package org.apache.ambari.server.security.authorization;

import com.google.common.collect.HashBasedTable;
import com.google.common.collect.Table;
import com.google.inject.AbstractModule;
import com.google.inject.Guice;
import com.google.inject.Injector;
import com.google.inject.Module;
import java.util.Collections;
import javax.persistence.EntityManager;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import junit.framework.Assert;
import org.apache.ambari.server.audit.AuditLogger;
import org.apache.ambari.server.configuration.Configuration;
import org.apache.ambari.server.hooks.HookContextFactory;
import org.apache.ambari.server.hooks.HookService;
import org.apache.ambari.server.ldap.service.AmbariLdapConfigurationProvider;
import org.apache.ambari.server.orm.DBAccessor;
import org.apache.ambari.server.orm.dao.UserDAO;
import org.apache.ambari.server.security.AmbariEntryPoint;
import org.apache.ambari.server.security.TestAuthenticationFactory;
import org.apache.ambari.server.state.stack.OsFamily;
import org.apache.ambari.server.view.ViewRegistry;
import org.easymock.EasyMock;
import org.junit.After;
import org.junit.Test;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.crypto.password.PasswordEncoder;

/* loaded from: input_file:org/apache/ambari/server/security/authorization/AmbariAuthorizationFilterTest.class */
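/**
 * Coarse-grained authorization checks of {@link AmbariAuthorizationFilter}.
 *
 * <p>Each access test builds a {@link Table} of {@code (request URI, HTTP method) -> expected}
 * where {@code true} means the filter must hand the request on to the {@link FilterChain} and
 * {@code false} means it must stop the request there. The bulk of the rows are identical for
 * every role and come from {@link #createCommonExpectations()}; each test then adds the rows
 * that actually differ between roles, so the role-specific decisions stay visible in one place.
 *
 * <p>Note that many "sensitive-looking" URIs (credentials, configurations, users) are
 * {@code true} for every role in these tables, including a user without permissions. This
 * filter is only the first gate; finer-grained checks are presumably enforced further down the
 * chain (confirm against the resource providers) and are not covered here.
 */
public class AmbariAuthorizationFilterTest {

    /**
     * Tests set an {@link Authentication} on the thread-bound security context; clear it so
     * state never leaks from one test into the next.
     */
    @After
    public void clearAuthentication() {
        SecurityContextHolder.getContext().setAuthentication(null);
    }

    /** An administrator reaches the chain for every URI/method in the table, including LDAP sync and arbitrary POSTs. */
    @Test
    public void testDoFilter_adminAccess() throws Exception {
        Table<String, String, Boolean> expectations = createCommonExpectations();
        expect(expectations, "/api/v1/groups", true, "GET");
        expect(expectations, "/api/v1/ldap_sync_events", true, "GET");
        expect(expectations, "/any/other/URL", true, "GET", "POST");
        performGeneralDoFilterTest(TestAuthenticationFactory.createAdministrator(), expectations, false);
    }

    /** A cluster user must not read LDAP sync events or POST to an arbitrary URL. */
    @Test
    public void testDoFilter_clusterViewerAccess() throws Exception {
        Table<String, String, Boolean> expectations = createCommonExpectations();
        expect(expectations, "/api/v1/groups", true, "GET");
        expect(expectations, "/api/v1/ldap_sync_events", false, "GET");
        expect(expectations, "/any/other/URL", true, "GET");
        expect(expectations, "/any/other/URL", false, "POST");
        performGeneralDoFilterTest(TestAuthenticationFactory.createClusterUser(), expectations, false);
    }

    /** A cluster operator behaves like a cluster user here, and additionally reaches the widgets endpoint. */
    @Test
    public void testDoFilter_clusterOperatorAccess() throws Exception {
        Table<String, String, Boolean> expectations = createCommonExpectations();
        expect(expectations, "/api/v1/groups", true, "GET");
        expect(expectations, "/api/v1/ldap_sync_events", false, "GET");
        expect(expectations, "/api/v1/clusters/c1/widgets", true, "GET", "PUT", "POST");
        expect(expectations, "/any/other/URL", true, "GET");
        expect(expectations, "/any/other/URL", false, "POST");
        performGeneralDoFilterTest(TestAuthenticationFactory.createClusterOperator(), expectations, false);
    }

    /** A view user (view id 99) gets the same decisions as a cluster user at this layer. */
    @Test
    public void testDoFilter_viewUserAccess() throws Exception {
        Table<String, String, Boolean> expectations = createCommonExpectations();
        expect(expectations, "/api/v1/groups", true, "GET");
        expect(expectations, "/api/v1/ldap_sync_events", false, "GET");
        expect(expectations, "/any/other/URL", true, "GET");
        expect(expectations, "/any/other/URL", false, "POST");
        performGeneralDoFilterTest(TestAuthenticationFactory.createViewUser(99L), expectations, false);
    }

    /**
     * A logged-in user with no permissions at all: arbitrary POSTs are stopped, GETs still pass.
     * The groups and LDAP sync rows are deliberately absent from this table (as in the original
     * expectations), so they are not asserted for this role.
     */
    @Test
    public void testDoFilter_userNoPermissionsAccess() throws Exception {
        Table<String, String, Boolean> expectations = createCommonExpectations();
        expect(expectations, "/any/other/URL", true, "GET");
        expect(expectations, "/any/other/URL", false, "POST");
        performGeneralDoFilterTest(TestAuthenticationFactory.createViewUser(null), expectations, false);
    }

    /**
     * With no authentication at all, a view URL (with or without a query string) is not chained
     * and the response is redirected to the login page with the original URI as target.
     */
    @Test
    public void testDoFilter_viewNotLoggedIn() throws Exception {
        Table<String, String, Boolean> expectations = HashBasedTable.create();
        expect(expectations, "/views/SomeView/SomeVersion/SomeInstance", false, "GET");
        expect(expectations, "/views/SomeView/SomeVersion/SomeInstance?foo=bar", false, "GET");
        performGeneralDoFilterTest(null, expectations, true);
    }

    /** Stack advisor validation/recommendation POSTs are chained for cluster admins, cluster users and administrators alike. */
    @Test
    public void testDoFilter_stackAdvisorCalls() throws Exception {
        Table<String, String, Boolean> expectations = HashBasedTable.create();
        expect(expectations, "/api/v1/stacks/HDP/versions/2.3/validations", true, "POST");
        expect(expectations, "/api/v1/stacks/HDP/versions/2.3/recommendations", true, "POST");
        performGeneralDoFilterTest(TestAuthenticationFactory.createClusterAdministrator(), expectations, false);
        performGeneralDoFilterTest(TestAuthenticationFactory.createClusterUser(), expectations, false);
        performGeneralDoFilterTest(TestAuthenticationFactory.createAdministrator(), expectations, false);
    }

    /**
     * When no authentication is present and the configuration names a default API user
     * ("user1"), the filter populates the security context with that user (looked up through
     * {@link Users}, with an empty authority list) and chains the request exactly once.
     *
     * <p>Wiring is done through a real Guice injector so that {@link PermissionHelper} and the
     * filter's injected members are resolved the same way as in production; every other
     * collaborator is a mock.
     */
    @Test
    public void testDoFilter_NotLoggedIn_UseDefaultUser() throws Exception {
        FilterChain filterChain = EasyMock.createStrictMock(FilterChain.class);
        HttpServletResponse httpServletResponse = EasyMock.createNiceMock(HttpServletResponse.class);
        HttpServletRequest httpServletRequest = EasyMock.createNiceMock(HttpServletRequest.class);
        EasyMock.expect(httpServletRequest.getRequestURI()).andReturn("/uri").anyTimes();
        EasyMock.expect(httpServletRequest.getQueryString()).andReturn(null).anyTimes();
        EasyMock.expect(httpServletRequest.getMethod()).andReturn("GET").anyTimes();

        // strict mock: the request must be chained exactly once and nothing else may be called
        filterChain.doFilter(EasyMock.<ServletRequest>anyObject(), EasyMock.<ServletResponse>anyObject());
        EasyMock.expectLastCall().once();

        final Configuration configuration = EasyMock.createMock(Configuration.class);
        EasyMock.expect(configuration.getDefaultApiAuthenticatedUser()).andReturn("user1").once();

        User user = EasyMock.createMock(User.class);
        EasyMock.expect(user.getUserName()).andReturn("user1").anyTimes();

        final Users users = EasyMock.createMock(Users.class);
        EasyMock.expect(users.getUser("user1")).andReturn(user).once();
        EasyMock.expect(users.getUserAuthorities("user1")).andReturn(Collections.emptyList()).once();

        EasyMock.replay(httpServletRequest, httpServletResponse, filterChain, configuration, users, user);

        Injector injector = Guice.createInjector(new AbstractModule() {
            @Override
            protected void configure() {
                bind(Configuration.class).toInstance(configuration);
                bind(Users.class).toInstance(users);
                bind(EntityManager.class).toInstance(EasyMock.createMock(EntityManager.class));
                bind(UserDAO.class).toInstance(EasyMock.createMock(UserDAO.class));
                bind(DBAccessor.class).toInstance(EasyMock.createMock(DBAccessor.class));
                bind(PasswordEncoder.class).toInstance(EasyMock.createMock(PasswordEncoder.class));
                bind(OsFamily.class).toInstance(EasyMock.createMock(OsFamily.class));
                bind(AuditLogger.class).toInstance(EasyMock.createNiceMock(AuditLogger.class));
                bind(HookService.class).toInstance(EasyMock.createMock(HookService.class));
                bind(HookContextFactory.class).toInstance(EasyMock.createMock(HookContextFactory.class));
                bind(AmbariLdapConfigurationProvider.class).toInstance(EasyMock.createMock(AmbariLdapConfigurationProvider.class));
            }
        });

        AmbariAuthorizationFilter filter = new AmbariAuthorizationFilter(
            EasyMock.createNiceMock(AmbariEntryPoint.class),
            injector.getInstance(Configuration.class),
            injector.getInstance(Users.class),
            injector.getInstance(AuditLogger.class),
            injector.getInstance(PermissionHelper.class));
        injector.injectMembers(filter);

        filter.doFilter(httpServletRequest, httpServletResponse, filterChain);

        Assert.assertEquals("user1", SecurityContextHolder.getContext().getAuthentication().getName());
    }

    /**
     * Rows shared by every role-based access test: URIs whose chaining decision does not
     * depend on the role at this filter. Role-specific rows are added by the individual tests.
     *
     * @return a fresh, mutable table; callers may add to it freely
     */
    private static Table<String, String, Boolean> createCommonExpectations() {
        Table<String, String, Boolean> table = HashBasedTable.create();
        expect(table, "/api/v1/clusters/cluster", true, "GET", "POST");
        expect(table, "/api/v1/clusters/cluster/", true, "GET", "POST");
        expect(table, "/api/v1/views", true, "GET", "POST");
        expect(table, "/api/v1/persist/SomeValue", true, "GET", "POST");
        expect(table, "/api/v1/clusters/c1/credentials/ambari.credential", true, "POST", "PUT", "GET", "DELETE");
        expect(table, "/api/v1/clusters/c1/credentials/cluster.credential", true, "POST", "PUT", "GET", "DELETE");
        expect(table, "/api/v1/clusters/c1/config_groups", true, "GET", "PUT", "POST", "DELETE");
        expect(table, "/api/v1/clusters/c1/configurations", true, "GET", "PUT", "POST", "DELETE");
        expect(table, "/views/AllowedView/SomeVersion/SomeInstance", true, "GET", "POST");
        expect(table, "/views/DeniedView/AnotherVersion/AnotherInstance", true, "GET", "POST");
        expect(table, "/api/v1/users/user1", true, "GET", "POST");
        expect(table, "/api/v1/users/user2", true, "GET", "POST");
        return table;
    }

    /**
     * Records one expectation per HTTP method for the given URI.
     *
     * @param table   the expectation table to fill
     * @param uri     request URI, optionally followed by {@code ?query}
     * @param chained {@code true} if the filter must pass the request on to the chain
     * @param methods HTTP methods to record for this URI
     */
    private static void expect(Table<String, String, Boolean> table, String uri, boolean chained, String... methods) {
        for (String method : methods) {
            table.put(uri, method, chained);
        }
    }

    /**
     * Runs the filter once per table cell and checks the chaining decision.
     *
     * <p>The filter is a partial mock: only {@code getSecurityContext()} and
     * {@code getViewRegistry()} are stubbed, so the authorization logic itself is the real one.
     * The view registry denies every permission check for the "DeniedView" view and (being a
     * nice mock) answers {@code false} for everything else too. Audit logging is disabled.
     *
     * @param authentication       authentication to place in the security context, or {@code null} for an anonymous request
     * @param table                {@code (URI[?query], method) -> true} if the chain must be invoked exactly once, {@code false} if it must not be invoked at all
     * @param expectRedirectToLogin when {@code true}, each request must also be redirected to {@code /#/login?targetURI=<URI>}
     * @throws Exception with the offending method and URI in the message when a cell's expectation fails
     */
    private void performGeneralDoFilterTest(Authentication authentication, Table<String, String, Boolean> table,
                                            boolean expectRedirectToLogin) throws Exception {
        SecurityContextHolder.getContext().setAuthentication(authentication);

        FilterConfig filterConfig = EasyMock.createNiceMock(FilterConfig.class);
        Configuration configuration = EasyMock.createMock(Configuration.class);
        // no default API user: an unauthenticated request stays unauthenticated
        EasyMock.expect(configuration.getDefaultApiAuthenticatedUser()).andReturn(null).anyTimes();
        AuditLogger auditLogger = EasyMock.createNiceMock(AuditLogger.class);
        EasyMock.expect(auditLogger.isEnabled()).andReturn(false).anyTimes();

        AmbariAuthorizationFilter filter = EasyMock.createMockBuilder(AmbariAuthorizationFilter.class)
            .addMockedMethod("getSecurityContext")
            .addMockedMethod("getViewRegistry")
            .withConstructor(EasyMock.createNiceMock(AmbariEntryPoint.class), configuration,
                EasyMock.createNiceMock(Users.class), auditLogger, EasyMock.createNiceMock(PermissionHelper.class))
            .createMock();
        ViewRegistry viewRegistry = EasyMock.createNiceMock(ViewRegistry.class);

        EasyMock.expect(filterConfig.getInitParameter("realm")).andReturn("AuthFilter").anyTimes();
        EasyMock.expect(filter.getSecurityContext()).andReturn(SecurityContextHolder.getContext()).anyTimes();
        EasyMock.expect(filter.getViewRegistry()).andReturn(viewRegistry).anyTimes();
        EasyMock.expect(viewRegistry.checkPermission(EasyMock.eq("DeniedView"), EasyMock.<String>anyObject(),
            EasyMock.<String>anyObject(), EasyMock.anyBoolean())).andReturn(false).anyTimes();

        EasyMock.replay(filterConfig, filter, viewRegistry, configuration, auditLogger);

        for (Table.Cell<String, String, Boolean> cell : table.cellSet()) {
            String uriWithQuery = cell.getRowKey();
            String method = cell.getColumnKey();
            boolean shouldChain = cell.getValue();

            // strict mock: any call not expected below (i.e. an unexpected doFilter) raises AssertionError
            FilterChain filterChain = EasyMock.createStrictMock(FilterChain.class);
            HttpServletRequest httpServletRequest = EasyMock.createNiceMock(HttpServletRequest.class);
            HttpServletResponse httpServletResponse = EasyMock.createNiceMock(HttpServletResponse.class);

            // the row key may carry a query string; split it the way the container would
            String[] uriParts = uriWithQuery.split("\\?");
            EasyMock.expect(httpServletRequest.getRequestURI()).andReturn(uriParts[0]).anyTimes();
            EasyMock.expect(httpServletRequest.getQueryString()).andReturn(uriParts.length == 2 ? uriParts[1] : null).anyTimes();
            EasyMock.expect(httpServletRequest.getMethod()).andReturn(method).anyTimes();

            if (expectRedirectToLogin) {
                String redirectUrl = "/#/login?targetURI=" + uriWithQuery;
                EasyMock.expect(httpServletResponse.encodeRedirectURL(redirectUrl)).andReturn(redirectUrl);
                httpServletResponse.sendRedirect(redirectUrl);
            }
            if (shouldChain) {
                filterChain.doFilter(EasyMock.<ServletRequest>anyObject(), EasyMock.<ServletResponse>anyObject());
                EasyMock.expectLastCall().once();
            }
            EasyMock.replay(httpServletRequest, httpServletResponse, filterChain);

            try {
                filter.doFilter(httpServletRequest, httpServletResponse, filterChain);
            } catch (AssertionError e) {
                // only the strict filterChain mock can raise this here: the request was chained although the table says it must not be
                throw new Exception("doFilter() should not be chained on " + method + " " + uriWithQuery, e);
            }
            try {
                EasyMock.verify(filterChain);
                if (expectRedirectToLogin) {
                    EasyMock.verify(httpServletResponse);
                }
            } catch (AssertionError e) {
                throw new Exception("verify( failed on " + method + " " + uriWithQuery, e);
            }
        }
    }
}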
