package org.apache.sentry.provider.db.service.thrift;

import com.google.common.collect.Sets;
import java.io.File;
import java.net.HttpURLConnection;
import java.net.URL;
import java.security.PrivilegedExceptionAction;
import java.util.HashSet;
import javax.security.auth.Subject;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.login.LoginContext;
import org.apache.commons.io.IOUtils;
import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
import org.apache.hadoop.security.authentication.client.AuthenticationException;
import org.apache.hadoop.security.authentication.client.KerberosAuthenticator;
import org.apache.sentry.service.thrift.KerberosConfiguration;
import org.apache.sentry.service.thrift.SentryServiceIntegrationBase;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/sentry/provider/db/service/thrift/TestSentryWebServerWithKerberos.class */
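/**
 * Integration tests for the Sentry web server's {@code /ping} endpoint with the web server and
 * web security both switched on (see {@link #setup()}).
 *
 * <p>The cases cover the outcomes a reviewer of the authentication filter would want pinned:
 * <ul>
 *   <li>an authenticated, permitted caller gets {@code 200} and {@code "pong\n"};</li>
 *   <li>a caller with no Kerberos credentials cannot complete the negotiation;</li>
 *   <li>a plain HTTP request with no authentication header gets {@code 401};</li>
 *   <li>a caller with valid Kerberos credentials that the server does not accept gets
 *       {@code 403};</li>
 *   <li>the HTTP {@code TRACE} method is rejected with {@code 403}.</li>
 * </ul>
 *
 * <p>NOTE(review): which principals the server permits is configured outside this class
 * (presumably in {@code SentryServiceIntegrationBase}); confirm there when changing the
 * 403 cases.
 */
public class TestSentryWebServerWithKerberos extends SentryServiceIntegrationBase {
    private static final Logger LOG = LoggerFactory.getLogger(TestSentryWebServerWithKerberos.class);

    /** Kerberos realm appended to the test principals created by this class. */
    private static final String REALM_SUFFIX = "@EXAMPLE.COM";

    /**
     * Enables the web server and its security layer, then delegates to the base-class setup.
     *
     * @throws Exception if the base-class setup fails
     */
    @BeforeClass
    public static void setup() throws Exception {
        webServerEnabled = true;
        webSecurity = true;
        SentryServiceIntegrationBase.setup();
    }

    /**
     * Intentionally empty: replaces the base-class per-test hook with a no-op.
     *
     * @throws Exception never thrown by this override
     */
    @Override
    @Before
    public void before() throws Exception {
    }

    /** Intentionally empty: replaces the base-class per-test hook with a no-op. */
    @Override
    @After
    public void after() {
    }

    /**
     * Builds the URL of the {@code /ping} endpoint on the test web server.
     *
     * @return the ping URL
     * @throws Exception if the URL cannot be formed
     */
    private static URL pingUrl() throws Exception {
        return new URL("http://" + SERVER_HOST + ":" + webServerPort + "/ping");
    }

    /**
     * Pings as {@code clientUgi} through the Kerberos authenticator and expects {@code 200}
     * with the body {@code "pong\n"}.
     *
     * @throws Exception if the request or the privileged action fails
     */
    @Test
    public void testPing() throws Exception {
        clientUgi.doAs(new PrivilegedExceptionAction<Void>() {
            @Override
            public Void run() throws Exception {
                HttpURLConnection conn = new AuthenticatedURL(new KerberosAuthenticator())
                        .openConnection(pingUrl(), new AuthenticatedURL.Token());
                try {
                    Assert.assertEquals(HttpURLConnection.HTTP_OK, conn.getResponseCode());
                    // Explicit charset so the comparison does not depend on the platform default.
                    Assert.assertEquals("pong\n", IOUtils.toString(conn.getInputStream(), "UTF-8"));
                } finally {
                    conn.disconnect();
                }
                return null;
            }
        });
    }

    /**
     * Attempts the Kerberos negotiation outside any {@code doAs}, i.e. with no subject holding
     * credentials, and expects it to fail with "No valid credentials provided".
     *
     * <p>The check matches on exception message text, so it is sensitive to wording changes in
     * the underlying libraries.
     *
     * @throws Exception if the URL cannot be formed
     */
    @Test
    public void testPingWithoutSubject() throws Exception {
        try {
            new AuthenticatedURL(new KerberosAuthenticator())
                    .openConnection(pingUrl(), new AuthenticatedURL.Token());
        } catch (Exception e) {
            // String.valueOf keeps a null message from turning the assertion into an NPE.
            String message = String.valueOf(e.getMessage());
            Assert.assertTrue(
                    "Here should fail by 'No valid credentials provided', but the exception is:" + e,
                    message.contains("No valid credentials provided"));
            return;
        }
        Assert.fail("Here should fail.");
    }

    /**
     * Sends a plain request with no authentication at all and expects {@code 401} with an
     * "Authentication required" error body.
     *
     * @throws Exception if the request fails
     */
    @Test
    public void testPingUsingHttpURLConnection() throws Exception {
        HttpURLConnection conn = (HttpURLConnection) pingUrl().openConnection();
        try {
            Assert.assertEquals(HttpURLConnection.HTTP_UNAUTHORIZED, conn.getResponseCode());
            Assert.assertNotNull("401 response carried no error body", conn.getErrorStream());
            Assert.assertTrue(
                    IOUtils.toString(conn.getErrorStream(), "UTF-8").contains("Authentication required"));
        } finally {
            conn.disconnect();
        }
    }

    /**
     * Logs in as {@code user/<host>@EXAMPLE.COM}, a principal created only for this test, and
     * expects the server to answer {@code 403}: authentication succeeds but the caller is not
     * permitted.
     *
     * @throws Exception if principal creation, login or the privileged action fails
     */
    @Test
    public void testPingWithUnauthorizedUser() throws Exception {
        assertPingForbidden("user/" + SERVER_HOST, "user.keytab", "Here should fail.");
    }

    /**
     * Logs in as {@code user1/<host>@EXAMPLE.COM} and expects {@code 403}.
     *
     * <p>NOTE(review): the test name suggests the server's permitted-user list holds this name
     * in a different letter case and that matching is case-sensitive; that configuration is not
     * visible in this class, so confirm against the base class.
     *
     * @throws Exception if principal creation, login or the privileged action fails
     */
    @Test
    public void testPingWithCaseSensitiveUser() throws Exception {
        assertPingForbidden("user1/" + SERVER_HOST, "user1.keytab", "Login with user1 should fail");
    }

    /**
     * Sends a {@code TRACE} request to the server root and expects {@code 403}.
     *
     * <p>TRACE echoes the request back to the caller, which is why servers commonly disable it.
     * The request here carries no credentials, yet the expected status is 403 rather than 401.
     *
     * @throws Exception if the request fails
     */
    @Test
    public void testTraceIsDisabled() throws Exception {
        // The connection must be held in a local: the response code is read from the same object
        // the method was set on.
        HttpURLConnection conn =
                (HttpURLConnection) new URL("http://" + SERVER_HOST + ":" + webServerPort).openConnection();
        try {
            conn.setRequestMethod("TRACE");
            Assert.assertEquals(HttpURLConnection.HTTP_FORBIDDEN, conn.getResponseCode());
        } finally {
            conn.disconnect();
        }
    }

    /**
     * Creates {@code shortPrincipal} in the test KDC, logs in with its keytab, pings the server
     * as that subject, and asserts that the negotiation is rejected with status 403.
     *
     * <p>The 403 is recognised by the substring {@code "status code: 403"} in the
     * {@link AuthenticationException} message; any other message is logged and fails the test.
     *
     * @param shortPrincipal principal name without the realm, e.g. {@code user/host}
     * @param keytabName file name of the keytab to create under {@code kdcWorkDir}
     * @param unexpectedSuccessMessage failure message used when the ping is not rejected
     * @throws Exception if principal creation, login or the privileged action fails
     */
    private void assertPingForbidden(final String shortPrincipal, final String keytabName,
            final String unexpectedSuccessMessage) throws Exception {
        final String fullPrincipal = shortPrincipal + REALM_SUFFIX;
        Subject subject = new Subject(
                false,
                Sets.newHashSet(new KerberosPrincipal(fullPrincipal)),
                new HashSet<Object>(),
                new HashSet<Object>());
        File keytab = new File(kdcWorkDir, keytabName);
        kdc.createPrincipal(keytab, new String[]{shortPrincipal});
        LoginContext loginContext = new LoginContext(
                "", subject, (CallbackHandler) null,
                KerberosConfiguration.createClientConfig(fullPrincipal, keytab));
        loginContext.login();
        Subject.doAs(loginContext.getSubject(), new PrivilegedExceptionAction<Void>() {
            @Override
            public Void run() throws Exception {
                try {
                    new AuthenticatedURL(new KerberosAuthenticator())
                            .openConnection(pingUrl(), new AuthenticatedURL.Token());
                } catch (AuthenticationException e) {
                    String message = String.valueOf(e.getMessage());
                    if (!message.contains("status code: 403")) {
                        LOG.error("UnexpectedError: " + message, e);
                        Assert.fail("UnexpectedError: " + message);
                    }
                    return null;
                }
                // Reaching here means the server accepted a principal it should have refused.
                Assert.fail(unexpectedSuccessMessage);
                return null;
            }
        });
    }
}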
