package org.apache.hadoop.yarn.server.resourcemanager.security;

import io.hops.util.DBUtility;
import io.hops.util.RMStorageFactory;
import io.hops.util.YarnAPIStorageFactory;
import java.io.File;
import java.io.FileOutputStream;
import java.io.FileWriter;
import java.io.IOException;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.time.LocalDateTime;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.TimeUnit;
import junit.framework.TestCase;
import org.apache.commons.io.FileUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.security.ssl.FileBasedKeyStoresFactory;
import org.apache.hadoop.security.ssl.KeyStoreTestUtil;
import org.apache.hadoop.security.ssl.SSLFactory;
import org.apache.hadoop.util.DateUtils;
import org.apache.hadoop.yarn.MockApps;
import org.apache.hadoop.yarn.api.records.ApplicationId;
import org.apache.hadoop.yarn.api.records.ApplicationSubmissionContext;
import org.apache.hadoop.yarn.api.records.Container;
import org.apache.hadoop.yarn.api.records.NodeId;
import org.apache.hadoop.yarn.api.records.ResourceRequest;
import org.apache.hadoop.yarn.api.records.impl.pb.ApplicationSubmissionContextPBImpl;
import org.apache.hadoop.yarn.conf.YarnConfiguration;
import org.apache.hadoop.yarn.event.DrainDispatcher;
import org.apache.hadoop.yarn.server.resourcemanager.ApplicationMasterService;
import org.apache.hadoop.yarn.server.resourcemanager.MockAM;
import org.apache.hadoop.yarn.server.resourcemanager.MockNM;
import org.apache.hadoop.yarn.server.resourcemanager.MockRM;
import org.apache.hadoop.yarn.server.resourcemanager.RMAppManager;
import org.apache.hadoop.yarn.server.resourcemanager.RMContext;
import org.apache.hadoop.yarn.server.resourcemanager.RMContextImpl;
import org.apache.hadoop.yarn.server.resourcemanager.recovery.DBRMStateStore;
import org.apache.hadoop.yarn.server.resourcemanager.recovery.records.ApplicationStateData;
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp;
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppEventType;
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppImpl;
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMAppState;
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.AMLivelinessMonitor;
import org.apache.hadoop.yarn.server.resourcemanager.rmcontainer.ContainerAllocationExpirer;
import org.apache.hadoop.yarn.server.resourcemanager.rmnode.RMNodeImpl;
import org.apache.hadoop.yarn.server.resourcemanager.scheduler.YarnScheduler;
import org.apache.hadoop.yarn.server.resourcemanager.security.MockX509SecurityHandler;
import org.apache.hadoop.yarn.server.resourcemanager.security.RMSecurityHandlersBaseTest;
import org.apache.hadoop.yarn.server.resourcemanager.security.X509SecurityHandler;
import org.apache.hadoop.yarn.server.security.ApplicationACLsManager;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.mockito.Mockito;

/* loaded from: input_file:org/apache/hadoop/yarn/server/resourcemanager/security/TestX509SecurityHandler.class */
public class TestX509SecurityHandler extends RMSecurityHandlersBaseTest {
    // Commons-logging logger used for progress messages emitted by the tests.
    private static final Log LOG = LogFactory.getLog(TestX509SecurityHandler.class);
    // Scratch directory: <test.build.dir, defaulting to target/test-dir>/TestX509SecurityHandler.
    private static final String BASE_DIR = Paths.get(System.getProperty("test.build.dir", Paths.get("target", "test-dir").toString()), TestX509SecurityHandler.class.getSimpleName()).toString();
    // File handle on BASE_DIR; created in beforeClass() and deleted recursively in afterClass().
    private static final File BASE_DIR_FILE = new File(BASE_DIR);
    // Classpath directory of this test class, resolved once in beforeClass(); the per-test
    // ssl-server.xml files are written into it.
    private static String classPath;
    // Fresh Configuration created for every test in beforeTest().
    private Configuration conf;
    // Dispatcher backing rmContext; started in beforeTest() and stopped in afterTest().
    private DrainDispatcher dispatcher;
    // RM context handed to the security managers and handlers built directly by the tests.
    private RMContext rmContext;
    // Default ssl-server.xml written by beforeTest() and deleted by afterTest().
    private File sslServerFile;

    /* loaded from: input_file:org/apache/hadoop/yarn/server/resourcemanager/security/TestX509SecurityHandler$MyMockRM.class */
    private class MyMockRM extends MockRM {
        public MyMockRM(Configuration configuration) {
            super(configuration);
        }

        /**
         * Builds the security manager used by this mock RM: a Mockito spy around an
         * {@link RMAppSecurityManager} whose {@code clearRMAppSecurityActionsFactory()} does nothing,
         * with the X.509 handler and the JWT handler registered on it.
         *
         * <p>The spy lets tests verify calls such as {@code revokeSecurityMaterial}. The no-op override
         * presumably keeps an actor that a test registered in {@link RMAppSecurityActionsFactory}
         * from being cleared by the manager - confirm against RMAppSecurityManager.
         *
         * <p>The decompiler reports that this method was {@code protected} in the original source.
         */
        @Override
        public RMAppSecurityManager createRMAppSecurityManager() throws Exception {
            RMAppSecurityManager realManager = new RMAppSecurityManager(this.rmContext) {
                protected void clearRMAppSecurityActionsFactory() {
                    // Deliberately empty, see the method Javadoc.
                }
            };
            RMAppSecurityManager spiedManager = Mockito.spy(realManager);

            RMAppSecurityHandler x509Handler = createX509SecurityHandler(spiedManager);
            spiedManager.registerRMAppSecurityHandlerWithType(x509Handler, X509SecurityHandler.class);

            RMAppSecurityHandler jwtHandler = createJWTSecurityHandler(spiedManager);
            spiedManager.registerRMAppSecurityHandler(jwtHandler);
            return spiedManager;
        }

        /**
         * Returns a Mockito spy of a {@link MockX509SecurityHandler} (constructed with {@code false}
         * as its third argument) so tests can verify revocation calls on the handler.
         */
        @Override
        protected RMAppSecurityHandler createX509SecurityHandler(RMAppSecurityManager rMAppSecurityManager) {
            MockX509SecurityHandler mockHandler =
                new MockX509SecurityHandler(this.rmContext, rMAppSecurityManager, false);
            return (RMAppSecurityHandler) Mockito.spy(mockHandler);
        }

        /** Returns a plain, un-spied {@link JWTSecurityHandler}. */
        @Override
        protected RMAppSecurityHandler createJWTSecurityHandler(RMAppSecurityManager rMAppSecurityManager) {
            JWTSecurityHandler jwtHandler = new JWTSecurityHandler(this.rmContext, rMAppSecurityManager);
            return jwtHandler;
        }
    }

    /* loaded from: input_file:org/apache/hadoop/yarn/server/resourcemanager/security/TestX509SecurityHandler$MyMockRM2.class */
    private class MyMockRM2 extends MockRM {

        /**
         * {@link RMAppImpl} variant whose {@code rmNodeHasUpdatedCryptoMaterial} callback is a no-op.
         * Presumably this keeps the application in its "rotating crypto material" state for the
         * duration of the test - confirm against RMAppImpl.
         */
        private class MyRMApp extends RMAppImpl {
            /** Passes every argument straight through to the {@link RMAppImpl} constructor. */
            public MyRMApp(
                    ApplicationId applicationId,
                    RMContext rMContext,
                    Configuration configuration,
                    String str,
                    String str2,
                    String str3,
                    ApplicationSubmissionContext applicationSubmissionContext,
                    YarnScheduler yarnScheduler,
                    ApplicationMasterService applicationMasterService,
                    long j,
                    String str4,
                    Set<String> set,
                    ResourceRequest resourceRequest) throws IOException {
                super(applicationId, rMContext, configuration, str, str2, str3,
                    applicationSubmissionContext, yarnScheduler, applicationMasterService,
                    j, str4, set, resourceRequest);
            }

            public void rmNodeHasUpdatedCryptoMaterial(NodeId nodeId) {
                // Intentionally ignores the node's report.
            }
        }

        /** App manager that instantiates {@link MyRMApp} instead of the stock application class. */
        private class MyRMAppManager extends RMAppManager {
            public MyRMAppManager(
                    RMContext rMContext,
                    YarnScheduler yarnScheduler,
                    ApplicationMasterService applicationMasterService,
                    ApplicationACLsManager applicationACLsManager,
                    Configuration configuration) {
                super(rMContext, yarnScheduler, applicationMasterService, applicationACLsManager, configuration);
            }

            /**
             * Creates a {@link MyRMApp} wired to the enclosing RM's context, configuration, scheduler
             * and master service; name, queue, type and tags are read from the submission context.
             */
            protected RMApp createRMApp(ApplicationId applicationId, String str, ApplicationSubmissionContext applicationSubmissionContext, long j, ResourceRequest resourceRequest) throws IOException {
                MyMockRM2 enclosingRM = MyMockRM2.this;
                return new MyRMApp(
                    applicationId,
                    enclosingRM.rmContext,
                    enclosingRM.getConfig(),
                    applicationSubmissionContext.getApplicationName(),
                    str,
                    applicationSubmissionContext.getQueue(),
                    applicationSubmissionContext,
                    enclosingRM.scheduler,
                    enclosingRM.masterService,
                    j,
                    applicationSubmissionContext.getApplicationType(),
                    applicationSubmissionContext.getApplicationTags(),
                    resourceRequest);
            }
        }

        public MyMockRM2(Configuration configuration) {
            super(configuration);
        }

        /** Substitutes {@link MyRMAppManager} so that every submitted application is a {@link MyRMApp}. */
        protected RMAppManager createRMAppManager() {
            Configuration rmConfig = getConfig();
            return new MyRMAppManager(this.rmContext, this.scheduler, this.masterService, this.applicationACLsManager, rmConfig);
        }
    }

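    /**
     * One-time setup: registers the BouncyCastle JCE provider, creates the scratch directory and
     * resolves the classpath directory that the per-test ssl-server.xml files are written to.
     *
     * <p>The provider registration is JVM-wide and is not undone in {@code afterClass()}.
     *
     * @throws IOException if the scratch directory cannot be created
     */
    @BeforeClass
    public static void beforeClass() throws Exception {
        Security.addProvider(new BouncyCastleProvider());
        // mkdirs() returns false both on failure and when the directory already exists, so only
        // fail when the directory is really missing; otherwise the truststore write would fail
        // later with a less obvious error.
        if (!BASE_DIR_FILE.mkdirs() && !BASE_DIR_FILE.isDirectory()) {
            throw new IOException("Could not create test directory " + BASE_DIR_FILE);
        }
        classPath = KeyStoreTestUtil.getClasspathDir(TestX509SecurityHandler.class);
    }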

    /**
     * Per-test setup: fresh configuration with a 5 second certificate-expiration safety period,
     * cleared security-actions factory, initialised storage layer, a started dispatcher behind a
     * new RM context, and an empty ssl-server.xml on the classpath that
     * {@code hadoop.ssl.server.conf} points at.
     */
    @Before
    public void beforeTest() throws Exception {
        conf = new Configuration();
        conf.set(YarnConfiguration.RM_APP_CERTIFICATE_EXPIRATION_SAFETY_PERIOD, "5s");

        // Drop any actor left behind by a previous test before the storage layer is configured.
        RMAppSecurityActionsFactory.getInstance().clear();
        RMStorageFactory.setConfiguration(conf);
        YarnAPIStorageFactory.setConfiguration(conf);
        DBUtility.InitializeDB();

        dispatcher = new DrainDispatcher();
        // Only the dispatcher is supplied; the casts on the nulls select the constructor overload.
        rmContext = new RMContextImpl(dispatcher, (ContainerAllocationExpirer) null, (AMLivelinessMonitor) null, (AMLivelinessMonitor) null, (DelegationTokenRenewer) null, (AMRMTokenSecretManager) null, (RMContainerTokenSecretManager) null, (NMTokenSecretManagerInRM) null, (ClientToAMTokenSecretManagerInRM) null);
        dispatcher.init(conf);
        dispatcher.start();

        String sslServerConfName = TestX509SecurityHandler.class.getSimpleName() + ".ssl-server.xml";
        sslServerFile = Paths.get(classPath, sslServerConfName).toFile();
        KeyStoreTestUtil.saveConfig(sslServerFile, new Configuration(false));
        conf.set("hadoop.ssl.server.conf", sslServerConfName);
    }

    /** Per-test teardown: stops the dispatcher and removes the default ssl-server.xml, if present. */
    @After
    public void afterTest() throws Exception {
        DrainDispatcher runningDispatcher = this.dispatcher;
        if (runningDispatcher != null) {
            runningDispatcher.stop();
        }

        File defaultSslConf = this.sslServerFile;
        if (defaultSslConf != null) {
            // Best effort: the result of delete() is not checked.
            defaultSslConf.delete();
        }
    }

    /**
     * One-time teardown: deletes the scratch directory (including any truststore written into it)
     * and clears the security-actions factory.
     */
    @AfterClass
    public static void afterClass() throws Exception {
        boolean scratchDirPresent = BASE_DIR_FILE.exists();
        if (scratchDirPresent) {
            FileUtils.deleteDirectory(BASE_DIR_FILE);
        }
        RMAppSecurityActionsFactory.getInstance().clear();
    }

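    /**
     * Happy path for X.509 material generation: with a truststore holding the testing actor's CA
     * certificate, a GENERATE_SECURITY_MATERIAL event must produce a
     * {@code SECURITY_MATERIAL_GENERATED} application event.
     *
     * <p>The truststore password is the fixed test fixture value {@code "password"} and is written
     * in clear text to the test ssl-server.xml; both files are removed by this test and
     * {@code afterClass()}.
     */
    @Test
    public void testSuccessfulCertificateCreationTesting() throws Exception {
        File sslServerConf = null;
        try {
            this.conf.set(YarnConfiguration.HOPS_RM_SECURITY_ACTOR_KEY, "org.apache.hadoop.yarn.server.resourcemanager.security.TestingRMAppSecurityActions");
            TestingRMAppSecurityActions actor = RMAppSecurityActionsFactory.getInstance().getActor(this.conf);
            String trustStorePath = Paths.get(BASE_DIR, "trustStore.jks").toString();
            X509Certificate caCert = actor.getCaCert();
            // Text between the first and second '=' of the issuer DN. It is only used as the
            // keystore alias, so a trailing fragment from a multi-attribute DN is harmless here.
            String caAlias = caCert.getIssuerX500Principal().getName().split("=")[1];
            String sslServerConfName = TestX509SecurityHandler.class.getSimpleName() + "-testSuccessfulCertificateCreationTesting.ssl-server.xml";
            sslServerConf = Paths.get(classPath, sslServerConfName).toFile();
            this.conf.set("hadoop.ssl.server.conf", sslServerConfName);
            createTrustStore(trustStorePath, "password", caAlias, caCert);
            saveConfig(sslServerConf.getAbsoluteFile(), createSSLConfig("", "", "", trustStorePath, "password", ""));

            RMSecurityHandlersBaseTest.MockRMAppEventHandler mockRMAppEventHandler = new RMSecurityHandlersBaseTest.MockRMAppEventHandler(RMAppEventType.SECURITY_MATERIAL_GENERATED);
            this.rmContext.getDispatcher().register(RMAppEventType.class, mockRMAppEventHandler);

            RMAppSecurityManager securityManager = new RMAppSecurityManager(this.rmContext);
            securityManager.registerRMAppSecurityHandler(new MockX509SecurityHandler(this.rmContext, securityManager, true));
            securityManager.init(this.conf);
            securityManager.start();
            try {
                ApplicationId appId = ApplicationId.newInstance(System.currentTimeMillis(), 1);
                X509SecurityHandler.X509MaterialParameter x509Param = new X509SecurityHandler.X509MaterialParameter(appId, "Dorothy", 1);
                RMAppSecurityMaterial securityMaterial = new RMAppSecurityMaterial();
                securityMaterial.addMaterial(x509Param);
                securityManager.handle(new RMAppSecurityManagerEvent(appId, securityMaterial, RMAppSecurityManagerEventType.GENERATE_SECURITY_MATERIAL));
                this.dispatcher.await();
                mockRMAppEventHandler.verifyEvent();
            } finally {
                // Stop the manager even when an assertion fails so that it does not stay
                // running into the following tests.
                securityManager.stop();
            }
        } finally {
            if (sslServerConf != null) {
                sslServerConf.delete();
            }
        }
    }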

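    /**
     * Registers a renewer for a certificate that expires 10 seconds from now (the safety period
     * configured in {@code beforeTest()} is 5 seconds) and checks that, after 10 seconds, the
     * scheduled renewal task has completed without an exception and has been removed from the
     * handler's task map.
     */
    @Test
    public void testCertificateRenewal() throws Exception {
        this.conf.set(YarnConfiguration.HOPS_RM_SECURITY_ACTOR_KEY, "org.apache.hadoop.yarn.server.resourcemanager.security.TestingRMAppSecurityActions");
        RMAppSecurityManager securityManager = new RMAppSecurityManager(this.rmContext);
        MockX509SecurityHandler x509Handler = new MockX509SecurityHandler(this.rmContext, securityManager, false);
        securityManager.registerRMAppSecurityHandler(x509Handler);
        securityManager.init(this.conf);
        securityManager.start();
        try {
            LocalDateTime now = DateUtils.getNow();
            LocalDateTime expiration = now.plus(10L, ChronoUnit.SECONDS);
            ApplicationId appId = ApplicationId.newInstance(DateUtils.localDateTime2UnixEpoch(now), 1);
            x509Handler.setOldCertificateExpiration(DateUtils.localDateTime2UnixEpoch(expiration));
            X509SecurityHandler.X509MaterialParameter x509Param = new X509SecurityHandler.X509MaterialParameter(appId, "Dolores", 1);
            x509Param.setExpiration(Long.valueOf(DateUtils.localDateTime2UnixEpoch(expiration)));
            x509Handler.registerRenewer(x509Param);

            // Right after registration the task must be pending.
            Map renewalTasks = x509Handler.getRenewalTasks();
            ScheduledFuture renewalTask = (ScheduledFuture) renewalTasks.get(appId);
            Assert.assertFalse(renewalTask.isCancelled());
            Assert.assertFalse(renewalTask.isDone());

            TimeUnit.SECONDS.sleep(10L);

            TestCase.assertTrue(renewalTask.isDone());
            Assert.assertFalse(x509Handler.getRenewalException());
            TestCase.assertTrue(renewalTasks.isEmpty());
        } finally {
            // Stop the manager even when an assertion fails, so no renewal task outlives the test.
            securityManager.stop();
        }
    }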

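    /**
     * Renewal that never succeeds: the failing handler is constructed with
     * {@code Integer.MAX_VALUE} (presumably the number of renewal attempts that should fail -
     * confirm against MockFailingX509SecurityHandler). After 10 seconds the test expects exactly
     * four recorded failures, the renewal marked as failed, and the task removed from the task map,
     * i.e. the handler gives up instead of retrying forever.
     */
    @Test(timeout = 12000)
    public void testFailedCertificateRenewal() throws Exception {
        this.conf.set(YarnConfiguration.HOPS_RM_SECURITY_ACTOR_KEY, "org.apache.hadoop.yarn.server.resourcemanager.security.TestingRMAppSecurityActions");
        RMAppSecurityManager securityManager = new RMAppSecurityManager(this.rmContext);
        MockX509SecurityHandler.MockFailingX509SecurityHandler failingHandler = new MockX509SecurityHandler.MockFailingX509SecurityHandler(this.rmContext, securityManager, Integer.MAX_VALUE);
        securityManager.registerRMAppSecurityHandlerWithType(failingHandler, X509SecurityHandler.class);
        securityManager.init(this.conf);
        securityManager.start();
        try {
            LocalDateTime now = DateUtils.getNow();
            LocalDateTime expiration = now.plus(10L, ChronoUnit.SECONDS);
            ApplicationId appId = ApplicationId.newInstance(DateUtils.localDateTime2UnixEpoch(now), 1);
            X509SecurityHandler.X509MaterialParameter x509Param = new X509SecurityHandler.X509MaterialParameter(appId, "Dolores", 1);
            x509Param.setExpiration(Long.valueOf(DateUtils.localDateTime2UnixEpoch(expiration)));
            failingHandler.registerRenewer(x509Param);

            // Nothing has run yet: task pending, no failures recorded.
            Map renewalTasks = failingHandler.getRenewalTasks();
            ScheduledFuture renewalTask = (ScheduledFuture) renewalTasks.get(appId);
            Assert.assertFalse(renewalTask.isCancelled());
            Assert.assertFalse(renewalTask.isDone());
            Assert.assertFalse(failingHandler.hasRenewalFailed());
            Assert.assertEquals(0L, failingHandler.getNumberOfRenewalFailures());

            TimeUnit.SECONDS.sleep(10L);

            TestCase.assertTrue(renewalTasks.isEmpty());
            Assert.assertEquals(4L, failingHandler.getNumberOfRenewalFailures());
            TestCase.assertTrue(failingHandler.hasRenewalFailed());
        } finally {
            // Stop the manager even when an assertion fails, so no retry task outlives the test.
            securityManager.stop();
        }
    }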

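    /**
     * Renewal that succeeds after retries: the failing handler is constructed with {@code 2}
     * (presumably the number of attempts that fail before one succeeds - confirm against
     * MockFailingX509SecurityHandler). After 10 seconds the test expects two recorded failures,
     * the renewal not marked as failed, and an empty task map.
     */
    @Test(timeout = 12000)
    public void testRetryCertificateRenewal() throws Exception {
        this.conf.set(YarnConfiguration.HOPS_RM_SECURITY_ACTOR_KEY, "org.apache.hadoop.yarn.server.resourcemanager.security.TestingRMAppSecurityActions");
        RMAppSecurityManager securityManager = new RMAppSecurityManager(this.rmContext);
        MockX509SecurityHandler.MockFailingX509SecurityHandler failingHandler = new MockX509SecurityHandler.MockFailingX509SecurityHandler(this.rmContext, securityManager, 2);
        securityManager.registerRMAppSecurityHandlerWithType(failingHandler, X509SecurityHandler.class);
        securityManager.init(this.conf);
        securityManager.start();
        try {
            LocalDateTime now = DateUtils.getNow();
            LocalDateTime expiration = now.plus(10L, ChronoUnit.SECONDS);
            X509SecurityHandler.X509MaterialParameter x509Param = new X509SecurityHandler.X509MaterialParameter(ApplicationId.newInstance(DateUtils.localDateTime2UnixEpoch(now), 1), "Dolores", 1);
            x509Param.setExpiration(Long.valueOf(DateUtils.localDateTime2UnixEpoch(expiration)));
            failingHandler.registerRenewer(x509Param);

            TimeUnit.SECONDS.sleep(10L);

            Assert.assertEquals(2L, failingHandler.getNumberOfRenewalFailures());
            Assert.assertFalse(failingHandler.hasRenewalFailed());
            TestCase.assertTrue(failingHandler.getRenewalTasks().isEmpty());
        } finally {
            // Stop the manager even when an assertion fails, so no retry task outlives the test.
            securityManager.stop();
        }
    }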

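    /**
     * Failure path for material generation: when the X.509 handler cannot produce a certificate,
     * the application must receive a {@code KILL} event, i.e. it is not allowed to continue
     * without its security material.
     */
    @Test
    public void testFailingCertificateCreationLocal() throws Exception {
        this.conf.set(YarnConfiguration.HOPS_RM_SECURITY_ACTOR_KEY, "org.apache.hadoop.yarn.server.resourcemanager.security.TestingRMAppSecurityActions");
        RMSecurityHandlersBaseTest.MockRMAppEventHandler mockRMAppEventHandler = new RMSecurityHandlersBaseTest.MockRMAppEventHandler(RMAppEventType.KILL);
        this.rmContext.getDispatcher().register(RMAppEventType.class, mockRMAppEventHandler);

        RMAppSecurityManager securityManager = new RMAppSecurityManager(this.rmContext);
        securityManager.registerRMAppSecurityHandlerWithType(new MockX509SecurityHandler.MockFailingX509SecurityHandler(this.rmContext, securityManager, Integer.MAX_VALUE), X509SecurityHandler.class);
        securityManager.init(this.conf);
        securityManager.start();
        try {
            ApplicationId appId = ApplicationId.newInstance(System.currentTimeMillis(), 1);
            X509SecurityHandler.X509MaterialParameter x509Param = new X509SecurityHandler.X509MaterialParameter(appId, "Dolores", 1);
            RMAppSecurityMaterial securityMaterial = new RMAppSecurityMaterial();
            securityMaterial.addMaterial(x509Param);
            securityManager.handle(new RMAppSecurityManagerEvent(appId, securityMaterial, RMAppSecurityManagerEventType.GENERATE_SECURITY_MATERIAL));
            this.dispatcher.await();
            mockRMAppEventHandler.verifyEvent();
        } finally {
            // Stop the manager even when verifyEvent() fails.
            securityManager.stop();
        }
    }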

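    /**
     * Exercises the certificate revocation monitor (interval 3 seconds, safety period 40 seconds).
     *
     * <p>Once the application enters crypto-material rotation, the test waits 6 seconds and
     * expects that the rotation flag is cleared and the rotation start time reset to -1, that the
     * actor was asked to revoke the identifier of the previous crypto-material version, and that
     * {@code revokeSecurityMaterial} was never called on the security manager.
     *
     * <p>The polling loop has no deadline of its own; it is bounded only by the 20 second JUnit
     * timeout.
     */
    @Test(timeout = 20000)
    public void testCertificateRevocationMonitor() throws Exception {
        // Register a spied actor up front so that the revoke() call can be verified later.
        RMAppSecurityActions rMAppSecurityActions = (RMAppSecurityActions) Mockito.spy(new TestingRMAppSecurityActions());
        rMAppSecurityActions.init();
        RMAppSecurityActionsFactory.getInstance().register(rMAppSecurityActions);
        this.conf.set(YarnConfiguration.RM_APP_CERTIFICATE_EXPIRATION_SAFETY_PERIOD, "40s");
        this.conf.set(YarnConfiguration.RM_APP_CERTIFICATE_REVOCATION_MONITOR_INTERVAL, "3s");
        this.conf.setBoolean("ipc.server.ssl.enabled", true);

        MyMockRM myMockRM = new MyMockRM(this.conf);
        myMockRM.start();
        try {
            MockNM mockNM = new MockNM("127.0.0.1:8032", 15360, myMockRM.getResourceTrackerService());
            mockNM.registerNode();
            RMApp submitApp = myMockRM.submitApp(1024, "application1", "Phil", new HashMap(), false, "default", 2, null, "MAPREDUCE", true, false);
            mockNM.nodeHeartbeat(true);
            while (!submitApp.isAppRotatingCryptoMaterial()) {
                TimeUnit.MILLISECONDS.sleep(500L);
            }
            LOG.info(">> Rotation has happened");
            TestCase.assertTrue(submitApp.isAppRotatingCryptoMaterial());
            Assert.assertNotEquals(-1L, submitApp.getMaterialRotationStartTime());

            // Two monitor intervals.
            TimeUnit.SECONDS.sleep(6L);

            Assert.assertFalse(submitApp.isAppRotatingCryptoMaterial());
            Assert.assertEquals(-1L, submitApp.getMaterialRotationStartTime());
            // The superseded certificate (current version - 1) must have been revoked by the actor.
            ((RMAppSecurityActions) Mockito.verify(rMAppSecurityActions)).revoke((String) Mockito.eq(X509SecurityHandler.getCertificateIdentifier(submitApp.getApplicationId(), submitApp.getUser(), Integer.valueOf(submitApp.getCryptoMaterialVersion().intValue() - 1))));
            ((RMAppSecurityManager) Mockito.verify(myMockRM.getRMContext().getRMAppSecurityManager(), Mockito.never())).revokeSecurityMaterial((RMAppSecurityManagerEvent) Mockito.any(RMAppSecurityManagerEvent.class));
        } finally {
            // Stop the RM even when an assertion or verification fails.
            myMockRM.stop();
        }
    }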

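    /**
     * End-to-end check of crypto-material issuance, rotation, persistence and recovery.
     *
     * <ol>
     *   <li>After submission the application holds a non-empty keystore, truststore and both
     *       passwords.</li>
     *   <li>After 6 seconds all four have changed and the crypto-material version has increased
     *       by one.</li>
     *   <li>The RM state store holds the rotated material, including both passwords, and records
     *       that a rotation is in progress.</li>
     *   <li>Once the node reports the application as updated, rotation ends both in memory and in
     *       the state store, a renewal task is registered, and the previous version is revoked.</li>
     *   <li>A restarted RM recovers the application with the rotated keystore and re-registers its
     *       renewal task.</li>
     * </ol>
     *
     * <p>Because the state store is asserted to contain keystore bytes and passwords, whoever can
     * read the RM state store can read application credentials.
     */
    @Test
    public void testApplicationSubmission() throws Exception {
        this.conf.set(YarnConfiguration.HOPS_RM_SECURITY_ACTOR_KEY, "org.apache.hadoop.yarn.server.resourcemanager.security.TestingRMAppSecurityActions");
        this.conf.setBoolean("yarn.resourcemanager.recovery.enabled", true);
        this.conf.set("yarn.resourcemanager.store.class", DBRMStateStore.class.getName());
        this.conf.set(YarnConfiguration.RM_APP_CERTIFICATE_EXPIRATION_SAFETY_PERIOD, "45s");
        this.conf.setBoolean("ipc.server.ssl.enabled", true);

        // Needed again after the first RM has been stopped.
        MockNM mockNM;
        RMAppImpl submitApp;
        byte[] keyStore2;

        MyMockRM myMockRM = new MyMockRM(this.conf);
        myMockRM.start();
        try {
            mockNM = new MockNM("127.0.0.1:8032", 15360, myMockRM.getResourceTrackerService());
            mockNM.registerNode();
            submitApp = myMockRM.submitApp(1024, "application1", "Phil", new HashMap(), false, "default", 2, null, "MAPREDUCE", true, false);
            mockNM.nodeHeartbeat(true);
            Assert.assertNotNull(submitApp);

            // 1. Initial material.
            byte[] keyStore = submitApp.getKeyStore();
            Assert.assertNotNull(keyStore);
            Assert.assertNotEquals(0L, keyStore.length);
            char[] keyStorePassword = submitApp.getKeyStorePassword();
            Assert.assertNotNull(keyStorePassword);
            Assert.assertNotEquals(0L, keyStorePassword.length);
            byte[] trustStore = submitApp.getTrustStore();
            Assert.assertNotNull(trustStore);
            Assert.assertNotEquals(0L, trustStore.length);
            char[] trustStorePassword = submitApp.getTrustStorePassword();
            Integer cryptoMaterialVersion = submitApp.getCryptoMaterialVersion();
            Assert.assertNotNull(trustStorePassword);
            Assert.assertNotEquals(0L, trustStorePassword.length);

            TimeUnit.SECONDS.sleep(6L);

            // 2. Rotated material: stores and passwords must all differ from the initial ones.
            keyStore2 = submitApp.getKeyStore();
            Assert.assertFalse(Arrays.equals(keyStore, keyStore2));
            Assert.assertNotEquals(0L, keyStore2.length);
            byte[] trustStore2 = submitApp.getTrustStore();
            Assert.assertFalse(Arrays.equals(trustStore, trustStore2));
            Assert.assertNotEquals(0L, trustStore2.length);
            char[] keyStorePassword2 = submitApp.getKeyStorePassword();
            Assert.assertFalse(Arrays.equals(keyStorePassword, keyStorePassword2));
            Assert.assertNotEquals(0L, keyStorePassword2.length);
            char[] trustStorePassword2 = submitApp.getTrustStorePassword();
            Assert.assertFalse(Arrays.equals(trustStorePassword, trustStorePassword2));
            Assert.assertNotEquals(0L, trustStorePassword2.length);
            Integer cryptoMaterialVersion2 = submitApp.getCryptoMaterialVersion();
            Assert.assertEquals(Integer.valueOf(cryptoMaterialVersion.intValue() + 1), cryptoMaterialVersion2);

            // 3. The state store must already hold the rotated material and the rotation marker.
            ApplicationStateData applicationStateData = (ApplicationStateData) myMockRM.getRMContext().getStateStore().loadState().getApplicationState().get(submitApp.getApplicationId());
            TestCase.assertTrue(Arrays.equals(keyStore2, applicationStateData.getKeyStore()));
            TestCase.assertTrue(Arrays.equals(trustStore2, applicationStateData.getTrustStore()));
            TestCase.assertTrue(Arrays.equals(keyStorePassword2, applicationStateData.getKeyStorePassword()));
            TestCase.assertTrue(Arrays.equals(trustStorePassword2, applicationStateData.getTrustStorePassword()));
            Assert.assertEquals(cryptoMaterialVersion2, applicationStateData.getCryptoMaterialVersion());
            TestCase.assertTrue(applicationStateData.isDuringMaterialRotation());
            Assert.assertNotEquals(-1L, applicationStateData.getMaterialRotationStartTime());

            // 4. The node reports that it has picked up the new material for this application.
            HashSet hashSet = new HashSet(1);
            hashSet.add(submitApp.getApplicationId());
            mockNM.nodeHeartbeat(Collections.emptyList(), Collections.emptyList(), true, mockNM.getNextResponseId(), hashSet);
            TimeUnit.MILLISECONDS.sleep(100L);
            Assert.assertNull(submitApp.getRMNodesUpdatedCryptoMaterial());
            Assert.assertFalse(submitApp.isAppRotatingCryptoMaterial());
            ApplicationStateData applicationStateData2 = (ApplicationStateData) myMockRM.getRMContext().getStateStore().loadState().getApplicationState().get(submitApp.getApplicationId());
            Assert.assertFalse(applicationStateData2.isDuringMaterialRotation());
            Assert.assertEquals(-1L, applicationStateData2.getMaterialRotationStartTime());
            X509SecurityHandler securityHandler = myMockRM.getRMContext().getRMAppSecurityManager().getSecurityHandler(X509SecurityHandler.class);
            TestCase.assertTrue(securityHandler.getRenewalTasks().containsKey(submitApp.getApplicationId()));
            TimeUnit.MILLISECONDS.sleep(100L);
            // The superseded version (current - 1) must have been handed to revokeMaterial.
            ((X509SecurityHandler) Mockito.verify(securityHandler)).revokeMaterial((X509SecurityHandler.X509MaterialParameter) Mockito.eq(new X509SecurityHandler.X509MaterialParameter(submitApp.getApplicationId(), submitApp.getUser(), Integer.valueOf(submitApp.getCryptoMaterialVersion().intValue() - 1), true)), Boolean.valueOf(Mockito.eq(false)));
        } finally {
            // Stop the first RM even when an assertion fails.
            myMockRM.stop();
        }

        // 5. Restart with a 1 second safety period and recover from the state store.
        this.conf.set(YarnConfiguration.RM_APP_CERTIFICATE_EXPIRATION_SAFETY_PERIOD, "1s");
        MyMockRM restartedRM = new MyMockRM(this.conf);
        restartedRM.start();
        try {
            mockNM.setResourceTrackerService(restartedRM.getResourceTrackerService());
            mockNM.nodeHeartbeat(true);
            RMApp rMApp = (RMApp) restartedRM.getRMContext().getRMApps().get(submitApp.getApplicationId());
            Assert.assertNotNull(rMApp);
            TestCase.assertTrue(Arrays.equals(keyStore2, rMApp.getKeyStore()));
            ApplicationStateData applicationStateData3 = (ApplicationStateData) restartedRM.getRMContext().getStateStore().loadState().getApplicationState().get(submitApp.getApplicationId());
            Assert.assertFalse(applicationStateData3.isDuringMaterialRotation());
            Assert.assertEquals(-1L, applicationStateData3.getMaterialRotationStartTime());
            TestCase.assertTrue(restartedRM.getRMContext().getRMAppSecurityManager().getSecurityHandler(X509SecurityHandler.class).getRenewalTasks().containsKey(submitApp.getApplicationId()));
            restartedRM.killApp(submitApp.getApplicationId());
            restartedRM.waitForState(submitApp.getApplicationId(), RMAppState.KILLED);
        } finally {
            // Stop the restarted RM even when an assertion fails.
            restartedRM.stop();
        }
    }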

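    /**
     * Checks that a node which receives a container while the application is rotating its crypto
     * material is told to update that material.
     *
     * <p>A second node is registered after rotation has started. Its heartbeat responses carry no
     * crypto updates until a container has been allocated on it. After that the RM's node record
     * lists the application as needing an X.509 update, and the next heartbeat response carries
     * the application.
     *
     * <p>NOTE(review): this test has no JUnit timeout and its polling loops have no deadline, so
     * a regression in allocation or rotation makes it hang instead of fail.
     */
    @Test
    public void testContainerAllocationDuringMaterialRotation() throws Exception {
        this.conf.set(YarnConfiguration.HOPS_RM_SECURITY_ACTOR_KEY, "org.apache.hadoop.yarn.server.resourcemanager.security.TestingRMAppSecurityActions");
        this.conf.setBoolean("yarn.resourcemanager.recovery.enabled", true);
        this.conf.set("yarn.resourcemanager.store.class", DBRMStateStore.class.getName());
        this.conf.set(YarnConfiguration.RM_APP_CERTIFICATE_EXPIRATION_SAFETY_PERIOD, "40s");
        this.conf.setBoolean("ipc.server.ssl.enabled", true);

        MyMockRM2 myMockRM2 = new MyMockRM2(this.conf);
        myMockRM2.start();
        try {
            MockNM mockNM = new MockNM("127.0.0.1:1234", 2048, myMockRM2.getResourceTrackerService());
            mockNM.registerNode();
            RMApp submitApp = myMockRM2.submitApp(1024);
            mockNM.nodeHeartbeat(true);
            MockAM sendAMLaunched = myMockRM2.sendAMLaunched(submitApp.getCurrentAppAttempt().getAppAttemptId());
            sendAMLaunched.registerAppAttempt(true);

            // First container on the first node, before rotation.
            sendAMLaunched.allocate("127.0.0.1", 512, 1, Collections.emptyList());
            mockNM.nodeHeartbeat(true);
            List firstAllocation = sendAMLaunched.allocate(Collections.emptyList(), Collections.emptyList()).getAllocatedContainers();
            while (firstAllocation.size() < 1) {
                mockNM.nodeHeartbeat(true);
                TimeUnit.MILLISECONDS.sleep(200L);
                firstAllocation = sendAMLaunched.allocate(Collections.emptyList(), Collections.emptyList()).getAllocatedContainers();
            }

            while (!submitApp.isAppRotatingCryptoMaterial()) {
                TimeUnit.MILLISECONDS.sleep(500L);
            }

            // Second node joins while rotation is in progress.
            MockNM mockNM2 = new MockNM("127.0.0.2:1234", 2048, myMockRM2.getResourceTrackerService());
            mockNM2.registerNode();
            TestCase.assertTrue(submitApp.isAppRotatingCryptoMaterial());
            sendAMLaunched.allocate("127.0.0.2", 512, 1, Collections.emptyList());
            TestCase.assertTrue(mockNM2.nodeHeartbeat(true).getUpdatedCryptoForApps().isEmpty());

            // Until a container lands on the second node its heartbeats must carry no updates.
            List secondAllocation = sendAMLaunched.allocate(Collections.emptyList(), Collections.emptyList()).getAllocatedContainers();
            while (secondAllocation.size() < 1) {
                TestCase.assertTrue(mockNM2.nodeHeartbeat(true).getUpdatedCryptoForApps().isEmpty());
                TimeUnit.MILLISECONDS.sleep(200L);
                secondAllocation = sendAMLaunched.allocate(Collections.emptyList(), Collections.emptyList()).getAllocatedContainers();
            }
            Assert.assertEquals(1L, secondAllocation.size());
            Assert.assertEquals(mockNM2.getNodeId(), ((Container) secondAllocation.get(0)).getNodeId());

            TimeUnit.MILLISECONDS.sleep(500L);
            RMNodeImpl rMNodeImpl = (RMNodeImpl) myMockRM2.getRMContext().getRMNodes().get(mockNM2.getNodeId());
            Assert.assertNotNull(rMNodeImpl);
            // Bounded wait (10 x 300 ms) for the node record to list the application.
            for (int i = 0; rMNodeImpl.getAppX509ToUpdate().isEmpty() && i < 10; i++) {
                TimeUnit.MILLISECONDS.sleep(300L);
            }
            Assert.assertFalse(rMNodeImpl.getAppX509ToUpdate().isEmpty());
            TestCase.assertTrue(mockNM2.nodeHeartbeat(true).getUpdatedCryptoForApps().containsKey(submitApp.getApplicationId()));
        } finally {
            // Stop the RM even when an assertion fails.
            myMockRM2.stop();
        }
    }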

    /**
     * Builds an {@link RMAppImpl} of type "YARN" with mock-generated id, user, name and queue,
     * registers it in the RM context's application map and returns it.
     *
     * @param i value passed to {@code MockApps.newAppID} to derive the application id
     * @return the application that was added to {@code rmContext.getRMApps()}
     */
    private RMApp createNewTestApplication(int i) throws IOException {
        ApplicationId appId = MockApps.newAppID(i);
        String user = MockApps.newUserName();
        String appName = MockApps.newAppName();
        String queue = MockApps.newQueue();

        YarnScheduler mockScheduler = (YarnScheduler) Mockito.mock(YarnScheduler.class);
        ApplicationMasterService masterService = new ApplicationMasterService(this.rmContext, mockScheduler);

        ApplicationSubmissionContextPBImpl submissionContext = new ApplicationSubmissionContextPBImpl();
        submissionContext.setApplicationId(appId);

        RMAppImpl application = new RMAppImpl(appId, this.rmContext, this.conf, appName, user, queue, submissionContext, mockScheduler, masterService, System.currentTimeMillis(), "YARN", (Set) null, (ResourceRequest) Mockito.mock(ResourceRequest.class));
        this.rmContext.getRMApps().put(appId, application);
        return application;
    }

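    /**
     * Returns the classpath root directory from which {@code cls} was loaded. It looks up the
     * class file through the context class loader and strips the class's own relative path and
     * the separator before it.
     *
     * @param cls class whose classpath root is wanted
     * @return the directory path without a trailing separator
     * @throws IllegalStateException if the class file cannot be found, or is not addressed by a
     *     hierarchical URI with a path (for example when it is loaded from inside a jar)
     */
    private String getClasspathDir(Class<?> cls) throws Exception {
        String classResource = cls.getName().replace('.', '/') + ".class";
        java.net.URL location = Thread.currentThread().getContextClassLoader().getResource(classResource);
        if (location == null) {
            // Fail with a message instead of a NullPointerException on the next line.
            throw new IllegalStateException("Class file not found on the classpath: " + classResource);
        }
        String path = location.toURI().getPath();
        if (path == null) {
            // Opaque URIs such as jar:... have no path component.
            throw new IllegalStateException("Class is not loaded from a directory: " + location);
        }
        return path.substring(0, (path.length() - classResource.length()) - 1);
    }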

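    /**
     * Writes a JKS truststore containing a single trusted certificate entry.
     *
     * <p>Test fixture only: callers in this class pass a fixed password, and the store is written
     * under the scratch directory that {@code afterClass()} deletes.
     *
     * @param str file path of the truststore to create
     * @param str2 password protecting the store
     * @param str3 alias under which the certificate is stored
     * @param certificate certificate to trust
     * @throws GeneralSecurityException if the keystore cannot be created or populated
     * @throws IOException if the file cannot be written
     */
    private void createTrustStore(String str, String str2, String str3, Certificate certificate) throws GeneralSecurityException, IOException {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        // load(null, null) initialises an empty in-memory store.
        trustStore.load(null, null);
        trustStore.setCertificateEntry(str3, certificate);
        // try-with-resources closes the stream on every path, and a failure in close() is
        // attached to the primary exception rather than replacing it.
        try (FileOutputStream out = new FileOutputStream(str)) {
            trustStore.store(out, str2.toCharArray());
        }
    }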

    /**
     * Builds a server-mode SSL {@link Configuration} with no defaults loaded. Each optional value
     * is set only when it is non-null (the cipher list additionally only when non-empty); the
     * keystore reload interval (1000 MILLISECONDS) and truststore reload interval (1000) are
     * always set.
     *
     * <p>Passwords are stored in the configuration as plain strings and end up in clear text in
     * whatever file the configuration is saved to.
     *
     * @param str keystore location
     * @param str2 keystore password
     * @param str3 key password
     * @param str4 truststore location
     * @param str5 truststore password
     * @param str6 excluded cipher list
     * @return the populated configuration
     */
    private Configuration createSSLConfig(String str, String str2, String str3, String str4, String str5, String str6) {
        final SSLFactory.Mode serverMode = SSLFactory.Mode.SERVER;
        final Configuration sslConf = new Configuration(false);

        String[][] keystoreSettings = {
            {"ssl.{0}.keystore.location", str},
            {"ssl.{0}.keystore.password", str2},
            {"ssl.{0}.keystore.keypassword", str3},
        };
        for (String[] setting : keystoreSettings) {
            if (setting[1] != null) {
                sslConf.set(FileBasedKeyStoresFactory.resolvePropertyName(serverMode, setting[0]), setting[1]);
            }
        }
        sslConf.set(FileBasedKeyStoresFactory.resolvePropertyName(serverMode, "ssl.{0}.keystore.reload.interval"), "1000");
        sslConf.set(FileBasedKeyStoresFactory.resolvePropertyName(serverMode, "ssl.{0}.keystore.reload.timeunit"), "MILLISECONDS");

        String[][] truststoreSettings = {
            {"ssl.{0}.truststore.location", str4},
            {"ssl.{0}.truststore.password", str5},
        };
        for (String[] setting : truststoreSettings) {
            if (setting[1] != null) {
                sslConf.set(FileBasedKeyStoresFactory.resolvePropertyName(serverMode, setting[0]), setting[1]);
            }
        }

        boolean hasExcludedCiphers = str6 != null && !str6.isEmpty();
        if (hasExcludedCiphers) {
            sslConf.set(FileBasedKeyStoresFactory.resolvePropertyName(serverMode, "ssl.{0}.exclude.cipher.list"), str6);
        }
        sslConf.set(FileBasedKeyStoresFactory.resolvePropertyName(serverMode, "ssl.{0}.truststore.reload.interval"), "1000");
        return sslConf;
    }

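    /**
     * Serialises {@code configuration} as XML into {@code file}, replacing any existing content.
     *
     * <p>{@link FileWriter} encodes with the platform default charset. The values written by this
     * test are ASCII, so that is not a problem here.
     *
     * @param file destination file
     * @param configuration configuration to write, including any passwords it holds, in clear text
     * @throws IOException if the file cannot be opened or written
     */
    private void saveConfig(File file, Configuration configuration) throws IOException {
        // try-with-resources closes the writer on every path, and a failure in close() is
        // attached to the primary exception rather than replacing it.
        try (FileWriter writer = new FileWriter(file)) {
            configuration.writeXml(writer);
        }
    }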
}
