null) {
                            if (0 != 0) {
                                try {
                                    admin.close();
                                } catch (Throwable th6) {
                                    th2.addSuppressed(th6);
                                }
                            } else {
                                admin.close();
                            }
                        }
                        throw th5;
                    }
                } finally {
                }
            } catch (AccessDeniedException e) {
                z = true;
            }
            Assert.assertTrue("Expected access to be denied", z);
            return null;
        });
    }

    private void verifiedDeniedServiceException(User user, Action action) throws Exception {
        user.runAs(() -> {
            boolean z = false;
            try {
                try {
                    Connection createConnection = ConnectionFactory.createConnection(conf);
                    Throwable th = null;
                    Admin admin = createConnection.getAdmin();
                    Throwable th2 = null;
                    try {
                        action.run(admin);
                        if (admin != null) {
                            if (0 != 0) {
                                try {
                                    admin.close();
                                } catch (Throwable th3) {
                                    th2.addSuppressed(th3);
                                }
                            } else {
                                admin.close();
                            }
                        }
                        if (createConnection != null) {
                            if (0 != 0) {
                                try {
                                    createConnection.close();
                                } catch (Throwable th4) {
                                    th.addSuppressed(th4);
                                }
                            } else {
                                createConnection.close();
                            }
                        }
                    } catch (Throwable th5) {
                        if (admin != null) {
                            if (0 != 0) {
                                try {
                                    admin.close();
                                } catch (Throwable th6) {
                                    th2.addSuppressed(th6);
                                }
                            } else {
                                admin.close();
                            }
                        }
                        throw th5;
                    }
                } finally {
                }
            } catch (ServiceException e) {
                if (e.getCause() instanceof AccessDeniedException) {
                    z = true;
                }
            }
            Assert.assertTrue("Expected access to be denied", z);
            return null;
        });
    }

    private void verifyAdminCheckForAction(Action action) throws Exception {
        verifyAllowed(USER_ADMIN, action);
        verifyAllowed(USER_GROUP_ADMIN, action);
        verifyDenied(USER_NON_ADMIN, action);
    }

    @Test
    public void testEnableCatalogJanitor() throws Exception {
        verifyAdminCheckForAction(admin -> {
            admin.enableCatalogJanitor(true);
        });
    }

    @Test
    public void testRunCatalogJanitor() throws Exception {
        verifyAdminCheckForAction(admin -> {
            admin.runCatalogJanitor();
        });
    }

    @Test
    public void testCleanerChoreRunning() throws Exception {
        verifyAdminCheckForAction(admin -> {
            admin.cleanerChoreSwitch(true);
        });
    }

    @Test
    public void testRunCleanerChore() throws Exception {
        verifyAdminCheckForAction(admin -> {
            admin.runCleanerChore();
        });
    }

    @Test
    public void testExecProcedure() throws Exception {
        verifyAdminCheckForAction(admin -> {
            admin.execProcedure("flush-table-proc", TableName.META_TABLE_NAME.getNameAsString(), new HashMap());
        });
    }

    @Test
    public void testExecService() throws Exception {
        Action action = admin -> {
            TestRpcServiceProtos.TestProtobufRpcProto.newBlockingStub(admin.coprocessorService()).ping((RpcController) null, TestProtos.EmptyRequestProto.getDefaultInstance());
        };
        verifyAllowed(USER_ADMIN, action);
        verifyAllowed(USER_GROUP_ADMIN, action);
        verifiedDeniedServiceException(USER_NON_ADMIN, action);
    }

    @Test
    public void testExecProcedureWithRet() throws Exception {
        verifyAdminCheckForAction(admin -> {
            admin.execProcedureWithReturn("flush-table-proc", TableName.META_TABLE_NAME.getNameAsString(), new HashMap());
        });
    }

    @Test
    public void testNormalize() throws Exception {
        verifyAdminCheckForAction(admin -> {
            admin.normalize();
        });
    }

    @Test
    public void testSetNormalizerRunning() throws Exception {
        verifyAdminCheckForAction(admin -> {
            admin.normalizerSwitch(true);
        });
    }

    @Test
    public void testExecRegionServerService() throws Exception {
        Action action = admin -> {
            TestRpcServiceProtos.TestProtobufRpcProto.newBlockingStub(admin.coprocessorService(TEST_UTIL.getHBaseCluster().getRegionServer(0).getServerName())).ping((RpcController) null, TestProtos.EmptyRequestProto.getDefaultInstance());
        };
        verifyAllowed(USER_ADMIN, action);
        verifyAllowed(USER_GROUP_ADMIN, action);
        verifiedDeniedServiceException(USER_NON_ADMIN, action);
    }

    @Test
    public void testTableFlush() throws Exception {
        TableName valueOf = TableName.valueOf(this.TEST_NAME.getMethodName());
        TableDescriptor build = TableDescriptorBuilder.newBuilder(valueOf).setColumnFamily(ColumnFamilyDescriptorBuilder.of(SpaceQuotaHelperForTests.F1)).build();
        verifyAllowed(USER_ADMIN, admin -> {
            admin.createTable(build);
            SecureTestUtil.grantOnTable(TEST_UTIL, USER_NON_ADMIN.getShortName(), valueOf, null, null, Permission.Action.READ, Permission.Action.WRITE, Permission.Action.CREATE);
        });
        verifyAllowed(USER_NON_ADMIN, admin2 -> {
            Connection connection = admin2.getConnection();
            byte[] bytes = Bytes.toBytes("row1");
            byte[] bytes2 = Bytes.toBytes("q1");
            byte[] bytes3 = Bytes.toBytes("v1");
            Table table = connection.getTable(valueOf);
            Throwable th = null;
            try {
                try {
                    Put put = new Put(bytes);
                    put.addColumn(Bytes.toBytes(SpaceQuotaHelperForTests.F1), bytes2, bytes3);
                    table.put(put);
                    admin2.flush(valueOf);
                    Result result = table.get(new Get(bytes));
                    Assert.assertFalse(result.isEmpty());
                    Assert.assertArrayEquals(bytes3, CellUtil.cloneValue(result.getColumnLatestCell(Bytes.toBytes(SpaceQuotaHelperForTests.F1), bytes2)));
                    if (table != null) {
                        if (0 == 0) {
                            table.close();
                            return;
                        }
                        try {
                            table.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                } catch (Throwable th3) {
                    th = th3;
                    throw th3;
                }
            } catch (Throwable th4) {
                if (table != null) {
                    if (th != null) {
                        try {
                            table.close();
                        } catch (Throwable th5) {
                            th.addSuppressed(th5);
                        }
                    } else {
                        table.close();
                    }
                }
                throw th4;
            }
        });
    }

    @Test
    public void testTableFlushAndSnapshot() throws Exception {
        TableName valueOf = TableName.valueOf(this.TEST_NAME.getMethodName());
        TableDescriptor build = TableDescriptorBuilder.newBuilder(valueOf).setColumnFamily(ColumnFamilyDescriptorBuilder.of(SpaceQuotaHelperForTests.F1)).build();
        verifyAllowed(USER_ADMIN, admin -> {
            admin.createTable(build);
            SecureTestUtil.grantOnTable(TEST_UTIL, USER_NON_ADMIN.getShortName(), valueOf, null, null, Permission.Action.READ, Permission.Action.WRITE, Permission.Action.CREATE, Permission.Action.ADMIN);
        });
        verifyAllowed(USER_NON_ADMIN, admin2 -> {
            Connection connection = admin2.getConnection();
            byte[] bytes = Bytes.toBytes("row1");
            byte[] bytes2 = Bytes.toBytes("q1");
            byte[] bytes3 = Bytes.toBytes("v1");
            Table table = connection.getTable(valueOf);
            Throwable th = null;
            try {
                Put put = new Put(bytes);
                put.addColumn(Bytes.toBytes(SpaceQuotaHelperForTests.F1), bytes2, bytes3);
                table.put(put);
                admin2.flush(valueOf);
                admin2.snapshot(valueOf.getNameAsString() + "_snapshot1", valueOf);
                Result result = table.get(new Get(bytes));
                Assert.assertFalse(result.isEmpty());
                Assert.assertArrayEquals(bytes3, CellUtil.cloneValue(result.getColumnLatestCell(Bytes.toBytes(SpaceQuotaHelperForTests.F1), bytes2)));
                if (table != null) {
                    if (0 == 0) {
                        table.close();
                        return;
                    }
                    try {
                        table.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
            } catch (Throwable th3) {
                if (table != null) {
                    if (0 != 0) {
                        try {
                            table.close();
                        } catch (Throwable th4) {
                            th.addSuppressed(th4);
                        }
                    } else {
                        table.close();
                    }
                }
                throw th3;
            }
        });
    }

    @Test
    public void testGrantDeniedOnSuperUsersGroups() {
        try {
            SecureTestUtil.grantGlobal(USER_ADMIN_NOT_SUPER, TEST_UTIL, USER_ADMIN.getShortName(), Permission.Action.ADMIN, Permission.Action.CREATE);
            Assert.fail("Granting superuser's global permissions is not allowed.");
        } catch (Exception e) {
        }
        try {
            SecureTestUtil.grantOnNamespace(USER_ADMIN_NOT_SUPER, TEST_UTIL, USER_ADMIN.getShortName(), this.TEST_NAME.getMethodName(), Permission.Action.ADMIN, Permission.Action.CREATE);
            Assert.fail("Granting superuser's namespace permissions is not allowed.");
        } catch (Exception e2) {
        }
        try {
            SecureTestUtil.grantOnTable(USER_ADMIN_NOT_SUPER, TEST_UTIL, USER_ADMIN.getName(), TableName.valueOf(this.TEST_NAME.getMethodName()), null, null, Permission.Action.ADMIN, Permission.Action.CREATE);
            Assert.fail("Granting superuser's table permissions is not allowed.");
        } catch (Exception e3) {
        }
        try {
            SecureTestUtil.grantGlobal(USER_ADMIN_NOT_SUPER, TEST_UTIL, USER_IN_SUPERGROUPS.getShortName(), Permission.Action.ADMIN, Permission.Action.CREATE);
            Assert.fail("Granting superuser's global permissions is not allowed.");
        } catch (Exception e4) {
        }
    }

    @Test
    public void testRevokeDeniedOnSuperUsersGroups() {
        try {
            SecureTestUtil.revokeGlobal(USER_ADMIN_NOT_SUPER, TEST_UTIL, USER_ADMIN.getShortName(), Permission.Action.ADMIN);
            Assert.fail("Revoking superuser's global permissions is not allowed.");
        } catch (Exception e) {
        }
        try {
            SecureTestUtil.revokeFromNamespace(USER_ADMIN_NOT_SUPER, TEST_UTIL, USER_ADMIN.getShortName(), this.TEST_NAME.getMethodName(), Permission.Action.ADMIN);
            Assert.fail("Revoking superuser's namespace permissions is not allowed.");
        } catch (Exception e2) {
        }
        try {
            SecureTestUtil.revokeFromTable(USER_ADMIN_NOT_SUPER, TEST_UTIL, USER_ADMIN.getName(), TableName.valueOf(this.TEST_NAME.getMethodName()), null, null, Permission.Action.ADMIN);
            Assert.fail("Revoking superuser's table permissions is not allowed.");
        } catch (Exception e3) {
        }
        try {
            SecureTestUtil.revokeGlobal(USER_ADMIN_NOT_SUPER, TEST_UTIL, AuthUtil.toGroupEntry("supergroup"), Permission.Action.ADMIN, Permission.Action.CREATE);
            Assert.fail("Revoking supergroup's permissions is not allowed.");
        } catch (Exception e4) {
        }
    }
}
