package org.apache.hadoop.yarn.server.timelineservice.security;

import java.io.BufferedReader;
import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.util.Arrays;
import java.util.Collection;
import java.util.UUID;
import java.util.concurrent.Callable;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.CommonConfigurationKeysPublic;
import org.apache.hadoop.fs.FileUtil;
import org.apache.hadoop.hbase.shaded.org.apache.commons.io.FileUtils;
import org.apache.hadoop.hdfs.tools.offlineImageViewer.PBImageXmlWriter;
import org.apache.hadoop.http.HttpConfig;
import org.apache.hadoop.io.Text;
import org.apache.hadoop.minikdc.MiniKdc;
import org.apache.hadoop.security.SecurityUtil;
import org.apache.hadoop.security.UserGroupInformation;
import org.apache.hadoop.security.authentication.KerberosTestUtils;
import org.apache.hadoop.security.ssl.KeyStoreTestUtil;
import org.apache.hadoop.security.token.Token;
import org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager;
import org.apache.hadoop.yarn.api.records.ApplicationId;
import org.apache.hadoop.yarn.api.records.CollectorInfo;
import org.apache.hadoop.yarn.api.records.timelineservice.TimelineEntity;
import org.apache.hadoop.yarn.client.api.TimelineV2Client;
import org.apache.hadoop.yarn.conf.YarnConfiguration;
import org.apache.hadoop.yarn.exceptions.YarnException;
import org.apache.hadoop.yarn.security.client.TimelineDelegationTokenIdentifier;
import org.apache.hadoop.yarn.server.api.CollectorNodemanagerProtocol;
import org.apache.hadoop.yarn.server.api.protocolrecords.GetTimelineCollectorContextRequest;
import org.apache.hadoop.yarn.server.api.protocolrecords.GetTimelineCollectorContextResponse;
import org.apache.hadoop.yarn.server.timelineservice.collector.AppLevelTimelineCollector;
import org.apache.hadoop.yarn.server.timelineservice.collector.NodeTimelineCollectorManager;
import org.apache.hadoop.yarn.server.timelineservice.collector.PerNodeTimelineCollectorsAuxService;
import org.apache.hadoop.yarn.server.timelineservice.security.TimelineV2DelegationTokenSecretManagerService;
import org.apache.hadoop.yarn.server.timelineservice.storage.FileSystemTimelineReaderImpl;
import org.apache.hadoop.yarn.server.timelineservice.storage.FileSystemTimelineWriterImpl;
import org.apache.hadoop.yarn.server.timelineservice.storage.TimelineWriter;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.junit.runner.RunWith;
import org.junit.runners.Parameterized;
import org.mockito.Matchers;
import org.mockito.Mockito;

@RunWith(Parameterized.class)
/* loaded from: input_file:org/apache/hadoop/yarn/server/timelineservice/security/TestTimelineAuthFilterForV2.class */
public class TestTimelineAuthFilterForV2 {
    private static final String FOO_USER = "foo";
    private static final String HTTP_USER = "HTTP";
    private static final File TEST_ROOT_DIR = new File(System.getProperty("test.build.dir", PBImageXmlWriter.INODE_SECTION_TARGET + File.separator + "test-dir"), UUID.randomUUID().toString());
    private static final String BASEDIR = System.getProperty("test.build.dir", "target/test-dir") + "/" + TestTimelineAuthFilterForV2.class.getSimpleName();
    private static File httpSpnegoKeytabFile = new File(KerberosTestUtils.getKeytabFile());
    private static String httpSpnegoPrincipal = KerberosTestUtils.getServerPrincipal();
    private static MiniKdc testMiniKDC;
    private static String keystoresDir;
    private static String sslConfDir;
    private static Configuration conf;
    private static UserGroupInformation nonKerberosUser;
    private boolean withSsl;
    private boolean withKerberosLogin;
    private NodeTimelineCollectorManager collectorManager;
    private PerNodeTimelineCollectorsAuxService auxService;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/apache/hadoop/yarn/server/timelineservice/security/TestTimelineAuthFilterForV2$DummyNodeTimelineCollectorManager.class */
    public static class DummyNodeTimelineCollectorManager extends NodeTimelineCollectorManager {
        private volatile int tokenExpiredCnt = 0;

        DummyNodeTimelineCollectorManager() {
        }

        /* JADX INFO: Access modifiers changed from: private */
        public int getTokenExpiredCnt() {
            return this.tokenExpiredCnt;
        }

        @Override // org.apache.hadoop.yarn.server.timelineservice.collector.NodeTimelineCollectorManager
        protected TimelineV2DelegationTokenSecretManagerService createTokenManagerService() {
            return (TimelineV2DelegationTokenSecretManagerService) Mockito.spy(new TimelineV2DelegationTokenSecretManagerService() { // from class: org.apache.hadoop.yarn.server.timelineservice.security.TestTimelineAuthFilterForV2.DummyNodeTimelineCollectorManager.1
                @Override // org.apache.hadoop.yarn.server.timelineservice.security.TimelineV2DelegationTokenSecretManagerService, org.apache.hadoop.yarn.server.timeline.security.TimelineDelgationTokenSecretManagerService
                protected AbstractDelegationTokenSecretManager<TimelineDelegationTokenIdentifier> createTimelineDelegationTokenSecretManager(long j, long j2, long j3, long j4) {
                    return (AbstractDelegationTokenSecretManager) Mockito.spy(new TimelineV2DelegationTokenSecretManagerService.TimelineV2DelegationTokenSecretManager(j, j2, j3, 2000L) { // from class: org.apache.hadoop.yarn.server.timelineservice.security.TestTimelineAuthFilterForV2.DummyNodeTimelineCollectorManager.1.1
                        /* JADX INFO: Access modifiers changed from: protected */
                        /* JADX WARN: Can't rename method to resolve collision */
                        @Override // org.apache.hadoop.yarn.server.timelineservice.security.TimelineV2DelegationTokenSecretManagerService.TimelineV2DelegationTokenSecretManager, org.apache.hadoop.security.token.delegation.AbstractDelegationTokenSecretManager
                        public void logExpireToken(TimelineDelegationTokenIdentifier timelineDelegationTokenIdentifier) throws IOException {
                            DummyNodeTimelineCollectorManager.access$208(DummyNodeTimelineCollectorManager.this);
                        }
                    });
                }
            });
        }

        @Override // org.apache.hadoop.yarn.server.timelineservice.collector.NodeTimelineCollectorManager
        protected CollectorNodemanagerProtocol getNMCollectorService() {
            CollectorNodemanagerProtocol collectorNodemanagerProtocol = (CollectorNodemanagerProtocol) Mockito.mock(CollectorNodemanagerProtocol.class);
            try {
                Mockito.when(collectorNodemanagerProtocol.getTimelineCollectorContext((GetTimelineCollectorContextRequest) Matchers.any(GetTimelineCollectorContextRequest.class))).thenReturn(GetTimelineCollectorContextResponse.newInstance(UserGroupInformation.getCurrentUser().getUserName(), "test_flow_name", "test_flow_version", 1L));
            } catch (IOException | YarnException e) {
                Assert.fail();
            }
            return collectorNodemanagerProtocol;
        }

        static /* synthetic */ int access$208(DummyNodeTimelineCollectorManager dummyNodeTimelineCollectorManager) {
            int i = dummyNodeTimelineCollectorManager.tokenExpiredCnt;
            dummyNodeTimelineCollectorManager.tokenExpiredCnt = i + 1;
            return i;
        }
    }

    @Parameterized.Parameters
    public static Collection<Object[]> params() {
        return Arrays.asList(new Object[]{false, true}, new Object[]{false, false}, new Object[]{true, false}, new Object[]{true, true});
    }

    public TestTimelineAuthFilterForV2(boolean z, boolean z2) {
        this.withSsl = z;
        this.withKerberosLogin = z2;
    }

    @BeforeClass
    public static void setup() {
        try {
            testMiniKDC = new MiniKdc(MiniKdc.createConf(), TEST_ROOT_DIR);
            testMiniKDC.start();
            testMiniKDC.createPrincipal(httpSpnegoKeytabFile, new String[]{"HTTP/localhost"});
        } catch (Exception e) {
            Assert.fail("Couldn't setup MiniKDC.");
        }
        try {
            conf = new Configuration(false);
            conf.setStrings("yarn.timeline-service.http-authentication.type", "kerberos");
            conf.set("yarn.timeline-service.http-authentication.kerberos.principal", httpSpnegoPrincipal);
            conf.set("yarn.timeline-service.http-authentication.kerberos.keytab", httpSpnegoKeytabFile.getAbsolutePath());
            conf.set(CommonConfigurationKeysPublic.HADOOP_SECURITY_AUTHENTICATION, "kerberos");
            conf.set(YarnConfiguration.TIMELINE_SERVICE_PRINCIPAL, httpSpnegoPrincipal);
            conf.set(YarnConfiguration.TIMELINE_SERVICE_KEYTAB, httpSpnegoKeytabFile.getAbsolutePath());
            conf.setBoolean(YarnConfiguration.TIMELINE_SERVICE_ENABLED, true);
            conf.setFloat(YarnConfiguration.TIMELINE_SERVICE_VERSION, 2.0f);
            conf.setClass(YarnConfiguration.TIMELINE_SERVICE_WRITER_CLASS, FileSystemTimelineWriterImpl.class, TimelineWriter.class);
            conf.set(YarnConfiguration.TIMELINE_SERVICE_READER_BIND_HOST, "localhost");
            conf.set("yarn.timeline-service.fs-writer.root-dir", TEST_ROOT_DIR.getAbsolutePath());
            conf.set("hadoop.proxyuser.HTTP.hosts", "*");
            conf.set("hadoop.proxyuser.HTTP.users", FOO_USER);
            UserGroupInformation.setConfiguration(conf);
        } catch (Exception e2) {
            Assert.fail("Couldn't setup TimelineServer V2.");
        }
    }

    @Before
    public void initialize() throws Exception {
        if (this.withSsl) {
            conf.set(YarnConfiguration.YARN_HTTP_POLICY_KEY, HttpConfig.Policy.HTTPS_ONLY.name());
            File file = new File(BASEDIR);
            FileUtil.fullyDelete(file);
            file.mkdirs();
            keystoresDir = new File(BASEDIR).getAbsolutePath();
            sslConfDir = KeyStoreTestUtil.getClasspathDir(TestTimelineAuthFilterForV2.class);
            KeyStoreTestUtil.setupSSLConfig(keystoresDir, sslConfDir, conf, false);
        } else {
            conf.set(YarnConfiguration.YARN_HTTP_POLICY_KEY, HttpConfig.Policy.HTTP_ONLY.name());
        }
        if (!this.withKerberosLogin) {
            conf.setLong(YarnConfiguration.TIMELINE_DELEGATION_TOKEN_RENEW_INTERVAL, 100L);
            conf.setLong(YarnConfiguration.TIMELINE_DELEGATION_TOKEN_MAX_LIFETIME, 4000L);
        }
        UserGroupInformation.setConfiguration(conf);
        this.collectorManager = new DummyNodeTimelineCollectorManager();
        this.auxService = PerNodeTimelineCollectorsAuxService.launchServer(new String[0], this.collectorManager, conf);
        if (this.withKerberosLogin) {
            SecurityUtil.login(conf, YarnConfiguration.TIMELINE_SERVICE_KEYTAB, YarnConfiguration.TIMELINE_SERVICE_PRINCIPAL, "localhost");
        }
        ApplicationId newInstance = ApplicationId.newInstance(0L, 1);
        this.auxService.addApplication(newInstance, UserGroupInformation.getCurrentUser().getUserName());
        if (this.withKerberosLogin) {
            return;
        }
        Token<TimelineDelegationTokenIdentifier> delegationTokenForApp = ((AppLevelTimelineCollector) this.collectorManager.get(newInstance)).getDelegationTokenForApp();
        delegationTokenForApp.setService(new Text("localhost" + delegationTokenForApp.getService().toString().substring(delegationTokenForApp.getService().toString().indexOf(":"))));
        UserGroupInformation.getCurrentUser().addToken(delegationTokenForApp);
    }

    private TimelineV2Client createTimelineClientForUGI(ApplicationId applicationId) {
        TimelineV2Client createTimelineClient = TimelineV2Client.createTimelineClient(ApplicationId.newInstance(0L, 1));
        String restServerBindAddress = this.collectorManager.getRestServerBindAddress();
        createTimelineClient.setTimelineCollectorInfo(CollectorInfo.newInstance("localhost" + restServerBindAddress.substring(restServerBindAddress.indexOf(":"))));
        createTimelineClient.init(conf);
        createTimelineClient.start();
        return createTimelineClient;
    }

    @AfterClass
    public static void tearDown() throws Exception {
        if (testMiniKDC != null) {
            testMiniKDC.stop();
        }
        FileUtil.fullyDelete(TEST_ROOT_DIR);
    }

    @After
    public void destroy() throws Exception {
        if (this.auxService != null) {
            this.auxService.stop();
        }
        if (this.withSsl) {
            KeyStoreTestUtil.cleanupSSLConfig(keystoresDir, sslConfDir);
            FileUtil.fullyDelete(new File(BASEDIR));
        }
        if (this.withKerberosLogin) {
            UserGroupInformation.getCurrentUser().logoutUserFromKeytab();
        }
        UserGroupInformation.setLoginUser(UserGroupInformation.createRemoteUser(nonKerberosUser.getUserName()));
    }

    private static TimelineEntity createEntity(String str, String str2) {
        TimelineEntity timelineEntity = new TimelineEntity();
        timelineEntity.setId(str);
        timelineEntity.setType(str2);
        timelineEntity.setCreatedTime(0L);
        return timelineEntity;
    }

    private static void verifyEntity(File file, String str, String str2) throws IOException {
        File file2 = new File(file, str + FileSystemTimelineWriterImpl.TIMELINE_SERVICE_STORAGE_EXTENSION);
        Assert.assertTrue(file2.exists());
        TimelineEntity readEntityFile = readEntityFile(file2);
        Assert.assertNotNull(readEntityFile);
        Assert.assertEquals(str, readEntityFile.getId());
        Assert.assertEquals(str2, readEntityFile.getType());
    }

    private static TimelineEntity readEntityFile(File file) throws IOException {
        String readLine;
        BufferedReader bufferedReader = null;
        try {
            bufferedReader = new BufferedReader(new FileReader(file));
            do {
                readLine = bufferedReader.readLine();
                if (readLine == null) {
                    bufferedReader.close();
                    return null;
                }
            } while (readLine.trim().length() <= 0);
            TimelineEntity timelineEntity = (TimelineEntity) FileSystemTimelineReaderImpl.getTimelineRecordFromJSON(readLine.trim(), TimelineEntity.class);
            bufferedReader.close();
            return timelineEntity;
        } catch (Throwable th) {
            bufferedReader.close();
            throw th;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void publishAndVerifyEntity(ApplicationId applicationId, File file, String str, int i) throws Exception {
        TimelineV2Client createTimelineClientForUGI = createTimelineClientForUGI(applicationId);
        try {
            createTimelineClientForUGI.putEntities(createEntity("entity1", str));
            Assert.assertEquals(i, file.listFiles().length);
            verifyEntity(file, "entity1", str);
            createTimelineClientForUGI.putEntitiesAsync(createEntity("entity2", str));
            createTimelineClientForUGI.stop();
        } catch (Throwable th) {
            createTimelineClientForUGI.stop();
            throw th;
        }
    }

    private boolean publishWithRetries(ApplicationId applicationId, File file, String str, int i) throws Exception {
        for (int i2 = 0; i2 < 10; i2++) {
            try {
                publishAndVerifyEntity(applicationId, file, str, i);
                return true;
            } catch (YarnException e) {
                Thread.sleep(50L);
            }
        }
        return false;
    }

    @Test
    public void testPutTimelineEntities() throws Exception {
        final ApplicationId newInstance = ApplicationId.newInstance(0L, 1);
        final File file = new File(TEST_ROOT_DIR.getAbsolutePath() + File.separator + FileSystemTimelineWriterImpl.ENTITIES_DIR + File.separator + YarnConfiguration.DEFAULT_RM_CLUSTER_ID + File.separator + UserGroupInformation.getCurrentUser().getUserName() + File.separator + "test_flow_name" + File.separator + "test_flow_version" + File.separator + "1" + File.separator + newInstance.toString() + File.separator + "dummy_type");
        try {
            if (this.withKerberosLogin) {
                KerberosTestUtils.doAs("HTTP/localhost", new Callable<Void>() { // from class: org.apache.hadoop.yarn.server.timelineservice.security.TestTimelineAuthFilterForV2.1
                    /* JADX WARN: Can't rename method to resolve collision */
                    @Override // java.util.concurrent.Callable
                    public Void call() throws Exception {
                        TestTimelineAuthFilterForV2.this.publishAndVerifyEntity(newInstance, file, "dummy_type", 1);
                        return null;
                    }
                });
            } else {
                Assert.assertTrue("Entities should have been published successfully.", publishWithRetries(newInstance, file, "dummy_type", 1));
                AppLevelTimelineCollector appLevelTimelineCollector = (AppLevelTimelineCollector) this.collectorManager.get(newInstance);
                Token<TimelineDelegationTokenIdentifier> delegationTokenForApp = appLevelTimelineCollector.getDelegationTokenForApp();
                Assert.assertNotNull(delegationTokenForApp);
                Thread.sleep(1000L);
                Assert.assertTrue("Entities should have been published successfully.", publishWithRetries(newInstance, file, "dummy_type", 2));
                Assert.assertNotNull(appLevelTimelineCollector);
                ((TimelineV2DelegationTokenSecretManagerService) Mockito.verify(this.collectorManager.getTokenManagerService(), Mockito.atLeastOnce())).renewToken((Token) Matchers.eq(appLevelTimelineCollector.getDelegationTokenForApp()), (String) Matchers.any(String.class));
                Thread.sleep(3000L);
                for (int i = 0; i < 40 && delegationTokenForApp.equals(appLevelTimelineCollector.getDelegationTokenForApp()); i++) {
                    Thread.sleep(50L);
                }
                Assert.assertNotEquals("Token should have been regenerated.", delegationTokenForApp, appLevelTimelineCollector.getDelegationTokenForApp());
                Thread.sleep(1000L);
                try {
                    publishAndVerifyEntity(newInstance, file, "dummy_type", 2);
                    Assert.fail("Exception should have been thrown due to Invalid Token.");
                } catch (YarnException e) {
                    Assert.assertTrue("Exception thrown should have been due to Invalid Token.", e.getCause().getMessage().contains("InvalidToken"));
                }
                Token<TimelineDelegationTokenIdentifier> delegationTokenForApp2 = appLevelTimelineCollector.getDelegationTokenForApp();
                delegationTokenForApp2.setService(new Text("localhost" + delegationTokenForApp2.getService().toString().substring(delegationTokenForApp2.getService().toString().indexOf(":"))));
                UserGroupInformation.getCurrentUser().addToken(delegationTokenForApp2);
                Assert.assertTrue("Entities should have been published successfully.", publishWithRetries(newInstance, file, "dummy_type", 2));
                ((TimelineV2DelegationTokenSecretManagerService) Mockito.verify(this.collectorManager.getTokenManagerService(), Mockito.times(2))).generateToken((UserGroupInformation) Matchers.any(UserGroupInformation.class), (String) Matchers.any(String.class));
                Assert.assertEquals(1L, ((DummyNodeTimelineCollectorManager) this.collectorManager).getTokenExpiredCnt());
            }
            for (int i2 = 0; i2 < 50 && file.listFiles().length != 2; i2++) {
                Thread.sleep(50L);
            }
            Assert.assertEquals(2L, file.listFiles().length);
            verifyEntity(file, "entity2", "dummy_type");
            AppLevelTimelineCollector appLevelTimelineCollector2 = (AppLevelTimelineCollector) this.collectorManager.get(newInstance);
            Assert.assertNotNull(appLevelTimelineCollector2);
            this.auxService.removeApplication(newInstance);
            ((TimelineV2DelegationTokenSecretManagerService) Mockito.verify(this.collectorManager.getTokenManagerService())).cancelToken((Token) Matchers.eq(appLevelTimelineCollector2.getDelegationTokenForApp()), (String) Matchers.any(String.class));
            FileUtils.deleteQuietly(file);
        } catch (Throwable th) {
            FileUtils.deleteQuietly(file);
            throw th;
        }
    }

    static {
        try {
            nonKerberosUser = UserGroupInformation.getCurrentUser();
        } catch (IOException e) {
        }
    }
}
