package org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.runtime;

import java.io.File;
import java.io.IOException;
import java.nio.charset.Charset;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.yarn.api.records.ContainerId;
import org.apache.hadoop.yarn.api.records.ContainerLaunchContext;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.container.Container;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.privileged.PrivilegedOperation;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.privileged.PrivilegedOperationException;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.linux.privileged.PrivilegedOperationExecutor;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerExecutionException;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerRuntimeConstants;
import org.apache.hadoop.yarn.server.nodemanager.containermanager.runtime.ContainerRuntimeContext;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import org.mockito.ArgumentCaptor;
import org.mockito.Matchers;
import org.mockito.Mockito;

/* loaded from: input_file:test-classes/org/apache/hadoop/yarn/server/nodemanager/containermanager/linux/runtime/TestDockerContainerRuntime.class */
public class TestDockerContainerRuntime {
    private static final Log LOG = LogFactory.getLog(TestDockerContainerRuntime.class);
    private Configuration conf;
    PrivilegedOperationExecutor mockExecutor;
    Container container;
    ContainerId cId;
    ContainerLaunchContext context;
    HashMap<String, String> env;
    String image;
    String runAsUser;
    String user;
    String appId;
    Path containerWorkDir;
    Path nmPrivateContainerScriptPath;
    Path nmPrivateTokensPath;
    Path pidFilePath;
    List<String> localDirs;
    List<String> logDirs;
    String resourcesOptions;
    ContainerRuntimeContext.Builder builder;
    String containerId;
    String containerIdStr = this.containerId;
    String submittingUser = "anakin";
    String whitelistedUser = "yoda";

    @Before
    public void setup() {
        String stringBuffer = new StringBuffer(System.getProperty("test.build.data")).append('/').append("hadoop.tmp.dir").toString();
        this.conf = new Configuration();
        this.conf.set("hadoop.tmp.dir", stringBuffer);
        this.mockExecutor = (PrivilegedOperationExecutor) Mockito.mock(PrivilegedOperationExecutor.class);
        this.containerId = "container_id";
        this.container = (Container) Mockito.mock(Container.class);
        this.cId = (ContainerId) Mockito.mock(ContainerId.class);
        this.context = (ContainerLaunchContext) Mockito.mock(ContainerLaunchContext.class);
        this.env = new HashMap<>();
        this.image = "busybox:latest";
        this.env.put(DockerLinuxContainerRuntime.ENV_DOCKER_CONTAINER_IMAGE, this.image);
        Mockito.when(this.container.getContainerId()).thenReturn(this.cId);
        Mockito.when(this.cId.toString()).thenReturn(this.containerId);
        Mockito.when(this.container.getLaunchContext()).thenReturn(this.context);
        Mockito.when(this.context.getEnvironment()).thenReturn(this.env);
        Mockito.when(this.container.getUser()).thenReturn(this.submittingUser);
        this.runAsUser = "run_as_user";
        this.user = "user";
        this.appId = "app_id";
        this.containerIdStr = this.containerId;
        this.containerWorkDir = new Path("/test_container_work_dir");
        this.nmPrivateContainerScriptPath = new Path("/test_script_path");
        this.nmPrivateTokensPath = new Path("/test_private_tokens_path");
        this.pidFilePath = new Path("/test_pid_file_path");
        this.localDirs = new ArrayList();
        this.logDirs = new ArrayList();
        this.resourcesOptions = "cgroups:none";
        this.localDirs.add("/test_local_dir");
        this.logDirs.add("/test_log_dir");
        this.builder = new ContainerRuntimeContext.Builder(this.container);
        this.builder.setExecutionAttribute(LinuxContainerRuntimeConstants.RUN_AS_USER, this.runAsUser).setExecutionAttribute(LinuxContainerRuntimeConstants.USER, this.user).setExecutionAttribute(LinuxContainerRuntimeConstants.APPID, this.appId).setExecutionAttribute(LinuxContainerRuntimeConstants.CONTAINER_ID_STR, this.containerIdStr).setExecutionAttribute(LinuxContainerRuntimeConstants.CONTAINER_WORK_DIR, this.containerWorkDir).setExecutionAttribute(LinuxContainerRuntimeConstants.NM_PRIVATE_CONTAINER_SCRIPT_PATH, this.nmPrivateContainerScriptPath).setExecutionAttribute(LinuxContainerRuntimeConstants.NM_PRIVATE_TOKENS_PATH, this.nmPrivateTokensPath).setExecutionAttribute(LinuxContainerRuntimeConstants.PID_FILE_PATH, this.pidFilePath).setExecutionAttribute(LinuxContainerRuntimeConstants.LOCAL_DIRS, this.localDirs).setExecutionAttribute(LinuxContainerRuntimeConstants.LOG_DIRS, this.logDirs).setExecutionAttribute(LinuxContainerRuntimeConstants.RESOURCES_OPTIONS, this.resourcesOptions);
    }

    @Test
    public void testSelectDockerContainerType() {
        HashMap hashMap = new HashMap();
        HashMap hashMap2 = new HashMap();
        hashMap.put(ContainerRuntimeConstants.ENV_CONTAINER_TYPE, "docker");
        hashMap2.put(ContainerRuntimeConstants.ENV_CONTAINER_TYPE, "other");
        Assert.assertEquals(false, Boolean.valueOf(DockerLinuxContainerRuntime.isDockerContainerRequested(null)));
        Assert.assertEquals(true, Boolean.valueOf(DockerLinuxContainerRuntime.isDockerContainerRequested(hashMap)));
        Assert.assertEquals(false, Boolean.valueOf(DockerLinuxContainerRuntime.isDockerContainerRequested(hashMap2)));
    }

    private PrivilegedOperation capturePrivilegedOperationAndVerifyArgs() throws PrivilegedOperationException {
        ArgumentCaptor forClass = ArgumentCaptor.forClass(PrivilegedOperation.class);
        ((PrivilegedOperationExecutor) Mockito.verify(this.mockExecutor, Mockito.times(1))).executePrivilegedOperation(Mockito.anyList(), (PrivilegedOperation) forClass.capture(), (File) Mockito.any(File.class), (Map) Mockito.any(Map.class), Matchers.eq(false), Matchers.eq(false));
        PrivilegedOperation privilegedOperation = (PrivilegedOperation) forClass.getValue();
        Assert.assertEquals(PrivilegedOperation.OperationType.LAUNCH_DOCKER_CONTAINER, privilegedOperation.getOperationType());
        List<String> arguments = privilegedOperation.getArguments();
        Assert.assertEquals(13L, arguments.size());
        Assert.assertEquals(this.runAsUser, arguments.get(0));
        Assert.assertEquals(this.user, arguments.get(1));
        Assert.assertEquals(Integer.toString(PrivilegedOperation.RunAsUserCommand.LAUNCH_DOCKER_CONTAINER.getValue()), arguments.get(2));
        Assert.assertEquals(this.appId, arguments.get(3));
        Assert.assertEquals(this.containerId, arguments.get(4));
        Assert.assertEquals(this.containerWorkDir.toString(), arguments.get(5));
        Assert.assertEquals(this.nmPrivateContainerScriptPath.toUri().toString(), arguments.get(6));
        Assert.assertEquals(this.nmPrivateTokensPath.toUri().getPath(), arguments.get(7));
        Assert.assertEquals(this.pidFilePath.toString(), arguments.get(8));
        Assert.assertEquals(this.localDirs.get(0), arguments.get(9));
        Assert.assertEquals(this.logDirs.get(0), arguments.get(10));
        Assert.assertEquals(this.resourcesOptions, arguments.get(12));
        return privilegedOperation;
    }

    @Test
    public void testDockerContainerLaunch() throws ContainerExecutionException, PrivilegedOperationException, IOException {
        DockerLinuxContainerRuntime dockerLinuxContainerRuntime = new DockerLinuxContainerRuntime(this.mockExecutor);
        dockerLinuxContainerRuntime.initialize(this.conf);
        String[] strArr = {"NET_BIND_SERVICE", "SYS_CHROOT"};
        this.conf.setStrings("yarn.nodemanager.runtime.linux.docker.capabilities", strArr);
        dockerLinuxContainerRuntime.launchContainer(this.builder.build());
        String str = capturePrivilegedOperationAndVerifyArgs().getArguments().get(11);
        HashSet hashSet = new HashSet(Arrays.asList(strArr));
        StringBuilder sb = new StringBuilder("--cap-drop=ALL ");
        Iterator it = hashSet.iterator();
        while (it.hasNext()) {
            sb.append("--cap-add=").append((String) it.next()).append(" ");
        }
        String format = String.format(new StringBuffer("run --name=%1$s ").append("--user=%2$s -d ").append("--workdir=%3$s ").append("--net=host ").append((CharSequence) sb).append("-v /etc/passwd:/etc/password:ro ").append("-v %4$s:%4$s ").append("-v %5$s:%5$s ").append("-v %6$s:%6$s ").append("%7$s ").append("bash %8$s/launch_container.sh").toString(), this.containerId, this.runAsUser, this.containerWorkDir, this.localDirs.get(0), this.containerWorkDir, this.logDirs.get(0), this.image, this.containerWorkDir);
        List<String> readAllLines = Files.readAllLines(Paths.get(str, new String[0]), Charset.forName("UTF-8"));
        Assert.assertEquals(1L, readAllLines.size());
        Assert.assertEquals(format, readAllLines.get(0));
    }

    @Test
    public void testLaunchPrivilegedContainersInvalidEnvVar() throws ContainerExecutionException, PrivilegedOperationException, IOException {
        DockerLinuxContainerRuntime dockerLinuxContainerRuntime = new DockerLinuxContainerRuntime(this.mockExecutor);
        dockerLinuxContainerRuntime.initialize(this.conf);
        this.env.put(DockerLinuxContainerRuntime.ENV_DOCKER_CONTAINER_RUN_PRIVILEGED_CONTAINER, "invalid-value");
        dockerLinuxContainerRuntime.launchContainer(this.builder.build());
        List<String> readAllLines = Files.readAllLines(Paths.get(capturePrivilegedOperationAndVerifyArgs().getArguments().get(11), new String[0]), Charset.forName("UTF-8"));
        Assert.assertEquals(1L, readAllLines.size());
        String str = readAllLines.get(0);
        Assert.assertTrue("Unexpected --privileged in docker run args : " + str, !str.contains("--privileged"));
    }

    @Test
    public void testLaunchPrivilegedContainersWithDisabledSetting() throws ContainerExecutionException, PrivilegedOperationException, IOException {
        DockerLinuxContainerRuntime dockerLinuxContainerRuntime = new DockerLinuxContainerRuntime(this.mockExecutor);
        dockerLinuxContainerRuntime.initialize(this.conf);
        this.env.put(DockerLinuxContainerRuntime.ENV_DOCKER_CONTAINER_RUN_PRIVILEGED_CONTAINER, "true");
        try {
            dockerLinuxContainerRuntime.launchContainer(this.builder.build());
            Assert.fail("Expected a privileged launch container failure.");
        } catch (ContainerExecutionException e) {
            LOG.info("Caught expected exception : " + e);
        }
    }

    @Test
    public void testLaunchPrivilegedContainersWithEnabledSettingAndDefaultACL() throws ContainerExecutionException, PrivilegedOperationException, IOException {
        this.conf.setBoolean("yarn.nodemanager.runtime.linux.docker.privileged-containers.allowed", true);
        DockerLinuxContainerRuntime dockerLinuxContainerRuntime = new DockerLinuxContainerRuntime(this.mockExecutor);
        dockerLinuxContainerRuntime.initialize(this.conf);
        this.env.put(DockerLinuxContainerRuntime.ENV_DOCKER_CONTAINER_RUN_PRIVILEGED_CONTAINER, "true");
        try {
            dockerLinuxContainerRuntime.launchContainer(this.builder.build());
            Assert.fail("Expected a privileged launch container failure.");
        } catch (ContainerExecutionException e) {
            LOG.info("Caught expected exception : " + e);
        }
    }

    @Test
    public void testLaunchPrivilegedContainersEnabledAndUserNotInWhitelist() throws ContainerExecutionException, PrivilegedOperationException, IOException {
        this.conf.setBoolean("yarn.nodemanager.runtime.linux.docker.privileged-containers.allowed", true);
        this.conf.set("yarn.nodemanager.runtime.linux.docker.privileged-containers.acl", this.whitelistedUser);
        DockerLinuxContainerRuntime dockerLinuxContainerRuntime = new DockerLinuxContainerRuntime(this.mockExecutor);
        dockerLinuxContainerRuntime.initialize(this.conf);
        this.env.put(DockerLinuxContainerRuntime.ENV_DOCKER_CONTAINER_RUN_PRIVILEGED_CONTAINER, "true");
        try {
            dockerLinuxContainerRuntime.launchContainer(this.builder.build());
            Assert.fail("Expected a privileged launch container failure.");
        } catch (ContainerExecutionException e) {
            LOG.info("Caught expected exception : " + e);
        }
    }

    @Test
    public void testLaunchPrivilegedContainersEnabledAndUserInWhitelist() throws ContainerExecutionException, PrivilegedOperationException, IOException {
        this.conf.setBoolean("yarn.nodemanager.runtime.linux.docker.privileged-containers.allowed", true);
        this.conf.set("yarn.nodemanager.runtime.linux.docker.privileged-containers.acl", this.submittingUser);
        DockerLinuxContainerRuntime dockerLinuxContainerRuntime = new DockerLinuxContainerRuntime(this.mockExecutor);
        dockerLinuxContainerRuntime.initialize(this.conf);
        this.env.put(DockerLinuxContainerRuntime.ENV_DOCKER_CONTAINER_RUN_PRIVILEGED_CONTAINER, "true");
        dockerLinuxContainerRuntime.launchContainer(this.builder.build());
        List<String> readAllLines = Files.readAllLines(Paths.get(capturePrivilegedOperationAndVerifyArgs().getArguments().get(11), new String[0]), Charset.forName("UTF-8"));
        Assert.assertEquals(1L, readAllLines.size());
        String str = readAllLines.get(0);
        Assert.assertTrue("Did not find expected '--privileged' in docker run args : " + str, str.contains("--privileged"));
    }

    @Test
    public void testDockerImageNamePattern() throws Exception {
        String[] strArr = {"Ubuntu", "ubuntu || fedora", "ubuntu#", "myregistryhost:50AB0/ubuntu", "myregistry#host:50AB0/ubuntu", ":8080/ubuntu"};
        for (String str : new String[]{"ubuntu", "fedora/httpd:version1.0", "fedora/httpd:version1.0.test", "fedora/httpd:version1.0.TEST", "myregistryhost:5000/ubuntu", "myregistryhost:5000/fedora/httpd:version1.0", "myregistryhost:5000/fedora/httpd:version1.0.test", "myregistryhost:5000/fedora/httpd:version1.0.TEST"}) {
            DockerLinuxContainerRuntime.validateImageName(str);
        }
        for (String str2 : strArr) {
            try {
                DockerLinuxContainerRuntime.validateImageName(str2);
                Assert.fail(str2 + " is an invalid name and should fail the regex");
            } catch (ContainerExecutionException e) {
            }
        }
    }
}
