package org.apache.hadoop.crypto.key.kms.server;

import java.util.Collection;
import java.util.HashMap;
import java.util.HashSet;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.crypto.key.kms.server.KMSACLs;
import org.apache.hadoop.crypto.key.kms.server.KeyAuthorizationKeyProvider;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authorize.AccessControlList;
import org.junit.Assert;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.Timeout;

/* loaded from: input_file:org/apache/hadoop/crypto/key/kms/server/TestKMSACLs.class */
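/**
 * Unit tests for {@link KMSACLs}: the operation-level ACLs checked through
 * {@code hasAccess}, and the per-key, default and whitelist key ACLs that are
 * parsed from {@code key.acl.*}, {@code default.key.acl.*} and
 * {@code whitelist.key.acl.*} configuration entries.
 */
public class TestKMSACLs {

    /** Upper bound, in milliseconds, applied to every test in this class. */
    @Rule
    public final Timeout globalTimeout = new Timeout(180000);

    /**
     * With an empty configuration every operation type grants access to an
     * arbitrary remote user.
     *
     * NOTE(review): this pins an allow-by-default posture for the operation
     * ACLs; a deployment that leaves them unset is therefore open to any
     * authenticated caller. Keep this test in sync if that default ever changes.
     */
    @Test
    public void testDefaults() {
        KMSACLs acls = new KMSACLs(new Configuration(false));
        UserGroupInformation anyUser = UserGroupInformation.createRemoteUser("foo");
        for (KMSACLs.Type type : KMSACLs.Type.values()) {
            Assert.assertTrue("unconfigured ACL should allow op " + type, acls.hasAccess(type, anyUser));
        }
    }

    /**
     * Configures each operation ACL with a single user named after the
     * operation and checks that only that user is granted access.
     */
    @Test
    public void testCustom() {
        Configuration conf = new Configuration(false);
        for (KMSACLs.Type type : KMSACLs.Type.values()) {
            // presumably the trailing space ends the user list of the
            // "users groups" ACL syntax, leaving the group list empty
            conf.set(type.getAclConfigKey(), type.toString() + " ");
        }
        KMSACLs acls = new KMSACLs(conf);
        for (KMSACLs.Type type : KMSACLs.Type.values()) {
            Assert.assertTrue("listed user should be allowed for op " + type,
                    acls.hasAccess(type, UserGroupInformation.createRemoteUser(type.toString())));
            Assert.assertFalse("unlisted user should be denied for op " + type,
                    acls.hasAccess(type, UserGroupInformation.createRemoteUser("foo")));
        }
    }

    /**
     * Checks which key ACL entries survive loading: an unknown operation name
     * must not produce a per-key entry, and the {@code ALL} operation must be
     * rejected for both the default and the whitelist ACLs.
     */
    @Test
    public void testKeyAclConfigurationLoad() {
        Configuration conf = new Configuration(false);
        conf.set("key.acl.test_key_1.MANAGEMENT", "CREATE");
        conf.set("key.acl.test_key_2.ALL", "CREATE");
        conf.set("key.acl.test_key_3.NONEXISTOPERATION", "CREATE");
        conf.set("default.key.acl.MANAGEMENT", "ROLLOVER");
        conf.set("whitelist.key.acl.MANAGEMENT", "DECRYPT_EEK");
        conf.set("default.key.acl.ALL", "invalid");
        conf.set("whitelist.key.acl.ALL", "invalid");
        KMSACLs acls = new KMSACLs(conf);

        Assert.assertEquals("unexpected key ACL size", 2, acls.keyAcls.size());
        // The entry with the unknown operation is the one that must be dropped.
        Assert.assertFalse("An unknown operation must not create a key ACL entry.",
                acls.keyAcls.containsKey("test_key_3"));

        Assert.assertEquals("unexpected whitelist ACL size", 1, acls.whitelistKeyAcls.size());
        Assert.assertFalse("ALL should not be allowed for whitelist ACLs.",
                acls.whitelistKeyAcls.containsKey(KeyAuthorizationKeyProvider.KeyOpType.ALL));

        Assert.assertEquals("unexpected default ACL size", 1, acls.defaultKeyAcls.size());
        // A size check alone cannot tell MANAGEMENT from ALL as the surviving
        // entry, so assert the absence of ALL explicitly, as for the whitelist.
        Assert.assertFalse("ALL should not be allowed for default ACLs.",
                acls.defaultKeyAcls.containsKey(KeyAuthorizationKeyProvider.KeyOpType.ALL));
    }

    /**
     * Sets the same configuration keys twice and checks that the value set
     * last is the one reflected in the loaded ACLs, including a wildcard that
     * is replaced by an empty ACL and a user list that is replaced by a wildcard.
     */
    @Test
    public void testKeyAclDuplicateEntries() {
        Configuration conf = new Configuration(false);
        conf.set("key.acl.test_key_1.DECRYPT_EEK", "decrypt1");
        conf.set("key.acl.test_key_2.ALL", "all2");
        conf.set("key.acl.test_key_1.DECRYPT_EEK", "decrypt2");
        conf.set("key.acl.test_key_2.ALL", "all1,all3");
        conf.set("default.key.acl.MANAGEMENT", "default1");
        conf.set("default.key.acl.MANAGEMENT", "");
        conf.set("default.key.acl.DECRYPT_EEK", "*");
        conf.set("default.key.acl.DECRYPT_EEK", "");
        conf.set("whitelist.key.acl.DECRYPT_EEK", "whitelist1");
        conf.set("whitelist.key.acl.DECRYPT_EEK", "*");
        KMSACLs acls = new KMSACLs(conf);

        Assert.assertEquals("unexpected key ACL size", 2, acls.keyAcls.size());
        assertKeyAcl("test_key_1", acls, KeyAuthorizationKeyProvider.KeyOpType.DECRYPT_EEK, "decrypt2");
        assertKeyAcl("test_key_2", acls, KeyAuthorizationKeyProvider.KeyOpType.ALL, "all1", "all3");
        // An earlier "*" must not leak through once the key is reset to "".
        assertDefaultKeyAcl(acls, KeyAuthorizationKeyProvider.KeyOpType.MANAGEMENT, new String[0]);
        assertDefaultKeyAcl(acls, KeyAuthorizationKeyProvider.KeyOpType.DECRYPT_EEK, new String[0]);

        AccessControlList whitelistDecrypt =
                (AccessControlList) acls.whitelistKeyAcls.get(KeyAuthorizationKeyProvider.KeyOpType.DECRYPT_EEK);
        Assert.assertNotNull(whitelistDecrypt);
        Assert.assertTrue(whitelistDecrypt.isAllAllowed());
    }

    /**
     * Exercises {@code setKeyACLs}: a reload picks up changed values, a second
     * reload of the same configuration changes nothing, a wildcard replaces a
     * user list, and a reload from a configuration without per-key or
     * whitelist entries clears those maps.
     */
    @Test
    public void testKeyAclReload() {
        Configuration conf = new Configuration(false);
        conf.set("default.key.acl.READ", "read1");
        conf.set("default.key.acl.MANAGEMENT", "");
        conf.set("default.key.acl.GENERATE_EEK", "*");
        conf.set("default.key.acl.DECRYPT_EEK", "decrypt1");
        conf.set("key.acl.testuser1.ALL", "testkey1");
        conf.set("whitelist.key.acl.READ", "admin_read1");
        conf.set("whitelist.key.acl.MANAGEMENT", "");
        conf.set("whitelist.key.acl.GENERATE_EEK", "*");
        conf.set("whitelist.key.acl.DECRYPT_EEK", "admin_decrypt1");
        KMSACLs acls = new KMSACLs(conf);

        // Change every default/whitelist value and add a second per-key entry.
        conf.set("default.key.acl.READ", "read2");
        conf.set("default.key.acl.MANAGEMENT", "mgmt1,mgmt2");
        conf.set("default.key.acl.GENERATE_EEK", "");
        conf.set("default.key.acl.DECRYPT_EEK", "decrypt2");
        conf.set("key.acl.testkey1.ALL", "testkey1,testkey2");
        conf.set("whitelist.key.acl.READ", "admin_read2");
        conf.set("whitelist.key.acl.MANAGEMENT", "admin_mgmt,admin_mgmt1");
        conf.set("whitelist.key.acl.GENERATE_EEK", "");
        conf.set("whitelist.key.acl.DECRYPT_EEK", "admin_decrypt2");

        acls.setKeyACLs(conf);
        assertAclsAfterReload(acls);
        assertDefaultKeyAcl(acls, KeyAuthorizationKeyProvider.KeyOpType.DECRYPT_EEK, "decrypt2");
        // The per-key entry that exists only in the reloaded configuration
        // must be visible too, not just the one present at construction.
        assertKeyAcl("testkey1", acls, KeyAuthorizationKeyProvider.KeyOpType.ALL, "testkey1", "testkey2");

        // Reloading an unchanged configuration must leave the ACLs as they are.
        acls.setKeyACLs(conf);
        assertAclsAfterReload(acls);
        assertDefaultKeyAcl(acls, KeyAuthorizationKeyProvider.KeyOpType.DECRYPT_EEK, "decrypt2");

        // Switching one default ACL to the wildcard must not disturb the others.
        conf.set("default.key.acl.DECRYPT_EEK", "*");
        acls.setKeyACLs(conf);
        AccessControlList defaultDecrypt =
                (AccessControlList) acls.defaultKeyAcls.get(KeyAuthorizationKeyProvider.KeyOpType.DECRYPT_EEK);
        Assert.assertNotNull(defaultDecrypt);
        Assert.assertTrue(defaultDecrypt.isAllAllowed());
        Assert.assertTrue(defaultDecrypt.getUsers().isEmpty());
        assertAclsAfterReload(acls);

        // NOTE(review): unlike the rest of this class, this Configuration is
        // built with defaults loaded, so the emptiness checks below presumably
        // depend on no key ACL entries being present in the default resources
        // on the test classpath -- confirm, or switch to Configuration(false).
        Configuration freshConf = new Configuration();
        freshConf.set("default.key.acl.DECRYPT_EEK", "new");
        acls.setKeyACLs(freshConf);
        assertDefaultKeyAcl(acls, KeyAuthorizationKeyProvider.KeyOpType.DECRYPT_EEK, "new");
        // Entries from the previous configuration must not survive the reload.
        Assert.assertTrue(acls.keyAcls.isEmpty());
        Assert.assertTrue(acls.whitelistKeyAcls.isEmpty());
        Assert.assertEquals("Got unexpected sized acls:" + acls.defaultKeyAcls, 1L, acls.defaultKeyAcls.size());
    }

    /**
     * Asserts the ACL state that {@link #testKeyAclReload()} expects after each
     * reload of its modified configuration, leaving out the default
     * {@code DECRYPT_EEK} ACL, which differs between the reload steps.
     */
    private void assertAclsAfterReload(KMSACLs kMSACLs) {
        assertDefaultKeyAcl(kMSACLs, KeyAuthorizationKeyProvider.KeyOpType.READ, "read2");
        assertDefaultKeyAcl(kMSACLs, KeyAuthorizationKeyProvider.KeyOpType.MANAGEMENT, "mgmt1", "mgmt2");
        assertDefaultKeyAcl(kMSACLs, KeyAuthorizationKeyProvider.KeyOpType.GENERATE_EEK, new String[0]);
        assertKeyAcl("testuser1", kMSACLs, KeyAuthorizationKeyProvider.KeyOpType.ALL, "testkey1");
        assertWhitelistKeyAcl(kMSACLs, KeyAuthorizationKeyProvider.KeyOpType.READ, "admin_read2");
        assertWhitelistKeyAcl(kMSACLs, KeyAuthorizationKeyProvider.KeyOpType.MANAGEMENT, "admin_mgmt", "admin_mgmt1");
        assertWhitelistKeyAcl(kMSACLs, KeyAuthorizationKeyProvider.KeyOpType.GENERATE_EEK, new String[0]);
        assertWhitelistKeyAcl(kMSACLs, KeyAuthorizationKeyProvider.KeyOpType.DECRYPT_EEK, "admin_decrypt2");
    }

    /** Asserts that the default ACL for {@code keyOpType} lists exactly the users in {@code strArr}. */
    private void assertDefaultKeyAcl(KMSACLs kMSACLs, KeyAuthorizationKeyProvider.KeyOpType keyOpType, String... strArr) {
        assertAcl((AccessControlList) kMSACLs.defaultKeyAcls.get(keyOpType), keyOpType, strArr);
    }

    /** Asserts that the whitelist ACL for {@code keyOpType} lists exactly the users in {@code strArr}. */
    private void assertWhitelistKeyAcl(KMSACLs kMSACLs, KeyAuthorizationKeyProvider.KeyOpType keyOpType, String... strArr) {
        assertAcl((AccessControlList) kMSACLs.whitelistKeyAcls.get(keyOpType), keyOpType, strArr);
    }

    /**
     * Asserts that key {@code str} has an ACL for {@code keyOpType} that lists
     * exactly the users in {@code strArr}.
     */
    private void assertKeyAcl(String str, KMSACLs kMSACLs, KeyAuthorizationKeyProvider.KeyOpType keyOpType, String... strArr) {
        Assert.assertTrue("no key ACLs loaded for key " + str, kMSACLs.keyAcls.containsKey(str));
        HashMap<?, ?> aclsByOp = (HashMap<?, ?>) kMSACLs.keyAcls.get(str);
        Assert.assertNotNull(aclsByOp);
        Object acl = aclsByOp.get(keyOpType);
        Assert.assertNotNull("no ACL for op " + keyOpType + " on key " + str, acl);
        assertAcl((AccessControlList) acl, keyOpType, strArr);
    }

    /**
     * Asserts that {@code accessControlList} exists, is not a wildcard ACL and
     * has exactly the users in {@code strArr} (order and duplicates ignored).
     */
    private void assertAcl(AccessControlList accessControlList, KeyAuthorizationKeyProvider.KeyOpType keyOpType, String... strArr) {
        Assert.assertNotNull(accessControlList);
        // A wildcard ACL would make the user comparison below meaningless.
        Assert.assertFalse(accessControlList.isAllAllowed());
        Collection<?> actualUsers = accessControlList.getUsers();
        HashSet<String> expectedUsers = new HashSet<>();
        for (String user : strArr) {
            expectedUsers.add(user);
        }
        // This helper serves default, whitelist and per-key ACLs alike, so the
        // failure message must not name only one of them.
        Assert.assertEquals("ACL users don't match for op:" + keyOpType, expectedUsers, actualUsers);
    }
}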
