package org.apache.hadoop.yarn.server.resourcemanager.security;

import com.google.gson.JsonArray;
import com.google.gson.JsonParser;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.JWTParser;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URISyntaxException;
import java.net.URL;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.Security;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.time.LocalDateTime;
import java.time.ZoneId;
import java.time.format.DateTimeFormatter;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.Date;
import java.util.HashSet;
import java.util.Random;
import java.util.Set;
import java.util.UUID;
import java.util.concurrent.TimeUnit;
import java.util.regex.Matcher;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.commons.math3.util.Pair;
import org.apache.hadoop.conf.Configurable;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.ssl.FileBasedKeyStoresFactory;
import org.apache.hadoop.security.ssl.KeyStoreTestUtil;
import org.apache.hadoop.security.ssl.SSLFactory;
import org.apache.hadoop.yarn.api.records.ApplicationId;
import org.apache.hadoop.yarn.conf.YarnConfiguration;
import org.apache.hadoop.yarn.server.resourcemanager.security.HopsworksRMAppSecurityActions;
import org.apache.hadoop.yarn.server.resourcemanager.security.JWTSecurityHandler;
import org.apache.http.Header;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.RequestBuilder;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.ssl.TrustStrategy;
import org.apache.http.util.EntityUtils;
import org.bouncycastle.asn1.x500.X500NameBuilder;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Ignore;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.ExpectedException;

@Ignore
/* loaded from: input_file:org/apache/hadoop/yarn/server/resourcemanager/security/TestHopsworksRMAppSecurityActions.class */
public class TestHopsworksRMAppSecurityActions {
    private static final Log LOG = LogFactory.getLog(TestHopsworksRMAppSecurityActions.class);
    // Base URL of the Hopsworks instance that loginAndGetJWT() authenticates against and that
    // beforeTest() stores under YarnConfiguration.HOPS_HOPSWORKS_HOST_KEY.
    private static final String HOPSWORKS_ENDPOINT = "https://bbc5.sics.se:64845";
    // Account and password posted as the "email" and "password" parameters of the login request.
    // NOTE(review): credentials are committed in source. Prefer reading them from the environment
    // or an untracked properties file, and rotate the password if this account exists on any
    // shared instance.
    private static final String HOPSWORKS_USER = "agent@hops.io";
    private static final String HOPSWORKS_PASSWORD = "admin";
    // Path resolved against HOPSWORKS_ENDPOINT to build the login URL.
    private static final String HOPSWORKS_LOGIN_PATH = "/hopsworks-api/api/auth/service";
    // Organization (O) and organizational-unit (OU) values that generateCSR() puts in the CSR
    // subject; testRevoke() also uses them in the identifier it passes to revoke().
    private static final String O = "application_id";
    private static final String OU = "1";
    // Keystore location and password written into the generated ssl-server.xml by beforeTest().
    // The location looks like a placeholder to be edited before a manual run -- TODO confirm.
    private static final String KEYSTORE_LOCATION = "/path/to/keystore";
    private static final String KEYSTORE_PASS = "12345";
    // Subject handed to JWTMaterialParameter by createJWTParameter(); testGenerateJWT() expects the
    // part after "__" to come back as the subject claim of the issued token.
    private static final String JWT_SUBJECT = "ProjectA1__Flock";
    // Directory returned by KeyStoreTestUtil.getClasspathDir(); the per-test ssl-server.xml is
    // created inside it.
    private static String classPath;
    // Issuer built in beforeClass() from 32 random bytes; used to mint the tokens for the tests
    // that stub out the Hopsworks renewal call.
    private static MockJWTIssuer jwtIssuer;
    // File that beforeTest() writes and afterTest() deletes. It holds the master token, the renew
    // tokens and the keystore password.
    private Path sslServerPath;
    // Configuration handed to RMAppSecurityActionsFactory and to the stubbed actors.
    private Configuration conf;
    // Content of the ssl-server.xml file before it is saved to sslServerPath.
    private Configuration sslServer;

    // JUnit rule used by the test that expects an IOException.
    @Rule
    public final ExpectedException rule = ExpectedException.none();

    /* loaded from: input_file:org/apache/hadoop/yarn/server/resourcemanager/security/TestHopsworksRMAppSecurityActions$FailingTestHopsworksActions.class */
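    /**
     * Stub actor whose first three renewal attempts fail with an {@link IOException} and whose
     * fourth attempt succeeds. It lets testServiceJWTRenewalRetry() check that renewal is retried.
     *
     * <p>NOTE(review): the test reads {@code succeedRenewing} and {@code usedOneTimeTokens} after
     * polling with sleeps, which suggests renewal runs on another thread. If so, these fields have
     * no visibility guarantee -- confirm against HopsworksRMAppSecurityActions.
     */
    private class FailingTestHopsworksActions extends TestingHopsworksActions {
        /** Number of renewServiceJWT() calls made so far, failed or successful. */
        private int failures;
        /** Set to true once a renewal call has returned instead of throwing. */
        private boolean succeedRenewing;
        /** Every one-time token that was passed to renewServiceJWT(). */
        private final Set<String> usedOneTimeTokens = new HashSet<>();

        public FailingTestHopsworksActions(String str, Date date, String[] strArr) throws MalformedURLException, GeneralSecurityException {
            super(str, date, strArr);
        }

        /**
         * Records the one-time token, throws for the first three calls, and afterwards returns
         * the canned master token and renew tokens given to the constructor.
         *
         * @param token not used by this stub
         * @param oneTimeToken token recorded in {@code usedOneTimeTokens}
         * @param unusedDateTime not used by this stub
         * @param notBefore converted with the system default zone and set as the JWT's nbf
         * @throws IOException on each of the first three calls
         */
        @Override
        protected HopsworksRMAppSecurityActions.ServiceTokenDTO renewServiceJWT(String token, String oneTimeToken, LocalDateTime unusedDateTime, LocalDateTime notBefore) throws URISyntaxException, IOException, GeneralSecurityException {
            this.usedOneTimeTokens.add(oneTimeToken);
            // Post-increment: the counter moves on even for the call that finally succeeds.
            if (this.failures++ < 3) {
                throw new IOException("OOoops");
            }
            this.succeedRenewing = true;

            // NOTE(review): the explicit outer-instance argument is how the decompiler rendered
            // these constructor calls; confirm the real constructor signatures before compiling.
            HopsworksRMAppSecurityActions.JWTDTO jwt = new HopsworksRMAppSecurityActions.JWTDTO(this);
            jwt.setToken(this.newMasterToken);
            jwt.setExpiresAt(this.expiresAt);
            jwt.setNbf(Date.from(notBefore.atZone(ZoneId.systemDefault()).toInstant()));

            HopsworksRMAppSecurityActions.ServiceTokenDTO renewed = new HopsworksRMAppSecurityActions.ServiceTokenDTO(this);
            renewed.setJwt(jwt);
            renewed.setRenewTokens(this.newRenewalTokens);
            return renewed;
        }
    }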

    /* loaded from: input_file:org/apache/hadoop/yarn/server/resourcemanager/security/TestHopsworksRMAppSecurityActions$TestingHopsworksActions.class */
    /**
     * Stub actor that replaces the remote renewal and invalidation calls with canned results, so
     * the surrounding renewal logic can be tested with tokens minted locally.
     */
    private class TestingHopsworksActions extends HopsworksRMAppSecurityActions {
        /** Master token returned by every renewal. */
        final String newMasterToken;
        /** Expiration reported for the renewed master token. */
        final Date expiresAt;
        /** Renew tokens returned alongside the master token. */
        final String[] newRenewalTokens;
        /** Flips to true on the first isTime2Renew() call, so renewal is requested once. */
        private boolean renewed = false;

        public TestingHopsworksActions(String str, Date date, String[] strArr) throws MalformedURLException, GeneralSecurityException {
            this.newMasterToken = str;
            this.expiresAt = date;
            this.newRenewalTokens = strArr;
        }

        /**
         * Builds the response from the constructor-supplied values instead of calling Hopsworks.
         *
         * @param token not used by this stub
         * @param oneTimeToken not used by this stub
         * @param unusedDateTime not used by this stub
         * @param notBefore converted with the system default zone and set as the JWT's nbf
         */
        protected HopsworksRMAppSecurityActions.ServiceTokenDTO renewServiceJWT(String token, String oneTimeToken, LocalDateTime unusedDateTime, LocalDateTime notBefore) throws URISyntaxException, IOException, GeneralSecurityException {
            Date nbf = Date.from(notBefore.atZone(ZoneId.systemDefault()).toInstant());

            // NOTE(review): the explicit outer-instance argument is how the decompiler rendered
            // these constructor calls; confirm the real constructor signatures before compiling.
            HopsworksRMAppSecurityActions.JWTDTO jwt = new HopsworksRMAppSecurityActions.JWTDTO(this);
            jwt.setToken(this.newMasterToken);
            jwt.setExpiresAt(this.expiresAt);
            jwt.setNbf(nbf);

            HopsworksRMAppSecurityActions.ServiceTokenDTO response = new HopsworksRMAppSecurityActions.ServiceTokenDTO(this);
            response.setJwt(jwt);
            response.setRenewTokens(this.newRenewalTokens);
            return response;
        }

        /** Deliberately a no-op: nothing is invalidated remotely in these tests. */
        protected void invalidateServiceJWT(String str) throws URISyntaxException, IOException, GeneralSecurityException {
        }

        /**
         * Answers {@code true} on the first call only, whatever the two timestamps are.
         */
        protected boolean isTime2Renew(LocalDateTime localDateTime, LocalDateTime localDateTime2) {
            boolean firstCall = !this.renewed;
            this.renewed = true;
            return firstCall;
        }
    }

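    /**
     * One-time setup: registers the BouncyCastle provider (generateCSR() asks for "BC" by name),
     * resolves the classpath directory for generated files and creates the mock JWT issuer.
     */
    @BeforeClass
    public static void beforeClass() throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        classPath = KeyStoreTestUtil.getClasspathDir(TestHopsworksRMAppSecurityActions.class);
        // These bytes are handed to MockJWTIssuer, presumably as its signing secret, so they come
        // from a CSPRNG rather than java.util.Random, whose output is predictable from its seed.
        byte[] issuerKey = new byte[32];
        new java.security.SecureRandom().nextBytes(issuerKey);
        jwtIssuer = new MockJWTIssuer(issuerKey);
    }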

    /**
     * Per-test setup: logs in to Hopsworks, writes the returned tokens and the keystore settings
     * to an ssl-server.xml in the classpath directory, and builds the configuration for the actor.
     */
    @Before
    public void beforeTest() throws Exception {
        RMAppSecurityActionsFactory.getInstance().clear();
        this.conf = new Configuration();
        final String sslServerFileName = TestHopsworksRMAppSecurityActions.class.getSimpleName() + ".ssl-server.xml";
        this.sslServerPath = Paths.get(classPath, sslServerFileName);

        // First element is the master token, second the array of renew tokens.
        final Pair<String, String[]> tokens = loginAndGetJWT();
        final String masterToken = tokens.getFirst();
        final String[] renewTokens = tokens.getSecond();

        this.sslServer = new Configuration(false);
        this.sslServer.set(YarnConfiguration.RM_JWT_MASTER_TOKEN, masterToken);
        int slot = 0;
        for (String renewToken : renewTokens) {
            this.sslServer.set(String.format(YarnConfiguration.RM_JWT_RENEW_TOKEN_PATTERN, slot), renewToken);
            slot++;
        }

        final String keystoreLocationKey = FileBasedKeyStoresFactory.resolvePropertyName(SSLFactory.Mode.SERVER, "ssl.{0}.keystore.location");
        final String keystorePasswordKey = FileBasedKeyStoresFactory.resolvePropertyName(SSLFactory.Mode.SERVER, "ssl.{0}.keystore.password");
        this.sslServer.set(keystoreLocationKey, KEYSTORE_LOCATION);
        this.sslServer.set(keystorePasswordKey, KEYSTORE_PASS);
        // The saved file now holds live tokens and the keystore password; afterTest() removes it.
        KeyStoreTestUtil.saveConfig(this.sslServerPath.toFile(), this.sslServer);

        this.conf.set("hadoop.ssl.server.conf", sslServerFileName);
        this.conf.set(YarnConfiguration.HOPS_HOPSWORKS_HOST_KEY, HOPSWORKS_ENDPOINT);
        this.conf.set(YarnConfiguration.HOPS_RM_SECURITY_ACTOR_KEY, "org.apache.hadoop.yarn.server.resourcemanager.security.DevHopsworksRMAppSecurityActions");
        this.conf.setBoolean("ipc.server.ssl.enabled", true);
        this.conf.setBoolean(YarnConfiguration.RM_JWT_ENABLED, true);
    }

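    /**
     * Per-test teardown: destroys the actor and removes the generated ssl-server.xml.
     *
     * <p>The file holds the master token, the renew tokens and the keystore password, so it is
     * deleted in a {@code finally} block and a failed delete is logged instead of ignored.
     */
    @After
    public void afterTest() throws Exception {
        try {
            RMAppSecurityActionsFactory.getInstance().getActor(this.conf).destroy();
        } finally {
            if (this.sslServerPath != null) {
                java.io.File sslServerFile = this.sslServerPath.toFile();
                if (!sslServerFile.delete() && sslServerFile.exists()) {
                    LOG.warn("Could not delete " + sslServerFile + "; it still contains test tokens and the keystore password");
                }
            }
        }
    }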

    /** Signing a freshly generated CSR must return a non-null result. */
    @Test
    public void testSign() throws Exception {
        String commonName = UUID.randomUUID().toString();
        PKCS10CertificationRequest csr = generateCSR(commonName);
        Object signed = RMAppSecurityActionsFactory.getInstance().getActor(this.conf).sign(csr);
        Assert.assertNotNull(signed);
    }

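    /**
     * Signs a CSR and then revokes the resulting certificate, expecting the value 200 back from
     * revoke().
     *
     * <p>NOTE(review): the decompiled body used an undeclared name ({@code r0}) for both the actor
     * and the first part of the identifier, so it did not compile. The actor and the common name
     * are restored as locals here. Using the CSR's common name as the identifier prefix is
     * inferred from the CN/O/OU subject built by generateCSR() -- confirm against the original
     * source.
     */
    @Test
    public void testRevoke() throws Exception {
        String commonName = UUID.randomUUID().toString();
        PKCS10CertificationRequest csr = generateCSR(commonName);
        RMAppSecurityActions actor = RMAppSecurityActionsFactory.getInstance().getActor(this.conf);
        actor.sign(csr);
        Assert.assertEquals(200L, actor.revoke(commonName + "__" + O + "__" + OU));
    }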

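    /**
     * Builds a PKCS#10 certification request with a fresh RSA key pair from the "BC" provider.
     *
     * @param str common name (CN) for the subject; O and OU come from the class constants
     * @return the request, signed with SHA256withRSA using the new private key
     * @throws Exception if key generation or signing fails
     */
    private PKCS10CertificationRequest generateCSR(String str) throws Exception {
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA", "BC");
        // 2048-bit modulus instead of the previous 1024: 1024-bit RSA is below the minimum that
        // current CA policies accept, and the test should not model a request that a production
        // CA would be expected to refuse.
        keyPairGenerator.initialize(2048);
        KeyPair keyPair = keyPairGenerator.genKeyPair();

        X500NameBuilder subject = new X500NameBuilder(BCStyle.INSTANCE);
        subject.addRDN(BCStyle.CN, str);
        subject.addRDN(BCStyle.O, O);
        subject.addRDN(BCStyle.OU, OU);

        return new JcaPKCS10CertificationRequestBuilder(subject.build(), keyPair.getPublic())
            .build(new JcaContentSignerBuilder("SHA256withRSA").setProvider("BC").build(keyPair.getPrivate()));
    }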

    /**
     * Generates two tokens and checks the subject claim of each: for a "Project__User" style
     * subject the part after "__" is expected, for a plain subject the subject itself.
     */
    @Test
    public void testGenerateJWT() throws Exception {
        RMAppSecurityActions actor = RMAppSecurityActionsFactory.getInstance().getActor(this.conf);

        // Case 1: composite subject taken from JWT_SUBJECT.
        ApplicationId firstApp = ApplicationId.newInstance(System.currentTimeMillis(), 1);
        JWTSecurityHandler.JWTMaterialParameter projectUserParam = createJWTParameter(firstApp);
        String projectUserToken = actor.generateJWT(projectUserParam);
        Assert.assertNotNull(projectUserToken);
        String expectedSubject = JWT_SUBJECT.split("__")[1];
        Assert.assertEquals(expectedSubject, JWTParser.parse(projectUserToken).getJWTClaimsSet().getSubject());

        // Case 2: plain subject without the "__" separator.
        ApplicationId secondApp = ApplicationId.newInstance(System.currentTimeMillis(), 2);
        JWTSecurityHandler.JWTMaterialParameter plainParam = new JWTSecurityHandler.JWTMaterialParameter(secondApp, "dorothy");
        plainParam.setRenewable(false);
        Instant issuedAt = Instant.now();
        plainParam.setExpirationDate(issuedAt.plus(10L, ChronoUnit.MINUTES));
        plainParam.setValidNotBefore(issuedAt);
        plainParam.setAudiences(new String[]{"job"});
        String plainToken = actor.generateJWT(plainParam);
        Assert.assertEquals("dorothy", JWTParser.parse(plainToken).getJWTClaimsSet().getSubject());
    }

    /**
     * Invalidating an arbitrary identifier must not throw. The test makes no assertion beyond
     * that.
     */
    @Test
    public void testInvalidateJWT() throws Exception {
        RMAppSecurityActions actor = RMAppSecurityActionsFactory.getInstance().getActor(this.conf);
        actor.invalidateJWT("lala");
    }

    /**
     * Requesting a second token with the same parameter object, and so the same application id,
     * must fail with an {@link IOException}.
     */
    @Test
    public void testGenerateJWTSameSigningKeyShouldFail() throws Exception {
        ApplicationId appId = ApplicationId.newInstance(System.currentTimeMillis(), 1);
        JWTSecurityHandler.JWTMaterialParameter jwtParam = createJWTParameter(appId);
        RMAppSecurityActions actor = RMAppSecurityActionsFactory.getInstance().getActor(this.conf);

        // First request succeeds; the expectation is armed only for the repeat.
        actor.generateJWT(jwtParam);
        this.rule.expect(IOException.class);
        actor.generateJWT(jwtParam);
    }

    /**
     * After the token for an application has been invalidated, generating again with the same
     * parameter must succeed and yield a different token.
     */
    @Test
    public void testGenerateJWTInvalidateGenerate() throws Exception {
        ApplicationId appId = ApplicationId.newInstance(System.currentTimeMillis(), 1);
        JWTSecurityHandler.JWTMaterialParameter jwtParam = createJWTParameter(appId);
        RMAppSecurityActions actor = RMAppSecurityActionsFactory.getInstance().getActor(this.conf);

        String firstToken = actor.generateJWT(jwtParam);
        Assert.assertNotNull(firstToken);

        actor.invalidateJWT(appId.toString());

        String secondToken = actor.generateJWT(jwtParam);
        Assert.assertNotEquals(firstToken, secondToken);
    }

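    /**
     * Generates a token that expires after two seconds, waits for that long, then renews it and
     * checks that a different, non-null token comes back.
     *
     * <p>The tokens are no longer written to the log. A JWT is a bearer credential, and test logs
     * are routinely archived by CI, so only the application id is logged.
     */
    @Test
    public void testRenewJWT() throws Exception {
        ApplicationId appId = ApplicationId.newInstance(System.currentTimeMillis(), 1);
        JWTSecurityHandler.JWTMaterialParameter shortLivedParam = createJWTParameter(appId, 2L, ChronoUnit.SECONDS);
        RMAppSecurityActions actor = RMAppSecurityActionsFactory.getInstance().getActor(this.conf);
        String originalToken = actor.generateJWT(shortLivedParam);

        // Wait out the two-second lifetime of the first token before asking for a renewal.
        TimeUnit.SECONDS.sleep(2L);

        JWTSecurityHandler.JWTMaterialParameter renewParam = createJWTParameter(appId);
        renewParam.setToken(originalToken);
        String renewedToken = actor.renewJWT(renewParam);

        Assert.assertNotNull(renewedToken);
        Assert.assertNotEquals(originalToken, renewedToken);
        LOG.info("Renewed JWT for " + appId);
    }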

    /**
     * Convenience overload: a JWT parameter for {@code applicationId} that expires ten minutes
     * from now.
     */
    private JWTSecurityHandler.JWTMaterialParameter createJWTParameter(ApplicationId applicationId) {
        final long defaultLifetime = 10L;
        final TemporalUnit defaultUnit = ChronoUnit.MINUTES;
        return createJWTParameter(applicationId, defaultLifetime, defaultUnit);
    }

    /**
     * Builds a non-renewable JWT parameter for {@code applicationId} with subject
     * {@code JWT_SUBJECT} and audience "job".
     *
     * @param applicationId application the token is requested for
     * @param j lifetime amount, counted from now
     * @param temporalUnit unit of {@code j}
     * @return parameter valid from now until now plus the given lifetime
     */
    private JWTSecurityHandler.JWTMaterialParameter createJWTParameter(ApplicationId applicationId, long j, TemporalUnit temporalUnit) {
        // One timestamp serves as both not-before and the base of the expiration.
        final Instant issuedAt = Instant.now();
        final Instant expiration = issuedAt.plus(j, temporalUnit);

        JWTSecurityHandler.JWTMaterialParameter parameter = new JWTSecurityHandler.JWTMaterialParameter(applicationId, JWT_SUBJECT);
        parameter.setRenewable(false);
        parameter.setExpirationDate(expiration);
        parameter.setValidNotBefore(issuedAt);
        parameter.setAudiences(new String[]{"job"});
        return parameter;
    }

    /* JADX WARN: Type inference failed for: r0v2, types: [java.time.ZonedDateTime] */
    /* JADX WARN: Type inference failed for: r0v8, types: [java.time.ZonedDateTime] */
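    /**
     * Starts a stubbed actor whose renewal returns locally minted tokens, then checks that the
     * configuration resource named by "hadoop.ssl.server.conf" contains the new master token and
     * renew tokens, and that the actor reports the new expiration.
     *
     * <p>The actor is destroyed in a {@code finally} block so that a failed assertion does not
     * leave it initialised for later tests.
     */
    @Test
    public void testConfUpdate() throws Exception {
        LocalDateTime issuedAt = LocalDateTime.now();
        Date notBefore = Date.from(issuedAt.atZone(ZoneId.systemDefault()).toInstant());
        LocalDateTime expiration = issuedAt.plus(10L, ChronoUnit.MINUTES);
        Date expiresAt = Date.from(expiration.atZone(ZoneId.systemDefault()).toInstant());

        JWTClaimsSet masterClaims = new JWTClaimsSet();
        masterClaims.setSubject("master_token");
        masterClaims.setExpirationTime(expiresAt);
        masterClaims.setNotBeforeTime(notBefore);
        String masterToken = jwtIssuer.generate(masterClaims);
        Assert.assertNotNull(masterToken);

        String[] renewTokens = new String[5];
        JWTClaimsSet renewClaims = new JWTClaimsSet();
        renewClaims.setSubject("renew_token");
        renewClaims.setExpirationTime(expiresAt);
        renewClaims.setNotBeforeTime(notBefore);
        for (int i = 0; i < renewTokens.length; i++) {
            String renewToken = jwtIssuer.generate(renewClaims);
            Assert.assertNotNull(renewToken);
            renewTokens[i] = renewToken;
        }

        HopsworksRMAppSecurityActions actor = new TestingHopsworksActions(masterToken, expiresAt, renewTokens);
        ((Configurable) actor).setConf(this.conf);
        actor.init();
        try {
            // Give the renewal triggered by init() time to run and rewrite the file; half a
            // second is what the original test allowed.
            TimeUnit.MILLISECONDS.sleep(500L);

            Configuration reloaded = new Configuration();
            reloaded.addResource(this.conf.get("hadoop.ssl.server.conf"));
            Assert.assertEquals(masterToken, reloaded.get(YarnConfiguration.RM_JWT_MASTER_TOKEN, ""));
            for (int i = 0; i < renewTokens.length; i++) {
                Assert.assertEquals(renewTokens[i], reloaded.get(String.format(YarnConfiguration.RM_JWT_RENEW_TOKEN_PATTERN, i), ""));
            }

            // Compare at second precision; sub-second digits are not part of the pattern.
            DateTimeFormatter toSeconds = DateTimeFormatter.ofPattern("yyyy-MM-dd'T'HH:mm:ss");
            Assert.assertEquals(expiration.format(toSeconds), actor.getMasterTokenExpiration().format(toSeconds));
        } finally {
            actor.destroy();
        }
    }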

    /* JADX WARN: Type inference failed for: r0v3, types: [java.time.ZonedDateTime] */
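    /**
     * Starts an actor whose first three renewal attempts throw, then waits for up to ten
     * one-second sleeps until a renewal succeeds. It also checks that more than one distinct
     * one-time token was used along the way.
     *
     * <p>The actor is destroyed in a {@code finally} block so that a failed assertion does not
     * leave it initialised for later tests.
     */
    @Test
    public void testServiceJWTRenewalRetry() throws Exception {
        Date expiresAt = Date.from(LocalDateTime.now().plus(10L, ChronoUnit.MINUTES).atZone(ZoneId.systemDefault()).toInstant());
        JWTClaimsSet claims = new JWTClaimsSet();
        claims.setSubject("test");
        claims.setExpirationTime(expiresAt);
        String masterToken = jwtIssuer.generate(claims);

        String[] renewTokens = new String[5];
        for (int i = 0; i < renewTokens.length; i++) {
            renewTokens[i] = jwtIssuer.generate(claims);
        }

        FailingTestHopsworksActions actor = new FailingTestHopsworksActions(masterToken, expiresAt, renewTokens);
        ((Configurable) actor).setConf(this.conf);
        actor.init();
        try {
            // Poll once per second, at most ten times, for the stub to report success.
            for (int waited = 0; waited < 10 && !actor.succeedRenewing; waited++) {
                TimeUnit.SECONDS.sleep(1L);
            }
            Assert.assertTrue(actor.succeedRenewing);
            // Each retry is expected to consume a different one-time token.
            Assert.assertTrue(actor.usedOneTimeTokens.size() > 1);
        } finally {
            actor.destroy();
        }
    }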

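    /**
     * Logs in to Hopsworks with the fixture credentials and extracts the service tokens.
     *
     * <p>The HTTP client and the response are now closed by try-with-resources. The decompiled
     * original closed the client only on the success path; its cleanup on failure was dead code
     * ({@code if (0 != 0)}).
     *
     * @return pair of (master JWT from the "Authorization" header, renew tokens from the
     *     "renewTokens" array of the JSON body)
     * @throws IOException if no matching Authorization header or no renew token was returned
     * @throws Exception on connection, TLS setup or parsing failures
     */
    private Pair<String, String[]> loginAndGetJWT() throws Exception {
        // NOTE(review): every certificate is trusted and hostname verification is disabled, so
        // the password below and the returned tokens go to an unauthenticated peer. For anything
        // beyond a throwaway local instance, load the server's CA into the SSLContextBuilder and
        // use the default hostname verifier instead.
        TrustStrategy acceptAnyCertificate = (chain, authType) -> true;
        SSLContextBuilder sslContextBuilder = new SSLContextBuilder();
        sslContextBuilder.loadTrustMaterial(acceptAnyCertificate);
        SSLConnectionSocketFactory socketFactory = new SSLConnectionSocketFactory(sslContextBuilder.build(), NoopHostnameVerifier.INSTANCE);

        try (CloseableHttpClient client = HttpClients.custom().setSSLSocketFactory(socketFactory).build();
             CloseableHttpResponse response = client.execute(RequestBuilder.post()
                 .setUri(new URL(new URL(HOPSWORKS_ENDPOINT), HOPSWORKS_LOGIN_PATH).toURI())
                 .addParameter("email", HOPSWORKS_USER)
                 .addParameter("password", HOPSWORKS_PASSWORD)
                 .build())) {
            Assert.assertNotNull(response);
            Assert.assertEquals(200L, response.getStatusLine().getStatusCode());

            // If several Authorization headers match, the last one wins, as in the original.
            String masterToken = null;
            for (Header header : response.getHeaders("Authorization")) {
                Matcher matcher = HopsworksRMAppSecurityActions.JWT_PATTERN.matcher(header.getValue());
                if (matcher.matches()) {
                    masterToken = matcher.group(1);
                }
            }

            JsonArray renewTokensJson = new JsonParser().parse(EntityUtils.toString(response.getEntity())).getAsJsonObject().getAsJsonArray("renewTokens");
            String[] renewTokens = new String[renewTokensJson.size()];
            for (int i = 0; i < renewTokens.length; i++) {
                renewTokens[i] = renewTokensJson.get(i).getAsString();
            }

            // Both the master token and at least one renew token are required.
            if (masterToken == null || renewTokens.length == 0) {
                throw new IOException("Could not get JWT from Hopsworks");
            }
            return new Pair<>(masterToken, renewTokens);
        }
    }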
}
