package org.apache.hadoop.yarn.server.resourcemanager;

import java.io.IOException;
import java.net.InetSocketAddress;
import java.nio.ByteBuffer;
import java.security.PrivilegedAction;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.io.DataInputByteBuffer;
import org.apache.hadoop.security.AccessControlException;
import org.apache.hadoop.security.Credentials;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.TokenIdentifier;
import org.apache.hadoop.yarn.api.ApplicationMasterProtocol;
import org.apache.hadoop.yarn.api.ContainerManagementProtocol;
import org.apache.hadoop.yarn.api.protocolrecords.GetContainerStatusesRequest;
import org.apache.hadoop.yarn.api.protocolrecords.GetContainerStatusesResponse;
import org.apache.hadoop.yarn.api.protocolrecords.IncreaseContainersResourceRequest;
import org.apache.hadoop.yarn.api.protocolrecords.IncreaseContainersResourceResponse;
import org.apache.hadoop.yarn.api.protocolrecords.RegisterApplicationMasterRequest;
import org.apache.hadoop.yarn.api.protocolrecords.RegisterApplicationMasterResponse;
import org.apache.hadoop.yarn.api.protocolrecords.StartContainerRequest;
import org.apache.hadoop.yarn.api.protocolrecords.StartContainersRequest;
import org.apache.hadoop.yarn.api.protocolrecords.StartContainersResponse;
import org.apache.hadoop.yarn.api.protocolrecords.StopContainersRequest;
import org.apache.hadoop.yarn.api.protocolrecords.StopContainersResponse;
import org.apache.hadoop.yarn.api.records.ApplicationAccessType;
import org.apache.hadoop.yarn.api.records.ApplicationAttemptId;
import org.apache.hadoop.yarn.exceptions.YarnException;
import org.apache.hadoop.yarn.ipc.YarnRPC;
import org.apache.hadoop.yarn.security.AMRMTokenIdentifier;
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.RMApp;
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttempt;
import org.apache.hadoop.yarn.server.resourcemanager.rmapp.attempt.RMAppAttemptState;
import org.apache.hadoop.yarn.util.Records;
import org.junit.After;
import org.junit.Assert;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.Parameterized;

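/**
 * Verifies that the ResourceManager's {@link ApplicationMasterService} lets an
 * ApplicationMaster register only when the caller presents an AMRM token.
 *
 * <p>The suite is parameterized: it runs once with a default
 * {@link Configuration} and once with {@code hadoop.security.authentication}
 * set to Kerberos. Both tests use the same flow: start a mock RM, submit an
 * application, capture the tokens handed to the AM container, then call
 * {@code registerApplicationMaster} either with the AMRM token (must succeed)
 * or without any token (must be rejected with an
 * {@link AccessControlException}).
 */
@RunWith(Parameterized.class)
public class TestAMAuthorization {
    private static final Log LOG = LogFactory.getLog(TestAMAuthorization.class);
    private final Configuration conf;
    private MockRM rm;

    /**
     * Mock RM that hands AM launches to a caller-supplied
     * {@link ContainerManagementProtocol}.
     */
    public static class MockRMWithAMS extends MockRMWithCustomAMLauncher {
        public MockRMWithAMS(Configuration configuration, ContainerManagementProtocol containerManagementProtocol) {
            super(configuration, containerManagementProtocol);
        }

        /** Intentionally empty: this mock RM performs no login step. */
        protected void doSecureLogin() throws IOException {
        }

        /**
         * Overrides the MockRM factory method to return a stock
         * {@link ApplicationMasterService} built from this RM's context and
         * scheduler, so the authorization path under test is the real one.
         */
        @Override
        protected ApplicationMasterService createApplicationMasterService() {
            return new ApplicationMasterService(getRMContext(), this.scheduler);
        }

        /**
         * Finds the AMRM token in {@code collection} and points its service
         * field at {@code inetSocketAddress}.
         *
         * @param inetSocketAddress address to record as the token's service
         * @param collection tokens to search
         * @return the first token whose kind is
         *         {@link AMRMTokenIdentifier#KIND_NAME}, or {@code null} when
         *         none is present; callers must check for {@code null} before
         *         using the result
         */
        public static Token<? extends TokenIdentifier> setupAndReturnAMRMToken(InetSocketAddress inetSocketAddress, Collection<Token<? extends TokenIdentifier>> collection) {
            for (Token<? extends TokenIdentifier> token : collection) {
                if (token.getKind().equals(AMRMTokenIdentifier.KIND_NAME)) {
                    SecurityUtil.setTokenService(token, inetSocketAddress);
                    return token;
                }
            }
            return null;
        }
    }

    /**
     * Container manager stub that records the serialized tokens of the first
     * start request and answers every call with an empty response.
     */
    public static final class MyContainerManager implements ContainerManagementProtocol {
        // Polled by the test thread until it becomes non-null. The writer is
        // presumably an RM launcher thread (TODO confirm), so the field is
        // volatile to guarantee the write is visible to the polling loop.
        public volatile ByteBuffer containerTokens;

        /** Captures the tokens from the first request's launch context. */
        public StartContainersResponse startContainers(StartContainersRequest startContainersRequest) throws YarnException {
            StartContainerRequest firstRequest = startContainersRequest.getStartContainerRequests().get(0);
            this.containerTokens = firstRequest.getContainerLaunchContext().getTokens();
            return StartContainersResponse.newInstance((Map) null, (List) null, (Map) null);
        }

        public StopContainersResponse stopContainers(StopContainersRequest stopContainersRequest) throws YarnException {
            return StopContainersResponse.newInstance((List) null, (Map) null);
        }

        public GetContainerStatusesResponse getContainerStatuses(GetContainerStatusesRequest getContainerStatusesRequest) throws YarnException {
            return GetContainerStatusesResponse.newInstance((List) null, (Map) null);
        }

        public IncreaseContainersResourceResponse increaseContainersResource(IncreaseContainersResourceRequest increaseContainersResourceRequest) throws YarnException {
            return IncreaseContainersResourceResponse.newInstance((List) null, (Map) null);
        }

        /**
         * Deserializes the captured token buffer into a {@link Credentials}
         * object. Must only be called once {@link #containerTokens} has been
         * set; the buffer is rewound first so repeated calls read it from the
         * start.
         *
         * @return the credentials read from the captured buffer
         * @throws IOException if the token storage stream cannot be read
         */
        public Credentials getContainerCredentials() throws IOException {
            Credentials credentials = new Credentials();
            DataInputByteBuffer tokenStream = new DataInputByteBuffer();
            this.containerTokens.rewind();
            tokenStream.reset(this.containerTokens);
            credentials.readTokenStorageStream(tokenStream);
            return credentials;
        }
    }

    /**
     * Supplies the two configurations the suite runs under: the defaults, and
     * one with Kerberos selected as the authentication method.
     */
    @Parameterized.Parameters
    public static Collection<Object[]> configs() {
        Configuration defaultConf = new Configuration();
        Configuration kerberosConf = new Configuration();
        kerberosConf.set("hadoop.security.authentication", UserGroupInformation.AuthenticationMethod.KERBEROS.toString());
        return Arrays.asList(new Object[]{defaultConf}, new Object[]{kerberosConf});
    }

    /**
     * Stores the configuration for this run and installs it into
     * {@link UserGroupInformation}, which is process-wide static state.
     */
    public TestAMAuthorization(Configuration configuration) {
        this.conf = configuration;
        UserGroupInformation.setConfiguration(configuration);
    }

    @After
    public void tearDown() {
        if (this.rm != null) {
            this.rm.stop();
        }
    }

    /**
     * An AM that presents the AMRM token issued for its attempt must be able
     * to register, and the response must carry a client-to-AM master key and
     * the ACLs the application was submitted with.
     */
    @Test
    public void testAuthorizedAccess() throws Exception {
        MyContainerManager containerManager = new MyContainerManager();
        this.rm = new MockRMWithAMS(this.conf, containerManager);
        this.rm.start();
        MockNM node = this.rm.registerNode("localhost:1234", 5120);
        Map<ApplicationAccessType, String> acls = new HashMap<ApplicationAccessType, String>(2);
        acls.put(ApplicationAccessType.VIEW_APP, "*");
        RMApp app = this.rm.submitApp(1024, "appname", "appuser", acls);
        node.nodeHeartbeat(true);
        waitForAMLaunch(containerManager, 20);

        RMAppAttempt attempt = app.getCurrentAppAttempt();
        ApplicationAttemptId attemptId = attempt.getAppAttemptId();
        waitForLaunchedState(attempt);

        Configuration rmConf = this.rm.getConfig();
        InetSocketAddress amsAddress = this.rm.getApplicationMasterService().getBindAddress();
        UserGroupInformation amUser = UserGroupInformation.createRemoteUser(attemptId.toString());
        Token<? extends TokenIdentifier> amrmToken = MockRMWithAMS.setupAndReturnAMRMToken(amsAddress, containerManager.getContainerCredentials().getAllTokens());
        // Fail here with a clear message rather than later with an
        // authentication error caused by a silently missing token.
        Assert.assertNotNull("No AMRM token found in the container credentials", amrmToken);
        amUser.addToken(amrmToken);

        RegisterApplicationMasterResponse response = openAMProxy(amUser, amsAddress, rmConf)
                .registerApplicationMaster(Records.newRecord(RegisterApplicationMasterRequest.class));
        Assert.assertNotNull(response.getClientToAMTokenMasterKey());
        if (UserGroupInformation.isSecurityEnabled()) {
            // Only a secure cluster is required to return a non-empty key.
            Assert.assertTrue(response.getClientToAMTokenMasterKey().array().length > 0);
        }
        Assert.assertEquals("Register response has bad ACLs", "*", response.getApplicationACLs().get(ApplicationAccessType.VIEW_APP));
    }

    /**
     * A caller that uses the attempt's name but attaches no AMRM token must be
     * rejected with an {@link AccessControlException}, in both the default and
     * the Kerberos configuration.
     */
    @Test
    public void testUnauthorizedAccess() throws Exception {
        MyContainerManager containerManager = new MyContainerManager();
        this.rm = new MockRMWithAMS(this.conf, containerManager);
        this.rm.start();
        MockNM node = this.rm.registerNode("localhost:1234", 5120);
        RMApp app = this.rm.submitApp(1024);
        node.nodeHeartbeat(true);
        waitForAMLaunch(containerManager, 40);

        RMAppAttempt attempt = app.getCurrentAppAttempt();
        ApplicationAttemptId attemptId = attempt.getAppAttemptId();
        waitForLaunchedState(attempt);

        Configuration rmConf = this.rm.getConfig();
        InetSocketAddress schedulerAddress = rmConf.getSocketAddr("yarn.resourcemanager.scheduler.address", "0.0.0.0:8030", 8030);
        // Deliberately no addToken(): the identity is right, the credential is absent.
        UserGroupInformation tokenlessUser = UserGroupInformation.createRemoteUser(attemptId.toString());
        try {
            openAMProxy(tokenlessUser, schedulerAddress, rmConf)
                    .registerApplicationMaster(Records.newRecord(RegisterApplicationMasterRequest.class));
            Assert.fail("Should fail with authorization error");
        } catch (Exception e) {
            // Any other failure is not the rejection under test; let it surface.
            if (!isCause(AccessControlException.class, e)) {
                throw e;
            }
            String expectedMessage = UserGroupInformation.isSecurityEnabled() ? "Client cannot authenticate via:[TOKEN]" : "SIMPLE authentication is not enabled.  Available:[TOKEN]";
            // isCause() accepts a match anywhere in the chain, but the message
            // is read from the direct cause, so guard against a missing cause
            // or message instead of failing with a NullPointerException.
            Throwable cause = e.getCause();
            Assert.assertNotNull("Rejected call carried no cause to inspect: " + e, cause);
            String actualMessage = cause.getMessage();
            Assert.assertTrue("Unexpected rejection message: " + actualMessage, actualMessage != null && actualMessage.contains(expectedMessage));
        }
    }

    /**
     * Builds an {@link ApplicationMasterProtocol} proxy for {@code address}
     * while running as {@code caller}, so the proxy is created under that
     * user's credentials.
     */
    private static ApplicationMasterProtocol openAMProxy(UserGroupInformation caller, final InetSocketAddress address, final Configuration config) {
        final YarnRPC rpc = YarnRPC.create(config);
        return caller.doAs(new PrivilegedAction<ApplicationMasterProtocol>() {
            @Override
            public ApplicationMasterProtocol run() {
                return (ApplicationMasterProtocol) rpc.getProxy(ApplicationMasterProtocol.class, address, config);
            }
        });
    }

    /**
     * Polls once per second, at most {@code maxAttempts} times, until the
     * container manager has captured the AM's tokens, then asserts that it did.
     */
    private static void waitForAMLaunch(MyContainerManager containerManager, int maxAttempts) throws InterruptedException {
        for (int attempt = 0; containerManager.containerTokens == null && attempt < maxAttempts; attempt++) {
            LOG.info("Waiting for AM Launch to happen..");
            Thread.sleep(1000L);
        }
        Assert.assertNotNull("AM container was never started, so no tokens were captured", containerManager.containerTokens);
    }

    /** Returns true when {@code th} or any throwable in its cause chain is an instance of {@code cls}. */
    private static boolean isCause(Class<? extends Throwable> cls, Throwable th) {
        return th != null && (cls.isInstance(th) || isCause(cls, th.getCause()));
    }

    /**
     * Polls once per second, at most 40 times, until the attempt reports
     * {@link RMAppAttemptState#LAUNCHED}, then asserts that state.
     */
    private void waitForLaunchedState(RMAppAttempt rMAppAttempt) throws InterruptedException {
        for (int waited = 0; rMAppAttempt.getAppAttemptState() != RMAppAttemptState.LAUNCHED && waited < 40; waited++) {
            LOG.info("Waiting for AppAttempt to reach LAUNCHED state. Current state is " + rMAppAttempt.getAppAttemptState());
            Thread.sleep(1000L);
        }
        // JUnit's order is (expected, actual); the reverse mislabels the failure message.
        Assert.assertEquals(RMAppAttemptState.LAUNCHED, rMAppAttempt.getAppAttemptState());
    }
}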
