package org.apache.hadoop.hdfs;

import java.io.IOException;
import java.net.InetAddress;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.concurrent.TimeoutException;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.hadoop.conf.Configuration;
import org.apache.hadoop.fs.FSDataInputStream;
import org.apache.hadoop.fs.FSDataOutputStream;
import org.apache.hadoop.fs.FileChecksum;
import org.apache.hadoop.fs.FileSystem;
import org.apache.hadoop.fs.Path;
import org.apache.hadoop.hbase.shaded.com.google.common.base.Supplier;
import org.apache.hadoop.hdfs.MiniDFSCluster;
import org.apache.hadoop.hdfs.protocol.DatanodeInfo;
import org.apache.hadoop.hdfs.protocol.LocatedBlock;
import org.apache.hadoop.hdfs.protocol.datatransfer.TrustedChannelResolver;
import org.apache.hadoop.hdfs.protocol.datatransfer.sasl.DataTransferSaslUtil;
import org.apache.hadoop.hdfs.protocol.datatransfer.sasl.SaslDataTransferServer;
import org.apache.hadoop.hdfs.security.token.block.BlockTokenSecretManager;
import org.apache.hadoop.hdfs.security.token.block.DataEncryptionKey;
import org.apache.hadoop.hdfs.server.common.HdfsServerConstants;
import org.apache.hadoop.hdfs.server.datanode.DataNode;
import org.apache.hadoop.test.GenericTestUtils;
import org.apache.log4j.Level;
import org.apache.log4j.LogManager;
import org.junit.After;
import org.junit.Assert;
import org.junit.Before;
import org.junit.Rule;
import org.junit.Test;
import org.junit.rules.Timeout;
import org.junit.runner.RunWith;
import org.junit.runners.Parameterized;
import org.mockito.Mockito;

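/**
 * Exercises HDFS data-transfer encryption against a {@link MiniDFSCluster}.
 *
 * <p>The suite is parameterized on the trusted-channel resolver class name. With {@code null} no
 * resolver is configured and the encryption handshake is asserted through DataNode and SASL log
 * output. With {@link TestTrustedChannelResolver} every peer is reported as trusted, and the
 * log-based assertions are skipped (presumably because trusted channels bypass the encryption
 * handshake; confirm against {@code SaslDataTransferServer}).
 */
@RunWith(Parameterized.class)
public class TestEncryptedTransfer {

    private static final Log LOG = LogFactory.getLog(TestEncryptedTransfer.class);
    private static final String PLAIN_TEXT = "this is very secret plain text";
    private static final Path TEST_PATH = new Path("/non-encrypted-file");

    /** Per-test time limit; the cluster start-up and key-expiry waits below are slow. */
    @Rule
    public Timeout timeout = new Timeout(300000);

    private MiniDFSCluster cluster;
    private Configuration conf;
    private FileSystem fs;

    /** Resolver class name for this parameterized run, or {@code null} for "no resolver". */
    String resolverClazz;

    /**
     * Resolver that reports every channel and every peer address as trusted.
     *
     * <p>Test-only: it makes no trust decision at all, so it must never be configured on a real
     * cluster that relies on {@code dfs.encrypt.data.transfer} for confidentiality.
     */
    static class TestTrustedChannelResolver extends TrustedChannelResolver {
        @Override
        public boolean isTrusted() {
            return true;
        }

        @Override
        public boolean isTrusted(InetAddress inetAddress) {
            return true;
        }
    }

    /**
     * Supplies the two runs of the suite: no resolver, and the trust-everything test resolver.
     *
     * @return one single-element argument array per run
     */
    @Parameterized.Parameters
    public static Collection<Object[]> data() {
        List<Object[]> params = new ArrayList<>();
        params.add(new Object[] {null});
        params.add(new Object[] {TestTrustedChannelResolver.class.getName()});
        return params;
    }

    /**
     * @param resolverClazz trusted-channel resolver class name to configure, or {@code null}
     */
    public TestEncryptedTransfer(String resolverClazz) {
        // The log assertions in this class match messages from these two loggers, so they are
        // raised to DEBUG (presumably the level those messages are emitted at).
        LogManager.getLogger(SaslDataTransferServer.class).setLevel(Level.DEBUG);
        LogManager.getLogger(DataTransferSaslUtil.class).setLevel(Level.DEBUG);
        this.resolverClazz = resolverClazz;
    }

    /** Turns on data-transfer encryption and block access tokens, plus the resolver if any. */
    private void setEncryptionConfigKeys() {
        conf.setBoolean(DFSConfigKeys.DFS_ENCRYPT_DATA_TRANSFER_KEY, true);
        conf.setBoolean(DFSConfigKeys.DFS_BLOCK_ACCESS_TOKEN_ENABLE_KEY, true);
        if (resolverClazz != null) {
            conf.set("dfs.trustedchannel.resolver.class", resolverClazz);
        }
    }

    /**
     * Opens a client file system from a copy of the given configuration with the client-side
     * encryption settings removed.
     *
     * <p>NOTE(review): presumably this forces the client to learn the encryption requirement
     * from the cluster instead of from its own configuration; confirm against DFSClient.
     *
     * @param configuration cluster configuration; not modified
     * @return a file system built from the stripped copy
     * @throws IOException if the file system cannot be created
     */
    private static FileSystem getFileSystem(Configuration configuration) throws IOException {
        Configuration clientConf = new Configuration(configuration);
        clientConf.setBoolean(DFSConfigKeys.DFS_ENCRYPT_DATA_TRANSFER_KEY, false);
        clientConf.unset(DFSConfigKeys.DFS_DATA_ENCRYPTION_ALGORITHM_KEY);
        return FileSystem.get(clientConf);
    }

    @Before
    public void setup() throws IOException {
        conf = new Configuration();
    }

    /**
     * Closes the client and shuts the cluster down.
     *
     * @throws IOException if closing the file system fails
     */
    @After
    public void teardown() throws IOException {
        try {
            if (fs != null) {
                fs.close();
            }
        } finally {
            // Shut the cluster down even when close() throws, so a failed test does not leave
            // a running MiniDFSCluster behind for the next one.
            if (cluster != null) {
                cluster.shutdown();
            }
        }
    }

    /**
     * Writes the test file on a cluster without encryption, then restarts the cluster on the
     * same storage with encryption enabled.
     *
     * @return the checksum of the file as written before the restart
     * @throws IOException on any cluster or file system failure
     */
    private FileChecksum writeUnencryptedAndThenRestartEncryptedCluster() throws IOException {
        cluster = new MiniDFSCluster.Builder(conf).build();
        fs = getFileSystem(conf);
        writeTestDataToFile(fs);
        Assert.assertEquals(PLAIN_TEXT, DFSTestUtil.readFile(fs, TEST_PATH));
        FileChecksum checksum = fs.getFileChecksum(TEST_PATH);
        fs.close();
        cluster.shutdown();

        setEncryptionConfigKeys();
        // Reuse the existing directories without formatting so the file survives the restart.
        cluster = new MiniDFSCluster.Builder(conf)
                .manageDataDfsDirs(false)
                .manageNameDfsDirs(false)
                .format(false)
                .startupOption(HdfsServerConstants.StartupOption.REGULAR)
                .build();
        fs = getFileSystem(conf);
        return checksum;
    }

    /**
     * Reads the test file back from an encryption-enabled cluster and checks content, checksum
     * and, when no resolver is configured, the cipher-suite log messages.
     *
     * @param algorithm value for the data encryption algorithm key
     * @param cipherSuite value for {@code dfs.encrypt.data.transfer.cipher.suites}
     * @param matchLog whether the cipher-suite negotiation messages are expected in the logs
     * @param readAfterRestart whether to restart the NameNode and repeat the read
     * @throws IOException on any cluster or file system failure
     */
    private void testEncryptedRead(
            String algorithm, String cipherSuite, boolean matchLog, boolean readAfterRestart)
            throws IOException {
        conf.set(DFSConfigKeys.DFS_DATA_ENCRYPTION_ALGORITHM_KEY, algorithm);
        conf.set("dfs.encrypt.data.transfer.cipher.suites", cipherSuite);
        FileChecksum checksum = writeUnencryptedAndThenRestartEncryptedCluster();

        GenericTestUtils.LogCapturer serverLogs =
                GenericTestUtils.LogCapturer.captureLogs(LogFactory.getLog(SaslDataTransferServer.class));
        GenericTestUtils.LogCapturer saslUtilLogs =
                GenericTestUtils.LogCapturer.captureLogs(LogFactory.getLog(DataTransferSaslUtil.class));
        try {
            Assert.assertEquals(PLAIN_TEXT, DFSTestUtil.readFile(fs, TEST_PATH));
            Assert.assertEquals(checksum, fs.getFileChecksum(TEST_PATH));
        } finally {
            serverLogs.stopCapturing();
            saslUtilLogs.stopCapturing();
        }

        // The log evidence is only asserted when no resolver is configured.
        if (resolverClazz == null) {
            if (matchLog) {
                GenericTestUtils.assertMatches(serverLogs.getOutput(), "Server using cipher suite");
                GenericTestUtils.assertMatches(saslUtilLogs.getOutput(),
                        "Creating IOStreamPair of CryptoInputStream and CryptoOutputStream.");
            } else {
                GenericTestUtils.assertDoesNotMatch(serverLogs.getOutput(), "Server using cipher suite");
                GenericTestUtils.assertDoesNotMatch(saslUtilLogs.getOutput(),
                        "Creating IOStreamPair of CryptoInputStream and CryptoOutputStream.");
            }
        }

        if (readAfterRestart) {
            cluster.restartNameNode(new String[0]);
            fs = getFileSystem(conf);
            Assert.assertEquals(PLAIN_TEXT, DFSTestUtil.readFile(fs, TEST_PATH));
            Assert.assertEquals(checksum, fs.getFileChecksum(TEST_PATH));
        }
    }

    @Test
    public void testEncryptedReadDefaultAlgorithmCipherSuite() throws IOException {
        testEncryptedRead("", "", false, false);
    }

    /**
     * Covers a cluster configured with the legacy "rc4" algorithm. RC4 has well-known weaknesses;
     * this case only checks that such a configuration stays readable.
     */
    @Test
    public void testEncryptedReadWithRC4() throws IOException {
        testEncryptedRead("rc4", "", false, false);
    }

    @Test
    public void testEncryptedReadWithAES() throws IOException {
        testEncryptedRead("", "AES/CTR/NoPadding", true, false);
    }

    @Test
    public void testEncryptedReadAfterNameNodeRestart() throws IOException {
        testEncryptedRead("", "", false, true);
    }

    /**
     * Negative test: a client that does not encrypt must not be able to read from a cluster that
     * requires encryption, unless the trust-everything resolver is configured.
     */
    @Test
    public void testClientThatDoesNotSupportEncryption() throws IOException {
        // Presumably shortens client retries so the expected failure surfaces quickly.
        conf.setInt("dfs.client.retry.window.base", 10);
        writeUnencryptedAndThenRestartEncryptedCluster();

        DistributedFileSystem dfs = (DistributedFileSystem) fs;
        DFSClient spyClient = Mockito.spy(DFSClientAdapter.getDFSClient(dfs));
        Mockito.doReturn(false).when(spyClient).shouldEncryptData();
        DFSClientAdapter.setDFSClient(dfs, spyClient);

        GenericTestUtils.LogCapturer dataNodeLogs =
                GenericTestUtils.LogCapturer.captureLogs(LogFactory.getLog(DataNode.class));
        try {
            Assert.assertEquals(PLAIN_TEXT, DFSTestUtil.readFile(fs, TEST_PATH));
            // A successful plaintext read is only acceptable with the trusted resolver. The
            // previous condition required a non-null resolver, so the no-resolver run, which is
            // the one that must reject the client, could never reach this fail().
            if (resolverClazz == null || !resolverClazz.endsWith("TestTrustedChannelResolver")) {
                Assert.fail("Should not have been able to read without encryption enabled.");
            }
        } catch (IOException e) {
            GenericTestUtils.assertExceptionContains("Could not obtain block:", e);
        } finally {
            dataNodeLogs.stopCapturing();
        }

        if (resolverClazz == null) {
            GenericTestUtils.assertMatches(dataNodeLogs.getOutput(),
                    "Failed to read expected encryption handshake from client at");
        }
    }

    @Test
    public void testLongLivedReadClientAfterRestart() throws IOException {
        FileChecksum checksum = writeUnencryptedAndThenRestartEncryptedCluster();
        Assert.assertEquals(PLAIN_TEXT, DFSTestUtil.readFile(fs, TEST_PATH));
        Assert.assertEquals(checksum, fs.getFileChecksum(TEST_PATH));

        // Restart both daemons and keep using the same client instance.
        cluster.restartNameNode(new String[0]);
        Assert.assertTrue(cluster.restartDataNode(0));

        Assert.assertEquals(PLAIN_TEXT, DFSTestUtil.readFile(fs, TEST_PATH));
        Assert.assertEquals(checksum, fs.getFileChecksum(TEST_PATH));
    }

    @Test
    public void testLongLivedWriteClientAfterRestart() throws IOException {
        setEncryptionConfigKeys();
        cluster = new MiniDFSCluster.Builder(conf).build();
        fs = getFileSystem(conf);
        writeTestDataToFile(fs);
        Assert.assertEquals(PLAIN_TEXT, DFSTestUtil.readFile(fs, TEST_PATH));

        cluster.restartNameNode(new String[0]);
        Assert.assertTrue(cluster.restartDataNodes());
        cluster.waitActive();

        // The second write appends, so the file now holds the payload twice.
        writeTestDataToFile(fs);
        Assert.assertEquals(PLAIN_TEXT + PLAIN_TEXT, DFSTestUtil.readFile(fs, TEST_PATH));
    }

    /** Checks that a client keeps working after the block keys it started with have expired. */
    @Test
    public void testLongLivedClient() throws IOException, InterruptedException {
        FileChecksum checksum = writeUnencryptedAndThenRestartEncryptedCluster();
        shortenBlockKeyLifetime();

        Assert.assertEquals(PLAIN_TEXT, DFSTestUtil.readFile(fs, TEST_PATH));
        Assert.assertEquals(checksum, fs.getFileChecksum(TEST_PATH));

        LOG.info("Sleeping so that encryption keys expire...");
        Thread.sleep(15000L);
        LOG.info("Done sleeping.");

        Assert.assertEquals(PLAIN_TEXT, DFSTestUtil.readFile(fs, TEST_PATH));
        Assert.assertEquals(checksum, fs.getFileChecksum(TEST_PATH));
    }

    /**
     * Checks that a checksum request made with an encryption key the DataNodes no longer hold
     * clears the client's cached key exactly once and then succeeds.
     */
    @Test
    public void testFileChecksumWithInvalidEncryptionKey()
            throws IOException, InterruptedException, TimeoutException {
        if (resolverClazz != null) {
            // Only meaningful when the encryption handshake is actually performed.
            return;
        }
        setEncryptionConfigKeys();
        cluster = new MiniDFSCluster.Builder(conf).build();
        fs = getFileSystem(conf);

        DistributedFileSystem dfs = (DistributedFileSystem) fs;
        DFSClient client = DFSClientAdapter.getDFSClient(dfs);
        DFSClient spyClient = Mockito.spy(client);
        DFSClientAdapter.setDFSClient(dfs, spyClient);

        writeTestDataToFile(fs);
        FileChecksum checksum = fs.getFileChecksum(TEST_PATH);

        invalidateEncryptionKeyOnAllDataNodes(spyClient);

        fs.getFileChecksum(TEST_PATH);
        Assert.assertNull(client.getEncryptionKey());
        Mockito.verify(spyClient, Mockito.times(1)).clearDataEncryptionKey();
        Assert.assertEquals(checksum, fs.getFileChecksum(TEST_PATH));
    }

    /**
     * Checks that pipeline recovery during an append replaces the stopped DataNode and clears
     * the client's stale encryption key exactly once.
     */
    @Test
    public void testLongLivedClientPipelineRecovery()
            throws IOException, InterruptedException, TimeoutException {
        if (resolverClazz != null) {
            // Only meaningful when the encryption handshake is actually performed.
            return;
        }
        conf.setBoolean("dfs.namenode.redundancy.considerLoad", false);
        setEncryptionConfigKeys();
        cluster = new MiniDFSCluster.Builder(conf).numDataNodes(4).build();
        fs = getFileSystem(conf);

        DistributedFileSystem dfs = (DistributedFileSystem) fs;
        DFSClient spyClient = Mockito.spy(DFSClientAdapter.getDFSClient(dfs));
        DFSClientAdapter.setDFSClient(dfs, spyClient);
        writeTestDataToFile(fs);

        invalidateEncryptionKeyOnAllDataNodes(spyClient);

        // try-with-resources closes the stream once and keeps the primary failure; the previous
        // hand-rolled close could run twice and replace the original exception.
        try (FSDataOutputStream out = fs.append(TEST_PATH)) {
            DFSOutputStream stream = (DFSOutputStream) out.getWrappedStream();
            DatanodeInfo[] pipeline = stream.getPipeline();
            // Stop the first DataNode of the pipeline, then write to force recovery.
            cluster.stopDataNode(pipeline[0].getXferAddr());
            out.write(PLAIN_TEXT.getBytes());
            out.hflush();
            Assert.assertFalse("The first datanode in the pipeline was not replaced.",
                    Arrays.asList(stream.getPipeline()).contains(pipeline[0]));
        }
        Mockito.verify(spyClient, Mockito.times(1)).clearDataEncryptionKey();
    }

    @Test
    public void testEncryptedWriteWithOneDn() throws IOException {
        testEncryptedWrite(1);
    }

    @Test
    public void testEncryptedWriteWithTwoDns() throws IOException {
        testEncryptedWrite(2);
    }

    @Test
    public void testEncryptedWriteWithMultipleDns() throws IOException {
        testEncryptedWrite(10);
    }

    /**
     * Writes and reads back the test file on an encryption-enabled cluster.
     *
     * @param numDataNodes number of DataNodes to start
     * @throws IOException on any cluster or file system failure
     */
    private void testEncryptedWrite(int numDataNodes) throws IOException {
        setEncryptionConfigKeys();
        cluster = new MiniDFSCluster.Builder(conf).numDataNodes(numDataNodes).build();
        fs = getFileSystem(conf);

        GenericTestUtils.LogCapturer serverLogs =
                GenericTestUtils.LogCapturer.captureLogs(LogFactory.getLog(SaslDataTransferServer.class));
        GenericTestUtils.LogCapturer saslUtilLogs =
                GenericTestUtils.LogCapturer.captureLogs(LogFactory.getLog(DataTransferSaslUtil.class));
        try {
            writeTestDataToFile(fs);
        } finally {
            serverLogs.stopCapturing();
            saslUtilLogs.stopCapturing();
        }

        Assert.assertEquals(PLAIN_TEXT, DFSTestUtil.readFile(fs, TEST_PATH));
        if (resolverClazz == null) {
            // No cipher suite is configured here, so no cipher-suite negotiation may be logged.
            GenericTestUtils.assertDoesNotMatch(serverLogs.getOutput(), "Server using cipher suite");
            GenericTestUtils.assertDoesNotMatch(saslUtilLogs.getOutput(),
                    "Creating IOStreamPair of CryptoInputStream and CryptoOutputStream.");
        }
    }

    @Test
    public void testEncryptedAppend() throws IOException {
        setEncryptionConfigKeys();
        cluster = new MiniDFSCluster.Builder(conf).numDataNodes(3).build();
        fs = getFileSystem(conf);

        writeTestDataToFile(fs);
        Assert.assertEquals(PLAIN_TEXT, DFSTestUtil.readFile(fs, TEST_PATH));

        writeTestDataToFile(fs);
        Assert.assertEquals(PLAIN_TEXT + PLAIN_TEXT, DFSTestUtil.readFile(fs, TEST_PATH));
    }

    @Test
    public void testEncryptedAppendRequiringBlockTransfer() throws IOException {
        setEncryptionConfigKeys();
        cluster = new MiniDFSCluster.Builder(conf).numDataNodes(4).build();
        fs = getFileSystem(conf);

        writeTestDataToFile(fs);
        Assert.assertEquals(PLAIN_TEXT, DFSTestUtil.readFile(fs, TEST_PATH));

        List<LocatedBlock> blocks;
        try (FSDataInputStream in = fs.open(TEST_PATH)) {
            blocks = DFSTestUtil.getAllBlocks(in);
        }
        Assert.assertEquals(1, blocks.size());
        Assert.assertEquals(3, blocks.get(0).getLocations().length);

        // Shut down one replica holder before appending; with four DataNodes a spare remains.
        cluster.getDataNode(blocks.get(0).getLocations()[0].getIpcPort()).shutdown();

        writeTestDataToFile(fs);
        Assert.assertEquals(PLAIN_TEXT + PLAIN_TEXT, DFSTestUtil.readFile(fs, TEST_PATH));
    }

    /**
     * Sets the block key update interval and the token lifetime to 2000 (presumably
     * milliseconds) and clears the keys currently held by the NameNode's secret manager.
     */
    private void shortenBlockKeyLifetime() throws IOException {
        BlockTokenSecretManager secretManager =
                cluster.getNamesystem().getBlockManager().getBlockTokenSecretManager();
        secretManager.setKeyUpdateIntervalForTesting(2000L);
        secretManager.setTokenLifetime(2000L);
        secretManager.clearAllKeysForTesting();
    }

    /**
     * Shortens the key lifetime, then blocks until no DataNode holds the client's current
     * encryption key any more.
     *
     * @param client client whose current encryption key is awaited
     */
    private void invalidateEncryptionKeyOnAllDataNodes(DFSClient client)
            throws IOException, InterruptedException, TimeoutException {
        shortenBlockKeyLifetime();
        LOG.info("Wait until encryption keys become invalid...");
        final DataEncryptionKey encryptionKey = client.getEncryptionKey();
        for (final DataNode dataNode : cluster.getDataNodes()) {
            GenericTestUtils.waitFor(new Supplier<Boolean>() {
                @Override
                public Boolean get() {
                    return !dataNode.getBlockPoolTokenSecretManager()
                            .get(encryptionKey.blockPoolId)
                            .hasKey(encryptionKey.keyId);
                }
            }, 100L, 30000L);
        }
        LOG.info("The encryption key is invalid on all nodes now.");
    }

    /**
     * Creates the test file with the payload, or appends the payload if the file exists.
     *
     * @param fileSystem file system to write through
     * @throws IOException if the write fails
     */
    private static void writeTestDataToFile(FileSystem fileSystem) throws IOException {
        // try-with-resources so the stream is closed even when write() throws.
        try (FSDataOutputStream out = fileSystem.exists(TEST_PATH)
                ? fileSystem.append(TEST_PATH)
                : fileSystem.create(TEST_PATH)) {
            out.write(PLAIN_TEXT.getBytes());
        }
    }
}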
