package org.apache.hadoop.hdfs.server.namenode;

import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import junit.framework.TestCase;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.fs.permission.AclEntry;
import org.apache.hadoop.fs.permission.AclEntryScope;
import org.apache.hadoop.fs.permission.AclEntryType;
import org.apache.hadoop.fs.permission.FsAction;
import org.apache.hadoop.fs.permission.FsPermission;
import org.apache.hadoop.hdfs.DFSTestUtil;
import org.apache.hadoop.hdfs.DistributedFileSystem;
import org.apache.hadoop.hdfs.HdfsConfiguration;
import org.apache.hadoop.hdfs.MiniDFSCluster;
import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.UserGroupInformation;
import org.junit.Test;

/* loaded from: input_file:org/apache/hadoop/hdfs/server/namenode/TestSubtreeLockACL.class */
public class TestSubtreeLockACL extends TestCase {
    private static Log log = LogFactory.getLog(TestSubtreeLockACL.class);
    MiniDFSCluster cluster;
    Configuration conf = new HdfsConfiguration();
    Path subtrees = new Path("/subtrees");
    Path subtree1 = new Path(this.subtrees, "subtree1");
    Path level1folder1 = new Path(this.subtree1, "level1folder1");
    Path level1folder2 = new Path(this.subtree1, "level1folder2");
    Path level2folder1 = new Path(this.level1folder1, "level2folder1");
    Path level2file1 = new Path(this.level1folder1, "level2file1");
    Path level3file1 = new Path(this.level2folder1, "level2file1");
    Path subtree2 = new Path(this.subtrees, "subtree2");
    String sharedGroup = "sharedgroup";
    UserGroupInformation user1 = UserGroupInformation.createUserForTesting("user1", new String[]{"user1", this.sharedGroup});
    UserGroupInformation user2 = UserGroupInformation.createUserForTesting("user2", new String[]{"user2", this.sharedGroup});

    public TestSubtreeLockACL() {
        this.conf.setBoolean("dfs.namenode.acls.enabled", true);
    }

    public void setup() throws IOException {
        this.cluster = new MiniDFSCluster.Builder(this.conf).format(true).numDataNodes(1).build();
        this.cluster.waitActive();
        createFileTree();
    }

    public void teardown() {
        if (this.cluster != null) {
            this.cluster.shutdown();
        }
    }

    @Test
    public void testRenameBlockedByDestinationParentAccessAcl() throws IOException, InterruptedException {
        try {
            setup();
            setReadOnlyUserAccessAcl(this.user2.getShortUserName(), this.subtree2);
            try {
                ((FileSystem) this.user2.doAs(new PrivilegedExceptionAction<FileSystem>() { // from class: org.apache.hadoop.hdfs.server.namenode.TestSubtreeLockACL.1
                    /* JADX WARN: Can't rename method to resolve collision */
                    @Override // java.security.PrivilegedExceptionAction
                    public FileSystem run() throws Exception {
                        return FileSystem.get(TestSubtreeLockACL.this.conf);
                    }
                })).rename(this.level1folder1, new Path(this.subtree2, "newname"));
                fail("Owner permission should block rename");
            } catch (AccessControlException e) {
                assertTrue("Wrong inode triggered access control exception.", e.getMessage().contains("inode=\"/subtrees/subtree2\""));
            }
        } finally {
            teardown();
        }
    }

    @Test
    public void testSubtreeMoveBlockedSourceParentAccessAcl() throws IOException, InterruptedException {
        try {
            setup();
            setReadOnlyUserAccessAcl(this.user2.getShortUserName(), this.subtree1);
            try {
                ((FileSystem) this.user2.doAs(new PrivilegedExceptionAction<FileSystem>() { // from class: org.apache.hadoop.hdfs.server.namenode.TestSubtreeLockACL.2
                    /* JADX WARN: Can't rename method to resolve collision */
                    @Override // java.security.PrivilegedExceptionAction
                    public FileSystem run() throws Exception {
                        return FileSystem.get(TestSubtreeLockACL.this.conf);
                    }
                })).rename(this.level1folder1, new Path(this.subtree2, "newname"));
                fail("Acl should block move");
            } catch (AccessControlException e) {
                assertTrue("Wrong inode triggered access control exception.", e.getMessage().contains("inode=\"/subtrees/subtree1\""));
            }
        } finally {
            teardown();
        }
    }

    @Test
    public void testSubtreeMoveBlockedByInheritedDefaultAcl() throws IOException, InterruptedException {
        try {
            setup();
            setReadOnlyUserDefaultAcl(this.user2.getShortUserName(), this.subtree1);
            try {
                ((FileSystem) this.user2.doAs(new PrivilegedExceptionAction<FileSystem>() { // from class: org.apache.hadoop.hdfs.server.namenode.TestSubtreeLockACL.3
                    /* JADX WARN: Can't rename method to resolve collision */
                    @Override // java.security.PrivilegedExceptionAction
                    public FileSystem run() throws Exception {
                        return FileSystem.get(TestSubtreeLockACL.this.conf);
                    }
                })).rename(this.level2folder1, new Path(this.subtree2, "newname"));
                fail("Acl should block move");
            } catch (AccessControlException e) {
                assertTrue("Wrong inode triggered access control exception.", e.getMessage().contains("inode=\"/subtrees/subtree1/level1folder1\""));
            }
        } finally {
            teardown();
        }
    }

    @Test
    public void testSubtreeMoveNotBlockedByDeepAcl() throws IOException, InterruptedException {
        try {
            setup();
            setDenyUserAccessAcl(this.user2.getShortUserName(), this.level2folder1);
            try {
                ((FileSystem) this.user2.doAs(new PrivilegedExceptionAction<FileSystem>() { // from class: org.apache.hadoop.hdfs.server.namenode.TestSubtreeLockACL.4
                    /* JADX WARN: Can't rename method to resolve collision */
                    @Override // java.security.PrivilegedExceptionAction
                    public FileSystem run() throws Exception {
                        return FileSystem.get(TestSubtreeLockACL.this.conf);
                    }
                })).rename(this.subtree1, new Path(this.subtree2, "newname"));
            } catch (AccessControlException e) {
                fail("Operation should complete without errors");
            }
        } finally {
            teardown();
        }
    }

    @Test
    public void testSubtreeDeleteBlockedByAccessAcl() throws IOException, InterruptedException {
        try {
            setup();
            setDenyUserAccessAcl(this.user2.getShortUserName(), this.level1folder1);
            try {
                ((FileSystem) this.user2.doAs(new PrivilegedExceptionAction<FileSystem>() { // from class: org.apache.hadoop.hdfs.server.namenode.TestSubtreeLockACL.5
                    /* JADX WARN: Can't rename method to resolve collision */
                    @Override // java.security.PrivilegedExceptionAction
                    public FileSystem run() throws Exception {
                        return FileSystem.get(TestSubtreeLockACL.this.conf);
                    }
                })).delete(this.subtree1, true);
                fail("Acl should block delete");
            } catch (AccessControlException e) {
                assertTrue("Wrong inode triggered access control exception.", e.getMessage().contains("projectedInode=\"level1folder1\""));
            }
        } finally {
            teardown();
        }
    }

    @Test
    public void testSubtreeDeleteBlockedByInheritedDefaultAcl() throws IOException, InterruptedException {
        try {
            setup();
            setDenyUserDefaultAcl(this.user2.getShortUserName(), this.subtree1);
            try {
                ((FileSystem) this.user2.doAs(new PrivilegedExceptionAction<FileSystem>() { // from class: org.apache.hadoop.hdfs.server.namenode.TestSubtreeLockACL.6
                    /* JADX WARN: Can't rename method to resolve collision */
                    @Override // java.security.PrivilegedExceptionAction
                    public FileSystem run() throws Exception {
                        return FileSystem.get(TestSubtreeLockACL.this.conf);
                    }
                })).delete(this.subtree1, true);
                fail("Acl should block delete");
            } catch (AccessControlException e) {
                assertTrue("Wrong inode triggered access control exception.", e.getMessage().contains("projectedInode=\"level1folder1\""));
            }
        } finally {
            teardown();
        }
    }

    @Test
    public void testSubtreeDeleteBlockedByInheritedDefaultDeepAcl() throws IOException, InterruptedException {
        try {
            setup();
            setDenyUserDefaultAcl(this.user2.getShortUserName(), this.level1folder1);
            try {
                ((FileSystem) this.user2.doAs(new PrivilegedExceptionAction<FileSystem>() { // from class: org.apache.hadoop.hdfs.server.namenode.TestSubtreeLockACL.7
                    /* JADX WARN: Can't rename method to resolve collision */
                    @Override // java.security.PrivilegedExceptionAction
                    public FileSystem run() throws Exception {
                        return FileSystem.get(TestSubtreeLockACL.this.conf);
                    }
                })).delete(this.subtree1, true);
                fail("Acl should block delete");
            } catch (AccessControlException e) {
                assertTrue("Wrong inode triggered access control exception.", e.getMessage().contains("projectedInode=\"level2folder1\""));
            }
        } finally {
            teardown();
        }
    }

    private void createFileTree() throws IOException {
        DistributedFileSystem fileSystem = this.cluster.getFileSystem();
        FsPermission createImmutable = FsPermission.createImmutable((short) 509);
        fileSystem.mkdirs(this.subtrees);
        fileSystem.setPermission(this.subtrees, createImmutable);
        fileSystem.setOwner(this.subtrees, this.user1.getShortUserName(), this.sharedGroup);
        fileSystem.mkdirs(this.subtree1);
        fileSystem.setPermission(this.subtree1, createImmutable);
        fileSystem.mkdirs(this.level1folder1);
        fileSystem.setPermission(this.level1folder1, createImmutable);
        fileSystem.mkdirs(this.level1folder2);
        fileSystem.setPermission(this.level1folder2, createImmutable);
        fileSystem.mkdirs(this.level2folder1);
        fileSystem.setPermission(this.level2folder1, createImmutable);
        DFSTestUtil.createFile(fileSystem, this.level2file1, 1000L, (short) 1, 0L);
        fileSystem.setPermission(this.level2file1, createImmutable);
        DFSTestUtil.createFile(fileSystem, this.level3file1, 1000L, (short) 1, 0L);
        fileSystem.setPermission(this.level3file1, createImmutable);
        fileSystem.setOwner(this.subtree1, this.user1.getShortUserName(), this.sharedGroup);
        fileSystem.setOwner(this.level1folder1, this.user1.getShortUserName(), this.sharedGroup);
        fileSystem.setOwner(this.level1folder2, this.user1.getShortUserName(), this.sharedGroup);
        fileSystem.setOwner(this.level2folder1, this.user1.getShortUserName(), this.sharedGroup);
        fileSystem.setOwner(this.level2file1, this.user1.getShortUserName(), this.sharedGroup);
        fileSystem.setOwner(this.level3file1, this.user1.getShortUserName(), this.sharedGroup);
        fileSystem.mkdirs(this.subtree2);
        fileSystem.setPermission(this.subtree2, createImmutable);
        fileSystem.setOwner(this.subtree2, this.user1.getShortUserName(), this.sharedGroup);
    }

    private List<AclEntry> createUserEntry(String str, boolean z, FsAction fsAction) {
        ArrayList arrayList = new ArrayList();
        arrayList.add(new AclEntry.Builder().setScope(z ? AclEntryScope.DEFAULT : AclEntryScope.ACCESS).setType(AclEntryType.USER).setName(str).setPermission(fsAction).build());
        return arrayList;
    }

    private void setReadOnlyUserAccessAcl(String str, Path path) throws IOException {
        DistributedFileSystem fileSystem = this.cluster.getFileSystem();
        fileSystem.modifyAclEntries(path, createUserEntry(str, false, FsAction.READ_EXECUTE));
        boolean z = false;
        Iterator it = fileSystem.getAclStatus(path).getEntries().iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            AclEntry aclEntry = (AclEntry) it.next();
            if (aclEntry.getScope().equals(AclEntryScope.ACCESS) && aclEntry.getType().equals(AclEntryType.USER) && aclEntry.getName().equals(str) && aclEntry.getPermission().equals(FsAction.READ_EXECUTE)) {
                z = true;
                break;
            }
        }
        assertTrue("Did not manage to update acl for path " + path.toString(), z);
    }

    private void setReadOnlyUserDefaultAcl(String str, Path path) throws IOException {
        DistributedFileSystem fileSystem = this.cluster.getFileSystem();
        fileSystem.modifyAclEntries(path, createUserEntry(str, true, FsAction.READ_EXECUTE));
        boolean z = false;
        Iterator it = fileSystem.getAclStatus(path).getEntries().iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            AclEntry aclEntry = (AclEntry) it.next();
            if (aclEntry.getScope().equals(AclEntryScope.DEFAULT) && aclEntry.getType().equals(AclEntryType.USER) && aclEntry.getName().equals(str) && aclEntry.getPermission().equals(FsAction.READ_EXECUTE)) {
                z = true;
                break;
            }
        }
        assertTrue("Did not manage to update acl for path " + path.toString(), z);
    }

    private void setDenyUserAccessAcl(String str, Path path) throws IOException {
        DistributedFileSystem fileSystem = this.cluster.getFileSystem();
        fileSystem.modifyAclEntries(path, createUserEntry(str, false, FsAction.NONE));
        boolean z = false;
        Iterator it = fileSystem.getAclStatus(path).getEntries().iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            AclEntry aclEntry = (AclEntry) it.next();
            if (aclEntry.getScope().equals(AclEntryScope.ACCESS) && aclEntry.getType().equals(AclEntryType.USER) && aclEntry.getName().equals(str) && aclEntry.getPermission().equals(FsAction.NONE)) {
                z = true;
                break;
            }
        }
        assertTrue("Did not manage to update acl for path " + path.toString(), z);
    }

    private void setDenyUserDefaultAcl(String str, Path path) throws IOException {
        DistributedFileSystem fileSystem = this.cluster.getFileSystem();
        fileSystem.modifyAclEntries(path, createUserEntry(str, true, FsAction.NONE));
        boolean z = false;
        Iterator it = fileSystem.getAclStatus(path).getEntries().iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            AclEntry aclEntry = (AclEntry) it.next();
            if (aclEntry.getScope().equals(AclEntryScope.DEFAULT) && aclEntry.getType().equals(AclEntryType.USER) && aclEntry.getName().equals(str) && aclEntry.getPermission().equals(FsAction.NONE)) {
                z = true;
                break;
            }
        }
        assertTrue("Did not manage to update acl for path " + path.toString(), z);
    }
}
