package org.apache.hadoop.yarn.server.resourcemanager.security;

import java.io.IOException;
import java.net.InetSocketAddress;
import java.security.PrivilegedAction;
import java.util.Arrays;
import java.util.Collection;
import java.util.concurrent.atomic.AtomicReference;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;
import org.apache.hadoop.yarn.api.ApplicationMasterProtocol;
import org.apache.hadoop.yarn.api.protocolrecords.AllocateRequest;
import org.apache.hadoop.yarn.api.protocolrecords.FinishApplicationMasterRequest;
import org.apache.hadoop.yarn.api.protocolrecords.RegisterApplicationMasterRequest;
import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
import org.apache.hadoop.yarn.api.records.ContainerState;
import org.apache.hadoop.yarn.api.records.FinalApplicationStatus;
import org.apache.hadoop.yarn.ipc.YarnRPC;
import org.apache.hadoop.yarn.security.AMRMTokenIdentifier;
import org.apache.hadoop.yarn.server.resourcemanager.MockAM;
import org.apache.hadoop.yarn.server.resourcemanager.MockNM;
import org.apache.hadoop.yarn.server.resourcemanager.MockRM;
import org.apache.hadoop.yarn.server.resourcemanager.RMContext;
import org.apache.hadoop.yarn.server.resourcemanager.RMSecretManagerService;
import org.apache.hadoop.yarn.server.resourcemanager.TestAMAuthorization;
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp;
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttempt;
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttemptState;
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.event.RMAppAttemptContainerFinishedEvent;
import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fair.FairSchedulerConfiguration;
import org.apache.hadoop.yarn.server.security.MasterKeyData;
import org.apache.hadoop.yarn.server.utils.BuilderUtils;
import org.apache.hadoop.yarn.util.ConverterUtils;
import org.apache.hadoop.yarn.util.Records;
import org.junit.Assert;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.Parameterized;
import org.mockito.Mockito;

/* JADX WARN: Classes with same name are omitted:
  input_file:hadoop-yarn-server-resourcemanager-2.10.1-ODI-tests.jar:org/apache/hadoop/yarn/server/resourcemanager/security/TestAMRMTokens.class
 */
@RunWith(Parameterized.class)
/* loaded from: input_file:test-classes/org/apache/hadoop/yarn/server/resourcemanager/security/TestAMRMTokens.class */
public class TestAMRMTokens {
    private static final Log LOG = LogFactory.getLog(TestAMRMTokens.class);
    private final Configuration conf;
    private static final int maxWaitAttempts = 50;
    private static final int rolling_interval_sec = 13;
    private static final long am_expire_ms = 4000;

    @Parameterized.Parameters
    public static Collection<Object[]> configs() {
        Configuration configuration = new Configuration();
        Configuration configuration2 = new Configuration();
        configuration2.set("hadoop.security.authentication", "kerberos");
        return Arrays.asList(new Object[]{configuration}, new Object[]{configuration2});
    }

    public TestAMRMTokens(Configuration configuration) {
        this.conf = configuration;
        UserGroupInformation.setConfiguration(configuration);
    }

    @Test
    public void testTokenExpiry() throws Exception {
        this.conf.setLong("yarn.resourcemanager.am-rm-tokens.master-key-rolling-interval-secs", 86400L);
        this.conf.setLong("yarn.am.liveness-monitor.expiry-interval-ms", 600000L);
        this.conf.set("yarn.resourcemanager.scheduler.address", "0.0.0.0:0");
        TestAMAuthorization.MyContainerManager myContainerManager = new TestAMAuthorization.MyContainerManager();
        TestAMAuthorization.MockRMWithAMS mockRMWithAMS = new TestAMAuthorization.MockRMWithAMS(this.conf, myContainerManager);
        mockRMWithAMS.start();
        Configuration config = mockRMWithAMS.getConfig();
        YarnRPC create = YarnRPC.create(config);
        ApplicationMasterProtocol applicationMasterProtocol = null;
        try {
            MockNM registerNode = mockRMWithAMS.registerNode("localhost:1234", 5120);
            RMApp submitApp = mockRMWithAMS.submitApp(FairSchedulerConfiguration.DEFAULT_RM_SCHEDULER_INCREMENT_ALLOCATION_MB);
            registerNode.nodeHeartbeat(true);
            int i = 0;
            while (myContainerManager.containerTokens == null) {
                int i2 = i;
                i++;
                if (i2 >= 20) {
                    break;
                }
                LOG.info("Waiting for AM Launch to happen..");
                Thread.sleep(1000L);
            }
            Assert.assertNotNull(myContainerManager.containerTokens);
            RMAppAttempt currentAppAttempt = submitApp.getCurrentAppAttempt();
            ApplicationAttemptId appAttemptId = currentAppAttempt.getAppAttemptId();
            UserGroupInformation createRemoteUser = UserGroupInformation.createRemoteUser(appAttemptId.toString());
            createRemoteUser.addToken(TestAMAuthorization.MockRMWithAMS.setupAndReturnAMRMToken(mockRMWithAMS.getApplicationMasterService().getBindAddress(), myContainerManager.getContainerCredentials().getAllTokens()));
            ApplicationMasterProtocol createRMClient = createRMClient(mockRMWithAMS, config, create, createRemoteUser);
            createRMClient.registerApplicationMaster((RegisterApplicationMasterRequest) Records.newRecord(RegisterApplicationMasterRequest.class));
            FinishApplicationMasterRequest finishApplicationMasterRequest = (FinishApplicationMasterRequest) Records.newRecord(FinishApplicationMasterRequest.class);
            finishApplicationMasterRequest.setFinalApplicationStatus(FinalApplicationStatus.SUCCEEDED);
            finishApplicationMasterRequest.setDiagnostics("diagnostics");
            finishApplicationMasterRequest.setTrackingUrl("url");
            createRMClient.finishApplicationMaster(finishApplicationMasterRequest);
            mockRMWithAMS.getRMContext().getDispatcher().getEventHandler().handle(new RMAppAttemptContainerFinishedEvent(appAttemptId, BuilderUtils.newContainerStatus(currentAppAttempt.getMasterContainer().getId(), ContainerState.COMPLETE, "AM Container Finished", 0, currentAppAttempt.getMasterContainer().getResource()), registerNode.getNodeId()));
            for (int i3 = 0; currentAppAttempt.getState() != RMAppAttemptState.FINISHED && i3 < maxWaitAttempts; i3++) {
                Thread.sleep(100L);
            }
            Assert.assertTrue(currentAppAttempt.getState() == RMAppAttemptState.FINISHED);
            create.stopProxy(createRMClient, config);
            applicationMasterProtocol = createRMClient(mockRMWithAMS, config, create, createRemoteUser);
            try {
                applicationMasterProtocol.allocate((AllocateRequest) Records.newRecord(AllocateRequest.class));
                Assert.fail("You got to be kidding me! Using App tokens after app-finish should fail!");
            } catch (Throwable th) {
                LOG.info("Exception found is ", th);
                Assert.assertTrue(th.getCause().getMessage().contains(appAttemptId.toString() + " not found in AMRMTokenSecretManager."));
            }
            mockRMWithAMS.stop();
            if (applicationMasterProtocol != null) {
                create.stopProxy(applicationMasterProtocol, config);
            }
        } catch (Throwable th2) {
            mockRMWithAMS.stop();
            if (applicationMasterProtocol != null) {
                create.stopProxy(applicationMasterProtocol, config);
            }
            throw th2;
        }
    }

    @Test
    public void testMasterKeyRollOver() throws Exception {
        this.conf.setLong("yarn.resourcemanager.am-rm-tokens.master-key-rolling-interval-secs", 13L);
        this.conf.setLong("yarn.am.liveness-monitor.expiry-interval-ms", am_expire_ms);
        this.conf.set("yarn.resourcemanager.scheduler.address", "0.0.0.0:0");
        TestAMAuthorization.MyContainerManager myContainerManager = new TestAMAuthorization.MyContainerManager();
        TestAMAuthorization.MockRMWithAMS mockRMWithAMS = new TestAMAuthorization.MockRMWithAMS(this.conf, myContainerManager);
        mockRMWithAMS.start();
        Long valueOf = Long.valueOf(System.currentTimeMillis());
        Configuration config = mockRMWithAMS.getConfig();
        YarnRPC create = YarnRPC.create(config);
        ApplicationMasterProtocol applicationMasterProtocol = null;
        AMRMTokenSecretManager aMRMTokenSecretManager = mockRMWithAMS.getRMContext().getAMRMTokenSecretManager();
        MasterKeyData masterKey = aMRMTokenSecretManager.getMasterKey();
        Assert.assertNotNull(masterKey);
        try {
            MockNM registerNode = mockRMWithAMS.registerNode("localhost:1234", 5120);
            RMApp submitApp = mockRMWithAMS.submitApp(FairSchedulerConfiguration.DEFAULT_RM_SCHEDULER_INCREMENT_ALLOCATION_MB);
            registerNode.nodeHeartbeat(true);
            int i = 0;
            while (myContainerManager.containerTokens == null) {
                int i2 = i;
                i++;
                if (i2 >= maxWaitAttempts) {
                    break;
                }
                LOG.info("Waiting for AM Launch to happen..");
                Thread.sleep(1000L);
            }
            Assert.assertNotNull(myContainerManager.containerTokens);
            ApplicationAttemptId appAttemptId = submitApp.getCurrentAppAttempt().getAppAttemptId();
            UserGroupInformation createRemoteUser = UserGroupInformation.createRemoteUser(appAttemptId.toString());
            Credentials containerCredentials = myContainerManager.getContainerCredentials();
            InetSocketAddress bindAddress = mockRMWithAMS.getApplicationMasterService().getBindAddress();
            Token<? extends TokenIdentifier> token = TestAMAuthorization.MockRMWithAMS.setupAndReturnAMRMToken(bindAddress, containerCredentials.getAllTokens());
            createRemoteUser.addToken(token);
            ApplicationMasterProtocol createRMClient = createRMClient(mockRMWithAMS, config, create, createRemoteUser);
            createRMClient.registerApplicationMaster((RegisterApplicationMasterRequest) Records.newRecord(RegisterApplicationMasterRequest.class));
            AllocateRequest allocateRequest = (AllocateRequest) Records.newRecord(AllocateRequest.class);
            Assert.assertTrue(createRMClient.allocate(allocateRequest).getAMCommand() == null);
            while (System.currentTimeMillis() - valueOf.longValue() < 13000) {
                createRMClient.allocate(allocateRequest);
                Thread.sleep(500L);
            }
            MasterKeyData masterKey2 = aMRMTokenSecretManager.getMasterKey();
            Assert.assertNotNull(masterKey2);
            Assert.assertFalse("Master key should have changed!", masterKey.equals(masterKey2));
            create.stopProxy(createRMClient, config);
            ApplicationMasterProtocol createRMClient2 = createRMClient(mockRMWithAMS, config, create, createRemoteUser);
            Assert.assertTrue(createRMClient2.allocate(allocateRequest).getAMCommand() == null);
            int i3 = 0;
            while (true) {
                int i4 = i3;
                i3++;
                if (i4 > maxWaitAttempts || aMRMTokenSecretManager.getCurrnetMasterKeyData() != masterKey) {
                    break;
                }
                try {
                    createRMClient2.allocate(allocateRequest);
                    Thread.sleep(200L);
                } catch (Exception e) {
                }
            }
            Assert.assertTrue(aMRMTokenSecretManager.getCurrnetMasterKeyData().equals(masterKey2));
            Assert.assertTrue(aMRMTokenSecretManager.getMasterKey().equals(masterKey2));
            Assert.assertTrue(aMRMTokenSecretManager.getNextMasterKeyData() == null);
            Token<AMRMTokenIdentifier> createAndGetAMRMToken = aMRMTokenSecretManager.createAndGetAMRMToken(appAttemptId);
            SecurityUtil.setTokenService(createAndGetAMRMToken, bindAddress);
            createRemoteUser.addToken(createAndGetAMRMToken);
            create.stopProxy(createRMClient2, config);
            applicationMasterProtocol = createRMClient(mockRMWithAMS, config, create, createRemoteUser);
            Assert.assertTrue(applicationMasterProtocol.allocate((AllocateRequest) Records.newRecord(AllocateRequest.class)).getAMCommand() == null);
            create.stopProxy(applicationMasterProtocol, config);
            try {
                createRemoteUser.addToken(token);
                applicationMasterProtocol = createRMClient(mockRMWithAMS, config, create, createRemoteUser);
                Assert.assertTrue(applicationMasterProtocol.allocate((AllocateRequest) Records.newRecord(AllocateRequest.class)).getAMCommand() == null);
                Assert.fail("The old Token should not work");
            } catch (Exception e2) {
            }
        } finally {
            mockRMWithAMS.stop();
            if (applicationMasterProtocol != null) {
                create.stopProxy(applicationMasterProtocol, config);
            }
        }
    }

    @Test(timeout = 20000)
    public void testAMRMMasterKeysUpdate() throws Exception {
        final AtomicReference atomicReference = new AtomicReference();
        MockRM mockRM = new MockRM(this.conf) { // from class: org.apache.hadoop.yarn.server.resourcemanager.security.TestAMRMTokens.1
            @Override // org.apache.hadoop.yarn.server.resourcemanager.ResourceManager
            protected void doSecureLogin() throws IOException {
            }

            @Override // org.apache.hadoop.yarn.server.resourcemanager.ResourceManager
            protected RMSecretManagerService createRMSecretManagerService() {
                return new RMSecretManagerService(TestAMRMTokens.this.conf, this.rmContext) { // from class: org.apache.hadoop.yarn.server.resourcemanager.security.TestAMRMTokens.1.1
                    /* JADX INFO: Access modifiers changed from: protected */
                    @Override // org.apache.hadoop.yarn.server.resourcemanager.RMSecretManagerService
                    public AMRMTokenSecretManager createAMRMTokenSecretManager(Configuration configuration, RMContext rMContext) {
                        AMRMTokenSecretManager aMRMTokenSecretManager = (AMRMTokenSecretManager) Mockito.spy(super.createAMRMTokenSecretManager(configuration, rMContext));
                        atomicReference.set(aMRMTokenSecretManager);
                        return aMRMTokenSecretManager;
                    }
                };
            }
        };
        mockRM.start();
        MockNM registerNode = mockRM.registerNode("127.0.0.1:1234", 8000);
        RMApp submitApp = mockRM.submitApp(200);
        MockAM launchAndRegisterAM = MockRM.launchAndRegisterAM(submitApp, mockRM, registerNode);
        AMRMTokenSecretManager aMRMTokenSecretManager = (AMRMTokenSecretManager) atomicReference.get();
        Assert.assertNull(launchAndRegisterAM.allocate((AllocateRequest) Records.newRecord(AllocateRequest.class)).getAMRMToken());
        Token<AMRMTokenIdentifier> aMRMToken = mockRM.getRMContext().getRMApps().get(submitApp.getApplicationId()).getRMAppAttempt(launchAndRegisterAM.getApplicationAttemptId()).getAMRMToken();
        mockRM.getRMContext().getAMRMTokenSecretManager().rollMasterKey();
        Assert.assertNotNull(launchAndRegisterAM.allocate((AllocateRequest) Records.newRecord(AllocateRequest.class)).getAMRMToken());
        Assert.assertEquals(ConverterUtils.convertFromYarn(r0.getAMRMToken(), new Text(r0.getAMRMToken().getService())).decodeIdentifier().getKeyId(), mockRM.getRMContext().getAMRMTokenSecretManager().getMasterKey().getMasterKey().getKeyId());
        Mockito.reset(new AMRMTokenSecretManager[]{aMRMTokenSecretManager});
        UserGroupInformation createUserForTesting = UserGroupInformation.createUserForTesting(launchAndRegisterAM.getApplicationAttemptId().toString(), new String[0]);
        createUserForTesting.addTokenIdentifier(aMRMToken.decodeIdentifier());
        Assert.assertNotNull(launchAndRegisterAM.doAllocateAs(createUserForTesting, (AllocateRequest) Records.newRecord(AllocateRequest.class)).getAMRMToken());
        ((AMRMTokenSecretManager) Mockito.verify(aMRMTokenSecretManager, Mockito.never())).createAndGetAMRMToken((ApplicationAttemptId) Mockito.isA(ApplicationAttemptId.class));
        Assert.assertNull(launchAndRegisterAM.allocate((AllocateRequest) Records.newRecord(AllocateRequest.class)).getAMRMToken());
        mockRM.getRMContext().getAMRMTokenSecretManager().activateNextMasterKey();
        Assert.assertNull(launchAndRegisterAM.allocate((AllocateRequest) Records.newRecord(AllocateRequest.class)).getAMRMToken());
        mockRM.stop();
    }

    private ApplicationMasterProtocol createRMClient(final MockRM mockRM, final Configuration configuration, final YarnRPC yarnRPC, UserGroupInformation userGroupInformation) {
        return (ApplicationMasterProtocol) userGroupInformation.doAs(new PrivilegedAction<ApplicationMasterProtocol>() { // from class: org.apache.hadoop.yarn.server.resourcemanager.security.TestAMRMTokens.2
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedAction
            public ApplicationMasterProtocol run() {
                return (ApplicationMasterProtocol) yarnRPC.getProxy(ApplicationMasterProtocol.class, mockRM.getApplicationMasterService().getBindAddress(), configuration);
            }
        });
    }
}
