package org.apache.impala.customcluster;

import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.nio.file.attribute.FileAttribute;
import java.util.HashMap;
import java.util.List;
import org.apache.hive.service.rpc.thrift.TCLIService;
import org.apache.hive.service.rpc.thrift.TColumn;
import org.apache.hive.service.rpc.thrift.TExecuteStatementReq;
import org.apache.hive.service.rpc.thrift.TExecuteStatementResp;
import org.apache.hive.service.rpc.thrift.TFetchOrientation;
import org.apache.hive.service.rpc.thrift.TFetchResultsReq;
import org.apache.hive.service.rpc.thrift.TFetchResultsResp;
import org.apache.hive.service.rpc.thrift.TOpenSessionReq;
import org.apache.hive.service.rpc.thrift.TOpenSessionResp;
import org.apache.hive.service.rpc.thrift.TOperationHandle;
import org.apache.hive.service.rpc.thrift.TSessionHandle;
import org.apache.hive.service.rpc.thrift.TStatus;
import org.apache.hive.service.rpc.thrift.TStatusCode;
import org.apache.impala.testutil.WebClient;
import org.apache.impala.testutil.X509CertChain;
import org.apache.thrift.protocol.TBinaryProtocol;
import org.apache.thrift.transport.THttpClient;
import org.hamcrest.Matcher;
import org.hamcrest.core.IsCollectionContaining;
import org.hamcrest.core.StringContains;
import org.junit.After;
import org.junit.Assert;
import org.junit.Test;

/* loaded from: input_file:org/apache/impala/customcluster/JwtHttpTest.class */
public class JwtHttpTest {
    private static final String CA_CERT = "cacert.pem";
    private static final String SERVER_CERT = "server-cert.pem";
    private static final String SERVER_KEY = "server-key.pem";
    private static final String JWKS_FILE_NAME = "jwks_rs256.json";
    WebClient client_ = new WebClient();
    String jwtToken_ = "eyJhbGciOiJSUzI1NiIsImtpZCI6InB1YmxpYzpjNDI0YjY3Yi1mZTI4LTQ1ZDctYjAxNS1mNzlkYTUwYjViMjEiLCJ0eXAiOiJKV1MifQ.eyJpc3MiOiJhdXRoMCIsInVzZXJuYW1lIjoiaW1wYWxhIn0.OW5H2SClLlsotsCarTHYEbqlbRh43LFwOyo9WubpNTwE7hTuJDsnFoVrvHiWI02W69TZNat7DYcC86A_ogLMfNXagHjlMFJaRnvG5Ekag8NRuZNJmHVqfX-qr6x7_8mpOdU554kc200pqbpYLhhuK4Qf7oT7y9mOrtNrUKGDCZ0Q2y_mizlbY6SMg4RWqSz0RQwJbRgXIWSgcbZd0GbD_MQQ8x7WRE4nluU-5Fl4N2Wo8T9fNTuxALPiuVeIczO25b5n4fryfKasSgaZfmk0CoOJzqbtmQxqiK9QNSJAiH2kaqMwLNgAdgn8fbd-lB1RAEGeyPH8Px8ipqcKsPk0bg";
    boolean createJWKSForWebServer_ = false;

    private void setUp(String str) throws Exception {
        Assert.assertEquals(CustomClusterRunner.StartImpalaCluster(str), 0L);
    }

    private void setUp(String str, String str2, String str3, int i) throws Exception {
        if (this.createJWKSForWebServer_) {
            createTempJWKSInWebServerRootDir(JWKS_FILE_NAME);
        }
        Assert.assertEquals(i, CustomClusterRunner.StartImpalaCluster(str, str2, str3));
    }

    private void setUpWithSingleCoordinator(String str, String str2, String str3, int i) throws Exception {
        if (this.createJWKSForWebServer_) {
            createTempJWKSInWebServerRootDir(JWKS_FILE_NAME);
        }
        Assert.assertEquals(i, CustomClusterRunner.StartImpalaCluster(str, str2, str3, new HashMap(), "--num_coordinators=1"));
    }

    @After
    public void cleanUp() throws Exception {
        CustomClusterRunner.StartImpalaCluster();
        if (this.createJWKSForWebServer_) {
            deleteTempJWKSFromWebServerRootDir();
        }
        this.client_.Close();
    }

    private void createTempJWKSInWebServerRootDir(String str) {
        try {
            Files.copy(Paths.get(System.getenv("IMPALA_HOME"), "testdata", "jwt", str), Paths.get(System.getenv("IMPALA_HOME"), "www", "temp_jwks.json"), StandardCopyOption.REPLACE_EXISTING);
        } catch (IOException e) {
            Assert.fail("Failed to copy file: " + e.getMessage());
        }
    }

    private void deleteTempJWKSFromWebServerRootDir() {
        try {
            Files.delete(Paths.get(System.getenv("IMPALA_HOME"), "www", "temp_jwks.json"));
        } catch (IOException e) {
            Assert.fail("Failed to delete file: " + e.getMessage());
        }
    }

    static void verifySuccess(TStatus tStatus) throws Exception {
        if (tStatus.getStatusCode() != TStatusCode.SUCCESS_STATUS && tStatus.getStatusCode() != TStatusCode.SUCCESS_WITH_INFO_STATUS) {
            throw new Exception(tStatus.toString());
        }
    }

    static TOperationHandle execAndFetch(TCLIService.Iface iface, TSessionHandle tSessionHandle, String str, String str2) throws Exception {
        TExecuteStatementResp ExecuteStatement = iface.ExecuteStatement(new TExecuteStatementReq(tSessionHandle, str));
        verifySuccess(ExecuteStatement.getStatus());
        TFetchResultsResp FetchResults = iface.FetchResults(new TFetchResultsReq(ExecuteStatement.getOperationHandle(), TFetchOrientation.FETCH_NEXT, 1000L));
        verifySuccess(FetchResults.getStatus());
        List columns = FetchResults.getResults().getColumns();
        Assert.assertEquals(1L, columns.size());
        Assert.assertEquals(str2, ((TColumn) columns.get(0)).getStringVal().getValues().get(0));
        return ExecuteStatement.getOperationHandle();
    }

    private void verifyJwtAuthMetrics(long j, long j2) throws Exception {
        Assert.assertEquals(j, ((Long) this.client_.getMetric("impala.thrift-server.hiveserver2-http-frontend.total-jwt-token-auth-success")).longValue());
        Assert.assertEquals(j2, ((Long) this.client_.getMetric("impala.thrift-server.hiveserver2-http-frontend.total-jwt-token-auth-failure")).longValue());
    }

    @Test
    public void testJwtAuth() throws Exception {
        this.createJWKSForWebServer_ = false;
        setUp(String.format("--jwt_token_auth=true --jwt_validate_signature=true --jwks_file_path=%s --jwt_allow_without_tls=true", new File(System.getenv("IMPALA_HOME"), String.format("testdata/jwt/%s", JWKS_FILE_NAME)).getPath()));
        THttpClient tHttpClient = new THttpClient("http://localhost:28000");
        HashMap hashMap = new HashMap();
        hashMap.put("Authorization", "Bearer " + this.jwtToken_);
        hashMap.put("X-Forwarded-For", "127.0.0.1");
        tHttpClient.setCustomHeaders(hashMap);
        tHttpClient.open();
        TCLIService.Client client = new TCLIService.Client(new TBinaryProtocol(tHttpClient));
        TOpenSessionReq tOpenSessionReq = new TOpenSessionReq();
        TOpenSessionResp OpenSession = client.OpenSession(tOpenSessionReq);
        verifyJwtAuthMetrics(1L, 0L);
        execAndFetch(client, OpenSession.getSessionHandle(), "select logged_in_user()", "impala");
        verifyJwtAuthMetrics(3L, 0L);
        hashMap.put("Authorization", "Bearer eyJhbGciOiJSUzI1NiIsImtpZCI6InB1YmxpYzpjNDI0YjY3Yi1mZTI4LTQ1ZDctYjAxNS1mNzlkYTUwYjViMjEiLCJ0eXAiOiJKV1MifQ.eyJpc3MiOiJhdXRoMCIsInVzZXJuYW1lIjoiaW1wYWxhIn0.");
        hashMap.put("X-Forwarded-For", "127.0.0.1");
        tHttpClient.setCustomHeaders(hashMap);
        try {
            client.OpenSession(tOpenSessionReq);
            Assert.fail("Exception expected.");
        } catch (Exception e) {
            verifyJwtAuthMetrics(3L, 1L);
            Assert.assertEquals(e.getMessage(), "HTTP Response code: 401");
        }
        hashMap.put("Authorization", "Basic VGVzdDFMZGFwOjEyMzQ1");
        hashMap.put("X-Forwarded-For", "127.0.0.1");
        tHttpClient.setCustomHeaders(hashMap);
        try {
            client.OpenSession(tOpenSessionReq);
            Assert.fail("Exception expected.");
        } catch (Exception e2) {
            verifyJwtAuthMetrics(3L, 1L);
            Assert.assertEquals(e2.getMessage(), "HTTP Response code: 401");
        }
        hashMap.put("X-Forwarded-For", "127.0.0.1");
        tHttpClient.setCustomHeaders(hashMap);
        try {
            client.OpenSession(tOpenSessionReq);
            Assert.fail("Exception expected.");
        } catch (Exception e3) {
            verifyJwtAuthMetrics(3L, 1L);
            Assert.assertEquals(e3.getMessage(), "HTTP Response code: 401");
        }
    }

    @Test
    public void testJwtAuthNotVerifySig() throws Exception {
        this.createJWKSForWebServer_ = false;
        setUp("--jwt_token_auth=true --jwt_validate_signature=false --jwt_allow_without_tls=true");
        THttpClient tHttpClient = new THttpClient("http://localhost:28000");
        HashMap hashMap = new HashMap();
        hashMap.put("Authorization", "Bearer " + this.jwtToken_);
        hashMap.put("X-Forwarded-For", "127.0.0.1");
        tHttpClient.setCustomHeaders(hashMap);
        tHttpClient.open();
        TCLIService.Client client = new TCLIService.Client(new TBinaryProtocol(tHttpClient));
        TOpenSessionResp OpenSession = client.OpenSession(new TOpenSessionReq());
        verifyJwtAuthMetrics(1L, 0L);
        execAndFetch(client, OpenSession.getSessionHandle(), "select logged_in_user()", "impala");
        verifyJwtAuthMetrics(3L, 0L);
    }

    @Test
    public void testJwtAuthWithJwksHttpUrl() throws Exception {
        this.createJWKSForWebServer_ = true;
        setUp(String.format("--jwt_token_auth=true --jwt_validate_signature=true --jwks_url=%s --jwks_update_frequency_s=1 --jwt_allow_without_tls=true", "http://localhost:25010/www/temp_jwks.json"), "", "--webserver_port=25010", 0);
        THttpClient tHttpClient = new THttpClient("http://localhost:28000");
        HashMap hashMap = new HashMap();
        hashMap.put("Authorization", "Bearer " + this.jwtToken_);
        hashMap.put("X-Forwarded-For", "127.0.0.1");
        tHttpClient.setCustomHeaders(hashMap);
        tHttpClient.open();
        TCLIService.Client client = new TCLIService.Client(new TBinaryProtocol(tHttpClient));
        TOpenSessionReq tOpenSessionReq = new TOpenSessionReq();
        TOpenSessionResp OpenSession = client.OpenSession(tOpenSessionReq);
        verifyJwtAuthMetrics(1L, 0L);
        execAndFetch(client, OpenSession.getSessionHandle(), "select logged_in_user()", "impala");
        verifyJwtAuthMetrics(3L, 0L);
        createTempJWKSInWebServerRootDir("jwks_es256.json");
        Thread.sleep(3000L);
        tHttpClient.setCustomHeaders(hashMap);
        try {
            client.OpenSession(tOpenSessionReq);
            Assert.fail("Exception expected.");
        } catch (Exception e) {
            verifyJwtAuthMetrics(3L, 1L);
            Assert.assertEquals(e.getMessage(), "HTTP Response code: 401");
        }
    }

    @Test
    public void testJwtAuthWithInsecureJwksHttpsUrl() throws Exception {
        this.createJWKSForWebServer_ = true;
        String str = setupServerAndRootCerts("testJwtAuthWithInsecureJwksHttpsUrl", "testJwtAuthWithInsecureJwksHttpsUrl Root", "localhostlocalhost");
        setUp(String.format("--jwt_token_auth=true --jwt_validate_signature=true --jwks_url=%s --jwt_allow_without_tls=true --jwks_verify_server_certificate=false ", "https://localhost:25010/www/temp_jwks.json"), "", String.format("--webserver_certificate_file=%s --webserver_private_key_file=%s --webserver_interface=localhost --webserver_port=25010 --hostname=localhost ", Paths.get(str, SERVER_CERT), Paths.get(str, SERVER_KEY)), 0);
        THttpClient tHttpClient = new THttpClient("http://localhost:28000");
        HashMap hashMap = new HashMap();
        hashMap.put("Authorization", "Bearer " + this.jwtToken_);
        hashMap.put("X-Forwarded-For", "127.0.0.1");
        tHttpClient.setCustomHeaders(hashMap);
        tHttpClient.open();
        TCLIService.Client client = new TCLIService.Client(new TBinaryProtocol(tHttpClient));
        TOpenSessionResp OpenSession = client.OpenSession(new TOpenSessionReq());
        verifyJwtAuthMetrics(1L, 0L);
        execAndFetch(client, OpenSession.getSessionHandle(), "select logged_in_user()", "impala");
        verifyJwtAuthMetrics(3L, 0L);
    }

    @Test
    public void testJwtAuthWithUntrustedJwksHttpsUrl() throws Exception {
        this.createJWKSForWebServer_ = true;
        String str = setupServerAndRootCerts("testJwtAuthWithUntrustedJwksHttpsUrl", "testJwtAuthWithUntrustedJwksHttpsUrl Root", "localhost");
        Path createTempDirectory = Files.createTempDirectory("testJwtAuthWithUntrustedJwksHttpsUrl", new FileAttribute[0]);
        String format = String.format("--webserver_certificate_file=%s --webserver_private_key_file=%s --webserver_interface=localhost --webserver_port=25010 --hostname=localhost ", Paths.get(str, SERVER_CERT), Paths.get(str, SERVER_KEY));
        String format2 = String.format("--jwt_token_auth=true --jwt_validate_signature=true --jwks_url=%s --jwt_allow_without_tls=true --log_dir=%s --logbuflevel=-1 ", "https://localhost:25010/www/temp_jwks.json", createTempDirectory.toAbsolutePath());
        String format3 = String.format("Impalad services did not start correctly, exiting.  Error: Error downloading JWKS from '%s': Network error: curl error: SSL peer certificate or SSH remote key was not OK: SSL certificate problem: unable to get local issuer certificate", "https://localhost:25010/www/temp_jwks.json");
        setUpWithSingleCoordinator(format2, "", format, 1);
        checkCoordinatorLogs(format3, createTempDirectory);
    }

    @Test
    public void testJwtAuthWithTrustedJwksHttpsUrlInvalidCN() throws Exception {
        this.createJWKSForWebServer_ = true;
        String str = setupServerAndRootCerts("testJwtAuthWithTrustedJwksHttpsUrlInvalidCN", "testJwtAuthWithTrustedJwksHttpsUrlInvalidCN Root", "notvalid");
        Path createTempDirectory = Files.createTempDirectory("testJwtAuthWithTrustedJwksHttpsUrlInvalidCN", new FileAttribute[0]);
        String format = String.format("--webserver_certificate_file=%s --webserver_private_key_file=%s --webserver_interface=localhost --webserver_port=25010 --hostname=localhost ", Paths.get(str, SERVER_CERT), Paths.get(str, SERVER_KEY));
        String format2 = String.format("--jwt_token_auth=true --jwt_validate_signature=true --jwks_url=%s --jwt_allow_without_tls=true --log_dir=%s --jwks_ca_certificate=%s --logbuflevel=-1 ", "https://localhost:25010/www/temp_jwks.json", createTempDirectory.toAbsolutePath(), Paths.get(str, CA_CERT));
        String format3 = String.format("Impalad services did not start correctly, exiting.  Error: Error downloading JWKS from '%s': Network error: curl error: SSL peer certificate or SSH remote key was not OK: SSL: certificate subject name '%s' does not match target host name '%s'", "https://localhost:25010/www/temp_jwks.json", "notvalid", "localhost");
        setUpWithSingleCoordinator(format2, "", format, 1);
        checkCoordinatorLogs(format3, createTempDirectory);
    }

    @Test
    public void testJwtAuthWithTrustedJwksHttpsUrl() throws Exception {
        this.createJWKSForWebServer_ = true;
        String str = setupServerAndRootCerts("testJwtAuthWithTrustedJwksHttpsUrl", "testJwtAuthWithTrustedJwksHttpsUrl Root", "localhost");
        setUp(String.format("--jwt_token_auth=true --jwt_validate_signature=true --jwks_url=%s --jwt_allow_without_tls=true --jwks_ca_certificate=%s ", "https://localhost:25010/www/temp_jwks.json", Paths.get(str, CA_CERT)), "", String.format("--webserver_certificate_file=%s --webserver_private_key_file=%s --webserver_interface=localhost --webserver_port=25010 --hostname=localhost ", Paths.get(str, SERVER_CERT), Paths.get(str, SERVER_KEY)), 0);
    }

    private String setupServerAndRootCerts(String str, String str2, String str3) throws Exception {
        Path createTempDirectory = Files.createTempDirectory(str, new FileAttribute[0]);
        Path resolve = createTempDirectory.resolve(Paths.get(CA_CERT, new String[0]));
        Path resolve2 = createTempDirectory.resolve(Paths.get(SERVER_CERT, new String[0]));
        Path resolve3 = createTempDirectory.resolve(Paths.get(SERVER_KEY, new String[0]));
        FileWriter fileWriter = new FileWriter(resolve.toFile());
        FileWriter fileWriter2 = new FileWriter(resolve2.toFile());
        FileWriter fileWriter3 = new FileWriter(resolve3.toFile());
        X509CertChain x509CertChain = new X509CertChain(str2, str3);
        x509CertChain.writeLeafCertAsPem(fileWriter2);
        x509CertChain.writeLeafPrivateKeyAsPem(fileWriter3);
        x509CertChain.writeRootCertAsPem(fileWriter);
        fileWriter.close();
        fileWriter2.close();
        fileWriter3.close();
        return createTempDirectory.toString();
    }

    private void checkCoordinatorLogs(String str, Path path) throws IOException, InterruptedException {
        List<String> list = null;
        Matcher hasItem = IsCollectionContaining.hasItem(StringContains.containsString(str));
        for (int i = 0; i < 10; i++) {
            list = Files.readAllLines(path.resolve("impalad.ERROR"));
            if (hasItem.matches(list)) {
                break;
            }
            Thread.sleep(250L);
        }
        Assert.assertThat(String.format("Impalad startup failed but not for the expected reason. See logs in the '%s' folder for details.", path), list, IsCollectionContaining.hasItem(StringContains.containsString(str)));
    }
}
