package org.apache.impala.customcluster;

import com.google.common.collect.ImmutableMap;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.apache.directory.server.core.annotations.ApplyLdifFiles;
import org.apache.directory.server.core.annotations.CreateDS;
import org.apache.directory.server.core.annotations.CreatePartition;
import org.apache.impala.testutil.LdapUtil;
import org.junit.Assert;
import org.junit.Assume;
import org.junit.Test;

@CreateDS(name = "myDS", partitions = {@CreatePartition(name = "test", suffix = "dc=myorg,dc=com")})
@ApplyLdifFiles({"users.ldif"})
/* loaded from: input_file:org/apache/impala/customcluster/LdapKerberosImpalaShellTest.class */
public class LdapKerberosImpalaShellTest extends LdapKerberosImpalaShellTestBase {
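    /**
     * Starts the cluster with Kerberos authentication, LDAP search bind and custom LDAP filters,
     * leaving {@code enable_group_filter_check_for_authenticated_kerberos_user} unset, and expects
     * the Kerberos principal {@code "user"} to connect through impala-shell.
     *
     * <p>This is the baseline for
     * {@link #testShellKerberosAuthWithCustomLdapFiltersAndSearchBindGroupFilterCheck()}, where the
     * same principal is expected to be rejected once the group filter check is switched on.
     *
     * @throws Exception if the cluster cannot be started or a shell invocation fails unexpectedly
     */
    @Test
    public void testShellKerberosAuthWithCustomLdapFiltersAndSearchBindNoGroupFilterCheck() throws Exception {
        // JUnit's contract is (expected, actual); the expected status 0 goes first so that a
        // failure report names the status that startImpalaCluster actually returned.
        Assert.assertEquals(
                "startImpalaCluster returned a non-zero status",
                0L,
                startImpalaCluster(flagsToArgs(mergeFlags(
                        kerberosKdcEnvironment.getKerberosAuthFlags(),
                        getLdapSearchBindFlags(),
                        ImmutableMap.of("allow_custom_ldap_filters_with_kerberos_auth", "true"),
                        getCustomLdapFilterFlags()))));

        // Without the group filter check, the Kerberos-authenticated principal is expected to
        // connect even though the custom LDAP filters are configured.
        testShellKerberosAuthWithUser(kerberosKdcEnvironment, "user", true);
    }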

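    /**
     * Starts the cluster with Kerberos authentication, LDAP search bind, custom LDAP filters and
     * {@code enable_group_filter_check_for_authenticated_kerberos_user=true}, then checks which
     * Kerberos principals may connect through impala-shell.
     *
     * <p>Expected outcome: {@code LdapUtil.TEST_USER_1} connects; {@code LdapUtil.TEST_USER_2},
     * {@code LdapUtil.TEST_USER_3} and {@code "user"} are rejected. The filter values come from
     * {@code getCustomLdapFilterFlags()}, which is defined outside this file.
     *
     * @throws Exception if the cluster cannot be started or a shell invocation fails unexpectedly
     */
    @Test
    public void testShellKerberosAuthWithCustomLdapFiltersAndSearchBindGroupFilterCheck() throws Exception {
        // JUnit's contract is (expected, actual); the expected status 0 goes first so that a
        // failure report names the status that startImpalaCluster actually returned.
        Assert.assertEquals(
                "startImpalaCluster returned a non-zero status",
                0L,
                startImpalaCluster(flagsToArgs(mergeFlags(
                        kerberosKdcEnvironment.getKerberosAuthFlags(),
                        getLdapSearchBindFlags(),
                        ImmutableMap.of("allow_custom_ldap_filters_with_kerberos_auth", "true"),
                        getCustomLdapFilterFlags(),
                        ImmutableMap.of("enable_group_filter_check_for_authenticated_kerberos_user", "true")))));

        // Positive case first, then the principals that must be refused. The negative cases are
        // the security-relevant ones: a valid Kerberos ticket alone must not be sufficient.
        testShellKerberosAuthWithUser(kerberosKdcEnvironment, LdapUtil.TEST_USER_1, true);
        testShellKerberosAuthWithUser(kerberosKdcEnvironment, LdapUtil.TEST_USER_2, false);
        testShellKerberosAuthWithUser(kerberosKdcEnvironment, LdapUtil.TEST_USER_3, false);
        testShellKerberosAuthWithUser(kerberosKdcEnvironment, "user", false);
    }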

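    /**
     * Checks {@code doAs} impersonation over the HTTP path when the cluster uses Kerberos
     * authentication together with LDAP search bind, and {@code authorized_proxy_user_config}
     * allows only {@code LdapUtil.TEST_USER_1} to delegate to {@code proxyUser$}.
     *
     * <p>Expected outcome: a principal that is not a configured proxy user is refused, the proxy
     * user is refused for a delegate it was not granted, a lone {@code %} as the {@code doAs}
     * value fails to connect, and the granted pair succeeds.
     *
     * <p>The test is skipped when {@code pythonSupportsSSLContext()} is false.
     *
     * @throws Exception if the cluster cannot be started or a shell invocation fails unexpectedly
     */
    @Test
    public void testHttpImpersonationWithKerberosAuthAndLdapSearchBind() throws Exception {
        Assume.assumeTrue(pythonSupportsSSLContext());

        // Test-only LDAP settings: plain ldap:// to the server provided by serverRule, with
        // ldap_passwords_in_clear_ok enabled and the bind password supplied through an echo
        // command. These choices are only acceptable for a local fixture.
        //
        // The explicit <String, String> witness is required: a bare ImmutableMap.builder() in a
        // call chain infers <Object, Object>, which does not fit the String-keyed flag maps that
        // the other arguments of mergeFlags use. Passing the int port directly relies on
        // autoboxing, which is what the explicit Integer.valueOf call did.
        Assert.assertEquals(
                "startImpalaCluster returned a non-zero status",
                0L,
                startImpalaCluster(flagsToArgs(mergeFlags(
                        kerberosKdcEnvironment.getKerberosAuthFlags(),
                        ImmutableMap.<String, String>builder()
                                .put("enable_ldap_auth", "true")
                                .put("ldap_uri", String.format("ldap://localhost:%s", serverRule.getLdapServer().getPort()))
                                .put("ldap_passwords_in_clear_ok", "true")
                                .put("ldap_user_search_basedn", "dc=myorg,dc=com")
                                .put("ldap_user_filter", "(cn={0})")
                                .put("ldap_search_bind_authentication", "true")
                                .put("ldap_bind_dn", LdapUtil.TEST_USER_DN_1)
                                .put("ldap_bind_password_cmd", String.format("'echo -n %s'", LdapUtil.TEST_PASSWORD_1))
                                .put("allow_custom_ldap_filters_with_kerberos_auth", "true")
                                .build(),
                        ImmutableMap.of("authorized_proxy_user_config", String.format("%s=%s", LdapUtil.TEST_USER_1, "proxyUser$"))))));

        // NOTE(review): the argument roles of testShellKerberosAuthWithUserWithHttpPath (user,
        // HTTP path, expect-success flag, expected output, expected error) are inferred from
        // these call sites; the helper is defined outside this file.

        // TEST_USER_2 has no proxy entry, so delegation must be refused.
        testShellKerberosAuthWithUserWithHttpPath(kerberosKdcEnvironment, LdapUtil.TEST_USER_2, "/?doAs=proxyUser$", false, "",
                String.format("User '%s' is not authorized to delegate to '%s'", kerberosKdcEnvironment.getUserPrincipal(LdapUtil.TEST_USER_2), "proxyUser$"));
        // TEST_USER_1 is a proxy user, but not for this delegate.
        testShellKerberosAuthWithUserWithHttpPath(kerberosKdcEnvironment, LdapUtil.TEST_USER_1, "/?doAs=invalid-delegate-user", false, "",
                String.format("User '%s' is not authorized to delegate to '%s'", kerberosKdcEnvironment.getUserPrincipal(LdapUtil.TEST_USER_1), "invalid-delegate-user"));
        // A lone '%' is not valid percent-encoding; the connection is expected to fail.
        testShellKerberosAuthWithUserWithHttpPath(kerberosKdcEnvironment, LdapUtil.TEST_USER_1, "/?doAs=%", false, "", "Not connected to Impala");
        // The one delegation that the proxy configuration grants.
        testShellKerberosAuthWithUserWithHttpPath(kerberosKdcEnvironment, LdapUtil.TEST_USER_1, "/?doAs=proxyUser$", true, "proxyUser$", "");
        // The proxy user can still connect as itself.
        testShellKerberosAuthWithUser(kerberosKdcEnvironment, LdapUtil.TEST_USER_1, true);
    }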

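    /**
     * Checks that a wildcard proxy grant ({@code authorized_proxy_user_config} set to
     * {@code <TEST_USER_1>=*}) does not let the proxy user impersonate arbitrary names when custom
     * LDAP filters are configured with Kerberos authentication and LDAP search bind.
     *
     * <p>Expected outcome: {@code doAs} for {@code proxyUser$}, {@code Test2Ldap} and
     * {@code Test3Ldap} is refused with "User is not authorized.", while {@code Test7Ldap}
     * succeeds. The filter values come from {@code getCustomLdapFilterFlags()}, which is defined
     * outside this file.
     *
     * <p>The test is skipped when {@code pythonSupportsSSLContext()} is false.
     *
     * @throws Exception if the cluster cannot be started or a shell invocation fails unexpectedly
     */
    @Test
    public void testHttpImpersonationWithKerberosAuthAndLdapSearchBindWithGroupFilters() throws Exception {
        Assume.assumeTrue(pythonSupportsSSLContext());

        // JUnit's contract is (expected, actual); the expected status 0 goes first so that a
        // failure report names the status that startImpalaCluster actually returned.
        Assert.assertEquals(
                "startImpalaCluster returned a non-zero status",
                0L,
                startImpalaCluster(flagsToArgs(mergeFlags(
                        kerberosKdcEnvironment.getKerberosAuthFlags(),
                        getLdapSearchBindFlags(),
                        ImmutableMap.of("allow_custom_ldap_filters_with_kerberos_auth", "true"),
                        getCustomLdapFilterFlags(),
                        ImmutableMap.of("authorized_proxy_user_config", String.format("%s=*", LdapUtil.TEST_USER_1))))));

        // NOTE(review): the argument roles of testShellKerberosAuthWithUserWithHttpPath (user,
        // HTTP path, expect-success flag, expected output, expected error) are inferred from
        // these call sites; the helper is defined outside this file.

        // Despite the "*" grant, these delegates must be refused; presumably the custom
        // user/group filters exclude them - confirm against getCustomLdapFilterFlags().
        testShellKerberosAuthWithUserWithHttpPath(kerberosKdcEnvironment, LdapUtil.TEST_USER_1, "/?doAs=proxyUser$", false, "", "User is not authorized.");
        testShellKerberosAuthWithUserWithHttpPath(kerberosKdcEnvironment, LdapUtil.TEST_USER_1, "/?doAs=Test2Ldap", false, "", "User is not authorized.");
        testShellKerberosAuthWithUserWithHttpPath(kerberosKdcEnvironment, LdapUtil.TEST_USER_1, "/?doAs=Test3Ldap", false, "", "User is not authorized.");
        // The one delegate expected to pass.
        testShellKerberosAuthWithUserWithHttpPath(kerberosKdcEnvironment, LdapUtil.TEST_USER_1, "/?doAs=Test7Ldap", true, LdapUtil.TEST_USER_7, "");
        // The proxy user can still connect as itself.
        testShellKerberosAuthWithUser(kerberosKdcEnvironment, LdapUtil.TEST_USER_1, true);
    }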

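    /**
     * Checks how LDAP user and group filters apply to {@code doAs} delegates when the proxy user
     * ({@code LdapUtil.TEST_USER_4}) holds a wildcard grant, under Kerberos authentication with
     * LDAP search bind.
     *
     * <p>The user filter matches {@code person} entries by {@code cn} and explicitly excludes
     * {@code LdapUtil.TEST_USER_2}; the group filter requires membership of {@code group1}.
     * Expected outcome: delegation to {@code Test1Ldap} succeeds; delegation to
     * {@code Test3Ldap}, {@code Test2Ldap} and {@code Test4Ldap} fails to connect; and the proxy
     * user connecting without {@code doAs} is also expected to fail.
     *
     * @throws Exception if the cluster cannot be started or a shell invocation fails unexpectedly
     */
    @Test
    public void testLdapFiltersWithProxyWithKerberosAuthAndLdapSearchBind() throws Exception {
        // NOTE(review): the other doAs tests in this class guard on pythonSupportsSSLContext();
        // this one does not - confirm that is intended.

        // JUnit's contract is (expected, actual); the expected status 0 goes first so that a
        // failure report names the status that startImpalaCluster actually returned.
        Assert.assertEquals(
                "startImpalaCluster returned a non-zero status",
                0L,
                startImpalaCluster(flagsToArgs(mergeFlags(
                        kerberosKdcEnvironment.getKerberosAuthFlags(),
                        getLdapSearchBindFlags(),
                        ImmutableMap.of("allow_custom_ldap_filters_with_kerberos_auth", "true"),
                        ImmutableMap.of(
                                "ldap_user_filter", String.format("(&(objectClass=person)(cn={0})(!(cn=%s)))", LdapUtil.TEST_USER_2),
                                "ldap_group_filter", "(&(cn=group1)(uniqueMember={0}))"),
                        ImmutableMap.of("authorized_proxy_user_config", String.format("%s=*", LdapUtil.TEST_USER_4))))));

        // NOTE(review): the argument roles of testShellKerberosAuthWithUserWithHttpPath (user,
        // HTTP path, expect-success flag, expected output, expected error) are inferred from
        // these call sites; the helper is defined outside this file.

        // Delegate expected to satisfy both filters.
        testShellKerberosAuthWithUserWithHttpPath(kerberosKdcEnvironment, LdapUtil.TEST_USER_4, "/?doAs=Test1Ldap", true, LdapUtil.TEST_USER_1, "");
        // Delegates expected to be filtered out despite the "*" proxy grant.
        testShellKerberosAuthWithUserWithHttpPath(kerberosKdcEnvironment, LdapUtil.TEST_USER_4, "/?doAs=Test3Ldap", false, "", "Not connected to Impala");
        testShellKerberosAuthWithUserWithHttpPath(kerberosKdcEnvironment, LdapUtil.TEST_USER_4, "/?doAs=Test2Ldap", false, "", "Not connected to Impala");
        testShellKerberosAuthWithUserWithHttpPath(kerberosKdcEnvironment, LdapUtil.TEST_USER_4, "/?doAs=Test4Ldap", false, "", "Not connected to Impala");
        // No doAs at all: the proxy user on its own is expected to be refused as well.
        testShellKerberosAuthWithUserWithHttpPath(kerberosKdcEnvironment, LdapUtil.TEST_USER_4, "/", false, "", "");
    }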

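    /**
     * Checks {@code doAs} impersonation over the HTTP path when the cluster uses Kerberos
     * authentication together with LDAP simple bind ({@code ldap_bind_pattern}), and
     * {@code authorized_proxy_user_config} allows only {@code LdapUtil.TEST_USER_1} to delegate to
     * {@code proxyUser$}.
     *
     * <p>Expected outcome: a principal that is not a configured proxy user is refused, the proxy
     * user is refused for a delegate it was not granted, a lone {@code %} as the {@code doAs}
     * value fails to connect, and the granted pair succeeds.
     *
     * <p>The test is skipped when {@code pythonSupportsSSLContext()} is false.
     *
     * @throws Exception if the cluster cannot be started or a shell invocation fails unexpectedly
     */
    @Test
    public void testHttpImpersonationWithKerberosAuthAndLdapSimpleBind() throws Exception {
        Assume.assumeTrue(pythonSupportsSSLContext());

        // Test-only LDAP settings: plain ldap:// to the server provided by serverRule with
        // ldap_passwords_in_clear_ok enabled. Only acceptable for a local fixture.
        // Passing the int port directly relies on autoboxing, which is what the explicit
        // Integer.valueOf call did.
        Assert.assertEquals(
                "startImpalaCluster returned a non-zero status",
                0L,
                startImpalaCluster(flagsToArgs(mergeFlags(
                        kerberosKdcEnvironment.getKerberosAuthFlags(),
                        ImmutableMap.of(
                                "enable_ldap_auth", "true",
                                "ldap_uri", String.format("ldap://localhost:%s", serverRule.getLdapServer().getPort()),
                                "ldap_passwords_in_clear_ok", "true",
                                "ldap_bind_pattern", "'cn=#UID,ou=Users,dc=myorg,dc=com'"),
                        ImmutableMap.of("authorized_proxy_user_config", String.format("%s=%s", LdapUtil.TEST_USER_1, "proxyUser$"))))));

        // NOTE(review): the argument roles of testShellKerberosAuthWithUserWithHttpPath (user,
        // HTTP path, expect-success flag, expected output, expected error) are inferred from
        // these call sites; the helper is defined outside this file.

        // TEST_USER_2 has no proxy entry, so delegation must be refused.
        testShellKerberosAuthWithUserWithHttpPath(kerberosKdcEnvironment, LdapUtil.TEST_USER_2, "/?doAs=proxyUser$", false, "",
                String.format("User '%s' is not authorized to delegate to '%s'", kerberosKdcEnvironment.getUserPrincipal(LdapUtil.TEST_USER_2), "proxyUser$"));
        // TEST_USER_1 is a proxy user, but not for this delegate.
        testShellKerberosAuthWithUserWithHttpPath(kerberosKdcEnvironment, LdapUtil.TEST_USER_1, "/?doAs=invalid-delegate-user", false, "",
                String.format("User '%s' is not authorized to delegate to '%s'", kerberosKdcEnvironment.getUserPrincipal(LdapUtil.TEST_USER_1), "invalid-delegate-user"));
        // A lone '%' is not valid percent-encoding; the connection is expected to fail.
        testShellKerberosAuthWithUserWithHttpPath(kerberosKdcEnvironment, LdapUtil.TEST_USER_1, "/?doAs=%", false, "", "Not connected to Impala");
        // The one delegation that the proxy configuration grants.
        testShellKerberosAuthWithUserWithHttpPath(kerberosKdcEnvironment, LdapUtil.TEST_USER_1, "/?doAs=proxyUser$", true, "proxyUser$", "");
        // The proxy user can still connect as itself.
        testShellKerberosAuthWithUser(kerberosKdcEnvironment, LdapUtil.TEST_USER_1, true);
    }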

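    /**
     * Starts the cluster with Kerberos authentication, LDAP simple bind and the custom
     * simple-bind filter lists, leaving
     * {@code enable_group_filter_check_for_authenticated_kerberos_user} unset, and expects the
     * Kerberos principal {@code "user"} to connect through impala-shell.
     *
     * <p>This is the baseline for
     * {@link #testShellKerberosAuthWithCustomLdapFiltersAndSimpleBindGroupFilterCheck()}, where the
     * same principal is expected to be rejected once the group filter check is switched on.
     *
     * @throws Exception if the cluster cannot be started or a shell invocation fails unexpectedly
     */
    @Test
    public void testShellKerberosAuthWithCustomLdapFiltersAndSimpleBindNoGroupFilterCheck() throws Exception {
        // JUnit's contract is (expected, actual); the expected status 0 goes first so that a
        // failure report names the status that startImpalaCluster actually returned.
        Assert.assertEquals(
                "startImpalaCluster returned a non-zero status",
                0L,
                startImpalaCluster(flagsToArgs(mergeFlags(
                        kerberosKdcEnvironment.getKerberosAuthFlags(),
                        getLdapSimpleBindFlags(),
                        ImmutableMap.of("allow_custom_ldap_filters_with_kerberos_auth", "true"),
                        getCustomLdapSimpleBindSearchFilterFlags()))));

        // "user" appears in neither filter list, yet is expected to connect because the group
        // filter check for Kerberos-authenticated users is not enabled in this configuration.
        testShellKerberosAuthWithUser(kerberosKdcEnvironment, "user", true);
    }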

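    /**
     * Starts the cluster with Kerberos authentication, LDAP simple bind, the custom simple-bind
     * filter lists and {@code enable_group_filter_check_for_authenticated_kerberos_user=true},
     * then checks which Kerberos principals may connect through impala-shell.
     *
     * <p>Expected outcome: {@code LdapUtil.TEST_USER_1} connects; {@code LdapUtil.TEST_USER_2},
     * {@code LdapUtil.TEST_USER_3} and {@code "user"} are rejected.
     *
     * @throws Exception if the cluster cannot be started or a shell invocation fails unexpectedly
     */
    @Test
    public void testShellKerberosAuthWithCustomLdapFiltersAndSimpleBindGroupFilterCheck() throws Exception {
        // JUnit's contract is (expected, actual); the expected status 0 goes first so that a
        // failure report names the status that startImpalaCluster actually returned.
        Assert.assertEquals(
                "startImpalaCluster returned a non-zero status",
                0L,
                startImpalaCluster(flagsToArgs(mergeFlags(
                        kerberosKdcEnvironment.getKerberosAuthFlags(),
                        getLdapSimpleBindFlags(),
                        ImmutableMap.of("allow_custom_ldap_filters_with_kerberos_auth", "true"),
                        getCustomLdapSimpleBindSearchFilterFlags(),
                        ImmutableMap.of("enable_group_filter_check_for_authenticated_kerberos_user", "true")))));

        // Positive case first, then the principals that must be refused. TEST_USER_3 is listed in
        // ldap_user_filter but is still expected to fail, presumably on the group filter - confirm
        // against the group membership in the LDIF fixture.
        testShellKerberosAuthWithUser(kerberosKdcEnvironment, LdapUtil.TEST_USER_1, true);
        testShellKerberosAuthWithUser(kerberosKdcEnvironment, LdapUtil.TEST_USER_2, false);
        testShellKerberosAuthWithUser(kerberosKdcEnvironment, LdapUtil.TEST_USER_3, false);
        testShellKerberosAuthWithUser(kerberosKdcEnvironment, "user", false);
    }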

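    /**
     * Checks how the simple-bind user and group filter lists apply to {@code doAs} delegates when
     * the proxy user ({@code LdapUtil.TEST_USER_4}) holds a wildcard grant, under Kerberos
     * authentication with LDAP simple bind.
     *
     * <p>Expected outcome: delegation to {@code Test1Ldap} succeeds; delegation to
     * {@code Test3Ldap}, {@code Test2Ldap} and {@code Test4Ldap} fails to connect; and the proxy
     * user connecting without {@code doAs} is also expected to fail.
     *
     * @throws Exception if the cluster cannot be started or a shell invocation fails unexpectedly
     */
    @Test
    public void testLdapFiltersWithProxyWithKerberosAuthAndLdapSimpleBind() throws Exception {
        // NOTE(review): the other doAs tests in this class guard on pythonSupportsSSLContext();
        // this one does not - confirm that is intended.

        // JUnit's contract is (expected, actual); the expected status 0 goes first so that a
        // failure report names the status that startImpalaCluster actually returned.
        Assert.assertEquals(
                "startImpalaCluster returned a non-zero status",
                0L,
                startImpalaCluster(flagsToArgs(mergeFlags(
                        kerberosKdcEnvironment.getKerberosAuthFlags(),
                        getLdapSimpleBindFlags(),
                        ImmutableMap.of("allow_custom_ldap_filters_with_kerberos_auth", "true"),
                        getCustomLdapSimpleBindSearchFilterFlags(),
                        ImmutableMap.of("authorized_proxy_user_config", String.format("%s=*", LdapUtil.TEST_USER_4))))));

        // NOTE(review): the argument roles of testShellKerberosAuthWithUserWithHttpPath (user,
        // HTTP path, expect-success flag, expected output, expected error) are inferred from
        // these call sites; the helper is defined outside this file.

        // Delegate expected to pass the filter lists.
        testShellKerberosAuthWithUserWithHttpPath(kerberosKdcEnvironment, LdapUtil.TEST_USER_4, "/?doAs=Test1Ldap", true, LdapUtil.TEST_USER_1, "");
        // Delegates expected to be filtered out despite the "*" proxy grant.
        testShellKerberosAuthWithUserWithHttpPath(kerberosKdcEnvironment, LdapUtil.TEST_USER_4, "/?doAs=Test3Ldap", false, "", "Not connected to Impala");
        testShellKerberosAuthWithUserWithHttpPath(kerberosKdcEnvironment, LdapUtil.TEST_USER_4, "/?doAs=Test2Ldap", false, "", "Not connected to Impala");
        testShellKerberosAuthWithUserWithHttpPath(kerberosKdcEnvironment, LdapUtil.TEST_USER_4, "/?doAs=Test4Ldap", false, "", "Not connected to Impala");
        // No doAs at all: the proxy user on its own is expected to be refused as well.
        testShellKerberosAuthWithUserWithHttpPath(kerberosKdcEnvironment, LdapUtil.TEST_USER_4, "/", false, "", "");
    }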

    /**
     * Runs {@code select logged_in_user()} through impala-shell with {@code --kerberos} once per
     * protocol, using a credentials cache created for the given user.
     *
     * <p>The protocols are {@code beeswax} and {@code hs2}, plus {@code hs2-http} when
     * {@code pythonSupportsSSLContext()} returns true.
     *
     * @param kerberosKdcEnvironment KDC environment used to create the principal and credentials
     *     cache and to build the shell environment
     * @param str user name for which the principal and credentials cache are created
     * @param z whether the connection is expected to succeed; when true the user's principal and
     *     the Kerberos start-up banner are passed as the expected strings, otherwise an empty
     *     string and "Not connected to Impala"
     * @throws Exception propagated from the KDC environment or from {@code RunShellCommand.Run}
     */
    protected void testShellKerberosAuthWithUser(KerberosKdcEnvironment kerberosKdcEnvironment, String str, boolean z) throws Exception {
        List<String> protocols = pythonSupportsSSLContext()
                ? Arrays.asList("beeswax", "hs2", "hs2-http")
                : Arrays.asList("beeswax", "hs2");
        String credentialsCache = kerberosKdcEnvironment.createUserPrincipalAndCredentialsCache(str);
        for (String protocol : protocols) {
            String[] command = {
                "impala-shell.sh",
                String.format("--protocol=%s", protocol),
                "--kerberos",
                "--query=select logged_in_user()"
            };
            // The last two arguments are presumably the expected output and expected error text;
            // RunShellCommand.Run is defined outside this file - confirm there.
            RunShellCommand.Run(
                    command,
                    kerberosKdcEnvironment.getImpalaShellEnv(credentialsCache),
                    z,
                    z ? kerberosKdcEnvironment.getUserPrincipal(str) : "",
                    z ? "Starting Impala Shell with Kerberos authentication" : "Not connected to Impala");
        }
    }

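    /**
     * Builds the cluster flags for LDAP simple-bind authentication against the LDAP server
     * provided by {@code serverRule}, including the group lookup settings and the bind DN and
     * password command.
     *
     * <p>These values are test-only: the URI is plain {@code ldap://},
     * {@code ldap_passwords_in_clear_ok} is enabled, and the bind password is supplied through an
     * {@code echo} command. None of that is suitable outside a local fixture.
     *
     * @return an immutable map from flag name to flag value
     */
    private Map<String, String> getLdapSimpleBindFlags() {
        // The explicit <String, String> witness is required: a bare ImmutableMap.builder() in a
        // call chain infers <Object, Object>, which is not assignable to Map<String, String>.
        // Passing the int port directly relies on autoboxing, which is what the explicit
        // Integer.valueOf call did.
        return ImmutableMap.<String, String>builder()
                .put("enable_ldap_auth", "true")
                .put("ldap_uri", String.format("ldap://localhost:%s", serverRule.getLdapServer().getPort()))
                .put("ldap_passwords_in_clear_ok", "true")
                .put("ldap_bind_pattern", "'cn=#UID,ou=Users,dc=myorg,dc=com'")
                .put("ldap_group_dn_pattern", LdapUtil.GROUP_DN_PATTERN)
                .put("ldap_group_membership_key", "uniqueMember")
                .put("ldap_group_class_key", "groupOfUniqueNames")
                .put("ldap_bind_dn", LdapUtil.TEST_USER_DN_1)
                .put("ldap_bind_password_cmd", String.format("'echo -n %s'", LdapUtil.TEST_PASSWORD_1))
                .build();
    }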

    /**
     * Builds the custom filter flags used by the simple-bind tests.
     *
     * <p>Both values are comma-separated lists: {@code ldap_group_filter} holds
     * {@code LdapUtil.TEST_USER_GROUP} and {@code another-group}; {@code ldap_user_filter} holds
     * {@code LdapUtil.TEST_USER_1}, {@code LdapUtil.TEST_USER_3} and {@code another-user}.
     *
     * @return an immutable map with the two filter flags, group filter first
     */
    private Map<String, String> getCustomLdapSimpleBindSearchFilterFlags() {
        String allowedGroups = LdapUtil.TEST_USER_GROUP + ",another-group";
        String allowedUsers = LdapUtil.TEST_USER_1 + "," + LdapUtil.TEST_USER_3 + ",another-user";
        return ImmutableMap.of(
                "ldap_group_filter", allowedGroups,
                "ldap_user_filter", allowedUsers);
    }
}
