package org.apache.hadoop.hive.metastore;

import com.github.tomakehurst.wiremock.client.WireMock;
import com.github.tomakehurst.wiremock.junit.WireMockRule;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.io.File;
import java.lang.reflect.Field;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import java.util.UUID;
import java.util.concurrent.TimeUnit;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hive.metastore.annotation.MetastoreUnitTest;
import org.apache.hadoop.hive.metastore.api.Database;
import org.apache.hadoop.hive.metastore.conf.MetastoreConf;
import org.apache.hadoop.hive.metastore.security.HadoopThriftAuthBridge;
import org.apache.thrift.transport.TTransportException;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.ClassRule;
import org.junit.Test;
import org.junit.experimental.categories.Category;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

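/**
 * Exercises a metastore started in HTTP Thrift transport mode with JWT authentication.
 *
 * <p>A WireMock server stands in for the JWKS endpoint that publishes the verification keys.
 * Each test signs a token with one of the RSA keys under {@code src/test/resources/auth/jwt},
 * publishes it through the {@code HMS_JWT} environment variable and then tries to create a
 * database through {@link HiveMetaStoreClient}.
 *
 * <p>The key files contain signing (private) key material and are test fixtures only. The JWKS
 * URL is plain HTTP because it targets a local mock; a real deployment should serve the JWKS,
 * which is the trust anchor for every token, over an authenticated channel.
 */
@Category({MetastoreUnitTest.class})
public class TestRemoteHiveMetastoreWithHttpJwt {
    // Mutable replacement for the JDK's process-environment map, installed by makeEnvModifiable().
    private static Map<String, String> envMap;
    private static final String USER_1 = "HMS_TEST_USER_1";
    private static final String TEST_DB_NAME_PREFIX = "HMS_JWT_AUTH_DB";
    private static int port;
    // Snapshot of the real environment, taken at class-load time and restored before every test.
    private static final Map<String, String> DEFAULTS = new HashMap<>(System.getenv());
    private static String baseDir = System.getProperty("basedir");
    // RSA JWK used to sign the tokens of the valid and expired cases.
    private static final File jwtAuthorizedKeyFile = new File(baseDir, "src/test/resources/auth/jwt/jwt-authorized-key.json");
    // RSA JWK used to sign the token of the invalid case.
    // NOTE(review): presumably its public half is absent from the JWKS file below; confirm.
    private static final File jwtUnauthorizedKeyFile = new File(baseDir, "src/test/resources/auth/jwt/jwt-unauthorized-key.json");
    // Key set served by the mock JWKS endpoint.
    private static final File jwtVerificationJWKSFile = new File(baseDir, "src/test/resources/auth/jwt/jwt-verification-jwks.json");
    private static final Logger LOG = LoggerFactory.getLogger(TestRemoteHiveMetastoreWithHttpJwt.class);
    private static final int MOCK_JWKS_SERVER_PORT = 8089;

    @ClassRule
    public static final WireMockRule MOCK_JWKS_SERVER = new WireMockRule(MOCK_JWKS_SERVER_PORT);
    private static Configuration conf = null;

    /**
     * Swaps the JDK-internal unmodifiable environment map for a plain {@link HashMap} so that
     * tests can set {@code HMS_JWT} through {@code System.getenv()}.
     *
     * <p>This reaches into {@code java.lang.ProcessEnvironment} and {@code Field.modifiers}.
     * Both are JDK internals: newer JDKs hide {@code Field.modifiers} from reflection and guard
     * {@code java.lang} behind module encapsulation, so this is expected to work only on older
     * runtimes (or with the matching {@code --add-opens} flags). The original map is never
     * restored, so the change outlives this class within the same JVM.
     *
     * @throws Exception if the internal field cannot be found or written
     */
    @BeforeClass
    public static void makeEnvModifiable() throws Exception {
        envMap = new HashMap<>();
        removeStaticFinalAndSetValue(Class.forName("java.lang.ProcessEnvironment").getDeclaredField("theUnmodifiableEnvironment"), envMap);
    }

    /**
     * Clears the {@code final} modifier of a static field reflectively and assigns a new value.
     *
     * @param target the static field to overwrite
     * @param value the value to store in it
     * @throws Exception if reflection access is denied or the field cannot be written
     */
    private static void removeStaticFinalAndSetValue(Field target, Object value) throws Exception {
        target.setAccessible(true);
        Field modifiersField = Field.class.getDeclaredField("modifiers");
        modifiersField.setAccessible(true);
        // Same bit mask as the literal -17, spelled out so the intent is visible.
        modifiersField.setInt(target, target.getModifiers() & ~java.lang.reflect.Modifier.FINAL);
        target.set(null, value);
    }

    /**
     * Removes the token from the (patched) environment once all tests have run.
     *
     * <p>Despite its name this method stops no service and does not undo the environment patch.
     */
    @AfterClass
    public static void stopServices() throws Exception {
        System.getenv().remove("HMS_JWT");
    }

    /**
     * Builds the metastore configuration, registers the JWKS stub and starts the metastore with
     * HTTP transport and JWT authentication on both the server and the client side.
     */
    @BeforeClass
    public static void setUp() throws Exception {
        conf = MetastoreConf.newMetastoreConf();
        MetastoreConf.setBoolVar(conf, MetastoreConf.ConfVars.METRICS_ENABLED, true);
        conf.set("datanucleus.autoCreateTables", "false");
        conf.set("hive.in.test", "true");
        MetastoreConf.setVar(conf, MetastoreConf.ConfVars.METASTORE_METADATA_TRANSFORMER_CLASS, " ");
        MetaStoreTestUtils.setConfForStandloneMode(conf);
        MetastoreConf.setLongVar(conf, MetastoreConf.ConfVars.BATCH_RETRIEVE_MAX, 2L);
        MetastoreConf.setLongVar(conf, MetastoreConf.ConfVars.LIMIT_PARTITION_REQUEST, 100L);
        MetastoreConf.setVar(conf, MetastoreConf.ConfVars.STORAGE_SCHEMA_READER_IMPL, "no.such.class");
        // The JWKS URL must be in the configuration before the server starts.
        setupMockServer();
        MetastoreConf.setBoolVar(conf, MetastoreConf.ConfVars.EXECUTE_SET_UGI, false);
        MetastoreConf.setVar(conf, MetastoreConf.ConfVars.THRIFT_TRANSPORT_MODE, "http");
        MetastoreConf.setVar(conf, MetastoreConf.ConfVars.METASTORE_CLIENT_THRIFT_TRANSPORT_MODE, "http");
        MetastoreConf.setVar(conf, MetastoreConf.ConfVars.METASTORE_CLIENT_AUTH_MODE, "JWT");
        MetastoreConf.setVar(conf, MetastoreConf.ConfVars.THRIFT_METASTORE_AUTHENTICATION, "JWT");
        startMetastoreServer();
    }

    /** Starts the metastore and records the port it bound to as the client's Thrift URI. */
    private static void startMetastoreServer() throws Exception {
        port = MetaStoreTestUtils.startMetaStoreWithRetry(HadoopThriftAuthBridge.getBridge(), conf);
        MetastoreConf.setVar(conf, MetastoreConf.ConfVars.THRIFT_URIS, "thrift://localhost:" + port);
        System.out.println("Starting MetaStore Server on port " + port);
    }

    /** Resets the patched environment to the snapshot so no token leaks from one test to the next. */
    @Before
    public void initEnvMap() {
        envMap.clear();
        envMap.putAll(DEFAULTS);
    }

    /**
     * Stubs {@code GET /jwks} on the mock server with the verification key set and points the
     * metastore at it.
     */
    private static void setupMockServer() throws Exception {
        byte[] jwksBody = Files.readAllBytes(jwtVerificationJWKSFile.toPath());
        MOCK_JWKS_SERVER.stubFor(WireMock.get("/jwks").willReturn(WireMock.ok().withBody(jwksBody)));
        // Derived from the port constant so the URL cannot drift from the port the mock listens on.
        MetastoreConf.setVar(conf, MetastoreConf.ConfVars.THRIFT_METASTORE_AUTHENTICATION_JWT_JWKS_URL,
            "http://localhost:" + MOCK_JWKS_SERVER_PORT + "/jwks");
    }

    /**
     * A token signed with the authorized key and valid for five minutes must allow a database
     * to be created and read back.
     */
    @Test
    public void testValidJWT() throws Exception {
        // NOTE(review): the client presumably reads the bearer token from HMS_JWT; confirm.
        System.getenv().put("HMS_JWT", generateJWT(USER_1, jwtAuthorizedKeyFile.toPath(), TimeUnit.MINUTES.toMillis(5L)));
        String dbName = ("valid_jwt_HMS_JWT_AUTH_DB_" + UUID.randomUUID()).toLowerCase();
        HiveMetaStoreClient client = new HiveMetaStoreClient(conf);
        try {
            Database database = new Database();
            database.setName(dbName);
            client.createDatabase(database);
            Assert.assertEquals(dbName, client.getDatabase(dbName).getName());
        } finally {
            // Best-effort cleanup: a failed drop must not mask the test's own outcome.
            try {
                client.dropDatabase(dbName);
            } catch (Exception e) {
                LOG.warn("Failed to drop database: " + dbName + ". Error message: " + e);
            }
            closeQuietly(client);
        }
    }

    /**
     * A token signed with the authorized key but with a two-millisecond lifetime must be rejected.
     *
     * <p>NOTE(review): the lifetime and the pause before the request are both 2 ms, so the margin
     * is thin; whether the token is reliably seen as expired depends on how the server rounds the
     * expiry and on any clock-skew tolerance in its verifier. Confirm against the verifier.
     *
     * <p>{@code expected = TTransportException.class} is a coarse check: any transport failure
     * satisfies it, not only an authentication rejection.
     */
    @Test(expected = TTransportException.class)
    public void testExpiredJWT() throws Exception {
        System.getenv().put("HMS_JWT", generateJWT(USER_1, jwtAuthorizedKeyFile.toPath(), TimeUnit.MILLISECONDS.toMillis(2L)));
        String dbName = ("expired_jwt_HMS_JWT_AUTH_DB_" + UUID.randomUUID()).toLowerCase();
        createDatabaseAfterShortPause(dbName);
    }

    /**
     * A well-formed, unexpired token signed with the unauthorized key must be rejected.
     *
     * <p>{@code expected = TTransportException.class} is a coarse check: any transport failure
     * satisfies it, not only a signature-verification failure.
     */
    @Test(expected = TTransportException.class)
    public void testInvalidJWT() throws Exception {
        System.getenv().put("HMS_JWT", generateJWT(USER_1, jwtUnauthorizedKeyFile.toPath(), TimeUnit.MINUTES.toMillis(2L)));
        String dbName = ("invalid_jwt_HMS_JWT_AUTH_DB_" + UUID.randomUUID()).toLowerCase();
        createDatabaseAfterShortPause(dbName);
    }

    /**
     * Opens a client, waits two milliseconds and attempts to create the named database.
     *
     * <p>The client is always closed. Any failure, including an interruption of the pause,
     * propagates to the caller so that the test reports the real cause instead of a bare
     * "expected exception" failure.
     *
     * @param dbName name of the database to create
     * @throws Exception whatever the client or the pause throws
     */
    private static void createDatabaseAfterShortPause(String dbName) throws Exception {
        HiveMetaStoreClient client = new HiveMetaStoreClient(conf);
        try {
            Thread.sleep(TimeUnit.MILLISECONDS.toMillis(2L));
            Database database = new Database();
            database.setName(dbName);
            client.createDatabase(database);
        } finally {
            closeQuietly(client);
        }
    }

    /** Closes the client, logging (with the cause) rather than throwing if the close fails. */
    private static void closeQuietly(HiveMetaStoreClient client) {
        try {
            client.close();
        } catch (Exception e) {
            LOG.error("Failed to close metastore client", e);
        }
    }

    /**
     * Builds and signs an RS256 JWT.
     *
     * @param subject value of the {@code sub} claim
     * @param keyFile path to a JSON-encoded RSA JWK holding the signing key
     * @param lifetimeMillis lifetime added to the issue time to obtain the expiry
     * @return the compact serialization of the signed token
     * @throws Exception if the key cannot be read or parsed, or signing fails
     */
    private String generateJWT(String subject, Path keyFile, long lifetimeMillis) throws Exception {
        RSAKey signingKey = RSAKey.parse(new String(Files.readAllBytes(keyFile), StandardCharsets.UTF_8));
        RSASSASigner signer = new RSASSASigner(signingKey);
        // The key id in the header is what lets a verifier pick the matching key from a key set.
        JWSHeader header = new JWSHeader.Builder(JWSAlgorithm.RS256).keyID(signingKey.getKeyID()).build();
        Date issuedAt = new Date();
        Date expiresAt = new Date(issuedAt.getTime() + lifetimeMillis);
        JWTClaimsSet claims = new JWTClaimsSet.Builder()
            .jwtID(UUID.randomUUID().toString())
            .issueTime(issuedAt)
            .issuer("auth-server")
            .subject(subject)
            .expirationTime(expiresAt)
            .claim("custom-claim-or-payload", "custom-claim-or-payload")
            .build();
        SignedJWT token = new SignedJWT(header, claims);
        token.sign(signer);
        return token.serialize();
    }
}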
