package org.apache.hadoop.hive.metastore;

import io.hops.security.CertificateLocalization;
import io.hops.security.CertificateLocalizationCtx;
import io.hops.security.SuperuserKeystoresLoader;
import java.io.File;
import java.io.FileNotFoundException;
import java.lang.reflect.UndeclaredThrowableException;
import java.nio.ByteBuffer;
import java.nio.charset.Charset;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyPair;
import java.security.cert.X509Certificate;
import org.apache.commons.io.FileUtils;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.hive.metastore.conf.MetastoreConf;
import org.apache.hadoop.net.NetUtils;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.ssl.KeyStoreTestUtil;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.ExpectedException;

/* loaded from: input_file:org/apache/hadoop/hive/metastore/TestTLSHiveMetastoreClient.class */
public class TestTLSHiveMetastoreClient {
    private static Path serverKeyStore;
    private static Path serverTrustStore;
    private static Path clientKeyStore;
    private static Path clientTrustStore;
    private static Path appClientKeyStore;
    private static Path appClientTrustStore;
    private static String outputDir;
    private static X509Certificate caCert;
    private static KeyPair caKeyPair;
    private static final String clientUsername = "Ring__Gandalf";
    private static final String fakeUser = "fake__user";
    private static final String password = "123456";
    private static Configuration hiveConf;
    private HiveMetaStoreClient hmsc = null;
    private HiveMetaStoreClient hmscUser = null;

    @Rule
    public final ExpectedException rule = ExpectedException.none();

    @BeforeClass
    public static void setUp() throws Exception {
        outputDir = KeyStoreTestUtil.getClasspathDir(TestTLSHiveMetastoreClient.class);
        hiveConf = MetastoreConf.newMetastoreConf();
        MetaStoreTestUtils.setConfForStandloneMode(hiveConf);
        String userName = UserGroupInformation.getCurrentUser().getUserName();
        hiveConf.set("hadoop.proxyuser." + userName, "*");
        generateCerts();
        hiveConf.set(MetastoreConf.ConfVars.HIVE_SUPER_USER.getVarname(), userName);
        hiveConf.set(MetastoreConf.ConfVars.HIVE_SUPERUSER_ALLOWED_IMPERSONATION.getVarname(), userName);
        hiveConf.setBoolean("ipc.server.ssl.enabled", true);
        hiveConf.set("hadoop.ssl.enabled.protocols", "TLSv1.2,TLSv1.1,TLSv1");
        hiveConf.set("hadoop.ssl.hostname.verifier", "ALLOW_ALL");
        MetastoreConf.setVar(hiveConf, MetastoreConf.ConfVars.RAW_STORE_IMPL, DummyRawStoreForJdoConnection.class.getName());
        MetastoreConf.setVar(hiveConf, MetastoreConf.ConfVars.CONNECT_URL_HOOK, DummyJdoConnectionUrlHook.class.getName());
        MetastoreConf.setVar(hiveConf, MetastoreConf.ConfVars.CONNECT_URL_KEY, DummyJdoConnectionUrlHook.initialUrl);
        MetastoreConf.setLongVar(hiveConf, MetastoreConf.ConfVars.CERT_RELOAD_THREAD_SLEEP, 1000L);
        hiveConf.setClass(MetastoreConf.ConfVars.EXPRESSION_PROXY_CLASS.getVarname(), MockPartitionExpressionForMetastore.class, PartitionExpressionProxy.class);
        hiveConf.setBoolean(MetastoreConf.ConfVars.EXECUTE_SET_UGI.getVarname(), true);
        hiveConf.set(MetastoreConf.ConfVars.THRIFT_URIS.getVarname(), "thrift://localhost:" + MetaStoreTestUtils.startMetaStoreWithRetry(hiveConf));
        hiveConf.set(MetastoreConf.ConfVars.INIT_HOOKS.getVarname(), "");
        hiveConf.setBoolean(MetastoreConf.ConfVars.HIVE_SUPPORT_CONCURRENCY.getVarname(), false);
        hiveConf.setInt(MetastoreConf.ConfVars.THRIFT_CONNECTION_RETRIES.getVarname(), 1);
    }

    @After
    public void closeClient() throws Exception {
        if (this.hmsc != null) {
            this.hmsc.close();
        }
        cleanCertificateLocalization(clientUsername, null);
        cleanCertificateLocalization(clientUsername, "app");
        cleanCertificateLocalization(fakeUser, "app");
    }

    @AfterClass
    public static void afterClass() {
        if (outputDir != null) {
            FileUtils.deleteQuietly(new File(outputDir));
        }
    }

    @Test
    public void testClientMatchingCNUGI() throws Exception {
        setUpCertificateLocalization(clientUsername, clientKeyStore, clientTrustStore);
        UserGroupInformation.createProxyUser(clientUsername, UserGroupInformation.getCurrentUser()).doAs(() -> {
            this.hmsc = new HiveMetaStoreClient(hiveConf);
            return null;
        });
        CertificateLocalization certificateLocalization = CertificateLocalizationCtx.getInstance().getCertificateLocalization();
        Assert.assertEquals(2L, certificateLocalization.getX509MaterialLocation(clientUsername).getRequestedApplications());
        this.hmsc.close();
        this.hmsc = null;
        Thread.sleep(1000L);
        Assert.assertEquals(1L, certificateLocalization.getX509MaterialLocation(clientUsername).getRequestedApplications());
    }

    @Test
    public void testClientNotMatchingCNUGI() throws Exception {
        UserGroupInformation createProxyUser = UserGroupInformation.createProxyUser(fakeUser, UserGroupInformation.getCurrentUser());
        setUpCertificateLocalization(fakeUser, clientKeyStore, clientTrustStore);
        createProxyUser.doAs(() -> {
            this.rule.expect(UndeclaredThrowableException.class);
            this.hmsc = new HiveMetaStoreClient(hiveConf);
            return null;
        });
        cleanCertificateLocalization(fakeUser, null);
    }

    @Test
    public void testAppClient() throws Exception {
        UserGroupInformation createProxyUser = UserGroupInformation.createProxyUser(clientUsername, UserGroupInformation.getCurrentUser());
        createProxyUser.addApplicationId("app");
        setUpCertificateLocalization(clientUsername, appClientKeyStore, appClientTrustStore);
        createProxyUser.doAs(() -> {
            this.hmsc = new HiveMetaStoreClient(hiveConf);
            return null;
        });
        CertificateLocalization certificateLocalization = CertificateLocalizationCtx.getInstance().getCertificateLocalization();
        Assert.assertEquals(1L, certificateLocalization.getX509MaterialLocation(clientUsername).getRequestedApplications());
        Assert.assertEquals(1L, certificateLocalization.getX509MaterialLocation(clientUsername, "app").getRequestedApplications());
        this.hmsc.close();
        this.hmsc = null;
        Thread.sleep(1000L);
        this.rule.expect(FileNotFoundException.class);
        certificateLocalization.getX509MaterialLocation(clientUsername, "app");
        Assert.assertEquals(1L, certificateLocalization.getX509MaterialLocation(clientUsername).getRequestedApplications());
        cleanCertificateLocalization(clientUsername, null);
    }

    @Test
    public void testConcurrentAppNonAppUser() throws Exception {
        UserGroupInformation createProxyUser = UserGroupInformation.createProxyUser(clientUsername, UserGroupInformation.getCurrentUser());
        createProxyUser.addApplicationId("app");
        setUpCertificateLocalization(clientUsername, appClientKeyStore, appClientTrustStore);
        createProxyUser.doAs(() -> {
            this.hmsc = new HiveMetaStoreClient(hiveConf);
            return null;
        });
        UserGroupInformation createProxyUser2 = UserGroupInformation.createProxyUser(clientUsername, UserGroupInformation.getCurrentUser());
        byte[] readAllBytes = Files.readAllBytes(clientKeyStore);
        byte[] readAllBytes2 = Files.readAllBytes(clientTrustStore);
        CertificateLocalization certificateLocalization = CertificateLocalizationCtx.getInstance().getCertificateLocalization();
        certificateLocalization.updateX509(clientUsername, (String) null, ByteBuffer.wrap(readAllBytes), password, ByteBuffer.wrap(readAllBytes2), password);
        createProxyUser2.doAs(() -> {
            this.hmscUser = new HiveMetaStoreClient(hiveConf);
            return null;
        });
        Assert.assertEquals(2L, certificateLocalization.getX509MaterialLocation(clientUsername).getRequestedApplications());
        Assert.assertEquals(1L, certificateLocalization.getX509MaterialLocation(clientUsername, "app").getRequestedApplications());
        this.hmsc.close();
        this.hmscUser.close();
        this.hmsc = null;
        Thread.sleep(1000L);
        this.rule.expect(FileNotFoundException.class);
        certificateLocalization.getX509MaterialLocation(clientUsername, "app");
        Assert.assertEquals(1L, certificateLocalization.getX509MaterialLocation(clientUsername).getRequestedApplications());
        cleanCertificateLocalization(clientUsername, null);
    }

    @Test
    public void testConcurrentUsers() throws Exception {
        UserGroupInformation createProxyUser = UserGroupInformation.createProxyUser(clientUsername, UserGroupInformation.getCurrentUser());
        setUpCertificateLocalization(clientUsername, clientKeyStore, clientTrustStore);
        createProxyUser.doAs(() -> {
            this.hmsc = new HiveMetaStoreClient(hiveConf);
            return null;
        });
        createProxyUser.doAs(() -> {
            this.hmscUser = new HiveMetaStoreClient(hiveConf);
            return null;
        });
        CertificateLocalization certificateLocalization = CertificateLocalizationCtx.getInstance().getCertificateLocalization();
        Assert.assertEquals(3L, certificateLocalization.getX509MaterialLocation(clientUsername).getRequestedApplications());
        this.hmsc.close();
        this.hmsc = null;
        Thread.sleep(1000L);
        Assert.assertEquals(2L, certificateLocalization.getX509MaterialLocation(clientUsername).getRequestedApplications());
        this.hmscUser.close();
        this.hmscUser = null;
        Thread.sleep(1000L);
        Assert.assertEquals(1L, certificateLocalization.getX509MaterialLocation(clientUsername).getRequestedApplications());
    }

    @Test
    public void testAppCertificateRotation() throws Exception {
        UserGroupInformation createProxyUser = UserGroupInformation.createProxyUser(clientUsername, UserGroupInformation.getCurrentUser());
        FileUtils.copyFile(appClientKeyStore.toFile(), Paths.get("k_certificate", new String[0]).toFile());
        FileUtils.copyFile(appClientTrustStore.toFile(), Paths.get("t_certificate", new String[0]).toFile());
        FileUtils.write(Paths.get("material_passwd", new String[0]).toFile(), password);
        createProxyUser.doAs(() -> {
            this.hmsc = new HiveMetaStoreClient(hiveConf);
            return null;
        });
        CertificateLocalization certificateLocalization = CertificateLocalizationCtx.getInstance().getCertificateLocalization();
        Assert.assertEquals(1L, certificateLocalization.getX509MaterialLocation(clientUsername, "app").getRequestedApplications());
        int capacity = certificateLocalization.getX509MaterialLocation(clientUsername, "app").getKeyStoreMem().capacity();
        generateCertificate("CN=Ring__Gandalf,O=app,OU=100000", "c_client_alias", appClientKeyStore, appClientTrustStore);
        FileUtils.deleteQuietly(Paths.get("k_certificate", new String[0]).toFile());
        FileUtils.deleteQuietly(Paths.get("t_certificate", new String[0]).toFile());
        FileUtils.copyFile(appClientKeyStore.toFile(), Paths.get("k_certificate", new String[0]).toFile());
        FileUtils.copyFile(appClientTrustStore.toFile(), Paths.get("t_certificate", new String[0]).toFile());
        Thread.sleep(10000L);
        Assert.assertEquals(1L, certificateLocalization.getX509MaterialLocation(clientUsername, "app").getRequestedApplications());
        Assert.assertNotEquals(capacity, certificateLocalization.getX509MaterialLocation(clientUsername, "app").getKeyStoreMem().capacity());
        this.hmsc.close();
        this.hmsc = null;
        FileUtils.deleteQuietly(Paths.get("k_certificate", new String[0]).toFile());
        FileUtils.deleteQuietly(Paths.get("t_certificate", new String[0]).toFile());
        FileUtils.deleteQuietly(Paths.get("material_passwd", new String[0]).toFile());
        cleanCertificateLocalization(clientUsername, "app");
    }

    @Test
    public void testSuperuserCertificates() throws Exception {
        this.hmsc = new HiveMetaStoreClient(hiveConf);
    }

    private static void generateCerts() throws Exception {
        caKeyPair = KeyStoreTestUtil.generateKeyPair("RSA");
        caCert = KeyStoreTestUtil.generateCertificate("CN=CARoot", caKeyPair, 42, "SHA256withRSA", true);
        String userName = UserGroupInformation.getCurrentUser().getUserName();
        SuperuserKeystoresLoader superuserKeystoresLoader = new SuperuserKeystoresLoader(hiveConf);
        serverKeyStore = Paths.get(outputDir, superuserKeystoresLoader.getSuperKeystoreFilename(userName));
        serverTrustStore = Paths.get(outputDir, superuserKeystoresLoader.getSuperTruststoreFilename(userName));
        generateCertificate("CN=" + NetUtils.getHostNameOfIP("127.0.0.1") + ",L=" + userName, "server_alias", serverKeyStore, serverTrustStore);
        FileUtils.writeStringToFile(Paths.get(outputDir, superuserKeystoresLoader.getSuperMaterialPasswdFilename(userName)).toFile(), password, Charset.defaultCharset());
        hiveConf.set("hops.tls.superuser-material-directory", outputDir);
        clientKeyStore = Paths.get(outputDir, "c_client.keystore.jks");
        clientTrustStore = Paths.get(outputDir, "c_client.truststore.jks");
        generateCertificate("CN=Ring__Gandalf", "c_client_alias", clientKeyStore, clientTrustStore);
        appClientKeyStore = Paths.get(outputDir, "c_app_client.keystore.jks");
        appClientTrustStore = Paths.get(outputDir, "c_app_client.truststore.jks");
        generateCertificate("CN=Ring__Gandalf,O=app,OU=0", "c_client_alias", appClientKeyStore, appClientTrustStore);
    }

    private static void generateCertificate(String str, String str2, Path path, Path path2) throws Exception {
        KeyPair generateKeyPair = KeyStoreTestUtil.generateKeyPair("RSA");
        KeyStoreTestUtil.createKeyStore(path.toString(), password, password, str2, generateKeyPair.getPrivate(), KeyStoreTestUtil.generateSignedCertificate(str, generateKeyPair, 42, "SHA256withRSA", caKeyPair.getPrivate(), caCert));
        KeyStoreTestUtil.createTrustStore(path2.toString(), password, "CARoot", caCert);
    }

    private void setUpCertificateLocalization(String str, Path path, Path path2) throws Exception {
        CertificateLocalizationCtx.getInstance().getCertificateLocalization().materializeCertificates(str, str, ByteBuffer.wrap(Files.readAllBytes(path)), password, ByteBuffer.wrap(Files.readAllBytes(path2)), password);
    }

    private void cleanCertificateLocalization(String str, String str2) {
        try {
            CertificateLocalizationCtx.getInstance().getCertificateLocalization().removeX509Material(str, str2);
        } catch (Exception e) {
        }
    }
}
