package org.apache.hadoop.hbase.security;

import java.io.EOFException;
import java.io.File;
import java.io.IOException;
import java.lang.Thread;
import java.lang.reflect.Field;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Map;
import javax.security.sasl.SaslClient;
import javax.security.sasl.SaslException;
import org.apache.commons.lang3.RandomStringUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hbase.HBaseTestingUtility;
import org.apache.hadoop.hbase.HConstants;
import org.apache.hadoop.hbase.Server;
import org.apache.hadoop.hbase.exceptions.ConnectionClosedException;
import org.apache.hadoop.hbase.ipc.FallbackDisallowedException;
import org.apache.hadoop.hbase.ipc.FifoRpcScheduler;
import org.apache.hadoop.hbase.ipc.RpcClient;
import org.apache.hadoop.hbase.ipc.RpcClientFactory;
import org.apache.hadoop.hbase.ipc.RpcServer;
import org.apache.hadoop.hbase.ipc.RpcServerFactory;
import org.apache.hadoop.hbase.ipc.TestProtoBufRpc;
import org.apache.hadoop.hbase.ipc.TestProtobufRpcServiceImpl;
import org.apache.hadoop.hbase.regionserver.TestSettingTimeoutOnBlockingPoint;
import org.apache.hadoop.hbase.security.provider.AuthenticationProviderSelector;
import org.apache.hadoop.hbase.security.provider.BuiltInProviderSelector;
import org.apache.hadoop.hbase.security.provider.SaslAuthMethod;
import org.apache.hadoop.hbase.security.provider.SaslClientAuthenticationProvider;
import org.apache.hadoop.hbase.shaded.ipc.protobuf.generated.TestProtos;
import org.apache.hadoop.hbase.shaded.ipc.protobuf.generated.TestRpcServiceProtos;
import org.apache.hadoop.hbase.shaded.protobuf.generated.RPCProtos;
import org.apache.hadoop.hbase.util.Pair;
import org.apache.hadoop.minikdc.MiniKdc;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;
import org.apache.hbase.thirdparty.com.google.common.collect.Lists;
import org.apache.hbase.thirdparty.com.google.protobuf.RpcController;
import org.apache.hbase.thirdparty.com.google.protobuf.ServiceException;
import org.hamcrest.MatcherAssert;
import org.hamcrest.Matchers;
import org.junit.Assert;
import org.junit.Test;
import org.mockito.Mockito;

/* loaded from: input_file:org/apache/hadoop/hbase/security/AbstractTestSecureIPC.class */
public class AbstractTestSecureIPC {
    protected static MiniKdc KDC;
    protected static String PRINCIPAL;
    protected String krbKeytab;
    protected String krbPrincipal;
    protected UserGroupInformation ugi;
    protected Configuration clientConf;
    protected Configuration serverConf;
    protected static final HBaseTestingUtility TEST_UTIL = new HBaseTestingUtility();
    protected static final File KEYTAB_FILE = new File(TEST_UTIL.getDataTestDir("keytab").toUri().getPath());
    protected static String HOST = TestProtoBufRpc.ADDRESS;

    /* loaded from: input_file:org/apache/hadoop/hbase/security/AbstractTestSecureIPC$CanonicalHostnameTestingAuthenticationProviderSelector.class */
    public static class CanonicalHostnameTestingAuthenticationProviderSelector extends BuiltInProviderSelector {
        private static final String CANONICAL_HOST_NAME_KEY = "CanonicalHostnameTestingAuthenticationProviderSelector.canonicalHostName";

        public Pair<SaslClientAuthenticationProvider, Token<? extends TokenIdentifier>> selectProvider(String str, User user) {
            Pair<SaslClientAuthenticationProvider, Token<? extends TokenIdentifier>> selectProvider = super.selectProvider(str, user);
            selectProvider.setFirst(createCanonicalHostNameTestingProvider((SaslClientAuthenticationProvider) selectProvider.getFirst()));
            return selectProvider;
        }

        SaslClientAuthenticationProvider createCanonicalHostNameTestingProvider(final SaslClientAuthenticationProvider saslClientAuthenticationProvider) {
            return new SaslClientAuthenticationProvider() { // from class: org.apache.hadoop.hbase.security.AbstractTestSecureIPC.CanonicalHostnameTestingAuthenticationProviderSelector.1
                public SaslClient createClient(Configuration configuration, InetAddress inetAddress, String str, Token<? extends TokenIdentifier> token, boolean z, Map<String, String> map) throws IOException {
                    String str2 = configuration.get(CanonicalHostnameTestingAuthenticationProviderSelector.CANONICAL_HOST_NAME_KEY);
                    if (str2 != null) {
                        try {
                            Field declaredField = InetAddress.class.getDeclaredField("canonicalHostName");
                            declaredField.setAccessible(true);
                            declaredField.set(inetAddress, str2);
                        } catch (IllegalAccessException | NoSuchFieldException e) {
                            throw new RuntimeException(e);
                        }
                    }
                    return saslClientAuthenticationProvider.createClient(configuration, inetAddress, str, token, z, map);
                }

                public RPCProtos.UserInformation getUserInfo(User user) {
                    return saslClientAuthenticationProvider.getUserInfo(user);
                }

                public UserGroupInformation getRealUser(User user) {
                    return saslClientAuthenticationProvider.getRealUser(user);
                }

                public boolean canRetry() {
                    return saslClientAuthenticationProvider.canRetry();
                }

                public void relogin() throws IOException {
                    saslClientAuthenticationProvider.relogin();
                }

                public SaslAuthMethod getSaslAuthMethod() {
                    return saslClientAuthenticationProvider.getSaslAuthMethod();
                }

                public String getTokenKind() {
                    return saslClientAuthenticationProvider.getTokenKind();
                }
            };
        }
    }

    /* loaded from: input_file:org/apache/hadoop/hbase/security/AbstractTestSecureIPC$TestThread.class */
    public static class TestThread extends Thread {
        private final TestRpcServiceProtos.TestProtobufRpcProto.BlockingInterface stub;

        public TestThread(TestRpcServiceProtos.TestProtobufRpcProto.BlockingInterface blockingInterface) {
            this.stub = blockingInterface;
        }

        @Override // java.lang.Thread, java.lang.Runnable
        public void run() {
            try {
                for (int i : new int[]{100, 1000, TestSettingTimeoutOnBlockingPoint.SleepCoprocessor.SLEEP_TIME}) {
                    String random = RandomStringUtils.random(i);
                    Assert.assertEquals(random, this.stub.echo((RpcController) null, TestProtos.EchoRequestProto.newBuilder().setMessage(random).build()).getMessage());
                }
            } catch (ServiceException e) {
                throw new RuntimeException((Throwable) e);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public static void initKDCAndConf() throws Exception {
        KDC = TEST_UTIL.setupMiniKdc(KEYTAB_FILE);
        PRINCIPAL = "hbase/" + HOST;
        KDC.createPrincipal(KEYTAB_FILE, new String[]{PRINCIPAL});
        HBaseKerberosUtils.setPrincipalForTesting(PRINCIPAL + "@" + KDC.getRealm());
        TEST_UTIL.getConfiguration().setInt("hbase.ipc.client.socket.timeout.read", 2000);
        TEST_UTIL.getConfiguration().setInt("hbase.security.relogin.maxretries", 1);
        TEST_UTIL.getConfiguration().setInt("hbase.security.relogin.maxbackoff", 100);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public static void stopKDC() {
        if (KDC != null) {
            KDC.stop();
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public final void setUpPrincipalAndConf() throws Exception {
        this.krbKeytab = HBaseKerberosUtils.getKeytabFileForTesting();
        this.krbPrincipal = HBaseKerberosUtils.getPrincipalForTesting();
        this.ugi = HBaseKerberosUtils.loginKerberosPrincipal(this.krbKeytab, this.krbPrincipal);
        this.clientConf = new Configuration(TEST_UTIL.getConfiguration());
        HBaseKerberosUtils.setSecuredConfiguration(this.clientConf);
        this.serverConf = new Configuration(TEST_UTIL.getConfiguration());
        HBaseKerberosUtils.setSecuredConfiguration(this.serverConf);
    }

    @Test
    public void testRpcCallWithEnabledKerberosSaslAuth() throws Exception {
        UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
        Assert.assertSame(currentUser, this.ugi);
        Assert.assertEquals(UserGroupInformation.AuthenticationMethod.KERBEROS, this.ugi.getAuthenticationMethod());
        Assert.assertEquals(this.krbPrincipal, this.ugi.getUserName());
        callRpcService(User.create(currentUser));
    }

    @Test
    public void testRpcCallWithEnabledKerberosSaslAuthCanonicalHostname() throws Exception {
        UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
        Assert.assertSame(currentUser, this.ugi);
        Assert.assertEquals(UserGroupInformation.AuthenticationMethod.KERBEROS, this.ugi.getAuthenticationMethod());
        Assert.assertEquals(this.krbPrincipal, this.ugi.getUserName());
        enableCanonicalHostnameTesting(this.clientConf, TestProtoBufRpc.ADDRESS);
        this.clientConf.setBoolean("hbase.unsafe.client.kerberos.hostname.disable.reversedns", false);
        this.clientConf.set("hbase.regionserver.kerberos.principal", "hbase/_HOST@" + KDC.getRealm());
        callRpcService(User.create(currentUser));
    }

    @Test
    public void testRpcCallWithEnabledKerberosSaslAuthNoCanonicalHostname() throws Exception {
        UserGroupInformation currentUser = UserGroupInformation.getCurrentUser();
        Assert.assertSame(currentUser, this.ugi);
        Assert.assertEquals(UserGroupInformation.AuthenticationMethod.KERBEROS, this.ugi.getAuthenticationMethod());
        Assert.assertEquals(this.krbPrincipal, this.ugi.getUserName());
        enableCanonicalHostnameTesting(this.clientConf, "127.0.0.1");
        this.clientConf.setBoolean("hbase.unsafe.client.kerberos.hostname.disable.reversedns", true);
        this.clientConf.set("hbase.regionserver.kerberos.principal", "hbase/_HOST@" + KDC.getRealm());
        callRpcService(User.create(currentUser));
    }

    private static void enableCanonicalHostnameTesting(Configuration configuration, String str) {
        configuration.setClass("hbase.client.sasl.provider.class", CanonicalHostnameTestingAuthenticationProviderSelector.class, AuthenticationProviderSelector.class);
        configuration.set("CanonicalHostnameTestingAuthenticationProviderSelector.canonicalHostName", str);
    }

    @Test
    public void testRpcServerFallbackToSimpleAuth() throws Exception {
        UserGroupInformation createUserForTesting = UserGroupInformation.createUserForTesting("testuser", new String[]{"testuser"});
        Assert.assertNotSame(this.ugi, createUserForTesting);
        Assert.assertEquals(UserGroupInformation.AuthenticationMethod.SIMPLE, createUserForTesting.getAuthenticationMethod());
        Assert.assertEquals("testuser", createUserForTesting.getUserName());
        this.clientConf.set("hbase.security.authentication", "simple");
        this.serverConf.setBoolean("hbase.ipc.server.fallback-to-simple-auth-allowed", true);
        callRpcService(User.create(createUserForTesting));
    }

    @Test
    public void testRpcServerDisallowFallbackToSimpleAuth() throws Exception {
        UserGroupInformation createUserForTesting = UserGroupInformation.createUserForTesting("testuser", new String[]{"testuser"});
        Assert.assertNotSame(this.ugi, createUserForTesting);
        Assert.assertEquals(UserGroupInformation.AuthenticationMethod.SIMPLE, createUserForTesting.getAuthenticationMethod());
        Assert.assertEquals("testuser", createUserForTesting.getUserName());
        this.clientConf.set("hbase.security.authentication", "simple");
        this.serverConf.setBoolean("hbase.ipc.server.fallback-to-simple-auth-allowed", false);
        IOException iOException = (IOException) Assert.assertThrows(IOException.class, () -> {
            callRpcService(User.create(createUserForTesting));
        });
        if (iOException.getMessage() == null || !iOException.getMessage().contains("Broken pipe")) {
            MatcherAssert.assertThat(iOException, Matchers.either(Matchers.instanceOf(EOFException.class)).or(Matchers.instanceOf(ConnectionClosedException.class)));
        }
    }

    @Test
    public void testRpcClientFallbackToSimpleAuth() throws Exception {
        UserGroupInformation createUserForTesting = UserGroupInformation.createUserForTesting("testuser", new String[]{"testuser"});
        Assert.assertNotSame(this.ugi, createUserForTesting);
        Assert.assertEquals(UserGroupInformation.AuthenticationMethod.SIMPLE, createUserForTesting.getAuthenticationMethod());
        Assert.assertEquals("testuser", createUserForTesting.getUserName());
        this.serverConf.set("hbase.security.authentication", "simple");
        this.clientConf.setBoolean("hbase.ipc.client.fallback-to-simple-auth-allowed", true);
        callRpcService(User.create(createUserForTesting), User.create(this.ugi));
    }

    @Test
    public void testRpcClientDisallowFallbackToSimpleAuth() throws Exception {
        UserGroupInformation createUserForTesting = UserGroupInformation.createUserForTesting("testuser", new String[]{"testuser"});
        Assert.assertNotSame(this.ugi, createUserForTesting);
        Assert.assertEquals(UserGroupInformation.AuthenticationMethod.SIMPLE, createUserForTesting.getAuthenticationMethod());
        Assert.assertEquals("testuser", createUserForTesting.getUserName());
        this.serverConf.set("hbase.security.authentication", "simple");
        this.clientConf.setBoolean("hbase.ipc.client.fallback-to-simple-auth-allowed", false);
        Assert.assertThrows(FallbackDisallowedException.class, () -> {
            callRpcService(User.create(createUserForTesting), User.create(this.ugi));
        });
    }

    private void setRpcProtection(String str, String str2) {
        this.clientConf.set("hbase.rpc.protection", str);
        this.serverConf.set("hbase.rpc.protection", str2);
    }

    @Test
    public void testSaslWithCommonQop() throws Exception {
        setRpcProtection("privacy,authentication", "authentication");
        callRpcService();
        setRpcProtection("authentication", "privacy,authentication");
        callRpcService();
        setRpcProtection("integrity,authentication", "privacy,authentication");
        callRpcService();
        setRpcProtection("integrity,authentication", "integrity,authentication");
        callRpcService();
        setRpcProtection("privacy,authentication", "privacy,authentication");
        callRpcService();
    }

    @Test
    public void testSaslNoCommonQop() throws Exception {
        setRpcProtection("integrity", "privacy");
        Assert.assertEquals("No common protection layer between client and server", Assert.assertThrows(SaslException.class, () -> {
            callRpcService();
        }).getMessage());
    }

    @Test
    public void testSaslWithCryptoAES() throws Exception {
        setRpcProtection("privacy", "privacy");
        setCryptoAES("true", "true");
        callRpcService();
    }

    @Test
    public void testDifferentConfWithCryptoAES() throws Exception {
        setRpcProtection("privacy", "privacy");
        setCryptoAES("false", "true");
        callRpcService();
        setCryptoAES("true", "false");
        try {
            callRpcService();
            Assert.fail("The exception should be thrown out for the rpc timeout.");
        } catch (Exception e) {
        }
    }

    private void setCryptoAES(String str, String str2) {
        this.clientConf.set("hbase.rpc.crypto.encryption.aes.enabled", str);
        this.serverConf.set("hbase.rpc.crypto.encryption.aes.enabled", str2);
    }

    private void callRpcService(User user, User user2) throws Exception {
        SecurityInfo securityInfo = (SecurityInfo) Mockito.mock(SecurityInfo.class);
        Mockito.when(securityInfo.getServerPrincipals()).thenReturn(Collections.singletonList("hbase.regionserver.kerberos.principal"));
        SecurityInfo.addInfo("TestProtobufRpcProto", securityInfo);
        InetSocketAddress inetSocketAddress = new InetSocketAddress(HOST, 0);
        RpcServer rpcServer = (RpcServer) user.getUGI().doAs(() -> {
            return RpcServerFactory.createRpcServer((Server) null, "AbstractTestSecureIPC", Lists.newArrayList(new RpcServer.BlockingServiceAndInterface[]{new RpcServer.BlockingServiceAndInterface(TestProtobufRpcServiceImpl.SERVICE, (Class) null)}), inetSocketAddress, this.serverConf, new FifoRpcScheduler(this.serverConf, 1));
        });
        rpcServer.start();
        try {
            RpcClient createClient = RpcClientFactory.createClient(this.clientConf, HConstants.DEFAULT_CLUSTER_ID.toString());
            Throwable th = null;
            try {
                try {
                    TestThread testThread = new TestThread(TestProtobufRpcServiceImpl.newBlockingStub(createClient, rpcServer.getListenerAddress(), user2));
                    final Throwable[] thArr = new Throwable[1];
                    Collections.synchronizedList(new ArrayList());
                    testThread.setUncaughtExceptionHandler(new Thread.UncaughtExceptionHandler() { // from class: org.apache.hadoop.hbase.security.AbstractTestSecureIPC.1
                        @Override // java.lang.Thread.UncaughtExceptionHandler
                        public void uncaughtException(Thread thread, Throwable th2) {
                            thArr[0] = th2;
                        }
                    });
                    testThread.start();
                    testThread.join();
                    if (thArr[0] != null) {
                        while (thArr[0].getCause() != null) {
                            thArr[0] = thArr[0].getCause();
                        }
                        throw ((Exception) thArr[0]);
                    }
                    if (createClient != null) {
                        if (0 != 0) {
                            try {
                                createClient.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        } else {
                            createClient.close();
                        }
                    }
                } finally {
                }
            } finally {
            }
        } finally {
            rpcServer.stop();
        }
    }

    private void callRpcService(User user) throws Exception {
        callRpcService(User.create(this.ugi), user);
    }

    private void callRpcService() throws Exception {
        callRpcService(User.create(this.ugi));
    }
}
