package org.apache.hadoop.yarn.server.resourcemanager;

import java.io.IOException;
import java.security.PrivilegedExceptionAction;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.security.SaslRpcServer;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.util.KerberosName;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.yarn.api.protocolrecords.CancelDelegationTokenRequest;
import org.apache.hadoop.yarn.api.protocolrecords.RenewDelegationTokenRequest;
import org.apache.hadoop.yarn.exceptions.YarnException;
import org.apache.hadoop.yarn.security.client.RMDelegationTokenIdentifier;
import org.apache.hadoop.yarn.server.resourcemanager.recovery.NullRMStateStore;
import org.apache.hadoop.yarn.server.resourcemanager.scheduler.YarnScheduler;
import org.apache.hadoop.yarn.server.resourcemanager.security.QueueACLsManager;
import org.apache.hadoop.yarn.server.resourcemanager.security.RMDelegationTokenSecretManager;
import org.apache.hadoop.yarn.server.security.ApplicationACLsManager;
import org.apache.hadoop.yarn.server.utils.BuilderUtils;
import org.apache.hadoop.yarn.util.Records;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.BeforeClass;
import org.junit.Test;
import org.mockito.Mockito;

/* loaded from: input_file:org/apache/hadoop/yarn/server/resourcemanager/TestTokenClientRMService.class */
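/**
 * Exercises who may renew and who may cancel an RM delegation token through
 * {@link ClientRMService}.
 *
 * <p>Identities appear in two forms: short names ({@code owner}, {@code other},
 * {@code tester}) and full principals ({@code owner@EXAMPLE.COM}, ...). The
 * negative tests treat the two forms as different users:
 * {@code tester@EXAMPLE.COM} is expected to be refused when cancelling a token
 * owned by {@code tester}, and {@code tester} is expected to be refused for a
 * token owned by {@code tester@EXAMPLE.COM}.
 *
 * <p>Every service instance is built on a mocked {@link RMContext} and shares
 * one {@link RMDelegationTokenSecretManager}, so only the token authorization
 * path is under test.
 */
public class TestTokenClientRMService {
    // auth_to_local rule installed for the whole JVM by the static initializer
    // and by setupSecretManager().
    private static final String kerberosRule = "RULE:[1:$1@$0](.*@EXAMPLE.COM)s/@.*//\nDEFAULT";
    private static final String testerPrincipal = "tester@EXAMPLE.COM";
    private static final String ownerPrincipal = "owner@EXAMPLE.COM";
    private static final String otherPrincipal = "other@EXAMPLE.COM";

    // Secret manager shared by all tests; started in setupSecretManager().
    private static RMDelegationTokenSecretManager dtsm;

    // Short-name identities.
    private static final UserGroupInformation owner;
    private static final UserGroupInformation other;
    private static final UserGroupInformation tester;
    // Full-principal identities.
    private static final UserGroupInformation testerKerb;
    private static final UserGroupInformation ownerKerb;
    private static final UserGroupInformation otherKerb;

    static {
        // The rules are set before any remote user is created, as in the original ordering.
        KerberosName.setRules(kerberosRule);
        owner = UserGroupInformation.createRemoteUser("owner", SaslRpcServer.AuthMethod.KERBEROS);
        other = UserGroupInformation.createRemoteUser("other", SaslRpcServer.AuthMethod.KERBEROS);
        tester = UserGroupInformation.createRemoteUser("tester", SaslRpcServer.AuthMethod.KERBEROS);
        testerKerb = UserGroupInformation.createRemoteUser(testerPrincipal, SaslRpcServer.AuthMethod.KERBEROS);
        ownerKerb = UserGroupInformation.createRemoteUser(ownerPrincipal, SaslRpcServer.AuthMethod.KERBEROS);
        otherKerb = UserGroupInformation.createRemoteUser(otherPrincipal, SaslRpcServer.AuthMethod.KERBEROS);
    }

    /**
     * Starts the shared secret manager on a mocked context with a null state
     * store and switches the process-wide security configuration to Kerberos.
     *
     * @throws IOException if the secret manager threads cannot be started
     */
    @BeforeClass
    public static void setupSecretManager() throws IOException {
        RMContext context = Mockito.mock(RMContext.class);
        Mockito.when(context.getStateStore()).thenReturn(new NullRMStateStore());
        dtsm = new RMDelegationTokenSecretManager(60000L, 60000L, 60000L, 60000L, context);
        dtsm.startThreads();
        Configuration conf = new Configuration();
        conf.set("hadoop.security.authentication", "kerberos");
        conf.set("hadoop.security.auth_to_local", kerberosRule);
        // Static, JVM-wide setting: it stays in force for tests that run afterwards.
        UserGroupInformation.setConfiguration(conf);
    }

    /** Stops the secret manager threads if setup got far enough to create them. */
    @AfterClass
    public static void teardownSecretManager() {
        if (dtsm != null) {
            dtsm.stopThreads();
        }
    }

    /**
     * The token owner may cancel it: once as a full principal against a shared
     * service instance, once as a short name against a fresh instance.
     */
    @Test
    public void testTokenCancellationByOwner() throws Exception {
        final ClientRMService rmService = newClientRMService();
        testerKerb.doAs(new PrivilegedExceptionAction<Void>() {
            @Override
            public Void run() throws Exception {
                checkTokenCancellation(rmService, testerKerb, other);
                return null;
            }
        });
        owner.doAs(new PrivilegedExceptionAction<Void>() {
            @Override
            public Void run() throws Exception {
                checkTokenCancellation(owner, other);
                return null;
            }
        });
    }

    /**
     * The owner must not be able to renew a token whose renewer is someone else.
     *
     * <p>The test passes only when the refusal itself was observed. Catching
     * every exception and ignoring it would also accept a failure that happens
     * before the renewer check is reached, which would hide a regression in the
     * check.
     */
    @Test
    public void testTokenRenewalWrongUser() throws Exception {
        // Set by the inner catch once the expected refusal message has been verified.
        final boolean[] denialSeen = {false};
        try {
            owner.doAs(new PrivilegedExceptionAction<Void>() {
                @Override
                public Void run() throws Exception {
                    try {
                        checkTokenRenewal(owner, other);
                        return null;
                    } catch (YarnException denied) {
                        Assert.assertTrue(denied.getMessage().contains(owner.getUserName() + " tries to renew a token with renewer " + other.getUserName()));
                        denialSeen[0] = true;
                        throw denied;
                    }
                }
            });
        } catch (Exception e) {
            // doAs may rethrow the YarnException wrapped, so the flag, not the
            // exception type, tells the expected refusal from an unrelated failure.
            Assert.assertTrue("renew failed for a reason other than the renewer check: " + e, denialSeen[0]);
            return;
        }
        Assert.fail("renew should have failed");
    }

    /**
     * Running as the process login user, renewal is expected to succeed both
     * for a token whose renewer is {@code owner} and for one whose renewer is
     * {@code other}.
     *
     * <p>NOTE(review): presumably ClientRMService accepts its own login user as
     * renewer for any token; confirm in renewDelegationToken that this
     * exception is limited to the daemon identity.
     */
    @Test
    public void testTokenRenewalByLoginUser() throws Exception {
        UserGroupInformation.getLoginUser().doAs(new PrivilegedExceptionAction<Void>() {
            @Override
            public Void run() throws Exception {
                checkTokenRenewal(owner, owner);
                checkTokenRenewal(owner, other);
                return null;
            }
        });
    }

    /**
     * Issues a token for the given owner and renewer and asks a fresh service
     * instance to renew it as the current caller.
     *
     * @param tokenOwner identity recorded as the token owner
     * @param tokenRenewer identity recorded as the token renewer
     * @throws IOException declared for callers; not thrown by the visible code paths
     * @throws YarnException if the service refuses the renewal
     */
    public void checkTokenRenewal(UserGroupInformation tokenOwner, UserGroupInformation tokenRenewer) throws IOException, YarnException {
        RenewDelegationTokenRequest request = Records.newRecord(RenewDelegationTokenRequest.class);
        request.setDelegationToken(newDelegationToken(tokenOwner, tokenRenewer));
        newClientRMService().renewDelegationToken(request);
    }

    /**
     * The designated renewer may cancel the token: once as a full principal
     * against a shared service instance, once as a short name against a fresh
     * instance.
     */
    @Test
    public void testTokenCancellationByRenewer() throws Exception {
        final ClientRMService rmService = newClientRMService();
        testerKerb.doAs(new PrivilegedExceptionAction<Void>() {
            @Override
            public Void run() throws Exception {
                checkTokenCancellation(rmService, owner, testerKerb);
                return null;
            }
        });
        other.doAs(new PrivilegedExceptionAction<Void>() {
            @Override
            public Void run() throws Exception {
                checkTokenCancellation(owner, other);
                return null;
            }
        });
    }

    /**
     * A caller that is neither owner nor renewer must be refused, for every
     * owner/renewer combination tried.
     *
     * <p>The first pass calls as {@code tester@EXAMPLE.COM} and includes tokens
     * owned by the short name {@code tester}; the second pass calls as
     * {@code tester} and includes tokens owned by {@code tester@EXAMPLE.COM}.
     * Both are expected to be refused, so a short name and the matching full
     * principal are not interchangeable for cancellation.
     */
    @Test
    public void testTokenCancellationByWrongUser() {
        final ClientRMService rmService = newClientRMService();

        // Pass 1: caller is the full principal, one shared service instance.
        UserGroupInformation[] ownersForKerbCaller = {owner, other, tester, ownerKerb, otherKerb};
        UserGroupInformation[] renewersForKerbCaller = {owner, other, ownerKerb, otherKerb};
        for (final UserGroupInformation tokenOwner : ownersForKerbCaller) {
            for (final UserGroupInformation tokenRenewer : renewersForKerbCaller) {
                try {
                    testerKerb.doAs(new PrivilegedExceptionAction<Void>() {
                        @Override
                        public Void run() throws Exception {
                            try {
                                checkTokenCancellation(rmService, tokenOwner, tokenRenewer);
                                Assert.fail("We should not reach here; token owner = " + tokenOwner.getUserName() + ", renewer = " + tokenRenewer.getUserName());
                                return null;
                            } catch (YarnException denied) {
                                Assert.assertTrue(denied.getMessage().contains(testerKerb.getUserName() + " is not authorized to cancel the token"));
                                return null;
                            }
                        }
                    });
                } catch (Exception unexpected) {
                    Assert.fail("Unexpected exception; " + unexpected.getMessage());
                }
            }
        }

        // Pass 2: caller is the short name, a fresh service instance per attempt.
        UserGroupInformation[] ownersForShortCaller = {owner, other, ownerKerb, otherKerb, testerKerb};
        UserGroupInformation[] renewersForShortCaller = {owner, other, ownerKerb, otherKerb};
        for (final UserGroupInformation tokenOwner : ownersForShortCaller) {
            for (final UserGroupInformation tokenRenewer : renewersForShortCaller) {
                try {
                    tester.doAs(new PrivilegedExceptionAction<Void>() {
                        @Override
                        public Void run() throws Exception {
                            try {
                                checkTokenCancellation(tokenOwner, tokenRenewer);
                                Assert.fail("We should not reach here; token owner = " + tokenOwner.getUserName() + ", renewer = " + tokenRenewer.getUserName());
                                return null;
                            } catch (YarnException denied) {
                                Assert.assertTrue(denied.getMessage().contains(tester.getUserName() + " is not authorized to cancel the token"));
                                return null;
                            }
                        }
                    });
                } catch (Exception unexpected) {
                    Assert.fail("Unexpected exception; " + unexpected.getMessage());
                }
            }
        }
    }

    /**
     * Same as the three-argument overload, against a fresh service instance.
     *
     * @param tokenOwner identity recorded as the token owner
     * @param tokenRenewer identity recorded as the token renewer
     * @throws IOException declared for callers; not thrown by the visible code paths
     * @throws YarnException if the service refuses the cancellation
     */
    public void checkTokenCancellation(UserGroupInformation tokenOwner, UserGroupInformation tokenRenewer) throws IOException, YarnException {
        checkTokenCancellation(newClientRMService(), tokenOwner, tokenRenewer);
    }

    /**
     * Issues a token for the given owner and renewer and asks the service to
     * cancel it as the current caller.
     *
     * @param clientRMService service instance that receives the request
     * @param tokenOwner identity recorded as the token owner
     * @param tokenRenewer identity recorded as the token renewer
     * @throws IOException declared for callers; not thrown by the visible code paths
     * @throws YarnException if the service refuses the cancellation
     */
    public void checkTokenCancellation(ClientRMService clientRMService, UserGroupInformation tokenOwner, UserGroupInformation tokenRenewer) throws IOException, YarnException {
        CancelDelegationTokenRequest request = Records.newRecord(CancelDelegationTokenRequest.class);
        request.setDelegationToken(newDelegationToken(tokenOwner, tokenRenewer));
        clientRMService.cancelDelegationToken(request);
    }

    /** The token owner may renew a token on which it is also the renewer. */
    @Test
    public void testTokenRenewalByOwner() throws Exception {
        owner.doAs(new PrivilegedExceptionAction<Void>() {
            @Override
            public Void run() throws Exception {
                checkTokenRenewal(owner, owner);
                return null;
            }
        });
    }

    /** Builds a service on a fresh mocked context; only the secret manager is real. */
    private static ClientRMService newClientRMService() {
        return new ClientRMService(Mockito.mock(RMContext.class), (YarnScheduler) null, (RMAppManager) null, (ApplicationACLsManager) null, (QueueACLsManager) null, dtsm);
    }

    /** Signs a token with the shared secret manager and converts it to the YARN record form. */
    private static org.apache.hadoop.yarn.api.records.Token newDelegationToken(UserGroupInformation tokenOwner, UserGroupInformation tokenRenewer) {
        RMDelegationTokenIdentifier identifier = new RMDelegationTokenIdentifier(new Text(tokenOwner.getUserName()), new Text(tokenRenewer.getUserName()), (Text) null);
        Token<RMDelegationTokenIdentifier> signed = new Token<RMDelegationTokenIdentifier>(identifier, dtsm);
        return BuilderUtils.newDelegationToken(signed.getIdentifier(), signed.getKind().toString(), signed.getPassword(), signed.getService().toString());
    }
}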
