package io.hops.security;

import io.hops.common.security.HopsworksFsSecurityActions;
import java.io.DataInputStream;
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyPair;
import java.security.PrivilegedExceptionAction;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Random;
import java.util.concurrent.TimeUnit;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.commons.math3.util.Pair;
import org.apache.commons.net.util.Base64;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FSDataOutputStream;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.permission.FsPermission;
import org.apache.hadoop.hdfs.DistributedFileSystem;
import org.apache.hadoop.hdfs.MiniDFSCluster;
import org.apache.hadoop.hdfs.web.WebHdfsFileSystem;
import org.apache.hadoop.hdfs.web.WebHdfsTestUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.ssl.HopsSSLTestUtils;
import org.apache.hadoop.security.ssl.KeyStoreTestUtil;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.ExpectedException;

/* loaded from: input_file:io/hops/security/TestWebHDFSHopsTLS.class */
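/**
 * Exercises {@code swebhdfs} against a single-DataNode {@link MiniDFSCluster} that is configured for
 * mutual TLS ({@code dfs.http.policy=HTTPS_ONLY}, {@code hadoop.ssl.require.client.cert=true}).
 * <ul>
 *   <li>{@link #testOps}: a client certificate that has been registered with the security-actions
 *       actor can create, read and append a file.</li>
 *   <li>{@link #testWithMissingClientMaterial}: the same certificate without registration is
 *       rejected with an {@link IOException}.</li>
 *   <li>{@link #testWrongCN}: a CA-signed certificate whose CN does not name the calling user is
 *       rejected with {@link HopsX509AuthenticationException}.</li>
 * </ul>
 * Every store and SSL configuration file written by a test is added to the inherited
 * {@code filesToPurge} list.
 */
public class TestWebHDFSHopsTLS extends HopsSSLTestUtils {
    private static final Log LOG = LogFactory.getLog(TestWebHDFSHopsTLS.class);
    /** File name (relative to {@link #classpathDir}) of the client SSL configuration written per test. */
    private static final String CLIENT_SSL_CONF_NAME = TestWebHDFSHopsTLS.class.getSimpleName() + ".ssl-client.xml";
    /** Directory holding the test classes; keystores, truststores and ssl-client.xml are written here. */
    private static String classpathDir;
    /** Source of the file payloads pushed through WebHDFS; test data only, never key material. */
    private static Random rand;
    private Configuration conf;
    private MiniDFSCluster cluster;
    /** User every WebHDFS call in these tests runs as (via {@code ugi.doAs}). */
    private UserGroupInformation ugi;
    /** CA key pair and certificate; signs the client certificates (see {@link #createClientCertificate}). */
    private Pair<KeyPair, X509Certificate> caMaterial;

    @Rule
    public ExpectedException expectedException = ExpectedException.none();

    public TestWebHDFSHopsTLS() {
        // NO_ERROR: the inherited fixture is presumably not asked to produce faulty material;
        // the negative cases below build their own (unregistered / wrong-CN) client stores.
        this.error_mode = HopsSSLTestUtils.CERT_ERR.NO_ERROR;
    }

    @BeforeClass
    public static void beforeClass() throws Exception {
        classpathDir = KeyStoreTestUtil.getClasspathDir(TestWebHDFSHopsTLS.class);
        rand = new Random();
    }

    /**
     * Builds an HTTPS-only, client-certificate-requiring configuration, generates the CA and server
     * material through the inherited helpers, and starts a one-DataNode cluster.
     */
    @Before
    public void before() throws Exception {
        this.conf = WebHdfsTestUtil.createConf();
        // HTTPS only, and the client side is told to authenticate with a certificate.
        this.conf.set("dfs.http.policy", "HTTPS_ONLY");
        this.conf.setBoolean("dfs.client.https.need-auth", true);
        this.ugi = UserGroupInformation.createRemoteUser("project__user");
        this.caMaterial = generateCAMaterial("CN=CARoot");
        // The inherited helper returns the files it created; they go on the purge list like the
        // per-test stores do.
        this.filesToPurge = prepareCryptoMaterial(classpathDir, this.caMaterial);
        setCryptoConfig(this.conf, classpathDir);
        // Point the HTTPS server at the ssl-server resource configured by setCryptoConfig
        // (falls back to the Hadoop default name when that key is unset).
        this.conf.set("dfs.https.server.keystore.resource", this.conf.get("hadoop.ssl.server.conf", "ssl-server.xml"));
        // Mutual TLS: a connection without a client certificate is refused by the server.
        this.conf.setBoolean("hadoop.ssl.require.client.cert", true);
        // Test double for the security-actions actor; testOps registers credentials on it.
        this.conf.set("dfs.security-actions.actor-class", "io.hops.security.TestingFsSecurityActions");
        this.conf.set(MiniDFSCluster.HDFS_MINIDFS_BASEDIR, new File(System.getProperty(MiniDFSCluster.PROP_TEST_BUILD_DATA, "build/test/data"), "dfs_cluster").getAbsolutePath());
        this.cluster = new MiniDFSCluster.Builder(this.conf).numDataNodes(1).build();
        this.cluster.waitActive();
    }

    @After
    public void after() throws Exception {
        if (this.cluster != null) {
            this.cluster.shutdown();
        }
        // Reset the actor singleton so the credentials testOps registers do not (presumably)
        // survive into the next test.
        HopsSecurityActionsFactory.getInstance().clear();
    }

    /**
     * Happy path: the user's stores are registered with the security-actions actor, after which
     * create, read (content compared against what was written) and append succeed over swebhdfs.
     */
    @Test
    public void testOps() throws Exception {
        prepareFS();
        Pair<Path, Path> stores = createClientStores("CN=" + this.ugi.getUserName(), this.ugi.getUserName());
        Path kstore = stores.getFirst();
        Path tstore = stores.getSecond();

        // Register the stores (base64) with the actor configured in before(); this is the step
        // testWithMissingClientMaterial leaves out.
        Pair<String, String> encodedStores = readStoresBase64(kstore, tstore);
        TestingFsSecurityActions actions = (TestingFsSecurityActions) HopsSecurityActionsFactory.getInstance()
                .getActor(this.conf, this.conf.get("dfs.security-actions.actor-class"));
        HopsworksFsSecurityActions.X509CredentialsDTO credentials = new HopsworksFsSecurityActions.X509CredentialsDTO();
        credentials.setFileExtension("jks");
        credentials.setkStore(encodedStores.getFirst());
        credentials.settStore(encodedStores.getSecond());
        credentials.setPassword(this.passwd);
        actions.setX509Credentials(this.ugi.getUserName(), credentials);

        final Configuration clientConf = new Configuration(this.conf);
        createClientSSLConf(kstore, tstore, clientConf);
        final org.apache.hadoop.fs.Path target = new org.apache.hadoop.fs.Path("/testfile");
        final byte[] payload = new byte[65536];
        rand.nextBytes(payload);

        // create + write
        writeAsUser(clientConf, target, payload, false);

        // existence check and permission change as the same user
        this.ugi.doAs(new PrivilegedExceptionAction<Void>() {
            @Override
            public Void run() throws Exception {
                WebHdfsFileSystem fs = WebHdfsTestUtil.getWebHdfsFileSystem(clientConf, "swebhdfs");
                // Short grace period before the lookup, kept from the original test.
                TimeUnit.SECONDS.sleep(1L);
                Assert.assertTrue(fs.exists(target));
                fs.setPermission(target, FsPermission.valueOf("-rwxrwxrwx"));
                return null;
            }
        });

        // read back and verify the content; the stream is closed even if readFully fails
        this.ugi.doAs(new PrivilegedExceptionAction<Void>() {
            @Override
            public Void run() throws Exception {
                WebHdfsFileSystem fs = WebHdfsTestUtil.getWebHdfsFileSystem(clientConf, "swebhdfs");
                byte[] readBack = new byte[payload.length];
                try (DataInputStream in = fs.open(target)) {
                    in.readFully(readBack);
                }
                Assert.assertArrayEquals(payload, readBack);
                return null;
            }
        });

        // append
        writeAsUser(clientConf, target, payload, true);
        TimeUnit.MILLISECONDS.sleep(500L);
    }

    /**
     * The user's stores exist and are valid, but were never registered with the security-actions
     * actor; the write must fail with the asserted {@link IOException} message.
     */
    @Test
    public void testWithMissingClientMaterial() throws Exception {
        prepareFS();
        Pair<Path, Path> stores = createClientStores("CN=" + this.ugi.getUserName(), this.ugi.getUserName());
        final Configuration clientConf = new Configuration(this.conf);
        createClientSSLConf(stores.getFirst(), stores.getSecond(), clientConf);
        final byte[] payload = new byte[64];
        rand.nextBytes(payload);
        // Expectations must be set before the call that throws.
        this.expectedException.expect(IOException.class);
        this.expectedException.expectMessage("Could not find X.509 credentials for " + this.ugi.getUserName());
        writeAsUser(clientConf, new org.apache.hadoop.fs.Path("/testfile"), payload, false);
    }

    /**
     * The client certificate is signed by the trusted CA, but its CN does not match the user the
     * call runs as; a valid chain alone must not be enough, the server has to reject it with
     * {@link HopsX509AuthenticationException}.
     */
    @Test
    public void testWrongCN() throws Exception {
        prepareFS();
        Pair<Path, Path> stores = createClientStores("CN=WRONG" + this.ugi.getUserName(), "WRONG" + this.ugi.getUserName());
        final Configuration clientConf = new Configuration(this.conf);
        createClientSSLConf(stores.getFirst(), stores.getSecond(), clientConf);
        final byte[] payload = new byte[64];
        rand.nextBytes(payload);
        this.expectedException.expect(HopsX509AuthenticationException.class);
        writeAsUser(clientConf, new org.apache.hadoop.fs.Path("/testfile"), payload, false);
    }

    /**
     * Writes {@code payload} to {@code target} over swebhdfs as {@link #ugi}.
     *
     * @param clientConf       configuration carrying the client SSL settings
     * @param target           file to create or append to
     * @param payload          bytes to write
     * @param appendToExisting {@code true} to append, {@code false} to create
     * @throws Exception whatever the WebHDFS call raises; surfaced through {@code ugi.doAs}
     */
    private void writeAsUser(final Configuration clientConf, final org.apache.hadoop.fs.Path target,
            final byte[] payload, final boolean appendToExisting) throws Exception {
        this.ugi.doAs(new PrivilegedExceptionAction<Void>() {
            @Override
            public Void run() throws Exception {
                WebHdfsFileSystem fs = WebHdfsTestUtil.getWebHdfsFileSystem(clientConf, "swebhdfs");
                // try-with-resources: the stream is closed even when write/hflush throws,
                // which is exactly the path the two negative tests take.
                try (FSDataOutputStream out = appendToExisting ? fs.append(target) : fs.create(target)) {
                    out.write(payload, 0, payload.length);
                    out.hflush();
                }
                return null;
            }
        });
    }

    /**
     * Makes the root world-writable and registers the test user (with a same-named group) in the
     * cluster so the WebHDFS calls are not blocked by HDFS permissions or an unknown user.
     */
    private void prepareFS() throws IOException {
        // FileSystem.get returns the base type; the Hops-specific addUser/addGroup calls need the DFS type.
        DistributedFileSystem dfs = (DistributedFileSystem) FileSystem.get(this.conf);
        dfs.setPermission(new org.apache.hadoop.fs.Path("/"), FsPermission.valueOf("-rwxrwxrwx"));
        dfs.addUser(this.ugi.getUserName());
        dfs.addGroup(this.ugi.getUserName());
        dfs.addUserToGroup(this.ugi.getUserName(), this.ugi.getUserName());
    }

    /**
     * Issues a client certificate for {@code subject} signed by {@link #caMaterial}, writes it to a
     * JKS keystore and writes a truststore holding the CA certificate. Both files are registered
     * for purging.
     *
     * @param subject     X.500 subject of the client certificate, e.g. {@code "CN=<user>"}
     * @param storePrefix file name prefix of the two stores under {@link #classpathDir}
     * @return keystore path (first) and truststore path (second)
     */
    private Pair<Path, Path> createClientStores(String subject, String storePrefix) throws Exception {
        Pair<KeyPair, X509Certificate> clientMaterial = createClientCertificate(subject);
        Path kstore = Paths.get(classpathDir, storePrefix + "_kstore.jks");
        Path tstore = Paths.get(classpathDir, storePrefix + "_tstore.jks");
        this.filesToPurge.add(kstore);
        this.filesToPurge.add(tstore);
        // The keystore alias is always the user name, even when the subject deliberately
        // differs from it (testWrongCN).
        KeyStoreTestUtil.createKeyStore(kstore.toString(), this.passwd, this.passwd, this.ugi.getUserName(),
                clientMaterial.getFirst().getPrivate(), clientMaterial.getSecond());
        KeyStoreTestUtil.createTrustStore(tstore.toString(), this.passwd, "CARoot", this.caMaterial.getSecond());
        return new Pair<>(kstore, tstore);
    }

    /**
     * Generates an RSA key pair and a certificate for {@code subject} signed with the CA private key
     * from {@link #caMaterial}.
     *
     * @return the client key pair (first) and its CA-signed certificate (second)
     */
    private Pair<KeyPair, X509Certificate> createClientCertificate(String subject) throws Exception {
        KeyPair clientKeys = KeyStoreTestUtil.generateKeyPair("RSA");
        // 42: fourth argument of generateSignedCertificate — presumably the validity period; confirm in KeyStoreTestUtil.
        X509Certificate clientCert = KeyStoreTestUtil.generateSignedCertificate(subject, clientKeys, 42, "SHA256withRSA",
                this.caMaterial.getFirst().getPrivate(), this.caMaterial.getSecond());
        return new Pair<>(clientKeys, clientCert);
    }

    /**
     * Reads both store files and base64-encodes them, in the form the credentials DTO expects.
     *
     * @return encoded keystore (first) and encoded truststore (second)
     */
    private Pair<String, String> readStoresBase64(Path kstore, Path tstore) throws IOException {
        String encodedKeystore = Base64.encodeBase64String(Files.readAllBytes(kstore));
        String encodedTruststore = Base64.encodeBase64String(Files.readAllBytes(tstore));
        return new Pair<>(encodedKeystore, encodedTruststore);
    }

    /**
     * Writes an ssl-client.xml for the given stores into {@link #classpathDir} and points
     * {@code clientConf} at it.
     *
     * @param kstore     client keystore
     * @param tstore     client truststore
     * @param clientConf configuration that will be handed to the WebHDFS client; modified in place
     */
    private void createClientSSLConf(Path kstore, Path tstore, Configuration clientConf) throws IOException {
        Configuration sslClientConf = KeyStoreTestUtil.createClientSSLConfig(kstore.toString(), this.passwd, this.passwd, tstore.toString(), this.passwd, "");
        // TLSv1.1 is deprecated (RFC 8996); it is kept in the list only to preserve the original
        // test setup — TODO confirm the server-side protocol list and drop it.
        sslClientConf.set("hadoop.ssl.enabled.protocols", "TLSv1.2,TLSv1.1");
        Path sslClientConfFile = Paths.get(classpathDir, CLIENT_SSL_CONF_NAME);
        this.filesToPurge.add(sslClientConfFile);
        KeyStoreTestUtil.saveConfig(new File(sslClientConfFile.toUri()), sslClientConf);
        clientConf.set("hadoop.ssl.client.conf", CLIENT_SSL_CONF_NAME);
        // Hostname verification is disabled for the test — presumably the server certificate from the
        // inherited fixture is not issued for the MiniDFSCluster host name. Test-only setting; it
        // removes the check that the peer is the host the client meant to talk to.
        clientConf.set("hadoop.ssl.hostname.verifier", "ALLOW_ALL");
    }
}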
