package org.apache.hadoop.http;

import java.io.File;
import java.io.FileWriter;
import java.net.HttpURLConnection;
import java.net.URI;
import java.net.URL;
import java.util.Properties;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
import org.apache.hadoop.http.HttpServer2;
import org.apache.hadoop.minikdc.MiniKdc;
import org.apache.hadoop.net.NetUtils;
import org.apache.hadoop.security.AuthenticationFilterInitializer;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.KerberosTestUtils;
import org.apache.hadoop.security.authentication.client.AuthenticatedURL;
import org.apache.hadoop.security.authentication.server.AuthenticationFilter;
import org.apache.hadoop.security.authentication.server.AuthenticationToken;
import org.apache.hadoop.security.authentication.server.ProxyUserAuthenticationFilterInitializer;
import org.apache.hadoop.security.authentication.util.Signer;
import org.apache.hadoop.security.authentication.util.StringSignerSecretProvider;
import org.apache.hadoop.security.authentication.util.StringSignerSecretProviderCreator;
import org.apache.hadoop.security.authorize.AccessControlList;
import org.apache.hadoop.security.authorize.ProxyUsers;
import org.apache.hadoop.yarn.conf.YarnConfiguration;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Test;

/* loaded from: input_file:WEB-INF/lib/hadoop-common-3.4.0-tests.jar:org/apache/hadoop/http/TestHttpServerWithSpnego.class */
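/**
 * Exercises {@link HttpServer2} with Kerberos/SPNEGO HTTP authentication
 * enabled, using a {@link MiniKdc} started once for the whole class.
 *
 * <p>Two behaviours are pinned:
 * <ul>
 *   <li>proxy-user ({@code doAs}) authorization and admin-ACL enforcement for
 *       requests that carry a signed authentication token, and</li>
 *   <li>the Kerberos endpoint allow-list, which lets selected paths answer
 *       without any credentials.</li>
 * </ul>
 *
 * <p>Review note: the tests authenticate by signing a token locally with the
 * same secret the server is configured with. That shortcut works only because
 * the fixture knows the signature secret. Whoever holds that secret can mint a
 * token for any user name, so the constant secret and the wildcard proxy-user
 * host below are test fixtures, not settings to copy into a deployment.
 */
public class TestHttpServerWithSpnego {
    private static final String HTTP_USER = "HTTP";
    private static final String PREFIX = "hadoop.http.authentication.";
    /** Validity, in milliseconds, of tokens and of the signer secret used by the tests. */
    private static final long TIMEOUT = 20000;
    private static MiniKdc testMiniKDC;
    private static File httpSpnegoKeytabFile = new File(KerberosTestUtils.getKeytabFile());
    private static String httpSpnegoPrincipal = KerberosTestUtils.getServerPrincipal();
    private static String realm = KerberosTestUtils.getRealm();
    private static File testRootDir = new File("target", TestHttpServerWithSpnego.class.getName() + "-root");
    /** Fixed signing secret shared by the server (via {@link #secretFile}) and the test-side signer. */
    private static final String SECRET_STR = "secret";
    private static File secretFile = new File(testRootDir, SECRET_STR);

    /**
     * Starts the MiniKdc, creates the HTTP service principal in the SPNEGO
     * keytab, and writes the signature secret file the server will read.
     *
     * @throws AssertionError if the KDC cannot be started or the principal
     *         cannot be created; the original exception is kept as the cause
     * @throws Exception if the secret file cannot be written
     */
    @BeforeClass
    public static void setUp() throws Exception {
        try {
            testMiniKDC = new MiniKdc(MiniKdc.createConf(), testRootDir);
            testMiniKDC.start();
            testMiniKDC.createPrincipal(httpSpnegoKeytabFile, new String[]{HTTP_USER + "/localhost"});
        } catch (Exception e) {
            // Keep the cause: a bare assertTrue(false) hides why the KDC failed to come up.
            throw new AssertionError("Couldn't setup MiniKDC", e);
        }
        // try-with-resources so the handle is released even if write() throws.
        try (FileWriter secretWriter = new FileWriter(secretFile)) {
            secretWriter.write(SECRET_STR);
        }
    }

    /** Stops the MiniKdc if {@link #setUp()} managed to create it. */
    @AfterClass
    public static void tearDown() {
        if (testMiniKDC != null) {
            testMiniKDC.stop();
        }
    }

    /**
     * Verifies proxy-user authorization and admin-ACL enforcement.
     *
     * <p>Fixture: userA is in groupA and groupB, userB in groupB, userC in
     * groupC. userA is configured as a proxy user for groupB from any host,
     * and the server ACL is {@code "userA groupA"}.
     *
     * <p>Expected results, all with a locally signed token:
     * <ul>
     *   <li>userA with {@code doAs=userB} gets 200 on stacks, jmx and conf;</li>
     *   <li>userA with {@code doAs=userC} gets 403 on the same servlets;</li>
     *   <li>userA gets 200 on the two ACL-protected servlets;</li>
     *   <li>userB gets 403 on those two servlets.</li>
     * </ul>
     */
    @Test
    public void testAuthenticationWithProxyUser() throws Exception {
        Configuration spnegoConf = getSpnegoConf(new Configuration());
        spnegoConf.set(HttpServer2.FILTER_INITIALIZER_PROPERTY, ProxyUserAuthenticationFilterInitializer.class.getName());
        System.setProperty("hadoop.log.dir", testRootDir.getAbsolutePath());
        UserGroupInformation.createUserForTesting("userA", new String[]{"groupA", "groupB"});
        UserGroupInformation.createUserForTesting("userB", new String[]{"groupB"});
        UserGroupInformation.createUserForTesting("userC", new String[]{"groupC"});
        // Wildcard host is a test-only convenience; the group restriction is what the
        // doAs=userC assertion below exercises.
        spnegoConf.set("hadoop.proxyuser.userA.hosts", "*");
        spnegoConf.set("hadoop.proxyuser.userA.groups", "groupB");
        ProxyUsers.refreshSuperUserGroupsConfiguration(spnegoConf);

        // The decompiled listing indexed an undeclared temporary (r0[i]); the
        // servlet lists are named here so each loop iterates real values.
        String[] proxiedServlets = {"stacks", "jmx", "conf"};
        // NOTE(review): the second entry is a constant the decompiler substituted for a
        // string literal; confirm it resolves to the intended servlet path.
        String[] aclProtectedServlets = {"logLevel", YarnConfiguration.DEFAULT_NM_REMOTE_APP_LOG_DIR_SUFFIX};

        HttpServer2 httpServer2 = null;
        try {
            httpServer2 = getCommonBuilder().setConf(spnegoConf).setACL(new AccessControlList("userA groupA")).build();
            httpServer2.start();
            Signer signer = getSignerToEncrypt();
            AuthenticatedURL.Token userAToken = getEncryptedAuthToken(signer, "userA");
            String serverUrl = "http://" + NetUtils.getHostPortString(httpServer2.getConnectorAddress(0)) + "/";
            AuthenticatedURL authenticatedURL = new AuthenticatedURL();

            // userA may impersonate userB (member of groupB).
            for (String servlet : proxiedServlets) {
                HttpURLConnection conn = authenticatedURL.openConnection(new URL(serverUrl + servlet + "?doAs=userB"), userAToken);
                Assert.assertEquals(servlet + " doAs=userB", HttpURLConnection.HTTP_OK, conn.getResponseCode());
            }
            // userA may not impersonate userC (not in groupB).
            for (String servlet : proxiedServlets) {
                HttpURLConnection conn = authenticatedURL.openConnection(new URL(serverUrl + servlet + "?doAs=userC"), userAToken);
                Assert.assertEquals(servlet + " doAs=userC", HttpURLConnection.HTTP_FORBIDDEN, conn.getResponseCode());
            }
            // userA is named in the ACL, so the ACL-protected servlets answer.
            for (String servlet : aclProtectedServlets) {
                HttpURLConnection conn = authenticatedURL.openConnection(new URL(serverUrl + servlet), userAToken);
                Assert.assertEquals(servlet + " as userA", HttpURLConnection.HTTP_OK, conn.getResponseCode());
            }
            // userB is authenticated but neither named in the ACL nor in groupA.
            AuthenticatedURL.Token userBToken = getEncryptedAuthToken(signer, "userB");
            for (String servlet : aclProtectedServlets) {
                HttpURLConnection conn = authenticatedURL.openConnection(new URL(serverUrl + servlet), userBToken);
                Assert.assertEquals(servlet + " as userB", HttpURLConnection.HTTP_FORBIDDEN, conn.getResponseCode());
            }
        } finally {
            if (httpServer2 != null) {
                httpServer2.stop();
            }
        }
    }

    /**
     * Verifies the Kerberos endpoint allow-list: listed paths return 200 to a
     * request with no credentials, while other paths return 401.
     *
     * <p>Review note: every path placed on this list is reachable by
     * unauthenticated clients, which is exactly what the 200 assertions pin.
     * Keep the list minimal in real configurations.
     */
    @Test
    public void testAuthenticationToAllowList() throws Exception {
        Configuration spnegoConf = getSpnegoConf(new Configuration());
        String[] allowedPaths = {"/jmx", "/prom"};
        String[] protectedPaths = {"/conf", "/stacks", "/logLevel"};
        spnegoConf.set(PREFIX + "kerberos.endpoint.whitelist", String.join(",", allowedPaths));
        spnegoConf.set(CommonConfigurationKeysPublic.HADOOP_PROMETHEUS_ENABLED, "true");
        spnegoConf.set(HttpServer2.FILTER_INITIALIZER_PROPERTY, AuthenticationFilterInitializer.class.getName());
        System.setProperty("hadoop.log.dir", testRootDir.getAbsolutePath());
        HttpServer2 httpServer2 = null;
        try {
            httpServer2 = getCommonBuilder().setConf(spnegoConf).setSecurityEnabled(true).setUsernameConfKey(PREFIX + "kerberos.principal").setKeytabConfKey(PREFIX + "kerberos.keytab").build();
            httpServer2.start();
            String serverUrl = "http://" + NetUtils.getHostPortString(httpServer2.getConnectorAddress(0));
            // Plain URL connections: no token and no SPNEGO negotiation.
            for (String path : allowedPaths) {
                HttpURLConnection conn = (HttpURLConnection) new URL(serverUrl + path).openConnection();
                Assert.assertEquals(path, HttpURLConnection.HTTP_OK, conn.getResponseCode());
            }
            for (String path : protectedPaths) {
                HttpURLConnection conn = (HttpURLConnection) new URL(serverUrl + path).openConnection();
                Assert.assertEquals(path, HttpURLConnection.HTTP_UNAUTHORIZED, conn.getResponseCode());
            }
        } finally {
            if (httpServer2 != null) {
                httpServer2.stop();
            }
        }
    }

    /**
     * Builds a signed client token for {@code userName}.
     *
     * <p>The given name is used as both user name and principal, the type is
     * {@code "kerberos"}, and the token expires {@link #TIMEOUT} milliseconds
     * from now. No Kerberos exchange takes place; the token is only as
     * trustworthy as the secret held by {@code signer}.
     *
     * @param signer signer initialised with the server's signature secret
     * @param userName user the token should represent
     * @return the signed token, ready to pass to {@link AuthenticatedURL}
     */
    private AuthenticatedURL.Token getEncryptedAuthToken(Signer signer, String userName) throws Exception {
        AuthenticationToken authenticationToken = new AuthenticationToken(userName, userName, "kerberos");
        authenticationToken.setExpires(System.currentTimeMillis() + TIMEOUT);
        return new AuthenticatedURL.Token(signer.sign(authenticationToken.toString()));
    }

    /**
     * Creates a {@link Signer} backed by {@link #SECRET_STR}, the same value
     * {@link #setUp()} writes to the server's signature secret file.
     *
     * @return a signer whose signatures the test server accepts
     */
    private Signer getSignerToEncrypt() throws Exception {
        StringSignerSecretProvider secretProvider = StringSignerSecretProviderCreator.newStringSignerSecretProvider();
        Properties secretProps = new Properties();
        secretProps.setProperty(AuthenticationFilter.SIGNATURE_SECRET, SECRET_STR);
        secretProvider.init(secretProps, null, TIMEOUT);
        return new Signer(secretProvider);
    }

    /**
     * Returns a fresh configuration with Kerberos HTTP authentication enabled,
     * anonymous access disabled, and the keytab, principal, signature secret
     * file and cookie domain pointing at the class fixtures.
     *
     * @param configuration ignored; a new {@link Configuration} is always
     *        created, so nothing set on the argument carries over
     * @return the populated configuration
     */
    private Configuration getSpnegoConf(Configuration configuration) {
        Configuration spnegoConf = new Configuration();
        spnegoConf.set(CommonConfigurationKeysPublic.HADOOP_HTTP_AUTHENTICATION_TYPE, "kerberos");
        spnegoConf.setBoolean(PREFIX + "simple.anonymous.allowed", false);
        spnegoConf.set(PREFIX + "signature.secret.file", secretFile.getAbsolutePath());
        spnegoConf.set(PREFIX + "kerberos.keytab", httpSpnegoKeytabFile.getAbsolutePath());
        spnegoConf.set(PREFIX + "kerberos.principal", httpSpnegoPrincipal);
        spnegoConf.set(PREFIX + "cookie.domain", realm);
        spnegoConf.setBoolean("hadoop.security.authorization", true);
        return spnegoConf;
    }

    /**
     * Returns a builder for a server named {@code "test"} bound to
     * {@code http://localhost:0} with port search enabled.
     */
    private HttpServer2.Builder getCommonBuilder() throws Exception {
        return new HttpServer2.Builder().setName("test").addEndpoint(new URI("http://localhost:0")).setFindPort(true);
    }
}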
