package org.apache.phoenix.jdbc;

import java.io.File;
import java.io.IOException;
import java.lang.reflect.Field;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Properties;
import org.apache.commons.io.FileUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.minikdc.MiniKdc;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.util.KerberosName;
import org.apache.phoenix.end2end.NeedsOwnMiniClusterTest;
import org.apache.phoenix.jdbc.PhoenixEmbeddedDriver;
import org.apache.phoenix.query.ConfigurationFactory;
import org.apache.phoenix.util.InstanceResolver;
import org.apache.phoenix.util.ReadOnlyProps;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Test;
import org.junit.experimental.categories.Category;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Category({NeedsOwnMiniClusterTest.class})
/* loaded from: input_file:org/apache/phoenix/jdbc/SecureUserConnectionsIT.class */
public class SecureUserConnectionsIT {
    private static final int KDC_START_ATTEMPTS = 10;
    private static final int NUM_USERS = 3;
    private static final String BASE_URL = "jdbc:phoenix:localhost:2181";
    private static MiniKdc KDC;
    private static final Logger LOGGER = LoggerFactory.getLogger(SecureUserConnectionsIT.class);
    private static final File TEMP_DIR = new File(getClassTempDir());
    private static final File KEYTAB_DIR = new File(TEMP_DIR, "keytabs");
    private static final File KDC_DIR = new File(TEMP_DIR, "kdc");
    private static final List<File> USER_KEYTAB_FILES = new ArrayList();
    private static final List<File> SERVICE_KEYTAB_FILES = new ArrayList();
    private static final Properties EMPTY_PROPERTIES = new Properties();

    @BeforeClass
    public static synchronized void setupKdc() throws Exception {
        ensureIsEmptyDirectory(KDC_DIR);
        ensureIsEmptyDirectory(KEYTAB_DIR);
        boolean z = false;
        for (int i = 0; !z && i < 10; i++) {
            Properties createConf = MiniKdc.createConf();
            createConf.put("debug", true);
            KDC = new MiniKdc(createConf, KDC_DIR);
            try {
                KDC.start();
                z = true;
            } catch (Exception e) {
                LOGGER.warn("PHOENIX-3287: Failed to start KDC, retrying..", e);
            }
        }
        Assert.assertTrue("The embedded KDC failed to start successfully after 10 attempts.", z);
        createUsers(NUM_USERS);
        createServiceUsers(NUM_USERS);
        final Configuration configuration = new Configuration(false);
        configuration.set("hadoop.security.authentication", "kerberos");
        configuration.set("hbase.security.authentication", "kerberos");
        configuration.setBoolean("hbase.security.authorization", true);
        UserGroupInformation.setConfiguration(configuration);
        InstanceResolver.clearSingletons();
        InstanceResolver.getSingleton(ConfigurationFactory.class, new ConfigurationFactory() { // from class: org.apache.phoenix.jdbc.SecureUserConnectionsIT.1
            public Configuration getConfiguration() {
                return configuration;
            }

            public Configuration getConfiguration(Configuration configuration2) {
                Configuration configuration3 = new Configuration(configuration);
                configuration3.addResource(configuration2);
                return configuration3;
            }
        });
        updateDefaultRealm();
    }

    private static void updateDefaultRealm() throws Exception {
        Field declaredField = KerberosName.class.getDeclaredField("defaultRealm");
        declaredField.setAccessible(true);
        declaredField.set(null, "EXAMPLE.COM");
    }

    @AfterClass
    public static synchronized void stopKdc() throws Exception {
        InstanceResolver.clearSingletons();
        if (null != KDC) {
            KDC.stop();
            KDC = null;
        }
    }

    private static String getClassTempDir() {
        StringBuilder sb = new StringBuilder(32);
        sb.append(System.getProperty("user.dir")).append(File.separator);
        sb.append("target").append(File.separator);
        sb.append(SecureUserConnectionsIT.class.getSimpleName());
        return sb.toString();
    }

    private static void ensureIsEmptyDirectory(File file) throws IOException {
        if (file.exists()) {
            if (file.isDirectory()) {
                FileUtils.deleteDirectory(file);
            } else {
                Assert.assertTrue("Failed to delete keytab directory", file.delete());
            }
        }
        Assert.assertTrue("Failed to create keytab directory", file.mkdirs());
    }

    private static void createUsers(int i) throws Exception {
        Assert.assertNotNull("KDC is null, was setup method called?", KDC);
        for (int i2 = 1; i2 <= i; i2++) {
            String str = "user" + i2;
            File file = new File(KEYTAB_DIR, str + ".keytab");
            KDC.createPrincipal(file, new String[]{str});
            USER_KEYTAB_FILES.add(file);
        }
    }

    private static void createServiceUsers(int i) throws Exception {
        Assert.assertNotNull("KDC is null, was setup method called?", KDC);
        for (int i2 = 1; i2 <= i; i2++) {
            File file = new File(KEYTAB_DIR, "user" + i2 + ".service.keytab");
            KDC.createPrincipal(file, new String[]{"user" + i2 + "/localhost"});
            SERVICE_KEYTAB_FILES.add(file);
        }
    }

    private static String getUserPrincipal(int i) {
        return "user" + i + "@" + KDC.getRealm();
    }

    private static String getServicePrincipal(int i) {
        return "user" + i + "/localhost@" + KDC.getRealm();
    }

    public static File getUserKeytabFile(int i) {
        return getKeytabFile(i, USER_KEYTAB_FILES);
    }

    public static File getServiceKeytabFile(int i) {
        return getKeytabFile(i, SERVICE_KEYTAB_FILES);
    }

    private static File getKeytabFile(int i, List<File> list) {
        Assert.assertTrue("Invalid offset: " + i, i - 1 >= 0 && i - 1 < list.size());
        return list.get(i - 1);
    }

    /* JADX INFO: Access modifiers changed from: private */
    public String joinUserAuthentication(String str, String str2, File file) {
        StringBuilder sb = new StringBuilder(64);
        if (str.charAt(str.length() - 1) == ';') {
            sb.append((CharSequence) str, 0, str.length() - 1);
        } else {
            sb.append(str);
        }
        sb.append(':').append(str2);
        sb.append(':').append(file.getPath());
        return sb.append(';').toString();
    }

    @Test
    public void testMultipleInvocationsBySameUserAreEquivalent() throws Exception {
        final HashSet hashSet = new HashSet();
        final String userPrincipal = getUserPrincipal(1);
        final File userKeytabFile = getUserKeytabFile(1);
        UserGroupInformation loginUserFromKeytabAndReturnUGI = UserGroupInformation.loginUserFromKeytabAndReturnUGI(userPrincipal, userKeytabFile.getPath());
        PrivilegedExceptionAction<Void> privilegedExceptionAction = new PrivilegedExceptionAction<Void>() { // from class: org.apache.phoenix.jdbc.SecureUserConnectionsIT.2
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public Void run() throws Exception {
                hashSet.add(PhoenixEmbeddedDriver.ConnectionInfo.create(SecureUserConnectionsIT.this.joinUserAuthentication(SecureUserConnectionsIT.BASE_URL, userPrincipal, userKeytabFile)).normalize(ReadOnlyProps.EMPTY_PROPS, SecureUserConnectionsIT.EMPTY_PROPERTIES));
                return null;
            }
        };
        loginUserFromKeytabAndReturnUGI.doAs(privilegedExceptionAction);
        Assert.assertEquals(1L, hashSet.size());
        verifyAllConnectionsAreKerberosBased(hashSet);
        loginUserFromKeytabAndReturnUGI.doAs(privilegedExceptionAction);
        Assert.assertEquals(1L, hashSet.size());
        verifyAllConnectionsAreKerberosBased(hashSet);
    }

    @Test
    public void testMultipleUniqueUGIInstancesAreDisjoint() throws Exception {
        final HashSet hashSet = new HashSet();
        final String userPrincipal = getUserPrincipal(1);
        final File userKeytabFile = getUserKeytabFile(1);
        UserGroupInformation loginUserFromKeytabAndReturnUGI = UserGroupInformation.loginUserFromKeytabAndReturnUGI(userPrincipal, userKeytabFile.getPath());
        PrivilegedExceptionAction<Void> privilegedExceptionAction = new PrivilegedExceptionAction<Void>() { // from class: org.apache.phoenix.jdbc.SecureUserConnectionsIT.3
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public Void run() throws Exception {
                hashSet.add(PhoenixEmbeddedDriver.ConnectionInfo.create(SecureUserConnectionsIT.this.joinUserAuthentication(SecureUserConnectionsIT.BASE_URL, userPrincipal, userKeytabFile)).normalize(ReadOnlyProps.EMPTY_PROPS, SecureUserConnectionsIT.EMPTY_PROPERTIES));
                return null;
            }
        };
        loginUserFromKeytabAndReturnUGI.doAs(privilegedExceptionAction);
        Assert.assertEquals(1L, hashSet.size());
        verifyAllConnectionsAreKerberosBased(hashSet);
        UserGroupInformation.loginUserFromKeytabAndReturnUGI(userPrincipal, userKeytabFile.getPath()).doAs(privilegedExceptionAction);
        Assert.assertEquals(2L, hashSet.size());
        verifyAllConnectionsAreKerberosBased(hashSet);
    }

    @Test
    public void testAlternatingLogins() throws Exception {
        final HashSet hashSet = new HashSet();
        final String userPrincipal = getUserPrincipal(1);
        final File userKeytabFile = getUserKeytabFile(1);
        final String userPrincipal2 = getUserPrincipal(2);
        final File userKeytabFile2 = getUserKeytabFile(2);
        UserGroupInformation loginUserFromKeytabAndReturnUGI = UserGroupInformation.loginUserFromKeytabAndReturnUGI(userPrincipal, userKeytabFile.getPath());
        UserGroupInformation loginUserFromKeytabAndReturnUGI2 = UserGroupInformation.loginUserFromKeytabAndReturnUGI(userPrincipal2, userKeytabFile2.getPath());
        loginUserFromKeytabAndReturnUGI.doAs(new PrivilegedExceptionAction<Void>() { // from class: org.apache.phoenix.jdbc.SecureUserConnectionsIT.4
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public Void run() throws Exception {
                hashSet.add(PhoenixEmbeddedDriver.ConnectionInfo.create(SecureUserConnectionsIT.this.joinUserAuthentication(SecureUserConnectionsIT.BASE_URL, userPrincipal, userKeytabFile)).normalize(ReadOnlyProps.EMPTY_PROPS, SecureUserConnectionsIT.EMPTY_PROPERTIES));
                return null;
            }
        });
        Assert.assertEquals(1L, hashSet.size());
        verifyAllConnectionsAreKerberosBased(hashSet);
        loginUserFromKeytabAndReturnUGI2.doAs(new PrivilegedExceptionAction<Void>() { // from class: org.apache.phoenix.jdbc.SecureUserConnectionsIT.5
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public Void run() throws Exception {
                hashSet.add(PhoenixEmbeddedDriver.ConnectionInfo.create(SecureUserConnectionsIT.this.joinUserAuthentication(SecureUserConnectionsIT.BASE_URL, userPrincipal2, userKeytabFile2)).normalize(ReadOnlyProps.EMPTY_PROPS, SecureUserConnectionsIT.EMPTY_PROPERTIES));
                return null;
            }
        });
        Assert.assertEquals(2L, hashSet.size());
        verifyAllConnectionsAreKerberosBased(hashSet);
        loginUserFromKeytabAndReturnUGI.doAs(new PrivilegedExceptionAction<Void>() { // from class: org.apache.phoenix.jdbc.SecureUserConnectionsIT.6
            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.security.PrivilegedExceptionAction
            public Void run() throws Exception {
                hashSet.add(PhoenixEmbeddedDriver.ConnectionInfo.create(SecureUserConnectionsIT.this.joinUserAuthentication(SecureUserConnectionsIT.BASE_URL, userPrincipal, userKeytabFile)).normalize(ReadOnlyProps.EMPTY_PROPS, SecureUserConnectionsIT.EMPTY_PROPERTIES));
                return null;
            }
        });
        Assert.assertEquals(2L, hashSet.size());
        verifyAllConnectionsAreKerberosBased(hashSet);
    }

    @Test
    public void testAlternatingDestructiveLogins() throws Exception {
        HashSet hashSet = new HashSet();
        String userPrincipal = getUserPrincipal(1);
        File userKeytabFile = getUserKeytabFile(1);
        String userPrincipal2 = getUserPrincipal(2);
        File userKeytabFile2 = getUserKeytabFile(2);
        String joinUserAuthentication = joinUserAuthentication(BASE_URL, userPrincipal, userKeytabFile);
        String joinUserAuthentication2 = joinUserAuthentication(BASE_URL, userPrincipal2, userKeytabFile2);
        UserGroupInformation.loginUserFromKeytab(userPrincipal, userKeytabFile.getPath());
        hashSet.add(PhoenixEmbeddedDriver.ConnectionInfo.create(joinUserAuthentication).normalize(ReadOnlyProps.EMPTY_PROPS, EMPTY_PROPERTIES));
        Assert.assertEquals(1L, hashSet.size());
        verifyAllConnectionsAreKerberosBased(hashSet);
        UserGroupInformation.loginUserFromKeytab(userPrincipal2, userKeytabFile2.getPath());
        hashSet.add(PhoenixEmbeddedDriver.ConnectionInfo.create(joinUserAuthentication2).normalize(ReadOnlyProps.EMPTY_PROPS, EMPTY_PROPERTIES));
        Assert.assertEquals(2L, hashSet.size());
        verifyAllConnectionsAreKerberosBased(hashSet);
        UserGroupInformation.loginUserFromKeytab(userPrincipal, userKeytabFile.getPath());
        hashSet.add(PhoenixEmbeddedDriver.ConnectionInfo.create(joinUserAuthentication).normalize(ReadOnlyProps.EMPTY_PROPS, EMPTY_PROPERTIES));
        Assert.assertEquals(3L, hashSet.size());
        verifyAllConnectionsAreKerberosBased(hashSet);
    }

    @Test
    public void testMultipleConnectionsAsSameUser() throws Exception {
        HashSet hashSet = new HashSet();
        String userPrincipal = getUserPrincipal(1);
        File userKeytabFile = getUserKeytabFile(1);
        String joinUserAuthentication = joinUserAuthentication(BASE_URL, userPrincipal, userKeytabFile);
        UserGroupInformation.loginUserFromKeytab(userPrincipal, userKeytabFile.getPath());
        hashSet.add(PhoenixEmbeddedDriver.ConnectionInfo.create(joinUserAuthentication).normalize(ReadOnlyProps.EMPTY_PROPS, EMPTY_PROPERTIES));
        Assert.assertEquals(1L, hashSet.size());
        verifyAllConnectionsAreKerberosBased(hashSet);
        hashSet.add(PhoenixEmbeddedDriver.ConnectionInfo.create(joinUserAuthentication).normalize(ReadOnlyProps.EMPTY_PROPS, EMPTY_PROPERTIES));
        Assert.assertEquals(1L, hashSet.size());
    }

    @Test
    public void testMultipleConnectionsAsSameUserWithoutLogin() throws Exception {
        HashSet hashSet = new HashSet();
        String joinUserAuthentication = joinUserAuthentication(BASE_URL, getUserPrincipal(1), getUserKeytabFile(1));
        hashSet.add(PhoenixEmbeddedDriver.ConnectionInfo.create(joinUserAuthentication).normalize(ReadOnlyProps.EMPTY_PROPS, EMPTY_PROPERTIES));
        Assert.assertEquals(1L, hashSet.size());
        verifyAllConnectionsAreKerberosBased(hashSet);
        hashSet.add(PhoenixEmbeddedDriver.ConnectionInfo.create(joinUserAuthentication).normalize(ReadOnlyProps.EMPTY_PROPS, EMPTY_PROPERTIES));
        Assert.assertEquals(1L, hashSet.size());
    }

    @Test
    public void testAlternatingConnectionsWithoutLogin() throws Exception {
        HashSet hashSet = new HashSet();
        String userPrincipal = getUserPrincipal(1);
        File userKeytabFile = getUserKeytabFile(1);
        String userPrincipal2 = getUserPrincipal(2);
        File userKeytabFile2 = getUserKeytabFile(2);
        String joinUserAuthentication = joinUserAuthentication(BASE_URL, userPrincipal, userKeytabFile);
        String joinUserAuthentication2 = joinUserAuthentication(BASE_URL, userPrincipal2, userKeytabFile2);
        hashSet.add(PhoenixEmbeddedDriver.ConnectionInfo.create(joinUserAuthentication).normalize(ReadOnlyProps.EMPTY_PROPS, EMPTY_PROPERTIES));
        Assert.assertEquals(1L, hashSet.size());
        verifyAllConnectionsAreKerberosBased(hashSet);
        hashSet.add(PhoenixEmbeddedDriver.ConnectionInfo.create(joinUserAuthentication2).normalize(ReadOnlyProps.EMPTY_PROPS, EMPTY_PROPERTIES));
        Assert.assertEquals(2L, hashSet.size());
        verifyAllConnectionsAreKerberosBased(hashSet);
        hashSet.add(PhoenixEmbeddedDriver.ConnectionInfo.create(joinUserAuthentication).normalize(ReadOnlyProps.EMPTY_PROPS, EMPTY_PROPERTIES));
        Assert.assertEquals(3L, hashSet.size());
        verifyAllConnectionsAreKerberosBased(hashSet);
    }

    @Test
    public void testHostSubstitutionInUrl() throws Exception {
        HashSet hashSet = new HashSet();
        String servicePrincipal = getServicePrincipal(1);
        File serviceKeytabFile = getServiceKeytabFile(1);
        String servicePrincipal2 = getServicePrincipal(2);
        File serviceKeytabFile2 = getServiceKeytabFile(2);
        String joinUserAuthentication = joinUserAuthentication(BASE_URL, servicePrincipal, serviceKeytabFile);
        String joinUserAuthentication2 = joinUserAuthentication(BASE_URL, servicePrincipal2, serviceKeytabFile2);
        hashSet.add(PhoenixEmbeddedDriver.ConnectionInfo.create(joinUserAuthentication).normalize(ReadOnlyProps.EMPTY_PROPS, EMPTY_PROPERTIES));
        Assert.assertEquals(1L, hashSet.size());
        verifyAllConnectionsAreKerberosBased(hashSet);
        hashSet.add(PhoenixEmbeddedDriver.ConnectionInfo.create(joinUserAuthentication).normalize(ReadOnlyProps.EMPTY_PROPS, EMPTY_PROPERTIES));
        Assert.assertEquals(1L, hashSet.size());
        verifyAllConnectionsAreKerberosBased(hashSet);
        hashSet.add(PhoenixEmbeddedDriver.ConnectionInfo.create(joinUserAuthentication2).normalize(ReadOnlyProps.EMPTY_PROPS, EMPTY_PROPERTIES));
        Assert.assertEquals(2L, hashSet.size());
        verifyAllConnectionsAreKerberosBased(hashSet);
        hashSet.add(PhoenixEmbeddedDriver.ConnectionInfo.create(joinUserAuthentication2).normalize(ReadOnlyProps.EMPTY_PROPS, EMPTY_PROPERTIES));
        Assert.assertEquals(2L, hashSet.size());
        verifyAllConnectionsAreKerberosBased(hashSet);
        hashSet.add(PhoenixEmbeddedDriver.ConnectionInfo.create(joinUserAuthentication).normalize(ReadOnlyProps.EMPTY_PROPS, EMPTY_PROPERTIES));
        Assert.assertEquals(3L, hashSet.size());
        verifyAllConnectionsAreKerberosBased(hashSet);
    }

    private void verifyAllConnectionsAreKerberosBased(Collection<PhoenixEmbeddedDriver.ConnectionInfo> collection) {
        for (PhoenixEmbeddedDriver.ConnectionInfo connectionInfo : collection) {
            Assert.assertTrue("ConnectionInfo does not have kerberos credentials: " + connectionInfo, connectionInfo.getUser().getUGI().hasKerberosCredentials());
        }
    }
}
