package org.apache.sentry.service.thrift;

import com.google.common.base.Strings;
import com.google.common.io.Files;
import com.google.common.io.Resources;
import java.io.File;
import java.security.PrivilegedExceptionAction;
import java.util.Iterator;
import java.util.Properties;
import java.util.Set;
import java.util.concurrent.TimeoutException;
import org.apache.commons.io.FileUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.minikdc.MiniKdc;
import org.apache.hadoop.net.NetUtils;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.sentry.provider.db.service.thrift.SentryMiniKdcTestcase;
import org.apache.sentry.provider.db.service.thrift.SentryPolicyServiceClient;
import org.apache.sentry.provider.db.service.thrift.TSentryRole;
import org.apache.sentry.provider.file.PolicyFile;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.Before;
import org.junit.BeforeClass;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/sentry/service/thrift/SentryServiceIntegrationBase.class */
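/**
 * Base class for Sentry service integration tests.
 *
 * <p>Before the test class runs it optionally starts a MiniKdc, builds the shared
 * {@link #conf}, and starts an in-process {@link SentryService} backed by an embedded
 * Derby database. Before each test it connects a {@link SentryPolicyServiceClient};
 * after each test it drops every role and closes that client.
 *
 * <p>Security note: every credential set here ({@code "password"} for the keystore,
 * {@code "dummy"} for the JDBC store) and every relaxed mode (security mode
 * {@code none}, web authentication {@code NONE}) is a test fixture. None of these values
 * should be copied into a deployed Sentry configuration.
 *
 * <p>All state is held in static fields that {@link #setupConf()} mutates, so the class
 * is not safe for concurrent use by several test classes in one JVM.
 */
public abstract class SentryServiceIntegrationBase extends SentryMiniKdcTestcase {
    protected static final String CLIENT_KERBEROS_SHORT_NAME = "hive";
    protected static final String ADMIN_USER = "admin_user";
    protected static final String ADMIN_GROUP = "admin_group";
    protected static SentryService server;
    protected SentryPolicyServiceClient client;
    protected static MiniKdc kdc;
    protected static File kdcWorkDir;
    protected static File dbDir;
    // The keytab files are created under kdcWorkDir and hold the keys of the test principals.
    protected static File serverKeytab;
    protected static File httpKeytab;
    protected static File clientKeytab;
    protected static UserGroupInformation clientUgi;
    protected static boolean kerberos;
    protected PolicyFile policyFile;
    protected File policyFilePath;
    private static final Logger LOGGER = LoggerFactory.getLogger(SentryServiceIntegrationBase.class);
    // Canonical host name of localhost; the port in "localhost:80" is only there to satisfy the parser.
    protected static final String SERVER_HOST = NetUtils.createSocketAddr("localhost:80").getAddress().getCanonicalHostName();
    protected static final String SERVER_PRINCIPAL = "sentry/" + SERVER_HOST;
    protected static final String REALM = "EXAMPLE.COM";
    protected static String SERVER_KERBEROS_NAME = "sentry/" + SERVER_HOST + "@" + REALM;
    protected static final String HTTP_PRINCIPAL = "HTTP/" + SERVER_HOST;
    protected static final String CLIENT_PRINCIPAL = "hive/" + SERVER_HOST;
    protected static final Configuration conf = new Configuration(false);
    protected static Properties kdcConfOverlay = new Properties();
    protected static boolean webServerEnabled = false;
    protected static int webServerPort = 29000;
    protected static boolean webSecurity = false;
    protected static boolean pooled = false;
    protected static boolean useSSL = false;
    // Users allowed to connect to the web endpoint when webSecurity is enabled.
    protected static String allowedUsers = "hive,USER1";

    /**
     * A unit of test work that {@link #runTestAsSubject(TestOperation)} executes.
     *
     * <p>NOTE: the decompiler reports that this type was originally declared {@code protected}.
     */
    public interface TestOperation {
        void runTestAsSubject() throws Exception;
    }

    /**
     * Class-level fixture: enables Kerberos and client connection pooling, builds the
     * configuration and starts the Sentry service.
     *
     * @throws Exception if the KDC, the configuration or the service cannot be set up
     */
    @BeforeClass
    public static void setup() throws Exception {
        kerberos = true;
        pooled = true;
        beforeSetup();
        setupConf();
        startSentryService();
        afterSetup();
    }

    /** Starts the MiniKdc with the overrides held in {@link #kdcConfOverlay}. */
    private static void setupKdc() throws Exception {
        startMiniKdc(kdcConfOverlay);
    }

    /**
     * Starts {@link #server} and polls once per second until it reports that it is running.
     *
     * @throws TimeoutException if the server is still not running after 60 seconds
     * @throws Exception if the server fails to start or the wait is interrupted
     */
    public static void startSentryService() throws Exception {
        server.start();
        final long startedAt = System.currentTimeMillis();
        while (!server.isRunning()) {
            Thread.sleep(1000L);
            if (System.currentTimeMillis() - startedAt > 60000) {
                throw new TimeoutException("Server did not start after 60 seconds");
            }
        }
    }

    /**
     * Stops {@link #server} and then waits a fixed 30 seconds.
     *
     * @throws Exception if the server cannot be stopped or the wait is interrupted
     */
    public void stopSentryService() throws Exception {
        server.stop();
        Thread.sleep(30000L);
    }

    /**
     * Populates {@link #conf} from the static feature flags and creates {@link #server}.
     *
     * <p>With {@link #kerberos} set, a MiniKdc is started, server and client keytabs are
     * generated, and the client is logged in from its keytab. Otherwise the service runs
     * with security mode {@code none}.
     *
     * @throws IllegalStateException if {@link #webSecurity} is requested but no KDC is available
     * @throws Exception if the KDC, the keytabs, the temp directory or the service cannot be created
     */
    public static void setupConf() throws Exception {
        if (kerberos) {
            setupKdc();
            kdc = getKdc();
            kdcWorkDir = getWorkDir();
            serverKeytab = new File(kdcWorkDir, "server.keytab");
            clientKeytab = new File(kdcWorkDir, "client.keytab");
            kdc.createPrincipal(serverKeytab, new String[]{SERVER_PRINCIPAL});
            kdc.createPrincipal(clientKeytab, new String[]{CLIENT_PRINCIPAL});
            conf.set("sentry.service.server.principal", getServerKerberosName());
            conf.set("sentry.service.server.keytab", serverKeytab.getPath());
            // Only the "hive" short name may connect to the Thrift service.
            conf.set("sentry.service.allow.connect", CLIENT_KERBEROS_SHORT_NAME);
            conf.set("sentry.zookeeper.client.principal", getServerKerberosName());
            conf.set("sentry.zookeeper.client.keytab", serverKeytab.getPath());
            conf.set("sentry.service.security.use.ugi", "true");
            conf.set("hadoop.security.authentication", "kerberos");
            UserGroupInformation.setConfiguration(conf);
            UserGroupInformation.loginUserFromKeytab(CLIENT_PRINCIPAL, clientKeytab.getPath());
            clientUgi = UserGroupInformation.getLoginUser();
        } else {
            // The previous message ("Stopped KDC") was misleading: no KDC is started on this
            // path. Say what actually happens so an unauthenticated run is visible in the logs.
            LOGGER.info("Kerberos disabled; Sentry service security mode set to none");
            conf.set("sentry.service.security.mode", "none");
        }
        if (webServerEnabled) {
            conf.set("sentry.service.web.enable", "true");
            conf.set("sentry.service.web.port", String.valueOf(webServerPort));
            conf.set("sentry.web.pubsub.servlet.enabled", "true");
            if (webSecurity) {
                if (kdc == null) {
                    // Fail with a clear message instead of a NullPointerException below.
                    throw new IllegalStateException(
                            "webSecurity requires a running MiniKdc; enable kerberos before calling setupConf()");
                }
                httpKeytab = new File(kdcWorkDir, "http.keytab");
                kdc.createPrincipal(httpKeytab, new String[]{HTTP_PRINCIPAL});
                conf.set("sentry.service.web.authentication.type", "KERBEROS");
                conf.set("sentry.service.web.authentication.kerberos.principal", HTTP_PRINCIPAL);
                conf.set("sentry.service.web.authentication.kerberos.keytab", httpKeytab.getPath());
                conf.set("sentry.service.web.authentication.allow.connect.users", allowedUsers);
            } else {
                // Test-only: the web endpoint accepts requests without authentication.
                conf.set("sentry.service.web.authentication.type", "NONE");
            }
        } else {
            conf.set("sentry.service.web.enable", "false");
        }
        if (pooled) {
            conf.set("sentry.service.client.connection.pool.enabled", "true");
        }
        if (useSSL) {
            String keystorePath = Resources.getResource("keystore.jks").getPath();
            conf.set("sentry.web.use.ssl", "true");
            conf.set("sentry.web.ssl.keystore.path", keystorePath);
            // Test-only keystore password; only the path is logged, never the password.
            conf.set("sentry.web.ssl.keystore.password", "password");
            LOGGER.debug("{} is at {}", "sentry.web.ssl.keystore.path", keystorePath);
        }
        conf.set("sentry.verify.schema.version", "false");
        conf.set("sentry.service.admin.group", ADMIN_GROUP);
        conf.set("sentry.service.server.rpc-address", SERVER_HOST);
        // Port 0: the client is pointed at whatever port server.getAddress() reports below.
        conf.set("sentry.service.server.rpc-port", String.valueOf(0));
        // Guava's Files.createTempDir() is deprecated because the directory it creates can be
        // readable by other local users. java.nio creates it with owner-only permissions on
        // POSIX file systems, which keeps the policy database private to the test user.
        File tempRoot = java.nio.file.Files.createTempDirectory("sentry").toFile();
        dbDir = new File(tempRoot, "sentry_policy_db");
        conf.set("sentry.store.jdbc.url", "jdbc:derby:;databaseName=" + dbDir.getPath() + ";create=true");
        // Test-only placeholder password for the embedded Derby store.
        conf.set("sentry.store.jdbc.password", "dummy");
        server = SentryServiceFactory.create(conf);
        conf.set("sentry.service.client.server.rpc-addresses", server.getAddress().getHostName());
        conf.set("sentry.service.client.server.rpc-port", String.valueOf(server.getAddress().getPort()));
        conf.set("sentry.store.group.mapping", "org.apache.sentry.provider.file.LocalGroupMappingService");
    }

    /**
     * Per-test fixture: points the local group mapping at a fresh policy file path and
     * opens a client connection.
     *
     * @throws Exception if the client cannot connect
     */
    @Before
    public void before() throws Exception {
        this.policyFilePath = new File(dbDir, "local_policy_file.ini");
        conf.set("sentry.store.group.mapping.resource", this.policyFilePath.getPath());
        this.policyFile = new PolicyFile();
        connectToSentryService();
    }

    /**
     * Per-test cleanup: drops every role as {@link #ADMIN_USER}, closes the client and
     * deletes the policy file. Failures are logged rather than rethrown.
     */
    @After
    public void after() {
        try {
            runTestAsSubject(new TestOperation() {
                @Override
                public void runTestAsSubject() throws Exception {
                    final SentryPolicyServiceClient current = SentryServiceIntegrationBase.this.client;
                    if (current == null) {
                        return;
                    }
                    try {
                        Set<?> roles = current.listAllRoles(SentryServiceIntegrationBase.ADMIN_USER);
                        if (roles != null) {
                            for (Object role : roles) {
                                current.dropRole(SentryServiceIntegrationBase.ADMIN_USER, ((TSentryRole) role).getRoleName());
                            }
                        }
                    } finally {
                        // Close even when listing or dropping roles fails, so a failed
                        // cleanup does not leave the connection open.
                        current.close();
                    }
                }
            });
        } catch (Exception e) {
            LOGGER.error(e.getMessage(), e);
        } finally {
            // Guard against a subclass whose setup never assigned the path.
            if (this.policyFilePath != null) {
                this.policyFilePath.delete();
            }
        }
    }

    /**
     * Creates {@link #client}. With Kerberos enabled the client is created inside
     * {@code clientUgi.doAs(...)}, i.e. as the logged-in client principal.
     *
     * @throws Exception if the client cannot be created
     */
    public void connectToSentryService() throws Exception {
        if (kerberos) {
            this.client = (SentryPolicyServiceClient) clientUgi.doAs(new PrivilegedExceptionAction<SentryPolicyServiceClient>() {
                @Override
                public SentryPolicyServiceClient run() throws Exception {
                    return SentryServiceClientFactory.create(SentryServiceIntegrationBase.conf);
                }
            });
        } else {
            this.client = SentryServiceClientFactory.create(conf);
        }
    }

    /**
     * Class-level cleanup: stops the server, deletes the policy database directory and
     * stops the MiniKdc.
     *
     * @throws Exception if a teardown hook, the server or the KDC fails to stop
     */
    @AfterClass
    public static void tearDown() throws Exception {
        try {
            beforeTeardown();
            if (server != null) {
                server.stop();
            }
        } finally {
            // Run the remaining cleanup even when stopping the server fails, so the policy
            // database is removed and the KDC is still shut down.
            if (dbDir != null) {
                FileUtils.deleteQuietly(dbDir);
            }
            stopMiniKdc();
        }
        afterTeardown();
    }

    /** Returns the server's Kerberos name, {@link #SERVER_KERBEROS_NAME}. */
    public static String getServerKerberosName() {
        return SERVER_KERBEROS_NAME;
    }

    /** Hook called by {@link #setup()} before the configuration is built; empty here. */
    public static void beforeSetup() throws Exception {
    }

    /** Hook called by {@link #setup()} after the service has started; empty here. */
    public static void afterSetup() throws Exception {
    }

    /** Hook called first by {@link #tearDown()}; empty here. */
    public static void beforeTeardown() throws Exception {
    }

    /** Hook called last by {@link #tearDown()}; empty here. */
    public static void afterTeardown() throws Exception {
    }

    /** Fails the test unless the response status is {@code Status.OK}. */
    protected static void assertOK(TSentryResponseStatus tSentryResponseStatus) {
        assertStatus(Status.OK, tSentryResponseStatus);
    }

    /**
     * Fails the test when the response code differs from the expected status. The failure
     * message carries the response's message and, when present, its stack trace.
     *
     * @param status the expected status
     * @param tSentryResponseStatus the response status returned by the service
     */
    protected static void assertStatus(Status status, TSentryResponseStatus tSentryResponseStatus) {
        if (tSentryResponseStatus.getValue() == status.getCode()) {
            return;
        }
        String failure = "Expected: " + status + ", Response: " + Status.fromCode(tSentryResponseStatus.getValue()) + ", Code: " + tSentryResponseStatus.getValue() + ", Message: " + tSentryResponseStatus.getMessage();
        String stack = Strings.nullToEmpty(tSentryResponseStatus.getStack()).trim();
        if (!stack.isEmpty()) {
            failure = failure + ", StackTrace: " + stack;
        }
        Assert.fail(failure);
    }

    /**
     * Adds the user to each of the given groups in the in-memory policy file.
     *
     * <p>NOTE: the decompiler reports that this method was originally declared {@code protected}.
     *
     * @param str the user name
     * @param set the groups to add the user to
     */
    public void setLocalGroupMapping(String str, Set<String> set) {
        for (String group : set) {
            this.policyFile.addGroupsToUser(str, new String[]{group});
        }
    }

    /**
     * Writes the in-memory policy file to {@link #policyFilePath}.
     *
     * <p>NOTE: the decompiler reports that this method was originally declared {@code protected}.
     *
     * @throws Exception if the file cannot be written
     */
    public void writePolicyFile() throws Exception {
        this.policyFile.write(this.policyFilePath);
    }

    /**
     * Runs the given operation directly on the calling thread.
     *
     * <p>NOTE: the decompiler reports that this method was originally declared {@code protected}.
     *
     * @param testOperation the operation to run
     * @throws Exception whatever the operation throws
     */
    public void runTestAsSubject(TestOperation testOperation) throws Exception {
        testOperation.runTestAsSubject();
    }
}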
