package org.apache.hadoop.yarn.server.resourcemanager.webapp;

import com.sun.jersey.api.client.ClientResponse;
import java.io.BufferedReader;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.io.StringWriter;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.Arrays;
import java.util.Collection;
import java.util.concurrent.Callable;
import javax.xml.bind.JAXBContext;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.io.IOUtils;
import org.apache.hadoop.minikdc.MiniKdc;
import org.apache.hadoop.security.AuthenticationFilterInitializer;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.KerberosTestUtils;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.yarn.api.records.ApplicationId;
import org.apache.hadoop.yarn.server.resourcemanager.MockRM;
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp;
import org.apache.hadoop.yarn.server.resourcemanager.scheduler.ResourceScheduler;
import org.apache.hadoop.yarn.server.resourcemanager.scheduler.fifo.FifoScheduler;
import org.apache.hadoop.yarn.server.resourcemanager.webapp.dao.ApplicationSubmissionContextInfo;
import org.codehaus.jettison.json.JSONObject;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.Parameterized;

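/**
 * Exercises delegation-token authentication on the ResourceManager web services with
 * Kerberos/SPNEGO enabled, against a {@link MiniKdc} and a {@link MockRM} started in-process.
 *
 * <p>Every test runs twice, once per delegation-token request header
 * ({@link #OldDelegationTokenHeader} and {@link #NewDelegationTokenHeader}). The security
 * properties pinned here are:
 * <ul>
 *   <li>a request carrying no credentials is answered with 401;</li>
 *   <li>a valid delegation token authenticates the request as the user it was issued to;</li>
 *   <li>a cancelled token is answered with 403;</li>
 *   <li>a caller authenticated only by a delegation token can neither create, renew nor cancel
 *       delegation tokens, nor impersonate another user through {@code doAs}.</li>
 * </ul>
 *
 * <p>All requests go to {@code http://localhost:8088} in clear text; this is test-only wiring.
 */
@RunWith(Parameterized.class)
public class TestRMWebServicesDelegationTokenAuthentication {
    private static final String SUN_SECURITY_KRB5_RCACHE_KEY = "sun.security.krb5.rcache";

    // Endpoints and fixed values shared by the tests below.
    private static final String APPS_URL = "http://localhost:8088/ws/v1/cluster/apps";
    private static final String DELEGATION_TOKEN_URL = "http://localhost:8088/ws/v1/cluster/delegation-token";
    private static final String RM_DELEGATION_TOKEN_HEADER = "Hadoop-YARN-RM-Delegation-Token";
    private static final String TEST_APP_ID = "application_123_0";
    private static final String RENEWER_BODY = "{\"renewer\":\"renewer\"}";

    private static MiniKdc testMiniKDC;
    // Value of sun.security.krb5.rcache before the class ran; null means it was unset.
    private static String sunSecurityKrb5RcacheValue;
    private MockRM rm;
    // Header name under test for this parameterized run.
    String delegationTokenHeader;
    static final String OldDelegationTokenHeader = "Hadoop-YARN-Auth-Delegation-Token";
    static final String NewDelegationTokenHeader = "X-Hadoop-Delegation-Token";
    private static final File testRootDir = new File("target", TestRMWebServicesDelegationTokenAuthentication.class.getName() + "-root");
    private static File httpSpnegoKeytabFile = new File(KerberosTestUtils.getKeytabFile());
    private static String httpSpnegoPrincipal = KerberosTestUtils.getServerPrincipal();
    private static boolean miniKDCStarted = false;

    /**
     * Starts the MiniKdc once for the whole class.
     *
     * <p>The JVM property {@code sun.security.krb5.rcache} is switched to {@code "none"} for the
     * duration of the class and restored in {@link #tearDown()}. NOTE(review): presumably this
     * keeps the Kerberos replay cache from interfering with the repeated authentications the
     * tests perform; it is a test-only setting.
     *
     * @throws AssertionError if the KDC cannot be created or started; the underlying exception
     *     is attached as the cause so the failure can be diagnosed
     */
    @BeforeClass
    public static void setUp() {
        try {
            sunSecurityKrb5RcacheValue = System.getProperty(SUN_SECURITY_KRB5_RCACHE_KEY);
            System.setProperty(SUN_SECURITY_KRB5_RCACHE_KEY, "none");
            testMiniKDC = new MiniKdc(MiniKdc.createConf(), testRootDir);
            setupKDC();
        } catch (Exception e) {
            // Keep the original failure message but do not discard the cause.
            throw new AssertionError("Couldn't create MiniKDC", e);
        }
    }

    /** Stops the MiniKdc and puts {@code sun.security.krb5.rcache} back to its previous state. */
    @AfterClass
    public static void tearDown() {
        if (testMiniKDC != null) {
            testMiniKDC.stop();
        }
        if (sunSecurityKrb5RcacheValue == null) {
            System.clearProperty(SUN_SECURITY_KRB5_RCACHE_KEY);
        } else {
            System.setProperty(SUN_SECURITY_KRB5_RCACHE_KEY, sunSecurityKrb5RcacheValue);
        }
    }

    /** Starts a fresh, Kerberos-secured MockRM before each test. */
    @Before
    public void before() throws Exception {
        setupAndStartRM();
    }

    /** Stops the MockRM started for the test, if any. */
    @After
    public void after() {
        if (this.rm != null) {
            this.rm.stop();
        }
    }

    /**
     * Supplies the two delegation-token header names the suite is run with.
     *
     * @return one single-element parameter array per header name
     */
    @Parameterized.Parameters
    public static Collection<Object[]> headers() {
        return Arrays.asList(new Object[][] {{OldDelegationTokenHeader}, {NewDelegationTokenHeader}});
    }

    /**
     * @param header name of the HTTP header used to present the delegation token in this run
     */
    public TestRMWebServicesDelegationTokenAuthentication(String header) throws Exception {
        this.delegationTokenHeader = header;
    }

    /**
     * Builds the secured configuration and starts the MockRM with its web app enabled.
     *
     * <p>Several values are deliberate test shortcuts and should not be copied into a real
     * deployment: the SPNEGO keytab doubles as the authentication signature secret file, and
     * the {@code client} proxy user may impersonate any group from any host ({@code "*"}),
     * which {@link #testDoAs()} relies on.
     */
    private void setupAndStartRM() throws Exception {
        String keytabPath = httpSpnegoKeytabFile.getAbsolutePath();
        Configuration conf = new Configuration();
        conf.setInt("yarn.resourcemanager.am.max-attempts", 2);
        conf.setClass("yarn.resourcemanager.scheduler.class", FifoScheduler.class, ResourceScheduler.class);
        conf.setBoolean("yarn.acl.enable", true);

        // HTTP layer: Kerberos (SPNEGO) authentication plus the RM delegation-token filter.
        conf.setStrings("hadoop.http.authentication.type", "kerberos");
        conf.set("hadoop.http.authentication.kerberos.principal", httpSpnegoPrincipal);
        conf.set("hadoop.http.authentication.kerberos.keytab", keytabPath);
        // Test shortcut: the keytab file is reused as the signature secret.
        conf.set("hadoop.http.authentication.signature.secret.file", keytabPath);
        conf.set("hadoop.security.authentication", "kerberos");
        conf.setBoolean("yarn.resourcemanager.webapp.delegation-token-auth-filter.enabled", true);
        conf.set("hadoop.http.filter.initializers", AuthenticationFilterInitializer.class.getName());

        conf.set("yarn.resourcemanager.webapp.spnego-principal", httpSpnegoPrincipal);
        conf.set("yarn.resourcemanager.keytab", keytabPath);
        conf.set("yarn.resourcemanager.webapp.spnego-keytab-file", keytabPath);
        conf.set("yarn.nodemanager.webapp.spnego-principal", httpSpnegoPrincipal);
        conf.set("yarn.nodemanager.webapp.spnego-keytab-file", keytabPath);
        conf.setBoolean("mockrm.webapp.enabled", true);

        // Wildcard proxy-user grant for "client": intentionally wide open, test only.
        conf.set("yarn.resourcemanager.proxyuser.client.hosts", "*");
        conf.set("yarn.resourcemanager.proxyuser.client.groups", "*");

        UserGroupInformation.setConfiguration(conf);
        this.rm = new MockRM(conf);
        this.rm.start();
    }

    /**
     * Starts the KDC and registers the principals the tests log in as; a second call is a no-op.
     */
    private static void setupKDC() throws Exception {
        if (miniKDCStarted) {
            return;
        }
        testMiniKDC.start();
        getKdc().createPrincipal(httpSpnegoKeytabFile, "HTTP/localhost", "client",
                UserGroupInformation.getLoginUser().getShortUserName(), "client2");
        miniKDCStarted = true;
    }

    private static MiniKdc getKdc() {
        return testMiniKDC;
    }

    /**
     * An application submission without credentials must be answered with 401; the same
     * submission carrying a delegation token must succeed and be recorded under the user the
     * token was issued to ({@code client}), not under the renewer.
     */
    @Test
    public void testDelegationTokenAuth() throws Exception {
        String token = getDelegationToken("test");
        ApplicationSubmissionContextInfo app = new ApplicationSubmissionContextInfo();
        app.setApplicationId(TEST_APP_ID);
        String appXml = getMarshalledAppInfo(app);

        // No token, no Kerberos: the request has to be rejected as unauthenticated.
        HttpURLConnection anonymous = openConnection(APPS_URL);
        setupConn(anonymous, "POST", "application/xml", appXml);
        assertRejected(anonymous, ClientResponse.Status.UNAUTHORIZED, "we should not be here");

        // The header must be set before setupConn, which writes the body and so sends the request.
        HttpURLConnection authenticated = openConnection(APPS_URL);
        authenticated.setRequestProperty(this.delegationTokenHeader, token);
        setupConn(authenticated, "POST", "application/xml", appXml);
        try {
            authenticated.getInputStream();
        } catch (IOException e) {
            String errorBody = readBody(authenticated.getErrorStream());
            Assert.fail("Response " + authenticated.getResponseCode() + "; " + errorBody);
        }

        ApplicationId appId = ApplicationId.fromString(TEST_APP_ID);
        Assert.assertTrue(this.rm.getRMContext().getRMApps().containsKey(appId));
        Assert.assertEquals("client", ((RMApp) this.rm.getRMContext().getRMApps().get(appId)).getUser());
    }

    /**
     * A token that has been cancelled must no longer authenticate a request (403).
     * The failure message speaks of "expired" tokens; the token used here is cancelled.
     */
    @Test
    public void testCancelledDelegationToken() throws Exception {
        String token = getDelegationToken("client");
        cancelDelegationToken(token);

        ApplicationSubmissionContextInfo app = new ApplicationSubmissionContextInfo();
        app.setApplicationId(TEST_APP_ID);
        String appXml = getMarshalledAppInfo(app);

        HttpURLConnection conn = openConnection(APPS_URL);
        conn.setRequestProperty(this.delegationTokenHeader, token);
        setupConn(conn, "POST", "application/xml", appXml);
        assertRejected(conn, ClientResponse.Status.FORBIDDEN,
                "Authentication should fail with expired delegation tokens");
    }

    /**
     * A caller authenticated only by a delegation token must not be able to create, renew or
     * cancel delegation tokens; each attempt is expected to end in 403.
     */
    @Test
    public void testDelegationTokenOps() throws Exception {
        String token = getDelegationToken("client");
        String createBody = "{\"renewer\":\"test\"}";
        String renewBody = "{\"token\": \"" + token + "\"}";

        for (String body : new String[] {createBody, renewBody}) {
            HttpURLConnection conn = openConnection(DELEGATION_TOKEN_URL);
            conn.setRequestProperty(this.delegationTokenHeader, token);
            setupConn(conn, "POST", "application/json", body);
            assertRejected(conn, ClientResponse.Status.FORBIDDEN,
                    "Creation/Renewing delegation tokens should not be allowed with token auth");
        }

        HttpURLConnection cancel = openConnection(DELEGATION_TOKEN_URL);
        cancel.setRequestProperty(this.delegationTokenHeader, token);
        cancel.setRequestProperty(RM_DELEGATION_TOKEN_HEADER, token);
        setupConn(cancel, "DELETE", null, null);
        assertRejected(cancel, ClientResponse.Status.FORBIDDEN,
                "Cancelling delegation tokens should not be allowed with token auth");
    }

    /**
     * Checks the three impersonation cases for the {@code doAs} query parameter:
     * the Kerberos-authenticated proxy user {@code client} may obtain a token for
     * {@code client2}; the same request authenticated by a delegation token is refused (403);
     * and {@code client2}, which has no proxy-user grant, may not impersonate {@code client}.
     */
    @Test
    public void testDoAs() throws Exception {
        KerberosTestUtils.doAsClient(new Callable<Void>() {
            @Override
            public Void call() throws Exception {
                HttpURLConnection conn = openConnection(DELEGATION_TOKEN_URL + "?doAs=client2");
                setupConn(conn, "POST", "application/json", RENEWER_BODY);
                InputStream response = conn.getInputStream();
                Assert.assertEquals(ClientResponse.Status.OK.getStatusCode(), conn.getResponseCode());

                String encodedToken = "";
                String owner = "";
                BufferedReader reader = null;
                try {
                    reader = new BufferedReader(new InputStreamReader(response, "UTF8"));
                    for (String line = reader.readLine(); line != null; line = reader.readLine()) {
                        JSONObject json = new JSONObject(line);
                        if (json.has("token")) {
                            encodedToken = json.getString("token");
                        }
                        if (json.has("owner")) {
                            owner = json.getString("owner");
                        }
                    }
                } finally {
                    IOUtils.closeStream(reader);
                    IOUtils.closeStream(response);
                }

                // Both the reported owner and the owner inside the token must be the
                // impersonated user, not the proxy user that made the call.
                Assert.assertEquals("client2", owner);
                // NOTE(review): the decompiler emitted a raw Token here; the identifier type that
                // supplies getOwner() is not visible in this file, so confirm it and restore the
                // generic parameter when reconciling with the upstream source.
                Token token = new Token();
                token.decodeFromUrlString(encodedToken);
                Assert.assertEquals("client2", token.decodeIdentifier().getOwner().toString());
                return null;
            }
        });

        // Same impersonation request, but authenticated with a delegation token only.
        String token = getDelegationToken("client");
        HttpURLConnection tokenAuthed = openConnection(DELEGATION_TOKEN_URL + "?doAs=client2");
        tokenAuthed.setRequestProperty(this.delegationTokenHeader, token);
        setupConn(tokenAuthed, "POST", "application/json", RENEWER_BODY);
        assertRejected(tokenAuthed, ClientResponse.Status.FORBIDDEN,
                "Client should not be allowed to impersonate using delegation tokens");

        KerberosTestUtils.doAs("client2@EXAMPLE.COM", new Callable<Void>() {
            @Override
            public Void call() throws Exception {
                HttpURLConnection conn = openConnection(DELEGATION_TOKEN_URL + "?doAs=client");
                setupConn(conn, "POST", "application/json", RENEWER_BODY);
                assertRejected(conn, ClientResponse.Status.FORBIDDEN,
                        "Non superuser client should not be allowed to carry out doAs");
                return null;
            }
        });
    }

    /**
     * Requests a delegation token from the RM as the Kerberos client principal.
     *
     * <p>Reconstructed from the decompiler's instruction dump: the decompiled body could not
     * be recovered and only threw {@link UnsupportedOperationException}, which would have
     * failed every test that needs a token.
     *
     * @param renewer value sent as the {@code renewer} field of the request body
     * @return the URL-encoded token string from the response, or {@code null} if no response
     *     line carried a {@code token} field
     */
    private String getDelegationToken(final String renewer) throws Exception {
        return (String) KerberosTestUtils.doAsClient(new Callable<String>() {
            @Override
            public String call() throws Exception {
                String token = null;
                String body = "{\"renewer\":\"" + renewer + "\"}";
                HttpURLConnection conn = openConnection(DELEGATION_TOKEN_URL);
                setupConn(conn, "POST", "application/json", body);
                InputStream response = conn.getInputStream();
                Assert.assertEquals(ClientResponse.Status.OK.getStatusCode(), conn.getResponseCode());
                try (BufferedReader reader = new BufferedReader(new InputStreamReader(response, "UTF8"))) {
                    for (String line = reader.readLine(); line != null; line = reader.readLine()) {
                        JSONObject json = new JSONObject(line);
                        if (json.has("token")) {
                            token = json.getString("token");
                            break;
                        }
                    }
                } finally {
                    IOUtils.closeStream(response);
                }
                return token;
            }
        });
    }

    /**
     * Cancels a delegation token as the Kerberos client principal and expects a 200 response.
     *
     * @param token URL-encoded token to cancel, sent in the RM delegation-token header
     */
    private void cancelDelegationToken(final String token) throws Exception {
        KerberosTestUtils.doAsClient(new Callable<Void>() {
            @Override
            public Void call() throws Exception {
                HttpURLConnection conn = openConnection(DELEGATION_TOKEN_URL);
                conn.setRequestProperty(RM_DELEGATION_TOKEN_HEADER, token);
                setupConn(conn, "DELETE", null, null);
                try (InputStream response = conn.getInputStream()) {
                    Assert.assertEquals(ClientResponse.Status.OK.getStatusCode(), conn.getResponseCode());
                }
                return null;
            }
        });
    }

    /**
     * Marshals a submission context to XML with JAXB.
     *
     * @param appInfo the submission context to serialize
     * @return the XML document as a string
     */
    public static String getMarshalledAppInfo(ApplicationSubmissionContextInfo appInfo) throws Exception {
        StringWriter xml = new StringWriter();
        JAXBContext.newInstance(ApplicationSubmissionContextInfo.class).createMarshaller().marshal(appInfo, xml);
        return xml.toString();
    }

    /**
     * Prepares a connection and, when both a content type and a body are given, sends the body.
     *
     * <p>Writing the body opens the connection, so any request header (such as the
     * delegation-token header) has to be set by the caller before this method is invoked.
     *
     * @param conn connection to configure
     * @param method HTTP method
     * @param contentType media type of the body; when null or empty no Content-Type is set and
     *     no body is written
     * @param body request body; when null or empty nothing is written
     */
    public static void setupConn(HttpURLConnection conn, String method, String contentType, String body) throws Exception {
        conn.setRequestMethod(method);
        conn.setDoOutput(true);
        conn.setRequestProperty("Accept-Charset", "UTF8");
        if (contentType == null || contentType.isEmpty()) {
            return;
        }
        conn.setRequestProperty("Content-Type", contentType + ";charset=UTF8");
        if (body == null || body.isEmpty()) {
            return;
        }
        // try-with-resources so the stream is released even when the write fails.
        try (OutputStream out = conn.getOutputStream()) {
            out.write(body.getBytes("UTF8"));
        }
    }

    /** Opens (without connecting) an HTTP connection to the given URL. */
    private static HttpURLConnection openConnection(String url) throws IOException {
        return (HttpURLConnection) new URL(url).openConnection();
    }

    /**
     * Asserts that the request fails and that the server answered with the expected status.
     * The test fails with {@code message} if the request unexpectedly succeeds.
     */
    private static void assertRejected(HttpURLConnection conn, ClientResponse.Status expected, String message)
            throws IOException {
        try {
            conn.getInputStream();
        } catch (IOException rejected) {
            Assert.assertEquals(expected.getStatusCode(), conn.getResponseCode());
            return;
        }
        Assert.fail(message);
    }

    /**
     * Reads a response body, joining its lines without separators, and closes the stream.
     * Returns an empty string when the connection supplied no stream.
     */
    private static String readBody(InputStream stream) throws IOException {
        if (stream == null) {
            return "";
        }
        StringBuilder text = new StringBuilder();
        try (BufferedReader reader = new BufferedReader(new InputStreamReader(stream, "UTF8"))) {
            for (String line = reader.readLine(); line != null; line = reader.readLine()) {
                text.append(line);
            }
        }
        return text.toString();
    }
}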
